From 54df346edac6788fd82e51d71fee146e2865a083 Mon Sep 17 00:00:00 2001
From: "Yann Esposito (Yogsototh)" <yann.esposito@gmail.com>
Date: Fri, 24 Dec 2021 11:37:51 +0100
Subject: [PATCH] update

---
 .gitignore                                    |    1 +
 .orgids                                       |    2 +-
 inbox.html                                    |  202 ++
 inbox.tmpixImQE.org                           |  126 --
 inbox.tmprVPMxB.org                           |  126 --
 inbox.tmpvFI9v8.org                           |  126 --
 journal.org                                   |   10 +-
 ...isco_ft_securex_registration.tmpFfE2le.org |  209 --
 ...isco_ft_securex_registration.tmpPTkv6L.org |  227 ---
 ...isco_ft_securex_registration.tmpajfMv6.org |  303 ---
 ...isco_ft_securex_registration.tmpzz9bMt.org |  304 ---
 notes/journal/2021/2021-11-06.org             |    2 +-
 notes/journal/2021/2021-11-07.org             |   12 +-
 notes/journal/2021/2021-11-08.org             |    4 +
 notes/journal/2021/2021-11-12.org             |   23 +-
 notes/mdph_recours.tmp7nDXAo.org              |  113 --
 notes/mdph_recours.tmpCYWwYS.org              |  117 --
 notes/mdph_recours.tmpcoDUQI.org              |  113 --
 notes/mdph_recours.tmpkI0rDy.org              |  116 --
 roam/org-roam.db                              |  Bin 421888 -> 442368 bytes
 tracker.tmp8YFKFI.org                         |  108 --
 tracker.tmpqvB1XT.org                         | 1717 -----------------
 tracker.tmprXn6OX.org                         | 1717 -----------------
 23 files changed, 241 insertions(+), 5437 deletions(-)
 create mode 100644 inbox.html
 delete mode 100644 inbox.tmpixImQE.org
 delete mode 100644 inbox.tmprVPMxB.org
 delete mode 100644 inbox.tmpvFI9v8.org
 delete mode 100644 notes/cisco_ft_securex_registration.tmpFfE2le.org
 delete mode 100644 notes/cisco_ft_securex_registration.tmpPTkv6L.org
 delete mode 100644 notes/cisco_ft_securex_registration.tmpajfMv6.org
 delete mode 100644 notes/cisco_ft_securex_registration.tmpzz9bMt.org
 delete mode 100644 notes/mdph_recours.tmp7nDXAo.org
 delete mode 100644 notes/mdph_recours.tmpCYWwYS.org
 delete mode 100644 notes/mdph_recours.tmpcoDUQI.org
 delete mode 100644 notes/mdph_recours.tmpkI0rDy.org
 delete mode 100644 tracker.tmp8YFKFI.org
 delete mode 100644 tracker.tmpqvB1XT.org
 delete mode 100644 tracker.tmprXn6OX.org

diff --git a/.gitignore b/.gitignore
index 19cd85fe..58882482 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,6 +1,7 @@
 ltximg
 HWP/
 .*.icloud
+*.tmp*.org
 .stack-work/
 ._*
 reveal.js/
diff --git a/.orgids b/.orgids
index 59145201..bbdf49ac 100644
--- a/.orgids
+++ b/.orgids
@@ -1,2 +1,2 @@
 
-(("../Library/Mobile Documents/iCloud~com~appsonthemove~beorg/Documents/org/notes/how_to_speak.org" "4ad5f64e-c330-4f36-8f8a-d82a1ae993a0") ("../Library/Mobile Documents/iCloud~com~appsonthemove~beorg/Documents/org/notes/interview_certification.org" "93027c33-dcf8-4bda-8aee-60f507e0ff4a") ("../y/her.esy.fun/src/posts/0019-utopia-tv-show/index.org" "88e25182-ee54-4d2e-b373-b4e06fc292c8") ("../y/her.esy.fun/src/posts/0013-how-to-choose-your-tools/index.org" "c2e61938-8493-434a-9ffa-9fd4698d9863") ("../Library/Mobile Documents/iCloud~com~appsonthemove~beorg/Documents/org/notes/cisco_team_history.org" "e3296579-2f2e-4f23-92e2-1ce9fef6fe04") ("../Library/Mobile Documents/iCloud~com~appsonthemove~beorg/Documents/org/notes/customer_manager.org" "99fd9444-ae5d-4d51-a295-a936fc01928a") ("../Library/Mobile Documents/iCloud~com~appsonthemove~beorg/Documents/org/archives/TODO.archive.org" "797ba971-6ae3-49a1-9499-928572760d09" "B72E4288-E96B-4099-8684-37DDF3395C50" "96343FD2-E7A9-4AAA-A40A-8D048DA340E9") ("../Library/Mobile Documents/iCloud~com~appsonthemove~beorg/Documents/org/inbox.org" "9207b53a-e38e-4996-abc6-140c31f2960a" "a4ebd43b-b589-499e-85e1-7ebea0abf3af" "2110820C-4877-40B3-A351-2DEDE0F222C6" "90110976-520D-4B0C-B1D9-3798323C370E" "49981B50-AFBD-4C93-A9C2-8D88550AB425" "8B092321-BA1F-47F9-A927-76D2E232CF51" "1644E007-AFBE-4F4B-9307-B007C60548E8") ("../Library/Mobile Documents/iCloud~com~appsonthemove~beorg/Documents/org/notes/artificial_life_game_approach.org" "8a37b5d3-8ee5-45cd-8c32-021b8d42210f"))
+(("../Library/Mobile Documents/iCloud~com~appsonthemove~beorg/Documents/org/inbox.org" "1644E007-AFBE-4F4B-9307-B007C60548E8" "8B092321-BA1F-47F9-A927-76D2E232CF51" "49981B50-AFBD-4C93-A9C2-8D88550AB425" "90110976-520D-4B0C-B1D9-3798323C370E" "2110820C-4877-40B3-A351-2DEDE0F222C6" "a4ebd43b-b589-499e-85e1-7ebea0abf3af" "9207b53a-e38e-4996-abc6-140c31f2960a") ("../Library/Mobile Documents/iCloud~com~appsonthemove~beorg/Documents/org/archives/TODO.archive.org" "96343FD2-E7A9-4AAA-A40A-8D048DA340E9" "B72E4288-E96B-4099-8684-37DDF3395C50" "797ba971-6ae3-49a1-9499-928572760d09") ("../Library/Mobile Documents/iCloud~com~appsonthemove~beorg/Documents/org/notes/artificial_life_game_approach.org" "8a37b5d3-8ee5-45cd-8c32-021b8d42210f") ("../Library/Mobile Documents/iCloud~com~appsonthemove~beorg/Documents/org/notes/customer_manager.org" "99fd9444-ae5d-4d51-a295-a936fc01928a") ("../Library/Mobile Documents/iCloud~com~appsonthemove~beorg/Documents/org/notes/cisco_team_history.org" "e3296579-2f2e-4f23-92e2-1ce9fef6fe04") ("../y/her.esy.fun/src/posts/0013-how-to-choose-your-tools/index.org" "c2e61938-8493-434a-9ffa-9fd4698d9863") ("../y/her.esy.fun/src/posts/0019-utopia-tv-show/index.org" "88e25182-ee54-4d2e-b373-b4e06fc292c8") ("../Library/Mobile Documents/iCloud~com~appsonthemove~beorg/Documents/org/notes/interview_certification.org" "93027c33-dcf8-4bda-8aee-60f507e0ff4a") ("../Library/Mobile Documents/iCloud~com~appsonthemove~beorg/Documents/org/notes/how_to_speak.org" "4ad5f64e-c330-4f36-8f8a-d82a1ae993a0") ("../Library/Mobile Documents/iCloud~com~appsonthemove~beorg/Documents/org/notes/cisco_ft_securex_registration.org" "1208f09c-d37d-4e6b-9110-151f3c6b7d34"))
diff --git a/inbox.html b/inbox.html
new file mode 100644
index 00000000..9546522e
--- /dev/null
+++ b/inbox.html
@@ -0,0 +1,202 @@
+<!DOCTYPE html>
+<html xmlns="http://www.w3.org/1999/xhtml" lang="" xml:lang="">
+<head>
+  <meta charset="utf-8" />
+  <meta name="generator" content="pandoc" />
+  <meta name="viewport" content="width=device-width, initial-scale=1.0, user-scalable=yes" />
+  <meta name="author" content="Yann Esposito" />
+  <title>TODO</title>
+  <style>
+    html {
+      line-height: 1.5;
+      font-family: Georgia, serif;
+      font-size: 20px;
+      color: #1a1a1a;
+      background-color: #fdfdfd;
+    }
+    body {
+      margin: 0 auto;
+      max-width: 36em;
+      padding-left: 50px;
+      padding-right: 50px;
+      padding-top: 50px;
+      padding-bottom: 50px;
+      hyphens: auto;
+      word-wrap: break-word;
+      text-rendering: optimizeLegibility;
+      font-kerning: normal;
+    }
+    @media (max-width: 600px) {
+      body {
+        font-size: 0.9em;
+        padding: 1em;
+      }
+    }
+    @media print {
+      body {
+        background-color: transparent;
+        color: black;
+        font-size: 12pt;
+      }
+      p, h2, h3 {
+        orphans: 3;
+        widows: 3;
+      }
+      h2, h3, h4 {
+        page-break-after: avoid;
+      }
+    }
+    p {
+      margin: 1em 0;
+    }
+    a {
+      color: #1a1a1a;
+    }
+    a:visited {
+      color: #1a1a1a;
+    }
+    img {
+      max-width: 100%;
+    }
+    h1, h2, h3, h4, h5, h6 {
+      margin-top: 1.4em;
+    }
+    h5, h6 {
+      font-size: 1em;
+      font-style: italic;
+    }
+    h6 {
+      font-weight: normal;
+    }
+    ol, ul {
+      padding-left: 1.7em;
+      margin-top: 1em;
+    }
+    li > ol, li > ul {
+      margin-top: 0;
+    }
+    blockquote {
+      margin: 1em 0 1em 1.7em;
+      padding-left: 1em;
+      border-left: 2px solid #e6e6e6;
+      color: #606060;
+    }
+    code {
+      font-family: Menlo, Monaco, 'Lucida Console', Consolas, monospace;
+      font-size: 85%;
+      margin: 0;
+    }
+    pre {
+      margin: 1em 0;
+      overflow: auto;
+    }
+    pre code {
+      padding: 0;
+      overflow: visible;
+    }
+    .sourceCode {
+     background-color: transparent;
+     overflow: visible;
+    }
+    hr {
+      background-color: #1a1a1a;
+      border: none;
+      height: 1px;
+      margin: 1em 0;
+    }
+    table {
+      margin: 1em 0;
+      border-collapse: collapse;
+      width: 100%;
+      overflow-x: auto;
+      display: block;
+      font-variant-numeric: lining-nums tabular-nums;
+    }
+    table caption {
+      margin-bottom: 0.75em;
+    }
+    tbody {
+      margin-top: 0.5em;
+      border-top: 1px solid #1a1a1a;
+      border-bottom: 1px solid #1a1a1a;
+    }
+    th {
+      border-top: 1px solid #1a1a1a;
+      padding: 0.25em 0.5em 0.25em 0.5em;
+    }
+    td {
+      padding: 0.125em 0.5em 0.25em 0.5em;
+    }
+    header {
+      margin-bottom: 4em;
+      text-align: center;
+    }
+    #TOC li {
+      list-style: none;
+    }
+    #TOC a:not(:hover) {
+      text-decoration: none;
+    }
+    code{white-space: pre-wrap;}
+    span.smallcaps{font-variant: small-caps;}
+    span.underline{text-decoration: underline;}
+    div.column{display: inline-block; vertical-align: top; width: 50%;}
+    div.hanging-indent{margin-left: 1.5em; text-indent: -1.5em;}
+    ul.task-list{list-style: none;}
+  </style>
+  <!--[if lt IE 9]>
+    <script src="//cdnjs.cloudflare.com/ajax/libs/html5shiv/3.7.3/html5shiv-printshiv.min.js"></script>
+  <![endif]-->
+</head>
+<body>
+<header id="title-block-header">
+<h1 class="title">TODO</h1>
+<p class="author">Yann Esposito</p>
+</header>
+<h1 id="réponse-mdph"><span class="todo TODO">TODO</span> Réponse MDPH</h1>
+<p>[2021-12-22 Wed 14:44]</p>
+<dl>
+<dt>ref</dt>
+<dd>
+</dd>
+</dl>
+<p>Depuis la création du dossier MDPH la situation de ma fille les angoisses de ma filles se sont agravées et nous investigons les moyen de l'aider à s'autonomiser avec l'aide d'un chien d'assistance.</p>
+<p>Ils nous semble que sa situation actuelle justifie un handicap de 80% ou plus.</p>
+<p>Tout d'abord, nous avons obtenu une AND à 100% de la sécurité sociale (ci-joins ses attestations de l'assurance maladie). De plus il faut vraiment comprendre que même sans affection physique, ma fille est dans l'incapacité d'accomplir certains actes de la vie quotidienne en société sans ses parents.</p>
+<p>Soyons clair, une crise d'angoisse de ma fille se caractérise tout d'abord par ce qui est courant en crise d'angoisse, mais la plupart elle monte, jusqu'à une incapacité totale de maîtrise d'elle-même. Elle se recroqueville, elle pleure, elle n'entend ni ne vois ce qui se passe autour d'elle. Parfois il lui arrive de tomber avec ses muscles qui se relachent.</p>
+<p>Les crises sont provoqués par:</p>
+<ul>
+<li>un inconnu qui la touche (par exemple, un enfant a voulu toucher sa peluche et s'est gentillement jeté sur ma fille. Elle a eu une réaction d'angoisse totalement inattendue.)</li>
+<li>voir trop de monde</li>
+<li>trop de bruit</li>
+<li>trop de lumière</li>
+<li>l'approche d'un lycée ou d'un collège</li>
+</ul>
+<p>Parfois, elle peut arriver à se concentrer quelques minutes même dans un environnement sensoriellement difficile. Mais elle ne peut maintenir cette maîtrise de soit pendant plus de quelques minutes. Imaginez simplement qu'attendre dans une file d'attente pendant des courses peut pour elle être un calvaire, et si celà dure trop longtemps, il n'y a pas d'autre choix que de sortir du magasin en laissant le caddie en place pour retourner dans la voiture.</p>
+<p>Depuis ces derniers mois, elle n'est jamais seule sans un adulte qui lui est familié. Elle ne s'éloigne jamais à plus de quelques mètre des personnes de son entourage.</p>
+<p>Comme précisé dans le document CNSA sur le guide de l'éligibilité PCH.</p>
+<blockquote>
+<p>Dès lors que la personne n'est pas en capacité d'initier seule l'activité concernée et qu'en abscence de stimulation, l'activité ou l'acte n'est pas réalisé, la difficulté est considérée comme absolue.</p>
+</blockquote>
+<p>Et c'est bien de celà qu'il s'agit pour notre fille. Sans notre appuis, elle n'est pas en capacité de répondre aux changements innattendus de sa routine. Elle n'est pas du tout capable de prendre l'initiative d'aller faire des courses pour se faire à manger. Elle n'est pas capable d'entrer dans un transport en commun.</p>
+<p>Elle est aussi incapable d'entrer dans des lieux scolaire public ou privé ordinaire car ils sont trop bruyant, trop stressants. Nous avons essayer de garder notre fille à la maison pendant cette année de confinement. Mais ce fut un désastre pour ses résultats scolaire mais surtout pour sa capacité à avoir une vie sociale. Nous avons pu trouver un lieu scolaire avec de petits effectifs. Sachant que même dans cet établissement à faible effectif, elle n'est capable d'entrer dans la classe qu'environ 2 à 3 demi-journée par semaine. Notre fille fait chaque jour des efforts considérables pour entrer dans ce lieu avec pour premier objectif retrouver un environnement où elle pourra socialiser. Et en second lieu ne pas décrocher sur ses études. Anna est une élève douée, mais elle a des difficultés simplement à envoyer un devoir qu'elle a fini à cause de l'angoisse de la note et du jugement.</p>
+<p>Le plan que nous avons établi avec les soignants qui la suivent sont:</p>
+<ol>
+<li>Des soins pour diminuer ses angoisses et controller ses crises</li>
+<li>Accompagner son autonomie avec l'aide d'un chien d'assistance qui nous l'espérons pourrait lui permettre d'avoir un rythme qui la socialise et la rassure dans des espaces qui lui sont aujourd'huis interdit sans un accompagnement parental.</li>
+<li>Continuer à la socialisé en continuant à l'accompagner dans ses études via une école à petit effectif.</li>
+</ol>
+<p>Soyons clair, les difficultés auxquelles fait face notre fille dans l'environnement social sont absolues.</p>
+<p>Elle ne réalise jamais aucune de ses action de façon spontanée. Il faut que ce soit un des parent qui la pousse à sortir. Celà entrave de façon majeure sa vie quotidienne.</p>
+<p>Actuellement pour nous, il est essentiel que l'on puisse octroyer à notre fille un chien d'assistance. Elle a déjà réagit très positivement à cette idée. Elle espère pouvoir sortir le chien sans un adulte qui l'accompagnerait. Les critères pour l'obtention d'un chien d'assistance, sont:</p>
+<p>Un handicap reconnu &gt; à 50% et avoir une Carte Mobilité Inclusion. Il ne nous semble pas du tout exagérer de considérer que ses difficultés actuelles sont absolues et donc bien au delà des 80%. Elle est incapable d'amorcer d'elle même tout geste quotidien qui inclueraient des inconnus dans sa routine.</p>
+<ul>
+<li>Prendre des transports en commun</li>
+<li>Aller dans un lieu d'enseignement public</li>
+<li>Faire des courses</li>
+<li>Conduire</li>
+<li>Faire une simple balade dans la nature</li>
+</ul>
+<p>Je comprends qu'il soit difficile d'imaginer qu'une personne sans invalidité physique ni déficience mentale grave soit à se point handicapée dans son quotidient. Mais je vous supplie de croire qu'elle est très seule et très isolée. Même dans son école, il est très difficile pour elle d'établir des relations avec des jeunes de son age. Elle a beaucoup de mal à parler avec inconnu même avec un parent proche d'elle. Elle ne peut pas exemple pas dire à une serveuse ce qu'elle désire, elle le dit à un parent qui répètera.</p>
+</body>
+</html>
diff --git a/inbox.tmpixImQE.org b/inbox.tmpixImQE.org
deleted file mode 100644
index 71058c6e..00000000
--- a/inbox.tmpixImQE.org
+++ /dev/null
@@ -1,126 +0,0 @@
-# Created 2021-12-22 Wed 15:19
-#+title: TODO
-#+author: Yann Esposito
-* TODO Réponse MDPH
-[2021-12-22 Wed 14:44]
-- ref :: 
-
-Depuis la création du dossier MDPH la situation de ma fille les angoisses
-de ma filles se sont agravées et nous investigons les moyen de l'aider à
-s'autonomiser avec l'aide d'un chien d'assistance.
-
-Ils nous semble que sa situation actuelle justifie un handicap de 80% ou
-plus.
-
-Tout d'abord, nous avons obtenu une AND à 100% de la sécurité sociale
-(ci-joins ses attestations de l'assurance maladie).
-De plus il faut vraiment comprendre que même sans affection physique, ma
-fille est dans l'incapacité d'accomplir certains actes de la vie
-quotidienne en société sans ses parents.
-
-Soyons clair, une crise d'angoisse de ma fille se caractérise tout d'abord
-par ce qui est courant en crise d'angoisse, mais la plupart elle monte,
-jusqu'à une incapacité totale de maîtrise d'elle-même.
-Elle se recroqueville, elle pleure, elle n'entend ni ne vois ce qui se
-passe autour d'elle. Parfois il lui arrive de tomber avec ses muscles qui
-se relachent.
-
-Les crises sont provoqués par:
-
-- un inconnu qui la touche (par exemple, un enfant a voulu toucher sa
-  peluche et s'est gentillement jeté sur ma fille. Elle a eu une réaction
-  d'angoisse totalement inattendue.)
-- voir trop de monde
-- trop de bruit
-- trop de lumière
-- l'approche d'un lycée ou d'un collège
-
-Parfois, elle peut arriver à se concentrer quelques minutes même dans un
-environnement sensoriellement difficile. Mais elle ne peut maintenir cette
-maîtrise de soit pendant plus de quelques minutes.
-Imaginez simplement qu'attendre dans une file d'attente pendant des courses
-peut pour elle être un calvaire, et si celà dure trop longtemps, il n'y a
-pas d'autre choix que de sortir du magasin en laissant le caddie en place
-pour retourner dans la voiture.
-
-Depuis ces derniers mois, elle n'est jamais seule sans un adulte qui lui
-est familié.
-Elle ne s'éloigne jamais à plus de quelques mètre des personnes de son
-entourage.
-
-Comme précisé dans le document CNSA sur le guide de l'éligibilité PCH.
-
-#+begin_quote
-Dès lors que la personne n'est pas en capacité d'initier seule l'activité
-concernée et qu'en abscence de stimulation, l'activité ou l'acte n'est pas
-réalisé, la difficulté est considérée comme absolue.
-#+end_quote
-
-Et c'est bien de celà qu'il s'agit pour notre fille.
-Sans notre appuis, elle n'est pas en capacité de répondre aux changements
-innattendus de sa routine.
-Elle n'est pas du tout capable de prendre l'initiative d'aller faire des
-courses pour se faire à manger.
-Elle n'est pas capable d'entrer dans un transport en commun.
-
-Elle est aussi incapable d'entrer dans des lieux scolaire public ou privé
-ordinaire car ils sont trop bruyant, trop stressants.
-Nous avons essayer de garder notre fille à la maison pendant cette année de
-confinement.
-Mais ce fut un désastre pour ses résultats scolaire mais surtout pour sa
-capacité à avoir une vie sociale.
-Nous avons pu trouver un lieu scolaire avec de petits effectifs. Sachant
-que même dans cet établissement à faible effectif, elle n'est capable
-d'entrer dans la classe qu'environ 2 à 3 demi-journée par semaine.
-Notre fille fait chaque jour des efforts considérables pour entrer dans ce
-lieu avec pour premier objectif retrouver un environnement où elle pourra
-socialiser.
-Et en second lieu ne pas décrocher sur ses études.
-Anna est une élève douée, mais elle a des difficultés simplement à envoyer
-un devoir qu'elle a fini à cause de l'angoisse de la note et du jugement.
-
-Le plan que nous avons établi avec les soignants qui la suivent sont:
-
-1. Des soins pour diminuer ses angoisses et controller ses crises
-2. Accompagner son autonomie avec l'aide d'un chien d'assistance qui nous
-   l'espérons pourrait lui permettre d'avoir un rythme qui la socialise et
-   la rassure dans des espaces qui lui sont aujourd'huis interdit sans un
-   accompagnement parental.
-3. Continuer à la socialisé en continuant à l'accompagner dans ses études
-   via une école à petit effectif.
-
-
-Soyons clair, les difficultés auxquelles fait face notre fille dans
-l'environnement social sont absolues.
-
-Elle ne réalise jamais aucune de ses action de façon spontanée.
-Il faut que ce soit un des parent qui la pousse à sortir.
-Celà entrave de façon majeure sa vie quotidienne.
-
-Actuellement pour nous, il est essentiel que l'on puisse octroyer à notre
-fille un chien d'assistance.
-Elle a déjà réagit très positivement à cette idée.
-Elle espère pouvoir sortir le chien sans un adulte qui l'accompagnerait.
-Les critères pour l'obtention d'un chien d'assistance, sont:
-
-Un handicap reconnu > à 50% et avoir une Carte Mobilité Inclusion.
-Il ne nous semble pas du tout exagérer de considérer que ses difficultés
-actuelles sont absolues et donc bien au delà des 80%.
-Elle est incapable d'amorcer d'elle même tout geste quotidien qui
-inclueraient des inconnus dans sa routine.
-- Prendre des transports en commun
-- Aller dans un lieu d'enseignement public
-- Faire des courses
-- Conduire
-- Faire une simple balade dans la nature
-
-Je comprends qu'il soit difficile d'imaginer qu'une personne sans
-invalidité physique ni déficience mentale grave soit à se point handicapée
-dans son quotidient.
-Mais je vous supplie de croire qu'elle est très seule et très isolée.
-Même dans son école, il est très difficile pour elle d'établir des
-relations avec des jeunes de son age.
-Elle a beaucoup de mal à parler avec inconnu même avec un parent proche
-d'elle.
-Elle ne peut pas exemple pas dire à une serveuse ce qu'elle désire, elle le
-dit à un parent qui répètera.
diff --git a/inbox.tmprVPMxB.org b/inbox.tmprVPMxB.org
deleted file mode 100644
index 71058c6e..00000000
--- a/inbox.tmprVPMxB.org
+++ /dev/null
@@ -1,126 +0,0 @@
-# Created 2021-12-22 Wed 15:19
-#+title: TODO
-#+author: Yann Esposito
-* TODO Réponse MDPH
-[2021-12-22 Wed 14:44]
-- ref :: 
-
-Depuis la création du dossier MDPH la situation de ma fille les angoisses
-de ma filles se sont agravées et nous investigons les moyen de l'aider à
-s'autonomiser avec l'aide d'un chien d'assistance.
-
-Ils nous semble que sa situation actuelle justifie un handicap de 80% ou
-plus.
-
-Tout d'abord, nous avons obtenu une AND à 100% de la sécurité sociale
-(ci-joins ses attestations de l'assurance maladie).
-De plus il faut vraiment comprendre que même sans affection physique, ma
-fille est dans l'incapacité d'accomplir certains actes de la vie
-quotidienne en société sans ses parents.
-
-Soyons clair, une crise d'angoisse de ma fille se caractérise tout d'abord
-par ce qui est courant en crise d'angoisse, mais la plupart elle monte,
-jusqu'à une incapacité totale de maîtrise d'elle-même.
-Elle se recroqueville, elle pleure, elle n'entend ni ne vois ce qui se
-passe autour d'elle. Parfois il lui arrive de tomber avec ses muscles qui
-se relachent.
-
-Les crises sont provoqués par:
-
-- un inconnu qui la touche (par exemple, un enfant a voulu toucher sa
-  peluche et s'est gentillement jeté sur ma fille. Elle a eu une réaction
-  d'angoisse totalement inattendue.)
-- voir trop de monde
-- trop de bruit
-- trop de lumière
-- l'approche d'un lycée ou d'un collège
-
-Parfois, elle peut arriver à se concentrer quelques minutes même dans un
-environnement sensoriellement difficile. Mais elle ne peut maintenir cette
-maîtrise de soit pendant plus de quelques minutes.
-Imaginez simplement qu'attendre dans une file d'attente pendant des courses
-peut pour elle être un calvaire, et si celà dure trop longtemps, il n'y a
-pas d'autre choix que de sortir du magasin en laissant le caddie en place
-pour retourner dans la voiture.
-
-Depuis ces derniers mois, elle n'est jamais seule sans un adulte qui lui
-est familié.
-Elle ne s'éloigne jamais à plus de quelques mètre des personnes de son
-entourage.
-
-Comme précisé dans le document CNSA sur le guide de l'éligibilité PCH.
-
-#+begin_quote
-Dès lors que la personne n'est pas en capacité d'initier seule l'activité
-concernée et qu'en abscence de stimulation, l'activité ou l'acte n'est pas
-réalisé, la difficulté est considérée comme absolue.
-#+end_quote
-
-Et c'est bien de celà qu'il s'agit pour notre fille.
-Sans notre appuis, elle n'est pas en capacité de répondre aux changements
-innattendus de sa routine.
-Elle n'est pas du tout capable de prendre l'initiative d'aller faire des
-courses pour se faire à manger.
-Elle n'est pas capable d'entrer dans un transport en commun.
-
-Elle est aussi incapable d'entrer dans des lieux scolaire public ou privé
-ordinaire car ils sont trop bruyant, trop stressants.
-Nous avons essayer de garder notre fille à la maison pendant cette année de
-confinement.
-Mais ce fut un désastre pour ses résultats scolaire mais surtout pour sa
-capacité à avoir une vie sociale.
-Nous avons pu trouver un lieu scolaire avec de petits effectifs. Sachant
-que même dans cet établissement à faible effectif, elle n'est capable
-d'entrer dans la classe qu'environ 2 à 3 demi-journée par semaine.
-Notre fille fait chaque jour des efforts considérables pour entrer dans ce
-lieu avec pour premier objectif retrouver un environnement où elle pourra
-socialiser.
-Et en second lieu ne pas décrocher sur ses études.
-Anna est une élève douée, mais elle a des difficultés simplement à envoyer
-un devoir qu'elle a fini à cause de l'angoisse de la note et du jugement.
-
-Le plan que nous avons établi avec les soignants qui la suivent sont:
-
-1. Des soins pour diminuer ses angoisses et controller ses crises
-2. Accompagner son autonomie avec l'aide d'un chien d'assistance qui nous
-   l'espérons pourrait lui permettre d'avoir un rythme qui la socialise et
-   la rassure dans des espaces qui lui sont aujourd'huis interdit sans un
-   accompagnement parental.
-3. Continuer à la socialisé en continuant à l'accompagner dans ses études
-   via une école à petit effectif.
-
-
-Soyons clair, les difficultés auxquelles fait face notre fille dans
-l'environnement social sont absolues.
-
-Elle ne réalise jamais aucune de ses action de façon spontanée.
-Il faut que ce soit un des parent qui la pousse à sortir.
-Celà entrave de façon majeure sa vie quotidienne.
-
-Actuellement pour nous, il est essentiel que l'on puisse octroyer à notre
-fille un chien d'assistance.
-Elle a déjà réagit très positivement à cette idée.
-Elle espère pouvoir sortir le chien sans un adulte qui l'accompagnerait.
-Les critères pour l'obtention d'un chien d'assistance, sont:
-
-Un handicap reconnu > à 50% et avoir une Carte Mobilité Inclusion.
-Il ne nous semble pas du tout exagérer de considérer que ses difficultés
-actuelles sont absolues et donc bien au delà des 80%.
-Elle est incapable d'amorcer d'elle même tout geste quotidien qui
-inclueraient des inconnus dans sa routine.
-- Prendre des transports en commun
-- Aller dans un lieu d'enseignement public
-- Faire des courses
-- Conduire
-- Faire une simple balade dans la nature
-
-Je comprends qu'il soit difficile d'imaginer qu'une personne sans
-invalidité physique ni déficience mentale grave soit à se point handicapée
-dans son quotidient.
-Mais je vous supplie de croire qu'elle est très seule et très isolée.
-Même dans son école, il est très difficile pour elle d'établir des
-relations avec des jeunes de son age.
-Elle a beaucoup de mal à parler avec inconnu même avec un parent proche
-d'elle.
-Elle ne peut pas exemple pas dire à une serveuse ce qu'elle désire, elle le
-dit à un parent qui répètera.
diff --git a/inbox.tmpvFI9v8.org b/inbox.tmpvFI9v8.org
deleted file mode 100644
index 71058c6e..00000000
--- a/inbox.tmpvFI9v8.org
+++ /dev/null
@@ -1,126 +0,0 @@
-# Created 2021-12-22 Wed 15:19
-#+title: TODO
-#+author: Yann Esposito
-* TODO Réponse MDPH
-[2021-12-22 Wed 14:44]
-- ref :: 
-
-Depuis la création du dossier MDPH la situation de ma fille les angoisses
-de ma filles se sont agravées et nous investigons les moyen de l'aider à
-s'autonomiser avec l'aide d'un chien d'assistance.
-
-Ils nous semble que sa situation actuelle justifie un handicap de 80% ou
-plus.
-
-Tout d'abord, nous avons obtenu une AND à 100% de la sécurité sociale
-(ci-joins ses attestations de l'assurance maladie).
-De plus il faut vraiment comprendre que même sans affection physique, ma
-fille est dans l'incapacité d'accomplir certains actes de la vie
-quotidienne en société sans ses parents.
-
-Soyons clair, une crise d'angoisse de ma fille se caractérise tout d'abord
-par ce qui est courant en crise d'angoisse, mais la plupart elle monte,
-jusqu'à une incapacité totale de maîtrise d'elle-même.
-Elle se recroqueville, elle pleure, elle n'entend ni ne vois ce qui se
-passe autour d'elle. Parfois il lui arrive de tomber avec ses muscles qui
-se relachent.
-
-Les crises sont provoqués par:
-
-- un inconnu qui la touche (par exemple, un enfant a voulu toucher sa
-  peluche et s'est gentillement jeté sur ma fille. Elle a eu une réaction
-  d'angoisse totalement inattendue.)
-- voir trop de monde
-- trop de bruit
-- trop de lumière
-- l'approche d'un lycée ou d'un collège
-
-Parfois, elle peut arriver à se concentrer quelques minutes même dans un
-environnement sensoriellement difficile. Mais elle ne peut maintenir cette
-maîtrise de soit pendant plus de quelques minutes.
-Imaginez simplement qu'attendre dans une file d'attente pendant des courses
-peut pour elle être un calvaire, et si celà dure trop longtemps, il n'y a
-pas d'autre choix que de sortir du magasin en laissant le caddie en place
-pour retourner dans la voiture.
-
-Depuis ces derniers mois, elle n'est jamais seule sans un adulte qui lui
-est familié.
-Elle ne s'éloigne jamais à plus de quelques mètre des personnes de son
-entourage.
-
-Comme précisé dans le document CNSA sur le guide de l'éligibilité PCH.
-
-#+begin_quote
-Dès lors que la personne n'est pas en capacité d'initier seule l'activité
-concernée et qu'en abscence de stimulation, l'activité ou l'acte n'est pas
-réalisé, la difficulté est considérée comme absolue.
-#+end_quote
-
-Et c'est bien de celà qu'il s'agit pour notre fille.
-Sans notre appuis, elle n'est pas en capacité de répondre aux changements
-innattendus de sa routine.
-Elle n'est pas du tout capable de prendre l'initiative d'aller faire des
-courses pour se faire à manger.
-Elle n'est pas capable d'entrer dans un transport en commun.
-
-Elle est aussi incapable d'entrer dans des lieux scolaire public ou privé
-ordinaire car ils sont trop bruyant, trop stressants.
-Nous avons essayer de garder notre fille à la maison pendant cette année de
-confinement.
-Mais ce fut un désastre pour ses résultats scolaire mais surtout pour sa
-capacité à avoir une vie sociale.
-Nous avons pu trouver un lieu scolaire avec de petits effectifs. Sachant
-que même dans cet établissement à faible effectif, elle n'est capable
-d'entrer dans la classe qu'environ 2 à 3 demi-journée par semaine.
-Notre fille fait chaque jour des efforts considérables pour entrer dans ce
-lieu avec pour premier objectif retrouver un environnement où elle pourra
-socialiser.
-Et en second lieu ne pas décrocher sur ses études.
-Anna est une élève douée, mais elle a des difficultés simplement à envoyer
-un devoir qu'elle a fini à cause de l'angoisse de la note et du jugement.
-
-Le plan que nous avons établi avec les soignants qui la suivent sont:
-
-1. Des soins pour diminuer ses angoisses et controller ses crises
-2. Accompagner son autonomie avec l'aide d'un chien d'assistance qui nous
-   l'espérons pourrait lui permettre d'avoir un rythme qui la socialise et
-   la rassure dans des espaces qui lui sont aujourd'huis interdit sans un
-   accompagnement parental.
-3. Continuer à la socialisé en continuant à l'accompagner dans ses études
-   via une école à petit effectif.
-
-
-Soyons clair, les difficultés auxquelles fait face notre fille dans
-l'environnement social sont absolues.
-
-Elle ne réalise jamais aucune de ses action de façon spontanée.
-Il faut que ce soit un des parent qui la pousse à sortir.
-Celà entrave de façon majeure sa vie quotidienne.
-
-Actuellement pour nous, il est essentiel que l'on puisse octroyer à notre
-fille un chien d'assistance.
-Elle a déjà réagit très positivement à cette idée.
-Elle espère pouvoir sortir le chien sans un adulte qui l'accompagnerait.
-Les critères pour l'obtention d'un chien d'assistance, sont:
-
-Un handicap reconnu > à 50% et avoir une Carte Mobilité Inclusion.
-Il ne nous semble pas du tout exagérer de considérer que ses difficultés
-actuelles sont absolues et donc bien au delà des 80%.
-Elle est incapable d'amorcer d'elle même tout geste quotidien qui
-inclueraient des inconnus dans sa routine.
-- Prendre des transports en commun
-- Aller dans un lieu d'enseignement public
-- Faire des courses
-- Conduire
-- Faire une simple balade dans la nature
-
-Je comprends qu'il soit difficile d'imaginer qu'une personne sans
-invalidité physique ni déficience mentale grave soit à se point handicapée
-dans son quotidient.
-Mais je vous supplie de croire qu'elle est très seule et très isolée.
-Même dans son école, il est très difficile pour elle d'établir des
-relations avec des jeunes de son age.
-Elle a beaucoup de mal à parler avec inconnu même avec un parent proche
-d'elle.
-Elle ne peut pas exemple pas dire à une serveuse ce qu'elle désire, elle le
-dit à un parent qui répètera.
diff --git a/journal.org b/journal.org
index 4ed3f945..102e4579 100644
--- a/journal.org
+++ b/journal.org
@@ -1,13 +1,9 @@
-
-
 * 2021
-
 ** 2021-08 August
-
 *** 2021-08-31 Tuesday
-
 ** 2021-09 September
-
 *** 2021-09-22 Wednesday
-
 *** 2021-09-23 Thursday
+*
+* MDPH Anna
+Merci de considérer que l'obtention d'une CMI sera critique pour que notre fille puisse obtenir un chien d'assistance qui dan s l'état actuel nous semble indispensable pour qu'elle puisse acquérir sont autonomie.
diff --git a/notes/cisco_ft_securex_registration.tmpFfE2le.org b/notes/cisco_ft_securex_registration.tmpFfE2le.org
deleted file mode 100644
index b07ffdd5..00000000
--- a/notes/cisco_ft_securex_registration.tmpFfE2le.org
+++ /dev/null
@@ -1,209 +0,0 @@
-# Created 2021-12-07 Tue 16:36
-#+title: Cisco FT SecureX Simplified Registration
-#+date: [2021-12-07 Tue]
-#+author: Yann Esposito
-- tags :: [[id:299643a7-00e5-47fb-a987-3b9278e89da3][Auth]]
-- source :: https://github.com/advthreat/response/issues/821
-- dashboard :: https://github.com/advthreat/iroh/projects/32
-
-* Technical Plan
-** Support private email vs public emails
-
-The solution is to use a blacklist of domains where any user could create
-multiple email accounts pseudo-anonymously.
-
-** Support, search admin with same email domain
-
-We should be able given an email from a user, to find all the orgs for
-which at least one of its admin has a matching domain name.
-
-1. Most efficient: add an invisible field =email-domain= to all users. This
-   should be lower-case, and we will need a migration.
-   Doing this we could have a faster match than using string related queries.
-
-Problems, users can login in the same user, with the same public email with
-different emails.
-This should be rare.
-
-1. Search via text match.
-
-
-The algorithm should look a bit like:
-
-#+begin_src clojure
-
-;; only when this is an unknown user
-;; so a single approval will prevent the user to see this page.
-(let [user-email ,,,
-      domain (string/replace user-email #".*@" "")
-      users (matching-admins domain) ;; returns a potentially big list of admin users
-      indexed-orgs (group-by :org-id users)]
-  (vals indexed-orgs))
-#+end_src
-
-
-Once this list of orgs is found.
-We should also check the list of pending or rejected OrgAccessRequest for this user in
-order to prevent the user to request access multiple time.
-
-** Support Org request to admins
-
-We need to create another Entity for access request to an Org.
-
-#+begin_src clojure
-(s/defschema OrgAccessRequest
-  (st/merge
-   {:id UUID
-    :idp-mapping IdPMapping
-    :user-email s/Str
-    :org-id s/Str
-    :status (s/enum :pending :accepted :rejected)
-    :created-at DateTime}
-   (st/optional-keys
-    {:user-name s/Str
-     :user-nick s/Str
-     :approver-id UserId
-     :approver-email UserEmail ;; email of the approver
-     :updated-at DateTime
-     })))
-#+end_src
-
-When a user request access to an organization.
-We should create this object in DB.
-
-** Support the mechanism to create a new Org Access Request
-
-After the UserIdentity is known and after retrieving the matching orgs, and
-matching org access requests for this UserIdentity.
-
-We should allow the user to create new OrgAccessRequest.
-The way to do this is to create a new POST endpoint.
-As the user will not have any JWT at this point.
-We might probably build a "UserIdentity JWT" and trust it.
-So the webpage could make request on behalf of a UserIdentity and not a User.
-
-There should be an endpoint:
-
-#+begin_src http
-POST
-/iroh/iroh-auth/request-org-access
-
-Accept: application/json
-Content-Type: application/json
-User-Agent: ob-http
-Authorization: Bearer ${user-jwt}
-
-{"org-id":"the-id-of-the-org-the-user-request-access-to"}
-#+end_src
-
-After this call the =user-jwt= should contain enough data to retrieve:
-- =idp-mapping=
-- =user-email=
-- all other metas, as user-name, user-nick, etc…
-
-With this, and if every check matches:
-
-1. There is a known active admin of this org with an email with the same domain name
-2. The org is active
-
-We should:
-
-1. create a new =OrgAccessRequest= object in DB.
-2. Send emails (see next section)
-
-** Email Notification of Org Request Accesses
-
-1. List all the admins of the requested org.
-2.a. If there is fewer admins than a number that could be configured in the
-     node configuration. Then we send an email to all admins.
-2.b. If there are more admins than this specific number, then we randomly
-     chose this maximal number of admins and send them an email notification.
-
-*TODO* Have an email template (both HTML and Text)
-
-** Org Requests CRUD API for Admins of the Orgs
-
-There should be a CRUD API restricted to the ~admin/user-mgmt/org-requests~ scope:
-
-- ~GET  /iroh/user-mgmt/org-requests~ list pending org access requests
-- ~GET  /iroh/user-mgmt/org-requests/<id>~ read a single org access request
-- ~POST /iroh/user-mgmt/org-requests/<id>/accept~ Grant the access
-- ~POST /iroh/user-mgmt/org-requests/<id>/reject~ Reject the access
-
-*** List
-
-~GET  /iroh/user-mgmt/org-requests~
-
-If no parameter is provided, only list pending =OrgAccessRequests= of the org
-of the caller.
-Otherwise we could pass the query-parameter =status= with the following
-value(s):
-
-- =pending=
-- =accepted=
-- =rejected=
-
-Note we should probably support duplicate statuses.
-Ex:
-
-~GET /iroh/user-mgmt/org-requests?status=accepted&status=pending~
-
-*** Read
-
-~GET /iroh/user-mgmt/org-requests/org-request-id~
-
-Should returns a 404 if not found or the single Org Access Request object.
-
-*** Accept the Org Access
-
-~POST /iroh/user-mgmt/org-requests/<id>/accept~ Grant the access
-
-The body should contain the role (either =admin= or =user=) with the following schema:
-
-#+begin_src js
-{"role":"admin"}
-#+end_src
-
-During the call, should:
-
-1. Create a new user with:
-
-#+begin_src clojure
-{:user-id (gen-uuid)
- :org-id (:org-id org-access-request)
- :user-email (:user-email org-access-request)
- :idp-mappings [(:idp-mapping org-access-request)]
- :user-name (:user-name org-access-request)
- :user-nick (:user-nick org-access-request)
- :role (get-in request [:body :role])
- :enabled? true
- }
-#+end_src
-
-1. Send an email to user confirming his access was granted.
-
-*TODO* have an email template + text.
-
-*** Reject the Org Access
-
-~POST /iroh/user-mgmt/org-requests/<id>/reject~ Reject the access
-
-This call should update the =OrgAccessRequest= object by patching with:
-
-#+begin_src clojure
-{:udpated-at (now)
- :approver-id (get-in req [:identity :user :id])
- :approver-email (get-in req [:identity :user :email])
- :status :rejected}
-#+end_src
-
-Then send an email to user confirming his access was denied.
-
-*TODO* have an email template + text.
-** UI Revamp.
-
-All the page shown during login are hosted in IROH.
-So we should revamp all pages and we should probably, take great attention
-to every shown webpage.
-
-*TODO* have UI templates for every page of the workflow.
diff --git a/notes/cisco_ft_securex_registration.tmpPTkv6L.org b/notes/cisco_ft_securex_registration.tmpPTkv6L.org
deleted file mode 100644
index 9127274b..00000000
--- a/notes/cisco_ft_securex_registration.tmpPTkv6L.org
+++ /dev/null
@@ -1,227 +0,0 @@
-# Created 2021-12-15 Wed 16:28
-#+title: Cisco FT SecureX Simplified Registration
-#+date: [2021-12-07 Tue]
-#+author: Yann Esposito
-- tags :: [[id:299643a7-00e5-47fb-a987-3b9278e89da3][Auth]]
-- source :: https://github.com/advthreat/response/issues/821
-- dashboard :: https://github.com/advthreat/iroh/projects/32
-
-* Technical Plan
-** Support private email vs public emails
-
-/Estimate: 1 release cycle after the list is provided./
-
-The solution is to use a blacklist of domains where any user could create
-multiple email accounts pseudo-anonymously.
-
-** Support, search admin with same email domain
-
-/Estimate: 1 release cycle./
-Note: *Work in progress*
-
-We should be able given an email from a user, to find all the orgs for
-which at least one of its admin has a matching domain name.
-
-1. Most efficient: add an invisible field =email-domain= to all users. This
-   should be lower-case, and we will need a migration.
-   Doing this we could have a faster match than using string related queries.
-
-Problems, users can login in the same user, with the same public email with
-different emails.
-This should be rare.
-
-1. Search via text match.
-
-
-The algorithm should look a bit like:
-
-#+begin_src clojure
-
-;; only when this is an unknown user
-;; so a single approval will prevent the user to see this page.
-(let [user-email ,,,
-      domain (string/replace user-email #".*@" "")
-      users (matching-admins domain) ;; returns a potentially big list of admin users
-      indexed-orgs (group-by :org-id users)]
-  (vals indexed-orgs))
-#+end_src
-
-
-Once this list of orgs is found.
-We should also check the list of pending or rejected OrgAccessRequest for this user in
-order to prevent the user to request access multiple time.
-
-** Support Org request to admins
-
-/Estimate: 4 release cycles/
-
-We need to create another Entity for access request to an Org.
-
-#+begin_src clojure
-(s/defschema OrgAccessRequest
-  (st/merge
-   {:id UUID
-    :idp-mapping IdPMapping
-    :user-email s/Str
-    :org-id s/Str
-    :status (s/enum :pending :accepted :rejected)
-    :created-at DateTime}
-   (st/optional-keys
-    {:user-name s/Str
-     :user-nick s/Str
-     :approver-id UserId
-     :approver-email UserEmail ;; email of the approver
-     :updated-at DateTime
-     })))
-#+end_src
-
-When a user request access to an organization.
-We should create this object in DB.
-
-** Support the mechanism to create a new Org Access Request
-
-/Estimate: 2 release cycle/
-
-After the UserIdentity is known and after retrieving the matching orgs, and
-matching org access requests for this UserIdentity.
-
-We should allow the user to create new OrgAccessRequest.
-The way to do this is to create a new POST endpoint.
-As the user will not have any JWT at this point.
-We might probably build a "UserIdentity JWT" and trust it.
-So the webpage could make request on behalf of a UserIdentity and not a User.
-
-There should be an endpoint:
-
-#+begin_src http
-POST
-/iroh/iroh-auth/request-org-access
-
-Accept: application/json
-Content-Type: application/json
-User-Agent: ob-http
-Authorization: Bearer ${user-jwt}
-
-{"org-id":"the-id-of-the-org-the-user-request-access-to"}
-#+end_src
-
-After this call the =user-jwt= should contain enough data to retrieve:
-- =idp-mapping=
-- =user-email=
-- all other metas, as user-name, user-nick, etc…
-
-With this, and if every check matches:
-
-1. There is a known active admin of this org with an email with the same domain name
-2. The org is active
-
-We should:
-
-1. create a new =OrgAccessRequest= object in DB.
-2. Send emails (see next section)
-
-** Email Notification of Org Request Accesses
-
-/Estimate: 2 release cycle after email+html templates/
-
-1. List all the admins of the requested org.
-2.a. If there is fewer admins than a number that could be configured in the
-     node configuration. Then we send an email to all admins.
-2.b. If there are more admins than this specific number, then we randomly
-     chose this maximal number of admins and send them an email notification.
-
-
-
-*TODO* Have an email template (both HTML and Text)
-*** Notes
-
-Need to be able to trigger a new request to join after 7 days.
-
-** Org Requests CRUD API for Admins of the Orgs
-
-There should be a CRUD API restricted to the ~admin/user-mgmt/org-requests~ scope:
-
-- ~GET  /iroh/user-mgmt/org-requests~ list pending org access requests
-- ~GET  /iroh/user-mgmt/org-requests/<id>~ read a single org access request
-- ~POST /iroh/user-mgmt/org-requests/<id>/accept~ Grant the access
-- ~POST /iroh/user-mgmt/org-requests/<id>/reject~ Reject the access
-
-*** List
-
-~GET  /iroh/user-mgmt/org-requests~
-
-If no parameter is provided, only list pending =OrgAccessRequests= of the org
-of the caller.
-Otherwise we could pass the query-parameter =status= with the following
-value(s):
-
-- =pending=
-- =accepted=
-- =rejected=
-
-Note we should probably support duplicate statuses.
-Ex:
-
-~GET /iroh/user-mgmt/org-requests?status=accepted&status=pending~
-
-*** Read
-
-~GET /iroh/user-mgmt/org-requests/org-request-id~
-
-Should returns a 404 if not found or the single Org Access Request object.
-
-*** Accept the Org Access
-
-~POST /iroh/user-mgmt/org-requests/<id>/accept~ Grant the access
-
-The body should contain the role (either =admin= or =user=) with the following schema:
-
-#+begin_src js
-{"role":"admin"}
-#+end_src
-
-During the call, should:
-
-1. Create a new user with:
-
-#+begin_src clojure
-{:user-id (gen-uuid)
- :org-id (:org-id org-access-request)
- :user-email (:user-email org-access-request)
- :idp-mappings [(:idp-mapping org-access-request)]
- :user-name (:user-name org-access-request)
- :user-nick (:user-nick org-access-request)
- :role (get-in request [:body :role])
- :enabled? true
- }
-#+end_src
-
-1. Send an email to user confirming his access was granted.
-
-*TODO* have an email template + text.
-
-*** Reject the Org Access
-
-~POST /iroh/user-mgmt/org-requests/<id>/reject~ Reject the access
-
-This call should update the =OrgAccessRequest= object by patching with:
-
-#+begin_src clojure
-{:udpated-at (now)
- :approver-id (get-in req [:identity :user :id])
- :approver-email (get-in req [:identity :user :email])
- :status :rejected}
-#+end_src
-
-Then send an email to user confirming his access was denied.
-
-*TODO* have an email template + text.
-** UI Revamp.
-
-/Estimate: 2 release cycle after email+html templates/
-
-All the page shown during login are hosted in IROH.
-So we should revamp all pages and we should probably, take great attention
-to every shown webpage.
-
-*TODO* have UI templates for every page of the workflow.
diff --git a/notes/cisco_ft_securex_registration.tmpajfMv6.org b/notes/cisco_ft_securex_registration.tmpajfMv6.org
deleted file mode 100644
index 27bfd720..00000000
--- a/notes/cisco_ft_securex_registration.tmpajfMv6.org
+++ /dev/null
@@ -1,303 +0,0 @@
-# Created 2021-12-16 Thu 15:53
-#+title: Cisco FT SecureX Simplified Registration
-#+date: [2021-12-07 Tue]
-#+author: Yann Esposito
-- tags :: [[id:299643a7-00e5-47fb-a987-3b9278e89da3][Auth]]
-- source :: https://github.com/advthreat/response/issues/821
-- dashboard :: https://github.com/advthreat/iroh/projects/32
-
-* Functional Spec
-
-Response issues:
-- https://github.com/advthreat/response/issues/821
-
-Figma: https://www.figma.com/file/Bz3m25kpWXpdct7AnhmNsW/SXSO-Registeration?node-id=759%3A5926
-
-* Technical Plan
-** Support private email vs public emails
-
-/Estimate: 1 release cycles after the list is provided./
-
-The solution is to use a blacklist of domains where any user could create
-multiple email accounts pseudo-anonymously.
-
-Details: https://github.com/advthreat/response/issues/979
-
-*** Question is about where to put the list?
-
-/Estimate: 1 release cycles depends on ops/
-
-I suggest the list should be a single file in tenzin-config that should be
-used on all environments.
-
-*** Support allow-list exceptions for some Cisco user.
-
-/Estimate: 1 release cycles after the list is provided./
-
-Typically we should allow some users with an email like =some-user+XXX@gmail.com=
-
-** Support, search admin with same email domain
-
-/Estimate: 1 release cycle./
-Note: *Work in progress*
-
-We should be able given an email from a user, to find all the orgs for
-which at least one of its admin has a matching domain name.
-
-1. Most efficient: add an invisible field =email-domain= to all users. This
-   should be lower-case, and we will need a migration.
-   Doing this we could have a faster match than using string related queries.
-
-Problems, users can login in the same user, with the same public email with
-different emails.
-This should be rare.
-
-1. Search via text match.
-
-
-The algorithm should look a bit like:
-
-#+begin_src clojure
-
-;; only when this is an unknown user
-;; so a single approval will prevent the user to see this page.
-(let [user-email ,,,
-      domain (string/replace user-email #".*@" "")
-      users (matching-admins domain) ;; returns a potentially big list of admin users
-      indexed-orgs (group-by :org-id users)]
-  (vals indexed-orgs))
-#+end_src
-
-
-Once this list of orgs is found.
-We should also check the list of pending or rejected OrgAccessRequest for this user in
-order to prevent the user to request access multiple time.
-
-** Support Org request to admins
-
-/Estimate: 4 release cycles/
-
-We need to create another Entity for access request to an Org.
-
-#+begin_src clojure
-(s/defschema OrgAccessRequest
-  (st/merge
-   {:id UUID
-    :idp-mapping IdPMapping
-    :user-email s/Str
-    :org-id s/Str
-    :status (s/enum :pending :accepted :rejected)
-    :created-at DateTime}
-   (st/optional-keys
-    {:user-name s/Str
-     :user-nick s/Str
-     :approver-id UserId
-     :approver-email UserEmail ;; email of the approver
-     :updated-at DateTime
-     })))
-#+end_src
-
-When a user request access to an organization.
-We should create this object in DB.
-
-** Login Account Management Page
-
-/Estimate: 4 release cycles/
-
-See Figma: https://www.figma.com/file/Bz3m25kpWXpdct7AnhmNsW/SXSO-Registeration?node-id=759%3A5926
-
-
-We should change the login flow, so the user might see an intermediate
-/login account management page/.
-On this /login account management page/ the user should see:
-
-1. account selection
-2. pending invites
-3. matching orgs
-
-To give an idea here is an example of what it will look like:
-
-#+begin_src
-Select Account:
-  - account-1
-  - account-2
-Pending Invites:
-  - invite for org-1
-  - invite for org-2 (expired) [ask for renewal]
-Matching Orgs:
-  - org-4
-  - org-5
-#+end_src
-
-*** Behavior
-
-If the user is only part of 1 org, and has no invite, and not matching org.
-He should not see that page and be redirected directly to his account.
-
-If the user is only part of 1 org, and has matching org, it is not clear if
-we should display that page?
-
-If all other cases, the "login account management page"
-
-Note also that if we have a pending invite on a matching email domain org.
-The pending invite should take the priority when displaying the org.
-
-**** Question
-
-1. pending invite expired
-2. matching org
-
-What should we present the user?
-
-1. renew invite (send an email to the inviter)
-2. request access to the org
-3. both 1 and 2
-
-*** Technical details
-
-When the user see this page, we know the =UserIdentity= only.
-
-We should allow the user to create new =OrgAccessRequest=.
-The way to do this is to create a new POST endpoint.
-As the user will not have any JWT at this point.
-We might probably build a "UserIdentity JWT" and trust it.
-So the webpage could make request on behalf of a =UserIdentity= and not a =User=.
-
-There should be an endpoint:
-
-#+begin_src http
-POST
-/iroh/iroh-auth/request-org-access
-
-Accept: application/json
-Content-Type: application/json
-User-Agent: ob-http
-Authorization: Bearer ${user-identity-jwt}
-
-{"org-id":"the-id-of-the-org-the-user-request-access-to"}
-#+end_src
-
-After this call the =user-identity-jwt= should contain enough data to retrieve:
-- =idp-mapping=
-- =user-email=
-- all other metas, as user-name, user-nick, etc…
-
-With this, and if every check matches:
-
-1. There is a known active admin of this org with an email with the same domain name
-2. The org is active
-
-We should:
-
-1. create a new =OrgAccessRequest= object in DB.
-2. Send emails (see next section)
-
-** Email Notification of Org Request Accesses
-
-/Estimate: 4 release cycle after email+html templates/
-
-1. List all the admins of the requested org.
-2.a. If there is fewer admins than a number that could be configured in the
-     node configuration. Then we send an email to all admins.
-2.b. If there are more admins than this specific number, then we randomly
-     chose this maximal number of admins and send them an email notification.
-
-
-
-*TODO* Have an email template (both HTML and Text)
-*** Notes
-
-Need to be able to trigger a new request to join after 7 days.
-
-** Org Requests CRUD API for Admins of the Orgs
-
-/Estimate: 3 release cycle after mail templates + text/
-
-There should be a CRUD API restricted to the ~admin/user-mgmt/org-requests~ scope:
-
-- ~GET  /iroh/user-mgmt/org-requests~ list pending org access requests
-- ~GET  /iroh/user-mgmt/org-requests/<id>~ read a single org access request
-- ~POST /iroh/user-mgmt/org-requests/<id>/accept~ Grant the access
-- ~POST /iroh/user-mgmt/org-requests/<id>/reject~ Reject the access
-
-*** List
-
-~GET  /iroh/user-mgmt/org-requests~
-
-If no parameter is provided, only list pending =OrgAccessRequests= of the org
-of the caller.
-Otherwise we could pass the query-parameter =status= with the following
-value(s):
-
-- =pending=
-- =accepted=
-- =rejected=
-
-Note we should probably support duplicate statuses.
-Ex:
-
-~GET /iroh/user-mgmt/org-requests?status=accepted&status=pending~
-
-*** Read
-
-~GET /iroh/user-mgmt/org-requests/org-request-id~
-
-Should returns a 404 if not found or the single Org Access Request object.
-
-*** Accept the Org Access
-
-~POST /iroh/user-mgmt/org-requests/<id>/accept~ Grant the access
-
-The body should contain the role (either =admin= or =user=) with the following schema:
-
-#+begin_src js
-{"role":"admin"}
-#+end_src
-
-During the call, should:
-
-1. Create a new user with:
-
-#+begin_src clojure
-{:user-id (gen-uuid)
- :org-id (:org-id org-access-request)
- :user-email (:user-email org-access-request)
- :idp-mappings [(:idp-mapping org-access-request)]
- :user-name (:user-name org-access-request)
- :user-nick (:user-nick org-access-request)
- :role (get-in request [:body :role])
- :enabled? true
- }
-#+end_src
-
-1. Send an email to user confirming his access was granted.
-
-*TODO* have an email template + text.
-
-*** Reject the Org Access
-
-~POST /iroh/user-mgmt/org-requests/<id>/reject~ Reject the access
-
-This call should update the =OrgAccessRequest= object by patching with:
-
-#+begin_src clojure
-{:udpated-at (now)
- :approver-id (get-in req [:identity :user :id])
- :approver-email (get-in req [:identity :user :email])
- :status :rejected}
-#+end_src
-
-Then send an email to user confirming his access was denied.
-
-*TODO* have an email template + text.
-** UI Revamp.
-
-/Estimate: 2 release cycle after email+html templates/
-
-All the page shown during login are hosted in IROH.
-So we should revamp all pages and we should probably, take great attention
-to every shown webpage.
-Typically, the look and feel is different for all pages. So we might
-probably take care of the OAuth2 authorization pages as well as the error pages.
-
-*TODO* have UI templates for every page of the workflow.
diff --git a/notes/cisco_ft_securex_registration.tmpzz9bMt.org b/notes/cisco_ft_securex_registration.tmpzz9bMt.org
deleted file mode 100644
index 09f86d43..00000000
--- a/notes/cisco_ft_securex_registration.tmpzz9bMt.org
+++ /dev/null
@@ -1,304 +0,0 @@
-# Created 2021-12-22 Wed 15:50
-#+title: Cisco FT SecureX Simplified Registration
-#+date: [2021-12-07 Tue]
-#+author: Yann Esposito
-- tags :: [[id:299643a7-00e5-47fb-a987-3b9278e89da3][Auth]]
-- source :: https://github.com/advthreat/response/issues/821
-- dashboard :: https://github.com/advthreat/iroh/projects/32
-
-* Functional Spec
-
-Response issues:
-- https://github.com/advthreat/response/issues/821
-
-Figma: https://www.figma.com/file/Bz3m25kpWXpdct7AnhmNsW/SXSO-Registeration?node-id=759%3A5926
-
-* Technical Plan
-** Support private email vs public emails
-
-/Estimate: 1 release cycles after the list is provided./
-
-The solution is to use a blacklist of domains where any user could create
-multiple email accounts pseudo-anonymously.
-
-Details: https://github.com/advthreat/response/issues/979
-
-*** Question is about where to put the list?
-
-/Estimate: 1 release cycles depends on ops/
-
-I suggest the list should be a single file in tenzin-config that should be
-used on all environments.
-
-*** Support allow-list exceptions for some Cisco user.
-
-/Estimate: 1 release cycles after the list is provided./
-
-Typically we should allow some users with an email like =some-user+XXX@gmail.com=
-
-** Support, search admin with same email domain
-
-/Estimate: 1 release cycle./
-Note: *Work in progress*
-
-We should be able given an email from a user, to find all the orgs for
-which at least one of its admin has a matching domain name.
-
-1. Most efficient: add an invisible field =email-domain= to all users. This
-   should be lower-case, and we will need a migration.
-   Doing this we could have a faster match than using string related queries.
-
-Problems, users can login in the same user, with the same public email with
-different emails.
-This should be rare.
-
-1. Search via text match.
-
-
-The algorithm should look a bit like:
-
-#+begin_src clojure
-
-;; only when this is an unknown user
-;; so a single approval will prevent the user to see this page.
-(let [user-email ,,,
-      domain (string/replace user-email #".*@" "")
-      users (matching-admins domain) ;; returns a potentially big list of admin users
-      indexed-orgs (group-by :org-id users)]
-  (vals indexed-orgs))
-#+end_src
-
-
-Once this list of orgs is found.
-We should also check the list of pending or rejected OrgAccessRequest for this user in
-order to prevent the user to request access multiple time.
-
-** Support Org request to admins
-
-/Estimate: 4 release cycles/
-
-We need to create another Entity for access request to an Org.
-
-#+begin_src clojure
-(s/defschema OrgAccessRequest
-  (st/merge
-   {:id UUID
-    :idp-mapping IdPMapping
-    :user-email s/Str
-    :org-id s/Str
-    :status (s/enum :pending :accepted :rejected)
-    :created-at DateTime}
-   (st/optional-keys
-    {:user-name s/Str
-     :user-nick s/Str
-     :approver-id UserId
-     :approver-email UserEmail ;; email of the approver
-     :updated-at DateTime
-     })))
-#+end_src
-
-When a user request access to an organization.
-We should create this object in DB.
-
-** Login Account Management Page
-
-/Estimate: 4 release cycles/
-
-See Figma: https://www.figma.com/file/Bz3m25kpWXpdct7AnhmNsW/SXSO-Registeration?node-id=759%3A5926
-
-
-We should change the login flow, so the user might see an intermediate
-/login account management page/.
-On this /login account management page/ the user should see:
-
-1. account selection
-2. pending invites
-3. matching orgs
-
-To give an idea here is an example of what it will look like:
-
-#+begin_src
-Select Account:
-  - account-1
-  - account-2
-Pending Invites:
-  - invite for org-1
-  - invite for org-2 (expired) [ask for renewal]
-Matching Orgs:
-  - org-4
-  - org-5
-#+end_src
-
-*** Behavior
-
-If the user is only part of 1 org, and has no invite, and not matching org.
-He should not see that page and be redirected directly to his account.
-
-If the user is only part of 1 org, and has matching org, it is not clear if
-we should display that page?
-
-If all other cases, the "login account management page"
-
-Note also that if we have a pending invite on a matching email domain org.
-The pending invite should take the priority when displaying the org.
-
-**** Question
-
-1. pending invite expired
-2. matching org
-
-What should we present the user?
-
-1. renew invite (send an email to the inviter)
-2. request access to the org
-3. both 1 and 2
-
-*** Technical details
-
-When the user see this page, we know the =UserIdentity= only.
-
-We should allow the user to create new =OrgAccessRequest=.
-The way to do this is to create a new POST endpoint.
-As the user will not have any JWT at this point.
-We might probably build a "UserIdentity JWT" and trust it.
-So the webpage could make request on behalf of a =UserIdentity= and not a =User=.
-
-There should be an endpoint:
-
-#+begin_src http
-POST
-/iroh/iroh-auth/request-org-access
-
-Accept: application/json
-Content-Type: application/json
-User-Agent: ob-http
-Authorization: Bearer ${user-identity-jwt}
-
-{"org-id":"the-id-of-the-org-the-user-request-access-to"}
-#+end_src
-
-After this call the =user-identity-jwt= should contain enough data to retrieve:
-- =idp-mapping=
-- =user-email=
-- all other metas, as user-name, user-nick, etc…
-
-With this, and if every check matches:
-
-1. There is a known active admin of this org with an email with the same domain name
-2. The org is active
-
-We should:
-
-1. create a new =OrgAccessRequest= object in DB.
-2. Send emails (see next section)
-
-** Email Notification of Org Request Accesses
-
-/Estimate: 4 release cycle after email+html templates/
-
-1. List all the admins of the requested org.
-2.a. If there is fewer admins than a number that could be configured in the
-     node configuration. Then we send an email to all admins.
-2.b. If there are more admins than this specific number, then we randomly
-     chose this maximal number of admins and send them an email notification.
-
-
-
-*TODO* Have an email template (both HTML and Text)
-*** Notes
-
-Need to be able to trigger a new request to join after 7 days.
-
-** Org Requests CRUD API for Admins of the Orgs
-
-/Estimate: 3 release cycle after mail templates + text/
-
-There should be a CRUD API restricted to the ~admin/user-mgmt/org-requests~ scope:
-
-- ~GET  /iroh/user-mgmt/org-requests~ list pending org access requests
-- ~GET  /iroh/user-mgmt/org-requests/<id>~ read a single org access request
-- ~POST /iroh/user-mgmt/org-requests/<id>/accept~ Grant the access
-- ~POST /iroh/user-mgmt/org-requests/<id>/reject~ Reject the access
-
-*** List
-
-~GET  /iroh/user-mgmt/org-requests~
-
-If no parameter is provided, only list pending =OrgAccessRequests= of the org
-of the caller.
-Otherwise we could pass the query-parameter =status= with the following
-value(s):
-
-- =pending=
-- =accepted=
-- =rejected=
-
-Note we should probably support duplicate statuses.
-Ex:
-
-~GET /iroh/user-mgmt/org-requests?status=accepted&status=pending~
-
-*** Read
-
-~GET /iroh/user-mgmt/org-requests/org-request-id~
-
-Should returns a 404 if not found or the single Org Access Request object.
-
-*** Accept the Org Access
-
-~POST /iroh/user-mgmt/org-requests/<id>/accept~ Grant the access
-
-The body should contain the role (either =admin= or =user=) with the following schema:
-
-#+begin_src js
-{"role":"admin"}
-#+end_src
-
-During the call, should:
-
-1. Create a new user with:
-
-#+begin_src clojure
-{:user-id (gen-uuid)
- :org-id (:org-id org-access-request)
- :user-email (:user-email org-access-request)
- :idp-mappings [(:idp-mapping org-access-request)]
- :user-name (:user-name org-access-request)
- :user-nick (:user-nick org-access-request)
- :role (get-in request [:body :role])
- :enabled? true
- }
-#+end_src
-
-1. Send an email to user confirming his access was granted.
-
-*TODO* have an email template + text.
-
-*** Reject the Org Access
-
-~POST /iroh/user-mgmt/org-requests/<id>/reject~ Reject the access
-
-This call should update the =OrgAccessRequest= object by patching with:
-
-#+begin_src clojure
-{:udpated-at (now)
- :approver-id (get-in req [:identity :user :id])
- :approver-email (get-in req [:identity :user :email])
- :status :rejected}
-#+end_src
-
-Then send an email to user confirming his access was denied.
-
-*TODO* have an email template + text.
-** UI Revamp.
-
-/Estimate: 2 release cycle after email+html templates/
-
-All the page shown during login are hosted in IROH.
-So we should revamp all pages and we should probably, take great attention
-to every shown webpage.
-Typically, the look and feel is different for all pages. So we might
-probably take care of the OAuth2 authorization pages as well as the error pages.
-
-*TODO* have UI templates for every page of the workflow.
-- https://github.com/advthreat/GLaDOS/issues/2667
diff --git a/notes/journal/2021/2021-11-06.org b/notes/journal/2021/2021-11-06.org
index c982c9ad..1abc1dbb 100644
--- a/notes/journal/2021/2021-11-06.org
+++ b/notes/journal/2021/2021-11-06.org
@@ -52,7 +52,7 @@ une angine.
 Et c'est ce qu'elle pensait avoir.
 Mais elle a attrapé la COVID.
 D'après ses mots, ça a été un enfer.
-Des températures à 40, des nausées, etc...
+Des températures à 40, des nausées, etc…
 J'ai essayé de lui expliquer qu'il fallait se faire vacciner, une seule
 dose pour se protéger.
 Mais j'ai bien peur qu'elle n'en fasse rien.
diff --git a/notes/journal/2021/2021-11-07.org b/notes/journal/2021/2021-11-07.org
index f999ad04..bd3ca561 100644
--- a/notes/journal/2021/2021-11-07.org
+++ b/notes/journal/2021/2021-11-07.org
@@ -134,7 +134,13 @@ Le concept est que ça met l'accent sur la phrase en cours d'écriture seulement
 Cela donne une sensation de focus sur la phrase en cours d'écriture.
 
 Enfin, c'est la classe franchement.
-Je suis vraiment content aussi de ma façon d'avoir écrit le theme en
-utilisant un système de couleur hsl. J'ai tout fixé, sauf la luminosité.
-En mode nuit, vraiment, les choses reste vraiment sombre, est c'est parfait pour faire le focus.
+Je suis vraiment content aussi de ma façon d'avoir écrit le theme en utilisant
+un système de couleur hsl.
+J'ai tout fixé, sauf la luminosité.
+En mode nuit, vraiment, les choses reste vraiment sombre, est c'est parfait pour
+faire le focus.
 Vraiment je suis content.
+Idéallement, il faudrait pouvoir charger le theme en runtime avec un paramètre.
+Par exemple, la couleur principale.
+J'ai choisi une Hue à 218, ça correspond un peu à la couleur de Nord.
+Enfin, c'est la classe, dans tous les cas.
diff --git a/notes/journal/2021/2021-11-08.org b/notes/journal/2021/2021-11-08.org
index 6283d287..f35144f7 100644
--- a/notes/journal/2021/2021-11-08.org
+++ b/notes/journal/2021/2021-11-08.org
@@ -41,3 +41,7 @@ J'ai un pb pour me souvenir du theme précédent.
 bouh....
 ** 16:39
 It works!!!!
+** 17:04
+Woooo!!!!
+Mon plugin zen-writer c'est de la boulette.
+Ça marche trop bien!
diff --git a/notes/journal/2021/2021-11-12.org b/notes/journal/2021/2021-11-12.org
index 9a63ddd0..fed91499 100644
--- a/notes/journal/2021/2021-11-12.org
+++ b/notes/journal/2021/2021-11-12.org
@@ -33,7 +33,7 @@
  | intérêt    | ?/5 | ennuie     -> exceptionnel  |
 * 2021-11-12 Friday
 ** 11:39
-Bien, Anna a réussie à aller en cour aujour'hui. J'en suis ravi.
+Bien, Anna a réussie à aller en cour aujourd'hui. J'en suis ravi.
 Je vais aller à mon rendez-vous dans quelques minutes.
 J'ai été pris d'une terrible crise d'angoisse ce matin. Elle n'est pas
 entièrement passée.
@@ -42,6 +42,23 @@ Et je n'arrive pas vraiment à identifier l'origine du problème.
 Je verrai. Nous avons joué à Carcassonne avec Krystelle.
 Cela m'a détendu.
 ** 23:28
-Je viend de finir de regarder le dernier épisode de Foundation.
-Bon, celà reste intéressant.
+Je viens de finir de regarder le dernier épisode de Foundation.
+Bon, cela reste intéressant.
 Mais ça manque de tenue.
+
+
+Petite réflexion du jour sur le manque de programme pour lequel on puisse imaginer que les programmes continueront à fonctionner dans 10 ans, 20 ans, 40 ans.
+
+C'est un vrai point faible de notre industrie.
+Et de la science qui lui est associée.
+Le manque d'une lingua franca.
+Peut-être est-elle au niveau d'une VM (comme la JVM?)
+J'en doute, un tel système ne s'adapterait pas à un nouveau modèle de calcul des
+processeurs.
+Qui sait de quoi les processeurs de demain seront fait.
+Quelles opérations seront faisables et rapides, lesquelles seront impossibles.
+Comment gerrer le parallelisme, la concurrence, les accès mémoires sécurisés,
+etc...
+
+Ensuite, au niveau des langages eux mêmes quels sont les bonnes abstractions.
+A quel moment est-on trop bas niveau ? Trop haut ? etc...
diff --git a/notes/mdph_recours.tmp7nDXAo.org b/notes/mdph_recours.tmp7nDXAo.org
deleted file mode 100644
index 9b8ecb0c..00000000
--- a/notes/mdph_recours.tmp7nDXAo.org
+++ /dev/null
@@ -1,113 +0,0 @@
-# Created 2021-12-22 Wed 22:27
-#+title: MDPH recours
-#+date: [2021-12-22 Wed]
-#+author: Yann & Krystelle Esposito
-#+lang: fr
-
-Nous demandons une réévaluation du dossier de notre fille, soit:
-
-- *une reconnaissance d'handicap supérieure à 80%* (avec réévaluation à la hausse de
-  l'AEEH complémentaire)
-- la *CMI Invalidité/Priorité* indispensable à la réalisation de son projet
-  de vie (en accord avec les soignants)
-- la *CMI Stationnement*
-
-* Demande reconnaissance d'au moins 80% de handicap
-
-Depuis avril 2021, date de la demande de création de dossier MDPH,
-l'*anxiété* et l'*autonomie* de notre fille Anna se sont *dégradées*.
-
-Une *ALD à 100%* vient de lui être octroyée (cf attestation).
-Compte tenu de la majoration de ses angoisses et en s'appuyant sur le guide
-d'appui aux pratiques des maisons départementales des personnes handicapées
-de la Caisse Nationale de Solidarité pour l'Autonomie (CNSA, cf document en
-annexe) Anna est dans l'_incapacité absolue_ de réaliser des actes et
-activités simples de la vie courante comme :
-
-- faire des courses seule à cause de ses hypersensibilités ;
-- se diriger et agir seule en ville ;
-- prendre les transports en commun ; incapacité de programmer un trajet et
-  surtout de répondre à un évènement inattendu comme adapter son itinéraire
-  en cas de dysfonctionnement.
-- suivre un enseignement dans un établissement classique
-- initier une sortie en extérieur
-
-C'est pourquoi nous vous demandons de réévaluer son taux de handicap à au
-moins 80%.
-Et aussi par conséquent de réévaluer l'AEEH complémentaire à la hausse.
-
-** Description des crises
-
-L'intensité des crises d'angoisses autistiques de notre fille sont
-invalidantes.
-Ses dernières vont jusqu'à provoquer une incapacité à se mouvoir,
-hyperventilation, cécité et surdité temporaires, pertes de sensations.
-Lors des crises les risques de chutes sont présents car elle n'arrive pas à
-tenir la station debout.
-Afin d'assurer sa sécurité il est pratiquement impossible de la laisser
-seule, sauf chez elle.
-
-Les crises sont provoquées par :
-
-- *un contact, même léger* : une personne qui la frôle suffit à provoquer une
-  crise. Par exemple, récemment une enfant à voulu toucher sa peluche
-  lestée en se précipitant sur elle. Anna n'a pas su comment se "mettre en
-  sécurité" ce qui à provoquer une crise que nous avons eu du mal à apaiser.
-- *trop de monde*
-- *les hyperstimulations sensorielles*, par exemple, bruit de moteur
-  inattendu, un feu clignotant, lumière trop vive, etc…
-
-Elle n'arrive à gérer les hyperstimulations que pendant une courte période.
-Attendre à une caisse peut, pour elle, être elle un calvaire.
-Si cela dure un peu trop longtemps, ou qu'une personne la touche par
-inadvertance, il n'y a pas d'autre solution que de sortir du magasin, en
-laissant le caddie pour retourner dans la voiture.
-Je vous laisse imaginer la difficulté pour traverser un parking avec une
-personne en crise que l'on ne peut pas toucher, qui ne voit et n'entend
-pratiquement rien !
-
-C'est pour cela que nous vous demandons la CMI Invalidité/Priorité et
-Stationnement.
-
-** Scolarité
-
-La phobie scolaire de notre fille l'empêche d'avoir un enseignement dans un
-établissement ordinaire.
-Nous avons essayé le CNED à domicile, cela fut un échec, car son anxiété de
-performance et son isolement social ont été à leurs apogées.
-
-Pour l'aider, depuis septembre, nous avons orienté Anna vers un
-établissement privé à très petit effectif.
-Cela est toujours difficile pour elle (incapacité à assister à tous les
-cours à cause de son anxiété et de sa fatiguabilité), mais nous avons
-constaté avec les équipes médicales et pédagogiques de réels progrès
-d'autant plus qu'Anna est douée, motivée et intéressée par les études.
-
-Cependant cela à un coût élevé.
-
-* Chien d'assistance
-
-Pour la soutenir dans ses efforts et avec l'appui de sa psychiatre et de
-son psychologue (cf certificats médicaux joins) nous avons pour projet
-d'adopter un chien d'assistance qui pourrait :
-
-- agir sur son état anxieux et maîtriser ses crises d'angoisses ;
-- être un moteur déterminant pour son autonomie future ;
-- rendre son handicap visible en rendant les inconnus plus conscient
-  des difficultés d'Anna ;
-- initier des sorties en extérieur et sociabiliser grâce à l'animal ;
-- faciliter son autonomie en lui permettant d'accéder aux lieux publics.
-
-Anna est très motivée par ce projet, c'est pourquoi il est indispensable
-qu'elle puisse bénéficier de la carte CMI ainsi que d'un taux de handicap
-reconnu à au moins 50% sans lesquels un chien d'assistance ne pourrait pas
-lui être attribué.
-
-* Conclusion
-
-Bien que le TSA ne sera jamais soigné, avec les bons soins et les bons
-outils, elle peut arriver à vivre avec ses phobies et devenir un membre
-actif, responsable et épanouie de notre société.
-C'est pourquoi nous avons besoin de la reconnaissance de handicap d'au moins
-80% et de la carte CMI Invalidité/Priorité pour qu'on puisse lui attribuer
-un chien d'assistance qui est essentiel à la réalisation de son projet de vie.
diff --git a/notes/mdph_recours.tmpCYWwYS.org b/notes/mdph_recours.tmpCYWwYS.org
deleted file mode 100644
index cc49ecf4..00000000
--- a/notes/mdph_recours.tmpCYWwYS.org
+++ /dev/null
@@ -1,117 +0,0 @@
-# Created 2021-12-22 Wed 21:43
-#+title: MDPH recours
-#+date: [2021-12-22 Wed]
-#+author: Yann Esposito
-#+lang: fr
-
-- tags :: 
-
-- source :: 
-
-Nous demandons une réévaluation du dossier de notre fille, soit:
-
-- *une reconnaissance d'handicap supérieure à 80%* (avec réévaluation à la hausse de
-  l'AEEH complémentaire)
-- la *CMI Invalidité/Priorité* indispensable à la réalisation de son projet
-  de vie (en accord avec les soignants)
-- la *CMI Stationnement*
-
-* Demande reconnaissance d'au moins 80% de handicap
-
-Depuis avril 2021, date de la demande de création de dossier MDPH,
-l'*anxiété* et l'*autonomie* de notre fille Anna se sont *dégradées*.
-
-Une *ALD à 100%* vient de lui être octroyée (cf attestation).
-Compte tenu de la majoration de ses angoisses et en s'appuyant sur le guide
-d'appui aux pratiques des maisons départementales des personnes handicapées
-de la Caisse Nationale de Solidarité pour l'Autonomie (CNSA, cf document en
-annexe) Anna est dans l'_incapacité absolue_ de réaliser des actes et
-activités simples de la vie courante comme :
-
-- faire des courses seule à cause de ses hypersensibilités ;
-- se diriger et agir seule en ville ;
-- prendre les transports en commun ; incapacité de programmer un trajet et
-  surtout de répondre à un évènement inattendu comme adapter son itinéraire
-  en cas de dysfonctionnement.
-- suivre un enseignement dans un établissement classique
-- initier une sortie en extérieur
-
-C'est pourquoi nous vous demandons de réévaluer son taux de handicap à au
-moins 80%.
-Et aussi par conséquent de réévaluer l'AEEH complémentaire à la hausse.
-
-** Description des crises
-
-L'intensité des crises d'angoisses autistiques de notre fille sont
-invalidantes.
-Ses dernières vont jusqu'à provoquer une incapacité à se mouvoir,
-hyperventilation, cécité et surdité temporaires, pertes de sensations.
-Lors des crises les risques de chutes sont présents car elle n'arrive pas à
-tenir la station debout.
-Afin d'assurer sa sécurité il est pratiquement impossible de la laisser
-seule, sauf chez elle.
-
-Les crises sont provoquées par :
-
-- *un contact, même léger* : une personne qui la frôle suffit à provoquer une
-  crise. Par exemple, récemment une enfant à voulu toucher sa peluche
-  lestée en se précipitant sur elle. Anna n'a pas su comment se "mettre en
-  sécurité" ce qui à provoquer une crise que nous avons eu du mal à apaiser.
-- *trop de monde*
-- *les hyperstimulations sensorielles*, par exemple, bruit de moteur
-  inattendu, un feu clignotant, lumière trop vive, etc…
-
-Elle n'arrive à gérer les hyperstimulations que pendant une courte période.
-Attendre à une caisse peut, pour elle, être elle un calvaire.
-Si cela dure un peu trop longtemps, ou qu'une personne la touche par
-inadvertance, il n'y a pas d'autre solution que de sortir du magasin, en
-laissant le caddie pour retourner dans la voiture.
-Je vous laisse imaginer la difficulté pour traverser un parking avec une
-personne en crise que l'on ne peut pas toucher, qui ne voit et n'entend
-pratiquement rien !
-
-C'est pour cela que nous vous demandons la CMI Invalidité/Priorité et
-Stationnement.
-
-** Scolarité
-
-La phobie scolaire de notre fille l'empêche d'avoir un enseignement dans un
-établissement ordinaire.
-Nous avons essayé le CNED à domicile, cela fut un échec, car son anxiété de
-performance et son isolement social ont été à leurs apogées.
-
-Pour l'aider, depuis septembre, nous avons orienté Anna vers un
-établissement privé à très petit effectif.
-Cela est toujours difficile pour elle (incapacité à assister à tous les
-cours à cause de son anxiété et de sa fatiguabilité), mais nous avons
-constaté avec les équipes médicales et pédagogiques de réels progrès
-d'autant plus qu'Anna est douée, motivée et intéressée par les études.
-
-Cependant cela à un coût élevé.
-
-* Chien d'assistance
-
-Pour la soutenir dans ses efforts et avec l'appui de sa psychiatre et de
-son psychologue (cf certificats médicaux joins) nous avons pour projet
-d'adopter un chien d'assistance qui pourrait :
-
-- agir sur son état anxieux et maîtriser ses crises d'angoisses ;
-- être un moteur déterminant pour son autonomie future ;
-- rendre son handicap visible en rendant les inconnus plus conscient
-  des difficultés d'Anna ;
-- initier des sorties en extérieur et sociabiliser grâce à l'animal ;
-- faciliter son autonomie en lui permettant d'accéder aux lieux publics.
-
-Anna est très motivée par ce projet, c'est pourquoi il est indispensable
-qu'elle puisse bénéficier de la carte CMI ainsi que d'un taux de handicap
-reconnu à au moins 50% sans lesquels un chien d'assistance ne pourrait pas
-lui être attribué.
-
-* Conclusion
-
-Bien que le TSA ne sera jamais soigné, avec les bons soins et les bons
-outils, elle peut arriver à vivre avec ses phobies et devenir un membre
-actif, responsable et épanouie de notre société.
-C'est pourquoi nous avons besoin de la reconnaissance de handicap d'au moins
-80% et de la carte CMI Invalidité/Priorité pour qu'on puisse lui attribuer
-un chien d'assistance qui est essentiel à la réalisation de son projet de vie.
diff --git a/notes/mdph_recours.tmpcoDUQI.org b/notes/mdph_recours.tmpcoDUQI.org
deleted file mode 100644
index f564eef4..00000000
--- a/notes/mdph_recours.tmpcoDUQI.org
+++ /dev/null
@@ -1,113 +0,0 @@
-# Created 2021-12-22 Wed 21:44
-#+title: MDPH recours
-#+date: [2021-12-22 Wed]
-#+author: Yann & Krystelle Esposito
-#+lang: fr
-
-Nous demandons une réévaluation du dossier de notre fille, soit:
-
-- *une reconnaissance d'handicap supérieure à 80%* (avec réévaluation à la hausse de
-  l'AEEH complémentaire)
-- la *CMI Invalidité/Priorité* indispensable à la réalisation de son projet
-  de vie (en accord avec les soignants)
-- la *CMI Stationnement*
-
-* Demande reconnaissance d'au moins 80% de handicap
-
-Depuis avril 2021, date de la demande de création de dossier MDPH,
-l'*anxiété* et l'*autonomie* de notre fille Anna se sont *dégradées*.
-
-Une *ALD à 100%* vient de lui être octroyée (cf attestation).
-Compte tenu de la majoration de ses angoisses et en s'appuyant sur le guide
-d'appui aux pratiques des maisons départementales des personnes handicapées
-de la Caisse Nationale de Solidarité pour l'Autonomie (CNSA, cf document en
-annexe) Anna est dans l'_incapacité absolue_ de réaliser des actes et
-activités simples de la vie courante comme :
-
-- faire des courses seule à cause de ses hypersensibilités ;
-- se diriger et agir seule en ville ;
-- prendre les transports en commun ; incapacité de programmer un trajet et
-  surtout de répondre à un évènement inattendu comme adapter son itinéraire
-  en cas de dysfonctionnement.
-- suivre un enseignement dans un établissement classique
-- initier une sortie en extérieur
-
-C'est pourquoi nous vous demandons de réévaluer son taux de handicap à au
-moins 80%.
-Et aussi par conséquent de réévaluer l'AEEH complémentaire à la hausse.
-
-** Description des crises
-
-L'intensité des crises d'angoisses autistiques de notre fille sont
-invalidantes.
-Ses dernières vont jusqu'à provoquer une incapacité à se mouvoir,
-hyperventilation, cécité et surdité temporaires, pertes de sensations.
-Lors des crises les risques de chutes sont présents car elle n'arrive pas à
-tenir la station debout.
-Afin d'assurer sa sécurité il est pratiquement impossible de la laisser
-seule, sauf chez elle.
-
-Les crises sont provoquées par :
-
-- *un contact, même léger* : une personne qui la frôle suffit à provoquer une
-  crise. Par exemple, récemment une enfant à voulu toucher sa peluche
-  lestée en se précipitant sur elle. Anna n'a pas su comment se "mettre en
-  sécurité" ce qui à provoquer une crise que nous avons eu du mal à apaiser.
-- *trop de monde*
-- *les hyperstimulations sensorielles*, par exemple, bruit de moteur
-  inattendu, un feu clignotant, lumière trop vive, etc…
-
-Elle n'arrive à gérer les hyperstimulations que pendant une courte période.
-Attendre à une caisse peut, pour elle, être elle un calvaire.
-Si cela dure un peu trop longtemps, ou qu'une personne la touche par
-inadvertance, il n'y a pas d'autre solution que de sortir du magasin, en
-laissant le caddie pour retourner dans la voiture.
-Je vous laisse imaginer la difficulté pour traverser un parking avec une
-personne en crise que l'on ne peut pas toucher, qui ne voit et n'entend
-pratiquement rien !
-
-C'est pour cela que nous vous demandons la CMI Invalidité/Priorité et
-Stationnement.
-
-** Scolarité
-
-La phobie scolaire de notre fille l'empêche d'avoir un enseignement dans un
-établissement ordinaire.
-Nous avons essayé le CNED à domicile, cela fut un échec, car son anxiété de
-performance et son isolement social ont été à leurs apogées.
-
-Pour l'aider, depuis septembre, nous avons orienté Anna vers un
-établissement privé à très petit effectif.
-Cela est toujours difficile pour elle (incapacité à assister à tous les
-cours à cause de son anxiété et de sa fatiguabilité), mais nous avons
-constaté avec les équipes médicales et pédagogiques de réels progrès
-d'autant plus qu'Anna est douée, motivée et intéressée par les études.
-
-Cependant cela à un coût élevé.
-
-* Chien d'assistance
-
-Pour la soutenir dans ses efforts et avec l'appui de sa psychiatre et de
-son psychologue (cf certificats médicaux joins) nous avons pour projet
-d'adopter un chien d'assistance qui pourrait :
-
-- agir sur son état anxieux et maîtriser ses crises d'angoisses ;
-- être un moteur déterminant pour son autonomie future ;
-- rendre son handicap visible en rendant les inconnus plus conscient
-  des difficultés d'Anna ;
-- initier des sorties en extérieur et sociabiliser grâce à l'animal ;
-- faciliter son autonomie en lui permettant d'accéder aux lieux publics.
-
-Anna est très motivée par ce projet, c'est pourquoi il est indispensable
-qu'elle puisse bénéficier de la carte CMI ainsi que d'un taux de handicap
-reconnu à au moins 50% sans lesquels un chien d'assistance ne pourrait pas
-lui être attribué.
-
-* Conclusion
-
-Bien que le TSA ne sera jamais soigné, avec les bons soins et les bons
-outils, elle peut arriver à vivre avec ses phobies et devenir un membre
-actif, responsable et épanouie de notre société.
-C'est pourquoi nous avons besoin de la reconnaissance de handicap d'au moins
-80% et de la carte CMI Invalidité/Priorité pour qu'on puisse lui attribuer
-un chien d'assistance qui est essentiel à la réalisation de son projet de vie.
diff --git a/notes/mdph_recours.tmpkI0rDy.org b/notes/mdph_recours.tmpkI0rDy.org
deleted file mode 100644
index 7768672a..00000000
--- a/notes/mdph_recours.tmpkI0rDy.org
+++ /dev/null
@@ -1,116 +0,0 @@
-# Created 2021-12-22 Wed 21:23
-#+title: MDPH recours
-#+date: [2021-12-22 Wed]
-#+author: Yann Esposito
-#+lang: fr
-
-- tags :: 
-
-- source :: 
-
-Nous demandons une réévaluation du dossier de notre fille, soit:
-
-- *une reconnaissance d'handicap supérieure à 80%* (avec réévaluation à la hausse de
-  l'AEEH complémentaire)
-- la *CMI Invalidité/Priorité* indispensable à la réalisation de son projet
-  de vie (en accord avec les soignants)
-- la *CMI Stationnement*
-
-* Reconnaissance d'au moins 80% de handicap
-
-Depuis avril 2021, date de la demande de création de dossier MDPH,
-l'*anxiété* et l'*autonomie* de notre fille Anna se sont *dégradées*.
-
-Une *ALD à 100%* vient de lui être octroyée (cf attestation).
-Compte tenu de la majoration de ses angoisses et en s'appuyant sur le guide
-d'appui aux pratiques des maisons départementales des personnes handicapées
-de la Caisse Nationale de Solidarité pour l'Autonomie (CNSA, cf document en
-annexe) Anna est dans l'_incapacité absolue_ de réaliser des actes et
-activités simples de la vie courante comme :
-
-- faire des courses seule à cause de ses hypersensibilités ;
-- se diriger et agir seule en ville ;
-- prendre les transports en commun ; incapacité de programmer un trajet et
-  surtout de répondre à un évènement inattendu comme adapter son itinéraire
-  en cas de dysfonctionnement.
-- suivre un enseignement dans un établissement classique
-- initier une sortie en extérieur
-
-C'est pourquoi nous vous demander de réévaluer son taux de handicap à au
-moins 80%.
-
-** Description des crises
-
-L'intensité des crises d'angoisses autistiques de notre fille sont
-invalidantes.
-Ses dernières vont jusqu'à provoquer une incapacité à se mouvoir,
-hyperventilation, cécité et surdité temporaire, pertes de sensations.
-Les risques de chutes sont présents car elle n'arrive pas à tenir la
-station debout.
-Afin d'assurer sa sécurité il est pratiquement impossible de la laisser
-seule, sauf chez elle.
-
-Les crises sont provoqués par :
-
-- *un contact, même léger* ,(une personne qui la frôle suffit à provoquer une
-  crise). Par exemple, récemment une enfant à voulu toucher sa peluche
-  lestée en se précipitant sur elle. Anna n'a pas su comment se "mettre en
-  sécurité" ce qui à provoquer une crise que nous avons eu du mal à apaiser.
-- *trop de monde*
-- *les hyperstimulations sensorielles*, par exemple, bruit de moteur
-  inattendu, un feu clignotant, lumière trop vive, etc…
-
-Elle ne peut arriver à gérer les hyperstimulations que pendant une courte
-période.
-Attendre à une caisse peut être pour elle un calvaire.
-Si cela dure trop longtemps il n'y a pas d'autre solution que de sortir du
-magasin, en laissant le caddie pour retourner dans la voiture.
-Je vous laisse imaginer la difficulté pour traverser un parking avec une
-personne en crise que l'on ne peut pas toucher, qui ne voit et n'entend
-pratiquement rien !
-
-C'est pour cela que nous vous demandons la CMI Invalidité/Priorité et Stationnement.
-
-** Scolarité
-
-La phobie scolaire de notre fille l'empêche d'avoir un enseignement dans un
-établissement ordinaire.
-Nous avons essayé le CNED à domicile, cela fut un échec, car son anxiété de
-performance et son isolement social ont été à leur apogées.
-
-Pour l'aider, depuis septembre, nous avons orienté Anna dans un
-établissement privé à très petit effectif.
-Cela est toujours difficile pour elle (incapacité à assister à tous les
-cours à cause de son anxiété et de sa fatiguabilité), mais nous avons
-constaté avec les équipes médicales et pédagogiques de réels progrès
-d'autant plus qu'Anna est douée, motivée et intéressée par les études.
-
-* Chien d'assistance
-
-Pour la soutenir dans ses efforts et avec l'appui de sa psychiatre et de
-son psychologue (cf certificats médicaux joins), un chien d'assistance
-pourrait agir sur son état anxieux, être un moteur déterminant pour son
-autonomie future et rendre son handicap visible.
-
-En accord avec sa psychiatre et son psychologue nous avons pour projet
-d'aider Anna à s'intégrer socialement et à gagner en autonomie par le biais
-d'un chien d'assistance.
-Il lui permettra de:
-
-- agir sur son état anxieux et maîtriser ses crises d'angoisses
-- rendre son handicap visible et donc les inconnus seraient plus conscient
-  et prévenants avec notre fille
-- un moteur déterminant pour son autonomie future.
-- initier des sorties en extérieur et sociabiliser grâce à l'animal
-
-C'est pourquoi il est indispensable qu'elle puisse bénéficier de la carte
-CMI ainsi que d'un taux de handicap reconnu à au moins 50%.
-
-* Conclusion
-
-Bien que le TSA ne sera jamais soigné, avec les bons soins et les bons
-outils, elle peut arriver à vivre avec ses phobies et devenir un membre
-actif, responsable et épanouie de notre société.
-C'est pourquoi nous avons besoin de la reconnaissance de handicap d'au moins
-80% et de la carte CMI Invalidité/Priorité pour qu'on puisse lui attribuer
-un chien d'assistance.
diff --git a/roam/org-roam.db b/roam/org-roam.db
index 31d35aad9e4f03bd89eaf7ac361baf2cf4c4e744..474b354e45803e17b161dfd9b7d95f602312e3df 100644
GIT binary patch
delta 66661
zcmeFacbF7a)<52rJNFP~2oq=q7?^=!ItTKA<Qye48HOBHlrY_3SQTaLm9qv+tFB_g
zh`T0qjfjW|v$DorQNe^+zn^=nYNmR0zwf@!^M3#MJ->J6sp{@?&pr3nty}k=Tun#2
zG&SY#>{=o}X0zFr<7kINz~RIp<1qgitbKEH5yR|Xu-D`J&gOQO*?d!d&v{FIC7#{x
z58V@8&$)7(4?EX8%kFMB<wnQdA!l#Jai*Yk>eNX{P0!T$2CM5E*DtU4XLkD*kI(aM
zXVhzaKl)DkzVLnO``GuM?`_{}z88H5eNX!K`~K#;$9KE$Cf{|wD}B3sJALQt70fQ-
zGo6m)Xz6(?XzyXAfhz2>BXhKTAg#Gd2xNx0ujn85M*_iU!XFQWqVcdl7EJ~Mfzm#q
zNFo{XhvI=i(jV{#N>fXGTH4p0QCYHUu3)F*cgr2=$Gc=_rno~El~5w&kB76U#FC+y
zPGz-MOLr>eeaY<YQ|u|O+0eMWu6*6bb?fU_WR#A9^49(Y<I#ve63e0#4+PO0^e0{B
z(b7@6_OKk!9L_JJiTBHKdip*&nfbn>wL6hWDDF>$L)jN)5J_!xYw32C`p^vfL~_#L
zzsePv*K@5Dg2`muAB{wRpF)jGOFQy)3J-aNe6@IeV_o&~%)NPm_LfVD1jGJdFp+tu
zQ=WR7Q%e_C=v5YcCOhf#2jza5-JL43DuiSHXiTqA<<Qbv7gnL34nHF2)A5I8HM6m^
zwL&<M4EjTXc&52)t~2ehYw6&K>dFeLzDua3!xe%vvntdpGbfmzY3x$buC-^OL?rHy
zv1;g;W_GMT6R2=yCWiZErgY6}1#`t83I$jzT3S}Mbl<`Hg`D^ZGhubCI8znvoEegD
ztrU!f!~R4fl-Zh}r*2WSbgww8Q%e<%Lch$?cy6Y&pnpXy<PS!o$*?~h2!w+{jCjNt
z@g!zvBpQzy6LGa{PNCY&&}2B{DYP~g2}Ur9Ly63!!aT<+iJ_Xqka@naM`qkWPv(n4
z>j(s+v6w#;<`ou+Y@}I*sXK*LnMaCza${Y6edb_Mz%phL+(~~T!fL2Bf_eXIw&H19
zn4XIB-1KmqPfdq$o{{c}^T2d2&ZE*Q&b6u2ajr})!MQ9o8|P?hEY8bQ18_bi)feZX
zsREoQr#v`!+k#W+Dx7*P!l}z-oW=~rX>kQk4St+*azyvR!8VuULHw}I^VNCZ^iFY4
z@f`GwaUFDxaX#)G=6F!J!{w4s%4^+ylyk)AgotON_dCx~+wH1se@U9q+&oiF70T(s
z0=xDOYD$*VF8+N1t*jA>)q*qS)ae47P}LcKaYrpb)lp9O6{y`dr8aX_aX+nVN|n<-
zj!{cFx64Ipmo0K?YfBX^v%g0>t#hiYoQ@lWms}zwv`#6zobJ$CPbL2@p{tgc66Lg}
z)2E~5qMI%rC405plvhr7Gr&{Igc7ymW;wOFr4@ySEfd;n9jyH?a*1k>hV_fq)z@xV
zTYtu)we^b|*R5Y$y}ohP%Kod?E-r4LQslHp?*i5(mE4-pMd>G}=Na8H*3ChgM|yjy
z@h)LO%Nm#&)yKym^H48Hb9M?d`C6oTQktA@$FFmY12<*-R*Z$n#&!YipRMH5=2H~S
zB?M43$WnBolbqW=9OS(cCZMpSwJ@`{v;z&fRdKk4ktpfeT0%{iOC4zFTcX2d+litc
zmZB3Mi@EJX5l+$e6bcJYms4wu8*o;&kn1c4aFeA*&f8KR>vE9=c7nvbb_S7aP*!Lu
zoAL)CuYFi=;26sCjM2o*XxOz-?&?Yan46O1w8I$AygVV_)dSFusXRGdVL%@|DEIdS
z6oC8qy5nqHmT?EVSKQ*e!FRRqGGE5G!*{MP<vYu_!MDoS=&SWD@STd?b-Zt+Z>TTn
z3;W7_y?x!An<JT>fua1KSXaI~>F@}3W~M5pn$V5ZWt*~)_O1|$GfTp|c{!c<Npf%y
zo&Thgm$@P`M5km~;BGM~okR26E3?gY>;|2{HA@70W_jW)HW%h)jurIC)F*f8HKq*M
zq)!!nCDNfZ%qjRXfq`8z3kJ<#l@_ygC)0cIIc6o5rmPaWQpr0)UM4YQ2=(0|PNtks
zB_B0?EMcxziybnbeI8-!PgOdGbA7r$&U4ZwIL}TO;XE>(hjU%pi*tytLL*XaS&5`h
z!+A<-1<o^5^*HxQEx<XEnu+tG)I^;7rr2zokQ$70EEUDMI8~0bKh+E8V5$)3C8=B+
z+OOaXR=*Uxhl4lc6kz0su(hlIVw}p^0v2aW-ZZvOc4o_7^$48i55j3!1gBa3aB5_f
zJFt$oXZ`N#!^vkCeb?C}A49hd@E!Jz@U3-x<Nnd}7e|rn4CiU?t!Fy@-j{v12p>AG
zb{w!5C}dx&9v26?zIPsUtQT`UCARnNqs3<L&7P^!zqHlD#jc6UW4@VEdnHfs3V+kS
zaE|wt2}$)b$5{1oWw|t1zSMnK`OH089pQP=b;x<G`vz%=Hd6f9*JR&qf7;te9x5-D
zGD4m9q}EkkStLCyHu#Qsr@M-s---`vSE!xsU%7jFw|IYb{n@jrxw&`d*F#FCLuD^z
zZkaSkpw++1CBhtf?lz%Jn4M{Qq)a%K4v!Yflv%vEa)w$W%*^BrFB4{D2I4%OHctlX
zv`jO8OwBwvyiA$GF`Jf(CBkI7`3{s$$_yS+rcC7UKmhOwwCQ@l$7db}d>n^Qjfo}7
zSpM~)1W?9gnw~FHMl(R>>WfQ+QNZmZMT<vf_McKFoRT?)^9Z_nFvtwgRE{hYDl^MR
zmMOzHh2}}PilO8SqjX5-Gr$LPc*RV>2T|vIrA!!@Svjgq8NlJyUjd$^B6ih@%<)lW
zLY#c3;HqQ1_|cOnj%HSmE>j{p{igs3(<(+Ml=)(GnGnnrj41>AIvVE+@{R|g{+ZqQ
zQBFVKjvxK#M)uK{9_^}>DP^2WaG=~<X5TXVcb5o#GFOi+6MEC`DB3OI2zS1xlnA{t
z{&8hO&&>F7Wl9eYu0A67&Rh#%_sl^6{Tz6BH@eh~3JTDrqRhncWlAB3|KmovL@D53
z1x7AEb7*`Sp4^{t1C%ZtUU3JicFs(mP$qPuy*HwpdGyc#eB@>h1J;oqxmGCa*MZ>{
z2Sb5GLm*jOUKftnl}GAhHRZ`*Fi;+h1{=b)v6^^YI8xl6c8(VUch8#mnZSgRd^#~w
z=*zx!r|)hP`a0Nl(4RNW<`XOEL{%Z7uh8SJDe^G8$9Eq<ws9Hv&d#FmzPn3y?)0(8
zeRO&u&P&s$;5?NtC%x01@O^md44lKMIXF*Dv4uUEVr%u-6kA#*orTl%c{nW?boY-}
zzdY>!cdPJu`X;d7EBM&L+&**cc$e`xwlOwezBlO^?VjP9?wsJ5ZXd1Hsmqje<nyHk
z;!<I&ZH&|;*~F%-f18MZp-B*JX~=Q^E5`k=827(ooKXA!Sd44P96k;yzJ5h@?Yhj(
zzXrCp%F01#HJF~nstJH<Lzhdj=9z!X@Wni8@VyELTTSb6u(fe64z_-tii7b&<8jQu
z!PZ@N48&1~V-${YjH_dOTnGnaeQI$qK4}V$N*s(&W5|7Ql;L1YGUKuspEeFhUmT1m
zlO>q;Du#nC>Wt|hjf2tg;~0t~h=WO`OK~tMlgXD`89&CDHOBsR!@(L2;OLEG2#!)5
zYzJVUtaFU@Wb9!t9K&(MaZJO}8Alf!`8cX^FyVMU4#r|8aWGzR431$qX5pBG13Y7y
zZ92X%_K*>2#L)o<;|d#aw8zmE2V)RBHaB;(r*qN^w6v?5ChZiehzWjM|8Ig{@rcHC
zwX6K2X85Ob*>JXhdgF@K%NrXS>+Af}EMj7Dak8PVHV~=}Rwsk;U?P-=H(*<CNG58k
z!!^*H)zt)p4e|Qg`r<yJXdsx}HaE{ZC*8sB*mu?+g(HG57r!*S1O2ph+1|rOj}8z@
z_MNj!*eM7d_jUS{@U<Xx*yp}nxKF^H6OPYGyL9C0?R{<k2`4~nei0Y_PhN1JKE)#{
zXN(*@dD@&}e}8{*EgPvt|7I|YOZ|O{$DYCwd;TYU3r&rRXYuZ~|1C-S$JIi&eUDus
z43T$LiK>5_&69CG=6K28RqZ8LiQBZp>a)s|@?+9N;{C!4wx^n#ueGPu^g@2)UwHI?
z_{N9o0u7NsZ72{52E*}4vY|Fo8?O)Hrq?9mHOXKgn205kHP!saL)!@LRTLVfXs=`>
z67fe9h5|DhKp9v!s7JX%wH6aK)mTd1j>%OMSJbUu0<}c#sts$`aY4Fx;we+c_zg&L
zaV!>0)`!D^cujpxB2*m@N9*e&@jydOeJ~UY*VcrR!BDa~6e#Y4dAD!FDe7DQZpMvL
z^%*xt{Zf#(#X5NRdB&;t39;qvF+u;Eb1qV>>ofibAG81Wv#vzv&{&`U-PEJU#;cc`
zdZ13U@k(I_ue3`OdeD~L!VI0QwJOu!)P;4XU0`6^d$llSSCynD2iZI|t{WVOwZE%*
za!3?xgIpV(-#a%tzISZ2e{bKYeXng)zgIUZ-zyvC@8ylM%$A64!;AL4omL(fe1*6z
zgY~6g^4UIHX6pEoeMhz{KM6tsy>z2INLM*A4IQ2H7x_B<;`q<2Z<0F+`LypQAVEPj
zhiUDo>SlSX*;ScCChP%PSE}0sH0VR-F<l<@zD3rx984dga?qSxf!BrB+^UnC$5nh(
za+`dyNl#^<sL+{4-QL<H*ZR>{x69|6XslTsdh8B4S2{bt)4o?L)hondPVre=zR<xY
z9`-HuzUy5ej`6(inc?2)7F?$}PdKX`Z#$;i4+u}%Bie0RPj$E2S-DWr<TcVKQZ1^j
zZEg;!AaQM_p-)<JQi^NqQb9RgZ$JV^gt6M{lub@c24w$-QfI9(CCF(-hhY16(AIxS
zIc~NSDix`Aa=Mp+ykNOhs;#%^3Td?>IH~-A&_P@98}K9F$sM$)p(W*dcwoE9<Cgu}
zLaR0m;CyXp$|<Ki8GYE>rzdq$1&^*R+S|uXfzM!_2>e}8w0cWJ<{T~2CnR)KZp!}%
z&Gxq-5x|97xwRvvGK-$ELr!7ZOL~5;P^b;FcH;TMVtUJAl!NPX&}663PMeeR$mv33
zMBa7b`u(%f|KWzhm0#$uF0nuxmvYGI+*ZWyT7$K!Y5K^gi``}?0Gq3oSjPr7l`?%4
zz?RVhufWx>^Y~qQ9zvEj+1kp9<zjbjOxBey7gc)X38AF2#wm0Judu@=#)P}%ujOUZ
zhf<ADYTM!4;JsIT)myHXdv5e}bzkBZUA4~Fow8%I{U!S(?HO%^`d8sLdlkKNojg%(
z9oVLVk-}}Z+@MfgF>_u0+I1E6>sGH?*SOx$TVo&^Xmz99$vsFp$EE~Z!L_vcRJp4*
zFx5>?x0$OgBi2CPT2Z6b9fVHWs@CbrDLUwFQS@jttRoKVRe`qH&^hyaVA`{CX;(*M
ze0SvveKf{*{iTgwJF2$c_y)Ronbb|&VAaZ3y^lE?w6@pusa&A-ZoO0Wbm*Ysq#+;5
zKCPk+xQo_3)kjWG=To76mqS*l>2o=$^=chU2F=$NrKZc<N_8~4W`^9T4Q}lPL(!<)
zObo~f!%%_i)S-_o68dRF49ft6(oHMno?5KcB2oVvg*{W@`?X4IALe2*-!91QwA$8+
zd^j{JpC@<JlBpqbS~qC$`!ije*gE@G(W1F>?#Ka7jBi)rBAaiT_i67C&wZXE_hs((
zSoDuN7dW1A47WdGPilYG1a-4=LaCCUl}AetNFnhWu|T*;&}_>D7?(5ErM*?KfjwX-
zVOn&ikk;tuVzCF^(H(2RT%*^fhFwdf+;TeKK(2a4=&r44HJ@zOic&dpx(6>_vFm54
zNLyyi6cAWWhyN+(X?=|u07xw}w-jr$S}AZyivgyCoW@Nu5uH?cC-$P8yU?#uZH+Tp
z$COJ>cQLWcgdW;V3)#$~&Ryx;zL=hT=ULR*Nyqz&{k2nnYg^LIQM}PR%CU?d9woYH
zSUDP<W;`BdSr=_e>+sYP#~#ujD_1<#UQYKm`U0?nt~#W2*Zi%IS1nDf5V~j+Qk~><
z&{(-(Jgv}rwt;YSD(&cHE?nMcu*8O1=Y1_*Jph*7&#uLSy#G2`(Yjd;9VqLsmA1|?
z-CU-1X`SpG(qag+*vG(J__eCk@0g}?*u<M-d&TB^*>|&Vv-m#c1cXjo_lZ%@de2zQ
z!Y|!VxvzAu7S48`;_mGFOnBS%sOwVKQrA#dN9RAC4>>P!HaG`5bA&q`A2{xJT<EBB
zL>zYeTlT&7vxPbKx%LXXq`j)$qBUtVv_9%j>I=44)Em@|>O{4>=uo~<o>8t+)+wWv
z0-;<!AwMo(Ci&!*9p&M29yaKQrAws6f*=hPFBGerEA#vHmF9@Wp@v9982oa1bxlpU
zJW^X1DzApQy*vcgIvR`A)<kO~#ljGJD+q<<04m3a5@$8(+NpAhD7a`21BE!~z)ebt
zDpc_A!){kl+>atm)7gh!2>>g}wV)S2B9#c640SbK$jbe6Kl|uR0wd<-1lH83C8F(e
zL&w}4M!Az7!iVw)US9F5Sfbh<&>K4>0{2a-i~vic6%lBA&)|(QrLxkCBi%e#0@7!6
zoFTnT`AqX%#Y?=~7^y3Hg`s_+j$dHtrFrS<vvHxeYv}7J>U~K57(Ong3GCx~I)i;&
zM%S~CuXIZR{TLI<L_wh5adh@JPGhB;jfO&7<4`njp*^hRIbJesl7zOu=HIIiu^v7~
z{S(4WVIA#F0J)CdOaOVCj=Y6+<pK&P(cDe6h<#j37qE}VX&*k6i#XnzG$XW!d;?G-
z(!c?r*MpkbuP;qyH&p6McaDAZW;S}a)6jt!k&S#5nDSi7=U<uLp7sw!)wk(Wd?;Tq
zaHi_&5~ZG3UwRv>ek-jS1e|y23VbN<@v8oN<&u70_VquJpP458OGe`^Dq@C?)0rti
z>B%V_{szkY^@ah24zS|I%w!^rCjSsr`BpcF@ct}Vz%Kq%`ZFu|j-F>9s$oGX8Hyk0
zWPYC5mo~Gnm(a~aanbX6#r&JZk~y|JJa~##;h4?ymFpHqQvIuZs&LGEnpg9j?S8}E
zADqc6w$--PFWH*J;)>R9GuJhV^=sL0{l7c{@0s#sbu3<9o6vww%^QU-PWxc#>p63B
zOKpFmrsGO)dViE07aIoBEz{M-jsdF3%l=HTWAvusGt`8uD5;5aQkD6ow(IHKTjY|C
z#Vc2>U$LQf$$-YX0l`2t9N6ACmPW)xE{Dvc!>how<V+WOks25Op$j9!l46J+87lhe
zqJ-!d#?T!JpkHu8>6SS>Xpp7K+NAhac9l~4Wq{Zo!`yD*Z(DeIpm;1BJxM19iXNr3
zbo;7N)I9jNRb~tkKgh09DQzD)lFFvQQpN1Gmfn0eMR-0N*Izhx+T=0*$_?w66r&C2
zDG<&2>Y~};?aORbd96^w1Y$Vc7{hQln?T3Rug8_KInd+zI(d6~dbwk+fOE8?(!M}j
zuAZ*!ly8!r5|;?wZ6iD#-T!ny2+^m`op8HdM_u>0&U4Lo1zfT-HE*((mU3IXT9~|Y
z{7ETCtQ<?#ni%M3Raim+!Q5zC9lBzPcvN?wI%SfUZsZPBw0bghF>@!0Nm^wWt==@@
zNFw16#}l;IF6L?TC)(3nQ!rZ{RvH<5`X@TqAzEFfLP2=?BolBNvox5D2X%$V!U<Yh
z;k6t1HY*pO)>u!~PSNTq6-p!{%zcc8dBi-me!Q025M>Qk(U!$xUy8cK{uO};bS#NT
z440M+Bm({<)3ERslW<RpBopu(<0_WAanJ}A>JCZ}NeWfy_ExQ5M_t`nZ3ZLI>n0Kj
zz0I{_;WSjPdnoOE1FPn{Zm~P{TPFJGS9jLvL;~TEKOBwf^;VA2(z(6$#vq6Er}sQr
z*uiix>5nG$Rvgu%nctA%X~ZWCl+IikNe_F)Ku+sT3@1Y&f0Bk`Je+B1l$I_X%BuYi
z`$Zq@g@C@tCtBT`!q8Uw6UKNpjMUPeZmf^n)%Er3);F%C;0wyo9=HlaOQpO0#mt+Q
zmQG<lUe<o{=X)^uYvinE5;5HRFjd#cdFt{JTDn6o*31%<Y41T|t!$lIAv6iME2GAy
z;cz`0s1II?Oi7(jg^~1M+4Z17!|jhn^p;jvG7m4kC9w14o&y2#xw`C@LTD)&G+JsH
zW)49ElX*+%)_S?3q;<IA3z>k@E_)6q;t4jR=+`^sPKClf@=@EKnd@vXVX1b!rnP=c
zZS6&suZtU;f#Cnw)RAc+Jzq<0t)+J3l(o6w$bvCl4>=Ah$(7a1{e40-;x3uH)wDW4
zF$Yjx{X<8)fS*2k7rYZcj?1~!`5qmYxkVMz%lF8nFNOQ>l{e`sE9SAe4<4HVK`+7Y
z3v^Y4DY@Ru3*fP1r(yq+?94ecmzMucHq>v--I8Jt$bT>vStmNM-vc&o^d>ov#y=<<
zo;#+Z;eHEV)n||;;dhx&58MdkK@S7j5J6x;e^}OiZ*=7slTnU6BIoYPQRJ<&Z9m%N
zhm|MfjJ!l1B<Dbh@HgpVsaA^nUh(Y_-}P;={pg$K>+Su~dsw+l*y_FBdxm#{c(>Q@
z`Ns2%XSZjqXOu8q=nX}~=gJEAWA0t<rS75b4z7O+x40g3HM<&I16)4m2jV>EUnQ4w
zhqGGA6(wiP>2$o~xXTee$1&H@UwBolaESI-?YD^M+PB)L+xuugE0x*{+Kt+o+GMSV
z{4e!e^`Lr<x?UZl7AjvfH;<qnhk@Z3Oj|0!ANAx6$CZ~euCRoDn1m7!?Li5Yh({Pg
zH;%CKErw7?{fDC@pXRcUu5=DQlr9|Mz!HYgiQZu)x#S#yk9JheK3=08_)sq7{L?RA
zgP+^LzdowK|6z&Y@WF`;TgVuuW7Kd8svTi|97;Jy6-1yeh0jcxu!tT)sglqu6sh3z
zBmDcC>sSxMR0*dCAxJCmp_KCy;S5IhW6B?ek{4+7C@@;pdi@Qo<ezjEN|YTO<bRfd
zK4;!57^Ci^QRP0Gh!15q?~3l&!BJm0jWNNP^xRQLC%6(FvSm1CGrU!lF#oE%*3jlL
zAoB)CtnR?L?Z5KxcRYqB1se%tg;~P;G<z)C+(+Bl#}l-deLPEV;Y0b0-iDV6H!}bJ
zMFJOXdy=Zgq3X}HZyb>A%pFLWVtT`PE6bF*9C_(xc4;3lFOiwbbPnnkXZ4>ld|(Do
zKqLR+J<j<^Dp6K*oR#YsTm3riN2zcfeab%Wq|OuZahy(J9}ZfL59RN?Ci93fW=+!w
z*5D8H6+`-nx=q5sZ{{@bn8pO1^ZEB-_p<MY^|lVOw%(#cn25^#oSyC`LsKV%hQ!^T
zlxZ9{a8&9@`zH$>gp>3#N|mb^{w^8KH}aY<JS3Hj-pXX*0^1hR`<f_wZujK6t6cAa
zcmBZHsO@$fag4LyYY(cws7sXhmD%zExsP<E)Je?v)_bQ2TWsIiwm8pp{$SgB>146L
z&pS!%7Uep=jdE&(;Wr8EK__kef78dbjYq9kV5mc}m2(YGPeu25HGGe~nrJ8#0NA2M
z3<V8mFt^qU#oE}EUrvwUJ*p*F9b9Qw8fqYpb6cIzQ=4xns5oTjAt;7sw-VL)4sEod
zZQ(d3>)J~@rPUp{HuH-=suddg6OPxkSSZt07`hw|>H3q@Ra>6YwL>PvN!KLg?pm3(
z^UoZYinTgJvCa@LDJZ3Rjk;==n<>=%-+B(KowH%|*|S1Bb>8ng|AyssBUkj))5FW4
z^PgnsZ!pyLbnY>^T<eo6lG8&uP6Oqv5W)@^x($^K`m}%^9xL|LrW)SL<}J!r!s!}&
zb_MYBES?}cZBN2PKFa2+_desD={cgzQjSPRJhN;E)mgSt?j!D5!a>&&*DU7|=Pb;^
zS@t8s1aX3WmUcuusLfK3NE75E@+^yI?KPK)xioB(sCjJ9N(Uhq7Pl?*Z<aL8_J##~
zcndVaw%08XM#UR6oOfTd6aY2Plhhq|U$wxS_Mk#2suw)hrhry$6t#A?gLuN6y6W44
z09W7+wCW7OseYOb&GUqGawpotbzf)OC)w~0bo_Ks`Bz(L&O*td+1|5&^)Xt<hT*6M
ztY1SyZ*=c(3gUXfW7!3HG<l$+YPJWm!5Gi$Ef79z#_0UH4V<=oD1yL)7BD&p0ykJ7
zhi_+)YqKGF)c<2v^>0@2FAVWc3q-%#D@9!Gb#1|u9$?_Vw*?PrX5c$4V1AdT91$^+
zq(4-A#vk7-6sSwr$tgTK9I$c=w5HX+<FMaFPDc$K#>S2II2}#4BB&nV-*7_QW?L;v
zvM6nnBzu$H28E%Zrc}Xc6SgTSw#NCId^T^B*XC*R*xXHSo2$uXb2d4enw!gL$bJ}X
z7M*~?Xg^7ld<Gk8`+_YOJq-VO^uIzq+j2pN8>Bos(Vh+8Hx@8+OsA^1B!Iup26uAn
z_y42?%!zE-hNu?XpDd%oh`9BK<O~Zor@j9&MmuEzU-K_9Z`X~iBR6K#$n_Xr{ij*5
zK_r*Fe`0fYn+42z;xT6E1s1rU*rUDOLKv6@>gg5~Ue$Qi({15~kN$;i;l`ucY=QI3
zdq-gp!>@SKn~af17yx?k7YiaEwRbvW)C8La%;E(+Mtcvng&XbN-v&;ry0YQCwJmt{
z_iQ}xv4Ghq)38Ad`$-G<a8yC>9=1S$2*|!{NS?=dcyDV9HwNzRHgG!eBJ05wZNZP6
zEvX^fRUY>-o7Z;0=6%@n6x_rQI9|2Cq&=@bt2`zDO*$gJC>%oJ0qA5?7)f|?Hdp2f
z>E`A^vMdO{GQ}KZY;5pM`r?|7Yr5d-E}Dzy;Ji7|d5pVKs>orncnE7^&L#0A^ayn4
z6;dZu+uT|WVH>%$Xg(BhbLXL2@ouT2zgaC5j>p1r&`4zKW)R54qv?cA7CH;W(ewjq
z2hG~SSR@fn`h)Ow$<pi?wNuq+p>{7rNw9!;N4{MscAyupk}4`pD#>V!dB7yv_|KVL
zaGuG!P+dt=b_xsifR@$OQiS$gEmg!#8lhN>1qDXT*sw%028v7<6pqA`u_&$(@nZ-N
z6gIYA5Q1a!XiA-=(zsfwFHQTRWnkj|WHb^AM*YcnD@C*wOF~zp56l^@boeuoTQ3Ev
z>`M!YL_8jhhWxQ`+p#rCoZd<TPs?Z$zp~Vh!<Pqfm(jq#>%eKPwfS;!-x4WAZ)A~R
z5px*X;O~=2t=?cNNgBCrmo8r_dFi3Ar7V36ly@v}j*gy`5ZfoLN1UD!+XuIYO1klz
zEc9Rq_W_Z4271?ZTDo$&uD^lXMS?C{DHYSzC$sA$LlHmJV0s-q32!m~CpP7`{#X7_
z@!CjrG+7@C1tXDoT`*Y}Kty07noQOQtLy6$@nF0@8Vv?QEk0O@D70p=U?7~pRmBbE
z7I(n{Bw<9Ou3w|2^UJG8RM6drl^Ux0Rw|(-FT<vH_P1Fb4~G%Iib-Z%?9kO(x_+a6
zvG6F_N*8~Zg&t%&)<`J8(YG>%zFm00=AG!i-1)Ra(t^q&X@~HDzUet_jwXlA*d}di
zlWJ3%L{SihG&ayQ{};tH9Ke}_D03WTpUgdyIgK)JNapWZii11k<CFP=vNGnqG8Tt@
zwrv{-v@GBsV_i15qNlCv8P*(+vHbne0x!(pR+%dI&Pi?6)!bvZZG<yob$x8xq*O1u
z=zK}n<J0~d#R+VY)M(HJ(&f6Ig|E?U;iN9_NS*0{^Q0VFb)i(QYkv@xmPgtS=~^9`
z|Lky)R75+@2VUhxCLRxLyZU9(Nk=a-DVs0{9lIDy-uw#@`}RgkHYoEAiEZO_Mq0i?
zCvU=vgzmI^8=RAPoE{#h4g@yHN#nQ6x`!8W*s!zZ?ocMyoNZ!OodG40;~d%OE&rK&
zu3Us5kjS|v5(}H7H_w&RdYk;`)8_%Hh(10q3+bXiWFfut8XKgQO72#twh%Y>L($&f
zE;-)kR@iE>QhZXpLY}Otp6@+}Jb(6_?iugt=Kk9KjC;3xjeDfKt0U?<ZlB|N+;y32
zg=@I|Z07)1p6x>+M_3{Z5<U?g5i-(u4hO8e4@(E7Yoztk7^zVFLcK%Xrk?8j#QwJ0
z53}xN<z{8@7G=8qPNk3hv;3lbqkI;#B&%;Yy}m8t3g2`s<m==8S$oy{0;Gc*<sRO%
zyi>eAotM~~?G4)bu*p7}5=+1-_vLc95qs3`TFB@RanZf{?@Y}9haOWzOIX1x9JTor
zD0)ugkuORIjw(FK6eYj%@3(Q?%qO(+I-#%jlRTMMIs7rKxU2LyAliN-v;+^E(KKHI
zPq>+i{)~@XXdFJ2y`0d+?HJL&@%lz^(sQiz8(uo>BBs~5f(0H45t?#6YCmd5PVvYb
z7XO1uVTtAO-Y1vPv>SlAlD4pq=V=f7c!xzh!CWn{e*Kxs@u9rLo9*tymDbXmtl%hJ
zj-D#_@Yb)qlc_^q#Phn5R(4f-3kT_f&Pre90E~ev=~x$~khcB>l?EE&SBUWvCQ`qf
zKp@5mtSo@NT8PqifP?_;WhMQ2$(l=;imWf)cQZhGFq9ryMhh9_5bqcZMN{VRugl(t
z5@?N1^h#E>7kT%9Xm=Wb52c8g410&EqYC)<E0;2?JbIWF>-TR{9UJN<PS1!Bqgy~D
zZNz(hehZXBHN1H84`_KI`>ID~(W+ZPhV)kY<DS6R<0%H(&(W{_7N*#>M)Vksy$wYF
zL>t)0)pRZUxZ8}UE1Mjo+9Pr=U1zpqKAU{oX$p%BTSjNy4x4medf|4|*u|s9lzyE4
znqj#575r<T{;<W*qb+wpaW;wfXL6NPveouSeMKjmx4(P7^L+dL>PJd<X}&=Jy%im-
zO9=PdmKv5WXGYe^U8?i<6xRoWb*!X3QIk3g2HElXrNW%z+PeBgtUeek55N=W7e$fT
ziq1I4HLgT?&|J<*NDCV%$E!G){tZ8JWww0Ny?b;^=uBdgE6u+}{G+ifvY+#A6^rQj
zO=3Gb|5mY|zA|zt(|?<IsgBnobW)ewl{~s@kJz3j-7cC7?(O0pgC68sI(CPMb|<CE
zXnhL%17B&GG(h?3merp9?7dAY5=v>*HWP_2>z{0suGfk2pC`9V-DzD)YDay}mdwsE
z<{zxLu^97xhH>IFdL8zek=w9;e1DF)fAE%vzJQ(SPv@HZhY3?@&Ir`#bT(={dtO$J
zRp*0V;~ykr|KK$M%irphL|XwOvcxoY>3<{0LeLels|)tDo#hh{)wC)qX(sscJssg(
zsfK8%z9!lbC=b`wA+#^q5aN3-^CV0)EMgWaa3!W+;l^t2S=f-;sM=woM-ME!c`i*1
zE07=ew`|%AhzStpX8xlEZe9jtnJe3ZF-8FI&IU7Ck0m=Xr9Xs{(`O+juD)PJ1lZdW
zVg8!}L)v?{O#$tEis>a@X$yWEZbq8zt!!`}T@zu_-t%q1CM)wyHXQx_Yc>QkCYKSo
zy$#q@OI_X;9?%s8H(7-37P(B_Vu9u?5DQdm_&gtdLwf(xLYBh~k@$Ev9R2+)8<Iz>
z=dk{MU;*RyK^u6GjoM3Xz}}G2;5%&!XypNh|8g6!H)M3=@iqlCcq+qxv<=uBGSqYj
zep6r!)S>JGXwuGN{eQD9_>m_>b*b$LSI~=+jVX!5ZNIM&;=Hk7PuT@61r<{3QzVI!
zunpm^+u8bQ{j<-)Ts0pX@V<Voq$*G_ht1pzd|6q2DbpgJW4VhuxLR_kXIgs9p)9R}
zX4}~oT-B%oyu$)!nHH$qFKqnoY774DL&~v@hsn~B7AaocY@xw8PE%9c%APME4mZ~S
zpW5OZQ{udAIOf{9mi9O=`~0b*s&383Yf;}^)CNwE)T_9&7q<a>j2W`a0?*k2FJW88
z(j2=yPf%B<on^%Y+#59XGT*l;pp{Ox#Qod`><t=Ce*BvPV^V&UUC=Uwm$rcuW5G4s
zAKQRU9o*+_;YL6I*#=HS?qp;>%m!lwzRHH=nPc^x1<vQguyt(q9R3aXZc*E6dzvvG
zIf#4nb@S$XBCd~Js<WM=Nc&lHt7S@_9FYc#GlfaE2F(y86`R~7+l<I!7D?P>JHmxW
z>oa4^dT6lMr0VqzsIp}P;@c0cyi1r3caEO4?rEXI;-C_W1dtAgu6;(xLrx$BVVOCB
zTEZRZN2lDGs-F?83Ws2V<q`@<DRn@|bJQbh51SqwTj0K3+Y(pNQCm{IZdv{E<uvqw
zV9mi3OhkkJc!XD0*Ux8iJQK)k>DL27AMf<)<<*UA>(}{pkD6Z33RWMZa55f89A}Ka
zIE0oL&4YrayU{XBZKE;EQhRNAef8RvaFF@wSs`di{sVs>Xu=Y#F4QFL=4$Eqc-AsY
znG~jni^XpA<-x2A4TsTOBpfiBn`5RJVi(#HR-qJ!5Hv{7J(qozQDiepCV5SD<!sZz
zh+m~bkCdXZ=lX~qy7N$Wi-<h)L#t$TvglMTJz@^;B%SDs+zU^Xi6yk>dBN(t6%NFp
zoQXksX7$~Q>H5Lc>RF}=sXkNH%d=~g+=-6&L(64?SV6Ud(nno8Q%iU0tGBYZzZfQ;
znC1Tj&1J+NN(5+%2+yvCGfZc&MiwN&LmIr&%EmM3U!rKe(V;*D`NSeL8MW-`antST
zIVqkCtBU?KLcExcOIfWXp%Y@-JPOEYrEZ$(09H?XWwA(ITMwVJ)9Ij`<p2hiVUp{<
z&^2Vw5~d>6*~}JoCNl)mhA}wZrewKRMS?Np77OZ4Eu3OrP(AG&hZ}RADpss$^(zX&
zFU}ufDniTnn$CD^H!Q-|C8p(+%y&D5n@p6{zug&AlHd>oo0NiHxryzO_EdB807Xoh
z+#1golyke{(1cSg>&el(lw5B>ckU79wH7e+cA@f+zL^N!?b$_Cb(!L@3kk`xmjC{q
z$r_-e_hZ2phPKjxYY=qv!Z-_rS0CJtZLZ(81sfZ5TkwuI81^M?z&XM4fUzP!(WZ!U
z4zU_9wgIym1_ShVn<5%IkMRcYw*~L$Dg*pWE0~XO|9xzHM`S~D!sP*dXA(|rEny=7
z_N||aftj8?in?}M-Dp9^;9%cq%7$QvH1_mAv?(C(C5&r6KO5YEpgBXYFKY`fjH27N
zN7{lf{DfiO*A{%u9~t<Tw%{wiW#D_;fHAbj_HMiRcZv*N<?1#?bhXSz{U2??IYp9V
znr#o;__`rd+_&E6^8VR7(DS0F5vIc{;5W6~)y;Xa<3anI_J9^plgbOq68Tqol`Kmn
z^%tKI=L=s67YN0+`*@%^+xQyNooLIK$`VH&<m;*VL3p{WiNFsk_bX+vBiC?(zC?$m
zzETDtDa(UjDT`_Imx`VGeyvms?P<r?$`ZIbon#+5wCEdr_~_|xl;sXD2%MT<nh)RM
zZ<GkFIjK~@x$4@J%0;yB8xV+p3j!{>>|14t-Kh%9<9aPIbrw~8rwoKw&9d*5lXko2
zn6pjlQcBQA^roHPD=#=TC<#jQQ`6O}b>JmGC}#>Pd45!m!b$b>AC(scnI8Q~*&(JS
zn)0)<2_h;T`dQf^rUhD9DGj05f09dSaHUiz)ue57@E4^{*h;})(f2KM`L9ZY)R5Xt
zS00v@*f;4NJ5z5d{DPDe&Y~4x$cu$D>6I_!Mqwij{Zc+}*EO;_cQez2G&;%tg!&cq
zAd`j7i2gWN&X?|z`iXxR=L%m48w58G^=D!JOn1!^9IzAuEWdyr{NEN@p6ZwGLaQE@
zZihc#(Ie6lXD5v7#(d}%7SKfpOnpX+L_`Ch6<cL>E+uuN2c8z8ay|$>1=4iQ)J;lk
zJs{6>CNf`x0P9XW4gk6G5RiF#tzp-R`ApQc)6qksq0w&P*y-5w;PmGogoSJO8dD9@
z!oShLwI+EJ)(vT%s@9>`%<G*3UkPI=X9MfVdJCp5<5HImVrOACg*Iee<ZBy5Bes`c
z^9QGi-H<IxKHWrO?hdr)bW>x)f8KlskY>>{XJjG4eZ!!{k(f6JjlNsVz2t;^YL4wK
zo3EX>ucwE5fNQj~#<9kJzIL;EKshYGAbl<#6As$mQfBD?ECH(avNNR_zZsO@PkzeM
zYSE)R#FR6&VijXx3{J}u;OJsO1@->*)yu$ct^QuJvRfh89+3o;7X8euQUxo)$;{Ll
zJ@{rXqUAqiSzcfOgViS)HPCG<v~=&Jj{e+RNMSYm$1L=448#$iPdUFzd1}>i#+m8Z
z-Il=b@%TG<z9K(mS4jj=C6LgoY+9zJdvO1B#{S9Ve_!fF-QI(XTG7wh)k1N&wS&RK
zb>ultUka9UXmw?!?q<RKF39<T)P+u>7P^G|5@1l{u^6-TCKyk~60$O;E*=bniGrak
zz`U)wy)QMtk;MbBem4-pnG5LoU$WW`!VHEKs6oBU3zwLD3d?k&hdRr}m7~Yf&A&=k
zE;$$mcN2=ld6(6?#U>}!Ks?s8xS@JQ<MNHP{!t-dO(Kh~fwyk!K5c{mtZXn@*am`|
zH{9xvNgkU0SQaPB(tzT!+t`|sq?7yf*VLN{Hyhwu+!`3ID(jY1FRQ1>-?RD?jECX=
z&IZcDb|p<>tLsd*ww7?q6?*o#<fm6Zhk3Ni<5`^w$02Vdz{USAorYS|shlOp<w2xf
z>AP$Sp%7BK#@iU+6R>P^JF`*)xoN0=6A?YYW0rf<H4@~e51+_l?vdyL7V1cdi9Vf_
zYMw)aCp%%@I&`5Td+Dwxg<vd%)UH5Gh7n1JRI)9z2zFZ(VHU^3kq}bbhV_ItspVCs
z(>_lV>~|HfsIO~W&y!?Q<|!et(8A0{VRw%rY{EJk=C!cR+Gjgq^Zw+Ou}RxqlH(Wq
z_uAL$ape>FL+Pmaw(zm-gluc`kIc#Tw2)fD&E40&Ag<L?Rm>@(7yaWyv8yY!E;Sp!
z#<sBKTqzxSOzcHt+@`NWIO@j$M*?89v!_o2PZFO#Yg4CkDnogS*9E#p{D;4Tx$o|g
zDzJLM&4N)0!`~qsF$az3LPnAggUHs@EY{2F5q<RsnCn%c*b34QAX2Uqfq5LV3yTnG
z8T&*s>W?AOt?pTnn#qW;TV6$cqkuv*L@#(vmkB)SNY2aZAlfB+q>YYXxMo;rF!dl)
z_fg|B@c-E3lPcPoUBO}!fl)dbq-u`@ISRR^+f-zFMYfCfrQtzK58@cj2(t0Uv!7_(
zdGji!wGuLSQ@+FYrTmbEP%IP+U_rrJlyxZ<LQ`7_nL91teaq-;E1_sK8p4bY!`yG3
zeHKDf+7Mz&6}Bn&rRTzy9z_xn_zb|A<lhpSoJEN5&l-8xi)D0U#7YPOM7T>>w*Fm@
zCRqrvyM*05L|da+rp+4^jzp3OGC}4bS`(M@kY!>b>WtNAhq<};qS-M^olq<u2}S*h
zSd`Vtb){{o39O-(N5tIVLllTxCPNVRC2TMuUX3+{C@Zrm-P8k*QyOy?>_U!&r9GBv
z2G17!CtBJYm(?C;P1Mb}w)ar4W%5NMu?XaA?6a(!yY`EnM@TQ5|F#*vCb{L8^fLSH
z6to#xFoUo74O4M8yXLXK=|j-aRu?091stQN)q$awIWUAGu{s1}CCVX^$IBzIk&UFA
z1}KKD3WLVoK>ui%p^Ts0Sd>Rc6H0s9G)QT+eR01{jq(R8h6@3_J9S@9>M}&>46Y+I
z#H5XRT}VfVD6I@7>}5k0ZZ8{7sV_`MjV~x~{}Xqi;>#B9lNrq-Ux`IRB~Aaz#Dw*$
zkeRmHQTwk&BNFDs*J4B%M!mi<k@#~7;m%3>G{r~neIs6Av9U3!kKQ>6u5&1TdlGdx
z16=i`P)zq}N)FxgZ5BEc`)KcXVrT044Or&azH4ECSqI^(XS#G4KbilBlDlh)s19qk
zc`Mutofq2wrv6ijB56xA_KK|{b^;G~d;voVZKZ<U!`>upm78?mP_;=zZbaL!BK$*>
zE&ibzRjpQ*(1VvM4w`nObUM9rzvAdD4B--_X#(JuGt2;mZkuZkMvH=-xyczag9+<K
zZ_LIuT{PdkCKz}2=|jcLJj_WWPeOVNnz}HH9Gu;@8EDK2?}J6aJ!?M1gE#&1r35!N
zt4$L>9n|Fz##^A>H5Tiqt_EOEYDTwk-#DyLOxb8<or!Atp&0|se|Fe_d2nS7ESZxU
zOiL!bUX0G;8#=#G>O?E*fYNP=iGsSh1dlR9BH%wCYm^Fh1w<t*C^k<A*EC0?wp|%1
z)d`AosV(9f;r!IO)H&4I!5((hTYq7kPornXNYCYLpT7v9vAHml;;;KTh4fi3XbE|I
zEek=QKb43($Mxt_JfL#MjLH#X1{C|D%k}qZT)CuvZR2`mURz&U$`Xprs2n|=r4;)w
zP)XR1EEZ7wa+PS9KJ6{`feT@7AN?N9BQ#n}hx!<1@640|Dg$+=cS^-h@bo`f3dF1g
z6ih?<gnmPL{v#tX#Yka3Mf(}ZJV^$9-cK|l+ZZB)CE+vBwSNl|QeM!@{l&{#snJme
zJ60j)O529arID4uMGBsUt$I*8St)MUD^zu0fi{MM)I*;SM~~-_Izk-GE$jQB1HD1e
zQSo&wy*X0M-G#hUp?7WGf$m)AZ2L0xa(RdNpzU2-MEScCl5a&mhQ)G59c}$(-n+j@
z+vYB&^HsPj@vJ~B-2_!?a)vj-lV<}I7aC}>UB_7flfX@S2c|rY>+(C1CaRtiPLo8I
z6~IU;HS9YiuO9LY(97LGucMJ}p!0R-uv@-QC&!Wc9f11f7Y~qXDbEWeK8tSi%8%$h
zV)v2-y3nyzY&-|l>`Sbc773X^q`#@kZ%1!;$Ea1)H{JES!c%@*A~~4W-UtpfvwvGl
zFMC|h6Ngt(eoy^I&1+HG)4`sip4N&b@%Gcxy)gJ#=w>WoI+3%SH``y;6eTQG3rj>B
zG`aZKce3nXI*gsQSyn77T(vQGk4AXfA<GU^BDNEz8cQ9RIlcuFnC1<H?bj=B+mQ0m
z;xqN(n#r8n`cuhS@>RxtVm}ci*_r-$h71kKCew8e{^f<_-7Fj16LU8w<nZqdeN||S
zg&6l)2XD5;#N_J+^JAxDTM?r<f0NvS_D%z9&cg_}_uZUn=ElH()=$Sq=AiA<F{Y+7
zULL`pUZbTqD{ks0D+-O6VQy(?fS0N?cqSH3JI$JDR>UG%$Q<|({HZA_b(m$@tqRC@
zD$q6Rb1Kk}v%Klo%odC3l~ct{`dGA>KdH;T*wSXs#Pa{iY;*Z<vG_AjY-3S2VfidI
z;mk{H-VyH8ooCwbRrkv4#7k^5knFKNl2`s78}oZG<0k)xwfP&em)yTYT+Cc)7VLZQ
zX|bIkZCiL6<-dkh1$?<^Nf1RZy@r$^EW15nx#&&y5Ynn`AFzRbdfiNGz@o$G**Ap0
zw>~u-gvSr4;(AKHWuhK_3*nMHRX%&RSeO^fJl_c!L593z;vm!uVY2TCMwsl*1g6ou
z??4lJ>|Fs*;hAfx>L1vxu%^}{-B363zh~|+c)<Ge2w`d4*fq4^eREGUbs)R+>)=0+
zUCoFMSWTrL0*$Xn&~F&GVedy$m_2L#Hd+0!I^tQ|)Vi>-!L=@Q&CM`{4TT!Ybl=6|
zBr|EKFXJHzsUwj=R7e%@Ul7cYj;cCUNSB{)PJU+4rqLH5hM5mH|Jmgtya@+;j+<s&
zD3?K%v-Lut^TiC4t$_Mp2w&8GJKEOijF8&UMJ8d+qQShu{9Mha%7igLSDEvOU1@!_
zYCJIfG0Lw|4K9HH>|LuCAqBvwS`&$rfCGb*{<K*2l31r+sQ26~aL})HYG)`}JJ*|a
z_#*)uzd_ji2|jKE^RKE^;a}CD8VoQmZC;#(ynBgSM4jq^_v{iAkGBVx2`eMSJSdpc
z7GE<jRh9NLv^S8cs1TWo*1Ar(9@lPn4R;=MHadqm+uK8qj~sQ5gu`uD?dRJU{-^)3
zVtoz5Q(H(&8&&VFQIbr57%TBa-99{BX_YQ=nhZL>oTy8&Ui*l%<w7y7P?g)n;!A+$
zF|qj14qgS$%TDmim0nXi;M89Cnt1%@hdw2r=DU>+^ymxV!uT}VTO{|OsuxZFG|r9I
zy(D!*@|^82nNJ9ydDQo1$?9I*`4xEbLcJe<#l+&{45ONpmR_c~ch#vXefx@jv4#em
zS={Kv5yZQ~2;g|ttcVr16J62?-0PFCN``pAVGq5A^)>bi*v3y@GdrBq3EJ`F?L|BN
z;dQgud;+o<Eb84LF>Ugw?zXiy-{rm_@}TuZ9<+(>58P8+FS(YvMCWDB0>>Ul!hXNK
zulATWM}0yar0i9ka+UOpbgASOw~BefZNe$GH*ITa$_W<5wOVNp`@|e-9w9G*di)1`
zI8HT;H9u#D4lg0N5f6a6``{@+m`Tx*FjLH+t4GQg;l&C4N6BY9rWxoLP}B9W_q;a>
z_*1EHv|J-hp{CLD&3K1G*%<i-VG<o4BVQm)r1@jz^PCfycc#{Buu!|Jo6?iokCW>i
z;|)?*>PcU290yY4=pW<I=2#j(UcSIF1{kO3hmqswg$Xdb*eA%79HRl72Us10Rnj#R
z<UYbEdS-&WMi@y0C(4@~rx<j%GmPH!@kBWZ0kZofT+(nlf0De|Q3;It{Gp;qM;9Qo
zRq<qbB4oYQljWTlo}rZTOG}V2>l1u91_O0LeyONrz8G0TsqWG+=OA`1BjHmzgTub)
zF0FG6)Y}v~a!{sN8UWwrL&YGFM9D-TuO+;+p*J=3kRq2Hl_L%$pyvF|(~exNM%gVr
zD|`>Z!1AnSKe-UFPopcwVW#Pl<yTmuhK`pEz8RB@hm1ld0;@q!kHJh^HNhgFAWmSS
z>Fmk*fDV)3Il7)glPq&Lk6xdYh4kTMDWAE&uG^OwCOQSG8ioaW(p2c@`O3{(MTjX{
zy;o#1-CFv2s!5MOYS&N8deoYyqtP|Ace({BmuAh7tb*T&nb_=pnu;q}JJY-Z{xmyg
zW#OHi1-v_^1FzSq7Q8&>KxC&UPL<9y_80cdGp8cjJ6q}uH}hv^o6Yk@2R?$vN@f0J
zUa;JjGu&tU6z@#&w)42%noD&2Z2u0Sn08fBY|@Y7N#P6Ir~e&sy9ezYCZ57JN1fL+
zwU!w7Ezo;DkZjQtu?#?AL}MY+Cr(v^rCe5NjJcy4s?K3>Xrh64K_&Oc0oIyOF(E%P
zvpSeHN4Ke|-UId0ih-6&2u%w!byl*q(x}!-+&vhff*KvY7mB-4gDf@Uv3MMzW5GbO
zrMZ!<HThC{(>^gm-3D7K#gYjGKS9IHo6B=<O`XE(RGS)Qt_0ikSM>6`!BYSJ#(T{m
z;D!ST(rSq_)8A?aU7D_!UY{BPDu%v~E8!5$+lyWp(xPWXj94^@^wEACZS;&`lg98?
z8eI3+;UUo2Gt@!@-44R3C(d4HXSImHo@8jHD_ci^UkV&T!RkMZu^aObNb&2YioMw#
z9cDpeeviz-ks2En5AECtL3mzB=}g_<6OHgc<b?`H!qBS2YS31btS4&%$)T+z`Pefr
z1?n16`qB>|WT+Fv(9k0Y3>KmoRlmo4f`rtN)`|!L9ZfI3Z)q3r?~BHP4mY*zD{g6b
zaBFq0c)LHY1nHI!#0rFvF>?T3-50{U2${~g?Z_L6rq-nffkvxsg8SJc5?rIPYa!`g
zlT^I4{X^u+G6_cEJA`0GWc2>MKBd;D1~Pgr+F!1a>`4ng5-aBDB#;sc^F9XkH5<;X
zJE`aQVpbTta6Z!loaVgV{-S16`Xfl;{QnzsJVH(-(w)iukaV*hidCHrt}Ionm=F@B
zi@KVN55GNd3vtq*d~^RdVQd|TB=taNwvHEIb<=I$mx|NLTbP9m=MLE2y8^GW2zdJD
z@CDf7*NRMWffIeN8{)#|7a+>(@oP=V44TwDDkqHa=^K%mYwdNW)W-{!{29_^kk0+H
zDJ0^)LQUEUYSK~Hn=&O}1vKmi^!1)=A@wb}!KBTW48(AoE2|OF4UG+B!Yfl1)b}qY
zT|B9U^!i^!L-mWF1@ug#lqXfD`qPP<Of)=<1+@ES@gjry-XjK?hHa>Dn$0`Zb&mZ<
zZHTg28X=q}+%7lSc|<(ZdV1i!+4i@~#&o6{;^%$PhZZ|qy)~KVBuj_;pE_uEm$r?Y
zO<#>fCz<j~Pn6n{R+VlX)iR_^vz4866&?@@1jqQPw12dDk*1&A*ZM``=RmMyKa4f$
zuTsUXbjvtXv&HpgpxTAM*i0NSlO7lkR3_$e!!*ljN6RLN2EU6p>J(AcL@07*&>0hf
zsB_NC;01xqbw(mU(6sY}A9QRo)In#*rqj9_sLGhUybtp7OhNA(#N-?r=nyAl&KQs<
z4w**%>W!v(W;%MSUOby)a*Y?u2}>W{EpR!7)Evnd94>4YJ`()4xlY0S*G(39>iC}t
zHBA{5*e`aJQ^V606u47*!r7lOV$-`+=aw<&h$(Dd&7>>NL@&5DB+CqA%o-Ecjh;RO
z^L5oG%vU}L`x8<RsBJ8Uf?R69MeOFAo^AM`;EiB=xk`pVCD^%*InIB6xD`zO{7uZM
z<xcZaKmnX-jLq7RyiHg)Fwa$Yn?2@GY|e%zng48mFC0*&Q0QJ0DQhz}v`i*UrDONu
zSzL5CuC2p9vjcnqz$R>!8}GSa><%9N$o(K|4nP5I{%gzCFcaH(e-jHJgj9FH%SL=r
z?*h+G_g`JdAbRw5EU^Dkdr&>57ARBY?b2=Ho1#NV+NwRvJ;RKwi#w5d(em$k-1Dd3
zEltfxb*Eb;^;M@I_cPul-7fk*wd;q)>~FGqnX?;!0~zpX1}vp>6!mInkqNv_2hLX2
ztKn?&ovI#z?%;V%J%|<XO1pZ%*%g>kR(*hud6`4K(%A*TBm??&;1Z{Lm9sN|qXCRO
zpaYXG^#+J@@4D2dAv@jVR-bd`0%asa>7=9F<WaAOYIUMl{U`YEg?r`6w5n7ZN>j>}
z!P4|pdz$B0jyT()RuHv9K~}4rmULHk;nDfEyYi~jhq7{%1wPj)I(jIVwr8HKVQrSp
z9^z?;x7ZhwH%I9-GVR%5i1tq-Y;~=Bw7Y<b_^!*eS+13?;jT^)^!Gb2)rEcS4G8-W
zICdHW|3B>aX}3e@S82`N$^s({LeMO}f_Q7D>Dw<%YJqozGJC|ntuutT1Y!8T`Ll$R
zf>60{`fT9?0U}dkF0`O`bW-|4sr4rNC?$=BT=v#O4_C6F#*VZIAo%-z!XhAZXiGQz
z^6}72;Xr27!~lKVS?PtOXr3;p`6{n@do>H?{E>fOGgCs;;R$N)g2X4!a1aZU6>T@r
zP`sNCPIXJWg5p8reQ@l3bx^l`%3$a5H|Hq>d8I46GCKG2m*6QO9-YYE`KL_gr4P(y
zEuPK4-%`UcQ<itrVQ#HuFREKky9<=9OyDg9`5S30K9pZLE%rV@$gS5f$b%fhUec!|
z^$zb~)X(K$<K=vK37-<=g~ECkHQQ{yys!wAzh^HR%se!rRKp7dInu-^f<<jlGYahW
zg32gPtLhuX!Zu`1o7}heBf87TRd5;ceCz(w^||w3jt}hbYHz5|DNoCPm+leo5U#OZ
zl?mo-bZ$xKGIp(cM5(@#;a#eEbjKVppG&)_-h8|sFA(*Y``<h7oQ;Dck^XQc>H}Yx
zM6|S&?wO+m`swTwe8j;NCKHyd4J<hU7(UJgyV4ywPssdg;OCo1wa<thcD<}9oq=Q_
z9^=I05fDFrt`gvH%#OixB$0?EVJQdCXz*r9IGDqW1Bo7z$w&-23E<Afija1(18<4R
zQ)nrd7R-Z_C{*CSu1Q38S{sY-#$pLHRy$7#=y^3*V_@hZ|3qUZGnr&=ED<C}H7}-p
z%f+x)&vuYP<w0ux3*ya#_-4HzcpzZ35aLi;T3lQgt7(9^QV&ykAP$E!c(WwKv0A)}
zrmi*^h$9U^btsHH4EhU?ST<I0*#0EsBV-&!(pde{;nBc~!f;uER2W4HlVq4n0JwCe
zo%P!BZrk}VZVXzcl+oz<is>7Xgv^BO7%bW&N>vLKCQqhwvMc7SgrwkE0ZF0T0>zXR
z;Bo+G8|LT)AGQTbo-6H0`&hl|5koC=XI-__p%6~Xm^jv<z)Pq3#9{aL+XV_nfXf09
zB$ClE6A3URI^WImvoa3{Bxi|1H1z9vK+s8VODFjof5DJG(o4=|Qxpz)t+OZ=;4LKs
zXzB1m%Z)_}i*N`Mlb+Iqc>uzfEf_@_6+>1_ds<syOCY_z5|YcFMV7IHq=ehXya-#y
z&fQXpyRZ*x#}d^?VRPwUEEmzpc1WITUMsT3Boi1wCLkLl?`o+{yvfgc$U!P<Z>bbY
z!V@Nli5{k$jxuvgNjq63(=CO!`gwcS>Mu}5KHp33PTzunA>bh^Y!L2cYzp!E>~=d^
z8)Xw1BUyc!(rGKwlp^%VGLriA4JO(24Oa)?2NFqyB6abG+GxB1-fqYp8?LWUBIQd%
zO|TZzI9MIT^o8pUT$}<4wjM--?0&`rEe{jkJC4LR#tZDx7dyWe7M)A?9tPXY-q=h#
zd&?m@+`%#mLA>%E-gR)pYZ(R2ItqHdm1W37+E^<0rJFihMgWdIQReog*PZXw7Qy{}
zkxh74SR^e{-qm=@5TDIuv%TwR65kaU$?wXG)OXcIET5L0=hkw<r^2>KS>$Vy-enoK
zoK4&To}~m~Z(U<=VB>FRqp3OKS~}5Fwwp1b!u*yUbOFCt?CH{koVL*Z2#65mHc;k|
zp$UW9Kz-8~)ZYd=<Shp6-3E%80jRST%16o@GD22{wHENsUGyp=Qq~5Fl?2dstx)4O
z{e^|4jBN$$*Y}$s8O~4W*-!+v6`K)35Q~7Z>&`=>v7yT5TfI4{sz%ms=T<1Il1Hod
zAd!|ZrWMSQ@#F#7oej-FkiQW;BDN`smk0Hr6(QJKVq91!7FIH&4cHsj;~)jg%g6OW
zBi79UZP3{)1{F)>k4~ITQth|=mL7^CxU#9_d5jz7$%Z3BTn_{n=C&!IhjUryXJ&(2
z__@igaQ$u-A@0_~<t^Zy>}{kg6efDK*N`ajKAUHYtJ!gea<y~?-l=yV<h37#xNRL?
zb1%cz+MhOEB>o*Q3?6o|IGkxWW->SVsI;wSGyS6xY7TB;y%;aTVabvVO*N!O4-IP%
z_Wbr`QYT>(J-JNBoJUBJWEf4^8^G9mqG;@VW?GG%MF&=xSY~FV{ibY*XpfUfadm8!
zl#ACS3fIg@HR_3WO1CYBpW1)&b_~9gE&DI>C$)X6nibvp>c0P^MfT=C{T*s<D;fI7
z-9o;Yw~;b0fT4y$VIi^i(9on8@s0?ta_7DkfJJp<=|wLIg~Azh>q}Yai(eK@F_XQB
z9q0++bh_*nATiCrKIB`%>*6^*_=ij;W+P^1;P!PkZ<TwRGiAS0eM$aO>Lt`QH;=PJ
zlg1p1$1>lDbu6W%gFYMvzeazdc&fW5wHRf+sz+=avWh<X$hb=_Uh%Z+V@cNn(CU9m
zF=*fa@=x<lG8cH7`!B;#W~Qj_O7lO##8^S=KQR$aFZWCJKIhDa6!9+?WV6Aa0&_Xd
z{M2kV%bA_*pP5EGWXx{g`uZ<YKS#Y~RP;IOabFmgO_jN<8<P~TpYKD*j!UqdPg+VY
z0S0Ca981~F-O>#g5Hnl1Mz;#^)xf*mFjrlT^p>dOV_UO2p&M>H*U0i%ByaviHm%mC
z%Xt&Kx>>Yp3$BhSN+5Vo^Wi-P-XA?D-Cwvqb$;v=9R>E77E}i)Q8^&7*PL{>PnW0b
z`L7%{_HUnFZJ&<Z7P|M|wpmC#m2StLhg8kb7N>u@W<H#`{?H&-6tw!I2jeWFm&HRs
z8{A^OhpmD6Aey;6`cmPGh!xd&8w4ppkDLHgiX3J+FN@qtk<T`0UFpiT5@trLGCFCk
z83X?S4iH|nEj7Eg)`aGRXSNE`^DkMNi^fBU9sn~3uEuDtOKT;r<}lM-mC;QvTWf-Y
zW=t4fH1OyvdPh6A*5qbaGu>5RO1)yK8A0eVco1AEtC{Cqm+FLyt!ip+1Tzz071Ep|
zEn4;fOR=8>4-yHtG@94iD7R!IA6Ae;NJZW<q+qZTkZlq{y*;fa#bmW!`iOF)8q#C6
zC)aB&>iGafE-2Vx)QB>R1PgP~eeIF2pEJ3sniLbotTd24t37=H8sO8IdOiT27(y2u
zq1&p{O&ZlHCS+L>6z-7w&_l1c=;H%^h-Bd0Av0xnqSen{7ooV-i{C5LRilh{y<uJr
z-UOUXA}=0utu}>&?5n}-Y!!LP^xz26syEG%XEgBY7O?#>@Z4|f_Kj9)M-O7la_A_a
zF>jgo0JV{(4uL};5~Aw2_1VIO9{ncp8wcNxAa#G+QYnrWnS{z-$6!>l2rs-6d_02m
zeO4vdv%u%$hVe>6bc=(`e0*m)ci7KRuaFOj&k3>+u+4SjE#@-gn~Xokr)EQFNRv<?
zr>3R+w6IFKQQ9^tLU%r{FEpo9-4n9@W_9koIb{`+LhauPO$<Df^29U4bmo)By2V~`
zN6Dw;KlAn0T$p7V{4^}-Av*nObA7`byY#F@T*b@Y-$j7~a5D_jm;)vbUVGPl*R%2^
z#@d~S-Q&cwas>IcCZAB|?Q1$H<IQGlF9Hn*J#r9iJnzt`3L0=oC$gaBy?8nF*&*X1
z^p_<(e-J_|dtn}w=~#ZZ&4N>2lX8FxT=1r9{}CeW6YZ3bh4Ov=_R1jvOKQ&?ykObq
z$TsP!KdO@ai}bzJQLGTg+G?Ad2ioz_uwBpk(7>AAp1v<M?>Rz|LXgv-D2ONUDvd(C
z-No1qTOL+!+(rt|BGJe`iaN*-z$})Krwhf-&gxV{_G86-pJD0lKzq80M)put!ka;&
zSWob-maGRHDhsA-NmZxn+fvc(;0_i_#*`Ql8X-slLp)^pK4UPXhVep=99g$6*MWe!
zZnNB}FpCGNP;4=KBEKig3yO3TNmHydo=d#z!!Uc+w$k7aIKsdqbP_a-)eXx_G#<l+
zB-n-_^AL?1)G>^7d?{tgsj2G%SgW3wTH+sANKy<{Aw`l8^_amDQCnt*^_5?i;P|yr
z!pbjOdd*C=SotBsW({2eYdRmg^{J}X9_Z!)<iVyfYte(0Vj&cZ1X$iw2)MsX2t8WV
z+9O?)zg`N_T-8D&ii{Z%gb;<Y@1xln&{$}p!Bp`5G!{O)0aq2)tb_uAI5cGl?EH6~
z!HbczhUcc!aW7nU3k}3oG3{LtQ`kDGES;I(N`qez(n{HNTVZA+oEJX;wU#>@j$y%N
zx<G_-y7Vc<l7g7AS&WH5HlrXt<gip?+627w2KR<lVqr9MQO9b*M{f3Bw99F&gK$Ks
zd*bkKV0Ew|&tY{;%?OJ|8$hdEmbn83Mu26!<&ETyVry(S+kTsGiuYr0%=46Iq5B*6
zO1#@(qpQ8M+3}5Ivi%ABAniKn0%pR}J5T;n{)6n7_DPe(6Ji}ipi6{O+kOgE$vvB!
zr#N8bg$k)5bp{>y68==D>z+Wi&)NGFn9t7u;WWDPE0k<7O3vXW;jiU^aKKshwR}F@
zLVx&LUH})N+26oPX$?KfK2}rNNz{VHkH1mue!Q=(H%<RqNr)*VR6&t_g&tvkT4v`}
zy(#l8T3SwrzLlH7+E#rh|3O$vpL{1jCN$D*-~XT9z5_n0D(!o2oy?>WLK*=QLN7_C
z7kcPLdaq$J1%hc3il72BsHnRt5#cBbva7q+Rdn6Og1s*mSjAn-3M%%7@4K&UUH$&g
zxn=GI_Wkzzz2El{$7Jrg=iGD8J@=fa{Gb0LUk{mc(hu@w!YX$32b3k)l7Gm*fv@vN
zc`vY3H~c7X13J9NKjnm@LBHZ{j56u5d;f`!M%Wks1e$9l+w_xsiBQje{z*=-ZU2P*
zY0DV7KD#No9F^(;bK1y`)d8w?d7V5;SjL{OlkZ_a{UqB(+hHmgz-}EY4|6Vo*CPp3
zm2fWyofV9eFQPDbrXH2LZq@i(HQJqYcq3S@%pY-^xQ%nQBFnpN5kCF!>5mV^#81?}
z_r-4?KEw|=9iJFJ#Opd!|9c>Q55}h+AL4%<qJOqdz#sIPiqARtjK^mZJ^_5Fat%Ii
zd}iT81hG~4tifj#J|pp=fc)9`)Zx<y9}3bZOVI#)2H``UuE2*nJl)ng%wq`qvY&Vz
zY13QS@7~n(6AnHHeD7_zke9q=fOoN4@?*V(i`dq;jWZ!3UZ-!he}j6(X=Cqt6JFrD
zci?)`{GznHzwu56>gj_Mg!Gz`ynr2uh(}r5Sm}JN6@Hbu<AB@R%+`)GuELL&jW?R$
zU;9nKNt@XC3C2krPW9OY<0Ss|+le^od{#WkIEhQNk4(ydiQO?7CvBuK7{il$R^aJ;
z;^+gC7~ofI?4EpN71DL3FPz^vesZW;dG=zpP|1@Wk}Uje`-eJK*()EDr%Q*WfOtSa
zN}pRvxg{{x6v8dTx^2@?%;sXkcNPPrF__(cts!GlL^No)DJxcp6<n(ciG$M%9<NBu
z8!We{G=!ygn^FTA;SrOH&{i-Y88ruWs`+{^tkz5SSSke|WFQdM4O$+f(!g{jt}tal
zIm(%r8A3HW8*l}&`QTUP&O<&Gee)h*Y0ZlCC}TO-nR)_DydLNaa0{Fv=IgQLTa*2%
zAv3O52ZFfS2WUkP>xIDUce~-430uOS{Qza5D<saWOZGz>>1}|+Lwd5q*IRA~W_5~%
z#ZYGKUd9cfjlStN4D3iRwtKI&4VRDLRFL)mRU3WMZ5X_teOb#5mgnL@gtIRM2$7#f
z_CW+(m#j+H;qnAHK>M*tH(KhDGYwEE=+3+jwy@q*$DDPDejLUs_gUsz*o#!I<Pf3?
zJW90^HKJw>uB3w;6zYYw8mPhC80-L45>z9pse-C$@+qI9;0pDzWBbiZ!TIEO`{DkB
zj$Lq*raJXX*WoHXh(h5ZxyigC$a7F)Fgb&Pv>l*lx)Sf4!5=!9O*m$)>4Lfo=T;!V
zRr);#fYVgFsD+M~#1R6seQ8_M(J?tEX-iGyyV7z*ik&_O2#kg#fG88#14(fU)~yt{
z{@3Wpa&F)>ykHtWLOax?^kxsQ2DrSnNe7o}wou*grJ2l(LjYB+Asl*(fkWpuX!wQ<
zLmZi;KWHT!dJ}Ny+k5NrKfHd1J4i#G7{?u~x(|YZy0VFVpxp5Fn70fUkhSIS`-1bj
zfR*;sPvX@x{5>6-(gemSM%I4z+0T#`$M%6C>ihmiED~DgZWRMhqJITfNe>mAt^J@Q
z9T}K$vf)cH?1xkX#|Q-y=U~|KyyDyfWYe@ed&3x2V(+TvDp}I^;@^eSw$DXX*eCdG
zM{J3#dgCYA1SY&f7zlMHJmYv)edm()TF~_prOrxeyMH$OA|Y0i-%HJ$=rr#BA+VYx
zi)2GT!a@Qe7ONasJu*aD*rxdEW=km<t>_N0ZHq<tZ>z}#7CzGj=7BS@s;VIt4R`}F
zk2~h`Cj6m<tDzwj_lF}fSZN~eh$rHT1z|dgrd?o^Koh1AEM^}3PwP(@YcH%c(7CkL
zHYM}^U{KioN0nvTtb;R%<yJ!hUQ%rOv2bf1ZuG*s|3r}t%_lo0@mGuURd81{?tpa+
zkZ~)-8)dl>c;v_x?d3O;h=hXiSRxTf#1rm#up!bAPDG;NSi}btmpkE!H3Y&@7+v^{
zkar!L6ZRWW$04&Pv|Qs(v?AOi=pB$707K6eB6#%_k#|gY!xyr_C6EtK*2vIZN@N4X
z3YtS7{M*1@cGf$LhXvAQvmNqF0Cc!Y&Dqlz0^(c|h}fJ`OJjf^qi2+Y;_OdeNZHbj
zabpqktN`aQ2uZ~eAJ>bWvbGiodp*R|z>QdGLmKF9j9qeTx-~BKAiWE8nlej|0?4HS
z8&Z124B`v3jV<Xm_!|5>J4mkfbT=KJu;lqd6z&g>2G|vlSiT`iIZD#D2)vYF^JJGf
z;Bjs#w^Rhz1+nCWX*cRA^A-QX^wqc#3XwT(ECAL@E|BDag%4x~Mx_hVmAKr7Kpi&>
z{+3E!>_}L+Lq0NnXjkINM=UlnMD1WdLM0t$5kgXsApSdxGH!U|la`bt9Q42F&(NX&
z+)FkLm87qtw?rS=>4{@X(Yuw5Bq`m9#Zalo{B(sy#qwIYkp~0P8@9&JD&(>$-I3@a
ze`(%*c{RDe&CSY*Xa5N9rb``9I3{O3lr_}8Tm3=3K>3HV0lZvuq`l%t;wWK{?IoTa
z0&=|m58KoVcI%VUc40Xi@|5(va~Tw!nPtgA>M{m8{#rKlX{i;V%{M+R-Nu!mNoC1N
zN&}S*VVj<jwjeC|rIq3##O54)R@w(x=8Wg0OB@UM)>kin$dDIs0F$1V<{>y|(eu()
z;5h$Ezvi+<FGzcNa8A7ZJZTw2GR6U{>Q6`)Kbu|gC#1@l#bzB47qPY@l24e)ese_H
z1oU6Ui_+81>FDF)qU3z}5IaHG#=@7R4j!+wv^?pT{H&l%>Caw!NxE2=#umRUH9DuF
zLVZ~>U;2Qxz9NO$h{f2cieCY1*%X#|McNDc#nfbW*EVqn57t>+l(}h7q)q!a?A?)+
z_^Sn^jCX-vmG@tHDx%hUW!E|<BDG+HeUo~XvQIuNy&+D=mNL`1jl3Mviu4aMfZ~Td
z9{*b}N7pmG9PF`GNU~cz%AOiIlcubeWcRUpM2zlV0himhRhaAPYCxG27mc5)6=iLA
zjLh0TC^?B&WC!NSjjY>Tc{#gtwQQvWg*^nzqlt0R&1HB!`8-`Y!l26H?470Zs(Acd
zc4?zbAr3wla_9m<;epMm5*Ucg#ZAkkJ1DtgIOjn{)C4Ddy=Wl<&7*7N+Wd3_u<nEq
zeLhevQCo%?#8GQm{Stsms@m4Ju38&uZU$x8_;Y1<LAn|?QkcO#Y-fK|Tpb3NXK%V$
zp8Lkms+R)f(!VM5W?@nUsaGf4pmDQ_kU{PgrxY<xHgY*^wq2HkXh~_tKAyfZ))mN;
zok*fW`reR?2Mvl_WD|^Pfa*~-LO~YYOKg2~9ecl7c2%dF^H4$~+J!BC5wo>T0eh;#
zt3AcrTI7E0wkO~gd9fw)#=MY*iT}&mL>Lh^{3#~<#*HO3!rjNdle^iYO|5IzuZ^?Y
zTV*S;7ZgTJ2#d}G=L^6=dQ(k4?x4fIo>J<j%$Ylvz1&4@P%rcv{AdZoFyD<m_HM@X
zbQAanuA4pYVNxeN=`O)0-=FP&FXLnn^#W1>d*Xe{Gwn`OR_V6-Y_{$F%o+qa!y7;~
zz#s>f$W(0|4O@a8eo>yx+D>Jh4woR*VqD<fQ*u!az2Swny|(=6dHZue$Q5(k*-M?j
zaQq?bovd8DPmL?P<!7X?q(0(oVUuldM+c9LA=5ioQ%2?{mnM<LbMbsa$v&&0WMAu}
z+yxjxvaj+NI58IYQ;s3Jen@}ih|`HP$KlM{7ql}64Nz`|$Kj;`$}0$X-!~Ay?5ueZ
zd;uyOF<ALac2YqN!UESkqM>uA4pFYpPQqfvk-jyXwRVb!DmNpOD0^tA@*2BgAe;_+
zs+H$J6w6lBD6bK<$iaj1LUy`Z+9<Bv3crf{o^uP@m|mWoK2*o{9`BGZg{@}UHS*oU
zg)DoQe6X0tM$Wy(mfxE9N#5MtTL7nc)b?OU$IYawX}~n(!rs6P$I${hu3^uJ-HRQ#
z34yq+YY?E?*r*O+e||^A8MdT`FGJADxvcHDn9cm>!tZqF32}Z_a%<AbhZcNb?W{`+
zf`@aPQFBy>G>_WWKw`Y@>}#ZKcCtks%!;m&_=U50O<s8XJlW5_)Q@va7A5W8!0v2^
zWd7VPoR7#E&7#1Mui1#>2d<@dY#4HSxV(F(zsKGIhMYn+e-i>1H|>_@XAyrdru+m}
zS0-;@wZyRi-i014x<~7VCjO$3h#CMH8^N^Wn)Jz!gGPZ<E1>V!X@#0d$qN_F5j{#(
za!9IyP1^=?%n1A8acMVfn>(MtW?PTVc4>L5GKL|$@BlX9Noj?H0NLfRIc72YL7}1;
z$r#T<4$j;a3jA)fgkU~obaL9_mzUovUg>e{qsQf*<dHiBkK87~0(#=W#ykVr<4;3%
z^a35pH2jPL9hem8T%ad25r&*mpx4ODEC3v<IP(Zc0|RYU)akIE5JSlCd|dBi&-8Jq
zG(FXljPFK14WV1cVFX9qNRYB%#!(~LsZieOuzn8}8HYLM7i|<~9?f&>Kq^n?<2o=c
zoOzsenM6IQ?sT-}O*%R#^Jt!1?@9ko$6XpTzctS+1_O%tDr%)y=GpAg<8-v9)6o?Z
z=xA-Hqg|%c(SDgn^K=$w!Iycww@b&0d1;m5VQgBi9paefVQd{8Em9&ik)*m98A69)
zvT8;*G6fg0!>d&{{WX%^@B_j`G~+QPjse`ah%NkwsPiCjqfp_?fCN4N9Rg1-{Lu(J
z;Z7q;=D@oD)1dw^j#UW5+325)W{>`4=D$I@R?V2v_#?t-b`}_BYaWa_psN|xMr5tt
zLV(Lg{e+7)6dLDon;Y`Ag5Ts}u`4U=CS9PJvW)^e`?(tefkUjc2nJ>z`~s%h9+cd~
zFu@S~gmRs*NkiolF&Si^7UR_P07T1FbnQV=VYin^I%60gg?*)P8<rHo-hQMM9n!+~
zen4V3O3TR_%M9ba2CC^UmG9Xms;+Zv`M~MqUY2uT_6OOe&N@dUqBY*O4_4PI45(CD
z8Z163E*4G;JA_`gKiJOcs4GUGdWh}og8=g&*A52R{-Fh!`}=}uIKW!_qR6io{ZcEk
z_k*<lQWciQ$^E1VGQQu@4?M*l-HXH!n84jgA!$L<%`WUOy^-xguAF2=S#o6fa%~^H
ze1LSTP|Mr{r9+7P_++5;rjrscEiO-v4C!0$H-n^0AVps|Sh^S4p^!i84TNK44VCUg
zaLB_$rN1}_>U(Q2Ol{V(Bh}J=Fs`hrkzRE6M;XP+1YXjv*H|kt0yOj^K*MooUlh}3
z9ax|hCj<oU^ufW=bda}K&4!EWKERva5Y<=qxFmUArLEPLUz7K2-iqA+$h|nXN6!7(
zf6xA9c3<aV=RC*fj*DT(YRt;E-(&Bu?pAA*XO$K5UqF5>NGrwTVzcm^P-bg2%~$Q|
zcd|rE4!D3lx(l2Ko7w7X<=;6sp(lgNu;Z`Rx;J^ZycXV$hj+`Xof}b>ECQ3jZbtd-
z**kl{SFvG_91=FLd-ljT3G3NRCO5++_z1)4?R0uBTx8B&m6Q9k`Paz{;2*r}I<Oa<
zr$5ylykzY40A;kX3$K?~Ia{expRz%=@0f58RJmLBLZ%Jvl}9*RsH6}jx0of1gl6{7
zz4B5x4Hw@auYl9=fg9v|;WS)xBQDaYT?CLp_i(xYo_)B;YBp>iN>=HYf1Q^wWUUXw
zo9Nt+qPSkP4{69WUnN|NZ|=wKMCtllaXU5aSAO(t?M?DkQldd+P46lRM?|l8zgF0G
z3{9?N!{1Yy;cC47J>^`-3jK_)*uC#51K9ZYl@N67i{4jOa~(U?uWXRe0i{_P$VyHr
z`-x#8-*()VPv*+PoV;v@Q_lL){vB4nFXd09Q{oBXP1|v$T)sjAEspqr=n}56ePz3}
zqhn+dh3}%b7nOtTAy(y!!igx=vn4M})6zm2nYc6<5%^bpBzNhKa2S4&pw;UK4hqnF
z0|%6j7SQlYhCG(8<VP?wQm7*2pVjWtyyuo60dBXlH$#YnoR+TS0~`*z2_hQIN}6zI
zbPpU;*N`Bj3vub1Ub5N2M&${cH7(%*FiL@5^E`-Fknk*(!1)L#1e_&iB~2pam*ci2
zL;N!m*208E!2^h$fVU<?e?mYD=}!<jHR;i4qX%o-2n#4g#q@<?!VJLB=teNayVq(Q
zotZ{qZbd`71J2FZ)f6T5Xb1vyxxzqMh1@>g07;k%moWKNVaMalUR=VgtxfBW05lNu
zY-doN*>i5gB{gUzGg!X{lQe4FJ=ty%_(R~8PHJ)b?loc7=tr6qj7zS@5RlC@h*$`C
znef1_*XBps*s4t`kb}9|m)Du&2J?ZB+inTvgG$7*z@=c*HOCE@XVQh0v1hM07<i%g
zk%1MiIw;cS69fY<P%QfMv)EVh96Hg6AqsP^rAGmTlMv$2uk}c6Aakm2*5nfiNtC*>
zbvH<Qh(0b4JE{lffioPJ=n{3HlWg+<=g&uozLl}6Gk?|d^df6)RZwO&n0s>$2|LZ~
zh9$;c&*v3DOxD0zN^L<jkQAQY#G02G=VCAmnE_tXqm7MYz1iL+<bq#e$SAyFq-)@S
zB|V1MI0jcvJ>I{@WrP7c&#1wLmoYjrDI=J<9UMoEV8%B(!UZgKogpXjuU*&Uq}AZV
zH&3!+i}VgaCIRi{21r!(?dWacM&sJNXTT3xhvEM7rQTTfUq9b$k)oV4075ze67K*d
zq+?fa22B;@ol)P~@;8Gb|F*o*xliRT$+;s(g0b~E=V-^Ktl!(eun$lp$_?^yIbWJ0
zZWkW0eXE)J40B&c$FeT)HjE|JDw4{oHH;CHC^Wo=9lj5t;Utt$Xn5fwHv4|*Fsr>6
z>)_1$rAHx><oy9B4AxKR(wm<E*<|k@rDuS9TzN=(hUNZ2$`W%YYeoIp=MSJpKfOkF
zRBN*S5YBOK)XwR{Mm;P&<EX+mRbRGL{vA8^h~#CX4@=WvOZ>%QX&aagK?(6NlHET4
zi1b^8;q$x<J$YURge>oPOxgrlyqrDqxVYNUUEl2<VOKu}9d!QJN|^P040o{SYo!4^
zW8Z(Rq^>!sc74H?`*8NBjuTnMs$ZS~E5r*O9TnM_+}wNunWdwykmkB+P3bNtrz9&#
z)ap|M*BaMO;X~HI;uup-A8nC!^sI@xJ5HB?x2zI1WGL&EEtaq=SA$Pr7W>U=$nq3k
zz<$mKpTput@d{1s=5YOOjbbiq%LcpXk~KJeCR@8k6aAO6tx*VTL(bLNJvlbDq6rM3
zGuYxLqe%ei|ELS`G8{KE@)19xp+u*%VJ${WM_a{m_IZoJP4RdfV^5Tpxff@h0~q`u
zEi8l$-KoHGGDw(s=+r@BvLH-5RDGXtR1l`JpS+f)?5xXN<ZXSzXIy$r7<@F3jTS3e
zuYg!JhgO~n+jqA7>+)S-=UNH-^|?83<xI_fEPIM`uHz-g{H#C0j{S|j!(O94q)q{p
zEF?b-^vRzkm-x6iQ+OBluJ2q?WU)-Hm}w*wnAQ!CL3=K64jR*(&?%F$w=ShAD3uSg
z{f$JO0a-}-(7ZmndKmlgl;SN;tlzwOQ`Nv>t?Sn{HMYbnTN;}NC6+Mv2g)k=6|Vn4
zX?85a#2Vgbnmm;We*sD>^r14E6M%(rEKfUjJC1>J;*$@R18_22@sYCGF%PvS^_eD~
zWRcgQBKSU5Cc)!y;m684VGjHHW914s87}-pxfruR_*7}b(|z|1x!o}X)hhZ-1Cti7
zR`eOzaHq2=pCM(+IqdGwlyl)w=>9o!$V|nFOUqW}j$zxrg1h~J&y{&_CFFjgoX;7+
zW|ptYj%!5^f1%70Cb66^mA?xUnedge0e*z@zfvxflX>G+R=-kQv+HPw%x0aCE1kLH
z(C(`8sJ)abPhhXjQpY;R;@CyyQS~W0Hj*uyt<D1%^u4py#RzB5o};dEjK&#AC<6l_
z&KSUcJx2}U7T%&FA_GH_?K-XK{fTlAlIHMy+a_Dyf98If^GWtw&X*jIX5C}|m3kvo
zw`--V#a{@Q*)~Z6lE~>llE8nG%ka!4cJv8h82NMwtP*90Pq&EGEtR@y5w+k+vP5U{
z0A@rCBhK}!>56Lv+{zrQjwnr%I?a$_1Rn4r918(#LbzjuAVUO$S&Bd{X|5%>kc*%T
zc9f_*tQKB$%jI}*HhkH*+;cM&PYtk_6wrY1T?BC(LJiR{0S^SE2^R@$sVaT}<e?*;
z3~u}A-k^BcoimNNV#IX^LWt}}Qy#W$wib`vn-2krLfjqxX%t@3(X)*>T&m)BAuIw2
zBtO-GJd>)l-U+XTC`s@%4uEsvcpTu2(m9HbyrxickS9TaO<yq$hC$t8K++#Su9TDl
zF`XU(;6^EgIY@!Ur{@@f#b}IVVT3y%HHI!0Ax0Q(0&m)jorcYzb#DIgus_YU+>bYm
z91;N@-b!PTopPo)Y9=yHPilfkQ_S|wgQxep5<M>8`gHu@dnPCmJ)K|AQ(VOQg&YOI
zi6j0NzrrTWI1E?-60IS7fe&B;nEykX&ptb)1^T4tUGfcc-dT|Zcv6HUa3Ly~ZJv)P
zeY6A*EJRyB4gw1RW_nG&=K(M7U<k}iNFswS23>rFFvqpfAi5R}H=DiyH}>ptrJxid
zp=HGRrGP%brRFS9T*HmKf+_*mx`l))jKM?93o>*-I))zwFeEOkV;p%bQKXK|+9|9s
z;`LpuV~12ocn?oCYNoFUTshsGFGzTgKpX++2&4%jTQu@U(3Fe2z42%~68FRqBI9!f
zBd&;#@E*7rKx^=ez}w-0s}4vqeKMFONFj(j!K=ta`JwMP9Vs5NWPQdunZPPl?;Heu
zOXv7Q_WJS01B?Rp18>aV5R3-GiFg<=`iKXq9HL==#NU7rAS?ndzbg^ro#Xl>O)xly
zJP5sqf~h?t&<Su=6A(1C7lOM@bK9kmA2uBog=bXA5R2<$gBMyRtviSrM>s@}8O}}t
zQ5vQUb$T$iL(0{79;}0mbQAnV3gEGdixemV`eX&d1lejx!!c$Mihz(u)<(XZI8r=l
zDgs&+{bBZG&-Rlwnu?%hqzsx0JVy2wuCUd(0@g2z;4<(6VZ@>1)x}$Y96OlBh+5|>
znWjqIVo>2e1GcZ>(gxuc=^<&h_%T4oCBmJ;SleOST<rYme~DD7zAfyi0yjgtK*gUZ
zWLJN!Gzujov|TI|Q`WS4(lg@hw#}yOtfS)%^P~Qi*kZw}SeJ~k%@-Qyazy~B_}vzx
zCcfI)Uv2|SbCiwVVw?%UqLEX4iv*kMR%jI)E`(OG?+F-a(^<4e=Rgk`@uY=+3x?IF
zL>N}LKn-Yk%CP2g03_19T&rD~fBpVxkc6#drO#-B(|j#j5NTYjw}P*@mAe&KQtR2L
z&zh%_#(;b+20BguYS*~WN}dr5*o)5_+0?mmVkBlU&}pQw;23AxpDqlv<qpekcFePn
zRss@uJ#G7JAKA79ectLw)EBCbXMT$W0|_?-uXMR_#1O@X!p1s`$Uu8QhSohf1ydDx
zo%Sht(#4*khrTXUe4;SqQ2%1(a)EUr9<H`q0OC6OF+ge`1rZ4~nEf2oAbcRS{}JPS
zASC}u8$S>}yV>b5P6D&(Fr37N=bMJff8*smqzd0^C>XR@EFQ>uj=)I>3SQ23e1^lP
zM#u-XmN;V<j#aZ>qtM&{78qqTx9xMlr#>Ae8?rcsUmYDKmmy;Y!lf=5*Z)v^Z}lk=
z@V=^i+wTqTm{ZP^j<><P{;K-2@&dfGPl}HS57>U+(czVoGn2i^v`P*^eN6Nn8z!Uu
z*yMkxQ*`?W0jWS@0pS4Kk^XM$SSSSKXx4+2$GUc4I_!|T@wEdMlJpwr_wuzPKx@ab
zvF0Ys<L3MTBl|3wbs&nk$!?>!@3yvI$V&f=_3X}ZiVi127kzHPaA8EF4KV{Fpu;q_
zrd-rSq^_DvGu$V~E*cMl8A7G$BARu<hJ?YlN-sLQeZ1nL#J;pe;3~8MbJQEZ5Fs;A
zq7Q{FRjXacA~nGagv;!Zaxf&lSbTyh%V5K$xKudhS)@)Wre{%Oz0o3aD|y(ciRQu$
zY$WoYc>q3lA#2V=P2#G~tOMtlc30XHu-=sM1n8!UCn>PW@YNesD&bI=cuFA#7{dp&
z1fXFi@^UD@t#Q`jYj{C4gj*|Jj4^UtxSfP)#6?&D-^q>!D-=W+!v+Nq1?-+K6HcjF
zbGR9e<XP5myHd<aVlt>rJbW63iT&s3WX0q1djpWJJ>b<rcY$TpZy~JBTu8XOJj-$Y
z2G*MIi(t&~vHPc(@+_u0_${%cghG6D3AoBJ{gzr-tKdgujc<Tr=gO((vxJ<6TG+h2
zY|BJQwUAy0YBRyy@Cp%iX<$_$yI2J?U3T&7Sk-_V;sJ1Z5m$rHABwpeko&5k0jN*E
zKMHekEYtwxr!Kn?pC`6HL~pwgM+hQJ?e-xgXeF2{AxOTYIiQ4WwQ5Rp>6<b-v5&Cf
zZ{da#)6A)c8*(8;0P(Xh*cwx<f96zE|3=gE9CQ32gAnkCWPCmfG=3BVfcMVwKEVG8
zYxX<JU{*5SGJdcvBUKsX`mN9k_RLabCU;SbhG}^-FB2+k587s(nPKtFBeZoV$0U+r
zjk!65Z9S8@IUoed=QacTcd8e=>dg$qxjqyY7&%4<i1WWH1+49DWhi$aV)7I*+`P8u
z@o!z<K|0GT-z2d4J84{c5i@Sqgs}5N$PRG=^LyFbN;h_K#M&xUEK95Xqe=xh)h0%*
zeS}J-+3@%r{w9X*wMWpsf$?-hg)Bpb(u{cgd?KJ>Wi^0fOo*bl-zTiSg>&0-b#ir6
zq91_F<2d!m>h!5xrnK~e*j`xKqe%L3Kq)I+DSazlCB7rB7oHa8gM4{=Ac6i!Jw*Mt
zbO9jZNX*(Dd-D=43T@pOxlw6KZXY{>^`0*m)3fQ%uG*WvZw+6-hTou=&xRjDa?|V3
zxz-!exwj+YO4g-L>B{o<>6xXphqIp^&R!fJw;!{dJiz=owmQr0p1Mit!Is@faRA4x
zcZ%J{a;JS?ReB3mY~ridu349OGg6?4k^i6l{2EeU^=75VQGvUu4~~UOi<RASX@U>1
z?*d8*8~-Yv<oB;zua8yAa(!a?VN)(aOms1nE_URvIF(C*+r}zzP`|0bLH&kxjIdnw
zfMhT(-?p0~tG>v2C;JWOYmR5K9=HEqy<53MzE!$e+%N34?IsH%7kqU~mS#e<9NGOV
zF<1d{N=+pvaX6PodRP@jQa#hiWh~!?G64BO_IN+J8>gqT3i;q&rrp)eb+vd5;Y@LF
z9D({#UktQUzIa0<5NU|V$=?IqyEo7f^E8k;WTB^m&y1K3u!R`wJsNfUJ$gb*tUPu4
z$^&|;xjSLeOrz{|9Su69b$5gaLY?w(9Sw954H0hyE;eLHizYn21_104@*PV=!a?}z
zVo=ba8b`EFVQ&L77R)Cgd?VkXxxqnHfIg>#nlVIUc%NVs<N*U3sZjT8u!`nCV6ME-
zn*d!$J0V012oI4-!Im0rT}HJ8+Q=*pe!ND2>aT@d@evxx*Y<PRGhiyB;Pjs#R7zoB
z8O19bwA?ffcs8I#FrE!mwX~RK3<HFOsw#Ih5sif-iEsi8Vh{s8!3KZ4A>npKg9(US
zk%lND4*ZFDr(wWj!zN&=YQT@e^{3-qaWf;$Co{jD&EE;Trv7Zw%01?eRdxj2JUwCj
zk%%u6@J50#n#2Q<KrE0*AfP)Oh($n4?T-Oz8xBR?oq{<a!h&D}79VrIkOE0I5M9U|
zk@0N!VtIHs1cb*QG#?FdxrO~uLlLm1KN?4BxOO*bYflk7FC`nIk=4|L%X6WUj3U=P
z1SUNw%tQ(pLVy>DxuM7!eIuI;@cfucVQ{)5Bnt(cBazTOrj}mFu43q5+r!oldXO-d
zoWeogL9$AQc^%ziQv_ZIFdh~YsiIYEv&x2(4;u`QkfA~d?gl6rVJ~{;Fwig@KwyMT
z5^n@(`Cz5gdKb#<-OB6HyQ)VlssysWB3O?MEoNhwvplw6e+ofs6X`{N2>S=xDKG?9
zO2!HM1@b*=l5=({VBVxA+`srJ-VVdUkYNloo&p&I|NJOSQ@8^!%sZ7HJP<q$#31RN
zBkKjEOLW+csRrp1(GvVlohd(E&SIJ>5<zcA?-R+Z8I~~Pa`e#ecntPEjHMURKya$V
z{6b_1=GC+k1l8bG!wkSg<5v?>zRW>^>gr*=p`z)=5v)9L4+E|nI0JF5Nxx3%gsnS*
zr0pm2K!%rVQ%>N^31kO5L5T(J^+G*S=Min5d_t+u-j;3CkosA#%4;&{e>;=^>V;{{
z8h?|K`5sxvTGy_s5@wyH$gdSmI<v^FBM>K^S>)15*2bP$WN^XNoux=e&uPgJP2I1M
zdZ>d6M`qRAe!)5Hmh+iYrl-slhUXzdU8i7LCnp=Vb4smLU)qhVILmeQ#+RR^NWYQA
zXBHV4z(r>kx%EL?aF!x{sOOxeNC!7+3DV5l2Lqj6XK3Cw+d6?4oOxqwlSAaxVy%=>
zPCa#Q=SvW4sx}B+&r+mw^p%}iWS}bto~1}1y6&BeC@fC9mUL#3(O@S;E`QJ=t(GIR
zR#Bc;pKX0Q7kKpR^f;qHe+r-_5Vl$7Oy2)7Sl1(P*m#z(kXVAk&ed5=eNui`>VX4y
zh?9i(geA69wuHMO{Wpow-MJiX$j^0TG9Zj{l)<F6Rw3qAP2%dw|FrDtX|t*>VslFs
z&$L*|UY#%N`O84;$CE6Uu$LD=#H^f;;L`tE0GkvyYauj6vk1bh<zU+u;tV9uD;8G_
zV|Omnj8&_6PzsAKMz&ARP1ofZ#BKzt3>CucmrJyhRxt1h@&FXw1<m;c^PA8fxB^Q6
z>WnPInM9qpXNBCI6)l(bv;xGOheK|*av6G7w*o!WWa@JfLcodnDUO7FxWZCFXYA(%
zpVbq;P<w!Vx>LE7J^r%XjosdYJOKz9xk>Bqffjivd;UrE!p}}Vsr7ehIw*wgeoEE>
zvpg%~qX-mX$ctFC=cuesnr6$Nl6N5YyWCjLJ2~^Rk7TcR-s}uJjyW0~V%FZQk@n;E
znEH*nUOA#v$_u0yq=@)~c#YUcI4qRIa5s(1+KCbD&bjbY>e+~FH?wztD-U2}=c%FW
zUc<<FTnFdzEo{e~a(_pa={>${o;s)J*}TW`u!arY$ZGEaWO3YlH6%8NSk3~q1)A^$
z3)EFWn!dk4P2i5FE>sgslTII$=4g4O_tYvkw)liA9IcLdgRyE~JkU@bh9#le?RO`<
z(Lh5m=Ji!o)z+?RT(^3CLrt``xi%8pux|C*cw}Aeq;n$UXU?r{Y;Rv5Z?A=D9%OaD
z5W8)i7mu!PX^cjiDrYrCTB<6m=1-}d6W<VNZmX#pgorFJ0am@`NqbK2zuke28#mS@
z8do((cpnmtP4U{Xo4w5*|G8}o7q!Kr>w<MHtD9%EFRY#0chTIL)pO#j8r#>!*Yd3H
zqgz^I@#@Cd$e=&m&s*n*bKzg~^qkgJjV+aR(P-=XmUWfWBQ23t@#Z-GoP|HA^8-D2
zLh<rsndJDl`+nBJTN`h0%WrLIj~n9$srFxVYVP{Bw$`=lD%;jJZiuXlSH_zojZKvs
z+AG`EH#9XyweRiJy8&*RKi={w!bAUd?>dj{=>KMD|Lu`&p18gxx~{Rc1(RTITRe)+
zZFOPR#nH9ozumQeIdIl-3xTqqrrnw|FWFR!OA_JD(Er&b8`rk3u0`zHns{_wd#%^A
ztM`q?OIvIB{S2~w{y%G+CPJtCLHi}O)o7k@40r!~&9mhpKz1L!QSRzoIuun$ViEZ-
zCftOBCl{(UfK=r#QdeaS))tEkSmhtESlqHm4a2kX&LTB&=-6V_t1i#C-J=n-Sjp*+
zD@Wxc(zD_d!u=?|DvszTad9Ki+};nkaUi7gRvMtBe^pKhnQAHNx_|<!deQF2u}m5|
z)70OIJDf+!TV4FRNkI$uhwdJMOCc5u#A88MBoc|aLkRv4#sX1KA{31xI5QHBdm7Rv
z1qk89dkqgb)Df=E=+*`(v0mLk?MThyQvbNoR+9qssq+v?K|TZ$do6pep|p}EyrNol
zL61OsF8FJKfdzF6=->>8N*GFl7oKWzL<bP1sDUzY`!h|!pKJx-OehC@_`7OV$CScp
z4pwsD8lWq9**!y4iWN`IFe`B-whL&2!C!;;uwyl<p+b?8!BuhqoC|7I?tGYT*3%3V
zf9<7u*d4W&Iw3DuZ-8|`4h+4{Ii2cs|20&TsrQ;HAJK`xn+-!vC&IZ<NC%n-scD_s
z`21$H(dRx(8-Wn?MvR*Yg)lr&W*bw}ZJfMM0olN<Nbi39H?Xw*n9-0M5CiB*pzt>w
z9h&}WHZ&#OkVd?5D?0Pq?@bNcgGU5M24zU_vzz{?xnL$|R07c|Sgu*)?XWfe?tV*6
zaLfdOuYsw^tT`!Nljb*DS*Dhj(?rU^3+dJm@|-pIQ(e#+fdwFLOOV3AW)9LeLx%*!
z!v{~f>GYUL?HlHIuAE`MM&8gU<I$Hh?LHn3Q3(2D4Gr;V18@|+P_!Z7iuv6Qu81cX
z_l6?=IFKRHU@REOwEKV-4_O#Mr)2a7cm+&M*h_R5%mlqRFf_7xJB1~DevZ0}+z)qR
zurB?Bsp10!1@sFH83;f%MtQtBR@%G<Svkx79qO(4qh*j`Rm3Y>3A$Ia;<(I;HHUyM
zI(au75Wz#13wmHPgP81dv;BWmic2*h0i(2GjZT(D@m9T&HjH(2)XGV$aFj6SVtaBW
z@j&!rJQDN8g<{djs!%i>jHBy;ctbqqf!EsS^)*D1_W=t))D6(Ud`d>Nea1zZIf<%}
z_-H!2?IFXl&LILweW%OO##dP6XK>i^Ijs4xaW0RlLW(>6T>iD|qewY4jd>n5PU6mY
zBZr+8EsSGuNIWL;#JW@24Q}1E%{b`y%yf1d|EO770hnL2*Qmo`#zww6-NkPl>n%)X
zqy5I2NKki3lezI%4>Et3vL-KV`ISN4{H@^-kc7^PLwGu*^a5<~{g7c#A9JVJgJq<c
z+oCtS1vw*8pt7rnDZngCrDHXaEP03steN>uDKWMuqda|NZF?<Hw8^<hCXQ@Ci)fYA
zf<kpC8b=bauf6gF@>~RvAkN4kY%JTxEzl}nScAy>hf9$bxV49#7C2+2Ha#4`qW4lM
zGaOE>>xEOv(!Z;%W*QR1sha;lTdGgJf-zXu1MzIze`O9H(f(jPww~AjW;m2QY~szv
zL*Q#17F_E|-`#?f+^qCB#z`3~styRpF|f7`B|p;5<VX5##$|Wjn$aS@V&47%IOF2q
zkkjHe%gO20QlBk+#IS;vQ(`y-HraAcJ0HvX#@<gEBTW&Sr2D|$u|qDG?vsX!ns;!$
zki%0s&}-RA@SsO|=Fw<Fa%iedLvNQ7dV4t~NMcBkq;rHjz%ElUU(k^^UFJhb;z;Fn
zV;Qn1=_n5{nmbwLBA}Q{7Ye#23!L;=Kv9ueN%!`g?t!?J99U7bIeD@S3iiqS(EPB)
z2sJ2QBJ|KQFzIc+vc$OP7$;QPH<t=E!f57LW?U1T-<mUsarJZA<%qO+XgQLSk79pb
zZtcB6g7JuU-GlYQEa}qRk*r{jJd*REbH<B9V7xF`<k7YB*cH#>O{r9sVdATVBl#}p
zKaqpzbH_(n@7rHjk0~$8&q)uUD2j1iiq8uDvl72adtI`9Y_CIq`?dVEklzzv?U5Q-
zd*&tiwq3KQ^=Gf&BKxI_6a85DX(fUMHW^8+uqPV_Md~!``PMUxYgKFGP_@>!S56;4
zYjRZ;yf1JO1w7c7u#bbH2dqulrvk*<9D_$Dng|C%5vZhu>qFcLlK*hmH`4WRW;(v<
zTS`C(4nG4#F50nD*=lMz-zp3wCFNJSdWWRbOJ$&0AaikV5qDvMfi4E$R3s6LfN82B
z;rB&C32!(Si~$!Hh=qe*?3lo&Xxk-;m_&X9D=_TJm4P&-4Nd?Q!BGNFMTqc*FmqGK
z>_Tdpxrb?QygD7i*{uGia0br?Dx!;E8v;=X7w9b1t$1Al?U{i(g9cdZ5bzN03@GM$
zoh6;F)4eO|2m?)tlaK}g!2tB)ha;iCTI57Bp~Y0mg6-pZX)ZU%&FcCy#trZdWTpwl
zVxeFp91Rh+AqEsCq}gaJ9&#t*uBbZ#W-EWp7f<kUgTM%6BsrFllLnn8tPim}Aqy=P
zP|zNrF_du$Oiwgwwp7+4-Z340z{MX4vK28g@JvVeJHrF0%UL9_zkyq>CC~~v_Tc#f
zr9SfbnsOFgT7Ga}8M$Ip3(aBUEBU8|2q=7HkY&_7!Ek_*uLfNtrxzo8*8*+O(vX@$
z^bKRmC><64vPyu)sPS}EK+HxG7%=!oeG#B^;_!QgLlH>ko(O!8v8XE$kNZNpc0*GN
zF=Ut?&=wHKW{eu{4TK=3+&iE52A;{<`R#G`z)@w9HqVff#KU$Ew%!TwmUwA`p0vg>
z&%ArB(#{f8Y8hgwM1A#=77*fU3b{1r@+%t8hELEjLshsm%fMDKX{cqE((uDQ<4M<@
zlTp{y47F5V7(1&PmN9m|2*5O0Goq2Ot054Jc_RVnhk-~O0O&vrBZ#D4zHppUdC~i%
zJ$^U9&+rqvVGPr!92ONnNV+sJn<T}2L8ctjQqJF}X8-8?)>+`l$+Fu;<)2E4+*QgI
zvryg#u9t0QDhKe&UTjJ7&|Z6H3EAZlQjkE-hujLT8`HRH;XT^8O~HZW#*D$>!qypi
z?@QUl0+Z#Rh%VvE#kz<4vBKp{M|E;T`iUa`t%O}u0^I4df04?O;mYLR3=(6T8`H{b
zLb`N%BxtglKQFmH-4G9eJ>3<;=H+jI3i}&tL-5!V1`uevf7PRP>4wmwG?DHQ_DZ1<
zxC>1^2=Y6Mu?)Mww8zQZ+fgx1x;BvA+D)u+naQXDeG8E$Wr7cRI%<rJ0X|HwO<$O^
zsDX6X&9)U;uIUf@;PQv}4S6YwG=|Re(v^5`Cyhm=#l@DP^MTNu;Qi#|vpfR;4ve8|
z>(mCQdXZ+L#ANxzI|w%+CSl0S&MVPaK3mgucxS=f>t@bU^Sbojx`8mKw<+Vg<j<u?
z2FCmrw2>aLVg_R0uIznl8=$od68OTjl<4}n-Ufoznlt**lW+=odnSVC=JF|0DLY(d
z=@8NnQaEYA^vq{A21<)2G-hR&A3aSPz;<`Hwt*~s7|fsn-Pdzx7&n#5PM*s<#5Z>S
zK<v{oFfHX`E#^FQX@u4w*4q!SEBay%3``CnQpf)h|4dwonhzYew<djiytOxGptVUo
zERP0mV-IXR$c$1@A(ntpwz1PqWTfEH?K$WL$kZ{mP<x@K_Y{lPXlm%yw!G;%7dUSR
zoL5o2pnbTS))K5c=D*J0ZT7i>P4`~56PtDVUq(s19Rp0Eh1LQ7xB6CmM%ti(r2OQu
zs|Leuk|sq3&!<)SsT)el&p^0uT8HYarJC}i6K7hLpBf~@yK*pjdTOkv8kCeKsIHK`
zSBqAc4Fz%PuV>3m?7*#(hm8?+929d&iVw1STrxD8GdU#nXk4Q}WxbH&60&+wG3xLK
z4W>x_W{j^YJFP-<jY-ggO6`VX!&hNYLh8ag|9WM2pvud7L3^)F+1XoJM#G#U(V&97
zP?Oh<V?9W1t<=2nT5cfX%Io}nPlbYLEj>5T?4P7YwzCx~#&T!}N@HwoV>`PnAuqJ2
zx@k;#FjfqvM^(eFx<l^-e*}gl#_|Yo2<XS#2w`^@?v0#nyAITpu`ast#d0bR;c4B0
zQ|s>5hk>_hm|HAQ3x^OOeGfq(?;^ZihcRqi9R(oDs*d*G1$A^Vo4CsuFD@!r(NFrb
zGmZmucP*aXAXd8DdUpWxSa5XshKF&L1jyYkg52$~b{Vi5%c=P0V3Xd)LoV5kyE}57
z^;BS7ET`fdT5VB?%Y1kj+YPq-k~}51Z_c3XiOz+Np;=SxE7XO`h4L0DE~bS2wj0j&
z+Cqn7e@iLL>?vENJvAUq=I=Or{1sTb9(x(FWFenw<=XQgO%5>n2Cj*(p4e10qgygk
zL40&%0p#q0h($oQ$zLJ-wu@g?mDaT}5Zrb1tFD4HV*>3Aq!OHPtHtWdUIxKoe3z?M
zW|i;5b9>US7O<;tmKAo|4<RpI72-MK=e!~24yfRmEADA9Ge+6Y(V}uqZ!c^44PNSx
z0;-i`5fqD%O(EA?cEa>6T+qXw%ATe<0a_Y_Dt76uas_)TsMgf#+c=aG*xLv)XC_bL
z+qj>iDfzCp2w`g*%czamuF9%zY~}4BqTL<J?0f+71JpFV^Ky54YRE`!@DIwO%v^WL
zgV=yOVe;4>hIDGVYv>~|3o}=Mcoxg-I?rMPZ;9N?QMDS5#@0rRbHgyzWf?3u8nE7j
z4IG1ofu^7>&d*3awC{SnPl2Nf7@F#4_$Jw~;Tctts|!kx+s9^&q;VctVowD(X(P1y
z8sulI8If^kJ|Ey+KrpeE5x7!Qahfa;Jycoc9)OI8?uNY~e`H2IfWDxzfHDx5K@V{y
zJ0HV1J33PBA#ZG5doKHQWM<DOf(~Y2?NaA=v!^QDd<=K3>?gB>qtw3a_;qm6zd9;&
z2DqW30EN|Q259jI$rXk6<V6+6(^J@(bA_&1Rcl}vfd7!)K3b*eZm?~7p+*uM-r5wX
zigmFnzbhtF#6WH#_FdhYSXbX3kAms({Q9-rE37$%IclV8Tw{B*wQ}OT%DMcMMU`_K
zo7<Wi6OHj0eAeVc*3Pb~^1uM$b43wD=yt<T5>7;Y(IA{m{vZPW8sKgLw<d7>1Q~?|
zf}$-D#R&nS8YGM8uRi(pB9KfHKn(VM2yEO4kW3VqjF7ty4pdo=T_^!#W@}U9y2j|P
z;RV)L7&dU=3Bh<ZTJ7E^-}VY|=v3!U&Kc(X*>P>w@9YQE-O5h+X6bTdP`Dq(Y``p-
znXqS%NkdBDi$gGP1DF{c<uvrG(+QlEw$+VIt?Zl+<c#?YDT%alPD$x#tg)vG`j`vP
z=?}5ylz#}c#7{0PK{X$O#W(%T05OC*5+trkP+wM?H_A}0m%V*mWbL~3Z7k=b3|dtL
zlF(GkSorXub(OYcs691$HeDYiqj(jY5gz@hPp)Fh#~GLQ`e1_rN$QM`aOpKesMFef
zrPc270FW0SqC!o&uU=>vgca;Gzx2zBgYBt7!>NTRt5^+wOT>zW*sGspaBF%ghA4=a
zgt#?9#W@JJXq}1^3-o06)TeSyEjI>%lOOW{8Sn5blN}q^*Oe@Aai!ejc&Axg69S;$
zA0d~s`#+QY17Tf)Gz;Y!(@O6zLYMezsf+uu0eByJQe~uqL7bV22_0{5XE%H<(<C)s
zDoj~;mJmprxkBqbSlvHsyFFPJ8C|FCGRwb^m$Jl@2-iRKh3rPU?+{!~z*55q0-Ki6
z1WDIGTtZhPI%yxYA(W&-{p_i^7g2|Z%~xUDzLbZtf@hQ<d+^JQ=Rh&goij(Eas55d
z?u$X0pxxKeTA`M$ehvofJHE<nA_U_A(A;L1NEa}gNH+8_rhbAI7lYrU^#!=~uIhmI
z;gnk~P|t<Tb)H)b_rD+_6tN*kfOTs1sI{2PxE;(ZpoJ;eof3>`ca4<a{7xy#+(l8l
z0B%xIvZ1$eG5(%avU9wdOEJ_VY|1X$m5V%@Rxn?Sa&67pryh~Nmj(#)|2x8*aWau&
z5rN5utmImqClI3G3W$Q>3A}2J;j-W|FxahhL6?6m90iQ|!>h6Fw>7C+6pTh#1VXEf
z^Bx6(;FW90U(uqwHi%*?&0(cGo{VE~JhiG21DoKwNR0+lN1^~CSz8xz_O4k&oy1?I
zi-NquskL$i_71t-P%sR>D!mK*>!EeXy3mEazRq$|k6cN*w`$H)w<nt7=Qp;pcWdB_
zIJi+RU=OSZj|NAop|Xn-vgWdDH^?<esrS?dYYRkarF$rFrccOYyU#buxp<#JU8VcT
zi~<Lnu^AY#m7-eHY|9Jgc$|${52~l-*TrW0QT0XTIr&NHE%8`dM>GCn-_MrD7!fPr
z%ldz}99L<E`M&DC?3GgZJGwlhoG^VBx%3)_$vaRY^ku((7IHO51R8JFef&(o0#(Kj
zX|yhV*x~1mGmRHWADAx1h>2<b6Pl}Hm;A|)?2WfbKZ$?s`65p0&HOKFE%7vh`kdg-
z6eJHUWjt@-#UOS0=_Q;7;NVh113K9LmzC$Wn*ef<0|EIlFv`5500=m-;!wAw@+_qk
z99wKVXv-g#w=VbYoKJK5XE!+aBRR&cj$T<S?3>l+R7vRu&iEwodaHz2ggV<n;cMHi
z{D(g(Bo<GCr-zMt9PY;Y(?YTNvi0r`u;@Y)6oxNTIp!#tn;Os5?cz=cF`O(eIuH3}
zW>3PvKeJt|7sj$lEAileehK`7cbrB9_sOflg?Zp&v4>E{9=TY&2416Cmxz}-N2BHT
zvgAVfkL=z{#ULB~g3yO`Nnv`gxdJ}H+8ts@8kHKwZo3rdoRMtJ4)II4i56cbJ_YK|
zo|lXF3B%aY%f<JdVKkJSR=!l4%I=vX_Gj;3fv!>XTs@9;*N*-A7vf@I27mm8xXBSf
z(X_Iq;$2$NEx#0JI{nnf%(6)N9qfrK#fJnRd*Di3$gAa;hDLt1__z#yCpTMj5IjvT
z=DHW0Otn-CG*3l?iH7OHJv&9YZ<g>YBZU6}^+TnbG!_Sr+a59A3;cehqhq&}T)CNe
zngN2<-wa4C33l`qxm>L>g_KdD?LAYY;BNoFmQy;zEA{^)r*veQ*h5T>WGl}xR%xy(
z!wY0pmAlSREAVtZGjI~Qiuc?s&0!~IsQS9a735PhA-O~OAI{blWV8iOkF~A-g=lLS
zn^>ryWcW2K+U_^q)ZT#gmKNa@-7<j4wxWz?@D;A#s{rjCUx?k~`(k5P;QfcAz<N!5
z#mQU9Ph5nPkCYlGXLtwnEyOs6L^v0Uq;Mnn{Ul-2zJ=5BACx>S>wEj()vuIK<qxEj
z;#<OBZ6}e2NKST5tz<uJlUg#_avAb96|<U;V4f}?2?UYvBQswXfu$&g3Jm53v_-db
z>mnEkxp|O{Ny-Q0L{D~dlros*d~7Dnf^ZBO2n;6>giMJ8EPQ(YPnZ?c@iQ9q;cp+K
zH?{vE4rcG889f09AXR=SyA)H^N%T#dU(-=E42-sbL+y|XSl7RcW$f@LmWB{`<ATBt
z>CEg8Bp|TBnC5#etOmlE&XoDfPesnpn9tt(FYt8j{?s&s^U;CP6Q&55F2B&s;C|?|
zTDX!%w0Xm~qK~zFW~t<d^hepdf=H60S4u~_Xrs{fy$Iv#=ax!HkOB@DvKW|^(r^sA
z<21W*4_5hwwWbR!l7QZMknlvmT$;Q<gR~e_$3xin)|yC^LpdElB||kSMHsOX=vGrO
z9}i>4zBKK>G>ULa!>Ekxa9?SrdCovU0x5=)Xpg~y40zpFmd=q4gFH)c;nrWnFF|Yq
z`Xx93$YexzQc@s4^kujz$9IUXt|Ym_{|Ss7$bm4$f^KSqCmG|U0wx9wQ<KvoyIHSm
z%!IZOq`|>M84`GR$*aU^1<YD}Ofv|R%h<Q+`Us2*!p4BfY~C(s4A5@Z;7R7($wS!D
WUFJRGNraF=50-mBaEM62_rCxekFUl6

delta 55965
zcmeFacYIVu_dmY3Z_92HNFyPH7HX31g&KM<3Xu+hKxoo?&o0<dk+{OK0AhJ8V8MzN
zY}l}%qCR$Pk6p2M{Jv*y*$w)9zrWAlzYlqF@7{CIoS8c_cjoll&`{iPqG)@Ia^+T=
z%{CkVr{TYV|4#gu@!$N%U^$JAr3|yO<Up497n|D|uz4qVpZEB^m0ACCf90-mz3M7-
zKIvTV4BVA7`ZmX1ot+&N$5KHnC@2sT{ZbRXJyTbEXLZf>Ud71Pd4Ko*<o(wBrS}u>
z2i|wQuX|te9`zpa9`@evy~}&6_eSqE-m4lL*JLLq=cvi7>HVtO=)Y)swK|ukxrJid
zKTWO7jg*D`!BC_u7z_k_!Lm@uPba6S`HGaSCMPlEdirL7&`ViZxoGL^RL2~jULp`H
z3;BGpNF2p|<YgtMc-5p=FH!ck<fLy>Li1Gf+$yU;BpwZgd}Yx<oK=yhCZ>DTWP#qG
z#ji^aI&_&(kg_*RH!2j2#eLDTaLAWhl9#V7%2Jcz>3!&>Y+)*mxLk;)Ld~mk_!9);
zW${=nh+{OyaFwZUHJQU`&!JIQ3N2H<JhLH@vS`d7iv-Jp@eoIy=u(po9rbWep(vG?
zZ=#0EV!lu$5H1S`L#a^(`N~YEnrx|~p4~%eoAMN-Q6s?g`N|>zj;f7!s7cLi?1{64
zvedT)>Bfdbv3MAC{i$9>`N~4On)EZW^|bgL)tOopXrDS&Xp)YX`NP4mAB{mP82U`j
zXvHk5J}kIWBZ4KVpNouc3;N3Nc<8yZNF>bB=c{V63!^@l_Qr%xsXtp7lrijqcs%S6
zl*PiaRIlQEWsagI+cVTUI&i<Bq|T0YNS!LKY!=3F$6{!(KNgPQ6b%GZy-V_y>9R3`
zb*bL*^3-=Fl@)wAf}ye~W>pw%j{EShQ^x=vI8YXd#4%F7GGC{}bjc_>hfZ7|YAIj$
z7O9V08s!5a3}hgNS>}&~|GE4G5&f$-b;DhPH#M@SL*{ezNU6_iL?jvr$D?KOP~@M9
zOcbo4KQ>3wHU&c!c)2Dgd*WD=?1JN2$s!#4CN&(}Bv#<)Pt@TUN}PdXRiZbJofE87
zWuh3zZV3mD)vIu5S&u{O8XN}o$6-_uhna0~$j%X+ui0FVp=@E8;GLN@&+~+<*8Lx6
z)tSz>-7_37c&Z&k#jwkzte1arcU0Zd7~z4e5w;zkU$RaJA^R)R%eIsFYiMljQRHn9
z+f>yoo3(UV)vRTU7cHB+d{LsMoa`yk8FrzTMz0bS+TBJ7Y9$F-PP#aF3cc4}XrmUd
zl@qHtpgwhVYp>QK(Ogb;5$KLfr5Ut$geX&ON1>Belu+fQmxJr5)l{KWE!-$4Ht7Xv
z)Pq7Ztsv1tPDXXwsoUGewETo!PBu%IQR&vHLJKV~A<9Y3sNwdpLb297;gOTAbVzDy
z`wnWe4RT@wr?gtjO(=3QOQ(`L&`~9KR47uq%E?IvWwtb>?(2|8_g^Yar4yH8RVx}H
zc-iG76!6moyHLZHiso!R9#5MNh%3DDia><Tlr};RfMpE0fKK{FJMI5Sa;P=}v`B}J
zo-Da?gB;m*h3h?=x{1*#(Qhs;S6x)wRaRZLuK+DrBPUkqT|g%e2nDX89#4sFv(;5o
zsCJc_N7KF(HDx34Tj^A)KM<U>XQHgBw%-9QG@A30V5g%`2~O7|0Olr6d*&*>9Jk5F
zy>^LaauR1_2+X;#X1YEbs)plUcSdvtJv2aexCJ`^&5ZHlBaJmA=$Zg%P9k4URvBG;
zbzecH(Z5L@v#J!_>*y`R(KajP_O-6s=e^#$$9uW=Qtw6HbG;4Twch34h2A;d8Q#g>
zv%I6dL%sdIy}U7Rz}wYZ?k#I<45haFdh=09FK`q5chE6Om}ElMu=^9u741HD&$=q6
zFT84A>dKHo<m4ZcGqpI<CRH2WuM;sKE7^#TPcL5cqW@y|Eyy~4AB)vP9E>0BQ>(j;
z)tmNScfo;m=zvbqxGG9b=`mKPYOXV>2TNV4u00bvWeeJ}*93jy9s8y@^<}TnCiK^g
zWE{syNk5Jglbvv!nrw~ZIKHg(OR^bwMv^TVy^?G-2q)Iy7)dO_F_xHvV@0AC$Bv2d
zICf2p#&K+7Fpj=NHI9Kq496}BACB=vM;wPF%5a>WD72ye!3j1+$`fqNqX`^rrK@r1
z&B*tei$mM#IJ9Sj-{DLg+6}`YpRHB{d*Co4j6;96xJ_w~!?02uTIAy}+>3+PF5)P8
zm*QwU6AZ|;-lfj6tQ#FeT-Q0TasO+RbC~D2cfXkJc-HZweUS2)eYe&^tarC_{_MC~
z?4DIFc<f8XhdeiDogp{Zt`Z(_tyaGB)<`{-K0;jh*k0mX>Fq4cRG)AxSHDq6nj=5r
z{#`9}uT>Xjz3lqc`JDThl+qSUx!wlbhxVuK-+MaB^W+`UA>k73TWx^a>I&&IvC;dQ
zXN+rvtBv@H_N3a+QR*J$+35Mp^+MMA#>Nh*zg|%2WU<^HQ_Z_y=qyY~dHQr##&?z`
z2(-OYDHq128V+|B&PrX<r!!WP=?<~8FqU4b2kIDVL<!|gjyrmxRIZ%Cf3|KTl?$U&
zjeR={qf!syIFfGmqSy$kwBs~9)w5q`Wf(`@+ZL!p>5n~9XJJU{5a5G3eA5b{To{yU
zc(JoEFx9(%XJG)t=_rNU^rtxji1bT60%%{ldI4I{hnG2H2WVBN`V8nS^iG|PV=uaB
z2JZIccOR|5-5#m026R@sb3nyiO1aXF|J=J6wZ&5l2X<Cs9I*X<+>7#`(;q}1L{i`2
zUYG-_58+;j|7_d>n!(iKL7jyFExZcP;HQ!7QGBUy0jo-t4DKvcrUnh}tW@Y_PoY59
z)NTN}aKOSbpx&7txe|psrAmi%Rys0x>XF^$N(YXyaS|}fQ&;0wdk#4Eu3Rp(qak>3
z@Ly#^J1cD%d}l}CwWf#X0bG{4W@u-jRq8q1EaioKv&3?tB@NnzdP->2jX)}<-t%#4
zLGND<U{UIYVV#9SI(8d+tbmnCWo;@K@>8RRcUJN^jU_UAsX6^Aqx+lD=NJVgm*05M
zEtKCidc^la>h|3^ioy#Yh!?R}uDFXdL8OJZh~=v7VO;0&DWI?=xjCj@XJP7{qvdM5
z+xrk8ww@{X_QJc`9lPAin2JtG_8Rs`vbV1`S%BkczBUX<u(vgsVC%~CL@OM}B-}U-
zWedm1$vD*ayzBR?k5~WyYq|aU0={aej(rm<&#~QQ^S1R2%Bpj3a$V-U!ExCBg7&@U
zR;!ee@?>eXc)4(??XJeg3)KIWiFE1de`TWom5EHj>@=B(-l>zDrS|_-Ia{A9kefrH
zXv7bJ5aRAXNOn%4tF72}vrV|lJJ0i;XNv9StT(d8y0^Op*GlI}=XA$Ajx+4fitpP)
z+O1kUb+=lmT%>6766tfPPOKEVHa5;x6M~#n3`X=o0~qA8^F^=5bS#T<4DjJsBvno1
z$jSBwARdIQvNYkBld}xS;;`VL{Vz(@+M<L_PD%zCtfEG}&J%OAIT`W=0ozHvUKg8b
zlm7<x9#%YVE(V0sGEyBY;-(=x)iP~LLXwk?biKt|uY^-h7U&R&BJHRsB4p|O;en2B
zx;P?uwV4?enet7!zHXzDt+a}a`vi!a-uz3-(Yj`~!C-vb&@(YZ@S($++EVMCQ9qfy
zEWI5!kr;^f4n!}EPh`o-mPXqFc2f2ZsaWe{$cvB>>KFkxInEWbwIK<IoXksOx7KE5
zmY>%{2<cCNUru^&iZWVjpV>JN_r#9R<ukC!G^Ll|(a|x?h1$qW;wK7}*4m)VXWf3W
z*tPd`r%;XwcCAgEtaOq|_DJUoJ#5!{*Lc46REmFQ-5?yxYUNJ3U9NS`x1DD?HrRi%
z57(a3`l=790p-@l#xo1A@C&EONol!s7JYN4QrNP)aM+grH?+CwiOKPtv}u@_RX7F{
zGbbyPX1eodQQ0Uaf)9kSyDZU4PWCbS4gywGTatcYj%cT${e%K-VP@ZBrk7~-2~AFB
z%zY=l+aG)o>qug+0xkGnYNG|x&rwIkeIapo%k2BD=cy%XreuE0AWVXWpQT(H{j;QK
zzRYTIuS6?P7q6$@)73()@-&Epyceoott`<|PLAP^Hjg};)wtF!J$cWjZ-xlXwW*0Q
z^5#w)=WM#btIp7Rq#LtY>ucyOFyR)_txM!iTF<m{pq>^E7uss!v@W8)sl3m{e~m64
zfoW8ou9{<MG<<>FOq-D|Y>vuEbapJ!OHM+afqFT3tTsGzR8EW%T50h##aRT1lOEYB
z<n-y!RJ|>Pdu;ap+5=iZy;99nw#h$wXL~;KjLv!{YoPlPcW2l6F4?)t@rmP1`wQ}1
z>4Y>=d{*os+#?j(wx-VLmrwaElui%??V}3xDFiKY7yW&lVT!}Wns&O#u1!d{X$JZ3
zS4y>L!YwC@`IB&nbLW|ub&J!Jg42^}&lt$|$4cZJtz{xxPPR2lKoMZvTlBlwLSOIZ
zrRQC`aEaDAJ;7%X6ggSs8!O~%HHiW_>F4CIIvT1>&7N*(9j%)zwAB3RNmNJ2E>VlM
z(oEe0AWm}6R@-SE(?h1~p0vXBl;IFdvy`E5f?CKy+g}z7v}u{oZYZ3fFVQC<Z@G(l
z)d;P%0qLnWgXy8PW(k*^EHZj#!%(rEHa3G+>R3VX&T;x$IuRExn)0OBN$;|=(o0rT
zHJYw}<2n~;*IH_4q*oJ;m_;SCr7Ue!y1NXp=RqY$izIU8WCx=`DDR~16VdQiX(Dy>
z#zLt`8+O_tROPgF3U}DX+g`PKk9%+SZV>OI>{_8<(?zydvzBKK$trb!=YGn4l`z4*
z$lcFfDB4|Lx*l=uaLse|b~ST;>U`MQ=&W~k7tV2d9UnRlIxcifa|9il{Vn?e`xg5I
zJLFpJHEo}^NgJbeP=8mCsn@Hk)!}NH7*c*vo>q1%OO=62u}~p@BR?)*E(r1hxsROJ
zT>4CUSZb8&g}0?{l2`mltQGEP>{BdrscF|fwOkaU<gF9BVDG7zE_6}C{LZt#D7fRJ
zI~a(GM_p*)ACL-dBmg4B=pA;Wvo3oLXH?2l$47NhTI-ODlyX%l)qk&Nl=5jh1Z80@
zmzRZ})ScCMIg?(MN{;qfj1jTZA>2^T<Dlw$<Z{t=KjqH^=nW2<){9{&v~VV5$W>f4
zWWuV_j^Ew&Ei3Q^okRiQWh$8kq-p%lL)%q|hgb3fjZZ>Qoy^2tp*=k_3#fbOM|S#<
zTG!*0q7m$LEv>;xAzr>QB7yR^rc&Y$=q5zlU(|6n5cktqc9N)JHlA=j?Z=gJloxv^
zD52W#bP@+x;~t@^IYN!FlqRtLbMOY8(HtEMW566xNzmKubOG7t;&cOr*y(DjWv9pJ
zB6hln?!!sBiBtWo5DmkqWX}_79Bmk=jeq7$@*PlGc<Q2ox?pH}8{0`<jUik!@m(q7
zg{!8q=H0^YUi2*V2CEH$T~`xuoJ*F7X!cw5=zLWD4SfZHUYW`7jBd_E?tT3C!r>TX
z+dH)QY+#+BT{!78Oc>8P?f{iCUBXJPQc&9R3LpIm!>}w<yYl`^fYj?687f-{N<T7H
zi_%-K?gtswea?Sh+?Dm^PxK-~l9`@H>C10af6ZFECH3csF0^40Zf>WW7oo+I_}zI^
zr1DL+TiJdx9*SV)3FQj;Qn_C4CVQoir2D0drRh>c7$d&xJ#PEmdy{vA_Y7~jvcU73
z=LOHTo|WRAo}r#rS>I<pm9;BtvCu)-nAJb4Q0e3T5<Adk?z!%s?p$G?>p!jsUE5tV
zU2&I3oap>eaykz>FO)wMMQ5!u<m_&DyzMyP*y0#3ye3vUx;g~=tKzx#o9!FyXWBa`
zdD`#VG3|P7jW$AlSZl5Rq&}<eQJ1QN)MDjiV`D%1eJ{qoJAa%dN%oet<Gq<!gua_Y
z9j?JMx1s$w8Dm_%jlF&?NxBwyim8g7if9r}N+GARYb~Qvz<*b7WXO5+9>Z!zuIqs1
z<@B@N(EV(nD1*GlakF>gRkUrTORhuzF6T%~-o+f6%@kQen6j@2jnAkDPRen9yBew~
zr7JJI@D}zSM=0-KKnhSFcJk8#cB-N)a59uvYu`eVxq1;SKdS9xMk#e5UXES#TZaB3
zwY&jStCj}efKvbAs2e|Ev*1G7%Rpc9x|wcH>A~+-A7X^==D)WIY<ga0s;k!C2#OaQ
zddQd9MI%$aDFIGH*BH{6n*jeeZDOZ`wErfy6r4((ff*;>4AA>j$xipsM0R?d&c#W2
zMt_77)~<iiy9^|9P}Mi+ecKcKsjl&rQ|&&XtMEHrybonnL%#{-o={<^PN~~|l>LCW
zhbhHqJFbN@=^+L_!of_Pr<8N*&;G*RlTWDkE$E^}H18JRzD_%FQucC$ZVMU0?esOf
z^A)wY6(@}bveTnXw<na+Zd@q8aO~<+tmi)BwS1e6MQa_E-3HY2X*f>G3mj?sGPW$d
z$$#&9fRVqKHnC~x;+j99fPQDl0;i&@bUAKEKO2f4XyffdmoB@q@Q&JT9c)=Ix>aY`
zK3bh1uNN2DI;g#sPm~9hs61KrDK2@-fc|vbI-!SdJAfUoik7U$oZ#jNe%Y{6D5Fm{
z2p*vy{j{M8=KUM7b~nLnE_d2IvG2h}jndnK(C6Url=PDzR3GfOL;6S%dQ(SD?O{j*
zn!1nc!nhnroyRG8(&mA^=vO;1)@7?;SE^(>d_roK`o32o-Tnfk;bYZm7QO3G&(aG*
zt}Uj0PPG8L;bTsn@NCAC52f2(>Mk9r!K*sxcDLGRpi|p#D-vB&R)6>PZo6xY^Ht|r
zj@KQNwF3Jy_MYDP+WqQk<pX7k{Ic9%x>m{;8$F+RCS|=Mx`akB!5eLB)wTAuuo5|?
z-)s%qe&OP<VMk*|el=^AoLFK2dT)i}K<m>iZQ9V&O`BS=!C-P5C@eIkTF~HFIi&U{
zQQ4WVlxc$#Wpc6~Ctgc{cGngdJT%Ai-6M3+CK=Lz2~l=FA-2-SW!8Y<bke~>rMWiH
zVE#BV8)dEEe>2DG>>NiN^s`uzcQ)pgr>!ML8r&wo&y4X@c0YKKOMVqyw0MiCX!A24
z2ng-9Izt^|6=C*!n)3ieY*@vnG8?bj!m>x!bJML_kO6oBwp?{$69a5ePR=!W&WjVm
zaBW1Ixtu{89u|Dg4rq3wR8ICb&>%%XUvo&P(7L1*15E@O-JFb8PNCQ9q;}fqj3;3h
zIZe)dcGJG5GuI+BcY=Mlo{@D+r$L?A)G4<8W|KwrJ^QyFch<$)TIDzGx2!B>t?f5&
zgZpCPH+ii)%XP7|)|KVFSX}GO64uJUIW87|^V-zktU0K#IVdvvFxZBqe0t#tK@+~#
z&9aZ=gYAC)Nx?3>o3_)sLKVK4ZX<qOhwdGuxafuFQ0~z*8eKF}a)`DEG9bgA7M#NU
zIsl|yH1epRdG1r!+U(4zf7-l<eS@2-K|M#by_P{|!4L(MU$qFK|NASNXv0pxZQIP4
zyit`Mn(c&rt!<Y6bdGt8RwRn#WahgDIWAq|onx%MpJYJZ_DK%A?Q>6qZB^TJ7d2N;
zv;KplPE$F`p7GiYK<``;WUtX7yhF>TNNDVJ76easwRM4xM5hS1>j2)fBU#VxwJ@Bt
z=zbXlZq*?tx#|3Q!Kv=BruGza{VA5HbC<~p%w|5eZ@wqxsI{28=3p=0CFaqF-6AMG
zn?WgiBWv!_jM^T4M6maM#%XV`71@%aAj*Q2kOVQ|Y_NajYH-=Sf;S-~-8Q8`ZE!Rw
z0(ju0)221Z2@S?~)#kBfHBhgUQc2_9j<om~`n<M`X<)VsXVHtxRMd7sM*YL!1fbrQ
z@g!_gYH>c_R$6#2yYA9pOX{G-FJn(T5R_EW_E`obb1rj~kw?&#pIT(>v~D+h+;j&x
z>79>7O|vDMwjj?Q2=gYau*$mZ0sSSoL<ce72@|v{jkR;Bs@iQ^?WfVBQJ<kD%PqWI
z;d_frj%K^w-C$c_Ou5nD2`;YrHRs^sHfjN_`%EqnZJR9uc>GU9Jbpt4WcxT7kW)H@
zKYwix6_7tOAO|`yoNtU$FAKTC560bBgj{u}%_f=?2JOhBJ@2!*d!>#tIwe{Iaa9IL
z?<#Ot{I#g<0mX}LPsY>(rF^?Sq_!t$;{kCYp>?_HcTGDfpSFE2s-reB21FB%+p<!w
z$D9s(b9I!wR5-3}lG=;I{WI(8Z8yfkv!+)>oBW<JV@4oWR}TrS4by!xjKs_!bAJ-X
z%C)JzrMYww{HW;AIyt7=Y>swGM`}rKJu#gj{d<8rKsu*5pJr9)Y)TFD@;O*pDfk4&
z4e(3)qDla(F){DpxuO6jrTM`+S$IManjP$@3O@)!?!lIJ;a=h3V=keWyveCevyBsS
zB)b6J!G6b7u2Fbf>?b}cUMc;i*|VO{x+ZG{*G_!Tv=h)x^mp9rF0yxZeeHVOMXs~$
z<DDK?A6LGRBlHwL7Y+-T33H@t9b28<oR>-~rJ+)(_?>z{-J(uVD^$UG$bLY1P1&bx
zRK_SB<?eslw}2nHQC=^PmfJJEi29b}1Mfz0p?8cH^mg?8scrJSB<6c=ke>If^NjYi
zbJl15;{4n`Tf30nA_>-CyVus0sz-v2#4DUFh+TvSxpiLY$C<_@OBvJn3LRz!`xV?`
zEaXxT;3@BMgz8eMT(kWta&GgCmm!}lqy-{w|Hf}G9K*`rNuy*?zJdlzINeCg+39B5
z%TBk^bL@1VZr108TmeS&dyUa#HgTmjr>>jo=?0Ke4s(d%dZ3%L4THIE1K+5KHOd0L
z3F}!Cp5LjW*xPzB_zEa-esjr>0&ZSIn{iioiEdZ%m^0{GJb>^Jvzz1PcoVn8cQtw;
zOEhHeUsgiau^qz%rcoa$E$MX)=<y7vi}U{w%az5vF6PmoRO@wpr=XWZbdDY9LAryT
zD(M||>Z&^%P#;$Dr>2L-MGiFiIbQaT-H;4~PW<<?gPCmCkvvWyx20}4DXsJxma-a3
z=u&p41s!6i=JYv3$l(YJhqHn9WO#4vc>r?lM#I-)feV-oyxq)aLW%I7bKeBYbo#~x
zZ-FTcqPsTe1l_E2chC|ys&dk9b~;4QxPiKa7iMl4P=K{U=LtJ$7*5J=Ub4D|=|=9*
zk>I4FjN{<MS|;^wqjnw?NYZEz24o(s^N2ODxV*%Gmu2`~EEx^m)Y+WIH^q>bCelVP
z27Ux5^;V-=?zCOXv=N2ycq5NbEY7pp8|>J|G@II>Vsle$a)WH!@vT^T5DM(q1YzjG
zuZoppf;7Z4!B{bwgWP+Mh$>Tj@uiQs%-Q|=Ht~VAKsp^kpALJ;Ky%9A0p2zc-p8UE
z((k{V0W#e39?Jk38_;13l(REOTt&Utu|4fM1KN*qPj46(DG?XPtqT`j{XW|>|HtdO
zXxo!Pr0i=2L>^2-%zY5zCS%C>K4Emjz6_Aj3wIhIwt-r^f?g0H8u=xo{!ki;rrynV
zv3t@GyRqZ!PlGlYU3drEJ#yf&=v6)KvIe`yy4E{)Iu6>O(LUGgYIkLXyhyrGyiGW2
z`^w&0`%zn}wNMG7?Mx*m2c@p!aq%W`wD8OS_^<E(ya-A-KR5rd@Y0(kb@Ar18QP{k
zT9=qquO?m01(^GI!(Z|^*r?(Q#46qYHxOkm-m$R1%pYQ2$Z03!Sk$jOA=l1QlX*G?
zI3br&)>hH<Kn|D1!+~fl2oL0Flfv;xL@zvXrr|t1m*Bo$MBiD3nLm9z8i@tUq9Ol3
z7oJ{cdQLNE#rE{kg<@5e?mG>4>|iJs^25-6n%lBj^Q0Nfr{8ddKQRQx4!FK@BUc{1
zc#&AqRX5ecd)gnvvzNu2(uqX_`V-8bZg_^zp|9VTy3lJEi-s3@fSLINez@z$A_1!I
zE9NUhYt_VDdUU&7ON@7>JGP1bF5z&*=P!%G&Dw`&wtThY@ca%0;5@I_Gi{ohY{t5o
z2NUR~8QOP=HBj&_5Bbqi@GEcHT~<pcPsJ1K6rgu-Qtc~ZbNa2?YHkcp{b7HUH8-L+
zcm5RP*_JX3ee0clO<W94I35W3F*|}j9e46%gZg6T0MML1%S4X&0`V{&E~XQf>n5p5
zs;yR`$%b}--t8wE?)1SR!Ucl7KYV@?28al8sF|oHHnDckq?2!oMf6yIvl)Q^A{Knn
zU=)KCFtC?QP?J%H%^mxLbbNqCn|bxe1L)8|ENWm+7;kvM>mKyXn4e4c4YVqN4}CBe
zWIp%^(O}K7C#H?Vd^aWzSU#1mepGBtHx3ew$OJq>FcOFc{fN0RYFTxbn(W8hWSP0R
zpFKS_SoBTPCmNzaVnJV+J<93tN{r6{onzf@^K^Gd9KYHNm7UVf!uF;+iHw+;)Bko}
zEw!T)>##j?w_dI_gA(mJX-ocUTK9~^RbCUB@spc6De|mz4dX{MKy#m$np34Dd1&=f
zsaRM=mmU3Eu~E-SSN*+M0gM8P=XGRwDVxqDwEP=rhv@~$@Dny~)JU7BuAm*?iM&x$
znAu;q=F^Dp#T~lNthyhB_^CgL1(0-B{s2t=SWNFk1AY`AXGr6j8tP2XGS7r$2Rm~N
zw#B#9(KU5qCmI7K4nb9PT*qTdBij25h%Kf2eldytT~*|wMZb!Mv+`+oYkw14G<UiZ
zwh~)X@IZETCY+)p=@6-FnOImMCJ|jA3Q0k<CB0m3&9b>0+%{LD0`E__B0fD5t*DEI
zrw9D?5w_KI()XLPcCw2u>C85zFVhfnQ~FN^$k>!Vv_RO7ztt~J2B2%%y^6`>FJwTr
zuVMn%lNKabIH3Pt929fGK=FO@B>VlMg@Ybg%eM6+nULR@ocB%!Wa?#%Q+Xu~u^apG
zn>y%`8<^^C4MTd~fUK0z-lweFxHxECSWL?;86bm0xm*YB9S3h7+YK2~9wfnL-e`qS
z-}cv^c87+4C^%rK<j)9RD#wl}5O@o~d4cORvcG}~<Gp)CO<1Gj@Zf^m3s{f+oB?6s
z2BPiv49MX)!}&M^GOY)Le56CzfSRmGN(XUP&KSO5Gq4Oz*rjO@EovdDgKa-CZnBka
zi%r@r$>J7-4cI&l9w94{CAbrC4okX3XVNJ-HajHyX1k<q)+BYaDk+;4N!~0=P_t|i
zWZRa;KFyfYq?52o7nFJ6#)e@`RrRo5Cx_JD!xSlZXFz(5VK_HuK(cRReBoU>gm=}Z
z&n4(O8Z)~6|3jDZ`Zfh+(7G{$dTkM-zB>(Z`78W}mgc=Ql(K7ByKc&aY-Etf(-4&O
z8C`uW4W;Z;tj@P|$RjG7i`%UWm-)KAZ<Vly@Q)0TF<w8WL0M6q+1`@T4Yi-j`E>Pt
zq6#~#{)YMShHcY-FAj*g>V+BDtkdiUPrpvb;oZA!3Y&Moq#<G;M(c9K5?Z`noJOP9
zs!q{%Zu&MY{zS%joYRza35<Qb4UDEEV8{U%rD0U<W^?!A49Lbm1Z}YGGM)F`W%D-k
z#IkDKOI#`EeU5kRN3{FYcQMu4$^)coahA|v+r?xYHtjH3C2_MT37gp;W-tC|$pNva
zY7@6WcbGb(uo)s5YYc8~R@xbc9vqUfd$ZWUP?$MQ(zipwP0bjqCX4i~9?m80>5idd
zr5?(N0KP~d7!C(<qL+q=`D$YP7&WOd<a+w*PQ}ff&OCJKFtY?0-Eh<&2>8n)epaGD
z5zkbU6Lel})NpYqy*J$A3S!`7d?7>=#zR4BH3ChUbcVr3&tgGerS#+o3prjE3dR|0
zhcG(5-BU)hC{NA>LU-Suj*hgDK^c5tG*||<S*JXHl+kWZS$A)teWNVC4}3!)5Ct<H
zi=WP*hjq?z+(<Pku_vEH2++%?=Nbf)yAOhm^M%0O2BS?w1Y=RXaMC$KP0rQ(7`BTM
z)GR5O@rePjx4xL4u`f+)j)R9}@rlX2;cAj|ZuNv++es&qps;kaV2lz%6T@h95FwEP
zx?{6Ypo|}84HDdNTF{s+LM3_*;kEFr1z!}1qs7tF`CCJl7(Y}^teD=fx4w?E@G<Ik
zj!+o^10D?dA%(<!u`rsJW{~6HyF>99*gNz=+*hVQM`F?tOD2Lu<77UYIn?G{^T83z
z>IaVv9yk>FFHM;~*pf_4Ga2QdXLdUxJ0p>3JP-k=9c&`n#G=Nt)DE(Qs<+OAh0}h%
zP^pVH2<r^RBLO%M$6`$xMXT`mfe@;u_a+wO%Q@5og-Qv11rl9&UxGu8#DnO4FvCqn
zI-~Y^1Jq<EebC|WrF(bLcNYj%^Y!vPLf03MfI0r>4q$6UuI+J~w}WR?)=Kwo*Avb!
zoVkv;y;eI<y<K@t{!?xz4HuUQSJ@sH#(Hh;gv(|-?iRGMqV-3$$Ak?oe^p{^Vg&>M
z#&M_Q#i>WS$O>O?>CV=wF9&1m#|r>SDFRumEF30bs+{LQq2*SgWvZXc@^o(-)mLGb
z2*)C!7=m}3jsRwZ{?^namNBsdZ|O37xFW!r33{-t>dVy$Kw^u;5LApH+qhNd(sZ44
zNjud}kF`@PjT*7CgnXFocwd|LI_5Nw=B-IAF=||)`uK`WH?&u)s*J#4A6A=i5F(d9
zWR82B-NGC+MA4eWVzbHgR(sh=x0b7wm1c8;af~^{D~Oa$20dN<BCGVR9Z>qt4r(Rj
zN!Gu9EMBM;vF!*|&nz8}8B=C#VqwO!KM#8!-P=*EGM*i;RyYI!FdA-JxmCO-vB0W)
zN>|xI4|Y<k^q%%Z_V)SXnDD_+oZjoI=4pwV#MuV=3fk5g{d{d_#NqR{0zDcJh47@I
zc)&uRZ&82y5xmhicF91G#G)ZA|M7UlLZ6pL_aO}b>aH2+c!Y4AMREHqbU54VGldpa
zK(M~P!t8c5CKL@LFF;u&n${mgP#CHWbJXWpr8k8U!GC9^TBQ#fN(Uo;1c9U9ny#=2
zd^bzawo1d+=%oEsY9$3<k~*q2iF)JKiXA6p$BrN63Vk#|)*p;w5h;uMnhu9Wc5Gr6
z%IdG&5_&ie!fy()F_Td~5MpzJt(lpV!75&pm}yo`j0dK}qHK;PRvlkB915UxnEn#w
zyck<7?6$DYQ{WCbzPINp@5qJ1cebz^Rc=tq<gL<ML2(S&1Vm}!ShI{@ZSFRmCcUW(
zY*UFD-O2uzcpj7LCNMQY;m)@q)YVeq+qx{t!(fAS&j7L2&UeHs7@h$dKS{|K`%a@?
z@9LP7xTinU1QgJZ@9IKd8kR#}yeH=6Yza(-aG3|84*y!8Go%ZBnJ;&so~`92bnG73
zC?0uK+)lTzg}$B3qfm2jmk074fo`PN<6=jc#%Din3Y^C6yZ??{AWWvgM}P;f6SU%p
z_$P0=rAMH7Pl+W606y<2z4a3_n5XKeMbaM>tGMo6j2K{MU#g!-XFp>W0Phr}@U!Ap
z9hdp(QqQAe-p*`6=>lmZYn#hszeTN<eiu92T8YcCXg`LS`z`ii=z>nVeBFD?Y+I^N
zzj8h9J-unXaRI#19&VvrYPG}IP3Fvk56j4*1a-F|>vNCr?Ip?{hB}Gf9R-h7<{(Zj
zPDy#vmcB#iP)p#Zl^BUq<z9w6o(1Sv5%&aox0TXH+A?=AeZ8cKFVG!J;kfm8+&mh&
zTyP14XyWoF=q*<WZ#PBnE)1lHRvJhLQDF;iv`g3Bi7s3vv{X8E+OlW>^;lzK9$O<I
zguhA6oyfIT$nVyvldjR}Ys*^Uy3g^m_ONnNl7zl+Bwh-WT}yU$ed{`+-R|n={L(qk
z+1uI79^Bj~vE<-2VaX{-n-MErb5tM2DJ<fGM^faH^Et7B)i}vwbhGHxb9fuZQ~vW}
zPu7Dq1eW%agV7hneBL;IJ%qk^QN-jJI*!&%H}yN<X4_L}hP0VcoXD8lmQ-0M6~N9u
zuntI!*g<fyg$5nwj6z$FV8k}}s-cEi8FUQZ)mJZ_V-e%9b_fUVGh4@;L<nLjp&w>T
zoAhU3F)j3;IjC_Aotk5k121|G70r|G)G0By8Y<r-<n25ls=aTsc}BR`Id8VVuC-In
zlp2KFgez^2s-l*3B%Pwm_&fcY!96yJ)QycjGh7O49YR4iHk`zmghNf>M{l;Yy>voY
zW{*?^xGsWj7$S`;#I0Uz(L|aUE0@IPkqJ9FKEW9APKVn;9^L+lcr9yn4Rej*ml_p)
zEf!+OeCyK;Ox;pVbBjbT(P!dCRvCVy6wwE_er}<gSrKUB7a~`~fw}=}1-GY7Uz(T@
zD=*h6;a3T-nCkBmv#HP5(1h_;GW`j?_O*Duj>j)Q_(m+1@iY?cxC5m2H%c|c#rp1d
znoq+o2i+yMqA%_Ry_I)0p$Dx?h<e{GF3upzG%-|m4<22h_&pgd<O&!*<BVFEK8A)o
z#MdNs!eW~z>ORZ4$bPN*xzb5oEbMZQaeVGbI125z+XrgzXv@{lC(OM7N~Q^Oi|e%E
zn+H~4rTRO>p|4%VTRPa<gphLR0vg#>nFm{)+M4#%$p=fuXySxnMTsKuK%2VyNZ4OL
zBU%xO)J4$|Ysk?-J|>+LIg>7!FZE<@gIrxXmbz{h2GB!iOAoUron#3<!>RK^OyV=B
z??Q8?L&Px_I~H?5Uo2v8O?Wgtm#wdJH9Q9fm7fDE>iId!YQ5{YU~_h^QXq_?ExG#Y
z$@eE7TvkZEn<>2O3|Ob;N(Y3`pV1tc7&fjN<$inQ%v1P2Xn~@T&SLo{MHV_nC-apZ
z`g7nihL^0U(4>Pkko)WHX7~9zsJrjcvqcJj4@<V%JeBUrPJ(X0rc_Fkg{|o=9V#g4
z|FVbk$u^#TUTMyXT8Es+G@0hBV_a%<U^V8?IC^HaiCKN8n$J{>*XZ44UaD;V6p(Kt
z6#V<wid~I2atH+Ck?Td32CuVT90OL0S9HO8lPp}Dx>0O{Ie~GBw`ZeRNCTEh*|hyp
zshrNV3zNxofeMgwQwFl`7DZod67yuN;bSPV1k-@OZzr2W;|PZ+jVhN)+w@kaVHL}y
zLi%ha>Zn;J8E<GUYvI&uz{qa+9lPZAtHoj}T`n2#mU&mDzm}uygR4=t!wR!3?~lVP
zbRB;UnU^Yk@t0E6zrc2r&D+DXI_qxtN%u0>udc<;1CHk$MfMu4UcFv<MHw#NFSnLb
zk|<6Q?iPHun?&oMuH(+SoGKfn7G(%l-7a<3|HN0s(fXh8tMT_dHQc6@%LzHzpY|<~
z&x8B!!fJUl@-f`IP`*j%L(>+?*T{*iWHsHrUES{JjhA^s-V$s^@agVA%Ny0H$j<Oe
zqe}3voqwr%DK^|wm#XJFyW^c*R+Jbg-%D^|znI>+OpUpFCA$G!!@vm!Mo0{zQK|cL
zn5j!7I~~}ej+N#o<5ajq{Tk6P+D`RxxD6cLson`Y#YR#;bcR77F|2r!G?cntsdk{$
zD{?dX*X8PZM+i-uh8r#P8-e3;Yg&4R8ikX^zAMx<@PBW2rMkiCX9PwSO)uU@i9PBD
zI<QOa>GT=E7KhV7@G_luq5ewxdYAgh&b_KUC>I<TWa*JjWa$~&1?mCi-|}B_xirFH
z%aZX#m*iANv~BTpxkgNiNqty2oNn4JuW(?as!3EB4Ei!!a6e?dJr7wD4h*i)w}b;M
zZ4|x#fG%!zwa^zn3<>ADhcnP2)-n|mlxG%t7YjZ65QMoK4q3un0OBtUYQC}n?0Y8l
z&L%pxR6n=r)6IuXNgJuPLOy>O4T88q-vneX|8+8oETx`fAf4><TLK1j0nlm1LS@kZ
zS?C=tbR<V{(rp2`N>?3#x<48TL+XcZ^6P+{&r}B;fNkg-Xk!p|n7e~=rG<}_T*!PD
z@y9Ld<yQM+6@G5;po1aV&=mOnu!4vDP`AXwKKeE$=R-7WZ<e676VRSRVc8U4q1W*T
zAT&a^5};FIG-yns9cxd&F1liiIl9rPNsy`@kI0o>b)gr^g*dZ#mxVJd?JPH%u8G5d
zx3y|4oq`(gk7m>ujzIv1Lc<?2+t<dzhVQ9^4#cePh1eJMg=3Jiq4zMJrnQ9)$5bcX
z9M7N)V=j~SqR}Y5-;F<enT0*<IndtQErWI-6a;njRM5n3WnmwE7TA|}&%pLWcZ2kK
z&?0bb``AP&uuZXbTLId#yN6tvZT68L+8yL{^U;ZJasfu6r9pcsO@r?}UDMNQH<T^D
z0Q8!0K8TwwLD;V$<@YKP9rUkWR!g8$j6rJ~g)$~UIUh)QJF8`N=pD>dyV7}w{Y$Nb
zQX_2^?ntki_O0f!slT4~t?cigU<qe(ARU?`k3W5_+`#xTAIam)eS|ON`^Pm|*$<AF
zO0k~2HXcZvX~XQvqxBOcV;|+0=TDScVYRtwB9I_v){r^Hj4jl>RB6x{DPQW7sGzlz
z&06_R1@B|dCe)C5sc~GI(oAedqozv6c6)59#N#Sz2)|0`i)mnhTjv2~UyjKw9vh%w
zM}7wE?bf(lO7*$sCYrucw2`->Gu1XTcV|>vLRrnl^!6DNI#K()jQe@?{Il3&*LDZh
zlX)gp-d=tKJUC}tdU3X8uJd~P%O=~x#D_N10|9twgrXJEa3oj}I{kW9Xja8^U(ipp
z-xMQqqAx5H8yreMrmLzmCeDhsh6Sn(bBaOuUUWM2TG7zV>5+JRRxmItw0Z3k+VGp$
znGNk|`h2C?$(;Lv)i#s+VMbgUG+ZvAsq5iNa&)!1!vi^=8*6E8KRBe+4^x{__DZlg
zx2}=K>FkAxQVPy++gh_0KF(|UOMa?fXEGBU)~p7zXav=+H!)8x7xQW30AO}mE*8-l
z8%)CH4Hdi*WWwPT*l3pFY{?rN&FRT6Ki(u2Gj?bgUG+ZrO3n@~9wc?6`VSO?o55uX
z4f;?i6oyjmhbGd=kD$@c`baUy`y(YpPk*XpQ|MzQ%_I$?KR-6<puQ4%_dhyoO6p!Q
zH(&l<-U?>serYt~X4eTn3Kt1&5nBMgb3Qw)bk!#dINQ<5_C5SBl@7GTqr`D@zekzL
znq5osAge{q(IpETp*wkTkXa`t7l)~IU@#tF8a*@EMCY@4@et)QeL&1h^ji)3Z7OXW
zYGPsp@~C>aqEYu@iXq#XuvRR<Vz`OPM->)$KRN%BF)AaJ%;9FHc`6!-c1%8)_*O(7
zghCa(aLp*Cy)h{mSNZWMrI=c;z$>|ZiTO(M+Bz&Xd2fChTn0h!r<D-&W-K%DF!&`q
zmz!)ft}rI6fe~6^V(=C|x5DJj`Q^V?ip7_nG<ckj++MK9bp#rZW{z(5>Du|+UT{io
z&+P?QGS!o<36H}xaK=9dXFSd-wuu*KYz5h+Sg`l?wl;kjFd}dpg0(Hk*K78cwy>7>
zUGHOqeCd73+>(9p<Ov61_QBCYFS5`VeUE+V)ej_-qrh$xN3v6#qLlps0u4aC(8RWb
zL(r85Z+s}390Ir@WORj-T|Dl$Dkw0DETw%P!DI2nM;Yz$Gix17)EcMOpGx`I_+a5Q
zHooPG&Ov?nv1FJ>zyt(i;W%?h(($qN!LQ2L%=Z5ZIqseRNCtz$$ijOG3|%NpWuHoH
zpG0&DM_vi#1s0w6KgmFj`JinF>8ObeQ!Yn_5kohc9Qjo8=?ZPo#!APsiAKPqWvY(j
ze#;1wn=Y^0dG>#nQ67cCK%%4mYxx|ju?_G<pw#D*VFN+!p$J^@z=*}t%6OhoHEtwS
ztx04XrI*r!3VNNs$S4ipycpcN0zT9JVx(hDx7}-$UPjwA%%NRhnq!8#1B^9e<|6RD
zUrC&a^_Z2xs^z4;UrC0N9N7L)*vD+rejS@l=qzBHyiG4RECv7i+MIKYe1xU>MZQ{#
zy4#?>f%bnRRT4GI9oSSv+y@_@rQDRJ&&9JZmB+CvoK_Xf5o4m!vXne_j&965@^=BG
z76Ql}%A1NHca%nntAstaBhDRARQ9q@g|TnDW2Pf!57_V3d7J<Dv9V8!rg}F|OEecs
zx28I^#ft#tN;qzt%T&S{(+r0BD6C!Z(2PRTXfn+(0EVrN>FT(3kFNRzn$uf{nsXYZ
zBSF8PnRvji50kh=(9`Oe#k77HCdQq^B-0!c;s)?AhTyb$VY+VCBzjnt_5K2t9UN}X
zDpUsV)+h`_@EJU<sfOccO`^M1y5-jjOk*P?(?A4QM!ZfDtRJD%%$VuAyIG|XJm;jl
zM`qORNB$`Y4S!1zY?dCAh_li!rsQRWKs&6VqogW>oklmsV3EXPN5}3~xydyKWOIg2
zx&w0J<~vkVZo<ru_%JG%q8#4|g=&=Hn{o}<*OqktovJC)z*LDv7lRlF+hq=77?noN
zA&gj0w(Ul+`WN11ncadcLpFRp;Y^t>tH0@1uZFGCwKt>m_PZ^SmJ4@q7U1q3?Ah3B
z6Ee^tE8GK@{2ljXJXsiS5Rf3l0ebhK%Gdj#h3&l!#ILy55`bZs^uZk(racJ2?;X^M
z2duWtJBV((`d~&|kX||(g)|$3@zX%}Tj-1K1N!y%WuRl?0+mbS44u8zKA@Y!l6?>4
z@tf{f&CLqE4B3=P<!SO&7Wtz`nSl0yg^j_8VxqyJ8_UeY`lD7_*jF8dCgFw$t;WC!
zJA!o#a~qzpOx7RBO?|=!CK%0SdO`JjrL{Cl*uYFm%v(qll?GXqk`R=Vr(dUa8I6s-
zBtefLi~l!mM&}%`(1o4}iA`L|i;HUd{037T;4IAc8=G)6xCB3ai`bEl-emGCz=NXg
zZq-k(u0Y=5n{O5;>AaG8L#2Cz;MaQ5wtb+@gr}W9qeyta!Q$|%J|$u)v{bdX7}ay&
zoO?kvcB>(Wa8R?`;5jtyE*Z-B+cH{^M`s^Yp-#Nrlv#M|Ke}BkVPZme+IEL*u+F?y
z;XCC_xvg0*sg!=Y7ep7`C7Y}<lMuAKO+3zqHM<9L(bM;_%I`7pbm0i0qi~3nO;(#}
zE1zeuckh++z_``r+8)*ShE?vSjN1X_bvezrJ!*R(C-__&k)_^j^6#Ia$c=jg^jN{7
zB<>S}uUf)I#0hqM3RL<~;#DeLJO+P`x6=}_R9(cP>m*D6g8km-N1lBsdP4NI!gUZc
z%t>p9qo~d=-6+fE{=xFTBb7gLv}55hmma=+#B^V5)HvOs00q?d%+*4%v;k1UV5^6H
zAD$LweenA?b{oVH<0VloO#}1WXZk8=Nc<-DG?TW&Z~8mZ&00qDf}vm#{2Uz1nluky
z1?Ji~)v9ov9Ti?@mkln+51$t}j4|uK6>6aKF&U+&Sfy)!Md_Q67T)k3;PDVars{wT
zTxQo;rN<^FqqMo+^!fwq%`HyZ@B~5aemKry9YNs0KNhb^OfsLIyr)q49WL42?%<^1
zM{#Td;ik*FRe4Q<2Mch{AXX93b#eE&t*(p0IV2v(diQtV1#4s{SPwtEFE;CkvaGHH
ze-#V);9MApoc{1u>G4+S(*7uYw<n`?7;abSf!N>NF09hy%+hu<AfEPlGg==CBOU>(
z_1^~GqHvZ;f#x@2=Selfw@}xAAy^}X4=iA&#e;P0GLdg<H5NJo;GMMf(hT$fA0zDB
z0gldg?6E+%c5J>5amn<elvrhGBH^C|Z7p1qf*GDw7_o@uq%_8=GJ7Q0nM*E%i>KZ~
zIFw;*@Y#hZG`(gE&$Q5Mci@3`?66u0|2c$ZfcItl3q#+zSjzKbJ4x%=OpTi9fzKA6
z(_xK`al7~zJUNU#rM0DLOR@zvn_gV04r9M!^z*&uQVTOrKJ7VZE}{H#<WtaE9k>tP
zD^YspJ`<BKqKK~Fq3;~#C5*mI(vQ%#2TV+^zzaWU(&U!|gKA4L5vJOQfOSi*+Mde3
zgDZmeu!+Uj{AL@m$WI#sLr<SW=Hksq=ii6qOikZMhvgEgtdW}0?lTN^5#M>%_+`Es
z715?M4ONc5BaKu_VZW#yV=8gDerH2~VUIOcL>$IcMD*%-)`FTe<vjX#jiIyxy*&Ep
zEU5%rMyv%AmUx4n`m9Ub2i>x(vvalM5&OsX3hhiJJ<C>ZRC>v;%4frK_(~}x9u;Q@
zhlJ6#Piz}0yI5(#)ZiVZ`b3-(qm`1>?E`WtuR`huv(4xVX%71S{t9U!I<{k_bS)AU
z9j%n+a2w5pyiT_F2$_O9P+gT2hk0gql~e~p0UGs)JO>Gi?qeq(wSE+*D%y&ZqtZ|S
zJxe1WR?6wS$K)7FRM6zd<T>`PssN)@r<H_^-W}-s$K-B87pi<*egnax_9x^wot?0Q
zO(;(EjE|!}=gF1S;)vXU(Alew;9dvgUhEnA_F}m+-Tb7y1qpvDpOWuDEZd2vK&2f$
z@U(m<f@~K&Bfsu!g8~Dv9YW{_u?kxEth^VYFeOLj=injw*-`nKoyTOkW3KJ6z8$Y{
z?{Ynk(7zmrVbip8)mxQU<v--M(ok`UaJlVpW8)+_QJt({R;Cc+aL+JbG+1GD$8)-T
zr)cUZ*nSZUf#3Is;U`D>>M`0VvXtf$6zEq|#=8kKi7x^H1^m8=KFX|t7F~{4`TEN<
z(19I=ARS|Du0egIg?`m4px=B&20ENQd6XEO-%a!p7W#rUK)>xu_;#D?O3(*KI;LNt
zcS+<N`fv*yp{-83>#7Xm%-awq9%y9fo82N)uM7jWxuvme7PM~{;=N4jQ8)v$O)19F
zp)i3bva#JG7le}z?6!!*t`h;j4U0i2WMU7ous7`i_KkZouw$WUkTnIyAl4Mn9&BMx
zViw?AuFk-QAPIR8vZO_OkcIuw3Z{|hV`?PWE*kK$XgD}m)BAmOjl@6;ecLLaU(?r;
ziXq-$=Yy*>>|Q7O>RPP<7Iy6#VBgR$gE(|xOs;_6qeZ;Gh2CpD)EE2uoB9s41x7(X
z3z-Y}EcAW``cm?41ohhoWT3+<GQjrXV9Y}AYf*0)2=sdfN)=69XJb(Jg`(!Z&0S}q
z&aw8*K34JGA7CTgKPW>?#%G4$bjxOb6P|@R^BUTOYOD0R!KnPY!BXWoeRd#p5DX8@
zk?=SE$I`k?v@7i^k*ic={o17rk{^`ML`LVN1P2sxknn*p(e{z8zOgYv^#_#xR5xGj
zE+*E}-udDRXJQRosEVeG^9fPu9cbX$qL=Mi+)pL#ew0th&0&ZKJTnhV)j>t2@S#{u
zZ*??xB7O^rPE<O-lWh7Eu|z)GI?JVq|GTxbiHTjN8F7!@?VZ#v)U!DpS@v|14aKv0
zx3z#YD_v1WcO0saO&_ER>_<hFav}ZU$JR0E5%CcHRVlBtgsf%+e_aQ%V#wTWVmZZp
z)>iZbgqZhylA%FAX<RbPgIXvoqd)y7rv9Kv<U;!bdXQp`o|Xv7T}l!7_hK*u^Pr&&
z55Zh;epq4>PRL;kvEkt&tCp)wlWq}ywT1rgPI?3<J=3C5rFNsUBj$d&xC+@oMnvJ7
zakLwI=mymg%d&f-hqGc*Qf~sk{4Iukbz=|Ub&O+Q<>oo=X@zLBOb;m*d`4efqM)0q
z5)0|MZf4~inLFXG=`O7|D6<$hz*-3lXj2ahv!`SZOHVv}Q7@^`d$uJ(+v+y2vC%cN
z<&G?dauTx<!b_}|)Wl1yHyYdeM>t08{?=qe5cQNt)!)l7UwmgxB?ATv!cR;v{oX{z
zAi}KkgC%SJAcyF|Uw{&V_cAvRaW>-Uj|Nx6uU`L2F4<WosC}NcWj*D3-0`kGOYI@g
z7q7HE&0SR!&66F~=1EKDJpEd~!Jy2aq}tjPeL1?%-zI%;#LHx(FYh&Ec(S6osOQJn
z^`Rfgr#BCZ6OHL(#Co*^;|2@J^Y@wZJon05`~Xx9^Y1q;B_^y?*ht$Suqt5h+u%>Y
zmdtt3l>GTj?)Q+`65(6ZAIiYYqhX(dQHwvEftg3m4ngs-o&tw}$!8AA=dmn70rLI_
zcDuHRMbkoL+`t?<%zQv+tfTuM#l$e(+VtexRR1~hpfx-u=^u)q(T_=O=*E{(U<)ED
z_dJdQsAeM79+6<2{Q{1gE1!_IvmTj5EVVpy3@s4W(6vW&(vyfK@TSF2N{{MD{L=K}
z43KU>Pa9$>?LX#N?HKMTa~xww`_udi?qmny5<X2}rnx!v^G{fB_)~M1d-u;xIB+B&
zgSMvx{#(=j!2CM;i#Y|M3>ie{bivxP?^oFzO$VkWLl)|3+i&L5$1RxaoZyA)f0q{<
z<IZeoeg42AIg4uluo}S3r424%>gLiv&GnJ9&bWa^>lDO>nG`r>QD-`uH%?iLHM{)y
zFB#_2k%>CGsgIJ@`M`_0uae2;<C42eGF$x&Sb<Gk-VsP^mMMy`EN8l{{>i~gE{z;u
z+D~DUG;Q?*6xiwq!gSi86b7XZ;&q5yyvX*GZBX1-5em+zt3W2CCN{a#;LIj>8%&ks
z_Q)$)`#aL-`R3&1V#@Y{rmDCCri!}@+rqRGygf$?jkkxt?hAX$0lKWnnCLpFh1d$L
z^R^b|JO@!I;fhT=BfsQYxb{?A(xm3qy+O^{iW#w6nlA%yQf{f(inf0*WK)~nh|#;Q
z5&oV02C`N062^#|FuXaf*sA&?mc<voMM6*0m)6)&fQK~|qfDWnL3Ho;CJGnxZvGIq
z^tnF>22l>{|D#X}{=V)<-Ittc7E37mCqdtjapl*|rVrYXYH4)VYWH5()6ValEgb#r
z^R-LW`;`~upX8QOe{nuO)$*Vq{Il8AfU_Z5tQiX)Q}}P7OFo3e@~_L}_DndiTg=$r
z6;OY#-67X7ux5cbu7)Oh<4*Z3238I5N`=S4QW9<|46ZQv`vl_GeFEYKFPA$o1+@&Y
z&Ry&AU3#I5u3*GwCnPo5R=3n-e;}67?Vq9K<5%j&EYYZF8EyI;x}qzu(wik%;I}>o
zk9_qm9c;6}i*^J1(3hqbj(s3A%;G<p>4)Ci#UjYYY+|i4trL9ZWvRpHv9IK+E}XYR
zDfSr;IJ1F0w|G17)sT{OzHp;a;Zhp?1>~bAzs{%-rYR%`fx{M}lu)6X7_)(4b6ZRH
z*I;_4zOS^RXTFiMb%P6P3q%kH#Qc{Y{ZPnPYSx>N!<3l1t##G=f+4UWY?7%J5eF4U
zwhO($I-|e})sXMjeUO2UkXCM*g^^fCUu)85G4oDJd?*;IB+!mRphDyr#0>*^jY*pY
z&)cc~qYUJT59-t?QnJJh<kbc;w?XolXqxje!VC3oMUWvJX%O)V+0p7&7Bm$@%q8ns
zr*zy_Y8#6bl1^Jz!jZ5i<m2LT<+yO%+2C!+Vp$jx>R5TKZLG(p9+$={V;#cjVTR1Z
z1G}@4HE<+7vR$$x3#DI=<;Jdr@aPrP>t6^Xhl?${aG{rtyDt6isH>1O5}E>j7lwU3
zzFZLLuLI(0I{YsrZx9CSsMGdI4o%Rs<7Tcz_BM+)Vs}@;y#qnr@YCnzUO0i|1ATR(
z5v$7H>?Sb(KvGJfJG;Bu$R;2NdKGVlRXipk_1#LkHL4<0<zHZJDtN}fjts^4LgTcL
zSjhYNjNT?V<>ST*${q=P!JiQ%ZZahr*!^_bO{-Z-fb;Z1wQJbpLubS&c*BZA5(+)+
zY7=xTI@xUugXi2_K?@eJ3;xN*Rdi^8s%b*x^a|OR9l-^$!Y)Kz>QVGUE(5GiRd>;#
z<l%(3oyTbLr&>h|_o><@VE_}P@@@4t?-p;dXMWZbS$6mN$g|PSx!iG^{Zo4zZL+#k
zIi@&~KzE~fpYR>Nu~QGDlJSoRr%SfYJn7$QiT>D!LCudr!n3OaikQThqUi<2ZD#rW
zGh<MYR?vle;49pfrY@F_&~Qny(}1hh2gxfViz!C-5SX7w1?33sQ53tFJCu3*K7`CS
zBP8XBv)rJU-I{~xq=w=rWE5&gS1TyA-ho0{gY`mfsEei?L8pF;le5ey>s+PZZN<FK
zjyOso4NfbXB;QKN>>Z?yPGuNo`?F4k1=kF7DGwq!vF288K$^DN#mH1uMBXLh958H8
zW+`hfJs}TjVH;%g&hQ-eoRxKr`-HpLb*-zp^IXR_j<NPv;S7FE8>-%d4-@o}FPBbc
zas-YBcSBZ#y+M41Z#Nk`{|;d?eYHnE$1w?Qn^e3=sixa+!mi!sUAdSZx?1ipCv3@y
zG@=$>;1lSjTKQ>26<j%8zR@`j&v-^rg2|W2_t$}5sFQ1`bOv0vs*-2X7c-zDtKk6~
z&auGM12!y7FTL0cDH)H}%g9JKQw}4H=!co|ImoHKb{1+ngHFwoHwmL@V?9oz=v2LY
zC7j}}m@V%VMv!lgd@-EZ;C^|LFpP%HmDdPE>BwC931J9rohLtnw|m%p`7U7){WV{n
z3%%^zv*l|M{^4FAU%9hPF3gvImgmEud4=Q?pAx$ZFAMV!GI#~ee^YG14rjRPb-^8~
z$=h_nU0x{0A&d7~D9*O8()EkW$^Q)Wi^ms=&A>e+1#%RCf9CuJm+p|9#NhtSODLC1
z;Uig<w9#9I7A_MnSsoF(dYbG83uOwVT+qagmgFmiC*kfE5Hz`<&Sji%vE{PIgqmg>
z6)2=Pf{!xkB6a8>inTPU;S!8aDRkQ#C{Su5amizATV}^>WnyyJN3En13bu#L_-JeJ
z;Cj7G^x57H2GXr<EY8}1sWiVWSmkxJrLD;-^Y(XXCuhpdh3#R^e6u51`+@CE)*dWa
zGZq+~DYD|yK_|;)?)q6h#pWq?pXpp;zh3=NDVHV+Q*1|U57?4zLiKespmD6P2-i=a
z^>;``sLmg)K;l@I<($s;q4@}Jh~*jvN{sIJU~{;UGRF&FitJvJqwpWSKn)L2BPmnU
zugOsKckw1BXYk0?jL*!_lt080@Q!Q$FnL?opW>amM1o&X`JY1g-y#}#3itWvj?C|O
z<<YOFL?hD9gdxQBFD3)_T1c~B!uat5<`=}8Q_0Jc5ngD*yp;V4<hlja@fDzB1o`Kb
zZq!9O_T?pd=Q!@4O+Owt@8erot?91|#4LK?Rq1>klfw?Z2F&^N+G|F|_@tNqp)WfB
zbwlh-gU<Umkmu3W{{}K%2mXcH_B8$ti5NxW^6WRc5@%BmQf7MFdxm8#cW-sw=6uZY
zwEbi4P4!3R4<$#glE#Y-!cDeg_N}%D{@<=j{|&<*jYp@4>*@mak@_}mn0mFs$F{MG
z3Vh)GQZ-ug_X#n*4?Zhjv&v+MsQN!hxUlj+NH$?IL+}>~!0wDB9~LvjZPD;f*SXA<
z7N1uA5ctM5pCHkMSr~3GQ3Ml2PRs8B=NO~#3bQcFa-gS4SpTWut1<~7e_aUbYAD42
zx%ROcc@~&z!A{A~1k>XVHgE*v!yq0r^{%GNoKgL>Wooj(NL4}G2VzHG{<%=4r>TIW
z9#a27H+-70GY+c)fABd=jW4a&>)M6YUziy-pm;`VmJlrXc>bpCHVdy@q9*&W92axx
zlBc8)?f6nKk_RF$M>rOU;uGyLWMs=UQd>38Sga<CnZ$w&8+2lo>}4N`qB&m+ReIV$
z{R8r-n<a|*CkjdXA~iXSRlkUTU61yCW40YUE*zy0FTn!k|FLkQcA=3Sgy&UhO{)@C
zIvA7+gaa%-1zA{{)@%qRs}>l^=<0Z~e%g^V3$wf=ENdb=oi^GqZ}2Xkd$yYFz?xmh
zlBiYE6`Rduk8oi_O28=Q6+C{L)QmJGdf^H4t<TM$mO~B6_*GiJC4*KRnOa~(jvyQ)
z^C>J^v*$6X5DnpJ{xa4=J+a=Jb3}xOu*5NZDB=<1Jc(l}XVQwB4>fi!-ht`;D)jgo
zESN26!MS2(S7!2vVE%<daI0h)FwN(J$18$m&|SPw#?3ME>&&GSr=aK=d!G3m7|KA1
zr%8k#Ta&u2=NLcR$aphn=gZIthtC%)H}Q5O&r1Ln5m<Agr~CF9?bZzkcAKY}yDz?>
zF;hKH{zQC3u>Z4LyDd4(pSg*dTh`y9)Xgt7uWXYjNKDWi6B5zlPHp1&&d`kdx<Cat
zk~6CzV>=PdR`_v(KR(i2m;Ix=e2KJq<XqbFroNmTADF|J<eF3bEs4i8PolE7r4T-D
zQ}ed5<`ceAH~=5kD59b7NNe@Yfqk}+hP{jRem2#;tFQMpdJ;|LJ$*ysm*qK|C)Oj{
zx0xQ>+kQ)T8?g@$(Xwn6-*cOWZD-FVqMPL&%%=xm5|OS!f@Z4W61ZOJxe-RrqQfui
z`{YcT_KL1UnnXNh=E))8AXXp8W;&C$A2&Bs^AnbB=(9c;|M{<qDZSC=jWW9RUL=_q
zSx38H%P7P@mAThK)xVrcXZ;)GXVAib0~34ccs)ht3;m!7i@zaW$j}WK3$$hC2_rf%
zooPq+oM+L2x&xLG9hjLzz%oyagkC0Ts&VFXF_<8%I_a`~rZtbH9AepWm;*_aUc8x`
z3X`UeXFgRo!Xb9iP-rnP-*396q6}PJkZk5}i)hU9p-OUf5PWs!Q+8iykC+rpyKj-I
zbYCNofD0$G&%kWkbQQHoj7_FhM{`-*bLfWKBs1#_a|4F6HgkJv`tqe)AQ`(Ke{h$P
zSZLqvro%b3C&*wMii6T=`-s(qnxv_N(mO)oN&vd@4AX0e=iG@$uou9Rds;ipO*m;P
ztawkj6kVBf?U)Q2QTVXIYc#|>UNY10!q=0pLN!TKyJZX_)B#Squg3J;Vu~PG@Pl!d
z8TX$_j7@Nr7f-Y_mm1EJbLru;%&adc50|eXc2;D*`R5iSOm!EuadA}s*f=w45`|eB
zA?7WNJgwtpZh`0OF6OC4Q+nVtI8Tn3&4Gu1X`Fe<GEG|3x}g5zPdhfjlwX-TL%qwM
zogkYTp5O!Q_hH#)TX>W9VkGn)OIZ3aLN-S`-8s?p)#CgEv)i(;%Kui{RFADRrp-N*
ztl@&^Yaqr`>7JGvEtam_RG2Me+B<#HJb<qr>5&p>KokkKF!92?{TX?e(-cfC+Df_v
zNdf86DW-N2rNi-16pR-v*H&^W#$%d347V2G4S#Z~H9l~N1EU5<a)eT{1X@g4YqFIq
zXkiN&7xzyyJsd$E9#;q^fk&lIerK(WugF%*%?p@kiS0(7bJa4q;hLrU%Y!fRl4@xN
zxtEBAS*U<HoJ{X$+SRUSvTY81KF}2F7S}-BJZHGnZ08S(O6&Gvd%SE2K>r?O+GRM#
z?!l1srVVFCoWZ7~=L^Cb$5*5U`=u@jhf<2@)*+_V#k^Yzy}-7iW_7+B;1<<uIK;v3
z!%Rb^32P0rSM6{MGYDT`b%g0z1#)?mJ5p{%_!b2GpGIc1B9GSG&ddd)Ofi-te>4jA
zq+l3vdDr?)<1cQMP<22xtnIiAkv$4}%Y#7Sb}ZhSMPpzS?HN)HOMwY<P-$2#q&H(I
zF)(ZrMF$NcZ^T5#WeJ^(sCnF6+TZ30x?4CE?GLrB^tIU1*5BKpy`qg#UJ+lBUqN0`
zd}Af60V9-7XtGI8Y+_&4SvG6w=Cfep_`}?>Av+$>H!}Qc#ZvYZKp7S|m2qGH@G|}9
zlytF$$zkQvmOvNk@~tv}8gdYQy7*4`9k7odQP-Jj8)|W;vYQp)La+W+BpN&h=`Ubn
z90SW1#M87qTtZc|V4g@l2|K5&HI&xXW0l!fY0f5=(7BHz_mJ9&;x)Qqj0=kV+fbe8
z_ZsD9hMx(;=f4Udne-i}*EWfLZIyppwHKI_e2R`&xCA|wJZB<ihJACDdQU)+4m56p
z*}$(RDDUg-U>|&fm6d%_Y-l+xo@5eb-wLL-lNG+hPa=MK-*;Sg?O$eFZi6lU8_#*3
z(yV*3V(urAbN;w%kn>&V3dj47@%HEJ<=T2=nZHBrtX!o8<Y)d*YhMChMUl0A`}T5|
z?13bNkc3<aA%P?}`@#}J*dgozSwa#*0+D@_Rp8zL0x|)NQlNk+?xP~(IE(`#I*a0p
z;({VL?ur{DBZxBN_nxY*&b{b-^Z(EP>(ktHb!}bUT~+6t_q<1|RWGY8_H*{72p>{q
zJ8N6QDz_W)T;Z+FZ}d%Kb%|P|YpL%#!!>DXLON?o)Y4jCT2soVoJKh4IlhVPg+y(>
zGJ%yQX$PTSJD;RAas8UFIw4&-#73n+6SqEDTMZS~I02G_gwIp&=?rw;Saz;6(0F6m
z;1v9fW{=U&C>HNgo7^L5_m~);Zu^3BM*YsC*0?JvEevUQ$h2Jc^b{k472Se=M!%$M
zz}<~tySkv7;Y{hOPInKZB97FilsIr)cVn$x)s@i8g{P|bx`vScGj(DFV$dvwj`71(
zwHivge%%n~dJsF&O}zz5x~XXZ1`ZHiN63et=ON?8G_@C~D6+e&H$w$~q`SISDQCUX
z)rCqw_6YryvE&SOH30v6GElmYS$aD|pp7(^-vc+^o6YN?&UE#{rG|tuyPchM8{L`F
zQ>}Cp3572e!<QfuH}q6%plt2$0P#?GcIY(sX6FM?JSEw~m2JNyPyJ;|0G%qLWMq*J
zB;x;#Q#G1%s#>2sW@Hz06&b74jbXjn#ZZG2-OS*Drw?BWGqM$Wr}^f19qaTs?8i-q
zU_a)l0SW=mYL{SF_-q`^?CHPLn?z>NujVMFEctQy<|iP?Haq#a&e_|h@R-}|rQhQN
zDq$c0USz7KfYHfp&lAFS&FR5XXjdHvi@;z1ATxn497qKOq-HA*>)S+g04cz?Zluzl
z(^4Un8+!TRAJI$9snc4IXLV#FpVax3#2L?%$fF|;@X^_S618&Dt1yQ6!JMq8?KFxr
zPGJMyEz0(wEg~hnG;B)f>X1F|CtYV<isKFAeZvkq+%l+^ZcsLXHF<O-bkMbtusjC+
z;|yz>zQ~le%ny^+Uw=H7N61yNhHvTsi@9IYqD8YaTP#9S;L`Kqhl$nun(YRh4aHt(
zc7@60UoXhgKDb$FW8BXHj{@M?`MHHGWh)GeHT|tn13W-s#4T8QPi}=lPe`WN)8~L}
z6q_SBRPYir$_;-aN#mSG-^n6xQxn)LzmaV~qXM@iI5NT03?8V|2J-sjs6-=)f1zw!
zB`o&Ov{)tJf&m9UK=z=D5GAITnS;RF(Abu3FjxF`n>7g7TS8fokDVsic7ry2sD*F%
zCigXiP59aSe}_k8hjJs$>08vt@b{4_sQsZvFLrsMmL1u4t3XtuQkJ|>i`6rF8_nsW
z+ZdYJta&j!8)Vj8pf8~=fR-qz{StU@@%AV6GW8#vg194VTw)c5B^hQU1Tp}RL{MQu
zEsDaWX5l85)E_VS(52XpiI%ZX1`RJ9j?q*0OdO&+`f5uo4H4d$6jpqLl^ZS)P=vsX
z4yJ1}cXcrl67z@A_O*0bX7vtF!3&2I?5K-_9ZsxUn_6T(oCXRckj%oCLvG-`GgV=r
z-$m4g;9HZT%hW=vF!<&8rxwjFp$3!j78J(_iU4%zwHh3Ng~i~^C@}oVmOhSxc~GQ#
zc3}lPzU9-w2<1X01P9rim3Wd<^UX#Va4sOBHafi$UPHV9R5y6+UU+Mu6qSha2z^VI
z0BY7dcNkA=ud6mCtIgYB$BqnjeKcm4AB2J;@mD+vOv4S#tA}ZR0upf<Hh!Cy1G5;x
z?plsOq0+Du%jSFv$k6O)Kq_xpVN4X+Vd8;`X{C{bE$QNwLD@U5GB~pyCryiG?$t&W
zXdi1=2W4{HXqfm<UK285PWlL>l&kIn(cI`YMv~|NY(IlRVI{YYI0Xi1tpR-DQeOz0
z^8vIIyrVGp@W63-Z19J6(*h&Y;s6}L)bIQZx{D<rSr9nFnuUBU5kK4t6!!_xHt&9p
ze1kqgKEB=M7Z5qmv~9^#2fOg8VCop~96gIw?w!t$9A15zx?6cpEeBLKL%G%VNt^W1
z=v$7pxb0m2CDM14cf!VEIjfm&hx1L9uX*|`GAJZ#05nx|^JUCb6knQ96Z(v&v2n%>
zZ+#s^mSnc$qQb#goms(U6QM(>(inE;GGaA~M@y%l{h%ac>2h3=nK)AQ(JM+IaP^g!
zvFD9%(c|pCB=*veGAn;X@VN)XY?a=Qt^1u_XGed+=9E{@udclclu#nuchxFGX1;;{
zLi8$;iB932(TPo05!$Er-x7Dkt!B4>fi(BeupPB!{^V!6u{vJ@Tc_YX=FfsR1%G;j
zW!lv?6e-MHl=icx^7tTySjQVw@$Q>1A+ATWBu$$9+Uh|WaFaO!Y)#Wu6D@_8EQTG^
zr8QHY!kRgfyBby`+McpS^b0>7z98HgwjcZ8lcBRho(P%f{>i-v`{0$XXy-%DE{-FP
zO5<T8MSoInr!}ZYRHuECvfuVpc9kWx;MFZveYGpt@%<3q_QJc675zqg%(Walw8{iu
zWlvVV4H(9bE!sxlAMR=aeC-Cd<D{Onb2C(zwa-D^-M9_0P<?4jQ6eWEC3caMVmiC$
zq_#|1!aBXCJpvH&3$JPS0AW1;b$FC4WT#)(wzwD2Ca^pq-42SQ*R`SSiBnpoYd&7F
znuK)3k4IWM%YQ@bt;}N!-$1ds?A<qDub#td-_&NpH1<6GT+h63;irl1dQ005-D&#U
zpirC14!x~SQ5sp;X>FR)z~-FR4zb^yfo3E19j(??k2c_~g7;+fM3|GGct<OSp7EP^
zw3#gNtmahS66qV>MS3ke_O3S5RU?Yn_9Et58ml^^6|<UisPDEjS{<~em(OTV?Ob3t
zJW;mriqLuPI_K|=liHp3ca<pDI+soU?;NL`*-_puRCx#B7m^;W#~^Kyd5Er@#7bK*
zQ}HASSPAT_7K7tVxm?u&;AR6NQ~$)nWswFVB6eb0G;BAKs~}D7^(YtU1?DV-*Z_Kf
zKS}JW#9^OZ&=vQ~jmqz*DjxQESNUz?v;?nfd^hpk@W{UG*=`CK<v4|~gMCwlkj{^$
zp`v*9w=`trvL@Cjjn#Hn-k>J=c95T@gR>erJFrtU#QZjrry;=hrVNGeMC;gs3|!sb
z1DWF313k=kc?4nh(sht1YkI<DjyiekPSz(=Nd*TlB8P2PB8L!px|-_A_6-yBSKD9w
z+?33H!+fC*dxXt7PR?@IUS;3jtd0uxRj$BmSORaN%u(XKeQ|>p#g=c?+W+^!m0nhH
z3j`tDBG>10lqlEYyV<v`cp2&5VWjo6UWpE8AKt16v@oTx&u;_QD_=J#EOqNo?ZBPR
zl*?lFLDJ1);9xX%vvUKKnAX^sj%?0uWh3R_W@VAi=G=~o_#i*kM@eW6k9Dv<cZfM}
z3Zo=idScn|JrLD+w(EN<sjdHt1)cC-#k4z667Au6MF{B~m%_f^r})HUJ$a|%B{fOE
z&xmc*;~wZ-Vl2}hwV$<prZC$v8rGpe#Cu@sZJ1urc<s3`KTr;~qY%RBn+0k#)|p_R
zwFuhg6IUL#`5v`-aRKXnR0ti@#0KW<3g99_pAzE96gGPVMAVMQAoSz|)Gc!Is7h|Z
zXZYeuEu4LOOkXcX3+4y&!lzH`9r20fF~>i|?0g-gfZpuMyR_%ny6@nEpUX~uhf92@
zF!~0Ydl5h;Iq3Y<BP637_VPbv&Q(*f^!UD)8XbPR@e;%*FWYxXW`ZWe#nxTMIxzaO
z@G#)ojkYvhXk?<Z#m0&E0Z4Fzjs8*X&iY+Z4~mY+v@(#DZU0eJKaG{u8OdzuPby#U
zrm)_1m^u=-LdSJnH^!c}Ma&QXID8(^vEPNR4EZ+XrjP{pA3zuTzH1&ZVbzW=9E*(0
zMwR}FzC<^)eF#f1)_xwSuvp~*rJwC|BLYI2#(rN7XCX(h5+e2T_Yse+(A`Me1M)5W
zbmx0;y!qrkOrKL&(pgNOlf|q~@7p<Cdg83s*EI=gQ=kIK7HM71VWtNI>p9Hk6WR0U
zFyT*NIqz$)I+j-<=i=m@DS8IWP0{l@%$vVt?$Y{Mp6;ddmoAypG_RrayrwznjpNy>
z6n&<PbT9>7hHD!TvNVlFd-T4_ST@F^FK~^)l@eSD=U3Kw;NA3-M=x@ZriCcJ%W!om
zzfj)=c}F4dC?s{`NorTX#zwMHUG*DWmAF#gWw`w=e&zeF`al4qdZp@HT*GmtzRPgs
zq_~o*S1H5Ta6}-5GUjMEeK9~%-ZXu>YcTS4LB7sB-?M3Y0dz4xr0KI=1962$a3{ag
z+8rcY1K7*m_06sdT**tE8Tv1B_)lXS)Agay%bZNtH@M5ueSc0uy>lmBOUFE`KMO6*
z@E+(av4vVZ0h#P_5A>-otL&+_^rT&Ulx>tPA|gC2^dF(^L*m`(uHMcmj(TIgen9)1
z`j-8lP*wM^jmpntALOZ>BI+CKOX^D?nNy@+Q^*L4^_!Cc>@YZxKp6r72WDGS%qc-y
zPF^A6n{WwkX0B<np2cbg;zNFJwIyHyPn!pYI>bz?Fb7INU@~3IrskO9N+aW6*<&|a
z0v)7kZ$Tbn#^e_lvwz$O*`~&83GhK5pTYL8fsH^)L~s)<Avv(5NEDl!ZTPcE3~XYR
zKSFK(&|29BVG?qS$cT;r5Nur|iI|hKOli82zPV1UrVhj(R@GjJPO!beKEQi4Ez^K*
zpI5!Th#-j5L5Ly+t=tlL<0CWl52EU+J<XfN`d*LEIlo?3O%`>^jgiXtvX&V}tiH5|
z;V+}AITFBB5RaT8>lgNa2!Es_5hbQ&n4M|E4s>Fr4FM$z@fZk00m4qS5vQe_@lfh1
z(4?s;E^D+3z(Sb|4^ZM#$u)0bZg+Dm8!c^dDjPo2$ZQ8q3w%)_*5~3DU~wV$`n65O
z)UrIy@aNQ3R0tA%XpD2%b+e3oyg!H`0RRsku+%KTJO+yz;ZgD^76T+?5zEClxf^2F
z$d|OX&=7j$zD=NTv7Qal08sPPY^)xiYBW1&{ARH^y#e2Ozgi!|4qR_|djLIw@y>zS
z5K%`!Noq;&gvAC)taz>0b~XItsC*;Y$Q>-a8QyN6%tqW3*<dk@r-i?8pTxUuhQOHD
z1@|p#Sg^tHvWs(!tofoa-fal&AnimnC#!j&pRB_4Id``0wna3AUkzUx_61B9@u9my
zu7*r-zvQlPJ?Q+@Io0ukW4dw0*lwih$MmZI0LeU5p#I;YF-ss5gwMA(DNEV%`Swjv
zgf9^j8F0J4`SvvSU8Gh5A)sfJHj9mJhb{IWMfzW&kiL-pI|`W51#DKdwuK7-eXuM<
zu!YeO0J^r*dO`pg(~b)Of5MMzjyXww%~GDlVgeWTB5WvTv#srM@p|*(263@#3>s)+
z(_*w)?pZX=cY$L4dzNw^rkzc(S}ObMEv>iRH<L|@)iy(5_$XF;*42PI>f&$2YN~XE
zi^Y3!T0LM6{W@rylzMiegSOc{9aYuG`=Yc4%2L8^i$|6^b|qfB-Bn9Hh_AxLjZ10l
z&mFZfTznV>spez0<8StEtReyOLv14Dhvo!rI^>5>6SSM%Q>lNX_-|zhqFlvJcGA+Y
zfd0@)YYc%_bh3#-*-7?^0c)nTrtb+SnS&XTYION8b>hEFY15Mb3bvd1-c-^ZYegV3
z0stlIJQ5ij(^((Udc12I^NxpR5^=~TI!QM!HR7iB17<q7)D}sViaZ5V>PMh4UESM=
zX6K8gHI8cswoQb?(LFz*&J!hYmBS8;JEO)hT!5h40)9pZd!!VSkW_+zjIy_3usg2P
zdaw<>EQJi=VR3;10j%w9sd)NGwNhjsg5g$i6tK?5^tE!3?<dUN?U=hv)&;4Yr@@D*
z4B~KJ3@o8{M@gyN+YZWue$mo%7N@XG#zAmj(oSaK$XZwXAZO5+7&Qg15JfTAsI{rI
zV5!bw5wSt~0HhgUng?y}eno4{aU8ToyczLO#F~h);Jm&Xelq;t@D<@B!@GoC4tptV
zzvB!KX;1Mno)6s{x+rvTXeWx35pp{sWy}w$2<ZUs$Y<O;CECUHnd_))hpWL=;tF$q
z=sfInIB#~=9A14@eL_)s9)^wb6@@I2hkK0C^X*E;VOSM6D{KPdB<rO-lJ}lrMmIaG
zd5<Cq5(7n0)_DYFR<lpTl}NUQLa;yIy1LTKKHa6JLR<{pjl6HNV*Kb=crEXis@?3i
zZ`k(Ts!xB8Cp|q6#cc;z-`mv;eFaY%{jrX?<S+0z=V5ER;Wasqi|`)!@^;j;k;fX(
zd>rx0&9051N*`zQ?m(uT)}#G1uwVPj9mv|uv%d64go0no|MWH>j(Q>+ya#P{;weCt
zcY{J<?;cpWMzh4dD0L6-#PJmB*VWcz6&cvP?Z*Y>Pp$I?W$4BHGJF@%#|^v=Fkf_o
zG%|7@YW4D~2bW{CY};DbJ)MEA?8$v7e3@Ovb!-Rm)7??v8Nf3>cpl;65ruTxE@TO7
zEgO)b59D=X2JDv8Kr?$g+eBN0H+)Li*3iQtAB04?i(O65-HsE+Ma<<@+KuWy`zhro
zCCfHZgrCtpzHz=#_S9DOEq4g!l^h7TxjBL^<AvX-J0TC%wWx1H9x2(TKBxJnAUwyu
zb=o<6ayR-wv0<Q0FO>0WLMXn;uiXg)xqVVL60^@!MHy^zv$o3(f1ODclz2kqOkJ-X
zP*iqez4j_=*@7u<{{}cPD6DCt_KIR-#W!hhL$wgKNqg1321SX-BWtB7+I};N-pHQZ
zti7SEX4|%)z$#XAv-XC2C360njJ}14KIS_ihjOp<dz|k(!t`Eh6GUm@)gm;YtAk<6
zre5@#)Zje9XF<L$!oP%jxXdIc&LQmbrw~E;r_C9}_I;+Cnq_$kHk{941f27g9?4FB
zZaS92@hO%q_`=M~&(;lxz!@J7mw`d-j`OloOe$c4Mxb_f^9bxlZ+#F>np?k=oVN06
z5-hoMzX~W5!;-(z9c+6g%5be|<fppMs=wAvttkrfEXi1^%D#~WPkv*0yMCiX)BP=Z
z(wF-xSj%0Orh62Ki6`A{H+7{8MqyekJpiZR{%qU<nTfmDRv!XSPtrXyCr_&+%Cw*F
zfja!i15k6P-7D4M@bw(bF5D|K<CL2N2-(*^+P06JI|qi%4ZStwi2EbA+m+)S>6mNW
zsvprl)D*S5eU!4yw(oz5vuSkHWt>e~-neB^((?mtHU`$v-`=U4^j?7Lf%!5YLIJ29
z1NU2n@Vyh;z43lx>!%%Ns|Lv3Mm>s6uhS*uj>4z`p@tpnHF#H9yvm=B;^fZB8+RKb
zoGWXbu5;*<4AhA7fN-}}0uxjY>}#SARdDE+m3ZrM2XpK7EMmC@#th~yV4naTMuf6o
zzk_Oj8oz^bf%m<TqsOqa8F0B;G(*oKI{931#X%ZF5IKl+60%1yb|B{v^V16wGVDu1
zSOY5~Gy&bLzF;%~gxrERc1eS7l9r)EkO0BS2q5G&P_ni$Ne!yPbedh(sLS|<L<F0U
zW-%n}mDxJM=lm2DAaEQ-#K6@vbpQp;k$@!>OliO`x9y!de~&bqRr|aAVkAb-!bmjF
z(lbke?*hLkK$zI-!!wrCmvH1E1Tc8K60j0J33w(59>9m9#_yr(Ai(fQ$~3Ts@TX)O
znsfwcEGz=1vly^uAeeL7s91<Tn8L{eVNLQcFw=aXaE~c%_t;;P@XRgO>!yz@#+DH0
zc-X~|9bcWT^S8TmTcI(~byUyB4Q-#Tn`A&J15Qd1!$M@@V+jXje=;8i@k&Q7!V7ix
zTs=#;-BNzsED4<KgSleplY(3LYB5^4f1Yl7$L4~UjCkG%{GVg>D$y!){04k8zn!m}
ztY^p$TxKC|0^DqDZN3h^A%CZU4%P0{Lv-Ppk(Q%Fu%>Y$?lUffaoSk%SSYFn96ijB
zq{g2>l>|JEL{^-ug9s6<udq@VK?nsV6%4S#SWb*MFe2k6!_zFL5VYb0!titq=ncK&
zCO)+!&w4?jAAkk|LM^QIxCJn=>BK~Jw2g`CFYXWAPFJpTl4G55zkX8tLF=pzw$D>;
zvmIrlwqwo%JgIx@{wRX^aB$K<ddUd`AzpIw&t>p9b+fYkfRTobnp23@^Le}ANAh>D
ziePGxUF~0By)%UX2!O;C&mU~wG~6f?XO+S2xeb#yaA2XBlQ63gnIoKg@DW?&&+x7W
zoPoGjxpt?@51>Zd2Pt3HVMPHA!-uATWLZ!@na>$|6l*T+cRyg%$;DW^#uV#W!T|>j
zqXj$@;3wpBqR9vRlBQN^yuW=w9rUiS%o5a5Q=(^O5_|%IW{HarZww%zvJRRR@CBN6
zjPrBSZn&PCld>7tY)+}}6|{cz!eC*baHp~gNbm5O#~f+izU1u|@MH2O5^nsgk2M1D
zsKKj+B88yJl{oUKz+uDK^YGqmPv7A6035h*mA58i3flrjkmO(TOWJN=urZ3}1bSDQ
zH5by;re%Q`Y2^)IY>E2TtYfU7$h+$*(gP+hulVXl+@*Sj$3JnvWAef?#9dhRz*EB-
z1xe{G29hP-jkk96-Kt!j08)Y021p&u=dwHz7($<7_M^tndA{Xm+j%<V$jk%4-_{&Z
zvq~|u%N4Si(9~A^U77^(UZF0)coE7JA2uH>e7(d2F4ybG{s46^zE`q(;eIf4LX%VI
zEw&zrBnZbX^aobys|xI9m){rQ3;_3+Jgi-aJZqI9;&AbuV*I1ojrU9TEHU8&M2%IV
zZRBaLgYHqjI<COd*b)fZ&P@*hhEGdFF>o=^J>~!q4q5;?Y`}vcDv(7h>33R{93KQz
zR?CBuE(~2jY!(D;CO0(RV}xhvFbKh`CfhuS9g|B+ew%H5w5@#o;{TRHk>s+4ai`oj
z7BGNm7u5UMg$-(^S_#wr)|a*3gkz3J@D91P#3PJh+m}g(7J14EASrkUR)ZIpOV$;R
z=fyN<`l!lNm(UEvAzFv57MDP*v>Km!uT{E44V!7n*g4m(mN|Kg@kM$r;+N^>?v<x~
z{4-Rs{VSjgC|?uQfw$HKb>PFbdJ=0t5c!(REpRh$>Ry1GNA$PA&1RZ|WmbUb<cmQ7
zWmi?81XpFC!-HAUfPl=M*v|uy@5m55ukHgiGe`_qqC7oNGT+EkNC-*xm_crsHj@zv
zRvV|Da+8UfoXy9D+T82(amFcQT*$f*TbM0$9kQHK#wn-Nae=7j2%Eq)vk}_~_hPX>
zVA_wegT{%I3mjca<N}G}q+bJ_bQ33ix6(-}KM4W9EZ=i^AlUM9{cfkLUU3q+hE8I|
zNzJ=-QX)=jhk}2Bv^GR?P?9M&z#fSBg4tj&7#2WVDX*GMbQM=4M^af$Ttx>=J_=P_
zoidx6>C8`}P&5CIJW3KI>C8zAO>Ai*W6S;2$Y62O_hC92AWkA5rIQMA()$$E*H4@r
z{hm(xij$VhbkawhjDDL=dW)0Df73~+ILWG`lMH@>TNO;p9+>a=ttQ+}<QkkYf(Ak?
zIv#jfnfET1VGpe3axl!>4HM;Cmgz3H($S6Ei#AT#Sh&}o(ADM`=Qw4Ya*iA73;jIw
zD21Uj|Mv~`B}1S#!3Qr8<lrzM2Y*8()&4*gbOumb>2z50C|*0v$7pg%DCn2P8sLFR
zi&9v1yy3P(Oywt8uj_87Qts=a`Ni;7Q(V=dFuaM<-poACE$y-D^O}*wJ%FRiJi_bN
zgHMrHS~*Kc3thxX?-_K$pBj3D(mY;+2iSU^H**(VhW&td7MIN@o@u2>J`+z{ikZhH
zs+e0wRYY2s<^4vqrI@rP2ro+`kWfqoVrUNSVB1H5e?4_Y^{{@_6=!;<mw2sEz_A_m
zA+(2+(q?~Y;oe9yWI8-Oq>>Y#IA+Mfh6$UJr<ftv09-b0gn=1y2(+j|Bbvm0JD?G5
z8Y;adYR$AH3{}f8sp{mDXWtR<Edq;S7%O9##YXf82!8EwiKdfTQt*Y>jtD3i%lhty
z{iV24>PV53r(qfz2}g^8&CqF-kCduiUJvMC^5N<cPy(^9KoP^f9EJO9zX8j@2A|$T
zz)|=F+|eJjDs*cGbn=UhsJW_H&c{68SIt5BepruuM>b*M=)OTWXHA~ZTZc*h!iJzp
z9%-EEjM%$?zQ2}IH-M_EF0&|S`g9hNfDk}<c>j%KH<2D=4m*Dd>x`J-`D45+yDA>z
zWomt#ipK~)d+@Bu`{GyU{fMhgSFGiWDnME?tm7>|%H<0W7YiMDZ`icc7`?`y<n74|
z6uhkVs?5$Sp85{0cK?z&d0O<pF=_)V3_Q1g2lRqi)}-PJ`G{o=_uqaXymOk%@q9UW
zh(F)CXYqXT0+~xFrM33y;lg5v7vhUSsJN;k=!H06VFa$@mj)OqSnQB5ZD3HoqXUET
z;S}qA7Kgk|jJ7=|`MvH8`J4M|cdV<AbB1H9@q7J@u4)<T82bu<+n&QD82q2(x04i)
z0!EwQWSr3zS`51DHk-PR^8>|YH~30Twh@oOn_Er*i?bUR11g89vpT^ag%6sb50+4d
z$QhR*{;qq=63Vazg`@<VBzA1<_*+6K?;Tu*Klt@;TQV@b5<wCLNu|)6&&!Zh-V0^q
z#`XAp07&tdVDo9+WZp#+MS0Mz(B9H&s5G#l5LW#T-kWXj1auC1By1Z={$(GW6`d=w
z%8)Co>CSh{yO!KSZkGs42&Dx!kW`3zR~*ngxUWKIaMsc>5Ct!M7vaQ*=z(S<MOGtR
zl*PLN#@urO9i!NXkf15brEH@xppD~$FbzKRe!$H`E5lLIVAwVLR1lbdJ8ne?QzKd}
zK^^r2ssIHJh?5`NEp9)*t!MYad20SJ%&lW@wHku3Q$SKLJSo|ZTXh74^2_ihBqA6g
zx(FgPmFZqnX9DJiT<CdVb7$Lc)jPPx`6<FlUAgIE&sA>TU3hKkcj;L@!4Cml14U^7
z%$p=uxy6Ts1D-KUz|OJy$pw=>yHUY{-PQ;aO1%jB4+^DY-5bR|3DlAaN6W>xTarBh
z-k^DabXgn_Qve2TK;2D^XO&+DL@_;UF{iuP`a1%YrWCxV5O)9pEXeafYWT+cDN2fb
zmm~eqFm2vr$@ruZ0JAdmMN+sn12VJ~r*N&ZIM)XW5ozmQ-J8v63g}y)AYu>+WhEpY
z7vv$%nGmza`+Ejg63zDR)3XNA=tCq&s8B+?=LxZ~J2^c==>dOVA=;8P#-S{*h5Zzo
z>-IaJH15<2l?Bj7U*}kB+^4_1V@GPVuf|U=IaE&npRh8}5|^nPDpFaWYMpx?O<}<7
zxeo)PFwyipqH}^Qj7Bg?xYVt0?8+8I8+Gilp-P{_fFg*v^xQ*<Lla8i<qsU``nWFa
zo%LAnIoJ%SgAYu|+y*0?o!Mx_DIRulqrAT5CNV!xVfZV7AcL{?%oKKXliV<rZNU=t
z;5<wMOEw!f2%|32dSWj=XN#zX1JztC;%0-B>~f%5D4j+SS}hI;@q(=)Cx?`}S+B|P
z+qksV;5<5kX`CMwOq}g)59McaXi{cj{`A~TJTVip#NN+SdrCbTzE$BrRKC>?*O^fm
zuj5-lsRsWcE~=)m^Bb+TlLWZ!H(4vVd5RUB%-Pjj@!r0;Nv@rI$1!gUt>ByG3NF(K
z@!qmUR?AcSZAH$?Mq0sdmg};-kPIwh?N*r`3u_FUbUm%$zmYk4T67Do;ES=3=-(2s
z??H&3+1RTkErFMBmu=EOgu3|!M79PkGHbsS0Q%;Ivh%#Y`E$|6h($qdAPwT{VwkPI
zAU*Ab#X${yy;yD)c=cD7U`u&qIW}x*OJ&Xco{lY*V<=CtneD5_tPNO<8}K(B)6JtE
zzf*8b#W5MjG#uCAsKPN32VI+hqXNem9KCS#$I%x@f%&%wzlAu8%_9fDnK-)RK!|(W
z+Mf7_Dj1K$YyO>$-#$2UarD5EfrGA<;24S{3&%_xLvW<y=!T;dM{gWOIH*yQG5g`D
z#ZiW%90xU;h@&%(7#v;DzHK!ANX3zcBLzoS90PH*#}SKT5RSn(@^IAQARu!kjsZ9b
z`aBB9NF3ETqHsjx7>;8Gjz}CGag4wbfg{EQW_kb~LexN_>2trQB?^q@WP#BnJSLF$
zK^V>JkajIbbE3d#P7oN)DifnQ9y$LHFq-28MsqB3UxU#cBQTnyapl)AnxnAmx)!53
z5_zw|XjTf0<_KK52BSG#U^Iu}$~73xp#q~hgfN<mAVce&CM5%%*_UH5Ytr;Q*B}(S
z2Cz9$05+x9Yye=hLI5`Vqs+B{&2j<Q?1y{#1z@vG05<!gSTJC7+$dUdlEAeV!6LH4
zPlT6;y%<&*`c%mI5SM$JYnpSW<7dZCN2amY$kqR<PyG+9H>iXDGrh8=BwV|<ZG`S$
zyd@W}4e>e)cH#;B^d^Yv$NTB)p_dq43y#ES_GGPnwkygkb_;u^7ErJ8b)fBwWG!{}
znXU-)(gC*ZWq1XrPRFHiaxj_&cdX~>CzR#X<0pjOUT>e{qNr9A6Vel2WzSr)cV{ou
zgP*2ihCSQuqNkr6pN`TmhXO!#_Y8ZD%W2krQltUaQ3}iQ><0TRry+Lmi`bag0XbJ1
z!8oY1K8^NEP7NrkW;H&YI0n13Z=39m?8Hp_^==g{q$j|E`%b!&&KhUgmjkr({w(|7
z0bV%XWPjadLwj}cO#mM)d`!<`C$6_ov|~@z^q5|5h9FpDh9J0+dKMIdV1nJZn(doo
zpW#|1dJT^Y9-bg~uDyhX&9^(*;<<M6fu7tBb6!Ml_|ULLq4$KG2~pj-u6pM#$BV{4
z4UaxrTc<u?f77mTr7b;Bd$ZvK-GaZ3X~Igu{zFg{KydkW6)iEpR==X1g32Z5RqfR<
zaPuW#AO-`JQE*j&GT1uxUUasPPkj|=o-n`qn!5wC5ICgZ5s@XTS-lgwsYA``ThQ}u
zTCcw3jzN}8$}(1DxoLyC3$IV-jldYSW8ZF6PvZ4CeiINVQEb;H^?AH8b(__ff%?nd
zf?C4a@V^7Re__2kT^;5NBUg<V2<k!98ZmM4O15nXiR)71BL0TEe4N8427@W%wb~$T
za-Gg$$8a#{MdEr1g5b$b3m1yF-yf`XxgQA5!6P8g);tV3^~DE*<kZ>+gXC14x`b@+
zeH60E-iNHrB**uA7*+N9tyIzQ){vGA*Xr7bgZi)_5wwuSk63awl|~v?%tuMnauLgG
zZXL9)+^P(rpWqVE;&eGEwKzxvWaA);wf`Qg{G#s=(wJxF@_gATYz{_zXRY!i<0B2O
zY!_*jzl7?mF3Q!LQ;K|jQLgg*^vXYJmH&ZO`R`>uemlp$m#e%yC6yJN6C(}1Nc&P6
zKlg_G#r-8BqLw-*I@Zu;S^H83G!mACl=bbPL=*AFS<Sol{@A+(dx``{H%g>U@nLL=
z|7;gKUcYfD#O9mkAI5k1rv1Hhd%(0!6Baw8dm$OYXa$2l%->{fE|S6u5uxShAoLbR
zya9b2L{K7~A#B4?RA`C%A?)h|cq+?cWQ0dD!4R|;(QLfnn1<&u3C2SL#0-e-QEXML
z3?PXD2qFYdv%*~PMk7Dz2L}hYF)9vi_~NWK2nPc38xkwx>rfdt<cvYohGiqejk4N!
z!^v9Xjm%yEMH5vt@&5p6K-5hVcLAt1U?hk@3{zqb5Z*Eh9XdTQu+xJ`3VsMu@Xn4_
z&tW>ug@g`(ObI)5N(jy}pbeJ`Lm*PlUo?~L>13Gj1VGOb@t2_I0FPLODuQm;4Ay*C
zVnCsSVmt;Ic|k=kTav+T&=QI0poliu{Ye0zbEpRzf;|mr42Zs>3_XYPfLnr9&dIW&
zu4Xe{hg}#JOF+BnF+fidAhyB<og_eM7q0U6vpO639X9_9Pf1t=nnVynVhk!_2T$pk
zfvWsvR%W5$xQOO%ctgtPD1iawbY8_m$3tcMww1Yr?e@wyrAi3d5l9Ze2*|ZUyEBnC
z1W`(yEg~J8frilLknNyac*psrGtSY=7^GjXwWxR7|El~`iKDQ?|1}Wt|01NuUhB}|
zo9wZ?9UudCVyEW@0NfFa(My<^Yw04TZFwYcEDPx~s%2bKJTlM7hHV}ZukbYj+n)yu
zEP_BvwFk_d03X3#$t~-XJ6kQo&w`7Lk${f`G>?x1m<}{A-*b~>Q#Rj}Y?3xMF!(N-
zlI4&whUB{>%0@VM5Try}SEcuf8BcOj68b>;2k>3Cl2-wD(99fbn0%L{eaJ_2B)nGg
zF0Sdrq(qaxpv~t3wRF;=S>!nB+<`|9Vu@VLL%HxW89mO30XsvdHg*OqY=A*~uz;kG
zm$wg>6pTIW=>m=gy~VX%PaubgGTwE@eL%ZaA;vIF_|W@6rH2^9c<Fh+iDXN}h02p4
znlXUBEF;&18SKKlcJ2`x&g>Ipk1@izQ2Jn2fDxVd*znDcH>o!GXmi)l4Cb0>6@jk?
z9z6IEV3anCRCloW7r4vl#fj3j1b{q*lFx&w9Bdfokc=m^iuo|uW7i>S^4r%T7_o4e
zfI%O?2-3Xev79N0(7Pbk@E6HPcd$z_Qzpx&Mx2<ykr2hC1eeICW&%TMVk}1@bj)Cn
zOv9e&0xF1>z8yf>0Z{?XRW5H%pVZ!Z&IiZC>~(62^gO}SC9D$G8Yno+CmV5kLp#Ht
zOoQ9Nju{|WdUdKCB+3g79Q1$i`(P2(a8nr%d<lZym`_4yl}E9aI#_LWg$UDt>cK07
zxb+vR;r~}_XdUdKQ#oIQwn%vcU~*6-ihp<P=&t_K3po@fLD=_gHdnOYB^*+$kKJwF
z@rH!h!ws3r9d@;Oa?Ih4(aL*@(*AILd$Jz3JKQ}M2wV-q)aAoT9h5&P?9U0xZrXVD
zVuKD~(<6)tw88o6K+wkPhkM|6apVE)xzg^H+bC>nVkwG%MAe$7hUA?Y-`Td_7BMt@
zf7lOUGeXaS66(c}rS1dn64z^p0rH-6sWZ&+m}7|Xfw97H>#Owk+6pa7eGnW8@7NdG
zUCKeFy=}d4UxlS|#tiP?NE@e~sxPb$JJ(a+2CMG8Ono;34mh*)Nv=|J7hfdY@pfeC
z#jt9>kOlw4VsXj#nz%Im2=-tbv-Ng}q;Pw--e_+uWR=H}ufWWApmoe}&|fW7N}L_?
zv2FI{B(p;cVJn{Sj6U{1_&PS^v18BZ4Q^j(E_sEdB&4^7tzE_*{<G%ZIm52G=jNdD
zIyjuX%2HIwOXHr^`?<VkgDoQM*=ONhn9Z&}t2bJ~9dBidj_f=BtQXs-WU{j7^{KG1
z?s;CH>Fgmys#R?N9GD1!m@h#WXP?j;-9AKjL?<AgvGAQr_twYPR<fBd>fwi9JE7+p
zoDDB1Rt`xm=6^x4a%3WYDLsHOpU2ASz|I@egMvGdY<F1v2t+S|Q|#D7;VAo}Q@Ue-
zI05u`U#mIH9if8x&ZSN?9ZmQJH=>>)l$%>t%SjmuLL|*QKjqPKu&W9U%CzEJ)L9%B
z<h{`@96`S_7Gs~+bVy6FHx{tbPOu{LKJ>mt<9#qKW<2ea2sMFSSpxIgtcBK_PIuC;
zRm)|K!+|pC`~&8iVT-Koy?GUzYhc9LD>vXPDP4@R{A&`tAWN`m9DXZ=)IJ{rCf;dD
mP}#Ff@Nw-&WKkBn)M|1WKEi`HpxDUUPz>?AWGBrFo&E>@R}IYo

diff --git a/tracker.tmp8YFKFI.org b/tracker.tmp8YFKFI.org
deleted file mode 100644
index e515e31a..00000000
--- a/tracker.tmp8YFKFI.org
+++ /dev/null
@@ -1,108 +0,0 @@
-# Created 2021-12-21 Tue 12:03
-#+title: 
-#+author: Yann Esposito
-* CHAT Dar about using UI Components in the login pages              :work:chat:
-[2021-12-21 Tue 10:20]
-
-#+begin_quote
-@Dar
-Hey Yann, a question came up in our weekly sync about the login flows…
-now that they're getting a bit more sophisticated wouldn't it be better to
-start using common UI components rather than taking snapshots/hard-copies
-of styles and generating one-off templates?
-what are the security concerns around client-side rendering the auth UI?
-#+end_quote
-
-
-Hi Dar,
-
-So to answer the question historically.
-First, we didn't have any login page.
-It was 100% hosted in CTR UI.
-I just provided the route to create the login links (and this could still
-be used today and it is in the new login page).
-
-We faced many bugs (most of them related to URL encoding), and thus decided
-to close the gap by building an hosted login page.
-That way I can 100% control the behavior and have lot of tests to check url
-encoding related bugs.
-Do not forget that in CTR you often want to deal with URL with very complex
-URL fragments that contain a representation of the investigation, imagine
-text with carriage return, URL, emails, etc…
-
-Even recently we experienced subtle bugs. And the solution was to get rid
-as much as possible of the javascript code that handled the url parsing and building.
-Now, this is handled via the backend on the login page.
-
-So the 1st reason to host the login page was convenience and bug fixing and
-not necessarily security.
-
-Regarding security, I was afraid to introduce a security bug because, the
-login page is clearly a nice entry point for security attack.
-So I tried to be as conservative as possible.
-So no js when possible.
-And if we need to use js, do not use any lib, just basic javascript so the
-code is easy to understand and debug.
-
-There is another complexity to keep in mind.
-For historical reason, for now, there is no "session" when the user has
-logged in via the IdP but hasn't yet selected a user and thus is not logged
-in SecureX.
-Right now, we handle this state with a token in the URLs.
-And this token can be consumed only once.
-By that I mean, in the account selection page you will have links looking like:
-
-- https://..../select-org-1?code=XXX
-- https://..../select-org-2?code=XXX
-- https://..../select-org-3?code=XXX
-
-When the user will click on the first link; the code =XXX=
-will be consumed and the other links will not work.
-So I ensure that the user need to perform a login workflow again to login
-into another org.
-
-So that being, said.
-I think now we are in a new situation where I think we could totally have a
-lot more convenient system.
-
-1. I need to create a notion of session when the user is logged in in the
-   IdP but has not selected a SecureX account.
-2. Use more js to ease the UI work, typically, UI components. The limit
-   being that the CSP header are restrictive in the sense that we must host
-   the JS at the same URL, and we should probably still generate data via
-   the backend, maybe still keep a bit of HTML.
-
-In fact, we need the backend to be able to provide a set of informations to
-the UI and take care that no XSS could be possible.
-I think the main risk is that, the login page must support complex query
-parameters.
-So great care should be taken in the parsing of these query parameters.
-To give a concrete example:
-
-You should be able to generate a page for a URL looking like:
-
-https://securex...cisco.com/login?redirects=<URL2>
-
-Where URL2 should be encoded correctly, and could itself be complex:
-
-URL2: https://visibility...cisco.com/investigate#q=<QUERY>
-
-Where QUERY should be encoded an could contain urls, emails:
-
-QUERY:
-
-#+begin_src
-url:http://attack.com/foo?param=something-complex
-foo@example.com
-some random text
-carriage return, unicode, emojis? etc…
-#+end_src
-
-So to present the login page, every button should take care that adding a
-=<script>= somewhere will not generate an XSS, that the encoding is correct.
-And that login link could be forged by an attacker, and it should not be
-possible to hijack the redirection to a non allowed login endpoint.
-Because in that case, the endpoint will get a =code= from which we could
-retrieve the creds of the user.
-
-To me this totally doable, and I think should be the preferred route.
diff --git a/tracker.tmpqvB1XT.org b/tracker.tmpqvB1XT.org
deleted file mode 100644
index cf951f7a..00000000
--- a/tracker.tmpqvB1XT.org
+++ /dev/null
@@ -1,1717 +0,0 @@
-# Created 2021-12-21 Tue 12:01
-#+title: 
-#+author: Yann Esposito
-* 2021
-** [[file:/Users/esposito/Library/Mobile Documents/iCloud~com~appsonthemove~beorg/Documents/org/2021-W03.org][2021-W03]]
-** [[file:/Users/esposito/Library/Mobile Documents/iCloud~com~appsonthemove~beorg/Documents/org/2021-W04.org][2021-W04]]
-** [[file:/Users/esposito/Library/Mobile Documents/iCloud~com~appsonthemove~beorg/Documents/org/2021-W05.org][2021-W05]]
-** [[file:/Users/esposito/Library/Mobile Documents/iCloud~com~appsonthemove~beorg/Documents/org/2021-W06.org][2021-W06]]
-** [[file:/Users/esposito/Library/Mobile Documents/iCloud~com~appsonthemove~beorg/Documents/org/2021-W07.org][2021-W07]]
-** [[file:/Users/esposito/Library/Mobile Documents/iCloud~com~appsonthemove~beorg/Documents/org/2021-W08.org][2021-W08]]
-** [[file:/Users/esposito/Library/Mobile Documents/iCloud~com~appsonthemove~beorg/Documents/org/2021-W09.org][2021-W09]]
-** [[file:/Users/esposito/Library/Mobile Documents/iCloud~com~appsonthemove~beorg/Documents/org/2021-W10.org][2021-W10]]
-** [[file:/Users/esposito/Library/Mobile Documents/iCloud~com~appsonthemove~beorg/Documents/org/2021-W11.org][2021-W11]]
-** [[file:/Users/esposito/Library/Mobile Documents/iCloud~com~appsonthemove~beorg/Documents/org/2021-W12.org][2021-W12]]
-** [[file:/Users/esposito/Library/Mobile Documents/iCloud~com~appsonthemove~beorg/Documents/org/2021-W13.org][2021-W13]]
-** [[file:/Users/esposito/Library/Mobile Documents/iCloud~com~appsonthemove~beorg/Documents/org/2021-W14.org][2021-W14]]
-** [[file:/Users/esposito/Library/Mobile Documents/iCloud~com~appsonthemove~beorg/Documents/org/2021-W15.org][2021-W15]]
-** [[file:/Users/esposito/Library/Mobile Documents/iCloud~com~appsonthemove~beorg/Documents/org/2021-W16.org][2021-W16]]
-** [[file:/Users/esposito/Library/Mobile Documents/iCloud~com~appsonthemove~beorg/Documents/org/2021-W17.org][2021-W17]]
-** [[file:/Users/esposito/Library/Mobile Documents/iCloud~com~appsonthemove~beorg/Documents/org/2021-W18.org][2021-W18]]
-** [[file:/Users/esposito/Library/Mobile Documents/iCloud~com~appsonthemove~beorg/Documents/org/2021-W19.org][2021-W19]]
-** [[file:/Users/esposito/Library/Mobile Documents/iCloud~com~appsonthemove~beorg/Documents/org/2021-W20.org][2021-W20]]
-** [[file:/Users/esposito/Library/Mobile Documents/iCloud~com~appsonthemove~beorg/Documents/org/2021-W21.org][2021-W21]]
-** [[file:/Users/esposito/Library/Mobile Documents/iCloud~com~appsonthemove~beorg/Documents/org/2021-W22.org][2021-W22]]
-** [[file:/Users/esposito/Library/Mobile Documents/iCloud~com~appsonthemove~beorg/Documents/org/2021-W23.org][2021-W23]]
-** [[file:/Users/esposito/Library/Mobile Documents/iCloud~com~appsonthemove~beorg/Documents/org/2021-W24.org][2021-W24]]
-** [[file:/Users/esposito/Library/Mobile Documents/iCloud~com~appsonthemove~beorg/Documents/org/2021-W25.org][2021-W25]]
-** 2021-W33
-#+begin: clocktable :scope subtree :maxlevel 4 :timestamp nil :link nil :tags t :narrow 36! :match "work"
-#+caption: Table 1: Clock summary at [2021-10-28 Thu 18:16]
-| Tags          | Headline                                     | Time   |      |      |      |
-|---------------+----------------------------------------------+--------+------+------+------|
-|               | *Total time*                                 | *6:19* |      |      |      |
-|---------------+----------------------------------------------+--------+------+------+------|
-|               | \_  2021-W33                                 |        | 6:19 |      |      |
-|               | \_    2021-08-16 Monday                      |        |      | 1:52 |      |
-| work          | \_      Fix Carlos Hidalgo account           |        |      |      | 0:20 |
-| work          | \_      create an issue about email...       |        |      |      | 1:32 |
-|               | \_    2021-08-17 Tuesday                     |        |      | 2:48 |      |
-| work          | \_      Add scope to TG clients              |        |      |      | 0:38 |
-| work          | \_      Write an issue about 1-click...      |        |      |      | 2:03 |
-| work, chat    | \_      Jyoti about CDO 1-click module setup |        |      |      | 0:07 |
-|               | \_    2021-08-19 Thursday                    |        |      | 1:39 |      |
-| work, meeting | \_      Interview Olivier Barbeau            |        |      |      | 1:39 |
-#+end:
-
-*** 2021-08-16 Monday
-**** DONE Fix Carlos Hidalgo account                                 :work:
-[2021-08-16 Mon 15:11]
-- ref :: [[file:~/Library/Mobile Documents/iCloud~com~appsonthemove~beorg/Documents/org/tracker.org::*create an issue about email search case sensitivity][create an issue about email search case sensitivity]]
-**** DONE create an issue about email search case sensitivity        :work:
-[2021-08-16 Mon 15:03]
-- ref :: https://github.com/threatgrid/response/issues/818
-
-***** Fix email case sensitivity
-
-> Related https://github.com/threatgrid/response/issues/818
-
-We often need to search by email. The main issue being that, currently our
-search mechanism does not support case insensitive matches.
-
-We have 4 possible solutions:
-
-1. Lower case the user email at creation. We need to also update the user
-   emails in our DB. The safest route to achieve this will be via the
-   iroh-migration service.
-2. Keep the email case sensitive and add a new case insensitive field =lc-user-email=
-   for example. But same as for case 1, we need to perform a DB migration to
-     add this new field to all existing user in DB.
-3. Add support for case insensitive search in tk-store, perhaps with a new
-   tk-store service, or improving current =CRUDStoreService.=
-4. Add a specific service just for search user emails that could take care
-   of this specific case by using a Postgres specific query. This could
-   also be the occasion to provide a tk-store hole in the abstraction service.
-
-The simplest is probably option 1.
-Option 2 would be slightly more complex and we would not lose any detail.
-Option 3 seems the most generic one, and we could totally imagine we would
-appreciate a case insensitive search support.
-Option 4 looks like a specific case of 3.
-
-My preference then goes to option 3, but we need to understand if this is
-not too difficult to achieve, what would be the API? The most natural one
-would probably add an option along =filter-map= like =case-insensitive-fields=.
-One issue would be to write the support for case insensitive match for =atom=
-and =redis=.
-
-
-**** TODO Interview Steven Collins
-
-*** 2021-08-17 Tuesday
-**** DONE Add scope to TG clients                                    :work:
-[2021-08-17 Tue 17:54]
-
-In tenzin config:
-
-#+begin_src
-- INT: 34d94c8c-2041-4708-8172-ebe2df295ca7-2
-- TEST: f993f6a0-8075-43e0-a9e5-dae9c3980513
-- NAM: 7b8d9fef-bd93-4ef3-88af-ae4174ee02e5
-- EU: a1662193-9155-44fd-aa1f-43afd42c889c
-#+end_src
-**** DONE Write an issue about 1-click module setup                  :work:
-[2021-08-17 Tue 15:51]
-- ref :: [[file:~/Library/Mobile Documents/iCloud~com~appsonthemove~beorg/Documents/org/Cisco.org.gpg::*Activation Optimization][Activation Optimization]]
-**** CHAT Jyoti about CDO 1-click module setup                       :work:chat:
-[2021-08-17 Tue 15:44]
-- ref :: [[file:~/Library/Mobile Documents/iCloud~com~appsonthemove~beorg/Documents/org/Cisco.org.gpg::*Epics][Epics]]
-
-*** 2021-08-19 Thursday
-#+begin: clocktable :scope subtree :maxlevel 4 :timestamp t :link t :tags t :narrow 36! :match "work"
-#+caption: Table 2: Clock summary at [2021-08-19 Thu 17:43]
-| Timestamp              | Tags          | Headline                                                                                                                                                                  | Time   |   |      |      |
-|------------------------+---------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---+------+------|
-|                        |               | *Total time*                                                                                                                                                              | *1:39* |   |      |      |
-|------------------------+---------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---+------+------|
-|                        |               | \_    [[file:/Users/esposito/Library/Mobile Documents/iCloud~com~appsonthemove~beorg/Documents/org/tracker.org::*2021-08-19 Thursday][2021-08-19 Thursday]]               |        |   | 1:39 |      |
-| [2021-08-19 Thu 16:04] | work, meeting | \_      [[file:/Users/esposito/Library/Mobile Documents/iCloud~com~appsonthemove~beorg/Documents/org/tracker.org::*Interview Olivier Barbeau][Interview Olivier Barbeau]] |        |   |      | 1:39 |
-#+end:
-
-**** MEETING Interview Olivier Barbeau                               :work:meeting:
-[2021-08-19 Thu 16:04]
-- ref :: [[file:~/Library/Mobile Documents/iCloud~com~appsonthemove~beorg/Documents/org/Cisco.org.gpg::*Self Presentation][Self Presentation]]
-
-** 2021-W35
-#+begin: clocktable :scope subtree :maxlevel 4 :timestamp nil :link nil :tags t :narrow 36! :match "work"
-#+caption: Table 3: Clock summary at [2021-10-28 Thu 18:15]
-| Tags          | Headline                  | Time   |      |      |      |
-|---------------+---------------------------+--------+------+------+------|
-|               | *Total time*              | *2:54* |      |      |      |
-|---------------+---------------------------+--------+------+------+------|
-|               | \_  2021-W35              |        | 2:54 |      |      |
-|               | \_    2021-09-02 Thursday |        |      | 2:54 |      |
-| work, meeting | \_      Weekly meeting    |        |      |      | 2:54 |
-#+end:
-
-
-*** 2021-09-02 Thursday
-**** MEETING Weekly meeting                                          :work:meeting:
-[2021-09-02 Thu 17:06]
-
-Guillaume start about the *Design Planning* github project.
-
-- SecureX session
-- High Impact Incident
-
-Sorry
-
-** 2021-W36
-
-*** 2021-09-08 Wednesday
-**** MEETING 1-click module setup weekly meeting                     :work:meeting:
-[2021-09-08 Wed 17:30]
-- ref :: https://miro.com/app/board/o9J_l57_gro=/
-
-Miro dashboard from Chloe:
-
-https://miro.com/app/board/o9J_l57_gro=/
-
-
-Discussion:
-
-When to TEST, tomorrow.
-Asking for client_id in TEST.
-
-
-Client-id: client-555c1f7a-b57b-4a6b-9f0b-015e311a6d06
-
-*** 2021-09-09 Thursday
-**** MEETING Interview: Florin Braghis                               :work:meeting:
-[2021-09-09 Thu 15:49]
-
-** 2021-W37
-#+begin: clocktable :scope subtree :maxlevel 4 :timestamp nil :link nil :tags t :narrow 36! :match "work"
-#+caption: Table 4: Clock summary at [2021-10-28 Thu 18:15]
-| Tags          | Headline                  | Time    |       |       |       |
-|---------------+---------------------------+---------+-------+-------+-------|
-|               | *Total time*              | *22:11* |       |       |       |
-|---------------+---------------------------+---------+-------+-------+-------|
-|               | \_  2021-W37              |         | 22:11 |       |       |
-|               | \_    2021-09-14 Tuesday  |         |       |  1:04 |       |
-| work          | \_      Device Grant      |         |       |       |  1:04 |
-|               | \_    2021-09-16 Thursday |         |       | 21:07 |       |
-| work, meeting | \_      Team weekly       |         |       |       | 21:07 |
-#+end:
-
-
-*** 2021-09-14 Tuesday
-**** IN-PROGRESS Device Grant                                        :work:
-[2021-09-14 Tue 19:31]
-- ref :: 
-
-*** 2021-09-16 Thursday
-**** MEETING Team weekly                                             :work:meeting:
-[2021-09-16 Thu 17:25]
-
-Ambrose, Irina, Guillaume, Matt, Yann
-
-TO MENTION: Device Grant with FMC => Public clients
-
-***** Incident discussion
-
-*** 2021-09-17 Friday
-**** MEETING Presenting the projects                                 :work:meeting:
-[2021-09-17 Fri 14:32]
-- ref :: https://github.com/advthreat/iroh/projects
-.
-
-***** Pres
-
-****** General
-
-******* Project Organization
-
-Every project has an owner (main point of contact for the FT)
-Now only leads, but could be anyone in the future.
-
-****** [Design] Shared IROH Auth Session
-
-Goal of this Project which is not an official FT is to reflect and write
-proposals to reach the feeling of a shared session across all Cisco
-Security products via SecureX.
-
-- solution using cookies
-- solution using Open ID Connect
-.
-****** [Design] High Impact Incident
-
-/Guillaume Ereteo/ made an awesome work to provide multiple proposals to be
-able to deliver the feature as fast as possible.
-
-1. filter on source (only AMP)
-2. Add severity on incident model
-3. Incident with high impact via an IROH route:  https://github.com/advthreat/iroh/issues/5710
-   - needs the proxy from Ambrose
-   - need sync with engine team too
-
-****** SecureX Suite Session Improvement
-
-Delivered yesterday in v1.81
-Limit the number of interstitial pages between SecureX and CTR/SSE
-
-- For orbital, missing the Launch button, the back end work is done as we do
-  not need any SXSO app link.
-
-****** [HOLD] Cisco Secure Client Integration
-
-Still no work to be done by the IROH Services team
-
-****** Hiring
-
-Since last meeting two new hires will join us in next few weeks.
-Kiril and Olivier.
-
-Kiril lives in Germany and Olivier in France.
-
-****** 1-Click Module Setup
-
-In progress integration by CDO and SWC
-
-/Irina/ worked to provide the vault metadata API for SWC.
-
-AMP is in the QA test phase.
-
-****** ModuleType updates
-
-Just saw the rename of "Threat Grid" into "Secure Malware Analytics"
-
-****** [HOLD] CTIA Hydrant support
-****** CTIA Incident Manager Improvement
-****** Bug Squashing
-
-- Fix a bug where a user could login to org that reject non-admin user login
-- Fix a refresh token bug that would provide too much scopes to an access token
-- Login Page url parsing potential discrepancy fixed
-
-****** [HOLD] ES 7 Migration
-****** Device Insights Integration
-
-- Wanderson: Webhooks work, trigger a notification for every
-  module-instance configuration change.
-
-****** AppLinks API
-****** SSE API Extension & OAuth2 Device Grant
-- FMC ⇒ public clients for Device Grants
-****** Incident Assignment Notifications
-
-/Ambrose/ worked to make IROH a proxy to private intel for incident
-assignments notifications.
-Should be delivered in v1.82
-
-** 2021-W39
-#+begin: clocktable :scope subtree :maxlevel 4 :timestamp nil :link nil :tags t :narrow 36! :match "work"
-#+caption: Table 5: Clock summary at [2021-10-28 Thu 18:15]
-| Tags          | Headline                   | Time   |      |      |      |
-|---------------+----------------------------+--------+------+------+------|
-|               | *Total time*               | *6:30* |      |      |      |
-|---------------+----------------------------+--------+------+------+------|
-|               | \_  2021-W39               |        | 6:30 |      |      |
-|               | \_    2021-09-29 Wednesday |        |      | 3:18 |      |
-| work, meeting | \_      Interview          |        |      |      | 3:18 |
-|               | \_    2021-10-01 Friday    |        |      | 3:12 |      |
-| work, meeting | \_      App Links          |        |      |      | 1:41 |
-| work, meeting | \_      Secure Client      |        |      |      | 1:31 |
-#+end:
-
-
-*** 2021-09-29 Wednesday
-**** MEETING Interview                                               :work:meeting:
-[2021-09-29 Wed 16:12]
-- ref :: [[file:~/dev/ring-jwt-middleware/src/ring_jwt_middleware/core.clj::jwt-check-fn (s/=> s/Any s/Str JwtClaims)]]
-
-*** 2021-10-01 Friday
-**** MEETING App Links                                               :work:meeting:
-[2021-10-01 Fri 17:26]
-- ref :: [[file:~/Library/Mobile Documents/iCloud~com~appsonthemove~beorg/Documents/org/tracker.org::*Secure Client][Secure Client]]
-**** MEETING Secure Client                                           :work:meeting:
-[2021-10-01 Fri 15:55]
-
-Meeting link:
-https://cisco.webex.com/cisco/j.php?MTID=m5814a8530a0870a19a57230bfd6d4b0e
-
-** 2021-W40
-#+begin: clocktable :scope subtree :maxlevel 4 :timestamp nil :link nil :tags t :narrow 36! :match "work"
-#+caption: Table 6: Clock summary at [2021-10-28 Thu 18:15]
-| Tags          | Headline                                | Time    |       |       |       |
-|---------------+-----------------------------------------+---------+-------+-------+-------|
-|               | *Total time*                            | *38:18* |       |       |       |
-|---------------+-----------------------------------------+---------+-------+-------+-------|
-|               | \_  2021-W40                            |         | 38:18 |       |       |
-|               | \_    2021-10-05 Tuesday                |         |       |  0:46 |       |
-| work          | \_      Training Interviewing           |         |       |       |  0:46 |
-|               | \_    2021-10-07 Thursday               |         |       | 32:04 |       |
-| work, meeting | \_      DI blockers                     |         |       |       | 23:32 |
-| work          | \_      support                         |         |       |       |  1:16 |
-| work, chat    | \_      check continu                   |         |       |       |  6:38 |
-| work, chat    | \_      support DI JWT signature        |         |       |       |  0:19 |
-| work, support | \_      client update via admin for CMD |         |       |       |  0:18 |
-| work, chat    | \_      Check webex matinal.            |         |       |       |  0:01 |
-|               | \_    2021-10-08 Friday                 |         |       |  5:28 |       |
-| work, meeting | \_      IDB decomissioning              |         |       |       |  2:28 |
-| work, meeting | \_      Customer Manager                |         |       |       |  3:00 |
-#+end:
-
-
-*** 2021-10-05 Tuesday
-**** MEETING DI weekly                                               :work:meeting:
-[2021-10-05 Tue 15:30]
-
-#+begin_quote
-From Yuri
-
-Hi,
-Things I’d like to discuss on our today sync meeting:
-1. The integration modules screen:
-   1. When will all the modules be updated with the relevant text?
-   2. When will all the modules be deployed to production?
-   3. Same goes for the DI module? Need help in updating its text and taking it to production as well
-   4. The filter by capability for device insights currently shows an empty result in production
-2. Integration code
-   1. Is there still some integration code that is pending?
-   2. What is the status of https://github.com/advthreat/iroh/issues/5680?
-   ii. Any other open issues?
-   1. Any blockers that you see for deploying to production?
-3. Assets API QA?
-#+end_quote
-
-1.a. doc team
-1.b
-
-2.a
-
-**** IN-PROGRESS Training Interviewing                               :work:
-[2021-10-05 Tue 14:44]
-***** Past Perf Predict the Future
-
-*Behaviorial questions*
-
-- tell me about a time when...
-- Where and how have you used ,,, to achieve ,,,
-- Walk me through the system/process/etc...
-
-*Behavioral questions better*
-
-More specific to their experience, not generic.
-
-- concise
-- clear
-- relevant
-- practiced
-- tailored to the job
-
-***** Real Purpose of interviewing
-
-Predict whether or not they'd be successful in our company
-
-Evidence?
-- Yes, specific examples
-- Yes, demonstration
-
-What the candidate will think about the question.
-
-****** Clear on hiring criteria
-
-*skills & knownledge, attributes, achievements, motivations*
-
-targeted probing behavioral interviewing.
-
-Go deep, specific, examples.
-Ask the *how* to detect liars, lack of honesty.
-
-- what ,,, what did you do, what was your role, etc...
-  Question need specific responses.
-
-Do brainteasers work? no
-Use problem solving questions; how would you do/solve/etc...?
-
-Examples:
-
-- role play question. ×
-- problem they solved. ✓
-
-
-What work-related experience(s) changed your opinion(s) on something?
-
-****** On Question to rule them all?
-
-Combination question.
-Find combo questions.
-
-*Probing*
-
-*** 2021-10-07 Thursday
-**** MEETING DI blockers                                             :work:meeting:
-[2021-10-07 Thu 18:01]
-
-#+begin_quote
-@Yuri:
-
-I’ve opened the issues there, still need to set priorities.
-Here is the list of the issues I’m currently aware of that are important
-for the release:
-
-1. https://github.com/advthreat/iroh/issues/5680 - didn’t open a new ticket for this one, since it already has tracking.
-   1. Umbrella module -
-      1. Allow configuring only DI relevant fields - https://github.com/threatgrid/response/issues/933 b. Placement of fields https://github.com/threatgrid/response/issues/934 c. Add explanations of DI relevant fields - https://github.com/threatgrid/response/issues/935 d. Umbrella doesn't send the external reference info - https://github.com/threatgrid/response/issues/936
-   2. filtering for the device insights SecureX modules in the Integration Modules screen - results in an empty set - https://github.com/threatgrid/response/issues/937
-
-If you know of something else, please add here
-
-@Matt:
-2.a is also tracked here https://github.com/advthreat/iroh/issues/5821
-#+end_quote
-
-
-1. Doc discussion 30min
-2. show time (Yuri share chat)
-
-
-
-**** IN-PROGRESS support                                             :work:
-[2021-10-07 Thu 16:45]
-- ref :: https://github.com/threatgrid/tenzin/issues/1530
-
-new-org
-
-#+begin_src js
-{
-    "id": "00000000-0000-0000-6473-000028fbaa95",
-    "name": "GATE/Tier3",
-    "enabled?": true,
-    "created-at": "2021-10-07T17:00:00.000Z",
-    "scim-status": "activated",
-    "additional-scopes": [
-        "iroh-master:read",
-        "iroh-admin:read",
-        "iroh-master/tac",
-        "iroh-auth:read"]
-}
-#+end_src
-
-Idp Mapping INT/TEST
-
-#+begin_src js
-{
-    "idp": "sxso",
-    "user-identity-id": "00uox5862kEG8G0CD0h7",
-    "enabled?": true
-}
-#+end_src
-
-IdP Mapping PROD
-
-#+begin_src js
-{
-    "idp": "sxso",
-    "user-identity-id": "00u4dmbgyjnx4glS2357",
-    "enabled?": true
-}
-#+end_src
-
-
-Users to invite:
-
-
-#+begin_src js
-
-[{"invitee-email":"ashakarc@cisco.com","role":"admin"},
- {"invitee-email":"bmacer@cisco.com",  "role":"admin"},
- {"invitee-email":"caknowle@cisco.com","role":"admin"},
- {"invitee-email":"cdeleanu@cisco.com","role":"admin"},
- {"invitee-email":"daphgalm@cisco.com","role":"admin"},
- {"invitee-email":"djanulik@cisco.com","role":"admin"},
- {"invitee-email":"bmahsan@cisco.com", "role":"admin"},
- {"invitee-email":"majacob2@cisco.com","role":"admin"},
- {"invitee-email":"sorianto@cisco.com","role":"admin"},
- {"invitee-email":"stabulic@cisco.com","role":"admin"}]
-#+end_src
-
-**** CHAT check continu                                              :work:chat:
-[2021-10-07 Thu 10:07]
-- ref :: [[file:~/Library/Mobile Documents/iCloud~com~appsonthemove~beorg/Documents/org/tracker.org::*support DI JWT signature][support DI JWT signature]]
-**** CHAT support DI JWT signature                                   :work:chat:
-[2021-10-07 Thu 09:45]
-- ref :: https://github.com/advthreat/iroh/issues/5680
-
-**** IN-PROGRESS client update via admin for CMD                     :work:support:
-[2021-10-07 Thu 09:27]
-- ref :: https://github.com/advthreat/iroh/issues/5827
-
-Cisco Secure Email Cloud Mailbox
-
-- module NAM client-0be615ab-b0ff-4c12-8a85-f16c95e7d396
-- ribbon NAM client-e36ba40b-5710-402d-b036-ada6d7817c55
-- module EU client-6fc3230c-936a-40c1-ad73-f9f28700804e
-- ribbon EU client-164688ee-cd5d-44b6-be3d-5e255955e969
-
-
-**** CHAT Check webex matinal.                                       :work:chat:
-[2021-10-07 Thu 09:26]
-- ref :: [[file:~/Library/Mobile Documents/iCloud~com~appsonthemove~beorg/Documents/org/notes/journal/2021/2021-10-07.org::*09:20][09:20]]
-**** PAUSE Journal                                                   :pause:
-[2021-10-07 Thu 09:20]
-
-*** 2021-10-08 Friday
-**** MEETING IDB decomissioning                                      :work:meeting:
-[2021-10-08 Fri 20:33]
-- ref :: [[file:~/dev/iroh/services/iroh-auth/test/iroh_auth/oauth2_web_service_test.clj][file:~/dev/iroh/services/iroh-auth/test/iroh_auth/oauth2_web_service_test.clj]]
-
-- SSE side decomission
-
-Chander Goyal
-
-context; SX released as a platform, SSE had a PingFed ID Broker.
-Also for CSA.
-
-We want to user IROH-Auth.
-We want to use directly IROH-Auth.
-
-CSA Migration was launched.
-SSE-side done.
-
-CSA should be completed very soon.
-Let's not change PingFed.
-
-Nov 1919 -> nobody left in PingFed at SSE.
-
-Very limited knowledge.
-The license was Cisco Wideside license.
-end in 2022.
-
-We want to duplicate PingFed.
-**** MEETING Customer Manager                                        :work:meeting:
-[2021-10-08 Fri 17:33]
-- ref :: ,,,
-
-** 2021-W41
-#+begin: clocktable :scope subtree :maxlevel 4 :timestamp nil :link nil :tags t :narrow 36! :match "work"
-#+caption: Table 7: Clock summary at [2021-10-28 Thu 18:15]
-| Tags | Headline                                     | Time   |      |      |      |
-|------+----------------------------------------------+--------+------+------+------|
-|      | *Total time*                                 | *1:35* |      |      |      |
-|------+----------------------------------------------+--------+------+------+------|
-|      | \_  2021-W41                                 |        | 1:35 |      |      |
-|      | \_    2021-10-14 Thursday                    |        |      | 1:35 |      |
-| work | \_      Write Customer Manager doc           |        |      |      | 1:10 |
-| work | \_      write attack on Webhooks with JWT... |        |      |      | 0:25 |
-#+end:
-
-
-*** 2021-10-14 Thursday
-**** IN-PROGRESS Write Customer Manager doc                          :work:
-[2021-10-14 Thu 15:23]
-- ref :: [[file:~/Library/Mobile Documents/iCloud~com~appsonthemove~beorg/Documents/org/tracker.org::*write attack on Webhooks with JWT from emitters][write attack on Webhooks with JWT from emitters]]
-**** IN-PROGRESS write attack on Webhooks with JWT from emitters     :work:
-[2021-10-14 Thu 14:58]
-
-Attack using access_token/id_token from emitters and not webhook owner.
-
-Webhooks are a generic mechanism; but here we only focus on webhook used by
-internal Cisco team integration.
-
-So the webhook mechanism should be used to push a trusted API that a
-changed occurred in SecureX (typically module instance change).
-
-The call must be authenticated by the API.
-The call should also optionally contain access/refresh tokens to the
-destination so the integration team could access IROH as the event's
-emitter user.
-
-The issue is that, nothing is explicitly done to prevent any user to get an
-access/id token generated from the same client we use to forge the
-authentication headers.
-So it means, that a SecureX user from any org that could get access to its
-own access token/id token (which is entirely possible, and easy to get for
-DI as their client is public).
-So any user could call the API endpoint to fake real webhook events, and
-potentially using cross-tenancy/cross-user false events.
-
-So to mitigate this issue, we suggest to:
-
-1. Always use the owner of the webhook & the client of the team to build
-   id_tokens, (if possible not access_token).
-   The forged JWT should have a specific audience (this is already the case
-   for DI at least). The API team *MUST* check that the =sub= claim matches the
-   =owner-id= field of the webhook as well as verifying the JWT signature.
-2. Provide the emitter tokens in the body of the HTTP call made during
-   webhook trigger.
-
-
-- With 1, we prevent this cross-tenant/cross-user attack.
-- With 2, we not only provide even more data than before but the team could
-directly use the token without using the "custom route" to retrieve the
-refresh token (as it is already provided in the webhook HTTP body)
-
-** 2021-W42
-#+begin: clocktable :scope subtree :maxlevel 4 :timestamp nil :link nil :tags t :narrow 36! :match "work"
-#+caption: Table 8: Clock summary at [2021-10-28 Thu 18:15]
-| Tags              | Headline                                    | Time   |      |      |      |
-|-------------------+---------------------------------------------+--------+------+------+------|
-|                   | *Total time*                                | *9:45* |      |      |      |
-|-------------------+---------------------------------------------+--------+------+------+------|
-|                   | \_  2021-W42                                |        | 9:45 |      |      |
-|                   | \_    2021-10-19 Tuesday                    |        |      | 6:59 |      |
-| work              | \_      whitelist synopsis.com in TEST      |        |      |      | 6:59 |
-|                   | \_    2021-10-21 Thursday                   |        |      | 1:13 |      |
-| work, meeting     | \_      Weekly IROH Service Team            |        |      |      | 0:09 |
-| work, meeting     | \_      FMC - Device Grant OAuth2 Flow Sync |        |      |      | 0:24 |
-| work, meeting, me | \_      Secure Client                       |        |      |      | 0:40 |
-|                   | \_    2021-10-22 Friday                     |        |      | 1:33 |      |
-| work, meeting     | \_      Engineering Team                    |        |      |      | 1:33 |
-#+end:
-
-
-*** 2021-10-18 Monday
-**** TODO Write Weekly todos                                         :work:
-[2021-10-18 Mon 10:56]
-- ref :: 
-***** DONE Check Wanderson PRs/Webhooks
-***** DONE Customer Manager Doc
-***** DONE IROH-Auth tour
-****** DONE Organize invitations for IROH-Auth tour + bugfix, etc...
-***** DONE Discuss Exceptions organization
-*** 2021-10-19 Tuesday
-**** DONE whitelist synopsis.com in TEST                             :work:
-[2021-10-19 Tue 09:04]
-- ref :: [[file:~/Library/Mobile Documents/iCloud~com~appsonthemove~beorg/Documents/org/tracker.org::*Olivier][Olivier]]
-
-*** 2021-10-21 Thursday
-**** MEETING Weekly IROH Service Team                                :work:meeting:
-[2021-10-21 Thu 17:16]
-***** Remark to tell
-
-- Internal JWT generation, with/without client.
-- Next week IROH-Auth tour probably record this.
-
-
-**** MEETING FMC - Device Grant OAuth2 Flow Sync                     :work:meeting:
-[2021-10-21 Thu 16:27]
-- ref :: [[file:~/Library/Mobile Documents/iCloud~com~appsonthemove~beorg/Documents/org/tracker.org::*Secure Client][Secure Client]]
-
-Updated Target Date.
-No blocking issue or concerns.
-
-We just finish delivering the feature.
-
-Good to go for 7.2 release (in April).
-Maybe maintenance release 7.0.2 in Feb.
-
-**** MEETING Secure Client                                           :work:meeting:me:
-[2021-10-21 Thu 15:32]
-
-Jyoti discuss with a document how the 1-click module setup
-should work and the constraints to obey.
-
-*** 2021-10-22 Friday
-**** MEETING Engineering Team                                        :work:meeting:
-[2021-10-22 Fri 17:03]
-
-- Working closely to finalize 1-click module setup to work.
-  We faced an issue in using the same client for both the ribbon and the
-  1-click module setup.
-  This not really a blocker and a fix is in the way.
-
-** 2021-W43
-#+begin: clocktable :scope subtree :maxlevel 4 :timestamp nil :link nil :tags nil :narrow 36! :match "work"
-#+caption: Table 9: Clock summary at [2021-11-03 Wed 10:24]
-| Headline                                     | Time    |       |      |      |
-|----------------------------------------------+---------+-------+------+------|
-| *Total time*                                 | *19:46* |       |      |      |
-|----------------------------------------------+---------+-------+------+------|
-| \_  2021-W43                                 |         | 19:46 |      |      |
-| \_    2021-10-25 Monday                      |         |       | 3:29 |      |
-| \_      IROH-Auth Overview                   |         |       |      | 3:29 |
-| \_    2021-10-26 Tuesday                     |         |       | 4:35 |      |
-| \_      All Hands                            |         |       |      | 0:48 |
-| \_      AO                                   |         |       |      | 0:29 |
-| \_      IROH-Auth tour                       |         |       |      | 3:18 |
-| \_    2021-10-27 Wednesday                   |         |       | 0:19 |      |
-| \_      security                             |         |       |      | 0:18 |
-| \_      preparation IROH Auth Tour           |         |       |      | 0:01 |
-| \_    2021-10-28 Thursday                    |         |       | 2:33 |      |
-| \_      Weekly Team                          |         |       |      | 0:51 |
-| \_      SecureX + Secure Client + DI...      |         |       |      | 0:29 |
-| \_      Weekly Sync:  SecureX / Secure...    |         |       |      | 0:35 |
-| \_      SSE =CCO_id=                         |         |       |      | 0:38 |
-| \_    2021-10-29 Friday                      |         |       | 8:50 |      |
-| \_      AO disucssion + generic discusssions |         |       |      | 1:00 |
-| \_      Jyoti email about PROD module on INT |         |       |      | 0:14 |
-| \_      aide Matt URL encoding               |         |       |      | 0:50 |
-| \_      code gen docs                        |         |       |      | 2:48 |
-| \_      Customer Manager doc                 |         |       |      | 2:34 |
-| \_      morning tour                         |         |       |      | 1:06 |
-| \_      configurable default sort            |         |       |      | 0:18 |
-#+end:
-
-*** 2021-10-25 Monday
-**** MEETING IROH-Auth Overview                                      :work:meeting:
-[2021-10-25 Mon 13:57]
-- ref :: 
-
-
-- services/iroh-auth
-- lib/iroh-web/{core.clj,compojure-api.clj}
-- 
-
-*** 2021-10-26 Tuesday
-**** MEETING All Hands                                               :work:meeting:
-**** MEETING AO                                                      :work:meeting:
-[2021-10-26 Tue 17:43]
-- ref :: 
-**** MEETING IROH-Auth tour                                          :work:meeting:
-[2021-10-26 Tue 14:25]
-- ref :: [[file:~/dev/iroh/dev-resources/config.edn::}}]]
-
-***** org-level entities (clients)
-1. makes user-id/owner-id optional ×
-2. hack the User service, to create a fake org-level user.
-
-#+begin_src clojure
-(get-user org-id)
-
-=> {:user-id org-id
-    :org-id org-id
-    :role "admin"
-    :scopes ,,,,}
-#+end_src
-
-search for entities, you should search for the owned entities + (if you are
-an admin for the admin-level entities.)
-
-during the ~create-client~ to add the ability to create client with that
-specific owner.
-
-Fun: filter-map => list of filter-map
-
-
-#+begin_src clojure
-;; inside an Org
-{:addtional-scopes #{"cisco/user:read"}}
-;;
-{:addtional-scopes
- {:user #{}
-  :admin #{"cisco/user:read"}}}
-#+end_src
-
-****** Hidden migration
-
-(get-org ,,,,)
-
-****** IROH-Crud
-
-TK-Store => provide a minimalist abstraction to Databases.
-IROH-CRUD => provide CRUD-only related abstractions
-search that
-
-#+begin_src clojure
-(search ,,,,)
-
-(iroh-crud/search-with-admin
- {:,,,, :user-id xxx :org-id xxx})
-=> (tk-store/search {:filter-map [{:user-id xxxx ,,,}
-                                  {:user-id xxxx :org-id org-id}]
-
-                     })
-#+end_src
-
-****** update entities
-
-To decide later:
-
-1. any admin should be allowed to update the org-level entities.
-2. some specific admin only should be allowed to update the org-level
-   entites (use another scope maybe?)
-
-Probably option 1.
-
-*** 2021-10-27 Wednesday
-**** MEETING security                                                :work:meeting:
-[2021-10-27 Wed 17:03]
-
-xx
-
-auto loop
-
-
-Proxy route
-
-**** IN-PROGRESS preparation IROH Auth Tour                          :work:
-[2021-10-27 Wed 12:06]
-
-- Continue on "org-level entities"
-- Doc on JWT client expectations
-- :load-path "" Dispatch work
-- Dig if necessary
-
-*** 2021-10-28 Thursday
-**** Weekly Team                                                     :work:meeting:
-[2021-10-28 Thu 17:01]
-- ref :: 
-***** Agenda (to discuss about)
-
-***** Notes
-****** G2
-ES deployed, start the migration
-Old tenzin config pull-request I need to update.
-
-Ag moving to the last step to set the default fields, which are required
-for ES7.
-
-Production Bug in CTIA investigate module
-
-Fixed the pagination.
-default search was not consistent.
-PR on CTIA.
-Made this default search configurable per store.
-
-Ag, PR for the enrichment?
-
-Ambrose, ops related.
-
-@Jyoti discussion
-****** Matt Integration
-
-- DI Irina working adding new auth in the module
-- Yann fixed a security issue affecting Umbrella
-- 1-click setup started to work on the org activation
-- Mark work on SSE
-- former_title field (rebranding guidelines)
-- working on a bug in Umbrella, source URL are wrong
-- log all proxy requests
-
-****** Auth
-
-Y
-
-(personal)
-- IROH-Auth tour
-- minor fix
-- clean up SAML
-- security bug fix
-
-*IROH-Auth*
-
-1. take a task
-2. write PR doc
-3. review PR doc
-4. optional IROH-Auth tour webex(es)
-5. code
-
-Q2:
-- region switching API
-- account switching inside each region
-Q3:
-- org-level entities
-
-*Big hidden work*
-Working on OAuth2 bug.
-A bit big PR, because will need a new service to store refresh tokens and
-their metas.
-And we should be able to migrate/update clients.
-
-*Security Bug Fix*
-Chris Duane was happy, it was the first declared bug by Jimmy Miller.
-
-Olivier working on providing the API for the privacy team.
-
-Not 100% fixed, still a problem with paths.
-
-*AO migration to OIDC*
-****** Jyoti
-Questions about JWT used by DI, that call Orbital on behalf on someone
-else.
-
-***** Actions
-
-- @Jyoti: should ask Yuri about which JWT are used.
-- @Jyoti: AO for Q3 for the telemetry
-**** SecureX + Secure Client + DI Integration                        :work:meeting:
-[2021-10-28 Thu 16:32]
-- ref :: https://cisco.webex.com/cisco/j.php?MTID=m3d2fe4735f7151dc690e000c8749ed0e
-
-***** Discussion
-****** Abhishek
-
-- deployement
-- Secure Client onboarding
-- Secure Client always visible
-- cannot read property from DI when adding module
-- work on feature flag
-.
-@Paul: 1.84 today, so these fixes are going to be for date?
-@Abishek: will more time to develop and test
-.
-****** Nirmesh Patel
-
-- Secure Client always visible, real issue
-
-**** Weekly Sync:  SecureX / Secure Endpoint                         :work:meeting:
-[2021-10-28 Thu 15:30]
-- ref :: https://cisco.webex.com/cisco/j.php?MTID=m6563218d7c961e691f62c539fc645607
-
-What remains?
-
-- Martin
-
-1-click module setup
-
-Restrict them to a region.
-Who was impacted.
-
-Nov 13th, for the 1-click module setup is at risk to be delayed.
-
-- G2
-
-no 1-click => nothing can happen
-
-Dependency to deploy Secure Endpoint.
-
-- Martin/Namrata
-
-Jyoti is in active conversation.
-
-- Martin/G2
-
-Are we going to change the design?
-
-Martin: We don't know Yet
-
-- Vlad
-
-Pb with Region.
-
-An AMP tenant can only talk to 1 SecureX tenant.
-
-- Martin
-
-Maybe region selection.
-
-- Release Nov 11th
-- Relesases v1.85 10-Nov
-
-.
-***** Initiated SecureX 1-click module setup for Secure Endpoint
-
-
-**** SSE =CCO_id=                                                    :work:discussion:
-[2021-10-28 Thu 14:52]
-- ref :: https://github.com/advthreat/iroh/discussions/5754
-
-So after giving more thoughts on the subject.
-Here are some scenarios:
-
-1. A person login via Okta with the email ~user-1@domain.com~
-2. This person want to connect his account, then he must login via Okta
-   again but using another Okta account ~user-1@smart-account.com~ for example.
-
-In this scenario there are two issues:
-
-The first is that we do not control the Okta session.
-The Okta session will keep being the one for ~user-1@smart-account.com~.
-When the user will launch another product he will not use his usual
-~user-1@domain.com~ Okta session.
-
-The second, is that we should have a mechanism to understand that on the
-second login, we don't want to login the user, but to merge two different
-IdP accounts.
-
-Mainly we will need to develop a new workflow, so a user could merge
-multiple IdP accounts to his current SecureX account.
-
-The implications are:
-
-- SecureX users should support multiple email addresses. (also note that
-  user login via TG have a non verified email addresses and are treated
-  separately on different login flows.)
-- We need to support more metas data in the IdP Mappings in general,
-  (typically the =CCO_id=). Now, what if a user login multiple times, and has
-  two different IdP Mapping with a different =CCO_id=.
-- We will need to provide a new route, that will present a new HTML page
-  similar to the login page but with subtle modifications.
-  We might, for example, negotiate another login buttons that will behave
-  differently (typically a login button forcing the user to use CCO).
-
-In the end, it means we should deliver a "Merge a new Login" flow to
-SecureX Accounts. And it doesn't seem to be trivial.
-
-*** 2021-10-29 Friday
-#+begin: clocktable :scope subtree :maxlevel 4 :timestamp nil :link nil :tags t :narrow 36! :match "work"
-#+caption: Table 10: Clock summary at [2021-10-29 Fri 18:39]
-| Tags         | Headline                                     | Time   |   |      |      |
-|--------------+----------------------------------------------+--------+---+------+------|
-|              | *Total time*                                 | *8:50* |   |      |      |
-|--------------+----------------------------------------------+--------+---+------+------|
-|              | \_    2021-10-29 Friday                      |        |   | 8:50 |      |
-| work, chat   | \_      AO disucssion + generic discusssions |        |   |      | 1:00 |
-| work, email  | \_      Jyoti email about PROD module on INT |        |   |      | 0:14 |
-| work, chat   | \_      aide Matt URL encoding               |        |   |      | 0:50 |
-| work         | \_      code gen docs                        |        |   |      | 2:48 |
-| work         | \_      Customer Manager doc                 |        |   |      | 2:34 |
-| work         | \_      morning tour                         |        |   |      | 1:06 |
-| work, review | \_      configurable default sort            |        |   |      | 0:18 |
-#+end:
-**** CHAT AO disucssion + generic discusssions                       :work:chat:
-[2021-10-29 Fri 18:39]
-**** PAUSE :pause:
-[2021-10-29 Fri 17:30]
-- ref :: [[file:~/Library/Mobile Documents/iCloud~com~appsonthemove~beorg/Documents/org/tracker.org::*Jyoti email about PROD module on INT][Jyoti email about PROD module on INT]]
-**** EMAIL Jyoti email about PROD module on INT                      :work:email:
-[2021-10-29 Fri 17:04]
-- ref :: 
-
-Hi Jyoti,
-
-I checked on INT and in our org, there is an AMP module configured with the
-PROD URL.
-
-Chris told me we have a security requirement that no production customer
-data can be in INT or TEST.
-
-Do you know why this is needed, and if we could use a QA1 URL instead?
-And if not, do you know who we could ask to see if this is still needed?
-If I remember correctly, I think it was used to help makes demos.
-
-Because of this I tend to be extra cautious about the
-"allowed-login-origins" parameter (see
-https://github.com/advthreat/tenzin-config/pull/505).
-
-I don't want our INT access token to be sent in the wild.
-Even without this module linking to PROD I would prefer not to send the INT
-JWT on 3rd party.
-Because if https://vercel.app is compromised anyone will be able to access
-our INT environment, generally with administrator privileges.
-
-Thanks,
-Yann.
-**** CHAT aide Matt URL encoding                                     :work:chat:
-[2021-10-29 Fri 16:14]
-- ref :: [[file:~/Library/Mobile Documents/iCloud~com~appsonthemove~beorg/Documents/org/tracker.org::*code gen docs][code gen docs]]
-**** PAUSE :pause:
-[2021-10-29 Fri 16:08]
-- ref :: [[file:~/Library/Mobile Documents/iCloud~com~appsonthemove~beorg/Documents/org/tracker.org::*code gen docs][code gen docs]]
-**** IN-PROGRESS code gen docs                                       :work:
-[2021-10-29 Fri 16:07]
-- ref :: [[file:~/dev/iroh/README.org::*Rebuild the generated doc][Rebuild the generated doc]]
-**** CANCELED Customer Manager doc                                   :work:
-[2021-10-29 Fri 11:02]
-- ref :: 
-**** morning tour                                                    :work:
-[2021-10-29 Fri 09:56]
-- ref :: [[file:~/Library/Mobile Documents/iCloud~com~appsonthemove~beorg/Documents/org/inbox.org::*Fortuneo: Amundi World (CW8)][Fortuneo: Amundi World (CW8)]]
-**** REVIEW configurable default sort                                :work:review:
-[2021-10-29 Fri 09:33]
-- ref :: https://github.com/threatgrid/ctia/pull/1163
-
-** 2021-W44
-
-*** 2021-11-03 Wednesday
-#+begin: clocktable :scope subtree :maxlevel 4 :timestamp nil :link nil :tags t :narrow 36! :match "work"
-#+caption: Table 11: Clock summary at [2021-11-03 Wed 18:16]
-| Tags        | Headline                           | Time   |   |      |      |
-|-------------+------------------------------------+--------+---+------+------|
-|             | *Total time*                       | *7:13* |   |      |      |
-|-------------+------------------------------------+--------+---+------+------|
-|             | \_    2021-11-03 Wednesday         |        |   | 7:13 |      |
-| work        | \_      Engagement pulse Teamspace |        |   |      | 2:05 |
-| work        | \_      cleanup code               |        |   |      | 0:29 |
-| work, email | \_      SSE potential bug          |        |   |      | 0:37 |
-| work        | \_      GH notif tour              |        |   |      | 0:27 |
-| work, chat  | \_      Discussion Guillaume       |        |   |      | 2:03 |
-| work, email | \_      OIDC conf in Okta          |        |   |      | 0:01 |
-| work, chat  | \_      webex tour                 |        |   |      | 1:31 |
-#+end:
-**** IN-PROGRESS Engagement pulse Teamspace                          :work:
-[2021-11-03 Wed 16:11]
-- ref :: [[file:~/dev/iroh/services/iroh-auth/test/iroh_auth/test_helpers/tk.clj:::conf (conf port)})]]
-**** IN-PROGRESS cleanup code                                        :work:
-[2021-11-03 Wed 15:42]
-**** EMAIL SSE potential bug                                         :work:email:
-[2021-11-03 Wed 15:05]
-Hi Yann,
-
-We noticed that we have two tenants created in SSE APJ stack for the AMP
-company ID (51ab0c3e-381b-4169-ab63-b031c685f441).
-One of them with spID AMP-APJ (created on 2020-12-01 11:58:50 UTC) and the
-other with spID SXSO (created on 2021-08-24 09:25:07 UTC).
-
-I see from the logs the user ID token that came to Anubis had “SXSO”
-instead on AMP-APJ resulting in this state.
-Wondering what caused the spID to change in the ID token from AMP-APJ to
-SXSO on 2021-08-24 ?
-Could there be a possible issue here ?
-
-#+begin_src
-TX_LOG 192.168.25.199 [2021-08-24T09:25:07Z] GET /scim/v2/Organizations?filter=spId+eq+SXSO+and+orgInfo.companyId+eq+51ab0c3e-381b-4169-ab63-b031c685f441 200 774 0.0076 aba74caa-ba90-43d3-b1d2-7066750a6754 -
-#+end_src
-
-
-**** IN-PROGRESS GH notif tour                                       :work:
-[2021-11-03 Wed 14:38]
-- ref :: [[file:~/Library/Mobile Documents/iCloud~com~appsonthemove~beorg/Documents/org/tracker.org::*2021-11-03 Wednesday][2021-11-03 Wednesday]]
-**** CHAT Discussion Guillaume                                       :work:chat:
-[2021-11-03 Wed 10:00]
-- ref :: [[file:~/Library/Mobile Documents/iCloud~com~appsonthemove~beorg/Documents/org/tracker.org::*OIDC conf in Okta][OIDC conf in Okta]]
-**** EMAIL OIDC conf in Okta                                         :work:email:
-[2021-11-03 Wed 09:59]
-**** CHAT webex tour                                                 :work:chat:
-[2021-11-03 Wed 09:58]
-<<<<<<< HEAD
-
-*** 2021-11-04 Thursday
-**** MEETING Weekly meeting                                          :work:meeting:
-[2021-11-04 Thu 17:00]
-- ref :: 
-***** Agenda (to discuss about)
-Make a tour of everyone work.
-***** Notes
-Welcome
-
-Me. ... (see tracker .org) + git weekly
-Olivier. PR for oauth2-client-demo, waiting for review
-Matt. logs for proxy
-- auditability of the proxy; kibana dashboard
-Mark. SSE passthrough, and AO
-
-***** Actions
-- review Olivier's PR
-**** IN-PROGRESS Continu code cleanup                                :work:
-[2021-11-04 Thu 15:40]
-- ref :: https://github.com/advthreat/iroh
-**** IN-PROGRESS update Secure Endpoint client                       :work:
-[2021-11-04 Thu 15:38]
-- ref :: https://github.com/advthreat/iroh
-
-Secure Endpoint (or AMP for Endpoint)
-
-=client-555c1f7a-b57b-4a6b-9f0b-015e311a6d06=
-**** MEETING Weekly Sync:  SecureX / Secure Endpoint                 :work:meeting:
-[2021-11-04 Thu 15:08]
-- ref :: https://cisco.webex.com/cisco/j.php?MTID=m0a5157ed81ded94305da1bae743352fc
-***** Agenda (to discuss about)
-***** Notes
-10-Nov:
-
-- AC6: on/off configuration within Secure Endpoint UI
-
-1-click module setup 8/9-Dec.
-
-- retention of module ID and secureX org id in SE
-- update of legacy module upon integration
-
-***** Actions
-**** IN-PROGRESS code                                                :work:
-[2021-11-04 Thu 09:51]
-- ref :: [[file:~/Library/Mobile Documents/iCloud~com~appsonthemove~beorg/Documents/org/tracker.org::*2021-11-04 Thursday][2021-11-04 Thursday]]
-**** CHAT Webex chat tour                                            :work:chat:
-[2021-11-04 Thu 09:50]
-
-*** 2021-11-05 Friday
-**** MEETING SecureX Registration                                    :work:meeting:
-[2021-11-05 Fri 15:33]
-- ref :: https://github.com/threatgrid/response/issues/821
-***** Agenda (to discuss about)
-- Discuss feature
-- Find a date
-***** Notes
-
-... bad org creation
-
-1. User has SXSO account don't have invitation
-
-   Only show them active invitations.
-   If too many invitations in the DB.
-
-2. second workflow, check email domain
-
-   if matches other orgs, present the orgs + asks for invitation
-
-3. Limit access from "public" email domain
-
-***** Actions
-**** IN-PROGRESS tour                                                :work:
-[2021-11-05 Fri 11:09]
-- ref :: [[file:~/Library/Mobile Documents/iCloud~com~appsonthemove~beorg/Documents/org/tracker.org::*Code][Code]]
-**** DONE Code                                                       :work:
-[2021-11-05 Fri 11:08]
-**** EMAIL Help John doing a cron                                    :work:email:
-[2021-11-05 Fri 09:09]
-- ref :: mail: How can I query an IROH endpoint programatically?
-
-#+begin_quote
-On 4 Nov 2021, at 22:23, John Jardine (johjardi) <johjardi@cisco.com> wrote:
-
-Hi,
-
-To support iroh-incident scaling based on a queue-depth metric ( Tenzin Issue 1553 ) I am thinking about creating a task that will be run every N minutes to query the endpoint.  To do this the task would have to authenticate and I don’t know how to do that for an automated tool.  Not sure if the route makes a difference, the metrics are available here: /iroh/admin/queue/status-report/incidents
-
-Can you give me any guidance or point me to any docs on how to do this?
-
-Thanks,
-John J.
-#+end_quote
-
-John,
-
-The endpoint will not be =/iroh/admin/…= but =/admin/…= which mean it is only
-reachable via the VPN, but I guess you will make the request from the
-internal network.
-So you should be able to reach https://iroh-adm.int.iroh.site/admin/
-directly.
-
-In order to make a call you need an OAuth2 client with the following scope:
-
-=iroh-master/queue/incidents:read=
-
-I created one client per environment for you;
-
-- INT (client-79d54f25-2a71-4bcb-b057-001f53091b2f)
-- TEST (client-c1a00641-45e0-4090-b80e-ce87b35a84b3)
-- PROD NAM (client-22b0f44f-3d7e-4b14-a11b-5cfa35f86b83)
-- PROD EU (client-b56530b0-b16c-40b2-bb77-850e32e06e8b)
-- PROD APJC (client-502fb0a3-605c-4b1b-b91d-07980d5a1f2f)
-
-I used the same password for all of them.
-
-***** Password
-
-The password is here:
-
------BEGIN PGP MESSAGE-----
-
-hQIMA2UoHNQCOfATARAAsDn3KJpJprlK60eUi2C4ol/2B5iCpIud6oYkeAB09yGe
-Wt8ditdZdLKt+EV+Jw8QB6O+WDKl2+fN0IZGVzmzSehf6+ittlNUdeX2qJxx6RoE
-Btw2VdcZIj9gzFxYf9Y9rf/9Zpp0Yc/NRBK9kKAwnPbMO0lytHUsWKTA8OcfBawZ
-mOzcnhOpZeUxneEn1LKbiBSMfGsWQnPnUfme8vSwrnP3vOrgSio5rL3LwLsIz4Bq
-z7yFdq8HBiF6z7NfJaxJZBljO/YDmYfjnwq024s24E+Fn9Bsdra85h1smGj+QIVE
-hVIvU8fU6s8MpWuvQVNBFQXoF5IqxfaH4Z0p8as0X3qSmd4f8x3P/XdmklGAzUQ9
-Za5SDn1mkJJvVK6jCRC8uf+M8nufZU/ORcFqu6eVc9WWgDJYIc93vyNMWKBnCoYl
-6GMC/IpKtveWUBaa28V76sSjjunv9gNHmYNGjwoLqd7lCLKppoQtPNwVFmHKJ16o
-iW0rVYoIypleOuevkEn3barYy1N6wxhZrFcHOqUMWH+kZnPjDHcTOQxCEyYDVULw
-uQclzZinR1vF4PeLIdFn74n2npXjFkCkaZa0ev10QROo1Tk4O+uv+5vAFVjsm5Fh
-RT3eXVGu87qnDu67fWTQjV2F7tLvYAAYdb47N9OyQjQoglPYdvqfoRFufL7oNluF
-AgwDfS7loNnfM+IBEACVwXlc001cWQw9f8AV37sySKWyhB9N4SG175lu7+T9DtwH
-/WDEgYERv9Fhcg7EwVclSFwUreg/PmY8cazIc1Sy6Z+Nv2TH4rp17jcy7zlZCZMT
-/twmW2MvgXS42qnb7jcvb3jQ9YTJs6fHV+PCMEsfjYKq+aSGr/ton/zFGqPIcLtF
-G3vZ62cyoxYebSNwXMkB9W+2t30Cg0xpTwas+3V7dkscB+sIU+KIoTsD2AqMfgyW
-Cia/U8H22qZiz8ugeod/gdsZytj4e5k72Yo2fm6owpHi4i+V/p333QbbP1G1/bzo
-nfUh7wT4jiApUbrJIDWebsJqi9bv3z8zLiy72BRATgRM2vd3b1Q0y83/PcC+XkT2
-l3/GRRScqM9ewVziol/BzSH1jBj6oA/3VJil8YEZsNhGhX15Bs9ZLwAy2HLSzJ8G
-8nVxNk6P0RRhD9m+Ue4Zb5PsH7CG21WOZTGWn/I9UXCHl7LnO4yT+qfESNDDzodF
-F7Zo7E5yheTLRsXxp1f4c5cGoZvgDU293s/U3DhZt5Y6z5vN3L/IDkBap2X6OWkp
-/HfIy3L0rvKwoYn3w8x+uCO0DpzUuZnjLpdarPhTWkiVj8uQkU80t3snHpvlwjEv
-Hzcuzz2XkDWwzlaJEUuUJ1+my6a41fDHdNHYqSryrVLkpMLxwz1PqNi3NomhG9Lp
-ARM67Ggjb520Cf5pmyj5cBZK57FMPwN2H/blT5GRcjFyfzl7H7Y+Fq9etcnZMIv+
-mJAFpqCoHasnEQKL5D4huxQDEsXqLvxO3/u79GU1w0AQgqg7KJLP6b3DRWAWI/Kl
-7MK95j5EPrrvl69AErdCOH+Pfqvzi1CDb4Zy2lKuMGGQRgqyLubIIdZQkzX6YLD+
-xuxxyiQ+P2imToe1KGGX39AFbdXuakqBgKiSLEU7MWwEAEd/LfDuuGV+aiJ83SZI
-ZWZGSe5ThdAsdWoHYcCtFgynhd+QnN5hW//ODNU8IeIPhjZRUxe2CQbAEQgfUXif
-vHn+JfcSo1pf7BcOnzTOlgTqFn6NmX/SYlAL1kpG2YwcJFK3ZRK2a/0db3DbeLXp
-2Nk40WD1tOdt8FDZHOXYRXFhmV6K/nEf56g7XMHnaESeEsQtzFvIq+SSxx0IkS+h
-gaoAO+Mz9SKoxWcabTBHimhDxqemmtDbTdk7iHQZZhmei0DJxSdxWzwj9nYeKggK
-aBxof2wuZAnki3nTlpy+p6S2S/TxP3wSZ9wMkBNkYRzWpTD5+fEqOhHtLgtyp2/M
-a6YrH4b1uvk86Sz4Uk18ZuvdgoVMx5UjUnmfRxEWNrZEhatr+y4nH1PPCVsVPvXO
-N3AyHCJWYGwUe+AXNegKJ8QJr/a+T2U/rVCujVoCUBGqebtm5L0RV9+1xCWmyeog
-wuGXF5duRcdMNr+dAHvrdUhQIyBm4cFWYHM97lP0HkOcOM+wJjSDmT5VorCW952g
-LPANVlddb4vO1TXvwjw7+yZFcpYH9pZtIC1Wp5a+UMvPewoPY2xZfh1ZsVJxUqp9
-FNHFEvRJuZzq80MIGY9s1rXrKiuAWJDGqEN8rlObuwNFrFfrDLDUgEhply/3Qcvi
-n73Ag7cleOs7yF4=
-=iyzN
------END PGP MESSAGE-----
-
-***** How to use
-
-I made a demo shell script for INT:
-
-#+begin_src bash
-#!/usr/bin/env bash
-CLIENT_ID="client-79d54f25-2a71-4bcb-b057-001f53091b2f"
-CLIENT_SECRET="..."
-ACCESS_TOKEN=$(curl -s -X POST "https://visibility.int.iroh.site/iroh/oauth2/token" -d "grant_type=client_credentials" -H  "accept: application/json" -H  "Content-Type: application/x-www-form-urlencoded" -u "$CLIENT_ID:$PASSWORD"|jq '.access_token'|sed 's/"//g')
-curl -X GET "https://iroh-adm.int.iroh.site/admin/queue/status-report/incidents" -H "accept: application/json" -H "Authorization: Bearer $ACCESS_TOKEN"
-#+end_src
-
-returns
-
-#+begin_src bash
-❯ ./demo.sh
-[{"queue-name":"incident-sessions","total-sessions":0,"total-processing-sessions":0,"total-pending-sessions":0,"factor-increase-needed":0}]
-#+end_src
-
-What this does is:
-
-1. retrieve an access token with the client (client-id + client-password)
-2. Call the =/admin/queue/status-report/incidents= route
-
-An important remark; notice the domain name is different between the admin
-and non admin calls. For INT and TEST, you just need to replace
-visibility by iroh-adm.
-But in prod, you need to use a completely different URL.
-
-Here is a JSON where I store the relations:
-
-#+begin_src js
-{"envs": [{"name":"INT",
-           "visurl":"int.iroh.site",
-           "internalurl":"int.iroh.site"},
-          {"name":"TEST",
-           "visurl":"test.iroh.site",
-           "internalurl":"test.iroh.site"},
-          {"name":"NAM",
-           "visurl":"amp.cisco.com",
-           "internalurl":"us-east-1.prod.iroh.site"},
-          {"name":"EU",
-           "visurl":"eu.amp.cisco.com",
-           "internalurl":"eu-west-1.prod.iroh.site"},
-          {"name":"APJC",
-           "visurl":"apjc.amp.cisco.com",
-           "internalurl":"ap-northeast-1.prod.iroh.site"}]}
-#+end_src
-
-Happy hacking!
-Yann.
-
-***** Details
-
------BEGIN PGP MESSAGE-----
-
-hQIMA30u5aDZ3zPiARAAqfa80rkkVQy2HpHd1tOZZ1NZaaSMwrWRQKXTfkD6fYpl
-HSOfyK9+9lKBV9Uz0H+l5DclDuenJ4akAMyaF5hhr7NfPZQ9exmnkODLDnpDTLoD
-adm7ArrQnowJHvMEH4ogxoWN902Q9d2apOnrHYr5JmvEc0rwv1dQ2IuJeOLEpZ33
-IYqP/rnOlhPZZd7lgyHGw2iRDU3XZfkyivPQtsWZqY6XWIoL2wNj/HlomtrcPLYj
-RxErXBOMS8GRr5FYeDyp+aGo3IpYMMMFffGCqew8yvphDhRYiO2SrQtTIp2+207j
-V7/FSp3dp9xhsLsOM4fzFuCe9UctjbZma9QngkRjUSDU7D0rXGoKydecau4TlBy7
-ZPDOlg+6JWbwXM6qXJNaYAJ6Ii3E2xGYdpBMWBRn/j9RzkS68wKeoQelySV3aDSi
-y00bbq/dq1Qh+tqyi7X8wj5tGf21Ri/Yd9D6DGWVTNvt0sj9CB55v3UfgZn5gcIy
-2Njdb96pO+7VGgspPf6JnwJdCFq97O9cLFK985uJpmGrYvjN5qMA2z6PewdL9PW/
-bPNCXMcfwwbJxqZKcfqoJUcRAQyatPDKvPgHXDgmgRtI3oMjwhWBDl5nmYgwjSDO
-uiKHNxMNGO2BMFWnJ3Qi1OTjG98+nWwmGoF6VlyzxAZtIjr2sGLrrbogreEA4XrS
-6QGqDwPhIf2GA0blOoiMKDVUxstru6kiQSOL0EmlWWDgCYamUGgiWUy5nZiveRDT
-JUdHsgLzIBrDElaZfxOim10PO0AkQgplMqSGfWI7LQ3fEPiIuXQFhXZBmBu+DC7C
-j7+QOu6DlhyPNVL0QiI4OeucizSWamcHYKL1IVC05XYm0FITf4oKiLfiFj/upleI
-736qOe9x4bsrS5ZUQmdmpCkv3Q0Yde3ATXOHxxspgOlJ55CCXRTM8J4Fcgwf38/O
-zM7L9Ly/H+0g52PCsyQRMmfYigVVJf14cjcyuBEN2rie32qs91ajiuIZpG3ECRJ0
-R2y4nnCKM+G8oM+23pgIWdX0ei6RAFnGANRcM7It/Ni21YcafxgkzLFJ6clMELi5
-vIzy9oAG85BK7Kwo/dxe3r3wQPC8cEmt9vRdR8v5rShYp0YTX5rJXZ4Kq2U6pGVo
-msxo/LQhvWsMZ2UPRIsDcyIHL36LRxdy/h7hkr6BJK2o1YwSwK0e6r4KbYlfyaij
-SiBDjuxwBFFkjAbnd8LoK0JDoEid9Eg7VXoFnDgq3X3Vr/yLRjA5yLkVgDuFdhgP
-zJ3k1ly4NVQTQuTalNcXY7JXV/yhP+EaxxJ09rudW0192O4EIAo8IXyPYxWmELqa
-yrnulQ7+g2l3DCS+ZrWBSRDFOJZSaWIPaU0xr2jXafy1wMqreDPE+YFQ2cnvt1J7
-RLdarjU7hh5vkmpxiaezi91+YFC8b+8JAb58f7MndaZfyTYK4ww+pjSOLwIg2EgE
-j9xuQRu5dy9xOKLL0jj3EBYrtH9eoGTtjrC3ycm0tIQTY4BJgGQ66KjsFfSzJ6gM
-FHONJHlcaIeEWsnMMKm42A15jZG0AjH1LUbnEc6KOHzwySQ28IjJvDKY2kU3Wt6R
-KoxbIox8fBvD8QunG+creFmYqG1IgFIodF9QgEdleRLJCKhB95HCCm3/qdSn1362
-6LyIClb09bNImrPo974yrZ/hnel8MNXPQyQJSCtqOUUI8JhRBKi0IGi07+TVIeqi
-5yakl8HSxnkbT0n6KLa0ZGOKFD5d0qXjwl1s6hnI4JTKCGDOyjHptVpjxsKT08jO
-1lzutH67duk6Z38Qr1fpv9iAgSCsnfgLaKC/0jbIsPsOXTpvODiHK+liAbQiqUnn
-XqRbQ2x4MavIy50zutVPduNgj72IUYvGfx1WO+mKt1uymx5DXidYoLAdCIru
-=4Qus
------END PGP MESSAGE-----
-=======
->>>>>>> e714315a8c096570b2629793969eec54e9fe2450
-
-** 2021-W45
-
-*** 2021-11-08 Monday
-**** EMAIL inscription BAC Anna                                      :work:email:
-[2021-11-08 Mon 12:22]
-- ref :: 
-
-** 2021-W46
-
-*** 2021-11-17 Wednesday
-**** MEETING Weekly meeting                                          :work:meeting:
-[2021-11-17 Wed 17:30]
-- ref :: 
-**** MEETING Weekly                                                  :work:meeting:
-[2021-11-17 Wed 17:05]
-- ref :: 
-
-*** 2021-11-18 Thursday
-**** MEETING Alan Interview                                          :work:meeting:
-[2021-11-18 Thu 16:29]
-- ref :: 
-***** Agenda (to discuss about)
-***** Notes
-***** Actions
-**** CHAT Small text about the breaking PR                           :work:chat:
-[2021-11-18 Thu 11:42]
-
-Good morning everyone!
-
-I wanted to drop a word about this PR: https://github.com/advthreat/iroh/pull/5998
-
-An interesting aspect of this PR was that a change (that first appeared to be minor)
-in some namespace impacted a failure in a ns that did not depend
-transitively of the first.
-
-I wanted to improve our build time by filtering the test by dependent ns only.
-It would have missed this build failure.
-So I still think this is a good idea to have an optimized test for
-branches, but the merge into master should run all the tests.
-
-**** MEETING Alan Interview                                          :work:meeting:
-[2021-11-18 Thu 09:56]
-- ref :: 
-***** Agenda (to discuss about)
-
-- in tupelo, why name it =glue= instead of =mconcat=?
-- Why =unwrap= and not =flatten=?
-
-***** Notes
-***** Actions
-
-*** 2021-11-19 Friday
-**** MEETING Monthly Engineering Meeting                             :work:meeting:
-[2021-11-19 Fri 17:02]
-- ref :: 
-.
-
-
-***** Updates
-***** Release Status
-
-- Issue with GlaDoS deployment, 1.86 done yesterday.
-- Issue with AO, pb with cross-launch.
-
-***** Services
-
-- High Impact Incident
-- Background support for DI
-- Added auditability API gateway
-
-Will focus on replicating/synchronize across the product of incidents.
-
-** 2021-W47
-
-*** 2021-11-23 Tuesday
-**** MEETING DI Secure Client weekly PO meeting                      :work:meeting:
-[2021-11-23 Tue 16:08]
-- ref :: 
-***** Actions
-
-- [ ] Apparently some clients scopes and authorization to do.
-
-** 2021-W48
-
-*** 2021-11-30 Tuesday
-**** MEETING Simplify login page                                     :work:meeting:
-[2021-11-30 Tue 16:01]
-
-https://github.com/advthreat/GLaDOS/issues/2555
-
-*** 2021-12-02 Thursday
-**** MEETING Weekly IROH-Service Team meeting                        :work:meeting:
-[2021-12-02 Thu 17:04]
-
-@Mark most special people are leaving.
-
-@Jyoti about Al. Come as a surprise and a chock.
-Certain there were politic about it.
-Start with UI & UX.
-
-Must not be done in silos.
-I has to be implementable.
-
-@Mark
-
-I feel that with AO with should have blame post-mortem.
-Never run all the way in TEST.
-They never talk to us about it.
-
-Discussion about QA
-
-@Mark
-Possible QA tested it and was never informed something will change.
-A retro for AO integration.
-
-***** Notes
-
-- Working on the refresh token DB (token grants)
-- Regarding the registering simplification I will need the work done by Olivier
-  To search users by domain name email.
-- We will need a pass of technical design. We will need another entities
-  about requested invitations. And yet another flow to integrate an
-  existing SecureX org.
-
-
-**** MEETING SecureX / Secure Endpoint Alignment                     :work:meeting:
-[2021-12-02 Thu 15:59]
-***** Actions
-Create a queue of requested invites.
-Admin can approve the request, the user is added to the org.
-A confirmation email is sent.
-
-** 2021-W49
-
-*** 2021-12-09 Thursday
-**** MEETING Weekly Team Meeting                                     :work:meeting:
-[2021-12-09 Thu 17:18]
-- ref :: 
-.
-
-
-***** Project Board
-
-****** Enrich API Enhancement
-Discussion
-****** Webhooks
-****** Hiring
-no professionnal experience in Clojure
-***** Remarks
-
-IDB Decommission.
-Meeting with Geetha next week.
-
-How can I do that?
-
-***** Actions
-IDB Decommission test Monday
-
-** 2021-W50
-
-*** 2021-12-13 Monday
-**** MEETING OIDC AO                                                 :work:meeting:
-[2021-12-13 Mon 17:02]
-- ref :: 
-
-April Ping fed expires.
-Is that still possible?
-Also no expertise.
-
-We had some action items. Where do we stand?
-
-Are we confident?
-Priority across the teams.
-
-TG and CSA.
-
-Just CSA and TG IdP.
-***** Action
-
-Continue test results after Holidays.
-- Test CSA
-- Test TG (direct OIDC)
-
-Sync up after shutdown.
-If success talk to QA to prepare tests.
-*** 2021-12-15 Wednesday
-**** MEETING Estimate New Registration Workflow                      :work:meeting:
-[2021-12-15 Wed 16:29]
-- ref :: https://github.com/advthreat/iroh/issues/6076
-
-***** Prevent User to login with public email page
-
-Should propose the user to login via another account (so use logout).
-
-Need templates.
-@Jilian will do the templates.
-***** Add an allow-list to pass throught the blocklist (@gmail,,,)
-
-1.89 Feb 2.
-
-**** MEETING IDB Decomissioning                                      :work:meeting:
-[2021-12-15 Wed 15:59]
-- ref :: 
-***** Agenda (to discuss about)
-***** Notes
-***** Actions
-
-** 2021-W51
-
-*** 2021-12-21 Tuesday
-**** CHAT Dar about using UI Components in the login pages           :work:chat:
-[2021-12-21 Tue 10:20]
-
-#+begin_quote
-@Dar
-Hey Yann, a question came up in our weekly sync about the login flows…
-now that they're getting a bit more sophisticated wouldn't it be better to
-start using common UI components rather than taking snapshots/hard-copies
-of styles and generating one-off templates?
-what are the security concerns around client-side rendering the auth UI?
-#+end_quote
-
-
-Hi Dar,
-
-So to answer the question historically.
-First, we didn't have any login page.
-It was 100% hosted in CTR UI.
-I just provided the route to create the login links (and this could still
-be used today and it is in the new login page).
-
-We faced many bugs (most of them related to URL encoding), and thus decided
-to close the gap by building an hosted login page.
-That way I can 100% control the behavior and have lot of tests to check url
-encoding related bugs.
-Do not forget that in CTR you often want to deal with URL with very complex
-URL fragments that contain a representation of the investigation, imagine
-text with carriage return, URL, emails, etc…
-
-Even recently we experienced subtle bugs. And the solution was to get rid
-as much as possible of the javascript code that handled the url parsing and building.
-Now, this is handled via the backend on the login page.
-
-So the 1st reason to host the login page was convenience and bug fixing and
-not necessarily security.
-
-Regarding security, I was afraid to introduce a security bug because, the
-login page is clearly a nice entry point for security attack.
-So I tried to be as conservative as possible.
-So no js when possible.
-And if we need to use js, do not use any lib, just basic javascript so the
-code is easy to understand and debug.
-
-There is another complexity to keep in mind.
-For historical reason, for now, there is no "session" when the user has
-logged in via the IdP but hasn't yet selected a user and thus is not logged
-in SecureX.
-Right now, we handle this state with a token in the URLs.
-And this token can be consumed only once.
-By that I mean, in the account selection page you will have links looking like:
-
-- https://..../select-org-1?code=XXX
-- https://..../select-org-2?code=XXX
-- https://..../select-org-3?code=XXX
-
-When the user will click on the first link; the code =XXX=
-will be consumed and the other links will not work.
-So I ensure that the user need to perform a login workflow again to login
-into another org.
-
-So that being, said.
-I think now we are in a new situation where I think we could totally have a
-lot more convenient system.
-
-1. I need to create a notion of session when the user is logged in in the
-   IdP but has not selected a SecureX account.
-2. Use more js to ease the UI work, typically, UI components. The limit
-   being that the CSP header are restrictive in the sense that we must host
-   the JS at the same URL, and we should probably still generate data via
-   the backend, maybe still keep a bit of HTML.
-
-In fact, we need the backend to be able to provide a set of informations to
-the UI and take care that no XSS could be possible.
-I think the main risk is that, the login page must support complex query
-parameters.
-So great care should be taken in the parsing of these query parameters.
-To give a concrete example:
-
-You should be able to generate a page for a URL looking like:
-
-https://securex...cisco.com/login?redirects=<URL2>
-
-Where URL2 should be encoded correctly, and could itself be complex:
-
-URL2: https://visibility...cisco.com/investigate#q=<QUERY>
-
-Where QUERY should be encoded an could contain urls, emails:
-
-QUERY:
-
-#+begin_src
-url:http://attack.com/foo?param=something-complex
-foo@example.com
-some random text
-carriage return, unicode, emojis? etc…
-#+end_src
-
-So to present the login page, every button should take care that adding a
-=<script>= somewhere will not generate an XSS, that the encoding is correct.
-And that login link could be forged by an attacker, and it should not be
-possible to hijack the redirection to a non allowed login endpoint.
-Because in that case, the endpoint will get a =code= from which we could
-retrieve the creds of the user.
-
-To me this totally doable, and I think should be the preferred route.
diff --git a/tracker.tmprXn6OX.org b/tracker.tmprXn6OX.org
deleted file mode 100644
index 10987152..00000000
--- a/tracker.tmprXn6OX.org
+++ /dev/null
@@ -1,1717 +0,0 @@
-# Created 2021-12-21 Tue 12:02
-#+title: 
-#+author: Yann Esposito
-* 2021
-** [[file:/Users/esposito/Library/Mobile Documents/iCloud~com~appsonthemove~beorg/Documents/org/2021-W03.org][2021-W03]]
-** [[file:/Users/esposito/Library/Mobile Documents/iCloud~com~appsonthemove~beorg/Documents/org/2021-W04.org][2021-W04]]
-** [[file:/Users/esposito/Library/Mobile Documents/iCloud~com~appsonthemove~beorg/Documents/org/2021-W05.org][2021-W05]]
-** [[file:/Users/esposito/Library/Mobile Documents/iCloud~com~appsonthemove~beorg/Documents/org/2021-W06.org][2021-W06]]
-** [[file:/Users/esposito/Library/Mobile Documents/iCloud~com~appsonthemove~beorg/Documents/org/2021-W07.org][2021-W07]]
-** [[file:/Users/esposito/Library/Mobile Documents/iCloud~com~appsonthemove~beorg/Documents/org/2021-W08.org][2021-W08]]
-** [[file:/Users/esposito/Library/Mobile Documents/iCloud~com~appsonthemove~beorg/Documents/org/2021-W09.org][2021-W09]]
-** [[file:/Users/esposito/Library/Mobile Documents/iCloud~com~appsonthemove~beorg/Documents/org/2021-W10.org][2021-W10]]
-** [[file:/Users/esposito/Library/Mobile Documents/iCloud~com~appsonthemove~beorg/Documents/org/2021-W11.org][2021-W11]]
-** [[file:/Users/esposito/Library/Mobile Documents/iCloud~com~appsonthemove~beorg/Documents/org/2021-W12.org][2021-W12]]
-** [[file:/Users/esposito/Library/Mobile Documents/iCloud~com~appsonthemove~beorg/Documents/org/2021-W13.org][2021-W13]]
-** [[file:/Users/esposito/Library/Mobile Documents/iCloud~com~appsonthemove~beorg/Documents/org/2021-W14.org][2021-W14]]
-** [[file:/Users/esposito/Library/Mobile Documents/iCloud~com~appsonthemove~beorg/Documents/org/2021-W15.org][2021-W15]]
-** [[file:/Users/esposito/Library/Mobile Documents/iCloud~com~appsonthemove~beorg/Documents/org/2021-W16.org][2021-W16]]
-** [[file:/Users/esposito/Library/Mobile Documents/iCloud~com~appsonthemove~beorg/Documents/org/2021-W17.org][2021-W17]]
-** [[file:/Users/esposito/Library/Mobile Documents/iCloud~com~appsonthemove~beorg/Documents/org/2021-W18.org][2021-W18]]
-** [[file:/Users/esposito/Library/Mobile Documents/iCloud~com~appsonthemove~beorg/Documents/org/2021-W19.org][2021-W19]]
-** [[file:/Users/esposito/Library/Mobile Documents/iCloud~com~appsonthemove~beorg/Documents/org/2021-W20.org][2021-W20]]
-** [[file:/Users/esposito/Library/Mobile Documents/iCloud~com~appsonthemove~beorg/Documents/org/2021-W21.org][2021-W21]]
-** [[file:/Users/esposito/Library/Mobile Documents/iCloud~com~appsonthemove~beorg/Documents/org/2021-W22.org][2021-W22]]
-** [[file:/Users/esposito/Library/Mobile Documents/iCloud~com~appsonthemove~beorg/Documents/org/2021-W23.org][2021-W23]]
-** [[file:/Users/esposito/Library/Mobile Documents/iCloud~com~appsonthemove~beorg/Documents/org/2021-W24.org][2021-W24]]
-** [[file:/Users/esposito/Library/Mobile Documents/iCloud~com~appsonthemove~beorg/Documents/org/2021-W25.org][2021-W25]]
-** 2021-W33
-#+begin: clocktable :scope subtree :maxlevel 4 :timestamp nil :link nil :tags t :narrow 36! :match "work"
-#+caption: Table 1: Clock summary at [2021-10-28 Thu 18:16]
-| Tags          | Headline                                     | Time   |      |      |      |
-|---------------+----------------------------------------------+--------+------+------+------|
-|               | *Total time*                                 | *6:19* |      |      |      |
-|---------------+----------------------------------------------+--------+------+------+------|
-|               | \_  2021-W33                                 |        | 6:19 |      |      |
-|               | \_    2021-08-16 Monday                      |        |      | 1:52 |      |
-| work          | \_      Fix Carlos Hidalgo account           |        |      |      | 0:20 |
-| work          | \_      create an issue about email...       |        |      |      | 1:32 |
-|               | \_    2021-08-17 Tuesday                     |        |      | 2:48 |      |
-| work          | \_      Add scope to TG clients              |        |      |      | 0:38 |
-| work          | \_      Write an issue about 1-click...      |        |      |      | 2:03 |
-| work, chat    | \_      Jyoti about CDO 1-click module setup |        |      |      | 0:07 |
-|               | \_    2021-08-19 Thursday                    |        |      | 1:39 |      |
-| work, meeting | \_      Interview Olivier Barbeau            |        |      |      | 1:39 |
-#+end:
-
-*** 2021-08-16 Monday
-**** DONE Fix Carlos Hidalgo account                                 :work:
-[2021-08-16 Mon 15:11]
-- ref :: [[file:~/Library/Mobile Documents/iCloud~com~appsonthemove~beorg/Documents/org/tracker.org::*create an issue about email search case sensitivity][create an issue about email search case sensitivity]]
-**** DONE create an issue about email search case sensitivity        :work:
-[2021-08-16 Mon 15:03]
-- ref :: https://github.com/threatgrid/response/issues/818
-
-***** Fix email case sensitivity
-
-> Related https://github.com/threatgrid/response/issues/818
-
-We often need to search by email. The main issue being that, currently our
-search mechanism does not support case insensitive matches.
-
-We have 4 possible solutions:
-
-1. Lower case the user email at creation. We need to also update the user
-   emails in our DB. The safest route to achieve this will be via the
-   iroh-migration service.
-2. Keep the email case sensitive and add a new case insensitive field =lc-user-email=
-   for example. But same as for case 1, we need to perform a DB migration to
-     add this new field to all existing user in DB.
-3. Add support for case insensitive search in tk-store, perhaps with a new
-   tk-store service, or improving current =CRUDStoreService.=
-4. Add a specific service just for search user emails that could take care
-   of this specific case by using a Postgres specific query. This could
-   also be the occasion to provide a tk-store hole in the abstraction service.
-
-The simplest is probably option 1.
-Option 2 would be slightly more complex and we would not lose any detail.
-Option 3 seems the most generic one, and we could totally imagine we would
-appreciate a case insensitive search support.
-Option 4 looks like a specific case of 3.
-
-My preference then goes to option 3, but we need to understand if this is
-not too difficult to achieve, what would be the API? The most natural one
-would probably add an option along =filter-map= like =case-insensitive-fields=.
-One issue would be to write the support for case insensitive match for =atom=
-and =redis=.
-
-
-**** TODO Interview Steven Collins
-
-*** 2021-08-17 Tuesday
-**** DONE Add scope to TG clients                                    :work:
-[2021-08-17 Tue 17:54]
-
-In tenzin config:
-
-#+begin_src
-- INT: 34d94c8c-2041-4708-8172-ebe2df295ca7-2
-- TEST: f993f6a0-8075-43e0-a9e5-dae9c3980513
-- NAM: 7b8d9fef-bd93-4ef3-88af-ae4174ee02e5
-- EU: a1662193-9155-44fd-aa1f-43afd42c889c
-#+end_src
-**** DONE Write an issue about 1-click module setup                  :work:
-[2021-08-17 Tue 15:51]
-- ref :: [[file:~/Library/Mobile Documents/iCloud~com~appsonthemove~beorg/Documents/org/Cisco.org.gpg::*Activation Optimization][Activation Optimization]]
-**** CHAT Jyoti about CDO 1-click module setup                       :work:chat:
-[2021-08-17 Tue 15:44]
-- ref :: [[file:~/Library/Mobile Documents/iCloud~com~appsonthemove~beorg/Documents/org/Cisco.org.gpg::*Epics][Epics]]
-
-*** 2021-08-19 Thursday
-#+begin: clocktable :scope subtree :maxlevel 4 :timestamp t :link t :tags t :narrow 36! :match "work"
-#+caption: Table 2: Clock summary at [2021-08-19 Thu 17:43]
-| Timestamp              | Tags          | Headline                                                                                                                                                                  | Time   |   |      |      |
-|------------------------+---------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---+------+------|
-|                        |               | *Total time*                                                                                                                                                              | *1:39* |   |      |      |
-|------------------------+---------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---+------+------|
-|                        |               | \_    [[file:/Users/esposito/Library/Mobile Documents/iCloud~com~appsonthemove~beorg/Documents/org/tracker.org::*2021-08-19 Thursday][2021-08-19 Thursday]]               |        |   | 1:39 |      |
-| [2021-08-19 Thu 16:04] | work, meeting | \_      [[file:/Users/esposito/Library/Mobile Documents/iCloud~com~appsonthemove~beorg/Documents/org/tracker.org::*Interview Olivier Barbeau][Interview Olivier Barbeau]] |        |   |      | 1:39 |
-#+end:
-
-**** MEETING Interview Olivier Barbeau                               :work:meeting:
-[2021-08-19 Thu 16:04]
-- ref :: [[file:~/Library/Mobile Documents/iCloud~com~appsonthemove~beorg/Documents/org/Cisco.org.gpg::*Self Presentation][Self Presentation]]
-
-** 2021-W35
-#+begin: clocktable :scope subtree :maxlevel 4 :timestamp nil :link nil :tags t :narrow 36! :match "work"
-#+caption: Table 3: Clock summary at [2021-10-28 Thu 18:15]
-| Tags          | Headline                  | Time   |      |      |      |
-|---------------+---------------------------+--------+------+------+------|
-|               | *Total time*              | *2:54* |      |      |      |
-|---------------+---------------------------+--------+------+------+------|
-|               | \_  2021-W35              |        | 2:54 |      |      |
-|               | \_    2021-09-02 Thursday |        |      | 2:54 |      |
-| work, meeting | \_      Weekly meeting    |        |      |      | 2:54 |
-#+end:
-
-
-*** 2021-09-02 Thursday
-**** MEETING Weekly meeting                                          :work:meeting:
-[2021-09-02 Thu 17:06]
-
-Guillaume start about the *Design Planning* github project.
-
-- SecureX session
-- High Impact Incident
-
-Sorry
-
-** 2021-W36
-
-*** 2021-09-08 Wednesday
-**** MEETING 1-click module setup weekly meeting                     :work:meeting:
-[2021-09-08 Wed 17:30]
-- ref :: https://miro.com/app/board/o9J_l57_gro=/
-
-Miro dashboard from Chloe:
-
-https://miro.com/app/board/o9J_l57_gro=/
-
-
-Discussion:
-
-When to TEST, tomorrow.
-Asking for client_id in TEST.
-
-
-Client-id: client-555c1f7a-b57b-4a6b-9f0b-015e311a6d06
-
-*** 2021-09-09 Thursday
-**** MEETING Interview: Florin Braghis                               :work:meeting:
-[2021-09-09 Thu 15:49]
-
-** 2021-W37
-#+begin: clocktable :scope subtree :maxlevel 4 :timestamp nil :link nil :tags t :narrow 36! :match "work"
-#+caption: Table 4: Clock summary at [2021-10-28 Thu 18:15]
-| Tags          | Headline                  | Time    |       |       |       |
-|---------------+---------------------------+---------+-------+-------+-------|
-|               | *Total time*              | *22:11* |       |       |       |
-|---------------+---------------------------+---------+-------+-------+-------|
-|               | \_  2021-W37              |         | 22:11 |       |       |
-|               | \_    2021-09-14 Tuesday  |         |       |  1:04 |       |
-| work          | \_      Device Grant      |         |       |       |  1:04 |
-|               | \_    2021-09-16 Thursday |         |       | 21:07 |       |
-| work, meeting | \_      Team weekly       |         |       |       | 21:07 |
-#+end:
-
-
-*** 2021-09-14 Tuesday
-**** IN-PROGRESS Device Grant                                        :work:
-[2021-09-14 Tue 19:31]
-- ref :: 
-
-*** 2021-09-16 Thursday
-**** MEETING Team weekly                                             :work:meeting:
-[2021-09-16 Thu 17:25]
-
-Ambrose, Irina, Guillaume, Matt, Yann
-
-TO MENTION: Device Grant with FMC => Public clients
-
-***** Incident discussion
-
-*** 2021-09-17 Friday
-**** MEETING Presenting the projects                                 :work:meeting:
-[2021-09-17 Fri 14:32]
-- ref :: https://github.com/advthreat/iroh/projects
-.
-
-***** Pres
-
-****** General
-
-******* Project Organization
-
-Every project has an owner (main point of contact for the FT)
-Now only leads, but could be anyone in the future.
-
-****** [Design] Shared IROH Auth Session
-
-Goal of this Project which is not an official FT is to reflect and write
-proposals to reach the feeling of a shared session across all Cisco
-Security products via SecureX.
-
-- solution using cookies
-- solution using Open ID Connect
-.
-****** [Design] High Impact Incident
-
-/Guillaume Ereteo/ made an awesome work to provide multiple proposals to be
-able to deliver the feature as fast as possible.
-
-1. filter on source (only AMP)
-2. Add severity on incident model
-3. Incident with high impact via an IROH route:  https://github.com/advthreat/iroh/issues/5710
-   - needs the proxy from Ambrose
-   - need sync with engine team too
-
-****** SecureX Suite Session Improvement
-
-Delivered yesterday in v1.81
-Limit the number of interstitial pages between SecureX and CTR/SSE
-
-- For orbital, missing the Launch button, the back end work is done as we do
-  not need any SXSO app link.
-
-****** [HOLD] Cisco Secure Client Integration
-
-Still no work to be done by the IROH Services team
-
-****** Hiring
-
-Since last meeting two new hires will join us in next few weeks.
-Kiril and Olivier.
-
-Kiril lives in Germany and Olivier in France.
-
-****** 1-Click Module Setup
-
-In progress integration by CDO and SWC
-
-/Irina/ worked to provide the vault metadata API for SWC.
-
-AMP is in the QA test phase.
-
-****** ModuleType updates
-
-Just saw the rename of "Threat Grid" into "Secure Malware Analytics"
-
-****** [HOLD] CTIA Hydrant support
-****** CTIA Incident Manager Improvement
-****** Bug Squashing
-
-- Fix a bug where a user could login to org that reject non-admin user login
-- Fix a refresh token bug that would provide too much scopes to an access token
-- Login Page url parsing potential discrepancy fixed
-
-****** [HOLD] ES 7 Migration
-****** Device Insights Integration
-
-- Wanderson: Webhooks work, trigger a notification for every
-  module-instance configuration change.
-
-****** AppLinks API
-****** SSE API Extension & OAuth2 Device Grant
-- FMC ⇒ public clients for Device Grants
-****** Incident Assignment Notifications
-
-/Ambrose/ worked to make IROH a proxy to private intel for incident
-assignments notifications.
-Should be delivered in v1.82
-
-** 2021-W39
-#+begin: clocktable :scope subtree :maxlevel 4 :timestamp nil :link nil :tags t :narrow 36! :match "work"
-#+caption: Table 5: Clock summary at [2021-10-28 Thu 18:15]
-| Tags          | Headline                   | Time   |      |      |      |
-|---------------+----------------------------+--------+------+------+------|
-|               | *Total time*               | *6:30* |      |      |      |
-|---------------+----------------------------+--------+------+------+------|
-|               | \_  2021-W39               |        | 6:30 |      |      |
-|               | \_    2021-09-29 Wednesday |        |      | 3:18 |      |
-| work, meeting | \_      Interview          |        |      |      | 3:18 |
-|               | \_    2021-10-01 Friday    |        |      | 3:12 |      |
-| work, meeting | \_      App Links          |        |      |      | 1:41 |
-| work, meeting | \_      Secure Client      |        |      |      | 1:31 |
-#+end:
-
-
-*** 2021-09-29 Wednesday
-**** MEETING Interview                                               :work:meeting:
-[2021-09-29 Wed 16:12]
-- ref :: [[file:~/dev/ring-jwt-middleware/src/ring_jwt_middleware/core.clj::jwt-check-fn (s/=> s/Any s/Str JwtClaims)]]
-
-*** 2021-10-01 Friday
-**** MEETING App Links                                               :work:meeting:
-[2021-10-01 Fri 17:26]
-- ref :: [[file:~/Library/Mobile Documents/iCloud~com~appsonthemove~beorg/Documents/org/tracker.org::*Secure Client][Secure Client]]
-**** MEETING Secure Client                                           :work:meeting:
-[2021-10-01 Fri 15:55]
-
-Meeting link:
-https://cisco.webex.com/cisco/j.php?MTID=m5814a8530a0870a19a57230bfd6d4b0e
-
-** 2021-W40
-#+begin: clocktable :scope subtree :maxlevel 4 :timestamp nil :link nil :tags t :narrow 36! :match "work"
-#+caption: Table 6: Clock summary at [2021-10-28 Thu 18:15]
-| Tags          | Headline                                | Time    |       |       |       |
-|---------------+-----------------------------------------+---------+-------+-------+-------|
-|               | *Total time*                            | *38:18* |       |       |       |
-|---------------+-----------------------------------------+---------+-------+-------+-------|
-|               | \_  2021-W40                            |         | 38:18 |       |       |
-|               | \_    2021-10-05 Tuesday                |         |       |  0:46 |       |
-| work          | \_      Training Interviewing           |         |       |       |  0:46 |
-|               | \_    2021-10-07 Thursday               |         |       | 32:04 |       |
-| work, meeting | \_      DI blockers                     |         |       |       | 23:32 |
-| work          | \_      support                         |         |       |       |  1:16 |
-| work, chat    | \_      check continu                   |         |       |       |  6:38 |
-| work, chat    | \_      support DI JWT signature        |         |       |       |  0:19 |
-| work, support | \_      client update via admin for CMD |         |       |       |  0:18 |
-| work, chat    | \_      Check webex matinal.            |         |       |       |  0:01 |
-|               | \_    2021-10-08 Friday                 |         |       |  5:28 |       |
-| work, meeting | \_      IDB decomissioning              |         |       |       |  2:28 |
-| work, meeting | \_      Customer Manager                |         |       |       |  3:00 |
-#+end:
-
-
-*** 2021-10-05 Tuesday
-**** MEETING DI weekly                                               :work:meeting:
-[2021-10-05 Tue 15:30]
-
-#+begin_quote
-From Yuri
-
-Hi,
-Things I’d like to discuss on our today sync meeting:
-1. The integration modules screen:
-   1. When will all the modules be updated with the relevant text?
-   2. When will all the modules be deployed to production?
-   3. Same goes for the DI module? Need help in updating its text and taking it to production as well
-   4. The filter by capability for device insights currently shows an empty result in production
-2. Integration code
-   1. Is there still some integration code that is pending?
-   2. What is the status of https://github.com/advthreat/iroh/issues/5680?
-   ii. Any other open issues?
-   1. Any blockers that you see for deploying to production?
-3. Assets API QA?
-#+end_quote
-
-1.a. doc team
-1.b
-
-2.a
-
-**** IN-PROGRESS Training Interviewing                               :work:
-[2021-10-05 Tue 14:44]
-***** Past Perf Predict the Future
-
-*Behaviorial questions*
-
-- tell me about a time when...
-- Where and how have you used ,,, to achieve ,,,
-- Walk me through the system/process/etc...
-
-*Behavioral questions better*
-
-More specific to their experience, not generic.
-
-- concise
-- clear
-- relevant
-- practiced
-- tailored to the job
-
-***** Real Purpose of interviewing
-
-Predict whether or not they'd be successful in our company
-
-Evidence?
-- Yes, specific examples
-- Yes, demonstration
-
-What the candidate will think about the question.
-
-****** Clear on hiring criteria
-
-*skills & knownledge, attributes, achievements, motivations*
-
-targeted probing behavioral interviewing.
-
-Go deep, specific, examples.
-Ask the *how* to detect liars, lack of honesty.
-
-- what ,,, what did you do, what was your role, etc...
-  Question need specific responses.
-
-Do brainteasers work? no
-Use problem solving questions; how would you do/solve/etc...?
-
-Examples:
-
-- role play question. ×
-- problem they solved. ✓
-
-
-What work-related experience(s) changed your opinion(s) on something?
-
-****** On Question to rule them all?
-
-Combination question.
-Find combo questions.
-
-*Probing*
-
-*** 2021-10-07 Thursday
-**** MEETING DI blockers                                             :work:meeting:
-[2021-10-07 Thu 18:01]
-
-#+begin_quote
-@Yuri:
-
-I’ve opened the issues there, still need to set priorities.
-Here is the list of the issues I’m currently aware of that are important
-for the release:
-
-1. https://github.com/advthreat/iroh/issues/5680 - didn’t open a new ticket for this one, since it already has tracking.
-   1. Umbrella module -
-      1. Allow configuring only DI relevant fields - https://github.com/threatgrid/response/issues/933 b. Placement of fields https://github.com/threatgrid/response/issues/934 c. Add explanations of DI relevant fields - https://github.com/threatgrid/response/issues/935 d. Umbrella doesn't send the external reference info - https://github.com/threatgrid/response/issues/936
-   2. filtering for the device insights SecureX modules in the Integration Modules screen - results in an empty set - https://github.com/threatgrid/response/issues/937
-
-If you know of something else, please add here
-
-@Matt:
-2.a is also tracked here https://github.com/advthreat/iroh/issues/5821
-#+end_quote
-
-
-1. Doc discussion 30min
-2. show time (Yuri share chat)
-
-
-
-**** IN-PROGRESS support                                             :work:
-[2021-10-07 Thu 16:45]
-- ref :: https://github.com/threatgrid/tenzin/issues/1530
-
-new-org
-
-#+begin_src js
-{
-    "id": "00000000-0000-0000-6473-000028fbaa95",
-    "name": "GATE/Tier3",
-    "enabled?": true,
-    "created-at": "2021-10-07T17:00:00.000Z",
-    "scim-status": "activated",
-    "additional-scopes": [
-        "iroh-master:read",
-        "iroh-admin:read",
-        "iroh-master/tac",
-        "iroh-auth:read"]
-}
-#+end_src
-
-Idp Mapping INT/TEST
-
-#+begin_src js
-{
-    "idp": "sxso",
-    "user-identity-id": "00uox5862kEG8G0CD0h7",
-    "enabled?": true
-}
-#+end_src
-
-IdP Mapping PROD
-
-#+begin_src js
-{
-    "idp": "sxso",
-    "user-identity-id": "00u4dmbgyjnx4glS2357",
-    "enabled?": true
-}
-#+end_src
-
-
-Users to invite:
-
-
-#+begin_src js
-
-[{"invitee-email":"ashakarc@cisco.com","role":"admin"},
- {"invitee-email":"bmacer@cisco.com",  "role":"admin"},
- {"invitee-email":"caknowle@cisco.com","role":"admin"},
- {"invitee-email":"cdeleanu@cisco.com","role":"admin"},
- {"invitee-email":"daphgalm@cisco.com","role":"admin"},
- {"invitee-email":"djanulik@cisco.com","role":"admin"},
- {"invitee-email":"bmahsan@cisco.com", "role":"admin"},
- {"invitee-email":"majacob2@cisco.com","role":"admin"},
- {"invitee-email":"sorianto@cisco.com","role":"admin"},
- {"invitee-email":"stabulic@cisco.com","role":"admin"}]
-#+end_src
-
-**** CHAT check continu                                              :work:chat:
-[2021-10-07 Thu 10:07]
-- ref :: [[file:~/Library/Mobile Documents/iCloud~com~appsonthemove~beorg/Documents/org/tracker.org::*support DI JWT signature][support DI JWT signature]]
-**** CHAT support DI JWT signature                                   :work:chat:
-[2021-10-07 Thu 09:45]
-- ref :: https://github.com/advthreat/iroh/issues/5680
-
-**** IN-PROGRESS client update via admin for CMD                     :work:support:
-[2021-10-07 Thu 09:27]
-- ref :: https://github.com/advthreat/iroh/issues/5827
-
-Cisco Secure Email Cloud Mailbox
-
-- module NAM client-0be615ab-b0ff-4c12-8a85-f16c95e7d396
-- ribbon NAM client-e36ba40b-5710-402d-b036-ada6d7817c55
-- module EU client-6fc3230c-936a-40c1-ad73-f9f28700804e
-- ribbon EU client-164688ee-cd5d-44b6-be3d-5e255955e969
-
-
-**** CHAT Check webex matinal.                                       :work:chat:
-[2021-10-07 Thu 09:26]
-- ref :: [[file:~/Library/Mobile Documents/iCloud~com~appsonthemove~beorg/Documents/org/notes/journal/2021/2021-10-07.org::*09:20][09:20]]
-**** PAUSE Journal                                                   :pause:
-[2021-10-07 Thu 09:20]
-
-*** 2021-10-08 Friday
-**** MEETING IDB decomissioning                                      :work:meeting:
-[2021-10-08 Fri 20:33]
-- ref :: [[file:~/dev/iroh/services/iroh-auth/test/iroh_auth/oauth2_web_service_test.clj][file:~/dev/iroh/services/iroh-auth/test/iroh_auth/oauth2_web_service_test.clj]]
-
-- SSE side decomission
-
-Chander Goyal
-
-context; SX released as a platform, SSE had a PingFed ID Broker.
-Also for CSA.
-
-We want to user IROH-Auth.
-We want to use directly IROH-Auth.
-
-CSA Migration was launched.
-SSE-side done.
-
-CSA should be completed very soon.
-Let's not change PingFed.
-
-Nov 1919 -> nobody left in PingFed at SSE.
-
-Very limited knowledge.
-The license was Cisco Wideside license.
-end in 2022.
-
-We want to duplicate PingFed.
-**** MEETING Customer Manager                                        :work:meeting:
-[2021-10-08 Fri 17:33]
-- ref :: ,,,
-
-** 2021-W41
-#+begin: clocktable :scope subtree :maxlevel 4 :timestamp nil :link nil :tags t :narrow 36! :match "work"
-#+caption: Table 7: Clock summary at [2021-10-28 Thu 18:15]
-| Tags | Headline                                     | Time   |      |      |      |
-|------+----------------------------------------------+--------+------+------+------|
-|      | *Total time*                                 | *1:35* |      |      |      |
-|------+----------------------------------------------+--------+------+------+------|
-|      | \_  2021-W41                                 |        | 1:35 |      |      |
-|      | \_    2021-10-14 Thursday                    |        |      | 1:35 |      |
-| work | \_      Write Customer Manager doc           |        |      |      | 1:10 |
-| work | \_      write attack on Webhooks with JWT... |        |      |      | 0:25 |
-#+end:
-
-
-*** 2021-10-14 Thursday
-**** IN-PROGRESS Write Customer Manager doc                          :work:
-[2021-10-14 Thu 15:23]
-- ref :: [[file:~/Library/Mobile Documents/iCloud~com~appsonthemove~beorg/Documents/org/tracker.org::*write attack on Webhooks with JWT from emitters][write attack on Webhooks with JWT from emitters]]
-**** IN-PROGRESS write attack on Webhooks with JWT from emitters     :work:
-[2021-10-14 Thu 14:58]
-
-Attack using access_token/id_token from emitters and not webhook owner.
-
-Webhooks are a generic mechanism; but here we only focus on webhook used by
-internal Cisco team integration.
-
-So the webhook mechanism should be used to push a trusted API that a
-changed occurred in SecureX (typically module instance change).
-
-The call must be authenticated by the API.
-The call should also optionally contain access/refresh tokens to the
-destination so the integration team could access IROH as the event's
-emitter user.
-
-The issue is that, nothing is explicitly done to prevent any user to get an
-access/id token generated from the same client we use to forge the
-authentication headers.
-So it means, that a SecureX user from any org that could get access to its
-own access token/id token (which is entirely possible, and easy to get for
-DI as their client is public).
-So any user could call the API endpoint to fake real webhook events, and
-potentially using cross-tenancy/cross-user false events.
-
-So to mitigate this issue, we suggest to:
-
-1. Always use the owner of the webhook & the client of the team to build
-   id_tokens, (if possible not access_token).
-   The forged JWT should have a specific audience (this is already the case
-   for DI at least). The API team *MUST* check that the =sub= claim matches the
-   =owner-id= field of the webhook as well as verifying the JWT signature.
-2. Provide the emitter tokens in the body of the HTTP call made during
-   webhook trigger.
-
-
-- With 1, we prevent this cross-tenant/cross-user attack.
-- With 2, we not only provide even more data than before but the team could
-directly use the token without using the "custom route" to retrieve the
-refresh token (as it is already provided in the webhook HTTP body)
-
-** 2021-W42
-#+begin: clocktable :scope subtree :maxlevel 4 :timestamp nil :link nil :tags t :narrow 36! :match "work"
-#+caption: Table 8: Clock summary at [2021-10-28 Thu 18:15]
-| Tags              | Headline                                    | Time   |      |      |      |
-|-------------------+---------------------------------------------+--------+------+------+------|
-|                   | *Total time*                                | *9:45* |      |      |      |
-|-------------------+---------------------------------------------+--------+------+------+------|
-|                   | \_  2021-W42                                |        | 9:45 |      |      |
-|                   | \_    2021-10-19 Tuesday                    |        |      | 6:59 |      |
-| work              | \_      whitelist synopsis.com in TEST      |        |      |      | 6:59 |
-|                   | \_    2021-10-21 Thursday                   |        |      | 1:13 |      |
-| work, meeting     | \_      Weekly IROH Service Team            |        |      |      | 0:09 |
-| work, meeting     | \_      FMC - Device Grant OAuth2 Flow Sync |        |      |      | 0:24 |
-| work, meeting, me | \_      Secure Client                       |        |      |      | 0:40 |
-|                   | \_    2021-10-22 Friday                     |        |      | 1:33 |      |
-| work, meeting     | \_      Engineering Team                    |        |      |      | 1:33 |
-#+end:
-
-
-*** 2021-10-18 Monday
-**** TODO Write Weekly todos                                         :work:
-[2021-10-18 Mon 10:56]
-- ref :: 
-***** DONE Check Wanderson PRs/Webhooks
-***** DONE Customer Manager Doc
-***** DONE IROH-Auth tour
-****** DONE Organize invitations for IROH-Auth tour + bugfix, etc...
-***** DONE Discuss Exceptions organization
-*** 2021-10-19 Tuesday
-**** DONE whitelist synopsis.com in TEST                             :work:
-[2021-10-19 Tue 09:04]
-- ref :: [[file:~/Library/Mobile Documents/iCloud~com~appsonthemove~beorg/Documents/org/tracker.org::*Olivier][Olivier]]
-
-*** 2021-10-21 Thursday
-**** MEETING Weekly IROH Service Team                                :work:meeting:
-[2021-10-21 Thu 17:16]
-***** Remark to tell
-
-- Internal JWT generation, with/without client.
-- Next week IROH-Auth tour probably record this.
-
-
-**** MEETING FMC - Device Grant OAuth2 Flow Sync                     :work:meeting:
-[2021-10-21 Thu 16:27]
-- ref :: [[file:~/Library/Mobile Documents/iCloud~com~appsonthemove~beorg/Documents/org/tracker.org::*Secure Client][Secure Client]]
-
-Updated Target Date.
-No blocking issue or concerns.
-
-We just finish delivering the feature.
-
-Good to go for 7.2 release (in April).
-Maybe maintenance release 7.0.2 in Feb.
-
-**** MEETING Secure Client                                           :work:meeting:me:
-[2021-10-21 Thu 15:32]
-
-Jyoti discuss with a document how the 1-click module setup
-should work and the constraints to obey.
-
-*** 2021-10-22 Friday
-**** MEETING Engineering Team                                        :work:meeting:
-[2021-10-22 Fri 17:03]
-
-- Working closely to finalize 1-click module setup to work.
-  We faced an issue in using the same client for both the ribbon and the
-  1-click module setup.
-  This not really a blocker and a fix is in the way.
-
-** 2021-W43
-#+begin: clocktable :scope subtree :maxlevel 4 :timestamp nil :link nil :tags nil :narrow 36! :match "work"
-#+caption: Table 9: Clock summary at [2021-11-03 Wed 10:24]
-| Headline                                     | Time    |       |      |      |
-|----------------------------------------------+---------+-------+------+------|
-| *Total time*                                 | *19:46* |       |      |      |
-|----------------------------------------------+---------+-------+------+------|
-| \_  2021-W43                                 |         | 19:46 |      |      |
-| \_    2021-10-25 Monday                      |         |       | 3:29 |      |
-| \_      IROH-Auth Overview                   |         |       |      | 3:29 |
-| \_    2021-10-26 Tuesday                     |         |       | 4:35 |      |
-| \_      All Hands                            |         |       |      | 0:48 |
-| \_      AO                                   |         |       |      | 0:29 |
-| \_      IROH-Auth tour                       |         |       |      | 3:18 |
-| \_    2021-10-27 Wednesday                   |         |       | 0:19 |      |
-| \_      security                             |         |       |      | 0:18 |
-| \_      preparation IROH Auth Tour           |         |       |      | 0:01 |
-| \_    2021-10-28 Thursday                    |         |       | 2:33 |      |
-| \_      Weekly Team                          |         |       |      | 0:51 |
-| \_      SecureX + Secure Client + DI...      |         |       |      | 0:29 |
-| \_      Weekly Sync:  SecureX / Secure...    |         |       |      | 0:35 |
-| \_      SSE =CCO_id=                         |         |       |      | 0:38 |
-| \_    2021-10-29 Friday                      |         |       | 8:50 |      |
-| \_      AO disucssion + generic discusssions |         |       |      | 1:00 |
-| \_      Jyoti email about PROD module on INT |         |       |      | 0:14 |
-| \_      aide Matt URL encoding               |         |       |      | 0:50 |
-| \_      code gen docs                        |         |       |      | 2:48 |
-| \_      Customer Manager doc                 |         |       |      | 2:34 |
-| \_      morning tour                         |         |       |      | 1:06 |
-| \_      configurable default sort            |         |       |      | 0:18 |
-#+end:
-
-*** 2021-10-25 Monday
-**** MEETING IROH-Auth Overview                                      :work:meeting:
-[2021-10-25 Mon 13:57]
-- ref :: 
-
-
-- services/iroh-auth
-- lib/iroh-web/{core.clj,compojure-api.clj}
-- 
-
-*** 2021-10-26 Tuesday
-**** MEETING All Hands                                               :work:meeting:
-**** MEETING AO                                                      :work:meeting:
-[2021-10-26 Tue 17:43]
-- ref :: 
-**** MEETING IROH-Auth tour                                          :work:meeting:
-[2021-10-26 Tue 14:25]
-- ref :: [[file:~/dev/iroh/dev-resources/config.edn::}}]]
-
-***** org-level entities (clients)
-1. makes user-id/owner-id optional ×
-2. hack the User service, to create a fake org-level user.
-
-#+begin_src clojure
-(get-user org-id)
-
-=> {:user-id org-id
-    :org-id org-id
-    :role "admin"
-    :scopes ,,,,}
-#+end_src
-
-search for entities, you should search for the owned entities + (if you are
-an admin for the admin-level entities.)
-
-during the ~create-client~ to add the ability to create client with that
-specific owner.
-
-Fun: filter-map => list of filter-map
-
-
-#+begin_src clojure
-;; inside an Org
-{:addtional-scopes #{"cisco/user:read"}}
-;;
-{:addtional-scopes
- {:user #{}
-  :admin #{"cisco/user:read"}}}
-#+end_src
-
-****** Hidden migration
-
-(get-org ,,,,)
-
-****** IROH-Crud
-
-TK-Store => provide a minimalist abstraction to Databases.
-IROH-CRUD => provide CRUD-only related abstractions
-search that
-
-#+begin_src clojure
-(search ,,,,)
-
-(iroh-crud/search-with-admin
- {:,,,, :user-id xxx :org-id xxx})
-=> (tk-store/search {:filter-map [{:user-id xxxx ,,,}
-                                  {:user-id xxxx :org-id org-id}]
-
-                     })
-#+end_src
-
-****** update entities
-
-To decide later:
-
-1. any admin should be allowed to update the org-level entities.
-2. some specific admin only should be allowed to update the org-level
-   entites (use another scope maybe?)
-
-Probably option 1.
-
-*** 2021-10-27 Wednesday
-**** MEETING security                                                :work:meeting:
-[2021-10-27 Wed 17:03]
-
-xx
-
-auto loop
-
-
-Proxy route
-
-**** IN-PROGRESS preparation IROH Auth Tour                          :work:
-[2021-10-27 Wed 12:06]
-
-- Continue on "org-level entities"
-- Doc on JWT client expectations
-- :load-path "" Dispatch work
-- Dig if necessary
-
-*** 2021-10-28 Thursday
-**** Weekly Team                                                     :work:meeting:
-[2021-10-28 Thu 17:01]
-- ref :: 
-***** Agenda (to discuss about)
-
-***** Notes
-****** G2
-ES deployed, start the migration
-Old tenzin config pull-request I need to update.
-
-Ag moving to the last step to set the default fields, which are required
-for ES7.
-
-Production Bug in CTIA investigate module
-
-Fixed the pagination.
-default search was not consistent.
-PR on CTIA.
-Made this default search configurable per store.
-
-Ag, PR for the enrichment?
-
-Ambrose, ops related.
-
-@Jyoti discussion
-****** Matt Integration
-
-- DI Irina working adding new auth in the module
-- Yann fixed a security issue affecting Umbrella
-- 1-click setup started to work on the org activation
-- Mark work on SSE
-- former_title field (rebranding guidelines)
-- working on a bug in Umbrella, source URL are wrong
-- log all proxy requests
-
-****** Auth
-
-Y
-
-(personal)
-- IROH-Auth tour
-- minor fix
-- clean up SAML
-- security bug fix
-
-*IROH-Auth*
-
-1. take a task
-2. write PR doc
-3. review PR doc
-4. optional IROH-Auth tour webex(es)
-5. code
-
-Q2:
-- region switching API
-- account switching inside each region
-Q3:
-- org-level entities
-
-*Big hidden work*
-Working on OAuth2 bug.
-A bit big PR, because will need a new service to store refresh tokens and
-their metas.
-And we should be able to migrate/update clients.
-
-*Security Bug Fix*
-Chris Duane was happy, it was the first declared bug by Jimmy Miller.
-
-Olivier working on providing the API for the privacy team.
-
-Not 100% fixed, still a problem with paths.
-
-*AO migration to OIDC*
-****** Jyoti
-Questions about JWT used by DI, that call Orbital on behalf on someone
-else.
-
-***** Actions
-
-- @Jyoti: should ask Yuri about which JWT are used.
-- @Jyoti: AO for Q3 for the telemetry
-**** SecureX + Secure Client + DI Integration                        :work:meeting:
-[2021-10-28 Thu 16:32]
-- ref :: https://cisco.webex.com/cisco/j.php?MTID=m3d2fe4735f7151dc690e000c8749ed0e
-
-***** Discussion
-****** Abhishek
-
-- deployement
-- Secure Client onboarding
-- Secure Client always visible
-- cannot read property from DI when adding module
-- work on feature flag
-.
-@Paul: 1.84 today, so these fixes are going to be for date?
-@Abishek: will more time to develop and test
-.
-****** Nirmesh Patel
-
-- Secure Client always visible, real issue
-
-**** Weekly Sync:  SecureX / Secure Endpoint                         :work:meeting:
-[2021-10-28 Thu 15:30]
-- ref :: https://cisco.webex.com/cisco/j.php?MTID=m6563218d7c961e691f62c539fc645607
-
-What remains?
-
-- Martin
-
-1-click module setup
-
-Restrict them to a region.
-Who was impacted.
-
-Nov 13th, for the 1-click module setup is at risk to be delayed.
-
-- G2
-
-no 1-click => nothing can happen
-
-Dependency to deploy Secure Endpoint.
-
-- Martin/Namrata
-
-Jyoti is in active conversation.
-
-- Martin/G2
-
-Are we going to change the design?
-
-Martin: We don't know Yet
-
-- Vlad
-
-Pb with Region.
-
-An AMP tenant can only talk to 1 SecureX tenant.
-
-- Martin
-
-Maybe region selection.
-
-- Release Nov 11th
-- Relesases v1.85 10-Nov
-
-.
-***** Initiated SecureX 1-click module setup for Secure Endpoint
-
-
-**** SSE =CCO_id=                                                    :work:discussion:
-[2021-10-28 Thu 14:52]
-- ref :: https://github.com/advthreat/iroh/discussions/5754
-
-So after giving more thoughts on the subject.
-Here are some scenarios:
-
-1. A person login via Okta with the email ~user-1@domain.com~
-2. This person want to connect his account, then he must login via Okta
-   again but using another Okta account ~user-1@smart-account.com~ for example.
-
-In this scenario there are two issues:
-
-The first is that we do not control the Okta session.
-The Okta session will keep being the one for ~user-1@smart-account.com~.
-When the user will launch another product he will not use his usual
-~user-1@domain.com~ Okta session.
-
-The second, is that we should have a mechanism to understand that on the
-second login, we don't want to login the user, but to merge two different
-IdP accounts.
-
-Mainly we will need to develop a new workflow, so a user could merge
-multiple IdP accounts to his current SecureX account.
-
-The implications are:
-
-- SecureX users should support multiple email addresses. (also note that
-  user login via TG have a non verified email addresses and are treated
-  separately on different login flows.)
-- We need to support more metas data in the IdP Mappings in general,
-  (typically the =CCO_id=). Now, what if a user login multiple times, and has
-  two different IdP Mapping with a different =CCO_id=.
-- We will need to provide a new route, that will present a new HTML page
-  similar to the login page but with subtle modifications.
-  We might, for example, negotiate another login buttons that will behave
-  differently (typically a login button forcing the user to use CCO).
-
-In the end, it means we should deliver a "Merge a new Login" flow to
-SecureX Accounts. And it doesn't seem to be trivial.
-
-*** 2021-10-29 Friday
-#+begin: clocktable :scope subtree :maxlevel 4 :timestamp nil :link nil :tags t :narrow 36! :match "work"
-#+caption: Table 10: Clock summary at [2021-10-29 Fri 18:39]
-| Tags         | Headline                                     | Time   |   |      |      |
-|--------------+----------------------------------------------+--------+---+------+------|
-|              | *Total time*                                 | *8:50* |   |      |      |
-|--------------+----------------------------------------------+--------+---+------+------|
-|              | \_    2021-10-29 Friday                      |        |   | 8:50 |      |
-| work, chat   | \_      AO disucssion + generic discusssions |        |   |      | 1:00 |
-| work, email  | \_      Jyoti email about PROD module on INT |        |   |      | 0:14 |
-| work, chat   | \_      aide Matt URL encoding               |        |   |      | 0:50 |
-| work         | \_      code gen docs                        |        |   |      | 2:48 |
-| work         | \_      Customer Manager doc                 |        |   |      | 2:34 |
-| work         | \_      morning tour                         |        |   |      | 1:06 |
-| work, review | \_      configurable default sort            |        |   |      | 0:18 |
-#+end:
-**** CHAT AO disucssion + generic discusssions                       :work:chat:
-[2021-10-29 Fri 18:39]
-**** PAUSE :pause:
-[2021-10-29 Fri 17:30]
-- ref :: [[file:~/Library/Mobile Documents/iCloud~com~appsonthemove~beorg/Documents/org/tracker.org::*Jyoti email about PROD module on INT][Jyoti email about PROD module on INT]]
-**** EMAIL Jyoti email about PROD module on INT                      :work:email:
-[2021-10-29 Fri 17:04]
-- ref :: 
-
-Hi Jyoti,
-
-I checked on INT and in our org, there is an AMP module configured with the
-PROD URL.
-
-Chris told me we have a security requirement that no production customer
-data can be in INT or TEST.
-
-Do you know why this is needed, and if we could use a QA1 URL instead?
-And if not, do you know who we could ask to see if this is still needed?
-If I remember correctly, I think it was used to help makes demos.
-
-Because of this I tend to be extra cautious about the
-"allowed-login-origins" parameter (see
-https://github.com/advthreat/tenzin-config/pull/505).
-
-I don't want our INT access token to be sent in the wild.
-Even without this module linking to PROD I would prefer not to send the INT
-JWT on 3rd party.
-Because if https://vercel.app is compromised anyone will be able to access
-our INT environment, generally with administrator privileges.
-
-Thanks,
-Yann.
-**** CHAT aide Matt URL encoding                                     :work:chat:
-[2021-10-29 Fri 16:14]
-- ref :: [[file:~/Library/Mobile Documents/iCloud~com~appsonthemove~beorg/Documents/org/tracker.org::*code gen docs][code gen docs]]
-**** PAUSE :pause:
-[2021-10-29 Fri 16:08]
-- ref :: [[file:~/Library/Mobile Documents/iCloud~com~appsonthemove~beorg/Documents/org/tracker.org::*code gen docs][code gen docs]]
-**** IN-PROGRESS code gen docs                                       :work:
-[2021-10-29 Fri 16:07]
-- ref :: [[file:~/dev/iroh/README.org::*Rebuild the generated doc][Rebuild the generated doc]]
-**** CANCELED Customer Manager doc                                   :work:
-[2021-10-29 Fri 11:02]
-- ref :: 
-**** morning tour                                                    :work:
-[2021-10-29 Fri 09:56]
-- ref :: [[file:~/Library/Mobile Documents/iCloud~com~appsonthemove~beorg/Documents/org/inbox.org::*Fortuneo: Amundi World (CW8)][Fortuneo: Amundi World (CW8)]]
-**** REVIEW configurable default sort                                :work:review:
-[2021-10-29 Fri 09:33]
-- ref :: https://github.com/threatgrid/ctia/pull/1163
-
-** 2021-W44
-
-*** 2021-11-03 Wednesday
-#+begin: clocktable :scope subtree :maxlevel 4 :timestamp nil :link nil :tags t :narrow 36! :match "work"
-#+caption: Table 11: Clock summary at [2021-11-03 Wed 18:16]
-| Tags        | Headline                           | Time   |   |      |      |
-|-------------+------------------------------------+--------+---+------+------|
-|             | *Total time*                       | *7:13* |   |      |      |
-|-------------+------------------------------------+--------+---+------+------|
-|             | \_    2021-11-03 Wednesday         |        |   | 7:13 |      |
-| work        | \_      Engagement pulse Teamspace |        |   |      | 2:05 |
-| work        | \_      cleanup code               |        |   |      | 0:29 |
-| work, email | \_      SSE potential bug          |        |   |      | 0:37 |
-| work        | \_      GH notif tour              |        |   |      | 0:27 |
-| work, chat  | \_      Discussion Guillaume       |        |   |      | 2:03 |
-| work, email | \_      OIDC conf in Okta          |        |   |      | 0:01 |
-| work, chat  | \_      webex tour                 |        |   |      | 1:31 |
-#+end:
-**** IN-PROGRESS Engagement pulse Teamspace                          :work:
-[2021-11-03 Wed 16:11]
-- ref :: [[file:~/dev/iroh/services/iroh-auth/test/iroh_auth/test_helpers/tk.clj:::conf (conf port)})]]
-**** IN-PROGRESS cleanup code                                        :work:
-[2021-11-03 Wed 15:42]
-**** EMAIL SSE potential bug                                         :work:email:
-[2021-11-03 Wed 15:05]
-Hi Yann,
-
-We noticed that we have two tenants created in SSE APJ stack for the AMP
-company ID (51ab0c3e-381b-4169-ab63-b031c685f441).
-One of them with spID AMP-APJ (created on 2020-12-01 11:58:50 UTC) and the
-other with spID SXSO (created on 2021-08-24 09:25:07 UTC).
-
-I see from the logs the user ID token that came to Anubis had “SXSO”
-instead on AMP-APJ resulting in this state.
-Wondering what caused the spID to change in the ID token from AMP-APJ to
-SXSO on 2021-08-24 ?
-Could there be a possible issue here ?
-
-#+begin_src
-TX_LOG 192.168.25.199 [2021-08-24T09:25:07Z] GET /scim/v2/Organizations?filter=spId+eq+SXSO+and+orgInfo.companyId+eq+51ab0c3e-381b-4169-ab63-b031c685f441 200 774 0.0076 aba74caa-ba90-43d3-b1d2-7066750a6754 -
-#+end_src
-
-
-**** IN-PROGRESS GH notif tour                                       :work:
-[2021-11-03 Wed 14:38]
-- ref :: [[file:~/Library/Mobile Documents/iCloud~com~appsonthemove~beorg/Documents/org/tracker.org::*2021-11-03 Wednesday][2021-11-03 Wednesday]]
-**** CHAT Discussion Guillaume                                       :work:chat:
-[2021-11-03 Wed 10:00]
-- ref :: [[file:~/Library/Mobile Documents/iCloud~com~appsonthemove~beorg/Documents/org/tracker.org::*OIDC conf in Okta][OIDC conf in Okta]]
-**** EMAIL OIDC conf in Okta                                         :work:email:
-[2021-11-03 Wed 09:59]
-**** CHAT webex tour                                                 :work:chat:
-[2021-11-03 Wed 09:58]
-<<<<<<< HEAD
-
-*** 2021-11-04 Thursday
-**** MEETING Weekly meeting                                          :work:meeting:
-[2021-11-04 Thu 17:00]
-- ref :: 
-***** Agenda (to discuss about)
-Make a tour of everyone work.
-***** Notes
-Welcome
-
-Me. ... (see tracker .org) + git weekly
-Olivier. PR for oauth2-client-demo, waiting for review
-Matt. logs for proxy
-- auditability of the proxy; kibana dashboard
-Mark. SSE passthrough, and AO
-
-***** Actions
-- review Olivier's PR
-**** IN-PROGRESS Continu code cleanup                                :work:
-[2021-11-04 Thu 15:40]
-- ref :: https://github.com/advthreat/iroh
-**** IN-PROGRESS update Secure Endpoint client                       :work:
-[2021-11-04 Thu 15:38]
-- ref :: https://github.com/advthreat/iroh
-
-Secure Endpoint (or AMP for Endpoint)
-
-=client-555c1f7a-b57b-4a6b-9f0b-015e311a6d06=
-**** MEETING Weekly Sync:  SecureX / Secure Endpoint                 :work:meeting:
-[2021-11-04 Thu 15:08]
-- ref :: https://cisco.webex.com/cisco/j.php?MTID=m0a5157ed81ded94305da1bae743352fc
-***** Agenda (to discuss about)
-***** Notes
-10-Nov:
-
-- AC6: on/off configuration within Secure Endpoint UI
-
-1-click module setup 8/9-Dec.
-
-- retention of module ID and secureX org id in SE
-- update of legacy module upon integration
-
-***** Actions
-**** IN-PROGRESS code                                                :work:
-[2021-11-04 Thu 09:51]
-- ref :: [[file:~/Library/Mobile Documents/iCloud~com~appsonthemove~beorg/Documents/org/tracker.org::*2021-11-04 Thursday][2021-11-04 Thursday]]
-**** CHAT Webex chat tour                                            :work:chat:
-[2021-11-04 Thu 09:50]
-
-*** 2021-11-05 Friday
-**** MEETING SecureX Registration                                    :work:meeting:
-[2021-11-05 Fri 15:33]
-- ref :: https://github.com/threatgrid/response/issues/821
-***** Agenda (to discuss about)
-- Discuss feature
-- Find a date
-***** Notes
-
-... bad org creation
-
-1. User has SXSO account don't have invitation
-
-   Only show them active invitations.
-   If too many invitations in the DB.
-
-2. second workflow, check email domain
-
-   if matches other orgs, present the orgs + asks for invitation
-
-3. Limit access from "public" email domain
-
-***** Actions
-**** IN-PROGRESS tour                                                :work:
-[2021-11-05 Fri 11:09]
-- ref :: [[file:~/Library/Mobile Documents/iCloud~com~appsonthemove~beorg/Documents/org/tracker.org::*Code][Code]]
-**** DONE Code                                                       :work:
-[2021-11-05 Fri 11:08]
-**** EMAIL Help John doing a cron                                    :work:email:
-[2021-11-05 Fri 09:09]
-- ref :: mail: How can I query an IROH endpoint programatically?
-
-#+begin_quote
-On 4 Nov 2021, at 22:23, John Jardine (johjardi) <johjardi@cisco.com> wrote:
-
-Hi,
-
-To support iroh-incident scaling based on a queue-depth metric ( Tenzin Issue 1553 ) I am thinking about creating a task that will be run every N minutes to query the endpoint.  To do this the task would have to authenticate and I don’t know how to do that for an automated tool.  Not sure if the route makes a difference, the metrics are available here: /iroh/admin/queue/status-report/incidents
-
-Can you give me any guidance or point me to any docs on how to do this?
-
-Thanks,
-John J.
-#+end_quote
-
-John,
-
-The endpoint will not be =/iroh/admin/…= but =/admin/…= which mean it is only
-reachable via the VPN, but I guess you will make the request from the
-internal network.
-So you should be able to reach https://iroh-adm.int.iroh.site/admin/
-directly.
-
-In order to make a call you need an OAuth2 client with the following scope:
-
-=iroh-master/queue/incidents:read=
-
-I created one client per environment for you;
-
-- INT (client-79d54f25-2a71-4bcb-b057-001f53091b2f)
-- TEST (client-c1a00641-45e0-4090-b80e-ce87b35a84b3)
-- PROD NAM (client-22b0f44f-3d7e-4b14-a11b-5cfa35f86b83)
-- PROD EU (client-b56530b0-b16c-40b2-bb77-850e32e06e8b)
-- PROD APJC (client-502fb0a3-605c-4b1b-b91d-07980d5a1f2f)
-
-I used the same password for all of them.
-
-***** Password
-
-The password is here:
-
------BEGIN PGP MESSAGE-----
-
-hQIMA2UoHNQCOfATARAAsDn3KJpJprlK60eUi2C4ol/2B5iCpIud6oYkeAB09yGe
-Wt8ditdZdLKt+EV+Jw8QB6O+WDKl2+fN0IZGVzmzSehf6+ittlNUdeX2qJxx6RoE
-Btw2VdcZIj9gzFxYf9Y9rf/9Zpp0Yc/NRBK9kKAwnPbMO0lytHUsWKTA8OcfBawZ
-mOzcnhOpZeUxneEn1LKbiBSMfGsWQnPnUfme8vSwrnP3vOrgSio5rL3LwLsIz4Bq
-z7yFdq8HBiF6z7NfJaxJZBljO/YDmYfjnwq024s24E+Fn9Bsdra85h1smGj+QIVE
-hVIvU8fU6s8MpWuvQVNBFQXoF5IqxfaH4Z0p8as0X3qSmd4f8x3P/XdmklGAzUQ9
-Za5SDn1mkJJvVK6jCRC8uf+M8nufZU/ORcFqu6eVc9WWgDJYIc93vyNMWKBnCoYl
-6GMC/IpKtveWUBaa28V76sSjjunv9gNHmYNGjwoLqd7lCLKppoQtPNwVFmHKJ16o
-iW0rVYoIypleOuevkEn3barYy1N6wxhZrFcHOqUMWH+kZnPjDHcTOQxCEyYDVULw
-uQclzZinR1vF4PeLIdFn74n2npXjFkCkaZa0ev10QROo1Tk4O+uv+5vAFVjsm5Fh
-RT3eXVGu87qnDu67fWTQjV2F7tLvYAAYdb47N9OyQjQoglPYdvqfoRFufL7oNluF
-AgwDfS7loNnfM+IBEACVwXlc001cWQw9f8AV37sySKWyhB9N4SG175lu7+T9DtwH
-/WDEgYERv9Fhcg7EwVclSFwUreg/PmY8cazIc1Sy6Z+Nv2TH4rp17jcy7zlZCZMT
-/twmW2MvgXS42qnb7jcvb3jQ9YTJs6fHV+PCMEsfjYKq+aSGr/ton/zFGqPIcLtF
-G3vZ62cyoxYebSNwXMkB9W+2t30Cg0xpTwas+3V7dkscB+sIU+KIoTsD2AqMfgyW
-Cia/U8H22qZiz8ugeod/gdsZytj4e5k72Yo2fm6owpHi4i+V/p333QbbP1G1/bzo
-nfUh7wT4jiApUbrJIDWebsJqi9bv3z8zLiy72BRATgRM2vd3b1Q0y83/PcC+XkT2
-l3/GRRScqM9ewVziol/BzSH1jBj6oA/3VJil8YEZsNhGhX15Bs9ZLwAy2HLSzJ8G
-8nVxNk6P0RRhD9m+Ue4Zb5PsH7CG21WOZTGWn/I9UXCHl7LnO4yT+qfESNDDzodF
-F7Zo7E5yheTLRsXxp1f4c5cGoZvgDU293s/U3DhZt5Y6z5vN3L/IDkBap2X6OWkp
-/HfIy3L0rvKwoYn3w8x+uCO0DpzUuZnjLpdarPhTWkiVj8uQkU80t3snHpvlwjEv
-Hzcuzz2XkDWwzlaJEUuUJ1+my6a41fDHdNHYqSryrVLkpMLxwz1PqNi3NomhG9Lp
-ARM67Ggjb520Cf5pmyj5cBZK57FMPwN2H/blT5GRcjFyfzl7H7Y+Fq9etcnZMIv+
-mJAFpqCoHasnEQKL5D4huxQDEsXqLvxO3/u79GU1w0AQgqg7KJLP6b3DRWAWI/Kl
-7MK95j5EPrrvl69AErdCOH+Pfqvzi1CDb4Zy2lKuMGGQRgqyLubIIdZQkzX6YLD+
-xuxxyiQ+P2imToe1KGGX39AFbdXuakqBgKiSLEU7MWwEAEd/LfDuuGV+aiJ83SZI
-ZWZGSe5ThdAsdWoHYcCtFgynhd+QnN5hW//ODNU8IeIPhjZRUxe2CQbAEQgfUXif
-vHn+JfcSo1pf7BcOnzTOlgTqFn6NmX/SYlAL1kpG2YwcJFK3ZRK2a/0db3DbeLXp
-2Nk40WD1tOdt8FDZHOXYRXFhmV6K/nEf56g7XMHnaESeEsQtzFvIq+SSxx0IkS+h
-gaoAO+Mz9SKoxWcabTBHimhDxqemmtDbTdk7iHQZZhmei0DJxSdxWzwj9nYeKggK
-aBxof2wuZAnki3nTlpy+p6S2S/TxP3wSZ9wMkBNkYRzWpTD5+fEqOhHtLgtyp2/M
-a6YrH4b1uvk86Sz4Uk18ZuvdgoVMx5UjUnmfRxEWNrZEhatr+y4nH1PPCVsVPvXO
-N3AyHCJWYGwUe+AXNegKJ8QJr/a+T2U/rVCujVoCUBGqebtm5L0RV9+1xCWmyeog
-wuGXF5duRcdMNr+dAHvrdUhQIyBm4cFWYHM97lP0HkOcOM+wJjSDmT5VorCW952g
-LPANVlddb4vO1TXvwjw7+yZFcpYH9pZtIC1Wp5a+UMvPewoPY2xZfh1ZsVJxUqp9
-FNHFEvRJuZzq80MIGY9s1rXrKiuAWJDGqEN8rlObuwNFrFfrDLDUgEhply/3Qcvi
-n73Ag7cleOs7yF4=
-=iyzN
------END PGP MESSAGE-----
-
-***** How to use
-
-I made a demo shell script for INT:
-
-#+begin_src bash
-#!/usr/bin/env bash
-CLIENT_ID="client-79d54f25-2a71-4bcb-b057-001f53091b2f"
-CLIENT_SECRET="..."
-ACCESS_TOKEN=$(curl -s -X POST "https://visibility.int.iroh.site/iroh/oauth2/token" -d "grant_type=client_credentials" -H  "accept: application/json" -H  "Content-Type: application/x-www-form-urlencoded" -u "$CLIENT_ID:$PASSWORD"|jq '.access_token'|sed 's/"//g')
-curl -X GET "https://iroh-adm.int.iroh.site/admin/queue/status-report/incidents" -H "accept: application/json" -H "Authorization: Bearer $ACCESS_TOKEN"
-#+end_src
-
-returns
-
-#+begin_src bash
-❯ ./demo.sh
-[{"queue-name":"incident-sessions","total-sessions":0,"total-processing-sessions":0,"total-pending-sessions":0,"factor-increase-needed":0}]
-#+end_src
-
-What this does is:
-
-1. retrieve an access token with the client (client-id + client-password)
-2. Call the =/admin/queue/status-report/incidents= route
-
-An important remark; notice the domain name is different between the admin
-and non admin calls. For INT and TEST, you just need to replace
-visibility by iroh-adm.
-But in prod, you need to use a completely different URL.
-
-Here is a JSON where I store the relations:
-
-#+begin_src js
-{"envs": [{"name":"INT",
-           "visurl":"int.iroh.site",
-           "internalurl":"int.iroh.site"},
-          {"name":"TEST",
-           "visurl":"test.iroh.site",
-           "internalurl":"test.iroh.site"},
-          {"name":"NAM",
-           "visurl":"amp.cisco.com",
-           "internalurl":"us-east-1.prod.iroh.site"},
-          {"name":"EU",
-           "visurl":"eu.amp.cisco.com",
-           "internalurl":"eu-west-1.prod.iroh.site"},
-          {"name":"APJC",
-           "visurl":"apjc.amp.cisco.com",
-           "internalurl":"ap-northeast-1.prod.iroh.site"}]}
-#+end_src
-
-Happy hacking!
-Yann.
-
-***** Details
-
------BEGIN PGP MESSAGE-----
-
-hQIMA30u5aDZ3zPiARAAqfa80rkkVQy2HpHd1tOZZ1NZaaSMwrWRQKXTfkD6fYpl
-HSOfyK9+9lKBV9Uz0H+l5DclDuenJ4akAMyaF5hhr7NfPZQ9exmnkODLDnpDTLoD
-adm7ArrQnowJHvMEH4ogxoWN902Q9d2apOnrHYr5JmvEc0rwv1dQ2IuJeOLEpZ33
-IYqP/rnOlhPZZd7lgyHGw2iRDU3XZfkyivPQtsWZqY6XWIoL2wNj/HlomtrcPLYj
-RxErXBOMS8GRr5FYeDyp+aGo3IpYMMMFffGCqew8yvphDhRYiO2SrQtTIp2+207j
-V7/FSp3dp9xhsLsOM4fzFuCe9UctjbZma9QngkRjUSDU7D0rXGoKydecau4TlBy7
-ZPDOlg+6JWbwXM6qXJNaYAJ6Ii3E2xGYdpBMWBRn/j9RzkS68wKeoQelySV3aDSi
-y00bbq/dq1Qh+tqyi7X8wj5tGf21Ri/Yd9D6DGWVTNvt0sj9CB55v3UfgZn5gcIy
-2Njdb96pO+7VGgspPf6JnwJdCFq97O9cLFK985uJpmGrYvjN5qMA2z6PewdL9PW/
-bPNCXMcfwwbJxqZKcfqoJUcRAQyatPDKvPgHXDgmgRtI3oMjwhWBDl5nmYgwjSDO
-uiKHNxMNGO2BMFWnJ3Qi1OTjG98+nWwmGoF6VlyzxAZtIjr2sGLrrbogreEA4XrS
-6QGqDwPhIf2GA0blOoiMKDVUxstru6kiQSOL0EmlWWDgCYamUGgiWUy5nZiveRDT
-JUdHsgLzIBrDElaZfxOim10PO0AkQgplMqSGfWI7LQ3fEPiIuXQFhXZBmBu+DC7C
-j7+QOu6DlhyPNVL0QiI4OeucizSWamcHYKL1IVC05XYm0FITf4oKiLfiFj/upleI
-736qOe9x4bsrS5ZUQmdmpCkv3Q0Yde3ATXOHxxspgOlJ55CCXRTM8J4Fcgwf38/O
-zM7L9Ly/H+0g52PCsyQRMmfYigVVJf14cjcyuBEN2rie32qs91ajiuIZpG3ECRJ0
-R2y4nnCKM+G8oM+23pgIWdX0ei6RAFnGANRcM7It/Ni21YcafxgkzLFJ6clMELi5
-vIzy9oAG85BK7Kwo/dxe3r3wQPC8cEmt9vRdR8v5rShYp0YTX5rJXZ4Kq2U6pGVo
-msxo/LQhvWsMZ2UPRIsDcyIHL36LRxdy/h7hkr6BJK2o1YwSwK0e6r4KbYlfyaij
-SiBDjuxwBFFkjAbnd8LoK0JDoEid9Eg7VXoFnDgq3X3Vr/yLRjA5yLkVgDuFdhgP
-zJ3k1ly4NVQTQuTalNcXY7JXV/yhP+EaxxJ09rudW0192O4EIAo8IXyPYxWmELqa
-yrnulQ7+g2l3DCS+ZrWBSRDFOJZSaWIPaU0xr2jXafy1wMqreDPE+YFQ2cnvt1J7
-RLdarjU7hh5vkmpxiaezi91+YFC8b+8JAb58f7MndaZfyTYK4ww+pjSOLwIg2EgE
-j9xuQRu5dy9xOKLL0jj3EBYrtH9eoGTtjrC3ycm0tIQTY4BJgGQ66KjsFfSzJ6gM
-FHONJHlcaIeEWsnMMKm42A15jZG0AjH1LUbnEc6KOHzwySQ28IjJvDKY2kU3Wt6R
-KoxbIox8fBvD8QunG+creFmYqG1IgFIodF9QgEdleRLJCKhB95HCCm3/qdSn1362
-6LyIClb09bNImrPo974yrZ/hnel8MNXPQyQJSCtqOUUI8JhRBKi0IGi07+TVIeqi
-5yakl8HSxnkbT0n6KLa0ZGOKFD5d0qXjwl1s6hnI4JTKCGDOyjHptVpjxsKT08jO
-1lzutH67duk6Z38Qr1fpv9iAgSCsnfgLaKC/0jbIsPsOXTpvODiHK+liAbQiqUnn
-XqRbQ2x4MavIy50zutVPduNgj72IUYvGfx1WO+mKt1uymx5DXidYoLAdCIru
-=4Qus
------END PGP MESSAGE-----
-=======
->>>>>>> e714315a8c096570b2629793969eec54e9fe2450
-
-** 2021-W45
-
-*** 2021-11-08 Monday
-**** EMAIL inscription BAC Anna                                      :work:email:
-[2021-11-08 Mon 12:22]
-- ref :: 
-
-** 2021-W46
-
-*** 2021-11-17 Wednesday
-**** MEETING Weekly meeting                                          :work:meeting:
-[2021-11-17 Wed 17:30]
-- ref :: 
-**** MEETING Weekly                                                  :work:meeting:
-[2021-11-17 Wed 17:05]
-- ref :: 
-
-*** 2021-11-18 Thursday
-**** MEETING Alan Interview                                          :work:meeting:
-[2021-11-18 Thu 16:29]
-- ref :: 
-***** Agenda (to discuss about)
-***** Notes
-***** Actions
-**** CHAT Small text about the breaking PR                           :work:chat:
-[2021-11-18 Thu 11:42]
-
-Good morning everyone!
-
-I wanted to drop a word about this PR: https://github.com/advthreat/iroh/pull/5998
-
-An interesting aspect of this PR was that a change (that first appeared to be minor)
-in some namespace impacted a failure in a ns that did not depend
-transitively of the first.
-
-I wanted to improve our build time by filtering the test by dependent ns only.
-It would have missed this build failure.
-So I still think this is a good idea to have an optimized test for
-branches, but the merge into master should run all the tests.
-
-**** MEETING Alan Interview                                          :work:meeting:
-[2021-11-18 Thu 09:56]
-- ref :: 
-***** Agenda (to discuss about)
-
-- in tupelo, why name it =glue= instead of =mconcat=?
-- Why =unwrap= and not =flatten=?
-
-***** Notes
-***** Actions
-
-*** 2021-11-19 Friday
-**** MEETING Monthly Engineering Meeting                             :work:meeting:
-[2021-11-19 Fri 17:02]
-- ref :: 
-.
-
-
-***** Updates
-***** Release Status
-
-- Issue with GlaDoS deployment, 1.86 done yesterday.
-- Issue with AO, pb with cross-launch.
-
-***** Services
-
-- High Impact Incident
-- Background support for DI
-- Added auditability API gateway
-
-Will focus on replicating/synchronize across the product of incidents.
-
-** 2021-W47
-
-*** 2021-11-23 Tuesday
-**** MEETING DI Secure Client weekly PO meeting                      :work:meeting:
-[2021-11-23 Tue 16:08]
-- ref :: 
-***** Actions
-
-- [ ] Apparently some clients scopes and authorization to do.
-
-** 2021-W48
-
-*** 2021-11-30 Tuesday
-**** MEETING Simplify login page                                     :work:meeting:
-[2021-11-30 Tue 16:01]
-
-https://github.com/advthreat/GLaDOS/issues/2555
-
-*** 2021-12-02 Thursday
-**** MEETING Weekly IROH-Service Team meeting                        :work:meeting:
-[2021-12-02 Thu 17:04]
-
-@Mark most special people are leaving.
-
-@Jyoti about Al. Come as a surprise and a chock.
-Certain there were politic about it.
-Start with UI & UX.
-
-Must not be done in silos.
-I has to be implementable.
-
-@Mark
-
-I feel that with AO with should have blame post-mortem.
-Never run all the way in TEST.
-They never talk to us about it.
-
-Discussion about QA
-
-@Mark
-Possible QA tested it and was never informed something will change.
-A retro for AO integration.
-
-***** Notes
-
-- Working on the refresh token DB (token grants)
-- Regarding the registering simplification I will need the work done by Olivier
-  To search users by domain name email.
-- We will need a pass of technical design. We will need another entities
-  about requested invitations. And yet another flow to integrate an
-  existing SecureX org.
-
-
-**** MEETING SecureX / Secure Endpoint Alignment                     :work:meeting:
-[2021-12-02 Thu 15:59]
-***** Actions
-Create a queue of requested invites.
-Admin can approve the request, the user is added to the org.
-A confirmation email is sent.
-
-** 2021-W49
-
-*** 2021-12-09 Thursday
-**** MEETING Weekly Team Meeting                                     :work:meeting:
-[2021-12-09 Thu 17:18]
-- ref :: 
-.
-
-
-***** Project Board
-
-****** Enrich API Enhancement
-Discussion
-****** Webhooks
-****** Hiring
-no professionnal experience in Clojure
-***** Remarks
-
-IDB Decommission.
-Meeting with Geetha next week.
-
-How can I do that?
-
-***** Actions
-IDB Decommission test Monday
-
-** 2021-W50
-
-*** 2021-12-13 Monday
-**** MEETING OIDC AO                                                 :work:meeting:
-[2021-12-13 Mon 17:02]
-- ref :: 
-
-April Ping fed expires.
-Is that still possible?
-Also no expertise.
-
-We had some action items. Where do we stand?
-
-Are we confident?
-Priority across the teams.
-
-TG and CSA.
-
-Just CSA and TG IdP.
-***** Action
-
-Continue test results after Holidays.
-- Test CSA
-- Test TG (direct OIDC)
-
-Sync up after shutdown.
-If success talk to QA to prepare tests.
-*** 2021-12-15 Wednesday
-**** MEETING Estimate New Registration Workflow                      :work:meeting:
-[2021-12-15 Wed 16:29]
-- ref :: https://github.com/advthreat/iroh/issues/6076
-
-***** Prevent User to login with public email page
-
-Should propose the user to login via another account (so use logout).
-
-Need templates.
-@Jilian will do the templates.
-***** Add an allow-list to pass throught the blocklist (@gmail,,,)
-
-1.89 Feb 2.
-
-**** MEETING IDB Decomissioning                                      :work:meeting:
-[2021-12-15 Wed 15:59]
-- ref :: 
-***** Agenda (to discuss about)
-***** Notes
-***** Actions
-
-** 2021-W51
-
-*** 2021-12-21 Tuesday
-**** CHAT Dar about using UI Components in the login pages           :work:chat:
-[2021-12-21 Tue 10:20]
-
-#+begin_quote
-@Dar
-Hey Yann, a question came up in our weekly sync about the login flows…
-now that they're getting a bit more sophisticated wouldn't it be better to
-start using common UI components rather than taking snapshots/hard-copies
-of styles and generating one-off templates?
-what are the security concerns around client-side rendering the auth UI?
-#+end_quote
-
-
-Hi Dar,
-
-So to answer the question historically.
-First, we didn't have any login page.
-It was 100% hosted in CTR UI.
-I just provided the route to create the login links (and this could still
-be used today and it is in the new login page).
-
-We faced many bugs (most of them related to URL encoding), and thus decided
-to close the gap by building an hosted login page.
-That way I can 100% control the behavior and have lot of tests to check url
-encoding related bugs.
-Do not forget that in CTR you often want to deal with URL with very complex
-URL fragments that contain a representation of the investigation, imagine
-text with carriage return, URL, emails, etc…
-
-Even recently we experienced subtle bugs. And the solution was to get rid
-as much as possible of the javascript code that handled the url parsing and building.
-Now, this is handled via the backend on the login page.
-
-So the 1st reason to host the login page was convenience and bug fixing and
-not necessarily security.
-
-Regarding security, I was afraid to introduce a security bug because, the
-login page is clearly a nice entry point for security attack.
-So I tried to be as conservative as possible.
-So no js when possible.
-And if we need to use js, do not use any lib, just basic javascript so the
-code is easy to understand and debug.
-
-There is another complexity to keep in mind.
-For historical reason, for now, there is no "session" when the user has
-logged in via the IdP but hasn't yet selected a user and thus is not logged
-in SecureX.
-Right now, we handle this state with a token in the URLs.
-And this token can be consumed only once.
-By that I mean, in the account selection page you will have links looking like:
-
-- https://..../select-org-1?code=XXX
-- https://..../select-org-2?code=XXX
-- https://..../select-org-3?code=XXX
-
-When the user will click on the first link; the code =XXX=
-will be consumed and the other links will not work.
-So I ensure that the user need to perform a login workflow again to login
-into another org.
-
-So that being, said.
-I think now we are in a new situation where I think we could totally have a
-lot more convenient system.
-
-1. I need to create a notion of session when the user is logged in in the
-   IdP but has not selected a SecureX account.
-2. Use more js to ease the UI work, typically, UI components. The limit
-   being that the CSP header are restrictive in the sense that we must host
-   the JS at the same URL, and we should probably still generate data via
-   the backend, maybe still keep a bit of HTML.
-
-In fact, we need the backend to be able to provide a set of informations to
-the UI and take care that no XSS could be possible.
-I think the main risk is that, the login page must support complex query
-parameters.
-So great care should be taken in the parsing of these query parameters.
-To give a concrete example:
-
-You should be able to generate a page for a URL looking like:
-
-https://securex...cisco.com/login?redirects=<URL2>
-
-Where URL2 should be encoded correctly, and could itself be complex:
-
-URL2: https://visibility...cisco.com/investigate#q=<QUERY>
-
-Where QUERY should be encoded an could contain urls, emails:
-
-QUERY:
-
-#+begin_src
-url:http://attack.com/foo?param=something-complex
-foo@example.com
-some random text
-carriage return, unicode, emojis? etc…
-#+end_src
-
-So to present the login page, every button should take care that adding a
-=<script>= somewhere will not generate an XSS, that the encoding is correct.
-And that login link could be forged by an attacker, and it should not be
-possible to hijack the redirection to a non allowed login endpoint.
-Because in that case, the endpoint will get a =code= from which we could
-retrieve the creds of the user.
-
-To me this totally doable, and I think should be the preferred route.