From 2d080ea2aaab9c4280b386719be042e0d8a38e0c Mon Sep 17 00:00:00 2001
From: Sebastian Stenzel <sebastian.stenzel@skymatic.de>
Date: Sat, 2 Mar 2024 12:10:28 +0100
Subject: [PATCH 01/94] add `"alg": "A256KW"` support for JWEs

---
 frontend/src/common/jwe.ts       | 40 +++++++++++++++++++++++++++++---
 frontend/test/common/jwe.spec.ts | 23 ++++++++++++++++++
 2 files changed, 60 insertions(+), 3 deletions(-)

diff --git a/frontend/src/common/jwe.ts b/frontend/src/common/jwe.ts
index 6ea42ade3..ec0c33cdf 100644
--- a/frontend/src/common/jwe.ts
+++ b/frontend/src/common/jwe.ts
@@ -36,8 +36,8 @@ export class ConcatKDF {
 }
 
 export type JWEHeader = {
-  readonly alg: 'ECDH-ES' | 'PBES2-HS512+A256KW',
-  readonly enc: 'A256GCM' | 'A128GCM',
+  readonly alg: 'ECDH-ES' | 'PBES2-HS512+A256KW' | 'A256KW',
+  readonly enc: 'A256GCM' | 'A128GCM', // A128GCM for testing only, as we use test vectors with 128 bit keys
   readonly apu?: string,
   readonly apv?: string,
   readonly epk?: JsonWebKey,
@@ -97,7 +97,7 @@ export class JWEParser {
    * @throws {UnwrapKeyError} if decryption failed (wrong password?)
    */
   public async decryptPbes2(password: string): Promise<any> {
-    if (this.header.alg != 'PBES2-HS512+A256KW' || /* this.header.enc != 'A256GCM' || */ !this.header.p2s || !this.header.p2c) {
+    if (this.header.alg != 'PBES2-HS512+A256KW' || this.header.enc != 'A256GCM' || !this.header.p2s || !this.header.p2c) {
       throw new Error('unsupported alg or enc');
     }
     const saltInput = base64url.parse(this.header.p2s, { loose: true });
@@ -110,6 +110,24 @@ export class JWEParser {
     }
   }
 
+  /**
+   * Decrypts the JWE, assuming alg == A256KW and enc == A256GCM.
+   * @param kek The key used to wrap the CEK
+   * @returns Decrypted payload
+   * @throws {UnwrapKeyError} if decryption failed (wrong kek?)
+   */
+  public async decryptA256kw(kek: CryptoKey): Promise<any> {
+    if (this.header.alg != 'A256KW' || this.header.enc != 'A256GCM') {
+      throw new Error('unsupported alg or enc');
+    }
+    try {
+      const cek = crypto.subtle.unwrapKey('raw', this.encryptedKey, kek, 'AES-KW', { name: 'AES-GCM', length: 256 }, false, ['decrypt']);
+      return this.decrypt(await cek);
+    } catch (error) {
+      throw new UnwrapKeyError(error);
+    }
+  }
+
   private async decrypt(cek: CryptoKey): Promise<any> {
     const utf8enc = new TextEncoder();
     const m = new Uint8Array(this.ciphertext.length + this.tag.length);
@@ -180,6 +198,22 @@ export class JWEBuilder {
     return new JWEBuilder(header, encryptedKey, cek);
   }
 
+  /**
+   * Prepares a new JWE using alg: A256KW and enc: A256GCM.
+   * 
+   * @param kek The key used to wrap the CEK
+   * @returns A new JWEBuilder ready to encrypt the payload
+   */
+  public static a256kw(kek: CryptoKey): JWEBuilder {
+    const header = (async () => <JWEHeader>{
+      alg: 'A256KW',
+      enc: 'A256GCM'
+    })();
+    const cek = crypto.subtle.generateKey({ name: 'AES-GCM', length: 256 }, true, ['encrypt']);
+    const encryptedKey = (async () => new Uint8Array(await crypto.subtle.wrapKey('raw', await cek, kek, 'AES-KW')))();
+    return new JWEBuilder(header, encryptedKey, cek);
+  }
+
   /**
    * Builds the JWE.
    * @param payload Payload to be encrypted
diff --git a/frontend/test/common/jwe.spec.ts b/frontend/test/common/jwe.spec.ts
index 62c65586e..0d0b73e1b 100644
--- a/frontend/test/common/jwe.spec.ts
+++ b/frontend/test/common/jwe.spec.ts
@@ -74,6 +74,29 @@ describe('JWE', () => {
     // TODO: add some more decrypt-only tests with JWE from 3rd party
   });
 
+  describe('JWE using alg: A256KW', () => {
+    it('x = decrypt(encrypt(x, kek), kek)', async () => {
+      const kek = await crypto.subtle.generateKey({ name: 'AES-KW', length: 256 }, false, ['wrapKey', 'unwrapKey']);
+      const orig = { hello: 'world' };
+
+      const jwe = await JWEBuilder.a256kw(kek).encrypt(orig);
+
+      const decrypted = await JWEParser.parse(jwe).decryptA256kw(kek);
+      expect(decrypted).to.deep.eq(orig);
+    });
+
+    it('decrypt', async () => {
+      // JWE generated by https://dinochiesa.github.io/jwt/
+      const jwe = 'eyJhbGciOiJBMjU2S1ciLCJlbmMiOiJBMjU2R0NNIn0.JTSrGbw4XEKXYFTC7siTT7DIZUX2SogThcLKXgxe0FPK3Fi8ckjr9A.zQx0t4qoTVIc-h5f.cmqzZ-md3cvdTNH9FWbKOsw.DCdGhmdwjoYKIuNC5zgQJQ';
+      const rawKek = base64url.parse('y_uxz8iAtcOXlqMYpm2jASvDWokpCYMtwkthFSK6IF0', { loose: true });
+      const kek = await crypto.subtle.importKey('raw', rawKek, 'AES-KW', false, ['unwrapKey']);
+      const orig = { hello: 'world' };
+
+      const decrypted = await JWEParser.parse(jwe).decryptA256kw(kek);
+      expect(decrypted).to.deep.eq(orig);
+    });
+  });
+
   describe('PBES2', () => {
     /**
      * Test vectors from https://www.rfc-editor.org/rfc/rfc7517#appendix-C.4

From d109cffef162ea9e848eeb21c4d1d408bb30ee83 Mon Sep 17 00:00:00 2001
From: chenkins <chenkins44@gmail.com>
Date: Wed, 28 Feb 2024 16:57:34 +0100
Subject: [PATCH 02/94] uvf metadata (WiP).

---
 .../cryptomator/hub/api/VaultResource.java    |   5 +-
 .../org/cryptomator/hub/entities/Vault.java   |   3 +
 .../hub/flyway/V15__Vault_Metadata.sql        |   1 +
 .../hub/api/VaultResourceTest.java            |  24 ++-
 .../hub/flyway/V9999__Test_Data.sql           |  11 +-
 frontend/src/common/backend.ts                |  36 +++-
 frontend/src/common/crypto.ts                 | 175 ++++++++++++++++--
 frontend/src/common/vaultconfig.ts            |  12 +-
 .../src/components/ArchiveVaultDialog.vue     |   2 +-
 frontend/src/components/CreateVault.vue       |  11 +-
 .../DownloadVaultTemplateDialog.vue           |   2 +-
 .../components/EditVaultMetadataDialog.vue    |   2 +-
 .../src/components/ReactivateVaultDialog.vue  |   2 +-
 frontend/test/common/crypto.spec.ts           |  40 +++-
 14 files changed, 272 insertions(+), 54 deletions(-)
 create mode 100644 backend/src/main/resources/org/cryptomator/hub/flyway/V15__Vault_Metadata.sql

diff --git a/backend/src/main/java/org/cryptomator/hub/api/VaultResource.java b/backend/src/main/java/org/cryptomator/hub/api/VaultResource.java
index 76d1e0c69..3ecb60d02 100644
--- a/backend/src/main/java/org/cryptomator/hub/api/VaultResource.java
+++ b/backend/src/main/java/org/cryptomator/hub/api/VaultResource.java
@@ -421,6 +421,8 @@ public Response createOrUpdate(@PathParam("vaultId") UUID vaultId, @Valid @NotNu
 		vault.description = vaultDto.description;
 		vault.archived = existingVault.isEmpty() ? false : vaultDto.archived;
 
+		vault.metadata = vaultDto.metadata;
+
 		vault.persistAndFlush(); // trigger PersistenceException before we continue with
 		if (existingVault.isEmpty()) {
 			var access = new VaultAccess();
@@ -504,10 +506,11 @@ public record VaultDto(@JsonProperty("id") UUID id,
 						   @JsonProperty("masterkey") @OnlyBase64Chars String masterkey, @JsonProperty("iterations") Integer iterations,
 						   @JsonProperty("salt") @OnlyBase64Chars String salt,
 						   @JsonProperty("authPublicKey") @OnlyBase64Chars String authPublicKey, @JsonProperty("authPrivateKey") @OnlyBase64Chars String authPrivateKey
+							,@JsonProperty("metadata") @NotNull String metadata
 	) {
 
 		public static VaultDto fromEntity(Vault entity) {
-			return new VaultDto(entity.id, entity.name, entity.description, entity.archived, entity.creationTime.truncatedTo(ChronoUnit.MILLIS), entity.masterkey, entity.iterations, entity.salt, entity.authenticationPublicKey, entity.authenticationPrivateKey);
+			return new VaultDto(entity.id, entity.name, entity.description, entity.archived, entity.creationTime.truncatedTo(ChronoUnit.MILLIS), entity.masterkey, entity.iterations, entity.salt, entity.authenticationPublicKey, entity.authenticationPrivateKey, entity.metadata);
 		}
 
 	}
diff --git a/backend/src/main/java/org/cryptomator/hub/entities/Vault.java b/backend/src/main/java/org/cryptomator/hub/entities/Vault.java
index 682b17e10..e08d96be6 100644
--- a/backend/src/main/java/org/cryptomator/hub/entities/Vault.java
+++ b/backend/src/main/java/org/cryptomator/hub/entities/Vault.java
@@ -104,6 +104,9 @@ public class Vault extends PanacheEntityBase {
 	@Column(name = "archived", nullable = false)
 	public boolean archived;
 
+	@Column(name = "metadata", nullable = false)
+	public String metadata;
+
 	public Optional<ECPublicKey> getAuthenticationPublicKey() {
 		if (authenticationPublicKey == null) {
 			return Optional.empty();
diff --git a/backend/src/main/resources/org/cryptomator/hub/flyway/V15__Vault_Metadata.sql b/backend/src/main/resources/org/cryptomator/hub/flyway/V15__Vault_Metadata.sql
new file mode 100644
index 000000000..96cdc6b4f
--- /dev/null
+++ b/backend/src/main/resources/org/cryptomator/hub/flyway/V15__Vault_Metadata.sql
@@ -0,0 +1 @@
+ALTER TABLE vault ADD metadata VARCHAR UNIQUE; -- encrypted using uvf vault masterkey A256KW
diff --git a/backend/src/test/java/org/cryptomator/hub/api/VaultResourceTest.java b/backend/src/test/java/org/cryptomator/hub/api/VaultResourceTest.java
index abcc9fa25..50a2060c6 100644
--- a/backend/src/test/java/org/cryptomator/hub/api/VaultResourceTest.java
+++ b/backend/src/test/java/org/cryptomator/hub/api/VaultResourceTest.java
@@ -48,9 +48,8 @@
 import static org.hamcrest.CoreMatchers.hasItems;
 import static org.hamcrest.CoreMatchers.is;
 import static org.hamcrest.CoreMatchers.not;
-import static org.hamcrest.Matchers.comparesEqualTo;
 import static org.hamcrest.Matchers.equalTo;
-import static org.hamcrest.Matchers.hasSize;
+import static org.hamcrest.Matchers.*;
 import static org.hamcrest.text.IsEqualIgnoringCase.equalToIgnoringCase;
 
 @QuarkusTest
@@ -82,10 +81,13 @@ public class TestVaultDtoValidation {
 		private static final String VALID_SALT = "base64";
 		private static final String VALID_AUTH_PUB = "base64";
 		private static final String VALID_AUTH_PRI = "base64";
+		private static final String VALID_METADATA = "base64";
 
 		@Test
 		public void testValidDto() {
-			var dto = new VaultResource.VaultDto(VALID_ID, VALID_NAME, "foobarbaz", false, Instant.parse("2020-02-20T20:20:20Z"), VALID_MASTERKEY, 8, VALID_SALT, VALID_AUTH_PUB, VALID_AUTH_PRI);
+			var dto = new VaultResource.VaultDto(VALID_ID, VALID_NAME, "foobarbaz", false, Instant.parse("2020-02-20T20:20:20Z"), VALID_MASTERKEY, 8, VALID_SALT, VALID_AUTH_PUB
+					, VALID_AUTH_PRI, VALID_METADATA
+			);
 			var violations = validator.validate(dto);
 			MatcherAssert.assertThat(violations, Matchers.empty());
 		}
@@ -193,7 +195,8 @@ public void testUnlock2() {
 			}
 
 			@Test
-			@DisplayName("GET /vaults/7E57C0DE-0000-4000-8000-000100001111/keys/noSuchDevice returns 403") // legacy unlock must not encourage to register a legacy device by responding with 404 here
+			@DisplayName("GET /vaults/7E57C0DE-0000-4000-8000-000100001111/keys/noSuchDevice returns 403")
+			// legacy unlock must not encourage to register a legacy device by responding with 404 here
 			public void testUnlock3() {
 				when().get("/vaults/{vaultId}/keys/{deviceId}", "7E57C0DE-0000-4000-8000-000100001111", "noSuchDevice")
 						.then().statusCode(403);
@@ -247,7 +250,7 @@ public class CreateVaults {
 		@DisplayName("PUT /vaults/7E57C0DE-0000-4000-8000-000100003333 returns 201")
 		public void testCreateVault1() {
 			var uuid = UUID.fromString("7E57C0DE-0000-4000-8000-000100003333");
-			var vaultDto = new VaultResource.VaultDto(uuid, "My Vault", "Test vault 3", false, Instant.parse("2112-12-21T21:12:21Z"), "masterkey3", 42, "NaCl", "authPubKey3", "authPrvKey3");
+			var vaultDto = new VaultResource.VaultDto(uuid, "My Vault", "Test vault 3", false, Instant.parse("2112-12-21T21:12:21Z"), "masterkey3", 42, "NaCl", "authPubKey3", "authPrvKey3", "metadata1");
 
 			given().contentType(ContentType.JSON).body(vaultDto)
 					.when().put("/vaults/{vaultId}", "7E57C0DE-0000-4000-8000-000100003333")
@@ -272,7 +275,7 @@ public void testCreateVault2() {
 		@DisplayName("PUT /vaults/7E57C0DE-0000-4000-8000-000100004444 returns 201 ignoring archived flag")
 		public void testCreateVault3() {
 			var uuid = UUID.fromString("7E57C0DE-0000-4000-8000-000100004444");
-			var vaultDto = new VaultResource.VaultDto(uuid, "My Vault", "Test vault 4", true, Instant.parse("2112-12-21T21:12:21Z"), "masterkey4", 42, "NaCl", "authPubKey4", "authPrvKey4");
+			var vaultDto = new VaultResource.VaultDto(uuid, "My Vault", "Test vault 4", true, Instant.parse("2112-12-21T21:12:21Z"), "masterkey4", 42, "NaCl", "authPubKey4", "authPrvKey4", "metadata3");
 
 			given().contentType(ContentType.JSON).body(vaultDto)
 					.when().put("/vaults/{vaultId}", "7E57C0DE-0000-4000-8000-000100004444")
@@ -288,7 +291,7 @@ public void testCreateVault3() {
 		@DisplayName("PUT /vaults/7E57C0DE-0000-4000-8000-000100003333 returns 200, updating only name, description and archive flag")
 		public void testUpdateVault() {
 			var uuid = UUID.fromString("7E57C0DE-0000-4000-8000-000100003333");
-			var vaultDto = new VaultResource.VaultDto(uuid, "VaultUpdated", "Vault updated.", true, Instant.parse("2222-11-11T11:11:11Z"), "doNotUpdate", 27, "doNotUpdate", "doNotUpdate", "doNotUpdate");
+			var vaultDto = new VaultResource.VaultDto(uuid, "VaultUpdated", "Vault updated.", true, Instant.parse("2222-11-11T11:11:11Z"), "doNotUpdate", 27, "doNotUpdate", "doNotUpdate", "doNotUpdate", "metadata4");
 			given().contentType(ContentType.JSON)
 					.body(vaultDto)
 					.when().put("/vaults/{vaultId}", "7E57C0DE-0000-4000-8000-000100003333")
@@ -750,7 +753,7 @@ public void testCreateVaultExceedingSeats() {
 			assert EffectiveVaultAccess.countSeatOccupyingUsers() == 5;
 
 			var uuid = UUID.fromString("7E57C0DE-0000-4000-8000-0001FFFF3333");
-			var vaultDto = new VaultResource.VaultDto(uuid, "My Vault", "Test vault 4", false, Instant.parse("2112-12-21T21:12:21Z"), "masterkey3", 42, "NaCl", "authPubKey3", "authPrvKey3");
+			var vaultDto = new VaultResource.VaultDto(uuid, "My Vault", "Test vault 4", false, Instant.parse("2112-12-21T21:12:21Z"), "masterkey3", 42, "NaCl", "authPubKey3", "authPrvKey3", "metadata5");
 			given().contentType(ContentType.JSON).body(vaultDto)
 					.when().put("/vaults/{vaultId}", "7E57C0DE-0000-4000-8000-0001FFFF3333")
 					.then().statusCode(402);
@@ -763,7 +766,7 @@ public void testCreateVaultNotExceedingSeats() {
 			assert EffectiveVaultAccess.countSeatOccupyingUsers() == 5;
 
 			var uuid = UUID.fromString("7E57C0DE-0000-4000-8000-0001FFFF3333");
-			var vaultDto = new VaultResource.VaultDto(uuid, "My Vault", "Test vault 3", false, Instant.parse("2112-12-21T21:12:21Z"), "masterkey3", 42, "NaCl", "authPubKey3", "authPrvKey3");
+			var vaultDto = new VaultResource.VaultDto(uuid, "My Vault", "Test vault 3", false, Instant.parse("2112-12-21T21:12:21Z"), "masterkey3", 42, "NaCl", "authPubKey3", "authPrvKey3", "metadata6");
 			given().contentType(ContentType.JSON).body(vaultDto)
 					.when().put("/vaults/{vaultId}", "7E57C0DE-0000-4000-8000-0001FFFF3333")
 					.then().statusCode(201)
@@ -780,7 +783,7 @@ public void testUpdateVaultDespiteLicenseExceeded() {
 			assert EffectiveVaultAccess.countSeatOccupyingUsers() == 5;
 
 			var uuid = UUID.fromString("7E57C0DE-0000-4000-8000-0001FFFF3333");
-			var vaultDto = new VaultResource.VaultDto(uuid, "VaultUpdated", "Vault updated.", true, Instant.parse("2222-11-11T11:11:11Z"), "someVaule", -1, "doNotUpdate", "doNotUpdate", "doNotUpdate");
+			var vaultDto = new VaultResource.VaultDto(uuid, "VaultUpdated", "Vault updated.", true, Instant.parse("2222-11-11T11:11:11Z"), "someVaule", -1, "doNotUpdate", "doNotUpdate", "doNotUpdate", "metadata7");
 			given().contentType(ContentType.JSON)
 					.body(vaultDto)
 					.when().put("/vaults/{vaultId}", "7E57C0DE-0000-4000-8000-0001FFFF3333")
@@ -871,6 +874,7 @@ public static void setup() throws GeneralSecurityException {
 			v.name = "ownership-test-vault";
 			v.creationTime = Instant.now();
 			v.authenticationPublicKey = Base64.getEncoder().encodeToString(keyPair.getPublic().getEncoded());
+			v.metadata = UUID.randomUUID().toString();
 			v.persist();
 		}
 
diff --git a/backend/src/test/resources/org/cryptomator/hub/flyway/V9999__Test_Data.sql b/backend/src/test/resources/org/cryptomator/hub/flyway/V9999__Test_Data.sql
index 3ac426e73..b42ebdcd7 100644
--- a/backend/src/test/resources/org/cryptomator/hub/flyway/V9999__Test_Data.sql
+++ b/backend/src/test/resources/org/cryptomator/hub/flyway/V9999__Test_Data.sql
@@ -29,20 +29,23 @@ VALUES
 	('group1', 'user1'),
 	('group2', 'user2');
 
-INSERT INTO "vault" ("id", "name", "description", "creation_time", "salt", "iterations", "masterkey", "auth_pubkey", "auth_prvkey", "archived")
+INSERT INTO "vault" ("id", "name", "description", "creation_time", "salt", "iterations", "masterkey", "auth_pubkey", "auth_prvkey", "archived" , "metadata" )
 VALUES
 	('7E57C0DE-0000-4000-8000-000100001111', 'Vault 1', 'This is a testvault.', '2020-02-20 20:20:20', 'salt1', 42, 'masterkey1',
 	 'MHYwEAYHKoZIzj0CAQYFK4EEACIDYgAElS+JW3VaBvVr9GKZGn1399WDTd61Q9fwQMmZuBGAYPdl/rWk705QY6WhlmbokmEVva/mEHSoNQ98wFm9FBCqzh45IGd/DGwZ04Xhi5ah+1bKbkVhtds8nZtHRdSJokYp',
 	 'MIG2AgEAMBAGByqGSM49AgEGBSuBBAAiBIGeMIGbAgEBBDAa57e0Q/KAqmIVOVcWX7b+Sm5YVNRUx8W7nc4wk1IBj2QJmsj+MeShQRHG4ozTE9KhZANiAASVL4lbdVoG9Wv0YpkafXf31YNN3rVD1/BAyZm4EYBg92X+taTvTlBjpaGWZuiSYRW9r+YQdKg1D3zAWb0UEKrOHjkgZ38MbBnTheGLlqH7VspuRWG12zydm0dF1ImiRik=',
-	 FALSE),
+	 FALSE, 'm1'
+	 ),
 	('7E57C0DE-0000-4000-8000-000100002222', 'Vault 2', 'This is a testvault.', '2020-02-20 20:20:20', 'salt2', 42, 'masterkey2',
 	 'MHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEC1uWSXj2czCDwMTLWV5BFmwxdM6PX9p+Pk9Yf9rIf374m5XP1U8q79dBhLSIuaojsvOT39UUcPJROSD1FqYLued0rXiooIii1D3jaW6pmGVJFhodzC31cy5sfOYotrzF',
 	 'MIG2AgEAMBAGByqGSM49AgEGBSuBBAAiBIGeMIGbAgEBBDCAHpFQ62QnGCEvYh/pE9QmR1C9aLcDItRbslbmhen/h1tt8AyMhskeenT+rAyyPhGhZANiAAQLW5ZJePZzMIPAxMtZXkEWbDF0zo9f2n4+T1h/2sh/fviblc/VTyrv10GEtIi5qiOy85Pf1RRw8lE5IPUWpgu553SteKigiKLUPeNpbqmYZUkWGh3MLfVzLmx85ii2vMU=',
-	 FALSE),
+	 FALSE, 'm2'
+	 ),
 	('7E57C0DE-0000-4000-8000-00010000AAAA', 'Vault Archived', 'This is a archived vault.', '2020-02-20 20:20:20', 'salt3', 42, 'masterkey3',
 	 'MHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEC1uWSXj2czCDwMTLWV5BFmwxdM6PX9p+Pk9Yf9rIf374m5XP1U8q79dBhLSIuaojsvOT39UUcPJROSD1FqYLued0rXiooIii1D3jaW6pmGVJFhodzC31cy5sfOYotrzF',
 	 'MIG2AgEAMBAGByqGSM49AgEGBSuBBAAiBIGeMIGbAgEBBDCAHpFQ62QnGCEvYh/pE9QmR1C9aLcDItRbslbmhen/h1tt8AyMhskeenT+rAyyPhGhZANiAAQLW5ZJePZzMIPAxMtZXkEWbDF0zo9f2n4+T1h/2sh/fviblc/VTyrv10GEtIi5qiOy85Pf1RRw8lE5IPUWpgu553SteKigiKLUPeNpbqmYZUkWGh3MLfVzLmx85ii2vMU=',
-	 TRUE);
+	 TRUE, 'm3'
+	 );
 
 INSERT INTO "vault_access" ("vault_id", "authority_id", "role")
 VALUES
diff --git a/frontend/src/common/backend.ts b/frontend/src/common/backend.ts
index 0196012cc..969738c7d 100644
--- a/frontend/src/common/backend.ts
+++ b/frontend/src/common/backend.ts
@@ -46,6 +46,7 @@ export type VaultDto = {
   salt?: string;
   authPublicKey?: string;
   authPrivateKey?: string;
+  metadata: string;
 };
 
 export type DeviceDto = {
@@ -195,6 +196,18 @@ export type VersionDto = {
   keycloakVersion: string;
 }
 
+export type ConfigDto = {
+    keycloakUrl: string;
+    keycloakRealm: string;
+    keycloakClientIdHub: string;
+    keycloakClientIdCryptomator: string;
+    keycloakAuthEndpoint: string;
+    keycloakTokenEndpoint: string;
+    serverTime: string;
+    apiLevel: number;
+    uuid: string;
+}
+
 /* Services */
 
 export interface VaultIdHeader extends JWTHeader {
@@ -250,8 +263,12 @@ class VaultService {
       .catch(err => rethrowAndConvertIfExpected(err, 403));
   }
 
-  public async createOrUpdateVault(vaultId: string, name: string, archived: boolean, description?: string): Promise<VaultDto> {
-    const body: VaultDto = { id: vaultId, name: name, description: description, archived: archived, creationTime: new Date() };
+  public async createOrUpdateVault(vaultId: string, name: string, archived: boolean
+  , metadata: string
+  , description?: string): Promise<VaultDto> {
+    const body: VaultDto = { id: vaultId, name: name, description: description, archived: archived, creationTime: new Date()
+    , metadata: metadata
+    };
     return axiosAuth.put(`/vaults/${vaultId}`, body)
       .then(response => response.data)
       .catch((error) => rethrowAndConvertIfExpected(error, 402, 404));
@@ -439,3 +456,18 @@ export class ConflictError extends BackendError {
     super('Resource already exists');
   }
 }
+
+export type VaultMetadataJWEAutomaticAccessGrantDto = {
+    enabled: boolean,
+    maxWotDepth: number
+}
+
+export type VaultMetadataJWEDto = {
+    fileFormat: string;
+    nameFormat: string;
+    keys: Record<string,string>;
+    latestFileKey: string;
+    nameKey: string;
+    kdf: string;
+    automaticAccessGrant: VaultMetadataJWEAutomaticAccessGrantDto;
+}
\ No newline at end of file
diff --git a/frontend/src/common/crypto.ts b/frontend/src/common/crypto.ts
index 9895b0b08..934145de5 100644
--- a/frontend/src/common/crypto.ts
+++ b/frontend/src/common/crypto.ts
@@ -2,6 +2,9 @@ import * as miscreant from 'miscreant';
 import { base16, base32, base64, base64url } from 'rfc4648';
 import { JWEBuilder, JWEParser } from './jwe';
 import { CRC32, DB, wordEncoder } from './util';
+
+import { VaultMetadataJWEAutomaticAccessGrantDto } from './backend';
+
 export class UnwrapKeyError extends Error {
   readonly actualError: any;
 
@@ -29,8 +32,13 @@ export interface VaultConfigHeaderHub {
   devicesResourceUrl: string
 }
 
-interface JWEPayload {
+interface UserKeysJWEPayload {
+  key: string
+}
+
+interface VaultKeysWEPayload {
   key: string
+  uvfKey: string
 }
 
 const GCM_NONCE_LEN = 12;
@@ -46,14 +54,19 @@ export class VaultKeys {
     length: 512
   };
 
+  // in uvf setting, the vault masterKey is used to encrypt the vault metadata JWE using A256KW
+  private static readonly UVF_MASTERKEY_KEY_DESIGNATION = { name: 'AES-KW', length: 256 };
+
   readonly masterKey: CryptoKey;
+  readonly uvfMasterKey: CryptoKey;
 
-  protected constructor(masterkey: CryptoKey) {
-    this.masterKey = masterkey;
+  protected constructor(masterKey: CryptoKey, uvfMasterKey: CryptoKey) {
+    this.masterKey = masterKey;
+    this.uvfMasterKey = uvfMasterKey;
   }
 
   /**
-   * Creates a new masterkey
+   * Creates a new masterkey (vault8 and uvf)
    * @returns A new masterkey
    */
   public static async create(): Promise<VaultKeys> {
@@ -62,22 +75,31 @@ export class VaultKeys {
       true,
       ['sign']
     );
-    return new VaultKeys(await key);
+    const uvfKey = crypto.subtle.generateKey(
+      VaultKeys.UVF_MASTERKEY_KEY_DESIGNATION,
+      true,
+      ['wrapKey', 'unwrapKey']
+    );
+    return new VaultKeys(await key, await uvfKey);
   }
 
+
   /**
-   * Decrypts the vault's masterkey using the user's private key
+   * Decrypts the vault's masterkey (vault8 and uvf) using the user's private key
    * @param jwe JWE containing the vault key
    * @param userPrivateKey The user's private key
    * @returns The masterkey
    */
   public static async decryptWithUserKey(jwe: string, userPrivateKey: CryptoKey): Promise<VaultKeys> {
     let rawKey = new Uint8Array();
+    let rawUvfKey = new Uint8Array();
     try {
-      const payload: JWEPayload = await JWEParser.parse(jwe).decryptEcdhEs(userPrivateKey);
+      const payload: VaultKeysWEPayload = await JWEParser.parse(jwe).decryptEcdhEs(userPrivateKey);
       rawKey = base64.parse(payload.key);
-      const masterkey = crypto.subtle.importKey('raw', rawKey, VaultKeys.MASTERKEY_KEY_DESIGNATION, true, ['sign']);
-      return new VaultKeys(await masterkey);
+      rawUvfKey = base64.parse(payload.uvfKey);
+      const masterKey = crypto.subtle.importKey('raw', rawKey, VaultKeys.MASTERKEY_KEY_DESIGNATION, true, ['sign']);
+      const uvfMasterKey = crypto.subtle.importKey('raw', rawUvfKey, VaultKeys.UVF_MASTERKEY_KEY_DESIGNATION, true, ['wrapKey', 'unwrapKey']);
+      return new VaultKeys(await masterKey, await uvfMasterKey);
     } finally {
       rawKey.fill(0x00);
     }
@@ -141,7 +163,8 @@ export class VaultKeys {
         true,
         ['verify']
       );
-      return [new VaultKeys(await masterkey), { privateKey: await privKey, publicKey: await pubKey }];
+      // TODO https://github.com/encryption-alliance/unified-vault-format/pull/19 upstream legacy integration for uvf?
+      return [new VaultKeys(await masterkey, await masterkey), { privateKey: await privKey, publicKey: await pubKey }];
     } catch (error) {
       throw new UnwrapKeyError(error);
     }
@@ -174,7 +197,8 @@ export class VaultKeys {
       true,
       ['sign']
     );
-    return new VaultKeys(await key);
+    // TODO https://github.com/encryption-alliance/unified-vault-format/pull/19 upstream legacy integration for uvf?
+    return new VaultKeys(await key, await key);
   }
 
   public async createVaultConfig(kid: string, hubConfig: VaultConfigHeaderHub, payload: VaultConfigPayload): Promise<string> {
@@ -215,16 +239,18 @@ export class VaultKeys {
   }
 
   /**
-   * Encrypts this masterkey using the given public key
+   * Encrypts this masterkey (vault8 and uvf) using the given public key
    * @param userPublicKey The recipient's public key (DER-encoded)
    * @returns a JWE containing this Masterkey
    */
   public async encryptForUser(userPublicKey: Uint8Array): Promise<string> {
     const publicKey = await crypto.subtle.importKey('spki', userPublicKey, UserKeys.KEY_DESIGNATION, false, []);
     const rawkey = new Uint8Array(await crypto.subtle.exportKey('raw', this.masterKey));
+    const rawUvfKey = new Uint8Array(await crypto.subtle.exportKey('raw', this.uvfMasterKey));
     try {
-      const payload: JWEPayload = {
-        key: base64.stringify(rawkey)
+      const payload: VaultKeysWEPayload = {
+        key: base64.stringify(rawkey),
+        uvfKey: base64.stringify(rawUvfKey)
       };
       return JWEBuilder.ecdhEs(publicKey).encrypt(payload);
     } finally {
@@ -282,7 +308,7 @@ export class UserKeys {
    * @throws {UnwrapKeyError} when attempting to decrypt the private key using an incorrect setupCode
    */
   public static async recover(encodedPublicKey: string, encryptedPrivateKey: string, setupCode: string): Promise<UserKeys> {
-    const jwe: JWEPayload = await JWEParser.parse(encryptedPrivateKey).decryptPbes2(setupCode);
+    const jwe: UserKeysJWEPayload = await JWEParser.parse(encryptedPrivateKey).decryptPbes2(setupCode);
     const decodedPublicKey = base64.parse(encodedPublicKey, { loose: true });
     const decodedPrivateKey = base64.parse(jwe.key, { loose: true });
     const privateKey = crypto.subtle.importKey('pkcs8', decodedPrivateKey, UserKeys.KEY_DESIGNATION, true, UserKeys.KEY_USAGES);
@@ -308,7 +334,7 @@ export class UserKeys {
   public async encryptedPrivateKey(setupCode: string): Promise<string> {
     const rawkey = new Uint8Array(await crypto.subtle.exportKey('pkcs8', this.keyPair.privateKey));
     try {
-      const payload: JWEPayload = {
+      const payload: UserKeysJWEPayload = {
         key: base64.stringify(rawkey)
       };
       return await JWEBuilder.pbes2(setupCode).encrypt(payload);
@@ -327,7 +353,7 @@ export class UserKeys {
     const publicKey = await UserKeys.publicKey(devicePublicKey);
     const rawkey = new Uint8Array(await crypto.subtle.exportKey('pkcs8', this.keyPair.privateKey));
     try {
-      const payload: JWEPayload = {
+      const payload: UserKeysJWEPayload = {
         key: base64.stringify(rawkey)
       };
       return JWEBuilder.ecdhEs(publicKey).encrypt(payload);
@@ -347,7 +373,7 @@ export class UserKeys {
     const publicKey = await UserKeys.publicKey(userPublicKey);
     let rawKey = new Uint8Array();
     try {
-      const payload: JWEPayload = await JWEParser.parse(jwe).decryptEcdhEs(browserPrivateKey);
+      const payload: UserKeysJWEPayload = await JWEParser.parse(jwe).decryptEcdhEs(browserPrivateKey);
       rawKey = base64.parse(payload.key);
       const privateKey = await crypto.subtle.importKey('pkcs8', rawKey, UserKeys.KEY_DESIGNATION, true, UserKeys.KEY_USAGES);
       return new UserKeys({ publicKey: publicKey, privateKey: privateKey });
@@ -449,3 +475,116 @@ export async function getFingerprint(key: string | undefined) {
     return hashHex;
   }
 }
+
+export class VaultMetadata {
+  // a 256 bit = 32 byte file key for data encryption
+  private static readonly RAWKEY_KEY_DESIGNATION: HmacImportParams | HmacKeyGenParams = {
+    name: 'HMAC',
+    hash: 'SHA-256',
+    length: 256
+  };
+
+  readonly automaticAccessGrant: VaultMetadataJWEAutomaticAccessGrantDto;
+  readonly keys: Record<string,CryptoKey>;
+  readonly latestFileKey: string;
+  readonly nameKey: string;
+
+  protected constructor(automaticAccessGrant: VaultMetadataJWEAutomaticAccessGrantDto, keys: Record<string,CryptoKey>, latestFileKey: string, nameKey: string) {
+    this.automaticAccessGrant = automaticAccessGrant;
+    this.keys = keys;
+    this.latestFileKey = latestFileKey;
+    this.nameKey = nameKey;
+  }
+
+  /**
+   * Creates new vault metadata with a new file key and name key
+   * @returns new vault metadata
+   */
+  public static async create(automaticAccessGrant: VaultMetadataJWEAutomaticAccessGrantDto): Promise<VaultMetadata> {
+    const fileKey = crypto.subtle.generateKey(
+      VaultMetadata.RAWKEY_KEY_DESIGNATION,
+      true,
+      // TODO https://github.com/encryption-alliance/unified-vault-format/pull/19 is this correct?
+      ['sign']
+    );
+    const nameKey = crypto.subtle.generateKey(
+      VaultMetadata.RAWKEY_KEY_DESIGNATION,
+      true,
+      // TODO https://github.com/encryption-alliance/unified-vault-format/pull/19 is this correct?
+      ['sign']
+    );
+    const fileKeyId = Array(4).fill(null).map(()=>"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789".charAt(Math.random()*62)).join("")
+    const nameKeyId = Array(4).fill(null).map(()=>"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789".charAt(Math.random()*62)).join("")
+    const keys: Record<string,CryptoKey> = {};
+    keys[fileKeyId] = await fileKey;
+    keys[nameKeyId] = await nameKey;
+    return new VaultMetadata(automaticAccessGrant, keys, fileKeyId, nameKeyId);
+  }
+
+  /**
+   * Decrypts the vault metadata using the vault masterkey
+   * @param jwe JWE containing the vault key
+   * @param masterKey the vault masterKey
+   * @returns vault metadata
+   */
+  public static async decryptWithMasterKey(jwe: string, masterKey: CryptoKey): Promise<VaultMetadata> {
+      const payload = await JWEParser.parse(jwe).decryptA256kw(masterKey);
+      const keys: Record<string,string> = payload['keys'];
+      const keysImported: Record<string,CryptoKey> = payload['keys'];
+      for (const k in keys) {
+        // TODO https://github.com/encryption-alliance/unified-vault-format/pull/19 is this correct?
+        keysImported[k] = await crypto.subtle.importKey('raw', base64.parse(keys[k]), VaultMetadata.RAWKEY_KEY_DESIGNATION, true, ['sign']);
+      }
+      const latestFileKey = payload['latestFileKey']
+      const nameKey = payload['nameKey']
+      return new VaultMetadata(
+        payload['org.cryptomator.automaticAccessGrant'],
+        keysImported,
+        latestFileKey,
+        nameKey
+      );
+  }
+
+  /**
+   * Encrypts the vault metadata using the given vault masterKey
+   * @param userPublicKey The recipient's public key (DER-encoded)
+   * @returns a JWE containing this Masterkey
+   */
+  public async encryptWithMasterKey(masterKey: CryptoKey): Promise<string> {
+  const keysExported: Record<string,string> = {};
+    for (const k in this.keys) {
+      keysExported[k] = base64.stringify(new Uint8Array(await crypto.subtle.exportKey('raw', this.keys[k])));
+    }
+    const payload = {
+        fileFormat: "AES-256-GCM-32k",
+        nameFormat: "AES-256-SIV",
+        keys: keysExported,
+        latestFileKey: this.latestFileKey,
+        nameKey: this.nameKey,
+        // TODO https://github.com/encryption-alliance/unified-vault-format/pull/21 finalize kdf
+        kdf: "1STEP-HMAC-SHA512",
+        'org.cryptomator.automaticAccessGrant': this.automaticAccessGrant
+    }
+    return JWEBuilder.a256kw(masterKey).encrypt(payload);
+  }
+
+  public async hashDirectoryId(cleartextDirectoryId: string): Promise<string> {
+    const dirHash = new TextEncoder().encode(cleartextDirectoryId);
+    // TODO https://github.com/encryption-alliance/unified-vault-format/pull/19 !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! MUST NEVER BE RELEASED LIKE THIS
+    // TODO https://github.com/encryption-alliance/unified-vault-format/pull/19 use rawFileKey,rawNameKey for rootDirHash for now - should depend on nameKey only!!
+    const rawkey = new Uint8Array([...new Uint8Array(await crypto.subtle.exportKey('raw', this.keys[this.latestFileKey])),...new Uint8Array(await crypto.subtle.exportKey('raw', this.keys[this.nameKey]))]);
+    try {
+      // miscreant lib requires mac key first and then the enc key
+      const encKey = rawkey.subarray(0, rawkey.length / 2 | 0);
+      const macKey = rawkey.subarray(rawkey.length / 2 | 0);
+      const shiftedRawKey = new Uint8Array([...macKey, ...encKey]);
+      const key = await miscreant.SIV.importKey(shiftedRawKey, 'AES-SIV');
+      const ciphertext = await key.seal(dirHash, []);
+      // hash is only used as deterministic scheme for the root dir
+      const hash = await crypto.subtle.digest('SHA-1', ciphertext);
+      return base32.stringify(new Uint8Array(hash));
+    } finally {
+      rawkey.fill(0x00);
+    }
+  }
+}
diff --git a/frontend/src/common/vaultconfig.ts b/frontend/src/common/vaultconfig.ts
index ba6b380f5..7ba183c04 100644
--- a/frontend/src/common/vaultconfig.ts
+++ b/frontend/src/common/vaultconfig.ts
@@ -4,14 +4,16 @@ import { VaultConfigHeaderHub, VaultConfigPayload, VaultKeys } from '../common/c
 
 export class VaultConfig {
   readonly vaultConfigToken: string;
-  private readonly rootDirHash: string;
+  readonly rootDirHash: string;
+  readonly vaultUvf: string;
 
-  private constructor(vaultConfigToken: string, rootDirHash: string) {
+  private constructor(vaultConfigToken: string, vaultUvf: string, rootDirHash: string) {
     this.vaultConfigToken = vaultConfigToken;
+    this.vaultUvf = vaultUvf;
     this.rootDirHash = rootDirHash;
   }
 
-  public static async create(vaultId: string, vaultKeys: VaultKeys): Promise<VaultConfig> {
+  public static async create(vaultId: string, vaultKeys: VaultKeys, vaultUvf: string): Promise<VaultConfig> {
     const cfg = config.get();
 
     const kid = `hub+${absBackendBaseURL}vaults/${vaultId}`;
@@ -35,12 +37,14 @@ export class VaultConfig {
 
     const vaultConfigToken = await vaultKeys.createVaultConfig(kid, hubConfig, jwtPayload);
     const rootDirHash = await vaultKeys.hashDirectoryId('');
-    return new VaultConfig(vaultConfigToken, rootDirHash);
+    return new VaultConfig(vaultConfigToken, vaultUvf, rootDirHash);
   }
 
   public async exportTemplate(): Promise<Blob> {
     const zip = new JSZip();
+    // TODO https://github.com/encryption-alliance/unified-vault-format/pull/19 what about vault.uvf? Not in template but only in vault dto?
     zip.file('vault.cryptomator', this.vaultConfigToken);
+    zip.file('vault.uvf', this.vaultUvf);
     zip.folder('d')?.folder(this.rootDirHash.substring(0, 2))?.folder(this.rootDirHash.substring(2));
     return zip.generateAsync({ type: 'blob' });
   }
diff --git a/frontend/src/components/ArchiveVaultDialog.vue b/frontend/src/components/ArchiveVaultDialog.vue
index 1e1a846e0..880d82c9c 100644
--- a/frontend/src/components/ArchiveVaultDialog.vue
+++ b/frontend/src/components/ArchiveVaultDialog.vue
@@ -81,7 +81,7 @@ async function archiveVault() {
   onArchiveVaultError.value = null;
   const v = props.vault;
   try {
-    const vaultDto = await backend.vaults.createOrUpdateVault(v.id, v.name, true, v.description);
+    const vaultDto = await backend.vaults.createOrUpdateVault(v.id, v.name, true, v.metadata, v.description);
     emit('archived', vaultDto);
     open.value = false;
   } catch (error) {
diff --git a/frontend/src/components/CreateVault.vue b/frontend/src/components/CreateVault.vue
index 02cca908b..93181b03b 100644
--- a/frontend/src/components/CreateVault.vue
+++ b/frontend/src/components/CreateVault.vue
@@ -185,7 +185,7 @@ import { base64 } from 'rfc4648';
 import { onMounted, ref } from 'vue';
 import { useI18n } from 'vue-i18n';
 import backend, { PaymentRequiredError } from '../common/backend';
-import { VaultKeys } from '../common/crypto';
+import { VaultKeys, VaultMetadata } from '../common/crypto';
 import { debounce } from '../common/util';
 import { VaultConfig } from '../common/vaultconfig';
 
@@ -292,9 +292,14 @@ async function createVault() {
       throw new Error('Invalid state');
     }
     const vaultId = crypto.randomUUID();
-    vaultConfig.value = await VaultConfig.create(vaultId, vaultKeys.value);
+    const vaultMetadata: VaultMetadata = await VaultMetadata.create({
+       enabled: true,
+       maxWotDepth: -1
+    });
+    const vaultMetadataEncrypted = await vaultMetadata.encryptWithMasterKey(vaultKeys.value.uvfMasterKey);
+    vaultConfig.value = await VaultConfig.create(vaultId, vaultKeys.value, vaultMetadataEncrypted);
     const ownerJwe = await vaultKeys.value.encryptForUser(base64.parse(owner.publicKey));
-    await backend.vaults.createOrUpdateVault(vaultId, vaultName.value, false, vaultDescription.value);
+    await backend.vaults.createOrUpdateVault(vaultId, vaultName.value, false, vaultMetadataEncrypted, vaultDescription.value);
     await backend.vaults.grantAccess(vaultId, { userId: owner.id, token: ownerJwe });
     state.value = State.Finished;
   } catch (error) {
diff --git a/frontend/src/components/DownloadVaultTemplateDialog.vue b/frontend/src/components/DownloadVaultTemplateDialog.vue
index 1a067ec4b..b12400ac6 100644
--- a/frontend/src/components/DownloadVaultTemplateDialog.vue
+++ b/frontend/src/components/DownloadVaultTemplateDialog.vue
@@ -93,7 +93,7 @@ async function downloadVault() {
 }
 
 async function generateVaultZip(): Promise<Blob> {
-  const config = await VaultConfig.create(props.vault.id, props.vaultKeys);
+  const config = await VaultConfig.create(props.vault.id, props.vaultKeys, props.vault.metadata);
   return await config.exportTemplate();
 }
 </script>
diff --git a/frontend/src/components/EditVaultMetadataDialog.vue b/frontend/src/components/EditVaultMetadataDialog.vue
index 2739c2abe..5c7f8642c 100644
--- a/frontend/src/components/EditVaultMetadataDialog.vue
+++ b/frontend/src/components/EditVaultMetadataDialog.vue
@@ -112,7 +112,7 @@ async function updateVaultMetadata() {
       throw new FormValidationFailedError();
     }
     const vault = props.vault;
-    const updatedVault = await backend.vaults.createOrUpdateVault(vault.id, vaultName.value, vault.archived, vaultDescription.value);
+    const updatedVault = await backend.vaults.createOrUpdateVault(vault.id, vaultName.value, vault.archived, vault.metadata, vaultDescription.value);
     emit('updated', updatedVault);
     open.value = false;
   } catch (error) {
diff --git a/frontend/src/components/ReactivateVaultDialog.vue b/frontend/src/components/ReactivateVaultDialog.vue
index 6bcf75de5..98fa6d5ca 100644
--- a/frontend/src/components/ReactivateVaultDialog.vue
+++ b/frontend/src/components/ReactivateVaultDialog.vue
@@ -81,7 +81,7 @@ async function reactivateVault() {
   onReactivateVaultError.value = null;
   const v = props.vault;
   try {
-    const vaultDto = await backend.vaults.createOrUpdateVault(v.id, v.name, false, v.description);
+    const vaultDto = await backend.vaults.createOrUpdateVault(v.id, v.name, false, v.metadata, v.description);
     emit('reactivated', vaultDto);
     open.value = false;
   } catch (error) {
diff --git a/frontend/test/common/crypto.spec.ts b/frontend/test/common/crypto.spec.ts
index 8b7bd397f..557f450d5 100644
--- a/frontend/test/common/crypto.spec.ts
+++ b/frontend/test/common/crypto.spec.ts
@@ -3,6 +3,9 @@ import chaiAsPromised from 'chai-as-promised';
 import { before, describe } from 'mocha';
 import { base64 } from 'rfc4648';
 import { UnwrapKeyError, UserKeys, VaultKeys } from '../../src/common/crypto';
+import { VaultMetadata } from '../../src/common/crypto';
+import { VaultMetadataJWEAutomaticAccessGrantDto } from '../../src/common/backend';
+import { JWEParser } from '../../src/common/jwe';
 
 chaiUse(chaiAsPromised);
 
@@ -58,8 +61,8 @@ describe('crypto', () => {
 
     it('recover() succeeds for valid key', async () => {
       let recoveryKey = `
-        pathway lift abuse plenty export texture gentleman landscape beyond ceiling around leaf cafe charity 
-        border breakdown victory surely computer cat linger restrict infer crowd live computer true written amazed 
+        pathway lift abuse plenty export texture gentleman landscape beyond ceiling around leaf cafe charity
+        border breakdown victory surely computer cat linger restrict infer crowd live computer true written amazed
         investor boot depth left theory snow whereby terminal weekly reject happiness circuit partial cup ad
         `;
 
@@ -101,7 +104,6 @@ describe('crypto', () => {
       it('decryptWithAdminPassword() with wrong pw', () => {
         return expect(VaultKeys.decryptWithAdminPassword('wrong', wrapped.wrappedMasterkey, wrapped.wrappedOwnerPrivateKey, wrapped.ownerPublicKey, wrapped.salt, wrapped.iterations)).to.eventually.be.rejectedWith(UnwrapKeyError);
       });
-
       it('decryptWithAdminPassword() with correct pw', () => {
         return expect(VaultKeys.decryptWithAdminPassword('pass', wrapped.wrappedMasterkey, wrapped.wrappedOwnerPrivateKey, wrapped.ownerPublicKey, wrapped.salt, wrapped.iterations)).to.eventually.be.fulfilled;
       });
@@ -133,7 +135,6 @@ describe('crypto', () => {
         beforeEach(async () => {
           recoveryKey = await vaultKeys.createRecoveryKey();
         });
-
         it('recover() imports original key', async () => {
           const recovered = await VaultKeys.recover(recoveryKey);
 
@@ -146,7 +147,6 @@ describe('crypto', () => {
       });
     });
   });
-
   describe('UserKeys', () => {
     it('create()', async () => {
       const orig = await UserKeys.create();
@@ -170,6 +170,30 @@ describe('crypto', () => {
     });
   });
 
+  describe('VaultMetadata', () => {
+    // TODO review @sebi what else should we test?
+    it('encryptWithMasterKey() and decryptWithMasterKey()', async () => {
+      const vaultKeys = await VaultKeys.create();
+      const uvfMasterKey: CryptoKey = vaultKeys.uvfMasterKey;
+      const automaticAccessGrant: VaultMetadataJWEAutomaticAccessGrantDto ={
+        "enabled": true,
+        "maxWotDepth": -1
+      }
+      const orig = await VaultMetadata.create(automaticAccessGrant);
+      expect(orig).to.be.not.null;
+      const jwe: string = await orig.encryptWithMasterKey(uvfMasterKey);
+      expect(jwe).to.be.not.null;
+      const decrypted: VaultMetadata = await VaultMetadata.decryptWithMasterKey(jwe,uvfMasterKey);
+      expect(JSON.stringify(decrypted.automaticAccessGrant)).to.eq(JSON.stringify(automaticAccessGrant));
+      const decryptedRaw: any = await JWEParser.parse(jwe).decryptA256kw(uvfMasterKey);
+      expect(decryptedRaw.fileFormat).to.eq("AES-256-GCM-32k");
+      expect(decryptedRaw.latestFileKey).to.eq(orig.latestFileKey);
+      expect(decryptedRaw.nameKey).to.eq(orig.nameKey);
+      expect(decryptedRaw.kdf).to.eq("1STEP-HMAC-SHA512");
+      expect(decryptedRaw['org.cryptomator.automaticAccessGrant']).to.deep.eq(automaticAccessGrant);
+    });
+  });
+
   // base64-encoded test key pairs for use in other implementations (Java, Swift, ...)
   describe('Test Key Pairs', () => {
     it('alice private key (PKCS8)', async () => {
@@ -215,8 +239,8 @@ describe('crypto', () => {
 /* ---------- MOCKS ---------- */
 
 class TestVaultKeys extends VaultKeys {
-  constructor(key: CryptoKey) {
-    super(key);
+  constructor(masterKey: CryptoKey, uvfMasterKey: CryptoKey) {
+    super(masterKey, uvfMasterKey);
   }
 
   static async create() {
@@ -234,7 +258,7 @@ class TestVaultKeys extends VaultKeys {
       true,
       ['sign']
     );
-    return new TestVaultKeys(key);
+    return new TestVaultKeys(key, key);
   }
 }
 

From 55633f19a8f72321fc7c6e7c164435371f9838e8 Mon Sep 17 00:00:00 2001
From: Sebastian Stenzel <sebastian.stenzel@skymatic.de>
Date: Sat, 13 Apr 2024 12:37:41 +0200
Subject: [PATCH 03/94] remove dead code from `backend.ts` for now

---
 frontend/src/common/backend.ts | 30 ++----------------------------
 1 file changed, 2 insertions(+), 28 deletions(-)

diff --git a/frontend/src/common/backend.ts b/frontend/src/common/backend.ts
index 969738c7d..6fa61ca3e 100644
--- a/frontend/src/common/backend.ts
+++ b/frontend/src/common/backend.ts
@@ -196,18 +196,6 @@ export type VersionDto = {
   keycloakVersion: string;
 }
 
-export type ConfigDto = {
-    keycloakUrl: string;
-    keycloakRealm: string;
-    keycloakClientIdHub: string;
-    keycloakClientIdCryptomator: string;
-    keycloakAuthEndpoint: string;
-    keycloakTokenEndpoint: string;
-    serverTime: string;
-    apiLevel: number;
-    uuid: string;
-}
-
 /* Services */
 
 export interface VaultIdHeader extends JWTHeader {
@@ -263,12 +251,8 @@ class VaultService {
       .catch(err => rethrowAndConvertIfExpected(err, 403));
   }
 
-  public async createOrUpdateVault(vaultId: string, name: string, archived: boolean
-  , metadata: string
-  , description?: string): Promise<VaultDto> {
-    const body: VaultDto = { id: vaultId, name: name, description: description, archived: archived, creationTime: new Date()
-    , metadata: metadata
-    };
+  public async createOrUpdateVault(vaultId: string, name: string, archived: boolean, metadata: string, description?: string): Promise<VaultDto> {
+    const body: VaultDto = { id: vaultId, name: name, description: description, archived: archived, creationTime: new Date(), metadata: metadata };
     return axiosAuth.put(`/vaults/${vaultId}`, body)
       .then(response => response.data)
       .catch((error) => rethrowAndConvertIfExpected(error, 402, 404));
@@ -461,13 +445,3 @@ export type VaultMetadataJWEAutomaticAccessGrantDto = {
     enabled: boolean,
     maxWotDepth: number
 }
-
-export type VaultMetadataJWEDto = {
-    fileFormat: string;
-    nameFormat: string;
-    keys: Record<string,string>;
-    latestFileKey: string;
-    nameKey: string;
-    kdf: string;
-    automaticAccessGrant: VaultMetadataJWEAutomaticAccessGrantDto;
-}
\ No newline at end of file

From fe7ff3dabd5c3ac114f57d8a7672dfc57dff4912 Mon Sep 17 00:00:00 2001
From: Sebastian Stenzel <sebastian.stenzel@skymatic.de>
Date: Sat, 13 Apr 2024 13:37:14 +0200
Subject: [PATCH 04/94] disentangle v8 and uvf based vaults

---
 frontend/src/common/crypto.ts                 | 32 ++++---------------
 frontend/src/common/vaultconfig.ts            | 10 ++----
 frontend/src/components/CreateVault.vue       |  7 ++--
 .../DownloadVaultTemplateDialog.vue           |  2 +-
 frontend/test/common/crypto.spec.ts           | 17 ++++++----
 5 files changed, 26 insertions(+), 42 deletions(-)

diff --git a/frontend/src/common/crypto.ts b/frontend/src/common/crypto.ts
index 934145de5..a4c2e8f84 100644
--- a/frontend/src/common/crypto.ts
+++ b/frontend/src/common/crypto.ts
@@ -38,7 +38,6 @@ interface UserKeysJWEPayload {
 
 interface VaultKeysWEPayload {
   key: string
-  uvfKey: string
 }
 
 const GCM_NONCE_LEN = 12;
@@ -54,19 +53,14 @@ export class VaultKeys {
     length: 512
   };
 
-  // in uvf setting, the vault masterKey is used to encrypt the vault metadata JWE using A256KW
-  private static readonly UVF_MASTERKEY_KEY_DESIGNATION = { name: 'AES-KW', length: 256 };
-
   readonly masterKey: CryptoKey;
-  readonly uvfMasterKey: CryptoKey;
 
-  protected constructor(masterKey: CryptoKey, uvfMasterKey: CryptoKey) {
+  protected constructor(masterKey: CryptoKey) {
     this.masterKey = masterKey;
-    this.uvfMasterKey = uvfMasterKey;
   }
 
   /**
-   * Creates a new masterkey (vault8 and uvf)
+   * Creates a new masterkey
    * @returns A new masterkey
    */
   public static async create(): Promise<VaultKeys> {
@@ -75,12 +69,7 @@ export class VaultKeys {
       true,
       ['sign']
     );
-    const uvfKey = crypto.subtle.generateKey(
-      VaultKeys.UVF_MASTERKEY_KEY_DESIGNATION,
-      true,
-      ['wrapKey', 'unwrapKey']
-    );
-    return new VaultKeys(await key, await uvfKey);
+    return new VaultKeys(await key);
   }
 
 
@@ -92,14 +81,11 @@ export class VaultKeys {
    */
   public static async decryptWithUserKey(jwe: string, userPrivateKey: CryptoKey): Promise<VaultKeys> {
     let rawKey = new Uint8Array();
-    let rawUvfKey = new Uint8Array();
     try {
       const payload: VaultKeysWEPayload = await JWEParser.parse(jwe).decryptEcdhEs(userPrivateKey);
       rawKey = base64.parse(payload.key);
-      rawUvfKey = base64.parse(payload.uvfKey);
       const masterKey = crypto.subtle.importKey('raw', rawKey, VaultKeys.MASTERKEY_KEY_DESIGNATION, true, ['sign']);
-      const uvfMasterKey = crypto.subtle.importKey('raw', rawUvfKey, VaultKeys.UVF_MASTERKEY_KEY_DESIGNATION, true, ['wrapKey', 'unwrapKey']);
-      return new VaultKeys(await masterKey, await uvfMasterKey);
+      return new VaultKeys(await masterKey);
     } finally {
       rawKey.fill(0x00);
     }
@@ -163,8 +149,7 @@ export class VaultKeys {
         true,
         ['verify']
       );
-      // TODO https://github.com/encryption-alliance/unified-vault-format/pull/19 upstream legacy integration for uvf?
-      return [new VaultKeys(await masterkey, await masterkey), { privateKey: await privKey, publicKey: await pubKey }];
+      return [new VaultKeys(await masterkey), { privateKey: await privKey, publicKey: await pubKey }];
     } catch (error) {
       throw new UnwrapKeyError(error);
     }
@@ -197,8 +182,7 @@ export class VaultKeys {
       true,
       ['sign']
     );
-    // TODO https://github.com/encryption-alliance/unified-vault-format/pull/19 upstream legacy integration for uvf?
-    return new VaultKeys(await key, await key);
+    return new VaultKeys(await key);
   }
 
   public async createVaultConfig(kid: string, hubConfig: VaultConfigHeaderHub, payload: VaultConfigPayload): Promise<string> {
@@ -239,18 +223,16 @@ export class VaultKeys {
   }
 
   /**
-   * Encrypts this masterkey (vault8 and uvf) using the given public key
+   * Encrypts this masterkey using the given public key
    * @param userPublicKey The recipient's public key (DER-encoded)
    * @returns a JWE containing this Masterkey
    */
   public async encryptForUser(userPublicKey: Uint8Array): Promise<string> {
     const publicKey = await crypto.subtle.importKey('spki', userPublicKey, UserKeys.KEY_DESIGNATION, false, []);
     const rawkey = new Uint8Array(await crypto.subtle.exportKey('raw', this.masterKey));
-    const rawUvfKey = new Uint8Array(await crypto.subtle.exportKey('raw', this.uvfMasterKey));
     try {
       const payload: VaultKeysWEPayload = {
         key: base64.stringify(rawkey),
-        uvfKey: base64.stringify(rawUvfKey)
       };
       return JWEBuilder.ecdhEs(publicKey).encrypt(payload);
     } finally {
diff --git a/frontend/src/common/vaultconfig.ts b/frontend/src/common/vaultconfig.ts
index 7ba183c04..37b2df980 100644
--- a/frontend/src/common/vaultconfig.ts
+++ b/frontend/src/common/vaultconfig.ts
@@ -5,15 +5,13 @@ import { VaultConfigHeaderHub, VaultConfigPayload, VaultKeys } from '../common/c
 export class VaultConfig {
   readonly vaultConfigToken: string;
   readonly rootDirHash: string;
-  readonly vaultUvf: string;
 
-  private constructor(vaultConfigToken: string, vaultUvf: string, rootDirHash: string) {
+  private constructor(vaultConfigToken: string, rootDirHash: string) {
     this.vaultConfigToken = vaultConfigToken;
-    this.vaultUvf = vaultUvf;
     this.rootDirHash = rootDirHash;
   }
 
-  public static async create(vaultId: string, vaultKeys: VaultKeys, vaultUvf: string): Promise<VaultConfig> {
+  public static async create(vaultId: string, vaultKeys: VaultKeys): Promise<VaultConfig> {
     const cfg = config.get();
 
     const kid = `hub+${absBackendBaseURL}vaults/${vaultId}`;
@@ -37,14 +35,12 @@ export class VaultConfig {
 
     const vaultConfigToken = await vaultKeys.createVaultConfig(kid, hubConfig, jwtPayload);
     const rootDirHash = await vaultKeys.hashDirectoryId('');
-    return new VaultConfig(vaultConfigToken, vaultUvf, rootDirHash);
+    return new VaultConfig(vaultConfigToken, rootDirHash);
   }
 
   public async exportTemplate(): Promise<Blob> {
     const zip = new JSZip();
-    // TODO https://github.com/encryption-alliance/unified-vault-format/pull/19 what about vault.uvf? Not in template but only in vault dto?
     zip.file('vault.cryptomator', this.vaultConfigToken);
-    zip.file('vault.uvf', this.vaultUvf);
     zip.folder('d')?.folder(this.rootDirHash.substring(0, 2))?.folder(this.rootDirHash.substring(2));
     return zip.generateAsync({ type: 'blob' });
   }
diff --git a/frontend/src/components/CreateVault.vue b/frontend/src/components/CreateVault.vue
index 93181b03b..884886e03 100644
--- a/frontend/src/components/CreateVault.vue
+++ b/frontend/src/components/CreateVault.vue
@@ -292,14 +292,17 @@ async function createVault() {
       throw new Error('Invalid state');
     }
     const vaultId = crypto.randomUUID();
+    /*
+    FIXME create UVF vault
     const vaultMetadata: VaultMetadata = await VaultMetadata.create({
        enabled: true,
        maxWotDepth: -1
     });
     const vaultMetadataEncrypted = await vaultMetadata.encryptWithMasterKey(vaultKeys.value.uvfMasterKey);
-    vaultConfig.value = await VaultConfig.create(vaultId, vaultKeys.value, vaultMetadataEncrypted);
+    */
+    vaultConfig.value = await VaultConfig.create(vaultId, vaultKeys.value);
     const ownerJwe = await vaultKeys.value.encryptForUser(base64.parse(owner.publicKey));
-    await backend.vaults.createOrUpdateVault(vaultId, vaultName.value, false, vaultMetadataEncrypted, vaultDescription.value);
+    await backend.vaults.createOrUpdateVault(vaultId, vaultName.value, false, '', vaultDescription.value);
     await backend.vaults.grantAccess(vaultId, { userId: owner.id, token: ownerJwe });
     state.value = State.Finished;
   } catch (error) {
diff --git a/frontend/src/components/DownloadVaultTemplateDialog.vue b/frontend/src/components/DownloadVaultTemplateDialog.vue
index b12400ac6..1a067ec4b 100644
--- a/frontend/src/components/DownloadVaultTemplateDialog.vue
+++ b/frontend/src/components/DownloadVaultTemplateDialog.vue
@@ -93,7 +93,7 @@ async function downloadVault() {
 }
 
 async function generateVaultZip(): Promise<Blob> {
-  const config = await VaultConfig.create(props.vault.id, props.vaultKeys, props.vault.metadata);
+  const config = await VaultConfig.create(props.vault.id, props.vaultKeys);
   return await config.exportTemplate();
 }
 </script>
diff --git a/frontend/test/common/crypto.spec.ts b/frontend/test/common/crypto.spec.ts
index 557f450d5..57f7054e8 100644
--- a/frontend/test/common/crypto.spec.ts
+++ b/frontend/test/common/crypto.spec.ts
@@ -61,8 +61,8 @@ describe('crypto', () => {
 
     it('recover() succeeds for valid key', async () => {
       let recoveryKey = `
-        pathway lift abuse plenty export texture gentleman landscape beyond ceiling around leaf cafe charity
-        border breakdown victory surely computer cat linger restrict infer crowd live computer true written amazed
+        pathway lift abuse plenty export texture gentleman landscape beyond ceiling around leaf cafe charity 
+        border breakdown victory surely computer cat linger restrict infer crowd live computer true written amazed 
         investor boot depth left theory snow whereby terminal weekly reject happiness circuit partial cup ad
         `;
 
@@ -173,8 +173,11 @@ describe('crypto', () => {
   describe('VaultMetadata', () => {
     // TODO review @sebi what else should we test?
     it('encryptWithMasterKey() and decryptWithMasterKey()', async () => {
-      const vaultKeys = await VaultKeys.create();
-      const uvfMasterKey: CryptoKey = vaultKeys.uvfMasterKey;
+      const uvfMasterKey = await crypto.subtle.generateKey(
+        { name: 'AES-KW', length: 256 },
+        true,
+        ['wrapKey', 'unwrapKey']
+      );
       const automaticAccessGrant: VaultMetadataJWEAutomaticAccessGrantDto ={
         "enabled": true,
         "maxWotDepth": -1
@@ -239,8 +242,8 @@ describe('crypto', () => {
 /* ---------- MOCKS ---------- */
 
 class TestVaultKeys extends VaultKeys {
-  constructor(masterKey: CryptoKey, uvfMasterKey: CryptoKey) {
-    super(masterKey, uvfMasterKey);
+  constructor(masterKey: CryptoKey) {
+    super(masterKey);
   }
 
   static async create() {
@@ -258,7 +261,7 @@ class TestVaultKeys extends VaultKeys {
       true,
       ['sign']
     );
-    return new TestVaultKeys(key, key);
+    return new TestVaultKeys(key);
   }
 }
 

From be8803c6a1d6a52deafe7528104e3690f797c0c2 Mon Sep 17 00:00:00 2001
From: Sebastian Stenzel <sebastian.stenzel@skymatic.de>
Date: Sat, 13 Apr 2024 13:53:53 +0200
Subject: [PATCH 05/94] move vault format 8 code to separate file

---
 frontend/src/common/crypto.ts                 | 304 ++----------------
 frontend/src/common/vaultconfig.ts            |   2 +-
 frontend/src/common/vaultv8.ts                | 244 ++++++++++++++
 .../components/ClaimVaultOwnershipDialog.vue  |   3 +-
 frontend/src/components/CreateVault.vue       |   2 +-
 .../DownloadVaultTemplateDialog.vue           |   2 +-
 .../src/components/GrantPermissionDialog.vue  |   3 +-
 .../src/components/RecoverVaultDialog.vue     |   3 +-
 frontend/src/components/RecoveryKeyDialog.vue |   2 +-
 frontend/src/components/VaultDetails.vue      |   3 +-
 frontend/test/common/crypto.spec.ts           | 140 +-------
 frontend/test/common/vaultv8.spec.ts          | 154 +++++++++
 12 files changed, 444 insertions(+), 418 deletions(-)
 create mode 100644 frontend/src/common/vaultv8.ts
 create mode 100644 frontend/test/common/vaultv8.spec.ts

diff --git a/frontend/src/common/crypto.ts b/frontend/src/common/crypto.ts
index a4c2e8f84..6747a980c 100644
--- a/frontend/src/common/crypto.ts
+++ b/frontend/src/common/crypto.ts
@@ -1,7 +1,7 @@
 import * as miscreant from 'miscreant';
-import { base16, base32, base64, base64url } from 'rfc4648';
+import { base16, base32, base64 } from 'rfc4648';
 import { JWEBuilder, JWEParser } from './jwe';
-import { CRC32, DB, wordEncoder } from './util';
+import { DB } from './util';
 
 import { VaultMetadataJWEAutomaticAccessGrantDto } from './backend';
 
@@ -14,249 +14,11 @@ export class UnwrapKeyError extends Error {
   }
 }
 
-export interface VaultConfigPayload {
-  jti: string
-  format: number
-  cipherCombo: string
-  shorteningThreshold: number
-}
-
-export interface VaultConfigHeaderHub {
-  clientId: string
-  authEndpoint: string
-  tokenEndpoint: string
-  authSuccessUrl: string
-  authErrorUrl: string
-  apiBaseUrl: string
-  // deprecated:
-  devicesResourceUrl: string
-}
-
 interface UserKeysJWEPayload {
   key: string
 }
 
-interface VaultKeysWEPayload {
-  key: string
-}
-
-const GCM_NONCE_LEN = 12;
-
-export class VaultKeys {
-  // in this browser application, this 512 bit key is used
-  // as a hmac key to sign the vault config.
-  // however when used by cryptomator, it gets split into
-  // a 256 bit encryption key and a 256 bit mac key
-  private static readonly MASTERKEY_KEY_DESIGNATION: HmacImportParams | HmacKeyGenParams = {
-    name: 'HMAC',
-    hash: 'SHA-256',
-    length: 512
-  };
-
-  readonly masterKey: CryptoKey;
-
-  protected constructor(masterKey: CryptoKey) {
-    this.masterKey = masterKey;
-  }
-
-  /**
-   * Creates a new masterkey
-   * @returns A new masterkey
-   */
-  public static async create(): Promise<VaultKeys> {
-    const key = crypto.subtle.generateKey(
-      VaultKeys.MASTERKEY_KEY_DESIGNATION,
-      true,
-      ['sign']
-    );
-    return new VaultKeys(await key);
-  }
-
-
-  /**
-   * Decrypts the vault's masterkey (vault8 and uvf) using the user's private key
-   * @param jwe JWE containing the vault key
-   * @param userPrivateKey The user's private key
-   * @returns The masterkey
-   */
-  public static async decryptWithUserKey(jwe: string, userPrivateKey: CryptoKey): Promise<VaultKeys> {
-    let rawKey = new Uint8Array();
-    try {
-      const payload: VaultKeysWEPayload = await JWEParser.parse(jwe).decryptEcdhEs(userPrivateKey);
-      rawKey = base64.parse(payload.key);
-      const masterKey = crypto.subtle.importKey('raw', rawKey, VaultKeys.MASTERKEY_KEY_DESIGNATION, true, ['sign']);
-      return new VaultKeys(await masterKey);
-    } finally {
-      rawKey.fill(0x00);
-    }
-  }
-
-  /**
-   * Unwraps keys protected by the legacy "Vault Admin Password".
-   * @param vaultAdminPassword Vault Admin Password
-   * @param wrappedMasterkey The wrapped masterkey
-   * @param wrappedOwnerPrivateKey The wrapped owner private key
-   * @param ownerPublicKey The owner public key
-   * @param salt PBKDF2 Salt
-   * @param iterations PBKDF2 Iterations
-   * @returns The unwrapped key material.
-   * @throws WrongPasswordError, if the wrong password is used
-   * @deprecated Only used during "claim vault ownership" workflow for legacy vaults
-   */
-  public static async decryptWithAdminPassword(vaultAdminPassword: string, wrappedMasterkey: string, wrappedOwnerPrivateKey: string, ownerPublicKey: string, salt: string, iterations: number): Promise<[VaultKeys, CryptoKeyPair]> {
-    // pbkdf2:
-    const encodedPw = new TextEncoder().encode(vaultAdminPassword);
-    const pwKey = crypto.subtle.importKey('raw', encodedPw, 'PBKDF2', false, ['deriveKey']);
-    const kek = crypto.subtle.deriveKey(
-      {
-        name: 'PBKDF2',
-        hash: 'SHA-256',
-        salt: base64.parse(salt, { loose: true }),
-        iterations: iterations
-      },
-      await pwKey,
-      { name: 'AES-GCM', length: 256 },
-      false,
-      ['unwrapKey']
-    );
-    // unwrapping
-    const decodedMasterKey = base64.parse(wrappedMasterkey, { loose: true });
-    const decodedPrivateKey = base64.parse(wrappedOwnerPrivateKey, { loose: true });
-    const decodedPublicKey = base64.parse(ownerPublicKey, { loose: true });
-    try {
-      const masterkey = crypto.subtle.unwrapKey(
-        'raw',
-        decodedMasterKey.slice(GCM_NONCE_LEN),
-        await kek,
-        { name: 'AES-GCM', iv: decodedMasterKey.slice(0, GCM_NONCE_LEN) },
-        VaultKeys.MASTERKEY_KEY_DESIGNATION,
-        true,
-        ['sign']
-      );
-      const privKey = crypto.subtle.unwrapKey(
-        'pkcs8',
-        decodedPrivateKey.slice(GCM_NONCE_LEN),
-        await kek,
-        { name: 'AES-GCM', iv: decodedPrivateKey.slice(0, GCM_NONCE_LEN) },
-        { name: 'ECDSA', namedCurve: 'P-384' },
-        false,
-        ['sign']
-      );
-      const pubKey = crypto.subtle.importKey(
-        'spki',
-        decodedPublicKey,
-        { name: 'ECDSA', namedCurve: 'P-384' },
-        true,
-        ['verify']
-      );
-      return [new VaultKeys(await masterkey), { privateKey: await privKey, publicKey: await pubKey }];
-    } catch (error) {
-      throw new UnwrapKeyError(error);
-    }
-  }
-
-  /**
-   * Restore the master key from a given recovery key, create a new admin signature key pair.
-   * @param recoveryKey The recovery key
-   * @returns The recovered master key
-   * @throws Error, if passing a malformed recovery key
-   */
-  public static async recover(recoveryKey: string): Promise<VaultKeys> {
-    // decode and check recovery key:
-    const decoded = wordEncoder.decode(recoveryKey);
-    if (decoded.length !== 66) {
-      throw new Error('Invalid recovery key length.');
-    }
-    const decodedKey = decoded.subarray(0, 64);
-    const crc32 = CRC32.compute(decodedKey);
-    if (decoded[64] !== (crc32 & 0xFF)
-      || decoded[65] !== (crc32 >> 8 & 0xFF)) {
-      throw new Error('Invalid recovery key checksum.');
-    }
-
-    // construct new VaultKeys from recovered key
-    const key = crypto.subtle.importKey(
-      'raw',
-      decodedKey,
-      VaultKeys.MASTERKEY_KEY_DESIGNATION,
-      true,
-      ['sign']
-    );
-    return new VaultKeys(await key);
-  }
-
-  public async createVaultConfig(kid: string, hubConfig: VaultConfigHeaderHub, payload: VaultConfigPayload): Promise<string> {
-    const header = JSON.stringify({
-      kid: kid,
-      typ: 'jwt',
-      alg: 'HS256',
-      hub: hubConfig
-    });
-    const payloadJson = JSON.stringify(payload);
-    const encoder = new TextEncoder();
-    const unsignedToken = base64url.stringify(encoder.encode(header), { pad: false }) + '.' + base64url.stringify(encoder.encode(payloadJson), { pad: false });
-    const encodedUnsignedToken = new TextEncoder().encode(unsignedToken);
-    const signature = await crypto.subtle.sign(
-      'HMAC',
-      this.masterKey,
-      encodedUnsignedToken
-    );
-    return unsignedToken + '.' + base64url.stringify(new Uint8Array(signature), { pad: false });
-  }
-
-  public async hashDirectoryId(cleartextDirectoryId: string): Promise<string> {
-    const dirHash = new TextEncoder().encode(cleartextDirectoryId);
-    const rawkey = new Uint8Array(await crypto.subtle.exportKey('raw', this.masterKey));
-    try {
-      // miscreant lib requires mac key first and then the enc key
-      const encKey = rawkey.subarray(0, rawkey.length / 2 | 0);
-      const macKey = rawkey.subarray(rawkey.length / 2 | 0);
-      const shiftedRawKey = new Uint8Array([...macKey, ...encKey]);
-      const key = await miscreant.SIV.importKey(shiftedRawKey, 'AES-SIV');
-      const ciphertext = await key.seal(dirHash, []);
-      // hash is only used as deterministic scheme for the root dir
-      const hash = await crypto.subtle.digest('SHA-1', ciphertext);
-      return base32.stringify(new Uint8Array(hash));
-    } finally {
-      rawkey.fill(0x00);
-    }
-  }
-
-  /**
-   * Encrypts this masterkey using the given public key
-   * @param userPublicKey The recipient's public key (DER-encoded)
-   * @returns a JWE containing this Masterkey
-   */
-  public async encryptForUser(userPublicKey: Uint8Array): Promise<string> {
-    const publicKey = await crypto.subtle.importKey('spki', userPublicKey, UserKeys.KEY_DESIGNATION, false, []);
-    const rawkey = new Uint8Array(await crypto.subtle.exportKey('raw', this.masterKey));
-    try {
-      const payload: VaultKeysWEPayload = {
-        key: base64.stringify(rawkey),
-      };
-      return JWEBuilder.ecdhEs(publicKey).encrypt(payload);
-    } finally {
-      rawkey.fill(0x00);
-    }
-  }
-
-  /**
-   * Encode masterkey for offline backup purposes, allowing re-importing the key for recovery purposes
-   */
-  public async createRecoveryKey(): Promise<string> {
-    const rawkey = new Uint8Array(await crypto.subtle.exportKey('raw', this.masterKey));
-
-    // add 16 bit checksum:
-    const crc32 = CRC32.compute(rawkey);
-    const checksum = new Uint8Array(2);
-    checksum[0] = crc32 & 0xff;      // append the least significant byte of the crc
-    checksum[1] = crc32 >> 8 & 0xff; // followed by the second-least significant byte
-    const combined = new Uint8Array([...rawkey, ...checksum]);
-
-    // encode using human-readable words:
-    return wordEncoder.encodePadded(combined);
-  }
-}
+export const GCM_NONCE_LEN = 12;
 
 export class UserKeys {
   public static readonly KEY_USAGES: KeyUsage[] = ['deriveBits'];
@@ -467,11 +229,11 @@ export class VaultMetadata {
   };
 
   readonly automaticAccessGrant: VaultMetadataJWEAutomaticAccessGrantDto;
-  readonly keys: Record<string,CryptoKey>;
+  readonly keys: Record<string, CryptoKey>;
   readonly latestFileKey: string;
   readonly nameKey: string;
 
-  protected constructor(automaticAccessGrant: VaultMetadataJWEAutomaticAccessGrantDto, keys: Record<string,CryptoKey>, latestFileKey: string, nameKey: string) {
+  protected constructor(automaticAccessGrant: VaultMetadataJWEAutomaticAccessGrantDto, keys: Record<string, CryptoKey>, latestFileKey: string, nameKey: string) {
     this.automaticAccessGrant = automaticAccessGrant;
     this.keys = keys;
     this.latestFileKey = latestFileKey;
@@ -495,9 +257,9 @@ export class VaultMetadata {
       // TODO https://github.com/encryption-alliance/unified-vault-format/pull/19 is this correct?
       ['sign']
     );
-    const fileKeyId = Array(4).fill(null).map(()=>"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789".charAt(Math.random()*62)).join("")
-    const nameKeyId = Array(4).fill(null).map(()=>"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789".charAt(Math.random()*62)).join("")
-    const keys: Record<string,CryptoKey> = {};
+    const fileKeyId = Array(4).fill(null).map(() => "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789".charAt(Math.random() * 62)).join("")
+    const nameKeyId = Array(4).fill(null).map(() => "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789".charAt(Math.random() * 62)).join("")
+    const keys: Record<string, CryptoKey> = {};
     keys[fileKeyId] = await fileKey;
     keys[nameKeyId] = await nameKey;
     return new VaultMetadata(automaticAccessGrant, keys, fileKeyId, nameKeyId);
@@ -510,21 +272,21 @@ export class VaultMetadata {
    * @returns vault metadata
    */
   public static async decryptWithMasterKey(jwe: string, masterKey: CryptoKey): Promise<VaultMetadata> {
-      const payload = await JWEParser.parse(jwe).decryptA256kw(masterKey);
-      const keys: Record<string,string> = payload['keys'];
-      const keysImported: Record<string,CryptoKey> = payload['keys'];
-      for (const k in keys) {
-        // TODO https://github.com/encryption-alliance/unified-vault-format/pull/19 is this correct?
-        keysImported[k] = await crypto.subtle.importKey('raw', base64.parse(keys[k]), VaultMetadata.RAWKEY_KEY_DESIGNATION, true, ['sign']);
-      }
-      const latestFileKey = payload['latestFileKey']
-      const nameKey = payload['nameKey']
-      return new VaultMetadata(
-        payload['org.cryptomator.automaticAccessGrant'],
-        keysImported,
-        latestFileKey,
-        nameKey
-      );
+    const payload = await JWEParser.parse(jwe).decryptA256kw(masterKey);
+    const keys: Record<string, string> = payload['keys'];
+    const keysImported: Record<string, CryptoKey> = payload['keys'];
+    for (const k in keys) {
+      // TODO https://github.com/encryption-alliance/unified-vault-format/pull/19 is this correct?
+      keysImported[k] = await crypto.subtle.importKey('raw', base64.parse(keys[k]), VaultMetadata.RAWKEY_KEY_DESIGNATION, true, ['sign']);
+    }
+    const latestFileKey = payload['latestFileKey']
+    const nameKey = payload['nameKey']
+    return new VaultMetadata(
+      payload['org.cryptomator.automaticAccessGrant'],
+      keysImported,
+      latestFileKey,
+      nameKey
+    );
   }
 
   /**
@@ -533,19 +295,19 @@ export class VaultMetadata {
    * @returns a JWE containing this Masterkey
    */
   public async encryptWithMasterKey(masterKey: CryptoKey): Promise<string> {
-  const keysExported: Record<string,string> = {};
+    const keysExported: Record<string, string> = {};
     for (const k in this.keys) {
       keysExported[k] = base64.stringify(new Uint8Array(await crypto.subtle.exportKey('raw', this.keys[k])));
     }
     const payload = {
-        fileFormat: "AES-256-GCM-32k",
-        nameFormat: "AES-256-SIV",
-        keys: keysExported,
-        latestFileKey: this.latestFileKey,
-        nameKey: this.nameKey,
-        // TODO https://github.com/encryption-alliance/unified-vault-format/pull/21 finalize kdf
-        kdf: "1STEP-HMAC-SHA512",
-        'org.cryptomator.automaticAccessGrant': this.automaticAccessGrant
+      fileFormat: "AES-256-GCM-32k",
+      nameFormat: "AES-256-SIV",
+      keys: keysExported,
+      latestFileKey: this.latestFileKey,
+      nameKey: this.nameKey,
+      // TODO https://github.com/encryption-alliance/unified-vault-format/pull/21 finalize kdf
+      kdf: "1STEP-HMAC-SHA512",
+      'org.cryptomator.automaticAccessGrant': this.automaticAccessGrant
     }
     return JWEBuilder.a256kw(masterKey).encrypt(payload);
   }
@@ -554,7 +316,7 @@ export class VaultMetadata {
     const dirHash = new TextEncoder().encode(cleartextDirectoryId);
     // TODO https://github.com/encryption-alliance/unified-vault-format/pull/19 !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! MUST NEVER BE RELEASED LIKE THIS
     // TODO https://github.com/encryption-alliance/unified-vault-format/pull/19 use rawFileKey,rawNameKey for rootDirHash for now - should depend on nameKey only!!
-    const rawkey = new Uint8Array([...new Uint8Array(await crypto.subtle.exportKey('raw', this.keys[this.latestFileKey])),...new Uint8Array(await crypto.subtle.exportKey('raw', this.keys[this.nameKey]))]);
+    const rawkey = new Uint8Array([...new Uint8Array(await crypto.subtle.exportKey('raw', this.keys[this.latestFileKey])), ...new Uint8Array(await crypto.subtle.exportKey('raw', this.keys[this.nameKey]))]);
     try {
       // miscreant lib requires mac key first and then the enc key
       const encKey = rawkey.subarray(0, rawkey.length / 2 | 0);
diff --git a/frontend/src/common/vaultconfig.ts b/frontend/src/common/vaultconfig.ts
index 37b2df980..51b66c542 100644
--- a/frontend/src/common/vaultconfig.ts
+++ b/frontend/src/common/vaultconfig.ts
@@ -1,6 +1,6 @@
 import JSZip from 'jszip';
 import config, { absBackendBaseURL, absFrontendBaseURL } from '../common/config';
-import { VaultConfigHeaderHub, VaultConfigPayload, VaultKeys } from '../common/crypto';
+import { VaultConfigHeaderHub, VaultConfigPayload, VaultKeys } from '../common/vaultv8';
 
 export class VaultConfig {
   readonly vaultConfigToken: string;
diff --git a/frontend/src/common/vaultv8.ts b/frontend/src/common/vaultv8.ts
new file mode 100644
index 000000000..79b25672a
--- /dev/null
+++ b/frontend/src/common/vaultv8.ts
@@ -0,0 +1,244 @@
+import * as miscreant from 'miscreant';
+import { base32, base64, base64url } from 'rfc4648';
+import { GCM_NONCE_LEN, UnwrapKeyError, UserKeys } from './crypto';
+import { JWEBuilder, JWEParser } from './jwe';
+import { CRC32, wordEncoder } from './util';
+
+interface JWEPayload {
+  key: string
+}
+
+export interface VaultConfigPayload {
+  jti: string
+  format: number
+  cipherCombo: string
+  shorteningThreshold: number
+}
+
+export interface VaultConfigHeaderHub {
+  clientId: string
+  authEndpoint: string
+  tokenEndpoint: string
+  authSuccessUrl: string
+  authErrorUrl: string
+  apiBaseUrl: string
+  // deprecated:
+  devicesResourceUrl: string
+}
+
+
+export class VaultKeys {
+  // in this browser application, this 512 bit key is used
+  // as a hmac key to sign the vault config.
+  // however when used by cryptomator, it gets split into
+  // a 256 bit encryption key and a 256 bit mac key
+  private static readonly MASTERKEY_KEY_DESIGNATION: HmacImportParams | HmacKeyGenParams = {
+    name: 'HMAC',
+    hash: 'SHA-256',
+    length: 512
+  };
+
+  readonly masterKey: CryptoKey;
+
+  protected constructor(masterKey: CryptoKey) {
+    this.masterKey = masterKey;
+  }
+
+  /**
+   * Creates a new masterkey
+   * @returns A new masterkey
+   */
+  public static async create(): Promise<VaultKeys> {
+    const key = crypto.subtle.generateKey(
+      VaultKeys.MASTERKEY_KEY_DESIGNATION,
+      true,
+      ['sign']
+    );
+    return new VaultKeys(await key);
+  }
+
+
+  /**
+   * Decrypts the vault's masterkey (vault8 and uvf) using the user's private key
+   * @param jwe JWE containing the vault key
+   * @param userPrivateKey The user's private key
+   * @returns The masterkey
+   */
+  public static async decryptWithUserKey(jwe: string, userPrivateKey: CryptoKey): Promise<VaultKeys> {
+    let rawKey = new Uint8Array();
+    try {
+      const payload: JWEPayload = await JWEParser.parse(jwe).decryptEcdhEs(userPrivateKey);
+      rawKey = base64.parse(payload.key);
+      const masterKey = crypto.subtle.importKey('raw', rawKey, VaultKeys.MASTERKEY_KEY_DESIGNATION, true, ['sign']);
+      return new VaultKeys(await masterKey);
+    } finally {
+      rawKey.fill(0x00);
+    }
+  }
+
+  /**
+   * Unwraps keys protected by the legacy "Vault Admin Password".
+   * @param vaultAdminPassword Vault Admin Password
+   * @param wrappedMasterkey The wrapped masterkey
+   * @param wrappedOwnerPrivateKey The wrapped owner private key
+   * @param ownerPublicKey The owner public key
+   * @param salt PBKDF2 Salt
+   * @param iterations PBKDF2 Iterations
+   * @returns The unwrapped key material.
+   * @throws WrongPasswordError, if the wrong password is used
+   * @deprecated Only used during "claim vault ownership" workflow for legacy vaults
+   */
+  public static async decryptWithAdminPassword(vaultAdminPassword: string, wrappedMasterkey: string, wrappedOwnerPrivateKey: string, ownerPublicKey: string, salt: string, iterations: number): Promise<[VaultKeys, CryptoKeyPair]> {
+    // pbkdf2:
+    const encodedPw = new TextEncoder().encode(vaultAdminPassword);
+    const pwKey = crypto.subtle.importKey('raw', encodedPw, 'PBKDF2', false, ['deriveKey']);
+    const kek = crypto.subtle.deriveKey(
+      {
+        name: 'PBKDF2',
+        hash: 'SHA-256',
+        salt: base64.parse(salt, { loose: true }),
+        iterations: iterations
+      },
+      await pwKey,
+      { name: 'AES-GCM', length: 256 },
+      false,
+      ['unwrapKey']
+    );
+    // unwrapping
+    const decodedMasterKey = base64.parse(wrappedMasterkey, { loose: true });
+    const decodedPrivateKey = base64.parse(wrappedOwnerPrivateKey, { loose: true });
+    const decodedPublicKey = base64.parse(ownerPublicKey, { loose: true });
+    try {
+      const masterkey = crypto.subtle.unwrapKey(
+        'raw',
+        decodedMasterKey.slice(GCM_NONCE_LEN),
+        await kek,
+        { name: 'AES-GCM', iv: decodedMasterKey.slice(0, GCM_NONCE_LEN) },
+        VaultKeys.MASTERKEY_KEY_DESIGNATION,
+        true,
+        ['sign']
+      );
+      const privKey = crypto.subtle.unwrapKey(
+        'pkcs8',
+        decodedPrivateKey.slice(GCM_NONCE_LEN),
+        await kek,
+        { name: 'AES-GCM', iv: decodedPrivateKey.slice(0, GCM_NONCE_LEN) },
+        { name: 'ECDSA', namedCurve: 'P-384' },
+        false,
+        ['sign']
+      );
+      const pubKey = crypto.subtle.importKey(
+        'spki',
+        decodedPublicKey,
+        { name: 'ECDSA', namedCurve: 'P-384' },
+        true,
+        ['verify']
+      );
+      return [new VaultKeys(await masterkey), { privateKey: await privKey, publicKey: await pubKey }];
+    } catch (error) {
+      throw new UnwrapKeyError(error);
+    }
+  }
+
+  /**
+   * Restore the master key from a given recovery key, create a new admin signature key pair.
+   * @param recoveryKey The recovery key
+   * @returns The recovered master key
+   * @throws Error, if passing a malformed recovery key
+   */
+  public static async recover(recoveryKey: string): Promise<VaultKeys> {
+    // decode and check recovery key:
+    const decoded = wordEncoder.decode(recoveryKey);
+    if (decoded.length !== 66) {
+      throw new Error('Invalid recovery key length.');
+    }
+    const decodedKey = decoded.subarray(0, 64);
+    const crc32 = CRC32.compute(decodedKey);
+    if (decoded[64] !== (crc32 & 0xFF)
+      || decoded[65] !== (crc32 >> 8 & 0xFF)) {
+      throw new Error('Invalid recovery key checksum.');
+    }
+
+    // construct new VaultKeys from recovered key
+    const key = crypto.subtle.importKey(
+      'raw',
+      decodedKey,
+      VaultKeys.MASTERKEY_KEY_DESIGNATION,
+      true,
+      ['sign']
+    );
+    return new VaultKeys(await key);
+  }
+
+  public async createVaultConfig(kid: string, hubConfig: VaultConfigHeaderHub, payload: VaultConfigPayload): Promise<string> {
+    const header = JSON.stringify({
+      kid: kid,
+      typ: 'jwt',
+      alg: 'HS256',
+      hub: hubConfig
+    });
+    const payloadJson = JSON.stringify(payload);
+    const encoder = new TextEncoder();
+    const unsignedToken = base64url.stringify(encoder.encode(header), { pad: false }) + '.' + base64url.stringify(encoder.encode(payloadJson), { pad: false });
+    const encodedUnsignedToken = new TextEncoder().encode(unsignedToken);
+    const signature = await crypto.subtle.sign(
+      'HMAC',
+      this.masterKey,
+      encodedUnsignedToken
+    );
+    return unsignedToken + '.' + base64url.stringify(new Uint8Array(signature), { pad: false });
+  }
+
+  public async hashDirectoryId(cleartextDirectoryId: string): Promise<string> {
+    const dirHash = new TextEncoder().encode(cleartextDirectoryId);
+    const rawkey = new Uint8Array(await crypto.subtle.exportKey('raw', this.masterKey));
+    try {
+      // miscreant lib requires mac key first and then the enc key
+      const encKey = rawkey.subarray(0, rawkey.length / 2 | 0);
+      const macKey = rawkey.subarray(rawkey.length / 2 | 0);
+      const shiftedRawKey = new Uint8Array([...macKey, ...encKey]);
+      const key = await miscreant.SIV.importKey(shiftedRawKey, 'AES-SIV');
+      const ciphertext = await key.seal(dirHash, []);
+      // hash is only used as deterministic scheme for the root dir
+      const hash = await crypto.subtle.digest('SHA-1', ciphertext);
+      return base32.stringify(new Uint8Array(hash));
+    } finally {
+      rawkey.fill(0x00);
+    }
+  }
+
+  /**
+   * Encrypts this masterkey using the given public key
+   * @param userPublicKey The recipient's public key (DER-encoded)
+   * @returns a JWE containing this Masterkey
+   */
+  public async encryptForUser(userPublicKey: Uint8Array): Promise<string> {
+    const publicKey = await crypto.subtle.importKey('spki', userPublicKey, UserKeys.KEY_DESIGNATION, false, []);
+    const rawkey = new Uint8Array(await crypto.subtle.exportKey('raw', this.masterKey));
+    try {
+      const payload: JWEPayload = {
+        key: base64.stringify(rawkey),
+      };
+      return JWEBuilder.ecdhEs(publicKey).encrypt(payload);
+    } finally {
+      rawkey.fill(0x00);
+    }
+  }
+
+  /**
+   * Encode masterkey for offline backup purposes, allowing re-importing the key for recovery purposes
+   */
+  public async createRecoveryKey(): Promise<string> {
+    const rawkey = new Uint8Array(await crypto.subtle.exportKey('raw', this.masterKey));
+
+    // add 16 bit checksum:
+    const crc32 = CRC32.compute(rawkey);
+    const checksum = new Uint8Array(2);
+    checksum[0] = crc32 & 0xff;      // append the least significant byte of the crc
+    checksum[1] = crc32 >> 8 & 0xff; // followed by the second-least significant byte
+    const combined = new Uint8Array([...rawkey, ...checksum]);
+
+    // encode using human-readable words:
+    return wordEncoder.encodePadded(combined);
+  }
+}
diff --git a/frontend/src/components/ClaimVaultOwnershipDialog.vue b/frontend/src/components/ClaimVaultOwnershipDialog.vue
index da081453b..2635e04e6 100644
--- a/frontend/src/components/ClaimVaultOwnershipDialog.vue
+++ b/frontend/src/components/ClaimVaultOwnershipDialog.vue
@@ -62,7 +62,8 @@ import { KeyIcon } from '@heroicons/vue/24/outline';
 import { ref } from 'vue';
 import { useI18n } from 'vue-i18n';
 import { VaultDto } from '../common/backend';
-import { UnwrapKeyError, VaultKeys } from '../common/crypto';
+import { UnwrapKeyError } from '../common/crypto';
+import { VaultKeys } from '../common/vaultv8';
 
 class FormValidationFailedError extends Error {
   constructor() {
diff --git a/frontend/src/components/CreateVault.vue b/frontend/src/components/CreateVault.vue
index 884886e03..3a8dc6b0b 100644
--- a/frontend/src/components/CreateVault.vue
+++ b/frontend/src/components/CreateVault.vue
@@ -185,9 +185,9 @@ import { base64 } from 'rfc4648';
 import { onMounted, ref } from 'vue';
 import { useI18n } from 'vue-i18n';
 import backend, { PaymentRequiredError } from '../common/backend';
-import { VaultKeys, VaultMetadata } from '../common/crypto';
 import { debounce } from '../common/util';
 import { VaultConfig } from '../common/vaultconfig';
+import { VaultKeys } from '../common/vaultv8';
 
 enum State {
   Initial,
diff --git a/frontend/src/components/DownloadVaultTemplateDialog.vue b/frontend/src/components/DownloadVaultTemplateDialog.vue
index 1a067ec4b..90262ef18 100644
--- a/frontend/src/components/DownloadVaultTemplateDialog.vue
+++ b/frontend/src/components/DownloadVaultTemplateDialog.vue
@@ -54,8 +54,8 @@ import { saveAs } from 'file-saver';
 import { ref } from 'vue';
 import { useI18n } from 'vue-i18n';
 import { VaultDto } from '../common/backend';
-import { VaultKeys } from '../common/crypto';
 import { VaultConfig } from '../common/vaultconfig';
+import { VaultKeys } from '../common/vaultv8';
 
 const { t } = useI18n({ useScope: 'global' });
 
diff --git a/frontend/src/components/GrantPermissionDialog.vue b/frontend/src/components/GrantPermissionDialog.vue
index ce21138e5..e315ccde3 100644
--- a/frontend/src/components/GrantPermissionDialog.vue
+++ b/frontend/src/components/GrantPermissionDialog.vue
@@ -73,8 +73,7 @@ import { onMounted, ref } from 'vue';
 import { useI18n } from 'vue-i18n';
 import backend, { AccessGrant, ConflictError, NotFoundError, UserDto, VaultDto } from '../common/backend';
 import { getFingerprint } from '../common/crypto';
-
-import { VaultKeys } from '../common/crypto';
+import { VaultKeys } from '../common/vaultv8';
 
 const { t } = useI18n({ useScope: 'global' });
 
diff --git a/frontend/src/components/RecoverVaultDialog.vue b/frontend/src/components/RecoverVaultDialog.vue
index 280bb9bb8..f4d201917 100644
--- a/frontend/src/components/RecoverVaultDialog.vue
+++ b/frontend/src/components/RecoverVaultDialog.vue
@@ -56,8 +56,7 @@ import { base64 } from 'rfc4648';
 import { ref } from 'vue';
 import { useI18n } from 'vue-i18n';
 import backend, { UserDto, VaultDto } from '../common/backend';
-
-import { VaultKeys } from '../common/crypto';
+import { VaultKeys } from '../common/vaultv8';
 
 class FormValidationFailedError extends Error {
   constructor() {
diff --git a/frontend/src/components/RecoveryKeyDialog.vue b/frontend/src/components/RecoveryKeyDialog.vue
index 58f9a11cd..401398b0f 100644
--- a/frontend/src/components/RecoveryKeyDialog.vue
+++ b/frontend/src/components/RecoveryKeyDialog.vue
@@ -69,8 +69,8 @@ import { KeyIcon } from '@heroicons/vue/24/outline';
 import { ref } from 'vue';
 import { useI18n } from 'vue-i18n';
 import { VaultDto } from '../common/backend';
-import { VaultKeys } from '../common/crypto';
 import { debounce } from '../common/util';
+import { VaultKeys } from '../common/vaultv8';
 
 const { t } = useI18n({ useScope: 'global' });
 
diff --git a/frontend/src/components/VaultDetails.vue b/frontend/src/components/VaultDetails.vue
index 6967ec968..f46d283ef 100644
--- a/frontend/src/components/VaultDetails.vue
+++ b/frontend/src/components/VaultDetails.vue
@@ -192,8 +192,9 @@ import { base64 } from 'rfc4648';
 import { computed, nextTick, onMounted, ref } from 'vue';
 import { useI18n } from 'vue-i18n';
 import backend, { AuthorityDto, ConflictError, ForbiddenError, MemberDto, NotFoundError, PaymentRequiredError, UserDto, VaultDto, VaultRole } from '../common/backend';
-import { BrowserKeys, UserKeys, VaultKeys } from '../common/crypto';
+import { BrowserKeys, UserKeys } from '../common/crypto';
 import { JWT, JWTHeader } from '../common/jwt';
+import { VaultKeys } from '../common/vaultv8';
 import ArchiveVaultDialog from './ArchiveVaultDialog.vue';
 import ClaimVaultOwnershipDialog from './ClaimVaultOwnershipDialog.vue';
 import DownloadVaultTemplateDialog from './DownloadVaultTemplateDialog.vue';
diff --git a/frontend/test/common/crypto.spec.ts b/frontend/test/common/crypto.spec.ts
index 57f7054e8..6c9d1e608 100644
--- a/frontend/test/common/crypto.spec.ts
+++ b/frontend/test/common/crypto.spec.ts
@@ -2,9 +2,8 @@ import { use as chaiUse, expect } from 'chai';
 import chaiAsPromised from 'chai-as-promised';
 import { before, describe } from 'mocha';
 import { base64 } from 'rfc4648';
-import { UnwrapKeyError, UserKeys, VaultKeys } from '../../src/common/crypto';
-import { VaultMetadata } from '../../src/common/crypto';
 import { VaultMetadataJWEAutomaticAccessGrantDto } from '../../src/common/backend';
+import { UserKeys, VaultMetadata } from '../../src/common/crypto';
 import { JWEParser } from '../../src/common/jwe';
 
 chaiUse(chaiAsPromised);
@@ -52,101 +51,6 @@ describe('crypto', () => {
     bob = { privateKey: await bobPrv, publicKey: await bobPub };
   });
 
-  describe('VaultKeys', () => {
-    it('create()', async () => {
-      const orig = await VaultKeys.create();
-
-      expect(orig).to.be.not.null;
-    });
-
-    it('recover() succeeds for valid key', async () => {
-      let recoveryKey = `
-        pathway lift abuse plenty export texture gentleman landscape beyond ceiling around leaf cafe charity 
-        border breakdown victory surely computer cat linger restrict infer crowd live computer true written amazed 
-        investor boot depth left theory snow whereby terminal weekly reject happiness circuit partial cup ad
-        `;
-
-      const recovered = await VaultKeys.recover(recoveryKey);
-
-      const newMasterKey = await crypto.subtle.exportKey('jwk', recovered.masterKey);
-      expect(newMasterKey).to.deep.include({
-        'k': 'uwHiVreDbmv47K7oZzlwZbHcEql2Z29brbgFxKA7i54pXVPoHoxKK5rzZS3VEhPxHegQKCwa5Mk4ep7OsYutAw'
-      });
-    });
-
-    it('recover() fails for invalid recovery key', async () => {
-      const noMultipleOfTwo = VaultKeys.recover('pathway');
-      const notInDict = VaultKeys.recover('hallo bonjour');
-      const wrongLength = VaultKeys.recover('pathway lift');
-      const invalidCrc = VaultKeys.recover(`
-        pathway lift abuse plenty export texture gentleman landscape beyond ceiling around leaf cafe charity 
-        border breakdown victory surely computer cat linger restrict infer crowd live computer true written amazed 
-        investor boot depth left theory snow whereby terminal weekly reject happiness circuit partial cup wrong
-        `);
-
-      return Promise.all([
-        expect(noMultipleOfTwo).to.be.rejectedWith(Error, /input needs to be a multiple of two words/),
-        expect(notInDict).to.be.rejectedWith(Error, /Word not in dictionary/),
-        expect(wrongLength).to.be.rejectedWith(Error, /Invalid recovery key length/),
-        expect(invalidCrc).to.be.rejectedWith(Error, /Invalid recovery key checksum/),
-      ]);
-    });
-
-    describe('Prove Vault Ownership using Vault Admin Password', () => {
-      const wrapped = {
-        wrappedMasterkey: 'CMPyJiiOQXBZ8FVvFZs6UOh0kW83+eALeK3bwXfFF2CWsguJZIgCJch94liWCh9xTqW84LUZPyo6IDWbSALqbbdiwDcztT8M81/pgadhTETVtHO5Q1CFNLJ9UvY=',
-        wrappedOwnerPrivateKey: 'O9snY73/eVElnWRLgM404KH7WwO/Ed30Y0UrQQw6x3vxOdroJcjvPdJeSqLD2x4lVP7ceTjVt3IT2N9Mx+jhUQzqrb1E2EvEYlXrTaID1jSdBXZ6ScrI1RvU0iH9cfXf2cRy2x8QZvJyVMr34gLJ3Di/XGrnc/BrOm+aF2K4F9FJXvJFen3CnAs9ewB3Vk0A1wRLX3hW/Wx7eXt/0i1gxB8T/NcLu7xIU3+uusTHh9uajFkA5+z1+JgNHURaa1bT8j5WTtNWIHYT/sw+erMn6S0Uj1vL',
-        ownerPublicKey: 'MHYwEAYHKoZIzj0CAQYFK4EEACIDYgAESzrRXmyI8VWFJg1dPUNbFcc9jZvjZEfH7ulKI1UkXAltd7RGWrcfFxqyGPcwu6AQhHUag3OvDzEr0uUQND4PXHQTXP5IDGdYhJhL+WLKjnGjQAw0rNGy5V29+aV+yseW',
-        salt: 'IdXyKICznXKm41gSb5OqfQ',
-        iterations: 1
-      };
-
-      it('decryptWithAdminPassword() with wrong pw', () => {
-        return expect(VaultKeys.decryptWithAdminPassword('wrong', wrapped.wrappedMasterkey, wrapped.wrappedOwnerPrivateKey, wrapped.ownerPublicKey, wrapped.salt, wrapped.iterations)).to.eventually.be.rejectedWith(UnwrapKeyError);
-      });
-      it('decryptWithAdminPassword() with correct pw', () => {
-        return expect(VaultKeys.decryptWithAdminPassword('pass', wrapped.wrappedMasterkey, wrapped.wrappedOwnerPrivateKey, wrapped.ownerPublicKey, wrapped.salt, wrapped.iterations)).to.eventually.be.fulfilled;
-      });
-    });
-
-    describe('After creating new key material', () => {
-      let vaultKeys: VaultKeys;
-
-      beforeEach(async () => {
-        vaultKeys = await TestVaultKeys.create();
-      });
-
-      it('encryptForUser()', async () => {
-        const userKey = base64.parse('MHYwEAYHKoZIzj0CAQYFK4EEACIDYgAERxQR+NRN6Wga01370uBBzr2NHDbKIC56tPUEq2HX64RhITGhii8Zzbkb1HnRmdF0aq6uqmUy4jUhuxnKxsv59A6JeK7Unn+mpmm3pQAygjoGc9wrvoH4HWJSQYUlsXDu');
-
-        const encrypted = await vaultKeys.encryptForUser(userKey);
-        expect(encrypted).to.be.not.null;
-      });
-
-      it('createRecoveryKey()', async () => {
-        const recoveryKey = await vaultKeys.createRecoveryKey();
-
-        expect(recoveryKey).to.eql('water water water water water water water water water water water water water water water water water water water water water asset partly partly partly partly partly partly partly partly partly partly partly partly partly partly partly partly partly partly partly partly option twist');
-      });
-
-      describe('After creating a valid recovery key', () => {
-        let recoveryKey: string;
-
-        beforeEach(async () => {
-          recoveryKey = await vaultKeys.createRecoveryKey();
-        });
-        it('recover() imports original key', async () => {
-          const recovered = await VaultKeys.recover(recoveryKey);
-
-          const oldMasterKey = await crypto.subtle.exportKey('jwk', vaultKeys.masterKey);
-          const newMasterKey = await crypto.subtle.exportKey('jwk', recovered.masterKey);
-          expect(newMasterKey).to.deep.include({
-            'k': oldMasterKey.k
-          });
-        });
-      });
-    });
-  });
   describe('UserKeys', () => {
     it('create()', async () => {
       const orig = await UserKeys.create();
@@ -178,7 +82,7 @@ describe('crypto', () => {
         true,
         ['wrapKey', 'unwrapKey']
       );
-      const automaticAccessGrant: VaultMetadataJWEAutomaticAccessGrantDto ={
+      const automaticAccessGrant: VaultMetadataJWEAutomaticAccessGrantDto = {
         "enabled": true,
         "maxWotDepth": -1
       }
@@ -186,7 +90,7 @@ describe('crypto', () => {
       expect(orig).to.be.not.null;
       const jwe: string = await orig.encryptWithMasterKey(uvfMasterKey);
       expect(jwe).to.be.not.null;
-      const decrypted: VaultMetadata = await VaultMetadata.decryptWithMasterKey(jwe,uvfMasterKey);
+      const decrypted: VaultMetadata = await VaultMetadata.decryptWithMasterKey(jwe, uvfMasterKey);
       expect(JSON.stringify(decrypted.automaticAccessGrant)).to.eq(JSON.stringify(automaticAccessGrant));
       const decryptedRaw: any = await JWEParser.parse(jwe).decryptA256kw(uvfMasterKey);
       expect(decryptedRaw.fileFormat).to.eq("AES-256-GCM-32k");
@@ -223,48 +127,10 @@ describe('crypto', () => {
       expect(encoded).to.eq('MHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEem7I0xHVyliLrtQb4+mPMMkpSETsu2KZlWU2NdvCLaLwg/KXEeD5xZY7wCG9jLIQna9WpV+IOnIAzqnE3kRIjm3En7nDlPUctaSfxp1+igNHkpY65Oq8Y0g6LPGomejI');
     });
   });
-
-  describe('Hash directory id', () => {
-    it('root directory', async () => {
-      const vaultKeys = await TestVaultKeys.create();
-      const result = await vaultKeys.hashDirectoryId('');
-      expect(result).to.eql('VLWEHT553J5DR7OZLRJAYDIWFCXZABOD');
-    });
-
-    it('specific directory', async () => {
-      const vaultKeys = await TestVaultKeys.create();
-      const result = await vaultKeys.hashDirectoryId('918acfbd-a467-3f77-93f1-f4a44f9cfe9c');
-      expect(result).to.eql('7C3USOO3VU7IVQRKFMRFV3QE4VEZJECV');
-    });
-  });
 });
 
 /* ---------- MOCKS ---------- */
 
-class TestVaultKeys extends VaultKeys {
-  constructor(masterKey: CryptoKey) {
-    super(masterKey);
-  }
-
-  static async create() {
-    const raw = new Uint8Array(64);
-    raw.fill(0x55, 0, 32);
-    raw.fill(0x77, 32, 64);
-    const key = await crypto.subtle.importKey(
-      'raw',
-      raw,
-      {
-        name: 'HMAC',
-        hash: 'SHA-256',
-        length: 512
-      },
-      true,
-      ['sign']
-    );
-    return new TestVaultKeys(key);
-  }
-}
-
 class TestUserKeys extends UserKeys {
   constructor(keypair: CryptoKeyPair) {
     super(keypair);
diff --git a/frontend/test/common/vaultv8.spec.ts b/frontend/test/common/vaultv8.spec.ts
new file mode 100644
index 000000000..16040689c
--- /dev/null
+++ b/frontend/test/common/vaultv8.spec.ts
@@ -0,0 +1,154 @@
+import { use as chaiUse, expect } from 'chai';
+import chaiAsPromised from 'chai-as-promised';
+import { before, describe } from 'mocha';
+import { base64 } from 'rfc4648';
+import { UnwrapKeyError } from '../../src/common/crypto';
+import { VaultKeys } from '../../src/common/vaultv8';
+
+chaiUse(chaiAsPromised);
+
+describe('Vault Format 8', () => {
+
+  before(async () => {
+    // since this test runs on Node, we need to replace window.crypto:
+    Object.defineProperty(global, 'crypto', { value: require('node:crypto').webcrypto });
+    // @ts-ignore: global not defined (but will be available within Node)
+    global.window = { crypto: global.crypto };
+  });
+
+  describe('VaultKeys', () => {
+    it('create()', async () => {
+      const orig = await VaultKeys.create();
+
+      expect(orig).to.be.not.null;
+    });
+
+    it('recover() succeeds for valid key', async () => {
+      let recoveryKey = `
+        pathway lift abuse plenty export texture gentleman landscape beyond ceiling around leaf cafe charity
+        border breakdown victory surely computer cat linger restrict infer crowd live computer true written amazed
+        investor boot depth left theory snow whereby terminal weekly reject happiness circuit partial cup ad
+        `;
+
+      const recovered = await VaultKeys.recover(recoveryKey);
+
+      const newMasterKey = await crypto.subtle.exportKey('jwk', recovered.masterKey);
+      expect(newMasterKey).to.deep.include({
+        'k': 'uwHiVreDbmv47K7oZzlwZbHcEql2Z29brbgFxKA7i54pXVPoHoxKK5rzZS3VEhPxHegQKCwa5Mk4ep7OsYutAw'
+      });
+    });
+
+    it('recover() fails for invalid recovery key', async () => {
+      const noMultipleOfTwo = VaultKeys.recover('pathway');
+      const notInDict = VaultKeys.recover('hallo bonjour');
+      const wrongLength = VaultKeys.recover('pathway lift');
+      const invalidCrc = VaultKeys.recover(`
+        pathway lift abuse plenty export texture gentleman landscape beyond ceiling around leaf cafe charity 
+        border breakdown victory surely computer cat linger restrict infer crowd live computer true written amazed 
+        investor boot depth left theory snow whereby terminal weekly reject happiness circuit partial cup wrong
+        `);
+
+      return Promise.all([
+        expect(noMultipleOfTwo).to.be.rejectedWith(Error, /input needs to be a multiple of two words/),
+        expect(notInDict).to.be.rejectedWith(Error, /Word not in dictionary/),
+        expect(wrongLength).to.be.rejectedWith(Error, /Invalid recovery key length/),
+        expect(invalidCrc).to.be.rejectedWith(Error, /Invalid recovery key checksum/),
+      ]);
+    });
+
+    describe('Prove Vault Ownership using Vault Admin Password', () => {
+      const wrapped = {
+        wrappedMasterkey: 'CMPyJiiOQXBZ8FVvFZs6UOh0kW83+eALeK3bwXfFF2CWsguJZIgCJch94liWCh9xTqW84LUZPyo6IDWbSALqbbdiwDcztT8M81/pgadhTETVtHO5Q1CFNLJ9UvY=',
+        wrappedOwnerPrivateKey: 'O9snY73/eVElnWRLgM404KH7WwO/Ed30Y0UrQQw6x3vxOdroJcjvPdJeSqLD2x4lVP7ceTjVt3IT2N9Mx+jhUQzqrb1E2EvEYlXrTaID1jSdBXZ6ScrI1RvU0iH9cfXf2cRy2x8QZvJyVMr34gLJ3Di/XGrnc/BrOm+aF2K4F9FJXvJFen3CnAs9ewB3Vk0A1wRLX3hW/Wx7eXt/0i1gxB8T/NcLu7xIU3+uusTHh9uajFkA5+z1+JgNHURaa1bT8j5WTtNWIHYT/sw+erMn6S0Uj1vL',
+        ownerPublicKey: 'MHYwEAYHKoZIzj0CAQYFK4EEACIDYgAESzrRXmyI8VWFJg1dPUNbFcc9jZvjZEfH7ulKI1UkXAltd7RGWrcfFxqyGPcwu6AQhHUag3OvDzEr0uUQND4PXHQTXP5IDGdYhJhL+WLKjnGjQAw0rNGy5V29+aV+yseW',
+        salt: 'IdXyKICznXKm41gSb5OqfQ',
+        iterations: 1
+      };
+
+      it('decryptWithAdminPassword() with wrong pw', () => {
+        return expect(VaultKeys.decryptWithAdminPassword('wrong', wrapped.wrappedMasterkey, wrapped.wrappedOwnerPrivateKey, wrapped.ownerPublicKey, wrapped.salt, wrapped.iterations)).to.eventually.be.rejectedWith(UnwrapKeyError);
+      });
+      it('decryptWithAdminPassword() with correct pw', () => {
+        return expect(VaultKeys.decryptWithAdminPassword('pass', wrapped.wrappedMasterkey, wrapped.wrappedOwnerPrivateKey, wrapped.ownerPublicKey, wrapped.salt, wrapped.iterations)).to.eventually.be.fulfilled;
+      });
+    });
+
+    describe('After creating new key material', () => {
+      let vaultKeys: VaultKeys;
+
+      beforeEach(async () => {
+        vaultKeys = await TestVaultKeys.create();
+      });
+
+      it('encryptForUser()', async () => {
+        const userKey = base64.parse('MHYwEAYHKoZIzj0CAQYFK4EEACIDYgAERxQR+NRN6Wga01370uBBzr2NHDbKIC56tPUEq2HX64RhITGhii8Zzbkb1HnRmdF0aq6uqmUy4jUhuxnKxsv59A6JeK7Unn+mpmm3pQAygjoGc9wrvoH4HWJSQYUlsXDu');
+
+        const encrypted = await vaultKeys.encryptForUser(userKey);
+        expect(encrypted).to.be.not.null;
+      });
+
+      it('createRecoveryKey()', async () => {
+        const recoveryKey = await vaultKeys.createRecoveryKey();
+
+        expect(recoveryKey).to.eql('water water water water water water water water water water water water water water water water water water water water water asset partly partly partly partly partly partly partly partly partly partly partly partly partly partly partly partly partly partly partly partly option twist');
+      });
+
+      describe('After creating a valid recovery key', () => {
+        let recoveryKey: string;
+
+        beforeEach(async () => {
+          recoveryKey = await vaultKeys.createRecoveryKey();
+        });
+        it('recover() imports original key', async () => {
+          const recovered = await VaultKeys.recover(recoveryKey);
+
+          const oldMasterKey = await crypto.subtle.exportKey('jwk', vaultKeys.masterKey);
+          const newMasterKey = await crypto.subtle.exportKey('jwk', recovered.masterKey);
+          expect(newMasterKey).to.deep.include({
+            'k': oldMasterKey.k
+          });
+        });
+      });
+    });
+  });
+
+  describe('Hash directory id', () => {
+    it('root directory', async () => {
+      const vaultKeys = await TestVaultKeys.create();
+      const result = await vaultKeys.hashDirectoryId('');
+      expect(result).to.eql('VLWEHT553J5DR7OZLRJAYDIWFCXZABOD');
+    });
+
+    it('specific directory', async () => {
+      const vaultKeys = await TestVaultKeys.create();
+      const result = await vaultKeys.hashDirectoryId('918acfbd-a467-3f77-93f1-f4a44f9cfe9c');
+      expect(result).to.eql('7C3USOO3VU7IVQRKFMRFV3QE4VEZJECV');
+    });
+  });
+});
+
+/* ---------- MOCKS ---------- */
+
+class TestVaultKeys extends VaultKeys {
+  constructor(masterKey: CryptoKey) {
+    super(masterKey);
+  }
+
+  static async create() {
+    const raw = new Uint8Array(64);
+    raw.fill(0x55, 0, 32);
+    raw.fill(0x77, 32, 64);
+    const key = await crypto.subtle.importKey(
+      'raw',
+      raw,
+      {
+        name: 'HMAC',
+        hash: 'SHA-256',
+        length: 512
+      },
+      true,
+      ['sign']
+    );
+    return new TestVaultKeys(key);
+  }
+}

From b51cc59012356725a78e7a7eefc3b6089d8fc6b3 Mon Sep 17 00:00:00 2001
From: Sebastian Stenzel <sebastian.stenzel@skymatic.de>
Date: Sat, 13 Apr 2024 14:01:53 +0200
Subject: [PATCH 06/94] move UVF code to separate file

---
 frontend/src/common/crypto.ts       | 116 +--------------------------
 frontend/src/common/uvf.ts          | 117 ++++++++++++++++++++++++++++
 frontend/test/common/crypto.spec.ts |  31 +-------
 frontend/test/common/uvf.spec.ts    |  45 +++++++++++
 4 files changed, 164 insertions(+), 145 deletions(-)
 create mode 100644 frontend/src/common/uvf.ts
 create mode 100644 frontend/test/common/uvf.spec.ts

diff --git a/frontend/src/common/crypto.ts b/frontend/src/common/crypto.ts
index 6747a980c..24ccf2dd1 100644
--- a/frontend/src/common/crypto.ts
+++ b/frontend/src/common/crypto.ts
@@ -1,9 +1,7 @@
-import * as miscreant from 'miscreant';
-import { base16, base32, base64 } from 'rfc4648';
+import { base16, base64 } from 'rfc4648';
 import { JWEBuilder, JWEParser } from './jwe';
 import { DB } from './util';
 
-import { VaultMetadataJWEAutomaticAccessGrantDto } from './backend';
 
 export class UnwrapKeyError extends Error {
   readonly actualError: any;
@@ -220,115 +218,3 @@ export async function getFingerprint(key: string | undefined) {
   }
 }
 
-export class VaultMetadata {
-  // a 256 bit = 32 byte file key for data encryption
-  private static readonly RAWKEY_KEY_DESIGNATION: HmacImportParams | HmacKeyGenParams = {
-    name: 'HMAC',
-    hash: 'SHA-256',
-    length: 256
-  };
-
-  readonly automaticAccessGrant: VaultMetadataJWEAutomaticAccessGrantDto;
-  readonly keys: Record<string, CryptoKey>;
-  readonly latestFileKey: string;
-  readonly nameKey: string;
-
-  protected constructor(automaticAccessGrant: VaultMetadataJWEAutomaticAccessGrantDto, keys: Record<string, CryptoKey>, latestFileKey: string, nameKey: string) {
-    this.automaticAccessGrant = automaticAccessGrant;
-    this.keys = keys;
-    this.latestFileKey = latestFileKey;
-    this.nameKey = nameKey;
-  }
-
-  /**
-   * Creates new vault metadata with a new file key and name key
-   * @returns new vault metadata
-   */
-  public static async create(automaticAccessGrant: VaultMetadataJWEAutomaticAccessGrantDto): Promise<VaultMetadata> {
-    const fileKey = crypto.subtle.generateKey(
-      VaultMetadata.RAWKEY_KEY_DESIGNATION,
-      true,
-      // TODO https://github.com/encryption-alliance/unified-vault-format/pull/19 is this correct?
-      ['sign']
-    );
-    const nameKey = crypto.subtle.generateKey(
-      VaultMetadata.RAWKEY_KEY_DESIGNATION,
-      true,
-      // TODO https://github.com/encryption-alliance/unified-vault-format/pull/19 is this correct?
-      ['sign']
-    );
-    const fileKeyId = Array(4).fill(null).map(() => "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789".charAt(Math.random() * 62)).join("")
-    const nameKeyId = Array(4).fill(null).map(() => "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789".charAt(Math.random() * 62)).join("")
-    const keys: Record<string, CryptoKey> = {};
-    keys[fileKeyId] = await fileKey;
-    keys[nameKeyId] = await nameKey;
-    return new VaultMetadata(automaticAccessGrant, keys, fileKeyId, nameKeyId);
-  }
-
-  /**
-   * Decrypts the vault metadata using the vault masterkey
-   * @param jwe JWE containing the vault key
-   * @param masterKey the vault masterKey
-   * @returns vault metadata
-   */
-  public static async decryptWithMasterKey(jwe: string, masterKey: CryptoKey): Promise<VaultMetadata> {
-    const payload = await JWEParser.parse(jwe).decryptA256kw(masterKey);
-    const keys: Record<string, string> = payload['keys'];
-    const keysImported: Record<string, CryptoKey> = payload['keys'];
-    for (const k in keys) {
-      // TODO https://github.com/encryption-alliance/unified-vault-format/pull/19 is this correct?
-      keysImported[k] = await crypto.subtle.importKey('raw', base64.parse(keys[k]), VaultMetadata.RAWKEY_KEY_DESIGNATION, true, ['sign']);
-    }
-    const latestFileKey = payload['latestFileKey']
-    const nameKey = payload['nameKey']
-    return new VaultMetadata(
-      payload['org.cryptomator.automaticAccessGrant'],
-      keysImported,
-      latestFileKey,
-      nameKey
-    );
-  }
-
-  /**
-   * Encrypts the vault metadata using the given vault masterKey
-   * @param userPublicKey The recipient's public key (DER-encoded)
-   * @returns a JWE containing this Masterkey
-   */
-  public async encryptWithMasterKey(masterKey: CryptoKey): Promise<string> {
-    const keysExported: Record<string, string> = {};
-    for (const k in this.keys) {
-      keysExported[k] = base64.stringify(new Uint8Array(await crypto.subtle.exportKey('raw', this.keys[k])));
-    }
-    const payload = {
-      fileFormat: "AES-256-GCM-32k",
-      nameFormat: "AES-256-SIV",
-      keys: keysExported,
-      latestFileKey: this.latestFileKey,
-      nameKey: this.nameKey,
-      // TODO https://github.com/encryption-alliance/unified-vault-format/pull/21 finalize kdf
-      kdf: "1STEP-HMAC-SHA512",
-      'org.cryptomator.automaticAccessGrant': this.automaticAccessGrant
-    }
-    return JWEBuilder.a256kw(masterKey).encrypt(payload);
-  }
-
-  public async hashDirectoryId(cleartextDirectoryId: string): Promise<string> {
-    const dirHash = new TextEncoder().encode(cleartextDirectoryId);
-    // TODO https://github.com/encryption-alliance/unified-vault-format/pull/19 !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! MUST NEVER BE RELEASED LIKE THIS
-    // TODO https://github.com/encryption-alliance/unified-vault-format/pull/19 use rawFileKey,rawNameKey for rootDirHash for now - should depend on nameKey only!!
-    const rawkey = new Uint8Array([...new Uint8Array(await crypto.subtle.exportKey('raw', this.keys[this.latestFileKey])), ...new Uint8Array(await crypto.subtle.exportKey('raw', this.keys[this.nameKey]))]);
-    try {
-      // miscreant lib requires mac key first and then the enc key
-      const encKey = rawkey.subarray(0, rawkey.length / 2 | 0);
-      const macKey = rawkey.subarray(rawkey.length / 2 | 0);
-      const shiftedRawKey = new Uint8Array([...macKey, ...encKey]);
-      const key = await miscreant.SIV.importKey(shiftedRawKey, 'AES-SIV');
-      const ciphertext = await key.seal(dirHash, []);
-      // hash is only used as deterministic scheme for the root dir
-      const hash = await crypto.subtle.digest('SHA-1', ciphertext);
-      return base32.stringify(new Uint8Array(hash));
-    } finally {
-      rawkey.fill(0x00);
-    }
-  }
-}
diff --git a/frontend/src/common/uvf.ts b/frontend/src/common/uvf.ts
new file mode 100644
index 000000000..2aab43a68
--- /dev/null
+++ b/frontend/src/common/uvf.ts
@@ -0,0 +1,117 @@
+import * as miscreant from 'miscreant';
+import { base32, base64 } from 'rfc4648';
+import { VaultMetadataJWEAutomaticAccessGrantDto } from './backend';
+import { JWEBuilder, JWEParser } from './jwe';
+
+export class VaultMetadata {
+  // a 256 bit = 32 byte file key for data encryption
+  private static readonly RAWKEY_KEY_DESIGNATION: HmacImportParams | HmacKeyGenParams = {
+    name: 'HMAC',
+    hash: 'SHA-256',
+    length: 256
+  };
+
+  readonly automaticAccessGrant: VaultMetadataJWEAutomaticAccessGrantDto;
+  readonly keys: Record<string, CryptoKey>;
+  readonly latestFileKey: string;
+  readonly nameKey: string;
+
+  protected constructor(automaticAccessGrant: VaultMetadataJWEAutomaticAccessGrantDto, keys: Record<string, CryptoKey>, latestFileKey: string, nameKey: string) {
+    this.automaticAccessGrant = automaticAccessGrant;
+    this.keys = keys;
+    this.latestFileKey = latestFileKey;
+    this.nameKey = nameKey;
+  }
+
+  /**
+   * Creates new vault metadata with a new file key and name key
+   * @returns new vault metadata
+   */
+  public static async create(automaticAccessGrant: VaultMetadataJWEAutomaticAccessGrantDto): Promise<VaultMetadata> {
+    const fileKey = crypto.subtle.generateKey(
+      VaultMetadata.RAWKEY_KEY_DESIGNATION,
+      true,
+      // TODO https://github.com/encryption-alliance/unified-vault-format/pull/19 is this correct?
+      ['sign']
+    );
+    const nameKey = crypto.subtle.generateKey(
+      VaultMetadata.RAWKEY_KEY_DESIGNATION,
+      true,
+      // TODO https://github.com/encryption-alliance/unified-vault-format/pull/19 is this correct?
+      ['sign']
+    );
+    const fileKeyId = Array(4).fill(null).map(() => "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789".charAt(Math.random() * 62)).join("")
+    const nameKeyId = Array(4).fill(null).map(() => "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789".charAt(Math.random() * 62)).join("")
+    const keys: Record<string, CryptoKey> = {};
+    keys[fileKeyId] = await fileKey;
+    keys[nameKeyId] = await nameKey;
+    return new VaultMetadata(automaticAccessGrant, keys, fileKeyId, nameKeyId);
+  }
+
+  /**
+   * Decrypts the vault metadata using the vault masterkey
+   * @param jwe JWE containing the vault key
+   * @param masterKey the vault masterKey
+   * @returns vault metadata
+   */
+  public static async decryptWithMasterKey(jwe: string, masterKey: CryptoKey): Promise<VaultMetadata> {
+    const payload = await JWEParser.parse(jwe).decryptA256kw(masterKey);
+    const keys: Record<string, string> = payload['keys'];
+    const keysImported: Record<string, CryptoKey> = payload['keys'];
+    for (const k in keys) {
+      // TODO https://github.com/encryption-alliance/unified-vault-format/pull/19 is this correct?
+      keysImported[k] = await crypto.subtle.importKey('raw', base64.parse(keys[k]), VaultMetadata.RAWKEY_KEY_DESIGNATION, true, ['sign']);
+    }
+    const latestFileKey = payload['latestFileKey']
+    const nameKey = payload['nameKey']
+    return new VaultMetadata(
+      payload['org.cryptomator.automaticAccessGrant'],
+      keysImported,
+      latestFileKey,
+      nameKey
+    );
+  }
+
+  /**
+   * Encrypts the vault metadata using the given vault masterKey
+   * @param userPublicKey The recipient's public key (DER-encoded)
+   * @returns a JWE containing this Masterkey
+   */
+  public async encryptWithMasterKey(masterKey: CryptoKey): Promise<string> {
+    const keysExported: Record<string, string> = {};
+    for (const k in this.keys) {
+      keysExported[k] = base64.stringify(new Uint8Array(await crypto.subtle.exportKey('raw', this.keys[k])));
+    }
+    const payload = {
+      fileFormat: "AES-256-GCM-32k",
+      nameFormat: "AES-256-SIV",
+      keys: keysExported,
+      latestFileKey: this.latestFileKey,
+      nameKey: this.nameKey,
+      // TODO https://github.com/encryption-alliance/unified-vault-format/pull/21 finalize kdf
+      kdf: "1STEP-HMAC-SHA512",
+      'org.cryptomator.automaticAccessGrant': this.automaticAccessGrant
+    }
+    return JWEBuilder.a256kw(masterKey).encrypt(payload);
+  }
+
+  public async hashDirectoryId(cleartextDirectoryId: string): Promise<string> {
+    const dirHash = new TextEncoder().encode(cleartextDirectoryId);
+    // TODO https://github.com/encryption-alliance/unified-vault-format/pull/19 !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! MUST NEVER BE RELEASED LIKE THIS
+    // TODO https://github.com/encryption-alliance/unified-vault-format/pull/19 use rawFileKey,rawNameKey for rootDirHash for now - should depend on nameKey only!!
+    const rawkey = new Uint8Array([...new Uint8Array(await crypto.subtle.exportKey('raw', this.keys[this.latestFileKey])), ...new Uint8Array(await crypto.subtle.exportKey('raw', this.keys[this.nameKey]))]);
+    try {
+      // miscreant lib requires mac key first and then the enc key
+      const encKey = rawkey.subarray(0, rawkey.length / 2 | 0);
+      const macKey = rawkey.subarray(rawkey.length / 2 | 0);
+      const shiftedRawKey = new Uint8Array([...macKey, ...encKey]);
+      const key = await miscreant.SIV.importKey(shiftedRawKey, 'AES-SIV');
+      const ciphertext = await key.seal(dirHash, []);
+      // hash is only used as deterministic scheme for the root dir
+      const hash = await crypto.subtle.digest('SHA-1', ciphertext);
+      return base32.stringify(new Uint8Array(hash));
+    } finally {
+      rawkey.fill(0x00);
+    }
+  }
+}
diff --git a/frontend/test/common/crypto.spec.ts b/frontend/test/common/crypto.spec.ts
index 6c9d1e608..28a74f431 100644
--- a/frontend/test/common/crypto.spec.ts
+++ b/frontend/test/common/crypto.spec.ts
@@ -2,9 +2,7 @@ import { use as chaiUse, expect } from 'chai';
 import chaiAsPromised from 'chai-as-promised';
 import { before, describe } from 'mocha';
 import { base64 } from 'rfc4648';
-import { VaultMetadataJWEAutomaticAccessGrantDto } from '../../src/common/backend';
-import { UserKeys, VaultMetadata } from '../../src/common/crypto';
-import { JWEParser } from '../../src/common/jwe';
+import { UserKeys } from '../../src/common/crypto';
 
 chaiUse(chaiAsPromised);
 
@@ -74,33 +72,6 @@ describe('crypto', () => {
     });
   });
 
-  describe('VaultMetadata', () => {
-    // TODO review @sebi what else should we test?
-    it('encryptWithMasterKey() and decryptWithMasterKey()', async () => {
-      const uvfMasterKey = await crypto.subtle.generateKey(
-        { name: 'AES-KW', length: 256 },
-        true,
-        ['wrapKey', 'unwrapKey']
-      );
-      const automaticAccessGrant: VaultMetadataJWEAutomaticAccessGrantDto = {
-        "enabled": true,
-        "maxWotDepth": -1
-      }
-      const orig = await VaultMetadata.create(automaticAccessGrant);
-      expect(orig).to.be.not.null;
-      const jwe: string = await orig.encryptWithMasterKey(uvfMasterKey);
-      expect(jwe).to.be.not.null;
-      const decrypted: VaultMetadata = await VaultMetadata.decryptWithMasterKey(jwe, uvfMasterKey);
-      expect(JSON.stringify(decrypted.automaticAccessGrant)).to.eq(JSON.stringify(automaticAccessGrant));
-      const decryptedRaw: any = await JWEParser.parse(jwe).decryptA256kw(uvfMasterKey);
-      expect(decryptedRaw.fileFormat).to.eq("AES-256-GCM-32k");
-      expect(decryptedRaw.latestFileKey).to.eq(orig.latestFileKey);
-      expect(decryptedRaw.nameKey).to.eq(orig.nameKey);
-      expect(decryptedRaw.kdf).to.eq("1STEP-HMAC-SHA512");
-      expect(decryptedRaw['org.cryptomator.automaticAccessGrant']).to.deep.eq(automaticAccessGrant);
-    });
-  });
-
   // base64-encoded test key pairs for use in other implementations (Java, Swift, ...)
   describe('Test Key Pairs', () => {
     it('alice private key (PKCS8)', async () => {
diff --git a/frontend/test/common/uvf.spec.ts b/frontend/test/common/uvf.spec.ts
new file mode 100644
index 000000000..9e9ff2ceb
--- /dev/null
+++ b/frontend/test/common/uvf.spec.ts
@@ -0,0 +1,45 @@
+import { use as chaiUse, expect } from 'chai';
+import chaiAsPromised from 'chai-as-promised';
+import { before, describe } from 'mocha';
+import { VaultMetadataJWEAutomaticAccessGrantDto } from '../../src/common/backend';
+import { JWEParser } from '../../src/common/jwe';
+import { VaultMetadata } from '../../src/common/uvf';
+
+chaiUse(chaiAsPromised);
+
+describe('Vault Format 8', () => {
+
+  before(async () => {
+    // since this test runs on Node, we need to replace window.crypto:
+    Object.defineProperty(global, 'crypto', { value: require('node:crypto').webcrypto });
+    // @ts-ignore: global not defined (but will be available within Node)
+    global.window = { crypto: global.crypto };
+  });
+
+  describe('VaultMetadata', () => {
+    // TODO review @sebi what else should we test?
+    it('encryptWithMasterKey() and decryptWithMasterKey()', async () => {
+      const uvfMasterKey = await crypto.subtle.generateKey(
+        { name: 'AES-KW', length: 256 },
+        true,
+        ['wrapKey', 'unwrapKey']
+      );
+      const automaticAccessGrant: VaultMetadataJWEAutomaticAccessGrantDto = {
+        "enabled": true,
+        "maxWotDepth": -1
+      }
+      const orig = await VaultMetadata.create(automaticAccessGrant);
+      expect(orig).to.be.not.null;
+      const jwe: string = await orig.encryptWithMasterKey(uvfMasterKey);
+      expect(jwe).to.be.not.null;
+      const decrypted: VaultMetadata = await VaultMetadata.decryptWithMasterKey(jwe, uvfMasterKey);
+      expect(JSON.stringify(decrypted.automaticAccessGrant)).to.eq(JSON.stringify(automaticAccessGrant));
+      const decryptedRaw: any = await JWEParser.parse(jwe).decryptA256kw(uvfMasterKey);
+      expect(decryptedRaw.fileFormat).to.eq("AES-256-GCM-32k");
+      expect(decryptedRaw.latestFileKey).to.eq(orig.latestFileKey);
+      expect(decryptedRaw.nameKey).to.eq(orig.nameKey);
+      expect(decryptedRaw.kdf).to.eq("1STEP-HMAC-SHA512");
+      expect(decryptedRaw['org.cryptomator.automaticAccessGrant']).to.deep.eq(automaticAccessGrant);
+    });
+  });
+});

From a9f12d442c8313c5a42e9b88a1a80ffad49f3603 Mon Sep 17 00:00:00 2001
From: Sebastian Stenzel <sebastian.stenzel@skymatic.de>
Date: Sat, 13 Apr 2024 15:57:49 +0200
Subject: [PATCH 07/94] adjust UVF payload to latest spec

---
 frontend/src/common/backend.ts   |   5 -
 frontend/src/common/uvf.ts       | 157 +++++++++++++++++--------------
 frontend/test/common/uvf.spec.ts |  31 +++---
 3 files changed, 104 insertions(+), 89 deletions(-)

diff --git a/frontend/src/common/backend.ts b/frontend/src/common/backend.ts
index 6fa61ca3e..4e7e4b6b6 100644
--- a/frontend/src/common/backend.ts
+++ b/frontend/src/common/backend.ts
@@ -440,8 +440,3 @@ export class ConflictError extends BackendError {
     super('Resource already exists');
   }
 }
-
-export type VaultMetadataJWEAutomaticAccessGrantDto = {
-    enabled: boolean,
-    maxWotDepth: number
-}
diff --git a/frontend/src/common/uvf.ts b/frontend/src/common/uvf.ts
index 2aab43a68..f4477956f 100644
--- a/frontend/src/common/uvf.ts
+++ b/frontend/src/common/uvf.ts
@@ -1,26 +1,36 @@
-import * as miscreant from 'miscreant';
-import { base32, base64 } from 'rfc4648';
-import { VaultMetadataJWEAutomaticAccessGrantDto } from './backend';
+import { base64url } from 'rfc4648';
 import { JWEBuilder, JWEParser } from './jwe';
 
+export type MetadataPayload = {
+  fileFormat: 'AES-256-GCM-32k';
+  nameFormat: 'AES-SIV-512-B64URL'; // TODO verify after merging https://github.com/encryption-alliance/unified-vault-format/pull/24
+  seeds: Record<string, string>;
+  initialSeed: string;
+  latestSeed: string;
+  kdf: 'HKDF-SHA512';
+  kdfSalt: string;
+  'org.cryptomator.automaticAccessGrant': VaultMetadataJWEAutomaticAccessGrantDto;
+}
+
+export type VaultMetadataJWEAutomaticAccessGrantDto = {
+  enabled: boolean,
+  maxWotDepth: number
+}
+
 export class VaultMetadata {
-  // a 256 bit = 32 byte file key for data encryption
-  private static readonly RAWKEY_KEY_DESIGNATION: HmacImportParams | HmacKeyGenParams = {
-    name: 'HMAC',
-    hash: 'SHA-256',
-    length: 256
-  };
 
   readonly automaticAccessGrant: VaultMetadataJWEAutomaticAccessGrantDto;
-  readonly keys: Record<string, CryptoKey>;
-  readonly latestFileKey: string;
-  readonly nameKey: string;
+  readonly seeds: Map<number, Uint8Array>;
+  readonly initialSeedId: number;
+  readonly latestSeedId: number;
+  readonly kdfSalt: Uint8Array;
 
-  protected constructor(automaticAccessGrant: VaultMetadataJWEAutomaticAccessGrantDto, keys: Record<string, CryptoKey>, latestFileKey: string, nameKey: string) {
+  protected constructor(automaticAccessGrant: VaultMetadataJWEAutomaticAccessGrantDto, seeds: Map<number, Uint8Array>, initialSeedId: number, latestSeedId: number, kdfSalt: Uint8Array) {
     this.automaticAccessGrant = automaticAccessGrant;
-    this.keys = keys;
-    this.latestFileKey = latestFileKey;
-    this.nameKey = nameKey;
+    this.seeds = seeds;
+    this.initialSeedId = initialSeedId;
+    this.latestSeedId = latestSeedId;
+    this.kdfSalt = kdfSalt;
   }
 
   /**
@@ -28,24 +38,16 @@ export class VaultMetadata {
    * @returns new vault metadata
    */
   public static async create(automaticAccessGrant: VaultMetadataJWEAutomaticAccessGrantDto): Promise<VaultMetadata> {
-    const fileKey = crypto.subtle.generateKey(
-      VaultMetadata.RAWKEY_KEY_DESIGNATION,
-      true,
-      // TODO https://github.com/encryption-alliance/unified-vault-format/pull/19 is this correct?
-      ['sign']
-    );
-    const nameKey = crypto.subtle.generateKey(
-      VaultMetadata.RAWKEY_KEY_DESIGNATION,
-      true,
-      // TODO https://github.com/encryption-alliance/unified-vault-format/pull/19 is this correct?
-      ['sign']
-    );
-    const fileKeyId = Array(4).fill(null).map(() => "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789".charAt(Math.random() * 62)).join("")
-    const nameKeyId = Array(4).fill(null).map(() => "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789".charAt(Math.random() * 62)).join("")
-    const keys: Record<string, CryptoKey> = {};
-    keys[fileKeyId] = await fileKey;
-    keys[nameKeyId] = await nameKey;
-    return new VaultMetadata(automaticAccessGrant, keys, fileKeyId, nameKeyId);
+    const initialSeedId = new Uint32Array(1);
+    const initialSeedValue = new Uint8Array(32);
+    const kdfSalt = new Uint8Array(32);
+    crypto.getRandomValues(initialSeedId);
+    crypto.getRandomValues(initialSeedValue);
+    crypto.getRandomValues(kdfSalt);
+    const initialSeedNo = initialSeedId[0];
+    const seeds: Map<number, Uint8Array> = new Map<number, Uint8Array>();
+    seeds.set(initialSeedNo, initialSeedValue);
+    return new VaultMetadata(automaticAccessGrant, seeds, initialSeedNo, initialSeedNo, kdfSalt);
   }
 
   /**
@@ -56,19 +58,22 @@ export class VaultMetadata {
    */
   public static async decryptWithMasterKey(jwe: string, masterKey: CryptoKey): Promise<VaultMetadata> {
     const payload = await JWEParser.parse(jwe).decryptA256kw(masterKey);
-    const keys: Record<string, string> = payload['keys'];
-    const keysImported: Record<string, CryptoKey> = payload['keys'];
-    for (const k in keys) {
-      // TODO https://github.com/encryption-alliance/unified-vault-format/pull/19 is this correct?
-      keysImported[k] = await crypto.subtle.importKey('raw', base64.parse(keys[k]), VaultMetadata.RAWKEY_KEY_DESIGNATION, true, ['sign']);
+    const encodedSeeds: Record<string, string> = payload['seeds'];
+    const seeds = new Map<number, Uint8Array>();
+    for (const key in encodedSeeds) {
+      const num = parseSeedId(key);
+      const value = base64url.parse(encodedSeeds[key], { loose: true });
+      seeds.set(num, value);
     }
-    const latestFileKey = payload['latestFileKey']
-    const nameKey = payload['nameKey']
+    const initialSeedId = parseSeedId(payload['initialSeed']);
+    const latestSeedId = parseSeedId(payload['latestSeed']);
+    const kdfSalt = base64url.parse(payload['kdfSalt'], { loose: true });
     return new VaultMetadata(
       payload['org.cryptomator.automaticAccessGrant'],
-      keysImported,
-      latestFileKey,
-      nameKey
+      seeds,
+      initialSeedId,
+      latestSeedId,
+      kdfSalt
     );
   }
 
@@ -78,40 +83,48 @@ export class VaultMetadata {
    * @returns a JWE containing this Masterkey
    */
   public async encryptWithMasterKey(masterKey: CryptoKey): Promise<string> {
-    const keysExported: Record<string, string> = {};
-    for (const k in this.keys) {
-      keysExported[k] = base64.stringify(new Uint8Array(await crypto.subtle.exportKey('raw', this.keys[k])));
+    const encodedSeeds: Record<string, string> = {};
+    for (const [key, value] of this.seeds) {
+      const seedId = stringifySeedId(key);
+      encodedSeeds[seedId] = base64url.stringify(value, { pad: false });
     }
-    const payload = {
-      fileFormat: "AES-256-GCM-32k",
-      nameFormat: "AES-256-SIV",
-      keys: keysExported,
-      latestFileKey: this.latestFileKey,
-      nameKey: this.nameKey,
+    const payload: MetadataPayload = {
+      fileFormat: 'AES-256-GCM-32k',
+      nameFormat: 'AES-SIV-512-B64URL',
+      seeds: encodedSeeds,
+      initialSeed: stringifySeedId(this.initialSeedId),
+      latestSeed: stringifySeedId(this.latestSeedId),
       // TODO https://github.com/encryption-alliance/unified-vault-format/pull/21 finalize kdf
-      kdf: "1STEP-HMAC-SHA512",
+      kdf: 'HKDF-SHA512',
+      kdfSalt: base64url.stringify(this.kdfSalt, { pad: false }),
       'org.cryptomator.automaticAccessGrant': this.automaticAccessGrant
     }
     return JWEBuilder.a256kw(masterKey).encrypt(payload);
   }
 
-  public async hashDirectoryId(cleartextDirectoryId: string): Promise<string> {
-    const dirHash = new TextEncoder().encode(cleartextDirectoryId);
-    // TODO https://github.com/encryption-alliance/unified-vault-format/pull/19 !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! MUST NEVER BE RELEASED LIKE THIS
-    // TODO https://github.com/encryption-alliance/unified-vault-format/pull/19 use rawFileKey,rawNameKey for rootDirHash for now - should depend on nameKey only!!
-    const rawkey = new Uint8Array([...new Uint8Array(await crypto.subtle.exportKey('raw', this.keys[this.latestFileKey])), ...new Uint8Array(await crypto.subtle.exportKey('raw', this.keys[this.nameKey]))]);
-    try {
-      // miscreant lib requires mac key first and then the enc key
-      const encKey = rawkey.subarray(0, rawkey.length / 2 | 0);
-      const macKey = rawkey.subarray(rawkey.length / 2 | 0);
-      const shiftedRawKey = new Uint8Array([...macKey, ...encKey]);
-      const key = await miscreant.SIV.importKey(shiftedRawKey, 'AES-SIV');
-      const ciphertext = await key.seal(dirHash, []);
-      // hash is only used as deterministic scheme for the root dir
-      const hash = await crypto.subtle.digest('SHA-1', ciphertext);
-      return base32.stringify(new Uint8Array(hash));
-    } finally {
-      rawkey.fill(0x00);
-    }
+}
+
+/**
+ * Parses the 4 byte seed id from its base64url-encoded form to a 32 bit integer.
+ * @param encoded base64url-encoded seed ID
+ * @returns a 32 bit number
+ * @throws Error if the input is invalid
+ */
+function parseSeedId(encoded: string): number {
+  const bytes = base64url.parse(encoded, { loose: true });
+  if (bytes.length != 4) {
+    throw new Error('Malformed seed ID');
   }
+  return new Uint32Array(bytes.buffer)[0];
+}
+
+/**
+ * Encodes a 32 bit integer denoting the 4 byte seed id as a base64url-encoded string.
+ * @param id numeric seed ID
+ * @returns a base6url-encoded seed ID
+ */
+function stringifySeedId(id: number): string {
+  const ints = new Uint32Array([id]);
+  const bytes = new Uint8Array(ints.buffer)
+  return base64url.stringify(bytes, { pad: false });
 }
diff --git a/frontend/test/common/uvf.spec.ts b/frontend/test/common/uvf.spec.ts
index 9e9ff2ceb..c11809cae 100644
--- a/frontend/test/common/uvf.spec.ts
+++ b/frontend/test/common/uvf.spec.ts
@@ -1,13 +1,12 @@
 import { use as chaiUse, expect } from 'chai';
 import chaiAsPromised from 'chai-as-promised';
 import { before, describe } from 'mocha';
-import { VaultMetadataJWEAutomaticAccessGrantDto } from '../../src/common/backend';
 import { JWEParser } from '../../src/common/jwe';
-import { VaultMetadata } from '../../src/common/uvf';
+import { MetadataPayload, VaultMetadata, VaultMetadataJWEAutomaticAccessGrantDto } from '../../src/common/uvf';
 
 chaiUse(chaiAsPromised);
 
-describe('Vault Format 8', () => {
+describe('Universal Vault Format', () => {
 
   before(async () => {
     // since this test runs on Node, we need to replace window.crypto:
@@ -16,7 +15,7 @@ describe('Vault Format 8', () => {
     global.window = { crypto: global.crypto };
   });
 
-  describe('VaultMetadata', () => {
+  describe('Vault Metadata', () => {
     // TODO review @sebi what else should we test?
     it('encryptWithMasterKey() and decryptWithMasterKey()', async () => {
       const uvfMasterKey = await crypto.subtle.generateKey(
@@ -25,20 +24,28 @@ describe('Vault Format 8', () => {
         ['wrapKey', 'unwrapKey']
       );
       const automaticAccessGrant: VaultMetadataJWEAutomaticAccessGrantDto = {
-        "enabled": true,
-        "maxWotDepth": -1
+        enabled: true,
+        maxWotDepth: -1
       }
       const orig = await VaultMetadata.create(automaticAccessGrant);
       expect(orig).to.be.not.null;
+      expect(orig.seeds.get(orig.initialSeedId)).to.not.be.undefined
+      expect(orig.seeds.get(orig.initialSeedId)!.length).to.eq(32)
+      expect(orig.initialSeedId).to.eq(orig.latestSeedId)
+      expect(orig.kdfSalt.length).to.eq(32)
       const jwe: string = await orig.encryptWithMasterKey(uvfMasterKey);
       expect(jwe).to.be.not.null;
       const decrypted: VaultMetadata = await VaultMetadata.decryptWithMasterKey(jwe, uvfMasterKey);
-      expect(JSON.stringify(decrypted.automaticAccessGrant)).to.eq(JSON.stringify(automaticAccessGrant));
-      const decryptedRaw: any = await JWEParser.parse(jwe).decryptA256kw(uvfMasterKey);
-      expect(decryptedRaw.fileFormat).to.eq("AES-256-GCM-32k");
-      expect(decryptedRaw.latestFileKey).to.eq(orig.latestFileKey);
-      expect(decryptedRaw.nameKey).to.eq(orig.nameKey);
-      expect(decryptedRaw.kdf).to.eq("1STEP-HMAC-SHA512");
+      expect(decrypted.seeds).to.deep.eq(orig.seeds)
+      expect(decrypted.initialSeedId).to.eq(orig.initialSeedId)
+      expect(decrypted.latestSeedId).to.eq(orig.latestSeedId)
+      expect(decrypted.automaticAccessGrant).to.deep.eq(automaticAccessGrant);
+      const decryptedRaw: MetadataPayload = await JWEParser.parse(jwe).decryptA256kw(uvfMasterKey);
+      expect(decryptedRaw.fileFormat).to.eq('AES-256-GCM-32k');
+      expect(decryptedRaw.initialSeed).to.eq(decryptedRaw.latestSeed);
+      expect(decryptedRaw.seeds[decryptedRaw.initialSeed]).to.be.not.empty;
+      expect(decryptedRaw.kdf).to.eq('HKDF-SHA512');
+      expect(decryptedRaw.kdfSalt).to.be.not.empty
       expect(decryptedRaw['org.cryptomator.automaticAccessGrant']).to.deep.eq(automaticAccessGrant);
     });
   });

From 3f77d16e2936dbda9311f99a4f0e18da6f8ab3e3 Mon Sep 17 00:00:00 2001
From: Sebastian Stenzel <sebastian.stenzel@skymatic.de>
Date: Thu, 25 Apr 2024 22:10:23 +0200
Subject: [PATCH 08/94] new JWE API supporting compact and JSON format

---
 frontend/src/common/crypto.ts                 |  16 +-
 frontend/src/common/jwe.ts                    | 480 ++++++++++++------
 frontend/src/common/uvf.ts                    |   7 +-
 frontend/src/common/vaultv8.ts                |   7 +-
 frontend/src/components/InitialSetup.vue      |   4 +-
 frontend/src/components/ManageSetupCode.vue   |   4 +-
 .../components/RegenerateSetupCodeDialog.vue  |   4 +-
 frontend/test/common/jwe.spec.ts              |  87 +++-
 frontend/test/common/uvf.spec.ts              |   4 +-
 9 files changed, 424 insertions(+), 189 deletions(-)

diff --git a/frontend/src/common/crypto.ts b/frontend/src/common/crypto.ts
index 522a20580..58053412a 100644
--- a/frontend/src/common/crypto.ts
+++ b/frontend/src/common/crypto.ts
@@ -1,5 +1,5 @@
 import { base16, base64 } from 'rfc4648';
-import { JWEBuilder, JWEParser } from './jwe';
+import { JWE, Recipient } from './jwe';
 import { DB } from './util';
 
 
@@ -50,7 +50,7 @@ export class UserKeys {
    * @throws {UnwrapKeyError} when attempting to decrypt the private key using an incorrect setupCode
    */
   public static async recover(encodedPublicKey: string, encryptedPrivateKey: string, setupCode: string): Promise<UserKeys> {
-    const jwe: UserKeysJWEPayload = await JWEParser.parse(encryptedPrivateKey).decryptPbes2(setupCode);
+    const jwe: UserKeysJWEPayload = await JWE.parseCompact(encryptedPrivateKey).decrypt(Recipient.pbes2('org.cryptomator.hub.setupCode', setupCode));
     const decodedPublicKey = base64.parse(encodedPublicKey, { loose: true });
     const decodedPrivateKey = base64.parse(jwe.key, { loose: true });
     const privateKey = crypto.subtle.importKey('pkcs8', decodedPrivateKey, UserKeys.KEY_DESIGNATION, true, UserKeys.KEY_USAGES);
@@ -71,7 +71,7 @@ export class UserKeys {
    * Encrypts the user's private key using a key derived from the given setupCode
    * @param setupCode The password to protect the private key.
    * @returns A JWE holding the encrypted private key
-   * @see JWEBuilder.pbes2
+   * @see Recipient.pbes2
    */
   public async encryptedPrivateKey(setupCode: string): Promise<string> {
     const rawkey = new Uint8Array(await crypto.subtle.exportKey('pkcs8', this.keyPair.privateKey));
@@ -79,7 +79,8 @@ export class UserKeys {
       const payload: UserKeysJWEPayload = {
         key: base64.stringify(rawkey)
       };
-      return await JWEBuilder.pbes2(setupCode).encrypt(payload);
+      const jwe = await JWE.build(payload).encrypt(Recipient.pbes2('org.cryptomator.hub.setupCode', setupCode));
+      return jwe.compactSerialization();
     } finally {
       rawkey.fill(0x00);
     }
@@ -89,7 +90,7 @@ export class UserKeys {
    * Encrypts the user's private key using the given public key
    * @param devicePublicKey The device's public key (DER-encoded)
    * @returns a JWE containing the PKCS#8-encoded private key
-   * @see JWEBuilder.ecdhEs
+   * @see Recipient.ecdhEs
    */
   public async encryptForDevice(devicePublicKey: CryptoKey | Uint8Array): Promise<string> {
     const publicKey = await UserKeys.publicKey(devicePublicKey);
@@ -98,7 +99,8 @@ export class UserKeys {
       const payload: UserKeysJWEPayload = {
         key: base64.stringify(rawkey)
       };
-      return JWEBuilder.ecdhEs(publicKey).encrypt(payload);
+      const jwe = await JWE.build(payload).encrypt(Recipient.ecdhEs('org.cryptomator.hub.deviceKey', publicKey));
+      return jwe.compactSerialization();
     } finally {
       rawkey.fill(0x00);
     }
@@ -115,7 +117,7 @@ export class UserKeys {
     const publicKey = await UserKeys.publicKey(userPublicKey);
     let rawKey = new Uint8Array();
     try {
-      const payload: UserKeysJWEPayload = await JWEParser.parse(jwe).decryptEcdhEs(browserPrivateKey);
+      const payload: UserKeysJWEPayload = await JWE.parseCompact(jwe).decrypt(Recipient.ecdhEs('org.cryptomator.hub.deviceKey', browserPrivateKey));
       rawKey = base64.parse(payload.key);
       const privateKey = await crypto.subtle.importKey('pkcs8', rawKey, UserKeys.KEY_DESIGNATION, true, UserKeys.KEY_USAGES);
       return new UserKeys({ publicKey: publicKey, privateKey: privateKey });
diff --git a/frontend/src/common/jwe.ts b/frontend/src/common/jwe.ts
index ec0c33cdf..3509fb4a8 100644
--- a/frontend/src/common/jwe.ts
+++ b/frontend/src/common/jwe.ts
@@ -35,222 +35,372 @@ export class ConcatKDF {
   }
 }
 
-export type JWEHeader = {
-  readonly alg: 'ECDH-ES' | 'PBES2-HS512+A256KW' | 'A256KW',
-  readonly enc: 'A256GCM' | 'A128GCM', // A128GCM for testing only, as we use test vectors with 128 bit keys
-  readonly apu?: string,
-  readonly apv?: string,
-  readonly epk?: JsonWebKey,
-  readonly p2c?: number,
-  readonly p2s?: string
+type Header = {
+  kid?: string,
+  enc?: 'A256GCM' | 'A128GCM',
+  alg?: 'ECDH-ES' | 'ECDH-ES+A256KW' | 'PBES2-HS512+A256KW' | 'A256KW',
+  apu?: string,
+  apv?: string,
+  epk?: JsonWebKey,
+  p2c?: number,
+  p2s?: string,
+  [other: string]: undefined | string | number | boolean | object; // allow further properties
 }
 
+type PerRecipientProperties = {
+  encryptedKey: string;
+  header: Header;
+}
+
+export type JWEHeader = Header;
+
 export const ECDH_P384: EcKeyImportParams | EcKeyGenParams = {
   name: 'ECDH',
   namedCurve: 'P-384'
 };
 
-export class JWEParser {
-  readonly header: JWEHeader;
-  readonly encryptedKey: Uint8Array;
-  readonly iv: Uint8Array;
-  readonly ciphertext: Uint8Array;
-  readonly tag: Uint8Array;
+// #region Recipients
 
-  private constructor(readonly encodedHeader: string, readonly encodedEncryptedKey: string, readonly encodedIv: string, readonly encodedCiphertext: string, readonly encodedTag: string) {
-    const utf8dec = new TextDecoder();
-    this.header = JSON.parse(utf8dec.decode(base64url.parse(encodedHeader, { loose: true })));
-    this.encryptedKey = base64url.parse(encodedEncryptedKey, { loose: true });
-    this.iv = base64url.parse(encodedIv, { loose: true });
-    this.ciphertext = base64url.parse(encodedCiphertext, { loose: true });
-    this.tag = base64url.parse(encodedTag, { loose: true });
-  }
+export abstract class Recipient {
+
+  constructor(readonly kid: string) { };
 
   /**
-   * Decodes the JWE.
-   * @param jwe The JWE string
-   * @returns Decoded JWE, ready to decrypt.
+   * Encryptes a CEK using the recipient-specific `alg`.
+   * @param cek The CEK that is used to encrypt a JWE payload.
+   * @param commonHeader The protected and unprotected header (not per-recipient)
+   * @returns The encrypted CEK and per-recipient header parameters for the used `alg`.
    */
-  public static parse(jwe: string): JWEParser {
-    const [encodedHeader, encodedEncryptedKey, encodedIv, encodedCiphertext, encodedTag] = jwe.split('.', 5);
-    return new JWEParser(encodedHeader, encodedEncryptedKey, encodedIv, encodedCiphertext, encodedTag);
-  }
+  abstract encrypt(cek: CryptoKey, commonHeader: Header): Promise<PerRecipientProperties>;
 
   /**
-   * Decrypts the JWE, assuming alg == ECDH-ES, enc == A256GCM and keys on the P-384 curve.
-   * @param recipientPrivateKey The recipient's private key
-   * @returns Decrypted payload
+   * Decrypts the CEK using the recipient-specific `alg`.
+   * @param header JOSE header applicable for this recipient
+   * @param encryptedKey Encrypted CEK for this recipient
+   * @returns A non-extractable CEK suitable for decryption with AES-GCM.
+   * @throws {UnwrapKeyError} if decryption failed
    */
-  public async decryptEcdhEs(recipientPrivateKey: CryptoKey): Promise<any> {
-    if (this.header.alg != 'ECDH-ES' || this.header.enc != 'A256GCM' || !this.header.epk) {
-      throw new Error('unsupported alg or enc');
-    }
-    const ephemeralKey = await crypto.subtle.importKey('jwk', this.header.epk, ECDH_P384, false, []);
-    const cek = await ECDH_ES.deriveContentKey(ephemeralKey, recipientPrivateKey, 384, 32, this.header);
-    return this.decrypt(cek);
+  abstract decrypt(header: Header, encryptedKey: string): Promise<CryptoKey>;
+
+  /**
+   * Create a recipient using `alg: ECDH-ES+A256KW`. Also supports `ECDH-ES` with direct key agreement for decryption
+   * 
+   * @param kid The key ID used to distinguish multiple recipients
+   * @param recipientKey The recipients static public key for encryption or private key for decryption
+   * @param apu Optional information about the creator
+   * @param apv Optional information about the recipient
+   * @returns A new recipient
+   */
+  public static ecdhEs(kid: string, recipientKey: CryptoKey, apu: Uint8Array = new Uint8Array(), apv: Uint8Array = new Uint8Array()): Recipient {
+    return new EcdhRecipient(kid, recipientKey, apu, apv);
   }
 
   /**
-   * Decrypts the JWE, assuming alg == PBES2-HS512+A256KW and enc == A256GCM.
+   * Create a recipient using `alg: PBES2-HS512+A256KW`.
+   * 
+   * @param kid The key ID used to distinguish multiple recipients
    * @param password The password to feed into the KDF
-   * @returns Decrypted payload
-   * @throws {UnwrapKeyError} if decryption failed (wrong password?)
+   * @param iterations The PBKDF2 iteration count (defaults to {@link PBES2.DEFAULT_ITERATION_COUNT}) - ignored and read from the header's `p2c` value during decryption
+   * @returns A new recipient
+   */
+  public static pbes2(kid: string, password: string, iterations: number = PBES2.DEFAULT_ITERATION_COUNT): Recipient {
+    return new Pbes2Recipient(kid, password, iterations);
+  }
+
+  /**
+   * Create a recipient using `alg: A256KW`.
+   * 
+   * @param kid The key ID used to distinguish multiple recipients
+   * @param wrappingKey The key used to wrap the CEK
+   * @returns A new recipient
    */
-  public async decryptPbes2(password: string): Promise<any> {
-    if (this.header.alg != 'PBES2-HS512+A256KW' || this.header.enc != 'A256GCM' || !this.header.p2s || !this.header.p2c) {
-      throw new Error('unsupported alg or enc');
+  public static a256kw(kid: string, wrappingKey: CryptoKey): Recipient {
+    return new A256kwRecipient(kid, wrappingKey);
+  }
+
+}
+
+class EcdhRecipient extends Recipient {
+
+  constructor(readonly kid: string, private recipientKey: CryptoKey, private apu: Uint8Array = new Uint8Array(), private apv: Uint8Array = new Uint8Array()) {
+    super(kid);
+  }
+
+  async encrypt(cek: CryptoKey, commonHeader: Header): Promise<PerRecipientProperties> {
+    if (this.recipientKey.type !== 'public') {
+      throw new Error('Recipient public key required.');
     }
-    const saltInput = base64url.parse(this.header.p2s, { loose: true });
-    const wrappingKey = await PBES2.deriveWrappingKey(password, this.header.alg, saltInput, this.header.p2c);
+    const ephemeralKey = await crypto.subtle.generateKey(ECDH_P384, false, ['deriveBits']);
+    const header: Header = {
+      ...commonHeader,
+      alg: 'ECDH-ES+A256KW',
+      epk: await crypto.subtle.exportKey('jwk', ephemeralKey.publicKey),
+      apu: base64url.stringify(this.apu, { pad: false }),
+      apv: base64url.stringify(this.apv, { pad: false })
+    };
+    const wrappingKey = await ECDH_ES.deriveKey(this.recipientKey, ephemeralKey.privateKey, 384, 32, header, false, { name: 'AES-KW', length: 256 }, ['wrapKey']);
+    const encryptedKey = new Uint8Array(await crypto.subtle.wrapKey('raw', cek, wrappingKey, 'AES-KW'));
+    return {
+      header: header,
+      encryptedKey: base64url.stringify(encryptedKey, { pad: false })
+    }
+  }
+
+  async decrypt(header: Header, encryptedKey: string): Promise<CryptoKey> {
+    if (this.recipientKey.type !== 'private') {
+      throw new Error('Recipient private key required.');
+    }
+    if (header.alg === 'ECDH-ES' && header.epk) {
+      return this.decryptDirect(header, { name: 'AES-GCM', length: 256 }, ['decrypt']);
+    } else if (header.alg === 'ECDH-ES+A256KW' && header.epk) {
+      return this.decryptAndUnwrap(header, encryptedKey);
+    } else {
+      throw new Error('Missing or invalid header parameters.');
+    }
+  }
+
+  async decryptDirect(header: Header, keyAlgorithm: AesKeyAlgorithm, keyUsage: KeyUsage[]): Promise<CryptoKey> {
+    let keyBits: number;
+    switch (header.epk!.crv) {
+      case 'P-256':
+        keyBits = 256;
+        break;
+      case 'P-384':
+        keyBits = 384;
+        break;
+      default:
+        throw new Error('Unsupported curve');
+    }
+    const epk = await crypto.subtle.importKey('jwk', header.epk!, { name: 'ECDH', namedCurve: header.epk?.crv }, false, []);
+    return ECDH_ES.deriveKey(epk, this.recipientKey, keyBits, 32, header, false, keyAlgorithm, keyUsage);
+  }
+
+  async decryptAndUnwrap(header: Header, encryptedKey: string): Promise<CryptoKey> {
+    const wrappingKey = await this.decryptDirect(header, { name: 'AES-KW', length: 256 }, ['unwrapKey']);
     try {
-      const cek = crypto.subtle.unwrapKey('raw', this.encryptedKey, wrappingKey, 'AES-KW', { name: 'AES-GCM', length: 256 }, false, ['decrypt']);
-      return this.decrypt(await cek);
+      return await crypto.subtle.unwrapKey('raw', base64url.parse(encryptedKey, { loose: true }), wrappingKey, 'AES-KW', { name: 'AES-GCM' }, false, ['decrypt']);
     } catch (error) {
       throw new UnwrapKeyError(error);
     }
   }
 
-  /**
-   * Decrypts the JWE, assuming alg == A256KW and enc == A256GCM.
-   * @param kek The key used to wrap the CEK
-   * @returns Decrypted payload
-   * @throws {UnwrapKeyError} if decryption failed (wrong kek?)
-   */
-  public async decryptA256kw(kek: CryptoKey): Promise<any> {
-    if (this.header.alg != 'A256KW' || this.header.enc != 'A256GCM') {
-      throw new Error('unsupported alg or enc');
+}
+
+class A256kwRecipient extends Recipient {
+
+  constructor(readonly kid: string, private wrappingKey: CryptoKey) {
+    super(kid);
+  }
+
+  async encrypt(cek: CryptoKey, commonHeader: Header): Promise<PerRecipientProperties> {
+    const header: Header = {
+      ...commonHeader,
+      alg: 'A256KW',
+      enc: 'A256GCM'
+    };
+    const encryptedKey = new Uint8Array(await crypto.subtle.wrapKey('raw', cek, this.wrappingKey, 'AES-KW'));
+    return {
+      header: header,
+      encryptedKey: base64url.stringify(encryptedKey, { pad: false })
+    }
+  }
+
+  async decrypt(header: Header, encryptedKey: string): Promise<CryptoKey> {
+    if (header.alg != 'A256KW') {
+      throw new Error('unsupported alg');
     }
     try {
-      const cek = crypto.subtle.unwrapKey('raw', this.encryptedKey, kek, 'AES-KW', { name: 'AES-GCM', length: 256 }, false, ['decrypt']);
-      return this.decrypt(await cek);
+      return await crypto.subtle.unwrapKey('raw', base64url.parse(encryptedKey, { loose: true }), this.wrappingKey, 'AES-KW', { name: 'AES-GCM' }, false, ['decrypt']);
     } catch (error) {
       throw new UnwrapKeyError(error);
     }
   }
 
-  private async decrypt(cek: CryptoKey): Promise<any> {
+}
+
+class Pbes2Recipient extends Recipient {
+
+  constructor(readonly kid: string, private password: string, private iterations: number) {
+    super(kid);
+  }
+
+  async encrypt(cek: CryptoKey, commonHeader: Header): Promise<PerRecipientProperties> {
+    const salt = crypto.getRandomValues(new Uint8Array(16));
+    const header: Header = {
+      ...commonHeader,
+      kid: this.kid,
+      alg: 'PBES2-HS512+A256KW',
+      p2c: this.iterations,
+      p2s: base64url.stringify(salt, { pad: false })
+    };
+    const wrappingKey = PBES2.deriveWrappingKey(this.password, 'PBES2-HS512+A256KW', salt, this.iterations);
+    const encryptedKey = new Uint8Array(await crypto.subtle.wrapKey('raw', cek, await wrappingKey, 'AES-KW'));
+    return {
+      header: header,
+      encryptedKey: base64url.stringify(encryptedKey, { pad: false })
+    }
+  }
+
+  async decrypt(header: Header, encryptedKey: string): Promise<CryptoKey> {
+    if (header.alg != 'PBES2-HS512+A256KW' || !header.p2s || !header.p2c) {
+      throw new Error('Missing or invalid header parameters.');
+    }
+    const salt = base64url.parse(header.p2s!, { loose: true });
+    const wrappingKey = await PBES2.deriveWrappingKey(this.password, 'PBES2-HS512+A256KW', salt, header.p2c!);
+    try {
+      return await crypto.subtle.unwrapKey('raw', base64url.parse(encryptedKey, { loose: true }), wrappingKey, 'AES-KW', { name: 'AES-GCM' }, false, ['decrypt']);
+    } catch (error) {
+      throw new UnwrapKeyError(error);
+    }
+  }
+
+}
+
+// #endregion
+// #region JWE
+
+export class JWE {
+
+  private constructor(private payload: object) { }
+
+  public static build(payload: object): JWE {
+    return new JWE(payload);
+  }
+
+  public static parseCompact(token: string): EncryptedJWE {
+    const [protectedHeader, encryptedKey, iv, ciphertext, tag] = token.split('.', 5);
+    const utf8 = new TextDecoder();
+    const header: Header = JSON.parse(utf8.decode(base64url.parse(protectedHeader, { loose: true })));
+
+    return new EncryptedJWE(protectedHeader, [{ encryptedKey: encryptedKey, header: header }], iv, ciphertext, tag);
+  }
+
+  public static parseJson(jwe: any): EncryptedJWE { // TODO: json:
+    if (!jwe.protected || !jwe.recipients || !jwe.iv || !jwe.ciphertext || !jwe.tag) {
+      throw new Error('Malformed JWE');
+    }
+    return new EncryptedJWE(jwe.protected, jwe.recipients, jwe.iv, jwe.ciphertext, jwe.tag);
+  }
+
+  public async encrypt(recipient: Recipient, ...moreRecipients: Recipient[]): Promise<EncryptedJWE> {
+    let protectedHeader: Header = {
+      enc: 'A256GCM'
+    }
+    const cek = await crypto.subtle.generateKey({ name: 'AES-GCM', length: 256 }, true, ['encrypt']);
+    const iv = crypto.getRandomValues(new Uint8Array(12));
+    const recipients = await Promise.all([recipient, ...moreRecipients].map(r => r.encrypt(cek, protectedHeader)));
+
+    if (recipients.length === 1) {
+      protectedHeader = recipients[0].header;
+    } else {
+      protectedHeader = {
+        enc: recipients[0].header.enc
+      }
+    }
+
     const utf8enc = new TextEncoder();
-    const m = new Uint8Array(this.ciphertext.length + this.tag.length);
-    m.set(this.ciphertext, 0);
-    m.set(this.tag, this.ciphertext.length);
-    const payloadJson = new Uint8Array(await crypto.subtle.decrypt(
+    const encodedProtectedHeader = base64url.stringify(utf8enc.encode(JSON.stringify(protectedHeader)), { pad: false });
+    const m = utf8enc.encode(JSON.stringify(this.payload));
+    const ciphertextAndTag = new Uint8Array(await crypto.subtle.encrypt(
       {
         name: 'AES-GCM',
-        iv: this.iv,
-        additionalData: utf8enc.encode(this.encodedHeader),
+        iv: iv,
+        additionalData: utf8enc.encode(encodedProtectedHeader),
         tagLength: 128
       },
       cek,
       m
     ));
-    return JSON.parse(new TextDecoder().decode(payloadJson));
+    console.assert(m.byteLength > 16, 'result of GCM encryption expected to contain 128bit tag');
+    const ciphertext = ciphertextAndTag.slice(0, m.byteLength - 16);
+    const tag = ciphertextAndTag.slice(m.byteLength - 16);
+
+    const encodedIv = base64url.stringify(iv, { pad: false });
+    const encodedCiphertext = base64url.stringify(ciphertext, { pad: false });
+    const encodedTag = base64url.stringify(tag, { pad: false });
+    return new EncryptedJWE(encodedProtectedHeader, recipients, encodedIv, encodedCiphertext, encodedTag)
   }
+
 }
 
-export class JWEBuilder {
-  private constructor(readonly header: Promise<JWEHeader>, readonly encryptedKey: Promise<Uint8Array>, readonly cek: Promise<CryptoKey>) { }
 
-  /**
-   * Prepares a new JWE using alg: ECDH-ES and enc: A256GCM.
-   * 
-   * @param recipientPublicKey Static public key of the JWE's recipient
-   * @param apu Optional information about the creator
-   * @param apv Optional information about the recipient
-   * @returns A new JWEBuilder ready to encrypt the payload
-   */
-  public static ecdhEs(recipientPublicKey: CryptoKey, apu: Uint8Array = new Uint8Array(), apv: Uint8Array = new Uint8Array()): JWEBuilder {
-    /* key agreement and header params described in RFC 7518, Section 4.6: */
-    const ephemeralKey = crypto.subtle.generateKey(ECDH_P384, false, ['deriveBits']);
-    const header = (async () => <JWEHeader>{
-      alg: 'ECDH-ES',
-      enc: 'A256GCM',
-      epk: await crypto.subtle.exportKey('jwk', (await ephemeralKey).publicKey),
-      apu: base64url.stringify(apu, { pad: false }),
-      apv: base64url.stringify(apv, { pad: false })
-    })();
-    const encryptedKey = (async () => Uint8Array.of())(); // empty for Direct Key Agreement as per spec
-    const cek = (async () => ECDH_ES.deriveContentKey(recipientPublicKey, (await ephemeralKey).privateKey, 384, 32, await header))();
-    return new JWEBuilder(header, encryptedKey, cek);
+// visible for testing
+export class EncryptedJWE {
+
+  constructor(private protectedHeader: string, private perRecipient: PerRecipientProperties[], private iv: string, private ciphertext: string, private tag: string) {
+    if (perRecipient.length < 1) {
+      throw new Error('Expected at least one recipient.');
+    }
   }
 
-  /**
-   * Prepares a new JWE using alg: PBES2-HS512+A256KW and enc: A256GCM.
-   * 
-   * @param password The password to feed into the KDF
-   * @param iterations The PBKDF2 iteration count (defaults to {@link PBES2.DEFAULT_ITERATION_COUNT} )
-   * @param apu Optional information about the creator
-   * @param apv Optional information about the recipient
-   * @returns A new JWEBuilder ready to encrypt the payload
-   */
-  public static pbes2(password: string, iterations: number = PBES2.DEFAULT_ITERATION_COUNT, apu: Uint8Array = new Uint8Array(), apv: Uint8Array = new Uint8Array()): JWEBuilder {
-    const saltInput = crypto.getRandomValues(new Uint8Array(16));
-    const header = (async () => <JWEHeader>{
-      alg: 'PBES2-HS512+A256KW',
-      enc: 'A256GCM',
-      p2s: base64url.stringify(saltInput, { pad: false }),
-      p2c: iterations,
-      apu: base64url.stringify(apu, { pad: false }),
-      apv: base64url.stringify(apv, { pad: false })
-    })();
-    const wrappingKey = PBES2.deriveWrappingKey(password, 'PBES2-HS512+A256KW', saltInput, iterations);
-    const cek = crypto.subtle.generateKey({ name: 'AES-GCM', length: 256 }, true, ['encrypt']);
-    const encryptedKey = (async () => new Uint8Array(await crypto.subtle.wrapKey('raw', await cek, await wrappingKey, 'AES-KW')))();
-    return new JWEBuilder(header, encryptedKey, cek);
+  public jsonSerialization(): any {
+    if (this.perRecipient.length < 1) {
+      throw new Error('JWE JSON Serialization requires at least one recipient.');
+    }
+    const recipients = this.perRecipient.map(r => ({
+      header: r.header,
+      encrypted_key: r.encryptedKey
+    }));
+
+    return {
+      protected: this.protectedHeader,
+      recipients: recipients,
+      iv: this.iv,
+      ciphertext: this.ciphertext,
+      tag: this.tag
+    };
   }
 
-  /**
-   * Prepares a new JWE using alg: A256KW and enc: A256GCM.
-   * 
-   * @param kek The key used to wrap the CEK
-   * @returns A new JWEBuilder ready to encrypt the payload
-   */
-  public static a256kw(kek: CryptoKey): JWEBuilder {
-    const header = (async () => <JWEHeader>{
-      alg: 'A256KW',
-      enc: 'A256GCM'
-    })();
-    const cek = crypto.subtle.generateKey({ name: 'AES-GCM', length: 256 }, true, ['encrypt']);
-    const encryptedKey = (async () => new Uint8Array(await crypto.subtle.wrapKey('raw', await cek, kek, 'AES-KW')))();
-    return new JWEBuilder(header, encryptedKey, cek);
+  public compactSerialization(): string {
+    if (this.perRecipient.length !== 1) {
+      throw new Error('JWE Compact Serialization requires exactly one recipient.');
+    }
+    return `${this.protectedHeader}.${this.perRecipient[0].encryptedKey}.${this.iv}.${this.ciphertext}.${this.tag}`;
   }
 
-  /**
-   * Builds the JWE.
-   * @param payload Payload to be encrypted
-   * @returns The JWE
-   */
-  public async encrypt(payload: object) {
+  public async decrypt(recipient: Recipient): Promise<any> {
+    const utf8dec = new TextDecoder();
     const utf8enc = new TextEncoder();
-
-    /* JWE assembly and content encryption described in RFC 7516: */
-    const encodedHeader = base64url.stringify(utf8enc.encode(JSON.stringify(await this.header)), { pad: false });
-    const iv = crypto.getRandomValues(new Uint8Array(12));
-    const encodedIv = base64url.stringify(iv, { pad: false });
-    const encodedEncryptedKey = base64url.stringify(await this.encryptedKey, { pad: false });
-    const m = new Uint8Array(await crypto.subtle.encrypt(
+    const protectedHeader: Header = JSON.parse(utf8dec.decode(base64url.parse(this.protectedHeader, { loose: true })));
+    const perRecipientData = (this.perRecipient.length === 1)
+      ? this.perRecipient[0]
+      : this.perRecipientWithKid(recipient.kid);
+    const combinedHeader: Header = { ...perRecipientData.header, ...protectedHeader };
+    const cek = await recipient.decrypt(combinedHeader, perRecipientData.encryptedKey);
+    const ciphertext = base64url.parse(this.ciphertext, { loose: true })
+    const tag = base64url.parse(this.tag, { loose: true });
+    const ciphertextAndTag = new Uint8Array([...ciphertext, ...tag]);
+    const cleartext = new Uint8Array(await crypto.subtle.decrypt(
       {
         name: 'AES-GCM',
-        iv: iv,
-        additionalData: utf8enc.encode(encodedHeader),
+        iv: base64url.parse(this.iv, { loose: true }),
+        additionalData: utf8enc.encode(this.protectedHeader),
         tagLength: 128
       },
-      await this.cek,
-      utf8enc.encode(JSON.stringify(payload))
+      cek,
+      ciphertextAndTag
     ));
-    console.assert(m.byteLength > 16, 'result of GCM encryption expected to contain 128bit tag');
-    const ciphertext = m.slice(0, m.byteLength - 16);
-    const tag = m.slice(m.byteLength - 16);
-    const encodedCiphertext = base64url.stringify(ciphertext, { pad: false });
-    const encodedTag = base64url.stringify(tag, { pad: false });
-    return `${encodedHeader}.${encodedEncryptedKey}.${encodedIv}.${encodedCiphertext}.${encodedTag}`;
+    return JSON.parse(utf8dec.decode(cleartext));
+  }
+
+  private perRecipientWithKid(kid: string): PerRecipientProperties {
+    const result = this.perRecipient.find(r => r.header.kid === kid);
+    if (result) {
+      return result;
+    } else {
+      throw new Error(`JWE does not contain recipient with kid: ${kid}`);
+    }
   }
+
 }
 
+// #endregion
+// #region Utilities
+
 // visible for testing
 export class ECDH_ES {
-  public static async deriveContentKey(publicKey: CryptoKey, privateKey: CryptoKey, ecdhKeyBits: number, desiredKeyBytes: number, header: JWEHeader, exportable: boolean = false): Promise<CryptoKey> {
+  private static async deriveRawKey(publicKey: CryptoKey, privateKey: CryptoKey, ecdhKeyBits: number, desiredKeyBytes: number, header: JWEHeader): Promise<Uint8Array> {
     let agreedKey = new Uint8Array();
-    let derivedKey = new Uint8Array();
     try {
       const algorithmId = ECDH_ES.lengthPrefixed(new TextEncoder().encode(header.enc));
       const partyUInfo = ECDH_ES.lengthPrefixed(base64url.parse(header.apu || '', { loose: true }));
@@ -266,14 +416,30 @@ export class ECDH_ES {
         ecdhKeyBits
       ));
       const otherInfo = new Uint8Array([...algorithmId, ...partyUInfo, ...partyVInfo, ...new Uint8Array(suppPubInfo)]);
-      derivedKey = await ConcatKDF.kdf(new Uint8Array(agreedKey), desiredKeyBytes, otherInfo);
-      return crypto.subtle.importKey('raw', derivedKey, { name: 'AES-GCM', length: desiredKeyBytes * 8 }, exportable, ['encrypt', 'decrypt']);
+      return ConcatKDF.kdf(new Uint8Array(agreedKey), desiredKeyBytes, otherInfo);
     } finally {
-      derivedKey.fill(0x00);
       agreedKey.fill(0x00);
     }
   }
 
+  public static async deriveKey(publicKey: CryptoKey, privateKey: CryptoKey, ecdhKeyBits: number, desiredKeyBytes: number, header: JWEHeader, exportable: boolean, algorithm: AesKeyAlgorithm, usage: KeyUsage[]): Promise<CryptoKey> {
+    let derivedKey = new Uint8Array();
+    try {
+      derivedKey = await this.deriveRawKey(publicKey, privateKey, ecdhKeyBits, desiredKeyBytes, header);
+      return crypto.subtle.importKey('raw', derivedKey, algorithm, exportable, usage);
+    } finally {
+      derivedKey.fill(0x00);
+    }
+  }
+
+  public static async deriveContentKey(publicKey: CryptoKey, privateKey: CryptoKey, ecdhKeyBits: number, desiredKeyBytes: number, header: JWEHeader, exportable: boolean = false): Promise<CryptoKey> {
+    return this.deriveKey(publicKey, privateKey, ecdhKeyBits, desiredKeyBytes, header, exportable, { name: 'AES-GCM', length: desiredKeyBytes * 8 }, ['encrypt', 'decrypt']);
+  }
+
+  public static async deriveWrappingKey(publicKey: CryptoKey, privateKey: CryptoKey, ecdhKeyBits: number, desiredKeyBytes: number, header: JWEHeader, exportable: boolean = false): Promise<CryptoKey> {
+    return this.deriveKey(publicKey, privateKey, ecdhKeyBits, desiredKeyBytes, header, exportable, { name: 'AES-KW', length: desiredKeyBytes * 8 }, ['wrapKey', 'unwrapKey']);
+  }
+
   public static lengthPrefixed(data: Uint8Array): Uint8Array {
     const result = new Uint8Array(4 + data.byteLength);
     new DataView(result.buffer, 0, 4).setUint32(0, data.byteLength, false);
@@ -325,3 +491,5 @@ export class PBES2 {
     );
   }
 }
+
+// #endregion
diff --git a/frontend/src/common/uvf.ts b/frontend/src/common/uvf.ts
index f4477956f..4b471c3df 100644
--- a/frontend/src/common/uvf.ts
+++ b/frontend/src/common/uvf.ts
@@ -1,5 +1,5 @@
 import { base64url } from 'rfc4648';
-import { JWEBuilder, JWEParser } from './jwe';
+import { JWE, Recipient } from './jwe';
 
 export type MetadataPayload = {
   fileFormat: 'AES-256-GCM-32k';
@@ -57,7 +57,7 @@ export class VaultMetadata {
    * @returns vault metadata
    */
   public static async decryptWithMasterKey(jwe: string, masterKey: CryptoKey): Promise<VaultMetadata> {
-    const payload = await JWEParser.parse(jwe).decryptA256kw(masterKey);
+    const payload = await JWE.parseCompact(jwe).decrypt(Recipient.a256kw('org.cryptomator.hub.masterkey', masterKey));
     const encodedSeeds: Record<string, string> = payload['seeds'];
     const seeds = new Map<number, Uint8Array>();
     for (const key in encodedSeeds) {
@@ -99,7 +99,8 @@ export class VaultMetadata {
       kdfSalt: base64url.stringify(this.kdfSalt, { pad: false }),
       'org.cryptomator.automaticAccessGrant': this.automaticAccessGrant
     }
-    return JWEBuilder.a256kw(masterKey).encrypt(payload);
+    const jwe = await JWE.build(payload).encrypt(Recipient.a256kw('org.cryptomator.hub.masterkey', masterKey));
+    return jwe.compactSerialization();
   }
 
 }
diff --git a/frontend/src/common/vaultv8.ts b/frontend/src/common/vaultv8.ts
index 79b25672a..6f0d1ef0f 100644
--- a/frontend/src/common/vaultv8.ts
+++ b/frontend/src/common/vaultv8.ts
@@ -1,7 +1,7 @@
 import * as miscreant from 'miscreant';
 import { base32, base64, base64url } from 'rfc4648';
 import { GCM_NONCE_LEN, UnwrapKeyError, UserKeys } from './crypto';
-import { JWEBuilder, JWEParser } from './jwe';
+import { JWE, Recipient } from './jwe';
 import { CRC32, wordEncoder } from './util';
 
 interface JWEPayload {
@@ -67,7 +67,7 @@ export class VaultKeys {
   public static async decryptWithUserKey(jwe: string, userPrivateKey: CryptoKey): Promise<VaultKeys> {
     let rawKey = new Uint8Array();
     try {
-      const payload: JWEPayload = await JWEParser.parse(jwe).decryptEcdhEs(userPrivateKey);
+      const payload: JWEPayload = await JWE.parseCompact(jwe).decrypt(Recipient.ecdhEs('org.cryptomator.hub.userKey', userPrivateKey));
       rawKey = base64.parse(payload.key);
       const masterKey = crypto.subtle.importKey('raw', rawKey, VaultKeys.MASTERKEY_KEY_DESIGNATION, true, ['sign']);
       return new VaultKeys(await masterKey);
@@ -219,7 +219,8 @@ export class VaultKeys {
       const payload: JWEPayload = {
         key: base64.stringify(rawkey),
       };
-      return JWEBuilder.ecdhEs(publicKey).encrypt(payload);
+      const jwe = await JWE.build(payload).encrypt(Recipient.ecdhEs('org.cryptomator.hub.userKey', publicKey));
+      return jwe.compactSerialization();
     } finally {
       rawkey.fill(0x00);
     }
diff --git a/frontend/src/components/InitialSetup.vue b/frontend/src/components/InitialSetup.vue
index 4ef3ba60f..e0ce92a7a 100644
--- a/frontend/src/components/InitialSetup.vue
+++ b/frontend/src/components/InitialSetup.vue
@@ -192,7 +192,7 @@ import { nextTick, onMounted, ref } from 'vue';
 import { useI18n } from 'vue-i18n';
 import backend, { UserDto } from '../common/backend';
 import { BrowserKeys, UnwrapKeyError, UserKeys } from '../common/crypto';
-import { JWEBuilder } from '../common/jwe';
+import { JWE, Recipient } from '../common/jwe';
 import { debounce } from '../common/util';
 import router from '../router';
 import FetchError from './FetchError.vue';
@@ -266,7 +266,7 @@ async function createUserKey() {
     const userKeys = await UserKeys.create();
     me.value.publicKey = await userKeys.encodedPublicKey();
     me.value.privateKey = await userKeys.encryptedPrivateKey(setupCode.value);
-    me.value.setupCode = await JWEBuilder.ecdhEs(userKeys.keyPair.publicKey).encrypt({ setupCode: setupCode.value });
+    me.value.setupCode = (await JWE.build({ setupCode: setupCode.value }).encrypt(Recipient.ecdhEs('org.cryptomator.hub.userKey', userKeys.keyPair.publicKey))).compactSerialization();
     const browserKeys = await createBrowserKeys(me.value.id);
     await submitBrowserKeys(browserKeys, me.value, userKeys);
 
diff --git a/frontend/src/components/ManageSetupCode.vue b/frontend/src/components/ManageSetupCode.vue
index 9837cf488..20591190f 100644
--- a/frontend/src/components/ManageSetupCode.vue
+++ b/frontend/src/components/ManageSetupCode.vue
@@ -51,7 +51,7 @@ import { nextTick, onMounted, ref } from 'vue';
 import { useI18n } from 'vue-i18n';
 import backend from '../common/backend';
 import { BrowserKeys, UserKeys } from '../common/crypto';
-import { JWEParser } from '../common/jwe';
+import { JWE, Recipient } from '../common/jwe';
 import { debounce } from '../common/util';
 import FetchError from './FetchError.vue';
 import RegenerateSetupCodeDialog from './RegenerateSetupCodeDialog.vue';
@@ -84,7 +84,7 @@ async function fetchData() {
       throw new Error('Device not initialized.');
     }
     const userKeys = await UserKeys.decryptOnBrowser(myDevice.userPrivateKey, browserKeys.keyPair.privateKey, base64.parse(me.publicKey));
-    const payload : { setupCode: string } = await JWEParser.parse(me.setupCode).decryptEcdhEs(userKeys.keyPair.privateKey);
+    const payload : { setupCode: string } = await JWE.parseCompact(me.setupCode).decrypt(Recipient.ecdhEs('org.cryptomator.hub.userKey', userKeys.keyPair.privateKey));
     setupCode.value = payload.setupCode;
   } catch (error) {
     console.error('Retrieving setup code failed.', error);
diff --git a/frontend/src/components/RegenerateSetupCodeDialog.vue b/frontend/src/components/RegenerateSetupCodeDialog.vue
index fce75f43e..715584165 100644
--- a/frontend/src/components/RegenerateSetupCodeDialog.vue
+++ b/frontend/src/components/RegenerateSetupCodeDialog.vue
@@ -104,7 +104,7 @@ import { computed, ref } from 'vue';
 import { useI18n } from 'vue-i18n';
 import backend from '../common/backend';
 import { BrowserKeys, UserKeys } from '../common/crypto';
-import { JWEBuilder } from '../common/jwe';
+import { JWE, Recipient } from '../common/jwe';
 import { debounce } from '../common/util';
 
 enum State {
@@ -167,7 +167,7 @@ async function regenerateSetupCode() {
     const newCode = crypto.randomUUID();
     const userKeys = await UserKeys.decryptOnBrowser(myDevice.userPrivateKey, browserKeys.keyPair.privateKey, base64.parse(me.publicKey));
     me.privateKey = await userKeys.encryptedPrivateKey(newCode);
-    me.setupCode = await JWEBuilder.ecdhEs(userKeys.keyPair.publicKey).encrypt({ setupCode: newCode });
+    me.setupCode = (await JWE.build({ setupCode: newCode }).encrypt(Recipient.ecdhEs('org.cryptomator.hub.userKey', userKeys.keyPair.publicKey))).compactSerialization();
     await backend.users.putMe(me);
     setupCode.value = newCode;
 
diff --git a/frontend/test/common/jwe.spec.ts b/frontend/test/common/jwe.spec.ts
index 0d0b73e1b..701f1731d 100644
--- a/frontend/test/common/jwe.spec.ts
+++ b/frontend/test/common/jwe.spec.ts
@@ -1,7 +1,7 @@
 import { expect } from 'chai';
 import { describe } from 'mocha';
-import { base64url } from 'rfc4648';
-import { ConcatKDF, ECDH_ES, ECDH_P384, JWEBuilder, JWEHeader, JWEParser, PBES2 } from '../../src/common/jwe';
+import { base64, base64url } from 'rfc4648';
+import { ConcatKDF, ECDH_ES, ECDH_P384, EncryptedJWE, JWE, JWEHeader, PBES2, Recipient } from '../../src/common/jwe';
 
 describe('JWE', () => {
   before(done => {
@@ -26,7 +26,53 @@ describe('JWE', () => {
     });
   });
 
-  describe('JWE using alg: ECDH-ES', () => {
+  describe('JWE serialization for single recipient', () => {
+    const jwe = new EncryptedJWE('protectedHeader', [{ encryptedKey: 'encryptedKey', header: { kid: 'alice' } }], 'iv', 'ciphertext', 'tag');
+
+    it('compactSerialization', () => {
+      const token = jwe.compactSerialization();
+
+      expect(token).to.eq('protectedHeader.encryptedKey.iv.ciphertext.tag');
+    });
+
+    it('jsonSerialization', () => {
+      const token = jwe.jsonSerialization();
+
+      expect(token.protected).to.eq('protectedHeader');
+      expect(token.iv).to.eq('iv');
+      expect(token.ciphertext).to.eq('ciphertext');
+      expect(token.tag).to.eq('tag');
+      expect(token.recipients[0].encrypted_key).to.eq('encryptedKey');
+      expect(token.recipients[0].header.kid).to.eq('alice');
+    });
+  });
+
+  describe('JWE serialization for multiple recipients', () => {
+    const recipients = [
+      { encryptedKey: 'encryptedKey1', header: { kid: 'alice' } },
+      { encryptedKey: 'encryptedKey2', header: { kid: 'bob' } }
+    ];
+    const jwe = new EncryptedJWE('protectedHeader', recipients, 'iv', 'ciphertext', 'tag');
+
+    it('compactSerialization', () => {
+      expect(jwe.compactSerialization).to.throw();
+    });
+
+    it('jsonSerialization', () => {
+      const token = jwe.jsonSerialization();
+
+      expect(token.protected).to.eq('protectedHeader');
+      expect(token.iv).to.eq('iv');
+      expect(token.ciphertext).to.eq('ciphertext');
+      expect(token.tag).to.eq('tag');
+      expect(token.recipients[0].encrypted_key).to.eq('encryptedKey1');
+      expect(token.recipients[0].header.kid).to.eq('alice');
+      expect(token.recipients[1].encrypted_key).to.eq('encryptedKey2');
+      expect(token.recipients[1].header.kid).to.eq('bob');
+    });
+  });
+
+  describe('JWE using alg: ECDH-ES+A256KW', () => {
     it('x = decrypt(encrypt(x, pubKey), privKey)', async () => {
       // pkcs8: ME8CAQAwEAYHKoZIzj0CAQYFK4EEACIEODA2AgEBBDEA6QybmBitf94veD5aCLr7nlkF5EZpaXHCfq1AXm57AKQyGOjTDAF9EQB28fMywTDQ:
       const publicKeyJwk: JsonWebKey = {
@@ -44,9 +90,21 @@ describe('JWE', () => {
 
       const orig = { hello: 'world' };
 
-      const jwe = await JWEBuilder.ecdhEs(recipientPublicKey).encrypt(orig);
+      const jwe = await JWE.build(orig).encrypt(Recipient.ecdhEs('alice', recipientPublicKey));
+
+      const decrypted = await jwe.decrypt(Recipient.ecdhEs('alice', recipientPrivateKey));
+      expect(decrypted).to.deep.eq(orig);
+    });
+
+    it('decrypt ECDH', async () => {
+      // JWE generated by https://dinochiesa.github.io/jwt/
+      const jwe = 'eyJhbGciOiJFQ0RILUVTIiwiZW5jIjoiQTI1NkdDTSIsImVwayI6eyJrdHkiOiJFQyIsImNydiI6IlAtMjU2IiwieCI6InpMYlRUN3M5d3lZeGpHdGZxeHVDQk81TTNTMTlNRzJHUGJzTlJhMFEwT2MiLCJ5IjoiTGpmVG9jLXpIcWRqcHA4VURPSl9aS1JLQ0FoSGpSSmFGS0FJbjdTR1RXdyJ9fQ..30WmoR8Qp1VA5NMr.TBRC30hVRwi_W_HIe03JWNY.zvfl5wQuG8vhUjhr1-f8jQ';
+      const rawRecipientPrivateKey = base64.parse('MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgzMoA2cm0rNRLA3zZa2VzYxd1QLFTdOxsMQ+6V6faoLmhRANCAAR4M7kZS/VdkdOQG56ELvL2/3L8ti+yQeQBv0BuyUJqWHMOv13VLZOKTnvtFrAZbjM6lONayft9qSr43thfj1Pb', { loose: true });
+      const recipientPrivateKey = await crypto.subtle.importKey('pkcs8', rawRecipientPrivateKey, { name: 'ECDH', namedCurve: 'P-256' }, false, ['deriveBits']);
+      const orig = { hello: 'world' };
+      const recipient = Recipient.ecdhEs('alice', recipientPrivateKey);
 
-      const decrypted = await JWEParser.parse(jwe).decryptEcdhEs(recipientPrivateKey);
+      const decrypted = await JWE.parseCompact(jwe).decrypt(recipient);
       expect(decrypted).to.deep.eq(orig);
     });
 
@@ -56,19 +114,22 @@ describe('JWE', () => {
   describe('JWE using alg: PBES2-HS512+A256KW', () => {
     it('x = decrypt(encrypt(x, pass), pass)', async () => {
       const orig = { hello: 'world' };
+      const recipient = Recipient.pbes2('password', 'topsecret', 1000);
 
-      const jwe = await JWEBuilder.pbes2('topsecret', 1000).encrypt(orig);
+      const jwe = await JWE.build(orig).encrypt(recipient);
 
-      const decrypted = await JWEParser.parse(jwe).decryptPbes2('topsecret');
+      const decrypted = await jwe.decrypt(recipient)
       expect(decrypted).to.deep.eq(orig);
     });
 
     it('encrypt JWE used in Java unit tests', async () => {
       const orig = { key: 'ME8CAQAwEAYHKoZIzj0CAQYFK4EEACIEODA2AgEBBDEA6QybmBitf94veD5aCLr7nlkF5EZpaXHCfq1AXm57AKQyGOjTDAF9EQB28fMywTDQ' };
 
-      const jwe = await JWEBuilder.pbes2('123456', 1000).encrypt(orig);
+      const recipient = Recipient.pbes2('password', '123456', 1000);
+      const jwe = await JWE.build(orig).encrypt(recipient);
+      const token = jwe.compactSerialization();
 
-      expect(jwe).not.to.be.null;
+      expect(token).not.to.be.null;
     });
 
     // TODO: add some more decrypt-only tests with JWE from 3rd party
@@ -78,10 +139,11 @@ describe('JWE', () => {
     it('x = decrypt(encrypt(x, kek), kek)', async () => {
       const kek = await crypto.subtle.generateKey({ name: 'AES-KW', length: 256 }, false, ['wrapKey', 'unwrapKey']);
       const orig = { hello: 'world' };
+      const recipient = Recipient.a256kw('kw', kek);
 
-      const jwe = await JWEBuilder.a256kw(kek).encrypt(orig);
+      const jwe = await JWE.build(orig).encrypt(recipient);
 
-      const decrypted = await JWEParser.parse(jwe).decryptA256kw(kek);
+      const decrypted = await jwe.decrypt(recipient);
       expect(decrypted).to.deep.eq(orig);
     });
 
@@ -91,8 +153,9 @@ describe('JWE', () => {
       const rawKek = base64url.parse('y_uxz8iAtcOXlqMYpm2jASvDWokpCYMtwkthFSK6IF0', { loose: true });
       const kek = await crypto.subtle.importKey('raw', rawKek, 'AES-KW', false, ['unwrapKey']);
       const orig = { hello: 'world' };
+      const recipient = Recipient.a256kw('kw', kek);
 
-      const decrypted = await JWEParser.parse(jwe).decryptA256kw(kek);
+      const decrypted = await JWE.parseCompact(jwe).decrypt(recipient);
       expect(decrypted).to.deep.eq(orig);
     });
   });
diff --git a/frontend/test/common/uvf.spec.ts b/frontend/test/common/uvf.spec.ts
index c11809cae..0b532d460 100644
--- a/frontend/test/common/uvf.spec.ts
+++ b/frontend/test/common/uvf.spec.ts
@@ -1,7 +1,7 @@
 import { use as chaiUse, expect } from 'chai';
 import chaiAsPromised from 'chai-as-promised';
 import { before, describe } from 'mocha';
-import { JWEParser } from '../../src/common/jwe';
+import { JWE, Recipient } from '../../src/common/jwe';
 import { MetadataPayload, VaultMetadata, VaultMetadataJWEAutomaticAccessGrantDto } from '../../src/common/uvf';
 
 chaiUse(chaiAsPromised);
@@ -40,7 +40,7 @@ describe('Universal Vault Format', () => {
       expect(decrypted.initialSeedId).to.eq(orig.initialSeedId)
       expect(decrypted.latestSeedId).to.eq(orig.latestSeedId)
       expect(decrypted.automaticAccessGrant).to.deep.eq(automaticAccessGrant);
-      const decryptedRaw: MetadataPayload = await JWEParser.parse(jwe).decryptA256kw(uvfMasterKey);
+      const decryptedRaw: MetadataPayload = await JWE.parseCompact(jwe).decrypt(Recipient.a256kw('org.cryptomator.hub.masterkey', uvfMasterKey));
       expect(decryptedRaw.fileFormat).to.eq('AES-256-GCM-32k');
       expect(decryptedRaw.initialSeed).to.eq(decryptedRaw.latestSeed);
       expect(decryptedRaw.seeds[decryptedRaw.initialSeed]).to.be.not.empty;

From 3646379647e44f8104a6fd7cdacd95855ecb122b Mon Sep 17 00:00:00 2001
From: Sebastian Stenzel <sebastian.stenzel@skymatic.de>
Date: Fri, 26 Apr 2024 17:02:07 +0200
Subject: [PATCH 09/94] use correct `AlgorithmID` for Concat KDF

---
 frontend/src/common/jwe.ts | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/frontend/src/common/jwe.ts b/frontend/src/common/jwe.ts
index 3509fb4a8..d24e79a03 100644
--- a/frontend/src/common/jwe.ts
+++ b/frontend/src/common/jwe.ts
@@ -172,7 +172,7 @@ class EcdhRecipient extends Recipient {
         throw new Error('Unsupported curve');
     }
     const epk = await crypto.subtle.importKey('jwk', header.epk!, { name: 'ECDH', namedCurve: header.epk?.crv }, false, []);
-    return ECDH_ES.deriveKey(epk, this.recipientKey, keyBits, 32, header, false, keyAlgorithm, keyUsage);
+    return ECDH_ES.deriveKey(epk, this.recipientKey, keyBits, keyAlgorithm.length / 8, header, false, keyAlgorithm, keyUsage);
   }
 
   async decryptAndUnwrap(header: Header, encryptedKey: string): Promise<CryptoKey> {
@@ -402,10 +402,12 @@ export class ECDH_ES {
   private static async deriveRawKey(publicKey: CryptoKey, privateKey: CryptoKey, ecdhKeyBits: number, desiredKeyBytes: number, header: JWEHeader): Promise<Uint8Array> {
     let agreedKey = new Uint8Array();
     try {
-      const algorithmId = ECDH_ES.lengthPrefixed(new TextEncoder().encode(header.enc));
+      const algOrEnc = header.alg === 'ECDH-ES' ? header.enc : header.alg; // see definition of AlgorithmID in RFC 7518, Section 4.6.2
+      const algorithmId = ECDH_ES.lengthPrefixed(new TextEncoder().encode(algOrEnc));
       const partyUInfo = ECDH_ES.lengthPrefixed(base64url.parse(header.apu || '', { loose: true }));
       const partyVInfo = ECDH_ES.lengthPrefixed(base64url.parse(header.apv || '', { loose: true }));
       const suppPubInfo = new ArrayBuffer(4);
+      const suppPrivInfo = new Uint8Array();
       new DataView(suppPubInfo).setUint32(0, desiredKeyBytes * 8, false);
       agreedKey = new Uint8Array(await crypto.subtle.deriveBits(
         {
@@ -415,7 +417,7 @@ export class ECDH_ES {
         privateKey,
         ecdhKeyBits
       ));
-      const otherInfo = new Uint8Array([...algorithmId, ...partyUInfo, ...partyVInfo, ...new Uint8Array(suppPubInfo)]);
+      const otherInfo = new Uint8Array([...algorithmId, ...partyUInfo, ...partyVInfo, ...new Uint8Array(suppPubInfo), ...suppPrivInfo]);
       return ConcatKDF.kdf(new Uint8Array(agreedKey), desiredKeyBytes, otherInfo);
     } finally {
       agreedKey.fill(0x00);

From f1c14fd486a3835711dc495332f1cd2f78967b65 Mon Sep 17 00:00:00 2001
From: Sebastian Stenzel <sebastian.stenzel@skymatic.de>
Date: Fri, 26 Apr 2024 17:02:16 +0200
Subject: [PATCH 10/94] added tests

---
 frontend/test/common/jwe.spec.ts | 39 +++++++++++++++++++++++++++++---
 1 file changed, 36 insertions(+), 3 deletions(-)

diff --git a/frontend/test/common/jwe.spec.ts b/frontend/test/common/jwe.spec.ts
index 701f1731d..5abac143f 100644
--- a/frontend/test/common/jwe.spec.ts
+++ b/frontend/test/common/jwe.spec.ts
@@ -96,7 +96,7 @@ describe('JWE', () => {
       expect(decrypted).to.deep.eq(orig);
     });
 
-    it('decrypt ECDH', async () => {
+    it('decrypt ECDH-ES', async () => {
       // JWE generated by https://dinochiesa.github.io/jwt/
       const jwe = 'eyJhbGciOiJFQ0RILUVTIiwiZW5jIjoiQTI1NkdDTSIsImVwayI6eyJrdHkiOiJFQyIsImNydiI6IlAtMjU2IiwieCI6InpMYlRUN3M5d3lZeGpHdGZxeHVDQk81TTNTMTlNRzJHUGJzTlJhMFEwT2MiLCJ5IjoiTGpmVG9jLXpIcWRqcHA4VURPSl9aS1JLQ0FoSGpSSmFGS0FJbjdTR1RXdyJ9fQ..30WmoR8Qp1VA5NMr.TBRC30hVRwi_W_HIe03JWNY.zvfl5wQuG8vhUjhr1-f8jQ';
       const rawRecipientPrivateKey = base64.parse('MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgzMoA2cm0rNRLA3zZa2VzYxd1QLFTdOxsMQ+6V6faoLmhRANCAAR4M7kZS/VdkdOQG56ELvL2/3L8ti+yQeQBv0BuyUJqWHMOv13VLZOKTnvtFrAZbjM6lONayft9qSr43thfj1Pb', { loose: true });
@@ -108,7 +108,31 @@ describe('JWE', () => {
       expect(decrypted).to.deep.eq(orig);
     });
 
-    // TODO: add some more decrypt-only tests with JWE from 3rd party
+    it('decrypt ECDH-ES+A256KW 1', async () => {
+      // JWE generated by https://dinochiesa.github.io/jwt/
+      const jwe = 'eyJlcGsiOnsia3R5IjoiRUMiLCJjcnYiOiJQLTI1NiIsIngiOiJGX3lIQWlEQkNMajdVdW43NXZtTGpsSkRnSFRmVnFPUW51X0g0cGhNbjVZIiwieSI6IlFMRThtd1V2M0tDU3pjNmtqT0R2QnhEQjFqRFdUVnE1N052UlpUcFZNZFUifSwiZW5jIjoiQTI1NkdDTSIsImFsZyI6IkVDREgtRVMrQTI1NktXIn0.ziLX2llBDAO0Ha_EV2QyLVGo47qN0c2QpSt-tu35yn8t6Q-elpVG3A.QXT0c27wNHVbvcQN.z82EXvOQ_IWaCGcSmlizzFY.JkrlVlJin8E4uH4WEjPs0w';
+      const rawRecipientPrivateKey = base64.parse('MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQg8w/B3QWfLRwtt+pCYScLE8CzqWOYGYl/t2gwmb89AA2hRANCAAR/S7NvYpmAinsrGaDaFNmN8eQFRpwc5alP4Clu8hV//hcrN9DMHGbO2lsKk//ktpUNXt4Fj4UIsBw3ABUchbxI', { loose: true });
+      const recipientPrivateKey = await crypto.subtle.importKey('pkcs8', rawRecipientPrivateKey, { name: 'ECDH', namedCurve: 'P-256' }, false, ['deriveBits']);
+      const orig = { hello: 'world' };
+      const recipient = Recipient.ecdhEs('alice', recipientPrivateKey);
+
+      const decrypted = await JWE.parseCompact(jwe).decrypt(recipient);
+      expect(decrypted).to.deep.eq(orig);
+    });
+
+    // 
+
+    it('decrypt ECDH-ES+A256KW 2', async () => {
+      // JWE generated by nimbus-jose-jwt
+      const jwe = 'eyJlcGsiOnsia3R5IjoiRUMiLCJjcnYiOiJQLTM4NCIsIngiOiJDMndad2lrUUc2NFVjNWdHRHV4VWhVb0dHbEpDVnI4ZHFjMFZkelZIUDl3WUtmSTNCYl8tVnQ3VGtfRER5N1RoIiwieSI6IlNTMTNRS18wLWJYQ1J4OHkyZXFETUNPU0I5OUhqOGtHQWh3b2hzWmwwYi1vamdiTzBsNUpKQW4wYmFCTWE4d1YifSwiZW5jIjoiQTI1NkdDTSIsImFsZyI6IkVDREgtRVMrQTI1NktXIn0.VZPzMmLm31EfxoOhVmLRIu0ILMs473FKeLd8jhaCrzHlLhXS0S2VSA.7W9iNEn-1B1PnfuQ.6y_7YaOXUCCXvuaxwbHLtpc.yHRzBceUHw6huMv4jFApxg';
+      const privateKeyJwk: JsonWebKey = { "kty": "EC", "crv": "P-384", "x": "I47LcQjeZZ5_HxIbw3e5nwaA2S7BFr0CFfiGaay9q3OTNNxFm-O4pjQ2wntSS3hu", "y": "mDFWsM-fkpHpM6JmJczl31PkjrfCbz6B_IhYcMKsJc3NBIO1ALRvmsjrX0aTRH_e", "d": "tgit5ED1PpM6rwIDqMovYkKSZ8n5V05wc_sHi-AiqwM9atiTsO3w2E2wDa-L1lFN" };
+      const privateKey = await crypto.subtle.importKey('jwk', privateKeyJwk, { name: 'ECDH', namedCurve: 'P-384' }, false, ['deriveBits']);
+      const orig = { hello: 'world' };
+      const recipient = Recipient.ecdhEs('alice', privateKey);
+
+      const decrypted = await JWE.parseCompact(jwe).decrypt(recipient);
+      expect(decrypted).to.deep.eq(orig);
+    });
   });
 
   describe('JWE using alg: PBES2-HS512+A256KW', () => {
@@ -132,7 +156,16 @@ describe('JWE', () => {
       expect(token).not.to.be.null;
     });
 
-    // TODO: add some more decrypt-only tests with JWE from 3rd party
+    it('decrypt PBES2-HS512+A256KW', async () => {
+      // JWE generated by nimbus-jose-jwt
+      const jwe = 'eyJwMnMiOiI1REp2cFJVTzJkOWlUdjdHc24wTlp3IiwicDJjIjoxMDAwLCJlbmMiOiJBMjU2R0NNIiwiYWxnIjoiUEJFUzItSFM1MTIrQTI1NktXIn0.uOPjfcgWobRPtoO124qLyv9XSRWEw1rmdzDqroH6iTBQyyNMKIjdPw.dIH9LVbMH5aAmCMj.hsIdH2JSliAV2ueFErovkHY.OA2nayTnJYTQO04HGvlaMA';
+      const orig = { hello: 'world' };
+
+      const recipient = Recipient.pbes2('password', 'topsecret');
+
+      const decrypted = await JWE.parseCompact(jwe).decrypt(recipient);
+      expect(decrypted).to.deep.eq(orig);
+    });
   });
 
   describe('JWE using alg: A256KW', () => {

From aa1690f9fed78cce44434b6fcd1a74ff96babe02 Mon Sep 17 00:00:00 2001
From: Sebastian Stenzel <sebastian.stenzel@skymatic.de>
Date: Sun, 28 Apr 2024 14:13:19 +0200
Subject: [PATCH 11/94] type cleanup

---
 frontend/src/common/jwe.ts       | 85 +++++++++++++++++---------------
 frontend/test/common/jwe.spec.ts |  6 +--
 2 files changed, 49 insertions(+), 42 deletions(-)

diff --git a/frontend/src/common/jwe.ts b/frontend/src/common/jwe.ts
index d24e79a03..894b1577a 100644
--- a/frontend/src/common/jwe.ts
+++ b/frontend/src/common/jwe.ts
@@ -35,7 +35,7 @@ export class ConcatKDF {
   }
 }
 
-type Header = {
+export type JWEHeader = {
   kid?: string,
   enc?: 'A256GCM' | 'A128GCM',
   alg?: 'ECDH-ES' | 'ECDH-ES+A256KW' | 'PBES2-HS512+A256KW' | 'A256KW',
@@ -47,12 +47,18 @@ type Header = {
   [other: string]: undefined | string | number | boolean | object; // allow further properties
 }
 
-type PerRecipientProperties = {
-  encryptedKey: string;
-  header: Header;
+type JsonJWE = {
+  protected: string,
+  recipients: PerRecipientProperties[]
+  iv: string,
+  ciphertext: string,
+  tag: string
 }
 
-export type JWEHeader = Header;
+type PerRecipientProperties = {
+  encrypted_key: string;
+  header: JWEHeader;
+}
 
 export const ECDH_P384: EcKeyImportParams | EcKeyGenParams = {
   name: 'ECDH',
@@ -71,7 +77,7 @@ export abstract class Recipient {
    * @param commonHeader The protected and unprotected header (not per-recipient)
    * @returns The encrypted CEK and per-recipient header parameters for the used `alg`.
    */
-  abstract encrypt(cek: CryptoKey, commonHeader: Header): Promise<PerRecipientProperties>;
+  abstract encrypt(cek: CryptoKey, commonHeader: JWEHeader): Promise<PerRecipientProperties>;
 
   /**
    * Decrypts the CEK using the recipient-specific `alg`.
@@ -80,7 +86,7 @@ export abstract class Recipient {
    * @returns A non-extractable CEK suitable for decryption with AES-GCM.
    * @throws {UnwrapKeyError} if decryption failed
    */
-  abstract decrypt(header: Header, encryptedKey: string): Promise<CryptoKey>;
+  abstract decrypt(header: JWEHeader, encryptedKey: string): Promise<CryptoKey>;
 
   /**
    * Create a recipient using `alg: ECDH-ES+A256KW`. Also supports `ECDH-ES` with direct key agreement for decryption
@@ -126,12 +132,12 @@ class EcdhRecipient extends Recipient {
     super(kid);
   }
 
-  async encrypt(cek: CryptoKey, commonHeader: Header): Promise<PerRecipientProperties> {
+  async encrypt(cek: CryptoKey, commonHeader: JWEHeader): Promise<PerRecipientProperties> {
     if (this.recipientKey.type !== 'public') {
       throw new Error('Recipient public key required.');
     }
     const ephemeralKey = await crypto.subtle.generateKey(ECDH_P384, false, ['deriveBits']);
-    const header: Header = {
+    const header: JWEHeader = {
       ...commonHeader,
       alg: 'ECDH-ES+A256KW',
       epk: await crypto.subtle.exportKey('jwk', ephemeralKey.publicKey),
@@ -142,11 +148,11 @@ class EcdhRecipient extends Recipient {
     const encryptedKey = new Uint8Array(await crypto.subtle.wrapKey('raw', cek, wrappingKey, 'AES-KW'));
     return {
       header: header,
-      encryptedKey: base64url.stringify(encryptedKey, { pad: false })
+      encrypted_key: base64url.stringify(encryptedKey, { pad: false })
     }
   }
 
-  async decrypt(header: Header, encryptedKey: string): Promise<CryptoKey> {
+  async decrypt(header: JWEHeader, encryptedKey: string): Promise<CryptoKey> {
     if (this.recipientKey.type !== 'private') {
       throw new Error('Recipient private key required.');
     }
@@ -159,7 +165,7 @@ class EcdhRecipient extends Recipient {
     }
   }
 
-  async decryptDirect(header: Header, keyAlgorithm: AesKeyAlgorithm, keyUsage: KeyUsage[]): Promise<CryptoKey> {
+  async decryptDirect(header: JWEHeader, keyAlgorithm: AesKeyAlgorithm, keyUsage: KeyUsage[]): Promise<CryptoKey> {
     let keyBits: number;
     switch (header.epk!.crv) {
       case 'P-256':
@@ -175,7 +181,7 @@ class EcdhRecipient extends Recipient {
     return ECDH_ES.deriveKey(epk, this.recipientKey, keyBits, keyAlgorithm.length / 8, header, false, keyAlgorithm, keyUsage);
   }
 
-  async decryptAndUnwrap(header: Header, encryptedKey: string): Promise<CryptoKey> {
+  async decryptAndUnwrap(header: JWEHeader, encryptedKey: string): Promise<CryptoKey> {
     const wrappingKey = await this.decryptDirect(header, { name: 'AES-KW', length: 256 }, ['unwrapKey']);
     try {
       return await crypto.subtle.unwrapKey('raw', base64url.parse(encryptedKey, { loose: true }), wrappingKey, 'AES-KW', { name: 'AES-GCM' }, false, ['decrypt']);
@@ -192,20 +198,19 @@ class A256kwRecipient extends Recipient {
     super(kid);
   }
 
-  async encrypt(cek: CryptoKey, commonHeader: Header): Promise<PerRecipientProperties> {
-    const header: Header = {
+  async encrypt(cek: CryptoKey, commonHeader: JWEHeader): Promise<PerRecipientProperties> {
+    const header: JWEHeader = {
       ...commonHeader,
-      alg: 'A256KW',
-      enc: 'A256GCM'
+      alg: 'A256KW'
     };
     const encryptedKey = new Uint8Array(await crypto.subtle.wrapKey('raw', cek, this.wrappingKey, 'AES-KW'));
     return {
       header: header,
-      encryptedKey: base64url.stringify(encryptedKey, { pad: false })
+      encrypted_key: base64url.stringify(encryptedKey, { pad: false })
     }
   }
 
-  async decrypt(header: Header, encryptedKey: string): Promise<CryptoKey> {
+  async decrypt(header: JWEHeader, encryptedKey: string): Promise<CryptoKey> {
     if (header.alg != 'A256KW') {
       throw new Error('unsupported alg');
     }
@@ -224,9 +229,9 @@ class Pbes2Recipient extends Recipient {
     super(kid);
   }
 
-  async encrypt(cek: CryptoKey, commonHeader: Header): Promise<PerRecipientProperties> {
+  async encrypt(cek: CryptoKey, commonHeader: JWEHeader): Promise<PerRecipientProperties> {
     const salt = crypto.getRandomValues(new Uint8Array(16));
-    const header: Header = {
+    const header: JWEHeader = {
       ...commonHeader,
       kid: this.kid,
       alg: 'PBES2-HS512+A256KW',
@@ -237,11 +242,11 @@ class Pbes2Recipient extends Recipient {
     const encryptedKey = new Uint8Array(await crypto.subtle.wrapKey('raw', cek, await wrappingKey, 'AES-KW'));
     return {
       header: header,
-      encryptedKey: base64url.stringify(encryptedKey, { pad: false })
+      encrypted_key: base64url.stringify(encryptedKey, { pad: false })
     }
   }
 
-  async decrypt(header: Header, encryptedKey: string): Promise<CryptoKey> {
+  async decrypt(header: JWEHeader, encryptedKey: string): Promise<CryptoKey> {
     if (header.alg != 'PBES2-HS512+A256KW' || !header.p2s || !header.p2c) {
       throw new Error('Missing or invalid header parameters.');
     }
@@ -270,12 +275,12 @@ export class JWE {
   public static parseCompact(token: string): EncryptedJWE {
     const [protectedHeader, encryptedKey, iv, ciphertext, tag] = token.split('.', 5);
     const utf8 = new TextDecoder();
-    const header: Header = JSON.parse(utf8.decode(base64url.parse(protectedHeader, { loose: true })));
+    const header: JWEHeader = JSON.parse(utf8.decode(base64url.parse(protectedHeader, { loose: true })));
 
-    return new EncryptedJWE(protectedHeader, [{ encryptedKey: encryptedKey, header: header }], iv, ciphertext, tag);
+    return new EncryptedJWE(protectedHeader, [{ encrypted_key: encryptedKey, header: header }], iv, ciphertext, tag);
   }
 
-  public static parseJson(jwe: any): EncryptedJWE { // TODO: json:
+  public static parseJson(jwe: JsonJWE): EncryptedJWE { // TODO: json:
     if (!jwe.protected || !jwe.recipients || !jwe.iv || !jwe.ciphertext || !jwe.tag) {
       throw new Error('Malformed JWE');
     }
@@ -283,20 +288,23 @@ export class JWE {
   }
 
   public async encrypt(recipient: Recipient, ...moreRecipients: Recipient[]): Promise<EncryptedJWE> {
-    let protectedHeader: Header = {
+    let protectedHeader: JWEHeader = {
       enc: 'A256GCM'
     }
     const cek = await crypto.subtle.generateKey({ name: 'AES-GCM', length: 256 }, true, ['encrypt']);
     const iv = crypto.getRandomValues(new Uint8Array(12));
-    const recipients = await Promise.all([recipient, ...moreRecipients].map(r => r.encrypt(cek, protectedHeader)));
+    const perRecipientData = await Promise.all([recipient, ...moreRecipients].map(r => r.encrypt(cek, protectedHeader)));
 
-    if (recipients.length === 1) {
-      protectedHeader = recipients[0].header;
+    if (perRecipientData.length === 1) {
+      protectedHeader = {
+        ...perRecipientData[0].header
+      };
     } else {
       protectedHeader = {
-        enc: recipients[0].header.enc
+        enc: perRecipientData[0].header.enc
       }
     }
+    perRecipientData.forEach(r => delete r.header.enc);
 
     const utf8enc = new TextEncoder();
     const encodedProtectedHeader = base64url.stringify(utf8enc.encode(JSON.stringify(protectedHeader)), { pad: false });
@@ -318,7 +326,7 @@ export class JWE {
     const encodedIv = base64url.stringify(iv, { pad: false });
     const encodedCiphertext = base64url.stringify(ciphertext, { pad: false });
     const encodedTag = base64url.stringify(tag, { pad: false });
-    return new EncryptedJWE(encodedProtectedHeader, recipients, encodedIv, encodedCiphertext, encodedTag)
+    return new EncryptedJWE(encodedProtectedHeader, perRecipientData, encodedIv, encodedCiphertext, encodedTag)
   }
 
 }
@@ -333,15 +341,14 @@ export class EncryptedJWE {
     }
   }
 
-  public jsonSerialization(): any {
+  public jsonSerialization(): JsonJWE {
     if (this.perRecipient.length < 1) {
       throw new Error('JWE JSON Serialization requires at least one recipient.');
     }
     const recipients = this.perRecipient.map(r => ({
       header: r.header,
-      encrypted_key: r.encryptedKey
+      encrypted_key: r.encrypted_key
     }));
-
     return {
       protected: this.protectedHeader,
       recipients: recipients,
@@ -355,18 +362,18 @@ export class EncryptedJWE {
     if (this.perRecipient.length !== 1) {
       throw new Error('JWE Compact Serialization requires exactly one recipient.');
     }
-    return `${this.protectedHeader}.${this.perRecipient[0].encryptedKey}.${this.iv}.${this.ciphertext}.${this.tag}`;
+    return `${this.protectedHeader}.${this.perRecipient[0].encrypted_key}.${this.iv}.${this.ciphertext}.${this.tag}`;
   }
 
   public async decrypt(recipient: Recipient): Promise<any> {
     const utf8dec = new TextDecoder();
     const utf8enc = new TextEncoder();
-    const protectedHeader: Header = JSON.parse(utf8dec.decode(base64url.parse(this.protectedHeader, { loose: true })));
+    const protectedHeader: JWEHeader = JSON.parse(utf8dec.decode(base64url.parse(this.protectedHeader, { loose: true })));
     const perRecipientData = (this.perRecipient.length === 1)
       ? this.perRecipient[0]
       : this.perRecipientWithKid(recipient.kid);
-    const combinedHeader: Header = { ...perRecipientData.header, ...protectedHeader };
-    const cek = await recipient.decrypt(combinedHeader, perRecipientData.encryptedKey);
+    const combinedHeader: JWEHeader = { ...perRecipientData.header, ...protectedHeader };
+    const cek = await recipient.decrypt(combinedHeader, perRecipientData.encrypted_key);
     const ciphertext = base64url.parse(this.ciphertext, { loose: true })
     const tag = base64url.parse(this.tag, { loose: true });
     const ciphertextAndTag = new Uint8Array([...ciphertext, ...tag]);
diff --git a/frontend/test/common/jwe.spec.ts b/frontend/test/common/jwe.spec.ts
index 5abac143f..0a27d14fe 100644
--- a/frontend/test/common/jwe.spec.ts
+++ b/frontend/test/common/jwe.spec.ts
@@ -27,7 +27,7 @@ describe('JWE', () => {
   });
 
   describe('JWE serialization for single recipient', () => {
-    const jwe = new EncryptedJWE('protectedHeader', [{ encryptedKey: 'encryptedKey', header: { kid: 'alice' } }], 'iv', 'ciphertext', 'tag');
+    const jwe = new EncryptedJWE('protectedHeader', [{ encrypted_key: 'encryptedKey', header: { kid: 'alice' } }], 'iv', 'ciphertext', 'tag');
 
     it('compactSerialization', () => {
       const token = jwe.compactSerialization();
@@ -49,8 +49,8 @@ describe('JWE', () => {
 
   describe('JWE serialization for multiple recipients', () => {
     const recipients = [
-      { encryptedKey: 'encryptedKey1', header: { kid: 'alice' } },
-      { encryptedKey: 'encryptedKey2', header: { kid: 'bob' } }
+      { encrypted_key: 'encryptedKey1', header: { kid: 'alice' } },
+      { encrypted_key: 'encryptedKey2', header: { kid: 'bob' } }
     ];
     const jwe = new EncryptedJWE('protectedHeader', recipients, 'iv', 'ciphertext', 'tag');
 

From e6e028ad46982a6c96d135cd4404720f507d3f00 Mon Sep 17 00:00:00 2001
From: Sebastian Stenzel <sebastian.stenzel@skymatic.de>
Date: Sun, 28 Apr 2024 16:30:15 +0200
Subject: [PATCH 12/94] include recovery key in UVF metadata

---
 frontend/src/common/crypto.ts    | 18 ++++++-
 frontend/src/common/jwe.ts       | 25 +++++++---
 frontend/src/common/uvf.ts       | 82 ++++++++++++++++++--------------
 frontend/test/common/uvf.spec.ts | 44 ++++++++---------
 4 files changed, 104 insertions(+), 65 deletions(-)

diff --git a/frontend/src/common/crypto.ts b/frontend/src/common/crypto.ts
index 58053412a..627443de9 100644
--- a/frontend/src/common/crypto.ts
+++ b/frontend/src/common/crypto.ts
@@ -1,4 +1,4 @@
-import { base16, base64 } from 'rfc4648';
+import { base16, base64, base64url } from 'rfc4648';
 import { JWE, Recipient } from './jwe';
 import { DB } from './util';
 
@@ -220,3 +220,19 @@ export async function getFingerprint(key: string | undefined) {
   }
 }
 
+/**
+ * Computes the JWK Thumbprint (RFC 7638) using SHA-256.
+ * @param key An EC key
+ */
+export async function getJwkThumbprint(key: CryptoKey): Promise<string> {
+  // see https://datatracker.ietf.org/doc/html/rfc7638#section-3.2
+  if (key.algorithm.name !== 'ECDH') {
+    throw new Error('Method only implemented for EC keys.');
+  }
+  const jwk = await crypto.subtle.exportKey('jwk', key);
+  const algo = key.algorithm as EcKeyAlgorithm;
+  const orderedJson = `{"crv":"${algo.namedCurve}","kty":"${jwk.kty}","x":${jwk.x},"y":${jwk.y}}`;
+  const bytes = new TextEncoder().encode(orderedJson);
+  const hashBuffer = await crypto.subtle.digest('SHA-256', bytes);
+  return base64url.stringify(new Uint8Array(hashBuffer), { pad: false });
+}
diff --git a/frontend/src/common/jwe.ts b/frontend/src/common/jwe.ts
index 894b1577a..bf1998530 100644
--- a/frontend/src/common/jwe.ts
+++ b/frontend/src/common/jwe.ts
@@ -44,10 +44,11 @@ export type JWEHeader = {
   epk?: JsonWebKey,
   p2c?: number,
   p2s?: string,
+  jku?: string,
   [other: string]: undefined | string | number | boolean | object; // allow further properties
 }
 
-type JsonJWE = {
+export type JsonJWE = {
   protected: string,
   recipients: PerRecipientProperties[]
   iv: string,
@@ -98,6 +99,9 @@ export abstract class Recipient {
    * @returns A new recipient
    */
   public static ecdhEs(kid: string, recipientKey: CryptoKey, apu: Uint8Array = new Uint8Array(), apv: Uint8Array = new Uint8Array()): Recipient {
+    if (recipientKey?.type === 'secret' || recipientKey?.algorithm.name !== 'ECDH') {
+      throw new Error('Unsupported recipient key');
+    }
     return new EcdhRecipient(kid, recipientKey, apu, apv);
   }
 
@@ -121,6 +125,9 @@ export abstract class Recipient {
    * @returns A new recipient
    */
   public static a256kw(kid: string, wrappingKey: CryptoKey): Recipient {
+    if (wrappingKey?.type !== 'secret' || wrappingKey?.algorithm.name !== 'AES-KW') {
+      throw new Error('Unsupported wrapping key');
+    }
     return new A256kwRecipient(kid, wrappingKey);
   }
 
@@ -139,6 +146,7 @@ class EcdhRecipient extends Recipient {
     const ephemeralKey = await crypto.subtle.generateKey(ECDH_P384, false, ['deriveBits']);
     const header: JWEHeader = {
       ...commonHeader,
+      kid: this.kid,
       alg: 'ECDH-ES+A256KW',
       epk: await crypto.subtle.exportKey('jwk', ephemeralKey.publicKey),
       apu: base64url.stringify(this.apu, { pad: false }),
@@ -201,6 +209,7 @@ class A256kwRecipient extends Recipient {
   async encrypt(cek: CryptoKey, commonHeader: JWEHeader): Promise<PerRecipientProperties> {
     const header: JWEHeader = {
       ...commonHeader,
+      kid: this.kid,
       alg: 'A256KW'
     };
     const encryptedKey = new Uint8Array(await crypto.subtle.wrapKey('raw', cek, this.wrappingKey, 'AES-KW'));
@@ -266,10 +275,10 @@ class Pbes2Recipient extends Recipient {
 
 export class JWE {
 
-  private constructor(private payload: object) { }
+  private constructor(private payload: object, private protectedHeader: JWEHeader) { }
 
-  public static build(payload: object): JWE {
-    return new JWE(payload);
+  public static build(payload: object, protectedHeader: JWEHeader = {}): JWE {
+    return new JWE(payload, protectedHeader);
   }
 
   public static parseCompact(token: string): EncryptedJWE {
@@ -289,6 +298,7 @@ export class JWE {
 
   public async encrypt(recipient: Recipient, ...moreRecipients: Recipient[]): Promise<EncryptedJWE> {
     let protectedHeader: JWEHeader = {
+      ...this.protectedHeader,
       enc: 'A256GCM'
     }
     const cek = await crypto.subtle.generateKey({ name: 'AES-GCM', length: 256 }, true, ['encrypt']);
@@ -297,14 +307,15 @@ export class JWE {
 
     if (perRecipientData.length === 1) {
       protectedHeader = {
+        ...protectedHeader,
         ...perRecipientData[0].header
       };
     } else {
-      protectedHeader = {
-        enc: perRecipientData[0].header.enc
+      protectedHeader.enc = perRecipientData[0].header.enc;
+      for (let key of Object.keys(protectedHeader)) {
+        perRecipientData.forEach(r => delete r.header[key]);
       }
     }
-    perRecipientData.forEach(r => delete r.header.enc);
 
     const utf8enc = new TextEncoder();
     const encodedProtectedHeader = base64url.stringify(utf8enc.encode(JSON.stringify(protectedHeader)), { pad: false });
diff --git a/frontend/src/common/uvf.ts b/frontend/src/common/uvf.ts
index 4b471c3df..ab979c55c 100644
--- a/frontend/src/common/uvf.ts
+++ b/frontend/src/common/uvf.ts
@@ -1,7 +1,8 @@
 import { base64url } from 'rfc4648';
-import { JWE, Recipient } from './jwe';
+import { getJwkThumbprint } from './crypto';
+import { JWE, JWEHeader, JsonJWE, Recipient } from './jwe';
 
-export type MetadataPayload = {
+type MetadataPayload = {
   fileFormat: 'AES-256-GCM-32k';
   nameFormat: 'AES-SIV-512-B64URL'; // TODO verify after merging https://github.com/encryption-alliance/unified-vault-format/pull/24
   seeds: Record<string, string>;
@@ -12,30 +13,32 @@ export type MetadataPayload = {
   'org.cryptomator.automaticAccessGrant': VaultMetadataJWEAutomaticAccessGrantDto;
 }
 
-export type VaultMetadataJWEAutomaticAccessGrantDto = {
+type VaultMetadataJWEAutomaticAccessGrantDto = {
   enabled: boolean,
   maxWotDepth: number
 }
 
-export class VaultMetadata {
+// const MEMBER_KEY_DESIGNATION: AesKeyGenParams = {
+//   name: 'AES',
+//   length: 256
+// };
+
+// const MEMBER_KEY_USAGE: KeyUsage[] = ['wrapKey', 'unwrapKey'];
 
-  readonly automaticAccessGrant: VaultMetadataJWEAutomaticAccessGrantDto;
-  readonly seeds: Map<number, Uint8Array>;
-  readonly initialSeedId: number;
-  readonly latestSeedId: number;
-  readonly kdfSalt: Uint8Array;
+export class VaultMetadata {
 
-  protected constructor(automaticAccessGrant: VaultMetadataJWEAutomaticAccessGrantDto, seeds: Map<number, Uint8Array>, initialSeedId: number, latestSeedId: number, kdfSalt: Uint8Array) {
-    this.automaticAccessGrant = automaticAccessGrant;
-    this.seeds = seeds;
-    this.initialSeedId = initialSeedId;
-    this.latestSeedId = latestSeedId;
-    this.kdfSalt = kdfSalt;
+  private constructor(
+    readonly automaticAccessGrant: VaultMetadataJWEAutomaticAccessGrantDto,
+    readonly seeds: Map<number, Uint8Array>,
+    readonly initialSeedId: number,
+    readonly latestSeedId: number,
+    readonly kdfSalt: Uint8Array) {
   }
 
   /**
-   * Creates new vault metadata with a new file key and name key
-   * @returns new vault metadata
+   * Creates a new UVF vault
+   * @param automaticAccessGrant Configuration instructing the client how to automatically deal with permission requests
+   * @returns new vault
    */
   public static async create(automaticAccessGrant: VaultMetadataJWEAutomaticAccessGrantDto): Promise<VaultMetadata> {
     const initialSeedId = new Uint32Array(1);
@@ -46,23 +49,24 @@ export class VaultMetadata {
     crypto.getRandomValues(kdfSalt);
     const initialSeedNo = initialSeedId[0];
     const seeds: Map<number, Uint8Array> = new Map<number, Uint8Array>();
+    // const memberKey = await crypto.subtle.generateKey(MEMBER_KEY_DESIGNATION, false, MEMBER_KEY_USAGE);
     seeds.set(initialSeedNo, initialSeedValue);
     return new VaultMetadata(automaticAccessGrant, seeds, initialSeedNo, initialSeedNo, kdfSalt);
   }
 
   /**
-   * Decrypts the vault metadata using the vault masterkey
-   * @param jwe JWE containing the vault key
-   * @param masterKey the vault masterKey
-   * @returns vault metadata
+   * Decrypts the vault metadata using the members' vault key
+   * @param uvfMetadataFile contents of the `vault.uvf` file
+   * @param memberKey the vault members' wrapping key
+   * @returns Decrypted vault metadata
    */
-  public static async decryptWithMasterKey(jwe: string, masterKey: CryptoKey): Promise<VaultMetadata> {
-    const payload = await JWE.parseCompact(jwe).decrypt(Recipient.a256kw('org.cryptomator.hub.masterkey', masterKey));
-    const encodedSeeds: Record<string, string> = payload['seeds'];
+  public static async decryptWithMemberKey(uvfMetadataFile: string, memberKey: CryptoKey): Promise<VaultMetadata> {
+    const json: JsonJWE = JSON.parse(uvfMetadataFile);
+    const payload: MetadataPayload = await JWE.parseJson(json).decrypt(Recipient.a256kw('org.cryptomator.hub.memberkey', memberKey));
     const seeds = new Map<number, Uint8Array>();
-    for (const key in encodedSeeds) {
+    for (const key in payload.seeds) {
       const num = parseSeedId(key);
-      const value = base64url.parse(encodedSeeds[key], { loose: true });
+      const value = base64url.parse(payload.seeds[key], { loose: true });
       seeds.set(num, value);
     }
     const initialSeedId = parseSeedId(payload['initialSeed']);
@@ -78,29 +82,37 @@ export class VaultMetadata {
   }
 
   /**
-   * Encrypts the vault metadata using the given vault masterKey
-   * @param userPublicKey The recipient's public key (DER-encoded)
-   * @returns a JWE containing this Masterkey
+   * Encrypts the vault metadata
+   * @param memberKey the vault members' AES wrapping key
+   * @param recoveryKey the public part of the recovery EC key pair
+   * @returns `vault.uvf` file contents
    */
-  public async encryptWithMasterKey(masterKey: CryptoKey): Promise<string> {
+  public async encrypt(memberKey: CryptoKey, recoveryKey: CryptoKey): Promise<string> {
+    const recoveryKeyID = `org.cryptomator.hub.recoverykey.${await getJwkThumbprint(recoveryKey)}`;
+    const protectedHeader: JWEHeader = {
+      jku: 'jku.jwks' // URL relative to /api/vaults/{vaultid}/
+    };
+    const jwe = await JWE.build(this.payload(), protectedHeader).encrypt(Recipient.a256kw('org.cryptomator.hub.memberkey', memberKey), Recipient.ecdhEs(recoveryKeyID, recoveryKey)); // TODO
+    const json = jwe.jsonSerialization();
+    return JSON.stringify(json);
+  }
+
+  public payload(): MetadataPayload {
     const encodedSeeds: Record<string, string> = {};
     for (const [key, value] of this.seeds) {
       const seedId = stringifySeedId(key);
       encodedSeeds[seedId] = base64url.stringify(value, { pad: false });
     }
-    const payload: MetadataPayload = {
+    return {
       fileFormat: 'AES-256-GCM-32k',
       nameFormat: 'AES-SIV-512-B64URL',
       seeds: encodedSeeds,
       initialSeed: stringifySeedId(this.initialSeedId),
       latestSeed: stringifySeedId(this.latestSeedId),
-      // TODO https://github.com/encryption-alliance/unified-vault-format/pull/21 finalize kdf
       kdf: 'HKDF-SHA512',
       kdfSalt: base64url.stringify(this.kdfSalt, { pad: false }),
       'org.cryptomator.automaticAccessGrant': this.automaticAccessGrant
-    }
-    const jwe = await JWE.build(payload).encrypt(Recipient.a256kw('org.cryptomator.hub.masterkey', masterKey));
-    return jwe.compactSerialization();
+    };
   }
 
 }
diff --git a/frontend/test/common/uvf.spec.ts b/frontend/test/common/uvf.spec.ts
index 0b532d460..1ec800156 100644
--- a/frontend/test/common/uvf.spec.ts
+++ b/frontend/test/common/uvf.spec.ts
@@ -1,8 +1,7 @@
 import { use as chaiUse, expect } from 'chai';
 import chaiAsPromised from 'chai-as-promised';
 import { before, describe } from 'mocha';
-import { JWE, Recipient } from '../../src/common/jwe';
-import { MetadataPayload, VaultMetadata, VaultMetadataJWEAutomaticAccessGrantDto } from '../../src/common/uvf';
+import { VaultMetadata } from '../../src/common/uvf';
 
 chaiUse(chaiAsPromised);
 
@@ -15,38 +14,39 @@ describe('Universal Vault Format', () => {
     global.window = { crypto: global.crypto };
   });
 
-  describe('Vault Metadata', () => {
+  describe('UVF Metadata', () => {
     // TODO review @sebi what else should we test?
-    it('encryptWithMasterKey() and decryptWithMasterKey()', async () => {
-      const uvfMasterKey = await crypto.subtle.generateKey(
+    it('encrypt() and decryptWithMemberKey()', async () => {
+      const vaultMemberKey = await crypto.subtle.generateKey(
         { name: 'AES-KW', length: 256 },
-        true,
+        false,
         ['wrapKey', 'unwrapKey']
       );
-      const automaticAccessGrant: VaultMetadataJWEAutomaticAccessGrantDto = {
-        enabled: true,
-        maxWotDepth: -1
-      }
-      const orig = await VaultMetadata.create(automaticAccessGrant);
+      const recoveryKey = await crypto.subtle.generateKey(
+        { name: 'ECDH', namedCurve: 'P-384' },
+        false,
+        ['deriveKey']
+      );
+
+      const orig = await VaultMetadata.create({ enabled: true, maxWotDepth: -1 });
       expect(orig).to.be.not.null;
       expect(orig.seeds.get(orig.initialSeedId)).to.not.be.undefined
       expect(orig.seeds.get(orig.initialSeedId)!.length).to.eq(32)
       expect(orig.initialSeedId).to.eq(orig.latestSeedId)
       expect(orig.kdfSalt.length).to.eq(32)
-      const jwe: string = await orig.encryptWithMasterKey(uvfMasterKey);
-      expect(jwe).to.be.not.null;
-      const decrypted: VaultMetadata = await VaultMetadata.decryptWithMasterKey(jwe, uvfMasterKey);
+
+      const uvfMetadata: string = await orig.encrypt(vaultMemberKey, recoveryKey.publicKey);
+      expect(uvfMetadata).to.be.not.null;
+
+      const decrypted: VaultMetadata = await VaultMetadata.decryptWithMemberKey(uvfMetadata, vaultMemberKey);
+      const decryptedPayload = decrypted.payload();
       expect(decrypted.seeds).to.deep.eq(orig.seeds)
       expect(decrypted.initialSeedId).to.eq(orig.initialSeedId)
       expect(decrypted.latestSeedId).to.eq(orig.latestSeedId)
-      expect(decrypted.automaticAccessGrant).to.deep.eq(automaticAccessGrant);
-      const decryptedRaw: MetadataPayload = await JWE.parseCompact(jwe).decrypt(Recipient.a256kw('org.cryptomator.hub.masterkey', uvfMasterKey));
-      expect(decryptedRaw.fileFormat).to.eq('AES-256-GCM-32k');
-      expect(decryptedRaw.initialSeed).to.eq(decryptedRaw.latestSeed);
-      expect(decryptedRaw.seeds[decryptedRaw.initialSeed]).to.be.not.empty;
-      expect(decryptedRaw.kdf).to.eq('HKDF-SHA512');
-      expect(decryptedRaw.kdfSalt).to.be.not.empty
-      expect(decryptedRaw['org.cryptomator.automaticAccessGrant']).to.deep.eq(automaticAccessGrant);
+      expect(decrypted.automaticAccessGrant).to.deep.eq(orig.automaticAccessGrant);
+      expect(decryptedPayload.fileFormat).to.eq('AES-256-GCM-32k');
+      expect(decryptedPayload.nameFormat).to.eq('AES-SIV-512-B64URL');
+      expect(decryptedPayload.kdf).to.eq('HKDF-SHA512');
     });
   });
 });

From a85cf3c29c2bab4a6acee7a6bb34bfb4abf6696c Mon Sep 17 00:00:00 2001
From: Sebastian Stenzel <sebastian.stenzel@skymatic.de>
Date: Sun, 28 Apr 2024 20:13:14 +0200
Subject: [PATCH 13/94] create UVF-based vault

---
 frontend/src/common/uvf.ts                    | 141 ++++++++++++++++--
 frontend/src/common/vaultv8.ts                |   6 +-
 frontend/src/components/CreateVault.vue       |  73 ++++++---
 frontend/src/components/InitialSetup.vue      |   2 +-
 frontend/src/components/ManageSetupCode.vue   |   2 +-
 .../components/RegenerateSetupCodeDialog.vue  |   2 +-
 frontend/test/common/uvf.spec.ts              |  75 ++++++++--
 7 files changed, 247 insertions(+), 54 deletions(-)

diff --git a/frontend/src/common/uvf.ts b/frontend/src/common/uvf.ts
index ab979c55c..ea5c0f4f1 100644
--- a/frontend/src/common/uvf.ts
+++ b/frontend/src/common/uvf.ts
@@ -1,5 +1,5 @@
-import { base64url } from 'rfc4648';
-import { getJwkThumbprint } from './crypto';
+import { base64, base64url } from 'rfc4648';
+import { UserKeys, getJwkThumbprint } from './crypto';
 import { JWE, JWEHeader, JsonJWE, Recipient } from './jwe';
 
 type MetadataPayload = {
@@ -18,13 +18,128 @@ type VaultMetadataJWEAutomaticAccessGrantDto = {
   maxWotDepth: number
 }
 
-// const MEMBER_KEY_DESIGNATION: AesKeyGenParams = {
-//   name: 'AES',
-//   length: 256
-// };
+type MemberKeyPayload = {
+  key: string
+}
+
+// #region Member Key
+/**
+ * The AES Key Wrap Key used to encapsulate the UVF Vault Metadata CEK for a vault member.
+ * This key is encrypted for each vault member individually, using the user's public key.
+ */
+export class MemberKey {
+  public static readonly KEY_DESIGNATION: AesKeyGenParams = { name: 'AES-KW', length: 256 };
+
+  public static readonly KEY_USAGE: KeyUsage[] = ['wrapKey', 'unwrapKey'];
+
+  protected constructor(readonly key: CryptoKey) { }
+
+  /**
+   * Creates a new vault member key
+   * @returns new key
+   */
+  public static async create(): Promise<MemberKey> {
+    const key = await crypto.subtle.generateKey(MemberKey.KEY_DESIGNATION, true, MemberKey.KEY_USAGE);
+    return new MemberKey(key);
+  }
+
+  /**
+   * Decrypts the vault's member key using the member's private key
+   * @param jwe JWE containing the encrypted member key
+   * @param userPrivateKey The user's private key
+   * @returns The masterkey
+   */
+  public static async decryptWithUserKey(jwe: string, userPrivateKey: CryptoKey): Promise<MemberKey> {
+    let rawKey = new Uint8Array();
+    try {
+      const payload: MemberKeyPayload = await JWE.parseCompact(jwe).decrypt(Recipient.ecdhEs('org.cryptomator.hub.userkey', userPrivateKey));
+      rawKey = base64url.parse(payload.key);
+      const masterKey = crypto.subtle.importKey('raw', rawKey, MemberKey.KEY_DESIGNATION, true, MemberKey.KEY_USAGE);
+      return new MemberKey(await masterKey);
+    } finally {
+      rawKey.fill(0x00);
+    }
+  }
+
+  /**
+   * Encrypts this member key using the given public key
+   * @param userPublicKey The user's public key (DER-encoded)
+   * @returns a JWE containing this member key
+   */
+  public async encryptForUser(userPublicKey: CryptoKey | Uint8Array): Promise<string> {
+    // TODO: remove Uint8Array support?
+    if (userPublicKey instanceof Uint8Array) {
+      userPublicKey = await crypto.subtle.importKey('spki', userPublicKey, UserKeys.KEY_DESIGNATION, false, []);
+    }
+    const rawkey = new Uint8Array(await crypto.subtle.exportKey('raw', this.key));
+    try {
+      const payload: MemberKeyPayload = {
+        key: base64.stringify(rawkey),
+      };
+      const jwe = await JWE.build(payload).encrypt(Recipient.ecdhEs('org.cryptomator.hub.userkey', userPublicKey));
+      return jwe.compactSerialization();
+    } finally {
+      rawkey.fill(0x00);
+    }
+  }
 
-// const MEMBER_KEY_USAGE: KeyUsage[] = ['wrapKey', 'unwrapKey'];
+}
+// #endregion
 
+// #region Recovery Key
+/**
+ * The Recovery Key Pair used to encapsulate the UVF Vault Metadata CEK for recovery purposes.
+ */
+export class RecoveryKey {
+  public static readonly KEY_DESIGNATION: EcKeyGenParams = { name: 'ECDH', namedCurve: 'P-384' };
+
+  public static readonly KEY_USAGE: KeyUsage[] = ['deriveKey', 'deriveBits'];
+
+  protected constructor(readonly publicKey: CryptoKey, readonly privateKey?: CryptoKey) { }
+
+  /**
+   * Creates a new vault member key
+   * @returns new key
+   */
+  public static async create(): Promise<RecoveryKey> {
+    const keypair = await crypto.subtle.generateKey(RecoveryKey.KEY_DESIGNATION, false, RecoveryKey.KEY_USAGE);
+    return new RecoveryKey(keypair.publicKey, keypair.privateKey);
+  }
+
+  /**
+   * Loads the public key of the recovery key pair.
+   * @param publicKey the JWK-encoded public key
+   * @returns recovery key for encrypting vault metadata
+   */
+  public static async loadJwk(publicKey: JsonWebKey): Promise<RecoveryKey> {
+    const key = await crypto.subtle.importKey('jwk', publicKey, RecoveryKey.KEY_DESIGNATION, false, RecoveryKey.KEY_USAGE);
+    return new RecoveryKey(key);
+  }
+
+  /**
+   * Restores the Recovery Key Pair
+   * @param recoveryKey the encoded recovery key
+   * @returns complete recovery key for decrypting vault metadata
+   */
+  public static recover(recoveryKey: string) {
+    // TODO
+  }
+
+  /**
+   * Encodes the private key
+   * @returns private key in a human-readable encoding
+   */
+  public serialize(): string {
+    return 'TODO'; // TODO
+  }
+
+}
+// #endregion
+
+// #region Vault metadata
+/**
+ * The UVF Metadata file
+ */
 export class VaultMetadata {
 
   private constructor(
@@ -49,7 +164,6 @@ export class VaultMetadata {
     crypto.getRandomValues(kdfSalt);
     const initialSeedNo = initialSeedId[0];
     const seeds: Map<number, Uint8Array> = new Map<number, Uint8Array>();
-    // const memberKey = await crypto.subtle.generateKey(MEMBER_KEY_DESIGNATION, false, MEMBER_KEY_USAGE);
     seeds.set(initialSeedNo, initialSeedValue);
     return new VaultMetadata(automaticAccessGrant, seeds, initialSeedNo, initialSeedNo, kdfSalt);
   }
@@ -60,9 +174,9 @@ export class VaultMetadata {
    * @param memberKey the vault members' wrapping key
    * @returns Decrypted vault metadata
    */
-  public static async decryptWithMemberKey(uvfMetadataFile: string, memberKey: CryptoKey): Promise<VaultMetadata> {
+  public static async decryptWithMemberKey(uvfMetadataFile: string, memberKey: MemberKey): Promise<VaultMetadata> {
     const json: JsonJWE = JSON.parse(uvfMetadataFile);
-    const payload: MetadataPayload = await JWE.parseJson(json).decrypt(Recipient.a256kw('org.cryptomator.hub.memberkey', memberKey));
+    const payload: MetadataPayload = await JWE.parseJson(json).decrypt(Recipient.a256kw('org.cryptomator.hub.memberkey', memberKey.key));
     const seeds = new Map<number, Uint8Array>();
     for (const key in payload.seeds) {
       const num = parseSeedId(key);
@@ -87,12 +201,12 @@ export class VaultMetadata {
    * @param recoveryKey the public part of the recovery EC key pair
    * @returns `vault.uvf` file contents
    */
-  public async encrypt(memberKey: CryptoKey, recoveryKey: CryptoKey): Promise<string> {
-    const recoveryKeyID = `org.cryptomator.hub.recoverykey.${await getJwkThumbprint(recoveryKey)}`;
+  public async encrypt(memberKey: MemberKey, recoveryKey: RecoveryKey): Promise<string> {
+    const recoveryKeyID = `org.cryptomator.hub.recoverykey.${await getJwkThumbprint(recoveryKey.publicKey)}`;
     const protectedHeader: JWEHeader = {
       jku: 'jku.jwks' // URL relative to /api/vaults/{vaultid}/
     };
-    const jwe = await JWE.build(this.payload(), protectedHeader).encrypt(Recipient.a256kw('org.cryptomator.hub.memberkey', memberKey), Recipient.ecdhEs(recoveryKeyID, recoveryKey)); // TODO
+    const jwe = await JWE.build(this.payload(), protectedHeader).encrypt(Recipient.a256kw('org.cryptomator.hub.memberkey', memberKey.key), Recipient.ecdhEs(recoveryKeyID, recoveryKey.publicKey));
     const json = jwe.jsonSerialization();
     return JSON.stringify(json);
   }
@@ -116,6 +230,7 @@ export class VaultMetadata {
   }
 
 }
+// #endregion
 
 /**
  * Parses the 4 byte seed id from its base64url-encoded form to a 32 bit integer.
diff --git a/frontend/src/common/vaultv8.ts b/frontend/src/common/vaultv8.ts
index 6f0d1ef0f..bf18a5994 100644
--- a/frontend/src/common/vaultv8.ts
+++ b/frontend/src/common/vaultv8.ts
@@ -59,7 +59,7 @@ export class VaultKeys {
 
 
   /**
-   * Decrypts the vault's masterkey (vault8 and uvf) using the user's private key
+   * Decrypts the vault's masterkey using the user's private key
    * @param jwe JWE containing the vault key
    * @param userPrivateKey The user's private key
    * @returns The masterkey
@@ -67,7 +67,7 @@ export class VaultKeys {
   public static async decryptWithUserKey(jwe: string, userPrivateKey: CryptoKey): Promise<VaultKeys> {
     let rawKey = new Uint8Array();
     try {
-      const payload: JWEPayload = await JWE.parseCompact(jwe).decrypt(Recipient.ecdhEs('org.cryptomator.hub.userKey', userPrivateKey));
+      const payload: JWEPayload = await JWE.parseCompact(jwe).decrypt(Recipient.ecdhEs('org.cryptomator.hub.userkey', userPrivateKey));
       rawKey = base64.parse(payload.key);
       const masterKey = crypto.subtle.importKey('raw', rawKey, VaultKeys.MASTERKEY_KEY_DESIGNATION, true, ['sign']);
       return new VaultKeys(await masterKey);
@@ -219,7 +219,7 @@ export class VaultKeys {
       const payload: JWEPayload = {
         key: base64.stringify(rawkey),
       };
-      const jwe = await JWE.build(payload).encrypt(Recipient.ecdhEs('org.cryptomator.hub.userKey', publicKey));
+      const jwe = await JWE.build(payload).encrypt(Recipient.ecdhEs('org.cryptomator.hub.userkey', publicKey));
       return jwe.compactSerialization();
     } finally {
       rawkey.fill(0x00);
diff --git a/frontend/src/components/CreateVault.vue b/frontend/src/components/CreateVault.vue
index b62582a6b..8389b432a 100644
--- a/frontend/src/components/CreateVault.vue
+++ b/frontend/src/components/CreateVault.vue
@@ -22,7 +22,7 @@
           </div>
           <div class="mt-5 sm:mt-6">
             <label for="recoveryKey" class="sr-only">{{ t('createVault.enterRecoveryKey.recoveryKey') }}</label>
-            <textarea id="recoveryKey" v-model="recoveryKey" rows="6" name="recoveryKey" class="block w-full rounded-md border-gray-300 shadow-sm focus:border-primary focus:ring-primary sm:text-sm" :class="{ 'invalid:border-red-300 invalid:text-red-900 focus:invalid:ring-red-500 focus:invalid:border-red-500': onRecoverError instanceof FormValidationFailedError }" required />
+            <textarea id="recoveryKey" v-model="recoveryKeyStr" rows="6" name="recoveryKey" class="block w-full rounded-md border-gray-300 shadow-sm focus:border-primary focus:ring-primary sm:text-sm" :class="{ 'invalid:border-red-300 invalid:text-red-900 focus:invalid:ring-red-500 focus:invalid:border-red-500': onRecoverError instanceof FormValidationFailedError }" required />
           </div>
           <div class="mt-5 sm:mt-6">
             <button type="submit" :disabled="processing" class="inline-flex w-full justify-center rounded-md border border-transparent bg-primary px-4 py-2 text-base font-medium text-white shadow-sm hover:bg-primary-d1 focus:outline-none focus:ring-2 focus:primary focus:ring-offset-2 sm:text-sm disabled:opacity-50 disabled:hover:bg-primary disabled:cursor-not-allowed">
@@ -101,7 +101,7 @@
             <div class="relative mt-5 sm:mt-6">
               <div class="overflow-hidden rounded-lg border border-gray-300 shadow-sm focus-within:border-primary focus-within:ring-1 focus-within:ring-primary">
                 <label for="recoveryKey" class="sr-only">{{ t('createVault.showRecoveryKey.recoveryKey') }}</label>
-                <textarea id="recoveryKey" v-model="recoveryKey" rows="6" name="recoveryKey" class="block w-full resize-none border-0 py-3 focus:ring-0 sm:text-sm" readonly />
+                <textarea id="recoveryKey" v-model="recoveryKeyStr" rows="6" name="recoveryKey" class="block w-full resize-none border-0 py-3 focus:ring-0 sm:text-sm" readonly />
 
                 <!-- Spacer element to match the height of the toolbar -->
                 <div class="py-2" aria-hidden="true">
@@ -187,6 +187,7 @@ import { onMounted, ref } from 'vue';
 import { useI18n } from 'vue-i18n';
 import backend, { PaymentRequiredError } from '../common/backend';
 import { debounce } from '../common/util';
+import { MemberKey, RecoveryKey, VaultMetadata } from '../common/uvf';
 import { VaultConfig } from '../common/vaultconfig';
 import { VaultKeys } from '../common/vaultv8';
 
@@ -198,6 +199,13 @@ enum State {
   Finished
 }
 
+enum VaultType {
+  VaultFormat8,
+  UniversalVaultFormat
+}
+
+const vaultType: VaultType = VaultType.UniversalVaultFormat;
+
 class FormValidationFailedError extends Error {
   constructor() {
     super('The form is invalid.');
@@ -225,8 +233,10 @@ const vaultDescription = ref<string | undefined>();
 const copiedRecoveryKey = ref(false);
 const debouncedCopyFinish = debounce(() => copiedRecoveryKey.value = false, 2000);
 const confirmRecoveryKey = ref(false);
-const vaultKeys = ref<VaultKeys>();
-const recoveryKey = ref<string>('');
+const format8VaultKeys = ref<VaultKeys>();
+const recoveryKeyStr = ref<string>('');
+const uvfMetadata = ref<VaultMetadata>();
+const uvfRecoveryKey = ref<RecoveryKey>();
 const vaultConfig = ref<VaultConfig>();
 
 const props = defineProps<{
@@ -239,8 +249,17 @@ async function initialize() {
   if (props.recover) {
     state.value = State.EnterRecoveryKey;
   } else {
-    vaultKeys.value = await VaultKeys.create();
-    recoveryKey.value = await vaultKeys.value.createRecoveryKey();
+    switch(vaultType) {
+      case VaultType.VaultFormat8:
+        format8VaultKeys.value = await VaultKeys.create();
+        recoveryKeyStr.value = await format8VaultKeys.value.createRecoveryKey();
+        break;
+      case VaultType.UniversalVaultFormat:
+        uvfMetadata.value = await VaultMetadata.create({enabled: false, maxWotDepth: 0});
+        uvfRecoveryKey.value = await RecoveryKey.create();
+        recoveryKeyStr.value = uvfRecoveryKey.value.serialize();
+        break;
+    }
     state.value = State.EnterVaultDetails;
   }
 }
@@ -258,7 +277,7 @@ async function recoverVault() {
   onRecoverError.value = null;
   try {
     processing.value = true;
-    vaultKeys.value = await VaultKeys.recover(recoveryKey.value);
+    format8VaultKeys.value = await VaultKeys.recover(recoveryKeyStr.value);
     state.value = State.EnterVaultDetails;
   } catch (error) {
     console.error('Recovering vault failed.', error);
@@ -284,27 +303,35 @@ async function validateVaultDetails() {
 async function createVault() {
   onCreateError.value = null;
   try {
-    if (!vaultKeys.value) {
-      throw new Error('Invalid state');
-    }
     processing.value = true;
     const owner = await backend.users.me();
     if (!owner.publicKey) {
       throw new Error('Invalid state');
     }
     const vaultId = crypto.randomUUID();
-    /*
-    FIXME create UVF vault
-    const vaultMetadata: VaultMetadata = await VaultMetadata.create({
-       enabled: true,
-       maxWotDepth: -1
-    });
-    const vaultMetadataEncrypted = await vaultMetadata.encryptWithMasterKey(vaultKeys.value.uvfMasterKey);
-    */
-    vaultConfig.value = await VaultConfig.create(vaultId, vaultKeys.value);
-    const ownerJwe = await vaultKeys.value.encryptForUser(base64.parse(owner.publicKey));
-    await backend.vaults.createOrUpdateVault(vaultId, vaultName.value, false, '', vaultDescription.value);
-    await backend.vaults.grantAccess(vaultId, { userId: owner.id, token: ownerJwe });
+    switch(vaultType) {
+      case VaultType.VaultFormat8: {
+        if (!format8VaultKeys.value) {
+          throw new Error('Invalid state');
+        }
+        vaultConfig.value = await VaultConfig.create(vaultId, format8VaultKeys.value);
+        const ownerJwe = await format8VaultKeys.value.encryptForUser(base64.parse(owner.publicKey));
+        await backend.vaults.createOrUpdateVault(vaultId, vaultName.value, false, '', vaultDescription.value);
+        await backend.vaults.grantAccess(vaultId, { userId: owner.id, token: ownerJwe });
+        break;
+      }
+      case VaultType.UniversalVaultFormat: {
+        if (!uvfMetadata.value || !uvfRecoveryKey.value) {
+          throw new Error('Invalid state');
+        }
+        const memberKey = await MemberKey.create();
+        const ownerJwe = await memberKey.encryptForUser(base64.parse(owner.publicKey));
+        const vaultUvfContents = await uvfMetadata.value.encrypt(memberKey, uvfRecoveryKey.value);
+        await backend.vaults.createOrUpdateVault(vaultId, vaultName.value, false, vaultUvfContents, vaultDescription.value);
+        await backend.vaults.grantAccess(vaultId, { userId: owner.id, token: ownerJwe });
+        break;
+      }
+    }
     state.value = State.Finished;
   } catch (error) {
     console.error('Creating vault failed.', error);
@@ -315,7 +342,7 @@ async function createVault() {
 }
 
 async function copyRecoveryKey() {
-  await navigator.clipboard.writeText(recoveryKey.value);
+  await navigator.clipboard.writeText(recoveryKeyStr.value);
   copiedRecoveryKey.value = true;
   debouncedCopyFinish();
 }
diff --git a/frontend/src/components/InitialSetup.vue b/frontend/src/components/InitialSetup.vue
index e0ce92a7a..8878a8c27 100644
--- a/frontend/src/components/InitialSetup.vue
+++ b/frontend/src/components/InitialSetup.vue
@@ -266,7 +266,7 @@ async function createUserKey() {
     const userKeys = await UserKeys.create();
     me.value.publicKey = await userKeys.encodedPublicKey();
     me.value.privateKey = await userKeys.encryptedPrivateKey(setupCode.value);
-    me.value.setupCode = (await JWE.build({ setupCode: setupCode.value }).encrypt(Recipient.ecdhEs('org.cryptomator.hub.userKey', userKeys.keyPair.publicKey))).compactSerialization();
+    me.value.setupCode = (await JWE.build({ setupCode: setupCode.value }).encrypt(Recipient.ecdhEs('org.cryptomator.hub.userkey', userKeys.keyPair.publicKey))).compactSerialization();
     const browserKeys = await createBrowserKeys(me.value.id);
     await submitBrowserKeys(browserKeys, me.value, userKeys);
 
diff --git a/frontend/src/components/ManageSetupCode.vue b/frontend/src/components/ManageSetupCode.vue
index 20591190f..e5782090b 100644
--- a/frontend/src/components/ManageSetupCode.vue
+++ b/frontend/src/components/ManageSetupCode.vue
@@ -84,7 +84,7 @@ async function fetchData() {
       throw new Error('Device not initialized.');
     }
     const userKeys = await UserKeys.decryptOnBrowser(myDevice.userPrivateKey, browserKeys.keyPair.privateKey, base64.parse(me.publicKey));
-    const payload : { setupCode: string } = await JWE.parseCompact(me.setupCode).decrypt(Recipient.ecdhEs('org.cryptomator.hub.userKey', userKeys.keyPair.privateKey));
+    const payload : { setupCode: string } = await JWE.parseCompact(me.setupCode).decrypt(Recipient.ecdhEs('org.cryptomator.hub.userkey', userKeys.keyPair.privateKey));
     setupCode.value = payload.setupCode;
   } catch (error) {
     console.error('Retrieving setup code failed.', error);
diff --git a/frontend/src/components/RegenerateSetupCodeDialog.vue b/frontend/src/components/RegenerateSetupCodeDialog.vue
index 715584165..6a347cc6c 100644
--- a/frontend/src/components/RegenerateSetupCodeDialog.vue
+++ b/frontend/src/components/RegenerateSetupCodeDialog.vue
@@ -167,7 +167,7 @@ async function regenerateSetupCode() {
     const newCode = crypto.randomUUID();
     const userKeys = await UserKeys.decryptOnBrowser(myDevice.userPrivateKey, browserKeys.keyPair.privateKey, base64.parse(me.publicKey));
     me.privateKey = await userKeys.encryptedPrivateKey(newCode);
-    me.setupCode = (await JWE.build({ setupCode: newCode }).encrypt(Recipient.ecdhEs('org.cryptomator.hub.userKey', userKeys.keyPair.publicKey))).compactSerialization();
+    me.setupCode = (await JWE.build({ setupCode: newCode }).encrypt(Recipient.ecdhEs('org.cryptomator.hub.userkey', userKeys.keyPair.publicKey))).compactSerialization();
     await backend.users.putMe(me);
     setupCode.value = newCode;
 
diff --git a/frontend/test/common/uvf.spec.ts b/frontend/test/common/uvf.spec.ts
index 1ec800156..1e0422286 100644
--- a/frontend/test/common/uvf.spec.ts
+++ b/frontend/test/common/uvf.spec.ts
@@ -1,7 +1,7 @@
 import { use as chaiUse, expect } from 'chai';
 import chaiAsPromised from 'chai-as-promised';
 import { before, describe } from 'mocha';
-import { VaultMetadata } from '../../src/common/uvf';
+import { MemberKey, RecoveryKey, VaultMetadata } from '../../src/common/uvf';
 
 chaiUse(chaiAsPromised);
 
@@ -14,19 +14,52 @@ describe('Universal Vault Format', () => {
     global.window = { crypto: global.crypto };
   });
 
+  describe('UVF Member Key', () => {
+
+    // key coordinates from MDN examples:
+    const alicePublic: JsonWebKey = {
+      kty: 'EC',
+      crv: 'P-384',
+      x: 'SzrRXmyI8VWFJg1dPUNbFcc9jZvjZEfH7ulKI1UkXAltd7RGWrcfFxqyGPcwu6AQ',
+      y: 'hHUag3OvDzEr0uUQND4PXHQTXP5IDGdYhJhL-WLKjnGjQAw0rNGy5V29-aV-yseW'
+    };
+    const alicePrivate: JsonWebKey = {
+      ...alicePublic,
+      d: 'wouCtU7Nw4E8_7n5C1-xBjB4xqSb_liZhYMsy8MGgxUny6Q8NCoH9xSiviwLFfK_',
+    };
+
+    let alice: CryptoKeyPair;
+
+    before(async () => {
+      // prepare some test key pairs:
+      let ecdhP384: EcKeyImportParams = { name: 'ECDH', namedCurve: 'P-384' };
+      const alicePrv = crypto.subtle.importKey('jwk', alicePrivate, ecdhP384, true, ['deriveKey']);
+      const alicePub = crypto.subtle.importKey('jwk', alicePublic, ecdhP384, true, []);
+      alice = { privateKey: await alicePrv, publicKey: await alicePub };
+    });
+
+    it('encryptForUser()', async () => {
+      const memberKey = await TestMemberKey.create();
+
+      const encrypted = await memberKey.encryptForUser(alice.publicKey);
+
+      expect(encrypted).to.be.not.null;
+    });
+
+    it('decryptWithUserKey()', async () => {
+      const jwe = 'eyJlbmMiOiJBMjU2R0NNIiwia2lkIjoib3JnLmNyeXB0b21hdG9yLmh1Yi51c2Vya2V5IiwiYWxnIjoiRUNESC1FUytBMjU2S1ciLCJlcGsiOnsia2V5X29wcyI6W10sImV4dCI6dHJ1ZSwia3R5IjoiRUMiLCJ4IjoicFotVXExTjNOVElRcHNpZC11UGZMaW95bVVGVFJLM1dkTXVkLWxDcGh5MjQ4bUlJelpDc3RPRzZLTGloZnBkZyIsInkiOiJzMnl6eF9Ca2QweFhIcENnTlJFOWJiQUIyQkNNTF80cWZwcFEza1N2LXhqcEROVWZZdmlxQS1xRERCYnZkNDdYIiwiY3J2IjoiUC0zODQifSwiYXB1IjoiIiwiYXB2IjoiIn0.I_rXJagNrrCa9zISf0DZJLQbIZDxEpGxCyjFbNE0iZs6yFeVayNOGQ.7rASe4SqyKJJLHZ4.l6T2N_ATytZUyh1IZTIJJDY4dXCyQVsRB19QIIPrAi0QQiS4gl4.fnOtAJhdvPFFHVi6L5Ma_R8iL3IXq1_xAq2PvdEfx0A';
+
+      const decrypted = MemberKey.decryptWithUserKey(jwe, alice.privateKey);
+
+      expect(decrypted).to.be.not.null;
+    });
+  });
+
   describe('UVF Metadata', () => {
     // TODO review @sebi what else should we test?
     it('encrypt() and decryptWithMemberKey()', async () => {
-      const vaultMemberKey = await crypto.subtle.generateKey(
-        { name: 'AES-KW', length: 256 },
-        false,
-        ['wrapKey', 'unwrapKey']
-      );
-      const recoveryKey = await crypto.subtle.generateKey(
-        { name: 'ECDH', namedCurve: 'P-384' },
-        false,
-        ['deriveKey']
-      );
+      const vaultMemberKey = await MemberKey.create();
+      const recoveryKey = await RecoveryKey.create();
 
       const orig = await VaultMetadata.create({ enabled: true, maxWotDepth: -1 });
       expect(orig).to.be.not.null;
@@ -35,7 +68,7 @@ describe('Universal Vault Format', () => {
       expect(orig.initialSeedId).to.eq(orig.latestSeedId)
       expect(orig.kdfSalt.length).to.eq(32)
 
-      const uvfMetadata: string = await orig.encrypt(vaultMemberKey, recoveryKey.publicKey);
+      const uvfMetadata: string = await orig.encrypt(vaultMemberKey, recoveryKey);
       expect(uvfMetadata).to.be.not.null;
 
       const decrypted: VaultMetadata = await VaultMetadata.decryptWithMemberKey(uvfMetadata, vaultMemberKey);
@@ -50,3 +83,21 @@ describe('Universal Vault Format', () => {
     });
   });
 });
+
+
+// #region Mocks
+
+class TestMemberKey extends MemberKey {
+  private constructor(key: CryptoKey) {
+    super(key);
+  }
+
+  static async create() {
+    const raw = new Uint8Array(32);
+    raw.fill(0x55);
+    const key = await crypto.subtle.importKey('raw', raw, MemberKey.KEY_DESIGNATION, true, MemberKey.KEY_USAGE);
+    return new TestMemberKey(key);
+  }
+}
+
+// #endregion

From 32f2743db67cb122389a70b9b5de58d928f5ac3b Mon Sep 17 00:00:00 2001
From: Sebastian Stenzel <sebastian.stenzel@skymatic.de>
Date: Thu, 2 May 2024 13:17:14 +0200
Subject: [PATCH 14/94] store uvf metadata and recovery key in vault table

---
 .../cryptomator/hub/api/VaultResource.java    | 11 +++---
 .../org/cryptomator/hub/entities/Vault.java   | 35 +++++++++++++------
 .../hub/flyway/V15__UVF_Support.sql           |  2 ++
 .../hub/flyway/V15__Vault_Metadata.sql        |  1 -
 .../cryptomator/hub/api/VaultResourceIT.java  | 25 ++++++-------
 .../hub/flyway/V9999__Test_Data.sql           |  8 ++---
 6 files changed, 49 insertions(+), 33 deletions(-)
 create mode 100644 backend/src/main/resources/org/cryptomator/hub/flyway/V15__UVF_Support.sql
 delete mode 100644 backend/src/main/resources/org/cryptomator/hub/flyway/V15__Vault_Metadata.sql

diff --git a/backend/src/main/java/org/cryptomator/hub/api/VaultResource.java b/backend/src/main/java/org/cryptomator/hub/api/VaultResource.java
index afc134bf0..49fbb8836 100644
--- a/backend/src/main/java/org/cryptomator/hub/api/VaultResource.java
+++ b/backend/src/main/java/org/cryptomator/hub/api/VaultResource.java
@@ -418,8 +418,9 @@ public Response createOrUpdate(@PathParam("vaultId") UUID vaultId, @Valid @NotNu
 		// set regardless of whether vault is new or existing:
 		vault.setName(vaultDto.name);
 		vault.setDescription(vaultDto.description);
-		vault.setArchived(existingVault.isEmpty() ? false : vaultDto.archived);
-		vault.setMetadata(vaultDto.metadata);
+		vault.setArchived(existingVault.isPresent() && vaultDto.archived);
+		vault.setUvfMetadataFile(vaultDto.uvfMetadataFile);
+		vault.setUvfRecoveryPubKey(vaultDto.uvfRecoveryPublicKey);
 
 		vaultRepo.persistAndFlush(vault); // trigger PersistenceException before we continue with
 		if (existingVault.isEmpty()) {
@@ -503,12 +504,12 @@ public record VaultDto(@JsonProperty("id") UUID id,
 						   // Legacy properties ("Vault Admin Password"):
 						   @JsonProperty("masterkey") @OnlyBase64Chars String masterkey, @JsonProperty("iterations") Integer iterations,
 						   @JsonProperty("salt") @OnlyBase64Chars String salt,
-						   @JsonProperty("authPublicKey") @OnlyBase64Chars String authPublicKey, @JsonProperty("authPrivateKey") @OnlyBase64Chars String authPrivateKey
-							,@JsonProperty("metadata") @NotNull String metadata
+						   @JsonProperty("authPublicKey") @OnlyBase64Chars String authPublicKey, @JsonProperty("authPrivateKey") @OnlyBase64Chars String authPrivateKey,
+						   @JsonProperty("uvfMetadataFile") String uvfMetadataFile, @JsonProperty("uvfRecoveryPublicKey") @OnlyBase64Chars String uvfRecoveryPublicKey
 	) {
 
 		public static VaultDto fromEntity(Vault entity) {
-			return new VaultDto(entity.getId(), entity.getName(), entity.getDescription(), entity.isArchived(), entity.getCreationTime().truncatedTo(ChronoUnit.MILLIS), entity.getMasterkey(), entity.getIterations(), entity.getSalt(), entity.getAuthenticationPublicKey(), entity.getAuthenticationPrivateKey(), entity.getMetadata());
+			return new VaultDto(entity.getId(), entity.getName(), entity.getDescription(), entity.isArchived(), entity.getCreationTime().truncatedTo(ChronoUnit.MILLIS), entity.getMasterkey(), entity.getIterations(), entity.getSalt(), entity.getAuthenticationPublicKey(), entity.getAuthenticationPrivateKey(), entity.getUvfMetadataFile(), entity.getAuthenticationPublicKey());
 		}
 
 	}
diff --git a/backend/src/main/java/org/cryptomator/hub/entities/Vault.java b/backend/src/main/java/org/cryptomator/hub/entities/Vault.java
index b04b385b7..114b2be70 100644
--- a/backend/src/main/java/org/cryptomator/hub/entities/Vault.java
+++ b/backend/src/main/java/org/cryptomator/hub/entities/Vault.java
@@ -105,8 +105,11 @@ public class Vault {
 	@Column(name = "archived", nullable = false)
 	private boolean archived;
 
-	@Column(name = "metadata", nullable = false)
-	private String metadata;
+	@Column(name = "uvf_metadata_file")
+	private String uvfMetadataFile;
+
+	@Column(name = "uvf_recovery_pubkey")
+	private String uvfRecoveryPubKey;
 
 	public Optional<ECPublicKey> getAuthenticationPublicKeyOptional() {
 		if (authenticationPublicKey == null) {
@@ -233,12 +236,20 @@ public void setArchived(boolean archived) {
 		this.archived = archived;
 	}
 
-	public String getMetadata() {
-		return metadata;
+	public String getUvfMetadataFile() {
+		return uvfMetadataFile;
+	}
+
+	public void setUvfMetadataFile(String uvfMetadataFile) {
+		this.uvfMetadataFile = uvfMetadataFile;
 	}
 
-	public void setMetadata(String metadata) {
-		this.metadata = metadata;
+	public String getUvfRecoveryPubKey() {
+		return uvfRecoveryPubKey;
+	}
+
+	public void setUvfRecoveryPubKey(String uvfRecoveryPubKey) {
+		this.uvfRecoveryPubKey = uvfRecoveryPubKey;
 	}
 
 	@Override
@@ -251,12 +262,14 @@ public boolean equals(Object o) {
 				&& Objects.equals(salt, vault.salt)
 				&& Objects.equals(iterations, vault.iterations)
 				&& Objects.equals(masterkey, vault.masterkey)
-				&& Objects.equals(archived, vault.archived);
+				&& Objects.equals(archived, vault.archived)
+				&& Objects.equals(uvfMetadataFile, vault.uvfMetadataFile)
+				&& Objects.equals(uvfRecoveryPubKey, vault.uvfRecoveryPubKey);
 	}
 
 	@Override
 	public int hashCode() {
-		return Objects.hash(id, name, salt, iterations, masterkey, archived);
+		return Objects.hash(id, name, salt, iterations, masterkey, archived, uvfMetadataFile, uvfRecoveryPubKey);
 	}
 
 	@Override
@@ -266,12 +279,12 @@ public String toString() {
 				", members=" + directMembers.stream().map(Authority::getId).collect(Collectors.joining(", ")) +
 				", accessToken=" + accessTokens.stream().map(a -> a.getId().toString()).collect(Collectors.joining(", ")) +
 				", name='" + name + '\'' +
-				", archived='" + archived + '\'' +
 				", salt='" + salt + '\'' +
 				", iterations='" + iterations + '\'' +
 				", masterkey='" + masterkey + '\'' +
-				", authenticationPublicKey='" + authenticationPublicKey + '\'' +
-				", authenticationPrivateKey='" + authenticationPrivateKey + '\'' +
+				", archived='" + archived + '\'' +
+				", uvfMetadataFile='" + uvfMetadataFile + '\'' +
+				", uvfRecoveryPubKey='" + uvfRecoveryPubKey + '\'' +
 				'}';
 	}
 
diff --git a/backend/src/main/resources/org/cryptomator/hub/flyway/V15__UVF_Support.sql b/backend/src/main/resources/org/cryptomator/hub/flyway/V15__UVF_Support.sql
new file mode 100644
index 000000000..b03d6c50c
--- /dev/null
+++ b/backend/src/main/resources/org/cryptomator/hub/flyway/V15__UVF_Support.sql
@@ -0,0 +1,2 @@
+ALTER TABLE vault ADD uvf_metadata_file VARCHAR UNIQUE; -- vault.uvf file, encrypted as JWE
+ALTER TABLE vault ADD uvf_recovery_pubkey VARCHAR UNIQUE;
\ No newline at end of file
diff --git a/backend/src/main/resources/org/cryptomator/hub/flyway/V15__Vault_Metadata.sql b/backend/src/main/resources/org/cryptomator/hub/flyway/V15__Vault_Metadata.sql
deleted file mode 100644
index 96cdc6b4f..000000000
--- a/backend/src/main/resources/org/cryptomator/hub/flyway/V15__Vault_Metadata.sql
+++ /dev/null
@@ -1 +0,0 @@
-ALTER TABLE vault ADD metadata VARCHAR UNIQUE; -- encrypted using uvf vault masterkey A256KW
diff --git a/backend/src/test/java/org/cryptomator/hub/api/VaultResourceIT.java b/backend/src/test/java/org/cryptomator/hub/api/VaultResourceIT.java
index 306c4bfa7..8e21e55b6 100644
--- a/backend/src/test/java/org/cryptomator/hub/api/VaultResourceIT.java
+++ b/backend/src/test/java/org/cryptomator/hub/api/VaultResourceIT.java
@@ -90,12 +90,13 @@ public class TestVaultDtoValidation {
 		private static final String VALID_SALT = "base64";
 		private static final String VALID_AUTH_PUB = "base64";
 		private static final String VALID_AUTH_PRI = "base64";
-		private static final String VALID_METADATA = "base64";
+		private static final String VALID_UVF_METADATA_FILE = "{json}";
+		private static final String VALID_UVF_RECOVERY_KEY = "base64";
 
 		@Test
 		public void testValidDto() {
-			var dto = new VaultResource.VaultDto(VALID_ID, VALID_NAME, "foobarbaz", false, Instant.parse("2020-02-20T20:20:20Z"), VALID_MASTERKEY, 8, VALID_SALT, VALID_AUTH_PUB
-					, VALID_AUTH_PRI, VALID_METADATA
+			var dto = new VaultResource.VaultDto(VALID_ID, VALID_NAME, "foobarbaz", false, Instant.parse("2020-02-20T20:20:20Z"), VALID_MASTERKEY, 8, VALID_SALT, VALID_AUTH_PUB, VALID_AUTH_PRI,
+					VALID_UVF_METADATA_FILE, VALID_UVF_RECOVERY_KEY
 			);
 			var violations = validator.validate(dto);
 			MatcherAssert.assertThat(violations, Matchers.empty());
@@ -174,7 +175,7 @@ public void testUnlockArchived2() {
 
 		@Test
 		@DisplayName("GET /vaults/7E57C0DE-0000-4000-8000-00010000AAAA/access-token returns 200 for archived vaults with evenIfArchived set to true")
-		public void testUnlockArchived3() throws SQLException {
+		public void testUnlockArchived3() {
 			when().get("/vaults/{vaultId}/access-token?evenIfArchived=true", "7E57C0DE-0000-4000-8000-00010000AAAA")
 					.then().statusCode(200);
 		}
@@ -260,7 +261,7 @@ public class CreateVaults {
 		@DisplayName("PUT /vaults/7E57C0DE-0000-4000-8000-000100003333 returns 201")
 		public void testCreateVault1() {
 			var uuid = UUID.fromString("7E57C0DE-0000-4000-8000-000100003333");
-			var vaultDto = new VaultResource.VaultDto(uuid, "My Vault", "Test vault 3", false, Instant.parse("2112-12-21T21:12:21Z"), "masterkey3", 42, "NaCl", "authPubKey3", "authPrvKey3", "metadata1");
+			var vaultDto = new VaultResource.VaultDto(uuid, "My Vault", "Test vault 3", false, Instant.parse("2112-12-21T21:12:21Z"), "masterkey3", 42, "NaCl", "authPubKey3", "authPrvKey3", "metadata3", "recovery3");
 
 			given().contentType(ContentType.JSON).body(vaultDto)
 					.when().put("/vaults/{vaultId}", "7E57C0DE-0000-4000-8000-000100003333")
@@ -285,7 +286,7 @@ public void testCreateVault2() {
 		@DisplayName("PUT /vaults/7E57C0DE-0000-4000-8000-000100004444 returns 201 ignoring archived flag")
 		public void testCreateVault3() {
 			var uuid = UUID.fromString("7E57C0DE-0000-4000-8000-000100004444");
-			var vaultDto = new VaultResource.VaultDto(uuid, "My Vault", "Test vault 4", true, Instant.parse("2112-12-21T21:12:21Z"), "masterkey4", 42, "NaCl", "authPubKey4", "authPrvKey4", "metadata3");
+			var vaultDto = new VaultResource.VaultDto(uuid, "My Vault", "Test vault 4", true, Instant.parse("2112-12-21T21:12:21Z"), "masterkey4", 42, "NaCl", "authPubKey4", "authPrvKey4", "metadata4", "recovery4");
 
 			given().contentType(ContentType.JSON).body(vaultDto)
 					.when().put("/vaults/{vaultId}", "7E57C0DE-0000-4000-8000-000100004444")
@@ -301,7 +302,7 @@ public void testCreateVault3() {
 		@DisplayName("PUT /vaults/7E57C0DE-0000-4000-8000-000100003333 returns 200, updating only name, description and archive flag")
 		public void testUpdateVault() {
 			var uuid = UUID.fromString("7E57C0DE-0000-4000-8000-000100003333");
-			var vaultDto = new VaultResource.VaultDto(uuid, "VaultUpdated", "Vault updated.", true, Instant.parse("2222-11-11T11:11:11Z"), "doNotUpdate", 27, "doNotUpdate", "doNotUpdate", "doNotUpdate", "metadata4");
+			var vaultDto = new VaultResource.VaultDto(uuid, "VaultUpdated", "Vault updated.", true, Instant.parse("2222-11-11T11:11:11Z"), "doNotUpdate", 27, "doNotUpdate", "doNotUpdate", "doNotUpdate", "doNotUpdate", "doNotUpdate");
 			given().contentType(ContentType.JSON)
 					.body(vaultDto)
 					.when().put("/vaults/{vaultId}", "7E57C0DE-0000-4000-8000-000100003333")
@@ -670,11 +671,11 @@ public void setup() throws SQLException {
 							('user94', 'USER', 'user name 94'),
 							('user95_A', 'USER', 'user name Archived'),
 							('group91', 'GROUP', 'group name 91');
-							
+						
 						INSERT INTO "group_details" ("id")
 						VALUES
 							('group91');
-							
+						
 						INSERT INTO "user_details" ("id")
 						VALUES
 							('user91'),
@@ -752,7 +753,7 @@ public void testUpdateVaultDespiteLicenseExceeded() {
 			Assumptions.assumeTrue(effectiveVaultAccessRepo.countSeatOccupyingUsers() == 5);
 			var vaultId = "7E57C0DE-0000-4000-8000-000100001111";
 
-			var vaultDto = new VaultResource.VaultDto(UUID.fromString(vaultId), "Vault 1", "This is a testvault.", false, Instant.parse("2222-11-11T11:11:11Z"), "someVaule", -1, "doNotUpdate", "doNotUpdate", "doNotUpdate", "doNotUpdate");
+			var vaultDto = new VaultResource.VaultDto(UUID.fromString(vaultId), "Vault 1", "This is a testvault.", false, Instant.parse("2222-11-11T11:11:11Z"), "someVaule", -1, "doNotUpdate", "doNotUpdate", "doNotUpdate", "doNotUpdate", "doNotUpdate");
 			given().contentType(ContentType.JSON)
 					.body(vaultDto)
 					.when().put("/vaults/{vaultId}", vaultId)
@@ -778,7 +779,7 @@ public void testCreateVaultExceedingSeats() throws SQLException {
 			Assumptions.assumeTrue(effectiveVaultAccessRepo.countSeatOccupyingUsers() > 5);
 
 			var uuid = UUID.fromString("7E57C0DE-0000-4000-8000-0001FFFF3333");
-			var vaultDto = new VaultResource.VaultDto(uuid, "My Vault", "Test vault 4", false, Instant.parse("2112-12-21T21:12:21Z"), "masterkey3", 42, "NaCl", "authPubKey3", "authPrvKey3", "metadata5");
+			var vaultDto = new VaultResource.VaultDto(uuid, "My Vault", "Test vault 4", false, Instant.parse("2112-12-21T21:12:21Z"), "masterkey4", 42, "NaCl", "authPubKey4", "authPrvKey4", "metadata4", "recovery4");
 			given().contentType(ContentType.JSON).body(vaultDto)
 					.when().put("/vaults/{vaultId}", "7E57C0DE-0000-4000-8000-0001FFFF3333")
 					.then().statusCode(402);
@@ -861,7 +862,7 @@ public void setup() throws GeneralSecurityException {
 						v.setName("ownership-test-vault");
 						v.setCreationTime(Instant.now());
 						v.setAuthenticationPublicKey(Base64.getEncoder().encodeToString(keyPair.getPublic().getEncoded()));
-						v.setMetadata("metadata");
+						v.setUvfMetadataFile("metadata");
 						vaultRepo.persist(v);
 						return 0;
 					});
diff --git a/backend/src/test/resources/org/cryptomator/hub/flyway/V9999__Test_Data.sql b/backend/src/test/resources/org/cryptomator/hub/flyway/V9999__Test_Data.sql
index b42ebdcd7..b0c856c93 100644
--- a/backend/src/test/resources/org/cryptomator/hub/flyway/V9999__Test_Data.sql
+++ b/backend/src/test/resources/org/cryptomator/hub/flyway/V9999__Test_Data.sql
@@ -29,22 +29,22 @@ VALUES
 	('group1', 'user1'),
 	('group2', 'user2');
 
-INSERT INTO "vault" ("id", "name", "description", "creation_time", "salt", "iterations", "masterkey", "auth_pubkey", "auth_prvkey", "archived" , "metadata" )
+INSERT INTO "vault" ("id", "name", "description", "creation_time", "salt", "iterations", "masterkey", "auth_pubkey", "auth_prvkey", "archived")
 VALUES
 	('7E57C0DE-0000-4000-8000-000100001111', 'Vault 1', 'This is a testvault.', '2020-02-20 20:20:20', 'salt1', 42, 'masterkey1',
 	 'MHYwEAYHKoZIzj0CAQYFK4EEACIDYgAElS+JW3VaBvVr9GKZGn1399WDTd61Q9fwQMmZuBGAYPdl/rWk705QY6WhlmbokmEVva/mEHSoNQ98wFm9FBCqzh45IGd/DGwZ04Xhi5ah+1bKbkVhtds8nZtHRdSJokYp',
 	 'MIG2AgEAMBAGByqGSM49AgEGBSuBBAAiBIGeMIGbAgEBBDAa57e0Q/KAqmIVOVcWX7b+Sm5YVNRUx8W7nc4wk1IBj2QJmsj+MeShQRHG4ozTE9KhZANiAASVL4lbdVoG9Wv0YpkafXf31YNN3rVD1/BAyZm4EYBg92X+taTvTlBjpaGWZuiSYRW9r+YQdKg1D3zAWb0UEKrOHjkgZ38MbBnTheGLlqH7VspuRWG12zydm0dF1ImiRik=',
-	 FALSE, 'm1'
+	 FALSE
 	 ),
 	('7E57C0DE-0000-4000-8000-000100002222', 'Vault 2', 'This is a testvault.', '2020-02-20 20:20:20', 'salt2', 42, 'masterkey2',
 	 'MHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEC1uWSXj2czCDwMTLWV5BFmwxdM6PX9p+Pk9Yf9rIf374m5XP1U8q79dBhLSIuaojsvOT39UUcPJROSD1FqYLued0rXiooIii1D3jaW6pmGVJFhodzC31cy5sfOYotrzF',
 	 'MIG2AgEAMBAGByqGSM49AgEGBSuBBAAiBIGeMIGbAgEBBDCAHpFQ62QnGCEvYh/pE9QmR1C9aLcDItRbslbmhen/h1tt8AyMhskeenT+rAyyPhGhZANiAAQLW5ZJePZzMIPAxMtZXkEWbDF0zo9f2n4+T1h/2sh/fviblc/VTyrv10GEtIi5qiOy85Pf1RRw8lE5IPUWpgu553SteKigiKLUPeNpbqmYZUkWGh3MLfVzLmx85ii2vMU=',
-	 FALSE, 'm2'
+	 FALSE
 	 ),
 	('7E57C0DE-0000-4000-8000-00010000AAAA', 'Vault Archived', 'This is a archived vault.', '2020-02-20 20:20:20', 'salt3', 42, 'masterkey3',
 	 'MHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEC1uWSXj2czCDwMTLWV5BFmwxdM6PX9p+Pk9Yf9rIf374m5XP1U8q79dBhLSIuaojsvOT39UUcPJROSD1FqYLued0rXiooIii1D3jaW6pmGVJFhodzC31cy5sfOYotrzF',
 	 'MIG2AgEAMBAGByqGSM49AgEGBSuBBAAiBIGeMIGbAgEBBDCAHpFQ62QnGCEvYh/pE9QmR1C9aLcDItRbslbmhen/h1tt8AyMhskeenT+rAyyPhGhZANiAAQLW5ZJePZzMIPAxMtZXkEWbDF0zo9f2n4+T1h/2sh/fviblc/VTyrv10GEtIi5qiOy85Pf1RRw8lE5IPUWpgu553SteKigiKLUPeNpbqmYZUkWGh3MLfVzLmx85ii2vMU=',
-	 TRUE, 'm3'
+	 TRUE
 	 );
 
 INSERT INTO "vault_access" ("vault_id", "authority_id", "role")

From a63ef34666e9c6f9125147859889d41b26d07c36 Mon Sep 17 00:00:00 2001
From: Sebastian Stenzel <sebastian.stenzel@skymatic.de>
Date: Thu, 2 May 2024 14:24:43 +0200
Subject: [PATCH 15/94] adjusted to DTO model

---
 frontend/src/common/backend.ts                |   8 +-
 frontend/src/common/uvf.ts                    |  11 +-
 .../src/components/ArchiveVaultDialog.vue     |   7 +-
 frontend/src/components/CreateVault.vue       | 108 ++++++++++++------
 .../components/EditVaultMetadataDialog.vue    |   5 +-
 .../src/components/ReactivateVaultDialog.vue  |   7 +-
 6 files changed, 96 insertions(+), 50 deletions(-)

diff --git a/frontend/src/common/backend.ts b/frontend/src/common/backend.ts
index 8769934d8..29e0b938a 100644
--- a/frontend/src/common/backend.ts
+++ b/frontend/src/common/backend.ts
@@ -46,7 +46,8 @@ export type VaultDto = {
   salt?: string;
   authPublicKey?: string;
   authPrivateKey?: string;
-  metadata: string;
+  uvfMetadataFile?: string;
+  uvfRecoveryPublicKey?: string;
 };
 
 export type DeviceDto = {
@@ -268,9 +269,8 @@ class VaultService {
       .catch(err => rethrowAndConvertIfExpected(err, 403));
   }
 
-  public async createOrUpdateVault(vaultId: string, name: string, archived: boolean, metadata: string, description?: string): Promise<VaultDto> {
-    const body: VaultDto = { id: vaultId, name: name, description: description, archived: archived, creationTime: new Date(), metadata: metadata };
-    return axiosAuth.put(`/vaults/${vaultId}`, body)
+  public async createOrUpdateVault(vault: VaultDto): Promise<VaultDto> {
+    return axiosAuth.put(`/vaults/${vault.id}`, vault)
       .then(response => response.data)
       .catch((error) => rethrowAndConvertIfExpected(error, 402, 404));
   }
diff --git a/frontend/src/common/uvf.ts b/frontend/src/common/uvf.ts
index ea5c0f4f1..5d7c48bf0 100644
--- a/frontend/src/common/uvf.ts
+++ b/frontend/src/common/uvf.ts
@@ -129,10 +129,19 @@ export class RecoveryKey {
    * Encodes the private key
    * @returns private key in a human-readable encoding
    */
-  public serialize(): string {
+  public serializePrivateKey(): string {
     return 'TODO'; // TODO
   }
 
+  /**
+   * Encodes the public key
+   * @returns public key in base64-encoded DER format
+   */
+  public async serializePublicKey(): Promise<string> {
+    const bytes = await crypto.subtle.exportKey('spki', this.publicKey);
+    return base64.stringify(new Uint8Array(bytes), { pad: true });
+  }
+
 }
 // #endregion
 
diff --git a/frontend/src/components/ArchiveVaultDialog.vue b/frontend/src/components/ArchiveVaultDialog.vue
index 880d82c9c..44bc11350 100644
--- a/frontend/src/components/ArchiveVaultDialog.vue
+++ b/frontend/src/components/ArchiveVaultDialog.vue
@@ -79,10 +79,11 @@ function show() {
 
 async function archiveVault() {
   onArchiveVaultError.value = null;
-  const v = props.vault;
+  const dto = { ...props.vault };
+  dto.archived = true;
   try {
-    const vaultDto = await backend.vaults.createOrUpdateVault(v.id, v.name, true, v.metadata, v.description);
-    emit('archived', vaultDto);
+    const updatedVault = await backend.vaults.createOrUpdateVault(dto);
+    emit('archived', updatedVault);
     open.value = false;
   } catch (error) {
     console.error('Archiving vault failed.', error);
diff --git a/frontend/src/components/CreateVault.vue b/frontend/src/components/CreateVault.vue
index 8389b432a..e0d710498 100644
--- a/frontend/src/components/CreateVault.vue
+++ b/frontend/src/components/CreateVault.vue
@@ -22,14 +22,19 @@
           </div>
           <div class="mt-5 sm:mt-6">
             <label for="recoveryKey" class="sr-only">{{ t('createVault.enterRecoveryKey.recoveryKey') }}</label>
-            <textarea id="recoveryKey" v-model="recoveryKeyStr" rows="6" name="recoveryKey" class="block w-full rounded-md border-gray-300 shadow-sm focus:border-primary focus:ring-primary sm:text-sm" :class="{ 'invalid:border-red-300 invalid:text-red-900 focus:invalid:ring-red-500 focus:invalid:border-red-500': onRecoverError instanceof FormValidationFailedError }" required />
+            <textarea id="recoveryKey" v-model="recoveryKeyStr" rows="6" name="recoveryKey"
+              class="block w-full rounded-md border-gray-300 shadow-sm focus:border-primary focus:ring-primary sm:text-sm"
+              :class="{ 'invalid:border-red-300 invalid:text-red-900 focus:invalid:ring-red-500 focus:invalid:border-red-500': onRecoverError instanceof FormValidationFailedError }"
+              required />
           </div>
           <div class="mt-5 sm:mt-6">
-            <button type="submit" :disabled="processing" class="inline-flex w-full justify-center rounded-md border border-transparent bg-primary px-4 py-2 text-base font-medium text-white shadow-sm hover:bg-primary-d1 focus:outline-none focus:ring-2 focus:primary focus:ring-offset-2 sm:text-sm disabled:opacity-50 disabled:hover:bg-primary disabled:cursor-not-allowed">
+            <button type="submit" :disabled="processing"
+              class="inline-flex w-full justify-center rounded-md border border-transparent bg-primary px-4 py-2 text-base font-medium text-white shadow-sm hover:bg-primary-d1 focus:outline-none focus:ring-2 focus:primary focus:ring-offset-2 sm:text-sm disabled:opacity-50 disabled:hover:bg-primary disabled:cursor-not-allowed">
               {{ t('createVault.enterRecoveryKey.submit') }}
             </button>
             <div v-if="onRecoverError != null">
-              <p v-if="onRecoverError instanceof FormValidationFailedError" class="text-sm text-red-900 mt-2">{{ t('createVault.error.formValidationFailed') }}</p>
+              <p v-if="onRecoverError instanceof FormValidationFailedError" class="text-sm text-red-900 mt-2">{{
+    t('createVault.error.formValidationFailed') }}</p>
               <p v-else class="text-sm text-red-900 mt-2">{{ t('createVault.error.invalidRecoveryKey') }}</p>
             </div>
           </div>
@@ -54,16 +59,22 @@
           <div class="mt-5 md:mt-0 md:col-span-2">
             <div class="grid grid-cols-6 gap-6">
               <div class="col-span-6 sm:col-span-3">
-                <label for="vaultName" class="block text-sm font-medium text-gray-700">{{ t('createVault.enterVaultDetails.vaultName') }}</label>
-                <input id="vaultName" v-model="vaultName" :disabled="processing" type="text" class="mt-1 focus:ring-primary focus:border-primary block w-full shadow-sm sm:text-sm border-gray-300 rounded-md disabled:bg-gray-200" :class="{ 'invalid:border-red-300 invalid:text-red-900 focus:invalid:ring-red-500 focus:invalid:border-red-500': onCreateError instanceof FormValidationFailedError }" pattern="^(?! )([^\x5C\x2F:*?\x22<>\x7C])+(?<![ \x2E])$" required />
-                <p v-if="onCreateError instanceof FormValidationFailedError" class="text-sm text-red-900 mt-2">{{ t('createVault.error.illegalVaultName') }} \, /, :, *, ?, ", &lt;, >, |</p>
+                <label for="vaultName" class="block text-sm font-medium text-gray-700">{{
+    t('createVault.enterVaultDetails.vaultName') }}</label>
+                <input id="vaultName" v-model="vaultName" :disabled="processing" type="text"
+                  class="mt-1 focus:ring-primary focus:border-primary block w-full shadow-sm sm:text-sm border-gray-300 rounded-md disabled:bg-gray-200"
+                  :class="{ 'invalid:border-red-300 invalid:text-red-900 focus:invalid:ring-red-500 focus:invalid:border-red-500': onCreateError instanceof FormValidationFailedError }"
+                  pattern="^(?! )([^\x5C\x2F:*?\x22<>\x7C])+(?<![ \x2E])$" required />
+                <p v-if="onCreateError instanceof FormValidationFailedError" class="text-sm text-red-900 mt-2">{{
+    t('createVault.error.illegalVaultName') }} \, /, :, *, ?, ", &lt;, >, |</p>
               </div>
 
               <div class="col-span-6 sm:col-span-4">
                 <label for="vaultDescription" class="block text-sm font-medium text-gray-700">
                   {{ t('createVault.enterVaultDetails.vaultDescription') }}
                   <span class="text-xs text-gray-500">({{ t('common.optional') }})</span></label>
-                <input id="vaultDescription" v-model="vaultDescription" :disabled="processing" type="text" class="mt-1 focus:ring-primary focus:border-primary block w-full shadow-sm sm:text-sm border-gray-300 rounded-md disabled:bg-gray-200"/>
+                <input id="vaultDescription" v-model="vaultDescription" :disabled="processing" type="text"
+                  class="mt-1 focus:ring-primary focus:border-primary block w-full shadow-sm sm:text-sm border-gray-300 rounded-md disabled:bg-gray-200" />
               </div>
             </div>
           </div>
@@ -72,10 +83,12 @@
 
       <div class="flex justify-end items-center">
         <div v-if="onCreateError != null">
-          <p v-if="onCreateError instanceof FormValidationFailedError" class="text-sm text-red-900 mr-4">{{ t('createVault.error.formValidationFailed') }}</p>
+          <p v-if="onCreateError instanceof FormValidationFailedError" class="text-sm text-red-900 mr-4">{{
+    t('createVault.error.formValidationFailed') }}</p>
           <p v-else class="text-sm text-red-900 mr-4">{{ t('common.unexpectedError', [onCreateError.message]) }}</p>
         </div>
-        <button type="submit" :disabled="processing" class="flex-none inline-flex justify-center py-2 px-4 border border-transparent shadow-sm text-sm font-medium rounded-md text-white bg-primary hover:bg-primary-d1 focus:outline-none focus:ring-2 focus:ring-offset-2 focus:ring-primary disabled:opacity-50 disabled:hover:bg-primary disabled:cursor-not-allowed">
+        <button type="submit" :disabled="processing"
+          class="flex-none inline-flex justify-center py-2 px-4 border border-transparent shadow-sm text-sm font-medium rounded-md text-white bg-primary hover:bg-primary-d1 focus:outline-none focus:ring-2 focus:ring-offset-2 focus:ring-primary disabled:opacity-50 disabled:hover:bg-primary disabled:cursor-not-allowed">
           {{ t('common.next') }}
         </button>
       </div>
@@ -99,9 +112,11 @@
               </p>
             </div>
             <div class="relative mt-5 sm:mt-6">
-              <div class="overflow-hidden rounded-lg border border-gray-300 shadow-sm focus-within:border-primary focus-within:ring-1 focus-within:ring-primary">
+              <div
+                class="overflow-hidden rounded-lg border border-gray-300 shadow-sm focus-within:border-primary focus-within:ring-1 focus-within:ring-primary">
                 <label for="recoveryKey" class="sr-only">{{ t('createVault.showRecoveryKey.recoveryKey') }}</label>
-                <textarea id="recoveryKey" v-model="recoveryKeyStr" rows="6" name="recoveryKey" class="block w-full resize-none border-0 py-3 focus:ring-0 sm:text-sm" readonly />
+                <textarea id="recoveryKey" v-model="recoveryKeyStr" rows="6" name="recoveryKey"
+                  class="block w-full resize-none border-0 py-3 focus:ring-0 sm:text-sm" readonly />
 
                 <!-- Spacer element to match the height of the toolbar -->
                 <div class="py-2" aria-hidden="true">
@@ -112,10 +127,14 @@
               <div class="absolute inset-x-0 bottom-0">
                 <div class="flex flex-nowrap justify-end space-x-2 py-2 px-2 sm:px-3">
                   <div class="flex-shrink-0">
-                    <button type="button" class="relative inline-flex items-center whitespace-nowrap rounded-full bg-gray-50 py-2 px-2 text-sm font-medium text-gray-500 hover:bg-gray-100 sm:px-3" @click="copyRecoveryKey()">
+                    <button type="button"
+                      class="relative inline-flex items-center whitespace-nowrap rounded-full bg-gray-50 py-2 px-2 text-sm font-medium text-gray-500 hover:bg-gray-100 sm:px-3"
+                      @click="copyRecoveryKey()">
                       <ClipboardIcon class="h-5 w-5 flex-shrink-0 text-gray-300 sm:-ml-1" aria-hidden="true" />
-                      <span v-if="!copiedRecoveryKey" class="hidden truncate sm:ml-2 sm:block text-gray-900">{{ t('common.copy') }}</span>
-                      <span v-else class="hidden truncate sm:ml-2 sm:block text-gray-900">{{ t('common.copied') }}</span>
+                      <span v-if="!copiedRecoveryKey" class="hidden truncate sm:ml-2 sm:block text-gray-900">{{
+    t('common.copy') }}</span>
+                      <span v-else class="hidden truncate sm:ml-2 sm:block text-gray-900">{{ t('common.copied')
+                        }}</span>
                     </button>
                   </div>
                 </div>
@@ -123,19 +142,24 @@
             </div>
             <div class="relative flex items-start text-left mt-5 sm:mt-6">
               <div class="flex h-5 items-center">
-                <input id="confirmRecoveryKey" v-model="confirmRecoveryKey" name="confirmRecoveryKey" type="checkbox" class="h-4 w-4 rounded border-gray-300 text-primary focus:ring-primary" required>
+                <input id="confirmRecoveryKey" v-model="confirmRecoveryKey" name="confirmRecoveryKey" type="checkbox"
+                  class="h-4 w-4 rounded border-gray-300 text-primary focus:ring-primary" required>
               </div>
               <div class="ml-3 text-sm">
-                <label for="confirmRecoveryKey" class="font-medium text-gray-700">{{ t('createVault.showRecoveryKey.confirmRecoveryKey') }}</label>
+                <label for="confirmRecoveryKey" class="font-medium text-gray-700">{{
+    t('createVault.showRecoveryKey.confirmRecoveryKey') }}</label>
               </div>
             </div>
             <div class="mt-5 sm:mt-6">
-              <button type="submit" :disabled="!confirmRecoveryKey || processing" class="inline-flex w-full justify-center rounded-md border border-transparent bg-primary px-4 py-2 text-base font-medium text-white shadow-sm hover:bg-primary-d1 focus:outline-none focus:ring-2 focus:primary focus:ring-offset-2 sm:text-sm disabled:opacity-50 disabled:hover:bg-primary disabled:cursor-not-allowed">
+              <button type="submit" :disabled="!confirmRecoveryKey || processing"
+                class="inline-flex w-full justify-center rounded-md border border-transparent bg-primary px-4 py-2 text-base font-medium text-white shadow-sm hover:bg-primary-d1 focus:outline-none focus:ring-2 focus:primary focus:ring-offset-2 sm:text-sm disabled:opacity-50 disabled:hover:bg-primary disabled:cursor-not-allowed">
                 {{ t('createVault.showRecoveryKey.submit') }}
               </button>
               <div v-if="onCreateError != null">
-                <p v-if="onCreateError instanceof PaymentRequiredError" class="text-sm text-red-900 mt-2">{{ t('createVault.error.paymentRequired') }}</p>
-                <p v-else class="text-sm text-red-900 mt-2">{{ t('common.unexpectedError', [onCreateError.message]) }}</p>
+                <p v-if="onCreateError instanceof PaymentRequiredError" class="text-sm text-red-900 mt-2">{{
+    t('createVault.error.paymentRequired') }}</p>
+                <p v-else class="text-sm text-red-900 mt-2">{{ t('common.unexpectedError', [onCreateError.message]) }}
+                </p>
               </div>
             </div>
           </div>
@@ -161,11 +185,15 @@
           </div>
         </div>
         <div class="mt-5 sm:mt-6">
-          <button type="button" class="inline-flex items-center px-4 py-2 border border-transparent shadow-sm text-sm font-medium rounded-md text-white bg-primary hover:bg-primary-d1 focus:outline-none focus:ring-2 focus:ring-offset-2 focus:ring-primary" @click="downloadVaultTemplate()">
+          <button type="button"
+            class="inline-flex items-center px-4 py-2 border border-transparent shadow-sm text-sm font-medium rounded-md text-white bg-primary hover:bg-primary-d1 focus:outline-none focus:ring-2 focus:ring-offset-2 focus:ring-primary"
+            @click="downloadVaultTemplate()">
             <ArrowDownTrayIcon class="-ml-1 mr-2 h-5 w-5" aria-hidden="true" />
             {{ t('createVault.success.download') }}
           </button>
-          <p v-if="onDownloadTemplateError != null " class="text-sm text-red-900 mr-4">{{ t('createVault.error.downloadTemplateFailed', [onDownloadTemplateError.message]) }}</p> <!-- TODO: not beautiful-->
+          <p v-if="onDownloadTemplateError != null" class="text-sm text-red-900 mr-4">{{
+            t('createVault.error.downloadTemplateFailed', [onDownloadTemplateError.message]) }}</p>
+          <!-- TODO: not beautiful-->
         </div>
         <div class="mt-2">
           <router-link to="/app/vaults" class="text-sm text-gray-500">
@@ -185,7 +213,7 @@ import { saveAs } from 'file-saver';
 import { base64 } from 'rfc4648';
 import { onMounted, ref } from 'vue';
 import { useI18n } from 'vue-i18n';
-import backend, { PaymentRequiredError } from '../common/backend';
+import backend, { AccessGrant, PaymentRequiredError, VaultDto } from '../common/backend';
 import { debounce } from '../common/util';
 import { MemberKey, RecoveryKey, VaultMetadata } from '../common/uvf';
 import { VaultConfig } from '../common/vaultconfig';
@@ -222,8 +250,8 @@ const { t } = useI18n({ useScope: 'global' });
 
 const form = ref<HTMLFormElement>();
 
-const onCreateError = ref<Error | null >(null);
-const onRecoverError = ref<Error | null >(null);
+const onCreateError = ref<Error | null>(null);
+const onRecoverError = ref<Error | null>(null);
 const onDownloadTemplateError = ref<Error | null>(null);
 
 const state = ref(State.Initial);
@@ -249,15 +277,15 @@ async function initialize() {
   if (props.recover) {
     state.value = State.EnterRecoveryKey;
   } else {
-    switch(vaultType) {
+    switch (vaultType) {
       case VaultType.VaultFormat8:
         format8VaultKeys.value = await VaultKeys.create();
         recoveryKeyStr.value = await format8VaultKeys.value.createRecoveryKey();
         break;
       case VaultType.UniversalVaultFormat:
-        uvfMetadata.value = await VaultMetadata.create({enabled: false, maxWotDepth: 0});
+        uvfMetadata.value = await VaultMetadata.create({ enabled: false, maxWotDepth: 0 });
         uvfRecoveryKey.value = await RecoveryKey.create();
-        recoveryKeyStr.value = uvfRecoveryKey.value.serialize();
+        recoveryKeyStr.value = uvfRecoveryKey.value.serializePrivateKey();
         break;
     }
     state.value = State.EnterVaultDetails;
@@ -308,16 +336,21 @@ async function createVault() {
     if (!owner.publicKey) {
       throw new Error('Invalid state');
     }
-    const vaultId = crypto.randomUUID();
-    switch(vaultType) {
+    const vault: VaultDto = {
+      id: crypto.randomUUID(),
+      name: vaultName.value,
+      description: vaultDescription.value,
+      archived: false,
+      creationTime: new Date()
+    };
+    const ownerGrant: AccessGrant = { userId: owner.id, token: '' };
+    switch (vaultType) {
       case VaultType.VaultFormat8: {
         if (!format8VaultKeys.value) {
           throw new Error('Invalid state');
         }
-        vaultConfig.value = await VaultConfig.create(vaultId, format8VaultKeys.value);
-        const ownerJwe = await format8VaultKeys.value.encryptForUser(base64.parse(owner.publicKey));
-        await backend.vaults.createOrUpdateVault(vaultId, vaultName.value, false, '', vaultDescription.value);
-        await backend.vaults.grantAccess(vaultId, { userId: owner.id, token: ownerJwe });
+        vaultConfig.value = await VaultConfig.create(vault.id, format8VaultKeys.value);
+        ownerGrant.token = await format8VaultKeys.value.encryptForUser(base64.parse(owner.publicKey));
         break;
       }
       case VaultType.UniversalVaultFormat: {
@@ -325,13 +358,14 @@ async function createVault() {
           throw new Error('Invalid state');
         }
         const memberKey = await MemberKey.create();
-        const ownerJwe = await memberKey.encryptForUser(base64.parse(owner.publicKey));
-        const vaultUvfContents = await uvfMetadata.value.encrypt(memberKey, uvfRecoveryKey.value);
-        await backend.vaults.createOrUpdateVault(vaultId, vaultName.value, false, vaultUvfContents, vaultDescription.value);
-        await backend.vaults.grantAccess(vaultId, { userId: owner.id, token: ownerJwe });
+        ownerGrant.token = await memberKey.encryptForUser(base64.parse(owner.publicKey));
+        vault.uvfMetadataFile = await uvfMetadata.value.encrypt(memberKey, uvfRecoveryKey.value);
+        vault.uvfRecoveryPublicKey = await uvfRecoveryKey.value.serializePublicKey();
         break;
       }
     }
+    await backend.vaults.createOrUpdateVault(vault);
+    await backend.vaults.grantAccess(vault.id, ownerGrant);
     state.value = State.Finished;
   } catch (error) {
     console.error('Creating vault failed.', error);
diff --git a/frontend/src/components/EditVaultMetadataDialog.vue b/frontend/src/components/EditVaultMetadataDialog.vue
index 5c7f8642c..3cc3cb3af 100644
--- a/frontend/src/components/EditVaultMetadataDialog.vue
+++ b/frontend/src/components/EditVaultMetadataDialog.vue
@@ -111,8 +111,9 @@ async function updateVaultMetadata() {
     if (!form.value?.checkValidity()) {
       throw new FormValidationFailedError();
     }
-    const vault = props.vault;
-    const updatedVault = await backend.vaults.createOrUpdateVault(vault.id, vaultName.value, vault.archived, vault.metadata, vaultDescription.value);
+    const dto = { ...props.vault };
+    dto.description = vaultDescription.value;
+    const updatedVault = await backend.vaults.createOrUpdateVault(dto);
     emit('updated', updatedVault);
     open.value = false;
   } catch (error) {
diff --git a/frontend/src/components/ReactivateVaultDialog.vue b/frontend/src/components/ReactivateVaultDialog.vue
index 98fa6d5ca..cd8250e32 100644
--- a/frontend/src/components/ReactivateVaultDialog.vue
+++ b/frontend/src/components/ReactivateVaultDialog.vue
@@ -79,10 +79,11 @@ function show() {
 
 async function reactivateVault() {
   onReactivateVaultError.value = null;
-  const v = props.vault;
+  const dto =  { ...props.vault };
+  dto.archived = false;
   try {
-    const vaultDto = await backend.vaults.createOrUpdateVault(v.id, v.name, false, v.metadata, v.description);
-    emit('reactivated', vaultDto);
+    const updatedVault = await backend.vaults.createOrUpdateVault(dto);
+    emit('reactivated', updatedVault);
     open.value = false;
   } catch (error) {
     console.error('Reactivating vault failed.', error);

From 01c8a061ca28435be7fbae98f163bbcb8012c9fa Mon Sep 17 00:00:00 2001
From: Sebastian Stenzel <sebastian.stenzel@skymatic.de>
Date: Thu, 2 May 2024 15:21:11 +0200
Subject: [PATCH 16/94] grant permission to UVF vault

---
 frontend/src/common/crypto.ts                 |  5 +++
 frontend/src/common/uvf.ts                    | 12 ++---
 frontend/src/common/vaultv8.ts                |  4 +-
 .../src/components/GrantPermissionDialog.vue  |  5 +--
 frontend/src/components/VaultDetails.vue      | 44 ++++++++++++++++---
 5 files changed, 54 insertions(+), 16 deletions(-)

diff --git a/frontend/src/common/crypto.ts b/frontend/src/common/crypto.ts
index 627443de9..1c7a7330b 100644
--- a/frontend/src/common/crypto.ts
+++ b/frontend/src/common/crypto.ts
@@ -18,6 +18,11 @@ interface UserKeysJWEPayload {
 
 export const GCM_NONCE_LEN = 12;
 
+export interface UserEncryptable {
+  encryptForUser(userPublicKey: CryptoKey | Uint8Array): Promise<string>;
+
+}
+
 export class UserKeys {
   public static readonly KEY_USAGES: KeyUsage[] = ['deriveBits'];
 
diff --git a/frontend/src/common/uvf.ts b/frontend/src/common/uvf.ts
index 5d7c48bf0..b7d485fc0 100644
--- a/frontend/src/common/uvf.ts
+++ b/frontend/src/common/uvf.ts
@@ -1,5 +1,5 @@
 import { base64, base64url } from 'rfc4648';
-import { UserKeys, getJwkThumbprint } from './crypto';
+import { UserEncryptable, UserKeys, getJwkThumbprint } from './crypto';
 import { JWE, JWEHeader, JsonJWE, Recipient } from './jwe';
 
 type MetadataPayload = {
@@ -27,8 +27,8 @@ type MemberKeyPayload = {
  * The AES Key Wrap Key used to encapsulate the UVF Vault Metadata CEK for a vault member.
  * This key is encrypted for each vault member individually, using the user's public key.
  */
-export class MemberKey {
-  public static readonly KEY_DESIGNATION: AesKeyGenParams = { name: 'AES-KW', length: 256 };
+export class MemberKey implements UserEncryptable {
+  public static readonly KEY_DESIGNATION: AesKeyGenParams | AesKeyAlgorithm = { name: 'AES-KW', length: 256 };
 
   public static readonly KEY_USAGE: KeyUsage[] = ['wrapKey', 'unwrapKey'];
 
@@ -53,9 +53,9 @@ export class MemberKey {
     let rawKey = new Uint8Array();
     try {
       const payload: MemberKeyPayload = await JWE.parseCompact(jwe).decrypt(Recipient.ecdhEs('org.cryptomator.hub.userkey', userPrivateKey));
-      rawKey = base64url.parse(payload.key);
-      const masterKey = crypto.subtle.importKey('raw', rawKey, MemberKey.KEY_DESIGNATION, true, MemberKey.KEY_USAGE);
-      return new MemberKey(await masterKey);
+      rawKey = base64.parse(payload.key);
+      const memberKey = await crypto.subtle.importKey('raw', rawKey, MemberKey.KEY_DESIGNATION, true, MemberKey.KEY_USAGE);
+      return new MemberKey(memberKey);
     } finally {
       rawKey.fill(0x00);
     }
diff --git a/frontend/src/common/vaultv8.ts b/frontend/src/common/vaultv8.ts
index bf18a5994..f770bb796 100644
--- a/frontend/src/common/vaultv8.ts
+++ b/frontend/src/common/vaultv8.ts
@@ -1,6 +1,6 @@
 import * as miscreant from 'miscreant';
 import { base32, base64, base64url } from 'rfc4648';
-import { GCM_NONCE_LEN, UnwrapKeyError, UserKeys } from './crypto';
+import { GCM_NONCE_LEN, UnwrapKeyError, UserEncryptable, UserKeys } from './crypto';
 import { JWE, Recipient } from './jwe';
 import { CRC32, wordEncoder } from './util';
 
@@ -27,7 +27,7 @@ export interface VaultConfigHeaderHub {
 }
 
 
-export class VaultKeys {
+export class VaultKeys implements UserEncryptable {
   // in this browser application, this 512 bit key is used
   // as a hmac key to sign the vault config.
   // however when used by cryptomator, it gets split into
diff --git a/frontend/src/components/GrantPermissionDialog.vue b/frontend/src/components/GrantPermissionDialog.vue
index 1e468448e..d97d5f20e 100644
--- a/frontend/src/components/GrantPermissionDialog.vue
+++ b/frontend/src/components/GrantPermissionDialog.vue
@@ -72,8 +72,7 @@ import { base64 } from 'rfc4648';
 import { onMounted, ref } from 'vue';
 import { useI18n } from 'vue-i18n';
 import backend, { AccessGrant, ConflictError, NotFoundError, UserDto, VaultDto } from '../common/backend';
-import { getFingerprint } from '../common/crypto';
-import { VaultKeys } from '../common/vaultv8';
+import { UserEncryptable, getFingerprint } from '../common/crypto';
 
 const { t } = useI18n({ useScope: 'global' });
 
@@ -84,7 +83,7 @@ const onGrantPermissionError = ref<Error | null>();
 const props = defineProps<{
   vault: VaultDto
   users: UserDto[]
-  vaultKeys: VaultKeys
+  vaultKeys: UserEncryptable
 }>();
 
 const emit = defineEmits<{
diff --git a/frontend/src/components/VaultDetails.vue b/frontend/src/components/VaultDetails.vue
index 6d5f97736..59311e2db 100644
--- a/frontend/src/components/VaultDetails.vue
+++ b/frontend/src/components/VaultDetails.vue
@@ -196,10 +196,10 @@
   </div>
 
   <ClaimVaultOwnershipDialog v-if="claimingVaultOwnership && vault" ref="claimVaultOwnershipDialog" :vault="vault" @action="provedOwnership" @close="claimingVaultOwnership = false" />
-  <GrantPermissionDialog v-if="grantingPermission && vault && vaultKeys" ref="grantPermissionDialog" :vault="vault" :users="usersRequiringAccessGrant" :vault-keys="vaultKeys" @close="grantingPermission = false" @permission-granted="permissionGranted()" />
+  <GrantPermissionDialog v-if="grantingPermission && vault && (vaultKeys || uvfMemberKey)" ref="grantPermissionDialog" :vault="vault" :users="usersRequiringAccessGrant" :vault-keys="(vaultKeys || uvfMemberKey)!" @close="grantingPermission = false" @permission-granted="permissionGranted()" />
   <EditVaultMetadataDialog v-if="editingVaultMetadata && vault" ref="editVaultMetadataDialog" :vault="vault" @close="editingVaultMetadata = false" @updated="v => refreshVault(v)" />
-  <DownloadVaultTemplateDialog v-if="downloadingVaultTemplate && vault && vaultKeys" ref="downloadVaultTemplateDialog" :vault="vault" :vault-keys="vaultKeys" @close="downloadingVaultTemplate = false" />
-  <DisplayRecoveryKeyDialog v-if="displayingRecoveryKey && vault && vaultKeys" ref="displayRecoveryKeyDialog" :vault="vault" :vault-keys="vaultKeys" @close="displayingRecoveryKey = false" />
+  <DownloadVaultTemplateDialog v-if="downloadingVaultTemplate && vault && (vaultKeys || uvfMetadata)" ref="downloadVaultTemplateDialog" :vault="vault" :vault-keys="vaultKeys" @close="downloadingVaultTemplate = false" />
+  <DisplayRecoveryKeyDialog v-if="displayingRecoveryKey && vault && (vaultKeys || uvfMetadata)" ref="displayRecoveryKeyDialog" :vault="vault" :vault-keys="vaultKeys" @close="displayingRecoveryKey = false" />
   <ArchiveVaultDialog v-if="archivingVault && vault" ref="archiveVaultDialog" :vault="vault" @close="archivingVault = false" @archived="v => refreshVault(v)" />
   <ReactivateVaultDialog v-if="reactivatingVault && vault" ref="reactivateVaultDialog" :vault="vault" @close="reactivatingVault = false" @reactivated="v => { refreshVault(v); refreshLicense();}" />
   <RecoverVaultDialog v-if="recoveringVault && vault && me" ref="recoverVaultDialog" :vault="vault" :me="me" @close="recoveringVault = false" @recovered="fetchOwnerData()" />
@@ -216,6 +216,7 @@ import auth from '../common/auth';
 import backend, { AuthorityDto, ConflictError, ForbiddenError, LicenseUserInfoDto, MemberDto, NotFoundError, PaymentRequiredError, UserDto, VaultDto, VaultRole } from '../common/backend';
 import { BrowserKeys, UserKeys } from '../common/crypto';
 import { JWT, JWTHeader } from '../common/jwt';
+import { MemberKey, VaultMetadata } from '../common/uvf';
 import { VaultKeys } from '../common/vaultv8';
 import ArchiveVaultDialog from './ArchiveVaultDialog.vue';
 import ClaimVaultOwnershipDialog from './ClaimVaultOwnershipDialog.vue';
@@ -264,6 +265,8 @@ const recoveringVault = ref(false);
 const recoverVaultDialog = ref<typeof RecoverVaultDialog>();
 const vault = ref<VaultDto>();
 const vaultKeys = ref<VaultKeys>();
+const uvfMetadata = ref<VaultMetadata>();
+const uvfMemberKey = ref<MemberKey>();
 const members = ref<Map<string, MemberDto>>(new Map());
 const usersRequiringAccessGrant = ref<UserDto[]>([]);
 const claimVaultOwnershipDialog = ref<typeof ClaimVaultOwnershipDialog>();
@@ -295,12 +298,21 @@ async function fetchData() {
 }
 
 async function fetchOwnerData() {
+  if (!vault.value) {
+    throw new Error('Vault not initialized.');
+  }
   try {
     (await backend.vaults.getMembers(props.vaultId)).forEach(member => members.value.set(member.id, member));
     usersRequiringAccessGrant.value = await backend.vaults.getUsersRequiringAccessGrant(props.vaultId);
     vaultRecoveryRequired.value = false;
-    const vaultKeyJwe = await backend.vaults.accessToken(props.vaultId, true);
-    vaultKeys.value = await loadVaultKeys(vaultKeyJwe);
+    const accessToken = await backend.vaults.accessToken(props.vaultId, true);
+    if (vault.value.uvfMetadataFile) {
+      const decrypted = await loadUvfMetadata(accessToken);
+      uvfMetadata.value = decrypted.uvfMetadata;
+      uvfMemberKey.value = decrypted.memberKey;
+    } else {
+      vaultKeys.value = await loadVaultKeys(accessToken);
+    }
   } catch (error) {
     if (error instanceof ForbiddenError) {
       vaultRecoveryRequired.value = true;
@@ -331,6 +343,28 @@ async function loadVaultKeys(vaultKeyJwe: string): Promise<VaultKeys> {
   return VaultKeys.decryptWithUserKey(vaultKeyJwe, userKeys.keyPair.privateKey);
 }
 
+async function loadUvfMetadata(memberKeyJwe: string): Promise<{uvfMetadata: VaultMetadata, memberKey: MemberKey}> {
+  if (!vault.value || !vault.value.uvfMetadataFile) {
+    throw new Error('Vault not initialized.');
+  }
+  if (!me.value || !me.value.publicKey) {
+    throw new Error('User not initialized.');
+  }
+  const browserKeys = await BrowserKeys.load(me.value.id);
+  if (browserKeys == null) {
+    throw new Error('Browser keys not found.');
+  }
+  const browserId = await browserKeys.id();
+  const myDevice = me.value.devices.find(d => d.id == browserId);
+  if (myDevice == null) {
+    throw new Error('Device not initialized.');
+  }
+  const userKeys = await UserKeys.decryptOnBrowser(myDevice.userPrivateKey, browserKeys.keyPair.privateKey, base64.parse(me.value.publicKey));
+  const memberKey = await MemberKey.decryptWithUserKey(memberKeyJwe, userKeys.keyPair.privateKey);
+  const uvfMetadata = await VaultMetadata.decryptWithMemberKey(vault.value.uvfMetadataFile, memberKey);
+  return {uvfMetadata, memberKey};
+}
+
 async function provedOwnership(keys: VaultKeys, ownerKeyPair: CryptoKeyPair) {
   if (!me.value || !me.value.publicKey) {
     throw new Error('User not initialized.');

From 36eb79c7c546f3cddc534d240c2883f36fbf0e00 Mon Sep 17 00:00:00 2001
From: Sebastian Stenzel <sebastian.stenzel@skymatic.de>
Date: Thu, 2 May 2024 19:46:29 +0200
Subject: [PATCH 17/94] fix autocompletion mistake

---
 .../src/main/java/org/cryptomator/hub/api/VaultResource.java    | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/backend/src/main/java/org/cryptomator/hub/api/VaultResource.java b/backend/src/main/java/org/cryptomator/hub/api/VaultResource.java
index 49fbb8836..40c8ee516 100644
--- a/backend/src/main/java/org/cryptomator/hub/api/VaultResource.java
+++ b/backend/src/main/java/org/cryptomator/hub/api/VaultResource.java
@@ -509,7 +509,7 @@ public record VaultDto(@JsonProperty("id") UUID id,
 	) {
 
 		public static VaultDto fromEntity(Vault entity) {
-			return new VaultDto(entity.getId(), entity.getName(), entity.getDescription(), entity.isArchived(), entity.getCreationTime().truncatedTo(ChronoUnit.MILLIS), entity.getMasterkey(), entity.getIterations(), entity.getSalt(), entity.getAuthenticationPublicKey(), entity.getAuthenticationPrivateKey(), entity.getUvfMetadataFile(), entity.getAuthenticationPublicKey());
+			return new VaultDto(entity.getId(), entity.getName(), entity.getDescription(), entity.isArchived(), entity.getCreationTime().truncatedTo(ChronoUnit.MILLIS), entity.getMasterkey(), entity.getIterations(), entity.getSalt(), entity.getAuthenticationPublicKey(), entity.getAuthenticationPrivateKey(), entity.getUvfMetadataFile(), entity.getUvfRecoveryPubKey());
 		}
 
 	}

From 3cf9c8e97d60febd1090c0ee061564508686b88f Mon Sep 17 00:00:00 2001
From: Sebastian Stenzel <sebastian.stenzel@skymatic.de>
Date: Thu, 2 May 2024 19:51:32 +0200
Subject: [PATCH 18/94] use common interfaces for VF8 and UVF

---
 frontend/src/common/crypto.ts                 | 18 +++++-
 frontend/src/common/uvf.ts                    | 58 ++++++++++++++++---
 frontend/src/common/vaultconfig.ts            | 47 ---------------
 frontend/src/common/vaultv8.ts                | 46 +++++++++++++--
 frontend/src/components/CreateVault.vue       | 55 +++++++++---------
 .../DownloadVaultTemplateDialog.vue           | 12 +---
 .../src/components/GrantPermissionDialog.vue  |  4 +-
 frontend/src/components/VaultDetails.vue      | 25 ++++----
 8 files changed, 150 insertions(+), 115 deletions(-)
 delete mode 100644 frontend/src/common/vaultconfig.ts

diff --git a/frontend/src/common/crypto.ts b/frontend/src/common/crypto.ts
index 1c7a7330b..2fa903bbc 100644
--- a/frontend/src/common/crypto.ts
+++ b/frontend/src/common/crypto.ts
@@ -1,4 +1,5 @@
 import { base16, base64, base64url } from 'rfc4648';
+import { VaultDto } from './backend';
 import { JWE, Recipient } from './jwe';
 import { DB } from './util';
 
@@ -18,11 +19,26 @@ interface UserKeysJWEPayload {
 
 export const GCM_NONCE_LEN = 12;
 
-export interface UserEncryptable {
+export interface AccessTokenProducing {
+
+  /**
+   * Creates a user-specific access token for the given vault.
+   * @param userPublicKey the public key of the user
+   */
   encryptForUser(userPublicKey: CryptoKey | Uint8Array): Promise<string>;
 
 }
 
+export interface VaultTemplateProducing {
+
+  /**
+   * Produces a zip file containing the vault template.
+   * @param vault The vault
+   */
+  exportTemplate(vault: VaultDto): Promise<Blob>;
+
+}
+
 export class UserKeys {
   public static readonly KEY_USAGES: KeyUsage[] = ['deriveBits'];
 
diff --git a/frontend/src/common/uvf.ts b/frontend/src/common/uvf.ts
index b7d485fc0..a8ff97e1f 100644
--- a/frontend/src/common/uvf.ts
+++ b/frontend/src/common/uvf.ts
@@ -1,5 +1,7 @@
+import JSZip from 'jszip';
 import { base64, base64url } from 'rfc4648';
-import { UserEncryptable, UserKeys, getJwkThumbprint } from './crypto';
+import { VaultDto } from './backend';
+import { AccessTokenProducing, UserKeys, VaultTemplateProducing, getJwkThumbprint } from './crypto';
 import { JWE, JWEHeader, JsonJWE, Recipient } from './jwe';
 
 type MetadataPayload = {
@@ -27,7 +29,7 @@ type MemberKeyPayload = {
  * The AES Key Wrap Key used to encapsulate the UVF Vault Metadata CEK for a vault member.
  * This key is encrypted for each vault member individually, using the user's public key.
  */
-export class MemberKey implements UserEncryptable {
+export class MemberKey {
   public static readonly KEY_DESIGNATION: AesKeyGenParams | AesKeyAlgorithm = { name: 'AES-KW', length: 256 };
 
   public static readonly KEY_USAGE: KeyUsage[] = ['wrapKey', 'unwrapKey'];
@@ -95,7 +97,7 @@ export class RecoveryKey {
 
   public static readonly KEY_USAGE: KeyUsage[] = ['deriveKey', 'deriveBits'];
 
-  protected constructor(readonly publicKey: CryptoKey, readonly privateKey?: CryptoKey) { }
+  protected constructor(private publicKey: CryptoKey, private privateKey?: CryptoKey) { }
 
   /**
    * Creates a new vault member key
@@ -108,12 +110,14 @@ export class RecoveryKey {
 
   /**
    * Loads the public key of the recovery key pair.
-   * @param publicKey the JWK-encoded public key
+   * @param publicKey the DER-encoded public key
    * @returns recovery key for encrypting vault metadata
    */
-  public static async loadJwk(publicKey: JsonWebKey): Promise<RecoveryKey> {
-    const key = await crypto.subtle.importKey('jwk', publicKey, RecoveryKey.KEY_DESIGNATION, false, RecoveryKey.KEY_USAGE);
-    return new RecoveryKey(key);
+  public static async load(publicKey: CryptoKey | Uint8Array): Promise<RecoveryKey> {
+    if (publicKey instanceof Uint8Array) {
+      publicKey = await crypto.subtle.importKey('spki', publicKey, RecoveryKey.KEY_DESIGNATION, true, []);
+    }
+    return new RecoveryKey(publicKey);
   }
 
   /**
@@ -240,6 +244,46 @@ export class VaultMetadata {
 
 }
 // #endregion
+// #region Vault metadata
+
+/**
+ * A UVF-formatted Vault
+ */
+export class UniversalVaultFormat implements AccessTokenProducing, VaultTemplateProducing {
+  private constructor(readonly metadata: VaultMetadata, readonly memberKey: MemberKey, readonly recoveryKey: RecoveryKey) { }
+
+  public static async create(automaticAccessGrant: VaultMetadataJWEAutomaticAccessGrantDto): Promise<UniversalVaultFormat> {
+    const metadata = await VaultMetadata.create(automaticAccessGrant);
+    const memberKey = await MemberKey.create();
+    const recoveryKey = await RecoveryKey.create();
+    return new UniversalVaultFormat(metadata, memberKey, recoveryKey);
+  }
+
+  public static async decrypt(vault: VaultDto, memberKey: MemberKey): Promise<UniversalVaultFormat> {
+    if (!vault.uvfMetadataFile || !vault.uvfRecoveryPublicKey) {
+      throw new Error('Not a UVF vault.');
+    }
+    const metadata = await VaultMetadata.decryptWithMemberKey(vault.uvfMetadataFile, memberKey);
+    const recoveryKey = await RecoveryKey.load(base64.parse(vault.uvfRecoveryPublicKey));
+    return new UniversalVaultFormat(metadata, memberKey, recoveryKey);
+  }
+
+  public async createMetadataFile(): Promise<string> {
+    return this.metadata.encrypt(this.memberKey, this.recoveryKey);
+  }
+
+  public async exportTemplate(vault: VaultDto): Promise<Blob> {
+    const zip = new JSZip();
+    zip.file('vault.uvf', this.createMetadataFile());
+    // TODO: add root folder
+    //zip.folder('d')?.folder(rootDirHash.substring(0, 2))?.folder(rootDirHash.substring(2));
+    return zip.generateAsync({ type: 'blob' });
+  }
+
+  public async encryptForUser(userPublicKey: CryptoKey | Uint8Array): Promise<string> {
+    return this.memberKey.encryptForUser(userPublicKey);
+  }
+}
 
 /**
  * Parses the 4 byte seed id from its base64url-encoded form to a 32 bit integer.
diff --git a/frontend/src/common/vaultconfig.ts b/frontend/src/common/vaultconfig.ts
deleted file mode 100644
index 51b66c542..000000000
--- a/frontend/src/common/vaultconfig.ts
+++ /dev/null
@@ -1,47 +0,0 @@
-import JSZip from 'jszip';
-import config, { absBackendBaseURL, absFrontendBaseURL } from '../common/config';
-import { VaultConfigHeaderHub, VaultConfigPayload, VaultKeys } from '../common/vaultv8';
-
-export class VaultConfig {
-  readonly vaultConfigToken: string;
-  readonly rootDirHash: string;
-
-  private constructor(vaultConfigToken: string, rootDirHash: string) {
-    this.vaultConfigToken = vaultConfigToken;
-    this.rootDirHash = rootDirHash;
-  }
-
-  public static async create(vaultId: string, vaultKeys: VaultKeys): Promise<VaultConfig> {
-    const cfg = config.get();
-
-    const kid = `hub+${absBackendBaseURL}vaults/${vaultId}`;
-
-    const hubConfig: VaultConfigHeaderHub = {
-      clientId: cfg.keycloakClientIdCryptomator,
-      authEndpoint: cfg.keycloakAuthEndpoint,
-      tokenEndpoint: cfg.keycloakTokenEndpoint,
-      authSuccessUrl: `${absFrontendBaseURL}unlock-success?vault=${vaultId}`,
-      authErrorUrl: `${absFrontendBaseURL}unlock-error?vault=${vaultId}`,
-      apiBaseUrl: absBackendBaseURL,
-      devicesResourceUrl: `${absBackendBaseURL}devices/`,
-    };
-
-    const jwtPayload: VaultConfigPayload = {
-      jti: vaultId,
-      format: 8,
-      cipherCombo: 'SIV_GCM',
-      shorteningThreshold: 220
-    };
-
-    const vaultConfigToken = await vaultKeys.createVaultConfig(kid, hubConfig, jwtPayload);
-    const rootDirHash = await vaultKeys.hashDirectoryId('');
-    return new VaultConfig(vaultConfigToken, rootDirHash);
-  }
-
-  public async exportTemplate(): Promise<Blob> {
-    const zip = new JSZip();
-    zip.file('vault.cryptomator', this.vaultConfigToken);
-    zip.folder('d')?.folder(this.rootDirHash.substring(0, 2))?.folder(this.rootDirHash.substring(2));
-    return zip.generateAsync({ type: 'blob' });
-  }
-}
diff --git a/frontend/src/common/vaultv8.ts b/frontend/src/common/vaultv8.ts
index f770bb796..b1fdce28d 100644
--- a/frontend/src/common/vaultv8.ts
+++ b/frontend/src/common/vaultv8.ts
@@ -1,6 +1,9 @@
+import JSZip from 'jszip';
 import * as miscreant from 'miscreant';
 import { base32, base64, base64url } from 'rfc4648';
-import { GCM_NONCE_LEN, UnwrapKeyError, UserEncryptable, UserKeys } from './crypto';
+import { VaultDto } from './backend';
+import config, { absBackendBaseURL, absFrontendBaseURL } from './config';
+import { AccessTokenProducing, GCM_NONCE_LEN, UnwrapKeyError, UserKeys, VaultTemplateProducing } from './crypto';
 import { JWE, Recipient } from './jwe';
 import { CRC32, wordEncoder } from './util';
 
@@ -8,14 +11,14 @@ interface JWEPayload {
   key: string
 }
 
-export interface VaultConfigPayload {
+interface VaultConfigPayload {
   jti: string
   format: number
   cipherCombo: string
   shorteningThreshold: number
 }
 
-export interface VaultConfigHeaderHub {
+interface VaultConfigHeaderHub {
   clientId: string
   authEndpoint: string
   tokenEndpoint: string
@@ -27,7 +30,7 @@ export interface VaultConfigHeaderHub {
 }
 
 
-export class VaultKeys implements UserEncryptable {
+export class VaultKeys implements AccessTokenProducing, VaultTemplateProducing {
   // in this browser application, this 512 bit key is used
   // as a hmac key to sign the vault config.
   // however when used by cryptomator, it gets split into
@@ -170,7 +173,38 @@ export class VaultKeys implements UserEncryptable {
     return new VaultKeys(await key);
   }
 
-  public async createVaultConfig(kid: string, hubConfig: VaultConfigHeaderHub, payload: VaultConfigPayload): Promise<string> {
+  public async exportTemplate(vault: VaultDto): Promise<Blob> {
+    const cfg = config.get();
+
+    const kid = `hub+${absBackendBaseURL}vaults/${vault.id}`;
+
+    const hubConfig: VaultConfigHeaderHub = {
+      clientId: cfg.keycloakClientIdCryptomator,
+      authEndpoint: cfg.keycloakAuthEndpoint,
+      tokenEndpoint: cfg.keycloakTokenEndpoint,
+      authSuccessUrl: `${absFrontendBaseURL}unlock-success?vault=${vault.id}`,
+      authErrorUrl: `${absFrontendBaseURL}unlock-error?vault=${vault.id}`,
+      apiBaseUrl: absBackendBaseURL,
+      devicesResourceUrl: `${absBackendBaseURL}devices/`,
+    };
+
+    const jwtPayload: VaultConfigPayload = {
+      jti: vault.id,
+      format: 8,
+      cipherCombo: 'SIV_GCM',
+      shorteningThreshold: 220
+    };
+
+    const vaultConfigToken = await this.createVaultConfig(kid, hubConfig, jwtPayload);
+    const rootDirHash = await this.hashDirectoryId('');
+
+    const zip = new JSZip();
+    zip.file('vault.cryptomator', vaultConfigToken);
+    zip.folder('d')?.folder(rootDirHash.substring(0, 2))?.folder(rootDirHash.substring(2));
+    return zip.generateAsync({ type: 'blob' });
+  }
+
+  private async createVaultConfig(kid: string, hubConfig: VaultConfigHeaderHub, payload: VaultConfigPayload): Promise<string> {
     const header = JSON.stringify({
       kid: kid,
       typ: 'jwt',
@@ -189,7 +223,7 @@ export class VaultKeys implements UserEncryptable {
     return unsignedToken + '.' + base64url.stringify(new Uint8Array(signature), { pad: false });
   }
 
-  public async hashDirectoryId(cleartextDirectoryId: string): Promise<string> {
+  private async hashDirectoryId(cleartextDirectoryId: string): Promise<string> {
     const dirHash = new TextEncoder().encode(cleartextDirectoryId);
     const rawkey = new Uint8Array(await crypto.subtle.exportKey('raw', this.masterKey));
     try {
diff --git a/frontend/src/components/CreateVault.vue b/frontend/src/components/CreateVault.vue
index e0d710498..695daa49f 100644
--- a/frontend/src/components/CreateVault.vue
+++ b/frontend/src/components/CreateVault.vue
@@ -61,7 +61,7 @@
               <div class="col-span-6 sm:col-span-3">
                 <label for="vaultName" class="block text-sm font-medium text-gray-700">{{
     t('createVault.enterVaultDetails.vaultName') }}</label>
-                <input id="vaultName" v-model="vaultName" :disabled="processing" type="text"
+                <input id="vaultName" v-model="vault.name" :disabled="processing" type="text"
                   class="mt-1 focus:ring-primary focus:border-primary block w-full shadow-sm sm:text-sm border-gray-300 rounded-md disabled:bg-gray-200"
                   :class="{ 'invalid:border-red-300 invalid:text-red-900 focus:invalid:ring-red-500 focus:invalid:border-red-500': onCreateError instanceof FormValidationFailedError }"
                   pattern="^(?! )([^\x5C\x2F:*?\x22<>\x7C])+(?<![ \x2E])$" required />
@@ -73,7 +73,7 @@
                 <label for="vaultDescription" class="block text-sm font-medium text-gray-700">
                   {{ t('createVault.enterVaultDetails.vaultDescription') }}
                   <span class="text-xs text-gray-500">({{ t('common.optional') }})</span></label>
-                <input id="vaultDescription" v-model="vaultDescription" :disabled="processing" type="text"
+                <input id="vaultDescription" v-model="vault.description" :disabled="processing" type="text"
                   class="mt-1 focus:ring-primary focus:border-primary block w-full shadow-sm sm:text-sm border-gray-300 rounded-md disabled:bg-gray-200" />
               </div>
             </div>
@@ -214,9 +214,9 @@ import { base64 } from 'rfc4648';
 import { onMounted, ref } from 'vue';
 import { useI18n } from 'vue-i18n';
 import backend, { AccessGrant, PaymentRequiredError, VaultDto } from '../common/backend';
+import { VaultTemplateProducing } from '../common/crypto';
 import { debounce } from '../common/util';
-import { MemberKey, RecoveryKey, VaultMetadata } from '../common/uvf';
-import { VaultConfig } from '../common/vaultconfig';
+import { UniversalVaultFormat } from '../common/uvf';
 import { VaultKeys } from '../common/vaultv8';
 
 enum State {
@@ -256,16 +256,19 @@ const onDownloadTemplateError = ref<Error | null>(null);
 
 const state = ref(State.Initial);
 const processing = ref(false);
-const vaultName = ref('');
-const vaultDescription = ref<string | undefined>();
+const vault = ref<VaultDto>({
+      id: crypto.randomUUID(),
+      name: '',
+      description: '',
+      archived: false,
+      creationTime: new Date()
+    });
 const copiedRecoveryKey = ref(false);
 const debouncedCopyFinish = debounce(() => copiedRecoveryKey.value = false, 2000);
 const confirmRecoveryKey = ref(false);
 const format8VaultKeys = ref<VaultKeys>();
 const recoveryKeyStr = ref<string>('');
-const uvfMetadata = ref<VaultMetadata>();
-const uvfRecoveryKey = ref<RecoveryKey>();
-const vaultConfig = ref<VaultConfig>();
+const uvfVault = ref<UniversalVaultFormat>();
 
 const props = defineProps<{
   recover: boolean
@@ -283,9 +286,8 @@ async function initialize() {
         recoveryKeyStr.value = await format8VaultKeys.value.createRecoveryKey();
         break;
       case VaultType.UniversalVaultFormat:
-        uvfMetadata.value = await VaultMetadata.create({ enabled: false, maxWotDepth: 0 });
-        uvfRecoveryKey.value = await RecoveryKey.create();
-        recoveryKeyStr.value = uvfRecoveryKey.value.serializePrivateKey();
+        uvfVault.value = await UniversalVaultFormat.create({ enabled: false, maxWotDepth: 0 });
+        recoveryKeyStr.value = uvfVault.value.recoveryKey.serializePrivateKey();
         break;
     }
     state.value = State.EnterVaultDetails;
@@ -336,36 +338,27 @@ async function createVault() {
     if (!owner.publicKey) {
       throw new Error('Invalid state');
     }
-    const vault: VaultDto = {
-      id: crypto.randomUUID(),
-      name: vaultName.value,
-      description: vaultDescription.value,
-      archived: false,
-      creationTime: new Date()
-    };
     const ownerGrant: AccessGrant = { userId: owner.id, token: '' };
     switch (vaultType) {
       case VaultType.VaultFormat8: {
         if (!format8VaultKeys.value) {
           throw new Error('Invalid state');
         }
-        vaultConfig.value = await VaultConfig.create(vault.id, format8VaultKeys.value);
         ownerGrant.token = await format8VaultKeys.value.encryptForUser(base64.parse(owner.publicKey));
         break;
       }
       case VaultType.UniversalVaultFormat: {
-        if (!uvfMetadata.value || !uvfRecoveryKey.value) {
+        if (!uvfVault.value) {
           throw new Error('Invalid state');
         }
-        const memberKey = await MemberKey.create();
-        ownerGrant.token = await memberKey.encryptForUser(base64.parse(owner.publicKey));
-        vault.uvfMetadataFile = await uvfMetadata.value.encrypt(memberKey, uvfRecoveryKey.value);
-        vault.uvfRecoveryPublicKey = await uvfRecoveryKey.value.serializePublicKey();
+        ownerGrant.token = await uvfVault.value.encryptForUser(base64.parse(owner.publicKey));
+        vault.value.uvfMetadataFile = await uvfVault.value.createMetadataFile();
+        vault.value.uvfRecoveryPublicKey = await uvfVault.value.recoveryKey.serializePublicKey();
         break;
       }
     }
-    await backend.vaults.createOrUpdateVault(vault);
-    await backend.vaults.grantAccess(vault.id, ownerGrant);
+    await backend.vaults.createOrUpdateVault(vault.value);
+    await backend.vaults.grantAccess(vault.value.id, ownerGrant);
     state.value = State.Finished;
   } catch (error) {
     console.error('Creating vault failed.', error);
@@ -382,11 +375,15 @@ async function copyRecoveryKey() {
 }
 
 async function downloadVaultTemplate() {
+  if (!format8VaultKeys.value && !uvfVault.value) {
+    throw new Error('Invalid state');
+  }
   onDownloadTemplateError.value = null;
   try {
-    const blob = await vaultConfig.value?.exportTemplate();
+    const templateProducer: VaultTemplateProducing = format8VaultKeys.value || uvfVault.value!;
+    const blob = await templateProducer.exportTemplate(vault.value);
     if (blob != null) {
-      saveAs(blob, `${vaultName.value}.zip`);
+      saveAs(blob, `${vault.value.name}.zip`);
     } else {
       throw new EmptyVaultTemplateError();
     }
diff --git a/frontend/src/components/DownloadVaultTemplateDialog.vue b/frontend/src/components/DownloadVaultTemplateDialog.vue
index 90262ef18..f2d5d0f20 100644
--- a/frontend/src/components/DownloadVaultTemplateDialog.vue
+++ b/frontend/src/components/DownloadVaultTemplateDialog.vue
@@ -54,8 +54,7 @@ import { saveAs } from 'file-saver';
 import { ref } from 'vue';
 import { useI18n } from 'vue-i18n';
 import { VaultDto } from '../common/backend';
-import { VaultConfig } from '../common/vaultconfig';
-import { VaultKeys } from '../common/vaultv8';
+import { VaultTemplateProducing } from '../common/crypto';
 
 const { t } = useI18n({ useScope: 'global' });
 
@@ -65,7 +64,7 @@ const onDownloadError = ref<Error|null>();
 
 const props = defineProps<{
   vault: VaultDto
-  vaultKeys: VaultKeys
+  vaultKeys: VaultTemplateProducing
 }>();
 
 defineEmits<{
@@ -83,7 +82,7 @@ function show() {
 async function downloadVault() {
   onDownloadError.value = null;
   try {
-    const blob = await generateVaultZip();
+    const blob = await props.vaultKeys.exportTemplate(props.vault);
     saveAs(blob, `${props.vault.name}.zip`);
     open.value = false;
   } catch (error) {
@@ -91,9 +90,4 @@ async function downloadVault() {
     onDownloadError.value = error instanceof Error ? error : new Error('Unknown Error');
   }
 }
-
-async function generateVaultZip(): Promise<Blob> {
-  const config = await VaultConfig.create(props.vault.id, props.vaultKeys);
-  return await config.exportTemplate();
-}
 </script>
diff --git a/frontend/src/components/GrantPermissionDialog.vue b/frontend/src/components/GrantPermissionDialog.vue
index d97d5f20e..39c969231 100644
--- a/frontend/src/components/GrantPermissionDialog.vue
+++ b/frontend/src/components/GrantPermissionDialog.vue
@@ -72,7 +72,7 @@ import { base64 } from 'rfc4648';
 import { onMounted, ref } from 'vue';
 import { useI18n } from 'vue-i18n';
 import backend, { AccessGrant, ConflictError, NotFoundError, UserDto, VaultDto } from '../common/backend';
-import { UserEncryptable, getFingerprint } from '../common/crypto';
+import { AccessTokenProducing, getFingerprint } from '../common/crypto';
 
 const { t } = useI18n({ useScope: 'global' });
 
@@ -83,7 +83,7 @@ const onGrantPermissionError = ref<Error | null>();
 const props = defineProps<{
   vault: VaultDto
   users: UserDto[]
-  vaultKeys: UserEncryptable
+  vaultKeys: AccessTokenProducing
 }>();
 
 const emit = defineEmits<{
diff --git a/frontend/src/components/VaultDetails.vue b/frontend/src/components/VaultDetails.vue
index 59311e2db..1a45c2fa3 100644
--- a/frontend/src/components/VaultDetails.vue
+++ b/frontend/src/components/VaultDetails.vue
@@ -153,10 +153,11 @@
         <button v-if="vaultRole == 'OWNER'" type="button" class="bg-white py-2 px-4 border border-gray-300 rounded-md shadow-sm text-sm font-medium text-gray-700 hover:bg-gray-50 focus:outline-none focus:ring-2 focus:ring-offset-2 focus:ring-primary" @click="showDownloadVaultTemplateDialog()">
           {{ t('vaultDetails.actions.downloadVaultTemplate') }}
         </button>
-        <!-- displayRecoveryKey button -->
-        <button v-if="vaultRole == 'OWNER'" type="button" class="bg-white py-2 px-4 border border-gray-300 rounded-md shadow-sm text-sm font-medium text-gray-700 hover:bg-gray-50 focus:outline-none focus:ring-2 focus:ring-offset-2 focus:ring-primary" @click="showDisplayRecoveryKeyDialog()">
+        <!-- displayRecoveryKey button (Vault Format 8 only) -->
+        <button v-if="vaultRole == 'OWNER' && vaultKeys" type="button" class="bg-white py-2 px-4 border border-gray-300 rounded-md shadow-sm text-sm font-medium text-gray-700 hover:bg-gray-50 focus:outline-none focus:ring-2 focus:ring-offset-2 focus:ring-primary" @click="showDisplayRecoveryKeyDialog()">
           {{ t('vaultDetails.actions.displayRecoveryKey') }}
         </button>
+        <!-- TODO: regenerateRecoveryKey button (UVF only) -->
         <!-- reactivateVault button -->
         <button v-if="(vaultRole == 'OWNER' || isAdmin)" type="button" class="bg-red-600 py-2 px-4 border border-transparent rounded-md shadow-sm text-sm font-medium text-white  hover:bg-red-700 focus:outline-none focus:ring-2 focus:ring-offset-2 focus:ring-red-500" @click="showReactivateVaultDialog()">
           {{ t('vaultDetails.actions.reactivateVault') }}
@@ -196,10 +197,10 @@
   </div>
 
   <ClaimVaultOwnershipDialog v-if="claimingVaultOwnership && vault" ref="claimVaultOwnershipDialog" :vault="vault" @action="provedOwnership" @close="claimingVaultOwnership = false" />
-  <GrantPermissionDialog v-if="grantingPermission && vault && (vaultKeys || uvfMemberKey)" ref="grantPermissionDialog" :vault="vault" :users="usersRequiringAccessGrant" :vault-keys="(vaultKeys || uvfMemberKey)!" @close="grantingPermission = false" @permission-granted="permissionGranted()" />
+  <GrantPermissionDialog v-if="grantingPermission && vault && (vaultKeys || uvfVault)" ref="grantPermissionDialog" :vault="vault" :users="usersRequiringAccessGrant" :vault-keys="(vaultKeys || uvfVault)!" @close="grantingPermission = false" @permission-granted="permissionGranted()" />
   <EditVaultMetadataDialog v-if="editingVaultMetadata && vault" ref="editVaultMetadataDialog" :vault="vault" @close="editingVaultMetadata = false" @updated="v => refreshVault(v)" />
-  <DownloadVaultTemplateDialog v-if="downloadingVaultTemplate && vault && (vaultKeys || uvfMetadata)" ref="downloadVaultTemplateDialog" :vault="vault" :vault-keys="vaultKeys" @close="downloadingVaultTemplate = false" />
-  <DisplayRecoveryKeyDialog v-if="displayingRecoveryKey && vault && (vaultKeys || uvfMetadata)" ref="displayRecoveryKeyDialog" :vault="vault" :vault-keys="vaultKeys" @close="displayingRecoveryKey = false" />
+  <DownloadVaultTemplateDialog v-if="downloadingVaultTemplate && vault && (vaultKeys || uvfVault)" ref="downloadVaultTemplateDialog" :vault="vault" :vault-keys="(vaultKeys || uvfVault)!" @close="downloadingVaultTemplate = false" />
+  <DisplayRecoveryKeyDialog v-if="displayingRecoveryKey && vault && vaultKeys" ref="displayRecoveryKeyDialog" :vault="vault" :vault-keys="vaultKeys" @close="displayingRecoveryKey = false" />
   <ArchiveVaultDialog v-if="archivingVault && vault" ref="archiveVaultDialog" :vault="vault" @close="archivingVault = false" @archived="v => refreshVault(v)" />
   <ReactivateVaultDialog v-if="reactivatingVault && vault" ref="reactivateVaultDialog" :vault="vault" @close="reactivatingVault = false" @reactivated="v => { refreshVault(v); refreshLicense();}" />
   <RecoverVaultDialog v-if="recoveringVault && vault && me" ref="recoverVaultDialog" :vault="vault" :me="me" @close="recoveringVault = false" @recovered="fetchOwnerData()" />
@@ -216,7 +217,7 @@ import auth from '../common/auth';
 import backend, { AuthorityDto, ConflictError, ForbiddenError, LicenseUserInfoDto, MemberDto, NotFoundError, PaymentRequiredError, UserDto, VaultDto, VaultRole } from '../common/backend';
 import { BrowserKeys, UserKeys } from '../common/crypto';
 import { JWT, JWTHeader } from '../common/jwt';
-import { MemberKey, VaultMetadata } from '../common/uvf';
+import { MemberKey, UniversalVaultFormat } from '../common/uvf';
 import { VaultKeys } from '../common/vaultv8';
 import ArchiveVaultDialog from './ArchiveVaultDialog.vue';
 import ClaimVaultOwnershipDialog from './ClaimVaultOwnershipDialog.vue';
@@ -265,8 +266,7 @@ const recoveringVault = ref(false);
 const recoverVaultDialog = ref<typeof RecoverVaultDialog>();
 const vault = ref<VaultDto>();
 const vaultKeys = ref<VaultKeys>();
-const uvfMetadata = ref<VaultMetadata>();
-const uvfMemberKey = ref<MemberKey>();
+const uvfVault = ref<UniversalVaultFormat>();
 const members = ref<Map<string, MemberDto>>(new Map());
 const usersRequiringAccessGrant = ref<UserDto[]>([]);
 const claimVaultOwnershipDialog = ref<typeof ClaimVaultOwnershipDialog>();
@@ -307,9 +307,7 @@ async function fetchOwnerData() {
     vaultRecoveryRequired.value = false;
     const accessToken = await backend.vaults.accessToken(props.vaultId, true);
     if (vault.value.uvfMetadataFile) {
-      const decrypted = await loadUvfMetadata(accessToken);
-      uvfMetadata.value = decrypted.uvfMetadata;
-      uvfMemberKey.value = decrypted.memberKey;
+      uvfVault.value = await loadUvfVault(accessToken);
     } else {
       vaultKeys.value = await loadVaultKeys(accessToken);
     }
@@ -343,7 +341,7 @@ async function loadVaultKeys(vaultKeyJwe: string): Promise<VaultKeys> {
   return VaultKeys.decryptWithUserKey(vaultKeyJwe, userKeys.keyPair.privateKey);
 }
 
-async function loadUvfMetadata(memberKeyJwe: string): Promise<{uvfMetadata: VaultMetadata, memberKey: MemberKey}> {
+async function loadUvfVault(memberKeyJwe: string): Promise<UniversalVaultFormat> {
   if (!vault.value || !vault.value.uvfMetadataFile) {
     throw new Error('Vault not initialized.');
   }
@@ -361,8 +359,7 @@ async function loadUvfMetadata(memberKeyJwe: string): Promise<{uvfMetadata: Vaul
   }
   const userKeys = await UserKeys.decryptOnBrowser(myDevice.userPrivateKey, browserKeys.keyPair.privateKey, base64.parse(me.value.publicKey));
   const memberKey = await MemberKey.decryptWithUserKey(memberKeyJwe, userKeys.keyPair.privateKey);
-  const uvfMetadata = await VaultMetadata.decryptWithMemberKey(vault.value.uvfMetadataFile, memberKey);
-  return {uvfMetadata, memberKey};
+  return UniversalVaultFormat.decrypt(vault.value, memberKey);
 }
 
 async function provedOwnership(keys: VaultKeys, ownerKeyPair: CryptoKeyPair) {

From 69f036020c0502a49e83ca3e311e4a53ac5f5c45 Mon Sep 17 00:00:00 2001
From: Sebastian Stenzel <sebastian.stenzel@skymatic.de>
Date: Thu, 2 May 2024 22:28:38 +0200
Subject: [PATCH 19/94] fix linter errors

---
 frontend/src/common/uvf.ts              | 5 +++--
 frontend/src/common/vaultv8.ts          | 3 ++-
 frontend/src/components/CreateVault.vue | 2 +-
 3 files changed, 6 insertions(+), 4 deletions(-)

diff --git a/frontend/src/common/uvf.ts b/frontend/src/common/uvf.ts
index a8ff97e1f..284f0468f 100644
--- a/frontend/src/common/uvf.ts
+++ b/frontend/src/common/uvf.ts
@@ -3,6 +3,7 @@ import { base64, base64url } from 'rfc4648';
 import { VaultDto } from './backend';
 import { AccessTokenProducing, UserKeys, VaultTemplateProducing, getJwkThumbprint } from './crypto';
 import { JWE, JWEHeader, JsonJWE, Recipient } from './jwe';
+import { CRC32, wordEncoder } from './util';
 
 type MetadataPayload = {
   fileFormat: 'AES-256-GCM-32k';
@@ -97,14 +98,14 @@ export class RecoveryKey {
 
   public static readonly KEY_USAGE: KeyUsage[] = ['deriveKey', 'deriveBits'];
 
-  protected constructor(private publicKey: CryptoKey, private privateKey?: CryptoKey) { }
+  protected constructor(readonly publicKey: CryptoKey, private privateKey?: CryptoKey) { }
 
   /**
    * Creates a new vault member key
    * @returns new key
    */
   public static async create(): Promise<RecoveryKey> {
-    const keypair = await crypto.subtle.generateKey(RecoveryKey.KEY_DESIGNATION, false, RecoveryKey.KEY_USAGE);
+    const keypair = await crypto.subtle.generateKey(RecoveryKey.KEY_DESIGNATION, true, RecoveryKey.KEY_USAGE);
     return new RecoveryKey(keypair.publicKey, keypair.privateKey);
   }
 
diff --git a/frontend/src/common/vaultv8.ts b/frontend/src/common/vaultv8.ts
index b1fdce28d..03b2c5afb 100644
--- a/frontend/src/common/vaultv8.ts
+++ b/frontend/src/common/vaultv8.ts
@@ -223,7 +223,8 @@ export class VaultKeys implements AccessTokenProducing, VaultTemplateProducing {
     return unsignedToken + '.' + base64url.stringify(new Uint8Array(signature), { pad: false });
   }
 
-  private async hashDirectoryId(cleartextDirectoryId: string): Promise<string> {
+  // visible for testing
+  public async hashDirectoryId(cleartextDirectoryId: string): Promise<string> {
     const dirHash = new TextEncoder().encode(cleartextDirectoryId);
     const rawkey = new Uint8Array(await crypto.subtle.exportKey('raw', this.masterKey));
     try {
diff --git a/frontend/src/components/CreateVault.vue b/frontend/src/components/CreateVault.vue
index 695daa49f..7ba356d8f 100644
--- a/frontend/src/components/CreateVault.vue
+++ b/frontend/src/components/CreateVault.vue
@@ -287,7 +287,7 @@ async function initialize() {
         break;
       case VaultType.UniversalVaultFormat:
         uvfVault.value = await UniversalVaultFormat.create({ enabled: false, maxWotDepth: 0 });
-        recoveryKeyStr.value = uvfVault.value.recoveryKey.serializePrivateKey();
+        recoveryKeyStr.value = await uvfVault.value.recoveryKey.serializePrivateKey();
         break;
     }
     state.value = State.EnterVaultDetails;

From 7bddc627f2ac4491a5ebf03160d3754d96f0b266 Mon Sep 17 00:00:00 2001
From: Sebastian Stenzel <sebastian.stenzel@skymatic.de>
Date: Thu, 2 May 2024 22:29:01 +0200
Subject: [PATCH 20/94] experimental implementation of `serializePrivateKey()`

---
 frontend/src/common/uvf.ts | 23 +++++++++++++++++++++--
 1 file changed, 21 insertions(+), 2 deletions(-)

diff --git a/frontend/src/common/uvf.ts b/frontend/src/common/uvf.ts
index 284f0468f..c83747f82 100644
--- a/frontend/src/common/uvf.ts
+++ b/frontend/src/common/uvf.ts
@@ -134,8 +134,27 @@ export class RecoveryKey {
    * Encodes the private key
    * @returns private key in a human-readable encoding
    */
-  public serializePrivateKey(): string {
-    return 'TODO'; // TODO
+  public async serializePrivateKey(): Promise<string> {
+    if (!this.privateKey) {
+      throw new Error('Private key not available');
+    }
+    const rawkey = new Uint8Array(await crypto.subtle.exportKey('pkcs8', this.privateKey));
+
+    // add 16 bit checksum:
+    const crc32 = CRC32.compute(rawkey);
+    const checksum = new Uint8Array(2);
+    checksum[0] = crc32 & 0xff;      // append the least significant byte of the crc
+    checksum[1] = crc32 >> 8 & 0xff; // followed by the second-least significant byte
+    const combined = new Uint8Array([...rawkey, ...checksum]);
+
+    // add 1-3 bytes of padding:
+    const numPaddingBytes = 3 - (combined.length % 3);
+    const padding = new Uint8Array(numPaddingBytes);
+    padding.fill(numPaddingBytes & 0xFF); // 01 or 02 02 or 03 03 03
+    const padded = new Uint8Array([...combined, ...padding]);
+
+    // encode using human-readable words:
+    return wordEncoder.encodePadded(padded);
   }
 
   /**

From ba05d8b91437b96db093db9f9002d23301c8d0ad Mon Sep 17 00:00:00 2001
From: Sebastian Stenzel <sebastian.stenzel@skymatic.de>
Date: Thu, 2 May 2024 22:29:49 +0200
Subject: [PATCH 21/94] make config.ts usable during tests

---
 frontend/package-lock.json                | 395 +++++++++++++++++++++-
 frontend/package.json                     |   3 +-
 frontend/src/common/auth.ts               |   2 +-
 frontend/src/common/config.ts             |  33 +-
 frontend/src/common/vaultv8.ts            |   2 +-
 frontend/src/components/AdminSettings.vue |   2 +-
 frontend/src/components/UserProfile.vue   |   2 +-
 frontend/test/common/vaultv8.spec.ts      |   2 +-
 8 files changed, 406 insertions(+), 35 deletions(-)

diff --git a/frontend/package-lock.json b/frontend/package-lock.json
index 35ce19071..4876c9edf 100644
--- a/frontend/package-lock.json
+++ b/frontend/package-lock.json
@@ -22,7 +22,7 @@
         "semver": "^7.6.0",
         "vue": "^3.3.13",
         "vue-i18n": "^9.13.1",
-        "vue-router": "4.2.5"
+        "vue-router": "^4.2.5"
       },
       "devDependencies": {
         "@intlify/unplugin-vue-i18n": "^4.0.0",
@@ -44,6 +44,7 @@
         "chai-bytes": "^0.1.2",
         "eslint": "^8.57.0",
         "eslint-plugin-vue": "^9.25.0",
+        "jsdom-global": "^3.0.2",
         "mocha": "^10.4.0",
         "nyc": "^15.1.0",
         "postcss": "^8.4.38",
@@ -2158,6 +2159,19 @@
         "node": ">=0.4.0"
       }
     },
+    "node_modules/agent-base": {
+      "version": "7.1.1",
+      "resolved": "https://registry.npmjs.org/agent-base/-/agent-base-7.1.1.tgz",
+      "integrity": "sha512-H0TSyFNDMomMNJQBn8wFV5YC/2eJ+VXECwOadZJT554xP6cODZHPX3H9QMQECxvrgiSOP1pHjy1sMWQVYJOUOA==",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "debug": "^4.3.4"
+      },
+      "engines": {
+        "node": ">= 14"
+      }
+    },
     "node_modules/aggregate-error": {
       "version": "3.1.0",
       "resolved": "https://registry.npmjs.org/aggregate-error/-/aggregate-error-3.1.0.tgz",
@@ -2709,11 +2723,38 @@
         "node": ">=4"
       }
     },
+    "node_modules/cssstyle": {
+      "version": "4.0.1",
+      "resolved": "https://registry.npmjs.org/cssstyle/-/cssstyle-4.0.1.tgz",
+      "integrity": "sha512-8ZYiJ3A/3OkDd093CBT/0UKDWry7ak4BdPTFP2+QEP7cmhouyq/Up709ASSj2cK02BbZiMgk7kYjZNS4QP5qrQ==",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "rrweb-cssom": "^0.6.0"
+      },
+      "engines": {
+        "node": ">=18"
+      }
+    },
     "node_modules/csstype": {
       "version": "3.1.3",
       "resolved": "https://registry.npmjs.org/csstype/-/csstype-3.1.3.tgz",
       "integrity": "sha512-M1uQkMl8rQK/szD0LNhtqxIPLpimGm8sOBwU7lLnCpSbTyY3yeU1Vc7l4KT5zT4s/yOxHH5O7tIuuLOCnLADRw=="
     },
+    "node_modules/data-urls": {
+      "version": "5.0.0",
+      "resolved": "https://registry.npmjs.org/data-urls/-/data-urls-5.0.0.tgz",
+      "integrity": "sha512-ZYP5VBHshaDAiVZxjbRVcFJpc+4xGgT0bK3vzy1HLN8jTO975HEbuYzZJcHoQEY5K1a0z8YayJkyVETa08eNTg==",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "whatwg-mimetype": "^4.0.0",
+        "whatwg-url": "^14.0.0"
+      },
+      "engines": {
+        "node": ">=18"
+      }
+    },
     "node_modules/de-indent": {
       "version": "1.0.2",
       "resolved": "https://registry.npmjs.org/de-indent/-/de-indent-1.0.2.tgz",
@@ -2746,6 +2787,13 @@
         "node": ">=0.10.0"
       }
     },
+    "node_modules/decimal.js": {
+      "version": "10.4.3",
+      "resolved": "https://registry.npmjs.org/decimal.js/-/decimal.js-10.4.3.tgz",
+      "integrity": "sha512-VBBaLc1MgL5XpzgIP7ny5Z6Nx3UrRkIViUkPUdtl9aya5amy3De1gsUUSB1g3+3sExYNjCAsAznmukyxCb1GRA==",
+      "dev": true,
+      "peer": true
+    },
     "node_modules/deep-eql": {
       "version": "4.1.3",
       "resolved": "https://registry.npmjs.org/deep-eql/-/deep-eql-4.1.3.tgz",
@@ -3573,12 +3621,66 @@
         "he": "bin/he"
       }
     },
+    "node_modules/html-encoding-sniffer": {
+      "version": "4.0.0",
+      "resolved": "https://registry.npmjs.org/html-encoding-sniffer/-/html-encoding-sniffer-4.0.0.tgz",
+      "integrity": "sha512-Y22oTqIU4uuPgEemfz7NDJz6OeKf12Lsu+QC+s3BVpda64lTiMYCyGwg5ki4vFxkMwQdeZDl2adZoqUgdFuTgQ==",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "whatwg-encoding": "^3.1.1"
+      },
+      "engines": {
+        "node": ">=18"
+      }
+    },
     "node_modules/html-escaper": {
       "version": "2.0.2",
       "resolved": "https://registry.npmjs.org/html-escaper/-/html-escaper-2.0.2.tgz",
       "integrity": "sha512-H2iMtd0I4Mt5eYiapRdIDjp+XzelXQ0tFE4JS7YFwFevXXMmOp9myNrUvCg0D6ws8iqkRPBfKHgbwig1SmlLfg==",
       "dev": true
     },
+    "node_modules/http-proxy-agent": {
+      "version": "7.0.2",
+      "resolved": "https://registry.npmjs.org/http-proxy-agent/-/http-proxy-agent-7.0.2.tgz",
+      "integrity": "sha512-T1gkAiYYDWYx3V5Bmyu7HcfcvL7mUrTWiM6yOfa3PIphViJ/gFPbvidQ+veqSOHci/PxBcDabeUNCzpOODJZig==",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "agent-base": "^7.1.0",
+        "debug": "^4.3.4"
+      },
+      "engines": {
+        "node": ">= 14"
+      }
+    },
+    "node_modules/https-proxy-agent": {
+      "version": "7.0.4",
+      "resolved": "https://registry.npmjs.org/https-proxy-agent/-/https-proxy-agent-7.0.4.tgz",
+      "integrity": "sha512-wlwpilI7YdjSkWaQ/7omYBMTliDcmCN8OLihO6I9B86g06lMyAoqgoDpV0XqoaPOKj+0DIdAvnsWfyAAhmimcg==",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "agent-base": "^7.0.2",
+        "debug": "4"
+      },
+      "engines": {
+        "node": ">= 14"
+      }
+    },
+    "node_modules/iconv-lite": {
+      "version": "0.6.3",
+      "resolved": "https://registry.npmjs.org/iconv-lite/-/iconv-lite-0.6.3.tgz",
+      "integrity": "sha512-4fCk79wshMdzMp2rH06qWrJE4iolqLhCUH+OiuIgU++RB0+94NlDL81atO7GX55uUKueo0txHNtvEyI6D7WdMw==",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "safer-buffer": ">= 2.1.2 < 3.0.0"
+      },
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
     "node_modules/ignore": {
       "version": "5.3.1",
       "resolved": "https://registry.npmjs.org/ignore/-/ignore-5.3.1.tgz",
@@ -3717,6 +3819,13 @@
         "node": ">=8"
       }
     },
+    "node_modules/is-potential-custom-element-name": {
+      "version": "1.0.1",
+      "resolved": "https://registry.npmjs.org/is-potential-custom-element-name/-/is-potential-custom-element-name-1.0.1.tgz",
+      "integrity": "sha512-bCYeRA2rVibKZd+s2625gGnGF/t7DSqDs4dP7CrLA1m7jKWz6pps0LpYLJN8Q64HtmPKJ1hrN3nzPNKFEKOUiQ==",
+      "dev": true,
+      "peer": true
+    },
     "node_modules/is-stream": {
       "version": "2.0.1",
       "resolved": "https://registry.npmjs.org/is-stream/-/is-stream-2.0.1.tgz",
@@ -3946,6 +4055,66 @@
         "js-yaml": "bin/js-yaml.js"
       }
     },
+    "node_modules/jsdom": {
+      "version": "24.0.0",
+      "resolved": "https://registry.npmjs.org/jsdom/-/jsdom-24.0.0.tgz",
+      "integrity": "sha512-UDS2NayCvmXSXVP6mpTj+73JnNQadZlr9N68189xib2tx5Mls7swlTNao26IoHv46BZJFvXygyRtyXd1feAk1A==",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "cssstyle": "^4.0.1",
+        "data-urls": "^5.0.0",
+        "decimal.js": "^10.4.3",
+        "form-data": "^4.0.0",
+        "html-encoding-sniffer": "^4.0.0",
+        "http-proxy-agent": "^7.0.0",
+        "https-proxy-agent": "^7.0.2",
+        "is-potential-custom-element-name": "^1.0.1",
+        "nwsapi": "^2.2.7",
+        "parse5": "^7.1.2",
+        "rrweb-cssom": "^0.6.0",
+        "saxes": "^6.0.0",
+        "symbol-tree": "^3.2.4",
+        "tough-cookie": "^4.1.3",
+        "w3c-xmlserializer": "^5.0.0",
+        "webidl-conversions": "^7.0.0",
+        "whatwg-encoding": "^3.1.1",
+        "whatwg-mimetype": "^4.0.0",
+        "whatwg-url": "^14.0.0",
+        "ws": "^8.16.0",
+        "xml-name-validator": "^5.0.0"
+      },
+      "engines": {
+        "node": ">=18"
+      },
+      "peerDependencies": {
+        "canvas": "^2.11.2"
+      },
+      "peerDependenciesMeta": {
+        "canvas": {
+          "optional": true
+        }
+      }
+    },
+    "node_modules/jsdom-global": {
+      "version": "3.0.2",
+      "resolved": "https://registry.npmjs.org/jsdom-global/-/jsdom-global-3.0.2.tgz",
+      "integrity": "sha512-t1KMcBkz/pT5JrvcJbpUR2u/w1kO9jXctaaGJ0vZDzwFnIvGWw9IDSRciT83kIs8Bnw4qpOl8bQK08V01YgMPg==",
+      "dev": true,
+      "peerDependencies": {
+        "jsdom": ">=10.0.0"
+      }
+    },
+    "node_modules/jsdom/node_modules/xml-name-validator": {
+      "version": "5.0.0",
+      "resolved": "https://registry.npmjs.org/xml-name-validator/-/xml-name-validator-5.0.0.tgz",
+      "integrity": "sha512-EvGK8EJ3DhaHfbRlETOWAS5pO9MZITeauHKJyb8wyajUfQUenkIg2MvLDTZ4T/TgIcm3HU0TFBgWWboAZ30UHg==",
+      "dev": true,
+      "peer": true,
+      "engines": {
+        "node": ">=18"
+      }
+    },
     "node_modules/jsesc": {
       "version": "2.5.2",
       "resolved": "https://registry.npmjs.org/jsesc/-/jsesc-2.5.2.tgz",
@@ -4429,6 +4598,13 @@
         "url": "https://github.com/fb55/nth-check?sponsor=1"
       }
     },
+    "node_modules/nwsapi": {
+      "version": "2.2.9",
+      "resolved": "https://registry.npmjs.org/nwsapi/-/nwsapi-2.2.9.tgz",
+      "integrity": "sha512-2f3F0SEEer8bBu0dsNCFF50N0cTThV1nWFYcEYFZttdW0lDAoybv9cQoK7X7/68Z89S7FoRrVjP1LPX4XRf9vg==",
+      "dev": true,
+      "peer": true
+    },
     "node_modules/nyc": {
       "version": "15.1.0",
       "resolved": "https://registry.npmjs.org/nyc/-/nyc-15.1.0.tgz",
@@ -4764,6 +4940,19 @@
         "node": ">=6"
       }
     },
+    "node_modules/parse5": {
+      "version": "7.1.2",
+      "resolved": "https://registry.npmjs.org/parse5/-/parse5-7.1.2.tgz",
+      "integrity": "sha512-Czj1WaSVpaoj0wbhMzLmWD69anp2WH7FXMB9n1Sy8/ZFF9jolSQVMu1Ij5WIyGmcBmhk7EOndpO4mIpihVqAXw==",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "entities": "^4.4.0"
+      },
+      "funding": {
+        "url": "https://github.com/inikulin/parse5?sponsor=1"
+      }
+    },
     "node_modules/path-browserify": {
       "version": "1.0.1",
       "resolved": "https://registry.npmjs.org/path-browserify/-/path-browserify-1.0.1.tgz",
@@ -5127,6 +5316,13 @@
       "resolved": "https://registry.npmjs.org/proxy-from-env/-/proxy-from-env-1.1.0.tgz",
       "integrity": "sha512-D+zkORCbA9f1tdWRK0RaCR3GPv50cMxcrz4X8k5LTSUD1Dkw47mKJEZQNunItRTkWwgtaUSo1RVFRIG9ZXiFYg=="
     },
+    "node_modules/psl": {
+      "version": "1.9.0",
+      "resolved": "https://registry.npmjs.org/psl/-/psl-1.9.0.tgz",
+      "integrity": "sha512-E/ZsdU4HLs/68gYzgGTkMicWTLPdAftJLfJFlLUAAKZGkStNU72sZjT66SnMDVOfOWY/YAoiD7Jxa9iHvngcag==",
+      "dev": true,
+      "peer": true
+    },
     "node_modules/punycode": {
       "version": "2.3.1",
       "resolved": "https://registry.npmjs.org/punycode/-/punycode-2.3.1.tgz",
@@ -5136,6 +5332,13 @@
         "node": ">=6"
       }
     },
+    "node_modules/querystringify": {
+      "version": "2.2.0",
+      "resolved": "https://registry.npmjs.org/querystringify/-/querystringify-2.2.0.tgz",
+      "integrity": "sha512-FIqgj2EUvTa7R50u0rGsyTftzjYmv/a3hO345bZNrqabNqjtgiDMgmo4mkUjd+nzU5oF3dClKqFIPUKybUyqoQ==",
+      "dev": true,
+      "peer": true
+    },
     "node_modules/queue-microtask": {
       "version": "1.2.3",
       "resolved": "https://registry.npmjs.org/queue-microtask/-/queue-microtask-1.2.3.tgz",
@@ -5224,6 +5427,13 @@
       "integrity": "sha512-NKN5kMDylKuldxYLSUfrbo5Tuzh4hd+2E8NPPX02mZtn1VuREQToYe/ZdlJy+J3uCpfaiGF05e7B8W0iXbQHmg==",
       "dev": true
     },
+    "node_modules/requires-port": {
+      "version": "1.0.0",
+      "resolved": "https://registry.npmjs.org/requires-port/-/requires-port-1.0.0.tgz",
+      "integrity": "sha512-KigOCHcocU3XODJxsu8i/j8T9tzT4adHiecwORRQ0ZZFcp7ahwXuRU1m+yuO90C5ZUyGeGfocHDI14M3L3yDAQ==",
+      "dev": true,
+      "peer": true
+    },
     "node_modules/resolve": {
       "version": "1.22.8",
       "resolved": "https://registry.npmjs.org/resolve/-/resolve-1.22.8.tgz",
@@ -5355,6 +5565,13 @@
         "fsevents": "~2.3.2"
       }
     },
+    "node_modules/rrweb-cssom": {
+      "version": "0.6.0",
+      "resolved": "https://registry.npmjs.org/rrweb-cssom/-/rrweb-cssom-0.6.0.tgz",
+      "integrity": "sha512-APM0Gt1KoXBz0iIkkdB/kfvGOwC4UuJFeG/c+yV7wSc7q96cG/kJ0HiYCnzivD9SB53cLV1MlHFNfOuPaadYSw==",
+      "dev": true,
+      "peer": true
+    },
     "node_modules/run-parallel": {
       "version": "1.2.0",
       "resolved": "https://registry.npmjs.org/run-parallel/-/run-parallel-1.2.0.tgz",
@@ -5382,6 +5599,26 @@
       "resolved": "https://registry.npmjs.org/safe-buffer/-/safe-buffer-5.1.2.tgz",
       "integrity": "sha512-Gd2UZBJDkXlY7GbJxfsE8/nvKkUEU1G38c1siN6QP6a9PT9MmHB8GnpscSmMJSoF8LOIrt8ud/wPtojys4G6+g=="
     },
+    "node_modules/safer-buffer": {
+      "version": "2.1.2",
+      "resolved": "https://registry.npmjs.org/safer-buffer/-/safer-buffer-2.1.2.tgz",
+      "integrity": "sha512-YZo3K82SD7Riyi0E1EQPojLz7kpepnSQI9IyPbHHg1XXXevb5dJI7tpyN2ADxGcQbHG7vcyRHk0cbwqcQriUtg==",
+      "dev": true,
+      "peer": true
+    },
+    "node_modules/saxes": {
+      "version": "6.0.0",
+      "resolved": "https://registry.npmjs.org/saxes/-/saxes-6.0.0.tgz",
+      "integrity": "sha512-xAg7SOnEhrm5zI3puOOKyy1OMcMlIJZYNJY7xLBwSze0UjhPLnWfj2GF2EpT0jmzaJKIWKHLsaSSajf35bcYnA==",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "xmlchars": "^2.2.0"
+      },
+      "engines": {
+        "node": ">=v12.22.7"
+      }
+    },
     "node_modules/semver": {
       "version": "7.6.0",
       "resolved": "https://registry.npmjs.org/semver/-/semver-7.6.0.tgz",
@@ -5676,6 +5913,13 @@
         "url": "https://github.com/sponsors/ljharb"
       }
     },
+    "node_modules/symbol-tree": {
+      "version": "3.2.4",
+      "resolved": "https://registry.npmjs.org/symbol-tree/-/symbol-tree-3.2.4.tgz",
+      "integrity": "sha512-9QNk5KwDF+Bvz+PyObkmSYjI5ksVUYtjW7AU22r2NKcfLJcXp96hkDWU3+XndOsUb+AQ9QhfzfCT2O+CNWT5Tw==",
+      "dev": true,
+      "peer": true
+    },
     "node_modules/tailwindcss": {
       "version": "3.4.3",
       "resolved": "https://registry.npmjs.org/tailwindcss/-/tailwindcss-3.4.3.tgz",
@@ -5813,6 +6057,35 @@
         "node": ">=8.0"
       }
     },
+    "node_modules/tough-cookie": {
+      "version": "4.1.4",
+      "resolved": "https://registry.npmjs.org/tough-cookie/-/tough-cookie-4.1.4.tgz",
+      "integrity": "sha512-Loo5UUvLD9ScZ6jh8beX1T6sO1w2/MpCRpEP7V280GKMVUQ0Jzar2U3UJPsrdbziLEMMhu3Ujnq//rhiFuIeag==",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "psl": "^1.1.33",
+        "punycode": "^2.1.1",
+        "universalify": "^0.2.0",
+        "url-parse": "^1.5.3"
+      },
+      "engines": {
+        "node": ">=6"
+      }
+    },
+    "node_modules/tr46": {
+      "version": "5.0.0",
+      "resolved": "https://registry.npmjs.org/tr46/-/tr46-5.0.0.tgz",
+      "integrity": "sha512-tk2G5R2KRwBd+ZN0zaEXpmzdKyOYksXwywulIX95MBODjSzMIuQnQ3m8JxgbhnL1LeVo7lqQKsYa1O3Htl7K5g==",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "punycode": "^2.3.1"
+      },
+      "engines": {
+        "node": ">=18"
+      }
+    },
     "node_modules/ts-api-utils": {
       "version": "1.3.0",
       "resolved": "https://registry.npmjs.org/ts-api-utils/-/ts-api-utils-1.3.0.tgz",
@@ -5954,6 +6227,16 @@
       "resolved": "https://registry.npmjs.org/undici-types/-/undici-types-5.26.5.tgz",
       "integrity": "sha512-JlCMO+ehdEIKqlFxk6IfVoAUVmgz7cU7zD/h9XZ0qzeosSHmUJVOzSQvvYSYWXkFXC+IfLKSIffhv0sVZup6pA=="
     },
+    "node_modules/universalify": {
+      "version": "0.2.0",
+      "resolved": "https://registry.npmjs.org/universalify/-/universalify-0.2.0.tgz",
+      "integrity": "sha512-CJ1QgKmNg3CwvAv/kOFmtnEN05f0D/cn9QntgNOQlQF9dgvVTHj3t+8JPdjqawCHk7V/KA+fbUqzZ9XWhcqPUg==",
+      "dev": true,
+      "peer": true,
+      "engines": {
+        "node": ">= 4.0.0"
+      }
+    },
     "node_modules/unplugin": {
       "version": "1.10.1",
       "resolved": "https://registry.npmjs.org/unplugin/-/unplugin-1.10.1.tgz",
@@ -6044,6 +6327,17 @@
         "punycode": "^2.1.0"
       }
     },
+    "node_modules/url-parse": {
+      "version": "1.5.10",
+      "resolved": "https://registry.npmjs.org/url-parse/-/url-parse-1.5.10.tgz",
+      "integrity": "sha512-WypcfiRhfeUP9vvF0j6rw0J3hrWrw6iZv3+22h6iRMJ/8z1Tj6XfLP4DsUix5MhMPnXpiHDoKyoZ/bdCkwBCiQ==",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "querystringify": "^2.1.1",
+        "requires-port": "^1.0.0"
+      }
+    },
     "node_modules/util-deprecate": {
       "version": "1.0.2",
       "resolved": "https://registry.npmjs.org/util-deprecate/-/util-deprecate-1.0.2.tgz",
@@ -6223,6 +6517,39 @@
         "typescript": "*"
       }
     },
+    "node_modules/w3c-xmlserializer": {
+      "version": "5.0.0",
+      "resolved": "https://registry.npmjs.org/w3c-xmlserializer/-/w3c-xmlserializer-5.0.0.tgz",
+      "integrity": "sha512-o8qghlI8NZHU1lLPrpi2+Uq7abh4GGPpYANlalzWxyWteJOCsr/P+oPBA49TOLu5FTZO4d3F9MnWJfiMo4BkmA==",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "xml-name-validator": "^5.0.0"
+      },
+      "engines": {
+        "node": ">=18"
+      }
+    },
+    "node_modules/w3c-xmlserializer/node_modules/xml-name-validator": {
+      "version": "5.0.0",
+      "resolved": "https://registry.npmjs.org/xml-name-validator/-/xml-name-validator-5.0.0.tgz",
+      "integrity": "sha512-EvGK8EJ3DhaHfbRlETOWAS5pO9MZITeauHKJyb8wyajUfQUenkIg2MvLDTZ4T/TgIcm3HU0TFBgWWboAZ30UHg==",
+      "dev": true,
+      "peer": true,
+      "engines": {
+        "node": ">=18"
+      }
+    },
+    "node_modules/webidl-conversions": {
+      "version": "7.0.0",
+      "resolved": "https://registry.npmjs.org/webidl-conversions/-/webidl-conversions-7.0.0.tgz",
+      "integrity": "sha512-VwddBukDzu71offAQR975unBIGqfKZpM+8ZX6ySk8nYhVoo5CYaZyzt3YBvYtRtO+aoGlqxPg/B87NGVZ/fu6g==",
+      "dev": true,
+      "peer": true,
+      "engines": {
+        "node": ">=12"
+      }
+    },
     "node_modules/webpack-sources": {
       "version": "3.2.3",
       "resolved": "https://registry.npmjs.org/webpack-sources/-/webpack-sources-3.2.3.tgz",
@@ -6238,6 +6565,43 @@
       "integrity": "sha512-poXpCylU7ExuvZK8z+On3kX+S8o/2dQ/SVYueKA0D4WEMXROXgY8Ez50/bQEUmvoSMMrWcrJqCHuhAbsiwg7Dg==",
       "dev": true
     },
+    "node_modules/whatwg-encoding": {
+      "version": "3.1.1",
+      "resolved": "https://registry.npmjs.org/whatwg-encoding/-/whatwg-encoding-3.1.1.tgz",
+      "integrity": "sha512-6qN4hJdMwfYBtE3YBTTHhoeuUrDBPZmbQaxWAqSALV/MeEnR5z1xd8UKud2RAkFoPkmB+hli1TZSnyi84xz1vQ==",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "iconv-lite": "0.6.3"
+      },
+      "engines": {
+        "node": ">=18"
+      }
+    },
+    "node_modules/whatwg-mimetype": {
+      "version": "4.0.0",
+      "resolved": "https://registry.npmjs.org/whatwg-mimetype/-/whatwg-mimetype-4.0.0.tgz",
+      "integrity": "sha512-QaKxh0eNIi2mE9p2vEdzfagOKHCcj1pJ56EEHGQOVxp8r9/iszLUUV7v89x9O1p/T+NlTM5W7jW6+cz4Fq1YVg==",
+      "dev": true,
+      "peer": true,
+      "engines": {
+        "node": ">=18"
+      }
+    },
+    "node_modules/whatwg-url": {
+      "version": "14.0.0",
+      "resolved": "https://registry.npmjs.org/whatwg-url/-/whatwg-url-14.0.0.tgz",
+      "integrity": "sha512-1lfMEm2IEr7RIV+f4lUNPOqfFL+pO+Xw3fJSqmjX9AbXcXcYOkCe1P6+9VBZB6n94af16NfZf+sSk0JCBZC9aw==",
+      "dev": true,
+      "peer": true,
+      "dependencies": {
+        "tr46": "^5.0.0",
+        "webidl-conversions": "^7.0.0"
+      },
+      "engines": {
+        "node": ">=18"
+      }
+    },
     "node_modules/which": {
       "version": "2.0.2",
       "resolved": "https://registry.npmjs.org/which/-/which-2.0.2.tgz",
@@ -6316,6 +6680,28 @@
         "typedarray-to-buffer": "^3.1.5"
       }
     },
+    "node_modules/ws": {
+      "version": "8.17.0",
+      "resolved": "https://registry.npmjs.org/ws/-/ws-8.17.0.tgz",
+      "integrity": "sha512-uJq6108EgZMAl20KagGkzCKfMEjxmKvZHG7Tlq0Z6nOky7YF7aq4mOx6xK8TJ/i1LeK4Qus7INktacctDgY8Ow==",
+      "dev": true,
+      "peer": true,
+      "engines": {
+        "node": ">=10.0.0"
+      },
+      "peerDependencies": {
+        "bufferutil": "^4.0.1",
+        "utf-8-validate": ">=5.0.2"
+      },
+      "peerDependenciesMeta": {
+        "bufferutil": {
+          "optional": true
+        },
+        "utf-8-validate": {
+          "optional": true
+        }
+      }
+    },
     "node_modules/xml-name-validator": {
       "version": "4.0.0",
       "resolved": "https://registry.npmjs.org/xml-name-validator/-/xml-name-validator-4.0.0.tgz",
@@ -6325,6 +6711,13 @@
         "node": ">=12"
       }
     },
+    "node_modules/xmlchars": {
+      "version": "2.2.0",
+      "resolved": "https://registry.npmjs.org/xmlchars/-/xmlchars-2.2.0.tgz",
+      "integrity": "sha512-JZnDKK8B0RCDw84FNdDAIpZK+JuJw+s7Lz8nksI7SIuU3UXJJslUthsi+uWBUYOwPFwW7W7PRLRfUKpxjtjFCw==",
+      "dev": true,
+      "peer": true
+    },
     "node_modules/y18n": {
       "version": "5.0.8",
       "resolved": "https://registry.npmjs.org/y18n/-/y18n-5.0.8.tgz",
diff --git a/frontend/package.json b/frontend/package.json
index c8562618e..7cf9bd968 100644
--- a/frontend/package.json
+++ b/frontend/package.json
@@ -10,7 +10,7 @@
     "dev": "vite",
     "build": "vue-tsc --noEmit && vite build",
     "lint": "eslint -c .eslintrc.js",
-    "test": "nyc --reporter lcov mocha -r ts-node/register test/**/*.spec.ts",
+    "test": "nyc --reporter lcov mocha -r jsdom-global/register -r ts-node/register test/**/*.spec.ts",
     "serve": "vite preview",
     "dist": "vue-tsc --noEmit && vite build --sourcemap --outDir=\"../backend/src/main/resources/META-INF/resources\" --emptyOutDir"
   },
@@ -38,6 +38,7 @@
     "chai-bytes": "^0.1.2",
     "eslint": "^8.57.0",
     "eslint-plugin-vue": "^9.25.0",
+    "jsdom-global": "^3.0.2",
     "mocha": "^10.4.0",
     "nyc": "^15.1.0",
     "postcss": "^8.4.38",
diff --git a/frontend/src/common/auth.ts b/frontend/src/common/auth.ts
index 1f8f9e142..3e4fe06df 100644
--- a/frontend/src/common/auth.ts
+++ b/frontend/src/common/auth.ts
@@ -56,7 +56,7 @@ class Auth {
 
 // this is a lazy singleton:
 const instance: Promise<Auth> = (async () => {
-  return await Auth.build(config.get());
+  return await Auth.build(await config);
 })();
 
 export default instance;
diff --git a/frontend/src/common/config.ts b/frontend/src/common/config.ts
index 304663055..9306f3c85 100644
--- a/frontend/src/common/config.ts
+++ b/frontend/src/common/config.ts
@@ -25,33 +25,10 @@ export type ConfigDto = {
   apiLevel: number;
 };
 
-class ConfigWrapper {
-  private data: ConfigDto;
-  readonly serverTimeDiff: number;
-
-  private static async loadConfig(): Promise<ConfigDto> {
-    const response = await axios.get<ConfigDto>('/config');
-    return response.data;
-  }
-
-  static async build(): Promise<ConfigWrapper> {
-    return new ConfigWrapper(await this.loadConfig());
-  }
-
-  private constructor(data: ConfigDto) {
-    this.data = data;
-    this.serverTimeDiff = Math.floor((Date.parse(data.serverTime) - Date.now()) / 1000);
-  }
-
-  public get(): ConfigDto {
-    return this.data;
-  }
-
-  public async reload(): Promise<void> {
-    this.data = await ConfigWrapper.loadConfig();
-  }
-}
-
-const config = await ConfigWrapper.build();
+// this is a lazy singleton:
+const config: Promise<ConfigDto> = (async () => {
+  const response = await axios.get<ConfigDto>('/config');
+  return response.data;
+})();
 
 export default config;
diff --git a/frontend/src/common/vaultv8.ts b/frontend/src/common/vaultv8.ts
index 03b2c5afb..de7eaaf3c 100644
--- a/frontend/src/common/vaultv8.ts
+++ b/frontend/src/common/vaultv8.ts
@@ -174,7 +174,7 @@ export class VaultKeys implements AccessTokenProducing, VaultTemplateProducing {
   }
 
   public async exportTemplate(vault: VaultDto): Promise<Blob> {
-    const cfg = config.get();
+    const cfg = await config;
 
     const kid = `hub+${absBackendBaseURL}vaults/${vault.id}`;
 
diff --git a/frontend/src/components/AdminSettings.vue b/frontend/src/components/AdminSettings.vue
index 4aeb6fea2..687d24586 100644
--- a/frontend/src/components/AdminSettings.vue
+++ b/frontend/src/components/AdminSettings.vue
@@ -238,7 +238,7 @@ const numberOfExceededSeats = computed(() => {
 });
 
 onMounted(async () => {
-  let cfg = config.get();
+  let cfg = await config;
   keycloakAdminRealmURL.value = `${cfg.keycloakUrl}/admin/${cfg.keycloakRealm}/console`;
   if (props.token) {
     await setToken(props.token);
diff --git a/frontend/src/components/UserProfile.vue b/frontend/src/components/UserProfile.vue
index 7c03e8fea..7813fc957 100644
--- a/frontend/src/components/UserProfile.vue
+++ b/frontend/src/components/UserProfile.vue
@@ -82,7 +82,7 @@ const version = ref<VersionDto>();
 const onFetchError = ref<Error | null>();
 
 onMounted(async () => {
-  let cfg = config.get();
+  let cfg = await config;
   keycloakUserAccountURL.value = `${cfg.keycloakUrl}/realms/${cfg.keycloakRealm}/account`;
   await fetchData();
 });
diff --git a/frontend/test/common/vaultv8.spec.ts b/frontend/test/common/vaultv8.spec.ts
index 16040689c..f45b2c77d 100644
--- a/frontend/test/common/vaultv8.spec.ts
+++ b/frontend/test/common/vaultv8.spec.ts
@@ -12,7 +12,7 @@ describe('Vault Format 8', () => {
   before(async () => {
     // since this test runs on Node, we need to replace window.crypto:
     Object.defineProperty(global, 'crypto', { value: require('node:crypto').webcrypto });
-    // @ts-ignore: global not defined (but will be available within Node)
+    // @ts-ignore: we only need a subset of the properties available in global.window
     global.window = { crypto: global.crypto };
   });
 

From 3d1db01d0424f4e0e537611117a065ad700e2663 Mon Sep 17 00:00:00 2001
From: Sebastian Stenzel <sebastian.stenzel@skymatic.de>
Date: Fri, 3 May 2024 16:53:53 +0200
Subject: [PATCH 22/94] deduplicate "encrypt for user"

---
 frontend/src/common/crypto.ts            | 64 +++++++++++++++++++++---
 frontend/src/common/uvf.ts               | 42 +++++++---------
 frontend/src/common/vaultv8.ts           | 37 +++++++-------
 frontend/src/components/VaultDetails.vue |  4 +-
 frontend/test/common/uvf.spec.ts         | 15 ++++--
 5 files changed, 105 insertions(+), 57 deletions(-)

diff --git a/frontend/src/common/crypto.ts b/frontend/src/common/crypto.ts
index 2fa903bbc..54f90e269 100644
--- a/frontend/src/common/crypto.ts
+++ b/frontend/src/common/crypto.ts
@@ -17,6 +17,14 @@ interface UserKeysJWEPayload {
   key: string
 }
 
+export interface AccessTokenPayload {
+  /**
+   * The vault key (base64-encoded DER-formatted)
+   */
+  key: string,
+  [key: string]: string | number | boolean | object
+}
+
 export const GCM_NONCE_LEN = 12;
 
 export interface AccessTokenProducing {
@@ -39,19 +47,51 @@ export interface VaultTemplateProducing {
 
 }
 
-export class UserKeys {
+/**
+ * Represents a vault member by their public key.
+ */
+export class OtherVaultMember {
+
+  protected constructor(readonly publicKey: Promise<CryptoKey>) { }
+
+  /**
+   * Creates a new vault member with the given public key
+   * @param publicKey The public key of the vault member
+   * @returns A vault member with the given public key
+   */
+  public static withPublicKey(publicKey: CryptoKey | Uint8Array): OtherVaultMember {
+    let keyPromise: Promise<CryptoKey>;
+    if (publicKey instanceof Uint8Array) {
+      keyPromise = crypto.subtle.importKey('spki', publicKey, UserKeys.KEY_DESIGNATION, false, []);
+    } else {
+      keyPromise = Promise.resolve(publicKey);
+    }
+    return new OtherVaultMember(keyPromise);
+  }
+
+  /**
+   * Creates an access token for this vault member.
+   * @param payload The payload to encrypt
+   * @return A ECDH-ES encrypted JWE containing the encrypted payload
+   */
+  public async createAccessToken(payload: AccessTokenPayload): Promise<string> {
+    const jwe = await JWE.build(payload).encrypt(Recipient.ecdhEs('org.cryptomator.hub.userkey', await this.publicKey));
+    return jwe.compactSerialization();
+  }
+
+}
+
+/**
+ * The current user's key pair.
+ */
+export class UserKeys { // TODO: rename to CurrentUserKeyPair
   public static readonly KEY_USAGES: KeyUsage[] = ['deriveBits'];
 
   public static readonly KEY_DESIGNATION: EcKeyImportParams | EcKeyGenParams = {
     name: 'ECDH',
     namedCurve: 'P-384'
   };
-
-  readonly keyPair: CryptoKeyPair;
-
-  protected constructor(keyPair: CryptoKeyPair) {
-    this.keyPair = keyPair;
-  }
+  protected constructor(readonly keyPair: CryptoKeyPair) { }
 
   /**
    * Creates a new user key pair
@@ -79,6 +119,16 @@ export class UserKeys {
     return new UserKeys({ privateKey: await privateKey, publicKey: await publicKey });
   }
 
+  /**
+   * Decrypts the access token using the user's private key
+   * @param jwe The encrypted access token
+   * @returns The token's payload
+   */
+  public async decryptAccessToken(jwe: string): Promise<AccessTokenPayload> {
+    const payload = await JWE.parseCompact(jwe).decrypt(Recipient.ecdhEs('org.cryptomator.hub.userkey', this.keyPair.privateKey));
+    return payload;
+  }
+
   /**
    * Gets the base64-encoded public key in SPKI format.
    * @returns base64-encoded public key
diff --git a/frontend/src/common/uvf.ts b/frontend/src/common/uvf.ts
index c83747f82..922d34e25 100644
--- a/frontend/src/common/uvf.ts
+++ b/frontend/src/common/uvf.ts
@@ -1,7 +1,7 @@
 import JSZip from 'jszip';
 import { base64, base64url } from 'rfc4648';
 import { VaultDto } from './backend';
-import { AccessTokenProducing, UserKeys, VaultTemplateProducing, getJwkThumbprint } from './crypto';
+import { AccessTokenProducing, OtherVaultMember, UserKeys, VaultTemplateProducing, getJwkThumbprint } from './crypto';
 import { JWE, JWEHeader, JsonJWE, Recipient } from './jwe';
 import { CRC32, wordEncoder } from './util';
 
@@ -21,10 +21,6 @@ type VaultMetadataJWEAutomaticAccessGrantDto = {
   maxWotDepth: number
 }
 
-type MemberKeyPayload = {
-  key: string
-}
-
 // #region Member Key
 /**
  * The AES Key Wrap Key used to encapsulate the UVF Vault Metadata CEK for a vault member.
@@ -49,13 +45,13 @@ export class MemberKey {
   /**
    * Decrypts the vault's member key using the member's private key
    * @param jwe JWE containing the encrypted member key
-   * @param userPrivateKey The user's private key
-   * @returns The masterkey
+   * @param userKeyPair The current user's key pair
+   * @returns The member key
    */
-  public static async decryptWithUserKey(jwe: string, userPrivateKey: CryptoKey): Promise<MemberKey> {
+  public static async decryptWithUserKey(jwe: string, userKeyPair: UserKeys): Promise<MemberKey> {
     let rawKey = new Uint8Array();
     try {
-      const payload: MemberKeyPayload = await JWE.parseCompact(jwe).decrypt(Recipient.ecdhEs('org.cryptomator.hub.userkey', userPrivateKey));
+      const payload = await userKeyPair.decryptAccessToken(jwe);
       rawKey = base64.parse(payload.key);
       const memberKey = await crypto.subtle.importKey('raw', rawKey, MemberKey.KEY_DESIGNATION, true, MemberKey.KEY_USAGE);
       return new MemberKey(memberKey);
@@ -70,20 +66,18 @@ export class MemberKey {
    * @returns a JWE containing this member key
    */
   public async encryptForUser(userPublicKey: CryptoKey | Uint8Array): Promise<string> {
-    // TODO: remove Uint8Array support?
-    if (userPublicKey instanceof Uint8Array) {
-      userPublicKey = await crypto.subtle.importKey('spki', userPublicKey, UserKeys.KEY_DESIGNATION, false, []);
-    }
-    const rawkey = new Uint8Array(await crypto.subtle.exportKey('raw', this.key));
-    try {
-      const payload: MemberKeyPayload = {
-        key: base64.stringify(rawkey),
-      };
-      const jwe = await JWE.build(payload).encrypt(Recipient.ecdhEs('org.cryptomator.hub.userkey', userPublicKey));
-      return jwe.compactSerialization();
-    } finally {
-      rawkey.fill(0x00);
-    }
+    return OtherVaultMember.withPublicKey(userPublicKey).createAccessToken({
+      key: await this.serializeKey()
+    });
+  }
+
+  /**
+   * Encodes the key
+   * @returns member key in base64-encoded raw format
+   */
+  public async serializeKey(): Promise<string> {
+    const bytes = await crypto.subtle.exportKey('raw', this.key);
+    return base64.stringify(new Uint8Array(bytes), { pad: true });
   }
 
 }
@@ -264,7 +258,7 @@ export class VaultMetadata {
 
 }
 // #endregion
-// #region Vault metadata
+// #region UVF
 
 /**
  * A UVF-formatted Vault
diff --git a/frontend/src/common/vaultv8.ts b/frontend/src/common/vaultv8.ts
index de7eaaf3c..ec06f6884 100644
--- a/frontend/src/common/vaultv8.ts
+++ b/frontend/src/common/vaultv8.ts
@@ -3,14 +3,9 @@ import * as miscreant from 'miscreant';
 import { base32, base64, base64url } from 'rfc4648';
 import { VaultDto } from './backend';
 import config, { absBackendBaseURL, absFrontendBaseURL } from './config';
-import { AccessTokenProducing, GCM_NONCE_LEN, UnwrapKeyError, UserKeys, VaultTemplateProducing } from './crypto';
-import { JWE, Recipient } from './jwe';
+import { AccessTokenProducing, GCM_NONCE_LEN, OtherVaultMember, UnwrapKeyError, UserKeys, VaultTemplateProducing } from './crypto';
 import { CRC32, wordEncoder } from './util';
 
-interface JWEPayload {
-  key: string
-}
-
 interface VaultConfigPayload {
   jti: string
   format: number
@@ -30,6 +25,7 @@ interface VaultConfigHeaderHub {
 }
 
 
+// TODO: rename to VaultFormat8Keys
 export class VaultKeys implements AccessTokenProducing, VaultTemplateProducing {
   // in this browser application, this 512 bit key is used
   // as a hmac key to sign the vault config.
@@ -64,13 +60,13 @@ export class VaultKeys implements AccessTokenProducing, VaultTemplateProducing {
   /**
    * Decrypts the vault's masterkey using the user's private key
    * @param jwe JWE containing the vault key
-   * @param userPrivateKey The user's private key
+   * @param userKeyPair The current user's key pair
    * @returns The masterkey
    */
-  public static async decryptWithUserKey(jwe: string, userPrivateKey: CryptoKey): Promise<VaultKeys> {
+  public static async decryptWithUserKey(jwe: string, userKeyPair: UserKeys): Promise<VaultKeys> {
     let rawKey = new Uint8Array();
     try {
-      const payload: JWEPayload = await JWE.parseCompact(jwe).decrypt(Recipient.ecdhEs('org.cryptomator.hub.userkey', userPrivateKey));
+      const payload = await userKeyPair.decryptAccessToken(jwe);
       rawKey = base64.parse(payload.key);
       const masterKey = crypto.subtle.importKey('raw', rawKey, VaultKeys.MASTERKEY_KEY_DESIGNATION, true, ['sign']);
       return new VaultKeys(await masterKey);
@@ -242,23 +238,24 @@ export class VaultKeys implements AccessTokenProducing, VaultTemplateProducing {
     }
   }
 
+  /**
+   * Encodes the key masterkey
+   * @returns master key in base64-encoded raw format
+   */
+  public async serializeMasterKey(): Promise<string> {
+    const bytes = await crypto.subtle.exportKey('raw', this.masterKey);
+    return base64.stringify(new Uint8Array(bytes), { pad: true });
+  }
+
   /**
    * Encrypts this masterkey using the given public key
    * @param userPublicKey The recipient's public key (DER-encoded)
    * @returns a JWE containing this Masterkey
    */
   public async encryptForUser(userPublicKey: Uint8Array): Promise<string> {
-    const publicKey = await crypto.subtle.importKey('spki', userPublicKey, UserKeys.KEY_DESIGNATION, false, []);
-    const rawkey = new Uint8Array(await crypto.subtle.exportKey('raw', this.masterKey));
-    try {
-      const payload: JWEPayload = {
-        key: base64.stringify(rawkey),
-      };
-      const jwe = await JWE.build(payload).encrypt(Recipient.ecdhEs('org.cryptomator.hub.userkey', publicKey));
-      return jwe.compactSerialization();
-    } finally {
-      rawkey.fill(0x00);
-    }
+    return OtherVaultMember.withPublicKey(userPublicKey).createAccessToken({
+      key: await this.serializeMasterKey(),
+    });
   }
 
   /**
diff --git a/frontend/src/components/VaultDetails.vue b/frontend/src/components/VaultDetails.vue
index 1a45c2fa3..f5ec5d674 100644
--- a/frontend/src/components/VaultDetails.vue
+++ b/frontend/src/components/VaultDetails.vue
@@ -338,7 +338,7 @@ async function loadVaultKeys(vaultKeyJwe: string): Promise<VaultKeys> {
     throw new Error('Device not initialized.');
   }
   const userKeys = await UserKeys.decryptOnBrowser(myDevice.userPrivateKey, browserKeys.keyPair.privateKey, base64.parse(me.value.publicKey));
-  return VaultKeys.decryptWithUserKey(vaultKeyJwe, userKeys.keyPair.privateKey);
+  return VaultKeys.decryptWithUserKey(vaultKeyJwe, userKeys);
 }
 
 async function loadUvfVault(memberKeyJwe: string): Promise<UniversalVaultFormat> {
@@ -358,7 +358,7 @@ async function loadUvfVault(memberKeyJwe: string): Promise<UniversalVaultFormat>
     throw new Error('Device not initialized.');
   }
   const userKeys = await UserKeys.decryptOnBrowser(myDevice.userPrivateKey, browserKeys.keyPair.privateKey, base64.parse(me.value.publicKey));
-  const memberKey = await MemberKey.decryptWithUserKey(memberKeyJwe, userKeys.keyPair.privateKey);
+  const memberKey = await MemberKey.decryptWithUserKey(memberKeyJwe, userKeys);
   return UniversalVaultFormat.decrypt(vault.value, memberKey);
 }
 
diff --git a/frontend/test/common/uvf.spec.ts b/frontend/test/common/uvf.spec.ts
index 1e0422286..4b65439f1 100644
--- a/frontend/test/common/uvf.spec.ts
+++ b/frontend/test/common/uvf.spec.ts
@@ -1,6 +1,7 @@
 import { use as chaiUse, expect } from 'chai';
 import chaiAsPromised from 'chai-as-promised';
 import { before, describe } from 'mocha';
+import { UserKeys } from '../../src/common/crypto';
 import { MemberKey, RecoveryKey, VaultMetadata } from '../../src/common/uvf';
 
 chaiUse(chaiAsPromised);
@@ -28,20 +29,20 @@ describe('Universal Vault Format', () => {
       d: 'wouCtU7Nw4E8_7n5C1-xBjB4xqSb_liZhYMsy8MGgxUny6Q8NCoH9xSiviwLFfK_',
     };
 
-    let alice: CryptoKeyPair;
+    let alice: TestUserKeys;
 
     before(async () => {
       // prepare some test key pairs:
       let ecdhP384: EcKeyImportParams = { name: 'ECDH', namedCurve: 'P-384' };
       const alicePrv = crypto.subtle.importKey('jwk', alicePrivate, ecdhP384, true, ['deriveKey']);
       const alicePub = crypto.subtle.importKey('jwk', alicePublic, ecdhP384, true, []);
-      alice = { privateKey: await alicePrv, publicKey: await alicePub };
+      alice = new TestUserKeys({ privateKey: await alicePrv, publicKey: await alicePub });
     });
 
     it('encryptForUser()', async () => {
       const memberKey = await TestMemberKey.create();
 
-      const encrypted = await memberKey.encryptForUser(alice.publicKey);
+      const encrypted = await memberKey.encryptForUser(alice.keyPair.publicKey);
 
       expect(encrypted).to.be.not.null;
     });
@@ -49,7 +50,7 @@ describe('Universal Vault Format', () => {
     it('decryptWithUserKey()', async () => {
       const jwe = 'eyJlbmMiOiJBMjU2R0NNIiwia2lkIjoib3JnLmNyeXB0b21hdG9yLmh1Yi51c2Vya2V5IiwiYWxnIjoiRUNESC1FUytBMjU2S1ciLCJlcGsiOnsia2V5X29wcyI6W10sImV4dCI6dHJ1ZSwia3R5IjoiRUMiLCJ4IjoicFotVXExTjNOVElRcHNpZC11UGZMaW95bVVGVFJLM1dkTXVkLWxDcGh5MjQ4bUlJelpDc3RPRzZLTGloZnBkZyIsInkiOiJzMnl6eF9Ca2QweFhIcENnTlJFOWJiQUIyQkNNTF80cWZwcFEza1N2LXhqcEROVWZZdmlxQS1xRERCYnZkNDdYIiwiY3J2IjoiUC0zODQifSwiYXB1IjoiIiwiYXB2IjoiIn0.I_rXJagNrrCa9zISf0DZJLQbIZDxEpGxCyjFbNE0iZs6yFeVayNOGQ.7rASe4SqyKJJLHZ4.l6T2N_ATytZUyh1IZTIJJDY4dXCyQVsRB19QIIPrAi0QQiS4gl4.fnOtAJhdvPFFHVi6L5Ma_R8iL3IXq1_xAq2PvdEfx0A';
 
-      const decrypted = MemberKey.decryptWithUserKey(jwe, alice.privateKey);
+      const decrypted = MemberKey.decryptWithUserKey(jwe, alice);
 
       expect(decrypted).to.be.not.null;
     });
@@ -100,4 +101,10 @@ class TestMemberKey extends MemberKey {
   }
 }
 
+class TestUserKeys extends UserKeys {
+  public constructor(keyPair: CryptoKeyPair) {
+    super(keyPair);
+  }
+}
+
 // #endregion

From 6b46862d244e8560809db2fe553f04761f3d6c14 Mon Sep 17 00:00:00 2001
From: Sebastian Stenzel <sebastian.stenzel@skymatic.de>
Date: Fri, 3 May 2024 16:54:41 +0200
Subject: [PATCH 23/94] store recovery key among vault key in access token

---
 frontend/src/components/CreateVault.vue | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/frontend/src/components/CreateVault.vue b/frontend/src/components/CreateVault.vue
index 7ba356d8f..65a2b30f8 100644
--- a/frontend/src/components/CreateVault.vue
+++ b/frontend/src/components/CreateVault.vue
@@ -214,7 +214,7 @@ import { base64 } from 'rfc4648';
 import { onMounted, ref } from 'vue';
 import { useI18n } from 'vue-i18n';
 import backend, { AccessGrant, PaymentRequiredError, VaultDto } from '../common/backend';
-import { VaultTemplateProducing } from '../common/crypto';
+import { OtherVaultMember, VaultTemplateProducing } from '../common/crypto';
 import { debounce } from '../common/util';
 import { UniversalVaultFormat } from '../common/uvf';
 import { VaultKeys } from '../common/vaultv8';
@@ -344,14 +344,19 @@ async function createVault() {
         if (!format8VaultKeys.value) {
           throw new Error('Invalid state');
         }
-        ownerGrant.token = await format8VaultKeys.value.encryptForUser(base64.parse(owner.publicKey));
+        ownerGrant.token = await OtherVaultMember.withPublicKey(base64.parse(owner.publicKey)).createAccessToken({
+          key: await format8VaultKeys.value.serializeMasterKey()
+        });
         break;
       }
       case VaultType.UniversalVaultFormat: {
         if (!uvfVault.value) {
           throw new Error('Invalid state');
         }
-        ownerGrant.token = await uvfVault.value.encryptForUser(base64.parse(owner.publicKey));
+        ownerGrant.token = await OtherVaultMember.withPublicKey(base64.parse(owner.publicKey)).createAccessToken({
+          key: await uvfVault.value.memberKey.serializeKey(),
+          recoveryKey: await uvfVault.value.recoveryKey.serializePrivateKey()
+        });
         vault.value.uvfMetadataFile = await uvfVault.value.createMetadataFile();
         vault.value.uvfRecoveryPublicKey = await uvfVault.value.recoveryKey.serializePublicKey();
         break;

From cb4e53aa55b84c0dce2f48ca88e6f14820f9a486 Mon Sep 17 00:00:00 2001
From: Sebastian Stenzel <sebastian.stenzel@skymatic.de>
Date: Fri, 3 May 2024 18:53:38 +0200
Subject: [PATCH 24/94] reordered fields

[ci skip]
---
 .../java/org/cryptomator/hub/api/VaultResource.java | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)

diff --git a/backend/src/main/java/org/cryptomator/hub/api/VaultResource.java b/backend/src/main/java/org/cryptomator/hub/api/VaultResource.java
index 40c8ee516..453e21a4c 100644
--- a/backend/src/main/java/org/cryptomator/hub/api/VaultResource.java
+++ b/backend/src/main/java/org/cryptomator/hub/api/VaultResource.java
@@ -501,15 +501,18 @@ public record VaultDto(@JsonProperty("id") UUID id,
 						   @JsonProperty("description") @NoHtmlOrScriptChars String description,
 						   @JsonProperty("archived") boolean archived,
 						   @JsonProperty("creationTime") Instant creationTime,
+						   @JsonProperty("uvfMetadataFile") String uvfMetadataFile,
+						   @JsonProperty("uvfRecoveryPublicKey") @OnlyBase64Chars String uvfRecoveryPublicKey,
 						   // Legacy properties ("Vault Admin Password"):
-						   @JsonProperty("masterkey") @OnlyBase64Chars String masterkey, @JsonProperty("iterations") Integer iterations,
-						   @JsonProperty("salt") @OnlyBase64Chars String salt,
-						   @JsonProperty("authPublicKey") @OnlyBase64Chars String authPublicKey, @JsonProperty("authPrivateKey") @OnlyBase64Chars String authPrivateKey,
-						   @JsonProperty("uvfMetadataFile") String uvfMetadataFile, @JsonProperty("uvfRecoveryPublicKey") @OnlyBase64Chars String uvfRecoveryPublicKey
+						   @JsonProperty("masterkey") @OnlyBase64Chars String masterkey, @JsonProperty("iterations") Integer iterations, @JsonProperty("salt") @OnlyBase64Chars String salt,
+						   @JsonProperty("authPublicKey") @OnlyBase64Chars String authPublicKey, @JsonProperty("authPrivateKey") @OnlyBase64Chars String authPrivateKey
+
 	) {
 
 		public static VaultDto fromEntity(Vault entity) {
-			return new VaultDto(entity.getId(), entity.getName(), entity.getDescription(), entity.isArchived(), entity.getCreationTime().truncatedTo(ChronoUnit.MILLIS), entity.getMasterkey(), entity.getIterations(), entity.getSalt(), entity.getAuthenticationPublicKey(), entity.getAuthenticationPrivateKey(), entity.getUvfMetadataFile(), entity.getUvfRecoveryPubKey());
+			return new VaultDto(entity.getId(), entity.getName(), entity.getDescription(), entity.isArchived(), entity.getCreationTime().truncatedTo(ChronoUnit.MILLIS), entity.getUvfMetadataFile(), entity.getUvfRecoveryPubKey(),
+					// legacy properties:
+					entity.getMasterkey(), entity.getIterations(), entity.getSalt(), entity.getAuthenticationPublicKey(), entity.getAuthenticationPrivateKey());
 		}
 
 	}

From b294f554cf7327ac46c710b6e43828acec22bdff Mon Sep 17 00:00:00 2001
From: Sebastian Stenzel <sebastian.stenzel@skymatic.de>
Date: Thu, 9 May 2024 11:52:47 +0200
Subject: [PATCH 25/94] store recovery key as PKCS8 instead of words

in access token
---
 frontend/src/common/uvf.ts               | 58 ++++++++++++++++++------
 frontend/src/components/CreateVault.vue  |  2 +-
 frontend/src/components/VaultDetails.vue | 19 +++++---
 frontend/test/common/uvf.spec.ts         | 10 ++--
 4 files changed, 62 insertions(+), 27 deletions(-)

diff --git a/frontend/src/common/uvf.ts b/frontend/src/common/uvf.ts
index 922d34e25..759fa1b8a 100644
--- a/frontend/src/common/uvf.ts
+++ b/frontend/src/common/uvf.ts
@@ -1,7 +1,7 @@
 import JSZip from 'jszip';
 import { base64, base64url } from 'rfc4648';
 import { VaultDto } from './backend';
-import { AccessTokenProducing, OtherVaultMember, UserKeys, VaultTemplateProducing, getJwkThumbprint } from './crypto';
+import { AccessTokenPayload, AccessTokenProducing, OtherVaultMember, UserKeys, VaultTemplateProducing, getJwkThumbprint } from './crypto';
 import { JWE, JWEHeader, JsonJWE, Recipient } from './jwe';
 import { CRC32, wordEncoder } from './util';
 
@@ -21,6 +21,13 @@ type VaultMetadataJWEAutomaticAccessGrantDto = {
   maxWotDepth: number
 }
 
+type UvfAccessTokenPayload = AccessTokenPayload & {
+  /**
+   * optional private key of the recovery key pair (PKCS8-encoded; only shared with vault owners)
+   */
+  recoveryKey?: string;
+}
+
 // #region Member Key
 /**
  * The AES Key Wrap Key used to encapsulate the UVF Vault Metadata CEK for a vault member.
@@ -43,16 +50,14 @@ export class MemberKey {
   }
 
   /**
-   * Decrypts the vault's member key using the member's private key
-   * @param jwe JWE containing the encrypted member key
-   * @param userKeyPair The current user's key pair
-   * @returns The member key
+   * Creates a new vault member key
+   * @param encodedKey base64-encoded raw 256 bit key (as retrieved from {@link AccessTokenPayload#foo})
+   * @returns new key
    */
-  public static async decryptWithUserKey(jwe: string, userKeyPair: UserKeys): Promise<MemberKey> {
+  public static async load(encodedKey: string): Promise<MemberKey> {
     let rawKey = new Uint8Array();
     try {
-      const payload = await userKeyPair.decryptAccessToken(jwe);
-      rawKey = base64.parse(payload.key);
+      rawKey = base64.parse(encodedKey);
       const memberKey = await crypto.subtle.importKey('raw', rawKey, MemberKey.KEY_DESIGNATION, true, MemberKey.KEY_USAGE);
       return new MemberKey(memberKey);
     } finally {
@@ -92,7 +97,7 @@ export class RecoveryKey {
 
   public static readonly KEY_USAGE: KeyUsage[] = ['deriveKey', 'deriveBits'];
 
-  protected constructor(readonly publicKey: CryptoKey, private privateKey?: CryptoKey) { }
+  protected constructor(readonly publicKey: CryptoKey, readonly privateKey?: CryptoKey) { }
 
   /**
    * Creates a new vault member key
@@ -106,13 +111,17 @@ export class RecoveryKey {
   /**
    * Loads the public key of the recovery key pair.
    * @param publicKey the DER-encoded public key
+   * @param publicKey the PKCS8-encoded private key
    * @returns recovery key for encrypting vault metadata
    */
-  public static async load(publicKey: CryptoKey | Uint8Array): Promise<RecoveryKey> {
+  public static async load(publicKey: CryptoKey | Uint8Array, privateKey?: CryptoKey | Uint8Array): Promise<RecoveryKey> {
     if (publicKey instanceof Uint8Array) {
       publicKey = await crypto.subtle.importKey('spki', publicKey, RecoveryKey.KEY_DESIGNATION, true, []);
     }
-    return new RecoveryKey(publicKey);
+    if (privateKey instanceof Uint8Array) {
+      privateKey = await crypto.subtle.importKey('pkcs8', privateKey, RecoveryKey.KEY_DESIGNATION, true, RecoveryKey.KEY_USAGE);
+    }
+    return new RecoveryKey(publicKey, privateKey);
   }
 
   /**
@@ -125,10 +134,10 @@ export class RecoveryKey {
   }
 
   /**
-   * Encodes the private key
+   * Encodes the private key as a list of words
    * @returns private key in a human-readable encoding
    */
-  public async serializePrivateKey(): Promise<string> {
+  public async createRecoveryKey(): Promise<string> {
     if (!this.privateKey) {
       throw new Error('Private key not available');
     }
@@ -151,6 +160,18 @@ export class RecoveryKey {
     return wordEncoder.encodePadded(padded);
   }
 
+  /**
+   * Encodes the private key
+   * @returns private key in base64-encoded DER format
+   */
+  public async serializePrivateKey(): Promise<string> {
+    if (!this.privateKey) {
+      throw new Error('Private key not available');
+    }
+    const bytes = await crypto.subtle.exportKey('pkcs8', this.privateKey);
+    return base64.stringify(new Uint8Array(bytes), { pad: true });
+  }
+
   /**
    * Encodes the public key
    * @returns public key in base64-encoded DER format
@@ -273,12 +294,19 @@ export class UniversalVaultFormat implements AccessTokenProducing, VaultTemplate
     return new UniversalVaultFormat(metadata, memberKey, recoveryKey);
   }
 
-  public static async decrypt(vault: VaultDto, memberKey: MemberKey): Promise<UniversalVaultFormat> {
+  public static async decrypt(vault: VaultDto, accessToken: string, userKeyPair: UserKeys): Promise<UniversalVaultFormat> {
     if (!vault.uvfMetadataFile || !vault.uvfRecoveryPublicKey) {
       throw new Error('Not a UVF vault.');
     }
+    const payload = await userKeyPair.decryptAccessToken(accessToken) as UvfAccessTokenPayload;
+    const memberKey = await MemberKey.load(payload.key);
     const metadata = await VaultMetadata.decryptWithMemberKey(vault.uvfMetadataFile, memberKey);
-    const recoveryKey = await RecoveryKey.load(base64.parse(vault.uvfRecoveryPublicKey));
+    let recoveryKey: RecoveryKey;
+    if (payload.recoveryKey) {
+      recoveryKey = await RecoveryKey.load(base64.parse(vault.uvfRecoveryPublicKey), base64.parse(payload.recoveryKey));
+    } else {
+      recoveryKey = await RecoveryKey.load(base64.parse(vault.uvfRecoveryPublicKey));
+    }
     return new UniversalVaultFormat(metadata, memberKey, recoveryKey);
   }
 
diff --git a/frontend/src/components/CreateVault.vue b/frontend/src/components/CreateVault.vue
index 65a2b30f8..6c72546fd 100644
--- a/frontend/src/components/CreateVault.vue
+++ b/frontend/src/components/CreateVault.vue
@@ -287,7 +287,7 @@ async function initialize() {
         break;
       case VaultType.UniversalVaultFormat:
         uvfVault.value = await UniversalVaultFormat.create({ enabled: false, maxWotDepth: 0 });
-        recoveryKeyStr.value = await uvfVault.value.recoveryKey.serializePrivateKey();
+        recoveryKeyStr.value = await uvfVault.value.recoveryKey.createRecoveryKey();
         break;
     }
     state.value = State.EnterVaultDetails;
diff --git a/frontend/src/components/VaultDetails.vue b/frontend/src/components/VaultDetails.vue
index f5ec5d674..f298e6f1d 100644
--- a/frontend/src/components/VaultDetails.vue
+++ b/frontend/src/components/VaultDetails.vue
@@ -184,10 +184,14 @@
         <button v-if="vaultRole == 'OWNER'" type="button" class="bg-white py-2 px-4 border border-gray-300 rounded-md shadow-sm text-sm font-medium text-gray-700 hover:bg-gray-50 focus:outline-none focus:ring-2 focus:ring-offset-2 focus:ring-primary" @click="showDownloadVaultTemplateDialog()">
           {{ t('vaultDetails.actions.downloadVaultTemplate') }}
         </button>
-        <!-- displayRecoveryKey button -->
-        <button v-if="vaultRole == 'OWNER'" type="button" class="bg-white py-2 px-4 border border-gray-300 rounded-md shadow-sm text-sm font-medium text-gray-700 hover:bg-gray-50 focus:outline-none focus:ring-2 focus:ring-offset-2 focus:ring-primary" @click="showDisplayRecoveryKeyDialog()">
+        <!-- displayRecoveryKey button (Vault Format 8 only) -->
+        <button v-if="vaultRole == 'OWNER' && vaultKeys" type="button" class="bg-white py-2 px-4 border border-gray-300 rounded-md shadow-sm text-sm font-medium text-gray-700 hover:bg-gray-50 focus:outline-none focus:ring-2 focus:ring-offset-2 focus:ring-primary" @click="showDisplayRecoveryKeyDialog()">
           {{ t('vaultDetails.actions.displayRecoveryKey') }}
         </button>
+        <!-- TODO: regenerateRecoveryKey button (UVF only) -->
+        <button v-if="vaultRole == 'OWNER' && uvfVault?.recoveryKey.privateKey" type="button" class="bg-white py-2 px-4 border border-gray-300 rounded-md shadow-sm text-sm font-medium text-gray-700 hover:bg-gray-50 focus:outline-none focus:ring-2 focus:ring-offset-2 focus:ring-primary" @click="showUvfRecoveryKey()">
+          {{ t('vaultDetails.actions.displayRecoveryKey') }} UVF TODO see console
+        </button>
         <!-- archiveVault button -->
         <button v-if="(vaultRole == 'OWNER' || isAdmin)" type="button" class="bg-red-600 py-2 px-4 border border-transparent rounded-md shadow-sm text-sm font-medium text-white  hover:bg-red-700 focus:outline-none focus:ring-2 focus:ring-offset-2 focus:ring-red-500" @click="showArchiveVaultDialog()">
           {{ t('vaultDetails.actions.archiveVault') }}
@@ -217,7 +221,7 @@ import auth from '../common/auth';
 import backend, { AuthorityDto, ConflictError, ForbiddenError, LicenseUserInfoDto, MemberDto, NotFoundError, PaymentRequiredError, UserDto, VaultDto, VaultRole } from '../common/backend';
 import { BrowserKeys, UserKeys } from '../common/crypto';
 import { JWT, JWTHeader } from '../common/jwt';
-import { MemberKey, UniversalVaultFormat } from '../common/uvf';
+import { UniversalVaultFormat } from '../common/uvf';
 import { VaultKeys } from '../common/vaultv8';
 import ArchiveVaultDialog from './ArchiveVaultDialog.vue';
 import ClaimVaultOwnershipDialog from './ClaimVaultOwnershipDialog.vue';
@@ -341,7 +345,7 @@ async function loadVaultKeys(vaultKeyJwe: string): Promise<VaultKeys> {
   return VaultKeys.decryptWithUserKey(vaultKeyJwe, userKeys);
 }
 
-async function loadUvfVault(memberKeyJwe: string): Promise<UniversalVaultFormat> {
+async function loadUvfVault(accessToken: string): Promise<UniversalVaultFormat> {
   if (!vault.value || !vault.value.uvfMetadataFile) {
     throw new Error('Vault not initialized.');
   }
@@ -358,8 +362,7 @@ async function loadUvfVault(memberKeyJwe: string): Promise<UniversalVaultFormat>
     throw new Error('Device not initialized.');
   }
   const userKeys = await UserKeys.decryptOnBrowser(myDevice.userPrivateKey, browserKeys.keyPair.privateKey, base64.parse(me.value.publicKey));
-  const memberKey = await MemberKey.decryptWithUserKey(memberKeyJwe, userKeys);
-  return UniversalVaultFormat.decrypt(vault.value, memberKey);
+  return UniversalVaultFormat.decrypt(vault.value, accessToken, userKeys);
 }
 
 async function provedOwnership(keys: VaultKeys, ownerKeyPair: CryptoKeyPair) {
@@ -467,6 +470,10 @@ function showDisplayRecoveryKeyDialog() {
   nextTick(() => displayRecoveryKeyDialog.value?.show());
 }
 
+async function showUvfRecoveryKey() {
+  console.log(await uvfVault.value?.recoveryKey.createRecoveryKey()); //TODO: implement
+}
+
 function showArchiveVaultDialog() {
   archivingVault.value = true;
   nextTick(() => archiveVaultDialog.value?.show());
diff --git a/frontend/test/common/uvf.spec.ts b/frontend/test/common/uvf.spec.ts
index 4b65439f1..ca0e40385 100644
--- a/frontend/test/common/uvf.spec.ts
+++ b/frontend/test/common/uvf.spec.ts
@@ -33,9 +33,8 @@ describe('Universal Vault Format', () => {
 
     before(async () => {
       // prepare some test key pairs:
-      let ecdhP384: EcKeyImportParams = { name: 'ECDH', namedCurve: 'P-384' };
-      const alicePrv = crypto.subtle.importKey('jwk', alicePrivate, ecdhP384, true, ['deriveKey']);
-      const alicePub = crypto.subtle.importKey('jwk', alicePublic, ecdhP384, true, []);
+      const alicePrv = crypto.subtle.importKey('jwk', alicePrivate, UserKeys.KEY_DESIGNATION, true, UserKeys.KEY_USAGES);
+      const alicePub = crypto.subtle.importKey('jwk', alicePublic, UserKeys.KEY_DESIGNATION, true, []);
       alice = new TestUserKeys({ privateKey: await alicePrv, publicKey: await alicePub });
     });
 
@@ -47,10 +46,11 @@ describe('Universal Vault Format', () => {
       expect(encrypted).to.be.not.null;
     });
 
-    it('decryptWithUserKey()', async () => {
+    it('load(userKeyPair.decryptAccessToken(...))', async () => {
       const jwe = 'eyJlbmMiOiJBMjU2R0NNIiwia2lkIjoib3JnLmNyeXB0b21hdG9yLmh1Yi51c2Vya2V5IiwiYWxnIjoiRUNESC1FUytBMjU2S1ciLCJlcGsiOnsia2V5X29wcyI6W10sImV4dCI6dHJ1ZSwia3R5IjoiRUMiLCJ4IjoicFotVXExTjNOVElRcHNpZC11UGZMaW95bVVGVFJLM1dkTXVkLWxDcGh5MjQ4bUlJelpDc3RPRzZLTGloZnBkZyIsInkiOiJzMnl6eF9Ca2QweFhIcENnTlJFOWJiQUIyQkNNTF80cWZwcFEza1N2LXhqcEROVWZZdmlxQS1xRERCYnZkNDdYIiwiY3J2IjoiUC0zODQifSwiYXB1IjoiIiwiYXB2IjoiIn0.I_rXJagNrrCa9zISf0DZJLQbIZDxEpGxCyjFbNE0iZs6yFeVayNOGQ.7rASe4SqyKJJLHZ4.l6T2N_ATytZUyh1IZTIJJDY4dXCyQVsRB19QIIPrAi0QQiS4gl4.fnOtAJhdvPFFHVi6L5Ma_R8iL3IXq1_xAq2PvdEfx0A';
 
-      const decrypted = MemberKey.decryptWithUserKey(jwe, alice);
+      const payload = await alice.decryptAccessToken(jwe);
+      const decrypted = await MemberKey.load(payload.key);
 
       expect(decrypted).to.be.not.null;
     });

From a3fc1843f94c8ad5d209f92696b1607628b8a2c8 Mon Sep 17 00:00:00 2001
From: Sebastian Stenzel <sebastian.stenzel@skymatic.de>
Date: Thu, 9 May 2024 14:18:06 +0200
Subject: [PATCH 26/94] adjusted parameter order

---
 .../org/cryptomator/hub/api/VaultResourceIT.java   | 14 ++++++--------
 1 file changed, 6 insertions(+), 8 deletions(-)

diff --git a/backend/src/test/java/org/cryptomator/hub/api/VaultResourceIT.java b/backend/src/test/java/org/cryptomator/hub/api/VaultResourceIT.java
index 8e21e55b6..47aee0d0c 100644
--- a/backend/src/test/java/org/cryptomator/hub/api/VaultResourceIT.java
+++ b/backend/src/test/java/org/cryptomator/hub/api/VaultResourceIT.java
@@ -95,9 +95,7 @@ public class TestVaultDtoValidation {
 
 		@Test
 		public void testValidDto() {
-			var dto = new VaultResource.VaultDto(VALID_ID, VALID_NAME, "foobarbaz", false, Instant.parse("2020-02-20T20:20:20Z"), VALID_MASTERKEY, 8, VALID_SALT, VALID_AUTH_PUB, VALID_AUTH_PRI,
-					VALID_UVF_METADATA_FILE, VALID_UVF_RECOVERY_KEY
-			);
+			var dto = new VaultResource.VaultDto(VALID_ID, VALID_NAME, "foobarbaz", false, Instant.parse("2020-02-20T20:20:20Z"), VALID_UVF_METADATA_FILE, VALID_UVF_RECOVERY_KEY, VALID_MASTERKEY, 8, VALID_SALT, VALID_AUTH_PUB, VALID_AUTH_PRI);
 			var violations = validator.validate(dto);
 			MatcherAssert.assertThat(violations, Matchers.empty());
 		}
@@ -261,7 +259,7 @@ public class CreateVaults {
 		@DisplayName("PUT /vaults/7E57C0DE-0000-4000-8000-000100003333 returns 201")
 		public void testCreateVault1() {
 			var uuid = UUID.fromString("7E57C0DE-0000-4000-8000-000100003333");
-			var vaultDto = new VaultResource.VaultDto(uuid, "My Vault", "Test vault 3", false, Instant.parse("2112-12-21T21:12:21Z"), "masterkey3", 42, "NaCl", "authPubKey3", "authPrvKey3", "metadata3", "recovery3");
+			var vaultDto = new VaultResource.VaultDto(uuid, "My Vault", "Test vault 3", false, Instant.parse("2112-12-21T21:12:21Z"), "metadata3", "recovery3", "masterkey3", 42, "NaCl", "authPubKey3", "authPrvKey3");
 
 			given().contentType(ContentType.JSON).body(vaultDto)
 					.when().put("/vaults/{vaultId}", "7E57C0DE-0000-4000-8000-000100003333")
@@ -286,7 +284,7 @@ public void testCreateVault2() {
 		@DisplayName("PUT /vaults/7E57C0DE-0000-4000-8000-000100004444 returns 201 ignoring archived flag")
 		public void testCreateVault3() {
 			var uuid = UUID.fromString("7E57C0DE-0000-4000-8000-000100004444");
-			var vaultDto = new VaultResource.VaultDto(uuid, "My Vault", "Test vault 4", true, Instant.parse("2112-12-21T21:12:21Z"), "masterkey4", 42, "NaCl", "authPubKey4", "authPrvKey4", "metadata4", "recovery4");
+			var vaultDto = new VaultResource.VaultDto(uuid, "My Vault", "Test vault 4", true, Instant.parse("2112-12-21T21:12:21Z"), "metadata4", "recovery4", "masterkey4", 42, "NaCl", "authPubKey4", "authPrvKey4");
 
 			given().contentType(ContentType.JSON).body(vaultDto)
 					.when().put("/vaults/{vaultId}", "7E57C0DE-0000-4000-8000-000100004444")
@@ -302,7 +300,7 @@ public void testCreateVault3() {
 		@DisplayName("PUT /vaults/7E57C0DE-0000-4000-8000-000100003333 returns 200, updating only name, description and archive flag")
 		public void testUpdateVault() {
 			var uuid = UUID.fromString("7E57C0DE-0000-4000-8000-000100003333");
-			var vaultDto = new VaultResource.VaultDto(uuid, "VaultUpdated", "Vault updated.", true, Instant.parse("2222-11-11T11:11:11Z"), "doNotUpdate", 27, "doNotUpdate", "doNotUpdate", "doNotUpdate", "doNotUpdate", "doNotUpdate");
+			var vaultDto = new VaultResource.VaultDto(uuid, "VaultUpdated", "Vault updated.", true, Instant.parse("2222-11-11T11:11:11Z"), "doNotUpdate", "doNotUpdate", "doNotUpdate", 27, "doNotUpdate", "doNotUpdate", "doNotUpdate");
 			given().contentType(ContentType.JSON)
 					.body(vaultDto)
 					.when().put("/vaults/{vaultId}", "7E57C0DE-0000-4000-8000-000100003333")
@@ -753,7 +751,7 @@ public void testUpdateVaultDespiteLicenseExceeded() {
 			Assumptions.assumeTrue(effectiveVaultAccessRepo.countSeatOccupyingUsers() == 5);
 			var vaultId = "7E57C0DE-0000-4000-8000-000100001111";
 
-			var vaultDto = new VaultResource.VaultDto(UUID.fromString(vaultId), "Vault 1", "This is a testvault.", false, Instant.parse("2222-11-11T11:11:11Z"), "someVaule", -1, "doNotUpdate", "doNotUpdate", "doNotUpdate", "doNotUpdate", "doNotUpdate");
+			var vaultDto = new VaultResource.VaultDto(UUID.fromString(vaultId), "Vault 1", "This is a testvault.", false, Instant.parse("2222-11-11T11:11:11Z"), "doNotUpdate", "doNotUpdate", "someVaule", -1, "doNotUpdate", "doNotUpdate", "doNotUpdate");
 			given().contentType(ContentType.JSON)
 					.body(vaultDto)
 					.when().put("/vaults/{vaultId}", vaultId)
@@ -779,7 +777,7 @@ public void testCreateVaultExceedingSeats() throws SQLException {
 			Assumptions.assumeTrue(effectiveVaultAccessRepo.countSeatOccupyingUsers() > 5);
 
 			var uuid = UUID.fromString("7E57C0DE-0000-4000-8000-0001FFFF3333");
-			var vaultDto = new VaultResource.VaultDto(uuid, "My Vault", "Test vault 4", false, Instant.parse("2112-12-21T21:12:21Z"), "masterkey4", 42, "NaCl", "authPubKey4", "authPrvKey4", "metadata4", "recovery4");
+			var vaultDto = new VaultResource.VaultDto(uuid, "My Vault", "Test vault 4", false, Instant.parse("2112-12-21T21:12:21Z"), "metadata4", "recovery4", "masterkey4", 42, "NaCl", "authPubKey4", "authPrvKey4");
 			given().contentType(ContentType.JSON).body(vaultDto)
 					.when().put("/vaults/{vaultId}", "7E57C0DE-0000-4000-8000-0001FFFF3333")
 					.then().statusCode(402);

From aeafffe1e741c4980afd7aface29e76dc99134ca Mon Sep 17 00:00:00 2001
From: Sebastian Stenzel <sebastian.stenzel@skymatic.de>
Date: Thu, 9 May 2024 14:18:57 +0200
Subject: [PATCH 27/94] fix mocha test explorer: `document is not defined`

---
 frontend/package.json         | 10 +++++++++-
 frontend/src/common/config.ts |  8 +++++---
 hub.code-workspace            |  3 ++-
 3 files changed, 16 insertions(+), 5 deletions(-)

diff --git a/frontend/package.json b/frontend/package.json
index 7cf9bd968..f67f95418 100644
--- a/frontend/package.json
+++ b/frontend/package.json
@@ -10,10 +10,18 @@
     "dev": "vite",
     "build": "vue-tsc --noEmit && vite build",
     "lint": "eslint -c .eslintrc.js",
-    "test": "nyc --reporter lcov mocha -r jsdom-global/register -r ts-node/register test/**/*.spec.ts",
+    "test": "nyc --reporter lcov mocha",
     "serve": "vite preview",
     "dist": "vue-tsc --noEmit && vite build --sourcemap --outDir=\"../backend/src/main/resources/META-INF/resources\" --emptyOutDir"
   },
+  "mocha": {
+    "require": [
+      "ts-node/register",
+      "jsdom-global/register"
+    ],
+    "spec": "test/**/*.spec.ts",
+    "timeout": 10000
+  },
   "directories": {
     "src": "./src",
     "test": "./test"
diff --git a/frontend/src/common/config.ts b/frontend/src/common/config.ts
index 9306f3c85..d341a1504 100644
--- a/frontend/src/common/config.ts
+++ b/frontend/src/common/config.ts
@@ -1,11 +1,13 @@
 import AxiosStatic from 'axios';
 
+const url = (typeof document !== 'undefined') ? new URL(document.baseURI) : new URL('http://localhost/'); // workaround for testing in Node environment
+
 // these URLs must end on '/':
-export const baseURL = new URL(document.baseURI).pathname;
+export const baseURL = url.pathname;
 export const frontendBaseURL = `${baseURL}app/`;
-export const absFrontendBaseURL = `${location.origin}${frontendBaseURL}`;
+export const absFrontendBaseURL = `${url.origin}${frontendBaseURL}`;
 export const backendBaseURL = `${baseURL}api/`;
-export const absBackendBaseURL = `${location.origin}${backendBaseURL}`;
+export const absBackendBaseURL = `${url.origin}${backendBaseURL}`;
 
 const axios = AxiosStatic.create({
   baseURL: backendBaseURL,
diff --git a/hub.code-workspace b/hub.code-workspace
index 949bb2ecf..1187e6386 100644
--- a/hub.code-workspace
+++ b/hub.code-workspace
@@ -30,6 +30,7 @@
 		"editor.codeActionsOnSave": {
 			"source.organizeImports": "explicit",
 			"source.fixAll.eslint": "explicit"
-		}
+		},
+		"testExplorer.useNativeTesting": true
 	}
 }

From 17c7099f12434bb007618ff0818ba03be7b22727 Mon Sep 17 00:00:00 2001
From: Sebastian Stenzel <sebastian.stenzel@skymatic.de>
Date: Thu, 9 May 2024 14:19:51 +0200
Subject: [PATCH 28/94] fix method signature

---
 frontend/src/common/vaultv8.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/frontend/src/common/vaultv8.ts b/frontend/src/common/vaultv8.ts
index ec06f6884..b17257c08 100644
--- a/frontend/src/common/vaultv8.ts
+++ b/frontend/src/common/vaultv8.ts
@@ -252,7 +252,7 @@ export class VaultKeys implements AccessTokenProducing, VaultTemplateProducing {
    * @param userPublicKey The recipient's public key (DER-encoded)
    * @returns a JWE containing this Masterkey
    */
-  public async encryptForUser(userPublicKey: Uint8Array): Promise<string> {
+  public async encryptForUser(userPublicKey: CryptoKey | Uint8Array): Promise<string> {
     return OtherVaultMember.withPublicKey(userPublicKey).createAccessToken({
       key: await this.serializeMasterKey(),
     });

From f3f3e02677556bd93de20202a7015897ebc2258b Mon Sep 17 00:00:00 2001
From: Sebastian Stenzel <sebastian.stenzel@skymatic.de>
Date: Thu, 9 May 2024 14:41:24 +0200
Subject: [PATCH 29/94] relax linter

---
 frontend/tsconfig.json | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/frontend/tsconfig.json b/frontend/tsconfig.json
index a6b58cc11..6136992ef 100644
--- a/frontend/tsconfig.json
+++ b/frontend/tsconfig.json
@@ -9,12 +9,12 @@
     "resolveJsonModule": true,
     "esModuleInterop": true,
     "lib": ["esnext", "dom"],
-    "noUnusedLocals": true,
+    "noUnusedLocals": false,
     "useUnknownInCatchVariables": false, // Workaround for `node_modules/miscreant/src/providers/webcrypto.ts:21:11 - error TS18046: 'e' is of type 'unknown'.`
   },
   "ts-node": {
     "compilerOptions": {
-      "module": "CommonJS"
+      "module": "CommonJS" // TODO change to es2022?
     }
   },
   "include": ["src/**/*.ts", "src/**/*.d.ts", "src/**/*.tsx", "src/**/*.vue"]

From aa49371750b1360b4af179411780a7d558651adc Mon Sep 17 00:00:00 2001
From: Sebastian Stenzel <sebastian.stenzel@skymatic.de>
Date: Thu, 9 May 2024 14:41:38 +0200
Subject: [PATCH 30/94] add tests

---
 frontend/src/common/uvf.ts       |  6 +--
 frontend/test/common/uvf.spec.ts | 70 +++++++++++++++++++++++++-------
 2 files changed, 59 insertions(+), 17 deletions(-)

diff --git a/frontend/src/common/uvf.ts b/frontend/src/common/uvf.ts
index 759fa1b8a..28866b8cd 100644
--- a/frontend/src/common/uvf.ts
+++ b/frontend/src/common/uvf.ts
@@ -95,7 +95,7 @@ export class MemberKey {
 export class RecoveryKey {
   public static readonly KEY_DESIGNATION: EcKeyGenParams = { name: 'ECDH', namedCurve: 'P-384' };
 
-  public static readonly KEY_USAGE: KeyUsage[] = ['deriveKey', 'deriveBits'];
+  public static readonly KEY_USAGES: KeyUsage[] = ['deriveKey', 'deriveBits'];
 
   protected constructor(readonly publicKey: CryptoKey, readonly privateKey?: CryptoKey) { }
 
@@ -104,7 +104,7 @@ export class RecoveryKey {
    * @returns new key
    */
   public static async create(): Promise<RecoveryKey> {
-    const keypair = await crypto.subtle.generateKey(RecoveryKey.KEY_DESIGNATION, true, RecoveryKey.KEY_USAGE);
+    const keypair = await crypto.subtle.generateKey(RecoveryKey.KEY_DESIGNATION, true, RecoveryKey.KEY_USAGES);
     return new RecoveryKey(keypair.publicKey, keypair.privateKey);
   }
 
@@ -119,7 +119,7 @@ export class RecoveryKey {
       publicKey = await crypto.subtle.importKey('spki', publicKey, RecoveryKey.KEY_DESIGNATION, true, []);
     }
     if (privateKey instanceof Uint8Array) {
-      privateKey = await crypto.subtle.importKey('pkcs8', privateKey, RecoveryKey.KEY_DESIGNATION, true, RecoveryKey.KEY_USAGE);
+      privateKey = await crypto.subtle.importKey('pkcs8', privateKey, RecoveryKey.KEY_DESIGNATION, true, RecoveryKey.KEY_USAGES);
     }
     return new RecoveryKey(publicKey, privateKey);
   }
diff --git a/frontend/test/common/uvf.spec.ts b/frontend/test/common/uvf.spec.ts
index ca0e40385..478742b21 100644
--- a/frontend/test/common/uvf.spec.ts
+++ b/frontend/test/common/uvf.spec.ts
@@ -6,6 +6,18 @@ import { MemberKey, RecoveryKey, VaultMetadata } from '../../src/common/uvf';
 
 chaiUse(chaiAsPromised);
 
+// key coordinates from MDN examples:
+const alicePublic: JsonWebKey = {
+  kty: 'EC',
+  crv: 'P-384',
+  x: 'SzrRXmyI8VWFJg1dPUNbFcc9jZvjZEfH7ulKI1UkXAltd7RGWrcfFxqyGPcwu6AQ',
+  y: 'hHUag3OvDzEr0uUQND4PXHQTXP5IDGdYhJhL-WLKjnGjQAw0rNGy5V29-aV-yseW'
+};
+const alicePrivate: JsonWebKey = {
+  ...alicePublic,
+  d: 'wouCtU7Nw4E8_7n5C1-xBjB4xqSb_liZhYMsy8MGgxUny6Q8NCoH9xSiviwLFfK_',
+};
+
 describe('Universal Vault Format', () => {
 
   before(async () => {
@@ -17,18 +29,6 @@ describe('Universal Vault Format', () => {
 
   describe('UVF Member Key', () => {
 
-    // key coordinates from MDN examples:
-    const alicePublic: JsonWebKey = {
-      kty: 'EC',
-      crv: 'P-384',
-      x: 'SzrRXmyI8VWFJg1dPUNbFcc9jZvjZEfH7ulKI1UkXAltd7RGWrcfFxqyGPcwu6AQ',
-      y: 'hHUag3OvDzEr0uUQND4PXHQTXP5IDGdYhJhL-WLKjnGjQAw0rNGy5V29-aV-yseW'
-    };
-    const alicePrivate: JsonWebKey = {
-      ...alicePublic,
-      d: 'wouCtU7Nw4E8_7n5C1-xBjB4xqSb_liZhYMsy8MGgxUny6Q8NCoH9xSiviwLFfK_',
-    };
-
     let alice: TestUserKeys;
 
     before(async () => {
@@ -38,10 +38,10 @@ describe('Universal Vault Format', () => {
       alice = new TestUserKeys({ privateKey: await alicePrv, publicKey: await alicePub });
     });
 
-    it('encryptForUser()', async () => {
+    it('serializeKey()', async () => {
       const memberKey = await TestMemberKey.create();
 
-      const encrypted = await memberKey.encryptForUser(alice.keyPair.publicKey);
+      const encrypted = await memberKey.serializeKey();
 
       expect(encrypted).to.be.not.null;
     });
@@ -83,6 +83,42 @@ describe('Universal Vault Format', () => {
       expect(decryptedPayload.kdf).to.eq('HKDF-SHA512');
     });
   });
+
+  describe('UVF Recovery Key', () => {
+
+    it('create()', async () => {
+      const recoveryKey = await RecoveryKey.create();
+      expect(recoveryKey).to.be.not.null;
+    });
+
+    describe('instance methods', () => {
+      let recoveryKey: RecoveryKey;
+
+      beforeEach(async () => {
+        // prepare some test key pairs:
+        const alicePrv = await crypto.subtle.importKey('jwk', alicePrivate, RecoveryKey.KEY_DESIGNATION, true, RecoveryKey.KEY_USAGES);
+        const alicePub = await crypto.subtle.importKey('jwk', alicePublic, RecoveryKey.KEY_DESIGNATION, true, []);
+        recoveryKey = new TestRecoveryKey(alicePub, alicePrv);
+      });
+
+      it('serializePrivateKey()', async () => {
+        const serialized = await recoveryKey.serializePrivateKey();
+        expect(serialized).to.eq('MIG2AgEAMBAGByqGSM49AgEGBSuBBAAiBIGeMIGbAgEBBDDCi4K1Ts3DgTz/ufkLX7EGMHjGpJv+WJmFgyzLwwaDFSfLpDw0Kgf3FKK+LAsV8r+hZANiAARLOtFebIjxVYUmDV09Q1sVxz2Nm+NkR8fu6UojVSRcCW13tEZatx8XGrIY9zC7oBCEdRqDc68PMSvS5RA0Pg9cdBNc/kgMZ1iEmEv5YsqOcaNADDSs0bLlXb35pX7Kx5Y=');
+      });
+
+      it('serializePublicKey()', async () => {
+        const serialized = await recoveryKey.serializePublicKey();
+        expect(serialized).to.eq('MHYwEAYHKoZIzj0CAQYFK4EEACIDYgAESzrRXmyI8VWFJg1dPUNbFcc9jZvjZEfH7ulKI1UkXAltd7RGWrcfFxqyGPcwu6AQhHUag3OvDzEr0uUQND4PXHQTXP5IDGdYhJhL+WLKjnGjQAw0rNGy5V29+aV+yseW');
+      });
+
+      it('createRecoveryKey()', async () => {
+        const result = await recoveryKey.createRecoveryKey();
+        expect(result).to.eq('cult hold all away buck do law relaxed other stimulus all bank fit indulge dad any ear grey cult golf all baby dig war linear tour sleep humanity threat question neglect stance radar bank coup misery painter tragedy buddy compare winter national approval budget deep screen outdoor audience tear stream cure type ugly chamber supporter franchise accept sexy ad imply being drug doctor regime where thick dam training grass chamber domestic dictator educate sigh music spoken connected measure voice lemon pig comprise disturb appear greatly satisfied heat news curiosity top impress nor method reflect lesson recommend dual revenge thorough bus count broadband living riot prejudice target blonde excess company thereby tribe respond horror mere way proud shopping wise liver mortgage plastic gentleman eighteen terms worry melt');
+      });
+
+    });
+
+  });
 });
 
 
@@ -107,4 +143,10 @@ class TestUserKeys extends UserKeys {
   }
 }
 
+class TestRecoveryKey extends RecoveryKey {
+  public constructor(readonly publicKey: CryptoKey, readonly privateKey?: CryptoKey) {
+    super(publicKey, privateKey);
+  }
+}
+
 // #endregion

From eda2621371a497013dec0e5a6dd3fcbf3e9d6f98 Mon Sep 17 00:00:00 2001
From: Sebastian Stenzel <sebastian.stenzel@skymatic.de>
Date: Thu, 9 May 2024 16:03:17 +0200
Subject: [PATCH 31/94] add tests

---
 frontend/src/common/crypto.ts       | 12 ++----
 frontend/test/common/crypto.spec.ts | 67 ++++++++++++++++++++++++++---
 2 files changed, 65 insertions(+), 14 deletions(-)

diff --git a/frontend/src/common/crypto.ts b/frontend/src/common/crypto.ts
index 54f90e269..e7724e913 100644
--- a/frontend/src/common/crypto.ts
+++ b/frontend/src/common/crypto.ts
@@ -13,10 +13,6 @@ export class UnwrapKeyError extends Error {
   }
 }
 
-interface UserKeysJWEPayload {
-  key: string
-}
-
 export interface AccessTokenPayload {
   /**
    * The vault key (base64-encoded DER-formatted)
@@ -111,7 +107,7 @@ export class UserKeys { // TODO: rename to CurrentUserKeyPair
    * @throws {UnwrapKeyError} when attempting to decrypt the private key using an incorrect setupCode
    */
   public static async recover(encodedPublicKey: string, encryptedPrivateKey: string, setupCode: string): Promise<UserKeys> {
-    const jwe: UserKeysJWEPayload = await JWE.parseCompact(encryptedPrivateKey).decrypt(Recipient.pbes2('org.cryptomator.hub.setupCode', setupCode));
+    const jwe: AccessTokenPayload = await JWE.parseCompact(encryptedPrivateKey).decrypt(Recipient.pbes2('org.cryptomator.hub.setupCode', setupCode));
     const decodedPublicKey = base64.parse(encodedPublicKey, { loose: true });
     const decodedPrivateKey = base64.parse(jwe.key, { loose: true });
     const privateKey = crypto.subtle.importKey('pkcs8', decodedPrivateKey, UserKeys.KEY_DESIGNATION, true, UserKeys.KEY_USAGES);
@@ -147,7 +143,7 @@ export class UserKeys { // TODO: rename to CurrentUserKeyPair
   public async encryptedPrivateKey(setupCode: string): Promise<string> {
     const rawkey = new Uint8Array(await crypto.subtle.exportKey('pkcs8', this.keyPair.privateKey));
     try {
-      const payload: UserKeysJWEPayload = {
+      const payload: AccessTokenPayload = {
         key: base64.stringify(rawkey)
       };
       const jwe = await JWE.build(payload).encrypt(Recipient.pbes2('org.cryptomator.hub.setupCode', setupCode));
@@ -167,7 +163,7 @@ export class UserKeys { // TODO: rename to CurrentUserKeyPair
     const publicKey = await UserKeys.publicKey(devicePublicKey);
     const rawkey = new Uint8Array(await crypto.subtle.exportKey('pkcs8', this.keyPair.privateKey));
     try {
-      const payload: UserKeysJWEPayload = {
+      const payload: AccessTokenPayload = {
         key: base64.stringify(rawkey)
       };
       const jwe = await JWE.build(payload).encrypt(Recipient.ecdhEs('org.cryptomator.hub.deviceKey', publicKey));
@@ -188,7 +184,7 @@ export class UserKeys { // TODO: rename to CurrentUserKeyPair
     const publicKey = await UserKeys.publicKey(userPublicKey);
     let rawKey = new Uint8Array();
     try {
-      const payload: UserKeysJWEPayload = await JWE.parseCompact(jwe).decrypt(Recipient.ecdhEs('org.cryptomator.hub.deviceKey', browserPrivateKey));
+      const payload: AccessTokenPayload = await JWE.parseCompact(jwe).decrypt(Recipient.ecdhEs('org.cryptomator.hub.deviceKey', browserPrivateKey));
       rawKey = base64.parse(payload.key);
       const privateKey = await crypto.subtle.importKey('pkcs8', rawKey, UserKeys.KEY_DESIGNATION, true, UserKeys.KEY_USAGES);
       return new UserKeys({ publicKey: publicKey, privateKey: privateKey });
diff --git a/frontend/test/common/crypto.spec.ts b/frontend/test/common/crypto.spec.ts
index 28a74f431..f8dcaff0b 100644
--- a/frontend/test/common/crypto.spec.ts
+++ b/frontend/test/common/crypto.spec.ts
@@ -2,7 +2,7 @@ import { use as chaiUse, expect } from 'chai';
 import chaiAsPromised from 'chai-as-promised';
 import { before, describe } from 'mocha';
 import { base64 } from 'rfc4648';
-import { UserKeys } from '../../src/common/crypto';
+import { UnwrapKeyError, UserKeys } from '../../src/common/crypto';
 
 chaiUse(chaiAsPromised);
 
@@ -40,11 +40,10 @@ describe('crypto', () => {
     global.window = { crypto: global.crypto };
 
     // prepare some test key pairs:
-    let ecdhP384: EcKeyImportParams = { name: 'ECDH', namedCurve: 'P-384' };
-    const alicePrv = crypto.subtle.importKey('jwk', alicePrivate, ecdhP384, true, ['deriveKey']);
-    const alicePub = crypto.subtle.importKey('jwk', alicePublic, ecdhP384, true, []);
-    const bobPrv = crypto.subtle.importKey('jwk', bobPrivate, ecdhP384, true, ['deriveKey']);
-    const bobPub = crypto.subtle.importKey('jwk', bobPublic, ecdhP384, true, []);
+    const alicePrv = crypto.subtle.importKey('jwk', alicePrivate, UserKeys.KEY_DESIGNATION, true, UserKeys.KEY_USAGES);
+    const alicePub = crypto.subtle.importKey('jwk', alicePublic, UserKeys.KEY_DESIGNATION, true, []);
+    const bobPrv = crypto.subtle.importKey('jwk', bobPrivate, UserKeys.KEY_DESIGNATION, true, UserKeys.KEY_USAGES);
+    const bobPub = crypto.subtle.importKey('jwk', bobPublic, UserKeys.KEY_DESIGNATION, true, []);
     alice = { privateKey: await alicePrv, publicKey: await alicePub };
     bob = { privateKey: await bobPrv, publicKey: await bobPub };
   });
@@ -56,6 +55,42 @@ describe('crypto', () => {
       expect(orig).to.be.not.null;
     });
 
+    it('recover()', async () => {
+      const encodedPublicKey = 'MHYwEAYHKoZIzj0CAQYFK4EEACIDYgAESzrRXmyI8VWFJg1dPUNbFcc9jZvjZEfH7ulKI1UkXAltd7RGWrcfFxqyGPcwu6AQhHUag3OvDzEr0uUQND4PXHQTXP5IDGdYhJhL+WLKjnGjQAw0rNGy5V29+aV+yseW';
+      const jwe = 'eyJlbmMiOiJBMjU2R0NNIiwia2lkIjoib3JnLmNyeXB0b21hdG9yLmh1Yi5zZXR1cENvZGUiLCJhbGciOiJQQkVTMi1IUzUxMitBMjU2S1ciLCJwMmMiOjEwMDAwMDAsInAycyI6InJRV09pcl82VU9fMjE0eFJsQS02UEEifQ._cMSJto2fFJ9ixEmchid4VRAt-Al6GNVxjo114XdeJktm3WctXShSQ.kwOeIpnXmyZXt4n3.sYx6ZjCkkf8bXdHY-NGrZzG6hsd11Ze97cfuEay3glfJkOyKQgV7TURyKguJWrc-s7m67cq35uE9KUUB6SGLoUMs1ebmRx8emCxVBRjvia5e_gWnjCzIsS0Z3C67R8Tyvh1EadigRfE57HTrP7kJXV5zRf2L1OYOeI1QmmN44Cga2HW0B3zDOG3EXvN3tv3bMu83L3Css1_CZABWyPkrwOBt8LytzEeTWaV8SItdVolPUH9OmW7l0hS3dBMgS4haXlbLR0OxmL3Ag-tZ1G_WxLliWxLMUNAsqWOVzedkRhc9VichvD0KCZ8J5_O18sBPnMQ._2i2LUEV3T1nmY49oq7n_7EqADqAhnmzmTwLPWgqxOw';
+
+      const result = await UserKeys.recover(encodedPublicKey, jwe, 'password');
+
+      expect(result).to.be.not.null;
+    });
+
+    it('recover() with incorrect password', async () => {
+      const encodedPublicKey = 'MHYwEAYHKoZIzj0CAQYFK4EEACIDYgAESzrRXmyI8VWFJg1dPUNbFcc9jZvjZEfH7ulKI1UkXAltd7RGWrcfFxqyGPcwu6AQhHUag3OvDzEr0uUQND4PXHQTXP5IDGdYhJhL+WLKjnGjQAw0rNGy5V29+aV+yseW';
+      const jwe = 'eyJlbmMiOiJBMjU2R0NNIiwia2lkIjoib3JnLmNyeXB0b21hdG9yLmh1Yi5zZXR1cENvZGUiLCJhbGciOiJQQkVTMi1IUzUxMitBMjU2S1ciLCJwMmMiOjEwMDAwMDAsInAycyI6InJRV09pcl82VU9fMjE0eFJsQS02UEEifQ._cMSJto2fFJ9ixEmchid4VRAt-Al6GNVxjo114XdeJktm3WctXShSQ.kwOeIpnXmyZXt4n3.sYx6ZjCkkf8bXdHY-NGrZzG6hsd11Ze97cfuEay3glfJkOyKQgV7TURyKguJWrc-s7m67cq35uE9KUUB6SGLoUMs1ebmRx8emCxVBRjvia5e_gWnjCzIsS0Z3C67R8Tyvh1EadigRfE57HTrP7kJXV5zRf2L1OYOeI1QmmN44Cga2HW0B3zDOG3EXvN3tv3bMu83L3Css1_CZABWyPkrwOBt8LytzEeTWaV8SItdVolPUH9OmW7l0hS3dBMgS4haXlbLR0OxmL3Ag-tZ1G_WxLliWxLMUNAsqWOVzedkRhc9VichvD0KCZ8J5_O18sBPnMQ._2i2LUEV3T1nmY49oq7n_7EqADqAhnmzmTwLPWgqxOw';
+
+      const attempt = UserKeys.recover(encodedPublicKey, jwe, 'wrong');
+
+      return expect(attempt).to.be.rejectedWith(UnwrapKeyError);
+    });
+
+    it('decryptOnBrowser()', async () => {
+      const jwe = 'eyJlbmMiOiJBMjU2R0NNIiwia2lkIjoib3JnLmNyeXB0b21hdG9yLmh1Yi5kZXZpY2VLZXkiLCJhbGciOiJFQ0RILUVTK0EyNTZLVyIsImVwayI6eyJrZXlfb3BzIjpbXSwiZXh0Ijp0cnVlLCJrdHkiOiJFQyIsIngiOiJETTNILXV2TDB2VnMwNDFCTUU2LWM5ZW1BN1NCellDSGI1czJTV1NsM05nWDM2azhPTWVyVlR6VUx4N185bDU4IiwieSI6InBERXk4WnpqXzNNZldtamt5YlpjV3oyVVBJdGhnVWEwSGk3Yks3QVBXTHFSRnFwZmh1eWx4MTdadFhnNnBPZUoiLCJjcnYiOiJQLTM4NCJ9LCJhcHUiOiIiLCJhcHYiOiIifQ.ppy4wTaFZPxHxq1s4LPbHHkC1EFCWq_i0uvvEE9tuO9shzpazi9f7w.fEMTO_2ueYtRd9F0.TjVy520PvstERopn4qhpQB9chotb80_vV3Zj78veWQdzg49a6MH51TVqKKqX1n-6_HyS_chDNR9P0kdLF2ZzrWUJ0x5aenmG7ALeLjrOrxMEf0Fsboxn04q1bRDBq-Gse7Iwhk8NZvVMs_xXDL3wTeIzff_YeeNZcJS_xXHzMpbLbWjQs_x60t56uP2_fF8Wm4Fr5srBOuB5-E3VPYhm_LVOYvBOYKJDl9awWw809UvZwotorI7jG_TwLqYCIgrdkvQxS5Sz05gWdM6yMrYcL5VInxJGSt-dL_0nomN0btmHOv51qD_dyxvFknPkESWD_l4.pWlTbfYgQ_rWI0AY8HXcirJ9pIg7Oh0AvjwR0mdM42Y';
+      const deviceKey = bob;
+
+      const result = UserKeys.decryptOnBrowser(jwe, deviceKey.privateKey, alice.publicKey);
+
+      expect(result).to.be.not.null;
+    });
+
+    it('decryptOnBrowser() with incorrect device key', async () => {
+      const jwe = 'eyJlbmMiOiJBMjU2R0NNIiwia2lkIjoib3JnLmNyeXB0b21hdG9yLmh1Yi5kZXZpY2VLZXkiLCJhbGciOiJFQ0RILUVTK0EyNTZLVyIsImVwayI6eyJrZXlfb3BzIjpbXSwiZXh0Ijp0cnVlLCJrdHkiOiJFQyIsIngiOiJETTNILXV2TDB2VnMwNDFCTUU2LWM5ZW1BN1NCellDSGI1czJTV1NsM05nWDM2azhPTWVyVlR6VUx4N185bDU4IiwieSI6InBERXk4WnpqXzNNZldtamt5YlpjV3oyVVBJdGhnVWEwSGk3Yks3QVBXTHFSRnFwZmh1eWx4MTdadFhnNnBPZUoiLCJjcnYiOiJQLTM4NCJ9LCJhcHUiOiIiLCJhcHYiOiIifQ.ppy4wTaFZPxHxq1s4LPbHHkC1EFCWq_i0uvvEE9tuO9shzpazi9f7w.fEMTO_2ueYtRd9F0.TjVy520PvstERopn4qhpQB9chotb80_vV3Zj78veWQdzg49a6MH51TVqKKqX1n-6_HyS_chDNR9P0kdLF2ZzrWUJ0x5aenmG7ALeLjrOrxMEf0Fsboxn04q1bRDBq-Gse7Iwhk8NZvVMs_xXDL3wTeIzff_YeeNZcJS_xXHzMpbLbWjQs_x60t56uP2_fF8Wm4Fr5srBOuB5-E3VPYhm_LVOYvBOYKJDl9awWw809UvZwotorI7jG_TwLqYCIgrdkvQxS5Sz05gWdM6yMrYcL5VInxJGSt-dL_0nomN0btmHOv51qD_dyxvFknPkESWD_l4.pWlTbfYgQ_rWI0AY8HXcirJ9pIg7Oh0AvjwR0mdM42Y';
+      const deviceKey = alice;
+
+      const attempt = UserKeys.decryptOnBrowser(jwe, deviceKey.privateKey, alice.publicKey);
+
+      return expect(attempt).to.be.rejectedWith(UnwrapKeyError);
+    });
+
     describe('After creating new key material', () => {
       let userKeys: UserKeys;
 
@@ -69,6 +104,26 @@ describe('crypto', () => {
 
         expect(jwe).to.be.not.null;
       });
+
+      it('encodedPublicKey() creates JWE', async () => {
+        const result = await userKeys.encodedPublicKey();
+
+        expect(result).to.eq('MHYwEAYHKoZIzj0CAQYFK4EEACIDYgAESzrRXmyI8VWFJg1dPUNbFcc9jZvjZEfH7ulKI1UkXAltd7RGWrcfFxqyGPcwu6AQhHUag3OvDzEr0uUQND4PXHQTXP5IDGdYhJhL+WLKjnGjQAw0rNGy5V29+aV+yseW');
+      });
+
+      it('encryptedPrivateKey() creates JWE', async () => {
+        const result = await userKeys.encryptedPrivateKey('password');
+
+        expect(result).to.be.a('string');
+      });
+
+      it('decryptAccessToken() decrypts JWE', async () => {
+        const jwe = 'eyJlbmMiOiJBMjU2R0NNIiwia2lkIjoib3JnLmNyeXB0b21hdG9yLmh1Yi51c2Vya2V5IiwiYWxnIjoiRUNESC1FUytBMjU2S1ciLCJlcGsiOnsia2V5X29wcyI6W10sImV4dCI6dHJ1ZSwia3R5IjoiRUMiLCJ4IjoicFotVXExTjNOVElRcHNpZC11UGZMaW95bVVGVFJLM1dkTXVkLWxDcGh5MjQ4bUlJelpDc3RPRzZLTGloZnBkZyIsInkiOiJzMnl6eF9Ca2QweFhIcENnTlJFOWJiQUIyQkNNTF80cWZwcFEza1N2LXhqcEROVWZZdmlxQS1xRERCYnZkNDdYIiwiY3J2IjoiUC0zODQifSwiYXB1IjoiIiwiYXB2IjoiIn0.I_rXJagNrrCa9zISf0DZJLQbIZDxEpGxCyjFbNE0iZs6yFeVayNOGQ.7rASe4SqyKJJLHZ4.l6T2N_ATytZUyh1IZTIJJDY4dXCyQVsRB19QIIPrAi0QQiS4gl4.fnOtAJhdvPFFHVi6L5Ma_R8iL3IXq1_xAq2PvdEfx0A';
+
+        const payload = await userKeys.decryptAccessToken(jwe);
+
+        expect(payload.key).to.eq('VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVU=');
+      });
     });
   });
 

From 815199fce661b0fd1e30b24ae35ed0c64ae96fad Mon Sep 17 00:00:00 2001
From: Sebastian Stenzel <sebastian.stenzel@skymatic.de>
Date: Thu, 9 May 2024 16:54:14 +0200
Subject: [PATCH 32/94] reduce public API surface

---
 frontend/src/common/crypto.ts           |  2 +-
 frontend/src/common/uvf.ts              | 19 ++++++-------------
 frontend/src/components/CreateVault.vue | 11 +++--------
 3 files changed, 10 insertions(+), 22 deletions(-)

diff --git a/frontend/src/common/crypto.ts b/frontend/src/common/crypto.ts
index e7724e913..960e21243 100644
--- a/frontend/src/common/crypto.ts
+++ b/frontend/src/common/crypto.ts
@@ -18,7 +18,7 @@ export interface AccessTokenPayload {
    * The vault key (base64-encoded DER-formatted)
    */
   key: string,
-  [key: string]: string | number | boolean | object
+  [key: string]: string | number | boolean | object | undefined
 }
 
 export const GCM_NONCE_LEN = 12;
diff --git a/frontend/src/common/uvf.ts b/frontend/src/common/uvf.ts
index 28866b8cd..e674347e1 100644
--- a/frontend/src/common/uvf.ts
+++ b/frontend/src/common/uvf.ts
@@ -65,17 +65,6 @@ export class MemberKey {
     }
   }
 
-  /**
-   * Encrypts this member key using the given public key
-   * @param userPublicKey The user's public key (DER-encoded)
-   * @returns a JWE containing this member key
-   */
-  public async encryptForUser(userPublicKey: CryptoKey | Uint8Array): Promise<string> {
-    return OtherVaultMember.withPublicKey(userPublicKey).createAccessToken({
-      key: await this.serializeKey()
-    });
-  }
-
   /**
    * Encodes the key
    * @returns member key in base64-encoded raw format
@@ -322,8 +311,12 @@ export class UniversalVaultFormat implements AccessTokenProducing, VaultTemplate
     return zip.generateAsync({ type: 'blob' });
   }
 
-  public async encryptForUser(userPublicKey: CryptoKey | Uint8Array): Promise<string> {
-    return this.memberKey.encryptForUser(userPublicKey);
+  public async encryptForUser(userPublicKey: CryptoKey | Uint8Array, isOwner?: boolean): Promise<string> {
+    const payload: UvfAccessTokenPayload = {
+      key: await this.memberKey.serializeKey(),
+      recoveryKey: isOwner && this.recoveryKey.privateKey ? await this.recoveryKey.serializePrivateKey() : undefined
+    };
+    return OtherVaultMember.withPublicKey(userPublicKey).createAccessToken(payload);
   }
 }
 
diff --git a/frontend/src/components/CreateVault.vue b/frontend/src/components/CreateVault.vue
index 6c72546fd..545574a5a 100644
--- a/frontend/src/components/CreateVault.vue
+++ b/frontend/src/components/CreateVault.vue
@@ -214,7 +214,7 @@ import { base64 } from 'rfc4648';
 import { onMounted, ref } from 'vue';
 import { useI18n } from 'vue-i18n';
 import backend, { AccessGrant, PaymentRequiredError, VaultDto } from '../common/backend';
-import { OtherVaultMember, VaultTemplateProducing } from '../common/crypto';
+import { VaultTemplateProducing } from '../common/crypto';
 import { debounce } from '../common/util';
 import { UniversalVaultFormat } from '../common/uvf';
 import { VaultKeys } from '../common/vaultv8';
@@ -344,19 +344,14 @@ async function createVault() {
         if (!format8VaultKeys.value) {
           throw new Error('Invalid state');
         }
-        ownerGrant.token = await OtherVaultMember.withPublicKey(base64.parse(owner.publicKey)).createAccessToken({
-          key: await format8VaultKeys.value.serializeMasterKey()
-        });
+        ownerGrant.token = await format8VaultKeys.value.encryptForUser(base64.parse(owner.publicKey));
         break;
       }
       case VaultType.UniversalVaultFormat: {
         if (!uvfVault.value) {
           throw new Error('Invalid state');
         }
-        ownerGrant.token = await OtherVaultMember.withPublicKey(base64.parse(owner.publicKey)).createAccessToken({
-          key: await uvfVault.value.memberKey.serializeKey(),
-          recoveryKey: await uvfVault.value.recoveryKey.serializePrivateKey()
-        });
+        ownerGrant.token = await uvfVault.value.encryptForUser(base64.parse(owner.publicKey), true);
         vault.value.uvfMetadataFile = await uvfVault.value.createMetadataFile();
         vault.value.uvfRecoveryPublicKey = await uvfVault.value.recoveryKey.serializePublicKey();
         break;

From 037157fe6da16e5b8533466e1fd0067ff793ae93 Mon Sep 17 00:00:00 2001
From: Sebastian Stenzel <sebastian.stenzel@skymatic.de>
Date: Thu, 9 May 2024 16:54:17 +0200
Subject: [PATCH 33/94] add tests

---
 frontend/test/common/uvf.spec.ts | 76 +++++++++++++++++++++++++++++---
 1 file changed, 69 insertions(+), 7 deletions(-)

diff --git a/frontend/test/common/uvf.spec.ts b/frontend/test/common/uvf.spec.ts
index 478742b21..001f465e5 100644
--- a/frontend/test/common/uvf.spec.ts
+++ b/frontend/test/common/uvf.spec.ts
@@ -1,8 +1,9 @@
 import { use as chaiUse, expect } from 'chai';
 import chaiAsPromised from 'chai-as-promised';
 import { before, describe } from 'mocha';
+import { VaultDto } from '../../src/common/backend';
 import { UserKeys } from '../../src/common/crypto';
-import { MemberKey, RecoveryKey, VaultMetadata } from '../../src/common/uvf';
+import { MemberKey, RecoveryKey, UniversalVaultFormat, VaultMetadata } from '../../src/common/uvf';
 
 chaiUse(chaiAsPromised);
 
@@ -18,7 +19,7 @@ const alicePrivate: JsonWebKey = {
   d: 'wouCtU7Nw4E8_7n5C1-xBjB4xqSb_liZhYMsy8MGgxUny6Q8NCoH9xSiviwLFfK_',
 };
 
-describe('Universal Vault Format', () => {
+describe('UVF', () => {
 
   before(async () => {
     // since this test runs on Node, we need to replace window.crypto:
@@ -27,9 +28,8 @@ describe('Universal Vault Format', () => {
     global.window = { crypto: global.crypto };
   });
 
-  describe('UVF Member Key', () => {
-
-    let alice: TestUserKeys;
+  describe('MemberKey', () => {
+    let alice: UserKeys;
 
     before(async () => {
       // prepare some test key pairs:
@@ -53,10 +53,11 @@ describe('Universal Vault Format', () => {
       const decrypted = await MemberKey.load(payload.key);
 
       expect(decrypted).to.be.not.null;
+      expect(decrypted.serializeKey()).to.eventually.eq('VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVU=');
     });
   });
 
-  describe('UVF Metadata', () => {
+  describe('VaultMetadata', () => {
     // TODO review @sebi what else should we test?
     it('encrypt() and decryptWithMemberKey()', async () => {
       const vaultMemberKey = await MemberKey.create();
@@ -84,7 +85,7 @@ describe('Universal Vault Format', () => {
     });
   });
 
-  describe('UVF Recovery Key', () => {
+  describe('RecoveryKey', () => {
 
     it('create()', async () => {
       const recoveryKey = await RecoveryKey.create();
@@ -119,6 +120,67 @@ describe('Universal Vault Format', () => {
     });
 
   });
+
+  describe('UniversalVaultFormat', () => {
+    let alice: UserKeys;
+
+    beforeEach(async () => {
+      // prepare some test key pairs:
+      const alicePrv = await crypto.subtle.importKey('jwk', alicePrivate, RecoveryKey.KEY_DESIGNATION, true, RecoveryKey.KEY_USAGES);
+      const alicePub = await crypto.subtle.importKey('jwk', alicePublic, RecoveryKey.KEY_DESIGNATION, true, []);
+      alice = new TestUserKeys({ privateKey: alicePrv, publicKey: alicePub });
+    });
+
+    it('create()', async () => {
+      const uvf = await UniversalVaultFormat.create({ enabled: true, maxWotDepth: -1 });
+      expect(uvf).to.be.not.null;
+      expect(uvf.metadata).to.be.not.null;
+      expect(uvf.memberKey).to.be.not.null;
+      expect(uvf.recoveryKey).to.be.not.null;
+    });
+
+    it('decrypt()', async () => {
+      const dto: VaultDto = {
+        id: '123',
+        name: 'test',
+        archived: false,
+        creationTime: new Date(),
+        uvfMetadataFile: '{"protected":"eyJqa3UiOiJqa3UuandrcyIsImVuYyI6IkEyNTZHQ00ifQ","recipients":[{"header":{"kid":"org.cryptomator.hub.memberkey","alg":"A256KW"},"encrypted_key":"WyLgMABBhRtsTE4PGJc-o8ZlhmoBB3uwCfNgs2wLqnmvCak9ZWoeww"},{"header":{"kid":"org.cryptomator.hub.recoverykey.7gnV24ftRgvx7eq-MeV4Pr_K9KlxdRl9EThXQ08XrA8","alg":"ECDH-ES+A256KW","epk":{"key_ops":[],"ext":true,"kty":"EC","x":"6DEeEYrLi7mz4a1QftEOXIia6wL2OblQioOiR081diHe1T_CbSP_OLnTXgQX2Ark","y":"qLY9M8mWj6kE5rzshqV-c2ioUvV82Gp7RLfolW_Yd4bMYTL142MQX7F7TSYIt1P3","crv":"P-384"},"apu":"","apv":""},"encrypted_key":"1bd-7tqhB6y3F2CxJxdoe3lRhvizbL7VyhlZjRSzGLxoBm7bELQBdQ"}],"iv":"aAFzuQNAO5NlO0eP","ciphertext":"C6ZhAuKv46ydOQ215-hm9ei18EHi5sVBdwYKBBL1XXpC852e8HWprA1HBPXBd_aKw_0wimpIiTxgJLK8V3YZIHlECHM2T-q7em7kPT-NUWHL9rnXKQrdFkuwXiKiVRvlYKQAG8r52-SHl-mm4cMVXFIwWyks36bt87ngQ1vWih9qYqpvxJ6DozHveR8jODxe_itGx8aYm6pbjlT56vAb10in7s-Y_Xya1pLSdVHmMyZf90fe9X7cY9qv6Jnybi2SvWLr8H3wIpp_3-T_zLMzJB1SpGo-BhZqcoon2SzYACx4TFh9eMydlTEi0DEqSs3NoqXAN8uBEEcSeDfTAAr5J9BjvIF7wq5FHomJcfPjW5qhSmqyxi3JXnF0UjP7jy0aPWqZtKqIkedlQb62oR4bPoKk9vrp","tag":"zK_nd4E8g25v3qq5ayVviogORUvQDS1Mi11dCkuxUgc"}',
+        uvfRecoveryPublicKey: 'MHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEu35Pxi7dz4zbnOeU41N3Rkr3UDfpXlQPZYj/45+15K2wcKgGw7q8n8LCWHvSZ2XyXhUKsAeuosCsgEyw7LOji1J0yAvCASr44majKi9lyQ2gabxHPkPaHRJV/9QGO6id'
+      };
+      const accessToken = 'eyJlbmMiOiJBMjU2R0NNIiwia2lkIjoib3JnLmNyeXB0b21hdG9yLmh1Yi51c2Vya2V5IiwiYWxnIjoiRUNESC1FUytBMjU2S1ciLCJlcGsiOnsia2V5X29wcyI6W10sImV4dCI6dHJ1ZSwia3R5IjoiRUMiLCJ4IjoiWGJxOGozRXpXWlBuVDNnUDBzR2s3dkQxWVo5NUMyeUFRWEJoZlpLbE9sQnF5QlN6UlJsdUdOckZSTi10MHFIdCIsInkiOiJPb1VzcW04V0tCdUt6MzdKaGZhU3Y5OGk5SzVnS3hBYlNlQnBFSHdRTU9qSTlNZ0VSZmdDX2NqZWdKNnhqYlFjIiwiY3J2IjoiUC0zODQifSwiYXB1IjoiIiwiYXB2IjoiIn0.i8sw4wq6q-XH-rdbhsnOhJCw4WIFgrpDWIttyrRQk3Bhx4NhW1VwzA.HvVu3ujO_ckTBlCl.7nNWKXpy4kfAwxB7JDmPGrfjO9dDvB_w8FrGesfWlEXKf-WJBHo.eGUXkTJawp8EmVbXca3NarXaQ6_qS2_MxeuLLlKN_Ck';
+      const uvf = await UniversalVaultFormat.decrypt(dto, accessToken, alice);
+
+      expect(uvf).to.be.not.null;
+      expect(uvf.metadata).to.be.not.null;
+      expect(uvf.memberKey).to.be.not.null;
+      expect(uvf.recoveryKey).to.be.not.null;
+      expect(uvf.recoveryKey.privateKey).to.be.undefined;
+    });
+
+    describe('instance methods', () => {
+      let uvf: UniversalVaultFormat;
+
+      before(async () => {
+        uvf = await UniversalVaultFormat.create({ enabled: true, maxWotDepth: -1 });
+      });
+
+      it('encryptForUser() creates an access token', async () => {
+        const token = await uvf.encryptForUser(alice.keyPair.publicKey);
+        expect(token).to.be.not.null;
+      });
+
+      it('createMetadataFile() creates a vault.uvf file', async () => {
+        const file = await uvf.createMetadataFile();
+        expect(file).to.be.not.null;
+      });
+
+      it('serializePublicKey() creates a PEM-encoded representation', async () => {
+        const pem = await uvf.recoveryKey.serializePublicKey();
+        expect(pem).to.be.not.null;
+      });
+    });
+  });
 });
 
 

From 2a40d01cf28529b0d782f5b1c325a32e7f59808b Mon Sep 17 00:00:00 2001
From: Sebastian Stenzel <sebastian.stenzel@skymatic.de>
Date: Thu, 9 May 2024 19:31:30 +0200
Subject: [PATCH 34/94] speed up tests by reducing KDF iteration count

---
 frontend/src/common/crypto.ts       | 5 +++--
 frontend/test/common/crypto.spec.ts | 6 +++---
 2 files changed, 6 insertions(+), 5 deletions(-)

diff --git a/frontend/src/common/crypto.ts b/frontend/src/common/crypto.ts
index 960e21243..59aba50d8 100644
--- a/frontend/src/common/crypto.ts
+++ b/frontend/src/common/crypto.ts
@@ -137,16 +137,17 @@ export class UserKeys { // TODO: rename to CurrentUserKeyPair
   /**
    * Encrypts the user's private key using a key derived from the given setupCode
    * @param setupCode The password to protect the private key.
+   * @param p2c Optional number of iterations for PBKDF2.
    * @returns A JWE holding the encrypted private key
    * @see Recipient.pbes2
    */
-  public async encryptedPrivateKey(setupCode: string): Promise<string> {
+  public async encryptedPrivateKey(setupCode: string, p2c?: number): Promise<string> {
     const rawkey = new Uint8Array(await crypto.subtle.exportKey('pkcs8', this.keyPair.privateKey));
     try {
       const payload: AccessTokenPayload = {
         key: base64.stringify(rawkey)
       };
-      const jwe = await JWE.build(payload).encrypt(Recipient.pbes2('org.cryptomator.hub.setupCode', setupCode));
+      const jwe = await JWE.build(payload).encrypt(Recipient.pbes2('org.cryptomator.hub.setupCode', setupCode, p2c));
       return jwe.compactSerialization();
     } finally {
       rawkey.fill(0x00);
diff --git a/frontend/test/common/crypto.spec.ts b/frontend/test/common/crypto.spec.ts
index f8dcaff0b..d1460befb 100644
--- a/frontend/test/common/crypto.spec.ts
+++ b/frontend/test/common/crypto.spec.ts
@@ -57,7 +57,7 @@ describe('crypto', () => {
 
     it('recover()', async () => {
       const encodedPublicKey = 'MHYwEAYHKoZIzj0CAQYFK4EEACIDYgAESzrRXmyI8VWFJg1dPUNbFcc9jZvjZEfH7ulKI1UkXAltd7RGWrcfFxqyGPcwu6AQhHUag3OvDzEr0uUQND4PXHQTXP5IDGdYhJhL+WLKjnGjQAw0rNGy5V29+aV+yseW';
-      const jwe = 'eyJlbmMiOiJBMjU2R0NNIiwia2lkIjoib3JnLmNyeXB0b21hdG9yLmh1Yi5zZXR1cENvZGUiLCJhbGciOiJQQkVTMi1IUzUxMitBMjU2S1ciLCJwMmMiOjEwMDAwMDAsInAycyI6InJRV09pcl82VU9fMjE0eFJsQS02UEEifQ._cMSJto2fFJ9ixEmchid4VRAt-Al6GNVxjo114XdeJktm3WctXShSQ.kwOeIpnXmyZXt4n3.sYx6ZjCkkf8bXdHY-NGrZzG6hsd11Ze97cfuEay3glfJkOyKQgV7TURyKguJWrc-s7m67cq35uE9KUUB6SGLoUMs1ebmRx8emCxVBRjvia5e_gWnjCzIsS0Z3C67R8Tyvh1EadigRfE57HTrP7kJXV5zRf2L1OYOeI1QmmN44Cga2HW0B3zDOG3EXvN3tv3bMu83L3Css1_CZABWyPkrwOBt8LytzEeTWaV8SItdVolPUH9OmW7l0hS3dBMgS4haXlbLR0OxmL3Ag-tZ1G_WxLliWxLMUNAsqWOVzedkRhc9VichvD0KCZ8J5_O18sBPnMQ._2i2LUEV3T1nmY49oq7n_7EqADqAhnmzmTwLPWgqxOw';
+      const jwe = 'eyJlbmMiOiJBMjU2R0NNIiwia2lkIjoib3JnLmNyeXB0b21hdG9yLmh1Yi5zZXR1cENvZGUiLCJhbGciOiJQQkVTMi1IUzUxMitBMjU2S1ciLCJwMmMiOjEwMDAsInAycyI6ImVJcEZ6d204eUxpQmxkY3R0OFRZRncifQ.xmC_aS7q_9dGXa7m2Oss_iaG24VDH9GS4M6m_63T9ZuZvI2WK2XWTA.84MrANVkMNuFlY0p.NZl7miGsbIAIdNpZaFz3JCyYyMfC4rKe3ThT1j8Kg_LFIvLb0GzguU2towJAZcGpdgtUkbDvUrOVoTa1u6Izjh-U0M7beWUrqw6RjXb82PT1fwL0ySEGm8Na4gZ_hVoK4wxQDswmFNFP_Z8_RLVroo3w0KgEnI8QKzG8G6bJ-taqW5ZV8hn8-Zz4MndeBtB4YjsLPWa37Vdrae0KGKEOXfIPwOVX1nrFyIYxIB-hwJY5fPEXJ1lqzA9mhliMjg0VpMdqQsagHPm2XyKtxjkRrFh7e2vMkqcLoBY6pdGNpKzKOQ6aaRmX60zjTleqIOrxhYs.Yn1HgK5Ot3sEJ3qRVH6yagYsZ46MRrcUxd_jVz4eJTI';
 
       const result = await UserKeys.recover(encodedPublicKey, jwe, 'password');
 
@@ -66,7 +66,7 @@ describe('crypto', () => {
 
     it('recover() with incorrect password', async () => {
       const encodedPublicKey = 'MHYwEAYHKoZIzj0CAQYFK4EEACIDYgAESzrRXmyI8VWFJg1dPUNbFcc9jZvjZEfH7ulKI1UkXAltd7RGWrcfFxqyGPcwu6AQhHUag3OvDzEr0uUQND4PXHQTXP5IDGdYhJhL+WLKjnGjQAw0rNGy5V29+aV+yseW';
-      const jwe = 'eyJlbmMiOiJBMjU2R0NNIiwia2lkIjoib3JnLmNyeXB0b21hdG9yLmh1Yi5zZXR1cENvZGUiLCJhbGciOiJQQkVTMi1IUzUxMitBMjU2S1ciLCJwMmMiOjEwMDAwMDAsInAycyI6InJRV09pcl82VU9fMjE0eFJsQS02UEEifQ._cMSJto2fFJ9ixEmchid4VRAt-Al6GNVxjo114XdeJktm3WctXShSQ.kwOeIpnXmyZXt4n3.sYx6ZjCkkf8bXdHY-NGrZzG6hsd11Ze97cfuEay3glfJkOyKQgV7TURyKguJWrc-s7m67cq35uE9KUUB6SGLoUMs1ebmRx8emCxVBRjvia5e_gWnjCzIsS0Z3C67R8Tyvh1EadigRfE57HTrP7kJXV5zRf2L1OYOeI1QmmN44Cga2HW0B3zDOG3EXvN3tv3bMu83L3Css1_CZABWyPkrwOBt8LytzEeTWaV8SItdVolPUH9OmW7l0hS3dBMgS4haXlbLR0OxmL3Ag-tZ1G_WxLliWxLMUNAsqWOVzedkRhc9VichvD0KCZ8J5_O18sBPnMQ._2i2LUEV3T1nmY49oq7n_7EqADqAhnmzmTwLPWgqxOw';
+      const jwe = 'eyJlbmMiOiJBMjU2R0NNIiwia2lkIjoib3JnLmNyeXB0b21hdG9yLmh1Yi5zZXR1cENvZGUiLCJhbGciOiJQQkVTMi1IUzUxMitBMjU2S1ciLCJwMmMiOjEwMDAsInAycyI6ImVJcEZ6d204eUxpQmxkY3R0OFRZRncifQ.xmC_aS7q_9dGXa7m2Oss_iaG24VDH9GS4M6m_63T9ZuZvI2WK2XWTA.84MrANVkMNuFlY0p.NZl7miGsbIAIdNpZaFz3JCyYyMfC4rKe3ThT1j8Kg_LFIvLb0GzguU2towJAZcGpdgtUkbDvUrOVoTa1u6Izjh-U0M7beWUrqw6RjXb82PT1fwL0ySEGm8Na4gZ_hVoK4wxQDswmFNFP_Z8_RLVroo3w0KgEnI8QKzG8G6bJ-taqW5ZV8hn8-Zz4MndeBtB4YjsLPWa37Vdrae0KGKEOXfIPwOVX1nrFyIYxIB-hwJY5fPEXJ1lqzA9mhliMjg0VpMdqQsagHPm2XyKtxjkRrFh7e2vMkqcLoBY6pdGNpKzKOQ6aaRmX60zjTleqIOrxhYs.Yn1HgK5Ot3sEJ3qRVH6yagYsZ46MRrcUxd_jVz4eJTI';
 
       const attempt = UserKeys.recover(encodedPublicKey, jwe, 'wrong');
 
@@ -112,7 +112,7 @@ describe('crypto', () => {
       });
 
       it('encryptedPrivateKey() creates JWE', async () => {
-        const result = await userKeys.encryptedPrivateKey('password');
+        const result = await userKeys.encryptedPrivateKey('password', 1000);
 
         expect(result).to.be.a('string');
       });

From e4f9865107afc6e8d2a6e34532ba342a1a2f7f73 Mon Sep 17 00:00:00 2001
From: Sebastian Stenzel <sebastian.stenzel@skymatic.de>
Date: Fri, 10 May 2024 08:11:08 +0200
Subject: [PATCH 35/94] renamed files

---
 .../{uvf.ts => universalVaultFormat.ts}       |  0
 .../common/{vaultv8.ts => vaultFormat8.ts}    | 27 +++++++++---------
 .../components/ClaimVaultOwnershipDialog.vue  |  6 ++--
 frontend/src/components/CreateVault.vue       | 20 ++++++-------
 .../components/DisplayRecoveryKeyDialog.vue   |  4 +--
 .../src/components/RecoverVaultDialog.vue     |  8 +++---
 frontend/src/components/VaultDetails.vue      | 28 +++++++++----------
 ...f.spec.ts => universalVaultFormat.spec.ts} |  2 +-
 .../{vaultv8.spec.ts => vaultFormat8.spec.ts} | 26 ++++++++---------
 9 files changed, 60 insertions(+), 61 deletions(-)
 rename frontend/src/common/{uvf.ts => universalVaultFormat.ts} (100%)
 rename frontend/src/common/{vaultv8.ts => vaultFormat8.ts} (93%)
 rename frontend/test/common/{uvf.spec.ts => universalVaultFormat.spec.ts} (99%)
 rename frontend/test/common/{vaultv8.spec.ts => vaultFormat8.spec.ts} (84%)

diff --git a/frontend/src/common/uvf.ts b/frontend/src/common/universalVaultFormat.ts
similarity index 100%
rename from frontend/src/common/uvf.ts
rename to frontend/src/common/universalVaultFormat.ts
diff --git a/frontend/src/common/vaultv8.ts b/frontend/src/common/vaultFormat8.ts
similarity index 93%
rename from frontend/src/common/vaultv8.ts
rename to frontend/src/common/vaultFormat8.ts
index b17257c08..91d274da5 100644
--- a/frontend/src/common/vaultv8.ts
+++ b/frontend/src/common/vaultFormat8.ts
@@ -25,8 +25,7 @@ interface VaultConfigHeaderHub {
 }
 
 
-// TODO: rename to VaultFormat8Keys
-export class VaultKeys implements AccessTokenProducing, VaultTemplateProducing {
+export class VaultFormat8 implements AccessTokenProducing, VaultTemplateProducing {
   // in this browser application, this 512 bit key is used
   // as a hmac key to sign the vault config.
   // however when used by cryptomator, it gets split into
@@ -47,13 +46,13 @@ export class VaultKeys implements AccessTokenProducing, VaultTemplateProducing {
    * Creates a new masterkey
    * @returns A new masterkey
    */
-  public static async create(): Promise<VaultKeys> {
+  public static async create(): Promise<VaultFormat8> {
     const key = crypto.subtle.generateKey(
-      VaultKeys.MASTERKEY_KEY_DESIGNATION,
+      VaultFormat8.MASTERKEY_KEY_DESIGNATION,
       true,
       ['sign']
     );
-    return new VaultKeys(await key);
+    return new VaultFormat8(await key);
   }
 
 
@@ -63,13 +62,13 @@ export class VaultKeys implements AccessTokenProducing, VaultTemplateProducing {
    * @param userKeyPair The current user's key pair
    * @returns The masterkey
    */
-  public static async decryptWithUserKey(jwe: string, userKeyPair: UserKeys): Promise<VaultKeys> {
+  public static async decryptWithUserKey(jwe: string, userKeyPair: UserKeys): Promise<VaultFormat8> {
     let rawKey = new Uint8Array();
     try {
       const payload = await userKeyPair.decryptAccessToken(jwe);
       rawKey = base64.parse(payload.key);
-      const masterKey = crypto.subtle.importKey('raw', rawKey, VaultKeys.MASTERKEY_KEY_DESIGNATION, true, ['sign']);
-      return new VaultKeys(await masterKey);
+      const masterKey = crypto.subtle.importKey('raw', rawKey, VaultFormat8.MASTERKEY_KEY_DESIGNATION, true, ['sign']);
+      return new VaultFormat8(await masterKey);
     } finally {
       rawKey.fill(0x00);
     }
@@ -87,7 +86,7 @@ export class VaultKeys implements AccessTokenProducing, VaultTemplateProducing {
    * @throws WrongPasswordError, if the wrong password is used
    * @deprecated Only used during "claim vault ownership" workflow for legacy vaults
    */
-  public static async decryptWithAdminPassword(vaultAdminPassword: string, wrappedMasterkey: string, wrappedOwnerPrivateKey: string, ownerPublicKey: string, salt: string, iterations: number): Promise<[VaultKeys, CryptoKeyPair]> {
+  public static async decryptWithAdminPassword(vaultAdminPassword: string, wrappedMasterkey: string, wrappedOwnerPrivateKey: string, ownerPublicKey: string, salt: string, iterations: number): Promise<[VaultFormat8, CryptoKeyPair]> {
     // pbkdf2:
     const encodedPw = new TextEncoder().encode(vaultAdminPassword);
     const pwKey = crypto.subtle.importKey('raw', encodedPw, 'PBKDF2', false, ['deriveKey']);
@@ -113,7 +112,7 @@ export class VaultKeys implements AccessTokenProducing, VaultTemplateProducing {
         decodedMasterKey.slice(GCM_NONCE_LEN),
         await kek,
         { name: 'AES-GCM', iv: decodedMasterKey.slice(0, GCM_NONCE_LEN) },
-        VaultKeys.MASTERKEY_KEY_DESIGNATION,
+        VaultFormat8.MASTERKEY_KEY_DESIGNATION,
         true,
         ['sign']
       );
@@ -133,7 +132,7 @@ export class VaultKeys implements AccessTokenProducing, VaultTemplateProducing {
         true,
         ['verify']
       );
-      return [new VaultKeys(await masterkey), { privateKey: await privKey, publicKey: await pubKey }];
+      return [new VaultFormat8(await masterkey), { privateKey: await privKey, publicKey: await pubKey }];
     } catch (error) {
       throw new UnwrapKeyError(error);
     }
@@ -145,7 +144,7 @@ export class VaultKeys implements AccessTokenProducing, VaultTemplateProducing {
    * @returns The recovered master key
    * @throws Error, if passing a malformed recovery key
    */
-  public static async recover(recoveryKey: string): Promise<VaultKeys> {
+  public static async recover(recoveryKey: string): Promise<VaultFormat8> {
     // decode and check recovery key:
     const decoded = wordEncoder.decode(recoveryKey);
     if (decoded.length !== 66) {
@@ -162,11 +161,11 @@ export class VaultKeys implements AccessTokenProducing, VaultTemplateProducing {
     const key = crypto.subtle.importKey(
       'raw',
       decodedKey,
-      VaultKeys.MASTERKEY_KEY_DESIGNATION,
+      VaultFormat8.MASTERKEY_KEY_DESIGNATION,
       true,
       ['sign']
     );
-    return new VaultKeys(await key);
+    return new VaultFormat8(await key);
   }
 
   public async exportTemplate(vault: VaultDto): Promise<Blob> {
diff --git a/frontend/src/components/ClaimVaultOwnershipDialog.vue b/frontend/src/components/ClaimVaultOwnershipDialog.vue
index 2635e04e6..addb2f396 100644
--- a/frontend/src/components/ClaimVaultOwnershipDialog.vue
+++ b/frontend/src/components/ClaimVaultOwnershipDialog.vue
@@ -63,7 +63,7 @@ import { ref } from 'vue';
 import { useI18n } from 'vue-i18n';
 import { VaultDto } from '../common/backend';
 import { UnwrapKeyError } from '../common/crypto';
-import { VaultKeys } from '../common/vaultv8';
+import { VaultFormat8 } from '../common/vaultFormat8';
 
 class FormValidationFailedError extends Error {
   constructor() {
@@ -86,7 +86,7 @@ const props = defineProps<{
 
 const emit = defineEmits<{
   close: []
-  action: [vaultKeys: VaultKeys, ownerSigningKey: CryptoKeyPair]
+  action: [vaultKeys: VaultFormat8, ownerSigningKey: CryptoKeyPair]
 }>();
 
 defineExpose({
@@ -104,7 +104,7 @@ async function authenticateVaultAdmin() {
       throw new FormValidationFailedError();
     }
     if (props.vault.masterkey && props.vault.authPrivateKey && props.vault.authPublicKey && props.vault.salt && props.vault.iterations) {
-      const [vaultKeys, ownerKeyPair] = await VaultKeys.decryptWithAdminPassword(password.value, props.vault.masterkey, props.vault.authPrivateKey, props.vault.authPublicKey, props.vault.salt, props.vault.iterations);
+      const [vaultKeys, ownerKeyPair] = await VaultFormat8.decryptWithAdminPassword(password.value, props.vault.masterkey, props.vault.authPrivateKey, props.vault.authPublicKey, props.vault.salt, props.vault.iterations);
       emit('action', vaultKeys, ownerKeyPair);
       open.value = false;
     } else {
diff --git a/frontend/src/components/CreateVault.vue b/frontend/src/components/CreateVault.vue
index 545574a5a..73c8ff0ba 100644
--- a/frontend/src/components/CreateVault.vue
+++ b/frontend/src/components/CreateVault.vue
@@ -215,9 +215,9 @@ import { onMounted, ref } from 'vue';
 import { useI18n } from 'vue-i18n';
 import backend, { AccessGrant, PaymentRequiredError, VaultDto } from '../common/backend';
 import { VaultTemplateProducing } from '../common/crypto';
+import { UniversalVaultFormat } from '../common/universalVaultFormat';
 import { debounce } from '../common/util';
-import { UniversalVaultFormat } from '../common/uvf';
-import { VaultKeys } from '../common/vaultv8';
+import { VaultFormat8 } from '../common/vaultFormat8';
 
 enum State {
   Initial,
@@ -266,7 +266,7 @@ const vault = ref<VaultDto>({
 const copiedRecoveryKey = ref(false);
 const debouncedCopyFinish = debounce(() => copiedRecoveryKey.value = false, 2000);
 const confirmRecoveryKey = ref(false);
-const format8VaultKeys = ref<VaultKeys>();
+const vaultFormat8 = ref<VaultFormat8>();
 const recoveryKeyStr = ref<string>('');
 const uvfVault = ref<UniversalVaultFormat>();
 
@@ -282,8 +282,8 @@ async function initialize() {
   } else {
     switch (vaultType) {
       case VaultType.VaultFormat8:
-        format8VaultKeys.value = await VaultKeys.create();
-        recoveryKeyStr.value = await format8VaultKeys.value.createRecoveryKey();
+        vaultFormat8.value = await VaultFormat8.create();
+        recoveryKeyStr.value = await vaultFormat8.value.createRecoveryKey();
         break;
       case VaultType.UniversalVaultFormat:
         uvfVault.value = await UniversalVaultFormat.create({ enabled: false, maxWotDepth: 0 });
@@ -307,7 +307,7 @@ async function recoverVault() {
   onRecoverError.value = null;
   try {
     processing.value = true;
-    format8VaultKeys.value = await VaultKeys.recover(recoveryKeyStr.value);
+    vaultFormat8.value = await VaultFormat8.recover(recoveryKeyStr.value);
     state.value = State.EnterVaultDetails;
   } catch (error) {
     console.error('Recovering vault failed.', error);
@@ -341,10 +341,10 @@ async function createVault() {
     const ownerGrant: AccessGrant = { userId: owner.id, token: '' };
     switch (vaultType) {
       case VaultType.VaultFormat8: {
-        if (!format8VaultKeys.value) {
+        if (!vaultFormat8.value) {
           throw new Error('Invalid state');
         }
-        ownerGrant.token = await format8VaultKeys.value.encryptForUser(base64.parse(owner.publicKey));
+        ownerGrant.token = await vaultFormat8.value.encryptForUser(base64.parse(owner.publicKey));
         break;
       }
       case VaultType.UniversalVaultFormat: {
@@ -375,12 +375,12 @@ async function copyRecoveryKey() {
 }
 
 async function downloadVaultTemplate() {
-  if (!format8VaultKeys.value && !uvfVault.value) {
+  if (!vaultFormat8.value && !uvfVault.value) {
     throw new Error('Invalid state');
   }
   onDownloadTemplateError.value = null;
   try {
-    const templateProducer: VaultTemplateProducing = format8VaultKeys.value || uvfVault.value!;
+    const templateProducer: VaultTemplateProducing = vaultFormat8.value || uvfVault.value!;
     const blob = await templateProducer.exportTemplate(vault.value);
     if (blob != null) {
       saveAs(blob, `${vault.value.name}.zip`);
diff --git a/frontend/src/components/DisplayRecoveryKeyDialog.vue b/frontend/src/components/DisplayRecoveryKeyDialog.vue
index 401398b0f..8c0a328ba 100644
--- a/frontend/src/components/DisplayRecoveryKeyDialog.vue
+++ b/frontend/src/components/DisplayRecoveryKeyDialog.vue
@@ -70,7 +70,7 @@ import { ref } from 'vue';
 import { useI18n } from 'vue-i18n';
 import { VaultDto } from '../common/backend';
 import { debounce } from '../common/util';
-import { VaultKeys } from '../common/vaultv8';
+import { VaultFormat8 } from '../common/vaultFormat8';
 
 const { t } = useI18n({ useScope: 'global' });
 
@@ -81,7 +81,7 @@ const debouncedCopyFinish = debounce(() => copiedRecoveryKey.value = false, 2000
 
 const props = defineProps<{
   vault: VaultDto
-  vaultKeys: VaultKeys
+  vaultKeys: VaultFormat8
 }>();
 
 defineEmits<{
diff --git a/frontend/src/components/RecoverVaultDialog.vue b/frontend/src/components/RecoverVaultDialog.vue
index f4d201917..8b6699a62 100644
--- a/frontend/src/components/RecoverVaultDialog.vue
+++ b/frontend/src/components/RecoverVaultDialog.vue
@@ -56,7 +56,7 @@ import { base64 } from 'rfc4648';
 import { ref } from 'vue';
 import { useI18n } from 'vue-i18n';
 import backend, { UserDto, VaultDto } from '../common/backend';
-import { VaultKeys } from '../common/vaultv8';
+import { VaultFormat8 } from '../common/vaultFormat8';
 
 class FormValidationFailedError extends Error {
   constructor() {
@@ -103,10 +103,10 @@ async function recoverVault() {
   onVaultRecoverError.value = null;
   try {
     processingVaultRecovery.value = true;
-    const vaultKeys = await VaultKeys.recover(recoveryKey.value);
-    if (props.me.publicKey && vaultKeys) {
+    const vaultFormat8 = await VaultFormat8.recover(recoveryKey.value);
+    if (props.me.publicKey && vaultFormat8) {
       const publicKey = base64.parse(props.me.publicKey);
-      const jwe = await vaultKeys.encryptForUser(publicKey);
+      const jwe = await vaultFormat8.encryptForUser(publicKey);
       await backend.vaults.grantAccess(props.vault.id, { userId: props.me.id, token: jwe });
       emit('recovered');
       open.value = false;
diff --git a/frontend/src/components/VaultDetails.vue b/frontend/src/components/VaultDetails.vue
index f298e6f1d..bd3e21e99 100644
--- a/frontend/src/components/VaultDetails.vue
+++ b/frontend/src/components/VaultDetails.vue
@@ -154,7 +154,7 @@
           {{ t('vaultDetails.actions.downloadVaultTemplate') }}
         </button>
         <!-- displayRecoveryKey button (Vault Format 8 only) -->
-        <button v-if="vaultRole == 'OWNER' && vaultKeys" type="button" class="bg-white py-2 px-4 border border-gray-300 rounded-md shadow-sm text-sm font-medium text-gray-700 hover:bg-gray-50 focus:outline-none focus:ring-2 focus:ring-offset-2 focus:ring-primary" @click="showDisplayRecoveryKeyDialog()">
+        <button v-if="vaultRole == 'OWNER' && vaultFormat8" type="button" class="bg-white py-2 px-4 border border-gray-300 rounded-md shadow-sm text-sm font-medium text-gray-700 hover:bg-gray-50 focus:outline-none focus:ring-2 focus:ring-offset-2 focus:ring-primary" @click="showDisplayRecoveryKeyDialog()">
           {{ t('vaultDetails.actions.displayRecoveryKey') }}
         </button>
         <!-- TODO: regenerateRecoveryKey button (UVF only) -->
@@ -185,7 +185,7 @@
           {{ t('vaultDetails.actions.downloadVaultTemplate') }}
         </button>
         <!-- displayRecoveryKey button (Vault Format 8 only) -->
-        <button v-if="vaultRole == 'OWNER' && vaultKeys" type="button" class="bg-white py-2 px-4 border border-gray-300 rounded-md shadow-sm text-sm font-medium text-gray-700 hover:bg-gray-50 focus:outline-none focus:ring-2 focus:ring-offset-2 focus:ring-primary" @click="showDisplayRecoveryKeyDialog()">
+        <button v-if="vaultRole == 'OWNER' && vaultFormat8" type="button" class="bg-white py-2 px-4 border border-gray-300 rounded-md shadow-sm text-sm font-medium text-gray-700 hover:bg-gray-50 focus:outline-none focus:ring-2 focus:ring-offset-2 focus:ring-primary" @click="showDisplayRecoveryKeyDialog()">
           {{ t('vaultDetails.actions.displayRecoveryKey') }}
         </button>
         <!-- TODO: regenerateRecoveryKey button (UVF only) -->
@@ -201,10 +201,10 @@
   </div>
 
   <ClaimVaultOwnershipDialog v-if="claimingVaultOwnership && vault" ref="claimVaultOwnershipDialog" :vault="vault" @action="provedOwnership" @close="claimingVaultOwnership = false" />
-  <GrantPermissionDialog v-if="grantingPermission && vault && (vaultKeys || uvfVault)" ref="grantPermissionDialog" :vault="vault" :users="usersRequiringAccessGrant" :vault-keys="(vaultKeys || uvfVault)!" @close="grantingPermission = false" @permission-granted="permissionGranted()" />
+  <GrantPermissionDialog v-if="grantingPermission && vault && (vaultFormat8 || uvfVault)" ref="grantPermissionDialog" :vault="vault" :users="usersRequiringAccessGrant" :vault-keys="(vaultFormat8 || uvfVault)!" @close="grantingPermission = false" @permission-granted="permissionGranted()" />
   <EditVaultMetadataDialog v-if="editingVaultMetadata && vault" ref="editVaultMetadataDialog" :vault="vault" @close="editingVaultMetadata = false" @updated="v => refreshVault(v)" />
-  <DownloadVaultTemplateDialog v-if="downloadingVaultTemplate && vault && (vaultKeys || uvfVault)" ref="downloadVaultTemplateDialog" :vault="vault" :vault-keys="(vaultKeys || uvfVault)!" @close="downloadingVaultTemplate = false" />
-  <DisplayRecoveryKeyDialog v-if="displayingRecoveryKey && vault && vaultKeys" ref="displayRecoveryKeyDialog" :vault="vault" :vault-keys="vaultKeys" @close="displayingRecoveryKey = false" />
+  <DownloadVaultTemplateDialog v-if="downloadingVaultTemplate && vault && (vaultFormat8 || uvfVault)" ref="downloadVaultTemplateDialog" :vault="vault" :vault-keys="(vaultFormat8 || uvfVault)!" @close="downloadingVaultTemplate = false" />
+  <DisplayRecoveryKeyDialog v-if="displayingRecoveryKey && vault && vaultFormat8" ref="displayRecoveryKeyDialog" :vault="vault" :vault-keys="vaultFormat8" @close="displayingRecoveryKey = false" />
   <ArchiveVaultDialog v-if="archivingVault && vault" ref="archiveVaultDialog" :vault="vault" @close="archivingVault = false" @archived="v => refreshVault(v)" />
   <ReactivateVaultDialog v-if="reactivatingVault && vault" ref="reactivateVaultDialog" :vault="vault" @close="reactivatingVault = false" @reactivated="v => { refreshVault(v); refreshLicense();}" />
   <RecoverVaultDialog v-if="recoveringVault && vault && me" ref="recoverVaultDialog" :vault="vault" :me="me" @close="recoveringVault = false" @recovered="fetchOwnerData()" />
@@ -221,8 +221,8 @@ import auth from '../common/auth';
 import backend, { AuthorityDto, ConflictError, ForbiddenError, LicenseUserInfoDto, MemberDto, NotFoundError, PaymentRequiredError, UserDto, VaultDto, VaultRole } from '../common/backend';
 import { BrowserKeys, UserKeys } from '../common/crypto';
 import { JWT, JWTHeader } from '../common/jwt';
-import { UniversalVaultFormat } from '../common/uvf';
-import { VaultKeys } from '../common/vaultv8';
+import { UniversalVaultFormat } from '../common/universalVaultFormat';
+import { VaultFormat8 } from '../common/vaultFormat8';
 import ArchiveVaultDialog from './ArchiveVaultDialog.vue';
 import ClaimVaultOwnershipDialog from './ClaimVaultOwnershipDialog.vue';
 import DisplayRecoveryKeyDialog from './DisplayRecoveryKeyDialog.vue';
@@ -269,7 +269,7 @@ const reactivateVaultDialog = ref<typeof ReactivateVaultDialog>();
 const recoveringVault = ref(false);
 const recoverVaultDialog = ref<typeof RecoverVaultDialog>();
 const vault = ref<VaultDto>();
-const vaultKeys = ref<VaultKeys>();
+const vaultFormat8 = ref<VaultFormat8>();
 const uvfVault = ref<UniversalVaultFormat>();
 const members = ref<Map<string, MemberDto>>(new Map());
 const usersRequiringAccessGrant = ref<UserDto[]>([]);
@@ -311,9 +311,9 @@ async function fetchOwnerData() {
     vaultRecoveryRequired.value = false;
     const accessToken = await backend.vaults.accessToken(props.vaultId, true);
     if (vault.value.uvfMetadataFile) {
-      uvfVault.value = await loadUvfVault(accessToken);
+      uvfVault.value = await loadUvfMetadata(accessToken);
     } else {
-      vaultKeys.value = await loadVaultKeys(accessToken);
+      vaultFormat8.value = await loadVaultFormat8Keys(accessToken);
     }
   } catch (error) {
     if (error instanceof ForbiddenError) {
@@ -328,7 +328,7 @@ async function fetchOwnerData() {
   }
 }
 
-async function loadVaultKeys(vaultKeyJwe: string): Promise<VaultKeys> {
+async function loadVaultFormat8Keys(vaultKeyJwe: string): Promise<VaultFormat8> {
   if (!me.value || !me.value.publicKey) {
     throw new Error('User not initialized.');
   }
@@ -342,10 +342,10 @@ async function loadVaultKeys(vaultKeyJwe: string): Promise<VaultKeys> {
     throw new Error('Device not initialized.');
   }
   const userKeys = await UserKeys.decryptOnBrowser(myDevice.userPrivateKey, browserKeys.keyPair.privateKey, base64.parse(me.value.publicKey));
-  return VaultKeys.decryptWithUserKey(vaultKeyJwe, userKeys);
+  return VaultFormat8.decryptWithUserKey(vaultKeyJwe, userKeys);
 }
 
-async function loadUvfVault(accessToken: string): Promise<UniversalVaultFormat> {
+async function loadUvfMetadata(accessToken: string): Promise<UniversalVaultFormat> {
   if (!vault.value || !vault.value.uvfMetadataFile) {
     throw new Error('Vault not initialized.');
   }
@@ -365,7 +365,7 @@ async function loadUvfVault(accessToken: string): Promise<UniversalVaultFormat>
   return UniversalVaultFormat.decrypt(vault.value, accessToken, userKeys);
 }
 
-async function provedOwnership(keys: VaultKeys, ownerKeyPair: CryptoKeyPair) {
+async function provedOwnership(keys: VaultFormat8, ownerKeyPair: CryptoKeyPair) {
   if (!me.value || !me.value.publicKey) {
     throw new Error('User not initialized.');
   }
diff --git a/frontend/test/common/uvf.spec.ts b/frontend/test/common/universalVaultFormat.spec.ts
similarity index 99%
rename from frontend/test/common/uvf.spec.ts
rename to frontend/test/common/universalVaultFormat.spec.ts
index 001f465e5..f7af13039 100644
--- a/frontend/test/common/uvf.spec.ts
+++ b/frontend/test/common/universalVaultFormat.spec.ts
@@ -3,7 +3,7 @@ import chaiAsPromised from 'chai-as-promised';
 import { before, describe } from 'mocha';
 import { VaultDto } from '../../src/common/backend';
 import { UserKeys } from '../../src/common/crypto';
-import { MemberKey, RecoveryKey, UniversalVaultFormat, VaultMetadata } from '../../src/common/uvf';
+import { MemberKey, RecoveryKey, UniversalVaultFormat, VaultMetadata } from '../../src/common/universalVaultFormat';
 
 chaiUse(chaiAsPromised);
 
diff --git a/frontend/test/common/vaultv8.spec.ts b/frontend/test/common/vaultFormat8.spec.ts
similarity index 84%
rename from frontend/test/common/vaultv8.spec.ts
rename to frontend/test/common/vaultFormat8.spec.ts
index f45b2c77d..c309684cf 100644
--- a/frontend/test/common/vaultv8.spec.ts
+++ b/frontend/test/common/vaultFormat8.spec.ts
@@ -3,7 +3,7 @@ import chaiAsPromised from 'chai-as-promised';
 import { before, describe } from 'mocha';
 import { base64 } from 'rfc4648';
 import { UnwrapKeyError } from '../../src/common/crypto';
-import { VaultKeys } from '../../src/common/vaultv8';
+import { VaultFormat8 } from '../../src/common/vaultFormat8';
 
 chaiUse(chaiAsPromised);
 
@@ -16,9 +16,9 @@ describe('Vault Format 8', () => {
     global.window = { crypto: global.crypto };
   });
 
-  describe('VaultKeys', () => {
+  describe('VaultFormat8', () => {
     it('create()', async () => {
-      const orig = await VaultKeys.create();
+      const orig = await VaultFormat8.create();
 
       expect(orig).to.be.not.null;
     });
@@ -30,7 +30,7 @@ describe('Vault Format 8', () => {
         investor boot depth left theory snow whereby terminal weekly reject happiness circuit partial cup ad
         `;
 
-      const recovered = await VaultKeys.recover(recoveryKey);
+      const recovered = await VaultFormat8.recover(recoveryKey);
 
       const newMasterKey = await crypto.subtle.exportKey('jwk', recovered.masterKey);
       expect(newMasterKey).to.deep.include({
@@ -39,10 +39,10 @@ describe('Vault Format 8', () => {
     });
 
     it('recover() fails for invalid recovery key', async () => {
-      const noMultipleOfTwo = VaultKeys.recover('pathway');
-      const notInDict = VaultKeys.recover('hallo bonjour');
-      const wrongLength = VaultKeys.recover('pathway lift');
-      const invalidCrc = VaultKeys.recover(`
+      const noMultipleOfTwo = VaultFormat8.recover('pathway');
+      const notInDict = VaultFormat8.recover('hallo bonjour');
+      const wrongLength = VaultFormat8.recover('pathway lift');
+      const invalidCrc = VaultFormat8.recover(`
         pathway lift abuse plenty export texture gentleman landscape beyond ceiling around leaf cafe charity 
         border breakdown victory surely computer cat linger restrict infer crowd live computer true written amazed 
         investor boot depth left theory snow whereby terminal weekly reject happiness circuit partial cup wrong
@@ -66,15 +66,15 @@ describe('Vault Format 8', () => {
       };
 
       it('decryptWithAdminPassword() with wrong pw', () => {
-        return expect(VaultKeys.decryptWithAdminPassword('wrong', wrapped.wrappedMasterkey, wrapped.wrappedOwnerPrivateKey, wrapped.ownerPublicKey, wrapped.salt, wrapped.iterations)).to.eventually.be.rejectedWith(UnwrapKeyError);
+        return expect(VaultFormat8.decryptWithAdminPassword('wrong', wrapped.wrappedMasterkey, wrapped.wrappedOwnerPrivateKey, wrapped.ownerPublicKey, wrapped.salt, wrapped.iterations)).to.eventually.be.rejectedWith(UnwrapKeyError);
       });
       it('decryptWithAdminPassword() with correct pw', () => {
-        return expect(VaultKeys.decryptWithAdminPassword('pass', wrapped.wrappedMasterkey, wrapped.wrappedOwnerPrivateKey, wrapped.ownerPublicKey, wrapped.salt, wrapped.iterations)).to.eventually.be.fulfilled;
+        return expect(VaultFormat8.decryptWithAdminPassword('pass', wrapped.wrappedMasterkey, wrapped.wrappedOwnerPrivateKey, wrapped.ownerPublicKey, wrapped.salt, wrapped.iterations)).to.eventually.be.fulfilled;
       });
     });
 
     describe('After creating new key material', () => {
-      let vaultKeys: VaultKeys;
+      let vaultKeys: VaultFormat8;
 
       beforeEach(async () => {
         vaultKeys = await TestVaultKeys.create();
@@ -100,7 +100,7 @@ describe('Vault Format 8', () => {
           recoveryKey = await vaultKeys.createRecoveryKey();
         });
         it('recover() imports original key', async () => {
-          const recovered = await VaultKeys.recover(recoveryKey);
+          const recovered = await VaultFormat8.recover(recoveryKey);
 
           const oldMasterKey = await crypto.subtle.exportKey('jwk', vaultKeys.masterKey);
           const newMasterKey = await crypto.subtle.exportKey('jwk', recovered.masterKey);
@@ -129,7 +129,7 @@ describe('Vault Format 8', () => {
 
 /* ---------- MOCKS ---------- */
 
-class TestVaultKeys extends VaultKeys {
+class TestVaultKeys extends VaultFormat8 {
   constructor(masterKey: CryptoKey) {
     super(masterKey);
   }

From e27d20a91dac6aede5d044105238f3c870679be4 Mon Sep 17 00:00:00 2001
From: Sebastian Stenzel <sebastian.stenzel@skymatic.de>
Date: Fri, 10 May 2024 08:34:47 +0200
Subject: [PATCH 36/94] clean up tests

---
 .../test/common/universalVaultFormat.spec.ts  |  22 +--
 frontend/test/common/vaultFormat8.spec.ts     | 183 ++++++++++--------
 2 files changed, 103 insertions(+), 102 deletions(-)

diff --git a/frontend/test/common/universalVaultFormat.spec.ts b/frontend/test/common/universalVaultFormat.spec.ts
index f7af13039..3be1ad5f5 100644
--- a/frontend/test/common/universalVaultFormat.spec.ts
+++ b/frontend/test/common/universalVaultFormat.spec.ts
@@ -20,23 +20,21 @@ const alicePrivate: JsonWebKey = {
 };
 
 describe('UVF', () => {
+  let alice: UserKeys;
 
   before(async () => {
     // since this test runs on Node, we need to replace window.crypto:
     Object.defineProperty(global, 'crypto', { value: require('node:crypto').webcrypto });
     // @ts-ignore: global not defined (but will be available within Node)
     global.window = { crypto: global.crypto };
+
+    // prepare some test key pairs:
+    const alicePrv = crypto.subtle.importKey('jwk', alicePrivate, UserKeys.KEY_DESIGNATION, true, UserKeys.KEY_USAGES);
+    const alicePub = crypto.subtle.importKey('jwk', alicePublic, UserKeys.KEY_DESIGNATION, true, []);
+    alice = new TestUserKeys({ privateKey: await alicePrv, publicKey: await alicePub });
   });
 
   describe('MemberKey', () => {
-    let alice: UserKeys;
-
-    before(async () => {
-      // prepare some test key pairs:
-      const alicePrv = crypto.subtle.importKey('jwk', alicePrivate, UserKeys.KEY_DESIGNATION, true, UserKeys.KEY_USAGES);
-      const alicePub = crypto.subtle.importKey('jwk', alicePublic, UserKeys.KEY_DESIGNATION, true, []);
-      alice = new TestUserKeys({ privateKey: await alicePrv, publicKey: await alicePub });
-    });
 
     it('serializeKey()', async () => {
       const memberKey = await TestMemberKey.create();
@@ -122,14 +120,6 @@ describe('UVF', () => {
   });
 
   describe('UniversalVaultFormat', () => {
-    let alice: UserKeys;
-
-    beforeEach(async () => {
-      // prepare some test key pairs:
-      const alicePrv = await crypto.subtle.importKey('jwk', alicePrivate, RecoveryKey.KEY_DESIGNATION, true, RecoveryKey.KEY_USAGES);
-      const alicePub = await crypto.subtle.importKey('jwk', alicePublic, RecoveryKey.KEY_DESIGNATION, true, []);
-      alice = new TestUserKeys({ privateKey: alicePrv, publicKey: alicePub });
-    });
 
     it('create()', async () => {
       const uvf = await UniversalVaultFormat.create({ enabled: true, maxWotDepth: -1 });
diff --git a/frontend/test/common/vaultFormat8.spec.ts b/frontend/test/common/vaultFormat8.spec.ts
index c309684cf..c4658ab9d 100644
--- a/frontend/test/common/vaultFormat8.spec.ts
+++ b/frontend/test/common/vaultFormat8.spec.ts
@@ -1,133 +1,136 @@
 import { use as chaiUse, expect } from 'chai';
 import chaiAsPromised from 'chai-as-promised';
 import { before, describe } from 'mocha';
-import { base64 } from 'rfc4648';
-import { UnwrapKeyError } from '../../src/common/crypto';
+import { UnwrapKeyError, UserKeys } from '../../src/common/crypto';
 import { VaultFormat8 } from '../../src/common/vaultFormat8';
 
 chaiUse(chaiAsPromised);
 
+// key coordinates from MDN examples:
+const alicePublic: JsonWebKey = {
+  kty: 'EC',
+  crv: 'P-384',
+  x: 'SzrRXmyI8VWFJg1dPUNbFcc9jZvjZEfH7ulKI1UkXAltd7RGWrcfFxqyGPcwu6AQ',
+  y: 'hHUag3OvDzEr0uUQND4PXHQTXP5IDGdYhJhL-WLKjnGjQAw0rNGy5V29-aV-yseW'
+};
+const alicePrivate: JsonWebKey = {
+  ...alicePublic,
+  d: 'wouCtU7Nw4E8_7n5C1-xBjB4xqSb_liZhYMsy8MGgxUny6Q8NCoH9xSiviwLFfK_',
+};
+
 describe('Vault Format 8', () => {
+  let testVault: VaultFormat8;
+  let alice: UserKeys;
 
   before(async () => {
     // since this test runs on Node, we need to replace window.crypto:
     Object.defineProperty(global, 'crypto', { value: require('node:crypto').webcrypto });
     // @ts-ignore: we only need a subset of the properties available in global.window
     global.window = { crypto: global.crypto };
-  });
 
-  describe('VaultFormat8', () => {
-    it('create()', async () => {
-      const orig = await VaultFormat8.create();
+    // prepare test vault with hard-coded symmetric key:
+    testVault = await TestVaultKeys.create();
 
-      expect(orig).to.be.not.null;
-    });
+    // prepare some test key pairs:
+    const alicePrv = crypto.subtle.importKey('jwk', alicePrivate, UserKeys.KEY_DESIGNATION, true, UserKeys.KEY_USAGES);
+    const alicePub = crypto.subtle.importKey('jwk', alicePublic, UserKeys.KEY_DESIGNATION, true, []);
+    alice = new TestUserKeys({ privateKey: await alicePrv, publicKey: await alicePub });
+  });
 
-    it('recover() succeeds for valid key', async () => {
-      let recoveryKey = `
-        pathway lift abuse plenty export texture gentleman landscape beyond ceiling around leaf cafe charity
-        border breakdown victory surely computer cat linger restrict infer crowd live computer true written amazed
-        investor boot depth left theory snow whereby terminal weekly reject happiness circuit partial cup ad
-        `;
+  it('create()', async () => {
+    const orig = await VaultFormat8.create();
 
-      const recovered = await VaultFormat8.recover(recoveryKey);
+    expect(orig).to.be.not.null;
+  });
 
-      const newMasterKey = await crypto.subtle.exportKey('jwk', recovered.masterKey);
-      expect(newMasterKey).to.deep.include({
-        'k': 'uwHiVreDbmv47K7oZzlwZbHcEql2Z29brbgFxKA7i54pXVPoHoxKK5rzZS3VEhPxHegQKCwa5Mk4ep7OsYutAw'
-      });
-    });
+  it('recover() succeeds for valid actual key', async () => {
+    let recoveryKey = `
+      pathway lift abuse plenty export texture gentleman landscape beyond ceiling around leaf cafe charity
+      border breakdown victory surely computer cat linger restrict infer crowd live computer true written amazed
+      investor boot depth left theory snow whereby terminal weekly reject happiness circuit partial cup ad
+      `;
 
-    it('recover() fails for invalid recovery key', async () => {
-      const noMultipleOfTwo = VaultFormat8.recover('pathway');
-      const notInDict = VaultFormat8.recover('hallo bonjour');
-      const wrongLength = VaultFormat8.recover('pathway lift');
-      const invalidCrc = VaultFormat8.recover(`
-        pathway lift abuse plenty export texture gentleman landscape beyond ceiling around leaf cafe charity 
-        border breakdown victory surely computer cat linger restrict infer crowd live computer true written amazed 
-        investor boot depth left theory snow whereby terminal weekly reject happiness circuit partial cup wrong
-        `);
-
-      return Promise.all([
-        expect(noMultipleOfTwo).to.be.rejectedWith(Error, /input needs to be a multiple of two words/),
-        expect(notInDict).to.be.rejectedWith(Error, /Word not in dictionary/),
-        expect(wrongLength).to.be.rejectedWith(Error, /Invalid recovery key length/),
-        expect(invalidCrc).to.be.rejectedWith(Error, /Invalid recovery key checksum/),
-      ]);
-    });
+    const recovered = await VaultFormat8.recover(recoveryKey);
 
-    describe('Prove Vault Ownership using Vault Admin Password', () => {
-      const wrapped = {
-        wrappedMasterkey: 'CMPyJiiOQXBZ8FVvFZs6UOh0kW83+eALeK3bwXfFF2CWsguJZIgCJch94liWCh9xTqW84LUZPyo6IDWbSALqbbdiwDcztT8M81/pgadhTETVtHO5Q1CFNLJ9UvY=',
-        wrappedOwnerPrivateKey: 'O9snY73/eVElnWRLgM404KH7WwO/Ed30Y0UrQQw6x3vxOdroJcjvPdJeSqLD2x4lVP7ceTjVt3IT2N9Mx+jhUQzqrb1E2EvEYlXrTaID1jSdBXZ6ScrI1RvU0iH9cfXf2cRy2x8QZvJyVMr34gLJ3Di/XGrnc/BrOm+aF2K4F9FJXvJFen3CnAs9ewB3Vk0A1wRLX3hW/Wx7eXt/0i1gxB8T/NcLu7xIU3+uusTHh9uajFkA5+z1+JgNHURaa1bT8j5WTtNWIHYT/sw+erMn6S0Uj1vL',
-        ownerPublicKey: 'MHYwEAYHKoZIzj0CAQYFK4EEACIDYgAESzrRXmyI8VWFJg1dPUNbFcc9jZvjZEfH7ulKI1UkXAltd7RGWrcfFxqyGPcwu6AQhHUag3OvDzEr0uUQND4PXHQTXP5IDGdYhJhL+WLKjnGjQAw0rNGy5V29+aV+yseW',
-        salt: 'IdXyKICznXKm41gSb5OqfQ',
-        iterations: 1
-      };
-
-      it('decryptWithAdminPassword() with wrong pw', () => {
-        return expect(VaultFormat8.decryptWithAdminPassword('wrong', wrapped.wrappedMasterkey, wrapped.wrappedOwnerPrivateKey, wrapped.ownerPublicKey, wrapped.salt, wrapped.iterations)).to.eventually.be.rejectedWith(UnwrapKeyError);
-      });
-      it('decryptWithAdminPassword() with correct pw', () => {
-        return expect(VaultFormat8.decryptWithAdminPassword('pass', wrapped.wrappedMasterkey, wrapped.wrappedOwnerPrivateKey, wrapped.ownerPublicKey, wrapped.salt, wrapped.iterations)).to.eventually.be.fulfilled;
-      });
-    });
+    const newMasterKey = await crypto.subtle.exportKey('jwk', recovered.masterKey);
+    expect(newMasterKey.k).to.eq('uwHiVreDbmv47K7oZzlwZbHcEql2Z29brbgFxKA7i54pXVPoHoxKK5rzZS3VEhPxHegQKCwa5Mk4ep7OsYutAw');
+  });
 
-    describe('After creating new key material', () => {
-      let vaultKeys: VaultFormat8;
+  it('recover() succeeds for valid test key', async () => {
+    let recoveryKey = `
+      water water water water water water water water water water water water water water water water water
+      water water water water asset partly partly partly partly partly partly partly partly partly partly
+      partly partly partly partly partly partly partly partly partly partly option twist
+      `;
 
-      beforeEach(async () => {
-        vaultKeys = await TestVaultKeys.create();
-      });
+    const recovered = await VaultFormat8.recover(recoveryKey);
 
-      it('encryptForUser()', async () => {
-        const userKey = base64.parse('MHYwEAYHKoZIzj0CAQYFK4EEACIDYgAERxQR+NRN6Wga01370uBBzr2NHDbKIC56tPUEq2HX64RhITGhii8Zzbkb1HnRmdF0aq6uqmUy4jUhuxnKxsv59A6JeK7Unn+mpmm3pQAygjoGc9wrvoH4HWJSQYUlsXDu');
+    const recoveredKey = await crypto.subtle.exportKey('jwk', recovered.masterKey);
+    expect(recoveredKey.k).to.eq('VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3dw');
+  });
 
-        const encrypted = await vaultKeys.encryptForUser(userKey);
-        expect(encrypted).to.be.not.null;
-      });
+  it('recover() fails for invalid recovery key', async () => {
+    const noMultipleOfTwo = VaultFormat8.recover('pathway');
+    const notInDict = VaultFormat8.recover('hallo bonjour');
+    const wrongLength = VaultFormat8.recover('pathway lift');
+    const invalidCrc = VaultFormat8.recover(`
+      pathway lift abuse plenty export texture gentleman landscape beyond ceiling around leaf cafe charity 
+      border breakdown victory surely computer cat linger restrict infer crowd live computer true written amazed 
+      investor boot depth left theory snow whereby terminal weekly reject happiness circuit partial cup wrong
+      `);
+
+    return Promise.all([
+      expect(noMultipleOfTwo).to.be.rejectedWith(Error, /input needs to be a multiple of two words/),
+      expect(notInDict).to.be.rejectedWith(Error, /Word not in dictionary/),
+      expect(wrongLength).to.be.rejectedWith(Error, /Invalid recovery key length/),
+      expect(invalidCrc).to.be.rejectedWith(Error, /Invalid recovery key checksum/),
+    ]);
+  });
 
-      it('createRecoveryKey()', async () => {
-        const recoveryKey = await vaultKeys.createRecoveryKey();
+  it('encryptForUser()', async () => {
+    const encrypted = await testVault.encryptForUser(alice.keyPair.publicKey);
 
-        expect(recoveryKey).to.eql('water water water water water water water water water water water water water water water water water water water water water asset partly partly partly partly partly partly partly partly partly partly partly partly partly partly partly partly partly partly partly partly option twist');
-      });
+    expect(encrypted).to.be.not.null;
+  });
 
-      describe('After creating a valid recovery key', () => {
-        let recoveryKey: string;
+  it('createRecoveryKey()', async () => {
+    const recoveryKey = await testVault.createRecoveryKey();
 
-        beforeEach(async () => {
-          recoveryKey = await vaultKeys.createRecoveryKey();
-        });
-        it('recover() imports original key', async () => {
-          const recovered = await VaultFormat8.recover(recoveryKey);
+    expect(recoveryKey).to.eql('water water water water water water water water water water water water water water water water water water water water water asset partly partly partly partly partly partly partly partly partly partly partly partly partly partly partly partly partly partly partly partly option twist');
+  });
+
+  describe('Prove Vault Ownership using Vault Admin Password', () => {
+    const wrapped = {
+      wrappedMasterkey: 'CMPyJiiOQXBZ8FVvFZs6UOh0kW83+eALeK3bwXfFF2CWsguJZIgCJch94liWCh9xTqW84LUZPyo6IDWbSALqbbdiwDcztT8M81/pgadhTETVtHO5Q1CFNLJ9UvY=',
+      wrappedOwnerPrivateKey: 'O9snY73/eVElnWRLgM404KH7WwO/Ed30Y0UrQQw6x3vxOdroJcjvPdJeSqLD2x4lVP7ceTjVt3IT2N9Mx+jhUQzqrb1E2EvEYlXrTaID1jSdBXZ6ScrI1RvU0iH9cfXf2cRy2x8QZvJyVMr34gLJ3Di/XGrnc/BrOm+aF2K4F9FJXvJFen3CnAs9ewB3Vk0A1wRLX3hW/Wx7eXt/0i1gxB8T/NcLu7xIU3+uusTHh9uajFkA5+z1+JgNHURaa1bT8j5WTtNWIHYT/sw+erMn6S0Uj1vL',
+      ownerPublicKey: 'MHYwEAYHKoZIzj0CAQYFK4EEACIDYgAESzrRXmyI8VWFJg1dPUNbFcc9jZvjZEfH7ulKI1UkXAltd7RGWrcfFxqyGPcwu6AQhHUag3OvDzEr0uUQND4PXHQTXP5IDGdYhJhL+WLKjnGjQAw0rNGy5V29+aV+yseW',
+      salt: 'IdXyKICznXKm41gSb5OqfQ',
+      iterations: 1
+    };
+
+    it('decryptWithAdminPassword() fails with wrong pw', () => {
+      return expect(VaultFormat8.decryptWithAdminPassword('wrong', wrapped.wrappedMasterkey, wrapped.wrappedOwnerPrivateKey, wrapped.ownerPublicKey, wrapped.salt, wrapped.iterations)).to.eventually.be.rejectedWith(UnwrapKeyError);
+    });
 
-          const oldMasterKey = await crypto.subtle.exportKey('jwk', vaultKeys.masterKey);
-          const newMasterKey = await crypto.subtle.exportKey('jwk', recovered.masterKey);
-          expect(newMasterKey).to.deep.include({
-            'k': oldMasterKey.k
-          });
-        });
-      });
+    it('decryptWithAdminPassword() succeeds with correct pw', () => {
+      return expect(VaultFormat8.decryptWithAdminPassword('pass', wrapped.wrappedMasterkey, wrapped.wrappedOwnerPrivateKey, wrapped.ownerPublicKey, wrapped.salt, wrapped.iterations)).to.eventually.be.fulfilled;
     });
   });
 
   describe('Hash directory id', () => {
     it('root directory', async () => {
-      const vaultKeys = await TestVaultKeys.create();
-      const result = await vaultKeys.hashDirectoryId('');
+      const result = await testVault.hashDirectoryId('');
       expect(result).to.eql('VLWEHT553J5DR7OZLRJAYDIWFCXZABOD');
     });
 
     it('specific directory', async () => {
-      const vaultKeys = await TestVaultKeys.create();
-      const result = await vaultKeys.hashDirectoryId('918acfbd-a467-3f77-93f1-f4a44f9cfe9c');
+      const result = await testVault.hashDirectoryId('918acfbd-a467-3f77-93f1-f4a44f9cfe9c');
       expect(result).to.eql('7C3USOO3VU7IVQRKFMRFV3QE4VEZJECV');
     });
   });
 });
 
-/* ---------- MOCKS ---------- */
+// #region Mocks
 
 class TestVaultKeys extends VaultFormat8 {
   constructor(masterKey: CryptoKey) {
@@ -152,3 +155,11 @@ class TestVaultKeys extends VaultFormat8 {
     return new TestVaultKeys(key);
   }
 }
+
+class TestUserKeys extends UserKeys {
+  public constructor(keyPair: CryptoKeyPair) {
+    super(keyPair);
+  }
+}
+
+// #endregion

From 657598a028f35d364423ec855f66fe11097c8577 Mon Sep 17 00:00:00 2001
From: Sebastian Stenzel <sebastian.stenzel@skymatic.de>
Date: Fri, 10 May 2024 08:38:26 +0200
Subject: [PATCH 37/94] fix uneffective test

---
 frontend/test/common/universalVaultFormat.spec.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/frontend/test/common/universalVaultFormat.spec.ts b/frontend/test/common/universalVaultFormat.spec.ts
index 3be1ad5f5..b6e85030f 100644
--- a/frontend/test/common/universalVaultFormat.spec.ts
+++ b/frontend/test/common/universalVaultFormat.spec.ts
@@ -51,7 +51,7 @@ describe('UVF', () => {
       const decrypted = await MemberKey.load(payload.key);
 
       expect(decrypted).to.be.not.null;
-      expect(decrypted.serializeKey()).to.eventually.eq('VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVU=');
+      return expect(decrypted.serializeKey()).to.eventually.eq('VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVU=');
     });
   });
 

From 88a95eb66f3bf1143f33972a66370aa4d8fbdff0 Mon Sep 17 00:00:00 2001
From: Sebastian Stenzel <sebastian.stenzel@skymatic.de>
Date: Fri, 10 May 2024 09:13:52 +0200
Subject: [PATCH 38/94] clean up test

---
 .../test/common/universalVaultFormat.spec.ts  | 55 +++++++++++++------
 1 file changed, 39 insertions(+), 16 deletions(-)

diff --git a/frontend/test/common/universalVaultFormat.spec.ts b/frontend/test/common/universalVaultFormat.spec.ts
index b6e85030f..33584a066 100644
--- a/frontend/test/common/universalVaultFormat.spec.ts
+++ b/frontend/test/common/universalVaultFormat.spec.ts
@@ -1,11 +1,14 @@
 import { use as chaiUse, expect } from 'chai';
 import chaiAsPromised from 'chai-as-promised';
+import chaiBytes from 'chai-bytes';
 import { before, describe } from 'mocha';
+import { base64 } from 'rfc4648';
 import { VaultDto } from '../../src/common/backend';
 import { UserKeys } from '../../src/common/crypto';
 import { MemberKey, RecoveryKey, UniversalVaultFormat, VaultMetadata } from '../../src/common/universalVaultFormat';
 
 chaiUse(chaiAsPromised);
+chaiUse(chaiBytes);
 
 // key coordinates from MDN examples:
 const alicePublic: JsonWebKey = {
@@ -56,30 +59,46 @@ describe('UVF', () => {
   });
 
   describe('VaultMetadata', () => {
-    // TODO review @sebi what else should we test?
-    it('encrypt() and decryptWithMemberKey()', async () => {
-      const vaultMemberKey = await MemberKey.create();
-      const recoveryKey = await RecoveryKey.create();
 
+    it('create()', async () => {
       const orig = await VaultMetadata.create({ enabled: true, maxWotDepth: -1 });
       expect(orig).to.be.not.null;
       expect(orig.seeds.get(orig.initialSeedId)).to.not.be.undefined
       expect(orig.seeds.get(orig.initialSeedId)!.length).to.eq(32)
       expect(orig.initialSeedId).to.eq(orig.latestSeedId)
       expect(orig.kdfSalt.length).to.eq(32)
+    });
+
+    describe('instance methods', () => {
+      let original: VaultMetadata;
 
-      const uvfMetadata: string = await orig.encrypt(vaultMemberKey, recoveryKey);
-      expect(uvfMetadata).to.be.not.null;
-
-      const decrypted: VaultMetadata = await VaultMetadata.decryptWithMemberKey(uvfMetadata, vaultMemberKey);
-      const decryptedPayload = decrypted.payload();
-      expect(decrypted.seeds).to.deep.eq(orig.seeds)
-      expect(decrypted.initialSeedId).to.eq(orig.initialSeedId)
-      expect(decrypted.latestSeedId).to.eq(orig.latestSeedId)
-      expect(decrypted.automaticAccessGrant).to.deep.eq(orig.automaticAccessGrant);
-      expect(decryptedPayload.fileFormat).to.eq('AES-256-GCM-32k');
-      expect(decryptedPayload.nameFormat).to.eq('AES-SIV-512-B64URL');
-      expect(decryptedPayload.kdf).to.eq('HKDF-SHA512');
+      beforeEach(async () => {
+        // prepare some test metadata:
+        original = await VaultMetadata.create({ enabled: true, maxWotDepth: -1 });
+      });
+
+      it('decrypt(encrypt(orig)) == orig', async () => {
+        const vaultMemberKey = await MemberKey.create();
+        const recoveryKey = await RecoveryKey.create();
+
+        const uvfFile: string = await original.encrypt(vaultMemberKey, recoveryKey);
+        expect(uvfFile).to.be.not.null;
+        const json = JSON.parse(uvfFile);
+        expect(json).to.have.property('protected');
+        expect(json).to.have.property('recipients');
+        expect(json).to.have.property('iv');
+        expect(json).to.have.property('ciphertext');
+        expect(json).to.have.property('tag');
+
+        const decrypted: VaultMetadata = await VaultMetadata.decryptWithMemberKey(uvfFile, vaultMemberKey);
+        expect(decrypted.seeds).to.deep.eq(original.seeds)
+        expect(decrypted.initialSeedId).to.eq(original.initialSeedId)
+        expect(decrypted.latestSeedId).to.eq(original.latestSeedId)
+        expect(decrypted.automaticAccessGrant).to.deep.eq(original.automaticAccessGrant);
+        expect(decrypted.payload().fileFormat).to.eq('AES-256-GCM-32k');
+        expect(decrypted.payload().nameFormat).to.eq('AES-SIV-512-B64URL');
+        expect(decrypted.payload().kdf).to.eq('HKDF-SHA512');
+      });
     });
   });
 
@@ -143,6 +162,10 @@ describe('UVF', () => {
 
       expect(uvf).to.be.not.null;
       expect(uvf.metadata).to.be.not.null;
+      expect(uvf.metadata.initialSeedId).to.eq(731870158);
+      expect(uvf.metadata.latestSeedId).to.eq(731870158);
+      expect(uvf.metadata.kdfSalt).to.equalBytes(base64.parse('BENqfHpG1FE8zlmBOfadoKMpsPxCJR1OqLz5H+yO2ls='));
+      expect(uvf.metadata.seeds.get(731870158)).to.equalBytes(base64.parse('D9anaJ+7ASDdGWNeTG3JuoVLoI1IWzYGjTUVxW0215s='));
       expect(uvf.memberKey).to.be.not.null;
       expect(uvf.recoveryKey).to.be.not.null;
       expect(uvf.recoveryKey.privateKey).to.be.undefined;

From c229fdd7c550b67749a9a0052aaab770b2e53d4f Mon Sep 17 00:00:00 2001
From: Sebastian Stenzel <sebastian.stenzel@skymatic.de>
Date: Fri, 10 May 2024 09:18:45 +0200
Subject: [PATCH 39/94] remove outdated TODOs

---
 frontend/src/common/jwe.ts | 3 +--
 frontend/tsconfig.json     | 2 +-
 2 files changed, 2 insertions(+), 3 deletions(-)

diff --git a/frontend/src/common/jwe.ts b/frontend/src/common/jwe.ts
index bf1998530..d9437ac2f 100644
--- a/frontend/src/common/jwe.ts
+++ b/frontend/src/common/jwe.ts
@@ -289,7 +289,7 @@ export class JWE {
     return new EncryptedJWE(protectedHeader, [{ encrypted_key: encryptedKey, header: header }], iv, ciphertext, tag);
   }
 
-  public static parseJson(jwe: JsonJWE): EncryptedJWE { // TODO: json:
+  public static parseJson(jwe: JsonJWE): EncryptedJWE {
     if (!jwe.protected || !jwe.recipients || !jwe.iv || !jwe.ciphertext || !jwe.tag) {
       throw new Error('Malformed JWE');
     }
@@ -473,7 +473,6 @@ export class PBES2 {
   public static readonly DEFAULT_ITERATION_COUNT = 1000000;
   private static readonly NULL_BYTE = Uint8Array.of(0x00);
 
-  // TODO: can we dedup this with crypto.ts's PBKDF2? Or is the latter unused anyway, once we migrate all ciphertext to JWE containers
   public static async deriveWrappingKey(password: string, alg: 'PBES2-HS512+A256KW' | 'PBES2-HS256+A128KW', salt: Uint8Array, iterations: number, extractable: boolean = false): Promise<CryptoKey> {
     let hash, keyLen;
     if (alg == 'PBES2-HS512+A256KW') {
diff --git a/frontend/tsconfig.json b/frontend/tsconfig.json
index 6136992ef..dae11f70e 100644
--- a/frontend/tsconfig.json
+++ b/frontend/tsconfig.json
@@ -14,7 +14,7 @@
   },
   "ts-node": {
     "compilerOptions": {
-      "module": "CommonJS" // TODO change to es2022?
+      "module": "CommonJS"
     }
   },
   "include": ["src/**/*.ts", "src/**/*.d.ts", "src/**/*.tsx", "src/**/*.vue"]

From b46f55ef6a0d2f8137ae32f1fad4ab32e5488cb5 Mon Sep 17 00:00:00 2001
From: Sebastian Stenzel <sebastian.stenzel@skymatic.de>
Date: Fri, 10 May 2024 11:26:52 +0200
Subject: [PATCH 40/94] restore recovery key from human-readable form

---
 frontend/src/common/universalVaultFormat.ts   | 32 +++++++++++++----
 .../test/common/universalVaultFormat.spec.ts  | 35 +++++++++++++++++++
 2 files changed, 61 insertions(+), 6 deletions(-)

diff --git a/frontend/src/common/universalVaultFormat.ts b/frontend/src/common/universalVaultFormat.ts
index e674347e1..818520108 100644
--- a/frontend/src/common/universalVaultFormat.ts
+++ b/frontend/src/common/universalVaultFormat.ts
@@ -98,12 +98,12 @@ export class RecoveryKey {
   }
 
   /**
-   * Loads the public key of the recovery key pair.
+   * Imports the public key of the recovery key pair.
    * @param publicKey the DER-encoded public key
    * @param publicKey the PKCS8-encoded private key
    * @returns recovery key for encrypting vault metadata
    */
-  public static async load(publicKey: CryptoKey | Uint8Array, privateKey?: CryptoKey | Uint8Array): Promise<RecoveryKey> {
+  public static async import(publicKey: CryptoKey | Uint8Array, privateKey?: CryptoKey | Uint8Array): Promise<RecoveryKey> {
     if (publicKey instanceof Uint8Array) {
       publicKey = await crypto.subtle.importKey('spki', publicKey, RecoveryKey.KEY_DESIGNATION, true, []);
     }
@@ -118,8 +118,28 @@ export class RecoveryKey {
    * @param recoveryKey the encoded recovery key
    * @returns complete recovery key for decrypting vault metadata
    */
-  public static recover(recoveryKey: string) {
-    // TODO
+  public static async recover(recoveryKey: string): Promise<RecoveryKey> {
+    // decode and check recovery key:
+    const decoded = wordEncoder.decode(recoveryKey);
+    const paddingLength = decoded[decoded.length - 1];
+    if (paddingLength > 0x03) {
+      throw new Error('Invalid padding');
+    }
+    const unpadded = decoded.subarray(0, -paddingLength);
+    const checksum = unpadded.subarray(-2);
+    const rawkey = unpadded.subarray(0, -2);
+    const crc32 = CRC32.compute(rawkey);
+    if (checksum[0] !== (crc32 & 0xFF)
+      || checksum[1] !== (crc32 >> 8 & 0xFF)) {
+      throw new Error('Invalid recovery key checksum.');
+    }
+
+    // construct new RecoveryKey from recovered key
+    const privateKey = await crypto.subtle.importKey('pkcs8', rawkey, RecoveryKey.KEY_DESIGNATION, true, RecoveryKey.KEY_USAGES);
+    const jwk = await crypto.subtle.exportKey('jwk', privateKey);
+    delete jwk.d; // remove private part
+    const publicKey = await crypto.subtle.importKey('jwk', jwk, RecoveryKey.KEY_DESIGNATION, true, []);
+    return new RecoveryKey(publicKey, privateKey);
   }
 
   /**
@@ -292,9 +312,9 @@ export class UniversalVaultFormat implements AccessTokenProducing, VaultTemplate
     const metadata = await VaultMetadata.decryptWithMemberKey(vault.uvfMetadataFile, memberKey);
     let recoveryKey: RecoveryKey;
     if (payload.recoveryKey) {
-      recoveryKey = await RecoveryKey.load(base64.parse(vault.uvfRecoveryPublicKey), base64.parse(payload.recoveryKey));
+      recoveryKey = await RecoveryKey.import(base64.parse(vault.uvfRecoveryPublicKey), base64.parse(payload.recoveryKey));
     } else {
-      recoveryKey = await RecoveryKey.load(base64.parse(vault.uvfRecoveryPublicKey));
+      recoveryKey = await RecoveryKey.import(base64.parse(vault.uvfRecoveryPublicKey));
     }
     return new UniversalVaultFormat(metadata, memberKey, recoveryKey);
   }
diff --git a/frontend/test/common/universalVaultFormat.spec.ts b/frontend/test/common/universalVaultFormat.spec.ts
index 33584a066..a5d80b8ea 100644
--- a/frontend/test/common/universalVaultFormat.spec.ts
+++ b/frontend/test/common/universalVaultFormat.spec.ts
@@ -109,6 +109,41 @@ describe('UVF', () => {
       expect(recoveryKey).to.be.not.null;
     });
 
+    it('recover() succeeds for valid recovery key', async () => {
+      const serialized = `cult hold all away buck do law relaxed other stimulus all bank fit indulge dad any ear grey cult golf
+      all baby dig war linear tour sleep humanity threat question neglect stance radar bank coup misery painter tragedy buddy
+      compare winter national approval budget deep screen outdoor audience tear stream cure type ugly chamber supporter franchise
+      accept sexy ad imply being drug doctor regime where thick dam training grass chamber domestic dictator educate sigh music spoken
+      connected measure voice lemon pig comprise disturb appear greatly satisfied heat news curiosity top impress nor method reflect
+      lesson recommend dual revenge thorough bus count broadband living riot prejudice target blonde excess company thereby tribe
+      respond horror mere way proud shopping wise liver mortgage plastic gentleman eighteen terms worry melt`;
+
+      const recoveryKey = await RecoveryKey.recover(serialized);
+
+      return Promise.all([
+        expect(recoveryKey.serializePublicKey()).to.eventually.eq('MHYwEAYHKoZIzj0CAQYFK4EEACIDYgAESzrRXmyI8VWFJg1dPUNbFcc9jZvjZEfH7ulKI1UkXAltd7RGWrcfFxqyGPcwu6AQhHUag3OvDzEr0uUQND4PXHQTXP5IDGdYhJhL+WLKjnGjQAw0rNGy5V29+aV+yseW'),
+        expect(recoveryKey.serializePrivateKey()).to.eventually.eq('MIG2AgEAMBAGByqGSM49AgEGBSuBBAAiBIGeMIGbAgEBBDDCi4K1Ts3DgTz/ufkLX7EGMHjGpJv+WJmFgyzLwwaDFSfLpDw0Kgf3FKK+LAsV8r+hZANiAARLOtFebIjxVYUmDV09Q1sVxz2Nm+NkR8fu6UojVSRcCW13tEZatx8XGrIY9zC7oBCEdRqDc68PMSvS5RA0Pg9cdBNc/kgMZ1iEmEv5YsqOcaNADDSs0bLlXb35pX7Kx5Y=')
+      ]);
+    });
+
+    it('recover() fails for invalid recovery key', async () => {
+      const notInDict = RecoveryKey.recover('hallo bonjour');
+      const invalidPadding = RecoveryKey.recover('cult hold all away buck do law relaxed other stimulus');
+      const invalidCrc = RecoveryKey.recover(`wrong hold all away buck do law relaxed other stimulus all bank fit indulge dad any ear grey cult golf
+      all baby dig war linear tour sleep humanity threat question neglect stance radar bank coup misery painter tragedy buddy
+      compare winter national approval budget deep screen outdoor audience tear stream cure type ugly chamber supporter franchise
+      accept sexy ad imply being drug doctor regime where thick dam training grass chamber domestic dictator educate sigh music spoken
+      connected measure voice lemon pig comprise disturb appear greatly satisfied heat news curiosity top impress nor method reflect
+      lesson recommend dual revenge thorough bus count broadband living riot prejudice target blonde excess company thereby tribe
+      respond horror mere way proud shopping wise liver mortgage plastic gentleman eighteen terms worry melt`);
+
+      return Promise.all([
+        expect(notInDict).to.be.rejectedWith(Error, /Word not in dictionary/),
+        expect(invalidPadding).to.be.rejectedWith(Error, /Invalid padding/),
+        expect(invalidCrc).to.be.rejectedWith(Error, /Invalid recovery key checksum/),
+      ]);
+    });
+
     describe('instance methods', () => {
       let recoveryKey: RecoveryKey;
 

From b0790aac0edbafcc6ea98fd488fbc916fa3a4cdc Mon Sep 17 00:00:00 2001
From: Sebastian Stenzel <sebastian.stenzel@skymatic.de>
Date: Fri, 10 May 2024 20:13:23 +0200
Subject: [PATCH 41/94] store JWK Set in backend

---
 .../cryptomator/hub/api/VaultResource.java    |   6 +--
 .../org/cryptomator/hub/entities/Vault.java   |  18 +++----
 .../org/cryptomator/hub/flyway/ERM.png        | Bin 386627 -> 284093 bytes
 .../hub/flyway/V15__UVF_Support.sql           |   2 +-
 frontend/src/common/backend.ts                |   2 +-
 frontend/src/common/crypto.ts                 |  35 +++++++++++---
 frontend/src/common/universalVaultFormat.ts   |  38 +++++++++++----
 frontend/src/components/CreateVault.vue       |   3 +-
 frontend/test/common/crypto.spec.ts           |  21 ++++++++-
 .../test/common/universalVaultFormat.spec.ts  |  44 ++++++++++++------
 10 files changed, 124 insertions(+), 45 deletions(-)

diff --git a/backend/src/main/java/org/cryptomator/hub/api/VaultResource.java b/backend/src/main/java/org/cryptomator/hub/api/VaultResource.java
index 453e21a4c..d6bc3dd44 100644
--- a/backend/src/main/java/org/cryptomator/hub/api/VaultResource.java
+++ b/backend/src/main/java/org/cryptomator/hub/api/VaultResource.java
@@ -420,7 +420,7 @@ public Response createOrUpdate(@PathParam("vaultId") UUID vaultId, @Valid @NotNu
 		vault.setDescription(vaultDto.description);
 		vault.setArchived(existingVault.isPresent() && vaultDto.archived);
 		vault.setUvfMetadataFile(vaultDto.uvfMetadataFile);
-		vault.setUvfRecoveryPubKey(vaultDto.uvfRecoveryPublicKey);
+		vault.setUvfKeySet(vaultDto.uvfKeySet);
 
 		vaultRepo.persistAndFlush(vault); // trigger PersistenceException before we continue with
 		if (existingVault.isEmpty()) {
@@ -502,7 +502,7 @@ public record VaultDto(@JsonProperty("id") UUID id,
 						   @JsonProperty("archived") boolean archived,
 						   @JsonProperty("creationTime") Instant creationTime,
 						   @JsonProperty("uvfMetadataFile") String uvfMetadataFile,
-						   @JsonProperty("uvfRecoveryPublicKey") @OnlyBase64Chars String uvfRecoveryPublicKey,
+						   @JsonProperty("uvfKeySet") String uvfKeySet,
 						   // Legacy properties ("Vault Admin Password"):
 						   @JsonProperty("masterkey") @OnlyBase64Chars String masterkey, @JsonProperty("iterations") Integer iterations, @JsonProperty("salt") @OnlyBase64Chars String salt,
 						   @JsonProperty("authPublicKey") @OnlyBase64Chars String authPublicKey, @JsonProperty("authPrivateKey") @OnlyBase64Chars String authPrivateKey
@@ -510,7 +510,7 @@ public record VaultDto(@JsonProperty("id") UUID id,
 	) {
 
 		public static VaultDto fromEntity(Vault entity) {
-			return new VaultDto(entity.getId(), entity.getName(), entity.getDescription(), entity.isArchived(), entity.getCreationTime().truncatedTo(ChronoUnit.MILLIS), entity.getUvfMetadataFile(), entity.getUvfRecoveryPubKey(),
+			return new VaultDto(entity.getId(), entity.getName(), entity.getDescription(), entity.isArchived(), entity.getCreationTime().truncatedTo(ChronoUnit.MILLIS), entity.getUvfMetadataFile(), entity.getUvfKeySet(),
 					// legacy properties:
 					entity.getMasterkey(), entity.getIterations(), entity.getSalt(), entity.getAuthenticationPublicKey(), entity.getAuthenticationPrivateKey());
 		}
diff --git a/backend/src/main/java/org/cryptomator/hub/entities/Vault.java b/backend/src/main/java/org/cryptomator/hub/entities/Vault.java
index 114b2be70..e8acd432f 100644
--- a/backend/src/main/java/org/cryptomator/hub/entities/Vault.java
+++ b/backend/src/main/java/org/cryptomator/hub/entities/Vault.java
@@ -108,8 +108,8 @@ public class Vault {
 	@Column(name = "uvf_metadata_file")
 	private String uvfMetadataFile;
 
-	@Column(name = "uvf_recovery_pubkey")
-	private String uvfRecoveryPubKey;
+	@Column(name = "uvf_jwks")
+	private String uvfKeySet;
 
 	public Optional<ECPublicKey> getAuthenticationPublicKeyOptional() {
 		if (authenticationPublicKey == null) {
@@ -244,12 +244,12 @@ public void setUvfMetadataFile(String uvfMetadataFile) {
 		this.uvfMetadataFile = uvfMetadataFile;
 	}
 
-	public String getUvfRecoveryPubKey() {
-		return uvfRecoveryPubKey;
+	public String getUvfKeySet() {
+		return uvfKeySet;
 	}
 
-	public void setUvfRecoveryPubKey(String uvfRecoveryPubKey) {
-		this.uvfRecoveryPubKey = uvfRecoveryPubKey;
+	public void setUvfKeySet(String uvfKeySet) {
+		this.uvfKeySet = uvfKeySet;
 	}
 
 	@Override
@@ -264,12 +264,12 @@ public boolean equals(Object o) {
 				&& Objects.equals(masterkey, vault.masterkey)
 				&& Objects.equals(archived, vault.archived)
 				&& Objects.equals(uvfMetadataFile, vault.uvfMetadataFile)
-				&& Objects.equals(uvfRecoveryPubKey, vault.uvfRecoveryPubKey);
+				&& Objects.equals(uvfKeySet, vault.uvfKeySet);
 	}
 
 	@Override
 	public int hashCode() {
-		return Objects.hash(id, name, salt, iterations, masterkey, archived, uvfMetadataFile, uvfRecoveryPubKey);
+		return Objects.hash(id, name, salt, iterations, masterkey, archived, uvfMetadataFile, uvfKeySet);
 	}
 
 	@Override
@@ -284,7 +284,7 @@ public String toString() {
 				", masterkey='" + masterkey + '\'' +
 				", archived='" + archived + '\'' +
 				", uvfMetadataFile='" + uvfMetadataFile + '\'' +
-				", uvfRecoveryPubKey='" + uvfRecoveryPubKey + '\'' +
+				", uvfKeySet='" + uvfKeySet + '\'' +
 				'}';
 	}
 
diff --git a/backend/src/main/resources/org/cryptomator/hub/flyway/ERM.png b/backend/src/main/resources/org/cryptomator/hub/flyway/ERM.png
index c19e352b328e4d3df12b67ff6b127cc8def98e3c..c589c0598a324b749d246139fea5c0ffc459bac1 100644
GIT binary patch
literal 284093
zcmeEP2|!G37p6ZHK5Z02n`CR5nN}^@vm{bvt4uZ3Xqu^+X%pF^l6}jPkX=McmKG#J
zNY*w{Axo<$l>G0Vxo=I)lrW`X{=e`0n%kZG-h1D3&U4Ol&U@al8CDkm^&Q%`M~@!=
zO`c>rvqulXa`2C$P;YSL-9nuV@SmQvnHI)9V($%m+oNZL8{KRU-P7NdNFwx5#F;RE
zQ^cydQ)qNWoT(xfi}&(UaUtT}sCZAB3YkC$hrr)GDK11;BEf}u4pt4TuB@h^j8U`2
zs4L=(FgWlp4Xg@A3pbB>KHiN$MlU#xvY1FB;T5sw8Y*hwQlqEgorz>Rh32k^GX|e0
zlj#H!_%ApN{yp6W{A&*Q2czbQ(Qwon1AaB~@*)xJ2u@Rp;BL${a9S!jO>lVh)Je9}
zEETaP;CB+yg8=?xL2&k<AYU<Yr&2t@5pxVyT}2J~KR9TEcg0hQESEr@j6lb`F`r7?
zS_fz3qh(}jM#5^Td--cow9J`LLvzNH2+Wf(%p*<|stbXN9s<`!uH;Lg(ufo?`ij(5
zuqqnNKhOib&~LjCe2LEBwy=sgGetEc@FnC2XM(<P@PUj6x6POc8v>C|P)5fiqHmt$
zW#(n&K6SB?nxB`I3vTgrcQu#RmxCAe^tYhmz1*i!To~`y#UH&hH68S#E&=ERV6ZyO
zJ9VSNfzVTs12)9P@Zr%Xb@L&*5NPO^(PyMkNOYoC%Y)7oGMV6v$^m*sJe5lEYk8V0
zg@isHdX5(mpB7g~4%o0w0&>)j=t2jAgh;M7R*QKr$ni-8qMJJ$8Ka3lpC=xkj6Mm?
z9q&T%V}74;h;?3=FA}~^Dun{B$1-iKe}*S{`kN3)h&03Zh>in<?&rVT^fstX%Je&z
z12W1GQ#{EBeY>;qJ|sGgd6-5IfHDqV3PWJ&cqinLF^!I=(oreE0dX}3^Ge4P$qWU+
zFg^nX_o5LQr<*d4xD!b(miPdQ4>AXg3&Bsuu0(%=%S@&aAm;*kuml%FWCFRkE4a7~
zdNatM@g$-fqEyb{B_JajQwcO6k(PLd#X`=2v)=rg&^HG(l1@Oyo^h!C>1&=u3j(kn
zbZP*YNc8K<+G^;#N0kPrfoiv3vjk$a(R18cqz|Ww9>k+k@78p2WI8$`8Q>gLu-bnB
z#Gtp5KOEbnw>jNjV3vt^(oCSSc(NN~=A9|56N}7_3zgz!i>JB)U|>#{7X=t|0@chH
zOi$Ak0)uZtAyE(mNv4ny8KP6X&@Ye(uJF4~6gr*a363+w099CI6vjmvuS>&NQNtL#
zBoj4YO*Md;n}E+?F5zcz2sxcfH=&SebSjWa<l+P%9DW2uKsX2o)B`RE2b2YLhJPpu
ze^L_E*(71c)Sr_DhB0T_1g56`>@*`&OJ$kn)~Zec3hPQ@*kgC1iwgm$J%{;&BF%;Q
zW0^2u*cj%qh3d95U+rrmD>fin*{oDpwVxamPXg*i#?uML6d$q+YOQ~4HJ~wL*p4Q9
z*8W}NfGhROmIgJ4zRmCgFp%*|IY0|XTf=qvg3!S<ImR?E#Pf8sWEvn%AY7~hr~y8A
zxd5W*0)>x7G%y-}LLfUdDz8W+2ohR3JZ;J&!$Sc+36KGI3YEARad1c|V6nPChy|nh
z5j{zGGH@~Rh}+6~$e6<LsgXk<#A=O!9Ys^_03S!hWwpLd=*uw6h;d=WcZ}zOZZYG7
z2Z8R4_}GjObSlMz0Kwgb;EK4A;BlF67N~WTtIB<tg^m=fmT>gA+A-Um?r@<o2#XnP
zQ|P+J2ohX~s3XsCvpAVJD%U3;svaMso5OropMdpu6m`1-qqW&AB7<+}<|xf`BFjhh
zPV_TTDyJg`mXGROH|*R;bsZF~yEUp~(3|Xt)cwV<4t0+Y>)i_0F_7<Uj=cdt?@T3n
z(UF7%AKt+$;G*dA;k^^#9Rm@jS(e)rU_QR{0KQ|8SO?)@x;MZ>R=ERW_ZI_vllJiu
zzI!1&d-leeO28xVZc9W89S{ZUzC3%^MDW}cUOvWmCdRYpirSQ5KF0F`#=~S)_r`e0
zN_QKKXU#t%*_AG`lTiKmAm6<}o;`O&1G&~VO=H*ip+A*G=S?BzgMDX$J$urrO^N1%
zJuiSg%(-`Ou!n?Sw*mV<l8DDZ?c-y8x59czim@b=K)FAa5z(VHe*b(p&qdMYBYY<!
zJeEEE)F#4n^jW*6$Q<!aS?k|;tjHV-bI{!yb`c^H;UZb=+Rw=X*NcEV0K3dP1ftno
zya+{_51ZW!HrdlOo?xv9f$BjB_``Dc!#J4}xq}cuu$Wd6i_<b!Q!@uE#W<DIa#14r
zXxN!($eyZcQ!@GSE)T@JSan`VU}GVv`)|j)Sg3t`;O<_)&7OO~`_SDTy?mT_6uP;;
zXo8!v%ZK>Rgn0Hu4IkoJ*7denS;ir_Vjkkg>U?woHdc!#AQ}={yadr4rVmO#A7Z-~
z#Ik2Rm=H_#<xz<JiRhS%GRcR|PJ~WlI!;pqW8$JU*#tM!n7qi!!%kTlqXoV84p_#2
zK4#`%k+}}2IN0r`Ta(Rg2oo<x!t9gU#=}8P;e&6t0^c@fi#_V~@pW|sy`}Ijcskw@
z>BGmIdEQF)wgP5zKwE>N5Kgpp8}EgSQp|_zu7_*rZSmo{sh1gRX1UAbUmT|fLa<D$
zqaCe~l9V5JDg2ENQEk|QzauJc<KdvD@Zp*l;F>*xM&Nppp9fEtWOdl5<f4%B(YO=Q
zSe@OSG;($(&}g=xCl{G!NpQnEw_OIo2%LeF#@f%UJGOIW?VJW`BFr&5COSHd`(|xD
z2L9rr>7=QFwDDsXbnX{RC~HAHMLB03H8jrrQHb2M0Q!$KfK`Xe-2q?iUn$OO(jzXQ
zGEcRDWp}lZ9<V0nyx9o0Nwm2zjVwwG+YENpZ*Je<x9s%RW+&K=49Y8gH`UqQC|{&a
zq~qV(5SE*Qh&oVE9$4hE2}inAFgr9VuSh0brreS0<bOKPz`3n{C*US0Ifsr`N9DZJ
zi3<(rPB!~cyo{SoTENH6ZbeFHu&<q9ZW!~|0w*^mkq?~hJEFhW+@F2j#n0uf{=y|*
zoq&cs(F;`rChwZj@aJTqdo1zNfFjLD!S02E?ByGa{CF};&Q42mQ|9=1*O_?7&a|`H
zID!k<ln&jf3~WH<PI04<@g%e6qs;APn7ikJ-gIDV5xOU`sR$BW5y&n^$WD0RquI>G
z1S-XrG7V1#WFqnxbFg;^dS1&_2J8}rMkX|h4;5@I$k+!@%g<lS+(X^PiE1}TXEtGx
zm-dWF${20bYJ<Jpn45QjYe57<o`m^b#^u_7uS`M<+0>|M$AXr<Jz?n>YxstN2dM-S
z=yBl7IviGw6EWVAn`pk38OSbVVA(OM6w2x_u0-isE#y>WT{0Ys`NGhzA%FOB?wdJU
z+hb~AP|JmmiPb_s!!en!{x`-15`zc%ou-FCSFkf4tfTkeg}Y5?u%{l3z?vVhzYd-E
zvs7)WA~%*bKrz;6CB`_o%8!*6<V2S=v35}Qx^&Y)4fZ?(^L2H!%B^dng-+ac5Nt)*
z!EKV7l!OazC@<xrG}w~_Jh~rYleBYT23hnPmUOYgC_KhVtA7qK|A7q&q3vWL`~TJi
z6gNc>#U3bXEE3tF%>h|~hASf3p;37y0j0^FNoW%p|LFu2qgfNzn?rO0*g`AAswbR0
zGN@0SOm|13kKdwiHQ6%@ZHgVoBA`D(*|iLPn|5kPB!l*ATT(V@A0Mf^73HT1sn}*l
znH~VPpvS6>_Mw42-?8RyKp4En{9&2>r4CQsTZ;K$-@cFXdsg>%6D3^}26t&+#7;n9
zo=BQ$vS&5^ur>RozKEJor1=Qiy%3Z=U%{(8`!dynwHYTjg^mw+oe6mCg#T=$@Rzwr
zrA>RsD+^QDB@;&TT(E|a^4Er$GL+24XrsvSqX4sA%D??dZ=Km<B?sYsX}|y$y)O<;
z5g`z_$5`?VQNtT4j4t)vG@*KPLEL#MRiVi_Rl%#vW;CH_b72};j1nZm+S7inlfxYu
zlvhj+>|w`}ulT!{&2Uo?QJ8}Az#^ATxY(tF*`ZN+MlzwF)6CDc>CADYkGqD*=)`<J
zyX)5pV8}^$yIm?li#?UV%WGk@plI{Kuv-xtTI?wSq?sk7cI>ZR4#Q1h<O5>+G4F3N
z`&7D#I-WRnx(!y@&up=sBaup*3rcL+WwuS2{O6PVU4p2PkzjQPyB(soAxw~I|5cys
zPo(VGC$)`-gPOue-EM`tZOj&X?uts`&Bm2~LO}UQ+=)osk<QVq3v~!2CyL*nU!wyH
zHd$BWK=1GGTaAN*$pV!1g((eK3)cyYahf_}qC;YF+**v&g$rol0wNYhkj<fF74Gh|
z3Js+RSOpwXCV!uRYhqD{21*-T3f74dt^vahbWB)b0*CzN)n;8O;Ou1!7D%PvG=irS
zfl6~Hda=nnr~?I+fjCoMNg8*w{*T==;UY8Dl*EM;BPuf;PA<bh3JMo%BB#@<m$hKt
zu>+ydKOa~By1Z#YW#mFohRPSL8R*vWw-(HYHj5YUFxtN{-B7EzFx@Qk3oT5SX4^V4
zD9<F@*sBc~)$e}^>)kyBmLHRMVoVMh*7m}d7H-^3qz{HMlH6Gg_QS>_y)PK6e1Ho}
zw_*0rV0`u?dXn&D!XyIT1)hQ)GN!m7kb|7X+CG|0Ap>90*qPF?1T+m?LQ%sQ{D5{4
zCTc1giW;Wi7w{SQV(>FKgfsR6p_U1S43>H0k;W4^Qv%q9+>by5zZ%miUg)im2<>kV
z!AMyD(jqtX!PuR~P5^OeTv?1f22OEDt$e5Zh}zIw{+mI(<6Q;d{BWZg1<SlcQRwKj
zw{K+HD?9zkL3st-wb`pDJQ=a>KZfpqMw0oc-@ZcrR!$t!QSG6Amynf={Vm#PuGP}}
zB={5Qa}cZsNDmrsflqT$<VJosMZ^X1C>S50d%+I5DDtqj;DW2%SlLgA%zq#IiG{>2
z8ue>-0sDz*HD*)uEyz&u0{sblvazVlEU@0$6l@PjB+>ZPCpWwo)aEN=A%%$wDGruf
zvv?XD-C8WBRqMDe<vwAmj73D+mkWL@)f5}L<6RgH78$YQuXT)Q(oimtWKi%>ar%+m
zLGBb9w5}C9$OZGmDZl_=o3xM%V!$%*{BR1Wrpa&YD5(uO>}E0jJ6e3T^i#Rf`-Yn$
z%#WiwGmc_UNAVG#=;n^FtO$~~*j%?0^aR%3a>3NYc!(zupFQo=rr2>@<Mk)%jXPob
zq4sfM`uRxD=&KE+pYiisNDreomN>|Z=uG#a5*&S~q(3aF-J~&?HWy`=5AmG{@jC3u
zsx~F~pD$=)z8ThjK%EejL-WF7vN@7Le>5o9VNV{lDK^~(qS>dfN&5K^+pQM==)gr;
z&A~Lm6A;mVSjK({Tsv3l_~6)?;0Ob-W-)A20{P&`*!!iE!Lg~AN%uxa_Em~)%1w7h
zM=1V$bnIT}$et1L@^K;&ojnKve^}1Ag^*m7JU&8pCPK1jJ=&B&K0<a0Lc)!VyEj5Y
zey9VURd+^6DE@qe>|O}To<Z=U5`FP>0*^wZD_D$RLLpJ8AoHY%#hII{se!s`oH5hb
zvO3*5Tog$@bao<iHtj>ol1JcUXIt4-c0un1>a~ey?bg_dQTqwbz8iyQvjXtZvs<Aj
zMva}_rxEBrUd|L3p4|Ps<LJp%ndHM~r@|*Y3&IAU++O4{ow0_q)v69pJlTc$hn6)U
z&AX>__S8DKSOenR-?vx;*J^(WEwxsSkvgFn6Smcunyts=g~b{eHR$9whtG^=HT>lo
z&^6+MOM#kiw&fa4%Qt@HCBmBOKT<Z2QTqvs<)5eKT3YV5i=5fRkY-)vg2?gGx(tjO
zJIV4dG^=S=EG|qqiwS|&g1?~M--JK{jW^8N3yN?ip3Kv*YG9cKLW*HAaCICDq4IAn
z!Qf<_APR6nSo!hHk7V*U)(>GY&~<6{>AG_~0~f3#jboaYtE*t)>UA!!SZ_kvzb^{X
zfDs4;|JLncJ0S|vfTj{1vuRZ!bX9pG3c|3{RPAa^H*UBL+Z6nT;;oJb^-#QFKOiV-
zogm(tt;8D#Kf^J3L%i9GV9i`z3C?t)FX4x+Y0+k6z&Io1rwu&-G|9)A;=pHTcOuEf
z5+6YEL6)%rF3Z^iernnG46*DCstfIV1`5tuJEPek-vn1cj#3FU&>L+Ao=RYJAY(KW
zV>vVpkGKxaCt89IW$1yH{m_svdg7^WM6xl3PN#UHC&8*BXK;A}NP#k+iP?<}7y&T;
zFLf>hiBwI-|Bx#ZNhFp8tE&d`e{>|4<2c6uz;O<)7V{7{8%1cqm;lus*t?u1YG_JX
zv4#yzRgzHNyL7=m1_P_Nnmw5|+eXp}{z#*`mQ9$@mU66ff*zuI;hl+OH%n$WJ9Xrn
z%p)_=#36Es0_MP##OSx+PIPf0kiju3g^p*i9H>ZnQ9!di?ljqBDA+FuBL@+}K$Yi$
zw+`(sFRb{)K>T9~-P&$O#+MmrXn_b}IzeWj+4+&3`J+paFc|g(kQbir&QvQJig@4?
zUtBs_TzF!|8V19jGih?C+T9wS?@FPVNo%`tQMY%cTJL4gE3Ooz@0wkyHaBAC+qo8Y
z4yyY<=1OtiH?65Ev{{bY-NTeGOPwrBJmO-pr}#K-x5pQkP8Jv5aIui)Du9z!V~OI}
zym3$!1smd`F}*w86KS*0AdOn^IIPuMY}_sL!mO3=9O|i>oIWPu2Sx#3Yl@hDpKPTP
zNO**fLodv{Cr+eG`-!90-N$Dj<OFz+umVNBRnZa-a;k8sPT)|n&_jYeLhCVkf<wi2
zAgSi;L-i#fIb=ivS;W(sgs0Jn&fs916525#M05gCi%t?kmM9&r{bD5p;ju1~RU9+|
zsN7)GQ5Uu|Wfi8(;Fub%3JHH%R$;p+V6yOFZLJ!72$Vhq)7o*(hS&1+Z>`@rxM3c=
zf2eC9pUj;BAistVpo6}jpSwPzYZmiObmXbgCR-K+iYI|i1tb5UpyPLv=TOC3Ade;q
zp_bi&2~caMgEYN;D9B-iwN*y47K%6{Z~_MF<*$f^e+0j|At!<VGOpqE`<DPbHM!$g
zVO9*QF>cb2z~r`(+ayz{o?ufNAWF#1sga0ef-+Qg#$&KQ1C;;_91VaJ2@znBsiBY%
zbB9%9aPr{4Orn*!!y)r=!Avl3x8+*^hrx?rJBGYqcn~pj&F>mgZ!GrnCy9Pwm60qA
zO7hz>wzE-YJiVVgkxsAy<UazwepI{{IE^#$??ZNBn0MrzwO!fAmSaK^IYehX$%sUB
z0~rKU#$GyXnWr`pfSY+BHk*o=66960n0^c-W1%=8t`5X-XtugG4+M82ZK0H{B!mTT
zQFqV<PjhdAV;0Flj?ci;K>`q&4MeGtY$j8l?1(Oa_{EvB=K@<NXWI2C8BQj+44is!
z{Wj;9>2iUS!5MG^fR+G{5)i-dWwOjN1asC&hR3=J;Nf^EmSAD`dMIR_;Ec9jDS(9v
z0LT1gfbUX}V$X{*#f!ya{uTNF_ZMlY4`^=lZ_@{@R>2wD_THVK4{T$?8ZzF}2h<B?
z!3P@xoeuK*G&a3xu}L4p?l*79$0$s3Mz-q%?hq&sVFYsQg(WQuUl_#zO@%M6M1O({
z*slVq2w)NsewN^3$VbF&V4w(^QAGaC<}5G^V9>f2b|#~3x1%*awTU;}^d~ToeMC(-
zbQ4&BraRV^VA&JC?aK*&1Ck$aK+;+OTRP}21XsKdBLw0gn4s8~;e~QTG*L-}PVA2)
z5uOL_T^BpHFt^m4O+i+^v~q2s$?BRV_^nOU@5DmCBNI?ZxsY~a5dt{htbQ*%#z_X+
z=Nb_25&j?xNoIngN<7&Olt{J+so((Z4azIKJz}uzndE<KaZEQ6YLwH5vc)3f7#LW!
zCvU8Vjw?dmp;389%Gnc^ZQ5o2qSqGLwvPL#f7V5SzALNdz%>OO)f~k7|A<-ttvw=|
z*f^HhrcFWY8V7;kLWBj-NPzOE`~#?<eE*=m<*iKjq$|lO9DAnJ-N%Us_JaNk1exy>
zwC~FNrYQz-84{Xx#1!*=0-p2<c%wWD2Uqtr(*}H>0MujQpn~#!f^Oy$uqUiQmw5u2
zMsVcOKDr%UDEb>@0XL<Y?-+EdV*vT<W_xT(@C5?S`{^epu5hT1<px)eN+k@sA$1Rn
z?tT=Q|KX|>9Av1QXZ`0;m_)*R(TGlr1@%aB(1l9zvIUFQ37}$(ku78t2NI}ezF@g}
zQwEV`eK}g_!YC+We1XJV&Wv2FX-io~5|O1FGFov6>P<9^!4DuXOw?2~6g5Eoi3#`&
zqBr;%9KsoUQNThF3K>u}ASsI67y+!g_ah+d?m5-8zyeBchzFDhaEplB{UdRJOeiNB
zzYBO89!=$NQ1B+f=DShd%#He6Q!kw?gnaL(Q@tO^#C8A&`Lsv}X_22ujdTL!@<wU|
zRvWSKapv8rdIE97euq^485w{&$cOCi1=;HC*$|2!C@$oId<bhH5RZy7ANV^H_|+lZ
z+5zC_n40dI02q;7DlZ4Xypfbp=f$K1hrpvrs`*gb&7hP$i9p7C^5i~3oh){I*y}{t
z<JcDmtovooDN8KEJixLf3)XS}^Fc5N@$ZBnwyAk(w<eC;5U1aDt;l4g6umjOz@Y_d
z`)PyLUQ-9E{@ACrjfaD}!bjL{g|KbR7Q0_Z5Aga+V7HA&=AwY|vA7el7z6v8@L{((
z^UE6RHf4bkbIxv`F`WUsaP>*IhFy&M?`H422f{XM03S@d6_{ew*$V=^e4Iep8;@4J
zaj+gu)|U&i$H&P|#Yy(c0p@)2!&64#)StjfSoYS<aS~=0f0g9#E;tD_fD5*YWyWC9
zSw|NPwy)$(i^;(+|H^uD=q|Fj@IEw<AoZdWeerYxkD?`#JZ0JL$J|^^4d^>Z9~}0z
z<VMLPA4S_&u-{t%rU7|@U$uq&geR+oLycThUr($WTJej8+pMt|T8@2$p!NMTCBGVf
z2T6-*5^Fv*cCQdpgPnSHrV>D-a0=OxPW)?9pWKu`J^*$q0J5jxjhw+UCz>tA1FYt2
zKcocS58Ez~-K^Oj2abbzh>O0NvIc^I$buFW?KCw}x8g@=*ObuwLvY8w%B{@_|7Xg*
zG@wRs0XunWy^{tze~z@SGwD_p*lqQv;h^Vm(IGc9okfvhC4HCj105NZXF73du=D6`
z?py{dY&e=9t`kwPc`I|(CG0JaZYiq?;EuI|8tFdIX)!=2iz4a|L5X0I%qBGHQqk<t
zsJtVakW}mdA@EOEeIbUJlcaMWJvm7_WZF9_>4<~Yxn12f*jaVnMo*{+TyTR}Y!sZ#
zj!s<ru@5Wv)DFAekwJOJLcxb=&946)En7L66fR04A3WPvsNZALVc5$en#}p+kdx-<
z(D6K*{u4=}PKYykV_A{rUqZ4sNjo1QyBEo>$xgB}<4aG_=!QW3`}5D-luSNib}C}R
zaH*Yev)z5k7=#34t3p!@vc(z8u4pX#MVZZ9OrTP1Dbw&|KuIDynVN&9Q%xJ%ux^9L
z!2v@toZ>@e?5GDmYNNN^VizX}Xk6XJ2?MuKVhtFY4tCMLX6n%AM)_QING(Fzz7zIw
zYCWb7%%H<De|cXsX3&H)>D-M=o3i`pJJW(Wk{<`+Eu%Vce)rs16z<I0p10ezy1U57
z)5`|kiwaLgwkKvBVVVbR&V&uSa-;6qKcd^M_e;}+(+c&h6Lh=vm^!fU4IHzZ>$WDm
zU#Q#g^WUS}>?sOVQBd^)pSo7JIcz}6s_t%#U2a*_9i#pm`VN=U{C!Z~TJ_Z7PGwN_
zx<K7=aF1;`W;a)NE$Dhcb%)!!{ypjrDaH=E;h=-6JH?Gc#*@rk+z2S-vTXqU2Yqq4
z3h?h!U<@R=P+`=70RmK}PEcShtY}Ba)P%k)9J8A%aO?0z3$6S4TlAOXns1CIC#7cY
zV&A+ky(Pg7M8ja0dUPjC^X5OngI>*h*fY;UVs23E1-6l;AY00UKYRO7nB9|cTCQqp
zuCA<yG~F0~GQ%qBXek<-D4Llo8fz<Rn}I9LW^AB|RWow&B$C1B8F(7ak3t2vqc(#|
zp@V)8V7K$;TVsxkUa$Eu+x@W}Xzzwy!3`tX)aGYs=Z5X5crP#Hp41rkJH-w>Mbn$(
zbbIZM+~%u7FX==D7iYe__6GrC%<{-c9Ue=*flly8-am^iZrOwp?YPaMn+DAb?+i8^
z1~ZIQdZ3?dDPG`!GB5x*V?TEyonQmbB7j4F;MIU*oC-o(?kvFcBSHEDv;b#F4;HRL
z-~x|~vUSSPAx90CHY}@W$;3AGT5rLuw6<)ln+hU->(nH=mY=_txre%o6V+~x&TPUW
zFYOtVlrdTz;K-bPsJ=ihnL9MI5MRzDpi)F65@r#A4$cP?NSIU9#+{*dv_+^47yob-
zdLaO@&J{e?H6$3WHSX%5EIY(N?&B^FN-czX*vJhI*}Y*G+X{9ye$8!0v<_GsuovwN
z3evA1tA;8$u9aJ^0bkdTwUl{Hcx7;Yw`ADbSGpFoTQjV)*nS9U2nZ?D7%Z3(czqbG
zmp=!*Loo&*Ne3>00hd7PpWqO!kqV#%0_e>+1W#n#iywj6yb`$^GKK1i2UI+Vi<z02
zPEt0r0oP_YCkP&LxS|tq7zk8l)EhxA>5He1R#s*`K8A69wbn1<_nv~~jka|mSKuIF
z)m#`mr+~*$#Nu!|;8wu00yT6oDEN($k8AQGm~V~^_c<Nr=pe9o0!`Os_3661d(ie?
ztF4Mtk+No@GoEBbBD#?QN->&$vBjWW;cZ}BLj&w0!QyQ+?Rv_JV9-l}_Pjed8|+2!
zY{cImayC#(lGWJ&5d~x2$zSGcAi#v^DGaya?s!m6xbJExV_JhLZ}}SR_Ya@v=bQoP
z60kWN%Fua%z8GYfe(w5=`Z8W}HaO)0c-Prb2V@y1Ph*C$nGIHXl8puit89eT(41<=
z>U1!{*pEne2Rcb3(0vde$(iB;ItDgDEGK*hqQOUFx(!QpMpvLQo2Ej7lo!#M6NT5x
zgZo2hjF$VeqH$AM%3lu0a1nb~!Z9owg=2Q_(4QTSp^N-;aM^J<hFrtXU7zRRn0=8A
z#2_Tb;}9LU4tcv(?B5m~a|ryI7|e{Pk!DK27fthF`Om{L)L0&bWw`pT1qIhFU|Ac@
zrL=%$SPuP{!7@lfwTzRsVFfM($xeuqTXXVSu-G1s+0B8O?f!L8iTOF;Y#W$clVMs=
z`hIQzUPET6cr8o<?*_{M04x9dUIeF@pU=s64^Cd0%?@dyhK?8g4d7cK?nMjZ(mnhQ
zGzre?Z@}>QZ*w=)TT#Fm45rgd0F*Ub`8XIgP}s~61|D%Zv|A-JFlx~8|2c=CZI6R}
zgkR(SdCuiPrLTom;JX~%xDbFuaKk$X07K5N2>6MDK_09KP}YJJ0h%tvsKH!6FS;M>
z1&F4Mk`@}M9%cx1D_;aQEkn0!>-J4DS&LsmjgC1+$3%xwr$eWLE}$$;&s{W~G(np{
zj-8)S7mbTWtQt^eP$ANW$jK^0P|#TGN}9S&Lm#0V6qac7Mz2kztrzQdQ(j2TAq^>l
z)i4G>fN(NVQ_)b=09EfM;4_FR;Ae0MXY2)5#+XpZpu`%F)GFdk383YIAA!awfoHgF
ztcA~<3;f{Xa&Gi(L?s7SM*c`};CbCiZrBTwkiKGVSR9UBb-3Op5lO1Rb;ccU$l1nh
zL%raF;b56wIFqbq0UqNtyX`l5U^?H;F8EAjD^9W-2~<F+{p6s$(r2uV*<!DU`CI#r
zwebSDD6X)M8)flX1PKFc`@2+pJ2Wbf%Wnq?N?LetGbw%m*4!yn;$mR*kV0+7?ozC6
z&ykWUnjg`VgeMaw5%9<=6xKt=6c+@AkVC9~7P{^TL~A6x7me7wudfT0;$@4cx)Big
zM83sE2<Es!Fe}`**fp!=I+?b^kd_OoTnMg=Wo?|C#5Qya`qx~502J^$>M6Dd35dD>
z1IwMX*=roSRR?ZFB!9fhtrMjMsxTL%g~jATN$66G+mS(e+u*{wCl->9;ztIXf$^5x
z@HYuP-|cAM*=O+Jp8h5Tq(hond#w$TMR|<Vz<Ou|_CZ+28R1}&0gD#=TnN`OCxJjU
z^98Glk#M~YcY~t?&=T~SOVhaRc`zUMj|BhF1hE+VrsiZFwf29=7tjG=J`(BwvfOYz
z^e4CwQC8FRcO(BMrQid3dqxJb4!{}p^l#c(??;A-aW+>?7<;yjjQ?9UEc=1g=7NCo
zLAR?V7OTe2RkaDa|MXTKh_CPm@wsUO8QueEtQrhP+i4sI`J}Gl=D7#Z%?iW?`^Pf3
z9SM3_6L#$z4kkQ8ko5HbSE+fd8ar=95AXsRia(kvYSpv=l#C)hl~{Jv;zT8N&=_%5
zK=}aOzMgePR1A6F4j4~9K>xYyc~f49#fbAv1P$|b9gs0z189s6R3JV;^Fjp8UdiF*
z<3u7l^XP^o9YkraN+}<uyB?)~B8=u}LHXQu`*YSDyEL(TO|6fbV3rr5_b-l(F|hL%
zH;NQl=9V8D12W2l`{XryZ0t-W;ORsP*^y5C%UNt_zq#Nf^5M6AQ_g+S#j3IAUDzlc
zWThdj$L*r630U_Y`Sq=a;7;(Y%O^SKVqj4?R~J<_HEd!{12-M)n!d`)O>KM8(lszX
z8nePW<xXhhpaGNOZ4TPa`#7}T9!&#Q{QbCQkCicQ_Pts)S5|K7){MTPP9LCY87H@%
zKphqlqfhXQ12AmbpKRI4xB)5!*<pdL8V5DF7NGgQ`!vvzuw}&#<F776yc-qoiGCUV
z0;t3VP5Y6{`CCPv=+Q&A$7E9@TYrbLy}fd5&FVvBq|=QpXJF#`+4dJq>L;qJHgSI3
z{}gRW7$Iw;fnvG_|C?WyK6_x&6+_G!wa<=qRr~7Z?|A0-zATF78$`2TkX)HmYFSWo
zCwJHLfT&$_k4)R6d3T$sp<r7-;wB3v!+gWu_M2te<~hT9hWTOz#YB5@{+Tow{9X9H
z=q!siuP`$2R`0g%z*H75I5JQ1q>1ft&esRyZgMa6T#lo=Z8i#BF2woAumN1<`tv>~
zR&Y2WeY)Yj@zr%J7Rd?>0jJ#>_B%HdIxV3-Ygyw~?XM(ah}M}cLfcFh-rOYjs$j?M
zz%ANAHo`NvTlHVD=?2AVe~i45_)dbPr|dA7jHliQk4}5|?!bm5yJ-^ORj$YpP9K~1
zsq*<m-ySEH3z-`2x7avB@<FsrwpEE%-%RTflVwHoK2H;%J(gP_5b7(glUDwHvB$--
zi-n7A%f*ljyaewhBH6%t{me<S31*i~lLihwej+l$(7nX&h^&CO_@<j;N=vs7*XWr`
zdt|zOALG3kYJ$m%7ZwX$Zs;B!6y_^7czyh&{wwZ-yS;+kE%=Vh`KO)-30Xe*=N9cm
zzB6*oa?_-A`s%S;Tm=p&e^tyooI7t;9ZBH8ddIoTh0-S*%3DN!oaOsS&?U=SVpfp6
ztN{4QMPBnLQ&|D#SIicw-<HP+8cSae>v?*uAo86}&m7LL-=Y81^XUmZ@|{hC1;oq6
z9}YS(X}552;+qKf2v?6;&&~=5YX%W|%8M%X3>)VCz%JKXVw1kbG}|v>3_);_*yOIX
zM|6dd5aTOSE3!w2r;7@CHjL_>JXU-p_>Pfp;4{s6wF}PM$E-oVW9TF_DPgLm-7$IM
zDABxV$7uWAr)K$Nf!{xG?-gnoDL9gvKG~6AG0m`cn1=N$CFEh`H%&8)-b*qTlm}CS
zd_~aw;COKp*@WsngR4$V+62BMm|O0X@19G0=6h=BDC9d~a<bX6hIS3r88VvnWoMI?
z9V&Z1?(MB*jbAbvzrI)9L%XNr`DCu!sgdKJN#j=Bm;ClvviyO1MbNiTcJ+<*m7bf;
zB;!U++nr7d!w<}&Z7nTbK)XvAzjN%g1M8np33wYMb}V?g>4qV1zkREFUVB~2F(-le
zkd#Y^I3?(LE#-S-{pmfYv6nyAJe`D{JqjnbNk4NmQ|3=hlbw?tyX<?T?^AofyXk(n
z6eAKgD_G>Y?OW=4G?Kb@+D^5r_jF2!c|5!HssClavYfb=sd8Bn4vTN)C3<>fDxZ(E
z_j~43@qD$EgZul_mxFG7S^DX*U1DieU|w23RgzzUx5c$@88XX~Q$E}tXD*$8&clwH
zs#V~%%096CoG%zHXKc(#ClS4><yRHYZWzB)MEgaL`i~E%d)Akq_ahlw0SU_-RQ?WM
z5TNU}&ffd_AaeiD3HjutTx*NrvuY09kFiq?EDlpza8aw!|Df`@M>A_{vL@ya&@Fq>
znE38QOx}yDs}znuB}CY}`V|Ho{ZGa~FTR(n@AVrShI_0VQ%0&xsf#*ZXfYz-P|Bw#
z^DA=Iv-E0g3u1x%U%#?#g^;bGp?t>o7y5Mtw8Z*~r2GiSptp@VN2W>Zetxm4{Logb
zMcdR=ReJw7^yTX#NoDcjfjuL?)IXd)(esYYbp21Zx|PW_W8Wx0n-{vg?4qdLQWb{u
z%owv`p_#7W(TxUQZwg!OB3>V4N0->2y0kv;;6{T*A;W!l&i@=g<8H&!)Gx2c?fP~G
zf33hcVs+y@k5h!Y=gTfH1u~QfW^}&Jmug9$m{W<=PyX+YA1(L}2HP+^=yQ?P;6wLb
zjTF34x^G!wMQT0SZldXxRRbp6eEjezc!sR7^@kqYIX>$>VAvchYaiNl_wYulS<>Rc
zeuI^r>sIzt@v2QK*`PZwX7;JF6EU&W%OXRt>9ZXIUhU4Sy{B7A+Nw0&m*BAM+o!}k
z*vy<`)(3|MUy8L)%8SbwAw7BT5*dTW&n2^JUc9(2Jgg?={tKMmq+?SDj!CGN?uC0L
zC-4eb6wKaXQ9kcap52i0^<B)9qtj*f04+G>csZ!H{QUDvU!<}=Eg|0CHbxUX&n2Dl
zHF0InCpJ`>XsPDYA5QZ;y4QE?`53yR7%(qph7S~H$*JAFGj^lKu_=$Y9S7>1F1T`F
zd2-I<c*4}AFR%Bw8NchLYml?}{VDswk}LOq|Mqh0^u+m;l*c0$zmcnddvqUZ>om<c
z=M6eHT=#ftN^MwvG;iy4gSSC$X$emq0(G(m-gd&L)aH34Y3&0e?>^_AofeQOcji>w
zjiL9>27g#wTSmP6y)kJoc!G-m$~2xXaHb?zuc^7O`|-Ys=Ut7b^iS2{KJPN*pY$W!
zIW9eyw69l#(!M3dlGO{QE)}iySD2c=^G@{_ps!_xw~NOllqcrTJL`IPoiFz7wXN=N
z4@V^8?rC2W)mT<vuJ!)G;c(?MR|M`!cvoC3P3$AH<jjf^t>;Th-qq)MoYoOZ0bh<a
zT9B^WyV6+DCfF=J`0?!dcfE&9pdXXyCyXiZd1`-(R(elm`n$|S+q51e?7IwZ^+v_n
zj1hr%zLg9Oo)LWgSlZMnLp%_b6DuD(+%HF_WUY7bU2N|v^EvJZRxg@RF<M&JqcHiR
zMA4Uh>A0ez5E<X_(ZNBamDR>?bZdja{Z7y&kdo^P1IY~wGyUgYc^xca<yG=AU1GYr
z@gC7ksRdp}x?tub4L?8gd!7qs#qFTQ#zdXhJFmUksI5(WFj8y8kdSrL90qI>Syp2_
zqHJ*Gm(N8#!<4-0Ys>8$6W+c#xY5@kgOd8?h|in*SHpsAj#~LR@AAIuA6T?niuC1G
zgkRyXf~}NcCB3$UTclQJ)@+m#^Up0Zx_S2Fg^~?t!7K1vQ#vS1{epEL<10~1Yv*b;
z#`SxydVO69(0Gg`eZ7!vI54AcT>{43j$Ct5wD9^!2O&(zOTvAF`m&POOZBq+pNQ*t
z*XFt<m11Zk<;ROwR8@?a7}U`Ja!txg3v9rPi|1eMn19KwcHgo_B6ts{J>#xRRwS*i
z?3+pn9gR=DSvRw;;#v8Q`DAb7;@5j96{)l@vCdW*bwXKz(Q4a{05r=KZ?epjvhM{R
zj63%J(Q%vqIoBRCPH?(<Q!s4x7>T`p&zGJrs`E_Dy-}{ea?-g6Q^s9PIXTBtArBK~
zyv{j0({22n$w&7EU6MGz^W&K_qeLVhSsvLbiaB6>p=N}~_?g0f`IO7wNN4YA(j-P#
zC`>QB`2n|8MY6*GarTJ9+aG)-jZ|^d^KJ%jx*jKWk$m}^Z|RC_!Ry2J)D1NrztH-Q
zi-@-fMm(;E-17Guw2Ot5Hhn(h@Gi86QNBCQSSIl7eU(P@Nh5q}B&-Fk1TEiP{#+cc
zE4ND1KIqG<4LuheALltzEIRzyt+c)Gi%fKh67r*;#w~Oc=-2PUmoWEpeXM*NjmCe)
zIlSGjkT+{W#hG5Fq_nGXJtfCTdnRm_rkxw+CsaJ%UG(NzeV-KjB~@4Z+|zxm6zoM>
z_Izob&oblv7X20EW-F}0>=4Ty5(1{-qO`@jYq%`Ehx&acCG0Viau%1{dwsaEmX8tL
z;*FCfK-i}h1`eWU?mJ;L$psf88}8}XEzo+hw9(;BiQk->B?@A`;aYtPGe$;j)cby{
zpYyiTS*hN4qDSrN<E-)g^CwjWcgn*f)1K7?pTR^47iLOX3DNZ;mMryOv+2c>n{puo
zzYP|0YLJ{}BDL1gM|jf9o%bRlhAcV#?L(%jmEij)r}hMHsM#1HI<fKd!Tfj2vv!3W
ze7LDlVUX(hS><KYs(^8->N}?s8t*0F49SpBjr*=7ym_PB*cvm3JJ<|ohwJ@D8eGfI
z3VHWIeyz?BRkNHCt96DGs+Qh(A~@xt@XaWKFygMr3OpVqddNM)!PkF>i&DC}pr)Y8
zD4p>yciwbqOik-M?t+<oI9~EPkcdQy%X5;?dJ*vVf_tk@kbIad{A&FeiVbdJO~8jy
z11UJkSL0V&tQ%Y;d0s-vN<IBtVM<`q(kdYd=VH@0f`P;@OJkDlWG_oZ)!o5mT{xqi
zOz}6#+%s45@uTg*7tEuC7Hqp7G`h^*FH67ff|t7Fo6sGP`c>ZxajVh^%Q~*QvZwsW
zb)vmQKe#J=QP_V)EK2JceXGRNn;XxcTXOIDjyX=kQY-JI&OdXAlpHa-GBKY_^Sq)P
zYNnkgxOMthfvW;VJskW6<OJgkGio+??4s{DJ8|LR|0yS!Ez^m%S1j3pSsfy^QZ?;A
zhr^*S8|&t6&@CH)53fD*!uU#Ne-R7O4BhS5MZ<>)F4Ze;NTmg-YG3vnnRxAx%yd1y
zvHlJ&1~NkX<ogfIUUX%7&wHz$Y@BL3;ls700hsk}JzkYe&Kz7aWciEhQ+wZVRtZ|C
ze?!z*USPr}Cq0FsAH=Uz%4A%4xyxKX;O!OT&2bz1jPQ9m7uYC;*KRdcs>9+lRI|jQ
zFhaiLhX(AZo_Q^#p}urb@fhQgS=2=JE4b`_J0FECmfQne<?GaJANd*o35e@7T5NaI
z&zhTDv80$F=#ZbR_gd$U-+)3-z0zHon2fZf*tn{kJNo6x?irtif=qEQtTX&>*H>Py
zbQoOy>}r8HMK5*L&Y0?kSNj!Hmx=xt@C3KdWke#t0b9?&;6*tLG-|f#+ii{gAjydE
zyi`Mv#2q*9e>~D`neF3`4m#uIarO-X61QB|n5jmK^>Z}V!Yxy3Si32%EcnWGr>~d4
ze>=UW!6jsXf2EG9VEj$DxGec0*=vPG>u{KB9&6rL?W~c$<rWcgUby~++`=<AUoVzC
z9aK4Xlv8rptMZuXL2~a?<}AtC_59%4$?^emJ!Yz!no5@X*Q>o%xY|EUPx5|)g6ZJ6
z{zs(A7Y<0w6s_GETKw&`L|RWz(-}2^MPIV2?p^g5tGihV@16W#ZP+H)biL$?<T*tX
zYmCPhE<eZcCx=|#zD`%~Kk9Jbl~-1&&5rR72~l!hX?kqTR-eW-+OI`cE{t2{zq(EU
zU%5`gR8KEE*-f?%cTY4*^mFwk=LOZeg-08AUDHnY7~orYR;03j)PIdVhTiBCt{Y3R
zUVZaM&1&x(ZlT`EGj3*V%o4pnSFo5^Rv%Vv_GaM9F=4*dmbV5L1`w}K?H^l&NC9FT
zaaFRHmy|@fNm*8HGr3<AGV`;S>i6Wd_kuk|j2>JTsw#|Z>}463g+yg>3+Q`=Y*zt{
z+I3t!`>J1G+5`vs2l15=#&`VUB~;y2F1?A~Vy2tA%s*~ww1|J)wTAVT)}|(DE?;y5
z>OB{Rnim~Dwk%PhL2j7jgwY3w`fh!sN64C7KIHLKBv^kJVz?=Kc)0DTu?B~5NxE~B
z<3r6i$*+^G@skV-o$r75#g{er*GLIVXP4ODh!#7oo@`pRt%R1md}pX!ZQNiBm#V^X
z;~(u3jGJU8`VyDyU$xR%{Ce7;?6NEW6QN6tEnF<WCeBVWOl|I{IR@66X$PP0-+OCN
z;H<bDbM=Kq;dc8)u77gcEuw!daE-9S0g<wa8OHmB<vkZVJHOjJ?rP|2to*@=L!=J$
zGI9o(N>kE%V6NxtA2Zd#a)g-r&S4*FcZeF)eox!F!F1C2mA#fZ8)p_rZgTdYF``(u
z{(Ic9jQ7H1OM3OC<34>ovmH0M+ugcgawru9C40+d2PiCv6B$;rF2#S5M#W&I9H~U}
z!6#%w%Ep9My_&wS);Qt0$Cht{#a^aV1wWJDgozrW;9n9qx;QuO^O`}<TTB0!HK1%y
zeXfjn+}fq<kM;2_t=n&!kTLFmlnKTs2A^N&_Q8pgyre-?DqzJ6k(<@uf`ujv4f3gV
zO8UNTLe-X4ZX#K-4ql?MyFG^0=v4)(1dLesY)Oe!qW{-`s}E(4t+2q!Ir=a7S~^Ho
z;Dw-8RA8!szeN3}VyCEHAoO$E`DS;Xgb=~TJ8alP&wg2&@<LUlk|9%ylh#FC*DJ{}
zSYA0VYG3lOqQH$`#Apf*dE4F*Gc<)7U(Gz?p5Z4J_2`aHfc3RZafh)*#Ei@tseM8l
z4Q*c%`q6Z2eHDw1Cl|%VGija`?<9n*5}ebnr9~uM?Ja%Ba4@Dvwy^chN~!C`6Kecq
zc3*c*_J3GpZL+hc#1P5HLJt0WHj9?;?2jo*``?-wSjogt*O$8jMAy_Mml&7|r5Vk=
ze^%B_>|XSU&Ed;}s_&iiKl52DN@!8pvQnu}1yc?D3(km+a?HD)7M1Q4*-NXRr(h4s
z&zA3!t6u1@s47&T1Wy^YD>!R$+)9a&a~GB@H5KYpE^qCawz#^7{GkZpQ34~s+Zd2U
zt%PM>8%P#fTD_G?pY|EM%gle_hqXdsn{Eq4Ek5(YZA*BDn3J4@)$J0R;G=m*LC}48
zt?zaO7>p#X_w*WY;EDffxsS#8*_qy@`+DXKc8D48dPZN|c~4x_nDNzqvG`=*WL$Av
z_RU9Y$Aul$uTmVp$eh;Cd%aJ@p~s=}@%u%;Bx{@RR5R8t*&sSDXq23n*zDVbuTI@@
z-QFN*nDHvZjWe>0H<YfC`Xqdrkc?{#i2dTGG(y@x;lq~Y6SDg_7-o*h7_WCW;Qq2N
zH&lxi^is6qM8@4Ku-OPaSc%I=7aq})E$|<qP&}vwIFui;A?$N}JwJ3|ki*S>+d#yc
z8z5Fw@N({*R3B5F7uI(gHUvo2jHneGwQa|lxwQ)S8umu)%?-?ZB~k95DE|oav^a20
zgy~3A-FG+7?x^fhTToIT95CE?M2(IjV2WA@gVDN4+s4Tq6PvQeVrW_qr=21mHJ6ux
z=wIdIoshwzw{JvCX6>--sZ8scRlIriXbCyVZH4du!`}`ucu}4<!qW17&iS>ImBRw(
zEdP49Xs&2UdGXeXx5P2auj_rcu_(Mv71=u0czo3ig|hVzmBdQt9NOA|7xRB)t+{gd
z^Q|J4gMtl!LQH-s^(J+R_6z)^)bWkq4D1_eb8y)v4Tt)xl3&QJK6AxjPN-Dy!1}6w
z7iL%_4-@;|u;yFAwULslW_nc%i!Q2F6Q=7KY*bjC_(pYBLJYm2=<eF1I~^?-_6vO~
zRC#WM->}pxJL^JD&X7u{-q21PoFyozez|hbd5arbB?U@?OSOyVhI~6Kt5Ed#Ms%q6
zi(aZx(*AR0XX9>E?>Ez~i5^<AS8bGPe{q#N{z{g^<pQ(Kr0(9@=pFu|boFAHig)?~
zx%6T9ZM_uw89NxdjEG+)H9TB93QRVpc!}o58#h$LtsR0tZ%q-?AlB`~I7e>EpsjHe
zwiMMr`+il#@Iap(TYyt=_)PXWc~K3(;(b?GE2ZghJ=uSxSp4nCu!~YziyfRk6hF>d
z<=>m8KR={u%bL<dQYF}B8Pa>s%uZF>l~lb_X`g#WKc^3b*f1}P;r?=&nX{rYgcdg@
zN%h?PMksYp>v%*vTV?G2@dW`}Z>`kFiN%Mwn@<`YUQm{mV|<2aqi1*|oO*qvpsJqF
z9Dlb8iKjU!1=oxt0+V~}4A6Iyl8agW;h=tKFaLJ~_h>Iz*)Z4E?e+Bh>c*l&mT9^#
zB6d|Jmb{F&B=4%*<mfv8m=q;Y%uH-li6sa|rw%HQekYxFSI1f;>0ZLV;v4o4x16wc
zFR1RnzkrlPIw^YNhRDQ*7f~X)Q47aMo}oxCG7yv8aDI${OxiH#p>hU+WdrliENNJq
z^4u{a=b-Y%8}_l@k>kEk$v9p2q~v3MZFzpu*KJAr2<|24A2mMtBrmE6ctYI6mtK7?
zUtSQaBYhx7kFraFFe*7Vcf#r~!^YItIelG!$|=WuwNzp#HI(jOQ|)xSGV6}t@T0ds
zM31ujwsy=>htr$&pL%4SuxHSP!vK}J<)PGx$!ifRbK}&6sc~W3X8BaEm>N3zz>6v0
z6<%C(t?rFKFn4la&xYA)Q|i_l9tI?$?G&}V`mhsM&hAO?H!sa6Yyv)CSnun$p-QrW
zJ61DkZ`(b9j9nx#yU_@+oY|_`v6`-T3(bQQ&qgdLC_HqI=v{sIjEqwF)LNmF>Z>(_
z#=SaRZ?<0?xR7HH*zFDc5?iE}0HWy|<#X5h`5k%c=QHKh#s!3|PuUw6t!8k&yTIi~
z)@^vVV<^h?-cX;FEiVK}*l@$>siylEA-DP8DeQ(7%gc0nzZp9daU%p2WV2Py46vic
z08SJkqTl6grmhbGM6}k3+hb=5f++W<+|*-A0`aAb-%UGbhJ0tsWW#8CY`xjJDMJwU
zQ@nhp>;4nug9t^8?IRYt6?i<_Z)3`ifuQE#s1psQvbF*br%X78wViSxaelP@G5yoN
z7E_p`O}cBb>$)XiW2JHAK{DDaZki4_MG-iE$VGi3HqgqPX4{XESXdz_4*2pbR@U1e
zSTMi%G56S_$bAT3o;c%w0^-{~81J}g{l9t}F%1RTz}O*+28~2wsjJ{?QlzIbMb_es
zSFSSUy|sh41R$Aj+@1d_WE$YIbG|uJPDSWHoxkyfzWj_aJyXubY};S454=p>xvPat
z4Vl9UtuvoHat-oUFfV3pmIbk)P<;OT#O(OeOXc%4ERnYYNafktDwu(`Vt}E)vPsTF
z{-)yaxw3g<!VLArgoq7KY%U*Heygzj=7Es{pG+6#sq1;b?9ToPf=+|V6DFOoIy&}g
zo`hj~-&;{89+YzBDT+_F06KC<!mQbE1dBgdu8k?UU!PQ%ubOnCZp7?*Fsi9+5D?hn
z%KtsyKL8=pMNXyoER0@ctN=JStccjL;VUkfZn$v!)bP362lnZiJ8RgZSw|3Q2{r?B
zIOp4`C$qyqHlgu;-h9Qg)``M$vVm5UERGE|5)GaDGBl<@c7nzW^V_ik6-zYik%wGl
z3cj}9FlOghgn^%!Q2XTkrxQN$Zn?{a9&IpOAaAkY)sqb;r>tGIylm`%cVlgk@1)5C
z5j)v9+atylyv$|p<)^mfj?NDj-K4K{NWpf!tWdflHGLLYbnj3v1%h2qztr6f?o|VP
zE!KShEX$=}zOrTJ1-{Q;{P@z>Gj3L@kB&#izkVsfyv3Jwp^N4SgGW>RNI#7{TBsog
zWH1JqOnw?_*i+zB+#A)@J>YFtyU+<kfk-~g@i;-7C(ImlUj5`xDjSxUozS*AcX5j9
z=|$J(9tM|qv>WJ>c<6T!h~2oH>$Wc?IEhXa5;UIw@u^K9;BzVK--`AoDtMk$3LKC;
z?s3CF^mPrShn<+y6WmL$DtZj_UaSS*%}a2`7-S5i<pfryxJ^|}NmxHj=Rs|bv&f#n
zii<UA0Uxt1JOR0#2(;Vvh)3+DcVh!T7lo7q26uelSe3p&8N(aZ&()oO9t8Nt-MN5G
zT$rhPxuL)Lm)d+v{=1md<cCM9eP@rc6(Gi!&ZwVM9xEdNd`$1{^C#*b-SJXhHff7J
z@?Mq;+3qnEjed5)yM%<~C?u8V<p8FWpgceEPNvU?m$zy`_9Fl5`_sTS<vp>p_!5%%
zX1Yya^@gRdce#=F`aIb+`AmenoyDp%D~}wy6*bQN2zk&7Q{>S{+p0Vtw5*{z<gQL>
z<cCzN;KPRwimxskJN(oPWiv(wbBm>{cl0xa>rXBMl$=aP`3-4GLiRxmUDb==Eo7)%
zd?~JU!t>nY*}jcmO6LPcoAlz!iZwY;&bm$a%Ua&^e`QY{mz|Ta(!LsyCzpp%=bEl}
z2G4h1uhE}!2_!VM-7Y7C0O84L$BCuWG6XBi&SoX<Az!*R?>xEu_E$h2za&Pugl{-b
z1|TKvq3T>(K+8G@QmpeLRP4(Dr<*XJeDQj0QpJRNz&b~IS%rStZ?vi`x#r$kIg>Rx
zfYjR?GOi9&q4|t%lLVOgy;lqfw+H3}R;~=Zv-5!3eQ3UZ=qtTaGMK~pgzdBXi{uQl
zTY#Zteg9IrFA?Dxy_3_$r{)0KyyEs=Kn5;I1q|y7y>h3aT9e0Uf^^itiW3$)1&2!L
z_#61Wf8yC&?T#>#V9}~9NeX^m|M9J}+g_g?V%AqHL7pbW6VSo6FII`XUVmit$XLB^
zA0Ix6bGFd^^vLF!pQ-OWdbZi#{dM56f^)qW`B(|8E}N2r7z^;Tf2Kf~MET;6Z}3PC
zqMwOkoPVjz)?<nh3m!~+kawO!L8!=6m)@Ota(UUZy4*vPx0V6Q+NZ9n9*CS1a8UzR
zxz~Yb%6~GSQZ9HNJWt`YWa{BNRdY;Nn26{<nl?ae(9QFJycRDXd+ySN<cUD#Q){sU
z#L`uhtBmIZZn|LS7m)ZW2PqHVmBZ2|lvHiAv5Es;!F}QP<2MLdn<cz2Oi9}7UmTWr
zMW9~}$VZVf$DdvI?Q_Y-C&>XcrCNRPl#Ha6T*xpdkb2rT&JASad;}a*UtV+0*eFwZ
zL;t`Bpl<8Vc|5&mHR0{ZdY~qXd5?>Bjz2sZ#9=dY-pmsV-EHVBpW%7_nQKyc;-0{(
zYnQJvywPvIxav{||Ds-X!|x~gQFLqW;L7)}8W3M}EhOnpXvm1gHvtWtn*3OKWNg*m
z^r;J9N9vX*koWXThqVAUR@oaSzRojHTx5P*RbQ}g?ySZ0qIa)l=-$ZfhQ+2yAlY_L
zGtXV29uV@8GZJ&0!Y}H-6&0x3c8yk=RGE4fNiBJtPI;YHxK^xu?SC8Z4lEb#HCn3D
zK%B5O;i&!0yE>_hfeW1V)FGIh>|B{tY4CK&y5Xi2)jTBOrs-X5s+4f*eBolNE7$gH
z4}Np+T<}Rr@p2*jZjacD1uMzN5AUExo%>RI;?BTwe}@IWxrADvhZnHbxAniiIjER-
zU5hSmO$9I~c7ImbLg9f5dDTuK?tLFrBvq2ZRbv8mu1%FSO>#(Ce6eznLjh2jOSLx@
zHs&<cWIZ4K(73qo^L|KzF8rf**_mq#w%q`kruU6UEt4-*%SO0MoqYS6<S&;bu8dX-
z9NPw7iLP;pkXg!`=<tG<>&!mo#5u1QJr6Rh839>EW)?f8pS}_=-!QS!-*4%WqxL${
z!zrYY|D;{PxG^P5s;^5)M@O3`O}QJ}SRvw>z3+62zy1rn#mzBcUJ82iQ{3yoeP5d4
zCtl)_9x9etb5A$vxlCXgCf_MsInvGkh<j;DUGmZ4Q2`G0k^rNf??F0pA5CV;2jr#K
z->Sbo?lheseknX;&4B1*moamvgf~0!D`uMNrs`HL2?R0JUbT$6o&tHmSiFC|@=kdU
zc6I6E1GbYE+#0aao_1H`*^d6(R#<3;?NiJfBtQH~DX@#<hb}tBga-|wkyZ%@HwUK%
z0jo&<egR1nY?$zFbkh6Sq{ySvf%i_GdoqtKGrsoNhv?y3N7vqwFOSbuA%DL(#Vl#S
z@Cg@EX8AvyB5%7x_#p5tcRF3F>Cbo#7Q?)Qr4{_mHs$Pl0~nn<WAfreO++)!u2A={
zS}4`~dX(AtD-Fcc{*Mwp^AqLtc5Iq``KYMFg>k2o<Cg+BN-T@de61dBnZ3cS_m?kT
z^8`(k$BxW99M~{xUOiy84kyzu3)vd)ADn%!pNqqIlS9r9lZ3`c+q*7)v7!$t-}Aik
zoWsV&Qvhut*|+TY?Vw|2N2d(D;hXQNlpQPks!C<Fi(QeJbvP3lqDO54xf9g~#FG=t
zKRuYLdhUQp$OI8-W4B%V<0cLop-FO|K6u2|u>%e*JUupj6}Tm}`L);OKW<2=`hZxS
zG!>ywCZ<<t8>hV&ezx6R>fDec6E6d=^h;iN=`i_WdsZk!7ZE}}@5p?(p*jo%LCR5Q
z{d48+C~T2<9qd2-&DhJhT3lU%^X4bVZIq;jW_|t`GXG`#Aux<o&vnk}Mzz`bKpi9N
z)|e)J+<0}$JWy+JDtLRvpcPXP<tWNdL^ydV?K^eaht|F6o2n{W{`uZQ8QbJb7k6B=
zPyOGGB}@B-joTGHTs1`J#Y$0oW1rmE)yhL&677hUPoIBVU3Q{z-bqPjLBylohVo{*
zvR*?+?zw;Vvl5cc-`oF2knhOgo}+C13yRi<?5uqi;dm)*SY4cKUG(rm?Ux~?1!uDi
z@?`~IuiOi!xK7eoKyK+s!B9|rpj|1aD0Xus;-xtT>fGA+Fe3Mkw1{x+Nt56Vi5-{E
zYKf+ecnhikeD_HNnL0Vj*QPmJn+_fqD7m@znV+NIMyc{De}bdj2e)KEntZYf&5THP
z5AhG(baPZ`r1~Uzb*Y}yqwRA_bb#ybONsg9Eiu|WA+zA2%Gp$hgql9qFNEuW!A^1u
zaPA|%*+R}+(Iz3^J7f5><Si-XRRV4mxBRx6CS5qC6!1zaKIY})IU3>&x?+;_iuAR<
zxaE;INSOs`yVbO<mPIbD&9(nLzR-94i`@Lao7a2wPBpAi)T_R*Vg38F5_PA}-kX4H
z7$UY3dn=-<KX_y_#K}ypjXy71(r-m%b#RXPvGGyf7avUg-cVvC=rW8pf&My&uw*M%
zOUmu)ny1Pm688mtJudM^=h4cgRidw`ioq!WIG3#1ctNV?2$2PfVjx;LkzpolC14%q
zo17!(vO`DiEik8Xt3(X6DG&QHrZ;f3#NMl^0Yagq>uFOR!+gExSz$9(T<mV0Jhw=Z
zQAx0Al)zija`{mcmVB;SGi^2Q?CbD|Z}Hnq_uC@TTFp7Bo&zX}QTl<G{x_y7wxowt
z@~h}c4hexEPwRTK;+n|BJJN}Tan2dZA-1O0O0PBtff}CYAM19`+vF;+K5UpN_DqD@
zd>OAdGkl$N1=D6%C)5<?l)2q0JU%kDAIM-{jPwULDnv7-e~zbIDC(WR?E5!+hq9O{
z>U}2nu|AahHTra*T+-T9(^sPzcPlz{g{)c9{Rwl+PZ=OF-uiQOK=cxUzm{Y(UwHnr
zMKP!3-}f+nELL{OuX4oPsN0i}=<l63i2jf$K<Aa!F6{NyH;V5*oiorPQg4=Tvf%Bw
z7=MqG512~-z<mFb?27Luvok%<NKSsW<>AuFBSm-Xhde19nHTwP;BZj)L?6F>tI$As
z(TJPY#|oUxbOsm=#kpD@aD7)}C^RrW#!&6pE@r}P*2o#D?soXYAbt|vPo6$-#r-m!
zgxXQJb8L6r1pdB)#fkoAvZ_cNbmKNbb@l+gaif+3AM?pYTB(!DV~w7op_x(tGmII<
zgz1KfNXc9;W|b9)i=<bCjSd%-aK95(eeCVSqZ>WrZ;kpd&|UGum=n8&Mn*AXo>8eL
zwpZ5*-HaWZc61N(3D?Sk@I`3SB~!t^VnWl>`<_Z!{nc^b(LIJLf#xUQXCDkn0kuSA
z5i`vsJ0SYUBAFMOZDpx5au*1mZlxT&#He{%D!R$tPUhRO+3A+D>SE&(YHyGn#-`pD
zj4vOOHNooW$1ydBZjZGy%MCYth6Y5JD(_#B9-Y*;pvR*n2+$tu37$w}`APYAAYPWA
z4dSn5{RSkhE{r;ReZurtVM<Y>g+&h}OaU+RA~PzAE!&?ed^7f4(z3@BkPA!_02i42
zrq^S+PlCo0amF5$cmLV`=f15+tzJ;W=UrC83l_gUTn<WUeCl(zZ=voTziXGp>#RuA
zxr-VPKQeo|*6;xu;yw5rV~{Pr$=)o}<|5PP-LVAKStl9QS-V3A%?nge6C-S1D6m?u
z9Qfw5y~}Z{lR*teyxhdbiisx4H3AN&9a6@s*bE6Z6h|XC@p?m_wIG5UJ7LG|$qWxy
zRtwy2e1FCaB9FWNis?49mBKIcAKnYhd%S46Zo01O8|x#c$%4}BPt4Y22FS|N+sKx^
zK;$;|(&X&}fh}5L3+mG%-c{JV+G@NI#6EFA`9>X{Fzd8Ml5ct0b~}gTi*>&Ay;4cs
zku$~a>L+vAeL{Cf_+1MT@so=$^RRobHe0ngfRa2fEacOZ%ZsMR3&~PPBTPVOnsic>
z|1o8z?1H!9E~PyEmE`CZ_w};Co89j^-12O{TwJkzL1313AMv!k=}8MM&#Fidjc}U@
zf@^}(3G4p^UF@*EnZ(E<aF=$TX}2c|39Od<_NliV2+8MvKdz4xpR`q9p|B_*<mtZJ
zl&y+KH!}t7NZdx-(qb^XYuyfyV@m36Kmo<-kuOaZbd}w7#BA9>d#QPW2NxdE+cH&l
zeQomFBYUP?m>N6zxa)dml)GSv$x?|;_K*F(pYTDRVv`_3nceSq!sMOsA@6KQ;g5h#
z5FYnz&k_ORIX7XyTj!M@d$}?r(s9zqC<5^@Un?BXSs|0P#Srib;){)ZCh4z8Q2CnK
z3&i=EuMX8eFp@o0Yq@iL+Fnhg=^=ZM?|6uc=GT-qMf1U>H>y%g+{=|CwpL8-vqC)|
z7d<>M|M6FseEP?ei*}hZ?_f{5!Hm7p3bILSHyoxiLFXn?A~@azln8Em4KmPo0f+KR
z?ScMVxlOKtJKQ5i=-Ny>%FwN&1;m6o_Kq2X#c?qcdY?Fg%CPBv6|*FyI#7e2nCm)q
zNyK*$-yoHPN~uvN7M2J;NPeSwl(O}Hp?1c_8=g9|w-y9$S(x?eL6Q30Emm8UBlcIs
zXrMHWhU0d-`QQcReV9!|-mR$oic4bU6_?(tAfYbl;;S9B@QBl?UvI~PN~idG;Ht@-
zOQ|c&2jyqdV8E=h!x0Yg<Y$+*Z+EOLOhI(=90*>r=--#r+;y8i@ms>Fi?4SRUY**r
z#YpxpC?*pcbs!}~Cg_4Ph(u;dj8i9P#;v0lZWRnviHMY3huCFc(lcF4#%ihD8+%?8
z2;RA(lQWSxQr1PlM<Gvc@u#xfhr%A#p}wHlED_YaJ%8f3Y-tiGrzuCOctG9UvGMc2
zfS9^0YvT8W?X%}ij<%mGxOJJ$ZmDmt?oTrgj8V=b7VK~y@-|sXxORbxj`HA4#iRAb
z!0z9b92@aJ`>Gcz8efY}Uv7*CrAG?b$PX_!^e0Tij&-rqI3C;=DW(M$&O;z<U^%F?
z8j<vJ%hX8sL{LqY3u08tsd?w(SNyNfP^Y2A!-$|7pcXhhdE3U=ltt3+#VPKXlZHh6
zr581Q%jS4IIl0UGk^@j~5{MO^M4R=K)*?p^_f8k9pqVB#eyh(nm-ciyol?7dFW@Vl
zq%I9is=guZ`R4usgmbXl2;N{CsHby&pLZ^%-^FL3M6GQ3{|0#ZTnVfIK@jar>C~5>
zK0S5JAL15?N2)i52bRSl?p)r8z%u;O`r31V->{GJ9V6pPbodyt%D^$OdJ<tg_H`8<
zDcaooVksao@)7C>iEO3&jEvQ<PM3J5{Tvi#J)7gQZUCtKyRlJ*0t##PB7XrT7fHFj
zrAha_o&%9s1WJff<nopR!6cI~YkWbaXPu=xs1B=_E?HN-asRTby`*wL+^PRids)eP
zEg%M%<r9*WPL<dli1Tp`U7@a|viabQi>7nb&es=*tFEmOeodXKa`DhNKz=*{6hU<5
z)b&c|6JL(YISO3bg}pB^xdubQzM_*N-L-t)*=qHifE1H0zu~m(@hm%^eqTY+<zwKc
zJ`%0HU3t0TL%4(hxMf|$FWD>W_iDS{1kAd?xyS0>WM7-JZ7==7<iv&#nF!ZaVG#J{
zKu8%V$vMy94EhY$^-a+9%)9V@hr?o`)QIr&|2;+GTFu2D-4*&v$rbH#i}H5A=vH%A
zi=u8Sk~Q(e#iBLR3qDu$9d~kJpW*aPnRS5R+wN}H=bHK{pb^=n9;)F{%I6Cn2p52W
zJZZSkBWp&nW3`F#6=$PhJAnhIEM%4@lwW!u>kBH`@_<~EKmqAC>8a}+qk0Ne1DfEN
za{Ntsa<U$%4zdcp_I^-y1yY^)RORd)tZ$mI(j34!k?!v|s>qE)7>-*?`^rpxf|m(?
z2NAZ%8t))bCsk^;-+O+n&!NiHgbj|8;Y(!RzRdZUyWpnA283)QE1T&CP@iTAfk5ih
z!<pxp_5ZRe2(ts2u|DTVyH&40`d>e4@(a;hAHsb7Ul2kv;%C&Q4Xu+KSO%Ud5!4?}
z@LpILQ0j9h*JeQ0i1eO<+Q}<KYq50+nf*5&Rsm6=Pn6ygYgJIAu;%=L`nRv9230Qu
zG~fj5O}@$r_l;xiUn)*dx^QRWCF(<9cOwktvImIdTr7>s4|^z7yzV-f$EN`&41ng>
zf=Qd8`UJeDg7pfqS8IHV)5A1D6snZ)r8;x4$vU@TMRG~^CcGb9Y~ZBtTng0I@2=rV
z=aULfUjK#5r~4U4i3)ugR;@~l)Or%MKA(C@VQJlA?}po%DocHj44tmTa1a+vtSku(
ze<Pf#x>M%E(k-eFRz)N=n&DJ8`_H9=r@W{`a-J+U_!Dj@pk%%!*eWyaMrgPp;2&y(
z6p{y=9-90{^dVpi_u3@rg0k3W4&E0{bq8#$>N8RF^;f_ITo6qj7keQMTx@Ue!r>F>
zUQq_YHDc6|{T8>C@~VdvQiZ%gBofo_xS7{z*XrjWnk=<`dAcs}=%j@3%!Y&GwAP0=
zPMP<7r+cZ0m)tVFw>dIG)8~rIe*wjn<$AM)33sjh)1HA4xuQyHVvyYeZ?n=dPcPEk
zO2>p4T8$PTkr4VElzAs+_C7u91`y@vWyV=&C7fg(l6I9WC`l9_cWhtaL(QOoxN`um
zCm79}Ecn1&mZ7tSHj$OP|0kk%e<`IpK1|B!i^I@;zIjAYA23cRG3Z78`bw4W4@Nsa
zzqwV{bM~IgsX%{&=AGEV<crhI0BbuuJfLufd^|!#R4A8D(|YzuHqU$axcVoXftp3E
zNvRmB8=4mG8~nQb%(Ve3mIF4*Na_J5<+47gyC&BZIhpC|4XfH>l5oxDUS*t}JM~FQ
zpr6!~%p=!@h6qXc3rt4ek0*FP^9y&nM_g1AjUImBOqodp2x*1n^@dlkNZ+~evW299
zP|>cV6BYhX-J3^K-M;O^cT#OBHj2zPLL#9=8yPEe$~<PCXSQ92GH;ocsZePk^RUfR
znTH~w%o&n0Wr&pNJwM#v`?>4+J@5NIYrX%xYgsMpzW4UIKG%4j$9WvbHBi9KJRzY^
zoG@w-r6zx7QXgEtNRWy;m;EEd=f|*T%G&mb*S9!6I99Z5`CDr*I84yJij3Bw-BM(a
z7D0l5pthAX=5@{@ZXx}&{5N|A+{i<5_QNl?nhD<cLCo41G}0&o6;9Os_IiciT>Goj
zW4#?_9y|J+UqdL4Z=Q^i?bE$0x^=o!$!@B2B$x1v7!T!a^vFUahdqTF*4OgeNm}Fn
z^yZsg^9XyCao89DSx2Ep&M-3i$>>{>UGuPSdO8_WQKJW|oTa8P`?CSOj#zzi>q%SF
z27bRf>k`LzIzgE<!=d^|OH17)U-F2Jad&XZks<kz&B`#F#k#ycR_~Up)8+W7CFWEQ
ztqGd)g4~VO7y9_IAj8zaw?Z91v1x2()f#Hph(X1i<3E3-+idXiiTqrB${?b;J2R4~
zXo<J^8AL|#z$HJYPh5^+8R_mI_Ze#5V~fJizR<f&yheKQ*Ci!PrQ$8}UXtB_vy2P?
zs|Tk|{2y=@d}I6y;Gg?r7yOWm?Md!xS3NqDB74cs$JBhQVmkgla*ow2TBV|$2H!bi
z3-W6>R|kiS?IWWOP>hwL0#Vk=9ip$<wefr&<5J`!slVQ8Roz;6H$nPZhODb2WZmWR
zei@R`k}6<^=gu~*Hk`ayD;f1r>OSqJ`rAx7;)J`kc#x=Qo!4lA=Ubq*BLvw83hq|f
zR9ZCv^qoU}M(PpR9)F2>Bj2AEA2^%PMnz!)HD#E$R>3VxhpxNCNpvupJ$7LXdiInf
ziWqK8imke~sG&*iN2J~<X*jM*AL&ms%)Lx0Fi_wmw0xC%J%5S0r*DtomPM|3dADuj
zc9!RV@0-0Sr?X<rv2WGI2Yr8i<(_i*K(x6=ck`v?3e;KLAJAKIRav9op?n<p5J+2f
zO&?a#u;tH2PVs=gOYI?pWBnm(mw4D77Zd!;slD)+^X6QtFQ2L0dpI0yI-O=0dx?!d
zY%8NhzSpSX2CWR!);l<V3o}D*U*h2#%S)OFtv}tTouQef1z`Dd($f1fesWL4kt1;u
z+BA`*mA3CRM~XRjbLu9!O79pJBVv74<QK9Mw=wzC%Z*Jn-ADY?mBO+dbzvi@cy`ir
zchu1+&Z|TvA$)^a-Q;}P1O+#W?U&23{RgZ*DdP9yX5RC+s$3n0_&Heq7U>)NmNb@u
zEEmRS@=vjOPX~ql4Ivgy2{AMq!G4|J*DHBscM&=$6DOW78z4<EGx#N;CuSbX6Vntc
zUOv-2K>qtSja1`WX*v{9BSv0xz37ALrnD7R6l9z}U94x9AV)uYVKRY_M4`m$*41p%
zO7s43+iQ|YM6KBF!1r!1Ltx8zuLP(?cu1ajFJB%`i5t+IX2?Dmwu8&}B*S07&!O$N
za+$3)Y|D0mBB#3ddWQI2S+*Cev-_}Bv+h^zU1#Obz6eKBDE{_1Zchu5*yojY0OF0O
zRqVnBa+e^H0m$OoOVZeiFL_!Cf$v9bT{LQ1*`hVPECqR9ouU^>)04XdOOGSh^$ACM
za_nU(TwH^Zddf~!rUs-<S$SI;cBbsnJ@U7To&WxRIhnF>5q%VW=BXE)1H#;VMQZWl
zvzdcGR-&;7EL^O$^{(y|U7tTQ*63UU0HST;c_s1(rAY5^Lt2N|s<=wJM16TYt@i#f
z<kwlPS8p_{vDvKhy>hgCum;teY~3Qu)mH~t%etQ{scimQDRP-;>L*ZfC{~|cnt6ER
zGd&W}V#Tm`8cwYICxK9hutR*DT5O!RbXrPNDjU**f^qG!orHxHl5c7EA_iRt5(WM5
zS=GH<k2YpPrDB@|xEo_XnVfqP<bwLk^aDhL6RHjZXOUof6;S$tmKY8t<dIZ;B_Dmg
z)*%ewXa%x>%dz9RN17G1<1R|!G#La8`FG%{E9c=U&xE^~*-z8>aq|DN>ymg}TuQ5~
zdC{9R*0d9an>9J-z_6#TRRIauF*l2yK8`q6Enf73;C3fPqEQp?8o9OYGYH{x4k)US
zc%MUK8A%IX1soWZA?G(o(jp}I6LB7udLVwI5J_~-+W(zIREUf8UEk|D3`n6p!tbw!
zy$uKApgyQyI3yV2Tt0MwzyzuL4ZwkEjtGV3APp$#lw2>X%IN;m^(2KYA<xK&Xg64r
zgQ$dZB{@|CFCa>#m`f}L@b<NPet`tS>Y?{iD5BCj_1ztWiXz@?&L28XTzg(t2-8{l
zM?d5SXRrBCy<3>YjuSWxuv&UH$34G6rt+z396g7os&xNqdaoG7RTYI%P(;ypZ9Sd?
zTE!df0iDnsJ7eFU&nDiMIvINbvwqS>`+Cb|1BDLZXQ{UAm6_=y8v0kIAHDa=cuI1I
zSN9tf)qA}tvwY5CqVLJyQem*Ogg)0Y&{P#i`dmQ*PZIOOtU2;MBDwnd^sap~vnR2U
zR{wRR<S*+%c$Ya4nYkO8A+a(|X_;kDhPvw0LFl}c%S|7-RqmUEh$m;}6OtEz_<*hw
z;(domvCsJsaD5=d6HE~O+As_kQUt_~1=83<GUF-3JXSE#991eEu)iM^TxO6G<hO@8
zn{IVQ{hXeZ$1cg3KdreJIw~)TU$o%Ly>$K4z%^B|MhNgIAwil;7A=LM@!*~VOxHu0
zTnRLjv{3y^n)dn>bE)F=2qL{wy|C$yBpe3%h_H#<{U*Ri=Lft8Y|_Q3+){6RF5phZ
z*ZD$Ik|zNq(v9r=C#_iCO)DCn$c`&gMY}7s!YVn=(S3Lq_&E;1k2d>h!&4;XC{Bwm
z<E#;~oa*B7OxJNtG^v-Wt4=oE+=j0!Or<147_?QG5sc(oay;U#T&l^|P<FhFL|egS
za!{$wvX9f$DmcJ`f27_;;Z!s~Tv;iuU+U<fZFJ+=`X<a{XA;^GD<dM*t-mEVGdxsD
zIp0g>fyn8WOWL*bka|m}NY&&5stO=UM0eCtf7tKvBELRS_R$j+B&xOhz#hi;j_o`J
zqsZ%1Wuqihj}x+L@LwIEc6xZ6?Z$*p2)-Pu+h+(ksOr`rVQdE@rGTuxOI;vYu48!{
zq#WyjK<^c&U-WPAx{`_uddN(zeNgz_(Pw}p#dRoq?#7$<F2XKqQ{`Ta`otL>D1Ym0
z1=qs^H>*oZ84kr+Es-@ibSfMUTaiepKETL=3(U4mhm5IRWXM@omJQ??gNIlrbQ8YX
zTsrmzv?TqbHX)CK4=|FA9nQm2v)Ba2mDu)XN)zk54?Uhu3p?fN&*CBd-8S0@1cPez
zsW_DTPzX2kh;!h}68nBvuC7yVlvPl|@4E5Rf=hg5p|4%@Bh;dYZcL6*eYqAw!JKSm
z3Sa?)99I0>!hIwwPQJvlBGuBa&BC`}FUNCy6Jp>~a@uKzV^iS`adqMD@?T*F>}*;)
z(d09b0Bi5;Xkugy)nD>FN@2^_Th_c$d>maW!M#cBv+s(m9zy+K61EJV$*A4>)jlU%
z3Q*7ht-k%3>P3srv+q(oM{Jb%i|-BluFuUAHN>Yc&uWICr|Ql6w+}m2f2-Xd3F;l!
zg%|8B-z&EE6RH+Auq%|K%RnL}yd$Z5;85bS{`sty0I8%v9VSCv^2S8@MNwN^n`D{4
z&yVvS(><fomzm+=cKQJFy1l1+P&W}hg9z|S)i7S4kr-dqx?P-L3YttelLiEwK%{~t
zhz`$Z%Qfzj7jPronwbhH_V-9bUswhI-}eRe95FrRqI3!sL7%AfD@{P3XhtczdedvE
zl{@812wT%D3Vb%z`?gnTgatA91R;#LvDgO2jK{2k;Osnx+(}q`q);9!m!%@o-w=AG
z{ZwT(&HIHkvnVVpOPKXky^Nszw-X<9s!<k@1cX@dm5us4s#Ry@)eOw3XkRAEqMuR(
z{v0>)gf*{+Xoa?X%BS1Mjs%X?1y@g5Z^IIrm$?bk>nA;o{JuqM&e>kCx05HM@{Q_D
z*Od-hOa6xourgzXEXl#UQ6&n*lN(nQe~F$PA~B4S19*>f_0IGTL2U)0Vfn12>(S8o
zmC<b$JK_MI-vt3(2HawQ6fRf4#2jX-lj6xxV?w(?HK@Y4-zy@3TV&8)7~wSx8#xl3
zfbTz)0%bDCyz{G%CmOD;y6ameSqxzgLu93PUPeX%;W!LVMR?QcT;DU5Qu<!cPOPir
zTUN7&ftn;f?`S3+JKcyk$Hj2xgz?_smzP^kjqBmsYPMj$yR!u1zs8_XF0wR)o!0gt
zqq*49uon$fv%td~M2lr}N-V@-VUuskubNG&J58(kpWq&iono-dRv+}cW@)oaL*n8Z
zj;Ds#zUO`~^8|8$pWp&YSYt|hCU=Nba@dwA4@`a0V_B~Us0iJu-E0GsGh`I9Y@gzM
z#_pf75vsQ!xDgzI6JS;U5q4T*&-}gXB?WIC_^4J}F*NwzxcdxQ37ugQtLS#eva#T_
zBJPH`n+0^NMlMMXE!xHn=X6HTioznGGo+;x(PA;>cwG2NpJ1U7^nP@FmmRm~>QO2V
z0RO`mG>J%Eo>T^gg^fAKQY!&z-*gF|=ltX1a}-UyML5!NqSa~<2kAYu(z9tADY*%@
z5Xd+3Ot#CW6EdlV{>G_q*8Yz;^|-<J<~;&X$a$q>@jg;2d6lm#7q_Xb5V+<_G82iN
zw+8Sf$6<{34Hcvzge(IOum2HlZz%r~wbuwr903Jw+01^Tb7F7C3W{eiaT;o*yYX4-
zFI9&mC@3jvVRj=Y2LS6cRdjwHkY?+Uzr}PLm~l+unwE2@2AfW^rf|W)N;uKdaEG-N
zj#I6{Za%aEiIu*>kE3paknwK=#%%O@(!)h%m+L2={(|ZTR1?gZc8|4Q7}(r_z_?pz
z(w)~VyFZunnM902i&yw3X{JqQBax+xVo|luP>^VQ>kV*V9K-la5(m9bPk)EyJAfR-
z#z5;()&=F|pycNFYmAcK_@2h5`^G!ZYdWYOq@4nEy=j8xPVi2u#@3r=SnIoKKUC%-
zV%k6$#a{hu{5bkYTJ8IssETTUP7@FTaLJHsdwI|z!ghl&!y)Ivvn7(_=wgY40CkhX
z$tziJBwRvqNUVi@fqNFGm8l|Yr=hs}im0qRp`lP;;#%O<LgH#Dc-VH$BlIzdT|Qil
zWTL;4@ZyES&UwXOE;l>^fnPTwHXg3<xNEK59;u-lDb)kewpJjvDr-&qa9*zKOq|b0
zWbgLg2IR7*0)jMwnzgiH*LHr~u*U~_8JaZgSZcuj!>;K>1lWD9nqmvw!P3faA8&1+
zr5G)PlRU?wJznJhz(KQkbN_4+u$20>bS;inBEbQKrOA&O1ggKsrob9{pKFNaUdRIi
z4WPiy{lJWKWc6O~V|IHjh-;#^D)TB^1qm<_LGnugj`T#!htcvIRR0HCUUnS<(v*F`
zVG--HZwOlhA%LOhYPPq$)`2-V2N1Vsh|Zy7r(fPb=QO{Cn=NQQucnY{hLGKIpk@K*
zLSA`E$-m<9A*=e}!$lu`*WdIrtpF(A%#?sA;Hz&Nn8(N)R0Fk(nGtl+?c33^6a^6P
z_7<>+<MZvhfw5+aoz0ikFx2bz-kt2voi%mdz-+XQG}wovWm3+h)Z7D;_rGlYsNF8^
zR>i&viaK3jRfsV0%E$`n=9W~F17_6EiqeuO=zjl@x%hLSorG8b8WuclJ|LK-`iBtY
zM)lG4#W#tTUEAPwFbDzua9T>x=`dH?BEG^nxkn77u_C_0jo5)f!2AZy@2X^WeUDvE
zK4TNhU$s!T0}&(XM0)DYOav~U*U+lDOZAbeNmXnT#18e8bBOM`ZWw{K8(u){hTY@f
zw~sa-!u7s*T}%3PaG^-~E4c4R&o#CFRImB3ftiqNbjAq-oPOR<K$uFa0<sLf54na8
z0DhG|i9Fv{v$?7d4hQW+7AX8{`p=1G6m$bOp;Uw&3){#zIms3dH2M#Kxbpqj5CiRd
ziZu?@*n=EV;^V0oSbe_7(9EGJ%Hw~%<03sHrywUb;0lK?cF#O;yh>Z|au0$e-{No3
zy-$HV<<med^lU%)E=<T6od^@TLO0L_z$JF!<=&J>gp5$a<xRA7D6bAgu_>opg_mK`
zmjKV`9a$(*z~RIWMhUr0cu_h+Zub#5E^+3@_b*+J8yM8d#!HW)4I8zE<M?*>E&*gX
z3$Ax2e?j(n#51CTYz?WOAkgT8Q8#89T{*1WZEqSYE+9o+*~vhgdyT}+miWtb8yrE3
zhJ#e9a^HC)55B;~r~QxtAX!8yN2F*S|3zJ<3BiD7#V8huWbK2dw_`!OCv~+sk1|PK
ze4Mq;@Hsvtaq3!*oJ5o8$8zZEhbI}L1g5{rS0b=51m#}>OTd<*lML_eba#O;F#vSk
z%172e;0)~p|BuPQ(r58{ZHPw*!un+#n32bBdy4liJe9>ue;<EKfHL<xBcByb?Pdfi
z*D-KAJodbYD(`Hd$UKH0Q22TJK%J(ry;Z{t=mtAV%1YRpM+`%BLUjD|o6e%_5L&TI
z1}O>VA;*?r!mAl47}8Qmao*fmQfIkkHSfRn6ZpiUkRQkzX|Of0$<zt!6Q69ra{U-5
zn_BgWEsyvN&O(_<p}bEP)U(~_`+Qxe=;MuBa%0t%dS#G}Pmb*kDfP*LpP{G7J-M2E
z3pW5}?FVGs{-Mum(sGT-xEJKHQz@d$?==)i!K>s2fGNdTW3OuK1iM#n5*zpK^V<a8
zvU?gcIVbJ&{;`52avR!azM-T0jdMmcYHa9hQJyGu$wjZ+hvX~P$Hz(uX81m;X@#~U
z=L<`-6JdG`{rC<qF`H{)z%jHu&fg6M{cktau;R;AKceYItFBKD23v<ru^6dyiho75
zHeQR6>&H(O7;}yM><>*qp=`txHl!&7N5@Zud|-T7)X8NOSS9-CjghxEaPM+tLnuyp
zCnSXSlL<yAL>T=w?ncq)Hw+!*gdFc!Z-1O5#1O*7y?a~$MZnb=lvp3&{^s&Jj3Srg
zAm;CxoK!L^dzZ|liFToc)BS;DBL!MzSsss$jJOhh7-qp))tAho&W~seeo~lkm|**k
ztX?cTONMRmrE-QU6e~hFWt7kqy+$-s9!qKqbF2||3ku|T%8^Fn`-WWbf}=G#W<+t4
z3d%l{lbL_xJaVJANU2W@Sg5++m>9~`JZa`cPfcSzQc??<EkY4K-{pt^5>EMUD#?`C
z+0!efD2)^;J%CaDtd)uFrK6TiMSq!6b*9D1CF-7nv<DM$iGL!+hX~vx287iUce;V*
z@ZuNX`+D>bL85UgyW4BPVqUnt#v|}4%Z*Pl^Lh<@b+Y~26kQ#)$!7ZDz$p|7Y^GM7
zR=c($Fpauq2nZ)*W~$FLFW~xVzPY3FSfgJOu=8|Wi}?;^PcgL%GAdN`!j#q0MA>k2
z)foPPpTCwbj34ys{(0qk1LL;xlg%9cQjzHtv4pXt;3>B44D48yJ-Jkw!{@IB5uvyw
z79XVGK)#|f!L(bcOiD|kQ(iojexd(D^jpWeyHsQ7i6wdbg3qLED!l-~9c3A4jszOH
z+XWJz^ZU>O<t(>0T&7$i(|HA+7m&#`kPUYrgtvvTV<B%iu5ye{l9O3=Ud(-_N(kuV
zH$AW4$rFccPH_oY^SdMhwBI(>Wl(WHjn6+qyPxwyjAd;7rw}qB6Axt>SCwS43+mK<
zwuq7eN<axtuT=VG$OWoK#SiI_Vu%x=(MrU2gUd?9lfyUDllu9deWaabM%;qVGjuUi
zQM}qib=c(KB7cH)^N2IPMd)+CFoghi)xSRLKo^<X%?1(Q=AsjBYL$?0yqud1`G97B
zcwwmSL$yv<<fd>E>*(VzKLYD#LN^u?d9{d7m;(pc4~>t75Zs{9Sc%pSWRkJ&KM+;R
zac~QcBVhtAU&`F1Q*A(1RCuJx=+Pp(g;^T2k%v9=U!722`4CqxeCF@j4i&NzFDd0^
zlRi{B>IR|fr_7VD#&VT_Dm6l>kma1#T8&xwY1|r1!$fRNy&cUfhA5Q=sav+^(@v8J
zjSa!b5o(hwBCmv;exu~D>hYS6y2F5BF*)B}Tz#>lUTg8HCU2A!rjl1cdw7>b2blx)
zTq37%xdn-u=)t>MT#QVrW3n!Zho&Bgrn|_T+^fQhu+@U<%-s0P7L8tIkuG*b*{x=p
zQ?;4U*uPe-A>gU!-ksb3&HynHIqnmL3XYCkXnaM9GR3!1J#YKi9KkqMWus7adBUyk
zpaQ{iHYh~&RoM^jPwY}IK#9cDIt%gt<XFWxn|qNQ1^#DmNGU5z^~m0+LaL4yfpy)0
zbmkGez-7xCwohV>ES^A_FSI*gQiKvjDi1VAgk{Z5UP9J*xZuF!U{Y2&mXiH1D?`N-
zn-}=(Uw2bbN*EcrqW6tcd~mzKqQ~SL({yBq{brChj6iz!-1_3nUPmmKFQGYx&Ir3R
zs);UPJ|%568=+^=)nwHd@%5{st)jwRog==kE5hujMK0FmQgtqt$f7#ws3Sv8mNXQ<
zeoS@rr>Yk3L!@6XSPk!_V-UM{lW}%*pYlp;=d=RI)YU0I>E-E|TA*<Z@BffQ9tcOO
z2NBidk4RCFx&gVPs(1s|FR-P<G$3eSDpXJEY{|;&y*MFXe>`37VAu7KmxB-CC@S8h
zTlAM@!iP4Q9xaG)3A^&}WI+PshysM7=``eJ%^)}U)w)TridFOez!94t!kq5O{+&io
z$L1G;RyhYh+Np08*4MLQsMW?^<3@wz8T(0Y%i@-v0i&}!C9(Z%paAUy^v&xb=Z?O{
z`wG!1+TGbHlAr3LkUr{{kZ)Vn#ig8h9RUnz`e75uXEl3{esE%7aWh!OZAl<ah~>Uq
zINCJQ>IG$p#W$>d1fAYb>NI9d<-HKL4xEtOqkKA}nrP=Hj9Eg0HEN3R#YX%!r$PyG
zG-_z~?kM8q*iv>P&H5I(&?|fE{#q(uq{F(XT4}#{uYd@pY6ZJ;A*>A3Y7*k+7wWRW
zRFC?TSKMVG>oQsF=!8&3X{W3D*j2|cf$4ONUze8-J^st7oF|rUuJ5w3&G|h71DL)s
zg}BxKObF(&%&pO*C8n?J?pDVY{Pd<`Aq@PK!!`(2@lm}`>~_sZ2|Vj7>J9r?^=MU~
zcHtltTR6O#x+wNUSN-hwD*Jqp%xWwA9GlnNSW5Gcf*QAzjOtMEDID@B-QlH!b==!-
z)f9FT8-zhz8*QDw&yyiXbm)8t2ovXQ>f{!eenRA*O!rPp-$BzR{_u|pkA~&Fl<d#G
zlA=8klP#GOi}w`0c1ObU>4C@HTT+}9DN=GAV_i+soLSk0iX(5o%)XsdR>M+UG<m%i
zpwu@*VS*ND1A{8yz<P_}69m8_Og<E6&>(8A{4UZPGiDHSB}ALYpOs}^F%CHd<0f+}
zcR6ezOG~krB4x+y@|}xEBO8+MDMTO+bavs|jiE0OA^9-x2|B?;YL`|8Un@__;q%p)
zAAgjKJOj)h47Madnx}!I8ax*}7*oD!w6&;uH?f39JcFkOejb--VYzuSJKsOMNQNY?
zPcuk<2De)mlR`b^5*LZyx*~iHQ8a?MP347d=72nPv;-ZQVnV1C>EC%cwK;ypg-z*H
zSLEFRC6&Oj@&1rzuJmSJO;xrCoaT+JxPV<f06$p+=YUGl_Qup{Mj`Xd{DYZ=h;kE@
zXTXikq>mI*B?WFQdxdlyDsY$4$Mr(Lf87yQ$wi%9$}W|wo9}e!`ZXE6R6Gz*5I=V+
zf&x*voBf1gaM}Qre$RM8eXDT$7Z=DRzinyG#LDlMr0&Wa7l+=5Jl8g@O>H;a1HCG?
zKX6wA32*i{kFq6|W=JekZ+I7-7^;|&I%~b3r0^tt;O-j~lR+g*#AK3{6xoUaH9>Ju
zl*JTI-NqWL<ca;wa}&FMROcEXLifkDb{quJ;P;1<##J&fpZ)t=wqEMKt?VF2)Vh@+
zvZAuv$eGG>z32PmV5E_F^w9v6Bs3r7FH!F7OHc<4q&hHkx!>(&O5XDie=};|Gvy!5
zJ^|Q{ic8jMWYAEtQ14@_G>nM6zpH#?EUxCMH3y$P?yL(M4?x(M&_bnMzB2s4Hf2^(
zWViAUxx_!P$<8nzt|RPqd^#&O+M(TThZNMIs%J-`v+w;qKqsD;Y3|rBk}4pQ(97dz
z?Y}pK(l`JZ{vN!}^dauB({W9dKTI#gnHbFB%A=WZyUEGpr{xsOyR{sC-8e21VQQ&Q
zSE&7NvY&PsAl|f%9AMwcfTB;66o6sp#Fd0zdO(FGfL?>>7LcrSx-i1_9_ne(U)O$J
zjn8DLwfU;sdu^wib~|h5-%MG+wLHprwRdLk4tEZE<ljF$h)B7x>+8ke{_DR#kwF1N
z)jO7H@Sm0U=R@Qk*+XZwT})^EpFeRP8M%-w*Q5V>dd4}DXQ{jzPIKB`$ms6;*eXJU
zRa`!loKBI{)gR$iAx-0aw8(f|W%54(!7lCu|9(Z3%sxI^?h%MsuG;GdZu{oSwB~o8
ziYt)1_>wTx?z)Kn^M&1Cz-!Z*j(d|gfnP0!cdyne`xSZksAgbR_Mfe1+Xsz)_UNvL
z{QuB5e)&+u4a=!5zUyNDMKk~JjdZuN@z1}UNVz%CGdgqEo^p43{rg`u3-s^UO1a){
z();iKwflRtGjuQYh;(M^|M>|7DLgc^*X7~N_tx|C24{2T$*ect`_N_i{qgGTZ+YNR
z9`<ZLzrGhB_E5K~Z?0rc#An*DU%5qk#&;%9t(X1JcjXC!_FuJbbaB`h^1AIBcO=EN
zBzE-SJrN(RMS1D|{Pg9M@C2JVv0nZEHcNJg_>m*BT@2=G*2}S3kn%3@s^}_d8vglb
zVE*x3hM6EO2h74d7`Db2#}q3r!Vch0a<k&zKjovpJ6TEs;mlK3XNdgM>wo<68gf~I
zSH}lhAN@JV|CxCISlgy$N2)#ykA1#G?KeRE7M7<IEYCkWQURHIHWJh((2@T&^^Tf!
zv?=cFQfGX#0CC-=8~j&GqzcIzxCY(`wez)dJsAj<3MGB6!f{nH{OKa&#S0-lZP86m
zmp3y@cKHSWdA0k9^Q=wGJ<D$OVPP^h(;)NC$Hm(3jXr|jdu6!RHs!ZD@iYzwi@2IR
zox+2tOaSXm3s;E?O$Gx1*Qaf;F8+C4_yr7Kspr^lXYl<k(~b-Ja1PEIpC5U8zt2^h
z<M6sU66rU&@9gfN4|vS3S+IlEK_t@)A%r~tuOGr~Xab6jOM*P|(%S;o-nnNxr$TAP
z`zJ#aa0o?K9?+=yuSRPm-KK5S+@C$0g;Yk0TX;V{`dij6P49L)B2MB!-&fnh|N1=i
z%TweDN8DpG6TSa_$tC_PXR`xAI8S}ELi_iZe58l$JYm^OhyQLn<2}IxeSLC$MKU5J
zMDeq_zkM9+8@g0!*@60WxgqU>Kkmo_dEl4Fhvh19L(iOFS1I20-TM25{ca+hixDrK
zxhyi|7*lZi22@{5NHl{G2nW%#_B8C55%>g^xsn&x(gzS@SOi|rbmkmRy|(XK+`soj
z_@jhyc(s-*s-4yYL>ojb+7GCb9fH^L17~*rTY`aWD58`_oH-G*M#WPrK*21E5E*Fc
z0Di#CU}@ekFuz5>tr0t&@x-!arq3*@7y+zkb<L?Bh`OY`0V2lnglCM3+*bzWAq93X
zc5qtU^t<8-c6fb=p4Yh>c)4}~2PjM4=jhWtR43Io0vrPe<*|xnM5>PXDNp#$zkM7a
z0R;5<DIh24fJ~kD)Et171(5nT7B54kI!m<HfF6OHM1V6l09b+prR3VEazZjfrUs3-
z7bpi0eYR0lD4seasA2fWvP^@1J$3Ur4ge<o?X68KoeZanug?($IHJFFm@EEps$2tD
zT0BtKEOLNSWD(+}6B;O4km1;s7K9l1&8s2o6&lpNOf@7>qaF<N9KLfh*BYTf<P^5?
z;-CQoW>FHBh|49Q@_h)M0K|1(D-mPcN@Y;fWDKl8@?U@+_peVxUC6fSety`4ph!fd
zn%PPTr$ny5{0j?|->i2RzsZ-jay{q+mWkjsddQ5QAr7F3s9N)dY_X6^nuK;%PTL<d
zlT8AdnUC|(?dNf`*6{SAVR+msQ25Ky)nJPIUJ?ihjDQ}E1ucUftZYWd9F$za^WUCa
zj3`9-4^VU)qy5RZ0i^`fb-?da(wWnkQ^kPO<2F8o)Rp-9$Sxty0x5KdNE+7`C+2o6
zIz1&N0CvJ5^m4>^PTT~2mgk|I*uAKXd;prUl#<iyAQ488UUN`z`y--ivS1@r!=TgJ
z!q^U+?~3^6a>qv>n2ZEtgU#1gJ)XdfctJ8}ZcY#K!_c{E0Hd>kc2WYhm;Q)zBi22O
z(7sZDjJt!{mP(Ogy{hOK=^%9fETU*YP|5zew~uA#kO~7*W_fSuX;=w4)1k*Hg7s7Q
zR!mhj@B(oSRG0byg`8_M$v(}}0@>;}kBP*ad^Kz1j>;|{L6B>Q;6hpTkbQq?`{WdE
zEQhW701%>hB`_UQ1eb?Iw>Op#Q~3fvCm&F&3M-UMKadxu2HX(HTWtVz&i#ORO{MN3
z;1I4jq8nR<7WRW~z!oNQ<Qu_erW?(IE3KbhpqettRNHg+t@c`W&97-3F!B45g1c<+
zp#lp)^1;mXaiQ~|O?t{uQNUCSV9%e$BU-s_PK2%|pShSB_1m6CkeWlzMG`mKY|t>c
zVhRab1RFjhG6xH)5s)6}n}!}ABH2bDxyRWby_X~O#W|SplwyIohzD)ZgMu%h4;?E-
zY;g6z!)CLk>MTVxdnIY#cN*cg*aMfwz3#6%wh?*MeuO_@$Dg)`+=kl28(tfbHpls2
zP+cjME_*aGBrEpmQVnOFukI)6UrI*!-YW+JrKZoDHlVmU^Dl41NX<b}qcrSPMN80u
z4|d?!_OM}<{pm3H|8@-8f#Y$Tjjd7NDl0p?NiE8Nvni3%P=1XClod2xs7<+riw%SL
ziHJFH0B|u~g)+&fd9y>p@t4Dowk@VH|DdV)1st4ysFZzOlK!iCnYL>l(PU51$1s^N
znnVM1g{@^Zw%oe+YI$#z%sZGUQ>pX>5X`zYVJB9Bpzmf<^s@;HD7R+iR+L##&gD(t
zV8ABiupf;Y&P|URtC|Nlvx_cy#@-5j39h5ocJHoI&xzTDYq0)yhN1li5Si8S&wS3h
z;S<bmz-%hZKPzJflSgf8tX}3P%wU&sk}x}&^@X&Ppo2Zi5_V}Kf~NUDT!1bp7Y?)a
zV6L;F*olbEtm>J1?14Oq2I=YG#9(d;uURS?!iU2~X97zxr)O){=Yc*GB~fLGCZ%Fo
zJSZb7K6-m^veYZdn>`Op#$GjS;t!AIgdBsxdRVr1&%2UN%@fb5c2?SoSL0Z3Q2I3J
z7shA1xW(%i&YR6*qA{m9k^w*eyb6p{EL9Fz@j8aHwU{h3+UHA4159#wF--7sO}G`Q
zc-6-RqO3QEfN%3%TFe8x6Et0pP!Dw-rz63b;SsXM4R4@|IVS&nI|91s_Y@a4oVh!e
zh0VgO+MzNw2OFka8uK`If@Qy5PI3G?^CD6mXcdcG9B=>J1wnc81f8l8@yX%vAN%MG
z-i8JSvP@CWRp91qk#Y&*>=2n#TXL^JGtBO;b!V}4Y1_YJ3HbdoVuG(Z%}V-L-OK{7
zG}FtILD6Sv$NBCEpKD7$ST0xjTHYCq0wB*mJ=Bqc#diHA7$Gm@pJF^p<FC}mFSBQ*
zO&MX5(J(I@{2t~i`6Jc0pRhnuCrcK^Q5AC;{}uBEgBvZs)R+5FALt}{io~qgg2reE
zYIzE|&&rSQ3*H{a*qVGKSQ1PL8u&KM^BDBKYHhyNC^}wKW`7zMtE5z%<adeg?nsxA
z1I%PmdUfWD@m{cPq*#aiV8x_|D~W$Zm-pL66~Itj_$)DuXiIP;BfzNnoV)$)*7nSF
z-D8p22cfr{_s}6VTbfN^>`ZKqo%v2RLH!CHHEb}ESYfr?a?ZEfI>eLTfkS=&!~-k+
zQ(YY&LaNV+9SQk`R!j!$-b<B%qxX+%9UiSBM@*;~rV#%aKi2l}*EHpe>jJ#1O-prj
z0P#AZEF`Ns1=@=0&D=t9M)@s{6k+D1WOdrQuP0Xgk4dkwjFYarj`@W=dc~rPU(LUC
zbgTkE?EEZ_ABz_-PWb%=#&kyhpV}q(mih-HOU5<N-B>a&JwPWzGU7e!GxcNH%*7z;
z#LnT{F6oZaz$c7#U2GA>-SMOwcLg(sdcy+wTN&i3j`-?=AI$3?OnwkL33`D<SIUyt
zsjeWRPsQP%QwPuQa|XP-GYq#8p4fa$TDe)j*K0s9b!{E0isN$fzMp><Afo*IL76n>
z1MkojVb;x}7EWzsG+bq9pFr0-vlo|gU6eDhbM2pAvBZ@(39N6PwRzVdM486JIk4z$
z;-rK}zYF`o=4H#pf4nR8ZqwzJUAf3VQ!zsVnS|!^)q^~B4;hp)PK;cD0121sV4tkU
zK6FR`Q{{r1<4`{OIO3iXv7QFibyz@hwH0yWuB4@8y(Pm%ju+orcq<)#{Z;twS0BMJ
zdq(aY?NneN)&8&#hu7yY-fUdsNzK8_r~@c={2`2}vxL_qvug`xUQ&)){96X)jd9I}
z;z0VVEDxq=f<v0GRX<0fO?!co@CdU2lw9BOw1OY|-*69%xrAKeGoz4xuoyZTj*sjM
z#|N)PRMXU`wvBXC_%RnSs8c?;HIq|nfXbqq12vX;;Oo1`uz@8vyCR)k=Q$`<Yb`dS
z53EmNHt49q5<}Fx?wie}HLO`o^-s|wdnwDkClV#T1KX<h-1XJ9#!3pc2C&5#Xjj^w
zDoqIM51HVcyb%pE@gQTb?0?18{%ofsPRFw8WnO%agtxr7V;F~7?y34_o`VAMi2nr{
z`9?Lc4jcvB{SyP2b*{t0)M4VN03(o%8hwKhE3}u^A|+KPcc3)s`Kn;i(D&rQTW(b`
zeaqwpd!pED_gwHlV0vI2V<bdpgg22*S$Hpvl5*xW4n$Mev9Nfd_HPBMJY*%2gFteb
zh2l!%sSMrskR06|Fk02BuWXOP%u)*ok)D%jc>rOc^ZkMg=sg13l9#Mk$*AsEvxpTZ
zIpZ$mit@)7_~pNO#mgl3O0;QjoS@1Llm_8rGTH};jJ@FuouepUNVW83m6+!+xVOpI
zFC5#j#xWFcCq}4awf9SB87qYnC;^8bz*KOEFNtFog*z#x6P=ir!<W*rUMxSG1WZ-}
ze@@ZN2~l<|9#Cg{zg$=MAw&cn39DNJRyX&5TiqqFx_jeGPe!~wCw@bxW$GZ^<e3%-
zlbnJ#CtWpZzEwfWA%gEe+I@udyo?^%MEg)}q(nOE#qxu%McW#drfR22FRs3CS0;E8
zgEk5WWpqD%D70ud&5WP61N@P@x_Xv5lr6sf)G|H8YTL2V?;3R)!Zb$S#3Yxm-4M@x
zBNeP#UWm0|x;`_~U91scDNYmL;pX>t#FgfN+~}K2eGa&`bCGUwnyqUq>)*zTTWap-
zvm2ayapLQ0vW8=3!XE(;7;qD_P8m<Kp#DY#6X>n(;AW4$_<n%|_JToDPKnmkyCbrh
zySJn4(19Qu3`ET75;t?TE`hBa0?59xIE9a)UVS6!jvqX+8TD6)O8$@IkE;W}a{a&i
zeng+aJ;OQ_z@G0hnUTLY@-`&?s=;iKAMRR|{ViWFoFes%%={fD*aHy+o%2-I*Df%W
z=mMGZlcFP&_kavI^$!{FU#LQtDgclF|M;uuENku!_A6?DUOdoJdt*c7Con-pLyc61
zp?0Om$u{h_F6$BYJ0^z>jL_vf(-{mp@y-A)?LnCt<KlB?$n(Cf23rD(0l@3;-=T!>
zRDK2bD9)hwBfsd`8;d!KTbf>BMdXHY6eN!!6Tc~6{0Hs;@fru?+qC?PkIZ<vkWZTl
zojIz16#29!8}GG$#dm&>$dsdAXxu?O-!ei!x2lEJG5AHkNPPQCdoH5&t%kiOD$uf1
z(=S8$kE|3BkFHa$Ps@dS{)fkWexvctz^+~Y*{)E07sKhHfy3kMv<m-0JJR#dO?Td%
zOZHlUCI$>JwD+Y6{fPk}fMH9_=Z-7?&+U4x%<@@iFQER`uz14atwx53JlRxV67P`Z
z-0B@kJfza76(nW7YH*a$rm?djv+XCLCYavNWk+7^(Q{-2L6y=5oh4zuCir+IZ-DXc
z;}?CIXw;k3EE4sk|AL~V>c}pCR>dCx69i<L#+W>{QD1{SU=W<r9CFJ)7xr5|$hjE!
z&QSUOuX6|A**YCLV)r1V$-{R9`rm<H?YAC*ez~W_b~bGoKyrlECQNh#P^1Wyk;4>X
zpU{ZdjK83Px&-vrgCGx>%$@mITgwdcu96n^us#Sm?SNL|UBAhCYoh=HUsthmABa&)
zK<3NvVFR)gP$<)Q-U7<@&<dmorE`!M9v6%<Q^zB!=NIXzwo&3s1YkP1Lfy(7(w`DQ
zEuM8%Jp30lftVVlj12&0@e+_2GlbZCnE5=BbN`CB3)3becjwi?tVKpEClvwx3B5GK
z4Xq4@-O>K%-+MCfhRkUOh_fAtNQ=QD;3J|B<4#4;2^?rTcLe5$s(O7JG|L5`+ed^6
zqq(<``!ayxpXApL!sAbJ;*uW`-?Ft?BsnhrU{onhM5O98)jTth5Ediq|GGXy{md41
z*F9p6NQOH{>{cy8?8`!<i5}pXRto&VyslZmk)%C4LHlE$1xU`J4?yBuFF~%Ski1>+
z&Yi^NyHoP4l0#mTQ*!m$YWs+p4WBES63rhU{CQ886pHjJ_dv13;Cr~LXXe*u5IYwF
zLNNp;b7SJuz=`NIti*Y+_qugTSV2ZOpzH&zDTJP#3eZ)OWHULXS|!jxhHres^hGe7
zZ3An>sKVK_w`pj<Sui(nlR0KOj=V8oI^~EWrv&c2Ils7*cY?-ZSOf^>Q)C~qb%nX>
za)8&^k+lFc$>K<6?0NM$pc@t|cg+L4t^_+@RxgO@^xgb5>Ck-m+|YG{TVNoD_#J+0
z=z>`^_*^;3GzIG^BEH5s@P?3gWjo&D3|Y;Kp4FROxkk+bh8|NXo_Y@@eP$6!#e^H!
z1UObLgb#ohj(xYvxnh`pU4T50pL>o^a)x`3&I=e-X@dcRH3AADc6W~M29!*qZzaN3
zN4%UE0fALX74JuAfXD?O48_MH?4Y*e`!vJ$Uk3pKHH)F1Y7xzDaW#}9yg7upN5>v!
z9l{gz@*;5Z6OtdroxIT%8I9bAQ$9v5x36lY%KDNu<Q2X%q}gDZ_}HF<m(vxrO=38p
zWgyoqA=;6mQ-&3Nz^AkTZALEnH47Ited~{qlQ<4ndU|^3fl*)h=`rNO8Ax7Oxu<WK
za9$(U%SJnE4Y&c+Ax3rDxb4sryN@;1$VEGb6#(&^$K2)YQcW8s+SpI(8MM*PO*?EX
zh3f!=lKD{8P5RQO2+uBbC|v&`zJ{#=xd3WjZ6nh8QU!<_k}rSkEBh=Kc+Pn>v7tV(
z>P&7}QS0lhgAxywI@SMHhy1ga2vU>CjO#KNc>42m(Wu3qaO;GmzD{Iew=1-U;rdy}
z3;g>g<ttwYts-vBJX)%}M4pCrNAMNErHTcvyP_HZEi*yx|3OH%O-8PO8%9Zhjbg`>
z;KrW-OkE>dYb)aIpIiTc!9n1jX>kJj64m-BN0;NplRQ1OlYPpu-%b=)8xgZUEVd^O
z!{knBKABcV_qs?PBtlKyU`lCimFyC{0%Xh36@=frY%8D0Dsj_YJ#82aEt9QM={6Qc
zS51vh4R)1vTu4(ap29ah@4$wIR4V><2KcR^o?a!&=F9Y$J`}5yg?qWI0JXFTux|G6
z^XkM9T?}zx4p-L)p0f;+Mo?WGHUZ|p>>6TFVYtN?scW5Z_m1un*p~0FLNs_jPfX@I
z2>aQmOfC@wFgWk{6YQ2@IJ^J?W{FA6wH=+Cul`{)wHb0+ktOiEL;kD%)N_U5j}o`|
zn;m0ss=b&4f4pgz4fYN})nlyq^j|KqKtBuKU-Xgd@j~EdnzV1tr#2;Q-aVz4tDJS2
zlbAzjjio<6Bk5U#<my1f6A|OKBXehR>uHDY{xVRn{;dijMOyftw_7pPB`n&gJZ$TA
zkdviH6^Q23UIskV&NG^q({0H8{N_RDm37k}#EI{H2oEyoQS1Ui*Qt6%kxO0Ki_B93
z<Yx?ZlPGyZL<V7k4jiO96?Trr>pg^3@!YeK`>>B+&c+2bo8&I^xyobvFb2OiH~PZJ
zouqCI1XX_#Xi60(n;huQO>GkJXC`4@?;E31;yJ&rVR;898J>dkis}V7#U{fa2>!C*
zwpwD=+0oQg3{(xzScg3e4HkJSKsl<sZ7PS2n8|N;YBj!IA^l(Zj}RHpUs9`VBxgC$
zchiT@JOFSo=SX#akNh?`txeXwS-98_(8^Ho96qPut^9@_tnpz#${>m~DWcuGr=f!v
zqTZgPeIJ<J0T<;Q_qZy^9%5W}SJ2}UA7@V4_#F}74ZIhSeN#TLvYa<cHfQBu?KXYY
zG2)5x0dxeh3=BA#u?-iMx!z>`wcq0Ar%?}r_2tV#BfbPG)KluYI-~D&W}R^aoDE~G
z@9Y+<mlX-_T5rwb)LkKMjUz(OVg(fxVvp3c+zSu&KAy%S)P5yNKH!8(Y`H=ZwF2tI
z9cqP`L-NMF=Hc5Oc{Q6`onFa5hOHh-WJ?UqR2bkpM`m<qeu&%EdJRwM+DY5j``*i|
zTDmjsdohi<&`K~^FgHK@sBTe92U5DYzF{Gfd$^0jjGo>LJ-u)U52t$X9`RNJj_E@e
zOKrUGjYU&xwmtv;aUeYtieuN}-t=0Xjq%?{{@fz2kp>n_LR+SA1D|&dh+Bzw%?j)f
z9S|LD(4D3Cfc;aCdM>||F+NRNyk3rpTU75v>nfd+n&6E~oB07GF%);*?&%fVzUWkE
zOMR0lC>v_S1EE4p5INm*!MgoxEwS~T&Nq**4%Ln5)04$ryyaZT7r#fAv<kSu&wx^@
zI4k$c)jZiWEZ}s$jb!@;(%2Oz9lY+G(~%~D_(?M|AArnzLc2wC=(+1m#id`@_iX}a
z^PSAgmh7{>w-0HBufWNKoim@6n;1aPnNsGLfrDs|&^F+_9QEjlvJU)r-H56DaI@6_
z(#yC1_4D#0czX|s`B8bvn$*64%rA3RP#|nrVGQJcpMYX~WVW2nIFdyoQxd_|l`BaX
zsdSamtTaba`&(wi1X?~xTRwG>;gZ}2kD7OzAA9fwf&7_|=5N<dkPia~On7m5t<m+G
zd8grx$vDL`&3@=UZ5o*Ys8}RC_KIl@<C6$KIdRW&Vm!R57&CyGpbPnS-QaV3f?5ho
z#B0;aiJKp5d=w;<Vnh2M89d=g4X6vA<NR$Tso!2=y9$${IXcvTbH3`7<y{$X7NY;N
z3b-54>h1kGMXxs-Gk4S@;-<gkJ!}>rwKxC9BI?XG=Wb{IL0Yc9GlduZ1*|8Sj3(R#
z^(|+J5*K>XIZ`*@I+ghStCyh1prhE24}5i(hbQncH>CPVpA?;>R&v!X6Bn5kj1JET
z*yMy8pUnEJZWIj&(<rsNoIXSm@0>aM)PB|>G{7pKlUC_d$|(TZE6-P-S3FL?eKGXF
zx*`du)W3d4DM^mZi7)Nt4r1|pZ_Z`AWpV55K880HGHkYsvj^q0{`|P;o;$cm4iy8;
z|LzOVtf#218YhJgJbk#iqPbQeC_*O3pXx9^K8LhsRF=f|d~SOPzK?Tf&G@~feq=or
zGb4K9JBr99tiCL;o^|4__4}hF>S0#eY=u|<y|Uo<X0j_pHzu3$gJS=yFPxCaMn(T>
zQ|{r~oXyLti;5^vfVZ}%p>yK?eZ&_Cf5~I>q_$^_U8j$%4qhkY@XJv7)&KGIMHlz=
zBgOd0-1L68-`a$tg?=(xo4MCgTX==IOj3M`QT@U9qS^}f2;49mx)_fOz|8zHubfli
zDN{*Y*)exzqNMDEXwGgI*4`(Hur$OVU)aZf^7!w~a!!UXG{<n|M*r`=aFw`>dXe{9
z&f#6>)-T?TzGDwa;g$^%mqpxf@4&Vv3I%OHc!n}<fk0#t-g$wW<KbGvJM9T!xBIg_
z_n|%Mp_W%z|96w)|Kr*8uj$P~1@q{r^}Nj#m5qdDn#fnHTPqFpITf<V?52=^|L5#J
z1EZ!&^X8GH>Ol#ToL1$YjrJ|ugJ<r01WEOb_a7x>-}_^Uy1?pTx^%y+?vd(2N>)ie
z-9qyi`~E^PndwihcU?cVP>DhDn-hq9kv(5S6#b_^YV;S>zKA7%@1q)Zt9DfqnxTCm
z-|)93DMj*?jPxRLu*fRv2%pYr!x{Mci8l|<C4f4n9dtO)oX6^1>kpr60Sv6i1BC5y
zkXb2gZTy^sI6EfxxYG0CZOC$3pi&lln#FhPr_~F+;>=M7WxXP+&fNJtt(^N6zVk!n
z@A6G#l?pz+f4TrAS0R%+(i3{bj5D@9m*WMDPxWSLCxC&C0vKfQ7YlBU!&Pl9ko=v9
zJE<Li*6w`^v_<pdt1(DlR9`qg@v&wcIA(nC2+t$ZYM{-Yc=pR<m~@+h;ml>YAv95g
zhRuLI*IzHYNw_($C>83KrM>uvP~&%>?d$4q+t$|KSc^I*1e!6M54kCbTlzbY>T3^-
zYChAN=+DA+QIJLd^{*c(BGNwrJlYvoFrfR1B03CeA;S6NY@lI~0w?<8khE1BK)gBq
z?dVA@g5cwZl`QSN_;=5g(wDyj7?39??mYtj67CNp=!GxxYGo&K4FH`@0dZomu<J+`
zdk4-a?dlWIHIS2JQm#z*-o3H>xfTAv<nsrPv5<Tyv-o^hZ=VaV-lOXRd5N|u&(;>4
zk55%o&I^IT*UGj=8_*IgHr5t1BMvj15zRSB!0`YzLW#H6uCf_D$2MfaH6j5iu#jyJ
z&v7Byz<F@qq)rLY+U+D3UjV;9fs8f*0t1Dqj+B&~ja$WyQQLS9r1k<;JBcO8&f5`_
zCPl`o%pO~DuijGwnBO-Df{5SCP@J}*M_jgHrPd7x;9|Ohtf(DkN4C)Pp)QJTpl60s
z7ir}hoB()3;!S(7wf2*Xhkru-U3HyF7vDl$ho@++vXE9L30o<G;O^?3V?_#MaBAO6
z+^0STncTI0*Tis+3Cas04(2^^0>(z53FHOKJ*{#2E%1V8%*;dX<?YEe)F(4VivTuq
z2?2gJv_=6iIWFe*S;LenSHB8h0CqvLWbq*Nz48#bDR&8GRvYBlSz8kBU#=YAh~w2%
z{Pp8oUhXCcJwJid^j)x|&20Sz_5*nh*X}_*{6)B&`H1<w#xmc{o4t9^`B{fBs5D6M
zHE)&L_h0>aWbR;^^#RtjLoDJtWS)!T%-&(IdDaRP<9HR7=X+k<y)*WR%+qp_>B8kh
za4W<FUCk_*sty53r7aKfuA?rAd2vVZPPSrrKYWF(&@9H{j*Gwlq8K<|tSp0|N#!NV
zSaGymqtwyx?5Wcu(K!TVRr6x{G-kOX5T&6~tq`8KI5^<7aW&DCnh^JiKwj<=w{wAP
zCT>hD*y^wG(@(;O;JnuN(e+#023HD{oH&uubQqi_(o^LjQ)8E}yywfY!1c#IO?{dh
zt<y!JRLa(Ya9xCe?{WO56fpq5&+qU)rSk<uVRb<{ta*%yjQtVi#F!i_0!~M-(({{<
ze!oS=pz<dveW2Fs#r5ugOhNCHe|YiWU3>Fw6PpuUBk1m5D>K~Ww0u|mnYlX3Rv(A3
z!~&~CH5A8_sNvL?FTJ@AyMj6imG6EGWl{*p@w28G3(eVHK345<xCgZo1z-srsRyb3
zH8MY?cs_Lxsl>Ws^ddMJus4R$C3yc_YK5B_p2(4YKc^mQ%%cBTW?%2c0O5JTUk)ra
zTjlIAw<a2~gcP&^=H9V=X$R$woj!C`Fl=hArXdVx!dQ!VMNs!$IUVddKa>>wa;+Al
zBl9TWrFNPeS!)Wm^v*3*-`Y=L9%apkF;gyj%nz2TNsvd|g!mVPPkzGBn=qO6+sClW
z_iPLL3P!54agK+f%-b3E3Er8qN~5k7r%kF_nfaidkT#b=9+ZTWW+=Bm`LB%#HYKTO
z6samv>C9t!939sS2!xd`u0J1RkR^tB(iS$Jz9Axqop3|l(7AbkdW_7H{XhewdChg1
zh(mPduT9=<!antauQVLSW)GJhi=8=|fyM!KvqiFDrH>q4lAp&A|D>)1EFOCcRZuR8
ziL##p`p}i>h8s(Lpia;u3u<8sVA~_uHk#1IMmRbLa^19ef{ae$g<CbYG=Wi%?%*u<
zvK9o`XRi56Y*23wWlK)DanuX+&!m)f@TE>T980U_kX`%_7r;=bIS(@+?JX;Ee03mj
zA@a4Rd9n1{CeeVrg=GJXklCx|W$ZM^9-0Wef!gX7i$b{PRNbN!Lr&B0zIIONE89Dc
z?qj+{^jy9MD=u0Wu}aL`=5V7-$_8-qQCpg<C6kb4%<&MHJ64C}&JhnAqs=wO<+0(~
z-U=jREXIcr6`CTE@~L&m)4s%SN3)xXXv_#6$i{#BIEhOqztWGTf08N)5K&L959~Rd
zo@Dx!cGb0hNkG~E@Q&x0O}`s@z}e6nneY)NCo<IGHbZugi~!7l$vdpWz!}X8@u?U_
z{y0;S6AgjP^iJe-r<ApQ*t;CT#YVA3_PHS>d|Y4qK2XqjGcow_Va=B?`lm!H_p{TJ
z9#H;e)tQ<jhei2}GF-3$*-f<i0j)Ax`r9ombxT;~&%(R~u-x~f7|;rsRao@OKhI{Q
z8CKyx%Rf)iHF!py)jDL>>zHj#*R*Iyz#V%4?wTs?k!K5iBBsb1bWvlWZ7?BnNW}@$
ztiEfH0W`uY-bM^2G_?dt#raq-rQlhli2;P*$$6dyGE#5xB5H|rHXgWeRwoo^IevaR
zjCH%f=k{L_Q+!}}YfU%xSJq<k>tkbQ{|GNQuO~>2%2oDB6qsV22)HKcBk1h>ZJNTy
z{0%;*k*cpc$1BsBRig}xZR74=ev%k^m0qmD{whI1Otn(}0VZEMygpWefJ2jGo=d-#
z-JdFWqf?nEOpyjNFyEL~u0ktEul4)aZp~{E*$-j+eNnx9y;&#Nj%#4dm*COj-axH4
zTOQZ{PRD@t<N)Rg<(5$4-TYZff5W%(Sb-lz;jojHlmv|lv8@_8uYn+&4X%>|(tXIb
zrfE40m`bkD+=5ehF~~|a8f%iQLuN(zLV~PAtoAkKy!rt!vu3*)*8R()261nS$LIs^
zN6E?fVuGx#2w_Q$mp0b6L2sRtDxDuOmAUvj&3fuRk6HB}y`#>J*6X66(d7GJ09*O}
z%PZg{m+@w_Ak?eCw6W)Ff#m^pDPld>QWNRX_O|G_;OdO*Bf>8Gl=_{iIpg1(^z%}D
zkP>tM60Ns|DB6n?m>L9UO+rYzD0BnMT_>-$59c2O#ANns0n8OrF@igqEE*FKDjDD6
zM-!-ErdA2N0iSW>RV{);OW~{iE9gVv$`4=1b1-H@(nyFwUyE2B?J-8(mOeTcUe8@6
zF7ci(H@hJt&Ms%5n0H{G!-gK!oO3>@YE|$WxD_R29sk^yK(QEQL9|R`ZjdBQG^OJD
zmZ{rk1aZ!zhbZcKv~!agE{U33HigsM8e{o#8r@E6c2RVy68!K+qvZh=>O2Fw^kP-<
zzX!gzNn^Ru$Kag|`nC_H9gPoZq%*&RS+8#))=%}(wTX(+*3qq+)-4Gs=g0J#$`fUq
z^c(LS)m(iLGaM^!xg5ZQ;L*}t<P^cT{|f1*k5S(%czCWsZb(#vM1~`NQ-&yO8G#`g
zokE8%oKp>hDMN_Yk+dh$*D-RfH<>W^T_A5?U}HH3ue8@Wyp#A7_$gVW`-t@!A4e%@
ztp(!8Ew!$kD?}akqdXvdz4g?=LY|1j8v*#6_LioG;xwotbif>K)_9VkSJS4}T(Hju
zLmG3S3m;809jVTH2H5x0&g)#amodNe%8mR$^>w~+wu7h%ojY5g{89w>166$%@-B*g
zN1f?AQ<x^^gIf_+B&zNgx%dM;CX)7;F#EH_56cjR2a<Hf8=`I{+eSQFK%>+bW~FOS
z42Yf0)S>*>8FHHy<;<vl0q^H<`GMENcLiZS)afrO#@Ll*3i22O(;zA?Ghug0NtfG-
zn>6Mn@34<O)OB#Z;rMx<qwSXph!pEJjdX-N+-j-HynE41;9rnC?RP!8OCgWGcm<^T
zSANL2*A-$3FLZ8}-dMKOq*G0o55DgG$|_V&qQ|cWv)*N^U*%@{IX?T2j%qPh5my{x
zoRF%0j02r6IMOLP5q?j098AGTqz{{&t{Dx~_TF>*S_(}Z)G-YClT<Vo><M`^ou`@n
z_n4d(89Y{_uo9hm4?8~^QPC6=V0c~gkF|y2L?<d^x%)Wo9=dBb`{T2R;DaOkRkG_o
z`AoLO@p4e^Yrk1=F6G+h%O$Ki&HiVJKR@L7%C(+q&eK;nuQf7b+_Qf6>kH`*qVKx(
z^>&iaEK=`exABSRy3bzEDD0w4Y*c=iLviP2*@_e}@$Dv^d2C1d%E9s?OK<$Z7=_Y&
zv`v7-_hg>FBJ%ca|EumQzn)lXYl{auY@B~XwLV3k?uj)lrCa&RaLMR<gvf8m)ooIL
zrQ2yKmue=SzU6p(|Miz8r=D3`*St2iv-%^sSq?<IhktF_J;d1k4*gO8nb<#RuT?L~
zYOOvp=kE8TB{$dQlll+q;NKS*+apq*fg7JhcN5X@Q`;Bc<Z}JEO6=Y@!chsGdujLy
z{qIrW|HasQ$79*Q;p35AblYT;6(X|tD3z^*>^-yH5wbTSWn`3<Q1;%kM+wQ^lys8@
z72$hc8o%eWe&6qZJ<rR1-`DlN-q-s)&*MCf;|vTq1WlHHgC_Mq>4X~|OsAFEb`zI+
z)^%thpUTNFwfeV5lEo%B^pY*vO?#EpR?XVuhp0VTxGp&rUEk_ssXHe2`H9at#ed*M
zP+X%l5y;4m{#TKIA=w`mFwuv5@;&y)1S6xRo}7)L<Nw&;NRlK60L_;k*K~?oIM)+t
zjrL<77^!XK+2$W>R7QKovc=Ua3;o+=VX;5bsXWFdB$9?hMkeM-M3?Su;1Nk&+OL3Z
z#`?(OXILcDuEM`w*Sr+gvuvY#9GB`lDBmfD33IT{$M`>cXg?ogwDX!D2k!*q(+7g!
znYVTGssEDf7nQULl7C%6q<FdskcWHt2fHe5!%qnIRR6Q6znEhnL4fYVNX$M1AqsQq
zU+?V*VMszis4qhlni2O%CnW;h!1Jxg*gvNytSF=P4D(O5q9z=xNc^`OJQaTj(2_Xp
zpv5TVN5ZK?D<(#0VY53i`t2p3{FU*JNd6l(0SnIz%T9zH#e*Pqu<V`_qaosg*0BTi
zK(Z#>e?+r8eI5_{KR-vx2~RlZ$fMfDUr$&!*+?yg%}QiDWR{CzlAN2fqT)ZUjSzqk
z#!&o!y&vw1o@yb%^%N^=?y>*;%p(LW;zDs1d;NOGqgJ})Z+lYn{Mp{Qp;P{KcL(4M
zAO1Cs*pKahuJYMk@bc&f(^Si;>KodPUas$<Dz0>%lM&prQU3jY{{u@-v3sX~T+{H=
z@hU3C!v{sxLwc5|%?XU05j>+nJ1^>~anp4$3p)i>zienjM8}baOW2Qb)XkoSyw_>`
z$5&lsp2vZ&OE{WAp&LfRa2hC9cfpirH0RAo3@sMto`W^dw!0DfS!Kf5bv75U7w!c@
z!F^L33WA$}93+5)s$NlyZsI>-io<{7Bq2}P@Lg`Lpk)sVDSa(Lio;lyX+1z7_TEIu
zfMWeAis((1@*VmFpoE){fQQU=7`gS552>Xr2Q#JhGRz(R^VYRl<%Z6%JHBxiB=<yO
zX&}u_5F7MW+KpHOul_So$uB}fcp1usyAOmN`e3qNF2F`>5{i|GgJqt>SaG?>d+h?v
zte_a0vkCx#*fs?=wo_pV9ZVKVC8l{!coxY%)eT8S$6)_?NdjXCTs);L4&nUl^T<KC
zFG8;S8!XZ#M>|TGRN3o*%pyh#EEI;pxY8SB5i79r)P~_JWq^5X$S+GmZJ!5O^k;Be
z>Dydrw*s=;nhozPslb;K1HK`vv1j|G#-tl|-CX~6h{As!K{jP)U}~*-1VUoZxW}un
zy|cZ}gIL2ny<T;>%H_-37jEDx)B}O<$#!|L?btH|(K=8_j1ne7`jH6q;$G-}J`pK(
z2HZngI)_#`et(O<bM8ZSfAQE}%mZoY+pSO46qUUgvB;sqTEOsU>hhjKabQc_{uutx
z6US5??q8fuxmbW)mw6JvGL3zpTw9d@N~8^_6rzFLIRK&ryUok=&#>VApkOFbYJgFE
zmq3G}?!cs;i5V};VOzIm?}b};cB|5BxtwhDfp3MO0QJcKN>-Q8&&vS-4i1(Y6`)L|
z@)csg{l&oa*x`jfT}DwN>Qfg@y$)mr!XE(BtN`a-m#SrFjfdN$xzRLd2ZrMC3>AZE
zmv+87Lt8W2`}4Ba*up!g%I_aLQ_I|$^tt*fLCO!&`x1$D%E>d9lU)uN@<;ybLYBn)
zEUjMKas1<CyErt1+qC6)e>MS@I~@K4wBl}|6a7Ywwlz*O5(Qd0VZ3^!a)mlYk4bXJ
zYh80B(w~b(EP{j6wZ&<8nR7vdQf@oMS_kIt%P{ER+U`P`mvZYsi&K?SvQf=W`>hf9
zSz1yv)>bc)M9~TAE+LD*uV(8p_`$|U=^dFiJlCGa*L!|=%oo=w!wtB?U2upk;H{?@
zck2NkN1ic5_gIMtbMVHqcW#)duqg^Y9TPOjyjkX@A~)9GaHe5)IJQ`LN3_2AgvB83
zpxIY@kKGQy?mzy;?l<ouFRN|-j$4h-Hz#qI`2a&O2f7P*XUH>vq2eWCuzluNUZjoX
zFb=8m243BBNX|affS!7>o5&`2z|kG4iyM4oNu1`kIZq;6tC#v6@)FiRh+L^M>=^0W
zm*!q1H{@#JepWErAGH#VS0^&fc|UhVB3A8X{E?;9Hc}4kn0Er+iGF{eyo1B2?)=^D
z-9Jxno1}f>;C>CW;1B_i4m1<ZU^QtuHWR6-)NT*0Bhl{&6_SG7PI`Z`<Uga5c*R%e
zWkbd_5}{1R_1PZJJD=#qlPlVPhk!?+$Y)Bwti1e{;gp<dcp#wsl6Q|zJUP6+J?5Qe
zgQ#1Eg_QEk6^y{|-?3#uQV5K1-Isr!<w7b47hbMpZMdW?(Q-C_oUXf~o+(v8656*q
z|D;q5Bs%Q?Ra5mQ@fqmVTh=j|-LdHx@H+bYD{EDm`{-UmC>F1cS^M!H_a2+xuQ;<H
z&?VGS4->JpkWHa}OBum}W9Y@TL8i1?Cwq*7i`nPfhFV2*btT|`nZBPd0VH(u@%luw
zU&BC#q%Q1N4mjdH!^SejTon*mT7h9*Il#gfF2vBVfFvLZ-jrTMu;BgBllHiU)CcoR
z4SypgEjhFnv^+Nd$3mIKyn}w|8MSo8VKmq4)8a5F;a0i<@Vp2cRC=p`Wl|c9sIXmc
zK;~O+){a*Prcuif0jR$-=X?h0)5Q!4PfPHd8iorwUZN<%BExT3Te{-|3s*P@pvAq(
zDhHoQlZ-ByC@$eWEb=ESkuyiKv#8_E)879Phd*oH92fnBd9@S8rhMljbPRODW&m;E
zv+BF2weJH=FDn2++`vSr56CGv&u77W@-%3dN_Iq*ijjhw`6-`qqaL(1SisBe3ata&
z&Am@c-TecpLRO$5*KYRpPL=R1RLzvqkF-NA#*e;vB!5)D=~mTKlNRF{NtmsGv_m>j
z>+x6-K_7T@3Ufmmz!+E49vU2oAF}<?q%X5B?Zlr4ga&(HtkG3z#K8#}no-ycI3&+m
zC%9(&x{oksfOl{Ao36;K8tuHxy#PnKJg^mYc*C12XcYypKQ*XZec;exs2|@}lM27X
zE2;D+RYV<T@Sj@$$2$?umnrHz%L`);La!ERp9d)8e%40>0)>vb+Ah6<5lqNf1`|6i
z^EWX0r7)>-78=V45?_Q7j_~VG=GRrxaphmrD>V(Im%VLxQpEAeT2O7ZRX^31v*FP|
zKI6)E8w3uEp%Yb)bVqF#x9s1l3Zd>dNaoegUXxFn@!$W#wB=6_`pdZvJdBiId)6{O
z%!-B1xNrSRSy?I?(N-d%?`&X1WL`TM%@*1Fj9(sK6nES=^Z#A2F!SP6Mxo6Ddv3=c
zA)rYmHXfeOZBv<?oyzuavQdxTASE!6QuHm-DM~tLH>_mrzvqcdqCnXpMqx21s#vM`
z_GE|<TRXA7^OK{%aF~iOtMNa$jYM;`^OEgvq3?9{4P8e|ES)F^#X7_^c4?pOtGko(
zwjry)Og~o#qaLnq&w()@Cvs%N(&ZU2O8RU&{($;9*Ym@h%W{q*k7LPxCY>>QkY$UU
zwMgS<ak$Ds_Xos>WhgiyeTaU=@RGFJ3+=pIVf{D!Na9pRqR}T`_y}<XICpD7d+Evk
z9lwH@gBbc?jex|k`CWku##b#1+s?0VQCE9~UA$K9sLyUG|5f4rbX^5zqC$BVteVfU
zyg;o3S%(ukJ6HORAlWP`pTIj#0|So?YKqAQOQ*MBkk%#6NwWgJq`WTcNd$kg_vUNn
zea>Cn6S52MDR~qcGMg6F2j?y^Z$gLXqSZiWGQ|BJ0PB<0E8A~-)l#cC#F}$VB18oH
z-e(CQ)k9{P4ug*KRj3a<FAoy)@ITM%6qI|R9SLPK5q=2+t8*+E^r?o9ONzBK>IY#{
zEm|Lp#usVzEfE08$*=+aOag<2>(gcCFUGbDcM`KwjC#jBTxCCc`LV{s;*GlRi_toG
zvtU^AIuot8VNZ`Sjc_W<&T!=~20nz|;to*oGC3w$z7PXTEBYh!xK3A)_`H;-QR0|~
zq($d3(}oFPUlKzvdrpQNiL`2c(ydy_qm><UeeKx7XQ1L;^O<Vf23=yVUYU6o(T~zj
z_b2J?5Wo%(A-M?1?T;l0#TIv1zozBCKTv)wD`!cNyM3bF_FGiqbK6~6$EFh&QWm}3
z+kT3Hn&C(3;;X{$CLCJQaV3zLUxQg{IL}X#6bfv21-}Yqe>`qL^8Dm>sAA;Y2uZ)~
zocB8hPcNM9XYIoV78;Tfw@}NaKdI316XCa9ADss_Z7ys{w=tue1xJODp)>3>PSD%q
zbLbSDO@NtuO<&^AhD(&DQ+-Q|L`$ME@zBaF+WX|<c4k)E#S|~35y_3NvM_Xck=zd+
z|5IcWAQcgdtEI1KOmgq{7RAY#9&~hKm`g+EK5>nI&YK1ZM(Q@5^2hbC?I|LR#B{cy
z8LPEBK%0uzQ#dws3|C<s7QGlpn8LDNJ^=9$A8n%$D;U*FA_^ql?dgm{_pAXzP88Av
zOkiC?beOG8C2p!SykbevhAr@0-G|}c?70gR1_X9oVn4C*Reu7MsgvLT{0xq~<)*xp
zQeX=HCt@p*?AUWZE3;uzZ|Wp0>p8A;z>LQ#c><Td^dTe37=Zzyg;e+pW$vx+tdYDc
z<uB4Mw(?-dxR+cUAt4k~fDDC=W=}UVK|g%YVH3Y|{M}3cXI9bL?5&p+3zvWTF^NQV
zzx|X#Z*hrsJ6K_x=oleRs$9xL-R?UKi9k;-JT8G*N>UA+4?mm9XCT5JAE@CtQRDm&
z8I-x^o+CFN%oQ<W`VppKu~$-_zRE@G{=PWSEBtr^>-nhMA|`4Ua+C<tq9)02HTI@9
z@<?E(({qc)NT+kq&GD;H{`kHq&|MK%R$=!$2&2Ry)G1&-k5gMQaHfUPJaew^x)khe
zxS*%VJg$~5rUmXwkCOUX8uB3Vw^#Hcx_QUU`us_PO>ZlvTTgAn75VkPLdx{PLZkoB
zH?kjo;|<Fxcy6$7^K;sz?INr<WRiLpJT4KSF9f=bftsL_oVK0z1x9C_Fl5(zCH9-k
zcn6(xV^&g;x%cU48SEGvKa5@K?}|5DDInXZr|Cs<pNnM5K5?>tSuO^OT-|)BuH@-D
z_oAlaQp?y-oS=&VgGJ1@VsE^RfHbg7{!hG`$Ax`otog>YeViOD`45ZYjmW$<eB+em
z+_qzVvy-NeGin;`UPxm58hdv?NSfws^+G>%y>)D8p!wSa!S#g0m-2fYq;&^BI?&Oz
zoJluA0t?`%Y^^>0KFsYWM{E=|Ud)k)x>)WsX=&V8T|!4g{#5I~lW$BJvGtnQal;&O
z^^@nG-yAw8WMvf6UwDJ;`+*}h@4J_dbt2n3u`?R?2YJ#~y&Fmh1Ty_rNJRcXS_%+z
zjd~3GrOOoFY9?;D45OU<N01|0)5j*F5BiWvK!~%h-Ba-WDVQ0&=2|UD3Rkfd^k1%G
z();gKOq|p3N7D)vX+#FxUzws<*H#!v!&V4r@jtrAC6WmADKe}LMms`kehw@R1Z=>m
zsJZY|wXpF9?K5$;fJD6f$enzd?{B#B)fXuHo^A^F$Dm|uG+O(T6)4s*U#yAu*<0sY
z_P2-)F8qELW=P4cIvevoy3E%O-ZSl|dS^2k>9l3thf(U?to<ZbFgk1P#AVE^=>n!o
z)@MbR``oqHTXzkM4eOTSjLlDlth0t*!lS1jRB?p1obl7trzg{T@%|QeIFPV69FgQt
zeSGEhr7&%mk}Ut=4-Es?oxTh2e{|VSYPuX6P+T^s+OXV|*RR}L6R$hTB6l#E)$Q{a
zAh-*);Te5xtfo8s_pv+;@4k5KpNK>Gs6PfeS#N0fWB2p}>YqQZzbH30UQ@oO@H)AB
z?Q=r3S$ClY!K;?z_<!RpKeA*&<rnCD3tkh<9Ub{vf*&s}LW+Q3>#m8mFT-&>?)YUg
zrWwkue${g0Th>9t=h3U5jQ@N?pe0~_DoOWv#_C!O$V^Tfxu!dx&hz(MB2qp{_E3xZ
zgNgN&c#zn+``^tlOyX`z<p2t>T<LJc7{}bUtw_c~RqfyEeRHCE)da!De}e&mn~-%=
zyD@#q6PzY_1CUwTeE3uvCPN)teoE6AZfPlpxjJ>PN|AZ`+XcSN_I0)GJHL0)PbBe!
zpTF4uUHd)3g}H0l2uio}hSX8-5h2dm%&nS<TaRn^MSSQUYkerG@z^rR@!#4F;QRB-
zTqxw1`Tzbh8u@Z{>Okf$p{b`l*YDQQDKW9nNg7`|5XAe78aFaSWpu3X<c-ZdZ8qN%
zsvkZ>J;lhJ7fC=yU@lehV*kWz=AE8{t9v5~J7coVrYe8ZfdM2Pm}p>qjvO0$2-Zhj
zBRU~zgcC$F=vYx~dui4Q<#*5bqZj*LKh0mHWHSifa(*s{%C_Xov76EY&yZWZ6>yKk
zgS@m^=fOG^{@Kh4>nW$3P1r(A8B*TbF4!OSZ8F%Qj`nPlJ~z(`@Q;K;Y}Kzb1Gc5o
zeb|ukKAHUY7tp0=4%W))oSe&V))T;b<-B?eS>MIBAl#AA^H2`t0rW8p4geEPJ~b3)
z4D}E<3jJ!w)OsfXI)(v<>3t~Mg2?!_%Po5=cl{wS*TGCgvakurY<XcU5T&8}_f50j
zOzDRD7T~q6?Z6n^%izGw7y2YM?hhpi%z*lVBCKB2AQy;z`4uuLfOlf0a~1{gk?6BW
zlz(?$>ET8>@n0U7JH_O2tzykAg}a;@jCSB?4rwjZWhqIh_6Hsas~{OUl0S{kA-OA{
zSr=iL!t1~Mp<@N$T3{UM^}P`m?Y#^g06kaX98jyAs<ca-2FrlHH|gT;xnRMO)IKtx
z406l+NQDHmR!$*FBG=?XI5JewYO1l#58Ha*vjw;EFJBFXi$tFdtLCd=Q*8*I=~Ua)
zJNup$1t^6=8u8(<zPn&^QMj1`CeG8~1N|9%F^ggV)N5}^J7<@TQwQ{{%M;~R8pk*l
zD~kY^@dd(lzTX{QDa%Pe=mwtlIT17i)mk1@w%nnQQ{!MnBtI0zNkErTq37dI|HB1<
zh>ojZ2Hwr1a{z5#^?Q-Ph7a76)dv5>RR0-gEWW>ImQvv17D@f@Tf}Q<1GH0@pZI{0
ztrd)@v5(}1_PHl&T=UISeKxpSb(+gyjmusIdr7qcFPpi13us9y4&buR19@^1(B1Os
zldNT;eo;dvO3i|=PafOl`YtN8u8j^X5`FMvOlRq7`kzq2EQq`~)1$rx$7_N;f9NL9
zxcH2u&dQIAp)o0z{Yh#s#g>lSoF?|>laG1FRXKrLKmMr?Rlezu5!KDTNXkChnG~}f
z-Yy(wOU?8WOsDQbI-DPg?s|v%j1()MSxDhpelab!KO*JRz(ZLRDt=>LsA_=Yx?~fV
z>hCx0Arkxdg5=<WaC`I%&fVv~U!ZyHrSu_CJtq~M=ZLsVKhU!n`3bbaQ=>|l?ky;O
z`d}m;b9Wq*ZrY2nf-A}}3urHQV-S<gq8N4&uu>~{;XoKt(-T5So@+alJ^VzAZOSve
zDu}rYHa0!<%H@Jlv3_sYMvFLsGj$h1JR;Fh?yL4^2EPjXuo%rUiLkW51E;Ps4iQ@j
zU)b-hoZ<kO;V$gjf}Mu|C%zvmF}a-O{5D7L(AeT?zY7bag3`H=o7R(gA+w2T13y1p
zVzd35CNO_JT=mYst8OIgO>RDgR6^CfC&*ovaxYb&5qF-?AdBh+^4KuPJKFUMt82PH
z-=X%Y&KPnbC<7U5sRxR+8>WLjy+)b(A(&=R%ho+xdfhyD7)qRAF7VSnOA9tL5?WOK
zs(|#Soe4{v86nB<E(Yw^MVqe=!0yvD71yFu<IK-DK+#^rUOzsCGy}?^gRo@<XJgUp
zriR&pmf5P1q`znMb5+PrQkr;J|9SOaV1~Npgex-T2I!pU89|VC-!nWYk+)2>1nOC&
zy5Ppjg0#{Nq*sOH0#J1ncF3r{h9Jg=klJ=#ki8x0Fg`_;DhEU--K{1#Q-VhLT3{Zo
z=M0RodL5aFA}@VMCFoI_UJQ&f`^XufjE>$m{Qd=8ZMYUl^!-rcr9;s9V0N7U2rR$?
ziIbvE7|zDbYW9dv^r0dKl<Um77RR3&)TqO8$v%>=k*v(<trQy$h=58ICC_8^IAO^M
z>};cL%*5!vH^LJoW4}y5659h=NM7x^FItcS$H+v)c%5M$AsIyRVm-FCA*{=%PWv%7
z()EglP)u!}f`e3Dw{PdyT4@8!cZSj)t3Di33%6@TYNJTc>WbX*Bp-nKagASxRS=Z7
z>I7v-8Mx-Ft^02wZ3sBRaaD96Un=657mFoJbj7rd0v0AL?hI#dUtyqacn~3s$W}0H
z--EV?PWBYT&FL%|WeyUK&s->?nj2G(Llkom(%!m-4R2g$6Y8htNAQ2jb%dEes#OiZ
zFtP8&fEJ1m&RQLnqdC_hL~7XzC8aBdglWbe<yh>8I{4mqN6X2DFHlZB&Y+jHc}WjM
z-AIYhEnpZX0<!h`uI)Df!Y)CRU{o)7RR*LgDvBKg%3bbl<KfP0uM5^v1A^MmZqmyw
z$WtVh`k>2F{iPiuio%{u*G47Z|K0YHBZJp~9gDjsS!pRxu!pgH42^)iV~l+7HZE|G
zgor3UQN&}w!6xt;S3V;&MB;Oe{W@dx8<^R75%dnHe|%m^1coUO)*^I?u00Pf)1WSY
z2U5i>!5{HA@P|lJ<zT*Y;nio?bqGVlZ1J-M(B8a)@uk#y04R=T8jZ6ZUu*?XFe8|}
z^#PJ5xVr_01?$5+=IepX*FZwJ?Bupuc-7Zqb6&pc9F=}x?ZeI%9PLjf{yyzVe<S{P
zi1?B%x4N>>pYn!T;$@y4HX660>Ef}%S8`GP@nt~W6J#G}+1-FnikMoZP*NLh{#6c;
zsyschYnv6ozt+WQh)YC)N`K%D{Ac#^XV8H|rWu3oDsmc%+sl<gYn@H0k!W!7>OWeh
zM5VyIjR_)%SSiywBOhZ^EnXMV$wJm6(|P-*F|`mAJ5S$&CUL|z?>?*PTND4Pq-TGS
zaWaC_P#ei_8Qxugt70Yf#D#C`6|y4}kNb@ABc2w0PeCqXAKZ#Zdcyo<QkQ~K`>ZQO
zGgb1jfkU=ZjDzTn$y0fk?`zY#jdPyxd2Oa4HGVc};Xx$&J3ZZ&Vyi&XqykNd9L)+@
zhnIEQ9#dKB4+0hcG8+>?D+rJYv+jbl7bJ=a7inI%MT-1Q!7)HOw~2fB@#9;SypKkf
zMS+JWKA#@ROib{pm(t%1b?8V^S{cz?<6np-1oTe&K*#FIUIp_a41+UfU=1|4>|nV<
zLhG(K9F<o%{#6F;{u9WZ{dO=&YkNxp%|LRe)mT@Ig^C@v5Um6P31!o7m$e@ZS<`z2
z-W@VFBgrCC6-JhF;$VSNiRs6~LjUU*4|ck#9SMJ<#388=v;};U^Si^Q8zR;5w>c68
z`VuMG9EuTi&O?ZZ<X(VFIBzYaKRrM(&e-;bSZIlWuS^p3IA$1?aG$aX>Fw_Ri@^6m
z?OP9|Bv>EASBL2uaxvtNt|$3Iq$z&VsbEv{>M<h#W#6V^n#Bi5eELV<?x4tl-L~*5
zj=X{d56MS`O4bgfB4ma&_{8`g`3EoYRR3Yw2O&pud{eU0)DP`coZKTOhdDdm3!R?6
zqeUP;+O2%N^ePfgwo9{(-id2(5T>MC{bFZyeuhZe>(~QwJdI2#Zpb6A)gT1q^|tVs
zCWTNUb^|rrl4Isl`Bf8i8MCBw_z4vmca)#Cp!IM+8Sji)mEf*UycHz8rg2#Kp%9M0
z0^^at;Q>i0_GaZzNdbF%r8V&AFbI58rG2V*FB~;xiTE@ivMXB}w90mHWlQ7Ody|9j
zL43b=Y@h&=lv;mu^LFfMO0)HTDr)rBvXkzmx`DXsV#sv~gJMJRw!1Ty6+hFR!spiD
z3M*dRj?NyLBL6QBQBDvi<$3yXc3ES^p_g&SuBB?e1s<r!CyIuVcffBITZ9|uSG90(
zls`h|v#icRB{Vycp5E^ynLr3$AG7T<LXdMBSx<(}wqYJ|;slBPuuhXEgt8az!GPh;
z_=~U39rQ0Z?*0Pz0ytnb&INw!<25<m#QLoJ4pJ2qg$q6l%aB7Yi9fkP;=^0!Kg8;?
zMv-)~>~EGBAK(LLV_o+fYGHg=^LNKwu<Sw(>j_j%X(|>QifIshYLZ|g`r|Fu{e#=9
zjNOlz8e2vFzt6+32Q(mG(XZ>Xo<44OGq8yG@NG8=?d@YzVV22!vHuZYlRo(NCic|d
zjQa2&8%PK3jLCYHyLtW$Zn20QQcihNa`41Ky_4`V?$buM$a#@~ao0b^!(q$LB@zz8
z<kp?M>*|=Fi-b2Pvyft{UNNESLI%7%Pn3`B{@NdZer*5LBelx*Q<0%K&z0o5!(P{S
z2;G?zIPXNT6J)|kI(@>pTZj{9==qsn_mq1v;G;ixkjg@JMDt{>T;D98Z*qBe+)W=v
zxgy(c`Nh~oyG}oBiB2JgB`*6tPuU<_dCov)>&f@aE9p15p8dog6wiDbiDa46?2kU|
z4bB*Mj=h{yoBjO8hVSI3r*Zszl1RhRomc-#2;u6j)e)zV;5$Y)W8kK`HOpBKZ#57_
z{%UKM);t&U-~xbFv72_2WUwWYTtK~eQB`hC@gbTv;gsn^_{{Ec{a>v)x$p38ACJrG
z+xYYtwk>-JW+pCm6n%w_oj-@~C{I9e_*(=);YP32nQzk*L)=CrAa9DlA2>J*(EVAg
zlkj&RU%%3M5OV~ptAZ(AHBy|GAMk=OvJw_7a_oA>oyz`Kr?7T$JYv~)`D}=P<8$*2
zSo_Ui?+EkNX+U#a#^Sn57+jo<Sb0(e+{&x`nFxHwhK~eTz(Pvss`#_fLB8d0atr5y
zwG`6T#u17YlY^x>irUk|C0A?OiYgA5S-<tc=K3*C_#jvMxe1<M%Tr1=|FOUHmdJxW
zb1CJKkMbDd^9=|@x6OcMbi!|P%ZRH~9_!R22YOr-Wt!@*!@>;vrys4^yYSKvG4D_k
z!nsD-w$$3)<p#54$n_aH@2NU0ARh@$<nTEUTq*)=!@HyeqCcJ`{PcS-8doZf2JmeC
z)l!o&vTNCIOcL=O{+Jq*HgNpzK_cJtyJ9E4(b#!2#+~1%_>J%#Ox1&%zq62l8l3OD
z!*sLZCzz6;u($~Ey74TH7Eg1OP4j^AIikc5BIg^H#k_Bif;k26!H+@zWoXM#{iIs~
zpESD@ACKabTm*FxUyTF!2n;vebk?u5O+YH!e@KLS+>9C*4v>AdJG22s%NejISEFX+
zyIvWOUZ1?QK3Qc2S!d9}3FPq~r(xz)PuD!~hsNS^7@bo*^i53M-VUS+G!E=E`2KJ!
zFm9@k`UEg{#x><YY}|W~zJa&oS>H>{u>tyqq?CU;n*jv=CXeH=8+D;56kQJoHbVk5
zkNW^;PaT#brd(+H4sFAGefN3#f$>6vK0{_I)j*J}103q?j2y9yA`I9xBp}rF%}o%&
z%#GIY^(XONQ7~BQid}(@qH6Cr^rZ7N9?F!vEGQt7slpbJl?VbO`rg`-+5rk4;J2I^
zaEere@8?+QPu9ggiBk>|7z5YI>KkbY)2QjyaVYW;X%J`*d@TF!aYKKSk}?^_0HMRo
ztlrE4O5O)*t3wqLn0lO|Sl?8P;in=KAV}$?y!1B<TlJaS;_*?eM9fF;jaR#^Tt+Hi
zL(fqigiKQOBXBfGhYe&$$<ITN6}9M3v$cMc{We~1ZG#9Qlk#(_5OY<)S;+LES9I&U
z;yn0Sa9YBWYq#9?V{d)|MJwOYjw<M(CL7kdag&nFy^LXyytX+X?xJ0ImD?MPJx*P#
zM25@uIR&|dn}|Toa~}W?Zmbn>tc(Xj)svV!$W<jLO9ZYx{*d)ixgpGUtVoxi(wPfU
zszC|V1K>6;_W^1hUVko_N|+yYrGuwjb`aDas_pGhTRx1HB!ds03XI3hg9u)3H^T8A
z2Kw&MiNMI!Q{ryR5GuRmZF4lNU9EELXMeHbQ2N*l1|PfTlHUhI>8_p;RC3UJx9DoY
zU9t_tgtS1v;_-YF&Bu1hn;TboE`!%+YGp3r(+AHDNeqz!gzVgAanwyci;b{bXKmV(
zhsUw;zDNyBUB1V~;`MPIsAf9~^k_ttQvez{`(y7s-kxCWst{*0UO-f`KNrG7p0ysW
zhqVY|e+GcXJtE4}PfW0T8iS8~1Clsb+0kse4r$&z2I*Us>2S+y$vC(5f5KL~{5p6Q
z{}cZ;;O>8hd7PIaky-&IjrN2VyGqhkS`DQC{ty`<TW;Eh&2;6n@`#7@*F9TN<H}%x
z@PQi0$+*onpgz&TKDkKM-$?2Y<<&F9p!V_0b03_4e%7-XXbmg##X7KloWZ?z(a4la
zHzBC)WmuHl_fx@|b>SH-fvu!)mJOVj^xXlK8bSxVCx*|m4i+Q29~)CD%$lLcp4<yE
z9X7D3iRLw`zY0#FJnXMvmuvWy{e+fZVN2{vSy#2tlO?!=Yu^?tpp7jTMZujto98fE
zm^WLd1@4fN?AUJVHZqMggKuNJLS+#QIh={C+8p2<gch~+?07R@TMHd@#mn!P^3yQ(
z^>77g4uRNjO9iVRl}Ne1nB2|UPO^Jvp)C%R3k*0FL<qi37d`xVzaS)}IQ;f$yKe<w
z`G=&tYN9?p1aZ}EMxLYvtE2p^df3N?&Q#0MgvmKx8xZS`LL1e4AVT{>udbSuXlni>
zAc+);XjKZaF+3Z5v3UCWx#<tjUcS5U(`5caiz9yMV;h%{*<8C?Knwqi^9@=#7YZzo
zVH^<7v^V&SSb@3D+A$2Yv~|JDRa(EyJoGv)0(W`?u(bkistMqXa1G(1+!Y4<hxP`Z
zjUO<S?Y>^P1RRKY*UC%}+#^EtXt%%`r$9%4e1z73*A-TZiuRu?CFqEoRIL!vS|f~N
zDLqHUdU9K}7OZb{-ezc#0SIONI8tyOBr}$*^32oaR?&rItj8GlFE&{BrUw*<H#4mR
zi@l=^A!=B?l8=Ycnp3Z{I8l#4`BHKRY<sUXrO!_SYvDQ!$_-MLPumi`R@nez%TYaf
zG<VY4N&Gs^$|c)7oUnUNy*-ZQh7MzM_=FGPS@vh^H7}I_SLZX6X1BxGi-GpOmzH2e
zZ320J7RWKwqgIMj+ReP5mJJBQR|2ZL3`R7XDi#(RiJjFKfR8Bo%n6hQX3ps&sd2<z
z6|`(`Kcta<UUP@mR)YEviTce>MxzUD!+MzA(3PT#afjkZ@IcnI8}*uBT2^DjrQ;-7
zKpn|d=VY5SBljn`iMS{L$xm<nM)*AkdPdEsdSw(osMx7r@6Avqx=hRTP}$NG(ta#9
z;rs*rjuhm6+neKP$i2K%L41k<Em#x1R%LWoO69OhMQyn@b;*mABjQ35KQ)+t5E3m-
z9L!oC%iwIS9W<<LKg~VRE8s8TwfU$os@>-!ScYVmFPD}Gb%^pNboOzvMU#9vH_(R0
zjAvDg06^%}vWFI)YyWwi)?-lmTl)30LHzZSo@=?=HSKc<xF>=jZ#wvJ!h9O^60zyv
z`6&-kO7>^G8BhFvOw6f!dRj}sD$%8N)%y&0NZ^R#ig#l0xl5YFusD^fl+7S=y0eXP
zyoZ8&RL?2;+>PApP|9BQQwetV-Fzk5AMjcH!dP1V;lX@ONs|6TAbUj^R}4FjS6lCs
zUkj1N2Y|f}zd9&3#=kEoYCvi&b27-LmA5!(jLp9~C4KKbb@gdsV57aR{Zwp9ZaU3L
zwGKd29*+1x|K{vO^$i1IQK4<l5<r=!VTd+DZx!Zm&!QOLCU6(~Nsn8Uh5&Y+Dd(Ts
zenSW{b@~u!N6D`9hMuQlAd`eRoj>bPW{*4J17fT2<NF|XO&?)D`<iC(lH4MDGtxPs
zcIs&)MU63w%$qr4aIG=2;gSgjIIhIFEjTU=+7((Z*u2{)ArT>lv*x*9H)d4!p2Evk
zDC2uH#DoI?!YeIen>R>^ZWEen;DNI*<0(ihZ&x}vrbH(bVTwpiN}1S_p0SRQWHUs4
zQV8;ATOwD%BBQL>S4e4(jxqB=V4qGx+~>kw_(Y&fihIvxWJaZ{Wxil-(mSD6|8&X$
zlID`gkxV86fsGNLwu|=!ZbvB*L^yaIgl>k#h@O&XmV7COBL3JYCWXS~d9sNsM5G?X
zXVU!BE_((_Roo(F0cs_ALHup|t||n+19rmW8_6M08(<{kWveg9`C$GpC#kl5Czxd5
zaJsV+OEk|PA@ogB4WlPX7xVs{J3sD9A+^flBq!F^9@B}O2QupqcJWkj;T)Opjj?ez
z)@oE36N@_O;CAOhcl(S<mwWAA|13L4Ypn*KAoDCsJBa~R=Y~qM;|;N|cq+~bFYwI-
zK(P7V>HG{poSBmf+|@4X$>L^R?&YLCA3Vq-9@{4WOk%I!Q{2U3dGsMmqv8G0Q~FvP
z0AAk9Q%S}<RX?s;L%4cU+38!q^HyTToYeE}amc@`7303)-9NG<^CZ)vfgIZJLT7>$
zm>*;tX*RZ_@xl%-eBVF9G}zepSgLB<g%-W$Rt0QkNSV*a%7`n!SX$WNUlO0*xB5s%
z?!vl}D%rOB`4|@G;sn2+ndEad01S}(@>V)5U!>gxUW7adD0Zc=e?lms{8H<SSM6@U
z7fFr(gyc6R$#QnA7Sz1^G=HY4<NyRKA-0aeOU#6a<wshGyB8s03hI^co$R+X|FURW
zl@`ZC9v*qPwD8SU@7BekGrXCWvX#FQ{AW)2pW=}ZDFpGqcZzo(e&Xx75J}Ft49T_q
zm#>Hmw(gCQ37W17^_|LR(MOhysl6vXfi*foT=;Z^7}AXCM|~1(%7>TFMs1HNJ%+Q`
zJp}DztNGSIyQIZ~j|$|hT6x9q?kBr|RM>}GzdZM9v7tWnQ*u<7Lbf5FJM;p8WY_hn
zID!}gC!E8`4<dOojB?a=s#{4?T}Q}iz>Z)>xWK@cvAVSm9!<Ia2m43{;wiWQRAPQ`
z2zw$0mS=ai*dr*<vt$OZQddtHVaNE~{85f}CKSkQT2XT-fXXjfLUQ&JwjB-}zIMs-
z7qPbqJL1?X4yI~oUYzuhE@{lY5%EWaE|OuJ3~jd`K%io9cnK8xJcOPMIWof1wgR&O
zLBM8p4j@{wf$(<l)tk0peBAW{-IC0KG*SK$ktPU-NP1oe4TBX#-UNEfMr8VVSu;*q
zHdlu`YVWy71H`J2XH4E~@ImkbZUmnvEUUInx8x-_W4q6`niMl0jf)T$O1R_tPL)|H
z&_XbK2Hw48P%<aHAIU$qZv=d4S{UuR{4&D;>5xg^`Wg=$Zxw(F?+E}WP#B5rc|a~j
zNbdR|UME{4qT+p`)Bud@qCw4B-!Ezi+DZ22+Ecv*Ge1Q5jY#1y*CP2m&V<KOcU&?^
z8I8dSK@=%|JT|8F3$Hypjlzc-?<po-%3BaznbE8kC$bsKj{!%Ct7ZnBCWN*0<$5-1
zQ0699T7DqxoTDBOJYr$z2v<HGH-lTG$Lm|mzI3>Aa%i0~RTY4ji1!QSOd=2A{fz9j
zyQJ$eR?nbWn+Q2<@6R7!tX@CSI-U6JVgjq%d@EJ~^s{)cS6&?b0hnJe5HlZjNavXL
zqCxklPQDHWT~3G8J*XLM^yZ*aTIr-VxvGL@y0ywu2fBt8Ftoc5<p>XG$bGupW|jIa
z670fdZTX2hI-qjsg+`hcq=A<Mj{8I^NQKXYV;*|KUivWL748pvY3~DFHLo-Xco;I|
zLE+=F_L_UJA?HIfF{T^<lU4RdOQ{z5-SwHe=t;+|Sxcn`;ME!!d#_O5UkHnVCPDQj
zs2s0`89+I)0_@p)NTV1sq1^2|kZq=z*6}GdAl(loS+=8RWJX9*UAoLjd*a(OZ$_>K
zuaB>k^`t1`F*zd1x^@Hl20Np<Z1Y)*uJr1B1{}%CD&T?^s-Z|BlpFqlKRGPl07%q7
zPhI;V2Q?VzPDF>1z-m6IyOV+^#eu54$sPCURk{X&E#<n$ak6I1AE!Pmyg6><dcJ|>
z*eSH~u|p*1<Sv??qC>=B{Uah*5S+i9e1;GF60g><EkTg*wM%t?QlxCsnIxNrNT~!m
zK)t|qW<j#47pIca5!ElDJ;1VLmc3atK9iki;%4gH^AXnz?FwtP`_jo;e&ClxxsDis
z1g1n-6_+7^vC2(YAs&#;8&C2fGpG^%BGlq`lt%N#aSBrSFS#8{Kj3(DHl1lGKAMO1
z42MSd`lpdvq%+Oix|nw=p7aoouu{Dn;0ON?Bc%Em&uFm7a`NqK;T~<Myo(A+vgwl|
zZ$qcw-b5n8N$fS&B0Y&mKx<fDncg*`g<@!t*=vYdwt-pIC70(sBr&zC+0n1b^rz$U
z3PBM4LbEdXVmR>ecFrdCqE}zBnEAnoW_gLBV(9M(qA_}&OpbHF5e5=!lB&>pd|S9x
z19a%MvDvrV6(0gQivxU^@~>R<Gti(|oT%BH5V-N{b|&RUN;%<nGEE<o;=^I@euTA%
z`Pa>068`;WmW6v<44_3s)>-Pzuzg37_MB}zStqkCVzkA835b!hEHeASlQfV7T|TSj
zSdh>d1^cbLnBsJ_#3(g<Ug=kXF1!`wAmt#CusVi+-Lm&Cd;8A*-ba5Gpab30i?FJN
zRJ^`#8<}+?LB9lYm}^_6gVGV+dL#{S21A+bK1`BrJ6d?(UY4Xu4v$$qt22;NuQ@ue
z!i--l@?Gg}!d}G%Io;_G<qokVB_t=Yx^!MiQO#^?S4Ja}2K+<RuQ*uUQYV2OC3~k-
zmb!y7r{iGm#3PSbKS{q6=4n^n^OKm{zJ8K`jG48oQJfF*N|yFPBTz$CoVD8@E<m5P
zA|4}A2tR?vxH1W6-yLAs8wCgb%2J@}Zm+yz4TG(6WQ3BsyQ)c_GvbI?Zf99uW!i3X
zm?+Qd`;71qCTmC(X5pQ@9}iFGUBPw<v}_6Ed*(sDQYu9?5vXVHKtX>I3katos-Y&D
z8<Cf#@H?3t^F@C>yIIXVN+Wo7^*tlSI<W1Yk}YkWiVrwU76j=pwaOrfpL+j<wdB{v
zI_hvixz=C;ys|URrX`Z;)%NMzCwIk@G8DuVt<%Wab9PE?7)VOwIOZTMzyACNh{i;V
zJQG1yt>gV4AyG{R_d218DQtfuRJZATR>jdt!qq4rBXreKo1=#8t+j5H{5&_~0d~YU
zD=%C<jQTUHUGzR1^oJL5VjM2Qi=S|u6V-9nwq@)o%i6Dd(E4_Be0Q*xs3E+4L^cY&
z@QK|gJK^vS>^&sZ!Xfi<wZvzhatvqu$PU0~kQm<jw+F&X83Dz$V^*ST`y@UGw7O>B
zT)cLaht5bfTWXy9m2t$X=f8i2WE_|ymT3rb2#Bp5s{7HNaYfh@@>i7K>M<8)=FC3I
zE}h0Ol4u+NKcYJs6M5k<%PAUqe~#fKHb_Gm0vszCZZ#(3V8{s;X)5O&-k?0O>lcla
zXP)dzV)kqdLuc9--ZPzV5Hm4XeES=Rq>LOHd`{kX%O@L20B`NxvB4F&JD4U~G8^V)
z%8>Tj!eS31{oGN9*$2o4e!Y7GN&k?eL!Lf(+vml}Y<1YdX%j0y`PLFruOC2NUUl7@
znovxmH933c53o2kMa6d=q2c60dM^k(^0ou~6O6n^@s4Y9W-c5cW|`B7Y5*K{RlvN5
zd{~eUL@)fwz=2SKl)`Gf)GU8g>yaE5`zjb|YP|Fb7RE~gXt8ee?4+8;Hn7bF{dPRI
zq<U6q=X3ctRSO~A04Grf^=oOR#Yo%-{~as9G>fM$Th2osr(Ne}l?omk2+c`_Zd$O=
zfqvrsiT`|Za@MYcKMY>yuzBshbC>dxiMEgS<DP_B^A1SM2oY(Ky<(1Uf?+m&%0TTT
zS2Z@McH{<q`CYKny}AKBSwzo(=nxQ!#36>be~vEwe{hOau3CicsmnnDHyw1L;e9Vs
zP`Sa&)(h?LT+_B7Co|oxV!bj236E7~6Thwda3Xc;7(AgLtOtg}C7_lV)!a`A1PTbD
zaUa}p(KBKv8U$JX8v36Pjk%)s9Xzrj(#HKS;*3%c&sTLeQ?0{PJNEYQ6S~cI(0m1!
zk+K?989j0K4D`rWfaG-#6di@f;}KB}oNkE){4em{0ZT(i<o_1~93@SZZ+WrU$7fiX
zmdV?(4YkGTwgbc&2^cG<Ng1txU*HDutS^REXj%5)N8FAtFh15Q4s+dxb&;))h+P%T
zkY`0eGsrlVrA?S|x~Qj3AWC{eK4u95oHc!fs_>*==EpL*ClgLFBsoR=G~gtamz1<v
zk5EZIY+4;H1_jHbTW{r3f;CE@p<M^Ls1+!5)>3bRSz{mA5f-n>%^~7Z)T`p!MWQW?
z<Wh`KE{qq-p9$w(24|=OOe5sF+y(&U`8{68jRvT_2l8}ouwK3k!|Qbbu%z9xB1k&A
z^y3>K(p*z!+{l}G`@g)I;5C`va$fp!(1^cGckoitlbUlV@GuZp?E=kXen=fScIpt?
zB8tDnen|9+2)6-|c39J>XrpbBs)pRfzWf9o>WJp1v-M<Z_MO+b)~+j5$C1|oVZJC#
zfySkve7Mwua`1!{4^qgty+bvhfdNkJXmCQlyoUiM&;5h_Z!JNpO$errFl4HhJ;B9k
zZ66|Y##@EgpWrYBrqVPkV$y?j{_XnTmW5P;F6T4kP&^AaJ}q`4s6mwnQ>q)P1)3GC
zfOP5v(clR1R^0&q-mmLZx`-@m)H)*k`|uIS8%7Iz5w;-2)kFl)0!!KRhwg{0kAOf3
zP*zE9!wD0KtA$rDA@IVQ64htuB=GfcgheE4`LIwe_D4b*#hrzk2w6Qg85s0%;o!R)
z8}IosvGVq~|J>!RQMTR4``dW{@9*@1jQOzxmU)Mvm#CiOWycf8Av@DjlVJhM816Bu
zCo!lBa}hC%^OCBnWgW#(B-k@?sy3eO1yaog@mmkmI`11O*@{X}K&}b-OkiJpaLQ<{
zs|6yLC3{ecVF;ot?<vjQhYbn@$xH053(;7X57x)a6s;N;`j1#XSqJG#r1yokWZWJp
zaLNAo8lg~>MzZhO;!g(fHWn4vUtVtrw?V{Ej|%-@Ls~-nrrdSu0(*0oG%SA24h9^>
zwQrmR#$sQq;#(t-ZoanZK`Dimu}so_lV|P_8ba~8@=g8(bFl(`F+uY6QevzP<-ndu
zADNw1wk>~48gpk2HkF}g<J;xNNW5hVp0t+qd)stsUKIQLUYi287HfQrEk0veFA3~T
zZiS%HG3I6!+-L!V4-{A?VB|Y*;TA>6!SOI99S-!XYOH`v3VB$jn`TEl0M_f!rX>Aq
z4I2Pn(^h+0mQGwSJ08I>AxW{GPSmpb+JZ{gY3m+(Brz6*AS#Mw>5LOMP-CTI4C*w&
zz-2PBnBeK~qBpMqLD79PDw9%YBgn!=ZpUB@EEg0S`!giJ*<~|q&xbq-Q*8iZT;V%{
zj(VsHdJsRfq}Qw#H=rT(UUi|9$}hl{x&epM$HzR9FKJ0ZAh<Q0SAoKEbK$yTrO*cO
z=y+u!0xrl`GYS%zNnWdrzQL~~Prr!ui3~T0E$M?fh=vxjO?u9C1v35P4W69_im<mL
z2mQ6xIhXGVO{Eu@X@~B75p_`Yu9Cs_y@Tiw-Vl7hUKu?@&Qfg<W@|&Q6sRi3E9@{{
zn)M#<y>+k<0$^SlKOpQMh}S_#ZS3P(l@(N$TD6mK>YK|oq{1SfK`i{%{UfdNdZ>aU
z@W7|U5@=0VQqetE+qLx~ZuKm8HhXa)AfySNDL0>btO!xaS<4sl_kvO3s*;wSwD6Wr
zQ%$&jr~gLHZ*0id5-JvU+;}?9Zws-<t7@dg^_hd*w?i%hJ+4fyf4k>g*gQc3>5W>z
zeRH8Ewl9&O;9UuQ1tw!%etN^v{1Te{9U?godmbUf=>#45l_bAT^&IJ#gGxr_g8>Nb
zUng@y1ypNbw(i{o=Uv8~@)zh;Z+B;u-!gHki(Zz0`-1W|j6Sebl6*P$^z6#$4#B2)
zahx=t0UOF|h$PXKH??z_ZUs7HK$^6<I)G;bkYfkA#zkO-=!g*C##*SnXxXp%FDnJ{
z5z+<w0R^t$Ct;XU@F6QWD+N=5s%+9(Cb!;?D6hMR^J9Vk_ZiO<N|Kn!Z$J{xU-u3V
z=H2`P64A%BlDED-0eQaBdRe6Oddz_2v~InJ9ebDAoCH`S5xaWf0AEWoekR<icKqgv
z@DHYTvVxfSA7P4&U^+eOk<G9l=l5+>lt{h*!rM8Jr9r1)Pv#S@Vxuko0&#VzGt-8=
zf$O6a8-cb2t^#m&O|nFjh%hrQo^mEYWb8WI37+^1XKzPi*O*U7-vSQ}Nk0q7{=U4O
z1wuKU;6kawL0Een1_ma8S6h0E{?f~$8J5;}wUUPVMPG1yxhEGoI-yv){3k!!I+>`$
zE2{XIfpLdxyqhqUhilxHVS+0%YGOV_Al%9=?1t)9L?&1GT;^)ZX3i!v(YxTYJ;D#*
zSo6!78R<1A<m&JwxG|nchD|Ow7qe0dtlm$@KOGOEO&SE`;EGNduLy=A96RtfbRq5a
z?R^o<VAP!`wHAe6)<N~0X03e-)x<o>(s1ISdr*rxh{cB(+ai%e?P`($QTdNejA9x~
z(n35TuSMrpX|OEUxXB4~Hj-$8q(`Q7SiWYYK1{`-^AUNqU0Kp%jo5>|1C!v;b3-s`
zBWMJWf}+XLyw36BBjzUXD$Ec$41O4e%*Nv$ocV)kKEbPO&d?_y+M^?pEvJ4%U`h22
zR?MQeXp4N_-LU1vc+fJzckN1*;`aqc_xt9hAPcyDGTKpQdQbuT6OMKy4=2~KlX;XL
zSyYT91;OTc(aRnRAtlKOYdwxAKY@e=Dg%L8mH`X>(}HVcl)l~p?4@F_o^$EVMh!HN
z=T&|`9xm@V*KFjM8qcF!T=}8Qk}~yq&vXO$*5AF=EEgZ*5>{;%r^eggdD}<KPDD#y
zcF4xE->js5{O*$`)Vii@(t400c-Rd)wV6qwgj>K20&2}@au!Uq1h6M0Gi?6*zNlZ6
zp=^Nr{Bnb$M4i1jyC>4`jRwG{=_l?|u9W_KG5+mx3k<ZMIfV5@Ed~{zK9}+Ad2{|k
zMgpxh>~W0C1N%Z;eH+A0N+V(BolcwEETi<T9)z1&zLj}<$Bv!eT)dRL6SYoeB@R?_
zgBz3qyzK&%5IRT{t0zdLoi~WH;~H7WNqD|Gi~Z~|)?<6bv+)Aswr~9+u5pJ6+uHTK
z`l)$psQ1jJ0<CO%dM-T%ErBA?VABWk8ac3kUD?vS0(uIv^3mJQdW&`x7#>lu{_u=)
z@V$^es@bXSYq>1n_@z*ew?oDYl8A{Apy9{6t@MdoGlttUH=ul0I;qm1L&JDlbKT13
zs|Mr(OXvRQ)d^Mf|40*N`n-0)`G_a;{ZX<~gk7Lx-k6C)h7bhujl$TV^aHed!cH72
zf=tnGctgsw@r2=&JEHWrE%~349#&-6bJ~l7F9f(!o{KwQ14cmEAAGi_<qu1;50A+8
zbu1C&934>cUk^eoBiEAtVqu9!30tU%<-h28OsNc=sc$|o8PqU4@4w7Fj(Z5mqouod
z$;l($xPxO-Ik_K_Mb1t;yk+C{lyzH<xc>N|u){UyljnKvAm$quVS1#5-y;sI%`xTG
z2?}ZgfnvjezSBmCx}Wmt({uK}*4sXzYrkGz4!&|EnX8g^mx2;ZY8f5_C*m^XWqAPM
z*q@jLAg~`MSui6Ei!n2%{@)I@xSV`T_pEXNG&r$_^G*qulUo<)tS-dc&K=EnYUji(
z@pi>U9LHbX?H};1{LKuJSdbWM;|E5mX3#85O111g!@nICkm}!Lhx;rZ$S#Li)$DMd
za0#J6aU+MiPXRDzl241zDr2Ah1xcGBkTkNM*BL`a6z}m|eG(5;Yh@s9@Q8h)U8E&R
zY~$_|JMtE3Z2Ol$i3DU>R;c%`jDZmKI>2%nB*<9Me|3$`5CBvgf)`mj*$D&pw*v`q
znqEgIr^dO&zW|2EXcoViCP%YerDB_zDDOTSa90niQutUAN)rOEZAX^j$&#BI{+N(-
zG~fl+RSZ6v%P&AfVqWSRsrO+`zNuwf!7{n<^&O}_P8-5$co%#`OfsND_+K<1?cgaW
zZ2vkQaQoHD!Guu!p$%a8T%GViVXR-Ka|1c&Vy}+1%=MPrO$gw8y~c?TJPIiYLjQWC
zZV7`8O+hqz==w_L-8js&<y#X;&o9Pgn>@d^oXK7*T3j)}b>+D7n?)J8=nbLAp#+Ef
zeue;tx?xq~5CZAWe)abMF8qji16Gl_)c^<Djmc3cRcAsrXtxd+5mHkjt_SyKEZ^pQ
zUnv8rXgo2U$dkOL(zqahp^-CI)U~&AQvHpDU-n&+BmZ@290TV*fNJo*@*}%05rC01
z*56cMlWmd)UdfMtGk;@ftDnOj-L!T3nYWspuGG|f8;VKC2y~d26@mVD+3hqQ?c4~m
zL-Wq|L-Wpevp{B{mGSj@U~A(`!s7gXIFFl&%nT7k6hi@Hf6xrA&_e_riWqIsN=Kp5
zc#-|zK#pSd<!L5PB}#6(B3>?qU^S&B6pUjQiIHo%BmX>^*BP6~{+dT8<@yD_;c*jD
z0%T+EkcEl>WdZdHP|e5NsbE%|i4-wtFg4|vjHMSB<ntj>pev5%2Y+5LS?~sIU|6OZ
za8pDA0y%9+%fCuDiUkpN|Dgq^RW0fS3o9d-QEq{&7kAdTWe%Z(Tf+n=S+L@M0b9~t
zD(;N16}^wAzt!ddj=z;hV*<|p!(Zqc(O-1!#T2H6_{G3fdget$l~E!9)~3u+h!--V
z!dJi7DL4Y!jmJd-6VmH0w=iI@fx|hP?F;jJ-ChWf>7kSL{Vo1emvNZF#>`aEfu=-X
z(KZ4{>J&r)&xtJ*pPC(WYwhrn42~<m%#Io(afT0RenuBq{~WU3@Emn2C2#+%MQ{?3
zF>xZsFwn*6M@oM1Ax`>#kwdU2r~cr&R;hS_N$CRS1*F00VbScZ0C}@~`)Ur$HA!=l
z4cyQVaX{(kmxUg{*?2B6U%wwZEczF^=q}ECAZNGwMAd`DrF%w2Wx4&uqv+2&rlbVs
zhUc?h09`?Aw{gLgkY0e)1R;c!uf?cJ{+aslZXlHnTCH07rOnXRa{D#;0p<Yn7wDB`
zBk~i(zzTXsH5B94GC>02SL|c`z9Tlv(Du*~aS_84B-HXkg|cHZjU3;a44za_JT=eq
z>$M2CwYz*2UJJa{bEycoliO@b?Nof`uSZMv_t8$gU0z-2K&E?KV~)7beTAbgjlTXg
zB@=^`mnL8A`D@G@HlO$dum1cnH(P3TDjtwdh(JzmSG{yJ;m{3Qt6Qx~%QpJz`;xIi
z?y&!4<ib%Da|no%*j9^+-x5<=j1hW?!rXl4dG?D|c{V-CXzRkse{%Y5eywgsR@ZfK
zK5|__oR2=i@}A|m*oyTlFa~_lJHLE*khlI0jMg&GhfOdO$*L1&7UAcdro~cKyko-=
z>{Pl#@d^w3;Z7nhpqqGhKx%4umLdow?natYo#-8C3PXo{M}l{}HsBCEoj3c>G|6e}
z`I>Q?Q&s!>Tb{_Ft^UQrZ=bcb_H(lA_=6bW+F5wS2OK>NGGkcp%A$J65tK9Fe<obU
z$wm$yUY@UD_XNEyTdhvcHuCTr%#;K*E^uubJXnjOc##v7#N~e`Af6Ld7dWemTurs1
z;d`Ya_2vXC>TPW~ZkXsU;wLv(7eY+Ldf3$<Hm@vwahnZEMHX5`rn26>Xp;Y$AZq#C
zEOehZoN3~i1J1xAa*QF<deg7H2d>mI08{rlGrbg=0h6p8gkp{l47uZBq{w9mheD1q
zsYVV>o7-y$F$+>C_TMI4f*GF>S`k1locZcz@}Ac0PmdKhZJlqdV(z|g>{huU3_H)5
zT%(PVX@pzu%Xg|n_U!o3IqJ)YQ7+|IX7caVaVzfz%cKsx)e<*1(u)_dafx~mL>M88
zBN|LUYXUT4llvO5)RC~1iK;ipoJ(YY3ISXoh2rKN`(CgtkIK%dxp5~7E=1?5Z^!L@
zMR@*(rx1@H#19AoUl11mU0MIzw6eDwcW^@lVG?z!$c+cg_v;YyCz!K~BWFvAvC&53
z7j<uVH&2140CCv%20f(}WZG-gq_;EKlu3R-{rOK{wH<VUd1q8icfc=Z^4GxjPjs7s
zxdlIv5_jXjm$+CJwc)nmKeWKQO})qq2q<>hMqmMF1;*`%==Nx#jvAerH8myT4cxZ@
z=}_)lW1!Vs=~t&aXUmLu=uiN%Qh)Q~8GI7@crZljhn936bolL?-vG_-{j02Cz)3Ga
z4<~yK>7na1Y&!iw3~rCN!6DNFY4i$w^_6dMvZx{F6h;c9U4*+>lHe_J7u-!QE<6vt
z?-luDnbsyfYcjI#kvA|7S&ied11%R%huV7|BNPK?G$Z<9(7YAlJHVwO-V1`Zub7dV
zgcrm&2(J(*2nMf%Wq?_W80~Kz!$0AYD-F&%*NtQ$cW3WIgfM%H_RyI^6uAi77Ff53
zgvTJ0Yu~Nyzyqlq3~9E6lIDN)U%sA&#hpHzTd{&HuFU^Pn~}xUEj5)FjuY%VPi>Uj
zaTbKLHW%Yl#N8iPf^w|@FJ)p6F{gjti4-wwzQ673l7Ty+0u|QPyXPUpU4eOJS`cz8
z0f{t38hSiK>)=Tb<3}4*GyS&pVb|Sh1hJnRsF{BN;;{@q?)UJSd^I;}mq@@kE%zsE
z6nkSaKtA8YxWEVa+iRmLPWA5}hxnaM>UM(T9vP&@4MPb$-VdKYty6dkp&vj#1QqCM
zqV$#?-s1F{o|BiDg`qGKM6GYi4T7L=2amv<j`0;Fq}teYAvJ(*ogRWlEMqO$?$IDF
z_K2Z=p|hjQiSmt2;z8jtLpDU1b2+xFM$pT2$$;`FYe3If?xn=nQaug6klw?AL>`T%
zZ)v8X3bYGBdQ+O3Q;zwA&>{MHAz<R{?JopVOCnembJD1FNZFZDYcWBN<<L?)eP}sn
z?-Vk~^5~gionV0?%>V{GR&)^*Q6D^|1si}=S+^L)vkb(ItNJ%=GQA&@&AyVk2Pma3
zyPm0r_$gCU#_&-s)a)h+A?b-PG6P3h1U8`Zdxd8?g$x2fs0blV@VN_nbcBot_eMm8
zfpb@?x(x{DUEqxr6(tZypg-v^qL(>}=Xi_1Rz_XB1R<JYeKAGOt6gvmrj(uc3o_w=
z^RDSu3hPY0Nz3ia_uBdCDRTAcvNOusxU@?XTx$S5^(0o3_1z6tmHH{!JWs6;vM<_)
zSRB9jPQhVIqOHLfEk+Rd#mM?U;|Bu2Si3q`gP-sWG^0k7<i|N|S6^ijCJ%Sj^bMRT
zUj+tnZc<G)vkJ*>H%l7HbB68VcHeabg2$$-=6Jq9jbt;(6u!z}R@0A=&fkO4!SaL-
zpKyyxW^eD_kPn*!t8JlB8lFjMpz7FrQVQ;9%Itl;QiV%?UedvJ_4OzK`}Y{$C}N`_
zUPZG-T=IuT+P(k7+FM6e*>`>7l!OApK?J1X5Yi#t4FVz}rAUJyNJ@7|=b=#%5k&=Q
z6{JI25kv{4L8PQ4l$w2k&&>18-0!@z*6;V9Yu&fUbFS+fdw*)nN21_wKp(b1MUwv3
z(hN^2PFT4Hj#GsgD*oavZFTerOyKk2x_fSSgeH%XVe8pq=qbL^Ma{92W6m;%Z^U))
z79AnB$V<3jn%@0a7tEMeWvomTj;2u=fq40ct_=Q%_DVfVQ&+D=IS%oYp2$15(0XtO
z*t}HW3C&(6HJ?=<3i|o-&DfP;Pa}!DyopKnH+!aC8kk2O$wv8gbSX8-e((5D2sv%n
z+#K`)4fQnhU%QK>xqT*RDgpWcxZ%5xtPBBeKWb=)(9pbw+Ihj0%=5aW;|YjccDXmW
zj>6@S?ox{^Yac1cd4>BeN(_E9i1Ot!2g5-}s}&L7vFF0Ha(aj4=Z;&=(XkR(_RrmT
zMb#UY5hU$B+Kdy)D;rtieQaqvn3=%~p@_U8?-Wo*YvC>DFPCbQJIeP!M|^Ljfs{Mf
zB|e!b1N?Jc+-MWzq_J0|C*=f?LR`N2g<Yh~dZ`Juu`h5_dRc*)r-eR!xJD=G@yggl
z!X|PvDfkAgWu7Qc_2+Hu`J80q3twIqUU`}v5IOL@M`*b#owu-FI~%C{x7vm&+Na(u
z+KsLJ+fVZFBF3xsMCuITf37pk&u)Wi)F@&o0+%Mq!z<PH$G@}ykxKMez<2DcfYow~
zv&go2{knC(LXlF_Nlu;z?<UXuz}-620PIBCYI?HWO=~PmZnV|#ZIHWv#y&?jCJ@<D
z?=>WPzQS@K@pdYx?jIT4ssmlrLV5%VEf;oT-h)@-cNT6{czbq{E;3^yb}wUe)Tao~
zm9dwkm`3?=$P$_XK|1}{2aZU>Iuggo&%}0*ZRfZIySC)AcWs(7tq|Fd{>NefF|fWx
zXo(j=B-kpepG7?28#-V3zT1hbPhm9qG!}wmt^E>zGnD_ln9g$^LL=ptMWaH<W>JWg
zsX!_dcMyT*KI5(>sW66EPhT`U1;IWC%w)`cKOcVb7Z<1b<3#q6(y($dLd^K)z)>$J
z{$JcaM<sLlo!3sIT+a2sZJWEH%PTgpF55{A9-r<CY8_&^fyaU#+1GipH`tIFTEsn~
z=xB%>!%B2lm$GjnPADmQgyH`Oj2GeQ|GUz%Uvc6gon0M5c71aA=l6b8F27QZG$a67
z8J8VHtP{jKs|;>0RfiovVFixz7agc0t-=4dB3G;}`72GhQ|0h77NO<6Wr65xLCd8l
zr|Nz=lhw6}emySSUv<ZB@7}|j?ixR^SUf;%XsWnG;>QgJy$eHOl=M-t?0x)WUQIuS
z9OUPpP84WmVJxi1eHVEVid~YekAD_2DBNJeXcvSA%mOR9tyy7WA4z}swx0<GoH4)~
z1d#-ilX3xNZeky<^C=zlK^5V#R4I_Ac;rQk`s+oL;ywP|rc$zq=Z8+l_bPbz(=4n2
zRANHxG=Kv6etLv1qRtzIKMLLUL+SrMKuH~J2Fwk~qdEZL0X0WP2$>U3T%pUZm{#3m
zJ1TbPa{iGc<6N<5#wVAkqh&;PTp^ZZB_ht2EGSWCy3#Zc66+SRGV+Yx&S8ftce3Ov
zvqeV*2Xiv%hMo+Kiq6HbaVn7M=3M+B!Nr6*Lz#0DbA}90_cA)#I*E>rAmlJ7Cy1}x
zZRJ5-jnr3Rsn6qcb2eUY3m2~5UipyqVgV|bJO~M<mhvp>y1WZBfLuU+b!TOa9wc<~
zz)`QleVq%;<_=g$1YlZ||ITD&N0u-LyLNUs7@MX5REueyrj~F+gRv(P`0hv0yxuwh
z`d<)Ko%!1L&O)|sJJ^O4rb^(#<utAJ4$X}_C&HDxiJ;bJxULc^j;OG=DaSC8+2a*$
ziPZe+V;ki2v%YbYi3va_xu~;W2np?P#wVMQe<lns*hnqbHk(oPaEWmxSCk)|<2<vW
zJa_qHY>x>yWAZaUux<1~Zvb={A-owi3|iw%84S2x2^sc;W?BtoSeHTS2l<D1pd^up
zcB-%1{U&r16p#|23Mx5DX0N3oK`qD;qZx!`LWp(22d#nL><jdQ`UC)Sq)?43L6~#j
z6HTflaj+AVu*~dS^AB4*Q630&SdxUhE%P!9g(Zs$S(G@A!EW}Alk*sd44Lv`VX~wu
zw+KdMXu-lOE85hH$?$l{Kfan@Om!f-m`k-sfK{zW6B?|FS8V2GNVf22DRPQMY{9Xh
zj@=#x7pdf{C*y#fsRiaFJr<hD+*j>S$Y<!3s85Gt(TJr49Bf>gA9xa9v3$;qSL=6%
z){PTH!q+$e<2L_xvpbyxl2ueeIT*^m+_U*aS~N8(xjHm>1HM7xB4*J)F)HE_Ja5XA
zzCvOcc-~YRl_~}UEV&M!2HC`J(a&FLL6e#+RFMsMKJFcT=1#~LnpTHiR<C~vA)nFJ
zp3CPj?AkHF$6LU;A7ccZ1|1T;-etD0rkFp9=n8zNva&qyi8&kC6g~_(kT`e2&ZYaB
zRa=|_+>N;G%Tw3Q)N3xYsD3|*^FgigmRUtN&JDNaa<wlWFcaMH!)llv9OFrzU#L4N
zLt!+`ThV|UZoJsZr&wZwTNRWiJ;MdW{(Os<jGS`h_R|<C>q(>Wq?2|{YaM~X%U63P
zF`i&nQ~@ck%WM}VS~Hy(Iwh>#HkcB<m9A9-`jx^1PdX4MDnOHDsUcO-{td1I-8x^7
z&-{sO6?EudMxpn>wuPrrBmae}pYLA}uXJQ^sa!t8q-H7E<3UJpYnt#L(={Vjru+vY
zs&03g%%g*0v1XWP%Fl#Gu`s!k=~mG*_r%M3J^t`W{A-tKg|sKImCqoLdqD|FGF=*P
zFryb$=uePY7-CJBEnhMlEVEKGsdB*vOiMKy#rCn*#~qp$#k4mtW{nUGP6qq)I}CoK
z@MziX+w1S3=Z0t#_m_ca&xf(n->S$}V$MVlev=>k|L;3vJkg_9o@zyd80=Y!d6q?c
zk0gU~+09-Cl@HpP0tz?Ub-_!xc}^!g04Bca`z(WkDFSwX;gu0&#??#sAq>#1UP!OB
zI?Jf@WR^(~gjy{|pM1A}#sgo#X14%fFz&T+^s@i#-OxuVbJu<kcD{{u3Y9NC!iwC&
z-f4WV#>I~2_S(^?gq@VaNru-9CoDYYZvyh{n&ITw(P09i^Oz^!ez=P*&|MTa8rJMj
z*k2fGaRMoFjNSBnnQQ#UT<<h2!zQHO{qz-_s*OkhiSJ|?#~6sulc9?Gti%7PDU3I>
zvmG@;Od~V_rMwY9zW4Ru#}p7Yv=%X*baKjam^FJd#O!+#Ct3kfWn%78JI-9&W`=`H
z_Mwly74vfKf=`)L5#f)KUml$#+}`Cz9fWvv1ky|*lYYOGJd#hagvmF`CdNr(Yq&oC
zfK79@SH)l}JAV|~Uqy0?^y=@AC|!9~h1NiLLlS%6?pkYCL!Wiw5DOuI%%D$nd$-XS
zAKa>cXICt{h@zh_yY~ERJ0<zSrzM)jqPZ$A_X*YMy!i$GJ_&2%;ci?e^&t`ae)JhZ
zAwvorgM-ic=~0w;jw(mr-hn%_yvh>~U0hise}<3@n|T=r?;;-s9tsXx<Rg{CD#((=
zUDD-P9>voJ{8W9QwDu%pY10x_lCekIH7EaFmFh@6`0dAfj?r`??1$Fy>ttm8A9!<6
zGW1Y}A)7%>swJ#TgU-8m-sx90tp_Pvd9AH8r%|<Q@y=kpDa8Y&<L^StWhyj2OsH-m
z@l`Hwlmy=NDW-GY=dOXl6{qS7-x}BP8Bn)yvtWeRb>eF8P(jAu@02^ZL~?>#>;vWD
z+dhXp_h-kCO6i^EcPUy}I5&6ID&bj8P(x}tYs^{Rn8iWkJ&WFn=PnRZ)CK{kNpe94
z-glAM*v$qDr5}K5OoQyb6~yezx)%+!&m8~D6eki)9Hnqj1h18r#IcWm%eytx3b8Xq
z-^2~~7FA24KRjYVs;f>CO8%@BM|iIHml^vmsn-NsF`@ED;WjC?e0LI3eNo8J0>d|e
zr=5dbm_|6VT-Ika97o?$f=QHU=xp^zS-d;9|Gb?UiOeseBZhyoDfjzNiNDY9;(!1A
z9wd1ZwKc*o>Vps-w08CxXs8t%0{1P2m)Ui4;vi;f0{){n09_v+tDV-D-2H55W&wbU
zQH>`r08(LKlwbjCC2Un(zz*-i09stYhMEE32nPK`F5LJFn~>u$1@RnuL2wn_Aa@nE
z?YW%gC4BRPGN4C-AmIiGjZXi?)g~wtbW2QS?ktZ`0>04(Qn+X+in#*X<7p#7z*$IK
z3m9Aotu7?v^nud?LV&12lA;XCrB!enblzm@`MaBh{mV_FV1b7d=AJ63>6>#JkVyTw
znqBwEe73E6%1q2x`wl53fY#1z8ENVuuv7#zM*yHE>-X7|k5%Jiw4Ejb`XN5*<ZJ1v
z{UMlvj@%6%4_kMif-r>|xRrMxB8b&UVV?y4&2T%|Uk2WW_?;hQBX67&L6MjTIk*dB
zr4aM|sQLVc2&*}zVfJT=wNQB;oc>QA_^FLTv!%S8DxqdzyO=5u>PlCL#!(poA2uVX
z6R*ygJW{;-5umUO4qu3&l2QdN+?n6$%u4t$A(I@+5rdMsuC!CIN>qUZ9H7E$P*!gq
z_56B!p&QAdvKy<FK$I$b;M$4#h15Nt--1X_5j362XbqIg4`9!T!SSK*dtcm@<+XIW
z*`?G@esntIR!6R@e@xzkAGa%D*-H3i9E7Lg5H3Ce`pWI0_QtV_<)g*s%i~SwT-+Km
zedCPhiP59OG-moA*4p(>o3FV*{N%y;y>L(n+}^^0J-j`xkkIJUP;?n?+dB%k`jx>6
zTDXg5S6@AvQE(+;+Z?@>8Qz2!1D^O?fW2ULg$zuy3x#_&*Ll4D#X@vRrwc!hf$OYk
zxAF!YYwA*RiR<$xqstJq$178C5bTI5BQl!<dNFqpMZIsLj@eGW4Xm1&`>cYh<#FNX
zq6KZ=CC>oSf1k?_HeAM^X7ktd8d6<To3=VqX8j4quII1hH`WL2x`55&naB>CMSA<6
ztx7*Aaz9g@9-Pe$JOr>${|iGy+)m{WkOQ?ty$mtekU?;{)V#?q*5>8b(b@j_<ZHr)
z6WGzXD<|$AA4AbRCBw8Q4V><CA9y?-gc=nQ0T{Sx_a|&4u}Dn-d=+%O1`A-}E(6LD
zJ%(ics*EJ3T3O<+q=>%(s67*6)h}jF(6Jk=)+cTo0nK}vH_n@}y_Ix~!WLrflKqPU
zF_WfvMN?gM>CxZ&BA`GDWI!VSKI>7ST<GKu_bM*F{EmMERM2T8b5d2$-Q90q6s`C!
zzN6BJx`wgg(PZ=aE|r<B-R}e#Czn<4!%DEfXq+n_r|-T4B>i2e8QU~QlB1@n-h-y{
zWoy#6X$m$}zyX1Yi~AqYbL!uE6SvBITqOE;bY7g4m!D#y<9zEta$Jp}DF5L+d^z)n
z@gtJ<@Ca;c3kUH;WXLSl?TfX})8=<E8Y5W**kE6o<C=DYjH`unm_VL4HtY<CTa16J
zMWwq}zdI;5aur{A@m;=e%iyKNM{~93===u{r7|DE8g8%vJ@~={gd837`1Wf!vKW-F
zFUGM69*&f@V?TVmx&lj|b`RqX64in6CHnS2!lkUndM_vm8^LVz=+9tsrLgeWo`zIl
z^y;aIX@GpMwlbW4IFX@l0s+B!g=P)1;0%BKeO1#MGBaL`!-BHiD@$aEO!D0FKR7<9
z!}5yG@gN5^%iNgH--BB5A2$!1efw*b@B1nI_S;~iG>35V7XxW&y6iMJF`nN8uK4HE
zuN)fnwff1X{IZ%lF=*+BruoU{UNm*lpPNwp1l-Yk(rZAGaOK74Q|-3Ytu~)}v6q%l
zfBJ#BSrxc_pKIT%`!RGs^<E&Tp!D&tL%~UD-#&H+{T^I*MHlUcrxSEMj6}QFKZmPJ
zZB;%dMukheSVCho)DR?hmd7aA(9}m||9#G>r5j!VZhu}(m|<y%1NYGL@+CyN{N!Ph
zXY%i7^GJacPyB*~?J^#k6i0>2x7hutQ{W_@7V%SR>WX)N*WmOk`v)Cd+*4y0ofPxw
z{bGfELiDdf*QK}Zs1-UPlfH8FdsA4{Ka`0{_~mTWCpjDqoSgbU4}x;KG#&Fy^7bZ-
z9?BaHu@I6^e5p#8(jEgPJfTssB+)MMZE1KTVfNLMArjQ^j3Q1wCu?xymoWn|RM^IM
zc&bH&mosy;`#+*_eX#H~klZUymgFp7>E}_48_MXE%IOqFS?npIS5NN)cB8s^Cn~nm
zYJM5_v^3f6vZBunH}2K*RbOj5JNX70r-`~;m*d}?Jo{h#-ce{N^i@y<onl+GH+$V|
z$IDJ!QOr6Dlz&lbiK7C2rq$%)Xw4hRRh@_$^3oV?uj?EmY7{t%Bk!i)!yYN5Fc`KQ
z@JgzkCaM79<jM@K+|u`n#SDJ4Hi)$I`$UIv170gplKIOmf$IqYt3xdblB=C$I&wk;
zyOV;~d$oE+%^G|+U))N{miBSe&t5FdNYnC>yK`JyL?mPukzIn9*Bt#+>Wka)kLjEE
zKYxtu)#_Sjt99J#=UjQWh<Y;xA1}}{{4g(Z8FQG0dA<)6xm)%L!_OK1RFmg%IR)Qd
zqDPP2{*CSXbCLG!3+V9UGB6tdCX~q&JVDBev|@jxIUkIE<x(4^URQV+_d{8JkM=<z
zWg+Uw>V)B5BO8T6Pz55_J0+Qy>Aq`=in3V%Z$W{4AfY{n;KWtD8MR0~8LNk;e+#j&
ze>iylw?gbEK72Qg3xqfpfG$CK>qO0z!qyxG{UmkMoz5$NH!a;iY}!T4e^jSXU7>J8
z<&BQIc?_+=s&!csd6GCGjp88hgzCc@-MPy+Ee=}|p=q>pF+rn0UfF$-5UM+p1XcIZ
z368y5Zo8>6)m5WAA==IM>BDUXiU9g(dHH+wBn<^Pm__wg<>xL)_ju{TXj%H-%LV@*
zE|<465iuD(UZP0Dyp?F@g$suR`W#+}02rx}Hl8@C6J?<cCv=?oTkG>2J9`kCwvf8H
z(-w5NYgP*@sLWYPVNU(6VL_erD_Q7<hhE>NC8d`P2am@jm_L&*$Sv5+|8gD(<HlDd
z#x4x_W=Q^X9x_n|+!_=7$5_sya!_d3+4EjCBSy^2Cd;zAW9N@+HII`&^CF=?4%uc=
zDCp(T%7khQAFR!|9XT>m!1Ts}>tb{YFNoe_p@>!S&WPXghzKycI8X|-Lb{=Dp#krG
z*??;V#Jb#i1woI`UKQlAB*c50sK=aA#A?Bjf1}j|9m*0MyfjUYWvm>IoQlmjk9np%
zj+eIY==h}yv#CaVhB7n88?tlpV=(GO048>)p4Y>N;u8UW`k;cj9wo)Rd|;K8-27<@
zf*TNgD-V7<wU9L-jART48^I*h=*_^cu7P?y7m!EJ>#uo$cr6ZffT7_rQPV#@6`V$x
zm^~;N7er7m_G-YskSQC01cI>TKOkY$xbaYdRx6oJCPF@Uw~F8RrmglO(#Xl2J(nYF
zIMwCO=k>Blaisc-M_yG583GSs7ST&8RGpO@mc&2)ER93ifFw7ZvA9W!@`8fz3OZ$l
zte?-KKVkL-2;Y@Jud54rKfhMS&1_o0QfiV$361xz_x7k)vhdAI7o5lFz?u6Fn(k6y
zKOywx3|NgD0gJy3hU_>-IR+Xb>qe;KW5Kw?g_AT}_KT?7itQ8MUQKv$ulWvdGG$#v
z@Ml>DD&w1$`ABoKdCk%Ly=gReiO;vXt&{e1rsL7yN&hyCVYyWL`O;rf1RHzn6BJl}
zK$Gz%>QV|j2{ZvWpZ9MrN+-9|w%iJ0ki5eQRbV(Y1TRotwqHSANCy1S)!{fqBEwcp
zhuAy2?9f^5ZieY~ruF_bU*9;l1JkVw`fJ3$8&k=u(2lWTUS5h9h9~Uz67#t(xbgOz
z(WhId51R(Fo;ZlyS(-N3eV+DVy`G7T3bqJ}%1HrA$~WE@f8Duo+|to66QAbdaGg*n
za1a{iQfe{e?X1)k|CB(3Wa-wvOX<l$M%5u;2QuxZ&J5}*u&YoZ29{wDn0SuGXHu2h
zb<<b~7SC0HJ`HYs1^fo^z}4SL0b)2zv4q#jN=MpZkDnc~(IsGE+O5KUz{2$|8VWZQ
zb*Mb`@e8NL@34**Kz6*UfX#C}a>7a~6csu0j*G!pgp8Tt@|dl1n>`73;3)7GJu)mY
zMQ&^MOZTZYN1!-94STmbx)N6Py#;P@_wQN=io98m=-rY$$#>|w>uIr*RKj_YEu^U<
zb$ud3g+3fM52;(kGYk`QDhB`KshIkNhn(=&fCBR}ihUXEY0rFnk!VeF4{3QzFqOv?
z?E*-Q!?HYdiXZe6)Pk0Hpv{VeSlT>jM1DZfQ)>G)RX01Tj(Xa2fkM~$aYBAh4_vvF
z_<4~#*@+RSJn?Jf%OW~cq}S)qDbH3rK2R5R#iYJCM&q`>Wq(0g<GscLIV)S<w`byW
ze5RQA*RS2jx8&C}_CfIwoX&=QjSqlmzRN~$<+K7NXeI7AKBZsdm{gleK;%}>K*i5h
zZL>vx`V@qj+>?w7E!jvqMKh_yM0OaVlU;-+914Tg{geAMdL_T$flPgpK5HU8ndEj8
zG=3z!rlv{u3cQee$1jTer`K7i@jk3a+EIw%n8tpRU$!xm%t7A+00B?q<IdCqfJNdi
z6IgC@A6`c37H0@rsY3UCRk2SM4`;I^o~xrjRKE2{96X~+XHHJ73m5^*$v1?ju;Bz#
z#L{_s5{LbGX};U|peR4pXna6+JG_z=XT3V^r%vdO*xP;XFA@%n8NK(E^XcJ^91eL=
zWKRHZ5c$Kr1aka+aVy#Q(&v7#n%(rpbwWhB)s%x};+6PjcHN~o2`LZM;Yf6G(el;f
z>*&&E*bhnu_!iA!kBcnjkPk{MQ(wh8{t_}1R}8Z_T_?D_d<=|B-aQ{&+Pr2S8&vn*
zwJhT=9<})2;!*16RoK`^f7wHcI6_Zt%~`xJ_0_jfgd|}b<P9X32~(1v;u8O6Z7@R)
zC);{vY%3=udmuOTnYSN5vun^*jRfTAjybq4i1^7+bR0TA+Zl9Vpz;H>6+XhSmf_#4
z1(v1vkcV*+*`46fj?9tqLxQO?p#aKzg=`wAWNB7vq1&2#HE5~?oi?iOwU)Z{UyLU)
zsi%|zx;m-8v{x;6g9oPu;2!6`^sPK$XAl9kT9AM94W?VKvOxP@1e~HQ0C7xSF#Zx_
z32hlyj5gIL6QnI8_XM!u-75GECjiQO2ky*9{wxq*v0saY`)3L+*IQ%YIMfAu;^rZ^
zC<_O7Od-S11tO=}d~atZc^_Y7><r9V796nTJoC66B2OJZMiRsORW|f%CD*0dd?OHL
ztTWp-a9<s%=P5D=lHhuF$>woT5rjsX^4-%|dp>BSYsBe9!BUIRJO!5?G`si8L_#)=
z6+rPnJ{MAf_&FYS&Q)@2hc876@IRD#EE<3sie4##Sl5i2F5u5E-NAjh;hyOio<#;I
z2`wUYRT{Gx0E=+M6F@NbmGY`UIDg7Km#?Wzx$@d}>$bstc^Tr?wK4^;ksAnR1YQQs
zwb6Tt0&t~@yUh>+w3lb<3`3$=*0~Ie<KT52;ch@c#X+3O6y#IruOsOvh)T9DN66;l
z6HQ=5%3!2rlF8Cw2_vW&ewHVFd0c#iGs<wr4(tG2nKa~r3wu+qWOy-xnz$fgYTPC7
zyhHVg;|B#Tz2P>0k*zN<g#$9=D;eSkJJYB211^9$xE9QX3;U1=@od{WQ6FfdO)tf5
z52v-nA6eqa+jTAM{2Uq_0Bp%z<Z@d)t!|~AE-|Al9aK^!EM*Yl9D?NRtuI1Gni9Z2
zYjAD9(0UC3V_x9?pO_)3fIk;t#6bc8HMzhiQp*KOgEKO>e4#CYJ{EcfZkCr&am3`(
z3R;GDy=JA!0KppDHVhPMgM}jilC>iPNgrfGQzAEzyZRoR21dD4P|YNN^l_qW42-$c
zPfh?#)1X|!3$d(fzJ%u<qgA9=KnmLMXt;1W6~P4k>qq~SQvg1N0t|xCc?%*mM4%vq
ziqUYY$ru1O8<|%#|Iz}8cQfW`e<Sqfy;NsgGB{<rw<wYrTc-^0@%7FdRW6S%=I#L3
z3P{^YkHnT;A$IOsC_W~3YsafWA%IW=X<AK#-u#|>JFWtH{Pnw%YyQ7j06FV(s5bg8
z3Mc=@2Egp2rLZB5t~i3udZ@;$gk@EI1QDl^J0gIV&dnVLxz(Q6RuSI-tEcRHcc>n^
ze^diZXS73DTY=C}&$`jUz5G$IMFyV}xz!q2efbFhOcvj&T)Es6@<#!~Nn+PN=MObe
zjQKQ`uBE!vNK;V_JgPj%fGaD{@m)AC4LX^NvK5=pbfCv~-T&jUIje#JYk;p)>|)en
z;ZZ?7g%#U~2bF#jmg_$(F%|rf#r#o4)D!NX0C}Xhua8Bi>F7Px($zR!WMFv$wc?{b
z0!p8Y`aEl<k=u8QWI>#NqjuY)mJvh#fY9ij{+(;Q2G!(n6YSNt^;}5LUGI!t*?|RX
z^>Ad>!*&QH;_GK03U~iZkotL<tpwe%6CU{(QWe)Qo;+bTw&OrWTMk-1r4!!y*>D)B
zKXPlU1R0%ib(p8Y4y81bWjzgXG{r(cwT#hNziryIqz{(mGG)igZ8XK&Je57ZAhjp0
zu8T@08yq<4WSu8S<r|OATzWD~a(#t8THPv@OeKUzH*nkc8!3~VhegY!8`?_eHwx|o
z?PO07PQ~87*?RIB=*1DnEo!?yVcSwDj{>`}D&|t*J1#L6pvoQ&W-7if-~~H{?h1rO
z^K)HKAdt>{{>A?RTLq7m&GYl^5UbzVf9<JB!{(RkMlf0MVvDWuOO3d98TRe6r<MvD
zmuf-7#-*6h%2=`R;h|h2^2^8T11?@F%^!tIGZ{FiR<)5d-s=WW(ke<GXk2g_t2Lf?
z-s*I>3Rb&#^Qe(eZq}c{i-6|OT)b1?mwffwec$({b$ygR^Hbv;R(z;U#HR%BF~xJ~
z>-)3vwcCF{GzgX!xo5i)7|(irmD+L3SXPYh+UOvgPL7G(YF-F0yu>tKMH^iOCPHLo
z<1Qm{j*-I1_=vO`gF*vso6n#!Tw(A3u=Jo5K=h$8LPzf|?T2P4bVue(H5{M^Vn8_-
zw($INo-z?qx`UtNvKe}BY6pn=0Sd+~LvzNr;H`gddS?%Z<vcY}e}erqdhVGLBKIOi
zqcoI-D0EbtkDIVGZ<qh5R*)0%RTb5t@B3*>{$p^`$D3(4>fSc5G@$^1Z7=G`{NgGy
z-T<FUiCXE*G(pVWg%Y(vR_lr;+a4h9q?l7XkK8LyY-5f2lo5coK+q$*br>0HASLaB
z@Bz4;(oZk%ZegrC7a`B;vj@-f2ZB}+EPLud$|}>sl&R;+Qn$co(+=|7fzEQ16f=~x
zLVCISP913Bxw_-c1kmf=&E$T4Cp1R{!xD`HrK4CLX-Pc|*ibfJ_<~S}%0L~G1eSG{
zsveV6A}nqyXxNld=n)ofBfQ$P1poyMRk<um!xbsR;Twrm8mE={uAeI7mmsQw`>GI)
z$9_3;wv^p|`=iq7=lLhc+{^sa307TOz09ainhFgL6XHQj{aU_q<0Mo>@22f@(5+YW
z3sdwGA*k}t`!cg;IF%V{Mt~H!8idEN&`1(8xE6hS&>ElqQ`zq~D-(Jwfsbb1-=hMa
zrymstcY)q;5Tu=6)+w@vHFv~aHeOCHWVs9LFF)z5#3QET3hhyA#4%(b(kFpbXaTuy
z!?!wWgXW=@eoM6r7fR|d5Wl-GA$U}c%^+VZYn@$vs;1-=rC8RA79LJK_sv`U*L;ZJ
z45^*DUG`b@xQrOV&*z~#1G`$Gi9LlS?zpT`6~A8@OL2J1D}*x_8!pF()Ya(Op@M`o
z?Ve}crnNiT`Se6JaEjW?>nKZ-gtWG%eY!&xP<t1uo3ZsbMh+0*jF9rTLv_<hP{6@5
zg{0V%s~n#gtmm{y$=DA(f+>{mMj;!Cf;Ho1Tm&&q-Zi?iGhgT&<t{)sj>KgpwXm@;
zNG6=g%&c<D$IeT=iO`3_#b=e4k4wPf2S!~Z(P{u<tYvn_b+8^kr{qM=I@G%c-!-av
z-y>nq%z}b(zUoQr=t6a7UN=P*Seik2B^!46mo3tMoBm};2lp25__2}R|H<5!_^%r+
z&*b<<liYUwU8}J-jF9^D&$_Zbnc$>C{tyUpQWP(aZb!v$$n6L>;+g}+zMq9+4jdXI
zHY;#ixq$Srn(fD91D%>Z+E>BR7P=uvwW%1_eRkE>Solo5$p4ZU{W#BeVc5a-R%G4x
z`A8~gDd$^#BU+$~x(u|LM;>?wWXizo4lSs}2Xzb9Ezp7%ep;H%-<gor^4t*<*S1b)
zB7@Q&%nQ}YN(Sh80Oc<dEU*YuBaIclNER#M&M{_hh|~D@7yP}`mrKQ%`+q{gr3@ES
zBl{8@Bh9d=5vl{E55VQH!m)rVS70)a3<|s4;;Ogxb2Juq5Gzd9cs+lXi01YAmG!%b
zZK9gbE903n^7O)^u9Fc4S5_3<R~w8}&M<j{7yg5W4nW|G8Q&%@V~jlk1~jKCFLx40
z4&7_RHIQK3lPQRckg-q+>sGl~Kuqyj@B%hM$%qi6M>_Zu(2}=8%Ks`D_@*Elp$&2T
z7Tdfw0U7-&WI{J)RQ?xgCeAA>ptY5Uif6zC<GB|E+wt>ePtUZ&U!jsNjCT43O*HVn
z?MP(|-Uu8}kLXLTT^kXA&e|m++Tlz2dI<%|@Nxg(lX8o{VNd8_cl?kA`ra2S`74}y
zPl;s@cB~M26U_cr1Z>w?Fm?@*6j8PS@4$dKeGr7;9a?8WD~*d1nIw*22?z;+pf6CI
zO~AcgW%ClY+$8+A7S=>*)UGLLLqBgKuD;9o!rDNYQb{E~WZl?kp&}rr4u;H+#|R0R
z4LQqJK-Ol8IWzo()Gsi}P(!ktORbZ`=v$GtIGV>oPzk=jRgJI1DFf8(lJDqS550$L
zkm6j}D=e3|$D{ibx{<Y==|t}42h;F^pBY!M^O@F0!KaWxIF4b7Yso~td|n-d2QIjG
zBVoR5v9jfUN1BA?HoY%{$Qn1@Q}LZ3#FHO6QEy~fJg~{!$0jB?)bZ-4lDwhGJZ4e$
zw91<{6hYtexLw%?SnxLd8VOL6FhEwF5)iZl+TI}F5&#vMO6V#(67bTszqbvwTO(}{
z#uJ&~5l&aa=F`^m7VM|*Y)6u%CmsG%<E2bag{FfincpGVg)}y@hkNdO5C#<U@%)Xq
zmA)ll>WfKb9ahW>c1LE0>PK|zg3&JN@*^I8Qtm@Za*C8ntD;h#?AbnaE9h%uq1@!|
zPq0P_U(guCOmu+)pCv<sP*7FF?Kdgv4!ZG(k6j5mRJwbTvJ~lj1YoW(9lB(P!3OCi
zZjoTDQs?B<k0@Yxk+A{Y=w(yi`6u2sK>6w>4<bQucvJ+@^H8*!L-&*k116yMO;4Vf
zVxk#-q(q={F@+8p+3X7ATwt)(^4U5lcS=lkvV@+*c%i(BUM7Q$3nAK}%#6NK2-xF-
z`zByAd4LkdU<K`O4t~Cw`cNaKQkba5VX$}-$TCm}olpG+=`GKDzX2EjylVnRpgogK
zq=WyUt1Pwl`X65^2*kt<+@3Iz@gJZ1Y-jGn-4#-?$2`&+kK89+rYV)I7LBy-sPo92
zpsr_r5Wh}=Mx;sM0MG=BZJ}}C{11h$VC5`G*_ebqtJsBev{(|+OmnXshf%=&wSWXZ
z0zw+jmp_3HaX}Izg0@mO5U}C`4~h4WN0C=m8E)5rCq_TwBaku^ok?$CQz{5*NMTBU
z$+g3{r88@q<Db}V-wA5QKZc5wt0FF({&4ygyZxdAW3(VD0FckiuFXx0MtSeA7^9k&
z9(QbNND6MGEdEIZG7NKdt&^#28!Qx4NQlbXPru9E2!*pX1}W#1f<VuqDH$OoXOm_^
zKzJk5=ZD;mG27((o+=&L-+0hD>t?jR!PjU<GKp-e*M)DTpA3R2)!rbBqD<~+>OCzu
zIVl7Zx^o!wxgE&lPKJ(TQ|vYi&7UvVozE|2K2a}E&UABv<OJvSdk@MA5UlkTg{JX!
zIRG#J1TdY0$|1=!WD;#ighO;J)H7^8>ev2PkM?qjjl6M*X{^e9^}8&P&PL$G=*r!A
zU&%TwkJH*yDXcjw4ykOnVj8X3Q-(i%=&5A&X^dk}K?}%OF(_Lc?81uBwWb&Tndvht
zXLMHGEv(fPYM!gAOv1nR1~;!PUH?58ZIqcm3U?4Cb8ApaoaJkdXp@oFCCPL%%zc}u
zgWwO-ujbN_GM&@8RaTjvPhO#7%=MnyT9vw!BRve#I2z2Ko+GLT;m0(L7P?I1j>g(2
zC}Ae*+3Z<E0)yy{8E798n<7WKB|zH<Opy7xtvA@YjbS>wHA7=$O<1}7KHfOuw3v&O
zVRfJBaE&$XiD6~lfsJ11H~;`8Cyrpfh`Rr}a3_zlZKq&MlCrd1EP6kRi0Ca6?4Q=)
zCKGs|u2s$x0IG$U%NGdd$O%wB=spca=+zCD3HEq|Vnz8-0}0dvpc$SS33*gBPlu>^
zrcd>uE#Oj3Ate7N4cd9l;fUkCfbm??ct<QnI`*T&iyC4-gxc?|g0STIHi&B;ci;il
zNLL|7BRr=5ENOLvV>y$i^@_CZw7}O$nRl7XO6y@+2H?IcWI=J>8&=|pwDDmkqD7I?
zEj7JET~DXQ<XRXoMB~_w{@x<4;B}#UTbdU1;Mr^7?K4@8Ri+Z^=6<-h5!|*UI<Hx3
zoS<EvUe6xgN^O-+t#N(4>58_nfzdTURV`KclKqjM=Bk!k(w>#^`RO#9$31)28XN?E
z?CZ`L&p6j~zwEF>+criGse~Qtq&w&k?a<_`f*uBIlTYlVLH!9Og1Bk3<4d>2{C8Yb
z0(BXPMAF}^yLTw@Qy(s6s5QssGgkcZR&@7wNWw!;cJ_z|re~^%-T85O^Eb;=|A#{x
z?&^v;cucT;L(x3OTNj1KdnzIJ>;cQK%sO?qbqGm%(UbY`W?;hapo-M7pH-iZUPgRD
zQ3(~Oy6Sdfe>Ea_p-a)sMFl3)<4X4;r}!y=?{5B9s*I*Z;IgzjTOS_3a6#OteB5Yq
z6gT?RkWvC3p(c$cI1>m@!-3x*Vf$0SD#lnEN-wO6S&#vYb)?{#pQooCtJtP0Vbic+
zP;TPk#9TmAEDV;EbV%5WCUaWQ@CiR1;*L{3*}dQ6W`yxU)6_{8?JX*sOmQV{eohhn
z4K6P*70~y~PsPZbp5{(uQ+Ned%OM`oVhtfjnC}-8Y)My6z#1)xxtZEh#ah;;a3!wn
z-en&ijfEZSRd+>9AJ1=*(+(4xCQ^KGUW#{L(#TB45*A(>YDnDBxFuAP<e4NbcDkME
z(Hn^Vg)5r?xPo|hk`YzZgDihK^hy=Gh8!lLCx3QgZV4JL!&XGLz_Kofnu2p6x(Z;(
z7YyNOqiVj>+02t4S}dN4ZAVm*5|y#yAJuc7=9~_a1n{8eb`&pYP(w$7R{Te5vFplf
zW~j<vm1pGB)3#UmC$I&e*)l^~d&Dtlo@J|Q2D7=&9Ozl&*_L~RBqh5Yi+g$KFl5pp
zm?t4<O7$4P2bo_h$eb>naH#F$Xle>0RL4)s`~kdp*SZx=4nKC|pvKwku)2mJz3!z&
zo9m6@{uXdq>+VC1Z|hwq$8tJv;(QxAN<5J!n>~5SfmXO*y(d}TQk7cAj;#|`5r@94
zwov9ixyH`A45{T!)U|pCHsz7BaVvizqc86<UwdVDwdhwHsX3Tc-QLq3WO?o_!NUHN
z6{bwDA?RLO!0PdRF05e8E%V82kF2$Xi-|+hnVT!JwzTUT9a>Vh&)vWdWKF|=+op|m
zcd9IIX#1BD%5ATxpFxjrv*5vZ2liyOa?F9nN~1c2!vd&{7NDg01LE-h$U5~)bkJb3
zk@8nxBZ~qk7f~3X@c$?BKcx!o6jCNhr9Ul?q!$iV?<qUeN4MnKUc@jKcaJTwz9X9>
zIGgPb(K~wKAa&8CAwug?$D~Nzq;IUx=cF<>+x7U3eHUjfX3aP(DFC)C6pLm}&&J5x
zp0zU>Ht89o6L&FpR6RFW;h&;>hDZ)mgMQ&p&~2|_`};J?cxlkq_SIUz#xJAv_H1M4
z10nC76MpZ?zTHQ&bUKaqo0zWXjFibu1K{F(C4{ZCo}*N#Ch7G(g6d2vcV634p%j5)
zk)bz<c#?8T19uCCFs-b*okdkhJ|M=@_GP~*=3ae1{cI9XK^>YQi>Q0)x@F^%Y{eX7
zw*z#yb5UFAN2jmknmdo=-P6$7ty-Mt9*%`OaBGUY&=2qUX)(AKI`pK9yTlhtzkK$$
z4sq9PJ6G|{sJK0j8$-UN@g4d7C6+CiYpD00ZEF5P-i^2wSD}W>VJhsV;%Q<d@5Q)}
z!!#y>?xZt`u}OnZoSEE?_CSa^%U~69*lhp#;E;XFeh$GtUmvsUgJ;QX`f?H4|D0qN
zwE}`W7;Keu&=E<AHh8s|^YhuB5RC1R#$!EGS5l!RlzQSq@2m9^+fC(KCi7EAs#%lk
z@~JBHVNf_*nJ~u~Aq{7E6cZW#@ktheEo96RhsYhtwT!z&k8zE`*Nv_}njihi*#96t
zwAe%U-615ir#^!2`{8>D=>c@{Ag-}qF*#ll8KKC}mtPWBpg#}$Z2148pZ?d~<*+q!
zR-E*PxX~dd)9O$t#c}!(^Y>Mb36#(%dIwZ+o}X;KFPe0F-HvSLyj4vcVm>W<RTzX8
z`p*AL@%n!gTBJU4R6528Zl9uy<fDrV(r!*Dc*!1-`-ueG@7>x}{Si9tu*kaA1}Fhl
zQjA}ZptQb4Dlym0tp76O_$5b7pjxgvMPABXj4FxlA;Sa7h<c5HGNF$52n@@R{Ig$J
zQh%jDVeKjx&6q;)y+CN5aRXljfT7|W1aULtqRm8^m8dCCDQnVI)q!6eFC|`8S@S;r
z$z%`_pUJSR=A%B$eo}hreeg6<f%KEqIuJ^lL;+U!e7q8grzxm_5wVhvKc_p(5&HlT
z8qKe5Evd4>4_qGW*-Z#fWJ<O)jn~QOaD&mL;e#2`B(3ytMr1mu`X|%JXQ0@Y2UkX8
zi}KEH4u?Oqj}n(ArL%w=_$BT-)yi9NJ5uMmaVIIX^A+^3JF<aZOY*c>bp|B5F`^%e
zWTk)Ol}K8;%0X}~0Lry84&^b><AcnC7-SX%1M|1Q9jppXU#O^Fy<=zu-wXDObjoQ`
zkH1hKadGh@jq&ZJ=6l^*QYf#UO7|&bz5vU4B;lM?9h6bT*Iql?pR)IYu>h6;{2>!c
zUMVo=-<W!In*ApQ|LhkU&kpUV%3Xk`|E1P=kpBKt;P2`v2dEEW9C9)cDK44Z4$6es
zQd3-tFJh?^nVIr$(2=eHb%XTE_vM0+VN&uy&*^J4LX9m54st{UjaY5~&i(AV%x<3{
z=4^^skQT1Kf&%Ih@FonWI99S3Yvwlyd`xBlqJn?M9AP^mSD_~Cd+Xs)dFwNm-PEOe
z$68wV`gBb?b-E)0(*EPt#jfYH&BptD#OxdGOE(KxzZQc`!+Y`No7Ew!#77_?>`37_
zJr=Ni!yh`Q7^omSIrQHVjt6aiHcSTkX;c0!-~!$=$!ZWK=Qeu}#x%Te2xx~c{PW5r
zBo<78G}q9Yac*N<Ac()Bbt}!#Q~?QK3<75oL6BGwG;)aK8tD{YeFKMnX~3>0d~;kK
z>9z2#U(*gqi(5j;Z@R}`?QeJK1`PYiFJ=T%z1;Twi#wC!J!kXz_7Y_u2kgbSDWD=|
zlY1(6!DZeDed5x$Y6{R8w?e-E)veUHd*p<oKb79~UF0J&Z_|L9QxG%(5M)aYY=M6G
z2EZ!virE^JbpHmaywH*g#P{ai9|gg<^hS^HD%)}<r7u{+Jmjh@TJSe(9u(N83?O`e
z5}W2(5xDCQdkNNSbFzH=UqU<1WYG&MRV$&0hkidLC`<O}+*YrRG``@aNmc^kCQCuI
zI_hYvO3C@}JlP-6(>WiS@cbj-5AC2yT7yq*b6Vm#jr2;oKpAd6al&|h`}JF89KthI
z+N?j^H=gQcC2V~)znkI(B+f&w7N&pcVVWTXmGaD$bsLH^j=EwRQ%nmc=hE<f5WdR!
zD*kO8)w@$>H(GB%FQNaNA*cm&nbrQaRXb@d1oR?3<(Vdx^-$#zFkQ#NI2&pt5Ng<^
zh;*W*9m)b?*gwqxj9B$CGq)47V$9H*RSeOxD5t%bT8h2U%Vm}=C51B+UBIwI)2qXS
zeNpi)9v!3GQ_YM^<gDoNsx9DU%RuXNueKR={h-+LGY*l4toYo@4#?22&HMabw^3P0
z_6JikCxkyd4vg(%$J|AGREd5aNz&pmEWXcjBa=wITs1;UT?*v^y42bj+=F8F^Y=mU
zEpV?KI(lT{bqpiv!7d<YUE^_bsAlwxH*cq~?H2&I_(eY@;7OTT&3l6lPJaDf*0ZAf
z%nCi>q!^FXCckF*JUY4kUnwyvW5Vlod^g^5UP-_cB~t#ttouR8BmwBy$H2;AzZp)h
zB0i1tXlZ(~Pu_qW59dgjeZQ(t)b6AF?V@k;zwr`vE?>!4f0Tn+okyZ5)}YOshLLG{
z_g<#9<DYfx^QROGC~Q(~_s?6DLk6<XEgCFltq^SF%YA$mR)0xI1<t3;==H~})C1O+
z@{hTgG4=KoC!a@u4Ap{a02eT@K_!bbJ#QlT3^<8i_$bn6Zjot7ZB=aWC(ef1+p?F9
zgwxzQXpm927U)h0*8pAZXA$&Q_0UypaRSDuls#4-%k*~4M<!Rx;yEZ>8W<|}b`HP=
z6avzFE=*!r>#1m&bOE4}4E7H@l39^<lG3<6=M!CJhD}3JFtdd{Dgk}TPE2?w3j6ll
zgmVzIj84|y;^d#XGV<gc3B6?=`}C@g3tr09ZTEW}u3m#MHA54R&~a+))~gCN#taUC
zA)Ls%-z1_3;w#OWWV{(^TXziI_kCs!bK68fD6ibe01p9W3%bqNRjK*DV0)bONLw%N
zG)DPNTn97orpcd_(a`@RmNQ0K&;jY|%)lL#7l<WrJ4?>R`_@@avq%!!r-A6zd7_7}
zK`Y592%eNrmp)SAO~uM7sFJyy!!g};T@vwoaMsy#k%IKFZSYbH-zeOZg@Io&)=WOC
zS3<0Dx=(7fB|nQvtQ0<-XFk7x$W2e#tFcUja_}K=IRmhBb!<?A(?6hzj}nQtKGBUc
z&AP0fl;kZeybSKqC*_;!&B<}hop$LR*>6k7sTqUIU%m&3_v)836${Ah47LomIB9fn
ziJ)GRGE=0_5BzS==d7JF?yIE&^?WTdpn@LMQcTCATN$O6>&e|<Tc)OhBlA<j!&B*>
z-Aeb#iE1H6YfN!O@RU19@fIqkq<V5ZzdJPSt;ez~_9&AbQd>HvOt6-zHD}U<Xko3H
z8Cv!R;x(5gel2;TPKJjCENh-Q{OScY>_aPKo?W-3BCF@z6-$Bpn}+&aQV=tw1-=$_
zso!VL<K5Y;q}VxueYiuRjE7wSY8u9N(~808t~WDGC)fE4#f|vxWm5c5DvQoi<S|63
zY5gF+^rrHn)bKQZ`}W8$dv)D`CiMmFZ7L&W-xAR$f><kHs?Mt(Wy^Uk#_$yJYMA16
zwT)iW*jN&*YraWX*01S=f2dm~QCk=nYm5lClz;&Q(nk2Nww>ABdg+wwgqAjP(-exB
zEdi@ZBV72Dt{o`~_QFK;u)w(Az&LH+D-aQFIN!O%xu8^jm&U+fzL!TClO^;`X{4-Z
zxF-R0ZF0IWtxf+x+bumSeW|3QsVe^v%nI(AaZOF)=EfpKa))pyhzyFK_?H%d9Z_1n
zuriWqQJSUB=;5<@N<aNDpTVXg?w<bj9!VQf`c5}eTUVj^FntsBa#ore$gaI?du5`l
zJDACe1Ek%~#iC1&7~r|zD(@M|_wsDdAu9FH8l~TIhrfpExa?FGLyXPBbB3U(9U#yn
zae`7;u}&RTa`iqt%4nU$P10sddqu*IMAGQfVt-jPr>G{E1!||mY-6vUOViFeHTaqv
znf7WRkjK>|)XqXL_bdr-l}xV~qs*jpLrB&&o&uAsHkHWs2F*CskYJ4uE7E(K#6tk9
zQ#k!#O-z)CIDKRtix|U&zHT&WX;7AABCJtU^Yg8y%}2p|(bgw}f_6!5b(8(AoCUie
zM<QCvR;%n=#%Dpa*|XD(9Vy{-vi?>5Aq~SCLj6t*^6flww!d6gn`AbVCK*7sSr|8n
z%oL=)S&R5T-(AprG_Thtv;Sdi8mPTMcXW7GT+`CUHZCF)z*uZXwWcO4P)lZGpe*#@
zU7>#;#z|esvu(QvGi%I}-IoH?Snk<W@vw3zykFAAe7BY0>6FIA39-b=S8cC#+~V)A
z4TlOcaO`^uwJh(9;KZKdoNd>gpe^+Y`)f-#+nWl){kb~hq@J2MLnzIDu0;v4?0c&}
zGM%zCWAcsYWgHojgtgZGQ#7IS;$%sT^po<sUrLXVmBFP~Qi1nh*V7-w->EL5e2VT;
z4;EbHOj1B4<x^=o1rTT&Xr!;M61kT)P?>Sqw>9aBX1T(7=Ds@4Gif7Ary()E?LRo@
z%!P4BtNRa%72Z_e16W;Rk0c%H&wHkGxV||I-EnfZS30XGp@ftryZ>?qL(SgVgKJ=9
zs*RJWEFe4$d{m*3xQ}!DAWbCN8kR3wLfBMdNH2NY+cBt>SbIxj#@Vk8)m^VGbZ>AS
z>r{PPkqpLDYr$N4;~;7OjD~s;z|?j?ofJj;KX7~Bq@~Lqy~9|FB4l^d{()#RexR&R
zC@@JQ4rzjfCHF@D+fKEP)C;?~!L$NFajV_;<!m!=xAPN@H)-Fab;*@;Yo5Mntipj)
zKEJ4JX05rWLHwWUH>rKi^#nAI@I<Y&R(}FprO^G5;0LY`lkOV00quSvjq-Ah*NQ<a
zUH7H;O$=VroOfsY>SsTH-{nc34Pex`RcK)w_$Q@l?Y&il8iT5WTQB<gdxxyeb^|S*
zx-@bhM5VNTE?QZE$q9ieJC3Zfj(;q$bkhmXVMjOQK1zuuSN_Y<QeR9Uvw0JAw+a_j
zNyRVBGVM89Xb6Ysx7UpA*#^<e-!NruxcWv;-Q~AYzNl&6sjpnczwFqqoCvuNxZ9;X
zMKVHM_??m1%El~qc<6)Bh)e9MWXBq{cymq(#jEH&?$!saCcGDSn8>255>L5sS1%E%
zH5WrAU%X1S%e#KYD(9LbL+IqmcaOC+KqDgL{*I0cx!YnNaJ-Nrz#jhfVEPpQEta)8
zm6DoX+hY}>nR3Ka*L?Ws8+L)1;Yk&yE3PXgulTAbRdfv8&jDC|X(Q?f1tS0}8jeS@
zR?&TdU`|auFwUBN{Mgw__*V`|PRynj6_X#tdcK={A_kQJK2)9s%%YK6l%<6NC=z)D
zx>(5Np}iyw=3&WWgfH`Wy#3Pa%Tv9bW8|Y+e>-xAWCo2xXlJGu@HBJW&VxQCS{^+;
zHhAfVn};QD`7%(~U4d~birzqM^GS<$aWSaLiv}bT1lw+~9bAx-ZzTu^%=kjl)|Sc1
zCD{{N#S~;;#BSV~=Mq>xojbWN|KjV^L%ATSj~;@h^)^#B-YyYoLB?OY6v}xA6pTUa
zN8Ekw(E`gxU3{?qx36~-_^LgJSr;V{!}QG^g-Q@fs7pD-&74$dM8OZ>WyYLx1V=!x
zs*BBhDFWM(6xP*T!p=B2anklut=uIOETK(;tp*}%9d79L$m85q{SVlT)k5Q^p$ul$
zxc>Ie`6>qCrDlbLyZLciXYsJYJ<K%m^4`v{E2>lv+$BVxG5i)Jfo>VTn-H&<cDFKC
zu^>hxSxr7rOPRqv*&Du=Tr~dCx&5lrtCP>X4WG%w&HTG+uFF|-$J@E`?B@L|jm0UA
z2g35@=*AX_V5OTOg@eI*R3S~DNiv)zPhNO{%i~Wo<b(RL&$>EontRoA;-y+h`%i3!
zhd4Z=B+@P%rB%sgs=F(3gE6B-zY0&D>BZl%9nn>NToSDIGoiEI?~G9e<Bv+RAz!*@
zIj5=D@seib1cP)=w8_}_%-KmXc044vGaDgcroki}9Bi^J_7~_Rf+qq`rE*Qx6$JMJ
z&eTtMMA2fMGXkvU)g^b0bE@z2Rf}e^c1z-67e?}9CYQ+6qR+tw36)1S$hs8^F;f>x
zft6{E>cSl%!B9kbz`M+*yS+yxUlD0ZSZ*nQn1)X-TEP5qQElSE3Q1_(3@wo;#@pi*
zc5e^Phq~LTZv#u|j4E-B#?EjGpq^!ZHA-|y3I94Y;@$A4pfRHtTVy4kd0iI2f1LEr
zc>+kOsKF8ceYSML`LXm?fgy<y-;I+Kg%S7~nYWofZdv38S}65?${^0NkrTSJWK1sZ
zN2C6gz^I?_St>_p@)Nbxc{8)}4~7(nJW?s)8+C0N_oo+YBaG?yO2Af!nS9j#ibVt)
zk7rxt-p5!&z7*p_tCY*eq6_4!iQGS%U`z`>B>BWcy>cRrce!Cu^Qq}Tq^>gYnSMSN
zf!HKFn0c3&Y1gj5bcz_xqed4@;V)!6zN&-+hp!$tU;X5g6v;Q?R;HPVBK(L$V!9<e
zGM^P*5x{z<p8O=~@gskh%*ZKp&bxwV^_FYcGuHD|pAL!L5AjS7PF8)S7Y~|M^;v4F
zknda*ba+MJRzTq0qN(U~hc^t*KY$^LKTKhO_qJuN=p7LOJIc~+lIic6!=5M9&b@s<
zMjZE>a%ey@!g23Y#|Npk^kjPK*{}oco~XsP_vpDEkD2d$f>B+sB*{v@4LV-Am|=3S
zC)tKRG}zhXw_GrAZA6fel7B%YT3ps{ZU4>T_}-gCa7{#WoVKMyVews2QkSBV(7fuw
z2P>kvx_&Lx78PW=TE2Vx7l<H6G%+uGV`vHFOlnBc0gOhQFOsp}{I=`CM)guBh-uX5
zEZ}I*;k@Ax?s&Vaiq&3&MWfe7=G=gFcmtnKf?(#od1^NZ)ws8@Nn{&DGTR1l+@2&d
z??0tkvC$@Rba1f#S_V@)vaioM+SynyjmorEr4NVLV{ln-RmmCQmNGrkssZ@L3gWx5
zi&!!UaegW`x|vmU(t)~1NG;ui5Mpc~HEi<f(%Y)5!qMUzhdtq<YL<+zcV5d+jHf;v
z5~*zDFn)Q>T<q>i`vS^9at2<)*56i&qHpY6OQx5T7%LLIk~yE1g;evc^2%kPmnHde
zw(2aN?aT@0e&jS)lQM5>+tH|5d5s%Cheh9wQ+O!aW$JZ5Zk|nyF7paUL@GDVo(CPL
z=$1jh(=_?xt6P^jm~Oi%@pUSoJR2CWvU>#8Tdz<A&&6Qj7Glc;Vx4sq6Iu~3Hi<o7
zBV+mNy=KlC?_XBAmlP)UZ5qY+v1Z-pL#6ZFC>HG1R7~7i&*}~+XMQC|-m1{$f4x<C
zMVe1A`<MwC-gjL@q+&PUE9a$v+Pf*puDMJ5j&KwzP@++W)z|*fa?ZQsykGo~O)b)G
zWxQ~WIipX<=?nXG>R=%EG{>@fw#@>;{c1YBoDr;Nh8^OZdB2pcoSt44+@Jf7P4R{1
z$?J>~9GX8g`^!JINUUkFh@YLT<R;-6AsWbWs(rJ~s6>GAbbr%E<|-WD0KUcOdK+!a
zj#@fFcSD@Vfr8d$#ObqTFB?S4H%RZ`Vc3g-0R?;LP5%QC=VtWR4=-~l>nM(1Cz0&`
ze4X_)pRPvF&}=(xRSF;8-tHXzety#bBdZcw)M<q05k+_&COP(ItUMm_3pl7C1tks&
z)+qU@>4DMtuJkQTrNe<p(z@v5e36@yta=HN;;Uzdc-w=Ydyt$illJUAZ|+7vJ#O3i
z!iVX^BVRYk)n(D?eNvm?dD>tupLo=D+m^Bm>B_V^8MnoEBj)@J@!!h$Zp@eYzZtpu
zm~kw|FgW3q)uo~vHa*M|Vvon-Ti8kOW4jTHUdme5lL#e$Vwjp1q%qcMf$|MN_qQa%
zy%%YgSC;p$n=hnlD#lNYfJiz)-CA4IUy7CCe$m||&r4egKfa&Cv##)nFU-558{P2i
zj>7=WEOPV!m=#^BUxHnugYDB#8+j>Q$UF1I?$;;vBvm^lYmB=eT<_NsTJIb-^xhC8
zech4#v(3T4Eis3H^kMw@miKnQ287$!PRV~i5M-;q9pWc^?IlWN<@z77TRfCXcp<cZ
zjS|~{<m#Jb;pIFS_Ux(jgDki($>*YP>nH-g++F8{$yYyO3Ch%QaSZO&<EJU-N0KG&
zY$R3OaC`xzMn8xvu7B#OGu?MPCE)s?@2k@#rR@>&@bBpdB$nD)EQI3pAmD?*j!*l{
zf9^&EQ%rH8TFvb^I~_R?R)M0HNwSIoo5S%>F@Y}ee-?tb?D<azoAbYAKdt)ll*QS1
zV_xkaXd}%s39g45hwEij{3_9-q^iRUAv>1YMPQ|Ac|cO{^u_We6EZZZuCBUNq`2aM
zix|#Zu>h~f93zns&|~(Duxn5KZ+Dg)#mv!3b|~3No2Qw7{3)s@4U-=eV2`@0{C0CI
zVi>Q{ev#zqw2}E^Q62A&^PdDfmDCt&Sa;-M*YNHJAIlXZ$j%kt=Q{9s@>O}B?ASsR
zL71WCC5|IG9TTv`Wl%&YwL2?87pTim4%K=FVd=~j1t!SRaQZVv3FVxQWh2R7(I2g)
zz<tS>pqA*TMYCrCXb1J0(^~9bk=mc36Lb9hy{P^Vy}J;&(-zBL9|d_qRsa<kRoIe1
z_~&rxyAIIW-z8x1#sUF>-h3&P>}?={ZFybKlTU!~QVb3%FFwH=bk9~(epp3zEG{ll
zsrz@|idd29O7(#Fd4IPDt^9ufmwGRu3f24}EaWVH%3aVDufabw^wxvBEA@QXzXgai
zW4$U<{!0yTvbexeUUg?41#mv~>rESG8Nwe!zc!7yt~>y{>qCk<7Rld#m6WEj-fJa;
z(tP0Lqp~Dkl00GZhl(>(V(rv}DlF@T(@Q}V9XST-HLa}Fb8+e`)03RhP;(Yt<g>&{
z`ibOQ<X=oX3722r|6uOD<Ej3`_i>J$Ju))0R|y$qB$**niL$aoMn+_v6Gg_c56TK@
zkew0g$lfVsl)cIxg%H2{Men|!?{9qn{yiT4ct75qb6(HabKcMEzOL(jb-uTq1^TQJ
zhznwfxetgX5wyO)%0mcn`A~4(%ge6@)wYOX;s20W!c9N~<pLfSS~zhwkW_>!2W*Xk
zRX`)?J|cjqas!Vh6fIo@+O-;p{6BNpt%6|+IcTGsAs6)l!2W!*YNJ>m(`ry&oEP*0
za|d#$c#8&d@xDOqGJjo*j6G-{03OW-j|m?@^s|*6(i|*v<N}1OcuxNS>5)G7I`1jB
zgK%DMSt|@H*7&YxOtYBR9a*|MRc986wh9P#H)?KtXbZr{T*1$i;#(sKO265;5KBD^
zuPQjSJQ>jB6(2+fAxoDzsrg-k?-$d5gs2QWRLL{M<1^5ws9{@ZqVA0|!$(r9%uY6K
z-7h7ub|NB?B8(3t^G+jP&mfEwAmr*I<Ty=fT1%SxhMcOvCBN#2@CQ$tqGeml8STuC
zXneFE#&7^r!9~JVP3Gf&sK`@p8J~t9*JwJj@J`xX%v<O~p{Ri(`{?7Fnru;TQCw9D
zg4>H1C(2eYP-0#+V`hI_%?F~iRx^@8W;~I8a@wOTjdrq|yi6jka@1|?GtT|6;A5Zj
z;?naBvo|!kFdUe@=ht3~g6=O2Y+W*eGKL6SKj!L102D$AA}djF@5su{0kGT5nx^dt
z)Y3iADmAhP46kJn;5V3Gf)aWs9X=31lBZI89>(MY@VBpf9(~sXv`8@Nqyaxo;swz3
zA%4tE!UjCLVXacT`|_GF6D}PFY+bV@+<la9Pqttn1NQ_ZA<w~!VQXV48f-MIVeJ9Q
zFR3lv8vhoA0^urrV{(BzJ~k~eXKg=60fiJStu=sK*n=byJ|N{gV*~gnR%g1Sp&I1)
zUtLYYJOJfj;JZt3CjUTH^KoBQ!zu5^^IT$T?VJ`T!h>WIG1SV@WW{LR+M<`$X{aKG
zi%gPy+l1rY17Xbj>;FR-(<Wf@dB@3eg#AJG+ac1j$F%bf_H?chcTlyWL?gGzhJSNa
zZqh9OIi5Lv($a@I)4(qChiT@(IsDgX!ioTb96hdcx0M*qVG{`#!)AuV)rQtASl5mm
zCfX`I8Fqpppf>QNO)L-JZ;g9V{N_Wdc<EBKhb#Nj0&a0K<^=+r9Lb?bV$o^YFB5}h
zPS#Ene`YgK7RoHyYqgSU!_6vNUopq02pB^7#r5Bk<Zpcyj{fuGN^qo35^D41ld}wV
z?Brzutj{g_Kdk)}IA=EyO~vVFbh4$rEC4MKg+A|_rTqQageVnxOuyBGw9g{NfLMhb
zwJS{FgCca{`aWPqa@chl%#%hz`PP8Y`2gt}1=eAsb+l40Q0#7j{-GHt04LnX)e^-U
zyh`o63x<WB)#dPb@T(2R&H;mUSdTnLJjZ2HS~#>}2vV6Jz_1TV6^;OC%t{w8Fs=$$
zavv>)+%(YG#MM|geFX=x&n(QP3(53%fG6qyvqzH^0JyEkAxBE5lSz=0O$U-;>vB&0
z(3NA+Q}2F{`HkIYG04`SR!6PY<LhXdrPmQPnwEmpjINTvDNT*kzVe%&5UqF<XvQxK
z4nw|S1;heFKhGu=MN^?-`+xFTKh$#PgHsAzE;c;Z_w^%%>Sdd9F3}c3#S^bBmt$(d
z`N9yKFU%hM;%DDsM7+?vCYVG&Oz2|x4_Z0)mPbdDHxtI{qJtt@jjvNUJKl=%j!!3j
zq?lZE2Z6FI!@;WN6JF^Yl`59azdneR#`|Pg%?9pB4yW{r;Rfk+EqQMXclIZT(asWl
zUL$oDHix71&-5-u&CX%BCkk%6ZBeWJ!S<NA3F|M8w38QTm(OYbpYB3LZO+yA_^5~M
zTuGaD9Q&1K^!Z>EuWNW)CeXH59_k5<FWQC@wwG~cs`dN}!27t<UaR;}QjktEB~)8^
znuntKrLxgrtOC!Sv%Jv=U?4j79CCxABErQvobeG*C)+)uZTiimMtab2i?cvRvGafw
zI5YCAHQ3zs-(U8TOJ|vY6e2wj=H<SWNL6PfFI)^((z=gj^=jWiHMA?M;9=ft%z)MP
z1gjJ_*Eqz6G2CpgN0a*sTL2K9g68X3{nsGDW=M7F%n5$tlsD%~jw1}xi72^c;9csJ
zIjP_m^(=z5c|WR?Ywc9Em~a_=-WNL6G7pYh6#AOZgW({IT)~-}a(A4l=*#gfW!u|j
zXFn9%$hwk_MoCFFe5uzk`fAba>MdS6r)3;l_Vrs+3tq<|#%8W`ys3`1uYgE<gv_Yc
z(FT7@`G^O)LAvP>s7<uZ`0|$4ZAeY-jF6A|u<%&7v5qgWjJ|6}^UYA1nH-<fAMC-B
zW{kZ2oP15C;HSnq4;e-4ty@vf3b-1qsmEL@^{dFp+Uii&J}HG0dbcgrsP&0!Y)u8w
z_dXLH!qrPvAE$edwbK1q0BrBdg>v@Ls1x;ArDg3cM4lBuI&ow-hqLhLL+@X+R~ogK
z1GpZvhO2n^0|NT;{#Dbd;@;qr0J2--{&p)X0k;`Cc=Ip6i2Ep^JfujkE6Xkd2`BtY
ztT*_S8`$RAEv$p=p$NRQ6TqsQq*~&p=4vFH+q_JY*wy2SY|Xlrn_AUCwxk9-E29Bl
zIOeZ}d_yevN@kNC!A$3pI`QqzIPZiE$Oa;1>ghv~%<EmC&$mn$#ZLX9C%65?a*_mN
zKp(S7dH8G!H^txcnL%=rpKaVi$oHJ*LojB8Q97<&E$D%+Poomn$d@c>2j!q5YO<B?
zTx1%V)^xEmF65h-2j)-}`c6~_|L1M2(hOKF<_zIvzl3VUl+D$A*DzVkXhy4MQ&maJ
zHbG)gw_=4O)7pfOGRC%0;X>2TICd8sVp(A;y70!P;q!w%T(~x_S(}9A+c6ycH#X)7
ziOABqt~;WZO=FW+M;%q7xzQwFqdF9@VtrJm{c;k%hNC^vnA0SfjU>X68iIuG!!Ke!
ziZ)9X-0Q_oGM^$E-o9?zpTY}Z@Uhqa*UcnjL&=n5cp}6oqiYBkz=4J@Xay3r&nJ1_
zj=Z`q*QlKwyeAlBP~+ns$)$9yw&Rcrj8xZz|45zkp4}CmuRc9ZV4@-16@2V{zlFsE
zrTt}<2U(~iD~Pd=<cLkyKq>Y`hTz3!qNAJU;0fo#yP$=S)wRAR!Y;E~-*(AiBxo-n
zLHHsHa(q`K%T2i2SFdq7oL!Bk7GMD~_e{DU4frP-a6f<%hNURnl*%oP>%L9hHbJJZ
zVMAZ!^eH<3FmLB8WNCf&82<S6U}+uh+>*l9Jn#UiOJd3d>2<FKC*18ld1pG)_D8It
zXD=sne5zQq2v*FK{v?loqDeB^A&}kSX%@kn<xIIeAegP2ILYES{<MZV`I?+NcnJ-<
zQ!}9Fh2)&#-P^=;ZcVh8@!iC|;C7oXaW~eeRc$&;|5WIRhxF6%A7|uflZ(29U)TB{
zZu!vt-Sv*WBTqYlrOIbkRLRLA2O$H$H!H)#K~$VtgRz-83p<Z(_#Y~dUlP^q_?C!&
zZb4-N>PlbdIoGK98X`_i&am+9ipV@3<%AB!3Cjm&RvM~P#rzBX%~%RGAg)B1;X+ko
zh<JqPS#D|$V_MZDYJVEun<}2a)m(pEUW*2pZ5iRsVR?!;8&1EawE&M~ZS}XW-ZEHM
zn>ry>ABq_7d~P8^oN~b3&-GY=0-%)`N&AG)LGJVNX<_}xw%iK2>9<dOHyLcJOZRmC
z((-W-#>-45Y_e4h@g;BTouDWI(@i68SzLKs?R03g8W+X6xG-3`->8H~Y-&<^nmw<u
z#cJZQdS_OR!qh5wc~)kOx_xzA_tEuVMkf)TTTnzTDeBF-j84^_xpbSVwq-1O;^-lE
zENjjXZMF5T(v*hLk<xy6X{C|b06Pw?y1IO628V%9M{<TT3fZ6G1y3g5w2uoAzuB46
z)sm3ypN^`YN<NFaT?FvJi)2QpIo3T{9ivVnk(OEIQ$zA<!P)27EVoEA&zomA;0D~p
zqXc@IKG~YAI$?(sF)q=={&&Sk@?<}M53LwKoH_9xe&H&cv{qN=^E(qoK=(y+1V=%E
z^2_VGmDiiD@W%4oNcuogOmPf2`}46&esm;x%ZAS`yc)EPeT--<&i5j9Jg$uR?Pgr@
z=3m(4q79RWTTR<tz9oDJ*DC$Pg`3UhyOT%#$!Hrb%ei%IAgiq7Wgtj4RT6rp-N!d7
zav4cdkmNcq`heS^vDG}3mmWQOSaIPO_>o25kqyRi=flC3Cn4X}4t`0ZLAIov?G~U6
zl=qrVn7!1z>-m=ZOUPyZY%oA^LEO#*GJ`pLmVZhZf3264`1UwZ-ZM_72B?7<cl;OZ
zbZQYzV_#=6Tjb*Sh^0aNDHlx;V3Ua_vDwa3H^=FZ)WsX#$v~~z5*v<uXUU~;=ZW?H
z;i&6crR$!N_1?M4<Eo1nXM9h2#)&Y%IoRfAv|Tw))3=S@U@pVlmAW3YSG>eQrsE^M
zvp3TFknH-T)}09%u`12(<^;O`1H?hbah1@R<Is)fDZP(f7EF1wkdZ7Lya79y(ncpg
zH`le+L&`L9w{>^MMz_Hwfw0}PGgxd>`MRspY71X6FT-giT)^5NGR9=2vee-1V%3;d
zO^!)<ErwM~J+^fOxKOHWd&zZ<C-w2$=1fM9dNd#ltSSit&YFK2gtR=N6o4#r9L>6*
zc7QC18VK#Va8Qk%@!`P_{h<2jqE{L=>KZ|ZqtG|Cr%Us25pZ;l{Sl*HfB5PX2JeTM
z;7LxuE=fsY6DjU-8Oex{AJ+thS3XeLt+p1i02DUgc-3fw95puhQwf!n%w|WNCArJL
zE!S~&96gmKd4ciXXQ%bkJPo`r?<EFx2DhVbsd8PMQcvcg;|G;2_hbp~lV|Je%aJBN
z^Xh$*XWMl+{RsU=I2Bwu0&j3Rj~Uz6=NZe7hYvV&%wLf>M^{9NJW|!@%P%I>SpQEY
zl4MqPBS@^hKlDu8j`6_L!0A%Iy!XK7j!p?S>fJzd^0Td0I^rw}LbL5h$E$iK6^f^f
zh*hJ+j?VMH1a&D`wW(g4RFgqHaoM^^jb*h5|I(oHbK)p)&;?uxye*EZnZ6Er7o=B$
z4R|n+T?uB6alT`s(cvW+pt)Ln5|E?QojkI^OLyKhwus2MkNrO`z{J~({!3Ov5jcke
zMrgHXmPAQ5DaJrHKnSCvU{lFR*!tb=*+@-}SJ`|#W=s6#!jyJYYaH<*^~>fna~A8;
zQtdbNtZntN=PUe%h4&kue#a+)2%h6!z)5T0Uw9nMC(iP@mM2w#gV|{+X>A7ApsQrm
zIrW0zIdmd4?DV1<PlDcvHnU~~=Y{u|J?V*w35f^`7bMF2t7o{ggFcqt|8@U!6Q4?t
zB;Lz)V@cAr-{%u^U(u}X%w8bqwJc>cGd`)8@MPZMuCP6G_}N`9;Ig)1ON^DjkNwDl
znDRZ?BdD%-f|vC}sCb5O`}BLSA(BDx5WWwF9)ga;u<DD!Duaq$R{Y}Hcr_TP*0<n}
zvBN*+2A&bLLvA9^!F&O{q?kTHrNh;I{S|QkiQbqutE&$FP%*R7;6&BAY+WGYg}Meu
z3bLYkc;Lil!Le>`No3aF!DGE|m>hqu9#R$|@I<@65!^4qmmU16fYx;Udii|rM#>9&
zySWsnSx4u<^?8%!2M^_>-ZX=KYmDd>Q4q;%REY9gOw_ad4iFu)CqvaWT`5{)D5>Lr
z0p}1m+}w}bcmxY9Af;9=gmi*eN|q;>P>LdAMgQeGvWJgYMjC<nDS^P?5a@~a%nkX@
zq#2jkP=Lk2E_!;kdJ+2PEEt=j{<l~1b{;;h63(pPX(=Q{LU@+v260XKJ7OExcZvAs
zcZ4&A1jo)347C&aXLdNh`45~xAJr##CP8>bnb13(c=j-ASe){w8R5>7FVSY=Hu`8D
zdVm^zHV-YGgdU+K%-bb(oFseDNAU3}fh-5%wE&_Wch=`#+{<+nD!Y+*oVCiFE9NyB
z`d$ik%G9Flm-Je;@1-cME$&Q1F7(~UDc<ox(N*3uZtGIZABj|=SJQ>le*KatJ+4(Y
z)s@CRe=`ZrUw@!|p0(|Yt(2xvif5u?@vVSzM3WsUYdBgE+FdDj8&gH>;z4lK0CK2U
z*<05VZ>@lOEDO5Tk;awZH|kU}8~Dc>Fo_w7um1u2RhnqURjqj$h@3URpY{X55RWIj
z9?4LGBS?)pJaX$fRWyJQPk^RbtY!xcwkxEX7!-+3-sdnCmF-8=TVO38EK-saOh+zT
za4#(><_EN+9)1S@#|NerB6-w^WPMW7St+r0X7L^3z8kNv{Gz}NRF3m;9a`JqUmyvS
z5sH5+&He%y?uBkOgyv5G8RMZ}hsx@ipud^DhDB=h{DEu1$W>a+<dtTs*MQ9B^&y5`
zh?8d8X)jeEBD;^`2@$hfFbB>a+^&*{pGQd0ybJsF?bC{HPn~~FD!l>N4Sk-_JHDGb
z>59I~Q%M#tmk1Ys@4Q8-8ybLr%2SDVI_6N}{pkplr8@kgsV;I~PPapI^z0^>SG?@2
zqInmAlzG@UIAa6ZY&U$6?6l{1G~7S4fLl3>Ir1($AXIx06qY&zoA8QxOBt1J*&MUK
z5Ji|ky3aTTVtf;=w4VGb_E?S?YWb1OSovKQ=IBGj^Zhkm1dPYLzvD01975ewc~9<h
zE2y|^W9AS3k~F%C8Z-0^J#9f0!A@B9k!XMvb&H#HmW33M81m{RbJT-BR8(fv9YOT+
z{$0tXOVmW0t`&p})9fZbuilb0?H-EEr(kL!F548GuKh?Vnd~HNu&tcg8jMFLs(k6i
zKffl~Fyxl$U^KeWj3!Y)-^jx(ETAd(P*tHv)^xs+c$yP)oU)JcUaKIIdBzrE`J_YT
zQx&9)(Raku{xlywzPI`SBgYT19w|T{0(5OBbc!l9<iiv|UDioi+Sd^ao=2b0{eV7i
zf*lD#WzZ>ydNXXRYqZCyDM02VoG4+z1)d%Cz*7Aj#ocFXL^^`tZGd&KRC|MAr)xgc
z(zwH@#!vZz-L*hCRPI8JHc*YFL4?ZfH^F?UKuXRBGQqD$lP<XB{+9#?0(>~FQKeky
zHo+kru0%1Oj4jrISES+3IxtFS$6CSKr}tb0#IrBSjsimDJx|2=zBN?I{}0HZFZl^<
z7{mpdKGTZjb##^0R#2uJ=jv9<*p?&fGpq3_jys2n;^&=-W1S4_u1z)ZNocQA^4-~7
znZ5fqaJ+#cRpHJB`kVZ}wGv{5`I{iN!u~=u3kD!5S5LpFtX(c{Qi7&+hN3hWfc9T*
zJeTH{;)L60Y?wIvwBn#KAVt5F)}YSUOEQI>E*@Ea29R!>tCO$RnLy@07W{bB4Oj2Z
z>Q<X5&najPuG~1>dajFG+AeZy_#ven?sy@ToQq8WG4|DwsE#;YQ0cz9cq}LF)pFao
z`B|Q1y^)9gYH(UL7<n=f*I?0o>nu8cXGW+_ZgN2ST{wfX-=C=^?nv_Mo|c5K+Ye&B
znh`t(6U>RRp!p^o4PM1`H!J3H&i-`o_(mRiozhdpKE`=wnAC8H6oC6k3(CtaB)!SZ
z=V-i%J_^cB=gcum&uEX1zaza^`S$6`R*Q_v*WaW!H9yAYj5Iup+(?#b5wCgmaPG-O
zQ@4id?ypW9CD}kz@bStE&y|+oJ}PGfP|V5<^`X+Eh(}W54@;Ugjp!6k{;9XSTTbee
z?kD(yO?WzTMx#ujgu<{vfpPIT^Ty*jsfeZDGf}#RaSv-mZhg#o$X+kt=vfZw)soBq
z(yJ%j8~>#FNoiLbY}i<^(r_t0=L&S&<9ne|(#2n`6&TBE^@XifX0ea|i$58KP~2@I
zGMdX0NO@^njJuMumg8_u)!hIv>N!tS+E+OPxfymaNL7VX`?CJ&(r27gYhHFc?#oJX
zP94JbKaNdZ;*$Qo$rGl=)(oB`J%tu$%3Ox7*^&U!j1>02s4JiO7l0yt4<siqmQvq%
z&535kf%`={Kv-gao$1~ZHOu!zy`EzI@eNB-Z;^^&iFy@4-cK}Zrc#fK0)?Ti;?ED~
z+KjMpXU>~f-b=^8jgWa9)WhNYHohm`WsJX%+KMITuR4D_HV{<bsSETlFBa$`2qbvu
zI&zoPOtTtkgsj9)Q=rTtxZRF;T6?vSsIZG9H(xHSB)1WxoQSDlW^YK|>;KTkGXPB2
z-JGFsuOtOZDP3&9Lz?|^r?Ks?5tV^xbkA!lR9D7jz9(`!_Li6C*bTY=^tb%H?nkE;
zq;MkZ!3vi&al7tGt!fk><{fq<U*y)&-z-!0AK%?5J7cQXt+$UI&E__6ba;<;vbm}-
zI&LlK54tOBpG-Gw3Dof4!;o>QfJWK65B#f_BrWl1`F86UWVYKhgKfV%#wWHru%pzs
zLCKI1*kJZRnV6St<E_zbTpsPsSPlx}dr@MGm-v_7r`(#+87x+dr`6ZOx}WfiN^usv
zY0qH(mK8j&wQL_qdPD`&Dpm$94pp-NL!D8}KPC8SHvdm870J>l+Y0{1WKOu*flBOI
z+m1AC4$nm`RLp=YKjTv61h)T|vDA5~*x(Ved7)+;<&L@KspF;JJHP@s<@PiE3?qqG
zQ0|%j){Y!(F8PwBeK66VmWX#hecQpmGqSh)tjJ!F$3n<xsb&q!+v5+C$+w?e;?k!p
zp;%_(g}1>uoPAbCzECHJiAH=Sinap0)Gx;-ibn_(+uyk<?sfR%aR!BZEn#<w?+yJ-
zBh@YIA3JHP&V5#eE+$ym<so4@@nc?*7+w=yllcpyzkKnbiB?kcyM)ZnWVqcRjh;j&
z0@@(q#3AA9zXTQ@br90rk-~8mH}On%toDmtb+y6knX-J6SlUjGtlpAT`jJa;^)73`
z45Y{3_M@1prE_h(PrH@m^;BU0oL&5GZ8LjpkYdN1E_rS5Pjl|Auped{PtOj<lH1_Y
zO=$d9dELI}U({fq;)@$e8jG`y^X@ne+pc<ks1MP5B5t2xmaEKMuD#FCndX>*1{~k?
z1Ja;Zm)3H_<*?JE?*{gsgA@Mfk9!<74^M-3sBIsF;?f18qUAcVYosp`VnpdBJ?po2
zc<Si1*4q2S5f5c9Bz<d`73r&{#2AdX&D$O+2o8om#+gf5V;6{$|1=t21&(e4X42Rc
zP~etLbcn|$-8A^AU7EZGDkLZ`0<NvS^+)W!Np44(IEkOKr4S+8?nz1c)R8seU(h@+
zv$*oDFJ+}8&}Cjp(<(NHnY-phaOcj2qiij;X$#c-j+oPsF_e`((V?pl=hYh}kjGE{
z;tl}G4^`|)N@lqH=2vWt+bm6vw|i)JNq*{<`-C+apMTw)UyW1~9H`&*>*#n4iX%OY
z<9eC3H#au};!~DL+#JfzEt*36>G?UZuyCgJKf2%?YE0}yxPK!Wg8)OG;!=+~9UU<h
z5(yg*w(okbRS-(gHq+UNpu^)a_7SW~-(LnD5_du+wB7ib#{P@4XiqP=%ugWKm1EED
z)UD#;CND@D9u{POnlE@$ZXr7PoX|C*3IWMBw>7&HS~VSitj`<gp`s!PIayFF1q6)g
zD5+mWq?aRFcg1#t=F=!@^scZsW$<1UF|-L+4L8&}*|U5&j^W~wg!AFT{E6rNqlDEN
zsI?gM9)(4w1UykwcTj1P>i%>m<Mr1*uT+mE<&AWY^?^CXxs5rNjr`g#clVb3x{A}c
z-#VRA9n#}Q?RnllUYhw~!{pLTNA-1OZ}Vpk8<T354XT#CuP&7Hw0o^_l2AF>1oYeg
z7-6Lkv(?bFn<{2nsH}3AQ(9b2v8@x2g!|Tm!wZ$Ij(r83F4YU=y6x7!Tny3@{lYZ2
z<C$M5;;cC3uKEw%`o^((%Fenn%RG|KDOs4DUv%+Y(qv!F#mtL+1Po#7rd8unV#8Ge
zr77V38ix7MCmrss7>{MM7U!IraRu#NBtcWgr7~+1$ELVTSu+x*#@O?ckr}Z}1DjPH
z9g=|>Yb@MM1S!;dXWRd9OxeqKXJ#9;H0dhfx*;Rf)S*)sHS=1sJzACfOvLX&aOvrg
z@bh6#^@}9Tu&+8MJ>VmodR_JIkk=m96GHsq1>vj}FY`lnRU$?1$9CptB;urS%^&r5
zj*m+Of>)|NvFagg2j0$3w%ytHAu-9xbZN~Sv6`ofCUJW+D-7Zrwi8tWY|-e^Zm5ym
zj!n7G#FvuR5~0lNZvBO?d%&8MUwVh3hksDuUdeP(x{A2+&v?SPW8VBkI<L+WtBo3<
zUabF)ds<tgHNHcL5AVc|UU?Db!8rf$H;3fH6dR37I-4eaWJS4@biwVQXQqiy^A$6&
zs3RFOb2V&V4lfAqco%uTK7VmEB3Gq&=O${%RMXVjdVM&P6#HHCM$AAUhf}-D=)&Ab
z;`eR%T_WsvV0V|#wLhcqiQwpQnYfVILyq>SnpjyMyhMxZ?B7yu`S?y!D)rs3nd#%q
z_7hcEoN}RT;M+RA1oAr>c21m%`=>@~3TXzP_@jH>)Q6>iY#xyo_SvN^9riIe?Rt00
zM6)OTW^*KkOQw{pd3ar?kepQq$C!!cqDD+8RysH&pm*nJ%=1dx*Ik9af1W^*FLfR+
z_r`fk*$w7pxAG9i1=VfI`V?L!l9wOW=6F}eR!BP@SnqxC&=HA|tRGPF>k_jLv{+tC
zdvDy-WKnQJI(oqMNz^;jC(kwM#ZOX3WpTdyB!7InQf}z3nSN6slf)?+bxqmun@lpT
z*!9&N1z9`6)o)7S9#6b&WL)K4m<&^XH&fNS$(7j4*m;{LIV5p9-qj#hC2yEGH$vM|
z-akgB&?$oAjX8z6yzReYvs4g(FQHbctGOxH^kAp{&d_?<$G%rLE8e7&Pj)UxPt|Ux
zv6~H1^1*z4BGFwJoZh)m%(QM?{>J6&81LY^5<b^Vr6=Z;$oq?GHbz|C4ek9t^~d_?
z-(0|b+%2ZhJZ8^y`*^n&X1ev=sY$xL()n+;m04!rOOk!-=83uRo#I4xf+r}0*%`Tt
z7Pu@gT*RKSo|x;H9X&FXPx7{_H1znJ?^!=Zq^gy0Gd%ZYhnd?;PH^G6K8m|s8>pnu
z)-tYGd}l8<9rKE-n+v1X5Kx);TgG)=_{WP(Is;RI;Y$S$&AM-RWOuV(z#TL98_u@m
zp(DcrgZi~KV?8{MHsJbv(dmAhRC3}3m6ri;HysPb23M>oUsuwFRRmcd>sKejjB`p$
z`RG`dnNaj}Ogxp4-t(bhlve895u#hFjJA1Vv9_geDi#L#Q`6y~i_D`ISjqTD0|O5$
zYmRai*IV$fuvjWm#;n9Y7wkEHF-Io)GcoG-6YeIy^8OoMMXmDm<ih*I@Y#G=ygk3N
zU5D)CwYZ>xm7lKS-NibAao29dkT*y#N>7aT)tp_8`f@~xu<^>zj-MfCi1`P9*PE4I
z)A;)u;x#r{a^tf+pOq~PJI%%Jojk-hJ~d*TeuL%ysaa7}I(dWGV(FuAg}$ZNlFVsk
z;b)5eB%RNL`Eh<2_sX5mvOV<eG4F=Xo+HM@YCK<w4Hwn~KF@c0TN3}QGu}=LO}bPx
zK^;<D>B*aE{Cb{Wh;FWO!?D0(?XFqI7D+sMTr@dQr}2tTnT~p4`*bp6(bTySW(BK7
zOKM@5Yu5W)g5&zMyb4NIMf}fWhdS)c=c<ZX5~^z4oHWL`Dd1%8ri|-Jr^_Rw^aiFR
z-S#iuSUvQn__@<`2Ax=n36IKt?D@?aj|sqE8Orv%P;0HjQ|fW%*6$A$joALX=GhO?
z<PG<bG0b^XTO1b46Gbn!x4LuMu1_yjo<7OU+r*R}YzOe)-o60<Mcm@8Vu6Rcw7hE?
zNNz1a{22=sDf>6-$hg&@uFDG8z-Y*DRqa5m`TS~O`m>n_wA@%kxCq9ezj{X=Tqq9T
zb}-qLDXi`S2V15Z+bXzqP5)_=XFKU&P-bT{aOUEgO;rrjkI_4(0*5^CO9fg?xjE^Y
zS!SrA((ja`bD?OmBn`PAm7178ewaKzjg8d1LRj=M?yd6vSov-zL3$80{2hT`N65;5
zM%)i#3>a&GdR=a9BF`)V2gx+RiAPxtff~(izPP!`M!RMxTCR&3FrSwz!tWtVcZ6x8
zrVPlW1V|NIH3f;H+x<e!OBJc&V}QdnGU_X00A4}#lJ#&+cLQJAX`7a!Zb8TNWC_Jg
zqAkv=gpIkj+bSwqX5^lB?*q1}49Y}LY#ht<k;!a2hu>_*ybB_ESwZ6H?aj3{C2iTH
zgWpnDNy)?P)evx4aP$`wCjUHHG)gp@9G{xOqRj5IaR&duR^`5iN_=!`eswXeLU+<D
z>fS{Xj!Wdpa&-Nh>_xr;ZZ<AF7Inc{LyvyrS&m`at516bo*_@}q3o|c{M?h>U{2d|
zI<HId*VgH|N$HFcqHnv@F&o6(S>hzQW&88ZkY~~+i<}tycOqaYTR4u(Kii%9?d9B2
zq;t7?Yc_ACQ*LDRWnRI1F!5f7OLrC&lG11aglW4Y=z6(xUC{0tcW<G^$WI8pT|Xsl
z!2Fm1b-z@15tI%ej`V6ge0B6mDA#*1T(U~P1wljCnLU4`Jd(rL@?#*1M1|8MBqgNK
z_RrbRluUHsZ0uMvhLj(G((+s!8BRbjJIv)XN?4i>;Ox`xGq)$T_~KT6aR=?tcRZii
z1lCgn+!u@CrU&5XA$X1y&{;yD%+4ppZO|~M?A@9BLfy=HhvQnA!;N%y8OMYlBOued
zTwuxug=L@!RzC)uP&@k9!MM>1L`K4<l|{cj0Q#eGzoOBz2%=*(5WnjMHEBE_vgy!0
zU$6(i3W7K>H&_hTKzMt2J4koB_2xJGJM`w$e_%1_iX&D2<c2)sSDIlNI9t606b~tE
zgE*5~0*>ngTKQry`tL0;``W-aaeo04U2=awCgmh`-0$c28&Y!!K8K`t;Yv-cJ_hD)
zkE`SZ;X)J1Ei&#d-b6oxXw(ggt<-CNPd^rXu(iGr0rq5SYIs&kIel<?HUQ7+Z+GWj
z`G7S5R89+I{AAi5Lc!Rv9erlT@BZBQ_C0|O|L$6lD+-o>e$TkfaMel()rw5tFcw@C
z(Qs`W{TI<;;>f!M{pHNh*TO%=rrcggB5GzPH9t<#d-ss=#Uc7%7YfLGe~{=dQMjdw
zrIX<Nsdar&-+$6B53%DruA;wc5dDrIQqm`USwSfJja+w*W`2<B<R0_py2%XNAzzj|
zC>+*Zty=ULS}u=}#mlpy%0iRqTp{7?I_U*vO4b2LH=%?t60sVx`#4Lxc?MeEmb3g}
zJX-LgmF~88LEXV=B;96{NKX9t?*y*Hc74B^!MG<?k3H7Ia={=cvq<Hl^^cEFHBMR?
z4Zua!9dzlBBa0Ce>jp-BH82)m20OjSQSZJA8`gsBnZ~@8Q-9HuADWn86iP?^_mRd^
zhi(I1<=qd>i_XAuwDUj2#ndSL9BK~|g9~^Xy}q!xoB5%j!=jh*Py;j=qD5}Qm*-a|
zptxxxa6t7^#-YA@FjNXB+}>Df1~YTY+fO+;9#0h`urILNumCeZ@^ae&PieNZ!K&QN
z*_+KWaQR^d(5;+a6v^^iQ!Zqh?SYNq2PmOhKM!!}nGiDdN_N+p9`Z;g&YPP2)go?&
zn@(WSP46a*ej}b8trC>pqWx{grqQIc+OiIn>d|%T`%twUK!)}qV&Rrdwjw@h?oDih
zG$I<8RG!j)muo`m@kYsa8fSj*FrG?@?s(}3L>yg3sV|F_6Eu7uE|%Gqb51-1exIHB
z+pEGM(sm$&zV~}=hW+gJ19q1a-3FTqkT0aAuRG_v96;y7Re&*hZc5hd3rj?g>XLtM
zQA_f;U;L7Kcsybm39gCvz<lEI23dE}WOpx(P|Ow6hbiRz;0on^G~G?Ty6Y=C8%wBM
z&A#au%jd({PwUx9ax!Dyrt6O~g?!%8qFZTvk+0Hcer~^%DY6oDtGCo_xvoqte2v6d
zcGuEZys`R+1mVIiF;@P4Yq{To?&#PR{I?2>Np0F0Zg+nCYQNVRLNPl+`;o~oPv`mq
zkB0iW;oG~)OPrRo5h{5kDjTXQ!F6~OIf4K&6iXTD%h%^|MWwEs<^JElT7?GC3r48%
zY!Yw&&Jsk)(vPya_mrz8HQ1SQOZOT}wRw50=@$cTo-S=xS!KV@F6|@iBB_IYf3=BO
zyDU3Ky%;^<-Z5Pb&VzcsqNPd6#ZB(Q^DADsI>Qi4qtwU6GhJuLqMUM6ny8+CSUnfc
z5Bpp(eRIFC|3!``-<y1e?-o_r4@y3M3HN$SQs#Cx5mX6npX%5WaH*v3aWtN@V=c+J
z&ZToSBt>WORB#8{iunsv+`wT&6y;e+&Kwe9nu869vB%|5%DkL)6P4-hRslODaLkC3
z4e?)C>U+mn`Y1_t8Svka>XPB59c4La%^s}1prNJTRN_@#QVxrW<bs&a%IwO<J=XS)
zkQ@iii;?4Zn@X<irezHstN3Qs6_)e8d0tKym$tDqGGgOrSY~Z1SsgE_b1^DF+G%Xs
zU0q?YVS{-haf$wpdD9*Vi>c+8_f%I45KqnNfD4#7$-d_o`79;`O@z8d3*x+nu3ep_
zk8xlb_Xzjq9y#P`I#F}tWz?mtHmcL*Gtp!&Toeg4{UX_EzeJ0iDBb)iGF3!0%f8m2
zHox1AcHdN~`-GwVO30!}V59g6JJA)mu#9&4m3_%uC$^yH-OQk2SvG64(OcyYKRsr;
z1KNm!B$Pd=?7m3WFXkEH(>YZ-h0w#c7#cCmP7mio?A@gY9LCQ3q2DAv@$O|}H5G{d
zhzJ8D8e}<Ir0J6`gk1O1=qZ2_UxMettXRH+6yE|-asSBTY<vb}18ynZ=MI`<4^_Xx
zxf%%{OUakCYlEandzgh#nr9q6iN5^U=z#cqdz?}@ySPLLRQvgAC-n{7=bdPN&-gI$
ze$(i|zQ6A`&7s30f|jgagv^0#in=qKL{?^UsmII(zVuXJzvo6K*_L!{S$lJkXdd!>
z0#9eOn}tfi#{zbBBx-w4csv#x1VhJ<<T8M<%igo(uWr51rq8t0(skI=iv7k4XJ=t|
zaQ?LIDRCWxbN4NAc9(oS8l~*|Yu5+I*iYCENM2xzXKFO1$3A@#tEPaflPZm7Nv@0v
zv?b-Xj+)A6dOwh>pW)JGSIV#@&A4DXhLq+xnN_VI(WrtOlVXexqPg{F>z8zKfww#c
zs-|_Q@qp)T8RZJGx&khxgcuh!eyt!IJt(0NbVt29?J;@`$l33RE}WuG{=~hx5};Xj
zy_!JS?MTstt0tO#h}q!}<8pUgaEdo$x@VjDQtD)6wQKYmNB4)vUnbmoT>ePlr}jv;
zuH05r2*2ZMMxIbGmGHe}MZES^9>(elW<-#H`y_#*7a?;H#kZ77zDsce<&1A=t}Fk%
zRm}IKtIvj)2gPeCiHvermH18T2UoM&t;{H;0J7jNfMmP|>%=J+@pfxLHg!?E!TXF0
z!nu-<odNjP7|kASl>TN+lMD>HOL5K8uaiwS;5d1#%O5VnL@siz=yKw~t&VBR!wbn{
z4dPEAs_IG*T-B|##-3`jA$S9qSqY*|7-3yOZs`<bTuVv4Ru<>|D6r7~Ky~(FRElQD
zd8?a8_p)1B#QCq5@v-bSmuRos;}~y^RoxJ$F4)ZTR{W0(0AbYD-EYzhKBPx1?Cp3+
z;(!(w@*1&llvSnCkxYqgx&19u=AANa39NtdiMY4c)}#WZQ^J{cObf<R?NUZ>Sq4~V
z#9!HdyEEI{nxOZoP(078u?X6uQ<=iq*8h}8=PdR;c)cfUw^iP8y@|c=&@BG>(**@;
zm>^B3q%Z&G@>JJ+JMztgE122op|Puxdt#W30}cJMDiSmc6lM+0E~QC**$yJ`-XW^F
z%F>cZR%!o$4|n(laj!o^e=UhmG2MsT$BU*UMoX(x^X0-F74Kl5mN&j6{NzVax_!D(
zGVl1wPhGW2-nxF4W1%XK)$s{4nEQO_>zb$R`vTl0VidUDCQi&y)v)M$mJrO*x^=y|
z6v0h+FwBAJUs{l1j=4tsvzAUFXxj^CCf|e2Lfz-XB^efF71e#bw40j6DcvNjX5-vp
zlyySoDB3<mk};Z>yxV=k#1fDxj>c1VsEf}n?HC&waWSj;^0;6_jwh98>yBAZbc^65
z>!T*zl*Dg(va2hEON-Av{m@dPX*VsICvmyVn(aihb@m4%;5U1o4K?v*;{Gk2KBjpi
z+CI&Fs3X^U{b+aBgo#bZ<iudglV%-KDOpIJ1Y&1!CWZ+DNp9Y2CIyKok!|-sXPp8A
zxNKx38qE(qo77oJDAwa%p0AIDSz~|b`lS97?7$=O(&?(uj>;V2CTFEXXz?g-X=%1|
zkrZ}U-T>HVW`gRHOkQYRqZ2W_^dVO`nX~8kH$@j;XQM36_E#pj_Fo1+r|$}j8Yb8X
zrVox0mxPN+GGc6w^7I^6$QrW8YfoYB949F+^dNoy<w)`t%HZ7@H>*>Y%ZITsO-98J
zJr+6CtK~$Ad@1F#z9!S)BZH(jePlTs%Rdzm<SLToZ?iebH~6Mc6)Wm5y<EH?J0$iL
zP5D)!Vvxplk{s>a@p0l+nNaHNP8wTa=@vnB{vDU6SN=c8(1TBZ?0BqPlU?~;JJJ;^
zay#_>bPJXrr<Bjp=K+Ww>iMLl>G4UC65E=U#I)px%~W#f3yD`IOztvG`3PQh$aZMH
zt!d7LpBF52qLCB2e?Hx#Sy$Zd`bA=!b#Ay02s)e6s>|cdHNL(d=oDA5+myV1B5cNg
z>z8lL=bD<xkoRouF9(F*V_7BN+qf9=clzKsbj(FoOL_`Bn4gYno{fI`%9-iiCWp>V
z-%?4EYj#<;b;B+FN8FAd3KXZew_~>sR~-f#i)~wFDc|757MiqB`;RNU;T^EwPDlkO
z&e>4B`D&cr#o+#W85sumzr#S5KKi?!9fu-0uP`%QY=ax{)|~Qixi_?_U{FLAGt(a&
ze}V{W-&u8!OQN{HoK(J8JVwFwXT;bM**}EyLnKV6>#KU--(uPpW*T00`8hHB@H=_`
z>J!%p&K_U=T6H+@RET-$KWwNvTi4fy-7`@POl)oXlGPA39quiDiP|a~f37%8GG;|J
zf@fg7ZwAxnYtlBK&Y8^C2c(IVwP|6gnNB}9B8?uL>M?ceuGYW~#i`_uOzQ^@4y2;4
z)^@TY?Tsn79+_BMr0cO1Bnn@APu>$dy>diIkv%Ty;xYp>?opn);HXSNg8}i5AWu)1
zD{aG#-86R0&7rha6WkQ@D~?d@laoh@oe{8u=KeGCFf@6XiZl6lzoW7o(%5laYe`7L
zc$(iik?r1>SAg%fDZOE`!BOzxaB;6h87)bjn{~tRqlTy!1`WG@$vok(C=-j07AtKR
zgU1#bWPzRRPG=;y<7R{(IEg0}KxLBrXT3ftbVULMlQ!EFT4kjlnmbk>_q12#XE_|E
zq}El9-){((pNjsNHqv=0ZIuzq6|cu)qxZvI#)#i&@tVr_NW?9(SU8=0vp~GFrMT>5
z{`F7F?7B#Sp%Utz^*god(arN>dRD0Y092D9G#n?0g3SuUo4IsfrAjB_Fs71Wd2S6~
z=sR)fQt<W#75AxX$})mz0KI&PpStkIupR7j=Xyku@A1;HqqfY$s5PT_QL=OgU%a)P
z;vA-{;{NnIIT-YNpIu4#lG1z7hu9n%=3^K3o2~{;C%lcriK5&EM`3U+)|%L!J=jP=
zkGI*AIo$0=9;opY%WJvk>iBc&sW1y6Kr{3$TJW`SGWgFV^nMqLb$``UaR*zATO}8=
z()5NCj=iNnK*0PdiS@)$BKo5QXg<UAdwK*vYc1pDY$M1gBM-j%So+%C(*qR31#v^?
zu32nJ=+bb=<AZJp)%^Y?xZ*S%Li8nsLcmhTbihheHLb7}iO=v>@U}($RZ@DyS^NjB
z)_ABnM5LkOe)vS_)8*TVH<R9XCH*M=57g@_J+ePihL6#2Sq#7Km6#Jt{q5hWfNFU5
z{Cc6@7wxjr*2g7{atEUl>WayHh^!906!Nr=CsLZkw^h&?WRAR+jD#8CG`CcRuQMPQ
zY!r{vp>2x(k{88|G~0X^n8T6jX@yKr$yAw${n-lt2TdNr$J2Ac{U}P3$Fe=Q3BbWo
zL+YdZ!-scL$I7GH)C`1?sr~owe<GZEQOCTEna!aI@c#aMnM))iADpa^p*Z+Mt0|CR
z$Q#h;V~>wqpAW<6#Cwnr|9UlH6Zc8(S|Yjec^EI;X(Ky82@igr_#RrVTBTAuLf0Er
z?(FDX%r`KhKF0{ZhsmUay}&^6sTcAd`+xmfDp_e!=81X~LI*8p0Qt88(iCw4Xo?P}
zSSd0r`+umj&?7wGa?}MC2(Qb^0G>C$lJyIDu8INDCBo?+Pao_#@Ofu`Sne8yZMh+g
zMYfl$BRDB&3G@Ij<w4;XK5X23icK^@X7~Odh6he0I+u^U@o5KdskQFYvxPjAM;JNb
zne=a_{rj*i1Kcmj3KzdtbVoiCyILS08TdU0jDTg<mbpJW?$RGTZCCxC9W&B})zGrK
z<3Vjl{_9bUC2~RG3kul!@$C8K7YvB(6Rg@SA+AS^3$0GxoxCAGf{+x&3M$8AE+7@0
zkz!Dw*FU=G^nv(9)(_B7p`zb2E1;Ih+4f&RTNMUDdz}2(xxZbd#v=gROGNBfD2i>W
zxYEGr@U5~~t(sMm`s0a%G0`f{e!V}Nq!?jLr2K?7ohAwuu81-CpJ_www-vLAH1xrO
zeMZ28B=frz5zNQlLsj`G1fYP*3YuW(SPVvjd|ky5=sO{mM$27>!tK+2N&i|{A;dJ0
zX_5hACJt5#A&}{{YKb{2eEGS7nm!f^RYFY#>28FU_}t(L3NdU-kg!l5uK_xmR7wDl
z<>~=PL=-9D|JauAI^SRX1FU>~!NSk2N1Y`l1L%$HP|l#JxDZSq5vm*($arfrPzMdM
zxwA{VHCT2QSU&q^gc7J@Yy-Icxz1oDwckztLdaY<%Ov@4RgmYLKrn@_ky<~w^EmN`
z&(iN60yM1|#DrLY@Q&PwxYq{+l27gCzc+v*m<fsE%IQZ=Zh#lE_T&TB`5nqN`r=T=
zP;}!1pvRuY5~ej5pF0hfi6C$yaXElW>_=}+w#3rUJPp(8fkF>n2-IR!XdZ>2ieW)Q
zsc!dtUABJy(1=t3hE5%W`5~WYskg)FCtYe*G^D!$cv%4;X#72;#L0k+z^$8nYSY~r
z+)Rw;bX+fO{$c3x++P<@SP$>7-Y{z98uB1pgZ{t8Ooy4LgF#hY$Ozh%9B>Dk;z=vk
z#tOJw-T+g{lyLhe5Y|<1Qn5Fdg09aRN*B=wOon?y`Sk{nW8K=yxI6noFh1IeT!{Hi
z*3hepVaKf^nVTOQ6ocB2Rg40Y<U|(N{nLY<9g@wXV3sLq5`u6#PK8Ddc*DdH1RuHk
z(aKxoaGk3MDovEJ)=G>blvYej>p%a(-g%(6-%9g5Nk$~ne2hG-Q&o;JM+f>MH2Qq%
zF}EyT*pajxQ49;J-%6eOj$fJu%(?K9_-R}X4ydg84t;L}{EE&rmKyXdg8mZ^<?1@V
z!vf#{x`6^>{h1Q(4G^pURwF$CY;qOvyOJgA$sO3#t0UJ86S6-vNtw%HC4E<IE`4m9
zKT{43oPcsqGNA4+vNmyb*mp*Sf}!!YEpNd}QXGnV$j8e($I1NNj9xeQ9xOjRC3L&b
zlN{xLdj>BZH`3}#2qqw09{?$(qDRwLu+GmoJ_se<no_Sfe}UHiEM1hU4tt;H&<B`v
z{Eg;yz>`PwOS|4f5lSHD5U4#$%Hkv`hrMAyv9HG0Bh`EG=5wQ0M;2?=F7TmNy8%UJ
zyt_XC5OD2}sX@&h3gsZ}wget&F1XVAy0r=<u~sKnZNME7p;@jxRBYFHy}vi&?k9EZ
z&yf*ix03t$2=Y|_?Ygiv@{^kf{<f_F)E+R;n+`B-qmmmVE1+|R5^z{{xh_+!I!ZyG
z2b|Iin=??qtuNKA@2L(;zG;=zpLvDCEY9vSfYO<OV{3cfF_f0urRj+S%T4oeZ?IEr
z1j==ta}``LN1+CKQ?B0Qj}lp<jYpWq9T>Z7C#t+Unz9Z0vNdT-1H0;_jO`YB1np*!
z%#z?&{bNpl4;ZKD7oi6S3JV;l%c|M||C+A`jsg6G_uZZvcmWFjXl=e9inQHwiMDOx
zBq;_f09NqtJz-ng;h->+>Jj<9QAf!5(P^s&^7txd(ZS9%g}ziamKQ6!3gLmEPOgVi
z#+{p>;E_#IS>CDAS~CP@W_e99F3Nsjr3z|{3!0TpbekwwLxLe*vLAe04N`5g<(nhK
zzO@TFoN3N>(DLi8`FlhR*W{WX%n%bKL^cZf`R3mNP2La<hv*4sS`K;3HbbBv-zw=&
ze%<7(aL7^737aGf1mq6W$(UkE>FA1bjkXI&S-6fyh9^-IK!|K0zuED98_2#<JS|_X
zhj0Tm^Yv9=V*);``aP-_;{+-|`K=CR<UeKnhB@f|QCsK+)aerjd(vmcy%d7Xta4{v
z%lqj)&p7-+8W<xEhhU6&`iIm1detx%nn!#$jpfpbh~uda&6GUCgRmVdV8l*)ikc^^
zKmiOkOk9%1bKk$mdX3)&rGv9s3JEb9{|*=O!kd~90tC&|rlgqoFwOh;hFC<|kF4MZ
z;mF_#+T95}#uu|Th(thG71CJdW5}7UjRc9>-<b}A<o$!%79b%VwyW(1MR$LF2%k<q
zTf9HBB|Y*<8IawC33mJYOtb_k5-5tJbj?9ILN<RMsUg#R9G-8s)9*OR#Cs5e7z+Qi
zd5N^FArWG_@$jp`5&wlNVJf*Wn?zL9cu0v4wks;rmq!n}B{|cjRbA(H?*AG@Vx*UN
z?&>*RIQ@5`{y?cw?l%XGY;G!?&ustwv@t|CX@^}B=mY--EP>6z)B7>;b!1U8>$lMy
z9LtkOGd(!sn^{`lF+B8cUE+Ing5Ymk2vjw6n2?uMLE<bVQu-HXL70}6h6Fti1^&ia
za{-<E7lU;q9IAbrX!~!sYSo7hS>4tWqarxi+UU_SJq*a`@z5dR5V_pV*nc0!K{#ap
z!upo17@I!9LF^;j{LXnl+*3ndlJ}<5@&95ULVEcGh$q!U{%1TX6SCi91Ox#R!c_le
zm>M3cq%7=M7p5HhJ1lX0WpR>1Cr`CF9EPXY9fk2kt~v)t9h?kBuw)dr{Y4}E{|3SS
z<b-;_#^6C2A+MO|l6di7s|gVdf(QFiD*o}`h;PxMXLf%g$s?1U|E=MwcbvRx``<7a
z(*UoTWIX(+)9_#<>pz}|-wz;T++fGilD~ZrTOK^%2Qo)k|KH|_C;fe^|29^5n!f-9
zsaJO%ePc$IhnWFyLC3Upf0UPz+r-W~`d|Ve-KS*>-C;PeU7}?7ceFb=@-X`?jv=<X
zL-6P=3yO{4TG_wZCjgCTtc%^=I2Fv5B1RMJ)RM!0F!XU!T4ln>Z<6!CK}G!G=CzW4
z-;zPT)slE7=n&Hj;#6bO<bIO=5{AmfSFF^F?#b@agk<Z4SG_hi(Qg_f|K12vtYu=5
z@8`(FujTj<wD|uUZVMy`rQZ#lLCItgh{~>CEc0XPf5%e!#y&Fg<B9aY7n^SECC&Y>
zV00<I`<*4^{Tr4;XYTHYpnoJX2&K(YUnEd%rqnw#B%_<-`1!Z^E^4fNv+TBv<%X=~
zhSBI(d-Q}30W~QqNSDy4lMs8Fc{6~)AYat2o^CW*HI}p1S+U46d9C9fEjnI|pzkeV
z>SeBf>G7gFEX&<iqgxo2vG6V*>p`OCB;xW{r-TPzrO^8KFjUs$S=Vm_quFXxUmLxl
ze*TO9#M%|hdZ|ov3wsXbwckqkg%JW@{bdQ^VENMhixRmN)y>Wq+C1Ju(N6`>m~aNc
zGzmLn-MJsHA54>21jRmD>MFN<TRZd1C6$M>NbWyg4CQr~aDoePu`|Z&ZSR%_QI}mQ
zscK2(muNDtiCG$PLvnNUV>2cz5mWe;aHc|0c>TTy>HRm+k5E^x6U@jG<$94}<ryk{
z`Ii?;@gYL!lGm6B1;T7Dw~z`QZV$Ek87$FaD!KUYLHdQ4Wdy_dq^7++^fQ5+3;BgE
zuA`Hs=-AFQ-}Ai$4|++tzEW|djhL)`EXJE%`t{%;?(dj?37VDIA0@hUn5ax_{}vYS
zC^r&A&)?aZuxU>FOxIuDMPFjn?Gcg>;IH&&)pqM3_8^0uagWD1qNoQN-eqEgO2v#V
z0cD@w^}SG;xpm>exBOvzeICbA*I7#Zds+<618t#kn$3%I7bWOP`sELCelkgFKs?{a
zV(Mxd`SRtn#qPrj_+A!_5hZ%@KAJQbQ|dynWkh`3VSzl_vFGnu`@h3c_pJWilT?Uz
z;OcxlM5$fhWcKvj6`=^MKq1Nb`z#B_xVGIfwQ9W}m{O;L^?hkJ=M+YB^`%%AausR6
z?FE0D!3SnK9Uo0+BhaxIX{yQ^IirIfo<gs;r|IH%8dDj}!-JV7`rG=*9tAG$RO$PU
zE;WXBb#|P#>ks&RsK2zn6*X_h{JrQSoBpx?j)&7rFDmwzq6$Au7X#;iH<K`Q5G>65
zMKi~W>e*2nfn=$-xlTMgvplg)re6KZDb-`HU)h0RQi998tlh^i|7wqmv!-U4_4Pf<
z<v|mCunvYhlv8wY<rkQxi4M_3x=@y-&LxaN^x~1U$MXGZEB%7-aIM!-gEzQKtL^31
zL`7b&J-!UPGIA*FXF7f)47^m=$M4^t)RxXF9Y70oSY+&3{vTs+UqjUq@U_*)`o+AT
z7sk{#HL_x_mPR*-!a=sHDkdxF%Cm$7xX5{Y_Dd_B6Z9r5;Tv4htp?;B#ZFR5QlHi#
zXV-1pQ8p3hOVRXPR^^E_S~h}%Z!^-*PrQ`CM76yyxvs)3L|RsQ{%s{oOB!vZd-A8f
zM#i-K_gh4%rHj2;e`AiUjm-3e{Tue~dCAN?Cj<w|_`BCNJc7fSF6;U(YPgE2|81A=
zlWR^hR8?DlFeP5-3JFr#Lbo<M%5+jD<!1T?<J|M^`77j>3-{{PtFL%q1i96{xx33e
z8q01urLDNKQl)y|zhqv$XrDP26Wr~QCUN*qo0Y^5PXl13E?gN(bAEI6JRwUtnWG{x
zmFuL<=i<YK)A>^&m(t!zUyn|*S1eIpV|TIU^p}mYkLb6J;FN8|IqwJLXJALH)8Be@
z{l9>m=QHf7l#GOAGz9y&Es^Flskh7Rk_BwrOsY(UZKB8GS9(p3EhuP)RVI{|y1H3p
zRnFn+M}3PUbf#CbeQA*m-!#H`HYVvp!^<AQ^wMVO&E&Ks_l1rR+2lU;)y0pF{c1Xh
zonEkDO7<@T<L4mUS{ZwJ@gKUP26vo?-sZxM&$~B*3G8|}3kC^=5<JzanM<utri9+`
zb|KF7x+6tA<guctn0tK8)Te=7Ud8t0sNUmJw1Po964zi@5#%8f<0${{yr2(5up?p1
z#!|7;Wuq?Au4?J@QjXK>1)cav^Df)N>UsPw=Ir(*`=Om|Q?fGy;bV&LIR!S$E<O@~
z0I~UJ%lun2Iik?S7qh+toR|JaU%6eMEs@z8^By_l5g6~^+<nU!<1mBZpzP#;wrL+x
zNbt6<|Eekrzh<n$bMq~WxTOf={|ZicuEA-XC6K$zOZVVlOEic%h_xCXz@o6KznJ~6
z9bqcou+g{E$SCol0BJ@pxuK}P*<e{Do?^!yQU7mvRftQ@LG<PQ{0AExea~1A=C2kZ
za`@w0r7r&WIi8y^4Ro&cIovq=H$1w>q;M?{ncMu*a1QgA-YJv)*RNmU!=*#@B@%z1
zuc?|^puHbEkRZSrNvb&GzoCu8!4TwlMKLq;|LwN_J5;3U#E3DblP4GrGp5RsJm{2h
z1g+%AbZqGbU=%?h4JA;v#Yl4+LZL&(>#t=0i$%lGEbuxt28P`9E%*NR9{&G#y;t6Q
zG_#%8u(_{ff2?RARJ%a`AHpgK2&)kwtlH;5GwIUbtH!ee__w*1;;GJkjPYPzof3kh
zWrj-T9yzjg&KsPFP+0}+Iv~a0<~6SbF;kGa@Qdib+tEQ!sa0>feSR(i#8ddZRxv)Y
z3IoCHwiI2_>y~<Q;aw)Ce>3*rq}?s<>tIF>IX(sPL+4Yhs0ptRCw-CUZ=|}o^EA2M
zw&1^?S209FDV;mc{S-_c?Ctc{a$ko3s4VhX%bDBpt$cr~r+`6exAD?2!31r=$`gk^
zV8U=PAdNjob@!VPD*Q|a-su`LqqK}rZ&(COl(M}{;8I~G&Y@FWu)B@lk-<+lTS;0?
zN-F;$d48E#_|l0tzStnH<lFxjd2bz6WgEQ>k_uu_3P?&LB_ScHl#+rXAT2Eoa!4r^
zQMy4=!bDoS1nEYU?oMfGW<U5E@B8~^t@+l>{4s0RI)9wSI-GMqckFw|bzPgp#ww(~
zZ9f|~x{T0N>q2oh&t}3$!oo>|5%00euST9frZC52(bdXhH`nYvOIS@j7U<nOk0xM@
z=1Zpv_#EGx!X5M~PpR!;4|v@z|NTfwh<o{Dw|pP-&1IaPA+q`?p>uT7RO18uo=o?p
zIn$j97R%L73a?+z%Cp?GbehuC+p!yI()7IC@A<Kx;$?8M_Lp2Q*LQ~hTR({BK#l#H
z<P}CDzk^OpKE=#sOsBNd?KT3Jve0j?7*2oOH1H%^#h^QfA@%`tE)rXM@Vp?+P8<5U
z!&B+~$K>}YO;rdAv#{Eoz1NzXK6<%K#)+NTp_;i&)Kg4e_<?ZQP$6mF&@);6*|?Wi
zH|C)rrIY)+u$J0YHPQa@`!wAImEIpKAL(MU@?r8Po_Y{_(#<20F6m)Dj+5DytQl)2
z@}(z-XeB?=0)B90Szxx$u#KcJj_#gqqwX#5kn<Fh!4TR+TjY3<vslY6H?FpOvm>zA
z?M#rvRHim#OY0T!mu{cj=_qZzJ=j`)VF9pCQ|M(lWyP|`@@OvLpm@zTvT2i?0?*zE
z2&2S!Ua@fV3(ucD3B@AFa|x<A75~7~a~7J8$aKf<3q<9#T`XV1F%8nju;|C6_(5@L
zif?3k!z{TEOK)LOJb*An<cm=#U4n>e6Ty&x(x`!#+C17Y8z$raQgiiXEgs?-Z4!Zb
z`lM|Walea|3MN8g72{e-s+aY?-jOjSzd0-@m$~w^lDr#(KMps1_EfkKL1Bq(-xd$$
zN=Pzg9cyoshQ!8L<@orQg^MSJU9p$v(s^y|7%%PI8Cj?r-BtGV>jJ37jDTLt9U0G5
zv@3?9msSEFC2Q}mR<ekA@sXhM-$5%@l4E5V!glKy<|A1A!VEcd!>3B<hNF2`mgrH6
zA15D@3DKTs34t^HEcHXtpNj$*8*ot&EJl0%7*(o_bM*?TKx41KI+zP)6xa`mY}r(P
zp}t`=wIbDFwa2YDr>$5)D?+*QL5^Lo_2S4Lx*3_Z(kr9lQ;wfY3o`6?%6QH=*`Cju
zL8mbQ;9AuwA<sF6IRD~WI!_l90h7A;4kq@LOgfuRuFBG{;t>adrfREBG87h0=d!Fy
z=xAFtC(~IBoEOA|Xn!;{%Ldlvt_+p8YB;_zt!w@iWsK&Lj~VD0X6ZO(Uit2{*}WlK
zuZJFxcnP8OI(3zO04j>5ob0HOudi4R(ovcINQ8g%@+I@yN@a%|PBzbgg{4U^2EAZ{
zI!TL~2``B3e$A>-S{j?f#>Kw<Y_1RMAH8_Yx4Yw}W5|AhnjIeFPFh4H3iVhpvcuS7
zdrcrp%aC|6()!qyAjijC<*naFX_@?j$SjDrdp0Srmk8#^()GnVhu*r^v{1rc5?`LC
zD4><s|B=(KBF+~jmX59y`)~_KZ0Nh;59~bX?-fFceoCCZ|2{JC52(<ZT9yMgREGTT
zfnRrlwW)fB5{_zVc`?t^&qC(FX;L_%FtTYMAKF{Q?$!8OlBw^*fZL@<fysk@hv?@Y
z`=X-G9J?Q3C#&A;B(ym9LHuj-)90wgS~MOtH0psF9BT#92eR6nB41f#2G<N<s5_>H
zZQt2BE0Z@K;~*USy(G`#)0!gsj>qxR!|~B%O6#`)U7SqGl-=CMH}0Mrj&Egl-4vSs
zuF86Bq9J14I{G?Z9%9);IkCjHCy03Och$359A)a3hV41S^xgu0uMV(b6etEz<*J2z
zEam1$s7j0iYf@soHh}BiXJ7g(`l2Z03MpbScgXjsXsG_{v`QkUwT#arfX-i`oal{B
zjy>x_YuRxrA>(Hs$>Q(0-<{E8)Z~pp=}4BCycUSkTvov|ZeLj_ag#x>K98<?Jaxb9
zVtdX-o5kHqGi)zWhc8&4RV$4iby|6R7#-knRdF0CV)ZJyD8!J(mYHT+w>nTTjV?BD
zJPS%8H)YsjZ42z(hqcY7r$1OEq7sJE>-X(w`{G?NZtjXawf;CJ9%Lpyd?;wIqIc3X
z*XR~I%mW(8kxRRQ)UL5Ul7gr5*jq`}m;fQlW$1hQV&kS;KlF?vAjKnQ_5@&e5@^-w
zcLV$P&ID9RV0uJAg)WA7lYai1g|jXrtL_I@d$`!7e1F|2Ka-K#%&tRKjZIWeTv*t-
ztcv!sYJ>7675Qj2x~RsxLfQ+$Ej(jZhwCGgXG8WHcowfol`N^DcSnh-Q<bdYPH%pd
zrt`$D5TxV63n(a3S-z*iVeL=ZK`Jmhlh;IX(4r!^-IM1KWiPA5(z+5SVvL!itwoqb
z+F(ELR6Cf48BcD}dsla4AhQ3kkC$NiWRjgnlDN+Fs_*rE=JV3`iE$1GCJc#ufHjr7
zxs(xir%H%#G5I-JD~@nU&^>y=<Ap~Xzv1j-ASFve>faX1j0R8z6BzgB$ujLoUY7#N
z)~~)!dm50&w*_4CODF|QZ9tp3BoK}GCGHAJxRw67?)xsnd&||NA}+iL!yYpGBvAL_
zJu2Ce@|xm9IqJA^qsY!oinQA}DX{Zv+h0nwByRVC8ih&D<Up<SYxx*&;8|irF^OL+
zLD2qH3{=C+j2Ds89JGD<Bwym6jBrtx5#|6CbNKef_Le0|m#gs9v+rSZfYKI^Bcg!|
z{lv~|&Ud|i<i5Z25(ptk%Ql-{qbQ@|gNfDq>+iF{0GCa=(2{|V6#5D8?xSBTD*g^B
z*EX!N$%t_2K46Fy778S@9_?F^!JNc%4&q7BuV4G_lurR|ZOtC_M_+KfrUQ3u>pU@`
z9Er`&vK?+lZ03jI(-wW$aXQQG(}J6w9&skogSDc~`At#eNv1^xnRMzt^D<XMOlF^$
z3sYylscWJyR2<^g+?1rTw)(CWn)e#gLA@bb=zNCt_`K%dnsE$4;Gq^_NC3<+3EFzA
zm%9lnifr7@9RXB6sh7Vc2<N@xlv85yk6_avMA*_$IQ0R!U2=VYj9w6Z@P`IzU)QPm
zETWyu5R`Q~6ekh&Q@(2>&<JiMBLx`n(l)y=o#HP8Fk<^*gZj^pYY{K?fG!h`@tI;k
zXPE=D{=P->OaVZ?bNR|!FGH)rPdM&*qpMAv{11D!cp~xC-l|~RPc?sn;uBqlSW)Tu
z{rhlgq^*k*t{;Po-*DOc+wWvn@H-@L*ttgB?(|8bu$KE<?b&;Rv0?@*+<{8&r^Osw
zRN$6BNN<|fumtz=bRs5;p^I_2@|##Ok8*-Cke+cD-ku0U>Zb%P(MI2LO_UzYw4*}{
zMXq~&JZ-{{pcLC^*qQAXQPqt==K%;m2Bqkl7?T7uEbel}3k$$H;XWL+YhpJAA%Sfk
zp1yqR;Xn{cjNzHz+5^gmLOvBX5OQ`;K~r?DWF7jBz-tCjcWk*^WSsHDJBjtPayTn+
zIS5W|9~Rk9Cj(%baShrD0S_aAU{-*?yD`1$s6>l`{`CBrs+l^J2+DpLYzmoT$hSlx
z$1D%7BP%<keK$Z2j7nx|m(s6bO&seUl2TuYx&N6M$-zpa=#`d1((xEl+tt8-!WsEI
zXCi{(15zs`XxH)BcL;kXjm~Od(97IprqSpEsza|UBuD)wU%d=4%H=U`zLd%38W50t
zz9v7AQs_l<8C0cXdFFe14uLe#bUQD_vsR`584=Tq)vs_U$KIp_a<|!21b*i`h?y6e
zO%1aFboTk!Ye)goTJ|1GpYqM-C{F70d=|b4<qC9wO1527H<*IdatjC{oaoKfQQB4z
zUzsjA&Rg;OU|ocWIjV6eYLN?x_@q&v+34+r+kt5SjFhU&#viz<{i_CnOmE2HK`Mkw
zX9+Q?rQlg+HvVw;V<XN{14XGy5TF?W%G70sv}Qvgn-Mf8D=KWx6DG|r<2=N(%!SHY
z26qO1PLXFpKV&)z?${ucVdX+i&?+M3v4BE#^Yihd2hA@G@+s;@dDzU21X-uYJ%p`;
z#yid#<K^6r^e{1|&Rqr0j{avEQJE09!=V5lfEKNs*AE-)^9Be^T&X))wnu|!bm#6G
z=w(XUY7!L^IjR}_6Tv~$$MG6#qZ9{Cx-bciaGg;owC+)qmfbU!XOkb&0UD97LHZ;e
zxIrD^)vK#GCp1c#lL0!-NFJ0-UUPYfuSt%@s&Mq!t!s^V4AD<&a~GUWQ|+$U9XI~U
zWsm_^wE$EdK{f~v@W<8jeIMTwp!fa&3KRy<p!)Ns?Tn(S7wfqbTK8TiBMsVHdLOVo
zM0io6y9+!#RGh6zNz(~tGPc3y$>Q~E3#L4l2B;x01XfnfM(3!oB~G{ioVM?r**+A6
z?N$Z&$XUTo#+>@Hah(wV<{pC=Q6AQ>6oFSb@}x%EoYe+5j)G5LquYiaY>^dES#QMA
z5zb^+%g{2;0)jzDoJ?IJG%xM*wIm)KsKsM&I!4JeuHHJQb5I$2*SLN~Lq~cAh$pf3
zV?E4)r>I3K;NYYaG(^9ws}+pSmhlQUnNucxP?uuU{a%gJ{;d?8MX}fQb*py^lqFNI
zJA!4WvU3H^YE!(n`dw&|=C4=3Ab!HfqO^1j3g^5=mB7To$enXijE^<@QAh2Obo1pk
zg6_nJO7wMM;OT`udUc0@9lb_3?{k;#UndZ$@-3*}PbFqN+OAlfzAWw8sS(pXM#2?=
zF^R-`>N<@%w@(<6kxPkf0$^k2f|v=*#oRuD1kIf})QA>ECR|AgSF<ZzZLyzR&a?#h
z3uASlh7;Lh<J@-hx5Tfx4LijUsTxkccQ8^EUwMu52X%pd2pOQYpfclpUnJkrtFL^s
zk=PudlI3}|7g&sa$2e;!IPCwVV4fo>7`vzEh;Ab(7(<zxbT{YoV;~Nei+yOAYx!I(
zwv4s^caRYp4<9%D5&Vq==jX?1sucX>xe&MaR<q@|==WQ>wGrG$wa%lQk0;n_Y^eI!
zK{Dc}dzqg{i{vF(l#T)0lr!4>%e&uWSpaNQ>uIsZ6NyN*CWKP-c<3t<uS-~P6*Lxo
zqEFhwdo`S_y@8G<Be@&A^She)85vU{-8Zba;>dQYKz+7q8p))5i@%b?1yNEP5+z;3
zg@gvtA9wVqbnw5I(1^Od)PB!f_GriA+{d~<$Or7$hi17!7WoP*Cb^DAvA^wA4q~qs
zs5*BruKxVEWT9CIl4<#2^t`C$y!}~^Z-pv8zq58&!SDcRR}|zFMUT>8Idt2}lB|SY
z3q%4oo+hI2o{5j)_N<l#JK4SXos<*DvQvaz)=G9Ci{NOT37YltYpg$|QXi@|Rjin#
zlhG30+++DuM*mNdQyPWE!)&>td1<!J<Lj#R9+~;EXQ=1D;w&WfA`K3EXb0=vTO&xC
zGLq5@Pb61QbMKt|&Wi5GJ#vrQ7gv+x|E@5GA|+^27bAdLF{@|kos{XidG!JufV(Ix
zhOyJyui4%4827g_?;ZpowW$t8uHRQW4MqcC^R!QvUdzq^uPYj4r1-3dC~Q9idFVWV
zCMq?p%OWPz|AwbEmCuccLCN@QPW7RBW9tcv6-|_d(i4-3;oHl0t9@^_<aCBj|J0c`
zVMRzVsXd@a>>Jhh=a3s4SesH5wjd1B^U<6HIzU8ErV}paNQU30JW5NYo?vbB%dW9b
zIHi~!xN7}eP`II4b&nxNB9G#aA)^ID_IVKW<m-U?;0b`Afl_YEK3;?|npwJf0=eb@
zK=;be3X%T9Ws378ppzbfhq?w1G1vXBH@@iWKu<LQj8ad5bt1v{V$|YufJ>1%4%i;o
zab3KuW%CK!2|E9-OecDbCHry6w&nE~+R_1mIPxGDZUO>CX@&q72(QmTQ9G9BL)YHV
z8*+<8LNKQHT*c&Lua>sP3O-l<ZOdDG3>86n*M5y2-4#+=cq{BY152P&1zhTZ(p7MD
z5TSg~vU*D}4>B5j!kaw?2;2?<Ac5*uEsnL4=r%pDevW9J{?N|)2u;Yy8kCkp5k^Zn
zopQ71?JcIRx3`X;I?pTqRwd2fRE8iMKyv~BGFt)Y$QXD6bq?LyPmvb6$o=n(8Yr}t
zUcR*!bhM90bx%$j8f)%F5*_0cV?FF!7@R0jSc%#b?K}a7!j0a>lizz=pyCxE9<vf)
z!!b(=oiIlLi=Zp?2($}duoXZT2|Tu-GGL%0?Q`WZYe7k)2XSzLs9J?^{6O138RC;I
zVAk4z!!sVG>;4Hqbjy{PXOh6<*LyVx>W4M}EQ{Wb<uyYnfhq7sjMd-aANbndZ_6B=
z>SazJJMLU|_a<D-*u)4A%T24*{#RRa?$l;aejA!iq?Qki6MsJ7BC!UVbb>qCYB(wa
zlfevIt|2&9!1mtlWJ=CtW+1b>tj~A>RdXC5NBq6^Y&B)GuVS0Gnzu>-`qw;nf`sG9
z9fyWYd7IEDp%#2iL{^L!jtXqOQiAn=t-j!O_x=(`PH3oQ>3%f?(4%qD@!W048Y)=E
z!-=_XuS8vIjePraphGy!)t%%_8_#i}jG-@CBJ{nKN5nh>V1`q|LeEhaY!YPv$Wmwk
z`8IpyBD+b8XD9$e+7t`a$zL&U)JF9h0njp-V1>EQma<eNA1FQ2&GWsvOz@Ova(gE|
z*!+z6h7jNS9Q)nR^fbKJH;*bGszT8lvIL?AC1cN7n|A}hvm19s0=F0dpl=(}jm9;i
zh}T)(-Lm0??Y%SJ9Bve8QJC+tao=8)VHW_Jn1Cd_+@=dW!B;}LPSDL{=M6^3nTiz)
zg~(;3TlTAo#6(TDc@t+3<HcT+M1(7^-+DM9m_$bIAqXr}laY*)C5$#SRePMRQQd43
z0D+GwW&dT9jsO8w?gx9@0??ot0qX&p^pl0O<I+G3N8d`7FP~*!bigDiC^moTZOGdN
zdH5Eeh_npIl<<=%02TLhc>Rz~^(pDRai8d9%G~`zf~iD75?v6ck1oP`bWIo1CM_?1
zt{J21ViL0&2y=&(HTvnp7aM-gh4>d@QPD~W!z^U`why5J?!ES;tBg$%`_PrdOq7+I
z@A)3_%GQ<Pak74Z?^%3ySA*nF^j_SkR%w^d_i58uYIlQ3uC^Z&MG3?g%*;W)1`$y-
zE_QR@T#0c7GH6z8-gb-&s0N&;4$gidDOBTmh_$!nwlaMG!(Y&m&_{62@Wrwo_!+%z
zrW$1o@8tvCMuTG0X{)6{Ke{b}wpfGBcvojB`tD+rK4{_u;kNM}DDoig=@g%OWZ3~A
z!~_5ue1>3AU<izirIp`45S(p6NYnr*>r>m%>?J1FYTN&X2U4|4eMh;pTMU1jYL?CC
zA9BJ3Zkib2;Y_&av^oMkth(NWI3KPgM}z3!ZdRo|(3a+i`y|M7mzhEKgUtB5a#jj{
zTP|1bmz-5{Z0>}J8yEcV(YDnhnw$!+tiaj^Y}Lv+0vI%aHM6wSu!_=kAzS*f!7I+(
z6Tl6%ZtX~YQ`?s1pFHS^j@fKN6l2p2!sQ&vWWa;t=t+#JE-idIHiJ+o*JA2*)h|6#
zN*;W<m9uJ%x+mS{>-m2Yl3~4K(@(*V1jb!km-7&XoN@K#1ev;)i=6LAeE6Bb)z&ty
z*3Htp8fVwYB1m@eM&hZV3+UjIseBED)cKf5jbLP**hbf_SCWy*lu|4wEG(e^1)ukw
zLWJP*cG8H)Duub;LPRakzzm{#&;$PpE#@sMAS@x5n{lpo0JV0T;fFt7>R0<r@!i)k
ztmamYod0sJk6*tE>(-05%kd97Z%mPply3PXS`%+*>GJ^3=;YPN+|GojR4(<to*{Q@
zS9_ovPb?jJkD}QAgSDbs#*U?%E*jhX{az`@r7AJeYZ8xNpZg0^V~gC6K6)&#xLg^u
z`m^*Ou{<=mL7A)GwSW{7Vb9x02}!51rWO%2u1z6%3A#Qb3pU+phD)O_So@xoe}k(e
z>?J(k(me5Mbhex_n-Du|1y|D&09CnTEZBZb#zZ%F8a0SCtvN>y0G-$en!iS?Jj{4%
zw5=mmV%lf`@=eWD<tw%1NY@y;K$QhL>Srjp=GR2qc~&k2f1Q?dGyeMKx4G8A!QvdO
z@l%}(I|3cnV9HHIzpU=;U$AN>%Db%)b_(&&U_pSlhRyo?uCPhq<V)D&mnUa3OuHfe
zU0)D9VYxuk2fMUN9U2pT(Vcq2Q=0w>E}%W64YskHakazJfFOCt^kOnb!q)~Kp_t2c
zgz7^&EhmK{w{lKKXBrU`NI+7Qn#!R|S)XSyhqdqFN(~9)Zcr6--N?2lAmU$2mIN~+
z)v^yG-z3Vx%iCVUVE=twX`aBfE~h`;wBCcb++pufkA=Q)7(6IUj&~)HDzF-?<hiJE
zAe-%%Hb)lQ4ZKU&1-RJdaWD2mYP0#&*A6~TcY`8xQ1(<fM=8Y}nVbN~-zjb!peJcX
z_BsjY20nDs$7(Xt;A>LROXzLzueO=Y?mfF$A6S*<nn2xFV8EBey?8nRjq@OY&ltj@
zQo@^i&J1bpzbBa%-xXZTdu_MrUeO?+zqj{g@{$KZKe(CUgmCq0q^8v;$n7b7JI|?}
zw51BNn)ag-cSw|P<~7CgX9|i1MTsnH@kgdpfs>?M=2yA}QK&o5c&_atF<x(D6lV|+
z1`NQZV4M$%QY{=a1Xa4`7}ruQZ;0q;@R<6v;l`L6I}z9>=TK!tU3|=lEy(EG1u2P0
zdY=BE=`m%R2vepGj(7Z?SLz}>quQbhImG`4Wu8EM`(LyiWDl!@4hUq$A`?{4ohO59
zmRG|eBf6%WghMOZ-JY%O{RH;uQd`veOb38owcx66L%r83${}cTisiMA2z=$dK`y7H
z;XOBWw?&Y-b0u9N|9wVrV`;1O$^sZo{(I*&;WTp@H%C8^E}e|fu-hZEF0ks$dn?Gv
z8G3WJuR7L9<Cr`_76ANBdvnqVgnHEjn>8(*32LFScgj^g2i?qrkLSJp*8)7p+Ww2S
zR=i5{lg1;BG87|qnj*KBm}Kv0rjj#kdOHjRZy!*kd}Olpgij}{x?53ndxA|Nd8?jH
z@_EqcdFu{iV_j1NzF}~1E1N|NR$eXod$ifv`3X&QRh&x+F~g-v+LA*vRQL(tIl5N~
zAT+&Y>MMQ{x&A{ad(Rv*4gxL;p73{$4mj8=8%dWV=Y~KY<f<l0>sxGu$2j-fV`sfQ
zkl^japZ)XS;LV#XJZ3u}twK1L(-fg^zoJ)b>0hiIqsLeQJM-gO>6WS1Z?BiYmkFGl
zmDKmyw~pWxy#&p{A8V}L+r`jmde`tLb;W2U?2Dne_8j}q|11Z2W&&{7*xYy+*CwiY
zFh?rD#16ZxH%BnH=5*#t`29_n$$N5Q+ui4sj(s^@qkC!pmFn;KwC8FiKg6|e4c1Q%
zvMGmT#_sV)-CnbP*BiT+SemVUVSg7=7%2d}PB=CM4bN7mTISzoUU?>d2Wx#h^z2Iy
z-80wvGGuObDg4SX&^W_9%2DZlHe%SR%O4!Oo&Kmc(g|o=nFk7&UCZpU(-K+xlna~W
zOI^Va>Ht8yy^lVmw%Y;fpJ&=pb?#(NH50~;+X`;!tKX1Td~~Ww`%0e|qD9=a==%nm
z$=bZuXEeuZ&Iy(7aC}|ZXsn5JC)@8w%;><A=Z?e+kO+K=lz~8Xvl6H`9q&|G2cRJ~
z;gSU|R^meYw487yD?2CE?aRMV%Kz}MTJ*vWve`R0Uf>rn=vZV|zyA(GSD9KCvm~t*
zFUJPSOyayiLb@9VWd&&)kQQOnDeXB&oKt-q88LeCD+G1?^936NuqML9>p_;!P#up8
z*;nrQQR+O5`e!wE_}@ngIa)3B=1yl>L5nHe-L>@EFY~m)A)e2<iO>ACpU%LJIIvOb
zN$+cx%kyLGv3N$Jxv)G}ayz%1l|*xg<xA^tNc68C_YDM}XvPUUqkwM>s;;<q|1(ur
z{`EiCtuU_G@)Yf-d`)A7--_IYrcQ@aB{UDWdkH~vesp7;<)0~D&ve~>Y!&pe=6%jz
zz(L5R<N&9X!(7^H>19jlVX}5GM*Ytv&kp<Nan<tXJJbA_!ca>Ch~~V@+<V18k9c(a
z8ss3zUfp42Wc^~S1MBN$C|3#qA+_PO7iBs{J)KGiA8W$?^RvkaWbulQ*ZhZ;1j!Op
z?{7bUwOsC>jkag*$7J*u!XA<ul1TdNK`BPJW~>OT3)YAKtjqQfU8Q5Qo;NkUl~BKP
zAn;~OcCBl8@fQ{VFyxtA<6=d8t}wmNxc@V~tC{Qx;gtV+K72};*^ZSHTGp1E^nFr9
zdHJ9H*ilX!+V6VjBmCI+Cv-K1S%i+VQoC5;7I6<zE-J{0@|K6;2A56iFZM0m$Xml_
zoYnr%`ZrYMJE{C@sJ`M4Ah9J?$7)mdu{X?=M4`R!XdS;gHduWJQdl+!UVzNbamep)
z-jCebm!s+3XO;O)Tm1RdfL1~<I0`S6e}2a$_>PXg?E7CY0_9=>|F)WzEw)whEF&CQ
z43GT{5~MB$A{oR`TKF)FBsBA^hp8Zxtp!n(oB0;K>(f!}nm*7k;IUK%gh^TtI;8Xx
zp-UbO^sk!Qmg6Y;yiP4>N1p+alIeht>0-eBWzq);+(swve@lM`*>hqDBKP#^&atR`
z#&Kzai}aJl=Bbc{gO5RlYzUFy_seSnAu$T>;TNcy=E7b1VkCz_C;8)}WGyHdBN6F<
zZ5?G#o>>?{8w|@EQ7=Ojt$^odb|B_3cl+ddUL3et_>nN?8PrZGyqys(q|f8?3NLsC
zCq6<rP6lzZBFUor!L|uPhHkzLG#Os20fF;TG36b7<QrImZhDZqndvX!<fz!Q({dbi
z(3cWAuz`+!f^iM4bzy@QD3vJHe{B%R7r`;#rO9AzH&%k}k8UhiDrx?dwNLeD^@*z<
z;RPZ#%(OcrzTpkT6$eE?q?Qhjh1P|wkO;5FFG(IWiqiIhf(O;+mE7fMvmbCt$1aGR
zKta~48mW&5lyvSI8*x67HZB4o6GHG!gn%~}1a!1fV5(f^Q*m+wN)cS>q_^MSIR&~;
z)EQ-)cX<w;QoH*ibVr0EWWG39QqUl~FkB(#bCS#(BDK1`n1{@wKITxe!~{}NK)+Q<
zi@(ClRgk*lJ+uaQKtCS%jL%R6rI3lpJ<IEI9jgkz{pybscz@RIItP-`Yog}T4LCYf
zxED3Y814!|$qqc%^DmKb-)ZjcYx!qvQbH#jh<kdB+Y&6XGHhDTE~=~SLQ}?6$CrOc
z7#%-LXBW<^QFijPy29qMzh$=zT5Mx0b=3U5-ozt_ln2Ptje#)P<#A<RL*olgsD{U5
zRNZnVX7eEXWrIZFh(M550zBio!}4Y0&L`$jZh>$sgRK8!V%u_CW8Rl()%;;Bmm{Vw
za(s_oYzXJ}+G}H8miH~ClT$LhN?Npjm{3#7bIyjV^ac@C>1R)q3THFom!{QTn9XD>
z-?Tbf&jvB476nYVD0d~BMrBJ~Nep<X)xq%q_1v)eIxP1OhZ6>n@o(H@IHgfzZw$3d
zw>IH5`8fBTS?NmFn@MPVRs*J30tfrB(4V11ZF10>UJUmuc?U=xD@*6S*R3dTC}-6!
zejwQcR6p>bUdWe$J9k3&;l^3e>3eFPQ6!zL&G_;~gh!cFk;{J!0#*PRgd}IS#*O>A
zBvjFblBemP%RmK}k8<za5;N(>Oh>ihL*<#-p6rwc7rbt*>_BgAMM!^{!r{$h*+^H*
zq<VMf!+lu^?T!p!3D5T08=lRe?>f79QT3gntjypYXqkXC;?T}ZS(dr#KQ6Y`%rgTi
zo$&8AuU+q~P+aUQqJ6<itHPT?I?Wf^o?{r{O~EsBRJ#kp#ydxPBs#|%$88SJw$>`t
zX1K0gI<W`+Yxzne%t&JN?i{q-X`i|9XU8EX!z&d*CeCVy=VHTCB_tLaQmQqB20@*D
z@1E(A7h%$R_q}q8kDz0~bk@qreE%wK>Fn0CWGNfgg*=PgeG3r&NfATBl*dB-ppm=H
z8yk<xyM8_f#U>HYWpK>t7CRETK%$gHGC+vc6#^GO2!CTc5m_3nNRtL-UJx;9>((r?
zV}Nd?rrh(UoHdds>=uNami2B?HEnRuhcM)niXe1H!5>ro*YQ9uR~d(1Cc#qXFhjGT
z6$j!)u=SK%F2DBPKRXbfs}*&e+E((mk$2?yb$(9P5IR)>Lu01gdS>4zCD$(yxG|qR
zQg6$$Cx21`8AOEoW^8G7N840dFYh4W4pJNp(&&aIumw)59#CKr1wMp+=>|}WSGU6p
z>Wm!-u%#|V?yCr-;M5YT>h#%wag}-^!0PJkY7VKm=H3Uy!p@J_LAzxrvZ>#iC3WRH
z@to;#&X}I^hb2X&-l$8vf!@^EqR(B3Z-HJ1S4uD~Q`@l#H@1&PxH*zS&rr(PWmkUt
zs>sbGegb&ACPiVnea)Iy?viWuQtU;z6cCQSdcd8xGF{3{`~F-@3<{E|+>-^(jN{lu
zF9S48o8Q?3CG$#d=RmB1j6bP<<8=*{M($fD3_E;L#B~?dGAuq{HzwL#?B{1)JMAp;
z{>L`lleQoOc>Y2lC^HEwwTeUqMHywC?6qXmHPQ`~vkhk`UlQ~Hr9obU>~L5fDSo?#
z^db`7!Zl_8H1+!0CP8M5oLSoE%fz{>*0(<;xBko8gA4^iyt<UpICSk}Zxa>22sYif
ztZj!3ZCakid!yDTo&n#Qzt`(5>mC1^;Doy69noRr${GuV+*Wn1@l-z)AiY45?@^U$
zEz}D{fh3D3=yae}SW9kHVA+rAk&F9|NN6oggC_0ewCrZtaNmTY_hmcX_LXl^e$|40
zviZbmz+=aI9Gg>d-EuRhjpJ+Lx@Ml-L<}l>`7%!%FvzhJ9HV9;zwQb%CzH0-j&D2O
ze@a;2STV-%ho6KzogNaqpmr_~UbNg~bF`sowr|TB7c_P^>Mb&6nA_|T(377Djwx%?
z*lFU~^=^-z?S`hgG;Eh&ns-e*U9&ak{@2;Oejd3HYR|4{`0}}~jNYGr<4>ZNzBd1@
z$Hv0hfQ8dyxpM&TVzS_u)~3RS0h#Y>hMS75-HeA*aWAF+cmv28r$LY}l9^K3#+IAO
zo@p6V7F^_?IlzZLANtlfQ;j2kJ<P*$C3WH7|1|@X;uokk;$oglA`rD*toPH&J0|fz
zJhtB_kLC&tIeGkS;ZWZKcB@f2N6$}x^i%L(A=p3c#b5r)U#_~VmwikoUj9+sVSWiT
zX8$j^y*eXWQ}f=IM<K!almG8O&P&Q8X%2ELhx`WWoWIceV0H)*SqfU_U4f_UwEjUj
zx9;EnXUcT{e?4VL==*<X2XL|;D!$-th;{*(SMR-?e{WNC0yHr6tC#BU=b994b92gK
z{0uA{e$6@enl&VE5gfue<XrNjS&xE@-&<B3>j0r%uHI}n9<n=L*CYIM$%^^^iTFnM
z=AS#{g(PbOM#O?k?cZ^RClcugkhU9(Uf!c%W&ODe=eqw1OpVq#<@6yWe+qh>lmNox
zWxUt~p=#4l_U_O9?-fo{NgG2~s_{-<$T|+AUoLjLvbZ(sN&iv6av6v4{`aB%O65ar
zcV{$aZ8Xv=)P>s?Bhe|P9Q^tF2R&HLI=H+U_=AN(0mnBNj~DBn9kdr+f8_yPJe{J|
z>(Z7fN){4~)Zj9BV4fr7b4GwS?O&!Z^(0uV$dW5BW1X8cUU@s`f0oN%@Et3lY&eJ4
zo5NosU6?%B_Q9*F4&zBNCTl-t&8msx=QxocHTOndW_qPrrjSo}*rHj^Iy*dQ+is6N
zFv4X!#OtQr7k-~sOroBpJ7aW?c!hcHMsw5iWSyU~KK~e*pPC|K`8T-iuJNzk(9b>>
zLiEqlZ5Tyv>g<+>opRJ<FsTPlKuT1qQNv{{QBAB;UP|?Kej5j}5dgQ>tYJPpJZ{m0
zF0A~;dFo?tWxj~`Q@nU!=%apkV9W1N0{4Kl`=r2j^s<~W;{eYvhN>UBbqn^pvvNdz
z_tAoaj=S$4H`Sz^aeKRFk-7nV2w@T2Ej@HVO}AcY<2boDt*zI4EU81IQbqyPl%LjJ
z+3e!LTz`j2+<5%t9@Um5W|kdZ@b2{_y&+Ij-n%T`#Oak0C3y1K!^F)2dA)h7r@dj9
zz0^zu*VfBwHJB2MrtL>!jVp0wTpd*NcZv?uviKnHA@R8c1N+1X=(7gIK(W9v?y1L=
zM+Wm7`?Z`&Q4#uo-7vjKmZ5*fdqpoYc3Us{r79z!NRHAfg9&M606xa+#xSsU^eJ__
zWaDf$0yzKBGSAod(ZBi$(cZ1863^^2%M8H$X01fjn_-_YI$W@DOy`6B&AeTEB0$=X
z00r7*(o?voiqm<3d*t1Pz%104-b&0A;7E9?%?a$suoRTWhZT{SiHN*@jr*v{(<BqC
zTql%~Q4#H67OQkcyH9|}tD^v;Cg`~0EN)&AT4DCJyR-AWdTSgb{ZnRb3bqL^gS%%5
z_2m0VoAb<-FDpn=pgkz<A(&=1*7-NKA3%bEA7ZI7SEtd76%@ydh@)Mi)cB1`bRpFo
z=Q!jH&BS%`>)Ph7>bQK8Mh}W{B>bL3`>OjlSOswcY4{K*qK`pmVCbZ=sF_;ElWhQe
z9A)CTg44>rL}8LtjQeVp{1B`<*OqEvOu;jGJ^?$ue+fr<?T+BJaFUKzbLVu{K1<gD
z!QG{$HZQ69c;`)OG&=`O#^G7RR;jy6^U9UYXDdgJ1!f5>DkaG(>+M+|Z!%yRD&xi6
z%8j?rV$EG_bvvd072U~I=LJ50)Am}3jKJo8-sxzdy}V5Z?y5F_Gr<|{?A3VZO203j
z*dIE%H+8U%4WkX%826pmIeu3S^RDXJ+$#&f=~pbV=LoNH45g(%i(~E2T2K1dQC63P
zoQzcKNfX&fILwPt&cJy6nZf&!lNVK`{#MPCN)26T^GaHV{Sr26(Z2DHZv3oaM}z<s
zv%@u~j*NZM*B-U<C8m-knquhRgcqW_jPpP*)n7D!Jn^{nP#hy$!g*&AR=(E}Tkcr$
zny2G*@J-d|*bTm8(2U2RD5CP8<WqllY_wwO%%+b94aypU{2dcCAjceN9bDF18GagA
ziBMiY?lg|pg^uQw5uqY=BM(}Fv8OK^=ky2lq9CzQWR>2+AueJf=7p9Rbicyh@Z~?x
zh=r(NjBK;LJL}rJAayzEiY9axI9ke2Qw=(i<*Tp00&nSx5#^`(FS?yM3qF{`gLrX{
zC)y8%M)s-CJV%-5qhn?|Ms|!~zTV?4f!I-A1EWdWcJU3JSCj;hdrN3DO+MWn$@8up
z?x#f0Se)S{$he#}kqGLbN{XNk$}~9JoNMB7*Jt4F^vN=+FJ~bAp>byK$MZa%?HxgQ
z+7i6sBR+snuT$jE5g(xP@i4_{Z4S(Gt&{Sl)$jf6y4u1#?0F>~oPic4&n!xLc9S(D
zT>j<Udp?9M+dKV5f=xERC1J7<(>mej`NnJvD_gtsIwEY-(dU7+>qBRsTYNj!56#kY
zg*=NT;_YXR2Tqk9h`sI#Cy`&i_WT`YoJu=XNLlL8v2`EF%CII-I2W-6ZP4~Tthlo3
z!W_9$<;P@>u89&X_||HPyY~^hkaclDuuoDsV7fKCEC23FUUQXM>yz_t0U8c3V^B+r
z+0C?j%dhi72akJBzeY$+DOL`x86`jPXoi(5v!q+eoS4dI3>i+p`5xyG<q3@_aMhm*
zN#%TC@_J={@!x(eGu%12HSt>wc}23qYcy@9M|sX}^;HW_IWZ+xXlz<-+1gHA%0Y>f
z-aoZhwt;O{kfW&3R9Nz@p>|x*iA~O^mn~7~b^TS47#@q@#L`*~yp=O|!fW*0qEy~)
z`dc2I)QxafEG@1cg3g{7w;!~|r<{t|#l&8{lC1eO+l<VOCr*@YIIRa&V^(Q@%QLYX
zQ^Lwd2Z%IHJ|()7hF>D)u=6U~i@xS};K-ouiMg7fGa7yM89lCET%td_gFed<LYPX9
z#eyDUMVu-mbzYL?#_ZBDmaD}jAxk?yL=tnGYZsbZ72Vca>@%90jHcX}mVPYE43th&
zu!N>D6?DFO{$XE(d$0Cz((#52|KgpyB*d}f^WNF@MW`I9JFV>o7tjf5{(9MPpo1vm
zs)Osi%TCTTij=}r6+>EsQ#$79SI>R53-W6bYf&6~cw4m{tubNj??Np}zRHB%El5Cb
zxObmKNc|#hnUx53LdB`O5(!PQ&EMXlT?mk|@-ExMxlVG%mulr!Y$!UDNlVP*1g&?r
z(=o$E_A8#uqWM28-?11Ju3i_a<}}#zv?u9hO1AmtvC6sr;pxt^OEvsmWl#1z{cFxf
z=?FOWSOj8S_x$q`4n<3gm+@)YygEPIl(3j$tl&s+snNxDLRffI-d3iyd+Fnk{^82O
zL+;IHa$J(rGk1HIj2+fSQq<fvoJ&3~=H{^Ts}V+>QXpBu?!qRv3yhC5sk??jFaFnS
z#0?`H)oQZvjcR?>sO<xOPf-h&e~ykn_ZdyhY0I^b5q=W$HzJ3lANCoYEegAmXJ#HS
zd!c;k911$hRYQNtV8HyE7seeN43;<&u;1nV>`PER`!E~x@2UUJC~ju5yfr`Cl<<jw
z96G!l&H4wwrv52&R+5x1dq=l;mIbSULN8(#6)arU7;Yno=#B|L+#v>Va~0(I@p+8p
z=@niOL*`Qgs=Hl0Q0P%{keA{{M=~MMV|1sY!fNmeF~=TDe=bN_zkv=`ck?aCl7=Cr
zlLTeMtF_!f7l8UCCdeg815o{IjJpa*vOfjw_Y1dP$xCb8k2{VVjP~p0*@|<sZ<dWF
zkSegGVnNVF)S|8E*Sw@G9?gsLToG$I?Q6-Njm7?MGtGMnol9dieivO^ZqrIVe_Uug
zK8ENorO8EQ88#5oE5?z^1X5gmM#unqI`<*>Eq_BO#1g8wb^E(NxE}62I7uOZ-)RLB
zv|YRA-5F9)(B11leWMS-`<j1C$IW^md9Jai9J*|O4e~9C<+o0TPXVeP8*;9b;b~L2
znrrdgwtTXGFRhYiXX}XHCvDx$lYw8ezVI}<a5V~BXqyi4>1q~{rX>iCnG>Q~%O6zH
zFD8h2P>J{5SdjE*P)eYHNtFPh^8IQSLO^&sZUOTlJREXMX@t%yqV9XX^fy8gDiBD-
zsl7=X+*%pWhQZLt)pcbUuE5`v$~d`gcQ+TefJ5Y;(<N}`@68ZTkd*gDL!3f{!qKhQ
zex0HxVIGInsEpKzDqni&*M@L#+ufLdoiiWDzCbU^Xx0sYZb|>GS!un7EZ6;=kHuSK
zfIq@N_9>#WQ*q8$()I8_1oF5aQndpq1cPa=VjR{LKu#WTh*%{ecWN&@j3pVp&?a{-
zv6NH8HPmYhIzGH#(KsKg{Ed40>fbXa3Ws6I;CpC-_P$XYL)bkgMLNCkjeFtFJ?BlW
zfw`jPuhJH=a`q~N2Fgw%9f!q)BrGph*qNJFCU9X`8``m4AQAPY!Q;SF;vRl1XVaPC
z_<hJ}Z;J~_@o%`pkqKef<U7otY=d&Q1oTt9WIHCg;R4m%mE}>1h<K*9*eKwvyjfdM
zjT7_GS?Mix=0Wo6un35BTx;#;%^QE&hthDc51%l<H*&fjlbJpHdx0PPTHyD{0*C5P
zza#A2R1ZPf1r9<zQ#s#4<M2X58ou53XGl+bN1(ucz6wj;0f!F1psukOW!L+JIOGxZ
z0`y5+%%+{6=)`p%z6~29CBb!d;#ozP{aOA^iNEKK5{r59B$bKU!(JW%>CBh}<!^q<
zQ~L8&Yx&!KjWx_0S_HZTC>8qZ)`%MVML3RUN90Rz2xw^l3uxM&<aMRr3X+Dt)MBEW
z--pi>Y1}!8XOKI`FgYPoL^B3Nos07d9It|7b%+?{N#}SLr321C0nvPHahj-m*YguC
zLiQm;rTpRU<&E-nO^{jt7@#(n_2(?Zq4rF{z1b)D;!SIxeNB`|yh2PhE+%?PI!OZ8
zSs$rN8HXF<`H!x=k8aJfH>QrPwF*Uf4M*9}1X77SKYoTP3Ftp_Ik>&a7s*gyDn3EA
z<2@CD8B^wskRKIWV|ev$@+4~YyMPCifL8bWB{;L2J;0GWM)q#toDeij0o18h{1eB?
z#<QwSI;Bpsgm(a8r}0w1<hLP4$62;=;K2D#huFzza;Yj(Vfo@1s%}54YoEM=J)3aq
zzn5tVkIu1`w9DU|h>sJTo}b5~rcP`Zo?9*s-DZk1zRpOE_se!288Lw{*c&{vb4ix6
zq?A~n9{E&mj9vXScJoFhI@W{=c7weAq#)`vDPQd0S0oL3CJi!#OSfPIm8TP61dqIO
z1PR*((H-NBUfZ)#Q2pyiX1w7?II2cUuimT@2>L*vIpxB2@3tTlVU~O)C4Vh9)$b?#
z`6eIEer`Zm-M8e&D?RN+Mk89BR-alGZ&X@h8M;~kj<##FCzL_1*pk9dM;p*BgWtr2
z82`G$Y0yOo!Fm|nrVwD1B|ToX?)|Dzr<A5Xjusb-R_{u;Vru+*&Xizs^U2MxL`;e!
zkRmUB7BFzd70^gvfqO0(+#fC%31w7xP9@^<_?^h8-S(={?R52ySJUU%)IA|fst3aH
zd|yo%{<c^TiQqRK-KvDI$VOkHTYq;9e)Hl$92@Qy(WQ7xrh@w7RmNUWbfmcvN{<|N
z$?(}U-}Dlv720H(przmo+C_F!g95Q2BzF_;YwHTA!G6RiGm(n{1o)i{ts7=0cx>PP
za#qg38cd^KJ<){EqF;5bZ8u@kWu-jYzLs83u~KX3##FpnQ+h7<a$_XBUjR9OGGKYt
zE8Inp-qV2LWew>DjKW46z_kHUr8@%cfK(hD7kWm;CO`sOA4EXs$XGxSRK@Zk;1a>8
zU_!%ar40)>{~-_z4wO0*!SJd9XdS|1qUcY~e_A8Q@Ds4>XfSLc0d$dk32Jzikcv5F
zrd#`9{u{g7;r@^N!caln`0fF;NZHVa-NU`LGxRBneZvLT)b5A-j-^g37=Y`Pu6m41
zAm;9-Rpz29(*IhCdIPB<(?LIOfGIz5v4YF}ojd$S2&)<g;s|i+mP>-k{5s(BV<`ag
z)tGR3s)(t<Ij_Xvi$YTKRnSge_2IU~8DVREwv~vL*Rl~Ox-)fUA}*@h%(P!PQ2E;k
z%sht8s)#X~t`D2lFI~BBABQIH(6CU)pHQv!5muF=cz%o3aJlwn`d&vBdBV26y%ItO
zS*-pTc9V&C=wcqjV^Ry?e4EiKY=!{(_X|+mHT{+z(@5GB&O!t?|5Mm)DQcNIviUL3
zufNmCHD>8$NQ2%(?}ngwbO}0repJ0ZL?p;`Edv(fUBdNj1nN3V=lKf@@NSa<Pcbzb
zCj$%~qPH4s`;0ftU24y$<;7X}Eg2vfVpyog^I4uR-`~`%VSxhN7LW_MpnbaA)-pOg
zv-kCzF;DZ@`wi>?^a)tu^ZZr=H^+lF`7Qgf^x2b@`iQof3<_O;Z~)NirQ{^|Rb5(!
zRNR?ReMo`@e69ghQp{z1Ts7!l#6T)_rBRrzMHB0_Zw1u&?!n^8dcIKid5E2jjhv2l
zTrbbVlJ{X(ZAp>Ctw#>tb-#eK1-mS1(5ZOMW33xw=N1;iv4nj*>ls)WW0=HZb?}6r
zRc0P9SiHmCW!Us4&XVc7Upl$4Q`UXii73O08+TsRvp0kitr+RB-4G(sfMzu}du>Bo
z)Bqj#QA9OoklsL{k06`rdlO$zLm1Qhbb(v732)C3SaVAg7y`oTmUl;~uOZOco`o8y
zNV)+iK>h~*tjt6r@s}7B%+}S_iH2;am3yV``*&}Mzoj!Ec*UfYaQm9##7jd`S&=Vr
zMVg0BnuNZD`S=`sL83iNU*hlr?wMJ+$HUP7J0jh6ck@GyvtNC<3ltuu;I{wj1W?gw
zuK5s5hCfy+1<VDH(_<F>lT>=gm4fDLK8g2I;0BBPVl}5}L*X@8#1+L*l6sQ#658Rx
zZe~Ru(e}jnI8kyQ(F#3n23(E;b`!ph=fmWS;D%)0jsSOt0UP?=FAfKGQ39&^$}Oe*
znio;iZHezs7J%TacxzPH=ET^^TW}@C*uCPJMjG5>MH_YpKw~v<6i?GE8qR+(+yG#-
z?2V$s{qG+4$ulj&BGSbg0*OYMy*aY-!cIywbO9J5(c=(+%D0;3;g$yX`56FBM*vwQ
zi*xryfepX`0voRpqdH$(bQ}F;t_a(Y!_q(e{K+gO>9OtkyApiO8~5t7>{RHJG%=<+
z6<eQ@3)-a;8rTKKT3n8h=MK3YYDN;5M-;=@YY5Kx9dD(_QE{WFgFR=-=ft>B0<8uf
ziK_7+sDj?CaDRxfENF3lfb)_6P8JnwxP~2xIzugbdwPUY*a;upcU6-rkUdo}LVF=s
z0@W-6q=j*eTh8F^{AHgr)I-U6VdVOFXD_C{z<<kV(lptYs2gw2bm(iC4&_*we2&#1
zi|mM<(6h|;A@;k5<~E@0ig8`2mrBT_m13jZ@E9b`ae;1q1~ml43u$Og)+Oi_8p7Of
ztMPZNwl3k>sVJ6h(|Da(KhFDWR)Ad@DPLY3Deg?DXHj0*;#=B4L)W*4ZmQ|(%9bJ#
z-BNuwYNHK(VxnLRGNUt&u^ZI-UnElEFb%dJn7}v@VzC-mFWBqOnylDr9VSO&i1#+`
zEK~ngFeMo|-z5uUNSw6|V+;##2yrI>k@0viDwKh#-$jb|9H)+!(bSDQx+C&Jy~o%V
zZxD1uavRAqjHh0YjIWn*R%l%&%4Q<5t}kSWRm?dvxljstZ$+ckh8_k9C64w>oS`dB
z`*N<Y)-a6vKiJ?}4Xvj8t75(F3R}tjmoa?`#?<}ZXm|)1Q|$Np<dZI37N&w+gv&S>
zcKPvICohocd9`Kc@}fIS)885U{0#FpK?7>8i-n=L+1f2aHuM=2nN_|8c0}&FWaIYE
z&M`7?i=c>D(@7P)hUQ#{=1(nBl4)`FOqv=D?{Cs486Gy6t2};2Ocr!qpy(=J9z&tC
zTx7iA){Xq6J$}z8e?sQ#;$q;6t`p(C_J2%R%c6d&pSjylU!v(*2pX<{m*<VX20m3K
zHalA%L##&jf+>=_PGedE#(!@6OSE2ksg&P8^Qk1U==&2ZOt(Fmui5tR#RMPH76)7s
z38S8dCxi*=6Q$*FDZXPbV*A_2*`ceH7uv7+{E{yDu`RP=HGl2Ky)Aru@4r9u^F7ry
z2+kxhjJ{uD(O+Pgj&HLqb21qaH2*V{Uyj*65-{n?Q(U2yC4D-^>t>+E>2rpQ>H1&(
z_s@WS<N`dpF#XNV(_w_QI(9?b6y1J~weh+C_MnbzH#MBt|A&WJMzDn=D^ynV`P2Bz
z$F`SlKH{(2xVMaE@AAKRb~r1o2G@*+#o^h<r#>jbvzt!{TK~^yFGHSPQ<6fM3fw)+
z%TD%MoX5^wdM)!mpPdVNcE;PAr@F`)nq|;N7pf;Wl$^(1R(6tzz#$fA##yeo^wP8D
z-QUB}rx!OPk@j@)h$EE#PSDxCRj9Lm_DrD9U;F82xK-&2@dKIgX85I@lUX|Um*I0o
zIszB}=Yaol;s4`5|60mFpU*<v^Y{_rNiJDZrDx%ywGA7|K>{|!$mm8WvDRNWE>W%v
z%KiR_eZ&X#@UP;%20rNMTJh5&ol=g8xJ&<X$Adi;u(qNU`1J2FJOw}5o>_7KvNUc=
zMRc@uYF&_92FZQ~Nud9qhbxWpq&jTtbxrvc6NZLc7zjg}S1(Cpk|izB`_ZFVq$AAt
zfI{HkKY;{OpCC6v#+KyuS_0Q#8BNH^MT_(FvBs&t&EY@qD-|K2MtQG=*D>o0GpOv4
zGIjfjj#VoEZAyN=7kK7*e6jF#o_*)}cDdZ}OD@kIoA^JPui+W{tQ>k2(fs{Cq=_)r
zPX_Y;&;5Qd@`c@K4E~=m7e;0qT=cp4yn?7F(T<<{y#~MElp%}Z`nXC!RJP<2#>6<i
z9u3Bx@THrV1ke8d%+EK~N4|jX;6B6PBMu|3E!mOv>u5GVrqK=l&cXeBuP20fP#VsL
z3hp<4)MweY(~l6t*V>%8^RKMV(T5c;K!`w`zGD`y+qpr67x)-!KmpoaECr(NGX3#H
zevY9Zwr+20Bc1uGT(OK#z#~TV*Z3pTUbnJxl>akYLYosXgx7jsl~VRXGZNKp=;=qS
zkRdo?^@#m<8}ul`Ax7Py(g@S-6ydg@;Kdbqf+lt*&O0Ii*6XpPC%=mA!#`{0IS2=I
zL3*0(3=G5M^RpCsbTwoctjxLpN)I7JvN;LEsI%#^WQAe$x7+B^kJur@5VS-6537fQ
z8O|k-HxaJqoJ}BL3Jk^4x(YLqk<={u-~CvL*a(Vh<$@2(a>Z5>)m|Z<O}NWzm6P?o
z7hqR&;4UYLX!|^QMEh$7aS$6l;^(c~c?#M+2Vq@9zWKj4<mkj2!#1}%?U`FL9reJ3
z$at52L=bDsc|<UK?D{_m8*!XVoZ<6F)}%BR*=yr%oU=b|*-M(rwnsNB@2UQe<=}yN
z;6Gm3JGdrSoQs?LkZ_p-=3zNb-8S`aGj{YI!uHFR|DXQKrvw5X2f|3ec)0nTn8h1l
zNkZul>G<;?7rfA4proLDAT(6w>IiOPL;bC(fuHN!j2I&~L0HmHn9Z{xh@oGjA<j~d
zII?q<`dGj<eG2&7t%B|kn*1lp`I_|?$%|fsXpeq#G}pl`h@CEge_}AfVsCZj!m_et
zwqk9Sey}J1(a~MsW*8hnpIX08LktUwe?mR|XNGm;60G=UN@`wiB4r{yvSH}(!R^0B
zED?=akxDLH8ApZt*c;BnHFQ7KpId-J8g`R=IQ(1gco?!|dRXus(!R8?8B*$JLp%-O
zNd$f9G{LvFp+~o>w4+xj%b#R6W73pRiWBhaFR-Qql4yN27agsnFaB7bZn@htP&k1M
zmGI3CXtV4WL@jnrhd%<M>9=cR7$lmzNM3Y;nq{>5>C>Q~pq*_%arOXP_Fi3J0Avj=
zxbJOU2vnV;7IC@#F$5@k^@ZR%6~7bYI68!<VDoj`pfox6LYMf~7oxEqNa#U;NXm5&
zi$k~kq^_>+gT=nH?056pTebx7f9_oaBAoYmCGPuIUhrE7Zp?QdNB>&vV2)%FAQyXb
zc?iOhcIYV~pCBw)IS(OQHUF^NBZ!f=E6P0%-9c1p_^|EeVkTrwNd;_@Ttp#I1%#ha
z@q<}!Ac|tmlt5E!Qeme{$&dmZ*#Kua8RFKfQ{4d4Ep^#=Zqi4#+x;k)4%Wj9AGxvJ
zyukLI*E>+C_>ijJmW$(?1ypB3M#VT^09d{wpFtW~)JIV~7ixRXAR~u(6$!F5Y@JJx
zS76r2p-&Kfc;9x%uAv4#9eycnb#qbELC8|i?3@;6sBVGduqZL}P4O~IB@aL>KMJ*d
z70Rqk>+6e`fmQx^9EuCFq<7y@7oO6Q9DQ4XO~H>?&>k7s1fo_{Ys6{sb&sDz-1r(l
z_=7mKU{R@Ry)8M=Fg%ke;`)u{;cw%7iAgUrZ+CeV6OKgkK~+QP1jHi8L3e1m4+x_{
zkn(xojj+NY-tU{DxxP!gxUk5XmB-`2HVy@p2l%7Rn)WG@&ywHWI5r9#I1GQ)i4=w#
zkaV(F*9bw*$jPfPBz*lmVO&|EN5`YT(0SqG)JML+!X+GmOvKguHNFIxKp6dT*eM?T
zkJTAr!`PH9fzn1YtldF1$SIwBr5OKQz;=wr#^;4^1|-AY9A=~`B~p=a>a2TMLG#`@
zi^BR4y7!AYv|G)7H~M<NBw9F}Vq45HZg~zpHQwYdK-lGd?a7HzU=$o^H?~36N!dUi
z&_bTs7SPWb8iQkVXcc-QnQ(x_qYr_n@a>|}Q3^Fl34<dHHQ+XrfDN}I)zU%)*7`Ni
z7?jI1th%G@{*YXyjv0x%4+M-iwcGVBLcU!B)JFCX**X=try$`tb@;+?ZgHT9r&5Xt
zF!{BxcKh?usqrHFs*r8+&C>+-8;B>&43}@mIIfOCI^<@uB<{yFC`A<?Y)ouD$0cIi
zI@G|@hMq5&hJ(s|&fmWim?(lP7muaIxL8V*xoe_eHhn;9gGE20h#~x?HGaMKXg>sd
z;%BM#ea+A&hi*WtPff4nwys|rVNXqw4!8!%WL4wXw}{RHM4cz_aT>mvLxv6C%tXl}
z^b?8t=8a?8FL=%N`V&PTx_H_fDs);w2W@Eo@zkRX7!%iWa9iXc(?^pT`@BF-h|znQ
z2Lh$ae#Bl1kA<UtUOs&Imj<a^XFC}-7`zMW`p^PYf0|VaX_zx64F@}}#~-A)zvq~=
zQR&Hj(5eNZ!h1A@`p7RJ&u}aRwYlC6@itB860{@sJ;(mSW7p0&K2F=@A|oUt9Jobq
z3A*nIfa<_Gz4RO@)YkH7I4Yk5;~R29(I0_x&!aAmsq_?X+5feTg<V$JukHajVf?z=
z0PL=h`7jlOS|w4P>XbVl%>HI-x-TZbuJ21?oEV9~m)1KlVpOQ5$;GBfb_qy`VKiq$
zF%aGA)5fN}&{K9<K1t+={|UXoxa-)t1!DP2RX$h>irY6>lncr>ZteZ)wiL#CmUVJu
zbwQCLq<G-d?TP$uFihKrf}jF8$Ne1C6Lu;XO-dk@+;upX2FCXtd)^d(=L=-tG#r}u
zvo5;tZ>S*>Wgh8}jQR{K16yuYi9Xf&WuE<y`^JaJaT>V`w?M|^;_49dqE=uWWhgiz
z^(J0#>q*Z2ay@O%dR2Bpwa5;dPTBenHesK!ONe(agD%x~1`jSCDiCQfeTNKTTSfc_
z&4PD$RNN-5{y>}FsnCJ^3FK%`A=Oe1$4(z-t{Wwgn0!)P0h_*$eepEqmB)|;+&ROb
zoGghbgg}uLZQJ_eo|Go=dRZ2=KHls-gP5%u#63R!XsrH%a-U!*V?Ql=8$FE%N@c?1
zK%roPtG|`Upg|d8h+t19LL9b5i<oLC1BO86%5AgP1RX2Rmz}@}N`$9u-rol^W`pE<
z0x8IHTJk_eA^$<jTy*Lnq@Nb&+J@wXW`&j`wVV~KO3UmfPh{v;P#K<X&dU`{Pe1bg
ze2@Z#@1?s5Sa5A37ry5yEcrxCuS3h~l=NS<ZGA?tnQ}4Q4F3mTUjY^M_JvD{AcB;H
zARv+=El7ie(k0R*A>A-Yrvd`f-AGC25JQQy64DGIk_rsn`OcuX{_m}~?p-d{y)yIr
zowLv0`|SOF-$pb0aP2W!{R;>PkKGxfE$%v%BOrzm%|&0|U6DMSY4RAqq>rhNAzlB)
z4%|Lq_;n|+8=#<Ch^Qx}9JAKPLSE{>x4z2Sgx-NAc=m>6FCe!XN0?jW3EERy!`{l6
zuL8p>e#cf%lUY`Ne?4$VK>WbhIs{iC>R}adXGPDDo(ojejlsm5C&`hJCF?qqp6F|C
zc0f)rGDSzKH{>XKU9iVGW++F7=<<Yi6_EB3mn(w@jE}qV$T(Urk6TGqzNYdMfu`5K
zj}Iu-BV{!%GnOE(^?kfs3iZH)N*1bp90alUvH=*P`jqFN;#6b6Rjw%yvP0xm-0+R>
zv6*jf2KJTb2Pa*~uN73=98UHuYHUWv$4P;8NP%*FF`gdR=HgAE`U3HHl(%03rIF(*
z>yEhM=GKnci(<TP@oQ18$aXd;3dc!?Q3*FRDQxrqP5}atd5|;>t3tqEry2vzk9+m2
z=&eMXuH4^ULqkb4#}C$Eiuu-j2M$jYNLZe5O%XCG7GD6p8dDHdX<82^Kq3FWYL4{N
z_D}qvcms^^H6O@GZr#eP`SBdCb-(>^Uu<p!F5ph~_D3hj%MI*mi^x77{jm#cJ`~$j
z<@g&o(-VTQtJ=pV1OD_99vBm^Y-9^O18RS;)wk?xAY!e~wDNiUe(V`!W68#xlA8m0
z^)O-Sr>7ZWJMJ6mM+BC{_=aLlOGC+HA#DDAwn+a-Lxu*hp<-F$ZyxGz7`o?xY${RE
zwG<8tq<=~ipzL9h-&Me8FCPoR3+%~DMP`2%=9A?V!2i~x3c!#_qn{YYB3DR-ao0Qm
zZDF@P?GG)|ZxU#5-Nd7&rmnnllHlq7??(e+PPf^5rUu++bibrDA(ux?8e=gG2I|s3
zfT0BwG2(%x^8;xN(VagRx7Qe8^&+rh&I5iYt<HCm`CY{;rG7^6ah{#)e*Y8(z$-TT
zAr0rlmElmBxPx$kO_!eqp55WzZ}0f`pM1zB;C-gmI$T-7yVrvxcERU$br{kiliPO;
ze-6dftrfVt4bb9T5jkM{l{C~(pExN)2C}p_1T@s+x53lsy$J~TcVU?ZHG&@e^@^-2
zn>i3S9E?~Gk!1~bpMwoe@agZDdd7YSt3Q9X>ReT6c95~H{7K$33$sWu$2;KM-X%r*
zvkHHn+V?&(*Y?kTKLvK(!JhAt5BR(%q@Q88sJ9Mg1SNO2p9F6GsMi(>2Jd$LTByXo
z>ib|v?t;4k_%%w-N3w#?luao58RmM1Y%gZL%=wL9p-4`u=Csbic~rQpNMPT>b(=8J
z<Jr3A4{THzPA}JO8SAdI&%lBP+%JOL$hiz{4%uE>2~zq-ytHaFS9%U7XU$H%^0|L6
za2>MN>QM(P){qrU$a?kcB@OttjR@h>!PW7k?gU;|$K$-trhKJ}z1AmE#@<uB1(DoA
zdM3PgMg9616*E;Tvb&=nCh6H|x_8qdZsaKi?F%>XSKIJ*A}Vyzk$b{O<C8$^li&82
z?b6LnBCBbF-s;bkEX-~bu>AD(CCHg+h4Xv^m>Makr62dr`5d_9Ro9Pd){Y#$8Bx}~
z#?Hu9d_!HN{v_+>uWtv3T6`XBybL_&m=;9zZIuB*92Uc`JWt)28{H16S`ZVc78-$b
zvra4DE(c8cTu-6BjaHh~Sb(7BTf6z)crUpovDU0?6*g~{k!2SS@c#(EP*P5>HHfu{
zH(LGhQMN_TJX6N~>%}sHatl0tHr?-DygoYPZ+LM+7;T}+?8?S-csF0kc(C$zo&5@%
z$gV<o^6_q#ZI-{K?x%23op*}`ySwbc)b}x$y)M%V4~OSPD>l#E<ZZ_=z~x}%)9TH0
z{6q^<_g9|&f1QceZx{uecNJn0QNDu6102wRbDC4_bk7=M`WW?t3~VZb`u=k>)&LN~
zj3aAwl!QF?Z{$|K`ZN}kKeF}=^Hytg3!c$j<r3L&xgVh=?TO^kIZtNUNv(y4_1I!h
zRE^H9{ZuTWC<j%xF!GQ|805odbnccyBFeY>&pw5$jla;5SQ~o+EroOQ?5unSpEb8M
zRm&%6$+scmmJRK~Ot3gS>c9zI2q))xFyuM{9e$-4Pn>Tzt19}K{RLsb+K4zDFKtw)
zXz5F6_$8%==og{;r;^ot7upNnpMHEvaCkk4lB1Z2@^Q*VvbaFS!SM*cdnJL9L{?BK
z>`s^bf2yq~-~{KlB=R{+0>{?T)0rySYCg2_xho=gDmyNlCs&KeWm)gbQ0`!bxZBss
znr9&bJ#UK=*SHr?w;4U-1WCQmq5OnUOLYEQc1qu8IYfsy7Q<71R=p1CZHNhjGN;rU
zomcn_!nALXWN=_VrWR@U^E=09Riz{TIjq!EIU~CNG|C%2_Uqb<TrQ($q3^ob^|Lke
z<X@j}lt@|B+JE=1PQ0)xUr@L$Dw3?2_WquW<pPW=m-7`ufc~Zw+@)lX{?+DmcrkPI
zeVgpSpN~AK4pIe!Zl?*(Z?b5xzBi~`b^mG*{0(>QzFDCflkjUM0X3!|Z=OOyiyHnG
zEr1{7esv3(wf+6?94<I2H>pgKcc%%OVeaH=qLBDpt6RhaspRxkCQmPOzxYeaR{o&-
zTx$Ov^?{(RX~O#>%SE!A1uxJMy>YlSh_Sn;*N1CuKNqs4DL-^#xP&ggojm#u#e>{V
zB@@B8`)c3?xm_Nu&WkSZ8I)*jbLL^&k<}WKE(*LK9L7@+>y1%#x8Xb$avy`6RCzfw
zTkbBgo+%BcR=(Td-r{g1UA~a;Zv66`bh2SzvYv8sH2!6jua5W65FrasVTj9fxSRD)
zKKtJ>@Xw!vzkTuN?EsLb3O$GZe2w-r215Hw(tE!^7h7hb{mH48(+IyypIlrk>~M2?
zecy^M<SxZWBD&Urwa1x<+4Po0tIfNl_SQdX_8Z*tW|mG5znN}OC(bm`KUnDrXJu4;
z@KU`<%$s;kRN8dRW^)Ed<-Sx~l}6e2#%GV5Fw$F(sYKdKf+Fl!mle*S#tFUMDPxVy
zJGpXJplJ^^&hOanT_Q_c{`z@jSwSV=5cMm(UMKAf<B;NFj`e0-=wp+j^}z6yxB?;z
z*MkF_(1nDmvtHc0rOWA4;~LmfO0#!ZTJD1IaT#V9`p-s!9i0om+Dn(e_R_yP#->Co
zhVi-o>d&~M2V9kXJi2vTOnc8o>B7i~&Mnouvd?`!Iw6)l$7O9on;b7i9QTf%j3(@^
z^6syedIO9CE!6RHP$%s^qrdgUyBDkR@U?}mtn+pL)y9Tb^l~&3(d`eW6jsk?3+Zp{
zwXx>p{e=biRb*lqbYrPv<0ofuB+-xfOHm8b`?AC?NpIYKX&tk~Qu6UlY%fd4sfNEu
zFG>|mxLhLT$}>vh%HCf5c$D{=Gj<>ey)VB{najZ~A5WTGw7FxuE9}m-VW{nMRi$^<
z_u@-Fr|SY2&+kqNYr=RvUEj2L1bWne)!8+#0Gp#vkXa)L{!b$z%UMimtSJHu3Q!N(
zD5v?((y2`7C)ucCSeA>`eet8M)q%<mHLjJXJO%kVsl>y)qaBE;!YLzIe+sqX+Q(Es
zMpAj{SMb){FQadWRiit?L+fp{KNj=wU$>iXz`c-&IiW?A3cm)LI{qxQXya7EmJW@^
z<0W0eFRbu+j3kMB6H!_4?y9eR?;&^2y?$#q<Ab$poYSGC8idK9fBwkyCU6wu@ukVd
z(+9@vi#rO4Z!9T8{U1JeeL`MJ{{Gk37WnR848;B9Sh;CVb(Jr=z<dY`(mR9+n={WE
z$-a#u3JzkQvFpzreCU#nVY)|qdW2y<-?27cce==|+8MFJj-Kmp0@L%_D(h_vCA%kH
z(10tXANBrpz(DdqjX9S1%=9yZ!cAVw0<QI(V0?Ly(w2K^-MQQyFN>;hdR$|AG}r1)
z<zZEf&6cZI5KqqXpQl5?*1SSr<^Hwqv$O~yVO`e@p(myKO>tPUh~`Qu4QTJi`YyT&
zPMNUj<r^F(L6bUnHMZqQ908#wWw@I=2EX@z5A#3G`D&*-+Pv#xAk)DM{I!@zcWOI6
zS;gnN#;ZynTxRQ~K){|p)1=?%L0aXCP%+z#yD;EAI;%CE*uZqzq5;=G|JJM2&ld;V
z^Y!&WoU-%Jgj}FUf^y90*@}z)wzbp6Fqp%UkS<dYd_@CJi1Bqvixtgu>pp&PtWrP6
zl{EZLWU4g46M7N7K1Hi*7Cqw3W5SZWxx5&>u<O^c?`wPLXTB{e46~ywFGb(_96FbQ
z6Vl%QskQ03*#2bezE^9|p;#g9CsBu2^jptNGpEfnm7jenVJk$>VZ&RrGuF8o*pc~D
z4CW*zggDYETAF`lI7W(EWO{OgX@WrddGG2%!$*62F8i10$}0oD5{`>!#T}z}ZhB<g
zLI{-e;x#KFUHetpe+}g8bEv%Cd%(RDN-Ii$V#R_uvXSSPi9wZ$-f4C-U4E)c?94YI
zspwr<28x6c`l$DHN8XdY^)e~H*W|v1+!9LeT{LsEGMSyah7zQ62)WGpz_}?cH445K
zyx<s2bFUFcgRD57XbXr7Y2-t8e9mMWr@A`q#21)99p%3K^w_1G;Kb*H-T3MG*@<iX
zp{(Hb{sC>>5`x;p<H1sNtA)AKEB9rwa?J`nERMgmFS9C~oF+KcUle51Y?w$xun((_
zQICIwqA!ZMS~djtbVMghLo=@?kdDTgn8x92l8^Du@Iqg-EyXVRE{E!pfXW$zYL|}M
z;)6G0fJ>QNC<80z@iPst;SD`UAs%JpJY;95LitRD;*x;2TZC$(h=N^ZY1iV8QEY*u
zJB6O}5ZoC{YZ74O994XgO{n&Z8Z?gbnUd6V-STroBs6_1VsQpMzj$Fcm5r(FAv{}q
zm|I)X@qY0SZz=D)(zv(zE`Sn6#;gzgt;Y%(2Xj6HG0_SN1P}FnAF4^ptIl^~Nd#g?
zSgnW;z9wYp1~_zm=xWI~>AH!})*{$YPdm|Y$1Om;h~;A+qn+H`@{{nxaf)i|j?wR^
zwRou5T<A-k=H#JV8Ws}sbUKDC3TV(<C>KfB+huUu<x4xbrSoQdhWdxjY^iQc*mi`p
zmfmaq#N2xNSnNG!>q@|*o;!S{K9`v5cR!Q_P~!R#Hq}%#c^35jn6{+R60yPUhF9#n
z$*r}Hg~@p<B7Kf8D@G!~_R-%em9SX(^l3Lc3q)I$@+QN=ScpEpi6Xdz(~MxO_f*Fy
zN?P_6VK`rs2Hzp&<G`L6(L3EeQEV;w+)66p_bkCrv}LTapZ4kXx1FeP1C05+Z*)_G
zb#M>bI7xWi-H$dEUYFXZ{9C-E62rbN-roWzVui%=dc}G&sx8VaOJw+>L=$RJgUnD2
zF3=V&vu!+X*K1U=+Z$#dc&C$yy?xhuRw&kY>}zcm=N|o%DcZ)vCsR!nQ9o)^Z3Cq}
zMOJI~-GLpf9Qw|D_KlJA?SEXu-*YfomS>qtGB&iR8*kYP>aBLzG)_DU-A!(VGJ|va
zWn0`FY<CB@3mNJeOs)+j4Aae)zPz((S>>BCj2=>j-r<hAGLC-Qg^K7$Z?pLl0q2%#
zKp)sdVQIN0doa8R&!d7T0uY$o?i9}>L)c~dbzWyo*<0T_?>TDZ*fejVb-oyznPx{#
z(rA0wTFIa-6j)}`8DjWQP?jjUixfoxioPc3qfL5G*v{fExL}?v_}v0K5-5f|(_gL%
z6aVjny&ebI)JMNhh!(9yucg`&hZem&)SpD;Kq7b>pCy-}BySP(j@?*g54d<(O&Lp>
zn--O%nbvw>lwX=Dn8=VPVH5}{5V=K<@;*#wh>#yDjWQV1gb%fTn`|9=DyGz8(;V%>
zxUxV$aEo}ASQ)N2d*jh$Rt;;CbwsK8lxsi?WVuWRGP8nS?I688RTLz)gQmUwJzG1O
ziTE26p<@3ui?HU@`_s8F-uIFE?A*Fj=?~{sCG|3DlZ9?GL^tu}x8=L_B))A&d!T?y
zr9YyX1l{gE`#_J;8$R^3IkVxwP7Z0^COTDau;Cr_U%eK)368G?%1fvRe`&Yc473Tk
z(`N2Cm!zABz4HXKQla||6((ZwL-S0PoIW~+-xHOl@>qp0&n><H-}pYm7dW5ypvti#
zoh)D-I;0r%<VU1GDE=&Da}Waeb6+aP3E9aaM)k-|+hd<Jt9+xD6Nyzta?10IPRrVA
z3cXU{k@^h<^=pg>{UbdSPNA2r^03I9G>c+d584hC{b_W4(QC<@=-KV4-eAE$lF2+0
zi0+~H|4N6DCzVgt#IRl~vMGt9HCv?rib?$Ijxt=h`Q(?U2!ZV51D$y7A>KBNDM3@%
z$B#nInAXQnh~Cg*<r1%govUAbDdRPFtViP}lG&~VKhTmZ!+CCD0IkSl$_Z(A|5Ec+
zs7F86rjd3~emA;#G4;tL?ZYWK1vAXvHQHShx$;Iv(*bE4oeFvjGYju!GlFDz2`@#r
zu9VfdbClHg2vop`kZ%pBLe;3)vVf8%9*Np01P4B1Up9klxi@#9B3G|pCF72D5QelE
z$VbRMfr*j}wPGew<)%GB>#<-0;Zqk2>DuvQ#WZu$bm3c8oSExbHXg;+pJR8&I#1A&
ziqLXTthj8<tr3)h&-2n`(q{y+O@AcWMc@L66J&JwOU;G6sf312=tt{aVuH~f{K!YO
z2OB?Q#lBHxfF;%`Eg4b_%wZ<_nq18-y4#n!)9@Z{Q&)MeZjvs8-&-e{P2Yn(EsS@@
z^F$E6{QR1j5#iCk;&_eI56DfFMP1R!rz~b&GMyh%Ef@#%Cbz%GF9pGq+^9t@*G+K{
zxh1H%Y0+*qzW#`sZ@ubTQ3cRc3p0@xz}4Vllfp>GNGcBH{!+u4DED}n#Bdm5%-^*!
zX@ih&`NS#Op)wX@Z5Gcf^)Q)@sbbIbEG&K;HTSM4D(In7%7BH7dgL-P2DG3!fL4-j
zvnP3TbMsGl4U2ZQdDaI4M<%+h5MOCQ5<(6_zlXO;$Sed>uVC?kNxt2LQM8}p8cTf5
zw^?29iJO|JvObsZ_a;K!-MGym4i)Z4sT@Oj-#^sP5`*(#D0Yl4I<=Nz>h5^Wcz+ts
zL&TydPd!R@{Nyv}9uGqe!;h~^Uz#0S$7aEvR(5b(3L$phuuRp2KKKfTSO!(cloUAv
z^5{YhqS(<-@)I7Mo}#j;u9N!GblhgB^ZWKY-htLK*ZPt)VMa3)*{9kO&sx8?pnplR
zM8r{}H~Qe*j40D{zL#L9JAw7E^g{)~FY|N@MpCivdapLk_6%JtT2l4E7jPM&i=-kM
z*`CVS-Lp!y@lJE9an>e3A{;+VtLo$6M|&YRM$ROrN{gWz?=cnGujSYV$-#NGh8xNc
zJnexIvVEl{Mb@@k!$5rrH6Z{C28a$XK`$H#o6`UdlOTW$!~-3LygF{f#&8b$D9A=6
z<;Lnb7Uu%xL!!Bc`PD02Qy0<1SpWpRFqNJ`OI39dsy5lc%=OgPAr9vb9g9+bWQ=uv
z$)z4;)UK7yRDrZ$y^LDFPm##!Fg@vU%eYAb@ni%42kAkZ7)SM#R8+>5(PPOmXnSwG
z)}%Pa;}XbhIw+Ay53zl_^lj6tMpQ&&GcDXmwQ$`<QTA{Udz**Ii049>d|7R~gl4`A
z?%m3TQ0W!5pz?Doac!FvZ|b8t>Zb*(*2mJ;jpv&6M8?>Bs3Ac+95B~;LcgX69hHp=
zYvTECwf;sTj$EuXPdiNBGk11aCs~;&icu>4Fof{r_?oRo<<hH!Vdzu2D4P~8k)#j5
zb_hd?Qr&7Z-$E|3KBkw)RpFOyj@tqNdgu|0s5((ARD|7%wax|j#-r~(P-(PTd0@G|
z-v&VI9th;*2Bv)suCp2`Am~rWbuI`%T^V3@qe69+!E@bTb0e4!mXPpWd+?}QGXYtB
zYI{1j)S|tt5!MdpRp{xA$;fSVFFqHPwf^GOZHhxcYemcUXbFKM)}I}kf)|X>`AA8i
ztkk4ZxCy&``&!$ZVcWzwd5+1p2dRr+MeDQF`-`}5%au)W$=1hdz=<uGNp&?JIQD#Q
zA$^2xE?_qhe^4@dyrmC2=Mkqva1ka|eN60nG1jrbqMesvZN*c@XiW6#K%}h8#W0-W
zJAfK(Jp|4w{Wg2i2e19r+k|w|zGegI*FI8!ZvS+P4>f2jRlxCBB7Iq~>*O5kiVQR=
zO$|yJTV0mim)HO5LHw@XhDjsWNX0ZS4K=`Wi@E;luLlGT_YI#G=oPJWwz(`lJz7ux
zs~~sPlesAgen;%nBZW7h^UqO$nGp@63xb{Syyk22cGuO=Z^6L2`g?!s!@z|gQ~P^l
z`{TiYqXQJQ?g1^fMqzcId-K6xv3@@x=JyGVy3(+_2L1mfW9mwQUwx4?Gon;y|6@x<
z(Ewne?-JQ3EZS?d2;f}{T1G+B)xh)ZX88Nde*Xa4RdZ5<Wd@>qh$)Tp-C?E688^GR
zV@Jz$xmLaC&wA(XwmE!`I#~94lj0#R|Ndp6bl=m6n1k1WW60}xc;xjKb}dL=o3-FA
zyd2V-GrxcNiFA|uJMgM^y%p2{vo=?7lb1~Uqmd?)GMuLHo`J8>VT~}pWF?Ggdj8`5
z(;uI&1I)w?Ks5A^h`1&36pfdl99n8^85sBPhX6k}rUU=*B*FLBLs;u2?@wob)?1AD
z(TkdmuQ@G83vU~~1$+i60Bi^Hd|D4R%TadB2u8uAp-%vwF_Mw+P|M$_<K0Vu>jwQ{
z?ef6lo;W}oMGgc4{m|<``He6q9H8r2vRn~xo?8(pL7UQOV`FjmPmOf0Za4qb+B!iq
zz^rv5xpJMZs-F(=)qs00mY@Fjvs9ZCSdN#5Q}R19`7!uggGQTWr=#Ewkmpt|(-)3=
z0f)KTfllnrmh%IO8zc{d0XF5nda)+SFU=ShfTZsNL^$O_HD<L^U4BgqMs^@k+V%N<
z>kq+b-x`;t?&b-Se^n8Xsl5ZT)4%~;e%z^jGU+?K94nOQ%Q}P<BqI}WE=V>7efM(v
zAL0*npf>@HMQuotZXalzaR5O)BzyxoN(_j*OXL_Slu`=26C<a00cky?x@f9^%MH+x
z)3}Tm0m$$$Fn>xF?zRPY>KrU7VKLk5;r*KcDD(zJY2z?f+98!L^Ex<%?!o@(UHE(-
z`gP%;A?uep87qMu_!J(J81uCjuq9bIT`w=Z=m(8D!$LsIo)#QUKBwiINa&MG*w~`%
z9HN5XX}KLVqtvKDoBIXg%K&J*zJnJ%(A3e;zZMYlcMGIE3dJ-%JX13qqw$^Z%bYY%
z86#ANuVAnvZsqZZ@&hxjVRmHj{po6tN0r1n)KAwfUnx&F1ArAHB!Gpu3<xbe1<G0e
zqbk}lEXzYcI}aiq|B$>lmN@`)jg3L87RhU2Mii?aG~WQGa7geY?C-b!ZJX=&44Etv
z&R$t~kZq9@4&L>n=-~|*Qp5@UB`?@x{w4BWKyN0|Juq;KK1VU_&hE;9#t<7AR0X((
zs9^k2o+KQ=W}-M=w&5FFDU>G4!GOfNyq^6%9cR;`4S-R?=XW%b6`VOgsPhp64{-Xd
zo8X@!(p5F-H5y29m4XSoe!76-hRB;~V2=aU+y?jz7G@2>;#@zFnvg(|u7G<}{K44b
zyZUP6_%P)hX#yAM)!c>6Sz-G1I^nT3Z{ZTf33x*#9EIh7z9SL^1>EA%2?y_i?>Yr}
z;M03Lue`jxUZ8^|lGt7DV|_Z2tjn1I0elrnfD9O|ccaAzr|1o!>^_J8+B)o-k*I{0
zP78}1T$MHG=FreKMNmY3=nWFUu0l5<2NyC^f0p31i)^T6h}Qyo3_y6`2)pmK0tSqK
zyEAA}TTT_4z(cBIxB!Rgkqun!+!OTgbAb1ps4-M14Ne4Nj)^|s0fb2$X#Ky?0dk<7
z;CPJ=GzPaB`;4Y?*;}pkGN)<V#0Kf;NVVUfn<KywI&wYk&@sFWpJOJKN0r>iKAA0_
zY5m#Mn#PtfE60!7O-4O2E$xArq@Y>GpNqI7Hgoxl@m<AR6u}fUej=YcF&x1nWPIZ!
z($wsG#(Hif=H(c5-*JP5@Q-S43@&n)q-j0#>-^%2_>R)?+^X!n8aL7DX5Anj(+NxY
zsrH~q%fPL$T5ml2pVz-I{x&E|BnXOtcoGwvFA;dV06%T>eyaMN^-1m;9`(xOMaV0X
za{~KA4Q-FHxC<snNu+C<Geldt*pIPU2(a6;)}fK$Aha6b$?Ps`%{}n7qn!JSPP5Cd
zO`+t0#z~7hRfa<EgI?;4qS^u3%KSX2YY%!R&kV<3(AaU&XtxhOW*aKqp>FNU@U5(>
zIaVwyuG!sJRTw;1L;I<t>QOSXnLL-ODg&zUyV{G`6L!VjVrK<e)HoTxx6vLOY-57q
zD@Hne0kDr*3#N89R*oI&%o+fuWIYA#n|-;(AAof4H+l6G!M(#5!}`8qM775`RWKL6
zrY257-0ehXd`<5=kx=hr!h%SuNbAOrLDklkyjEv9`e=re7MTu;nMO}D$6p}^Xs@*#
z-!xCBnDFdj=ia1lDXx`nJzEeP3v6AK70WwnEokx<-{RRiv@zUtDT&BnL7}akZM=SB
zeT^gyV_p)qf#f1~#`TPC(EG0adB}nGCBoaL`bMG!<1RBdPND|7rWan_Hb&hZ)`UH3
zcMS1S)163;WYctT5%-+k6h(6gIx&TNVXn8}osEi96qzg}ap6nBUkso*KQPg0)C|1}
zf?}lLR5}x2;`w8sAzQ|M@33S_ryE>w9^1`UThIWOo>YzHsCD5N*-p@{HajD8dJA?G
zf?xg&F7tS4#az|KnLl&YGc%Cg{+IxtQ;4IoINmLumV~2%R@t4Te2H+&hALC;Ws6P5
zso&>X-z)?30cl=%xMJ&j7O^IJvCwI;52>wNGh#>f-i~E#gYGpMt%3zIPoiG4YM>%+
zpdfHign2F6Y$r&4tzF^}1v(U`rYFZ}zr4rV4XdVG>%8FVBdtUI)xzprIP@%v?fNaz
z@H0t1XwM4cwR5hehqs+9YBvRx%`xq3ix_S=DWR4^_P#Vze6Y!gJ6=v(J=ABUag%2q
zW;3-G)lWi$>hs>^MyzZ0dj=vG=T9O7fIR@9nybfT_$KSYk}TQWwn`{SeCqg+2Lj+5
z0Q8E$quRQzsjvEL#b;JOs|deR3cu$zXI!&y(YOoElU~z;y!+?Z2XGY0xt<Iu^|Z$P
z5LSMi%?&37c+&|%FePf;fn<!{fCp;Y<0G3cFRWs#f|`3?O8hy(q*<aIuseesK?nLD
za<x14rqJMH-#zsFFuwWTudQh=mVuQdoM9Ldm9X|;HSUll>dfry06&)}-@t?GOXP|=
zDSKvimuAI8;cUh&&lFb{Gn+UHLWoX~x@@Y>L!%?kruDl9o`wW<SQzp>L@H3MBp*F5
zt$SNlyAM)H8-f*25L2va0Z=IB3(F0~>ynD2S{Op>s6uYI?G%{Bc380~AAklx=tmjB
z$>ay*&Z<zoF=#Or>_g9k9%*hF*gcr<hmvY{$FWo_eu97&>e2obiWll01F_#;^%~&_
zO~NP7`V-{xP1n+n^*uD8MJIc;Y=}~k3pz4WSdq2O?d?|&9HrMjXe5)x8ar#Gq85G~
z@2`&8S<<C3aBOifKrb{!)m|B`M5S)Ih)@|(N|3krC|39qdzGAt*#Yz3BO!Pngn<H@
z(XYsrf4|uLfy>fH3ST4ZTq-+AQfx3lJ<CoMB?|K>1V$_dugl>2wxhI5Wb?z%$G|(<
zloqjit|VBi*q*eh*}__rbPmmmA8OZFzXvDL1XW4-Cab$O6&cO9Op-E9b7fwApE}H7
zd!6V_cJva*zM|=S2Wh~0yOwaK^Bn|#&tNEizn#viu>x5$0>QY}W<~BaR9ho22y_*l
zqa=a18{-xw=a*d*RG^%zZSmVk5t+$jNpjx3_y$Fh8_P;v0d+ARovbu~c7AJR@~u<W
z!fZ;wloh#;gXE}yXMwqRu+Y^#QlDaJDjw5mu9;&`rsF)l@VoId!^(SP4>t*{wLdj|
z^YXsKI-F<v$TW2U(<Ccb4q#%c(nYiF-`>=mY6=}b-3`P8xEUh)+Ap`q<zt%a5>dwE
zLj9@)!FLVNY;DD5NDAPeY3eND9_!Y~?pB9Vm`oMvGTh7E<jwpJK{VDoEY*yE&7CQ7
z70V`ok7*HTRJ})2h)1VrIS|}Mynza<S02jdj8zVkqz-Z&z)Sau0=j&Cnuq)QikhTj
z-c*LGfjcn*>PWHHm#-afusIJ;B)oYYGXXOhxVS<hY*KZL!wqzN2VV%mTN8X<9lUNU
zE?eg7wrI5ML{gV@JLyfRMtI+5TV}3FQ|g^+<>*~3W*jBa-Xpc{?rZ$RMr%M4n>x$o
zry6kemM^ljnbY~X)gi~5cI#~urT3|P_U5m-vuhV83poF}p{U#P-v8I|J>wxdEK)Y1
zPOll1c-yXrJoZ?42F+nz!})whO!uHKqaj?-ec?x_tB5y4{X8tbjvYLyO(mqIEOw!M
zD*!q@=Zt22a6IGQaPhn|$(c#VK<>QMhOs1Gi^5+Tb~1UssLqBMsJy1$|1Ojqn<-Tl
zW^FY7qGjq;%MPsAh#sFOJKlv+$IPefhG+UySg?41o8YOK)qPi0LsMa!(-P~d5<aD=
zS1eK|ddhM!9t)Q{M8Q@y<Doets~eU#7NyUyBY;S%la1eGSM`)}A2$MT8iiyWFZelh
zMi!Fxaou{JaZc63hf78{sqEujx27ZcxleK}RU6Hxd#Ru%L3!VvAd9?CDgS!x-QQW*
zge*u1)Ky7Vy*OW!;psMFeGkO8Kc4kUrQ*LSvtaI{v%k|vaZ?vcS@ixa{Pj2EOrz3N
z^XJPrlHtVI9s_C5E=3c5Oe3b4V$OZc|8HoE<%d7emf*#O0E$bI_8f(jipAC^bP*J!
zal4D+Fh{r>h1`XJZ$0dAeqywU>Ac1Ir)HKA7o*&&=;})rjh9<Hab(}?2=3fw$<}Y#
z|4Go$pAu2RsC3V=J-8sAo&99IxU|!Z4FOH%3&|L_6RWIq*mhbdb2#Z#IIA<~1TPdg
zpqk$n@uDbG`RyJbWdDvkn`W@8R@K~A?iW6X1<b<bo&fz9EcYuTBIY0czmPYuh4Iqs
zQyE`h0yGd=rO|CF5uf+Aan0>#O{dBLfm6+@gDI$((V1z=V*jIG&vQBD4$tn2#Ekg0
z(dmGN%k70{H#Hk>8k}wV{M7y>*Lb;w%F}sqGXsmDyv}QiqcnC<SkZ!1K>uJYPq!k0
z5;Or(#&3^bDfIjd_O;H4V}(XLFmzoH&WXXHdAfP+fOp(hE3PD;b}uIwRNtx{lRh`C
zXunExBT#`{7_^jBM)~Wn(vW*Prl*=LpO2?XNH==shjV)gDd1QB-tgCe?*QWn)TYzx
zPZwp9c>%y%XVphaVV26b0MJ3L1afLDl4m{pZZCvrVLOzx?r@J;z)K6YPcB|;%vM+}
z&C_D|K@$B^TVhmVlhxxBHmyQB!@X`5HArfA2`4T^=C6@ovi)8fd5@qO0v~3lri-r6
zcZFp^6J&L?q8U4i(_nE}k4P2#a?`Lrwt3MI1v>nN1vp*U>(i0l5Pp3kA71t(sx5IM
zr=q1=kfS`~M635L)l4L<zOD&kjA%f=Np+Xx2jf!r9BL$@?)I}VRUcj%`D3@2u+7^U
z)_OJk<J}obeGC6W4s}xN=B3$JjTn3_P>E{(08LY0rg4g*J-a^s@lEwzfg*=@Vbezg
z4*OMM+?7i0hR4)Yk5KA;euf8f8qZJvB#;#+q2}n$kRgkgEuaRdSRO7IRi<tQ4h40k
zxbNCKxvO-;Sy9Y3@V3RFMrbBF4+xvNE+W`?5m#ASD-sL&=3X!8^lN0>I)6T4ioJ(^
z<9tLZq)MTwVPPidR`8{bReLbuwUwv1T}8E<gP!o4IZDx3Jqw)@869#Q<q(B90tO?y
z|00G0yDQD3XtTsJyk&W3(vNV4TvxNbskCc(x#$%N>2#KJWE{>;Ts$A|y3&8s_EFI`
zJ!<kkRP5o**n)rW1nlx?3w7@ateRX`sTDj+&%A@O3n9!G&mx{r87u7ANUgkQilXNx
z*_etT8TOF^Kqocc@2PqoYP?w{=)KcY@E$&r>QgE~#k8k=4h!3emD~|gH=p$n@c$=Z
ziB#3+<9wF}t&?;bT-M~h7EBRaDGCzJ{Mci~)<hwS5}@ZK^Cx%9SEl*9g)W*MM`<q!
ziqwtwzdx(Ux1+WeaX<qT#8q~l(-p9U)`E7~RJC4Ds#lcneQfDvw%>v<zKYnXjVp}n
zwiv?S72d)Qgz!7AGc6Sje{#}1p=s60*dw_9-X9|jXhpHz<YXJnFYDbn0SFSh2vQB3
zj@X@n!B4?IiBOYZ&bJO6-}F0Ow(gZol^4n}5`RhU@xfsDMmim-c$3<{!{@GY^q?9Y
zw~bMZ9X^Y;S}e5y+REm%id_iPy81_2c*5mo;fZ0+47JBW)@T{`x1wH+pBFFa0ql*p
zM|x_w_Hpy24Kx~(M{BkpGDlJ4&U(VGM`98jjjMUzK!hIQu2veD9@nCpWZ7|YOLAep
zW6SBo+Y3YrReVXIaf>ZV{nyW`d3w_4ZzTA>PC)fcDV7ydo|-=Fg_uS`KCg{Fi8#jL
zbonxdVtm`8c77|$@K{dj<+Syx^UXp%oRs&}8alr0@9*Y94;w09r&K#>yo!dMxGZTK
z{r`%U{RQcb4$n=;u4&K(D00oJ)~*H9RTwV}W?sBLUS{>yZ_!V~Ia~#lA-9h8F;*3R
zCEM;K2ijE2+uadH=hr`4Hz1lkK2|NIH@SzqQqSJEsx;wqT7&kM!rU)WFNEw-PWug%
z#fv45D_8dgBdCl4SYy>%&_ZJIWg*7)C_cIwJS3G!hS5vW?wkB*&rnTJ?@o-<@#-a)
z3{VzxXtABjf@W-NOkH<^Af5uimfEuJt}6Z3#<_=($GLXjE<C^|uKF~~(v%*zFE`DE
zK)>1bRxOoC+sBm0+f(oL3d=0|QfLhts!4KZ>;xg&>vqH2L_Z&yQRVU4y%V^GQ(*JS
z#wQ~;N3Z8$(l`5g6SeLn37fdIa)&BH7g|LBY_m<2kAEU(RHe=J#e@A9yO#~-1ZO)6
z_XRaV&LdRdlLKszlvGOt-;%7sWqsFr)m4lCht!RaY$6JdcSYW2;dJhJ;9Q`Lw~s@r
zT9Vq}KoriXBn2gAR)cDPA?F_LzyiWn=lM#pYSCYz0O(m%H7pqzVt5B?6c=qf-W4Hn
zI_WgxX4fYhFZPx$<OMWwWa`_>vrFzDn4=%xFtQsw*rrR6T~tURL3n4BU_2jfbQ`IY
zMC&DYqs{V<f$TI&3q*Nv1x-az6;&id50ecfRb2KoT_9;DUzX$&6nkX(4@(UCRyC_H
z+4pBtH?{BC?)@am)l1>ZjcRc<aIw|<A0QVaxxXWMkQ-<`M5AB7K4tJ;jXCN=*R2Ot
z<&GP=7YVLd!vM%ts3}cia-7OPGG>yrwxf7AlFQpO^vw8axPKX=!l!o<L8Bbg6+G%E
zxz$y>q};I)Dy4yhWJObwU?~~oi?3)d|5Q&6-++=vnw%tCW@IQ69^QJ{VlwgM?1M=c
z+Mq=jex1^jL<iY!8Rlf>`^!*^a6UjE)Y0jywY@m8adN>-v%Y<|&bhuJQv99Ca-Yqx
ztf_a%*R_i-e-wnmQ648@$GZ?av#)B8KgtqhjWvt&yXdEX#BlXkhsNX&8qS;W=rcRM
z>^y_ojCg{a`5TMI=$o6gUHxH{Z+U#EJ0@HxMx@A8>DCncCu5v;=!O+-W8%1%7RP}2
zF(#7(Z>fre%lqj%7mBkky4~9ru82?QU<iXQK~(*L`PR7<7B!V)=^OxwjUZ~@aJ^El
zROp{t)A%4Ddy8sWw9}Elvd9Tt>JbtnM(acV8NiTZw_=VPjID~p{D%7b4ZbRiJgp~`
zH7vFzLM>%U;iw?|pDOQdP)t$Or={H~ooy+DHZX(}F^btm=r<~p+gcFP-*kKh4;?Ra
zIP7_z6GnZDHeX%}F6gvNvPg*8bAy|`5}^)F&67#Qhf=NE-N~3PNPcKbnUVn{eY876
z3GP;8Kdnj1#%e3Nb@9T8!zd7oSCmxOhZgrRqa}F#qbk$K<1cR&lF6(`ltaXsX)$6z
zjojKG{^$#I!BHZJg`7Xzdqz3@n@Surf>MfW5yGUQ`+0K8{YS$NG}x*6pS?%csVKo~
z^#ABp*AtuDh+*s=EvoG$j$Ie;F^^rZOY`y;gG+|2-}wX}lY>^DX!nb!X;N6F9AR+m
zH3`6fp*Nq}jb#Dg`;tL|xrQ5e*~k7zPXY_H2kvUTeMS^%En4rnFkLdWI)poknL?{C
z1Y4m?@TY8a#?GxWl}LZo45=j=yUvVglO2SvFl$&Zv}<SGZ*{pXpkJ);PnrMf*)6(w
z08tC66Ty>}t?PhmX1Dfct#^vH|M)**0KQIG9K-$mx|0vE14BSDBXMi;temkYE&`=(
zQixmKnGsb<TVrFfz4@Q|acdpMk<Vslc!`zSQ;QYt+4XQx1pqZ5qC5@_u1a0E!;QP1
zo}O)AgK-1XeWS)-{IuA@{#{M@`%k18#H8H&fhb=h@YA(G9l%UmpKTJv+UBtun**9w
zfV@i6pUS^*=^a5O%wavjQ4DBIreES~$e5MlS=jX(#efo}0}v(40pn;|DFI{WJ&@U1
zSa^0!Awr@-w6*B6WU0RXJ4yPxfz^tv)t2I2m4jiKL#2kF{LMij*!M9&8HNEN$qxoC
z-k>$*?><1c4hBnyfk8(??LXZsb&mmg6wD@m1DIa4pidqP5jYV(Saiv~A4YlOKL-C=
z7<@yS0UAc;Ghi`Ka`k{15SV{6K=T7Ri@BwGZLEfZK`AK=^n0>^43@ftRj963h0&YU
zLm+)6i*^C3_Lfr?fYw`K{*4w{cn6K1P9Q|a3C1A-(WN`|a`ElRA!-FG_p8CwAmpU$
zB8@UNLBL(pSO9}%TLyFGNaOBlf+h@Ls$zl~y~Y60ZNf&%Se*lk4gG|hw5Vxs>?iOh
zk+f1b=-Gq7;2@xqRNx?+caIxU%!Zn;R&J`tpKJWTk_m=LP{rFDjEu&_zh4aqZ7Kt9
z=jCId23NS42v8FqfOFY~9ESn4`{32Ypic!lHnf0o4MfrcES&&{_4VFQ0tgs9ruI?w
zCD1u7c%F|3sMIAnX~ES%tSB3Bmt-5jlHrhZziLN{VuA(`pqQhB22lG#S40$@3}Lm+
z6bZ1Ac0kP8UhE-44)_Js&bA2Aivmgg!;Kjgz~VAoF@jTh9IR_0<&Xfp0nBN-3zVw@
zkTZq={WTWCTY}c50Sfz+-|y>OQP2N2OhOJ?R0$cu`<TH_JNjr^4<2qM_vpk>I_AxQ
zwhm2pzZzYNHQ<=Z!g*|`$vBNW)iy)LkkeTd5;!#1YC%;L=oYdZY|Ioj2z#A80!!o%
zMm-i3LxTzKKiFnih^cg3k_F{tT*tg=z-t>#assQPGOv)6F5UP%U-6^77(p1av<j?H
z4XOu7$qqmtj{e|E{L%?<KUqsroh%rqOaOr`6l{LsNi;6gf>B<YhxeP}5|+cTcTN8}
z+<@_Q2l+a(cuG3nlx6g2vj@4~;hs|O-hjer&J5`7;qzFkEq+ZR0;`V)VX-ls9XpA8
z*np(mAxc!~<P`fOVyp!STpi=nO=@f=%Aa6E0g3YC7xvZhvIwBub-kWR9AgG(*@gca
z&S$A0sY6aW(QNkQr~7ONbO7&N_=DCEQld^VmG8j^rC#vkJu?(lc>M}@C%nONpkRUp
zd4BjJe04pD``!AgO#ke}7LwCRb;sSCd2g_FlF!;Mw5;Y>8^F6rRk}&WM7&N4imO1Y
zGEjP2yTy^EM4FeMUGbeXkHz!;e6aE4$Tm74MuOaM@vI)OtP8DSYvX12fk3V-T(9vp
zfyGdc%0Nm^S~a7iQsqugqt~gr=?ajjQnIPXEvb%iLI4$1f8cID9!MVXSWiR_^>==M
z{7j<?n9L0I)L*o+KhMg+01o}FaF!Ngck?-GN@#7zINVd>K4P}f?ZaY1Ea)v2?9M*C
zZFNp1;;EUIQv0g!PR%uSwrD{1##nT`!3>DM8eYL)Ln-+y1zOmERBhpVW+FB|3)hwY
zyDqP00FLBbY6i4dNBCa@D2#b-T51&I)Ejy^cJQVThV4Mh2w3z*Gk-%e=(PU4nE02%
zWMDYTuIcB_2&EX`U2s$6k0^Prvz#EFKkwqPFiT=!wTl~G9WxhV9fLy-G6*&oz@+Xu
zP$e)#_WR71dk%DZasV|p*Y10><yx_>;yo>A$NF}lIPjr81z@*&QDP~~6sBy6=w)-*
z2JyEUbUc=(VSw@;REMX4$PjeJvlz~k0%C|2K)-ii9?*$nTNe&A56>Rx=nQO--}d;s
zA^N)sv-JpUdOAtPW#<?6H&l1{D1s0++b-jtHi*OJzLZtk5I{wqbpG@v{ADK?MMk6L
z3XJYqER%}A5CfNTj;=jDXi%a8B)0%ypsFK+g-jf%QFX@SPM>zC{}a8gqJa>So5v{0
zoXEK&mlcHB-}%x*$8(0qz;)khfvXj4$o5Kx52j8N=&=LcQqZ^>JZ%`F=6oM~b?g2+
zpwRFkt+avdD0ff--E5(}iM4qnxeRtv<3L`X97H(Rurt`|F!7&MB9j~ZiU3Y<$>$#l
z;yN;JuY`eV!<N@dy@j1#IF3NUFIC17ul?q0{@u<5VlY7KYW(`YOiXXrMWcn64PAX#
z8NepMYT>2)=i!_IT~g5uwZerjeJ^(lG&EoDF5?1~-7w(oCj_L*N>^mIT_iK7kuSZ5
z^~zeJ1@tcVC@B6dZv+|{LLt86vM?~Z=pN7$KsDM2!oMGY@&_QCUR#7p*QZrzRv1lG
z7zY(T2Az55)e&qUG1&&3>}YsIp5yksluMO~{Sq)?Cfz!YoPI!29!0$0@dV0$FZRLt
z$^yf?v$P*?9I5hw7>^W}MmF}rM<8W=k?{{qO~!Rt|Ks6<f#c5v3J0jGy?u!wL`Z_*
z4SaBzGAD<lscZXqn$Xo2t|^YKPaT7|NgYTO{(A|LKlnbz-_o{VRAmEty}{(%3_#v7
ztSf?=#qD74*YmF#qSU~Eo`5d;XbZ9l3<fCT0(6VY{vkkef!Sf0n$%!guQH+1Y#C^{
z`yM`xpb7`x@K_E8TsQMCdM{SpI(*O+yRonB)RoW%#%gB+C=XB;ZHkWM8V9p~jYbP!
z+<Wf>fE=qyz@U*@B&e(DzlAZ?Iq^Fm-a$pa#rprg1>X^s2pZN(Y5yeXNnAD0fB(ss
z>I+8XP1idufI-MN)`8dl2KdX)>k}%bBS|@FXSyGr;?jQvs>1<D&B7;WpaP9dAb^}p
z0FZHh9c^(4^e>9mg$W=&XWQ3T$4aa;luNvriJw3Ko0+~%l7UUT8Vk6W&q$e!vgQ-n
zo>~Ae_}tZX9k^8WBzqu+qCp6hOgtYHZ2^1)lYV1ev?a(^g6gYN1Y8~fc5-&2bP5P9
zP`(I2i+-{iLCH@D<iyn+osqc!@Y6sF0kdcBLp4tDfVL+>`;mZm_my4$|KUJ~8Nfx4
zOZJCTi&6oYjEatl6g(uB@Dsxlknm6yXQ?xahE(Q4fze*Pkh~!a)jx6mW&dMds-^}+
zW|*uY7_B|IL2r(b`vC^=d;_=^c_2^-bkfCvwkwc3P)!wbQ?+@H0Ao^<L%-SqzB5vW
zdn6GA6_iN^kU70-^tsfR5ssO7lmLmo$26s7DsorAS($K9mGe85PNo=Ydjz$?3qUn5
zAxu(bLNFmJ)iezcHv^h(X`c#L*6N9@%mC|b6ud|k{_lRi1N$k6YC&khP~bSL3o@D5
zYHoJN^eF%&5RV0l${<CC^(u3l!joo6qrh-6Uiyx8=CNjC*?2v$*lG+Z)`xL&G>(hi
zejqt8`s9CE>&mdjtG-6<BcF9sh1M~Ombo;R@V2aMH0^VuI4)utNoE!DP=;7cddYxQ
z_2~ML=;@S?kCc;WB?zL~E(h#pE<HrL98%9WoDL>8y$>%+2fDiWJ<42#t-QvoTuU-m
z+{V<Nv({UcHI0c}92vtdPS(=Oj}E5nPDv2iG7$>waKvoW6bQtoAP73o7qp9PKdF`g
z|9t6x4D=6Z{iMGSgz%XyW1wP*p`hXWqF~UVpkmQcp-KvJGiu6=sHXAf291^KO#zcl
zU_dIl3$eN@il>~ITI=Ve1y-1)yD=aT3lXBTdSi27VEYBorTN*Z@n{+hQBPql+j3$8
z$2N~uuVF;0kNFw|WSnemip<Tj=wlwgq}s!>)3R^j5Hm$u<mf@9U|^U_m(-;U*(h1z
zEzMe6JxSP2{W&wAswF<`6J_PKz6w2AbNYg3*91!_PhXS|M;HQv>`%l?$G;vMyn&1q
z&5{&sj|VZdS<DD`BUJ$-OuI2}lFix1#!bA)mJA7?{A8yfI70;kiEV;^;Q{cbIsoXD
z4S66MB%TWc<~bD-P1qCrP8$GkT*(86Oybyz%!NjapHu6RWjSl*_C2`$8U$3fd5)^R
z2{7`|i1Eiz(MtXa<Q*p6(1s!DR#l6NpaPmG{)l@(WlF2grx7EuxixZ|VmSS_(&770
zBjjj*uQPJVrD@QDA-~wNyJf3^I#LEq@+HuQ83O`CK;<VoRD1Xu4q*#Yw}s6!*qPvs
zBn)`p`V+T?^(QVfv6b36(oqG|Z4ndYAf<WSoV?6dp<Dt0Z3ke~IviZb^hPq+iniK&
zhH~X#$sP^5;x(Ied!`KV(K3VYdb(NL2Csj-k^gY3=~}K*#EX$ENr_xK7PykjHeDnw
z{2n}tiegj)C5<T2H)C@JBVFWqz;E;TV=07zV!iJmAY4=fag;o%IMe9}fSG|62q=9W
zIt73lX&ApcDd$hL>oa_(7pI$3J&YNYapw7OTi~G`=e2-JvJHqgD)oWiC9+hN;`|G@
zO`j>y>VeF9W&nsnLpF<Kgn%%8CDHH*kccs&_S|}M=l;x2ArpTS1n5HRz#s_SrpC|M
zakKu;RmDTT^l19-zj7gKCA9(-&lP@kH*~0zz6=9`><=(|rYAQq7;pkI$0%ZFOeP<X
zMe(Da-5B^|?tk9L=n0Lf6il=AdEeuiw*oKQFi3?-2I7Y$et=sGQd>GN*@Juvh<D9+
z<jTgqtD_5vcqblvl&FQo4u!6NnIP_SoohvXZjv$1YXf&4+$0ERbO=h_u$vgfsF}@N
ze{18DXy=TvRrK@qH;Vt5KzAxiwjQ34#5bh42KOi|)HT$Z=_|OoHRi_}d&rJ9Ehk$!
z3Mq2k#JBK?c^Up|{I_jcpLV(9G58w%Ao$k-!1on<h(!bM@Hav+HgRE6Tipa;F|@=N
z{qnYxl^wZ@Ltj-9gVadd42@uXjC%H<{xD(m$v;P5j7A>=A2BZ_&<Wuq?j$q!$4#(2
zrMR+X!;Ma7BYBjTcbv*^|7{6k?+C@Jaej3=G2Q&td7KI<MA#{>;r5m)J<imT#-7u-
zH^Y~Q`!E0EhjHK6Ji(A+-c^9|#(DG&vlg|f?^iox?@nKJAcxYjBlphxzwe|D9!h+b
zn(~H3gM&!E*Hlfu*2kDKFvth<$bBAE397-dI9^Q&PV?Vc$y{fcr{c(;AZRT!>WYp+
zI<!AKOcU9Q{G5i<Kc7=_?&b3B<3TI>tvb;lqRn)#11$<pqd?f}9P7!-F%Xv4Mn1+U
zv4jk>GWp>3+RjIsG1NanY3ao+48#8CLs9%jzzdNM39l%V4TbOWBlb=O?dMwMI|Q*I
zK=Zf;BuEqdE2+jAUI$4o2>57&^DjbyA8brM?@e4m8g}sWLxeVndkT#af*X7k!tT`z
zCA?tJM+%=q_Bj|@3<0z5_)%Se*b@Y(olo(M>l(8+ZutY%vXPCJOK%EM@5a6~!ErEi
zVNsu5x32sglrYA?DESmopXSkGtzoeLufU1h`9<$6r-l}F_CRH&ukqiDg5uXs3pPaa
z^oIv8<qfY7y}9qNe|@OL7H$(idGU&P6GTBHFttFMDDn|Gwkwz<-{f_QsIBL%ohIYE
zdI^x<jMX_9!*+UE(r5|`x<G)2gGsk0AZ}NMvNd#fhEtf)%f^-i9d~%T_lbqoP)^8Q
zFs2l;`tdR}Hn!k_iXuTI;Q^@YyacleDnO{2nl#I>K@Q8^|25nNF5$*NGpz<dN@3&X
zKj`s$%GzLDukil01E^T-G2jddS#%AO1htX1$+u>y4cqSJ+}7%U=yP$#R>)#3I3IkU
z%S#wFA&ECPZdgaBMlQe8>s^${vvl)XFa(@MH7B?)k@ItijUZ&b94SPGZA~}}9%TiL
zUUigJi8s$T1IsS%alDj}7FlRU>@wcy=2Y}N|Ggg4=`1Ii!9jtk7{G)fzzMKC&kG|u
zMow>WB_RvD>nH7fTTm|Se}XJGsw6COgDt2n(l&L#g2-ZpNDU7rbwVlg`g!tNo<d4$
zF38k0f#h{+D-?pzh8@m&q%kpaDwcryghlp@>vu0R#x&>XrUSSY+q`YZyUUPr!t+?$
zB59%X)C%S$fMEnxMe>O2GBnW!*Z3b>OCV3V*hB0^+hwVTX1$tMCk$T^gr6VNwerJ^
z5)H(8Y1pWi@QyB4+7K2(gaBmyCq_e9wjNNh*Au8z)nidBh-Bz=i-LfX7Zh9^?y6T8
z>C~3W<-X7pRN6xhSD`2Zg{5s&-#FcSV4EB}m;%KA<y$~}eunamEk~y}izA0(#R)!5
zwf5(wP3hs_Zt*q5QAy-DhgGYx{mvtEL)U4CAmn74+^(mD2vE{mZs*t2{|4j}Q$Q`x
z0?=0yVA4X`udyX}indC_lCECx?+~?32M(nYoU^(ki{mW^kv-FBHH*v6C@&b=YfyCx
zsw5@KS>nwn3`Y5xXZ+DK#gZ_fj;{?A`6(4c>_F;Rlb`P1EA{;sWD@+ZVMW2d874tc
z1hkrh+Q8#)QVC6fIV1_eI_;_1G~iXU$=;Rz*Ja%xLVCsJ|9Hi|k3g>J5Dt#yv=kw@
z0#z9JoR1>MtpmruTR;2?gfzzll~@*y{uyyO98tg2lNU$W<!FEVFQhA@Apt(j=n1DU
zCm%5;itu}e=Qch8+IGs2g`cvCH+)gNZ=*QN|9jPGu(4_2Z=9d=6Tfv{@Kh8WJ$PKO
zk7+udPcg`v1L9GnE#>grzn2Y|h(Cc?wOl#ww%}d7H{LRDsto>kbX&frXsuIvUxQ<M
zDbfEv6AQ4Sd;7QW-T-HxF|1f~j%(TUWODx(rZWyR2r@sNpjCfi0dgq1s_*^VCmVwI
zA+(k_Q)CR5_yH<eHa_S33AZ0=aukZ6dXH5DQN>~0f@hQtfk5~C`@nsf8OGpqTtahX
zjIoU@u1Grt?=Wo^cJ1F!l!N9MdmDkA0uJuD!sZbaJeDQ^p<V$l&h-@cl=yyN2yQm+
zu78LSaXbe)jHV#<%)blF?ci5_23&?QE%x9H6xT|?2!o`Puk0;nM#w?uAHg~BC<a!u
zaSZkzc461FAFt=oaa-kBr#h$&Fpc_=uJZBh>kq<Ue1yv6jsVb9{5;m;<C7xd)qwO9
zlXn*EZ+V?<cOhN54shu<-I4c#oWUUSYN9=mW>Y+eg$QU?pQaS7Z3&hkW1?P*?oU!h
zw4)b%hv8cPHgKA6SUJV!j4DV?HRQZ-*pIgq>)@K`IzI{2lWf2pS{<+kSPYsQPfuf%
zL@G!PJij3i^ob9UGXtJCpQ<_mDfvjWz2^<azT9%RTkMWf2j>6i+Xg6OLvh&ZS|{E2
zM>P-t^!*;ro-IsVs$J8o$iGBft6oAcXww-+egLN0Pk<5Y*5Fb)(2pPFwS2nSQVTAn
zI)DjK;<me-^bX?gfUFVJq!a{5!CFEZ@LG0nT$#p~H{L(!d=1_>eNW`Mx^(=NRfdc8
zhC<9z9o~8YS8Hp43>a(RBDlXkIV?5emYwDe5}910MKJ8dFh30fzjyjG1cH0#Q91a!
zyF1O<Tf`QJ8JA~WQkyd69!qf=#WqvW$sKHv-G@Zp5;@8|2Q%*>;J?Gcq@W>57`RmT
zg4rAhjBZf>hk3s{i=jCLZ^ZXfiFOg(s$PMzcHInQ%7%>x0^sQf-S;Dqv3#NZtH(zD
z|0(Uu<Dp*Pza<rQDqBgCC1R8jg^;BpTQl}0jIx#N!q`bEp@f8D$ef1kVXR{*N{b>p
zV=Ku%RMu=g*N4;h@cli{@1N)VbI$9W(|nfub6?l>UatFkBfu!~6RYDF7K>Ew;jz9W
zq_}P>yUIxzXTgE;EJ^(Z2iJYfshBkx>n<%&?-++;4HqfETsS#z=Rn`JjT3cNUkX{8
zcXP_(7p9cv?X5k309Lwxe9Q5m_4_d%_V03)ZJLiG>rj&4Pjw2+T)>58Da$c=uy(XS
zM~d|of`?)1A}tiJkxm2nZ^9FLBdl#oS&r1^)LY)kbP<xs`=Uu@S#~EdQb))P?vq{#
z6-pXrI4h|_m7ndfn!O*mRFj<vlL(~j+m6m9>DunG@#^!R>jYwn;Dv8BFzQTjuDl9N
zI<zgOl1OhfN?P{Wv3?g=Nx$l-QAKOdO)fBn#sJeY_jE2ztAjZ<=kI3&@bj(zN*bCz
z9)<73KMD>w7OgncHUOx|bj+gr74P+ng0%|AcC6pF!31RSllBSZy|d4d7CNm##4X@U
zeC$WRhT=K7`zI)qc%92hwnG(Se9kLNzd9@3`I=I`-;?fr4kN@mflDATqF69fk+wo9
zSQbYZazx4Go2%X-b}|Lq=nBWYJ_l@6`t}r)SD8C<{A#LN2|&eIv5OP0)V2I#I)3%~
zPIjK%EkBTiD|RA;N6Y<udkAMuWT*!6j$&K-!NjK#X^+Y2eKMFX4$P7xqzM)Bj>Tfk
z-l_Wo4W)(CPsRt^eD+C;Gk!J-&D;H91Jtt+x^8=AkpGJSHod;vCJr~)q#`KmP3!?7
zrI|P+Ku*6{I|vZEB*}a55xE#XJg-cMHIHqDq8y;Z#mSG!3@QNUB0u4#l;>~|AvzyJ
z{}laFTfhwHEP`#?4wOW}m`aVej+5KqhrAtP<)2`PhJ|O3NBe1F4`s5_9(cMuC<@AC
z-Ocr0Sq9N>k-)*I+2xqMgt)x3K8+KwYtl5iV&4ikHdFFq)hG_78o~#|kjJ|7zdcqE
z>&Z)(y{}2#jNza)wUagPH?h&m!-Zj%kM-uQf4NA%7jY~ALUCKvoM|(*_zj#R_{m)_
zn+o)<lgDUFs1L^>?(GIuSo#zrX{{L=`zE1AEProyaqsA8i+Z=-PTAIq2QQ2PjC07R
z`FNU8lod&BqchV{cppqd70?|yy?vm^5stwbyS{9CDs7_X<sB;2kt?Czz)isXE-HzG
zhOSz=cBPAr1rm!9hfRnrM`1$nV368MqUjE%_fAgPA+BsU=>i_^TYPbJePPUu{|_{O
z@SH?-)QmmqTHOL?W|~buLSNSYSPYC}SvVIzPMNPU2bL-)pci_b%zC6rNg1=ICq$c4
zv?Yh#Ychk;xSSMOH&%W@>eb$~<bX0?t^Qu%3UN3&QcK3|9w;2U%Uj5oL+{#+sK{j-
zu=tj#7*!`LV@UhP_L?)@(8zw+13VoS64aLkI79fuPv9;`B$~tVVM;N=B6(o9D*Jw>
zpO1(;aga5qGHOYt*pMxzr`u%r*TY*O`-;y7UHF55Rx5~c23<pPSBdN2nF*=kg6=Ps
zYl{MweK-t;;KeP&1gWPz2ar~uvKH+gyM=YoeF1^)`EX`uTc|nkTM_T$mJVzeOj6g^
z*Q4f+)_4qmdRcp)XHr>}v@Bw$jnQ!{d%_Ro<b)@wN#q)Ks%fcZ>+XZ&O?J?`HQ^L)
zfGLL(OT@9)TtB%3hNktkzSm<@#aX(RXr5|Otxj}mof+MVjX(C1>8@Q^_k+*RYE{^E
zO4V&;7k><O8=u$4yIG0eeRLAC|Eta&m+9BRfuLh-Y8M*OdlOP)8VVW|x&)4)GDMR;
zPNrx#I>WKU&w&oPA}dcS9gXdTp+{Hj7a)F1hq{;9p7q$&TnqtPCJH0DEU;B%K`YnB
z0qQi@^a9QVUHrrSnZoC0)JcP$fe&t}uNENr<6L8a-ve%4S^tLV=<|31Qf&?klYOv{
z)bh!zSS_U5dQWLgGzB7%*VhP2h1w$59MiY_m#e_ntoGgaO>8f6>3iuuY)JCzfaPzw
zA1aV#7y0Q3NtF+GVc@D}3DPS*5WzPQWf!ut`UA|A!+LW7O@D3*MQ<!amEjv^VG+E%
zZP%^PQn9?p27ijVtfgRA)(7y}$1hfAZTRe^;Ez~z<^4_;`v;q(QCGGi6vl%4=CWHc
zP+>ORv!brQjM_2yBTPkn0ckZUpTyE#W;Oq*0C%PtN!V90d_Pk4ba>mk723pTt%4wd
zm6!h@f%KxP)7jF|tK~85FeGc^2clFLy5-AAvVfl+j`|rZuCEh#Ki{V#5)`pa?crxF
zsvXtO3&pGw6^A-|iX0QT-9CsT-}Dh+_|MP9zl@Gk5~$MXeOMrYq?>f*&(|M)QzvaH
zFkH<(jMo7?(tWbBh(2p^RQT}3zCU*Zg*tWV*Hkv-iq#|t`wro(>Rn^eI6F|`3NT5h
zI-SaYoSR#LOxfdmUt!@H0%MlT!9743%b_@c;LrvqqC)){!$yDgohD#0!O8a*I5#{B
zvnIU0yr-OR@_=(;!PBMcu9oxyl;c<G-OqGE&dma+1VRLKMsUkzf%GF~`-!)C5kbpv
z!hF|-D+C*uLFSSx|7+kuk;j;!-cxfJKspXQFw|-$oseOArg;3Pb?D4*z4KzZGhp=N
z@izSWHKz-5VN=`Rh}Jq--CRQp`=D?rX!EuheAIqX;iyB=J<}t3z<FI`xh7UI9gXw;
z_Rz4x2OJdH36jpe-J$p$9B8szz04c3GXh9K6zByqyq`FMsOHU{F+>_tH6rnbZOZl?
z0!IahGA``d_zLXl)eligR6bN|8<+hXt?3_s-T|jQ6=6+)WUzuUqn_1?c0IJds=iP>
zEUmhxFI4sE1SsE&;Dmi&C~J4Q7DLJ3c{Pm?JM8p!DId9<jhpeo^^6rAgYI2eaW(10
zvleR7^+V(}2qi$_RG~nIG=X!h9Y7zMg?fVuWQGGISS;DJ;PO3~eAK8y-6Lk+O{&&t
zS^Ru+w;AqKA&e32gk`{q&{$Ltd}-zy-YbRhEDmE9mFqXjb){o~bZ&e}vdTQL-R<tN
zlx=FOyCiCS1s2K>+T4W5DDK(Gs^3M((Z)y>4<%<Cj95F-2xkZf<kS=Fx^a-uCpbg#
z8KHAuLU>YJ%bQj9`p5&v!9=@x9=*uG|I1)jbx?hMQKiKDa5ah)ZvcP`d8Tl(^5S%}
z7U7d2bUlxOvO%$})(n{e>*L9<e;L(a<Mf67i@@FERO~x5YI8_6!d;OE!AS3q<Qjv~
z#LtJmr&{gB{foC;aUVE0Fq(J7fZLe=8SzMR*Ddk0k0LjdkO*R4g)esQo8X^lS(v4b
z*|lOIwl7bF;=|rA0?&ovFl0xY&GS|*%(P#01kjMP%N!1;Wo;UY*B@t`pULdFU@frm
zxj0vWt<i?(3XuQ%o&m)=BNrDXoF?mW_V!<{EFO@yWYx$IE*WJRi(j;AM3pizd~0}z
zdAO1JoLPNM4I6&$oRud~zfyKB!jz?-b(r+$=6e1VVDyXu3znKyrv(c67TYd~bY6I_
zu<_m&VXgBU(4T~4*tdo$w%_{`LkG(?TkvW_ng3*7d_9E~^pp=F5wi#WArb%KL~+SZ
zO2v_^FLKY6xt`xZ8#A4Q0Qyqu)uj7L_65N`^#N-^OPKOyTH`V;jxOL^9Q*RdJ)XrF
ze1?qhg8uVgLVyUlUXvr(x=TH(P0n}LVXPzX?`#|;R!fPINtxQmj7HU=wjojfaMwy+
z(oG<8y%;ub*&XyL%rx>RAc8ufTD9GM>bp{EKQ4ninm^kUSdv*-M^iu^mS2SKeu;ar
z>3H4O;;Ao-D%8G2Q?)FX8wh8?7OqebDhV}8n=<F_^`B6>I`0WkhiLm@T3nGP=WB|-
zoPdhSB&2IcaN*3pV$(8)?qOPCyLkZ&#xTw`uQ*?fi{O&32L;C-frBtz&lFCd&sM#E
z@NhlEWU@ug?F%3=>Q3oJ(Pc)EtC)_xj>qyLOo(*q_kBmdK*`QjEO?%A{avI8Fz;`~
zx>wjzrk~3HK(D^51O@pbut`b5;Vt&fsrQgz09E_Az&P&OJHgav<!%k~?GXwKwqwm{
z_dh;5{^s^BZab(iJaZfSwRoFWY6H)e+KaDV*7K@_&nGBfo_NwNt`8JyyXcwtsHiec
zjK^3@d0+FP`tic)$*L1sDY(8XPS?i6?i&D<OXZ*elWYkS2A{(~&K~dsO`Z!JB6uD^
zY%~-`%JGI%&23p1te~DFgZO6*3BduZTy6O_nmh$5npwyq8+YySDPJuho_Jd+dcqo)
z*2Oh$U}r=a`q5BB4^J1Y2&?FQTwJ`d1AQ{Ms<-aJ&?id^Wvb0Y#)t|9P$2@pvZ3o<
z3R<k|5~OoA{g)v=W<hW?e17S)eNWj8-{yPVa&5An6Nw_pw}MTsWN<I65?5^RJLAuP
zfQyT(zQ4ZVMX1xeve3%AE($(}I}oV%u2Ln6HIC%HIamPJfR7%eR2)|(ex#+wQd5lT
z*i+UTAwO$OSs2aC1|%D+7#QF?^-&r}hVVV+0H!u15ifp=yND!Erw`D}U$);1k#fkA
z<;go3{^%kJJJ2<eOv-ds8c#l65?OycjN(CNduRe}>JC%H5kyopeOmXnB|QJ@Y{&1Y
zP<P?;V$}3N5EIA4#VVge5-NRL2JQ15>1j!$3>2u_Pr70~CgEgkC+IVWp%ITuTRMSc
z3hAh*k(+^Xu=k;j!qn<wSa&J5xg7(A>i+*wsEm~5w6dBR-1u9(cf@=jy5~`%k_Jh$
z$>(?&o>dOcGaupKBX~XIGA?8nceiMs9T+1DVb(+H7Z@Dz9OOB%y$ZGaI(b1!DiF6m
zqsY3d?0iaiIdBb>o%iBrwywM4TdAPUm+`h&^Bi`+xf#TIC*79AJ`cTLA|0<5MmBHF
zp^T&^IDi&fDLz3htizoHE=uNz4l#IgXn3D5eblV<?B1K)YoEF?)wsbCf}RuGWxw@t
z^6A!~cx3m$HuqA?F7>iFUwBs6aBLYeZ{j5|5h=h)2Il2ObaLVX*A?F|U*3C`w0~$`
z`}OvKTf6_e;AUoPtj{#%2-oizM~lE#y^!q*vI;h<`869XejQpjX-6d8$^oAF^jaAO
z{k$6&zieK=x`=Q#U`*C?CzyO<!ND_X6wcIEch;OZ_orfx_lqh$rv(C75~tS2i-)kj
zjj|mYx^c(rv=%%-Mz*whK#VYct%QLn_qriob%Oat?zNC3e{Y~>TN$lQAupwIsqa4U
z>7#(F(<8In(RLwE^-Y}<<&V0!t;O`>@rkbDhVAUa%q2YHL6;Z@VlQqf*q^ojm+0tE
zv%D>`je`+5ajacWPTzbo7!cV5L6h{}M{g#7RKN4$<k<r)K5jJ=up6=<fEB?w3?TGB
zo$k|1_WK!H=+M~&y5+!1<JUJlfn=Zy#hWKT0Ug_e1TzTdT*Wd%uL5nBwD_f$-dB0}
zY`prrGrXom!f1y&^14HtbZL<>c4HWJ#qjo1Yj44+<D&+7asKOlT7Dh60A@*a0PJ;`
z?5)7RN2OV#R<|!O;hbXaHQ2ux2X0?{eaYmnO&cIX@Li=AB96Z`PqRT5);GPVH_|`n
z+NqwkRQYZqQO0fjp^<ss-x0F!Q_nxL1az4pzdYS+SZHT}=xUCAl|2h{lasTHuqE>W
z=5>OY_LZN8$Y||Gjn|-7$ji(rd*2j}2T8FU5z_FJ6?0UOx3l1=h$1ki2#w0mf4*r5
z$E?f&|F#UgkaPRRC~qGm%}52V_+<j=1@lZl0LrsL_-0LX=_`bF9ei48Qd1{Z1uCF5
z-EXMU9{!FRUaui;VtgvGss|}-z+7s0!Inb%_Ig>5QENnb0|Q1kpnrRWdPbBHIHJR{
zL4Gc=%V4<@R4lMqCbQA%Wyg*Ry-m-3bzG$lGP;y#6E^C-4^m7TrkvRV_QppDQb*XK
zH{70y@(aU%W3wLIgPF)3=DsvZ)906h2rku3c;JaCa|_cWUzJP2NhP~Ur{S4HP?Jk*
zz2a{_%J=FWY$77mAywX%9;i8=al9E=pEl@%N?7igko80<O6cS}*OfyA_A^9>DuL*B
zxcOSXnWi?sssJU)b`Dq|6F8oOFuck@s<c4n7S?QZg1m)qRN?3Zw<_TUQha6VlHT(X
z3Cb@)7b_FLf9mJk6MS0yPm&N~6&zykR={3m3a)J$ykjzw`DQYW^N5QIXb|G=aUQS5
zp8BCI_x0{^Gv%bpOjt|Di~chYTfxL_<A-9|yZ>D-t3||zP4vw3f%NGnr#QC#iGnaP
zi^xi2m6ViXfBHy(f!D>D{&eVpsBsOlo?T|Jm?ZSm{`^(|lWNKs%Yc(YWQ0r|pivN(
z8J%rN>kk*h)0;yA+RZ|PSbqhIXfinJxL>`Y+^P2c0g1xJlE6P<Qtaf<SO*4Y*&waz
zUjMnCA%6NjDRHi5-N)t-b*nph)837xoHZ}=L)$o8>Dt3JTc2-bRC;j~0ctn^27+mf
za)r*7ziNRpx{NUVn)a=t&%wOyIaz4iSPgT5z{oSgNy^Va^*h3_AME!jH1T_rl|f(*
z45BJ>?o+6PDI;Jte%b5wb!S{erWysD`Eoj1MI53g15Fm-OX(+$gzXg_t-T0}pJtu`
z_o?NtVZ@&TRMcpFW@$+B>-zw<!}`uY-za#(0d~%f*ewkn_7421wYR-D$ICJBMs^Sh
zO-4WnIdPb|1ZA2E{cwcQMp&}m&Qh?kQhct#*Ixt%j8u3s=`?mKlyzOe_u7K<R$Qgd
zhMlI*HrZiy-y=@F+ofh_Tc(j%`y9M`Ey^8B@S^8nlZYeWe){%GrnM45IH;XQGv9&m
zbppl0GtR_o<T>k<fJ9TjCe+fE<#}7z#hV~&!Oy1TLy}S#aMwLf^Lni<yhzhTtf^C8
z^{pLUKnCCjx;4cr2Kc`sNLSBp3_@%77`SZno3#|>F=YEsPl6~t1{mo&JO}|e=9C2w
zP?ufe&MpD$nurd&lI-8ssnfh=uMbAYH;fEHHsPVLPBl(S-0S-#j&IVQ6K1P&W9^6s
z>6;IxxC<uZcB>2`g=F-_*MaAZgV)IfbPUyM@Dz6`wTXO@)(kgTW%xV6ZquUQ`g{@I
z2;o>7SuZ!ewg=SsY_K;>^oQKVpz>L}VVDi8>l=1Vnk*gyzu&9M(I??Y+&OQ(lJ8XO
zW1sQtax8wN>wNWx5U8B}iieJFjQbXd%36!Fs#iaIU2|-u_~GjI@FC)i`P+a5u+%6v
zz?@?8DZ3ZDHxL2EE61z(H=>Ah^dT&?T@P9H8?Ym08o!8$8Rd>(&=chdHM{{E_6AbP
zSeAC1aoLYFk)*6@|FQ?&j4HUV^zz-H-3Xr&v}=9I&V2nk4}Ik!8Z&L_^V8k%fpH@X
zce?ZAu0u&oy8&sySc9rZtWyVyxUK$$=e!1t^LuIfxuFSGdap%|g&6uZd0|5dQ+|-b
z3%!7u>&G1MU0*GzA-egy(%h`=^eOzzF>hI7dbAyPJ-GK6*fB|ogMZ@3n)ofjhkQx$
zdw+whb1hs6f*+8V;fMa8>?|{_y7J}+9(r}9wVP0XZgZ4x2mSn>iH!;I)eT@VjtWa`
zg~vSf&ttM2J&5&!N~_wLg>C)k0Ye4h3AgS#FueB!AV2M+M`eWG?es(*L1gtw$Gxt>
zb4L3H))dIDB=eo}eSQ8v5nXAJ!7m&So^)v@Pk>!F1z`z;;#nCr1{mKvo&O?kTn%O$
zRwvDP=JjiPMjgJ#n6BEVe353z_jn^e!Hn|8P6E*Ecc%4KAfjo*?@Po&^&;n@G_v<y
z>&pDs-9UUjFo2r!`z=RMu_8|WR0EfW+GjTl_&_+259G;sZTJ!V4ZiCax72WFZde{E
zdL57jxuo1BY2YMa-o6V`V=)`{<d?`&P=z}#*C$?u32$T|S-OCU&jv(*2U)fYBi&;S
zhE~@G_9KQLW_~<wTZZ6r0S^0W?oAfAx=jGp@2Wo<d?0{l3VVFUvbS|Y!Jkp+*fkqj
z`WL6fD_}P4K_|#Fukd-)6xoUx*ANL2nZd@M1sUYpnYAUAv3Ok&3bmxhlDy^Z^>@y=
zIp~=(<#}u2lrjZ^6lGX4m)rFf3qlW3Cd$Sf;9h2Hxtxt*Gtl~euN324UT&F1bSv*6
z0^(J1gp^w82wtxw-w7Gt;gpc`Ut>j0+bTdaoJ7#LUnm}&!o^_R=NaH&-62^F8C6z}
zbwbLa;}UoiilC(F0=0;1tD<ED^IMj+*F4C$clU3_pjV>#_b+~Vy8d>Ns##f(`tDLZ
zk#?%l2~2(4Lh&Xc!FeE^cLL8&gGi@kg<_dNXe~(2-Jv%ZZi&*-?K`Tjd|Lk+i0~0?
zKU-q<o28!T90Pr{2jH_#I396<`2Tz-6f&M5okN@lZFZ<PE*@A59up)S<Tc#g6cl`T
zZQlj={&hIc3O@M=7Ksh<koSp%$2Q_oU5->+IW02c<=O*dnH+2OSQL9sn#T=Nz*=CG
zDOM1xL)PO7wM8u2G=PVABJSRP$#GbCjIST`&;ZiEbH3S1a(5@T&;3wtk`a4yuTe`<
za3iq7rN6kHoV>)4+GcfEKe#$+T$ciTclieCkNM7)pl2#_oI5qi1R?5bP5S)O%M<1R
z$fR-eyg^3`ginpcv(`zl(E#}<AaocF1X`ELxv}<!45Qp6siFWVl_|g`*MaW-)g1ak
zDv)wkWoYErbT(kkoTMaVmg1xx72zC^>KFV$#XGrWPwZX%u#Z{Ib}c+$hCg1qCIhCy
zZ~OQ*Z^SU2p=35mCQa4}$ZK(*;&iPa9z4>B^%z%}|Gb$p-yhzbcslOP@Xt_?_pgXh
zVccJr&+Pcsc5`3H*pWPFt&PJyQ$Mf-KJ9Urkv!Hh_mSY<IVudD>~@2kr^Yt(-I!6}
z$lB+0cuXNb=Qo6m?+pJP2J-h@6{^t~^ZOjM&5Tg2><I2G!16cks6c8oM97W`Q@{*q
z=175JxCark7opz?^6Tg%RNOK;*vXL_cNACVYg8&mEVuVen}8wXnLQOLaiySQxal&Y
z`<KchN(B!C)DROu*__QB2wnKA<)deBDoL=d1vH6CLHo1hnr(k7F2;DJ{@(UI$M$_V
z%j?IGFG}^UCJ-msUE}V2WTQ#cV?2f{7e<eCm3d@(jCVBRq*B-oR669RJ{-r_i58cr
z3Q$KRB`X4<o|VaKqLiGOgfmoY>gDIUPq2kOhdAPqDoLXjIr=gl?%BJD7z}{Uq1k-_
z;G&hI1!iD^nim)g4)dD~GOWhjQ#=0Gn9Hk5#O(`~Q>5_!z)B8*b=VfVY38QXa%OY}
zlF=Wv1$cJSr~ea$dMhh`4JJ%TBtTV2dHW4I2OG`(e!Px%_AMWO<=4;0eayCMJ4$NR
zzR6q9z^D>-+~vcnTU1F30n3_V-6KWK;KH=F+J6cZxTg|p3+&^IE4Yjq>#M5Lymb+H
zbIlONZ!vn76Wf2}vrUDDxW9O^Eb_D?UTS@|Ao51;|2@wNAf9ak#)K*|dg{z`;`r!-
zUTmLRWHHje_!FXBA;SB>;#nav3~}il44Ai&TO2QN1c@Bo699fnd^^sw6KdZqI0+bm
z4n{}x5SL9(A7U+v!{Hxk-fH*!1}eX`P@>BXM64jy{syR5A6q*~EzCq*C)iib#%1y6
zr1ZJ;qzx6}*YVx1Z%Q>m;uuP-@riQEs{at7J7tioS11n->Mcg}pCPz<x;=vNX_9s=
zZ!648Tr8w>VW?t><{bgLU4RFBA~AJ|*LkXLaIb%4NTO;CmWQd{x65~kFi-NQ4EaMP
ze+UU{?<NpMVP~CCl2<iW;g_|LnK}d50dBCBBOW6pP$R(<Ts~Ha%K`Z9_e{QJzkY$C
z3D9b6sZTs~jTEp7YLq-H1I3w&m7meK2c@J3ie&7QW?Exd(Sv=SP3l52l(}xV`;;#x
z#hPQWBhXb+R(H+a;$BkYoC9>v5ePMsp?4m2HXd;2yFZxXio_n}QZP};SmddM@0GH7
z&u;X$UjIO&Dvu+iP2}{=5}yPS)RT7G5LS?xj%`$3ct3|IeSk3d&?T)Vxyh#WMnrk@
z7u}F=)^=eXjiMzWw5q4t<i)ZJuD$`Ms(|HjD5NoLuiX*9-tTefg~Ed?g}~Nv(05#%
zV^iAP^rIN<R7RN|v+PNp<*4t4PCc?hRCV^|Im-pI!7{or2k6HM`u(8+VF7y0B<V5%
z)k3r&b>v1Oze-q1xQjqWy0f9^ak(VhG|3Tq0!*;$%mGuu2@16H76axkDNO`3hLcmq
zVmeoipti;UGQ2d*$Dyq*V!%l0e?DB!9ek37R{4YLX=)K(JG^AgMqiX#zTOU2^=zJl
z+h)9hO>h946*^y_@p04F7$*+LFcXOBxCPS%F6ZSeO!alAs*2H!%q91<-3-Lly7FC4
zlLdI=g-fQ9HVb@pf>11~dIAUxS?iBs`A4ARN7MVE@L;Hm21Y*7HtmG5%It`5ojqh0
zPZmEgNIllP(gSsruRXwQw4-64$Av;*F0{P-fIIJ=BVRE}_V#ZOX4O)>;((Zyp&(K%
zY)EgCiM~kMzO8K|MKN$!DJKj+k`}A;g7W#sjwb#e*NTE`6tiz;^PfRxUUQ^Jd&rUR
zSV#aD$pX~p0MVUzRl3LhLFSMLIQCVi_WARDUafxxD9}-s54}(wrp^`L+TcH4EU_)M
zx-UP=+lWOKXjru>YCi+RZ$k{6R(at{C%9c55&yKNq=8Ac&~0uknF4_eEJl~nvRaK~
z)&YSfRE85EzBT~S<iOxNw`_}jX6)t&E+-pvV8U(Ax#Ur*HxZd=++$MmP1bD=7O+x*
z-TlUfia|F?sau(Hmp+NZJB{5$?4DHHnIwi(xJs$J1otz8ljbbPS%0$g5fwF#>s6py
zpX&Ba7p4GRlpMHH+T;3$J9Tr;=-KpR<)bp*TfRy=bbKB?KXPm_H*mR*yJHbFuUb9*
z1Uoa}9cuOzOoFNH>Nw&$lNtFeYViZSbnfx)@kX+_<KCFbKJc7j*|klQbgAxljM(oo
z+%z)xeyzeVa;25nbbtb0*x)Uap>!FlB;riif=<OzCRU9R#O-(FiI}+3*f4^1qtzN^
zGDt}2NtvpbBXscQo%t$kqg_~{|1}d_gQ(x9>6Pjk83eB>=TqR&R8PJdu<uPa;bsWL
zXJzoFcm${)6J?s2OnCz4Q`kn`8-o?>p^WxSRt>dWn24f#HYw*{H1n(3^Mz<}w`Fm!
zPv&Cxku6Arq9=#3?O&na7R;kBRYH^0+^>cR+qg&EV)9bawrP_rp>B`wS8|=;@lPI>
z!$x_L&jQDBBz}Dt0^p|aXL*?$(aW#g8Cy>qVHAC%L`Ghp%B@naxciZ9Ny0SC$VlT%
z=WfNNOGaj{w=e|RRxksJdG1Sswiy(T48uvWk-CkZOa|tl4U9zQEEsC2=zaNxbi&jW
zjw-0f=s5~i<knDh2hpVitU@`^>y(ke?+(@QpfchmEWP4!grqyD--6>unx6<)xjQ7W
z3tW7H!=d-=u3(ZCdYEpo(vi>IOOG+?)W(Qp8+;u*h8EX)J@(K%?QKoq%2aZWGw7EG
zc87+6Qtc|4?e0t3_w4FDkwmd`J~)&+fbDX&Nr9j0?w`sHs_egiei`6*Pl5U5Q6z<`
z;bC0$WaSaa#wyaDp^IQs%uxT(d_~G%REAV8LNLeBmnrzNE=^xBw99<_N=!aYpZa@g
zNO59OO}ftReCVZxtaq^tilNhC4$X>3ho}6$-jkNiQ;;JP6xumy&khq-8;<m3bDUyY
zPdz+1Dd|5r<F8tm2*k||uK%Q{lff@iLN6*Id*o73I6kE7=Cox}`y00DCdIE6v7L^E
zBJ>wQI*v0>ofB;HrhmX76lyFR3EWulBjxmID2@(#53nG#Tlc;Dc44Ux=+dZK8m4+8
zX5ih!O+PYHGT-K?@^rZN4b-abD@#*aa0*2f+fRg}<;Slq_WdrqS+=WI<U3j%!ynJ@
zJZ-k1d6*sbx1`#MPqJ_V_AnS6xuGHSq^QY{l#qkhLfk$Y=^R5m)cucxHA6$pF>>51
z5EI7ums<o@)U`jI68I2$3r&f1`OH1qszrPS7SQgG55u%$o<Cz(*uRF&YI1Q*qd%wA
zib?Q2<xcpj#ObN+n|rKazYx(lq?v3#(>xbZtIt5FRFw#bn0{m+G699Ut?EH<>sYT=
zqiUbav|u)@OY%@n=MReW0$NAl3BUaVnk7%wUrV!7V@3gQ{^t45`$brS$j1z<hUD<q
z_@^8+b^<X*n@QI$%&eKOjg5Bdi)aN7fJ<jV8l_REKd#-KxBX+-{$^i8{-jYw)Ix3M
za%uv<%@FWmE<^(Vbg$nOhJzp^t`l;JRIlzg6;?MEna$odExPO$wi4y_gz+^DOFkKd
zMR}Ve?&t3E6N)MWD5{oZslXB#Yl*`#6KQj;0>ZWm`Jxtj{5RU!Ee-{p#+>;ZJ*Yh$
zNo3fwd?+e%YfvKdTA7SBwwcXR4p=^W<}&8DcBF!xbXyVUq&EG#exq^G4bRAYG$@9J
zCSZcH#HN#=4tGV_u_g%M)g#}-xAHVm`8X-rFkSaG>F<o%9`I|8HMP4N8}^8h!cpJO
zTc)6Wv@7J8tXMzpMVrBrFK6A^-&&$alWPra^6m4Ry2sYp5+jv1{CFDEke<Gk@Jd#t
z6xD=n^n+3{JDgtsL}b&C!{_5aGn9cLu(mVm#c&VfNGM)JM64@gCe6n??EQo5&k|4u
zikkdsb~MCafzH>C^0(7iG{_(X(=kP{&R2r;f2m^MSc=dZ;{4>iZ^zqcFn!(J2%++L
zBPECgC!GFt!YBphVZd=h&An-il@_!8vADdbKZe3#?)7p{n2}w^<0j2LA5#^=+Vt!m
zqaT0j3yasw^Jz_w_7V!h%w+3lYV^kk#A&Cx>sO?{Jt+y?r#R`cCuc%%0XULmU+Oem
zJ;=&7Q=n@gxP(w6t&f`pIqg_~xVr{7SxWLqYJs6ePCW8+>a<Dr=`BNoE$O*UKTjZ*
zLy!aTSDSUX6;#>@em~!#zZn+kx8GmCrav6|fd*m?ydTfEehsUYc+*uVce$QSYwhtd
zYB8=|@CcC7Z1l>QOw~l`*I>V*RP=T588W1|GAiXL4}DA{qPV(ErXP$+igF~yYjo&U
zR7_)ti3}%6EtlK$IqX3=%t6Q2YV^hQX0+?mDLzhpro<G;`9`md;MDnWI6e=xY(z{V
zG6LVkbx&sD46oiAgnhj;Issg3-HUaje*hY?kC?^iQG(QOTU*e$vJ!X0JxR&XKSg0N
zlzw-vS>QVA47kQ^CM?6~w`^CQI_b~H?6dZ3JC|?gT|Wxi^GU|_kIT!v1Nc3er_ab#
zAiuj1djr(i*GAGBix7CJ@N0lAZe_GJA{_tM!dc!AYwQ-+V1?yG6#P~cXXEA#oaCMJ
zz=TO0@`2B#^!yqDRC@Qpm(2jgx0G*+4_Q})C`B_v_eJzQYffgy<7;T@ws&s4uQd=H
z*5{@-5{vxMV{*Iz0UF^bV4k=h8J8V|c0`w}d1bd+wV(w&0}dvI(^3M;nzzyO9d>!~
z;pco(;3`w$e>25O816NtTk7zJ?z~`VX1g*7dEwh`PG`4!WK*%qc_Km|9Tu<GN|3M#
ztAJwS4nE*gqY#NvZQ#ji-bal3l$O3gj_9i&v$m`~H?t>w<FcG<cUs741mVjFMz#=p
zkWx=MA6h%h5-#k~X@@=@fL0CTq&V|@V4X~FZQqjx-9z{f;%_>TYTv6j@b~h><msDR
zFTj9@EKss1N`bbbtN{AK$6;Hb=U~+owlL!s2)0va=n<2|VO=59m9--d*&<aiCLo#R
z_HG`h-147c-`+iVbMH5B;if>M(ctgJ5;pIRp%Cp}`u*d6V7ya&MSs{41oyyLg}lTG
zxrX&#%rz<(`Q!wS1wGwML%Ibi-(pS2Yj!J=p;|Hp%M#&P5pYU~!nX6k$xlvYBZq~O
zQ1Y{PkJmp3GhlsN?#0QXEGSKYjBr4FIBW|il3rE8y&_@)4GO1Xs5LubpE`oM4)NG=
zcn^i*!B}&htHD0WwjG8mAd1&&qgo&wE98n3*ov55RQgd1xxkaO5mk0jmS?*VlOjS2
z%6y4jFKPU%ZbWu7M4OX+;aw%3Og;Psq1LhPNR{XaaAd+GH?;=>p$!OX1qjiCcxr&B
zaPt?aR-Z@Oy!@eHp9Rd^1#khUC?-D(y}c($bs7TtzR((oE29C6=Ls%+Q`RK}GQKJU
z7*;B*_))bw#R2K2D1zF2ao~ZLSrtfUCLs9q_(35Y*M0EahCTgnm(Wo#MytH{mK*}r
z@(aT;m3A1D(FBcwZjrWW;leRZ3&48H>P(QEu?2DyB{igXA`6&CR{+n%@PImDD$+)X
zG>ibE&~iI6Q!x;&xr>G7R54@d3!Qu8K)87D_kgX$9yuxjJVt3V;6Ke?rJO+g7V1?e
zKfsX2n%2jgfA1|iK?xuLcoT~e)eUzd#l0D64rzTP2Y8Ij0#<Sik0U;|t7}cyd(&Fj
zoD61}3(y<ctSs01v6+X|pz&9Xu&`-ZiQG`4o0)rJd--%nD4UQ8SnS4Q^ssq|ENGDn
ztp<Q?RE3sMBtsp4=nN#==akkeEDRq)$T^%Wdgq3S^CwR5{$diSuuT&#1z1~$+vke3
zkXEhCh{ZKM2G&z#41g64Uk*oW8CLpv3)QBh-ec3Ve2^aU!xodU!k+z9gjm*v6ChQ<
z@`kBSbU@%sCkh<Mk2z5NTC<W#O-_PT6b<C>r5q;$Izf9h%WlB?>ht|)3+G$3rqcea
zuK(xG1Qdgy;&DHeiS`8RJ|&Ygt|t|=s!~0X%+XKk@y((+J{XLSs~t=`NhmN#*Cjo}
z`2Sv>L+6Y6Z_gr*vwummJ>4Ur`Cl0PpH)!{phxjh!C%NXPdIhyvW}fo*~zmkL1o{d
zS2A~Jz|If<ZszqFoEOayZ9)cLWJS17^DR~jhj0!t{79k3JJSFC8J_M!0)g%ot_!FQ
z$>Yzrp(KHH(xvuTi*BII{}b)iPeWQj6-BA6zlncuO@Iv?0oGJZ+j?*Nx;@Me7Q<*u
zt_%Oz@_2n2@?A^4XaD-azTs||_rT9Qb7|aY(fsp)Kt|GnyO`s&0{Q#jf4S}-b>Jbw
zw{sBwqXzxw{#XB}NW|%QEm?e{K>hD+{{LToUa>Dc?hHe}M=u@xrLKZi&N*}G#{U5k
CocT5Y

literal 386627
zcmeEP2_RHm8<teG$}cJ{Qc4OlmO)XLNJ`nak|r~l45OK`mNu<gXwfDV2@z#!A!$z=
zDH1K(KC+ZbC{q8qGjql;L#iQD^MCzi?p*iWd(ZQ}&%2%XY%!fbdr<$8{RIRB2F)>=
zWiBAl4<{hdS3|fjIHGG1fCc~bqL|Ot6G+M(RUy!;`W@B4mg?^7Od#R~WL5O(KglYi
zTuBtFtja7|Wo4|Vry`Dkbs=NjDT*F=DmVnbcPHTp&ICM;evUFqSw#V*u7JW=qBLby
zbk#J#U#e(D3|iTqem>R(@4>jB3CW*8Bw}Ti4b>D;;8JoXSSNx9l|*rsRnY^V=Xg-@
zMDQ;-4E|nV0sgWD|3{-7(Q1zBlfjR=o}NU!4Swld0=OGPH5GM56%05mH`mD0WS*?D
zKKPkPaKnRtX5*dQNXW0~yOK%n;D{j_t*VGZ{sRXsu+CUAf#nj&li{gY7y46K+WBHM
zP<S(xt%c`uti7HFR^NpFG~ReJg+TIPJUm)aO%aWJp<*D5(gl}5{;23PUK;q|fdxa;
zUZw?}K*cN2PF6+{7;lg0Y2Z2Eb*{fI%Exm)PQ`zLD+<^4a`2+=zO%_#PgfHXj`ogl
zzVIF}8uVMk`O%M{(O?p2Q{_U212M)$4p<QU8MlN6w~IWtix&Zhr!an*euzpU5vc^v
z)(4$P9v*ln##}P4h$WLrKCMr4CJ`Br$2i9mK%mvtkpmV^SR(sT8v>3Bz<{7nLs^}E
zFUZ+Oc!G;792t$#q<`a%g(owfgyM?Dk$mXCPdmgqFZ34)UniMF0@q`iHrB7<N$$S-
zcp`#G_#PSK0O0)m?=s&8nJEyzb2%_`$mDrriC&ENXpQwEQYrMq6sjM5z2K#IB4<#s
zOOZo*6e^ZXWuQO>z*P^-D-}!dz>~pAXxe8Wq@EN4?R5GPR{{|?59>$rLgs*WA^1tp
znc$1ZnbSdl{5HVDJa91t6UfD#!Nn~YH-mhQB@$c^@o@q#0U1$`jHduZ&co8Q4sr&Z
z^_JJfcymDZsCWkKX@@$VzLrUxjRzWlO7;V<i}C9U8YsrQX9$goni_pvpB4n7H5li(
zvY<}|{vwuvdKc!!k?H6RGQc?uV0HWeh*EBYKNYq~Z+E&q!7LN7L~|gqSPvK4%sY`-
zCl;9<9GT>4i6y%L<xZb2PZChbc(Q>vm>%X70;R1_B9ah%c#u303{gp*j9(z)o#F2;
zB~hs)cW|5r1BSpNqtGr&dtGXJvTAzZCF!FS)nwIxnCpYjU@qZja0oe_Ow}iOP^e^p
zO61~r01h8K0uT=1fO5bEa6l|Drv1lIpuhY-f&^7IB$&?qIV{kWIbA2vCG}^g8JSu#
z%QUwYbrKL*XCh4>yAp6XJP>;h^9Lc#h52KdFre6I>an%xwm)ATOCl>bAX3>PRLZEI
z9283g;^l#*;`K;g9yo@!{;}48%8aHvnEI^ayH)|_&@XEmhB{=S7r=qESIU7}IO-a%
z;|o#;UFGOeJQ3^BWgcAtVF0*T0jLH(cRK(X>;l2Z0u8j<p8#a1M&%Vm0z<!z!P71t
zX%-5wNdN|1No0aQV&D)NgvDz9AR3I~LvSZzJ%EXcMa)*#LwY2dO^qA^Zc<wg>@1sd
zhxj-$F01xsvM)_7Bg%#5qtTuRn#HsaZg{E_Vq?=jP{|}WJS2A<-Wf3=!Q;~3ED&p^
zsmgtt#qa{nGJFsgHP|lbx<?7(aRi1TPcySPsW>v%Cm)I)pQBscd{&!)^=Ag_b_Yi@
z+<X>r(&7z0oTYgVvV2zWLOYWY%3;B9y9$=i>Reas+-G%7USM??`Rokp{$g5(vd5?O
z9!2YD81HNe?SlBc6Pe&iMN$uZdIzt7i_qoMdl%9>8Zt}^mfHm|pWk_a-_eM#gT!H2
zgIk;vCG_+DNOT+xqspCt-Cs=bOzGn@e9vNd_Uw%l8IMKi-I9P5D<A^abK~sY<H2(i
zynK%DN{(mG6}5|CKF9L{$HQb*&*pd-mF_Vd&zgTkvMb%BC!zT9Nxo;1JbUhl0&=bG
zs>bfILw_oX&YK|SlYLi`J$urrT}1QAo)^d-I`2K3>|wyK$B_LWNyMX}^zpgAM{zw2
zim@b=K)FAe=Fu~1{Qh}&o{P}sGkg~^yfS<Gsa=NWXtQ=tkvU?Uvev)xSdqCh%t7~P
z+C>79NGy^?ul*brxLyR@3EHLKA%JE}@gjsYpEi3IZL+6n+`(E8JlPHJ_lI%zLqC~Q
za0dwh!D3ojWfgTp6v_~+6ysD*%SA-;*|00wkUdq?E;9N4E)V#-%BsAOz*dGq-GAHP
zRff{XC+?m_-0Zm*tQXbQ(bH=wk5V`H7fo;zyL^i8N{VMs)bJ^uWnFKpm1P{9EBYaB
ztj=dFz*bi035tdREncE%4$}wG&!^a)MX~G|4?4w?y?K;kf5JQFA}0CN*@e`p%5Deh
zIyvDf6icwI*n=_;?}Bw|KaxZ9mqB=hbxC$l>`249_#1?E4AGkUnwqrxW?elEzQJLZ
zV$_gM1ng>-`|%zHb(pzj(55De;WYjzq|B`0{v);7s!+Ipl{f#w`~p*sxIn@@)y0P0
zhC<rd=o|88FB>MbxiF0^LJT`4bZax4&J4;ctwU7VZ7FZ0(}m;T+S7)cKx7zD5DzT4
zWb#P20<%-2@(MCxrFCZ#tp9X+fpcfTF5pd0IERK-XK{{{1O2!|<nMIng63q44aLj6
z$&>;<Z}zAdgc^JK2M+H|aKit!#K}!0@`<wxBM)lqr6Y8wyR&tcd@mA^6w4o^uO+i-
zl`@JMQ=q?9R;#b)u_4S7x3J;QVWDSKsWBnVXThGug6y>z%Y1lpkv4l+lAD<0^Icc+
z9ebpmO~>JJpszlo*E;B-?MiYXd0>eKEl24ca_JiYfaUd|J1W&3>5GauS9lMcF4D{&
zd^9lk$CF8xBonL$paJ9?L(u+|abD{}33fy=JQE7Zi|oW`Ot0?at8VC~id#yyvDLK3
zFZ0weHBvxpFtj#kM^EoR4z30LIpj&ec;E=_avi@{I*Ya8FIK{WE!$b$H#9s*#uLFZ
z4R6-rlu?`l<DI#QmRm7J8mR+<WeA0WD)cKE#Hx;*ij-Evq3AD+@oUHzKXxJMqqRS#
z8k(WG7-K4{Gd{yH>977b#srALg8UBiAs9vYv<K_#{dZ%-Of~k@gDxmr0xg26yq~3N
zR}{HXnE_#})&|BZuuzdz-Z&YE%%~m2UbpU>0Cz;`OqlHtu4(DQjT69b3Z3lq%oGwX
zn4t{C!>J)UCy>DN{tQOglLS1vr2-S}T$n)?xrVdDN~7=?ry2V>!u$vJRDimZMGO6{
z2`Fwtkik6=YAlHC)cyvnM8g$Gc4|~!NkC!PGYND<f<qkbpH4v0)|+yDeM=XREz~ls
za?<0-7Q>!dXcu-I4YEHGvTN=7GB=w;kU{yiT{W1}$7kvu74pNdXBVh`U>7~G)ua~%
zY+I*n=mNmt3HFynJarDLvU@Q5ON&%{Hj4RV-?5GITbp`eem7C_7beZRfPr~p4+IQ*
zR^tzAvtMfMz=SlPL3<X1vga#!b#o%RSg`gJ;U?(#gx8gX#~$#f?UGDiq|&aw<CTRe
z?8t=PJQuVf4EeX+DjBW8V2&R-m>q`vJD&8mnJw1fAiOU%7!YCvnK|@zfJEF;#FA$M
zHS9|z+QlzN@8d7D-7rwRxd3-wN>yMurz&`L*$f6kn+wy(qLg4DtRv~?dT_WigYt^X
zfy?k&@)dvgvKejykwH@s4=lK3@?y6Fvs0t;3^Jje^Q#q~-9v_5n9pZ7{knh*If1vw
zr4rQHQwhAh7DgRHn@@&4Dxjgxo)SR%anNeV{@Ud*+yo<^5IgpHe=D+2rs}I=33C@%
zC@c6F_}e%V$P_zJV#|)%c74WwKDpm5j0z(Xtma^kW7KxQ^t;KUKasL$pVW394oV82
zb$b-+wliDoxhpb>_?IlnY3Gr-2v9x~cOet2cS23FF4Vyjmy&$`{2Cotu*td_2U>rB
z-)bBcm@HsKePK!imN9q1VjPt==?Y~PZY{>?#sxHR0TD|?kj<cE1$R$cg~kXIumT*0
zO#VKAW0V<u!2q~2Tng5O2v>vd24hTEVFHKz<<(~032^qZh1p1@p9$W5DV|JmC3v#o
z9n^t>%0QJ_yplBTZ2cd*>CDB*6f=nnLyQc}bUL{V9VrMd)<jNc)=vJGx2+EIj-3cU
z|MPzJuj5S}3L_VsG6udN3HNCKTOH;@Tj0ez5$)fYZYWh;m~NK&g&L+?vu&LjlxLD{
z?9~Re>i54S>fJK{%lFB<&?kox){fkkR%V<z(g#BiN$&WAExoWv?+e;0A7H{#E$IC-
zXrFxu?nJBy-UyGy!BZHA^hh{_a*(rF+edqlJb<mJ=S1pU0-6FYA*-eb{(yE6`Y1&;
zSvAlULmzwwwix^j4yovQ0#{3)<N=m>W0A%aDzorlBQ+m91^lQ-C3!M#g@|`XzC-Sc
zb?-#x4iB`1^)D@QV>}qU(bxqf4wWm5l1IZS?yQ#YavM<tTFZYkiFdxM0GuCgG^1dd
zcL;^fPJ72nrlYdcpB$7|$X$cIdcvLN>;7Zx{%4TPXZ?-^^0&Nn7>??Q^}8ilN!#C|
zo#tAttxvo!foh8oG+=trcnf^8W6(A7^DG1|2zS#yK=Xo~av99S+JXzNa$}8tLT3K^
zqMynzu*>lJG2IaTM7J4}*?bE|sCXg#345}!h>R6j?>q}n#S(}Ve&~}M)(b=DD=5Pd
zCIh4@u-ux((%@*;GPe$g$m-VECrp*GK%`?_@O>$!Z|I7}(HblwI{X(qMldCm3qdjn
zJVqzNAK?zhPX7$-U@VyLP9beEnNr9F7_iJc-<<-Yss9@rGibmVb_-1Zjuv07?Nn~`
zzTqZ>`F>Pa`cdrZC_dx2w?A$d$O$Yc<ASP({t!<vK6~1!UD$D4@cbw0jk{p_q4aTK
z`uR*x>#GgWPy6#*Ob@*`7C*?7;6(Kz;~l-o#6OJG9?}?0gNxYZQ+yXvye50Hs$B&C
z^94=xH^bTws0*BOs9so9HpgJlA9cz#*^@`@!luViH2d^1(a)#Y9<}&K6Rvq_ai;O^
zAQ1hBG4@O3+O??TlVewsBXq!8VAw7K`Q%9Jh}*^F$n0g(v)Pe-m14WN>B;N};m>Es
zp2d#r84*vfr9^_08{Y2^<BVGj$wlPx8L}%Gl0ECuE&}-s*)0qSH!|+o3<={yov^HW
zGDAZ6^BJ;dF(i8i!IMnz#!~S-N|DZBF@ipcNFsweKv`uKLqik_)K#nK(UmQ$(XGiv
zNb;$(3#pU24=GC?fzO@oWmnmO-UXpoW}LN0b0-@06EXW9Or9+Qz-P}M#hz#sdvu?I
zr+Rrhk#IcOYN_+=$yH49>9b4elRXN;MxWeX<gtLZhO^D84tJ~vj{ZgK8jzOV(>Yse
zom{K|dG7C9tf2yTVrLX5siWF7M(ToQOv-J>#Izlg7Zz)vQP9Y5ai3|;YWT}FplQSf
zlY*hX*_LZCmv8*YN`y7lf23?4jrxfY%Re8QYpuE4FLGvgLt12!3y|Zbbs1<BdywT{
zXjaoASX`KJ78L@u1%E-iuRfj#8gCeM<P@psyVFloMuBA(NKi}}jb;=#vjkNBttA+o
zv=d|jE`XKq&-@6Jzp;J@jfSR6i%r*){TaAm9cdiHT&}LD3|FsndBr-DW&b`eNDX=*
zko?=WhwTC{NDZn=#+b}ih0s*x2`>oE9;WJ0VtR1HW!R?RFNC)$!>NbxhW&sb)VcuP
zm^ScMfuG@+ya8|aB3J`wXS@@Y;En%bYg$G#GN7E1;HL%E4>ZYFnWX|gJGl~wxOrGV
zk{8kt48*dW+~B9yea{fhP78H0`ksM;bJosi7RYacD<DV7cnau^W{M@_X&uOD&BRy^
znP3sqq2<JRphFqsK<j>J$S=BM$u0yBJrb2la%Y?btBRb!<?$c|N`EGLH#VRI!1%w^
zxeO#yF|_|7S0oULED2U;HRM0WNG!)yX#WGpIhb1XL)>f>p$2^dhU~!J<t$zUGiAl<
zHZZFsA>O;SPXrnbtG8M#nReSoQt`e>qq^2jm>4bPSm%Ush~kNLB6zsWqj$4YMShch
z#GH{hL=KU_95@qc{T5saI2_&s93zvcSXz{W0Vz)sXqLyFCVMmi`vov^fDjsrJQu8W
zsBd{;#U~o_AB*eOels#YW}u=45JGnWW}w>nk)HXZOOViL_5_e8mg-6uD++`0z$ZRj
zx)?4zv0@F4X3v>0&8ZHzhUc4749@JJaZ!&qrP}Ug&nu=B4BxewQtfWU%-3_R^c)oT
zf6SEPyongIDzpVh9qwVu$5Iz#iAPK<_7oq-?e_R^>0-F>hKYqVR{=3u6pI(fW{rcY
zDA*8};nTZP-H|r?w4hO|I1X#|7F+C=eqq+icMkPbOrwt;@B^cOUt@YqzaMNR<B3=#
z9LKmY{hl}lT{=!2we3D`iUcRXdxRAzs%?svRA5XM4%G!QRAp!(!8k(OF?k|}s@#dB
znv)mV8;|6W5d^Zp(}{?sPzX-oV7mzI90(DaK*XYpK*-{y!?j<m!9aMdo3N?^l>h@b
zXjO&@+m%>_DKj{xTAM<`U&bnI7X?%n7ObsB!G~ak55cr{Ub5k}+<n{1w+h@a58gkN
zHIPr{&HymJ#uz}8@qT{p`n0ZD^f%F&r)D(SnvEy9<EdmY@(&6+ekXYjMXVL`V2DU)
z*%hb&R7*Grv)qe>97dwH3P{#MRz(+_fL8YOl~smcf}dQFlfb{UYk2<tB|x0oqw`mx
zR}7<QH|c|?$F`B%^dOPl!KO3-O32Njhy)M30u*-IW3WF184na31&|aG0Wiqakcf!7
zQ%2EZ^59>3pq0MEA^mZ|Owez)^;-ak!HZx!hP+^S5K(h2?;3{QSoG&l2Ks?kMzS!B
zAipJTI~xVs)BCs*sCWwy{71;whm7?Er*RJadwJk!>K%D!?N|1(<(QB}4#5da)Fl#J
zKn7tJZ7&_R%u~Azz|A}mn@&Yk3G%90R6iO9V<8+6QwMT5R9oGf2ZB41wi3!V2w~w{
zhB=7CQe2sI%z_-`xG9zj5`f5TAVQ5~GwFD;A>csZS7jD^F0gHKrbC;OW@LiPz^Mn<
zZ+Cv_CKosvoB=lgXie~p0L1TGnJlvm$((hP;j!)_csL$|OO#>vdI+*EFh<+16i|i&
z0LT1gg6~$6V$X}x;l-jc{|b44`-`-e2S#r5Z<7c0HqIH__TF6}4{T$?8ZzFJ2Zj~O
z!VeaBDi!4SDQt4lYLh;i-f!8Ek5-uCglyLb%pp)7LUZKU3rkuTzR-#Rn1wIS1YbN3
z>{o$Q1keK!KJ&oEkdKJjKw}X`MiKd%%~+rpz%c4s*drP3n;mWWsa?L|ragg%(MN^~
zhh_o`(e%W+5@q&;Z^t;{Z$R?n4M^Gou(g4X!#iWWXf6;3V1i;_nia|oXflupjo2R{
z5uOM2T{j!HFt^l_O+i+^v@va=%Icma_-$3x@AyK$g9#|3Tu8gIfB?=ntKAEaal$~y
zu?EC?gny8QB<7%~66@gtN+eskRB(Wf2IZCA9?{C|ndE<KaZC>ZH6x}EvBiRMG<2*w
z!W*li;|j<-H7f6*oIPRLu3qLZdTo_$>%5KnXH5iXyRu3STvO0l$w9RLk0R^8wMPUq
z8pq<>v<t-UF%a-L0xW<=9F#w0A3y=++Xo#jZ>5_j-5H!xVb7GhdM)LFy`cXBAoFd4
zj!l{0RK>tALtL}YsA9fNz>_usZ<I%=z|}o1VFSKR0P3++pn&pif*xiQuqUiQmwCJg
z1@FkCeRMm!Q1mx~1>8h4-!SM>!vMywTlDcPyf*+i@28*WyuzV6mK(8p1}dS`4MX>^
z=<Y|3`5&%IQGpTamRbKf7A6w0o)p4T+Jbr{Ifx^ZJT1YZbv&pTqh$+e#esOTfj3yL
z&deaPtS@I2y3h)WXum+DFK0$BwiK>=rzH_tx*;<v4ne(%njZKA0vP%zMKxJ9P=BHi
zJ_GL!eg=nB^gKymAqdF>gla%i6uB`xSaa`#N7mhQs%e1*l-z&^!~?iR#O(eN9AG4r
zQy9M+;xs&(%Hbg3OknfPs2*lU{jI5&E(Rgr`sq^Z2S#E$!Grv;NGHQ0Kam>g0?Or$
z)CjCLVu{BY_N3|w#0>kLpz_aP0LmbrvU?U~tFmW9NIsyrkO%T1tc5^43S~a=cO~(w
z!f<ORh@WF>x_ca81iNHjc7S;!DWS@XNeK>)2NTtND(zuZ%AQ2<z`FC~K0;j#J3j4o
zA?<POiv!mE(&v=L7oi_uS&{|oxc_-4m;?N~z=>rxFYVER<96WmyQY<g2U3dOl3U==
z0=46`L0hY-6IFlg)7s9%L0RE5Y>#5tc4mv+uA};S{w1{A&LeXXpnNXwLM}$b{w93d
zZOQzy`nt?4Frv=c^)tFFXcw+N>Cv={R{h=Vea~Rn775^!X^$dPv?_Z+fT!0|Q1-^7
z6>l802UGiU0egI&>{6a&uN<JyC*M7#6;AyLo`hv@J)9?DX7N{p{5^#yp#*S2SFy|(
zEIRA#g29f3oVl1B{P3@=Cx_-DiwW;V0SQu1GQk^5#q%gzBFR&h?S2dmQ79nq9Bpve
z*OD70lYAEKSipX70hk($3;e1s<R?5?H5^09G5dNdqZk#x%5a-C7Ddakj}X+pf2QPD
z?e7TEqM5MfQ)AC^A=TJJuTEq<XcSKJaHJCcn$#yZ@y92?E+s(r6uhnzSms2rB)Ngr
zd>y-#!1`g^1+s@V+v5=9pdaF*ZKj}xa3Hdvg~4_hSjYM!wqqtV{}A1=uX1a5!vC3a
zFEuC;T;NWgTJNOB9zRD~*Xj4D3heg!({PY;xag1@lFlN?u#&!8;{%-;lxI3|sj<h=
z+ugYgR@iV<KU@z)!RD>>RhO{0JY!2)44^yK3TmYLJg3C~T?|ErJp>WKf=nixbSpGF
zH7f6569yGK5fJ#NtG*CL%n9k-XHQN@hmrQqA{{Z%y0)vE8hccox7ia40vF66799mA
zv$GS|vG2ngd+H#%-kCvpMnl1eX&YVtJ6g7KQYl<SBA+}v7O3Bgreps3X!=hiiMqhg
z<c(!Tn7<^*&O|$(A$wMk9m5`Er~8-gpwSJU{P*Xdxrt0ZV|FQHLU*YHceBHN$!Gxy
z+E#_L(8v~NEW4ty>=$KV?vE#vEJ-F<4-k?>b}}^tO{bU}+OTee$H4%jA7b6rOoMUT
zt#)yOgvQlfoX~I!C02)ld9a)IHB*H)HzS^_3PX!9Y~Ka@IJF&96K2rin7_QQ8Qp18
z(eK)gOPSey#yeAoIg%ec;;p?paDLC+SQPHe%HoJIB!#gZ6!_G=vb)U7-P3|GIF^iT
zPfR;PR}UJT12*i!%`ngY5!r6LUm6BZE0nV?knOf(YQlUW9J7bZHZ#BZ_sTYVisBE;
zHir#JS;gIjw#zMxxT95nL*C(1n!k_A+lrnl+^GzTUN?xl3fyBGj@iS-T^*VpP~73R
zu73}e!w_R9&2Z2`)s^Hz^1u=ea4vWT<+5!6{ReGvxC-#^6JRt9axuWD1|0+_OkE(r
z%CMrHF(wAuvT)2EF2HTw7j;J6&)*`y9M^oKF`R^&zKea!zV!3(F2EZGyVNswvNUY@
z3Lf-q*~6ZG7UFY*VlS|bED70C7JR+ji$w39tfKCWLODCL9>TcLzA{jj)l`?&)0Z_c
zl-1La)i3~8u%>OGsf^Oaxf49VXHzVN;zJ^X+d-L<NmS790ql0(a%=Q)8P{t$%yxfl
z2Rgc8XK=$vHnrs$I=EpQGS<@*xhE9uevNIwQ!w8gr`zjj<aS>b<C06s;NtX`*YO|#
z#w?GF)ZwwLfurJmk@wG{i(5BgWOUr-&`pEliFE=S4ucs+Dm@sVEJ>c=fC5keDtbPy
z1S;MFoP`I6e88&#$2b*)wBA{OZbx=)|8)iEP%sph1}v**$;2{yt+$G-wAE~^n+hV|
zb!ie^-N#qm&`lM$lx$<GX^mgzsbOlQfL8BBjLgZ4><w^9-=Uc$@a04VB1J$vVHN;z
znvXU_sf^+<L3CyTgMcY)=T;etwUzHoUk%i86cKr~08(JXQI@q6ERzKZh;^>uvF-_i
zskG%?O-7U*av=A4R|TRLQax<s28Zm~w5!~PcGZ5(Y;J*uDGBM<uZ&`Z<W<_3<!bPC
z{a8xr*MwIF=l946TgNiiD(u!m>nyq-QW`=+3KUutOc%U9w6do!2fkx)3}BK@TmlU)
zfz&_2A=)w(U<-uMTX+bbNV^vwJiU1(ayK3%vO5-p;yGN*K!28zf`J9NHqAIe_>jXD
zmjZ(UPgY=9BgiGav1B;~1=iz}Y1c=!eG$L+6fAGFy$d-514$W$qwSmm9z#}HMMV?b
z3RqTvVk`y)Khg4WOe=!^=Gb_j(_xMV0*fWUye6wn*VD~|_V-$CQ=E#FH4~h$L|r1m
z#RHHMt@#(54@$Q-*h-)|@Y^pC6hjdyx1|QyMS_LEn7f{`G8nW{pg!*j#s+&4JX_$e
zrx+WI7$vK*0bC5Q5ak!9l4Yu(UBNn2@L2cQ8VE5VathsTxH}%i3HMD61$0|7<t<x-
z{r=(e{G2fWO#*k{HpYemG+v-B1|v*AcYRuY87~<dobmv?Yiy{3U>PS%!&J|}LRrDc
zLJh5~psTEgnQOypbkNDzhd^}&GD*Qxy$~D8iG%|k1DO=diJt*9_-stIV5!dN4mM_!
zR2U#-QSm&(#+*WUZ7jH+!p4mHe^xeT)T#V!bPN}<cPAagqER?z&vyOU=@^>GKS!6H
zr(+mv__^!z938VSvVk0g_;?(=<F+nukMjN7qhk(^Kb?c={xs4|>G!;8J}v)wT80wK
zgR~4+-?a+C^-NmUU@S>#Ma%U1XkMpfkc4XOCu?+rpWHSkug+tBGTZ$_zxL;dvwdQ2
z8w^v2L9U-0fY+EA%2_Lwz`Ks}KM<AweJg^K&(Dv^_l%gl0-GL!AzWUxH-K${m=~>-
zOAoa-7+G;vdxP#T^SrsC3aOG20!E|JU0wp9fN5jnpi!W(nFa<Pi3Di0NoJr?(D45`
zgP?tjgMEZwi~aMQ$-zKhE3LpcIeKs*01@wkb@Bs>oL>>}69t1jSP`J04nqWxD^So4
z;zjd=y#R3*t)ztls)uQSZexqUre%!n+IoDGOxEI8P@`jr*3{S3MCx>?WY7harRg~i
zvlIi`1j5cwU0YV7pawC+0Fee{PF4&-ps`jfFuP4d8=(gjmT2%suT7+_7wdLYo=D9h
z1*v&e(*u7%z)2sas3xlhYGC!jXAoV3pTQv&Jx{PQMxW#XfP+P96;)>8LCXanJcV8z
zPqX3McFSm8ip06*kG|gg7c6K7a$sfTkAMTu>q)p_FGxcAinXJ0x~EMdl2n1~j5}_~
z`2!8n&TP{}<rij~WqRREvZ@7mjMMCPX0#R)+#K18)5C=bDj-llIVi968Ea>1*y~~b
zroLm{3s+dj&4}W&00|9)HQfr|PL0ar`0YeNNh|Bkoa6&&&6PwZ_yeVf6l&9Umtt*u
zj+9hUd<gDDtOwo*k409YupZJQ;Sd%=4zb!<jCDuATO(pUDTJ1NeQ{)xrzMu`f=B2R
z`7JI|FvksoS?Rvju34?u$+Yi=v^EoQcxT$OwoV#}?dTbr$=w;H+-A)TgYY|RDRx8&
zh`Rp+%bhgXYaDu12W|wCKVIe5y=b9H^)H}>Mdd;ybgRbg%%HrjaADmOOOTG_;{i4U
z<1Mq{Zvs8v?C4li(Bk0kzWR8iLz+QHtql?Gp`8ZSLnE{g+%nE|ruok|Mr9=M{)F=n
zRS=7^XErD6thWC{wtyyZ^Jzho4*HTnbG3V1e>{%Bh-%L20?(f=Cmjo2ix<v$sdQ&J
zl{FsNnbBIt{AWFXxZInC$UU&UykXfd`TD;MP(JB)EN9#&U1bz|tg79(=|8=d2V&g*
zL4Ia#Aj5kEt&IAKc+y`$&<vUCSd?4Hl26d|cftO5SExJoxDnOQ6J#j<XsW19(*jU3
ziu6=s*-?vADCyUg(XRuPPtYApHTMyV)?}}%Xcw(~f~Gryf5L%g=7o5VpwY0^DvR6F
zF2?=>f@a86$D+(9Xet@xiGC2;1IZsQ2LahDIXu0V5(!Q`x*^H0v-Gc{l+V)L58Iz`
zqd98O&Lz0<WCL$Jz0?fxM>(X*IVP`LC#>mh)wrEC{|%u3Zs8g;P|b_f`)~QiXm0f0
z;s>vR@auD*df9zrCo&#OC6GKEsf2$oicM4L9Wx0>Bau(P9ltd0LsuEaX_Zr(kPgzk
z7}n!<)7Av6dyjOm)zHtjRfb!`vo4?HoKpW~W@TkkxVVrt4cy(Ei!s~wGD_FL_>83j
zuui!P+8wIFq<Fi7(r19t1rWj8kBi}0!<=2cy;$4r(bQnY-_PA<i<WEK?~vK8nem3Y
zd;sP$PHsJcDl8&qJi#vxK+|b|vSlOf2FN62hXpp5ouP1NgXa6LCZHo>>xv!Pw>SdU
zg^YD){4(PgfO`R&_9K^jDzVc~KtNhx&MaL^-^JD8{q|TI)PGO5Lp=|&Lq|_QFVX8|
zh87GGE>pW*Itn%Wa*&MMj{UteGRoHUGPUXRzn~<M@%zU+4>i^OR=zOXB8yZKaiGCJ
z!!i4PJVoQqr-Foxx^u}1O@(LPo$xEm4WC{lC%Q&JNLrwmu#SLW2S1uF7p#@eu|70;
zkY0!9F)rjOB#JvX^v9P4r(13jSVs)Kcz<dq?n0oKklniuZ&k-!<c?L+?V}?%InbU)
zbR)R>aN~lttsnB9xZu<%wGCs6*q_GSL_il)`0k4D58ep!q|!IRbMCGlO$=;(d5*91
zmoIFp)N63mtFjK~>F8SUoFmV#-`>F-!n@Lu7m?06cHe#YpblRp{gHagg^!wtG_U?%
z^F2lkW2i46m@a!S!A7a-X{L|+_8i}uJ9#5~P*(zVLWNN?ZA7Nt1=D&!8kMJ2i(5Ks
zprD}W=6x3r>jo0vKfm<B+nB`ij_SmWPDp1y^?v-q8kz4SBHKo&T(^BcWP3t&kQnYj
z<n8M>Hi+iP_9`o1lo75A1|BMG6cTz;55be@-ismQ^q-txD=oEmcpVe$I&~sP?L(ff
zYI>WnVDlJhfwl8QHQt?lC5m%;e^e4&(rJx}q-c&Xxa2mCU05)v)%fRq?AC`KA9oBZ
zjN2hlYgo4E)*5)Z9Dw=aff_r<ffKj?Z^@<X<%XegYo!;81f}&_yK-pG)2~`ZcXDPN
zOb$DguXlKhkf`-R;gH+AXRpb-e7tGBUv%Z>iWY&LHF1r!)QAz1;97(UA(?%?kJJ>=
zJ#F~BLPBuz#EV}KEiK1R1J5;}*ZNRf)B_PAWrH<-<1OCdQ1Ff6)&rOsj=G5gkF`<c
z<nyt4qt{7G4RP^btFsrpdY7AF+xiHK#`OgkSY{eyB8&?Ik8`^D_8a&(Mw7tfP#Xs&
zj1yS9S;+Q%uyEp?O5qgzx>w4=ulEboQg(#r-2>m5f(OyVMu~yDk-m8T(p!jK0ij*9
zfqeSSxFjR2bGSdaLb70in2Aiz^(zM!ONYn`9yk!GIYeph8Cj>bI#I&Xi4$&(9^QMc
zrRb7pMjOIVVhkO(_RvtBkh=%2j8GK%Xe_NV;G2k#^g80@(d+$0jikZM2u<s=8$9By
zp*ps6_Do0h6^sXWv9rHAb^_E=n&a0<hpB8*StR^ARA9ij558k`F=KK+39g+wbjhmR
zUFstS2uYg`5)__Nc-S~hGzZhGY&)@OU%oD5GD7AH3a3<jlCnl1g}lh2wg(D_;%*Dw
zz>DUf!5xg69(e?OcLY4b`pdIqfv(Y6;}`h27gI@32nJK}apgJ#(KR~5gik(q>=P$@
za8}6nO)6PB(sPCON2b2M`)S99@oOGbWop^(IJv8zl8T|Q<z6r$c)$B2;d6+_34s|g
zHa$8B4DkV(ksAiWDIYwKNebh(fce;a{-!N>6U#((Y~%Y{m8{n}ErKH99%pYG3|}Qx
zOee%7w)EskAZA8u`h4Gf@mAsv>4g(D6a#g3h@fVcKl(Cow4kW4fdE!ke4;#f1HA<A
zNIe-0F{LBzhiK9A|4m&dAaq;@TtQw(A%DU;qSm2`K7w{K0GF~PWeG6dBLOIm>xN>+
zg}8$&6xS<7L%k~<4lePaLOpS#fRK#Xl1npXPAVsi&)F-o<F<5&li-~^P45}{n*@aP
zz=Voy*kTOc*&2b`zGr$fUxU#Y@ES&b!M%HOZhL*A(!EPjZmYh1acOF9D0Q!h*{Aq5
z{z8$|+rwLiIp5ijO?AohJ~8#e=a(kL6QBNzut0BJs@RxyWSR+DaoeD}^wK?UVM|qt
zzR`g3WLP0kBr3OSOG(+y&XKDc<4wXaclX*kk64J^Ff7q7)%ia)>sJZu8gv3`1NKi-
z8)F!i8T^WpB`#1_KC4t>c)wo46V?b^HWoZ&8Z0t)_19A-;nNB)d?}N1D?A>W?*91U
zxB4^L*Os1q*k{$3|Mp$3{VX_Os_5Ko>aM}y9aX&lpEabo5G4RPwf7BiX3^CpZprRx
z<!(vmu9u_{oK}DP68m&z?OpFz+toAN()NFQ<P>~BB4TdVVgmMKX3d4vv8z5`s>`}1
zpRj-RJt+;(!&zTH-hNlN{MGehy#WdZZ}vx7nudM<d}HPl*@YhGVg`*+KAQWV*ogXP
zD@Y9o$N1M=XnMEK-K>!i_ioFi2v?;GpQ92!Mt=W#qb!UxBO!S9$?%%&@6Q@PRap2E
zlC$bl^oMAtnLFpt9|6#))Z2c<K1=-&eD1b)!U_Wyul#VWzV!RI1|>;1#mds`)z`{z
zzp>t!{qk#V-kE-5SDy5|lsmnKcw_A9l`k5Sv%i&WpKSZ?TzSN_uzi;stQX(au77j|
zOxu8kPTSS`M;85;Zdsf#U*m;Pn8xy`rb8>AukAOIc)ldEs?IC->ms|z2S7|hw1E)c
ztgYBIc9m=6SNXbP|Bp8(J+^ZR$KMT855|2yq)Dm1t6oYia_xN@b3eYIA>+dM8t~GR
za<dwqxn)+T%su)o?hr@7x;;N*u|T^pBA~w5a7DdLti+M@;cw@b=Z3#MUz<zW`XFX8
zDecAPVY%83i&lKfpZ(No$jq-N6;3}|I)B2uXIYsm+)t!GOsPuBR9u>{-DY2iCpafF
zsOrR-2nYX)7%#<X<%cMTP$$UON4PvX{n+ENZ}iY*uG^+ppA5WvNb^C-84}6H!7DT~
zLp=DU^M7MceT-Rn#>2b5*k$&c@Z+HqFRoi1vt_SG^2l{lDbA{;Pd%>;@_t~VuI8H$
z-oMZE*CF~*YKyLv*b~3Li4N{B@u|A_LE58=+c`VOzjgfHX!F9yebGo2=Xpd4w+Fjs
zEe##*^CW-1=6`!0HG0I2S9rcmfA_78QXa07i+!<Kg|9v@N=~K#ygyMK-V5M;Kfrs+
zq1p!vW)}CAB0iUKs+v+F=Y3<e&m-_+q)L3<E8UAzViJ<epU+i1ceQy@Y1M(DxKOP`
z5Aw--cj9bk_9`3nZZOk+3(*3=M>owfJMoy5o%O#jX-lSlh_bY!<{JzUe6^-m@9J=$
zXUhwdE;KG%NQenNBxhe*6*^{DaHCoOV~;&D@2Vw#GFqTrx2MUk7{4#wtH|NZ{ihj5
z<LgeOR31+#Q8@F&{LQP~3uc@Gvv{LfQP(#As@WLtE5oI>U3?nQ@bvBG@jE>Cg}xk0
ztO0mP4IDD#?0iXGZ*1eS`TqgE@91|d#y&Ak`u3p_cS!)(*>8iUBza0!sFa<&GMFM|
z|LyauA(Kp>`IU!n=sVW$_0R_{CiicDs(28dGh%AVn&|Bs^4Z@S6CP{*Z|ZW=I<tv=
z@Rp|e-?LUU%oln%+2YuvUj0TrC+2_uR&IX%+J|$C$BMUo$I*9lRyl=T2t4FnLU=c#
zxzNVZ%WmhM3$_MfC)FPlQ}11$Jq%Z;`TYqc?_B+vM@t7R^!qPVzro;I_5YSU%efFd
zVjNVU6@U+=QuAgsRjXJu+7BCBVIL`yeEwsQcI_P%#paM8iK28lg<c<@`jj@`t}-?|
zx(O9NKH9)fTlDzMm<81Z@w?vwG4+}?H~jl?xySn!``?@(lXSXd+37E3VVRo@w<K16
zuZWF2-SjRquP&LoX`y?1=xE>PYcYNwU+Wbl3K_?ItXp~__wLR$6}KIHp5jSab$gqv
z%;qN~U+|Zcl9eWA)jiyBA+X}`#=)bP1<(9;wkb@;MOI_ww=d=MiJzYb4ygubrlc1w
zek^h==yjp5WrXib5viH0&NqEI95|R<{xxp%+F;j0-#zm7ZxhCb>IU{b_o3*9zTml_
ztI^|wweCOjeYHLNY+<a{;BQCJV?SqLt2WeS3B3h)d-}y7en!zEib>V|n62)qcQL06
z%;yf9H*ld+*%>ptr>CAfN}SG-w6X^pZs1Ip`3F^R#^l!4*3}g`I+iyl76nTArQI|L
zb5KnttTNC4npCQ`;MTszYSTS2WsVA;v%Y_8QrwUgrI3D3ZvO%4TVF>eW|ppMI@f1z
zvxVcqt$TJXj+`QYi73)Is$k>90F3KmYqMob$LhW$*^1;h-mwr-QCfDVG4_74<IEK=
zHb_318S|#5Fk#>SR)$X2TO>XxI&ZVn4$WhphKFQ!4Lgt+W!Yq`9+$VoAv@nt>RjH1
zFXfTh?^pGAv(R59qB3(Xb?l6lXRB-k>%l|2XDqnt*IZZRBenhOfy-i{0hoc`HHTkY
zuyfMZi+%3onH;&14j6b0VxHZ;-57DCdX#+0(W&TyeG5rhg?qNlGRTXcJ=$welbuw~
z9)pUTlOn05v7a=bq`TQX$QPW}IJ-3UlY?GqsbxvJTls~WH`6y?s1nak+LPlyu|ets
zb<dUSQl#qY4>!hFs0Ey^TJdDv0L3>ud>#SO4fn0ynj2i?BN<Ru<vJ!Hd-vUMEB3B0
zAEWJmwz6^X(TtQjKpj-Kej}UaPk;ORp_trF8DRHKUA<%w#JQ*_uoL#z^wxg!In^{>
zrz%=2(AhQL`g_oWXN}X0XTFgn1QyL%UzlVc-Yd3G)yw;5NRHF%A2~g}4d&%Ug5<nj
z6;*S6_nbYxDRW7Q!*`#$6R9FuI>$4D5<l!zzm&H5!7&rckN|o6iw^@6B-USf6z4`g
zQDU0E^xPPE>f&ID_f~11$pzQ)W`188{weg*sjBMHTY@vJCo5Xn;6J^|KmGaT*38Jz
z>mR-~)%eVG(-K>zl>POip6UT}Y-L@eukQ;T;@2xx;L93`|C%*3KjwYBt>lPO*fvBw
zOX76I)k4%Fsim@GCzsgD60`P~>fwEEtXp0DM#jOGpu1O7<?EsN0`G5k9t}`Ddr@TV
zHG|qM-&fjtocr(45)I$?OU`J-MV(tv+{-fUbL^eo2i4OFv6lHVQ4%jKqwXYM%2<pW
zbb74Tc<b6T3q~a8*tlDMEDxG%`^5ds(<kNY&HF7IzcWb4UV*wXTvCnHlvik8|0dP>
z@_G?3QDVx?iS>D_zdgv3&?21|pM(~h5_%G&_FB?itN$_L;QA4VZfwnarf}LMEU_Rs
z=-q+m<r(ib$gK)eH50dTUggnWJ86S}&_^9$eA+F3=san3{1F*5^VtuG85PG)zrQ?S
zpK1Zgc}nO@+sJDrYfjWSl%N(ZqAuD|Gv%}TmJI*JQ)cK}M<tPFhiyz3nQA-XdS&M3
zh`_pV)6(T%8zwoD4&e7rp7o`&*fc6JYI)t$<7c%Uq8pbvT^nXIZ*Mf&V^FPOE=geH
z5Qd+vBLf`o>(vrl4vCeGl%JuU6g9PONtxs=S!!a+E%}F023vO}Pm!^VC)Zt!?StQP
zphP6$8ZlcS*>!}r+_Dd~Ks`~MU2i0ei4b?FtRn2Ro9^XxLK2m3VV!R|qh$8dq{jTD
z#{gz`0ohM4ijX0b&VMj$NL{~h?28ruh1z5o6{0YWst3hFntMkz+TnH@9C}_MnJc^N
zxQT%tL3b6fa=r7<&7FE`{lZ1{ukz<(wL?Br^Th~W$AXo_cGrbe+!#Of^6Xs|YT;H>
z7T0|+ou2A^mu%*cqF?0tWS@igfi35PB!xev$}GO}Stp->t(;t`G0;ZjMnL1I<%?cV
zGVrY!IN|NH`paiz0%ghT<71nqC~WBS-B-(shOH-u;;*424;=PgWpT^#uI8nva~EgV
z&;43ZzEP=UPqbXWyGITNHoI(CKf_>|>x??PAuAm(72Mx`H~G>z+koR2qNb!7#mkvE
zs@7mg&z=}~8?U!An-z4`E_=icz=~zU3Vr?aEo+m?&Y^0fW{}nm#094)em?j3ar74l
zsi3beyJp5>e4qJxYT3)xNs&J_K04*}RK{5oQ{i7Dsc>gwcx0eUO=YcF{)I-57jMnO
z7O$`KYA#=5Ia3Y45!(h~))E8Vg{COpx^r}OiEvi#v?}p$iFumZk_mDzt!7KTDSkY*
zmn!iQszEEEeAVht+apfYrKT*H>^A#D)w0=nVS_|cDi<tGiYN>$&#9WeBdN&e_?00u
zpA^T`n3a4=9Iv=|b#vXiw~Irp(oT@{Z^(JQxp&FnZR5akk`7ceY^_hq`A|o<{pug9
zRu~S3kR#I|C#5j4X+w2m#@^>|Eb97N)b`D5no{R)`qh$p!dxanXuNyqg*UH)XL@J)
zTCFonwck@W#By4{+4(as#f{aLmM7b6eX@AvAVc9VecZDzCZt^oT4esAym>>q*-P@N
zw_+)wm2)PmSrweV-+S)xdV<6-wU`ZGmWU@gst!3eBNUZ@KE7vU@KvkGAdAe1bb%!E
zpiK?Y_g7bHjT@#-ow6ZqJwa)HB=!Cr5A-5~0kznb(x+7CX>Tc8{MjR?LCkrjvBj3E
zlDAJzInDN2kmD$y(IAeOJQfi=aK{&SOKYF0pZ9H0_-GI+0bH!_XX0ayG@Oq55K!{$
zWvZU+gvL0V8q*j`(Z-<$cPc3tB^8bl#%~Tv5#BZ&eYrW&Aae<I<BZ;4H%i{k7NZ7C
z`*yvo==q{Vxp@kG<&E{FbocBnJ(G|(At2)O1yz^Hp-EBZUtNMrHKOxOijTWBA9#wL
zNh;WMUpyg=RQe3R>E5wJ&t1wV#~yk~w7>{Qp3Wo9=pUh;bRkqkZ|Rx)?-Cr8yxjsr
zF+(>TNLYB9XqW7`E<RrB;EiiCzV%6Y{l~5N<agp_O`v&XpjorHUyAUei(j9J`!5>M
zOZfF#U<`jezp~+}PiFaj^P$lx){*JAQjXrmH%3JJi)nk^*%1*R`q8FT*D~##by#3@
z#JK6p3gY_qvD02%*|aSPGrKBIa9BXYeY-Qp%M+tlSbq8%ThpfmH|g<M|2N|rG9+=K
z8|^CgTTxG3a9oxefw>p|MtGEgh{Y~_5c|=*a8ZnDM?XiP<f|kkNgfs-)$f40!4Sis
zbygoHuV@xbO?Ld6A+buf{>uj9chA_yOF5H7lI*8O0JqBRxW;ymdl5?tf}=Kw8^lMs
zPF^js<NmlWpDr2itBUpzzbig(b=(G5gA*Im&4y6r{c}FKJa_H)4!Bg+GBFcUDv9=y
zWZNMj#_sZugC3xoQvCzt7vK|QwgugY-n1-c<X%_BaYhDFF=KS9ULBcMy0X>;tLs=T
zn=9{c>GG+O5-`EqH*$&>e)!n+@sigXf>47aYO0zQhU&cv)kygG-#*8U$0c7qj=kw{
z>Uk+{{gIJzM-fweRc^t?5!pr(PYR;1Wk+bQ_;$@_)r|WimWW9;mv4_M3lND=ud+BN
zxw>zKk3qcr<twqTNW@ixa<46Z^XYBhYfh{89w>bjeNETENiJws{0B7~H;Wx*i(>W{
zrOO9RGsBS{<w@Q3iH%&9k@=8xEI;p3o~nD4nYT#5h0jLfO6I{*>bc>u$7J&Dlbc?q
zD!uWEIloUws*GYEIl1nOZ1vYsS}SabpPpHoWjJM@no}=V=oOz=C%4MHvg#Nx?~mPk
zWe*}bLqMoxR|Vc6VwqFog#mAT!(Ac+PVYF<xUJA<AfEcsASzL*@qB}URB-xa+prX%
z21<!Gk*1ILODC8tDVb26z3KDaOO4MaEXT-+1D#XUXJOh++q{eNi$e<go_}tr<Y-s=
zK-KX3r~~sB{P#e<Z2QW_a5E6CqJ?xqh={w@SdMsA1W&7==<UV_j`UMf8o5mOX{4l0
zW!-bZgpyrL?2f-Vaz{yGN{ZoSY=G?Wy69AothZvzvvT4Jt_N9~=l70YZ!;{tO7cY3
z;SmoF4Gg~2`m7u9blHuqsrKs|wtgzfs>=IdQ95$p`q^W*Bz~HoBD=rQa>(A2`~;by
zS0ckIZ;YQm<HVle;R(T;N=(HQB&wz4XIwiLby56gmHUaje%LC57spi#jDuyd7Ya15
zjNFv#T9Eq&Rkw6ylj^xC5?{l%p)7lciX&QO(jhg~WVc+)qgQ}CSH5z>a?{CctkO*5
zH1!Pf8&{3roE&}b`LQq$@@gBYl0!$LwvU-%p^qAr_3hZ^!K*zIF_MI5!OGcvtBj9+
zir*dh@>J>iqu1`L<Y_%9p0L(@sO-Vmv^hpwH<uiawp=kS@^R4vmzb2PzWJxn-UkD-
z_P?DemDX$a<bGD`TvGa`N`0=Sq}$CgQ<iTmRZ8o7BU&{lWqP7XP~7DIB<qHHuNoYY
zCH3jV{wCKEF@e^Y&E}C+W?#jZkzEgq)lw`($l4&7;e`Y<KAub&Fh|Sk!-4QmsXNx>
zyCh+5#LIoOn!E-C033#|`Top8OGewR@=Nlrb%_|8if#6xhY!o^T8AwUI6WS}-ydkA
z0TU}+$Htgie^{4Dd~n?ZU)jI^&2KX9vmPGPFeVG5NE2>I+6pqW3tGTr9$vGdsU|zy
z^IcHxk`I%6SE=Z_R7^HV3i{SCL?dSL5W_RBn~pD-yy!_iux%F^g(V1&Up;u+m@(<7
zWCPc5pXjHl)8<+ZStK81R9TXq(4^_RF=4^v_@Y3WV^J&9-zQ)5H?W?wWRRQFJ?C(*
za*HWniqcQM9dGJ&Vf$6PVZ|r<kPPO|nN|04y^NRFyA$T(O|^ZRi`UyfdU&Nw(sAXB
zlJ~Df`X??%#RYFN-_V%qGcqIm{6*1+{lpBL70WiRjPVY*O4h%yPvbrCL^S@FK6hb7
z3RNQNzHMWz(=d_5J%_QCUmPBwFKjqiFl@j#lgpBgFOB=B+&S?5w&A^dD;DO894ikE
zsgxAVdi80sO+lQ}jOlu){+5(OGbN{KEEpCkQk6O^P9f3?ao^_YzqNRgaN>E{@W=q&
z0jtF(Sxu0eqE|TkW#cK=9S_U5CCBC|8yr}FK(cV7jH$TE@s}f9k66_n30e^Bc*ib(
zy#2+3W04KdR^%0i4w`ZzZC8_~#u$TJm5Jw0VhYRmovb}uR{p#=bH-&G?{E<FQ(O@U
zvWHYm08M}N*VZkt*!ksLywJHZf}%OoKnNe_XIq;7X|$n1*qX<{_d<ErR~MJ5%r;ut
z{4TSme`#`KLro1P>!HoaxprE?2SyLue8_#O-sy3=)_IS_b~pPB*OscB9vOsDNpK&g
zl(TG*US4j==R|bnIr|X_*MrB_R3h&1b`R6}dnHpzz*MdexFbA{5$HD>i(n?eJ6E$@
zJl8gV1l3+h!76R5l}uQa)7Jw@_5uyl-R5SESw!47{J7D$n5OfMl?ele7*6w9Fl6hD
zlsN%&A6Z`ADT7@ZB&*;*MaFo#OLOn&>i2~8&330|DBlVmCnw%iG~rF7T=Yqd$LV6{
zK2wdukM=8CB4W6@Pju!=YC`U%ozLHHm2nLfoObq&;!f{#|Lvu0Ew{g8BeLU0?E1m|
zhsO9CU9=v#)Zk;h(fjwA2kSCdKDV%|^ogl2Sm!@{Y+N|1j+&b&X+QE~mQa7v*8B73
zzBd(#pj3^&bGhJwzR$t_NXj5#7l^HueV<jZ@!8{pDuH1ZuL<tY^X-xjjukhk%xkz`
z`t@ANB{@@r>+(@o_C41u@i(Cy&+YTzWpr}vU8RFF_bwveyjSan8kAlVY8s!Xe|P)0
zfgV{&eP+0i+PNnFuGXq=1-9#!rj{*>v3nR5g?S&BWB5T>MM?fjV4kfgPITLP?W)Ao
z{^i&EUb9gk%iCX#1m;RzD&~t^Kz80N>1Sfw((`4vnY^r?slK&Y?9Ryids<0fiX*e8
z<ZI+uZ%v$$o^5VYb^giAyt=qm%POlce|=)PZV_;GaN$VwPAjpd?>E0WQmgBT@h&Sy
z4?CK-NL&55oWn_sf=^|^P51Ry`Ny#ML~{wz>@D_@&Bg(v#Bp^46J4yd6N(!AE&ABG
z3p_A%9=2USd+w4#ztju9y4Iz)#Yarp`DKITV$Z7nB^S$s?d5l*nC!jrkpRFmqd7N@
z2_6grp62Kr{jpn$P0xtU3H4U@T@@#>s(Jon^JKSu$8-DE?c8zgZ57sZK!p6IKL5S+
zzf^Gb8o{?PIoGLB@NAGo#IUumZUf46p0@AaJ`gu33ZI_PuUDuXrV+D_u%hl@)RMY2
zRgW$EJ7ur1+4^j&VutJJzG4H#>yC>pdZcu%G<ec}v1$A5GsK6)2v~nQ8MI)|q9><i
z90ER=5wHQG#}?ZrUCX~NcG&C0Oeb5J^Fk|Q68am;7TM&@zJKkr#4>Z6sh`zF9N%mW
z%{KW2YXPQA&QW&R7+Eyz)L~+;#e1gyhq}Ad*eXeLPOaU0Ez5va;x6M|rw+?3^NAU}
z1JKO_(;^>>$%580@nw@Do%14{#>~SeR>@N39Zmrq5`J4TbLyw^yL%>E9Fj{E+qQnt
zvF8ot<w4<&8g<P=c~Z$FtyNCukIrR`%U&OTqfWEzLF0;i`}({4(N{$3<i)-WQ%I;8
zbd5$Y{(xR&YALdE_xl2R!PDp^DI#*uCD+P=_(3C&nc$}_w36B<oAJ;l?S-*aLE5-w
z@iBYJQoaFS-d`Ew@OoK%k!(bx)4H#Ir%FW2)SqD_#!Xpk6_ym(JnZqCK6ax;&`Ymw
zz8vW_OCRNRYKQSXAD?yzX8*el&+W+Dz2c3=g_pmKUN}LoQDvc*dq8qF2$FfkCIzoF
zb5OWA#ouVa$)I&+`K5ISC10-8HqhxaK49HYz2oDhjxC5>ta00V=Zt`+dWC_L&iW=v
z2AZW`Ft?Qo+_o-io6wch?vEwDC8m0d8<gj5E%dDuINr}(Y1I_9S7LLgzKBYkKds{E
z<>L4tJqgLxiYLY{KwW+qIW%tYRzEp|xb?mB%qk|^EcW{^`>YQL1Y?ThU-sE{a)$6i
zrKvXBa#Jp6eEw=1ZkCvK``f(elXW9A_wD}VBk}ds2g4X4yRtjqYi%AioUW8VZY8+z
zgWtoTl!CIs1}d%=o1+@j{U+|;=wKH6?T+p0Sh?ei&1!?{2TE+&X&gQFP|fAs<Pzy<
zIk92x0_Gb9XKq?nyD4{z)%uM=5}FOAtH0|xggYf|m>om1{t&igU7c!a<(PrD6*ZFk
zjrdH>YMhsUz^(D?AuYcYr&yU)jhg$d7oHAEj&xKTQ+(X=n%RurQnhpUf3X{(G+(>U
zvgpLjN!By_^>F}!#n{cGRvTu0AGPgetnr<xck)6H8%cq1-(C?A?#s(8*_P-+64`sr
z-~fndH8oZxJAU4Mf#Mo?a>3BVnQw~cN@cHeNv>S6D?&H0bo7LSd;J|s-+moBpmBcG
zHc9`7wPAPns9kjt6p0v@Q0~9_^^ORObj;zJvGU9G^OJ%Et<8=pjyC%MLXhXs6~%T=
zLnH!LhXkz38t3=yR;<AtsV|?VM}rh0EgLOejHDgkM&>-6+$Uze(Oc`nBrAi#bDk(D
z9*=!`8VT1uUY_|fXv*G|Ywic`Gap*<!Z`m}sBcbxH>W+9s&vis)5L^FrkHtI+PIX;
z$$A!iu-rA<cI>Qp$?FYb?rEaZ`8x52p&7*kPU)5bYx9GJLRHH1u|t}TMN&T4y1jc+
zjj9PdS#!lWcW8vJtyDlj))`szWxKcK_I)tonaSj!(*@-llm+ERJH~&}d%Nj?V;)EX
zP4Yah^)YAs!}ER=mxMChU4t1-x)#-g7E6UXSTr>Q|9zg>na1;$%d*Wum4wxbRXZLp
z0KwL*+Ov?*U;EqU-I}&yvCGNITE_!Pl}&>W*BCd>k8v89rs<nrXib^CW$RXD`!`Md
zB3{+atBEYHT9LJATI1kEj1?}JXyzESzAh|1?VP6E@TwKtFjY5a6dyyoKH2knD9Ely
zEI295OioMZkcWUGgLBd#i=^c-KMd3e4D<gWwDNjyg~rJ;>vzo)T;8<hi{^obUe+KV
zd~@8Ile<Pa;%<r=+?S8CHgI_`rNmk)vo7FSEc)B)-3v}wC4{D^RzKOc!Ed~JlJjAh
zIX=1>q`-p?ZHNcx`hp}2BOUfk8H$U(cgx1XAmmeJ;q5{8g!=)n4KBz{Se=&s{(rTU
zk2M3Pt``tmHdg=}bNXv)Nz>6eyPw#dtqa9o*;q`74c}Y%!e!N>J5mRH(7nNVbf9bi
zK(TnEIu9Tx3Y1{XoR&&X(g{)6WIrPb#M8sGP9PEVs)r{Q&gdJFV)pPdc<Ylh=b$7(
zLLA}3>Kw|0BRlMet9u;UK6d7_2*0usK3WD%^>5va9DLG21Qeq_Dn-MzZ2MIIP&BhZ
zz#Di`ga+w)S`h#!5a@5Qd&;;R%!qM=bfkSidY@8G?mMuT@T>`IPKpg3UI@6)>Dlv%
zEk!~%kpcy+$R$HT9YP<$sh@3nE!#42DDKsZc}k)=VxYocs^9KYV2%o<*PJvTbUaOD
zEfLA-oL)U*G>mmuOaPadpN&-mRTw)#k;Blnp?0HnPtWsQ)OYQu|A8`xQ?(<IdXXUT
zkaF`ZLHb@$XutZ|(XiNKjm}45>70pqlWc`Ro!44$1*<joQFDZfeKj5o5K5V~=8NXs
zXSk_g_S8Tsz%o$YT~GQkxI)TXM?;YI1~&)3nuZiBJs{bFVx?IV0Gwtm!CTJ`QTX4e
zeY(;&koQo%awCX#t(O7sq5uCvL9K!SNdI~CV}>ng>A#z`A`;-$4wFU|-6<1EyRvR|
zpTiqn1$8k(6OMy%yg=~^MIRZ^733cK`v`-l3I&xCmP-pj)d1sp3MZ|RUKnuw6EIOh
zMjjY&8ohd6&4<Z#;CERDf*DbZyFXDV#RNog9)H7AnKH8*$jr3njfLRV&H}KQEoANN
zB~+|@Y552t@;opjH*#IxfbZl0lOI8uiGaclP&@P7o6EooG1jgB^kBgmP!oX(zj_MP
zj>L(q?IXG99_G=K-qWA2>Amd!>c!LWt8%x-j+i7QKYPuWbL6Q6a5p&<*8)L%408P;
zcQ2vkK~;#nkOT;SJ_c6WTi}KtH*Qkx&-6T{MZ<OE`xN);-S-hFd3gKnE~t1+t6d<Q
zJhR;ENzBSI%?cNX`He&Qe{!t?iLbhMPp2#CC*9OI5LvZq40`7G;Mpb~M$=6C0BNy2
zD>5F`C5;rjSL@O6?&;I)w3TOuYx#N>66X&H)TmB;;XbEGWD*LOBPylp8d8yE#8Po+
z)OW3A{}kgbTTbrUCM7&YIz$4LW_<ANpUW(>F=Uq67&%qutClPpRGL3gXqmy9h9xI*
z9w<QsipE6>tefi74_I0Qz}($<<*adoQTKF5%I@PtCot%7UFq$YjYqmCZLD$qpJ2Mo
z#T6&5UsnKK#F#;bYSx^DsAhG6LrjIRov9E)46(A?F*a9xfKsp@`dr&~%EwP25=oOs
z0iX-d^#f9N2+@QQQUV+wBKqVm!?1)GnJ3+I)l&T~TOS)Eq$m1Zd$^#ORf}@CBV=SZ
zO2sn+6!9$62W3CLXRm0&5~^o8%n~Ysxb=NkirUKAVWM%vdOZtFmsyYvA4cc!DxfBx
zj0S*J1T|1&gTr2og4Jjw9IQrLtJ;4GA?@7A3(+RR1wjHem+W`OI>N`1UL$>58;JDl
zLx@N}5%AmrE2z{{UNfXgXXJ*^_9sOr<i9cC<&x(k&)^}@v!`S_DB(IG{C-U0Fuz8S
z7-P%^c!#~gJItk(^bHayhYH$nJX1j*HM5-)eYf!aXm`EC)<V8R9tLSO!_p$8MsZ$g
z@9gIKux5}Jeh8|X<^}J*q<eTWU}aMOtoKEiHMOP`;=b*;KE*A){9v(`os{K>SCchK
z0<i;kEdm+~7fOG}hYFiEE&p#fn4>l!#o9aJ({1K1j+dXa_&o_!J~@2>^#B>)SATxd
zFKk9Yh62cQV!nT^o&EAW$bmk-KUc}!;@CXG`wT^gj7L?;*&Z{$f2AC)j~}>JYpBu3
z^E+i{Ui|X?{LQc7F_{NXSt3=6=^_ti0J-uOq~oom=6}_jbV3Abbl<h1l412XQ*JA|
zfh_0}-4N~SlUInZb9RD41f1LB)9y!~JzTuPeNxW+{U|^VVw&>$&y$g&y7HtowcnRJ
zf7?;MDtaFgXw;mIV@LD>)U3@IuTIP8w&><a@Zg^hJQxq>Mbvd0P}ffDWxi$YT1R}8
zv?XNF+#r8Hq&P?G*(Qo=?w!(nU$g092x(T>81@0Ge}|4GHpWtHYPy-@hq}3iBBu*Y
zrLMWpPPZ%i{`plf#wB;uKD*-vTO~q!8_gBX8Ml`FEKu|6)ez`AuhB^qQl63n0z4Pq
zt(~7AKPB;`Ua!i1j;jdvpOLDm>Zq-X<m8!+Z=&mS#s{BWjpPfxYMwnsa*mI^AG;4I
zs;er>OQ(Qr;=|>pr56I+@2VB04IOWIwkU92wQj%Bxairzr%4yST+i@+yKMT~wB6yJ
zmqm_@)>?8=U?K6;wQ7*8ms_ObU2U8B;kuMV(961q3-jtr+?1v_JfY078+A~ASgkQ4
zXj)@8AO%A1Hj9>T0M#7}Ct}IKMoycvdt&jK(p6PuYN4Rk=F#2TO>fUcI{3cWko4~A
zmj691jaczcQwmfnWC57GYXBASkMAAPKjCy^$Ih~M2UJ`#R$(3!Rgfwd_kuXHiI1mI
z-z@3fZ*Uq&0vK+*@pUvPo_)PvXOG|b8~cX?(+AWRnynwE-LEQhUVI8t7Ez<sZ;bDf
z7aF4jzGuAJF?~@TxR=ME#?IobWoasKlnO4__&oL6S8+~b-j=1Qqy>5R{k=VklERyE
zi%g4`-x&Rra^ATA0&M@lkZGc>V#wr}REBJ2PL6=kNZAlOUF)qciWaXp;Sf+)cq}qt
zr%r<EW&Mo<Po?HgyRDsAdBn;fD*o2z53innA2Q?fVZdsSn-i5%W5x`u%NRq<(h(KM
z$v&I`DvRoGD`jh})yW<*QZ>#j_H+MhE~1sXc0=ySS6aOM2%;ZltM+-`9+7e+-yFRO
z0r8CrtY*J*mAfazu;~J^Dff-147-29ZGPyI<5B0Rb%i!Q<;&c3J<mM#rX;&XJS>gy
zubkY_bawfx#M!}Pj+DOxwU0NqT(}SyjNfZ_eX;M0J`MLlmS@rDL&9@+ewjXXa;5IY
zCx+)1XZa7iK)EDDBdkiX%`%B!n`>5|0hJ-?y6ZQMB5!t}+*M1;1pxK%dFB@jLcw=-
zVD66gd%bgmw?}rf_hYAEZN1EiL3c0Y%YpFqf~x6}{nrs)&zPcT3*GV?QYJh^zeVq<
zjRSA9{(wuwDNt5-83Y2QEG*-do@RJa)>VOUb&brz=D;Umqzi<%kI(oNemWVSV<B=*
zjB0gjD9+2lA~$4^;+s4W6xqAbLvzwJt)}W!#a(kN4(-scx6K44l0$KBAM1}iP#p@G
zatvw13$1`g>b~VVwFjaWsz38}3e#S3dbIzWBi<mv^4%aL)HL%_U#YX(Re|@K)eOpL
z=I<}80`-vg<7BL*mZ+A`y%*}5P<#H$ou|6G^?NMlPo7mSZ)`o{e`zoN+p2Woq=BS^
zs_Lw=ntO3^!pvn7+eN|q6Y5j^VE**G_>K2{CTWjtGP3oG6}EH_nj)JcKYn+VYe2r&
zamkojr;5+400Oi>Vnt|@ZE?&<dEpeZ^SV#9#N^7g_iN0jqz~Vxk$`G(@%ETVr>?7x
zT>XuZkeCv*RXQBweo!I3!2Dgg^$Gi8P}=G7zlrla?~U<&-YX1DRMjl}XM=z(DF7W|
z36jocj&<^W8;PE}-@!zl{?^<yz1PE7d+XIfL501i3{Amj_dAQ4By?GLgQl)oA$H@7
z#OmJDYtE;FD#GQ8gH9=d;6+wCu{h<Zbb{tW%9+SBO`j@Wm7E2Uo~msww-wG%ccy^i
zhmCVJM>)S6+&=|WDx_?Xu#dZU%<(8v^W_c-83*0n@nyQIyu6-(?%oyB7{SD<>l+X5
zke??VbW%(l=jdM{`xulw4tV&cX?MhGEAe3o<+qpWTF-tZG#(p$bn@WA(}V7Q%NV~y
z<1*ePU!@7Ko}=r0spCqS)yh6;2EZ9~D8U<i78|$lh1B*kWrM?q8kQUrKn-VF9U(e`
z2ZrIU*;lOfia6~3`5lN-Den3d7rjIN>$~P7n{vZEGHxyosIzJU#cBNsYj#h_iJ;_a
zdN)?YN{%@c*kB$zKYY<urO8|W_j&M@qgO?R$BR$A{zzO(Y-8;;NyqA|kEA@#UK*_N
ze9g3IhZS$r9dK7czOiy~!{n`A6VGDu;*73p0|oH3Ox)dEL?Zmb3CbDS0^^h0Wpd>E
z+YAV}6qQOG<{+kK;%FLz|2F@_pzRf>M1@sISC<NhBUYf1+*-NI#`^0LBR15{OMDr*
z6R7r+*eg#|VwFJlA^9!fN4y!(Z#9Q4Z@qku9#%I(@7BwdMOO_*Oft<~fqG>$d<>J}
z;xyOJ8<0|SzIF#v%<NxZO+W|&DCSI+Ug;;3<IJ_s&Y{-DhlvNoq?s7wSAy!>%xpFB
zaaGaBE2ryQKRaQ0Yw4CDV&jar2s&g?(OYhTBIngJu{!GzTPB!t*>jAR@5#9{7cJYl
zVCYbJU0v(=P0clpVM692F)>Lq%l11}17ktqP_M<tAqo+h%{4JH9?f3}X3_fV)=jPT
z(P|izr5dX9c4@yWcce^4k1j&8oJK0h<C}&QnyHtZPZ%g2q+D2gV#hYq55=?Bts{oy
zdt|<KMrt{4UzfP%Tsr5J^mIzuyoFwcR!`Bx<b&Q6=8FTz-vK+yA2`!Q_2t-&B717b
z+(8ZA*q3Q!i|I-~SeGbVMbwK~<`0T@o{U)UuaouP-i4!9hC9TG?=fyj5Vp`3I6f~z
zt2lhp!l^k)=@0Gefh<Xkirs9VK4Oz}RrHGB8I7))uXoMuk9qUL!sT`)c9<?^XwBqp
zMsmGCY;pO#;knZ$S;v>n*ZMF^3cYmJC6t1waZZ8WLNKwp^$-10#ij*TR2PIuj8-dc
zO2wy(=0AG!woma(|7E1-7uPC^HDrHpPCk+OF5}2JP;CG-&!f2g7J}Ha?T4bUj}Qxe
z6#X@w7*bl9ko<0kkL$DZe&KtrU8}pXZG_Xbg!DsV;PtFJCEWxnh)Z@%fA{9wlT07d
znHTf_1H6#t_0TRhS7o^-hCE0pWga3xd;L(D76B3xJRpfn&iFrR-yM!+|NosUva?4?
zU1W=t6~bk2*;^5jl@*d?BtoRj>}2mflPDt@W$y~vqq53;-lwSV?|Giz?>L_0`KRN!
z@4NfD&g(PZ@7Fr#I7GI;za916_E@f+?sz`?>1BXf!Av%&Kzl*Ue1?wSTC4ty*j-Mx
zmi(folL9VtTKn~4aSLO9{*$`|XIti8s59C}kQ;sU0;TxK@4&lvqS!7&DOr<#`u;Cd
z=nH8qTV%16MvV|(!Rd;Cuer)Nt$NAs`gA6UfZcLLeD?>52v8{}smymQV#nv}5P`X4
zBb6Pf!-}qm{eG8#LkGuDA_M0IH$)V<&KB3u%2}|$$g^tyNrr})7;Zo0AoAwj@2s%!
z_$1*F>WV=RBcd0hCws3oPch^WH*boiri6TG6)tNa;FMlhr;PKQX!OnXit7IiLR-aX
z&sLf`{3~_3f|BK~Czu$ercrp<c(AarO}g=U%=i)*xDFb)VrBG-Z*CXe?-pIIE}QzX
z^ShiJI)s}XijGyQT}mQ8D}9FcE(Nou+E0z(6nP=?U>$yEd0zQY>*m_LB?YVMZIWUR
zkSZaPf&}-e=iIejprR(Y?hq5lQJGw@IYggp+<?f;McmZQL;$cPB>5oS;{QT1;T1WY
zQ&W*D%+2&sB?8ZGzV40BPP%sg_l>Roy4`QeR_7#jT(;MOqCRftI$K6I>7fd`h-}V=
zD#lcau(f2{+m-7(y=NZPFIB`XU^A+vPUG>Cdm%IWiULo>elme#0-&0oN`KDp0MPm7
z8CJNGm2cik39%4Pk*nK+V?B~UuQQL_rtE~i%;(;wP<q2V{>SGZvI%Sn1moz}>0j}x
zTj>x<uzNi-a5~LgCo3OK=lZVa0j3xkN98`e!ef8iX!9qSDIEQ(+$%|9>u-*dTr$-n
zNvluki4JP{Io%~++FMnmXp@_%pL9||atTVx3F<9v%B*aysJ8(mZsYYUo#M+^&x`GS
z&#M?Ke(kwcJu`w>6B4lK$|=v!cmcy+4hLzRhTLzbj}o|5Y}}$uXIuQ4m1-~VFT#R=
zZ@KPDmh~JzC1jinG-&7DWKuZ3Ib;d-J{gCyrQ#^b<&W))^(m_j!g77*`TU>PJg{t?
zdu32pnc><SAjW!6$G4F3dEMJ*DW|a?<LTc*A-n3JR?w#(ec9ef9GQ&Hu^dGxkI?lW
z{R*_A6OVZrf3rhb^%btc&IwRr7i_IS#cBx>{uf(=XPmzlNQH$=p5&PJ!w4<c$0wV{
z{Oi&!u$=(Aly&Qf7g~zfmucasO*;?$SrIjt!GMMmm-d}S7!g6PF&j(Ah@XR&NmY+H
z6S})2QUX*4*FMResd9F{w`#9BG-&{GD2(0<9+Gp}LQOpJ{7>3r`9DzWne3Msqw$*+
zbvx}Aor#NAHMQnL1jlGwmD}?SE<>S^W{AnP54F3wwC<bx+52VnkaWpZtPQompx?#x
zr;2T#5spHiiPU1OWxVnP1zb)(h1e;0oROsFH~Qgbn|o9UX2QoVi$nam@1J(mu7yw&
z76W$W`nAe%HaxOS8dV}7^BEv0979rbshWpDLX4z0##+dz{r_Q6){0<Ulid!QA=o0_
z0_>}w%-4)BJRcpVun*<*@x;3vca0OU8>t$YXnt~Dx@6P2f&2BZ>ong^>atUtE3JLl
zrjHh!VSR$#&_?Gz*${(t1$UtThy+Suh^-$~|B_RrH+a?8Grm}S^S?|9hpTE4I;TI9
zY!0zne769gq88;-hg5WUa(@rfBR+HB;L79vESxw0LT8%EpFKg?#p&sFO2F1GLfKzH
z)ZAo%|5iWPVkkbP=Z(S0Ft`znd-kBPH=>jtq0?x<D{lK7;+|M1m3$95{(l-yD<Yph
z%StMvryg`IZBzR>pVc$F!un&xr~&6r(M34x9b71%W~(^Ap4rlG4y88^GKn;H9c)|z
zkAxcL<-h`6&kym|`zgy0$i1`?$CcbEN59eA-6{|7yF@L3>Bzid>~4++v4lW`Qf34%
z>f0+^Xa7fE|Kbro1Bg~FH2ye1b_S%#xjknpv<HOa(yOKB(;jURr~+X5`l_5QMZQI7
z#>>-Lev(Y;*c^jzumh8*qpQj_Qg3fZ|8s&^$XaN^1N0-Sv>nvhyf^f%MyvUo*ZExE
zes{x*iHsCD<$x@74H=VsmKrVn$3@6L5lKYFL8Z`w<5MVU%59?M80L`AXcX&@kwxrt
zJw-%>fOyjSC<ez-@#gyY1Hg64Xyz!&5zsbT8mrBJ;Ne&JA^w&!Dxm3V-0#8M|2u#x
zQ@|cn3M!Ht?<lSyKAGWEfl6BN&ylW)#-tVTf`JYm2p$a`rUjUp!Wxk)0*EsMlpy2S
zH>}q#6kg17S`L7D4*BG%6<M5Sjgs`3Eo=Y8PzF+51VU4{)7eRn5OSVEw+P^%`z=B-
zJsT!dM|jZxJ{bd_jDMSe1wJ_v0T{nMkFq8^L<liG?h^nc6u}YOd5nnGgtOq4Q<NId
z{(~{&!w3gjmrSjvN61j?V@s5?AE^>>#!h*S%Zuxcb;ybw@xeyihRK>d00n1W_Q@pN
zjjTYQ;c5^%bKfF@G?U4vaHVNsu*41^8P`62OZ|#lqYI#SFGxL63g8F^U4-4mmYe!%
z>fP88+G9Q!0SG&H^knqm$Q<$Epn$D#(IghGl4la=1z)d=xhe%z4ypyqg{J^ag#)4z
z3|9-O;i|<@U9~(Hy1#t~oE=Je%IW)vViCFgKK5zm!jT}6+zL3E&Iz9OLuuR*_(pU~
z6jq25EUHy9ypk_Tuhp45uU}$CI1-;!ikmmb?m*SDSUC||f|y`R3op4X84ZKG<jakl
z7Y?-mi%{Y#Zx$Akz<gpFk+liP9F;RIu>=|mzLDh(e$0W42Btd*zR^hueqj~bTaETV
z0Mdw9!F1*4*Aa9B(DaW9_`jx;yr}&Vq3Ljb%~C8gHsa;=#yt2lWEQui5J%{8{Q*q;
zXDLy^gzNucnt(4l$poL@NsKxK57C$GmBHzlK;{7mP$k2$hkE!Wc?M<0S(+KbPoofZ
z82bFdY`hw|@|gDwJo?nz&c}Z}y0^ijs}fyTNR1+83qK-h`uq#y)nn6--edyZ6EhV8
z#91H9l|<XO{=_BF500j>aBCY>+_FOuD>iGmPwKc{eQ$8t<+tfuIA8EvxW0}b#Nh^|
zH%++=%Wv;dg92X7Qv=o!LO=bF=%&vmY(ghD7{fqxa@vM__Dy_AQ>w4WV*Q;DJgN@g
z>v4x+Jzp;X7unbNfz77=ayvsqi|02aiM`;`6MzO_!ya(ahhDp7Y9ZJh3V2bMz#I6%
z01o_IIEt38LB+CQ@3m#vGnI+>1<-tdP-~%5sZ2Z{N&wGeP^_kmhiy|8!tRMg^P1pI
zB13cee!$_Qe3=e`R=0)w)ptocUW><2N#A3U;MXfHWV^8b@`;#}dVVCE_|B>({fj=r
z3Ua%;ttF9-Wq=&=R#y72dD(&0^M&W$&IS&JdB5;{t{J_EYbltKKKDV#vcbE*AeawE
zEAl&)9R|&gthh#s0r2e|Y@=OpXh+q6Q@I5P%dg?i2+`q+NCuHTtgc1Gtf~G|wraJ}
zK#eGo*#qotg9@w(TF%&j;s#S#Fq6)E4T@TIF?m3_oY0cfm8Ho#Y@L&53*N?Z0BTaM
zOFFgVKEZ;S%RN{@dI^e_q?s3i9?(9fyt2PGku8u+1nct#W&%XaXiscXf{7m|4havR
z&8ZNp?({)zUE>>weIZx_1gq`|JUJ^y;=8}hqQx#{A#KQQ_80^U@R)omXWJUV-q8bI
zA-#gDwYC6umoP`^fxyO$2F_HT101(uBvc5HJFHsVD<X@0bON?|;X_}q9}W#{`&L-h
zd8d>NfGs6gPIg-!6S%uNgKZc?+<m)g9Nd#Cuh@~tZy>#Cdp01&9Gq-An&t~ga}#@c
zF7qYQtrB<NW1N!@^IRxuUV!ST46LaGgFV1OcMmXkX&{h3pERa{V1Kf-P^}$5dNi-d
z)IQ$)J1menzzAF>b0HtlI!wXd*bR-;hHZTYHhJbJqAu7l-33GtPeQ=#{*6ndnJhj{
z*n=jYCz?W>r`yDSyrWo${y-lPjvOlk?V(-h4HiJfQDIY1+m|N1^zp@m;g(`>?dhh8
zp9G+->k7s<*DrEuv?jxX2S7@Ng!U|-;1{HL5^w5o$;_qRq!1jgY0^hX6o_*2EL7Q<
zTs~}syCDX`{cU(!Y=K!R@pLZOR4{z!NZBmM?f|Ge`aBP;B?|n$0Jy$ET38QQwRQpY
zu7#ZWl?^(EcG_a*8jISG12Et4Q!nh;10(io`X(8w>?|;1t_!m#{#=GISUt#k^*FkJ
zTRTy2J7c9cJn(aV=+kuy+X;hS-oH?cH^04*3J|vE%yR^PuJadne>~uvng1|l0c*Hx
z=&)m`SGe6@m~H>c2JC?<TbXifBJ_zTZ`tzoGP)JuY?L~SiyCBj^XiA!>utc}?P?aw
zOOTsHHss`uovn?|(C`!Z*yxW;2g@lu{#_%fJT0tid}q9=zxNc@H>o%gxBO@J>Dh%2
z(Hw53=dj5ofayIg_~svl_A5!yYjc(rDc2Seh!YC+dI4}Mo~w#Qi2oZ0SJj8xBtWG<
zMYeGl7cFv2B6R|ALFksL?PDgtNLvUIxZnrh;m(05gX%G`J*Ojp4N`m~+cXc1?D|fE
z2m{%Q{xdAmUr%!TV6NkTKdqc=!$Wj1-k=<S=!Jddz)xue$bUtAcs_W$PZW&B^O*X&
z%=fj2BH#sp^d*zG5K24ZfY#)G%Ws78c}EWCp<cfU?cv%Hf@F(0vuWPjc$0w$k9UXe
zu<8J6$I4#uaV?m27m(@$<b#)#xGfRYf%L&3OIN7TqXJppc<_8$s=su&SDlc0JtNd|
zfV72fe*iB1#{hJVA@^h+SosBRja-`l^inR$DDiVq8?c=}MefO76+7S@?~yn%Lu3W;
zxPPJ=4jDICaQo%qJ`ltEUp^R4NAc0$MXX8piizok`TqZ(b+fh#Jg0+jr(5e@^K^+a
z>Oc}59vz&Vk8ZsX#wJ&RCrlZA;COgMOh&*~RHg4MWC#=7Z%-WmgVtR0aE1Va5{fIA
zKlziKNo0;jic2)(!G)D#n0eesngS;1=7!0szZ1mljUJY6?gZ!gs*D@BO>bRSntinm
z^ayW~#`%P^Z{}X@*XdU*AFe<Ki!GqE6`%*;Iqg6-_fV)x5^cqzgVKL4$U&^~`9hqa
z{n9(VG_G`5s=p65;q=CFvq^m>n8e_#H<S;5M`{B64s4QLDE$QheK&-Rgi*=b*74x;
zw~$%{x(H55rB6B8NomnnhoBr9=jOhll&OPIlp+1+mI_{TR^Ohz4oL#lJ1{RHf{Mg=
zJz>ZKd((-sY`5exC@rjAANl}@U-_Lk{9T03PK+boWZH~j58Yp$yor=2z#QzKjmO1)
zeX+hR5eMr|@!$ewucGInfQXOpr-}A6DGn9~S_dvIGKVv+1EvB_lk(jteIOP`BOURJ
z;fyV(FlSYc`LfA%L&@(2pFvq=-6l6C%#M<oid+)eO{bpXbinl<&Q<h|JP?8>!Y8V{
zX43?)i+Sv|9*mr@j0d3;amf|&ogN(ntF-^82kO@d;}R$t^0n1FhgWQ>pkC0o-;f;D
z{}L}PA&|Qf6ApmF)n|C-rem4MuG}!u2NrD+n)y80l~Q~xywpbs#p`67zv_r76ZZ8z
z%cQY7)moSZy&Lc22QU7W_|l{;ul`_yV67hCWgpM-*jOrujGjRt84VpUb@z8{A5!TQ
zDxI$_4b|LSU$lWBi}VmMbsZO;LDPxeE%jV!7wiMY`Y<TE7W^nw*`!-QdKu|D>e4?5
z=Ds{QU&^739|HJ7H=}ks(W4{b=sK*4>V6ToC0nV0<7J`rBGhy2%n1u4(B&^Q5T3uC
z6~?L>fAi=uqC(`Z<gWbU`>g!l_K)UtuV^EuKtRW=AFhl2o}@qkuhC0AR|m)!I<LJf
z8im@OTjs~z`Ml|rW+cf$gF4`$Vr}d`j<anlgrowLLm@Z>*zM9qlFNX~mjlc@^flnj
zEt}jTfA)*Y1y*7saE6aAL*ry`N*Y8f0z?y`{!#c!&S;@z;~Lk8!r#`(D9tN?zY?sl
z8Jq9P3Xi+OUx%wiYd9A-{PylcAt9jG(w<@l+|P!XarRpT77m#>LR`o&ncOM$Tf9b~
zwleoSm>%=>EbCJe^<?BH+@-#m(;}_4ufOTP);gA~r4$VoGqz#3&z|%~fteftSGeto
zgN?oq;M<Lo*O}I2b-zyO)xHKsR7gT=JolXsfP9VknVX&;lO<HcdTn0kB5?JX$8yy*
z<}O9FS{2NOEkYcM=Ug*hfpVqlb8`rtrRd#N2XUq3j~ymdz4}0Qj#d@b2h?el-=xWZ
zr;c9^t;@LqXGmojgeu7HfC1%P4bj;ybVtG>fa{&jrwIoSbQh9Kuu<c89Vokys33ku
zgh2oD)`>e&g#XFSj_y6hPBB1+2|F@|Xr0FcS*s-wLqR#rbmiuUb0v@Sz@NJgl~<L`
zzG+S{(rN3vZ!T+kC+^zB^um{s(|u8!Q|pCSO;wKrKX1iE>N+MrG0<A3|C#Wb`!}i$
z;~e*usc!;rU10aiBD<fxc?vuty)Abd{^xPdVbcpt0Jc263|xj1uYndcHqS^2LBc9F
z3}_{E*5;J-&#7Y;k=hju#Dq1lm~*}Mc2)00e%}J!gRrUgr?LYQ5mk^<aGN_ux*yS5
z;TLCD0Nr?r%mr$x3dG9~nLVx4GWH0dkApS%Sv@FUEus-fH?zCmM25b>dx~qNBTgTL
zen{Eb0a1zw2@qqu@#HZ$5VCu6n31dO#hIuQ8YTV$4rlMFDg@EQ&n6d7f-Hr3s0-Ok
z-axUqbdl~d{C@(_*9zj+f&<%iv8;ax@ucUktz-$b-AvSGuXvJ--a<UzH>A{ll;7+K
zmrvPyJEZX$#+kG2JsdsfL$Dh<=&Vi|3JGwY4Sp>}PH%WzG~Wj!fWQbawyA{0rpw%+
zVR$eby-dJ46~?ZA6ga$#0NT+{#~DNl$F$1Tr-e?H*Gi+=JcjKmsyvd(eRHY5uN}!^
zEYd*v`01n-N6;e{W-CDmso53YNYJ>=F*gU;qQm%uYo$q0tWYrAV-F4GU_P#NI}yav
z>?%ba^jmOQBoLFkv8u#U&fX_kcY|U<#77^s04%N6&E^ar$*>T=sMf#haQ%AL6j?h1
z2e^@nl-5o^o{2t^6T%JPW(g8vBhzfHs=2xVk_<yjHG~Kk{XH4Zt>mN896cOBW8T{g
z?VB;Hc5xRqr?pC)rn#ox|83g`TdzQT(ATc=`K=s*d898?k4r`*FA_)@)LJx1SR6u+
zOF7l@B2!MyugdO{BqI^?9MeMt%}pH$1&!6={gi`!k*lTED(F=0Y<k=X<1WAlYVsw9
z3KD&UIQ4PTzL}>{%mOnDeV|Al3w%z_|3K!ct|ITb7dpOqS8RU6zwIN#YQQTFngqps
zH~|?I5<?^MMBQ@Yv`dfr)1|K_UXWZ9ns9$}))icY!lnXxOscPd+f6+eDjnTgwl6B~
zdF#}7O7pTCVu?;K(Q(l!W4z}11A;P=HdmK}Qbx_gRpy8kr=2<9dTVrZUVJekwv8Ht
zQ@~8o^US%71lL$4k^);oa>a-svBz9%?Te<h4e_U<DA&5=(F?DhHWkT~xepYYF16X(
z`E!aD2wNK>LeOF<L|Z2$5FmP-t<8Uq4aTWf6UGS+S7sk%oR|hei2se#2SiE3k*%1L
z(;=p<UYgZ`Wdz!VMNl-mdfBi^_JIb8*SuHOlRcREHFc6W9i{mWY8UQ<{nVg@t=Sl}
zP)FY^@ot^qbw%UcmLU`Tvn}`G$|;9hwtB@W353KepDKbPj3G#hakRO9mx)CQ0=`~E
zq|{3ar_1YQ8A&0v+fngz(;Dovuh5)iTGunrOGvl^I(CaY3NM>)F)aw2xPA27`lpZ2
z&EVd1nGTpQ`3C(Yo}H4Xvxi;*4{HFkOf4TdFf6H#w(7PztF>Lp^OZs4k2%zbUU0+e
z*%vVFuO4E0T&87NDswtv-v+NvBIkYwKWT_wR3JcPEDA;RBLAd+I{4-~VcMxZAlRJK
zFy-*o4F1ZYIGfY+y3yCxaZ@RYx&*diN4DtdM=9fo1%zCmzWQ_a{LWyp3YmGY1E6|F
zw_`LYbL<k-MO+sKS~l#zn`&Cdus5s&l~@j;K&c<2r0o;95aN~5{4B+kZzVzpll&-*
z|3Ia5#&cDD7!lh{QQJA;M?oM}Ltv_+Zf*$IxAm_$gJ0ZBU!O^$*0&tE4=v>jyDY>L
ze5$in`TP$u7>9S3>f54LVvqpkGBT33z%3T(u^sghBwJzo{lwp)*pntRrxWp&q%&=x
z{&Ny3pb_>P-_`72>{!c1pEiPGgG}A*it&i>2e>4z(-c6aCiL?E2T|GaS&XAJ0=)&N
zr?9$iT90oX7$#fpI_i-;AotsGHz6m{F>;ilnN4%PMq_Z3f%TLe=){In?ibW72_r#G
zBfo=$<%%wKom*%>b#LGv(40noKM+c`!?x#lB?po!wFY8&u9F;*Y&a+dmSh~S1lBx{
zC=F4RDO7BYT@dTj)?Tn5HH2VjJGmhYu^X#yUfgz7p4gfrR=Y_4jqw?B4=9Bc1gGJq
z)>RE7wozgRT6l79w64^M4&|N%kzXrUqI;#67oiWU8k^Z0x)X2}0D2};z)Uql+tWhh
z*zTA2EvsV>Hiag$bsXsps}quB#9#K`9^%p6xbOFM-ZN$G{Edwl|N3A&rUw`c9DSKa
zYsafH>^^{*TCt+XpxRpEml0zZodV)xri0@Z;1PB?dF93TcQywR8CX>bC;`?NN;=CC
zCvL*aY(7P(HSm~QvgrdcbJu*sHsdas`HKXop%$rhjlOo=)yC&+i7J-q->2q~1fM1D
z^UBh-qd}TXoQx_@tq{7C-r)__QhXDV2gDzYri<iWvynjOs_7997x!4|b$km-yPj6M
za#r@S!|WhcRl!Zqv=k4J$tkmsM;7a)jfnYzT&ays%3Dk-ANX9FDr#j9n!YF~6Hd}O
zJ4KE0KW2uLNn0Z$-YE#V?w9U70)-iO&RcUMs46J%BF^3tcu^B%WDweJDj@QqQp4Bw
z$5ScOC&>fgTb6nfeU?e`Wy*EbK9%V`_#X)IMMTMy`zl?l9+q?z1&MZPVZO5&kO|Z@
zLL81-mK7Wt+F72=q1kNYw}JQ<xcAEe3CcpYrCY&#`~bpVwrDP<_CC)xJ#&&u!3AQ}
zhJb=poA$4sNeNb-ZkhW~9Q35zdVy$Aqx_dYqSe_{kDbiPug=b;tJDjN{8$5Q=Wxsg
zGlE6>+aD#?;fkn^XpwG-diXr}I#bvNUT&pY0F{nndxGGI!vm|UpPEjz3%-_bBTAP|
z;<t%PaBMo^T8~51b0SJ0JN|Z;LirmMVP*e^MX442U}~<B%LP@xpbz0%eW@ZeWF-b#
zlj{D4Kjp;v!*b&1W%2o%)Z+4)5k0$mFOdbtCUbDudzR}AhtLaAuHyx%2n;f<sx%jg
zy--)bfQ9`iOvRgm=U*lxB~lva6m>l3ZI)4CuU5zk^n8BtMv$QciEKEe2~MZuR=5I%
zc;_V>b9$G~rq*-yB@ScGuN5~wMD+pHT0DfeuG<>*_P9u!Z0M=kraZhaic~T$0*B?!
zcusZ*txW&a$@UxyR7G14rOb$$PX__F<SJ_v_w?QS-%tXSfvD_ln$I$nT5-`i>ZMk4
zD~T65&%qop*F5?VWis9NzW2L;U7s%|enpn6N%vaP(8u(f8;HOXq<UF*r=yt$A9KN4
zvP0HVUsKoK8nTvf26^O;KNR(4Y~>Yg-t5`TPuXKblytIIN!5Svx+ADh_~uu`LPD8F
zbrIBG28FB1Wg{K*QTuKu&o_|j=AYFHsPY#kl^6DT#r>;!k>*ms*^c;Ap%i65CD2b+
z`~}((&<9{U{^&rNIP854bnYwwNol9z-Vzj>hMo#?!j>5jd1B_-09_{e{xbF*9r#Cd
z6e|N>b9O8N)WCKCPpm_hSruhFA|?XyCbg`f$GWWtv^-KF<(e6)4<nLZa3_;vYhch%
z2zSdI2;<+XTdE#!4m9|U4y$mNlDozxlU`iG#$3Idfh>lb2hHno&K7?mC$?5HO4DVr
z|KU^zLG<H0ZcUF*aHGlr87qgfd<c52r%#_=Ai~q~$Ba>Lb4r0V*&(#!F&F~eQ0}pU
z5xcLHqPcHP4Ey0z*g}L*Tg}!9aWJCzB8}N4+v6USVWa^<zKnjHyBZJAGPS;F;&&u{
zG$Bgcd<m$-KU3jDMEYf<(U*eEoYz5|7aI_8N0ht4cl&tRHS0H3cWtdsp!Au;qTQvM
z6>l$%3`WQza<NhvD$yM78^}5G5UHRQ9<-lgQ2$C7IYlmmCSI<W#(Mitxkh>vao3`|
z5%sbM%3c3^0l(Fy{-L9*BtU7kynXdT#!IH@K0t!p7hz48&pK051OLU3%q26ifU}=;
z`z<TsP#?_6u?H7Sk_ivtHgp(RPKpDaaGPMfdl|z5aQ3W=g1flmUw%x1Is=W;PZ9)+
z<}FZTRv{6X2`3PF%&C2@g!}+{dZw94<l~1xPY$@Ie<fyBh>c09g7+rg<P%IE&35>>
z`XyF`vG7?XZTb1?f=%DKVW$sVi$HT!uqNJV5CEci_0lmVxSHM}R})wnC?*_;d@wkO
zZvKdL>|r4c^eMoOhNj7UNJwWmCJH`V`c#L)&tv5nG(C3lWqWAsxe=Z80HT70bcI<5
zJRRty1NR3bM1Zy92Q9V_3y?bl*msQnNd>Z{k4Tg&npgqzB~R^h?))#-K)(3!Nn%?c
zj4+<L%NVWj?M&j6d@W0_R#fL91yeZQClXL%A0+%~7cN;FV451v1^37A8y|$O7Ie{J
zXDb23=kmJ?RLci@hAjZFF`=GHfZOHieR8>fv9^;rsK&|_;-cQOhBdlRAlw4%ogsYI
zcoVp`<X=-bS${>KGX!~2d44f%9NVDG`rFVps2MoNT=P!mHpT#4Hm-3WZu-u$ldg=L
zDu0IWtL<Z0TFCH`%EtyOo8&)lr})jmeK3%d58y$>w%gbk!aPv=M&GZbXnu{CE-<0M
zex`!9S!sgC#|BX%*_D2hT?f#77})JNTinTk>ixvNVi1~UUU~>DP9L?AL%lM7aTzUz
z@50__>>nwABP;5pABGrk=v;<-)ra=aBd9e}F!3FGtHV8Zj<kizCztCNYp;TXYPMw|
zA?iJISep9;m}Dyu_jiQF8lrV$M}<GTf+{0DpQBPuZ6+Be6PCB`sj@}d!T~!X_imKq
zA%+!Z0ZZ9x{d75E-orPysuy2PwoxPN;P+OICY2ZRIoD2yz`KYnT>xmVdBCJvMK$Yw
zLnBp)0C$M{wCcxeIGF_;$EDqTG**#}(1)4bhzRSr$O4Z|f4*_TvAva~y#YXmEJ3#$
zFLLH~FjsjYgOtA>z=g)ONU1}>nQMZSL<#c;D47KV)ossmgm^%1aTwRF1<-)s-bFse
z4!PSQK&MIo7sz?|tQcd5dYp3jJF)pEgq%|6`)Q1GJZ^{Z_Z5QSoo$u&!T2|IIr<yW
zR2CV7E(_qO9I7G2ueks#{`Le}vqoB0?pp`7x}Oj3AaeVT$Drzr>yS7;)?9x<J2rar
zl!$BYKYYv*bgIz_9!piJ=U5~KN}Sn`KEUt;3853tZTF8rM;wJw%^^8}U`LR(boqKc
z`}9`m{aC#KvH^9bhyx21HP5O4XyffvW?3N6XEwbx)%HBU48fmt0Q`14J`YKcbAH;j
z<!u)~3~=P+UO!*E`iw&K0M~(QbTrV819HVH-iNaeLz6s_?+&rJBYOt&QI9x_1oc*{
zFL_{9MsS_E_uU65XjcUPXJyN;91lu&_S6RH_keHV$;(nY;|s7jZ2)jDqp${vKBt8K
zeI#!|^2r6ZtBH`dsj3(8ol{~U8m#zjz;(<>4yTQDQ}#JecMvyz1+2ap0MB-p&w!{+
z*JUK$ZQbGa--p9+o3+Xp8i@|I09IE)5*>hqXXc;ztt<I!U$)=B^Y%pX%D_S7In`Yn
z-MSO+lIM8Sae*0xW1wt_q-#z)_}t<Fs`nEES0~9;i^qVB1mBtkE1coYRIMjR;&Ym#
zq8P%oQTj207VWV&=!I_=f;!_JzN@~tpiV<Pb`P<@z?;B87`579;ZfU?_5~!Jp<xQ(
z9D9U;7m;&|vnzLOm;vP4qC4Y?+o$yEt1g0r<`jtdoq`3CZ*DAqlp+aXYM~xZxv3?S
z00mMnVv*hGQ%{{i@FK=L87grWgj}UzO6+;O=FBWPiP&a?+43sas$J$S0DG)}ZTfkT
z-r{k!0NYiLam}pU2a?5eZ1l?zM{0uzi)SwnYoxK~^5-{QdQ^+;av{R&o^<ZUup(#P
z<gb~_BVS@T-rK-cU5>z840@N}-2uj4^)hhLpx_S-YoBXAGvSNTMwTMg`H+80u^3s3
z4?}`sDVCD8H28X*jCm_We6>LqC{+ygR0tsLRjc{rrC|REKletvuqoINk;F4*1o_>>
zFSW@li>d_`oy*-(Xjc{?TBa09ZjpJrKHJ@Vs9b$9hQtmBF=+=)NF5hqDn`?l9%^Ho
z%kn5+(b>N$+R~R?L>w>gR<27R={dK_YJ*xMOlqJ@sY)`0^SLQ={cUIwlvghAl-5RH
zdwK}Erm^e9fpou0VS$oYMz>!#w!y&igkaOxqUO`iyK2JINK{Yg2_(!pI6}LpI0gr2
zQ1NHiRyrVyE-BGB9;IA2EWPQ24n`Y3)PKyv5atQz-QdQBvwyiyAluEmr+Lr8X$y29
z1pQs~r{7|B2&EUImqf2&cZu0=18L07yySy>T5nk>Im=Ds(~)~8jb#!xZ<-{n>&*I7
zt(`naE<@#$C9j#rqcb$-wY!q!+JMj66U<`WI-blGln*+ej1Y+HFDt-POXKOY*}V3&
zhNB)&e<wepki5?&G>h>bRYKOvwVh?t=FFD<<U3jA{A1y&!tcx6-;v2x%6~z!^%9=u
zh|O`TnC3Z~&`l(l*g!b!o#-ZgvaEW>J+}5@KLh;oMzd_n^D@JU|A9vdyUb0dge&MP
zw~ptwzkG~~>O~3xyN1%ks7J&pjtL7vin}8|l;rY2{~Cn772-;4P{m^kzzj_j<KID~
zpiiF!Ww%MOQ%~_(c=cst>!(d~X;UiP16DxzYEY<lgso>9H2z2sGK5V0h~_nqRMpLT
z^xzvjro(j87?drpaQIX1rk2+4{qFQKx;qQ%%&Z4+1I$ae0V^4Yt&*l4HIO6UUTCIu
zrtvXlLJfdN)Lm>_Gnz83`GpMxYfd)_Yz9Bk;{KMN9&QEyLa`FPNT|>hEh{Yo=`Xbe
zTsP!sRGMy9r0pAQ@K`94qo-rK#rcib_nfco=_#EiJRe0wKggsq1d@h>+9HwxhT}wN
zDG;|z@t7f+ZHmwelhg6t<LnE57$>|`_pvZcCSL{aDF^Rho;D?RW^%>t5kO=TGFctZ
z>mdo<TR?y)XWgT+%jUiAVzIy+ZKRQzE=;~BFybIJ-(QfVq;C|zJCH$iJh9QBH3}}N
zj@O%WoRACLn+s68YJ?VLI-^FUz;DPNcec6<>fRGCSDS*yJwZ!vB>WX_^JUc@ZG4fY
z@fDpN^p1O}qIzyi=lF`X(x^Br23~!-iSJMkig>Xpu0t(TVCHK}iR)Ev%WlX~KObw8
z@2K9;xbbeJ%6W9KnAfsHIxGQKLg4%g=Y$_74UPq!Ag0B?AjN-`e4yLmZ39i4G~Hj~
zS?o<Y5t&*0N)vKd0Jr2|84kUF>-!@oA5f+F33-iWSL>d%#DBp--p!Odw;bf8wW*Kq
zd3O<H!yKt3KsSZky?aE)O`yH;?xanwDKs`^v)vgrH+852{ex0%mBVV6s^>?9N`H3N
z<DM}>Uxb`ix{K!W48j!==y^^24`P88pzA0>@^1wiLLG}5skfB)vhp`vf0xq*llSqf
zn1c6euSWei`Fp|9+nUoP363I2iBP17*5$Y*bD49~&~hoNIF0<(ZP~nzS#4{p1n~t;
zMR8E%_rd!)I>NpY4bochS9@dDVN@(SGaerrh<sLIf2h=voB)9(bU3jz+fqd5FKB;>
zr`0vV!`6_3LGe$KU>;J?Ytv+BZnN6Hs<jBoU%{?gelI&zwcpJGwP&IDBnJuDrAf=?
zs{{r%P88HBNJzQRR~6s9q5c#3aDSJ;lF;G4?mGT1Fh5k$48$l#_|?|SP{x)c)ni(1
zq-W5{-p^E`hKgam`W186WUi<BDV*1kJz?hgw5Gnak392+nG{?fZ=J$s*nep5l5U*f
zwW#E4BEMNsIZi;MpR3UtrT9bRb{S)s+kh!9jbpy+lgmHl`wM8F7RTTXUT!aXOofUB
zoALfTJN~MqIFz8qFTQL=yl<!BgBqXGN}=T6qR3lm0*ys{GF<P?gMeNn5XD^3|CFuG
z*{}JdDi3iq@pfE#i|~-bQI9%7K4ngLuF%`VI3<%&7cRXHNl}@biV#$n9^|K%wi?Nn
znKJX<=O}LVilwfB6|)DR5u@{KgH9l+s=ocUp3!s}5%GW#t0r0rzxb~4?Bg@w+!BHG
zZWT*xT%~~veU{PohE~2*#zT5m9P>P<UhnOCh<tx@bTsCHj8&yeXfE{{-F0L9tBSmU
zVE+MgSWW?$v$Q={WY)~s@~pVBsDi)?Q1riw#DkV~64Ckni4Vy{`IK@)RE3OooS(Dy
zkFHDD7ZuQXEB+ce<yPHI3DMc|`mK9-_kglW=PM05w+K)NSJmV*<{vXg`i@#m*&XA=
zvMHN{Vqo^|)~|&H6Z}~3`WTQ{6DeF&qgetcgXM{b6$UO)SHM&SRF$>`o$Pb3QsFXP
z!22M<{+!vn!gjE02&8-RBBNS#E}pa^RO+HPS}75Sifw{RAG<V%ZpvP1#nXL<e8!Gg
z{e3)aXe=i0|LY0=Yw(7ZF}$H9C|dx3I(t0L5zqV?#$cLQ<|Yz4CUBq~W$}EQ%%Nlg
zWrFIx<LO5Ewj`xd+6U4Uo#iu4kyk)jv@+`^d-%Q{Ofl3VEW_e@&~|D)!WhtObMkEu
z#QHefX3pZFo->5?xlcTmJ6#05TQ#0?g1Vv)#uNLncSgWjZUZ++i(VRgfkB@;Xq|J#
zGeP8w$PAC2H~s5Bc1L7}f=_s_;!Q>%-_t$CeJP{eY=F>bh(dn;)ej)X^*|357?!ug
z6>*0UQECGnT?Vz{Ads(CpxTxmw`+Q1PKF@7QSHv{3wxpG5Y>hXlUkogVW6jz(BYK<
z*uz^STR;jfOe0eHd0(%g_@mRM?nE9805e!62m&)sVhE|lwk=@{u5(!#eW#hI;gg;p
z=szsik6kyZLi8Wew=6&YSz5^L1Fhx$dtJOSH}Fzj>gz7Pd{RJlsku2e5gkT_vPu*b
zfNC__e;wSyg*eoDXijd^Q}8Se2O150XOSsPvI3~11n|$${44&lp?S<B&_N__&t#D^
zUBPTHOw>U&yrPf_^&TBI<vsywg%aeY0HBe%1?`^GMepl?nS==)OzqUIQ^z7~U}~Kg
z?;ks?8!(c{)b?D6L9E<S$g#+&lv15nUsZk2iXNrU6t?behG^Wt%{RoN5^D|sOM6N%
zt)?$tTcYSN@D*-ur}L<XZS-GpAr&*i@|E#1uXtwcYlNTIJ*73thc>(|vgX9!7jCh`
zWgSN@XUYP)Gd`5nweR*rGZQt!3h|a5@w3!9ARGJo>&QniMUXznJevw>X^I<!ueU~O
z&spU`_+?$fVAodVH988f?YVumh_M*jS34UJ%V*kTYg-{wY}jmrfI?dWlbTf#2OZeZ
zanV(^8W1$(K}p$rk+pj<{m&D=4x}|&LY^?;!wH_lwZRUj=dgD;0ygYsKNJAPVAw6>
zL9Y<*7&z`irC<wh4=IOweHiZQWd|-OAky8p;gVD&6oZ0;8^6bTER$&gp)nATFOoWi
z$oyU5g&DfV?nAy9pEr=)dmYHeM3uzLRa0bxfO>*Lbr3;5z^j)49%?%KsQ*oZ#<nba
zslUxS&Xb`CbKy|l2GiyZOYSHsXiD`Bp@Akd=X7}a2^-s51x*M@qXljHo`Iu|UnsTz
z1HvBA(Oj0L$LmSN<V}SrKG{ahJBY06R^``Y6(^*{;SBaEZ($79s^%Q}Z~?Yzv5>27
zqyN>!LXD!O57ulU0@3_x+`h1CKxCI`#sjW`{e#HI2yR!Iu=X`N@A~Ngj1Kj7_)?L9
zqimSUW`d6=#E2l@XZ?E;0&vU0FWm?5g1#ZV5W^06{|e%p7Z|$v(%R+uBUek<(g0rO
zBX&`4?QL*w+ytBc!{DF@9)$g^j_5!*>jY?M*TK^^0BngV@+O#E`_He_`Bo5%7<9yD
z>(CGyBBt28!^j;({EUO-@^^1z;BJ@hmQ8<vm+UP2eFx}b0A|J>X=oAV&lRzHCV?Q?
zG!8(1L@AkH2a4O2s}>-b%rpi+rK%dlSWYh@7Gkg^=z%aOo=dSa=XJzIJu!NSVL`ME
zE<;F=z#`I7Bl!4^%DLM~Th2OhUBH|p8k33<r(mRu7_~eZ_X|A57oTwv|DJ>w)f9r?
zw)rY(e+}VnDtS;^g%*i(4$8G~pj;u^F5Qvc;2z{xmLS1VP!P`AeiCJ1LEc)hVyL+t
z{wS{YnCu@>Illv!v1GC}oFF>HT*UuQkYapugRtK5Xlf(ydW+Y962f?>HIRZ;SZ^QB
z@tOr>_I8~cptSJP3WMp90u8ca#cR2Zq4*RmmGg-B$IVrv#&xmP6-5Jmd@pNQ8P47u
z1!qA3Pkh--{%?K4a!{lfTQO`PZ_YSQFI?HU1UEw8tP$ZWC{P}4We9;~XkS=W)o2;{
z;J9#$?32@WP~L@r&#4z?lr{R~C%Jv)lqxALU^Rwc5Q`IHPT;inHbPFQcub7@%khM!
zkIC;U0Z1CzT`TaaikL$P*tnY8eN*uE7B$kG>pW?5#y77n!y7Ot^l1!jF9`O}SzhDo
z-1AyrI%<?XzBKX6`}$jKKI?_#fj78~V^r9L)IGE^g%7Sv5a~##WwDVy^42R#_QkQe
z{sgCxNtPMwWeVQ)bIB<hj|aTB#Ol5#v{!vts-0d)Oc-@u7wMds_%>F;>nz4A;<3El
z*@iGeuCK(w=+g#9eXFB)6ag@(<A<8cbHQd+q)d!twWiwF<Kzkzt?fYJi>lpCNT>bu
z<#`%lo`n;yeZx1wr>>;?`e%%=OZIPAY;9oZGfM|hq7V4|cy8{N%&m`WVA#&e3wSov
zKKk-%K_|U&M$$ZQvnLC?NlvPVhJ$`Td*x-*2JG%k^|LiEAMD;|OMSfHp_$b6`BL_S
zxlPy}mO3})SBhR&Puhed!kO~$IX3aguR{ySt7UTFRWg@aOlod{g~|fJ2@81fPpeS|
z#uo10VC$r3Zc_wY=s=%H$+>t>^RO}9yR;?{)k-yVF)b@<0S@PzUK`8|YMB^@<$B2v
z<1Tn;?<1)FKfYpX(1&Sbv?-(&W7R$}`RvAYQ_RCFFkbDv?zqs^iRc&i@-o^*AO)kY
z<9N&N{I$K}E1UCoRW9<`^tFjy$PXkCeOQq6loYIDI9<YDuUQS5#?x>aXxX?tYqAK*
zLWGmG34k*Ws}68h1zz{eGs)>fd=h(m(RJI6p<fO3(|QF@#vz6CmVKUH7gOTv>1Qlo
z;pVa0%R=X|yj8$MtKIkEnUMW$qi;lf8kqZ<VvW6iMGa=V8za>&HX^s!y{q1{#F_8f
zd`gjV#JPLF?DV}?Kszoh_aoSlgxt<p?vZr54-c^PJqzHnnF46ARN@`tk58=e7_!P3
zq$(tM4XAnNIu;#{K9$zxoz?EMxaMmj)#b&yCxDURN6csKSJv7$OjLRFvg-&bV|u1L
z5QuA82I~`ovwG*FSX!^-yjTl+dU{*kTPp`cb+30iPG^eaPVW53w9bVamEO5Ok@s`i
zCBYxpY~Sc|K3aQ|rE@GGPwBg}zyQmwY5croI|u^F%E~HA>a-4k-hH??zur4nhhqNq
zbZ3%1@|voelLk4BW!Zhk(ez<lsh*eJ7K7Ni|IGW&#s<_IHb;w>OlN|u!pL={T~8{N
znjOLSk;EZzC!sc=E|7wl9#RbQ2OewKrgv_le7|{EdA~3mwe27XHD{Gu-GT1WQs<rZ
z#XWfKO)-T4!H~60>6bHpv3?(=gHgvICZ&u*7U6A)Q8O;F%9{6?ut_tOeXL`?7hwP9
z>43*&i7IPMd#3Z=nktm#CM?gmL0@%>aRh}Mgf}8Cx)`XWabY}GXH0K_v0<zBo*^|S
zI%ghvEl(_;)%DZxiX#!LJWM`I(|=6-iEG4^Y?_4{oX6L$IWSulQZC{Ze)Xs8+q^RT
zi6bmWJ7BYJtJ7|l?jGDDUiP|E)~9;BHfwdvEZLtmS>lMTZI$`5a$DJ$hWr@hG+(PJ
zIc4Nj(9fYm^N#pFH`_-fVL=ww_KzoCrJR<=U6z5qUtDm6jlO?}3$1jRj+5)!>&qph
zg{RkhqS_SiR%TdsCc27T-LXr?^`*Si|2Ao8e1MteBcjP#6nNVh@fB4J9_i8~OKvMc
ze7lf^B`#ZIBaA?eO6fE08}U#OuJdY<2(f?Pf@6O;Ak&xA9HIbiDg<2L=jpjFCZ0zd
z%5O!a?6EL(G9A+)$a2o7&wln%%(4Hex9vzu@AGT0iRU85^U3yS68`W)X_JNZQj`r{
zR93hWI?ulLGE}&A=2ezSSNCTF_8hLMQf-6pB$68ubvk;U;8QBQ+7B4u7G<T*RjY?b
z@v*Qut|Sk!Y=7uQna0B=$vb5LEdp<^3&opTX(3Ivc@Y{%dYL!Sk5PmMKB-!|7@cob
zc}y<HlTW9AdMh~Oo9K50^^FFP_f|w*R9ap=k`#1C+HntFj@CIN?kWB&36=YhCGUIB
zgY%B8qNSOR1`@)({4uMfk5S=+So%0KJxhx9CK;&vCtn(G!iX$B&m3yftDny_q_(NK
zl6T!j;Wy`<Mc4NCH@^A?5X5tM&pi{9E9DTl^TeP%hwIl`Vft=C@4ZbAOuY(CY47}+
zenvp>?ViB$YuxEXG-17c?>IWs9um^TLYe@pv%Ts3II6f_Ks_;>MWuMnMPVbg^ZHId
z<Y{i%xt*y`;9B*}dlr@Of%h7wJZwF%W{-ur?$0E+VsuD)XC*{&ej96i?vX+b^%*TI
zENW0)9@guBC}c4Mp3Bl@nh^E7$(Y}>8&aZe$+$vVUd*)>r9X{G3~w6sJs5~p`gnnE
z$!MnVhX0~H{Pd9UYPoiWnHPkjc;xBIdFFc{cr-(7An<~>VC5e}uG`SXml#glG#}9r
zM)q*Jrf-ep;U4CYL$6`!i#Fzqr|_w#PL^wR`>8IE)!LN#?SAh%<3Z3f_aqlK?yWd8
z6#=XHVv{bRQUkK&jL$CjsrRSc8{bRZj=X6Q$GnU{G3SM^0%ulfieipQ*|!(ZbS56d
zI|x)IL4U~U9Ca<m+jf1j>SuTM>0Z+x<Bj*#*l@70=O|&yF~7vILarI?Wam8@-77n)
z?5crL^C8+u@^wj*-!wMlbT$6Sr{_QX2`z%2-_5fryQ^E@VMHRz@heNa;TCJ`JuH2i
z)HX3G0guMK)^2Q<{4Yg06@;fbevx0!&~fQeC9Dr{H^QtVebn&zn!KM>Ekwtxjm8L`
zS$j-fZ*|znrg{%nzBY#(@tcjMgaQG1!GtZxhTq-D4p1xG)RimAyc|6;H*#--OyJL+
zB4It;Q?3|+Eh2rv^vw3soFK#J1skQOv-|emp5~oA-RIm)HoG$$+UPLsH19)!gIU8o
zY+|q@%kQ00gei<kr7UkN^yH!q)8^6f(avk>e?S(S^D%}lUAaQZXX+9q#`V1&MFF~?
zoP#w@GdXO-M3}jf^WfaYBs*bioC)jI{9YeOu^|`O@m&}KNUY1=o!R}4>%sC&<TLv(
z+!t{UAJ4dpELECyP@jVAl0jgZI5J$a@KJc?*fHNXx=%D*s`0kXPawDj@Auhy_xiN2
z5R}-9>#@SlstO|XHyf^9S((50iU)SrwX$rE7`&FvS;7ckj2?204!o+&zl`GkwE?YR
z3{-Q1nt_O4D*tj0oWsGR^YA)3n;OPG<_h8hF%k&C_}WG=xWMHzy8a55Y^`j8i^6o=
zoSQq2Q)w%=E(eQVHBcCF&}DXm>Lai3Gof&uPQ8kqRGzo${-x)eDooMOyoi@t(pSc)
z$9d&#AM-VgE08S$Gu^rRyoT?f2(v(9n`#t0aXtqVw@`P9eVhII?L7bfwPpmzjR^M4
zJv&jnJTt%5u+lL@VXsYKh06D4SC|$qNZlH7%&F@AJlg8uR{AjXV%KuQUHjQK3ue)U
zyw3{!&B+&JR)|eM5DkYLVRV*n>|D+D&@|C=rp>k-n21<adpX6;CkNeuy?Ic-)THp1
zut%Ebz^0?|MQqq^EE64>%zw%xJam|mPc~u8+$)KMhtMX`JpcMOpx?R*v8*RfeCvoJ
z-j$eP@uPg#dq%Q8b@3bZIX#mK&JGuUU8fpcemS%#O8M88)d!vqZgiXte?;O~zx7cS
z3!C6((T$Pr{H0BBr!3~<C>jvISUHB@vT3EMD3RQQGHnXc==a$Urnm$*bcpYZdS{ij
ztsn4WGV=$lYdGdE>sj~vJH%*uMbBlK_}%w%6X_#5b?GA!EzcXBO;AvkbM}|Ea*3dG
zcy%H(ln9P<%IB7ty2#q*Ybh6M<qW_am_7I?tlP_+m#i)Bmh&ly{Vk69np(Kdk7_&Z
zZ;rj%x`U(MfG?tIQn;0kf8v;rQny>nRSfm#S-5gO{xemLYdw>%g%78yk6si?ZPvjH
zjcL%14UB4+Ui3sFZl~1(ge+R%!`)t;j#6_n%&d9IHB!~R`P{X!>%nowp=0oVmzkKe
zJ6BJ_))G~7H6YG8QaWZy&@{J`pKvWA<y6LG$4s9<<6X8NKq^)k@=gzBvDofZa-Tpw
ze1#kCXxT%4SlP(uV|w9>0wP#`t;xmi-f^NJinaYnF&}I4@eHSMHxF#DM1uY^Jc>i7
zRj;ITSj7o^OG~oZQo=bd4~3@t{yc?4A;W9FM*5g#A+mJb1iT~_;d7hI1ztNj#)A=}
zKhgv5s8~-Ev{;WTQ(RGuy=nF^H_0`F5<7?tjzr3E@dB<|Z=I`EXGJM#d*-<847Wf>
zG1xE<XVbNUJU*Ac7v;x$g`RGX8cFElFqYcYp7z%2>fnpD?aNltRfUVD-)b$+_ry?#
z*6&$2mmT6{Z)s%8dUix#+@p%H>rM|bj!f_5ip=S~2@s6qIZktJf3dSvMA5-Df;fg+
zIs?^{ge}!2gKPT3d4_^pVG$ic+G<AijyUiC%vsuUd!)W3`BBb?JyrSMxx>ZVPrSBY
zicawB2068<<=eGHX80x>{LZdhjOH@5I4-{JuvHlFtQ@=lPRjD^p74sW;&W4vXpfH#
z#swS6<??RqiqC&mLvYOE(UZa+I?JOF@X)_Rl#VMXKTE|nDH?N?c!}t6dO)57+bGC*
z*aM>QG-VCR_JIQ;?gYck_b2S4v&7XRiucex)Xx!<k|DK~4U>w%EXgT5mGlfJ{tMEQ
zV4tNlY507l#?SHiF>`)~e0svt#<Y%#u0HFbTFmF}Y(3HMDX9uC5yx`qXzZkJR}h<u
zsulk`{(d7fB)z6|C>_G+(n0EsZN9@Nl!jI-#l$$ioRMrvo<!Y!Bpbd3Y)<Ko*^L`G
zgk_A{oWsEMnK#?x$ipjL#k$j!q77WSj`MBS8j(y^rcxOpeY6#%8clh;lnp7i6s%57
zP8B1e#Oo7!a&m8!LnC1xy03w@GJ++Jup&^fPp>)D%+AEi=1ID+Z!M!duTAH0sHG%3
zK%(qo+TCB863R48eH*2X1#>U#R3c$V($}SEzuv5Q=gzK{x~SrEJYC6j?pc9K=}xIw
zFqI!M3r=Q`;`c)>K+5XLJhnEsGu&6)%JXYF^1QjzJr&2Ea+Z4kDPoMFx)VMF{Ld8D
z6C)L>Z!s_Kku2dHE#}ydW#Ig^Ts3`K<aAZ4op)Jd(P`_CM~NIy+fAa1@77u6ONbDI
zo1QQoyz1q@*fz3yU!9a1E&l)zJ8wAam2%D-Yu<S5wa9+#&Z$peIBYN@8N%kga}7Ts
ziiib(1@jUvf0|U|nawh^3z^zI(t5u(k*I&&g5V@}I120TTq%HVk)N`AP*~VH<j6#4
z;7u%`iep>41eS&0wlasb$5!?R9cA_$t@H8{AxlerpATrrfWie8?<(Hcw^egHNVU*k
z!12Wcoq#x&zPO4iJ02w$sl^CeHR(mRtT(`q+v+~EqRP>U%!4>6*L(fTZ3getacyrO
zH}g~w>6}^6u)`TDzM)hT#P5+7^Yi2Kq;R-4rxlgfdsXf)8{m9?j>He2Rao_?c2!dw
zRZJLpUbIOkjYZPS(C<lUND}$dqgzUafbkp0%Yo`PD1wjqO{OQ?$GGM$ziu5BTk9<#
z_ey;CMv=iKpA$Wg+PceQKw?pu+WY0M!xfSl{#zphHwjmHnu#9bx6IZ1A=30v{vigX
zdi@0E9Nfw^k&JS(z77NAN~<u>z*R|CO|U*Adl}+57q_l(?r1;BY-XQjpj;GA-oC9I
zUM|%q#TTf`-xPB!@b!ady04)edCw_>bqD}pA_-H4(T3NCt>aAdf_B>N@0+oDjtIP4
zt5pq`-ZYaRrk@|7Rq+jj_P!VgDLuqY<Bc(WIGSsIuUX3Y-p`-*!|&4x-;O2fBhXj5
zRKo`v%kESKiV{#@-*}zjXl&**@MGi&K^oc{V+{8hF*c_mCg*AyM^~Pjw%yv1$*UfV
zH=5l-CWz?-R$VFTy_0-NQd`NBJyR;={vJ@L#XfH7*JR8{T;BMeINYe1BU_fj2Uou-
zs@Py>NoObt)W6UDotrIZzP<s$p+7gT?S~JlhK%Cil3QmUGW`Nr9#6Gy9(m~9_-8dF
zgI3C}!z}@MB>l|$<=MsM2!peS%k@23=A5^!Q*2-?qc^4qZUY)l+NCwq_>!Z=U!A5n
zuu0`};J7%Ow~-jN1@V_SBoV87Ap%1!w~}&3iA%Fp4Bu}lV{hNHmOCH39(XJ2aGp8&
z7yVPTv+iatgYrrcCN<>*gu#mn>T~{B+brClZ0mVPQKHOkxzJNq71;ehPI5>MKb)U7
z5T%1Fkt>NlEP>ZD)R-YB_01|20F+tEd8@=?Z!!~zZeK~gO-T9kv~mTWTfhOTgBNkl
z+uQc{u=h!{w>K^p%eE+*&aB}QMc7(5HPnF`*bR^A6sn@F^D{b_dK}RN@3@UBKb`{h
z`nr+*&a}uVh{0s1BSTN{vP5yYdiIMie)}Z$$?(!&fXO#~h(V?%g^e9AJ2LyOS52yR
zlJNW;KrKr@6L_?##Q@gfY{`ggs8ZhsW$anr*AKanImrk3!1c0=)y&5i>-TIE^78Tm
zUPfivJ>i#4g06T9s=DKbRQXDU2uy|jnOj@#u-74Hz+eQ(+NGJvFv)uGbAqXeHa2-W
zl%mcRah~FHOy~NHT;8Kd!8Aubz65`32<I8C9{Y_18Ysj%pN^S4AXWy(bU|HmkiEmq
ze>Lnq0PXg=J2q6ea&+>X@_9l^pr#kIeUA8!K9zR}ACsP5eAabdt#!j>bFEV9Z~4xL
z!Zuf$P|Sy~GeyOIhm#ATxE}VNGwx+5e3rjHd5iQr!<%0VQqM1vV$knV3Pia~MIC8#
zXN5IAATWY3atB_yVr_T+)SS$k5uexYJ-Sz8P~Nw}MNTFcHTm=i<VLK0pNBX#ay7&3
zM~CyN6>tP=aPFq%61h({4O(p`gYe5j^K%VS`S2qXvatr?9uh}<H1L=%R6c(v9G$Wl
zF%5|{?O+t6;@Cn;R6a0k_LQv|uYTU!?FZ9?*c1{Nn&Xjl@27(Eudf098yD{<l0(J-
zyOsPcQ1|YGL>kO6=-Tb?+hOmDVd<Fso~6Uq*}kMnfU+Vtxu>dW<8&TIfxri@mS=j?
z8l}cUD?Jw&44&6Ou2w9hF2?}Y991G5v8eA&Rh(GQe*CZoz(Zyen>-pm_a_b><))QX
z{LaD0j>!MV#|nlcA4~7fsKyPC_U&1Q(cv_p>yBXQ-^E4YX+1o`S-8!|>q8~p0Sh}8
zn>MMtCw7DoOb(I=9?H~LMQJCOh!>#*&+wn0;O%|R6INHYkvHZ=(sA#SGnR@HXcg3B
zIxB0HCFpJy8N%Luu^^u}3MxN)1-q3QA|s4`Mg(Inppdh)(fp0gKK#OA1fNSahS4Iy
z!X76x!O^)Ky7o=dBu$Lre&`X@AnI}FDn2}P@~uCkWVy+J4BkWAKU20pAU>sdq+u#b
zN=|2BG&7F)NQ%>ATOR%z!LEP5roR0@e$9qS)g(L3;fS`J$6%tyd?3|>;SIq#@pfgC
z#wWaK=r9(nrfI%1mJQz{s5Daf>n6;BF5EK1PgzmlkcarsPe7xU&R`(@Xn%1X{T~-s
z3x$spuubQpFMne^JT|e-XOF_;e?#TI`Pq$ym;1{xof5l?>CLbB^uEcfFaVT?JK?6t
zPw8YMRBjm8|MmaJCfK=s<o|U!{F_WFz5BvP{>Q~Y<CTca;15fs&@2iVgt^!Vx&utb
zhZ2u3Gb`(p{c511@-Noxs?2jJDuy?eUo%cPtWPMj<E1KiJDyd^dtVDHmmT{V?TGUA
z1f@@|lYy8jAa|ma5}gh)IiGD*AaP4qCZ0LrJ!l`MfG#cmd=;Wx+91W|7&)p8I}{Wm
z&Y(g|){w-)(UHgF5$ncHA>a{{qnfx2kSYuO%X_SmF_o+po@dohqo}xf9KK+9P2PAD
z6fpPx1#+|H&`+@t2KJ%`VU^6Av|Xw4{Kh87s03rx3+`LlB{qeZ<`YNp5%Di%?9gv5
z)<3|FgZf2oj@8JB9u>RF8ma32qiVf}d158#b<;1S>J6h<CyT?~O`7orB&3Wtnm^b5
zuIgIdC|J7aLzgHs_rb{MmA7v(V7~_#q)#iUyg8=);!LJY8a`tGI0qMsP7b7Fq(j6`
zq>jwo131dG(vD0xYYT`7h8&)2e|d=gf@BX_#`%Y9>aa%nKmTroJlt-9Chw^a*Z(0B
z`uBMb|HGeUefUrR-Ct8=!eGj!3(bT7&#(Hg4+uLojpXmY!tyz3rhHWTa18#pZ}Ex2
z#%pQ9RuK5_f5*WmVaop(dv5_%)wcEz3jzXyfg-Kj00bnYK`8?y1%!<>NT<|BrNcr&
z5kXo|Kw`5&x=WA_r8jL5QYtC^JqwR<uAF=C_`mNr#`lf!zhj(n(R21@t-0o!^O?Wr
z7qFTw6a7FM{_*~mj}Q=MGW#%V|8blDdSl27ff68u?w%kt;j<R`5ElvPSGD&s2*FxF
zdQ8*nt4JMArvJx${rk1U9!r?{ntW#Y-d^+GTpXfc!nHt7j{myi=BskN44&in>SC)A
zgD4)-+9xefgNzOsypk|g&P1l`71%Q#kOf(9JzA(ou&;6y;4S@6QnDBLgs2PIXcXJM
zJEP5JqtTab(N>>=%8^3WYc-gyatu#<rGJzLfB!xXm_QHyaR7h*i~o;Ipg(3tAg8jC
zzr{A#zL2T$dgq=%&VfM2zu)2(58pcqM(-2tA76*uZ}1tf4oreF^Ti*ZL)pWBysyhx
zjrQ*k{m%gnIs*GN8|Qhk3F@)_qP%eM_b#yoG6zf~!THkLJ2$UOj=TJuj*F4pzfQsL
zU*}y<jY4S`*qm)TLY@s~K?>o#uS+dk<7K6xy|H<D`tU$kZ6qnTzDe+tBr<L=yI6N}
zC(pY>e8=&~hfb35h}Zn%ixqeQCa<5hAbYgDWG^*0tV8P;dZ~qMdiEbjhQOPAkAYj7
zmvk)omcxZo7KD$R#3dU17_UFa<@=>xD1wqKJCA4ad(kbKK;BMkM6YH!oJ8{vZ}Ogp
z@QLe;bx>YxeYZb<)n!?DgQMXL{2%_i<4`Z+sVagv|KT?xBm8}lf%iiE*Ps6Br~kL!
ziwS+i=gbrcZn;B`j><#`+Vp%&Ct}_#A5x)8P)PiT>0@~SrcV<tCe!umUkgzQ76KmV
z)*_+l1O<l&6gV?^1Ok72+*_C!SxeqG1{OmdK1}FGQM-##m}j`@)fDv+9#Cw6a%Q!r
zbPk+G1fWyJeT+fxu>(Q%!&X6_(u8?M%W3}>SsRhEdDGP|6N(mFO_g;bD!M?MH(sn4
zS226#&H%&<^j#i>Z=tzjbTRT1^3$a8>afb<I2+u5f+4?s&jnNlfhNoJSUD+b&v{Aj
zGt~jduiVnT?`UXSOzv%Yz@RT_q;quO&-K}Rd=Cr>(^RAG5#@OVt^7nNyz*DImH+5_
zwe@oz{TvntGT6EFp=?nn<$3oxG2H%N>zSVu<>%D+zST)~kRu=X^xu9!IfPI^l&g^a
z^Xcnt|Lw(**0%0|647!KV3_+a?q>4?7anb!(2Emb*|+|-n7o93^vv*eCc+Mm@_dyN
zo0zmyqe59uIjq-^vg7B54L?a16H;1QTJpOFCRJ7GK99Ixe?)mNl>HtN1b-CWzkhD?
zYb3c~ZJ65$<rz5~Lf82DnmwY}h`ssAcx>a71qx`kdR^fI@ERv+ZGJ%P|9;>fN69;c
z2p-JjB0pUON5|r<@C9}0(wT|+!46#7a*c|_%!NDK_N{yLWb{NKXZiv6McrBGaYT$X
zMfPr>busD^-6um;2g9@mTa40_*t4|r?Vf4oT8B>^RgB=59Tq#_aH&JkcK?+stF6}5
zAkH_jEW(u$fv$${xt`uG1leXI#KPE^B1Q#tkn)A|*N40kNATjte`a#1Jv;*Bp@768
zNiHw|;{iK~M|i+Yn%a{uO<f#mj<y;BzDC&q@EsgUHZ`k=0;uj2bhm{-SoW~Q!#M09
zK{cg>jV5O^!jNHd1Sg~tt(OeeFTD#O>!v9=@o7X-xiyfx8b8)O=3C?iv7RHeolMr(
zz_uX*T!6S|KkKiJYnUSaSkaJ^rk`39UI2EQTMTp|d>=sY1NCX?s6~+jBaSm*ij7->
z&nW=bVU3E(J`<}|P1(b+#r6{GLQGnVzS_$`ydR0&;Rv*HxcvC5=W<)jWDB@7TQv)R
z@bAt6_7mSM3_v)Ob9V*!vO9f!O%n+TKi%nw^L-rI<m7$|mI*WR{l&n@%;<VZ(RQ@_
zW?4*bD#<9a`a^J1tkN4mA$t4ZaOCmE=(q{kYzQG9_AH4AcLDLh3isU2AlNtubQH9#
zc+BWBkY<pxlWD_e5CMeq7@ncH#&q!jS8XA1I%$d1Cgg~W9VgT(^Y>o7dUUH7(L0_T
zj@gzCua!R!H-tta1ZA(JR?rk3$^vf)GY4m^#~dZ@vM!v_t{l&CK5&c3I0xc56$LY}
z{yr8!xpFR2rXnoZ?7woiPOrkVjD#?flfKD2H1?x5ZC%bDCa)@-1L<Sf;M(*xkD>b~
zn4$Sb{jx_d4>*E?qe{`D;UF)5j%Fh=*04KAR-1D1gl1-yt;UH<t>oU>4;ixgelAv$
zGel118q<{}LD#t3e^hGhXW`sql6@9$`4&VEd=NFK?P1qD2pK=+h<Db)3TVahZvbg>
zs;h@(2AWO+NC<@@RQ>@hUxAZ<)e#Isd;DA#-^4)V(t?(aP+ytnMq|nRB)-iJ^xCGN
zoM=k*YT8x101-|jpK}Ssrn1`<fSu9=@`B*HQ6MDpBND(3^qV2zbY<yJh-YfpeOk#f
zYZ27y2es-|JPI+pHv*QZa8W{%&vC9>B}!7Ehz`kfZ9?B!z7<HoUADUHJ3^hLhY+V5
zMe1_=mHV8N?zQq9Eq&nyhUpyIJ7iTVkbY@n_Ng7)Lkp@IaqMEyCO?r|9S-!!o^*jH
zYtS$q0oVO(qrmFhkY#03jTTdOfR1H2Lh*dy*&|>81H$J^LYcWc_V{@^ecvu<!@Ny}
z=Jp5(VfYb-s<mVR6eT&;sgqu*^{znuofJ;9w*-!VhLMe3BPEG(rT=|6w-+vf&BfFM
z5=4Jo03DnrIF2;JcUZ4~xg!yVC`fFh(~H46l{0Pvp*4LLbG?O_vf60WHA6Cxt-dEj
zn1=x_-8ufza9mBJ=q6JPLPZ;~C^DP+h8jiuM;5k+_Kn7huQ=(pJI~B=E$GYj)KG3b
z5B`b&{k9b;TOdaz-1*a8GNZX5?n%pSA36|%*kXu)=z40g=Ha2Mn}HsaY6g57tqajT
z1D78+*q#qzsR1*p;DSD4eQJN@at$`1WU%D=nwY;@1!`=)oBZQBL<zLvF%oX(??Wk9
z;nx2;B2WU77#%t_rHqN?)dpX7A!6MTV5KyK4}x~idV8B(#njU*?t?rAUUb5C2JsW8
zuiaNWPy;W!sbW?Z8u7;LKEuwF%-KOLOu;gB`U_CCd#--+-kmq$<w|M<K|R@{rW|ZT
zDcdFyfoRRiMLSs@iI6yZCty$e@t2a+yf@e*5SCXhL34tF#F(1j1N>5WcYiw0(+ku;
z*A{Y*LR^5Zq~K)!7==TJ%!j<z#&ABX8{_XnAw{Z#ymn-w4&fPp>MO`vvu_t2whVpw
z;d)vN&VXrtDWT<L!X)SYxZKAv*D^L#TTk15>xw_O#UAc0w;xI_KivBar3i`vScG^9
z2ysJNNEX_?1hC8==seep9(UC;Oz`q%Ndq;p>L$sPS50=`q}Eh|nt~*n!~SaFCl&^C
z^+I?_nvf3ub{aV(!$|jhLVQRr;IMv_#-}0RY{7M7byQ+%UaqI-GDolv)<%FXZB=*Z
z10uqryl|($7Np3z+NX<FK&hmaBVgH{qyU`%&z@7{FA<%(ULqecbrpIWv@x}wabS^@
zwXq(auDWowV%R-jGu*B_+|*n#bua6Xux9b~3?xF&a<2t(3Hk|pfkAu`z~q82jY84&
zBsGTu=z2yjV<iNhvRSOQ)ps8MV8!z$vCE<l{YCvoVTLZ|O?N!Xkq3p{Aw3u4N-K?N
zm%E5t)qQE;9S$C7xcl{QXc<j))aazP6C30dm4jc6W`hEULe5SfpLV%vsmLL6%|-VP
z8Ll+(!b3RzP9=(4?XpXS&ItGR?86q|5sHT*W{E3wBZOT@@YCDMi*guZ<I3zyVT%S-
z>9Vu=kE#}8oBvka{Z;FI-FZw9g{`}S<3C2t9m{#L|DK{^yVZ<-?_Q1qP9aQlDw>^*
z$-Zi@^NilUL6Do9jhxURKDPe^CkqO@N<GGS^2$w4d5$;y-cv!jeNNg(^qui0Bk-c}
zLHnY~+A3M{E0hLP!x2duYw(0T4}m1IQRHElj$=SSJ%1yHJiD+X16H3%O5jPY0b5v{
zVF-gQ;TQ2leD2CC5rQ0|rPh!0YJk~uaJ+Dm`ugj<>zEN_lXMPs)T%KP<8c7LX{}mh
zGq-&=9W>BJuk9oIc>}TS^x&ZNr%3x4#cLvGiq*v_sPnWk6I)Ufp<AC!kWb!X($CV+
z18vrd^zIOIh5^K!6mdTi90VnLhqy2mMQvg94xKgXFhqMim7nTp>`Q<jl4~!lehr|#
zF~$D5D50xQOK1WfLa^R>(-WB9z8$_%g`oyOfXgvw#^s82`U;UhDB6~W-Ur^{MbE0o
z4WiY&4T{V|9K-B&J~+NibBR9apjy&b$zS22JV=gT?x|}j>h@&wZ&`0*+q*^8QJyY&
zWqW3Yjs99tLOOr+4s2|E5Za#o`dG818)CctMOl{Myy9i6%ysZb@0IJdS|+V!r(K1!
z8-Drt^<v0#=q@*Hc)~fg$p1Fo)5;`bJcaC90+bp(eB_P^FS{(XO^4&+y}V9&qOp3q
zg){XWO<;IplShNW_V%@8pHY-Dj=nRY$FNX1H!r$zt?Fjkp;`V@R<4EtB63LJ+zn7;
z^CcN>&!j)ak1mWyjezx+$wqR=9O8C0Vn)y1x1FU&v=lrUh=EN<h0yJrKVq{i`?o8S
zvvcG#Qq)@B`UDzpvvdtfO#&UU;JDaCpTr6;>tOr0#0kFG`#DtI(R<fH1s@I#n#J6{
zq3$rIz^2kebaisF9JbU|yH25Z<f-h+m3L+ur?1fs6rjD{F)!+=af+X)w>ZtqI_$4q
zBfsw?-w!T81neLYTkjx#$PSXBUay=8t*6d3VbwP;p{wuQksOpu+DVQgW)fig+$`SS
zg1D*jxh_mLE{^Z4U0?1h%a!UYYz|Z}T|(Dd=1fX6*r=s9@8m8v_<T6uf#dpZeP<HG
z^qo(2v1AK6vSv)X4xa8-dc`3b+hL4n%Xc^Fo)|B&;7Zc)BHM8ByHbE^YVJwvvf)d+
zBe6f;35&vT<$9#yY6S$@hqVr4JCd|Q#)Fy%I(>QM$XP6->@B{1c^AG7N0?_8WiLGd
zjKpvBI)@|Ocje`3eg<@kvpOIERt>!g@qKDL0_vt`hoD4Arw$C@<r*QcB{_8W255cw
zc5m;X29amKXjU&X?1QxER<lsTn(3&o%hi?|iIdJMdWJP-G{#NMl{mXy41ttwN*Tqn
z96XQtA2LwaDu!%zbf`xGcuX-Ca@p9f_ku>*rHf($e91W372Ezo{2{inq!1lZ4MAZG
zAlk4z?I*ehCHQ3LBRSDKozV%G%_RkCg>ena^TlA~WzCZf8k2=q;FHtg$S<{a#?;Gy
z0$M4*sE|-2MvG}Qw=+uI-NjVh-dPtpW3;HNwVo?MTUjuu5|j4fbI57=uMV7U$G}PA
z8nbhFRfiuiJQbffo6#f%zwim+3LAIwCFs;4z)xnG`Szl$62_qZinK^NyIYLkQG5X`
zU5tBjtY}=^p!D(G?R|W9$WqVdD^}EGhjEL@D5E26*2d${ZTc}Ix#N3u4l}GyCRypI
zN!tV4N@Nxc2zsLTWPX-8#d?zoJKG^Uxck%tE4K$6D25l&tHt-%LW36UE6a|5$9#S(
zXArzWEdpRHIjcv!9WvM=AbS>RC0N~;w|SNn@AaZtTU|BwlJ*XmMj=VaX{**e<Vo&n
z=g}oL;b&F?7N5~4&Xd(z_6`D(sP4dCiuLi+y@*NIrCgsB+g^G1OB}8UdEWP_TtvCX
zo_9iJO93jeQoURppNhqapH%83c2t0zF3dez2O%M5)w5&6U`D?go4m|SygmDM;!Zt|
z%W<>(nB25nQjC-#j_6XLXd}jUWsDaS(7wL`R_qrFMOo;fBI=h^Vn8^U>Kt?FK4Ye{
zV|$7rVP?<4>rhv>@IxhNG`amqeS?jD>Q{NJeVl(fOjh15&93NE*K#@Jb8-sh=~;8c
z?1BBIO*iq3F%<M{Mz<;GGF2tfMiycA89-RdAU0NK#j$j->k|j}k6(7z_wIqfhLR*v
zwwR%_7cc=I=wm*R*WR{ZmH2#RBO%_s?+dq_-&PxB2n$TvR;_sddHY_D6ms%y$CY1#
zcMG1LO&HDvtj3m!u_?L2yIz2fKAcjh?`7wc$^zTOQZH+}Tj6@?UNuk<U(J4xmX+Ft
zlf+<gI&>A1U%*ta2?>L0F>Oc36sUeFF6HTBE4Ob~ks0p0eR-*9ik(_mMYrGb@|r?#
zWMP)6$tiGMngurBokFE_W@_&8o1R~98#*MBm_^Ir?wpxn4p5=r@ruYeq~`A4qrAO@
zqxF|K)cZxUDmeQm==Fh)QILi))0;2@QmR<$`{t3(7O<hQKecX>9!PnLi~V6fx^~3z
z^I%yS<!Ksi*5O0Wj9uRt%_MV6oyj4|>%Bk+kL|Gx-K5`6TvSAsb6sdEb~&c+s9TZ?
zpgrn?#OpiuP>>%db%8#fnMXe8!-}ZXu(x$$Rm{kyUsmoyDub-9f~ixXCp544=2gsI
z68M@PVxm>Bzpp+YjwTBfJwxaK@?1;eh@IaonS;~X*mV=YF|UU@56^a;>p7a!f;t7=
z%<g3mr>~Ae#F{5>@%gNM$Sb`>b)43x2qyoxYbg|YoU@>>vetM%PVvg1wS+@5bqJ^0
zJu&v;H6Y{q#fD*wDX%rnViv~U8YS%Do)Z(Jc)ml&f!G+zU&*3dH=JAXi7qzIt@nC|
z#y4I<Er-J1xkxW)ZH^efDJ*DxbpchdS#vqY8+~oy)68%Ka%$vTOyqRK+`hJespo+T
zn=n(#cZe?Yq1Zy02=I+;n85z|+AOd(deSl6Ad_ioSN~AtZ2X3clFLFML;QZWl~e}C
z;l^#I7+pzcBrU_JP`;o!5OIm&t<baibSNkK6|gt2E9L+j#hPK<|6i~=<d1)0=2(_c
zc)V}T84Phz4iz<SLg_ZX)H)qR*}0Pe5u0S&gPnrW%jse9#o3%$=!9I`e$lJ_m3oQW
zZq8ha6^*&&f!Gz#!o=;By+&-dNw6<3@4whRaj(ErujmTqsn4gLGZAW{-j)uXD_TZT
z)r2K^;0-_V+`w~bn5M`@ulK1CB6zy{zFD@ZIluI)0PWbscO=5+?KeT7J)JTI?pA(M
z;fRZUnElD-GwM%Q^WddwtQ5d6(P$^CK5Q8_PZaJ&r4^@G^xbXnciU<+2|_p*np5X(
zfWjgPkm1go_rLK*9rX&aGfUR-E+rNCpn8!oyN%qun(`vkgDYEoMLqIzThHx>(G*7z
z)wqDHL!--bhu>(#D4VQCIUfOE4zWjC|FQ&c{xMh!@P*`Cb%#I_at0wrn3m%oI=Uwu
zf7A8s?2foBgWkNWSDhXRCC?C<vl3>8ba5o_{fSuodU((qhyLH0kkfDz?}-qC2h|@P
z{hu)N&+90F54Caw4$QuZu{8d-IPkv(j^&t<hMICpW8F`#1cHgnag~$fgZ5oQ_8uPu
zR@C~x=<oj;g6*vatB&x{wl;84(4vNNpOl%${0$1Y3)}eYhRT(@990Yn$y0g6X-sRd
zdy>%5!m+fuF}(#GnRL*bL;(ILThtFy?w&?aqgZsjD22X{v^N60Fv7{pv@hS@B=!9A
zeIPA(GC1BLt>P^I#+Y|}X{)A-T7=}0?U~j#qlpaf5dPFE>6;k)g`-1>`<D?0(AT4q
zo|}!4pOf;}?m4^<FaYtDd)(n<t@o}TVW*YyT4yA{-j%oKBIJH0Z~wsSbpkcFq-WYU
zmghddKKARU^MF5cQt>o#oB8lJ;k4Zsr9BtgMub01%6O>)Q|3SQZaz{Q_yjjUVj)=0
zis`JPGm{_;4gz{lz+d#9U%%(CpOA*%9$7E4)(bj1I`0VQ%p@ppLcfCOIP-5Tr$5$@
zP2xb%wtexB^7Hdw5s$Ta(36@)t&u9r0k!G}8R^f_0s4aEF#?tgNA2zHZ|!^&v&O%t
zS$Jh{Z18_-jd))mR0x!Q{~l~qVkK5AP*LzSB-wx>^@9lZ=Q@E<jUEw&p#rL2zozDb
z2i7L}UkoDBGCD%Gdez6t>*Ncm_%4T&gdr@*dHX=c|3Aj^f)txT6v>d*Bm1MoYvI~I
zJA1z#Vg0edV2fPjg-Nk`PPOlvN5oE~rS)FMYu!KV5P?JjJQv|h_YT1fih4Yg=o=$0
z#rDUv@sjL;b@&DDyixHXmJ3Ez$FP~3&y(OkKTmHRI9BGc9IiQHsJLrHetKD_i)c25
z<6%;N2BQg!y^orbeIe40KLLuZ)WY$U7tqL6i42(FxPbCoEAaVtMuXYbta`L>&i>RL
z+o7AfwX{$DN#Z0}<Dx-@lltMsFXGK#SFM~c*|Ed;qR8-mN3hEp+24l{DUpB^#1?M5
zgB+3uji7&PE+BO=1^0l4VrQ@pc>&G@;hqv8sTqL)WB2A_Bqe!vRAQr``N_mUNl^iG
zSByCLEQMryh%CT8xDm{EjhzQ>nDK!lw`&pj^9jt3w&dwUF33W-GlkXH-of=wHz=Q8
zsAJJ1{nrL@vnI%q0)lbPCI!g)$WEV-y^=1k<*CH(6xHnCvg9fi)hs(@WjNkMdr&%g
zwd+kx!yrjJ(zH!tmYj>;1w6jro=X*%@;m_^0fPJwNt7yeBY1J2bFa-p1Y)MRiH8rm
zeimy3%KFMY#1fb{16-ycjwswk-rd|cGvW#?voJ6aOlfwwC^oOg2USXUy?>8ukf2l{
z-ZU~CF~yjKLe><H91G6CO}@f+rHXWA9&8;9`9%&fpAT<De88HZR==9XiefmAZ^@CJ
zXz@^c&&{j^4{UX6U!vn`Nvwl|F-3Y*ZW5MdZqzt?U(UHd+t7QC>p+EpLLoN147kiy
z07@F6s*Tbl<IuxBXlJj3(<wMMG^9Pp$a0utbamN4Wmmuewx4pLR`WKHkay+BgJC1g
zM6?&0nZ|zoY58z)#!yiO2J}>}>cwQQPinB1w!U`)g$P}YRh~*z^Vb}Y;o&M;y&E<`
zSm~`Vue@wqZ{9bd#41(jl~WQKgAIaW7NnAxruz1hTd7aN;U-VjZVnE*X*pE6X*TzK
z186B~p)u5ET{7Q!qgVJ8sg8NL$|;q0vdtrW|NT}ZSq@@rv{yil;%S2<o0oMi&haGx
z=2(L;_D2Bi$+PImPR4s~tTjOk&<5NiFSorkJX=)Xj^pigu0#UC`g~?Cm4dl|g(<N$
z91rJJ*0t(Voj|u9zA)7r33hgD{I@t{ZtOlJetNc0L+{4xK8US%wldC%&du#)w?x<8
zelhQ1*uFkl;={(qqcmzD`Q&SX^A5K5C8V8$#HcQ<3~ty)2w0h>6^zg$;m>qS>*E?_
znY|y2zRo~Ti3fr*VqvP-OfG`7-}ou8hF4}0fmg;VOt_ausm?5K1UI1B!W(Iw=~u#1
zPkXR97r;_eIQt4gcPe(NMq=I2xzApv4cshOmi7poye&h`(K3H)VRWYbiRzy$2Y46m
zazP#Yz{?t<_8Q^zoSK5JV2`Dtcz~cvIuNc+hauhom%1=zoU*xOZW!-b^%Hh5_NpCI
zh-zEp`1KpmFU6<lT)AxanOzsGMHiy_#od>~pcOZq+6oCM2J3T)68JhdV$%>Xe6j*F
zo#2820ELdjWZylx2uDm?Y`wu@%d<Hq-N9Bx^2Gh%x%W*p%b?-?%UA1Z_j_X2fcDM&
z`V(jrVMM*@{%V4Z?Fzm+sft=a8e|0c*Y|09SKA-RAy$fFk=n8Z8pH<ru2TYWvB`Rm
zql52Mj{`xQxs~=H<7Zv>%vtB%(zi+tjV1->@uOaRw`KOuIod>hxE(_ewCmp%g`ZpS
zTUf10Kp$h=d29wQ&pewj6JW@2vQY%>MVQ_>aB8z89?OnkwI+uKikc3LgjI<Xc;VN7
zq@f_Bxn$a1STONiDX<x;tE^TbT1hd)Cj)8CWpz}ogEZ1wL&Abr|M435$R=B~Cq4QE
zYh;P^<F8tN-&-36w$R!Do3NJd;%s(nNY==dy7iLHl~<pmIzs5GE$g?CY)dVyQ;y3C
z+9(u?0o^@_QCZ0<i%7u63r9mIta`L(?O2NALN{c8$l!4^NQkXMbpc`K^c|!hPWj3*
zwe6mI-mI56jpt&~U^wV~!VoXW1&4qPEj+ym#cmSgc~N&kb2s&;wxa|cQZa`E7=(7M
zy)dNMt*G9)Gj3rt6aD1XmXqwb<mP%5*>Z7TWe@rq;;O*_=|nNE(;{(>=PKh3Bn7+X
zD?(zH2s2e0C@!TB3EWZ$1W3Qsc|N%H)vcXVRZDRExAF}EL$VmL$VC`%KE!amt5!;z
z+G?c%<ehx`#@g9AiIeY>)v|8@?Or%5;VZJVYRI3L#XnvmpFW7heBDPv16GH*Ju~!?
z1o9VP))}5kRx7Qt;AnGr4S%tzRb4I$>=jOYaJ2DGYDSu=O^5F=Ug3M2`vr+_Skuy`
z1`ovPg$Xx6^9#n1Z0%DAj$52Evhkh_BFyPg)tBu>A+~VOYQ9WTXF`@usrz*^e5Q#h
z;`lSK=CE7lmU|b^?K>gt?=XiSxcK$N$Y0jZ+>&P*dkl8^3D76$6x)BO#)pK+;VV=?
z{i7}w(dhiRc0LCU@Peai7YGovxbd(W@%0|AQ8#tR)UV$-ye}SB1_5xgeW{693OO^U
zqLtYY#mNYmNayLpaXZwR!-!aTV<E2$mpyNiKw=DSEK^4at>|%mGu{iPJgk*3Iy%z0
z_rQAJE9dEcc&%VAM^2y2UbKrQ(8O(5nTfsKBqB==aOP6hDs?N+Wy7j(z=W#!{K+Lc
z#2sRR@m-d^OJGuStj!M$FM0W##*|k+fBjI?tIP6ATx}l!_RQ1ZxfxxjVb)>kYRVif
zmgccn5Rg#1%F6ns60T<Z%BxLmlw0&Nwt3sZ;A|(*R9pswi_V3~V*QQfE>i%HgdlIO
zJ}QB=)xb_oTgX!WJh4?jovYT#_>c?O)J(Z(PUSJW%-6wmY4WR|Q_iqlD1)wzg546l
z#DYCnRMX@T@f?ylGFerIJ}ttxHVF<LywG`Xc1thyO6`%s+D?d`MK4vCoLK;_hahYn
zd5e$TpBma>cnI)GCAhgRn${S3ee7Jwo<wNeHGI=4N<W7=2;DBG-Hrje0Ij|>x(YD$
z!KAk-YN1Z0d8ZDY{uUVEk(O1d>xK621-HSYS0x2qk@qdDW%;0hW$-5e-f=#sTEr$#
zv7SOT&>loLe@0&J!5$U*Ete~V(h7TP4)c5HIcp_a!aU)d)5^8BXsK^=F5<FywFrxM
zDqqZ*?Z`;v6zvz4N|_~s4%<lv|Bib74w38CX)NtUP~TzOz+SSb-V$-69$hS?enDQ#
zE*vX*oQ-E4-p`)&9O_KMBDvD-nW8(pa3_j}e0KW#?2`i#bomg~kKuqRuAk-fYdB)g
zVLYHqFok|Chd6;1fW^pU7m|m|BohKqn(wIh1buW9ZmK6l34)6nmxh)XpWQiVnK!Kg
z22r63z}7kQ@Ezc~&QHN8$a3U%zuCRglNPP<jZf+f2Sfm=tp37dxt<QM)>>B})z%A=
z5-dm*1eyXBLlwSO#D*AjO0$A)rm?K)%w_CV2>vtBPVM%x)-^fM#k{^aeunizj{4V=
zHH??A^bu8v>*mxVqH;wx@|Afo5;NrFzcC1CW24mp*txeyRj4PDdyMxWS*^B5ar>E3
zScCLl7tvIe1><!jb<ys!Y{gC->7_lMP$`eV-PIe*OA4mGESn&oYFW1odl2;A>A_K$
zJjKuTo1#y3S!dR<gewWc`F`bU0M^C4I>5q(R=Q4%;xSX;8hCk4q35^|b1kRw_PW!s
zv4(eK&@*7r*Mm=<hSF{zCFY=4t7cxsjwoPEm9-w&z?3-BRz5zNRwZJ4?8AfPpYr?P
z&ViCSP@n~{p^BV7sWM!5ho-9aq1JI_+?X|NPDnMire_yo#z=s7Gck>k(Kb)ya`Kr2
zOQY<?boDs7h^Ve(>j;r(1Lx-&9XS!?lLCU@RP`nRyXm6i82TK9yWHDp0x50Nle?@K
zOrj6d3YuITnZO{9;G^$4Lr80HQ!iZ8eYS?zr)*PEjcSGl2wjZE9BxQ6wZKI?j2gT%
z?N&bMEP<IcXSkzj<%4&40=&)=I}euW`151cUyf@H7YR1o$GKgTs@rNyC;dp11m--s
zF&zhP%k>;l(Pr)pK{6;0f*q%;A6niPdduMrNJMcK1cewAKGI@N35f!hTSgbr_Dn66
z_>O0CJ-iOc4zF$9&YL4(!k8RJ)(Vs`p?%*dY^Sg;h-ZclSkEt<kOa$=aZSALwSG+Q
zxYmsnNAjFkmn*c*5@IY=*TKn~2iR#YoR_Zcx?)$<a8Z1z>gmM^!cx51zRuBXC<yT(
zdKI~sqM@=4*G#~kc6#y!Rvz1GV4!3jLutpPZp6^E!CV(CV6Ohu_)Vwg&NW{W({e8Y
zQ*fGpB-#L=jwRwart#V`wLP~|G*V}y)0ZEd+7p^uaDg2KV{jOGFK6P<bgC2FDvc68
zPt2;_DBSOitU!?ZWZv@B9c&<Zmw+W!Lt-=^cqzDw_TYJ}TUWJ+ZSZHV<6tfO>v;U*
zCvVXaCo3vi5xMtO{RoW*;SSEi*2DTj;z^Gtheb}n%jS0&vsWXPOW^Pn;De3OfqE_H
zC<E8!m*vNI+dQK?Jt5#A?M-7o(TFgw%sDJ^ua2naN+z#3nhchd^)SCJpszLy$aBd*
zmkisZbFZO0i^crQoetyA!hp_pXZi#Zavctic1!SU6+xEhfAF5l(*jj@qw74VUP!Gh
zDk-a;!e^QFwvcv+Ov63pnZH|Nw(mQ>YI|eLH$s41ZH*kSDzps1eG?ouuI3GN)N4ii
zg$D1(_&CjctfTg{(t6a3)ks&KXB4nhGsQS2(HQGyBi0>|!-x$Gor$0#JvY_DoODLr
zIQ-bCC4CIFa7X1)xt@q`Py%M}&NpAd<jLRcZS7yYoHn)YNNnubQ8`MR=JIHj^q588
zm!oI4z!J6*S|F&|`vbbbHNiWzDK@<{tegyYv1O>GqG6C<P+`6B*y(D<wvNYs=$m^3
z=MOWb`6sQ3=%nd{a0YH(M28YWm@9zF#=%)Dx@HYF!wAU#ezh_h?2`dI`tYj4+b4BB
zdNChmP_iFxAKEL2s6>7|>K{K{hy;PnZq5|H5eKCcG%oky_vVm?%}IEJk<~pfYhujZ
zBmf{%o+hOnYbwyHHp3jTxwr}(%5bEJHlP0l|7Ws!dU>J904JEwjn31hH4f2qY0jWz
z^?jQ%3<t5^tXJ+`M^^$~Y>tRc-<P<57!fKID)L3A|B@a+SaiXY_3Qv)RX+UB&>Sih
zQ3;*b1DNd-qXiWLmnr@`xUAfQJ?RG*;4eVoe*&HHNYVRY<+#&MR`Xw|DuK6}f8T$G
zgb=#){|Mq6e)s-ks`R|q-U8BPN8?N%JugQo>qq)G9gTVQlq(45M#*g%Q*QqaFZq5n
z+H+shHzI=m{0%D5(9O2#Y<3eQ00spx^Bdc(^&jZ(rttL7RroInQ|WtoQ=jbjk$1_Z
z_ryxbl(WBAjk;fc|BGtWQ3HF6*MN+1l=>y1wkUNZ5kb>^B8Az8aFn9s1bVRKZOmG>
z$bTNPO%&}D%?;u(RDvT24%a6W1?;Qw54R=!rat`hh7q>@IVuAmekvLojr?tJV%Yu;
zLH*=pe<_52ybiyxLqr~T_gFcR#W60fG&=-ZCVBO5;n2W~vDLI~+YW9r+H+5&^}I;m
zs18Tr2JdnNA>er%`Ue&pYi|ULJhIqZ6mlYp+JAj1L5kxKGg|bl9swbT(*u4ofG4wA
z{_6ok<}#>V5vF1Fk4r|^zW6sZe3*zt=p+AY2=(7YynnmB@1rVd!2IX4kR0=}4gdf;
zVmb;W+kgAi=2J;JK+qhBd-8;9NSrKnzgM+9I~th*7IuHl0F;xYAaHa+fcobYPzwPT
zMT+ILxsbd8a|DfsMlLc9R)&5|0|NX%^$G&z0ry`!k`BsQQJDxLK>fA${XqQz4E{eD
zQ=nRZ7jpl3o!=KB($sVRYp6f@Ki=41O^|ZA|8{<FUhcnZouvNn-`MP&cSJ-)h{yA~
z3b#7l7;q}m!wm1uIrSt?f#rgR?WTDh<imvnn%Kb)VL_IB2Qcm;4O}Vjsb{Xtj{@1H
zst=R~BS0U+1!^Uv)7w8}@NX$txuDX#T-&g*H?&lVu8rv=Nexl>Q3iDFljbK;TOB>v
z&&EnArs1dSle7o4_6zKd4w*nKk*5I(iZYo3R?dh&Uo%gCAtsAJI02FOBk8#wVn)>z
zSrAlXqIU}D=xupd2OG<fB%N7+6vfR306NcJ0;!cwq7yjW*nByj#v3PS71gZLuuD$@
z0)Y9z0bvCPn5uXioKL<hDMTQ!vJrq3ZH2wh^jH2BT+c~w&?tKoe!G}Q1HYu_0>0AW
zW>0TauM2x${Tg`WE!QQ_&XwyRhA;)10uSUv`|l5f<CEVFNKI`@)y!&yqmK;|t`fOB
zIaf031IY)+^#STcN9K9M5(x$YOJl4P@aH1|p-sG!QbVg#_~L?<Cs#DB$WMom-!_Y5
zim~I{Gb6q*NqD$LPdNkL9|7d0CcU--M>9UiZCaTJE|wW`ye%sQld&cMIYR43p{f*O
zjj}s4;Pz1XJt>lP-Jv-Rf)C5;00tUuK#<K66aw|!zP>hvWQW{keYdZ--p1z#MKWp_
zOag5&z{QnVH^%CWxc(YBd+Y<6^JFB9ZeJ=!fZLE)us2ZGJ7wJsPNNZs$^lU0y5r@A
zP(DRS`I3Y~B;(8Gk=7Ocblq%o72L#}!7YzmAl%mU_xUw(H{1Ju74a0h+g1=H+6$4{
zSCA||?SwSlq6mQ8)D-4vedW9MgK$5Z^Veu3>^GQ=Rvix#`fCr2SNsj&FZ>PQ$4Ylu
zUclXJqz)_rP<@hJD>T~&-PIA|L!cQ_1To<_rvmgK)KiCZdE=Z1<ifwC$9qizD0XH0
zjh;<>|4F-sq#!)=o?x%ZdftllRhTsq@KtGO1M~*kOYjuikP9F?;Yg;74ls5RT#Fa+
zGN#;*#B7;D0J9K6`+r_qqU!1%^+EbO1kzCTNk=w1BWQc3e?`Iso5fU1!oH(sTkTfy
z|I!!e;mOCnM87@=Zq*#bGJwuZX>k}%^t=%67V#m#hx3_5!1+e>>R{b2LK-d8_GZm7
zqU78#Hvkx#AbsR&TeiieETHK|!V9+9$$kOIwDap1+G44kcUKla$0TdDJQZs~ItP$P
zcd3XySHH|dkQ*nB7X3|>p=Na}b%s{lEk7Jm5Ao2W2tW&9OEv{7BPrN4-mAr5Z#P|q
zb`(#~6D^KonA{|J_74E*zr?a2Vev&a*=T7bMWnjpD&l25Jd7PITc77f)IInU8vu}-
z%ycbO)9BcFuX#iY+F07y>*}u<hfbw=LXJu!ki!fR1EQ5jxp?%RN7R`)=N;!qC(BcN
z+`wJk6fuP1Mt^ZfIP2b8IiAkT4f^X>9*B+~@4e%*mS38yFx#?|Nys4_&aM6}^NXX)
z%N@`XvW28fvn&`;gnahKob?V^2+)a@f4w8IT4DPdx1PQu=%?I5g+qJI8V-ljMp3!j
zx?IopPFVS0OAd3$+@872*jc$-^oXR<h{$M^5kUM51xlEJiTQ$p7(S9aA@@9(IE>>W
zzmjkDtc~GW<Bp=>#Kg^K+DO~`T#Fb>)(^nlzAl6n{o*yX@M%z_oSFCfj#Q;w@xD(^
zmWmuiDHsG#n5mGTV;4^LN+ryai?|%aZ=pKkLM%#MtA?5bZ}nOtU0=EsruKujE46Nm
z!#xTT2s2y(^i@s3sLE>{E?e$Mw`PJlOtZq*pVx|bR<|Uns}7;P`zAR#96O}u+ZLf0
zW~q-IN+PV1BS%|tSTfIZDt@`6SdiP$zI_{@9d6N@FHOFZKP_B#bT(K(%zP_cb2h*U
z$$bA@bB+soX}koSiO+5~?B&CCQS;h<%u3<_Sf{TXu@8KDi&3y3L(xcY;d0VR4cXnK
z#E*T_Gtu<}5faz?5#h(7Lb3<XZUqBSI#QHA#I;{#BG^i2_e2dXBbt2~WB-8Rt^6qU
zZ!6`mdL>wIbAiCdM*BDbh7m_uKDH_<WP#(8!=NpAPz=@wiC-Ut_3RDj0YG7o=x{vt
zvH0Gs&<KCVvA97a9gXThw}{GLGL4w)437+;7s$jW2J?%2ZXTil>^|jO^x_iIj5v+>
z3um<{ox*Rk;Gs>S&OuD<OO$L9vjJc4RgVM0S`OA!w_IWBThZWJb6Vjtw16$r)jfKg
z(TkHl2b!%AF+_z<^k}5m;h1y}Es+;9A=w=`ZCyOLz%`<~k@zfKcRE3nP@H-(Xo!XM
z-RDD^&T#k)$5NM680;j#Q@_Gb(Rb>0CGW;%*0YP~KM%=(qa-GH@`x^jz}Nw{St=by
zOkWa~{5!6nd?w2GGlBc`*kNBp@qn%#Z$X@*-0z;R6Jwl(e6TP?Hc;(g(~&mxDM=-c
z_d}EC#)^I$L`!OY&Pf_J2G432v9b8CH{isd>lRSg^Hs8lZNDmO=pBZx%2G;N-%7dj
zWe=z`-!@$*-s;Sf`MsI66rogc-lh!8$v8_aGv5Q_)@-{*%K|=e1!>nF4=roznA}d*
z_!5z{Z(R$Y(xE0-C}E?XD(h&oG46BwJ`Hzn#pp`{&0+OHy3E26m@WL|S2*lmpk4;~
zJdW{LP6j&(Ia8qb%3=+C<;mMEcbX?a6S9Hiqp#Hc$yqN)TwuLM8MN{Rvw9S~@4=4O
zp9(!;!Rybc!;rSeQ2|+JJh}KGq-*jJ>6)0Y=p;ZIa!odH{vHd#sPDJz+P+KJAYn?0
zDVVU2e8kF1XZ~n3YYEW#@RDy3`Gv1!K@fWP04$da1UK^^=bm9fohnsASC5Wy7<Yt@
zHbt7%yaR|-FstpX-Ne+;c5eE!J{&5(*!6k(Jh??^v+%i$RRw&10mcs>#C3Np)Vo}?
zlp&@$-kC-s+Pj7r_pTkaj&`yMa~yEQh*l5f%j9ni%Sh%r<$m0X=cr8gS4$;I1?S(M
zqL45-l!TTlRDTk28p$9(i*o__6Xt0Op+rSInRy<QgN}*xl!MCl%zAxq4n=2<%iloc
zX_H`cQhskB##`f>r)Ve|YuIs+{o=lPB-D8=BllA2#~^v${UEH;G_`t%G&`m&e0yES
z=PLjPhUzV_kuKxn>902_t1U5Ut-xcjQ4$#rzMvSSy8u?P)*8fMf|t>Zc9Qir>Eb4<
zO;fJxipkN<=#e8}ji$r$-AhL>XOy>3#&TJ1kF(hZ34;x^mz+Z~o1c1s?(j&CS=jxZ
zH+J8y%M0$R(i|Nk$LnBB-MFk9-VdR__OMBsIdBlSNVXh2+rELApryBU7lM;iPkMi)
z;PNuk)5X5-r`5V30suSur8s!Bhrj3&{6e1<lAWosyX_qA@rn+(O_tN@+||nOf;Piw
zmHHnm5QyglB5tHX*jEfWI8!i?){ZyUBHS`17U<HH2_o6D79A<-IO@k0LrJ-}I|MVx
zI}5X<a|kbS9GbPcI=(FR%&hjnCDV3sT7j3({gyyp!(sGnCY#C${Px2?chCfe6rlr2
zG)TMh&Y-1~Y}lrPwCBfJ2B;N^z>=Q#@i$Nux{UOId#o8@w(YHuoh-(qSg7GZ3u+#c
z&<fkG4J2<IE$UIRsPG|1%yS+^94oRW7SAq8Y6Xt9jlPqt_M^fOV~~(08841bN~ShK
zE2S```Cf-}GIW6Rk#gG_Oe=#=qIuAx#2kSekkQjEY1_v(?#eSgv$Kx7S#$@o-{xq?
z?HSeaRuz+sQ^(0wIKF|7H@(ojT~JVUr;aT4HKzH-$zj-;MIWQh+6v=`u&z8;Cc877
z{qJif>U?nN_GtdT+TWTR9ZUGK)iz2%RL=^0);)n8=mf1#XbosU=a6S@o@Jb-G33D(
z3Cg<3Z@jEe!dx~5Q0{Z#1XmkamTLR6jO5T`kk(G`wxW&*a9ZUZRP5#$!r8Ef9N^M1
zhdPgG1rtS}89kW7=^m0zH3{U2CS^vKv1iU$iv;LY*JWFEahdT{l%V7!(dqWyDmMMe
zA;k{LLuv%=No+;d{dcrYu&7&vEpp`M951J!B}7e?CIL(OQVzOm8qyS{E5val4Izk-
zJ8#GXDwxR|<yzF~UWGp3AnFR0`3MZFe^1o2w1>+FDMBp#xbJ0s@6S%%=BO$NleDn2
z`T%e*15T+q^d1|lYr_>W;b(jWAx;Z<+I~pdK<{FFuk7<c(ev&cJR~yIJ3YlXj4QS6
zw*+{3L6%*;Cs4i3N?n<UbY-T2n}OIRn>c0XocTO1_l_Dn7+h<F+hbnCn!L6=pQT;G
zZgF3)Kh7trBE%OsOqmt0hRBtOsW3Q})qcxF@ZBcn?_YRp>rh-uovH7+mZJ$tEPN-7
zs{J!Km>}4+qH+8(u^+Y0rG5wEeSP;4>)MILu0GH(Ib*DO*kbLVij}c_F`0>^!)VxX
zB(G~tVRw*cuchT4#Q1qll9T03Abghn`3Q(U)kR))TNj^Vl@sv=Nm&{oADCFJf0_QU
zZwO<ZrE@{ARBs=$59-+yK`Uj0RYxI~|GH^TE>)*3We?ez-A6ao7_tyTv8R_@b2wRj
z3~@FR<rB=e$tTP~S`;IUQ)kBa&x=*iGOC|gorePCo&2!e7L^?V(dzHrBTR3V<@tED
zhaec_WeM2W37G%t8(q5x&Btwt&6OBgsSYUTJJ~(J=v8|314-WDX7w_l2ILRFOjGx|
zG@5vuvUXfR>va<EYy$8+m>rv~+r6wymy=J}d`NXEjF)`cjK_>}OIt+hR18h`7xiZC
zNA&6%WBJbg5WZuLS^&n$gID@btl~;{G^p04p81gKsI$q8`0PD|PczIr(JAbJup{o+
zI3x`Do_tN@;mct>J8x#wAr7s#OV-iPOZ91e<L=!mdrF=84wwJa4*3_>Cy5FtR0r$v
zC+W63dy_9E_Do%vkQ24KxUXAI>sdZ>gy-4-?ZK4bgC1VAtl34&*Jj|6KUsz(0=#kB
z*NgN)@z6M%Ilz#k5WSsN<{tg!x8V_5oC&!5(cZb&L;RXY)LPk<qDNCgD#-^(SQnv{
zWM*&Kap}!Cu-7uo-WCp}p%s!TghbLpYPB9ssxHuFPOpeMz63vBj<-o`IUyPHTw$@Z
zUU1@lt<`lEf|{I}ZNiodXh?iNlgC<`XdY(Mz&k+br<tiq#!SbPT8NP<6zf$(=9^6p
zl8DTQZQp6JeK6f``QV&xna(gMB7mR9sdd*eEdvbODbof9L4O{Q>$mH{;U2W!sKLX7
zVuk3}{7(j<IT6k|dY?_E!cnX?KE6eHDkV1hfKDN7nUkY_rxHuT;5{w-{+<HiK*ViY
z$L~)F4*W%yh*QK-6Iilr`irAOVz5h<-aAnk1$|o2)vq$H(9P{adP`XU+z0CA>ihbk
z%5VnBc|mlcUN8BMmJ0z6aa!&Ih%^QcLJ?5!g(H32W>){8i)mJ~9T$6rtxlOS=Y?Q0
zOiar3Mx!h_bZzc4={#b%CL-IM{$^dL+4V)U#~jwe?ZH_!Ddhkm7gE+nVSVdx_KPw5
zT<k0mhD&(#XVH@+G`%S~`Y}}*TzUi!KmFu>18Fz?ji~az{A?*TbjZa6<uEkA>RaYR
zQ7KWVGQW{uysp$krKXLx%1Lh)Yrpr7Gq10e#5YkP{K{vg!HEv6M$#!Jq~Vl+*=#r=
z=iS?s3<qXf+lyH&J=1P7BsM455Lb`3E~8zh#cK?rKkE*jl?j<vuV2nEv1h~7Z9xl{
zjHQA?^+`VU0d75O<ZR4m-Ob}Fo!ncWQT4hy$i3Y_IcS>mK&&Y5Tfqv^QKTo?tb?gx
zx)uhSypV+5=FAKPcoOHL4oISUQn+N)AOSmLuFw72<FZIW^8DEii(>@Do@BKntn#h-
zdz0T4{4iknZFm5_-k?FDCZ2H|7Y?m5FahQnj*tbn=Z$88R!2(K0U_AM+aRAFGLH`x
zi8+Ww&B3dvNth`<5TjB<c?gq&rKlct$dkkbr|*y=t?gtA40&`g;_z0ibyT1<G*T?A
zJHn>fEWAU)Y$L5z*#oQA6{0Wo&>7|9jx7Yx+D4vGg-()^MWuuGA5{;anso3DPPdDJ
zZQUx;dTjH<ZSC7Xl!U^EuM^jDDiTH=hPD*q)%YhY{oOqXX)&nXlB8l?eN5{le<k|y
zH<EG@Kb&;*EI{|47`FPY7BE7Q3kSH~uZN*H2_J@{qa>+T_%LbtwrVG-<*p1S(Vk{k
zwI`HyGkEcSPx79v&Lro7F@hT#VY@mU_JuoLBB6#Ou!?NsSm_Qh2fgkZ5!1J6&FF!E
z*5JkSC!#L-mxY-AS7tsbt*?sbh>wyU%aFJ<N=m6?63UWs^}5A##Kw=CS>=L1awRO)
zy{tdu8orN(chF8ALuH36<nYiDgOpBrwGtXoU4hY1^{I<jJYO_hO!|H8yF|4jefpXb
zmj&1bL{_7RpKdjlK2Ya>+70cUFNx6J0p@eKXkzk?YFBRANrtcFf!YxW{rVpe_rH2W
z-&-GnRof0=((a{czEOm`*zXiqoWu^FMW5$$eEjFLkW@#;aeO3wWhDIn>^J-EtmOi?
z5`J)WK%9bKK=5F;B^faZCH+lDGWWWkbgzjPFalrDw%eP)d~$4LT&K!rwsj9!pdJp)
zKX#IEyamu$e(=b;pb(vWe2YiDjZlS%3KCnIEMCPR?q27p-}o{T8ONoZFM9e_1R5Gg
zy~@dvjv~<(`?@#(rs!XNe?;-o5G9l!c2+J?s#%ss*|QWpXqtdbv(J&Ec*njrH8p+|
zFw%s=fX+Nv45lbAka{%c<9G`!5K%V(h-n1$#2Udq8MlJT;hB1?AyzUbS=El0h<xAM
z9}5NZ%PXErSE4!Ma+1%B5F_wa8$`-vA-F3Lv_~jw5hsvr%Z_^ggJL~%;~m&2^%vG#
z+yydyW8-0l$k#_sHj<Gr7p*0^+jt*a7(Lb*?s3P9NE!}CNaCv&);Mb=3teNm^D7vd
zM|EU4F>L*H7jmE}q$YILUPy)~NmxQpSCde7vPCx4(IiJShb^=mxPu0QgKmy(0P{Ao
z;|)BWu|`Nig|xXH)F1yeH2v2XiyJPogoib2kB?NHwUA}BHq2xZKg^4b!$U;U{<MZ%
zz})!peG*F__hrFR&S$GeEz)s`M|5W?k$L%%M`_if4yC7^_<qX;nOf03!Ix03A*mBB
zh)~w7X4fI{J{<_)7*0K6vK1tc08M)E8n_rLnI0zc4Z_>Di{`<i<Cr|I14=MS8L4vL
za$q4S#E833vTG6>?x3LEG?Q|5K7ln7<KK4v7gY88Pm<@s`xAH9G^tT8n4MNF{F*$j
zl?#^9s4CIKl0){MZ;7(yoZ*xpxP!?l@W$A)I|>MRi_r0rWGk+cxmNRVdx0%yJ!Fe0
z!?Y%|5kAzxLi-V%qut10g<{QUF70{j5OkF1dt*gk+YlE7gOIlNFw5w1+wJ!K|N2b6
z&wzUf<swQyMPHHUct?{qMrhG<lKTis?FSbinygQ~ZGEFm<K1&!b^b>|+GKhApWT(C
z=g+^*8y|V{9!V%K|Dy|)Ar5S3*ArCvS?dFN`2%U_`JYpn9Di=tFze~wwKmmu<7x8^
zQCGyadt!3YrKI?Dv>9%GEp2hJs4Hu6Ju2r(z>;-b%Om*{ByN&~2;W65^|A_t$?Ujv
z4cfx3KwI3N8%Icl+V(RJ`ENgZ>mZS&9FH2yh4=XKZVTbck}j`y%Y8eVN=#e%jO7dT
zy6T{tfkFVGVW8tazViCstsea--=6{G-(xU;eftnA0g<MJ#mHs-yHX+t-rU_?v-y2@
z6X_~1o-u%&GS%nj$O<6fU>M*4pMC#)Wfvf<I6y7GpYp)TS|)DGJCR-iON_QLv*$i?
zzuP4`aLY$>V|~p8!lpAVJJ=m<t)YmH2hB(;OgiOnclQ13b^RIuUd3%vf^9cBrzQHX
z1im(~7vmtZZZu<XZ<ez=NiRoOC}0l<Ipew@=2lo+lGU+KtOrYV!Hbh6Qt0Xvh|atK
z9k#QdPAN%k`zr(V*UkU+OTIkb=93!3@0iM670bBOyy}jTk$CTzV^y2~yPCb`kSnrR
zKk;G=7tq7}*GwTxsufh9h);bnG_O*FnXUfzh<^Ka?<iJyTC;~2#3idxpC`@f#0dpQ
zvI4~KaL-&1rX&PN@CitA>cKT7K|9ZOr6BgX_3L}o3C>eJyqNKJ>-@Wlq>}%1(cUoJ
zloUDcw=)lus3$2`cp+A5?&V*E+lewCwR|GXcsuG;qp;G4ialcu)x0rejH&`#?xycJ
zgiQi-3=O_dj~IMS_y6<22SJiAvp^74?QL2o$l9(0UbPQOUT;|m#jq4Ljk2B-=|9;f
zE<`%_c~BoTGDpD?<I$1x_l_~D!5EnU!{IsBgzcZd-XVOOk2RN!P*aA<S&B1(ihSn$
z7v+$zwiV`m@A&lYDzk2j`EKu5WT5ZSLx`K2U|rV^od?5VsQqi9Ts9uA4;i}ok5fCa
z4PuiWMT<XCHs7apf<>raMTUtPu?7%1Wd{SDX<SG3p%x79xe>+87~V$<9H|)Js;ePb
zRO8!oKB>0)tH>J#FOt=`F08Jt$(LA@!9mGodpstd^m^T>_4drSqt<+t9>S!PJvs9A
zPdKfrx;3**r$*a>H5w1Xr`B|RiMJt{`~Ue#7AU~{4vmW(=`Ox2#hx@hP||yOpujOv
zEk#YXGhLq>iianV4B6_2csxZ6HpNH`uDZgByA={MXC0-a7QpWB33$hqw|6;`0#JEQ
zv(PDdKewKaDP%=@$aqV#6BU1SWM4DQd=MaR7PP~?_q;)Sk_xae^DfMeG$lZ4--x_0
zaAbXpzrDZTTH<<5WFj@|ivF7nD`UT6lTQU}Cyj~z;W5@S5)k1VGjdAJxUU3~r}XC9
zAX&uWAs4{`#%~oM4(YIt7TD(=ci-y<2ePyDLbfNM0W0(z_mqi&yLM!FxUOLIDF?j3
zLEwcZ56zo+^S966XSapq^c*54Oy2V)s3mzWvQAWRIZF26oXsHuY7?j)Y!QQ|8IeKo
zx_Ubp!meIlD)sIp#4ytmtev{x4HIJMiPux3K`?{MYfAc&ApO@oLB+wW;Jeo~-CS~4
z>H!MdyE6t*a*}fBQJvQ>omdD4fq%n}VL-9?IZPlbgD)BE1I4A#8Z{{|UF+ErYoSb;
z&9Q<!)MD_g$~0}FPgYI1*B|>;d=H`CjL4oE@{?EMTJWZ~*S_q1Gj$&`-Nk2uh{v+j
z*8s(25|{Z(O1OuViD2}z!5CxZVNyv{Hqo4X1!?9p%H0osU!zd1aG^(;)?e-Te4fG~
z_XMQH-$8QYtG%8w_r}TWrW3RdbDHWAh<OV*r#yIKT+!>q8ZeZd>BNs*&SU5LHlx?_
ztb;mlCk+?B*?v`&9SW{*Nz&bPc@aj_f@SV1H^B^kp!=N&QRaEC8%MQ2X6z(zCF8l;
z&2Z{8q|yIe)g;p(Gr4J=H1VW3_wFp>7BBT#s1MU2Q%m`ULiiDzp6t5Ow_s$&R(WT4
zC>@_^SeD6$UI~aXLS7d~=Sh$rKC(Lo6>cEFukk14BBXD5g}OBhGQb)x$TxW>blVc+
zK=%+G(JMK)jMPUJ+@v={x6MjlH}W<6ecs&_g~^s=CVBY7;tWsZg+TY^Pl>~z$`ZgD
z@7R4Xs^vW}9@xO{=zcUO!=MK!&{`o#?dbcIFb4fxYy1%q=?nEzPvEomlQQ0g3lLY1
z312UPS0aLJtykX5Emz3-`Yvzly#@od2X0KBDc2)xWLT)))pGdPR)h+iK$aA-R~G&)
z4VBhMq|kXZY1(;dB0HU7DN>EUu=hjAy%hM7kHbL7w(t0zgD&O(BqAFTIW>D&A=vC;
z8DX~{83opKWa-?Z#KvkCysD=IR9g8rU(;NC_n2dDxS>QbQSIoLYLXVz9yDBsVE~1P
z6snjgOz0H@!|C65bIEqdMVA)aPEJ=AdIt|{Rs_62w~)+pYxzFdr|>yeq4?^{#64j9
zR1e)F)6;C->kvWz2#61|0ErHRC1GH3@#!1TiZDj_Asoj2nPG(9YRK}Yw%laQ1W)PM
z?&aLbZA;eIR=*r1#G}fKA5o5X-}LH->zRCTXy9jbGwgk+P`I8E2d6g1$k02QX6Gkh
zC!W#V_*!!)0rV}rkaO-90}hr7bBvlf2?+)((9TwzF5B>+gY>0R=iOp+fqei)IY1m|
zqKI6C%>Q(zv{Y55+VZ7huK?}kaxxmHWzFz@`>l7d=!YWuPU~wranh8amNVMbesl0F
z>X5g>N5>a?Ve@|x{-&&isMgHY=+5Y#+5-e50oIRdxQHg1%Zm-KPJUthy_P6Yf)%{$
zXjJvL>tTx94=SFO`CgR0AwGEL%vmqDU5dx;hzL9P7!15*Q4=Qjegi*|ZvNfx)BCvO
zHmN7U7v#L|Xa*e(CG8Gtf!9=Cr1J7Av!wV+!{Y(e9%7gZDtCE}ZhDo$(60{5Ufts*
zDNOd!uXbbC`tu*Pg26s0=^~#~zf3>fNJ7ErNXKljS<guOUKmC1L&e~B9cn&{;(%|+
z^kItI^D<)F?Cp+sl{bFhqCWD&yB4+Us*CRjLqRc*>|Hbj46}IYm`Z9)G1)$X84-oI
z<us(-QeHPI9|*r=CVF)aUfs>V`*9V>TZ4MK&F92YVDPrxS;u6!_P#tBV>2fb>To;b
z8@z7|p{ylRC~~-r=X*@5NeMh*>G_7-=5O!YHi8XORPAyN@2JarL&4EA^q&au$ha_m
zI%f3c78NQ+b`Pm!IVZsgWnLAs(DPh1=Gq~g#p`JOiSE}ELeaxp8@Jc&V%$f=&V7RP
zw}PQIg);mwrG)J*FIatiP(y@7Cyv6S)hxH8Av_E-eDCJp{eCThfp9Z^kN(rmtlpo2
zfEQzUwKAdcDl(n_Azn2>&Y|&S%{Mbt`O}#hr)a(P=LJDiGjN`+1>i7%fmtp%5XqKb
zo&3f?awx0mIO$3wgOqYL$*(mS+0$-8l}ZD)gq4-n=Lne|8TM?B#3QFGVFyVATMov)
zB_iC*3h$-|;p9MxHmH5XVT<VYh}H#F=nS}iH9)I8s`Qzc%QyH#0=TY{;X=4{wde&b
zkDa|u@d(O@fgBkKJ`X`CQqBo-AwiiY4Ta-I(A;W;VB9v-`e3$Jpn8W3+dqdkQnQ;N
z;IR<$R)7^xo_q?E$kjC4>$iPl8<7v3Rv0MEIB;KhtW3J?M9IESB3Vh&V@D;$A2aOn
z^3sMWZR<CjUS`s8z@jfdBUPt>*Fpx=p`q}Pe2!&DE8hX-31Ak~gT_leNr2iEj6As^
z7Rzb41KN7W!Q?L0!VxfvTDbn{6!#-i&aZBgIe_du(gO-0Hek=$b+Cr??=u*%Yw<tu
z`wQnK$piDk_nmbD^+8h{1%ndn;qNa>JeBe_g~s(=ew`@R7#tb(gEJ_8n5L~eUjx^W
z84fPI(PIZ*gY#4fj9o1hl$@aP4Fdc<axmJVo-Na5etgcKxLs5ae9&XPbwET?oq4YX
z4m%+bxLbW%#e04%?x7Ms%ZXUCpK2MhnS~aRI7vj7P9!C0vRbNcJn)5*nd$dx09<Qe
z7oMjx=fc!fT63L$oUyq;D7=tD(Gkpq_rbvTQNcaRTkEea&5kyJNX1<IjrvO<U#N@Q
z&j1<{93fy;52dZ;_}Iq9Q&arVx_JOaYPFjnIFQ_c+Olz>$alwX!L?5}k|4A%2qe?z
z5s-a68d!g=U|RAC4l0e_2<hmgsyv9Nj5zGTavJsjF!$#1RK8u?c(iFFGGwMUQX!ej
zl*}YF$t+Vgk|CLrdCuG>iA)idc`70q8bqd)dCZWxkRfFFty6vPyYBaS-_QFz|GdBd
zzMuQky<O*Zo##5&I@WO<i|bV6u@rEOHEfptX%mv)3j^rlVIF+p%{q=-bs(iaf;z~f
zAfy+u9VY4a%hq*nFg1*r3jTl$lls7&^HDz_E4<(~@MJrqa`~z+vJ7Iagh3!orYfs=
zg2HhWQm5lfpwqC^?pprVZ=f1`ga>X_(cTk$hs-m34^BUa0*bx&yM&hwC@2N_Zr&j)
zVimO^?Aq_~p{pMfr$or{l;1$(Jp&EBAJ}<L&2#`q_UG~5;aflpC6zT^{xjpAVh${f
zg8fxnTMiN{pOQG`<I!A35XNEgiLldeyx~2N_4%>VTTOZ_MJzym^&oX<dPmQzNdRKU
zB|v&Okjp|!=HW@38#(f}uxAu?`p+gyNu-+b)=7gQ?br=ebO7enu)Yq?1a-(e%xj;R
z-6b2X?9g&VMyM?3-8b7;CStq=ryv?hYOqfO$%=YZbm}BaoL*QM9?v$*F?><-1gl?w
zpdaOREn~aqLqQu}`NO&7CE#o@<>h5%zVrjt2k-Clsbv{3OsneC2T(*_{Q2o?EDW(c
z2&u}#zV+Zz{6MfPv7pDFH$Xs~PrIK@aM@UZHN-NJ!M2XC)rYAIl6=M-0V8VUr8FQH
zh_MOT>-9+9$Kz}utut<iuPYqpfrTL;C4`ebp7(o_$Jw5HlOmRuTa{@@$cW%P^+fQ5
z+v1ht_QK_CrNBA}LG_5K17S)x=LJxJv|s|llpdiyGVkTGKF`HR;Zl%A3blSmegJ*I
z65X{I59SgEpR~j5KIIHsmfH0z_F7*U1Q<!9I8<AQ#=7-xH5$B_Z3+B7<%RgrmbK!J
zPWqbi`#NEvC2KE$<04T)`vc<Ou_GGvcrCWhuMeN0vGx|MR)+D}d``~}w*cVhw#Vy@
zf$%j&DIzB6KSQv*dbPfs=o|Ixl#s#mzy(PlB`xKY^I=Sn!ix9@_~b*7s2GtN2^YEC
zO9L%)7{O4r(d6_fTf+IRRZZIEH1gDWKO3M5e*u@CJBXvB*~uTqPIIwzyq(|s8DMYy
zHvQR3Z<`^Bc4fdjYvtNe=9qWn=sl9*ZwB&CE+Il@m$ps<v}?39Z93YYtX-qO3$@eL
z5;B+Od(Hv9c+0w}tU;(cnQQc`KL3C$hgEI~@oFn2q#yIvO_i0FYv>|*8832W)y&mz
zFX(UpUT;{@V^_HSh9X#V|2`6pbOjoOCMkv^0ZG-Mn&fb^i?MqMS=6(*7a{wq^Pdls
z-vo=1QShobW{`9N2jniJ!`-wz>*|3!Rujp&ryv=aM=xbu0bw*i1$ngd<(`g(v(KK>
z;GLJofIq|L_=-k!X(v5*($A~?v@3CDkwQ!F?+FM1sq*^~c;csSc{#C$FI?(rPO+JK
zxx8uLNmc~&?LwaET)6ml80;aBijsbP$5U=zd~q?n8)cKoD`Me7&4QJ4!x*r65=4wC
z>^x_*3GI~-085PRotNez!#sp6tbbI0iWb4w{{h*cq~$5x3JR<&Y<%I>V6MhN&!-&&
z5&dlm#iunA<G#t#Zs&w&Kva3x{Mzpb#)hLh?1}+rU`i%6F6CmXBKvmMvk>&d<2k6v
zz7)ROC&K=QBAeI23#yedM_3|~56T?U=lBT@aiPhDSzl0W2HYerh5dTl{Mk}|mp6L-
z?^nPA_bhy}j*8}z>X2rFVX0k`#BHrGyZoGNy%F1eDunj0fnW*1@JU%GZA!0PD@!xP
zS96P&o<6GGh*M5<z|uCG@9L8JHsLm}kG$yWsqP;D)C?<`z7sGsoypm~oJ`beTVFxb
z-zDPUjUAnIr}r*TWBhjr@Fj-#aGK1TY(nq6+d<8B-fq7=pUWk+OSM0Jt=DC@wtd1i
zEiMql$-0)vCcc_@$JG2hb=_e|#b#Z#W{|`EnO(dO@{C^U1F`jq?kxm%#_$`6x+q)2
z<8999*~Zzh;tku~kPUdHGpkvDvnveI`3M~Gg>D!aU}nJbW2XD!KF`Gq3pY`v#bXDl
z#_9$P_2Pt}F}Sc~5QlpKSwrzszTLSTC6bFLXWMU*ei$b{c|uh0^i%WeMn=iqMctF1
zZhrgF{;r%{FU&yB1;zrTZA?uKo^)TXL$FTsPeVYJCR@6byWJNb_DA33>Y2A({4-0y
zioih^Jhf|(oV&pNhaI}48*geiH{4y>WpC*`1Mp=!wAeoc_&8%+Q}Kp%_Rpz_M@1%y
zh_KJ0Rv3!ys$45iTLNAS6ra|uxdFSV*se53dx9~7l8$GdUh%;W96g{53DTefeuUfw
zo5;`gm+O+8KBcZ%sHHPLHPxdW!4hANl-IkNg%x2R9pa)rF>Jvpw;XfvEX~PcEuH?U
z<(H9LyrWrL^L{zY+2aFQ&&xbk9d3eWfEnM}XDP6S<LFC35AX<?46URM7p&!7E)IRB
z?_@m!7mMsLi5~qm=djEDwOx8z*_N|N?L8)PQsf6{CdIz84{DrL&@MgSaksE1KeW3%
z;dUOcOY@Z0pqA|aHf#W3AZ2z0Pw=ViD+4n6<!t=O{_3RmLRK-m7*OXP@i+Q#93!mY
z!>AfRq?+H&AuDZp>x4Fki3k*0i)oLuC6>a%LQ3AYC$pzsAo-|?(WBSYI-=f@5?aZ7
z01aRN4lH+7U`&#;%ffEb+xbi{OEc5M&!(unJfk4*Bfm~wVrCkjhL+PAZJ2~%`Nr%d
zZ3bY(LN&V6-Y}H`q0U`pg_4`D90t=)lONx*-Hy(}xdSn~4hFkj{x(5A=K6^4pgIBk
z=^rt!V@oXtg6-#+CI7k&P}Mg|^y=j+vb~qMr=@(1o!hm>ddDD#irsh8&4-3qoAz^H
z^j*`}lLw%X)YwT(ZLbFP5`W>wboPfE)48Sh@21Wx>D)s+b79EAia#|1Wp(tvbzXgG
zJGe#X>f{?$x*+fX2py6ooE@tfd7|th7U68bnJ8Q<-zeyC)_ybfauvRk0I$l`>m|Zo
zU<=*IYrv2287c4{5%Se|t7W*VUu<z^;V1O8&QG;v-k}b+yO(1*FaX>RA)$^;anPGU
z?HZQJs{&&x!d9EDohxT1pBlVy$(>ia(c9WyrvEg_uD%b{@?BM6zQ8K7?_{ZV1K9l|
zd{Y?o99ErqNvn<Bk$O7x)2hP&<b{0?7r1)LQ+(oq|HnOEhuyH7$5h86&SUl+`ulo;
zjwSvy#WdN3SmV;$$UNc?j3)sg5Hg6F>@LiSd?sBHwQmPR81~IX<_bHjOo4P~)|>sg
zvc^5rWq#$u!Nd@)9|#h!vo8wB0BCOh?KZHrbhxfet!7Nd08Drm5-mqAwyCmQs1j^m
zeRDc71o{n)(7imDOU|4<aIBW1$W11{mv@@s4X=kbG-8hJSw9Q~&~ZMarPT-Wf#eP_
zv^}0bf`Y+3qn9zerQA(xE8iTlp&(<RS9{Q?I~!Qh$F;}yT=0$ruPm7$mPzS2F-~?b
z(mydr-}8{TQ#!laAEhTQR|O=h=;QP2X2=bGTb^Vv-OQ|=xhThu4TyrpzG9;HP`&F@
znR5+b92kS42wpKq-IfPXewoE#NR!UzQ+{JM`Ra`}K!G?_e5(9gv2Jp5B>=m&GKoKI
z#KHjzH_5p8?>G)GsTxLt7D>ydht1Fhdq+LY#+TZ3U)~&<>6&>*x~GB;cIge5r;XCS
zFn@|^-Wjm`k5Ku=DU{1+LXl(P-U!gG|J|bQJ@os~?YMG+sprGW6q8?0zBtz)^Mdl|
z#T`5T3Yq*6GCu^7zU!l2LGwvsEfBhFB?^-oC%cOuCmel3;roH+bD+kAyq^LOtuCmb
z+j0$bpd-i&$x(0q-OwUQOQ0>eS2<E%JSKM>u2f?5SAB6|bpd2_ctEc$3Ir<V{1U;I
z_y1zm_SCM>c^viKwU1D>xs;z~V9vm&eS|G?hy){rj_4`-V-1o-^p{~w1qaj-$H#}c
zc_Dp|Dl~idK9c=J(Ki7qNMwc%R1enJ*OKJps4WmA7fDt5XMu+6fzAAoeJhb=1B&_#
z#SmJDp+Ls>;PrC%qM4as>w#*Dj4QP#8I{q5ZXiJ32Ex`U*ox8iD!|%{CE7_EoEMvc
z&=VC!_^P8M2*rj{!{Bn;pI|H$)tpdN@3or2$M{sPr$8;9gZxuidttmZ%ySU2q_c>T
zOtQQWdrA0A+@^?<$@<E?L(}ojI`HMmfaV2R)6*-h@_-EB_;m6bV^|j{h_Je6;ZMfy
zqW-}_Kp2yrPvq&pHV_Wjmqk3LX&Sm@6CH2XG`#=M?Y7rb(q3{8&J$Oh=ajSIE&$3Y
zk3mTejhSWB{bz%M7L9QnkU~a-p?64L%ztai0kV)6hObC^t~pr&iMlb!&bRxoW?U22
zQ?lt8WTEEw1vf0Ct3eJh3OW%X<5;xw62T<rI}~Vj;5T%o@~|WDW$TCEhKWoPdjf_T
zOZR#9!55-8o>;suz|Ra1%xM3OA))UQ0u3wGxF>s+iPt!*APE-+dz{IR++MGvS%(b@
zFDqq2HKv{<c|2U9`Ve-nDqL;{g1=%kW6(r_FOYA(7mI-zqhXtQnwc6UduX-*S>BIr
zgnmw6@uc^BV3oggbp{1iG2BPw+Tvud&L(YPp~$7bze68vve)eUEBFF@$P1y=CFB~E
zsse0F*D>?&z8;YpR`-+-V{1p?ZfLBcCd8qgCoe98NkA-MPJQbs5I9Ho5skYULsGey
zPg@;X<Hh9tz<bZGoQQLmcomEzSiv@kKd8R-=ehRr(SdDXRNs1Z8ngCeRsdpk6eLnA
z(DkETduT~V#Uv=}^y~-;aS0smXj_`sgLn+ET~9hD+W?w`ATb}m9T*3KtR&ws4c<|Z
zgNYVXr0DZ={D|+nBY$44ID1+6L%S3e0}E)GWV|Z$u0MmJmkVh!7px#E+H@7jY3E&H
z?lAq#h>3;+Oj{qthq-^uiW7MdzFq~=Xrs#lblh+^u<7m=$NX%*jS_SD%9fDXZzX=k
zn(Y7kt11KR+E)<U7w<9k4;R44E=;GyMvto&%)hLwu7l5-0>oEtSOA?NkD9NKElTwa
z-pq;7_=1ylJ<?HmWf;UwC7uK~WfO=B67toze+pr`*-n!N5&2S6f8Lb9$W@d4{Vh2F
zrloy-m3T6*uE1?hJY@lXHD-Y$^34u`vQb({3eJu8UaPtb06L413+#3cu*6UaPmz<y
zb&{<Vnvwb0<XMu9_{-X3o_kY89*_O&ZY8<_JEea<%>_%A?r5Qhz2&b)9Som^w%+7~
zF92t{SKG6=xs<~R5Ud&if)Z$vS_ogYffB7`&mLf_obZMF{(jO)8(vD5V+4dK0jik}
zpPJ0DGf9<nHxmvD+{f9eFzU**2=Zbb+b6q;u!;#j-)iS?d#@{iwIrP_b@;x&-Ziwn
z;9>~G+^T?G`5hK!(H!#<a*hn|txX3|pSn+mic(|2KC1ge0P!g)+AEOp>rws$txG*v
z?(m}h7R{}udhe*AF86d4Pm@D}4_DpPv&(9&j;TxG6aSor^4!k#u0pd6$jiyR^Ens6
z)DFk{t(I})lFX;A@87>GZXLZEGSw2#Qu<oY%!I<sAaBq5?qr{_;^tJz6pg=MBQ^k?
z`nWV-0V_J$YE@Pa_JCkOjMGd$hguWQXPbfBrOQIJu`vNQ`b&r5kV6Qk<OX)*jeY@2
z9H9ZjCZ`=JX7C=uOvaxf!w!Zs=<sUi90r1JEYOY*vN0GiSc>)ZUBlm#>Dc%O^8YWe
z@aSZDS)W~V)EFX04?t0W21Q2}$vyzKRuLHg6iY4>6sSVTig?8*8EVTf+d-dO<E7iu
z5!YL%u>p5{BK&fqZGh3xovB!bPwlL{s2TnhygI^J#m)}6j!;^46`0D;VT-z(PJI(A
zYS=%$2^jmvcAw!7VAsbR_SS~k>2m;-?{vlb`A}5S;8HvlPM;#8JN#TyyXoEd0#weX
z+V#m0aD~m^$N0Q_&4ziUR;?|E?Emhd{ylt1#Zul*$28DJ+bQ;dP^^K#p^y&g*XbIr
zIt#HwWrKA`y>ov4(<%6i2(bz5ho#%xCjq_R^Z6H62Mq;)Oi9#bbs7NkJzOGL@&K2;
z)uB}cI@DW7j4KnhiiqCravb6|$;M4ne+378^+fRt+WAKO2yBMg2InPjd`omP&-p|p
zC;CF7enZ)1)vVu`c(k}mY7zjSKalOY+knJ-ADQIAU|e_Xk)yV+5rcnr?eOGbSz@?T
zV-PC5jh49B2-m#T<2I=B@{9+uqtCv}<izj*FL2X$Z2&TE?5G79^U&-AowRQ~HQn2+
z8Q5FjRz9=;84c4ALEwFBOHJXzj%0tih&clAU+C!$w;p^jJOzgc)t}INjA9Ch8?}CW
zvsZ{Km5L<+z$<ZX86cGqQE_E~#{HL>CZ0v#yLU=?Z`TwXE}qL|WJ7uE%7@~wP@eR1
z1^*T6>kJ_Rm$CM$M27F0Qwch0xy#l}I=f|?$6!YW&GKDx+SGW8v4{xoUHxNTOjEBV
zc3-I8RRx_0uc-9>e?_|LYw%lMbQx7Sw4aHjvR8z@iTr8=cv7+UL$o{!ou8SVwdCFF
z^$K>+E8?WIZxusMM!^kzrWn&2p1*!f_6Bi-*|}r19JjD@JCYS@@P{v>?v_X<DG?SA
zZDUd>0(Tz}^D7e_V%u$*gF*ebAQA1qPxTKJ97P@~1(VI~*f;$7^L^`I%$yfgyD8yc
z8p8wO>NxAx+)kH$3%CAoT$m*w4!#WhOO`*s3@0i9hsg-mug8g`IyqUs&ToVAY+sL<
zEmGG>0~UhO!*tIW-MZx8{pGf^HyNR2^Lx73U+bxsftRycnEn`U2_h+UOAP+%{mmFu
zPXJY54mxW)<rw5TK4pv;aOKGjp8t3O3vU_idXz2xdtZ`4=QWy1LJ5LHBDv-0u3s#s
zQ98;U)OEuDdX|9ye>_X~159^CMa71?)h0LJ*$qYK;h(%YdrI%=h}yW7k=~f;;y|6K
zG^McjQK$Azy2Q2JlC4E8>2L{!cYmxI{pT>W2&1X~59{v6VY;DyYJfX|?ta$A$B}(7
zuI(d`(76P!qS_S#LF;-2(9$yDme2VLz$_<(%+L*Y(2F_%hH_{Iob@_T?^-^;2<F|%
zCEpxl9<(Wcnf~&UKcdIl^p>2-(#b!{2l2cO57#sv*awf!a$e}mt%3(P1p<zU;-5SM
z2<sR**gM$wUD$94VZN!g=Xd;~wNc?>;$Tta9Mu(td(J|eB?I*B!P;B5-n8^Rhq-om
zFm?|#3KQ#hx)aWF{C!*5R8}?~CP$Br-{sR$g;qgh3v^^+;97sT2J;~OV7#=bRTYFp
z0yL-?ul@k@xqCupwJR2%z6Oj07PHDN4~GfFBA2&PI1|dZ*6he!>n%$~|C2XUO#$hO
zK-(2MePSt}TcXFr$9#WvQTNF!&_RiL3KGVjCY*I+=Z?rYav2dozVDvl@a6q?K%pD_
zNGLAznYNebEw^c<gkZYSbhw-}=g_<d?QVg0UFEdD#`0XWsG2HYD*?7mWw(?2O}C+S
z=p)o2{;kVfpxzy6JK&eo8+=}d9noyq-Jb^jaU;Qh5_lnP&^&#ig&dyGfaYMLdepDy
z;|cP=3T^TrXb#Wp48tYJ)UP*2xXQUe)~o^6gmHx{wt>!CGxR!_3RA=Zq)iz!AT#I^
zeLMd!m=WKZqsIl%>S;G_`n|p{dz{=e-G)2>yK4X+X#v#ksqx?SPW|Ym=jW4Mhsjo<
zuh*#S%y-4mxshD2^g?Q-4m@mkHh<5bl_DHkdxafx9hCf2LCNs(Q}@tNmE*QskHukx
z^Yp~jbvvMn_dHL7UpN$(Qg$H@*PEfn$PA8@LV4LHAon7iBd~+3ZXd|vg~oq#a86HN
zo#U;0WG2G>ZkYGxP~w$_%k-HrJM_JLQ?Yqr@5K2*ej<U@nGVvW|JaDG(4?IXWU-Z3
zgTR5Rb}8!ZMt!%!75Ux+=M*<-^=IvO6NjK6J>m!N@6`7DTZRvO2TZpwg297WD}55Q
zZ=TKcm3?CJ21ki6Xcpq3x?1-PzY!Rq6!ZNHn?PMM^hPyubPGLf!7*=C*L$81|EVy(
z$Z<=jm15k_Zw3@#8NgR9f(`o#EE<j)S5|CeSS4!`@a6wU3%CN6&Wei9O|$*#nC|tE
zFP3(1D2nPomO@AVJG2z*VeDeECZW9q8j$4^Wlu6=T;)VBc+y(|@@DIGSDoN&Eka*4
zJncGk={x~lr^jH{iIY3@O5a20w6Ue(p1?g&((_wT$#vK|J(-OKT9J#j|Jr{9C>XU(
zSdxzrP34Ak>578C*}mTqp5s`@u@LY1+`{^dBC~f?-7jwB@8#FmjFkFbcZo%RwDwg+
zp};7%X!X-zOP@Fa=MKBG0X(16LH|@6;x~K+s%ShE24go+3IlC~OF%$$ubw^*jb|7O
z9&<!b*f;^Yf6^uFMaH6gCNzD?jl>!E;<rEwTZgznZeGy*$pDjZA--~!Zqr-1X;I0x
z8*0^R(l4ILdH!`x0eu|8tXryb!UuGTKTWL>+Vd-5EmO1b-S>bW`VO}7C&#kwSZ{)k
zApOhFSbl?1$o51$6JeH)^6qwxG6(bS0#ko5>rpfU>%gZr={@4DtAX|FYR}G1ncv#6
zP%HfnR_pkor4NoCczp=K(WCiVg|HNuzofD>)!tN<L@N+EwVr7(m!+HSm=qg!v|I(I
ze(@;*l(P70-Yv*RQncTw9@d%Y4}wiOWW_3U66}FqH}Js!pRWI)KE?lZH|1Obg7!Hy
zFwLwIn3={5M|26Xv(VnZ2f+NB#d*M_Ln{fL!xeFzj*Ls|Z*i)CO~-r7t@u;ULKkeg
zP=U~ta>{E=xnkR-6W{`u)YCwN%)3;kk)@S=@HZj2wkH#N6U6O|J-2n_MA;MU@|6V=
zDVl45KXn(bG1gB2lHEyFxOG2e$;OEOWs=|j@Uz|jAO=^$?HE3tvjB6)wsZnbQ65T?
ziS8{yvLXl_p}=Wvu+ixQ3w@D;7`>L%rmG4NmsTJyJx)t08@h$d9-w3r#HC=fjh$Kr
zDkePI9?0z!*<tAU6YiAzDWB-^6vdOBfzyFNQ*{CPxW(N<hW?K?!2?Bk5kb{>xL}2J
zXz&}MEE@;7K69s}lKn?74hzW<FkzHUP^P{6co6ZgIO(_}b$8zzP^I$#5F7fEsgqt+
zfAQ@K*h=4-efvDw>WNY*&ZQ)w%^TUze24N@ZT0(?rmQaTW|Bqmviz#rHrW)cWgI}-
zGG@S$?Ku(V+Aq8cW=;gK2jUs*xZ9&0XxcCA1W?x_nUgOHp<9i}yj%xPDA@wRrq_nj
z4d|f3c0;S+h+GdIN|!eg5xYxmY!FbEBZ!`0I2FqO*t>r~SLeD_Yi^SJ(iFXGqTq@Q
zx+;Z<<V3f$hAiz?xa+1EjWk`IOFr`(mOq66DNiN6Vj?m1<YD6u&A7Ifrz;$F2aEOQ
zr1bM0Lm8VxTzEd%&Vv<qnS4LQ6&CKE3{^O>k9)+H{!VhS>2S-4vb#N{WcR(~v7_bF
zz4lbD2nD%c;awtFm(+G7Wo!L0B7wwhM>pG^w)LE}F<`iweVYiI_otGqTQ?vH0@?S8
z<rDOhT6Io6;sS#s@6!AxK_;}H4u2=&;`9|me%{MZWFl4A29<TRGWVc1(`uJQOCbc=
zLPu7u=UN=4510szG8=u}<u?JlRmOFE-`X79x-*?$HLxxPLlwB@G>Q~Zl)eE`T4KV|
zZo;L!JU1^EI3X&4Q)pdzRchUN_TbsXD^n9wEpSw7r;s1^SlEGPsSaQyiHuK$dh$c>
zEAMlPgyW-C4<G@czV@MK(;bhzPS@TZ4lG^}<MhfYSJfTY7@xhp_Q<k+AFxY=?fS$=
zc>Qwr(>%QW3ero<VEMmNYHF+>RR7d5g)~e=`>J;;M5ONc6}s7E5AQra4+~H&y!<x&
zjA4KI^$}$*pGt6z8beC{(@pn}n+eojq=zm(lKEO;jQC+l>C?$mBp+RcG;If9QpKYI
zKxEGt(o1XZXw@<*zuKW^o^9D|gglz8&n>BiEk7PVcJ(OSeLK(Vq)qBBntRKkZ~}-^
z1epLbR>`)0_J(3VlBuJ{>IZRCoBb$nI6{qI08YhNEh67Y&Q`2VWp`W}^KwK6(2e)J
zou)0ubFN#Pe15WoS#P$S_7&XmSEL876ZF67$l2!oAvy6npMJXl?U;5;`n}K@pkoM+
zS{MN<0a{DeVSt3*SNrZX2csbeaPnqlK$FjG-abj7FX~yAwXD0!Zb=dsnqMCHn1S9(
z%(mwM7_Fb330LY5(k<0?2_=7qd{0)#!FTD3c0F`s$~C@%Ia6r+xu=E}!dsi*bY2et
zoO&-<-@eW1kOZ1$<5UUQfi?7%Ida`QWXe(y;b`~>j>p&`>x*{lz@ZTa$*agYhQxf~
zy8>QI)^wItwdyiufFU&ZcL@vsxy~-A-8z=B!`{-6FW#XpQ~br*y!4)#U2XklATZ<a
zAhR_mk}D{uKJR=tbJIY_ewDvY@>TY0&6bSz_JVSHq%u2FZaxR{-pgJmL2|y@S+z<3
zI)AvZ_*sFS?M;B)-(d6}dwS&bVT;^c@*I_O?AWs|=j1iFe+Pznu${ST{XX=~W+0}H
zr=BTGbxdsbl`Nf<(y<TpUd}7nY2ebZ3jb2d{&8U22Z0gs7b5BHG!YyGAD><iQqDh%
zQQ+S^fGe6*iRFYZDkZ5KnaF~FrNBgiBGe)f3Ugz4E{^$>{DbtQ`q_lgayOEHTyeDA
z^Hg42sTsbXn8l#p(iAoe(c7Sn88;{c<CoJc`z6gGYzz5zNKCiW93x-OwuKcTiWM-6
zSTCY!8K$E-!vmF`FW6vS!7jXVU?VW8yWTO#iFzk@$Fi<*GbRM+-YPL@o{YQ>`VeeU
ze1ZnoU~#WUq?F)}zYE!4+Lq%%eh6Mdhi~sMxWGTulG+8Nemo%el75g0t(o`miL9q2
z1Ui5khN>^Yl&@Wd3aA;kP@LkIlRStF$nSfB<(WS72^X8jPULOx()<;=GTi0F4fDCc
zg8mL8>&IE|vC3()!q1#TfOWCFu1?`({4?;h3RJ&;Y|^LV2|*79?G>nRT8=w#6?Z0o
zdSTGKW}f8q9*8NvxCAQM9tPEFTWNo~KTC3`JI=#t^5=|5k_EV8AJ!rq^LwNDykZV!
zK6yhcP?;a`=Alx0JA<?z!4J-&hVB>OXx=8fyH=KG($0SyOa@GW6cnC$U!9<J0(9`l
zoY}4~%JSi>wl>{)AWLezMZ=}60_1n4mY2>Y0v+v7;r?MTOihTyvCgKjctGaZG}W~N
zx*|<0NFQ*8H7X8hL0v%BZlQDFii_Xb49zW7L7<(Rh?|l8wFvuja8yo;=mQ1<Xd4w(
zUfIE4)yi~rz|$HC$BH^-S6k^HKy$zE+O)dm-6tKbcT>ydk9n~UD=LIB;zvr^I?8$N
zH^E8jG|;<5fo>`!dgm@s)PP8kV}PRCRcjEB)Si3%WDaU=Z3!5>BhS)0@%$}hz#Whi
zE+qG1E%y013MLlP?gm(hsaY54JpK)j_Cb@?83>*n2Vu_y`}<qxk!@o!Gm?TFw*Tnj
zOe#Qne^2j=et{H>SojE*(hJw2p@auwD~ty@Y6VGiW1@tJ_6BgK7*ATdw5BO3k2;qK
zYe$uWV>QxxTr7oi@g3M4?=aoKQQR(UH}*;?bgaIeXnptvC_Mu$GX1Z_z3B6~>WqMu
z_Z|MHv25d1d6MF2QTnaKpz^gF0J4vzpvm;8yy1wjc-nV)po{Su+<j%|>@XsX)o6KS
zK>#=bfc59mz>Q$OFXlW8Hy~?+Yw5vrp;#*jUY5}6+I9L@_`;d7SQwNC7Lw=jIzf{&
z=e!QUt4H;XOX)kdDq>)Waus4FcY{_e(RDZkW#l~iPoLb&TeiN_SmoNPA81BT;OPby
zaiIVydhJnt*s-;M|IuqdRuJivH`m@?iPBX#v8vDm3TK+hseWcBD={Xx4b;UP1fZ_#
ze+bm&aD9NWIX6KnVCDrvonnOOOxH$bQ;BSYcNRaU##kEvZy{tq^P>Sb`P{Zi?)++c
zeM_>kEzRs;AP6B-8EA>T5Cv~v>*aE{zjcrVpacXDTHMh8{D1!!{w9<H_4yDSKx`4V
zDETP+Aj@^iH30Gf+4rCVK$+;T^QWQ$Evh$lJn*f@HO0APn6{siE9J@#AKBR7P^HBW
z&e8vO&$9Czc$8jZ6W_gCUN!*W$`V1jSZfR{0{GpiYXiNca$Dv9tSFheK^}Rb!f78g
zY^O-iu(`({_(i}zXr?kq?NjZ$y|#l5s8h@??mK*S^vk4}(dMD=mPO(&wB2)`T;xtn
zF0#k8P|?YFo_kYPFpn2rUbNi<K$ZLDz{h`9;lbp94n0wn<Qy5zu=@}8JT;cz7r&qk
zfP6X}?y;(s=$VBNR38G(cyUj#Azh=yELwj-CcXq}6SV>YhFA=)Tmm8uTbbB5uoAt&
zUF*9-fA+V=Q)JDR#CL*PMfBS94JpQ8$Wi3?GVlB|Wc?Gpx>7(`pci!!L+$Utn;5k}
z{Fg@f+_4?9xCTrgd48Ex3$D&Wf?4QKTFJi(C1FL#@)b-bMNeQHR=I6mf-fIW_^pt&
z2rr~0!miI&w7`TXm70akKCfhoBhY%~2o3*xi~UBCXCTtY=D<z^F))2|-JaTQF>u`>
zmK`{PIk8<}=cQyzYJ72Gc--Hdgx^bH<}}H`8Q7C31$BMM4a7izJcKMVk6rmtEkAo*
z0!u8~v|luoYD%QjggQQ)5<5!ei}!xf?`6jyB}KE^AU*5cck|{N#~-&3t`TG7Rz+<Q
zxkBoDnAT)7_;MSw2u3kyFMcUd2K_tOU?C-MoO(|YmTdRpvo$k0LFr0COIHGq)Ii4e
zyF1x%YAF9F!0dm5?*ua9ij+o-)>?q<H@bqa8~AUh0%+uM;=~=~Me3JoxXEI11PYAJ
zUa@(JxW?irM?ri6v9AfX!2CK~LWp|wyHfZpK$OhA-6I1+(pbb{#dslkoCNH_B4B(4
zV~AL<xz0(%wLSgUFF=m=nwjs9-MLBoS?{B9@**q|ltIDrG0a?$G$2|kZWv=zF;p{d
z65XNPTtlcK|3^~s=d}Q08q3q(H$Sps(qut}Lw>;`94U8q!S38mTSpgFkTPR4Lb*rU
zQqXFoyyXAIV+7L`%m?jC@jtE4DzQs}l#d!4BwJ){zq!7u0knw)V~^9zHw6bS|MA^-
z5N~l+7axd+3;q|4l4*&9V1U_#_SNGT5&Bwj&vVEbo8@tPF*b=}==B!<YhCt~|I6#O
zci(UQ`ue#|+BE3BJirl^E|6k4cKG%IlP1An9)AqdG+JWOfw|9)f|E8}<0dl^izfeY
z0qRUhh-;`nv+Vx6iL}mL?U}RP8N7hhLV<@xl(7du?ycqm`yvWwf?oKpJNHE$sDgHD
z<EVEN<<<P1S5+Gm_q|*DTh;|}Kmt~*nCKHBCbhz*{;{V{f=O7{7lbO$N&Sby>HoFq
zc7R;Ue*d(<IX8dVy>J~Va=Z_RnZre+kQ7m0|Gk#e*07fU#`8lPWhcCfH)LI|ul-wU
z4&+88`g8cxW1)v;E%<lFHFs~vkHYQaq=>jOd(#@307h0rJSmz(zZd`XzqfeVAd+r~
z0%|@n@z03^B6zT)SR&SON)M`ot2U!-yP0!jaZJRQ{2@yv|92DxA>8xZOMffLe0Nh6
z$?dclCciJfj5Cq>{Ufvgy&r+|>j2Rg<XY^{f;U@FYinfQX%-aj_m-?|6<t85GQ_W?
z*_k<o$Y?xdrILL5p-IWjp^E=NaT^Z_GT;cWF%_5mCBpqv|L6kf%KQB6nj?Mx^#y6w
zsaGd<R)vh6^=@P>qf=8RCK5m!eL^7SUNW)G>o@c`oBiq=;6dg98qHd_j|tI!#I?XV
z;Q~&*ursPxBp^BQEU3s216LJQ=xH?Wf*w>f5MNn^%mMfsD+Va$Gyuh(&rVwoahi-&
zL`_RWUT9Ps$(|s10XU&t!0>zMG}F}@oUFgd(qXOF09k!HKre+Qzhx?X%d_=&4mALs
zFIj^YdLYOU08qnpV8#~#XfOX2pmFuF#(1+S-IYUP+(DXtvXW@olU)yOsc5ll>oIJK
zb%cMeJo|G#KXrdJ`dw)SY%v~2CVD*zWfVAyrg0)tB*Nq@+UUh*cMDHplWs-A4ntHy
zYHZAQ+WXLYCR*)i6bP^ScfdrcEaY%XI)aD=A2ZYvyr;K--Ux*Hz4P=PKo=ZEQ@=c?
z&gjAGI$(6T5;Oy&AV>YtelRI83>~zxZwsJ8Iy6!n!FTKe8rsJUBfK&l+qHD+(@)=N
zY(Xu3cop#}V84k<&&Z{Ro$gSrTs$i)kk~JE$q;<mgs%-qjqLHWd2gC}IRNWgM#>d%
zEA<a7DIf;U%h2xd%7uiJ?k=g#&J!QxkV@zj+jT`{(xI^=Ic2s7pFV(s3u}7?x-GsC
z!6`8!%0Q#x+FBo%p$rDFQ!g3F-%K$p?b%3Dh5ztCu5zaWVTnD{nZ3vL^_^+ycN9g4
z`Ky_CNe|pnZ|D`60R1lK;Qc(=_PbC1XuCBZ(r-C4|7!KFj!_hV(DCh?YhQa`k^AK&
zTsbcmiay(g(Km5_Bt5T`V7J=8eLa8Bh`=t44@NcqcOWO#15{|fGB+gj_~-IhKFIXy
z>u`M)B6Yz#omliCy-lU0jFiKHfmM;ONv+EIRZT;ZpCJ0EliS6PuYMCIj1ceQW=S>C
zYXe8nxIR>;eh0cwh@Ej(FVpn<9)QlepF)Xt|H+3erE6)4?GC(S6QL6Ppr5`6wSRA0
zm@$VtXe;YrjME`d^yXwfzI^U=5M>4k(llT^80t5m`C8whq6@Pt^cc7~ju;Xq0ry})
zXo!!#N_8!3@}(aVn?1(hn$VVKcp_HME%zKKan=oV-Wq{&@+Vo5q|BTA0O#T}*FDJH
zhjI+qJOP~7fQpV;%GEyS1!(%-BeutW&&4Pp_Pw=vk;CVq$6-B`?%Uu?Gv`1_I>r|C
z&&Ef279jxb1$F2_0`gErZ<sq30}V07O(@P1yr&py*StRJac9rcX%(PD-_&{<`WAPf
z?abkl(}T=itUGdqY*BZ_8>Rp>wyfF74$@p{ZCSigKfs)0Ts3e+aTUOWCLxu_i4LJR
z2d~4l(FW67><kMFvXxhqPKKVj?dt}f{Ea^^dKzcWiUNe?0p6~6uXt&^ItBTIhfoa{
zRvhCePDv&g>p>ANyUt7nz``9s;@$(`r}(xN6>|_)%;Cf+hqsHcFBbbLU5j0;RnhtQ
zHidZ=*o1McRQ%;6S>z}67g?=9%+~GYmou<9aYn1A2;_Z^uhS~Ii}EiQtr<b<qx!jN
z-F|dqjh457z76T-dUsj1Y88|xonI&K24ZX-=ye#?B0&(Q0$V|fI}AYZlKmQTE6^Z5
z(zdJQ$nsuJmM`K&0-Yw2T&AvnWL6B+pQS|;<#+)#xvllo1335L3m{lZrnyA1FL19+
z5eUNcHi54eTzTs`c<?plFNSp^0in#h+4aX^Y7pGa6-_*UJfV<v>J;GTEt<M~TT$s}
zr@+JM;k%k1t<r6qpoyege$40XJWtN;0ZpD)jC4|dvIGSBq_bZ)m=`+?_FggY-tM#R
z->8jeFih%!CITql;`F++l$1Wfc-7#6b#cp6NCg0f36GzG*1=<GOid@>>H_PUBM3qw
z_BT^T*ySRndU3S2PTSQBTjefaS>~_wh<QMAX|o|}mL;|c=yx*-!rr@;RdnK~LS4qy
zXn+Hsr<bu$psv>PLFfa4my6Nk>5I{<B>VGRW(W8|6>@CPCHO*lYut1jkFKuYJ3);<
zc`GDHLcO}-c-(7oCVe&{gDomrMMy+nU^HGbHs#&Zg~Z>%7j5A1VP8!5iEqze&)8%r
z4IZCrc0)6%R!fg!km6$$y!`VK%2GJKx((kxYELS73YCEDfY(pk1xJV%O{!Y_<s->?
zn*1xxvW)48*K3)J9KNVtJXhtE=e)@Nc%d1XoYDlKqCXmKKzuTW=T};PaF<VM+h(g|
z&vHAlAzC>a@-VbpBjDxb-x3YQHz3lx^K<<Ub3Df!v?&r67?Ki5==Gdl+y*~}I*&)a
z)`>1XRu;$m;Eo#wf0yILxyd}4#F-2H$2K0tdyO1Pf?0Kr3{??D1L2bqv9YdE6W}s&
z*E+9EIZHd27r?~(t1s>1FM<59Q8ukJoCcEHQ=Vs+zt)HQsur6W<|a?66|7kE$9JpV
z<*m0&@jM6sx2uMnb}woVq**?5<1uo0`1y5vqJ(2Qn8nnt1Dwtae)@tk0>+hnjn-%7
z2urjaJ)@FnN9T!{dTeoh9wn7RF(h48Hf8_CmyBniV~Vl~6=m63Ems-l%5~@uXZvL*
z^JjlS0yDoWVBOSIwN#giW?ii3cwYo-wUKwX?}1JtUWt1x(1G9WO}yQWnVEGRV5b$6
zYpd1VAazqrSU7s2l&-_9>nRYKwHEsyGI+{l$y@VQPDGt6?=NK75Pn{HNNcdfuAdj`
zERmGyNZ+-ifwV`7rM80j_POr#eL$wmSNEMj@07J-c21{gvLsm_e8Ep}iB6WjUOadi
zLYWX3uiZpbWb#nf;9RIcJOh3N7$7gEUf4ysLG=H*)8B}g8#2gqc|SdHa@zUNfUFY7
z|K{1=OB@E-+Wf_V&lxtB$ALg%S9xZt1UmC`LsK$atGChY@7kxup@Z`ZI-8PSoOR_9
zR7($KVJ9<@91Xvof@^@;&rp8@Ph|5^x@xE!)Q<ZxagOT`CcO9WqQ#GR%fKBTf6~2V
z9cHvdzBI6Jc5rs7{%AbG83i)p^DvN)Uu@8$I5Ru#DmcD0lEdaL9)Q1mZov^=-TVvE
ztX!Z`iwso*fEimPFh9$Z*u1FrwVZ1R)Sd~m>iSzepC0PKr3eISD&jIk{}CI$(sXz+
z@zhC1Ikk0WLNhbPTAAIR8Mw2zIugkGFS|lQ^{5|?*~)T#GlAbG5c-bpUtlIm^ybFT
zcP0BHcIEI5I+3uwJ^DL-LJ%;zR=#vQvg~)yJg!)KxHLPQ5%0`r($Ap#R)1WLmC?{C
zsxj$=4s^_ic_m)jA6>D}*ke)NU&he?UB%N;bzSTV4c;&?=sgX`=PxYb*!y*R?(_wF
zknh+*oCk=^b7ke75D+Md8zro&8%#dE!szu&KEG7vQ24`h?X6wE@42eoc}i6?Nl%cl
zs^VRntq%w`t+FQGccAp_$1Q!QLzNG2OZTi_noE*fFDob)d0?lP_~glhge-ybYNfY2
z<DOO?-fJYw(EdB@A2Zp*2jsQ<(JQ-r`*2XOv0i^_u@{nD;oh5jj{x=YxB*eNZfY;f
ziSa`dO-iU)Q`){5q#DLmS3B4^!LT1#!J<{22~jX}r)_;kiO_DV*tTcs;<Yv>YjeZ)
z>~a08$ajFo^RNp#$cH*TBN_3)Fy<})a@Ld^M9X7AE4JQGbIBhzFOOwfJYj5x@VQvQ
zbW%(?%<Eyh#4Y`CVfr{|!Y5qSe8R|0Y?N1Xcs}I2ZhgezQz?ZC)vWOFfD4fjVL@V>
zI1*v-$bkM}-Be^)q)*lh2T$lyTD&msr#Tn4`BV19$fS1l+CGi9y7ZPy8v)<4etc9D
zcpIcWm*gAz2slv3syat{+4f7X&ndM2NYG!bd&;dAn?4G+vjHA1<3~w7AI&}wz<_qH
zG09m?XX`I$xaFtklY`vw5cjH|Q2DZP!5cIqdS)s<f2%*cYJRY14O05cgUXK5TR>k3
z@5-`Nyn3O=8O-R$lpg{YYfPknpJI#m3h<&v!Cw1zzehT#Qm=~kbC!Y8OyRY{$<kru
z5}-Z#HpSb(-rbxvZscK7@4g<_J7cw$G8nxk+l|<(71(Ucl8J8qOa?LO6P^qn&p$fm
zJLi2!b9@I5lo8cAgHN4HtU3od>K?JsPbr1?+_M%`^+=P_cHny7YB@tarwqC|Rxy2u
zcmr6xU2{EMRF$h^sJ4aNt)nv^(k^G`>9_xITQiymX>%wIm`o+o$c@}SY7IkACn7JE
zFKB}WT+<7A{_<yq3sf4VymoM_N`L%aBfXR6TWS6b61(V7dcN8LW)Nf;BMtE+NaYIi
zm2{@3s7#=nE3$R8@!pvP(bF)G<jhOd87sC6qvx||zHsA>QGZ6kgOv1B%Vc=Ffx6AE
zIf%^Sf`B;g6iEwe!7Lu+_G%dPvpfWexkL#`W@rkeaP{N9c67oXEB3391!kzn3kSOC
z#NmDdbs+9qk;EX|r%14hq-ZV1?V@DaJFQbS&){wM2FjUqp!P^#Onsq_FcsLX%W8!7
zyE8!2r`}k8%<$4eCr6j2S9wCV>`S0y%`LuX*O95Gh#5H_2r5EJt8R0mOJ%Qw()Gqs
z<-HG^<2VSY0lB!+$^x{sQ$7;!*z+G;g+ij<X6oMK*|PC{3)Y@zuR#<3Rj&8ak8-Ty
zjTXnyqin4|sG5H&ZfGncBHS%D2bG+&X*Wnq`y9f6mB^c_##>nleP^DZMK>2L7Bc2m
zZrq=r6=;79JW6I6o*_<vO!8bmQ)2uM!hSq@z4GbUeUlni#{SC>L3UT@HQ>GFIob0p
zdxGJS{^CLT(pmeGo$cP<&||hxGo`<g55L_-89Wev2?T$I3A~nkBfl$Ob?^B>{ZCrY
zfRv-tSYnryQ#ld)4knK?ysQZkn7UUY0g}W^w-ZRae_t_dRr*FPqODr<f%Gqfmh?M7
zGn%cP%aXkbr{cbCVB#&B4TdLPtjF#GgP@tNc_$&XO5aHh<?Sb32Ex1^WzT|T(fQVE
z16Sn;XSg}rLRir2ZDUe$t{7F;<Z5}&@i__kMYuc#pSnIeljiF!M}is3kK3m?Y5{xf
zns(U~xu&P~Z2_3uDwwV2Or+w`O2Q1~0Di_scl-v7v`x_akjlN;#X0^XWPlm*PAdG{
zHiyIPZsd%=M@rbS5lzq5{u-yiT)TKS<Hi0b<W;-}F8(`{$DD?XMy03ALCFO4E8h`i
z0XQ?{^s-u?&kHG+(zPb=m0r#aJ&cCVSmndM+p=DTtVyZG;ltqM_@N}Hk6vOXd8CS8
za%g{pc+6E2h~oz~C+H#!?IunFG<5IT>RD^*fieZ3zPcn`VOlH(d5RtW*adC6m>rI1
zzkTryO<j|!x-n~nY?zb>cG?YA_IG_q`g!)m*Qe>C8uLmUZT*{&Az3ew*n0|O%?c#l
zNGN0E_<8D0g{k*$X5R?RtKuwLxsKZP8cX1t9^VF5yPe}s9=C7MYjHdMI1v;nc~#=k
zktciPaWj}cBY)HVdp1{3`Si_!R6q{L3+Z_ptyL|VuRXO%GubJ&Ibvc_Xi^vO=&z6y
zZ2^0FttDn3;DXfutn@%>;xjKvrK*}K7jAFK<tr4v1$6fAltG?SE93i#9A3-BE@FJ2
zAk0=Zo%s;vm7I^nA-3z)6xc2xZNGkWWrz>64w&Gy%tbf&{PL*S+y{78RG&kn%#EI~
zThMZlCoB<1ib|+ee?1;ojAQEZ!qibl6aOO>7McQG+9W*f>0A43IjGM-_Rt!B;$e^v
zFneMzK{3fG_xm@G+x~@-m9&zVnVPlDF%x%#3O&kjQ}>o^8&+^!k$*Uxk$4i^a8yz_
zPRdqWKxr;|YR@37I_4Mb$8$?8H&oQ&tabIVAlW*sJ!Q}l9EZcLKI{cSdlKSUWMXyT
z{Bts2Hje7VJ6yhaCTc7J@EM;1Arg3TfLfTIw<iPIddfD2Ipe+Wz*OtMu<PpMOuH>v
za|x`X%9JS_1VdO4BF1ACBVdcPaW=bh5P&rwvB>;!C&mUsgSF%096MyW@!LO^=-~P(
z>k8NSQ&M#^Y(V&qPLn!fTFx7F5!56*b#NwRaLK6=2PRP0(Lin@L8}7Ns~wQAV6dzg
zsj;B8>ZT?oxraM1?h7y@1>w@KuWU%#ZRX4>;m*d}grimkfH8Hq+Tlb_F=57_3aOVV
zdoR?6y!Z7=k!acMEH;xFI4f){@>R`a3nbXL5Z%>76Z}yn0AW~I1@9*RQ5t0f(1wPS
zOUvPIkO_{D+SxEOV}#LJxQL%*Bz6H@=NZ>oSKzs&L(3Mn!&#9D9?{Y$$54fbESMY|
zVTQ#9OoN;zKGdu;8b^EDf#c~%dZIB)o#z^P>%do4O_Fq0-+&`j4+`w>&%Q!K8|b23
zW5wWgp$2J@#<$+vq4S&cGx?ByA&*FKRtrXo@w}$5AUTQ^Ft+Of%S2V6icV+U28pXG
zlwxNReizqxFlZH0{(UpPn7Z?R6CkNMgs<)(4utT<p#W7#DIBCe+K18@hcLk7?B3pK
z1=#mA_7`fLUi>fA7}tG#VtK)&;;kwH6PF^Q;0}~)2hd!`H$y3^5iew>EUf_g!5Ea8
zc|0N>MR_vwspv(PS!3bXyp379eFdfpI+g!GpZEJMzCC{!hKkC(o<p>FnEH-Gtm8>b
zNRvONDN*QnYIGaJmipD^d0-E_0FV7cMk{LvvZ1D2S78>&U%`uNyD{VR?~cfGdZRK6
z{}45%9O~&t#hQa)%kah+ZW7WrD8c&HS5{;{^oogzUKbM6i5R)Bba*AO_oC|bn}JT(
zm;cqr$yXCUfCUf_8Zpq#NL1j3*JOt>Xl`hQjxxZ8><c~g5CUX0_3zMX`LF&6yja0R
z+o!MA6XT!Uq{oYaTo;@g9?%>>(g@@QLBnlOV#5RRS);KVC}8b51)czJ;DPxDI>9rU
z##NQbTgd^0&-dLN#~Pzh8I=OA&Nu`EbQ8M*n+K7xyT}Lp(lYHNa<VTRI&&Z2BfZ>Z
z_Q;rjS5dYXBK~{_(dhj(m{%aiX9I!^e#kdtkW>pqv_}wm%L9zIEDXjW&(zT`wc`hK
zjv}jKlNw@X35WF6GMHdd+k*GA$*K^h`!cco{+HPZ7Vi(IUG#|=9kB}pqJk4%u6ul)
zApAa3BP>HzM*q9#rP1)OxUp>`#+oZAV|nnZ5k}9DIqTIFC>(w`s+R6CDzS;*=CA_M
z0mO6+^js8(6<imbcWU3w^l&C2c{C+H>xp1FfC~%7<j=q%qBz4LO)IBdei`|4ECFxD
zM!V_J<sS$S1)$ATrb_decIpa@pgbd93Cg_&MCb&0g{Xlzqm+VZ6fS``zfn=V=Ovf~
zo!A7CqZ}L!vfu57G0LB2bzojiMPyB)w;@_$XR3s#Dg<(0Xk(uS@1*o=gO!<@dz9FF
z?LI;|&J7rFfF8fur}dmN(}b2(mGg-{KIbrtEK>7t=rW)qz3Qg!VrwySzkO9)KtLda
z=0#>gjzYqwb_V9H8F%j{l^dJI=cWp5Q8^1ljnvvsP#WuBZF^#>eSa$SB0qqkcR)m;
z3TVYB@=;pN0SB+KaDBrjN$*XMh4{Q6q|{g-E27##Zvh{SABtW3RKFP@ee!{FPpFAk
zE9(HS*Q3j&fD~J_e?#8gJ)%}0->m0&MY0@MEx$2qC#}<}?fnDFgLm4)|KM0LB;A@f
zN%pN{nZR61mcY!3kyn%*XG`W**h_uM*M|gS;~`^3q<tyC=Qsx1xxYKN#iYWK0GoFo
zdeA$#F|vOv*!K24&)ZZpz7Ya3ZI-_pKk27%TJvHj`G&69jtth!U8JAqtecX^g91q8
z^$YN1{Q?deQGo5dhan;s(x3P}0jb~vk3GR`b?5dOWY-21%HzGPC&nuziLb7c>)Afu
zn0T+pKflSX&%x?VmDAG=#<K5S?j&*ig#Ce9A&shfo~M_QpAyj;@>7xq9HYU;GI5F=
z7THY@C|RwmFa<#{1bDj78|nS?uiasn`$WthDy|`e3rUMuo4iO=8s9zPn0N5xNa#T#
z)_gh01a$s=Yr9cSg-RGoFdFySnX`qL#y?BrGt&ZJ<c<B7W8;mZy}p=kp!}YKxdQm`
z>>bFE|9);j0yr9_D1cL22GW8!AbkKdWk#QmM259rC~V_dJMnlzFTcE~qq|5~rw=N_
zrozGfDg-q7H4!|@A615yfmHQe_cxHST9hbuXq=yE7mD03Gmsc%VBcU~>Sx0XN7vBJ
zd;o{q$vCnu@o_LHB?!G`zzCm#uHdJD$^FDba8t9M_lUFENgTn9J-}fyay+=D=8ub@
zI(P1VL+24co6W?AFS@%Now-Yjz@J6}26i?IXsK*~)cLzsTYEmQ`qfqu<KCxMTuA%{
z-5^zvnO_U&^fQM(h(@md@z%TYXIqPP=<Y%x#+=$ogNH$;XIdA`lN<mlDrKzv5^JFD
zY#7o5F8wiIr^IQ=ipn>NitmEm7~jobUPvq_>|kTMPP#Pj-GWfO@+;#Tg*LLI&0;)T
zfb3Bk;Phl%5oW+XN2yzK{9^|7lH`I`EO8~^11xVW2VWUqIrZ<>CZ^jn5s^39791_|
z<obty0A_#NInS~hP2w9HESEGW<uod`h*<pr4JtkqxsMoCbgiFl2^|FT{i+90;Ne=4
zznBjUGhz2-o9!{bRbZ_Z+O?V;qD)g|J`b=G7XV&fIr^r4GjJ7!dzbSUG0>|oRdi~8
zJ=jyE`!1uG`-CT8=^uj|B$J^WXZp3urlb>MB1Dm{`HieJ=XM0`@%8!r0jo{lvSEZ(
z;R8N&on#|Ug_W|N5B}eOz#Vcf`z;YS``vnCne}-c@2t5e8K4<MZqcjL##>jl^QKgF
zA5Sd50;uzOH?6Kt?NnAL95d9r_yW%!ne-E}<&k;v7nnjB0~G1_F%X_0b$cj~)$U(y
z<qwis`MmSA7C}o$w^UubRa0jf&8R4(FTd&tD(11o9?h@75$0u?Ry9FJMNJ3}+*Vv!
z0>l%Gx`8YGpwD0yw>NojS@-BYpCe7AT?=H)5huBB$%<ls?OoB!VP~-TP)Hsh)qNDe
z%mAdsdOq=gzx0<)#3%mY0{rJ|u$1Jq66Tw?d{LXim%X&)(Y2BrhO!bU(U0?4{Wc#u
z1m%{h9^p*KZ9AR{xEgtoH&Jv}KNMUF;A6;aK$&d|#yb>9dp*;qOYfFM|0>e6-{>av
z)p#h1GQYpS6!5TDWI@@<tfh{Ew(irXu9|35V$o&^@P{1|{CE;W%nf<<VY_fSoD=jN
zc9N6bv6X!wwA1$hT%@F)3li0q*9SeQ1n+?Ps;pF;pKLAJffuCXEhz%11F-e>9zMmg
zuXV?6pn~3NTu<yy2PONDbWof847tr)GDWU!C^r=|=)Gl#yttT8x;?cSsE|l8gX`cf
z*z0fi@}zYNbx0arFI?1l0H{USaAJa_!>9__krZd<_wMTi)AkO;@;(f<_NT>Hkh$Z6
z#kKOuM{!Kkn(A-!I<$;o#$BH77J~DJiy{?D)jHBPvu=OwExo<*6FQ$l*<MS1`uqUf
z+(DTy4E)Q0KR;Fs=y^Q-J3Ci%&__=v-Q;o;vV22b2hnw$4Qz|I=}%Q;_LOU9Vm5Im
zjF52o48O&*QeSD@&i}SUaMHg+@FoAB;#|Ool>k1h^&DKI(a=#;hnaNeT64p}t+FdU
z=vgHBqw=ME@={2=qS-tbTYt6>f@(|eCgT5Ro=^45d~85rS)P7Xr=_V~XfKb(n{b6+
zo<V87$2uV!KPdQk#4)SlW1*bE7^MT?M0NX!SZB4sOy8ZRRv5~~>f;lrT=Y4EK4mDw
zpPv$lNPlFj_LSd7!f{~*w2fM~=&_?m0oMLiZM=dyQ{o+X^)k78_<?1|CI5dT&JV<e
zyGb!DB2b1jU8U+0?}Qsk+dup|c17LCni`z6RHIm>jcuHE`C?I7`}^L;tvfbvjxz=h
zj#HB`>EH-N@SDs&s`sc1f+0_pt+`x8i9Ke4z}a@Tg6nz3Fpq*%Vz_pvRJ4R}dKoDV
zo(9k5SSE5FnP+-m6pmy<G!wR8U+Lf^j-Uqg7Dt}@;UvW0APp?H9LprRlY7YKn4ixz
zw1wxpOXnDSqW)D^peF@hd7L#RA2o2UHXr?BzYM{}lW6v^Whg{ESr+FB&p0WPz6;xh
z<ns?Egnq4CMZUV$ni{A`f27)-I6t_X1Up%Ps6#@$ekNp_f%Qt^_iLoPF6Aq`29Nm3
zQe_Wy0UBE%+iLb-ESY(PdM<v)_OIo%Fw*zS;a*`@5@?4$i#UO$j8B9kGT`TU8W#Xk
zW_wDD-Tdqd)#Ols69tCUi{d`S`NA)2J66}0H7lnS!!@r^Z3&A&6j5noP4r3VK3`J}
z@NfBmTzY<;|G*EIX^EM+s*lGBJ$2em#D@d`dk-G$^^r9rg<sZdf|o1_N8u_#h>9o$
zjsho=wR>D>Wyf%;`&9AJP)RG?l4bZE8yV!oPGj+?u&({^Q3$G0YBD)d0fB2(CKIFg
za>SSD+Cyfu3#7@HznT{zSJfFPC_@?ec~PQGPZoHG8q0^^uab9uEj5bO%FUV4tBaq`
zWq7Q9NB+m@Jppb<u}CY82A%*4bU#d6b7^EBj}8yW+H??GFyxz|qjO_m1mC^!@x!%u
zgcNXCsONrJA%CW}KQTV%72OBfbYC+oHTYjSgvmBj6hV}@2X*YhaD6C^M{8NH#egz^
zrS&4JhEY8`HV!^zrvbq<v)zAllx7mDnVCT}RRL@(r82_jguBtK@-zYW-y(v;ZD*kX
z-j;Av3CwGdlilT1Mh#J0MWAG1D(sQS0WKy14N#JG4c<1XIMe?g<X@wJ)%VX{)0;Yp
zuS626ronD#$0{RB)<)LF?pMDZK+x2QR(JAHG3XS?U5kA+NDc~#@Vbb(@gw`>aW<G&
z;@2iRU*GX&m$Jdk??O`H>ZZikKTnI{Gbw!gxIbGA)ESb8?<Q{LCM@{P{EN8q>c19*
z*J{5EXOqwXYYVn%OE5+TAK%^>k#`OFX=MU(UNMJ361Dp=-7&A_-(nG2!GaZdYji{c
zi6@+=4xBr=q*+--SL2#+|1Qh`MIL*cNJ$PoP0?q{dQXnK&Y2*^3pX;U0|kS5jsM~q
zBw$K=h1{)=AY6EjUAbTv>SJD(Cp7KXbKueuNxCkFa|8@Q_+4x=08bla&*L3kWloa<
z#-Li=R6!&J<@pb+qUwL8AwQl|POPPqc90ei4|KCQw1cPIPkXwI$LL@$GAxFA%DjZn
z4!BOKV<2Z&^e?|~0Ge2hqK6>cCN>hkWk_&VOacJ~lc{LVmz?6}XdnvJLCHg{&A4Zx
z6Of1l$dKjt*qA-KDddwc>)tzi0T-TY#@wrUiOtjlV%HEneH~bj<5Y<4#u8oSVt?F`
zQzkQ@#xfF#Ehs;iddCU~<sRZFTGUCpYII*R<ClSe)51AJdiS^VIx~mrrdHkO`Aqw5
zF0$>%3EcS#-It?q$-dNla$e4fKI$UOb3F{xJOU=vOgvljdXG+%8*A6CT|fQdR30t*
zP6;IFJC!CnTO0OM>6XUiL&d-Psu2JY^G)~l`FCH^@0<;lsDx{&_{A%5ygdQ~7z7uV
z(7265iS~ZoXSZNvLljt*FmdEVCbvpjVfE=Cn$R=~BaV-!fS^+;O}@bE=97Z&NZ*J?
zr$Ewu7k>Y^wpMAE02q4h-Y+d>>}WWYxe4uuI*+{Zd(#XXD5<+vxvG3tX2S{5O6D)T
zz4$nNI3-fYvkcnb=1`)JHJmGdna^OG&o&&W{w4K<#uczzn2I;UEM806<YyDNe_*Af
zn=)IqRXJ~1O55Q84xuVAJgA8&F`E1qFn?Zzw!^3gE11<D2R=ZX<<9Pu<)tR)C?G*C
z<P@8!H<VgB>+{v-WwBaY^v&0ZSi6l+Hzm>u)P47gZuFCNf-NVOrWO*V04SZJKH)1e
z&tejKrKqD*<1+DqBL$Z&&@u}NyY3>)Y(yh2=3^*fizyl~WaB)(+|^;2+G)VxPEHfy
zkcgU9y(+*##XkR%Lp;WMt%Bpkjc>=~Q#K857@e;v_{@8H<9j3fjXn;*-|s*!|0(#+
z*-XvM=om0xN3AnyH!zA*Y@z>{);nlqUqezG)FA<-zta95phq1Qv1~q8rKSz0X{H#>
zXWdZQ=pJXcOcSYJay+@E8K|-GvlX1*7D)DkP?&2b@!SBYS`fX2Z)<TjE;K>k>4@am
z(sXBnHyXo|W-O%-zK%2j&OgZLO`bhT;eC}gk&6Pf@=RNFPRmNwZBVK8B*=JIT0I=G
zYI_p3DnbAMk@nv4SoiJ!I64)Qy+@sPWQ4NAN%n}0lE|i<WJbe|hS6yyA)^vPMk#xX
z%!ZvU6hb1=_#H1?_qeX>zCWMO_xIQJxF2_qI^Xa2YaGXO9aK?SDcZSDql#@#RUdq)
zBGJf6{Jb}<e0V-564C%Hf2UST29;+I{QmvzrD}rip0HO2O_bRNf`UhP&>nAkpvhOp
zm(6=zi2UK0*olxjz99xawGfpZk(pUp?0RI0<-Lmmem$Pw+&d<cUs{5Tqr>uYK+kOV
zfsW#D>;Ao${i<jCSEsM^+Ti;btH0jH1S<#5s?#_GDH4>u$Yye7zmpeTQDRNGGp4Df
z>^OuKp~D6((q50lmOH)X#xbJMDvX$3x!1=G%f5_s5;V&Na<hJTsbc)V8K$5Sn9wNo
z1RI_(0NNFsInu*ImzHAIVR7Av+(C7mu%e(>A>IJ#9abgoU5=8HqoJO|BH@KebwI(h
z(Mxf5a&?UPAV2B@pufd&tDt;}Fu9T;^i(UBUmO1uIHbvDo?FHyPif9UTaZ>I92XmV
z|L7=u^!@2yfr-&4-&H4;V`UgL2pvqHx9e5S>knx(48Mox{d{d89zJr5<|tUIvV@d}
z)~A2$h3n}a-E}le<}lM!=$mpz9J9jEHJmftxL{}e+~&XpBniISBmF+Dqo(~p^LW*o
zBG+}*xyEU$3F8L2HaDfFog+hTV69(HdJLM)>_P<q`#b<O+{+!Dbi-;R&$k7)p^<V0
z!(c~WY9(+7cA#SJ+jjS8B67PxB7bSn@qB>1&j!k`9im!+7)@++V23BZ0^9m6HiDP#
zx+rmqH&0odj0YW=Sdb=pQFbP+m^(@thdxkGuz7qKASH7*)5i%@_J#2CGPJXy3w))J
z6JS6ZT7uw!4{=5|u7-pa3DpXLxy`qpxc%0PB<-Lz5CJ771KubiZwi<mM?PK^nTC?`
zCGLGyEM5(?8Vx&VlFvjH8!yRzh8ay|xt5i3#C0eQ2?@R?eWZj-4AdD#ennG{y*ulA
zwRvqsAnM@FjY3XIA=AQ2iKdwzrRi^XmLCedWF~vG){i35Aj#FVy3?S0w;{bbySxin
zLQxsR%V;;T(Xg~bCXC3hVs*foybb#!<2Y0G^jI}JmFsj4c*<Y(K)B-vs0U0mI6z0!
ztvedld^3TA^7SHpm<mqH-GP>Ut&ZYX{j$ifD5h>D$8+!3>L^)kzmb}=T=U*D`r?g1
zpzmHeuPm!0_B_O}qIK!JE=EN%+Zlat{1%&dPki+lLdc3;?MBQmDU<MyN(VLXF3QTN
zeeMVzW3R@Zi-Mm6n{=j;pZ_Ogw@#La3ga!;<)XeRM!T1h>;j<EG|VjQ=D`p@O8?Tk
z6dRoTd2VriKMY$6>7P<bZEp)??r6dELsfTlClyClN!?4+ijKRH=S=Xp57)0mDYGld
z;e8aq?aDVbmTWrrDlqS6r`&8VhKxpw%VFyIVbL6&!b)+>*xJYmc+q|vtJ%f)B~so)
z6*M(WO>30DHM}1eA1+{rFuqVjd-F8qpuUrfm%jmOcf+JujxiHbc$3!^s=BibRpC1K
zZob{P<fqb5IbSmP?)Iy`Q?gZ%IiT#qw<nz`I1jz?SF*Ny>%PMkmy3x6HhSbQZ=03f
zfjcF+-7S+*62sEzAoG@joS+P=_3*S?u<*z+i5yLs5aQJn=|nTOUkiH*!_C(`3~*X-
zUT48#{C-1}iICNi?O8=0m3@oZu8{Fy32E3#C@xPivVt%mw$yVvhj~h_z11e^1VN22
z+H>zH<YUF3*Y_-GY#0%2{?tbKB$9$yO!kh8)YtwtO5d?$U4j~;U`f1B$%eO(B&YQ|
z+V3$Y?uuw+63ndPyO2T0_)~SUL8`fhtwZKz>64bbM%m%>p{NDz<7>I9`BGq-((LpP
zfOAizu%oO65JFbamGA3S#y6NYyZ)?S5XaNcCI9~96?X0oT*mwt?&b2R@X0^s>~3;e
za%`TOr?-(hI&b$)-dyHB1#`L1i?PuQ`Ep(}X;)ND4t0Egh@BO2tei}f)~T%y55|vk
zh)cCK2+Jmo=^k((J9rPhNm!MqN#vaMw{}1Fue(2s<s1?y7qf~r+n6_jcr<5uF4=|L
zy|}nBL;s|&8Gf0f$d?@SOg{Ef{^lCVrMrUq&obC~JB0PB!_*&+HYxUXyu;24H+}x*
zy20fR`C}$eY{G5kP6tZD%-X$&G$wUQ7~P>PF!7#-qU2#mbmQt*U_XpVY_HUJLd<SP
z)oF~Ogqi16t7IJe8S8NOsb}a!&Y8c)iCcvPL;?zn*O&Xq`z%ta!7Q0Ce2BF`?+fTa
za!QOZ%$||J^^CdoTKKep1~Drv(9;Ie8~ES^D~EboLP~i0oB6P$9Xtbw>P}3zXJ}u5
zWCQY($(+2&#r8vPZt^FhtfFLJzJCOx+7ho*-(wV$WvMV+o1i7_KN=OWCt&=OTP0z6
zjBIHdC}@SjL*`%OF>|n|ry!sPfbrk&Ju$qa@qry>W8FI!;1D1aC8j94IK`ic4c9S<
zyz2QmIgI&TR<Orlg>cD5QZr-v^bF=bg8~x|B{5TA1<uM5dSpoOmOoG-s=axVe&0Gt
zi+P&I+f0lf$nB9ofCiIjuU!qiA@;^=wny)$%&*hO@!|{k_*;2Cg|<5yG=5yGmN!X<
zV#c^`{{W=(m{ia9K1l#@D|=)|%Uzz&FwepaDN)NGfY9;W^J|>)7n&ihD_ike;Ej2I
zPF&AY0JI$1Sns<$bk+)4B;K2Ewf~EZ<-w*@fL8E_6|b<q>JP2!XB~G7&RuTIuK1=}
zqX-G>#?QoaPIB>=qh$%IoJ^YZyK5lhSDd6gElG>7hL`E|J1h29U@)GWxhX7BQ@~L&
z`D`O4aZ@pC$5Ry&UV@IYWBZaSAyls_)$VIFOsewg*;B5ey#Uu%3~d@V>6*3>4m7Zp
zpZLB)#@IVf-_mlp5wFf;mv@Vcg}Yedn0})4dABA@|HxqB*c1#E-zeX%;`V68q(o?r
zu2Jt3MTXD;xhfEvqrsCOgoSh`o|8v0>rbdDl10#{0!QfNT?LG%PIm%+k#ztHz;q$C
zrN&ew<abfKC3$X1?;O4}JmBi1b20}QyPpBm!+2d@fA;nLYZWkW^W3Z-{#m*2l8twm
z++Ch#m4Z+!@<Qh6vhg3LYdZt5OcT>t_cmWBQ?(<)@?f@@b6sgsUz0D`i(e`I_zv>;
z*nnTlsjsT*$%|ezmF^p)v(1(9VH#vn9c{eb)xkRFDl^l@h@XD`p(t^G$sk-%PcJuQ
zS3bffHHQ^i^S^27r*u3et{S+650lIz5Rp&Pb(wkoptJk#AM;uRh>k8Z>AAgvl>)?c
zn(ElE!NMhLYHHMMC4`2ai0{u(tSAuF@A$Gbk3ivRoA4WO@#D{3Emn@RiS%EH$zESA
z>dPP@k2lD=8M+o8#@q%CtkE2woMH$zFlV2!YPuo8z9_aPeRK87zS*q4Bzq<SDR?Z@
zhbD)h837&8&YHrQpX`z@PMDoCx4gD|s_;WTRKus;fFYqM8ES87G3;G{sO9-rM1@jS
zII_LaUN8t5@8?T~AwpzV4Su-RT%6EXeYU^EAWZp&DLA5Whea-!1&)3PlgQ)FrE-ke
z?s0a^Dg1%CWQ)%|)fLm#$j5G2{lpcfFFaH8yrOD<u)*OPYt`CSk%%Q9;|!Zt>!%fd
za()1lnz>^()^^IvXfQ2DOofGXoK8R1KvLovMy<i=9hX?MCmJ0K8Dj#Jp>WE!Nl3LF
zmHWF>mI^MZbDDt|uiia$=q%V5)CCr&M2VDZholwHzkh*ZEb}^O8^V30;9UMezLpZg
z@B7w~K5pd~ZAvfCm9sld@;gfE)=G<0+=o4bIHIW;lM%;{dV2CQKu02PL|oh$0arN8
z2hepHGk>JdY2T_>Z`zn8s>e@LCwj%bq~=)9zJ}NEXK(O)9v`qX=e@il_C)VWG#R(p
z)hQBEiv7Q_`0>G!HA<5_a1>M|r9T#vz<DV`X2(0(#U)Sr5u87V*VHGtpi$OAHm7jG
z2gxKwV)kCSpN3`SA+VDLn!?IoXnhm%&`-cFP}31Nc@i8#stC$!<b5xu*5)Ngj_p+H
zpdM}AQR^cqv3ETsB%1hTP>ixBnE~POq3E)3krGecN6^$>Bsa%pzGYtE3pz;C)n1E@
zNQ6yGsw6wH?|#;tR|!$nKAdH=SnPdOQZdZwWa`UM06V;i6Z4zct=<=%0Ubh-Rc-Le
z!v}I~3%d`N98-^foSi9oqGPoiwdVt$6ZKL9Q)RQxA35n`K+sF3hVy5Q_b=y9P19kG
zUPm~6p2mVl&C9dv%<Nnwl+1&e{mpE5iH90{`cJ)nd>OPC_p!5#dlw+=a)^VH1Os;-
z(~nW)Bje-$1v;~woUg#R5&-q)qg2+IT(+I;`-KMB7%M)^p<Ahs+UJ+1!ZiKChTV~D
z0E`xiqjv(Ko6puBriOt*D~a>|YZDjp-P8*__a5w+vtL%PxyA9-LDtvD5Pmv6{B#z+
z|NBqB0JB}sUX%iapQ7k2?PR+(Pg+t4jz!5&N^-ZqThsSp8isHNL2j9F4oAOfmlr!7
zBOz_v09$5PRyz#tA7SYBk4uFNqoIsOnYz&s9-@OJt&oRRf>=opAjyQHd+a>rPtXt`
z=ScP<#OjiWT}qmK<lK6T<J~jXce8@c{2i3G^|}vY(1~voMl^vAD=uQXW)Sw>y*~?!
zMPfh;JeFm$Gf%u%)!|BTAz`rF(@w-}u9|i>409YZZFYSuPIN1YE@qX0I|B-vUDO_#
zSRGuCZcntQlnl(dBKeVGvvu|z)gXL09ZN(GUfWKgUtjFb^IEaPg&gJ(5uV4@bx0Nd
z?qaqbQu*G%$#iRFy3+v=>`4IS1HlHrmW=1Rq%NTvW{T&n@vd(&yWh!cB?c=WIEoT!
zl^I!b4(&kM<}7TG6MY)i+38nl9~+6DBri=yLZnna``1K4O%mQT9irKtLaG<3p6sUr
zN}oRYaht=mRG?HxQe<_x%cO2<JB^hBD$sb9NlG#J(}>MnQYW$IuHm43i}w)bO*<AC
zoU15#%*U;8<!YpKG=kRKaO-n}U#ABFT5l($GtwPY4V3jINRsw9+_A+U+|^E#7Jra-
zw2U^hfAXXzc5Umgm0gQgrq-%CLOhjr*|Z`CQ>O`kak|+D8)vdZ?F3~C@V{gIr06@O
zJRs-8RI`SX*tGdLL67mQ|C7!Zp<C8GCZ74nF6do3^L-^fNv*%&W9TxZqT55#WlU@=
z4+u=&aq>SA2#TOxr0Zn$4C92ie)V2pq%(l$*AxjdHJY?mRO;u-WKYt`TqPnkQ^nOb
z_Ru)p<$}*)7KzRifV)5OzLg;dN<&r?*K-v+2t_8!-#u>RnCu<~Gq-f|ArOY|V21bS
z_h!&YXa4$uOlh#IILdt*uG4xz+1L2%7eKryBrIlisKmt_Oo|RwW^Ymc8+fO{29T6t
z=}`c~9Ez;#ccQ7&przqH6AL2kIIuHjIlth14o%f13lht5v)-Lg;F81=U)y>L$#G4r
zF6K^%^<BNFP|R0y146gs)JG~&V40Wr=@ugcBV{#H{gQrNkuUnUwK;XW@rL-cBmOkZ
z8Iid7W%5eMI*?|u0Y4`8eY%UnaG>kxPCb!-S`hF};{g9p*^iLaq|iT8KSc<jaqa#E
zWHf;p;~l-9!DJ^wFQEUmJ=1mS(pWBpmH3W@A{XNaCYVasKekeasc0z9-(z`<1XdK)
z)@pTVh*rJ>`=tI*631@x8Cb24JKNrJp2i=sp3vhRWhZ9$Bq(l3{rrBxj>l2b&M6er
zMq@>_cTyK8B|h~d0;O(3PXK0A#_xcBOoE6g!lbTFF6W5hN}?{o4<=@rFy_5Az=h9#
zab5}*o<q3&wbN0b2Eod@;b0`~S?T5v;F}%HhB#L~4$~?oonxSRjaXdwBJ;g5?KQV#
z3HP59eSv#B%)fThVAa?sMbcJV(7ykrD#;}{c|R?ExpJ7<ymQ8vhkOl~AdUx}Rk}Z|
z<qM;it#>u<)~w-%KOPdR2EW(s=jQK4gAQOM%w|fc;U;v;!5t-PQFbVuPO94F=7a{V
zSTi_QpMyH#SzLeO3C!v_Bk7-&ZdD&Mlk9-6-1G?^K4;uE2^px9Hw5kxP)=hcqdD&W
zr#p;AWyN)~m2|MuEnSurVTsUf{&YumHgd=v_dKXu+)_vgRD`9y-li}F3!PqS_$U%0
zptI}z+tl+QMEGNuO^xC@0JyR3=<I7gMwst?lBxiO*DIMEE0}8$jcrz3tl8lKy4{z_
zN#eF)Xn><hurDJ-aDIGM_#zzotP*?iqo1IWlsL2ezUZXS1>Z_hVzH%M=a635f`mYz
z!wv(h$m-5Z!w+xiU_1Xy6_RyKF1=mh;T|aa1%c+TLfMW14Q6GwKxX%RPv$c|q(j2W
zH99%^<NLDYn*e^fXG>f_f^pOJ36Nif5%II?nGRRs?l)7ih0Iusr%uuDAXpJ9Se~pI
zG|>Rfa%VjQBbpAKd$%7)i2O#e87Mj_hk;pwK(gpS{2JY7c=zXWtJf&{z3^ohJ_j&g
z8cRMw7^=Md9EIGV4cdJmCj#WwDCAx@LPYTq_OZNtg=Iouf^W~W+F68U5n<N+W84v#
z5{hIyl@YPupycHhuu8#(TaWHD!^1A%E$g3K`a=r<2lAOo*Z?|u3zyi>1ozJr59cnP
zqa%|do*J$Fo{mjodF<Z=NsmcFJVGb(g^`02I*m*QJNE@pkBi7Kck4kiQmh4a^aapJ
zeA37USzD6pkDJv^yQeFH=a4rH;IW)RI2&7mU3!<AAa+I+9G%*29Dln(q0|tDU+l|e
zHMpTAW;=NVesBviV^ML+885zhb-O8mWkAB{t7I;Q5CXzuIy|wHPO<w?T4%{o=AXPl
zqcjEXL(L3FD2i^_!P1AG0Vs=jkk!8e>qmZa^MNRoj)go4E5%3>hs<+O(ktQjL&plI
zON{NUBT{4cP>xlJ>T2thb;>KxAm)yXr2QalL9#dF&fg2ae=3zOHL=^88br<&-2dxW
zr~wN1E>O4;GIV70#Ox!-!fq(RD(mN0#`SbjE(X0s2YnEPKETa|=TCN-#D`Jl5dvA!
zu1$uTpeZ@E5H=)2Z(u_nem1KQ0cQ`OvqP%>s}{cFjfVL0a1mdw9+1SD%J##6=tOy+
zd<Nl@2S<)>g@<}e_HKRv1OP%#m0{+iW2yPRvh(jfI~noxk?J_p|Lx9z<3@7XOT&(N
za7Ul*0KEj-xpbR5_X!uFNRnMPiA(hWuT>b4=OWe-UOPJ5;a!4RDjHN?lkB5Q!E=zV
z_7KuuzrZ)phHKyU8}2FxxQ?rSZtmRdq*6<nX+}FxZt?;zaw7A5<%%iF30s%!m<pYl
zKSTisO#Q4kx$g}}3-*e880aB5NTl*XIns8WC+HyDq+w^JWSQu?1e9^6sfmx|U-Vt7
zYf93rk>0$;S6$YZ=bP0#9Gbf*$nS8~a40k<2IFnozO%9eBeqDTv9BS#0J6!_54pZS
ziKL8rcMlovP+pmb(4==L{&Ttb<B71%-S`u7u#Dry*-E_jg1ersQUlEIFpSBg&4i-J
zznyJEORYvnA=bf*Y;j}!b)vHo&ogv}I~px($@5wT6M1%F><6$xqjac1a(%H?AQ6H$
zugdnTAUXbX{jw}61+6OhejZ;v;kbJkh7dFZknq4DUFCR=vEX4Mve-4sc50kde0#<8
z>r3q?#gYNbDM0$6i!g8Wi+4zHZm-$6AB17waD48!EQikKW}WRL@Z!H8fm<JX7qj`X
zK3{rrG&U67D|!J{oc+!Hl&nyeO2T!&OV)^>7a^-;yJPU9jk(2BbPvD@mT*4MXS)o^
z$E{3n79qcYJdG>!p3Rx}eLe8ZSpY8TIGC4^Qw_cx;G$6SfrZ~M;OP*nZ8XsROxCuE
z@=VOT-P15;ycvje`lg#gW8nPMDs*G(h&eKTod-p&e&V4hs?ueZZ@C5sAHM;5q($wm
zN2=_&HSCw0-aFCwxRTC_>Js0}4NWY^X0M_lS`w!GmXiDdM6XgoA3lcv>)nozh(r?<
zJUl!mp^`cjtE_l(DQOv!8tvh1J2&fK{H7>6P>aO>WwF-C*>H?zjpEiS#GkS2vZd41
zgYtLg&*iT&PU^9^)x;^s`<-Sfc5DJ5UpTl+usM@LFv-RiaKA4Qw*4xQc!#mQ3s|!J
zI^x>A9qFgr46Qn?xoUi=T6H}*c&&DAm)SgQGkoMPcxpJjUfwtnt$Y%SuEU3lPviFl
zWwOGWO6q1QaL+@!6@7`w*uYNsTnu*g*k)G{E1+qVC{Z0M7E7Aml0!or_<^TqPpMvp
zyY!)Q5Xsq<+9WM3<?K$!Xm~JxlCo;mkb^etepDpV>&hhlu*cTbVtx_=Q#RkG^!D2{
z0R0VR--{lkzY$1m(gLYR8;+vLn%2}!F-K1&x86c}*IUjB2+rEyyj~GiR33uynn;|3
z4Xlaf+<JM*9UM^akg*X@S#>#F{Y3~gLmkf2)K(!*MB1O*1O;abT({maXOl5k_-i;G
zVA)}k!1TL=Jt?kKV8A&dG6G@K+il!;+O9~)H@t{&@FIhj8-$*6o(-3^uukwga7nc5
zsw58Ry)`8L*Pch1)GRetyI6iIjsKwKUMG@>Y2{<oDLgRoYpX2lBBk2J0ON&fHIFIn
zI!2;`>oK5lD?E(3>i~@e-qg0H=^4_$$h92OhndG#K*IqX?Ros{g_j)fFiovH^a7VS
zW<I8S^3up{y$6o6nz2A`SVJryKTeNoK{t}kGHT;|^Uyp&*<-sKY5$ix2}^25QRLte
znOxkO*waoky1)S7VJN)Ugzfr#_}}aE0+s*W(fA#rSYX;;SWD23U2QegFBqY{Cg=XU
z_8OH@=l_44Ax%3yyC{iI!65d0_N^`=_}JDy4q+h&OI*U-Nc9=8_tG8xHe(bB+h&J?
ztXCw4k_JvsA_?8?w~Zy;tk;vsK??Pcs|fY1nt$8;dG#hkT4swX^^v%R8rSWM1|U9l
z%YdKWX3x&W0|3r5b`Qkl$IvwEm3|oK@{a0&Yf^rv>&Bi|Z#3l`(9l+(0={s*K{^DT
z1krdvlSzGM`n;xp2hUm>AF-uU_nwk<g*F~;d;{M9_DkW?G=&?V!!|_LDU2u&>gC?Z
zt)jG6Agz1~%?n0T&vhVv5NRQ_<!Ydm(&@Z+1QB!bkbK>`eYqAok6fA+DV>bbc{jrK
zIpbJL=4`S4i1iDmacN9Hq<c)sa~yyXpt_o5FQJ(pd*GqTn}&l`wlmjD^n*<j)sbNx
za8#j--E)2UbLK8~*>YCqCtSql2vO)@fNna=9)G9B#zU$;(G(h@f41pfy&M{ZltX7@
z0Dl)b6VZY(Gj7Z9U~++pZEqmja6Y?h#cWXdsB0RQJ^DsR&A~)a-Mtdkf-VI%y58-C
z#u7C81t3cp&Ak<K@>*k`7DRJA1kw$Slw28|ehTeqGhoiyzYdt>#G(3Jv}}gE6cA?H
z-n426SI~yj^8?fuw*fiRKuL!{4@QINzZtB#-HtDQ7qyBS1&A4>DbM|aim+vItloBn
z4h*b`Xo?2ZRU)bkfTvW@1A91}_uW&#Z}r;5*rlbq#M$MstS{5NqxXQ#@fs<&H~}a?
zvKWHP{)#y%`?PCm5Pl*p5ei)`l6M(6wBp*S^LC}bFvuqc4XOfa)7Z}orbM+u9LS>_
zzt>o*-vE%o&CVcbS@B|h4xT+8;KeifWuJ2HEFeh|xOB5NKv^pK`up=|N#9}+@U(Ck
z+@t57tt>-1U<c!1^9`*z76Tx`xbQN{kw@6&K*rkBxB9Wr<z;=EtT}Hscj;Y47ccP>
zS*JG|1Kdyta6m(rXq(hkoY2TL&6MT>O$tPa-tUMwSzr~kJ_o>Y0(d>Ll_rwBQCSw?
z3I_A_YR@64<1vFNY3WK|KO9o98eLdZDwzNxG0*skr9~ACw)Spmj^_CQ4|O5{p${Lx
zeQ@jh@$BP#W<_>4%9uyG>O1>1vCW&1_)FC-qV_cWXHVYI5O~Ry2Uwwulx*!gNdFNk
zW68WbT!Fq#tdZ0Ti-D{mh!>$bi>{|iiXs>bA5Ta8+Ti*a-fWJvD!;Q}3I4%WFu-KD
zjdAh}^L2m=`llbL!w|VqI(63>Dd}>$>Safm8u$73UeCDIYk67E;?}pgHTj0)$qBQo
zBRw}3_*x<5lQFg`0Th`)7{!aM-B3xWPua!ZDZap3L{kl1Qm&{h49K2@5+)vGDUYis
zQk>E{A@2fPAuxd+tSKb}VI{Wcwp5w7FZ9M3Ux}q;%mWdD$%wG3z0lskMVgQ>p_2+k
zB4?^jpX<%fQ%r&os7oj7rOOK<$?v}1mvd?<uOvB{139?qjJehzfTH|3K-wlZ2H}V@
zu?{a5q~eglPA7Xtp}7ST)^(T_J*oHM*K$Fbk#)Y_4-#|2G~ZB?`$8uDu1d2n3!>|D
z`&xfo`T~o(II%Q6-U)H#)_kgn%b)NGA)ih5JPrNUFZ!B<P|oz4-^2Yp<j{<9@TP5W
z%#syB5o9Fa{lNtuH~|t<RQ=}gW|Xh#;xnE0XVh%Kkns8Q_a5PTry*EJ$j}q&{8uGL
zw6hiT4f_5x3h=2+R-)XYp_Z^~rr|ri7rcD0j*%r~MKqQ-Kn}#?C7FeTLq7&jO;_?_
z%+@HH7C!(ZY<gj+1mG4xN{)l+oNrF_)Kkq$_MzwJQ{Q{EihKdb#c_i7?)Y9lfXH#<
zh*V&PMIAQvw$)}<Ar5dYHJ9f>B>}(v1y2^F4V1B%d#AN0%Nn_e%o*2>OHS94WeAt-
z#(A#SKYyM)ue$g0ocK!Qq3Iy<-Z9)GyOtQ3M@9P`S|}55;k|Z?qt8L#g|S)d83bwh
zqnvY(O&&X3=Wj>Ih8Q5}jU)0iFlEbVWhzv%*HO|_^}uT^y!d+UFvN;*OJQ?I_fwU$
z(biP&XqNT7(qC*wqOV{?INX}jqlwMIc%|BM;-na#Kx?W&Xnf{-?V67l4cqzhc_|d+
z<v3ZUIFVutd0q55r#UBNcJ7&-hf^=k?Z(iz#rI)0F-SJZSsRu?S0ViaUfd)oR!@}w
zc7Yk|mFFV@P9%<$A4~Zb6NN1Ymxc*GV-SWVJ0>}i6-4ci`n71uxS(go^;jpNHzd%N
zDuxY&1ur)Fh*V1^a|O&Oa|KU@T>iMZ7kJEc`<Ql2Gg&#)C_K0V2~vggl3yr_qMAQ_
zT>+CFMaPL6GqS8J-gk@b$@WSl=V=+JT?VftA5DEftuMBLsYRyiUL+<MqW)nbtMHbN
zplzkU?R}T_AxN&TEr<ckL8drjk7Trd2WT8_vXVrg+GDG*`FwYRtf-Hay8FRJ^K_Na
zcb|QoqOiMPQwM{TW;yjv%?#)T?Du;4HTBfd1aWDq+=)03dO-unJR5l%ylRA}bz%A5
z5=!-lVo~NH3pDnrFzlujG_WS!0MPh#kGy`rx&9s$1B7&j;mHgvz17-X`{F=BXP$X1
zb+7!6-jCGXZ6ki)IG+pmkhaY}>)pfs&qZhSE$HRN{YXA97pPd(2wE10(3zW(d%70q
zp8&Ljx}5I%W0p9n^8r!Va8D;lSYeU`G2b|jc927ra0G-Cv2^vUM`U!sCI0WPDB^Go
zY}xPW@r&q!vVOQJzxfY>kfFmbTUm=_EGdKe2Vj&059D&6SeS-UlY%cfJR??(XVxP;
zOZQ!x;R5R_0?<Tjhe3kj!&f%0dD!@y90`BPw@R4MG<lU?9}Qd58LJEJu9OL9bbLKN
zbBL_N$@P~@-m)bf0Gl5~T-|pISrS5N_TboF)_q{?GK>ozXSv5Udt3O4C)vytwj~;1
z?{I`~FMotXaM>W3qC0F4dyb35V!N<{Z`xQb<#fwBS93?Aq{gWdeD>aZi$qK#Akbp2
zE#dCVXQ5WW^U@fTSb7{Bv`z1HaH!esnBVCz6=s@&gB27OPYGp7B9tXJy#BT<5epU`
zUg*v>GwR<!NG(`)j8(8XdW8@3UEi);L=$BpR)Tj(h}9&c?`EH@`6{r@MvZJT0!%7X
z*J*i-3sF+nyPhVR!$|mcRCjv+Vd>u`Jr~73K7tQuvjJLf6s8lwDK8bq)+pYW!5Uu!
z;tw7|@9Y%z#-E>^B#439I?Gip{_)#n=1TxQfDYkAyp<DNClM~G!MmuF4}_<_RMKTt
z(U#;*10;d!9BXq;<5$@o2C-fr|L#!v4^(TJvwm5yFdjw^oz|EAz+nFy%G6jC{Nya>
z<#&MsxA=>C+^sg4H2w&KQyK|VcbU@9udy8N4YWn)M-<V-4m%+9KCv0ULW2*_UADP?
z*9qyRK_S$1<-+oLXE;dwDT+{1+`x?jfXYyYLJKg|{`WsIGgc|6njZM-yYw4<|Jpyl
zgW#N#3JmGiNvMW?yekC47$0|j0%K#}?H5p%Ydt4+ht0QMD?NY$@*~-$O{opnr25b-
zGXRum@n?cX!u$VkwL^_BDp;Z8^dO(fmxZ@pFq=GkQ)!|S8ztg7=;fzg-Epx5{&_Hs
zqV)7<k>Z$vP0t=oiIAiY@`Zxo)57J|IYSi@A*W;V^M_Vghb=Nbf%@*3OQiEqRl-*z
zLa4<Y%XNw&h~+<eV+6(t7&wk*fNq7|yFwI|jl4K$Mi)`r;v`xrT;jS<yTGp*^%bhb
zY*i^zQ2Je5YGgL)7T$Zu?Vf7UuSJ(KP<#pz!?=)qaW>z;8zYx?P#dC&>@byF0FF{d
zl*R@TBdpw7lDwml@K1boXsIrrDGm@`o^AQR?U8AP9&~tqQt1A{R`R{k>@i@BF(9bs
zJ$+OA9neaz0P%k(?f}VUg|mXMS6DgEgCGDgPl!tjP64gCv0Iezy4L_q$a+x1Up12v
zJ_!Lf$M?NF(b06iHX^n3=ksTS-(otb0{oM?cK-(7JM~J{R}hLvMba)9f}uA@$gkAC
zaJFkA6cWPtc9GwLCRSk+W@yzFEAf4SdnP1=oV9f9-OzPCfO{E5h^|Y#0VQ_}T!QbI
z_`s1Bjl!4`{QJqt?d~dPdLE?z^>$j<;K<WXUC$|?qxYU|v?NLFz$G;!x?2S5_nE)e
z@6de;aHbY|AH;OqM#-wDIGaCpGMq>Uz&@srk7nTn)GQj$EDqf~*{4}^Ajr$3>#^Rj
z2GpY*o1`r1|3u0rv3N%8nMz|Nc}mAma$34>lYhcM!~|jmAJLO%eQsQGb{zm6|EM`G
zoc(eI|6NSR?U2{W_EC2+#}TW#Uv3*T{LipbQ&?vUQ-&ii5Lb=r@UP&L53lQztZq><
z(_Y+mpcg_@!%9D8Ky|MW)6OVp8AlbA^}$Lm*H?@j#<#<1UHoc`jSQlx#6Lyox-KkX
zVhcbj*vo9aE+08yN3SI=^<G{7Qg5{9r60aN1t6#kIlS*{7^Y5ttB0@OtHE*RDKwAw
z507w&kWX&5!hbaFe+!Z9#c1Ph2j_Nv{E!2%%K_brW;(e1b@*?(B6-9Xl%rV}T8|}G
z1Efv4856YQdY-OVo1!1!zCAt<TI47HD`=D?^nit3QNaBAz34XJiP_2Bh6>z!W+ch`
zwh__!NSaIfB-a2rln~N{N$5!95U`DOU7fMNA33|z&w(O_h<pa#=1>>s{lQr?t|ZNy
zg=114Z_1;R-%h+N4^abPC--}rG%wACZD40rW_&FJelknm_bDeWtQe|LZG!&``m~5O
zpeSOn^V1hQF(kgr!g^c{0!tLkB@De{F)G0KAp%R4PLyLO`F?=gc9M`EP1?L-JO3+%
zEM=l8E_Fq}gyslOB0%<1bfaa~6S=P)=?b<Hqd|7AugM@0tKqOSCMZAM1Q&mAgNtOZ
zTh-Zn_pG-u0J7Ev>V&d%dG+VL#VS(K47T+ylMj3>_+=A7WeQ`BMWC&ApPxi&6VQ}<
zK*p|?zJAo~2EMES&a78M(0}(&mM~U1NZiXKQWgN-Dq@>3ydSG=%S*5ZRE=_n!#7?U
zw@rkA=6|)XHarW|BiXbG7C^Jj)}pTd3)H}Wpd<MU#UJYsOaRr4V6%hOn-{KjL_+28
zFq#lxvdIVr|Gz+440c9pY_>di5k=otajl!8H?p8Z_@x?2E$<cwRGaK~Ne%M84(_US
zpRnMiVcI+@c>miY34+kzaICYxJIG3(Bc30eBOKW$3o~Gdi<Tm|iy>b#>g&SD87L|l
zCA$G)LC8VG-Xn6W{b24F+l-)v@ouPlk^TK+*&dp%9JUh2&U;_LR@Myl*8?E4-oV5u
zRv5nsX$!b0rC+`m!EHky_PWaNa`vfbImmA1M^z1qNIn!!0>ib`O><9jftABlseZKv
zYRX$Cvr-V2jQ!P<W1@4J<ju-87?;#+F;X)km~XhG0>{O^tvy>zZPX~Li9HDLYfvJE
zoC=8<7i?FW3;!LEZxacpw~Z>KZQ}s=Kq-Fa<5R%7bP^@(q32UH+*b+653+5qOjkHI
zgO1Jw(lIjpd%#2TOhmll#QSP|zeMR+82co$2Z6N?;b)}5vygL2T1Yg;K;nF*ei~#H
z>bhQ`UF5Yad;Dsolh15`uvTb{Iknal4SEO8TwB;5n&|FMuTy2eK;Mv_=Ofa)=ZIy+
zUAUo+Z0+vkVc{iLIx;4JuM4I^h6#aZ(FdlThLgxky^Vt=`gf~l=iEE6iF$T9q_(%?
z*KZrdhcFlVinoEB$Lb!D2TkzqhUP43z&vQJCKhn)wkH!jE3lVAKJ*Gu$_HVQLS{ci
zLz};Y&rcKa#F&0isA@v^O&rngrB!79LVgLPNP_GLqu-F=RbpQlMRfBQOo@4v<BFUX
zsQb;C3T-E+=hwWo_Xw|mfCf1lrfN{P00>6jVegM?I|do-p1C<&<g$03N?Epn&qvq%
z2UqU<KkkgD-Hs#tk(^NN9SsA>{(W{PFvnk{e(ilKe%4zS_#P;rqIsfZxTWT{B_1Du
zbiEBrk)Nyxyg_lGfJE6I@1$PpZ$LZ{N`(#<x%#C1v)q|Y^iuo2dSo2A@k^Doylq#6
z^-YA&UIbgj=6rdGwl2M=Xn~U&-p7)Ton?Er8d|oL>k=pp00sfMbdgTUq3eHCesrmW
zXyxFAqa?ShXGSqGfz0qZ>9d!<r6uftQ>~Ez%43zuAFw3pDKkznjSH3Ve+C6-Fm?lI
zoE%99<jnLI#pm314HYgC9xn5K%&^};Infu!ynO(5yRkXreIe;8KS;R9vGIWl+yhv;
zvam;B*IwDBzQ4IlJ<l)QRl%8kbPpoxt-e<qz0jAqss*{VcVPDNvDtsqfB8w(x8L;J
zdAIR15Xm4H8fSRxb)Ebmvx-6~$0-uHWo{7HzL$>0mL-E!9PrOrz`8_gTQ-Z^)%nLq
zyMR;Yj@rxkhZcaBtO&H!2`FpE<Yk7ol!@noW;y@KBdR437z6`%%1(X*^zvy=St#~0
zsB-uZZ`ACd&MI~qDzOXBH4m@?veEp_dhf@k;wsW%91`5@LYl|E8A;nHOx;nq05=s_
z%BgT!`8nMCJZdvb&VHVo7)^=}kpd0Z)j}S+>pV55tz?dd!YXP=boiWf<BCN`)Z!id
zZY$%O47ybiwjUpNM07ahLZMMctV;eBay(3q5CShRB_)$Ay#aK-4k!cSt|w^|+MPT5
zZ?3uhLx}JOqOnn86Nz!(aFKoZKt78~{@_jr%b!7eD2iOQX3sog?_6i{-L(aKZL|2Y
zh{d0>y5kUQ%SG%5>*4U7hejeTjix&eiSY$dA_*R366`Q~DXOJ>XE$YV7F7B=I4SnR
z{PL!zRIUveVAqV)2k)DtY9Xs24vwS8zX7+sjcpzu0Gjgv7fOZz+1UNh<q+#`H`yE=
ztla|*t0I3h>fsPLn2$2*a)Ir?0KrMfsJuQ`GUyr$aY$LOdSGtq<IWiJ6r^hh>NG2L
z;eDwQIGS^QMdV!_+wETkvuM#3;r!#{TI{Q1y-gRbs}K(-gCryWJ05OR5SJFIC`qJ+
zrN`XaotXAYF$6JP<GBaFwI9tEo%Y3n`{|1|%aQe&`)HJ2k=MuL2)SCP6sb~S3IGXL
zC7R*)2104P^Jh_t2=KwiHZve{c!cR5tH0KYzzPJLfBigUepmXuC`4Ejm@R#AQ1oZ!
zIC0gCD?Z)SfYbT`43#V7Ma?0T)=`8~VC0sW%$a7Ndi}Hx&82dwboQPwd*WlMhnC=~
z(qp$2JBC>03qT+hx2E=J{UKic*ZXH+Msf!MBY_JnC6MRLNnVH2Z{T-~<aKv%nN+Xd
zzO~}xh3yL<e6it2ozJtwg+@Q`f=lKD{)uI!9n2Ffyln80qVO5eW}hUDJ5^r%1oRtC
zq(zg;YJ2KX_YA>HInGE!)3=w^@r?=t^g*|}r}g>pKUj;_t^lDU0XAelwwKb^tGBy5
zPAa3i&bKQ9@u{cu7snr<FUIo!^u?6J16zxU?(9Bge6g?*9*tjrujh#F!C8+BK-H9X
z+&!%0kDO@tK%RS;|N7nz&*Z@}Xz3wLEy5V4MpG~e`!<X8X|u#X?_jEbK~!Q@4S({Q
zWc1f*fJb6L-y?V#8Zg73kKVpn5#SuGkd`GL^5xe+cZlY;TJVviMnwW9SRD?5r>yBp
zyjHhS#agkg5#5wPINk50RHkdj5KpP_XBBl~5uq(}pv_OxFsD`a3D&u(we3`Y#l>PP
zd0Xju6sZkTou2lG75uy5&B*Q+eZva}{q^lW;krtgDi^Uel?2(J3wZ;AJtaYThHTNt
zX(lsnhc<9v!leCp-fN%P*wr`P6r0^q9n35Dn-__K8Q9@hxYF1=t61y>U_C`6WiDuY
zqW2u6Qiy|NIX&5w>L%tibZ4_{CYP8!3iWR7Ti}Nzu+2j)`Ln{3KR62lAs`;6H=(k=
zn0B_zc@C62?^vJ6EHjF?s*~Wj;UB<#NvVR%s!wC99(@~5nJ_*1!11b&V`89QF-Ijw
zn}=JM0y!oEy*c{2?FMaAMFck+(XU&9dcWBUtlr$&&7@0b@fA)`Ac(6lF%AN!Z4U=6
zeNm>jQrLCr(hLXr)u^qO^O~reOqwQ;)9RPjWqs*rpf3py{6}BHx&v|3KRDUS1V02G
z-#*h?Y7a}XzdI{w1QxVJ?pA+Tk1<<}xTE^M|D^USA$s2+@tjCESWI;5q;It=q=)hX
zUJBu#FXgmtF)l?)68fiP!J@eYQ27K4+rj|_4)iOgOCj7FSmMi@J&DhDPofE_ksME7
zJMP4i+kv)*i{7~3kp}+6Lu^vyi%GVmJ)fQ?3IcJj8*N_=Urvy;pG)<_u=Q$kc87ON
zp)Sgl<bcU)rv!rVn~LR~|LCo6iz}0)^VE!_rzah!+E2Rm*`hhnFFYb7)xIFr;2Wil
zcTeV}q1^8ABKk9#c}J;1O{~Pxzni>I8>xvCmpu!A!Z~gSIuBHgs}6$zrSDixC&wYR
zdi7Mj!t@j;S}W0`&Q<pnPHioX-+y@vSk~>@<?G+pF8-n=)Augt3tN;KLk%_6lAt?;
zvK$4`3|_Nh_14YMzkg}N%6gs8oC>?>{(x*PF(k7F1b>23Pw7QS+CrV$ed09W-f~|}
z+;Aug`m57$tAwifPd@|4Xy^PcD}A$EJ11TS0=Z2-7S26w@E3MhT5i0NXbb02Lyu1i
z+K4|t{*B^Js8;rDQ-1#f+ilel6Of$x*BWBcvv5xic9uNiIxoFl<!U47eHe+AJi8d|
z+5My%!!AJIT}qSpJ?e`S>Z;n+e|Sc=@AMvMV*p=9W^>UQ0Ostrb>`p(`Wv0OuLT}5
z=>J5hHbY_V1&&ULWQ&EH>t&7+M3`k>?SO`?@dtDok5LU}35*w-f%y<BCy##n1T9zv
z55bdBIE!+DFRqPU`v8#D@#%N>zy}NyUkgsIoP+D+0ZiZUfILDpBHa$^f+8?aq4D1g
zVwR^-dOKL>nNItlFah{K?cY4m`T`V%CP)|KD&bTXyo{nKVGfQem=&-9pxy?3aWm+P
z=+-?rLX;MNLkfb)z7*t702(9PT_*2O-1|Ao53LCa$e-jdPK|%fJ9>Cmu~sW6Sz5wN
z>UH2{4wrstrh{FkH;IZ%uD|_UzDs7)7K0%EL^>+t-(y48vHW_I8R4QapszYOHe><G
z77rns>D<eTzo+Z>Er=|A13ON`XP;%NIB{(f95Swj$T6*}fr;P`4*=LNAL%9W1K()6
z+95MR$(NCTrrPo+XWb*uusIltk$v<nYW<*Td;n@~6j|ck4%;!`|H5bu@e0u)(24U|
z-E*rW55C6x)ZDdH4Mjt(OhbDu^qP4OwO*e(i;dvA1tc@BEA73DeUVYik1<GQXAk&1
z3!bCwy~)X8&Tb2k7MZabe((U|-n92Osxqwyomty}R+Cy*bro95+n`21J~W65pPwKg
z?j8}(1SR-mrTSej#ro=dUhZZRHb^}J^#B^oeQfz<(wqQ1Z1ItEP}56E4p0lgjVLo6
ze_t*RisGaEa3h+j{FNI65Ro}`sLEMYeCO~=dio4W`$Yk1=N{n|#m<X9*S=lSuiw!5
z!TI~8p%Z-Zc#!P1f(`VsD2ljz57O^Xovy<{5{g<|ygcEh>IgvQUx5Vdp7`+n+)(2m
z9PEm65o8jWoGk;YfbSlPNfgI1sT}a%neK^#S?+64BPM{`5ylk7HKXN!p!O;BW}kv)
zKqqfJq1=dvP7X67Jov)>{*Q0fzfDGth7g7S>X4fihE#|r?;+d|jk8`EK>+|5v(rXT
zERUGTUIu*pKvFhL>R6~SGFiz;*Je@?+gpT)B0<0<-iU-xYz&loKBDuprnhw$vPluo
zAYqy~aQa2T7veThQV6YxltcMOA>?l;9<fVFfv89=7MRYRK{1hvyMoyL$YA8O%Gy*M
zkGB4%8*{2EQJ3p)HBaH4t|QOVDVWsgL5ZCJvc?1I`eVB;bhASrvflQQT7JV?K%v5D
z4oG_;A)I?76uOTu^wsD4_@2K(5{pbij7cvp?s~Px8-zt%9&RtSA5e&0JRn`Yl`#F-
zn|Uzc=j<5|NLS%Ceo`lsV*|toE4|%P`$4k%Yg2vj;pl&qj|T6aguqLqk^P&*R-BQ(
zq0-CS)o5_a`ZCNcIge(eUh1l?*8|4*q4{&ybK%yHeu9oj0{Pv~Swf#Dj=KO@*r(d&
zv+!Es&}fDUz_jI5<}tddiWZ8$)@&ikZOodqKT*<AsJcL}1!5>~A5_Pm4c0a@Ua+C;
zP#pq*&xWxKM);gCmr#8Xy4J>|2Sz0pjJDJ|2gda)7YvfwJ(gq?wO<zXqNnd{I7o#4
z?X4oFSnk&w_RXj7RA2U0Ql3Y5NXnP=5+&5!ftZ)qXTYa{V|+8=A*b#ZWZGnPVr#}Z
z_eU9RY*O>NNj_;nt=e9XQMMun3b}?VEDC@K<U)EJ**3TbEOi}9l^~vocO$o!s_F)1
zKAPph*CA*AeVpAc%PI0ajisT<&3T;LuuzAKAJ`ze`LbjhrP~%+f89EN-+Is{d0`zA
zFtV0SjSf4u+8FmWrH&DF35_9dz$|dDi!sNZYjND%V{Io#745ZirubW@!Is!p&srjg
z`*5Hm8+rcY0<vhL&M(qC_NZiqTJ7GqSaAD<ui6K(oWK;9dzJ0n3q^@&JzD4f-{0MA
zg|j(KebP;qF}(2z%zb`yGtVl5b9sv73cms+uMKy~B+L{CHGph;zo^+X=M2z+tu%Z=
zHFU84f;cHT(fR{zx+#0&b9OIgb20)AH|J}KVWGXki-956Xvq?34skW#yYwkrE9LTN
z(5`o^Py1q6rkhYk-WNbM8uA-E3-T5~Qq^tBl@+BHkI&hOV;bBs&3Gi1yr?DTRO+Qq
zf*%K;KcS12_nL7#iDMcUIr<(1-kOj;K=*!qW8`;!N0@g<Mj$n#kTC&TWZu&nxE}NO
zVIM`oO<30l-8I?!8PzqigUof(k2nlH5GGR!eWxA8Uwx*a3%3N8GJj8ZE{z3T51D;d
z8kKM{XHUFEF~=*#V6doI_{@QmT99w?#hFfX?zfHGqT6?R3x5S!?>_*FE(^T7KEB%j
z=ezHDa9c(8H|(J5xQ!ecbaq??VEj8y9#11Y!QSE2*i+e;vtv33c^y68XbEI{ns9ZD
z3-`mo(kzikq<wkzb63apc4zvZ%3o13Hl2Ytrr*w75ONE;^EYKo(bOln!X^1fnU8(~
z^Cn*eZFk+7D@$siv5}^}agU!MZFWpqdRNFnt1V3~jUtq6i|v9Mamnab5QSSI@ju=Q
z70&gdeloWy&1q~;C{@TGt#|d6Io3ms>zS7~V2Cb=RyIHzCoL+}A2!ZE3{hp_d7f@Z
zN|>7Z3;K?;xPYC-1JY)iItUik{*^goYJ=#&HGhrmQ=x3^<a%HA^^MM_AH9GvW{D^#
zPgShdOLr}{A0|tFLCu&MrFSLP1%Qnlwr}gRPkQO>tak-}M4*VSP0|ElAwoeczv06R
zZy_E>9;7#(7?h*-UffOXAw$iyM`ejzAUQ23Bw+ocfVX~L(zT<<=$n&r1vVX<1>0x1
zP|yxv`>__;sbB$oMT-hrBm$A8=lQSy)dCJ0-lg&4Bp;XkbVvZw9d+6F<(+Sp_xA<o
z4*H~Zls=6xq9cPD6S6D~?p*@V$exF``O-wDUjk_5;-9Ro_VOj1=I%Z187W82Wd1W_
zY^+X}x|>!P0TVgqhHBxSRtdsp86D>uZ#Tkq%ZMKg-$3djNbU(6SY`R9!qV7jcw`X3
zb`ud)7?i?3`T$CJ6Gx?nfO@@0Doj-nac*hy94eC6pDIrDsXaWPs9JB@g6#To2cB=)
z^_MX?re5W%VJv&9-EKFaj#8?L#;K50Ldfs+dj;Ne$M&8lBSncF^Ff0%o+XK|{bc|i
ztdo7h(VdQ9014~QNiB4LRZf8KvSMv+%7Q(|#!xdT%wiQtoxI@*JqSwhGX?W|ZAn9)
zpO{&IYl*PB(tj%(#KPx+H|9ban^0`XJ3I#tBIlJCWRSz{^9ST{p-Gx7WgGIyzO_W-
z1tSajPVY!(q&`BU`WoAj5qtq5EVGNsD|NfYvhp;#l5d`tc5EKMathA~#Yo1<001`g
ztk`WHkuZ0^pb0MY_IRY9@~*UWiLvN~JLKI2Z-BWzaa5^9u}QXQG<<4`>-9447xl+z
z(c`K6ptx<1SgqHB;<n@Bhb$^!Dy5>y0U^0f_&ZzfM5E*Lg@MKV^FZO}q+#~R4~)I<
zV?J}m(4;-1*`_DgOlxEape)Z|pL@POH+<6dRSmCu;@K5FH~vc{Yk@bMF9SFe+4Uhn
zNdHDkEurnk9|ZU9Duk~vW?y7)cn{w7>}xy<@2rx>?aVKZ&Y9ukBd$FHqNcHg{DS<N
z((fNe@IM$Y_pQUBA3q8wU-zA~q~~JzBP6LQE(x*yb%(QV9sxu9190Sgx18-cVadFQ
z#M1L%k{85xCRI4eSD<@4#XL$FsNnvid*NhZ{o9j8Khtj*lz0P$)Qm-a*_~&7pM$_t
zOBU{GKk|Lj3(9`t4f>kk2msbSb;#ZaT5v^#l1O$L52?AJ>?F22T}fU-4A@@~_JjLd
z>__`=D_sC0|0HkUvY$p}iIgzd9SJ2r{|bv37xh$0nb0}8I(Q=5dq1x4N!i4Dt}68Q
z;SC<O>q2IU<4xfWK9v2i%>w%U9oM1pj%g4Uaki(m`)6TG(V}SOl5Kcr{$l1&H##fP
ztDcs!IjY;>L&fM{zy}69fK$LnK{Hx>b00%L0OL9cAt;^LVyyoYyo!*i2EM=i+B9q{
z3$ne05T%;@NNZNqtg(dCZcjVsHm$h7Sz@Oq#OSWcAM!GKMf?z}48%HKDkj7kFO~Jy
zArr`YNwwQQfyv%P!@v-Z14FpKf!#i2=|%#|sK1ASfTFlbJXLi-_w1RY9cOv$b`f)f
zNu|rKi;?a+(H2e-rM%z$IxQHsBf9K7vv^@lB*0bH|8zG;fJl>*_!rflp*Rm^20M#J
zBF_=V%%@`9(@$xOLWtm#>~fNrp&&mRxCK&aVB=&O$dFswsYuosfr6Fbi%2@M`c#($
zd3gZ3y&w6n(CrI*_bpIb@K417aWw2FEyyxK>3zYDGUjZ(TILQn{lntHqnaz(>K+{^
zPm)XUeknNr_(fl4B!QEld<vQL*!}dKV|*pSI|ST>)6r06W72+@c!;R9cL7W2iuvL)
zeHu`g6_qOhbx@oPrC@ybyEo4qps75}&A|C3j{SGM!T@U*3_@cEkUSb3QgP6@9w*o*
z1L)^O3+sYO)KV8<Cu9<g^VqVIV2=h<_3qKB`%a`?AhOhbTsm?0ZGDcR9)7EG>}6=+
z(ew;E(B&Sl@O3{6bE3XN0x8g9!B@;4ymFtax<GcZtoB03;dAc{g6HZ&cXzLWf%5>E
z0Wz_(f^2iuEvvpI0Xt<#kl*u3rw~gwcndy&2{syX<Wx#v5&?3W3!4>zx3%C=@^G~B
zDA}SJpPP}&HO-p+Xq~uu{$Y7RP@RfKV702M^g|8<3X&3vBDf6WKon%mBxWfL-qsjU
z&$d9%fCgm5f`+(t=JoxD0l$9<PNxLpFBoy-onf`lH5rxUT@$%i+#b8Cg%!rUxo8?h
zBk$10!YY3u7lp2p7y3Fl_ZRWqQm4=fbOUb`0rmi8U8W!%85aE_{!p}Xi4WC}ms;uG
z+&o!o@3>r|1qXE~a!|+K49pA0L*W^>Cg(Y&dlt;icwdma84c1LgZm98tER-oBa}9Y
z-m>>3o?PL|+Tuz3b5PK4X0jrLXXiTzCp0M>D74kM2uz*{N18_&%vwc;aG0f9u%3$$
z8~}W>tC{y3U@!dsCl11fKkxTijkyJ88?uyV!X=)=&0eR(w*A<bBd75jdK=)~B^o*W
z;?dLxGt%){fQWK_Z2$#MfA!?cqD`exdFok9Es|ORuyOq2c&$p;%nJ{m_<+4v`d?KA
zE?*OgHAxa-$u?t5R#}gdNKq7_Sr>;O#KI)%{iWHwYgVEAFGDDWHn3%r;H1~Pi9W>r
z*R5=b2!93F$CDDg@HPqHGDv3q725d|N~-nW^ItTbU6cJ4_1iXS41z|rVFi8wJFrQ@
zsBRVf*W%|zz@@h6d2r7?{w;R0K>23?T#dl~%-)Gyle7a3hV;E6mmwVm$3e#d$Q5W7
zCLVH(N7+jN>u26`DVWf>qK3CT=7KUHWQ%F*hP7&h0bVs5ehPT`<|c{wS6>Yr^{j!s
z1akPyx(4>CINnjRBFG}zlW|$gZyl%>dnh`-fI8xUwWt~JWT|w$5PWm{fzmz*nWS4Z
z_{lP|D0?z+xA_#=On%`mDh>ijAJH^Z`ox3Q!8ySl0BXeNBOV8y;1wdxIS_f$5d}b>
zMQ^r|0N((&<*?s33#84s0^$oav&Q7-I*i=RzHCS;4^Wd?)s<2h&1>!_1*8z1Lg8sb
z7eIn4&dy*b$-J**CBj#~<X)c?)w&MYxAzf0?-W9lfKimlC!aT<2Sn+NpZYP5@sG|)
zDL$V0HT>;7e;++Cm7pzQ-Nj3@l?<ZvU)Mksmi_3+@$Xle<Cmv96F@hh4J34|r4&f=
zFG6RBfa(ENa5P8iZtNU7%+y^dBft`$2a%2X1wOT;%*{ynE@TP9cP8-5&-3Kiyf*N@
zdhT3BgE~G9Hz{IP^Z>%bkKWjD>LXzvWR{OFSZky8<9ekJ&Ai2~*9pP7t52`3?re}`
z2PeKL@#G#UWhx)}_r<TEkzXJWbm<f-tNwNbH>QW+df@9=IsO-qrA6|KW(~581Z4ym
z%v<ikcnK}}O6Wzpd!9nlqVBq<tJz%VY2SG@pGdzyczDKq#}seVU^D#gQsC@PDkuv_
zGMl-J3lZRq;zQ<{oP2M#e6<kY*{2V65?(=4J1O@fxN^jhWLGHzJL_FiACT&*a4nTg
z1I3yw=OUOENocxDC&9DR;Ztry*z*3Wi~lED<R2jjE?@hfliO<W(r5r9;)eXeeb1Z|
z(6l4%2)~I)X)1RHM?VxuOx{hnD3*au8v5RCVGEo2Y%Nm*jUD70zkASepPS9`GtMp#
z<mV{F<3b8gvkm(!V9$+;5cg*&zWcQ|7(PEu_jSAgocQ>&b0(!gHt&ahXh-5=A$@Ph
z5&w3v9wH(vk=9Y1F^e4N8b@~%i**XEd35y^+IGtp0gR+4*fxL|{bI488huSH7WgmX
zM6xm*i5WN2^!WZ~PBj+ugJ<zpzz@~@>R*>oqAqf_efseX%@1%99IOrqkX>$*B#n>F
zW+OHGJyoZ33`nx=_<%oH``{MH?o>mecqIo!0o!xLF)h7;;Y!cimw-hU03y=lf`NVH
zvYi>%tbOKv_gk(C8X*)KTJR(*W~6n(N6qlhe*<K*mwW3eBzf-q9jEYLbO{9IMe<R#
z>6)M&-L0?IdLU7yw$rW2F-ILIRlfYVyvb(J%D6IP{tx=S;_^3F?|fnZ&&jN_&s3OH
z7T{dX7jiPxnmsg~Y)?_tADM_X?~R<s-U_XP&U;M<o8ri5++xFSYut`}t^94{txgK6
zJtG%wz-V~^crfw}O3y321SNFUabMjo(ge2z6m3MjLAo?nqISVT8@w<H&Pt~Sxtmf}
z%yLhPKWoPiORC43feZEb>6x!H_K}Sxwa5?*2XreE5B1rsp_?C)YnmY`1Y^#09|krV
zGVXR~-sAWk*Odw*Wp)2(0KJ)9kiufm4^-}aa?Hw9^ZpFyqSwL20Rj!gfN-(OT>}Bg
zXmDV!BjY3I<OA}Mdto9TF2)UcXx_y45}@R1fKno~R+;4WW-7vu?LuPH&H1OZ9O-M(
zaRuYa4SzC^0FF4-yn7l!mf-C(d1i2hUGd6`oH$YAEW)}>B6b5Z4z!@TjDG>>Y;WH@
z&G97<_U>m+Xl^i?^Z=rxcO&i&A|<u{o2qL(usEcS3=lw&^2q`$wc`R#rWFmIT}{dX
z0D%V|vw{-gQ@GZe1RZJrXeaX#0B)gL)80(=3cQHwZgHgc`Xe>yPa+8|2pmGcct0nM
zg{uTr8q#8cWJn_llJ(A{pav?ZOpO!|dM+Ek`)nnDsGHB-O6fm_O@aFCD+e*0mS?w!
zM*Jnqv$rr3T7j~6w94j^;OC(>LUw%X2SBOa1cr+!qJV2*uG+F#Iya!d7ATAcn4>)h
z$og@CQ26gS#Of7_;a1-2cX(*DIc%=N4Z?G%pF@b87fJIBPHtbUTLkPssyZ6-7u+@P
zeL@B2!<%JYuFheVfdnSLOIfBuLW|vE#c9d-sKiy^RG__!r-}!R!9fgIRfk(gL}H1y
z7AZ%llYF4>%{t{Bht#K30{KJo34u5g=rIfa7NvpkgeLZXKR``411bJ3rvOOc5&j6y
zXwZ30k<<raGN6|~?=bx5zj3?SfeE&bjOX9`GLv6LB)O_&%b&UQ7-fFI8YOV?elf7&
z0cdQa{c|rtQ3Q<)!iCmy$0OMnxPuBd_5J+YiUw%7{*^<%jyX+h^|`z*ZdGkESxV&s
z4HkH5BE6j!Tri<x%TP{smF^k~7f4^p^rWt7!yr2Fs53DA!`lxHA9&A47rMIi1a}=J
z$tOGb&B9uHgWE%&olBmK2I$Pqcd3lo7C>NBZm34kfNbe1f08O692foJ#G)nrw#Qm|
ziNH;cR_TD|KcqZ=tkUa$i_e3+;7_ctRp?(sxY+$xUF!O1$s2&uKFFboy}P;Y|D0I6
zwL}Sl(umY=iu8dLgH5MdY>8M2jDm|s6`=b|P61h2*_)^SMdvjlcn>10fWwQaUp241
z<c+2-A?3{%D2-bIGzsXt?29|J)s=I!&x~hD>VcT&Y~5TcCU|o-SVD-!zXd@a)gkDu
z>J#8IfrSE^h>CyF=RTMZpNGJ@{YdYYd%E=axt`qYEEMHSUbLH8^lQpExHsso4g*!%
z3PzTPaG`1kdY>xw_<%y4Bp}A(JD{AT0gf<Pa;t%K0QUZWT2l~3y9r+F|KnF}8ar<I
zz}0}+lI7cM*d)zgdjgc>aS)CPKt)nbxmTgDEBCeTo$dXVd1vfoFi0zCl1tMBc&%cf
zy{2^eGsd?KM-0Om+{i9HtVUvuHh!1xB?~-a5dI*iH^&M<A0P&1&Ty0LRnQ{;og(-?
z49!bHG5V&p1CT`%RB%)1?V6Nh2ggMib=w^<^B97}J+}LvEYaEi;zt#r4nT=UXl6As
z-|vKpeo&3xMv*+w7TONgc0&AXGYqfEQIv-`^$)<<#KH~Jl#k}=!T@43i22<dCCFyJ
zZ4}QrQ}Al=3%wmO^#Ln+4AaZu{mxJV;{6Ug{Md9r0h0y4-efZ8aemB!{1+<y4USOK
zpxI5Yz+jZ|*^^Dk)qMetse%;J$EZ(&e~~}ow8xEfr}RW!n#H>ziHnUcsUTInfUk(c
zc)=Or<+OB)jtq1kRf(nlAwF^1ZUOWA=R&~lU+mDsCVRbsI1@C88l{?{G7J^om<8d^
z|19#3r%`wP|5$s=s4CZPe^^RF5D<{YMG68+cej9qC{iLFO1h-GkrIm#q!dA=K?G?K
zq*EG6DFNvQdFRdE`<!Q-^PKU2KD;0H9@{b8u-1KFG3T%5gel*SO06ppY&M7Pi_#!<
zVmhq>>f6j<#>Htru|dMbQF<<v-Qb-%wLU^x`vJ{v3E?rnUI7ixnNDW?1qjo4)yhWe
zvOMTkf2r%@W#`xY`Eo!_!w?P=@bdl;7E;(lNAT+e$<+iffHR$Zn&lv{AfkqtUTiCt
z-vSCSO9ZU$uPP%R?D|)C^|p1g<kH@`iGuAy^G(>0cU~5F82Sd<f%c@I8nL>?lWB;^
zCfAtftYMg4^9_ZtPsx37s*;mAHFPnS$VDk3UG8k<W~a_5v$#6l1j-!(4RS-7LamP2
zfDb?3k^L-9>oY*l3^8=V0O&ceuhT$?DDvn<|E-lrdGPenA1qx%2148lIQ#W>R=UYF
zMEK~2u=t%EPTcMZ>szb7usW@!6|e)?^4D?YFFs){WsoU^L~im#C7J`uCUTk#Xai&r
z46RK6AO=E2)6<z7uwXynCV`ax{RxamIm_BSO@kNhK3NX57^3s|MQc;$_%EDz#(jhn
z&yLvC?a{(HS4eJM0`X0TK67|=+5Yqhd(1T)*GQrZfD85{Vxi`xs!nsvVj3vK*CrpN
zxN4+_Uqm9OT^ND3g`aaJ8(RtITCfpboktR-?8TS4$UIDB=*I1p^E3h~E{DL&sQ~x;
z66FQ{3yyo>@H$Ze%k0nJ6|1@wB_@$!Y7!FDhJFZROfw1*`FRYe;pM*)Fw_4BC(eXC
z?n4LmOg|#gtgcu|?65O4q9SNnO%)UYqMfPSOWu8rilEYfIV*@O-mGHFv>M{ijr1W1
zEyv)KDk%3U$t+eYH#N3nh=^_%v5U!)HbQI?6Cz|?a!b$-=ZN7wLTvMU@125KNa#<&
z%um0~BDq}{Y0N$v-6|AYfx%l^^-N#emhvjDvNfAUj)U9decM_GA6^NJ!ik4}E=R2e
zp1T^0M0X%D1juNfkuRSi+eQ@+vYRt9#M~g>;MWXjNMmY{kkQlFd!a&Zo-3Bx{gJuX
z>11629xDthK0e&#WTdX=F6C$$g^83fRnXOLbQVcEq7kr3``|BqwAP@vo4ufDxq7Nz
zbt;fKgi~@BV1_4m!*X?<T)9hSsv&KFP?4x(?>f+S$0aMDuE7N<rVD<tedL0a`oAtn
zh;#>`)itThUYEl&&M*HAvyafm3)r=B&kEap>W&*mzmQDuUwr*JT5IbHNCDUL`MpEW
zHUlzi8N?TBI!1?uA6t8pLVq6SkkkrM30*b%A|(yV-20=%$&L}|+owc!a@eo%$DIRp
z**_I5?Y$d@^Rl<T3RUjS(a=;63pr0Ku>SNtb$I)@VC&n>dyU$E#y>)a6JD^Z_p>v{
zgyec|>|scBVqmJ2Bl!V>4gly@Vy8SwEwrCTez+@u*N03}{csV~rSs;;Z&ckNy=en_
z4fdLXSzd!mndq7~suz<{?P4!WOJ{F<KkkQ^+qI&ed6d%|;wjL9<4q(#RA8BeXt4>R
z%&mOJ`7P?Aut~5&;aXo^z{gjBVN{6d1xRN1d!kO0GIfVvkhG|kpMzPNmz-mm(AfIQ
zY0*z`Z?#STpmAN0cRm}zI#%5fC1>OuHHDlh4L5?{Fb9AJFC-^@f8eei60-5B<LU=<
zZPug@vayXqwd=Ptht5(FtGOrCU1VyZ30AxnCHLsHko~JK*c7Eetvo{}bRwbHzH_B=
z7m07Wr@i{eRn5{FU5k~7X5$Xl^!9Q9u@?T|K6kU6dsAF1xYkGi&fqk2rI)=p@oN<N
zfaHg*9KWoGMnv_OKs{pQwel%60}ekHAUS<Uc1Gf(rM&1lSD6Ej;NGFS#DdJx_Tk_B
zH#Yfyo(j8>$of|@bMYS0iWyPyPSHTSqSsr%<DZi8BZUso*yN3ynt53WUBJUa$j(q_
zG$BAQCtj}bL=v?S{@azaleaMu22;gEi$30@Ksm^%uRu)8NRdcBN*u0u+u@?j3rdW!
zO~PYOasvzR@?J4>?gSY{ZCusDIihKnQidK<3wl3oR%ijUv6GPO2ymn@xt7{#LEihf
zjE9sGLXP7(oj+V?7+41L@8y^BN`V8p9h)e3PZf5KkKpe@e%Lu8x5kw)_kn5Qk@>%N
zPVI^Dhd&c1Eug%bg%G1pXCKGA@Ilf%Mk<KR?&C_?X-B#Fu{$I{RG!%sUQtVoPD70U
zkm)MoDVT5m;t}@PEfwtMXA!$O;mjNrbbo(#m!U3FXJ5ElO2V_w6NF27>zUXz>dGBu
zuqS5+R>3Hs=LAJ0=d}YOO40Kg90n!X5S{}W^L~4xr8p_VjwwcP<%T8eMB=sp(8Nk%
z0r`h{UkwECK4!}_4%7}2P)}by2uq9PR_<Oi!AU3U{~~e+(^?+;c5JSG@jJ*Ol7F2~
z>&JGjsiz!mefxUUrrUb1w9p}Vt4&ChfHjkyRJv3Tun|eM=xn%3EfL&?w5p5u<U1Gn
zEr{!o1hGz|Zn6t7U+(l!5r?TU;<D}6T+=GR;{Uxurcy0(V)oh}LjB4aiQ}!l+bWaI
zpMZ{U1p#2c-(E$MTLOEE2{Q&7+o^u$#PVx0Of(2*UVZ^o1}AozWg+9T@x@X2yKTt8
zflmHL4}#U|!#uGi!Rib_{SdCupLm}U6Zh>>kt<a5;=m**yzcYoj?|`z3}X|x^+V3+
zHNXmDIuyBpQz1i|KinVtH%@>QFiIRCOu`RhKWE*g|025S@jIW%oGU_|JK;T#*F3~`
zFl7GZwqf>U`UOKVs7<8P9}Z~kbw?4y&5}lJ)%UAjDYcJ=$B_-97s01NbRnD#DIPrj
zckDjW8%K7vjN_Xf0SFi7={P4q?k7@jTZuBP_V%cY@dVd%2^j7S;;!EP;5yh~ZR0R*
z$~UJ1gauq;dQF|q0C0pO4IB;xXn5=7+{riQgFvE$coMC9?o&9oqa)_LBe~$Qdska`
zF(9mgXZK@A_i&oOV%=4IqH;sS2&tJw94Uz8;2`k<q~awWzB7e&O@=BZCU5n6DEbzV
z+@9g6NPA!B>R;`N{A6}!v=@?@&z-e_+0ygg_;@WOFJ=s({Gwo<PbQdO1v(~5l1dDS
z^CYj6y>HTHh>GBDG#a#1AH*&aW$X$L8a+3ed8T$%d*Y}euF=jF(FYAPyoczuB<hv0
z=OD38-fY!=S~~^JC$VyKYU=Z1P&=#fAl_eI;;lgJj8k*!>5~&fj{!Qi%|P-k4_3fc
zp>2q~D85(tV-0apNH<i-S3Y^<iuLI5JpUEvM(5BZB=|>|G$sZ+LlHqV_BE^v8x!+M
z$Qk2wA?dJ`z5wVA`w<qnpmlZ;_{4{n+Yvc5KO`%LoPsCPO}bx2bOis5It=}$@(~$D
zUEahPOuMp^U>-wihm}0>$)PDW`hnJua}Fepbw43Wt2LCiWRV$haVra#d@1U&&c)a;
zyWj-P;^YPLYs>+$(6J{aYW>gF=`@zQcU^Q?T-I9Lyz<W1^IjTo(PVXFDU!2qWCKBz
zQ^w**SMCwkGQ^BAivRX`Q0bG`e;|CeKyE;f5TKRNSE0ZJ{zXqy`~Ej)!9wDVoaktU
ze@l6%N|{@Wkv~ZzaD})heAB0QVlCTYl?_!mIQ@o`>WI0PK>tK<ZuEI7u|%j5<N@MQ
z{Pip3DFo=$P2kSJ<fnKP3|?FKT6H)6$M2{$Hf?<3@(@-FLR{>FJO4YWjbr6{D2O*B
z0=dY7u#HI8m~rnWOtHcRfx$Xy94qOc?~7wj4y6TX*8b7IpK|WUiQGGKn2%wTMdAHl
zn~cO>_To2hK}g($gf}LrcjMsdUW|>c6@*?T9x%FA&^NZlLKgboB@C&LJmiRvW9(cJ
z#<ayuz2zIgogM=2WQzorfjn&Gu^BExHKPMeWifkLYR826SO2FnIfJ|T;UDlTRFVPL
z>gHPc9Ev4msp<di8vl13{QrfE{GTYs|4(=g47~;OIl;NV@$^&R>c2fJOc-~dAkX8;
z^dS|^0-72-913!o=dyQHP?&#-*+ntazcMO?1FtRjyd(V?=s1=e&rpso7iL*r0G=KZ
zMo`=T@0CZ6-3iR-GYFmH0C+u7wolatADb~n{#-m3Xaq%q|6=6%xBj2Wf&eca3Yjj4
zV^1Ts%K3k4l@$9<=t-VK$q0&~yB1K6@1Oqyp73AufWhjVT+_}7M#jkjQ8+_$vB|52
zH6F=)TRdPewjmC%`&KOZc7X%1&`W=P$>AsEW>5x^17?=ij(v;@SVkbYaPj|}0Xt<)
zVQnZ6&m92|pbDlsBYbd$$KAeN5`!{)qeR5o48%gWAXn5bqE-jFZriqGWj6!naE!H=
zN{<d8e$sydY{i$*jZnk01J)^<h<_l9IehABcKeq%rVv_-Vb?_exM#!7hUHyi5KDkO
z9Go54ilw69`1E8{kR3QD==HnBRRZ_vccdScAG-qJFgQk0Q=8C(v_Wj<`SMZ-d%Yg^
zGG}7%T#xkf*Uv!vTt_C4ZhOqOzC>D%T_S4lZ&U@xqSGkHQIJqW#V@lFV-2o_53PSd
zcJ&-+9t|i{+58SiVbC}y8NDeT6>-z!b*l=-i#PYDos=a^e7iR~1IWBu%-H%XExp=f
zd``U{=Uct|h!K?ux|=v+IS6|h$#Cc%bN*YKfCMl8FR1>nBkXOP2jC99Ffmya^2w0s
zVm{kmmi@^f;<sSd?gh37D4^Tz>)=3TubTz5K$A)xNcc=piX({4V@eB1-e82B>nOz7
z@@p{v8bkrUL?)fOI*t<zgE3wWPC>+GSoq*y-4y={SUpFkH9dfEDiX}KP3Sgn-tHWK
z)OX{T*sZDa2v+4Y3Ro4A<BY&}zvhv#hR93cb6wUGU3~l8Y==>#&N0fdJ%QJX?WwLA
zVlrD^Kw^}DRnQP?M|fbwPQD)w4hsPo61~Yd7{{TbghZ#nh^vHFkCLMU7crQdN^3Dz
z=KL!k(E%PIS#<cv=7&x>#LbjhQ|h)koJdkK3~|XGTY+>Jt}vYr>ZVg~Msi4vhar^c
zmVb`+i=avnh5Xy^Pf`y~mS5wS-RM93R&yfIOhQc)^_X2Ci|?h@D_k1EKd*Yi-?A%c
zb8t`)-FnuGLaV0R#HwDOYc;wa%<}YP^X}-E9m&qB-DPx_G5o7$b#v^SOXtXgy_~86
zNo&8s!)i_GXkburA;hNnN~dJVHlPRe`uRY7vpcA4Utm>D15&-BM9}TGQL&%XlaG3Z
zW~IB&=~HW-J!Mw5>KFye<;IHuy&2;zh#H`ZF`|UFy=-`5=ZD)pokwtaFF=x@QSw+r
zYaDmd_Bd26yrAvyhU&(urUKld&LBs4wL6%j9|W;NiG#+Ti<x%YRVRNAt?p&=Ua3>0
zylbI%IPbsu!|&vH0m7-qRPdqk7v3cf*@QJVD{zdn<4L}o%)V1z%ce&ZDT9Yya#r5|
z!xcr895zd{*efpk(ioYK)TGS;GUS6M<cB%5TG;idv`-{wZ})RxE^5j=nCPIxnYF{Y
zH7f2|u3fMXPVWviSUh})iC|NF>7Bo*b!W0&(9{xW9vUDPp$J>w(0^9{QV7`yf0u-L
zu$Dm%iZ)5!6~>;=1xV!r@~I?{k=Afv)s<rZXZu_cxj9Ep5m7`PQYU*%YC6ZsT@Ar9
z)&U%l`My?mI(yyj@2Xv6W-BeicO>>JFrl&D{__tj1>*=pzR%c!<6RD3^VNc!$qeXr
zUJ=+@>bMIXDgn+g?qTi({Ip+fvtGxsHs2JO3BaRitOjsz1n<4kIpDzs#&b)JBfh}E
z@0()*>)mH@#=&)jYnM9c<a0AP6D0<oi{g7u#EF6r;`Hy4|L6qx29YtmlcX8si4Nl~
z%R}>V{_=sGL7VT{Jy#oZP;K(8TmC)(@H)fWdjnd+clW;0yU`&|Qs$<j4lt#i7ans8
zdLJe?bMj}m=I$?xOOWY0c-Pok-?*Wwi(%R%{V1wy0*~7HS_Tm{-&ec=-<hMEFXlv=
z;{(|`YAA~cs{&@g@3~nUyCx7ZGu9_6O>XXC61oGmN#Ld<&M-18F28a^RoBIrH*QxG
zbe=?x59cQ$0cK?U$h9gwZfyq{1Am$~4n7&Tt^bMn>CP<T%N*gQL4LUGZqT2M7pyAt
zfag}_2P5p>6n}sUbl!FhklF|`V~Uc5Pt!!1rMh56$WURIT&z#~Af|{q#<y9iNPLr)
zd>n{a!iptw7Fg8^gNeU$jC7;9vQHxbGN4bkn%r{AOshQr0q^;U{BnFm2Zb&9o?T`r
z?3mEyy7LQT&!hCP6c}Ro<dUO={=S%G8K{ovnVa~?*+W<c)?vxfrUx;~LL9n<f*}D3
zITO1ooyX6o`t?Pxxd~+ZvNXf)bvyAtzaN6EheVAIf-DJllBM?!tF{CM<kq=i%V5<g
zjm+Z05hXyU`s^gGN0n@YH08$v{I7Xb<qTz4*&S~F+#0<h{KLXHk|M;uN<yHnS{pP6
z*Rq-d35o!9|3W`PpZ<>)z&742bE55a2G>cK^TWy#2o&{)1@U=5n$b0Pkge($#Gr*i
z<_M2kNfd<z_l!l8_2^v)(tRvZd;HX{eD!9|4lQvZA)QEfcquY+dEw<K=%@N>paX4l
z|7}qB!Z_czCt(}>ZDTpCF}vOJ#EmefHw1L#34_BIna_6fmjP1ljH6#e)z%;=@l|fd
z2;I4O>eEOX%vrd9*cBuuQ6Nt%c%Qrz)UP>GSu>u|(<x+)@E>CzHJM_$FmmfGS{B7f
zn+Y*5SkQO85i(Rx>yN_wDT9i5z!Tv!K*Ww|O44nB7xdv5dBE1?v`?#6F@X<v&J`7!
zUcOfT^8#~<UJqM1O6{6p=>FFHrxIfwa(eb>b8O8cxVwm9oirwg_a1ANJ_kyR#4MFP
z=VoQ5i7ap2lr;5tg3_v<=VqZa@Yh{J_`sI)r+9(iizmgB5J$~4B3%}?W)ukD(*Td3
zJAh2r)(-3sFYQj>Y|J%b*|_n1%hneyU+$sFEEWY@V{5m_vo70`$PNrVz>$zfGdP$G
znRsU3)O)L<Je6SlOsM24@pYbCe8g5iFO~{rqaMgl-F#&6Td&5s5-O}V0&$HljW~0W
zpUF{PVcWN6tL2Fg^<;&lXNp&D-pafq)o2lFJ)fdLnwWAlu<%3mn#sneCZ7mP_MZ>w
zB%+X^+eV3e1ZQ?NYgAef7LL_4Z9N;CJev<1^(x#(rJOV~Yab9}thspk5mNEg(mg{^
zcXcXT8scN8C<z()u3wKz*nf*^FQdges}5K&TP}3dsK+Jekp;A)P_hF(68DQ;unjuG
zWzJ(~l%0JuWc|aRiR3IsZU|5I2MtmcKTLx|hdFk3YtH5-GWwMUuh8>|;{eN}xryLC
zT@}$eyQQ`pv7eYiCfbA;WMc*$k+chAxLR`J?WlA@cecX5TVQxT>%kffRj@P!za(Y|
z_MBA-CN2)ECrj%X8J?$f#cKNKMR?G;pP3rF0j{ycHzyQt+g5wS-qL{6POO^m7Fy0a
zg9^-{n9`d72f9tL;2eMEyhjcZaB%MG4_6G$FXf0-Kp3=Ln9$Lnp=?~3oY~;jHr^~j
z9821w1hZ*?Ng_aSF#{uZ1y1-V?@PQ9mS|LGm`vLh-^Gmyntmh!ez8OK^TU6?l{Hi|
zVDk>={ds=!qdj#>ei|#h@xQU2JnOE~L?d~dx^y4-68@=Sj#%_jyGw^to!4?<nCM=8
z_ke4v#e!u-I^lk&-{OsSlIC{t_G}!18dRIl*j!XJg|q#{d6CI8{J2Mk^{#gA))6a}
z*VtnWrz#*5jLiU}ZDeOGFRjur@^l}~OOjn-#Oz^A6Qp`wep6Esh3un-G@2}p|MWW5
zKh&C-Q1krK)9^Tht?`LFL($H`5M7Zj`Np7i)y9IXqA4S+b%xu7uT@v|A}~c0DQFN!
zAakddiRFT>XHD;dV4G7axe<H)SN;gq<rC;2oVsOksTt?th!--$RU{^0CFHn*)<i8F
zFIR^-7;epb&c4dDA1-PP#-6Xke6?*>k`f`h?X)~pIQb=g*b_}lG^h*A;SJIX;k`DU
z?n-dfMY(awPc`vJJd#+JnR@DVuHo#wg>Gy|WC4Xm;^E73w7teHW92UQ(7j9*J#azj
zP&Bah(SE0C$nHCQ*(4b@6=u$TSyrgjD0Y2)1h~dmRo_A--tnk4txFsn+xG;Of^uKU
z{nKHwG;yw<Ixw*HuLDJKv?E#}Y>1Dcb-*rVwc)%tms;%X1EGm)ZTs>Rhlgf3dP+2D
z@ee^Rcthm@K{a_3b!P%YZ##ecVZG<poM1lAw(no{PTJg^mDAhmY{ThoC3afxaQ>$+
zsNWs)OoL6Yjtlf&O6?Xu3TN$9CSeg8`>N0~4b262+=!(Yu!(IUZA&hM)}$-&8_%09
zz0Au=6px25R{eoBZM{L(I}^!Z(vH(2@fe|%NF&%)_o7{R+c_I3R>5*Mm-}2ptOd_7
z=LusR_4!0baZ4O|cwI(3RgVVmJJfTa-}XL#R({J?H+D846kh9iWmCaVVA};&wS!BH
zpOhMVwhDuc^0z;`YVXGZnnrmBUz2LvJW@}?UiP2P$2?=7C-ma>mGom6gBDvl52(zN
zm-=bG$(r_qv)-Y6^()QhyPLO4U{r3FFvqvAmHAt(KMy_+K!#L<HPmuS$(e)Pl17WU
zZM;1B+&C&buj!8B!cnx3ymL|yX%%fF77)zO_8BH$!$qB(S%#m&b3MK=@jPmmYrgB!
z`GiBxs;ATe{$5Op<4`fbySg;1nSaapn@_ZH+18iYbV|=zgY@s7%_HS+=ecprJ2@M=
z`MF9b7GA2YS`0KCG{=}vS2}CXxi8eUEtS>mEc7(A+kY`QeYK)@=kFa~2(ZAjA!3ui
zF&Hj0M-q!#vbp+cSPV1QN&$t7scjUby<F@dLy8yVKOjeS>vk62TWO43A7M24i(=_8
zuBzM|_S%As_RZ$7-J^6TGc*i3DdTO!iXmR2X5xqEZ9{!wh(K1ThE?)2JB=0>yll&R
z>`GeU>B{j$VXCJ7a)griIDR`-623>K15novsI_}0YZsVG>AjM^$Erv-(6I~9J@HPY
zQejZJ?LLEK^~OfG3;)NE&o9$<(eIwOa$7hr524!_+XNN0pN-ET1B}vQ8_6a2XS#?x
zN<Bn^%xE{IM?Ikyaxd3S%zBZ*F#5(VOK{FM^IMK!L^S!ipt;!0dCpbJCBd$PveMzy
zk9l8OZ*^@OLm*b!=f~TVevk;Mu5qVkmaUmhT<W*%7*?*EgI(4T?oJ~OacuYKOE2c#
zQE2(4l=J<(qKO`;Yub1!6iY^Q3SBGXw%&E!d3?wsFNw}$Cm+n#ZfL)}Yvh-w=Y>Qp
zw@(l-q?t-0$w=j?3-)b=+Sqg3QBt)&i9NVfA*j3Drxj&#-e$h<V;Mf^H=d`zd!T?q
z<Eg~D2*i)r(Ff@AGsR*Bu;<mW@8}Ds;RVaeJYXdJ@IeQ=H`RZjI!TnEb@*Cy@0(~$
zPRT@eY@RJ^2qW%zAi$X{U_bKRJ*$^2n&}*O3aSnFpuMV<B$?b)FID=ookJkkl7+Fn
zXP0(xnlgRW_z***j_3aRfu8IR6mWbDMFN~WhNSUKXC!;s*$OWaI=7F-5$fA@tkO3P
z9+~APQQzY9#gtv0SI>&SB0CVeGHaj@CIS?k!cVrmqvCNN!I{G*{BgVVElQcx5mHc<
zqTUox)57ud(O3H!!^b0hrsm$r)G2p;>5zWCH>h^HiY>EDH_1Ukbkf1*xPha_Z`?o0
zpL00jOq8DS0#|K^R4YkW`}Qy4P`fN=X|t<(b1Rwie2IOdFENYnks!j%sP5LP(XK&;
z;Hi|3<LBwY97PAjS$n$%rQeR9269yyC;BBc$%{lilUcR$q~KRCoM8X@jP)dR4Rub@
z;KA0|?1RdbsKv~VwZ_H!+GFU9q4`Iz{kGMxpTW(QKqz>Z88cB{CNSqs`FE=&ypmU>
z0d#l@&O}OuU0*PeJI&ynsn+e+OtF8kOLl&=Yio7>p(`L9Z428TKtg|b9u-h<FQhkW
z#gm8FkfRqG8!IEdNi_303FzB3-N6|7Ds1D=0sDO(yKIUJIrATU+%+|?M0_R>w;>m&
zQbj|Drtgz6f2C@XYT!lFI-eWsCWXNpx4Y0u+*nW#y_9*T8*l}?aVxG-KuyRFo(G0a
zQ0*ibyKL=w!nA-N>d6L=)!?{HUZm1th1HV06pG8nzBcTcYwh7cS6*7y6iP^KcHVZc
zW1s<x9FW_yo;%C7!MEo~t00UB>xL$YY}|unrmMTSp1*prCL9Ts)t^j38a=ghf`=VP
z_(pe_;1Z6Q=avl`@2jIIe$hU4Dn)4`aU4_WMA<6uTYmYg{Mes5tUKgc$X}R8huvj&
zZwht)Y}_kxtD!+K8LLxR9&eQHD>)jp3HK$;62k@=RM*cH**!_0<M8Z*xPveN#w}eM
zLXGFn`L5dhNe%N7b6vJ+ZTj6G;DDzb@}_KFp|C6FolZx%KN+S$kOt33Qc@K|q+Y)f
z{h!tArQq$tBOv9}&EXkWC)BaU=^IKZCd~f`#;uf~jBvHO08ygj{mYw`-FN(rjkieN
zn8-|Js61toz1nr9EjhmZWAhSqo}dtA2DeQ}V)EA~Z)pY<uaiPqc)4FC_^PT>tYw)&
zo-~c5d3p7sheq-KP5UY?Wye<cCZjfF{702Zxv#rPU`q0q#01FXJ4Swi#NXpbXyzx6
zHy&$@<6kn<68k*QGd17Tdb^;!{sfnoU848F^Qj(>v>@rN5ldei&z?<5&k@LC?qdrR
zKsVpCnM*;MU8_x)>YWU3;cwr3o~A!f60i+~*yPo~BvB9Qh}Zjmi^FOGiH8#|gLglx
z>4##z^KT=mOE&b}dw5<{135KwD17YQO$Qq3^2g>mx^LRCp6hhf2;`!*Qn}CYfzh0y
zwy^v&#~PoeaL2Wsjgy}q-?fz!cd5qzK#i)tL_ygoc{##IV<}1IHCcc^9B){dI?klc
zJg09a`}EDI*JGFV$)l!vd#+J63Q{#nDW7Qc;PpO*yGX1v0xJC}vhES$R9-{8R#Dwp
zm%g?w`;aLe4&5P=_Qlb@`krFsj?h6Sn2{2hOES(xCoz23y7ffRvy}giK;tJdmtP5=
z?W@YyH|OtLl|5uIGSPFY>5+dqRh!u60bNand+N6V%~f^IUyaq^xe_MxbqArll6tft
zXXpq?S<X^=7()bY5i)sO$oLD$`Gxv<9yvn_?mCRxu)M8ix)0tL!F?_Bj)(>!;VTne
zU3&++tBzlL-Hn@al00mwg%YNPa11@0=PY!;TUua*8tf>OoBRw!`U}HO-Izp%2J-v4
z>&9sb8qP-mILLtNO4dq<rHXqOYWG*=lcp4WQ!WAwuBMN$Xo$P@I*+8GOFE&8l-Bh4
zlGp!NOZ26)=71Hmg#=on&{uh+0qu-POJwvPwnX?v<CQ$hOd)4IziVexiMw(w=(BU`
zA*Xxbiv866*K(s!FsmDD&(UWpOXBEv>dVqJyyF*G2UIvpMTJ-|lt0E=!oSY@`xg1E
zY?OKd_~ZgaT{v%Ln|!tO%hMN^ifAF9(vM5|L`ZpU6VA-8#{iDhJeFZ2?WSpeJN#Ww
z0VRTgUsRXK>JlO}`nF(^iByI9uNzO)lI&fCLanmQ1KH0(c;p(VU7RGlwN$J%gW{Zp
zC3|cA{hucC`Mq9IqHLBpNC9uOCaFuTAcLKujyk<t>1MqYd?*9-;8^%_Ss~4d3@Ly9
z{3qoPOQ(a#M+#wVf@$A(p9QM879~6VPCySv7TRCk)ctWw%p&{8P-@lA2<Pa7b{*Ag
zH~y@-CE|t4c#^S)OJ1%~fE(l}Mt?9;Mhw2Fde*SkJq4H;3;Lmi2Y>ad02}?lVv2Rf
z-Vzp=d3OuzLO?K{&C2Cqj){=3q7!(xWobz94t@VX5bgS(!&URnWKomzosQM}Y`+(%
zH%h@LrZ3%|*^->uzP)%-n6F(DZQZ_Ti(@di_>&kN0%&s6QRh+KmTvrGe>`%+fP&p*
z9wmxKsjxa(mk1eI_)J{v8~5*E_XZ*G)n?j%0ADdXyEf?OmNAkv9k;K22T;8c;#42Q
zq}4PypOvsJuXez8n}l4)cDCv`c5SA`y55g*9;)Vk2@{WCUF(%U%xr0BJ?Vpdz8ILz
zj9T1zlnxK<4_<KL{Lg%4k9+iuQuC5mUXlbXz*>&#G<u(fH1YUFrdrWDS^vpF{&kqh
z`qOl%%!gHLg0#!YPMCnB#el?MCW14s7Iy546^}=WoM{|GDST@6$UoU+Oj=a<Z#}!5
z>j2Afty8oQ_veJAlBe>Ko>WEi6!D4t`xmRk_DiBLsg-5?<oO*`1yQ6b;r;`@atRxE
zRgyQOwJ6?_2HcwHLO?2{p^+m8F|T;E5{<?kfIdP2g(imfT6yg3o)mfxOpSEVt9yyO
zX2<^Y2mDJz5c{-&ZCz`W1s^4V<^T0jelj&fa1H6T$~8<4IPz7TdaFqv+upoP4?vXD
z8T}jKGBg*uN8I>1rk6vD4V>js{kv!&e4Lx8ttX+GLi77$I?M*(GRQz`Y5_zoIxR!1
zgx%NxA*=OUb|AE}87biyhlx-?;I?`=)*Sred@dbt`sR%tnAaqgqNp%Jv*Q$#WIpWD
zQ3~{?cM;-r$<qV!pB2gYk%&}<6LYcPY#%|m7&B%_6tcR=jJuP#Yt(xZ+(JuTR}9ca
zFZUfD74`SrNV6h%ab^&;>XM>hHB<=N7u*Y0`yo>hX3z*!e{H1}a2o>K!L~S6j=`cr
z{oI(ccsAVF>6t}Lv7)DiR;EbBRF3W#iOTk|Hy}nCAO%tK=OS!s_(-1mEs8n_p6w;*
zC)wBoL2Z+7wWk|<iaJB@C8k`zUj<^+br3s>IEud{QjNXA+7Xz`+3yt-*+c#))q^A*
z_L$9&FM>cQ$1TO0r&|7o5fAM5swLq4CG%W~iN}4=^yE_Nn&1_{057mF2vW@r-TDkG
zdK~)axej(#RszrB*?5i=iQ+)JBq4hqkePw{k62{6py4K8lh&2t^OGlX@AY3^<ij)y
z0#u2Qu?&Rj)LJI?-?K?Qw-!t_Jm#&u+3Oxa5ObGZBOsLCo3(-W@ahW!$A#;uo&(|t
zogFvJX=k@}3Ng$7y+>nz9hQTyv<#qh9+3DV%3+7IPnB|ivNnS`h~9$XtGkTQu>90}
z5{rEwr_VoJ&-Gd!fyGfY)Y(dra8~`|;~2F-JJgZwT@mDg)Lnd(x^I*Tbv-_QQDGO~
zgZ>YeDK+XzLfode=p3PLTZ7(?)jOIXLM8#5z>_HS^ldT43d8R8;8(r=IB?vKnX~y_
zaP<{Zj09X9!WzY{A+T>@feyBlt$pK!+{QdQa0yW5;NniPb3o}U0jE|7p$6z@#c<My
zK*AMJ1^0pj%hGnEwa#X$Dx&bA=)Nw~$I29ofvg4fjQ?H>N3c$(AXQgr;u54cJPtZ9
z*4!a;vztJ&`6?tD!?(bJDb)gk8{))OJ|65Z_nmDKyX5sHxz$2|j!o7k>)y44qQ(4=
zrZ|KhsEck)nhpTCMcp+F@hXYC`qIQz7a?%Op^GDM#PhO7ayV$ir$GE73wb$OB{te<
zBE_yS22Z^FsvVk(TzdXs_?`smu+S`W9&L7t6W{YY{?t<8*~}O=3889&$5vIByw?Ko
zE!E90aipBA`kgdze;x}2i7PgYhnEFjeGSOk8SwM+?fdUntpUH>`f>|Gb8d+4gbj9c
z?txWQ5gY{VE->1<2_%K4zuvxv!M_U-ob&jd1r&n5@*vNMcH^x&6geLg))Rlk7zv-j
zrLP9~sovmlD?<sw*zD${KtrY5EV8J6FO3U#@w~6g?utqW+D+E=ev=Qh;~RQ(BmDH`
ziU{21#!M$`#-5PGFG`<aGsbGMD}`zbOY>(8o#+J^0>O8wb${wLlh#uv#UjtnYuAr9
zzFtb<o1vsk`6CAAi=x&&oM8~-o(IYUr-lk31u9smdHaDVvH*295=WvYf@1HoHK2T7
zUF#L_?9t8Es>Aza#9t@`O-3=>zRV2Vh?=6+7CX@|+~g=CWN6^zQwh4RMX8W>1}@Qx
zfUAGs-t}dv)VCwTcyjOPf{OA7AzNzhP(j+?@UEf`g5|2e;39ZUu4hYr?M{xKshs}^
z9WsCxqp=wS>nznevakg)FEcv~FUUb3no8=;!Bs?<sv`kW70zDAQ0OKk7jyXm)tP8b
zNq*g9@+A{*bQdetmBcPds>k77qU;({Af#kd=UsYdVpwc-Lx-4n6q(LDm)HW@<{M&c
zuPD5JS06fTGE`}=?B$nD6FjGNgOGuDUETxrrPI_Q#!}*@enW1aKehKHfwik$4M5L#
z3NmqvYQ4=2<09TH8ei<odIJ+s<_>>C{B;bZrjXhtjn|PI+mgrSqSOMCj`S!+b<S8#
z?A?9tZMmq1ijus%+;et?e^Uibzn%he{s?{PD4JTQ-<6IY?muXNwx@1|t3A=4N}>c7
zJP}%^{@Q7V)0{~oeDW|PJe4kEZ9Xf;<tjpgcZ{sB3Q8=m!P%B1PXi5%u!hvW#b#8K
z5*DyJ9x}nJe!%t34Ra7b=q{^Sj}70ho;Ciq5NI?nkca*qjbMUt-(HD+9(Ig*5_ZLc
zDV8!I?Ez2z!B#aKrX{Cf$URwML*ImXTrA(odCD`si^W+w9+=NB4cQ){kj$4v2#)VX
z9M?eBv#hmYcAPMVUJ8b77YsK@!k2wN-^8a-a*{RMBTMV(W^EYh(X=-h8j=Jly1e2l
z-HVcE_e_}kFFu+8{rd+^?A{RQK)$pGA24D%AP4Id_dg5jODZ*K*aYcb)hjt{oG|tw
zFh1H=dT|Kk7*~zp`IZ2*KZI8Rw4K0oD22{(AXi9yvfRZ!^EmZ|s_R_?01D9*?!rA1
z85xpstwu*XJUyO0x}N#)Yf!%TKwasP9IqmZ;l(j{Jk-mfxNM_)v^yW0iEEn?$kk{V
z^Q1|v#b2%sysfT_{G+Ag-Q>o(yWBO0Ad@=}8UaDfez4F-gXnxf;?DY@8nJ$a7-B;r
zz0b~4oG%b34eD4Ro#*ByC;hRay49Z;zI&DN$$oSod~S>2U3@8*B!2Lx`C!qJG@nw;
z4=ZGY=XalhbbYLH3r6EvOU7ILSRbIcmwzXp!KyvsDQok{!E)VMhTgQE(G)p$Zr#}E
z4#u`1=5|H3H)w*?w(kAl;~CHC8eiEsGp>-^rFD|8aTykdPkHOq=Nqq}gLs9-ICjZH
zD|mI?gn&3!i*PQ*_8;E*;)v`q&niy;T^{Vfyt=@}OalrGQoKli?BRmurth?m;AUk`
z$;)Uy00l_W$O3O0@y<>gc};BhxwwoKFgH0?pXph~y^umjD`2BFM$G%Pg>lKo_q+NW
z*(8nnfcvxI)tA5X!%_;t3#wlFOCrD6G;WhC8<Q!v4m<D<QHKdR%_}_eD@e=n&M^6h
zlP;$NUa*I>4%N)A<J_gp_&3|+F8oD54GJf2BeZq<E5SDRpmAuV-GTX*&A%EEy@PTG
zUb)z#8OXj3e-YvcLu6zm>9r$9_hZR-dj~Lsle#W=(S+SW?}={Qo3c7FP;Ht?*yQ$z
z$BpOeZnZx-9k{j`)kvey^OLXf4z18|wX&mR#IU!6+*H%6Z5FFb92s#}ZnsLLuG8v_
zX=P8lsd$#%tj$!hsM^+xo94$c+%UT|L`m@3!aRDl*vFH@khuEiZ_K+CYymvG$pr`W
zC0)L<1FQX=4ID;&<lKvy#*jn8?0c5fqMUL#+-J*amS1x~SrdKAL`!Jh1nV4g?Zb}O
zka}tLLz`~a^z5It*f0u<#l$X`ror;n9(1Z17roiSahn+Al6sKky$-vv&@9&zhkLaQ
zci5+npv~3S-96QK9i9sodhFd-K1MccRT&E_R@p%ltDD`~3TbN>kOu8{kV7fC9`#6Q
z)AKCCrwZooQQ$255qvfs)keH}BxfUOs^8>mGs(d_SN@hGEa%N*U4C0N{|B-6j`l+s
zQ`RFzH0?KKF{Qt521%l^oR8PP7fIe=@Z#3Iv%x3}%2zpB@y&}Z3TZrKcn88IJjK03
zim2zvwUKz^pB885SY0+|>LCZ+8o#G6^No<>_SZ}pjhGB0@2qK3FLg7&48*_prdftq
zCv?CvyGudR0;YLC<v#gv&m>B?Z;L&Xr+z6%`@4y|R>auAra)Fja0>e9YJ52Afn<QW
z{6)v%A{?Y0&?P(iV-;c>%DY1=IZY)edYShT(7baM854$s#$9+;Q5H?}LgXF^zE^a!
z-??$?uepSZfP!8==3FpZZq-=d^8%h%7ryy-*~4W@3m`b`QWOo$W30#9wqmlBy#Tc{
zo{}K1w|+H1RhkfX&u(aS3|rqTAz-Sud@iR4D`h-KLI4d@%o3!u^=A1~U}!H5ZyaM?
z`Fzg;y;{ECjy0%<hGRDi@X-qVQ6lI&qXnxH-Ss{}eq;$`NrU|PrRvxh7)c%xvE9sS
z4fn@W2t$f}G{vLhAEow5Ee$+i10nN_IrEPepie#&dn)W~b(5cmK^u*x?Rp7^v;vnw
zNpmvGo9h60m)~c*fc?-Qh;XVgjD+xVBQEJtZ3iya5g+j3CmU)TFpi_VO{83dx;5hR
z+x-AzHcTdx^8smo@(qh2_u+7Gx&aa#BImzf;pDXMoZA_KLPB}9d}YsD+U{z~#Z$qF
zp&?9shu5EIdb;tskSZEP5D00)*}4o;LHxOhlDK%(gEs9UQ|X2GN`=pxR?VSusvy1P
zURDV$Zbh0!xQ%Ba8xw42ZsL+}1Vw+GTI~GyO%pH2J#AiC{3T4lb7ZWdJrAL}?Vgd-
zSBP8s&c&EU9g}w0F>(&^2z=Q75@{b~xuCBmJ23abQam0sN>|OT#Q|5+_%^EMgV`=g
z{V7{l_RtPz*gb<;e(&MyHGkaI2~?n6PHZb}YbZ|XHjoq}V{N|IM%{&34}S{#8QWKP
z9!KHYyW^!Am-^1|GkQ*r2<X~HhKVkl5_yjDRf?eJHVUf$?VEbpZq;^8vpo|DVoVrg
zfkW}d^(AV9pbX9i)*h;npv!luL&NS#A>t<^K{9;I!UsIM;j=ByzKP)-6kd?&k$_7s
z;nSkiJFtfeO}9fri#I3z?+sZpp)jXNROTFQL?pFy;SX1lD>VI|E7WMb>qtX`_`0Wx
zww{S`U2?{+GHRbAUG}ExoskD~H>AYVl#_@U+Xva%`^=wT3`MD#J`>ei%vHi@q-l8Z
zjJm2dA@p&&R^r3Q@8ffLx7dlR`6yWwTl8e(a33Tlxy-dErdiYHg6xBh3!Q^fBi)PQ
z@8q#`CyCDxkQ|@(_{4j3A4<XEhsGm+l6?;r=ei|uuEZ>Y3s@lIihNFQ4uGEbsRQ?*
zQRc@iu}{jlieqKm@W4JnH$tC0J!jo5G-PgUvBF9=FKukpwS4|<gj}~2(DjUED^o<H
zlu4I|8G6GnH;*itqni&>_2G(Su-N?o8!t)zRhVcQF2W0E2Aw0e(=yqXZb%>GY6wD~
zSY>axH(`-2OA}kHX;t5y$x41muu#`kgQeZVo$}#OWt#=SEgJP|*1H^VL&co(voF(<
zxTTv<;AWnC#2#`dqPU&4?fD(Tmvz@z+soxvC4FP9rO17?(s`xvHH}pN*<Z^vKjS@X
zl)0o;Hs$>^(xa$1A{a~DJ(Dj@dR%$I_<2t;cznS-yf#^xkCY@}4G;U6md04~Rxw_<
zzZ!BE+C&!9LNXx{#^5eLj$lMmyP{sHo&F3|QEfdP3p1bVvEGu$*y;+b)hGo7?3>vZ
z2Idgew2kGdKmWR5M6Mg;*=(@>vK}9uv$5X@(5d~#=bLF3RJWF>+t#YMHsQO_^7gJO
zS~pTh$Q;EeX@`)0rQ$1r@p^3PJRy1@k5el|VxN@4eSSVwZl7|C$RxC->0-ahFG#dx
zs%II>Yo%f6*;@rQDVr+we2Nh}+h*<62ED$D0fGX;Z>{p1%a<e<7gk#N$kTFBZAULH
zRJFrWybwblHKk-Cr1Cm`wUHuwmU$Ut&`aYAJN8O3#jTl;txx-@iEmz+u`R`LTgzj@
z#upO)=%+5EP|$&&l!R)-q9Y9Hw3aX$9dJ(zWcV0mp`_`%^VoiU4F@g8Z_WRPWaLw0
zmA~;HiKwosF~^+9E<bm7b1*pyIKGCyyvaOndmV+>z*qw)(fb6Ner**z?7KlB*pZ<e
zm?5FanW{tosMrTUi*`z^6WiOaFE5SnD+b-O*h{YjUBGa4+FlzAQ#0Qk?nc8zJPR?5
zJlW7Fvy`{sL~c9k#6ABwMaW7&rPo4()YoI~dNYJovraAXzs_&E46p^<fCBB+*$$*6
z7;Z=#U2xG_IJrN978A!sT1Vuk8x~*)@;(ucJGCWAPv^%Xwwt#iSqS6RNaM_=pbRa#
zS{j(s@kAv(kl_>PK6#j!bS|%ZkubaS{wx%Xcq1Xhki^+v-IW}(b<vW3VDEKA{kv^C
zOB*ezhP1)=f}Xj&5l@LY+If2JetE>}xG7GLb3sZtT}1WG+I5VV>GI|<hM<<*!<O6{
zWM5$bPe>~}A*HoX>3HMvwGjJvpNF9zi9Vy2Up^#J?;Y3R)I8AKdTBf{1BeKE%W6Xd
zV{#uVpO&sLrY;>#Ny~cXw%&Ld*%i@!#tS7~f9Q(ZS5;S?Xyl#Im!|&Irh-H@K_b_v
z!AQC>l2Ulqy*bb}%?wAs`kPA^$&A47REd(>PfEBHQk(6kBzO2j#~CRroeJlb&2AjY
zd*z{`#tdWbFjPogJj%NX>!RzENm;KX<yVIhl4t6$m~)a=4<)BoHVvwk!xAec9&Pg9
z`69%R53f4$y6l@PT9~8M=o%R>t!&zOD1i>31Ufncq02|8dYyzLlFq*DquN?xF>gO;
zwC5TyqO)q;J)dP&xsSYTg5eB3Ejp%!m(2E9r@`&sfM{LiFa;gQ$4K!(lZYc<8~WZ<
zgG35SCTj$v7C7D4(c16h;c)gK?H=ih)Ve=TIse`17WblT8fw*AX&}8>c~v`tfSi_p
z%1h{ti?iJp*AI}BZV2`u)mx)JK?WckHgP8AoU{Dr8T>P|ICXe=?VNJfJ(?k?ElRma
zkU*5&NiXYo+<KxoC2vc?a^w{}R$AGX2w@MRa2K80IoTa1#fasb$*cUT)QWVaHQ>Ho
zy%{=9o;vR|=G{p)s%%{Qr^hhSyZP1rW6MR&G}Lag#Ukv<d$F_WxCA+4GgRDByMhhD
zn}RgN7uP1Ss;WIm0-iQ42RwEU<Ql{#)>`vmtE$)koADl<sUuM$d7C9xH3%kL`MwnC
zXC@#;6;vYDe?^gy8{UR@f2(ZP(?XhRT0|(mgy@FD{$b;Y#k>L-s4<~HoyvIA6CpEq
z${@r%AGSL-4Ym{BPY-0`47o)k|7h*jWi+aL&(sPgrm?MZL3tzJ0&xVz8eZ#>*wI<v
z_Ub~i%FWO(MdUK96lysz^6K10Rg+!iq5+?0QA8!yq+b_&8wu1!Zv?{ZFOvMd4;P)J
zpHT7E2Nz|!QK0EIcx)sXyNF0XO;cJZ%46TWfui3@PBSMMvGzN!=a~tRpXA5up~G|N
z>t3}1<KtVu=NNHlLNr4Ktwz`*%1;%YLYaf&sfruanKe>kF+6-}l1HYJcUFqqAuQ}$
z_-6?{*%=I?Jm=pP0}Ewx+6f%vHgwk{*Qr&<Mj(XUPA;0Cl|r7F-_8^8?daxZVX@*z
zzrN!m#cb&y^^QBZ4%saDn3<XtP<TiaukzyxC)`+nPH(I?7Q%+1XQnuA668rxH^s`4
zTOK!QiAsEGBxaScw~fA}wa1tRL1m&b&(ek6i*ATsr~83-|6MH}OU2o9ISu#quoX~|
z{sZ|AXGz(UPvPH+e;~j3!^DZkMC0(qn+vRMYYD(jyI{%YS}>zzb%hlYuzM}L@cEjc
zsSV6=*)zF%U(BsL@(01Y!WH0nXZYJIqnLg}n`@VG#JlXwr=;oPIoNj{@e^FX6qxQN
zg>Ks*xdD?IIyQUVo1A_TK5n-zj8bJM3qT>ADaz$z4s5A|zt%;`e+g@Va1vBNeZemA
zeIxGns~qoV7|;d23#`7mB9}W=S^H9D#C~)UZjV9|;B(_};$?sl6J{EYw=UEEV1UfC
z#&BizeipKTTVyI(l9zi5aaN$1NwN`7G>Bmw<2V{2X-^c>h~|_)R;Ih8b_Z-^99a-3
zF#q~5*$76i><=0ylDn7&H9fDzw~eqj<YgX6OK)AM(M=|^&V070iK1V%4lM@fHFu2I
zFLrMTBy>hcy_448)`CaP5b$UWz47XOnok_6jisx$sYWORgpF+X1m94>z^sc%3Yu}*
zb~WCz9MmS{a!@a{Ga<~Q_utGT++6=Jf=gxa(4*ELqilP?u&y!)BBj)s&3;AT1<RO-
zlevXzInwAR=6Pv2WC!kefSbVv{K73Qtw(tw{mto+oiL}>VHtln)OBTqLYJJzO$s?n
z_w6*|BmME-QX^Cwn?h19b2o5P4^e4?*@p7i8EP_1!e7u?DUmY1(D2QN8BY&Jpr><g
z@g3v8-8>$HFg^)zy1RoSs2dzKTVd}RBK+}wUPry&O->fO1pJgJ=@k?vDHF&U(_3!d
zQAA+_NhI%2ldt->S}qp#(MtxKFUJ2*sMXku`!Y<iBpA8J!924Su_E)d=~q;kF&BNM
z`Nw8qnnNK>l>q6oM0E3ePI!MUBr3a-%3YVAC*B6R$<&4L>1xuer2SVhLjd&vjxP6a
zj_!hm3vswi6KVHEcU00%A{FclOlhA|N#1!=UYPf0zJ+6}fcmjI4-=RsAq=<<oCQJP
zGI>iX>Y@m5l^S!gdR`^=hLx^MG+wY8D&kP7OyO1q9{JT%w(IkM&UUenbwM3157*H;
z<X`;v&(|J8n|%YO@iM>g7bWc8m;M7LUpk|Jp>{x!yawvO*C%YvU4J|aI*enYjxvsZ
ze+3jH6qxv?t!|9Yox*arW0kO<m8U}Jb2LDBkScaI{fPzqE_VGQ7BKs<NdTyt{yFO`
z9GLa2vF#~j4o^1nBqMw}y>9(ay=jPA><?gC>T46+UXR#qTD`r%M8XETZl1*t4y1VT
z{sWF>-nT38-f|+cH+~&d^6nzhi)-h(s=2p=j4G&y%5X#qunP_y>VBQnFw{~D`me|1
zR%m4Qh04Sp?nC2P2Q1SQ2m>_*l9OFKLt$ZNq5mT#gk?w}J1QH7K`pGj$AInOgpWOp
zu3x!6{Ykm7>+ur}R>T;<QhXNbKF4LSEG|lmobEhLO!&whWXkS1&xY+9mZI-p45$YZ
zykM=PTqzldFJFG^tAZCu@#J7T<K_NryNEY$faSl@=x;m7HnE<ZXUBh@N`!1Lo!&{W
z++<rP)?S<5eKo>l@cp9^5|y96??^^Lxd;~Iku4YqGrllZj?Oku!*u{;ga<}E^bN=p
zOOoIB0&jytEm45N4xO;%^~#s*JEH47@85ztFaY%+R?aT$JiXKG%R9eNcMddjJ=rnw
zNn=q-B=3$WAuejJMz9|R-MN~~1FhX)JO$(#KbqH&qzpJBfntNW>T7<7NaqC$veY9&
zuEfz}I?k^T_n-?t-!BfE`I9?XMR-kW&#bu-)FFi-N3;cOkDkjUjWy{Y0pD6BkCwr9
zy`b`l$QS-*8HBKRScgLR93Da^hn^}NnaF<F(Yq*vB0QZrO;B&)oe@?i3JyYQfkc`J
zJZ!M-TsosG6>)a%XjgagphqUCRp#Z*+HS{y_iFxM4l!1iu&n8eiiNrEd|`Lm)~=mN
z#X$RFS&f|;6FJLXPPsN@TYH;1z$Galz#5A}^>?LfztZG8UYTt^nVO5^OJo-@W+*+S
zb3V7orYJAj_E+uZ(-KA9J#(}}*<D89<iMRa6H}SiHh@(nb@m<icB@eC*%Hz7*>}fx
zgSndIcWPE-p1iLW{^);E(BE~tvdE*~WeMA)MJ(-vTIN%)_|m<D%T8_XX-d?S>-6TW
z-^Lbu@8W;0NKItkf%>Tt@)kSfJ61*$+wkVxJij644G#HzfQ3yVoF{?Lk^n))A!+p0
z7bIro5uBadzgEh^ZVqHzxqv~c5-g)f-Hv%ebmMI?V?0PT<drghDb{iXR1Qpn63cn;
zu3KV*k$}>WJIo+@y`zm(FTu((fp+e8#r?^HR!iBmaNH7b!}gLB-==XtOVWMN;eY)*
zi2}mc9bT7Fn|@ZCd~$@#{=?c@4R`h2@*TQ8@ABP|wt1{O^oz&Ue)lF<{i-H}?J)G>
zJj{<pEjT)*P6T-t>?WJc-3HnU8n#?lda%n*EKC+4BVFyykm{jDSee)X-(>PDnKohn
z>(ZX~^o7#h8$4;FEw#cmXD$=38(ZJ|7>8MHg#TiUjH-`Dr2NC3RA~#|Mm>U$UEcV~
zo;+*6Gi3@TFMM1YCk`0zlc-B%`t&Kw>dfaGL!$3k=G5YUYSj8k_c6!q8+?nVjlU88
zNswiRz5>`uNXx_ox~m?tr`92XDCv@C9>VYrL7vHbU#PZZVRlh>iLFjDq)3P?qy-7M
zz(S^0L9I=63z(3A%LGHnMHc&}66&+y9;Cp$f$_#jyi?K0%zWaT7_lpsD<7HQ;0R=e
zdzIABXVUp^lS9c_mj~f8kMM1dmE3-RN0T-a!zFXnt#&k0dulOK0+pk&`PMW0jc1o1
z<}IIjG1LbhkX+C9fD}9rPa>1uA4TViE?vXW@NFTJoTzzd{Y{f*8b9xx<F<sVCM|*Y
z8uOZuVOr<;{DG+ntlWv6U?YMrB}1`|k0S4{Wn89`_B-#?p>2GLeJn-nJDEdG)i5;J
zMKjlSCG=BYFM3Q?qaR;xVlx<YtHD%0kNxZRnnYl(APu4Vy|e8VIN7&_*00}e3C3UZ
zbr{ThjW2J9{yO&v$=dHJFm14NJOS`t52i$r>aGxP*4zx9C9cvnTk*#_UkkXJ9YY+<
zLMRl0aU4!xNtIc~tSQJbNW-rN)cVQynPkK1Kx3jqserP?p3bcUk~iVSS;SB&s?gNM
zeDoPWyty-aOr;J##5VU4<@Tg?Jm{6C!0W~*ee`<Y=9Fkpb>1@ohbWxn_%FEhdym?%
z9)Qb6Agtxe?GM55BUpPY5xA2@1(tna+J>R}CHD<AEl~RW0h#sOlhnM60f8)O+lH}Q
z{iS&1bjYo;jD-eEP*Me^7sc>!kJ>n<QagrJ#d(p!UJY5-kxw!Wt>SI_k`{}P4Yu)3
z_B~Cu@5+>$jjz5u^cY+-7|GtRbvT*#s5dCixWCj8V9H%}2RdWVZw&l++4>g~{M1~t
zJB%@;4)FDyIGt3eHDfb*+Id>Gx-+T7H*T7&{-|0C{C<0$dNQoPwpTo$_3#X*(3zJE
zyI&Xc9Uk$QhZInZcabaAz+9V69)4j?$RSy`;MUDa@Stk(+eh_EC6v?@6W*H%QvK8E
zw_i{Mo@<exB=^F9%QYLy!_A~|x|+{i{Fl}2O5_Vu$jX+B+6rL&tDSuTT_3%~S}hhE
z-#6eq*TIWx0{)4)6SerOf;Bq9vo%7hxSUhgG>7}4siw=;v?tbdzMWI^Gz6vOP9CV}
zlbb`9Tf__s#kv))_6S)F5#t%x8?@f3C%#zMQe@H^I^_sw4r*uqmgd?J{Tcun(S`1V
z=-*@S=b2(J!Qr!?9>4b~K-5rHD5ap8r;2b;ypqDn_Qz|+$U&E#ueTlmPnGYIgek#8
zLG>_YzD~>}l=AA(p9%17^u=3w)GuU6OH9SZC7}-Ih-(`iJ<}sJvlHmsDLEyG$2I@p
z3VfKxFY>L}v6*Z{yH#I!o2M*|Bj$64P^7O-Qq6I+bjJU3*BJ*%sdfCDEi%~4$KEid
zDGjE6xvzX0Y~L1g%*o9GK`C4E8o(TvvVAEoLdAd~eY&pC+#^3sK0EXs2b6Ib6=xSo
zM?tE%wb+MSu~JG4@}g2TTA-#cC8Ul!f*)NG*0na|i9^!euzTUgy+iSn)GLMsCK!AC
zmaXL8aAU%BxU-;G2<dz+J_D0r`7`p>p)#a`in-36^{&As_h(93=M+(_pxD$2)P5N*
z69A_;H_7t-Ti682NOQ`8*FH>8G~d6m@!?=)@miHujiWKPk=`ho#V!{nR|UUUxt^@+
z_-d`GCS0SKQT9aNCrHf_<Q(2tRch4{-Z(ngHJ02;&b>Q+&eD7L?HG=JQe<4<^3%g_
zVFxDs*DAp@GfX^}kf|rWcqL6=aP<qyg?pb&WC8!$#LBl5EDaCpgbn_J3`wo@w@EGB
z!MR_@yTBs{D52yUsC;N?3hTMhpAeQRB=$up7qp)Qm;ooD?=pJ42S}lWM>l@~+hzm^
zkNP+vmUj4O>imhhbn4J~m^JiX1mp?o3uf<>O)SoPmR@|(L;D$KvCg3>`uKrwkIzM(
zlrxmdWY#b9pB>abzvlf#4|@Zc2Of~@1>liWVdPF=%IAkFrpX|ncip9gVhW3ykTVX_
zqzk*EJWE!ZN9wm?XSJUAjg!gNRJWYt^`0fI<)m~cS!nT`K4<JZ67m`2kaE}9TE!&v
zY-fkOYdzCsyJ;;>m}j}kap^;>0@weKw6~7Ra_!bfNhv8okd%;8Kt!ZF1Vu`a4haeA
zZWIs^5CK5}X(gpw8tLwCK}tYMy3Tz3*0;~z=ePISXN>d58e@&I#^Qb7C+0opHLoZp
z&x>iegQ>L?^-S)EJ)ZBb0T#gwdCYW6Cp}dvXPNQtTv4rY(&Rm*yf`*awcMXhV!OU9
z0pnnbXtMoOYboMGv{g!_438$U92@d@sZMw}d{~?^OZ3^1DVEFg&|`uth6Nzv(z9o8
zjM6odU9A)?$gUa1BpI&Y$0_m}HekeqohI`{8|brR6!laMr0F(r5XFLw%4zr#cIYQ!
zR2F!25}v9vG7#ay^-wPO`k0vY8X9Wio&_w~KEoLW=XxTo_sh|K=%H?&y~NjfiGP5?
zw0{}48{xI29^^TwqTjBV`xIy#2s!$yGrqj_4(0W4B8wxB12$-mwlT*yC()ccHoIgy
zcV0}d;bfQ8m80ED+L<wU5yr9)!3Z;B2YFi^@j}$sic!8*(f4Jz7gV~P;TfRwz1`j!
zb$GNc)JlgJDz1O93n1nrw|XRECYun!N7{p!Nqi46&`y6`X^@nq%NJpx@dbMMYMY8T
z2x)M}?zM&2!JyitV_Opd3T;D}NvhrylUjxe{pQ~)#(km0Ld9=K2P|TL7zt8fU|t=%
zw<m)!@CljW2EPyr|05!QIg)IH4<{E~pOu~j4^FfrdYIy_djuI!#Q?&UTSC~EBC2d^
zJ6G6?vgEem`RRa?<4quYBYLrL=#Kym7nI=jts$+$K$gUT82?hQJH7sU!<*HkE5jYS
z`K?b-JiISY@lkxs<h5HUOw8;oXbF3C(111T;zy2l)W4c2`@1I87c0(VuL-wEEEk>N
z_hyY*^Ro2X{5{L_OC2Ibj@&t0afg30O~lcHW_p2D#4BJr3rgb>^L{iyIQ8p4s=;_5
zj`377bSE6^ATm>v^o06q*{=-j8<KQ0l)803A`mzUHmGjsh_oD_?Kp*a@2&4x_V9l*
zKdvd}1{_zq{XJ8EiWJtLjjDya)x{&j;mD|f><}~lzg;E}*ExPL^vSqAIX+e@i|*fZ
z$z|5wug*biv!>diZG!R|gWHhTTy5k_EX8)wHxdS@2TJ=pl>@931eQ3}I~-hpgrIAz
zU+H`)knQ`?){QnRdIa-zIU27mW~I;1pcbFCVbYZ$qA_FH7i?{bD(Kf<9Q8aVRKgNe
zLVG9BhxaVrT(8i$@`!(Ky!cAewGWSi#rysagm;V(i;^gLUbgv4ISgDr-(*ik!M<Rl
zq(R@fV>+}fhVW6!DG1pUU~S>SgGj>$=&V&B<8^^a2MA<p&WucZq#W9$P}rM6%a-{5
zSS<*f^wQt?+(ADs_lr#?1u<(0ykdA8LzZ(C;(%$OGpk4u`QAVX#HbuW@@S3#bzK$L
zu-a<srF{0X<K#xaKT5RKB!O228mj?yX6<GV9(g|I!wt-+TV=cVUNfXG=i#e#x%$jv
zbe(taR_9hF9rzS|G}p6kK}9!1Gnkok-|CQLB0BV$>8J8=j{<h@P;Hh20{Jk8uP3U8
z-vGL^-_Nu%8M<K%zZ|6V0`it9mtiQywDGT@tf%_pP6aUFeFji%WwuW2nvWK2Z^Mxz
zC&<3THH$9Jx|T{66Pn{Hp#BaifMS#>d5>zkLbX?hP7JWVU8&pKmgtV}u9}e8e%<<@
zTZ1#Usq%8B>8=f{*TU_W#8|aSc*$YUA47F^{D)+IcllkvoHX5$@-q0wfC(*?a;4L1
zNqrkOBTzn?z#Kpsj7m#ZA_eKuRQ`&H*;moS{#Uf<(h|D_ukAOgauj?l^g63QlI&sD
z`0>tiGoxA3wKy2HNxRdZZxW#rvvz?J8PTN#9MKMr-3=3G&XK@veDYOI0vg?IAOo7t
z+^~>lAYy<^K;N*Zk$?kGl^V=Wl896mSN+LNG(~LlGr{jU_o2N0B`3h(#CNu~Xf9HC
zrLQI^PVs*3Rqp4)7-OEUb4885E~_6lZ$0Pt|HHR+MxE;L0T$v!zSq$HYMIQY-5A0j
zU~n7aBk7ITgx$Enb0L5+Oqe?|UDlY`w-3rUK271MII~sRJLN12Vr-y4J!RE=l7-Dr
zpS-t*QB28Zhc<Z>R9NpBp-6*pi>dzM7K<Ms3qb@~s_Z>3QTp}!DoiUxd-wRk6avYg
zc-l4(yk2tlN2Q#J*RH1jn+t$Od;@_BQ)Rr1onJkGG2I*<XDO-dU>Q0m7}HZ2)qxuS
z@h`74<R6f??+jrx6QcsofIw{0bOLB9=Q-Rj&b@}RH3%W6rXDOo3MXx<n6M-?g2d^W
zkq`JO>kc0v2Op4$d_Z${hYXz>@&WTt78%0J{(eB{|H}uQ<?KM}>pU2N-SIz%^`r{o
zgNm|plbH1<0%=#Gey$uBZ1@6FO8DCTf4?>nC6x5OzOP2aa+b)-G+p)|`p}9G!k>r9
z;a^m8hHz?MRv+~v`1^KXU19{q@c!FeSm-(Uk3NAn0f;aw%x~sFZuUQ%sB)fv|GeD)
z{O2>h)wQ4!YnPZCN|HiE4MiyBy@xh)l@9^gL12=V`)?-T@5}SVjrV*Y>CPix(znDX
zTN)o7`=SU%<=5TJ^AK?dxJZ!;WPfhj6FhvhI2il#_p(zW&7J}VcbNFUM5epHsY5fl
zNZt%k>XzHkAl$#M1R-*yuu+)BtHfj|8k74*!RN(YdF!t6zRR=<*tW@DM?0F;ZiN<4
z0q}u&nUO$vOMD%cSMGeD8m??lyxTCqjZ=NX5bl81p7Z@L%M;m?z_((vf}+as*KUP0
z_@8a`bT1;-fQI>>uT&xayWHCYeK7<*#8%#W*OCt%URbP;C@!-cnr9cI==@(Uah>n{
z3lV$ML3s)cS-TFlj5$z0Hb8gW2l3Y>hMDi)h)4ZxY&?PA`nDAr)k-YVqpc@OzC((`
zHta*@3K|I<haB@`-K<;pdo2QoVz4o8gm+P19(xrGDD*37_`Wv^zN%vk{Oy}@uKcsq
zsZ2r`WpI;eegCE5@tv|Qy@awDf;yO|;Jy2=sw-B4PH>An#|O8F<16~69`U;12SqA0
z6-|E_n`8i35La=5s2t`OR{HxO7FyCa0UEayFm7GgioK2;y5jf<5quVIdBLpD$+KI)
zqjs?ZI{T!hNlaw%1k4Rvz^Vc^Gv|mV`PvkaIvqChIigil+`JC~(JX|hUan;uFuhg=
z-k04JH}Mv-;#l#KYc`FufklH86syOQbXP68m}pd(;J5e!9C7J>I-WEg<KKF9{~sn!
z@(Ci#U_fJ-BYyMO6Tochj9G$rA)Tk~<$yQ-0C5g<N{2A^Afl=t;KSJM=vJK$UQZPt
ztB#i9w!z!c^urOrD*cdl$as9b@yRmpI}|UY_#tyAHOr}Q+nmlopZ;z>RzUx|?!t%h
zr#3WYRJ3k$sE#zVpanaFeF`QdtF-8QZhSCKqM&es<3OOcci&oV5E=jTs(v>BOdgqw
zL{e-IsVe;_8C2|yOu;3k{d?#-bH^c$?r%T{HDB0D+XyVbKyWqvq!1j}2Q-lo*oJ(X
zxvf)nxyEC!V<&Yn{lPZq9455BRDtS1rP9el*L!c+4FX>7faxiCLN!*4K@<J<y4cKV
z!DXd-F0Jxuc8BMavtpBd@Bjuw@aJ5}?OLwe5H~w(<tIyRFRgCCS$FDSH(0sVfVT}U
zC%&U<U)69B61#CxhQ_swMCZ_dh}X^t)MO4S;3<-O@6sQ4OGk-wTXKDtdQvV!w*Uvq
z|Fo2-Od2%jMst29l$I;5ky(J93aaDZ0uT0%8i>UM-q%OoIbzhQMIB;A7k2o{N3+I@
z?wyXxxQv?3iz2&D81Ks3S1YRARNfMuiv^wMBb{G*qa~DmOZ>@YEcMr_e0Y@qD~=jI
zR&r4@TvaRaEcqeZ)0Oi2Atv$Zv+7#pAl>-S7;8--zVPJ2Q|teXuV(*)udcs{^cM~r
z8T{(GX~0K$tqSFE<94$B)wwBc@zzT-o<Vj&d*NrcLVd<Jx4Lg8%it&L)inL8bVe&M
zq3OH0oUFZ?V66QYO10I$4!PP*nb~T781J?HaYhnmjUri;ct1%2r~a+J9Vknf)zYq-
z9Ic;&_hYc90tA@YK}c8Z0eFPSC}$_{t&fu+694V@X_vUXkDV4G5MT9mcs35fP5w~=
zsRlfKHhG56n-Q0ms5BSJ?xr$%-;d5amEc6ZF+hH+?Xevvl<9X1U+Cn&e7w>N9#<i7
zZpM|{)a<DvmMG>oAqGtnjL#G<5M{_r(mhMEcfvbuuQb0Z|EHa_fHs>tw={~9sh#7(
zh5P&htS9cYmmUe~9aqfNo$kmNQ{1T)n*Fi?4f&D@Ug)z8ws$E~f%9N%&z(Ox$UIeG
z{zW#d1&r5>CxS;^tO&;WX1z!tpt7*y<7gpGB7X|f!)wK*Pxo0RQ5=tzA#VAf6yBzw
zv*PXwzAFbKttCR#jdw!7#Uc8Zx;y?;J1J7XA5m1bK%2z^J>4FK+Jy|9-P$MZ_IMs2
z__3JMcUB*XA2<s3zB^_{i<L!$dyl=-vE>S#6ergs+eX)(Y`uD%m~DQC^l(mA=}oTY
z00~RCe>I6K?#J0vw0P)%3NXj=`ISpaw-z5J|4gip8L4l7Qe(NliFaDVh;g%%w%T_7
zNcSJm*}$D+^7!9~^9GTu!}Hc8sgLvPy9UVoVDrZvk9(b~M$eN6^|u(swc`YqnE}?a
z0nu@K!LZuP{29#R#GV6TGl%V2i-zLmk-pLuhnQNyg{109M_2gwp3Y6n`x<%PP#>+i
zj#iW5?sr$_xusG!icMUB<D=MeD?Bgh2e}ehH9p{GWe)(*HR8yI6*%<b?6TFvk(}vJ
z$0s%|1+_y==7>ClcT>IgKGvOIs8X*lqt-kFGXHj@_M6!mpA+kat>$Ca74FOSH!;Vh
z2n3q2vnwd1sEYOW5tx5GzU?*Pb(`v!pd5KFZ4`?gj!abt65MgtIdc@?Ci9s|DcTF1
zwcX&KZsz906;dTgf>L8Nfi(AW(^sS>t9qVYcUofxDG);^HcP$=IAKI@mAss0UqKau
zC6S|dwO#x9`5j(CKH9SHyt%SD8+am5S6g}`IYt&QfKSLHU{ArA$YQrLE>9mV$<@g{
zg(5Q#3fHkezO=={_)=kWV7|6Ysb1e-@--HlSk4sxzPa14uh=F$&^^6P)W=uEaJT_(
zN=r-sCPMtzGxNco0I`J2wsvw$WFpbg_Jy$cpPSbF*EIK83Mxqo%!re}ha_?xp9<99
zlSQrCT*8UUAlSp`u(jRKOH+P$d%&3BPt*57OSfkvck1XSD~S85VqLG+n8a28463^&
z1V}_z1x+2@$@Z1GpV7koyJxpt_vcdS6Xz<o)O)}DDWUQEb71W&C{*no_=2#+XOhH$
zZDqhnicGajF)9SyxeR{07l{fD?$&!RUr~CiP?ERlgZYm7o2qj8m*+g!VrnnPxZ){i
zTQQV8VW#s<9eG;M>qmyrU;3+DZJS<SRV+!Q^JD+=%w=_;`4y9C%&exd-a27vC>$z_
zH`{i!f6*hhav;R>4dJY8tDviLSbVr3cfUJ8(cwJ4a7g~zYUJiL_!S1tt5sZPLHb|}
zmg4ax(Eba3#QU_}w%nVPWPJm1l(L_3=l0JK0N*((F>fGmn0`qndfpwJDg6D8)fm@i
zv1A<Yec{D)w=u)O*wNE7V-av#sKsGBh3%&4S_nQSm*>9K5TKFr;m_PqU(2Q68RsSO
zRQ;AV_t5tcPHeu-JEz+~(6{w5C^Erud;faxC)x7!|DRjFe=_^B(e-EG>Ac6>VK8kf
z(+jjZTeM%l2~W4E?7HZZO|_n$bBx=5G0jK0eulyR?J9q2mtu<3UyS{`jX)h;RmH6W
zjfjL%gB>z1BZ94Q=lY-z4mPdeqCryni==*Mul`rnONZv_*;@y@$1S1*_q(xNPQ-di
zMm}AQ)45J?*>bgp@)lf3UKP%GJlw|1k&g)Vf(sdMWA4vPXA8;cIVYm}XyUWikYrX9
z78s!`ui7hNT>NTz+Vw=x5bZ(k_g9vL>fseivD)FiJJv%TPw%;<`C}Jd)_G*Bo2~V8
zSl@=WsQM%EJ;df@K}7zx_8Pss@BS+i#j!LGkD<r>3O7vb8EA`~VuTP0N8|(qVp>+e
z9p|L!GhrYK`}>;9z-z7#yi4LP<>o@F%QBB_FhIPHul4A*>cs<mf(wwIHi9FzNyGKq
z+9lYX(Vq0ee%M7_@{<6?kUWf`4>)V7F6i>_>`w6GXoZQDjj{ST7sBmYcAY_#H&$j%
zh4?E$W_&+s$^nPewcUH?@|*gx*ckLk=li&>11J-(WTEpFF8iv5F%XL&#^c2QZRh*1
zw|LTJF2}IGshO7gHBP#wo4UfLfk%1m5xU)Woc`e)i3@hwzUi@1z%ubk`^C%qPh4KJ
z>yM6;2>8bUvWgROd9c&2rcnnqdZZh9XFJQP6i{hna4!q=?yl2tHR6$5UD%%dKQVl&
zS9r?}wxhK8)o#CgH2jA4Rx-ph2w$R_c~qFKT2H#fN8dVB@4a*XqX%-&hFlwkqcg%Q
zjGA#tK98k~JW6M~)wblq;T*iP*tq~5>%ElVRgq6`%wwbJ<gvK!|1!DJqoME41Y3Md
z>LBc*N98e*S_%G}ccV98A~GD{(>A7^!sGl_pBkL{^cD%KJmM_kNgvzIdmB7dvj6C&
z(Z#76tzcdEA_6e~E^X0e@^x|vcRyfeE2Z^aBlre|fLV>pxE71p#M;~+I=)sbUY{y3
z>*!{qii`ZX@Kv{h8;H=6x$(f2qXK?GzQAHbchsF9x%R@B?RCMdMYcG@l-n2S4M|#Z
z@4OLbMi#ZNw1%!Ba{S!0xvuvWlJSTg4G=hB;7gzYFBI-bWZ+9ZrdA3s{hZNFZ%O;}
z4C|35Hb7}x`%?*#J=~G`sIPt2+yftni#S{y@-_Q+S94Wf*6Jc^?fiY&XLqbNL8G%X
z`&W5J-5<%bT6bbQ!;SdKpsOa!X9U#yJa!}W^<yLAXEZ6%Y}cYEI`OV{^)=<c*et!@
ztF<)!jCG-kWs$ROLboKyuF#MD<oi?=X(5XqCQtTKDFELdx3B+c>fsv9sJ{H@h(fcU
zHdC3K-&HSy2r00V_gM7b(0(Q*0<Qj%Hlg53a?|a1ssoV3^%L=l{N@arV{agDylPjG
zM|A|VQRai^`k)5r%mfDrk4&5wU0iJ=Qu`luZ0@MY7>7Pvd3#^tqZo2#mN9^aP_qBC
zOsEt^=!CrR7qdcz@wNl4QE(c+0}Gek+p3SWzcf+|-tUlp`4=-F1XjoH6_Z?fQA}mr
z6d&VLhu0YCmLdUTz*?*^ch~*`K~<XH>{8gIisQ^d#8F{NVV0<01Txs}5pvI+=B1Ac
z(&2i=ruYyKK(3ap-W~rjg}+m`2=Kyt^!RQLf%Na6F@&@Fnv6XC?3^7BoQQA08EIV1
zo{*u_`>PVB_-`k(NVOz3w3gQtWhwT#bX7~XbJ3x|H_+!)1!{TC!>~?F%a;++D4rVx
z@dB5>%_-krwkX4jrFvN!S7X;qYNSfv)`Ay0<-^do>G*V{JCQYBRS3CD9;dsB*vESc
z`fq;R3PaH!{}ClgI7?!%wKK?BjX(AxkOW5x?JkcUlsytMrk()D@48i&*@SKA?atQ{
z`F7TMX%Fa}?H}<Ha;^#OSLp5jd|sFlFaFq)E1)JhQJe#zfwiD^;D#MpFvztTEj{-B
zU9r3csOhKW^TPWnACIh7yPApW-EoSBq+xaYjJk)j;^%vDSU+?<7TTT!t)$_r=ME2e
zOztGi7%{#t`V9hpvaZ<9wxkg9%{R2+*ZV4Y8UJn<LjeN-Z=0@s?F>a4$4~xoB;A`!
zy(AREs0{}c=h1$a!V)7kns2Q|omTqTue>dvfkyfpZBdyu+5SOqaFtbb9M|sm0V^X*
zk8N<l9Qx@EHxc1<+kpUQ4tD>o5Rh9ZKRafyufvQMbOjnBX6^D0gkFJg)^uyX>iy+X
z)yBpCyOc&$C#^oY%0-z$_31AFcN+ow-v4skWAVK{ibl1G8N9h=zP2U0b!e8zxAvCm
zC3)>7n``L8u)IIJBh>Glg!Tu@WDSbBLwL07uy9-TC<&3p3tP<RqKg3sday`&o-P^w
zY?@RlY=)TAY1%aTq1e+#vZswA;z7C-K_GEJHZ^SAFYK85PM_Ld-t5BE4n@i1Z=lM)
zCv@)Sw~lm3i>^yw6kg$BYQ28xW7~SS-!Tx~m<+|05964JP@R0Tc-OSGsn+pwQ6Kh=
z(o3pCaj-9mC93RN=y(%V$Y4~|jX`V@`?~-hedZeai_lU~qf)TsK+G1&qlg%IJBzAY
zmQqV;i+Dqgt<FF+5xi}b=F<@MX6V-G{fHRHs7yNfFrE99X&Lr8u3O;yYbLE1+#B@T
zT+xNVNzdu;ebs>bTIgp5z`OXtIkZ#Qu(SB0^;36C_fUA)0di}6S-5Gv|ENU9e=>YU
zQ4~W4>vfGB=V>!J!xsDNd^XgG?8Om(`nLhhg4C{4_HSTry66!-v2r|vIm+KMuj109
z%RM9<Q&C9j>caFxdFk-Q`^`ixq>)J8*wEJ}oj)rV-6+CDGE{jG7bEF#q%8Y2szuAt
zF#@Jy`m^M@GDA2Elx1P!wA7dU85mz~J|IDZk==x02%nhs1_CwT7+$uV!PGw|GuQ6M
z+Z8enh-Ud<3jFypQX95(QF}q<Z0dTiudXlVaFWGle!KT_du=if)^JsnC(H#LdplJw
zyL;FggYaFyChLmHtqpXiOv0#fD!28!`AXhOyZW8E2~eJ3`((iLnp}Szm9=O=y1PM4
zSS7ZFI%hG&oi-=mXSwEnzWS1fNFG|>n(<t1d%aAlFICu{^t5!vf2^5G4ga-f`eVg;
z(AIO+5_4O!=rx{E44ks0P9;G1Yw;`rd}~SI#Z8VkbXCuXZ|=q?-9KwM@43j=Derl;
zzqoeUatio>)R<b&=}4`FzzK@sWsxxE5_HT`B+Dj2pw94PD}|7~*CyHTh{bL_`D&tn
z0xy?pkgl^#jCd`^xSwE~mNJ!w&yql_Xe(}FSH(opGkM4P1yE!*gQ&jHeb*FtQN!^!
zw;_L|MYz0hESDu0yzn~j4sr3_WFATHkNlAF%<bW8{Y+Ag*pqwulZ9tr<i(_Lw$y@W
z-F5=pP1;|A|6ivA>Fe0=Nn28LwkxVpAA`h+kWrX!?=N524JpaS*`H+S68@HCn*XUJ
zYuKPD(txmxGnC$8aun<M5jv}zk4wUVU~}s&S<^ZZKwjJuSwsi^Sz3MhkEIpg=99Gt
zaY@ugq#+dNZpUB%3_~ptsh%DPBX4gJ*=uatd)L2h-k9@MEebR2)2Kg-tf|i92`+2Y
z_7HFm^udZ(CAsEJ!DV)@ZwJ4(bAO<+eoH;bF@?_aKK|3wMWIO_H^DylD|TJJ`m77m
z6qA(eF*c$EZu{&Uo8dU{I`59Nc*N~*&R%~j*KT%@#S2|?MYhEtP2f!<%9M;u=aC(;
z-3+O5M6(Y38pL&>r7%R%Z2fk(N84kkG}l|9AcHMQn-g$c>dH}jn?-6eKH@yOF*a+|
z(&(N__o%-VsztgOf==|aBk=LUqn46)PF!F7r_l+8!=JBzz5N+uhpCNhC<f1Hp<`21
zb=>SV11E%%x92`bB*Lxh<HZV@bKu7Q>3{@e&}Fd-{<KAZ9+tL@ErGG7B%nV<`XTT-
z3$ZtL7h8=NA<i8|dw2Uq#~p+z?t-Bt<F&!ga%jd{EY+FOBydt4@Gn{GEXs&u>>&N`
zi&LjkY-u3CLeVDqZ~Nb)U%SEh^+|EQ6N`?unAgbMW;PR9D_-E_v&)QYo_LdRo$&QG
zmi+cf#IpRl-unXJQWxChb-w0*E%j2remLCwFH1e{kWsX>eYB1ZuaB0JJdRVmPIu)q
z-phY>E~UV_9FODW?!Wx~7TyQ(+L5PMM5@4Z;gOSqpn;xGg;JZ+=e&4M#7N8CG%2q1
zpEa*~1XROD?EH}jZ*8|?#bgwNlSc|I0R?B~HqTMPNaN#Z{W*FUE}&_Xl71_9Avl2E
zMXbMD+C#IhI&up}-FavR*(puyEULUND}CR87Vc5CN(Bl8_hjJ`CNx;6KEaemNb6g9
zd^)m?kMA-NQNS7{BKD@U8iosOp0eX4F>s;qdGqc5+tI;E46%HH)wA$FyDjvSusYwC
z@kZYzx9jgL@YOc!RKthy<L>$n$GtqGou=^6&XHu9bHJ}8GTudht7rt~4tLyjv(>Wv
zz!!vdpkWbaX(M4{pnfT-<!JV&26u6=JNS&PPOSV(i>zx?_U?5mY<M2S28r>W-me^N
z6Gr%IRR70U1HLkZ_27H(b1_5$PedHUk4Vn67w7SdYtO)vxY2O!MSa(YAo?s7GS-VX
z7~@ms)>CLa)R#|-`gcufCn@>Y!kZ4is?}nD)Ak3ed#v4-*Q*q9w~2sYg3AVL!gtIw
z!=`KI{D8YN03DdiK{cHqM4SvY*I@cGgEIf$GUEDA86o=VV|spPX`d1z>K{~mQFgFd
zlFNlIpBTGnIkofKm$Bvgb>9D2CO(+!#B0Vhkq%p^amC^kqBhsaSH3Jnb7|EGzZTfF
z-yn_-VFpjRErhOeS?x(+NI%6wzK{(jIjo~oU>*JD1~5M56ypRr&|V`F4UGRoq5-^P
zzICX|eQEOKr$EzzHE><KAu|cGrcB1TGVbU%Lg8`*EMqI?uLc;pplrtPiMfLg>kCOh
zvHJ22#G<8CbzseagKUyeQq@RtJc|`%u0ILHHsOX3f0U>f$}xx>m&cbay%>o8`eO=7
z{j(hV=`0p@U5pkIVw-^OtPmJXew*MmJMd*|rk#|Lotz1&Z}on>6SWmkt=>@&vk=RD
z6pyjA1HhGkr;Sks0w=++|9-#N`-B^MENJxbXizcez8E${9*$&qI0lf1L&W=+7d?QS
zI&HQn_;r1MO_=unE=t=&>Rnoz+Om}sH<z8ndOzL6gQ%L;pY4&|jSoE92M_}gAat?x
zdOU&6rZ~ntY)WSP!1L2J3ESj~FW2Z?J4@2rq!;JosYY`tcM%QOG3-It%oQ7^tZ48h
zV85A)10JuU-X=^WzD|sN0LeIQ&WKD`rk%r&dnG6SqDt!3TDJB-mjf76Fyl0e98CFx
z7fQF&(-Rlmy2Pt&k1@bgya_<S<#fltJ>>$n^tP=zToZe~cbC*M!5-og79s6h*jdto
zAVUg(aNK*w`1;6{4+vv1$p|ojPml)`_H$g@Y$Z8Y>Li(DAX^Nl=<kM3jvVcHa>JCl
zNkAt4V*Ju+In9{o0qK*>=kMvCZkl;C?gNspBzklMg4&DZpZs}W^YguY*9mlPe30}O
zzcDMaKZXwBcI3fi9G^A}YRh1gcw-Q8=VS<n=;lK{9#8<(>&QyoY{F>J^gm@+1tMHL
zSW~%ydl25+-$3*X299kCq;{kn_y(?z<Qs$mX6>6a`S=+!B?qN9_<Lp*<?57w`sy+}
zy>WoSZ8S-Z*BWJ`uB?mu$sc~>U7{BFjcf25x&2^CK0nB+9#s7J0qh>(LEge%*;H|}
zI=e^Czg!yU8>;gXT^^+>W7gmAm03#v)43`G-@StyUO~9&i71=PVEsb__q4*D?%KyY
z%j-aIeG3U7bKz11cf^pX^C+U#T65@0K6dJLU$hIVPZ;mv^$0Tjbp>&^G|c&)k?4U-
zBj{8Q79X!5c#W)W3`&^;NyMupf7Y(o)|b0=bG7dYLj>+OSfi;9P!n!%Z_%t7*JKsJ
zfJBQJc5UmsSb)ROceadpKL}4lIv@qDK?Co-tB|i_e7M}&mIlKpg5>S0D*Vj*08d;;
z!x%8@_27xSk2nr`Q8wSSSHB6eWQ6cfi+U!48<tzQgtk0oO3h`*yd@<xSKwfCiRS*T
zzqa4s6lZ#2k<s8?i(&U~E`T2<9s(mS5EsA^{A~}}<|EGd+kR>F&o34?yY9&6Yh8do
z>ojuj0@ihg0EuWK)9=NZYh-q4-5?SWLJg$grRA=>y-g2T5=h;sD-nVKB?j)Pt@)K0
z;HKPooh2_#XANF&_ye8cGld}er9g<pXcPx91Nwq33$o*v01BZUIHm^9gmGa2!Isx*
zj0l!&(qOcz%KI8P6BH?~r-$2Y*>@v?S>wwr1~0+JuK~%;Xk)_p@I%B41QGKeH1r>2
zdMO65wsDVc!yCT)L}`fgBV4(b$2H@EzskTn_AO#6d#D!t1e8ZWSwX(5Fxs&vDXq?n
zZp<Dnznr)r&KtRho6A5j`vLvYrHfFOE^enuC|xQ*T8ZjQ;W`1p;s+u=0jn!~4<;_z
z4OA@Zr`75<6^mqy$CbRIx?SB4xSi$y+64E$LQ7?_%URCH_b0DP`bqjOtbsqkrnc8T
z_#SY~65Io5N){a`N!H$Npf8&OmT?F#c$d`Lui@;BXDgzk2d^hO#r{5mO+^3oV#1d8
zs=_B8)Mh^1&zOe5!sJttgk)`h#NIBNb4!^Dv%UIl68gON{Wq?9*Ziz(&WclBkZdH?
zapG2=dhJ5ci;1P5Gc!pGKe1v^RJ(O`h2Cum-h3f}g9E0vr7(jAjSP=sg>Qxk%bN>I
zEJ+=4(|`B8rSj)bUj7q%>1{k#&IAf|p_tuFiulQ~IB`;6k(CIHBTpwD=eMU1zvOL2
zE$#HYsI%eWazWjiG!S37Szl55@*Vz5JXw^h57CqoBWNT+M*yrTSw+nA8C+d4N^@n3
z%*VLbjybrTag<%f@~@lGyg!?07egmhLKoG$v|fW{=kO%Cm2JGn;fS_%uNil9;`jq_
z&bC{Y%MZxWrA*!FgTn+-%)R;hP9pWB$d>Q<@Tux%Y6rQB4XT!b1n1fvqgTYIthfWL
z(uv^G2QHje=5IxhR~Y|5_Y61!ujCxKek6Ew4LFt~d+~R-dD*Wwwv^gTQ`SLRZP{90
z#S$ef0~uKjW_0Q<SB-vyJn~<rtY#k3Q&2nax0OO3GatghUJ|UmZh1LNmN-toy+Wkq
z8Nn>5tA6q`m({s#8|{jU#3C`K!n<8}$2(MCnYp#9d4#-jA<3FAVGbXf?L(tgAwAKp
zZyTz{PK^@(I!Y&IhGhIK-Bpyh7NByU<%eMj@QPEwDsAa5dGmdra}Pjc>ZSCB$C`Vu
zoO+4p%S`~&g1}>xJDyX-GK_y7yBZeS_JP~ruWB?`@4K``g}H*v;2L_)Ps+lZ-|7#5
zB5xt6qq?#?j!zbmoGN#V{uNVz{A(MmG0jT9b2URzxR=FxiICRH$Bc6Z*~W7Vo4c;%
zmK(vNXnL7k-z^2l!V3f|aR=^O8vy8W|A03+z<c2Y0=gflQ-P=@0Y?iEKI%;vEVsZ+
zjl%TwktFfSgk^rH&~M1C#zck;_oUB4;|^BT^03-e&Wk5EWTowd-amG<J^pNYS>@e!
z8)I14^R={SeeR^7M6aC(yGQF#XnCI@5iKMVEk#S;IHdODQeMXvEg-IMNt11>iJrgj
zT-<*0HR|ZC0%zHa?Mviq^i?1WbPVeQ#@cJ#t2blb@CbCTLKv>m?=yHSXWY<q;shL-
z5e;19+sj21(d~K5XbGG&(2m)`yW%`#4T^6HP<nE0XOU(%X@O)5I)FFgZWw<KScS{Z
zKcPD=MURn5`4am4dDRij<ckwheRGqacxANV<SfqMWn>@<RT;|3RjjZ7w`695M4GKY
z@woq1W2H9jB_|<@!#dhTbD<1t7i_N@eaxpVFvDD+q@ApLUCepcxQH73uG!x?s(&Ix
z%X|5P*8HsOz$4QC<#lyW2CmLtn}xG~81&D2vR3yjI(la=#Qu_f4^Gx*(W5sqL%g+0
zi8X6yJj0BO1x!dN>i)%Jb`iU+S4j$3&^^LSt67GjgpP1plHSaKy;<)omoFL2HH?Q(
zy92Z&J`(af;wAt{fKIX$z7IL!p8~Z@5=A`c5lcY*B4F?G5bhijMJDolWy;y)L=tWu
z)<+`Fl)DAt&yJGc8I@Z{6QXOGDOQ6?MBv*B_baO5X?nonuqWm=F@kWiZcne5f*?@a
z<%%E-0sYVO<JQ3160Ks>XP&I9Mv6oCO^LBj`FQYOgJSeQBtFBI;XlkbK@}MJ**CCT
zmuk0p$5vR(K&8v7|8oFwAFJf!u`hNV=(<QpK+M55G~QS9XoCxgBAdoe?eCWy(J-4d
zi<6XCKP5u?(*3AZemS@}M-;F0D}|L^dIXkZ&@HTzE-qf|_n<%e`pat}Ke&cI_<r-H
zF`|1e#zB~cDVa}O4>d?hzF(2=yLR;vSJ@lArWqo6t1(P`GU@(I*0F*nH1(+T@Uin=
z&pcOGm$7G?T|H9?Rl6sNW=Yct0tZpE0&ozX%xs=`>CLav;6;!*>6Jk@^~0@v)8{ay
z7_#Cxb^WQGhg2kZ68P;QGy6C7v8kag7>fS*A&6J}uKLF)$BZacA&EyWv%0guamj>#
zzL~Puau%}WG#iHX&SzY|R?J0%S7B<zd$d$tPg~wych(mlU~tzij!c#YCtdWT&#dD-
zFZFiQnd9{?0p5_$wIjt_YZXpZw9yoY<&9Sm6Ai<2_Ig3~vH*3w_S(cfbk~KJ&}{dy
z9;1@hUu(BV_du=6!`iWgTSS|YPm!UNln3!+&qFxMuy=X#1@;c7TA{=SR0MagZ9*h?
zAL!{COD)qV{Hz|{ef%rZ`r&js1$N0bwDs>lRdKR^=CI<RVvD1oEi%?Gs~n9jjp%YM
zAJj$&>QlOxh<dxJeGoA%uhl<xtNioqg+&TxYHnUgQ@`bY6v0X9(DQRSuMH3R8@2B)
zq@1k0=|k|YnkY@*7tD}XOR6y`ue)<aHY1+2X5`0!+)M9sIg5}FY1e(;zw?x)+<DKF
z8uzCPKW#r+`q@<e7$fg*+p4tGgLfhCPKL!83SAy;wh0}yCZ&mq-qaJ#Qx7jSPjEV2
zedIV?^4>&b^6q!OpmqGGzC(QeUd5SH`ye@c9rvX6$70-l%bddd6>*m<ti7cM63Gb|
z`ETD1IeeXD`+L!&{FvV}^7zs?KHn5kHMx<*2p@&_UCvRMU4G9=%pZG2_8J~PWNSNq
zog6Ui9xLKFm3J~n6<w=EF$thrBYyX3-1}!qM3m<C81Lg9Z(8?htvjaONfje9$Mt=@
zDS>C|BiG(fKi|8Z{wF`icp<#GwzkO5qJMBcqgfL#u<%GkHg{|9)%B%d8R-lcJ5v0R
z*GEfj6h6rvgjU|bt@?g4pr5txQ!;AB-X^%5t@`Bf?hI{t8Gp{U=*c>Xu&A-^{1i8m
zD7Vh^+;?;)zQQj@3jZX9$AIP7qu*3wV5Yd@vx7|u@xdTNGUk0x*QNVsc0UP13Vddb
zQo8fC3S6#x>%F%vq_h0dKdQD*S=!u?*ScuDX1qF;Q%JW~$lnq4VqT7c?1Q($VhLp}
zXIZ9A?_<0U2qv{KZza5{&AMORte<&AAJW~@`Yj)_d_4Gj2<bd%b@SKqd*NE@_mg#X
z_w+xTFN^HT%70*6xtd;Y3eq5g2s?FMdl`<xrYjOWx0#!q?sz7L8xxt}r3`~5gy=YL
z$}MVK->*07X&;Gh6g=z+eoyog1%pmm6wQnFLzuNqH>P9aRzS&lcxEv9yC_}*f#Z|L
z)d7uJ8G8Q>-^y)ei`-{v<-4^nT`ROacF=(mm3D73>V9~FV`Yh5?$~GabGB&#6-v)n
ze~!urX3FIQt>~tUls5XrVwe;5rAhCP(-v_Sk4_AD_v6P?PX0)5QyobxvGr!!aMjRL
zdP*L@ZD6tLXo;!i*~(1wLU2&`UM^`-;s%ptFAm-Zf}<s>CyTtZFG~tm_o<C?r_{k8
z%{H*^bn*6gsV04@qoqnkp$#7Ajfs0xRtaE=V!S|QQcJu>Rb+uz)H7QJwpD>#0ksce
z*6#h(EdouLky|ex?Hz1V`Q&g%#X{?-<8SQy6+@RZ3DLSABoBG^(FUAX7mHi;b}kio
zNsQ3@ax{#`{efvKYjq$~<x7L}E5?tSuR>*{#d69TaNXG?eFQp^evth>rTfr0)?ykl
z)L_cqc8tnnkp0ceCKW%BV1JEZbv<x_-Mj@Y7gIc>zHl@zAKwvEOLnpCD%bQrkVySB
zzFybe<@Zup4jeWj?tivUW0^m*z0itvdt_`X(BSNs#&^q6+NOQ3QX-4(0{Re4Edz~;
z1o%%1yyG{d&$jNVd$S{dP%21fieK_g{?Tb)VvWH@#B;~%HR<bD*H*aq^J>6IwW0B?
z{o$;x#0cS^*ogcr_O~sjDdWz9l0l7kN6iv70@=!9+d&9SE_tW*qlqF+Jlk_0XqIp9
zYf|%0qScAC-s&eZQT_DcagvqlFWzqP<YuC$gv?0~HJQw09w60?h!ui#!#Y}d%a{BF
zCK*d6xmF8VWxr70bc-f<TweMa6r!Px7uqW&vd{Ab#Ii+Hk_2=oOo!9)im38g&rUKc
zt>bsCZj=#hQUs8SZr@q;%Tw{0IJVl-Tup8LV%JGf6>rHR#;M28d*wNc5B=HVgVmn1
z)HA_hj`H^5fz&LOwt2~xq#hm(g<F{UW^BR_Hmfyivp&4$DDL8>uh#pmknK>a^M-DX
z${BP#o?FbN<<iC@F?3XcC?y9uHRi?=BWTuMgSX4^J%^5&pT7@pejse(XzOvzTxyG5
zHGN!dOG$NWQ!1GrtvTNDQ=BQ;$<$Pr`E|6k8_MrQ%nQ2=kI(Er?7F2}ANl1pk9_yX
z>UCBij^340+2<*Jv+{<V;KO9NR@bh-Uf~vHbV$I%y5E7>lz5}-x`prJfiLO_{6X3Q
zfRFt6(i;!8?fy8+<<YI3mMi*m-IlnMmz`1zW2ZK3n)DLNH$>LYwfWz6(|_!~B_<d&
z8`kQM%%fNfMvnZmVB?SpzGn0+Hs0*Jm|B5k`=!e4^V(ZZ(!{+X-Sb~ZBl59~9rd4j
z67t<>Yw>fJx*X5jaF*F?)H`ulGi5hY`%a!aV@7FduI(;aJqMSL`8yHQ!5O><6H?&{
zl35tfI_!%$B+4_<(4I)W6p8WrYWN}kDib{loNviq7>B|)uTM^W3YkAWQyO55OpR-m
zcdgUXNpSpnzQ(osaXX^#xr9sOagxjExZY>4f(KG$tpdioj%_2$!ye5c19u4JT{l?H
zPE=Q?%osN{J=;gj$ZR?0XB=Oa^a?u5Q(t5{t>O*5@n=xd3MnV^AY9iipW+>r&-bRq
zDblEk^7_}|^?1lbG4>s%R){~r4|SUm%yIWp<1h?QUd`~b@_-uI$TuHDaf$%s@z}z(
z|E(LS`WAD%r6pcEJVC(G)PMM=hX%h{JRD^o%lSe@j0r^k^v$LDNhGsj6xsE(UpIjJ
z9wjiZiLFNI>#*^CY_dOspIW~RLQAvoMGV4AT|ZxME1FxS-Yz`4JCXFA?79;Fk5|%u
zR_mx1cLqM2SP?L-uP_%XTN3IRNR6Eo*Y4`a-)xxA7EwK$WFuqm(I(P&>X%u=F4}k4
z+v_upvnF#$Z87at3i+DXODwaFY1KP>{8(j-if>ehuiT(V_5{Y8Kp!{uqm8C#@C5(x
z<hasmN~qpj=$Iz>%HfK{NULB@ez&!Dcqx~S?-W@ewhO18Sl1HP9QFR_j|{3SCJPni
znO3Gprg;SPx=GEnMSzuAxw-Yue5=qOey}{WaKL}6oFc_jRWl_ZZ_Rka3R{AgJ~N%{
z)@XZK*4expwi+Jl{?nb<*H0YOqh7(8g5tYFJhz+aW#wqe8M8YyK44aydQV$Ego9Np
z-uqZ8Yg1}KNHxuqFr3VWX+xC#3Ll5V(nM730H5P$yXKyIlK|UZ|IJT;9)G)Sgq&=g
zwvb%pcFl1hYuLth+NgJvl9eW-6N%rhlWFtmJ=lrST}qvmyBMpmd9iVHypy3~qZPJ0
zCcBi^DPWwS<FbDcL3h$t)!zE=s<0f@et18^_LZLV@RO`p9ii}gL^$S^9e4ehqP}Sx
zXI&P7*)`^$dWQ!dkZpXy*_=NL^P1t#*o~zl+Ln30^jc`I)yDox^7>x+;^O>AdU_+)
z#JsTS5tt(kXDhmikM032yj}n1dBR%64iJ6<hz71<1T!hGF2^6Yd}tOW7ZRh!@_l$i
zxku!%i9{(AjF`S>4<yEtiER+C21ayP9Qj$XdmI<f&cqZpH)ydBF>i-E%jqmLb(6Dm
zP#$a3lbL`rN8`xR8`6?~4Y38AELc(+%<}VD#qSRLeZAi1koh#aT-KcWmw=c_Vg9(+
z1{8ym@T!p|;ZibA?;OUQ!%ZOag1_%`#{F-$WWr~52npV@#a6NIY{OQHbCSO|ceZ5C
zB4SiO<%kTgh_-IGhqFLDD!q9=LuLc9R+H9$aI>wYp+*Y*L=&&kUVlOp<qU9oK)|#6
z6sdhG=_N+qCa{bO*mSe)KQ9fpyfbs;oN(ofXozFmg#XBoRO3Q7kR#B)avl&UjV_hC
zuS4oH=Zp30XBEeC<?S*XjB%s(t8TgiN@bWXX$&DJPInDt_TMU&k|Le--T$GJwlw&7
zEKH|YoZ<AdrSu6tHAljp+RvcMvtI)@$z?XZJ+*I4O_*NL<vPdyX@4vCP1hksTf#-s
zz@ny1rGg;(;pPj*Zb1d@(`aLw$73^DP`*3sPCYHY7zj_NcSoq#$bC8zvsg-Ej2Qd;
zHDEHx`%8F7nd<!q%V80D6H>=}`KcWFp&ixzO4@VLw#;PK8no2z$39Mee>T|$Mn+`~
zKP6D{<*lVW7@#d5UJBnkeE&`?!6NUII<9^%TV&z2)#}pPqi0Iv4m$MoAvB_!0CErr
zH2&J%*}~`ZG|egMxcS}k^BswOzyNRz&#Cu&jwW&2=`9U;#jJ{K2|mSQj;GRxtl_yX
zS9<S`7}89Z+vXq4oG_hwRIvCT>)h~tD7HL=B@*Io6A=<9@r1*dXFoYWDCD!^^|`)W
z-jFB&3u;I7T&L-jTf_?M`SNk>SM;w>hA-k3k?~F^=Cj2g4EcQ#A>-)L(sVl4aFk<c
zt5lGkM68&kX0$xZ1$nI5U$*$=T(5L+(-r%(82Fu?NV{OK(G(U2)@|dIao2zCG}`k9
zPKEB)E#Vc}3|hOcjc~X{2)=()^Ma$tqswRIR;{VSY<$%a8{7KosyXZaeivV{9j*33
z`>0xN;*Rr&-DJSHzBqme!_=xXES#=z;<$2B*&QL*HSA~pSYpK8P(#PMwC^2e7f6?f
zN-XRr8nRzd3p7hwP&1E@7SLAZH?x1_Ea{V!$Z;Ms_2fJe?48N#QC$-is>{o-V1MZP
zJDyx?C7KKxs5%qFNy{dqJ!BB^cY3hQL)NR;8*Si2G2)s=iA;8pE$zH%DSekQxE~-#
z-^A1Z=IFy)vPv29%W579as4o&&xt$i+0iD4;eBz~=E+MYT&{O-hjou6hWu@Wemp}$
zS+3LmI~Bf5A{+_Z`K&B!Dsgf`rO^acN|hGXB@2`TwF#;Ak!e&faKzM;=q7El+Nw&s
zKdaPg9JD6p`E-vg5UkFWr;3ce-#1Y5nD@^V4Kp0DAHWTf_4^v|BwAp7bij31*6{7@
z;p0jp*Q`xb6}|n_Qml0wnzTl~;GG|W!bRPCTIOX;|8Bag6IE|4WSn^~tOH2(h)K6F
z5Snezei`zBxX_A}HHYo7kOudW_0S*6{!kz}*No@mO9J4i>e#|>)ZN8b>a~3=!Ml$_
zA>i;+cjkK!m6ggUUvMN4Y3#H5)Lvt&?FeMhzlDMB^+yc70P!yv12g_)t<*FP4T!UD
z7Vy6Lf8sh50GgM<J7GXx&}X_i`MPVApG=aYPawm>3x9qpzm_b>8Zf($j_s|qv1GgK
zd6i1L+y}$NT<lz}riH_3Mm9qcRJPSBFvGbee5J-|k~GTGN-bT^kumlhY9aIV)Fv(I
zTf?fNzB1<iz<4(XiAMQkPE8ig@&5P|120~!&l`^Yuie&@KSCjOm^?4cXm>B=x=Hr!
zE+_Uj?E-{2_I!W~h#yaCT^z>@b-dYWXqxoDlJPl;IKaP+$`XvP7xWftnUtYeM@*E#
zUNjI32MeE)bfgaiLF7%wVnbw}HOGP-pKBe-tHcVAGy{9~8{P3^F}3iPw<nH)2JN4@
zu`e>ZAFd#n0lRmb75`-;a0}ekRq8%tMxMg(eRv8D`{614R|EFgEFc678&Yl{hwn{>
z@Z)8btA*V(&sE}Wy%mn9Yn+3$-d5Y>%W0N&A4v$Fwad|Umr4jdJS+c5cG|4!JRcqL
z^tqDy@-t^2b<cE{8m22!*86fI+k7gVnj!hdVc`yr9fE(hW8$d<YWUv2{;jh1{dvk^
z8}UFwDW9$%-@1aQyiQrj#Gyyo(239LdHLG@!DqeHh4LKy<%O-5n%^I3JGZ|I88Nme
zR)p1Q+-idnFL*7FlCvUMyO*uY*LF+5s=zVo$kbe0X@i`hZRvIJZfF6&Rs1$TMuIJz
z9<xnOF?Fvov}UVIo~{+VB8XVoAu!N*LpP~hd+&fL3;KEYeKG;yT==;v=6PS79Xuc9
zoH$7&xs29)C3DEJr@AHbKb^c5o^~y7DSkNm0O<Q;8Sy5-iwkHD<(<fU8lTr0!Ri(I
z11m*c-+j?<?G549UclNhAcKC_emUXo#bQc^<k(Ek)Th0XGg8tF>481*W%p;h-PT%N
zC4C#*p`n9>ug8mrr#6_@Ec5uK?R=(T=2vdtZ`d32qM-<xkU>vq^`#BzW~dsq?3x)>
z+`cyfVpJ(Pb5Et#rR@{JQFmhz+5OKP0Zg%jKnP=YQ<%&i)i3>Eg<Ztft(cZzrAmp6
zT}IdiSdmJYIq!=<BextCJ1Pt%Np{gVPRFr7o<qEL@5xX4%7!bCGs+?Y&1=2)68;>M
zt6ZDw>6F#a*^6yFJ+9%eF6?}i$fl4)GMs>b6=5U9STfHzez{mN=3ZHhiSLZB+TY0k
zOw^QJnuo6tuhVx{KvcbMG*H<&yrHDq)3M}fAb%0doLeXP({M8UZ~2&>*J1MziH>+{
zYcw9$ppU&DyfTm`Poa~o;|$|)dQ6SZue-B!p*33beO{c)M9u_CD_b4=@9gw?f|jby
z$~41ESDtU;#o21Me9pC<sDa#N`kaK^D8HPwPJEFVA<leMyaqD8ji7~d{_2$Fr=W_t
zOv_I2Wm(sH&%Ha9SAb`T0b6ZeAmdH})E8spd2ei!AQVq7`QqVI@9wK6CkLCer!-#+
zXb(Ml#Rvkd<G2hZi6U-|BLgjsVi}t+z;!(0NKv<_zbSC*p(ISRFU60rx7^i4%Z}!o
zU!tP(*v-{DQL;a|1x;Gkue8KRB$-XS_v16V=$#S<*%gYT{TjEsJ9ivEPQ$W8!mSkR
zp%np(S;QcNxmV=cxLMLLn5YP843kN0D6IAQRiqqvCEB-%Uti`vGEF&##r+U?Oh|H;
zyzYYN;*OZ;@!h7gc<yHpx0vl|Cv|t-yi^B27uUG{1um}i3WSC-!I^ILsG881o%kuC
zsYThRx_s=S-9+>ZG<()(ajMT?vtM(>k{dxw*OtyB6K|!8rf`?Y{3TqJqk)(IO}E~|
zZiX@LL?+jwomH~8eriZ|_D<~FO%L*|V^dbC^{@LJ8n!J|{`#8z99(;POYDx|H(~Z_
z1{yhClL(xP)6o3c^@x<l+6C={OV0ze8zJ6`+?*Yx50fdcP>^=qNZ48b?!;dnrG82@
z0S2+m%Q_s)R!;Ii`uh0eKhMLOau@(YDuxu3@5n7-`rmFz#XYl+yKuNwm?faQJbku|
z^U#dhq8a0+g@_RKZ&=SbL3VQhmBlp-y1pH3wE+PZwrTc#fz>fqEMIm&EldqRt}tSB
z$f8J;d0DLub+z*{_3@zlUP9ii+xY(tpkd0N(HN^fK(CCmHtwE-%!EYD<<Pz(*MoaQ
z?^91#KQ2bmgXAkc0s-$kjgs(a7#Hc4+cC!cKL`u`!ADzUc}b_^(~^SuzyGjC0h*qY
z_XNI6`n^B}%>o@CLSJr&fu@es9|c33(|1X9nN*55#GBJJo*LcvAyYkV&QNTM0g+rF
zil3EWJh6%D{3E#4Z&1jE+ea_`A9W&xE{;G)`$3YpV<I1H3EZ7GXY^oiUi`ayS8)TR
z%B$$fGT7pDPtdyEd)Qo(;e9GJUgXDCV}L=AsR!5FPuv3oZjw>=|8mvHBzS4cO5Th5
zE(zM|f{slPQj$u#c_&vu_}BOFR&Lb!oCPr&kz9hfV}j!+?mmFw*cKL%!5Tg&tsDEy
zSG*GWp!vTa)Ekh5{%<Y-4>~HwICDN~kA}j1Im~}SnP>=<iDKk;b1oj`iVU|@vcQNV
zyaCQYoL&K;?jSs^dJ#FI7pIP}2vo4luW^yt&mU79r#gZ|KpECEl4?af-4%WyUGm{5
zs7JHljmyjh3`_+Ygh(=7yYJGAY-+;3OZ>~Evy&@r@MW`%mtg$8f?SpEOWwZX$A7O%
z&;N2&c+3C&EQK$5oP#j31U6G^kXnGFUkFZ3I)eV}1t0WlJXWDx41$-yZM<TRcAysb
z*CWa+i2Rg)E_E_{ah?%CuCMvxu<<&NNn7~)(i8Z7?Q73LF-W*aZt2567w^~;A!8ge
zta*f;3iolCwP<YlacF`EoiYycRC3|{K}G9^7l4;(UrThn=luThEW1Vf)wCmdCk`<?
zQH$>BRDHq>9#kIHJ&dAitieQK%`}DhedN3mPeyR#v|`S=cmgx+2Z7?+Ye%tWiTwbf
ze}RE>1<<TPO3R#x9uz#QMHnzfiaI&7K^m<IX0RV25h)DKGIM<%3DYW@cF_r?5mE=Y
z@n_EyO8Y8cuE++9CP5ga<wt&FlItd)pPgVuyy(6+%3e7mc5&1zcrfKiY!bp8b6Q{0
zBhc<S<kk*vwyWB#*KR0qFVe1R=oT*d`lo%=eh5U7Vc>3!^1tN%nEA8zgZ-GA9-VK_
z=6AF}d3$)m!{Bv!D9_NzGKm%TQNQxxuY=b^F4F@j#dMSQ<g4Mb@~YQM#gp%#Y0dbD
zhUN}!HhvwF&LV_^0R<zN9u_%whH%9$^#t5qc+<fY-r`XUOQq7y+LKEXzaciS50bvL
z3dIo>W-g?aNyG~+MyW3ST7GeHGAo@JLx8Uv9A0nl_9GoF<m9f;soUA{Xx+#w9Fh`<
z)EidQu@WNKUE^xnEqYvFo=Jl-o}TyiPngm|yy`ENXNA2Lm*0sVn<FTO$3iGy$?wX3
zg@=L0<#cO-Jf8+{R@ip82b8T{X*;Gh5v51*O(zx)x2CLXk~KRrftTOy6PxDuzxT8S
zH@hTgkoIpAF(mu4_lwgAX8hofN4HjqSPwjCffWdqP8oE|s^?Yj9i7gX#V&BpkU*qi
zh%G!@;seKE*BJ_jJi+)4u<561SP+cbHVmXm2bsJo?CjiPGGVi=zn>=p+dO}>jZ0Kk
z$;gYB_u!BHtoMOlCSTbd<Cc|g3-1PD9Zo5284?COm74RT-WQi_jSd#U&94t?c}W{X
z$g9S6`{RSU3z1jqWv(mxleX6zP^)yUU~H%$5IuY<AodG#->6#(hShbl0E&ZwF{}iT
zf4&LDa}*>IFBGs-kfjaIefQskckU~=by4!$CBq-8Q$7W~4$g)iR49id*x;)mA!{yE
z_OehHMYv$OU*i{;*V(jG(84)b>+L!1wcGvuORqITr0@V?Z0WdZT)+W<d>FX}4Y<C$
zK<vr7U3(~LnOpi%QFvSW?EIiksfqc8?h$PfI3y7`E5!4w0NKEBZt|LAU}YkY#pAi+
zF{6-S9(%B(Uxn*947`ki@u90T4=Z{F7O(k`oy2#hi1rs#$Kz)2nwc#>dA6Th5TRUo
zicwUH)v5G`jIOT;2RY>Hn&YiDe=~6u`jyO}Mg;yk`I36iC7gHd7RR83$IhRXQW<Ue
zwRNVmeJ6|B_&@;`5e5Yh{$u;t;qtKR$3pA6LMsA;sb;+&W~wzl?PZlTTpF10d{8H#
z^63TY>N#VoD{WNmnWVP0j>X3B0d*GHR;3F~50CIa{kI8|a|^$ejQ2mDR4m;K<L7?v
z*?1AzLh!LRo^_9cWzn<k{4|p1n0>WaBbA^^F77~nq@}U-;h<QQOO3QPGt0xFKVhkX
zVG$EfQ7#nm12+aA$&j!Di23Jb$C!ZT2V%}AQh(bqBd9t|_lHyc>};-x66A5AE$a3%
z-hYcNV9b%MHT2cVu~suAhfJU2bOQ<wJ@s#5S!&`}@_6qE4lM2aBr_cgMNjRbRLu{j
zT?rdfx@qfQoJ`L8$;H`{J%If#r{{dj(t_717!qYdKqSJsz-icm1i5_38{{c5jOb1A
z;rKeiZZ$DE){sw8MSzz?Cb{6^DB{H7pzrv9G56O|Rc>D!FpLOFNC>)B8YyWNX=#xX
z1XQGvZjdfPLPS9Xq?ATLx?2eq5ez`Kbax}&_0AjR9FNcQ{9=r6eDC|u84QklbKh&t
zHP@Wiyyi6<xVxZ5$H#MOmHib@n}Ww)(B(yGfK?m@N1^ZfN@iApEb$%oo5<YeM9#hS
zI+5j6ksao{&jE2J_HAg=E2#Yhz}!QR3K(u;TZRTAj^CypA<D-6-q&8eGzlq<mI`o<
z=4BdrC68wBcI31#6@FI`WY7y0$$@&#`#ho7z0~7xioeA^D92vnYUGoEm((GSu>_Ld
zt$FdUTCCw!M4x-BZR6}dx31}JZRg(KksFV7ii5Z0XMa8Mvdikt?0X-q{K$;8(DuE(
zo&G&vKca06QMMka0@V%DKI!mj9j6b7?5i#xbC|Mwa9=ZWEucwDaE_w4epz_2yq1V#
zeS6fd4&qpf)hBBvKgv6I?Cm|l&S@#8{gijXxjkIEX5lgacARwXxX6hi{q1j$YC_)h
ziJv`8KO5b>EOFXn;6q$hqgQ1Op&(Mf7(5gT^cSIuu?4rejXlk#on*Ez#U5#;lUV+}
zKJwNt$ROF3rSYVRMzfu;D-befo~-6F7c859*1We{sj4v<y_RCw{_Is1Y51gTRnbcP
z%j&xRv%PL6%cZ_IyZxH3R1=ZWW>=;zFEydF-$>5|K6%iQq7uP21UY+B(X=F*Qs``R
z`|RtluZ5Clk4nc^o$W2tTHYM`BA0zTl(G8s%51{X<kr%Fsq#D6lYX7e{Ty$uxlOLG
zP2m-w^x3njoKsp7Gwlc5(cS?J=EINSTs4L`mY*jH(RUlXI2kgWOxgIXM35^*=G6;-
zM#ZmGSrdoC^X>9j=rl7P?xW}*pq3*0Btr&!u!sI0g{Cgn=i)eami4jf+AKMa^5pkd
zd+$081=j*R<uZ?1Y+|zTO;0E1c4mK}(^!27oe$1w`~s#}du8JDwnFrF8gggrcUMcR
z3C<?@YK*%SQF^QoZbES3lShIdX=MKHn^BO0TTB;e>nKXwd5}!^!%oS36t#L;zT;HV
z34j8rgcPE?i$wJk>%El$202}DceWy&a3zMd-c^2kA?SV!KxRI57MFpkS8?Ido7KKz
zjKW%!M*Vvai?KCeN|_=#cgi-D)H+9k*ii<l^3kZVt|c=fWBjWn^egJiHdGq;t*CTM
zs-W>k3PNbS{5s=f>sX{Y9wR$l*j_??HP3~UPcu(a$*lthmP`+pwwJBtG!St*Q}d@z
zv*uQie9)*Kv(3ydQFk7AkC{RJVcv}=mrIH!Z{wc%QhCjodm%t6M-p4~Ql<;?ruL2=
zJ5AikUe0d-M7ErH;ztd2<rUOe`L*NxdzA5^Lsk6CHa)MXgZUs>A-yh%t}2%=J*Bao
z=Xc-j7)Ts=%s+D~!qC`O^xISTe9<PAxq}U>z`4%^rFaR?3ndFNRmx-bF#~e^f>nXu
zNlnvT6|@LZSf2+CiP+v8uIWZ2x~@s4-BOE}X_{S7O5D637rj`WtnA`mX213h%_t?~
zMi^e@as73XK79w(u07U!s=^%ek9FwysxWnSwoyN}l3=%96*N<mTyJiOhr4PEFMcVn
zQ{aQ{q&le;H7G&N`jblynbc_|73BL_<oeNFZ#(68Wk+NnPWp*_*T?Z(83~>+l|Ht`
zion@T%jBSs(sdOK?4^#fq1U)h$|pP*Qf)rWqCbA;*446`1pB;|$G9hk!h_3{@gOf|
zkMp!{6dbWg|El-GmpQ<=k-A&;X|r;%hQI3~)Kgl7Ak6ok*G**S!KcuA<47=+B-x=F
zyaW0?-u38UhT{h818Vh!kB0NgQ95j9AIH8`oYJxnu__yUI3PwIU8z4?IdwT7rM>-v
zI3RgtB^69ikP&4-8C42nK)EGn&P<n=lo?#;rpn2$%fbho8cC8=)J+*?VP4`px{f-v
z4~;AI4nJU$lFZh418@H^?e{37p|wQ-$}JY_pr}E3W|kPeI#p7qm-uy7$%M$vFQr7v
zpn{`<iG|<EmU&eHEl{xDTmDU0u%|?bm;J4)&^knn!cHc(B3F*PX>Vx`UIa6@nUCoO
zM6dWQCjNtOL&A;PvxIhiPz9mM*o+yjoE5SvJe5_8?uq%9PfX#K^hVQN*UJvO6NWDG
zJbL#-?%wXajZO5bXR%_%H*tJyu{O7Pr|K=Od6ku_Vx~MHXZDdXVbKr+`AcoQ?Z-<e
z3swiXiA3skZMwWyNUvW`1WneX)>?DAZa5+k>I_~E2{U|FrTl6G=fvxy(YdKb#{d-a
zf#{Y$t?h>K1*UFT|D`AOOD(J0wdf?KmX+;ghn;dcxolMU?y}3xAK6<;^R-Z%XGdLY
z7g3$!zqYC8Z9lr%{Kj27Sf%gsrdyXE+DS)J&)VHPt5V<3io#`_N`w5xISRKMrzU-v
zQuO;nBD4xsf@gQKil*9%-2qavR`t_%<Qt>;*vHCVW^(gYFi(!^_02_s$p=BnDYrw6
zu0<Rv4Y)GUzbBZ23oeieae?b%;pskkETpO#zWXlF8)w}}n-<mojiWRe1XgwWWjh@`
z1m)8OvxV!f$#$-7@->-X_RV@B{>4>Z{aQiZgIhda%6J8YoRdANsOAV&y~m%aoVDk`
zDg&}nV>2#>A^as}G1#Jh+eP!MFg{m<(Csp3=JjBQM;iE{HuZXb3&m^ZIZ`=GsRH-X
zu}}NWxkF8!%;KZAWuKGq(N$2|Vf=7+_fTN*4V}Y)?B!LJZ+KF6bq=N3eeXjspWtFo
z{gAo{&ic(_X9^T6rEurVoXTYiyjG+9+Qj(TGbRDp4bWr!%Lfj(voCg#I=wKAz~yAf
zZpRFlq+9D9nz8-De(C}1_=noFm}=WUG)>}n?s~V|<&+lHSy?Z_ozMO#(tUFom&jTb
z%RyBS|1po7y?R1%ow1dPU3EK%C+6KAT2k768{qq`L+^NNUwLD<rTMkxCtK5ZtA(jY
zqo8gVqnE245SPyvMQ+vOlFLr7QC6JlOxvc~uX(%2=!Xx12SzQC!n#0B;+SPso0{un
zN=*&1@TpVp3xb7j@VI08{&=_SCLI9q7(Yav5usKJy%2Y@*N^#U<@^|(rXM%#-FjHh
z#my60tX2`&(3h0kclvR(PBm-8I=w3s%HaN{((CN#<sbUZ(}YYGy7moL&DL%OU5i2n
zOnnT!#rH>2x~&3UV~DuWE<T#wc~UgRQ%oChJywOcIvcxFvpcP{=yup^231<iC*`7K
zojP4Ri|2s8VM#s3I_sETB)K?omN^?M%9I1McIMsKl(}6ge&$%*p)Nnfq>$W|1ov*>
zO=!mG6INr(Gr2=cL)fm?hmzB9tAZ`9SfyDlW4rbN6_AE9XUDrF8SFrb^3WIKv8tgB
zm|Ym{30@T_c84sRRw_%#k-Z`-|09{*p}g_*n!~(|^$_{7T^-{g#xE!z4BPRDnQNuJ
zKie94B{)zbc@rYCe#$FG0q0ORW^_#swY^W9E@aB9d_bwtVMx9h?6BTOZ?TwI>z(Dx
zjBkMYa+%SOy#(xH@MW*D8@FpEA8%R>W%ttY033q_yTot8-9EiU=IgZB<F_p9Ar9!{
zwW0TN)^VonEaYjA>296=PU~F?smXjqO-6T8-_S5{?a9SGy77)14BG{7%_<I+kL_+H
zhVt<i)G7tUZM@GE@~+$+zB?q-?gm91l-jT>CBfTqIw`z)j{tVU^cjy6pD&umGe-)0
ziLc$+6iNn&C?N(Ak1sO3sXz1-N>FN%>XK8u`6Vw^gJ*35io`4*(2n92tUh-z8Nw}<
zs_Wz`wq#0|mogn;F80pq-&$~+?3GGh;FYuP(dvFGfw9+Lo$QN>*9b0_%9K>cFR1Ry
z^Y9dmqx3!QSU-e~dZzHzEsYIj&_0D4jVpfSHgPW9Ju<CIyem&?t~Rs%p>~zc(Mge{
zlu$-FxtuUG*7s|*`#HpR!siw-)o@(4)_q79j3C$)Q<Kinb<=;U!up9uMNz5&id`o-
z(0Zc#Fe@*f7@P73aZ6YM!V6RLDXZrS^GxP=0z%*dDsV~)<iVq|M@i`gbc4FGM3{j6
z91!kD^OE!VDKcuXx<j*p=el&lV79qURd5ykr4&$Y>6xl7inz7g)tk5GX&m>4C<+2y
z>Oa=;C#MNz#JZvR&spwmkBj)MN3jw&yx?LQK^M`q2Gh6!8GJvu2geO5h|hT=Ye~N+
z#S^nfkKv`4f*$z0q`RT=Jh+$HUJ8C-K^?Cj8W&G=f7*V-BW-D$`;J(fuBTmXL&ujc
z@2sWU?ZzNi;OH#<?&b7ssTA+UN+ZgbJ&7N#^N)sk!=%sIIJ-uE+IwY{D|QV;p3XWS
z`AylKbD-`_t7D%Nt`Xc|&4n^pIx~(}AfqOLc}S%b3$NEFT!_r|=pmdF5bTsF>Pbd$
zju~iV(U^0#nwLI#PeCmxqdpV~(^00U=d1GlW}I%MsKv{C$vQr2S<JUJ_&vmFvc)O+
z@LYIXr<;|SBbpAK*PG(7_Sm*+tm`W?dd3>4ASk_YhI)baED5~orC|H5z7RjF{`RD*
z6X=KC)q|yIh~QTUdg<}}w%^nR#IO;XhhX`4`mmE+@fLf>a){m^p`-0n938OAu4cSu
zCZg3Q;v4V`);J#k4qBikNAfB3_KG;`snML_wbI04o{3&xRb3Le&QiZS%6Y#T5H=@E
zz~jU`iw2wk@IHDILMgT?b(6at8sp~0sVPfY0&5w*pE|hO;)*%!zRU9>fL$i(+2RXC
zogcf@05%_wdJhJmYX6BL5{q_qd#Q;?JAukiNG=qwAm{Sx)1`hwd5ZB5#gXyYrvt7v
zp5b?xY8kMc*v=`rt>e!9wHBJusV}Rsi}Ew&NMJGPhKl4trZ<#cNvKsVktbkpqdb<w
zi(1$z-5TB1FUBfZFIR-SBJV-daS!SDTl6I`*$2z!`*crY`826PW#m2K$4ji^Ih53M
zitjwu-%;fwklQ@{8vofwtsMy4O)6K~Sfzslx2BgKuUY48yz_?4qMWhRA_A*3nT_3F
zKU_ZHn~-W}Qlb-h{zN$V_zWrr8*uPz@d~W_=z5#E788n@EG?3b$|f~soHWp>QXy-W
zn(_!NS_rX=45+*dTwQl2=`Xpbe1)khWN+?r_FskR(OaEpLvzWwIu~nXyV(|LgRa&Q
z&T&-kcosD<qZP(cZ4ZNj>V_&xP@zjgj{;(N2+hUzciLnfn*dt{d+_D?pMD(!^Om@$
zc{0n3i5OkiM#{ccOkGsN`-gVC+5qfK0WIRRH#VW0`KFTv3NLoJb<oSQ@q&QI_WIQ&
zrmi>N<5Ez37AS|<QlwpkDDm-5+|spOKyHZQ^77T}ZLHclSX;&ODu>xl)EU`)*R~>L
zGF#FddDz<!A4ESpLQM)e(xYMi629(So$9E|PYJEf^4r}5YL&)gw44WheWbYoq>VCT
z&l6bAkes_0B<L4V!Z#9=Uji-YiZC<`pI@!_RSkJJY4@=P?o~a7_kb7W`y~h&=v%9}
z(ROpS>19hUC$DrZ@uCVVjS#*Do0V_D3V%R6zVB-1R=4=8CI;>Hg{T72xud7I-}<jP
zyL($~pZ8`O0D!AiFF=x)ct`Z%^wJh#-Sm<~Q=HKF=Nr@a23E&%ISm#7bo5p=FU&*4
zK7*$_&AW$krq`m1*Qy#Y=Ru>5Vl{d#YVB@0R_DV_)LQXrBCv<y?G{6g<(oYQNHoC6
zi(v4gl7KSGn+o{zccNJ96=F}|Ch?3bX;oN`_-=M(1DXArLsgq(w{)caqsyjFm8$BF
zmY-aVrDD(SIK8sp-U?Zp`R<d<)D+y-eZ6bsT>6fJ(!}tEaVcHzQohDdV=3btkKPkm
zyG6B(&ZK20d(ZGvOGg$3J>A&(g7zn8u&$}==w90%HDlsJJ-8929rX#rOK<hgk%zY;
zINoQlsivR!=?yTvp1@#l=3!FRD{G)xxI`nm&RAW^q~Xv1A+OGW=$2cmTC$11eB5QV
zobR;G<QLtH)GrmEE&wH~mPhw&T&S&s`aqkJ<pDE$$@ReE(C%s=ht=Ql8{#JQ6Xv)r
ztsM}(s#5&uL;#~zJ5^@>X{-Ep?=1e>II9!@YItR)9L_Y=0-%_^FPHZvS&}Ncw#ip-
zvj>{Dh{bzoKY>TOF9bbHwCxavnnSS7B!se>m9gg3nB#SO)E&@6M8s!cvpxUlOZRl!
zP=-W&zpJ@Dot+N>PjJm<7r7Ilr2@lGxZe9P5ZYBitk`<oK&y`^eBF7iJ#oBpZQIii
zyQ}BuO<DGO#z_r#OGaF^m@vbD9usy8MF^Hq4?PD(6EgOp#2pCfz;Ec3Yro#ZNw3RB
zAE`7Gv>sgY>kKi@m`zDUS2sSfE$oV!D<01~cY9`CBe{4jjF9a3<D#|g91bk}qTbv9
zEY<E)q$z@~SK?A*iNaPXId;xVxh~pImg7%Ty&0x4o!&)b;$O|Jiz`|g4c4;bO>eI$
zt`l*KyEJvvv^Fs5Ta8TjBlEi*!=*nWd3Jn?q-G^Dm>bSF+!R2zHYF%sbI0dadA%~{
z!TDEXe9NsIVVql56+|h>^Wa6X=S1{YzMp|jvCYkt<Mk&EShKAgdZ`19M0VHp>nBY)
zwa4ETAEi@?6h(=g@}DdedQ+)0BSRf6q&TZ)WqmWcQrHp@f}Lt=zP$E|$_BfJA?W_y
zDIV}{Cb;59R$^R6EuFWK_y7^_2c_-^i8u{Shaa~^==HtUk#bJlSdAZ1yj<{#4`HR-
zS{sPv>ZHn#+c;9Gapi@p2g{>NH@lwHgll;IXw6(T%9XToBkc|-BaWE){&^n|nmOJq
z2r(8hCQgCxH#70hF}}{-<)llalBW43%F%?yv3r|BrXeXQwH^!SV!7lur?RChwC-W2
zTc*~V^Yl~rcW4*eJkqP)>%EO0&y`!^q+##pcdc%TC<^2&T2$hcWwlhF(pJ=I!@X2T
z^_7K7)zD#Vg7;u8N9kcL`6pGZdRMXR%Dzs1PtAm=gSK?MQE*O^^hlwtn?e&AohMEA
zd0IEFQfq483wEasMPi8kJS?A>b63WLUB6oH<ky+~WR>4SwcwkD>sGxF+&qWWHB&yi
z+?r;S7Q?NvO9Gg)UF0uTwVl>&$8SAtpuMLhMRBCO%3=KCs=t<Fr=djItV=li=xbQ7
zS4EKz3~x-0cPx^ae5PWvZc3ws@*$Gvl7-#><a7~wt@!s2skmbHdoXL|RTM26DaYHS
z<i?W~UiZY08?nRryAcQc)e7+dS-R_(!2M(>1`zaVtqv57hufK1<=3KU@4c$5Vbd%&
zZ|CS)=Jf3(w*<)w2alekZcp8z`Y~8~pG~#n%Q4ocZ((+)Ph@OOoSp-22i+XN&iHy+
z67QknuuYTUhu9TV-Nw}K3HJ-O*pj$SrKe8ee3W^bc+G+24w1@u1(zAl2c&AKjvr(3
z<?!bH!sO|a2qSlt%R1F|LXk@8Vv%HaCnM6easThG4aj0{5*^A3$uQ0#Crg)*60jeG
z#)M^X)f13nWZ$q4kwoEc@az<RAd!1O9Z<SpJ<hm7;NjM-KJR~@?d?aAMu(2)<-%@h
zYUc{2pR`I07>k@CI)f9oe-7Yz7aR3ziUs`^LH#c*Z3B7?k{P#cUmiYpvlt48w**&?
zQDAx@l{0*=P)irl`+KqWJ0$>f%El5s<C(i1=a|O5h2`Jx)4C>K<*d@F!}R1=C<f1c
z>58X0ecM&xLjh^SbwTZ*hMW8;l*t_0$OlU+Z}0R0F<)b8STVlDFhY%Sgx!9<0g&*c
z?;Ih7%Gy|P%YQ^3@S0<~efWIhS1f2>IfH~f!L`D-KU#dp#|e9g;g)xaA{`r3jRC=h
zzuFYY<6Z*7%prt4DtB1rlbRCA!96fV3kJUOm75NM8iF7E+A4ZGu`@UZzQB=S<&qSk
zRiuK$H##VAJNp-X0_tdsWCQnF4IbP?a>@Ow1U_<9@MCU1#6q%5++UBxtLx8q0`sJl
zr;w`64RJr3U=}D@huyV<N3t*EzTvKG8BO32LQr@#)W_#9G6wPmt~ijM3fVPCBb0i2
z+F&?IP~ZHdsdxlajrJ|o*U#6Quj7Ovm4279##^jR-C?5Nk71F~fRR*P`kRmlkCsLS
ziO#JiO)h2RNoA0{krrWPoC@<2RRN|$;l&%vq?n_$z)YaZ0g91L${8GbhPT+)m6b{U
zCJn$xTO}Z{ntEY=6%QVe2G@(tgTo-dNoLIZB5^$)l)qJs{5`}IE+ffc%}FRI=Kz%=
z8LMnSMix(uhoAW;nFf|wQ68%-F6&jNQ5F)KlQI2#xAKJ-30PPK2$wCk{ADWfb6&3@
zW!1CwuZnW`I$vQ$8PR;hfIqUBa_Fz)JH&BK<A4hQ8+ve*qe74zPg<M?!XjWTJS$H)
zhE*UA-y8noWjygYBG`e&yRn%nzc?5)^*k;FcdN`UinAb@0<xhA*d*W-uoYM&yx}+B
zumFP5tk;W=J}(LFQ~q>7v?yavlpvN4N9@0h|L5a@7aZY!yOHq;C;h<Ey-?DyWGKG$
zW4Orkk^WkHtM?~t&S9}U1v?#j^?*<eI2N$(gJTBKBqmYFnF?*k7|&#+OUC?ZTfp|9
zfrG9-kbIFI`HeiyuO-91@gb2ojSuYFKbk}U%j+g`X+MaDzQY95Bk-N_+J|Fuqn-rg
z?Y|W~m5CRmL1tc|pM#O#T=Ej#F8}s`MOkDytFRI6*ln2#9oNDuC8orf#K9Fu0Ul5A
zI(*doFc^_I@`&;RI(_^6q5tFnY?phA!Jj-A1}~KO;T(}ygaiVKmydjL`_CS4|6Kjt
zk>o4zQTA_34N`pGVX9#0Q*>_$ibkd}|L?<ma4->rGlPduVeArhzvprtaRr`29shc(
ze%S%CkD{_*(BClw{VZgYVNq8|2ac#OhW~AZ|HJSOj0kymZm>0FQp*J4s)|&^gx^wG
zERxl~-<UF%S>kp{{>yt{U_B$Pf6uMF*sOTqn!pT^KaYWhrUx%ZV)^SE{;ie$&qtT9
z9}1I3){F^RGuD6M0RO+cX8+3B{#>Sg6Q^N-oi_FQD8a*k2Jf?pd-pK=#^=9jZvVrx
z{$^ugQDCU)k9icSe;N55qJQHUep{|!64>b?(P7$X64NLz(H*QZuZVkwe{%>CD-=Q?
zh`4g2<b6cq?+?q$1A5YOg*+{Yb8er3n0GX~;s~D(_Zixg2haBn6X41gOr~&J<V^i$
zV$zS{snrt}g5@70cbo@ikEmSL#eZ=D{Py7#M)3J&F9}+1r|a~AnjZU_CBzIekFV%9
z+yj^r#_xoq)J+oK6DD860{Yw(Rn~{c-naI-U%#v@p&WUv9xl<X-@X?4u|RJBtY<#p
zocoQDbKy};3Bt&MI=DY0jIbtoJkkIo4kRGNC_?xfATMDNcQk4as?e{1j>YG4I4p|=
zGaT+HObQjX7tEVK+o$1BM!{OjhVoecu^J|7NEj8>B)h)o0m@?2AXSfsB26MxXn3Dg
zJj3opB3MA@9%FYxP$?M%>={`uSuQm?MO?V+zupPozaoAuZ?X(H?@OlNQ3uiR&v*2S
zkVM{XBMaUQ@rgVQH=(_v!{;RKt2l*sEc+3|ug#SX#b}o{MZaP{ILp8MFna)On(UI=
zOyrsrl?(lY!Ihv&Nu(RGlhhu{@i~(lz=F&SS5cRV)OIzEZC;*emH?J<3n+i)(mmx9
zClX#ys9GPwN06zhzREW+MP-DHs1pjH%Fu9;O?7|UCcAtrYO1p^RRP-0yeIgmXG5f@
z(z8ptWHWPKXCS&SLcpz>>M1Wo$SJTQ*$KkquJxc$!M!{OGSS}|qb*+QKjmj!zQD88
z0HYD0>)XCf&3F=cEx5UB)9sumcGic3xIySk2sDER_b8oulu#Kk$>7AU2$V}#K!|1v
zs87v608_fL2NB+hu1ihO4SDK=@B47EgbpFqGnLm%Pvyx*@@5}wVlV*$$?C^VF#NIN
zvWN>rXPsCY?e!jm{zx)cljE(cAmH<$ABZ2{fW2^L*RdCMVrl8^<_b^?uR#-kXl*A5
zfSQ7^an~Img7<rej~v7C&e936%r0(2Bch<Y#nR^a7t?Do%`{<p_o_Mw<gNfZ=NAcT
z8Ly%i=qK$w+^LeL$%R~(HFv(8G+_UzuIjMIKGFx`zv>qGwcdPhdL6rc7hcB!+ejX`
zJ})CcAOzt!4OT+ZEk7P(_ml%9OK8s4LH-gs3H&DfvvWX@dvOAHl;x4=1-Cr!*YRez
z?}W2hkpZLgrvsw{!~R@<rCI(DlQ}7k7@Z9B*q1kzcch+Dq~nq@B48c95T)=v=lXP4
zU=5j0d`lcGrXPCsh5JN72WHANyyj97aHyw2fxQicx=vx~;8)AA-xftS-zU$sFfvQX
zjr|@>Jdu=R%fIqcc)ZQ&9rh`#Ank6uCZW{q(msKfHQ;h!De<EWW@Rj{w}DV5R#OM4
zK`}kbhwR2~zNeV)9<cHzfG~Ok*puGUmd$NvSJoGXeUAQkNN%M{XHci#5B-amjJ}?R
z$JI~=L9WoViJI8Q5o(X(+KpMfEah5x{R97D@Bog?nHT3?9~|`qPlLG+NHEvlb3s%a
zxIuxh-TD3N%zRH1B}eFsNL))HHemNq?<hj-QY^~?^j~lmqFZdSTR;-h1hjK=_?HnT
z8RX>YFptIT3w!Ccmhm!Sx7jKXyz-K?Ak=^^4bGz>E#jGHR8?ocCHmw5trsenK-N)*
zX3QGe)u+86YB%~C$b7Q`62QR>0O6KT17~LLHlV8eorekduPv}-X1#=5<|s;d7r~B|
zDZ(<(BPA$2a&fa>uUlqmrZ~U+x7V@bfI&%wO5Wb@n*H0Y-#m@v2#m=coO7!k6$>B9
zeG=AT1CInLYA{0$GXgX}TqsFUXW1Wt<{jOIL{-u3>t#iySv7~cYu4T#CSsEg78(hb
z5Et&!43NMdZ;RaWKp3!4rf#jU2l*OPXpSIC^e+XrnSetjXzI|G=G2IFleYDh?QE^J
zk4EZH**0}`mmuB4Qn?be`knNOGgM#4OrqP&Rk;JHrS@r9urJ>(BHsVvc(~HR2|n<9
zzmo9<J%`3Nh#(ownrR)`_t!14LSk9K&#dk#r31`Rx&%#xLnbj2Z4Q^fVu#E<b~|6;
z6o84`uJ4XA2VpNs90sTj0!uLac5uU--S+*Qb&B?l_Uc{kk+<B`ZvC5Mk3fITik34A
zTLplVtyZI4wV-}bYasbq?!dXV4W0<0suQ`mA(FZXvzgX9TgdRXx@pRlC8@;E`;nv_
z=3iOGe-zMFiC0&2n}1Jqk7aUzMn-jA-;?4EgelX(uYupUk?1^3T-iX2bgm)|o-LB6
zw2~1tALr#*vuZq)5gX^C0(c0yW@7SIogLgc#)IDz2`vZ1NN($5>waydC%K+>3!1MG
zl3F_=NwN5OENZFCW2u3cR&zldpZ!GN=B)L7^2<hA@ilaU6pKKxj6<6xzOW@eXHOK7
zM5LBZ`d?j`@H!foK;blXv1X;KW);$b47z#&>nZ5<%mt|$Q&7Ysq7#@*4!z_&KQOSs
zZ`D&auRcR7sQdl_%~V$mZ%GSPK~DRI7H^kH(zlOArr(Q@4gqk!gT{{;B5=yJ$*1kC
z6x8usfU4<|)-+@q&131Ux`Xr%ylcG|%exBGoCpkGJI&=BrE;cmCXELdL)%hVXSxO4
z%$f@&orT6nbvxz+FBeW1X@PxAeNVma+*EEzd9l;Z%P>+j(e3;jI!o6k-B$aDEeD~M
z=odQ3$-hM3xQgWDe;+VW8g?X`3E@}<XR613q$}o45s-x6EiC~@i6FO=yoFzxx7Yp#
zrDKOK+y&7^AXfA6?pxHISf{oK)_Ov+OVY+MHV@&+L?}VPrVBLPJ~P&r08I4gJxYPI
zVqTp8)DMx}g`oK;cA0qSDD)$9+*PqF11743d*g~LOx5+<1R@Gt<226oU3xYhLo;x-
zQ;Q#`21#gJRg?BX;<`qe>EPOY`B;Hl;Hfkl_R94vW#t|k$zDV1FGFKow<xnNa%<V6
z4!lVi00v?E`Qtw>PY4_lPG~y#O=<!Av__EY3MOhbQnCe~`5GLbPu&<?pXtyvSx@Uk
zsoXyJ#1eIu@@z+3BI+s}QgUslxDF~ISFE5Wq(%WyCT9SR`SFg#`*lyw+>j^*J+eh-
z&`Lk4Er&J^NPs}jeqy?g`o3nWF#eZS6rw&P;Xd{T2JKD4Im|I#s#t3Lo}L<)0X%TN
z2UKxf#!r#fI~wBgDBmgIc$>rZleP4^h6<*Q?QGUi?<T;FlU$^1@=6ma_l!=-rL^N`
z%Er@fLfLVDOGWJv0FOWIJL5mz8^bF?47o8~*jB%6K}+H3%Y3tErp{OAR|3yoEbHsa
zP|RhQf|*-g&}HcI^z)$0Y&n_VEc;3CjwEiBKfuG)5O8JTo{H&LK?`s31(X5j{JytS
zUJcbLbA(M<&;AA|KWTR3jb4)OC_iVO`)+6TI~fs2xtbO*EtKUy{88!PQY*56z@~U+
z!_fZVH@~d$vkZj(G4^&-jZ=|paO?#htjp^)cA7Qwp$tMPZloI`imC%4G31No%3HG4
z&yLqmQC;JCjgIiXW$L0#e(=WZK5%KW>r<V<KKRYAP<0GpMv|;#dARJs@<SxR$?($P
zx~kivky>ypw|PWKpQ|~{T{Nb>x%`Xp%0MRK%MvZBvUbN#(f5{}V(MRk2um#dk#J#&
z<)75|U!g3-;-e%;#m6dR@XHp2MyG6BAiRvAtu{wB=;ukzzYO5W0PS39pk03%IzM42
zgq5L76k#@`dyC~+%i)7flsgM2RW3^YBjz6`RSP+(3uC`90|G>9M2GBu1wqd+|MBw5
zq@uy>+)5u3!XBZIVd3rj`HKH4GlD;T9MG^6S3Sv1KDoU6t0N5VzJHO;CBRIjc!q}C
zbIyh9l6=sgv!a(IjB|+z&@0=`|Mbz*?ueBPCK@dS+(m6^PSsv@CpJ+)@XO`DbvD4E
z{S({!&A9$b?dl@e_L0F3pML`e{pKJ4LR(S~9X?_LQhUtB(p<379EYqD7<7pK(^o)N
zzxl}2@UOj_dH2s&9q`gcqR6>;D`P1A+oK~tDxU?rMVVYSxN#P`)zacIc)vZ%J@$7)
z7W|V8KQPBuuJ$JfHN68<N(YA*5oL0CWnokZ+POlNFh%5|a<klxi5Tnf|C?K05_0Nu
zkW-&Wa_UC>{|0LEhf}8nIDjsK1H_#AzhP7i%rj>dcN5Idc#HiE0~4O@`)k2pNY%dw
ztq(3c#3p~@T>huS{?kAH*Rm(HK;kSXe*$3JmjIl+#{uAkpYy+2@N<ySUIBp2_c#D#
zw%Y%Vktjj9`~Tk~x(~QOgWOqJF5+`f5bIj<{=eb(-;TyFkO*MuD`7@7il>niF^>KJ
z8>>>}#`1``q|^GOq|eJX@MiB))5IT{!6je74Q@=FyvwH3hwmw=gcIfkH46Tl|II%A
zbubQtKl(R7^IztHfys=N_3@YQEt$UcJOn*6cVyYYsnP_?A+E9g@V~O~zrN*{krjDu
zt}n*zhbnG)pUgd%ZiOCKK6K!`*@Kb0?5^?|l7rv;{Jd8f4g@mT0CW7m17>O^QWf+!
zMT|vXH!GHwr7<~z*>DAU_jfh_;kED!<jW<gs%ZMV%}zs-5}FoF({Ckvklw&l@-{ls
z$dp|k-7-B$a`WoRTM`K*P*}NB^B=)V;bH@TD~Bhr;uJ7=K2P=s6l`~(87+5PW~VQ>
zD~EhVAk*8TPAgf0N?ttfBJm@foA05Jr1|zg`tk$J3RkBO4o;LsRJt^R%(0SO6N>e|
zwO{-B6=4T6La_p!EU)p`#{c{u>L?_y9V>*qHk2xaQHWxP4Xv*3?)IrKk<u||c0G1W
zRxXEr*3q>0T~D)w*>|NW*DCwH<7h!5*?te&?2_yvM<>(FP;()JH(Jb<_p+D!hS3G)
zveT<!9(LlocVmJaKZKxJG-Tv*St=a^mg7^CM+N1eZ%I8<!xD0=1&j6j=#F>jNYa$i
zwve%Fp{r#qWY;aYM8c`ID~qljHEj=|_hV}WtZReGbXg5;oGVS~7{W7mijsdve{xa`
zE!A{&FZZCqsd<lxnpJ*Jv1^6I^aZzBcl2(^^8AJ4Z?uk_`sj%cmqQS)ayk~Brmtpj
zfs&oSBf3GBX!KVW5_|zu^SY76`w5OetQ-%y`OpRcb-8b|qbvQcQWiZj+nRqdu_i_b
z<ccS|C8DMw7et7%baY&}(wq1`4b4D**Ir|oN{6U=sbA5Kr*!a&c|QA_h)XN66Cwdc
zsPmy+F_Y->Y;!rz@7n73TqZ-uliF9yWxD1g7c}#{muqGw97^X3X5UEfRbB0}ODp=M
zRJ_9XwV=|?iBGQU$Jf`OW2TCq$*IlkFu_9U9A7k`hfd9v=CwN2IxAeHEg!Z0vS|Jp
zT8v0K)0#=hCTjUBKbqszRc{*$PEAH3TTM$hnY!!c2V{ouT&Fx1Y7Mjf?iRSRY2F}!
z*N>iNyT8`v=Z)3?s5no`nR8=bw%7&b<^sbu6@nvlIHxA2Yf|12J;jp4k1U}FjUEK*
zdYLjk?HX4!k48s3$vOQvg<FO42vyIadDD;%+_5WCU2>}*XX!31Co`kP<)i`1%6>ES
zF=W2e=Jw?9crtlOz=PI)A?@xdg6hBr6T^&>+L^yKOi&db?IC>(XcwDS=`DIJr|PSl
zE4t|I?6YE<V>ux-?#s@TOYO<D<Zb?KHUaI{bncg~3XHLvmKTRUjk66`K>8>q^;vH3
z%?HaXv}K(~UelN4E*7TL*|*TUWO01J^`gd-r1c-J9vX__uoxvh=bW?d<!s=+pUsr@
zhAhB;nwo8e0_9LeE9Ut2p7I-=%LZCj+TJtqsdD(7CtKIP2cdP~1QdrVZ1eFaXo{^a
z^DAfing>-*W0(%bqC@mk95veT3M%8nReA+jjIG-PR6>pJon6^eR<|ghn0uFb#ZZ%n
zDpyj&?|jLc1+o5II7;)9Ykyz91aHL5tlLbt!`A%+vj1aoE}i_i<xz4pE;SswvklML
z2&_)w)>iL1E#}`SSj0V1c$D@2&Cy9(ZwuR;h1aqkSPamHYQ}UIfMnm`d7OgQDw5Op
zQMh-7Ueu~3HT~f(SP&3Nc1dw2(#g%H%2l8KqQ{OEy<*ohoPu&FU|*B)w#bxB5pmZ(
z^+595o<ijAWjg)@)!^*wU+qoq_~G<9m9=cVl?Gzg(2Z2dmv$C=WHdr6w@v5B&o;H$
zL`u;<9^TVx9R6G!=ql%?b$jdchd0S@R)fS(mUh3i>b$P~=(3%g2wnE;z)NG8rUv&-
z*S;k66t0%Ir&)&uIR)s42E{%LzmA;p4LVkLqT>dkT!vad6%c98zIE{l$MBjVxwB{F
z^kahmk0U+?WtV95u@jr4y}C}6QO@sYm5$ERLbnTHr{H4PN9;~jia@*i*H0f}b*8Ai
z5Ztr4fz|1->Tg><)>X#(a{m2RKZ8RTFNwh^RTC?sp4`4?96GnvGo$V2ebB|#kHv{J
z%Crn7(>?+x?aa7u@mtr4v~x$Z*&F%I#a3^Vw~4$%*wid>tBLjtQ%X<!YT_fTdc-!H
zOeT{*p`Wp)6!Dobo<#V3HwA7b2GZ0s#-DEc6&jtzjNw(qC9dZ<v})}*{xt3Y2mBR+
znph#ZT7zh!PT%Y&m)QuVzE*uE8M!QChn7JHN+aHW2_BKl))XbB{8*iv;@BdNFE6d0
zog~V=de&6JJFCvQVJzg^=2j#yzQ}hKy2i)49v9F|U(O?B-fomY&$`KdDT>^zq8bg3
zU4C@Q!pXGP{bfZ#Igg$HrLE|5n#<=m8xObu`PjM|F-dJe3^w>dQNqlAJc^kMp{u`m
zbECPnhGk><pe}d(P$PL37LGwA#uo1zJE^8W&fq29{WF;G4bC7!ZN1SoK%8F3UK~py
zq)6tjq9wNaj1bK`Czsmr45faVWvfF5?w62LCh<1S=HNh(ey(ZB+}Ogfn`T66?dBI8
zY6D;Lz{SI%ert2?+GNoS@J3%Xf&*)gXmrGGKDD2a2EJqQF_5ISo&f@EF2QdE*tW6Q
z6}S5vJS3);5QT7Pu)6jqK4*9A)<*cXOrQCuSHE`m<VQ#XI@D2cRj0!Q65WHmgZTJB
z#XDI~QAgao`-Or|%M|~pAbN`0L82^gdIWE0QP@G5o~kRR$$p_Egm=Qc^lEOWM2pLf
z+g&$b&z+xajfO_zC+`nkr#dwnTMVrJ>qO7uE=#Cei<pKcoee3}^qx_kP0m($hO(p+
za!MT0EEC+LbA>sTL~4FCt6MyNl)|R|m-aA=Ny9noJ(j%eWws`ERB;?t$ARIQ_^6am
z!4_u%7@n7{ONHd8Y#lA#`{lzMb#hksH1l~<M#Z?85p?s_w-kR%@8H@`sSh1~3U7Hm
z!Wbt|!Gxlt=T7w9A0DfpICRzg|G=cvND%9kx4)p%r$ffFGyV0PR7S&)L6a_eJvwEf
zRN8!wnevjj?diVgH&+1!BkbRbCQX4ZXtpO*{5-BZ0gsVZP|k0SM`gDNIfD=kY|vAL
z>;}G5QXe`_B4tBEGM8T}d-g-nbUcP1t;e*7=^L(O%3bwRkd@?i3Uw9I+}bQ0mq}6x
zSLxxyGu*DBnEdpe?gC%CBL%%>ua5eicdv8nW-T|5ng-D_v*Sg{ghPesd@G@fqCQT+
zCnlet?;3o>i_HWhh8L}hTXe{4k@(JDgdc11K~KZ4gP4YJKbRYA^L6^5%O+~^Ws#~z
zy1ZXkqsLBMQ9T;1#~&BV#VEHI%TYXgX-<saAXn)2uwqq;_<7^k_EyvCi5)xn>)o%C
zik3MsEz-MW)tj7jWa6u-Tsk=V`N^CB?y?h}s;!?sZSI0};j#x^8Kx5twv18I^#0#=
zq_;e2{14wA6^;0IuHaVAxx(s*oPM4&$v)J<F-<(HJ@Sq>mm)V;<tDvHryn|5?P@ps
zD3b#0#m4PNzw(X+m*GM9NEo7{Jwh@-@x}GuT6MwZ=uRqiGBYQGPti50N$--*;|6=Y
za<8q-P1}r>R406>!`h}IEV9BrQ+Z|mcsE8vkU7%w3uO6+Vg28)p-7<9SG~vaS*hDf
z&UDL**~?O#>ql<o{ZpDZr|tz8xl}XW{Fr$1dIH(%opeSouw0pfoS&*qo-|*`JVo1Z
z=gZ?)&Lr>sxk~%W6f+w?lO@r^z`OetdBod7H|xkgGly&bgzTa&LS{QhhbZpiL}t(`
z8ez`#Up)NE^^b6h{W-GYp<jN%LBs|?F(5Vwr5ovq+t+RV4`21||MmGpSZZxh_E+$1
z+R197**R#l`jrxVyNA@}^_qVFG@lNG)BzQfroP|^O|S#zy&uNzM<zx7yfA@b8cpK%
zPX-JNzc{45;Tnse)Izuyr6X7391|FrpJHcXvE8~VJRWEkZS%4F8BX4P4Yb8Y)E~<+
ziC~tGd4DlIe#s%x7}y*v?NLUNw9j&@P<IEo*g7E(U|58nsD8%_Tb&~O1(&f|dP;=s
zrJSUv0<s`9A%C+3hIzf7E$PO51H)%7H(xlB!3Ht~x7zM~BgZ*`bR>wIC>>z+e?gqK
z2-Z_XRkjg<WWxs=%u9~1?@JRMgA9c&?y>#S%8v|mY9SPy39fkdBrN8F{=*1u*U2lD
zv)@yLa;i3`t{B>3&n8oqJ!W~OXomEQ6L1rVC5&KoR5M7)`u<^5&{qzIaHHYZR{UZN
zLLbM^zscRMN$2J>)&-&oiJ*DG<HB%;c>_qxM?<(#^0T=2V0OTRzEUVsF~!^!Z;*x_
z1TBY2G(&Seu>q-W#)LS$^YZdHew?oe^?{A}k7Xx57Xg1ge+2LH(`ajK%p^W6*=s<|
zqd1oZ*OjO)1GK7<2cF?#q$q+>PM>w%E&DyTvQZiq`2yiP(2-H#xdru26PT)F_We~L
zPqzgZ&<<>n`o7s`Ms{P}Wso3+0%vauGEe!@%j%5=YkRZ|lPOHv$w_aD%SMKKP~Dps
zgCR6B(G~?V^8>wxky=I2qJBb?LwEqlZ*2n8S){v&bk_<}xI2@3W*h2k-)~$ON&!0)
zUbcqjFZ5%kxHO<rWW2I)_nrZDf@~0OXAV<?4v&?f``dK$+w(O<60ry)pbDDQ&-X#c
z=rp1no^D+qOzR48d-24}fQKb)Peqo$!R=YOGExG154q=W=a*+MHHnCPeQXIVkTz%}
zBLB=t(5%^!Vd|2?UsqDWZ+Hbrm^&H=ywLv%O#Kh`lI&Ar04|ZD#}o`F;Jec#w01L9
zA=Vx`%Y65cnnnf?f4IZdE*BG<TqqGPyklx}$&|l6A8PDJFYxro1gz-nZQh<}+S^?d
zQM**)sTL1Ywe-b2uc>pCK7}q;WRNK_cfZSctZR4WkJr;JZ=B}lwX0|ZZH7M36nz{j
z@f`sf4Q!?M+;-#po8RLx-E#XSh=gvI_Snjui(q|LSBErgzlOH__tlL%)2q{kunXEr
zR|CyLHatUf7Y!Krt?7raFeAECmkn5LR3=FO@D3Kl^+hz%1Rs<*n_$v7h>AHb6386`
z0%*MF8cm{MsLi;M{zU~2-@Iortw>3J2l~2jkE&u69i4!3ALVZ8x+~O|TW=Z-wqRyt
zL#w&~^ip%%j!1)8j6j8vbt{lpF5zU!d>+MnjMCPEVGFYt%mai}X3x9^x$Xz;nqyE>
z#;3}J+Bs3Knl#k~y({xH^2!{MjTKm(`awb}h&Drma}fX7X{6XLh7pLo@pnAdEJdl{
z*vl@q#IHm)MnV;5;Aw8bWZC5!A`z^nK7`0)#0L6*Mkd2>{)lpgV9<`(y+$CSD0J(u
zgHlcgo%Z!;9`=!%UeFwoh(%ekqXpQO5P_@Vm6_ol4jyYHUZ+Lk^_-A`|26Kb&!Xw>
z8Q51ZKOdhQFQ-Q9(26j(I^Pc*EZUQBA+=db@&GTw`04o)*6gBZGn8gqz?48-lW#Rt
ze4K<p17~nfb;OR6uy<MjX}Bg<=y+-J%ob${I!Heh`+<T*J8n@t`cTo)S;z1AQz0dI
z)TYeJYwX&MQQUIKT#uOxt{~Ax&k`w@3aM>l3_q>rU5oO;XiD*Qs3754Z>&*+UWx!z
z_Ic}GX4baB*dX5mkA|W2*#RG-wmjXM_x&&m&Okm#eS8tdoS9I90%?vzr)JO)XbEY>
z3OW(mq1=W9vX)><zzK1>Zu0iAjr?y<8={fW5eEq!&68&uDTV%dab-O4^hM!woHTiH
z!hkiHPAh{Lvu7kL`0;Zo-sedcUz^{09rlsB@Gwu=pZh$N#G|$|Q3Cqbs^dPDK--WY
zMIB`)=@PJ?P^9Y<kjiQzUr|HbHu{;-wi$6kTlR&HJwXcich*_Zan;xwmZTA5`<eM2
zSG)TLsQ;3Lf5}b*8RZ?@Jqw_DMN@%RM^p_Pk48+%%H($`pc6R2JC=I*36`A7Vizg8
z>#kqoRA5&(=34IodPLm!6oBLt6^w>PB{O1YJDq^;l2VKQDt8AEaxn+pM7CO6(*=il
z{*Iy4=Z8w}K*Y%IY<q_6kHd8lsiAS*$+#Yg!OQ=BRO_1gSJ1mc3q9nQZ6sIuq&n*A
z%42_pjd*iM)w4L*BqWbkPQ4MvlrMk;t2@uV_4#18*1<<jmzS<p!WC+F((Xqq;^8Xd
ziZnH4AnRLdwF3H0V#l1vnjj*n#62ruu>e9$XLf^xwCwEa#~jb!{#sn`4)d7WE42Eb
zQ>u5A+kt=r@Bz$`{)W0%CdecjcsINIcU6Xqqlrx5mVQ)#TY@znh!uPe(+iK`?QZtB
z$BBP}krze5%nyfNITcDez$jy@(s1h;zZu8kr*6Zi$W=7V5Nm7?tgUQZ2f<uAgaSmo
z$kTXhs=y}g&fY9V5o(8GXboB|u4(4L0AgCrTwj@SiCCz1PtShTu&zAWSE}~GAx+OM
z9pMTMa#PQ(#ujqR@cXGe&4xWaYYg-U@eBCh8c&krH=yp%zA(3=vcRu}F(Wmnb$~6#
z-S=VjvZJuJTNO|tO9snWbIQ&-=kXZGz;Fz@>(9^A-W=YzbacGE64(i5T~2WWh$LDd
zr#}nlJN}Z-r!Z=oE`hh?5^}ev`XkpXguusAW&4u08CWtKcQd-Zjv_qHG~L|b=`&K_
zTf<qlH9xxW+xiO1fev2UI^q<FU6~Xltd0!XIyY94ju0QN22o|hgrtY<de_m(qqdbo
z>}CiNO6+DYtkbAsbqUneAC@3h;Q4Av)zWs5!w@Jpn$4dc4h{Q4aIyzxQI^D{@-)^=
zRTS4z*gcuyCtv$+_z~C!6%fg&jkh}VwZpVYuH|y@#<qfpMwq;`;hOG9eF&}J9E=4O
zkLBUonbz5h>X2wF*K1cd&%T>g+b8&=jLx~{DH*pcqBoK&h_%8Hsfk{HnYKt0!<%vM
z(E06aq=3k{ZcbeO!^(}IQKUO--L#?wt4v1O>}5)B5I>91cjfj+YktWOKJ}|L1?E<P
z7~iLtnGJ)^?61b6gl^BiGb<c07F$4kvx@<F0Z5pcfbfj0W}|l6bXK8)e8<qXtG*3d
z_t6?i-9?oSD^_zEHy+Ea)eR4g_+n|Sjlik_1q7YY*iDV4r~$GA?RrFDTs=*VhlHHx
z@5DmrLeMrz+}Icy-6G)#VgoR)=?B*CE3-ZDgeT7UTRjth;b+CtoFG$Qd7OdZ;WM<!
z#BOt|yrJ0u6Ej&4BlGKqD7ye7D<9=_9N(9?pA?ne?=7gMy2s2dP`2^A#oM*@jTch~
zQB9i9R<?O~w6#@k^{Q(Cnd8<SR$~HB?v7Q$Yz^p2m5V#!(&sJ0yLb=t?p7jd;69!2
z>wCwj4q*|CVjTRZJ{_P;g^kI}CWo|bkFb+%ucRr>zY^04i40tQ`E`6K+djnzrX&vq
zLL(0osKm40RbGtvNbSBH(&?`%ahrg;(z<#|hAbEuZ4zD3NLKyOQjp-v9%u^H1E=I>
z!XCL*nb<=@N;8%BQ#KIdJ@#O2!`H3+xaqF8QwdujlH%C60Vgpq_k8Qg6lAicm(7Gb
zqJ1j*Hl4tp4H1-^fq?4O&KctvU6m7=wI2h?8=8cn1&|+tu;KPCaJgUk9K!RhXk(l?
zVSwDJ9c?QZpLlIc*nRW4rQb?Nfnh)xr%vCtdJ{Q}+}qxC?fV?gDtY??62xKWr0c)9
zWcsWeCG`n&yIiT@I6Lv(Tb|?Xt)I_x{Ju`2Z`}`Js;!xSz_~#@z#xOC%5NqcXp0pu
zUW!$)s`}N~Ez@3o7sQ_n^lI@6NlIY26gp2=0-CtLazqwbrZP>HUgxHOnV1>4(kpI7
zpX$aMq763|M_*-o9EF)=T?;fk`Pr6&-EQFM-{1;4+}n(8gBK03Iyp1`E%;WcVcU7l
zIVTtcxMas~m(y38Gu2yS8Qoc;TD_(5JZbLfS=U3mJ&#Ou%d;zpVV_4OUzE%I_W0sV
zcgj0;CVsG*9cBy;RF_=Z_Hh0*xr>!>wWZ$u(AM#b@w3?`k1;SWz_;9Cq#@Qm6xToB
z_B4df69W^6=HNf&D4O5~2kZ$E#Y5W9us**C2~bLUl6S;a$;_bXad_oP_T!?Sq7nR_
zq8-?(wB)OJ7d?J^1Y%JdCqR123sc9B;SfJHz~CN`Q%>>}<GRbQ&C`{1@B~-|Uk_ou
z=XhJaR--NUG3fU{k29j+Dazxtx*T%|{{HV@fT`wobFA<m53t@Zt(!|TEcKV6BPMUl
zBuW!4=;qq!i7_aBMDcJHJvZLzONS$e4U>demOA@bj<GvUtO?beSNwR|43+}NVdM0@
zIQ;qQko_a{_e#J|o<v{|)Xp(eaTuKZy_qtLkJ65F+v>dacmT%0s(#i}^qQv#?{i$7
z2e&=Pc`J(bNB;3~(Hv|X13Rrln?yG~Bk8?tjYjlZ&e3IgX@`+@+UXfuOUhvp(**bO
zA5{%%Tq0IDq*DK|(CP`<!Li*xz<0#}g79TI|L`pqjud9n*ACw_rH>|u-<;<ppJjg0
zw5n2c1p^*(3<Fd5)Ik5%zg!PanTwue^9<=qZxhaxQFvwTuZMpG4vi?y7Yb3D8O&|#
z<h<L#3x8MyDOg0TkdU#c=Uw{4X@_*4kzpT;^7^t+&`cG+Ve#uN3<+t79S`kRQvWNH
zn1A;B7bwxW-OQTVx5)#GxL<_&SD*i<Ntqc0`Tx@**VjBcSnJo1|K|E)-x3~Y4uA7w
zvhxru(^3Do#NMQEw(mx~cum6nIn3g2d&<?-2-QxFW~k}l7`!-)^FYh<WWm2&$N$x?
z{;`g3A~Poqw*P4iKj7=_jITGHL43<^hDir%DwZ92iJ(StYL)35JjSASg6-&MGz|KD
zA>d%vr-1>d4GS^$%+te?KaJh%JbqrK`SZ-Wj^n_AK@31L84G8thm(mLPb%>0QwnC_
z-rv2S$4`~mI1YNR&#N70I%qeWTt}vJxg7c-g}e9>0SQc=*j?tH?9)9I+q5~Jxy%2>
z3j=eIWZ-_?!%XcbP!j&_7P%_}mY8C89@URoLBAmXd;woE=?Ur94^OgAQZVMxRE9>6
zWxjUqLt};JCv`95bl}f#ckM6hZ(kyskbvRE#&uR1zQd+ErsWY?Ip-Y_aX8rF@ezDm
z&BL1QSkIesZar9_xx@K3qV}hK|Na;>!G?raR6QeOew>OV^G&*Hp=NQLX{<0dv|oj9
z>*UD2NccR*EuVav;3$kHYcuVltN(Bh#2w6U@zjhYlChj+hCKMwmH5oA(3t<9-@s~c
zW9cRLZ~hV4Q!h3<nwOXrBlgvKE$1k>&juG~k}h>NezInb*}=1|lEeIJ9GUS>l~`IH
zyaG3;`ajPT4srd(qi0#(%8{($%LS%|Y+<g_83=c4Y?wYSq!wy)koVk}QI|YTgt>~D
z6<l2U61t}T^3L#+sMw(rHlwRoWRWF^3?);dTf?4_s=rrKy7-;MSj07EItpW{v)KPU
z71j*4v&T=L|NA!}hy76=2B%C9CkJ9I9R(dZ3SW%{nX0qzuCmr|aNu5X6`mswQRXn^
zLScEIyyI(;7pF<^4_l~b0%tXLqj+gRn{MYB*V&b%t3OUXgK&ad?|*-j%hkW{B${ME
zWbs-+U?^M|6mVe-rjaHUofu$v%y5%1S}BQQNW)P+kS)=kRyAGuqTUCb=99G)FG%0=
z+m&eYZ()8NpNalXhbe|TPo0g;@X6tK^TP1jM%-0(l+@-^mrs)(F6qBHY!P;w)ug)e
z9NhEqTA4V*VsEt}2<Sr&?!oQ1{}VQN?H9*GNZ@(4Mw71&rXBD9FL!w61Xw8#vPJaB
z7J-#w6*xM;((rFs`WEVlH9E<_CM$EF#>Y&@%`>$5pH{kW<#20&l}G%W&(Cka8k02t
z{fL131BW1b1sgGO-GdbnYZ?dE><qemRjFmLm@`X$sM!C_!=2ub>SHgP5@K&uj@x%-
z-U$9N-JTl>gln130z*Rpq^=oD#|%FbJw0AXXMgOlR}6lhIL|o49gN==Z6w{Zii>TN
zQaA49gC8ZG1$_1l`fqD-=bwGw*%13>;m2%+Vce?5EBR;@lW~ZVp5b#=C~}kyV3O8P
zHYZ6Dxr~HJea$_^u1*j5-{W|AP}Oo^sSoXKL&wM$hzpe_im$^AL6@-?#{QL)&=m9;
za5Hk%_|^CM5n=+VT}}eC@Z_9dBG^Mw?CSMLsqfw4SOB={a}>Av*IXiyt8}Kc%+*P{
zN}yKhT71d8?HW+`3-zu~cjPC1jp6@Z#LPBQIveWv;y6zCy~Zb)w<T#}FfUgRW|1fT
z(}QTjo$Zi__k{L55+PlEk&h1%Qu7f<T{DC0XOdgX$KzOm|IS&m1mlmTVWg(j_c72_
zi~u<5>$dCQdtY>s>5Zjn$cH4LP(WPW2#69}?;9u1#n-7Zw*JT%<=Rz5Tj~=a%!jAH
zYxA{TlpepirI6}A+f{4`;W@g(#cl&urGX)*YzVI$c;XGY(01e2?8zNY7cPp7IlE}y
z#%AY&*?BXp@H>yi62BnJvbQK77DQ}M1uj6(?B5rp=vzrJmQ$JUpQBL&48~pdYJwqT
zhJgaJPn|nWuAdsYr*O=`kAR%<_2)(CfeQse7OpB16{%O5bPnMLx?VF7-dn3QyZYrM
zv^v&OKK9C5)qucUD{6YGdv&(^Xj^LK-7Lf4#`M)#g{^B?1posjZvzl)^k#@d>-7mi
zHq1`@jEG9R_dM~1OcK{|$~fOHO?w2Mru~Q08_2-$%E}Da)ied8qGvD3in|h6@Htk+
z7~*mZvBvQaqK<tPE@+tjzAj2qda~_SzHyw(7{}lQ45Y`)dcbZKJ@i5F+A)JjHnp?R
z#>hrO!;hs<dfjbM^~=rJ+{#t;X18X2=;K3|+2}7#gQSEkh=?@gt{88+xn5o$@VTh}
z@fe_h*OQ^^(iR{ZIcUjCfzB4?*Y>7`pIbBxv$_e0sD&?k;JXS{T7h*BvEB(itVS86
zt#kY0baU!;YSZ?dSWtWCZ#$ta;yMd+BkP*nU_{OcWIbFObmp`6=H^<G4R~tiU0J->
z9E6SCJ?$T1U`paaSo)mex1)x5s!2TJ`d6%VE(&;X!afz8IDO*JJ6|_=sk}_o5x7mZ
zTeGFnZ(48Vkxei>Oycdi>!XQGKPDj9d+j)DmJ(`3Go5-p(~IGfY^z$GBlL<rXEkx=
zH>f9GGS|A0)!)}T3=r6*{?1Bhk1*^hv+*S~1p%9jFw2;<-t2s)6hI{-(2*EWy7s>P
zY9QICq1u3kCU|x0H-jG(iXN)VbtmPq2XNbqK-TSFiKT(+)-6hSb-)F{GtSk@SmJl1
zOJc$zJ}2WjUP@2vLH&=LMl|6Z;>@ld+}FR{`Oi)N(Nk^<;1isAjVrfBS3v_ELLGx6
zJjRU_{Gf0O(;gnvwR!%4_LbtQ#~(yhBx)fmJjGWk=5u6Wn&IJFkIf>go_K;A4!bZw
zW{B0D^l(dGrP~+ikokHml3jxl7VrOI@6E%hZomK02$7Uz$dC+0rbx<^nUJZBnKNcq
z=9!(64242M8mQQ8ndhM-TQVfu7|NKr%(JuJdU{I3=kq<k?{%(oUFSOg>3MAX{l4#Y
zuY0Z6dac(=(#$mKZf`~Fs6m3uIrt{}Hn^U9C$-WvBf*mH8n2L;BQ0M=GYz5^&`~p_
z2YS-64A7g>40*I|$bh8V%uu}(j8A(5<LBy6xZrXz%?RM%?=0u9%4DmOkQbENFq}>n
zc9UH4fh^prF$%KVw;a%IC>A6zr9&>Hr^to$EuAA0PTIG<<I(8{4<9<9^|MT?S+?tn
zEdcUNv3B!WedK;Db*uR0!Hefmc4@wyVO&`%A`Rez(yg9n)GW`9rKqQz$p#cV?)fyd
zJ|6EKGR(7yR=y`tn|p3YcbW%etxnLhSRL39PA_;bqEn3t-B!^T!qulw2dy6qkML|c
z<(-(&pB$hIrT#FChvr5m1uV^hXc8xQ-b<^^1lg%aE<Uvv0pG*=nC5@FyAX}Nim7&U
z-RUGAONl+{*kkZSHPJ>}do+^aX1>)s>7m9XM?W<kHv~krB(zeLH)TTiDk8`hX+k!@
z*{=&^cBeH)y}q-$G9uIqZIVt9RL3icL4C^da5{#&)eI0wC-`u@@dng^EV<0cgf>93
zp6a||TE&zNlc?vk`AA!4Qqc}WUvEGdt2<m=^8{&#%{3D3;~bM3d>U4tea6Ehup{vB
zv%g~%xFvOEI(rvF!<m0$+kZksjfffHV-W|$ymC97bTTVo6BH6fT$7=3YbdFV^%w)r
z-o~{~kIdGU%Sa65y|@4$$-V=iLVLX80(~}^==<&t&I7|R=HeLRQDcz$M8-b`7msE+
zbc>{FXWY{z^oDNgn)=xVRgsZHO91}&OK@>S;Fdq9b@i1qqua>5u8l*FH9PbN2`<b4
z-W9j(E#EhK0j`IO`a@k$k0%|M;PiqkfgU2u{Bw`Uw)oxvNfU_B-i9h{-sev0k1w?Z
zOSWQEx42!?9bj-r4GPcRJ891e`+(_iXcHC4Eg8CJ8&alPj7m=upKx){Khw4Zg~HgU
z_r2a+%_^SOsYzH2?}jcmV<ZrGj{x?Fk5PXpO*pe=<ajNWD7(0?owVx2{tdW6-wGE~
zWfPTnnTtl?96yZ;UY^@8U=^W!m+!@@UX=;ijj}+=lemtUrTLMD;kUQK7~wn}0*E8(
z>Z0#2=jjo0p6LG#@cundfyCyn1K=ZNP~_Sb(P_QP0P7j2z$lWTA(y!cD2$o=O$bKt
zVAQ;8`}CiTrR!6<!<AfFjW~djmekuz9pDPN5HxFP4s7otw-NLrf#)||O+b7_!12qt
z)S#r!dBml5DU3y)VM3c^7R=>loSPOjhtS7dTV?Da>MQi;ssu|w0OSc*O@Hj+h&-wW
zqY{^4=lRnLYQ#)u?`-3O$N%q_!lToZr0uu(uuBY@Oe@g#b@!tyILx8bF0RiopSg7~
z37Q#txK-}U(HF^4cISNA{BN}y<zJ|CNi4AIFr75k2_Jp<Vz4vM)&i<_$2V4CTtkST
zAZ)9qVYay<s-a?KQuN)_XEq06gLdCLlvtZ!Q4r8uOf3%2_S?}qudv&Et`zZ=Q=h2a
z$+4Y?uP;V?eKO+f&jbv|7D2B0^IJq<0H!Q<N*GRt<RpPx2_<!o)n=ePV2wC1p|N-^
z-9ZLj1I~qsM=$q?8xwSXM?io6tK4_EC?sSoFwQc)Cg9j}icxly^PFKV#9`j|PToM-
z#U3?$J9<_u=BObj8J)n9>|V_kq)IPld5mXG2x*pQ^kH+DKzBpTt3tGgk-OM6i>7mQ
zR5y?QxMdh^B<2*3NlRzHt;d+|$kd2i6U>K*aqsbb8ek1gQ}u#Yd2q>zK`GgG##fK`
z3sUtTX`6p$SdyO(K%k_A$P;LstI-)5&70NF9;}Ov1(AbzrG1<0k(jiUP<F0)A3iZ9
zTjfk$=}%D^lCvu402F2@+~BMZd4y_AO67xRh<_9`pBSZlz4YOs%nlCy{PfbrzEC&8
z5lOVN=-3&(?$hThs>Xcx<v;6MhhAaj!ZbW<xU@7{mp~&xHuGT@6T9Eoi9yoC3C}I-
z>2ymyvN}Tabef$Cc_K!Z#^<|_ix9lzfxP<@=HO#_CN#dNY_g`dck=NcC#VLpqXWF;
zRZ1$5ouqmWK00yY%{4C@-|6gkJzUB&o-6YcAdg&dH^bf4Vgl-&_WqBB9cbAu>ZgH_
zL7d}CCxc_@*C2wtwHy`y+}d<W%3){A>Ov9xN#ZZ7#TuliuWT`jt17Stc2s7i)e!8w
zS|gGEo=&{?=_$PYxFt<X2_RJVSOcdUpWCaPl1F{|Zm^5^+ZIPZFHmt(48%G1E~mCZ
zuE9jbrOlm6?<b*z5BDuMS*QcKWTkY#hE+ZO4Yr@H5CW`g5Mc2iV>w)@q`FY2`28EZ
zd|Jty)Sh4D-Dd|;W0l9P7a>%o_Z%XXnc@{cwO|rQeN-n#0c}7j@BFfAsUB;)HSK=~
zz-qXg@66;Rl9knd&&m)WQG!RqHQ&&4^rEtfNP%)3KSB0xDsJ4;cvBPYPJB<^%AFmh
zN%-5gCaKn>5Cp2!+&GE^fz@f04Euf!0-53JC9D({ZJ3QZfH&mqmM}tyQiesgl#aG#
z*^=-sF#}|J(6u4HWB^j$lqX2ai%K_4yxZue>Zku{Tqk12km7=Pi6+_WE0Q*VN~qL_
zw*InaqDazA_HT^xpZ~(Cid4^cTXD`!RGIu7q*R5*=WS%eKhQis$P94p8#Sebwa=F^
zwg9TMalZ5*e@=7ZTKXmoyam_Ux%0Vn4DDVHsBjb;tN!Od@NwyPSY;E`dAW&76(XRH
zX`N|_$g!k}gw_0)9hpqSC5I|~+*0Yn2vIF?_x}zGRU+^$KRseJ6o}EhJjaT!``5qF
zo-OouTu2qch5qyB|MUdkVJX1X{wpj+mHqb(fc5*n0VX~5!v|Q@-}JCQi}4(0pk!#f
ztPa41x$b^Sd~HaMwUq^=x9kG>5!nDoEI-fB%b<<z#NAl38y+a2YVacz?mY|up%U%_
zH*qo>SawUPRruzK57>t<yu2qgvCy4p^IrIP2Xa1*!3%tTgiyxN;hP!Oc>I=rWrF#u
z1?xsdiigTjPH%^$yLf|}YVOYK+h&9rTutx%-*Tio|Gq!xnd9%#Wc-99Bd*yEaSNL}
zyy+JHmpk;Ik<XpFoAre)zL1jg!nJSEDIkyk1v-@kb$_J1@XwWk(j;&TR!G%UeE`k%
zSI>e^y((vhl_NzUnhq(%*dX%zD~Kt1@^@qX0dZ}jkpCIt0$24{hzdYDlmCXo{t3tZ
zj*uNf5VHRWf}Usoz7{BQ(k~o!<TSS)Zu;gzZn)`=>RiuC;jUC_xKo?$hkxRYi07LF
z>a5=UP?=cGebsS`ak!Wbj(!G9*bY2zy!*y~+8211O+fZL+V`I@=|3UL;5_iZVbZV~
z{}q$|!)jci2!45UnIK!Lo(R)_6$zh?$YcdR`2UO}H))#jtl7OrC*54}OevbvNz%ys
zfc$i%N5)IP-u0uT`ETWtq(q;3Pj#Gfgs3drzUw3s8jV8?*fD;uoS!@5){JmfvH_5Y
zp+mwl{2nCRKlv>b7XIsLO!AVi3<Bz}|Lgw=g_A&0mFN8v6|UTV?F_wInCEwd#^4f)
z<TIc}kFO*1#fI8Ksd=K<RPMcML_`S;VBXtTe?N%a2g8mx9GUHWn&@^9bRCXY_gsRy
z?;x;M$kNqByAw06xTxk$8RTW2dmNN*RHg?oC0mm3ylz(2=O2h<OCwIK$?+5Zl2B3{
zDY2{^99+)m0r9O*KMtXQWp4uG@grcxyZVS+tZgXC&53xc>P~xqU>ctJe+rRo&|1;N
z@7R4n1e>m#^Y$!>xwF=>6~CFw;$34<#VR0#ij_m#^>@r$VvVElu*C)kUdLoZNmYZb
zZkeRz$k+gfI~E=`n`zkDlu6XCoiEk6qI?x3Jf=ak_qEQ;QLIZ|GUgsPcSIRbAL}{w
zrkbd7J28c<$0Bfkwyo(!O3sG9U65>4F6YwR%-hv0j4OA>tphRlj<Nq5&Q9k84Barj
zF2xj&=1ggG6mJ-wO%@`>TY#Iq8%@F*k{{sr_VMRi?y@UAMWR2P=4Zq#GM{+*$|J?9
z)t}7*pcl`XAw@u*`U4d{XrI@q2EZ|{<mzKmYVIS?De?>LL-tJ_Jr)6}(hUK-_UG7m
zwcV)q6Yo{sFQPRQU8A2Ba4tRw+#U6)>Us@tYlXkRZi!n463qhR%5uheO&je%lhMUL
zCWgz<*MS_29rCx*1h3IlHuCx1WLS2Udxv1y>%$K5Wyt5Lx|@q2xc+()hK@u6J3^@|
z-#!KOwT6m8vMmCru|3PJWtUqqhWf8>9Xu#81=3MbAo`&qzW8yw23PkRJsp)C>DGHE
zhsiV&8-)+@ZI|4JD%`g5j_x)<9Y5O|lOZ19wSz*9iV$Xr=*Hj&KKg-1g_4@@*v)VR
zP~sBWyO=AuO5S4(WuJoR2Y|eBbB_;9muk+l)j`uM3P#Mme~PQ5pi3D|N7;=ur_@t*
z=328NIP9to-6f1(-W!6HP#WHo5(oLsgCW6x*klsE|Cscw#MvfRPtnh>_TBgBBN=JU
zh+m4N`G`Psfd5(gJ?X{sn<`sKcPv8?NAqupBauF}{=VUK6F?a+Zci~IAa9q0%v15d
zXPyYmK?Ow{K%&@*vO!5C8gP1pe7g>oVwP-R<z`#IXFL83)T^+^Y8W(_B2*YMh}=N3
z?pZe(OrB;!Gh0B~MVinBvk@2PC}b{3`0DMMYz#^jc}js@N7&K`_;$a=74Qx=SzLtM
z+$atpIjSX~mkh!fklWjL3svU6PeLXhX1k7Q#|d3FEj@`$fYnUXOsx#jv#$UY2n!Z&
zS6*f7eP{<DCG$YP7BFj;(NP@ZG&b}dt0!9%Mx|$5n(RywNpcoc_k!HS9Enodf8JB@
zgUwX%{5m&h5}*Y4^tJ^D-w_+in{<02ZsWi%B><9$E5Q`5BKWsyb%-2Mw$~)kehw`g
zo{NVA$dm5dcc%FffJrO4v^u8onu!`D=8$vSXxEKC#2W@F8LNEebr3ii046D)1n9}U
zuYWTD+7);GTY0YV7Jp`$83S9b)@edUS4M)I4JEO;eR;qBT|gK`orjc1z#Uq57CB$^
z1afwLCj0>nVZh}3W8tA)-7G46VQ*JhljZ;Cr~>S*LV+vJ(e$Ks^C8BQMH18F;b$wP
zykI~?9PZ8y{mx}tDMgeW0Jrr!>tNK~TbJ8g;Kxe{{Fn{w_h_MHK$R;>iUH825xNLm
zxNyho44O%YcXOsnrTIG~Q($d$is?FXW{O+CtN>R#7O4SbuS}NIfn5v$r#O6Nv~l)}
zcKT>$X3-E`5pcBoQ0c8EAd#2agRxFxz^a1IJ>az${iZ<G`%c}_5^lflS6}yGpHwH}
zZo7!vF8V`_4hz)jh4guqi^NPH)quUQzA8k&<>X>7!ol^y_z_Hr;bQ0a9=fz1^DJ`a
zFhAZnP*o4ZwG+o}P}r27+d_q^l}cQ3&mJT8Uz^kMTpoE^|3<$1o=(9tgh!m=XaSTn
ze!o?ZeQ!sov%Sn&HgQdGa7_f>-s4%<p=2cw7n$~jK?_r%w64}s>U_FZuU>AzRx(O~
zW2*i{InH#7x7!iBJo27y70$zY(K!Pq^!?&$$G$hliNkc|;xIe5WS2_dBnU7`A|l<3
zF;#TA)NY>({N}ofdj!p0{YI$Yk1*7t(uv9tNHf-JJgY{ztV~8{cJySM7sQ&66T6*V
z{O<7RYp*Z%@0l6CwH_CLhHq@4F>Absr;M4L2c@~;OPNtJ3>d&qVE`V%D%9qefrBuN
zkOK@9-Dt^AI8~g!!P@fROod`GxXfB)m}%XDT$PI;9p|0{BAO@d+Rt8SNA7r%1T=J+
z3{0dOR~R9**~JBE{X82B={rCZvp5uyDCl@U*RCV`d=FU6SPRquJwZNf@Y&;=AxTe}
z?_)Z-ClwIKcrk5;Em1<S^sHu}-P$eE*(MQfw08Y!C#g9Q!}OP+bXMOeKw$X%0;&{B
zGHgC`<@ISM!!W>?(U=2*j)S3?^G8R&EIU981~R8Iwa3ASyLh>kegldc$sh<dwBV9A
z3DYFrX1a#a@q6z;+39`I6;m9p0qsZ*xHpcY6Hi>goi!||Xx)f-R9MxRWTsoDC{lNS
zlSflFIbFsMmH(ApAJ?~JN2poI|KAt%EAJp|_Ozb*XfNxf&~n6Qa89}d>U?*nY=gcw
zk@th<<T1Q7%+*ss;va+??ap;ZF9ig1lV`YmmE`#CJ>3r4fxL!$(NY+iS6;o-P&8(D
z&`oe)Lie{(-Mhh@PBc<;z&(M)SAeNSMyGeQZ0r+)$2L9~IwR6>1ARI#$SX<2|AZB;
ziqw3r>p2psEp-4TRk;a+e(E}ygVAg?gL?=7=4*?B1_&kn9o5U?<@3Y0{6w{H0V1ym
z=v6<LdEl;1IQFHkn9DT`rlqyXZ@fKg8cMD;sU+rs_gv#jRQr5dwHDxyage_ql^9!9
z5pP~|=5}^}8NK(2GE*nXF%);sRuZP<kINI~V$><>$-0*j3U?PTmrdxop12>RWg;RF
z+~SyOQ~4EyE~ofsVIYt;(8M)!MC!XJv;*63>|?*jr>&#Kwj--Y?n*+V6k&ETSsD?l
zhdLh$*|&6=^)Lp)sQ^0CdiABfW5Vxvw7knEe#|8y6RN~HX+_UqQFJo&EKZf;o_8A6
zmpWG2ET-xkjP0~ZWWQ!_n?8KVK`r41Rd%O5#HkigC#e?qBgmfI7}0F^QQd9nnv%X=
zL)8<q;Ihu(Y<y)e3%NM>lrOljy<2fE44k22^&6)S$Tw|}`HJvP%-j*bSfCQ_bb1PH
zW~l1{YJc$;(x5}291}fp+jR~Gos|thM8fHUi@PZ=qqsId3gsO3+iWWQQum1t$q{Dt
zh!F@Uxr*v_$7t_avrP3X$t{Fo9E{+PZrx=o_R3bg&GvPOOFNxUf7FZF4B+<qH%-7$
zexIwj%N#bHh94|YlTN_uta(A|d@7expiuMW)@{hF1VVgGL*Y~2^LEf7<GyqMXU;xw
zuy1{i3x7S!ZW#T{1kFg-F!n|_k@d#)`N#T=UR})IsPrJ4;<d{n@__tTlZKY@#LnGc
zUYI&)Jcw??Io8JT8XG-POL8b?j!=;oEg7a1Ou8M|aa&cSHoc`)BFS!pLFs-?N13RX
z3{xkRRo-EE-LG#+^3ByD#=l)`AUcLWQkvVi%rsLf!}|>DOynT31HU*#qu?&jcvE!N
zav9ELH`!;G_^#&+&`}WqrSCUzzwVD=j^_z@?}}i*Zv{<HeB^d;E%0k}hI-yKj9I*U
zHV3j8^#X@(>ESS<93;l--G*~q@RG92muySdHCt}Wcsf^7!0?IU%godZ<uzgIqf)0s
zB^?N7dzY4{4(;9&4T9@b-wT(pTxfm+=^~u^)p|MefMT9>#vACuT!-2X19kefwSk$C
zWnF$lli`%k*H0YdPhJb}7&<j|%}>!mN+q6<lo|`|TNc`TN8K<cBFG?aPZ-`X2>QZD
zoW{5B*nJ1?N;SO#2mAcxZs7Q~r0Z&cXfA;@giVnJ=o#Ve2Yg*YFgPd{MkUF)a2Xrw
zdP9_O(VN(Mf##Y-m+RnTzq+;|5C#=I^lak3{qkcKH$oTju_T@z!Nl9%y``Qxy6-Z3
zqguCVyB}^^deB>xzvOHOO06Ab%&<j`1f~A$gB|wHCBLAZ;^6Ik@tunG@y~f!PsJR0
zEXBn3po?lOzq<Mw9!AeP_+hU}%hU@HBeaS&8Re`&<oWdS?X0CC7+=?QD4WxMzmC*O
z-Maet*5V%bR^zmi5LsN98vAN>2bqbmx~n+Mm`N--v384{qC!Le!?wASJipQ75D%rE
zeR##0Xx9<8vn@W~Jd+bR#b5`uZj7O55%jdxCmE-%3kUtmT0?3r0s3Hc4!FQ~i<Am;
zDP@h5LI+T#dz&01;G(?ssJC-h|HFQNxbz1>33u<BWtzLy{w`oI%&e)b<v$~0>UoIw
z1akyef!umleDwJe&H|LP`(_8z=2Jzke`O5J#Zkoo2oXZ$oiVVK!0?I@Vgi24w|5Q8
zJrf&}%wF6~KyS$g-7h=8_|66RrxcXT1z0qOVOW?WVpPeS-SLVP^T)dZeq1UALpaBq
zNGHS1@CFB=<@$OJRbe^Erp1uTTdvi+m+5{GMgu*@2|7;dV1_tp*<C+gO`SSbnB^^y
zY!7<bOO|#uHxKywcC|PR<f=muU{_#xgHEd($d-GtA_fMI;>MseOsM^8G^Q0i%uy#U
zGYS8j!f#(R{SzlJ@e;ay-gwhkCprxC+BZW7CVw!6nS%Mq(iu(TPI(Gcyfg@h99D|K
zt}e|CLOYG1$v71BETFj%&p@~!w&}S{MN+ZHSJQX)Ca$(!5C>D9r`2yEK5-Xm7x~5q
zX#{3Pug9)BL33xWsZ95EyM^JJ4hNFYKCM$)$f##1@mAb59!pZW!8IF7pOqw0^C9Yj
zz%M2W|CC$@Up%CiG1I5&X`Mu4F~oM9JEE}LHjs$S9CT418q&s-aCRGMR#bT*G!edQ
zk|+1QA<V2znurs8a($e{!~ZoS@Uqx~L2p-PUgRkh?zYBD@K00%@*P(bRgVMmy`o&}
z)a^s@<^E%sAfp7ZNeUzkOD-#|3&1wfOEoGJL8a%NUnX115%U#oa8Z*Sc7{1ugCH91
z<ajBJcuUCo&+@W@!P1%xJ}RR4nBt2W7!f>!e@cEH_v+2>m4V-%?Ja_g^xS34MvxJ1
z)Aw5DgdR7?l|rL`XPa&TDK?ifjs}Q?rN_j~&q1L}_tg_LcIOv{j#z3gq+qj^NVp}4
z+*~7mUNB=%GcW8TfH`u4Rdgb$J_={^@@UU%`|0(K%inS~+y@mE?Y*zRa|jxCjsxei
z;pR=$zej|F<j#KVbcL__bn@k!fP%;M<2U&pB7j$@3;rLz!jWSU^{eEc@lYQLJZfnZ
z4(q%z#=FnD(rNYw!tT}r6JkF@VB5zXmG|gEVtA1{YlJf!S^SjhpBG;w389A}%pzME
zvs1qtA&BTvz(SI9$JU2$<DGEsSIvA!0c(-@RPQqKjj1~mF1;j~hQRiz7v02`pz<Gk
zkmi(RqHlhAZ2To5anxN};zb(xxS%E%nKr-%X8sgB8r1tw*ibfbpf6uR<M;TmMY!fk
zhmrnnO~giUw|Zz`?#kd@NoMGK?`n>$r4qC?{6;?hf888@T1a!`v1eY-M#ur`V!1aS
z!@^bRY;LUgJ3`Gqwpp-k^-hub^{6_*BF1a@iR{q>YnBRiD)XU4HbLa?2Kj&V1UoiY
z9jvXLfJsORbM<>{Ba75=ZK&#JRz4lRcwcRsg9JI)q4(+E-{IR|*s^)pQXmElg^w_Y
z0_plK%Sl5y?SNryc`mT_e<Mx*^wi(%Il>dd)VK8SWvG!8BxhF~lD@4m($_jG`**_h
zZ|;q02HX$g47s7qdOWn<g-RDWKFvS#-BFsuGeB!KhZF&sZk4K=^Tf8G%Hy}c1x|t+
zh$lP|RuqgVO=G8^;fDPj_#OLT8wy_ke4_GaJb_=x4^$*tVW(seKh{R@t~Q5jUw=EH
zu)OD?Dy1j=j++5LpI5l*vS1hm>H{%2s*){7Jbnr3d#{65T=VJ>D$7Nfah=Zq^2nI(
zo&8e3yD#$Rz+le1`bbxZz|P1is9$yeVf>=aC$0JUNvrFJ5d;juGJppf+nl0Q2c*vw
zz#{qGCk@&h0{{5L$<S{Sk58@AP4h9OY~_UM)k#u#-ZtW&9V_L@B!sL9RMu#qa-N24
zgcXw0&^_M&z=;2wzkR4-_=IgM_RFWLK~PsdR;9el)b*MjaIyyAUKK!F2>)s8UP4?#
z-_v<)TAIMax-nO>vI4BAjCu3;1idbr=gI0a5I!=$kdz<1x>}-8|AxgvhVGd~ALE&D
z3gIFYHneP2Ikf3MdIo79j)B<(D$r8N1v!0u$GyVmkD(1;JwxvVBIaNLn@_ktxi${1
z={J&!ApnjaW82Uw_gPwO<kWn|gisHm&A)0D$VT3ZfEx}1?so_9LP@%lc1OGp{1&9c
z>%f5|HV@1hIJ2Ah>QGAAcI{nws7HwN8z%bx2CqFLyWfoOGUxS{8t9!0<sRp4c5##-
zC=wOix9|Wp-a8t)x{&apTW7a->ykmHk(h42o$igtLV(28b9O)k6(^bZtil#MN|;aA
z;^lAM9>3Vwli3Chh4g|B0{+n8ViJ3~1t92~LVdxD#z3lyraNJCN63ioPex676uK1N
z2H%miGU}8+lNf&kdO0F}<u=bOzd!@9=`GkIqCpp10TyfUNxVZ8^c=_Y+_<e%J6hTc
znKNSLk5IO3x1zap?)gDhb`*4>qdyDUBgo`>^B3(shN<3I=IaWOeI`RDs9xkWsJ#2e
zFPx1{XA%k5SGcBdQCt(uA=V@o;zpb=!=~d>?kHN&U>Pe2UR|M#TuU1tUoJ_KJL;*L
zyl%u&u*x$(6K5P;S|~8DgWJhszdJ0WXZ)=Hu;;~7)Flncw@G_mkK76oXjd}-pqP~e
zAhT~0m8ahg?5MHqO*CtBN*0zXV}jPJo;>xO;=p*tYweB(BQ~c#6w8`k^=tonbXL;H
zT{U}dr~0ofDM}Ni<@LU)@7je~)O?Rlce6zfosd<vXW?J8isVm`4Jo-EO)rP>*D!Br
z%M$Nur7B8KQOFq;t-16mC+lmX`!np-0y%Mgp6MPrmRi*K`~jB7J>*MYL?bIskdO3o
zx`jtA?-$Y-K+m!4Q=?ARcfD9)>_|@g#WelozV-B+GN0G_Y>mU!p)_?6=?=cwaZmuQ
zd;1pj++r)%=Q6`?p`Y!BwDT}DyQeKFRrNcTFTJ+2M#M_)X2iP2oBh#X`ylj)V~(Uy
zSW59tp1dC~#k3!}Fy#MP_ocpJ*~vIwr#222nuFyzwqz$=Nqf%O%LXMe@!O+<g9^N?
ztkP=q{fWXF=gCJt9GO2(Mt;I-HQo3{S5s0!CoeVsC@>an&ZAKyPkPOyhDTK7PA6Pw
zd|q?6y{PA$MM1m7ST9<KLU;bQ!sCiy?xka`(lVd?*J&3!KeX-MyVNBRsat2--&Jvj
zJE66I;{X+DdT8<WJry*<pVr$w=2H(jRo-WrDGv{yD7w$WzDnDaS~HZ9Woy&rg_A8W
zExiE5zjPwBd&55A)ce@?-Ey2U`?5yN+PPTFhJrtQV5VmAuCbrGVIb~&F>wNy)13Wm
zsTAm1aUhBg99>1IF3P`igBFR1Gtr!J(dgww9U5d(vhjVdQH~<e!++~mgG>fiP7r!`
z?cp&Z0&;9hz`FP0PZgwZ2G4%p3JqU62W?%|X?#y|3Dy0qlibu2f+by$FxmE7n9Lzs
zu@sFZ(J;g7ts9;kUtU}>Lya|~vT(N#tnWG`F~RQClw{IYl@v1T!%sb6^8hUmLH_;W
z;T5zI6B?~rlTX8;ua~^CkEN04#<d5Tv(!st;w&5b98PcVT<JB>E6U{cr?BSZpq8!h
z^cxp<txh+x9VCi8AtU!DwquTQ_L}$DifoVWVJEeVk>b~1zkc#*M)AGrr^%Yw*O;fM
zbPTz}x#QF~*UO~RGYX{VtBtav({K0Q3ip5Ak;T`Ve~VBem|=SA%EQ8W?{Uh=A}%@c
zgG|kfynauNPB-vai;r=3AP}UBMY;oRx_pJ-n)0^M=7+sWNF|r{se?s2vpoRbhIA}u
zf4C$Q0Q_)$Lb>Y@F)9lBs^9HslVlo20%WSq>%8txqAP9?uOKA7^GNnk5{tJ^*jn*C
z4@*r8b)2)5olqn9P5YU#jH|dL&ljeRfpUx@Vy#DGQRA=Crd(=sg>wfYrFf|fmQp_r
z-ZztV<7J<&qMBcr8?lKDWUuM0@P3HhyHew~h9ip1t9bpg=Ow<bVNquvrhW87_4b`H
zdEJ35nMY}K`OhYQG7{acJE!eFbykh6&UMVfFfZL?T%%jgjhEgw^31^<-5lAM!m(|E
zvNlu9)AekTdizY7zwDq{iF2bB6^vdw1+64;d?r^A_&)p6CuszFdHp(i@|v;dAk|1`
z9vZ>?#i6R>!dvC}Tl5tmnG6S+)v#x^q)5}qX((y8dssjsIP=8Y`7e=BqAoW<zVs;n
zGFjw`T6jiZ=~`KPYhjOs_x5J37!8S#YXQdTp@aoqh2&VapmdQZE8>*zrn1?312Io<
zGFAFrE1mf=$?s)YcztO_WeWDSUdYvW+}`VY7|mFV_Bm*L#HqDEORHFZowm=*w|qs#
zPHtR(IFv!3of<nDQ$4n!^<^cW4$H<!!@%Zb9GfVim~tzAot@t$20L-UtoJ?+m%nBd
z>^tTDaj)MK!`BTe7sWwEVwf!g2;~wRtf;W?qh+KOK)`HH)nMO*Uflm2J?uoNL#!-^
zBN~(%6!0z`CnjKmTjbWaEY4ckzg#<c<N!+|UC60kje*Y+1s%9cml~(D>@U08_Q|gs
zynD(eG$)!>9Q`#qM`^dY;3}KCtKGZa2ps)<iN)m!F;c&RR#Nk)u2jNLmsFcyNuG>e
z=`1!hA5xFpAwliw^sZrS#Qn1I7^`~f2h74p-|ITtJ7jDqjaunDs|_eBQsdj3NzL<4
zE>Gx^UB0+LZM`t;R**XTkjraNsq1iS9lJQw^zzO~N21Vio$AKiy7nUL`r)u}wnEYZ
zpya1%XK*4iCYNXi&-`KgWg+ljRabCeWh2MMCbZC??2s(lb~8A&=xmVxu#a?g$e5zb
za^b@e%O1CIGC3V*Mps8W(T^#yp)JoSSBf0`(On<eG9y%a9<_C8>jc&;91Tf~XOJ9%
zzRR-AgMy(x8#xNyX<1YGHbQ9VSiz+z`B8d~+C{#<H%^CbSd~uhmtirCe^tJ8&%>ug
zao{OW)<lRqmxd3t4&1}>Tr)n;>D0-ZMOB<+Kuxd2>1(yoQ-GTDy53thRuH(RT)rzI
ze%_~{^8A%ja|Ege81)VW6-1u8m}}p&n;#*JtTf~~6cz()r%=zz2a;bx=K!QCM)aGp
z?R&TR{7f95mdtD2;gH-+8u~Y3axC49p&0@=s;522rd=b?Ia2O2A5%l_9c*KjDf;x>
z{^@MEoF}xgew}Iq4@Oh>eokw10ZLs@TiJ}<Q7_ej`wc8K`R#M-Wm<(s&&In07kG@s
z`eRM9wrSm}_YW2*=E)z-S?KQS)5ebGV>iUu-5g@C%iY&!aT+|vV%9aa+LNhru=8~Z
zO=d$aSFpzIMvt-FVdvNKLz#iBw@#^poYbCoQ$0>U-tfmylt`B&@Sd2`c!gQD4mrH`
zL~<hv69ig-tu3a)1YPm^OkL6o9oQP2^NmVv)%dbvv)+$!T(7llRgKA4;xHdurtal`
zP)lxn&$7pdyEz|&rLC9kSz(*+))foUXZBu;XK5>EbFw@h8M>#JmZ<AOGClI{MkS$E
zP3c@$9oI?}`pe{Iy^D1kC^}|Ku-X2vv>U12_7tbg6c%OKU*VPD&tIESaW+FoUO&L@
zB-7P?ppz)Ot}V1Be!r-^&hdl!j&@yE@#3=#h7%<Vg^6iKOm_VVfhVmShZ(|f`E^qj
z8%8#*=^Ska&fx~o+LQnE-R>>9=_crerH34|lmn&@TTvQ24apA{D#aqvH5#=EEtDs?
zihj6A9ctiRiv7Hgbay{yk8Dr{^-54GBVDJsi`RI3+I#9?7l%XBc6;`Ahb$ypXHA67
zHBGqgILO2Ac2glkOtxo|e#LV_-_+k2NirH+gA>-R>|7ldDnd?usK5X4xun~h>nspJ
z#`zU1WCpq$DFrsx>zi?D%snsTB};1bP5XFP;6d3`%lTk~7BRaenSpycat?kaAB)-w
zsA#>y6pEU!d3$8c(Py&@l6z*gHOy={Vz3pKp}Eg!yWX_t@0r?Zl*nt(!C!Q{%z3xo
z^1Vjk{h2DUG{!zz$}j{6iLarJqoST8_Ye2vG^m@N%zSfTEk3+Yso}FuxTp&>Mq|ra
zHuLwmbHnzcvO~VC>Sa+1Yc`_Smj=~XyklrOO8Od-d~+1dtEeL_IUFR?yB0@7G#$N-
zCHChJg9$A2uq0)MUu!<WSu?33(=qV)x%c@MG?pE0hQ7H`tTxUVC~mj%C13l#`#C$U
zoGSU#!_K=Wy`e{}8Hn?=r#zmA9o!fWnPmtIJo*RFDHd)mL(Fb7C0!;P;3*M(Bp|>i
zhfH056L_ps5X$W0cKWd9w##vrV?RMxVsu4D>ndk<qY7ccEw}SB!!y`OR*P4`dw1Vz
zcCZ2tQXX_B7|eIO8!tf`Zn4mPocv7}*){F&4pUMRe_8CNgoHCi6IIc!?_CiO0DO2G
zs6Zmy2Qe_`%lfP5kY%&kTsB&gVTt_E(v6G*Ri9QSKFqgGhOOGo%}lY>DDPcbA8y~-
zJM10eV)MCF?$A(9Fv6um8q(gKbz5IuQit?yc!HMc`}h0+yCS&2kPT|zJDw(ZG#z!E
zRmgx6PYF)7(vh{yduO8g(H~s$=;en9E;S_BKg(PlYi&>K@2(4(6*`~nk3RcBl~Nn)
z(3z_U4PkcL)o{boz5TQ2;DPjRJopaafvj4p4s7yB)b!<NIEQI`#<Tw32`6Clzk!~;
zL7<UD$m|glc=`(3E_w1d0BTT*<F|0L&auI9E<wQ*L7JN%NNtCX1K*vw9a(1Ak!m=h
z-;+Ep{d~KJYe;to3{7+JGwwQk(2J+c5)!_U1DS1@XQ!`)n?Nydx|+rq3%yq?uA?oH
zz_<wQ5!~_H0u{1KGL5P7>{kT24gXr&ZFsSgl?4#Zh<yVB{sDH0XLjn6@rk;8W&-}z
zC6+M5!b=YsT$-e+V-{h^Pc%%RtLZ|j_suyM)u0*K6*aRwJHm?8f1pP&KB+P8xcp7%
z4>rVP=pR4m{Pq~X&*G(h176oBWB9ygt(@<#`%OP&o`;(MQFyh;>A^Z0;UPc-WLyZH
z&Rw71fZE@^-gRhQ8cf<)efj}vn}qiSZCVsSt?Hx(*YDZZB^k&7!bSK(0sz`LNPZ}`
z))sN((?0`9sOJqAyYCg+wqewvgW3}&_9b8Le=YoU4!;9bZt7sEjX!%posI|Ea`+J4
zxdntPY31h&gY9Zft{<?}t`&!|h6pSqJo@aha#Jb7rT{T63ry-K8>qV13j?v|w$GOr
zJD%7_b7~F1$gNuoXuJ#~jYd(pgxqOEX|N7GrMiHCoJ~#y4pIU%;atmKsxw}v=w<W&
zr`1&n`cad?LYyk`cHI3MPIux>!U}YM)-qpbh?)^Ow(VC`l$@M7!h#yEuyo`KBXD4w
zMJ(~~mg<6u0kbIZgqCU~)|uIpe6kVJXWzA;qI`IFWT+?LIQrw4T=b0%4by6%=tG+B
zfJ+*&X$Cq$Ex<Xv#d;8%&C!1<UOw^F1Ez~1yimTj_mVmV%)9v`5akaN?NCt{TeAtB
zn&;-VQTSc_5&+g&QhforPcv!L-!}|f26*VCZ6z^2B@{&h?iz49Zq_w!{S0J7M>Q-f
zm&Oz2W2nak)6G=xfvgEyf9F7y)Fy`~%V8$o=W|{VVE62aE>W{ny%p_}+KsrTdDITZ
z2xwANMy8Ra??7ly8RO7i-uy_8G)~ab2<7;Cw7`7F9!5LADd2NlPB94E{>zPsDn&$u
z#-`<`hN|YHj(bsky!i-;ca7zKhI`3lsItLM5?v-gbfj;?X=Nep@3wcMpewG6dd&B;
zjk+O9uld}Eow{P~&{^A@WhS5FrLFVMi_84P1B8v_UQ~*ChWprJS!Wtgm5rpsz6;%L
zKBNm*NRLJU&#Gn?X^V|=2=Cph5JY~-;KKFbJ5D}fyLer}-?h{WRhi%cCBuLrh?)*D
zef7;4<{v#16yMunur>K&ml4x^Hn&0VtZTS;q~@XMETR}3S|=8GfgkL&($Vtv(sfbz
z9l$D)o$bnl?lTP1I{sBMKY7V=AL15Mv2~{)PjVVfeR{9A&9P$?#7ZaTL<^TQdZFt$
zzB1<5b;Kk1fM^Xo-W|rmgyJh5*!5W(E(cl!hkd%G27}3rz-`msUItt>We}e|jIcm#
zuYUdNfl7C%M|iQ)HJ%fBZD)XzI0$@EkZ6Ip#-Y3nmRFsr1d5T?&B-@9*3TD6&1++K
z@8^>QXfC&IFs~lO;ok1lT^oZob*?5$sEcn>XBIqpOUARMueYOhc=r)_UpE><+%xn&
zcCQ*%xlA=Jj}%<~9YkeXfa|O%6OWbnY(VTho~cu6>1It#?B^21B~NkN{oXLNPZ8i=
zIUQ5bPng7frP{B?sZTvtpb4#|4gfsHwPfhK$F4L#aDxHG>LqUWIfR!KQR88>$C1Nt
zNk0G@o}wv^(4ih*YCm1<I+hH=X>1XB-Pz|0cz_M!g7SW6s|L)v+4v#=P;Z0VZyurJ
z7y8vbOe2JAW6nhOg^_8chEp7P1+;jGeX#tD|KsWCV9VF$yPRH<u-}ci3^gfrfJWOs
zyV0s~qQ-d&KClGt*b@W9v5r--B@d9VP~I;FlX)ShmIk?me4KNsV>4pYSRAgfwg%*D
zt+ca7L$veOpd>~r@Gj!~aF9I{n#&=xboxvj0M|#+fgthgAZ<vNWM5$AR^Gmg{MYjr
z0d>!y(tuqR58#FcL5pt{vn^ijXu~jc#05L7c)vYXgN607z4C&OA(deBND4T7X#db!
z>N(R_(duth;aAqtspF67q66YcF;-GrC&lK1H>gww`(<i%jd9{M@pa*Dcvf{XB2n1+
ziOYEVIpjVAK*}Fg2l$B=s3utW&BHml`tVNJ-d`UU3lDp`{8cM$Zoqdgz>;g=(ei<}
znL95PoI|3nOw;qyq${F`6pp#f1yC9UQJ7#m7cJ9+050DF_V2xk8*?j<F^(Du9x?zs
z^=jhmV@O3^Qmg>ddF!Z>ByQLswqP(bW>OVY3-}~AGWHr8?c`?lzT;%8<pma5L73uV
ztv!a_qu283Jj#J;j$C##-coSgl))*Y_L5khIzV<6y7;#l);PnUj9TDHaKN4jpiOIT
z9pnY_H~E_1B(w%7C2SY?PxWZYh&w+@QS#w*7QN?XT`Zy*<90ih`R$}Pi11}!=pXLv
zpv$>PG0;xxe00)J{holp&Gdkv?4u0JWdOQ7y_exmFJSfYWkh<-bE|hO)~)HfSrZ%c
z1r@da8!NpY@gR-cLXZip#G4!G02Hzfw2-%~INO1ItJ8<eH4{$uWKymt>=6JQ*jQhC
z+X4)$)Wp=f4jqJO=r-^|wGg&5w5;+vy)Bk@gKB<t&us_A^nN6mMEDFtqWL$j_cQ`G
zK;?77YPhbg0o~TVLWpi9kr)=`<dkJVN`7dt7=QL4A>RGRM>He7k<~dvy$GygS)EuT
z5WjK)<-lkkX<0ox2-QG1n``Dkn~3Wu7Ve|{qaUXszYydy6SQk*LNW~jh-X5&sD)W9
z22TE3t|5l;9(K>(R9{e{U{c^z4DOYGU=Cjz6>f#lzGbC8!r<{Jm@*tf<kiz!a;}hf
z@)w#rQV+WX1<O`MMadYSK(TyLh!&5v()pDv^3>BZk`)gTCB~UD&EGF)D7L&snoJsE
zxP~PIm^gNPcA*u9ug6B;p_kr<G9{etYDk%GR;X%6q$ZLTZ%<FJ7g_)6c|aHmq3U!*
zJxNL@CO>3xEl!o?Xr(jdSA1u0Sk}rU{N=S4m@A8r&2EzX7N^3(6Ct(x;JTC?Ua&P^
zXRomP+ZxZ!+Ppb{&<n1S%z{iUFmsrZlc1TZPI&0|C)kGCg}exHOx@6FcoD(LSvnqg
z5i8v75+utDp*Wvw6$wH*Z|(F~p#*i6dK73|5p!d0N)XD*c<;GJ<^yz_Y2bM(fR<4G
zLU)d*9e9H?u}67;URY~cpzZrlRDKjLrW_kJ)?c6DC#jt)$(2Wn&N4!!aPaciB3FR4
zMNtUn3t^8Yin_-DXHW;2UrA?aXGd{L>oZ9kcQ4!W(WmrRY^-G_0BwjLXnsg9eyhU-
zc&1p0n(II;gY!1K+V1pTB+W-k6wqG&yvVP(2C0+6)$-_JRuJx2`4!@;Ajx-fmzHT*
zE0{*Brhx1N1-KO0kZd8s7=Is|GB8eq6rccQvH0ba6VTb}U_kWbsh4mM4e<Ieg#uYg
z8njXlBk|6RnW{yA^U&K!K<!l#`Wq4*s|(|F^vOgJQEFib7zPpIc&6>)`#wNWuZ81g
zQ5$s_lqailGre(II<+7jPGbI^dO&vT@}Ue6W{z~C_;EI{fMa?`6Oc5^Q`63Y3haAP
zLsBLi319ES++{>Y!T=P~r#E0O_HDS!8g(B-IY$Xdn94#=&D6v}Csz<1eYg0;C31ay
z?=I36!kO1I5cJmpb%zrsH>V=$&DXjoUAG)&&|Ty-?gS?1G$jbK{Voy>Z>5J4U)4np
z*60Lz<hUQpn-h4({mcr})it%mNPUM5A6di-{3M_08%U)CtQ*O3j`iLZgOE5y3#~mg
zb)CT}7@8nBh9!aX838v^Ed<>uuzOA*gHZ>X-j?M>X<Z#X5DZ#+8+5-ZR7(=K9LyA)
z^k3~i_y}za8t4w%t)MOP!LBXA=d)+U`ZBr*<Nh{Lv@M-Uo7GS*?NdMKZw$aq91&~e
zRU0-4;uA5DZ5cuCaY6Mx)l<P9kH;N)x`9)Ou--&KUZOk0<yU)=Z0_CE;~uZEj3GuO
z6@rrx3u9yT=3!he#fl>1M&afD0Z7YYK@lJnbHxvsuqt9OEuI4^+)u2<?K=hD_kv_T
zbEhAO8D;w{Iavd1-esh@dVeA`{#aha<bU1W-Fm*O1v*|3q5LJtkyH+XZtWciPix-N
ztgV5rjUpsHVKXpCodX<y447G*eKv2=00me4z{(jT<`T~tOXmz|9Z^Oajr#SYiX2?a
zTt?LUA9Gce^@9pd4D_%lAd<=njhBgj00Wypk@G;bY=t{MH5J6fG4*sCOf>nzKp22M
zj8vE-NbNopo<k~72!qoCE~9MA`g@B94tRV-O~XuZ+|?X9%n1lA2z;S}UE66mwqSa~
z9QRQxu%cpZ!qHOn10ojjQGL67_oPmh6q)p#embJkPiqWLMCH=6>o=E*$1wZItZ(lj
zQ$((TVv07=*;8U0unMujv9E>bPnpjLE@h-EOXVQl^oVu^T^eXu3?W(^S9;&8iq_9&
zym(6V(5T`Dm&=KPQi##RGK+0C=$^#1s7)`rM$drFT=YXKlL~MLs%%3`<+W<pApH(Y
z(3@h-fT#;eo6NoE)2*s4nJlggGkbA`a2kdTC<5=We(ux`vdeQmjfPccyG8V5RLJJU
z+{w~Uyz&E~r?;+o;uBp31=)(_na}_b`003qP*s?Gg*#fRAiRiZ2oaRm-HSoxFhYtQ
z4KM)BT`t}DCYOH+G~ZxXa)iu+jTNeJh+yKV7_INNJRLB6<T%CvInu;Al?ZQkIo2Vm
z1PV3pqH`g4vq$MS^C@lbL{g*lkQQ8OPcJewBZuPHQYHW^PwV^ab$t-_pVk99IvbB?
zCdPef+G}EliK#ELg94CPsve|kTu@X|Hv+Rr%wbrw$3A|WOC^vY-hB_#G<^15u(cW^
zjHRQrx$x{d=5q_x(_#v(u4rCk@p6mooBDxm0~yzpMxXM@@<!l3o}1FxGoi8Fn9R#n
zE|msr6Os196<{8@0xysmV^>YE%FhHP_3QN^x>JlW2*Kv1p<x-?RUDGNLGbP2d*s%{
zH&&hBT{6Bkz!Pe3A2n4^YTlM<>}ZqWilb_v+c{?9+>KQHr`m1KW-#Y5dP(Ssx<WW6
z-#HVt?^l@bh%zYIdV*xYm1KqJ+wrxLa6#VuID)8N62}ENXrMoh1HfsL--qM5PyzAC
z61efVt+~r9emD223cW}_$ukNfC$37}NHbG_O5n+<yJFrjFuGZh&8LMNl72*#ZQmhk
z*LH$zx{uZoPf<@C;?ZWUXWv7%--BFUlNB3&IagXmU0l;KM!2b0qi=NA+%svSs88OH
zTILvMfF&yyfLx(RR_C=i^pLXcZ{^e1DfHs9%sU72OLHxbB%nZpODArf5jd}A;F=C4
zE180*)(TL-GuI{=OVgiPh}y2JA3xwd12H<kUO_~weWYv2fM&gGyse>BMwdD=1K_LY
zLp-OGI^HXur-f+X?SBefnNC3z@+p;yHIJN0AzShh3I1U?^T*^if9DECQ-F4rE?JSl
z1KgLo6{SG2wK~%AsFjwC$T?Ar+yQ9O3Cf^*Yb}(HK3G;|`xNhipPA-%WU{)XOILs2
zO{iIR_h|<zI@XzXzt+*IV8dW>Q%^@@3W3qi*R@a%Qh0K1k5M^6h09Ytq(=*x%BwF;
zlN_GYIKKl7vuinqOXp~hY=K+rCCv(z70{=-CpnK$c(^XkA?h<1dwi`9xUQI!xq^1m
z<s8H3jKzm@9M;nHkBxmIyjM+_oqw`+VTdrhr_uFrKIT;hT!KrH6RsO;Q~q@@dBpNH
z=2JSR59vp$7yLb+CDwx|!0H?(Rs-xOVfwwNEFk_YQ0YRl_~1fG*q^THoBNNwBnV=^
z?_s(+Sw^l^rDv!z!XAOMwfZtfm~F&fZ1EKt-7!O^Yv`I*1MvZH_FbznnC1-qg2|&)
z@1ma;i$P**r?}=}Vr~jA9bcH3y<WahrqeyGQ=w%G8f=Scy|uUsWJU#>d8?$pPK-?x
z1}~lHv6q-3NjmzftEh>+e#_1dh&A;)4n6jSiup9|`36jF;9p1vn8n1~u=}W9P5Q%%
zhFFj=YqWD;1vxCSKDFHiTl*52B1jQv_}Tl5uL+2w_)phen^6GQb1S4i0}1+>sbR&-
znl3@a!*A2_Y%vjOT(q=Er)hz5OYuvs3bkb<4g|<n`8f;;xVZ1M4HH^_o)HmB%eU7D
zJj&f;ZG_W6%(!5(Yz$K}09Vn?f+DCn*Pnc`%+muv1T{U@p|`y3m7iX&RhH7>GLUmK
zJ%DB`7SXNvislM-^?}|nB|YY`#I|BrThEb{SaSdc`2o3eu7?eHc{S7K0o41<;BweR
z2P<=*NzQMqPi>^zMLE7DHHX~RraTX=Pczn9Mdwvu+oq~s<bY@g<+p=ZErj-^GHBmo
z_T$_yvNhZeK*JHiXa`+RISg?YH9b4?S;>ImV3N%qQ*t8IfTVUoCvNIF1Tt@Za^_&x
zOeA>VMmvu5E@IG7Dq&m9B{N4Vs6{YtVh~Yd!%HUe0|>R?;a6>}*C#ae(%L)Dd1n+i
zs~4EII%eANjbw!3qVqb35U6frby#9Zw7}~=<Kc`5p424B^d{8#!E<Om*vGCaAT<tA
z$6L;`WqS;DZRoM1)vn&g-9tKiy6?5Guua0UCWA6L+kS-bfGBNRDw(g9qZtwH_ta{L
zg5I8KMS{fH_`+hj=iw^T;fIN`>Fysr|Gd(m0zxj!F;ji#G7L@MSf;Cih#!&-F}=rM
z#!aZlO<o=Q5%~#$DEF9w;{J$(cvlXAMs291vSiZZNLKlK_6Pq#iY{qMRy86Lf=CDi
zP5j5J3;;IQ%}DiM*iE)`jy|(k>^b9d_&d0P&TC@~bjLGBMpX@UMf}%&-mA)VLl=n_
z23ja{PGqh3KyW{Z^qO&*l*trK;T&_k(CR0MCp&VUl7y7WRMjKYB%uD$Zn!)4<(JfM
z&lzD~LY!^Dd6^4h0tpkn6&0U3O~qUWp9htRoaAM|IW|CvtB0TivW1(*+S^+p%51&b
zgS6|TCS6Lb$lT}Rv%Emi-VhR2^YYp>-_iNk%k_FEG<6)Qa$wnfLI3M*`^ZjR#}jCb
zbZc}LU8_y7gSVmK(%7{Qk&B?3HahBZ(cpVI=%2bWGceG}Jn?A#q!4)s0{nGAc~|M3
z2qF17ju%rbq;;v=^nAfb993HJi7A*=FlFn5q;sGcU+|G<v?)4{?w-wJJEWK%*x|gk
z8CSU}=p;{pAkq3(YO)_i%`kM3Sv+^BMza-HJ3YxCz+KYNK{G-mKNO$sWmQpZiUaMn
zah#-fB8;05e9v|yexS46K&R{Ts?~?WtWppjEgvFb|FO&8VwAH9phPpnst(CfBqzJz
zZC1z`8D6{x;SuEj<Lx{|l#OR}k|MS_!V56I%`Psj(&YmmAd;8s>nSAJa{p|@6NEgr
zJDv3L84bumRfJS!n55uzjeHADB^TlUhGHIKEHOHn_pKjv9RWsV7t&?=g(gw-r+aKO
zrPqecqobMcxeIu(=5zfF1UrF?aE$faeMekTiBwdSVz?urkxFP)aNm~$NJNWNP4>Np
z(vcA)t_LpdG5EFqi%MRY6m_X!+fBg2A{jv$DeXir48Z0a4vEBHm*(3;BOrt_bm{Kp
zvMTT0Eu~)GxNTB`7*>givIvF){wT0-{plED1k#}L9mVp!W+r^)ss1m^_3uAX3cxuz
zot?hqtwEr;r0+d>N(jE<BX<#uTHN}FfBX~5jVJ{Y@<VcI2_KYi63hzI0RcH||1lPM
z)(3z6B0PdeP!*$3)N^7l-r=6A&L-Q;cLOfLX27Y>G=}H=98MtH@MBm0Ljd;Umwx(*
zDGEGoB)9E)52cj)dh31BJ*sd8{Y*3e{lyTi?!TDgkN1Y0a|&N{w!~%WX5|`dfFvbY
z)#LNHQ|0Vel208KFJQb2q2Yx)27l^M`RA3Ojzj^1&rBTZg9DaMhbo=#uzD2#Bi6p<
zr8nOvI2j<SLv{Bm1mz;`ROAge1j1tNY~Y{5yvmpM)Nyjy|NCc<51xU-3QtEcH8UVv
zJI`h9Ps@Rnz9A;)N6*O5FNK)fzhXa}XBYXouN<=6@sk_*X>GUc%qcLnq5mUOi`*Ht
zNNu*RI>6BDnGEM%zgg^mY;GPmoe0zletm&|w=@#yCgJ9~GYe0MqoxbyKX_h(cYmSl
zboghJ+WJO7A>9u2U4;;YzRN%Y*b(u4hhNixe?P*)0cKpAJv61V_t2o@M9~cN%-p;J
zr0Kst5&$e9<qp?AWvY|Yabaj{d9(La_irF5cs*jIxd+eSy3*$B5Wsav56w7E01(!q
zSop3s0j_ne{OX5)9RKfM7$5_tznd!X;UW!_!n7ln3Se>5-T$u5Zyz8BCv0~q#-J7t
zE?i{lfiy3mhszXB+kgAj?@nnqfPEsGyMp?R;h`#+b&w!N`1}9-{Zo>c;E9ms-vJ(p
z;RwFW;>LJ4NrKAUM$K3EBdKSzWus)7In?)Z+Oym+w!)PwJ&a0Wk)yEBwLbUm^o=um
zR?N||8`Q~i3M4$TQG6RU!wC&<6XQgWFZ2{GGzc%0HuQh>U$vYR8}=^m9Ue}=Z1^@V
zc;oX{`cf`Z@c&-O{l1F_;VqV*?RQC8g!`vjFqx2`@KzzwPfq9iFA_wtM;x}kK5#-_
z30_We8yxxV=LL!lo^O+)(Aj}sP4iKlvz(dd?@Rm<zR8Kl{LVHh_0!R}U)+h<ws4N*
zg|pt@%n=m^23(KL4st(Bp!g|6j8*MEd}5m0n&jJAuONATKB1RW+W(h_eF^On^g*20
zt-=TtnK@6&sKmj?-dI`x#YI2_b`^GpncItPPaG4+ZFF6G^WjS0J4dY>zPFnFwwdHa
z5Zm)<3d@=uLfi_i%^O%X_0vjKzy0QSdtiolAv1Y*+!ITn7-wMkI_4<e<YN~_XU4z2
zJs%vFpoedm=~$)IgG1`iYOujW@$1oT6<7c1-H9K92@{9jua#j_cr!4{pYK9)>0pY|
zy_vsm$v?pC?sxl1qNFwLg6{FdL*04T%=b4JBuNarE^~fXnUP;golPe;D@7?_<%nT(
z!XKKDzS#}aE?8TWXHLPd6(T4fnI3PsgFIANOweDwiu4iKzL$?KPDhYL@fQ_`@fhNN
zkROQ}`eUoy=6ahz(U(jnT1MdXm1J_N_=iuF;h`*Y1;YO39mu6&`^c%qZeLf9xKoR>
zup6QHD1IhZVE7MYtZxfU90+T>KaJthF^WUip0)2fVF3@t@i@iguiHls(L~Vm&vB>B
zuOusDj+!aOf)y4g3-9^s+U^JDXVuw3^6*F|4%uqUXB_+Bp=f!?{u&hhb5%7CFz-8L
z;p9rIUkp~*eE2~5jJaYbvrm=ftDnqqQ8K_keB}YL%lF!iG&ihsU*E;PCRpdJv@nit
zWSyypeSZ4TR?CTlPsG>a$Ue0bM@gS|2}*DQb4kA4%=GIkjqJN1?XsLM3_`8QUpNL!
z@tU~W;RQe<J5MKmPN^U)ytQh0(Ce3s`TJQRW+LZ?4Z45}?V)CtjCghUisV=LM2MpT
z>5peqq__~H6UAgr^z+4k2E+jJ56ua?H$&%Rl<Jv4X3FO)R$o58K-3I~<r^dZYIWoa
zh?uUEn03ZgFma{AZ3*J6u$ugj!gk^R{0(3Zs7pJa7fTC`H9SN9S`t)amrEsGc*OzM
zSS)R)M_Iu-8qoZB(qDf%qy|8UXH4$EcDQN|QlgF$7=gWhIc)y(h={E#FAgm=bLWnI
zKJyjcYjYhg9lT7o^>=>$ng|F;ItFx`qxQgE<8zjvnA`)lsxmeL@2{U(RDfV#zWM=I
zHC&jRj=a+M)rlWl^6O8M(_pT*FDfdD!>&$C?foqMk#Jm`4tRn@WOS5^S$u!LatO`<
z6qKLLRk?H<X|mK*r6Wy+!=XUh`24T?qs{`qNuf>0gP@O5QNyKihbnh<D5tUgsnOuu
znLT0+ix7p`HmnBI5bV^2t+|t7XP9|TRsGe4D%^nIJagVU7s(pVoVh<^83hl<rgb~(
zuj_Uv7e1n>6EMTB1;K1;f&jHTEOi9+eUo3#EhRHtpF8e+ci5;xu(N)){%sOa=v^uj
zndLbGPbZa1xd!v8{_ItVufSK4r^y~PqlOSIF66-8BWD9vf<w3CxvOk%{LTgV^Jl?q
z2jKo?YmAEVVUmm(2xMuxR!Q3K`zlD1jbs;{fC6wX8j_ihQUCel#1Zh-0U>fap-4d8
z87u~h)E_~PiN_{(d?6=0+kC;0f1{1=R)NaY{*_+y`NMh=rY~-!?8(Zl60fFtJ{BjL
zzjzb)3cq@aO{2X5M~Ka#CQ=;k$T^d9pOJ*?>=k^Uqj#9ZpZ;a9<N=B%WqwSs*eCY*
zP3;BbSelZ4DLQK>P4{oW@@=UV(j;Sid6HVFt#={oTDbui(t74zu`rnc-k$zSQyut^
zOa$<4S07+^{Ytj@wi7>{@p6w_jiF^=rYL2akIu~Rx!x{*-_b3*_N4;UST}5C_w<v0
z3|$a<-o9CIKy6DRWj?|$qkMB4`pMy%NbTQ0i#h_&XFyGRxRPdyR!fx#i9sm!0~)WH
z?rZ+@@)1*Nz;U`8z%a>+SMIT(BlZ~t>95LFR%nbZ8W7i=zzY5GRDH>WC-k?KX{11&
zkf2G30A2ul0Z*KUzp!xE*6~IEEGa4gViKa{vo6O^!Z+Qjzfty*^JA}Wm`Mh4ziJu0
zTdLsDuAlwTj}1Rt2q1@!!fBE()!s<-hn%Ns>W|J3+ph}z_^mBJRf9S3urXa<QG$(H
z)7s;OECn35B+|o%cnw>p;Qf0%VePj6Z`Y3LY%^kfE`&l7f3#Ov1Sc|xV~tBMY6{aL
z?Bla`uxueJ3g4532o%0<lpD74^0A+30;}Nd#@gOAWnM+hmigpvL<^W-8}>GghiALY
zpN>5fA6Ns5gX%!I94vy_In#rPwVpz(^=WGu<rb6sZub>%-7e?x&vG%tCaDF72O@_f
zj0&vPOsTH&cZ-8RLL3Ii`@$JHd9%G>3+L~&Bk>&ZEm-PLsV7+fn3Y#%!jt)B>{>gc
z08h5hw4VuiGBd(O18jRUKOg+#_xHg^aF4s{@7|q97J&NjJQ8ocWUU;Q_OPi}__LLw
z!Agy}WGW~q;K{DG3n7pK_B>*x`MJ9`PxP<fgQ`TV^ogd605xKzayNXD1^7bzrHK5#
z-f{ImKH2}jHQ%=8TJq!ni?u%whq`^=!0{3-kF-Y;Mw`l3$)2sv7Rr*HWXrxU8N2qf
zmXV#ZWM77{({4A6b%vorwn2pvWB6XLR8POp`}rNm_mA&C9S$;Hulv64>%NxrJTEX@
zMV}m>Z;54`3P@%ia}4(9=(VU*e`GfPKH+~wYT&R85B~gF1lXsO^q({NdiOJ!9{@bC
zBty=8-NNSp1=?Hnx^2iV5Fo$f(ClwHf*{emUS8esr#68ag6mPZ=G~|LD3hvt*#kdk
z>%kNR{GI2wz5YzR`I;0!=MbFn0QB-rz<8`o@=HHdx(-#+69D6_@dcb%8Vo#r*SS&Z
z&%?{Z1;*ksKZce8;~0JZ(@O8}`RE!ri3G-*i{wrv0fH>0!;|qGaH`{OvBAms()D!b
zuMd#(0ki*htFRQ$^y4#ml<7HwE|QA{vsV-r&-inOBN56z<Ao#<dDJ8}sEzZN(J5BK
zr;!>YOi#dXOGi}{BU0Xs>hM+{yB>4>2^c^^!IK4$M8>M@JAZkgcSr>!i49FNgwy70
zjH*Cl=TtrT%`?HSlD};lwFRC|Np4PWH)D|u-)8c!d?v6MZrJpM_}%Fm@Y|Z1Dt*X9
ze`SR0!MJ7Y)NdyjJ}u_~5NLhCF9LES87Kp6mFoZ>>P~tf8v6N6BE|2^)T8-IzyZD=
zf9{%dCm&|uHj4N$5N}}rTuqFI5Zr!bN~M*<8z%7mjGbRG0uCS*CbW!!nq#{XZ$c{I
zea1kIjPZBcNH~F%7K#%io><(KlVs4Nm3{`$TK?kfs4Wmsh)#fG(S|1jrW#uUK$A`}
z6|<Vx%n?*#r9AUwmc|bG0(aqrNln!@Day$bn=WN!q{xYDIWGaeDDm2H*aK`Y8@^^@
z%`2lXLs$BY>6_bzQ%EZpkOR@Pj$aUL{)`aJV?hL9Lk5>Rpe1I7w1)QHx@uuzA+buu
z75YP?JyzH%RConCK$$?uUjh}$3}m#kO|O(q=P?*$o>A{wuz_JS#L{7&+<SxbV3orW
zAptFcC4HoV8F7JvTyf@AuK<J81*lXX6Az$IC{c|8!hd=oVEvy`m^`bZ1*#G_%t&9*
z8vr7Y4%-lm(zu{8ivUEJrfHyzH32}IZqO<Gr@!u8D}ZdyBlD+sdtY(@9FohM!778I
zB}6?T%d9T6JhpU2_oj{MIA9o<DW!L^K#H#&m<~E0WdIV|30#gG(92^jQwLdxGcdi2
zxcY?*or0>ZFa~tZx=vq!ojw0g!%0IZcIGj{H&OiztYyZa03|u{RI@YRM79KgT8Kge
zNc*yn3eALxf8K2Mg@NO@eFX&gGimItCs9=6=3~Y72wZ-1t^q`WFS1yGNRvWF^~Fc5
zdmn&HXnFa`s#s1mhW?nfUf)XK0N{_UBj`9zR({=N(2XAM^8~C|D}S%<2S=WQJI%Mm
z7>Li5U#b0aOX2I`46t9ha5o%WT2mLY-nVsLVGOfDHyX>|Z<}9@+5Q>C8{4fj64HTC
zp<UYVqT-dZPvZAuf-lfwELvTj4a4qn%;7OV9C0TaRLIJa5#oj}qO+Y0_|JB?HW1Ah
zu*q_wi85k<(P8%=Xu%u|wMch19X%KxlCg{O2>veO0srzh40?k9Aj?+80C=LD*=Akz
z#%Fhm+Hs%=EpGDW{db+^Pf_N7CgRF9{F4fDq0mrpDEoBx<%Y_SLCogDy0y#SRa6rs
zMJ8m1>cV<JsydFI*s{OG>K$t_v6%$A5*HKp?!R?;Ku(lM=RXl%;zz1Y00r<gSl7Mc
z=pO*(>j9OqojpIMuJT-D`Y1X8&Eq_CA@SDGUk|)FRUYLQ$d5mu{#IK%C<9_Jc^@^z
zPdzPo1wcInUV&hgK_EJm#1Y31teq=}TIp?c)A+wP_&>W8Jy0~j7QFPHpIB70Y8vwc
zrb-qFep1oYI$uEAy4CoGNllBl#7hX%=7TKnk@)+OuJab#rl-eWfE?IMa6C)U)PBBA
z>@-N`$ucvWg9pe4n$O!UX7)7D$L$2X^-G@bKrwj^Q0cSitxPT3WIhILh`&+^_}tbS
zW;Vf2;M9!q(+=1l3LmNc9h~i84Qyj7GCgjmTc?EL=x!8tfK8D@bVCwq^GsmYA*HG0
zrUB?|SztL}!1pHh--Zzopw1M@`BPyQwCKER+6TZSDnNzodo?1YoCRv3i^e83KIMSl
zP6IHTEeMu|WtDn;`%F1W=tDGWNiYoT#m0n)K)WKE^{CLXaA^>&69E-!AOHFv00|v~
z)7mPA1Dur_f^nOzXu*&Hj5RxDhP6jp-#)9XCV=J#JaO$yV{q}+TgF*`J>6j=IG*FF
zXLOOC&yh@gIg+D9?tKOxa+ZzG+I)$|&|>)>(X<Bq5FZtrr|gj$&-v?Y@2Iy6G~ZMN
zBXHY*nec48J>W}8fN7hpu7T0rQ=qTBXuPnJV2w4}E-@VLGqZi)$ya(IM@XWU&HISl
zo4$|_BFCYlRr?AG8ANFWL$?-}X2H=mT5cF6BLim)NJJchq64?tQmPIp^LX~sb{qhW
zCSz^$8Wvas?JNhI9{+9?x`5Lx-+vn6LH^F}%9wy8mjjoGcvC9zw9SB}X^w9o_;JP-
z7_tsf37>v@*WVTlZr7U;cFNd;XyFYY$65E9WNmG`Isl#z_YGQx>KFWI<jWr`?oex5
z@EhhQR5_BG^$c3YXIR<mk5(pm<OMP48N?D3IpaLB7LO)DFK=ePUaotk+J1GqwUSu$
zj#?MiE{c|Mge{$|zKDuTL_fs-3U}lh;I75^u#Cy?f(YixeI-rgu3g6jE1!)>zb87o
zHy+Or_b*?ChZg6_Z3zG^uBU+i-~B40-D1tv{tWROwwX`G6tK#%dP)JJCZWz`PjTuu
zn9tY={ppt(!~)Y`xTM2ps_T)HUi@V5o_Y`hS4K~j=+vz2IU^;0I$Yr9GIeV|7~@6G
zRiIR+fryU4Aeyo0ef0^6-&(6dP*>r2s@#r$21{;s;|3yG2eH@Pt?bX?f-x4|onlz-
zVgu)UmY?79gQd^-9~Pu}fLzfAJ+$8>#0ifC%<xxA^a`ksEzm6=vBf7Q*^EBK*$-3^
z7d@>91mFaF$W9qDF%?l29<?V1bEu%uFe^;Tf9#nj4Q~1pfYPvy*##CebwqFk+7$|^
z{LbS4PB|Hfz45(>Oxfn(05RqiFePu0A$@bw`~!@BT=V|sx8b3PPt;}fKs3ctCJu27
zf<gxAUI1<J2AxKChy+HZsGtPodd>O)&KG9$Wr3rqDP1#QHOxaf4^Z9-JwIT-_<aP>
z9@jd*ITDL5S~Ou=7PtcK45Lv}zrr-R0NCFRhG#1hO`sN$jYK+MqvbHEoXRg%5KVUk
zFFKk(XMcR?rb=qml^*e54SmEMco>k~jo1qttDYyUzt1+TT+tjm5@vtvQ&k@TmPM|=
z3V5jsAWdz!jvE(@%~5d_KT?Cn&U*c%O7}^OBR^FkoLU#&jzc^pc)P`cgW;;f{|xW@
zWk8#sL$t9Y`%)4!B+(<Ee@3|{17S8{7Q`+~Fy-|?I5JQbU?UrT$6&DU>yXC+nS4{D
zTO(16mujp#(qA@hwz9Bj!0ZFN---vtb!0jg2{@zQt4*+$s=lzEps%ixw*U=)LFRxd
zcI>UvHH&mjI~Y!f00pF*JABN>2dXQD(c+};Qb!Y@I2s`j%<_swiS5^&fjW*vuBNFw
zYaw}CO4~Jupu&#n1%lpxw*Tsi8ZT6ElVLl?!74+S?ie&spJM;S%bSPy-iJ`3cM-yv
zcXurK(t2GD?7w^gymiuyF0(Z^uq1u*2LT}j(Vk9C53hP+4(Kh~LY|NXK>;9dpExGL
zx&Q>qxN*fZLt3ZHvPQpmzx|`F=1<7#QYI%Dh~Ul@d{=T3W?qEJXn@eUD@)h834~xf
z@nehmP(><{{g*3cK+5VLKex{>!wVVi{b`oev}j*>51>1Z!2@cAaY@f1z8=vhr(4MU
z6&}?xJ!dL<FxQLe@&&?ZvFY25ql>xi44t-l<(I4y+%d?=i#T@LyWQ$z5Bc)$dso2g
zWW)JxMFYsEOt5@7lA+S#H3g75nFwMk=Bhy(c(nBANtvJ!&(CVfw&%1#JsD`tdYq%p
zF`CI4CFfCb^-(RS)(#J9#|5aEqOOI=ut5)|>HSYY)=3yAO$I$!0Fgz2Ue-%E-{aZ&
zH3TF+2SU_I6^sf}IQnT}U(4l+7>IdBl{TN>J!rjY)%+}FxBA&rpCUj@s%t->VyWNY
zuyx6A;!K6(dGwR$)GM%+z4Xi4C|ka^UT%3-&qE+jjjH>7#I7L0v&Qiy_9tM@moHNg
zbgy|%Kuc(@b~YwdnyNe6BrxOp2?(N2Z-^j@FQM|G@K2_<`G*c_Z(vRc4yF(67q-0I
zzd;tF19QA88NiAzoVHk#zGCa$nrL9`cv?<;A%EXk)G%$8#h^Di3S5CRP9I-A`(V<h
z2LAH%(DmQv>VN8>NF|W9;MF{k&pa*bNLaH&vTVS7{M;N#hY50U#YkD4-eC48F=P-3
z&yu48%ALR>)}IVoI>#)Nrpc93!e#)@-#7mZ5kkdW5}a7X!3w3rc+0qapyAk^ro}Y=
zOwRU8y1jHLAHf`yw#R)35o4gqR~gd2Z+dc(PzagF&r8VsKCIT=J&~qmhzV{%9F7;$
z_twxBT6qC*7p*W905|iZukHKG^kkXfHre4WYF$+g8I7xm-|`Qidqg{(I00L{n7~ae
zdoCmqUBKSb8@3j+Ck<1ifSK$I>|Ff{w@lZ|5L0vk-*kSePY3+U3n~EOeeA12TeoPm
z<x*c{J05bQY+o96F?JOsUM<X;E9t;Nze=+X{lab!9OT&90|PgO1MFdpFwGXIQj*hU
zLuWvIz))4U*S<*}`)5;QkfeNk?>6EOXhdFfx{HL_7dH1ptTF*Jp{W#IG~di<P)j5o
zWCIdvTdgqs(SJH_JB$N!a`**IY7D6gXk5iZI<1YN0}yl){_k{v6A3BU2_6*lQ6L9c
z@!p;nWwwn24f_0Q$U?Kh6EY?8M$s?dbYePSj_*XchV!t$l8Hcv?1)g{8rQ`f*E|}N
z@m%1SrO2VeVf6#~IT8e+vx2cj{MqJ=SHQiC7is}%<MFdn-F@Hv1ii54Q$$l>fp6wz
z{cCXcG2AQQ9;ZNLJz`Urc*>wn*uwtq7zhV`Pw)f}eAOzIwKDjx%IQZCBG5C53U1v4
zLlALgK?jifD5K^pj3n0LezjGd_lx_~@>l%C>)p?c|M*S6odv{Xc<qN37xJYKl|YJ6
zUZLMs^crXW6$n19TQzF;VEq1+agM`PqRQhimyWet|Gqd$grE0tIEzXeJ1;{y6RW!H
zhRAT{{>8D?@rC)-vDV43<|EGXwF_=PUTb%PKuD3vswL5Te*aR+bnW=DE^_IO`jI!%
z%Z=`pFO{qFK3%##_sa)`hreQCGfak&rza)~sXio77LYQ{7WgCudGbpd3vg{g<4|>M
z`M|$O|G#Qb;I^P!D9*$mE>LS)>$ENLDxj0jF>o}lg1-Chv7gmL#8n-xp6@n*u*SZS
zA83o{E?@`h+B^N*_m(?}c%G}g-s~^nEIqzLxhr>fi&vl>P_$wqOw%mHH>Y0yn6Y1Y
zi@9d{@2>yt^B)WAxH{kxiEX=%FbNVsr*#Wwll-qYgJkgaZYVxM$;FumIhkCWZ$sr?
zG~V5+bMqc(XyC-X5ByFW6JG(C6y`*nBx23XhyX*(0P((;;Nl7?tup_9AUo0)<GEwL
z54xB9It&b-V2@a=$m}8v??G%!Ae5`_S4Bb2I1seMZ$g}@U+$8I2%^E%ZG_*f2}K+&
z;N~H@J5oNF=+0&4`jhee)$k9rLmK{zS5ZwXJKk*KJQO|;O+N;P^~fvfz8(|&^E<y|
zG1QLhaGk7U3(Fe?T;@oY9L$FYY<!N?i%ZGk@YVbFA>H4H<*yoUpcgFtQ2Py&L8P-<
zbHQy#;8TbR(r-sy+F5@SKJl@jQ1CB*8W_O*!$KrIK$!4*WbM}os27Jll-GGE1dKqR
z^ZIhA`|!8qbN2gQN;ZdxO{F{OufXAtahvYitc_|i=}G%W5ah9AAfD-drpfd15FDzX
zb(|eL;137vdFb$`K=aogpmt=*iEfy9zvCeQ5k_{&|9}6Uzb{zCbbXFM7a`lFE#@=S
z`B`<shjwmG2OB*(c`1MAF(r7+$j;IJf1mF6S8`>rtZ%hv9&-x>+I@(Aw*KG_ZKQ_=
ze(5uevk3vQwSUw1e~b6KkWn{Up+i1^^_pxdYCF!Tfp}n-8)^Y^AE2RVX{f}$<A1mQ
zqXDekAm(o95yU|6@2^Ac@PSAB*b@$B=>T83J#v-#-_3{82v|t2@1@XqInhH+jmbNX
zAsv0E=Q%k!K2p8@LLDW!gT+8~x5~Ucu90;m&#*$x;Nz{cVQ%}M{zx8|g9!_3HI~2Z
z>F3%7y1}!i0~RI~VW<l<$1|=UgzvB#MhYv)CXXliM>yUidkpBY*mSm~)p2GE$8yII
zV!Nk&tGgX~lb1xYY^TFtAD7m-8lvD0ch@z}f*#|GoNs9CNCP|Nj)m^;W&UIQ0Rh{=
z+I)5QR6K>&m)&QN0}tfF;XBNE#-+5nu@<2k{^F|9;<L(!@G_c}PX*#4n_j60+NIX<
zma=pQc4cRnH=mjChxb|SxzF_<Ru_XT?C~h`1EFy8+15^eh(I_eDL4DXw1(R1GA+M`
zZc)OOxTr=Aq)R1c`Eg364l{ULtT5P<ir(u%B{bz;>hOU=QDqcIw$_&!1ytOkh~@47
zco7q@9J<DqrHDPSaj7Q>n;8P((8C|2Q>QDnO3vM(B-AcBr|A!P$IVs>m@ZGf+)2cm
zkNV8!?(X%2A;XPNPvo-BPh_DdF_JE;^aQ$N(rN9%T;rkTvtNrtvr2VDMn?xl9Xj3d
zXGfO}^YukoD4p$#WaIquI<AUpgJ{a^YJo@Ybizuyj6sc|?P`B=MORj)EB38h_f-Kc
zhYU{a0$-L8ZU{HkH@~dFJvmO~9?OoBwH|DYa<>a!lAH+emK<q2A1~WmC;)XajH^NA
zjL?d{dX=n7l25Hx2{k7*PRf%IWYJW7o#+xZSe|nUQeUc9BJHbLb;b2S)|I&@C#H)Y
z>2qDdJ5PD(YDPWu!Z}`**}$ttQ1{PqC2@A=X4_B-D`#h6W^d=}9i>)$$U<f&5ZIWe
z6V(*%0oydC`F{l-z(^5B)g<Z#EU<7^{ML<u&kzeqf4CJjyRpclGxN|)drp3>$9}JD
ze-qw)K6B&+H@bg{%>bs(<W~9a1EKNM3J3J9tXbTh9BFmQ_Ql0C^)I&wdP?ioq1Gu~
zkk=Z2UKl1JyM4)omv`%9oOvNr!j!_}$0TRl)l5D?*EbEiOE*Gv#U;MvvS01P#?*>#
z=*4+45Owj=BOQy9tDg!NTkUxkKD5Lo6woqGEtDS>QtPgEtYR-ol2$t_|F(5(qKfSi
zKKF@<2ZMdzwCs#wg1?*Xs1>tMzSoWT+1Yy6RzjM6Xvm`RKOLcf0?QIL`;S(lGN8<H
z=5z^kB)t2Rt;(*O8KKgQ`*?2e-g>I<^eySrvql-~ndRfUi0Yf>r)HKN<Ufnpt9RD+
z;l@+gXT(1}x6kG(GpWrn$v?Wm!Nbqd{p0#rkGJlv_-I*~)|gD2KDM{_B!#tMMGZ<F
zb(&tEpPR>L$I~h7IPDWpd(38Pl6*tiH#lg`L$xkb$N*>GQPVT$L9#LS^k*6OuE6Bd
zwKteNOD*9L6(7>|7$lPl-Nv77AV$@$a&?q@_NF}DR#RB(%GGBl>QF-Fn|QEbX~FiM
z*?g5)q3!N%H2S#EBdT%2-Nhj4xRJh&?4lcPp|O3z#^Bnu%Q6;Cl$YJ-9Xvzr`+i(k
zt@>gEi}y}oU+L6jgr{Vv-6E_=`HA1oIPeWqk=@ZvivONaC2*#y{~QYW0Zy%3C@PtI
zb1D-3U7vyJVsS@nUbZ_{Po4St^&*?ikZc^*s_s&2#etPZ+lrwmodh~pEoGOx#Al}x
zPMLGu{tMN!q_7t=?ieZD^-hMm7ZBCXapZdrG;!4XRm^STl(j3HO=Nn8H};L1oy}&J
z(VY2)7ndFEUp%ANHqp{4kRzl@CF`hes`%s-B29I&{6gB*WV^DgsnV0<ZamXl{Gf5F
zShG3MZkW>hrq#&0$Ea(O%afYjLMdT?ha<YYw|A(0yGUd<_g@(bql{8<_WiwjSze3z
zwG%&5-eNZx#VOg!yYtJ49-<ZmmX1|+Whcz)Ua9E_m9p$fR(-oMmXM+2?f79`LWrEG
z-23O*|E|&RujF3AVs0>&t4K0{GsnjOC@#eRFThgOFJw^1)5L0*HMZAC3ri{Tm%gC!
z>o{(FN%uK_k6Mx0VeM_xZD%w)$2jWCtj!lasLD$|^=6SC$c*nP7YK9lYvriFBxrkf
zx!IxO`|Y6@+mctAcbiQ&wU@GVjW+2F+tgX6P^~?SDnuL;>6b~m(fpzF{i3vD{B5g*
zS^Z?+?yD^cNu^d6;{h^a=J>XG3_mWs_roeRnptFlHiNZdM01wX2bMoKQ7n>}XA8}y
zV^;2Nteq=z{lVNb*Tz*j9cvU^zjAxFcIzEr^sSYme&*wU{ev=sn-xJ(S|c{YEX*ta
z$`iiB6rEZi*Nxeh=WjGfDVXo*yC=SWP}o(*ZGUl0LOZT0%<+YRq$gp9W0l}ny(C^~
z=tgPJ(x?fV_L&zMT^Lyyd_ndkzF(AZL~%&a=3X=7Ju&>DI3tni%xAP4SmjN%XY@K`
zR}Y$K-lG_(U>&%|s<>=X9Fye&>q_)K;E0j<gji0D@5=e5?QR$~s%5?YOW!vIpIU7P
zEU~)&x|O0d5oYrw+Sm{!=JlOLU5;){LS6Q2<Gp+~y;`0}XCKmLuD)Nj`B)j(y@~VS
zuYmOThX1*VckF^|D}0Y6|J#4_74Wh(2mfI<7bu%$=nS^$?z|W5*!|MFLu7d5xLPo^
zvf8-UV>)=dlnRT^aT8-SX0S!ip>+0B%iQotv?Vu2EWD&`uDN}?_{_qT)5DD(6JyKE
z#G;X+f^M9H0$0kSEdQfSq3rJ5C(^TBxU9V=kn3oi{{GQ?b9`8lRdP*NZGLFK|0;M9
zT~0fS<@G*`x{`JytEBPeW%`5&vFR8(kaAmsJFBiNBYr`klZ!CoHdQqg`Y@hs8%UuX
z8GJYFYWH@dn!x~}{aWz;C^&Eb7@V|Qf6CxB?5QE=|11Hd9^(KZR0W8u(j$mQ^q)y=
zVW@#iT%hc5L|~4zf%}4yM^{qZYIk!!t95sei52&cu_J7m2D69esnI5xO};M@deqOB
zMO;c6G)hy6A_TA<wI=kd$M@J<n+a|8nZmAiNNhj*G<(DD{BnJJ4(@om{(u~{ZqQHj
z1;-}w83WzLC6=B{f<tB20%G)imRR@bTq6!mlWQyA6g=99v#GngR*N-DY>7p!m#+#r
zB|3HOl`OG-Vi=gi^b*`O{$7t=Exp*DMt#=mdp%?#%by-XwBIT|rKLUSyIuM#wNFia
zDx^KAyD#H%mr;K8bd_Zja}toQG=nu22A=pXgUhuhr`O*2o{5ATWzI8rjr`Tb>PeBg
z%VB(7DGez#l{)lJ9tJ&G?cka}S;4;x83PJ@am0BR@)*<|bX+z*4uI~W!Ph%G*y~w~
zVF=W!dNrxUeW10mk)UVB^|)d#zk0B0dc_-SGDt}mU8UtyXMBCBm$jI6{mVR`dYsTa
zicYEu%&B&s>exLuoI|`?X)gcuQ4jTTxsdGYw|m=aZ#m_S7Lx3)&XkvSXRKBZd04SJ
z@^k4VcvanXpWKfPzEd-B`gQxp;g;}(voo4TKk8pd2zF(SgJ*Q*{ND1iQY-hyoo7B(
z8|>pPDfS*UGt*o#^nSw?;hoSY!tf#0h`+qU&v5zwuZwtx*%(SS?Ani}@Sy$1l{Ser
z&i8BDTGP{2)n5Jh+U)5f;<L2#-sH3^zSU1OXTdUQ3x49;!homWl=J5;`#mo87}klD
zr6lp6$u)UV@nsu3rD|aT<L};)$~NEYud)Zdsn?}$yOCE7ToF%ZHFA7oW?M=pgg?bl
z^fHan9<8+2$!W$0+}`1xL{rDDg^7KkC3;z3EU-7GVoI#e$ZDwLS6(fWgFenovyV4d
zl*D|%xqU-o7ERLS8wRXP(>)ndwSxn>kL)mxIWoqzhl0P%>X&wo&EjXtz7wU}cGfTD
z9-RBP3jQZ`sE0;3u{qcNn8GC#M`MxjO~z+DanEgEF*G>(>*d<(^|@b%-eyp*dAvu0
zYp6-F#iS^wmg@`yey55F|5wA6$^50oFn6^cBr>Gt8WQzf%Eb*#M{(?LSVjAAD#W5J
z!<s6Hjni`bN^S8?d2YrFiTKI+*P)9(?;k$9Y&Kt*7H+R(-j_b;RUHbgQ}OfL-WM_!
zr5qCu{tt+#4-X`0k50EeFh^jXDv=&LHe=Qan+I#>U!IsEh}d?TziMd>x6Ax^bu>OL
zHtK}+@+Q|gh?b@DO~9vDjP|=~oTj{&UCp^QxSG5oblJ_4+?}VPw<<>QAdd1Fd;-UE
zyy9HZVdurP&C!<slPaQK!hev@JwOjVam6K&e^ACn>EM;$tw^C;bIz)<G$pP35V%{r
z%-F`qRAlzvRl9ZZkZ~M_Jok*bRdeB*fTnZSW7{WkqC?7!0smv2>(&n<xHjAwH~yW0
zk<8}1#|7%3uvrA5^OGY=QV%xwet#!itN${rhOWlVzj(=3Y&kP{fvB))MpIKK!6~RQ
zx=$j)(oFJ83cGNERnN3`;d3=`Xx=4KM7`57xkzE*c}VYno(l<hwFc+Zy-7%GB6Ww`
zhQKojo`yZXgXa&}06gqZXL0c#yTKFoeFvkC^M2EMbg<l~e1phkH9e=xp@(vRx|PF7
z`V7#jB^WB-eeYt53iR6{C1t6PX9(O19=W9;==6cL!}-t7AD&OnxaoM_OB_^0cQ@6#
z4$J8H32NKMpC#xBMzEe0oHrKK&N)IX7o{JaD#|Dx61<pH7nFJxt>T{>5o^rv?vpcS
zRwX^a!C&o}-D#Ghm1at*yV&PSU?;qJKya5;8nNAzpF1-Uezf?}zy~h()D2R~b^ZKN
z*;-Yz=5N{yJ5Q1mzZt*%*3Gkbs_yeXM_J+;^6LM6iKc#CAPZz!A$;Dbdx=8YFZJg9
zo>Z!sTn-QAK3X!J<iDDqp@{eNIIqGi^rT$1T6c-EC9`KcVY(zOKQY?)tcs+2j$3cq
z#iVgsY3et7S1QL39Xt6v&QEu)==dJdmVP<rx))bxtE2pgSA|t~2B-6lwB%7ScNyLA
zriV@%E-v}THlA_I;fGzyk0abFQW(C0@*qDqev!+iR#iPtRU(QPX@%k+`qZgwf`=$B
zumZ2*-X27GuSRGm=LOUe#O_Vgt}>oR<O^OjHGTYPnWyEhkJJ&&1RiqLAK_LKiDRoy
zVzXi0Q>HIx!_%g8DD6caUq!VS^_T;SMvx#x<CW1|C^|KybL3WLJA2{$t9+iPY^Y0d
z-zqI$%yl|DoJ4<6(Fk6BFWP;X%!k>Z-Y2{_&>C{?c0c~m7;lzSf<FzyAF;m|+vW}`
z!9ytprLr?J9EE06K~TF9BY?V5lK|=lt~27-|Je!n3yyM%;{frw!Aj)asV^Ssc;(DD
z1B3~o)Qdt&gQ}j<Y&gC65`Co*e3WvO^MdcH==kU@!s<~)3%=p4U+6ppe3G&eud;;)
z2704M@|BsnT>DC$%Dgql{fC(E{-Ak|w@Q<J)obb!jvM4BxV26$hAmDRjK8Q%<Cb-+
zyE3z<!7{$J!sz>lvsSl@KW`X+w{tp&oS&f_MUCF?8NF@dL<`rK8r-b}sV}={A{(bZ
zCE8BkY?vVUJ*LH$Sd13M)ZqBP7cKPDZMgXoP8yytsQKu;mlZ|2D!in^y){~`?7U4E
z-kui|Yd3gQz)LH3_2nF`lrT+GqHzgudd3ycPCH0loSJReKv-~8&fTOe66O}BCwV>=
zU0d9fq7la<F;t}Y_S%a)p|X7X;*+^nIqO9`>kj?QB~wC#wClabFJ*J~ndF<+E4t&e
z8RVE(*RZ-a`&31Y@o$!{bnc_{2IZL=*!1Qx&yorn>1JChtthb}{oMktw##p&2;H?t
zJ=f@DdStub^H3&}!m2eU8PHe&Qw21Z-+YdL7_5<^`XSMbbExx35g;{u>rWR1Kw7{r
z?C*T+N7&@4Z0`^iT7KkSYf#SvqtpufG}poK6~p7wZC948f~EMn5+y2qFto~+#1g$?
zoOI9CqJa6kB7{6`7ZMs5JlAr@`qf7346@6nBGHbnL|$5*hG*tT^|pvszub?f{g&>}
zk@h<5LwjwvewXMVn@7_-VIn<RCSsx##vRpR#T+E?YED!rd_Hl5t!ZY7nQy^2lI5qb
zSxoTx<nZQ!u&w^pX4P#Z8rk-3P_OnZd1xZ(Xo5uA&&{&5P%@jS#0E;q3UCsnsj*(d
ze7Wjq?&*!e-Q3K@E!XdHx?mm)-b}(LMW!1b<CIdA^eB+JYb~96YkLLHY)EZo%5u6%
z+D`4%4eC*?-WQkLAIyz?nqH*ZPsyxyGbqp?6{p(GGC<;ot?owOnZqyjuI*9K()B=_
zt7ZjlG9;0zTh(W#$KoejxAH&3<xY_`9t}+6ZP}E<L_Ce`^lWHmThJ{y=0VTZ>&fC%
zb>2dIeB8fpTXW`_NUjvZmy1EVem|*-%DRwW-)4R_zH@Ujd~e;OOVK~C!gEK$AIfzz
zG~V0hoMhlVwIC7yq(X_ASIH>x$^L}n)vj2n?BXFajVF)#cg%!wr_v_M)>|fVlg)NR
z^Vs(;<<Pxyp7EdlSg|AD*=k3kPk!ezDgKm~?}M#1RZawIBdEAHUySS0Gv)R?I?=q|
z!2ox`iLOSd^;db3RhdF;F-RpyDFeQOHB0ZMp)>aaF@K@QJ*?6qTPw?LuBn@Ohd}dL
zYWFI&!NuynpOos-a;@Imfikn)247mGspqOJ`KwzW>-c;&nH?J~6rLp(@sL!<FkWd}
zkuq@y+g}qR)5db&ewOqtQL6uwX(n-mFq_a%e4imbZ7hb%UA?-$ui3rayHKm#PYq>D
z$2!%v>p7U1<(i&p_mZxb6LsXi!Fj&;$Q`R~ZdSTtm2VP=cEXW80?}O3Z#Y+3vdIO5
z92xWo`B~%Xo0P>?YW!$$MR||KX_C-{@#Zf7EA0Hpegp`?3GuzUQ8EHyhnXu8wlTbh
zq=w~M^_T#IAC%tb&+i@k)dOW>2JBo3Ru5(SI)^Pw&&jLKzlmjg@3E=k>`MNbnL#BM
zwP+9iQL6J>{B(|LA3p^v&=r`&hT?WoZsjNKbxq~fFBfLcUp|}R_=4Ih&D{CKw<x6Y
zsndWQjuuB);Vnng&knM%9NM6WCNpQ{FJ8;iD*Y%&ttw5E<Q?uLFwf^1otP>#ncI(E
zf5UV^ZW!xgmiwTKU}KXq#xq(jthc)Imc?4&erX!Uj96Exw$Z`GDlargaLO}YYN&)v
zpFaJrBi}vxRLvJD>(PhPcEo!2;(=Z}>q$??2+6a<ccYB=c`u*LbYJ~pyRU`c7=P3E
ztL5^C(|4-^Gh1wGN}l!!3td=PlCXU_*Q!deRxiUoXlV!{PWn5q_P!Q1xU^K#l*Z{9
zMIuMbhKH2+#*J`IR=@K1UkmCKOTn-!-b<J$gR|0XR2ka*1JQvfO-nKR>#Lu!j5rJ<
zG`IK2Y&mT&Ehp*sa;}S+@W@J8Rmj8Yop;=w6sjHGq}IdA-Wz*JAV*mTMe{JRZZ&ea
zqMu#Ths~LqetfNuKfL66H^$5Nd5PN(ZNl;G!!-d_7O_yP6FuL{pxkGdX~Z12y;^SK
zjNqtOT;WY&w(6J!rk3!jlFKCD!T2Fcc~+84{B8z?%GBz0?HDDQAC!1$k7Faal7)zA
zVeLbux;8h2&)BD@+h5DBm_p*4dD7@vW-*K}zg!7w{yA})(#ob5-I{b<+P$hX8SD1J
z+_O8!UOHM)w#C&d$h(P6f!c>D!F?UTP)hXTVA;E(HM%ZMCw}WZ$)4E0v;)5nU<1@m
z%&fObmK!7DS|UqGM7pIv<4Nk*prl|5XY@@Pwd$kp%$=K|Rd;{Jh;k>8bp;HzHFU*P
zr6hPSykbMbjbrDxxF1v@`1@ZoIw$?H_%+hWvm}rGoJuR_#R$Mz2i+qfS)T-@?eJ6a
zUKPbZEXIQtQb~1XH3Q!>saWYz>?PsM52gh4s<b+2^>iCpij#!R&5VkAF(l5b#Dpom
zw(f~b<F`K%B6U(n)m*JiNc_$9Q`H7!zfl(RLrG|mSh{uIS}1&~P%(>;{E@xrR#FOl
zPnxv?>+!<=j`Zvq(n?|XyHNTkqwyxI{!yC#Gn=?O*yz?LCsx^>vzCOhg_8)C-5(Sd
z6vga4^4ZXd1-AyU`JLZ4!sSo!bX43;Dp&bR(x{5)``qA=JSpwp%X}V9M-k_*8=Mun
zeAlX2=AAHN!_uYmuY<{nQ~o#RV*6Y^R%%BlS|_b;M}6mtxJj$j3Z)xw#`~+XAOGnU
z{<}NDV%RWtlHmvh+XkPHB>#eb?l}SAi*B_gyG`S9){z2zQZ-ZlpC~R3mR1gf6RkeQ
zM;!2RJY5n4Q|SURl2y-Xu293MNJ{(O<w~8!I0%4i!yhb3^S7tIlok?oF{piGbfXvJ
zTQXv*<9}S5(8&^JkFy-6e!n$6tE&R#s8;sewr`9@uw;p7Tlc=)So7EM_M*Za4A#tK
z`@0j)=N}E!Sr$6bbSmt5J&$Izd@UXwN~GQ8Xs#jFvFOMih;j|d(K{yHdu&02Fi=*l
z*Em(Ds4!O_!^6Q|pSQ$M-Ot+75gNu?{{dOFaan(5Pp!u_=Cfbs2}yipD^%ZQeb+{G
zE~(iuF2XQ9r!&iB<;Wv5dw+7#XNm7gzo3R1(ASGoHX^CTA>iIQ0A<*I`~3cdPF_4<
zPqG2%qhH6pI=DLe6qo395D-~g0v)Xk({fi=uI<WD`w_3Fr&lC<(DXb&O?US4WIt}4
z@qJ2_NmXcY3&8&FJf|?QrV_WdJjV&*_nu|OCY!OTxg>?zV2|2woG1)VHCv6NPqZYr
z&>lCX38!VKJB58?Ag;v#Dn!!kMf+JxNfQ1dQxPW@Cf10nI(ooW_fXRO{_+el=AOhs
zee9hxSrt;4`f$e~p=qqTJ+ljn!&cSq*7zxw{vEVAE0^Lb5;3w_G`sAjZ<R${^^w@z
zBXJMx>bzfP_AIITt3ZIuzm-d`C09NvN}@@?;F(=X(d1&IP^!%)h3)4{m-nJsUKpMF
z#@O%S1EBQ8Q-A^(7P0fMzpjEdnG4j)wonr?Iorgdi}zO`W!!Po(eBACWg?gK(<$2z
zQ??)3HgVM5mxnhzq?BGAb}Z5C>T30;U(M==ND1kHbf|!HV2N!{7T_9|K;733;Gs~7
zOkV=E+A|i7dvXoSK~*_KBT2?rxhlyGf_n|Vg0XoAk~=;)e)Z8-NkGz&9C@vym02_i
zR<dDIWM7r3D1}LR)*thgY}(}xY}%PUBK2>RXMR<)!UJB_#-&D}NBB4S%=bvZB45@;
z<1v{f>`~OqjZv<yiG4O1QZ()HfNg|T>Eo*9ZN99wk7OcS4C!+z@gB_J@*Db`>&mdl
z<4pKO%8xCes@4(S408BKD@QfRD#j%&cFz-d$Z4(WmH5~at5$uJ&~m*KM%@YQ6Vf!%
z`aruJk;2jUGHq>~u5kwBa36Y@!xaCHlCL$UJ<k^k)7<T6Cv0U+&MJ^bk6F`1A<O9B
z-y^Fk>8h+|FH>RQJuB%+&0ty<?d!nk<A~*(+@mVg+!jJu?~*19yHApiBt4evCWW|f
zZO=0m(khX)ELhiPd0Z%VxU~%z(2Zd#wOxF2iZCf{#LHanziPZ>UTix-cRue-5(+hA
zSe5v+V=aNY0W_fypxDxnwSoE?uMglbvm`wz&&clqk~0p1`E9qi>_&(ZmW@k=UUORl
z5C78}`Cgv+T2SxkVa((79mky4Pru$Jw4M_HVs8I@t)F+Zam@?Z?1h)eB^p)?zvxde
zmND>t5nXH}-#W<~^3;Q*T{L6|A}2&wW9Y1Y*IN)_zGBb%<%_$+W|8YJ(9L|&ip*U2
zn4M+r*f}qiQhGgm=>W0nRU?C`fs7c*lBb*QPWIfmawKX%$$RwZc(9Z!HE*Dkg=LWQ
z@QCj=yTKBPrX_EDxHLs$yt7cE4&B6w4lEHf>%=JGMy#p_5A_wj$S^w6f<87H-@Y^>
zoj+I5l&Z;neChdvlB1%*T|pDv0}bSKfnZyFaESoM*REF9KXN*6oXd4qHm}fLw31}0
z7Z(+CE3V~kg2<Ush%P5tWBV@SIbo1i16uk57q<$_lTUiO+&9?I%l9~$-=CWA!1zx8
zc!qB2wOmh&-x(<|0)<NMc%P)s;d2X7pNk#c6*~*Z_#&j&YC(z!v&dO0l;1S4+;uby
zh$9GOzYEl9eX0wu-~hh~bBAIOI?AqTfeeLpfm;7Cp3>cNBS};5Jn0e&)D43Fs2im0
ztWTC*r(0R?i@Dhq>|&WoI{nIEHNs<1EaSQVDi0CMmn|BpJhRUrP2gz}dx-^~;t2Kr
z)H7Xb(Ms;3GN~F@T(_c;E`8)kcWm$M75j9GAi6^MlxH7btua6C-Hk*~?n<tljW}Y7
zW}b#m?vIqag^yE`ZF?<~`&>gx?VR#oOH&`o_!%5r?0G+JH?2&oRFPG1cyB+rJ@lJ)
zBEl{PUMPa+@8FAnJ%mM3LCCcOu&dg@ZF+fV3S`+ngmLG?)L4rG#`EBNQ5*T>DZ)DY
z8GsZo{Y<ILod4HR|6P?rqUTx&JLn*~pmYEK(l{zcL3ICl%K3YZmQ6)GFva@U!U-?@
zbHm(p&quDUW?k&UYbnv+AAIFB#4SgLTJ@fwz5>v90%3Pih**$z&3-B1G1exp5-r&E
z{NkfXr%SQ$O0~Z}magx=bVu$W?8k$b&VOe2{Pn2tGsYtL*<+!f#4(tyAZ|)Qcsu#(
zpy~fmO={{48AOANVv6iQh^m}Hek*e7nyZ8M>Fr}G+w@k~{lkAqe>_Dvt_@|b-G{e4
z=9IdI=-8`CjO+nmueyMKaT^TyO-Cl@0vV%yr^100u(6}#c4r`Q_uISqM!~LkGPIJF
zIp)9%jAfg4Umf}lwEnw@4nNy$j{MAIi|(;L06OQI)XM18g2dfnbUtv&Y9@pd<bj9J
zyk?hAOeFL#BoD*qsk9~v{{iLwyTYajw94SUuv-<*=NrJm;;kBy@$wbGTZ><{fPHt`
zy!J_NokdPH7HoFfem9Nqc=unWeU`H0)4#C*YkqCVF+>qJGJn0aV&toM3D@}1hHjWg
z2qaA3Nc}W+z$gaE?Ff!SQ6)C_F!)|TT>~$so7TJiuMhq8L2}6my!8FvVXwi>$joKO
z>Um5@5~7CO5+}BxIykl&2#VKG_g^dTpv99;5F{DK_kQHMoG)he2Mqgfk@pRPn*K6j
z)z&M!^1}?UXm8ltK}haP^V0+wU+;|};VDq-HC@|jtGsiJr<DTGC!b_B=>Gc=f4=fZ
zaATD+bAp!w5h4IW-2$h;23KtB7BjXr4%xe2hDxyXaHgPrIgEvP`I<{(QVh4ic*>9d
z`JCVH35SsYn5#Gt1bT8h@E3`t3n;B_AV@t4vvdidZuq4NIF7|n6QV)b=9TQP2VK>Q
zPefhufhGLRK|qwc|1$EmT)+;Nuu!5fI*bXiMJrJXC^5nq0X-H_WB^^>YrsN^IWjp^
z(JsOmd3=XsL1a`^)Xba|rQm#^(RXSXPTkz#PDw=RH!qr9UA{r7S|83{6Es7$V2+FV
zE&?k<%5KGBuC1KAHmu1gpw_RaMSHwnEmBLC-}aZ-4Qc~Yd`iA=%5@GJ^jy;3^>21C
zn{V2>FBy=+ItmAzZ>Osz?6*AlAyn=d<L52c0J?rQgj-f7s|k2mc`AbC7uby4B6fR|
zJU~u*9EiT2e#TW^g%dsbNxl@A8{Jjwze*Y8RgF!BVIuF$xzv-YH)d;Rrvo7e;b`iY
zIhm%6S`XIvQnAG^nA%RcM<#$2LEwey*IU0_zxluGwvJ&9j4G&_VVn%W<X8ae3QKup
zBzQD#Lq_dT_)YDw<^sh9UxPr%;Is}Z@p>8zEsli|A}RYoqdXI45KU5CKd@WfM3CzE
zN2~%G!5dlPleoP;uD6PDb3{*<kGjF=kq?g#z_VT&+G4IQIexerv=UoW7>iCt-{Cxe
zIJ{nZ-$Aas5C1fp|J~hi1W14Q20_ak!CjYN(ZVpsoLpq_NLU32EXUZhw_LoX>WDzO
z$YuD($OkRhmUK9R^m!17z6pE;qOfW1>;Sjx1!nWQ5RTF2=kua*^0u`1*!LY)`DAzj
zCBRI(VEAydipT8^0pD;xh2s*kTqh+@S^j0W8i!snjAlBgY5)A*Z()FJ#Xz7xOhSCw
zn#gIp=>jCMl`WCgUt(?Nx^zrVso)f^ddQ*5em_}(BRmoH6##IbRyUWoJOrh0+Zy&F
z6Q6Gv^I{6V@oOG9jx5rUoi!C$M%pwAHtbU9ff#Z>+yx>qf2$=))&x+}t{5X6drfmV
z%e06pUQ-BG@7a>EGtAok+l8)y^)5s1+wv~!?)A$!yPFXE#;<$B@Q))vQM|F{Kp;q{
z9=^HRYu`bz?)$vD$DxE^(K@wV!Varfz-H(qpC<=*Ps)CAr|Y=<mYP!8ZA#{kGVsQ<
zcEDB0mBH`d@d!NfXm{q0I`ay-gA3Qw<4*nu6meZ(CzRVie5#=KDLGSG@-p|7y&OH}
zTXg*aYt=%s2dVHfH8YE=O;v1;GO?UgDlPMgg{90sUdC@yW~y|?IFrI^f9OiGT$Hy&
z&*94rZ1A8DwweR$;sr8u2!Q37mebO(R3$+2$Os08N+4juWB9^DDCKvOg{r=udlUR1
z13#by)djGNQk$N<TsSP^mA#J#fCVxEK;tH^d(~>FIHwr#lfg{8$~Or=3r_h1lmF|;
zq(Y-fbekdVb7%`UgNlEDGK^BXhP|Zi;y(67sQ=36`yaHSN&S7sqgvW3P0dbEQ))`L
zk$XcjTgtANhNX|7R$=hnD=4a74wq~UIB5kFzr{4*)kQOG(37Gf!#$<5MIr<eWzbVl
zMaWQ3%7cmaQjSTW!0$a0r4yfIA43h^E+bxP0C&39eY4X>s0j4Q4%L0!|K$&Dzz+>M
zl?Y8YI`*pX743X5bj;)8y1<jn%UWjX@F@OF?{??x*;_B_(60-Fqf%qfSbug~2L4BV
z$?z?hxKeWcHN$8%IMGSaCcOsI{-3$b&-zmL<2mYO=Gx9zOk`!pm%?hxBMc`Zy&$I6
zSQbjKg4;LUmP4M4k^es>U{Flpr=62`)qe<lpSKzH5y2ymo?F|~dq9-~l50bvtWnB2
zCJ261K)cq>Zvh94K@0=VB2XX)2+Wz-Cg(cNjM4#b6@)o!Tkvg;Xe;iBLIbII9An_%
zJdh~v{JcZV(Y7lq%1+6$57yxXi`2af$Wt9Yv-R&=9Rx5g2l6XPm@Jxq*~h*Y_~uZc
z6AdMRx&H6tjkd&Pz+8d7q=tGqkM`#mZQ7CpzqBS~!xTCzZmZX0s$%3lJ=cfEu{}`S
z^jQA!O>(AcHog?RWiHS@`xc3b!M5wMr910CXz%yf_5e9BiZ}Ni{jbeK0DMF1j)aG7
zcw_{(AW}TX-`SyF5D6LCB@wr=HbWjtjvlrXbi1Ez`sr7p&i9B-$is4uWZA?Uc0hu#
z<=MUM+<8h*j#@0-krVw=RA6?W5p4VXySG>Vr{xUyawMV^x9Mo0-2q(+_+fy;+Ib7!
z25U8E0<fP$7aWtgYJMl!loAm5*UmGPNSChz7y253Uif``&o&7|D~`>@gG-OPopA0b
z;?hqa{7EW7?&=u90{6;di#RO@1<cpxIep>Zegcv^2BNq!^2b>#4+bDukhnx<p2X`g
zv9Kh~&puApzXmjl^>6axB|(z{xa6$>T`K{i9+3tJ!^=R#^T2Gz<+_fxB6q>%;81W-
z!HDMsrRMSGhb3Qoa6oU&R0!kp296CDZ;Ou<Fu>&;z5MKB6`&C`m3ohxGd$=I<~eku
zZ0)R@hrW7VLXh9CJmMMIJ^w`c;#oPT21gD0scGF&lcOTJiRgY>|DoJv%~;n6w@#TD
zvm1xlmlNG4X@ob~sdu%XhfO_ZOMAeamb9cO(#Y$-OdAvupr0qTnRruG#=rNZ=CPzb
zFmg?re1K1VWa4c5gBGF@qaiV~TA-HYnna^v;?iPN(me2c$UUW%D!iS?y=AF?96O?h
z!LjM!|Jf$US{kNj;W8;PZ`cJ)Hg(Y_7`UzfVN;|^-xvF3V2AZSj<OKSR{1L0XSYY#
zTs!7dJEcdMew)T(ka|%%b>q%#(pho!iEkC?<*&O_ISjrO&krSO<f8irSGkT&8K#e|
zFj{XH3a3w;7*A$^`GXlsPuNtFOn9bB48ALXp7SJ4=?i(R_M?yQYCqPaQZ@3ZfD1lJ
z?129Y-*`@R>h4KJNB8J-f8G-R57mO(nsyf`gkEne)Ob=IDSK4^4-Dfua#c9%{htH4
zmNsN$#KtoP&OvmZUKjI=B^+Mxs*W#>HH^*ohXR{Qi!E!l$wGA6786DF_@hQ%H(OUY
z6Qk07Cszh4FlQ#;#4qr#D@GL<8I8}oK9o^tquxIft~&n=+Opp*(yA{h+pa{`j34jH
z9!?}<v<1;<HFXE+YZW8U;s?=c(I0#clHH%X(XUDb+U0*CNZV^lGm!qw_qzcNl#mAv
z<Ogs?@Pnsa4>S}}X|{8a0(jB-(^cbcn8Nrg;D}u0pVZFj7T*{6k@+2Z`$qqFkKy>i
z)g2hH<*-z^@AuVI<_u*vkqEAtu^V<vIwbdJ9AndZtt^)I68+L19)mOVbhnv0hnH5L
z2FBD=OKYPql}3MPjZR!KT>7!gdgeQUEjulmRi&dg%8zDXqiJBHts+_K-1@yjtd@^n
zp;S>6GuM_uupLzF@_f>Ia~Nl`RGaqHjEv`adtZX^IE|1MGObIAXFaIkFt{Q}rbo<u
z3UlyRmylbsc;QCl&n#ds61B{J|BRaVD4~h851m!n{|(*Lk3C?}mtbnA@=qQ1;>M!A
zjmm77BNCSky(_St)rEb8O?;`{L;b`i&(?@-`8>WZ)~$MW5;g{yrH-b4_QHX!dVm%<
z@w#U10N&O?sg&z{QH)>&J1>Ci;(8$;!)Ao&GG4v|(u{X~qnsZ1y;`*yav(}S6t4Oz
z<UB;C1L%{kNA~^F7?9ZuZTm@St4>TIy|7g3Ci5xv143lK_+nZsp(|fSD2c~CYo^A(
z{;fmXlE04PJuTNHQyctg>Fes_afAK7*XBHGU)lZ$s61R$Z6z#aCE)2_n|J5T_rsop
zZ$BtAUmLlNxz|;{<&2QH)_zZYA6o9Jf~0qRpF*GA-5JW>X}o7?l((3t|B6kBTj!7j
z9h(+iZ5F@4tXI^FzDsG8aR{HJJA_j0jF@kXu2OKmq(H(`;i1Z8h*3lz5iNyHJf6)d
zZYs@{pHVtL;Atf^xKPO9lV4+;Rgul%r^6LNBNl;nPFKKMfdhhH0pwOax%>b3+Col^
zV-gIkxx(LU<VlW_!|4Vch_`0=HV_;m>i1!-lO8aG^v6j7)n8{aWHds)6GDXh*^@+@
zx)_K{W~qF3)QRH+?zl8%&kFg$3O|iZP8S9}bj!JJ>^6_VQubWYj=93n>8*y$H(xNl
zGDh{eaF3IjQ#n<XvR5Pb%MJ^6*kWbusa82O79WNEqJ2}doOP9Ex;4g<pRblm3l&p-
z#LrELm7mw2DbM~Asfg+;i=8782{L>8UAw9WSu9EiB85A|Fpu~hQI$8Ui)X4e5~NdS
z@|_L7o?R(d+P`|ot$~l=nxSGP+8D#qH-#F%BRIVhfe*L8`pTu7^{#@9kT|BM=nrr4
z%2wpI`3jfoPqjKHh><#6dDc?@4o%h8AW%Cf+te}CthW|RE9wI8)h?_jZPTcdko%LB
z9yv*;$Hg|mm6x4kGzc;aWq3aNh_|QpXWZ^o>~>7zVv^KW$Gen*p|q7;m%Em}^l8uW
zxw{(Wr>7@n9i289_pMN7R`S{S_1F0f4@lI>E@!%poEdN3omwLR1JUndG%^jyqE!Jz
zTjw#m@pRAr(GeWkghX@5G~Fxa6=LX>(V{uMm3)DL`159HU_YNRnwF`On%1LCo8m$f
z5voJ#0x4_qu)(>4563cHeXYN<OURdsz3635<CfO0NX<kW3xx~husvx065^{xdGI^q
z8b)X+L(k!#wTOeh`pC9fYox+RE6rHvg2u5O@2(%Y@2h6I#d<$TAb|r038b~I#EvAn
z6QJ=hfor<pd3?||^eMGc$n)a_6OQ$Yn*Nx~p)Sl$+*dr{9_ZhdGp}~_4;3B>n2G@s
z;|b!de)W+M`;GPka^05w*ZAXHm*ct9uBi_<x6TLky`fev-W0o8GS#`kW#PSLgTDV=
zE?&;+eA;qX_O@uQn@Q+eKjD6>qNBU&1t*V88Jx<HW_~K5E0~jeQ%9~?jv6~YJ?m}1
zI22-#>dLDU5tz-1r3#IQ`4LVH9iFA(GPFt~(Hn)rtCu!=UUMpL39@GX1X<)SS9}JL
ze;?MX{-2;^tpJl~<HE{FI0WTEF00m{wc^7Y2H=JFI7DU*91+Q#-uM(ZH`S4lHXTBC
zAZ=BT8^1NvKzN!@CcePg<q0I&#<A6}IOS?d-C%vW(68B7m&nuCjN!}^WbwmG3p%3W
zM2?9yjb^8v=k^FTVGgL4!xhje#Nth|!#LL)?=E-MW9*d%8!Htvq?2}2FV#2(V&_jq
z$a%D|Xha#g=+80`@930coo5|pb;^0ZDT$hu`m|Px@(~j+R@NkGeX0#7We2yg;$l90
z;n2G$<EXsgLy^(!PE6rgG`wybV^x3Dr_UMnD`rRqZkp&e12{83Wfu>?>6tU!yjCTg
z(|UqMg>ykkW=`Dom)PYlR>g}b+XRVWQ?Y$#aX5~$OM(lN(qi3--)yjgvm1Te8Hl-k
z<g~Ep6`mGxbxA*2&w5;^!+WXzBrsjvo*CoHkv82QeTz)iiX07=HQs@CrZgjTs+MyZ
zZL5J}gGK)P`PDL>3~63ZqGaayA%`nf!xQ}@;xiTtF*yxe&6#bQf?&n$yR!w@DE51&
zosy(!Gc6Lr*ZfxvNUpaz;{9oHS{6M}sUtZXfAsG6BS^_AMspsOCh%ma0;|<gYTK_s
zB(M{)08@@(IZ?i*71{OH_c#x7v+k<<xS=Rpto3<C+=FeVna)>B=KE-HD`hIK75b#R
zhWR(ADnLO^x;36@?N-0d#D8XL#ijk8tf%)JdkhmN(Lepn@`eSYxCU!s$wOiWlD%(q
z`@Rd#atMSQm9+bQu<kM<Tj9M;Dw~((B|lk<oowN#549GW7w?z8=WEpAQ8h=^7^gG$
zAGr&b@siHJ8J89zTc%jFgV@*Vt>g{SR>ExBAu1*-%<VkBKBl_X?rBz-OPHbpiZ;eD
zUZg`Fd0uUC+kaUz%RQ{KDt)f~efgx*yBCD2By!Keu);xm_Mz{qcgR%QyF87ayApM~
z>sfsV3w{qIPeqF9+rB4nEE<*hQDAKJHAa|lVx-Bo;pNT~Mki(ypA<UJT2A@Smz>g`
z3wmKNSu@)jVm+wB<!kuli{Iy7Ur&7fvrwf4we3~X=QkKX8;+;0%vMe=cjpqwOszTr
zKhutopH+BQ@2m#B9g1P=7Os28OE9llWX*1`Np$8EW2ph%K<RBLp8Q@)CVXSFn+ZBI
zZmxEt#Eb$k5w4JJQ;WX{iHR4>xlgN0q~vqbC-gM#ZEy*?hHkNZqmMf4oHF;l$02!X
zfN7flDmX-&TI)e&&P4aOA3yPyHSO-hI@)*Jnxj2^kInn`8F>?14RDVuwF(#F``j3d
z28x<RkD_teA>>2}+t;)Z0rHB10|ZxOnI>P0B?&@<yKAjK!Jh|LZ6ohhV&pooz@X<U
zk*fbX`eR8;n&!mf^scn?zsd^XG04T;DRMuM@{1WVynn>DXW{DP($1#0?@T|A8i_4e
z>xrO0u+}F6C5+5%hT>qqneR{8X|n6_E!(>r)s}_ArDqI@KYEt|w;Y!!`R{F}p}{~k
zx?!3BBEkTJE=bKg)4IlqmfOO7p*63VJ=NZ3bUM7Hv6vWx%dLLRB2nFvC_(#SMfh&4
zk^4|0A8*Vv?|ojs;KXQ21g}!%^f4k<+a5dm+FO1yswMTFObfBc@_tRPz$h`RaN0`X
z?4m#6j;3o^3WV1X6GXnp5sMndst=JRc&%g&w)JARam^(bzr5F(>@xQz{@Zho{b&^_
zbnR$KxlOE8`WuqBdCi#{p_NtGQg<oE{eya>Ot<OTK8<&EvQsrU=Kx#wa)?IV$Oali
zHiS`~VZWJ>nN&!Vd{aW`{?zFW$`5Z04*l?d5E;yPF_LlT1+5^I{OJ?yhaVo)D~d)P
zWB4c1a7)m^6NaC*81C4!Q|Td_R?x0am8Ym@C)X=SrZUVdGh4+QVJxz&aGu`OzEP+6
zgxu+@B`uMenw6_vAr~qz)!q`yf9lSNQhJHp+zk}XpF2OQCV%z+A?~fis$AFZ(Iusb
z2#SIdf&qvKC?z4G7_@@YDXDZL4WigcNS7cXFafDaPe29f?nau4OeH1fxnGQ>d-0vU
z_ji8h`u*d@x~{!p&i8$uJH{CIJvLz4VAgcaL}~QF!(NSrKDx{J^B&qpZpF&38q1q@
zGx@Tbn0LGwt69yK)LAinPu7RUPMO7kb35D55_G=`J!wY_6RM7hJ~ZA3xzOEF&GEr6
zkNNfOIJ2xP9d>8o2WUY<?7%?1GJmg%qX6&3m|{WhI$JCmYla7xw}xpK?b2^kEz=zV
z1tXia0y<1Cxi*;esLdM&Ye)S9CoVl1KTvSi<y}+<dPd-cqQF{$P4!~N*POJ~=q`=<
zN27H^pZ-z+1mycS^h1_2QZH%mF~A+BVUKao9bDj^=j(iAfld9`$W_90xFz9f>lzsi
z*AtR_cC<y{=RwAo^kLjm1$1Om%RRZH!Rsp<hTa^Gt9^oDIiJ9MdfB2IUwf48#@kmn
zG0C9|1xeBI*8(d&M6|kB->sz@jG@gF`#wL|UDJOq#IFa8tH+-9-PUSwe20O7;yH<j
z5sa`n%gD)5w^U%GeMzLqE(|r8eT|<{K=-1CxjxR>K3=amZZnG%+R)|MKqorUvxY4R
zQpaCw<erHh#IL4);M8J?aob3v7qOR~J*|FedeA*0C;eu#M~R2WH-FbG9DB7NXWBxF
zhKjaMk^Dd}T1$Gs?;34Ti3Dw*d&FV(!B~4a?Um@mR3avWiqf;Ev}I{SIM~&=HBT8A
zUE~jSn6@t!vAI;qrNK$J<jy?Rni#a#Q6-4Zb|SdIW7*9N8*JmYB!ho3P`R;YxH?T?
z*hwK)Qy_+a`K01W_~tnd9r-Nd^$DE=SbA6YF_+4Xh~rmBedq<_uOvq#nAV2}oYPPa
zD{}Wn^<=hcW=rIzD86nJ>y;2$U8NUvAAc4v6Q!;_+oz!DG!#_@ug#;{=X%@I@+UOC
z^zSIGPZ8{6EfYCpEpZW9Ukgd;k-JyfE56JD5)IDPipirtUpXZo^2#Nqa>bXh?;nmW
zvHFA`8F17%%;t}Cc5<(98K3ADIpSYAw%HwgStSVV_LZ5clErS_v1){co*dnm*_xEF
z%JX_G;{8?5qDY_Dwl4M|sKeY<j2;`z%g<coMe*YiL|C_?!Pkn|V8sg|WW|ztUNggi
ztYZV#jnyip>jAnYTn@LnD3sFl+-bz1T>QwG&=6|8F}!pSQ!*CKofm#xrS#h5-Gu>X
z?oXTJ`>CjozgTxktizAqxN-W-iRGxI*qO-a5Oi;|Bi>|#ltD?R?}QA=0uPQ5O={q6
zJ~0sE5gh)ya&>LW)EgtCva!&$P}drl`rLjX$LW^Iz0bvI*Dt7Tj8X-#D4i0t`*gpJ
zVa@E`{6)gAeAo8+H)1x`)n(nwHB${MgblBBHjLX2x$fo7%6|};aMBAUJfpowxwy;7
z@k*dNrPWn&T)FHy-hg|C_gs>Sh124GR7aGLOuTfxJ9KL=^HE3rqVD2kKoh8UzJ$6;
zUKM@u3Z|rM;Y&MbRNd|-XMO$p#=_n6VkIuCE~R&Cjpx49W`xJgk5wJjGPxPjUgS_+
zDB@D@Sg3BVP>R`aR=_%-%EXnnnjx4so0cHQRD64$8o%gs&h!)^ZJ)8S4?27<j;*uc
ziv1mxge*3m_4>RzN9Tcc(UN<dGy;*2iL+j87-NbHou8MMzGzEf)4*)@5WT|a4}O?9
zajgSoP0-yx5)-8U`eXHrt6U{G1LqL=mK4RyE7*6$1umnvyPdwYoKpTQ(_HK%%YeD=
zJT~;PuBM|*T={+dz;as<7iOiSYt<L0b9aEKBPhnbQuBs)Z-GeBQ;S*@yRutqv=}Y_
zB@3>bCnv=_5~G9|UCmprFV5~~mi3z<)6Y%A!0%Dj2^E7qLu>)8d9tdQ7F_1=)Ub`r
zCY?c9pA)x!{lmnFpr<q;Jqa?^GxpexE63G&L!#|XYM<k2hbZn*l%8)#UF`V$#{L27
z$XEOYuL|=SX9WnkRf~+mR!G!C6TDcw!<Ko2x-0sM(@!#`EKEG+;IY9YRBA2!U+29!
zCQt_>AN=f^nEVh=4(dtTDkBlKOIeZY#&lXwTeUb+*wri<x!V}++=LAS48R(W?X0e!
z*mdDA>qG_ownnX-TK@SaYkTLrY38Q*rhT6WS?*;FmhFrW;i`PbJ$&cP*zSdu5YjeY
zt3HvV9Vp-P?yETmW?b&{>XJXq^JU<$?XdLI=D|0*Cb1j4w5M`7QnQ_+TlyS$W1>N-
z(r&7bA5$Job_t`%<g(N##%%dwU^C9E_Z)?jeypt4qSs1)S4UdBaet3BcwiQG(-itz
zb}AQkpl;PnJJLo^@5@iQk!Nbb>mIOzdEeh|V6(P!1T>ZHxvOhse=P*=yC#)PH&;zw
z!nn9I5W?%r@B|BfjpLT0Uvdi)Ez(fI<>`Lp=%_;C?2fdDBnuH&M9tAxMdv@pD5CJ<
z9uclyGmkDm9b11eZ_~QiS?jHI>S?;)>?SU3({CxwV=*W^L0Y=OLZpt*UfYb}oH}>H
zHOqJA<k^dFRK}H^l1JX}KNQNv(4~{ouX*vv-LK4QOQmUvnin-Jik!XGZeC$B^*VU5
zd4M7~_?e(gn3%Spuj^vsM9<7Yjh@HiX9zGZe&YOxIBI?+@gK<!VH@wm5(v}SiG+h$
zkS3nD(Ta2|$a^<9m2eT?@*Xd_HPD>=(8rs0|Fm^4)iw2??q41OtM7aDTXpy~uq<{&
zH{?~WQ)ACHc@+9sVvbwcC-|5o;lD{dSvM^+RGM-q-k2@wEap<`ox|cvcPepyxu~++
zz!Co~@Fx9c4qHm9<DhHK3p_7*gj?^JsH-DiSj%R)fS1|Oq8Q`GGd1GWtLteGsHSZb
z^e&H;eB4<<YET-^J8(bH`TSzXF??_fHiniZfo$}}d{l;o7DsP_k^PiH5?V8aBVt9U
zOPs&ULEiOk)J=Ei_yTmgdWT<|qg~jhrCPpq;7T)1)pSii-t5~4fpuJj<p?US-G;U*
zxGv<HG`VwMB#p-dhjr3dxYvtm;~k%)AM)Orp=ch-V=aG7dqHP^RUywI?Y_;<r{)gE
zyvf8n905S-w@&;S^1gS}Wmp25%lAvVi$$O0FnW!GTsQX+As2C$7rRJC+hrZ`H>Hgo
zWBYE%g84FO20X~wvRDb5kAAl{Wo~<hHhmql9jQYX7n*;abPTTQuq-V?h5A?@*XXmv
zP@p4m$KWw8y5+7~+!X2QQ<Bo2>TA})1rzGXd_Fr;*N6#9_rm#+o9XI?rXF={ELB-G
z3A?}Q>Job|YbJ9C1T~$+l9QeBa;BUS*O^k;<@5)&#&vS(7;iV;SEZ^Up{pY4mFHU~
zUhOw&e>rjF_DDwIU}V8u&qKzD7(PD^_kR19kzBRS<xkVgg%#F5Id?WR*iD&S+?LEX
zl|HDDDRF5QpUm6i{0<e}ez1(|{JNh<!dKx9JTsqkP)@#WU>=e@HvdQ-o-R!c#wNc>
z3ch0!khm$2`sIcaYm*w-=jsh#U0cfwl0!W$G=EE?jd2Vz>5fU1_kT9k8qvDIkR!$@
zY;p1ZV+v8qn+3+b=wQtkn$BY8t#f0e_(I1bJ*uV6_3Z8%RSGv9tWSwfbqa&<XqsF^
zy(6vJY!oHC7`+JXO~HPGPDf2PzjnXura=u>)4$SiPZra5xkG_6*B0@#j@gIz&IxZi
zzGvANmGjQJ8!npQP4wI-GSZjU4F*+gaM_Jv^DH^0>{^=xH3G4|J24Xcnc_>8=L?YH
zCsby%?xmW$kb`UouHRHSZgoIr?dE)9OX;TDg`KcAYrg3*m0~eoKXEo<UW*GGbHoB2
z)nSfWbQzR3CO5zfd6buiqs@ljjcdIZ<TiXlb;guQW47|0k@mDgtmM8G-74Mrl@DP&
zbKllwaJbecbwXW{%HsL-^J}w;^J;^))(4}6>s^~Z=jC!}3xdhxVKy!jc5Sn4;nz|e
zyYd0sne^q!-7ZW}R;kzT$bfBRy|dG&x&{`fE2k#zJ&!P`HjatFxq4|2rCfEhoPOm)
zZqOfH!t$)`eO>@>myM$sPfzJ5dy9-CMy5lHE=$tcQi1i0u3nnD0)q4Y=`H!1YE<Zc
z9?p)^LPeFCy;@%qJ&29;#t8CuLl940>^wY=G845b%Slk_7h)l53(CI6dAAi+(<VVE
zVQxIMyL*I3+drrmErn&fA$QoVbb8|T)yi&Xwcalco*q*E=ba2HA2Noav9XEQ_|54T
zcB{Fmn02#qrSYa~7U$Q^478(sHmo{BS`0qTkFU+<nm#5O@?tl@vDv1+<g!_D@y*qm
z#`Yc)%5*R}q&1biFRoV@8=Lw7SCsaw`0Lb_Y{hQJ+e~ZkEw65jtY*02{P%H$*ZM<U
zhi3Iz#VdGPkfqr&S=C~vw1lKSx8#MQuR$ZEIajgw^H^+(Qr!fX$GXBPa>jkev(u{2
z@AS7!W8`Mv5oOIj^ZeBcQ4{s;8#-e5F--j@Lbrvj{P<^=LE5;d3PE?7qwBOoF>NBr
z5k}m==fTZf)q&!<?n!^6iUc1+6`=tSJ-?f$)p;jvyfpAEc5;L0Y}(meD2YlRS*8vS
zHb(OeuAr6nqBV83pcJC5G&$*#@LKJ`95>cKeZ2E4q1r}z^EatDU+41!`LXAl^A#em
z^TuLlV|cY~46FCsF=?E_lPl`Cg$ig0n*KFI_AJ-eeB_D@EPYK^&kJr3N~gOj>eilx
zaUdZnRk3Li=eJ!oUB~$>wvUk6xJ}g0etkshJ=m9{CR8ePyu5a*3+FzoRvj=L!;wy?
zVu6*y`1MU!%8errX3u~1U}y-sc|6vSb}r70;6f~L;UfB#0vpdt6TYq{`AAI>tkgeg
z+nFRkZ+SJ9^^PQep7F8(Ze|a<Z#t@IG!tJJlHtBmp;M}D2_>&lZUQcJrTHVb-LOW8
zc_xZoB*tU%LUqXTA~sqx!9n|FyiHZ<yBwqBfUJCc=_i5PVnP^h5&5!Y;)Rl2i3omw
zyE`qRa};te6{wRPX#AH?2?sI47_pN|SI&==4m5OSLXR{v*K?Jzw$-wPA&Dz*w2=#>
znR)~YA`5OXbMp4cL+$8OQ~30&jS)F|2`ldJTi;)5Y;8{(3E>JMj<I-RD`zfa*4q(>
z(`(nCPNBFoNEg{POlHuilTUe5cu~Eu;%loV2e+-n`yr#T+Q$|vC|n$vGQaUxTrVu1
zTkToocBn3LmmyzW8@QpeiV^+zvNcn)DKBs3Ja!~^ZgOyNttZvIb<i}Q{w`7adi$zl
zh3}#zSJZ9e<C7uCYx%o%{}0Y94S`zfUgqoHGRSB~i;iEdlkQsY9Df<-G$%PtG|+k2
zOpqLpfsS(T=2AqT-|?gaHBs#4%O24yBiC-sPUwF;(aJX^r=~+m*Hx!mON_M|{&aa|
zIB)RM``*Yfo(L<2yxn`p1Yog!7CuC0bTYYBk=ODFRhti3>*mo5FinS@bKz%;WY05@
z4B?Nj)lQ4rxtD>v^V-2c>D`(Utzs16*TVG%CQ?403uFynu9%L+h4e4=F9-10vanfw
z&V7uQTeBT%;<EYnL8@SC6)W2n(G=TjbndRjy_NR2Msfza-m6C!1qJ0<{OqsxZ#AMb
z4Yw7^2xfu0EgX^M_^s~x6=aFBlx>-q;a{c$zUn*3Rh}+;)Rn5QPOU{$M_qnelen=~
zzgt&i_e29To{r~~lrrjwsFR}Ts!g7(8=i39LPx~zpv`8apop<N6Sl$6>8$Eky@>w9
zawZqb7<SBFaEye~<Y!I)E1`-*=Vh`NV!E|L*9ZZA`KvlU_&urp*k|__(rFsf%u-w<
zrKQS)-YA^J(x(gXd*A%mzgJ*45t{y+x?S&(y~}b<gSVJuwd+b<k(F@g8w<3)e2V_a
z=0=NorD*_%{uMSy{af?$gQh&j@+s2+3xzP6T!Ssm|1ZKIZ0tKo^I)I2_$5ecVI==!
zUBPtI>*=xmRMVFQei?uO0c}A2sNfCP)6reXw(yfIyFu0ofGkS5wfsMPhbX_?a6)*6
zng>86sa#dazq9xd>TYIzI{C?iM~CkHwfu^#>gLuiT%_dw_3C#q=@O|PH9fm;mjTDy
zlb}Ai0v5%yvPAz)P9{)e=iCj-UoVuYZQ1va+vBNz({8p;u)u2go<Wsg`KQxQjxoIx
zsXF~jP4Qbcv66wmN!<e7oazA}?~j-5R&!*zXa1Jkpo;Rau!C9Lb1X<OWg`U?XwO-k
z2HkM_%s`2T^vjd`CL%#`Ap=srddK$<DMDbmBvJpZUjChK!zbB7`An6oqlEKj21~`7
zk0_<7E1}JMSy<&G9|c6WlIJ0%azNs?#+3wWPX(bP@w%))M2R>T!Q<%F9fLj0A+Rx8
zx#lI?ad4^7zxUj%?TtTtNi|p~d=mWS1GS1Aq`<#r!%!t%lMS}!$E>Km*D6V@ztw9L
zVR}_Ujl7i4Pb<$tE3W^j-*ca4`Djrq3YHhbx!df;V^ctYi8j(-FGai~>ai{z>Kj3K
zceZgYNYO%XAE(-FU|)esk8FocSla$zq^;)IhOX~881F{~BC{%S)(htfb_V_xB(u#Q
z*mVL#N2X`bZoPKeeuA^dY|a)I9ZDbASLGwa{T16q!VVHqWP5LpS$7NX?alR-7H|`}
z8kJ+7oe==quqrT^H-OFY<Ecfng)$(OyraA}9XtF5w4bLz5EOJ;Eh`iUJ{KoUJ5c_x
zA-HOA3ATyK3E55RHh6q`%o-0*OEF$@-<{^T2hR@kT*--EUzwMIoz#Y~<a|HX>vNk4
zBe0!01eS%asAP12AkBGU@+hqNoC}!(0Mwu{TI&ex_|9IO2NkFxh~_S6+!4#!pkk5z
z5;G63=(TlWJoVHS$PV-KU&;uL?720lch*an|Ft7&nd#B*7vR@@=z`T8>W^SMxvm0u
zQi0GOB}`S$uWC(OwTbh<^BjG3q&9?W*-~vLJ_K#vAw<ooc@ox-a<@+f*T6FFmlR^_
zP3y%b?WbT3tFPTmmjVdZm=R4Regl!q1`+PuD+!h+1~8eHxE{bPQ`blvJiTVK7?tKc
z$u~b*tv?V_<nUR2z8^&L@z-KR$LDEuT#v#5Uk+i19r<RkhW>t1p^d6X($#@tr!n|`
zo2DjRF1gF)Btn%Q4^cjYFx10$88#p@iES(d(x1QEw2rc$->b%&ea0|mWb}w^x8B0f
zjrqS_Kk>3;_^J>3(#O(HY%mJeG46$6&2-2sPz@8TS)ndD`zb{Erp<}xp5|{qkr}{2
zXQx%J6axnqR&d+n*I7fK?r2g}37@uZl{;4rRug03g<#!xw3j~yw!WiuMeHX1l6&)x
zDSLN<WG=iNMSB+m3gnhVIl9AV_3rOs6zwAlfi?9!pWB8MRVovu0<Wwt<1AOR^*`=~
z710{9OsTg}>2Yr09>WZFFGfmf>F(`cR0#V(bBC;c9c#TN76gl#BMzdSIdtf9<a+o;
zc>Q2uRVI227C7@6dW#SccDE*7tA&N_#yxrN8_umh^AnA=rJIXfPN1Fxgz|ENCjE|H
z7s{W?xL;8!;G+1sW9!B`S@CbYOpkerp8$!J`m=W!3g;RfP?%VgT;3<nltA_&UYb=c
zqf}-tXez9QEg%PvE`I|2w&H8o9r2q3(Bd1D^YR!}>E5f{K}b^d?du4`axJ<ZB#OSg
z<~_U(r&M&tKo`r)ZU|;N7WZoV3T$OS^(p&m70e04%pdWoYJs7LD{QH^`N-fHdhqQ>
zUxq+XuvTbR(o})Yz0Hgd_3;52%?a2p%ret%{>0uMMS`N0#C2!0LQd;UH%~8h#A&l>
z7w3y15hx0F-B<Lmo$*^Vr%Ky_;yTbtHl5OC)|~}sA8T`Och`XTo9#rnOhY#zEM4^7
z=}4`5^gx9m(Rumj0$%Z<jq9lewGX>Hy5XBjU)PeO#Y;x;r>PxHdC2A0eny$_BaB15
zXFRitCUxNcYSxR=AT!;C@`@)3^m>RHQ5wum>D`Cr|FEj9s#TGqL4uXm>9<ksO^=-+
z<0@tXtCvzWzTP57%lYghw4NsU$>pX)vFwj17)8zAT^kIpE=;fnBb||#t&Tk=*VB6G
zRnpYkOARx9Fv*GuSuDHv7%WDi5s~d_)wgB%y_$o>_I&dgx3#XUF7;3<Gu(v_zh8x4
z<%t!nL^VD7(OZ}dMfv0tJ;9NrE0KTAcSjw~w0D@>+l}8`E@f$I(+8IYZZJ)nPj82C
zRt<&>ru_=N{1k_|FM&3n9R&FS5Ckfcam`m5`C?No*ior2ZaWe!aJ{*vDh0znbOzm7
zh5?*fLbmCcr%HpDQ*o~CWoi`U;$#O-GQn>0XSSaK#3h`8cO2?I2tF;OOHK=u&EpIi
zg@&0OG-5;K)Thq)wKJ&`PQfIZ7WFIBZ$;+4{NOr!i*17DZOP8qUr_h&-}3u~r>B@b
z{r2L?C$_upM$%dn)EPVaeCX(wVoEJHg)Aob5aKE;Y!Oc)C9uy;wn#R0=|Zm{i3S$E
zv*s&hrSES~d*p@-Mg{^%FE5H@(i-^Eoohh7G>3&{-94%*#8_cn`}R~Q*N=yaJHR_q
zEOmFInl?E@e|P=c$cwmM2CPE`?FSzozxL%1OH-{^SC>As2eMvUQc1<-v~z^pGrwJW
zK)8brE@sns&&zF=ZbFzs_7CZaei>>YV80(H@X+&PGB7T#4#tvZQ4-_^xhi1f;s^Ff
z?RH<_<plaN2&>z7pz8~ntss-st!ePlcQ_VJ$6k1o?%A%CI_S0>1(8>~Ax4Z#&}P&R
zK1?`wp&}amh>TqH$oUq*&L_PXzqz)_zmux!2n1Mw>qgp=Z)}=J@lm!rOyS&)S_%+$
zLwXD~k9&H6O>aOef<=zDl|*YXmED!^CJPj4?gz#hvg)=ei2vF_1JYxTx8{t|8k*s8
zI|u}L7~-TnSD=3H5qfysuRVHY0GkrCD3S=zlC1DO<RG%O0prx({f;oDCLaT6@7WGd
zhv~NDmTco|9vifjjp2N?>#j>PYE*60yL-THr{6V6gC3i5V{jitRYUs(b2Bs4%~a+3
z`$dJ)i{Qc(2t!X#EmBb$)YyFu;>sCG?6&p~W?_29_?@MjP8x<#g#rlEBnIM@LAq_f
zf|tP-H|sd}rSH?+fenqnj1w>NlAeiyZa~9$a7`6IAA=8FPG)hK<S$)KZ--^~GLQE&
ze>%_}^acXpOPFp7Z%>VJos()}K$~Z4e}nWL2nHh6!nk6pq-ao7KgL|;XJM(tZ@^yp
zTWA&xm<$;}5*S}A3(EG=ID^IABRAmdV*q~v+0Zjb<>?lp3SlHB0Ngvmac=B)-hbVz
zRx$v_1*f2B3`FcDbSx(tqQ=0;%qW42-M~BA`M{`$<(ZwoUzeXjK@+BFbN~AB-R!YD
zrY`SWVa+aM@H%mD2>1NN*rHC~(}vg_wLFpz@x>m~3_e^g*!sK{ZrYJcFKBZKyhSX~
z@-RA-GYYx8y7yJ8^)hadYtVK6c{iuJ%CHTDSEiRPO?RRqx3iS?<3>(LWz-+RcgJ|P
zu*9d!#$0H@m(6YMC583YXFh^2)rkU|vE7L$4JoZo`?bto_;@|?m$}Sur9WjBB!1$f
z+r)vV4ccb5Ctt6C1zj~P`@dIs34Y<a2IEe9f(MjVOvvxtc`5R{0_)Fqf|3QebTY{!
zeQLT7t{<47{35{ji72#jcF$v)sFGhS-M<4`&*x{C?T$U!aCFGp<ipna+0P~9l373d
zj3t+8$QQa9;fA*D{yao&zMXfij4Q_S&ouZ>37jQ>b+5B~p8RKj9Nup@A^h!6HkyZw
zKiWke@<PHQNd@va{zHHgzPPm@=d)~mA^B(G$m{XmdOe7$;NL?Ne^Jb$^66<RyU#MP
zUU`M&n+sp#vT1t%!xp}eVwMvo*3>r6o;|B#7MS6B(U2e`sEZFJboyAef^mM7`Pxi;
zvCxCo4LI*Mo9j++p`JrUS1%PPz<QCWSRm&3{f3mo+ICBN5osh3-tD@S4+^0B6qNPb
zq>(sDrg6QC$+`#Z&qQjGPIwo=#7r#=OHr9=KiGXR9;Rknl5en5RZTUc%{9Vclwf6j
zEJUXUW^HD~9Q*RE=fD8wn}>G3Rcy}f=40ii;Ky-u0KEJzsewh-X&$4xT^dnneM))b
z-omJtT<SS*=mo6AYoPj!aa#&2_yArpCt=EhKgP0Pj2bUM;<5ooYBeza8xO@z7IYw&
zuBGafVo<7??_Lf&>{ae6vC)oboUOi}$Fg;jh8g(MeZ=Q>LkpH6mb=Z|Dw`CNT5{g6
z49&(qJQ5&iJAOjlr88Y?45rKY4At{2ILN3^pNVn&+`|lZC%iF9@=>QsT$Yz~jG;P*
z>NbL1I}fG;v!JZHgmnYgMMD@svz}hJ>EtZvz7<9NA@R0AlsVQx5hLzJVDn|@0=R-b
zGwUyG*VKa!h#Ne?=3xZUgPL5`d~bv}TD!zK3wjG%CjvD(L&q9tb5Wge$zwKS6|1vl
zY8~Itn2qX5U-3&I5xuhT1)Pxo5yO~LKy=ID!xKp{3nekwS3XM5I`23e=?cb^n?Y}T
zc(oXkQ%^u!Y1|NbN4a@*uhxasvHij@BbBxcRw1RR{B%s(jU@T5=^Q5h%kQVmH1Y!H
zr1n)|z=pzRbpedkz=85Pl{vK+Dp0`|N1st|yln7JBM`ZK<6nGfRV0{@>D0i^n4Z7q
zV2Y0qm3!oUX3$jMnnCo_+xm<`-#;VdBN^xoHaJN8lvPzK&}Q9pSypzSJhxVU$AXr#
z)}<jN?1rZ<4NX<XNlGyy2lXW4Og0njc`%)5#!Q~I8I@#Hh`YbyI$E`F3S2T*P=iyr
zg}Y$eWe8(LS#E0%)zKnFeURc53v3JvAh$CsrQ9?MO12Ejv^aO(^_!Ik&4ROYKQyOn
zDrJ=v2Du{6Zd%o-s}J`w#KW}y+>kc~iQI7N)eI5$^}Bc{D7J%WwC|RiJxA#$X=q?i
znJ8D0$YGr?^sdY}6TXhWxOMmxxV0up2z)n}NnrN-SO59<PXgdqkn2Y_@qYdTK{t56
zRz2my+*VIa)#Ym<+jAA>X*iIIwseek6SC&%H_-y*1`^3UZ+wUkWI=gD&LGsLdEtF6
z^cta!g?g%kC8-}_(6`RT0ftIXXJ%%S@+a$*x^r89x<plFawZiFX88=j`(|?v^JNhx
zfdfQbmO^nOJF_sKeF)i`&$eamS(3b6t4H3ik!un($=sDCpn7Y$rn|v-S)E#o&#Afl
zskv{unuMidA%qL*m>mnhAzMES9jj|_o!<R;tuU@G0|{jm!bKcA6EdzU=rk99ryCl?
zco;DUX0VLKRD8LT&XTDADOA7`6_7DM3g)S1>TP0)ead3n4%>}va^A+S!)07iStTKP
z^SL)K1fY?K)FTikV04ZZM&J3-m!BN)2d^ioo}4=g5EBw*gHNlCLjN^xd(vwLEZ@e!
z=Oh3Oph8Vc=4#lH?n)AZ*S*9?j8)NswpVu3aGr)2&E46g)LJO*So!SmW<lH_6}-_I
zb>xkzzmG#5`~F7x%_rq|)4*u>FqP-*HsOR50T*;1&X;THGPxwM+`j#$ciN~f^y?EZ
zRP-A3sZiMPh8{oTC-=s6sHTyfI16o0(wbhzEgzYxoOX)V3~N2pb+-B?TObq<t@ndq
z7>oxuE^_zFE5yk5rNYksly7iDgW>6|csEe7%7^+1y@U!*%xXv+A6zMhU(dc>W@7t+
z0;(ez=*JXXf{9cEsPo6?p(q}OK66ng90uIFqq5{7X>mMFS1+ENso=lbiHbePrUkOv
zgvP&Cx3MeF2TNbmTMP|59aR7v0Bj7LPr2FI7auYDLgAn+ieI;#7uM=7a9Os<CRi}J
zs>_s$ld6ZQ@W>nKMYBS9hpOR}c@y&|co)_NXwpLf#tM_+&@S#m-ER-7a4ufzF>L`)
zruh|Eb#PYWuxVKV1XY1lnZ;%Q6w;($djV*x<RkdyoR?<qtiDRMbb$?f#;xt`m;(54
z!o2~Q;=q;2g|sIa+V5X#urBs0n;Lv6<`<%Fzs89Ej+cGN{rj>Pl3JO#!)TSiQEh){
z=%MOxzSIM!Rj<P{HgsQN@EU$&aU)fu!$dVz<Lk6SsxpTYeq)&#dho|fRa3%nBU|rv
z9kBnj4)104{TQ@OGSTOqE@>@(1LwLESAFS?4$i=6$k@5o!S*x_l_lID4nJ$+h4Ouo
zUMM%ikmcNOmEq?G<J$(`z6>XdA=zdGCrqFMtw&D-I-Uz>Aj;~N8ka$`bpV^s*-k1*
zQ^NtQetm85@9_HTOF1ItV=<&N&NF`f#ZK8TxpYLEgNaD80CWlfII0E=F6$kNFcK0)
zkVRRX8IrurPTH$eM#RZS!K5!Itd>BN>f4WHpas7$6!920yoAC$ObEPqjzdVXspsnq
zU0z;Q4mANL-`DL{KFJ6)u)GtK%2l*8)58w%+TXQ1ewuCuhutt35?w(JzxDZm@fPoJ
zKr_2JCCv*?X+SW!`(Fl=cl)YLS|K1Zu-<QXOqdqF0l*mtpGn)9lGgS-xbb{3&<0Ya
zw%+4zhVNmY`U&aB3zp#OCqP^nFM`8V4TeN@6X2`YsfyArQHLSr&tel0BUpy^XxgU?
zCj~R`7(MI0qD~P3Iw<YIj@EM83Xg{~a31d{%VA@^zQX@j?va>9pMV+^GkBN|D&JkC
z(lF)fknx~d;d}C%4CPoL@REUTA$5r7@XwCo*H3v!(u+r4j;7ZP%%2<H>x38?5j{D5
zU8^|^W-yT~wZdr?WGn#Vf9;3yZaLIB)=z}&MO~IqQ>E#&?GoO#$FKTIf@xb_qh;||
zpGg;6w}(C{Fai7g#_~0>jT5U!`pY;TQcZtsCr~4|hOG!gVoG@m9m{1TE)W$Ki=o|*
zSRQ6^0M~i;8EwI&`R)?xD_7;Viow_V=q55EPEsohZmM6O`M2-U2LpJyesEue``wlE
zV%tZu8$|=b*Nvqo06_N|NS<6G;$Zn(ureO8F;==VPKOjbVvpLC;tB(JG|*;=vbr#T
zWUZeqbn^umtVzM<hji5p^C&=2vYLu*ny*KKjoK82C}G}Gdk@l{Z>%lT^cQx~^h{5y
z<<bc|pzipkpKoVUQaNOL7n|KOIOWiUK(DUgmT4^uzr|$WLaP27{p64Eo{a~tVaZ&<
z@>h47eCg!%SDpZso{<;nNrW0}MP+I_cR?!)0L2g}`9ftN*u&!}xIUiklD6Rf{c)6t
z-I&}#fCom6o9=&p97~_Pi(sT$3Z}aapoXCqksFAU`ix?~V^4Prv>Ldmw<^<L0V|fx
zPuX#2ye=&5mhTafQ_kf5B!XYGGCF8>3k<{3i7eyBBiRRY)8oe;nR&%WH~ROxEUQl-
z9bb3Jz62Jc0Bs0kQ_qus8eISWd4>X@zpIe_(&AkNHo{e4xmwpzR0x>`+p+a&&<%)9
z<{ZDkqaORq7O<M@-bprYr#S=s^!O|JM=D$1j)2Vz2?p5)h?hBtvR<H4{J>m-<b|Y1
z)t6XrJcE4y<gkg*R^|3*9diOq;!zcpcc;qx!IJxg$L9KeIy&|j=jR@M`0zn>f!FD2
zkC02UrA5{B6HNlObMfA(?;S*UIx0z5(0oB!p1L{-rf?u>Uf<!J`Z0j;d#Oa(ji~=d
zMsjyLu8Jyf`2?XG3U`N&FnakPzq-HbO4I$fQH}fB?5^>B@7<DEh@W2`ItBMncHeL3
z_SeJue*c`Tj6uYv5GheM()Nf-SG0)d#MbfOhRgIa*q8r?Yf3seJQ=uxpTEb82nn(*
zB>zK4{qI}IM^Gfx5&W;4XSjv`NBdVV1{sZNbj*_)LamQibg^+sQrhb-@1fd@J}hyK
zl5+Tn0rlTS>)$`+GnWNdP`CWq#GhYNWp;91zmlw)8TX7{P!Tpk(O8>5^C5BiiX#X7
zf_8kjn|K+>rK>dm86Sx#fg}XzIs6aw!|NIiZ(uhrCPZz1lO2{e1Oq7%p^Gfhx{#|>
z3t>WMX{P(QT9$!7Y@3kA4U~9`ioKDJd*w%iANZmd@me<pHchW1hhn=09y_)>6kqBm
z+B!ReGxa~#$Z(Yy-0KG8(lA{#_%D*8SKzv~yuBsSopUD;492&bRY*-i6;Eku%e{9R
zzPnEft8Vd+u$DG_RZl%Eft{`9!?ZmWSA<By^59hGuSx94U782{53#b^{8-@&%Nh;?
ztnxJWQ+X7z@~+F)dw0CJaa^8h({&SSiBCk?;3>-|hV>wP0qHI5%VLz{fIp=3H4l4e
z@~4_&y`g-*D*A1RP`PH4W2B<=Tx3qczwmGTW?f9+5g7s-6>7`82$@;NV;&v?H%~t>
z7L5>t%KF?e9y~RvjC;*Ww4uXIfFLqASIZS4n2`Dwf-@UJaY5k_j$2p<+AlN)#;wO<
zUcf$>l4rDh(!dKDV_;cMFu>OmP(U5DUOq;CkqP4&=t6n<*ZukXChZ`KM5vZGU;jXM
ztrAw~#X{RTp7C{oUvGd}Uw-qtBkaCu$<QgSU5$?gRoa6D*Oj?B@D{(S858*W0&-rZ
zBA_NUxqB`8Je$+psQ-Ru=_;7luXntWDC-Z+RcK?jabqx`7ZHtxv>FsT1<=k*LUjxR
zZIO~-T$6d`qVb01Y+u0`JQo{;<Qgb(k@N5BQgxci{0Jf{%(shRY%psn6MOLiEUv5{
z??Z}-bzed+Nop$_iYqoAxBvDi{TnS4A4OV%XXJkd3;eQ~T=$BEMRh38@Ih~A#Lr#`
zBT@6%SPW4M3T0Q}q^jA3r_N$0Gubrsc@V#uw}+PZ<fqk0dU6x3uQJt2s0X8*1Kffs
zjyID6OR=sy5PM$(<s4`=6aatFS57pkO1YJK1XkGu!l9`~iho$#adr?o?Q2J%5u55r
ziztR(Xk2)3(M|~qEbj@qa9)J1qk1#lw+2KgJFNcTXSYthnXISWl@5Cy0du-N@NgZB
zL~9nNTI*BHMO0K;;f1RpR5>iLupfOVwJV=_X!M9(s(IV@(dWM(1M(9k;_E{_QvC<r
z;z<I_GVx6cMZB-%U~%ESiM@=Xn$b?<hp%=%uMBkHundYLP;-lUYjJ#w{Hi<Ooc7e7
z?3RdKs%gJ^SKfZ*()kAov^7xIbiSM?&I0ED47<kSU0~7bYi2+y@Th@Dgx9k^m?HvF
zD6C8D&|*l%@pZIk!)boZlVF#-3?ZsMrRP({)2kzPudgW_E5i>w3h;`j`#lkT&w8Fa
zkphn7@t@)8!+5rZ1}YVHj7FV;@Wjtf237wZ^y79%m+6}BZ@Az^d+_M>N$dl&;bZBI
z)y+&?n<c~X^|Y@{&P<bOyLA+1twKzRD^J07q0J-e0M5Uk1TMruTios`cP1>En%l%w
z4HiJ<D!AhHH7bL{y_{-TRRmQtX|F-Wr9sOad9<^=AKF-HyG@pl^s(|ppU4CXb}Iae
zHb1i$a{J02BU~`;pJ$S^e&X8&l*Kt=*n>1bpen)}Ss%g`L#iLbspYH|W2eyr7yg4<
z`5|it$ATX>j_&{m6jn2R1w6i1(DJ3K@!3TI2FUhWgFNJvlJt{<>@2_@V@~@$_Yl#6
z-XPZPOZm=?MQBF~wX!U1QC>6VdHumdx3Q7w*JJP1@_0>C?$R!+7CE%u&h~3^`tOXx
z<O%D_;0R@V{rLvUAYMFbFSDQN$|Oy{2mZ|}V_<XZPeM*x1&gCN9sBJ=)&bcvO6>;A
z-dYHocLsQBt)<E!It$#fJ>!LHAR}M4C;Nodq!9F;`==*%ELT_R9L1jS(*je#whSE|
z#LpTk%qKkL9$-k?%n@W?^vQ0j<?Q8sk5qTCF6(}9@bTG>O}&(ZR7hX`<gQ-L3);`R
z7*^in+JYtkYzzBKd9X2=U7t#r_ay`GZ9jT3_w(|ZfG<AT<aC_v+t)cbYJwy*tCn$H
zsO%-d^VU7PP)Vg=)i)`|y$AG8L|KI!nIr|ylaUQTN36Jx*BzeMR@-nJa=8;|s(qb{
z;4vwjhke@;Y}=lP8!;)T2&4N?Of+oV8OTkJ?J8LwptBRUUxTYc6XED-)DYQiCPs&k
zin^e4`U#mcBzRWyy)1t1N}04zrq9AUSgJl`feaMA`WSZT1SZiRAkBo_Pp7F1u5f1P
z-xT2ISB3?QEb!b9_Mck$K~2@da^E`sKKfmkvLJ7q30RZp{r&9z?5d7|eO!m08L$Aq
zRdaVej3k`&=ClusSUgdpq_bvt{AH{1`2N9Sku6V1pKUYQbd<+tHC?5Dc6G5+=Ul20
z9iPdGRnAZM)0ctLkpi+v&a*dNOBi2;?f6(opsa$Kwg!gn@DIkRVdfB@$xF5FC|IPo
zD~6AkD*?G{Hwq7LYy&e;T7mP0>2T#AVQ-6N{u*bin70CblTmI;x*u$IeB;3c009@!
z#etdyHV+J~eCY*`!FI+FU>{{b5W@_a;#L7C%>|}p;(*m7veQf0MXo23&*%;+{2U+t
z{kDipBDcl084h1uQMK}c34_;3pH5Kfin8u7AqZLc&p3x;$c6L#<HG&TNB#duc(7gd
zRKdnaW+o;r5rFLN%*Y=_5ki>yZNUitFGCSOj*2oODgVF7*ucY6*7PMCnF;l!I({Ab
z<gfn2PYx1R!7{MT;QaW&+Clc?<9#O)*8BPvyj8>#-geJZ80y+tfg9WOPKZ*koqpG{
zcM(Wvw3R(%W$O<1j<UyG4=Xceb|6pP`&81V?XZP$uV`<u7;FoU6!Xw-iI+MKhc8=1
z1T}U%nd8>y(1%>(xhpeDCR^x}b`)a{o!5Qn*TQK2nH~Qkups@QDSPsuU8=*2b}GOM
zf1tIjC$Gb{F+|U0H{Di!-_;pe!8zU-V=3wZavz)d`g3cI4CgE&&wu?uwHZSLf-ATR
zl3#jYt5gt36Ic~iAiLK>i~3GE>GPR~tp%`~Dod|ockBK5@M%y)1i?0HDbRr!z_ms9
zlbbq4p!080bu>6F=nY3U9sw0V_f~_aby)V)g)(LktA@NvCi%Sz{SjZpk+$xF0ArsB
z>|f)CyLQPG*OQxCygHqlD2we#Gc3PHJU$O;JRUIB@p-tE368jdO>7-hRe(L)R$!sN
zz7BwB@a+=NiM@qX&Th5^t_|Czt7Jr@)N^YzL&W)KCG&6T3okXRibl>0(z?BCXWe?d
z!?axK-XJ~#X6N0>rfr%PCc`aZk}Z5fVv;NgpFRGtv9<;v@KH!}OBwgu6Q`cYXgP&l
zXA-s@m(70C;W)Wlog<`c-=Qj#5+Hdu3@hvx&7sPI2MPQMt-SHMiyx6SZ(Fhgb_<Yn
zm^;2#A4ue|=(?Y4d!$5FU?Te}spcK@7O|>A5-3e+1=~!Um~W?SH$J2L098-F>pPwb
z6|y46)yd-qLEga*rA*ieR(zViA4tN;ptq0BZ_syr1ke?lHO1n)U)lG6pzw<7xTB9U
zj1tPwDpJ<IJ50O+YkFl%?Rt&1ZbdfjRwKtG$%Y++MUD@;sSBYUi__o(0cJO^BZzb2
zM4gdd6SShYL>YmD2Rz156zjMuyrEXg1qI48MzMjxegKnXKnVd%U4_{lSE%sAGTRPT
z9p*Op5>lkDVYZ&$MomW-v3k<Qen-;$%Ct)2rB|L?-`j|Rpc$4GACh}5rSs2B<W)rt
z-@D@5eE|LSyvzV!8Lgnv;pJ#mdJ6)DM^sgS_ozpM*ukTghC}@XFfe2(tn!52*QfWS
z+}iOVQoxj{AClmu)H!oCdXI>SvcLh?c{zlmy1WMH)%AIHay7v5bVaeJ4BTQej(|Gu
zEN)hAvLuZ*OF2VZq<m>|k?;1kpi}LJ8uG009ZK)_=;`a<pfU8Ovf_^MF5*rgAl`}?
zJXp#{EU-=FHm%(1Hmv$3G*YQ-eGgrxA`sBA!DjtP5f^1U<`F`Q^Gu+A<mEtCS_1XT
zEYC#OWk7y(@b1X-S1xeArk~XRPTs(XVnV|!x@E@;8WR8_OG3w1f9fVE$W1_EY6uLA
z`_&C?!fsIc%I`jS%Am%uI^Z(NUiy<Bn=47O(dWB$mOv2}663yFUFw_<ZFiPYJ*}<$
z+R|r3==I0vy$E-X0&P@$+HV73_fd4O1rKhuU4qb_Tw2F@irIq!#3heMLC5(9Z2;}b
z?RVe2P|xL>g04471Hh%B75UD6$JUjT6(j=jjmw$vD}mcNDf)wxqUl-DVOJ}fLsi<z
zqzKUjK}`m}Kn8s00$j;*^yHejw;&L$_iIcgivY%(PyL(LK{p`1_39!vLWb9*O%iA+
zJyBd&ri4YwqB1^#&yQS_A+`4~kjw4s?jIiQn_FnT7SV`bY4oT&rP^Pq`rbwaIyV;D
zXHY`5-cQ+LgVx%QyYDKr9=VbXt?`Q152@++Jm`KnKxlI=26#SZC{Z6S%=Y)LyXK;a
zOb?ZE@bi~<To4rA(Ys>iXfM4+^!+@H{D<eEA68Xy8`f08Lc~#D;n_1B&;Fo&rnYFG
zPjd+E(+e$R^>)0E#sv5TNWqTadP6t`FOG<;hqMKK6lEnhSX;!hf}Xf|uzs0SWpG-3
z<AH_JdL2(=6||WNaNZJ8J}C&zmm0Kq_j7J%JnYaNw_T^?wbIZ}!-C{a&aW(yqnx(V
z^67KAxAxZ?<lz<fYDKk(et*Sv0{{6dhH|UL>;)YRzN=*$1>GYilZLbc6OPBv(6^`E
zwb#%l2X72b5ePrbP=I6Nfg5Q)BIx$;2Ze%eppAz1wJ$OiXQV_oxG%p(iBOGPfp4-y
z!h7caUblxC7>Ol_!;3qi=i>vUB2GWyBQP#3AVWJ7GxG42SE`j8?l1W_M<V`Dyf)w<
zi=5_-*mN+iaU7%|k?fBL(BoxUn)RXq`JkP>vEIX0asHP=9FOD_G>qMnQZc<s6k7H|
zz!=Y~<xzKd_QKeiuu<J1{O+MNjl3u6m*i(|4-^-4o2b55)sjQ){W{o7Cq@LUx?=)J
z0>-o6`;gB+%m<+VtOg6V8Omn_BU942XZ>uDnl3^&{n}v{<OJ#v8Vjtr9N*s-O6PxO
zcg|5}WZl(hbJ9=Khu<J(&myFP9Y8LiuefqVI=djDgsNLcGG=fAP6v2RkhcnJxd8>G
zIWO2I&Yvm7agvI|1dC`;!VgwBPo{K!9r+mH=>kfWEZC~)p+#Fog1NDXS(~NOT1icP
zvIZLD0fy9%5P*@F37x!BADnW5&&V27K=;b<TI-YxaJPcqJs?}_ore|DHHiKbt=O@;
z*u;@&Z=a3p&nwSiJ~a5v94Pnk)t8wx07@_MS^4bVD)NlbM=9l?NNeT|U)W|q=8+kK
z_<co`HCDt~2mnN?-I<|d=^V!{2z?(LT$&)@&m(ZWs5acfuB*T*3yqY%=(xu(ufPgr
zkt09OUT&sITp7=Mr{$8}LDP#5F~=SH3+*>`qC{LeLZ?kMM0mf5*o-~`txkgui~FvW
z(z~PnS4V+TmwUUHTqlG}$D%)2_dJz}%v=6)%^2<_0-%Q7I3kA;_8~0HN1PW3p)0Mo
zTWJ0X;4x)wsnu9P#$oqVt6yIEMWg7NEXa2vZp(lt3p)s~&l%dak05d&E<F4jn&#*h
z8=F4awj6H+ilmotD(%^|bPg3*4vMlVqq+`abJJ`=vOyiL!a4mxO@#>1nOeNNYDpnR
zh9B15Ls3S5Bg`k$nO@jIHrjcbEsWbxI`Rq#|E_35;Kvu;aw~<$l_VR%U%!4RpE(P+
zOuYMmAAk^*)}prK&-Ty@G-+~uY5MHDSdw*^$H=ZNICTe-G$T^AVg`H31i~7Za;<#6
zr+wOgllB3JKg7r-nx6`#9k4EysH%mUeNX0x-#;{jIA;`Lq{R{56<dx97V+3Dc4D=J
z=<-h9Zedd4#z#gN7=*$Ldk|~&8iMn!hmz$qdkjUBbosIAE(ke_K5|H2oar9uXpY~t
zx=s7XEYH^cpfp5o2H|wVPDiMi{XpXtrWF1M>$B?Haa+W$-4<bdrUyo=12<CRyoHWx
zAJs~Tf~gtSBpdl-1nBw0vc?2k<#E*Wy~al=!{Ds?3v%Y{{%3vs=n8UH6&8VL0_lMy
zWO8PH{*K~CUXW_WB~@#*b#%+P$!K?fFcouOhq?Owd;C7T%HLy&e<b6Kd?)#Rfsf@A
z4?zWTfTzvwH$vs-pOSPy{=m^MJ>J4@#wj%Kr8SJTi0k$hmH|9QY9L`;te#-j`O_m{
zW;c3XkTl%y80QpnQUx!|vIvFgL2q)S?s_ZC^!zKmz|@VLRiFQTCwmG0??yZR#LTwj
z)c=ES@KRyf<$Yfp*nN*_1up#t4OuZG-?E_m4?MuLVWO`>LpoiL<5;?RbK4d~2)c~c
z$XG6ffZSH8`kjv*|6ljT=+o$b<&jW+_RwB_TlV=+)ri~owo(z0;7^s}H;XhOqy>OD
z+R-YR*z4p$1Sn@C?!WjG#QE(lN$Tx@5A@geUq>ne#2!bvO4qYydU9o?gHKQG<;-QG
zOdyb-EkBv?N@KfjR0@0=On21%@tA+WF4=+n!1&fB!HC{S!+Kos<N@S^B@vZu`@u}$
zeUaVTmaa4Jg((hWHAoipLUxh}mIdpQgCV7NtcRU<%Ibsi*nI}6a-ElFIY7`I*!=n`
zXePDdL2R!0R`)`fhzr_vq4}y}q1~OS!O~JlIZO>qZlEwh1`gDq*j~XXr>VzXu!2IQ
z@31TkTQVa``2-^c@_)tzPw@i?*|6u-wucmLZUM>L6%bgPxlt*EnxAZhjyVuvxxgSu
zHh)?e>AR+S^D>?tI(zYm+kyh3N5DHGRquJHxhen}O)zVv_%$)GKPXvQhc-tN7zQ~8
z^+ag!v!K)frP0%3aJm_H1oZBy=Vy^a92<#@+r6AwFuowU;|_Ad!)>4Ct3$J2uDtiR
zBe;rjrkaQ!8LQzW`!;Sn^OBgeGcqe>UhnOv`1-GTrw0HZ?}GseMZgn~+QOp=kxjwe
zU<j1H$mGuig#m<CYpS8?*i-}4wl}xlb-;fsK=Epz+-!1P*lpDgA<B?weZLI2Exw~)
zfWo-Z@gXixfdi<EXC{<F+sd*HkZ7B8_G~e#;oj4@T})r{%JkjTcYB$&$nS(HO8K71
zCSe0aq}rWp8ZyaWfn*(^-7m~dG;$f%1_vQ|(U(zdmI6lFMA$)huuO5~2ciH=vtvSW
zi;)o)g;LPnP#KqjIE4d}O7IWKW1z#C0wDrU1isZWp>6*i;rmIjTna;aH_y30cr-wn
zTgjit>xS(-{wt=$*TV*{Mv>)6Ae1Dv!4?6LOG36pL{)Gkwy3giglanCbON)5>JC+Y
zN4YHr&PzoJ<swXjnUW@GHUwJrk&(cD(DA1q)N-r!66f6opY3(*;KFwLgfche{@8AN
zf1+{(W5t2S+p4c*z%mFyGJ*kXuX)Jmep|U_yf&nfv5Fr`8)`0XdSh|0_CVyf!7v6@
z0~&x!85v$E3-8FLv%pzoi*WBGXl6p*qK|v)&VOcrzjiDmDWGm!0f0lx_<aJkgHRb3
z)lVz+$K?Y6J06vRl=<b$=4z2m${zqg2!T9X4P!xK^GCX&t&;)D(E!R7YZ7@6M@Z}-
zjRk2=-{G4k7nmLsNA`J3^_}3{Mox!BE+l)`{tv-vji8%B*x?aIxWln7^sGdo!)KEL
zd<xD9N;>rUZ$k;@S%iZ}*FZR2%i!2|3xmLSh-6JZ`uv^E$;Q>a>LO6gGDCgC8`Bsm
zsGsfv!ec?}Pxk?~s))LfKur{&3M@<L2f0sk+g(ltWGw3J+dr9oWV{39`NDVRK}lr*
zs7p(hp$x(!0u1)?FFf!o0YF@eIp|u^9;yO#PlsgBAtn&lyd<S!sRDhF0qpA^7ZxG;
zE>1OC8-ekx8ekGG4=NyC%6z(7e^w}=*X?~sD3%$V`Uz-X3WPNJ_;KRi<{t&<v74Uw
z2)bCpkuW2eWZQFa+h8Z(Q*1jSe+L4d8Zpw7hJot}V?I>VbKnOfxjfr%2!P!t&dm#j
zSyRfR(=K%{!8-yn7NDZ-bQxe!eT*<@uJ(Y&_I|F{Lz40z<0XYWuK;u<gS2yjCj9cj
zzaJi(wCBS$Hk16RE&EsTC&&=VA@^<1yu_Vs3r19`rd#js)GSM3eXV+R0LsLQx%|vw
z)EFjeFS&mk-bpn{&8}Qmdf9qiK?tgMvq6lOVv;-u!phoPGf|oo#6nMDbiw1d47yeE
zNM85!IQQ;@I1^&mL;Z5wcla>79z^xQ5Yr!}-|Nr0bAx^X021Nj7ddua!iWpt%Byf3
z9RErjGSv|8dhy!Tvt&>N%9pdF+m#)H^yZrz%Y!g=b!u+DQLGk}0tSHlw!FGPh^$^@
z$i1t{M8Ev%Bk66?ZL*iA4Dykiw*Sbl>k;V(bly@vdtk3-FS-RHWNlgQGmIlzF+m!E
zPKtP#;N|QjdS^}H{3?QX-_Nr0w@Q$SV2i>1lRx}#=#2li2>h2|4cYns8Wq9D>sJDU
z`jNtp@-TC+`~P8pMl#k5wbvCCrK50}ULulL(1&`5lbz2ed%`w)QQ)C$74b1igy_)y
z2hqWwi-=xmu&+=3Ge9%FBhmwz!J8M7ihY>?Kqjl_ri|7{sQBz<I0Y?jAn>is)4+!~
zCO)Q`fHqy)i+~sb{bzXt)G2o<mQ}m%oohKjM)_S@7XR<0Wo-O@?YELatpdNQ@>vrQ
zfn0!K1VUG>b2fCWJW4pQ`*F5UCP>8tpj0Smm4v7+xr23HuuA5}Gx1<S=);cg`m&5n
zR&FDWW71{zi`$wKlngqhv`1A|_SvM~Fr7tyIZ-weXrO1UEQedv-uJ&6Ly8}AtXd^0
zMTQdq1FHs6PrVA%hyfr0lmwbW?o4m2#7<=LXN7?RR4s;)0@&bIBpd@$6ZSa?fL7x$
zVaIeNBk(#yz%$}o01e3r!0CAhVQ|~h$Q4(J<#d7>{yN7W@}8Q~7G)KM<?qs-G5LvP
z=4qnHx`{UuR<RP_36?|BDdJ^(K(KVaN#6C(>nHh@fX(><%6Ah~O9^mkL*$5b&S-$4
z)?rcCeA2n4G!xc>C%Jxo6<oy5^is!%Mt9s95;lP0&XbU511LnliSt@@zP{ZYXERi`
z<4#Nb<I|uZcg+J!j`{fykEs%1++prVQ91_wZUF1GBiY1rpmmaa18E%>K4{IP%RXcv
z+S_r#$#T>C@Hhz%jn^pR^rr1$vJG>q7$AO=I16}_TvyN(fVq+T3halFdy7n8)^0|M
zx~VU`*p$b+fMy?G)Ah|8*ISbhN(}D!R`Qm&m$|@J3nLMEo{4;q0pR51kbIs)Vg2s@
z6f(FE=yYR_`g<j<!>Os!2n?m%Fx!>+9_0xhs#%Djl^beRe9digIC^R9hBYt!0fJ+(
zZY*%+-3=&3^Q2#!+Z@8+Mz)PqE$*|r0kn*q`Sdmoj3V08n6MinW;Ie%q3H%NZbdV_
zdAKb9I=`dd1`UyFP#%xsGu%7Gkct5>7XrI6!AJu^m%3LlN?D!SE@|DEd}V)ooBsN=
zT?T>QqOIpVdC&MEu+nHll!gfu+GsX+Y+7DC=)>ZADKbD|jm!iTjQ9%2UwXWs<ry9j
zxw`2tPz%?9i_Zx}eA6nSWtckgxxYx|2@O~Dhmwi8W)^rkS0lXWHonipRjMlP1X2-J
z+AzzBY~|Wv>im<(&JJTvcK$xA2BVo@WSNRgJ2|t7)41-pEBQK4x<~;0&sBI&={@(x
z>li*WvhhPA&N-wST-t5;knxsbGCjUFy7PD6E=;$}q{9NqfunSLZXc=<a1w{|#e{01
z<ZWTkB2XGedw_S+yQoBNr~}OrLd(>rbb~Z3VvDFmHbZC}R6(hpmFKe4zyc9j4WhFI
zNK>~akA_G}0hVSfJx8jdvn8i}Xj+`Vm%yJ1xFpio;@gOdy<Q%r%=7{P%h(XK#N#hW
zGGUuW+Tkr>BZQ$k7ajY{uQ3y?Q(s|eM#OdbJpPX3XCAr1U{`{1V>HX7MTYbFwx`S;
zqp2podCkBy&?xj4FOfMMWTef9&cY9Rk+6f!KtcsVNfr*G6Y^frGCBbdn*bt47Qd3u
z=-&NiZ+(`9mIWx^?gIkJJpEd?%y)z+%yQSIKoA4-K4)>;hW|UJ!So5VDcXqJniC-P
zbw#4~6<AP>urK%7zEJCb(@Xgf+vI5uj%S;-FwQFjnOyH)K^aqr3cv`%0oT@r<Rf7q
z2?3CYlQFCgp!wql!F{$O8iJNlP%cJadGMgirw^p_+TAeDBe}7<D5qKk@j!sQZFwIf
ztVpQ4Ol~LmzxdpG1l>?s)j%n02p{YU3OI%qFvTo@NEmqOy2?kSo`v>}bJZ7sZ>I#N
zj?TZ1^f6ao*K`0B_A6mG0G%=b@2#iC*e965Z>V4TAe6E2bC7&|9)zI@FaS6{4@&Sl
zVIP2wUjP8P>Y{TO>r0Ret#aTBJ%^iPHsg0CGX0I|iy-lUAv*O?>^5UYyS@<xi1<Z8
zO{-Rt532yOwNO5BtE`p-#Zp4jAZiS#4rFC5JjU-%c-JZ<UgA?}K5`&X+OiTGKx~9z
zr>VOT={rP}RS9>u41}~?UxeXtP&+0or-hT6FP6MRnnYw9Ngb7zLcNz~8hk`Ejh$m^
zM{DV!pmN!<>5e`(vge;k{I4Cx1l8147#O>rt2+K7)bagv%_TQuQ;^5)?>p6{)|u|w
z0qxr;qPywsV9DY88q_dau9biF*f3VmTK=S;+sN~Cb%(GHotU6bFLvV}qn8WkE=p+h
zzjFq8tu<}p@W!hP-Y3Ata`vz5GB-&fASw_KDH?wlM({@7^!8*295emQ4btuE%t!f0
zs-_*@!m5^+FyGOQdenaK5zu<eA9O(}6LrhxQ{;6fY)&r7__o+Si1rCkdIZ4MsHBij
z=ZVg*Slr;+8xdG~E}$p|Ca7&96vPOI5%1X~md=Y{no5=b25;#$r*y6U?*?J(rwgR{
zv{lnC=V7#w9Z9O^L1z%BQE3F2z#E?{7mpqRCEadx12C-z$PHi}3=?9VnB?DfPuvfX
zTEVJX#naK>Icb(7{|214;_w4?QaFUSTGW#$LEA(`uIkSbD2}~rHPPVLEx@Ije;t{@
zrLCD>)8!kT5N8S?G8?x&k=tu({yqHWI$dztCn@Xc;<vKhN~xh>Pj;`Fp>l6Pft5j%
zZ9Fg*1|4ADDouy;T`L;p26pYbN+*DXkYNMlCe^R$*p5~W%O3|Qkck-nmS0G`D#4G?
z;`;AGOEqCPvLIu*0?}C5@s03xYEpF{dz=G%N@n*kG=K=^sW8lOM`oNT>$5VpxK0KK
zVEgR_qtucu;tp+Z6u4o0^iEGsaxqM{2Aon#8J)G1T%7-M{siXLwMxO;r*=DwBSkFJ
z*6icI*BSYrATuzAZ9vevzXT)QDv&=Ss@mvfz%+#=CVl6jkF`#cXbXrV?h9*V3-7WU
zK%iqD9&)eS`-hG^OKgtk`j-O(|0!-jc0!724Rp8ARVi&%+%OJ$*E!--*)V9LgaZ#7
z!|t^Th8^QP4J!L}E%JHJy&;AYZ2TuS^m_{;ZbNoo#7_k5F<+imQ)~bz3No=j>@7I)
z|J3&7@lfyY+cnWbN((BLX|JiYBeEow>QusvU5U0CTV%<ErlL*@N=cE@Vwqut#@g5_
zl&x({c3Q|zm=@u=K5>5E&N-gv`+8ol=Q)3!ylQ;r{dvFd_jO<Qbzire!V{Y2#F8gl
zZhZD}bcGRQ<)nQYA7(zcdWlF;G(i?=ob#bOQR1wzlWW@>#?Bajb2te>s@A(vWrR*O
zbD+=RILhPq(QUKm85~yJe5d^9IWN!1#|S}fqIYQGhK`ekx73thu_#b#d`I@^?a&|c
zo2%F7k$!*vc^UX^chHKxv%A+%)gdnt|JJ*HiA$=|Fo#>~j+XJLGQe1(#q&NIqgEqI
zL<RnO1?LmtC-B~HMA!6&rQ_y*tyJ;)nL_Y!QCdm}od;!NF{lD<#N%v)v1W4JBj7TN
zAefJ>eOlw}sj>4PXgSrK-d3i}y)?|yN}G_Zq->ylUr6Zn2<i{0YO0C4)FuWF!|11E
zMV7O)?$pkU1O*-b<*u_+^7^Y<rO%@#=d14d5PE;AZX0vulHOe2Fim}8b9az!SuLQK
z3uT{ydJDvLvX!>t$=eyTD}Ba&p<K@{gQ4xwttY?FWEIP8o}YWmbph={Yo!V*UY{8w
zDMs97;*zpg0V@g!*9hEnK@h_30H^U&fceGRL?bP@zdzrc0ao4thHpMjG$ajZ)O`Wj
zl?}p`KIRcNR;4FbV!~&?^M|;ARxm$E9ySwW{#F2<&p0kBJ9Gf~)0H`!Mn_xn(+H^h
z*vQf!Km_5wus!qJd&xwnB%?UXh){0MEa)e_d+dOp?&l38yDjQiUD`L0r)hIRX>&-d
zPL)af)y0$dWa<UoJ-5t9`|9K?3#PuFyX2};Rgms{v&|1G+iYDblCO-NV;8je<AA%j
z_W;AoI`lw&Vdxs?TgN>WCi<&1+-&dRhY1VUtJkaFE=jiDN+?i!y}-TO0#GaMe>yh(
z+xrWn8fri(!|$aXWSakg)IsraE2JA4E9+LA6Cc)3Ek>)5R0hdP$_wMZ=ct|LSURqi
z{BSA#aCeUPvf?_kqc-m)J5CheWPaS*pet+<j|w}C2-sTbT*3p_mA(Syfnrl0{Zl`;
z!(e1Ru;T8Nkw4OsWQ|b(AP4kJc-eW=0qI-Y4&35S8>6-yCd;RtZ2@0x-fVpdyl6Sz
zi7mFQy@pHiOYhU8Onl-cXf6|cvI(N{Q_1ZbpF{~K7>=~hHn^)Z4oK>Tq&I|YjTu6C
zE6K06IVX8qMu%yQZr4(n6UluMH49fT!rVij2}zeTMtge3FC)Cebhop_zE8E(FL!?R
zdq9$=NC#@snEBBbol|yiumT@ilJufl-mOeTn({G6<fSI~a@!)e&x%~@Hd6hz<Td(!
zpB>6Qy$|Mh|LB_*qmx!&t3|wj#j9`iuEl8U`2?YG|LDywwdL=%L^lqF#e+#m|87`k
z8f&^vxdyEoJL?#xtQLrUTCVI+JUTKarw&2-9ZDz`D(t?GJzJRtOjZj9gPSklWN=@+
zLxPpMQiMKD?hhm9i?h^9LGf9m0X+f9ar#S|!cWswrw5$(gjk+zED8&T=~^=Kl`>x`
z`9GMItEF{!lV1z>d31Gp4u@*Q^rxJIZIZ-IFoe&jd6tgZ;$<{5hssr}_i8!3XuiZ8
zO)A?ATgR^U`wFM8=?Z7g%%81s;vLdY`IG#vVl_JmkwnOXOd;c$Ct<UK->q*3){$^{
zTY0-&7IiYAVy&U>O&VFvI(Iy37ngbP<m2rT<w8(szK&x$0k&b)vD>oQITfp{b5mBj
zf^^~X<9*rIOQ~!d(-I`ryWL;E<yur|^mQ9lpgeL-(V`s1_-3}FAc9Ct+Xghx%Pw!4
zJ%Hl>f&M9eYiuN0x_eKTy}z3}c9^fsN*Sv&D}VNSr>Fcq9NBXUC<vJ=o(lYRF6Jkn
z{Pitc#1oeI__2ei-=a&ikycz-93Um7-}A?pauT!aflNLjhv7|_z)jfMST^m)#t;mv
z&a=dK%?d|Vj9Y~{vs`LC+xB!GdXvq?+n}=8dF`R95z2=xXxevTmaxl{Adj~%G3RL?
zBuo2g-H*$5tp7ONNc)ju`X{`*Q(jEEH?5q(Mb%6RxZ~><%BWvN1S>|i!}{Um#+#Vw
zgl-J`5<zVzT5QslvLx1ptUYpNKV}(f9Ghs;+NWxjb7o4tyo%$Uic_^{7Fb2CiIB<H
z5WTZjf*j9i7ROPUS0|o;tjeu7hq8~Vwx60wkD}9NDNoI3FF3mWLv&=AlfsCKG#8G=
zu~(bz)6bxHD5uZ+T)(%@wFKBkSkW~5RBrDUpX(_FMT5z(w-{-xj>Q~~r*+ThMuh6+
zknoIi+_vmjd4*gi_LDeG2UqCrjD8SDF{DPPK@BT+kn(f9dNE_%%o+I}%*4@}haSsj
zSBE`3BA!s5pv8PjFL_5eXGXm8N@5%HF<h85C%*VWP!8InT<!dJ1T8xPLe-U-kF;Ni
zmY73`RIa@*Mo%p2fy6G&^%<I~j@GdE-1FrG3r^7EV_Y$K<mb@@^`6w~#bWp>TaHp@
z4@ZLqd?f7|lK|BdA3J=neU0kq!CSjidhmUm{u&_Y=Ng$G^|?p1xy875zHd9d=ZACo
zk;qg})6CvBH8scDlQN6-vSxinKJgB`ay#XZ>xyT&b?^Vu0$9+qyP_9#U|YBP8FUag
zQ3ddlJs3(St0ShYn9{pih9f%=ZI?qcY9AJ+&MZeuj`^o%XqOta_qWRTLfDhmt_;Bs
zx*8h&418J<eyY44&VZN3u?B$(+zms_YHE@lZkt`tWyJC8MG=CpkCJUYWYRj_EuD&=
z%AV_97yQoXNz*_1c!GSMY(i#hVN%4vF^8Y7&80>B#utN}G<i13YdmePg|p*H(?^H*
z$UUT}cw(BnEkc9{^4GMuBLqu`gMCQ3((yEB7j;B0JRDNnA7H2Ld?>P9Zl3ZGwjM8v
z<Q^}w#rLd#jP%_WalsW_Oj@g?#`lj?+%$Y53HK?<W1D{Aq7-OpSL_pMoAc(<p2fOS
zU#h-+Z`@nXo_AK+3#1^j4!zo%Y%9ABVW&gicoVlmpPNt2w12aCTI4-qcO`6a3AR<g
zqxuvqPp-VOSol=+*9u(uBg;Q~`+dfQ>QOX1CWNn3Qwj(cAll`j(Ji)YCcQ4*zDm{Y
z;;G%db+iTS9CH_*-pS*zK`;fDXaP~BVwHgc(aog!`8U=?G9MeIvOlaXR{1bqt{PSB
zvOcqGsqpqnM9EUD^!^K~PY&ALT=p7}p%=6WL84Y0Oti%iLSTSqr&yFbG;E<CIy%R>
z!yN_JSdbmW?K35Vo0JC^BFE){_{lAs5)VaXQz9n53iHn!F7cipr)9`$0ofRfn*$U|
zQdS7>`Htt;e*N92I|jeBh-5+y_d=mP3GS9cb}|IB(ft!jS9zF2uJoF}PU0w}5zIFl
zaZO&AFNeG4$t&BhrB((l-jlOy{imxJ|F8yZbzv4Xb%IH7zLvG*5>%jRLHX=E0!!X_
zvAL75*QPzMoH;ma>>pTE>ml)gCr6I5eR*f2D{7L4gMji}$Y8)mbjX!b+qml|3^h}0
zg^cV_a>4%T8k6yvpYQFkj{g0=|4WEBZlN@lT!C_*S%S@<6$*ZX*`U_rp*Tb;8}M|U
zrQ(<cfO-&TE&<Lm@4%_YK&Rj7(R9>OK~m?(jPA|{3CD)JWmF_}Wb$e7s%)L73>dDm
zcXZ@0E>`#8NX^kpFLS@c1nOaheR@&rb9SFapi6#TS~EA%V7I#9rm}-QNXlI_39j09
z;;roo^E*52TZ<<aWwV^cN46mVYrxYpe;#klD_XX7zv3k-A<bDOhhX$RZ(ZKc+*NZ(
zN2k`Vo3{1Du3>Qg{2Rn4!NBT})Qq(cA)Qz_UH<y77ZIRKoaLV>^*U({G2*Pl;_gyg
zmgavL4$kMuoTCJ&cNMOQ#Rd}PNUk`;)bJZ5G|BZtpAuZ7vQUTYM|wQ^!?}{^e}4*V
z{uF#jQQ#tfm-gx^R8>Q5Y|Ryk(5f|e+&7qWf4DiNF)UG5?5+&HOf1=d7=BxNtPui}
z5_pc%$lVI^YY*$CG<+Cxl-jRYo44<oKf~|)C2MW5_lvU_EB(HO&iHp2&|S@nB9%ca
zYYMW$7R^=La&tcoVuUN$ax$9S^_Sb$Gd7Y<M_QhKCGo|5xIN$~j!1$&6?^5XV}X3Q
z!PJHMe;5p<=Te70rC!-@+@y2&M#N>SymzJ(pThbkF;h8lW~T+|&~M)k_ai<G4z>&&
zpG1NQ3y~KNz9Oxm#T85Yv`m~8MZBV&`C`Luc`FHGQ^I7lczwgn5Ot<&aO8)TgHOJH
z#n8(1-Ll>y_I?po#!D1BeVCO|B31@nlkd>SN5u5!^|?KRD-$sEomlqkcWflnu`+w6
ztR6XBIvY&dBc1@FGchvE;{_<j{ixxL@47nE_t&}CvK0pw_;$1?p3f-s)jEN1lq<ZQ
zILsM%J|Ab8!?#9iT~DzAH-7sMd-J8g_6zB+{qi{|ajMu|S?rf}bEf=G8~hbx&Md))
zq$AmrdkQwR8h6&D`X%ef4+5-r5`){$nkfvH!mH_+aWPKw_ZRb*=<CWh;yMIQr$GT_
zv;Yd@U>m0oroZ<1WL<>N^9sUHt>n-LWNDsOLdIzS5EH+sp5VX!`R_L@c`}yR<d&{g
z3y`B740A7sUblu>?>I5{H_GGeolcqG9o&K&?Uf6($P00ttaI|`5BtUmuuFIrm%;(t
zEaOC~#qm$qtU^~a6`YVQtzEGaX_V`WC6S@W3V{vmkm&|#dV2wSU%drTyJ+S;`p0`)
z{lhv47f55GVR}Oi!b1!4GS?d6(eO>qM~a~pi%hj_PkB3G`w=O`cpf1Xn=pIBVWfu1
zI}}r&9;+e<RdON`Sn*PCxC{i#vE0XECC{oh{IejB^|)d{ZqgFrrgN&Z8tCt9{c};6
z?yhG8-U6h!iC|YEjyOU}R`L1Oy-|55aP7GYE!@h0es;N=6NeQd4jQU&Uwga<dTU&(
zT!gpQx*=OdQcf?0fsfork4;~#VN=(3^oQ5yC=^PU!(A7M-WE+)J6(zng&y^7h3~qc
zz4<4+gIsF{Al_*~HIfHA?^}*P0pRIyt9b-r(~{`h3g#O~V{O8QHhxzddCk0l9=wml
z>d-aAq}tCZ(k|qsDIpFSWoWYe$etURI{CFEL5l8!@sDojdKXj}Ownaj^%ePq3#3T5
zdV4_%x13+fb)+W1WQxe`OmOO2ff$pabx28idDEbdj@oObwO3z{QEw9`t}-5rmxjD$
zsiUR%qnif)983O>ZH!J*8A>@O87IE$d-g945a`Jq+x{Wcxp<sdCxqeg*DXDs(@SHH
z5VqsjaBIgpWStz@7LHzzheXSBGviY8mJzH!rVidIhu$x@p^GJ$pA_y33Ut=~claY8
z5#K-ge{eUXwd2oRdcL?xoVZ6HK|&F+?M_k#TT$>08k^lw_5z{dPF0Aqm}s2aDM+v+
zb0{{{%+daY&naAJ-q#!4;V3<gA8!MpVe2WuBVSYb=EtU|bH3Lm6{20liJJ8b2(2RW
zqI0~V_fh)w(s$`|kqEBtP0sfJdd7SjDX*yIW7V2O!GbN!RjbC?@Z_Sk(@EkI??8{;
zvj}uhP}oLRbMM&4L@~<3Y(MY2)U2BvbjP`Z%{N7j{tfyMjD3>8UJ;<p7*_6y8v?3u
zAY_*4KSf$k1Z=f%eN*Ohjh`J)+L(m1zC-&8$*m(;Ph|!da#7owlh+m`YvuO)-xlt3
z(qyD~+#YAsa-c2of=%i_j&zv`c_Az2<RgcuQ%@j3N}=c5%)Bg?KsWmd$wCTU->0nc
z(jy8UDQ<gNMS+kLK-DsXY$Y(lXmjkTH;$&VXAS0X^!k5xmAEnMs+~*JO96k}s?n<(
z>2~A<;e2<_bTCrQ?76g`BsN(Wua{IcK4=(L)W(?=3~fJJo31S}$VKotL|714yjff3
zE0-VPQYEnrMSEM&3J)06n5I{b+6CRDGLRD?A}$}iXDhOz35NL*ZWD9H*?`))-L#e<
zd)C>$d+E8CSqA;0@RYw$BLxXt5^k*2tRMoP+4v5<*)?smoaaifz!lSZrQz{EmI;5<
z`ZDh6vH+PXOg%VAWEtq9e?=`^SkXZ;;nl|?_db6edCy+8)<<t*fTtC+2&c2kYEI)N
zJSBc-xn_UoL}9<NT>xLAY|L!;EJc3z>%a)%D)69gG6_G{Abd{oYkYO@ESkSd2nhex
zrRvSqEoi1Umu`_N>H+gs0r*hqjW*Sp->Sh-eiY>%Ag-TyB4sB~*^i7>3ZzZ~mF@N{
z9uAdV*ZO0W$*X8>1G@`g_~=F!E>!&^TV5v^Gov%my~(`^u5X3L^KBbj(OeF<(EVI-
zM-NsDva1$o9o*~!;L=`vP82|0DPOKcn9#-JiPE%`DubTU%|g+^Hif&{8Kgw{qeJ$H
zkambW+j>H4_v5Nz3<YZwXJyP#Hkk)F!1$kO%70t#lO~0u%24*H;(bu}=#D~CUkN7h
z>e^y#OboV2M%ME#jM=vSYt2g#JijO)6#t9Duyc-$GC`M$JM*=NOoD_H^^&|QO3a_w
z#?)6gQE~x4TQTnJ;`zmpM80FiQ0zhKAHgH4MXP=z?w@dOPJ^S_+C@cyzLJ|qu!6@9
zUDQsA!D1}2Nww>O$;zjGt@z)bcLZr0S-MM$c2Hi)_92dWIt}ITubHiH4R-G&ZBNuC
zm4N|xrI_Bbx`FUN&8q2XN4dI)ClUw+rQgs;zjIvxmC7bnfY%EVF$A4#{Y&!$sEqe-
zx1`7r=B+&JClg#mE$9r{V3mfu!Wd%8Dk1tpZ%r)`SDZW&qfUnK0MG4O;+%j~To`MF
z*USEmhewL_?<O0NOm=EAMYidfC}6Iu>|9?MXj*nKFQgV6hyj(^7_ruHNjdy#zs901
zC|$N>2DGF}V81JnV6|LQu6C@mN1@yft$1y{mIeELxNLiYo(o5=oYG;q`3q2gLxx;|
z7Oks_+0I{L>CZkaGj{2*SX4~SN(dn)8kTvIiYZytXBxdNiAgYWebb+cDr2Evau@@J
zK^4ith5v9OWW73R6#>i*b}jr}$?zA5)ZIjW16-5nJ<zXslJV|g_)auM5=xd>hg|4R
zV_^q*#PY+y&ys<6*frBswkS$ieuZ}UTRC`-Htk(LcO*8fGdyzQ*PWiMtw(*6bof<{
zV(P~$Szpze>bvsJ_<;?nAQat5jdyirL}|MMKpe3QG@Z;qO4asg>+IuCTdn0c98<?$
zbqsg@JUg-M$GGfg7+DiEgclQAe4XZsC1@e?$&#HV{&i`9<5(0B&5GG|N7^1jVpo_4
z5@}%zm<?YIom#jP!=sFr?9YI$YwO($ieFqDQ=#E7n$GDv16%d?rbdwh*&B<*08*u6
zhoadxjXvChuF(Gor8Y7zGd^$Hfa*dLd~LQecii(hF*j~GTk=EpDw&R6#>$9ke+<Ip
zzwqlIrVWTD-I$$E@1bW`WOy>=ig&_Wv(@D<N`^L+Bh>Z^;7BPCS3pKQ(Wjp7aKz!5
zctTULbjjs>#)U}928}&g?Qt9177YX2PkM_b%ny(`TOBH>zDqCSxTYbAO^M@Z^*LWK
zS%QBM&^H9!vrFz@)h^LF9<ks{`Q&HkT!O#%t;<&*2J1<8_-h4;C(PX=nGO4=GPDrc
z5(GAE*Gy5d`FZcz_CWxxPjC=hgg?s;-7Z6pZ%4F~w&2L}5VotK$(4@Mw*y$Z<x*-w
zAl+nz@7M`;DDSmp^mRO$DEb(<do;z^A*F7#f&28df$spVcEvOMZnW03O%fxHOgz?V
z!VOn1=1H+MY##I#A#2<R@qO}yS*pPzDQ~b>q>?GI&d_)yL6`M)ot@R4zE41H(kfee
z?_6JI@){6jKl-s;g)}f;>ENp>A6I)d)ou8mV-Zq(9Ny4n;9MIio((VvfFL{pO6FAc
zvfl2-4;c~74mb+EZXFt*>r8zU5BmM-ueD|G=}wd7hlaB?=}6QH8l5ovExLzdQFaJ|
z9E^$9w@L**t6+$Kn@7Ct)d}?w%9Rl=o#&=rVOu=ZeuWEPi010neojE=%kWKY!Kihl
z-!WjOA^r`x)Wv2*d?32bfmtw#{#Sh^vNO)RuVApW^N?zdhUd0S!ke(lqd8V_G1WLa
zb!tpgO_SFolylPCGn&(^4}U(Y>P6IgY7nXuQ7}%)Y(84;!BgUCh>E}CzB0vCmg8l5
zCSB>4L35|?%x;H1BfIN7xipbh4cL7(LWC{)e9u2E^DJY!=<fQJilphsrE(91hYr(Q
zrIq!Sbab4}g9zobJ-PL0o{UA$2G=K^tv~hk>Y+?qhuAvz85-bQIhBSZ(%n1vbMzma
zp9NtJAwfra<Lcc8;~5M92}UtG^+g#0&%s$uO-IUJ^#Ri`7^t?!Lpq<T*MkP_W8qD>
zH)f@>_sIltA+jWj5gGO3+3b^^aAK(x>eD5OG6_a3_+*=2s25T8^PSlw+Q5oCHNBQ9
z9>9R<bOA6|2!%z>=8%mxI?kWR=N(aO4^^efJpQ65H__*fgpVdz&ZX#8=adqmm?Pbf
zZQP3V(#mX0!a=_x4}uvo$<!_$&Ky6$LhQY4zQ;+r)wirs6W`%3s0zuauZvPXK~4Q2
zjEA3XFW{HC&+cVstKEe!LvqWGFFvN{euowsKjVg#8<c;&kYX)It7g3E!Y-hx(Zsn%
zsS8p%W7P0sAh_b57s#U$7Z24~dI!v?MJyE2l9%ef)!Q6NGNqn???R{8r=fV<MA-=3
zZl~&R+C>@L<12TUt?CBNOItysPgu2wpzSLv<eGJ%bg7u_Ce$8EcX!SnJG(ow*)x88
zXV-{J*b8Q>T)A9bzV^CXF@BSH+OfwSIg-GL%5pYen}sE}^hdU!)Yj;=sPQXve$eHZ
z8`g=IMA@q}E?~GcY^;qOD`iZ=?2njIWJTZc4Iaj+E21ZFc8F@aWUeXIx-F7_lxlHL
z+1`3RiUtkUkNvtYH5zm0EUkZ?k;DFYbHj0`!d*t_)2)cNKFi5HFK~yOnmJVf<S^+?
zhYGFPdbZe=ZG-!cmOk(c0>S(%IgU<$!Z3-MIQlp<%p>-6Px`iNyzEU17xiU0reX|l
zw@cuA%P{ieQx4HUU5cp-Z5gvsp6g@q7O+bDUT&Ir%W+ri-rhn=l%V~%&piqCP2QQ&
zbHCxnTkR8Z`J&?}lNB~S^~eK-JDD9Ba4hAXe<yFb<3Q{@{Q}+6qIi>~L>-u6lvnmU
z-|!a)kr1erBbG3`30@%PYR`=JdJ6a>V_b9TbE3}Qd8vGPO6!)NC@#5zJQ6F{sdg$@
zzRKb*sVpwz2c>?a!yj_fPd{IcQ6C{)68VukLu60O^tVqXVq$C(_1QJRpx~kc9b9?@
z^My)ci|1G!LHv(f!R45rtCW>p7g0W<x#13}49RB1x0eJl#7%3W$faeV%-A-K`Ys4*
z2F~XJ<c}8@2T%oV0KJtZRj4D}b}SyFaN?!s*n)~c8Y|LE1h);*nGdVg0;JR<<??-J
zj2V+qXG%k{|I4D){`va9j!v4&u3@jySh2~90aB%X81qsUlEdDzN50~MVp{&A%ux0$
z>c(jG`pHM4q&^bqfzi5XW$vcD+ur?02<pJ?Io&^4KkK>-D<)@i++7OKhus%fu6vL+
z_QrIUt?6eFlF#)j>IiMt)POTI`{#>7lV0Z)U7V&|b$!$rvUJeky2S9!cw1vc7iX>7
zuak8EIi_NzVQ~5VZBv8^Dr*CPVz`ZN=T5zPIWgjMCtW7S^%?sds0}uwt`~SSC3P)M
zMT02t(tYhxvpBX51`d=>X(NWL9f9K4WuJqIra0E3Y4*y=X2b#6zgLPgEL5{$ota>B
zx-Me(?KV*%a9>Gff6NSzE)#*8#9?aZz3n&MF9C#C+h_K<ejS}CN>8u9$*@H+IKpw4
zjJD;oICkLM(R-M0hzi$oqifo1E)^qjVmUBGBZ$yN7TdS8Vn__0k2#9@%+TtKM!M5x
zj%D}6nQnrMwgBR^4-^h2vo)ITZK|0;-?`qU$q<BPQiZi1a}wL`UiI3qzSU9faNmKe
zPCnJ7(OhB-1h;K|0}Yx3N7#yAazQav3T5;;eb(DIHMgM)@krdJ*uBiL1q)LS#FGrD
z_t-LzL@GdT5o+zk-5hcCg7%(P*0i6aQ%c#iP{M12V?(Vdz$KcRcer>_n0wB84mGm$
zc!gbZs>JFQ0i``JzGx17_h&pnN25jZ1gah5^Y^IrZ%3PK6v4%#ZoKA?&-1>{eEEa0
zNdYyv_i<QIs2uD5B&2_+*!J{p)(q@fV|wj=b;)th5r=W@MZ73NX1wB=7H!s|ZY#M<
zI6R{@Uf#d`=H~7iVaY3OvecRb;k|F04&Cz7M74~#e0+E_BxuOATf7vT8sc&+isH14
z6h6Mv8)1$Cbzhl;%BAh}_8T(!5lKo8vD2diq=fq6O7r50I_*M{;Gya;0GFjB+p&`@
ze=$n=ZYG?M<;FKj)u1q(?!Z`~;^RS&0};4>>E4XT95z+3``|?06KX(IEwwI8l+}ua
zSaO=o+jVy3ZwZTZv&Zi7lCm;wMX<nMzJqm_V!yU~bQ=gQb6t5=?NKHUnj87igny14
zjgnI8b)x+G?oAsx8Ij6QL4CD~K2t|TuYy*VAz)wQ1ihB;P~9>B55(J5Vcw<}{HS*p
zJKty`fW2#PJSE_5Dlc;%)IYXBAKc{+Ga^=DzCb!ea29$Uz!PD|)XVR^WZa5Azk+97
zsxC-@ikrmDr?=f$b102j5w&ODp$FuzK5~|hyCi~mmg3<AY0rGj<`*OFIhm;43-y(l
zse6+uuOGQe`o6szV}Cy8Pmsx>v<UUSacVz+7)(IDKdm8D+az`ql}`8*XX!PUo=8jn
z@)`Yzk{_o7A*T*vvxA<FI+_hViBwI8Zq}5((23l`JEOH}KP(+NHJg9j;Mk8Z_or#@
z7FZfDzd)7Y)QHbur%_Yb6PpOvAJ3hdXM3{c`$FH0*@eMV&0d)<pI>HsW-U?)5OmV3
z;_?{$A1kkjDoaar#2+=Seu>;r*&$|BnPX|t>-A5Ln9SrJsMq*#LtXY4vU>lxa5y1k
zzzI^uc$-ZQZ*a`pNT&Sgm@ETt!=p1cbdPqy+@nebAG*gp+DLBs?8xrDo<+U)wDi3-
zL8rVv;p@Kqf=uO-N8O~Ye3MwZiNj|mq5HX}>oKZA(ne5v6y$4k(*6k(Y-COlG(g*>
zE@1vKlubSLB9OWk54aQqmnx4<7FG==hi)C9hr}e6&_}h3Cm<hka|q^~ddrAzY3++-
z=sj%p86hzb7ZBZT2|KN|nx8JIz?&_e$yT9`jSW|>ahX7!SfG9^Du*^Qo^8$VFklGR
zxwB$~GxWowG9tszD^e|%>=WFSk>${reG3NhS%KLot(Bh?X6CcM@X*VlNQT_pm%)z-
z&<a~^hKA_$E$X+AP4M|KgT0m}lgPe+`46lqid(y&JAK)0-YuGO^=xV6zMELk8%t48
zSul@Lo#~y~Y$^RyZFA<B?nIiV+`7lx-_@$y^z?uoF@r|AvZSpxyhC4s`~nj{dlO8h
znn!J^KI_&!=TYgIbt6W|`ES$NXcz*zFW8IQbb8s3vS|L^o<yTe`ED!OKHIlr%y5qS
z6p3k4l_ll1;S)1Ik6LHh+-r<GFJ}1z=cZAHKW0UYNCR)oTF~qk?e*1tdD9bKVdWw9
z#H~vME(`ZPYWUds4~pd1AD=G?SWYUtYJW>xi&{+4GhlA)GmD+nv#5J#lcNJ6duV6R
zHjqcx6x(}hWuufW&$~Mpu(p+e$jqiCXL?9wFzOW-HScJgnazr+uB7pz>WwaJcUW9$
zSYhFl!#<@i&Nd}+s_rWjZ52Y1P|}9F;6W$&cGX2ZrBaO)32QVV)YXsm47A8&?A<G#
z2{O}(#iQs`r^lS%gUuD!xPiU~?Tqh@T9;A<4`kn3hV0|H(-wmovFzcP&gRT5kZ1c*
z7rX&rw|Ev*exNC%smPm}2s5f8uHfOR{ju{@0;totdgiTR{G_~_Mh>-0^{6S~(q`e9
zQXc*?34nup(>V6e(`R#xsL_ocE}GruskNshb3ExsXF|@hgm}rAtsr^Qt6}jn!5GWO
zu32>}K@AB#1Gf6_X&BYlGGP`fIL->&UzOz4wvKpv-gtQ>zqHjO)GLqf_ekU-T*W@G
z-Vo~C0%%o|pkDjL#7yO2^sFg<2iA6Vy(^SCSHCVeb*Z)MaB;e2VSwGJvTpmUIqRtD
zpLciE@Z*jTP#=Eovyiz;cL^yUD`g{-ME5qLP83hxDe^OT7q$JtRgv#bypOyimPNPA
z^&Z5MHuEkRQUlrh`E@)6qQ-xbqVqPSz4~RyPqrV%$kUhd{|wWYo_@m1Cxl(DPmQ7+
zak2M_VEakTlJH&u96rT#3N!EXiR#%2mgxm=xdtOsb9Tp>8ujK=LaFNlbLiAWy4aWm
zc9WpfGFV<UdFEqE?bYHC{rnh59htOjDg(YsuFKW=N-rAK7kx(urH%OzIo7E*wQ63E
zmAq&E;?VGkv&6^b)@|^$zG47o#;MwkJ51H~+*z&HqZ4khX3fZ_Or^T8wR4cVitmc<
zvw#?(C8r$F;=tm7o^lGkM3Z-Z{46#N!i-DIQA|`ixPAAP--a1)1Yq=NJuZmQ@2z2%
zZ)es~UK)})=l4)Gmh3ZB+v~76pC;3acB~eXUTYV-&yrfiR(?ud#a4cWAs6nif1vR7
z*;MOnakR9t^KqGkYRfn_rS!P=S#1m6)zUCxn5qkdcHw|{p(&?cICg@~r||Q2wd#jl
zF1Fofd+`)`iZrub)c3v<sFe}4KDLAzwVr(`k$rWY{+j%Y4P@uJ0Wm{Nj=Os1TXicm
z)L7lJT;9SL6<DdCJbi_R#d%%rp*Zs|&TWtqAP|1O(@0X;v@2&vCzMB0v+w5U`JAlo
zpseNJQJM$(weL|o8$uxEWKjq6bNE?Xbg6Kc+gzTzx$-FeK#P=vgOPXwqO@D<V!rxF
zzV+ii3x3eE>lUszINemH6_4}Q9o=07A;H>b(EEnXe^5PM7{;T^&oo~(V|(m&V_u-4
zOSC9i@G>kxH5p6Xpl4hOh?X@KA%X`nc6w4swKZSq8Qm&|Vo^2G0b8be{cL8-Dx#f9
zO{aJDi|qoQL?G|F{b99FL~<nF%sxZ(2#s>)^nH;rGOx?AZM`tf<Mx4Y`T>Zs{%>k>
zT4ebrY6{phca}j;OE^Dq>4waBHr;>~Mo|`&Dg(MtX9ox};v_~05{#C!P#3gk&lU7X
zNo<xeWU~dFm4Yzdk90pHc`GUL1p0v(x*kuO7R<>b2KhN&q#QMSbhz#mbrz(No(7x)
zt+O~1`+O49>>b*(AS)N6Y=Xf4lizN;!?Pg&aqcaq)EZ**8u>i3B=@4uH-=&@xci+L
zP1{VXjqyCr(~MJov?ylg+Q&`S?aXXe3mEdsb<G)sI+U7D&#Zy5SUD~(bC*^EY6U2M
zAkw4O%`xiUJf$*v&9mA%pB7X9(r?HZj8RmzNN1GEF4iOamaL5cp{qwIRJ_dBlxz@7
z2t@6y<(P7+?7zbgIUc?P*6!X@bE5fiIedcAx&ev#A@Id613kVJnv5g6itAfGhN1Ze
zSZGd>;LL1{HQ8mrYsR=UlD|O*+tYyhiXASS#@<hT8MP<DW?MSSeHJ6Y8W|?9Xu(78
zBfy>2Jzw^EfrJU`uIX4%W!V-&JeoDq!119wgaT+h3^ucsAHT3@-N;eOfiiY`&rLAj
z2SF6@FegmRkMQ+i1jdM-VkV~RUL!|O)QeL`2;|YxaLm7p?b72CCza5z7*d;*BVoe}
z1IkEWV%W-N7!@3lve*j%UDdN>zELn&qP+IJkwqZML0$3K;)m1#`4cM)tvC$yL)nkN
zec%tD5u_zU9P)9|oPb+m?otOM)1UK(ksSO92fh&TuUnZlOU4>LAezZ77?s9S)E7kV
zLv<uT5qIa&4!xDpO;n%L<z3VP>L<48R5-;~Q_s_*TDfdXp3;hZLzhVHKYUW4oj8`)
z$dCxz0dM-K^HLhObIfAr9IGjR#C3xw0C!db5*vk(*8$;_qxf@k@vNnrd}_gvyMA5p
zAiV4Ow%%NddoeLEG<laWjv3xTOES#OZMspsVeI|ogQ}4F<L9(oC!?ftt8Jlhm}203
zxGdW4uelvXi<Is{vgkUp8Gg#K`?61Q&p*P>Xse-Dh0w$q^A`zIr<Svw(0IDnMUa7L
zc*#b>kDxhMFB|+##T`=bS!3tl!M+oFykyz9Vd7W>8tTisb3Lv<P<lep_ydMMk;1!1
zcIT-J<T<M_$}BlA#<#p5-0fPL!J3H#FU=hy+N<QVM~?l5s^%Skd)Xbs(5ojDwaCp~
z^3#gH2===pkx;w{*dIfUv#bJwkSpHwL}Lr{Bdn;Ow4Q~U;`>8|JQlE$*0P~;S$v97
zAxrBnv<-h;Rm&a}4gQU3VYRHltM6++Y8%&)a^usv)~kgC3!y`RMM9S((&%&-o4gHC
zd~TIg>2E82GE>~W;BC!Ue*qzbF`0u;k$DmNO9f0e7-HRTcucu5leG*|m*8i$p%ebS
zbZ{dg+IPR3s}hT1G4#-7pT6g~kjbc}ZkYJDhaLKWgzXT3bMC)cUjmVO)g<DC1<3T(
ztR@Z_8YhxJL0nr`ntO`)x0$1tp4qs;ZPK|oyufcioQHue<Qs4+nDWtH7`5k#Ys)(;
z1XI7V^Jw`#fZA#@xJom)m9N?002@_1qQC;3%9-&O*PO80AdSk|rJ*-jvB4@uS}ZEy
z6Vb5#FZ3GVgFRw$?pA5Es%y*Pbhq{-$mpNhZZ6r-b+PC3t0xd&*q~vgxZ|<Ex+oY!
z=dNlgJvl}Eg4JePbqjxq2n_G&MK7eK9DAdykUK0s9;-7SH^(F+n=zashvLxnZ%({K
z0d6@ii_1G_Ivt}o%n7)3{@R#%Cr|o|p^aeOT|v{KxGj$~z2B%syM<l#yYMM>Q^}N~
zN)z6}lKDZ5-Oty@Hg9Y1@9g`CL9{#ldJCz;C`dY|k^?S<_e1DQ<hiBrX<{NHZbeOm
zht`~TL<hspkbZ}rXK1U4L7}xY)7v`)?)8^o0*MiX@BIc)OZ#IE9ZH{AR9i(ronvTU
zA!II-Qm)(wC&foZ8Z=?1O6}}5Fd!rncq$xeJu?yIT!}gcA;LtLSrSY^)4N~qXobc&
z39Lm4H5Jh3-NId=pDBkJkdY9>ud9w9Y7!g>mq~zwzmqfWnNp$>ti08uizwWIpOkM1
z)b#Gpav}0pT8yz3F&`6@5!u)6bo6jr@wcCy%S6Z--@Xyj%ogM#Zfo%EUV}S4IPgQ5
zS*gJ#v@-BmEh8lO@0z5<qfzfZ#)>^vhPx=6LW?;JlO>`HUQn#syv!}?ln`ax8`?D}
z)W2=xf3;*n;bA__1Nz?-J!hD_&;}*Aei-K<ARLC!;2*xE`|VGROpAvle@YiMN-sNh
zYnP%~QXyeD#e`7S;4J{2%y{J^ub-;hV|a*Sp+MK6deQ9@uaUJg2)Tn~=sHnb6$8b-
z2{G$^lTZEqOS7Iz>skAKzBzY6uFJ!JR3cg9;Wc$Ixb5Q@4_3^nJhYRfjhdRkW>c>v
zuoolq!iK1lU2bXvd4gM>0PKczz8`v*W_x^|Lo^1U*{;wtlMreW(rd?L-OF>i5=6Em
z${wR2CQAh93UrXbpvAL|5x)EaU(aX`JI7Fpnoc2?s#3#oXsZJi3ngv5ds~&|T8cxI
zODvhK>*ORDXV%1>I@oH>xnnwq=gZwHd_b>4g*UHb*GidxpVPmc-9Hi3<e&5+ccT}X
zVMa<;AzSAb(r-yk=-V4fdOTTLffWG^F_QhBg?pV(DW-0r(0-E{TK>~R5a)3*c~Ldd
zY4;-$HXF^LTnHUk2OmC?b{BBn**j!>kFanNP+86#RoXSaX$a-ern7SSG)$59$q#2t
zbgO1?Q*(Jn{e<ER#YGpHObKTh^3pp8hq=Rlk2wKV2x->tTlx4+o{#{{3QmRanrrF;
z@Q?(^BbQHCc!&C!n&TgiWX=k<R42OOEsUf2hh>@wZzitAL*McV6KAZ==gF6Lkcu9W
zOdN{eDw_1B6I~^XJVBfA9YP_<<4#V-o!Yjeu9$EzZGIPj&n!KsOxs6d{V0=_za5VM
zp#J~-U%nq=;;P3SU`iBsDyAO_ofKSF(N10NEo0+5C7*JF4@S&<EHThA)zOsz4hh|u
z8l!lUx)MRu*r?SbTU;*1HAl6S6DAcKU<Xc)A-BQ1{{+!;wmZ#<`U$>P?f2uDAOudJ
zY;TR`W4G4xf+XX4mB$5>O&IpDihy#hfZ$jtHh3BJ)2hV*IRAZ5{pX>z$VY!I?TW`*
zt_ZPQJ{GErz(@82Z;8Ug!?WmCNT~k6<%>*v!ScnR%p^jUF>O6Mvzu~^cnYPKi8Ju>
zlQ23bC2K8DON996YIkYx@lP_%D1z3$Kmef=!2;P$1^6bHE9c~XwFf!X7apNo#FRdf
za0MA@ce$_vhCc=i+Q6kZZt(j4Nv;5y>-ct(!EY{zf7{PPJ0w8m*SgCQlD3y<R!Jed
zg6ri<bQ2ip+5_~cjN@q23iO$KdEW(kjQtKZLadw_%HQTIRneP6IAU4suxV{)<3|!4
zjG*Fo=E`%g@L-Nm3hGoi_Z{b=CrZHP6}4~_C?jP2M19Uf>A|F#`IHS77<?L%2|oeu
zdm}5ylrE2JnX3M!4|>-8xBbHX_1q|=acGYvRM$-{c5SO9{J|Rf`Ntadi5jY;rpzgi
zP0W14;{(m6Gr!#=m7-u~hK2xJWHO6lj)CeUdOmK7E(#8p#@rCZ?X7{}-I>jg7sU{s
zAe@_m@5DSmQeApmS^;quvQ9{NorQ(Mp|Ilz&l6G>*BT?A7^5Qgb~9=&C1%zJcgJ^K
z>@UeM9%$P@C_)QXWNz?vJNfs}`R_fYyNpPGt0%4qpcd@oy{D#lJd-i9G2LMaT7yP_
zyb1%_rUvRWw&=8g7)NSO<^(9g&A5$$qs${DVW@P*qUnKlU-xqGVuU%rSKkSlP%pOI
zekaR?!+1yhzQSaE)`x>Z^InfRQ0q=A8-M44D4<qL$@k5{3(-^c71Ue{ak<ViddBf|
zM0P8(J!)r8NJNI)P=Ea_dYp8AZb#}ya)@d@y6IxjxY{;?w}+Uq)Oyum*Pr1U|8;A+
zlR71B64|3wB#Y#h8Sg_dO#p1RsWa(2%0~WFmVbGk#Wb_XU9$?%uc9eiOc_q1^y^zr
z)+5XNjvp6Qcm+~lCE{bP6TJ@pmo>rBpG*U|v~rM=9IguWTO0ti#D({xZ$g6Czf;k_
zhY($3yy-Lib;|}N-2dJR|MRgw3AF!JE&s>=_G=BjL9!Kc-6^8dheK-l-(T$Ce|ZNn
zJFupm-29t%|L=ce=(n?CCaKsTTt8P$hGlDGIdd5O-#=dd86=JJN-|@92ZdTXr0L(D
z9@gn{Uit6MQacJ3g$kAPgNBm`{I!XGZLxlU%AN*KYr+3{!(o)$|ErG-;Eo6>kKFNe
z<X=Iu5y9rhuEKHu`;{GBH?j%dL|{*`bJc%))`0&nA2~4b>c;`K)qJh-Bk<q0&AW8C
I+WSuZFO_n#Q~&?~

diff --git a/backend/src/main/resources/org/cryptomator/hub/flyway/V15__UVF_Support.sql b/backend/src/main/resources/org/cryptomator/hub/flyway/V15__UVF_Support.sql
index b03d6c50c..781b0dad1 100644
--- a/backend/src/main/resources/org/cryptomator/hub/flyway/V15__UVF_Support.sql
+++ b/backend/src/main/resources/org/cryptomator/hub/flyway/V15__UVF_Support.sql
@@ -1,2 +1,2 @@
 ALTER TABLE vault ADD uvf_metadata_file VARCHAR UNIQUE; -- vault.uvf file, encrypted as JWE
-ALTER TABLE vault ADD uvf_recovery_pubkey VARCHAR UNIQUE;
\ No newline at end of file
+ALTER TABLE vault ADD uvf_jwks VARCHAR UNIQUE; -- encoded as JWKs
\ No newline at end of file
diff --git a/frontend/src/common/backend.ts b/frontend/src/common/backend.ts
index 29e0b938a..740a9da5e 100644
--- a/frontend/src/common/backend.ts
+++ b/frontend/src/common/backend.ts
@@ -47,7 +47,7 @@ export type VaultDto = {
   authPublicKey?: string;
   authPrivateKey?: string;
   uvfMetadataFile?: string;
-  uvfRecoveryPublicKey?: string;
+  uvfKeySet?: string;
 };
 
 export type DeviceDto = {
diff --git a/frontend/src/common/crypto.ts b/frontend/src/common/crypto.ts
index 59aba50d8..9fc7a622a 100644
--- a/frontend/src/common/crypto.ts
+++ b/frontend/src/common/crypto.ts
@@ -3,6 +3,13 @@ import { VaultDto } from './backend';
 import { JWE, Recipient } from './jwe';
 import { DB } from './util';
 
+/**
+ * Represents a JSON Web Key (JWK) as defined in RFC 7517.
+ * @see https://datatracker.ietf.org/doc/html/rfc7517#section-5
+ */
+export type JsonWebKeySet = {
+  keys: JsonWebKey & { kid?: string }[] // RFC defines kid, but webcrypto spec does not
+}
 
 export class UnwrapKeyError extends Error {
   readonly actualError: any;
@@ -290,16 +297,30 @@ export async function getFingerprint(key: string | undefined) {
 
 /**
  * Computes the JWK Thumbprint (RFC 7638) using SHA-256.
- * @param key An EC key
+ * @param key A key to compute the thumbprint for
+ * @throws Error if the key is not supported
  */
-export async function getJwkThumbprint(key: CryptoKey): Promise<string> {
+export async function getJwkThumbprint(key: JsonWebKey | CryptoKey): Promise<string> {
+  let jwk: JsonWebKey;
+  if (key instanceof CryptoKey) {
+    jwk = await crypto.subtle.exportKey('jwk', key);
+  } else {
+    jwk = key;
+  }
   // see https://datatracker.ietf.org/doc/html/rfc7638#section-3.2
-  if (key.algorithm.name !== 'ECDH') {
-    throw new Error('Method only implemented for EC keys.');
+  let orderedJson: string;
+  switch (jwk.kty) {
+    case 'EC':
+      orderedJson = `{"crv":"${jwk.crv}","kty":"${jwk.kty}","x":"${jwk.x}","y":"${jwk.y}"}`;
+      break;
+    case 'RSA':
+      orderedJson = `{"e":"${jwk.e}","kty":"${jwk.kty}","n":"${jwk.n}"}`;
+      break;
+    case 'oct':
+      orderedJson = `{"k":"${jwk.k}","kty":"${jwk.kty}"}`;
+      break;
+    default: throw new Error('Unsupported key type');
   }
-  const jwk = await crypto.subtle.exportKey('jwk', key);
-  const algo = key.algorithm as EcKeyAlgorithm;
-  const orderedJson = `{"crv":"${algo.namedCurve}","kty":"${jwk.kty}","x":${jwk.x},"y":${jwk.y}}`;
   const bytes = new TextEncoder().encode(orderedJson);
   const hashBuffer = await crypto.subtle.digest('SHA-256', bytes);
   return base64url.stringify(new Uint8Array(hashBuffer), { pad: false });
diff --git a/frontend/src/common/universalVaultFormat.ts b/frontend/src/common/universalVaultFormat.ts
index 818520108..23da4b3b7 100644
--- a/frontend/src/common/universalVaultFormat.ts
+++ b/frontend/src/common/universalVaultFormat.ts
@@ -1,7 +1,7 @@
 import JSZip from 'jszip';
 import { base64, base64url } from 'rfc4648';
 import { VaultDto } from './backend';
-import { AccessTokenPayload, AccessTokenProducing, OtherVaultMember, UserKeys, VaultTemplateProducing, getJwkThumbprint } from './crypto';
+import { AccessTokenPayload, AccessTokenProducing, JsonWebKeySet, OtherVaultMember, UserKeys, VaultTemplateProducing, getJwkThumbprint } from './crypto';
 import { JWE, JWEHeader, JsonJWE, Recipient } from './jwe';
 import { CRC32, wordEncoder } from './util';
 
@@ -183,11 +183,18 @@ export class RecoveryKey {
 
   /**
    * Encodes the public key
-   * @returns public key in base64-encoded DER format
+   * @returns public key in JWK format
    */
   public async serializePublicKey(): Promise<string> {
-    const bytes = await crypto.subtle.exportKey('spki', this.publicKey);
-    return base64.stringify(new Uint8Array(bytes), { pad: true });
+    const jwk = await crypto.subtle.exportKey('jwk', this.publicKey);
+    const thumbprint = await getJwkThumbprint(jwk);
+    return JSON.stringify({
+      kid: `org.cryptomator.hub.recoverykey.${thumbprint}`,
+      kty: jwk.kty,
+      crv: jwk.crv,
+      x: jwk.x,
+      y: jwk.y
+    });
   }
 
 }
@@ -261,7 +268,8 @@ export class VaultMetadata {
   public async encrypt(memberKey: MemberKey, recoveryKey: RecoveryKey): Promise<string> {
     const recoveryKeyID = `org.cryptomator.hub.recoverykey.${await getJwkThumbprint(recoveryKey.publicKey)}`;
     const protectedHeader: JWEHeader = {
-      jku: 'jku.jwks' // URL relative to /api/vaults/{vaultid}/
+      origin: `https://example.com/api/vaults/TODO/uvf/vault.uvf`, // TODO use ${absBackendBaseURL}. Couldn't do this, because tests fail for mysterious reasons
+      jku: 'jwks.json' // URL relative to origin
     };
     const jwe = await JWE.build(this.payload(), protectedHeader).encrypt(Recipient.a256kw('org.cryptomator.hub.memberkey', memberKey.key), Recipient.ecdhEs(recoveryKeyID, recoveryKey.publicKey));
     const json = jwe.jsonSerialization();
@@ -304,21 +312,35 @@ export class UniversalVaultFormat implements AccessTokenProducing, VaultTemplate
   }
 
   public static async decrypt(vault: VaultDto, accessToken: string, userKeyPair: UserKeys): Promise<UniversalVaultFormat> {
-    if (!vault.uvfMetadataFile || !vault.uvfRecoveryPublicKey) {
+    if (!vault.uvfMetadataFile || !vault.uvfKeySet) {
       throw new Error('Not a UVF vault.');
     }
+    const jwks = JSON.parse(vault.uvfKeySet) as JsonWebKeySet;
+    const recoveryPublicKey = await this.getRecoveryPublicKeyFromJwks(jwks);
     const payload = await userKeyPair.decryptAccessToken(accessToken) as UvfAccessTokenPayload;
     const memberKey = await MemberKey.load(payload.key);
     const metadata = await VaultMetadata.decryptWithMemberKey(vault.uvfMetadataFile, memberKey);
     let recoveryKey: RecoveryKey;
     if (payload.recoveryKey) {
-      recoveryKey = await RecoveryKey.import(base64.parse(vault.uvfRecoveryPublicKey), base64.parse(payload.recoveryKey));
+      recoveryKey = await RecoveryKey.import(recoveryPublicKey, base64.parse(payload.recoveryKey));
     } else {
-      recoveryKey = await RecoveryKey.import(base64.parse(vault.uvfRecoveryPublicKey));
+      recoveryKey = await RecoveryKey.import(recoveryPublicKey);
     }
     return new UniversalVaultFormat(metadata, memberKey, recoveryKey);
   }
 
+  private static async getRecoveryPublicKeyFromJwks(jwks: JsonWebKeySet): Promise<CryptoKey> {
+    for (const key of jwks.keys) {
+      if (key.kid?.startsWith('org.cryptomator.hub.recoverykey.')) {
+        const thumbprint = await getJwkThumbprint(key as JsonWebKey);
+        if (key.kid === `org.cryptomator.hub.recoverykey.${thumbprint}`) {
+          return await crypto.subtle.importKey('jwk', key as JsonWebKey, RecoveryKey.KEY_DESIGNATION, true, []);
+        }
+      }
+    }
+    throw new Error('Recovery key not found in JWKS');
+  }
+
   public async createMetadataFile(): Promise<string> {
     return this.metadata.encrypt(this.memberKey, this.recoveryKey);
   }
diff --git a/frontend/src/components/CreateVault.vue b/frontend/src/components/CreateVault.vue
index 73c8ff0ba..17fa3523f 100644
--- a/frontend/src/components/CreateVault.vue
+++ b/frontend/src/components/CreateVault.vue
@@ -352,8 +352,9 @@ async function createVault() {
           throw new Error('Invalid state');
         }
         ownerGrant.token = await uvfVault.value.encryptForUser(base64.parse(owner.publicKey), true);
+        const recoveryPublicKey = await uvfVault.value.recoveryKey.serializePublicKey();
         vault.value.uvfMetadataFile = await uvfVault.value.createMetadataFile();
-        vault.value.uvfRecoveryPublicKey = await uvfVault.value.recoveryKey.serializePublicKey();
+        vault.value.uvfKeySet = `{"keys": [${recoveryPublicKey}]}`;
         break;
       }
     }
diff --git a/frontend/test/common/crypto.spec.ts b/frontend/test/common/crypto.spec.ts
index d1460befb..c6b2a8c10 100644
--- a/frontend/test/common/crypto.spec.ts
+++ b/frontend/test/common/crypto.spec.ts
@@ -2,7 +2,7 @@ import { use as chaiUse, expect } from 'chai';
 import chaiAsPromised from 'chai-as-promised';
 import { before, describe } from 'mocha';
 import { base64 } from 'rfc4648';
-import { UnwrapKeyError, UserKeys } from '../../src/common/crypto';
+import { UnwrapKeyError, UserKeys, getJwkThumbprint } from '../../src/common/crypto';
 
 chaiUse(chaiAsPromised);
 
@@ -153,6 +153,25 @@ describe('crypto', () => {
       expect(encoded).to.eq('MHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEem7I0xHVyliLrtQb4+mPMMkpSETsu2KZlWU2NdvCLaLwg/KXEeD5xZY7wCG9jLIQna9WpV+IOnIAzqnE3kRIjm3En7nDlPUctaSfxp1+igNHkpY65Oq8Y0g6LPGomejI');
     });
   });
+
+  describe('JWK Thumbprint', () => {
+
+    // https://datatracker.ietf.org/doc/html/rfc7638#section-3.1
+    it('compute example thumbprint from RFC 7638, Section 3.1', async () => {
+      const input: JsonWebKey & any = {
+        kty: 'RSA',
+        n: '0vx7agoebGcQSuuPiLJXZptN9nndrQmbXEps2aiAFbWhM78LhWx4cbbfAAtVT86zwu1RK7aPFFxuhDR1L6tSoc_BJECPebWKRXjBZCiFV4n3oknjhMstn64tZ_2W-5JsGY4Hc5n9yBXArwl93lqt7_RN5w6Cf0h4QyQ5v-65YGjQR0_FDW2QvzqY368QQMicAtaSqzs8KJZgnYb9c7d0zgdAZHzu6qMQvRL5hajrn1n91CbOpbISD08qNLyrdkt-bFTWhAI4vMQFh6WeZu0fM4lFd2NcRwr3XPksINHaQ-G_xBniIqbw0Ls1jF44-csFCur-kEgU8awapJzKnqDKgw',
+        e: 'AQAB',
+        alg: 'RS256',
+        kid: '2011-04-29'
+      };
+
+      const thumbprint = await getJwkThumbprint(input);
+
+      expect(thumbprint).to.eq('NzbLsXh8uDCcd-6MNwXF4W_7noWXFZAfHkxZsRGC9Xs');
+    });
+
+  });
 });
 
 /* ---------- MOCKS ---------- */
diff --git a/frontend/test/common/universalVaultFormat.spec.ts b/frontend/test/common/universalVaultFormat.spec.ts
index a5d80b8ea..bcf2c8f82 100644
--- a/frontend/test/common/universalVaultFormat.spec.ts
+++ b/frontend/test/common/universalVaultFormat.spec.ts
@@ -5,6 +5,7 @@ import { before, describe } from 'mocha';
 import { base64 } from 'rfc4648';
 import { VaultDto } from '../../src/common/backend';
 import { UserKeys } from '../../src/common/crypto';
+import { JsonJWE } from '../../src/common/jwe';
 import { MemberKey, RecoveryKey, UniversalVaultFormat, VaultMetadata } from '../../src/common/universalVaultFormat';
 
 chaiUse(chaiAsPromised);
@@ -121,7 +122,7 @@ describe('UVF', () => {
       const recoveryKey = await RecoveryKey.recover(serialized);
 
       return Promise.all([
-        expect(recoveryKey.serializePublicKey()).to.eventually.eq('MHYwEAYHKoZIzj0CAQYFK4EEACIDYgAESzrRXmyI8VWFJg1dPUNbFcc9jZvjZEfH7ulKI1UkXAltd7RGWrcfFxqyGPcwu6AQhHUag3OvDzEr0uUQND4PXHQTXP5IDGdYhJhL+WLKjnGjQAw0rNGy5V29+aV+yseW'),
+        expect(recoveryKey.serializePublicKey()).to.eventually.eq('{"kid":"org.cryptomator.hub.recoverykey.T-LR82IaI1_TGHwcyn1u8vAYakGPz4upg1lPnE0xBZQ","kty":"EC","crv":"P-384","x":"SzrRXmyI8VWFJg1dPUNbFcc9jZvjZEfH7ulKI1UkXAltd7RGWrcfFxqyGPcwu6AQ","y":"hHUag3OvDzEr0uUQND4PXHQTXP5IDGdYhJhL-WLKjnGjQAw0rNGy5V29-aV-yseW"}'),
         expect(recoveryKey.serializePrivateKey()).to.eventually.eq('MIG2AgEAMBAGByqGSM49AgEGBSuBBAAiBIGeMIGbAgEBBDDCi4K1Ts3DgTz/ufkLX7EGMHjGpJv+WJmFgyzLwwaDFSfLpDw0Kgf3FKK+LAsV8r+hZANiAARLOtFebIjxVYUmDV09Q1sVxz2Nm+NkR8fu6UojVSRcCW13tEZatx8XGrIY9zC7oBCEdRqDc68PMSvS5RA0Pg9cdBNc/kgMZ1iEmEv5YsqOcaNADDSs0bLlXb35pX7Kx5Y=')
       ]);
     });
@@ -161,7 +162,7 @@ describe('UVF', () => {
 
       it('serializePublicKey()', async () => {
         const serialized = await recoveryKey.serializePublicKey();
-        expect(serialized).to.eq('MHYwEAYHKoZIzj0CAQYFK4EEACIDYgAESzrRXmyI8VWFJg1dPUNbFcc9jZvjZEfH7ulKI1UkXAltd7RGWrcfFxqyGPcwu6AQhHUag3OvDzEr0uUQND4PXHQTXP5IDGdYhJhL+WLKjnGjQAw0rNGy5V29+aV+yseW');
+        expect(serialized).to.eq('{"kid":"org.cryptomator.hub.recoverykey.T-LR82IaI1_TGHwcyn1u8vAYakGPz4upg1lPnE0xBZQ","kty":"EC","crv":"P-384","x":"SzrRXmyI8VWFJg1dPUNbFcc9jZvjZEfH7ulKI1UkXAltd7RGWrcfFxqyGPcwu6AQ","y":"hHUag3OvDzEr0uUQND4PXHQTXP5IDGdYhJhL-WLKjnGjQAw0rNGy5V29-aV-yseW"}');
       });
 
       it('createRecoveryKey()', async () => {
@@ -189,21 +190,23 @@ describe('UVF', () => {
         name: 'test',
         archived: false,
         creationTime: new Date(),
-        uvfMetadataFile: '{"protected":"eyJqa3UiOiJqa3UuandrcyIsImVuYyI6IkEyNTZHQ00ifQ","recipients":[{"header":{"kid":"org.cryptomator.hub.memberkey","alg":"A256KW"},"encrypted_key":"WyLgMABBhRtsTE4PGJc-o8ZlhmoBB3uwCfNgs2wLqnmvCak9ZWoeww"},{"header":{"kid":"org.cryptomator.hub.recoverykey.7gnV24ftRgvx7eq-MeV4Pr_K9KlxdRl9EThXQ08XrA8","alg":"ECDH-ES+A256KW","epk":{"key_ops":[],"ext":true,"kty":"EC","x":"6DEeEYrLi7mz4a1QftEOXIia6wL2OblQioOiR081diHe1T_CbSP_OLnTXgQX2Ark","y":"qLY9M8mWj6kE5rzshqV-c2ioUvV82Gp7RLfolW_Yd4bMYTL142MQX7F7TSYIt1P3","crv":"P-384"},"apu":"","apv":""},"encrypted_key":"1bd-7tqhB6y3F2CxJxdoe3lRhvizbL7VyhlZjRSzGLxoBm7bELQBdQ"}],"iv":"aAFzuQNAO5NlO0eP","ciphertext":"C6ZhAuKv46ydOQ215-hm9ei18EHi5sVBdwYKBBL1XXpC852e8HWprA1HBPXBd_aKw_0wimpIiTxgJLK8V3YZIHlECHM2T-q7em7kPT-NUWHL9rnXKQrdFkuwXiKiVRvlYKQAG8r52-SHl-mm4cMVXFIwWyks36bt87ngQ1vWih9qYqpvxJ6DozHveR8jODxe_itGx8aYm6pbjlT56vAb10in7s-Y_Xya1pLSdVHmMyZf90fe9X7cY9qv6Jnybi2SvWLr8H3wIpp_3-T_zLMzJB1SpGo-BhZqcoon2SzYACx4TFh9eMydlTEi0DEqSs3NoqXAN8uBEEcSeDfTAAr5J9BjvIF7wq5FHomJcfPjW5qhSmqyxi3JXnF0UjP7jy0aPWqZtKqIkedlQb62oR4bPoKk9vrp","tag":"zK_nd4E8g25v3qq5ayVviogORUvQDS1Mi11dCkuxUgc"}',
-        uvfRecoveryPublicKey: 'MHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEu35Pxi7dz4zbnOeU41N3Rkr3UDfpXlQPZYj/45+15K2wcKgGw7q8n8LCWHvSZ2XyXhUKsAeuosCsgEyw7LOji1J0yAvCASr44majKi9lyQ2gabxHPkPaHRJV/9QGO6id'
+        uvfMetadataFile: '{"protected":"eyJvcmlnaW4iOiJodHRwczovL2V4YW1wbGUuY29tL2FwaS92YXVsdHMvVE9ETy91dmYvdmF1bHQudXZmIiwiamt1Ijoiandrcy5qc29uIiwiZW5jIjoiQTI1NkdDTSJ9","recipients":[{"header":{"kid":"org.cryptomator.hub.memberkey","alg":"A256KW"},"encrypted_key":"7FtABJ5BpSM9Ft8wUPfLQc-12WF57kX0tWtRWiVwA_N_gJBa9iwhzw"},{"header":{"kid":"org.cryptomator.hub.recoverykey.1h24rxLxIlNRPQAn5NBP0fL3VKNTmqS6NEnt2clI5ko","alg":"ECDH-ES+A256KW","epk":{"key_ops":[],"ext":true,"kty":"EC","x":"oNu46YFrgrGSvl98HyDD3_iPkfZBnpYgEHmPL3qbO4AdwBsycpIqcHwKhT8Lt7B8","y":"P80VgJFml85v_F2-aPYdgDQX_DPGZr1s_p8gWF4Idkp13QfKdhi32C7Zoy5kzPWO","crv":"P-384"},"apu":"","apv":""},"encrypted_key":"QaJn0TP7mGAc5ukOpZ0gNAuBtCW7hPCkj8Jp4bhMftQfJefHNyqE7Q"}],"iv":"Wgif0WP21-MAwvWs","ciphertext":"-n5CePmmN99I4KqlnR64Fuu5b2Md9s4CGxLMm7KQqu65H0ug7Fs5HHnrx_gkpFiv1Mn-jwrkoEtiixyQcYX6UcoyT2dY1MkLQB7QU9mdMpZU3n19Q2sAx1-gfTCd7IzVXef7SEfuscdQL1QTKJW454Dy8L3WwPiDpUgt9ED7mMFdJ6lJ3_EFYstN0VFAVf_jwtIILmQrjkM_LI0FFKfqkOCH2nuE9xG8ihPH9X9OStllPp00G9_onYu9mrg-smiNNK2Ib19CZJ2E6mAp7F_LGiz6p203fsprj4XY9J6t8zl5Vpc61NmFvzvY4j3_5FpD_BmpVr8tyyVT9zqWn4vsBAHORQ1V_b9v68O7CekCebpQvpmzEPZwZN1Ma_T6oI7Ydn1rtBnDruVrpWm01RL8XpHnFbko","tag":"vPLd65IEcexmhGbYPM0cYI53H4Pp1OfTaAq_QGrneLM"}',
+        uvfKeySet: '{"keys": [{"kid":"org.cryptomator.hub.recoverykey.1h24rxLxIlNRPQAn5NBP0fL3VKNTmqS6NEnt2clI5ko","kty":"EC","crv":"P-384","x":"DczdNhPQnpgP8FV6qa372LDLJF2w2bMKXzea5cjxslaMjM6w7NGqrF498LYHU-Jt","y":"vH9bc-Ow_O1EQmd6N5pKmDoPyE6ziKsrlpuck5aLXwV4fSMV_8Ro1a872j5ClsPe"}]}'
       };
-      const accessToken = 'eyJlbmMiOiJBMjU2R0NNIiwia2lkIjoib3JnLmNyeXB0b21hdG9yLmh1Yi51c2Vya2V5IiwiYWxnIjoiRUNESC1FUytBMjU2S1ciLCJlcGsiOnsia2V5X29wcyI6W10sImV4dCI6dHJ1ZSwia3R5IjoiRUMiLCJ4IjoiWGJxOGozRXpXWlBuVDNnUDBzR2s3dkQxWVo5NUMyeUFRWEJoZlpLbE9sQnF5QlN6UlJsdUdOckZSTi10MHFIdCIsInkiOiJPb1VzcW04V0tCdUt6MzdKaGZhU3Y5OGk5SzVnS3hBYlNlQnBFSHdRTU9qSTlNZ0VSZmdDX2NqZWdKNnhqYlFjIiwiY3J2IjoiUC0zODQifSwiYXB1IjoiIiwiYXB2IjoiIn0.i8sw4wq6q-XH-rdbhsnOhJCw4WIFgrpDWIttyrRQk3Bhx4NhW1VwzA.HvVu3ujO_ckTBlCl.7nNWKXpy4kfAwxB7JDmPGrfjO9dDvB_w8FrGesfWlEXKf-WJBHo.eGUXkTJawp8EmVbXca3NarXaQ6_qS2_MxeuLLlKN_Ck';
+      const accessToken = 'eyJlbmMiOiJBMjU2R0NNIiwia2lkIjoib3JnLmNyeXB0b21hdG9yLmh1Yi51c2Vya2V5IiwiYWxnIjoiRUNESC1FUytBMjU2S1ciLCJlcGsiOnsia2V5X29wcyI6W10sImV4dCI6dHJ1ZSwia3R5IjoiRUMiLCJ4IjoiUXZRWUpUd3dSVEg2MWRFS3ZoNDI4ZG9nN3pRTFFxY3I0NUhwZTRqZFQ5Qno2bjcyVzQ4dTJ3WXk0UXlyZ0kxciIsInkiOiJZS1RtQ04zZXNKNDJVbUpzLU44NTFKamsyUFVPUU0zZXpCTkJvZGk4RnRNUDlUeUhoXzc0aHpxTC1EYTZkMXlwIiwiY3J2IjoiUC0zODQifSwiYXB1IjoiIiwiYXB2IjoiIn0.rdysEEQN0FidglDtK5yyaEpQtv4CsYLOQd__y7REkb_3BLP9nD4Blw.dFb9JOdveiw3LmIs.rSMkz8VoB_LspnvxvmRzCWNVLShTWfbzHfqe5lwrWwumYCdeRPM.xsS2tDUr2khJrLxHex8gZhBgO_CMA_PxFlR-ku3JiT8';
       const uvf = await UniversalVaultFormat.decrypt(dto, accessToken, alice);
 
       expect(uvf).to.be.not.null;
       expect(uvf.metadata).to.be.not.null;
-      expect(uvf.metadata.initialSeedId).to.eq(731870158);
-      expect(uvf.metadata.latestSeedId).to.eq(731870158);
-      expect(uvf.metadata.kdfSalt).to.equalBytes(base64.parse('BENqfHpG1FE8zlmBOfadoKMpsPxCJR1OqLz5H+yO2ls='));
-      expect(uvf.metadata.seeds.get(731870158)).to.equalBytes(base64.parse('D9anaJ+7ASDdGWNeTG3JuoVLoI1IWzYGjTUVxW0215s='));
+      expect(uvf.metadata.initialSeedId).to.eq(2754894775);
+      expect(uvf.metadata.latestSeedId).to.eq(2754894775);
+      expect(uvf.metadata.seeds.get(2754894775)).to.not.be.empty;
+      expect(base64.stringify(uvf.metadata.kdfSalt)).to.eq('HE4OP+2vyfLLURicF1XmdIIsWv0Zs6MobLKROUIEhQY=');
+      expect(base64.stringify(uvf.metadata.seeds.get(2754894775)!)).to.eq('fP4V4oAjsUw5DqackAvLzA0oP1kAQZ0f5YFZQviXSuU=');
       expect(uvf.memberKey).to.be.not.null;
       expect(uvf.recoveryKey).to.be.not.null;
       expect(uvf.recoveryKey.privateKey).to.be.undefined;
+      expect(uvf.recoveryKey.publicKey).to.be.not.null;
     });
 
     describe('instance methods', () => {
@@ -219,13 +222,26 @@ describe('UVF', () => {
       });
 
       it('createMetadataFile() creates a vault.uvf file', async () => {
-        const file = await uvf.createMetadataFile();
-        expect(file).to.be.not.null;
+        const json = await uvf.createMetadataFile();
+        expect(json).to.be.not.null;
+        const jwe = JSON.parse(json) as JsonJWE;
+        expect(jwe.protected).to.not.be.empty;
+        expect(jwe.recipients).to.have.lengthOf(2);
+        expect(jwe.iv).to.not.be.empty;
+        expect(jwe.ciphertext).to.not.be.empty;
+        expect(jwe.tag).to.not.be.empty;
       });
 
-      it('serializePublicKey() creates a PEM-encoded representation', async () => {
-        const pem = await uvf.recoveryKey.serializePublicKey();
-        expect(pem).to.be.not.null;
+      it('serializePublicKey() creates a JWK-encoded representation', async () => {
+        const json = await uvf.recoveryKey.serializePublicKey();
+        expect(json).to.be.not.null;
+        const jwk = JSON.parse(json) as JsonWebKey & { kid: string };
+        expect(jwk.kty).to.eq('EC');
+        expect(jwk.crv).to.eq('P-384');
+        expect(jwk.x).to.not.be.empty;
+        expect(jwk.y).to.not.be.empty;
+        expect(jwk.d).to.be.undefined;
+        expect(jwk.kid).to.not.be.empty;
       });
     });
   });

From 98cd1737fd8c9493fd2cddf9a53ebfa0f3a9e470 Mon Sep 17 00:00:00 2001
From: Sebastian Stenzel <sebastian.stenzel@skymatic.de>
Date: Fri, 10 May 2024 20:14:40 +0200
Subject: [PATCH 42/94] expose `jwks.json` and `vault.uvf` endpoints

---
 .../cryptomator/hub/api/VaultResource.java    | 32 +++++++++++++++++++
 1 file changed, 32 insertions(+)

diff --git a/backend/src/main/java/org/cryptomator/hub/api/VaultResource.java b/backend/src/main/java/org/cryptomator/hub/api/VaultResource.java
index d6bc3dd44..824271c50 100644
--- a/backend/src/main/java/org/cryptomator/hub/api/VaultResource.java
+++ b/backend/src/main/java/org/cryptomator/hub/api/VaultResource.java
@@ -331,6 +331,38 @@ public Response unlock(@PathParam("vaultId") UUID vaultId, @QueryParam("evenIfAr
 		}
 	}
 
+	@GET
+	@Path("/{vaultId}/uvf/vault.uvf")
+	@RolesAllowed("user")
+	@Transactional
+	@Produces(MediaType.APPLICATION_JSON)
+	@Operation(summary = "get the vault.uvf file")
+	@APIResponse(responseCode = "200")
+	@APIResponse(responseCode = "404", description = "unknown vault")
+	public String getUvfMetadata(@PathParam("vaultId") UUID vaultId) {
+		var vault = vaultRepo.findById(vaultId);
+		if (vault == null || vault.getUvfMetadataFile() == null) {
+			throw new NotFoundException();
+		}
+		return vault.getUvfMetadataFile();
+	}
+
+	@GET
+	@Path("/{vaultId}/uvf/jwks.json")
+	@RolesAllowed("user")
+	@Transactional
+	@Produces(MediaType.APPLICATION_JSON)
+	@Operation(summary = "get public vault keys", description = "retrieves a JWK Set containing public keys related to this vault")
+	@APIResponse(responseCode = "200")
+	@APIResponse(responseCode = "404", description = "unknown vault")
+	public String getUvfKeys(@PathParam("vaultId") UUID vaultId) {
+		var vault = vaultRepo.findById(vaultId);
+		if (vault == null || vault.getUvfMetadataFile() == null) {
+			throw new NotFoundException();
+		}
+		return vault.getUvfKeySet();
+	}
+
 	@POST
 	@Path("/{vaultId}/access-tokens")
 	@RolesAllowed("user")

From 00641e4f7f6cc329cb518259e0c8b01ff7a02ebd Mon Sep 17 00:00:00 2001
From: Sebastian Stenzel <sebastian.stenzel@skymatic.de>
Date: Thu, 16 May 2024 15:28:07 +0200
Subject: [PATCH 43/94] switch to MemberDto

in `/api/vaults/{v}/users-requiring-access-grant`, allowing us to know the member's role
---
 .../org/cryptomator/hub/api/MemberDto.java    |  9 ++--
 .../cryptomator/hub/api/VaultResource.java    | 13 +++--
 .../hub/entities/EffectiveVaultAccess.java    | 52 ++++++++++++++++++-
 .../org/cryptomator/hub/entities/User.java    | 13 -----
 frontend/src/common/backend.ts                | 10 ++--
 .../src/components/GrantPermissionDialog.vue  |  4 +-
 frontend/src/components/VaultDetails.vue      | 16 +++---
 7 files changed, 82 insertions(+), 35 deletions(-)

diff --git a/backend/src/main/java/org/cryptomator/hub/api/MemberDto.java b/backend/src/main/java/org/cryptomator/hub/api/MemberDto.java
index bcae87d44..3da705453 100644
--- a/backend/src/main/java/org/cryptomator/hub/api/MemberDto.java
+++ b/backend/src/main/java/org/cryptomator/hub/api/MemberDto.java
@@ -7,20 +7,23 @@
 
 public final class MemberDto extends AuthorityDto {
 
+	@JsonProperty("publicKey")
+	public final String publicKey;
 	@JsonProperty("role")
 	public final VaultAccess.Role role;
 
-	MemberDto(@JsonProperty("id") String id, @JsonProperty("type") AuthorityDto.Type type, @JsonProperty("name") String name, @JsonProperty("pictureUrl") String pictureUrl, @JsonProperty("role") VaultAccess.Role role) {
+	MemberDto(@JsonProperty("id") String id, @JsonProperty("type") Type type, @JsonProperty("name") String name, @JsonProperty("pictureUrl") String pictureUrl, @JsonProperty("publicKey") String publicKey, @JsonProperty("role") VaultAccess.Role role) {
 		super(id, type, name, pictureUrl);
+		this.publicKey = publicKey;
 		this.role = role;
 	}
 
 	public static MemberDto fromEntity(User user, VaultAccess.Role role) {
-		return new MemberDto(user.getId(), Type.USER, user.getName(), user.getPictureUrl(), role);
+		return new MemberDto(user.getId(), Type.USER, user.getName(), user.getPictureUrl(), user.getPublicKey(), role);
 	}
 
 	public static MemberDto fromEntity(Group group, VaultAccess.Role role) {
-		return new MemberDto(group.getId(), Type.GROUP, group.getName(), null, role);
+		return new MemberDto(group.getId(), Type.GROUP, group.getName(), null, null, role);
 	}
 
 }
diff --git a/backend/src/main/java/org/cryptomator/hub/api/VaultResource.java b/backend/src/main/java/org/cryptomator/hub/api/VaultResource.java
index 824271c50..3ff8bd0ac 100644
--- a/backend/src/main/java/org/cryptomator/hub/api/VaultResource.java
+++ b/backend/src/main/java/org/cryptomator/hub/api/VaultResource.java
@@ -245,11 +245,18 @@ public Response removeAuthority(@PathParam("vaultId") UUID vaultId, @PathParam("
 	@VaultRole(VaultAccess.Role.OWNER) // may throw 403
 	@Transactional
 	@Produces(MediaType.APPLICATION_JSON)
-	@Operation(summary = "list devices requiring access rights", description = "lists all devices owned by vault members, that don't have a device-specific masterkey yet")
+	@Operation(summary = "list members requiring access tokens", description = "lists all members, that have permissions but lack an access token")
 	@APIResponse(responseCode = "200")
 	@APIResponse(responseCode = "403", description = "not a vault owner")
-	public List<UserDto> getUsersRequiringAccessGrant(@PathParam("vaultId") UUID vaultId) {
-		return userRepo.findRequiringAccessGrant(vaultId).map(UserDto::justPublicInfo).toList();
+	public List<MemberDto> getUsersRequiringAccessGrant(@PathParam("vaultId") UUID vaultId) {
+		return effectiveVaultAccessRepo.findMembersWithoutAccessTokens(vaultId).map(access -> {
+			if (access.getAuthority() instanceof User u) {
+				return MemberDto.fromEntity(u, access.getRole());
+			} else {
+				// findMembersWithoutAccessTokens() should only return users, not groups.
+				throw new IllegalStateException();
+			}
+		}).toList();
 	}
 
 	@Deprecated(forRemoval = true)
diff --git a/backend/src/main/java/org/cryptomator/hub/entities/EffectiveVaultAccess.java b/backend/src/main/java/org/cryptomator/hub/entities/EffectiveVaultAccess.java
index e55f4b5b1..a5f0feba2 100644
--- a/backend/src/main/java/org/cryptomator/hub/entities/EffectiveVaultAccess.java
+++ b/backend/src/main/java/org/cryptomator/hub/entities/EffectiveVaultAccess.java
@@ -9,6 +9,9 @@
 import jakarta.persistence.Entity;
 import jakarta.persistence.EnumType;
 import jakarta.persistence.Enumerated;
+import jakarta.persistence.JoinColumn;
+import jakarta.persistence.ManyToOne;
+import jakarta.persistence.MapsId;
 import jakarta.persistence.NamedQuery;
 import jakarta.persistence.Table;
 import org.hibernate.annotations.Immutable;
@@ -19,6 +22,7 @@
 import java.util.Objects;
 import java.util.UUID;
 import java.util.stream.Collectors;
+import java.util.stream.Stream;
 
 @Entity
 @Immutable
@@ -62,11 +66,29 @@ SELECT count(DISTINCT u)
 		FROM EffectiveVaultAccess eva
 		WHERE eva.id.vaultId = :vaultId AND eva.id.authorityId = :authorityId
 		""")
+@NamedQuery(name = "EffectiveVaultAccess.findMembersWithoutAccessTokens", query = """
+		SELECT eva
+		FROM EffectiveVaultAccess eva
+			INNER JOIN User u ON u.id = eva.id.authorityId
+			LEFT JOIN AccessToken token ON token.id.vaultId = eva.id.vaultId AND token.id.userId = eva.id.authorityId
+			WHERE eva.id.vaultId = :vaultId AND token.vault IS NULL AND u.publicKey IS NOT NULL
+		"""
+)
 public class EffectiveVaultAccess {
 
 	@EmbeddedId
 	private EffectiveVaultAccess.Id id;
 
+	@ManyToOne
+	@MapsId("vaultId")
+	@JoinColumn(name = "vault_id")
+	private Vault vault;
+
+	@ManyToOne
+	@MapsId("authorityId")
+	@JoinColumn(name = "authority_id")
+	private Authority authority;
+
 	public Id getId() {
 		return id;
 	}
@@ -75,6 +97,30 @@ public void setId(Id id) {
 		this.id = id;
 	}
 
+	public Vault getVault() {
+		return vault;
+	}
+
+	public void setVault(Vault vault) {
+		this.vault = vault;
+	}
+
+	public Authority getAuthority() {
+		return authority;
+	}
+
+	public void setAuthority(Authority authority) {
+		this.authority = authority;
+	}
+
+	public VaultAccess.Role getRole() {
+		return id.role;
+	}
+
+	public void setRole(VaultAccess.Role role) {
+		this.id.role = role;
+	}
+
 	@Embeddable
 	public static class Id implements Serializable {
 
@@ -170,8 +216,12 @@ public long countSeatOccupyingUsersOfGroup(String groupId) {
 
 		public Collection<VaultAccess.Role> listRoles(UUID vaultId, String authorityId) {
 			return find("#EffectiveVaultAccess.findByAuthorityAndVault", Parameters.with("vaultId", vaultId).and("authorityId", authorityId)).stream()
-					.map(eva -> eva.getId().getRole())
+					.map(EffectiveVaultAccess::getRole)
 					.collect(Collectors.toUnmodifiableSet());
 		}
+
+		public Stream<EffectiveVaultAccess> findMembersWithoutAccessTokens(UUID vaultId) {
+			return find("#EffectiveVaultAccess.findMembersWithoutAccessTokens", Parameters.with("vaultId", vaultId)).stream();
+		}
 	}
 }
diff --git a/backend/src/main/java/org/cryptomator/hub/entities/User.java b/backend/src/main/java/org/cryptomator/hub/entities/User.java
index 8bca0b0ca..ae8660fe0 100644
--- a/backend/src/main/java/org/cryptomator/hub/entities/User.java
+++ b/backend/src/main/java/org/cryptomator/hub/entities/User.java
@@ -20,15 +20,6 @@
 @Entity
 @Table(name = "user_details")
 @DiscriminatorValue("USER")
-@NamedQuery(name = "User.requiringAccessGrant",
-		query = """
-				SELECT u
-				FROM User u
-					INNER JOIN EffectiveVaultAccess perm ON u.id = perm.id.authorityId
-					LEFT JOIN u.accessTokens token ON token.id.vaultId = :vaultId AND token.id.userId = u.id
-					WHERE perm.id.vaultId = :vaultId AND token.vault IS NULL AND u.publicKey IS NOT NULL
-				"""
-)
 @NamedQuery(name = "User.getEffectiveGroupUsers", query = """
 				SELECT DISTINCT u
 				FROM User u
@@ -141,10 +132,6 @@ public int hashCode() {
 	@ApplicationScoped
 	public static class Repository implements PanacheRepositoryBase<User, String> {
 
-		public Stream<User> findRequiringAccessGrant(UUID vaultId) {
-			return find("#User.requiringAccessGrant", Parameters.with("vaultId", vaultId)).stream();
-		}
-
 		public long countEffectiveGroupUsers(String groupdId) {
 			return count("#User.countEffectiveGroupUsers", Parameters.with("groupId", groupdId));
 		}
diff --git a/frontend/src/common/backend.ts b/frontend/src/common/backend.ts
index 740a9da5e..d707ba725 100644
--- a/frontend/src/common/backend.ts
+++ b/frontend/src/common/backend.ts
@@ -167,7 +167,7 @@ export class GroupDto extends AuthorityDto {
 }
 
 export class MemberDto extends AuthorityDto {
-  constructor(public id: string, public name: string, public type: AuthorityType, public role: VaultRole, pictureUrl: string) {
+  constructor(public id: string, public name: string, public type: AuthorityType, public role: VaultRole, pictureUrl?: string, public publicKey?: string) {
     super(id, name, type, pictureUrl);
   }
 
@@ -247,7 +247,7 @@ class VaultService {
 
   public async getMembers(vaultId: string): Promise<MemberDto[]> {
     return axiosAuth.get<MemberDto[]>(`/vaults/${vaultId}/members`).then(response => {
-      return response.data.map(member => new MemberDto(member.id, member.name, member.type, member.role, member.pictureUrl));
+      return response.data.map(member => new MemberDto(member.id, member.name, member.type, member.role, member.pictureUrl, member.publicKey));
     }).catch(err => rethrowAndConvertIfExpected(err, 403));
   }
 
@@ -261,10 +261,10 @@ class VaultService {
       .catch((error) => rethrowAndConvertIfExpected(error, 402, 404, 409));
   }
 
-  public async getUsersRequiringAccessGrant(vaultId: string): Promise<UserDto[]> {
-    return axiosAuth.get<UserDto[]>(`/vaults/${vaultId}/users-requiring-access-grant`)
+  public async getUsersRequiringAccessGrant(vaultId: string): Promise<MemberDto[]> {
+    return axiosAuth.get<MemberDto[]>(`/vaults/${vaultId}/users-requiring-access-grant`)
       .then(response => {
-        return response.data.map(dto => UserDto.copy(dto));
+        return response.data.map(member => new MemberDto(member.id, member.name, member.type, member.role, member.pictureUrl, member.publicKey));
       })
       .catch(err => rethrowAndConvertIfExpected(err, 403));
   }
diff --git a/frontend/src/components/GrantPermissionDialog.vue b/frontend/src/components/GrantPermissionDialog.vue
index 39c969231..e24000c2d 100644
--- a/frontend/src/components/GrantPermissionDialog.vue
+++ b/frontend/src/components/GrantPermissionDialog.vue
@@ -71,7 +71,7 @@ import { ExclamationTriangleIcon } from '@heroicons/vue/24/outline';
 import { base64 } from 'rfc4648';
 import { onMounted, ref } from 'vue';
 import { useI18n } from 'vue-i18n';
-import backend, { AccessGrant, ConflictError, NotFoundError, UserDto, VaultDto } from '../common/backend';
+import backend, { AccessGrant, ConflictError, MemberDto, NotFoundError, VaultDto } from '../common/backend';
 import { AccessTokenProducing, getFingerprint } from '../common/crypto';
 
 const { t } = useI18n({ useScope: 'global' });
@@ -82,7 +82,7 @@ const onGrantPermissionError = ref<Error | null>();
 
 const props = defineProps<{
   vault: VaultDto
-  users: UserDto[]
+  users: MemberDto[]
   vaultKeys: AccessTokenProducing
 }>();
 
diff --git a/frontend/src/components/VaultDetails.vue b/frontend/src/components/VaultDetails.vue
index bd3e21e99..b70f2c9b5 100644
--- a/frontend/src/components/VaultDetails.vue
+++ b/frontend/src/components/VaultDetails.vue
@@ -168,7 +168,7 @@
       <div v-else class="mt-2 flex flex-col gap-2">
         <!-- grantAccess button -->
         <div v-if="vaultRole == 'OWNER'" class="flex gap-2">
-          <button :disabled="usersRequiringAccessGrant.length == 0" type="button" class="flex-1 bg-primary py-2 px-4 border border-transparent rounded-md shadow-sm text-sm font-medium text-white hover:bg-primary-d1 focus:outline-none focus:ring-2 focus:ring-offset-2 focus:ring-primary disabled:opacity-50 disabled:hover:bg-primary disabled:cursor-not-allowed" @click="showGrantPermissionDialog()">
+          <button :disabled="membersRequiringAccessGrant.length == 0" type="button" class="flex-1 bg-primary py-2 px-4 border border-transparent rounded-md shadow-sm text-sm font-medium text-white hover:bg-primary-d1 focus:outline-none focus:ring-2 focus:ring-offset-2 focus:ring-primary disabled:opacity-50 disabled:hover:bg-primary disabled:cursor-not-allowed" @click="showGrantPermissionDialog()">
             {{ t('vaultDetails.actions.updatePermissions') }}
           </button>
           <button type="button" class="bg-white py-2 px-4 border border-gray-300 rounded-md shadow-sm text-sm font-medium text-gray-700 hover:bg-gray-50 focus:outline-none focus:ring-2 focus:ring-offset-2 focus:ring-primary" @click="reloadDevicesRequiringAccessGrant()">
@@ -201,7 +201,7 @@
   </div>
 
   <ClaimVaultOwnershipDialog v-if="claimingVaultOwnership && vault" ref="claimVaultOwnershipDialog" :vault="vault" @action="provedOwnership" @close="claimingVaultOwnership = false" />
-  <GrantPermissionDialog v-if="grantingPermission && vault && (vaultFormat8 || uvfVault)" ref="grantPermissionDialog" :vault="vault" :users="usersRequiringAccessGrant" :vault-keys="(vaultFormat8 || uvfVault)!" @close="grantingPermission = false" @permission-granted="permissionGranted()" />
+  <GrantPermissionDialog v-if="grantingPermission && vault && (vaultFormat8 || uvfVault)" ref="grantPermissionDialog" :vault="vault" :users="membersRequiringAccessGrant" :vault-keys="(vaultFormat8 || uvfVault)!" @close="grantingPermission = false" @permission-granted="permissionGranted()" />
   <EditVaultMetadataDialog v-if="editingVaultMetadata && vault" ref="editVaultMetadataDialog" :vault="vault" @close="editingVaultMetadata = false" @updated="v => refreshVault(v)" />
   <DownloadVaultTemplateDialog v-if="downloadingVaultTemplate && vault && (vaultFormat8 || uvfVault)" ref="downloadVaultTemplateDialog" :vault="vault" :vault-keys="(vaultFormat8 || uvfVault)!" @close="downloadingVaultTemplate = false" />
   <DisplayRecoveryKeyDialog v-if="displayingRecoveryKey && vault && vaultFormat8" ref="displayRecoveryKeyDialog" :vault="vault" :vault-keys="vaultFormat8" @close="displayingRecoveryKey = false" />
@@ -272,7 +272,7 @@ const vault = ref<VaultDto>();
 const vaultFormat8 = ref<VaultFormat8>();
 const uvfVault = ref<UniversalVaultFormat>();
 const members = ref<Map<string, MemberDto>>(new Map());
-const usersRequiringAccessGrant = ref<UserDto[]>([]);
+const membersRequiringAccessGrant = ref<MemberDto[]>([]);
 const claimVaultOwnershipDialog = ref<typeof ClaimVaultOwnershipDialog>();
 const claimingVaultOwnership = ref(false);
 const me = ref<UserDto>();
@@ -307,7 +307,7 @@ async function fetchOwnerData() {
   }
   try {
     (await backend.vaults.getMembers(props.vaultId)).forEach(member => members.value.set(member.id, member));
-    usersRequiringAccessGrant.value = await backend.vaults.getUsersRequiringAccessGrant(props.vaultId);
+    membersRequiringAccessGrant.value = await backend.vaults.getUsersRequiringAccessGrant(props.vaultId);
     vaultRecoveryRequired.value = false;
     const accessToken = await backend.vaults.accessToken(props.vaultId, true);
     if (vault.value.uvfMetadataFile) {
@@ -399,7 +399,7 @@ async function provedOwnership(keys: VaultFormat8, ownerKeyPair: CryptoKeyPair)
 
 async function reloadDevicesRequiringAccessGrant() {
   try {
-    usersRequiringAccessGrant.value = await backend.vaults.getUsersRequiringAccessGrant(props.vaultId);
+    membersRequiringAccessGrant.value = await backend.vaults.getUsersRequiringAccessGrant(props.vaultId);
   } catch (error) {
     console.error('Getting devices requiring access grant failed.', error);
     onFetchError.value = error instanceof Error ? error : new Error('Unknown Error');
@@ -420,7 +420,7 @@ async function addAuthority(authority: unknown) {
     await addAuthorityBackend(authority);
     const addedMember = new MemberDto(authority.id, authority.name, authority.type, 'MEMBER', authority.pictureUrl);
     members.value.set(authority.id, addedMember);
-    usersRequiringAccessGrant.value = await backend.vaults.getUsersRequiringAccessGrant(props.vaultId);
+    membersRequiringAccessGrant.value = await backend.vaults.getUsersRequiringAccessGrant(props.vaultId);
   } catch (error) {
     //even if error instanceof NotFoundError, it is not expected from user perspective
     console.error('Adding member failed.', error);
@@ -490,7 +490,7 @@ function showRecoverVaultDialog() {
 }
 
 function permissionGranted() {
-  usersRequiringAccessGrant.value = [];
+  membersRequiringAccessGrant.value = [];
 }
 
 async function refreshLicense() {
@@ -537,7 +537,7 @@ async function removeMember(memberId: string) {
     await backend.vaults.removeAuthority(props.vaultId, memberId);
     members.value.delete(memberId);
     if (!licenseViolated.value) {
-      usersRequiringAccessGrant.value = await backend.vaults.getUsersRequiringAccessGrant(props.vaultId);
+      membersRequiringAccessGrant.value = await backend.vaults.getUsersRequiringAccessGrant(props.vaultId);
     } else {
       await refreshLicense();
     }

From 4f3e969a636507ccac0395e01d2354901e974ad5 Mon Sep 17 00:00:00 2001
From: Sebastian Stenzel <sebastian.stenzel@skymatic.de>
Date: Thu, 16 May 2024 15:31:41 +0200
Subject: [PATCH 44/94] cleanup

---
 frontend/src/common/crypto.ts               | 3 ++-
 frontend/src/common/universalVaultFormat.ts | 2 ++
 frontend/src/common/vaultFormat8.ts         | 7 ++-----
 3 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/frontend/src/common/crypto.ts b/frontend/src/common/crypto.ts
index 9fc7a622a..99d9cbd46 100644
--- a/frontend/src/common/crypto.ts
+++ b/frontend/src/common/crypto.ts
@@ -35,8 +35,9 @@ export interface AccessTokenProducing {
   /**
    * Creates a user-specific access token for the given vault.
    * @param userPublicKey the public key of the user
+   * @param isOwner whether to also include owner secrets for this user (UVF only)
    */
-  encryptForUser(userPublicKey: CryptoKey | Uint8Array): Promise<string>;
+  encryptForUser(userPublicKey: CryptoKey | Uint8Array, isOwner?: boolean): Promise<string>;
 
 }
 
diff --git a/frontend/src/common/universalVaultFormat.ts b/frontend/src/common/universalVaultFormat.ts
index 23da4b3b7..456f18e3a 100644
--- a/frontend/src/common/universalVaultFormat.ts
+++ b/frontend/src/common/universalVaultFormat.ts
@@ -345,6 +345,7 @@ export class UniversalVaultFormat implements AccessTokenProducing, VaultTemplate
     return this.metadata.encrypt(this.memberKey, this.recoveryKey);
   }
 
+  /** @inheritdoc */
   public async exportTemplate(vault: VaultDto): Promise<Blob> {
     const zip = new JSZip();
     zip.file('vault.uvf', this.createMetadataFile());
@@ -353,6 +354,7 @@ export class UniversalVaultFormat implements AccessTokenProducing, VaultTemplate
     return zip.generateAsync({ type: 'blob' });
   }
 
+  /** @inheritdoc */
   public async encryptForUser(userPublicKey: CryptoKey | Uint8Array, isOwner?: boolean): Promise<string> {
     const payload: UvfAccessTokenPayload = {
       key: await this.memberKey.serializeKey(),
diff --git a/frontend/src/common/vaultFormat8.ts b/frontend/src/common/vaultFormat8.ts
index 91d274da5..d21b6df55 100644
--- a/frontend/src/common/vaultFormat8.ts
+++ b/frontend/src/common/vaultFormat8.ts
@@ -168,6 +168,7 @@ export class VaultFormat8 implements AccessTokenProducing, VaultTemplateProducin
     return new VaultFormat8(await key);
   }
 
+  /** @inheritdoc */
   public async exportTemplate(vault: VaultDto): Promise<Blob> {
     const cfg = await config;
 
@@ -246,11 +247,7 @@ export class VaultFormat8 implements AccessTokenProducing, VaultTemplateProducin
     return base64.stringify(new Uint8Array(bytes), { pad: true });
   }
 
-  /**
-   * Encrypts this masterkey using the given public key
-   * @param userPublicKey The recipient's public key (DER-encoded)
-   * @returns a JWE containing this Masterkey
-   */
+  /** @inheritdoc */
   public async encryptForUser(userPublicKey: CryptoKey | Uint8Array): Promise<string> {
     return OtherVaultMember.withPublicKey(userPublicKey).createAccessToken({
       key: await this.serializeMasterKey(),

From 832078657a4512a2950c452545fcbe2462c484ee Mon Sep 17 00:00:00 2001
From: Sebastian Stenzel <sebastian.stenzel@skymatic.de>
Date: Thu, 16 May 2024 15:32:22 +0200
Subject: [PATCH 45/94] include role-depending data in access token

---
 frontend/src/components/GrantPermissionDialog.vue | 13 +++++++------
 frontend/src/components/VaultDetails.vue          |  5 +++++
 2 files changed, 12 insertions(+), 6 deletions(-)

diff --git a/frontend/src/components/GrantPermissionDialog.vue b/frontend/src/components/GrantPermissionDialog.vue
index e24000c2d..4b35ebd38 100644
--- a/frontend/src/components/GrantPermissionDialog.vue
+++ b/frontend/src/components/GrantPermissionDialog.vue
@@ -121,13 +121,14 @@ async function grantAccess() {
   }
 }
 
-async function giveUsersAccess(users: UserDto[]) {
+async function giveUsersAccess(members: MemberDto[]) {
   let tokens: AccessGrant[] = [];
-  for (const user of users) {
-    if (user.publicKey) { // some users might not have set up their key pair, so we can't share secrets with them yet
-      const publicKey = base64.parse(user.publicKey);
-      const jwe = await props.vaultKeys.encryptForUser(publicKey);
-      tokens.push({ userId: user.id, token: jwe });
+  for (const member of members) {
+    if (member.publicKey) { // some users might not have set up their key pair, so we can't share secrets with them yet
+      const publicKey = base64.parse(member.publicKey);
+      const includeOwnerKeys = member.role === 'OWNER';
+      const jwe = await props.vaultKeys.encryptForUser(publicKey, includeOwnerKeys);
+      tokens.push({ userId: member.id, token: jwe });
     }
   }
   await backend.vaults.grantAccess(props.vault.id, ...tokens);
diff --git a/frontend/src/components/VaultDetails.vue b/frontend/src/components/VaultDetails.vue
index b70f2c9b5..a1aa9d4b7 100644
--- a/frontend/src/components/VaultDetails.vue
+++ b/frontend/src/components/VaultDetails.vue
@@ -524,6 +524,11 @@ async function updateMemberRole(member: MemberDto, role: VaultRole) {
     if (updatedMember) {
       updatedMember.role = role;
     }
+    if (uvfVault.value && member.publicKey) { // atm only users have public keys
+      const includeOwnerKeys = role == 'OWNER';
+      const updatedAccessToken = await uvfVault.value.encryptForUser(base64.parse(member.publicKey), includeOwnerKeys);
+      await backend.vaults.grantAccess(props.vaultId, { userId: member.id, token: updatedAccessToken });
+    }
   } catch (error) {
     console.error('Updating member role failed.', error);
     //404 not expected from user perspective

From 8cb9af675a5e4f58727605a41f70fe786f5a7f2f Mon Sep 17 00:00:00 2001
From: Sebastian Stenzel <sebastian.stenzel@skymatic.de>
Date: Thu, 16 May 2024 16:25:00 +0200
Subject: [PATCH 46/94] add `UniversalVaultFormat.recover(...)`

---
 frontend/src/common/universalVaultFormat.ts   | 40 +++++++++++++++++++
 .../test/common/universalVaultFormat.spec.ts  | 18 +++++++++
 2 files changed, 58 insertions(+)

diff --git a/frontend/src/common/universalVaultFormat.ts b/frontend/src/common/universalVaultFormat.ts
index 456f18e3a..bf42aad97 100644
--- a/frontend/src/common/universalVaultFormat.ts
+++ b/frontend/src/common/universalVaultFormat.ts
@@ -241,6 +241,26 @@ export class VaultMetadata {
   public static async decryptWithMemberKey(uvfMetadataFile: string, memberKey: MemberKey): Promise<VaultMetadata> {
     const json: JsonJWE = JSON.parse(uvfMetadataFile);
     const payload: MetadataPayload = await JWE.parseJson(json).decrypt(Recipient.a256kw('org.cryptomator.hub.memberkey', memberKey.key));
+    return VaultMetadata.createFromJson(payload);
+  }
+
+  /**
+   * Decrypts the vault metadata using the recovery key
+   * @param uvfMetadataFile contents of the `vault.uvf` file
+   * @param recoveryKey the vault's recovery key
+   * @returns Decrypted vault metadata
+   */
+  public static async decryptWithRecoveryKey(uvfMetadataFile: string, recoveryKey: RecoveryKey): Promise<VaultMetadata> {
+    if (!recoveryKey.privateKey) {
+      throw new Error('Recovery key does not have a private key');
+    }
+    const recoveryKeyID = `org.cryptomator.hub.recoverykey.${await getJwkThumbprint(recoveryKey.publicKey)}`;
+    const json: JsonJWE = JSON.parse(uvfMetadataFile);
+    const payload: MetadataPayload = await JWE.parseJson(json).decrypt(Recipient.ecdhEs(recoveryKeyID, recoveryKey.privateKey));
+    return VaultMetadata.createFromJson(payload);
+  }
+
+  public static async createFromJson(payload: MetadataPayload): Promise<VaultMetadata> {
     const seeds = new Map<number, Uint8Array>();
     for (const key in payload.seeds) {
       const num = parseSeedId(key);
@@ -311,6 +331,13 @@ export class UniversalVaultFormat implements AccessTokenProducing, VaultTemplate
     return new UniversalVaultFormat(metadata, memberKey, recoveryKey);
   }
 
+  /**
+   * Decrypts a UVF vault.
+   * @param vault The vault to decrypt
+   * @param accessToken The vault member's access token
+   * @param userKeyPair THe vault member's key pair
+   * @returns The decrypted vault
+   */
   public static async decrypt(vault: VaultDto, accessToken: string, userKeyPair: UserKeys): Promise<UniversalVaultFormat> {
     if (!vault.uvfMetadataFile || !vault.uvfKeySet) {
       throw new Error('Not a UVF vault.');
@@ -329,6 +356,19 @@ export class UniversalVaultFormat implements AccessTokenProducing, VaultTemplate
     return new UniversalVaultFormat(metadata, memberKey, recoveryKey);
   }
 
+  /**
+   * Recovery the `vault.uvf` file using the recovery key. After recovery, all access tokens need to be re-issued.
+   * @param uvfMetadataFile contents of the `vault.uvf` file
+   * @param recoveryKey the vault's recovery key encoded into human-readable words
+   * @returns The recovered vault
+   */
+  public static async recover(uvfMetadataFile: string, recoveryKey: string): Promise<UniversalVaultFormat> {
+    const recoveryKeyPair = await RecoveryKey.recover(recoveryKey);
+    const metadata = await VaultMetadata.decryptWithRecoveryKey(uvfMetadataFile, recoveryKeyPair);
+    const memberKey = await MemberKey.create();
+    return new UniversalVaultFormat(metadata, memberKey, recoveryKeyPair);
+  }
+
   private static async getRecoveryPublicKeyFromJwks(jwks: JsonWebKeySet): Promise<CryptoKey> {
     for (const key of jwks.keys) {
       if (key.kid?.startsWith('org.cryptomator.hub.recoverykey.')) {
diff --git a/frontend/test/common/universalVaultFormat.spec.ts b/frontend/test/common/universalVaultFormat.spec.ts
index bcf2c8f82..acec99ade 100644
--- a/frontend/test/common/universalVaultFormat.spec.ts
+++ b/frontend/test/common/universalVaultFormat.spec.ts
@@ -206,6 +206,24 @@ describe('UVF', () => {
       expect(uvf.memberKey).to.be.not.null;
       expect(uvf.recoveryKey).to.be.not.null;
       expect(uvf.recoveryKey.privateKey).to.be.undefined;
+    });
+
+    it('recover()', async () => {
+      const vaultUvfFileContents = '{"protected":"eyJvcmlnaW4iOiJodHRwczovL2V4YW1wbGUuY29tL2FwaS92YXVsdHMvVE9ETy91dmYvdmF1bHQudXZmIiwiamt1Ijoiandrcy5qc29uIiwiZW5jIjoiQTI1NkdDTSJ9","recipients":[{"header":{"kid":"org.cryptomator.hub.memberkey","alg":"A256KW"},"encrypted_key":"XLoNIWvDKQqaDurrGt7VK9s2aggSMir7fS4ZdBUxdTxceCOHndo4kA"},{"header":{"kid":"org.cryptomator.hub.recoverykey.v2nb-mGX4POKMWCQKOogMWTlAn7DDqEOjjEGCsPEeco","alg":"ECDH-ES+A256KW","epk":{"key_ops":[],"ext":true,"kty":"EC","x":"j6Retxx-L-rURQ4WNc8LvoqjbdPtGS6n9pCJgcm1U-NAWuWEvwJ_qi2tlrv_4w4p","y":"wS-Emo-Q9qdtkHMJiDfVDAaxhF2-nSkDRn2Eg9CbG0pVwGEpaDybx_YYJwIaYooO","crv":"P-384"},"apu":"","apv":""},"encrypted_key":"iNGgybMqmiXn_lbKLMMTpg38i1f00O6Zj65d5nzsLw3hyzuylGWpvA"}],"iv":"Pfy90C9SSq2gJr6B","ciphertext":"ogYR1pZN9k97zEgO9Fj3ePQramtaUdHWq95geXD7FH1oB6T7fEOvdU2AEGWOcbIbQihn-eOqG2_5oTol16O_nQ4HcDOJ9w4R9EdpByuWG-kVNh_fpWeQjIuH4kO-Rtbf05JRVG2jexWopbIA8uHuoiOXSNpSYPTzTKirp2hU7w3sE01zycsu06HiasUX-tKZH_hbyiUEdTlFFLcvKpRwnYOQf6QMw0uY1IbUTX1cJY9LO5SpD8bZFZOd6hg_Qnsdcq52I8KkZyxocgqdW7P5OSUrv5z8DCLMPdByEpaz9cCOzQQvtZwHxJy82O4vDAh89QA_AzfK8J7TI5zJRlTGQgrNhiaVBC85fN3tMSv8sLfJs7rC_5LiVW5ZeqbQ52sAZQw0lfwgGpMmxsdMzPoVOLD8OxvX","tag":"3Jiv6kI4Qoso60T0dRv9vIlca-P4UFyHqh-TEZvargM"}';
+      const recoveryKey = 'cult hold all away buck do law relaxed other stimulus all bank fit indulge dad any ear grey cult golf all baby dig adv convict seldom dancer funding refusal shop final ceremony brush fire stick pound seldom shower tobacco wealth secret dispose session intend host elite fasten compound pants original drug hurricane bat noble lovely half accept sexy ad mouth current sound tie freedom musical ought shatter minimum density broadcast locate argument explosive manager colour numerous biscuit die absurd jury sole steel pub listener tempt creative plug everybody power constant recall lord camera dawn elbow chairman sit organic united morning dry feedback marine keep charm face cloud giant pull eternal withdraw probable canal coal heal large less flight gig hockey pit weed identify object boom melt';
+
+      const uvf = await UniversalVaultFormat.recover(vaultUvfFileContents, recoveryKey);
+
+      expect(uvf).to.be.not.null;
+      expect(uvf.metadata).to.be.not.null;
+      expect(uvf.metadata.initialSeedId).to.eq(4157009252);
+      expect(uvf.metadata.latestSeedId).to.eq(4157009252);
+      expect(uvf.metadata.seeds.get(4157009252)).to.not.be.empty;
+      expect(base64.stringify(uvf.metadata.kdfSalt)).to.eq('pNxWJ5R5TO0mbkmL5pv7M3tAi6Etoh/SK73Q0KvfKMY=');
+      expect(base64.stringify(uvf.metadata.seeds.get(4157009252)!)).to.eq('p6zznin4zSGt7gH6T95/kZj6HndpyUdY+1QVfxR2k20=');
+      expect(uvf.memberKey).to.be.not.null;
+      expect(uvf.recoveryKey).to.be.not.null;
+      expect(uvf.recoveryKey.privateKey).to.be.not.null;
       expect(uvf.recoveryKey.publicKey).to.be.not.null;
     });
 

From 155d64048517c2e969346c8e5474e83c8414cb35 Mon Sep 17 00:00:00 2001
From: Sebastian Stenzel <sebastian.stenzel@skymatic.de>
Date: Fri, 17 May 2024 15:16:49 +0200
Subject: [PATCH 47/94] remove unnecessary guard

---
 frontend/src/common/jwe.ts | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/frontend/src/common/jwe.ts b/frontend/src/common/jwe.ts
index 7cb26f26c..a5663fb57 100644
--- a/frontend/src/common/jwe.ts
+++ b/frontend/src/common/jwe.ts
@@ -259,8 +259,8 @@ class Pbes2Recipient extends Recipient {
     if (header.alg != 'PBES2-HS512+A256KW' || !header.p2s || !header.p2c) {
       throw new Error('Missing or invalid header parameters.');
     }
-    const salt = base64url.parse(header.p2s!, { loose: true });
-    const wrappingKey = await PBES2.deriveWrappingKey(this.password, 'PBES2-HS512+A256KW', salt, header.p2c!);
+    const salt = base64url.parse(header.p2s, { loose: true });
+    const wrappingKey = await PBES2.deriveWrappingKey(this.password, 'PBES2-HS512+A256KW', salt, header.p2c);
     try {
       return await crypto.subtle.unwrapKey('raw', base64url.parse(encryptedKey, { loose: true }), wrappingKey, 'AES-KW', { name: 'AES-GCM' }, false, ['decrypt']);
     } catch (error) {

From 9b4f5baaeb951ca791885cd2f22a533a817a86dd Mon Sep 17 00:00:00 2001
From: Sebastian Stenzel <sebastian.stenzel@skymatic.de>
Date: Tue, 21 May 2024 11:01:36 +0200
Subject: [PATCH 48/94] fix weird error message in unit tests

---
 frontend/src/common/config.ts | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/frontend/src/common/config.ts b/frontend/src/common/config.ts
index d341a1504..3905dd5ce 100644
--- a/frontend/src/common/config.ts
+++ b/frontend/src/common/config.ts
@@ -1,6 +1,11 @@
 import AxiosStatic from 'axios';
 
-const url = (typeof document !== 'undefined') ? new URL(document.baseURI) : new URL('http://localhost/'); // workaround for testing in Node environment
+let url: URL;
+if (typeof document === 'undefined' || document.baseURI === 'about:blank') {
+  url = new URL('http://localhost/'); // workaround for testing in Node environment
+} else {
+  url = new URL(document.baseURI);
+}
 
 // these URLs must end on '/':
 export const baseURL = url.pathname;

From 388426fcbfeea564de286c922ad7bcbf8a8b3d28 Mon Sep 17 00:00:00 2001
From: Sebastian Stenzel <sebastian.stenzel@skymatic.de>
Date: Tue, 21 May 2024 11:03:12 +0200
Subject: [PATCH 49/94] pass in URL during vault template generation

---
 frontend/src/common/crypto.ts                 |  3 ++-
 frontend/src/common/universalVaultFormat.ts   | 20 +++++++++++++------
 frontend/src/common/vaultFormat8.ts           | 10 +++++-----
 frontend/src/components/CreateVault.vue       |  5 +++--
 .../DownloadVaultTemplateDialog.vue           |  3 ++-
 .../test/common/universalVaultFormat.spec.ts  |  7 +++----
 6 files changed, 29 insertions(+), 19 deletions(-)

diff --git a/frontend/src/common/crypto.ts b/frontend/src/common/crypto.ts
index 99d9cbd46..dff292621 100644
--- a/frontend/src/common/crypto.ts
+++ b/frontend/src/common/crypto.ts
@@ -45,9 +45,10 @@ export interface VaultTemplateProducing {
 
   /**
    * Produces a zip file containing the vault template.
+   * @param apiURL absolute base URL of the API
    * @param vault The vault
    */
-  exportTemplate(vault: VaultDto): Promise<Blob>;
+  exportTemplate(apiURL: string, vault: VaultDto): Promise<Blob>;
 
 }
 
diff --git a/frontend/src/common/universalVaultFormat.ts b/frontend/src/common/universalVaultFormat.ts
index bf42aad97..50cb3988a 100644
--- a/frontend/src/common/universalVaultFormat.ts
+++ b/frontend/src/common/universalVaultFormat.ts
@@ -281,14 +281,16 @@ export class VaultMetadata {
 
   /**
    * Encrypts the vault metadata
+   * @param apiURL absolute base URL of the API
+   * @param vault the corresponding vault
    * @param memberKey the vault members' AES wrapping key
    * @param recoveryKey the public part of the recovery EC key pair
    * @returns `vault.uvf` file contents
    */
-  public async encrypt(memberKey: MemberKey, recoveryKey: RecoveryKey): Promise<string> {
+  public async encrypt(apiURL: string, vault: VaultDto, memberKey: MemberKey, recoveryKey: RecoveryKey): Promise<string> {
     const recoveryKeyID = `org.cryptomator.hub.recoverykey.${await getJwkThumbprint(recoveryKey.publicKey)}`;
     const protectedHeader: JWEHeader = {
-      origin: `https://example.com/api/vaults/TODO/uvf/vault.uvf`, // TODO use ${absBackendBaseURL}. Couldn't do this, because tests fail for mysterious reasons
+      origin: `${apiURL}/vaults/${vault.id}/uvf/vault.uvf`,
       jku: 'jwks.json' // URL relative to origin
     };
     const jwe = await JWE.build(this.payload(), protectedHeader).encrypt(Recipient.a256kw('org.cryptomator.hub.memberkey', memberKey.key), Recipient.ecdhEs(recoveryKeyID, recoveryKey.publicKey));
@@ -381,14 +383,20 @@ export class UniversalVaultFormat implements AccessTokenProducing, VaultTemplate
     throw new Error('Recovery key not found in JWKS');
   }
 
-  public async createMetadataFile(): Promise<string> {
-    return this.metadata.encrypt(this.memberKey, this.recoveryKey);
+  /**
+   * Creates the `vault.uvf` file
+   * @param apiURL absolute base URL of the API
+   * @param vault the vault
+   * @returns `vault.uvf` file contents
+   */
+  public async createMetadataFile(apiURL: string, vault: VaultDto): Promise<string> {
+    return this.metadata.encrypt(apiURL, vault, this.memberKey, this.recoveryKey);
   }
 
   /** @inheritdoc */
-  public async exportTemplate(vault: VaultDto): Promise<Blob> {
+  public async exportTemplate(apiURL: string, vault: VaultDto): Promise<Blob> {
     const zip = new JSZip();
-    zip.file('vault.uvf', this.createMetadataFile());
+    zip.file('vault.uvf', this.createMetadataFile(apiURL, vault));
     // TODO: add root folder
     //zip.folder('d')?.folder(rootDirHash.substring(0, 2))?.folder(rootDirHash.substring(2));
     return zip.generateAsync({ type: 'blob' });
diff --git a/frontend/src/common/vaultFormat8.ts b/frontend/src/common/vaultFormat8.ts
index d21b6df55..0641b74e6 100644
--- a/frontend/src/common/vaultFormat8.ts
+++ b/frontend/src/common/vaultFormat8.ts
@@ -2,7 +2,7 @@ import JSZip from 'jszip';
 import * as miscreant from 'miscreant';
 import { base32, base64, base64url } from 'rfc4648';
 import { VaultDto } from './backend';
-import config, { absBackendBaseURL, absFrontendBaseURL } from './config';
+import config, { absFrontendBaseURL } from './config';
 import { AccessTokenProducing, GCM_NONCE_LEN, OtherVaultMember, UnwrapKeyError, UserKeys, VaultTemplateProducing } from './crypto';
 import { CRC32, wordEncoder } from './util';
 
@@ -169,10 +169,10 @@ export class VaultFormat8 implements AccessTokenProducing, VaultTemplateProducin
   }
 
   /** @inheritdoc */
-  public async exportTemplate(vault: VaultDto): Promise<Blob> {
+  public async exportTemplate(apiURL: string, vault: VaultDto): Promise<Blob> {
     const cfg = await config;
 
-    const kid = `hub+${absBackendBaseURL}vaults/${vault.id}`;
+    const kid = `hub+${apiURL}vaults/${vault.id}`;
 
     const hubConfig: VaultConfigHeaderHub = {
       clientId: cfg.keycloakClientIdCryptomator,
@@ -180,8 +180,8 @@ export class VaultFormat8 implements AccessTokenProducing, VaultTemplateProducin
       tokenEndpoint: cfg.keycloakTokenEndpoint,
       authSuccessUrl: `${absFrontendBaseURL}unlock-success?vault=${vault.id}`,
       authErrorUrl: `${absFrontendBaseURL}unlock-error?vault=${vault.id}`,
-      apiBaseUrl: absBackendBaseURL,
-      devicesResourceUrl: `${absBackendBaseURL}devices/`,
+      apiBaseUrl: apiURL,
+      devicesResourceUrl: `${apiURL}devices/`,
     };
 
     const jwtPayload: VaultConfigPayload = {
diff --git a/frontend/src/components/CreateVault.vue b/frontend/src/components/CreateVault.vue
index 17fa3523f..27cb52bcd 100644
--- a/frontend/src/components/CreateVault.vue
+++ b/frontend/src/components/CreateVault.vue
@@ -214,6 +214,7 @@ import { base64 } from 'rfc4648';
 import { onMounted, ref } from 'vue';
 import { useI18n } from 'vue-i18n';
 import backend, { AccessGrant, PaymentRequiredError, VaultDto } from '../common/backend';
+import { absBackendBaseURL } from '../common/config';
 import { VaultTemplateProducing } from '../common/crypto';
 import { UniversalVaultFormat } from '../common/universalVaultFormat';
 import { debounce } from '../common/util';
@@ -353,7 +354,7 @@ async function createVault() {
         }
         ownerGrant.token = await uvfVault.value.encryptForUser(base64.parse(owner.publicKey), true);
         const recoveryPublicKey = await uvfVault.value.recoveryKey.serializePublicKey();
-        vault.value.uvfMetadataFile = await uvfVault.value.createMetadataFile();
+        vault.value.uvfMetadataFile = await uvfVault.value.createMetadataFile(absBackendBaseURL, vault.value);
         vault.value.uvfKeySet = `{"keys": [${recoveryPublicKey}]}`;
         break;
       }
@@ -382,7 +383,7 @@ async function downloadVaultTemplate() {
   onDownloadTemplateError.value = null;
   try {
     const templateProducer: VaultTemplateProducing = vaultFormat8.value || uvfVault.value!;
-    const blob = await templateProducer.exportTemplate(vault.value);
+    const blob = await templateProducer.exportTemplate(absBackendBaseURL, vault.value);
     if (blob != null) {
       saveAs(blob, `${vault.value.name}.zip`);
     } else {
diff --git a/frontend/src/components/DownloadVaultTemplateDialog.vue b/frontend/src/components/DownloadVaultTemplateDialog.vue
index f2d5d0f20..86d430669 100644
--- a/frontend/src/components/DownloadVaultTemplateDialog.vue
+++ b/frontend/src/components/DownloadVaultTemplateDialog.vue
@@ -54,6 +54,7 @@ import { saveAs } from 'file-saver';
 import { ref } from 'vue';
 import { useI18n } from 'vue-i18n';
 import { VaultDto } from '../common/backend';
+import { absBackendBaseURL } from '../common/config';
 import { VaultTemplateProducing } from '../common/crypto';
 
 const { t } = useI18n({ useScope: 'global' });
@@ -82,7 +83,7 @@ function show() {
 async function downloadVault() {
   onDownloadError.value = null;
   try {
-    const blob = await props.vaultKeys.exportTemplate(props.vault);
+    const blob = await props.vaultKeys.exportTemplate(absBackendBaseURL, props.vault);
     saveAs(blob, `${props.vault.name}.zip`);
     open.value = false;
   } catch (error) {
diff --git a/frontend/test/common/universalVaultFormat.spec.ts b/frontend/test/common/universalVaultFormat.spec.ts
index acec99ade..86c8ea72d 100644
--- a/frontend/test/common/universalVaultFormat.spec.ts
+++ b/frontend/test/common/universalVaultFormat.spec.ts
@@ -1,6 +1,5 @@
 import { use as chaiUse, expect } from 'chai';
 import chaiAsPromised from 'chai-as-promised';
-import chaiBytes from 'chai-bytes';
 import { before, describe } from 'mocha';
 import { base64 } from 'rfc4648';
 import { VaultDto } from '../../src/common/backend';
@@ -9,7 +8,6 @@ import { JsonJWE } from '../../src/common/jwe';
 import { MemberKey, RecoveryKey, UniversalVaultFormat, VaultMetadata } from '../../src/common/universalVaultFormat';
 
 chaiUse(chaiAsPromised);
-chaiUse(chaiBytes);
 
 // key coordinates from MDN examples:
 const alicePublic: JsonWebKey = {
@@ -79,10 +77,11 @@ describe('UVF', () => {
       });
 
       it('decrypt(encrypt(orig)) == orig', async () => {
+        const dto: VaultDto = { id: '123', name: 'test', archived: false, creationTime: new Date() };
         const vaultMemberKey = await MemberKey.create();
         const recoveryKey = await RecoveryKey.create();
 
-        const uvfFile: string = await original.encrypt(vaultMemberKey, recoveryKey);
+        const uvfFile: string = await original.encrypt('https://example.com/api/', dto, vaultMemberKey, recoveryKey);
         expect(uvfFile).to.be.not.null;
         const json = JSON.parse(uvfFile);
         expect(json).to.have.property('protected');
@@ -240,7 +239,7 @@ describe('UVF', () => {
       });
 
       it('createMetadataFile() creates a vault.uvf file', async () => {
-        const json = await uvf.createMetadataFile();
+        const json = await uvf.createMetadataFile('https.//example.com/api/', { id: '123', name: 'test', archived: false, creationTime: new Date() });
         expect(json).to.be.not.null;
         const jwe = JSON.parse(json) as JsonJWE;
         expect(jwe.protected).to.not.be.empty;

From 52b97b550eee3568a71ea98439903b61402153e6 Mon Sep 17 00:00:00 2001
From: Sebastian Stenzel <sebastian.stenzel@skymatic.de>
Date: Tue, 21 May 2024 13:57:49 +0200
Subject: [PATCH 50/94] improve test

---
 frontend/src/common/universalVaultFormat.ts   | 20 +++++++++++++++++++
 .../test/common/universalVaultFormat.spec.ts  | 19 +++++++++++++-----
 2 files changed, 34 insertions(+), 5 deletions(-)

diff --git a/frontend/src/common/universalVaultFormat.ts b/frontend/src/common/universalVaultFormat.ts
index 50cb3988a..e60523f75 100644
--- a/frontend/src/common/universalVaultFormat.ts
+++ b/frontend/src/common/universalVaultFormat.ts
@@ -212,6 +212,12 @@ export class VaultMetadata {
     readonly initialSeedId: number,
     readonly latestSeedId: number,
     readonly kdfSalt: Uint8Array) {
+    if (!seeds.has(initialSeedId)) {
+      throw new Error('Initial seed is missing');
+    }
+    if (!seeds.has(latestSeedId)) {
+      throw new Error('Latest seed is missing');
+    }
   }
 
   /**
@@ -232,6 +238,20 @@ export class VaultMetadata {
     return new VaultMetadata(automaticAccessGrant, seeds, initialSeedNo, initialSeedNo, kdfSalt);
   }
 
+  public get initialSeed(): Uint8Array {
+    if (!this.seeds.has(this.initialSeedId)) {
+      throw new Error('Illegal State');
+    }
+    return this.seeds.get(this.initialSeedId)!;
+  }
+
+  public get latestSeed(): Uint8Array {
+    if (!this.seeds.has(this.latestSeedId)) {
+      throw new Error('Illegal State');
+    }
+    return this.seeds.get(this.latestSeedId)!;
+  }
+
   /**
    * Decrypts the vault metadata using the members' vault key
    * @param uvfMetadataFile contents of the `vault.uvf` file
diff --git a/frontend/test/common/universalVaultFormat.spec.ts b/frontend/test/common/universalVaultFormat.spec.ts
index 86c8ea72d..d3c26821d 100644
--- a/frontend/test/common/universalVaultFormat.spec.ts
+++ b/frontend/test/common/universalVaultFormat.spec.ts
@@ -199,9 +199,9 @@ describe('UVF', () => {
       expect(uvf.metadata).to.be.not.null;
       expect(uvf.metadata.initialSeedId).to.eq(2754894775);
       expect(uvf.metadata.latestSeedId).to.eq(2754894775);
-      expect(uvf.metadata.seeds.get(2754894775)).to.not.be.empty;
       expect(base64.stringify(uvf.metadata.kdfSalt)).to.eq('HE4OP+2vyfLLURicF1XmdIIsWv0Zs6MobLKROUIEhQY=');
-      expect(base64.stringify(uvf.metadata.seeds.get(2754894775)!)).to.eq('fP4V4oAjsUw5DqackAvLzA0oP1kAQZ0f5YFZQviXSuU=');
+      expect(base64.stringify(uvf.metadata.initialSeed)).to.eq('fP4V4oAjsUw5DqackAvLzA0oP1kAQZ0f5YFZQviXSuU=');
+      expect(base64.stringify(uvf.metadata.latestSeed)).to.eq('fP4V4oAjsUw5DqackAvLzA0oP1kAQZ0f5YFZQviXSuU=');
       expect(uvf.memberKey).to.be.not.null;
       expect(uvf.recoveryKey).to.be.not.null;
       expect(uvf.recoveryKey.privateKey).to.be.undefined;
@@ -217,9 +217,9 @@ describe('UVF', () => {
       expect(uvf.metadata).to.be.not.null;
       expect(uvf.metadata.initialSeedId).to.eq(4157009252);
       expect(uvf.metadata.latestSeedId).to.eq(4157009252);
-      expect(uvf.metadata.seeds.get(4157009252)).to.not.be.empty;
       expect(base64.stringify(uvf.metadata.kdfSalt)).to.eq('pNxWJ5R5TO0mbkmL5pv7M3tAi6Etoh/SK73Q0KvfKMY=');
-      expect(base64.stringify(uvf.metadata.seeds.get(4157009252)!)).to.eq('p6zznin4zSGt7gH6T95/kZj6HndpyUdY+1QVfxR2k20=');
+      expect(base64.stringify(uvf.metadata.initialSeed!)).to.eq('p6zznin4zSGt7gH6T95/kZj6HndpyUdY+1QVfxR2k20=');
+      expect(base64.stringify(uvf.metadata.latestSeed!)).to.eq('p6zznin4zSGt7gH6T95/kZj6HndpyUdY+1QVfxR2k20=');
       expect(uvf.memberKey).to.be.not.null;
       expect(uvf.recoveryKey).to.be.not.null;
       expect(uvf.recoveryKey.privateKey).to.be.not.null;
@@ -230,7 +230,16 @@ describe('UVF', () => {
       let uvf: UniversalVaultFormat;
 
       before(async () => {
-        uvf = await UniversalVaultFormat.create({ enabled: true, maxWotDepth: -1 });
+        const dto: VaultDto = {
+          id: '123',
+          name: 'test',
+          archived: false,
+          creationTime: new Date(),
+          uvfMetadataFile: '{"protected":"eyJvcmlnaW4iOiJodHRwczovL2V4YW1wbGUuY29tL2FwaS92YXVsdHMvVE9ETy91dmYvdmF1bHQudXZmIiwiamt1Ijoiandrcy5qc29uIiwiZW5jIjoiQTI1NkdDTSJ9","recipients":[{"header":{"kid":"org.cryptomator.hub.memberkey","alg":"A256KW"},"encrypted_key":"7FtABJ5BpSM9Ft8wUPfLQc-12WF57kX0tWtRWiVwA_N_gJBa9iwhzw"},{"header":{"kid":"org.cryptomator.hub.recoverykey.1h24rxLxIlNRPQAn5NBP0fL3VKNTmqS6NEnt2clI5ko","alg":"ECDH-ES+A256KW","epk":{"key_ops":[],"ext":true,"kty":"EC","x":"oNu46YFrgrGSvl98HyDD3_iPkfZBnpYgEHmPL3qbO4AdwBsycpIqcHwKhT8Lt7B8","y":"P80VgJFml85v_F2-aPYdgDQX_DPGZr1s_p8gWF4Idkp13QfKdhi32C7Zoy5kzPWO","crv":"P-384"},"apu":"","apv":""},"encrypted_key":"QaJn0TP7mGAc5ukOpZ0gNAuBtCW7hPCkj8Jp4bhMftQfJefHNyqE7Q"}],"iv":"Wgif0WP21-MAwvWs","ciphertext":"-n5CePmmN99I4KqlnR64Fuu5b2Md9s4CGxLMm7KQqu65H0ug7Fs5HHnrx_gkpFiv1Mn-jwrkoEtiixyQcYX6UcoyT2dY1MkLQB7QU9mdMpZU3n19Q2sAx1-gfTCd7IzVXef7SEfuscdQL1QTKJW454Dy8L3WwPiDpUgt9ED7mMFdJ6lJ3_EFYstN0VFAVf_jwtIILmQrjkM_LI0FFKfqkOCH2nuE9xG8ihPH9X9OStllPp00G9_onYu9mrg-smiNNK2Ib19CZJ2E6mAp7F_LGiz6p203fsprj4XY9J6t8zl5Vpc61NmFvzvY4j3_5FpD_BmpVr8tyyVT9zqWn4vsBAHORQ1V_b9v68O7CekCebpQvpmzEPZwZN1Ma_T6oI7Ydn1rtBnDruVrpWm01RL8XpHnFbko","tag":"vPLd65IEcexmhGbYPM0cYI53H4Pp1OfTaAq_QGrneLM"}',
+          uvfKeySet: '{"keys": [{"kid":"org.cryptomator.hub.recoverykey.1h24rxLxIlNRPQAn5NBP0fL3VKNTmqS6NEnt2clI5ko","kty":"EC","crv":"P-384","x":"DczdNhPQnpgP8FV6qa372LDLJF2w2bMKXzea5cjxslaMjM6w7NGqrF498LYHU-Jt","y":"vH9bc-Ow_O1EQmd6N5pKmDoPyE6ziKsrlpuck5aLXwV4fSMV_8Ro1a872j5ClsPe"}]}'
+        };
+        const accessToken = 'eyJlbmMiOiJBMjU2R0NNIiwia2lkIjoib3JnLmNyeXB0b21hdG9yLmh1Yi51c2Vya2V5IiwiYWxnIjoiRUNESC1FUytBMjU2S1ciLCJlcGsiOnsia2V5X29wcyI6W10sImV4dCI6dHJ1ZSwia3R5IjoiRUMiLCJ4IjoiUXZRWUpUd3dSVEg2MWRFS3ZoNDI4ZG9nN3pRTFFxY3I0NUhwZTRqZFQ5Qno2bjcyVzQ4dTJ3WXk0UXlyZ0kxciIsInkiOiJZS1RtQ04zZXNKNDJVbUpzLU44NTFKamsyUFVPUU0zZXpCTkJvZGk4RnRNUDlUeUhoXzc0aHpxTC1EYTZkMXlwIiwiY3J2IjoiUC0zODQifSwiYXB1IjoiIiwiYXB2IjoiIn0.rdysEEQN0FidglDtK5yyaEpQtv4CsYLOQd__y7REkb_3BLP9nD4Blw.dFb9JOdveiw3LmIs.rSMkz8VoB_LspnvxvmRzCWNVLShTWfbzHfqe5lwrWwumYCdeRPM.xsS2tDUr2khJrLxHex8gZhBgO_CMA_PxFlR-ku3JiT8';
+        uvf = await UniversalVaultFormat.decrypt(dto, accessToken, alice);
       });
 
       it('encryptForUser() creates an access token', async () => {

From 7224b46569b0a6cc180effdf58c2141199b8fa0c Mon Sep 17 00:00:00 2001
From: Sebastian Stenzel <sebastian.stenzel@skymatic.de>
Date: Tue, 21 May 2024 13:59:00 +0200
Subject: [PATCH 51/94] add root directory to vault template

---
 frontend/src/common/universalVaultFormat.ts      | 16 +++++++++++++---
 .../test/common/universalVaultFormat.spec.ts     |  5 +++++
 2 files changed, 18 insertions(+), 3 deletions(-)

diff --git a/frontend/src/common/universalVaultFormat.ts b/frontend/src/common/universalVaultFormat.ts
index e60523f75..c60ef1ec9 100644
--- a/frontend/src/common/universalVaultFormat.ts
+++ b/frontend/src/common/universalVaultFormat.ts
@@ -1,5 +1,5 @@
 import JSZip from 'jszip';
-import { base64, base64url } from 'rfc4648';
+import { base32, base64, base64url } from 'rfc4648';
 import { VaultDto } from './backend';
 import { AccessTokenPayload, AccessTokenProducing, JsonWebKeySet, OtherVaultMember, UserKeys, VaultTemplateProducing, getJwkThumbprint } from './crypto';
 import { JWE, JWEHeader, JsonJWE, Recipient } from './jwe';
@@ -413,12 +413,22 @@ export class UniversalVaultFormat implements AccessTokenProducing, VaultTemplate
     return this.metadata.encrypt(apiURL, vault, this.memberKey, this.recoveryKey);
   }
 
+  public async computeRootDirIdHash(): Promise<string> {
+    const textencoder = new TextEncoder();
+    const initialSeed = await crypto.subtle.importKey('raw', this.metadata.initialSeed, { name: 'HKDF' }, false, ['deriveBits', 'deriveKey']);
+    const rootDirId = await crypto.subtle.deriveBits({ name: 'HKDF', hash: 'SHA-512', salt: this.metadata.kdfSalt, info: textencoder.encode('rootDirId') }, initialSeed, 256);
+    const hmacKey = await crypto.subtle.deriveKey({ name: 'HKDF', hash: 'SHA-512', salt: this.metadata.kdfSalt, info: textencoder.encode('hmac') }, initialSeed, { name: 'HMAC', hash: 'SHA-256' }, false, ['sign']);
+    const rootDirHash = await crypto.subtle.sign("HMAC", hmacKey, rootDirId);
+    return base32.stringify(new Uint8Array(rootDirHash).slice(0, 20));
+  }
+
   /** @inheritdoc */
   public async exportTemplate(apiURL: string, vault: VaultDto): Promise<Blob> {
+    const rootDirHash = await this.computeRootDirIdHash();
     const zip = new JSZip();
     zip.file('vault.uvf', this.createMetadataFile(apiURL, vault));
-    // TODO: add root folder
-    //zip.folder('d')?.folder(rootDirHash.substring(0, 2))?.folder(rootDirHash.substring(2));
+    zip.folder('d')?.folder(rootDirHash.substring(0, 2))?.folder(rootDirHash.substring(2)); // TODO verify after merging https://github.com/encryption-alliance/unified-vault-format/pull/24
+    // TODO: add `dir.uvf`
     return zip.generateAsync({ type: 'blob' });
   }
 
diff --git a/frontend/test/common/universalVaultFormat.spec.ts b/frontend/test/common/universalVaultFormat.spec.ts
index d3c26821d..79108031d 100644
--- a/frontend/test/common/universalVaultFormat.spec.ts
+++ b/frontend/test/common/universalVaultFormat.spec.ts
@@ -269,6 +269,11 @@ describe('UVF', () => {
         expect(jwk.d).to.be.undefined;
         expect(jwk.kid).to.not.be.empty;
       });
+
+      it('computeRootDirIdHash() creates a hash', async () => {
+        const hash = await uvf.computeRootDirIdHash();
+        expect(hash).to.eq('6DYU3E5BTPAZ4DWEQPQK3AIHX2DXSPHG');
+      });
     });
   });
 });

From 81e9ab4f5afa50cf18fc5b2b95eb7314992cd8f4 Mon Sep 17 00:00:00 2001
From: Sebastian Stenzel <sebastian.stenzel@skymatic.de>
Date: Tue, 21 May 2024 14:59:30 +0200
Subject: [PATCH 52/94] split up `computeDirId` and `computeDirIdHash`

---
 frontend/src/common/universalVaultFormat.ts       | 13 ++++++++++---
 frontend/test/common/universalVaultFormat.spec.ts | 12 ++++++++++--
 2 files changed, 20 insertions(+), 5 deletions(-)

diff --git a/frontend/src/common/universalVaultFormat.ts b/frontend/src/common/universalVaultFormat.ts
index c60ef1ec9..cc5da70d1 100644
--- a/frontend/src/common/universalVaultFormat.ts
+++ b/frontend/src/common/universalVaultFormat.ts
@@ -413,10 +413,16 @@ export class UniversalVaultFormat implements AccessTokenProducing, VaultTemplate
     return this.metadata.encrypt(apiURL, vault, this.memberKey, this.recoveryKey);
   }
 
-  public async computeRootDirIdHash(): Promise<string> {
+  public async computeRootDirId(): Promise<Uint8Array> {
     const textencoder = new TextEncoder();
-    const initialSeed = await crypto.subtle.importKey('raw', this.metadata.initialSeed, { name: 'HKDF' }, false, ['deriveBits', 'deriveKey']);
+    const initialSeed = await crypto.subtle.importKey('raw', this.metadata.initialSeed, { name: 'HKDF' }, false, ['deriveBits']);
     const rootDirId = await crypto.subtle.deriveBits({ name: 'HKDF', hash: 'SHA-512', salt: this.metadata.kdfSalt, info: textencoder.encode('rootDirId') }, initialSeed, 256);
+    return new Uint8Array(rootDirId);
+  }
+
+  public async computeRootDirIdHash(rootDirId: Uint8Array): Promise<string> {
+    const textencoder = new TextEncoder();
+    const initialSeed = await crypto.subtle.importKey('raw', this.metadata.initialSeed, { name: 'HKDF' }, false, ['deriveKey']);
     const hmacKey = await crypto.subtle.deriveKey({ name: 'HKDF', hash: 'SHA-512', salt: this.metadata.kdfSalt, info: textencoder.encode('hmac') }, initialSeed, { name: 'HMAC', hash: 'SHA-256' }, false, ['sign']);
     const rootDirHash = await crypto.subtle.sign("HMAC", hmacKey, rootDirId);
     return base32.stringify(new Uint8Array(rootDirHash).slice(0, 20));
@@ -424,7 +430,8 @@ export class UniversalVaultFormat implements AccessTokenProducing, VaultTemplate
 
   /** @inheritdoc */
   public async exportTemplate(apiURL: string, vault: VaultDto): Promise<Blob> {
-    const rootDirHash = await this.computeRootDirIdHash();
+    const rootDirId = await this.computeRootDirId();
+    const rootDirHash = await this.computeRootDirIdHash(rootDirId);
     const zip = new JSZip();
     zip.file('vault.uvf', this.createMetadataFile(apiURL, vault));
     zip.folder('d')?.folder(rootDirHash.substring(0, 2))?.folder(rootDirHash.substring(2)); // TODO verify after merging https://github.com/encryption-alliance/unified-vault-format/pull/24
diff --git a/frontend/test/common/universalVaultFormat.spec.ts b/frontend/test/common/universalVaultFormat.spec.ts
index 79108031d..8df72aa9c 100644
--- a/frontend/test/common/universalVaultFormat.spec.ts
+++ b/frontend/test/common/universalVaultFormat.spec.ts
@@ -270,8 +270,16 @@ describe('UVF', () => {
         expect(jwk.kid).to.not.be.empty;
       });
 
-      it('computeRootDirIdHash() creates a hash', async () => {
-        const hash = await uvf.computeRootDirIdHash();
+      it('computeRootDirId() deterministically creates a dir ID', async () => {
+        const dirId = await uvf.computeRootDirId();
+        expect(dirId).to.have.a.lengthOf(32);
+        expect(base64.stringify(dirId)).to.eq('24UBEDeGu5taq7U4GqyA0MXUXb9HTYS6p3t9vvHGJAc=');
+      });
+
+      it('computeRootDirIdHash() creates a truncated hmac', async () => {
+        const rootDirId = base64.parse('24UBEDeGu5taq7U4GqyA0MXUXb9HTYS6p3t9vvHGJAc=');
+        const hash = await uvf.computeRootDirIdHash(rootDirId);
+        expect(hash).to.have.a.lengthOf(32);
         expect(hash).to.eq('6DYU3E5BTPAZ4DWEQPQK3AIHX2DXSPHG');
       });
     });

From 9c3ab12fd5a8e3c15436bd3c65defc3fe035d5d1 Mon Sep 17 00:00:00 2001
From: Sebastian Stenzel <sebastian.stenzel@skymatic.de>
Date: Tue, 21 May 2024 14:59:50 +0200
Subject: [PATCH 53/94] add `dir.uvf` file to vault template

---
 frontend/src/common/universalVaultFormat.ts   | 42 ++++++++++++++++++-
 .../test/common/universalVaultFormat.spec.ts  |  6 +++
 2 files changed, 46 insertions(+), 2 deletions(-)

diff --git a/frontend/src/common/universalVaultFormat.ts b/frontend/src/common/universalVaultFormat.ts
index cc5da70d1..62dde1889 100644
--- a/frontend/src/common/universalVaultFormat.ts
+++ b/frontend/src/common/universalVaultFormat.ts
@@ -428,14 +428,52 @@ export class UniversalVaultFormat implements AccessTokenProducing, VaultTemplate
     return base32.stringify(new Uint8Array(rootDirHash).slice(0, 20));
   }
 
+  public async encryptFile(content: Uint8Array, seedId: number): Promise<Uint8Array> {
+    const seed = this.metadata.seeds.get(seedId);
+    if (!seed) {
+      throw new Error('Seed not found');
+    }
+    if (content.length > 32 * 1024) {
+      throw new Error('Only files up to 32k are supported.');
+    }
+    const textencoder = new TextEncoder();
+    const fileKey = await crypto.subtle.generateKey({ name: 'AES-GCM', length: 256 }, true, ['encrypt']);
+
+    // general header:
+    const generalHeader = new ArrayBuffer(8);
+    const view = new DataView(generalHeader);
+    view.setUint32(0, 0x75766601); // magic bytes "uvf1"
+    view.setUint32(4, seedId);
+
+    // format-specific header:
+    const initialSeed = await crypto.subtle.importKey('raw', this.metadata.initialSeed, { name: 'HKDF' }, false, ['deriveKey']);
+    const headerKey = await crypto.subtle.deriveKey({ name: 'HKDF', hash: 'SHA-512', salt: this.metadata.kdfSalt, info: textencoder.encode('fileHeader') }, initialSeed, { name: 'AES-GCM', length: 256 }, false, ['wrapKey']);
+    const headerNonce = new Uint8Array(12);
+    crypto.getRandomValues(headerNonce);
+    const encryptedFileKeyAndTag = await crypto.subtle.wrapKey('raw', fileKey, headerKey, { name: 'AES-GCM', iv: headerNonce, additionalData: generalHeader });
+
+    // complete header:
+    const header = new Uint8Array([...new Uint8Array(generalHeader), ...headerNonce, ...new Uint8Array(encryptedFileKeyAndTag)]);
+
+    // encrypt chunk 0:
+    const blockNonce = new Uint8Array(12);
+    crypto.getRandomValues(blockNonce);
+    const blockAd = new Uint8Array([0x00, 0x00, 0x00, 0x00, ...headerNonce]);
+    const blockCiphertext = await crypto.subtle.encrypt({ name: 'AES-GCM', iv: blockNonce, additionalData: blockAd }, fileKey, content);
+
+    // result:
+    return new Uint8Array([...header, ...blockNonce, ...new Uint8Array(blockCiphertext)]);
+  }
+
   /** @inheritdoc */
   public async exportTemplate(apiURL: string, vault: VaultDto): Promise<Blob> {
     const rootDirId = await this.computeRootDirId();
     const rootDirHash = await this.computeRootDirIdHash(rootDirId);
+    const dirFile = await this.encryptFile(rootDirId, this.metadata.initialSeedId);
     const zip = new JSZip();
     zip.file('vault.uvf', this.createMetadataFile(apiURL, vault));
-    zip.folder('d')?.folder(rootDirHash.substring(0, 2))?.folder(rootDirHash.substring(2)); // TODO verify after merging https://github.com/encryption-alliance/unified-vault-format/pull/24
-    // TODO: add `dir.uvf`
+    const rootDir = zip.folder('d')?.folder(rootDirHash.substring(0, 2))?.folder(rootDirHash.substring(2)); // TODO verify after merging https://github.com/encryption-alliance/unified-vault-format/pull/24
+    rootDir?.file('dir.uvf', dirFile);
     return zip.generateAsync({ type: 'blob' });
   }
 
diff --git a/frontend/test/common/universalVaultFormat.spec.ts b/frontend/test/common/universalVaultFormat.spec.ts
index 8df72aa9c..06d4f89d8 100644
--- a/frontend/test/common/universalVaultFormat.spec.ts
+++ b/frontend/test/common/universalVaultFormat.spec.ts
@@ -282,6 +282,12 @@ describe('UVF', () => {
         expect(hash).to.have.a.lengthOf(32);
         expect(hash).to.eq('6DYU3E5BTPAZ4DWEQPQK3AIHX2DXSPHG');
       });
+
+      it('encryptFile() creates some ciphertext', async () => {
+        const rootDirId = base64.parse('24UBEDeGu5taq7U4GqyA0MXUXb9HTYS6p3t9vvHGJAc=');
+        const fileContent = await uvf.encryptFile(rootDirId, uvf.metadata.initialSeedId);
+        expect(fileContent).to.have.a.lengthOf(128);
+      });
     });
   });
 });

From ec4415d4684dca1b5c4ec6cb3e8e379ac08648e4 Mon Sep 17 00:00:00 2001
From: Sebastian Stenzel <sebastian.stenzel@skymatic.de>
Date: Wed, 22 May 2024 09:26:51 +0200
Subject: [PATCH 54/94] refine test

---
 frontend/test/common/universalVaultFormat.spec.ts | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/frontend/test/common/universalVaultFormat.spec.ts b/frontend/test/common/universalVaultFormat.spec.ts
index 06d4f89d8..90cdb704d 100644
--- a/frontend/test/common/universalVaultFormat.spec.ts
+++ b/frontend/test/common/universalVaultFormat.spec.ts
@@ -1,5 +1,6 @@
 import { use as chaiUse, expect } from 'chai';
 import chaiAsPromised from 'chai-as-promised';
+import chaiBytes from 'chai-bytes';
 import { before, describe } from 'mocha';
 import { base64 } from 'rfc4648';
 import { VaultDto } from '../../src/common/backend';
@@ -8,6 +9,7 @@ import { JsonJWE } from '../../src/common/jwe';
 import { MemberKey, RecoveryKey, UniversalVaultFormat, VaultMetadata } from '../../src/common/universalVaultFormat';
 
 chaiUse(chaiAsPromised);
+chaiUse(chaiBytes);
 
 // key coordinates from MDN examples:
 const alicePublic: JsonWebKey = {
@@ -287,6 +289,7 @@ describe('UVF', () => {
         const rootDirId = base64.parse('24UBEDeGu5taq7U4GqyA0MXUXb9HTYS6p3t9vvHGJAc=');
         const fileContent = await uvf.encryptFile(rootDirId, uvf.metadata.initialSeedId);
         expect(fileContent).to.have.a.lengthOf(128);
+        expect(fileContent.slice(0, 4)).to.equalBytes(new Uint8Array([0x75, 0x76, 0x66, 0x01])); // magic bytes
       });
     });
   });

From 2947b80710d28666e7bc7469b8a9de9282a21a76 Mon Sep 17 00:00:00 2001
From: Armin Schrenk <armin.schrenk@skymatic.de>
Date: Wed, 22 May 2024 10:27:15 +0200
Subject: [PATCH 55/94] show also uvf recovery key in vault details

---
 .../components/DisplayRecoveryKeyDialog.vue   | 10 +++++-----
 frontend/src/components/VaultDetails.vue      | 19 +++++++------------
 2 files changed, 12 insertions(+), 17 deletions(-)

diff --git a/frontend/src/components/DisplayRecoveryKeyDialog.vue b/frontend/src/components/DisplayRecoveryKeyDialog.vue
index 8c0a328ba..4a8469b70 100644
--- a/frontend/src/components/DisplayRecoveryKeyDialog.vue
+++ b/frontend/src/components/DisplayRecoveryKeyDialog.vue
@@ -26,7 +26,7 @@
                     <div class="relative mt-3">
                       <div class="overflow-hidden rounded-lg border border-gray-300 shadow-sm focus-within:border-primary focus-within:ring-1 focus-within:ring-primary">
                         <label for="recoveryKey" class="sr-only">{{ t('recoveryKeyDialog.recoveryKey') }}</label>
-                        <textarea id="recoveryKey" v-model="recoveryKey" rows="6" name="recoveryKey" class="block w-full resize-none border-0 py-3 focus:ring-0 sm:text-sm" readonly />
+                        <textarea id="recoveryKey" v-model="recoveryKey" :rows="textAreaRows" name="recoveryKey" class="block w-full resize-none border-0 py-3 focus:ring-0 sm:text-sm" readonly />
 
                         <!-- Spacer element to match the height of the toolbar -->
                         <div class="py-2" aria-hidden="true">
@@ -70,7 +70,7 @@ import { ref } from 'vue';
 import { useI18n } from 'vue-i18n';
 import { VaultDto } from '../common/backend';
 import { debounce } from '../common/util';
-import { VaultFormat8 } from '../common/vaultFormat8';
+import { computed } from 'vue';
 
 const { t } = useI18n({ useScope: 'global' });
 
@@ -78,10 +78,10 @@ const open = ref(false);
 const recoveryKey = ref<string>('');
 const copiedRecoveryKey = ref(false);
 const debouncedCopyFinish = debounce(() => copiedRecoveryKey.value = false, 2000);
+const textAreaRows = computed(() => recoveryKey.value.length > 390 ? 14 : 6);
 
 const props = defineProps<{
   vault: VaultDto
-  vaultKeys: VaultFormat8
 }>();
 
 defineEmits<{
@@ -92,9 +92,9 @@ defineExpose({
   show
 });
 
-async function show() {
+async function show(recoveryKeyPromise: Promise<string>) {
   open.value = true;
-  recoveryKey.value = await props.vaultKeys.createRecoveryKey();
+  recoveryKey.value = await recoveryKeyPromise;
 }
 
 async function copyRecoveryKey() {
diff --git a/frontend/src/components/VaultDetails.vue b/frontend/src/components/VaultDetails.vue
index 4e29290d6..4fe199eb0 100644
--- a/frontend/src/components/VaultDetails.vue
+++ b/frontend/src/components/VaultDetails.vue
@@ -184,14 +184,10 @@
         <button v-if="vaultRole == 'OWNER'" type="button" class="bg-white py-2 px-4 border border-gray-300 rounded-md shadow-sm text-sm font-medium text-gray-700 hover:bg-gray-50 focus:outline-none focus:ring-2 focus:ring-offset-2 focus:ring-primary" @click="showDownloadVaultTemplateDialog()">
           {{ t('vaultDetails.actions.downloadVaultTemplate') }}
         </button>
-        <!-- displayRecoveryKey button (Vault Format 8 only) -->
-        <button v-if="vaultRole == 'OWNER' && vaultFormat8" type="button" class="bg-white py-2 px-4 border border-gray-300 rounded-md shadow-sm text-sm font-medium text-gray-700 hover:bg-gray-50 focus:outline-none focus:ring-2 focus:ring-offset-2 focus:ring-primary" @click="showDisplayRecoveryKeyDialog()">
+        <!-- displayRecoveryKey button -->
+        <button v-if="vaultRole == 'OWNER' && (vaultFormat8 || uvfVault?.recoveryKey.privateKey)" type="button" class="bg-white py-2 px-4 border border-gray-300 rounded-md shadow-sm text-sm font-medium text-gray-700 hover:bg-gray-50 focus:outline-none focus:ring-2 focus:ring-offset-2 focus:ring-primary" @click="showDisplayRecoveryKeyDialog()">
           {{ t('vaultDetails.actions.displayRecoveryKey') }}
         </button>
-        <!-- TODO: regenerateRecoveryKey button (UVF only) -->
-        <button v-if="vaultRole == 'OWNER' && uvfVault?.recoveryKey.privateKey" type="button" class="bg-white py-2 px-4 border border-gray-300 rounded-md shadow-sm text-sm font-medium text-gray-700 hover:bg-gray-50 focus:outline-none focus:ring-2 focus:ring-offset-2 focus:ring-primary" @click="showUvfRecoveryKey()">
-          {{ t('vaultDetails.actions.displayRecoveryKey') }} UVF TODO see console
-        </button>
         <!-- archiveVault button -->
         <button v-if="(vaultRole == 'OWNER' || isAdmin)" type="button" class="bg-red-600 py-2 px-4 border border-transparent rounded-md shadow-sm text-sm font-medium text-white  hover:bg-red-700 focus:outline-none focus:ring-2 focus:ring-offset-2 focus:ring-red-500" @click="showArchiveVaultDialog()">
           {{ t('vaultDetails.actions.archiveVault') }}
@@ -204,7 +200,7 @@
   <GrantPermissionDialog v-if="grantingPermission && vault && (vaultFormat8 || uvfVault)" ref="grantPermissionDialog" :vault="vault" :users="membersRequiringAccessGrant" :vault-keys="(vaultFormat8 || uvfVault)!" @close="grantingPermission = false" @permission-granted="permissionGranted()" />
   <EditVaultMetadataDialog v-if="editingVaultMetadata && vault" ref="editVaultMetadataDialog" :vault="vault" @close="editingVaultMetadata = false" @updated="v => refreshVault(v)" />
   <DownloadVaultTemplateDialog v-if="downloadingVaultTemplate && vault && (vaultFormat8 || uvfVault)" ref="downloadVaultTemplateDialog" :vault="vault" :vault-keys="(vaultFormat8 || uvfVault)!" @close="downloadingVaultTemplate = false" />
-  <DisplayRecoveryKeyDialog v-if="displayingRecoveryKey && vault && vaultFormat8" ref="displayRecoveryKeyDialog" :vault="vault" :vault-keys="vaultFormat8" @close="displayingRecoveryKey = false" />
+  <DisplayRecoveryKeyDialog v-if="displayingRecoveryKey && vault && (vaultFormat8 || uvfVault?.recoveryKey.privateKey)" ref="displayRecoveryKeyDialog" :vault="vault" @close="displayingRecoveryKey = false" />
   <ArchiveVaultDialog v-if="archivingVault && vault" ref="archiveVaultDialog" :vault="vault" @close="archivingVault = false" @archived="v => refreshVault(v)" />
   <ReactivateVaultDialog v-if="reactivatingVault && vault" ref="reactivateVaultDialog" :vault="vault" @close="reactivatingVault = false" @reactivated="v => { refreshVault(v); refreshLicense();}" />
   <RecoverVaultDialog v-if="recoveringVault && vault && me" ref="recoverVaultDialog" :vault="vault" :me="me" @close="recoveringVault = false" @recovered="fetchOwnerData()" />
@@ -471,11 +467,10 @@ function showDownloadVaultTemplateDialog() {
 
 function showDisplayRecoveryKeyDialog() {
   displayingRecoveryKey.value = true;
-  nextTick(() => displayRecoveryKeyDialog.value?.show());
-}
-
-async function showUvfRecoveryKey() {
-  console.log(await uvfVault.value?.recoveryKey.createRecoveryKey()); //TODO: implement
+  const recoveryKey: Promise<string> = uvfVault.value?.recoveryKey.createRecoveryKey()
+    ?? vaultFormat8.value?.createRecoveryKey()
+    ?? Promise.reject('No private key material present');
+  nextTick(() => displayRecoveryKeyDialog.value?.show(recoveryKey));
 }
 
 function showArchiveVaultDialog() {

From 2d03e3906638d8d3e85d2671b54c49d3e4bd9dbd Mon Sep 17 00:00:00 2001
From: Armin Schrenk <armin.schrenk@skymatic.de>
Date: Wed, 22 May 2024 11:52:21 +0200
Subject: [PATCH 56/94] fix linter hints

---
 frontend/src/components/CreateVault.vue  | 103 ++++++++++++-----------
 frontend/src/components/VaultDetails.vue |   2 +-
 2 files changed, 57 insertions(+), 48 deletions(-)

diff --git a/frontend/src/components/CreateVault.vue b/frontend/src/components/CreateVault.vue
index 27cb52bcd..b479afb8f 100644
--- a/frontend/src/components/CreateVault.vue
+++ b/frontend/src/components/CreateVault.vue
@@ -22,7 +22,9 @@
           </div>
           <div class="mt-5 sm:mt-6">
             <label for="recoveryKey" class="sr-only">{{ t('createVault.enterRecoveryKey.recoveryKey') }}</label>
-            <textarea id="recoveryKey" v-model="recoveryKeyStr" rows="6" name="recoveryKey"
+            <!-- Textarea -->
+            <textarea
+              id="recoveryKey" v-model="recoveryKeyStr" rows="6" name="recoveryKey"
               class="block w-full rounded-md border-gray-300 shadow-sm focus:border-primary focus:ring-primary sm:text-sm"
               :class="{ 'invalid:border-red-300 invalid:text-red-900 focus:invalid:ring-red-500 focus:invalid:border-red-500': onRecoverError instanceof FormValidationFailedError }"
               required />
@@ -33,8 +35,7 @@
               {{ t('createVault.enterRecoveryKey.submit') }}
             </button>
             <div v-if="onRecoverError != null">
-              <p v-if="onRecoverError instanceof FormValidationFailedError" class="text-sm text-red-900 mt-2">{{
-    t('createVault.error.formValidationFailed') }}</p>
+              <p v-if="onRecoverError instanceof FormValidationFailedError" class="text-sm text-red-900 mt-2">{{ t('createVault.error.formValidationFailed') }}</p>
               <p v-else class="text-sm text-red-900 mt-2">{{ t('createVault.error.invalidRecoveryKey') }}</p>
             </div>
           </div>
@@ -59,22 +60,24 @@
           <div class="mt-5 md:mt-0 md:col-span-2">
             <div class="grid grid-cols-6 gap-6">
               <div class="col-span-6 sm:col-span-3">
-                <label for="vaultName" class="block text-sm font-medium text-gray-700">{{
-    t('createVault.enterVaultDetails.vaultName') }}</label>
-                <input id="vaultName" v-model="vault.name" :disabled="processing" type="text"
+                <label for="vaultName" class="block text-sm font-medium text-gray-700">{{ t('createVault.enterVaultDetails.vaultName') }}</label>
+                <input
+                  id="vaultName" v-model="vault.name" :disabled="processing" type="text"
                   class="mt-1 focus:ring-primary focus:border-primary block w-full shadow-sm sm:text-sm border-gray-300 rounded-md disabled:bg-gray-200"
                   :class="{ 'invalid:border-red-300 invalid:text-red-900 focus:invalid:ring-red-500 focus:invalid:border-red-500': onCreateError instanceof FormValidationFailedError }"
-                  pattern="^(?! )([^\x5C\x2F:*?\x22<>\x7C])+(?<![ \x2E])$" required />
-                <p v-if="onCreateError instanceof FormValidationFailedError" class="text-sm text-red-900 mt-2">{{
-    t('createVault.error.illegalVaultName') }} \, /, :, *, ?, ", &lt;, >, |</p>
+                  pattern="^(?! )([^\x5C\x2F:*?\x22<>\x7C])+(?<![ \x2E])$" required
+                >
+                <p v-if="onCreateError instanceof FormValidationFailedError" class="text-sm text-red-900 mt-2">{{ t('createVault.error.illegalVaultName') }} \, /, :, *, ?, ", &lt;, >, |</p>
               </div>
 
               <div class="col-span-6 sm:col-span-4">
                 <label for="vaultDescription" class="block text-sm font-medium text-gray-700">
                   {{ t('createVault.enterVaultDetails.vaultDescription') }}
                   <span class="text-xs text-gray-500">({{ t('common.optional') }})</span></label>
-                <input id="vaultDescription" v-model="vault.description" :disabled="processing" type="text"
-                  class="mt-1 focus:ring-primary focus:border-primary block w-full shadow-sm sm:text-sm border-gray-300 rounded-md disabled:bg-gray-200" />
+                <input
+                  id="vaultDescription" v-model="vault.description" :disabled="processing" type="text"
+                  class="mt-1 focus:ring-primary focus:border-primary block w-full shadow-sm sm:text-sm border-gray-300 rounded-md disabled:bg-gray-200"
+                >
               </div>
             </div>
           </div>
@@ -83,12 +86,15 @@
 
       <div class="flex justify-end items-center">
         <div v-if="onCreateError != null">
-          <p v-if="onCreateError instanceof FormValidationFailedError" class="text-sm text-red-900 mr-4">{{
-    t('createVault.error.formValidationFailed') }}</p>
+          <p v-if="onCreateError instanceof FormValidationFailedError" class="text-sm text-red-900 mr-4">
+            {{ t('createVault.error.formValidationFailed') }}
+          </p>
           <p v-else class="text-sm text-red-900 mr-4">{{ t('common.unexpectedError', [onCreateError.message]) }}</p>
         </div>
-        <button type="submit" :disabled="processing"
-          class="flex-none inline-flex justify-center py-2 px-4 border border-transparent shadow-sm text-sm font-medium rounded-md text-white bg-primary hover:bg-primary-d1 focus:outline-none focus:ring-2 focus:ring-offset-2 focus:ring-primary disabled:opacity-50 disabled:hover:bg-primary disabled:cursor-not-allowed">
+        <button
+          type="submit" :disabled="processing"
+          class="flex-none inline-flex justify-center py-2 px-4 border border-transparent shadow-sm text-sm font-medium rounded-md text-white bg-primary hover:bg-primary-d1 focus:outline-none focus:ring-2 focus:ring-offset-2 focus:ring-primary disabled:opacity-50 disabled:hover:bg-primary disabled:cursor-not-allowed"
+        >
           {{ t('common.next') }}
         </button>
       </div>
@@ -112,12 +118,12 @@
               </p>
             </div>
             <div class="relative mt-5 sm:mt-6">
-              <div
-                class="overflow-hidden rounded-lg border border-gray-300 shadow-sm focus-within:border-primary focus-within:ring-1 focus-within:ring-primary">
+              <div class="overflow-hidden rounded-lg border border-gray-300 shadow-sm focus-within:border-primary focus-within:ring-1 focus-within:ring-primary">
                 <label for="recoveryKey" class="sr-only">{{ t('createVault.showRecoveryKey.recoveryKey') }}</label>
-                <textarea id="recoveryKey" v-model="recoveryKeyStr" rows="6" name="recoveryKey"
-                  class="block w-full resize-none border-0 py-3 focus:ring-0 sm:text-sm" readonly />
-
+                <textarea
+                  id="recoveryKey" v-model="recoveryKeyStr" rows="6" name="recoveryKey"
+                  class="block w-full resize-none border-0 py-3 focus:ring-0 sm:text-sm" readonly
+                />
                 <!-- Spacer element to match the height of the toolbar -->
                 <div class="py-2" aria-hidden="true">
                   <div class="h-9" />
@@ -127,14 +133,13 @@
               <div class="absolute inset-x-0 bottom-0">
                 <div class="flex flex-nowrap justify-end space-x-2 py-2 px-2 sm:px-3">
                   <div class="flex-shrink-0">
-                    <button type="button"
-                      class="relative inline-flex items-center whitespace-nowrap rounded-full bg-gray-50 py-2 px-2 text-sm font-medium text-gray-500 hover:bg-gray-100 sm:px-3"
-                      @click="copyRecoveryKey()">
+                    <button
+                      type="button" class="relative inline-flex items-center whitespace-nowrap rounded-full bg-gray-50 py-2 px-2 text-sm font-medium text-gray-500 hover:bg-gray-100 sm:px-3"
+                      @click="copyRecoveryKey()"
+                    >
                       <ClipboardIcon class="h-5 w-5 flex-shrink-0 text-gray-300 sm:-ml-1" aria-hidden="true" />
-                      <span v-if="!copiedRecoveryKey" class="hidden truncate sm:ml-2 sm:block text-gray-900">{{
-    t('common.copy') }}</span>
-                      <span v-else class="hidden truncate sm:ml-2 sm:block text-gray-900">{{ t('common.copied')
-                        }}</span>
+                      <span v-if="!copiedRecoveryKey" class="hidden truncate sm:ml-2 sm:block text-gray-900">{{ t('common.copy') }}</span>
+                      <span v-else class="hidden truncate sm:ml-2 sm:block text-gray-900">{{ t('common.copied') }}</span>
                     </button>
                   </div>
                 </div>
@@ -142,24 +147,25 @@
             </div>
             <div class="relative flex items-start text-left mt-5 sm:mt-6">
               <div class="flex h-5 items-center">
-                <input id="confirmRecoveryKey" v-model="confirmRecoveryKey" name="confirmRecoveryKey" type="checkbox"
-                  class="h-4 w-4 rounded border-gray-300 text-primary focus:ring-primary" required>
+                <input
+                  id="confirmRecoveryKey" v-model="confirmRecoveryKey" name="confirmRecoveryKey" type="checkbox"
+                  class="h-4 w-4 rounded border-gray-300 text-primary focus:ring-primary" required
+                >
               </div>
               <div class="ml-3 text-sm">
-                <label for="confirmRecoveryKey" class="font-medium text-gray-700">{{
-    t('createVault.showRecoveryKey.confirmRecoveryKey') }}</label>
+                <label for="confirmRecoveryKey" class="font-medium text-gray-700">{{ t('createVault.showRecoveryKey.confirmRecoveryKey') }}</label>
               </div>
             </div>
             <div class="mt-5 sm:mt-6">
-              <button type="submit" :disabled="!confirmRecoveryKey || processing"
-                class="inline-flex w-full justify-center rounded-md border border-transparent bg-primary px-4 py-2 text-base font-medium text-white shadow-sm hover:bg-primary-d1 focus:outline-none focus:ring-2 focus:primary focus:ring-offset-2 sm:text-sm disabled:opacity-50 disabled:hover:bg-primary disabled:cursor-not-allowed">
+              <button
+                type="submit" :disabled="!confirmRecoveryKey || processing"
+                class="inline-flex w-full justify-center rounded-md border border-transparent bg-primary px-4 py-2 text-base font-medium text-white shadow-sm hover:bg-primary-d1 focus:outline-none focus:ring-2 focus:primary focus:ring-offset-2 sm:text-sm disabled:opacity-50 disabled:hover:bg-primary disabled:cursor-not-allowed"
+              >
                 {{ t('createVault.showRecoveryKey.submit') }}
               </button>
               <div v-if="onCreateError != null">
-                <p v-if="onCreateError instanceof PaymentRequiredError" class="text-sm text-red-900 mt-2">{{
-    t('createVault.error.paymentRequired') }}</p>
-                <p v-else class="text-sm text-red-900 mt-2">{{ t('common.unexpectedError', [onCreateError.message]) }}
-                </p>
+                <p v-if="onCreateError instanceof PaymentRequiredError" class="text-sm text-red-900 mt-2">{{ t('createVault.error.paymentRequired') }}</p>
+                <p v-else class="text-sm text-red-900 mt-2">{{ t('common.unexpectedError', [onCreateError.message]) }}</p>
               </div>
             </div>
           </div>
@@ -185,14 +191,17 @@
           </div>
         </div>
         <div class="mt-5 sm:mt-6">
-          <button type="button"
+          <button
+            type="button"
             class="inline-flex items-center px-4 py-2 border border-transparent shadow-sm text-sm font-medium rounded-md text-white bg-primary hover:bg-primary-d1 focus:outline-none focus:ring-2 focus:ring-offset-2 focus:ring-primary"
-            @click="downloadVaultTemplate()">
+            @click="downloadVaultTemplate()"
+          >
             <ArrowDownTrayIcon class="-ml-1 mr-2 h-5 w-5" aria-hidden="true" />
             {{ t('createVault.success.download') }}
           </button>
-          <p v-if="onDownloadTemplateError != null" class="text-sm text-red-900 mr-4">{{
-            t('createVault.error.downloadTemplateFailed', [onDownloadTemplateError.message]) }}</p>
+          <p v-if="onDownloadTemplateError != null" class="text-sm text-red-900 mr-4">
+            {{ t('createVault.error.downloadTemplateFailed', [onDownloadTemplateError.message]) }}
+          </p>
           <!-- TODO: not beautiful-->
         </div>
         <div class="mt-2">
@@ -258,12 +267,12 @@ const onDownloadTemplateError = ref<Error | null>(null);
 const state = ref(State.Initial);
 const processing = ref(false);
 const vault = ref<VaultDto>({
-      id: crypto.randomUUID(),
-      name: '',
-      description: '',
-      archived: false,
-      creationTime: new Date()
-    });
+  id: crypto.randomUUID(),
+  name: '',
+  description: '',
+  archived: false,
+  creationTime: new Date()
+});
 const copiedRecoveryKey = ref(false);
 const debouncedCopyFinish = debounce(() => copiedRecoveryKey.value = false, 2000);
 const confirmRecoveryKey = ref(false);
diff --git a/frontend/src/components/VaultDetails.vue b/frontend/src/components/VaultDetails.vue
index 4fe199eb0..b74d8d1f8 100644
--- a/frontend/src/components/VaultDetails.vue
+++ b/frontend/src/components/VaultDetails.vue
@@ -429,7 +429,7 @@ async function addAuthority(authority: AuthorityDto) {
 
 async function addAuthorityBackend(authority: AuthorityDto) {
   try {
-    switch(authority.type) {
+    switch (authority.type) {
       case 'USER':
         await backend.vaults.addUser(props.vaultId, authority.id);
         break;

From bf85c2ab3ddb3dd053838dbe1f70ff5c37f0f42f Mon Sep 17 00:00:00 2001
From: Armin Schrenk <armin.schrenk@skymatic.de>
Date: Mon, 27 May 2024 18:13:01 +0200
Subject: [PATCH 57/94] (unfinished) rework recover Vault dialog

---
 frontend/src/components/CreateVault.vue | 147 ++++++++++++++++++++++--
 1 file changed, 136 insertions(+), 11 deletions(-)

diff --git a/frontend/src/components/CreateVault.vue b/frontend/src/components/CreateVault.vue
index b479afb8f..33be71c61 100644
--- a/frontend/src/components/CreateVault.vue
+++ b/frontend/src/components/CreateVault.vue
@@ -3,7 +3,10 @@
     {{ t('common.loading') }}
   </div>
 
-  <div v-else-if="state == State.EnterRecoveryKey">
+  <div v-else-if="state == State.EnterRecoveryKey"
+    @drop.prevent=""
+    @dragover.prevent=""
+  >
     <form ref="form" novalidate @submit.prevent="validateRecoveryKey()">
       <div class="flex justify-center">
         <div class="bg-white px-4 py-5 shadow sm:rounded-lg sm:p-6 text-center sm:w-full sm:max-w-lg">
@@ -15,23 +18,68 @@
               {{ t('createVault.enterRecoveryKey.title') }}
             </h3>
             <div class="mt-2">
+              <!-- TODO: this text must be altered -->
               <p class="text-sm text-gray-500">
                 {{ t('createVault.enterRecoveryKey.description') }}
               </p>
             </div>
           </div>
+          <!-- Textarea -->
           <div class="mt-5 sm:mt-6">
             <label for="recoveryKey" class="sr-only">{{ t('createVault.enterRecoveryKey.recoveryKey') }}</label>
-            <!-- Textarea -->
+            <label for="metadata-file" class="block text-sm font-medium leading-6 text-gray-900">{{ t('createVault.enterRecoveryKey.recoveryKey') }}</label>
             <textarea
               id="recoveryKey" v-model="recoveryKeyStr" rows="6" name="recoveryKey"
               class="block w-full rounded-md border-gray-300 shadow-sm focus:border-primary focus:ring-primary sm:text-sm"
               :class="{ 'invalid:border-red-300 invalid:text-red-900 focus:invalid:ring-red-500 focus:invalid:border-red-500': onRecoverError instanceof FormValidationFailedError }"
-              required />
+              required
+            />
           </div>
+          <!-- Dropzone -->
           <div class="mt-5 sm:mt-6">
-            <button type="submit" :disabled="processing"
-              class="inline-flex w-full justify-center rounded-md border border-transparent bg-primary px-4 py-2 text-base font-medium text-white shadow-sm hover:bg-primary-d1 focus:outline-none focus:ring-2 focus:primary focus:ring-offset-2 sm:text-sm disabled:opacity-50 disabled:hover:bg-primary disabled:cursor-not-allowed">
+            <label for="metadata-file" class="block text-sm font-medium leading-6 text-gray-900">Vault Metadata File</label>
+            <div
+              class="relative mt-2 flex justify-center rounded-lg border-2  px-6 py-10 border-gray-300 hover:border-gray-400 active:border-primary focus-within:border-primary focus-within:ring-primary  focus-within:ring-offset-2"
+              :class="{ 'border-primary': isDraggingOver, 'border-dashed': (vaultMetadata?.length ?? 0) == 0 }"
+              @dragenter.prevent="handleDragEnterAndOver"
+              @dragover.prevent="handleDragEnterAndOver"
+              @dragleave="handleDragLeave"
+              @drop.prevent="handleDrop"
+            >
+              <input id="file-upload" ref="fileUpload" name="file-upload" type="file" class="cursor-pointer absolute inset-0 opacity-0" accept=".cryptomator, .uvf" @change="handleUpload" >
+              <div v-if="(vaultMetadata?.length ?? 0) == 0" class="text-center">
+                <ArrowUpOnSquareIcon class="mx-auto h-12 w-12 text-gray-300" aria-hidden="true" />
+                <p class="mt-2 block text-sm font-semibold text-gray-900">
+                  Upload vault metadata file or drag and drop
+                </p>
+                <p class="text-xs leading-5 text-gray-600">vault.cryptomator or vault.uvf</p>
+              </div>
+              <div v-else class="text-center">
+                <DocumentCheckIcon class="mx-auto h-12 w-12 text-primary" aria-hidden="true" />
+                <p class="mt-2 block text-sm font-semibold text-gray-900">
+                  Upload successful
+                </p>
+                <p class="text-xs leading-5 text-gray-600">To replace, click and select or drag and drop a different file. </p>
+              </div>
+            </div>
+            <div v-if="onUploadError" class="rounded-md bg-red-50 p-4">
+              <div class="flex">
+                <div class="flex-shrink-0">
+                  <XCircleIcon class="h-5 w-5 text-red-400" aria-hidden="true" />
+                </div>
+                <div class="ml-3 flex-1 md:flex md:justify-between">
+                  <p v-if="onUploadError instanceof FileTooBigError" class="text-sm text-red-700">TODO Too big!</p>
+                  <p v-else-if="onUploadError instanceof NoFileError" class="text-sm text-red-700">File could not be uploaded</p>
+                  <p v-else-if="onUploadError instanceof WrongFileNameError" class="text-sm text-red-700">TODO Wrong files!</p>
+                </div>
+              </div>
+            </div>
+          </div>
+          <!-- Button -->
+          <div class="mt-5 sm:mt-6">
+            <button
+              type="submit" :disabled="processing" class="inline-flex w-full justify-center rounded-md border border-transparent bg-primary px-4 py-2 text-base font-medium text-white shadow-sm hover:bg-primary-d1 focus:outline-none focus:ring-2 focus:bg-primary focus:ring-offset-2 sm:text-sm disabled:opacity-50 disabled:hover:bg-primary disabled:cursor-not-allowed"
+            >
               {{ t('createVault.enterRecoveryKey.submit') }}
             </button>
             <div v-if="onRecoverError != null">
@@ -215,8 +263,8 @@
 </template>
 
 <script setup lang="ts">
-import { ClipboardIcon } from '@heroicons/vue/20/solid';
-import { ArrowPathIcon, CheckIcon, KeyIcon } from '@heroicons/vue/24/outline';
+import { ClipboardIcon, XCircleIcon } from '@heroicons/vue/20/solid';
+import { ArrowPathIcon, CheckIcon, KeyIcon, ArrowUpOnSquareIcon, DocumentCheckIcon } from '@heroicons/vue/24/outline';
 import { ArrowDownTrayIcon } from '@heroicons/vue/24/solid';
 import { saveAs } from 'file-saver';
 import { base64 } from 'rfc4648';
@@ -242,7 +290,7 @@ enum VaultType {
   UniversalVaultFormat
 }
 
-const vaultType: VaultType = VaultType.UniversalVaultFormat;
+const vaultType = ref(VaultType.UniversalVaultFormat);
 
 class FormValidationFailedError extends Error {
   constructor() {
@@ -259,6 +307,7 @@ class EmptyVaultTemplateError extends Error {
 const { t } = useI18n({ useScope: 'global' });
 
 const form = ref<HTMLFormElement>();
+const fileUpload = ref<HTMLInputElement>();
 
 const onCreateError = ref<Error | null>(null);
 const onRecoverError = ref<Error | null>(null);
@@ -280,6 +329,77 @@ const vaultFormat8 = ref<VaultFormat8>();
 const recoveryKeyStr = ref<string>('');
 const uvfVault = ref<UniversalVaultFormat>();
 
+const vaultMetadata = ref<string>('');
+const isDraggingOver = ref<boolean>(false);
+const onUploadError = ref<Error | null>(null);
+
+const handleDragEnterAndOver = (event: DragEvent): void => {
+  isDraggingOver.value = true;
+  if (event.dataTransfer) {
+    event.dataTransfer.effectAllowed = 'copy';
+    event.dataTransfer.dropEffect = 'copy';
+  }
+};
+const handleDragLeave = (): void => {
+  isDraggingOver.value = false;
+};
+const handleDrop = (event: DragEvent): void => {
+  onUploadError.value = null;
+  vaultMetadata.value = '';
+  isDraggingOver.value = false;
+  let file: File | null = null;
+  try {
+    if (event.dataTransfer?.items && event.dataTransfer.items.length >= 1) {
+      //new DataTransferItemList API
+      var item = event.dataTransfer.items[0];
+      if (item.kind == 'file') {
+        file = item.getAsFile();
+      }
+    } else {
+      file = event.dataTransfer?.files[0] ?? null;
+    }
+
+    validateAndSetMetadataFile(file);
+  } catch (error: any) {
+    onUploadError.value = error instanceof Error ? error : new Error('Unknown reason');
+  }
+};
+const handleUpload = (event: Event)  => {
+  onUploadError.value = null;
+  vaultMetadata.value = '';
+  validateAndSetMetadataFile(fileUpload.value?.files?.item(0) ?? null);
+};
+
+function validateAndSetMetadataFile(file: File | null): void {
+  if (!file) {
+    throw new NoFileError();
+  } else if (!file.name.match(/vault\.(cryptomator|uvf)/)) {
+    throw new WrongFileNameError();
+  } else if (file.size > 8000) {
+    throw new FileTooBigError();
+  }
+
+  file.text().then(text => vaultMetadata.value = text, err => console.log('error reading file'));
+}
+
+class UploadFileError extends Error {
+}
+class NoFileError extends UploadFileError {
+  constructor() {
+    super('Drag and drop operation has no file.');
+  }
+}
+class WrongFileNameError extends Error {
+  constructor() {
+    super('Dropped file is not named "vault.cryptomator" or "vault.uvf"');
+  }
+}
+class FileTooBigError extends Error {
+  constructor() {
+    super('Dropped file exceeds size limit of 8KB');
+  }
+}
+
 const props = defineProps<{
   recover: boolean
 }>();
@@ -290,7 +410,7 @@ async function initialize() {
   if (props.recover) {
     state.value = State.EnterRecoveryKey;
   } else {
-    switch (vaultType) {
+    switch (vaultType.value) {
       case VaultType.VaultFormat8:
         vaultFormat8.value = await VaultFormat8.create();
         recoveryKeyStr.value = await vaultFormat8.value.createRecoveryKey();
@@ -317,7 +437,12 @@ async function recoverVault() {
   onRecoverError.value = null;
   try {
     processing.value = true;
-    vaultFormat8.value = await VaultFormat8.recover(recoveryKeyStr.value);
+    if (vaultMetadata.value.startsWith('{')) {
+      //uvfVault.value = await UniversalVaultFormat.recover(uvfMetadataFile, recoveryKeyStr.value);
+      console.log('HELLO');
+    } else {
+      vaultFormat8.value = await VaultFormat8.recover(recoveryKeyStr.value);
+    }
     state.value = State.EnterVaultDetails;
   } catch (error) {
     console.error('Recovering vault failed.', error);
@@ -349,7 +474,7 @@ async function createVault() {
       throw new Error('Invalid state');
     }
     const ownerGrant: AccessGrant = { userId: owner.id, token: '' };
-    switch (vaultType) {
+    switch (vaultType.value) {
       case VaultType.VaultFormat8: {
         if (!vaultFormat8.value) {
           throw new Error('Invalid state');

From 8d864462978994a1ac08e01123154d39e204aef4 Mon Sep 17 00:00:00 2001
From: Armin Schrenk <armin.schrenk@skymatic.de>
Date: Tue, 28 May 2024 15:04:35 +0200
Subject: [PATCH 58/94] Do not erase uploaded file on failed upload

---
 frontend/src/components/CreateVault.vue | 2 --
 1 file changed, 2 deletions(-)

diff --git a/frontend/src/components/CreateVault.vue b/frontend/src/components/CreateVault.vue
index 33be71c61..19d872a44 100644
--- a/frontend/src/components/CreateVault.vue
+++ b/frontend/src/components/CreateVault.vue
@@ -345,7 +345,6 @@ const handleDragLeave = (): void => {
 };
 const handleDrop = (event: DragEvent): void => {
   onUploadError.value = null;
-  vaultMetadata.value = '';
   isDraggingOver.value = false;
   let file: File | null = null;
   try {
@@ -366,7 +365,6 @@ const handleDrop = (event: DragEvent): void => {
 };
 const handleUpload = (event: Event)  => {
   onUploadError.value = null;
-  vaultMetadata.value = '';
   validateAndSetMetadataFile(fileUpload.value?.files?.item(0) ?? null);
 };
 

From 57cfd0ac0a648d8ce6e4a4b174a2d65d2d4ef735 Mon Sep 17 00:00:00 2001
From: Armin Schrenk <armin.schrenk@skymatic.de>
Date: Tue, 28 May 2024 15:14:54 +0200
Subject: [PATCH 59/94] improve error handling

---
 frontend/src/components/CreateVault.vue | 46 +++++++++++++------------
 1 file changed, 24 insertions(+), 22 deletions(-)

diff --git a/frontend/src/components/CreateVault.vue b/frontend/src/components/CreateVault.vue
index 19d872a44..6ba443b6a 100644
--- a/frontend/src/components/CreateVault.vue
+++ b/frontend/src/components/CreateVault.vue
@@ -69,8 +69,9 @@
                 </div>
                 <div class="ml-3 flex-1 md:flex md:justify-between">
                   <p v-if="onUploadError instanceof FileTooBigError" class="text-sm text-red-700">TODO Too big!</p>
-                  <p v-else-if="onUploadError instanceof NoFileError" class="text-sm text-red-700">File could not be uploaded</p>
+                  <p v-else-if="onUploadError instanceof NoFileError" class="text-sm text-red-700">TODO File could not be uploaded</p>
                   <p v-else-if="onUploadError instanceof WrongFileNameError" class="text-sm text-red-700">TODO Wrong files!</p>
+                  <p v-else class="text-sm text-red-700">TODO Error uploading and reading file</p>
                 </div>
               </div>
             </div>
@@ -347,21 +348,17 @@ const handleDrop = (event: DragEvent): void => {
   onUploadError.value = null;
   isDraggingOver.value = false;
   let file: File | null = null;
-  try {
-    if (event.dataTransfer?.items && event.dataTransfer.items.length >= 1) {
-      //new DataTransferItemList API
-      var item = event.dataTransfer.items[0];
-      if (item.kind == 'file') {
-        file = item.getAsFile();
-      }
-    } else {
-      file = event.dataTransfer?.files[0] ?? null;
+  if (event.dataTransfer?.items && event.dataTransfer.items.length >= 1) {
+    //new DataTransferItemList API
+    var item = event.dataTransfer.items[0];
+    if (item.kind == 'file') {
+      file = item.getAsFile();
     }
-
-    validateAndSetMetadataFile(file);
-  } catch (error: any) {
-    onUploadError.value = error instanceof Error ? error : new Error('Unknown reason');
+  } else {
+    file = event.dataTransfer?.files[0] ?? null;
   }
+
+  validateAndSetMetadataFile(file);
 };
 const handleUpload = (event: Event)  => {
   onUploadError.value = null;
@@ -369,15 +366,20 @@ const handleUpload = (event: Event)  => {
 };
 
 function validateAndSetMetadataFile(file: File | null): void {
-  if (!file) {
-    throw new NoFileError();
-  } else if (!file.name.match(/vault\.(cryptomator|uvf)/)) {
-    throw new WrongFileNameError();
-  } else if (file.size > 8000) {
-    throw new FileTooBigError();
-  }
+  try {
+    if (!file) {
+      throw new NoFileError();
+    } else if (!file.name.match(/vault\.(cryptomator|uvf)/)) {
+      throw new WrongFileNameError();
+    } else if (file.size > 8000) {
+      throw new FileTooBigError();
+    }
 
-  file.text().then(text => vaultMetadata.value = text, err => console.log('error reading file'));
+    file.text().then(text => vaultMetadata.value = text,
+      error => onUploadError.value = error instanceof Error ? error : new Error('Error reading file as UTF-8 encoded text.'));
+  } catch (error) {
+    onUploadError.value = error instanceof Error ? error : new Error('Unknown reason');
+  }
 }
 
 class UploadFileError extends Error {

From b1f9fc4805ccbb07311e7e04981b2655047411f6 Mon Sep 17 00:00:00 2001
From: Armin Schrenk <armin.schrenk@skymatic.de>
Date: Tue, 28 May 2024 15:25:25 +0200
Subject: [PATCH 60/94] define event listeners as functions

---
 frontend/src/components/CreateVault.vue | 126 ++++++++++++------------
 1 file changed, 62 insertions(+), 64 deletions(-)

diff --git a/frontend/src/components/CreateVault.vue b/frontend/src/components/CreateVault.vue
index 6ba443b6a..f9e8251b0 100644
--- a/frontend/src/components/CreateVault.vue
+++ b/frontend/src/components/CreateVault.vue
@@ -3,10 +3,7 @@
     {{ t('common.loading') }}
   </div>
 
-  <div v-else-if="state == State.EnterRecoveryKey"
-    @drop.prevent=""
-    @dragover.prevent=""
-  >
+  <div v-else-if="state == State.EnterRecoveryKey" @drop.prevent="" @dragover.prevent="">
     <form ref="form" novalidate @submit.prevent="validateRecoveryKey()">
       <div class="flex justify-center">
         <div class="bg-white px-4 py-5 shadow sm:rounded-lg sm:p-6 text-center sm:w-full sm:max-w-lg">
@@ -41,12 +38,12 @@
             <div
               class="relative mt-2 flex justify-center rounded-lg border-2  px-6 py-10 border-gray-300 hover:border-gray-400 active:border-primary focus-within:border-primary focus-within:ring-primary  focus-within:ring-offset-2"
               :class="{ 'border-primary': isDraggingOver, 'border-dashed': (vaultMetadata?.length ?? 0) == 0 }"
-              @dragenter.prevent="handleDragEnterAndOver"
-              @dragover.prevent="handleDragEnterAndOver"
-              @dragleave="handleDragLeave"
-              @drop.prevent="handleDrop"
+              @dragenter.prevent="event => handleDragEnterAndOver(event)"
+              @dragover.prevent="event => handleDragEnterAndOver(event)"
+              @dragleave="handleDragLeave()"
+              @drop.prevent="event => handleDrop(event)"
             >
-              <input id="file-upload" ref="fileUpload" name="file-upload" type="file" class="cursor-pointer absolute inset-0 opacity-0" accept=".cryptomator, .uvf" @change="handleUpload" >
+              <input id="file-upload" ref="fileUpload" name="file-upload" type="file" class="cursor-pointer absolute inset-0 opacity-0" accept=".cryptomator, .uvf" @change="event => handleUpload(event)" >
               <div v-if="(vaultMetadata?.length ?? 0) == 0" class="text-center">
                 <ArrowUpOnSquareIcon class="mx-auto h-12 w-12 text-gray-300" aria-hidden="true" />
                 <p class="mt-2 block text-sm font-semibold text-gray-900">
@@ -305,6 +302,24 @@ class EmptyVaultTemplateError extends Error {
   }
 }
 
+class UploadFileError extends Error {
+}
+class NoFileError extends UploadFileError {
+  constructor() {
+    super('Drag and drop operation has no file.');
+  }
+}
+class WrongFileNameError extends Error {
+  constructor() {
+    super('Dropped file is not named "vault.cryptomator" or "vault.uvf"');
+  }
+}
+class FileTooBigError extends Error {
+  constructor() {
+    super('Dropped file exceeds size limit of 8KB');
+  }
+}
+
 const { t } = useI18n({ useScope: 'global' });
 
 const form = ref<HTMLFormElement>();
@@ -334,17 +349,43 @@ const vaultMetadata = ref<string>('');
 const isDraggingOver = ref<boolean>(false);
 const onUploadError = ref<Error | null>(null);
 
-const handleDragEnterAndOver = (event: DragEvent): void => {
+const props = defineProps<{
+  recover: boolean
+}>();
+
+onMounted(initialize);
+
+async function initialize() {
+  if (props.recover) {
+    state.value = State.EnterRecoveryKey;
+  } else {
+    switch (vaultType.value) {
+      case VaultType.VaultFormat8:
+        vaultFormat8.value = await VaultFormat8.create();
+        recoveryKeyStr.value = await vaultFormat8.value.createRecoveryKey();
+        break;
+      case VaultType.UniversalVaultFormat:
+        uvfVault.value = await UniversalVaultFormat.create({ enabled: false, maxWotDepth: 0 });
+        recoveryKeyStr.value = await uvfVault.value.recoveryKey.createRecoveryKey();
+        break;
+    }
+    state.value = State.EnterVaultDetails;
+  }
+}
+
+async function handleDragEnterAndOver (event: DragEvent){
   isDraggingOver.value = true;
   if (event.dataTransfer) {
     event.dataTransfer.effectAllowed = 'copy';
     event.dataTransfer.dropEffect = 'copy';
   }
-};
-const handleDragLeave = (): void => {
+}
+
+async function handleDragLeave() {
   isDraggingOver.value = false;
-};
-const handleDrop = (event: DragEvent): void => {
+}
+
+async function handleDrop(event: DragEvent) {
   onUploadError.value = null;
   isDraggingOver.value = false;
   let file: File | null = null;
@@ -357,15 +398,15 @@ const handleDrop = (event: DragEvent): void => {
   } else {
     file = event.dataTransfer?.files[0] ?? null;
   }
-
   validateAndSetMetadataFile(file);
-};
-const handleUpload = (event: Event)  => {
+}
+
+async function handleUpload(event: Event) {
   onUploadError.value = null;
   validateAndSetMetadataFile(fileUpload.value?.files?.item(0) ?? null);
-};
+}
 
-function validateAndSetMetadataFile(file: File | null): void {
+async function validateAndSetMetadataFile(file: File | null) {
   try {
     if (!file) {
       throw new NoFileError();
@@ -375,52 +416,9 @@ function validateAndSetMetadataFile(file: File | null): void {
       throw new FileTooBigError();
     }
 
-    file.text().then(text => vaultMetadata.value = text,
-      error => onUploadError.value = error instanceof Error ? error : new Error('Error reading file as UTF-8 encoded text.'));
+    vaultMetadata.value = await file.text();
   } catch (error) {
-    onUploadError.value = error instanceof Error ? error : new Error('Unknown reason');
-  }
-}
-
-class UploadFileError extends Error {
-}
-class NoFileError extends UploadFileError {
-  constructor() {
-    super('Drag and drop operation has no file.');
-  }
-}
-class WrongFileNameError extends Error {
-  constructor() {
-    super('Dropped file is not named "vault.cryptomator" or "vault.uvf"');
-  }
-}
-class FileTooBigError extends Error {
-  constructor() {
-    super('Dropped file exceeds size limit of 8KB');
-  }
-}
-
-const props = defineProps<{
-  recover: boolean
-}>();
-
-onMounted(initialize);
-
-async function initialize() {
-  if (props.recover) {
-    state.value = State.EnterRecoveryKey;
-  } else {
-    switch (vaultType.value) {
-      case VaultType.VaultFormat8:
-        vaultFormat8.value = await VaultFormat8.create();
-        recoveryKeyStr.value = await vaultFormat8.value.createRecoveryKey();
-        break;
-      case VaultType.UniversalVaultFormat:
-        uvfVault.value = await UniversalVaultFormat.create({ enabled: false, maxWotDepth: 0 });
-        recoveryKeyStr.value = await uvfVault.value.recoveryKey.createRecoveryKey();
-        break;
-    }
-    state.value = State.EnterVaultDetails;
+    onUploadError.value = error instanceof Error ? error : new Error('Error reading file as UTF-8 encoded text.');
   }
 }
 

From a667e0dbc150bcd5dfca65671a10bdee32f2663d Mon Sep 17 00:00:00 2001
From: Armin Schrenk <armin.schrenk@skymatic.de>
Date: Tue, 28 May 2024 15:25:55 +0200
Subject: [PATCH 61/94] remove unused Error class

---
 frontend/src/components/CreateVault.vue | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/frontend/src/components/CreateVault.vue b/frontend/src/components/CreateVault.vue
index f9e8251b0..80b552dad 100644
--- a/frontend/src/components/CreateVault.vue
+++ b/frontend/src/components/CreateVault.vue
@@ -302,18 +302,18 @@ class EmptyVaultTemplateError extends Error {
   }
 }
 
-class UploadFileError extends Error {
-}
-class NoFileError extends UploadFileError {
+class NoFileError extends Error {
   constructor() {
     super('Drag and drop operation has no file.');
   }
 }
+
 class WrongFileNameError extends Error {
   constructor() {
     super('Dropped file is not named "vault.cryptomator" or "vault.uvf"');
   }
 }
+
 class FileTooBigError extends Error {
   constructor() {
     super('Dropped file exceeds size limit of 8KB');

From 871b6decca212f5a0a4fe3e88c4aafa34bc00b1d Mon Sep 17 00:00:00 2001
From: Armin Schrenk <armin.schrenk@skymatic.de>
Date: Tue, 28 May 2024 15:44:15 +0200
Subject: [PATCH 62/94] set vault type during recovery

---
 frontend/src/components/CreateVault.vue | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/frontend/src/components/CreateVault.vue b/frontend/src/components/CreateVault.vue
index 80b552dad..5825d0e5b 100644
--- a/frontend/src/components/CreateVault.vue
+++ b/frontend/src/components/CreateVault.vue
@@ -416,6 +416,7 @@ async function validateAndSetMetadataFile(file: File | null) {
       throw new FileTooBigError();
     }
 
+    vaultType.value = file.name.endsWith('.uvf') ? VaultType.UniversalVaultFormat : VaultType.VaultFormat8;
     vaultMetadata.value = await file.text();
   } catch (error) {
     onUploadError.value = error instanceof Error ? error : new Error('Error reading file as UTF-8 encoded text.');
@@ -435,11 +436,12 @@ async function recoverVault() {
   onRecoverError.value = null;
   try {
     processing.value = true;
-    if (vaultMetadata.value.startsWith('{')) {
+    if (vaultType.value == VaultType.UniversalVaultFormat) {
       //uvfVault.value = await UniversalVaultFormat.recover(uvfMetadataFile, recoveryKeyStr.value);
-      console.log('HELLO');
+      console.log('TODO UVF Recover');
     } else {
       vaultFormat8.value = await VaultFormat8.recover(recoveryKeyStr.value);
+      //TODO: implement function to validate
     }
     state.value = State.EnterVaultDetails;
   } catch (error) {

From 3368768cae5d6fb9f02bb7299c21f5a8d6d129ad Mon Sep 17 00:00:00 2001
From: Armin Schrenk <armin.schrenk@skymatic.de>
Date: Tue, 28 May 2024 15:44:34 +0200
Subject: [PATCH 63/94] minor adjustments

---
 frontend/src/components/CreateVault.vue | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/frontend/src/components/CreateVault.vue b/frontend/src/components/CreateVault.vue
index 5825d0e5b..e3d603850 100644
--- a/frontend/src/components/CreateVault.vue
+++ b/frontend/src/components/CreateVault.vue
@@ -37,7 +37,7 @@
             <label for="metadata-file" class="block text-sm font-medium leading-6 text-gray-900">Vault Metadata File</label>
             <div
               class="relative mt-2 flex justify-center rounded-lg border-2  px-6 py-10 border-gray-300 hover:border-gray-400 active:border-primary focus-within:border-primary focus-within:ring-primary  focus-within:ring-offset-2"
-              :class="{ 'border-primary': isDraggingOver, 'border-dashed': (vaultMetadata?.length ?? 0) == 0 }"
+              :class="{ 'border-primary': isDraggingOver, 'border-dashed': (vaultMetadata?.length ?? 0) == 0, 'border-red-300 active:border-red-500 focus-within:ring-red-500 focus-within:border-red-500': (vaultMetadata?.length ?? 0) == 0 && onRecoverError instanceof FormValidationFailedError}"
               @dragenter.prevent="event => handleDragEnterAndOver(event)"
               @dragover.prevent="event => handleDragEnterAndOver(event)"
               @dragleave="handleDragLeave()"
@@ -326,8 +326,9 @@ const form = ref<HTMLFormElement>();
 const fileUpload = ref<HTMLInputElement>();
 
 const onCreateError = ref<Error | null>(null);
-const onRecoverError = ref<Error | null>(null);
 const onDownloadTemplateError = ref<Error | null>(null);
+const onRecoverError = ref<Error | null>(null);
+const onUploadError = ref<Error | null>(null);
 
 const state = ref(State.Initial);
 const processing = ref(false);
@@ -347,7 +348,6 @@ const uvfVault = ref<UniversalVaultFormat>();
 
 const vaultMetadata = ref<string>('');
 const isDraggingOver = ref<boolean>(false);
-const onUploadError = ref<Error | null>(null);
 
 const props = defineProps<{
   recover: boolean

From b43a946ff02240c5462751cec8ce19f1a9c23220 Mon Sep 17 00:00:00 2001
From: Armin Schrenk <armin.schrenk@skymatic.de>
Date: Wed, 29 May 2024 17:36:24 +0200
Subject: [PATCH 64/94] add additional verification to vaultformat 8 module

---
 frontend/src/common/jwt.ts                | 22 ++++++++++++++++
 frontend/src/common/vaultFormat8.ts       | 31 +++++++++++++++++++++--
 frontend/test/common/vaultFormat8.spec.ts | 13 ++++++++++
 3 files changed, 64 insertions(+), 2 deletions(-)

diff --git a/frontend/src/common/jwt.ts b/frontend/src/common/jwt.ts
index 16979d945..58283b76e 100644
--- a/frontend/src/common/jwt.ts
+++ b/frontend/src/common/jwt.ts
@@ -7,6 +7,16 @@ export type JWTHeader = {
 }
 
 export class JWT {
+  public header: any;
+  public payload: any;
+  public signature: Uint8Array;
+
+  private constructor(header: any, payload: any, signature: Uint8Array) {
+    this.header = header;
+    this.payload = payload;
+    this.signature = signature;
+  }
+
   /**
    * Creates a ES384 JWT (signed with ECDSA using P-384 and SHA-384).
    * 
@@ -37,4 +47,16 @@ export class JWT {
     );
     return base64url.stringify(new Uint8Array(signature), { pad: false });
   }
+
+  public static async parse(token: string): Promise<JWT> {
+    const jwtSections = token.split('.');
+    if (jwtSections.length != 3 || !jwtSections[0] || !jwtSections[1] || !jwtSections[2]) {
+      throw new Error('Invalid JWT');
+    }
+
+    const header = JSON.parse(new TextDecoder().decode(base64url.parse(jwtSections[0], { loose: true })));
+    const payload = JSON.parse(new TextDecoder().decode(base64url.parse(jwtSections[1], { loose: true })));
+    const signature = base64url.parse(jwtSections[2], { loose: true });
+    return new JWT(header, payload, signature);
+  }
 }
diff --git a/frontend/src/common/vaultFormat8.ts b/frontend/src/common/vaultFormat8.ts
index 0641b74e6..7cc0ceecf 100644
--- a/frontend/src/common/vaultFormat8.ts
+++ b/frontend/src/common/vaultFormat8.ts
@@ -5,6 +5,7 @@ import { VaultDto } from './backend';
 import config, { absFrontendBaseURL } from './config';
 import { AccessTokenProducing, GCM_NONCE_LEN, OtherVaultMember, UnwrapKeyError, UserKeys, VaultTemplateProducing } from './crypto';
 import { CRC32, wordEncoder } from './util';
+import { JWT } from './jwt';
 
 interface VaultConfigPayload {
   jti: string
@@ -138,6 +139,29 @@ export class VaultFormat8 implements AccessTokenProducing, VaultTemplateProducin
     }
   }
 
+  public static async verifyAndRecover(vaultMetadataToken: string, recoveryKey: string) {
+    //basic validation
+    const vaultMetadata = JWT.parse(vaultMetadataToken);
+
+    const sigSeparatorIndex = vaultMetadataToken.lastIndexOf('.');
+    const headerPlusPayload = vaultMetadataToken.slice(0,sigSeparatorIndex);
+    const signature = vaultMetadataToken.slice(sigSeparatorIndex + 1,vaultMetadataToken.length);
+
+    const message = new TextEncoder().encode(headerPlusPayload);
+    const key = await this.transcodeKey(recoveryKey);
+    var digest = await crypto.subtle.sign(
+      VaultFormat8.MASTERKEY_KEY_DESIGNATION,
+      key,
+      message
+    );
+    const base64urlDigest = base64url.stringify(new Uint8Array(digest), { pad: false });
+    if (!(signature === base64urlDigest)) {
+      throw new Error('Verification failed.');
+    }
+
+    return new VaultFormat8(key);
+  }
+
   /**
    * Restore the master key from a given recovery key, create a new admin signature key pair.
    * @param recoveryKey The recovery key
@@ -145,6 +169,10 @@ export class VaultFormat8 implements AccessTokenProducing, VaultTemplateProducin
    * @throws Error, if passing a malformed recovery key
    */
   public static async recover(recoveryKey: string): Promise<VaultFormat8> {
+    return new VaultFormat8(await this.transcodeKey(recoveryKey));
+  }
+
+  public static async transcodeKey(recoveryKey: string): Promise<CryptoKey> {
     // decode and check recovery key:
     const decoded = wordEncoder.decode(recoveryKey);
     if (decoded.length !== 66) {
@@ -158,14 +186,13 @@ export class VaultFormat8 implements AccessTokenProducing, VaultTemplateProducin
     }
 
     // construct new VaultKeys from recovered key
-    const key = crypto.subtle.importKey(
+    return crypto.subtle.importKey(
       'raw',
       decodedKey,
       VaultFormat8.MASTERKEY_KEY_DESIGNATION,
       true,
       ['sign']
     );
-    return new VaultFormat8(await key);
   }
 
   /** @inheritdoc */
diff --git a/frontend/test/common/vaultFormat8.spec.ts b/frontend/test/common/vaultFormat8.spec.ts
index c4658ab9d..3865db243 100644
--- a/frontend/test/common/vaultFormat8.spec.ts
+++ b/frontend/test/common/vaultFormat8.spec.ts
@@ -87,6 +87,19 @@ describe('Vault Format 8', () => {
     ]);
   });
 
+  it('verifyAndRecover() succeeds for key and corresponding metadata', async () => {
+    const recoveryKey = `
+      exotic ghost cooperate rain writing purple bicycle fixed first elite treaty friendly screen pull middle seventeen passport
+      correctly bored remains give profound ultimate charm haunt retired viable ray delegate indicator race cause aluminium
+      obesity site tactical root rumour theology glory consist comic terribly substance
+      `;
+    const vaultMetadata = 'eyJraWQiOiJtYXN0ZXJrZXlmaWxlOm1hc3RlcmtleS5jcnlwdG9tYXRvciIsInR5cCI6IkpXVCIsImFsZyI6IkhTMjU2In0.eyJmb3JtYXQiOjgsInNob3J0ZW5pbmdUaHJlc2hvbGQiOjIyMCwianRpIjoiZmI0N2IyMDYtM2FjMS00Y2RkLThkNTMtYWE0OWM4NjY4Nzk5IiwiY2lwaGVyQ29tYm8iOiJTSVZfQ1RSTUFDIn0.oSMdTtcC6LtoC37knQpNoPo3biUNFCRfxownXIFf_GM';
+
+    const recovered = await VaultFormat8.verifyAndRecover(vaultMetadata, recoveryKey);
+    const recoveredKey = await crypto.subtle.exportKey('jwk', recovered.masterKey);
+    //TODO: expect(recoveredKey.k).to.eq('VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3dw');
+  });
+
   it('encryptForUser()', async () => {
     const encrypted = await testVault.encryptForUser(alice.keyPair.publicKey);
 

From ea77daf9e75d85f066005fc3b447c9a06ea36df6 Mon Sep 17 00:00:00 2001
From: Armin Schrenk <armin.schrenk@skymatic.de>
Date: Thu, 30 May 2024 11:15:15 +0200
Subject: [PATCH 65/94] Add negative test for vaultFormat8 verfiy and recover

---
 frontend/src/common/vaultFormat8.ts       |  2 +-
 frontend/test/common/vaultFormat8.spec.ts | 16 +++++++++++++---
 2 files changed, 14 insertions(+), 4 deletions(-)

diff --git a/frontend/src/common/vaultFormat8.ts b/frontend/src/common/vaultFormat8.ts
index 7cc0ceecf..7ad167d40 100644
--- a/frontend/src/common/vaultFormat8.ts
+++ b/frontend/src/common/vaultFormat8.ts
@@ -156,7 +156,7 @@ export class VaultFormat8 implements AccessTokenProducing, VaultTemplateProducin
     );
     const base64urlDigest = base64url.stringify(new Uint8Array(digest), { pad: false });
     if (!(signature === base64urlDigest)) {
-      throw new Error('Verification failed.');
+      throw new Error('Recovery key does not match vault file.');
     }
 
     return new VaultFormat8(key);
diff --git a/frontend/test/common/vaultFormat8.spec.ts b/frontend/test/common/vaultFormat8.spec.ts
index 3865db243..eda60efb7 100644
--- a/frontend/test/common/vaultFormat8.spec.ts
+++ b/frontend/test/common/vaultFormat8.spec.ts
@@ -87,7 +87,7 @@ describe('Vault Format 8', () => {
     ]);
   });
 
-  it('verifyAndRecover() succeeds for key and corresponding metadata', async () => {
+  it('verifyAndRecover() succeeds for valid and matching key-metadata-pair', async () => {
     const recoveryKey = `
       exotic ghost cooperate rain writing purple bicycle fixed first elite treaty friendly screen pull middle seventeen passport
       correctly bored remains give profound ultimate charm haunt retired viable ray delegate indicator race cause aluminium
@@ -96,8 +96,18 @@ describe('Vault Format 8', () => {
     const vaultMetadata = 'eyJraWQiOiJtYXN0ZXJrZXlmaWxlOm1hc3RlcmtleS5jcnlwdG9tYXRvciIsInR5cCI6IkpXVCIsImFsZyI6IkhTMjU2In0.eyJmb3JtYXQiOjgsInNob3J0ZW5pbmdUaHJlc2hvbGQiOjIyMCwianRpIjoiZmI0N2IyMDYtM2FjMS00Y2RkLThkNTMtYWE0OWM4NjY4Nzk5IiwiY2lwaGVyQ29tYm8iOiJTSVZfQ1RSTUFDIn0.oSMdTtcC6LtoC37knQpNoPo3biUNFCRfxownXIFf_GM';
 
     const recovered = await VaultFormat8.verifyAndRecover(vaultMetadata, recoveryKey);
-    const recoveredKey = await crypto.subtle.exportKey('jwk', recovered.masterKey);
-    //TODO: expect(recoveredKey.k).to.eq('VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3dw');
+  });
+
+  it('verifyAndRecover() fails for not-matching, but valid key-metadata-pair', async () => {
+    const recoveryKeyA = `
+      exotic ghost cooperate rain writing purple bicycle fixed first elite treaty friendly screen pull middle seventeen passport
+      correctly bored remains give profound ultimate charm haunt retired viable ray delegate indicator race cause aluminium
+      obesity site tactical root rumour theology glory consist comic terribly substance
+      `;
+    const vaultMetdataB = 'eyJraWQiOiJtYXN0ZXJrZXlmaWxlOm1hc3RlcmtleS5jcnlwdG9tYXRvciIsInR5cCI6IkpXVCIsImFsZyI6IkhTMjU2In0.eyJmb3JtYXQiOjgsInNob3J0ZW5pbmdUaHJlc2hvbGQiOjIyMCwianRpIjoiYzU2YmJlNTMtMTYxYS00YjRkLWEyYjktMzE0ODMxYzAxNWJjIiwiY2lwaGVyQ29tYm8iOiJTSVZfR0NNIn0.zPCDsnrBEOT1-X7MVmcMEuP2eqOiqS63V9oM_CcNppg';
+    const keyDoesNotCorrespondToSignature = VaultFormat8.verifyAndRecover(vaultMetdataB, recoveryKeyA);
+
+    expect(keyDoesNotCorrespondToSignature).to.be.rejectedWith(Error, /Recovery key does not match vault file/);
   });
 
   it('encryptForUser()', async () => {

From c2fe76858e4c6ac6aee8986f6d472750b7bcf058 Mon Sep 17 00:00:00 2001
From: Armin Schrenk <armin.schrenk@skymatic.de>
Date: Thu, 30 May 2024 11:33:12 +0200
Subject: [PATCH 66/94] reduce diff

---
 frontend/src/common/vaultFormat8.ts       | 17 +++++++----------
 frontend/test/common/vaultFormat8.spec.ts |  4 ++--
 2 files changed, 9 insertions(+), 12 deletions(-)

diff --git a/frontend/src/common/vaultFormat8.ts b/frontend/src/common/vaultFormat8.ts
index 7ad167d40..af0c07521 100644
--- a/frontend/src/common/vaultFormat8.ts
+++ b/frontend/src/common/vaultFormat8.ts
@@ -139,19 +139,19 @@ export class VaultFormat8 implements AccessTokenProducing, VaultTemplateProducin
     }
   }
 
-  public static async verifyAndRecover(vaultMetadataToken: string, recoveryKey: string) {
+  public static async recoverAndVerify(vaultMetadataToken: string, recoveryKey: string) {
     //basic validation
     const vaultMetadata = JWT.parse(vaultMetadataToken);
 
+    const vault = await this.recover(recoveryKey);
+
     const sigSeparatorIndex = vaultMetadataToken.lastIndexOf('.');
     const headerPlusPayload = vaultMetadataToken.slice(0,sigSeparatorIndex);
     const signature = vaultMetadataToken.slice(sigSeparatorIndex + 1,vaultMetadataToken.length);
-
     const message = new TextEncoder().encode(headerPlusPayload);
-    const key = await this.transcodeKey(recoveryKey);
     var digest = await crypto.subtle.sign(
       VaultFormat8.MASTERKEY_KEY_DESIGNATION,
-      key,
+      vault.masterKey,
       message
     );
     const base64urlDigest = base64url.stringify(new Uint8Array(digest), { pad: false });
@@ -159,7 +159,7 @@ export class VaultFormat8 implements AccessTokenProducing, VaultTemplateProducin
       throw new Error('Recovery key does not match vault file.');
     }
 
-    return new VaultFormat8(key);
+    return vault;
   }
 
   /**
@@ -169,10 +169,6 @@ export class VaultFormat8 implements AccessTokenProducing, VaultTemplateProducin
    * @throws Error, if passing a malformed recovery key
    */
   public static async recover(recoveryKey: string): Promise<VaultFormat8> {
-    return new VaultFormat8(await this.transcodeKey(recoveryKey));
-  }
-
-  public static async transcodeKey(recoveryKey: string): Promise<CryptoKey> {
     // decode and check recovery key:
     const decoded = wordEncoder.decode(recoveryKey);
     if (decoded.length !== 66) {
@@ -186,13 +182,14 @@ export class VaultFormat8 implements AccessTokenProducing, VaultTemplateProducin
     }
 
     // construct new VaultKeys from recovered key
-    return crypto.subtle.importKey(
+    const key = crypto.subtle.importKey(
       'raw',
       decodedKey,
       VaultFormat8.MASTERKEY_KEY_DESIGNATION,
       true,
       ['sign']
     );
+    return new VaultFormat8(await key);
   }
 
   /** @inheritdoc */
diff --git a/frontend/test/common/vaultFormat8.spec.ts b/frontend/test/common/vaultFormat8.spec.ts
index eda60efb7..00d67c2e0 100644
--- a/frontend/test/common/vaultFormat8.spec.ts
+++ b/frontend/test/common/vaultFormat8.spec.ts
@@ -95,7 +95,7 @@ describe('Vault Format 8', () => {
       `;
     const vaultMetadata = 'eyJraWQiOiJtYXN0ZXJrZXlmaWxlOm1hc3RlcmtleS5jcnlwdG9tYXRvciIsInR5cCI6IkpXVCIsImFsZyI6IkhTMjU2In0.eyJmb3JtYXQiOjgsInNob3J0ZW5pbmdUaHJlc2hvbGQiOjIyMCwianRpIjoiZmI0N2IyMDYtM2FjMS00Y2RkLThkNTMtYWE0OWM4NjY4Nzk5IiwiY2lwaGVyQ29tYm8iOiJTSVZfQ1RSTUFDIn0.oSMdTtcC6LtoC37knQpNoPo3biUNFCRfxownXIFf_GM';
 
-    const recovered = await VaultFormat8.verifyAndRecover(vaultMetadata, recoveryKey);
+    const recovered = await VaultFormat8.recoverAndVerify(vaultMetadata, recoveryKey);
   });
 
   it('verifyAndRecover() fails for not-matching, but valid key-metadata-pair', async () => {
@@ -105,7 +105,7 @@ describe('Vault Format 8', () => {
       obesity site tactical root rumour theology glory consist comic terribly substance
       `;
     const vaultMetdataB = 'eyJraWQiOiJtYXN0ZXJrZXlmaWxlOm1hc3RlcmtleS5jcnlwdG9tYXRvciIsInR5cCI6IkpXVCIsImFsZyI6IkhTMjU2In0.eyJmb3JtYXQiOjgsInNob3J0ZW5pbmdUaHJlc2hvbGQiOjIyMCwianRpIjoiYzU2YmJlNTMtMTYxYS00YjRkLWEyYjktMzE0ODMxYzAxNWJjIiwiY2lwaGVyQ29tYm8iOiJTSVZfR0NNIn0.zPCDsnrBEOT1-X7MVmcMEuP2eqOiqS63V9oM_CcNppg';
-    const keyDoesNotCorrespondToSignature = VaultFormat8.verifyAndRecover(vaultMetdataB, recoveryKeyA);
+    const keyDoesNotCorrespondToSignature = VaultFormat8.recoverAndVerify(vaultMetdataB, recoveryKeyA);
 
     expect(keyDoesNotCorrespondToSignature).to.be.rejectedWith(Error, /Recovery key does not match vault file/);
   });

From b2cb75d78afccfbeb5b588b993f1c7d4b1cc0bea Mon Sep 17 00:00:00 2001
From: Armin Schrenk <armin.schrenk@skymatic.de>
Date: Mon, 3 Jun 2024 12:39:15 +0200
Subject: [PATCH 67/94] add doc string

---
 frontend/src/common/vaultFormat8.ts | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/frontend/src/common/vaultFormat8.ts b/frontend/src/common/vaultFormat8.ts
index af0c07521..378c233fe 100644
--- a/frontend/src/common/vaultFormat8.ts
+++ b/frontend/src/common/vaultFormat8.ts
@@ -139,6 +139,13 @@ export class VaultFormat8 implements AccessTokenProducing, VaultTemplateProducin
     }
   }
 
+  /**
+   * Restore the master key from a given recovery key and verify the masterkey matches with the given vault config. On success, creates a new admin signature key pair.
+   * @param vaultMetadataToken Content of the alleged matching vault metadata file vault.cryptomator
+   * @param recoveryKey The recovery key
+   * @returns The recovered master key
+   * @throws Error, if passing a malformed recovery key or the recovery key does not match with the vault metadata
+   */
   public static async recoverAndVerify(vaultMetadataToken: string, recoveryKey: string) {
     //basic validation
     const vaultMetadata = JWT.parse(vaultMetadataToken);

From 64d8ff691f9c9477dbb1819e712ab52ff78443c7 Mon Sep 17 00:00:00 2001
From: Armin Schrenk <armin.schrenk@skymatic.de>
Date: Mon, 3 Jun 2024 13:31:08 +0200
Subject: [PATCH 68/94] add tests for simple jwt parsing

---
 frontend/src/common/jwt.ts       |  6 +++++
 frontend/test/common/jwt.spec.ts | 43 +++++++++++++++++++++++++++++++-
 2 files changed, 48 insertions(+), 1 deletion(-)

diff --git a/frontend/src/common/jwt.ts b/frontend/src/common/jwt.ts
index 58283b76e..b103e24fc 100644
--- a/frontend/src/common/jwt.ts
+++ b/frontend/src/common/jwt.ts
@@ -48,6 +48,12 @@ export class JWT {
     return base64url.stringify(new Uint8Array(signature), { pad: false });
   }
 
+  /**
+   * Parses an encoded JWT token.
+   * Note that only basic JSON /encoding checks are made, neither the header nor the payload are checked for required attributes.
+   * @param token The encoded JWT.
+   * @returns A generic, and maybe still invalid JWT object
+   */
   public static async parse(token: string): Promise<JWT> {
     const jwtSections = token.split('.');
     if (jwtSections.length != 3 || !jwtSections[0] || !jwtSections[1] || !jwtSections[2]) {
diff --git a/frontend/test/common/jwt.spec.ts b/frontend/test/common/jwt.spec.ts
index 9d4829eaa..8c5b6ba58 100644
--- a/frontend/test/common/jwt.spec.ts
+++ b/frontend/test/common/jwt.spec.ts
@@ -1,4 +1,4 @@
-import { expect } from 'chai';
+import { expect, should } from 'chai';
 import { describe } from 'mocha';
 import { JWT, JWTHeader } from '../../src/common/jwt';
 
@@ -61,4 +61,45 @@ describe('JWT', () => {
       expect(jwt).to.be.not.null;
     });
   });
+
+  describe('Simple JWT parsing',() => {
+    it('parse() accepts any valid base64url encoded *JWT-likeish* string.', () => {
+      const validJSON = 'eyJmb28iOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYmFyIjp0cnVlfQ'; // '{"foo":"1234567890","name":"John Doe","bar":true}'
+
+      const parseResult = JWT.parse(validJSON + '.' + validJSON + '.' + validJSON);
+      expect(parseResult).to.be.fulfilled;
+    }),
+
+    it('parse() throws error on invalid base64url encoded jwt string', () => {
+      const invalidJSON = 'eyJhbGciOiJIUzI1NiIsInR5cH0'; //{"foo":"bar","error}
+      const validJSON = 'eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ'; //{"sub":"1234567890","name":"John Doe","iat":1516239022}
+      const noBase64 = 'foob$r';
+      const validBase64 = 'SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c';
+
+      const notEnoughSections = JWT.parse('a.b');
+      const emptyHeader = JWT.parse('.a.b');
+      const emptyPayload = JWT.parse('a..b');
+      const emptySignature = JWT.parse('a.b.');
+      const tooManySections = JWT.parse('a.b.c.d');
+
+      const headerNoBase64 = JWT.parse(noBase64 + '.' + validJSON + '.' + validBase64);
+      const payloadNoBase64 = JWT.parse(validJSON + '.' + noBase64 + '.' + validBase64);
+      const signatureNoBase64 = JWT.parse(validJSON + '.' + validJSON + '.' + noBase64);
+
+      const headerInvalidJSON = JWT.parse(invalidJSON + '.' + validJSON + '.' + validBase64);
+      const payloadInvalidJSON = JWT.parse(validJSON + '.' + invalidJSON + '.' + validBase64);
+      return Promise.all([
+        expect(notEnoughSections).to.be.rejectedWith(Error, /Invalid JWT/),
+        expect(emptyHeader).to.be.rejectedWith(Error, /Invalid JWT/),
+        expect(emptyPayload).to.be.rejectedWith(Error, /Invalid JWT/),
+        expect(emptySignature).to.be.rejectedWith(Error, /Invalid JWT/),
+        expect(tooManySections).to.be.rejectedWith(Error, /Invalid JWT/),
+        expect(headerNoBase64).to.be.rejected,
+        expect(payloadNoBase64).to.be.rejected,
+        expect(signatureNoBase64).to.be.rejected,
+        expect(headerInvalidJSON).to.be.rejected,
+        expect(payloadInvalidJSON).to.be.rejected,
+      ]);
+    });
+  });
 });

From eaaad2488c1b07041ebe759ab6236c366c9fa235 Mon Sep 17 00:00:00 2001
From: Armin Schrenk <armin.schrenk@skymatic.de>
Date: Mon, 3 Jun 2024 16:30:32 +0200
Subject: [PATCH 69/94] improve error handling

---
 frontend/src/common/universalVaultFormat.ts | 19 ++++++++++++++++---
 frontend/src/common/vaultFormat8.ts         | 21 +++++++++++++++++----
 frontend/src/components/CreateVault.vue     | 15 +++++++--------
 3 files changed, 40 insertions(+), 15 deletions(-)

diff --git a/frontend/src/common/universalVaultFormat.ts b/frontend/src/common/universalVaultFormat.ts
index 62dde1889..a11f6a9e5 100644
--- a/frontend/src/common/universalVaultFormat.ts
+++ b/frontend/src/common/universalVaultFormat.ts
@@ -117,13 +117,20 @@ export class RecoveryKey {
    * Restores the Recovery Key Pair
    * @param recoveryKey the encoded recovery key
    * @returns complete recovery key for decrypting vault metadata
+   * @throws DecodeUvfRecoveryKeyError, if passing a malformed recovery key
    */
   public static async recover(recoveryKey: string): Promise<RecoveryKey> {
     // decode and check recovery key:
-    const decoded = wordEncoder.decode(recoveryKey);
+    let decoded;
+    try {
+      decoded = wordEncoder.decode(recoveryKey);
+    } catch (error) {
+      throw new DecodeUvfRecoveryKeyError( error instanceof Error ? error.message : 'Internal error');
+    }
+
     const paddingLength = decoded[decoded.length - 1];
     if (paddingLength > 0x03) {
-      throw new Error('Invalid padding');
+      throw new DecodeUvfRecoveryKeyError('Invalid padding');
     }
     const unpadded = decoded.subarray(0, -paddingLength);
     const checksum = unpadded.subarray(-2);
@@ -131,7 +138,7 @@ export class RecoveryKey {
     const crc32 = CRC32.compute(rawkey);
     if (checksum[0] !== (crc32 & 0xFF)
       || checksum[1] !== (crc32 >> 8 & 0xFF)) {
-      throw new Error('Invalid recovery key checksum.');
+      throw new DecodeUvfRecoveryKeyError('Invalid recovery key checksum.');
     }
 
     // construct new RecoveryKey from recovered key
@@ -196,8 +203,14 @@ export class RecoveryKey {
       y: jwk.y
     });
   }
+}
 
+export class DecodeUvfRecoveryKeyError extends Error {
+  constructor(message: string) {
+    super(message);
+  }
 }
+
 // #endregion
 
 // #region Vault metadata
diff --git a/frontend/src/common/vaultFormat8.ts b/frontend/src/common/vaultFormat8.ts
index 378c233fe..6ed1c08d9 100644
--- a/frontend/src/common/vaultFormat8.ts
+++ b/frontend/src/common/vaultFormat8.ts
@@ -173,19 +173,25 @@ export class VaultFormat8 implements AccessTokenProducing, VaultTemplateProducin
    * Restore the master key from a given recovery key, create a new admin signature key pair.
    * @param recoveryKey The recovery key
    * @returns The recovered master key
-   * @throws Error, if passing a malformed recovery key
+   * @throws DecodeVf8RecoveryKeyError, if passing a malformed recovery key
    */
   public static async recover(recoveryKey: string): Promise<VaultFormat8> {
     // decode and check recovery key:
-    const decoded = wordEncoder.decode(recoveryKey);
+    let decoded;
+    try {
+      decoded = wordEncoder.decode(recoveryKey);
+    } catch (error) {
+      throw new DecodeVf8RecoveryKeyError( error instanceof Error ? error.message : 'Internal error');
+    }
+
     if (decoded.length !== 66) {
-      throw new Error('Invalid recovery key length.');
+      throw new DecodeVf8RecoveryKeyError('Invalid recovery key length.');
     }
     const decodedKey = decoded.subarray(0, 64);
     const crc32 = CRC32.compute(decodedKey);
     if (decoded[64] !== (crc32 & 0xFF)
       || decoded[65] !== (crc32 >> 8 & 0xFF)) {
-      throw new Error('Invalid recovery key checksum.');
+      throw new DecodeVf8RecoveryKeyError('Invalid recovery key checksum.');
     }
 
     // construct new VaultKeys from recovered key
@@ -302,3 +308,10 @@ export class VaultFormat8 implements AccessTokenProducing, VaultTemplateProducin
     return wordEncoder.encodePadded(combined);
   }
 }
+
+
+export class DecodeVf8RecoveryKeyError extends Error {
+  constructor(message: string) {
+    super(message);
+  }
+}
diff --git a/frontend/src/components/CreateVault.vue b/frontend/src/components/CreateVault.vue
index e3d603850..b3095c4ff 100644
--- a/frontend/src/components/CreateVault.vue
+++ b/frontend/src/components/CreateVault.vue
@@ -82,7 +82,8 @@
             </button>
             <div v-if="onRecoverError != null">
               <p v-if="onRecoverError instanceof FormValidationFailedError" class="text-sm text-red-900 mt-2">{{ t('createVault.error.formValidationFailed') }}</p>
-              <p v-else class="text-sm text-red-900 mt-2">{{ t('createVault.error.invalidRecoveryKey') }}</p>
+              <p v-if="onRecoverError instanceof DecodeUvfRecoveryKeyError || onRecoverError instanceof DecodeVf8RecoveryKeyError" class="text-sm text-red-900 mt-2">{{ t('createVault.error.invalidRecoveryKey') }}</p>
+              <p v-else class="text-sm text-red-900 mt-2">TODO: illegal vault metadata</p>
             </div>
           </div>
         </div>
@@ -271,9 +272,9 @@ import { useI18n } from 'vue-i18n';
 import backend, { AccessGrant, PaymentRequiredError, VaultDto } from '../common/backend';
 import { absBackendBaseURL } from '../common/config';
 import { VaultTemplateProducing } from '../common/crypto';
-import { UniversalVaultFormat } from '../common/universalVaultFormat';
+import { DecodeUvfRecoveryKeyError, UniversalVaultFormat } from '../common/universalVaultFormat';
 import { debounce } from '../common/util';
-import { VaultFormat8 } from '../common/vaultFormat8';
+import { DecodeVf8RecoveryKeyError, VaultFormat8 } from '../common/vaultFormat8';
 
 enum State {
   Initial,
@@ -425,7 +426,7 @@ async function validateAndSetMetadataFile(file: File | null) {
 
 async function validateRecoveryKey() {
   onRecoverError.value = null;
-  if (!form.value?.checkValidity()) {
+  if (!form.value?.checkValidity() || !vaultMetadata.value ) {
     onRecoverError.value = new FormValidationFailedError();
     return;
   }
@@ -437,11 +438,9 @@ async function recoverVault() {
   try {
     processing.value = true;
     if (vaultType.value == VaultType.UniversalVaultFormat) {
-      //uvfVault.value = await UniversalVaultFormat.recover(uvfMetadataFile, recoveryKeyStr.value);
-      console.log('TODO UVF Recover');
+      uvfVault.value = await UniversalVaultFormat.recover(vaultMetadata.value, recoveryKeyStr.value);
     } else {
-      vaultFormat8.value = await VaultFormat8.recover(recoveryKeyStr.value);
-      //TODO: implement function to validate
+      vaultFormat8.value = await VaultFormat8.recoverAndVerify(vaultMetadata.value, recoveryKeyStr.value);
     }
     state.value = State.EnterVaultDetails;
   } catch (error) {

From 597b2cc2f7bdaf2b33b94dfe29dfa6c4938018ed Mon Sep 17 00:00:00 2001
From: Armin Schrenk <armin.schrenk@skymatic.de>
Date: Mon, 3 Jun 2024 16:54:54 +0200
Subject: [PATCH 70/94] add error translations

---
 frontend/src/components/CreateVault.vue | 12 +++++-------
 frontend/src/i18n/de-DE.json            |  9 +++++++--
 frontend/src/i18n/en-US.json            |  7 ++++++-
 3 files changed, 18 insertions(+), 10 deletions(-)

diff --git a/frontend/src/components/CreateVault.vue b/frontend/src/components/CreateVault.vue
index b3095c4ff..d810b60e3 100644
--- a/frontend/src/components/CreateVault.vue
+++ b/frontend/src/components/CreateVault.vue
@@ -4,7 +4,7 @@
   </div>
 
   <div v-else-if="state == State.EnterRecoveryKey" @drop.prevent="" @dragover.prevent="">
-    <form ref="form" novalidate @submit.prevent="validateRecoveryKey()">
+    <form ref="form" novalidate @submit.prevent="validateRecoveryKey()" >
       <div class="flex justify-center">
         <div class="bg-white px-4 py-5 shadow sm:rounded-lg sm:p-6 text-center sm:w-full sm:max-w-lg">
           <div class="mx-auto flex items-center justify-center h-12 w-12 rounded-full bg-emerald-100">
@@ -15,7 +15,6 @@
               {{ t('createVault.enterRecoveryKey.title') }}
             </h3>
             <div class="mt-2">
-              <!-- TODO: this text must be altered -->
               <p class="text-sm text-gray-500">
                 {{ t('createVault.enterRecoveryKey.description') }}
               </p>
@@ -65,10 +64,9 @@
                   <XCircleIcon class="h-5 w-5 text-red-400" aria-hidden="true" />
                 </div>
                 <div class="ml-3 flex-1 md:flex md:justify-between">
-                  <p v-if="onUploadError instanceof FileTooBigError" class="text-sm text-red-700">TODO Too big!</p>
-                  <p v-else-if="onUploadError instanceof NoFileError" class="text-sm text-red-700">TODO File could not be uploaded</p>
-                  <p v-else-if="onUploadError instanceof WrongFileNameError" class="text-sm text-red-700">TODO Wrong files!</p>
-                  <p v-else class="text-sm text-red-700">TODO Error uploading and reading file</p>
+                  <p v-if="onUploadError instanceof FileTooBigError" class="text-sm text-red-700">{{ t('createVault.error.uploadTooBig') }}</p>
+                  <p v-else-if="onUploadError instanceof WrongFileNameError" class="text-sm text-red-700">{{ t('createVault.error.wrongFileName') }}</p>
+                  <p v-else class="text-sm text-red-700">{{ t('createVault.error.failedUpload') }}</p>
                 </div>
               </div>
             </div>
@@ -83,7 +81,7 @@
             <div v-if="onRecoverError != null">
               <p v-if="onRecoverError instanceof FormValidationFailedError" class="text-sm text-red-900 mt-2">{{ t('createVault.error.formValidationFailed') }}</p>
               <p v-if="onRecoverError instanceof DecodeUvfRecoveryKeyError || onRecoverError instanceof DecodeVf8RecoveryKeyError" class="text-sm text-red-900 mt-2">{{ t('createVault.error.invalidRecoveryKey') }}</p>
-              <p v-else class="text-sm text-red-900 mt-2">TODO: illegal vault metadata</p>
+              <p v-else class="text-sm text-red-900 mt-2">{{ t('createVault.error.keyDoesNotMatchMetadata') }}</p>
             </div>
           </div>
         </div>
diff --git a/frontend/src/i18n/de-DE.json b/frontend/src/i18n/de-DE.json
index cf9a49d15..5b7fd5fb2 100644
--- a/frontend/src/i18n/de-DE.json
+++ b/frontend/src/i18n/de-DE.json
@@ -90,8 +90,9 @@
   "fetchError.title": "Abruf von Daten fehlgeschlagen",
 
   "createVault.enterRecoveryKey.title": "Tresor wiederherstellen",
-  "createVault.enterRecoveryKey.description": "Gib den Wiederherstellungsschlüssel deines bestehenden Tresors ein, um daraus eine neue Tresorvorlage zu erstellen.",
+  "createVault.enterRecoveryKey.description": "Gib den Wiederherstellungsschlüssel deines bestehenden Tresors ein und lade die dazugehörige Tresormetadatendatei hoch, um daraus einen neue Tresor mit gleichem Schlüssel zu erstellen.",
   "createVault.enterRecoveryKey.recoveryKey": "Wiederherstellungsschlüssel für deinen Tresor",
+  "createVault.enterRecoveryKey.vaultMetadataFile": "Tresormetadatendatei deines Tresors",
   "createVault.enterRecoveryKey.submit": "Tresor wiederherstellen",
   "createVault.enterVaultDetails.title": "Tresor erstellen",
   "createVault.enterVaultDetails.description": "Gib einen Namen und eine Beschreibung für deinen neuen Tresor ein. Du kannst diese später ändern.",
@@ -104,7 +105,11 @@
   "createVault.showRecoveryKey.submit": "Tresor erstellen",
   "createVault.error.illegalVaultName": "Der Tresorname darf keines der folgenden Zeichen beinhalten:",
   "createVault.error.formValidationFailed": "Bitte überprüfe das Formular und versuche es erneut.",
+  "createVault.error.uploadTooBig": "Die Tresormetadatendatei ist zu groß. Es werden nur Dateien bis zu 8KB akzeptiert.",
+  "createVault.error.failedUpload": "Die Tresormetadatendatei konnte nicht hochgeladen werden.",
+  "createVault.error.wrongFileName": "Die hochgeladene Datei ist nicht wie eine Tresormetadatendatei benannt. Erlaubte Namen sind 'vault.cryptomator' oder 'vault.uvf'.",
   "createVault.error.invalidRecoveryKey": "Wiederherstellungsschlüssel ist ungültig.",
+  "createVault.error.keyDoesNotMatchMetadata": "Der eingegebene Wiederherstellungsschlüssel passt nicht zur hochgeladenen Tresormetadatendatei.",
   "createVault.error.vaultAlreadyExists": "Ein Tresor mit dem angegebenen Namen existiert bereits.",
   "createVault.error.downloadTemplateFailed": "Download der Tresorvorlage fehlgeschlagen: {0}",
   "createVault.error.paymentRequired": "Deine Cryptomator Hub Lizenz hat die Anzahl der verfügbaren Sitze überschritten oder ist abgelaufen. Bitte informiere einen Hub-Administrator, um die Lizenz zu erneuern oder zu erweitern.",
@@ -182,7 +187,7 @@
 
   "recoveryKeyDialog.title": "Wiederherstellungsschlüssel",
   "recoveryKeyDialog.description": "Dies ist dein Wiederherstellungsschlüssel für „{0}“. Verwahre ihn gut, er ist im Falle eines Systemausfalls deine einzige Möglichkeit, auf einen Tresor zuzugreifen.",
-  "recoveryKeyDialog.recoveryKey": "Wiederherstellungsschlüssel für deinen Tresor",
+  "recoveryKeyDialog.recoveryKey": "Wiederherstellungsschlüssel",
 
   "recoverVaultDialog.title": "Tresor Wiederherstellung",
   "recoverVaultDialog.description": "Gib den Wiederherstellungsschlüssel für den Tresor ein, um den Zugriff auf den Tresor wiederherzustellen.",
diff --git a/frontend/src/i18n/en-US.json b/frontend/src/i18n/en-US.json
index 4fa0e26dd..742290e6d 100644
--- a/frontend/src/i18n/en-US.json
+++ b/frontend/src/i18n/en-US.json
@@ -90,8 +90,9 @@
   "fetchError.title": "Fetching data failed",
 
   "createVault.enterRecoveryKey.title": "Recover Vault",
-  "createVault.enterRecoveryKey.description": "Enter the recovery key of your existing vault to create a new vault template from it.",
+  "createVault.enterRecoveryKey.description": "Enter the recovery key and upload the matching vault metadata file of your vault to create a new one with the same keys.",
   "createVault.enterRecoveryKey.recoveryKey": "Recovery Key of Your Vault",
+  "createVault.enterRecoveryKey.vaultMetadataFile": "Vault metadata file of Your Vault",
   "createVault.enterRecoveryKey.submit": "Recover Vault",
   "createVault.enterVaultDetails.title": "Create Vault",
   "createVault.enterVaultDetails.description": "Enter a name and description for your new vault. You can change these later.",
@@ -104,7 +105,11 @@
   "createVault.showRecoveryKey.submit": "Create Vault",
   "createVault.error.illegalVaultName": "The vault name must not contain any of the following characters:",
   "createVault.error.formValidationFailed": "Please check the form and try again.",
+  "createVault.error.uploadTooBig": "The vault metadata file is too big. Files up to 8KB are supported.",
+  "createVault.error.failedUpload": "The vault metadata file could not be uploaded.",
+  "createVault.error.wrongFileName": "The uploaded file is not named like as a vault metadata file. Allowed names are 'vault.cryptomator' or 'vault.uvf'.",
   "createVault.error.invalidRecoveryKey": "Recovery key is invalid.",
+  "createVault.error.keyDoesNotMatchMetadata": "The given recovery key does not match the uploaded vault metadata file.",
   "createVault.error.vaultAlreadyExists": "A vault with the given name already exists.",
   "createVault.error.downloadTemplateFailed": "Download of vault template failed: {0}",
   "createVault.error.paymentRequired": "Your Cryptomator Hub license has exceeded the number of available seats or has expired. Please inform a Hub administrator to upgrade or renew the license.",

From b7a0687ba749d29c629ca80fe307fef5d2239650 Mon Sep 17 00:00:00 2001
From: Armin Schrenk <armin.schrenk@skymatic.de>
Date: Wed, 5 Jun 2024 11:48:56 +0200
Subject: [PATCH 71/94] more wording/translations

---
 frontend/src/common/universalVaultFormat.ts |  3 ++-
 frontend/src/common/vaultFormat8.ts         |  3 ++-
 frontend/src/components/CreateVault.vue     | 10 ++++++----
 frontend/src/i18n/de-DE.json                |  4 ++++
 frontend/src/i18n/en-US.json                |  6 +++++-
 5 files changed, 19 insertions(+), 7 deletions(-)

diff --git a/frontend/src/common/universalVaultFormat.ts b/frontend/src/common/universalVaultFormat.ts
index a11f6a9e5..c3d1cc88f 100644
--- a/frontend/src/common/universalVaultFormat.ts
+++ b/frontend/src/common/universalVaultFormat.ts
@@ -125,7 +125,8 @@ export class RecoveryKey {
     try {
       decoded = wordEncoder.decode(recoveryKey);
     } catch (error) {
-      throw new DecodeUvfRecoveryKeyError( error instanceof Error ? error.message : 'Internal error');
+      console.error(error);
+      throw new DecodeUvfRecoveryKeyError( error instanceof Error ? error.message : 'Internal error. See console log for more info.');
     }
 
     const paddingLength = decoded[decoded.length - 1];
diff --git a/frontend/src/common/vaultFormat8.ts b/frontend/src/common/vaultFormat8.ts
index 6ed1c08d9..4a5cce1a3 100644
--- a/frontend/src/common/vaultFormat8.ts
+++ b/frontend/src/common/vaultFormat8.ts
@@ -181,7 +181,8 @@ export class VaultFormat8 implements AccessTokenProducing, VaultTemplateProducin
     try {
       decoded = wordEncoder.decode(recoveryKey);
     } catch (error) {
-      throw new DecodeVf8RecoveryKeyError( error instanceof Error ? error.message : 'Internal error');
+      console.error(error);
+      throw new DecodeVf8RecoveryKeyError( error instanceof Error ? error.message : 'Internal error. See console log for more info.');
     }
 
     if (decoded.length !== 66) {
diff --git a/frontend/src/components/CreateVault.vue b/frontend/src/components/CreateVault.vue
index d810b60e3..abc604223 100644
--- a/frontend/src/components/CreateVault.vue
+++ b/frontend/src/components/CreateVault.vue
@@ -46,16 +46,16 @@
               <div v-if="(vaultMetadata?.length ?? 0) == 0" class="text-center">
                 <ArrowUpOnSquareIcon class="mx-auto h-12 w-12 text-gray-300" aria-hidden="true" />
                 <p class="mt-2 block text-sm font-semibold text-gray-900">
-                  Upload vault metadata file or drag and drop
+                  {{ t('createVault.enterRecoveryKey.uploadCaption') }}
                 </p>
-                <p class="text-xs leading-5 text-gray-600">vault.cryptomator or vault.uvf</p>
+                <p class="text-xs leading-5 text-gray-600">{{ t('createVault.enterRecoveryKey.uploadSubcaption') }}</p>
               </div>
               <div v-else class="text-center">
                 <DocumentCheckIcon class="mx-auto h-12 w-12 text-primary" aria-hidden="true" />
                 <p class="mt-2 block text-sm font-semibold text-gray-900">
-                  Upload successful
+                  {{ t('createVault.enterRecoveryKey.uploadSuccessCaption', [metadataFilename]) }}
                 </p>
-                <p class="text-xs leading-5 text-gray-600">To replace, click and select or drag and drop a different file. </p>
+                <p class="text-xs leading-5 text-gray-600">{{ t('createVault.enterRecoveryKey.uploadSuccessSubcaption') }}</p>
               </div>
             </div>
             <div v-if="onUploadError" class="rounded-md bg-red-50 p-4">
@@ -273,6 +273,7 @@ import { VaultTemplateProducing } from '../common/crypto';
 import { DecodeUvfRecoveryKeyError, UniversalVaultFormat } from '../common/universalVaultFormat';
 import { debounce } from '../common/util';
 import { DecodeVf8RecoveryKeyError, VaultFormat8 } from '../common/vaultFormat8';
+import { computed } from 'vue';
 
 enum State {
   Initial,
@@ -345,6 +346,7 @@ const vaultFormat8 = ref<VaultFormat8>();
 const recoveryKeyStr = ref<string>('');
 const uvfVault = ref<UniversalVaultFormat>();
 
+const metadataFilename = computed(() => vaultType.value == VaultType.VaultFormat8 ? 'vault.cryptomator' : 'vault.uvf');
 const vaultMetadata = ref<string>('');
 const isDraggingOver = ref<boolean>(false);
 
diff --git a/frontend/src/i18n/de-DE.json b/frontend/src/i18n/de-DE.json
index 5b7fd5fb2..af96d0cd5 100644
--- a/frontend/src/i18n/de-DE.json
+++ b/frontend/src/i18n/de-DE.json
@@ -93,6 +93,10 @@
   "createVault.enterRecoveryKey.description": "Gib den Wiederherstellungsschlüssel deines bestehenden Tresors ein und lade die dazugehörige Tresormetadatendatei hoch, um daraus einen neue Tresor mit gleichem Schlüssel zu erstellen.",
   "createVault.enterRecoveryKey.recoveryKey": "Wiederherstellungsschlüssel für deinen Tresor",
   "createVault.enterRecoveryKey.vaultMetadataFile": "Tresormetadatendatei deines Tresors",
+  "createVault.enterRecoveryKey.uploadCaption": "Datei hochladen oder per Drag & Drop ziehen",
+  "createVault.enterRecoveryKey.uploadSubcaption": "vault.cryptomator oder vault.uvf",
+  "createVault.enterRecoveryKey.uploadSuccessCaption": "Datei \"{0}\" erfolgreich hochgeladen.",
+  "createVault.enterRecoveryKey.uploadSuccessSubcaption": "Zum ersetzen, wähle eine andere Datei oder ziehe sie per Drag & Drop.",
   "createVault.enterRecoveryKey.submit": "Tresor wiederherstellen",
   "createVault.enterVaultDetails.title": "Tresor erstellen",
   "createVault.enterVaultDetails.description": "Gib einen Namen und eine Beschreibung für deinen neuen Tresor ein. Du kannst diese später ändern.",
diff --git a/frontend/src/i18n/en-US.json b/frontend/src/i18n/en-US.json
index 742290e6d..e48a6af48 100644
--- a/frontend/src/i18n/en-US.json
+++ b/frontend/src/i18n/en-US.json
@@ -90,9 +90,13 @@
   "fetchError.title": "Fetching data failed",
 
   "createVault.enterRecoveryKey.title": "Recover Vault",
-  "createVault.enterRecoveryKey.description": "Enter the recovery key and upload the matching vault metadata file of your vault to create a new one with the same keys.",
+  "createVault.enterRecoveryKey.description": "Enter the recovery key and upload the vault metadata file of your vault to create a new one with the same keys.",
   "createVault.enterRecoveryKey.recoveryKey": "Recovery Key of Your Vault",
   "createVault.enterRecoveryKey.vaultMetadataFile": "Vault metadata file of Your Vault",
+  "createVault.enterRecoveryKey.uploadCaption": "Upload vault metadata file or drag and drop",
+  "createVault.enterRecoveryKey.uploadSubcaption": "vault.cryptomator or vault.uvf",
+  "createVault.enterRecoveryKey.uploadSuccessCaption": "File \"{0}\" successfully uploaded.",
+  "createVault.enterRecoveryKey.uploadSuccessSubcaption": "To replace, click and select or drag and drop a different file.",
   "createVault.enterRecoveryKey.submit": "Recover Vault",
   "createVault.enterVaultDetails.title": "Create Vault",
   "createVault.enterVaultDetails.description": "Enter a name and description for your new vault. You can change these later.",

From afd370f36a6ff3aabddc846104f55414053f348c Mon Sep 17 00:00:00 2001
From: Armin Schrenk <armin.schrenk@skymatic.de>
Date: Wed, 5 Jun 2024 11:50:05 +0200
Subject: [PATCH 72/94] fix display bug

---
 frontend/src/components/CreateVault.vue | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/frontend/src/components/CreateVault.vue b/frontend/src/components/CreateVault.vue
index abc604223..b8c3785ac 100644
--- a/frontend/src/components/CreateVault.vue
+++ b/frontend/src/components/CreateVault.vue
@@ -80,7 +80,7 @@
             </button>
             <div v-if="onRecoverError != null">
               <p v-if="onRecoverError instanceof FormValidationFailedError" class="text-sm text-red-900 mt-2">{{ t('createVault.error.formValidationFailed') }}</p>
-              <p v-if="onRecoverError instanceof DecodeUvfRecoveryKeyError || onRecoverError instanceof DecodeVf8RecoveryKeyError" class="text-sm text-red-900 mt-2">{{ t('createVault.error.invalidRecoveryKey') }}</p>
+              <p v-else-if="onRecoverError instanceof DecodeUvfRecoveryKeyError || onRecoverError instanceof DecodeVf8RecoveryKeyError" class="text-sm text-red-900 mt-2">{{ t('createVault.error.invalidRecoveryKey') }}</p>
               <p v-else class="text-sm text-red-900 mt-2">{{ t('createVault.error.keyDoesNotMatchMetadata') }}</p>
             </div>
           </div>

From 917fedcc2c343e6c5cd1cee65a29b332dac76b0d Mon Sep 17 00:00:00 2001
From: Sebastian Stenzel <sebastian.stenzel@skymatic.de>
Date: Thu, 6 Jun 2024 12:26:20 +0200
Subject: [PATCH 73/94] use new JWE parser in `userdata.ts`

---
 frontend/src/common/userdata.ts | 16 +++++++++++++---
 1 file changed, 13 insertions(+), 3 deletions(-)

diff --git a/frontend/src/common/userdata.ts b/frontend/src/common/userdata.ts
index 800f6c80b..d0f72040c 100644
--- a/frontend/src/common/userdata.ts
+++ b/frontend/src/common/userdata.ts
@@ -1,7 +1,7 @@
 import { base64 } from 'rfc4648';
 import backend, { DeviceDto, UserDto } from './backend';
 import { BrowserKeys, UserKeys } from './crypto';
-import { JWEParser } from './jwe';
+import { JWE, Recipient } from './jwe';
 
 class UserData {
 
@@ -120,6 +120,16 @@ class UserData {
     return userKeys;
   }
 
+  public async decryptSetupCode(userKeys: UserKeys): Promise<string> {
+    const me = await this.me;
+    if (me.setupCode) {
+      const payload: { setupCode: string } = await JWE.parseCompact(me.setupCode).decrypt(Recipient.ecdhEs('org.cryptomator.hub.userkey', userKeys.ecdhKeyPair.privateKey));
+      return payload.setupCode;
+    } else {
+      throw new Error('User not set up yet.');
+    }
+  }
+
   /**
    * Updates the stored user keys, if the ECDSA key was missing before (added in 1.4.0)
    * @param userKeys The user keys that contain the ECDSA key
@@ -127,9 +137,9 @@ class UserData {
   private async addEcdsaKeyIfMissing(userKeys: UserKeys) {
     const me = await this.me;
     if (me.setupCode && !me.ecdsaPublicKey) {
-      const payload: { setupCode: string } = await JWEParser.parse(me.setupCode).decryptEcdhEs(userKeys.ecdhKeyPair.privateKey);
+      const setupCode = await this.decryptSetupCode(userKeys);
       me.ecdsaPublicKey = await userKeys.encodedEcdsaPublicKey();
-      me.privateKey = await userKeys.encryptWithSetupCode(payload.setupCode);
+      me.privateKey = await userKeys.encryptWithSetupCode(setupCode);
       for (const device of me.devices) {
         device.userPrivateKey = await userKeys.encryptForDevice(base64.parse(device.publicKey));
       }

From 847ecc48b20674e22ff8ebc54db2b9ee201f801b Mon Sep 17 00:00:00 2001
From: Sebastian Stenzel <sebastian.stenzel@skymatic.de>
Date: Thu, 6 Jun 2024 12:26:32 +0200
Subject: [PATCH 74/94] dedup

---
 frontend/src/components/ManageSetupCode.vue | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/frontend/src/components/ManageSetupCode.vue b/frontend/src/components/ManageSetupCode.vue
index e2021393b..bbc9dc5a1 100644
--- a/frontend/src/components/ManageSetupCode.vue
+++ b/frontend/src/components/ManageSetupCode.vue
@@ -48,7 +48,6 @@
 import { ClipboardIcon, EyeIcon, EyeSlashIcon } from '@heroicons/vue/20/solid';
 import { nextTick, onMounted, ref } from 'vue';
 import { useI18n } from 'vue-i18n';
-import { JWE, Recipient } from '../common/jwe';
 import userdata from '../common/userdata';
 import { debounce } from '../common/util';
 import FetchError from './FetchError.vue';
@@ -73,8 +72,7 @@ async function fetchData() {
       throw new Error('Invalid state');
     }
     const userKeys = await userdata.decryptUserKeysWithBrowser();
-    const payload : { setupCode: string } = await JWE.parseCompact(me.setupCode).decrypt(Recipient.ecdhEs('org.cryptomator.hub.userkey', userKeys.ecdhKeyPair.privateKey));
-    setupCode.value = payload.setupCode;
+    setupCode.value = await userdata.decryptSetupCode(userKeys);
   } catch (error) {
     console.error('Retrieving setup code failed.', error);
     onFetchError.value = error instanceof Error ? error : new Error('Unknown Error');

From 26369a57a68093f3f0480a2dbc68fa57007e60f6 Mon Sep 17 00:00:00 2001
From: Sebastian Stenzel <sebastian.stenzel@skymatic.de>
Date: Thu, 6 Jun 2024 16:59:03 +0200
Subject: [PATCH 75/94] adjust DTO to carry both EC keys

---
 .../java/org/cryptomator/hub/api/MemberDto.java   | 15 +++++++++------
 1 file changed, 9 insertions(+), 6 deletions(-)

diff --git a/backend/src/main/java/org/cryptomator/hub/api/MemberDto.java b/backend/src/main/java/org/cryptomator/hub/api/MemberDto.java
index 3da705453..dd2219b3e 100644
--- a/backend/src/main/java/org/cryptomator/hub/api/MemberDto.java
+++ b/backend/src/main/java/org/cryptomator/hub/api/MemberDto.java
@@ -7,23 +7,26 @@
 
 public final class MemberDto extends AuthorityDto {
 
-	@JsonProperty("publicKey")
-	public final String publicKey;
+	@JsonProperty("ecdhPublicKey")
+	public final String ecdhPublicKey;
+	@JsonProperty("ecdsaPublicKey")
+	public final String ecdsaPublicKey;
 	@JsonProperty("role")
 	public final VaultAccess.Role role;
 
-	MemberDto(@JsonProperty("id") String id, @JsonProperty("type") Type type, @JsonProperty("name") String name, @JsonProperty("pictureUrl") String pictureUrl, @JsonProperty("publicKey") String publicKey, @JsonProperty("role") VaultAccess.Role role) {
+	MemberDto(@JsonProperty("id") String id, @JsonProperty("type") Type type, @JsonProperty("name") String name, @JsonProperty("pictureUrl") String pictureUrl, @JsonProperty("ecdhPublicKey") String ecdhPublicKey, @JsonProperty("ecdsaPublicKey") String ecdsaPublicKey, @JsonProperty("role") VaultAccess.Role role) {
 		super(id, type, name, pictureUrl);
-		this.publicKey = publicKey;
+		this.ecdhPublicKey = ecdhPublicKey;
+		this.ecdsaPublicKey = ecdsaPublicKey;
 		this.role = role;
 	}
 
 	public static MemberDto fromEntity(User user, VaultAccess.Role role) {
-		return new MemberDto(user.getId(), Type.USER, user.getName(), user.getPictureUrl(), user.getPublicKey(), role);
+		return new MemberDto(user.getId(), Type.USER, user.getName(), user.getPictureUrl(), user.getEcdhPublicKey(), user.getEcdsaPublicKey(), role);
 	}
 
 	public static MemberDto fromEntity(Group group, VaultAccess.Role role) {
-		return new MemberDto(group.getId(), Type.GROUP, group.getName(), null, null, role);
+		return new MemberDto(group.getId(), Type.GROUP, group.getName(), null, null, null, role);
 	}
 
 }

From fd0add414d74c403068a82f62f5c9f5a5154c2aa Mon Sep 17 00:00:00 2001
From: Sebastian Stenzel <sebastian.stenzel@skymatic.de>
Date: Sun, 3 Nov 2024 14:12:40 +0100
Subject: [PATCH 76/94] fixed test

---
 .../src/test/java/org/cryptomator/hub/api/VaultResourceIT.java  | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/backend/src/test/java/org/cryptomator/hub/api/VaultResourceIT.java b/backend/src/test/java/org/cryptomator/hub/api/VaultResourceIT.java
index 96fd6a3d5..283113a5c 100644
--- a/backend/src/test/java/org/cryptomator/hub/api/VaultResourceIT.java
+++ b/backend/src/test/java/org/cryptomator/hub/api/VaultResourceIT.java
@@ -248,7 +248,7 @@ public void testUnlock() {
 		@DisplayName("PUT /vaults/7E57C0DE-0000-4000-8000-000100003333 returns 403 for missing role")
 		public void testCreateVaultWithMissingRole() {
 			var uuid = UUID.fromString("7E57C0DE-0000-4000-8000-000100003333");
-			var vaultDto = new VaultResource.VaultDto(uuid, "My Vault", "Test vault 3", false, Instant.parse("2112-12-21T21:12:21Z"), "masterkey3", 42, "NaCl", "authPubKey3", "authPrvKey3");
+			var vaultDto = new VaultResource.VaultDto(uuid, "My Vault", "Test vault 3", false, Instant.parse("2112-12-21T21:12:21Z"), "metadata3", "recovery3", "masterkey3", 42, "NaCl", "authPubKey3", "authPrvKey3");
 
 			given().contentType(ContentType.JSON).body(vaultDto)
 					.when().put("/vaults/{vaultId}", "7E57C0DE-0000-4000-8000-000100003333")

From 68eb5d92142ec0606c6f41a79e7b162a8ba66be6 Mon Sep 17 00:00:00 2001
From: Sebastian Stenzel <sebastian.stenzel@skymatic.de>
Date: Sun, 3 Nov 2024 14:12:50 +0100
Subject: [PATCH 77/94] fixed linter warnings

---
 frontend/src/common/universalVaultFormat.ts | 7 ++-----
 1 file changed, 2 insertions(+), 5 deletions(-)

diff --git a/frontend/src/common/universalVaultFormat.ts b/frontend/src/common/universalVaultFormat.ts
index b074ad760..e59040aa0 100644
--- a/frontend/src/common/universalVaultFormat.ts
+++ b/frontend/src/common/universalVaultFormat.ts
@@ -73,7 +73,6 @@ export class MemberKey {
     const bytes = await crypto.subtle.exportKey('raw', this.key);
     return base64.stringify(new Uint8Array(bytes), { pad: true });
   }
-
 }
 // #endregion
 
@@ -218,7 +217,6 @@ export class DecodeUvfRecoveryKeyError extends Error {
  * The UVF Metadata file
  */
 export class VaultMetadata {
-
   private constructor(
     readonly automaticAccessGrant: VaultMetadataJWEAutomaticAccessGrantDto,
     readonly seeds: Map<number, Uint8Array>,
@@ -348,7 +346,6 @@ export class VaultMetadata {
       'org.cryptomator.automaticAccessGrant': this.automaticAccessGrant
     };
   }
-
 }
 // #endregion
 // #region UVF
@@ -437,7 +434,7 @@ export class UniversalVaultFormat implements AccessTokenProducing, VaultTemplate
     const textencoder = new TextEncoder();
     const initialSeed = await crypto.subtle.importKey('raw', this.metadata.initialSeed, { name: 'HKDF' }, false, ['deriveKey']);
     const hmacKey = await crypto.subtle.deriveKey({ name: 'HKDF', hash: 'SHA-512', salt: this.metadata.kdfSalt, info: textencoder.encode('hmac') }, initialSeed, { name: 'HMAC', hash: 'SHA-256' }, false, ['sign']);
-    const rootDirHash = await crypto.subtle.sign("HMAC", hmacKey, rootDirId);
+    const rootDirHash = await crypto.subtle.sign('HMAC', hmacKey, rootDirId);
     return base32.stringify(new Uint8Array(rootDirHash).slice(0, 20));
   }
 
@@ -521,6 +518,6 @@ function parseSeedId(encoded: string): number {
  */
 function stringifySeedId(id: number): string {
   const ints = new Uint32Array([id]);
-  const bytes = new Uint8Array(ints.buffer)
+  const bytes = new Uint8Array(ints.buffer);
   return base64url.stringify(bytes, { pad: false });
 }

From 42684840fb339019b4a1cff3cd8aa3f77088ae1e Mon Sep 17 00:00:00 2001
From: Sebastian Stenzel <sebastian.stenzel@skymatic.de>
Date: Fri, 17 Jan 2025 21:16:25 +0100
Subject: [PATCH 78/94] make tests run from IDE again

[ci skip]
---
 hub.code-workspace | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/hub.code-workspace b/hub.code-workspace
index 05098883c..fb77a0859 100644
--- a/hub.code-workspace
+++ b/hub.code-workspace
@@ -30,6 +30,7 @@
 		"editor.codeActionsOnSave": {
 			"source.organizeImports": "explicit",
 			"source.fixAll.eslint": "explicit"
-		}
+		},
+		"testify.additionalArgs": "--require ts-node/register"
 	}
 }

From 3ca8f78ae18ff62d885001861ee34fab879d1a28 Mon Sep 17 00:00:00 2001
From: Sebastian Stenzel <sebastian.stenzel@skymatic.de>
Date: Fri, 17 Jan 2025 21:17:22 +0100
Subject: [PATCH 79/94] linter error

---
 frontend/src/common/universalVaultFormat.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/frontend/src/common/universalVaultFormat.ts b/frontend/src/common/universalVaultFormat.ts
index e59040aa0..b91cab211 100644
--- a/frontend/src/common/universalVaultFormat.ts
+++ b/frontend/src/common/universalVaultFormat.ts
@@ -55,7 +55,7 @@ export class MemberKey {
    * @returns new key
    */
   public static async load(encodedKey: string): Promise<MemberKey> {
-    let rawKey = new Uint8Array();
+    let rawKey: Uint8Array = new Uint8Array();
     try {
       rawKey = base64.parse(encodedKey);
       const memberKey = await crypto.subtle.importKey('raw', rawKey, MemberKey.KEY_DESIGNATION, true, MemberKey.KEY_USAGE);

From a0ce4882461bdd857994a4530e27a3e13e1b6220 Mon Sep 17 00:00:00 2001
From: Sebastian Stenzel <sebastian.stenzel@skymatic.de>
Date: Fri, 17 Jan 2025 21:17:31 +0100
Subject: [PATCH 80/94] spec is final now

---
 frontend/src/common/universalVaultFormat.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/frontend/src/common/universalVaultFormat.ts b/frontend/src/common/universalVaultFormat.ts
index b91cab211..30ac1a5d4 100644
--- a/frontend/src/common/universalVaultFormat.ts
+++ b/frontend/src/common/universalVaultFormat.ts
@@ -7,7 +7,7 @@ import { CRC32, wordEncoder } from './util';
 
 type MetadataPayload = {
   fileFormat: 'AES-256-GCM-32k';
-  nameFormat: 'AES-SIV-512-B64URL'; // TODO verify after merging https://github.com/encryption-alliance/unified-vault-format/pull/24
+  nameFormat: 'AES-SIV-512-B64URL';
   seeds: Record<string, string>;
   initialSeed: string;
   latestSeed: string;

From da7fe40266bca2e0a80ee9bc9142d4c0be56bc1c Mon Sep 17 00:00:00 2001
From: Sebastian Stenzel <sebastian.stenzel@skymatic.de>
Date: Fri, 17 Jan 2025 21:18:57 +0100
Subject: [PATCH 81/94] encode keys with base64url; values with base64

---
 frontend/src/common/universalVaultFormat.ts | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/frontend/src/common/universalVaultFormat.ts b/frontend/src/common/universalVaultFormat.ts
index 30ac1a5d4..aa907521b 100644
--- a/frontend/src/common/universalVaultFormat.ts
+++ b/frontend/src/common/universalVaultFormat.ts
@@ -295,12 +295,12 @@ export class VaultMetadata {
     const seeds = new Map<number, Uint8Array>();
     for (const key in payload.seeds) {
       const num = parseSeedId(key);
-      const value = base64url.parse(payload.seeds[key], { loose: true });
+      const value = base64.parse(payload.seeds[key], { loose: true });
       seeds.set(num, value);
     }
     const initialSeedId = parseSeedId(payload['initialSeed']);
     const latestSeedId = parseSeedId(payload['latestSeed']);
-    const kdfSalt = base64url.parse(payload['kdfSalt'], { loose: true });
+    const kdfSalt = base64.parse(payload['kdfSalt'], { loose: true });
     return new VaultMetadata(
       payload['org.cryptomator.automaticAccessGrant'],
       seeds,
@@ -333,7 +333,7 @@ export class VaultMetadata {
     const encodedSeeds: Record<string, string> = {};
     for (const [key, value] of this.seeds) {
       const seedId = stringifySeedId(key);
-      encodedSeeds[seedId] = base64url.stringify(value, { pad: false });
+      encodedSeeds[seedId] = base64.stringify(value);
     }
     return {
       fileFormat: 'AES-256-GCM-32k',
@@ -342,7 +342,7 @@ export class VaultMetadata {
       initialSeed: stringifySeedId(this.initialSeedId),
       latestSeed: stringifySeedId(this.latestSeedId),
       kdf: 'HKDF-SHA512',
-      kdfSalt: base64url.stringify(this.kdfSalt, { pad: false }),
+      kdfSalt: base64.stringify(this.kdfSalt),
       'org.cryptomator.automaticAccessGrant': this.automaticAccessGrant
     };
   }

From 3cc7d272636a4bbd20064263cf57b894d6bc013a Mon Sep 17 00:00:00 2001
From: Sebastian Stenzel <sebastian.stenzel@skymatic.de>
Date: Fri, 17 Jan 2025 21:20:17 +0100
Subject: [PATCH 82/94] use corrected test vectors confirmed in java

---
 frontend/src/common/universalVaultFormat.ts   |  6 ++
 .../test/common/universalVaultFormat.spec.ts  | 87 +++++++++----------
 2 files changed, 49 insertions(+), 44 deletions(-)

diff --git a/frontend/src/common/universalVaultFormat.ts b/frontend/src/common/universalVaultFormat.ts
index aa907521b..67458c23c 100644
--- a/frontend/src/common/universalVaultFormat.ts
+++ b/frontend/src/common/universalVaultFormat.ts
@@ -363,6 +363,12 @@ export class UniversalVaultFormat implements AccessTokenProducing, VaultTemplate
     return new UniversalVaultFormat(metadata, memberKey, recoveryKey);
   }
 
+  public static async forTesting(metadata: VaultMetadata) {
+    const memberKey = await MemberKey.create();
+    const recoveryKey = await RecoveryKey.create();
+    return new UniversalVaultFormat(metadata, memberKey, recoveryKey);
+  }
+
   /**
    * Decrypts a UVF vault.
    * @param vault The vault to decrypt
diff --git a/frontend/test/common/universalVaultFormat.spec.ts b/frontend/test/common/universalVaultFormat.spec.ts
index 45e88f3ea..0f7b80e01 100644
--- a/frontend/test/common/universalVaultFormat.spec.ts
+++ b/frontend/test/common/universalVaultFormat.spec.ts
@@ -32,8 +32,8 @@ describe('UVF', () => {
     global.window = { crypto: global.crypto };
 
     // prepare some test key pairs:
-    let ecdhP384: EcKeyImportParams = { name: 'ECDH', namedCurve: 'P-384' };
-    let ecdsaP384: EcKeyImportParams = { name: 'ECDSA', namedCurve: 'P-384' };
+    const ecdhP384: EcKeyImportParams = { name: 'ECDH', namedCurve: 'P-384' };
+    const ecdsaP384: EcKeyImportParams = { name: 'ECDSA', namedCurve: 'P-384' };
     const aliceEcdhPrv = crypto.subtle.importKey('jwk', alicePrivate, ecdhP384, true, ['deriveKey', 'deriveBits']);
     const aliceEcdhPub = crypto.subtle.importKey('jwk', alicePublic, ecdhP384, true, []);
     const aliceEcdsaPrv = crypto.subtle.importKey('jwk', alicePrivate, ecdsaP384, true, ['sign']);
@@ -44,7 +44,6 @@ describe('UVF', () => {
   });
 
   describe('MemberKey', () => {
-
     it('serializeKey()', async () => {
       const memberKey = await TestMemberKey.create();
 
@@ -65,14 +64,13 @@ describe('UVF', () => {
   });
 
   describe('VaultMetadata', () => {
-
     it('create()', async () => {
       const orig = await VaultMetadata.create({ enabled: true, maxWotDepth: -1 });
       expect(orig).to.be.not.null;
-      expect(orig.seeds.get(orig.initialSeedId)).to.not.be.undefined
-      expect(orig.seeds.get(orig.initialSeedId)!.length).to.eq(32)
-      expect(orig.initialSeedId).to.eq(orig.latestSeedId)
-      expect(orig.kdfSalt.length).to.eq(32)
+      expect(orig.seeds.get(orig.initialSeedId)).to.not.be.undefined;
+      expect(orig.seeds.get(orig.initialSeedId)!.length).to.eq(32);
+      expect(orig.initialSeedId).to.eq(orig.latestSeedId);
+      expect(orig.kdfSalt.length).to.eq(32);
     });
 
     describe('instance methods', () => {
@@ -98,9 +96,9 @@ describe('UVF', () => {
         expect(json).to.have.property('tag');
 
         const decrypted: VaultMetadata = await VaultMetadata.decryptWithMemberKey(uvfFile, vaultMemberKey);
-        expect(decrypted.seeds).to.deep.eq(original.seeds)
-        expect(decrypted.initialSeedId).to.eq(original.initialSeedId)
-        expect(decrypted.latestSeedId).to.eq(original.latestSeedId)
+        expect(decrypted.seeds).to.deep.eq(original.seeds);
+        expect(decrypted.initialSeedId).to.eq(original.initialSeedId);
+        expect(decrypted.latestSeedId).to.eq(original.latestSeedId);
         expect(decrypted.automaticAccessGrant).to.deep.eq(original.automaticAccessGrant);
         expect(decrypted.payload().fileFormat).to.eq('AES-256-GCM-32k');
         expect(decrypted.payload().nameFormat).to.eq('AES-SIV-512-B64URL');
@@ -110,7 +108,6 @@ describe('UVF', () => {
   });
 
   describe('RecoveryKey', () => {
-
     it('create()', async () => {
       const recoveryKey = await RecoveryKey.create();
       expect(recoveryKey).to.be.not.null;
@@ -175,13 +172,10 @@ describe('UVF', () => {
         const result = await recoveryKey.createRecoveryKey();
         expect(result).to.eq('cult hold all away buck do law relaxed other stimulus all bank fit indulge dad any ear grey cult golf all baby dig war linear tour sleep humanity threat question neglect stance radar bank coup misery painter tragedy buddy compare winter national approval budget deep screen outdoor audience tear stream cure type ugly chamber supporter franchise accept sexy ad imply being drug doctor regime where thick dam training grass chamber domestic dictator educate sigh music spoken connected measure voice lemon pig comprise disturb appear greatly satisfied heat news curiosity top impress nor method reflect lesson recommend dual revenge thorough bus count broadband living riot prejudice target blonde excess company thereby tribe respond horror mere way proud shopping wise liver mortgage plastic gentleman eighteen terms worry melt');
       });
-
     });
-
   });
 
   describe('UniversalVaultFormat', () => {
-
     it('create()', async () => {
       const uvf = await UniversalVaultFormat.create({ enabled: true, maxWotDepth: -1 });
       expect(uvf).to.be.not.null;
@@ -196,37 +190,37 @@ describe('UVF', () => {
         name: 'test',
         archived: false,
         creationTime: new Date(),
-        uvfMetadataFile: '{"protected":"eyJvcmlnaW4iOiJodHRwczovL2V4YW1wbGUuY29tL2FwaS92YXVsdHMvVE9ETy91dmYvdmF1bHQudXZmIiwiamt1Ijoiandrcy5qc29uIiwiZW5jIjoiQTI1NkdDTSJ9","recipients":[{"header":{"kid":"org.cryptomator.hub.memberkey","alg":"A256KW"},"encrypted_key":"7FtABJ5BpSM9Ft8wUPfLQc-12WF57kX0tWtRWiVwA_N_gJBa9iwhzw"},{"header":{"kid":"org.cryptomator.hub.recoverykey.1h24rxLxIlNRPQAn5NBP0fL3VKNTmqS6NEnt2clI5ko","alg":"ECDH-ES+A256KW","epk":{"key_ops":[],"ext":true,"kty":"EC","x":"oNu46YFrgrGSvl98HyDD3_iPkfZBnpYgEHmPL3qbO4AdwBsycpIqcHwKhT8Lt7B8","y":"P80VgJFml85v_F2-aPYdgDQX_DPGZr1s_p8gWF4Idkp13QfKdhi32C7Zoy5kzPWO","crv":"P-384"},"apu":"","apv":""},"encrypted_key":"QaJn0TP7mGAc5ukOpZ0gNAuBtCW7hPCkj8Jp4bhMftQfJefHNyqE7Q"}],"iv":"Wgif0WP21-MAwvWs","ciphertext":"-n5CePmmN99I4KqlnR64Fuu5b2Md9s4CGxLMm7KQqu65H0ug7Fs5HHnrx_gkpFiv1Mn-jwrkoEtiixyQcYX6UcoyT2dY1MkLQB7QU9mdMpZU3n19Q2sAx1-gfTCd7IzVXef7SEfuscdQL1QTKJW454Dy8L3WwPiDpUgt9ED7mMFdJ6lJ3_EFYstN0VFAVf_jwtIILmQrjkM_LI0FFKfqkOCH2nuE9xG8ihPH9X9OStllPp00G9_onYu9mrg-smiNNK2Ib19CZJ2E6mAp7F_LGiz6p203fsprj4XY9J6t8zl5Vpc61NmFvzvY4j3_5FpD_BmpVr8tyyVT9zqWn4vsBAHORQ1V_b9v68O7CekCebpQvpmzEPZwZN1Ma_T6oI7Ydn1rtBnDruVrpWm01RL8XpHnFbko","tag":"vPLd65IEcexmhGbYPM0cYI53H4Pp1OfTaAq_QGrneLM"}',
-        uvfKeySet: '{"keys": [{"kid":"org.cryptomator.hub.recoverykey.1h24rxLxIlNRPQAn5NBP0fL3VKNTmqS6NEnt2clI5ko","kty":"EC","crv":"P-384","x":"DczdNhPQnpgP8FV6qa372LDLJF2w2bMKXzea5cjxslaMjM6w7NGqrF498LYHU-Jt","y":"vH9bc-Ow_O1EQmd6N5pKmDoPyE6ziKsrlpuck5aLXwV4fSMV_8Ro1a872j5ClsPe"}]}'
+        uvfMetadataFile: '{"protected":"eyJvcmlnaW4iOiJodHRwcy4vL2V4YW1wbGUuY29tL2FwaS8vdmF1bHRzLzEyMy91dmYvdmF1bHQudXZmIiwiamt1Ijoiandrcy5qc29uIiwiZW5jIjoiQTI1NkdDTSJ9","recipients":[{"header":{"kid":"org.cryptomator.hub.memberkey","alg":"A256KW"},"encrypted_key":"6Jmq4Uje1Njp6UOZhMC8EQySIhb82OGqJ3LT_CNGtfS3PTVAanFTkw"},{"header":{"kid":"org.cryptomator.hub.recoverykey.gRQZJlBF8UOUry_viZdNFrIG02r12zKPfKPJjg1z0gc","alg":"ECDH-ES+A256KW","epk":{"key_ops":[],"ext":true,"kty":"EC","x":"ZIM3rAYg1CPMJgYD2-8M04n00tvUnXjx6QBjXMdZJZwozEjo6ns1aI3WVjGb71HC","y":"iYiX7Qs6JV8AxW-W9pRp_wFUqiwD22L7ytbr91eazmKDK0Uuk72K8xWdz0x3TZHB","crv":"P-384"},"apu":"","apv":""},"encrypted_key":"UDe4WL6fkZCMhLQaNYMGvbRFGGNum8Nk7ahiaORnPi9BlUxPCCArkg"}],"iv":"DW6-c25BXTxJ-wF4","ciphertext":"5yhWvQwZPb6ss_b30pFxxpQPKC_-QIKgK1sdTQUUggl5yL6gzfFSOeERDjuD5WSFiLSisMi1BZwI-GPzclpG4SsjIMtOakfe_OcKQGBqpPAfJLiRUePg4CmptBTY205dbqFZfJvFK-jVxUP8oc7mYg3Z8kUovhUAeoIkyubaeiGcV49NLF-_UgV5smPouAxVBBroBpnJ76BDM0UfanfTzHZ_ekynwZDK7HFw4lJZ3xxrBkIbimB5NQU6cL8lviOGbaSQ8dAGCGcSuafKrAXlzOItCUdK4w5cBUTFJV6LILkKEmxy8atYNJdh-4VoJmOwv-LwGhwJyv20yrq5RrV-flgN4_jjFmh71ne_XchWy8MH7vdY8ShkT1KI6waFPcfU2PglEYQn6qaDBJ3igMsLUnNL1SRxrFY3ov6--mJdGlz-0eFny0Nz8Qy2bjxIOxCaKMRTQz41d1N7uiXcEa4","tag":"PZFk3Lw2XxZu2_ZooqV0lyI0ALRB8l6YuKDeH3jYBtQ"}',
+        uvfKeySet: '{"keys": [{"kid":"org.cryptomator.hub.recoverykey.gRQZJlBF8UOUry_viZdNFrIG02r12zKPfKPJjg1z0gc","kty":"EC","crv":"P-384","x":"PKwD88lrI0LBwC0p5IKcHCaubRLNPCueNi_mfGrp83Y09MOIX3wIH63At0Lm897r","y":"d7TKPTkh4DURRrMGZp6Vig_cVAWjOa_nwurJ36Gp8SEiJbB6eK0uWxZL_tTESq9K"}]}'
       };
-      const accessToken = 'eyJlbmMiOiJBMjU2R0NNIiwia2lkIjoib3JnLmNyeXB0b21hdG9yLmh1Yi51c2Vya2V5IiwiYWxnIjoiRUNESC1FUytBMjU2S1ciLCJlcGsiOnsia2V5X29wcyI6W10sImV4dCI6dHJ1ZSwia3R5IjoiRUMiLCJ4IjoiUXZRWUpUd3dSVEg2MWRFS3ZoNDI4ZG9nN3pRTFFxY3I0NUhwZTRqZFQ5Qno2bjcyVzQ4dTJ3WXk0UXlyZ0kxciIsInkiOiJZS1RtQ04zZXNKNDJVbUpzLU44NTFKamsyUFVPUU0zZXpCTkJvZGk4RnRNUDlUeUhoXzc0aHpxTC1EYTZkMXlwIiwiY3J2IjoiUC0zODQifSwiYXB1IjoiIiwiYXB2IjoiIn0.rdysEEQN0FidglDtK5yyaEpQtv4CsYLOQd__y7REkb_3BLP9nD4Blw.dFb9JOdveiw3LmIs.rSMkz8VoB_LspnvxvmRzCWNVLShTWfbzHfqe5lwrWwumYCdeRPM.xsS2tDUr2khJrLxHex8gZhBgO_CMA_PxFlR-ku3JiT8';
+      const accessToken = 'eyJlbmMiOiJBMjU2R0NNIiwia2lkIjoib3JnLmNyeXB0b21hdG9yLmh1Yi51c2Vya2V5IiwiYWxnIjoiRUNESC1FUytBMjU2S1ciLCJlcGsiOnsia2V5X29wcyI6W10sImV4dCI6dHJ1ZSwia3R5IjoiRUMiLCJ4IjoiSDZ3M1VWbXJ1VTcwRnUwWHFqN0FLekNkZl95dVF1SXVHa0FvVEljaHBaUWNpV0JkbnRjOE93TGhTSU5xZFNGeiIsInkiOiIyWjlqbE5pX0lXa3lCbU1ycDhMbEttamg1WDUwWExGQTNsNzNVYVJ3bHRZSlpOVzdoTTVHTkZsX21XNmxBbWVlIiwiY3J2IjoiUC0zODQifSwiYXB1IjoiIiwiYXB2IjoiIn0.1YGRThFLsu6XjoUhTkxzX6DTbyhEmjl2l07hjCl4qBynFv9hrZIpHg.3HMszd5g8-6FPrcX.ngw9_D6xpRKWNeALK2oW6d314JXnUYjYDhohAnRBjNezTdOgbLw.1E1tcGvv4wFfarSsL_atcCS47uDKjU7MT0C9wFBQIjk';
       const uvf = await UniversalVaultFormat.decrypt(dto, accessToken, alice);
 
       expect(uvf).to.be.not.null;
       expect(uvf.metadata).to.be.not.null;
-      expect(uvf.metadata.initialSeedId).to.eq(2754894775);
-      expect(uvf.metadata.latestSeedId).to.eq(2754894775);
-      expect(base64.stringify(uvf.metadata.kdfSalt)).to.eq('HE4OP+2vyfLLURicF1XmdIIsWv0Zs6MobLKROUIEhQY=');
-      expect(base64.stringify(uvf.metadata.initialSeed)).to.eq('fP4V4oAjsUw5DqackAvLzA0oP1kAQZ0f5YFZQviXSuU=');
-      expect(base64.stringify(uvf.metadata.latestSeed)).to.eq('fP4V4oAjsUw5DqackAvLzA0oP1kAQZ0f5YFZQviXSuU=');
+      expect(uvf.metadata.initialSeedId).to.eq(4072093980);
+      expect(uvf.metadata.latestSeedId).to.eq(369695552);
+      expect(base64.stringify(uvf.metadata.kdfSalt)).to.eq('NIlr89R7FhochyP4yuXZmDqCnQ0dBB3UZ2D+6oiIjr8=');
+      expect(base64.stringify(uvf.metadata.initialSeed)).to.eq('ypeBEsobvcr6wjGzmiPcTaeG7/gUfE5yuYB3ha/uSLs=');
+      expect(base64.stringify(uvf.metadata.latestSeed)).to.eq('Ln0sA6lQeuJl7PW1NWiFpTOTogKdJBOUmXJloaJa78Y=');
       expect(uvf.memberKey).to.be.not.null;
       expect(uvf.recoveryKey).to.be.not.null;
       expect(uvf.recoveryKey.privateKey).to.be.undefined;
     });
 
     it('recover()', async () => {
-      const vaultUvfFileContents = '{"protected":"eyJvcmlnaW4iOiJodHRwczovL2V4YW1wbGUuY29tL2FwaS92YXVsdHMvVE9ETy91dmYvdmF1bHQudXZmIiwiamt1Ijoiandrcy5qc29uIiwiZW5jIjoiQTI1NkdDTSJ9","recipients":[{"header":{"kid":"org.cryptomator.hub.memberkey","alg":"A256KW"},"encrypted_key":"XLoNIWvDKQqaDurrGt7VK9s2aggSMir7fS4ZdBUxdTxceCOHndo4kA"},{"header":{"kid":"org.cryptomator.hub.recoverykey.v2nb-mGX4POKMWCQKOogMWTlAn7DDqEOjjEGCsPEeco","alg":"ECDH-ES+A256KW","epk":{"key_ops":[],"ext":true,"kty":"EC","x":"j6Retxx-L-rURQ4WNc8LvoqjbdPtGS6n9pCJgcm1U-NAWuWEvwJ_qi2tlrv_4w4p","y":"wS-Emo-Q9qdtkHMJiDfVDAaxhF2-nSkDRn2Eg9CbG0pVwGEpaDybx_YYJwIaYooO","crv":"P-384"},"apu":"","apv":""},"encrypted_key":"iNGgybMqmiXn_lbKLMMTpg38i1f00O6Zj65d5nzsLw3hyzuylGWpvA"}],"iv":"Pfy90C9SSq2gJr6B","ciphertext":"ogYR1pZN9k97zEgO9Fj3ePQramtaUdHWq95geXD7FH1oB6T7fEOvdU2AEGWOcbIbQihn-eOqG2_5oTol16O_nQ4HcDOJ9w4R9EdpByuWG-kVNh_fpWeQjIuH4kO-Rtbf05JRVG2jexWopbIA8uHuoiOXSNpSYPTzTKirp2hU7w3sE01zycsu06HiasUX-tKZH_hbyiUEdTlFFLcvKpRwnYOQf6QMw0uY1IbUTX1cJY9LO5SpD8bZFZOd6hg_Qnsdcq52I8KkZyxocgqdW7P5OSUrv5z8DCLMPdByEpaz9cCOzQQvtZwHxJy82O4vDAh89QA_AzfK8J7TI5zJRlTGQgrNhiaVBC85fN3tMSv8sLfJs7rC_5LiVW5ZeqbQ52sAZQw0lfwgGpMmxsdMzPoVOLD8OxvX","tag":"3Jiv6kI4Qoso60T0dRv9vIlca-P4UFyHqh-TEZvargM"}';
-      const recoveryKey = 'cult hold all away buck do law relaxed other stimulus all bank fit indulge dad any ear grey cult golf all baby dig adv convict seldom dancer funding refusal shop final ceremony brush fire stick pound seldom shower tobacco wealth secret dispose session intend host elite fasten compound pants original drug hurricane bat noble lovely half accept sexy ad mouth current sound tie freedom musical ought shatter minimum density broadcast locate argument explosive manager colour numerous biscuit die absurd jury sole steel pub listener tempt creative plug everybody power constant recall lord camera dawn elbow chairman sit organic united morning dry feedback marine keep charm face cloud giant pull eternal withdraw probable canal coal heal large less flight gig hockey pit weed identify object boom melt';
+      const vaultUvfFileContents = '{"protected":"eyJvcmlnaW4iOiJodHRwcy4vL2V4YW1wbGUuY29tL2FwaS8vdmF1bHRzLzEyMy91dmYvdmF1bHQudXZmIiwiamt1Ijoiandrcy5qc29uIiwiZW5jIjoiQTI1NkdDTSJ9","recipients":[{"header":{"kid":"org.cryptomator.hub.memberkey","alg":"A256KW"},"encrypted_key":"6Jmq4Uje1Njp6UOZhMC8EQySIhb82OGqJ3LT_CNGtfS3PTVAanFTkw"},{"header":{"kid":"org.cryptomator.hub.recoverykey.gRQZJlBF8UOUry_viZdNFrIG02r12zKPfKPJjg1z0gc","alg":"ECDH-ES+A256KW","epk":{"key_ops":[],"ext":true,"kty":"EC","x":"ZIM3rAYg1CPMJgYD2-8M04n00tvUnXjx6QBjXMdZJZwozEjo6ns1aI3WVjGb71HC","y":"iYiX7Qs6JV8AxW-W9pRp_wFUqiwD22L7ytbr91eazmKDK0Uuk72K8xWdz0x3TZHB","crv":"P-384"},"apu":"","apv":""},"encrypted_key":"UDe4WL6fkZCMhLQaNYMGvbRFGGNum8Nk7ahiaORnPi9BlUxPCCArkg"}],"iv":"DW6-c25BXTxJ-wF4","ciphertext":"5yhWvQwZPb6ss_b30pFxxpQPKC_-QIKgK1sdTQUUggl5yL6gzfFSOeERDjuD5WSFiLSisMi1BZwI-GPzclpG4SsjIMtOakfe_OcKQGBqpPAfJLiRUePg4CmptBTY205dbqFZfJvFK-jVxUP8oc7mYg3Z8kUovhUAeoIkyubaeiGcV49NLF-_UgV5smPouAxVBBroBpnJ76BDM0UfanfTzHZ_ekynwZDK7HFw4lJZ3xxrBkIbimB5NQU6cL8lviOGbaSQ8dAGCGcSuafKrAXlzOItCUdK4w5cBUTFJV6LILkKEmxy8atYNJdh-4VoJmOwv-LwGhwJyv20yrq5RrV-flgN4_jjFmh71ne_XchWy8MH7vdY8ShkT1KI6waFPcfU2PglEYQn6qaDBJ3igMsLUnNL1SRxrFY3ov6--mJdGlz-0eFny0Nz8Qy2bjxIOxCaKMRTQz41d1N7uiXcEa4","tag":"PZFk3Lw2XxZu2_ZooqV0lyI0ALRB8l6YuKDeH3jYBtQ"}';
+      const recoveryKey = 'cult hold all away buck do law relaxed other stimulus all bank fit indulge dad any ear grey cult golf all baby dig rip may southern bar super use emotional punk pathway who infection bet sporting colleague buffer neutral corporate stand mud desire rob mortgage actually tackle browser killing month minority company editorial escalate expense emission accept sexy ad guest symptom dirty friendly condemn ghost idea warn forever visual workout seat architect call tomorrow true situated bind branch critic heavily nature smoke birthday clinic rubber unique village tin glass female militant harmony embrace officer alive less pole core custody attend funding burst arms convince gap limb apology safety discovery firstly limited hearing nail oven balloon quickly uniform upcoming east tragedy wildlife image abolish nervous till melt';
 
       const uvf = await UniversalVaultFormat.recover(vaultUvfFileContents, recoveryKey);
 
       expect(uvf).to.be.not.null;
       expect(uvf.metadata).to.be.not.null;
-      expect(uvf.metadata.initialSeedId).to.eq(4157009252);
-      expect(uvf.metadata.latestSeedId).to.eq(4157009252);
-      expect(base64.stringify(uvf.metadata.kdfSalt)).to.eq('pNxWJ5R5TO0mbkmL5pv7M3tAi6Etoh/SK73Q0KvfKMY=');
-      expect(base64.stringify(uvf.metadata.initialSeed!)).to.eq('p6zznin4zSGt7gH6T95/kZj6HndpyUdY+1QVfxR2k20=');
-      expect(base64.stringify(uvf.metadata.latestSeed!)).to.eq('p6zznin4zSGt7gH6T95/kZj6HndpyUdY+1QVfxR2k20=');
+      expect(uvf.metadata.initialSeedId).to.eq(4072093980);
+      expect(uvf.metadata.latestSeedId).to.eq(369695552);
+      expect(base64.stringify(uvf.metadata.kdfSalt)).to.eq('NIlr89R7FhochyP4yuXZmDqCnQ0dBB3UZ2D+6oiIjr8=');
+      expect(base64.stringify(uvf.metadata.initialSeed)).to.eq('ypeBEsobvcr6wjGzmiPcTaeG7/gUfE5yuYB3ha/uSLs=');
+      expect(base64.stringify(uvf.metadata.latestSeed)).to.eq('Ln0sA6lQeuJl7PW1NWiFpTOTogKdJBOUmXJloaJa78Y=');
       expect(uvf.memberKey).to.be.not.null;
       expect(uvf.recoveryKey).to.be.not.null;
       expect(uvf.recoveryKey.privateKey).to.be.not.null;
@@ -237,16 +231,22 @@ describe('UVF', () => {
       let uvf: UniversalVaultFormat;
 
       before(async () => {
-        const dto: VaultDto = {
-          id: '123',
-          name: 'test',
-          archived: false,
-          creationTime: new Date(),
-          uvfMetadataFile: '{"protected":"eyJvcmlnaW4iOiJodHRwczovL2V4YW1wbGUuY29tL2FwaS92YXVsdHMvVE9ETy91dmYvdmF1bHQudXZmIiwiamt1Ijoiandrcy5qc29uIiwiZW5jIjoiQTI1NkdDTSJ9","recipients":[{"header":{"kid":"org.cryptomator.hub.memberkey","alg":"A256KW"},"encrypted_key":"7FtABJ5BpSM9Ft8wUPfLQc-12WF57kX0tWtRWiVwA_N_gJBa9iwhzw"},{"header":{"kid":"org.cryptomator.hub.recoverykey.1h24rxLxIlNRPQAn5NBP0fL3VKNTmqS6NEnt2clI5ko","alg":"ECDH-ES+A256KW","epk":{"key_ops":[],"ext":true,"kty":"EC","x":"oNu46YFrgrGSvl98HyDD3_iPkfZBnpYgEHmPL3qbO4AdwBsycpIqcHwKhT8Lt7B8","y":"P80VgJFml85v_F2-aPYdgDQX_DPGZr1s_p8gWF4Idkp13QfKdhi32C7Zoy5kzPWO","crv":"P-384"},"apu":"","apv":""},"encrypted_key":"QaJn0TP7mGAc5ukOpZ0gNAuBtCW7hPCkj8Jp4bhMftQfJefHNyqE7Q"}],"iv":"Wgif0WP21-MAwvWs","ciphertext":"-n5CePmmN99I4KqlnR64Fuu5b2Md9s4CGxLMm7KQqu65H0ug7Fs5HHnrx_gkpFiv1Mn-jwrkoEtiixyQcYX6UcoyT2dY1MkLQB7QU9mdMpZU3n19Q2sAx1-gfTCd7IzVXef7SEfuscdQL1QTKJW454Dy8L3WwPiDpUgt9ED7mMFdJ6lJ3_EFYstN0VFAVf_jwtIILmQrjkM_LI0FFKfqkOCH2nuE9xG8ihPH9X9OStllPp00G9_onYu9mrg-smiNNK2Ib19CZJ2E6mAp7F_LGiz6p203fsprj4XY9J6t8zl5Vpc61NmFvzvY4j3_5FpD_BmpVr8tyyVT9zqWn4vsBAHORQ1V_b9v68O7CekCebpQvpmzEPZwZN1Ma_T6oI7Ydn1rtBnDruVrpWm01RL8XpHnFbko","tag":"vPLd65IEcexmhGbYPM0cYI53H4Pp1OfTaAq_QGrneLM"}',
-          uvfKeySet: '{"keys": [{"kid":"org.cryptomator.hub.recoverykey.1h24rxLxIlNRPQAn5NBP0fL3VKNTmqS6NEnt2clI5ko","kty":"EC","crv":"P-384","x":"DczdNhPQnpgP8FV6qa372LDLJF2w2bMKXzea5cjxslaMjM6w7NGqrF498LYHU-Jt","y":"vH9bc-Ow_O1EQmd6N5pKmDoPyE6ziKsrlpuck5aLXwV4fSMV_8Ro1a872j5ClsPe"}]}'
-        };
-        const accessToken = 'eyJlbmMiOiJBMjU2R0NNIiwia2lkIjoib3JnLmNyeXB0b21hdG9yLmh1Yi51c2Vya2V5IiwiYWxnIjoiRUNESC1FUytBMjU2S1ciLCJlcGsiOnsia2V5X29wcyI6W10sImV4dCI6dHJ1ZSwia3R5IjoiRUMiLCJ4IjoiUXZRWUpUd3dSVEg2MWRFS3ZoNDI4ZG9nN3pRTFFxY3I0NUhwZTRqZFQ5Qno2bjcyVzQ4dTJ3WXk0UXlyZ0kxciIsInkiOiJZS1RtQ04zZXNKNDJVbUpzLU44NTFKamsyUFVPUU0zZXpCTkJvZGk4RnRNUDlUeUhoXzc0aHpxTC1EYTZkMXlwIiwiY3J2IjoiUC0zODQifSwiYXB1IjoiIiwiYXB2IjoiIn0.rdysEEQN0FidglDtK5yyaEpQtv4CsYLOQd__y7REkb_3BLP9nD4Blw.dFb9JOdveiw3LmIs.rSMkz8VoB_LspnvxvmRzCWNVLShTWfbzHfqe5lwrWwumYCdeRPM.xsS2tDUr2khJrLxHex8gZhBgO_CMA_PxFlR-ku3JiT8';
-        uvf = await UniversalVaultFormat.decrypt(dto, accessToken, alice);
+        const json = `{
+            "fileFormat": "AES-256-GCM-32k",
+            "nameFormat": "AES-SIV-512-B64URL",
+            "seeds": {
+                "HDm38g": "ypeBEsobvcr6wjGzmiPcTaeG7/gUfE5yuYB3ha/uSLs=",
+                "gBryKw": "PiPoFgA5WUoziU9lZOGxNIu9egCI1CxKy3PurtWcAJ0=",
+                "QBsJFg": "Ln0sA6lQeuJl7PW1NWiFpTOTogKdJBOUmXJloaJa78Y="
+            },
+            "initialSeed": "HDm38g",
+            "latestSeed": "QBsJFg",
+            "kdf": "HKDF-SHA512",
+            "kdfSalt": "NIlr89R7FhochyP4yuXZmDqCnQ0dBB3UZ2D+6oiIjr8=",
+            "org.example.customfield": 42
+        }`;
+        const metadata = await VaultMetadata.createFromJson(JSON.parse(json));
+        uvf = await UniversalVaultFormat.forTesting(metadata);
       });
 
       it('encryptForUser() creates an access token', async () => {
@@ -280,14 +280,14 @@ describe('UVF', () => {
       it('computeRootDirId() deterministically creates a dir ID', async () => {
         const dirId = await uvf.computeRootDirId();
         expect(dirId).to.have.a.lengthOf(32);
-        expect(base64.stringify(dirId)).to.eq('24UBEDeGu5taq7U4GqyA0MXUXb9HTYS6p3t9vvHGJAc=');
+        expect(base64.stringify(dirId)).to.eq('5WEGzwKkAHPwVSjT2Brr3P3zLz7oMiNpMn/qBvht7eM=');
       });
 
       it('computeRootDirIdHash() creates a truncated hmac', async () => {
-        const rootDirId = base64.parse('24UBEDeGu5taq7U4GqyA0MXUXb9HTYS6p3t9vvHGJAc=');
+        const rootDirId = base64.parse('5WEGzwKkAHPwVSjT2Brr3P3zLz7oMiNpMn/qBvht7eM=');
         const hash = await uvf.computeRootDirIdHash(rootDirId);
         expect(hash).to.have.a.lengthOf(32);
-        expect(hash).to.eq('6DYU3E5BTPAZ4DWEQPQK3AIHX2DXSPHG');
+        expect(hash).to.eq('RKHZLENL3PQIW6GZHE3KRRRGLFBHWHRU');
       });
 
       it('encryptFile() creates some ciphertext', async () => {
@@ -300,7 +300,6 @@ describe('UVF', () => {
   });
 });
 
-
 // #region Mocks
 
 class TestMemberKey extends MemberKey {

From f684a58ddd5378006f122e9d6a90f7a0b1cd3570 Mon Sep 17 00:00:00 2001
From: Sebastian Stenzel <sebastian.stenzel@skymatic.de>
Date: Fri, 17 Jan 2025 21:27:45 +0100
Subject: [PATCH 83/94] fix incorrect hkdf output size

see https://stackoverflow.com/q/79365928/4014509
---
 frontend/src/common/universalVaultFormat.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/frontend/src/common/universalVaultFormat.ts b/frontend/src/common/universalVaultFormat.ts
index 67458c23c..df6dd121b 100644
--- a/frontend/src/common/universalVaultFormat.ts
+++ b/frontend/src/common/universalVaultFormat.ts
@@ -439,7 +439,7 @@ export class UniversalVaultFormat implements AccessTokenProducing, VaultTemplate
   public async computeRootDirIdHash(rootDirId: Uint8Array): Promise<string> {
     const textencoder = new TextEncoder();
     const initialSeed = await crypto.subtle.importKey('raw', this.metadata.initialSeed, { name: 'HKDF' }, false, ['deriveKey']);
-    const hmacKey = await crypto.subtle.deriveKey({ name: 'HKDF', hash: 'SHA-512', salt: this.metadata.kdfSalt, info: textencoder.encode('hmac') }, initialSeed, { name: 'HMAC', hash: 'SHA-256' }, false, ['sign']);
+    const hmacKey = await crypto.subtle.deriveKey({ name: 'HKDF', hash: 'SHA-512', salt: this.metadata.kdfSalt, info: textencoder.encode('hmac') }, initialSeed, { name: 'HMAC', hash: 'SHA-256', length: 256 }, false, ['sign']);
     const rootDirHash = await crypto.subtle.sign('HMAC', hmacKey, rootDirId);
     return base32.stringify(new Uint8Array(rootDirHash).slice(0, 20));
   }

From c1d6c299755e1212557ec41bc1b49aa32bd2807d Mon Sep 17 00:00:00 2001
From: Sebastian Stenzel <sebastian.stenzel@skymatic.de>
Date: Fri, 31 Jan 2025 11:31:31 +0100
Subject: [PATCH 84/94] reordered flyway migrations

---
 .../hub/flyway/{V17__UVF_Support.sql => V18__UVF_Support.sql}     | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename backend/src/main/resources/org/cryptomator/hub/flyway/{V17__UVF_Support.sql => V18__UVF_Support.sql} (100%)

diff --git a/backend/src/main/resources/org/cryptomator/hub/flyway/V17__UVF_Support.sql b/backend/src/main/resources/org/cryptomator/hub/flyway/V18__UVF_Support.sql
similarity index 100%
rename from backend/src/main/resources/org/cryptomator/hub/flyway/V17__UVF_Support.sql
rename to backend/src/main/resources/org/cryptomator/hub/flyway/V18__UVF_Support.sql

From fd6db88d8797b754f99cab6a85f3d2fce6376b97 Mon Sep 17 00:00:00 2001
From: Sebastian Stenzel <sebastian.stenzel@skymatic.de>
Date: Fri, 7 Feb 2025 09:56:41 +0100
Subject: [PATCH 85/94] reordered migrations

---
 .../hub/flyway/{V18__UVF_Support.sql => V19__UVF_Support.sql}     | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename backend/src/main/resources/org/cryptomator/hub/flyway/{V18__UVF_Support.sql => V19__UVF_Support.sql} (100%)

diff --git a/backend/src/main/resources/org/cryptomator/hub/flyway/V18__UVF_Support.sql b/backend/src/main/resources/org/cryptomator/hub/flyway/V19__UVF_Support.sql
similarity index 100%
rename from backend/src/main/resources/org/cryptomator/hub/flyway/V18__UVF_Support.sql
rename to backend/src/main/resources/org/cryptomator/hub/flyway/V19__UVF_Support.sql

From b5a94a9c71f226596e1c4bd5531126ee4f383bf3 Mon Sep 17 00:00:00 2001
From: Sebastian Stenzel <sebastian.stenzel@skymatic.de>
Date: Thu, 24 Apr 2025 12:37:33 +0200
Subject: [PATCH 86/94] use base64url in `vault.uvf`

see https://github.com/encryption-alliance/unified-vault-format/pull/32
---
 frontend/src/common/universalVaultFormat.ts | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/frontend/src/common/universalVaultFormat.ts b/frontend/src/common/universalVaultFormat.ts
index df6dd121b..b2f2ce992 100644
--- a/frontend/src/common/universalVaultFormat.ts
+++ b/frontend/src/common/universalVaultFormat.ts
@@ -51,7 +51,7 @@ export class MemberKey {
 
   /**
    * Creates a new vault member key
-   * @param encodedKey base64-encoded raw 256 bit key (as retrieved from {@link AccessTokenPayload#foo})
+   * @param encodedKey base64-encoded raw 256 bit key (as retrieved from {@link AccessTokenPayload#key})
    * @returns new key
    */
   public static async load(encodedKey: string): Promise<MemberKey> {
@@ -295,12 +295,12 @@ export class VaultMetadata {
     const seeds = new Map<number, Uint8Array>();
     for (const key in payload.seeds) {
       const num = parseSeedId(key);
-      const value = base64.parse(payload.seeds[key], { loose: true });
+      const value = base64url.parse(payload.seeds[key], { loose: true });
       seeds.set(num, value);
     }
     const initialSeedId = parseSeedId(payload['initialSeed']);
     const latestSeedId = parseSeedId(payload['latestSeed']);
-    const kdfSalt = base64.parse(payload['kdfSalt'], { loose: true });
+    const kdfSalt = base64url.parse(payload['kdfSalt'], { loose: true });
     return new VaultMetadata(
       payload['org.cryptomator.automaticAccessGrant'],
       seeds,
@@ -333,7 +333,7 @@ export class VaultMetadata {
     const encodedSeeds: Record<string, string> = {};
     for (const [key, value] of this.seeds) {
       const seedId = stringifySeedId(key);
-      encodedSeeds[seedId] = base64.stringify(value);
+      encodedSeeds[seedId] = base64url.stringify(value);
     }
     return {
       fileFormat: 'AES-256-GCM-32k',
@@ -342,7 +342,7 @@ export class VaultMetadata {
       initialSeed: stringifySeedId(this.initialSeedId),
       latestSeed: stringifySeedId(this.latestSeedId),
       kdf: 'HKDF-SHA512',
-      kdfSalt: base64.stringify(this.kdfSalt),
+      kdfSalt: base64url.stringify(this.kdfSalt),
       'org.cryptomator.automaticAccessGrant': this.automaticAccessGrant
     };
   }

From 7e285ea831d2cbb9bc37af084b0e21b62c1fc048 Mon Sep 17 00:00:00 2001
From: Sebastian Stenzel <sebastian.stenzel@skymatic.de>
Date: Thu, 24 Apr 2025 13:11:44 +0200
Subject: [PATCH 87/94] fix base64url encoding and tests

---
 frontend/src/common/universalVaultFormat.ts   |  6 +--
 .../test/common/universalVaultFormat.spec.ts  | 37 +++++++++++--------
 2 files changed, 24 insertions(+), 19 deletions(-)

diff --git a/frontend/src/common/universalVaultFormat.ts b/frontend/src/common/universalVaultFormat.ts
index b2f2ce992..7683b8905 100644
--- a/frontend/src/common/universalVaultFormat.ts
+++ b/frontend/src/common/universalVaultFormat.ts
@@ -333,7 +333,7 @@ export class VaultMetadata {
     const encodedSeeds: Record<string, string> = {};
     for (const [key, value] of this.seeds) {
       const seedId = stringifySeedId(key);
-      encodedSeeds[seedId] = base64url.stringify(value);
+      encodedSeeds[seedId] = base64url.stringify(value, { pad: false });
     }
     return {
       fileFormat: 'AES-256-GCM-32k',
@@ -342,7 +342,7 @@ export class VaultMetadata {
       initialSeed: stringifySeedId(this.initialSeedId),
       latestSeed: stringifySeedId(this.latestSeedId),
       kdf: 'HKDF-SHA512',
-      kdfSalt: base64url.stringify(this.kdfSalt),
+      kdfSalt: base64url.stringify(this.kdfSalt, { pad: false }),
       'org.cryptomator.automaticAccessGrant': this.automaticAccessGrant
     };
   }
@@ -395,7 +395,7 @@ export class UniversalVaultFormat implements AccessTokenProducing, VaultTemplate
   }
 
   /**
-   * Recovery the `vault.uvf` file using the recovery key. After recovery, all access tokens need to be re-issued.
+   * Recover the `vault.uvf` file using the recovery key. After recovery, all access tokens need to be re-issued.
    * @param uvfMetadataFile contents of the `vault.uvf` file
    * @param recoveryKey the vault's recovery key encoded into human-readable words
    * @returns The recovered vault
diff --git a/frontend/test/common/universalVaultFormat.spec.ts b/frontend/test/common/universalVaultFormat.spec.ts
index 0f7b80e01..8876bf407 100644
--- a/frontend/test/common/universalVaultFormat.spec.ts
+++ b/frontend/test/common/universalVaultFormat.spec.ts
@@ -2,7 +2,7 @@ import { use as chaiUse, expect } from 'chai';
 import chaiAsPromised from 'chai-as-promised';
 import { before, describe } from 'mocha';
 import { webcrypto } from 'node:crypto';
-import { base64 } from 'rfc4648';
+import { base64, base64url } from 'rfc4648';
 import { VaultDto } from '../../src/common/backend';
 import { UserKeys } from '../../src/common/crypto';
 import { JsonJWE } from '../../src/common/jwe';
@@ -190,27 +190,27 @@ describe('UVF', () => {
         name: 'test',
         archived: false,
         creationTime: new Date(),
-        uvfMetadataFile: '{"protected":"eyJvcmlnaW4iOiJodHRwcy4vL2V4YW1wbGUuY29tL2FwaS8vdmF1bHRzLzEyMy91dmYvdmF1bHQudXZmIiwiamt1Ijoiandrcy5qc29uIiwiZW5jIjoiQTI1NkdDTSJ9","recipients":[{"header":{"kid":"org.cryptomator.hub.memberkey","alg":"A256KW"},"encrypted_key":"6Jmq4Uje1Njp6UOZhMC8EQySIhb82OGqJ3LT_CNGtfS3PTVAanFTkw"},{"header":{"kid":"org.cryptomator.hub.recoverykey.gRQZJlBF8UOUry_viZdNFrIG02r12zKPfKPJjg1z0gc","alg":"ECDH-ES+A256KW","epk":{"key_ops":[],"ext":true,"kty":"EC","x":"ZIM3rAYg1CPMJgYD2-8M04n00tvUnXjx6QBjXMdZJZwozEjo6ns1aI3WVjGb71HC","y":"iYiX7Qs6JV8AxW-W9pRp_wFUqiwD22L7ytbr91eazmKDK0Uuk72K8xWdz0x3TZHB","crv":"P-384"},"apu":"","apv":""},"encrypted_key":"UDe4WL6fkZCMhLQaNYMGvbRFGGNum8Nk7ahiaORnPi9BlUxPCCArkg"}],"iv":"DW6-c25BXTxJ-wF4","ciphertext":"5yhWvQwZPb6ss_b30pFxxpQPKC_-QIKgK1sdTQUUggl5yL6gzfFSOeERDjuD5WSFiLSisMi1BZwI-GPzclpG4SsjIMtOakfe_OcKQGBqpPAfJLiRUePg4CmptBTY205dbqFZfJvFK-jVxUP8oc7mYg3Z8kUovhUAeoIkyubaeiGcV49NLF-_UgV5smPouAxVBBroBpnJ76BDM0UfanfTzHZ_ekynwZDK7HFw4lJZ3xxrBkIbimB5NQU6cL8lviOGbaSQ8dAGCGcSuafKrAXlzOItCUdK4w5cBUTFJV6LILkKEmxy8atYNJdh-4VoJmOwv-LwGhwJyv20yrq5RrV-flgN4_jjFmh71ne_XchWy8MH7vdY8ShkT1KI6waFPcfU2PglEYQn6qaDBJ3igMsLUnNL1SRxrFY3ov6--mJdGlz-0eFny0Nz8Qy2bjxIOxCaKMRTQz41d1N7uiXcEa4","tag":"PZFk3Lw2XxZu2_ZooqV0lyI0ALRB8l6YuKDeH3jYBtQ"}',
-        uvfKeySet: '{"keys": [{"kid":"org.cryptomator.hub.recoverykey.gRQZJlBF8UOUry_viZdNFrIG02r12zKPfKPJjg1z0gc","kty":"EC","crv":"P-384","x":"PKwD88lrI0LBwC0p5IKcHCaubRLNPCueNi_mfGrp83Y09MOIX3wIH63At0Lm897r","y":"d7TKPTkh4DURRrMGZp6Vig_cVAWjOa_nwurJ36Gp8SEiJbB6eK0uWxZL_tTESq9K"}]}'
+        uvfMetadataFile: '{"protected":"eyJvcmlnaW4iOiJodHRwcy4vL2V4YW1wbGUuY29tL2FwaS8vdmF1bHRzLzEyMy91dmYvdmF1bHQudXZmIiwiamt1Ijoiandrcy5qc29uIiwiZW5jIjoiQTI1NkdDTSJ9","recipients":[{"header":{"kid":"org.cryptomator.hub.memberkey","alg":"A256KW"},"encrypted_key":"vJ16vGF2Z3NcA7nXPnVrgDLzgxZ8RFtySgf0FsckcrTBfKDg4hAK0w"},{"header":{"kid":"org.cryptomator.hub.recoverykey.J7-F_hjMaygRKdqIoZrbxSqVSRFJ5aF8BXuOCoBBGjw","alg":"ECDH-ES+A256KW","epk":{"key_ops":[],"ext":true,"kty":"EC","x":"oQZ8e-e9UIOtbN50ySx5Xwik9ET3uu38Bzl6HdDR8uipOzdXIO8OUhVQMJWqEHjs","y":"cTP6OI_YfdCVPVWpGOA1SjQ6-4vUpE4a6QJx3JSw29DkOL70Rjl4GAcDc4Iw-VHY","crv":"P-384"},"apu":"","apv":""},"encrypted_key":"m_tSjpBcNQK42pgqLA9YDZYa3WQwJZ94HhGIpwOcKDoJQ8lP8IKbFw"}],"iv":"XPY9W-TE__Hu2m53","ciphertext":"uoukmSAuFTq-20gD9Ayum8iH6ERrld6cNV_ZTyfHBcWeIIZKOdp3RWWEtzNagVnRy5ix0yAafJIa14aSLnsxFv-NhzW1BirU5YypIkvFIO4cPnjI54vzd8nEtPdpp6z2JOqKUvZQYN89Y2EGoXb33FmQAwVMNJt_xDn2Bcb1dvI0q0uKLUidsvFL87NHSA8KUVWjXmmFdjibfqhWuO9YtFVoYD2Oqso9TzQIRMnDt3aIcVAouTTE7bR9O8kj5nseNID2gQ2osKlJVVcUn-4Cn0bI2w_-SeAfAvnePWLmolF8q79_aOsMkow3zMGsQHFoVU3PWCHR374Z02Lnt0Mj5_aUu_k8R5L11xNZQ0EYY7XWWGoUjRif7HmRfTZoHbJwvnHWk5q6IuEEjd_zSa4_im7PpoEofZR2EcH7Zz_Llq00wPWT05ZD82aRo3VCRNs6A2s6Jd8hspnaYA","tag":"j-xKxc2aZ2EDHDm8CzNf8Tj4QIkruZauF0LeUwrhq6c"}',
+        uvfKeySet: '{"keys": [{"kid":"org.cryptomator.hub.recoverykey.J7-F_hjMaygRKdqIoZrbxSqVSRFJ5aF8BXuOCoBBGjw","kty":"EC","crv":"P-384","x":"3ydUf9ZwzYc9RAT2X4nMnJIU2nGbwRbvLj0ve7-C6_i6LaBpy2EbUrfrOBYbEoAN","y":"CQ77rXdI5tg0pyPpTLWzke2l_dMt6k9FquZpilf-_35XlK6weIEdh-ialC-Tw8P0"}]}'
       };
-      const accessToken = 'eyJlbmMiOiJBMjU2R0NNIiwia2lkIjoib3JnLmNyeXB0b21hdG9yLmh1Yi51c2Vya2V5IiwiYWxnIjoiRUNESC1FUytBMjU2S1ciLCJlcGsiOnsia2V5X29wcyI6W10sImV4dCI6dHJ1ZSwia3R5IjoiRUMiLCJ4IjoiSDZ3M1VWbXJ1VTcwRnUwWHFqN0FLekNkZl95dVF1SXVHa0FvVEljaHBaUWNpV0JkbnRjOE93TGhTSU5xZFNGeiIsInkiOiIyWjlqbE5pX0lXa3lCbU1ycDhMbEttamg1WDUwWExGQTNsNzNVYVJ3bHRZSlpOVzdoTTVHTkZsX21XNmxBbWVlIiwiY3J2IjoiUC0zODQifSwiYXB1IjoiIiwiYXB2IjoiIn0.1YGRThFLsu6XjoUhTkxzX6DTbyhEmjl2l07hjCl4qBynFv9hrZIpHg.3HMszd5g8-6FPrcX.ngw9_D6xpRKWNeALK2oW6d314JXnUYjYDhohAnRBjNezTdOgbLw.1E1tcGvv4wFfarSsL_atcCS47uDKjU7MT0C9wFBQIjk';
+      const accessToken = 'eyJlbmMiOiJBMjU2R0NNIiwia2lkIjoib3JnLmNyeXB0b21hdG9yLmh1Yi51c2Vya2V5IiwiYWxnIjoiRUNESC1FUytBMjU2S1ciLCJlcGsiOnsia2V5X29wcyI6W10sImV4dCI6dHJ1ZSwia3R5IjoiRUMiLCJ4Ijoia3VWU3FSSEVYbC1DbzhLRkhQTDRtN1FSWTd6NkMxcHlvRWNFVkw3X0VXY3N6ZDZmSWxyWEFyZ29Fbl9yejU0ZSIsInkiOiJ5RlBUNjN1VWdTVVo0VUxYcUtSWl9LMjBOZy1kZUh3WkFyU29xLU91RTFEcHF2czY3THpGNlAtZXk2Ykl5T0o5IiwiY3J2IjoiUC0zODQifSwiYXB1IjoiIiwiYXB2IjoiIn0.23s1IkwjWpjpzUxr_wZjyXjPwM-D19m0ONQI_naq6bURT2DSHnwe7g.iuH5sI2eL9Qumb_a.TVjVWBOQJAR-9Pu_Ke702hjww9JUZzg9sLyhjAj2o7aYgJtixKw.iQq2B6qQr4ZddqS7-__fhTAF3CteL73IpbJZNBabWLE';
       const uvf = await UniversalVaultFormat.decrypt(dto, accessToken, alice);
 
       expect(uvf).to.be.not.null;
       expect(uvf.metadata).to.be.not.null;
       expect(uvf.metadata.initialSeedId).to.eq(4072093980);
       expect(uvf.metadata.latestSeedId).to.eq(369695552);
-      expect(base64.stringify(uvf.metadata.kdfSalt)).to.eq('NIlr89R7FhochyP4yuXZmDqCnQ0dBB3UZ2D+6oiIjr8=');
-      expect(base64.stringify(uvf.metadata.initialSeed)).to.eq('ypeBEsobvcr6wjGzmiPcTaeG7/gUfE5yuYB3ha/uSLs=');
-      expect(base64.stringify(uvf.metadata.latestSeed)).to.eq('Ln0sA6lQeuJl7PW1NWiFpTOTogKdJBOUmXJloaJa78Y=');
+      expect(base64url.stringify(uvf.metadata.kdfSalt, { pad: false })).to.eq('NIlr89R7FhochyP4yuXZmDqCnQ0dBB3UZ2D-6oiIjr8');
+      expect(base64url.stringify(uvf.metadata.initialSeed, { pad: false })).to.eq('ypeBEsobvcr6wjGzmiPcTaeG7_gUfE5yuYB3ha_uSLs');
+      expect(base64url.stringify(uvf.metadata.latestSeed, { pad: false })).to.eq('Ln0sA6lQeuJl7PW1NWiFpTOTogKdJBOUmXJloaJa78Y');
       expect(uvf.memberKey).to.be.not.null;
       expect(uvf.recoveryKey).to.be.not.null;
       expect(uvf.recoveryKey.privateKey).to.be.undefined;
     });
 
     it('recover()', async () => {
-      const vaultUvfFileContents = '{"protected":"eyJvcmlnaW4iOiJodHRwcy4vL2V4YW1wbGUuY29tL2FwaS8vdmF1bHRzLzEyMy91dmYvdmF1bHQudXZmIiwiamt1Ijoiandrcy5qc29uIiwiZW5jIjoiQTI1NkdDTSJ9","recipients":[{"header":{"kid":"org.cryptomator.hub.memberkey","alg":"A256KW"},"encrypted_key":"6Jmq4Uje1Njp6UOZhMC8EQySIhb82OGqJ3LT_CNGtfS3PTVAanFTkw"},{"header":{"kid":"org.cryptomator.hub.recoverykey.gRQZJlBF8UOUry_viZdNFrIG02r12zKPfKPJjg1z0gc","alg":"ECDH-ES+A256KW","epk":{"key_ops":[],"ext":true,"kty":"EC","x":"ZIM3rAYg1CPMJgYD2-8M04n00tvUnXjx6QBjXMdZJZwozEjo6ns1aI3WVjGb71HC","y":"iYiX7Qs6JV8AxW-W9pRp_wFUqiwD22L7ytbr91eazmKDK0Uuk72K8xWdz0x3TZHB","crv":"P-384"},"apu":"","apv":""},"encrypted_key":"UDe4WL6fkZCMhLQaNYMGvbRFGGNum8Nk7ahiaORnPi9BlUxPCCArkg"}],"iv":"DW6-c25BXTxJ-wF4","ciphertext":"5yhWvQwZPb6ss_b30pFxxpQPKC_-QIKgK1sdTQUUggl5yL6gzfFSOeERDjuD5WSFiLSisMi1BZwI-GPzclpG4SsjIMtOakfe_OcKQGBqpPAfJLiRUePg4CmptBTY205dbqFZfJvFK-jVxUP8oc7mYg3Z8kUovhUAeoIkyubaeiGcV49NLF-_UgV5smPouAxVBBroBpnJ76BDM0UfanfTzHZ_ekynwZDK7HFw4lJZ3xxrBkIbimB5NQU6cL8lviOGbaSQ8dAGCGcSuafKrAXlzOItCUdK4w5cBUTFJV6LILkKEmxy8atYNJdh-4VoJmOwv-LwGhwJyv20yrq5RrV-flgN4_jjFmh71ne_XchWy8MH7vdY8ShkT1KI6waFPcfU2PglEYQn6qaDBJ3igMsLUnNL1SRxrFY3ov6--mJdGlz-0eFny0Nz8Qy2bjxIOxCaKMRTQz41d1N7uiXcEa4","tag":"PZFk3Lw2XxZu2_ZooqV0lyI0ALRB8l6YuKDeH3jYBtQ"}';
-      const recoveryKey = 'cult hold all away buck do law relaxed other stimulus all bank fit indulge dad any ear grey cult golf all baby dig rip may southern bar super use emotional punk pathway who infection bet sporting colleague buffer neutral corporate stand mud desire rob mortgage actually tackle browser killing month minority company editorial escalate expense emission accept sexy ad guest symptom dirty friendly condemn ghost idea warn forever visual workout seat architect call tomorrow true situated bind branch critic heavily nature smoke birthday clinic rubber unique village tin glass female militant harmony embrace officer alive less pole core custody attend funding burst arms convince gap limb apology safety discovery firstly limited hearing nail oven balloon quickly uniform upcoming east tragedy wildlife image abolish nervous till melt';
+      const vaultUvfFileContents = '{"protected":"eyJvcmlnaW4iOiJodHRwcy4vL2V4YW1wbGUuY29tL2FwaS8vdmF1bHRzLzEyMy91dmYvdmF1bHQudXZmIiwiamt1Ijoiandrcy5qc29uIiwiZW5jIjoiQTI1NkdDTSJ9","recipients":[{"header":{"kid":"org.cryptomator.hub.memberkey","alg":"A256KW"},"encrypted_key":"J3Gd7wZzsy-ykWPboW9CqK6DzoDGwRiZCJ3d6fNYkpt0klqDRmYR0g"},{"header":{"kid":"org.cryptomator.hub.recoverykey.DGbyooUW5QlVWzTaF102-f59uRTX1kdqkQb_CMDq9gM","alg":"ECDH-ES+A256KW","epk":{"key_ops":[],"ext":true,"kty":"EC","x":"q4p-3TTjHZxAkf6Fa3rknf_oqBGRiAkXB78_UxElbv6DN0Ufc_2RSX2pYKb8gaAU","y":"czJGKQe_q12AMYROZfEUBbP6zMo0DjgjK_346_BjS9RQ531jf32Ryht4xIBP50ef","crv":"P-384"},"apu":"","apv":""},"encrypted_key":"7D-irqonnK01xQiTNGmsgSRPBzLdKdGTtq2XGS6BONkHWFgESpOYeg"}],"iv":"FNxcOvj_BgQ4vRVN","ciphertext":"qyORqJsK_3aec14d6gnIuNrLmnhFggY0MBWkjqOUXsOhSgOKcamtLbLGhk1gqWfc_dcshzWnBxx7TB2K_TwfSKnF0mumPldFMQ6u_HQM-jemBDCsStBSdOQoYqYcwbLyEfvH39XO4Oremppsj1a-8bOIbga0gnbQQmuNXraQtZLtyut82Q7P521Ab_leIUo_laKHPk610SW3DyJySoroxFH40qEb0GfsUAdcHMwCNA2dhQCCOW4zFZsmV_PxnVaNOhUV8aVz-lmwW8PnNCLxMdveQDegnbSvban6O0Qjl1MRnf1_pnBEM2meWk6CTnuJYwWaKHgbG69geGliOB_wKRTAapw8gOyQ-gPZya2hMvK2gAJLPWXAAc6mDo_MfzHa7PbLQ70J1r_tsJLKLmTrvU683Let70KG1_UyHFi6m9aFfXgA5PfmfGFKeDZ3e_bqNzFJbf-ytZJq9A","tag":"FpTkkwkTujb3OosDC-ck97W4awBStimQ95NfTe0TRxQ"}';
+      const recoveryKey = 'cult hold all away buck do law relaxed other stimulus all bank fit indulge dad any ear grey cult golf all baby dig dip departure subsidy boring inner pioneer excellent chip do outer frighten carriage know sculpture copper downtown pretty universe twelve condition indirect fantasy extend excuse affair canvas anybody arrest kilometre notorious period online franchise accept sexy ad mouse away fatal tool leave whereas behind stake disease balance cook knock foreign design there sister kill fortune associate spelling lorry snake dive penalty martial affection inclusion heal clothes attribute drain devise civic debut buy nurse cost visual insertion site surprise relevant cost per apologize dinner terms see protect lottery worthy rational infect dog latest physician goods severe enjoyable acute concert problem primarily prey pen material melt';
 
       const uvf = await UniversalVaultFormat.recover(vaultUvfFileContents, recoveryKey);
 
@@ -218,9 +218,9 @@ describe('UVF', () => {
       expect(uvf.metadata).to.be.not.null;
       expect(uvf.metadata.initialSeedId).to.eq(4072093980);
       expect(uvf.metadata.latestSeedId).to.eq(369695552);
-      expect(base64.stringify(uvf.metadata.kdfSalt)).to.eq('NIlr89R7FhochyP4yuXZmDqCnQ0dBB3UZ2D+6oiIjr8=');
-      expect(base64.stringify(uvf.metadata.initialSeed)).to.eq('ypeBEsobvcr6wjGzmiPcTaeG7/gUfE5yuYB3ha/uSLs=');
-      expect(base64.stringify(uvf.metadata.latestSeed)).to.eq('Ln0sA6lQeuJl7PW1NWiFpTOTogKdJBOUmXJloaJa78Y=');
+      expect(base64url.stringify(uvf.metadata.kdfSalt, { pad: false })).to.eq('NIlr89R7FhochyP4yuXZmDqCnQ0dBB3UZ2D-6oiIjr8');
+      expect(base64url.stringify(uvf.metadata.initialSeed, { pad: false })).to.eq('ypeBEsobvcr6wjGzmiPcTaeG7_gUfE5yuYB3ha_uSLs');
+      expect(base64url.stringify(uvf.metadata.latestSeed, { pad: false })).to.eq('Ln0sA6lQeuJl7PW1NWiFpTOTogKdJBOUmXJloaJa78Y');
       expect(uvf.memberKey).to.be.not.null;
       expect(uvf.recoveryKey).to.be.not.null;
       expect(uvf.recoveryKey.privateKey).to.be.not.null;
@@ -235,14 +235,14 @@ describe('UVF', () => {
             "fileFormat": "AES-256-GCM-32k",
             "nameFormat": "AES-SIV-512-B64URL",
             "seeds": {
-                "HDm38g": "ypeBEsobvcr6wjGzmiPcTaeG7/gUfE5yuYB3ha/uSLs=",
-                "gBryKw": "PiPoFgA5WUoziU9lZOGxNIu9egCI1CxKy3PurtWcAJ0=",
-                "QBsJFg": "Ln0sA6lQeuJl7PW1NWiFpTOTogKdJBOUmXJloaJa78Y="
+                "HDm38g": "ypeBEsobvcr6wjGzmiPcTaeG7_gUfE5yuYB3ha_uSLs",
+                "gBryKw": "PiPoFgA5WUoziU9lZOGxNIu9egCI1CxKy3PurtWcAJ0",
+                "QBsJFg": "Ln0sA6lQeuJl7PW1NWiFpTOTogKdJBOUmXJloaJa78Y"
             },
             "initialSeed": "HDm38g",
             "latestSeed": "QBsJFg",
             "kdf": "HKDF-SHA512",
-            "kdfSalt": "NIlr89R7FhochyP4yuXZmDqCnQ0dBB3UZ2D+6oiIjr8=",
+            "kdfSalt": "NIlr89R7FhochyP4yuXZmDqCnQ0dBB3UZ2D-6oiIjr8",
             "org.example.customfield": 42
         }`;
         const metadata = await VaultMetadata.createFromJson(JSON.parse(json));
@@ -254,6 +254,11 @@ describe('UVF', () => {
         expect(token).to.be.not.null;
       });
 
+      it('create recovery key', async () => {
+        const recoveryKey = await uvf.recoveryKey.createRecoveryKey();
+        expect(recoveryKey).to.match(/^cult hold.+$/);
+      });
+
       it('createMetadataFile() creates a vault.uvf file', async () => {
         const json = await uvf.createMetadataFile('https.//example.com/api/', { id: '123', name: 'test', archived: false, creationTime: new Date() });
         expect(json).to.be.not.null;

From 6efd70252c927bb8559fe153beee1c9fa3120373 Mon Sep 17 00:00:00 2001
From: Sebastian Stenzel <sebastian.stenzel@skymatic.de>
Date: Thu, 24 Apr 2025 13:25:08 +0200
Subject: [PATCH 88/94] fix test broken during merge cd68e29

---
 .../cryptomator/hub/api/VaultResourceIT.java    | 17 ++++++++++-------
 1 file changed, 10 insertions(+), 7 deletions(-)

diff --git a/backend/src/test/java/org/cryptomator/hub/api/VaultResourceIT.java b/backend/src/test/java/org/cryptomator/hub/api/VaultResourceIT.java
index c98f517c8..34f7d776c 100644
--- a/backend/src/test/java/org/cryptomator/hub/api/VaultResourceIT.java
+++ b/backend/src/test/java/org/cryptomator/hub/api/VaultResourceIT.java
@@ -53,6 +53,7 @@
 import static org.hamcrest.CoreMatchers.hasItems;
 import static org.hamcrest.CoreMatchers.is;
 import static org.hamcrest.CoreMatchers.not;
+import static org.hamcrest.Matchers.comparesEqualTo;
 import static org.hamcrest.Matchers.equalTo;
 import static org.hamcrest.Matchers.hasSize;
 import static org.hamcrest.text.IsEqualIgnoringCase.equalToIgnoringCase;
@@ -91,10 +92,12 @@ public class TestVaultDtoValidation {
 		private static final String VALID_SALT = "base64";
 		private static final String VALID_AUTH_PUB = "base64";
 		private static final String VALID_AUTH_PRI = "base64";
+		private static final String VALID_UVF_METADATA_FILE = "{json}";
+		private static final String VALID_UVF_RECOVERY_KEY = "base64";
 
 		@Test
 		public void testValidDto() {
-			var dto = new VaultResource.VaultDto(VALID_ID, VALID_NAME, "foobarbaz", false, Instant.parse("2020-02-20T20:20:20Z"), VALID_MASTERKEY, 8, VALID_SALT, VALID_AUTH_PUB, VALID_AUTH_PRI);
+			var dto = new VaultResource.VaultDto(VALID_ID, VALID_NAME, "foobarbaz", false, Instant.parse("2020-02-20T20:20:20Z"), VALID_UVF_METADATA_FILE, VALID_UVF_RECOVERY_KEY, VALID_MASTERKEY, 8, VALID_SALT, VALID_AUTH_PUB, VALID_AUTH_PRI);
 			var violations = validator.validate(dto);
 			MatcherAssert.assertThat(violations, Matchers.empty());
 		}
@@ -263,7 +266,7 @@ public void testUnlock() {
 		@DisplayName("PUT /vaults/7E57C0DE-0000-4000-8000-000100003333 returns 403 for missing role")
 		public void testCreateVaultWithMissingRole() {
 			var uuid = UUID.fromString("7E57C0DE-0000-4000-8000-000100003333");
-			var vaultDto = new VaultResource.VaultDto(uuid, "My Vault", "Test vault 3", false, Instant.parse("2112-12-21T21:12:21Z"), "masterkey3", 42, "NaCl", "authPubKey3", "authPrvKey3");
+			var vaultDto = new VaultResource.VaultDto(uuid, "My Vault", "Test vault 3", false, Instant.parse("2112-12-21T21:12:21Z"), "uvfMetadata3", "uvfKeySet3", "masterkey3", 42, "NaCl", "authPubKey3", "authPrvKey3");
 
 			given().contentType(ContentType.JSON).body(vaultDto)
 					.when().put("/vaults/{vaultId}", "7E57C0DE-0000-4000-8000-000100003333")
@@ -286,7 +289,7 @@ public class CreateVaults {
 		@DisplayName("PUT /vaults/7E57C0DE-0000-4000-8000-000100003333 returns 201")
 		public void testCreateVault1() {
 			var uuid = UUID.fromString("7E57C0DE-0000-4000-8000-000100003333");
-			var vaultDto = new VaultResource.VaultDto(uuid, "My Vault", "Test vault 3", false, Instant.parse("2112-12-21T21:12:21Z"), "masterkey3", 42, "NaCl", "authPubKey3", "authPrvKey3");
+			var vaultDto = new VaultResource.VaultDto(uuid, "My Vault", "Test vault 3", false, Instant.parse("2112-12-21T21:12:21Z"), "uvfMetadata3", "uvfKeySet3", "masterkey3", 42, "NaCl", "authPubKey3", "authPrvKey3");
 
 			given().contentType(ContentType.JSON).body(vaultDto)
 					.when().put("/vaults/{vaultId}", "7E57C0DE-0000-4000-8000-000100003333")
@@ -311,7 +314,7 @@ public void testCreateVault2() {
 		@DisplayName("PUT /vaults/7E57C0DE-0000-4000-8000-000100004444 returns 201 ignoring archived flag")
 		public void testCreateVault3() {
 			var uuid = UUID.fromString("7E57C0DE-0000-4000-8000-000100004444");
-			var vaultDto = new VaultResource.VaultDto(uuid, "My Vault", "Test vault 4", true, Instant.parse("2112-12-21T21:12:21Z"), "masterkey4", 42, "NaCl", "authPubKey4", "authPrvKey4");
+			var vaultDto = new VaultResource.VaultDto(uuid, "My Vault", "Test vault 4", true, Instant.parse("2112-12-21T21:12:21Z"), "uvfMetadata4", "uvfKeySet4","masterkey4", 42, "NaCl", "authPubKey4", "authPrvKey4");
 
 			given().contentType(ContentType.JSON).body(vaultDto)
 					.when().put("/vaults/{vaultId}", "7E57C0DE-0000-4000-8000-000100004444")
@@ -327,7 +330,7 @@ public void testCreateVault3() {
 		@DisplayName("PUT /vaults/7E57C0DE-0000-4000-8000-000100003333 returns 200, updating only name, description and archive flag")
 		public void testUpdateVault() {
 			var uuid = UUID.fromString("7E57C0DE-0000-4000-8000-000100003333");
-			var vaultDto = new VaultResource.VaultDto(uuid, "VaultUpdated", "Vault updated.", true, Instant.parse("2222-11-11T11:11:11Z"), "doNotUpdate", 27, "doNotUpdate", "doNotUpdate", "doNotUpdate");
+			var vaultDto = new VaultResource.VaultDto(uuid, "VaultUpdated", "Vault updated.", true, Instant.parse("2222-11-11T11:11:11Z"), "doNotUpdate", "doNotUpdate", "doNotUpdate", 27, "doNotUpdate", "doNotUpdate", "doNotUpdate");
 			given().contentType(ContentType.JSON)
 					.body(vaultDto)
 					.when().put("/vaults/{vaultId}", "7E57C0DE-0000-4000-8000-000100003333")
@@ -778,7 +781,7 @@ public void testUpdateVaultDespiteLicenseExceeded() {
 			Assumptions.assumeTrue(effectiveVaultAccessRepo.countSeatOccupyingUsers() == 5);
 			var vaultId = "7E57C0DE-0000-4000-8000-000100001111";
 
-			var vaultDto = new VaultResource.VaultDto(UUID.fromString(vaultId), "Vault 1", "This is a testvault.", false, Instant.parse("2222-11-11T11:11:11Z"), "someVaule", -1, "doNotUpdate", "doNotUpdate", "doNotUpdate");
+			var vaultDto = new VaultResource.VaultDto(UUID.fromString(vaultId), "Vault 1", "This is a testvault.", false, Instant.parse("2222-11-11T11:11:11Z"), "doNotUpdate", "doNotUpdate", "someVaule", -1, "doNotUpdate", "doNotUpdate", "doNotUpdate");
 			given().contentType(ContentType.JSON)
 					.body(vaultDto)
 					.when().put("/vaults/{vaultId}", vaultId)
@@ -804,7 +807,7 @@ public void testCreateVaultExceedingSeats() throws SQLException {
 			Assumptions.assumeTrue(effectiveVaultAccessRepo.countSeatOccupyingUsers() > 5);
 
 			var uuid = UUID.fromString("7E57C0DE-0000-4000-8000-0001FFFF3333");
-			var vaultDto = new VaultResource.VaultDto(uuid, "My Vault", "Test vault 4", false, Instant.parse("2112-12-21T21:12:21Z"), "masterkey3", 42, "NaCl", "authPubKey3", "authPrvKey3");
+			var vaultDto = new VaultResource.VaultDto(uuid, "My Vault", "Test vault 4", false, Instant.parse("2112-12-21T21:12:21Z"), "uvfMetadata3", "uvfKeySet3", "masterkey3", 42, "NaCl", "authPubKey3", "authPrvKey3");
 			given().contentType(ContentType.JSON).body(vaultDto)
 					.when().put("/vaults/{vaultId}", "7E57C0DE-0000-4000-8000-0001FFFF3333")
 					.then().statusCode(402);

From ce36aa1309695db7ae4dd993b1fb741e9c986c30 Mon Sep 17 00:00:00 2001
From: Sebastian Stenzel <sebastian.stenzel@skymatic.de>
Date: Thu, 24 Apr 2025 13:27:38 +0200
Subject: [PATCH 89/94] run linter

[ci skip]
---
 frontend/src/common/jwe.ts | 27 +++++++--------------------
 1 file changed, 7 insertions(+), 20 deletions(-)

diff --git a/frontend/src/common/jwe.ts b/frontend/src/common/jwe.ts
index a5663fb57..f3b560729 100644
--- a/frontend/src/common/jwe.ts
+++ b/frontend/src/common/jwe.ts
@@ -69,7 +69,6 @@ export const ECDH_P384: EcKeyImportParams | EcKeyGenParams = {
 // #region Recipients
 
 export abstract class Recipient {
-
   constructor(readonly kid: string) { };
 
   /**
@@ -130,11 +129,9 @@ export abstract class Recipient {
     }
     return new A256kwRecipient(kid, wrappingKey);
   }
-
 }
 
 class EcdhRecipient extends Recipient {
-
   constructor(readonly kid: string, private recipientKey: CryptoKey, private apu: Uint8Array = new Uint8Array(), private apv: Uint8Array = new Uint8Array()) {
     super(kid);
   }
@@ -157,7 +154,7 @@ class EcdhRecipient extends Recipient {
     return {
       header: header,
       encrypted_key: base64url.stringify(encryptedKey, { pad: false })
-    }
+    };
   }
 
   async decrypt(header: JWEHeader, encryptedKey: string): Promise<CryptoKey> {
@@ -197,11 +194,9 @@ class EcdhRecipient extends Recipient {
       throw new UnwrapKeyError(error);
     }
   }
-
 }
 
 class A256kwRecipient extends Recipient {
-
   constructor(readonly kid: string, private wrappingKey: CryptoKey) {
     super(kid);
   }
@@ -216,7 +211,7 @@ class A256kwRecipient extends Recipient {
     return {
       header: header,
       encrypted_key: base64url.stringify(encryptedKey, { pad: false })
-    }
+    };
   }
 
   async decrypt(header: JWEHeader, encryptedKey: string): Promise<CryptoKey> {
@@ -229,11 +224,9 @@ class A256kwRecipient extends Recipient {
       throw new UnwrapKeyError(error);
     }
   }
-
 }
 
 class Pbes2Recipient extends Recipient {
-
   constructor(readonly kid: string, private password: string, private iterations: number) {
     super(kid);
   }
@@ -252,7 +245,7 @@ class Pbes2Recipient extends Recipient {
     return {
       header: header,
       encrypted_key: base64url.stringify(encryptedKey, { pad: false })
-    }
+    };
   }
 
   async decrypt(header: JWEHeader, encryptedKey: string): Promise<CryptoKey> {
@@ -267,14 +260,12 @@ class Pbes2Recipient extends Recipient {
       throw new UnwrapKeyError(error);
     }
   }
-
 }
 
 // #endregion
 // #region JWE
 
 export class JWE {
-
   private constructor(private payload: object, private protectedHeader: JWEHeader) { }
 
   public static build(payload: object, protectedHeader: JWEHeader = {}): JWE {
@@ -300,7 +291,7 @@ export class JWE {
     let protectedHeader: JWEHeader = {
       ...this.protectedHeader,
       enc: 'A256GCM'
-    }
+    };
     const cek = await crypto.subtle.generateKey({ name: 'AES-GCM', length: 256 }, true, ['encrypt']);
     const iv = crypto.getRandomValues(new Uint8Array(12));
     const perRecipientData = await Promise.all([recipient, ...moreRecipients].map(r => r.encrypt(cek, protectedHeader)));
@@ -312,7 +303,7 @@ export class JWE {
       };
     } else {
       protectedHeader.enc = perRecipientData[0].header.enc;
-      for (let key of Object.keys(protectedHeader)) {
+      for (const key of Object.keys(protectedHeader)) {
         perRecipientData.forEach(r => delete r.header[key]);
       }
     }
@@ -337,15 +328,12 @@ export class JWE {
     const encodedIv = base64url.stringify(iv, { pad: false });
     const encodedCiphertext = base64url.stringify(ciphertext, { pad: false });
     const encodedTag = base64url.stringify(tag, { pad: false });
-    return new EncryptedJWE(encodedProtectedHeader, perRecipientData, encodedIv, encodedCiphertext, encodedTag)
+    return new EncryptedJWE(encodedProtectedHeader, perRecipientData, encodedIv, encodedCiphertext, encodedTag);
   }
-
 }
 
-
 // visible for testing
 export class EncryptedJWE {
-
   constructor(private protectedHeader: string, private perRecipient: PerRecipientProperties[], private iv: string, private ciphertext: string, private tag: string) {
     if (perRecipient.length < 1) {
       throw new Error('Expected at least one recipient.');
@@ -385,7 +373,7 @@ export class EncryptedJWE {
       : this.perRecipientWithKid(recipient.kid);
     const combinedHeader: JWEHeader = { ...perRecipientData.header, ...protectedHeader };
     const cek = await recipient.decrypt(combinedHeader, perRecipientData.encrypted_key);
-    const ciphertext = base64url.parse(this.ciphertext, { loose: true })
+    const ciphertext = base64url.parse(this.ciphertext, { loose: true });
     const tag = base64url.parse(this.tag, { loose: true });
     const ciphertextAndTag = new Uint8Array([...ciphertext, ...tag]);
     const cleartext = new Uint8Array(await crypto.subtle.decrypt(
@@ -409,7 +397,6 @@ export class EncryptedJWE {
       throw new Error(`JWE does not contain recipient with kid: ${kid}`);
     }
   }
-
 }
 
 // #endregion

From 27a944dcada33c4ee18c2b45ad37e805768ebf8e Mon Sep 17 00:00:00 2001
From: Sebastian Stenzel <sebastian.stenzel@skymatic.de>
Date: Tue, 8 Jul 2025 10:58:37 +0200
Subject: [PATCH 90/94] use 512 bit keys for HMAC-SHA256 as per spec

see https://github.com/encryption-alliance/unified-vault-format/pull/31
---
 frontend/src/common/universalVaultFormat.ts       | 2 +-
 frontend/test/common/universalVaultFormat.spec.ts | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/frontend/src/common/universalVaultFormat.ts b/frontend/src/common/universalVaultFormat.ts
index 7683b8905..a10cc771d 100644
--- a/frontend/src/common/universalVaultFormat.ts
+++ b/frontend/src/common/universalVaultFormat.ts
@@ -439,7 +439,7 @@ export class UniversalVaultFormat implements AccessTokenProducing, VaultTemplate
   public async computeRootDirIdHash(rootDirId: Uint8Array): Promise<string> {
     const textencoder = new TextEncoder();
     const initialSeed = await crypto.subtle.importKey('raw', this.metadata.initialSeed, { name: 'HKDF' }, false, ['deriveKey']);
-    const hmacKey = await crypto.subtle.deriveKey({ name: 'HKDF', hash: 'SHA-512', salt: this.metadata.kdfSalt, info: textencoder.encode('hmac') }, initialSeed, { name: 'HMAC', hash: 'SHA-256', length: 256 }, false, ['sign']);
+    const hmacKey = await crypto.subtle.deriveKey({ name: 'HKDF', hash: 'SHA-512', salt: this.metadata.kdfSalt, info: textencoder.encode('hmac') }, initialSeed, { name: 'HMAC', hash: 'SHA-256', length: 512 }, false, ['sign']);
     const rootDirHash = await crypto.subtle.sign('HMAC', hmacKey, rootDirId);
     return base32.stringify(new Uint8Array(rootDirHash).slice(0, 20));
   }
diff --git a/frontend/test/common/universalVaultFormat.spec.ts b/frontend/test/common/universalVaultFormat.spec.ts
index 8876bf407..d43476ba8 100644
--- a/frontend/test/common/universalVaultFormat.spec.ts
+++ b/frontend/test/common/universalVaultFormat.spec.ts
@@ -292,11 +292,11 @@ describe('UVF', () => {
         const rootDirId = base64.parse('5WEGzwKkAHPwVSjT2Brr3P3zLz7oMiNpMn/qBvht7eM=');
         const hash = await uvf.computeRootDirIdHash(rootDirId);
         expect(hash).to.have.a.lengthOf(32);
-        expect(hash).to.eq('RKHZLENL3PQIW6GZHE3KRRRGLFBHWHRU');
+        expect(hash).to.eq('RZK7ZH7KBXULNEKBMGX3CU42PGUIAIX4');
       });
 
       it('encryptFile() creates some ciphertext', async () => {
-        const rootDirId = base64.parse('24UBEDeGu5taq7U4GqyA0MXUXb9HTYS6p3t9vvHGJAc=');
+        const rootDirId = base64.parse('5WEGzwKkAHPwVSjT2Brr3P3zLz7oMiNpMn/qBvht7eM=');
         const fileContent = await uvf.encryptFile(rootDirId, uvf.metadata.initialSeedId);
         expect(fileContent).to.have.a.lengthOf(128);
         expect(fileContent.slice(0, 4)).to.eql(new Uint8Array([0x75, 0x76, 0x66, 0x01])); // magic bytes

From 85f4d3006406bd974e30367a57f222000843637d Mon Sep 17 00:00:00 2001
From: Sebastian Stenzel <sebastian.stenzel@skymatic.de>
Date: Tue, 2 Sep 2025 11:16:19 +0200
Subject: [PATCH 91/94] force big-endian seed IDs

---
 frontend/src/common/universalVaultFormat.ts       | 14 +++++++-------
 frontend/test/common/universalVaultFormat.spec.ts |  8 ++++----
 2 files changed, 11 insertions(+), 11 deletions(-)

diff --git a/frontend/src/common/universalVaultFormat.ts b/frontend/src/common/universalVaultFormat.ts
index 27e6fecf2..5ceece4f7 100644
--- a/frontend/src/common/universalVaultFormat.ts
+++ b/frontend/src/common/universalVaultFormat.ts
@@ -237,13 +237,13 @@ export class VaultMetadata {
    * @returns new vault
    */
   public static async create(automaticAccessGrant: VaultMetadataJWEAutomaticAccessGrantDto): Promise<VaultMetadata> {
-    const initialSeedId = new Uint32Array(1);
+    const initialSeedId = new Uint8Array(4);
     const initialSeedValue = new Uint8Array(32);
     const kdfSalt = new Uint8Array(32);
     crypto.getRandomValues(initialSeedId);
     crypto.getRandomValues(initialSeedValue);
     crypto.getRandomValues(kdfSalt);
-    const initialSeedNo = initialSeedId[0];
+    const initialSeedNo = new DataView(initialSeedId.buffer).getInt32(0, false);
     const seeds: Map<number, Uint8Array> = new Map<number, Uint8Array>();
     seeds.set(initialSeedNo, initialSeedValue);
     return new VaultMetadata(automaticAccessGrant, seeds, initialSeedNo, initialSeedNo, kdfSalt);
@@ -501,7 +501,7 @@ export class UniversalVaultFormat implements AccessTokenProducing, VaultTemplate
 }
 
 /**
- * Parses the 4 byte seed id from its base64url-encoded form to a 32 bit integer.
+ * Decodes a base64url-encoded 32 bit big endian number.
  * @param encoded base64url-encoded seed ID
  * @returns a 32 bit number
  * @throws Error if the input is invalid
@@ -511,16 +511,16 @@ function parseSeedId(encoded: string): number {
   if (bytes.length != 4) {
     throw new Error('Malformed seed ID');
   }
-  return new Uint32Array(bytes.buffer)[0];
+  return new DataView(bytes.buffer).getInt32(0, false);
 }
 
 /**
- * Encodes a 32 bit integer denoting the 4 byte seed id as a base64url-encoded string.
+ * Encodes the seed ID as a 32 bit big endian integer and base64url-encodes it.
  * @param id numeric seed ID
  * @returns a base6url-encoded seed ID
  */
 function stringifySeedId(id: number): string {
-  const ints = new Uint32Array([id]);
-  const bytes = new Uint8Array(ints.buffer);
+  const bytes = new Uint8Array(4);
+  new DataView(bytes.buffer).setInt32(0, id, false);
   return base64url.stringify(bytes, { pad: false });
 }
diff --git a/frontend/test/common/universalVaultFormat.spec.ts b/frontend/test/common/universalVaultFormat.spec.ts
index c50a788b2..635c804f4 100644
--- a/frontend/test/common/universalVaultFormat.spec.ts
+++ b/frontend/test/common/universalVaultFormat.spec.ts
@@ -188,8 +188,8 @@ describe('UVF', () => {
 
       expect(uvf).to.be.not.null;
       expect(uvf.metadata).to.be.not.null;
-      expect(uvf.metadata.initialSeedId).to.eq(4072093980);
-      expect(uvf.metadata.latestSeedId).to.eq(369695552);
+      expect(uvf.metadata.initialSeedId).to.eq(473544690);
+      expect(uvf.metadata.latestSeedId).to.eq(1075513622);
       expect(base64url.stringify(uvf.metadata.kdfSalt, { pad: false })).to.eq('NIlr89R7FhochyP4yuXZmDqCnQ0dBB3UZ2D-6oiIjr8');
       expect(base64url.stringify(uvf.metadata.initialSeed, { pad: false })).to.eq('ypeBEsobvcr6wjGzmiPcTaeG7_gUfE5yuYB3ha_uSLs');
       expect(base64url.stringify(uvf.metadata.latestSeed, { pad: false })).to.eq('Ln0sA6lQeuJl7PW1NWiFpTOTogKdJBOUmXJloaJa78Y');
@@ -206,8 +206,8 @@ describe('UVF', () => {
 
       expect(uvf).to.be.not.null;
       expect(uvf.metadata).to.be.not.null;
-      expect(uvf.metadata.initialSeedId).to.eq(4072093980);
-      expect(uvf.metadata.latestSeedId).to.eq(369695552);
+      expect(uvf.metadata.initialSeedId).to.eq(473544690);
+      expect(uvf.metadata.latestSeedId).to.eq(1075513622);
       expect(base64url.stringify(uvf.metadata.kdfSalt, { pad: false })).to.eq('NIlr89R7FhochyP4yuXZmDqCnQ0dBB3UZ2D-6oiIjr8');
       expect(base64url.stringify(uvf.metadata.initialSeed, { pad: false })).to.eq('ypeBEsobvcr6wjGzmiPcTaeG7_gUfE5yuYB3ha_uSLs');
       expect(base64url.stringify(uvf.metadata.latestSeed, { pad: false })).to.eq('Ln0sA6lQeuJl7PW1NWiFpTOTogKdJBOUmXJloaJa78Y');

From e7dceec704fc962cad7609ce9eae8f0d2e1e78df Mon Sep 17 00:00:00 2001
From: Sebastian Stenzel <sebastian.stenzel@skymatic.de>
Date: Tue, 2 Sep 2025 11:19:41 +0200
Subject: [PATCH 92/94] use `Uint8Array<ArrayBuffer>` (TS 5.7 adjustments)

see https://devblogs.microsoft.com/typescript/announcing-typescript-5-7/#support-for---target-es2024-and---lib-es2024
---
 frontend/src/common/crypto.ts                 |  6 ++--
 frontend/src/common/universalVaultFormat.ts   | 32 +++++++++----------
 frontend/src/common/userdata.ts               | 10 +++---
 frontend/src/common/util.ts                   |  2 +-
 .../test/common/universalVaultFormat.spec.ts  |  4 +--
 5 files changed, 27 insertions(+), 27 deletions(-)

diff --git a/frontend/src/common/crypto.ts b/frontend/src/common/crypto.ts
index fbe14ebbd..da156c7ff 100644
--- a/frontend/src/common/crypto.ts
+++ b/frontend/src/common/crypto.ts
@@ -144,13 +144,13 @@ export class UserKeys {
   private static async createFromJwe(jwe: UserKeyPayload, ecdhPublicKey: CryptoKey | BufferSource, ecdsaPublicKey?: CryptoKey | BufferSource): Promise<UserKeys> {
     const ecdhKeyPair: CryptoKeyPair = {
       publicKey: await asPublicKey(ecdhPublicKey, UserKeys.ECDH_KEY_DESIGNATION),
-      privateKey: await crypto.subtle.importKey('pkcs8', base64.parse(jwe.ecdhPrivateKey ?? jwe.key, { loose: true }), UserKeys.ECDH_KEY_DESIGNATION, true, UserKeys.ECDH_PRIV_KEY_USAGES)
+      privateKey: await crypto.subtle.importKey('pkcs8', base64.parse(jwe.ecdhPrivateKey ?? jwe.key, { loose: true }).slice(), UserKeys.ECDH_KEY_DESIGNATION, true, UserKeys.ECDH_PRIV_KEY_USAGES)
     };
     let ecdsaKeyPair: CryptoKeyPair;
     if (jwe.ecdsaPrivateKey && ecdsaPublicKey) {
       ecdsaKeyPair = {
         publicKey: await asPublicKey(ecdsaPublicKey, UserKeys.ECDSA_KEY_DESIGNATION, UserKeys.ECDSA_PUB_KEY_USAGES),
-        privateKey: await crypto.subtle.importKey('pkcs8', base64.parse(jwe.ecdsaPrivateKey, { loose: true }), UserKeys.ECDSA_KEY_DESIGNATION, true, UserKeys.ECDSA_PRIV_KEY_USAGES)
+        privateKey: await crypto.subtle.importKey('pkcs8', base64.parse(jwe.ecdsaPrivateKey, { loose: true }).slice(), UserKeys.ECDSA_KEY_DESIGNATION, true, UserKeys.ECDSA_PRIV_KEY_USAGES)
       };
     } else {
       // ECDSA key was added in Hub 1.4.0. If it's missing, we generate a new one.
@@ -196,7 +196,7 @@ export class UserKeys {
    * @returns a JWE containing the PKCS#8-encoded private key
    * @see Recipient.ecdhEs
    */
-  public async encryptForDevice(devicePublicKey: CryptoKey | Uint8Array): Promise<string> {
+  public async encryptForDevice(devicePublicKey: CryptoKey | BufferSource): Promise<string> {
     const publicKey = await asPublicKey(devicePublicKey, BrowserKeys.KEY_DESIGNATION);
     const payload = await this.prepareForEncryption();
     const jwe = await JWE.build(payload).encrypt(Recipient.ecdhEs('org.cryptomator.hub.deviceKey', publicKey));
diff --git a/frontend/src/common/universalVaultFormat.ts b/frontend/src/common/universalVaultFormat.ts
index 5ceece4f7..b0aad9737 100644
--- a/frontend/src/common/universalVaultFormat.ts
+++ b/frontend/src/common/universalVaultFormat.ts
@@ -55,9 +55,9 @@ export class MemberKey {
    * @returns new key
    */
   public static async load(encodedKey: string): Promise<MemberKey> {
-    let rawKey: Uint8Array = new Uint8Array();
+    let rawKey: Uint8Array<ArrayBuffer> = new Uint8Array();
     try {
-      rawKey = base64.parse(encodedKey);
+      rawKey = base64.parse(encodedKey).slice();
       const memberKey = await crypto.subtle.importKey('raw', rawKey, MemberKey.KEY_DESIGNATION, true, MemberKey.KEY_USAGE);
       return new MemberKey(memberKey);
     } finally {
@@ -102,7 +102,7 @@ export class RecoveryKey {
    * @param publicKey the PKCS8-encoded private key
    * @returns recovery key for encrypting vault metadata
    */
-  public static async import(publicKey: CryptoKey | Uint8Array, privateKey?: CryptoKey | Uint8Array): Promise<RecoveryKey> {
+  public static async import(publicKey: CryptoKey | Uint8Array<ArrayBuffer>, privateKey?: CryptoKey | Uint8Array<ArrayBuffer>): Promise<RecoveryKey> {
     if (publicKey instanceof Uint8Array) {
       publicKey = await crypto.subtle.importKey('spki', publicKey, RecoveryKey.KEY_DESIGNATION, true, []);
     }
@@ -133,7 +133,7 @@ export class RecoveryKey {
     }
     const unpadded = decoded.subarray(0, -paddingLength);
     const checksum = unpadded.subarray(-2);
-    const rawkey = unpadded.subarray(0, -2);
+    const rawkey = unpadded.slice(0, -2);
     const crc32 = CRC32.compute(rawkey);
     if (checksum[0] !== (crc32 & 0xFF)
       || checksum[1] !== (crc32 >> 8 & 0xFF)) {
@@ -219,10 +219,10 @@ export class DecodeUvfRecoveryKeyError extends Error {
 export class VaultMetadata {
   private constructor(
     readonly automaticAccessGrant: VaultMetadataJWEAutomaticAccessGrantDto,
-    readonly seeds: Map<number, Uint8Array>,
+    readonly seeds: Map<number, Uint8Array<ArrayBuffer>>,
     readonly initialSeedId: number,
     readonly latestSeedId: number,
-    readonly kdfSalt: Uint8Array) {
+    readonly kdfSalt: Uint8Array<ArrayBuffer>) {
     if (!seeds.has(initialSeedId)) {
       throw new Error('Initial seed is missing');
     }
@@ -249,14 +249,14 @@ export class VaultMetadata {
     return new VaultMetadata(automaticAccessGrant, seeds, initialSeedNo, initialSeedNo, kdfSalt);
   }
 
-  public get initialSeed(): Uint8Array {
+  public get initialSeed(): Uint8Array<ArrayBuffer> {
     if (!this.seeds.has(this.initialSeedId)) {
       throw new Error('Illegal State');
     }
     return this.seeds.get(this.initialSeedId)!;
   }
 
-  public get latestSeed(): Uint8Array {
+  public get latestSeed(): Uint8Array<ArrayBuffer> {
     if (!this.seeds.has(this.latestSeedId)) {
       throw new Error('Illegal State');
     }
@@ -292,15 +292,15 @@ export class VaultMetadata {
   }
 
   public static async createFromJson(payload: MetadataPayload): Promise<VaultMetadata> {
-    const seeds = new Map<number, Uint8Array>();
+    const seeds = new Map<number, Uint8Array<ArrayBuffer>>();
     for (const key in payload.seeds) {
       const num = parseSeedId(key);
-      const value = base64url.parse(payload.seeds[key], { loose: true });
+      const value = base64url.parse(payload.seeds[key], { loose: true }).slice();
       seeds.set(num, value);
     }
     const initialSeedId = parseSeedId(payload['initialSeed']);
     const latestSeedId = parseSeedId(payload['latestSeed']);
-    const kdfSalt = base64url.parse(payload['kdfSalt'], { loose: true });
+    const kdfSalt = base64url.parse(payload['kdfSalt'], { loose: true }).slice();
     return new VaultMetadata(
       payload['org.cryptomator.automaticAccessGrant'],
       seeds,
@@ -387,7 +387,7 @@ export class UniversalVaultFormat implements AccessTokenProducing, VaultTemplate
     const metadata = await VaultMetadata.decryptWithMemberKey(vault.uvfMetadataFile, memberKey);
     let recoveryKey: RecoveryKey;
     if (payload.recoveryKey) {
-      recoveryKey = await RecoveryKey.import(recoveryPublicKey, base64.parse(payload.recoveryKey));
+      recoveryKey = await RecoveryKey.import(recoveryPublicKey, base64.parse(payload.recoveryKey).slice());
     } else {
       recoveryKey = await RecoveryKey.import(recoveryPublicKey);
     }
@@ -429,20 +429,20 @@ export class UniversalVaultFormat implements AccessTokenProducing, VaultTemplate
     return this.metadata.encrypt(apiURL, vault, this.memberKey, this.recoveryKey);
   }
 
-  public async computeRootDirId(): Promise<Uint8Array> {
+  public async computeRootDirId(): Promise<Uint8Array<ArrayBuffer>> {
     const initialSeed = await crypto.subtle.importKey('raw', this.metadata.initialSeed, { name: 'HKDF' }, false, ['deriveBits']);
     const rootDirId = await crypto.subtle.deriveBits({ name: 'HKDF', hash: 'SHA-512', salt: this.metadata.kdfSalt, info: UTF8.encode('rootDirId') }, initialSeed, 256);
     return new Uint8Array(rootDirId);
   }
 
-  public async computeRootDirIdHash(rootDirId: Uint8Array): Promise<string> {
+  public async computeRootDirIdHash(rootDirId: Uint8Array<ArrayBuffer>): Promise<string> {
     const initialSeed = await crypto.subtle.importKey('raw', this.metadata.initialSeed, { name: 'HKDF' }, false, ['deriveKey']);
     const hmacKey = await crypto.subtle.deriveKey({ name: 'HKDF', hash: 'SHA-512', salt: this.metadata.kdfSalt, info: UTF8.encode('hmac') }, initialSeed, { name: 'HMAC', hash: 'SHA-256', length: 512 }, false, ['sign']);
     const rootDirHash = await crypto.subtle.sign('HMAC', hmacKey, rootDirId);
     return base32.stringify(new Uint8Array(rootDirHash).slice(0, 20));
   }
 
-  public async encryptFile(content: Uint8Array, seedId: number): Promise<Uint8Array> {
+  public async encryptFile(content: Uint8Array<ArrayBuffer>, seedId: number): Promise<Uint8Array> {
     const seed = this.metadata.seeds.get(seedId);
     if (!seed) {
       throw new Error('Seed not found');
@@ -491,7 +491,7 @@ export class UniversalVaultFormat implements AccessTokenProducing, VaultTemplate
   }
 
   /** @inheritdoc */
-  public async encryptForUser(userPublicKey: CryptoKey | Uint8Array, isOwner?: boolean): Promise<string> {
+  public async encryptForUser(userPublicKey: CryptoKey | Uint8Array<ArrayBuffer>, isOwner?: boolean): Promise<string> {
     const payload: UvfAccessTokenPayload = {
       key: await this.memberKey.serializeKey(),
       recoveryKey: isOwner && this.recoveryKey.privateKey ? await this.recoveryKey.serializePrivateKey() : undefined
diff --git a/frontend/src/common/userdata.ts b/frontend/src/common/userdata.ts
index 04f1e3b58..3252ca4f0 100644
--- a/frontend/src/common/userdata.ts
+++ b/frontend/src/common/userdata.ts
@@ -65,12 +65,12 @@ class UserData {
    * 
    * @see UserDto.ecdhPublicKey
    */
-  public get ecdhPublicKey(): Promise<Uint8Array> {
+  public get ecdhPublicKey(): Promise<Uint8Array<ArrayBuffer>> {
     return this.me.then(me => {
       if (!me.ecdhPublicKey) {
         throw new Error('User not initialized.');
       }
-      return base64.parse(me.ecdhPublicKey);
+      return base64.parse(me.ecdhPublicKey).slice();
     });
   }
 
@@ -79,9 +79,9 @@ class UserData {
    * 
    * @see UserDto.ecdsaPublicKey
    */
-  public get ecdsaPublicKey(): Promise<Uint8Array | undefined> {
+  public get ecdsaPublicKey(): Promise<Uint8Array<ArrayBuffer> | undefined> {
     return this.me.then(me => {
-      return me.ecdsaPublicKey ? base64.parse(me.ecdsaPublicKey) : undefined;
+      return me.ecdsaPublicKey ? base64.parse(me.ecdsaPublicKey).slice() : undefined;
     });
   }
 
@@ -175,7 +175,7 @@ class UserData {
       me.ecdsaPublicKey = await userKeys.encodedEcdsaPublicKey();
       me.privateKeys = await userKeys.encryptWithSetupCode(setupCode);
       for (const device of me.devices) {
-        device.userPrivateKey = await userKeys.encryptForDevice(base64.parse(device.publicKey));
+        device.userPrivateKey = await userKeys.encryptForDevice(base64.parse(device.publicKey).slice());
       }
       await backend.users.putMe(me);
     }
diff --git a/frontend/src/common/util.ts b/frontend/src/common/util.ts
index b4213b5de..5c00c3be6 100644
--- a/frontend/src/common/util.ts
+++ b/frontend/src/common/util.ts
@@ -9,7 +9,7 @@ export class UTF8 {
    * @param data string to encode
    * @returns Uint8Array containing the UTF-8 NFC encoded string
    */
-  public static encode(data: string): Uint8Array {
+  public static encode(data: string): Uint8Array<ArrayBuffer> {
     return UTF8.encoder.encode(data.normalize('NFC'));
   }
 
diff --git a/frontend/test/common/universalVaultFormat.spec.ts b/frontend/test/common/universalVaultFormat.spec.ts
index 635c804f4..0498d965c 100644
--- a/frontend/test/common/universalVaultFormat.spec.ts
+++ b/frontend/test/common/universalVaultFormat.spec.ts
@@ -279,14 +279,14 @@ describe('UVF', () => {
       });
 
       it('computeRootDirIdHash() creates a truncated hmac', async () => {
-        const rootDirId = base64.parse('5WEGzwKkAHPwVSjT2Brr3P3zLz7oMiNpMn/qBvht7eM=');
+        const rootDirId = base64.parse('5WEGzwKkAHPwVSjT2Brr3P3zLz7oMiNpMn/qBvht7eM=').slice();
         const hash = await uvf.computeRootDirIdHash(rootDirId);
         expect(hash).to.have.a.lengthOf(32);
         expect(hash).to.eq('RZK7ZH7KBXULNEKBMGX3CU42PGUIAIX4');
       });
 
       it('encryptFile() creates some ciphertext', async () => {
-        const rootDirId = base64.parse('5WEGzwKkAHPwVSjT2Brr3P3zLz7oMiNpMn/qBvht7eM=');
+        const rootDirId = base64.parse('5WEGzwKkAHPwVSjT2Brr3P3zLz7oMiNpMn/qBvht7eM=').slice();
         const fileContent = await uvf.encryptFile(rootDirId, uvf.metadata.initialSeedId);
         expect(fileContent).to.have.a.lengthOf(128);
         expect(fileContent.slice(0, 4)).to.eql(new Uint8Array([0x75, 0x76, 0x66, 0x01])); // magic bytes

From 703d09239ef84dfcfac575a30fec76b4ad155b62 Mon Sep 17 00:00:00 2001
From: Sebastian Stenzel <sebastian.stenzel@skymatic.de>
Date: Wed, 5 Nov 2025 12:31:00 +0100
Subject: [PATCH 93/94] use `Uint8Array<ArrayBuffer>` (TS 5.7 adjustments)

see https://devblogs.microsoft.com/typescript/announcing-typescript-5-7/#support-for---target-es2024-and---lib-es2024
---
 frontend/src/common/jwe.ts | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)

diff --git a/frontend/src/common/jwe.ts b/frontend/src/common/jwe.ts
index 8d06c0a3d..8b1be4205 100644
--- a/frontend/src/common/jwe.ts
+++ b/frontend/src/common/jwe.ts
@@ -12,7 +12,7 @@ export class ConcatKDF {
    * @param otherInfo Optional context info binding the derived key to a key agreement (see e.g. RFC 7518, Section 4.6.2)
    * @returns key data
    */
-  public static async kdf(z: Uint8Array, keyDataLen: number, otherInfo: Uint8Array): Promise<Uint8Array> {
+  public static async kdf(z: Uint8Array, keyDataLen: number, otherInfo: Uint8Array): Promise<Uint8Array<ArrayBuffer>> {
     const hashLen = 32; // output length of SHA-256
     const reps = Math.ceil(keyDataLen / hashLen);
     if (reps >= 0xFFFFFFFF) {
@@ -46,6 +46,8 @@ export type JWEHeader = {
   p2c?: number,
   p2s?: string,
   jku?: string,
+  cty?: 'json',
+  crit?: string[],
   [other: string]: undefined | string | number | boolean | object; // allow further properties
 }
 
@@ -190,7 +192,7 @@ class EcdhRecipient extends Recipient {
   async decryptAndUnwrap(header: JWEHeader, encryptedKey: string): Promise<CryptoKey> {
     const wrappingKey = await this.decryptDirect(header, { name: 'AES-KW', length: 256 }, ['unwrapKey']);
     try {
-      return await crypto.subtle.unwrapKey('raw', base64url.parse(encryptedKey, { loose: true }), wrappingKey, 'AES-KW', { name: 'AES-GCM' }, false, ['decrypt']);
+      return await crypto.subtle.unwrapKey('raw', base64url.parse(encryptedKey, { loose: true }) as Uint8Array<ArrayBuffer>, wrappingKey, 'AES-KW', { name: 'AES-GCM' }, false, ['decrypt']);
     } catch (error) {
       throw new UnwrapKeyError(error);
     }
@@ -220,7 +222,7 @@ class A256kwRecipient extends Recipient {
       throw new Error('unsupported alg');
     }
     try {
-      return await crypto.subtle.unwrapKey('raw', base64url.parse(encryptedKey, { loose: true }), this.wrappingKey, 'AES-KW', { name: 'AES-GCM' }, false, ['decrypt']);
+      return await crypto.subtle.unwrapKey('raw', base64url.parse(encryptedKey, { loose: true }) as Uint8Array<ArrayBuffer>, this.wrappingKey, 'AES-KW', { name: 'AES-GCM' }, false, ['decrypt']);
     } catch (error) {
       throw new UnwrapKeyError(error);
     }
@@ -256,7 +258,7 @@ class Pbes2Recipient extends Recipient {
     const salt = base64url.parse(header.p2s, { loose: true });
     const wrappingKey = await PBES2.deriveWrappingKey(this.password, 'PBES2-HS512+A256KW', salt, header.p2c);
     try {
-      return await crypto.subtle.unwrapKey('raw', base64url.parse(encryptedKey, { loose: true }), wrappingKey, 'AES-KW', { name: 'AES-GCM' }, false, ['decrypt']);
+      return await crypto.subtle.unwrapKey('raw', base64url.parse(encryptedKey, { loose: true }) as Uint8Array<ArrayBuffer>, wrappingKey, 'AES-KW', { name: 'AES-GCM' }, false, ['decrypt']);
     } catch (error) {
       throw new UnwrapKeyError(error);
     }
@@ -377,7 +379,7 @@ export class EncryptedJWE {
     const cleartext = new Uint8Array(await crypto.subtle.decrypt(
       {
         name: 'AES-GCM',
-        iv: base64url.parse(this.iv, { loose: true }),
+        iv: base64url.parse(this.iv, { loose: true }) as Uint8Array<ArrayBuffer>,
         additionalData: UTF8.encode(this.protectedHeader),
         tagLength: 128
       },
@@ -402,7 +404,7 @@ export class EncryptedJWE {
 
 // visible for testing
 export class ECDH_ES {
-  private static async deriveRawKey(publicKey: CryptoKey, privateKey: CryptoKey, ecdhKeyBits: number, desiredKeyBytes: number, header: JWEHeader): Promise<Uint8Array> {
+  private static async deriveRawKey(publicKey: CryptoKey, privateKey: CryptoKey, ecdhKeyBits: number, desiredKeyBytes: number, header: JWEHeader): Promise<Uint8Array<ArrayBuffer>> {
     let agreedKey = new Uint8Array();
     try {
       const algOrEnc = header.alg === 'ECDH-ES' ? header.enc : header.alg; // see definition of AlgorithmID in RFC 7518, Section 4.6.2

From ce24d916dbe4348b01a31b5746abfc0f70819b8c Mon Sep 17 00:00:00 2001
From: Sebastian Stenzel <sebastian.stenzel@skymatic.de>
Date: Wed, 5 Nov 2025 12:31:16 +0100
Subject: [PATCH 94/94] add missing protected header params

---
 frontend/src/common/universalVaultFormat.ts | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/frontend/src/common/universalVaultFormat.ts b/frontend/src/common/universalVaultFormat.ts
index b0aad9737..99b259e2b 100644
--- a/frontend/src/common/universalVaultFormat.ts
+++ b/frontend/src/common/universalVaultFormat.ts
@@ -320,9 +320,14 @@ export class VaultMetadata {
    */
   public async encrypt(apiURL: string, vault: VaultDto, memberKey: MemberKey, recoveryKey: RecoveryKey): Promise<string> {
     const recoveryKeyID = `org.cryptomator.hub.recoverykey.${await getJwkThumbprintStr(recoveryKey.publicKey)}`;
+    // see https://github.com/encryption-alliance/unified-vault-format/tree/develop/vault%20metadata#jose-header
     const protectedHeader: JWEHeader = {
-      origin: `${apiURL}/vaults/${vault.id}/uvf/vault.uvf`,
-      jku: 'jwks.json' // URL relative to origin
+      // enc: 'A256GCM', // will be set by JWE.build()
+      cty: 'json',
+      crit: ['uvf.spec.version'],
+      'uvf.spec.version': 1,
+      'cloud.katta.origin': `${apiURL}/vaults/${vault.id}/uvf/vault.uvf`, // single source of truth for this vault
+      jku: 'jwks.json', // URL relative to cloud.katta.origin
     };
     const jwe = await JWE.build(this.payload(), protectedHeader).encrypt(Recipient.a256kw('org.cryptomator.hub.memberkey', memberKey.key), Recipient.ecdhEs(recoveryKeyID, recoveryKey.publicKey));
     const json = jwe.jsonSerialization();