diff --git a/.env.example b/.env.example
new file mode 100644
index 0000000..7bd3dc7
--- /dev/null
+++ b/.env.example
@@ -0,0 +1,15 @@
+# Lapdev API configuration
+
+# Required: PostgreSQL connection URL for the Lapdev database.
+# Example: postgres://username:password@db-host:5432/lapdev
+LAPDEV_DB_URL=postgres://username:password@localhost:5432/lapdev
+
+# Optional overrides with sensible defaults.
+LAPDEV_BIND_ADDR=0.0.0.0
+LAPDEV_HTTP_PORT=8080
+LAPDEV_SSH_PROXY_PORT=2222
+LAPDEV_SSH_PROXY_DISPLAY_PORT=2222
+LAPDEV_PREVIEW_URL_PROXY_PORT=8443
+
+# Set to force all workspaces to run under a specific OS user.
+# LAPDEV_FORCE_OSUSER=
diff --git a/.github/workflows/release-cli.yml b/.github/workflows/release-cli.yml
new file mode 100644
index 0000000..5e8754b
--- /dev/null
+++ b/.github/workflows/release-cli.yml
@@ -0,0 +1,246 @@
+name: Release Lapdev CLI
+
+on:
+  workflow_dispatch:
+    inputs:
+      version:
+        description: "Lapdev CLI version (e.g. 0.1.0). Must match Cargo.toml."
+        required: true
+  push:
+    tags:
+      - "lapdev-cli-v*"
+
+jobs:
+  prepare:
+    runs-on: ubuntu-latest
+    outputs:
+      version: ${{ steps.vars.outputs.version }}
+      tag_name: ${{ steps.vars.outputs.tag_name }}
+    steps:
+      - uses: actions/checkout@v4
+
+      - id: vars
+        run: |
+          if [[ "${{ github.event_name }}" == "workflow_dispatch" ]]; then
+            VERSION="${{ github.event.inputs.version }}"
+          else
+            VERSION="${GITHUB_REF_NAME#lapdev-cli-v}"
+          fi
+
+          VERSION="${VERSION#v}"
+          if [[ -z "$VERSION" ]]; then
+            echo "Unable to determine version" >&2
+            exit 1
+          fi
+
+          TAG_NAME="lapdev-cli-v${VERSION}"
+
+          echo "version=$VERSION" >> "$GITHUB_OUTPUT"
+          echo "tag_name=$TAG_NAME" >> "$GITHUB_OUTPUT"
+
+      - name: Verify Cargo version matches release version
+        run: |
+          FILE_VERSION=$(python - <<'PY'
+          import pathlib, tomllib
+          data = tomllib.loads(pathlib.Path("Cargo.toml").read_text())
+          print(data["workspace"]["package"]["version"])
+          PY
+          )
+          if [[ "$FILE_VERSION" != "${{ steps.vars.outputs.version }}" ]]; then
+            echo "Cargo workspace version ${FILE_VERSION} does not match requested version ${{ steps.vars.outputs.version }}" >&2
+            exit 1
+          fi
+
+  build:
+    needs: prepare
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - os: ubuntu-22.04
+            target: x86_64-unknown-linux-gnu
+            archive: tar.gz
+          - os: ubuntu-22.04
+            target: aarch64-unknown-linux-gnu
+            archive: tar.gz
+          - os: macos-13
+            target: x86_64-apple-darwin
+            archive: tar.gz
+          - os: macos-14
+            target: aarch64-apple-darwin
+            archive: tar.gz
+          - os: windows-latest
+            target: x86_64-pc-windows-msvc
+            archive: zip
+          - os: windows-latest
+            target: aarch64-pc-windows-msvc
+            archive: zip
+    runs-on: ${{ matrix.os }}
+    permissions:
+      contents: read
+      id-token: write
+    env:
+      TARGET: ${{ matrix.target }}
+      ARCHIVE_NAME: lapdev-cli-${{ matrix.target }}.${{ matrix.archive }}
+      ARTIFACT_NAME: lapdev-cli-${{ matrix.target }}
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 1
+
+      - uses: dtolnay/rust-toolchain@stable
+        with:
+          targets: ${{ matrix.target }}
+          components: "clippy,rustfmt"
+
+      - name: Install Linux cross toolchain
+        if: runner.os == 'Linux' && contains(matrix.target, 'aarch64-unknown-linux-gnu')
+        run: |
+          sudo apt-get update
+          sudo apt-get install --yes gcc-aarch64-linux-gnu
+
+      - name: Cargo fetch
+        run: cargo fetch --locked
+        if: runner.os != 'Windows'
+
+      - name: Cargo fetch (Windows)
+        if: runner.os == 'Windows'
+        shell: pwsh
+        run: cargo fetch --locked
+
+      - name: Build (Unix)
+        if: runner.os != 'Windows'
+        run: cargo build -p lapdev-cli --release --locked --target "${TARGET}"
+
+      - name: Build (Windows)
+        if: runner.os == 'Windows'
+        shell: pwsh
+        run: cargo build -p lapdev-cli --release --locked --target $env:TARGET
+
+      - name: Import Apple code signing cert
+        if: runner.os == 'macOS'
+        uses: apple-actions/import-codesign-certs@v3
+        with:
+          p12-file-base64: ${{ secrets.APPLE_CODESIGN_CERT_BASE64 }}
+          p12-password: ${{ secrets.APPLE_CODESIGN_CERT_PASSWORD }}
+
+      - name: Codesign binary (macOS)
+        if: runner.os == 'macOS'
+        env:
+          APPLE_CODESIGN_IDENTITY: ${{ secrets.APPLE_CODESIGN_IDENTITY }}
+        run: |
+          codesign --force --timestamp --options runtime --sign "${APPLE_CODESIGN_IDENTITY}" "target/${TARGET}/release/lapdev-cli"
+
+      - name: Notarize macOS binary
+        if: runner.os == 'macOS'
+        env:
+          APPLE_ID: ${{ secrets.APPLE_NOTARIZE_APPLE_ID }}
+          APPLE_PASSWORD: ${{ secrets.APPLE_NOTARIZE_APP_SPECIFIC_PASSWORD }}
+          APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
+        run: |
+          mkdir -p notarize
+          cp "target/${TARGET}/release/lapdev-cli" notarize/lapdev
+          ditto -c -k --keepParent notarize/lapdev notarize.zip
+          xcrun notarytool submit notarize.zip --apple-id "${APPLE_ID}" --team-id "${APPLE_TEAM_ID}" --password "${APPLE_PASSWORD}" --wait
+          xcrun stapler staple "target/${TARGET}/release/lapdev-cli"
+          rm -rf notarize notarize.zip
+
+      - name: Sign Windows binary
+        if: runner.os == 'Windows'
+        shell: pwsh
+        env:
+          WINDOWS_SIGNING_CERT: ${{ secrets.WINDOWS_SIGNING_CERT_BASE64 }}
+          WINDOWS_SIGNING_CERT_PASSWORD: ${{ secrets.WINDOWS_SIGNING_CERT_PASSWORD }}
+        run: |
+          if (-not $env:WINDOWS_SIGNING_CERT) {
+            throw "WINDOWS_SIGNING_CERT_BASE64 secret is required"
+          }
+          if (-not $env:WINDOWS_SIGNING_CERT_PASSWORD) {
+            throw "WINDOWS_SIGNING_CERT_PASSWORD secret is required"
+          }
+          $pfxPath = Join-Path $env:RUNNER_TEMP "codesign.pfx"
+          [IO.File]::WriteAllBytes($pfxPath, [Convert]::FromBase64String($env:WINDOWS_SIGNING_CERT))
+          $signtool = Get-ChildItem "C:\Program Files (x86)\Windows Kits\10\bin" -Filter signtool.exe -Recurse | Sort-Object FullName -Descending | Select-Object -First 1
+          if (-not $signtool) {
+            throw "signtool.exe not found"
+          }
+          & $signtool.FullName sign /fd SHA256 /td SHA256 /tr http://timestamp.digicert.com /f $pfxPath /p $env:WINDOWS_SIGNING_CERT_PASSWORD "target\${env:TARGET}\release\lapdev-cli.exe"
+          Remove-Item $pfxPath -Force
+
+      - name: Prepare artifact (Unix)
+        if: runner.os != 'Windows'
+        run: |
+          BIN="target/${TARGET}/release/lapdev-cli"
+          install -Dm755 "${BIN}" pack/lapdev
+          tar -C pack -czf "${ARCHIVE_NAME}" lapdev
+
+      - name: Prepare artifact (Windows)
+        if: runner.os == 'Windows'
+        shell: pwsh
+        run: |
+          $bin = "target\${env:TARGET}\release\lapdev-cli.exe"
+          New-Item -ItemType Directory -Path pack -Force | Out-Null
+          Copy-Item $bin "pack\lapdev.exe" -Force
+          Compress-Archive -Path "pack\lapdev.exe" -DestinationPath $env:ARCHIVE_NAME -Force
+
+      - uses: sigstore/cosign-installer@v3.7.0
+
+      - name: Sign artifact (Unix)
+        if: runner.os != 'Windows'
+        env:
+          COSIGN_EXPERIMENTAL: "1"
+        run: |
+          cosign sign-blob --yes --output-signature "${ARCHIVE_NAME}.sig" --output-certificate "${ARCHIVE_NAME}.pem" "${ARCHIVE_NAME}"
+
+      - name: Sign artifact (Windows)
+        if: runner.os == 'Windows'
+        shell: pwsh
+        env:
+          COSIGN_EXPERIMENTAL: "1"
+        run: |
+          cosign sign-blob --yes --output-signature "$env:ARCHIVE_NAME.sig" --output-certificate "$env:ARCHIVE_NAME.pem" "$env:ARCHIVE_NAME"
+
+      - uses: actions/upload-artifact@v4
+        with:
+          name: ${{ env.ARTIFACT_NAME }}
+          path: |
+            ${{ env.ARCHIVE_NAME }}
+            ${{ env.ARCHIVE_NAME }}.sig
+            ${{ env.ARCHIVE_NAME }}.pem
+
+  publish:
+    needs: [prepare, build]
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: actions/download-artifact@v4
+        with:
+          path: release
+
+      - name: List artifacts
+        run: ls -R release
+
+      - name: Create GitHub release
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          TAG_NAME: ${{ needs.prepare.outputs.tag_name }}
+          VERSION: ${{ needs.prepare.outputs.version }}
+        run: |
+          FILES=()
+          while IFS= read -r -d '' file; do
+            FILES+=("$file")
+          done < <(find release -type f -print0)
+
+          if [[ ${#FILES[@]} -eq 0 ]]; then
+            echo "No artifacts found to upload" >&2
+            exit 1
+          fi
+
+          FILES+=("pkg/installers/lapdev-cli.sh" "pkg/installers/lapdev-cli.ps1")
+
+          gh release create "${TAG_NAME}" "${FILES[@]}" \
+            --title "Lapdev CLI v${VERSION}" \
+            --notes "Prebuilt Lapdev CLI binaries for version v${VERSION}."
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 43de488..503eff8 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -76,6 +76,8 @@ jobs:
             ./target/debian/lapdev-ws_${{ github.event.inputs.lapdev_version }}-1_amd64.deb
             ./pkg/common/install.sh
             ./pkg/common/install-ws.sh
+            ./pkg/installers/lapdev-cli.sh
+            ./pkg/installers/lapdev-cli.ps1
           retention-days: 1
   
   publish:
@@ -100,4 +102,6 @@ jobs:
         if: github.event_name != 'pull_request'
         run: |
           gh release create $TAG_NAME --title "$TAG_NAME" --target $GITHUB_SHA \
-            lapdev-linux/*/*/*
+            lapdev-linux/*/*/* \
+            pkg/installers/lapdev-cli.sh \
+            pkg/installers/lapdev-cli.ps1
diff --git a/.gitignore b/.gitignore
index 5c9e44f..b5e3274 100644
--- a/.gitignore
+++ b/.gitignore
@@ -2,3 +2,4 @@
 /lapdev-dashboard/dist
 .lapce
 .env
+.git-credentials
diff --git a/Cargo.lock b/Cargo.lock
index d4bdedb..d56e0c9 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -1,21 +1,12 @@
 # This file is automatically @generated by Cargo.
 # It is not intended for manual editing.
-version = 3
+version = 4
 
 [[package]]
-name = "addr2line"
-version = "0.21.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "8a30b2e23b9e17a9f90641c7ab1549cd9b44f296d3ccbf309d2863cfe398a0cb"
-dependencies = [
- "gimli",
-]
-
-[[package]]
-name = "adler"
-version = "1.0.2"
+name = "adler2"
+version = "2.0.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "f26201604c87b1e01bd3d98f8d5d9a8fcbb815e8cedb41ffccbeb4bf593a35fe"
+checksum = "320119579fcad9c21884f5c4861d16174d0e06250625266f50fe6898340abefa"
 
 [[package]]
 name = "aead"
@@ -29,9 +20,9 @@ dependencies = [
 
 [[package]]
 name = "aes"
-version = "0.8.3"
+version = "0.8.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "ac1f845298e95f983ff1944b728ae08b8cebab80d684f0a832ed0fc74dfa27e2"
+checksum = "b169f7a6d4742236a0a00c541b845991d0ac43e546831af1249753ab4c3aa3a0"
 dependencies = [
  "cfg-if",
  "cipher",
@@ -54,23 +45,23 @@ dependencies = [
 
 [[package]]
 name = "ahash"
-version = "0.7.7"
+version = "0.7.8"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "5a824f2aa7e75a0c98c5a504fceb80649e9c35265d44525b5f94de4771a395cd"
+checksum = "891477e0c6a8957309ee5c45a6368af3ae14bb510732d2684ffa19af310920f9"
 dependencies = [
- "getrandom",
+ "getrandom 0.2.16",
  "once_cell",
  "version_check",
 ]
 
 [[package]]
 name = "ahash"
-version = "0.8.6"
+version = "0.8.12"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "91429305e9f0a25f6205c5b8e0d2db09e0708a7a6df0f42212bb56c32c8ac97a"
+checksum = "5a15f179cd60c4584b8a8c596927aadc462e27f2ca70c04e0071964a73ba7a75"
 dependencies = [
  "cfg-if",
- "getrandom",
+ "getrandom 0.3.3",
  "once_cell",
  "version_check",
  "zerocopy",
@@ -78,9 +69,9 @@ dependencies = [
 
 [[package]]
 name = "aho-corasick"
-version = "1.1.2"
+version = "1.1.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "b2969dcb958b36655471fc61f7e416fa76033bdd4bfed0678d8fee1e2d07a1f0"
+checksum = "8e60d3430d3a69478ad0993f19238d2df97c507009a52b3c10addcd7f6bcb916"
 dependencies = [
  "memchr",
 ]
@@ -93,9 +84,9 @@ checksum = "250f629c0161ad8107cf89319e990051fae62832fd343083bea452d93e2205fd"
 
 [[package]]
 name = "allocator-api2"
-version = "0.2.16"
+version = "0.2.21"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "0942ffc6dcaadf03badf6e6a2d0228460359d5e34b57ccdc720b7382dfbd5ec5"
+checksum = "683d7910e743518b0e34f1186f92494becacb047c7b6bf616c96772180fef923"
 
 [[package]]
 name = "android-tzdata"
@@ -114,57 +105,70 @@ dependencies = [
 
 [[package]]
 name = "anstream"
-version = "0.6.11"
+version = "0.6.19"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "6e2e1ebcb11de5c03c67de28a7df593d32191b44939c482e97702baaaa6ab6a5"
+checksum = "301af1932e46185686725e0fad2f8f2aa7da69dd70bf6ecc44d6b703844a3933"
 dependencies = [
  "anstyle",
  "anstyle-parse",
  "anstyle-query",
  "anstyle-wincon",
  "colorchoice",
+ "is_terminal_polyfill",
  "utf8parse",
 ]
 
 [[package]]
 name = "anstyle"
-version = "1.0.4"
+version = "1.0.11"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "7079075b41f533b8c61d2a4d073c4676e1f8b249ff94a393b0595db304e0dd87"
+checksum = "862ed96ca487e809f1c8e5a8447f6ee2cf102f846893800b20cebdf541fc6bbd"
 
 [[package]]
 name = "anstyle-parse"
-version = "0.2.3"
+version = "0.2.7"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "c75ac65da39e5fe5ab759307499ddad880d724eed2f6ce5b5e8a26f4f387928c"
+checksum = "4e7644824f0aa2c7b9384579234ef10eb7efb6a0deb83f9630a49594dd9c15c2"
 dependencies = [
  "utf8parse",
 ]
 
 [[package]]
 name = "anstyle-query"
-version = "1.0.2"
+version = "1.1.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "e28923312444cdd728e4738b3f9c9cac739500909bb3d3c94b43551b16517648"
+checksum = "6c8bdeb6047d8983be085bab0ba1472e6dc604e7041dbf6fcd5e71523014fae9"
 dependencies = [
- "windows-sys 0.52.0",
+ "windows-sys 0.59.0",
 ]
 
 [[package]]
 name = "anstyle-wincon"
-version = "3.0.2"
+version = "3.0.9"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "1cd54b81ec8d6180e24654d0b371ad22fc3dd083b6ff8ba325b72e00c87660a7"
+checksum = "403f75924867bb1033c59fbf0797484329750cfbe3c4325cd33127941fabc882"
 dependencies = [
  "anstyle",
- "windows-sys 0.52.0",
+ "once_cell_polyfill",
+ "windows-sys 0.59.0",
+]
+
+[[package]]
+name = "any_spawner"
+version = "0.3.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "1384d3fe1eecb464229fcf6eebb72306591c56bf27b373561489458a7c73027d"
+dependencies = [
+ "futures",
+ "thiserror 2.0.17",
+ "wasm-bindgen-futures",
 ]
 
 [[package]]
 name = "anyhow"
-version = "1.0.66"
+version = "1.0.98"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "216261ddc8289130e551ddcd5ce8a064710c0d064a4d2895c67151c92b5443f6"
+checksum = "e16d2d3311acee920a9eb8d33b8cbc1787ce4a264e85f964c2404b969bdcd487"
 
 [[package]]
 name = "argon2"
@@ -180,40 +184,194 @@ dependencies = [
 
 [[package]]
 name = "arrayvec"
-version = "0.7.4"
+version = "0.7.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "7c02d123df017efcdfbd739ef81735b36c5ba83ec3c59c80a9d7ecc718f92e50"
+
+[[package]]
+name = "async-attributes"
+version = "1.1.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a3203e79f4dd9bdda415ed03cf14dae5a2bf775c683a00f94e9cd1faf0f596e5"
+dependencies = [
+ "quote",
+ "syn 1.0.109",
+]
+
+[[package]]
+name = "async-broadcast"
+version = "0.7.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "435a87a52755b8f27fcf321ac4f04b2802e337c8c4872923137471ec39c37532"
+dependencies = [
+ "event-listener 5.4.0",
+ "event-listener-strategy",
+ "futures-core",
+ "pin-project-lite",
+]
+
+[[package]]
+name = "async-channel"
+version = "1.9.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "81953c529336010edd6d8e358f886d9581267795c61b19475b71314bffa46d35"
+dependencies = [
+ "concurrent-queue",
+ "event-listener 2.5.3",
+ "futures-core",
+]
+
+[[package]]
+name = "async-channel"
+version = "2.5.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "96d30a06541fbafbc7f82ed10c06164cfbd2c401138f6addd8404629c4b16711"
+checksum = "924ed96dd52d1b75e9c1a3e6275715fd320f5f9439fb5a4a11fa51f4221158d2"
+dependencies = [
+ "concurrent-queue",
+ "event-listener-strategy",
+ "futures-core",
+ "pin-project-lite",
+]
 
 [[package]]
 name = "async-compression"
-version = "0.4.6"
+version = "0.4.33"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "a116f46a969224200a0a97f29cfd4c50e7534e4b4826bd23ea2c3c533039c82c"
+checksum = "93c1f86859c1af3d514fa19e8323147ff10ea98684e6c7b307912509f50e67b2"
 dependencies = [
+ "compression-codecs",
+ "compression-core",
  "futures-core",
- "memchr",
  "pin-project-lite",
  "tokio",
- "zstd",
- "zstd-safe",
 ]
 
 [[package]]
-name = "async-recursion"
-version = "1.0.5"
+name = "async-executor"
+version = "1.13.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "5fd55a5ba1179988837d24ab4c7cc8ed6efdeff578ede0416b4225a5fca35bd0"
+checksum = "bb812ffb58524bdd10860d7d974e2f01cc0950c2438a74ee5ec2e2280c6c4ffa"
 dependencies = [
- "proc-macro2",
- "quote",
- "syn 2.0.98",
+ "async-task",
+ "concurrent-queue",
+ "fastrand 2.3.0",
+ "futures-lite 2.6.0",
+ "pin-project-lite",
+ "slab",
+]
+
+[[package]]
+name = "async-global-executor"
+version = "2.4.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "05b1b633a2115cd122d73b955eadd9916c18c8f510ec9cd1686404c60ad1c29c"
+dependencies = [
+ "async-channel 2.5.0",
+ "async-executor",
+ "async-io 2.5.0",
+ "async-lock 3.4.0",
+ "blocking",
+ "futures-lite 2.6.0",
+ "once_cell",
+ "tokio",
+]
+
+[[package]]
+name = "async-io"
+version = "1.13.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "0fc5b45d93ef0529756f812ca52e44c221b35341892d3dcc34132ac02f3dd2af"
+dependencies = [
+ "async-lock 2.8.0",
+ "autocfg",
+ "cfg-if",
+ "concurrent-queue",
+ "futures-lite 1.13.0",
+ "log",
+ "parking",
+ "polling 2.8.0",
+ "rustix 0.37.28",
+ "slab",
+ "socket2 0.4.10",
+ "waker-fn",
+]
+
+[[package]]
+name = "async-io"
+version = "2.5.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "19634d6336019ef220f09fd31168ce5c184b295cbf80345437cc36094ef223ca"
+dependencies = [
+ "async-lock 3.4.0",
+ "cfg-if",
+ "concurrent-queue",
+ "futures-io",
+ "futures-lite 2.6.0",
+ "parking",
+ "polling 3.9.0",
+ "rustix 1.0.8",
+ "slab",
+ "windows-sys 0.60.2",
+]
+
+[[package]]
+name = "async-lock"
+version = "2.8.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "287272293e9d8c41773cec55e365490fe034813a2f172f502d6ddcf75b2f582b"
+dependencies = [
+ "event-listener 2.5.3",
+]
+
+[[package]]
+name = "async-lock"
+version = "3.4.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ff6e472cdea888a4bd64f342f09b3f50e1886d32afe8df3d663c01140b811b18"
+dependencies = [
+ "event-listener 5.4.0",
+ "event-listener-strategy",
+ "pin-project-lite",
+]
+
+[[package]]
+name = "async-once-cell"
+version = "0.5.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "4288f83726785267c6f2ef073a3d83dc3f9b81464e9f99898240cced85fce35a"
+
+[[package]]
+name = "async-std"
+version = "1.13.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "730294c1c08c2e0f85759590518f6333f0d5a0a766a27d519c1b244c3dfd8a24"
+dependencies = [
+ "async-attributes",
+ "async-channel 1.9.0",
+ "async-global-executor",
+ "async-io 2.5.0",
+ "async-lock 3.4.0",
+ "crossbeam-utils",
+ "futures-channel",
+ "futures-core",
+ "futures-io",
+ "futures-lite 2.6.0",
+ "gloo-timers 0.3.0",
+ "kv-log-macro",
+ "log",
+ "memchr",
+ "once_cell",
+ "pin-project-lite",
+ "pin-utils",
+ "slab",
+ "wasm-bindgen-futures",
 ]
 
 [[package]]
 name = "async-stream"
-version = "0.3.5"
+version = "0.3.6"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "cd56dd203fef61ac097dd65721a419ddccb106b2d2b70ba60a6b529f03961a51"
+checksum = "0b5a71a6f37880a80d1d7f19efd781e4b5de42c88f0722cc13bcb6cc2cfe8476"
 dependencies = [
  "async-stream-impl",
  "futures-core",
@@ -222,24 +380,30 @@ dependencies = [
 
 [[package]]
 name = "async-stream-impl"
-version = "0.3.5"
+version = "0.3.6"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "16e62a023e7c117e27523144c5d2459f4397fcc3cab0085af8e2224f643a0193"
+checksum = "c7c24de15d275a1ecfd47a380fb4d5ec9bfe0933f309ed5e705b775596a3574d"
 dependencies = [
  "proc-macro2",
  "quote",
- "syn 2.0.98",
+ "syn 2.0.104",
 ]
 
+[[package]]
+name = "async-task"
+version = "4.7.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "8b75356056920673b02621b35afd0f7dda9306d03c79a30f5c56c44cf256e3de"
+
 [[package]]
 name = "async-trait"
-version = "0.1.74"
+version = "0.1.88"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "a66537f1bb974b254c98ed142ff995236e81b9d0fe4db0575f46612cb15eb0f9"
+checksum = "e539d3fca749fcee5236ab05e93a52867dd549cc157c8cb7f99595f3cedffdb5"
 dependencies = [
  "proc-macro2",
  "quote",
- "syn 2.0.98",
+ "syn 2.0.104",
 ]
 
 [[package]]
@@ -252,32 +416,30 @@ dependencies = [
 ]
 
 [[package]]
-name = "atomic-write-file"
-version = "0.1.2"
+name = "atomic-waker"
+version = "1.1.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "edcdbedc2236483ab103a53415653d6b4442ea6141baf1ffa85df29635e88436"
-dependencies = [
- "nix",
- "rand",
-]
+checksum = "1505bd5d3d116872e7271a6d4e16d81d0c8570876c8de68093a09ac269d8aac0"
 
 [[package]]
 name = "attribute-derive"
-version = "0.8.1"
+version = "0.10.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "0c94f43ede6f25dab1dea046bff84d85dea61bd49aba7a9011ad66c0d449077b"
+checksum = "0053e96dd3bec5b4879c23a138d6ef26f2cb936c9cdc96274ac2b9ed44b5bb54"
 dependencies = [
  "attribute-derive-macro",
+ "derive-where",
+ "manyhow",
  "proc-macro2",
  "quote",
- "syn 2.0.98",
+ "syn 2.0.104",
 ]
 
 [[package]]
 name = "attribute-derive-macro"
-version = "0.8.1"
+version = "0.10.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "b409e2b2d2dc206d2c0ad3575a93f001ae21a1593e2d0c69b69c308e63f3b422"
+checksum = "463b53ad0fd5b460af4b1915fe045ff4d946d025fb6c4dc3337752eaa980f71b"
 dependencies = [
  "collection_literals",
  "interpolator",
@@ -286,30 +448,55 @@ dependencies = [
  "proc-macro2",
  "quote",
  "quote-use",
- "syn 2.0.98",
+ "syn 2.0.104",
 ]
 
 [[package]]
 name = "autocfg"
-version = "1.1.0"
+version = "1.5.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "c08606f8c3cbf4ce6ec8e28fb0014a2c086708fe954eaa885384a6165172e7e8"
+
+[[package]]
+name = "aws-lc-rs"
+version = "1.14.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "879b6c89592deb404ba4dc0ae6b58ffd1795c78991cbb5b8bc441c48a070440d"
+dependencies = [
+ "aws-lc-sys",
+ "untrusted 0.7.1",
+ "zeroize",
+]
+
+[[package]]
+name = "aws-lc-sys"
+version = "0.32.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "d468802bab17cbc0cc575e9b053f41e72aa36bfa6b7f55e3529ffa43161b97fa"
+checksum = "107a4e9d9cab9963e04e84bb8dee0e25f2a987f9a8bad5ed054abd439caa8f8c"
+dependencies = [
+ "bindgen",
+ "cc",
+ "cmake",
+ "dunce",
+ "fs_extra",
+]
 
 [[package]]
 name = "axum"
-version = "0.7.4"
+version = "0.8.6"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "1236b4b292f6c4d6dc34604bb5120d85c3fe1d1aa596bd5cc52ca054d13e7b9e"
+checksum = "8a18ed336352031311f4e0b4dd2ff392d4fbb370777c9d18d7fc9d7359f73871"
 dependencies = [
- "async-trait",
  "axum-core",
- "base64 0.21.7",
+ "axum-macros",
+ "base64",
  "bytes",
+ "form_urlencoded",
  "futures-util",
- "http 1.2.0",
- "http-body 1.0.1",
+ "http",
+ "http-body",
  "http-body-util",
- "hyper 1.6.0",
+ "hyper",
  "hyper-util",
  "itoa",
  "matchit",
@@ -317,16 +504,15 @@ dependencies = [
  "mime",
  "percent-encoding",
  "pin-project-lite",
- "rustversion",
- "serde",
+ "serde_core",
  "serde_json",
  "serde_path_to_error",
  "serde_urlencoded",
  "sha1",
- "sync_wrapper 0.1.2",
+ "sync_wrapper",
  "tokio",
- "tokio-tungstenite 0.21.0",
- "tower 0.4.13",
+ "tokio-tungstenite",
+ "tower",
  "tower-layer",
  "tower-service",
  "tracing",
@@ -334,31 +520,29 @@ dependencies = [
 
 [[package]]
 name = "axum-client-ip"
-version = "0.5.0"
+version = "1.1.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "0f5ffe4637708b326c621d5494ab6c91dcf62ee440fa6ee967d289315a9c6f81"
+checksum = "3f08a543641554404b42acd0d2494df12ca2be034d7b8ee4dbbf7446f940a2ef"
 dependencies = [
  "axum",
- "forwarded-header-value",
+ "client-ip",
  "serde",
 ]
 
 [[package]]
 name = "axum-core"
-version = "0.4.3"
+version = "0.5.5"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "a15c63fd72d41492dc4f497196f5da1fb04fb7529e631d73630d1b491e47a2e3"
+checksum = "59446ce19cd142f8833f856eb31f3eb097812d1479ab224f54d72428ca21ea22"
 dependencies = [
- "async-trait",
  "bytes",
- "futures-util",
- "http 1.2.0",
- "http-body 1.0.1",
+ "futures-core",
+ "http",
+ "http-body",
  "http-body-util",
  "mime",
  "pin-project-lite",
- "rustversion",
- "sync_wrapper 0.1.2",
+ "sync_wrapper",
  "tower-layer",
  "tower-service",
  "tracing",
@@ -366,58 +550,59 @@ dependencies = [
 
 [[package]]
 name = "axum-extra"
-version = "0.9.2"
+version = "0.12.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "895ff42f72016617773af68fb90da2a9677d89c62338ec09162d4909d86fdd8f"
+checksum = "5136e6c5e7e7978fe23e9876fb924af2c0f84c72127ac6ac17e7c46f457d362c"
 dependencies = [
  "axum",
  "axum-core",
  "bytes",
+ "futures-core",
  "futures-util",
  "headers",
- "http 1.2.0",
- "http-body 1.0.1",
+ "http",
+ "http-body",
  "http-body-util",
  "mime",
  "pin-project-lite",
- "serde",
- "tower 0.4.13",
  "tower-layer",
  "tower-service",
+ "tracing",
 ]
 
 [[package]]
-name = "backtrace"
-version = "0.3.69"
+name = "axum-macros"
+version = "0.5.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "2089b7e3f35b9dd2d0ed921ead4f6d318c27680d4a5bd167b3ee120edb105837"
+checksum = "604fde5e028fea851ce1d8570bbdc034bec850d157f7569d10f347d06808c05c"
 dependencies = [
- "addr2line",
- "cc",
- "cfg-if",
- "libc",
- "miniz_oxide",
- "object",
- "rustc-demangle",
+ "proc-macro2",
+ "quote",
+ "syn 2.0.104",
 ]
 
 [[package]]
-name = "base16ct"
-version = "0.2.0"
+name = "backon"
+version = "1.5.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "4c7f02d4ea65f2c1853089ffd8d2787bdbc63de2f0d29dedbcf8ccdfa0ccd4cf"
+checksum = "592277618714fbcecda9a02ba7a8781f319d26532a88553bbacc77ba5d2b3a8d"
+dependencies = [
+ "fastrand 2.3.0",
+ "gloo-timers 0.3.0",
+ "tokio",
+]
 
 [[package]]
-name = "base64"
-version = "0.13.1"
+name = "base16"
+version = "0.2.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "9e1b586273c5702936fe7b7d6896644d8be71e6314cfe09d3167c95f712589e8"
+checksum = "d27c3610c36aee21ce8ac510e6224498de4228ad772a171ed65643a24693a5a8"
 
 [[package]]
-name = "base64"
-version = "0.21.7"
+name = "base16ct"
+version = "0.2.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "9d297deb1925b89f2ccc13d7635fa0714f12c87adce1c75356b39ca9b7178567"
+checksum = "4c7f02d4ea65f2c1853089ffd8d2787bdbc63de2f0d29dedbcf8ccdfa0ccd4cf"
 
 [[package]]
 name = "base64"
@@ -444,13 +629,16 @@ dependencies = [
 
 [[package]]
 name = "bigdecimal"
-version = "0.3.1"
+version = "0.4.8"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "a6773ddc0eafc0e509fb60e48dff7f450f8e674a0686ae8605e8d9901bd5eefa"
+checksum = "1a22f228ab7a1b23027ccc6c350b72868017af7ea8356fbdf19f8d991c690013"
 dependencies = [
+ "autocfg",
+ "libm",
  "num-bigint",
  "num-integer",
  "num-traits",
+ "serde",
 ]
 
 [[package]]
@@ -462,6 +650,26 @@ dependencies = [
  "serde",
 ]
 
+[[package]]
+name = "bindgen"
+version = "0.72.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "993776b509cfb49c750f11b8f07a46fa23e0a1386ffc01fb1e7d343efc387895"
+dependencies = [
+ "bitflags 2.9.1",
+ "cexpr",
+ "clang-sys",
+ "itertools 0.12.1",
+ "log",
+ "prettyplease",
+ "proc-macro2",
+ "quote",
+ "regex",
+ "rustc-hash",
+ "shlex",
+ "syn 2.0.104",
+]
+
 [[package]]
 name = "bitflags"
 version = "1.3.2"
@@ -470,9 +678,9 @@ checksum = "bef38d45163c2f1dde094a7dfd33ccf595c92905c8f8f4fdc18d06fb1037718a"
 
 [[package]]
 name = "bitflags"
-version = "2.6.0"
+version = "2.9.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "b048fb63fd8b5923fc5aa7b340d8e156aec7ec02f0c78fa8a6ddc2613f6f71de"
+checksum = "1b8e56985ec62d17e9c1001dc89c88ecd7dc08e47eba5ec7c29c7b5eeecde967"
 dependencies = [
  "serde",
 ]
@@ -516,6 +724,19 @@ dependencies = [
  "generic-array",
 ]
 
+[[package]]
+name = "blocking"
+version = "1.6.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e83f8d02be6967315521be875afa792a316e28d57b5a2d401897e2a7921b7f21"
+dependencies = [
+ "async-channel 2.5.0",
+ "async-task",
+ "futures-io",
+ "futures-lite 2.6.0",
+ "piper",
+]
+
 [[package]]
 name = "blowfish"
 version = "0.9.1"
@@ -528,9 +749,9 @@ dependencies = [
 
 [[package]]
 name = "borsh"
-version = "1.5.1"
+version = "1.5.7"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "a6362ed55def622cddc70a4746a68554d7b687713770de539e59a739b249f8ed"
+checksum = "ad8646f98db542e39fc66e68a20b2144f6a732636df7c2354e74645faaa433ce"
 dependencies = [
  "borsh-derive",
  "cfg_aliases",
@@ -538,29 +759,28 @@ dependencies = [
 
 [[package]]
 name = "borsh-derive"
-version = "1.5.1"
+version = "1.5.7"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "c3ef8005764f53cd4dca619f5bf64cafd4664dada50ece25e4d81de54c80cc0b"
+checksum = "fdd1d3c0c2f5833f22386f252fe8ed005c7f59fdcddeef025c01b4c3b9fd9ac3"
 dependencies = [
  "once_cell",
  "proc-macro-crate",
  "proc-macro2",
  "quote",
- "syn 2.0.98",
- "syn_derive",
+ "syn 2.0.104",
 ]
 
 [[package]]
 name = "bumpalo"
-version = "3.11.1"
+version = "3.19.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "572f695136211188308f16ad2ca5c851a712c464060ae6974944458eb83880ba"
+checksum = "46c5e41b57b8bba42a04676d81cb89e9ee8e859a1a66f80a5a72e1cb76b34d43"
 
 [[package]]
 name = "bytecheck"
-version = "0.6.11"
+version = "0.6.12"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "8b6372023ac861f6e6dc89c8344a8f398fb42aaba2b5dbc649ca0c0e9dbcb627"
+checksum = "23cdc57ce23ac53c931e88a43d06d070a6fd142f2617be5855eb75efc9beb1c2"
 dependencies = [
  "bytecheck_derive",
  "ptr_meta",
@@ -569,13 +789,13 @@ dependencies = [
 
 [[package]]
 name = "bytecheck_derive"
-version = "0.6.11"
+version = "0.6.12"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "a7ec4c6f261935ad534c0c22dbef2201b45918860eb1c574b972bd213a76af61"
+checksum = "3db406d29fbcd95542e92559bed4d8ad92636d1ca8b3b72ede10b4bcc010e659"
 dependencies = [
  "proc-macro2",
  "quote",
- "syn 1.0.105",
+ "syn 1.0.109",
 ]
 
 [[package]]
@@ -586,15 +806,15 @@ checksum = "1fd0f2584146f6f2ef48085050886acf353beff7305ebd1ae69500e27c67f64b"
 
 [[package]]
 name = "bytes"
-version = "1.10.0"
+version = "1.10.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "f61dac84819c6588b558454b194026eb1f09c293b9036ae9b159e74e73ab6cf9"
+checksum = "d71b6127be86fdcfddb610f7182ac57211d4b18a3e9c82eb2d17662f2227ad6a"
 
 [[package]]
 name = "camino"
-version = "1.1.6"
+version = "1.1.10"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "c59e92b5a388f549b863a7bea62612c09f24c8393560709a54558a9abdfb3b9c"
+checksum = "0da45bc31171d8d6960122e222a67740df867c1dd53b4d51caa297084c185cab"
 
 [[package]]
 name = "cbc"
@@ -607,19 +827,35 @@ dependencies = [
 
 [[package]]
 name = "cc"
-version = "1.0.83"
+version = "1.2.30"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "f1174fb0b6ec23863f8b971027804a42614e347eafb0a95bf0b12cdae21fc4d0"
+checksum = "deec109607ca693028562ed836a5f1c4b8bd77755c4e132fc5ce11b0b6211ae7"
 dependencies = [
  "jobserver",
  "libc",
+ "shlex",
+]
+
+[[package]]
+name = "cesu8"
+version = "1.1.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "6d43a04d8753f35258c91f8ec639f792891f748a1edbd759cf1dcea3382ad83c"
+
+[[package]]
+name = "cexpr"
+version = "0.6.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "6fac387a98bb7c37292057cffc56d62ecb629900026402633ae9160df93a8766"
+dependencies = [
+ "nom",
 ]
 
 [[package]]
 name = "cfg-if"
-version = "1.0.0"
+version = "1.0.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "baf1de4339761588bc0619e3cbc0120ee582ebb74b53b4efbf79117bd2da40fd"
+checksum = "9555578bc9e57714c812a1f84e4fc5b4d21fcb063490c624de019f7464c91268"
 
 [[package]]
 name = "cfg_aliases"
@@ -640,9 +876,9 @@ dependencies = [
 
 [[package]]
 name = "chrono"
-version = "0.4.38"
+version = "0.4.41"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "a21f936df1771bf62b77f047b726c4625ff2e8aa607c01ec06e5a05bd8463401"
+checksum = "c469d952047f47f91b68d1cba3f10d63c11d73e4636f24f08daf0278abf01c4d"
 dependencies = [
  "android-tzdata",
  "iana-time-zone",
@@ -650,138 +886,208 @@ dependencies = [
  "num-traits",
  "serde",
  "wasm-bindgen",
- "windows-targets 0.52.6",
+ "windows-link 0.1.3",
 ]
 
 [[package]]
-name = "ciborium"
-version = "0.2.1"
+name = "cipher"
+version = "0.4.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "effd91f6c78e5a4ace8a5d3c0b6bfaec9e2baaef55f3efc00e45fb2e477ee926"
+checksum = "773f3b9af64447d2ce9850330c473515014aa235e6a783b02db81ff39e4a3dad"
 dependencies = [
- "ciborium-io",
- "ciborium-ll",
- "serde",
+ "crypto-common",
+ "inout",
 ]
 
 [[package]]
-name = "ciborium-io"
-version = "0.2.1"
+name = "clang-sys"
+version = "1.8.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "cdf919175532b369853f5d5e20b26b43112613fd6fe7aee757e35f7a44642656"
+checksum = "0b023947811758c97c59bf9d1c188fd619ad4718dcaa767947df1cadb14f39f4"
+dependencies = [
+ "glob",
+ "libc",
+ "libloading",
+]
 
 [[package]]
-name = "ciborium-ll"
-version = "0.2.1"
+name = "clap"
+version = "4.5.42"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "defaa24ecc093c77630e6c15e17c51f5e187bf35ee514f4e2d67baaa96dae22b"
+checksum = "ed87a9d530bb41a67537289bafcac159cb3ee28460e0a4571123d2a778a6a882"
 dependencies = [
- "ciborium-io",
- "half",
+ "clap_builder",
+ "clap_derive",
 ]
 
 [[package]]
-name = "cipher"
-version = "0.4.4"
+name = "clap_builder"
+version = "4.5.42"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "773f3b9af64447d2ce9850330c473515014aa235e6a783b02db81ff39e4a3dad"
+checksum = "64f4f3f3c77c94aff3c7e9aac9a2ca1974a5adf392a8bb751e827d6d127ab966"
 dependencies = [
- "crypto-common",
- "inout",
+ "anstream",
+ "anstyle",
+ "clap_lex",
+ "strsim",
 ]
 
 [[package]]
-name = "clap"
-version = "4.5.2"
+name = "clap_derive"
+version = "4.5.41"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "b230ab84b0ffdf890d5a10abdbc8b83ae1c4918275daea1ab8801f71536b2651"
+checksum = "ef4f52386a59ca4c860f7393bcf8abd8dfd91ecccc0f774635ff68e92eeef491"
 dependencies = [
- "clap_builder",
- "clap_derive",
+ "heck 0.5.0",
+ "proc-macro2",
+ "quote",
+ "syn 2.0.104",
 ]
 
 [[package]]
-name = "clap_builder"
-version = "4.5.2"
+name = "clap_lex"
+version = "0.7.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b94f61472cee1439c0b966b47e3aca9ae07e45d070759512cd390ea2bebc6675"
+
+[[package]]
+name = "client-ip"
+version = "0.1.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "ae129e2e766ae0ec03484e609954119f123cc1fe650337e155d03b022f24f7b4"
+checksum = "31211fc26899744f5b22521fdc971e5f3875991d8880537537470685a0e9552d"
 dependencies = [
- "anstream",
- "anstyle",
- "clap_lex",
- "strsim 0.11.0",
+ "http",
 ]
 
 [[package]]
-name = "clap_derive"
-version = "4.5.0"
+name = "cmake"
+version = "0.1.54"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "307bc0538d5f0f83b8248db3087aa92fe504e4691294d0c96c0eabc33f47ba47"
+checksum = "e7caa3f9de89ddbe2c607f4101924c5abec803763ae9534e4f4d7d8f84aa81f0"
 dependencies = [
- "heck",
- "proc-macro2",
- "quote",
- "syn 2.0.98",
+ "cc",
 ]
 
 [[package]]
-name = "clap_lex"
-version = "0.7.0"
+name = "codee"
+version = "0.3.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "98cc8fbded0c607b7ba9dd60cd98df59af97e84d24e49c8557331cfc26d301ce"
+checksum = "fd8bbfdadf2f8999c6e404697bc08016dce4a3d77dec465b36c9a0652fdb3327"
+dependencies = [
+ "serde",
+ "serde_json",
+ "thiserror 2.0.17",
+]
 
 [[package]]
 name = "collection_literals"
-version = "1.0.1"
+version = "1.0.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "186dce98367766de751c42c4f03970fc60fc012296e706ccbb9d5df9b6c1e271"
+checksum = "26b3f65b8fb8e88ba339f7d23a390fe1b0896217da05e2a66c584c9b29a91df8"
 
 [[package]]
 name = "colorchoice"
-version = "1.0.0"
+version = "1.0.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "acbf1af155f9b9ef647e42cdc158db4b64a1b61f743629225fde6f3e0be2a7c7"
+checksum = "b05b61dc5112cbb17e4b6cd61790d9845d13888356391624cbe7e41efeac1e75"
 
 [[package]]
-name = "config"
-version = "0.13.3"
+name = "colored"
+version = "2.2.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "d379af7f68bfc21714c6c7dea883544201741d2ce8274bb12fa54f89507f52a7"
+checksum = "117725a109d387c937a1533ce01b450cbde6b88abceea8473c4d7a85853cda3c"
 dependencies = [
- "async-trait",
  "lazy_static",
- "nom",
+ "windows-sys 0.59.0",
+]
+
+[[package]]
+name = "combine"
+version = "4.6.7"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ba5a308b75df32fe02788e748662718f03fde005016435c444eea572398219fd"
+dependencies = [
+ "bytes",
+ "memchr",
+]
+
+[[package]]
+name = "compression-codecs"
+version = "0.4.32"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "680dc087785c5230f8e8843e2e57ac7c1c90488b6a91b88caa265410568f441b"
+dependencies = [
+ "compression-core",
+ "zstd",
+ "zstd-safe",
+]
+
+[[package]]
+name = "compression-core"
+version = "0.4.30"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "3a9b614a5787ef0c8802a55766480563cb3a93b435898c422ed2a359cf811582"
+
+[[package]]
+name = "concurrent-queue"
+version = "2.5.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "4ca0197aee26d1ae37445ee532fefce43251d24cc7c166799f4d46817f1d3973"
+dependencies = [
+ "crossbeam-utils",
+]
+
+[[package]]
+name = "config"
+version = "0.15.13"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "5b1eb4fb07bc7f012422df02766c7bd5971effb894f573865642f06fa3265440"
+dependencies = [
+ "convert_case 0.6.0",
  "pathdiff",
  "serde",
- "toml 0.5.11",
+ "toml",
+ "winnow",
 ]
 
 [[package]]
 name = "const-oid"
-version = "0.9.5"
+version = "0.9.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "c2459377285ad874054d797f3ccebf984978aa39129f6eafde5cdc8315b612f8"
+
+[[package]]
+name = "const-str"
+version = "0.6.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "28c122c3980598d243d63d9a704629a2d748d101f278052ff068be5a4423ab6f"
+checksum = "451d0640545a0553814b4c646eb549343561618838e9b42495f466131fe3ad49"
 
 [[package]]
 name = "const_format"
-version = "0.2.32"
+version = "0.2.34"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "e3a214c7af3d04997541b18d432afaff4c455e79e2029079647e72fc2bd27673"
+checksum = "126f97965c8ad46d6d9163268ff28432e8f6a1196a55578867832e3049df63dd"
 dependencies = [
  "const_format_proc_macros",
 ]
 
 [[package]]
 name = "const_format_proc_macros"
-version = "0.2.32"
+version = "0.2.34"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "c7f6ff08fd20f4f299298a28e2dfa8a8ba1036e6cd2460ac1de7b425d76f2500"
+checksum = "1d57c2eccfb16dbac1f4e61e206105db5820c9d26c3c472bc17c774259ef7744"
 dependencies = [
  "proc-macro2",
  "quote",
  "unicode-xid",
 ]
 
+[[package]]
+name = "const_str_slice_concat"
+version = "0.1.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f67855af358fcb20fac58f9d714c94e2b228fe5694c1c9b4ead4a366343eda1b"
+
 [[package]]
 name = "convert_case"
 version = "0.6.0"
@@ -791,11 +1097,20 @@ dependencies = [
  "unicode-segmentation",
 ]
 
+[[package]]
+name = "convert_case"
+version = "0.8.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "baaaa0ecca5b51987b9423ccdc971514dd8b0bb7b4060b983d3664dad3f1f89f"
+dependencies = [
+ "unicode-segmentation",
+]
+
 [[package]]
 name = "core-foundation"
-version = "0.9.3"
+version = "0.9.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "194a7a9e6de53fa55116934067c844d9d749312f75c6f6d0980e8c252f8c2146"
+checksum = "91e195e091a93c46f7102ec7818a2aa394e1e1771c3ab4825963fa03e45afb8f"
 dependencies = [
  "core-foundation-sys",
  "libc",
@@ -803,9 +1118,9 @@ dependencies = [
 
 [[package]]
 name = "core-foundation"
-version = "0.10.0"
+version = "0.10.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "b55271e5c8c478ad3f38ad24ef34923091e0548492a266d19b3c0b4d82574c63"
+checksum = "b2a6cd9ae233e7f62ba4e9353e81a88df7fc8a5987b8d445b4d90c879bd156f6"
 dependencies = [
  "core-foundation-sys",
  "libc",
@@ -828,9 +1143,9 @@ dependencies = [
 
 [[package]]
 name = "crc"
-version = "3.0.1"
+version = "3.3.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "86ec7a15cbe22e59248fc7eadb1907dab5ba09372595da4d73dd805ed4417dfe"
+checksum = "9710d3b3739c2e349eb44fe848ad0b7c8cb1e42bd87ee49371df2f7acaf3e675"
 dependencies = [
  "crc-catalog",
 ]
@@ -843,37 +1158,36 @@ checksum = "19d374276b40fb8bbdee95aef7c7fa6b5316ec764510eb64b8dd0e2ed0d7e7f5"
 
 [[package]]
 name = "crc32fast"
-version = "1.3.2"
+version = "1.5.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "b540bd8bc810d3885c6ea91e2018302f68baba2129ab3e88f32389ee9370880d"
+checksum = "9481c1c90cbf2ac953f07c8d4a58aa3945c425b7185c9154d67a65e4230da511"
 dependencies = [
  "cfg-if",
 ]
 
 [[package]]
 name = "crossbeam-channel"
-version = "0.5.13"
+version = "0.5.15"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "33480d6946193aa8033910124896ca395333cae7e2d1113d1fef6c3272217df2"
+checksum = "82b8f8f868b36967f9606790d1903570de9ceaf870a7bf9fbbd3016d636a2cb2"
 dependencies = [
  "crossbeam-utils",
 ]
 
 [[package]]
 name = "crossbeam-queue"
-version = "0.3.8"
+version = "0.3.12"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "d1cfb3ea8a53f37c40dea2c7bedcbd88bdfae54f5e2175d6ecaff1c988353add"
+checksum = "0f58bbc28f91df819d0aa2a2c00cd19754769c2fad90579b3592b1c9ba7a3115"
 dependencies = [
- "cfg-if",
  "crossbeam-utils",
 ]
 
 [[package]]
 name = "crossbeam-utils"
-version = "0.8.20"
+version = "0.8.21"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "22ec99545bb0ed0ea7bb9b8e1e9122ea386ff8a48c0922e43f36d45ab09e0e80"
+checksum = "d0a5c400df2834b80a4c3327b3aad3a4c4cd4de0629063962b03235697506a28"
 
 [[package]]
 name = "crypto-bigint"
@@ -882,7 +1196,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "0dc92fb57ca44df6db8059111ab3af99a63d5d0f8375d9972e319a379c6bab76"
 dependencies = [
  "generic-array",
- "rand_core",
+ "rand_core 0.6.4",
  "subtle",
  "zeroize",
 ]
@@ -894,15 +1208,14 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "1bfb12502f3fc46cca1bb51ac28df9d618d813cdc3d2f25b9fe775a34af26bb3"
 dependencies = [
  "generic-array",
- "rand_core",
  "typenum",
 ]
 
 [[package]]
 name = "ct-codecs"
-version = "1.1.1"
+version = "1.1.6"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "f3b7eb4404b8195a9abb6356f4ac07d8ba267045c8d6d220ac4dc992e6cc75df"
+checksum = "9b10589d1a5e400d61f9f38f12f884cfd080ff345de8f17efda36fe0e4a02aa8"
 
 [[package]]
 name = "ctr"
@@ -923,7 +1236,7 @@ dependencies = [
  "cpufeatures",
  "curve25519-dalek-derive",
  "digest",
- "fiat-crypto",
+ "fiat-crypto 0.2.9",
  "rustc_version",
  "subtle",
  "zeroize",
@@ -937,52 +1250,88 @@ checksum = "f46882e17999c6cc590af592290432be3bce0428cb0d5f8b6715e4dc7b383eb3"
 dependencies = [
  "proc-macro2",
  "quote",
- "syn 2.0.98",
+ "syn 2.0.104",
+]
+
+[[package]]
+name = "darling"
+version = "0.20.11"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "fc7f46116c46ff9ab3eb1597a45688b6715c6e628b5c133e288e709a29bcb4ee"
+dependencies = [
+ "darling_core 0.20.11",
+ "darling_macro 0.20.11",
 ]
 
 [[package]]
 name = "darling"
-version = "0.14.4"
+version = "0.21.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9cdf337090841a411e2a7f3deb9187445851f91b309c0c0a29e05f74a00a48c0"
+dependencies = [
+ "darling_core 0.21.3",
+ "darling_macro 0.21.3",
+]
+
+[[package]]
+name = "darling_core"
+version = "0.20.11"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "7b750cb3417fd1b327431a470f388520309479ab0bf5e323505daf0290cd3850"
+checksum = "0d00b9596d185e565c2207a0b01f8bd1a135483d02d9b7b0a54b11da8d53412e"
 dependencies = [
- "darling_core",
- "darling_macro",
+ "fnv",
+ "ident_case",
+ "proc-macro2",
+ "quote",
+ "strsim",
+ "syn 2.0.104",
 ]
 
 [[package]]
 name = "darling_core"
-version = "0.14.4"
+version = "0.21.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "109c1ca6e6b7f82cc233a97004ea8ed7ca123a9af07a8230878fcfda9b158bf0"
+checksum = "1247195ecd7e3c85f83c8d2a366e4210d588e802133e1e355180a9870b517ea4"
 dependencies = [
  "fnv",
  "ident_case",
  "proc-macro2",
  "quote",
- "strsim 0.10.0",
- "syn 1.0.105",
+ "strsim",
+ "syn 2.0.104",
+]
+
+[[package]]
+name = "darling_macro"
+version = "0.20.11"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "fc34b93ccb385b40dc71c6fceac4b2ad23662c7eeb248cf10d529b7e055b6ead"
+dependencies = [
+ "darling_core 0.20.11",
+ "quote",
+ "syn 2.0.104",
 ]
 
 [[package]]
 name = "darling_macro"
-version = "0.14.4"
+version = "0.21.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "a4aab4dbc9f7611d8b55048a3a16d2d010c2c8334e46304b40ac1cc14bf3b48e"
+checksum = "d38308df82d1080de0afee5d069fa14b0326a88c14f15c5ccda35b4a6c414c81"
 dependencies = [
- "darling_core",
+ "darling_core 0.21.3",
  "quote",
- "syn 1.0.105",
+ "syn 2.0.104",
 ]
 
 [[package]]
 name = "dashmap"
-version = "5.4.0"
+version = "6.1.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "907076dfda823b0b36d2a1bb5f90c96660a5bbcd7729e10727f07858f22c4edc"
+checksum = "5041cc499144891f3790297212f32a74fb938e5136a14943f338ef9e0ae276cf"
 dependencies = [
  "cfg-if",
- "hashbrown 0.12.3",
+ "crossbeam-utils",
+ "hashbrown 0.14.5",
  "lock_api",
  "once_cell",
  "parking_lot_core",
@@ -990,26 +1339,26 @@ dependencies = [
 
 [[package]]
 name = "data-encoding"
-version = "2.4.0"
+version = "2.9.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "c2e66c9d817f1720209181c316d28635c050fa304f9c79e47a520882661b7308"
+checksum = "2a2330da5de22e8a3cb63252ce2abb30116bf5265e89c0e01bc17015ce30a476"
 
 [[package]]
 name = "delegate"
-version = "0.13.2"
+version = "0.13.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "297806318ef30ad066b15792a8372858020ae3ca2e414ee6c2133b1eb9e9e945"
+checksum = "6178a82cf56c836a3ba61a7935cdb1c49bfaa6fa4327cd5bf554a503087de26b"
 dependencies = [
  "proc-macro2",
  "quote",
- "syn 2.0.98",
+ "syn 2.0.104",
 ]
 
 [[package]]
 name = "der"
-version = "0.7.8"
+version = "0.7.10"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "fffa369a668c8af7dbf8b5e56c9f744fbd399949ed171606040001947de40b1c"
+checksum = "e7c1832837b905bbfb5101e07cc24c8deddf52f93225eee6ead5f4d63d53ddcb"
 dependencies = [
  "const-oid",
  "pem-rfc7468",
@@ -1018,65 +1367,75 @@ dependencies = [
 
 [[package]]
 name = "deranged"
-version = "0.3.9"
+version = "0.4.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "0f32d04922c60427da6f9fef14d042d9edddef64cb9d4ce0d64d0685fbeb1fd3"
+checksum = "9c9e6a11ca8224451684bc0d7d5a7adbf8f2fd6887261a1cfc3c0432f9d4068e"
 dependencies = [
  "powerfmt",
  "serde",
 ]
 
-[[package]]
-name = "derivative"
-version = "2.2.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "fcc3dd5e9e9c0b295d6e1e4d811fb6f157d5ffd784b8d202fc62eac8035a770b"
-dependencies = [
- "proc-macro2",
- "quote",
- "syn 1.0.105",
-]
-
 [[package]]
 name = "derive-where"
-version = "1.2.5"
+version = "1.5.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "146398d62142a0f35248a608f17edf0dde57338354966d6e41d0eb2d16980ccb"
+checksum = "510c292c8cf384b1a340b816a9a6cf2599eb8f566a44949024af88418000c50b"
 dependencies = [
  "proc-macro2",
  "quote",
- "syn 2.0.98",
+ "syn 2.0.104",
 ]
 
 [[package]]
 name = "derive_builder"
-version = "0.12.0"
+version = "0.20.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "8d67778784b508018359cbc8696edb3db78160bab2c2a28ba7f56ef6932997f8"
+checksum = "507dfb09ea8b7fa618fcf76e953f4f5e192547945816d5358edffe39f6f94947"
 dependencies = [
  "derive_builder_macro",
 ]
 
 [[package]]
 name = "derive_builder_core"
-version = "0.12.0"
+version = "0.20.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "c11bdc11a0c47bc7d37d582b5285da6849c96681023680b906673c5707af7b0f"
+checksum = "2d5bcf7b024d6835cfb3d473887cd966994907effbe9227e8c8219824d06c4e8"
 dependencies = [
- "darling",
+ "darling 0.20.11",
  "proc-macro2",
  "quote",
- "syn 1.0.105",
+ "syn 2.0.104",
 ]
 
 [[package]]
 name = "derive_builder_macro"
-version = "0.12.0"
+version = "0.20.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "ebcda35c7a396850a55ffeac740804b40ffec779b98fffbb1738f4033f0ee79e"
+checksum = "ab63b0e2bf4d5928aff72e83a7dace85d7bba5fe12dcc3c5a572d78caffd3f3c"
 dependencies = [
  "derive_builder_core",
- "syn 1.0.105",
+ "syn 2.0.104",
+]
+
+[[package]]
+name = "derive_more"
+version = "2.0.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "093242cf7570c207c83073cf82f79706fe7b8317e98620a47d5be7c3d8497678"
+dependencies = [
+ "derive_more-impl",
+]
+
+[[package]]
+name = "derive_more-impl"
+version = "2.0.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "bda628edc44c4bb645fbe0f758797143e4e07926f7ebf4e9bdfbd3d2ce621df3"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn 2.0.104",
+ "unicode-xid",
 ]
 
 [[package]]
@@ -1091,14 +1450,46 @@ dependencies = [
  "subtle",
 ]
 
+[[package]]
+name = "dirs"
+version = "6.0.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "c3e8aa94d75141228480295a7d0e7feb620b1a5ad9f12bc40be62411e38cce4e"
+dependencies = [
+ "dirs-sys",
+]
+
+[[package]]
+name = "dirs-sys"
+version = "0.5.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e01a3366d27ee9890022452ee61b2b63a67e6f13f58900b651ff5665f0bb1fab"
+dependencies = [
+ "libc",
+ "option-ext",
+ "redox_users",
+ "windows-sys 0.61.2",
+]
+
+[[package]]
+name = "displaydoc"
+version = "0.2.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "97369cbbc041bc366949bc74d34658d6cda5621039731c6310521892a3a20ae0"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn 2.0.104",
+]
+
 [[package]]
 name = "docker-compose-types"
-version = "0.7.0"
+version = "0.22.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "608ffe949fbffae4034bdde4bfa224238736ecc9e1a362997245c7282f49fa60"
+checksum = "7edb75a85449fd9c34d9fb3376c6208ec4115d2ca43b965175a52d71349ecab8"
 dependencies = [
  "derive_builder",
- "indexmap 2.1.0",
+ "indexmap",
  "serde",
  "serde_yaml",
 ]
@@ -1115,6 +1506,18 @@ version = "0.1.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "669a445ee724c5c69b1b06fe0b63e70a1c84bc9bb7d9696cd4f4e3ec45050408"
 
+[[package]]
+name = "dunce"
+version = "1.0.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "92773504d58c093f6de2459af4af33faa518c13451eb8f2b5698ed3d36e7c813"
+
+[[package]]
+name = "dyn-clone"
+version = "1.0.20"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d0881ea181b1df73ff77ffaaf9c7544ecc11e82fba9b5f27b262a3c73a332555"
+
 [[package]]
 name = "ecdsa"
 version = "0.16.9"
@@ -1141,48 +1544,71 @@ dependencies = [
 
 [[package]]
 name = "ed25519-compact"
-version = "2.0.6"
+version = "2.1.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "a667e6426df16c2ac478efa4a439d0e674cba769c5556e8cf221739251640c8c"
+checksum = "e9b3460f44bea8cd47f45a0c70892f1eff856d97cd55358b2f73f663789f6190"
 dependencies = [
- "getrandom",
+ "getrandom 0.2.16",
 ]
 
 [[package]]
 name = "ed25519-dalek"
-version = "2.0.0"
+version = "2.2.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "7277392b266383ef8396db7fdeb1e77b6c52fed775f5df15bb24f35b72156980"
+checksum = "70e796c081cee67dc755e1a36a0a172b897fab85fc3f6bc48307991f64e4eca9"
 dependencies = [
  "curve25519-dalek",
  "ed25519",
- "rand_core",
+ "rand_core 0.6.4",
  "serde",
  "sha2",
+ "subtle",
  "zeroize",
 ]
 
 [[package]]
 name = "educe"
-version = "0.4.20"
+version = "0.5.11"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e4bd92664bf78c4d3dba9b7cdafce6fa15b13ed3ed16175218196942e99168a8"
+dependencies = [
+ "enum-ordinalize",
+ "proc-macro2",
+ "quote",
+ "syn 2.0.104",
+]
+
+[[package]]
+name = "educe"
+version = "0.6.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "cb0188e3c3ba8df5753894d54461f0e39bc91741dc5b22e1c46999ec2c71f4e4"
+checksum = "1d7bc049e1bd8cdeb31b68bbd586a9464ecf9f3944af3958a7a9d0f8b9799417"
 dependencies = [
  "enum-ordinalize",
  "proc-macro2",
  "quote",
- "syn 1.0.105",
+ "syn 2.0.104",
 ]
 
 [[package]]
 name = "either"
-version = "1.9.0"
+version = "1.15.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "a26ae43d7bcc3b814de94796a5e736d4029efb0ee900c12e2d54c993ad1a1e07"
+checksum = "48c757948c5ede0e46177b7add2e67155f70e33c07fea8284df6576da70b3719"
 dependencies = [
  "serde",
 ]
 
+[[package]]
+name = "either_of"
+version = "0.1.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "216d23e0ec69759a17f05e1c553f3a6870e5ec73420fbb07807a6f34d5d1d5a4"
+dependencies = [
+ "paste",
+ "pin-project-lite",
+]
+
 [[package]]
 name = "elliptic-curve"
 version = "0.13.8"
@@ -1198,33 +1624,30 @@ dependencies = [
  "hkdf",
  "pem-rfc7468",
  "pkcs8",
- "rand_core",
+ "rand_core 0.6.4",
  "sec1",
  "subtle",
  "zeroize",
 ]
 
 [[package]]
-name = "encoding_rs"
-version = "0.8.33"
+name = "enum-ordinalize"
+version = "4.3.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "7268b386296a025e474d5140678f75d6de9493ae55a5d709eeb9dd08149945e1"
+checksum = "fea0dcfa4e54eeb516fe454635a95753ddd39acda650ce703031c6973e315dd5"
 dependencies = [
- "cfg-if",
+ "enum-ordinalize-derive",
 ]
 
 [[package]]
-name = "enum-ordinalize"
-version = "3.1.12"
+name = "enum-ordinalize-derive"
+version = "4.3.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "a62bb1df8b45ecb7ffa78dca1c17a438fb193eb083db0b1b494d2a61bcb5096a"
+checksum = "0d28318a75d4aead5c4db25382e8ef717932d0346600cacae6357eb5941bc5ff"
 dependencies = [
- "num-bigint",
- "num-traits",
  "proc-macro2",
  "quote",
- "rustc_version",
- "syn 1.0.105",
+ "syn 2.0.104",
 ]
 
 [[package]]
@@ -1236,23 +1659,29 @@ dependencies = [
  "once_cell",
  "proc-macro2",
  "quote",
- "syn 2.0.98",
+ "syn 2.0.104",
 ]
 
 [[package]]
 name = "equivalent"
-version = "1.0.1"
+version = "1.0.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "5443807d6dff69373d433ab9ef5378ad8df50ca6298caf15de6e52e24aaf54d5"
+checksum = "877a4ace8713b0bcf2a4e7eec82529c029f1d0619886d18145fea96c3ffe5c0f"
+
+[[package]]
+name = "erased"
+version = "0.1.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a1731451909bde27714eacba19c2566362a7f35224f52b153d3f42cf60f72472"
 
 [[package]]
 name = "errno"
-version = "0.3.8"
+version = "0.3.13"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "a258e46cdc063eb8519c00b9fc845fc47bcfca4130e2f08e88665ceda8474245"
+checksum = "778e2ac28f6c47af28e4907f13ffd1e1ddbd400980a9abd7c8df189bf578a5ad"
 dependencies = [
  "libc",
- "windows-sys 0.52.0",
+ "windows-sys 0.60.2",
 ]
 
 [[package]]
@@ -1272,51 +1701,81 @@ version = "2.5.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "0206175f82b8d6bf6652ff7d71a1e27fd2e4efde587fd368662814d6ec1d9ce0"
 
+[[package]]
+name = "event-listener"
+version = "5.4.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "3492acde4c3fc54c845eaab3eed8bd00c7a7d881f78bfc801e43a93dec1331ae"
+dependencies = [
+ "concurrent-queue",
+ "parking",
+ "pin-project-lite",
+]
+
+[[package]]
+name = "event-listener-strategy"
+version = "0.5.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "8be9f3dfaaffdae2972880079a491a1a8bb7cbed0b8dd7a347f668b4150a3b93"
+dependencies = [
+ "event-listener 5.4.0",
+ "pin-project-lite",
+]
+
 [[package]]
 name = "fastrand"
-version = "2.0.1"
+version = "1.9.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e51093e27b0797c359783294ca4f0a911c270184cb10f85783b118614a1501be"
+dependencies = [
+ "instant",
+]
+
+[[package]]
+name = "fastrand"
+version = "2.3.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "25cbce373ec4653f1a01a31e8a5e5ec0c622dc27ff9c4e6606eefef5cbbed4a5"
+checksum = "37909eebbb50d72f9059c3b6d82c0463f2ff062c9e95845c43a6c9c0355411be"
 
 [[package]]
 name = "ff"
-version = "0.13.0"
+version = "0.13.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "ded41244b729663b1e574f1b4fb731469f69f79c17667b5d776b16cda0479449"
+checksum = "c0b50bfb653653f9ca9095b427bed08ab8d75a137839d9ad64eb11810d5b6393"
 dependencies = [
- "rand_core",
+ "rand_core 0.6.4",
  "subtle",
 ]
 
 [[package]]
 name = "fiat-crypto"
-version = "0.2.3"
+version = "0.2.9"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "28dea519a9695b9977216879a3ebfddf92f1c08c05d984f8996aecd6ecdc811d"
+
+[[package]]
+name = "fiat-crypto"
+version = "0.3.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "f69037fe1b785e84986b4f2cbcf647381876a00671d25ceef715d7812dd7e1dd"
+checksum = "64cd1e32ddd350061ae6edb1b082d7c54915b5c672c389143b9a63403a109f24"
 
 [[package]]
 name = "filetime"
-version = "0.2.23"
+version = "0.2.25"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "1ee447700ac8aa0b2f2bd7bc4462ad686ba06baa6727ac149a2d6277f0d240fd"
+checksum = "35c0522e981e68cbfa8c3f978441a5f34b30b96e146b33cd3359176b50fe8586"
 dependencies = [
  "cfg-if",
  "libc",
- "redox_syscall 0.4.1",
- "windows-sys 0.52.0",
+ "libredox",
+ "windows-sys 0.59.0",
 ]
 
-[[package]]
-name = "finl_unicode"
-version = "1.2.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "8fcfdc7a0362c9f4444381a9e697c79d435fe65b52a37466fc2c1184cee9edc6"
-
 [[package]]
 name = "flate2"
-version = "1.0.28"
+version = "1.1.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "46303f565772937ffe1d394a4fac6f411c6013172fadde9dcdb1e147a086940e"
+checksum = "4a3d7db9596fecd151c5f638c0ee5d5bd487b6e0ea232e5dc96d5250f6f94b1d"
 dependencies = [
  "crc32fast",
  "miniz_oxide",
@@ -1324,13 +1783,13 @@ dependencies = [
 
 [[package]]
 name = "flume"
-version = "0.11.0"
+version = "0.11.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "55ac459de2512911e4b674ce33cf20befaba382d05b62b008afc1c8b57cbf181"
+checksum = "da0e4dd2a88388a1f4ccc7c9ce104604dab68d9f408dc34cd45823d5a9069095"
 dependencies = [
  "futures-core",
  "futures-sink",
- "spin 0.9.8",
+ "spin",
 ]
 
 [[package]]
@@ -1340,35 +1799,52 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "3f9eec918d3f24069decb9af1554cad7c880e2da24a9afd88aca000531ab82c1"
 
 [[package]]
-name = "form_urlencoded"
-version = "1.2.1"
+name = "foldhash"
+version = "0.1.5"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "e13624c2627564efccf4934284bdd98cbaa14e79b0b5a141218e507b3a823456"
+checksum = "d9c4f5dac5e15c24eb999c26181a6ca40b39fe946cbe4c263c7209467bc83af2"
+
+[[package]]
+name = "foreign-types"
+version = "0.3.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f6f339eb8adc052cd2ca78910fda869aefa38d22d5cb648e6485e4d3fc06f3b1"
 dependencies = [
- "percent-encoding",
+ "foreign-types-shared",
 ]
 
 [[package]]
-name = "forwarded-header-value"
+name = "foreign-types-shared"
 version = "0.1.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "8835f84f38484cc86f110a805655697908257fb9a7af005234060891557198e9"
+checksum = "00b0228411908ca8685dba7fc2cdd70ec9990a6e753e89b6ac91a84c40fbaf4b"
+
+[[package]]
+name = "form_urlencoded"
+version = "1.2.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e13624c2627564efccf4934284bdd98cbaa14e79b0b5a141218e507b3a823456"
 dependencies = [
- "nonempty",
- "thiserror 1.0.58",
+ "percent-encoding",
 ]
 
 [[package]]
 name = "fs4"
-version = "0.10.0"
+version = "0.13.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "ec6fcfb3c0c1d71612528825042261419d5dade9678c39a781e05b63677d9b32"
+checksum = "8640e34b88f7652208ce9e88b1a37a2ae95227d84abec377ccd3c5cfeb141ed4"
 dependencies = [
- "rustix",
+ "rustix 1.0.8",
  "tokio",
- "windows-sys 0.52.0",
+ "windows-sys 0.59.0",
 ]
 
+[[package]]
+name = "fs_extra"
+version = "1.3.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "42703706b716c37f96a77aea830392ad231f44c9e9a67872fa5548707e11b11c"
+
 [[package]]
 name = "fsevent-sys"
 version = "4.1.0"
@@ -1386,9 +1862,9 @@ checksum = "e6d5a32815ae3f33302d95fdcb2ce17862f8c65363dcfd29360480ba1001fc9c"
 
 [[package]]
 name = "futures"
-version = "0.3.25"
+version = "0.3.31"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "38390104763dc37a5145a53c29c63c1290b5d316d6086ec32c293f6736051bb0"
+checksum = "65bc07b1a8bc7c85c5f2e110c476c7389b4554ba72af57d8445ea63a576b0876"
 dependencies = [
  "futures-channel",
  "futures-core",
@@ -1401,9 +1877,9 @@ dependencies = [
 
 [[package]]
 name = "futures-channel"
-version = "0.3.29"
+version = "0.3.31"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "ff4dd66668b557604244583e3e1e1eada8c5c2e96a6d0d6653ede395b78bbacb"
+checksum = "2dff15bf788c671c1934e366d07e30c1814a8ef514e1af724a602e8a2fbe1b10"
 dependencies = [
  "futures-core",
  "futures-sink",
@@ -1411,19 +1887,20 @@ dependencies = [
 
 [[package]]
 name = "futures-core"
-version = "0.3.29"
+version = "0.3.31"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "eb1d22c66e66d9d72e1758f0bd7d4fd0bee04cad842ee34587d68c07e45d088c"
+checksum = "05f29059c0c2090612e8d742178b0580d2dc940c837851ad723096f87af6663e"
 
 [[package]]
 name = "futures-executor"
-version = "0.3.25"
+version = "0.3.31"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "7acc85df6714c176ab5edf386123fafe217be88c0840ec11f199441134a074e2"
+checksum = "1e28d1d997f585e54aebc3f97d39e72338912123a67330d723fdbb564d646c9f"
 dependencies = [
  "futures-core",
  "futures-task",
  "futures-util",
+ "num_cpus",
 ]
 
 [[package]]
@@ -1439,38 +1916,66 @@ dependencies = [
 
 [[package]]
 name = "futures-io"
-version = "0.3.29"
+version = "0.3.31"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9e5c1b78ca4aae1ac06c48a526a655760685149f0d465d21f37abfe57ce075c6"
+
+[[package]]
+name = "futures-lite"
+version = "1.13.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "8bf34a163b5c4c52d0478a4d757da8fb65cabef42ba90515efee0f6f9fa45aaa"
+checksum = "49a9d51ce47660b1e808d3c990b4709f2f415d928835a17dfd16991515c46bce"
+dependencies = [
+ "fastrand 1.9.0",
+ "futures-core",
+ "futures-io",
+ "memchr",
+ "parking",
+ "pin-project-lite",
+ "waker-fn",
+]
+
+[[package]]
+name = "futures-lite"
+version = "2.6.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f5edaec856126859abb19ed65f39e90fea3a9574b9707f13539acf4abf7eb532"
+dependencies = [
+ "fastrand 2.3.0",
+ "futures-core",
+ "futures-io",
+ "parking",
+ "pin-project-lite",
+]
 
 [[package]]
 name = "futures-macro"
-version = "0.3.29"
+version = "0.3.31"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "53b153fd91e4b0147f4aced87be237c98248656bb01050b96bf3ee89220a8ddb"
+checksum = "162ee34ebcb7c64a8abebc059ce0fee27c2262618d7b60ed8faf72fef13c3650"
 dependencies = [
  "proc-macro2",
  "quote",
- "syn 2.0.98",
+ "syn 2.0.104",
 ]
 
 [[package]]
 name = "futures-sink"
-version = "0.3.29"
+version = "0.3.31"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "e36d3378ee38c2a36ad710c5d30c2911d752cb941c00c72dbabfb786a7970817"
+checksum = "e575fab7d1e0dcb8d0c7bcf9a63ee213816ab51902e6d244a95819acacf1d4f7"
 
 [[package]]
 name = "futures-task"
-version = "0.3.29"
+version = "0.3.31"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "efd193069b0ddadc69c46389b740bbccdd97203899b48d09c5f7969591d6bae2"
+checksum = "f90f7dce0722e95104fcb095585910c0977252f286e354b5e3bd38902cd99988"
 
 [[package]]
 name = "futures-util"
-version = "0.3.29"
+version = "0.3.31"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "a19526d624e703a3179b3d322efec918b6246ea0fa51d41124525f00f1cc8104"
+checksum = "9fa08315bb612088cc391249efdc3bc77536f16c91f6cf495e6fbe85b20a4a81"
 dependencies = [
  "futures-channel",
  "futures-core",
@@ -1497,40 +2002,48 @@ dependencies = [
 
 [[package]]
 name = "getrandom"
-version = "0.2.15"
+version = "0.2.16"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "c4567c8db10ae91089c99af84c68c38da3ec2f087c3f82960bcdbf3656b6f4d7"
+checksum = "335ff9f135e4384c8150d6f27c6daed433577f86b4750418338c01a1a2528592"
 dependencies = [
  "cfg-if",
  "js-sys",
  "libc",
- "wasi",
+ "wasi 0.11.1+wasi-snapshot-preview1",
  "wasm-bindgen",
 ]
 
 [[package]]
-name = "ghash"
-version = "0.5.0"
+name = "getrandom"
+version = "0.3.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "d930750de5717d2dd0b8c0d42c076c0e884c81a73e6cab859bbd2339c71e3e40"
+checksum = "26145e563e54f2cadc477553f1ec5ee650b00862f0a58bcd12cbdc5f0ea2d2f4"
 dependencies = [
- "opaque-debug",
- "polyval",
+ "cfg-if",
+ "js-sys",
+ "libc",
+ "r-efi",
+ "wasi 0.14.2+wasi-0.2.4",
+ "wasm-bindgen",
 ]
 
 [[package]]
-name = "gimli"
-version = "0.28.1"
+name = "ghash"
+version = "0.5.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "4271d37baee1b8c7e4b708028c57d816cf9d2434acb33a549475f78c181f6253"
+checksum = "f0d8a4362ccb29cb0b265253fb0a2728f592895ee6854fd9bc13f2ffda266ff1"
+dependencies = [
+ "opaque-debug",
+ "polyval",
+]
 
 [[package]]
 name = "git2"
-version = "0.18.2"
+version = "0.20.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "1b3ba52851e73b46a4c3df1d89343741112003f0f6f13beb0dfac9e457c3fdcd"
+checksum = "2deb07a133b1520dc1a5690e9bd08950108873d7ed5de38dcc74d3b5ebffa110"
 dependencies = [
- "bitflags 2.6.0",
+ "bitflags 2.9.1",
  "libc",
  "libgit2-sys",
  "log",
@@ -1541,62 +2054,53 @@ dependencies = [
 
 [[package]]
 name = "glob"
-version = "0.3.1"
+version = "0.3.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "d2fabcfbdc87f4758337ca535fb41a6d701b65693ce38287d856d1674551ec9b"
+checksum = "a8d1add55171497b4705a648c6b583acafb01d58050a51727785f0b2c8e0a2b2"
 
 [[package]]
 name = "gloo-net"
-version = "0.2.6"
+version = "0.6.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "9902a044653b26b99f7e3693a42f171312d9be8b26b5697bd1e43ad1f8a35e10"
+checksum = "c06f627b1a58ca3d42b45d6104bf1e1a03799df472df00988b6ba21accc10580"
 dependencies = [
  "futures-channel",
  "futures-core",
  "futures-sink",
- "gloo-utils 0.1.7",
+ "gloo-utils",
+ "http",
  "js-sys",
  "pin-project",
  "serde",
  "serde_json",
- "thiserror 1.0.58",
+ "thiserror 1.0.69",
  "wasm-bindgen",
  "wasm-bindgen-futures",
  "web-sys",
 ]
 
 [[package]]
-name = "gloo-net"
-version = "0.5.0"
+name = "gloo-timers"
+version = "0.2.6"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "43aaa242d1239a8822c15c645f02166398da4f8b5c4bae795c1f5b44e9eee173"
+checksum = "9b995a66bb87bebce9a0f4a95aed01daca4872c050bfcb21653361c03bc35e5c"
 dependencies = [
  "futures-channel",
  "futures-core",
- "futures-sink",
- "gloo-utils 0.2.0",
- "http 0.2.9",
  "js-sys",
- "pin-project",
- "serde",
- "serde_json",
- "thiserror 1.0.58",
  "wasm-bindgen",
- "wasm-bindgen-futures",
- "web-sys",
 ]
 
 [[package]]
-name = "gloo-utils"
-version = "0.1.7"
+name = "gloo-timers"
+version = "0.3.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "037fcb07216cb3a30f7292bd0176b050b7b9a052ba830ef7d5d65f6dc64ba58e"
+checksum = "bbb143cf96099802033e0d4f4963b19fd2e0b728bcf076cd9cf7f6634f092994"
 dependencies = [
+ "futures-channel",
+ "futures-core",
  "js-sys",
- "serde",
- "serde_json",
  "wasm-bindgen",
- "web-sys",
 ]
 
 [[package]]
@@ -1619,92 +2123,86 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "f0f9ef7462f7c099f518d754361858f86d8a07af53ba9af0fe635bbccb151a63"
 dependencies = [
  "ff",
- "rand_core",
+ "rand_core 0.6.4",
  "subtle",
 ]
 
 [[package]]
-name = "h2"
-version = "0.3.21"
+name = "guardian"
+version = "1.3.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "91fc23aa11be92976ef4729127f1a74adf36d8436f7816b185d18df956790833"
-dependencies = [
- "bytes",
- "fnv",
- "futures-core",
- "futures-sink",
- "futures-util",
- "http 0.2.9",
- "indexmap 1.9.3",
- "slab",
- "tokio",
- "tokio-util",
- "tracing",
-]
+checksum = "17e2ac29387b1aa07a1e448f7bb4f35b500787971e965b02842b900afa5c8f6f"
 
 [[package]]
 name = "h2"
-version = "0.4.2"
+version = "0.4.11"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "31d030e59af851932b72ceebadf4a2b5986dba4c3b99dd2493f8273a0f151943"
+checksum = "17da50a276f1e01e0ba6c029e47b7100754904ee8a278f886546e98575380785"
 dependencies = [
+ "atomic-waker",
  "bytes",
  "fnv",
  "futures-core",
  "futures-sink",
- "futures-util",
- "http 1.2.0",
- "indexmap 2.1.0",
+ "http",
+ "indexmap",
  "slab",
  "tokio",
  "tokio-util",
  "tracing",
 ]
 
-[[package]]
-name = "half"
-version = "1.8.2"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "eabb4a44450da02c90444cf74558da904edde8fb4e9035a9a6a4e15445af0bd7"
-
 [[package]]
 name = "hashbrown"
 version = "0.12.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "8a9ee70c43aaf417c914396645a0fa852624801b24ebb7ae78fe8272889ac888"
 dependencies = [
- "ahash 0.7.7",
+ "ahash 0.7.8",
 ]
 
 [[package]]
 name = "hashbrown"
-version = "0.14.2"
+version = "0.14.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e5274423e17b7c9fc20b6e7e208532f9b19825d82dfd615708b70edd83df41f1"
+
+[[package]]
+name = "hashbrown"
+version = "0.15.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "f93e7192158dbcda357bdec5fb5788eebf8bbac027f3f33e719d29135ae84156"
+checksum = "5971ac85611da7067dbfcabef3c70ebb5606018acd9e2a3903a0da507521e0d5"
 dependencies = [
- "ahash 0.8.6",
  "allocator-api2",
+ "equivalent",
+ "foldhash",
 ]
 
+[[package]]
+name = "hashbrown"
+version = "0.16.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "5419bdc4f6a9207fbeba6d11b604d481addf78ecd10c11ad51e76c2f6482748d"
+
 [[package]]
 name = "hashlink"
-version = "0.8.4"
+version = "0.10.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "e8094feaf31ff591f651a2664fb9cfd92bba7a60ce3197265e9482ebe753c8f7"
+checksum = "7382cf6263419f2d8df38c55d7da83da5c18aef87fc7a7fc1fb1e344edfe14c1"
 dependencies = [
- "hashbrown 0.14.2",
+ "hashbrown 0.15.4",
 ]
 
 [[package]]
 name = "headers"
-version = "0.4.0"
+version = "0.4.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "322106e6bd0cba2d5ead589ddb8150a13d7c4217cf80d7c4f682ca994ccc6aa9"
+checksum = "b3314d5adb5d94bcdf56771f2e50dbbc80bb4bdf88967526706205ac9eff24eb"
 dependencies = [
- "base64 0.21.7",
+ "base64",
  "bytes",
  "headers-core",
- "http 1.2.0",
+ "http",
  "httpdate",
  "mime",
  "sha1",
@@ -1716,7 +2214,7 @@ version = "0.3.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "54b4a22553d4242c49fddb9ba998a99962b5cc6f22cb5a3482bec22522403ce4"
 dependencies = [
- "http 1.2.0",
+ "http",
 ]
 
 [[package]]
@@ -1724,18 +2222,24 @@ name = "heck"
 version = "0.4.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "95505c38b4572b2d910cecb0281560f54b440a19336cbbcb27bf6ce6adc6f5a8"
-dependencies = [
- "unicode-segmentation",
-]
+
+[[package]]
+name = "heck"
+version = "0.5.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "2304e00983f87ffb38b55b444b5e3b60a884b5d30c0fca7d82fe33449bbe55ea"
 
 [[package]]
 name = "hermit-abi"
-version = "0.1.19"
+version = "0.3.9"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "62b467343b94ba476dcb2500d242dadbb39557df889310ac77c5d99100aaac33"
-dependencies = [
- "libc",
-]
+checksum = "d231dfb89cfffdbc30e7fc41579ed6066ad03abda9e567ccafae602b97ec5024"
+
+[[package]]
+name = "hermit-abi"
+version = "0.5.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "fc0fef456e4baa96da950455cd02c081ca953b141298e41db3fc7e36b1da849c"
 
 [[package]]
 name = "hex"
@@ -1751,9 +2255,9 @@ checksum = "6fe2267d4ed49bc07b63801559be28c718ea06c4738b7a03c94df7386d2cde46"
 
 [[package]]
 name = "hkdf"
-version = "0.12.3"
+version = "0.12.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "791a029f6b9fc27657f6f188ec6e5e43f6911f6f878e0dc5501396e09809d437"
+checksum = "7b5f8eb2ad728638ea2c7d47a21db23b7b58a72ed6a38256b8a1849f15fbbdf7"
 dependencies = [
  "hmac",
 ]
@@ -1769,55 +2273,44 @@ dependencies = [
 
 [[package]]
 name = "home"
-version = "0.5.5"
+version = "0.5.11"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "5444c27eef6923071f7ebcc33e3444508466a76f7a2b93da00ed6e19f30c1ddb"
+checksum = "589533453244b0995c858700322199b2becb13b627df2851f64a2775d024abcf"
 dependencies = [
- "windows-sys 0.48.0",
+ "windows-sys 0.59.0",
 ]
 
 [[package]]
-name = "html-escape"
-version = "0.2.13"
+name = "hostname"
+version = "0.4.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "6d1ad449764d627e22bfd7cd5e8868264fc9236e07c752972b4080cd351cb476"
+checksum = "a56f203cd1c76362b69e3863fd987520ac36cf70a8c92627449b2f64a8cf7d65"
 dependencies = [
- "utf8-width",
+ "cfg-if",
+ "libc",
+ "windows-link 0.1.3",
 ]
 
 [[package]]
-name = "http"
-version = "0.2.9"
+name = "html-escape"
+version = "0.2.13"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "bd6effc99afb63425aff9b05836f029929e345a6148a14b7ecd5ab67af944482"
+checksum = "6d1ad449764d627e22bfd7cd5e8868264fc9236e07c752972b4080cd351cb476"
 dependencies = [
- "bytes",
- "fnv",
- "itoa",
+ "utf8-width",
 ]
 
 [[package]]
 name = "http"
-version = "1.2.0"
+version = "1.3.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "f16ca2af56261c99fba8bac40a10251ce8188205a4c448fbb745a2e4daa76fea"
+checksum = "f4a85d31aea989eead29a3aaf9e1115a180df8282431156e533de47660892565"
 dependencies = [
  "bytes",
  "fnv",
  "itoa",
 ]
 
-[[package]]
-name = "http-body"
-version = "0.4.5"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "d5f38f16d184e36f2408a55281cd658ecbd3ca05cce6d6510a176eca393e26d1"
-dependencies = [
- "bytes",
- "http 0.2.9",
- "pin-project-lite",
-]
-
 [[package]]
 name = "http-body"
 version = "1.0.1"
@@ -1825,33 +2318,33 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "1efedce1fb8e6913f23e0c92de8e62cd5b772a67e7b3946df930a62566c93184"
 dependencies = [
  "bytes",
- "http 1.2.0",
+ "http",
 ]
 
 [[package]]
 name = "http-body-util"
-version = "0.1.2"
+version = "0.1.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "793429d76616a256bcb62c2a2ec2bed781c8307e797e2598c50010f2bee2544f"
+checksum = "b021d93e26becf5dc7e1b75b1bed1fd93124b374ceb73f43d4d4eafec896a64a"
 dependencies = [
  "bytes",
- "futures-util",
- "http 1.2.0",
- "http-body 1.0.1",
+ "futures-core",
+ "http",
+ "http-body",
  "pin-project-lite",
 ]
 
 [[package]]
 name = "http-range-header"
-version = "0.4.0"
+version = "0.4.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "3ce4ef31cda248bbdb6e6820603b82dfcd9e833db65a43e997a0ccec777d11fe"
+checksum = "9171a2ea8a68358193d15dd5d70c1c10a2afc3e7e4c5bc92bc9f025cebd7359c"
 
 [[package]]
 name = "httparse"
-version = "1.10.0"
+version = "1.10.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "f2d708df4e7140240a16cd6ab0ab65c972d7433ab77819ea693fde9c43811e2a"
+checksum = "6dbf3de79e51f3d586ab4cb9d5c3e2c14aa28ed23d180cf89b4df0454a69cc87"
 
 [[package]]
 name = "httpdate"
@@ -1861,106 +2354,64 @@ checksum = "df3b46402a9d5adb4c86a0cf463f42e19994e3ee891101b1841f30a545cb49a9"
 
 [[package]]
 name = "humantime"
-version = "2.1.0"
+version = "2.2.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "9a3a5bfb195931eeb336b2a7b4d761daec841b97f947d34394601737a7bba5e4"
+checksum = "9b112acc8b3adf4b107a8ec20977da0273a8c386765a3ec0229bd500a1443f9f"
 
 [[package]]
-name = "hyper"
-version = "0.14.27"
+name = "hydration_context"
+version = "0.3.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "ffb1cfd654a8219eaef89881fdb3bb3b1cdc5fa75ded05d6933b2b382e395468"
+checksum = "e8714ae4adeaa846d838f380fbd72f049197de629948f91bf045329e0cf0a283"
 dependencies = [
- "bytes",
- "futures-channel",
- "futures-core",
- "futures-util",
- "h2 0.3.21",
- "http 0.2.9",
- "http-body 0.4.5",
- "httparse",
- "httpdate",
- "itoa",
+ "futures",
+ "once_cell",
+ "or_poisoned",
  "pin-project-lite",
- "socket2 0.4.7",
- "tokio",
- "tower-service",
- "tracing",
- "want",
+ "serde",
+ "throw_error",
 ]
 
 [[package]]
 name = "hyper"
-version = "1.6.0"
+version = "1.7.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "cc2b571658e38e0c01b1fdca3bbbe93c00d3d71693ff2770043f8c29bc7d6f80"
+checksum = "eb3aa54a13a0dfe7fbe3a59e0c76093041720fdc77b110cc0fc260fafb4dc51e"
 dependencies = [
+ "atomic-waker",
  "bytes",
  "futures-channel",
- "futures-util",
- "h2 0.4.2",
- "http 1.2.0",
- "http-body 1.0.1",
+ "futures-core",
+ "h2",
+ "http",
+ "http-body",
  "httparse",
  "httpdate",
  "itoa",
  "pin-project-lite",
+ "pin-utils",
  "smallvec",
  "tokio",
  "want",
 ]
 
-[[package]]
-name = "hyper-http-proxy"
-version = "1.0.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "5d06dbdfbacf34d996c6fb540a71a684a7aae9056c71951163af8a8a4c07b9a4"
-dependencies = [
- "bytes",
- "futures-util",
- "headers",
- "http 1.2.0",
- "hyper 1.6.0",
- "hyper-rustls 0.27.5",
- "hyper-util",
- "pin-project-lite",
- "rustls-native-certs 0.7.3",
- "tokio",
- "tokio-rustls 0.26.1",
- "tower-service",
-]
-
-[[package]]
-name = "hyper-rustls"
-version = "0.24.2"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "ec3efd23720e2049821a693cbc7e65ea87c72f1c58ff2f9522ff332b1491e590"
-dependencies = [
- "futures-util",
- "http 0.2.9",
- "hyper 0.14.27",
- "rustls 0.21.8",
- "tokio",
- "tokio-rustls 0.24.1",
-]
-
 [[package]]
 name = "hyper-rustls"
-version = "0.27.5"
+version = "0.27.7"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "2d191583f3da1305256f22463b9bb0471acad48a4e534a5218b9963e9c1f59b2"
+checksum = "e3c93eb611681b207e1fe55d5a71ecf91572ec8a6705cdb6857f7d8d5242cf58"
 dependencies = [
- "futures-util",
- "http 1.2.0",
- "hyper 1.6.0",
+ "http",
+ "hyper",
  "hyper-util",
  "log",
- "rustls 0.23.23",
- "rustls-native-certs 0.8.1",
+ "rustls",
+ "rustls-native-certs",
  "rustls-pki-types",
  "tokio",
- "tokio-rustls 0.26.1",
+ "tokio-rustls",
  "tower-service",
+ "webpki-roots 1.0.2",
 ]
 
 [[package]]
@@ -1969,7 +2420,7 @@ version = "0.5.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "2b90d566bffbce6a75bd8b09a05aa8c2cb1fabb6cb348f8840c9e4c90a0d83b0"
 dependencies = [
- "hyper 1.6.0",
+ "hyper",
  "hyper-util",
  "pin-project-lite",
  "tokio",
@@ -1978,18 +2429,23 @@ dependencies = [
 
 [[package]]
 name = "hyper-util"
-version = "0.1.10"
+version = "0.1.17"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "df2dcfbe0677734ab2f3ffa7fa7bfd4706bfdc1ef393f2ee30184aed67e631b4"
+checksum = "3c6995591a8f1380fcb4ba966a252a4b29188d51d2b89e3a252f5305be65aea8"
 dependencies = [
+ "base64",
  "bytes",
  "futures-channel",
+ "futures-core",
  "futures-util",
- "http 1.2.0",
- "http-body 1.0.1",
- "hyper 1.6.0",
+ "http",
+ "http-body",
+ "hyper",
+ "ipnet",
+ "libc",
+ "percent-encoding",
  "pin-project-lite",
- "socket2 0.5.5",
+ "socket2 0.6.0",
  "tokio",
  "tower-service",
  "tracing",
@@ -2002,7 +2458,7 @@ source = "git+https://github.com/softprops/hyperlocal?rev=70c0b8e4007b96ed392be7
 dependencies = [
  "hex",
  "http-body-util",
- "hyper 1.6.0",
+ "hyper",
  "hyper-util",
  "pin-project-lite",
  "tokio",
@@ -2011,16 +2467,17 @@ dependencies = [
 
 [[package]]
 name = "iana-time-zone"
-version = "0.1.58"
+version = "0.1.63"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "8326b86b6cff230b97d0d312a6c40a60726df3332e721f72a1b035f451663b20"
+checksum = "b0c919e5debc312ad217002b8048a17b7d83f80703865bbfcfebb0458b0b27d8"
 dependencies = [
  "android_system_properties",
  "core-foundation-sys",
  "iana-time-zone-haiku",
  "js-sys",
+ "log",
  "wasm-bindgen",
- "windows-core 0.51.1",
+ "windows-core 0.61.2",
 ]
 
 [[package]]
@@ -2033,74 +2490,162 @@ dependencies = [
 ]
 
 [[package]]
-name = "ident_case"
-version = "1.0.1"
+name = "icu_collections"
+version = "2.0.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "b9e0384b61958566e926dc50660321d12159025e767c18e043daf26b70104c39"
+checksum = "200072f5d0e3614556f94a9930d5dc3e0662a652823904c3a75dc3b0af7fee47"
+dependencies = [
+ "displaydoc",
+ "potential_utf",
+ "yoke",
+ "zerofrom",
+ "zerovec",
+]
 
 [[package]]
-name = "idna"
-version = "0.3.0"
+name = "icu_locale_core"
+version = "2.0.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "e14ddfc70884202db2244c223200c204c2bda1bc6e0998d11b5e024d657209e6"
+checksum = "0cde2700ccaed3872079a65fb1a78f6c0a36c91570f28755dda67bc8f7d9f00a"
 dependencies = [
- "unicode-bidi",
- "unicode-normalization",
+ "displaydoc",
+ "litemap",
+ "tinystr",
+ "writeable",
+ "zerovec",
 ]
 
 [[package]]
-name = "include_dir"
-version = "0.7.3"
+name = "icu_normalizer"
+version = "2.0.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "18762faeff7122e89e0857b02f7ce6fcc0d101d5e9ad2ad7846cc01d61b7f19e"
+checksum = "436880e8e18df4d7bbc06d58432329d6458cc84531f7ac5f024e93deadb37979"
 dependencies = [
- "include_dir_macros",
+ "displaydoc",
+ "icu_collections",
+ "icu_normalizer_data",
+ "icu_properties",
+ "icu_provider",
+ "smallvec",
+ "zerovec",
 ]
 
 [[package]]
-name = "include_dir_macros"
-version = "0.7.3"
+name = "icu_normalizer_data"
+version = "2.0.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "b139284b5cf57ecfa712bcc66950bb635b31aff41c188e8a4cfc758eca374a3f"
-dependencies = [
- "proc-macro2",
- "quote",
-]
+checksum = "00210d6893afc98edb752b664b8890f0ef174c8adbb8d0be9710fa66fbbf72d3"
 
 [[package]]
-name = "indexmap"
-version = "1.9.3"
+name = "icu_properties"
+version = "2.0.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "bd070e393353796e801d209ad339e89596eb4c8d430d18ede6a1cced8fafbd99"
+checksum = "016c619c1eeb94efb86809b015c58f479963de65bdb6253345c1a1276f22e32b"
 dependencies = [
- "autocfg",
- "hashbrown 0.12.3",
+ "displaydoc",
+ "icu_collections",
+ "icu_locale_core",
+ "icu_properties_data",
+ "icu_provider",
+ "potential_utf",
+ "zerotrie",
+ "zerovec",
 ]
 
 [[package]]
-name = "indexmap"
-version = "2.1.0"
+name = "icu_properties_data"
+version = "2.0.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "d530e1a18b1cb4c484e6e34556a0d948706958449fca0cab753d649f2bce3d1f"
-dependencies = [
- "equivalent",
- "hashbrown 0.14.2",
- "serde",
-]
+checksum = "298459143998310acd25ffe6810ed544932242d3f07083eee1084d83a71bd632"
 
 [[package]]
-name = "inherent"
-version = "1.0.10"
+name = "icu_provider"
+version = "2.0.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "ce243b1bfa62ffc028f1cc3b6034ec63d649f3031bc8a4fbbb004e1ac17d1f68"
+checksum = "03c80da27b5f4187909049ee2d72f276f0d9f99a42c306bd0131ecfe04d8e5af"
 dependencies = [
- "proc-macro2",
- "quote",
- "syn 2.0.98",
+ "displaydoc",
+ "icu_locale_core",
+ "stable_deref_trait",
+ "tinystr",
+ "writeable",
+ "yoke",
+ "zerofrom",
+ "zerotrie",
+ "zerovec",
 ]
 
 [[package]]
-name = "inotify"
+name = "ident_case"
+version = "1.0.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b9e0384b61958566e926dc50660321d12159025e767c18e043daf26b70104c39"
+
+[[package]]
+name = "idna"
+version = "1.0.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "686f825264d630750a544639377bae737628043f20d38bbc029e8f29ea968a7e"
+dependencies = [
+ "idna_adapter",
+ "smallvec",
+ "utf8_iter",
+]
+
+[[package]]
+name = "idna_adapter"
+version = "1.2.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "3acae9609540aa318d1bc588455225fb2085b9ed0c4f6bd0d9d5bcd86f1a0344"
+dependencies = [
+ "icu_normalizer",
+ "icu_properties",
+]
+
+[[package]]
+name = "include_dir"
+version = "0.7.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "923d117408f1e49d914f1a379a309cffe4f18c05cf4e3d12e613a15fc81bd0dd"
+dependencies = [
+ "include_dir_macros",
+]
+
+[[package]]
+name = "include_dir_macros"
+version = "0.7.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "7cab85a7ed0bd5f0e76d93846e0147172bed2e2d3f859bcc33a8d9699cad1a75"
+dependencies = [
+ "proc-macro2",
+ "quote",
+]
+
+[[package]]
+name = "indexmap"
+version = "2.12.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "6717a8d2a5a929a1a2eb43a12812498ed141a0bcfb7e8f7844fbdbe4303bba9f"
+dependencies = [
+ "equivalent",
+ "hashbrown 0.16.0",
+ "serde",
+ "serde_core",
+]
+
+[[package]]
+name = "inherent"
+version = "1.0.12"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "6c38228f24186d9cc68c729accb4d413be9eaed6ad07ff79e0270d9e56f3de13"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn 2.0.104",
+]
+
+[[package]]
+name = "inotify"
 version = "0.9.6"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "f8069d3ec154eb856955c1c0fbffefbf5f3c40a104ec912d4797314c1801abff"
@@ -2121,19 +2666,28 @@ dependencies = [
 
 [[package]]
 name = "inout"
-version = "0.1.3"
+version = "0.1.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "a0c10553d664a4d0bcff9f4215d0aac67a639cc68ef660840afe309b807bc9f5"
+checksum = "879f10e63c20629ecabbb64a8010319738c66a5cd0c29b02d63d272b03751d01"
 dependencies = [
  "block-padding",
  "generic-array",
 ]
 
+[[package]]
+name = "instant"
+version = "0.1.13"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e0242819d153cba4b4b05a5a8f2a7e9bbf97b6055b2a002b395c96b5ff3c0222"
+dependencies = [
+ "cfg-if",
+]
+
 [[package]]
 name = "internal-russh-forked-ssh-key"
-version = "0.6.9+upstream-0.6.7"
+version = "0.6.11+upstream-0.6.7"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "fb5af01d366561582e9ea5f841837cc1d8e37e7142a32f33a43801e81863cba5"
+checksum = "e0a77eae781ed6a7709fb15b64862fcca13d886b07c7e2786f5ed34e5e2b9187"
 dependencies = [
  "argon2",
  "bcrypt-pbkdf",
@@ -2145,7 +2699,7 @@ dependencies = [
  "p256",
  "p384",
  "p521",
- "rand_core",
+ "rand_core 0.6.4",
  "rsa",
  "sec1",
  "sha1",
@@ -2164,59 +2718,116 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "71dd52191aae121e8611f1e8dc3e324dd0dd1dee1e6dd91d10ee07a3cfb4d9d8"
 
 [[package]]
-name = "inventory"
-version = "0.3.13"
+name = "io-lifetimes"
+version = "1.0.11"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "0508c56cfe9bfd5dfeb0c22ab9a6abfda2f27bdca422132e494266351ed8d83c"
+checksum = "eae7b9aee968036d54dce06cebaefd919e4472e753296daccd6d344e3e2df0c2"
+dependencies = [
+ "hermit-abi 0.3.9",
+ "libc",
+ "windows-sys 0.48.0",
+]
 
 [[package]]
 name = "ipnet"
-version = "2.9.0"
+version = "2.11.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "469fb0b9cefa57e3ef31275ee7cacb78f2fdca44e4765491884a2b119d4eb130"
+
+[[package]]
+name = "iri-string"
+version = "0.7.9"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "8f518f335dce6725a761382244631d86cf0ccb2863413590b31338feb467f9c3"
+checksum = "4f867b9d1d896b67beb18518eda36fdb77a32ea590de864f1325b294a6d14397"
+dependencies = [
+ "memchr",
+ "serde",
+]
+
+[[package]]
+name = "is_terminal_polyfill"
+version = "1.70.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "7943c866cc5cd64cbc25b2e01621d07fa8eb2a1a23160ee81ce38704e97b8ecf"
 
 [[package]]
 name = "itertools"
-version = "0.11.0"
+version = "0.12.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "b1c173a5686ce8bfa551b3563d0c2170bf24ca44da99c7ca4bfdab5418c3fe57"
+checksum = "ba291022dbbd398a455acf126c1e341954079855bc60dfdda641363bd6922569"
 dependencies = [
  "either",
 ]
 
 [[package]]
 name = "itertools"
-version = "0.12.0"
+version = "0.14.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "25db6b064527c5d482d0423354fcd07a89a2dfe07b67892e62411946db7f07b0"
+checksum = "2b192c782037fadd9cfa75548310488aabdbf3d2da73885b31bd0abd03351285"
 dependencies = [
  "either",
 ]
 
 [[package]]
 name = "itoa"
-version = "1.0.9"
+version = "1.0.15"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "af150ab688ff2122fcef229be89cb50dd66af9e01a4ff320cc137eecc9bacc38"
+checksum = "4a5f13b858c8d314ee3e8f639011f7ccefe71f97f96e50151fb991f267928e2c"
+
+[[package]]
+name = "jni"
+version = "0.21.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "1a87aa2bb7d2af34197c04845522473242e1aa17c12f4935d5856491a7fb8c97"
+dependencies = [
+ "cesu8",
+ "cfg-if",
+ "combine",
+ "jni-sys",
+ "log",
+ "thiserror 1.0.69",
+ "walkdir",
+ "windows-sys 0.45.0",
+]
+
+[[package]]
+name = "jni-sys"
+version = "0.3.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "8eaf4bc02d17cbdd7ff4c7438cafcdf7fb9a4613313ad11b4f8fefe7d3fa0130"
 
 [[package]]
 name = "jobserver"
-version = "0.1.27"
+version = "0.1.33"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "8c37f63953c4c63420ed5fd3d6d398c719489b9f872b9fa683262f8edd363c7d"
+checksum = "38f262f097c174adebe41eb73d66ae9c06b2844fb0da69969647bbddd9b0538a"
 dependencies = [
+ "getrandom 0.3.3",
  "libc",
 ]
 
 [[package]]
 name = "js-sys"
-version = "0.3.72"
+version = "0.3.77"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "6a88f1bda2bd75b0452a14784937d796722fdebfe50df998aeb3f0b7603019a9"
+checksum = "1cfaf33c695fc6e08064efbc1f72ec937429614f25eef83af942d0e227c3a28f"
 dependencies = [
+ "once_cell",
  "wasm-bindgen",
 ]
 
+[[package]]
+name = "json-patch"
+version = "4.0.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "159294d661a039f7644cea7e4d844e6b25aaf71c1ffe9d73a96d768c24b0faf4"
+dependencies = [
+ "jsonptr",
+ "serde",
+ "serde_json",
+ "thiserror 1.0.69",
+]
+
 [[package]]
 name = "json5"
 version = "0.4.1"
@@ -2238,27 +2849,51 @@ dependencies = [
  "pest_derive",
  "regex",
  "serde_json",
- "thiserror 2.0.11",
+ "thiserror 2.0.17",
+]
+
+[[package]]
+name = "jsonptr"
+version = "0.7.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a5a3cc660ba5d72bce0b3bb295bf20847ccbb40fd423f3f05b61273672e561fe"
+dependencies = [
+ "serde",
+ "serde_json",
 ]
 
 [[package]]
 name = "k8s-openapi"
-version = "0.24.0"
+version = "0.26.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "2c75b990324f09bef15e791606b7b7a296d02fc88a344f6eba9390970a870ad5"
+checksum = "d13f06d5326a915becaffabdfab75051b8cdc260c2a5c06c0e90226ede89a692"
 dependencies = [
- "base64 0.22.1",
+ "base64",
  "chrono",
  "serde",
- "serde-value",
  "serde_json",
 ]
 
+[[package]]
+name = "keyring"
+version = "3.6.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "eebcc3aff044e5944a8fbaf69eb277d11986064cba30c468730e8b9909fb551c"
+dependencies = [
+ "byteorder",
+ "linux-keyutils",
+ "log",
+ "security-framework 2.11.1",
+ "security-framework 3.2.0",
+ "windows-sys 0.60.2",
+ "zeroize",
+]
+
 [[package]]
 name = "kqueue"
-version = "1.0.8"
+version = "1.1.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "7447f1ca1b7b563588a205fe93dea8df60fd981423a768bc1c0ded35ed147d0c"
+checksum = "eac30106d7dce88daf4a3fcb4879ea939476d5074a9b7ddd0fb97fa4bed5596a"
 dependencies = [
  "kqueue-sys",
  "libc",
@@ -2276,89 +2911,146 @@ dependencies = [
 
 [[package]]
 name = "kube"
-version = "0.98.0"
+version = "2.0.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "32053dc495efad4d188c7b33cc7c02ef4a6e43038115348348876efd39a53cba"
+checksum = "48e7bb0b6a46502cc20e4575b6ff401af45cfea150b34ba272a3410b78aa014e"
 dependencies = [
  "k8s-openapi",
  "kube-client",
  "kube-core",
+ "kube-derive",
+ "kube-runtime",
 ]
 
 [[package]]
 name = "kube-client"
-version = "0.98.0"
+version = "2.0.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "9d34ad38cdfbd1fa87195d42569f57bb1dda6ba5f260ee32fef9570b7937a0c9"
+checksum = "4987d57a184d2b5294fdad3d7fc7f278899469d21a4da39a8f6ca16426567a36"
 dependencies = [
- "base64 0.22.1",
+ "base64",
  "bytes",
  "chrono",
  "either",
  "futures",
  "home",
- "http 1.2.0",
- "http-body 1.0.1",
+ "http",
+ "http-body",
  "http-body-util",
- "hyper 1.6.0",
- "hyper-http-proxy",
- "hyper-rustls 0.27.5",
+ "hyper",
+ "hyper-rustls",
  "hyper-timeout",
  "hyper-util",
  "jsonpath-rust",
  "k8s-openapi",
  "kube-core",
  "pem",
- "rustls 0.23.23",
- "rustls-pemfile 2.1.0",
+ "rustls",
  "secrecy",
  "serde",
  "serde_json",
  "serde_yaml",
- "thiserror 2.0.11",
+ "thiserror 2.0.17",
  "tokio",
  "tokio-util",
- "tower 0.5.2",
- "tower-http 0.6.2",
+ "tower",
+ "tower-http",
  "tracing",
 ]
 
 [[package]]
 name = "kube-core"
-version = "0.98.0"
+version = "2.0.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "97aa830b288a178a90e784d1b0f1539f2d200d2188c7b4a3146d9dc983d596f3"
+checksum = "914bbb770e7bb721a06e3538c0edd2babed46447d128f7c21caa68747060ee73"
 dependencies = [
  "chrono",
+ "derive_more",
  "form_urlencoded",
- "http 1.2.0",
+ "http",
+ "json-patch",
  "k8s-openapi",
+ "schemars",
  "serde",
  "serde-value",
  "serde_json",
- "thiserror 2.0.11",
+ "thiserror 2.0.17",
+]
+
+[[package]]
+name = "kube-derive"
+version = "2.0.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "03dee8252be137772a6ab3508b81cd797dee62ee771112a2453bc85cbbe150d2"
+dependencies = [
+ "darling 0.21.3",
+ "proc-macro2",
+ "quote",
+ "serde",
+ "serde_json",
+ "syn 2.0.104",
+]
+
+[[package]]
+name = "kube-runtime"
+version = "2.0.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "6aea4de4b562c5cc89ab10300bb63474ae1fa57ff5a19275f2e26401a323e3fd"
+dependencies = [
+ "ahash 0.8.12",
+ "async-broadcast",
+ "async-stream",
+ "backon",
+ "educe 0.6.0",
+ "futures",
+ "hashbrown 0.15.4",
+ "hostname",
+ "json-patch",
+ "k8s-openapi",
+ "kube-client",
+ "parking_lot",
+ "pin-project",
+ "serde",
+ "serde_json",
+ "thiserror 2.0.17",
+ "tokio",
+ "tokio-util",
+ "tracing",
+]
+
+[[package]]
+name = "kv-log-macro"
+version = "1.0.7"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "0de8b303297635ad57c9f5059fd9cee7a47f8e8daa09df0fcd07dd39fb22977f"
+dependencies = [
+ "log",
 ]
 
 [[package]]
 name = "lapdev"
-version = "0.1.0"
+version = "0.2.0"
 dependencies = [
  "anyhow",
+ "dotenvy",
  "lapdev-api",
+ "lapdev-cli",
  "lapdev-db",
  "lapdev-guest-agent",
  "lapdev-kube",
+ "lapdev-kube-manager",
  "lapdev-ws",
- "sea-orm-migration",
+ "sea-orm-cli",
  "tokio",
  "tracing",
  "tracing-appender",
+ "tracing-journald",
  "tracing-subscriber",
 ]
 
 [[package]]
 name = "lapdev-api"
-version = "0.1.0"
+version = "0.2.0"
 dependencies = [
  "anyhow",
  "axum",
@@ -2370,67 +3062,131 @@ dependencies = [
  "futures",
  "futures-util",
  "git2",
- "hyper 1.6.0",
+ "hyper",
  "hyper-util",
  "include_dir",
- "itertools 0.12.0",
+ "itertools 0.14.0",
+ "k8s-openapi",
+ "lapdev-api-hrpc",
  "lapdev-common",
  "lapdev-conductor",
  "lapdev-db",
+ "lapdev-db-entities",
+ "lapdev-devbox-rpc",
  "lapdev-enterprise",
  "lapdev-kube",
+ "lapdev-kube-rpc",
  "lapdev-proxy-http",
  "lapdev-proxy-ssh",
  "lapdev-rpc",
+ "lapdev-tunnel",
  "oauth2",
  "pasetors",
+ "pin-project",
+ "regex",
  "reqwest",
  "russh",
- "rustls-pemfile 2.1.0",
- "rustls-webpki 0.102.8",
+ "rustls-pemfile",
+ "rustls-webpki",
  "sea-orm",
+ "secrecy",
  "serde",
  "serde_json",
+ "serde_yaml",
  "sqlx",
+ "tarpc",
  "tokio",
- "tokio-rustls 0.25.0",
- "toml 0.8.11",
- "tower 0.4.13",
- "tower-http 0.5.2",
+ "tokio-rustls",
+ "tokio-stream",
+ "tokio-tungstenite",
+ "tokio-util",
+ "toml",
+ "tower",
+ "tower-http",
  "tracing",
  "tracing-appender",
  "tracing-subscriber",
  "uuid",
 ]
 
+[[package]]
+name = "lapdev-api-hrpc"
+version = "0.2.0"
+dependencies = [
+ "lapdev-common",
+ "lapdev-hrpc",
+ "serde",
+ "uuid",
+]
+
+[[package]]
+name = "lapdev-cli"
+version = "0.2.0"
+dependencies = [
+ "anyhow",
+ "bytes",
+ "chrono",
+ "clap",
+ "colored",
+ "dirs",
+ "futures",
+ "futures-util",
+ "hostname",
+ "http",
+ "keyring",
+ "lapdev-common",
+ "lapdev-devbox-rpc",
+ "lapdev-rpc",
+ "lapdev-tunnel",
+ "quinn",
+ "reqwest",
+ "serde",
+ "serde_json",
+ "tarpc",
+ "tempfile",
+ "thiserror 2.0.17",
+ "tokio",
+ "tokio-tungstenite",
+ "tokio-util",
+ "tracing",
+ "tracing-appender",
+ "tracing-subscriber",
+ "urlencoding",
+ "uuid",
+ "webbrowser",
+ "windows-sys 0.59.0",
+]
+
 [[package]]
 name = "lapdev-common"
-version = "0.1.0"
+version = "0.2.0"
 dependencies = [
  "anyhow",
  "base16ct",
  "chrono",
- "rand",
+ "rand 0.9.2",
+ "secrecy",
  "serde",
  "serde_json",
  "sha2",
- "strum 0.26.1",
+ "strum 0.27.2",
  "strum_macros",
  "uuid",
 ]
 
 [[package]]
 name = "lapdev-conductor"
-version = "0.1.0"
+version = "0.2.0"
 dependencies = [
  "anyhow",
  "chrono",
  "data-encoding",
  "futures",
  "git2",
- "itertools 0.12.0",
+ "itertools 0.14.0",
  "lapdev-common",
  "lapdev-db",
+ "lapdev-db-entities",
  "lapdev-enterprise",
  "lapdev-rpc",
  "russh",
@@ -2449,18 +3205,23 @@ dependencies = [
 
 [[package]]
 name = "lapdev-dashboard"
-version = "0.1.0"
+version = "0.2.0"
 dependencies = [
  "anyhow",
  "chrono",
  "futures",
- "gloo-net 0.5.0",
+ "getrandom 0.3.3",
+ "gloo-net",
+ "gloo-timers 0.2.6",
+ "lapdev-api-hrpc",
  "lapdev-common",
  "leptos",
  "leptos_router",
+ "lucide-leptos",
  "rust_decimal",
  "serde",
  "serde_json",
+ "tailwind_fuse",
  "urlencoding",
  "uuid",
  "wasm-bindgen",
@@ -2469,35 +3230,76 @@ dependencies = [
 
 [[package]]
 name = "lapdev-db"
-version = "0.1.0"
+version = "0.2.0"
 dependencies = [
  "anyhow",
- "base64 0.22.1",
+ "base64",
  "chrono",
+ "hex",
  "lapdev-common",
+ "lapdev-db-entities",
+ "lapdev-db-migration",
  "pasetors",
  "sea-orm",
  "sea-orm-migration",
+ "secrecy",
+ "serde",
+ "serde_json",
+ "serde_yaml",
  "sqlx",
  "tokio",
+ "tracing",
+ "uuid",
+]
+
+[[package]]
+name = "lapdev-db-entities"
+version = "0.2.0"
+dependencies = [
+ "sea-orm",
+ "sea-orm-cli",
+ "tokio",
+]
+
+[[package]]
+name = "lapdev-db-migration"
+version = "0.2.0"
+dependencies = [
+ "lapdev-common",
+ "lapdev-db-entities",
+ "sea-orm-cli",
+ "sea-orm-migration",
+ "tokio",
+ "uuid",
+]
+
+[[package]]
+name = "lapdev-devbox-rpc"
+version = "0.2.0"
+dependencies = [
+ "chrono",
+ "lapdev-common",
+ "serde",
+ "tarpc",
  "uuid",
 ]
 
 [[package]]
 name = "lapdev-enterprise"
-version = "0.1.0"
+version = "0.2.0"
 dependencies = [
  "anyhow",
- "base64 0.22.1",
+ "base64",
  "chrono",
  "lapdev-common",
  "lapdev-db",
+ "lapdev-db-entities",
  "lapdev-rpc",
  "pasetors",
  "sea-orm",
  "serde",
  "serde_json",
- "strum 0.26.1",
+ "strum 0.27.2",
  "strum_macros",
  "tokio",
  "uuid",
@@ -2505,37 +3307,174 @@ dependencies = [
 
 [[package]]
 name = "lapdev-guest-agent"
-version = "0.1.0"
+version = "0.2.0"
+dependencies = [
+ "serde_json",
+ "tracing",
+]
+
+[[package]]
+name = "lapdev-hrpc"
+version = "0.2.0"
+dependencies = [
+ "anyhow",
+ "gloo-net",
+ "http",
+ "lapdev-hrpc-proc-macro",
+ "reqwest",
+ "serde",
+ "serde_json",
+]
+
+[[package]]
+name = "lapdev-hrpc-proc-macro"
+version = "0.2.0"
+dependencies = [
+ "lapdev-hrpc",
+ "proc-macro2",
+ "quote",
+ "syn 2.0.104",
+]
+
+[[package]]
+name = "lapdev-kube"
+version = "0.2.0"
+dependencies = [
+ "anyhow",
+ "axum",
+ "base64",
+ "chrono",
+ "futures",
+ "httparse",
+ "k8s-openapi",
+ "kube",
+ "lapdev-common",
+ "lapdev-db",
+ "lapdev-db-entities",
+ "lapdev-kube-rpc",
+ "lapdev-rpc",
+ "lapdev-tunnel",
+ "pasetors",
+ "pem",
+ "reqwest",
+ "sea-orm",
+ "serde",
+ "serde_json",
+ "serde_yaml",
+ "tarpc",
+ "thiserror 2.0.17",
+ "tokio",
+ "tokio-tungstenite",
+ "tracing",
+ "uuid",
+ "yup-oauth2",
+]
+
+[[package]]
+name = "lapdev-kube-manager"
+version = "0.2.0"
+dependencies = [
+ "anyhow",
+ "bytes",
+ "chrono",
+ "futures",
+ "futures-util",
+ "k8s-openapi",
+ "kube",
+ "lapdev-common",
+ "lapdev-kube-rpc",
+ "lapdev-rpc",
+ "lapdev-tunnel",
+ "reqwest",
+ "serde",
+ "serde_yaml",
+ "tarpc",
+ "tokio",
+ "tokio-tungstenite",
+ "tokio-util",
+ "tracing",
+ "tracing-journald",
+ "tracing-subscriber",
+ "uuid",
+]
+
+[[package]]
+name = "lapdev-kube-rpc"
+version = "0.2.0"
 dependencies = [
+ "chrono",
+ "httparse",
+ "k8s-openapi",
+ "lapdev-common",
+ "serde",
  "serde_json",
+ "tarpc",
+ "tokio",
+ "tracing",
+ "uuid",
 ]
 
 [[package]]
-name = "lapdev-kube"
-version = "0.1.0"
+name = "lapdev-kube-sidecar-proxy"
+version = "0.2.0"
 dependencies = [
  "anyhow",
- "base64 0.22.1",
+ "axum",
+ "bytes",
+ "chrono",
+ "clap",
+ "futures",
+ "futures-util",
+ "h2",
+ "http",
+ "http-body-util",
+ "httparse",
+ "hyper",
+ "hyper-util",
  "k8s-openapi",
  "kube",
+ "lapdev-common",
+ "lapdev-hrpc",
+ "lapdev-kube-rpc",
+ "lapdev-rpc",
+ "lapdev-tunnel",
+ "libc",
+ "nix",
+ "serde",
+ "serde_json",
+ "serde_yaml",
+ "socket2 0.5.10",
+ "tarpc",
+ "thiserror 2.0.17",
+ "tokio",
+ "tokio-tungstenite",
+ "tokio-util",
+ "tower",
+ "tower-http",
+ "tracing",
+ "tracing-subscriber",
+ "url",
+ "uuid",
 ]
 
 [[package]]
 name = "lapdev-proxy-http"
-version = "0.1.0"
+version = "0.2.0"
 dependencies = [
  "anyhow",
  "axum",
  "futures",
- "hyper 1.6.0",
+ "hyper",
  "lapdev-db",
+ "lapdev-db-entities",
  "tokio",
- "tokio-tungstenite 0.26.1",
+ "tokio-tungstenite",
+ "tracing",
 ]
 
 [[package]]
 name = "lapdev-proxy-ssh"
-version = "0.1.0"
+version = "0.2.0"
 dependencies = [
  "anyhow",
  "async-trait",
@@ -2543,6 +3482,7 @@ dependencies = [
  "lapdev-common",
  "lapdev-conductor",
  "lapdev-db",
+ "lapdev-db-entities",
  "russh",
  "sea-orm",
  "serde_json",
@@ -2552,24 +3492,49 @@ dependencies = [
 
 [[package]]
 name = "lapdev-rpc"
-version = "0.1.0"
+version = "0.2.0"
 dependencies = [
  "anyhow",
  "axum",
  "chrono",
  "futures",
  "lapdev-common",
+ "pin-project",
  "serde",
  "serde_json",
  "tarpc",
  "tokio",
+ "tokio-util",
+ "tracing",
+ "uuid",
+]
+
+[[package]]
+name = "lapdev-tunnel"
+version = "0.2.0"
+dependencies = [
+ "bytes",
+ "chrono",
+ "futures",
+ "futures-util",
+ "lapdev-common",
+ "pin-project",
+ "quinn",
+ "rand 0.9.2",
+ "rcgen",
+ "serde",
+ "thiserror 2.0.17",
+ "tokio",
+ "tokio-serde",
+ "tokio-tungstenite",
+ "tokio-util",
  "tracing",
  "uuid",
 ]
 
 [[package]]
 name = "lapdev-ws"
-version = "0.1.0"
+version = "0.2.0"
 dependencies = [
  "anyhow",
  "async-compression",
@@ -2582,7 +3547,7 @@ dependencies = [
  "futures",
  "git2",
  "http-body-util",
- "hyper 1.6.0",
+ "hyper",
  "hyper-util",
  "hyperlocal",
  "json5",
@@ -2600,7 +3565,7 @@ dependencies = [
  "tempfile",
  "tokio",
  "tokio-util",
- "toml 0.8.11",
+ "toml",
  "tracing",
  "tracing-appender",
  "tracing-subscriber",
@@ -2610,196 +3575,189 @@ dependencies = [
 
 [[package]]
 name = "lazy_static"
-version = "1.4.0"
+version = "1.5.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "e2abad23fbc42b3700f2f279844dc832adb2b2eb069b2df918f455c4e18cc646"
+checksum = "bbd2bcb4c963f2ddae06a2efc7e9f3591312473c50c6685e1f298068316e66fe"
 dependencies = [
- "spin 0.5.2",
+ "spin",
 ]
 
 [[package]]
 name = "leptos"
-version = "0.6.5"
+version = "0.8.6"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "0c115de7c6fca2164133e18328777d02c371434ace38049ac02886b5cffd22dc"
+checksum = "20adc17f0584e5f605a31444179bae17c399a2d160bf19eb3da701a1f6e7cb8e"
 dependencies = [
+ "any_spawner",
  "cfg-if",
+ "either_of",
+ "futures",
+ "getrandom 0.3.3",
+ "hydration_context",
  "leptos_config",
  "leptos_dom",
+ "leptos_hot_reload",
  "leptos_macro",
- "leptos_reactive",
  "leptos_server",
+ "oco_ref",
+ "or_poisoned",
+ "paste",
+ "reactive_graph",
+ "rustc-hash",
+ "rustc_version",
+ "send_wrapper",
+ "serde",
+ "serde_json",
+ "serde_qs",
  "server_fn",
- "tracing",
+ "slotmap",
+ "tachys",
+ "thiserror 2.0.17",
+ "throw_error",
  "typed-builder",
  "typed-builder-macro",
  "wasm-bindgen",
+ "wasm-bindgen-futures",
+ "wasm_split_helpers",
  "web-sys",
 ]
 
 [[package]]
 name = "leptos_config"
-version = "0.6.5"
+version = "0.8.5"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "055262ff3660e95ec95cadd8a05a02070d624354e08e30b99c14a81023feb2dc"
+checksum = "b0fddaae8dbc1680aa59c40c8f8ebb780b9a841e503d3cc5143d346a40c6d8ab"
 dependencies = [
  "config",
  "regex",
  "serde",
- "thiserror 1.0.58",
+ "thiserror 2.0.17",
  "typed-builder",
 ]
 
 [[package]]
 name = "leptos_dom"
-version = "0.6.5"
+version = "0.8.5"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "adfea7feb9c488448db466ca0673b691ec2a05efb0b2bc6626b7248ee04bb39c"
+checksum = "1aa676df0da118c690d65669eb322f47f0e47f5505ce5d2119ed5b4432d3c732"
 dependencies = [
- "async-recursion",
- "cfg-if",
- "drain_filter_polyfill",
- "futures",
- "getrandom",
- "html-escape",
- "indexmap 2.1.0",
- "itertools 0.12.0",
  "js-sys",
- "leptos_reactive",
- "once_cell",
- "pad-adapter",
- "paste",
- "rustc-hash",
- "serde",
- "serde_json",
- "server_fn",
- "smallvec",
- "tracing",
+ "or_poisoned",
+ "reactive_graph",
+ "send_wrapper",
+ "tachys",
  "wasm-bindgen",
- "wasm-bindgen-futures",
  "web-sys",
 ]
 
 [[package]]
 name = "leptos_hot_reload"
-version = "0.6.5"
+version = "0.8.5"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "3ba8f68f7c3135975eb34ed19210272ebef2d6f422d138ff87a726b8793fe105"
+checksum = "0d61ec3e1ff8aaee8c5151688550c0363f85bc37845450764c31ff7584a33f38"
 dependencies = [
  "anyhow",
  "camino",
- "indexmap 2.1.0",
+ "indexmap",
  "parking_lot",
  "proc-macro2",
  "quote",
  "rstml",
  "serde",
- "syn 2.0.98",
+ "syn 2.0.104",
  "walkdir",
 ]
 
 [[package]]
 name = "leptos_macro"
-version = "0.6.5"
+version = "0.8.6"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "039c510dafb7d9997e4b8accfcced5675fabc65720caf544592df32432d6d65a"
+checksum = "5a824b74d70dd505e5fe32952150325275050febb0d0bd7ac8b8efc50a69ec95"
 dependencies = [
  "attribute-derive",
  "cfg-if",
- "convert_case",
+ "convert_case 0.8.0",
  "html-escape",
- "itertools 0.12.0",
+ "itertools 0.14.0",
  "leptos_hot_reload",
  "prettyplease",
- "proc-macro-error",
+ "proc-macro-error2",
  "proc-macro2",
  "quote",
  "rstml",
+ "rustc_version",
  "server_fn_macro",
- "syn 2.0.98",
- "tracing",
+ "syn 2.0.104",
  "uuid",
 ]
 
 [[package]]
-name = "leptos_reactive"
-version = "0.6.5"
+name = "leptos_router"
+version = "0.8.5"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "b30c5bc7f3496d6ba399578171cf133c50d2172f9791fe292db4da2fd0d8cec4"
+checksum = "3991de30a9cce8082e8c0d729744c8f6ffd66a828629806bf1332cb624123c75"
 dependencies = [
- "base64 0.21.7",
- "cfg-if",
+ "any_spawner",
+ "either_of",
  "futures",
- "indexmap 2.1.0",
+ "gloo-net",
  "js-sys",
- "paste",
- "pin-project",
- "rustc-hash",
- "self_cell",
- "serde",
- "serde-wasm-bindgen",
- "serde_json",
- "slotmap",
- "thiserror 1.0.58",
- "tracing",
+ "leptos",
+ "leptos_router_macro",
+ "or_poisoned",
+ "reactive_graph",
+ "rustc_version",
+ "send_wrapper",
+ "tachys",
+ "thiserror 2.0.17",
+ "url",
  "wasm-bindgen",
- "wasm-bindgen-futures",
  "web-sys",
 ]
 
 [[package]]
-name = "leptos_router"
-version = "0.6.5"
+name = "leptos_router_macro"
+version = "0.8.5"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "498159479603569e1d7c969cffa0817b73249e96f825c295743f8f4607a68cbe"
+checksum = "571042420d79f4f5b6b0d149dc1561b03f47e08c37c8fa0dfc80c73ad67be8af"
 dependencies = [
- "cfg-if",
- "gloo-net 0.2.6",
- "itertools 0.12.0",
- "js-sys",
- "lazy_static",
- "leptos",
- "linear-map",
- "once_cell",
- "percent-encoding",
- "send_wrapper",
- "serde",
- "serde_json",
- "serde_qs",
- "thiserror 1.0.58",
- "tracing",
- "wasm-bindgen",
- "wasm-bindgen-futures",
- "web-sys",
+ "proc-macro-error2",
+ "proc-macro2",
+ "quote",
+ "syn 2.0.104",
 ]
 
 [[package]]
 name = "leptos_server"
-version = "0.6.5"
+version = "0.8.5"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "f06b9b860479385991fad54cbee372382aee3c1e75ca78b5da6f8bda90c153e1"
+checksum = "38acbf32649a4b127c8d4ccaed8fb388e19a746430a0ea8f8160e51e28c36e2d"
 dependencies = [
- "inventory",
- "lazy_static",
- "leptos_macro",
- "leptos_reactive",
+ "any_spawner",
+ "base64",
+ "codee",
+ "futures",
+ "hydration_context",
+ "or_poisoned",
+ "reactive_graph",
+ "send_wrapper",
  "serde",
+ "serde_json",
  "server_fn",
- "thiserror 1.0.58",
- "tracing",
+ "tachys",
 ]
 
 [[package]]
 name = "libc"
-version = "0.2.162"
+version = "0.2.174"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "18d287de67fe55fd7e1581fe933d965a5a9477b38e949cfa9f8574ef01506398"
+checksum = "1171693293099992e19cddea4e8b849964e9846f4acee11b3948bcc337be8776"
 
 [[package]]
 name = "libgit2-sys"
-version = "0.16.2+1.7.2"
+version = "0.18.2+1.9.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "ee4126d8b4ee5c9d9ea891dd875cfdc1e9d0950437179104b183d7d8a74d24e8"
+checksum = "1c42fe03df2bd3c53a3a9c7317ad91d80c81cd1fb0caec8d7cc4cd2bfa10c222"
 dependencies = [
  "cc",
  "libc",
@@ -2809,17 +3767,38 @@ dependencies = [
  "pkg-config",
 ]
 
+[[package]]
+name = "libloading"
+version = "0.8.8"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "07033963ba89ebaf1584d767badaa2e8fcec21aedea6b8c0346d487d49c28667"
+dependencies = [
+ "cfg-if",
+ "windows-targets 0.53.3",
+]
+
 [[package]]
 name = "libm"
-version = "0.2.8"
+version = "0.2.15"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f9fbbcab51052fe104eb5e5d351cf728d30a5be1fe14d9be8a3b097481fb97de"
+
+[[package]]
+name = "libredox"
+version = "0.1.9"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "4ec2a862134d2a7d32d7983ddcdd1c4923530833c9f2ea1a44fc5fa473989058"
+checksum = "391290121bad3d37fbddad76d8f5d1c1c314cfc646d143d7e07a3086ddff0ce3"
+dependencies = [
+ "bitflags 2.9.1",
+ "libc",
+ "redox_syscall",
+]
 
 [[package]]
 name = "libsqlite3-sys"
-version = "0.27.0"
+version = "0.30.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "cf4e226dcd58b4be396f7bd3c20da8fdee2911400705297ba7d2d7cc2c30f716"
+checksum = "2e99fb7a497b1e3339bc746195567ed8d3e24945ecd636e3619d20b9de9e9149"
 dependencies = [
  "cc",
  "pkg-config",
@@ -2828,9 +3807,9 @@ dependencies = [
 
 [[package]]
 name = "libssh2-sys"
-version = "0.3.0"
+version = "0.3.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "2dc8a030b787e2119a731f1951d6a773e2280c660f8ec4b0f5e1505a386e71ee"
+checksum = "220e4f05ad4a218192533b300327f5150e809b54c4ec83b5a1d91833601811b9"
 dependencies = [
  "cc",
  "libc",
@@ -2842,9 +3821,9 @@ dependencies = [
 
 [[package]]
 name = "libz-sys"
-version = "1.1.12"
+version = "1.1.22"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "d97137b25e321a73eef1418d1d5d2eda4d77e12813f8e6dead84bc52c5870a7b"
+checksum = "8b70e7a7df205e92a1a4cd9aaae7898dac0aa555503cc0a649494d0d60e7651d"
 dependencies = [
  "cc",
  "libc",
@@ -2857,22 +3836,40 @@ name = "linear-map"
 version = "1.2.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "bfae20f6b19ad527b550c223fddc3077a547fc70cda94b9b566575423fd303ee"
+
+[[package]]
+name = "linux-keyutils"
+version = "0.2.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "761e49ec5fd8a5a463f9b84e877c373d888935b71c6be78f3767fe2ae6bed18e"
 dependencies = [
- "serde",
- "serde_test",
+ "bitflags 2.9.1",
+ "libc",
 ]
 
 [[package]]
 name = "linux-raw-sys"
-version = "0.4.12"
+version = "0.3.8"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ef53942eb7bf7ff43a617b3e2c1c4a5ecf5944a7c1bc12d7ee39bbb15e5c1519"
+
+[[package]]
+name = "linux-raw-sys"
+version = "0.9.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "cd945864f07fe9f5371a27ad7b52a172b4b499999f1d97574c9fa68373937e12"
+
+[[package]]
+name = "litemap"
+version = "0.8.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "c4cd1a83af159aa67994778be9070f0ae1bd732942279cabb14f86f986a21456"
+checksum = "241eaef5fd12c88705a01fc1066c48c4b36e0dd4377dcdc7ec3942cea7a69956"
 
 [[package]]
 name = "lock_api"
-version = "0.4.9"
+version = "0.4.13"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "435011366fe56583b16cf956f9df0095b405b82d76425bc8981c0e22e60ec4df"
+checksum = "96936507f153605bddfcda068dd804796c84324ed2510809e5b2a624c81da765"
 dependencies = [
  "autocfg",
  "scopeguard",
@@ -2880,27 +3877,45 @@ dependencies = [
 
 [[package]]
 name = "log"
-version = "0.4.22"
+version = "0.4.27"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "13dc2df351e3202783a1fe0d44375f7295ffb4049267b0f3018346dc122a1d94"
+dependencies = [
+ "value-bag",
+]
+
+[[package]]
+name = "lru-slab"
+version = "0.1.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "a7a70ba024b9dc04c27ea2f0c0548feb474ec5c54bba33a7f72f873a39d07b24"
+checksum = "112b39cec0b298b6c1999fee3e31427f74f676e4cb9879ed1a121b43661a4154"
+
+[[package]]
+name = "lucide-leptos"
+version = "1.2.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d4148eece2243ffac848135656b001183f58388723c009d80e0e299e31f0dda8"
+dependencies = [
+ "leptos",
+]
 
 [[package]]
 name = "manyhow"
-version = "0.8.1"
+version = "0.11.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "516b76546495d933baa165075b95c0a15e8f7ef75e53f56b19b7144d80fd52bd"
+checksum = "b33efb3ca6d3b07393750d4030418d594ab1139cee518f0dc88db70fec873587"
 dependencies = [
  "manyhow-macros",
  "proc-macro2",
  "quote",
- "syn 2.0.98",
+ "syn 2.0.104",
 ]
 
 [[package]]
 name = "manyhow-macros"
-version = "0.8.1"
+version = "0.11.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "8ba072c0eadade3160232e70893311f1f8903974488096e2eb8e48caba2f0cf1"
+checksum = "46fce34d199b78b6e6073abf984c9cf5fd3e9330145a93ee0738a7443e371495"
 dependencies = [
  "proc-macro-utils",
  "proc-macro2",
@@ -2918,9 +3933,9 @@ dependencies = [
 
 [[package]]
 name = "matchit"
-version = "0.7.3"
+version = "0.8.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "0e7465ac9959cc2b1404e8e2367b43684a6d13790fe23056cc8c6c5a6b7bcb94"
+checksum = "47e1ffaa40ddd1f3ed91f717a33c8c0ee23fff369e3aa8772b9605cc1d22f4c3"
 
 [[package]]
 name = "md-5"
@@ -2940,9 +3955,18 @@ checksum = "490cc448043f947bae3cbee9c203358d62dbee0db12107a74be5c30ccfd09771"
 
 [[package]]
 name = "memchr"
-version = "2.7.4"
+version = "2.7.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "32a282da65faaf38286cf3be983213fcf1d2e2a58700e808f83f4ea9a4804bc0"
+
+[[package]]
+name = "memoffset"
+version = "0.9.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "78ca9ab1a0babb1e7d5695e3530886289c18cf2f87ec19a575a0abdce112e3a3"
+checksum = "488016bfae457b036d996092f6cb448677611ce4449e970ceaf42695203f218a"
+dependencies = [
+ "autocfg",
+]
 
 [[package]]
 name = "mime"
@@ -2952,9 +3976,9 @@ checksum = "6877bb514081ee2a7ff5ef9de3281f14a4dd4bceac4c09388074a6b5df8a139a"
 
 [[package]]
 name = "mime_guess"
-version = "2.0.4"
+version = "2.0.5"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "4192263c238a5f0d0c6bfd21f336a313a4ce1c450542449ca191bb657b4642ef"
+checksum = "f7c44f8e672c00fe5308fa235f821cb4198414e1c77935c1ab6948d3fd78550e"
 dependencies = [
  "mime",
  "unicase",
@@ -2968,34 +3992,76 @@ checksum = "68354c5c6bd36d73ff3feceb05efa59b6acb7626617f4962be322a825e61f79a"
 
 [[package]]
 name = "miniz_oxide"
-version = "0.7.1"
+version = "0.8.9"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "e7810e0be55b428ada41041c41f32c9f1a42817901b4ccf45fa3d4b6561e74c7"
+checksum = "1fa76a2c86f704bdb222d66965fb3d63269ce38518b83cb0575fca855ebb6316"
 dependencies = [
- "adler",
+ "adler2",
 ]
 
 [[package]]
 name = "mio"
-version = "0.8.10"
+version = "0.8.11"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "8f3d0b296e374a4e6f3c7b0a1f5a51d748a0d34c85e7dc48fc3fa9a87657fe09"
+checksum = "a4a650543ca06a924e8b371db273b2756685faae30f8487da1b56505a8f78b0c"
 dependencies = [
  "libc",
  "log",
- "wasi",
+ "wasi 0.11.1+wasi-snapshot-preview1",
  "windows-sys 0.48.0",
 ]
 
+[[package]]
+name = "mio"
+version = "1.0.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "78bed444cc8a2160f01cbcf811ef18cac863ad68ae8ca62092e8db51d51c761c"
+dependencies = [
+ "libc",
+ "wasi 0.11.1+wasi-snapshot-preview1",
+ "windows-sys 0.59.0",
+]
+
+[[package]]
+name = "native-tls"
+version = "0.2.14"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "87de3442987e9dbec73158d5c715e7ad9072fda936bb03d19d7fa10e00520f0e"
+dependencies = [
+ "libc",
+ "log",
+ "openssl",
+ "openssl-probe",
+ "openssl-sys",
+ "schannel",
+ "security-framework 2.11.1",
+ "security-framework-sys",
+ "tempfile",
+]
+
+[[package]]
+name = "ndk-context"
+version = "0.1.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "27b02d87554356db9e9a873add8782d4ea6e3e58ea071a9adb9a2e8ddb884a8b"
+
+[[package]]
+name = "next_tuple"
+version = "0.1.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "60993920e071b0c9b66f14e2b32740a4e27ffc82854dcd72035887f336a09a28"
+
 [[package]]
 name = "nix"
-version = "0.27.1"
+version = "0.29.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "2eb04e9c688eff1c89d72b407f168cf79bb9e867a9d3323ed6c01519eb9cc053"
+checksum = "71e2746dc3a24dd78b3cfcb7be93368c6de9963d30f43a6a73998a9cf4b17b46"
 dependencies = [
- "bitflags 2.6.0",
+ "bitflags 2.9.1",
  "cfg-if",
+ "cfg_aliases",
  "libc",
+ "memoffset",
 ]
 
 [[package]]
@@ -3008,19 +4074,13 @@ dependencies = [
  "minimal-lexical",
 ]
 
-[[package]]
-name = "nonempty"
-version = "0.7.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "e9e591e719385e6ebaeb5ce5d3887f7d5676fceca6411d1925ccc95745f3d6f7"
-
 [[package]]
 name = "notify"
 version = "6.1.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "6205bd8bb1e454ad2e27422015fb5e4f2bcc7e08fa8f27058670d208324a4d2d"
 dependencies = [
- "bitflags 2.6.0",
+ "bitflags 2.9.1",
  "crossbeam-channel",
  "filetime",
  "fsevent-sys",
@@ -3028,7 +4088,7 @@ dependencies = [
  "kqueue",
  "libc",
  "log",
- "mio",
+ "mio 0.8.11",
  "walkdir",
  "windows-sys 0.48.0",
 ]
@@ -3045,14 +4105,13 @@ dependencies = [
 
 [[package]]
 name = "num-bigint"
-version = "0.4.3"
+version = "0.4.6"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "f93ab6289c7b344a8a9f60f88d80aa20032336fe78da341afc91c8a2341fc75f"
+checksum = "a5e44f723f1133c9deac646763579fdb3ac745e418f2a7af9cd0c431da1f20b9"
 dependencies = [
- "autocfg",
  "num-integer",
  "num-traits",
- "rand",
+ "rand 0.8.5",
 ]
 
 [[package]]
@@ -3067,7 +4126,7 @@ dependencies = [
  "num-integer",
  "num-iter",
  "num-traits",
- "rand",
+ "rand 0.8.5",
  "smallvec",
  "zeroize",
 ]
@@ -3080,19 +4139,18 @@ checksum = "51d515d32fb182ee37cda2ccdcb92950d6a3c2893aa280e540671c2cd0f3b1d9"
 
 [[package]]
 name = "num-integer"
-version = "0.1.45"
+version = "0.1.46"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "225d3389fb3509a24c93f5c29eb6bde2586b98d9f016636dff58d7c6f7569cd9"
+checksum = "7969661fd2958a5cb096e56c8e1ad0444ac2bbcd0061bd28660485a44879858f"
 dependencies = [
- "autocfg",
  "num-traits",
 ]
 
 [[package]]
 name = "num-iter"
-version = "0.1.43"
+version = "0.1.45"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "7d03e6c028c5dc5cac6e2dec0efda81fc887605bb3d884578bb6d6bf7514e252"
+checksum = "1429034a0490724d0075ebb2bc9e875d6503c3cf69e235a8941aa757d83ef5bf"
 dependencies = [
  "autocfg",
  "num-integer",
@@ -3101,9 +4159,9 @@ dependencies = [
 
 [[package]]
 name = "num-traits"
-version = "0.2.15"
+version = "0.2.19"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "578ede34cf02f8924ab9447f50c28075b4d3e5b269972345e7e0372b38c6cdcd"
+checksum = "071dfc062690e90b734c0b2273ce72ad0ffa95f0c74596bc250dcfd960262841"
 dependencies = [
  "autocfg",
  "libm",
@@ -3111,75 +4169,142 @@ dependencies = [
 
 [[package]]
 name = "num_cpus"
-version = "1.14.0"
+version = "1.17.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "91df4bbde75afed763b708b7eee1e8e7651e02d97f6d5dd763e89367e957b23b"
+dependencies = [
+ "hermit-abi 0.5.2",
+ "libc",
+]
+
+[[package]]
+name = "num_threads"
+version = "0.1.7"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "f6058e64324c71e02bc2b150e4f3bc8286db6c83092132ffa3f6b1eab0f9def5"
+checksum = "5c7398b9c8b70908f6371f47ed36737907c87c52af34c268fed0bf0ceb92ead9"
 dependencies = [
- "hermit-abi",
  "libc",
 ]
 
 [[package]]
 name = "oauth2"
-version = "4.4.2"
+version = "5.0.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "c38841cdd844847e3e7c8d29cef9dcfed8877f8f56f9071f77843ecf3baf937f"
+checksum = "51e219e79014df21a225b1860a479e2dcd7cbd9130f4defd4bd0e191ea31d67d"
 dependencies = [
- "base64 0.13.1",
+ "base64",
  "chrono",
- "getrandom",
- "http 0.2.9",
- "rand",
+ "getrandom 0.2.16",
+ "http",
+ "rand 0.8.5",
  "reqwest",
  "serde",
  "serde_json",
  "serde_path_to_error",
  "sha2",
- "thiserror 1.0.58",
+ "thiserror 1.0.69",
  "url",
 ]
 
 [[package]]
-name = "object"
-version = "0.32.2"
+name = "objc2"
+version = "0.6.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b7c2599ce0ec54857b29ce62166b0ed9b4f6f1a70ccc9a71165b6154caca8c05"
+dependencies = [
+ "objc2-encode",
+]
+
+[[package]]
+name = "objc2-encode"
+version = "4.1.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ef25abbcd74fb2609453eb695bd2f860d389e457f67dc17cafc8b8cbc89d0c33"
+
+[[package]]
+name = "objc2-foundation"
+version = "0.3.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e3e0adef53c21f888deb4fa59fc59f7eb17404926ee8a6f59f5df0fd7f9f3272"
+dependencies = [
+ "bitflags 2.9.1",
+ "objc2",
+]
+
+[[package]]
+name = "oco_ref"
+version = "0.2.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "a6a622008b6e321afc04970976f62ee297fdbaa6f95318ca343e3eebb9648441"
+checksum = "ed0423ff9973dea4d6bd075934fdda86ebb8c05bdf9d6b0507067d4a1226371d"
 dependencies = [
- "memchr",
+ "serde",
+ "thiserror 2.0.17",
 ]
 
 [[package]]
 name = "once_cell"
-version = "1.18.0"
+version = "1.21.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "42f5e15c9953c5e4ccceeb2e7382a716482c34515315f7b03532b8b4e8393d2d"
+
+[[package]]
+name = "once_cell_polyfill"
+version = "1.70.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "dd8b5dd2ae5ed71462c540258bedcb51965123ad7e7ccf4b9a8cafaa4a63576d"
+checksum = "a4895175b425cb1f87721b59f0f286c2092bd4af812243672510e1ac53e2e0ad"
 
 [[package]]
 name = "opaque-debug"
-version = "0.3.0"
+version = "0.3.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "c08d65885ee38876c4f86fa503fb49d7b507c2b62552df7c70b2fce627e06381"
+
+[[package]]
+name = "openssl"
+version = "0.10.73"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "8505734d46c8ab1e19a1dce3aef597ad87dcb4c37e7188231769bd6bd51cebf8"
+dependencies = [
+ "bitflags 2.9.1",
+ "cfg-if",
+ "foreign-types",
+ "libc",
+ "once_cell",
+ "openssl-macros",
+ "openssl-sys",
+]
+
+[[package]]
+name = "openssl-macros"
+version = "0.1.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "624a8340c38c1b80fd549087862da4ba43e08858af025b236e509b6649fc13d5"
+checksum = "a948666b637a0f465e8564c73e89d4dde00d72d4d473cc972f390fc3dcee7d9c"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn 2.0.104",
+]
 
 [[package]]
 name = "openssl-probe"
-version = "0.1.5"
+version = "0.1.6"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "ff011a302c396a5197692431fc1948019154afc178baf7d8e37367442a4601cf"
+checksum = "d05e27ee213611ffe7d6348b942e8f942b37114c00cc03cec254295a4a17852e"
 
 [[package]]
 name = "openssl-src"
-version = "300.1.6+3.1.4"
+version = "300.5.1+3.5.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "439fac53e092cd7442a3660c85dde4643ab3b5bd39040912388dcdabf6b88085"
+checksum = "735230c832b28c000e3bc117119e6466a663ec73506bc0a9907ea4187508e42a"
 dependencies = [
  "cc",
 ]
 
 [[package]]
 name = "openssl-sys"
-version = "0.9.95"
+version = "0.9.109"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "40a4130519a360279579c2053038317e40eff64d13fd3f004f9e1b72b8a6aaf9"
+checksum = "90096e2e47630d78b7d1c20952dc621f957103f8bc2c8359ec81290d75238571"
 dependencies = [
  "cc",
  "libc",
@@ -3190,47 +4315,51 @@ dependencies = [
 
 [[package]]
 name = "opentelemetry"
-version = "0.18.0"
+version = "0.30.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "69d6c3d7288a106c0a363e4b0e8d308058d56902adefb16f4936f417ffef086e"
+checksum = "aaf416e4cb72756655126f7dd7bb0af49c674f4c1b9903e80c009e0c37e552e6"
 dependencies = [
- "opentelemetry_api",
- "opentelemetry_sdk",
+ "futures-core",
+ "futures-sink",
+ "js-sys",
+ "pin-project-lite",
+ "thiserror 2.0.17",
+ "tracing",
 ]
 
 [[package]]
-name = "opentelemetry_api"
-version = "0.18.0"
+name = "opentelemetry-semantic-conventions"
+version = "0.30.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "c24f96e21e7acc813c7a8394ee94978929db2bcc46cf6b5014fc612bf7760c22"
-dependencies = [
- "futures-channel",
- "futures-util",
- "indexmap 1.9.3",
- "js-sys",
- "once_cell",
- "pin-project-lite",
- "thiserror 1.0.58",
-]
+checksum = "83d059a296a47436748557a353c5e6c5705b9470ef6c95cfc52c21a8814ddac2"
 
 [[package]]
 name = "opentelemetry_sdk"
-version = "0.18.0"
+version = "0.30.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "1ca41c4933371b61c2a2f214bf16931499af4ec90543604ec828f7a625c09113"
+checksum = "11f644aa9e5e31d11896e024305d7e3c98a88884d9f8919dbf37a9991bc47a4b"
 dependencies = [
- "async-trait",
- "crossbeam-channel",
  "futures-channel",
  "futures-executor",
  "futures-util",
- "once_cell",
- "opentelemetry_api",
+ "opentelemetry",
  "percent-encoding",
- "rand",
- "thiserror 1.0.58",
+ "rand 0.9.2",
+ "thiserror 2.0.17",
 ]
 
+[[package]]
+name = "option-ext"
+version = "0.2.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "04744f49eae99ab78e0d5c0b603ab218f515ea8cfe5a456d7629ad883a3b6e7d"
+
+[[package]]
+name = "or_poisoned"
+version = "0.1.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "8c04f5d74368e4d0dfe06c45c8627c81bd7c317d52762d118fb9b3076f6420fd"
+
 [[package]]
 name = "ordered-float"
 version = "2.10.1"
@@ -3242,29 +4371,29 @@ dependencies = [
 
 [[package]]
 name = "ordered-float"
-version = "3.9.2"
+version = "4.6.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "f1e1c390732d15f1d48471625cd92d154e66db2c56645e29a9cd26f4699f72dc"
+checksum = "7bb71e1b3fa6ca1c61f383464aaf2bb0e2f8e772a1f01d486832464de363b951"
 dependencies = [
  "num-traits",
 ]
 
 [[package]]
 name = "orion"
-version = "0.17.6"
+version = "0.17.11"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "7abdb10181903c8c4b016ba45d6d6d5af1a1e2a461aa4763a83b87f5df4695e5"
+checksum = "21b3da83b2b4cdc74ab6a556b2e7b473da046d5aa4008c0a7a3ae96b1b4aabb4"
 dependencies = [
- "fiat-crypto",
+ "fiat-crypto 0.3.0",
  "subtle",
  "zeroize",
 ]
 
 [[package]]
 name = "ouroboros"
-version = "0.17.2"
+version = "0.18.5"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "e2ba07320d39dfea882faa70554b4bd342a5f273ed59ba7c1c6b4c840492c954"
+checksum = "1e0f050db9c44b97a94723127e6be766ac5c340c48f2c4bb3ffa11713744be59"
 dependencies = [
  "aliasable",
  "ouroboros_macro",
@@ -3273,15 +4402,15 @@ dependencies = [
 
 [[package]]
 name = "ouroboros_macro"
-version = "0.17.2"
+version = "0.18.5"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "ec4c6225c69b4ca778c0aea097321a64c421cf4577b331c61b229267edabb6f8"
+checksum = "3c7028bdd3d43083f6d8d4d5187680d0d3560d54df4cc9d752005268b41e64d0"
 dependencies = [
- "heck",
- "proc-macro-error",
+ "heck 0.4.1",
  "proc-macro2",
+ "proc-macro2-diagnostics",
  "quote",
- "syn 2.0.98",
+ "syn 2.0.104",
 ]
 
 [[package]]
@@ -3304,9 +4433,9 @@ dependencies = [
 
 [[package]]
 name = "p384"
-version = "0.13.0"
+version = "0.13.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "70786f51bcc69f6a4c0360e063a4cac5419ef7c5cd5b3c99ad70f3be5ba79209"
+checksum = "fe42f1670a52a47d448f14b6a5c61dd78fce51856e68edaa38f7ae3a46b8d6b6"
 dependencies = [
  "ecdsa",
  "elliptic-curve",
@@ -3324,37 +4453,37 @@ dependencies = [
  "ecdsa",
  "elliptic-curve",
  "primeorder",
- "rand_core",
+ "rand_core 0.6.4",
  "sha2",
 ]
 
-[[package]]
-name = "pad-adapter"
-version = "0.1.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "56d80efc4b6721e8be2a10a5df21a30fa0b470f1539e53d8b4e6e75faf938b63"
-
 [[package]]
 name = "pageant"
-version = "0.0.2"
+version = "0.0.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "2c6f0e349ea8dea1b50aa17c082777d30df133d89898c7568a615354772d3731"
+checksum = "bdd27df01428302f915ea74737fe88170dd1bab4cbd00ff9548ca85618fcd4e4"
 dependencies = [
  "bytes",
  "delegate",
  "futures",
  "log",
- "rand",
- "thiserror 1.0.58",
+ "rand 0.8.5",
+ "thiserror 1.0.69",
  "tokio",
  "windows",
 ]
 
+[[package]]
+name = "parking"
+version = "2.2.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f38d5652c16fde515bb1ecef450ab0f6a219d619a7274976324d5e377f7dceba"
+
 [[package]]
 name = "parking_lot"
-version = "0.12.3"
+version = "0.12.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "f1bf18183cf54e8d6059647fc3063646a1801cf30896933ec2311622cc4b9a27"
+checksum = "70d58bf43669b5795d1576d0641cfb6fbb2057bf629506267a92807158584a13"
 dependencies = [
  "lock_api",
  "parking_lot_core",
@@ -3362,26 +4491,26 @@ dependencies = [
 
 [[package]]
 name = "parking_lot_core"
-version = "0.9.5"
+version = "0.9.11"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "7ff9f3fef3968a3ec5945535ed654cb38ff72d7495a25619e2247fb15a2ed9ba"
+checksum = "bc838d2a56b5b1a6c25f55575dfc605fabb63bb2365f6c2353ef9159aa69e4a5"
 dependencies = [
  "cfg-if",
  "libc",
- "redox_syscall 0.2.16",
+ "redox_syscall",
  "smallvec",
- "windows-sys 0.42.0",
+ "windows-targets 0.52.6",
 ]
 
 [[package]]
 name = "pasetors"
-version = "0.6.8"
+version = "0.7.7"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "6b36d47c66f2230dd1b7143d9afb2b4891879020210eddf2ccb624e529b96dba"
+checksum = "03e1ed71dcdf863d9f66d9de86de714db38aedc2fcabc1a60207d1fde603e2d5"
 dependencies = [
  "ct-codecs",
  "ed25519-compact",
- "getrandom",
+ "getrandom 0.3.3",
  "orion",
  "regex",
  "serde_json",
@@ -3397,21 +4526,21 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "346f04948ba92c43e8469c1ee6736c7563d71012b17d40745260fe106aac2166"
 dependencies = [
  "base64ct",
- "rand_core",
+ "rand_core 0.6.4",
  "subtle",
 ]
 
 [[package]]
 name = "paste"
-version = "1.0.14"
+version = "1.0.15"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "de3145af08024dea9fa9914f381a17b8fc6034dfb00f3a84013f7ff43f29ed4c"
+checksum = "57c0d7b74b563b49d38dae00a0c37d4d6de9b432382b2892f0574ddcae73fd0a"
 
 [[package]]
 name = "pathdiff"
-version = "0.2.1"
+version = "0.2.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "8835116a5c179084a830efb3adc117ab007512b535bc1a21c991d3b32a6b44dd"
+checksum = "df94ce210e5bc13cb6651479fa48d14f601d9858cfe0467f43ae157023b938d3"
 
 [[package]]
 name = "pbkdf2"
@@ -3429,7 +4558,7 @@ version = "3.0.5"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "38af38e8470ac9dee3ce1bae1af9c1671fffc44ddfd8bd1d0a3445bf349a8ef3"
 dependencies = [
- "base64 0.22.1",
+ "base64",
  "serde",
 ]
 
@@ -3450,20 +4579,20 @@ checksum = "e3148f5046208a5d56bcfc03053e3ca6334e51da8dfb19b6cdc8b306fae3283e"
 
 [[package]]
 name = "pest"
-version = "2.7.5"
+version = "2.8.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "ae9cee2a55a544be8b89dc6848072af97a20f2422603c10865be2a42b580fff5"
+checksum = "1db05f56d34358a8b1066f67cbb203ee3e7ed2ba674a6263a1d5ec6db2204323"
 dependencies = [
  "memchr",
- "thiserror 1.0.58",
+ "thiserror 2.0.17",
  "ucd-trie",
 ]
 
 [[package]]
 name = "pest_derive"
-version = "2.7.5"
+version = "2.8.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "81d78524685f5ef2a3b3bd1cafbc9fcabb036253d9b1463e726a91cd16e2dfc2"
+checksum = "bb056d9e8ea77922845ec74a1c4e8fb17e7c218cc4fc11a15c5d25e189aa40bc"
 dependencies = [
  "pest",
  "pest_generator",
@@ -3471,53 +4600,61 @@ dependencies = [
 
 [[package]]
 name = "pest_generator"
-version = "2.7.5"
+version = "2.8.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "68bd1206e71118b5356dae5ddc61c8b11e28b09ef6a31acbd15ea48a28e0c227"
+checksum = "87e404e638f781eb3202dc82db6760c8ae8a1eeef7fb3fa8264b2ef280504966"
 dependencies = [
  "pest",
  "pest_meta",
  "proc-macro2",
  "quote",
- "syn 2.0.98",
+ "syn 2.0.104",
 ]
 
 [[package]]
 name = "pest_meta"
-version = "2.7.5"
+version = "2.8.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "7c747191d4ad9e4a4ab9c8798f1e82a39affe7ef9648390b7e5548d18e099de6"
+checksum = "edd1101f170f5903fde0914f899bb503d9ff5271d7ba76bbb70bea63690cc0d5"
 dependencies = [
- "once_cell",
  "pest",
  "sha2",
 ]
 
+[[package]]
+name = "pgvector"
+version = "0.4.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "fc58e2d255979a31caa7cabfa7aac654af0354220719ab7a68520ae7a91e8c0b"
+dependencies = [
+ "serde",
+]
+
 [[package]]
 name = "pin-project"
-version = "1.0.12"
+version = "1.1.10"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "ad29a609b6bcd67fee905812e544992d216af9d755757c05ed2d0e15a74c6ecc"
+checksum = "677f1add503faace112b9f1373e43e9e054bfdd22ff1a63c1bc485eaec6a6a8a"
 dependencies = [
  "pin-project-internal",
 ]
 
 [[package]]
 name = "pin-project-internal"
-version = "1.0.12"
+version = "1.1.10"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "069bdb1e05adc7a8990dce9cc75370895fbe4e3d58b9b73bf1aee56359344a55"
+checksum = "6e918e4ff8c4549eb882f14b3a4bc8c8bc93de829416eacf579f1207a8fbf861"
 dependencies = [
  "proc-macro2",
  "quote",
- "syn 1.0.105",
+ "syn 2.0.104",
 ]
 
 [[package]]
 name = "pin-project-lite"
-version = "0.2.13"
+version = "0.2.16"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "8afb450f006bf6385ca15ef45d71d2288452bc3683ce2e2cacc0d18e4be60b58"
+checksum = "3b3cff922bd51709b605d9ead9aa71031d81447142d828eb4a6eba76fe619f9b"
 
 [[package]]
 name = "pin-utils"
@@ -3525,6 +4662,17 @@ version = "0.1.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "8b870d8c151b6f2fb93e84a13146138f05d02ed11c7e7c54f8826aaaf7c9f184"
 
+[[package]]
+name = "piper"
+version = "0.2.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "96c8c490f422ef9a4efd2cb5b42b76c8613d7e7dfc1caf667b8a3350a5acc066"
+dependencies = [
+ "atomic-waker",
+ "fastrand 2.3.0",
+ "futures-io",
+]
+
 [[package]]
 name = "pkcs1"
 version = "0.7.5"
@@ -3559,15 +4707,45 @@ checksum = "f950b2377845cebe5cf8b5165cb3cc1a5e0fa5cfa3e1f7f55707d8fd82e0a7b7"
 dependencies = [
  "der",
  "pkcs5",
- "rand_core",
+ "rand_core 0.6.4",
  "spki",
 ]
 
 [[package]]
 name = "pkg-config"
-version = "0.3.27"
+version = "0.3.32"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "7edddbd0b52d732b21ad9a5fab5c704c14cd949e5e9a1ec5929a24fded1b904c"
+
+[[package]]
+name = "polling"
+version = "2.8.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "4b2d323e8ca7996b3e23126511a523f7e62924d93ecd5ae73b333815b0eb3dce"
+dependencies = [
+ "autocfg",
+ "bitflags 1.3.2",
+ "cfg-if",
+ "concurrent-queue",
+ "libc",
+ "log",
+ "pin-project-lite",
+ "windows-sys 0.48.0",
+]
+
+[[package]]
+name = "polling"
+version = "3.9.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "26072860ba924cbfa98ea39c8c19b4dd6a4a25423dbdf219c1eca91aa0cf6964"
+checksum = "8ee9b2fa7a4517d2c91ff5bc6c297a427a96749d15f98fcdbb22c05571a4d4b7"
+dependencies = [
+ "cfg-if",
+ "concurrent-queue",
+ "hermit-abi 0.5.2",
+ "pin-project-lite",
+ "rustix 1.0.8",
+ "windows-sys 0.60.2",
+]
 
 [[package]]
 name = "poly1305"
@@ -3582,9 +4760,9 @@ dependencies = [
 
 [[package]]
 name = "polyval"
-version = "0.6.1"
+version = "0.6.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "d52cff9d1d4dee5fe6d03729099f4a310a41179e0a10dbf542039873f2e826fb"
+checksum = "9d1fe60d06143b2430aa532c94cfe9e29783047f06c0d7fd359a9a51b729fa25"
 dependencies = [
  "cfg-if",
  "cpufeatures",
@@ -3592,6 +4770,15 @@ dependencies = [
  "universal-hash",
 ]
 
+[[package]]
+name = "potential_utf"
+version = "0.1.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e5a7c30837279ca13e7c867e9e40053bc68740f988cb07f7ca6df43cc734b585"
+dependencies = [
+ "zerovec",
+]
+
 [[package]]
 name = "powerfmt"
 version = "0.2.0"
@@ -3600,18 +4787,21 @@ checksum = "439ee305def115ba05938db6eb1644ff94165c5ab5e9420d1c1bcedbba909391"
 
 [[package]]
 name = "ppv-lite86"
-version = "0.2.17"
+version = "0.2.21"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "5b40af805b3121feab8a3c29f04d8ad262fa8e0561883e7653e024ae4479e6de"
+checksum = "85eae3c4ed2f50dcfe72643da4befc30deadb458a9b590d720cde2f2b1e97da9"
+dependencies = [
+ "zerocopy",
+]
 
 [[package]]
 name = "prettyplease"
-version = "0.2.15"
+version = "0.2.36"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "ae005bd773ab59b4725093fd7df83fd7892f7d8eafb48dbd7de6e024e4215f9d"
+checksum = "ff24dfcda44452b9816fff4cd4227e1bb73ff5a2f1bc1105aa92fb8565ce44d2"
 dependencies = [
  "proc-macro2",
- "syn 2.0.98",
+ "syn 2.0.104",
 ]
 
 [[package]]
@@ -3625,42 +4815,40 @@ dependencies = [
 
 [[package]]
 name = "proc-macro-crate"
-version = "3.1.0"
+version = "3.3.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "6d37c51ca738a55da99dc0c4a34860fd675453b8b36209178c2249bb13651284"
+checksum = "edce586971a4dfaa28950c6f18ed55e0406c1ab88bbce2c6f6293a7aaba73d35"
 dependencies = [
- "toml_edit 0.21.1",
+ "toml_edit",
 ]
 
 [[package]]
-name = "proc-macro-error"
-version = "1.0.4"
+name = "proc-macro-error-attr2"
+version = "2.0.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "da25490ff9892aab3fcf7c36f08cfb902dd3e71ca0f9f9517bea02a73a5ce38c"
+checksum = "96de42df36bb9bba5542fe9f1a054b8cc87e172759a1868aa05c1f3acc89dfc5"
 dependencies = [
- "proc-macro-error-attr",
  "proc-macro2",
  "quote",
- "syn 1.0.105",
- "version_check",
 ]
 
 [[package]]
-name = "proc-macro-error-attr"
-version = "1.0.4"
+name = "proc-macro-error2"
+version = "2.0.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "a1be40180e52ecc98ad80b184934baf3d0d29f979574e439af5a55274b35f869"
+checksum = "11ec05c52be0a07b08061f7dd003e7d7092e0472bc731b4af7bb1ef876109802"
 dependencies = [
+ "proc-macro-error-attr2",
  "proc-macro2",
  "quote",
- "version_check",
+ "syn 2.0.104",
 ]
 
 [[package]]
 name = "proc-macro-utils"
-version = "0.8.0"
+version = "0.10.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "3f59e109e2f795a5070e69578c4dc101068139f74616778025ae1011d4cd41a8"
+checksum = "eeaf08a13de400bc215877b5bdc088f241b12eb42f0a548d3390dc1c56bb7071"
 dependencies = [
  "proc-macro2",
  "quote",
@@ -3669,9 +4857,9 @@ dependencies = [
 
 [[package]]
 name = "proc-macro2"
-version = "1.0.93"
+version = "1.0.95"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "60946a68e5f9d28b0dc1c21bb8a97ee7d018a8b322fa57838ba31cc878e22d99"
+checksum = "02b3e5e68a3a1a02aad3ec490a98007cbc13c37cbe84a3cd7b8e406d76e7f778"
 dependencies = [
  "unicode-ident",
 ]
@@ -3684,32 +4872,31 @@ checksum = "af066a9c399a26e020ada66a034357a868728e72cd426f3adcd35f80d88d88c8"
 dependencies = [
  "proc-macro2",
  "quote",
- "syn 2.0.98",
+ "syn 2.0.104",
  "version_check",
  "yansi",
 ]
 
 [[package]]
 name = "procfs"
-version = "0.17.0"
+version = "0.18.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "cc5b72d8145275d844d4b5f6d4e1eef00c8cd889edb6035c21675d1bb1f45c9f"
+checksum = "25485360a54d6861439d60facef26de713b1e126bf015ec8f98239467a2b82f7"
 dependencies = [
- "bitflags 2.6.0",
+ "bitflags 2.9.1",
  "chrono",
  "flate2",
- "hex",
  "procfs-core",
- "rustix",
+ "rustix 1.0.8",
 ]
 
 [[package]]
 name = "procfs-core"
-version = "0.17.0"
+version = "0.18.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "239df02d8349b06fc07398a3a1697b06418223b1c7725085e801e7c0fc6a12ec"
+checksum = "e6401bf7b6af22f78b563665d15a22e9aef27775b79b149a66ca022468a4e405"
 dependencies = [
- "bitflags 2.6.0",
+ "bitflags 2.9.1",
  "chrono",
  "hex",
 ]
@@ -3731,105 +4918,281 @@ checksum = "16b845dbfca988fa33db069c0e230574d15a3088f147a87b64c7589eb662c9ac"
 dependencies = [
  "proc-macro2",
  "quote",
- "syn 1.0.105",
+ "syn 1.0.109",
+]
+
+[[package]]
+name = "quinn"
+version = "0.11.9"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b9e20a958963c291dc322d98411f541009df2ced7b5a4f2bd52337638cfccf20"
+dependencies = [
+ "bytes",
+ "cfg_aliases",
+ "pin-project-lite",
+ "quinn-proto",
+ "quinn-udp",
+ "rustc-hash",
+ "rustls",
+ "socket2 0.6.0",
+ "thiserror 2.0.17",
+ "tokio",
+ "tracing",
+ "web-time",
+]
+
+[[package]]
+name = "quinn-proto"
+version = "0.11.13"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f1906b49b0c3bc04b5fe5d86a77925ae6524a19b816ae38ce1e426255f1d8a31"
+dependencies = [
+ "bytes",
+ "getrandom 0.3.3",
+ "lru-slab",
+ "rand 0.9.2",
+ "ring",
+ "rustc-hash",
+ "rustls",
+ "rustls-pki-types",
+ "slab",
+ "thiserror 2.0.17",
+ "tinyvec",
+ "tracing",
+ "web-time",
+]
+
+[[package]]
+name = "quinn-udp"
+version = "0.5.14"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "addec6a0dcad8a8d96a771f815f0eaf55f9d1805756410b39f5fa81332574cbd"
+dependencies = [
+ "cfg_aliases",
+ "libc",
+ "once_cell",
+ "socket2 0.6.0",
+ "tracing",
+ "windows-sys 0.60.2",
 ]
 
 [[package]]
 name = "quote"
-version = "1.0.35"
+version = "1.0.40"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "291ec9ab5efd934aaf503a6466c5d5251535d108ee747472c3977cc5acc868ef"
+checksum = "1885c039570dc00dcb4ff087a89e185fd56bae234ddc7f056a945bf36467248d"
 dependencies = [
  "proc-macro2",
 ]
 
 [[package]]
 name = "quote-use"
-version = "0.7.2"
+version = "0.8.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "a7b5abe3fe82fdeeb93f44d66a7b444dedf2e4827defb0a8e69c437b2de2ef94"
+checksum = "9619db1197b497a36178cfc736dc96b271fe918875fbf1344c436a7e93d0321e"
 dependencies = [
  "quote",
  "quote-use-macros",
- "syn 2.0.98",
 ]
 
 [[package]]
 name = "quote-use-macros"
-version = "0.7.2"
+version = "0.8.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "97ea44c7e20f16017a76a245bb42188517e13d16dcb1aa18044bc406cdc3f4af"
+checksum = "82ebfb7faafadc06a7ab141a6f67bcfb24cb8beb158c6fe933f2f035afa99f35"
 dependencies = [
- "derive-where",
+ "proc-macro-utils",
  "proc-macro2",
  "quote",
- "syn 2.0.98",
+ "syn 2.0.104",
+]
+
+[[package]]
+name = "r-efi"
+version = "5.3.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "69cdb34c158ceb288df11e18b4bd39de994f6657d83847bdffdbd7f346754b0f"
+
+[[package]]
+name = "radium"
+version = "0.7.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "dc33ff2d4973d518d823d61aa239014831e521c75da58e3df4840d3f47749d09"
+
+[[package]]
+name = "rand"
+version = "0.8.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "34af8d1a0e25924bc5b7c43c079c942339d8f0a8b57c39049bef581b46327404"
+dependencies = [
+ "libc",
+ "rand_chacha 0.3.1",
+ "rand_core 0.6.4",
+]
+
+[[package]]
+name = "rand"
+version = "0.9.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "6db2770f06117d490610c7488547d543617b21bfa07796d7a12f6f1bd53850d1"
+dependencies = [
+ "rand_chacha 0.9.0",
+ "rand_core 0.9.3",
+]
+
+[[package]]
+name = "rand_chacha"
+version = "0.3.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e6c10a63a0fa32252be49d21e7709d4d4baf8d231c2dbce1eaa8141b9b127d88"
+dependencies = [
+ "ppv-lite86",
+ "rand_core 0.6.4",
+]
+
+[[package]]
+name = "rand_chacha"
+version = "0.9.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d3022b5f1df60f26e1ffddd6c66e8aa15de382ae63b3a0c1bfc0e4d3e3f325cb"
+dependencies = [
+ "ppv-lite86",
+ "rand_core 0.9.3",
+]
+
+[[package]]
+name = "rand_core"
+version = "0.6.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ec0be4795e2f6a28069bec0b5ff3e2ac9bafc99e6a9a7dc3547996c5c816922c"
+dependencies = [
+ "getrandom 0.2.16",
+]
+
+[[package]]
+name = "rand_core"
+version = "0.9.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "99d9a13982dcf210057a8a78572b2217b667c3beacbf3a0d8b454f6f82837d38"
+dependencies = [
+ "getrandom 0.3.3",
+]
+
+[[package]]
+name = "rcgen"
+version = "0.14.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "5fae430c6b28f1ad601274e78b7dffa0546de0b73b4cd32f46723c0c2a16f7a5"
+dependencies = [
+ "pem",
+ "ring",
+ "rustls-pki-types",
+ "time",
+ "yasna",
+]
+
+[[package]]
+name = "reactive_graph"
+version = "0.2.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "3c8fb64b85138d34e26f0b1b853f44f592eeb0b9976bfa58897fa8beda65f2ea"
+dependencies = [
+ "any_spawner",
+ "async-lock 3.4.0",
+ "futures",
+ "guardian",
+ "hydration_context",
+ "or_poisoned",
+ "pin-project-lite",
+ "rustc-hash",
+ "rustc_version",
+ "send_wrapper",
+ "serde",
+ "slotmap",
+ "thiserror 2.0.17",
+ "web-sys",
 ]
 
 [[package]]
-name = "radium"
-version = "0.7.0"
+name = "reactive_stores"
+version = "0.2.5"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "dc33ff2d4973d518d823d61aa239014831e521c75da58e3df4840d3f47749d09"
+checksum = "79983e88dfd1a2925e29a4853ab9161b234ea78dd0d44ed33a706c9cd5e35762"
+dependencies = [
+ "dashmap",
+ "guardian",
+ "itertools 0.14.0",
+ "or_poisoned",
+ "paste",
+ "reactive_graph",
+ "reactive_stores_macro",
+ "rustc-hash",
+ "send_wrapper",
+]
 
 [[package]]
-name = "rand"
-version = "0.8.5"
+name = "reactive_stores_macro"
+version = "0.2.5"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "34af8d1a0e25924bc5b7c43c079c942339d8f0a8b57c39049bef581b46327404"
+checksum = "c1d6c624f2babd2319a55f39637b62d38dd327f8219c6727479792fac3f670b6"
 dependencies = [
- "libc",
- "rand_chacha",
- "rand_core",
+ "convert_case 0.8.0",
+ "proc-macro-error2",
+ "proc-macro2",
+ "quote",
+ "syn 2.0.104",
 ]
 
 [[package]]
-name = "rand_chacha"
-version = "0.3.1"
+name = "redox_syscall"
+version = "0.5.17"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "e6c10a63a0fa32252be49d21e7709d4d4baf8d231c2dbce1eaa8141b9b127d88"
+checksum = "5407465600fb0548f1442edf71dd20683c6ed326200ace4b1ef0763521bb3b77"
 dependencies = [
- "ppv-lite86",
- "rand_core",
+ "bitflags 2.9.1",
 ]
 
 [[package]]
-name = "rand_core"
-version = "0.6.4"
+name = "redox_users"
+version = "0.5.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "ec0be4795e2f6a28069bec0b5ff3e2ac9bafc99e6a9a7dc3547996c5c816922c"
+checksum = "a4e608c6638b9c18977b00b475ac1f28d14e84b27d8d42f70e0bf1e3dec127ac"
 dependencies = [
- "getrandom",
+ "getrandom 0.2.16",
+ "libredox",
+ "thiserror 2.0.17",
 ]
 
 [[package]]
-name = "redox_syscall"
-version = "0.2.16"
+name = "ref-cast"
+version = "1.0.25"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "fb5a58c1855b4b6819d59012155603f0b22ad30cad752600aadfcb695265519a"
+checksum = "f354300ae66f76f1c85c5f84693f0ce81d747e2c3f21a45fef496d89c960bf7d"
 dependencies = [
- "bitflags 1.3.2",
+ "ref-cast-impl",
 ]
 
 [[package]]
-name = "redox_syscall"
-version = "0.4.1"
+name = "ref-cast-impl"
+version = "1.0.25"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "4722d768eff46b75989dd134e5c353f0d6296e5aaa3132e776cbdb56be7731aa"
+checksum = "b7186006dcb21920990093f30e3dea63b7d6e977bf1256be20c3563a5db070da"
 dependencies = [
- "bitflags 1.3.2",
+ "proc-macro2",
+ "quote",
+ "syn 2.0.104",
 ]
 
 [[package]]
 name = "regex"
-version = "1.9.4"
+version = "1.12.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "12de2eff854e5fa4b1295edd650e227e9d8fb0c9e90b12e7f36d6a6811791a29"
+checksum = "843bc0191f75f3e22651ae5f1e72939ab2f72a4bc30fa80a066bd66edefc24d4"
 dependencies = [
  "aho-corasick",
  "memchr",
- "regex-automata 0.3.7",
- "regex-syntax 0.7.5",
+ "regex-automata 0.4.13",
+ "regex-syntax 0.8.5",
 ]
 
 [[package]]
@@ -3843,13 +5206,13 @@ dependencies = [
 
 [[package]]
 name = "regex-automata"
-version = "0.3.7"
+version = "0.4.13"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "49530408a136e16e5b486e883fbb6ba058e8e4e8ae6621a77b048b314336e629"
+checksum = "5276caf25ac86c8d810222b3dbb938e512c55c6831a10f3e6ed1c93b84041f1c"
 dependencies = [
  "aho-corasick",
  "memchr",
- "regex-syntax 0.7.5",
+ "regex-syntax 0.8.5",
 ]
 
 [[package]]
@@ -3860,60 +5223,58 @@ checksum = "f162c6dd7b008981e4d40210aca20b4bd0f9b60ca9271061b07f78537722f2e1"
 
 [[package]]
 name = "regex-syntax"
-version = "0.7.5"
+version = "0.8.5"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "dbb5fb1acd8a1a18b3dd5be62d25485eb770e05afb408a9627d14d451bae12da"
+checksum = "2b15c43186be67a4fd63bee50d0303afffcef381492ebe2c5d87f324e1b8815c"
 
 [[package]]
 name = "rend"
-version = "0.4.1"
+version = "0.4.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "a2571463863a6bd50c32f94402933f03457a3fbaf697a707c5be741e459f08fd"
+checksum = "71fe3824f5629716b1589be05dacd749f6aa084c87e00e016714a8cdfccc997c"
 dependencies = [
  "bytecheck",
 ]
 
 [[package]]
 name = "reqwest"
-version = "0.11.26"
+version = "0.12.24"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "78bf93c4af7a8bb7d879d51cebe797356ff10ae8516ace542b5182d9dcac10b2"
+checksum = "9d0946410b9f7b082a427e4ef5c8ff541a88b357bc6c637c40db3a68ac70a36f"
 dependencies = [
- "base64 0.21.7",
+ "base64",
  "bytes",
- "encoding_rs",
  "futures-core",
  "futures-util",
- "h2 0.3.21",
- "http 0.2.9",
- "http-body 0.4.5",
- "hyper 0.14.27",
- "hyper-rustls 0.24.2",
- "ipnet",
+ "http",
+ "http-body",
+ "http-body-util",
+ "hyper",
+ "hyper-rustls",
+ "hyper-util",
  "js-sys",
  "log",
- "mime",
- "once_cell",
  "percent-encoding",
  "pin-project-lite",
- "rustls 0.21.8",
- "rustls-pemfile 1.0.4",
+ "quinn",
+ "rustls",
+ "rustls-pki-types",
  "serde",
  "serde_json",
  "serde_urlencoded",
- "sync_wrapper 0.1.2",
- "system-configuration",
+ "sync_wrapper",
  "tokio",
- "tokio-rustls 0.24.1",
+ "tokio-rustls",
  "tokio-util",
+ "tower",
+ "tower-http",
  "tower-service",
  "url",
  "wasm-bindgen",
  "wasm-bindgen-futures",
  "wasm-streams",
  "web-sys",
- "webpki-roots",
- "winreg",
+ "webpki-roots 1.0.2",
 ]
 
 [[package]]
@@ -3928,26 +5289,27 @@ dependencies = [
 
 [[package]]
 name = "ring"
-version = "0.17.3"
+version = "0.17.14"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "9babe80d5c16becf6594aa32ad2be8fe08498e7ae60b77de8df700e67f191d7e"
+checksum = "a4689e6c2294d81e88dc6261c768b63bc4fcdb852be6d1352498b114f61383b7"
 dependencies = [
  "cc",
- "getrandom",
+ "cfg-if",
+ "getrandom 0.2.16",
  "libc",
- "spin 0.9.8",
- "untrusted",
- "windows-sys 0.48.0",
+ "untrusted 0.9.0",
+ "windows-sys 0.52.0",
 ]
 
 [[package]]
 name = "rkyv"
-version = "0.7.42"
+version = "0.7.45"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "0200c8230b013893c0b2d6213d6ec64ed2b9be2e0e016682b7224ff82cff5c58"
+checksum = "9008cd6385b9e161d8229e1f6549dd23c3d022f132a2ea37ac3a10ac4935779b"
 dependencies = [
  "bitvec",
  "bytecheck",
+ "bytes",
  "hashbrown 0.12.3",
  "ptr_meta",
  "rend",
@@ -3959,20 +5321,20 @@ dependencies = [
 
 [[package]]
 name = "rkyv_derive"
-version = "0.7.42"
+version = "0.7.45"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "b2e06b915b5c230a17d7a736d1e2e63ee753c256a8614ef3f5147b13a4f5541d"
+checksum = "503d1d27590a2b0a3a4ca4c94755aa2875657196ecbf401a42eff41d7de532c0"
 dependencies = [
  "proc-macro2",
  "quote",
- "syn 1.0.105",
+ "syn 1.0.109",
 ]
 
 [[package]]
 name = "rsa"
-version = "0.9.3"
+version = "0.9.8"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "86ef35bf3e7fe15a53c4ab08a998e42271eab13eb0db224126bc7bc4c4bad96d"
+checksum = "78928ac1ed176a5ca1d17e578a1825f3d81ca54cf41053a592584b020cfd691b"
 dependencies = [
  "const-oid",
  "digest",
@@ -3981,7 +5343,7 @@ dependencies = [
  "num-traits",
  "pkcs1",
  "pkcs8",
- "rand_core",
+ "rand_core 0.6.4",
  "sha2",
  "signature",
  "spki",
@@ -3991,32 +5353,33 @@ dependencies = [
 
 [[package]]
 name = "rstml"
-version = "0.11.2"
+version = "0.12.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "fe542870b8f59dd45ad11d382e5339c9a1047cde059be136a7016095bbdefa77"
+checksum = "61cf4616de7499fc5164570d40ca4e1b24d231c6833a88bff0fe00725080fd56"
 dependencies = [
+ "derive-where",
  "proc-macro2",
  "proc-macro2-diagnostics",
  "quote",
- "syn 2.0.98",
+ "syn 2.0.104",
  "syn_derive",
- "thiserror 1.0.58",
+ "thiserror 2.0.17",
 ]
 
 [[package]]
 name = "russh"
-version = "0.50.2"
+version = "0.53.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "125d81ea357e708dd04bcaab60bb664e759c0bd3553995ca6cdfb9f87a9ae43d"
+checksum = "9b71d6d784c75ab19c421b7c3df21b100c9643f8b2563ae345a495ee792e85e4"
 dependencies = [
  "aes",
- "aes-gcm",
- "bitflags 2.6.0",
+ "aws-lc-rs",
+ "base64ct",
+ "bitflags 2.9.1",
  "block-padding",
  "byteorder",
  "bytes",
  "cbc",
- "chacha20",
  "ctr",
  "curve25519-dalek",
  "data-encoding",
@@ -4030,7 +5393,7 @@ dependencies = [
  "flate2",
  "futures",
  "generic-array",
- "getrandom",
+ "getrandom 0.2.16",
  "hex-literal",
  "hmac",
  "home",
@@ -4048,9 +5411,8 @@ dependencies = [
  "pkcs1",
  "pkcs5",
  "pkcs8",
- "poly1305",
- "rand",
- "rand_core",
+ "rand 0.8.5",
+ "rand_core 0.6.4",
  "rsa",
  "russh-cryptovec",
  "russh-util",
@@ -4061,30 +5423,30 @@ dependencies = [
  "spki",
  "ssh-encoding",
  "subtle",
- "thiserror 1.0.58",
+ "thiserror 1.0.69",
  "tokio",
- "tokio-stream",
  "typenum",
  "zeroize",
 ]
 
 [[package]]
 name = "russh-cryptovec"
-version = "0.50.2"
+version = "0.52.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "1fcb7c127135848b47715b5bcb13d8a27ccd86ce1de1c15eab5982df91fe279a"
+checksum = "4fb0ed583ff0f6b4aa44c7867dd7108df01b30571ee9423e250b4cc939f8c6cf"
 dependencies = [
  "libc",
  "log",
+ "nix",
  "ssh-encoding",
  "winapi",
 ]
 
 [[package]]
 name = "russh-util"
-version = "0.50.0"
+version = "0.52.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "c698d702527b51a82e64de98d506e9c1e83a063035d41df4f2354499ec090b79"
+checksum = "668424a5dde0bcb45b55ba7de8476b93831b4aa2fa6947e145f3b053e22c60b6"
 dependencies = [
  "chrono",
  "tokio",
@@ -4094,108 +5456,77 @@ dependencies = [
 
 [[package]]
 name = "rust_decimal"
-version = "1.36.0"
+version = "1.37.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "b082d80e3e3cc52b2ed634388d436fe1f4de6af5786cc2de9ba9737527bdf555"
+checksum = "b203a6425500a03e0919c42d3c47caca51e79f1132046626d2c8871c5092035d"
 dependencies = [
  "arrayvec",
  "borsh",
  "bytes",
  "num-traits",
- "rand",
+ "rand 0.8.5",
  "rkyv",
  "serde",
  "serde_json",
 ]
 
-[[package]]
-name = "rustc-demangle"
-version = "0.1.23"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "d626bb9dae77e28219937af045c257c28bfd3f69333c512553507f5f9798cb76"
-
 [[package]]
 name = "rustc-hash"
-version = "1.1.0"
+version = "2.1.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "08d43f7aa6b08d49f382cde6a7982047c3426db949b1424bc4b7ec9ae12c6ce2"
+checksum = "357703d41365b4b27c590e3ed91eabb1b663f07c4c084095e60cbed4362dff0d"
 
 [[package]]
 name = "rustc_version"
-version = "0.4.0"
+version = "0.4.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "bfa0f585226d2e68097d4f95d113b15b83a82e819ab25717ec0590d9584ef366"
+checksum = "cfcb3a22ef46e85b45de6ee7e79d063319ebb6594faafcf1c225ea92ab6e9b92"
 dependencies = [
  "semver",
 ]
 
 [[package]]
 name = "rustix"
-version = "0.38.28"
+version = "0.37.28"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "72e572a5e8ca657d7366229cdde4bd14c4eb5499a9573d4d366fe1b599daa316"
+checksum = "519165d378b97752ca44bbe15047d5d3409e875f39327546b42ac81d7e18c1b6"
 dependencies = [
- "bitflags 2.6.0",
+ "bitflags 1.3.2",
  "errno",
+ "io-lifetimes",
  "libc",
- "linux-raw-sys",
- "windows-sys 0.52.0",
-]
-
-[[package]]
-name = "rustls"
-version = "0.21.8"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "446e14c5cda4f3f30fe71863c34ec70f5ac79d6087097ad0bb433e1be5edf04c"
-dependencies = [
- "log",
- "ring",
- "rustls-webpki 0.101.7",
- "sct",
+ "linux-raw-sys 0.3.8",
+ "windows-sys 0.48.0",
 ]
 
 [[package]]
-name = "rustls"
-version = "0.22.2"
+name = "rustix"
+version = "1.0.8"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "e87c9956bd9807afa1f77e0f7594af32566e830e088a5576d27c5b6f30f49d41"
+checksum = "11181fbabf243db407ef8df94a6ce0b2f9a733bd8be4ad02b4eda9602296cac8"
 dependencies = [
- "log",
- "ring",
- "rustls-pki-types",
- "rustls-webpki 0.102.8",
- "subtle",
- "zeroize",
+ "bitflags 2.9.1",
+ "errno",
+ "libc",
+ "linux-raw-sys 0.9.4",
+ "windows-sys 0.60.2",
 ]
 
 [[package]]
 name = "rustls"
-version = "0.23.23"
+version = "0.23.31"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "47796c98c480fce5406ef69d1c76378375492c3b0a0de587be0c1d9feb12f395"
+checksum = "c0ebcbd2f03de0fc1122ad9bb24b127a5a6cd51d72604a3f3c50ac459762b6cc"
 dependencies = [
  "log",
  "once_cell",
  "ring",
  "rustls-pki-types",
- "rustls-webpki 0.102.8",
+ "rustls-webpki",
  "subtle",
  "zeroize",
 ]
 
-[[package]]
-name = "rustls-native-certs"
-version = "0.7.3"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "e5bfb394eeed242e909609f56089eecfe5fda225042e8b171791b9c95f5931e5"
-dependencies = [
- "openssl-probe",
- "rustls-pemfile 2.1.0",
- "rustls-pki-types",
- "schannel",
- "security-framework 2.10.0",
-]
-
 [[package]]
 name = "rustls-native-certs"
 version = "0.8.1"
@@ -4210,61 +5541,45 @@ dependencies = [
 
 [[package]]
 name = "rustls-pemfile"
-version = "1.0.4"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "1c74cae0a4cf6ccbbf5f359f08efdf8ee7e1dc532573bf0db71968cb56b1448c"
-dependencies = [
- "base64 0.21.7",
-]
-
-[[package]]
-name = "rustls-pemfile"
-version = "2.1.0"
+version = "2.2.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "3c333bb734fcdedcea57de1602543590f545f127dc8b533324318fd492c5c70b"
+checksum = "dce314e5fee3f39953d46bb63bb8a46d40c2f8fb7cc5a3b6cab2bde9721d6e50"
 dependencies = [
- "base64 0.21.7",
  "rustls-pki-types",
 ]
 
 [[package]]
 name = "rustls-pki-types"
-version = "1.11.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "917ce264624a4b4db1c364dcc35bfca9ded014d0a958cd47ad3e960e988ea51c"
-
-[[package]]
-name = "rustls-webpki"
-version = "0.101.7"
+version = "1.12.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "8b6275d1ee7a1cd780b64aca7726599a1dbc893b1e64144529e55c3c2f745765"
+checksum = "229a4a4c221013e7e1f1a043678c5cc39fe5171437c88fb47151a21e6f5b5c79"
 dependencies = [
- "ring",
- "untrusted",
+ "web-time",
+ "zeroize",
 ]
 
 [[package]]
 name = "rustls-webpki"
-version = "0.102.8"
+version = "0.103.8"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "64ca1bc8749bd4cf37b5ce386cc146580777b4e8572c7b97baf22c83f444bee9"
+checksum = "2ffdfa2f5286e2247234e03f680868ac2815974dc39e00ea15adc445d0aafe52"
 dependencies = [
  "ring",
  "rustls-pki-types",
- "untrusted",
+ "untrusted 0.9.0",
 ]
 
 [[package]]
 name = "rustversion"
-version = "1.0.14"
+version = "1.0.21"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "7ffc183a10b4478d04cbbbfc96d0873219d962dd5accaff2ffbd4ceb7df837f4"
+checksum = "8a0d197bd2c9dc6e53b84da9556a69ba4cdfab8619eb41a8bd1cc2027a0f6b1d"
 
 [[package]]
 name = "ryu"
-version = "1.0.11"
+version = "1.0.20"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "4501abdff3ae82a1c1b477a17252eb69cee9e66eb915c1abaa4f44d873df9f09"
+checksum = "28d3b2b1366ec20994f1fd18c3c594f05c5dd4bc44d8bb0c1c632c8d6829481f"
 
 [[package]]
 name = "salsa20"
@@ -4294,10 +5609,35 @@ dependencies = [
 ]
 
 [[package]]
-name = "scopeguard"
+name = "schemars"
+version = "1.1.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9558e172d4e8533736ba97870c4b2cd63f84b382a3d6eb063da41b91cce17289"
+dependencies = [
+ "dyn-clone",
+ "ref-cast",
+ "schemars_derive",
+ "serde",
+ "serde_json",
+]
+
+[[package]]
+name = "schemars_derive"
 version = "1.1.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "d29ab0c6d3fc0ee92fe66e2d99f700eab17a8d57d1c1d3b748380fb20baa78cd"
+checksum = "301858a4023d78debd2353c7426dc486001bddc91ae31a76fb1f55132f7e2633"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "serde_derive_internals",
+ "syn 2.0.104",
+]
+
+[[package]]
+name = "scopeguard"
+version = "1.2.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "94143f37725109f92c262ed2cf5e59bce7498c01bcc1502d7b9afe439a4e9f49"
 
 [[package]]
 name = "scrypt"
@@ -4310,42 +5650,34 @@ dependencies = [
  "sha2",
 ]
 
-[[package]]
-name = "sct"
-version = "0.7.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "da046153aa2352493d6cb7da4b6e5c0c057d8a1d0a9aa8560baffdd945acd414"
-dependencies = [
- "ring",
- "untrusted",
-]
-
 [[package]]
 name = "sea-bae"
-version = "0.2.0"
+version = "0.2.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "3bd3534a9978d0aa7edd2808dc1f8f31c4d0ecd31ddf71d997b3c98e9f3c9114"
+checksum = "f694a6ab48f14bc063cfadff30ab551d3c7e46d8f81836c51989d548f44a2a25"
 dependencies = [
- "heck",
- "proc-macro-error",
+ "heck 0.4.1",
+ "proc-macro-error2",
  "proc-macro2",
  "quote",
- "syn 2.0.98",
+ "syn 2.0.104",
 ]
 
 [[package]]
 name = "sea-orm"
-version = "0.12.12"
+version = "1.1.17"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "0cbf88748872fa54192476d6d49d0775e208566a72656e267e45f6980b926c8d"
+checksum = "699b1ec145a6530c8f862eed7529d8a6068392e628d81cc70182934001e9c2a3"
 dependencies = [
  "async-stream",
  "async-trait",
  "bigdecimal",
  "chrono",
- "futures",
+ "derive_more",
+ "futures-util",
  "log",
  "ouroboros",
+ "pgvector",
  "rust_decimal",
  "sea-orm-macros",
  "sea-query",
@@ -4353,8 +5685,8 @@ dependencies = [
  "serde",
  "serde_json",
  "sqlx",
- "strum 0.25.0",
- "thiserror 1.0.58",
+ "strum 0.26.3",
+ "thiserror 2.0.17",
  "time",
  "tracing",
  "url",
@@ -4363,45 +5695,62 @@ dependencies = [
 
 [[package]]
 name = "sea-orm-cli"
-version = "0.12.12"
+version = "1.1.17"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "9f17eb697616be2f3e4ea3b468a44cfb6848750dec522fdef4caa44bf5a02beb"
+checksum = "500cd31ebb07814d4c7b73796708bfab6c13d22f8db072cdb5115f967f4d5d2c"
 dependencies = [
+ "async-std",
  "chrono",
  "clap",
  "dotenvy",
  "glob",
  "regex",
+ "sea-orm-codegen",
  "sea-schema",
+ "sqlx",
+ "tokio",
  "tracing",
  "tracing-subscriber",
  "url",
 ]
 
+[[package]]
+name = "sea-orm-codegen"
+version = "1.1.17"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "1503f30d7d41c4adbd513f10cd8fb9e300ce768885ab2994c073979346070a99"
+dependencies = [
+ "heck 0.5.0",
+ "proc-macro2",
+ "quote",
+ "sea-query",
+ "syn 2.0.104",
+ "tracing",
+]
+
 [[package]]
 name = "sea-orm-macros"
-version = "0.12.12"
+version = "1.1.17"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "e0dbc880d47aa53c6a572e39c99402c7fad59b50766e51e0b0fc1306510b0555"
+checksum = "b0c964f4b7f34f53decf381bc88f03187b9355e07f356ce65544626e781a9585"
 dependencies = [
- "heck",
+ "heck 0.5.0",
  "proc-macro2",
  "quote",
  "sea-bae",
- "syn 2.0.98",
+ "syn 2.0.104",
  "unicode-ident",
 ]
 
 [[package]]
 name = "sea-orm-migration"
-version = "0.12.12"
+version = "1.1.17"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "e42807e13d38edd4cc1f9cbb370df898d43a9a143f6161dcdb8424a6de002def"
+checksum = "977e3f71486b04371026d1ecd899f49cf437f832cd11d463f8948ee02e47ed9e"
 dependencies = [
  "async-trait",
  "clap",
  "dotenvy",
- "futures",
  "sea-orm",
  "sea-orm-cli",
  "sea-schema",
@@ -4411,15 +5760,14 @@ dependencies = [
 
 [[package]]
 name = "sea-query"
-version = "0.30.7"
+version = "0.32.6"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "4166a1e072292d46dc91f31617c2a1cdaf55a8be4b5c9f4bf2ba248e3ac4999b"
+checksum = "64c91783d1514b99754fc6a4079081dcc2c587dadbff65c48c7f62297443536a"
 dependencies = [
  "bigdecimal",
  "chrono",
- "derivative",
  "inherent",
- "ordered-float 3.9.2",
+ "ordered-float 4.6.0",
  "rust_decimal",
  "sea-query-derive",
  "serde_json",
@@ -4429,9 +5777,9 @@ dependencies = [
 
 [[package]]
 name = "sea-query-binder"
-version = "0.5.0"
+version = "0.7.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "36bbb68df92e820e4d5aeb17b4acd5cc8b5d18b2c36a4dd6f4626aabfa7ab1b9"
+checksum = "b0019f47430f7995af63deda77e238c17323359af241233ec768aba1faea7608"
 dependencies = [
  "bigdecimal",
  "chrono",
@@ -4445,38 +5793,41 @@ dependencies = [
 
 [[package]]
 name = "sea-query-derive"
-version = "0.4.1"
+version = "0.4.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "25a82fcb49253abcb45cdcb2adf92956060ec0928635eb21b4f7a6d8f25ab0bc"
+checksum = "bae0cbad6ab996955664982739354128c58d16e126114fe88c2a493642502aab"
 dependencies = [
- "heck",
+ "darling 0.20.11",
+ "heck 0.4.1",
  "proc-macro2",
  "quote",
- "syn 2.0.98",
- "thiserror 1.0.58",
+ "syn 2.0.104",
+ "thiserror 2.0.17",
 ]
 
 [[package]]
 name = "sea-schema"
-version = "0.14.2"
+version = "0.16.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "30d148608012d25222442d1ebbfafd1228dbc5221baf4ec35596494e27a2394e"
+checksum = "2239ff574c04858ca77485f112afea1a15e53135d3097d0c86509cef1def1338"
 dependencies = [
  "futures",
  "sea-query",
+ "sea-query-binder",
  "sea-schema-derive",
+ "sqlx",
 ]
 
 [[package]]
 name = "sea-schema-derive"
-version = "0.2.0"
+version = "0.3.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "c6f686050f76bffc4f635cda8aea6df5548666b830b52387e8bc7de11056d11e"
+checksum = "debdc8729c37fdbf88472f97fd470393089f997a909e535ff67c544d18cfccf0"
 dependencies = [
- "heck",
+ "heck 0.4.1",
  "proc-macro2",
  "quote",
- "syn 1.0.105",
+ "syn 2.0.104",
 ]
 
 [[package]]
@@ -4510,12 +5861,12 @@ dependencies = [
 
 [[package]]
 name = "security-framework"
-version = "2.10.0"
+version = "2.11.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "770452e37cad93e0a50d5abc3990d2bc351c36d0328f86cefec2f2fb206eaef6"
+checksum = "897b2245f0b511c87893af39b033e5ca9cce68824c4d7e7630b5a1d339658d02"
 dependencies = [
- "bitflags 1.3.2",
- "core-foundation 0.9.3",
+ "bitflags 2.9.1",
+ "core-foundation 0.9.4",
  "core-foundation-sys",
  "libc",
  "security-framework-sys",
@@ -4527,8 +5878,8 @@ version = "3.2.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "271720403f46ca04f7ba6f55d438f8bd878d6b8ca0a1046e8228c4145bcbb316"
 dependencies = [
- "bitflags 2.6.0",
- "core-foundation 0.10.0",
+ "bitflags 2.9.1",
+ "core-foundation 0.10.1",
  "core-foundation-sys",
  "libc",
  "security-framework-sys",
@@ -4544,17 +5895,11 @@ dependencies = [
  "libc",
 ]
 
-[[package]]
-name = "self_cell"
-version = "1.0.2"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "e388332cd64eb80cd595a00941baf513caffae8dce9cfd0467fc9c66397dade6"
-
 [[package]]
 name = "semver"
-version = "1.0.14"
+version = "1.0.26"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "e25dfac463d778e353db5be2449d1cce89bd6fd23c9f1ea21310ce6e5a1b29c4"
+checksum = "56e6fa9c48d24d85fb3de5ad847117517440f6beceb7798af16b4a87d616b8d0"
 
 [[package]]
 name = "send_wrapper"
@@ -4567,10 +5912,11 @@ dependencies = [
 
 [[package]]
 name = "serde"
-version = "1.0.195"
+version = "1.0.228"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "63261df402c67811e9ac6def069e4786148c4563f4b50fd4bf30aa370d626b02"
+checksum = "9a8e94ea7f378bd32cbbd37198a4a91436180c5bb472411e48b5ec2e2124ae9e"
 dependencies = [
+ "serde_core",
  "serde_derive",
 ]
 
@@ -4585,43 +5931,53 @@ dependencies = [
 ]
 
 [[package]]
-name = "serde-wasm-bindgen"
-version = "0.6.3"
+name = "serde_core"
+version = "1.0.228"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "b9b713f70513ae1f8d92665bbbbda5c295c2cf1da5542881ae5eefe20c9af132"
+checksum = "41d385c7d4ca58e59fc732af25c3983b67ac852c1a25000afe1175de458b67ad"
 dependencies = [
- "js-sys",
- "serde",
- "wasm-bindgen",
+ "serde_derive",
 ]
 
 [[package]]
 name = "serde_derive"
-version = "1.0.195"
+version = "1.0.228"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d540f220d3187173da220f885ab66608367b6574e925011a9353e4badda91d79"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn 2.0.104",
+]
+
+[[package]]
+name = "serde_derive_internals"
+version = "0.29.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "46fe8f8603d81ba86327b23a2e9cdf49e1255fb94a4c5f297f6ee0547178ea2c"
+checksum = "18d26a20a969b9e3fdf2fc2d9f21eda6c40e2de84c9408bb5d3b05d499aae711"
 dependencies = [
  "proc-macro2",
  "quote",
- "syn 2.0.98",
+ "syn 2.0.104",
 ]
 
 [[package]]
 name = "serde_json"
-version = "1.0.111"
+version = "1.0.141"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "176e46fa42316f18edd598015a5166857fc835ec732f5215eac6b7bdbf0a84f4"
+checksum = "30b9eff21ebe718216c6ec64e1d9ac57087aad11efc64e32002bce4a0d4c03d3"
 dependencies = [
  "itoa",
+ "memchr",
  "ryu",
  "serde",
 ]
 
 [[package]]
 name = "serde_path_to_error"
-version = "0.1.14"
+version = "0.1.17"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "4beec8bce849d58d06238cb50db2e1c417cfeafa4c63f692b15c82b7c80f8335"
+checksum = "59fab13f937fa393d08645bf3a84bdfe86e296747b506ada67bb15f10f218b2a"
 dependencies = [
  "itoa",
  "serde",
@@ -4629,31 +5985,22 @@ dependencies = [
 
 [[package]]
 name = "serde_qs"
-version = "0.12.0"
+version = "0.15.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "0431a35568651e363364210c91983c1da5eb29404d9f0928b67d4ebcfa7d330c"
+checksum = "f3faaf9e727533a19351a43cc5a8de957372163c7d35cc48c90b75cdda13c352"
 dependencies = [
  "percent-encoding",
  "serde",
- "thiserror 1.0.58",
+ "thiserror 2.0.17",
 ]
 
 [[package]]
 name = "serde_spanned"
-version = "0.6.5"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "eb3622f419d1296904700073ea6cc23ad690adbd66f13ea683df73298736f0c1"
-dependencies = [
- "serde",
-]
-
-[[package]]
-name = "serde_test"
-version = "1.0.176"
+version = "1.0.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "5a2f49ace1498612d14f7e0b8245519584db8299541dfe31a06374a828d620ab"
+checksum = "e24345aa0fe688594e73770a5f6d1b216508b4f93484c0026d521acd30134392"
 dependencies = [
- "serde",
+ "serde_core",
 ]
 
 [[package]]
@@ -4670,11 +6017,11 @@ dependencies = [
 
 [[package]]
 name = "serde_yaml"
-version = "0.9.30"
+version = "0.9.33"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "b1bf28c79a99f70ee1f1d83d10c875d2e70618417fda01ad1785e027579d9d38"
+checksum = "a0623d197252096520c6f2a5e1171ee436e5af99a5d7caa2891e55e61950e6d9"
 dependencies = [
- "indexmap 2.1.0",
+ "indexmap",
  "itoa",
  "ryu",
  "serde",
@@ -4683,25 +6030,29 @@ dependencies = [
 
 [[package]]
 name = "server_fn"
-version = "0.6.5"
+version = "0.8.5"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "97fab54d9dd2d7e9eba4efccac41d2ec3e7c6e9973d14c0486d662a32662320c"
+checksum = "36dab1d4cbc272e15f4475d18e90a59488d1d1efe4e7db3f71b73a43d8c5f02b"
 dependencies = [
+ "base64",
  "bytes",
- "ciborium",
+ "const-str",
  "const_format",
  "dashmap",
  "futures",
- "gloo-net 0.5.0",
- "http 1.2.0",
+ "gloo-net",
+ "http",
  "js-sys",
- "once_cell",
+ "pin-project-lite",
+ "rustc_version",
+ "rustversion",
  "send_wrapper",
  "serde",
  "serde_json",
  "serde_qs",
  "server_fn_macro_default",
- "thiserror 1.0.58",
+ "thiserror 2.0.17",
+ "throw_error",
  "url",
  "wasm-bindgen",
  "wasm-bindgen-futures",
@@ -4712,26 +6063,27 @@ dependencies = [
 
 [[package]]
 name = "server_fn_macro"
-version = "0.6.5"
+version = "0.8.6"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "3be6011b586a0665546b7ced372b0be690d9e005d3f8524795da2843274d7720"
+checksum = "b381389c2307b4b83ce70516c0408d99727ab9f73645e065bb51e6be09cb2f6b"
 dependencies = [
  "const_format",
- "convert_case",
+ "convert_case 0.8.0",
  "proc-macro2",
  "quote",
- "syn 2.0.98",
+ "rustc_version",
+ "syn 2.0.104",
  "xxhash-rust",
 ]
 
 [[package]]
 name = "server_fn_macro_default"
-version = "0.6.5"
+version = "0.8.5"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "752ed78ec49132d154b922cf5ab6485680cab039a75740c48ea2db621ad481da"
+checksum = "63eb08f80db903d3c42f64e60ebb3875e0305be502bdc064ec0a0eab42207f00"
 dependencies = [
  "server_fn_macro",
- "syn 2.0.98",
+ "syn 2.0.104",
 ]
 
 [[package]]
@@ -4747,9 +6099,9 @@ dependencies = [
 
 [[package]]
 name = "sha2"
-version = "0.10.8"
+version = "0.10.9"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "793db75ad2bcafc3ffa7c68b215fee268f537982cd901d132f89c6343f3a3dc8"
+checksum = "a7507d819769d01a365ab707794a4084392c824f54a7a6a7862f8c3d0892b283"
 dependencies = [
  "cfg-if",
  "cpufeatures",
@@ -4758,18 +6110,24 @@ dependencies = [
 
 [[package]]
 name = "sharded-slab"
-version = "0.1.4"
+version = "0.1.7"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "900fba806f70c630b0a382d0d825e17a0f19fcd059a2ade1ff237bcddf446b31"
+checksum = "f40ca3c46823713e0d4209592e8d6e826aa57e928f09752619fc696c499637f6"
 dependencies = [
  "lazy_static",
 ]
 
+[[package]]
+name = "shlex"
+version = "1.3.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "0fda2ff0d084019ba4d7c6f371c95d8fd75ce3524c3cb8fb653a3023f6323e64"
+
 [[package]]
 name = "signal-hook-registry"
-version = "1.4.0"
+version = "1.4.5"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "e51e73328dc4ac0c7ccbda3a494dfa03df1de2f46018127f60c693f2648455b0"
+checksum = "9203b8055f63a2a00e2f593bb0510367fe707d7ff1e5c872de2f537b339e5410"
 dependencies = [
  "libc",
 ]
@@ -4781,45 +6139,44 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "77549399552de45a898a580c1b41d445bf730df867cc44e6c0233bbc4b8329de"
 dependencies = [
  "digest",
- "rand_core",
+ "rand_core 0.6.4",
 ]
 
 [[package]]
 name = "simdutf8"
-version = "0.1.4"
+version = "0.1.5"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "f27f6278552951f1f2b8cf9da965d10969b2efdea95a6ec47987ab46edfe263a"
+checksum = "e3a9fe34e3e7a50316060351f37187a3f546bce95496156754b601a5fa71b76e"
 
 [[package]]
 name = "slab"
-version = "0.4.7"
+version = "0.4.10"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "4614a76b2a8be0058caa9dbbaf66d988527d86d003c11a94fbd335d7661edcef"
-dependencies = [
- "autocfg",
-]
+checksum = "04dc19736151f35336d325007ac991178d504a119863a2fcb3758cdb5e52c50d"
 
 [[package]]
 name = "slotmap"
-version = "1.0.6"
+version = "1.0.7"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "e1e08e261d0e8f5c43123b7adf3e4ca1690d655377ac93a03b2c9d3e98de1342"
+checksum = "dbff4acf519f630b3a3ddcfaea6c06b42174d9a44bc70c620e9ed1649d58b82a"
 dependencies = [
- "serde",
  "version_check",
 ]
 
 [[package]]
 name = "smallvec"
-version = "1.13.1"
+version = "1.15.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "e6ecd384b10a64542d77071bd64bd7b231f4ed5940fba55e98c3de13824cf3d7"
+checksum = "67b1b7a3b5fe4f1376887184045fcf45c69e92af734b7aaddc05fb777b6fbd03"
+dependencies = [
+ "serde",
+]
 
 [[package]]
 name = "socket2"
-version = "0.4.7"
+version = "0.4.10"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "02e2d2db9033d13a1567121ddd7a095ee144db4e1ca1b1bda3419bc0da294ebd"
+checksum = "9f7916fc008ca5542385b89a3d3ce689953c143e9304a9bf8beec1de48994c0d"
 dependencies = [
  "libc",
  "winapi",
@@ -4827,19 +6184,23 @@ dependencies = [
 
 [[package]]
 name = "socket2"
-version = "0.5.5"
+version = "0.5.10"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "7b5fac59a5cb5dd637972e5fca70daf0523c9067fcdc4842f053dae04a18f8e9"
+checksum = "e22376abed350d73dd1cd119b57ffccad95b4e585a7cda43e286245ce23c0678"
 dependencies = [
  "libc",
- "windows-sys 0.48.0",
+ "windows-sys 0.52.0",
 ]
 
 [[package]]
-name = "spin"
-version = "0.5.2"
+name = "socket2"
+version = "0.6.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "6e63cff320ae2c57904679ba7cb63280a3dc4613885beafb148ee7bf9aa9042d"
+checksum = "233504af464074f9d066d7b5416c5f9b894a5862a6506e306f7b816cdd6f1807"
+dependencies = [
+ "libc",
+ "windows-sys 0.59.0",
+]
 
 [[package]]
 name = "spin"
@@ -4852,30 +6213,19 @@ dependencies = [
 
 [[package]]
 name = "spki"
-version = "0.7.2"
+version = "0.7.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "9d1e996ef02c474957d681f1b05213dfb0abab947b446a62d37770b23500184a"
+checksum = "d91ed6c858b01f942cd56b37a94b3e0a1798290327d1236e4d9cf4eaca44d29d"
 dependencies = [
  "base64ct",
  "der",
 ]
 
-[[package]]
-name = "sqlformat"
-version = "0.2.2"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "6b7b278788e7be4d0d29c0f39497a0eef3fba6bbc8e70d8bf7fde46edeaa9e85"
-dependencies = [
- "itertools 0.11.0",
- "nom",
- "unicode_categories",
-]
-
 [[package]]
 name = "sqlx"
-version = "0.7.3"
+version = "0.8.6"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "dba03c279da73694ef99763320dea58b51095dfe87d001b1d4b5fe78ba8763cf"
+checksum = "1fefb893899429669dcdd979aff487bd78f4064e5e7907e4269081e0ef7d97dc"
 dependencies = [
  "sqlx-core",
  "sqlx-macros",
@@ -4886,75 +6236,71 @@ dependencies = [
 
 [[package]]
 name = "sqlx-core"
-version = "0.7.3"
+version = "0.8.6"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "d84b0a3c3739e220d94b3239fd69fb1f74bc36e16643423bd99de3b43c21bfbd"
+checksum = "ee6798b1838b6a0f69c007c133b8df5866302197e404e8b6ee8ed3e3a5e68dc6"
 dependencies = [
- "ahash 0.8.6",
- "atoi",
+ "async-io 1.13.0",
+ "async-std",
+ "base64",
  "bigdecimal",
- "byteorder",
  "bytes",
  "chrono",
  "crc",
  "crossbeam-queue",
- "dotenvy",
  "either",
- "event-listener",
- "futures-channel",
+ "event-listener 5.4.0",
  "futures-core",
  "futures-intrusive",
  "futures-io",
  "futures-util",
+ "hashbrown 0.15.4",
  "hashlink",
- "hex",
- "indexmap 2.1.0",
+ "indexmap",
  "log",
  "memchr",
+ "native-tls",
  "once_cell",
- "paste",
  "percent-encoding",
  "rust_decimal",
- "rustls 0.21.8",
- "rustls-pemfile 1.0.4",
+ "rustls",
  "serde",
  "serde_json",
  "sha2",
  "smallvec",
- "sqlformat",
- "thiserror 1.0.58",
+ "thiserror 2.0.17",
  "time",
  "tokio",
  "tokio-stream",
  "tracing",
  "url",
  "uuid",
- "webpki-roots",
+ "webpki-roots 0.26.11",
 ]
 
 [[package]]
 name = "sqlx-macros"
-version = "0.7.3"
+version = "0.8.6"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "89961c00dc4d7dffb7aee214964b065072bff69e36ddb9e2c107541f75e4f2a5"
+checksum = "a2d452988ccaacfbf5e0bdbc348fb91d7c8af5bee192173ac3636b5fb6e6715d"
 dependencies = [
  "proc-macro2",
  "quote",
  "sqlx-core",
  "sqlx-macros-core",
- "syn 1.0.105",
+ "syn 2.0.104",
 ]
 
 [[package]]
 name = "sqlx-macros-core"
-version = "0.7.3"
+version = "0.8.6"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "d0bd4519486723648186a08785143599760f7cc81c52334a55d6a83ea1e20841"
+checksum = "19a9c1841124ac5a61741f96e1d9e2ec77424bf323962dd894bdb93f37d5219b"
 dependencies = [
- "atomic-write-file",
+ "async-std",
  "dotenvy",
  "either",
- "heck",
+ "heck 0.5.0",
  "hex",
  "once_cell",
  "proc-macro2",
@@ -4966,22 +6312,21 @@ dependencies = [
  "sqlx-mysql",
  "sqlx-postgres",
  "sqlx-sqlite",
- "syn 1.0.105",
- "tempfile",
+ "syn 2.0.104",
  "tokio",
  "url",
 ]
 
 [[package]]
 name = "sqlx-mysql"
-version = "0.7.3"
+version = "0.8.6"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "e37195395df71fd068f6e2082247891bc11e3289624bbc776a0cdfa1ca7f1ea4"
+checksum = "aa003f0038df784eb8fecbbac13affe3da23b45194bd57dba231c8f48199c526"
 dependencies = [
  "atoi",
- "base64 0.21.7",
+ "base64",
  "bigdecimal",
- "bitflags 2.6.0",
+ "bitflags 2.9.1",
  "byteorder",
  "bytes",
  "chrono",
@@ -5003,7 +6348,7 @@ dependencies = [
  "memchr",
  "once_cell",
  "percent-encoding",
- "rand",
+ "rand 0.8.5",
  "rsa",
  "rust_decimal",
  "serde",
@@ -5012,7 +6357,7 @@ dependencies = [
  "smallvec",
  "sqlx-core",
  "stringprep",
- "thiserror 1.0.58",
+ "thiserror 2.0.17",
  "time",
  "tracing",
  "uuid",
@@ -5021,14 +6366,14 @@ dependencies = [
 
 [[package]]
 name = "sqlx-postgres"
-version = "0.7.3"
+version = "0.8.6"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "d6ac0ac3b7ccd10cc96c7ab29791a7dd236bd94021f31eec7ba3d46a74aa1c24"
+checksum = "db58fcd5a53cf07c184b154801ff91347e4c30d17a3562a635ff028ad5deda46"
 dependencies = [
  "atoi",
- "base64 0.21.7",
+ "base64",
  "bigdecimal",
- "bitflags 2.6.0",
+ "bitflags 2.9.1",
  "byteorder",
  "chrono",
  "crc",
@@ -5036,7 +6381,6 @@ dependencies = [
  "etcetera",
  "futures-channel",
  "futures-core",
- "futures-io",
  "futures-util",
  "hex",
  "hkdf",
@@ -5048,16 +6392,15 @@ dependencies = [
  "memchr",
  "num-bigint",
  "once_cell",
- "rand",
+ "rand 0.8.5",
  "rust_decimal",
  "serde",
  "serde_json",
- "sha1",
  "sha2",
  "smallvec",
  "sqlx-core",
  "stringprep",
- "thiserror 1.0.58",
+ "thiserror 2.0.17",
  "time",
  "tracing",
  "uuid",
@@ -5066,9 +6409,9 @@ dependencies = [
 
 [[package]]
 name = "sqlx-sqlite"
-version = "0.7.3"
+version = "0.8.6"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "210976b7d948c7ba9fced8ca835b11cbb2d677c59c79de41ac0d397e14547490"
+checksum = "c2d12fe70b2c1b4401038055f90f151b78208de1f9f89a7dbfd41587a10c3eea"
 dependencies = [
  "atoi",
  "chrono",
@@ -5082,11 +6425,12 @@ dependencies = [
  "log",
  "percent-encoding",
  "serde",
+ "serde_urlencoded",
  "sqlx-core",
+ "thiserror 2.0.17",
  "time",
  "tracing",
  "url",
- "urlencoding",
  "uuid",
 ]
 
@@ -5119,6 +6463,12 @@ dependencies = [
  "sha2",
 ]
 
+[[package]]
+name = "stable_deref_trait"
+version = "1.2.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a8f112729512f8e442d81f95a8a7ddf2b7c6b8a1a6f509a95864142b30cab2d3"
+
 [[package]]
 name = "static_assertions"
 version = "1.1.0"
@@ -5127,63 +6477,56 @@ checksum = "a2eb9349b6444b326872e140eb1cf5e7c522154d69e7a0ffb0fb81c06b37543f"
 
 [[package]]
 name = "stringprep"
-version = "0.1.4"
+version = "0.1.5"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "bb41d74e231a107a1b4ee36bd1214b11285b77768d2e3824aedafa988fd36ee6"
+checksum = "7b4df3d392d81bd458a8a621b8bffbd2302a12ffe288a9d931670948749463b1"
 dependencies = [
- "finl_unicode",
  "unicode-bidi",
  "unicode-normalization",
+ "unicode-properties",
 ]
 
 [[package]]
 name = "strsim"
-version = "0.10.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "73473c0e59e6d5812c5dfe2a064a6444949f089e20eec9a2e5506596494e4623"
-
-[[package]]
-name = "strsim"
-version = "0.11.0"
+version = "0.11.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "5ee073c9e4cd00e28217186dbe12796d692868f432bf2e97ee73bed0c56dfa01"
+checksum = "7da8b5736845d9f2fcb837ea5d9e2628564b3b043a70948a3f0b778838c5fb4f"
 
 [[package]]
 name = "strum"
-version = "0.25.0"
+version = "0.26.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "290d54ea6f91c969195bdbcd7442c8c2a2ba87da8bf60a7ee86a235d4bc1e125"
+checksum = "8fec0f0aef304996cf250b31b5a10dee7980c85da9d759361292b8bca5a18f06"
 
 [[package]]
 name = "strum"
-version = "0.26.1"
+version = "0.27.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "723b93e8addf9aa965ebe2d11da6d7540fa2283fcea14b3371ff055f7ba13f5f"
+checksum = "af23d6f6c1a224baef9d3f61e287d2761385a5b88fdab4eb4c6f11aeb54c4bcf"
 
 [[package]]
 name = "strum_macros"
-version = "0.26.1"
+version = "0.27.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "7a3417fc93d76740d974a01654a09777cb500428cc874ca9f45edfe0c4d4cd18"
+checksum = "7695ce3845ea4b33927c055a39dc438a45b059f7c1b3d91d38d10355fb8cbca7"
 dependencies = [
- "heck",
+ "heck 0.5.0",
  "proc-macro2",
  "quote",
- "rustversion",
- "syn 2.0.98",
+ "syn 2.0.104",
 ]
 
 [[package]]
 name = "subtle"
-version = "2.5.0"
+version = "2.6.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "81cdd64d312baedb58e21336b31bc043b77e01cc99033ce76ef539f78e965ebc"
+checksum = "13c2bddecc57b384dee18652358fb23172facb8a2c51ccc10d74c157bdea3292"
 
 [[package]]
 name = "syn"
-version = "1.0.105"
+version = "1.0.109"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "60b9b43d45702de4c839cb9b51d9f529c5dd26a4aff255b42b1ebc03e88ee908"
+checksum = "72b64191b275b66ffe2469e8af2c1cfe3bafa67b529ead792a6d0160888b4237"
 dependencies = [
  "proc-macro2",
  "quote",
@@ -5192,9 +6535,9 @@ dependencies = [
 
 [[package]]
 name = "syn"
-version = "2.0.98"
+version = "2.0.104"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "36147f1a48ae0ec2b5b3bc5b537d267457555a10dc06f3dbc8cb11ba3006d3b1"
+checksum = "17b6f705963418cdb9927482fa304bc562ece2fdd4f616084c50b7023b435a40"
 dependencies = [
  "proc-macro2",
  "quote",
@@ -5203,47 +6546,90 @@ dependencies = [
 
 [[package]]
 name = "syn_derive"
-version = "0.1.8"
+version = "0.2.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "1329189c02ff984e9736652b1631330da25eaa6bc639089ed4915d25446cbe7b"
+checksum = "cdb066a04799e45f5d582e8fc6ec8e6d6896040d00898eb4e6a835196815b219"
 dependencies = [
- "proc-macro-error",
+ "proc-macro-error2",
  "proc-macro2",
  "quote",
- "syn 2.0.98",
+ "syn 2.0.104",
 ]
 
 [[package]]
 name = "sync_wrapper"
-version = "0.1.2"
+version = "1.0.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "2047c6ded9c721764247e62cd3b03c09ffc529b2ba5b10ec482ae507a4a70160"
+checksum = "0bf256ce5efdfa370213c1dabab5935a12e49f2c58d15e9eac2870d3b4f27263"
+dependencies = [
+ "futures-core",
+]
 
 [[package]]
-name = "sync_wrapper"
-version = "1.0.2"
+name = "synstructure"
+version = "0.13.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "0bf256ce5efdfa370213c1dabab5935a12e49f2c58d15e9eac2870d3b4f27263"
+checksum = "728a70f3dbaf5bab7f0c4b1ac8d7ae5ea60a4b5549c8a5914361c99147a709d2"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn 2.0.104",
+]
 
 [[package]]
-name = "system-configuration"
-version = "0.5.1"
+name = "tachys"
+version = "0.2.6"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "ba3a3adc5c275d719af8cb4272ea1c4a6d668a777f37e115f6d11ddbc1c8e0e7"
+checksum = "a8112797d6fa2ce26c1633e518759eb357ff28cd5e06d3bde2cb2ec850c3d87f"
 dependencies = [
- "bitflags 1.3.2",
- "core-foundation 0.9.3",
- "system-configuration-sys",
+ "any_spawner",
+ "async-trait",
+ "const_str_slice_concat",
+ "drain_filter_polyfill",
+ "either_of",
+ "erased",
+ "futures",
+ "html-escape",
+ "indexmap",
+ "itertools 0.14.0",
+ "js-sys",
+ "linear-map",
+ "next_tuple",
+ "oco_ref",
+ "or_poisoned",
+ "parking_lot",
+ "paste",
+ "reactive_graph",
+ "reactive_stores",
+ "rustc-hash",
+ "rustc_version",
+ "send_wrapper",
+ "slotmap",
+ "throw_error",
+ "wasm-bindgen",
+ "web-sys",
 ]
 
 [[package]]
-name = "system-configuration-sys"
-version = "0.5.0"
+name = "tailwind_fuse"
+version = "0.3.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "a75fb188eb626b924683e3b95e3a48e63551fcfb51949de2f06a9d91dbee93c9"
+checksum = "7ca71fb01735fbc6fa13e9390d7a3037dde97053c0b65c0c72c0159cd009d26b"
 dependencies = [
- "core-foundation-sys",
- "libc",
+ "nom",
+ "tailwind_fuse_macro",
+]
+
+[[package]]
+name = "tailwind_fuse_macro"
+version = "0.3.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "efa51b9ff80b5533001f8452d254a688bc7bb39c6bb77f9e0a19c1664d035888"
+dependencies = [
+ "darling 0.20.11",
+ "proc-macro2",
+ "quote",
+ "syn 2.0.104",
 ]
 
 [[package]]
@@ -5254,9 +6640,9 @@ checksum = "55937e1799185b12863d447f42597ed69d9928686b8d88a1df17376a097d8369"
 
 [[package]]
 name = "tar"
-version = "0.4.40"
+version = "0.4.44"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "b16afcea1f22891c49a00c751c7b63b2233284064f11a200fc624137c51e2ddb"
+checksum = "1d863878d212c87a19c1a610eb53bb01fe12951c0501cf5a0d65f724914a667a"
 dependencies = [
  "filetime",
  "libc",
@@ -5265,21 +6651,22 @@ dependencies = [
 
 [[package]]
 name = "tarpc"
-version = "0.34.0"
+version = "0.37.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "93a1870169fb9490fb3b37df7f50782986475c33cb90955f9f9b9ae659124200"
+checksum = "e5cb86a4b5b941909e9896289c01b46ff0bec756b01f366b0d5490a5e8ed7871"
 dependencies = [
  "anyhow",
  "fnv",
  "futures",
  "humantime",
  "opentelemetry",
+ "opentelemetry-semantic-conventions",
  "pin-project",
- "rand",
+ "rand 0.8.5",
  "serde",
  "static_assertions",
  "tarpc-plugins",
- "thiserror 1.0.58",
+ "thiserror 2.0.17",
  "tokio",
  "tokio-serde",
  "tokio-util",
@@ -5289,86 +6676,97 @@ dependencies = [
 
 [[package]]
 name = "tarpc-plugins"
-version = "0.13.0"
+version = "0.14.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "cb0b234b43836d3ee3bcc318eeaf38ec27f28e398cb9d700b62e9e47f2744536"
+checksum = "26ef4401b013b1f5218ba33ea8f1eddbfcc00ec8db073ef995c192e71f08f027"
 dependencies = [
  "proc-macro2",
  "quote",
- "syn 1.0.105",
+ "syn 2.0.104",
 ]
 
 [[package]]
 name = "tempfile"
-version = "3.8.1"
+version = "3.20.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "7ef1adac450ad7f4b3c28589471ade84f25f731a7a0fe30d71dfa9f60fd808e5"
+checksum = "e8a64e3985349f2441a1a9ef0b853f869006c3855f2cda6862a94d26ebb9d6a1"
 dependencies = [
- "cfg-if",
- "fastrand",
- "redox_syscall 0.4.1",
- "rustix",
- "windows-sys 0.48.0",
+ "fastrand 2.3.0",
+ "getrandom 0.3.3",
+ "once_cell",
+ "rustix 1.0.8",
+ "windows-sys 0.59.0",
 ]
 
 [[package]]
 name = "thiserror"
-version = "1.0.58"
+version = "1.0.69"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "03468839009160513471e86a034bb2c5c0e4baae3b43f79ffc55c4a5427b3297"
+checksum = "b6aaf5339b578ea85b50e080feb250a3e8ae8cfcdff9a461c9ec2904bc923f52"
 dependencies = [
- "thiserror-impl 1.0.58",
+ "thiserror-impl 1.0.69",
 ]
 
 [[package]]
 name = "thiserror"
-version = "2.0.11"
+version = "2.0.17"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "d452f284b73e6d76dd36758a0c8684b1d5be31f92b89d07fd5822175732206fc"
+checksum = "f63587ca0f12b72a0600bcba1d40081f830876000bb46dd2337a3051618f4fc8"
 dependencies = [
- "thiserror-impl 2.0.11",
+ "thiserror-impl 2.0.17",
 ]
 
 [[package]]
 name = "thiserror-impl"
-version = "1.0.58"
+version = "1.0.69"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "c61f3ba182994efc43764a46c018c347bc492c79f024e705f46567b418f6d4f7"
+checksum = "4fee6c4efc90059e10f81e6d42c60a18f76588c3d74cb83a0b242a2b6c7504c1"
 dependencies = [
  "proc-macro2",
  "quote",
- "syn 2.0.98",
+ "syn 2.0.104",
 ]
 
 [[package]]
 name = "thiserror-impl"
-version = "2.0.11"
+version = "2.0.17"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "26afc1baea8a989337eeb52b6e72a039780ce45c3edfcc9c5b9d112feeb173c2"
+checksum = "3ff15c8ecd7de3849db632e14d18d2571fa09dfc5ed93479bc4485c7a517c913"
 dependencies = [
  "proc-macro2",
  "quote",
- "syn 2.0.98",
+ "syn 2.0.104",
 ]
 
 [[package]]
 name = "thread_local"
-version = "1.1.4"
+version = "1.1.9"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "5516c27b78311c50bf42c071425c560ac799b11c30b31f87e3081965fe5e0180"
+checksum = "f60246a4944f24f6e018aa17cdeffb7818b76356965d03b07d6a9886e8962185"
 dependencies = [
- "once_cell",
+ "cfg-if",
+]
+
+[[package]]
+name = "throw_error"
+version = "0.3.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "41e42a6afdde94f3e656fae18f837cb9bbe500a5ac5de325b09f3ec05b9c28e3"
+dependencies = [
+ "pin-project-lite",
 ]
 
 [[package]]
 name = "time"
-version = "0.3.36"
+version = "0.3.41"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "5dfd88e563464686c916c7e46e623e520ddc6d79fa6641390f2e3fa86e83e885"
+checksum = "8a7619e19bc266e0f9c5e6686659d394bc57973859340060a69221e57dbc0c40"
 dependencies = [
  "deranged",
  "itoa",
+ "libc",
  "num-conv",
+ "num_threads",
  "powerfmt",
  "serde",
  "time-core",
@@ -5377,25 +6775,35 @@ dependencies = [
 
 [[package]]
 name = "time-core"
-version = "0.1.2"
+version = "0.1.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "ef927ca75afb808a4d64dd374f00a2adf8d0fcff8e7b184af886c3c87ec4a3f3"
+checksum = "c9e9a38711f559d9e3ce1cdb06dd7c5b8ea546bc90052da6d06bb76da74bb07c"
 
 [[package]]
 name = "time-macros"
-version = "0.2.18"
+version = "0.2.22"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "3f252a68540fde3a3877aeea552b832b40ab9a69e318efd078774a01ddee1ccf"
+checksum = "3526739392ec93fd8b359c8e98514cb3e8e021beb4e5f597b00a0221f8ed8a49"
 dependencies = [
  "num-conv",
  "time-core",
 ]
 
+[[package]]
+name = "tinystr"
+version = "0.8.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "5d4f6d1145dcb577acf783d4e601bc1d76a13337bb54e6233add580b07344c8b"
+dependencies = [
+ "displaydoc",
+ "zerovec",
+]
+
 [[package]]
 name = "tinyvec"
-version = "1.6.0"
+version = "1.9.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "87cc5ceb3875bb20c2890005a4e226a4651264a5c75edb2421b52861a0a0cb50"
+checksum = "09b3661f17e86524eccd4371ab0429194e0d7c008abb45f7a7495b1719463c71"
 dependencies = [
  "tinyvec_macros",
 ]
@@ -5408,74 +6816,61 @@ checksum = "1f3ccbac311fea05f86f61904b462b55fb3df8837a366dfc601a0161d0532f20"
 
 [[package]]
 name = "tokio"
-version = "1.36.0"
+version = "1.48.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "61285f6515fa018fb2d1e46eb21223fff441ee8db5d0f1435e8ab4f5cdb80931"
+checksum = "ff360e02eab121e0bc37a2d3b4d4dc622e6eda3a8e5253d5435ecf5bd4c68408"
 dependencies = [
- "backtrace",
  "bytes",
  "libc",
- "mio",
- "num_cpus",
+ "mio 1.0.4",
  "parking_lot",
  "pin-project-lite",
  "signal-hook-registry",
- "socket2 0.5.5",
+ "socket2 0.6.0",
  "tokio-macros",
- "windows-sys 0.48.0",
+ "windows-sys 0.61.2",
 ]
 
 [[package]]
 name = "tokio-macros"
-version = "2.2.0"
+version = "2.6.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "5b8a1e28f2deaa14e508979454cb3a223b10b938b45af148bc0986de36f1923b"
+checksum = "af407857209536a95c8e56f8231ef2c2e2aff839b22e07a1ffcbc617e9db9fa5"
 dependencies = [
  "proc-macro2",
  "quote",
- "syn 2.0.98",
-]
-
-[[package]]
-name = "tokio-rustls"
-version = "0.24.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "c28327cf380ac148141087fbfb9de9d7bd4e84ab5d2c28fbc911d753de8a7081"
-dependencies = [
- "rustls 0.21.8",
- "tokio",
+ "syn 2.0.104",
 ]
 
 [[package]]
-name = "tokio-rustls"
-version = "0.25.0"
+name = "tokio-native-tls"
+version = "0.3.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "775e0c0f0adb3a2f22a00c4745d728b479985fc15ee7ca6a2608388c5569860f"
+checksum = "bbae76ab933c85776efabc971569dd6119c580d8f5d448769dec1764bf796ef2"
 dependencies = [
- "rustls 0.22.2",
- "rustls-pki-types",
+ "native-tls",
  "tokio",
 ]
 
 [[package]]
 name = "tokio-rustls"
-version = "0.26.1"
+version = "0.26.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "5f6d0975eaace0cf0fcadee4e4aaa5da15b5c079146f2cffb67c113be122bf37"
+checksum = "1729aa945f29d91ba541258c8df89027d5792d85a8841fb65e8bf0f4ede4ef61"
 dependencies = [
- "rustls 0.23.23",
+ "rustls",
  "tokio",
 ]
 
 [[package]]
 name = "tokio-serde"
-version = "0.8.0"
+version = "0.9.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "911a61637386b789af998ee23f50aa30d5fd7edcec8d6d3dedae5e5815205466"
+checksum = "caf600e7036b17782571dd44fa0a5cea3c82f60db5137f774a325a76a0d6852b"
 dependencies = [
  "bincode",
  "bytes",
- "educe",
+ "educe 0.5.11",
  "futures-core",
  "futures-sink",
  "pin-project",
@@ -5485,9 +6880,9 @@ dependencies = [
 
 [[package]]
 name = "tokio-stream"
-version = "0.1.14"
+version = "0.1.17"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "397c988d37662c7dda6d2208364a706264bf3d6138b11d436cbac0ad38832842"
+checksum = "eca58d7bba4a75707817a2c44174253f9236b2d5fbd055602e9d5c07c139a047"
 dependencies = [
  "futures-core",
  "pin-project-lite",
@@ -5497,112 +6892,88 @@ dependencies = [
 
 [[package]]
 name = "tokio-tungstenite"
-version = "0.21.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "c83b561d025642014097b66e6c1bb422783339e0909e4429cde4749d1990bc38"
-dependencies = [
- "futures-util",
- "log",
- "tokio",
- "tungstenite 0.21.0",
-]
-
-[[package]]
-name = "tokio-tungstenite"
-version = "0.26.1"
+version = "0.28.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "be4bf6fecd69fcdede0ec680aaf474cdab988f9de6bc73d3758f0160e3b7025a"
+checksum = "d25a406cddcc431a75d3d9afc6a7c0f7428d4891dd973e4d54c56b46127bf857"
 dependencies = [
  "futures-util",
  "log",
+ "native-tls",
  "tokio",
- "tungstenite 0.26.1",
+ "tokio-native-tls",
+ "tungstenite",
 ]
 
 [[package]]
 name = "tokio-util"
-version = "0.7.10"
+version = "0.7.17"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "5419f34732d9eb6ee4c3578b7989078579b7f039cbbb9ca2c4da015749371e15"
+checksum = "2efa149fe76073d6e8fd97ef4f4eca7b67f599660115591483572e406e165594"
 dependencies = [
  "bytes",
  "futures-core",
+ "futures-io",
  "futures-sink",
  "pin-project-lite",
  "slab",
  "tokio",
- "tracing",
 ]
 
 [[package]]
 name = "toml"
-version = "0.5.11"
+version = "0.9.8"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "f4f7f0dd8d50a853a531c426359045b1998f04219d88799810762cd4ad314234"
+checksum = "f0dc8b1fb61449e27716ec0e1bdf0f6b8f3e8f6b05391e8497b8b6d7804ea6d8"
 dependencies = [
- "serde",
+ "indexmap",
+ "serde_core",
+ "serde_spanned",
+ "toml_datetime 0.7.3",
+ "toml_parser",
+ "toml_writer",
+ "winnow",
 ]
 
 [[package]]
-name = "toml"
-version = "0.8.11"
+name = "toml_datetime"
+version = "0.6.11"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "af06656561d28735e9c1cd63dfd57132c8155426aa6af24f36a00a351f88c48e"
-dependencies = [
- "serde",
- "serde_spanned",
- "toml_datetime",
- "toml_edit 0.22.7",
-]
+checksum = "22cddaf88f4fbc13c51aebbf5f8eceb5c7c5a9da2ac40a13519eb5b0a0e8f11c"
 
 [[package]]
 name = "toml_datetime"
-version = "0.6.5"
+version = "0.7.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "3550f4e9685620ac18a50ed434eb3aec30db8ba93b0287467bca5826ea25baf1"
+checksum = "f2cdb639ebbc97961c51720f858597f7f24c4fc295327923af55b74c3c724533"
 dependencies = [
- "serde",
+ "serde_core",
 ]
 
 [[package]]
 name = "toml_edit"
-version = "0.21.1"
+version = "0.22.27"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "6a8534fd7f78b5405e860340ad6575217ce99f38d4d5c8f2442cb5ecb50090e1"
+checksum = "41fe8c660ae4257887cf66394862d21dbca4a6ddd26f04a3560410406a2f819a"
 dependencies = [
- "indexmap 2.1.0",
- "toml_datetime",
- "winnow 0.5.40",
+ "indexmap",
+ "toml_datetime 0.6.11",
+ "winnow",
 ]
 
 [[package]]
-name = "toml_edit"
-version = "0.22.7"
+name = "toml_parser"
+version = "1.0.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "18769cd1cec395d70860ceb4d932812a0b4d06b1a4bb336745a4d21b9496e992"
+checksum = "c0cbe268d35bdb4bb5a56a2de88d0ad0eb70af5384a99d648cd4b3d04039800e"
 dependencies = [
- "indexmap 2.1.0",
- "serde",
- "serde_spanned",
- "toml_datetime",
- "winnow 0.6.5",
+ "winnow",
 ]
 
 [[package]]
-name = "tower"
-version = "0.4.13"
+name = "toml_writer"
+version = "1.0.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "b8fa9be0de6cf49e536ce1851f987bd21a43b771b09473c3549a6c853db37c1c"
-dependencies = [
- "futures-core",
- "futures-util",
- "pin-project",
- "pin-project-lite",
- "tokio",
- "tower-layer",
- "tower-service",
- "tracing",
-]
+checksum = "df8b2b54733674ad286d16267dcfc7a71ed5c776e4ac7aa3c3e2561f7c637bf2"
 
 [[package]]
 name = "tower"
@@ -5613,7 +6984,7 @@ dependencies = [
  "futures-core",
  "futures-util",
  "pin-project-lite",
- "sync_wrapper 1.0.2",
+ "sync_wrapper",
  "tokio",
  "tokio-util",
  "tower-layer",
@@ -5623,42 +6994,28 @@ dependencies = [
 
 [[package]]
 name = "tower-http"
-version = "0.5.2"
+version = "0.6.6"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "1e9cd434a998747dd2c4276bc96ee2e0c7a2eadf3cae88e52be55a05fa9053f5"
+checksum = "adc82fd73de2a9722ac5da747f12383d2bfdb93591ee6c58486e0097890f05f2"
 dependencies = [
- "bitflags 2.6.0",
+ "base64",
+ "bitflags 2.9.1",
  "bytes",
+ "futures-core",
  "futures-util",
- "http 1.2.0",
- "http-body 1.0.1",
+ "http",
+ "http-body",
  "http-body-util",
  "http-range-header",
  "httpdate",
+ "iri-string",
  "mime",
  "mime_guess",
  "percent-encoding",
  "pin-project-lite",
  "tokio",
  "tokio-util",
- "tower-layer",
- "tower-service",
- "tracing",
-]
-
-[[package]]
-name = "tower-http"
-version = "0.6.2"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "403fa3b783d4b626a8ad51d766ab03cb6d2dbfc46b1c5d4448395e6628dc9697"
-dependencies = [
- "base64 0.22.1",
- "bitflags 2.6.0",
- "bytes",
- "http 1.2.0",
- "http-body 1.0.1",
- "mime",
- "pin-project-lite",
+ "tower",
  "tower-layer",
  "tower-service",
  "tracing",
@@ -5678,9 +7035,9 @@ checksum = "8df9b6e13f2d32c91b9bd719c00d1958837bc7dec474d94952798cc8e69eeec3"
 
 [[package]]
 name = "tracing"
-version = "0.1.40"
+version = "0.1.41"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "c3523ab5a71916ccf420eebdf5521fcef02141234bbc0b8a49f2fdc4544364ef"
+checksum = "784e0ac535deb450455cbfa28a6f0df145ea1bb7ae51b821cf5e7927fdcfbdd0"
 dependencies = [
  "log",
  "pin-project-lite",
@@ -5695,32 +7052,43 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "3566e8ce28cc0a3fe42519fc80e6b4c943cc4c8cef275620eb8dac2d3d4e06cf"
 dependencies = [
  "crossbeam-channel",
- "thiserror 1.0.58",
+ "thiserror 1.0.69",
  "time",
  "tracing-subscriber",
 ]
 
 [[package]]
 name = "tracing-attributes"
-version = "0.1.27"
+version = "0.1.30"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "34704c8d6ebcbc939824180af020566b01a7c01f80641264eba0999f6c2b6be7"
+checksum = "81383ab64e72a7a8b8e13130c49e3dab29def6d0c7d76a03087b3cf71c5c6903"
 dependencies = [
  "proc-macro2",
  "quote",
- "syn 2.0.98",
+ "syn 2.0.104",
 ]
 
 [[package]]
 name = "tracing-core"
-version = "0.1.32"
+version = "0.1.34"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "c06d3da6113f116aaee68e4d601191614c9053067f9ab7f6edbcb161237daa54"
+checksum = "b9d12581f227e93f094d3af2ae690a574abb8a2b9b7a96e7cfe9647b2b617678"
 dependencies = [
  "once_cell",
  "valuable",
 ]
 
+[[package]]
+name = "tracing-journald"
+version = "0.3.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "fc0b4143302cf1022dac868d521e36e8b27691f72c84b3311750d5188ebba657"
+dependencies = [
+ "libc",
+ "tracing-core",
+ "tracing-subscriber",
+]
+
 [[package]]
 name = "tracing-log"
 version = "0.2.0"
@@ -5734,22 +7102,25 @@ dependencies = [
 
 [[package]]
 name = "tracing-opentelemetry"
-version = "0.18.0"
+version = "0.31.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "21ebb87a95ea13271332df069020513ab70bdb5637ca42d6e492dc3bbbad48de"
+checksum = "ddcf5959f39507d0d04d6413119c04f33b623f4f951ebcbdddddfad2d0623a9c"
 dependencies = [
+ "js-sys",
  "once_cell",
  "opentelemetry",
+ "opentelemetry_sdk",
  "tracing",
  "tracing-core",
  "tracing-subscriber",
+ "web-time",
 ]
 
 [[package]]
 name = "tracing-subscriber"
-version = "0.3.18"
+version = "0.3.19"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "ad0f048c97dbd9faa9b7df56362b8ebcaa52adb06b498c050d2f4e32f90a7a8b"
+checksum = "e8189decb5ac0fa7bc8b96b7cb9b2701d60d48805aca84a238004d665fcc4008"
 dependencies = [
  "matchers",
  "nu-ansi-term",
@@ -5765,126 +7136,104 @@ dependencies = [
 
 [[package]]
 name = "try-lock"
-version = "0.2.4"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "3528ecfd12c466c6f163363caf2d02a71161dd5e1cc6ae7b34207ea2d42d81ed"
-
-[[package]]
-name = "tungstenite"
-version = "0.21.0"
+version = "0.2.5"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "9ef1a641ea34f399a848dea702823bbecfb4c486f911735368f1f137cb8257e1"
-dependencies = [
- "byteorder",
- "bytes",
- "data-encoding",
- "http 1.2.0",
- "httparse",
- "log",
- "rand",
- "sha1",
- "thiserror 1.0.58",
- "url",
- "utf-8",
-]
+checksum = "e421abadd41a4225275504ea4d6566923418b7f05506fbc9c0fe86ba7396114b"
 
 [[package]]
 name = "tungstenite"
-version = "0.26.1"
+version = "0.28.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "413083a99c579593656008130e29255e54dcaae495be556cc26888f211648c24"
+checksum = "8628dcc84e5a09eb3d8423d6cb682965dea9133204e8fb3efee74c2a0c259442"
 dependencies = [
- "byteorder",
  "bytes",
  "data-encoding",
- "http 1.2.0",
+ "http",
  "httparse",
  "log",
- "rand",
+ "native-tls",
+ "rand 0.9.2",
  "sha1",
- "thiserror 2.0.11",
+ "thiserror 2.0.17",
  "utf-8",
 ]
 
 [[package]]
 name = "typed-builder"
-version = "0.18.1"
+version = "0.21.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "444d8748011b93cb168770e8092458cb0f8854f931ff82fdf6ddfbd72a9c933e"
+checksum = "ce63bcaf7e9806c206f7d7b9c1f38e0dce8bb165a80af0898161058b19248534"
 dependencies = [
  "typed-builder-macro",
 ]
 
 [[package]]
 name = "typed-builder-macro"
-version = "0.18.1"
+version = "0.21.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "563b3b88238ec95680aef36bdece66896eaa7ce3c0f1b4f39d38fb2435261352"
+checksum = "60d8d828da2a3d759d3519cdf29a5bac49c77d039ad36d0782edadbf9cd5415b"
 dependencies = [
  "proc-macro2",
  "quote",
- "syn 2.0.98",
+ "syn 2.0.104",
 ]
 
 [[package]]
 name = "typenum"
-version = "1.17.0"
+version = "1.18.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "42ff0bf0c66b8238c6f3b578df37d0b7848e55df8577b3f74f92a69acceeb825"
+checksum = "1dccffe3ce07af9386bfd29e80c0ab1a8205a2fc34e4bcd40364df902cfa8f3f"
 
 [[package]]
 name = "ucd-trie"
-version = "0.1.6"
+version = "0.1.7"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "ed646292ffc8188ef8ea4d1e0e0150fb15a5c2e12ad9b8fc191ae7a8a7f3c4b9"
+checksum = "2896d95c02a80c6d6a5d6e953d479f5ddf2dfdb6a244441010e373ac0fb88971"
 
 [[package]]
 name = "unicase"
-version = "2.7.0"
+version = "2.8.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "f7d2d4dafb69621809a81864c9c1b864479e1235c0dd4e199924b9742439ed89"
-dependencies = [
- "version_check",
-]
+checksum = "75b844d17643ee918803943289730bec8aac480150456169e647ed0b576ba539"
 
 [[package]]
 name = "unicode-bidi"
-version = "0.3.13"
+version = "0.3.18"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "92888ba5573ff080736b3648696b70cafad7d250551175acbaa4e0385b3e1460"
+checksum = "5c1cb5db39152898a79168971543b1cb5020dff7fe43c8dc468b0885f5e29df5"
 
 [[package]]
 name = "unicode-ident"
-version = "1.0.5"
+version = "1.0.18"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "6ceab39d59e4c9499d4e5a8ee0e2735b891bb7308ac83dfb4e80cad195c9f6f3"
+checksum = "5a5f39404a5da50712a4c1eecf25e90dd62b613502b7e925fd4e4d19b5c96512"
 
 [[package]]
 name = "unicode-normalization"
-version = "0.1.22"
+version = "0.1.24"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "5c5713f0fc4b5db668a2ac63cdb7bb4469d8c9fed047b1d0292cc7b0ce2ba921"
+checksum = "5033c97c4262335cded6d6fc3e5c18ab755e1a3dc96376350f3d8e9f009ad956"
 dependencies = [
  "tinyvec",
 ]
 
 [[package]]
-name = "unicode-segmentation"
-version = "1.10.1"
+name = "unicode-properties"
+version = "0.1.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "1dd624098567895118886609431a7c3b8f516e41d30e0643f03d94592a147e36"
+checksum = "e70f2a8b45122e719eb623c01822704c4e0907e7e426a05927e1a1cfff5b75d0"
 
 [[package]]
-name = "unicode-xid"
-version = "0.2.4"
+name = "unicode-segmentation"
+version = "1.12.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "f962df74c8c05a667b5ee8bcf162993134c104e96440b663c8daa176dc772d8c"
+checksum = "f6ccf251212114b54433ec949fd6a7841275f9ada20dddd2f29e9ceea4501493"
 
 [[package]]
-name = "unicode_categories"
-version = "0.1.1"
+name = "unicode-xid"
+version = "0.2.6"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "39ec24b3121d976906ece63c9daad25b85969647682eee313cb5779fdd69e14e"
+checksum = "ebc1c04c71510c7f702b52b7c350734c9ff1295c464a03335b00bb84fc54f853"
 
 [[package]]
 name = "universal-hash"
@@ -5898,9 +7247,15 @@ dependencies = [
 
 [[package]]
 name = "unsafe-libyaml"
-version = "0.2.10"
+version = "0.2.11"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "673aac59facbab8a9007c7f6108d11f63b603f7cabff99fabf650fea5c32b861"
+
+[[package]]
+name = "untrusted"
+version = "0.7.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "ab4c90930b95a82d00dc9e9ac071b4991924390d46cbd0dfe566148667605e4b"
+checksum = "a156c684c91ea7d62626509bce3cb4e1d9ed5c4d978f7b4352658f96a4c26b4a"
 
 [[package]]
 name = "untrusted"
@@ -5910,9 +7265,9 @@ checksum = "8ecb6da28b8a351d773b68d5825ac39017e680750f980f3a1a85cd8dd28a47c1"
 
 [[package]]
 name = "url"
-version = "2.3.1"
+version = "2.5.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "0d68c799ae75762b8c3fe375feb6600ef5602c883c5d21eb51c09f22b83c4643"
+checksum = "32f8b686cadd1473f4bd0117a5d28d36b1ade384ea9b5069a1c40aefed7fda60"
 dependencies = [
  "form_urlencoded",
  "idna",
@@ -5934,31 +7289,45 @@ checksum = "09cc8ee72d2a9becf2f2febe0205bbed8fc6615b7cb429ad062dc7b7ddd036a9"
 
 [[package]]
 name = "utf8-width"
-version = "0.1.6"
+version = "0.1.7"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "86bd8d4e895da8537e5315b8254664e6b769c4ff3db18321b297a1e7004392e3"
+
+[[package]]
+name = "utf8_iter"
+version = "1.0.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "5190c9442dcdaf0ddd50f37420417d219ae5261bbf5db120d0f9bab996c9cba1"
+checksum = "b6c140620e7ffbb22c2dee59cafe6084a59b5ffc27a8859a5f0d494b5d52b6be"
 
 [[package]]
 name = "utf8parse"
-version = "0.2.1"
+version = "0.2.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "711b9620af191e0cdc7468a8d14e709c3dcdb115b36f838e601583af800a370a"
+checksum = "06abde3611657adf66d383f00b093d7faecc7fa57071cce2578660c9f1010821"
 
 [[package]]
 name = "uuid"
-version = "1.6.1"
+version = "1.17.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "5e395fcf16a7a3d8127ec99782007af141946b4795001f876d54fb0d55978560"
+checksum = "3cf4199d1e5d15ddd86a694e4d0dffa9c323ce759fea589f00fef9d81cc1931d"
 dependencies = [
- "getrandom",
+ "getrandom 0.3.3",
+ "js-sys",
  "serde",
+ "wasm-bindgen",
 ]
 
 [[package]]
 name = "valuable"
-version = "0.1.0"
+version = "0.1.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ba73ea9cf16a25df0c8caa16c51acb937d5712a8429db78a3ee29d5dcacd3a65"
+
+[[package]]
+name = "value-bag"
+version = "1.11.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "830b7e5d4d90034032940e4ace0d9a9a057e7a45cd94e6c007832e39edb82f6d"
+checksum = "943ce29a8a743eb10d6082545d861b24f9d1b160b7d741e0f2cdf726bec909c5"
 
 [[package]]
 name = "vcpkg"
@@ -5968,15 +7337,21 @@ checksum = "accd4ea62f7bb7a82fe23066fb0957d48ef677f6eeb8215f372f52e48bb32426"
 
 [[package]]
 name = "version_check"
-version = "0.9.4"
+version = "0.9.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "0b928f33d975fc6ad9f86c8f283853ad26bdd5b10b7f1542aa2fa15e2289105a"
+
+[[package]]
+name = "waker-fn"
+version = "1.2.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "49874b5167b65d7193b8aba1567f5c7d93d001cafc34600cee003eda787e483f"
+checksum = "317211a0dc0ceedd78fb2ca9a44aed3d7b9b26f81870d485c07122b4350673b7"
 
 [[package]]
 name = "walkdir"
-version = "2.4.0"
+version = "2.5.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "d71d857dc86794ca4c280d616f7da00d2dbfd8cd788846559a6813e6aa4b54ee"
+checksum = "29790946404f91d9c5d06f9874efddea1dc06c5efe94541a7d6863108e3a5e4b"
 dependencies = [
  "same-file",
  "winapi-util",
@@ -5993,53 +7368,69 @@ dependencies = [
 
 [[package]]
 name = "wasi"
-version = "0.11.0+wasi-snapshot-preview1"
+version = "0.11.1+wasi-snapshot-preview1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ccf3ec651a847eb01de73ccad15eb7d99f80485de043efb2f370cd654f4ea44b"
+
+[[package]]
+name = "wasi"
+version = "0.14.2+wasi-0.2.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9683f9a5a998d873c0d21fcbe3c083009670149a8fab228644b8bd36b2c48cb3"
+dependencies = [
+ "wit-bindgen-rt",
+]
+
+[[package]]
+name = "wasite"
+version = "0.1.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "9c8d87e72b64a3b4db28d11ce29237c246188f4f51057d65a7eab63b7987e423"
+checksum = "b8dad83b4f25e74f184f64c43b150b91efe7647395b42289f38e50566d82855b"
 
 [[package]]
 name = "wasm-bindgen"
-version = "0.2.95"
+version = "0.2.100"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "128d1e363af62632b8eb57219c8fd7877144af57558fb2ef0368d0087bddeb2e"
+checksum = "1edc8929d7499fc4e8f0be2262a241556cfc54a0bea223790e71446f2aab1ef5"
 dependencies = [
  "cfg-if",
  "once_cell",
+ "rustversion",
  "wasm-bindgen-macro",
 ]
 
 [[package]]
 name = "wasm-bindgen-backend"
-version = "0.2.95"
+version = "0.2.100"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "cb6dd4d3ca0ddffd1dd1c9c04f94b868c37ff5fac97c30b97cff2d74fce3a358"
+checksum = "2f0a0651a5c2bc21487bde11ee802ccaf4c51935d0d3d42a6101f98161700bc6"
 dependencies = [
  "bumpalo",
  "log",
- "once_cell",
  "proc-macro2",
  "quote",
- "syn 2.0.98",
+ "syn 2.0.104",
  "wasm-bindgen-shared",
 ]
 
 [[package]]
 name = "wasm-bindgen-futures"
-version = "0.4.45"
+version = "0.4.50"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "cc7ec4f8827a71586374db3e87abdb5a2bb3a15afed140221307c3ec06b1f63b"
+checksum = "555d470ec0bc3bb57890405e5d4322cc9ea83cebb085523ced7be4144dac1e61"
 dependencies = [
  "cfg-if",
  "js-sys",
+ "once_cell",
  "wasm-bindgen",
  "web-sys",
 ]
 
 [[package]]
 name = "wasm-bindgen-macro"
-version = "0.2.95"
+version = "0.2.100"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "e79384be7f8f5a9dd5d7167216f022090cf1f9ec128e6e6a482a2cb5c5422c56"
+checksum = "7fe63fc6d09ed3792bd0897b314f53de8e16568c2b3f7982f468c0bf9bd0b407"
 dependencies = [
  "quote",
  "wasm-bindgen-macro-support",
@@ -6047,28 +7438,31 @@ dependencies = [
 
 [[package]]
 name = "wasm-bindgen-macro-support"
-version = "0.2.95"
+version = "0.2.100"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "26c6ab57572f7a24a4985830b120de1594465e5d500f24afe89e16b4e833ef68"
+checksum = "8ae87ea40c9f689fc23f209965b6fb8a99ad69aeeb0231408be24920604395de"
 dependencies = [
  "proc-macro2",
  "quote",
- "syn 2.0.98",
+ "syn 2.0.104",
  "wasm-bindgen-backend",
  "wasm-bindgen-shared",
 ]
 
 [[package]]
 name = "wasm-bindgen-shared"
-version = "0.2.95"
+version = "0.2.100"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "65fc09f10666a9f147042251e0dda9c18f166ff7de300607007e96bdebc1068d"
+checksum = "1a05d73b933a847d6cccdda8f838a22ff101ad9bf93e33684f39c1f5f0eece3d"
+dependencies = [
+ "unicode-ident",
+]
 
 [[package]]
 name = "wasm-streams"
-version = "0.4.0"
+version = "0.4.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "b65dc4c90b63b118468cf747d8bf3566c1913ef60be765b5730ead9e0a3ba129"
+checksum = "15053d8d85c7eccdbefef60f06769760a563c7f0a9d6902a13d35c7800b0ad65"
 dependencies = [
  "futures-util",
  "js-sys",
@@ -6077,27 +7471,94 @@ dependencies = [
  "web-sys",
 ]
 
+[[package]]
+name = "wasm_split_helpers"
+version = "0.1.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "c50e0e45d0d871605a21fc4ee93a5380b7bdc41b5eda22e42f0777a4ce79b65c"
+dependencies = [
+ "async-once-cell",
+ "or_poisoned",
+ "wasm_split_macros",
+]
+
+[[package]]
+name = "wasm_split_macros"
+version = "0.1.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9f8a7f0bf54b0129a337aadfe8b716d843689f69c75b2a6413a0cff2e0d00982"
+dependencies = [
+ "base16",
+ "digest",
+ "quote",
+ "sha2",
+ "syn 2.0.104",
+ "wasm-bindgen",
+]
+
 [[package]]
 name = "web-sys"
-version = "0.3.65"
+version = "0.3.77"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "33b6dd2ef9186f1f2072e409e99cd22a975331a6b3591b12c764e0e55c60d5d2"
+dependencies = [
+ "js-sys",
+ "wasm-bindgen",
+]
+
+[[package]]
+name = "web-time"
+version = "1.1.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "5db499c5f66323272151db0e666cd34f78617522fb0c1604d31a27c50c206a85"
+checksum = "5a6580f308b1fad9207618087a65c04e7a10bc77e02c8e84e9b00dd4b12fa0bb"
 dependencies = [
  "js-sys",
  "wasm-bindgen",
 ]
 
+[[package]]
+name = "webbrowser"
+version = "1.0.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "aaf4f3c0ba838e82b4e5ccc4157003fb8c324ee24c058470ffb82820becbde98"
+dependencies = [
+ "core-foundation 0.10.1",
+ "jni",
+ "log",
+ "ndk-context",
+ "objc2",
+ "objc2-foundation",
+ "url",
+ "web-sys",
+]
+
 [[package]]
 name = "webpki-roots"
-version = "0.25.2"
+version = "0.26.11"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "14247bb57be4f377dfb94c72830b8ce8fc6beac03cf4bf7b9732eadd414123fc"
+checksum = "521bc38abb08001b01866da9f51eb7c5d647a19260e00054a8c7fd5f9e57f7a9"
+dependencies = [
+ "webpki-roots 1.0.2",
+]
+
+[[package]]
+name = "webpki-roots"
+version = "1.0.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "7e8983c3ab33d6fb807cfcdad2491c4ea8cbc8ed839181c7dfd9c67c83e261b2"
+dependencies = [
+ "rustls-pki-types",
+]
 
 [[package]]
 name = "whoami"
-version = "1.4.1"
+version = "1.6.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "22fc3756b8a9133049b26c7f61ab35416c130e8c09b660f5b3958b446f52cc50"
+checksum = "6994d13118ab492c3c80c1f81928718159254c53c472bf9ce36f8dae4add02a7"
+dependencies = [
+ "redox_syscall",
+ "wasite",
+]
 
 [[package]]
 name = "winapi"
@@ -6117,11 +7578,11 @@ checksum = "ac3b87c63620426dd9b991e5ce0329eff545bccbbb34f3be09ff6fb6ab51b7b6"
 
 [[package]]
 name = "winapi-util"
-version = "0.1.6"
+version = "0.1.9"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "f29e6f9198ba0d26b4c9f07dbe6f9ed633e1f3d5b8b414090084349e46a52596"
+checksum = "cf221c93e13a30d793f7645a0e7762c55d169dbb0a49671918a2319d289b10bb"
 dependencies = [
- "winapi",
+ "windows-sys 0.59.0",
 ]
 
 [[package]]
@@ -6142,24 +7603,28 @@ dependencies = [
 
 [[package]]
 name = "windows-core"
-version = "0.51.1"
+version = "0.58.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "f1f8cf84f35d2db49a46868f947758c7a1138116f7fac3bc844f43ade1292e64"
+checksum = "6ba6d44ec8c2591c134257ce647b7ea6b20335bf6379a27dac5f1641fcf59f99"
 dependencies = [
- "windows-targets 0.48.5",
+ "windows-implement 0.58.0",
+ "windows-interface 0.58.0",
+ "windows-result 0.2.0",
+ "windows-strings 0.1.0",
+ "windows-targets 0.52.6",
 ]
 
 [[package]]
 name = "windows-core"
-version = "0.58.0"
+version = "0.61.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "6ba6d44ec8c2591c134257ce647b7ea6b20335bf6379a27dac5f1641fcf59f99"
+checksum = "c0fdd3ddb90610c7638aa2b3a3ab2904fb9e5cdbecc643ddb3647212781c4ae3"
 dependencies = [
- "windows-implement",
- "windows-interface",
- "windows-result",
- "windows-strings",
- "windows-targets 0.52.6",
+ "windows-implement 0.60.0",
+ "windows-interface 0.59.1",
+ "windows-link 0.1.3",
+ "windows-result 0.3.4",
+ "windows-strings 0.4.2",
 ]
 
 [[package]]
@@ -6170,7 +7635,18 @@ checksum = "2bbd5b46c938e506ecbce286b6628a02171d56153ba733b6c741fc627ec9579b"
 dependencies = [
  "proc-macro2",
  "quote",
- "syn 2.0.98",
+ "syn 2.0.104",
+]
+
+[[package]]
+name = "windows-implement"
+version = "0.60.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a47fddd13af08290e67f4acabf4b459f647552718f683a7b415d290ac744a836"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn 2.0.104",
 ]
 
 [[package]]
@@ -6181,9 +7657,32 @@ checksum = "053c4c462dc91d3b1504c6fe5a726dd15e216ba718e84a0e46a88fbe5ded3515"
 dependencies = [
  "proc-macro2",
  "quote",
- "syn 2.0.98",
+ "syn 2.0.104",
+]
+
+[[package]]
+name = "windows-interface"
+version = "0.59.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "bd9211b69f8dcdfa817bfd14bf1c97c9188afa36f4750130fcdf3f400eca9fa8"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn 2.0.104",
 ]
 
+[[package]]
+name = "windows-link"
+version = "0.1.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "5e6ad25900d524eaabdbbb96d20b4311e1e7ae1699af4fb28c17ae66c80d798a"
+
+[[package]]
+name = "windows-link"
+version = "0.2.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f0805222e57f7521d6a62e36fa9163bc891acd422f971defe97d64e70d0a4fe5"
+
 [[package]]
 name = "windows-result"
 version = "0.2.0"
@@ -6193,29 +7692,41 @@ dependencies = [
  "windows-targets 0.52.6",
 ]
 
+[[package]]
+name = "windows-result"
+version = "0.3.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "56f42bd332cc6c8eac5af113fc0c1fd6a8fd2aa08a0119358686e5160d0586c6"
+dependencies = [
+ "windows-link 0.1.3",
+]
+
 [[package]]
 name = "windows-strings"
 version = "0.1.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "4cd9b125c486025df0eabcb585e62173c6c9eddcec5d117d3b6e8c30e2ee4d10"
 dependencies = [
- "windows-result",
+ "windows-result 0.2.0",
  "windows-targets 0.52.6",
 ]
 
+[[package]]
+name = "windows-strings"
+version = "0.4.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "56e6c93f3a0c3b36176cb1327a4958a0353d5d166c2a35cb268ace15e91d3b57"
+dependencies = [
+ "windows-link 0.1.3",
+]
+
 [[package]]
 name = "windows-sys"
-version = "0.42.0"
+version = "0.45.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "5a3e1820f08b8513f676f7ab6c1f99ff312fb97b553d30ff4dd86f9f15728aa7"
+checksum = "75283be5efb2831d37ea142365f009c02ec203cd29a3ebecbc093d52315b66d0"
 dependencies = [
- "windows_aarch64_gnullvm 0.42.2",
- "windows_aarch64_msvc 0.42.2",
- "windows_i686_gnu 0.42.2",
- "windows_i686_msvc 0.42.2",
- "windows_x86_64_gnu 0.42.2",
- "windows_x86_64_gnullvm 0.42.2",
- "windows_x86_64_msvc 0.42.2",
+ "windows-targets 0.42.2",
 ]
 
 [[package]]
@@ -6245,6 +7756,39 @@ dependencies = [
  "windows-targets 0.52.6",
 ]
 
+[[package]]
+name = "windows-sys"
+version = "0.60.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f2f500e4d28234f72040990ec9d39e3a6b950f9f22d3dba18416c35882612bcb"
+dependencies = [
+ "windows-targets 0.53.3",
+]
+
+[[package]]
+name = "windows-sys"
+version = "0.61.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ae137229bcbd6cdf0f7b80a31df61766145077ddf49416a728b02cb3921ff3fc"
+dependencies = [
+ "windows-link 0.2.1",
+]
+
+[[package]]
+name = "windows-targets"
+version = "0.42.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "8e5180c00cd44c9b1c88adb3693291f1cd93605ded80c250a75d472756b4d071"
+dependencies = [
+ "windows_aarch64_gnullvm 0.42.2",
+ "windows_aarch64_msvc 0.42.2",
+ "windows_i686_gnu 0.42.2",
+ "windows_i686_msvc 0.42.2",
+ "windows_x86_64_gnu 0.42.2",
+ "windows_x86_64_gnullvm 0.42.2",
+ "windows_x86_64_msvc 0.42.2",
+]
+
 [[package]]
 name = "windows-targets"
 version = "0.48.5"
@@ -6269,13 +7813,30 @@ dependencies = [
  "windows_aarch64_gnullvm 0.52.6",
  "windows_aarch64_msvc 0.52.6",
  "windows_i686_gnu 0.52.6",
- "windows_i686_gnullvm",
+ "windows_i686_gnullvm 0.52.6",
  "windows_i686_msvc 0.52.6",
  "windows_x86_64_gnu 0.52.6",
  "windows_x86_64_gnullvm 0.52.6",
  "windows_x86_64_msvc 0.52.6",
 ]
 
+[[package]]
+name = "windows-targets"
+version = "0.53.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d5fe6031c4041849d7c496a8ded650796e7b6ecc19df1a431c1a363342e5dc91"
+dependencies = [
+ "windows-link 0.1.3",
+ "windows_aarch64_gnullvm 0.53.0",
+ "windows_aarch64_msvc 0.53.0",
+ "windows_i686_gnu 0.53.0",
+ "windows_i686_gnullvm 0.53.0",
+ "windows_i686_msvc 0.53.0",
+ "windows_x86_64_gnu 0.53.0",
+ "windows_x86_64_gnullvm 0.53.0",
+ "windows_x86_64_msvc 0.53.0",
+]
+
 [[package]]
 name = "windows_aarch64_gnullvm"
 version = "0.42.2"
@@ -6294,6 +7855,12 @@ version = "0.52.6"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "32a4622180e7a0ec044bb555404c800bc9fd9ec262ec147edd5989ccd0c02cd3"
 
+[[package]]
+name = "windows_aarch64_gnullvm"
+version = "0.53.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "86b8d5f90ddd19cb4a147a5fa63ca848db3df085e25fee3cc10b39b6eebae764"
+
 [[package]]
 name = "windows_aarch64_msvc"
 version = "0.42.2"
@@ -6312,6 +7879,12 @@ version = "0.52.6"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "09ec2a7bb152e2252b53fa7803150007879548bc709c039df7627cabbd05d469"
 
+[[package]]
+name = "windows_aarch64_msvc"
+version = "0.53.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "c7651a1f62a11b8cbd5e0d42526e55f2c99886c77e007179efff86c2b137e66c"
+
 [[package]]
 name = "windows_i686_gnu"
 version = "0.42.2"
@@ -6330,12 +7903,24 @@ version = "0.52.6"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "8e9b5ad5ab802e97eb8e295ac6720e509ee4c243f69d781394014ebfe8bbfa0b"
 
+[[package]]
+name = "windows_i686_gnu"
+version = "0.53.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "c1dc67659d35f387f5f6c479dc4e28f1d4bb90ddd1a5d3da2e5d97b42d6272c3"
+
 [[package]]
 name = "windows_i686_gnullvm"
 version = "0.52.6"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "0eee52d38c090b3caa76c563b86c3a4bd71ef1a819287c19d586d7334ae8ed66"
 
+[[package]]
+name = "windows_i686_gnullvm"
+version = "0.53.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9ce6ccbdedbf6d6354471319e781c0dfef054c81fbc7cf83f338a4296c0cae11"
+
 [[package]]
 name = "windows_i686_msvc"
 version = "0.42.2"
@@ -6354,6 +7939,12 @@ version = "0.52.6"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "240948bc05c5e7c6dabba28bf89d89ffce3e303022809e73deaefe4f6ec56c66"
 
+[[package]]
+name = "windows_i686_msvc"
+version = "0.53.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "581fee95406bb13382d2f65cd4a908ca7b1e4c2f1917f143ba16efe98a589b5d"
+
 [[package]]
 name = "windows_x86_64_gnu"
 version = "0.42.2"
@@ -6372,6 +7963,12 @@ version = "0.52.6"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "147a5c80aabfbf0c7d901cb5895d1de30ef2907eb21fbbab29ca94c5b08b1a78"
 
+[[package]]
+name = "windows_x86_64_gnu"
+version = "0.53.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "2e55b5ac9ea33f2fc1716d1742db15574fd6fc8dadc51caab1c16a3d3b4190ba"
+
 [[package]]
 name = "windows_x86_64_gnullvm"
 version = "0.42.2"
@@ -6390,6 +7987,12 @@ version = "0.52.6"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "24d5b23dc417412679681396f2b49f3de8c1473deb516bd34410872eff51ed0d"
 
+[[package]]
+name = "windows_x86_64_gnullvm"
+version = "0.53.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "0a6e035dd0599267ce1ee132e51c27dd29437f63325753051e71dd9e42406c57"
+
 [[package]]
 name = "windows_x86_64_msvc"
 version = "0.42.2"
@@ -6409,33 +8012,35 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "589f6da84c646204747d1270a2a5661ea66ed1cced2631d546fdfb155959f9ec"
 
 [[package]]
-name = "winnow"
-version = "0.5.40"
+name = "windows_x86_64_msvc"
+version = "0.53.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "f593a95398737aeed53e489c785df13f3618e41dbcd6718c6addbf1395aa6876"
-dependencies = [
- "memchr",
-]
+checksum = "271414315aff87387382ec3d271b52d7ae78726f5d44ac98b4f4030c91880486"
 
 [[package]]
 name = "winnow"
-version = "0.6.5"
+version = "0.7.13"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "dffa400e67ed5a4dd237983829e66475f0a4a26938c4b04c21baede6262215b8"
+checksum = "21a0236b59786fed61e2a80582dd500fe61f18b5dca67a4a067d0bc9039339cf"
 dependencies = [
  "memchr",
 ]
 
 [[package]]
-name = "winreg"
-version = "0.50.0"
+name = "wit-bindgen-rt"
+version = "0.39.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "524e57b2c537c0f9b1e69f1965311ec12182b4122e45035b1508cd24d2adadb1"
+checksum = "6f42320e61fe2cfd34354ecb597f86f413484a798ba44a8ca1165c58d42da6c1"
 dependencies = [
- "cfg-if",
- "windows-sys 0.48.0",
+ "bitflags 2.9.1",
 ]
 
+[[package]]
+name = "writeable"
+version = "0.6.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ea2f10b9bb0928dfb1b42b65e1f9e36f7f54dbdf08457afefb38afcdec4fa2bb"
+
 [[package]]
 name = "wyz"
 version = "0.5.1"
@@ -6447,76 +8052,188 @@ dependencies = [
 
 [[package]]
 name = "xattr"
-version = "1.1.3"
+version = "1.5.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "a7dae5072fe1f8db8f8d29059189ac175196e410e40ba42d5d4684ae2f750995"
+checksum = "af3a19837351dc82ba89f8a125e22a3c475f05aba604acc023d62b2739ae2909"
 dependencies = [
  "libc",
- "linux-raw-sys",
- "rustix",
+ "rustix 1.0.8",
 ]
 
 [[package]]
 name = "xxhash-rust"
-version = "0.8.7"
+version = "0.8.15"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "9828b178da53440fa9c766a3d2f73f7cf5d0ac1fe3980c1e5018d899fd19e07b"
+checksum = "fdd20c5420375476fbd4394763288da7eb0cc0b8c11deed431a91562af7335d3"
 
 [[package]]
 name = "yansi"
-version = "1.0.0-rc.1"
+version = "1.0.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "cfe53a6657fd280eaa890a3bc59152892ffa3e30101319d168b781ed6529b049"
+
+[[package]]
+name = "yasna"
+version = "0.5.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e17bb3549cc1321ae1296b9cdc2698e2b6cb1992adfa19a8c72e5b7a738f44cd"
+dependencies = [
+ "time",
+]
+
+[[package]]
+name = "yoke"
+version = "0.8.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "5f41bb01b8226ef4bfd589436a297c53d118f65921786300e427be8d487695cc"
+dependencies = [
+ "serde",
+ "stable_deref_trait",
+ "yoke-derive",
+ "zerofrom",
+]
+
+[[package]]
+name = "yoke-derive"
+version = "0.8.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "1367295b8f788d371ce2dbc842c7b709c73ee1364d30351dd300ec2203b12377"
+checksum = "38da3c9736e16c5d3c8c597a9aaa5d1fa565d0532ae05e27c24aa62fb32c0ab6"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn 2.0.104",
+ "synstructure",
+]
+
+[[package]]
+name = "yup-oauth2"
+version = "12.1.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "4964039ac787bbd306fba65f6a8963b7974ae99515087e506a862674abae6a30"
+dependencies = [
+ "async-trait",
+ "base64",
+ "http",
+ "http-body-util",
+ "hyper",
+ "hyper-rustls",
+ "hyper-util",
+ "log",
+ "percent-encoding",
+ "rustls",
+ "rustls-pemfile",
+ "seahash",
+ "serde",
+ "serde_json",
+ "thiserror 2.0.17",
+ "time",
+ "tokio",
+ "url",
+]
 
 [[package]]
 name = "zerocopy"
-version = "0.7.25"
+version = "0.8.26"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "8cd369a67c0edfef15010f980c3cbe45d7f651deac2cd67ce097cd801de16557"
+checksum = "1039dd0d3c310cf05de012d8a39ff557cb0d23087fd44cad61df08fc31907a2f"
 dependencies = [
  "zerocopy-derive",
 ]
 
 [[package]]
 name = "zerocopy-derive"
-version = "0.7.25"
+version = "0.8.26"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9ecf5b4cc5364572d7f4c329661bcc82724222973f2cab6f050a4e5c22f75181"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn 2.0.104",
+]
+
+[[package]]
+name = "zerofrom"
+version = "0.1.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "50cc42e0333e05660c3587f3bf9d0478688e15d870fab3346451ce7f8c9fbea5"
+dependencies = [
+ "zerofrom-derive",
+]
+
+[[package]]
+name = "zerofrom-derive"
+version = "0.1.6"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "c2f140bda219a26ccc0cdb03dba58af72590c53b22642577d88a927bc5c87d6b"
+checksum = "d71e5d6e06ab090c67b5e44993ec16b72dcbaabc526db883a360057678b48502"
 dependencies = [
  "proc-macro2",
  "quote",
- "syn 2.0.98",
+ "syn 2.0.104",
+ "synstructure",
 ]
 
 [[package]]
 name = "zeroize"
-version = "1.7.0"
+version = "1.8.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ced3678a2879b30306d323f4542626697a464a97c0a07c9aebf7ebca65cd4dde"
+
+[[package]]
+name = "zerotrie"
+version = "0.2.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "36f0bbd478583f79edad978b407914f61b2972f5af6fa089686016be8f9af595"
+dependencies = [
+ "displaydoc",
+ "yoke",
+ "zerofrom",
+]
+
+[[package]]
+name = "zerovec"
+version = "0.11.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "4a05eb080e015ba39cc9e23bbe5e7fb04d5fb040350f99f34e338d5fdd294428"
+dependencies = [
+ "yoke",
+ "zerofrom",
+ "zerovec-derive",
+]
+
+[[package]]
+name = "zerovec-derive"
+version = "0.11.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "525b4ec142c6b68a2d10f01f7bbf6755599ca3f81ea53b8431b7dd348f5fdb2d"
+checksum = "5b96237efa0c878c64bd89c436f661be4e46b2f3eff1ebb976f7ef2321d2f58f"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn 2.0.104",
+]
 
 [[package]]
 name = "zstd"
-version = "0.13.0"
+version = "0.13.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "bffb3309596d527cfcba7dfc6ed6052f1d39dfbd7c867aa2e865e4a449c10110"
+checksum = "e91ee311a569c327171651566e07972200e76fcfe2242a4fa446149a3881c08a"
 dependencies = [
  "zstd-safe",
 ]
 
 [[package]]
 name = "zstd-safe"
-version = "7.0.0"
+version = "7.2.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "43747c7422e2924c11144d5229878b98180ef8b06cca4ab5af37afc8a8d8ea3e"
+checksum = "8f49c4d5f0abb602a93fb8736af2a4f4dd9512e36f7f570d66e65ff867ed3b9d"
 dependencies = [
  "zstd-sys",
 ]
 
 [[package]]
 name = "zstd-sys"
-version = "2.0.9+zstd.1.5.5"
+version = "2.0.15+zstd.1.5.7"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "9e16efa8a874a0481a574084d34cc26fdb3b99627480f785888deb6386506656"
+checksum = "eb81183ddd97d0c74cedf1d50d85c8d08c1b8b68ee863bdee9e706eedba1a237"
 dependencies = [
  "cc",
  "pkg-config",
diff --git a/Cargo.toml b/Cargo.toml
index 210396c..bd6df1d 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -1,5 +1,5 @@
 [workspace.package]
-version = "0.1.0"
+version = "0.2.0"
 edition = "2021"
 authors = ["Lapdev <team@lap.dev>"]
 license = "AGPL-3.0"
@@ -15,15 +15,15 @@ description.workspace = true
 
 [[bin]]
 name = "lapdev-ws"
-path = "lapdev-ws/src/main.rs"
+path = "crates/ws/src/main.rs"
 
 [[bin]]
 name = "lapdev-guest-agent"
-path = "lapdev-guest-agent/src/main.rs"
+path = "crates/guest-agent/src/main.rs"
 
 [[bin]]
-name = "lapdev-db"
-path = "lapdev-db/src/main.rs"
+name = "lapdev-kube-manager"
+path = "crates/kube-manager/src/main.rs"
 
 [dependencies]
 tokio.workspace = true
@@ -32,111 +32,189 @@ anyhow.workspace = true
 tracing.workspace = true
 tracing-appender.workspace = true
 tracing-subscriber.workspace = true
-sea-orm-migration.workspace = true
+tracing-journald.workspace = true
+sea-orm-cli.workspace = true
 lapdev-db.workspace = true
 lapdev-ws.workspace = true
+lapdev-cli.workspace = true
 lapdev-guest-agent.workspace = true
 lapdev-kube.workspace = true
+lapdev-kube-manager.workspace = true
+dotenvy.workspace = true
 
 [workspace]
 members = [
-  "lapdev-api",
-  "lapdev-conductor",
-  "lapdev-ws",
-  "lapdev-rpc",
-  "lapdev-kube",
-  "lapdev-dashboard",
-  "lapdev-db",
-  "lapdev-common",
-  "lapdev-enterprise",
-  "lapdev-proxy-ssh",
-  "lapdev-proxy-http",
-  "lapdev-guest-agent",
+  "crates/api",
+  "crates/api-hrpc",
+  "crates/cli",
+  "crates/conductor",
+  "crates/ws",
+  "crates/rpc",
+  "crates/kube",
+  "crates/kube-rpc",
+  "crates/kube-manager",
+  "crates/kube-sidecar-proxy",
+  "crates/dashboard",
+  "crates/db",
+  "crates/db/migration",
+  "crates/db/entities",
+  "crates/common",
+  "crates/enterprise",
+  "crates/proxy-ssh",
+  "crates/proxy-http",
+  "crates/guest-agent",
+  "crates/hrpc",
+  "crates/hrpc-proc-macro",
+  "crates/devbox-rpc",
+  "crates/tunnel",
 ]
 
 [workspace.dependencies]
-rust_decimal = "1.36.0"
-toml = "0.8.11"
+rust_decimal = "1.37.1"
+toml = "0.9.8"
+dotenvy = "0.15.7"
 clap = { version = "4.5.2", features = ["derive"] }
 tempfile = "3.8.1"
 zstd = "0.13.0"
 tar = "0.4.40"
-git2 = { version = "0.18.2", features = ["vendored-libgit2", "vendored-openssl"] }
+regex = "1.11.1"
+git2 = { version = "0.20.2", features = [
+  "vendored-libgit2",
+  "vendored-openssl",
+] }
 anyhow = "1.0.66"
-thiserror = "1.0.58"
+thiserror = "2.0.17"
 async-trait = "0.1.74"
-serde = "1.0.190"
-pasetors = "0.6.8"
-futures = "0.3"
-futures-util = "0.3"
+serde = { version = "1.0.219", features = ["derive"] }
+pasetors = "0.7.7"
+pin-project = "1.1.5"
+futures = "0.3.31"
+futures-util = "0.3.31"
 serde_yaml = "0.9.30"
-serde_json = "1.0.111"
+serde_json = "1.0.140"
 json5 = "0.4.1"
-itertools = "0.12.0"
+itertools = "0.14.0"
 base64 = "0.22.0"
-oauth2 = "4.2.3"
+hex = "0.4"
+oauth2 = "5.0.0"
 include_dir = "0.7.3"
-reqwest = {version = "0.11.26", default-features = false, features = ["rustls", "stream", "json"] }
-async-compression = { version = "0.4.6", features = ["tokio", "zstd"] }
-docker-compose-types = "0.7.0"
+reqwest = { version = "0.12.24", default-features = false, features = [
+  "rustls-tls",
+  "stream",
+  "json",
+] }
+async-compression = { version = "0.4.33", features = ["tokio", "zstd"] }
+docker-compose-types = "0.22.0"
 tracing = "0.1.40"
 tracing-appender = "0.2.3"
 tracing-subscriber = { version = "0.3", features = ["env-filter"] }
-chrono = { version = "0.4.31", features = ["serde"] }
-tower = { version = "0.4", features = ["util"] }
-tower-http = { version = "0.5.2", features = ["fs", "trace"] }
-tokio-tungstenite = "0.26.1"
+tracing-journald = "0.3.0"
+chrono = { version = "0.4.40", features = ["serde"] }
+tower = { version = "0.5.2", features = ["util"] }
+tower-http = { version = "0.6.6", features = ["fs", "trace"] }
+tokio-tungstenite = { version = "0.28.0", features = ["native-tls-vendored"] }
+tokio-serde = "0.9.0"
 data-encoding = "2.4.0"
-sha2 = "0.10.8"
-rand = "0.8.5"
-strum = "0.26.1"
-strum_macros = "0.26.1"
-procfs = "0.17.0"
+secrecy = "0.10.3"
+sha2 = "0.10.9"
+rand = "0.9.2"
+strum = "0.27.1"
+strum_macros = "0.27.1"
+procfs = "0.18.0"
+quinn = { version = "0.11.9", default-features = false, features = [
+  "rustls",
+  "runtime-tokio",
+] }
+rcgen = "0.14.5"
 base16ct = { version = "0.2.0", features = ["alloc"] }
-axum = { version = "0.7.4", features = ["ws"] }
-axum-extra = { version = "0.9.2", features = ["typed-header"] }
-axum-client-ip = "0.5.0"
-bytes = "1.5.0"
-hyper = { version = "1.2.0", features = ["server", "client", "http1", "http2"] }
-hyper-util = { version = "0.1.2", features = ["tokio", "client-legacy", "server", "server-auto"] }
-http-body-util = "0.1.1"
-tarpc = { version = "0.34.0", features = ["full"] }
-rustls-webpki = "0.102.2"
-rustls-pemfile = "2.1.0"
-tokio-rustls = "0.25.0"
-tokio-util = "0.7.10"
-tokio = { version = "1.36.0", features = ["full"] }
-sqlx = { version = "0.7.3", default-features = false, features = ["sqlx-postgres"] }
-sea-orm = { version = "0.12.12", features = [ "sqlx-postgres", "sqlx-sqlite", "runtime-tokio-rustls", "macros" ] }
-sea-orm-migration = { version = "0.12.6", features = [ "sqlx-postgres", "runtime-tokio-rustls" ] }
+axum = { version = "0.8.6", features = ["ws", "macros"] }
+axum-extra = { version = "0.12.1", features = ["typed-header"] }
+axum-client-ip = "1.1.3"
+bytes = "1.10.1"
+hyper = { version = "1.7.0", features = ["server", "client", "http1", "http2"] }
+hyper-util = { version = "0.1.17", features = [
+  "tokio",
+  "client-legacy",
+  "server",
+  "server-auto",
+] }
+http-body-util = "0.1.3"
+kube = { version = "2.0.1", features = ["runtime"] }
+k8s-openapi = { version = "0.26.0", features = ["latest"] }
+tarpc = { version = "0.37.0", features = ["full"] }
+rustls-webpki = "0.103.8"
+rustls-pemfile = "2.2.0"
+tokio-rustls = { version = "0.26.4", default-features = false, features = [
+  "ring",
+  "logging",
+  "tls12",
+] }
+tokio-util = { version = "0.7.17", features = ["codec", "io", "compat"] }
+tokio = { version = "1.48.0", features = ["full"] }
+sqlx = { version = "0.8.6", default-features = false, features = [
+  "sqlx-postgres",
+] }
+sea-orm = { version = "1.1.17", features = [
+  "sqlx-postgres",
+  "sqlx-sqlite",
+  "runtime-tokio-rustls",
+  "macros",
+] }
+sea-orm-migration = { version = "1.1.17", features = [
+  "sqlx-postgres",
+  "runtime-tokio-rustls",
+] }
+sea-orm-cli = { version = "1.1.17", features = [
+  "sqlx-postgres",
+  "runtime-tokio-rustls",
+] }
 uuid = { version = "1.6.1", features = ["v4", "serde"] }
-russh = {version = "0.50.2" }
-lapdev-api = { path = "./lapdev-api" }
-lapdev-ws = { path = "./lapdev-ws" }
-lapdev-db = { path = "./lapdev-db" }
-lapdev-rpc = { path = "./lapdev-rpc" }
-lapdev-conductor = { path = "./lapdev-conductor" }
-lapdev-proxy-ssh = { path = "./lapdev-proxy-ssh" }
-lapdev-proxy-http = { path = "./lapdev-proxy-http" }
-lapdev-common = { path = "./lapdev-common" }
-lapdev-enterprise = { path = "./lapdev-enterprise" }
-lapdev-guest-agent = { path = "./lapdev-guest-agent" }
-lapdev-kube = { path = "./lapdev-kube" }
+russh = { version = "0.53.0" }
+lapdev-api = { path = "./crates/api" }
+lapdev-api-hrpc = { path = "./crates/api-hrpc" }
+lapdev-cli = { path = "./crates/cli" }
+lapdev-ws = { path = "./crates/ws" }
+lapdev-db = { path = "./crates/db" }
+lapdev-db-entities = { path = "./crates/db/entities" }
+lapdev-db-migration = { path = "./crates/db/migration" }
+lapdev-rpc = { path = "./crates/rpc" }
+lapdev-conductor = { path = "./crates/conductor" }
+lapdev-proxy-ssh = { path = "./crates/proxy-ssh" }
+lapdev-proxy-http = { path = "./crates/proxy-http" }
+lapdev-common = { path = "./crates/common" }
+lapdev-enterprise = { path = "./crates/enterprise" }
+lapdev-guest-agent = { path = "./crates/guest-agent" }
+lapdev-kube = { path = "./crates/kube" }
+lapdev-kube-rpc = { path = "./crates/kube-rpc" }
+lapdev-kube-manager = { path = "./crates/kube-manager" }
+lapdev-kube-sidecar-proxy = { path = "./crates/kube-sidecar-proxy" }
+lapdev-devbox-rpc = { path = "./crates/devbox-rpc" }
+lapdev-hrpc = { path = "./crates/hrpc" }
+lapdev-hrpc-proc-macro = { path = "./crates/hrpc-proc-macro" }
+lapdev-tunnel = { path = "./crates/tunnel" }
 
 [package.metadata.deb]
 depends = "$auto, passwd"
 maintainer-scripts = "pkg/deb/"
 systemd-units = { unit-name = "lapdev", enable = false }
 assets = [
-    ["target/release/lapdev", "/usr/bin/lapdev", "755"],
-    ["pkg/common/lapdev.service.preset", "/lib/systemd/system-preset/50-lapdev.preset", "644"],
+  [
+    "target/release/lapdev",
+    "/usr/bin/lapdev",
+    "755",
+  ],
+  [
+    "pkg/common/lapdev.service.preset",
+    "/lib/systemd/system-preset/50-lapdev.preset",
+    "644",
+  ],
 ]
 
 [package.metadata.generate-rpm]
 post_install_script = "pkg/rpm/lapdev.postinst"
 post_uninstall_script = "pkg/rpm/lapdev.postuninst"
 assets = [
-    { source = "target/release/lapdev", dest = "/usr/bin/lapdev", mode = "755" },
-    { source = "pkg/deb/lapdev.service", dest = "/lib/systemd/system/lapdev.service", mode = "644" },
-    { source = "pkg/common/lapdev.service.preset", dest = "/lib/systemd/system-preset/50-lapdev.preset", mode = "644" },
+  { source = "target/release/lapdev", dest = "/usr/bin/lapdev", mode = "755" },
+  { source = "pkg/deb/lapdev.service", dest = "/lib/systemd/system/lapdev.service", mode = "644" },
+  { source = "pkg/common/lapdev.service.preset", dest = "/lib/systemd/system-preset/50-lapdev.preset", mode = "644" },
 ]
diff --git a/README.md b/README.md
index d28f14b..d18e5a2 100644
--- a/README.md
+++ b/README.md
@@ -3,7 +3,7 @@
 
   # Lapdev
   
-  **Self-hosted remote development enviroment management with ease**
+  **Seamless dev environments for your Kubernetes apps**
 </div>
 
 <div align="center">
@@ -13,44 +13,48 @@
   <a href="https://discord.gg/DTZNfz3Ung" target="_blank">
     <img src="https://img.shields.io/discord/946858761413328946?logo=discord" />
   </a>
-  <a href="https://docs.lap.dev" target="_blank">
-      <img src="https://img.shields.io/static/v1?label=Docs&message=docs.lap.dev&color=blue" alt="Lapdev Docs">
+  <a href="https://lapdev.gitbook.io/docs/" target="_blank">
+      <img src="https://img.shields.io/static/v1?label=Docs&message=https://lapdev.gitbook.io/docs/&color=blue" alt="Lapdev Docs">
   </a>
 </div>
 <br>
 
-**Lapdev** is a self hosted application that spins up remote development environments on your own servers or clouds. It scales from a single machine in the corner to a global fleet of servers. It uses [Devcontainer open specification](https://containers.dev/) for defining your development environment as code. If you’re interested in a deep dive into how Lapdev works, you can read about its [architecture](https://docs.lap.dev/administration/architecture) here.
-
-## Cloud
-
-If you don't want to self host, we also have cloud offering of Lapdev using high end Gaming CPU: https://ws.lap.dev/
-
-[Read More](https://lap.dev/blog/a-performance-review-of-cloud-dev-envs/) to know how a Gaming CPU can boost the performance.
+**Lapdev** gives your team production-accurate development environments that run directly in your Kubernetes cluster. Install the lightweight `lapdev-kube-manager`, choose the workloads you care about, and Lapdev keeps isolated or shared environments in sync with your production manifests. Developers iterate quickly using the [Devbox CLI](https://lapdev.gitbook.io/docs/core-concepts/devbox) for local debugging while staying connected to real cluster resources.
 
 <br>
 
-![](https://lap.dev/images/screenshot.png) 
+![](https://new.lap.dev/images/screenshot.png) 
 
 <br>
 
-## Features
-
-- **Self hosted with ease:** Lapdev is designed to be self hosted with minimum efforts for installation and maintenance. The application is designed to just work, sparing you from digging too deep into the internals for troubleshooting. 
+## What Lapdev Does
 
-- **Horizontal scalability:** With a simple yet powerful [architecture](https://docs.lap.dev/administration/architecture), Lapdev can scale from a single machine to a fleet of servers, so that you can have a development environment management system that can grow with your developer teams.
+- **Reads production manifests** – Lapdev builds an App Catalog straight from your production Deployments, StatefulSets, ConfigMaps, Secrets, and Services.
+- **Creates tailored environments** – Launch fully isolated personal namespaces, shared team baselines, or lightweight branch environments with intelligent traffic routing.
+- **Keeps everything in sync** – Monitor production for changes, notify developers, and apply updates when you are ready—no manual YAML drift.
+- **Enables local-style iteration** – Devbox routes cluster traffic to your laptop, so you debug locally while remaining wired into in-cluster dependencies.
+- **Publishes secure preview URLs** – Share HTTPS endpoints for any service without juggling DNS, certificates, or ingress rules.
 
-- **Development Environment as Code:** Using the [Devcontainer open specification](https://containers.dev/), Lapdev allows you to define your development environment as code. This empowers you to standardize development environments that can be replicated across different developers, avoiding environment related issues and ensuring a consistent setup for everyone.
+## Architecture at a Glance
 
-- **Save Onboarding Time:** Onboarding developers to new projects don't need hours or days to prepare the environment on their machines. They can start to code instantly.
+Lapdev is made of three components that work together:
 
-## Planned Features
+1. **Lapdev API Server** – SaaS control plane that handles auth, orchestration, and secure tunneling.
+2. **Lapdev-Kube-Manager** – In-cluster operator that mirrors production workloads into development namespaces.
+3. **Devbox CLI** – Developer tooling for traffic interception and access to cluster services from your local machine.
 
-- **More workspace types:** Currently Lapdev only supports container based workspaces, which has its own limitations for example when you want to run a k8s cluster in your development flow. It's planned to have support for more than containers. VMs and bare metal machine support are on the roadmap. And more OS support is planned as well, e.g. when you are developing a cross platform desktop application for Windows, Linux and macOS, Lapdev can spin up development environments on all of them and you can develop and debug from the same local machine without the need to switch machines.  
+Dig deeper in the [Architecture docs](https://lapdev.gitbook.io/docs/core-concepts/architecture/).
 
-## Installation
+## Getting Started
 
-You can see the installation steps [here](https://docs.lap.dev/installation/quickstart).
+1. [Connect your Kubernetes cluster](https://lapdev.gitbook.io/docs/how-to-guides/connect-your-kubernetes-cluster)
+2. [Create an App Catalog](https://lapdev.gitbook.io/docs/how-to-guides/create-an-app-catalog)
+3. [Provision your first environment](https://lapdev.gitbook.io/docs/how-to-guides/create-lapdev-environment)
+4. [Develop locally with Devbox](https://lapdev.gitbook.io/docs/how-to-guides/local-development-with-devbox)
 
-## Build from source
+## Resources
 
-## Contributing
+- [Traffic routing architecture](https://lapdev.gitbook.io/docs/core-concepts/architecture/traffic-routing-architecture)
+- [Branch Environment Architecture](https://lapdev.gitbook.io/docs/core-concepts/architecture/branch-environment-architecture)
+- [Preview URLs](https://lapdev.gitbook.io/docs/core-concepts/preview-url)
+- [Lapdev Docs](https://lapdev.gitbook.io/docs/)
diff --git a/crates/api-hrpc/Cargo.toml b/crates/api-hrpc/Cargo.toml
new file mode 100644
index 0000000..d25cdcc
--- /dev/null
+++ b/crates/api-hrpc/Cargo.toml
@@ -0,0 +1,13 @@
+[package]
+name = "lapdev-api-hrpc" 
+version.workspace = true
+authors.workspace = true
+edition.workspace = true
+license.workspace = true
+description.workspace = true
+
+[dependencies]
+uuid.workspace = true
+serde.workspace = true
+lapdev-common.workspace = true
+lapdev-hrpc.workspace = true
\ No newline at end of file
diff --git a/crates/api-hrpc/src/lib.rs b/crates/api-hrpc/src/lib.rs
new file mode 100644
index 0000000..c48bc11
--- /dev/null
+++ b/crates/api-hrpc/src/lib.rs
@@ -0,0 +1,322 @@
+use lapdev_common::{
+    devbox::{
+        DevboxEnvironmentSelection, DevboxPortMappingOverride, DevboxSessionSummary,
+        DevboxSessionWhoAmI, DevboxStartWorkloadInterceptResponse,
+        DevboxWorkloadInterceptListResponse,
+    },
+    kube::{
+        CreateKubeClusterResponse, CreateKubeEnvironmentPreviewUrlRequest, KubeAppCatalogWorkload,
+        KubeAppCatalogWorkloadCreate, KubeCluster, KubeContainerInfo, KubeEnvironmentPreviewUrl,
+        KubeEnvironmentService, KubeEnvironmentWorkload, KubeEnvironmentWorkloadDetail,
+        KubeNamespace, KubeNamespaceInfo, KubeWorkload, KubeWorkloadKind, KubeWorkloadList,
+        PagePaginationParams, PaginatedResult, PaginationParams,
+        UpdateKubeEnvironmentPreviewUrlRequest,
+    },
+};
+use uuid::Uuid;
+
+pub use lapdev_common::hrpc::HrpcError;
+pub use lapdev_common::kube::{
+    KubeAppCatalog, KubeEnvironment, KubeEnvironmentDashboardSummary, KubeEnvironmentStatusCount,
+};
+// For backward compatibility
+pub use lapdev_common::kube::KubeAppCatalog as AppCatalog;
+
+#[lapdev_hrpc::service]
+pub trait HrpcService {
+    async fn devbox_session_get_session(&self) -> Result<Option<DevboxSessionSummary>, HrpcError>;
+
+    async fn devbox_session_revoke_session(&self, session_id: Uuid) -> Result<(), HrpcError>;
+
+    async fn devbox_session_get_active_environment(
+        &self,
+    ) -> Result<Option<DevboxEnvironmentSelection>, HrpcError>;
+
+    async fn devbox_session_set_active_environment(
+        &self,
+        environment_id: Uuid,
+    ) -> Result<(), HrpcError>;
+
+    async fn devbox_session_whoami(&self) -> Result<DevboxSessionWhoAmI, HrpcError>;
+
+    async fn devbox_intercept_list(
+        &self,
+        environment_id: Uuid,
+    ) -> Result<DevboxWorkloadInterceptListResponse, HrpcError>;
+
+    async fn devbox_intercept_start(
+        &self,
+        workload_id: Uuid,
+        port_mappings: Vec<DevboxPortMappingOverride>,
+    ) -> Result<DevboxStartWorkloadInterceptResponse, HrpcError>;
+
+    async fn devbox_intercept_stop(&self, intercept_id: Uuid) -> Result<(), HrpcError>;
+
+    async fn all_kube_clusters(&self, org_id: Uuid) -> Result<Vec<KubeCluster>, HrpcError>;
+
+    async fn create_kube_cluster(
+        &self,
+        org_id: Uuid,
+        name: String,
+    ) -> Result<CreateKubeClusterResponse, HrpcError>;
+
+    async fn delete_kube_cluster(&self, org_id: Uuid, cluster_id: Uuid) -> Result<(), HrpcError>;
+
+    async fn set_cluster_deployable(
+        &self,
+        org_id: Uuid,
+        cluster_id: Uuid,
+        can_deploy_personal: bool,
+        can_deploy_shared: bool,
+    ) -> Result<(), HrpcError>;
+
+    async fn set_cluster_personal_deployable(
+        &self,
+        org_id: Uuid,
+        cluster_id: Uuid,
+        can_deploy: bool,
+    ) -> Result<(), HrpcError>;
+
+    async fn set_cluster_shared_deployable(
+        &self,
+        org_id: Uuid,
+        cluster_id: Uuid,
+        can_deploy: bool,
+    ) -> Result<(), HrpcError>;
+
+    async fn get_workloads(
+        &self,
+        org_id: Uuid,
+        cluster_id: Uuid,
+        namespace: Option<String>,
+        workload_kind_filter: Option<KubeWorkloadKind>,
+        include_system_workloads: bool,
+        pagination: Option<PaginationParams>,
+    ) -> Result<KubeWorkloadList, HrpcError>;
+
+    async fn get_workload_details(
+        &self,
+        org_id: Uuid,
+        cluster_id: Uuid,
+        name: String,
+        namespace: String,
+    ) -> Result<Option<KubeWorkload>, HrpcError>;
+
+    async fn get_cluster_namespaces(
+        &self,
+        org_id: Uuid,
+        cluster_id: Uuid,
+    ) -> Result<Vec<KubeNamespaceInfo>, HrpcError>;
+
+    async fn get_cluster_info(
+        &self,
+        org_id: Uuid,
+        cluster_id: Uuid,
+    ) -> Result<KubeCluster, HrpcError>;
+
+    async fn create_app_catalog(
+        &self,
+        org_id: Uuid,
+        cluster_id: Uuid,
+        name: String,
+        description: Option<String>,
+        workloads: Vec<KubeAppCatalogWorkloadCreate>,
+    ) -> Result<Uuid, HrpcError>;
+
+    async fn all_app_catalogs(
+        &self,
+        org_id: Uuid,
+        search: Option<String>,
+        pagination: Option<PagePaginationParams>,
+    ) -> Result<PaginatedResult<KubeAppCatalog>, HrpcError>;
+
+    async fn get_app_catalog(
+        &self,
+        org_id: Uuid,
+        catalog_id: Uuid,
+    ) -> Result<KubeAppCatalog, HrpcError>;
+
+    async fn get_app_catalog_workloads(
+        &self,
+        org_id: Uuid,
+        catalog_id: Uuid,
+    ) -> Result<Vec<KubeAppCatalogWorkload>, HrpcError>;
+
+    async fn delete_app_catalog(&self, org_id: Uuid, catalog_id: Uuid) -> Result<(), HrpcError>;
+
+    async fn delete_app_catalog_workload(
+        &self,
+        org_id: Uuid,
+        workload_id: Uuid,
+    ) -> Result<(), HrpcError>;
+
+    async fn update_app_catalog_workload(
+        &self,
+        org_id: Uuid,
+        workload_id: Uuid,
+        containers: Vec<KubeContainerInfo>,
+    ) -> Result<(), HrpcError>;
+
+    async fn add_workloads_to_app_catalog(
+        &self,
+        org_id: Uuid,
+        catalog_id: Uuid,
+        workloads: Vec<KubeAppCatalogWorkloadCreate>,
+    ) -> Result<(), HrpcError>;
+
+    async fn create_kube_environment(
+        &self,
+        org_id: Uuid,
+        app_catalog_id: Uuid,
+        cluster_id: Uuid,
+        name: String,
+        is_shared: bool,
+    ) -> Result<KubeEnvironment, HrpcError>;
+
+    async fn create_branch_environment(
+        &self,
+        org_id: Uuid,
+        base_environment_id: Uuid,
+        name: String,
+    ) -> Result<KubeEnvironment, HrpcError>;
+
+    async fn all_kube_environments(
+        &self,
+        org_id: Uuid,
+        search: Option<String>,
+        is_shared: bool,
+        is_branch: bool,
+        pagination: Option<PagePaginationParams>,
+    ) -> Result<PaginatedResult<KubeEnvironment>, HrpcError>;
+
+    async fn get_environment_dashboard_summary(
+        &self,
+        org_id: Uuid,
+        recent_limit: Option<usize>,
+    ) -> Result<KubeEnvironmentDashboardSummary, HrpcError>;
+
+    async fn get_kube_environment(
+        &self,
+        org_id: Uuid,
+        environment_id: Uuid,
+    ) -> Result<KubeEnvironment, HrpcError>;
+
+    async fn delete_kube_environment(
+        &self,
+        org_id: Uuid,
+        environment_id: Uuid,
+    ) -> Result<(), HrpcError>;
+
+    async fn pause_kube_environment(
+        &self,
+        org_id: Uuid,
+        environment_id: Uuid,
+    ) -> Result<(), HrpcError>;
+
+    async fn resume_kube_environment(
+        &self,
+        org_id: Uuid,
+        environment_id: Uuid,
+    ) -> Result<(), HrpcError>;
+
+    async fn sync_environment_from_catalog(
+        &self,
+        org_id: Uuid,
+        environment_id: Uuid,
+    ) -> Result<(), HrpcError>;
+
+    async fn rebase_branch_environment(
+        &self,
+        org_id: Uuid,
+        environment_id: Uuid,
+    ) -> Result<(), HrpcError>;
+
+    // Kube Environment Workload operations
+    async fn get_environment_workloads(
+        &self,
+        org_id: Uuid,
+        environment_id: Uuid,
+    ) -> Result<Vec<KubeEnvironmentWorkload>, HrpcError>;
+
+    async fn get_environment_services(
+        &self,
+        org_id: Uuid,
+        environment_id: Uuid,
+    ) -> Result<Vec<KubeEnvironmentService>, HrpcError>;
+
+    async fn get_environment_workload(
+        &self,
+        org_id: Uuid,
+        workload_id: Uuid,
+    ) -> Result<Option<KubeEnvironmentWorkload>, HrpcError>;
+
+    async fn get_environment_workload_detail(
+        &self,
+        org_id: Uuid,
+        environment_id: Uuid,
+        workload_id: Uuid,
+    ) -> Result<KubeEnvironmentWorkloadDetail, HrpcError>;
+
+    async fn update_environment_workload(
+        &self,
+        org_id: Uuid,
+        environment_id: Uuid,
+        workload_id: Uuid,
+        containers: Vec<KubeContainerInfo>,
+    ) -> Result<Uuid, HrpcError>;
+
+    async fn delete_environment_workload(
+        &self,
+        org_id: Uuid,
+        environment_id: Uuid,
+        workload_id: Uuid,
+    ) -> Result<(), HrpcError>;
+
+    // Kube Namespace operations
+    async fn create_kube_namespace(
+        &self,
+        org_id: Uuid,
+        name: String,
+        description: Option<String>,
+        is_shared: bool,
+    ) -> Result<KubeNamespace, HrpcError>;
+
+    async fn all_kube_namespaces(
+        &self,
+        org_id: Uuid,
+        is_shared: bool,
+    ) -> Result<Vec<KubeNamespace>, HrpcError>;
+
+    async fn delete_kube_namespace(
+        &self,
+        org_id: Uuid,
+        namespace_id: Uuid,
+    ) -> Result<(), HrpcError>;
+
+    // Kube Environment Preview URL operations
+    async fn create_environment_preview_url(
+        &self,
+        org_id: Uuid,
+        environment_id: Uuid,
+        request: CreateKubeEnvironmentPreviewUrlRequest,
+    ) -> Result<KubeEnvironmentPreviewUrl, HrpcError>;
+
+    async fn get_environment_preview_urls(
+        &self,
+        org_id: Uuid,
+        environment_id: Uuid,
+    ) -> Result<Vec<KubeEnvironmentPreviewUrl>, HrpcError>;
+
+    async fn update_environment_preview_url(
+        &self,
+        org_id: Uuid,
+        preview_url_id: Uuid,
+        request: UpdateKubeEnvironmentPreviewUrlRequest,
+    ) -> Result<KubeEnvironmentPreviewUrl, HrpcError>;
+
+    async fn delete_environment_preview_url(
+        &self,
+        org_id: Uuid,
+        preview_url_id: Uuid,
+    ) -> Result<(), HrpcError>;
+}
diff --git a/lapdev-api/Cargo.toml b/crates/api/Cargo.toml
similarity index 74%
rename from lapdev-api/Cargo.toml
rename to crates/api/Cargo.toml
index 098460b..dfc648e 100644
--- a/lapdev-api/Cargo.toml
+++ b/crates/api/Cargo.toml
@@ -7,6 +7,8 @@ license.workspace = true
 description.workspace = true
 
 [dependencies]
+regex.workspace = true
+tarpc.workspace = true
 itertools.workspace = true
 rustls-webpki.workspace = true
 include_dir.workspace = true
@@ -14,6 +16,7 @@ toml.workspace = true
 clap.workspace = true
 rustls-pemfile.workspace = true
 tokio-rustls.workspace = true
+tokio-util.workspace = true
 reqwest.workspace = true
 oauth2.workspace = true
 chrono.workspace = true
@@ -30,21 +33,32 @@ tower.workspace = true
 tower-http.workspace = true
 anyhow.workspace = true
 tokio.workspace = true
+tokio-tungstenite.workspace = true
+tokio-stream = { version = "0.1.15", features = ["sync"] }
 futures.workspace = true
 futures-util.workspace = true
 serde.workspace = true
 serde_json.workspace = true
+serde_yaml.workspace = true
 tracing.workspace = true
 tracing-appender.workspace = true
 tracing-subscriber.workspace = true
 uuid.workspace = true
+secrecy.workspace = true
 sqlx.workspace = true
 sea-orm.workspace = true
 lapdev-rpc.workspace = true
+lapdev-kube-rpc.workspace = true
+lapdev-devbox-rpc.workspace = true
 lapdev-common.workspace = true
+k8s-openapi.workspace = true
+lapdev-api-hrpc.workspace = true
 lapdev-db.workspace = true
+lapdev-db-entities.workspace = true
 lapdev-enterprise.workspace = true
 lapdev-conductor.workspace = true
 lapdev-proxy-ssh.workspace = true
 lapdev-proxy-http.workspace = true
 lapdev-kube.workspace = true
+lapdev-tunnel.workspace = true
+pin-project.workspace = true
diff --git a/lapdev-api/pages/tailwind.config.js b/crates/api/pages/tailwind.config.js
similarity index 100%
rename from lapdev-api/pages/tailwind.config.js
rename to crates/api/pages/tailwind.config.js
diff --git a/lapdev-api/src/account.rs b/crates/api/src/account.rs
similarity index 88%
rename from lapdev-api/src/account.rs
rename to crates/api/src/account.rs
index 5852340..84e0b1f 100644
--- a/lapdev-api/src/account.rs
+++ b/crates/api/src/account.rs
@@ -1,11 +1,12 @@
-use std::{collections::HashMap, str::FromStr};
+use std::{collections::HashMap, str::FromStr, sync::Arc};
 
 use axum::{
-    extract::{Host, Path, Query, State},
+    extract::{Path, Query, State},
     response::{IntoResponse, Response},
     Json,
 };
 use axum_extra::{
+    extract::Host,
     headers::{self, Cookie},
     TypedHeader,
 };
@@ -15,7 +16,7 @@ use lapdev_common::{
     console::{MeUser, NewSessionResponse, Organization},
     GitProvider, NewSshKey, SshKey, UserRole,
 };
-use lapdev_db::{api::DbApi, entities};
+use lapdev_db::api::DbApi;
 use lapdev_rpc::error::ApiError;
 use russh::keys::PublicKeyBase64;
 use sea_orm::{prelude::Uuid, ActiveModelTrait, ActiveValue};
@@ -23,7 +24,7 @@ use sea_orm::{prelude::Uuid, ActiveModelTrait, ActiveValue};
 use crate::{session::create_oauth_connection, state::CoreState};
 
 pub async fn me(
-    State(state): State<CoreState>,
+    State(state): State<Arc<CoreState>>,
     TypedHeader(cookies): TypedHeader<headers::Cookie>,
 ) -> Result<Response, ApiError> {
     let user = state.authenticate(&cookies).await?;
@@ -64,7 +65,7 @@ pub async fn me(
 }
 
 pub async fn set_current_organization(
-    State(state): State<CoreState>,
+    State(state): State<Arc<CoreState>>,
     Path(org_id): Path<Uuid>,
     TypedHeader(cookies): TypedHeader<headers::Cookie>,
 ) -> Result<Response, ApiError> {
@@ -74,7 +75,7 @@ pub async fn set_current_organization(
         .get_organization_member(user.id, org_id)
         .await
         .map_err(|_| ApiError::Unauthorized)?;
-    entities::user::ActiveModel {
+    lapdev_db_entities::user::ActiveModel {
         id: ActiveValue::Set(user.id),
         current_organization: ActiveValue::Set(org_id),
         ..Default::default()
@@ -85,11 +86,11 @@ pub async fn set_current_organization(
 }
 
 async fn user_current_organization(
-    user: &entities::user::Model,
+    user: &lapdev_db_entities::user::Model,
     db: &DbApi,
 ) -> anyhow::Result<(
-    entities::organization::Model,
-    entities::organization_member::Model,
+    lapdev_db_entities::organization::Model,
+    lapdev_db_entities::organization_member::Model,
 )> {
     if let Ok(r) = user_organization(user, user.current_organization, db).await {
         return Ok(r);
@@ -98,12 +99,12 @@ async fn user_current_organization(
 }
 
 async fn user_organization(
-    user: &entities::user::Model,
+    user: &lapdev_db_entities::user::Model,
     org_id: Uuid,
     db: &DbApi,
 ) -> anyhow::Result<(
-    entities::organization::Model,
-    entities::organization_member::Model,
+    lapdev_db_entities::organization::Model,
+    lapdev_db_entities::organization_member::Model,
 )> {
     let org = db.get_organization(org_id).await?;
     let member = db.get_organization_member(user.id, org.id).await?;
@@ -111,16 +112,16 @@ async fn user_organization(
 }
 
 async fn pick_user_organization(
-    user: &entities::user::Model,
+    user: &lapdev_db_entities::user::Model,
     db: &DbApi,
 ) -> anyhow::Result<(
-    entities::organization::Model,
-    entities::organization_member::Model,
+    lapdev_db_entities::organization::Model,
+    lapdev_db_entities::organization_member::Model,
 )> {
     let org_members = db.get_user_organizations(user.id).await?;
     for org_member in org_members {
         if let Ok(org) = db.get_organization(org_member.organization_id).await {
-            entities::user::ActiveModel {
+            lapdev_db_entities::user::ActiveModel {
                 id: ActiveValue::Set(user.id),
                 current_organization: ActiveValue::Set(org.id),
                 ..Default::default()
@@ -134,12 +135,12 @@ async fn pick_user_organization(
 }
 
 async fn all_user_organizations(
-    user: &entities::user::Model,
+    user: &lapdev_db_entities::user::Model,
     db: &DbApi,
 ) -> anyhow::Result<
     Vec<(
-        entities::organization::Model,
-        entities::organization_member::Model,
+        lapdev_db_entities::organization::Model,
+        lapdev_db_entities::organization_member::Model,
     )>,
 > {
     let mut result = Vec::new();
@@ -154,7 +155,7 @@ async fn all_user_organizations(
 
 pub async fn create_ssh_key(
     TypedHeader(cookie): TypedHeader<Cookie>,
-    State(state): State<CoreState>,
+    State(state): State<Arc<CoreState>>,
     Json(ssh_key): Json<NewSshKey>,
 ) -> Result<Response, ApiError> {
     let user = state.authenticate(&cookie).await?;
@@ -179,7 +180,7 @@ pub async fn create_ssh_key(
         .map_err(|_| ApiError::InvalidRequest("The SSH public key is invalid".to_string()))?;
     let parsed_key = parsed_key.public_key_base64();
 
-    let model = entities::ssh_public_key::ActiveModel {
+    let model = lapdev_db_entities::ssh_public_key::ActiveModel {
         id: ActiveValue::Set(Uuid::new_v4()),
         created_at: ActiveValue::Set(Utc::now().into()),
         name: ActiveValue::Set(name.to_string()),
@@ -201,7 +202,7 @@ pub async fn create_ssh_key(
 }
 
 pub async fn all_ssh_keys(
-    State(state): State<CoreState>,
+    State(state): State<Arc<CoreState>>,
     TypedHeader(cookie): TypedHeader<Cookie>,
 ) -> Result<Response, ApiError> {
     let user = state.authenticate(&cookie).await?;
@@ -223,7 +224,7 @@ pub async fn all_ssh_keys(
 pub async fn delete_ssh_key(
     TypedHeader(cookie): TypedHeader<Cookie>,
     Path(key_id): Path<Uuid>,
-    State(state): State<CoreState>,
+    State(state): State<Arc<CoreState>>,
 ) -> Result<Response, ApiError> {
     let user = state.authenticate(&cookie).await?;
     let key = state.db.get_ssh_key(key_id).await?;
@@ -231,7 +232,7 @@ pub async fn delete_ssh_key(
         return Err(ApiError::Unauthorized);
     }
 
-    entities::ssh_public_key::ActiveModel {
+    lapdev_db_entities::ssh_public_key::ActiveModel {
         id: ActiveValue::Set(key.id),
         deleted_at: ActiveValue::Set(Some(Utc::now().into())),
         ..Default::default()
@@ -244,7 +245,7 @@ pub async fn delete_ssh_key(
 
 pub async fn get_git_providers(
     TypedHeader(cookie): TypedHeader<Cookie>,
-    State(state): State<CoreState>,
+    State(state): State<Arc<CoreState>>,
 ) -> Result<impl IntoResponse, ApiError> {
     let user = state.authenticate(&cookie).await?;
     let all_oauths = state.db.get_user_all_oauth(user.id).await?;
@@ -261,7 +262,7 @@ pub async fn get_git_providers(
             avatar_url: oauth.as_ref().and_then(|o| o.avatar_url.clone()),
             email: oauth.as_ref().and_then(|o| o.email.clone()),
             name: oauth.as_ref().and_then(|o| o.name.clone()),
-            read_repo: oauth.as_ref().map(|o| o.read_repo),
+            read_repo: oauth.as_ref().map(|o| o.read_repo.unwrap_or(false)),
             scopes: config.scopes.iter().map(|s| s.to_string()).collect(),
             all_scopes: config
                 .read_repo_scopes
@@ -279,7 +280,7 @@ pub async fn connect_git_provider(
     TypedHeader(cookie): TypedHeader<Cookie>,
     Host(hostname): Host,
     Query(query): Query<HashMap<String, String>>,
-    State(state): State<CoreState>,
+    State(state): State<Arc<CoreState>>,
 ) -> Result<impl IntoResponse, ApiError> {
     let user = state.authenticate(&cookie).await?;
     let provider_name = query
@@ -303,7 +304,7 @@ pub async fn update_scope(
     TypedHeader(cookie): TypedHeader<Cookie>,
     Host(hostname): Host,
     Query(query): Query<HashMap<String, String>>,
-    State(state): State<CoreState>,
+    State(state): State<Arc<CoreState>>,
 ) -> Result<impl IntoResponse, ApiError> {
     let user = state.authenticate(&cookie).await?;
     let all_oauths = state.db.get_user_all_oauth(user.id).await?;
@@ -339,7 +340,7 @@ pub async fn update_scope(
 pub async fn disconnect_git_provider(
     TypedHeader(cookie): TypedHeader<Cookie>,
     Query(query): Query<HashMap<String, String>>,
-    State(state): State<CoreState>,
+    State(state): State<Arc<CoreState>>,
 ) -> Result<impl IntoResponse, ApiError> {
     let user = state.authenticate(&cookie).await?;
     let all_oauths = state.db.get_user_all_oauth(user.id).await?;
@@ -358,7 +359,7 @@ pub async fn disconnect_git_provider(
         .await?
         .ok_or_else(|| ApiError::InvalidRequest("provider isn't connected".to_string()))?;
 
-    entities::oauth_connection::ActiveModel {
+    lapdev_db_entities::oauth_connection::ActiveModel {
         id: ActiveValue::Set(oauth.id),
         deleted_at: ActiveValue::Set(Some(Utc::now().into())),
         ..Default::default()
diff --git a/lapdev-api/src/admin.rs b/crates/api/src/admin.rs
similarity index 90%
rename from lapdev-api/src/admin.rs
rename to crates/api/src/admin.rs
index c0692b2..2b676c9 100644
--- a/lapdev-api/src/admin.rs
+++ b/crates/api/src/admin.rs
@@ -1,4 +1,4 @@
-use std::{collections::HashMap, str::FromStr};
+use std::{collections::HashMap, str::FromStr, sync::Arc};
 
 use anyhow::anyhow;
 use axum::{
@@ -15,7 +15,6 @@ use lapdev_common::{
     UpdateWorkspaceHost, WorkspaceHost, WorkspaceHostStatus, LAPDEV_BASE_HOSTNAME,
 };
 use lapdev_conductor::scheduler::{self, LAPDEV_CPU_OVERCOMMIT};
-use lapdev_db::entities;
 use lapdev_rpc::error::ApiError;
 use sea_orm::{
     ActiveModelTrait, ActiveValue, ColumnTrait, EntityTrait, PaginatorTrait, QueryFilter,
@@ -31,7 +30,7 @@ use crate::{
 
 pub async fn update_license(
     TypedHeader(cookie): TypedHeader<Cookie>,
-    State(state): State<CoreState>,
+    State(state): State<Arc<CoreState>>,
     Json(new_license_key): Json<NewLicenseKey>,
 ) -> Result<Json<EnterpriseLicense>, ApiError> {
     state.authenticate_cluster_admin(&cookie).await?;
@@ -46,7 +45,7 @@ pub async fn update_license(
 
 pub async fn get_license(
     TypedHeader(cookie): TypedHeader<Cookie>,
-    State(state): State<CoreState>,
+    State(state): State<Arc<CoreState>>,
 ) -> Result<Json<EnterpriseLicense>, ApiError> {
     state.authenticate_cluster_admin(&cookie).await?;
     let license = state
@@ -62,7 +61,7 @@ pub async fn get_license(
 }
 
 pub async fn new_license(
-    State(state): State<CoreState>,
+    State(state): State<Arc<CoreState>>,
     Json(new_license): Json<NewLicense>,
 ) -> Result<String, ApiError> {
     let license = state
@@ -81,7 +80,7 @@ pub async fn new_license(
 
 pub async fn get_workspace_hosts(
     TypedHeader(cookie): TypedHeader<Cookie>,
-    State(state): State<CoreState>,
+    State(state): State<Arc<CoreState>>,
 ) -> Result<Json<Vec<WorkspaceHost>>, ApiError> {
     state.authenticate_cluster_admin(&cookie).await?;
     let hosts = state.db.get_all_workspace_hosts().await?;
@@ -110,7 +109,7 @@ pub async fn get_workspace_hosts(
 
 pub async fn create_workspace_host(
     TypedHeader(cookie): TypedHeader<Cookie>,
-    State(state): State<CoreState>,
+    State(state): State<Arc<CoreState>>,
     Json(new_workspace_host): Json<NewWorkspaceHost>,
 ) -> Result<Json<WorkspaceHost>, ApiError> {
     state.authenticate_cluster_admin(&cookie).await?;
@@ -125,7 +124,7 @@ pub async fn create_workspace_host(
             new_workspace_host.host
         )));
     }
-    let host = entities::workspace_host::ActiveModel {
+    let host = lapdev_db_entities::workspace_host::ActiveModel {
         id: ActiveValue::Set(Uuid::new_v4()),
         deleted_at: ActiveValue::Set(None),
         host: ActiveValue::Set(new_workspace_host.host),
@@ -164,11 +163,11 @@ pub async fn create_workspace_host(
 pub async fn update_workspace_host(
     TypedHeader(cookie): TypedHeader<Cookie>,
     Path(id): Path<Uuid>,
-    State(state): State<CoreState>,
+    State(state): State<Arc<CoreState>>,
     Json(update_workspace_host): Json<UpdateWorkspaceHost>,
 ) -> Result<Json<WorkspaceHost>, ApiError> {
     state.authenticate_cluster_admin(&cookie).await?;
-    let host = entities::workspace_host::ActiveModel {
+    let host = lapdev_db_entities::workspace_host::ActiveModel {
         id: ActiveValue::Set(id),
         cpu: ActiveValue::Set(update_workspace_host.cpu as i32),
         memory: ActiveValue::Set(update_workspace_host.memory as i32),
@@ -204,13 +203,13 @@ pub async fn update_workspace_host(
 pub async fn delete_workspace_host(
     TypedHeader(cookie): TypedHeader<Cookie>,
     Path(id): Path<Uuid>,
-    State(state): State<CoreState>,
+    State(state): State<Arc<CoreState>>,
 ) -> Result<Response, ApiError> {
     state.authenticate_cluster_admin(&cookie).await?;
     let now = Utc::now();
-    if entities::workspace::Entity::find()
-        .filter(entities::workspace::Column::DeletedAt.is_null())
-        .filter(entities::workspace::Column::HostId.eq(id))
+    if lapdev_db_entities::workspace::Entity::find()
+        .filter(lapdev_db_entities::workspace::Column::DeletedAt.is_null())
+        .filter(lapdev_db_entities::workspace::Column::HostId.eq(id))
         .one(&state.db.conn)
         .await?
         .is_some()
@@ -219,7 +218,7 @@ pub async fn delete_workspace_host(
             "You can't delete a workspace host with workspaces on it".to_string(),
         ));
     };
-    entities::workspace_host::ActiveModel {
+    lapdev_db_entities::workspace_host::ActiveModel {
         id: ActiveValue::Set(id),
         deleted_at: ActiveValue::Set(Some(now.into())),
         ..Default::default()
@@ -231,7 +230,7 @@ pub async fn delete_workspace_host(
 
 pub async fn get_oauth(
     TypedHeader(cookie): TypedHeader<Cookie>,
-    State(state): State<CoreState>,
+    State(state): State<Arc<CoreState>>,
 ) -> Result<Json<OauthSettings>, ApiError> {
     state.authenticate_cluster_admin(&cookie).await?;
     let setting = OauthSettings {
@@ -261,7 +260,7 @@ pub async fn get_oauth(
 
 pub async fn update_oauth(
     TypedHeader(cookie): TypedHeader<Cookie>,
-    State(state): State<CoreState>,
+    State(state): State<Arc<CoreState>>,
     Json(update_oauth): Json<OauthSettings>,
 ) -> Result<Response, ApiError> {
     let is_cluster_initiated = {
@@ -302,7 +301,7 @@ pub async fn update_oauth(
 
 pub async fn get_certs(
     TypedHeader(cookie): TypedHeader<Cookie>,
-    State(state): State<CoreState>,
+    State(state): State<Arc<CoreState>>,
 ) -> Result<Json<Vec<(String, String)>>, ApiError> {
     state.authenticate_cluster_admin(&cookie).await?;
     let certs = state.db.get_config(LAPDEV_CERTS).await?;
@@ -312,7 +311,7 @@ pub async fn get_certs(
 
 pub async fn update_certs(
     TypedHeader(cookie): TypedHeader<Cookie>,
-    State(state): State<CoreState>,
+    State(state): State<Arc<CoreState>>,
     Json(update_body): Json<Vec<(String, String)>>,
 ) -> Result<StatusCode, ApiError> {
     state.authenticate_cluster_admin(&cookie).await?;
@@ -322,7 +321,7 @@ pub async fn update_certs(
 }
 
 pub async fn get_auth_providers(
-    State(state): State<CoreState>,
+    State(state): State<Arc<CoreState>>,
 ) -> Result<Json<Vec<AuthProvider>>, ApiError> {
     let providers: Vec<AuthProvider> = state
         .auth
@@ -336,7 +335,7 @@ pub async fn get_auth_providers(
 }
 
 pub async fn get_cluster_info(
-    State(state): State<CoreState>,
+    State(state): State<Arc<CoreState>>,
 ) -> Result<Json<ClusterInfo>, ApiError> {
     let providers: Vec<AuthProvider> = state
         .auth
@@ -378,15 +377,15 @@ pub struct FilterQuery {
 
 pub async fn get_cluster_users(
     TypedHeader(cookie): TypedHeader<Cookie>,
-    State(state): State<CoreState>,
+    State(state): State<Arc<CoreState>>,
     Query(filter_query): Query<FilterQuery>,
 ) -> Result<Json<ClusterUserResult>, ApiError> {
     state.authenticate_cluster_admin(&cookie).await?;
-    let mut query = entities::user::Entity::find()
-        .filter(entities::user::Column::DeletedAt.is_null())
-        .order_by_desc(entities::user::Column::CreatedAt);
+    let mut query = lapdev_db_entities::user::Entity::find()
+        .filter(lapdev_db_entities::user::Column::DeletedAt.is_null())
+        .order_by_desc(lapdev_db_entities::user::Column::CreatedAt);
     if let Some(filter) = filter_query.filter {
-        query = query.filter(entities::user::Column::Name.like(format!("%{filter}%")));
+        query = query.filter(lapdev_db_entities::user::Column::Name.like(format!("%{filter}%")));
     }
     let page_size = filter_query.page_size.unwrap_or(10);
     let page = filter_query.page.unwrap_or(0);
@@ -419,7 +418,7 @@ pub async fn get_cluster_users(
 pub async fn update_cluster_user(
     TypedHeader(cookie): TypedHeader<Cookie>,
     Path(user_id): Path<Uuid>,
-    State(state): State<CoreState>,
+    State(state): State<Arc<CoreState>>,
     Json(update_cluter_user): Json<UpdateClusterUser>,
 ) -> Result<StatusCode, ApiError> {
     state.authenticate_cluster_admin(&cookie).await?;
@@ -430,10 +429,10 @@ pub async fn update_cluster_user(
         .ok_or_else(|| ApiError::InvalidRequest("user doesn't exist".to_string()))?;
     if !update_cluter_user.cluster_admin {
         // check if it's the last cluster admin if we're trying to change it to false
-        if entities::user::Entity::find()
-            .filter(entities::user::Column::DeletedAt.is_null())
-            .filter(entities::user::Column::ClusterAdmin.eq(true))
-            .filter(entities::user::Column::Id.ne(user.id))
+        if lapdev_db_entities::user::Entity::find()
+            .filter(lapdev_db_entities::user::Column::DeletedAt.is_null())
+            .filter(lapdev_db_entities::user::Column::ClusterAdmin.eq(true))
+            .filter(lapdev_db_entities::user::Column::Id.ne(user.id))
             .one(&state.db.conn)
             .await?
             .is_none()
@@ -443,7 +442,7 @@ pub async fn update_cluster_user(
             ));
         }
     }
-    entities::user::ActiveModel {
+    lapdev_db_entities::user::ActiveModel {
         id: ActiveValue::Set(user.id),
         cluster_admin: ActiveValue::Set(update_cluter_user.cluster_admin),
         ..Default::default()
@@ -455,7 +454,7 @@ pub async fn update_cluster_user(
 
 pub async fn get_cpu_overcommit(
     TypedHeader(cookie): TypedHeader<Cookie>,
-    State(state): State<CoreState>,
+    State(state): State<Arc<CoreState>>,
 ) -> Result<String, ApiError> {
     state.require_enterprise().await?;
     state.authenticate_cluster_admin(&cookie).await?;
@@ -466,7 +465,7 @@ pub async fn get_cpu_overcommit(
 pub async fn update_cpu_overcommit(
     TypedHeader(cookie): TypedHeader<Cookie>,
     Path(value): Path<usize>,
-    State(state): State<CoreState>,
+    State(state): State<Arc<CoreState>>,
 ) -> Result<StatusCode, ApiError> {
     state.require_enterprise().await?;
     state.authenticate_cluster_admin(&cookie).await?;
@@ -484,7 +483,7 @@ pub async fn update_cpu_overcommit(
 }
 
 pub async fn get_hostnames(
-    State(state): State<CoreState>,
+    State(state): State<Arc<CoreState>>,
 ) -> Result<Json<HashMap<String, String>>, ApiError> {
     let mut hostnames = state
         .conductor
@@ -502,7 +501,7 @@ pub async fn get_hostnames(
 
 pub async fn update_hostnames(
     TypedHeader(cookie): TypedHeader<Cookie>,
-    State(state): State<CoreState>,
+    State(state): State<Arc<CoreState>>,
     Json(update): Json<Vec<(String, String)>>,
 ) -> Result<StatusCode, ApiError> {
     state.authenticate_cluster_admin(&cookie).await?;
diff --git a/crates/api/src/app_catalog_events.rs b/crates/api/src/app_catalog_events.rs
new file mode 100644
index 0000000..b1e85f6
--- /dev/null
+++ b/crates/api/src/app_catalog_events.rs
@@ -0,0 +1,126 @@
+use std::{convert::Infallible, sync::Arc, time::Duration};
+
+use axum::{
+    extract::{Path, State},
+    response::sse::{Event, KeepAlive, Sse},
+};
+use axum_extra::{headers, TypedHeader};
+use chrono::Utc;
+use futures::{stream, Stream, StreamExt};
+use lapdev_common::kube::AppCatalogStatusEvent;
+use lapdev_rpc::error::ApiError;
+use tokio_stream::wrappers::BroadcastStream;
+use tracing::warn;
+use uuid::Uuid;
+
+use crate::state::CoreState;
+
+pub async fn stream_app_catalog_events(
+    Path((org_id, catalog_id)): Path<(Uuid, Uuid)>,
+    State(state): State<Arc<CoreState>>,
+    TypedHeader(cookies): TypedHeader<headers::Cookie>,
+) -> Result<Sse<impl Stream<Item = Result<Event, Infallible>>>, ApiError> {
+    let user = state.authenticate(&cookies).await?;
+    state
+        .db
+        .get_organization_member(user.id, org_id)
+        .await
+        .map_err(|_| ApiError::Unauthorized)?;
+
+    let catalog = state
+        .db
+        .get_app_catalog(catalog_id)
+        .await?
+        .ok_or_else(|| ApiError::InvalidRequest("App catalog not found".to_string()))?;
+
+    if catalog.organization_id != org_id {
+        return Err(ApiError::Unauthorized);
+    }
+
+    let initial_event = AppCatalogStatusEvent {
+        organization_id: catalog.organization_id,
+        catalog_id,
+        cluster_id: catalog.cluster_id,
+        sync_version: catalog.sync_version,
+        last_synced_at: catalog.last_synced_at.map(|dt| dt.to_string()),
+        last_sync_actor_id: catalog.last_sync_actor_id,
+        updated_at: catalog
+            .last_synced_at
+            .map(|dt| dt.with_timezone(&Utc))
+            .unwrap_or_else(Utc::now),
+    };
+
+    let receiver = state.app_catalog_events.subscribe();
+    let initial_stream = stream::iter(
+        build_app_catalog_sse_event(&initial_event)
+            .into_iter()
+            .map(Ok::<Event, Infallible>),
+    );
+
+    let target_org = org_id;
+    let target_catalog = catalog_id;
+
+    let event_stream = BroadcastStream::new(receiver).filter_map(move |result| async move {
+        match result {
+            Ok(event)
+                if event.organization_id == target_org && event.catalog_id == target_catalog =>
+            {
+                build_app_catalog_sse_event(&event).map(Ok)
+            }
+            Ok(_) => None,
+            Err(err) => {
+                warn!("app catalog event stream lagged: {err}");
+                None
+            }
+        }
+    });
+
+    let stream = initial_stream.chain(event_stream);
+    let keep_alive = KeepAlive::new()
+        .interval(Duration::from_secs(15))
+        .text("keep-alive");
+
+    Ok(Sse::new(stream).keep_alive(keep_alive))
+}
+
+pub async fn stream_organization_app_catalog_events(
+    Path(org_id): Path<Uuid>,
+    State(state): State<Arc<CoreState>>,
+    TypedHeader(cookies): TypedHeader<headers::Cookie>,
+) -> Result<Sse<impl Stream<Item = Result<Event, Infallible>>>, ApiError> {
+    let user = state.authenticate(&cookies).await?;
+    state
+        .db
+        .get_organization_member(user.id, org_id)
+        .await
+        .map_err(|_| ApiError::Unauthorized)?;
+
+    let receiver = state.app_catalog_events.subscribe();
+    let target_org = org_id;
+
+    let event_stream = BroadcastStream::new(receiver).filter_map(move |result| {
+        let target_org = target_org;
+        async move {
+            match result {
+                Ok(event) if event.organization_id == target_org => {
+                    build_app_catalog_sse_event(&event).map(Ok)
+                }
+                Ok(_) => None,
+                Err(err) => {
+                    warn!("app catalog event stream lagged: {err}");
+                    None
+                }
+            }
+        }
+    });
+
+    let keep_alive = KeepAlive::new()
+        .interval(Duration::from_secs(15))
+        .text("keep-alive");
+
+    Ok(Sse::new(event_stream).keep_alive(keep_alive))
+}
+
+fn build_app_catalog_sse_event(event: &AppCatalogStatusEvent) -> Option<Event> {
+    Event::default().event("catalog").json_data(event).ok()
+}
diff --git a/lapdev-api/src/auth.rs b/crates/api/src/auth.rs
similarity index 83%
rename from lapdev-api/src/auth.rs
rename to crates/api/src/auth.rs
index bf887e0..b0e6bb3 100644
--- a/lapdev-api/src/auth.rs
+++ b/crates/api/src/auth.rs
@@ -5,8 +5,9 @@ use lapdev_common::AuthProvider;
 use lapdev_db::api::DbApi;
 use oauth2::{
     basic::BasicClient, AccessToken, AuthUrl, AuthorizationCode, ClientId, ClientSecret,
-    RedirectUrl, TokenResponse, TokenUrl,
+    EndpointNotSet, EndpointSet, RedirectUrl, TokenResponse, TokenUrl,
 };
+use reqwest::redirect::Policy;
 use tokio::sync::RwLock;
 
 use crate::gitlab::GitlabClient;
@@ -42,8 +43,11 @@ impl AuthConfig {
     };
 }
 
+type ConfiguredOAuthClient =
+    BasicClient<EndpointSet, EndpointNotSet, EndpointNotSet, EndpointNotSet, EndpointSet>;
+
 pub struct Auth {
-    pub clients: RwLock<HashMap<AuthProvider, (BasicClient, AuthConfig)>>,
+    pub clients: RwLock<HashMap<AuthProvider, (ConfiguredOAuthClient, AuthConfig)>>,
     pub gitlab_client: GitlabClient,
 }
 
@@ -60,7 +64,7 @@ impl Auth {
         *self.clients.write().await = clients;
     }
 
-    async fn get_clients(db: &DbApi) -> HashMap<AuthProvider, (BasicClient, AuthConfig)> {
+    async fn get_clients(db: &DbApi) -> HashMap<AuthProvider, (ConfiguredOAuthClient, AuthConfig)> {
         let mut clients = HashMap::new();
         if let Ok(client) = Self::build_auth(db, &AuthConfig::GITHUB).await {
             clients.insert(AuthProvider::Github, (client, AuthConfig::GITHUB));
@@ -71,19 +75,17 @@ impl Auth {
         clients
     }
 
-    async fn build_auth(db: &DbApi, config: &AuthConfig) -> Result<BasicClient> {
+    async fn build_auth(db: &DbApi, config: &AuthConfig) -> Result<ConfiguredOAuthClient> {
         let client_id = db.get_config(config.client_id).await?;
         let client_secret = db.get_config(config.client_secret).await?;
         if client_id.trim().is_empty() || client_secret.trim().is_empty() {
             return Err(anyhow::anyhow!("client id or secret is empty"));
         }
 
-        let client = BasicClient::new(
-            ClientId::new(client_id),
-            Some(ClientSecret::new(client_secret)),
-            AuthUrl::new(config.auth_url.to_string())?,
-            Some(TokenUrl::new(config.token_url.to_string())?),
-        );
+        let client = BasicClient::new(ClientId::new(client_id))
+            .set_client_secret(ClientSecret::new(client_secret))
+            .set_auth_uri(AuthUrl::new(config.auth_url.to_string())?)
+            .set_token_uri(TokenUrl::new(config.token_url.to_string())?);
         Ok(client)
     }
 
@@ -121,10 +123,13 @@ impl Auth {
         let (client, _) = clients
             .get(provider)
             .ok_or_else(|| anyhow::anyhow!("can't find provider"))?;
+        let http_client = reqwest::Client::builder()
+            .redirect(Policy::none())
+            .build()?;
         let token = match client
             .exchange_code(AuthorizationCode::new(code))
             .set_redirect_uri(Cow::Borrowed(&RedirectUrl::new(redirect_url)?))
-            .request_async(oauth2::reqwest::async_http_client)
+            .request_async(&http_client)
             .await
         {
             Ok(t) => t,
diff --git a/lapdev-api/src/cert.rs b/crates/api/src/cert.rs
similarity index 99%
rename from lapdev-api/src/cert.rs
rename to crates/api/src/cert.rs
index d227356..104fdc5 100644
--- a/lapdev-api/src/cert.rs
+++ b/crates/api/src/cert.rs
@@ -15,6 +15,7 @@ use webpki::EndEntityCert;
 
 pub type CertStore = Arc<RwLock<Arc<HashMap<String, Arc<CertifiedKey>>>>>;
 
+#[allow(dead_code)]
 pub fn tls_config(certs: CertStore) -> Result<ServerConfig> {
     let mut config = ServerConfig::builder()
         .with_no_client_auth()
diff --git a/crates/api/src/cli_auth.rs b/crates/api/src/cli_auth.rs
new file mode 100644
index 0000000..9ce96c4
--- /dev/null
+++ b/crates/api/src/cli_auth.rs
@@ -0,0 +1,97 @@
+use std::sync::Arc;
+
+use axum::{
+    extract::{Query, State},
+    http::StatusCode,
+    response::{IntoResponse, Response},
+    Json,
+};
+use axum_extra::{headers, TypedHeader};
+use chrono::Utc;
+use lapdev_rpc::error::ApiError;
+use pasetors::claims::Claims;
+use serde::{Deserialize, Serialize};
+use uuid::Uuid;
+
+use crate::state::CoreState;
+
+#[derive(Debug, Deserialize)]
+pub struct GenerateTokenRequest {
+    pub session_id: Uuid,
+    pub device_name: String,
+}
+
+#[derive(Debug, Deserialize)]
+pub struct CliTokenQuery {
+    pub session_id: Uuid,
+}
+
+#[derive(Debug, Serialize)]
+pub struct CliTokenResponse {
+    pub token: String,
+    pub expires_in: u32, // seconds (30 days = 2592000)
+}
+
+/// POST /api/v1/auth/cli/generate-token - Generate CLI token for already logged-in users
+/// This is called by the Leptos frontend when user is already authenticated
+pub async fn generate_cli_token(
+    TypedHeader(cookie): TypedHeader<headers::Cookie>,
+    State(state): State<Arc<CoreState>>,
+    Json(req): Json<GenerateTokenRequest>,
+) -> Result<Json<CliTokenResponse>, ApiError> {
+    // Authenticate the browser session
+    let user = state.authenticate(&cookie).await?;
+
+    // Create PASETO token for CLI
+    let mut cli_claims = Claims::new_expires_in(&core::time::Duration::from_secs(86400 * 30))?;
+    cli_claims.add_additional("user_id", user.id.to_string())?;
+    cli_claims.add_additional("organization_id", user.current_organization.to_string())?;
+    cli_claims.add_additional("session_type", "cli")?;
+    cli_claims.add_additional("device_name", req.device_name.clone())?;
+    cli_claims.add_additional("session_id", req.session_id.to_string())?;
+    let cli_token = pasetors::local::encrypt(&state.auth_token_key, &cli_claims, None, None)?;
+
+    // Store in pending_cli_auth map (5-min TTL)
+    state.pending_cli_auth.write().await.insert(
+        req.session_id,
+        crate::state::PendingCliAuth {
+            token: cli_token,
+            expires_at: Utc::now() + chrono::Duration::seconds(300),
+        },
+    );
+
+    Ok(Json(CliTokenResponse {
+        token: "generated".to_string(), // Don't return actual token, CLI will poll for it
+        expires_in: 2592000,
+    }))
+}
+
+/// GET /api/v1/auth/cli/token - Poll for CLI auth token
+/// Returns 404 if token not ready, or the token if authentication completed
+pub async fn cli_token_poll(
+    Query(params): Query<CliTokenQuery>,
+    State(state): State<Arc<CoreState>>,
+) -> Result<Response, ApiError> {
+    let pending = state.pending_cli_auth.read().await;
+
+    if let Some(auth) = pending.get(&params.session_id) {
+        if auth.expires_at > Utc::now() {
+            // Remove from pending (single use)
+            let token = auth.token.clone();
+            drop(pending);
+            state
+                .pending_cli_auth
+                .write()
+                .await
+                .remove(&params.session_id);
+
+            return Ok(Json(CliTokenResponse {
+                token,
+                expires_in: 2592000, // 30 days
+            })
+            .into_response());
+        }
+    }
+
+    Ok(StatusCode::NOT_FOUND.into_response())
+}
diff --git a/crates/api/src/cluster_events.rs b/crates/api/src/cluster_events.rs
new file mode 100644
index 0000000..81a0321
--- /dev/null
+++ b/crates/api/src/cluster_events.rs
@@ -0,0 +1,130 @@
+use std::{convert::Infallible, str::FromStr, sync::Arc, time::Duration};
+
+use axum::{
+    extract::{Path, State},
+    response::sse::{Event, KeepAlive, Sse},
+};
+use axum_extra::{headers, TypedHeader};
+use chrono::Utc;
+use futures::{stream, Stream, StreamExt};
+use lapdev_common::kube::{ClusterStatusEvent, KubeClusterStatus};
+use lapdev_rpc::error::ApiError;
+use tokio_stream::wrappers::BroadcastStream;
+use tracing::warn;
+use uuid::Uuid;
+
+use crate::state::CoreState;
+
+pub async fn stream_cluster_status_events(
+    Path((org_id, cluster_id)): Path<(Uuid, Uuid)>,
+    State(state): State<Arc<CoreState>>,
+    TypedHeader(cookies): TypedHeader<headers::Cookie>,
+) -> Result<Sse<impl Stream<Item = Result<Event, Infallible>>>, ApiError> {
+    let user = state.authenticate(&cookies).await?;
+    state
+        .db
+        .get_organization_member(user.id, org_id)
+        .await
+        .map_err(|_| ApiError::Unauthorized)?;
+
+    let cluster = state
+        .db
+        .get_kube_cluster(cluster_id)
+        .await?
+        .ok_or_else(|| ApiError::InvalidRequest("Cluster not found".to_string()))?;
+
+    if cluster.organization_id != org_id {
+        return Err(ApiError::Unauthorized);
+    }
+
+    let status =
+        KubeClusterStatus::from_str(&cluster.status).unwrap_or(KubeClusterStatus::Provisioning);
+    let updated_at = cluster
+        .last_reported_at
+        .map(|dt| dt.with_timezone(&Utc))
+        .unwrap_or_else(Utc::now);
+
+    let initial_event = ClusterStatusEvent {
+        organization_id: cluster.organization_id,
+        cluster_id,
+        status,
+        cluster_version: cluster.cluster_version.clone(),
+        region: cluster.region.clone(),
+        updated_at,
+    };
+
+    let receiver = state.cluster_events.subscribe();
+
+    let initial_stream = stream::iter(
+        build_cluster_sse_event(&initial_event)
+            .into_iter()
+            .map(Ok::<Event, Infallible>),
+    );
+
+    let target_org = org_id;
+    let target_cluster = cluster_id;
+
+    let event_stream = BroadcastStream::new(receiver).filter_map(move |result| async move {
+        match result {
+            Ok(event)
+                if event.organization_id == target_org && event.cluster_id == target_cluster =>
+            {
+                build_cluster_sse_event(&event).map(Ok)
+            }
+            Ok(_) => None,
+            Err(err) => {
+                warn!("cluster event stream lagged: {err}");
+                None
+            }
+        }
+    });
+
+    let stream = initial_stream.chain(event_stream);
+    let keep_alive = KeepAlive::new()
+        .interval(Duration::from_secs(15))
+        .text("keep-alive");
+
+    Ok(Sse::new(stream).keep_alive(keep_alive))
+}
+
+pub async fn stream_organization_cluster_status_events(
+    Path(org_id): Path<Uuid>,
+    State(state): State<Arc<CoreState>>,
+    TypedHeader(cookies): TypedHeader<headers::Cookie>,
+) -> Result<Sse<impl Stream<Item = Result<Event, Infallible>>>, ApiError> {
+    let user = state.authenticate(&cookies).await?;
+    state
+        .db
+        .get_organization_member(user.id, org_id)
+        .await
+        .map_err(|_| ApiError::Unauthorized)?;
+
+    let receiver = state.cluster_events.subscribe();
+    let target_org = org_id;
+
+    let event_stream = BroadcastStream::new(receiver).filter_map(move |result| {
+        let target_org = target_org;
+        async move {
+            match result {
+                Ok(event) if event.organization_id == target_org => {
+                    build_cluster_sse_event(&event).map(Ok)
+                }
+                Ok(_) => None,
+                Err(err) => {
+                    warn!("cluster event stream lagged: {err}");
+                    None
+                }
+            }
+        }
+    });
+
+    let keep_alive = KeepAlive::new()
+        .interval(Duration::from_secs(15))
+        .text("keep-alive");
+
+    Ok(Sse::new(event_stream).keep_alive(keep_alive))
+}
+
+fn build_cluster_sse_event(event: &ClusterStatusEvent) -> Option<Event> {
+    Event::default().event("cluster").json_data(event).ok()
+}
diff --git a/crates/api/src/devbox.rs b/crates/api/src/devbox.rs
new file mode 100644
index 0000000..15b6958
--- /dev/null
+++ b/crates/api/src/devbox.rs
@@ -0,0 +1,1093 @@
+use std::{collections::BTreeMap, net::SocketAddr, sync::Arc};
+
+use axum::{
+    extract::{ws::WebSocket, Path, Query, State, WebSocketUpgrade},
+    http::HeaderMap,
+    response::Response,
+    Json,
+};
+use axum_extra::{headers, TypedHeader};
+use futures::StreamExt;
+use lapdev_common::devbox::DirectTunnelConfig;
+use lapdev_devbox_rpc::{
+    DevboxClientRpcClient, DevboxInterceptRpc, DevboxSessionInfo, DevboxSessionRpc, PortMapping,
+};
+use lapdev_rpc::{error::ApiError, spawn_twoway};
+use lapdev_tunnel::{
+    relay_client_addr, relay_server_addr, run_tunnel_server_with_connector,
+    websocket_serde_transport_from_socket, DynTunnelStream, RelayEndpoint, TunnelError,
+    TunnelTarget, WebSocketUdpSocket,
+};
+use serde::{Deserialize, Serialize};
+use tarpc::server::{BaseChannel, Channel};
+use uuid::Uuid;
+
+use crate::{
+    devbox_tunnels::split_axum_websocket, state::CoreState, websocket_socket::AxumBinarySocket,
+};
+
+#[derive(Debug, Serialize)]
+pub struct WhoamiResponse {
+    pub user_id: Uuid,
+    pub email: String,
+    pub name: Option<String>,
+    pub organization_id: Uuid,
+    pub device_name: String,
+    pub authenticated_at: Option<String>,
+    pub expires_at: Option<String>,
+}
+
+/// GET /api/v1/devbox/whoami - Get current CLI session info
+pub async fn devbox_whoami(
+    State(state): State<Arc<CoreState>>,
+    TypedHeader(auth): TypedHeader<headers::Authorization<headers::authorization::Bearer>>,
+) -> Result<Json<WhoamiResponse>, ApiError> {
+    let ctx = state.authenticate_bearer(&auth).await?;
+
+    // Extract timestamps from token claims if available
+    let authenticated_at = ctx
+        .token_claims
+        .get_claim("iat")
+        .and_then(|v| serde_json::from_value::<String>(v.clone()).ok());
+
+    let expires_at = ctx
+        .token_claims
+        .get_claim("exp")
+        .and_then(|v| serde_json::from_value::<String>(v.clone()).ok());
+
+    Ok(Json(WhoamiResponse {
+        user_id: ctx.user.id,
+        email: ctx.user.email.unwrap_or_default(),
+        name: ctx.user.name,
+        organization_id: ctx.organization_id,
+        device_name: ctx.device_name,
+        authenticated_at,
+        expires_at,
+    }))
+}
+
+/// WebSocket endpoint for devbox RPC connections (control plane)
+pub async fn devbox_rpc_websocket(
+    websocket: WebSocketUpgrade,
+    headers: HeaderMap,
+    State(state): State<Arc<CoreState>>,
+) -> Result<Response, ApiError> {
+    tracing::debug!("Handling devbox RPC WebSocket connection");
+
+    // Extract Bearer token from Authorization header
+    let auth_header = headers
+        .get("Authorization")
+        .ok_or(ApiError::Unauthenticated)?
+        .to_str()
+        .map_err(|_| ApiError::Unauthenticated)?;
+
+    if !auth_header.starts_with("Bearer ") {
+        return Err(ApiError::Unauthenticated);
+    }
+
+    let token = &auth_header[7..]; // Skip "Bearer "
+
+    // Authenticate using the same method as regular devbox requests
+    let bearer = headers::Authorization::bearer(token).map_err(|_| ApiError::Unauthenticated)?;
+    let ctx = state.authenticate_bearer(&bearer).await?;
+
+    tracing::info!(
+        "Devbox RPC WebSocket authenticated for user {} ({})",
+        ctx.user.id,
+        ctx.device_name
+    );
+
+    // Extract expiration time from token claims
+    let expires_at = ctx
+        .token_claims
+        .get_claim("exp")
+        .and_then(|v| serde_json::from_value::<String>(v.clone()).ok())
+        .and_then(|s| chrono::DateTime::parse_from_rfc3339(&s).ok())
+        .map(|dt| dt.with_timezone(&chrono::Utc))
+        .unwrap_or_else(|| chrono::Utc::now() + chrono::Duration::days(30));
+
+    // Check for existing active sessions and notify them before displacing
+    if let Some(existing_handles) = state
+        .active_devbox_sessions
+        .read()
+        .await
+        .get(&ctx.user.id)
+        .map(|entries| entries.values().cloned().collect::<Vec<_>>())
+    {
+        for old_handle in existing_handles {
+            tracing::info!(
+                "Displacing existing session {} on device {} for user {}",
+                old_handle.session_id,
+                old_handle.device_name,
+                ctx.user.id
+            );
+
+            let _ = old_handle
+                .notify_tx
+                .send(crate::state::DevboxSessionNotification::Displaced {
+                    new_device_name: ctx.device_name.clone(),
+                });
+        }
+    }
+
+    // Create or update devbox session
+    state
+        .db
+        .create_or_update_devbox_session(
+            ctx.user.id,
+            token,
+            ctx.device_name.clone(),
+            expires_at.into(),
+        )
+        .await
+        .map_err(|e| ApiError::InternalError(format!("Failed to create session: {}", e)))?;
+
+    tracing::info!(
+        "Created devbox session for user {} on device {}",
+        ctx.user.id,
+        ctx.device_name
+    );
+
+    Ok(handle_devbox_rpc_upgrade(
+        websocket,
+        state,
+        ctx.session_id,
+        ctx.user.id,
+        ctx.organization_id,
+        ctx.device_name,
+    ))
+}
+
+fn handle_devbox_rpc_upgrade(
+    websocket: WebSocketUpgrade,
+    state: Arc<CoreState>,
+    session_id: Uuid,
+    user_id: Uuid,
+    organization_id: Uuid,
+    device_name: String,
+) -> Response {
+    websocket
+        .on_failed_upgrade(|e| tracing::error!("devbox RPC websocket upgrade failed {e:?}"))
+        .on_upgrade(move |socket| async move {
+            handle_devbox_rpc(
+                socket,
+                state,
+                session_id,
+                user_id,
+                organization_id,
+                device_name,
+            )
+            .await;
+        })
+}
+
+async fn handle_devbox_rpc(
+    socket: WebSocket,
+    state: Arc<CoreState>,
+    session_id: Uuid,
+    user_id: Uuid,
+    organization_id: Uuid,
+    device_name: String,
+) {
+    let socket = AxumBinarySocket::new(socket);
+    let transport = websocket_serde_transport_from_socket(
+        socket,
+        tarpc::tokio_serde::formats::Bincode::default(),
+    );
+    let (server_chan, client_chan, _abort_handle) = spawn_twoway(transport);
+
+    // Create RPC client (for calling CLI methods)
+    let rpc_client =
+        DevboxClientRpcClient::new(tarpc::client::Config::default(), client_chan).spawn();
+
+    // Create notification channel for session migration
+    let (notify_tx, mut notify_rx) = tokio::sync::mpsc::unbounded_channel();
+
+    // Register this session as active
+    let connection_id = Uuid::new_v4();
+    {
+        let mut sessions = state.active_devbox_sessions.write().await;
+        sessions
+            .entry(user_id)
+            .or_insert_with(BTreeMap::new)
+            .insert(
+                connection_id,
+                crate::state::DevboxSessionHandle {
+                    session_id,
+                    device_name: device_name.clone(),
+                    notify_tx,
+                    rpc_client: rpc_client.clone(),
+                    connection_id,
+                },
+            );
+    }
+
+    // Create RPC server (for CLI to call our methods)
+    let rpc_server = DevboxSessionRpcServer::new(
+        session_id,
+        user_id,
+        organization_id,
+        device_name.clone(),
+        rpc_client.clone(),
+        state.clone(),
+    );
+
+    tracing::info!(
+        "Starting DevboxSessionRpc server for session {} user {} device {}",
+        session_id,
+        user_id,
+        device_name
+    );
+
+    // Run RPC server and notification listener concurrently
+    let rpc_client_for_notifications = rpc_client.clone();
+    let notification_task = tokio::spawn(async move {
+        while let Some(notification) = notify_rx.recv().await {
+            match notification {
+                crate::state::DevboxSessionNotification::Displaced { new_device_name } => {
+                    tracing::info!(
+                        "Session {} displaced by new login from {}",
+                        session_id,
+                        new_device_name
+                    );
+                    // Notify the CLI that it's been displaced
+                    let _ = rpc_client_for_notifications
+                        .session_displaced(tarpc::context::current(), new_device_name)
+                        .await;
+                }
+            }
+        }
+    });
+
+    // Run the RPC server
+    BaseChannel::with_defaults(server_chan)
+        .execute(rpc_server.serve())
+        .for_each(|resp| async move {
+            tokio::spawn(resp);
+        })
+        .await;
+
+    // Cleanup: unregister session and stop notification listener
+    {
+        let mut sessions = state.active_devbox_sessions.write().await;
+        if let Some(entries) = sessions.get_mut(&user_id) {
+            entries.remove(&connection_id);
+            if entries.is_empty() {
+                sessions.remove(&user_id);
+            }
+        }
+    }
+    notification_task.abort();
+
+    if let Ok(Some(session)) = state.db.get_active_devbox_session(user_id).await {
+        if let Some(environment_id) = session.active_environment_id {
+            let state_clone = state.clone();
+            tokio::spawn(async move {
+                state_clone
+                    .clear_devbox_routes_for_environment(environment_id)
+                    .await;
+            });
+        }
+    }
+
+    // Mark session as revoked in database
+    if let Err(e) = state.db.revoke_active_devbox_session(user_id).await {
+        tracing::error!(
+            "Failed to revoke session {} on disconnect: {}",
+            session_id,
+            e
+        );
+    }
+
+    tracing::info!(
+        "DevboxSessionRpc server stopped for session {} user {} device {} (session revoked)",
+        session_id,
+        user_id,
+        device_name
+    );
+}
+
+#[derive(Default, Deserialize)]
+pub struct DevboxInterceptTunnelParams {
+    _workload_id: Option<Uuid>,
+}
+
+/// WebSocket endpoint for devbox intercept tunnels (server side - receives connections from in-cluster services)
+pub async fn devbox_intercept_tunnel_websocket(
+    Path(requested_user_id): Path<Uuid>,
+    Query(_params): Query<DevboxInterceptTunnelParams>,
+    websocket: WebSocketUpgrade,
+    headers: HeaderMap,
+    State(state): State<Arc<CoreState>>,
+) -> Result<Response, ApiError> {
+    tracing::debug!("Handling devbox tunnel WebSocket connection");
+
+    let auth_header = headers
+        .get("Authorization")
+        .ok_or(ApiError::Unauthenticated)?
+        .to_str()
+        .map_err(|_| ApiError::Unauthenticated)?;
+
+    if !auth_header.starts_with("Bearer ") {
+        return Err(ApiError::Unauthenticated);
+    }
+
+    let token = &auth_header[7..];
+
+    let session = state
+        .db
+        .get_devbox_session_by_token_hash(token)
+        .await
+        .map_err(|e| ApiError::InternalError(format!("Failed to load devbox session: {}", e)))?
+        .ok_or(ApiError::Unauthenticated)?;
+
+    if session.user_id != requested_user_id {
+        tracing::warn!(
+            "Devbox user mismatch: token user {} vs path {}",
+            session.user_id,
+            requested_user_id
+        );
+        return Err(ApiError::Unauthenticated);
+    }
+
+    state
+        .db
+        .update_devbox_session_last_used(session.user_id)
+        .await
+        .map_err(|e| ApiError::InternalError(format!("Failed to update session usage: {}", e)))?;
+
+    tracing::info!(
+        "Devbox tunnel WebSocket authenticated for user {} ({})",
+        session.user_id,
+        session.device_name
+    );
+
+    let user_id = session.user_id;
+    let registry = state.devbox_tunnels.clone();
+
+    let token_string = token.to_string();
+
+    Ok(websocket.on_upgrade(move |socket| {
+        let registry = registry.clone();
+        async move {
+            registry.register_cli(user_id, token_string, socket).await;
+        }
+    }))
+}
+
+/// WebSocket endpoint for devbox client tunnels (client side - connects to in-cluster services via devbox-proxy)
+pub async fn devbox_client_tunnel_websocket(
+    Path(requested_user_id): Path<Uuid>,
+    websocket: WebSocketUpgrade,
+    headers: HeaderMap,
+    State(state): State<Arc<CoreState>>,
+) -> Result<Response, ApiError> {
+    tracing::debug!("Handling devbox client tunnel WebSocket connection");
+
+    let auth_header = headers
+        .get("Authorization")
+        .ok_or(ApiError::Unauthenticated)?
+        .to_str()
+        .map_err(|_| ApiError::Unauthenticated)?;
+
+    if !auth_header.starts_with("Bearer ") {
+        return Err(ApiError::Unauthenticated);
+    }
+
+    let token = &auth_header[7..];
+
+    let session = state
+        .db
+        .get_devbox_session_by_token_hash(token)
+        .await
+        .map_err(|e| ApiError::InternalError(format!("Failed to load devbox session: {}", e)))?
+        .ok_or(ApiError::Unauthenticated)?;
+
+    if session.user_id != requested_user_id {
+        tracing::warn!(
+            "Devbox user mismatch: token user {} vs path {}",
+            session.user_id,
+            requested_user_id
+        );
+        return Err(ApiError::Unauthenticated);
+    }
+
+    state
+        .db
+        .update_devbox_session_last_used(session.user_id)
+        .await
+        .map_err(|e| ApiError::InternalError(format!("Failed to update session usage: {}", e)))?;
+
+    tracing::info!(
+        "Devbox client tunnel WebSocket authenticated for user {} ({})",
+        session.user_id,
+        session.device_name
+    );
+
+    let user_id = session.user_id;
+
+    let environment_id = session.active_environment_id;
+
+    let environment = match environment_id {
+        Some(environment_id) => state.db.get_kube_environment(environment_id).await?,
+        None => None,
+    };
+
+    let cluster_id = environment.map(|e| e.cluster_id);
+    tracing::info!("Devbox client tunnel for user {user_id} targeting environment {environment_id:?} cluster {cluster_id:?}");
+
+    let tunnel_registry = state.kube_controller.tunnel_registry.clone();
+
+    Ok(websocket.on_upgrade(move |socket| {
+        let registry = tunnel_registry.clone();
+        let cluster_id = cluster_id;
+        let user_id = user_id;
+        async move {
+            let (sink, stream) = split_axum_websocket(socket);
+            let udp_socket = WebSocketUdpSocket::from_parts(
+                sink,
+                stream,
+                relay_server_addr(),
+                relay_client_addr(),
+            );
+
+            let connector = move |target: TunnelTarget| {
+                let registry = registry.clone();
+                async move {
+                    let Some(cluster_id) = cluster_id else {
+                        return Err(TunnelError::Remote("active environment is not set".into()));
+                    };
+
+                    match registry.get_client(cluster_id).await {
+                        Some(cluster_client) if !cluster_client.is_closed() => {
+                            let TunnelTarget { host, port } = target;
+                            let stream = cluster_client.connect_tcp(host, port).await?;
+                            Ok::<DynTunnelStream, TunnelError>(Box::new(stream) as DynTunnelStream)
+                        }
+                        Some(_) => {
+                            tracing::warn!(
+                                user_id = %user_id,
+                                cluster_id = %cluster_id,
+                                "Cluster tunnel is closed; rejecting devbox client request"
+                            );
+                            Err(TunnelError::Remote("cluster tunnel is closed".into()))
+                        }
+                        None => {
+                            tracing::warn!(
+                                user_id = %user_id,
+                                cluster_id = %cluster_id,
+                                "No cluster tunnel available for devbox client request"
+                            );
+                            Err(TunnelError::Remote("cluster tunnel unavailable".into()))
+                        }
+                    }
+                }
+            };
+
+            match RelayEndpoint::udp_server_connection(udp_socket).await {
+                Ok(connection) => {
+                    if let Err(err) = run_tunnel_server_with_connector(connection, connector).await
+                    {
+                        tracing::warn!(
+                            user_id = %user_id,
+                            error = %err,
+                            "Devbox client tunnel terminated with error"
+                        );
+                    }
+                }
+                Err(err) => {
+                    tracing::warn!(
+                        user_id = %user_id,
+                        error = %err,
+                        "Failed to establish QUIC relay for devbox client tunnel"
+                    );
+                }
+            }
+        }
+    }))
+}
+
+#[derive(Clone)]
+struct DevboxSessionRpcServer {
+    session_id: Uuid,
+    user_id: Uuid,
+    #[allow(dead_code)]
+    organization_id: Uuid,
+    #[allow(dead_code)]
+    device_name: String,
+    #[allow(dead_code)]
+    client_rpc: DevboxClientRpcClient,
+    state: Arc<CoreState>,
+}
+
+impl DevboxSessionRpcServer {
+    fn new(
+        session_id: Uuid,
+        user_id: Uuid,
+        organization_id: Uuid,
+        device_name: String,
+        client_rpc: DevboxClientRpcClient,
+        state: Arc<CoreState>,
+    ) -> Self {
+        Self {
+            session_id,
+            user_id,
+            organization_id,
+            device_name,
+            client_rpc,
+            state,
+        }
+    }
+}
+
+impl DevboxSessionRpc for DevboxSessionRpcServer {
+    async fn whoami(self, _context: tarpc::context::Context) -> Result<DevboxSessionInfo, String> {
+        tracing::info!("whoami called for session {}", self.session_id);
+
+        let user = self
+            .state
+            .db
+            .get_user(self.user_id)
+            .await
+            .map_err(|e| format!("Failed to fetch user: {}", e))?
+            .ok_or_else(|| "User not found".to_string())?;
+
+        let session = self
+            .state
+            .db
+            .get_active_devbox_session(self.user_id)
+            .await
+            .map_err(|e| format!("Failed to fetch session: {}", e))?
+            .ok_or_else(|| "Session not found".to_string())?;
+
+        if let Some(environment_id) = session.active_environment_id {
+            let state = self.state.clone();
+            let user_id = self.user_id;
+            tokio::spawn(async move {
+                state.push_devbox_routes(user_id, environment_id).await;
+            });
+        }
+
+        Ok(DevboxSessionInfo {
+            user_id: self.user_id,
+            email: user.email.unwrap_or_default(),
+            device_name: session.device_name,
+            created_at: session.created_at.with_timezone(&chrono::Utc),
+            expires_at: session.expires_at.with_timezone(&chrono::Utc),
+            last_used_at: session.last_used_at.with_timezone(&chrono::Utc),
+        })
+    }
+
+    async fn get_active_environment(
+        self,
+        _context: tarpc::context::Context,
+    ) -> Result<Option<lapdev_devbox_rpc::DevboxEnvironmentInfo>, String> {
+        tracing::info!(
+            "get_active_environment called for session {}",
+            self.session_id
+        );
+
+        let session = self
+            .state
+            .db
+            .get_active_devbox_session(self.user_id)
+            .await
+            .map_err(|e| format!("Failed to fetch session: {}", e))?
+            .ok_or_else(|| "Session not found".to_string())?;
+
+        if let Some(env_id) = session.active_environment_id {
+            let environment = self
+                .state
+                .db
+                .get_kube_environment(env_id)
+                .await
+                .map_err(|e| format!("Failed to fetch environment: {}", e))?
+                .ok_or_else(|| "Environment not found".to_string())?;
+
+            let cluster = self
+                .state
+                .db
+                .get_kube_cluster(environment.cluster_id)
+                .await
+                .map_err(|e| format!("Failed to fetch cluster: {}", e))?
+                .ok_or_else(|| "Cluster not found".to_string())?;
+
+            Ok(Some(lapdev_devbox_rpc::DevboxEnvironmentInfo {
+                environment_id: env_id,
+                environment_name: environment.name.clone(),
+                cluster_name: cluster.name,
+                namespace: environment.namespace,
+            }))
+        } else {
+            Ok(None)
+        }
+    }
+
+    async fn update_device_name(
+        self,
+        _context: tarpc::context::Context,
+        device_name: String,
+    ) -> Result<(), String> {
+        tracing::info!("update_device_name called for session {}", self.session_id);
+
+        self.state
+            .db
+            .update_devbox_session_device_name(self.user_id, device_name.clone())
+            .await
+            .map_err(|e| format!("Failed to update device name: {}", e))?;
+
+        {
+            let mut sessions = self.state.active_devbox_sessions.write().await;
+            if let Some(entries) = sessions.get_mut(&self.user_id) {
+                if let Some(handle) = entries
+                    .values_mut()
+                    .find(|handle| handle.session_id == self.session_id)
+                {
+                    handle.device_name = device_name.clone();
+                }
+            }
+        }
+
+        tracing::info!(
+            "Updated device name for session {} to {}",
+            self.session_id,
+            device_name
+        );
+
+        Ok(())
+    }
+
+    async fn heartbeat(self, _context: tarpc::context::Context) -> Result<(), String> {
+        tracing::trace!("Heartbeat received for session {}", self.session_id);
+        Ok(())
+    }
+
+    async fn set_active_environment(
+        self,
+        _context: tarpc::context::Context,
+        environment_id: Uuid,
+    ) -> Result<(), String> {
+        tracing::info!(
+            "set_active_environment called for session {} with environment {}",
+            self.session_id,
+            environment_id
+        );
+
+        let previous_environment = self
+            .state
+            .db
+            .get_active_devbox_session(self.user_id)
+            .await
+            .map_err(|e| format!("Failed to fetch session: {}", e))?
+            .and_then(|session| session.active_environment_id);
+
+        let environment = self
+            .state
+            .db
+            .get_kube_environment(environment_id)
+            .await
+            .map_err(|e| format!("Failed to fetch environment: {}", e))?
+            .ok_or_else(|| "Environment not found".to_string())?;
+
+        if environment.is_shared {
+            return Err("Shared environments cannot be used as active devbox environments".into());
+        }
+
+        self.state
+            .db
+            .update_devbox_session_active_environment(self.user_id, Some(environment_id))
+            .await
+            .map_err(|e| format!("Failed to update active environment: {}", e))?;
+
+        let cluster = self
+            .state
+            .db
+            .get_kube_cluster(environment.cluster_id)
+            .await
+            .map_err(|e| format!("Failed to fetch cluster: {}", e))?
+            .ok_or_else(|| "Cluster not found".to_string())?;
+
+        // Notify client about the environment change
+        let env_info = lapdev_devbox_rpc::DevboxEnvironmentInfo {
+            environment_id: environment.id,
+            environment_name: environment.name.clone(),
+            cluster_name: cluster.name,
+            namespace: environment.namespace.clone(),
+        };
+
+        // Fire and forget - don't wait for client response
+        let client_rpc = self.client_rpc.clone();
+        tracing::info!(
+            "Spawning task to notify CLI about environment change to {} ({})",
+            env_info.cluster_name,
+            env_info.namespace
+        );
+        tokio::spawn(async move {
+            tracing::info!("Calling environment_changed RPC on client...");
+            match client_rpc
+                .environment_changed(tarpc::context::current(), Some(env_info.clone()))
+                .await
+            {
+                Ok(_) => {
+                    tracing::info!(
+                        "Successfully notified client of environment change to {}",
+                        env_info.namespace
+                    );
+                }
+                Err(e) => {
+                    tracing::warn!("Failed to notify client of environment change: {}", e);
+                }
+            }
+        });
+
+        let state = self.state.clone();
+        let user_id = self.user_id;
+        tokio::spawn(async move {
+            state.push_devbox_routes(user_id, environment_id).await;
+        });
+
+        if let Some(prev_env) = previous_environment.filter(|prev| *prev != environment_id) {
+            let state = self.state.clone();
+            tokio::spawn(async move {
+                state.clear_devbox_routes_for_environment(prev_env).await;
+            });
+        }
+
+        Ok(())
+    }
+
+    async fn list_workload_intercepts(
+        self,
+        _context: tarpc::context::Context,
+        environment_id: Uuid,
+    ) -> Result<Vec<lapdev_devbox_rpc::WorkloadInterceptInfo>, String> {
+        tracing::info!(
+            "list_workload_intercepts called for session {} environment {}",
+            self.session_id,
+            environment_id
+        );
+
+        let session = self
+            .state
+            .db
+            .get_active_devbox_session(self.user_id)
+            .await
+            .map_err(|e| format!("Failed to fetch session: {}", e))?
+            .ok_or_else(|| "Session not found".to_string())?;
+
+        let intercepts = self
+            .state
+            .db
+            .get_active_intercepts_for_environment(environment_id)
+            .await
+            .map_err(|e| format!("Failed to fetch intercepts: {}", e))?;
+
+        let mut result = Vec::new();
+        for intercept in intercepts {
+            let workload = self
+                .state
+                .db
+                .get_environment_workload(intercept.workload_id)
+                .await
+                .map_err(|e| format!("Failed to fetch workload: {}", e))?
+                .ok_or_else(|| "Workload not found".to_string())?;
+
+            let port_mappings: Vec<lapdev_devbox_rpc::PortMapping> =
+                serde_json::from_value(intercept.port_mappings.clone())
+                    .map_err(|e| format!("Failed to parse port mappings: {}", e))?;
+
+            result.push(lapdev_devbox_rpc::WorkloadInterceptInfo {
+                intercept_id: intercept.id,
+                workload_id: workload.id,
+                workload_name: workload.name,
+                namespace: workload.namespace,
+                port_mappings,
+                created_at: intercept.created_at.with_timezone(&chrono::Utc),
+                device_name: session.device_name.clone(),
+            });
+        }
+
+        Ok(result)
+    }
+
+    async fn list_services(
+        self,
+        _context: tarpc::context::Context,
+        environment_id: Uuid,
+    ) -> Result<Vec<lapdev_devbox_rpc::ServiceInfo>, String> {
+        tracing::info!(
+            "list_services called for session {} environment {}",
+            self.session_id,
+            environment_id
+        );
+
+        // Get environment and verify user has access
+        let environment = self
+            .state
+            .db
+            .get_kube_environment(environment_id)
+            .await
+            .map_err(|e| format!("Failed to fetch environment: {}", e))?
+            .ok_or_else(|| "Environment not found".to_string())?;
+
+        // Verify user has access to this environment
+        if environment.user_id != self.user_id {
+            return Err("Unauthorized: You don't have access to this environment".to_string());
+        }
+
+        // Get all services for the environment
+        let services = self
+            .state
+            .db
+            .get_environment_services(environment_id)
+            .await
+            .map_err(|e| format!("Failed to fetch services: {}", e))?;
+
+        let mut result = Vec::new();
+        for service in services {
+            // Convert KubeServicePort to ServicePort
+            let ports: Vec<lapdev_devbox_rpc::ServicePort> = service
+                .ports
+                .iter()
+                .map(|p| lapdev_devbox_rpc::ServicePort {
+                    name: p.name.clone(),
+                    port: p.port as u16,
+                    protocol: p.protocol.clone().unwrap_or_else(|| "TCP".to_string()),
+                })
+                .collect();
+
+            result.push(lapdev_devbox_rpc::ServiceInfo {
+                name: service.name,
+                namespace: service.namespace,
+                ports,
+            });
+        }
+
+        Ok(result)
+    }
+
+    async fn request_direct_client_config(
+        self,
+        _context: tarpc::context::Context,
+        environment_id: Uuid,
+        stun_observed_addr: Option<SocketAddr>,
+    ) -> Result<Option<DirectTunnelConfig>, String> {
+        let environment = self
+            .state
+            .db
+            .get_kube_environment(environment_id)
+            .await
+            .map_err(|e| format!("Failed to fetch environment: {}", e))?
+            .ok_or_else(|| "Environment not found".to_string())?;
+
+        if environment.user_id != self.user_id {
+            return Err("Unauthorized".to_string());
+        }
+
+        match self
+            .state
+            .kube_controller
+            .request_devbox_direct_config(
+                environment.cluster_id,
+                self.user_id,
+                environment.id,
+                environment.namespace.clone(),
+                stun_observed_addr,
+            )
+            .await
+        {
+            Ok(config) => Ok(config),
+            Err(err) => {
+                tracing::warn!(
+                    environment_id = %environment_id,
+                    user_id = %self.user_id,
+                    error = %err,
+                    "Failed to fetch direct devbox config; falling back to relay"
+                );
+                Ok(None)
+            }
+        }
+    }
+}
+
+/// Implementation for DevboxInterceptRpc - allows dashboard/CLI to control intercepts
+pub struct DevboxInterceptRpcImpl {
+    state: Arc<CoreState>,
+    user_id: Uuid,
+    _organization_id: Uuid,
+}
+
+impl DevboxInterceptRpcImpl {
+    pub fn new(state: Arc<CoreState>, user_id: Uuid, organization_id: Uuid) -> Self {
+        Self {
+            state,
+            user_id,
+            _organization_id: organization_id,
+        }
+    }
+}
+
+impl DevboxInterceptRpc for DevboxInterceptRpcImpl {
+    async fn start_workload_intercept(
+        self,
+        _context: tarpc::context::Context,
+        workload_id: Uuid,
+        port_mappings: Vec<lapdev_devbox_rpc::PortMappingOverride>,
+    ) -> Result<Uuid, String> {
+        tracing::info!(
+            "start_workload_intercept called for user {} workload {}",
+            self.user_id,
+            workload_id
+        );
+
+        // Get workload to find environment and validate access
+        let workload = self
+            .state
+            .db
+            .get_environment_workload(workload_id)
+            .await
+            .map_err(|e| format!("Failed to fetch workload: {}", e))?
+            .ok_or_else(|| "Workload not found".to_string())?;
+
+        // Get environment to validate user has access
+        let environment = self
+            .state
+            .db
+            .get_kube_environment(workload.environment_id)
+            .await
+            .map_err(|e| format!("Failed to fetch environment: {}", e))?
+            .ok_or_else(|| "Environment not found".to_string())?;
+
+        if environment.is_shared {
+            return Err("Shared environments cannot start Devbox intercepts".to_string());
+        }
+
+        // Verify user has access to this environment
+        if environment.user_id != self.user_id {
+            return Err("Unauthorized: You don't have access to this environment".to_string());
+        }
+
+        // Convert port mapping overrides to actual port mappings
+        let mut actual_port_mappings = Vec::new();
+        for override_mapping in &port_mappings {
+            let local_port = override_mapping
+                .local_port
+                .unwrap_or(override_mapping.workload_port);
+            actual_port_mappings.push(PortMapping {
+                workload_port: override_mapping.workload_port,
+                local_port,
+                protocol: "TCP".to_string(),
+            });
+        }
+
+        // Create intercept in database
+        let intercept = self
+            .state
+            .db
+            .create_workload_intercept(
+                self.user_id,
+                environment.id,
+                workload_id,
+                serde_json::to_value(&actual_port_mappings)
+                    .map_err(|e| format!("Failed to serialize port mappings: {}", e))?,
+            )
+            .await
+            .map_err(|e| format!("Failed to create intercept: {}", e))?;
+
+        if self
+            .state
+            .active_devbox_sessions
+            .read()
+            .await
+            .get(&self.user_id)
+            .is_some()
+        {
+            let state = self.state.clone();
+            let environment = environment.clone();
+            let intercept_clone = intercept.clone();
+            tokio::spawn(async move {
+                state
+                    .push_devbox_route_for_intercept(environment, intercept_clone)
+                    .await;
+            });
+        }
+
+        Ok(intercept.id)
+    }
+
+    async fn stop_workload_intercept(
+        self,
+        _context: tarpc::context::Context,
+        intercept_id: Uuid,
+    ) -> Result<(), String> {
+        tracing::info!(
+            "stop_workload_intercept called for user {} intercept {}",
+            self.user_id,
+            intercept_id
+        );
+
+        // Get intercept to validate ownership
+        let intercept = self
+            .state
+            .db
+            .get_workload_intercept(intercept_id)
+            .await
+            .map_err(|e| format!("Failed to fetch intercept: {}", e))?
+            .ok_or_else(|| "Intercept not found".to_string())?;
+
+        // Verify intercept belongs to this user
+        if intercept.user_id != self.user_id {
+            return Err("Unauthorized: This intercept doesn't belong to you".to_string());
+        }
+
+        // Stop the intercept in database
+        self.state
+            .db
+            .stop_workload_intercept(intercept_id)
+            .await
+            .map_err(|e| format!("Failed to stop intercept: {}", e))?;
+
+        if self
+            .state
+            .active_devbox_sessions
+            .read()
+            .await
+            .get(&self.user_id)
+            .is_some()
+        {
+            match self
+                .state
+                .db
+                .get_kube_environment(intercept.environment_id)
+                .await
+            {
+                Ok(Some(environment)) => {
+                    let state = self.state.clone();
+                    let intercept_clone = intercept.clone();
+                    tokio::spawn(async move {
+                        state
+                            .clear_devbox_route_for_intercept(environment, intercept_clone)
+                            .await;
+                    });
+                }
+                Ok(None) => {
+                    tracing::warn!(
+                        environment_id = %intercept.environment_id,
+                        intercept_id = %intercept.id,
+                        "Environment not found while clearing devbox route after intercept stop"
+                    );
+                }
+                Err(err) => {
+                    tracing::warn!(
+                        environment_id = %intercept.environment_id,
+                        intercept_id = %intercept.id,
+                        error = %err,
+                        "Failed to load environment while clearing devbox route after intercept stop"
+                    );
+                }
+            }
+        }
+
+        Ok(())
+    }
+}
diff --git a/crates/api/src/devbox_auth.rs b/crates/api/src/devbox_auth.rs
new file mode 100644
index 0000000..3afbcbb
--- /dev/null
+++ b/crates/api/src/devbox_auth.rs
@@ -0,0 +1,91 @@
+use anyhow::Result;
+use axum_extra::headers::{self, authorization::Bearer};
+use lapdev_db_entities::user;
+use lapdev_rpc::error::ApiError;
+use pasetors::claims::{Claims, ClaimsValidationRules};
+use sea_orm::{ColumnTrait, EntityTrait, QueryFilter};
+use uuid::Uuid;
+
+use crate::state::CoreState;
+
+/// Context for devbox/CLI authenticated requests
+pub struct DevboxContext {
+    pub user: user::Model,
+    pub organization_id: Uuid,
+    pub session_id: Uuid,
+    pub device_name: String,
+    pub token_claims: Claims,
+}
+
+impl CoreState {
+    /// Authenticate CLI request using Bearer token (PASETO)
+    /// Same pattern as browser session authentication - stateless!
+    pub async fn authenticate_bearer(
+        &self,
+        auth_header: &headers::Authorization<Bearer>,
+    ) -> Result<DevboxContext, ApiError> {
+        let token = auth_header.token();
+
+        // 1. Parse and decrypt PASETO token (same as browser cookies)
+        let untrusted_token = pasetors::token::UntrustedToken::try_from(token)
+            .map_err(|_| ApiError::Unauthenticated)?;
+        let validated = pasetors::local::decrypt(
+            &self.auth_token_key,
+            &untrusted_token,
+            &ClaimsValidationRules::new(),
+            None,
+            None,
+        )
+        .map_err(|_| ApiError::Unauthenticated)?;
+
+        let claims = validated
+            .payload_claims()
+            .ok_or(ApiError::Unauthenticated)?;
+
+        // 2. Extract and verify claims
+        let user_id: Uuid = claims
+            .get_claim("user_id")
+            .and_then(|v| serde_json::from_value(v.clone()).ok())
+            .ok_or(ApiError::Unauthenticated)?;
+
+        let organization_id: Uuid = claims
+            .get_claim("organization_id")
+            .and_then(|v| serde_json::from_value(v.clone()).ok())
+            .ok_or(ApiError::Unauthenticated)?;
+
+        let session_type: String = claims
+            .get_claim("session_type")
+            .and_then(|v| serde_json::from_value(v.clone()).ok())
+            .unwrap_or_default();
+
+        if session_type != "cli" {
+            return Err(ApiError::Unauthenticated);
+        }
+
+        let device_name: String = claims
+            .get_claim("device_name")
+            .and_then(|v| serde_json::from_value(v.clone()).ok())
+            .ok_or(ApiError::Unauthenticated)?;
+
+        let session_id: Uuid = claims
+            .get_claim("session_id")
+            .and_then(|v| serde_json::from_value(v.clone()).ok())
+            .ok_or(ApiError::Unauthenticated)?;
+
+        // 3. Load user (same as browser sessions - no session table lookup!)
+        let user = user::Entity::find_by_id(user_id)
+            .filter(user::Column::DeletedAt.is_null())
+            .one(&self.db.conn)
+            .await
+            .map_err(|e| ApiError::InternalError(e.to_string()))?
+            .ok_or(ApiError::Unauthenticated)?;
+
+        Ok(DevboxContext {
+            user,
+            organization_id,
+            session_id,
+            device_name,
+            token_claims: claims.clone(),
+        })
+    }
+}
diff --git a/crates/api/src/devbox_tunnels.rs b/crates/api/src/devbox_tunnels.rs
new file mode 100644
index 0000000..48e5c4c
--- /dev/null
+++ b/crates/api/src/devbox_tunnels.rs
@@ -0,0 +1,202 @@
+use std::{
+    collections::{BTreeMap, HashMap},
+    io,
+    sync::{
+        atomic::{AtomicU64, Ordering},
+        Arc,
+    },
+};
+
+use axum::extract::ws::{CloseFrame, Message as AxumMessage, Utf8Bytes, WebSocket};
+use bytes::Bytes;
+use futures::{future, Sink, SinkExt, Stream, StreamExt};
+use lapdev_tunnel::{
+    relay_client_addr, relay_server_addr, run_tunnel_server_with_connector, DynTunnelStream,
+    RelayEndpoint, TunnelClient, TunnelError, TunnelTarget, WebSocketUdpSocket,
+};
+use tokio::sync::RwLock;
+use tokio_tungstenite::tungstenite::{self as ws, Message as TungMessage};
+use tracing::{info, warn};
+use uuid::Uuid;
+
+pub struct DevboxTunnelRegistry {
+    sessions_by_user: Arc<RwLock<HashMap<Uuid, BTreeMap<u64, Arc<TunnelClient>>>>>,
+    generation_counter: AtomicU64,
+}
+
+impl DevboxTunnelRegistry {
+    pub fn new() -> Self {
+        Self {
+            sessions_by_user: Arc::new(RwLock::new(HashMap::new())),
+            generation_counter: AtomicU64::new(1),
+        }
+    }
+
+    fn next_generation(&self) -> u64 {
+        self.generation_counter.fetch_add(1, Ordering::SeqCst)
+    }
+
+    pub async fn register_cli(&self, user_id: Uuid, token: String, socket: WebSocket) {
+        let (sink, stream) = split_axum_websocket(socket);
+        let udp_socket =
+            WebSocketUdpSocket::from_parts(sink, stream, relay_server_addr(), relay_client_addr());
+
+        let connection = match RelayEndpoint::udp_server_connection(udp_socket).await {
+            Ok(connection) => connection,
+            Err(err) => {
+                warn!(
+                    user_id = %user_id,
+                    error = %err,
+                    "Failed to perform QUIC handshake for CLI tunnel"
+                );
+                return;
+            }
+        };
+
+        let client = Arc::new(TunnelClient::new_relay(connection));
+        let generation = self.next_generation();
+
+        {
+            let mut sessions = self.sessions_by_user.write().await;
+            let entry = sessions.entry(user_id).or_insert_with(BTreeMap::new);
+            if entry.insert(generation, client.clone()).is_some() {
+                warn!(
+                    "Overwrote Devbox CLI tunnel generation {} for user {}",
+                    generation, user_id
+                );
+            }
+            info!(
+                "Registered Devbox CLI tunnel for user {} generation {}; active entries {}",
+                user_id,
+                generation,
+                entry.len()
+            );
+        }
+
+        let sessions = Arc::clone(&self.sessions_by_user);
+        tokio::spawn(async move {
+            client.closed().await;
+            let mut sessions = sessions.write().await;
+            if let Some(entry) = sessions.get_mut(&user_id) {
+                if entry.remove(&generation).is_some() {
+                    info!(
+                        "Devbox CLI tunnel closed for user {} generation {}; remaining {}",
+                        user_id,
+                        generation,
+                        entry.len()
+                    );
+                    if entry.is_empty() {
+                        sessions.remove(&user_id);
+                    }
+                } else {
+                    info!(
+                        "Skip removing Devbox CLI tunnel for user {} due to generation mismatch (requested {})",
+                        user_id, generation
+                    );
+                }
+            } else {
+                info!(
+                    "Devbox CLI tunnel cleanup found no user {} for generation {}",
+                    user_id, generation
+                );
+            }
+        });
+    }
+
+    pub async fn attach_sidecar(
+        &self,
+        user_id: Uuid,
+        socket: WebSocket,
+    ) -> Result<(), TunnelError> {
+        let cli_client = {
+            let sessions = self.sessions_by_user.read().await;
+            sessions.get(&user_id).and_then(|entry| {
+                entry
+                    .values()
+                    .rev()
+                    .find(|client| !client.is_closed())
+                    .cloned()
+            })
+        };
+
+        let Some(cli_client) = cli_client else {
+            warn!(
+                "Received sidecar tunnel for user {} with no active CLI tunnel",
+                user_id
+            );
+            return Err(TunnelError::Remote("no active CLI tunnel".to_string()));
+        };
+
+        let (sink, stream) = split_axum_websocket(socket);
+        let udp_socket =
+            WebSocketUdpSocket::from_parts(sink, stream, relay_server_addr(), relay_client_addr());
+
+        let connection = RelayEndpoint::udp_server_connection(udp_socket).await?;
+        let connector = move |target: TunnelTarget| {
+            let cli_client = cli_client.clone();
+            async move {
+                let stream = cli_client
+                    .connect_tcp(target.host.clone(), target.port)
+                    .await?;
+                Ok::<DynTunnelStream, TunnelError>(Box::new(stream) as DynTunnelStream)
+            }
+        };
+
+        run_tunnel_server_with_connector(connection, connector).await
+    }
+}
+
+pub(crate) fn split_axum_websocket(
+    socket: WebSocket,
+) -> (
+    impl Sink<TungMessage, Error = io::Error> + Send + 'static,
+    impl Stream<Item = Result<Bytes, io::Error>> + Send + 'static,
+) {
+    let (sink, stream) = socket.split();
+
+    let sink = sink
+        .sink_map_err(io::Error::other)
+        .with(|message: TungMessage| future::ready(map_tungstenite_to_axum(message)));
+
+    let stream = stream.filter_map(|msg| {
+        future::ready(match msg {
+            Ok(AxumMessage::Binary(data)) => Some(Ok(data)),
+            Ok(AxumMessage::Close(_)) => None,
+            Ok(_) => None,
+            Err(err) => Some(Err(io::Error::other(err))),
+        })
+    });
+
+    (sink, stream)
+}
+
+fn map_tungstenite_to_axum(message: TungMessage) -> io::Result<AxumMessage> {
+    match message {
+        ws::Message::Text(text) => {
+            let bytes: Bytes = text.into();
+            let utf8 = Utf8Bytes::try_from(bytes)
+                .map_err(|err| io::Error::new(io::ErrorKind::InvalidData, err))?;
+            Ok(AxumMessage::Text(utf8))
+        }
+        ws::Message::Binary(data) => Ok(AxumMessage::Binary(data)),
+        ws::Message::Ping(data) => Ok(AxumMessage::Ping(data)),
+        ws::Message::Pong(data) => Ok(AxumMessage::Pong(data)),
+        ws::Message::Close(frame) => {
+            let mapped = frame.map(|close| CloseFrame {
+                code: close.code.into(),
+                reason: Utf8Bytes::from(close.reason.to_string()),
+            });
+            Ok(AxumMessage::Close(mapped))
+        }
+        ws::Message::Frame(_) => Err(io::Error::new(
+            io::ErrorKind::InvalidData,
+            "frame messages are not supported",
+        )),
+    }
+}
+
+impl Default for DevboxTunnelRegistry {
+    fn default() -> Self {
+        Self::new()
+    }
+}
diff --git a/crates/api/src/environment_events.rs b/crates/api/src/environment_events.rs
new file mode 100644
index 0000000..551e57a
--- /dev/null
+++ b/crates/api/src/environment_events.rs
@@ -0,0 +1,181 @@
+use std::{convert::Infallible, sync::Arc, time::Duration};
+
+use axum::{
+    extract::{Path, State},
+    response::sse::{Event, KeepAlive, Sse},
+};
+use axum_extra::{headers, TypedHeader};
+use chrono::{DateTime, Utc};
+use futures::{Stream, StreamExt};
+use lapdev_common::kube::{EnvironmentWorkloadStatusEvent, KubeEnvironmentStatus};
+use lapdev_rpc::error::ApiError;
+use serde::{Deserialize, Serialize};
+use tokio_stream::wrappers::BroadcastStream;
+use tracing::warn;
+use uuid::Uuid;
+
+use crate::state::CoreState;
+
+#[derive(Debug, Clone, Serialize, Deserialize)]
+pub struct EnvironmentLifecycleEvent {
+    pub organization_id: Uuid,
+    pub environment_id: Uuid,
+    pub status: KubeEnvironmentStatus,
+    pub paused_at: Option<String>,
+    pub resumed_at: Option<String>,
+    pub updated_at: DateTime<Utc>,
+}
+
+pub async fn stream_environment_events(
+    Path((org_id, environment_id)): Path<(Uuid, Uuid)>,
+    State(state): State<Arc<CoreState>>,
+    TypedHeader(cookies): TypedHeader<headers::Cookie>,
+) -> Result<Sse<impl Stream<Item = Result<Event, Infallible>>>, ApiError> {
+    let user = state.authenticate(&cookies).await?;
+    state
+        .db
+        .get_organization_member(user.id, org_id)
+        .await
+        .map_err(|_| ApiError::Unauthorized)?;
+
+    let environment = state
+        .db
+        .get_kube_environment(environment_id)
+        .await?
+        .ok_or_else(|| ApiError::InvalidRequest("Environment not found".to_string()))?;
+
+    if environment.organization_id != org_id {
+        return Err(ApiError::Unauthorized);
+    }
+
+    let receiver = state.environment_events.subscribe();
+
+    let target_org = org_id;
+    let target_env = environment_id;
+
+    let event_stream = BroadcastStream::new(receiver).filter_map(move |result| {
+        let target_org = target_org;
+        let target_env = target_env;
+        async move {
+            match result {
+                Ok(event)
+                    if event.organization_id == target_org
+                        && event.environment_id == target_env =>
+                {
+                    build_sse_event(&event).map(Ok)
+                }
+                Ok(_) => None,
+                Err(err) => {
+                    warn!("environment event stream lagged: {err}");
+                    None
+                }
+            }
+        }
+    });
+
+    let keep_alive = KeepAlive::new()
+        .interval(Duration::from_secs(15))
+        .text("keep-alive");
+
+    Ok(Sse::new(event_stream).keep_alive(keep_alive))
+}
+
+pub async fn stream_organization_environment_events(
+    Path(org_id): Path<Uuid>,
+    State(state): State<Arc<CoreState>>,
+    TypedHeader(cookies): TypedHeader<headers::Cookie>,
+) -> Result<Sse<impl Stream<Item = Result<Event, Infallible>>>, ApiError> {
+    let user = state.authenticate(&cookies).await?;
+    state
+        .db
+        .get_organization_member(user.id, org_id)
+        .await
+        .map_err(|_| ApiError::Unauthorized)?;
+
+    let receiver = state.environment_events.subscribe();
+    let target_org = org_id;
+
+    let event_stream = BroadcastStream::new(receiver).filter_map(move |result| {
+        let target_org = target_org;
+        async move {
+            match result {
+                Ok(event) if event.organization_id == target_org => build_sse_event(&event).map(Ok),
+                Ok(_) => None,
+                Err(err) => {
+                    warn!("environment event stream lagged: {err}");
+                    None
+                }
+            }
+        }
+    });
+
+    let keep_alive = KeepAlive::new()
+        .interval(Duration::from_secs(15))
+        .text("keep-alive");
+
+    Ok(Sse::new(event_stream).keep_alive(keep_alive))
+}
+
+pub async fn stream_environment_workload_events(
+    Path((org_id, environment_id)): Path<(Uuid, Uuid)>,
+    State(state): State<Arc<CoreState>>,
+    TypedHeader(cookies): TypedHeader<headers::Cookie>,
+) -> Result<Sse<impl Stream<Item = Result<Event, Infallible>>>, ApiError> {
+    let user = state.authenticate(&cookies).await?;
+    state
+        .db
+        .get_organization_member(user.id, org_id)
+        .await
+        .map_err(|_| ApiError::Unauthorized)?;
+
+    let environment = state
+        .db
+        .get_kube_environment(environment_id)
+        .await?
+        .ok_or_else(|| ApiError::InvalidRequest("Environment not found".to_string()))?;
+
+    if environment.organization_id != org_id {
+        return Err(ApiError::Unauthorized);
+    }
+
+    let receiver = state.environment_workload_events.subscribe();
+    let target_org = org_id;
+    let target_env = environment_id;
+
+    let event_stream = BroadcastStream::new(receiver).filter_map(move |result| {
+        let target_org = target_org;
+        let target_env = target_env;
+        async move {
+            match result {
+                Ok(event)
+                    if event.organization_id == target_org
+                        && event.environment_id == target_env =>
+                {
+                    build_workload_sse_event(&event).map(Ok)
+                }
+                Ok(_) => None,
+                Err(err) => {
+                    warn!("environment workload event stream lagged: {err}");
+                    None
+                }
+            }
+        }
+    });
+
+    let keep_alive = KeepAlive::new()
+        .interval(Duration::from_secs(15))
+        .text("keep-alive");
+
+    Ok(Sse::new(event_stream).keep_alive(keep_alive))
+}
+
+fn build_sse_event(event: &EnvironmentLifecycleEvent) -> Option<Event> {
+    Event::default().event("environment").json_data(event).ok()
+}
+
+fn build_workload_sse_event(event: &EnvironmentWorkloadStatusEvent) -> Option<Event> {
+    Event::default()
+        .event("environment_workload")
+        .json_data(event)
+        .ok()
+}
diff --git a/lapdev-api/src/github.rs b/crates/api/src/github.rs
similarity index 100%
rename from lapdev-api/src/github.rs
rename to crates/api/src/github.rs
diff --git a/lapdev-api/src/gitlab.rs b/crates/api/src/gitlab.rs
similarity index 100%
rename from lapdev-api/src/gitlab.rs
rename to crates/api/src/gitlab.rs
diff --git a/crates/api/src/hrpc_service.rs b/crates/api/src/hrpc_service.rs
new file mode 100644
index 0000000..09ffd38
--- /dev/null
+++ b/crates/api/src/hrpc_service.rs
@@ -0,0 +1,1418 @@
+use axum_extra::headers;
+use chrono::{DateTime, Utc};
+use lapdev_api_hrpc::HrpcService;
+use lapdev_common::{
+    devbox::{
+        DevboxEnvironmentSelection, DevboxPortMapping, DevboxPortMappingOverride,
+        DevboxSessionSummary, DevboxSessionWhoAmI, DevboxStartWorkloadInterceptResponse,
+        DevboxWorkloadInterceptListResponse, DevboxWorkloadInterceptSummary,
+    },
+    hrpc::HrpcError,
+    kube::{
+        CreateKubeClusterResponse, KubeAppCatalog, KubeAppCatalogWorkload,
+        KubeAppCatalogWorkloadCreate, KubeCluster, KubeEnvironment,
+        KubeEnvironmentDashboardSummary, KubeEnvironmentWorkload, KubeEnvironmentWorkloadDetail,
+        KubeNamespace, KubeNamespaceInfo, KubeWorkload, KubeWorkloadKind, KubeWorkloadList,
+        PagePaginationParams, PaginatedResult, PaginationParams,
+    },
+    UserRole,
+};
+use lapdev_rpc::error::ApiError;
+use pasetors::claims::Claims;
+use sea_orm::DbErr;
+use tarpc::context;
+use uuid::Uuid;
+
+use crate::state::CoreState;
+
+impl HrpcService for CoreState {
+    async fn devbox_session_get_session(
+        &self,
+        headers: &axum::http::HeaderMap,
+    ) -> Result<Option<DevboxSessionSummary>, HrpcError> {
+        let user = self.hrpc_authenticate_user(headers).await?;
+        let session = self
+            .db
+            .get_active_devbox_session(user.id)
+            .await
+            .map_err(hrpc_from_anyhow)?;
+
+        let session = session.map(|session| DevboxSessionSummary {
+            id: session.id,
+            device_name: session.device_name,
+            token_prefix: session.token_prefix,
+            active_environment_id: session.active_environment_id,
+            created_at: session.created_at.with_timezone(&Utc),
+            expires_at: session.expires_at.with_timezone(&Utc),
+            last_used_at: session.last_used_at.with_timezone(&Utc),
+            revoked_at: session.revoked_at.map(|ts| ts.with_timezone(&Utc)),
+        });
+
+        Ok(session)
+    }
+
+    async fn devbox_session_revoke_session(
+        &self,
+        headers: &axum::http::HeaderMap,
+        session_id: Uuid,
+    ) -> Result<(), HrpcError> {
+        let user = self.hrpc_authenticate_user(headers).await?;
+        let session = self
+            .db
+            .get_devbox_session_by_id(session_id)
+            .await
+            .map_err(hrpc_from_anyhow)?
+            .ok_or_else(|| hrpc_error("Session not found"))?;
+
+        if session.user_id != user.id {
+            return Err(hrpc_error("Unauthorized"));
+        }
+
+        if session.revoked_at.is_some() {
+            return Ok(());
+        }
+
+        self.db
+            .revoke_devbox_session_by_id(session_id)
+            .await
+            .map_err(hrpc_from_anyhow)?;
+
+        let session_notification = {
+            let sessions = self.active_devbox_sessions.read().await;
+            sessions.get(&user.id).and_then(|entries| {
+                entries
+                    .iter()
+                    .find(|(_, handle)| handle.session_id == session_id)
+                    .map(|(connection_id, handle)| (*connection_id, handle.rpc_client.clone()))
+            })
+        };
+
+        if let Some((connection_id, client)) = session_notification {
+            {
+                let mut sessions = self.active_devbox_sessions.write().await;
+                if let Some(entries) = sessions.get_mut(&user.id) {
+                    entries.remove(&connection_id);
+                    if entries.is_empty() {
+                        sessions.remove(&user.id);
+                    }
+                }
+            }
+            tokio::spawn(async move {
+                let _ = client
+                    .session_displaced(
+                        context::current(),
+                        "Session revoked by dashboard".to_string(),
+                    )
+                    .await;
+            });
+        }
+
+        Ok(())
+    }
+
+    async fn devbox_session_get_active_environment(
+        &self,
+        headers: &axum::http::HeaderMap,
+    ) -> Result<Option<DevboxEnvironmentSelection>, HrpcError> {
+        let ctx = self.hrpc_resolve_active_devbox_session(headers).await?;
+
+        let Some(environment_id) = ctx.session.active_environment_id else {
+            return Ok(None);
+        };
+
+        let environment = self
+            .db
+            .get_kube_environment(environment_id)
+            .await
+            .map_err(hrpc_from_db_err)?;
+
+        let Some(environment) = environment else {
+            return Ok(None);
+        };
+
+        let cluster = self
+            .db
+            .get_kube_cluster(environment.cluster_id)
+            .await
+            .map_err(hrpc_from_anyhow)?
+            .ok_or_else(|| hrpc_error("Cluster not found"))?;
+
+        Ok(Some(DevboxEnvironmentSelection {
+            environment_id,
+            cluster_name: cluster.name,
+            namespace: environment.namespace,
+        }))
+    }
+
+    async fn devbox_session_set_active_environment(
+        &self,
+        headers: &axum::http::HeaderMap,
+        environment_id: Uuid,
+    ) -> Result<(), HrpcError> {
+        let ctx = self.hrpc_resolve_active_devbox_session(headers).await?;
+        let previous_environment = ctx.session.active_environment_id;
+        let environment = self
+            .db
+            .get_kube_environment(environment_id)
+            .await
+            .map_err(hrpc_from_db_err)?
+            .ok_or_else(|| hrpc_error("Environment not found"))?;
+
+        if environment.is_shared {
+            return Err(hrpc_error(
+                "Shared environments cannot be used as active devbox environments",
+            ));
+        }
+
+        self.ensure_environment_access(&ctx.user, &environment)
+            .await?;
+
+        self.db
+            .update_devbox_session_active_environment(ctx.session.user_id, Some(environment_id))
+            .await
+            .map_err(hrpc_from_anyhow)?;
+
+        // Notify CLI about the environment change
+        let cluster = self
+            .db
+            .get_kube_cluster(environment.cluster_id)
+            .await
+            .map_err(hrpc_from_anyhow)?
+            .ok_or_else(|| hrpc_error("Cluster not found"))?;
+
+        let env_info = lapdev_devbox_rpc::DevboxEnvironmentInfo {
+            environment_id: environment.id,
+            environment_name: environment.name.clone(),
+            cluster_name: cluster.name.clone(),
+            namespace: environment.namespace.clone(),
+        };
+
+        tracing::info!(
+            "set_active_environment (HRPC) called for session {} with environment {} ({}/{})",
+            ctx.session.id,
+            environment_id,
+            cluster.name,
+            environment.namespace
+        );
+
+        // Get the RPC client for the active session
+        let rpc_client = {
+            let sessions = self.active_devbox_sessions.read().await;
+            sessions.get(&ctx.user.id).and_then(|entries| {
+                entries
+                    .values()
+                    .next_back()
+                    .map(|handle| handle.rpc_client.clone())
+            })
+        };
+
+        if let Some(client) = rpc_client {
+            tracing::info!(
+                "Spawning task to notify CLI about environment change to {} ({})",
+                env_info.cluster_name,
+                env_info.namespace
+            );
+            tokio::spawn(async move {
+                tracing::info!("Calling environment_changed RPC on client...");
+                match client
+                    .environment_changed(context::current(), Some(env_info.clone()))
+                    .await
+                {
+                    Ok(_) => {
+                        tracing::info!(
+                            "Successfully notified client of environment change to {}",
+                            env_info.namespace
+                        );
+                    }
+                    Err(e) => {
+                        tracing::warn!("Failed to notify client of environment change: {}", e);
+                    }
+                }
+            });
+        } else {
+            tracing::warn!(
+                "No active WebSocket connection for user {}, environment change saved but CLI not notified",
+                ctx.user.id
+            );
+        }
+
+        let state = self.clone();
+        let user_id = ctx.user.id;
+        tokio::spawn(async move {
+            state.push_devbox_routes(user_id, environment_id).await;
+        });
+
+        if let Some(prev_env) = previous_environment.filter(|prev| *prev != environment_id) {
+            let state = self.clone();
+            tokio::spawn(async move {
+                state.clear_devbox_routes_for_environment(prev_env).await;
+            });
+        }
+
+        Ok(())
+    }
+
+    async fn devbox_session_whoami(
+        &self,
+        headers: &axum::http::HeaderMap,
+    ) -> Result<DevboxSessionWhoAmI, HrpcError> {
+        let ctx = self.hrpc_resolve_active_devbox_session(headers).await?;
+
+        Ok(DevboxSessionWhoAmI {
+            user_id: ctx.user.id,
+            email: ctx.user.email.clone(),
+            device_name: ctx.session.device_name,
+            authenticated_at: ctx.authenticated_at,
+            expires_at: ctx.expires_at,
+        })
+    }
+
+    async fn devbox_intercept_list(
+        &self,
+        headers: &axum::http::HeaderMap,
+        environment_id: Uuid,
+    ) -> Result<DevboxWorkloadInterceptListResponse, HrpcError> {
+        let environment = self
+            .db
+            .get_kube_environment(environment_id)
+            .await
+            .map_err(hrpc_from_db_err)?
+            .ok_or_else(|| hrpc_error("Environment not found"))?;
+
+        let user = self
+            .authorize(headers, environment.organization_id, None)
+            .await
+            .map_err(hrpc_from_api_error)?;
+
+        self.ensure_environment_access(&user, &environment).await?;
+
+        let intercepts = self
+            .db
+            .list_workload_intercepts_for_environment(environment_id)
+            .await
+            .map_err(hrpc_from_anyhow)?;
+
+        let mut results = Vec::with_capacity(intercepts.len());
+        for intercept in intercepts {
+            let workload = self
+                .db
+                .get_environment_workload(intercept.workload_id)
+                .await
+                .map_err(hrpc_from_anyhow)?
+                .ok_or_else(|| hrpc_error("Workload not found"))?;
+
+            let port_mappings: Vec<DevboxPortMapping> =
+                serde_json::from_value(intercept.port_mappings.clone())
+                    .map_err(hrpc_from_anyhow)?;
+
+            results.push(DevboxWorkloadInterceptSummary {
+                intercept_id: intercept.id,
+                session_id: Uuid::nil(), // Intercepts are no longer tied to sessions
+                workload_id: workload.id,
+                workload_name: workload.name,
+                namespace: workload.namespace,
+                port_mappings,
+                created_at: intercept.created_at.with_timezone(&Utc),
+                restored_at: intercept.stopped_at.map(|dt| dt.with_timezone(&Utc)),
+            });
+        }
+
+        Ok(DevboxWorkloadInterceptListResponse {
+            intercepts: results,
+        })
+    }
+
+    async fn devbox_intercept_start(
+        &self,
+        headers: &axum::http::HeaderMap,
+        workload_id: Uuid,
+        port_mappings: Vec<DevboxPortMappingOverride>,
+    ) -> Result<DevboxStartWorkloadInterceptResponse, HrpcError> {
+        let user = self.hrpc_authenticate_user(headers).await?;
+
+        let workload = self
+            .db
+            .get_environment_workload(workload_id)
+            .await
+            .map_err(hrpc_from_anyhow)?
+            .ok_or_else(|| hrpc_error("Workload not found"))?;
+
+        let environment = self
+            .db
+            .get_kube_environment(workload.environment_id)
+            .await
+            .map_err(hrpc_from_db_err)?
+            .ok_or_else(|| hrpc_error("Environment not found"))?;
+
+        if environment.is_shared {
+            return Err(hrpc_error(
+                "Shared environments cannot start Devbox intercepts",
+            ));
+        }
+
+        self.ensure_environment_access(&user, &environment).await?;
+
+        let mappings = port_mappings
+            .into_iter()
+            .map(|override_mapping| DevboxPortMapping {
+                workload_port: override_mapping.workload_port,
+                local_port: override_mapping
+                    .local_port
+                    .unwrap_or(override_mapping.workload_port),
+                protocol: "TCP".to_string(),
+            })
+            .collect::<Vec<_>>();
+
+        let intercept = self
+            .db
+            .create_workload_intercept(
+                user.id,
+                environment.id,
+                workload_id,
+                serde_json::to_value(&mappings).map_err(hrpc_from_anyhow)?,
+            )
+            .await
+            .map_err(hrpc_from_anyhow)?;
+
+        if self
+            .active_devbox_sessions
+            .read()
+            .await
+            .get(&user.id)
+            .is_some()
+        {
+            let state = self.clone();
+            let environment = environment.clone();
+            let intercept_clone = intercept.clone();
+            tokio::spawn(async move {
+                state
+                    .push_devbox_route_for_intercept(environment, intercept_clone)
+                    .await;
+            });
+        }
+
+        Ok(DevboxStartWorkloadInterceptResponse {
+            intercept_id: intercept.id,
+        })
+    }
+
+    async fn devbox_intercept_stop(
+        &self,
+        headers: &axum::http::HeaderMap,
+        intercept_id: Uuid,
+    ) -> Result<(), HrpcError> {
+        let user = self.hrpc_authenticate_user(headers).await?;
+
+        let intercept = self
+            .db
+            .get_workload_intercept(intercept_id)
+            .await
+            .map_err(hrpc_from_anyhow)?
+            .ok_or_else(|| hrpc_error("Intercept not found"))?;
+
+        if intercept.user_id != user.id {
+            return Err(hrpc_error("Unauthorized"));
+        }
+
+        self.db
+            .stop_workload_intercept(intercept_id)
+            .await
+            .map_err(hrpc_from_anyhow)?;
+        if self
+            .active_devbox_sessions
+            .read()
+            .await
+            .get(&user.id)
+            .is_some()
+        {
+            match self.db.get_kube_environment(intercept.environment_id).await {
+                Ok(Some(environment)) => {
+                    let state = self.clone();
+                    let intercept_clone = intercept.clone();
+                    tokio::spawn(async move {
+                        state
+                            .clear_devbox_route_for_intercept(environment, intercept_clone)
+                            .await;
+                    });
+                }
+                Ok(None) => {
+                    tracing::warn!(
+                        environment_id = %intercept.environment_id,
+                        intercept_id = %intercept.id,
+                        "Environment not found while clearing devbox route after intercept stop"
+                    );
+                }
+                Err(err) => {
+                    tracing::warn!(
+                        environment_id = %intercept.environment_id,
+                        intercept_id = %intercept.id,
+                        error = %err,
+                        "Failed to load environment while clearing devbox route after intercept stop"
+                    );
+                }
+            }
+        }
+
+        Ok(())
+    }
+
+    async fn all_kube_clusters(
+        &self,
+        headers: &axum::http::HeaderMap,
+        org_id: Uuid,
+    ) -> Result<Vec<KubeCluster>, HrpcError> {
+        let _ = self.authorize(headers, org_id, None).await?;
+        self.kube_controller
+            .get_all_kube_clusters(org_id)
+            .await
+            .map_err(HrpcError::from)
+    }
+
+    async fn create_kube_cluster(
+        &self,
+        headers: &axum::http::HeaderMap,
+        org_id: Uuid,
+        name: String,
+    ) -> Result<CreateKubeClusterResponse, HrpcError> {
+        let user = self
+            .authorize(headers, org_id, Some(UserRole::Admin))
+            .await?;
+
+        self.kube_controller
+            .create_kube_cluster(org_id, user.id, name)
+            .await
+            .map_err(HrpcError::from)
+    }
+
+    async fn delete_kube_cluster(
+        &self,
+        headers: &axum::http::HeaderMap,
+        org_id: Uuid,
+        cluster_id: Uuid,
+    ) -> Result<(), HrpcError> {
+        let _ = self
+            .authorize(headers, org_id, Some(UserRole::Admin))
+            .await?;
+
+        self.kube_controller
+            .delete_kube_cluster(org_id, cluster_id)
+            .await
+            .map_err(HrpcError::from)
+    }
+
+    async fn set_cluster_deployable(
+        &self,
+        headers: &axum::http::HeaderMap,
+        org_id: Uuid,
+        cluster_id: Uuid,
+        can_deploy_personal: bool,
+        can_deploy_shared: bool,
+    ) -> Result<(), HrpcError> {
+        let _ = self
+            .authorize(headers, org_id, Some(UserRole::Admin))
+            .await?;
+
+        self.kube_controller
+            .set_cluster_deployable(org_id, cluster_id, can_deploy_personal, can_deploy_shared)
+            .await
+            .map_err(HrpcError::from)
+    }
+
+    async fn set_cluster_personal_deployable(
+        &self,
+        headers: &axum::http::HeaderMap,
+        org_id: Uuid,
+        cluster_id: Uuid,
+        can_deploy: bool,
+    ) -> Result<(), HrpcError> {
+        let _ = self
+            .authorize(headers, org_id, Some(UserRole::Admin))
+            .await?;
+
+        self.kube_controller
+            .set_cluster_personal_deployable(org_id, cluster_id, can_deploy)
+            .await
+            .map_err(HrpcError::from)
+    }
+
+    async fn set_cluster_shared_deployable(
+        &self,
+        headers: &axum::http::HeaderMap,
+        org_id: Uuid,
+        cluster_id: Uuid,
+        can_deploy: bool,
+    ) -> Result<(), HrpcError> {
+        let _ = self
+            .authorize(headers, org_id, Some(UserRole::Admin))
+            .await?;
+
+        self.kube_controller
+            .set_cluster_shared_deployable(org_id, cluster_id, can_deploy)
+            .await
+            .map_err(HrpcError::from)
+    }
+
+    async fn get_workloads(
+        &self,
+        headers: &axum::http::HeaderMap,
+        org_id: Uuid,
+        cluster_id: Uuid,
+        namespace: Option<String>,
+        workload_kind_filter: Option<KubeWorkloadKind>,
+        include_system_workloads: bool,
+        pagination: Option<PaginationParams>,
+    ) -> Result<KubeWorkloadList, HrpcError> {
+        let _ = self.authorize(headers, org_id, None).await?;
+
+        self.kube_controller
+            .get_workloads(
+                org_id,
+                cluster_id,
+                namespace,
+                workload_kind_filter,
+                include_system_workloads,
+                pagination,
+            )
+            .await
+            .map_err(HrpcError::from)
+    }
+
+    async fn get_workload_details(
+        &self,
+        headers: &axum::http::HeaderMap,
+        org_id: Uuid,
+        cluster_id: Uuid,
+        name: String,
+        namespace: String,
+    ) -> Result<Option<KubeWorkload>, HrpcError> {
+        let _ = self.authorize(headers, org_id, None).await?;
+
+        self.kube_controller
+            .get_workload_details(org_id, cluster_id, name, namespace)
+            .await
+            .map_err(HrpcError::from)
+    }
+
+    async fn get_cluster_namespaces(
+        &self,
+        headers: &axum::http::HeaderMap,
+        org_id: Uuid,
+        cluster_id: Uuid,
+    ) -> Result<Vec<KubeNamespaceInfo>, HrpcError> {
+        let _ = self.authorize(headers, org_id, None).await?;
+
+        self.kube_controller
+            .get_cluster_namespaces(org_id, cluster_id)
+            .await
+            .map_err(HrpcError::from)
+    }
+
+    async fn get_cluster_info(
+        &self,
+        headers: &axum::http::HeaderMap,
+        org_id: Uuid,
+        cluster_id: Uuid,
+    ) -> Result<KubeCluster, HrpcError> {
+        let _ = self.authorize(headers, org_id, None).await?;
+
+        self.kube_controller
+            .get_cluster_info(org_id, cluster_id)
+            .await
+            .map_err(HrpcError::from)
+    }
+
+    async fn create_app_catalog(
+        &self,
+        headers: &axum::http::HeaderMap,
+        org_id: Uuid,
+        cluster_id: Uuid,
+        name: String,
+        description: Option<String>,
+        workloads: Vec<KubeAppCatalogWorkloadCreate>,
+    ) -> Result<Uuid, HrpcError> {
+        let user = self
+            .authorize(headers, org_id, Some(UserRole::Admin))
+            .await?;
+
+        self.kube_controller
+            .create_app_catalog(org_id, user.id, cluster_id, name, description, workloads)
+            .await
+            .map_err(HrpcError::from)
+    }
+
+    async fn all_app_catalogs(
+        &self,
+        headers: &axum::http::HeaderMap,
+        org_id: Uuid,
+        search: Option<String>,
+        pagination: Option<PagePaginationParams>,
+    ) -> Result<PaginatedResult<KubeAppCatalog>, HrpcError> {
+        let _ = self.authorize(headers, org_id, None).await?;
+
+        self.kube_controller
+            .get_all_app_catalogs(org_id, search, pagination)
+            .await
+            .map_err(HrpcError::from)
+    }
+
+    async fn get_app_catalog(
+        &self,
+        headers: &axum::http::HeaderMap,
+        org_id: Uuid,
+        catalog_id: Uuid,
+    ) -> Result<KubeAppCatalog, HrpcError> {
+        let _ = self.authorize(headers, org_id, None).await?;
+
+        self.kube_controller
+            .get_app_catalog(org_id, catalog_id)
+            .await
+            .map_err(HrpcError::from)
+    }
+
+    async fn get_app_catalog_workloads(
+        &self,
+        headers: &axum::http::HeaderMap,
+        org_id: Uuid,
+        catalog_id: Uuid,
+    ) -> Result<Vec<KubeAppCatalogWorkload>, HrpcError> {
+        let _ = self.authorize(headers, org_id, None).await?;
+
+        self.kube_controller
+            .get_app_catalog_workloads(org_id, catalog_id)
+            .await
+            .map_err(HrpcError::from)
+    }
+
+    async fn all_kube_environments(
+        &self,
+        headers: &axum::http::HeaderMap,
+        org_id: Uuid,
+        search: Option<String>,
+        is_shared: bool,
+        is_branch: bool,
+        pagination: Option<PagePaginationParams>,
+    ) -> Result<PaginatedResult<KubeEnvironment>, HrpcError> {
+        let user = self.authorize(headers, org_id, None).await?;
+
+        self.kube_controller
+            .get_all_kube_environments(org_id, user.id, search, is_shared, is_branch, pagination)
+            .await
+            .map_err(HrpcError::from)
+    }
+
+    async fn get_environment_dashboard_summary(
+        &self,
+        headers: &axum::http::HeaderMap,
+        org_id: Uuid,
+        recent_limit: Option<usize>,
+    ) -> Result<KubeEnvironmentDashboardSummary, HrpcError> {
+        let user = self.authorize(headers, org_id, None).await?;
+
+        self.kube_controller
+            .get_environment_dashboard_summary(org_id, user.id, recent_limit)
+            .await
+            .map_err(HrpcError::from)
+    }
+
+    async fn get_kube_environment(
+        &self,
+        headers: &axum::http::HeaderMap,
+        org_id: Uuid,
+        environment_id: Uuid,
+    ) -> Result<KubeEnvironment, HrpcError> {
+        let user = self.authorize(headers, org_id, None).await?;
+        self.kube_controller
+            .get_kube_environment(org_id, user.id, environment_id)
+            .await
+            .map_err(HrpcError::from)
+    }
+
+    async fn delete_kube_environment(
+        &self,
+        headers: &axum::http::HeaderMap,
+        org_id: Uuid,
+        environment_id: Uuid,
+    ) -> Result<(), HrpcError> {
+        let environment = self
+            .db
+            .get_kube_environment(environment_id)
+            .await
+            .map_err(hrpc_from_db_err)?
+            .ok_or_else(|| hrpc_error("Environment not found"))?;
+
+        if environment.organization_id != org_id {
+            return Err(hrpc_error(
+                "Environment does not belong to the organization",
+            ));
+        }
+
+        let required_role = environment.is_shared.then_some(UserRole::Admin);
+        let user = self.authorize(headers, org_id, required_role).await?;
+
+        if !environment.is_shared && environment.user_id != user.id {
+            return Err(hrpc_error("Unauthorized"));
+        }
+
+        self.kube_controller
+            .delete_kube_environment(org_id, user.id, environment_id)
+            .await
+            .map_err(HrpcError::from)
+    }
+
+    async fn pause_kube_environment(
+        &self,
+        headers: &axum::http::HeaderMap,
+        org_id: Uuid,
+        environment_id: Uuid,
+    ) -> Result<(), HrpcError> {
+        let environment = self
+            .db
+            .get_kube_environment(environment_id)
+            .await
+            .map_err(hrpc_from_db_err)?
+            .ok_or_else(|| hrpc_error("Environment not found"))?;
+
+        if environment.organization_id != org_id {
+            return Err(hrpc_error(
+                "Environment does not belong to the organization",
+            ));
+        }
+
+        if environment.is_shared {
+            return Err(hrpc_error(
+                "Pause is not yet supported for shared environments",
+            ));
+        }
+
+        let user = self.authorize(headers, org_id, None).await?;
+
+        if environment.user_id != user.id {
+            return Err(hrpc_error("Unauthorized"));
+        }
+        self.kube_controller
+            .pause_kube_environment(org_id, user.id, environment_id)
+            .await
+            .map_err(HrpcError::from)
+    }
+
+    async fn resume_kube_environment(
+        &self,
+        headers: &axum::http::HeaderMap,
+        org_id: Uuid,
+        environment_id: Uuid,
+    ) -> Result<(), HrpcError> {
+        let environment = self
+            .db
+            .get_kube_environment(environment_id)
+            .await
+            .map_err(hrpc_from_db_err)?
+            .ok_or_else(|| hrpc_error("Environment not found"))?;
+
+        if environment.organization_id != org_id {
+            return Err(hrpc_error(
+                "Environment does not belong to the organization",
+            ));
+        }
+
+        if environment.is_shared {
+            return Err(hrpc_error(
+                "Resume is not yet supported for shared environments",
+            ));
+        }
+
+        let user = self.authorize(headers, org_id, None).await?;
+
+        if environment.user_id != user.id {
+            return Err(hrpc_error("Unauthorized"));
+        }
+        self.kube_controller
+            .resume_kube_environment(org_id, user.id, environment_id)
+            .await
+            .map_err(HrpcError::from)
+    }
+
+    async fn sync_environment_from_catalog(
+        &self,
+        headers: &axum::http::HeaderMap,
+        org_id: Uuid,
+        environment_id: Uuid,
+    ) -> Result<(), HrpcError> {
+        let user = self.authorize(headers, org_id, None).await?;
+        self.kube_controller
+            .sync_environment_from_catalog(org_id, user.id, environment_id)
+            .await
+            .map_err(HrpcError::from)
+    }
+
+    async fn rebase_branch_environment(
+        &self,
+        headers: &axum::http::HeaderMap,
+        org_id: Uuid,
+        environment_id: Uuid,
+    ) -> Result<(), HrpcError> {
+        let user = self.authorize(headers, org_id, None).await?;
+        self.kube_controller
+            .rebase_branch_environment(org_id, user.id, environment_id)
+            .await
+            .map_err(HrpcError::from)
+    }
+
+    async fn delete_app_catalog(
+        &self,
+        headers: &axum::http::HeaderMap,
+        org_id: Uuid,
+        catalog_id: Uuid,
+    ) -> Result<(), HrpcError> {
+        let _ = self
+            .authorize(headers, org_id, Some(UserRole::Admin))
+            .await?;
+
+        self.kube_controller
+            .delete_app_catalog(org_id, catalog_id)
+            .await
+            .map_err(HrpcError::from)
+    }
+
+    async fn delete_app_catalog_workload(
+        &self,
+        headers: &axum::http::HeaderMap,
+        org_id: Uuid,
+        workload_id: Uuid,
+    ) -> Result<(), HrpcError> {
+        let _ = self
+            .authorize(headers, org_id, Some(UserRole::Admin))
+            .await?;
+
+        self.kube_controller
+            .delete_app_catalog_workload(org_id, workload_id)
+            .await
+            .map_err(HrpcError::from)
+    }
+
+    async fn update_app_catalog_workload(
+        &self,
+        headers: &axum::http::HeaderMap,
+        org_id: Uuid,
+        workload_id: Uuid,
+        containers: Vec<lapdev_common::kube::KubeContainerInfo>,
+    ) -> Result<(), HrpcError> {
+        let _ = self
+            .authorize(headers, org_id, Some(UserRole::Admin))
+            .await?;
+
+        self.kube_controller
+            .update_app_catalog_workload(org_id, workload_id, containers)
+            .await
+            .map_err(HrpcError::from)
+    }
+
+    async fn add_workloads_to_app_catalog(
+        &self,
+        headers: &axum::http::HeaderMap,
+        org_id: Uuid,
+        catalog_id: Uuid,
+        workloads: Vec<KubeAppCatalogWorkloadCreate>,
+    ) -> Result<(), HrpcError> {
+        let user = self
+            .authorize(headers, org_id, Some(UserRole::Admin))
+            .await?;
+
+        self.kube_controller
+            .add_workloads_to_app_catalog(org_id, user.id, catalog_id, workloads)
+            .await
+            .map_err(HrpcError::from)
+    }
+
+    async fn create_kube_environment(
+        &self,
+        headers: &axum::http::HeaderMap,
+        org_id: Uuid,
+        app_catalog_id: Uuid,
+        cluster_id: Uuid,
+        name: String,
+        is_shared: bool,
+    ) -> Result<KubeEnvironment, HrpcError> {
+        let required_role = is_shared.then_some(UserRole::Admin);
+        let user = self.authorize(headers, org_id, required_role).await?;
+
+        self.kube_controller
+            .create_kube_environment(org_id, user.id, app_catalog_id, cluster_id, name, is_shared)
+            .await
+            .map_err(HrpcError::from)
+    }
+
+    async fn create_branch_environment(
+        &self,
+        headers: &axum::http::HeaderMap,
+        org_id: Uuid,
+        base_environment_id: Uuid,
+        name: String,
+    ) -> Result<KubeEnvironment, HrpcError> {
+        let user = self.authorize(headers, org_id, None).await?;
+
+        self.kube_controller
+            .create_branch_environment(org_id, user.id, base_environment_id, name)
+            .await
+            .map_err(HrpcError::from)
+    }
+
+    async fn get_environment_workloads(
+        &self,
+        headers: &axum::http::HeaderMap,
+        org_id: Uuid,
+        environment_id: Uuid,
+    ) -> Result<Vec<KubeEnvironmentWorkload>, HrpcError> {
+        let user = self.authorize(headers, org_id, None).await?;
+        self.kube_controller
+            .get_environment_workloads(org_id, user.id, environment_id)
+            .await
+            .map_err(HrpcError::from)
+    }
+
+    async fn get_environment_services(
+        &self,
+        headers: &axum::http::HeaderMap,
+        org_id: Uuid,
+        environment_id: Uuid,
+    ) -> Result<Vec<lapdev_common::kube::KubeEnvironmentService>, HrpcError> {
+        let user = self.authorize(headers, org_id, None).await?;
+        self.kube_controller
+            .get_environment_services(org_id, user.id, environment_id)
+            .await
+            .map_err(HrpcError::from)
+    }
+
+    async fn get_environment_workload(
+        &self,
+        headers: &axum::http::HeaderMap,
+        org_id: Uuid,
+        workload_id: Uuid,
+    ) -> Result<Option<KubeEnvironmentWorkload>, HrpcError> {
+        let user = self.authorize(headers, org_id, None).await?;
+        self.kube_controller
+            .get_environment_workload(org_id, user.id, workload_id)
+            .await
+            .map_err(HrpcError::from)
+    }
+
+    async fn get_environment_workload_detail(
+        &self,
+        headers: &axum::http::HeaderMap,
+        org_id: Uuid,
+        environment_id: Uuid,
+        workload_id: Uuid,
+    ) -> Result<KubeEnvironmentWorkloadDetail, HrpcError> {
+        let user = self.authorize(headers, org_id, None).await?;
+        self.kube_controller
+            .get_environment_workload_detail(org_id, user.id, environment_id, workload_id)
+            .await
+            .map_err(HrpcError::from)
+    }
+
+    async fn update_environment_workload(
+        &self,
+        headers: &axum::http::HeaderMap,
+        org_id: Uuid,
+        environment_id: Uuid,
+        workload_id: Uuid,
+        containers: Vec<lapdev_common::kube::KubeContainerInfo>,
+    ) -> Result<Uuid, HrpcError> {
+        let workload = self
+            .db
+            .get_environment_workload(workload_id)
+            .await
+            .map_err(|e| HrpcError::from(ApiError::from(e)))?
+            .ok_or_else(|| {
+                HrpcError::from(ApiError::InvalidRequest("Workload not found".to_string()))
+            })?;
+
+        let target_environment = self
+            .db
+            .get_kube_environment(environment_id)
+            .await
+            .map_err(|e| HrpcError::from(ApiError::from(e)))?
+            .ok_or_else(|| {
+                HrpcError::from(ApiError::InvalidRequest(
+                    "Environment not found".to_string(),
+                ))
+            })?;
+
+        if target_environment.organization_id != org_id {
+            return Err(HrpcError::from(ApiError::Unauthorized));
+        }
+
+        // Ensure the workload belongs to this environment or its base
+        if workload.environment_id != target_environment.id {
+            let base_env = target_environment.base_environment_id.ok_or_else(|| {
+                // Branch workloads reference their base shared environment; if there's no base we can't continue
+                HrpcError::from(ApiError::InvalidRequest(
+                    "Workload does not belong to the target environment".to_string(),
+                ))
+            })?;
+            if workload.environment_id != base_env {
+                return Err(HrpcError::from(ApiError::InvalidRequest(
+                    "Workload does not belong to the target environment".to_string(),
+                )));
+            }
+        }
+
+        // Determine required role based on the target environment. Branch workloads inherit permissions from their branch.
+        let required_role = target_environment.is_shared.then_some(UserRole::Admin);
+
+        let user = self.authorize(headers, org_id, required_role).await?;
+
+        if !target_environment.is_shared && target_environment.user_id != user.id {
+            return Err(HrpcError::from(ApiError::Unauthorized));
+        }
+
+        self.kube_controller
+            .update_environment_workload(
+                org_id,
+                user.id,
+                workload_id,
+                containers,
+                target_environment,
+            )
+            .await
+            .map_err(HrpcError::from)
+    }
+
+    async fn delete_environment_workload(
+        &self,
+        headers: &axum::http::HeaderMap,
+        org_id: Uuid,
+        environment_id: Uuid,
+        workload_id: Uuid,
+    ) -> Result<(), HrpcError> {
+        let user = self.authorize(headers, org_id, None).await?;
+        self.kube_controller
+            .delete_environment_workload(org_id, user.id, environment_id, workload_id)
+            .await
+            .map_err(HrpcError::from)
+    }
+
+    async fn create_kube_namespace(
+        &self,
+        headers: &axum::http::HeaderMap,
+        org_id: Uuid,
+        name: String,
+        description: Option<String>,
+        is_shared: bool,
+    ) -> Result<KubeNamespace, HrpcError> {
+        // Only admin can create shared namespaces, regular users can create personal ones
+        let required_role = if is_shared {
+            Some(UserRole::Admin)
+        } else {
+            None
+        };
+        let user = self.authorize(headers, org_id, required_role).await?;
+
+        self.kube_controller
+            .create_kube_namespace(org_id, user.id, name, description, is_shared)
+            .await
+            .map_err(HrpcError::from)
+    }
+
+    async fn all_kube_namespaces(
+        &self,
+        headers: &axum::http::HeaderMap,
+        org_id: Uuid,
+        is_shared: bool,
+    ) -> Result<Vec<KubeNamespace>, HrpcError> {
+        let user = self.authorize(headers, org_id, None).await?;
+
+        self.kube_controller
+            .get_all_kube_namespaces(org_id, user.id, is_shared)
+            .await
+            .map_err(HrpcError::from)
+    }
+
+    async fn delete_kube_namespace(
+        &self,
+        headers: &axum::http::HeaderMap,
+        org_id: Uuid,
+        namespace_id: Uuid,
+    ) -> Result<(), HrpcError> {
+        // Get the namespace first to check if it's shared
+        let namespace = self
+            .kube_controller
+            .db
+            .get_kube_namespace(namespace_id)
+            .await
+            .map_err(ApiError::from)?
+            .ok_or_else(|| ApiError::InvalidRequest("Namespace not found".to_string()))?;
+
+        if namespace.organization_id != org_id {
+            return Err(ApiError::Unauthorized)?;
+        }
+
+        // For shared namespaces, only admin can delete
+        // For personal namespaces, any user can delete (with ownership check below)
+        let required_role = if namespace.is_shared {
+            Some(UserRole::Admin)
+        } else {
+            None
+        };
+        let user = self.authorize(headers, org_id, required_role).await?;
+
+        // For personal namespaces, only the creator can delete
+        if !namespace.is_shared && namespace.user_id != user.id {
+            return Err(ApiError::InvalidRequest(
+                "You can only delete namespaces you created".to_string(),
+            ))?;
+        }
+
+        self.kube_controller
+            .delete_kube_namespace(org_id, namespace_id)
+            .await
+            .map_err(HrpcError::from)
+    }
+
+    async fn create_environment_preview_url(
+        &self,
+        headers: &axum::http::HeaderMap,
+        org_id: Uuid,
+        environment_id: Uuid,
+        request: lapdev_common::kube::CreateKubeEnvironmentPreviewUrlRequest,
+    ) -> Result<lapdev_common::kube::KubeEnvironmentPreviewUrl, HrpcError> {
+        let environment = self
+            .db
+            .get_kube_environment(environment_id)
+            .await
+            .map_err(hrpc_from_db_err)?
+            .ok_or_else(|| hrpc_error("Environment not found"))?;
+
+        if environment.organization_id != org_id {
+            return Err(hrpc_error(
+                "Environment does not belong to the organization",
+            ));
+        }
+
+        let required_role = environment.is_shared.then_some(UserRole::Admin);
+        let user = self.authorize(headers, org_id, required_role).await?;
+
+        if !environment.is_shared && environment.user_id != user.id {
+            return Err(hrpc_error("Unauthorized"));
+        }
+
+        self.kube_controller
+            .create_environment_preview_url(user.id, environment, request)
+            .await
+            .map_err(HrpcError::from)
+    }
+
+    async fn get_environment_preview_urls(
+        &self,
+        headers: &axum::http::HeaderMap,
+        org_id: Uuid,
+        environment_id: Uuid,
+    ) -> Result<Vec<lapdev_common::kube::KubeEnvironmentPreviewUrl>, HrpcError> {
+        let user = self.authorize(headers, org_id, None).await?;
+        self.kube_controller
+            .get_environment_preview_urls(org_id, user.id, environment_id)
+            .await
+            .map_err(HrpcError::from)
+    }
+
+    async fn update_environment_preview_url(
+        &self,
+        headers: &axum::http::HeaderMap,
+        org_id: Uuid,
+        preview_url_id: Uuid,
+        request: lapdev_common::kube::UpdateKubeEnvironmentPreviewUrlRequest,
+    ) -> Result<lapdev_common::kube::KubeEnvironmentPreviewUrl, HrpcError> {
+        let preview_url = self
+            .db
+            .get_environment_preview_url(preview_url_id)
+            .await
+            .map_err(hrpc_from_db_err)?
+            .ok_or_else(|| hrpc_error("Preview URL not found"))?;
+
+        let environment = self
+            .db
+            .get_kube_environment(preview_url.environment_id)
+            .await
+            .map_err(hrpc_from_db_err)?
+            .ok_or_else(|| hrpc_error("Environment not found"))?;
+
+        if environment.organization_id != org_id {
+            return Err(hrpc_error(
+                "Environment does not belong to the organization",
+            ));
+        }
+
+        let required_role = environment.is_shared.then_some(UserRole::Admin);
+        let user = self.authorize(headers, org_id, required_role).await?;
+
+        if !environment.is_shared && environment.user_id != user.id {
+            return Err(hrpc_error("Unauthorized"));
+        }
+
+        self.kube_controller
+            .update_environment_preview_url(preview_url_id, request)
+            .await
+            .map_err(HrpcError::from)
+    }
+
+    async fn delete_environment_preview_url(
+        &self,
+        headers: &axum::http::HeaderMap,
+        org_id: Uuid,
+        preview_url_id: Uuid,
+    ) -> Result<(), HrpcError> {
+        let preview_url = self
+            .db
+            .get_environment_preview_url(preview_url_id)
+            .await
+            .map_err(hrpc_from_db_err)?
+            .ok_or_else(|| hrpc_error("Preview URL not found"))?;
+
+        let environment = self
+            .db
+            .get_kube_environment(preview_url.environment_id)
+            .await
+            .map_err(hrpc_from_db_err)?
+            .ok_or_else(|| hrpc_error("Environment not found"))?;
+
+        if environment.organization_id != org_id {
+            return Err(hrpc_error(
+                "Environment does not belong to the organization",
+            ));
+        }
+
+        let required_role = environment.is_shared.then_some(UserRole::Admin);
+        let user = self.authorize(headers, org_id, required_role).await?;
+
+        if !environment.is_shared && environment.user_id != user.id {
+            return Err(hrpc_error("Unauthorized"));
+        }
+
+        self.kube_controller
+            .delete_environment_preview_url(preview_url_id)
+            .await
+            .map_err(HrpcError::from)
+    }
+}
+
+struct ActiveDevboxSessionContext {
+    user: lapdev_db_entities::user::Model,
+    session: lapdev_db_entities::kube_devbox_session::Model,
+    authenticated_at: Option<DateTime<Utc>>,
+    expires_at: Option<DateTime<Utc>>,
+}
+
+impl CoreState {
+    async fn hrpc_authenticate_user(
+        &self,
+        headers: &axum::http::HeaderMap,
+    ) -> Result<lapdev_db_entities::user::Model, HrpcError> {
+        self.authenticate_raw(headers)
+            .await
+            .map_err(hrpc_from_api_error)
+    }
+
+    async fn hrpc_resolve_active_devbox_session(
+        &self,
+        headers: &axum::http::HeaderMap,
+    ) -> Result<ActiveDevboxSessionContext, HrpcError> {
+        if let Some(value) = headers.get(axum::http::header::AUTHORIZATION) {
+            let value = value
+                .to_str()
+                .map_err(|_| hrpc_error("Invalid Authorization header"))?;
+
+            if let Some(token) = value.strip_prefix("Bearer ") {
+                let bearer = headers::Authorization::bearer(token)
+                    .map_err(|_| hrpc_error("Invalid bearer token"))?;
+                let ctx = self
+                    .authenticate_bearer(&bearer)
+                    .await
+                    .map_err(hrpc_from_api_error)?;
+
+                let session = self
+                    .db
+                    .get_devbox_session_by_token_hash(token)
+                    .await
+                    .map_err(hrpc_from_anyhow)?
+                    .ok_or_else(|| hrpc_error("Active session not found"))?;
+
+                self.db
+                    .update_devbox_session_last_used(session.user_id)
+                    .await
+                    .map_err(hrpc_from_anyhow)?;
+
+                return Ok(ActiveDevboxSessionContext {
+                    user: ctx.user,
+                    session,
+                    authenticated_at: parse_claim_datetime(&ctx.token_claims, "iat"),
+                    expires_at: parse_claim_datetime(&ctx.token_claims, "exp"),
+                });
+            }
+        }
+
+        let user = self.hrpc_authenticate_user(headers).await?;
+        let session = self
+            .db
+            .get_active_devbox_session(user.id)
+            .await
+            .map_err(hrpc_from_anyhow)?
+            .ok_or_else(|| hrpc_error("No active devbox session"))?;
+
+        self.db
+            .update_devbox_session_last_used(session.user_id)
+            .await
+            .map_err(hrpc_from_anyhow)?;
+
+        Ok(ActiveDevboxSessionContext {
+            authenticated_at: Some(session.created_at.with_timezone(&Utc)),
+            expires_at: Some(session.expires_at.with_timezone(&Utc)),
+            user,
+            session,
+        })
+    }
+
+    async fn ensure_environment_access(
+        &self,
+        user: &lapdev_db_entities::user::Model,
+        environment: &lapdev_db_entities::kube_environment::Model,
+    ) -> Result<(), HrpcError> {
+        if environment.user_id == user.id {
+            return Ok(());
+        }
+
+        if environment.is_shared {
+            self.db
+                .get_organization_member(user.id, environment.organization_id)
+                .await
+                .map(|_| ())
+                .map_err(|_| hrpc_error("Unauthorized"))
+        } else {
+            Err(hrpc_error("Unauthorized"))
+        }
+    }
+}
+
+fn hrpc_error<E: ToString>(err: E) -> HrpcError {
+    HrpcError {
+        error: err.to_string(),
+    }
+}
+
+fn hrpc_from_anyhow<E: ToString>(err: E) -> HrpcError {
+    hrpc_error(err)
+}
+
+fn hrpc_from_api_error(err: ApiError) -> HrpcError {
+    hrpc_error(err)
+}
+
+fn hrpc_from_db_err(err: DbErr) -> HrpcError {
+    hrpc_error(err)
+}
+
+fn parse_claim_datetime(claims: &Claims, key: &str) -> Option<DateTime<Utc>> {
+    claims
+        .get_claim(key)
+        .and_then(|value| serde_json::from_value::<String>(value.clone()).ok())
+        .and_then(|value| chrono::DateTime::parse_from_rfc3339(&value).ok())
+        .map(|dt| dt.with_timezone(&Utc))
+}
diff --git a/crates/api/src/kube.rs b/crates/api/src/kube.rs
new file mode 100644
index 0000000..a7589b8
--- /dev/null
+++ b/crates/api/src/kube.rs
@@ -0,0 +1,405 @@
+use std::{net::SocketAddr, sync::Arc};
+
+use axum::{
+    extract::{ws::WebSocket, Path, State, WebSocketUpgrade},
+    http::HeaderMap,
+    response::Response,
+};
+use futures::{future::BoxFuture, StreamExt};
+use lapdev_common::{
+    devbox::DirectTunnelConfig,
+    kube::{KUBE_CLUSTER_TOKEN_HEADER, KUBE_ENVIRONMENT_TOKEN_HEADER},
+    token::HashedToken,
+};
+use lapdev_kube::server::{DirectConfigProvider, KubeClusterServer};
+use lapdev_kube_rpc::{KubeClusterRpc, KubeManagerRpcClient};
+use lapdev_rpc::{error::ApiError, spawn_twoway};
+use lapdev_tunnel::{
+    relay_client_addr, relay_server_addr, run_tunnel_server_with_connector,
+    websocket_serde_transport_from_socket, DynTunnelStream, RelayEndpoint, TunnelClient,
+    TunnelError, TunnelMode, TunnelTarget, WebSocketUdpSocket,
+};
+use secrecy::ExposeSecret;
+use tarpc::{
+    context,
+    server::{BaseChannel, Channel},
+};
+use uuid::Uuid;
+
+use crate::{
+    devbox_tunnels::split_axum_websocket, state::CoreState, websocket_socket::AxumBinarySocket,
+};
+
+struct CliDirectConfigProvider {
+    state: Arc<CoreState>,
+}
+
+impl CliDirectConfigProvider {
+    fn new(state: Arc<CoreState>) -> Self {
+        Self { state }
+    }
+}
+
+impl DirectConfigProvider for CliDirectConfigProvider {
+    fn request_direct_config(
+        &self,
+        user_id: Uuid,
+        stun_observed_addr: Option<SocketAddr>,
+    ) -> BoxFuture<'static, Result<Option<DirectTunnelConfig>, String>> {
+        let state = self.state.clone();
+        Box::pin(async move {
+            let rpc_client = {
+                let sessions = state.active_devbox_sessions.read().await;
+                sessions.get(&user_id).and_then(|entries| {
+                    entries
+                        .values()
+                        .rev()
+                        .next()
+                        .map(|handle| handle.rpc_client.clone())
+                })
+            };
+
+            let Some(client) = rpc_client else {
+                return Err("No active Devbox CLI session found for user".to_string());
+            };
+
+            client
+                .request_direct_config(context::current(), user_id, stun_observed_addr)
+                .await
+                .map_err(|err| {
+                    format!(
+                        "Failed to dispatch request_direct_config RPC to Devbox CLI: {}",
+                        err
+                    )
+                })?
+        })
+    }
+}
+
+pub async fn kube_cluster_rpc_websocket(
+    websocket: WebSocketUpgrade,
+    headers: HeaderMap,
+    State(state): State<Arc<CoreState>>,
+) -> Result<Response, ApiError> {
+    tracing::debug!("now handle kube_cluster_websocket");
+    let token = headers
+        .get(KUBE_CLUSTER_TOKEN_HEADER)
+        .ok_or(ApiError::Unauthenticated)?
+        .to_str()?;
+    let token = HashedToken::parse(token);
+    let token = state
+        .db
+        .get_kube_token(token.expose_secret())
+        .await?
+        .ok_or(ApiError::Unauthenticated)?;
+
+    state.db.update_kube_token_last_used(token.id).await?;
+    let cluster = state
+        .db
+        .get_kube_cluster(token.cluster_id)
+        .await?
+        .ok_or_else(|| {
+            ApiError::InternalError(format!("Cluster {} doesn't exist", token.cluster_id))
+        })?;
+
+    tracing::debug!("now handle cluster websocket");
+    Ok(handle_cluster_websocket(websocket, state, cluster.id))
+}
+
+fn handle_cluster_websocket(
+    websocket: WebSocketUpgrade,
+    state: Arc<CoreState>,
+    cluster_id: Uuid,
+) -> Response {
+    websocket
+        .on_failed_upgrade(|e| tracing::error!("websocket upgrade failed {e:?}"))
+        .on_upgrade(move |socket| async move {
+            handle_cluster_rpc(socket, state, cluster_id).await;
+        })
+}
+
+async fn handle_cluster_rpc(socket: WebSocket, state: Arc<CoreState>, cluster_id: Uuid) {
+    let socket = AxumBinarySocket::new(socket);
+    let transport = websocket_serde_transport_from_socket(
+        socket,
+        tarpc::tokio_serde::formats::Bincode::default(),
+    );
+    let (server_chan, client_chan, _) = spawn_twoway(transport);
+    let rpc_client =
+        KubeManagerRpcClient::new(tarpc::client::Config::default(), client_chan).spawn();
+    let direct_config_provider: Arc<dyn DirectConfigProvider> =
+        Arc::new(CliDirectConfigProvider::new(state.clone()));
+    let rpc_server = KubeClusterServer::new(
+        cluster_id,
+        rpc_client,
+        state.db.clone(),
+        state.kube_controller.kube_cluster_servers.clone(),
+        state.kube_controller.kube_cluster_server_generation.clone(),
+        state.kube_controller.tunnel_registry.clone(),
+        direct_config_provider,
+    );
+
+    let fut = {
+        let rpc_server = rpc_server.clone();
+        tokio::spawn(async move {
+            BaseChannel::with_defaults(server_chan)
+                .execute(rpc_server.serve())
+                .for_each(|resp| async move {
+                    tokio::spawn(resp);
+                })
+                .await;
+        })
+    };
+
+    rpc_server.register().await;
+    let _ = fut.await;
+    rpc_server.unregister().await;
+}
+
+pub async fn kube_data_plane_websocket(
+    websocket: WebSocketUpgrade,
+    headers: HeaderMap,
+    State(state): State<Arc<CoreState>>,
+) -> Result<Response, ApiError> {
+    tracing::debug!("Handling data plane WebSocket connection");
+    let raw_token = headers
+        .get(KUBE_CLUSTER_TOKEN_HEADER)
+        .ok_or(ApiError::Unauthenticated)?
+        .to_str()?
+        .to_owned();
+    let token = HashedToken::parse(&raw_token);
+    let token = state
+        .db
+        .get_kube_token(token.expose_secret())
+        .await?
+        .ok_or(ApiError::Unauthenticated)?;
+
+    state.db.update_kube_token_last_used(token.id).await?;
+    let cluster = state
+        .db
+        .get_kube_cluster(token.cluster_id)
+        .await?
+        .ok_or_else(|| {
+            ApiError::InternalError(format!("Cluster {} doesn't exist", token.cluster_id))
+        })?;
+
+    tracing::debug!("Handling data plane WebSocket for cluster: {}", cluster.id);
+    Ok(handle_data_plane_websocket(
+        websocket, state, cluster.id, raw_token,
+    ))
+}
+
+fn handle_data_plane_websocket(
+    websocket: WebSocketUpgrade,
+    state: Arc<CoreState>,
+    cluster_id: Uuid,
+    token: String,
+) -> Response {
+    websocket
+        .on_failed_upgrade(|e| tracing::error!("data plane websocket upgrade failed {e:?}"))
+        .on_upgrade(move |socket| {
+            let token = token.clone();
+            async move {
+                handle_data_plane_tunnel(socket, state, cluster_id, token).await;
+            }
+        })
+}
+
+async fn handle_data_plane_tunnel(
+    socket: WebSocket,
+    state: Arc<CoreState>,
+    cluster_id: Uuid,
+    token: String,
+) {
+    tracing::info!("Data plane tunnel established for cluster: {}", cluster_id);
+
+    let (sink, stream) = split_axum_websocket(socket);
+    let udp_socket =
+        WebSocketUdpSocket::from_parts(sink, stream, relay_server_addr(), relay_client_addr());
+
+    let connection = match RelayEndpoint::udp_server_connection(udp_socket).await {
+        Ok(connection) => connection,
+        Err(err) => {
+            tracing::warn!(
+                cluster_id = %cluster_id,
+                error = %err,
+                "Failed to negotiate QUIC transport for data plane tunnel"
+            );
+            return;
+        }
+    };
+
+    let tunnel_client = Arc::new(TunnelClient::new_relay(connection));
+
+    let generation = state
+        .kube_controller
+        .tunnel_registry
+        .register_client(cluster_id, Arc::clone(&tunnel_client))
+        .await;
+
+    tracing::info!(
+        "Tunnel client registered for cluster {}; waiting for disconnect",
+        cluster_id
+    );
+
+    tunnel_client.closed().await;
+
+    tracing::info!("Data plane tunnel closed for cluster: {}", cluster_id);
+    state
+        .kube_controller
+        .tunnel_registry
+        .remove_client(cluster_id, generation)
+        .await;
+}
+
+pub async fn sidecar_tunnel_websocket(
+    Path((environment_id, workload_id)): Path<(Uuid, Uuid)>,
+    headers: HeaderMap,
+    websocket: WebSocketUpgrade,
+    State(state): State<Arc<CoreState>>,
+) -> Result<Response, ApiError> {
+    tracing::debug!(
+        "Handling sidecar tunnel WebSocket for environment {} workload {}",
+        environment_id,
+        workload_id
+    );
+
+    // Get the environment auth token from headers
+    let auth_token = extract_environment_token(&headers)?;
+
+    // Get the environment and validate auth token
+    let environment = state
+        .db
+        .get_kube_environment(environment_id)
+        .await?
+        .ok_or(ApiError::Unauthenticated)?;
+
+    // Validate the auth token matches
+    if auth_token != environment.auth_token {
+        return Err(ApiError::Unauthenticated);
+    }
+
+    tracing::debug!(
+        "Sidecar authenticated for environment {} workload {} using auth token",
+        environment.id,
+        workload_id
+    );
+
+    let user_id = environment.user_id;
+    let registry = state.devbox_tunnels.clone();
+
+    Ok(websocket.on_upgrade(move |socket| {
+        let registry = registry.clone();
+        async move {
+            if let Err(err) = registry.attach_sidecar(user_id, socket).await {
+                tracing::warn!(
+                    user_id = %user_id,
+                    environment_id = %environment_id,
+                    workload_id = %workload_id,
+                    error = %err,
+                    "Sidecar tunnel terminated with error"
+                );
+            }
+        }
+    }))
+}
+
+fn extract_environment_token(headers: &HeaderMap) -> Result<&str, ApiError> {
+    headers
+        .get(KUBE_ENVIRONMENT_TOKEN_HEADER)
+        .ok_or(ApiError::Unauthenticated)?
+        .to_str()
+        .map_err(|_| ApiError::Unauthenticated)
+}
+
+pub async fn devbox_proxy_tunnel_websocket(
+    Path(environment_id): Path<Uuid>,
+    headers: HeaderMap,
+    websocket: WebSocketUpgrade,
+    State(state): State<Arc<CoreState>>,
+) -> Result<Response, ApiError> {
+    tracing::debug!(
+        "Handling devbox proxy tunnel WebSocket for environment {}",
+        environment_id
+    );
+
+    // Get the environment auth token from headers
+    let auth_token = headers
+        .get(KUBE_ENVIRONMENT_TOKEN_HEADER)
+        .ok_or(ApiError::Unauthenticated)?
+        .to_str()
+        .map_err(|_| ApiError::Unauthenticated)?;
+
+    // Get the environment and validate auth token
+    let environment = state
+        .db
+        .get_kube_environment(environment_id)
+        .await?
+        .ok_or(ApiError::Unauthenticated)?;
+
+    // Validate the auth token matches
+    if auth_token != environment.auth_token {
+        return Err(ApiError::Unauthenticated);
+    }
+
+    tracing::info!(
+        "Devbox proxy authenticated for environment {} using auth token",
+        environment.id
+    );
+
+    let cluster_id = environment.cluster_id;
+    let auth_token = environment.auth_token.clone();
+    let tunnel_registry = state.kube_controller.tunnel_registry.clone();
+
+    Ok(websocket.on_upgrade(move |socket| {
+        let registry = tunnel_registry.clone();
+        let token = auth_token.clone();
+        async move {
+            match registry.get_client(cluster_id).await {
+                Some(client) if !client.is_closed() => {
+                    serve_devbox_proxy_tunnel(socket, client, token).await;
+                }
+                _ => {
+                    tracing::warn!(
+                        "No active cluster tunnel available for devbox proxy environment {} (cluster {})",
+                        environment_id,
+                        cluster_id
+                    );
+                }
+            }
+        }
+    }))
+}
+
+async fn serve_devbox_proxy_tunnel(
+    socket: WebSocket,
+    cluster_client: Arc<TunnelClient>,
+    token: String,
+) {
+    let (sink, stream) = split_axum_websocket(socket);
+    let udp_socket =
+        WebSocketUdpSocket::from_parts(sink, stream, relay_server_addr(), relay_client_addr());
+
+    let connection = match RelayEndpoint::udp_server_connection(udp_socket).await {
+        Ok(connection) => connection,
+        Err(err) => {
+            tracing::warn!("Failed to negotiate QUIC relay for devbox proxy: {}", err);
+            return;
+        }
+    };
+
+    let connector_client = cluster_client.clone();
+
+    let connector = move |target: TunnelTarget| {
+        let client = connector_client.clone();
+        async move {
+            let TunnelTarget { host, port } = target;
+            let stream = client.connect_tcp(host, port).await?;
+            Ok::<DynTunnelStream, TunnelError>(Box::new(stream) as DynTunnelStream)
+        }
+    };
+
+    if let Err(err) = run_tunnel_server_with_connector(connection, connector).await {
+        tracing::warn!("Devbox proxy tunnel terminated with error: {}", err);
+    }
+}
diff --git a/crates/api/src/kube_controller/app_catalog.rs b/crates/api/src/kube_controller/app_catalog.rs
new file mode 100644
index 0000000..81052ed
--- /dev/null
+++ b/crates/api/src/kube_controller/app_catalog.rs
@@ -0,0 +1,1020 @@
+use k8s_openapi::api::core::v1::{ConfigMap, Secret, Service};
+use k8s_openapi::apimachinery::pkg::util::intstr::IntOrString;
+use lapdev_common::kube::{
+    KubeAppCatalog, KubeAppCatalogWorkload, KubeAppCatalogWorkloadCreate, KubeServiceDetails,
+    KubeServiceWithYaml, KubeWorkloadDetails, PagePaginationParams, PaginatedInfo, PaginatedResult,
+    ProxyPortRoute, DEFAULT_SIDECAR_PROXY_METRICS_PORT, DEFAULT_SIDECAR_PROXY_PORT,
+    SIDECAR_PROXY_DYNAMIC_PORT_START,
+};
+use lapdev_db::api::{CachedClusterService, NewEnvironmentWorkload};
+use lapdev_db_entities::kube_app_catalog_workload_dependency;
+use lapdev_kube_rpc::{
+    KubeWorkloadYamlOnly, KubeWorkloadsWithResources, NamespacedResourceRequest,
+    NamespacedResourceResponse,
+};
+use lapdev_rpc::error::ApiError;
+use sea_orm::{ColumnTrait, EntityTrait, QueryFilter, TransactionTrait};
+use std::collections::{HashMap, HashSet};
+use std::convert::TryFrom;
+use uuid::Uuid;
+
+use crate::kube_controller::resources::clean_service;
+
+use super::{
+    resources::{clean_configmap, clean_secret, rebuild_workload_yaml, SidecarInjectionOptions},
+    yaml_parser::build_workload_details_from_yaml,
+    KubeController,
+};
+use chrono::Utc;
+
+pub struct SidecarInjectionContext<'a> {
+    pub environment_id: Uuid,
+    pub namespace: &'a str,
+    pub auth_token: &'a str,
+    pub manager_namespace: Option<&'a str>,
+}
+
+struct PreparedWorkloads {
+    workload_yamls: Vec<KubeWorkloadYamlOnly>,
+    proxy_routes: HashMap<Uuid, Vec<ProxyPortRoute>>,
+    workloads_for_details: Vec<KubeAppCatalogWorkload>,
+    env_workload_ids: HashMap<Uuid, Uuid>,
+}
+
+impl KubeController {
+    pub(super) async fn enrich_workloads_with_details(
+        &self,
+        cluster_id: Uuid,
+        workloads: Vec<lapdev_common::kube::KubeAppCatalogWorkloadCreate>,
+    ) -> Result<Vec<KubeWorkloadDetails>, ApiError> {
+        // Get cluster connection
+        let cluster_server = self
+            .get_random_kube_cluster_server(cluster_id)
+            .await
+            .ok_or_else(|| {
+                ApiError::InvalidRequest("No connected KubeManager for this cluster".to_string())
+            })?;
+
+        // Convert to WorkloadIdentifier for RPC call
+        let workload_identifiers: Vec<lapdev_kube_rpc::WorkloadIdentifier> = workloads
+            .iter()
+            .map(|w| lapdev_kube_rpc::WorkloadIdentifier {
+                name: w.name.clone(),
+                namespace: w.namespace.clone(),
+                kind: w.kind.clone(),
+            })
+            .collect();
+
+        let raw_workloads = cluster_server
+            .rpc_client
+            .get_workloads_raw_yaml(Self::kube_manager_rpc_context(), workload_identifiers)
+            .await
+            .map_err(|e| ApiError::InvalidRequest(format!("Failed to get workload YAML: {}", e)))?
+            .map_err(|e| ApiError::InvalidRequest(format!("KubeManager error: {}", e)))?;
+
+        let mut namespaces: HashSet<String> =
+            raw_workloads.iter().map(|w| w.namespace.clone()).collect();
+        namespaces.extend(workloads.iter().map(|w| w.namespace.clone()));
+
+        let mut services_cache: HashMap<String, Vec<CachedClusterService>> = HashMap::new();
+        for namespace in namespaces {
+            let services = self
+                .db
+                .get_active_cluster_services(cluster_id, &namespace)
+                .await
+                .map_err(ApiError::from)?;
+            services_cache.insert(namespace, services);
+        }
+
+        let mut results = Vec::with_capacity(raw_workloads.len());
+        for raw in raw_workloads {
+            let services = services_cache
+                .get(&raw.namespace)
+                .map(|s| s.as_slice())
+                .unwrap_or(&[]);
+            match build_workload_details_from_yaml(raw, services) {
+                Ok(details) => results.push(details),
+                Err(err) => {
+                    return Err(ApiError::InvalidRequest(format!(
+                        "Failed to process workload YAML: {}",
+                        err
+                    )))
+                }
+            }
+        }
+
+        Ok(results)
+    }
+
+    /// Build KubeWorkloadsWithResources from database-cached catalog data.
+    /// This retrieves workload YAML and services from the database cache instead of querying Kubernetes.
+    /// Much faster and doesn't require connectivity to the source cluster.
+    /// Uses workload label and service selector tables to find only services that select the workloads' pods.
+    pub(super) async fn get_catalog_workloads_with_yaml_from_db(
+        &self,
+        cluster_id: Uuid,
+        workloads: Vec<KubeAppCatalogWorkload>,
+        injection_ctx: &SidecarInjectionContext<'_>,
+    ) -> Result<(KubeWorkloadsWithResources, Vec<NewEnvironmentWorkload>), ApiError> {
+        let workload_ids: Vec<Uuid> = workloads.iter().map(|w| w.id).collect();
+        let services_by_workload = self
+            .load_services_for_catalog_workloads(cluster_id, &workload_ids)
+            .await?;
+
+        let PreparedWorkloads {
+            workload_yamls,
+            proxy_routes,
+            workloads_for_details,
+            env_workload_ids,
+        } = self.prepare_workloads_from_cache(&workloads, &services_by_workload, injection_ctx)?;
+
+        let services_map =
+            self.prepare_services_from_cache(&services_by_workload, &proxy_routes)?;
+
+        let (configmaps_map, secrets_map) = self
+            .fetch_dependency_resources(cluster_id, &workload_ids)
+            .await?;
+
+        tracing::info!(
+            "Built catalog workload resources from DB: {} workloads, {} services, {} configmaps, {} secrets (cluster: {})",
+            workload_yamls.len(),
+            services_map.len(),
+            configmaps_map.len(),
+            secrets_map.len(),
+            cluster_id,
+        );
+
+        let workload_details = Self::prepare_workload_details_from_catalog(
+            workloads_for_details,
+            injection_ctx.namespace,
+            &env_workload_ids,
+        )?;
+
+        Ok((
+            KubeWorkloadsWithResources {
+                workloads: workload_yamls,
+                services: services_map,
+                configmaps: configmaps_map,
+                secrets: secrets_map,
+            },
+            workload_details,
+        ))
+    }
+
+    async fn load_services_for_catalog_workloads(
+        &self,
+        cluster_id: Uuid,
+        workload_ids: &[Uuid],
+    ) -> Result<HashMap<Uuid, Vec<CachedClusterService>>, ApiError> {
+        self.db
+            .get_services_for_catalog_workloads(cluster_id, workload_ids)
+            .await
+            .map_err(ApiError::from)
+    }
+
+    fn prepare_workloads_from_cache(
+        &self,
+        workloads: &[KubeAppCatalogWorkload],
+        services_by_workload: &HashMap<Uuid, Vec<CachedClusterService>>,
+        injection_ctx: &SidecarInjectionContext<'_>,
+    ) -> Result<PreparedWorkloads, ApiError> {
+        let mut workload_yamls = Vec::with_capacity(workloads.len());
+        let mut proxy_routes: HashMap<Uuid, Vec<ProxyPortRoute>> = HashMap::new();
+        let mut workloads_for_details = Vec::with_capacity(workloads.len());
+        let mut env_workload_ids: HashMap<Uuid, Uuid> = HashMap::with_capacity(workloads.len());
+
+        for workload in workloads {
+            if workload.workload_yaml.trim().is_empty() {
+                return Err(ApiError::InvalidRequest(format!(
+                    "Workload '{}' has no cached YAML in database",
+                    workload.name
+                )));
+            }
+
+            let routes = Self::build_proxy_routes(
+                services_by_workload
+                    .get(&workload.id)
+                    .map(|services| services.as_slice()),
+            );
+
+            let env_workload_id = *env_workload_ids
+                .entry(workload.id)
+                .or_insert_with(Uuid::new_v4);
+
+            let raw_yaml = workload.workload_yaml.clone();
+            let sidecar_options = SidecarInjectionOptions {
+                environment_id: injection_ctx.environment_id,
+                workload_id: env_workload_id,
+                namespace: injection_ctx.namespace,
+                auth_token: injection_ctx.auth_token,
+                manager_namespace: injection_ctx.manager_namespace,
+                proxy_routes: routes.as_slice(),
+            };
+
+            let rebuilt_yaml = rebuild_workload_yaml(
+                &workload.kind,
+                &raw_yaml,
+                &workload.containers,
+                Some(&sidecar_options),
+            )
+            .map_err(|err| {
+                ApiError::InvalidRequest(format!(
+                    "Failed to reconstruct workload YAML for '{}': {}",
+                    workload.name, err
+                ))
+            })?;
+
+            let mut workload_for_details = workload.clone();
+            workload_for_details.workload_yaml = rebuilt_yaml.clone();
+            workloads_for_details.push(workload_for_details);
+
+            let workload_yaml_only = Self::to_workload_yaml_only(&workload.kind, rebuilt_yaml);
+            workload_yamls.push(workload_yaml_only);
+
+            if !routes.is_empty() {
+                proxy_routes.insert(workload.id, routes);
+            }
+        }
+
+        Ok(PreparedWorkloads {
+            workload_yamls,
+            proxy_routes,
+            workloads_for_details,
+            env_workload_ids,
+        })
+    }
+
+    fn prepare_services_from_cache(
+        &self,
+        services_by_workload: &HashMap<Uuid, Vec<CachedClusterService>>,
+        proxy_routes: &HashMap<Uuid, Vec<ProxyPortRoute>>,
+    ) -> Result<HashMap<String, KubeServiceWithYaml>, ApiError> {
+        let mut services_map = HashMap::new();
+
+        for services in services_by_workload.values() {
+            for service in services {
+                if services_map.contains_key(&service.name) {
+                    continue;
+                }
+
+                let ports = service.ports.clone();
+                let selector = service.selector.clone();
+                let parsed: Service =
+                    serde_yaml::from_str(&service.service_yaml).map_err(|err| {
+                        ApiError::InvalidRequest(format!(
+                            "Failed to parse cached Service '{}' YAML: {}",
+                            service.name, err
+                        ))
+                    })?;
+                let cleaned = clean_service(parsed);
+                let cleaned_yaml = serde_yaml::to_string(&cleaned).map_err(|err| {
+                    ApiError::InvalidRequest(format!(
+                        "Failed to serialize cleaned Service '{}' YAML: {}",
+                        service.name, err
+                    ))
+                })?;
+
+                services_map.insert(
+                    service.name.clone(),
+                    KubeServiceWithYaml {
+                        yaml: cleaned_yaml,
+                        details: KubeServiceDetails {
+                            name: service.name.clone(),
+                            ports,
+                            selector,
+                        },
+                    },
+                );
+            }
+        }
+
+        for (workload_id, routes) in proxy_routes {
+            if let Some(services) = services_by_workload.get(workload_id) {
+                for service in services {
+                    if let Some(entry) = services_map.get_mut(&service.name) {
+                        rewrite_service_for_sidecar(entry, routes)?;
+                    }
+                }
+            }
+        }
+
+        Ok(services_map)
+    }
+
+    async fn fetch_dependency_resources(
+        &self,
+        cluster_id: Uuid,
+        workload_ids: &[Uuid],
+    ) -> Result<(HashMap<String, String>, HashMap<String, String>), ApiError> {
+        if workload_ids.is_empty() {
+            return Ok((HashMap::new(), HashMap::new()));
+        }
+
+        let dependency_rows = kube_app_catalog_workload_dependency::Entity::find()
+            .filter(
+                kube_app_catalog_workload_dependency::Column::WorkloadId
+                    .is_in(workload_ids.to_vec()),
+            )
+            .filter(kube_app_catalog_workload_dependency::Column::DeletedAt.is_null())
+            .all(&self.db.conn)
+            .await
+            .map_err(ApiError::from)?;
+
+        let mut dependency_requests: HashMap<String, (HashSet<String>, HashSet<String>)> =
+            HashMap::new();
+
+        for row in dependency_rows {
+            let entry = dependency_requests
+                .entry(row.namespace.clone())
+                .or_default();
+            match row.resource_type.as_str() {
+                "configmap" => {
+                    entry.0.insert(row.resource_name.clone());
+                }
+                "secret" => {
+                    entry.1.insert(row.resource_name.clone());
+                }
+                _ => {}
+            }
+        }
+
+        if dependency_requests.is_empty() {
+            return Ok((HashMap::new(), HashMap::new()));
+        }
+
+        let cluster_server = self
+            .get_random_kube_cluster_server(cluster_id)
+            .await
+            .ok_or_else(|| {
+                ApiError::InvalidRequest(
+                    "No connected KubeManager for the app catalog's source cluster".to_string(),
+                )
+            })?;
+
+        let requests: Vec<NamespacedResourceRequest> = dependency_requests
+            .into_iter()
+            .map(
+                |(namespace, (configmaps, secrets))| NamespacedResourceRequest {
+                    namespace,
+                    configmaps: configmaps.into_iter().collect(),
+                    secrets: secrets.into_iter().collect(),
+                },
+            )
+            .collect();
+
+        if requests.is_empty() {
+            return Ok((HashMap::new(), HashMap::new()));
+        }
+
+        let responses = match cluster_server
+            .rpc_client
+            .get_namespaced_resources(Self::kube_manager_rpc_context(), requests)
+            .await
+        {
+            Ok(Ok(res)) => res,
+            Ok(Err(e)) => {
+                return Err(ApiError::InvalidRequest(format!(
+                    "Failed to fetch ConfigMaps/Secrets: {e}"
+                )))
+            }
+            Err(e) => {
+                return Err(ApiError::InvalidRequest(format!(
+                    "Connection error to source cluster: {e}"
+                )))
+            }
+        };
+
+        Self::extract_dependency_resources(responses)
+    }
+
+    fn build_proxy_routes(services: Option<&[CachedClusterService]>) -> Vec<ProxyPortRoute> {
+        let mut routes = Vec::new();
+
+        if let Some(services) = services {
+            let mut assigned_ports: HashMap<(u16, u16), u16> = HashMap::new();
+            let mut used_proxy_ports: HashSet<u16> = HashSet::new();
+            used_proxy_ports.insert(DEFAULT_SIDECAR_PROXY_PORT);
+            used_proxy_ports.insert(DEFAULT_SIDECAR_PROXY_METRICS_PORT);
+            let mut next_proxy_port = u32::from(SIDECAR_PROXY_DYNAMIC_PORT_START);
+
+            for service in services {
+                for port in &service.ports {
+                    let service_port = match u16::try_from(port.port) {
+                        Ok(port) if port > 0 => port,
+                        _ => continue,
+                    };
+
+                    let raw_target = port.original_target_port.or(port.target_port);
+                    let target_port = match raw_target {
+                        Some(value) => match u16::try_from(value) {
+                            Ok(tp) if tp > 0 => tp,
+                            _ => continue,
+                        },
+                        None => {
+                            // TODO: support named targetPort values when the service uses port names.
+                            continue;
+                        }
+                    };
+
+                    let key = (service_port, target_port);
+                    let proxy_port = if let Some(existing) = assigned_ports.get(&key) {
+                        *existing
+                    } else {
+                        let allocated = loop {
+                            if next_proxy_port > u32::from(u16::MAX) {
+                                tracing::warn!(
+                                    service_port,
+                                    target_port,
+                                    "exhausted dynamic proxy port range; reusing service port for proxy"
+                                );
+                                break service_port;
+                            }
+
+                            let candidate = next_proxy_port as u16;
+                            next_proxy_port += 1;
+
+                            if candidate == service_port || candidate == target_port {
+                                continue;
+                            }
+
+                            if !used_proxy_ports.insert(candidate) {
+                                continue;
+                            }
+
+                            break candidate;
+                        };
+
+                        assigned_ports.insert(key, allocated);
+                        allocated
+                    };
+
+                    routes.push(ProxyPortRoute {
+                        proxy_port,
+                        service_port,
+                        target_port,
+                    });
+                }
+            }
+        }
+
+        routes
+    }
+
+    fn to_workload_yaml_only(
+        kind: &lapdev_common::kube::KubeWorkloadKind,
+        yaml: String,
+    ) -> KubeWorkloadYamlOnly {
+        match kind {
+            lapdev_common::kube::KubeWorkloadKind::Deployment => {
+                KubeWorkloadYamlOnly::Deployment(yaml)
+            }
+            lapdev_common::kube::KubeWorkloadKind::StatefulSet => {
+                KubeWorkloadYamlOnly::StatefulSet(yaml)
+            }
+            lapdev_common::kube::KubeWorkloadKind::DaemonSet => {
+                KubeWorkloadYamlOnly::DaemonSet(yaml)
+            }
+            lapdev_common::kube::KubeWorkloadKind::ReplicaSet => {
+                KubeWorkloadYamlOnly::ReplicaSet(yaml)
+            }
+            lapdev_common::kube::KubeWorkloadKind::Pod => KubeWorkloadYamlOnly::Pod(yaml),
+            lapdev_common::kube::KubeWorkloadKind::Job => KubeWorkloadYamlOnly::Job(yaml),
+            lapdev_common::kube::KubeWorkloadKind::CronJob => KubeWorkloadYamlOnly::CronJob(yaml),
+        }
+    }
+
+    fn extract_dependency_resources(
+        responses: Vec<NamespacedResourceResponse>,
+    ) -> Result<(HashMap<String, String>, HashMap<String, String>), ApiError> {
+        let mut configmaps_map: HashMap<String, String> = HashMap::new();
+        let mut secrets_map: HashMap<String, String> = HashMap::new();
+
+        for response in responses {
+            for (name, yaml) in response.configmaps {
+                let parsed: ConfigMap = serde_yaml::from_str(&yaml).map_err(|err| {
+                    ApiError::InvalidRequest(format!(
+                        "Failed to parse ConfigMap '{name}' from namespace {}: {err}",
+                        response.namespace
+                    ))
+                })?;
+                let cleaned = clean_configmap(parsed);
+                let cleaned_yaml = serde_yaml::to_string(&cleaned).map_err(|err| {
+                    ApiError::InvalidRequest(format!(
+                        "Failed to serialize ConfigMap '{name}' from namespace {}: {err}",
+                        response.namespace
+                    ))
+                })?;
+                configmaps_map.insert(name, cleaned_yaml);
+            }
+
+            for (name, yaml) in response.secrets {
+                let parsed: Secret = serde_yaml::from_str(&yaml).map_err(|err| {
+                    ApiError::InvalidRequest(format!(
+                        "Failed to parse Secret '{name}' from namespace {}: {err}",
+                        response.namespace
+                    ))
+                })?;
+                let cleaned = clean_secret(parsed);
+                let cleaned_yaml = serde_yaml::to_string(&cleaned).map_err(|err| {
+                    ApiError::InvalidRequest(format!(
+                        "Failed to serialize Secret '{name}' from namespace {}: {err}",
+                        response.namespace
+                    ))
+                })?;
+                secrets_map.insert(name, cleaned_yaml);
+            }
+        }
+
+        Ok((configmaps_map, secrets_map))
+    }
+
+    pub async fn create_app_catalog(
+        &self,
+        org_id: Uuid,
+        user_id: Uuid,
+        cluster_id: Uuid,
+        name: String,
+        description: Option<String>,
+        workloads: Vec<lapdev_common::kube::KubeAppCatalogWorkloadCreate>,
+    ) -> Result<Uuid, ApiError> {
+        // Get enriched workload details from KubeManager
+        let enriched_workloads = self
+            .enrich_workloads_with_details(cluster_id, workloads)
+            .await?;
+
+        let namespaces: HashSet<String> = enriched_workloads
+            .iter()
+            .map(|workload| workload.namespace.clone())
+            .collect();
+
+        let catalog_id = self
+            .db
+            .create_app_catalog_with_enriched_workloads(
+                org_id,
+                user_id,
+                cluster_id,
+                name,
+                description,
+                enriched_workloads,
+            )
+            .await
+            .map_err(ApiError::from)?;
+
+        if !namespaces.is_empty() {
+            let cluster_servers = {
+                let servers = self.kube_cluster_servers.read().await;
+                servers
+                    .get(&cluster_id)
+                    .map(|entries| entries.values().cloned().collect::<Vec<_>>())
+            };
+
+            if let Some(cluster_servers) = cluster_servers {
+                for server in cluster_servers {
+                    for namespace in &namespaces {
+                        if let Err(err) = server.add_namespace_watch(namespace.clone()).await {
+                            tracing::warn!(
+                                cluster_id = %cluster_id,
+                                namespace = namespace.as_str(),
+                                error = ?err,
+                                "Failed to add namespace watch for catalog namespace"
+                            );
+                        }
+                    }
+                }
+            } else {
+                tracing::debug!(
+                    cluster_id = %cluster_id,
+                    "No connected KubeManager instances; skipping namespace watch add"
+                );
+            }
+        }
+
+        Ok(catalog_id)
+    }
+
+    pub async fn get_all_app_catalogs(
+        &self,
+        org_id: Uuid,
+        search: Option<String>,
+        pagination: Option<PagePaginationParams>,
+    ) -> Result<PaginatedResult<KubeAppCatalog>, ApiError> {
+        let pagination = pagination.unwrap_or_default();
+
+        let (catalogs_with_clusters, total_count) = self
+            .db
+            .get_all_app_catalogs_paginated(org_id, search, Some(pagination.clone()))
+            .await
+            .map_err(ApiError::from)?;
+
+        let app_catalogs = catalogs_with_clusters
+            .into_iter()
+            .filter_map(|(catalog, cluster)| {
+                let cluster = cluster?;
+                Some(KubeAppCatalog {
+                    id: catalog.id,
+                    name: catalog.name,
+                    description: catalog.description,
+                    created_at: catalog.created_at,
+                    created_by: catalog.created_by,
+                    cluster_id: catalog.cluster_id,
+                    cluster_name: cluster.name,
+                    last_sync_actor_id: catalog.last_sync_actor_id,
+                })
+            })
+            .collect();
+
+        let total_pages = (total_count + pagination.page_size - 1) / pagination.page_size;
+
+        Ok(PaginatedResult {
+            data: app_catalogs,
+            pagination_info: PaginatedInfo {
+                total_count,
+                page: pagination.page,
+                page_size: pagination.page_size,
+                total_pages,
+            },
+        })
+    }
+
+    pub async fn get_app_catalog(
+        &self,
+        org_id: Uuid,
+        catalog_id: Uuid,
+    ) -> Result<KubeAppCatalog, ApiError> {
+        // Get catalog with cluster info
+        let (catalog, cluster) = self
+            .db
+            .get_all_app_catalogs_paginated(org_id, None, None)
+            .await
+            .map_err(ApiError::from)?
+            .0
+            .into_iter()
+            .find(|(cat, _)| cat.id == catalog_id)
+            .ok_or_else(|| ApiError::InvalidRequest("App catalog not found".to_string()))?;
+
+        let cluster =
+            cluster.ok_or_else(|| ApiError::InvalidRequest("Cluster not found".to_string()))?;
+
+        Ok(KubeAppCatalog {
+            id: catalog.id,
+            name: catalog.name,
+            description: catalog.description,
+            created_at: catalog.created_at,
+            created_by: catalog.created_by,
+            cluster_id: catalog.cluster_id,
+            cluster_name: cluster.name,
+            last_sync_actor_id: catalog.last_sync_actor_id,
+        })
+    }
+
+    pub async fn get_app_catalog_workloads(
+        &self,
+        org_id: Uuid,
+        catalog_id: Uuid,
+    ) -> Result<Vec<KubeAppCatalogWorkload>, ApiError> {
+        // Verify catalog belongs to the organization
+        let catalog = self
+            .db
+            .get_app_catalog(catalog_id)
+            .await
+            .map_err(ApiError::from)?
+            .ok_or_else(|| ApiError::InvalidRequest("App catalog not found".to_string()))?;
+
+        if catalog.organization_id != org_id {
+            return Err(ApiError::Unauthorized);
+        }
+
+        self.db
+            .get_app_catalog_workloads(catalog_id)
+            .await
+            .map_err(ApiError::from)
+    }
+
+    pub async fn delete_app_catalog(&self, org_id: Uuid, catalog_id: Uuid) -> Result<(), ApiError> {
+        // Verify catalog belongs to the organization
+        let catalog = self
+            .db
+            .get_app_catalog(catalog_id)
+            .await
+            .map_err(ApiError::from)?
+            .ok_or_else(|| ApiError::InvalidRequest("App catalog not found".to_string()))?;
+
+        if catalog.organization_id != org_id {
+            return Err(ApiError::Unauthorized);
+        }
+
+        // Check for dependencies - kube_environment (any user's environments using this catalog)
+        let has_environments = self
+            .db
+            .check_app_catalog_has_environments(catalog_id)
+            .await
+            .map_err(ApiError::from)?;
+
+        if has_environments {
+            return Err(ApiError::InvalidRequest(
+                "Cannot delete app catalog: it has active environments. Please delete them first."
+                    .to_string(),
+            ));
+        }
+
+        // Soft delete the app catalog
+        self.db
+            .delete_app_catalog(catalog_id)
+            .await
+            .map_err(ApiError::from)?;
+
+        self.refresh_cluster_namespace_watches(catalog.cluster_id)
+            .await;
+
+        Ok(())
+    }
+
+    pub async fn delete_app_catalog_workload(
+        &self,
+        org_id: Uuid,
+        workload_id: Uuid,
+    ) -> Result<(), ApiError> {
+        // First get the workload to find its catalog
+        let workload = self
+            .db
+            .get_app_catalog_workload(workload_id)
+            .await
+            .map_err(ApiError::from)?
+            .ok_or_else(|| ApiError::InvalidRequest("Workload not found".to_string()))?;
+
+        // Verify the catalog belongs to the organization
+        let catalog = self
+            .db
+            .get_app_catalog(workload.app_catalog_id)
+            .await
+            .map_err(ApiError::from)?
+            .ok_or_else(|| ApiError::InvalidRequest("App catalog not found".to_string()))?;
+
+        if catalog.organization_id != org_id {
+            return Err(ApiError::Unauthorized);
+        }
+
+        // Delete the workload
+        self.db
+            .delete_app_catalog_workload(workload_id)
+            .await
+            .map_err(ApiError::from)?;
+
+        let _ = self
+            .db
+            .bump_app_catalog_sync_version(workload.app_catalog_id, Utc::now().into())
+            .await
+            .map_err(ApiError::from)?;
+
+        self.refresh_cluster_namespace_watches(workload.cluster_id)
+            .await;
+
+        Ok(())
+    }
+
+    pub async fn update_app_catalog_workload(
+        &self,
+        org_id: Uuid,
+        workload_id: Uuid,
+        containers: Vec<lapdev_common::kube::KubeContainerInfo>,
+    ) -> Result<(), ApiError> {
+        // Validate containers
+        super::validation::validate_containers(&containers)?;
+
+        // First get the workload to find its catalog
+        let workload = self
+            .db
+            .get_app_catalog_workload(workload_id)
+            .await
+            .map_err(ApiError::from)?
+            .ok_or_else(|| ApiError::InvalidRequest("Workload not found".to_string()))?;
+
+        // Verify the catalog belongs to the organization
+        let catalog = self
+            .db
+            .get_app_catalog(workload.app_catalog_id)
+            .await
+            .map_err(ApiError::from)?
+            .ok_or_else(|| ApiError::InvalidRequest("App catalog not found".to_string()))?;
+
+        if catalog.organization_id != org_id {
+            return Err(ApiError::Unauthorized);
+        }
+
+        // Update the workload containers
+        self.db
+            .update_app_catalog_workload(workload_id, containers)
+            .await
+            .map_err(ApiError::from)?;
+
+        let new_version = self
+            .db
+            .bump_app_catalog_sync_version(catalog.id, Utc::now().into())
+            .await
+            .map_err(ApiError::from)?;
+
+        self.db
+            .update_catalog_workload_versions(&[workload.id], new_version)
+            .await
+            .map_err(ApiError::from)
+    }
+
+    pub async fn add_workloads_to_app_catalog(
+        &self,
+        org_id: Uuid,
+        _user_id: Uuid,
+        catalog_id: Uuid,
+        workloads: Vec<KubeAppCatalogWorkloadCreate>,
+    ) -> Result<(), ApiError> {
+        // Verify the catalog belongs to the organization
+        let catalog = self
+            .db
+            .get_app_catalog(catalog_id)
+            .await
+            .map_err(ApiError::from)?
+            .ok_or_else(|| ApiError::InvalidRequest("App catalog not found".to_string()))?;
+
+        if catalog.organization_id != org_id {
+            return Err(ApiError::Unauthorized);
+        }
+
+        // Enrich workloads with details from KubeManager
+        let enriched_workloads = self
+            .enrich_workloads_with_details(catalog.cluster_id, workloads)
+            .await?;
+
+        // Add enriched workloads to the catalog
+        let txn = self.db.conn.begin().await.map_err(ApiError::from)?;
+        let now = chrono::Utc::now().into();
+
+        let inserted_ids = match self
+            .db
+            .insert_enriched_workloads_to_catalog(
+                &txn,
+                catalog_id,
+                catalog.cluster_id,
+                enriched_workloads,
+                now,
+            )
+            .await
+        {
+            Ok(ids) => ids,
+            Err(db_err) => {
+                txn.rollback().await.map_err(ApiError::from)?;
+                if matches!(
+                    db_err.sql_err(),
+                    Some(sea_orm::SqlErr::UniqueConstraintViolation(_))
+                ) {
+                    return Err(ApiError::InvalidRequest(
+                        "One or more selected workloads already exist in this catalog".to_string(),
+                    ));
+                } else {
+                    return Err(ApiError::from(anyhow::Error::from(db_err)));
+                }
+            }
+        };
+
+        txn.commit().await.map_err(ApiError::from)?;
+
+        let new_version = self
+            .db
+            .bump_app_catalog_sync_version(catalog.id, Utc::now().into())
+            .await
+            .map_err(ApiError::from)?;
+
+        self.db
+            .update_catalog_workload_versions(&inserted_ids, new_version)
+            .await
+            .map_err(ApiError::from)?;
+
+        self.refresh_cluster_namespace_watches(catalog.cluster_id)
+            .await;
+
+        Ok(())
+    }
+}
+
+fn rewrite_service_for_sidecar(
+    service_entry: &mut KubeServiceWithYaml,
+    routes: &[ProxyPortRoute],
+) -> Result<(), ApiError> {
+    if routes.is_empty() {
+        return Ok(());
+    }
+
+    let mut service: Service = serde_yaml::from_str(&service_entry.yaml).map_err(|err| {
+        ApiError::InvalidRequest(format!(
+            "Failed to parse cached Service '{}' YAML: {}",
+            service_entry.details.name, err
+        ))
+    })?;
+
+    if let Some(spec) = service.spec.as_mut() {
+        if let Some(ports) = spec.ports.as_mut() {
+            for port in ports.iter_mut() {
+                let service_port = port.port;
+                if let Some(route) = routes
+                    .iter()
+                    .find(|route| route.service_port as i32 == service_port)
+                {
+                    port.target_port = Some(IntOrString::Int(route.proxy_port as i32));
+                }
+            }
+        }
+    }
+
+    service_entry.yaml = serde_yaml::to_string(&service).map_err(|err| {
+        ApiError::InvalidRequest(format!(
+            "Failed to serialize Service '{}' YAML after sidecar rewrite: {}",
+            service_entry.details.name, err
+        ))
+    })?;
+
+    for port in service_entry.details.ports.iter_mut() {
+        if let Some(route) = routes
+            .iter()
+            .find(|route| route.service_port as i32 == port.port)
+        {
+            if port.original_target_port.is_none() {
+                port.original_target_port = Some(route.target_port as i32);
+            }
+            port.target_port = Some(route.proxy_port as i32);
+        }
+    }
+
+    Ok(())
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+    use k8s_openapi::api::core::v1::Service;
+    use k8s_openapi::apimachinery::pkg::util::intstr::IntOrString;
+    use lapdev_common::kube::KubeServicePort;
+    use std::collections::BTreeMap;
+
+    #[test]
+    fn rewrite_service_preserves_original_target_port() {
+        let initial_yaml = r#"
+apiVersion: v1
+kind: Service
+metadata:
+  name: test
+spec:
+  ports:
+    - port: 80
+      targetPort: 8080
+      protocol: TCP
+  selector:
+    app: demo
+"#
+        .to_string();
+
+        let mut service_entry = KubeServiceWithYaml {
+            yaml: initial_yaml,
+            details: KubeServiceDetails {
+                name: "test".to_string(),
+                ports: vec![KubeServicePort {
+                    name: None,
+                    port: 80,
+                    target_port: Some(8080),
+                    protocol: Some("TCP".to_string()),
+                    node_port: None,
+                    original_target_port: None,
+                }],
+                selector: BTreeMap::new(),
+            },
+        };
+
+        let routes = vec![ProxyPortRoute {
+            proxy_port: DEFAULT_SIDECAR_PROXY_PORT,
+            service_port: 80,
+            target_port: 8080,
+        }];
+
+        rewrite_service_for_sidecar(&mut service_entry, &routes).unwrap();
+
+        let updated: Service = serde_yaml::from_str(&service_entry.yaml).unwrap();
+        let rewritten_target = updated
+            .spec
+            .as_ref()
+            .and_then(|spec| spec.ports.as_ref())
+            .and_then(|ports| ports.first())
+            .and_then(|port| port.target_port.clone())
+            .expect("target port should be set");
+
+        let target_value = match rewritten_target {
+            IntOrString::Int(value) => value,
+            IntOrString::String(_) => panic!("expected numeric target port"),
+        };
+
+        assert_eq!(target_value, DEFAULT_SIDECAR_PROXY_PORT as i32);
+
+        let details_port = &service_entry.details.ports[0];
+        assert_eq!(
+            details_port.target_port,
+            Some(DEFAULT_SIDECAR_PROXY_PORT as i32)
+        );
+        assert_eq!(details_port.original_target_port, Some(8080));
+    }
+}
diff --git a/crates/api/src/kube_controller/cluster.rs b/crates/api/src/kube_controller/cluster.rs
new file mode 100644
index 0000000..5c65b77
--- /dev/null
+++ b/crates/api/src/kube_controller/cluster.rs
@@ -0,0 +1,398 @@
+use std::str::FromStr;
+use uuid::Uuid;
+
+use lapdev_common::{
+    kube::{
+        CreateKubeClusterResponse, KubeCluster, KubeClusterInfo, KubeClusterStatus,
+        KubeNamespaceInfo, KubeWorkload, KubeWorkloadKind, KubeWorkloadList, PaginationParams,
+    },
+    token::PlainToken,
+};
+use lapdev_rpc::error::ApiError;
+use secrecy::ExposeSecret;
+
+use super::KubeController;
+
+impl KubeController {
+    pub async fn get_all_kube_clusters(&self, org_id: Uuid) -> Result<Vec<KubeCluster>, ApiError> {
+        let clusters = self
+            .db
+            .get_all_kube_clusters(org_id)
+            .await
+            .map_err(ApiError::from)?
+            .into_iter()
+            .map(|c| KubeCluster {
+                id: c.id,
+                name: c.name.clone(),
+                can_deploy_personal: c.can_deploy_personal,
+                can_deploy_shared: c.can_deploy_shared,
+                info: KubeClusterInfo {
+                    cluster_version: c.cluster_version.unwrap_or("Unknown".to_string()),
+                    node_count: 0, // TODO: Get actual node count from kube-manager
+                    available_cpu: "N/A".to_string(), // TODO: Get actual CPU from kube-manager
+                    available_memory: "N/A".to_string(), // TODO: Get actual memory from kube-manager
+                    provider: c.provider.clone(),
+                    region: c.region,
+                    status: KubeClusterStatus::from_str(&c.status)
+                        .unwrap_or(KubeClusterStatus::NotReady),
+                    manager_namespace: c.manager_namespace.clone(),
+                },
+            })
+            .collect();
+        Ok(clusters)
+    }
+
+    pub async fn create_kube_cluster(
+        &self,
+        org_id: Uuid,
+        user_id: Uuid,
+        name: String,
+    ) -> Result<CreateKubeClusterResponse, ApiError> {
+        // Generate cluster ID and token
+        let cluster_id = Uuid::new_v4();
+        let token = PlainToken::generate();
+        let hashed_token = token.hashed();
+        let token_name = format!("{name}-default");
+
+        // Create the cluster
+        self.db
+            .create_kube_cluster(
+                cluster_id,
+                org_id,
+                user_id,
+                name,
+                KubeClusterStatus::Provisioning.to_string(),
+            )
+            .await
+            .map_err(ApiError::from)?;
+
+        // Create the cluster token
+        self.db
+            .create_kube_cluster_token(
+                cluster_id,
+                user_id,
+                token_name,
+                hashed_token.expose_secret().to_vec(),
+            )
+            .await
+            .map_err(ApiError::from)?;
+
+        Ok(CreateKubeClusterResponse {
+            cluster_id,
+            token: token.expose_secret().to_string(),
+        })
+    }
+
+    pub async fn delete_kube_cluster(
+        &self,
+        org_id: Uuid,
+        cluster_id: Uuid,
+    ) -> Result<(), ApiError> {
+        // Verify cluster belongs to the organization
+        let cluster = self
+            .db
+            .get_kube_cluster(cluster_id)
+            .await
+            .map_err(ApiError::from)?
+            .ok_or_else(|| ApiError::InvalidRequest("Cluster not found".to_string()))?;
+
+        if cluster.organization_id != org_id {
+            return Err(ApiError::Unauthorized);
+        }
+
+        // Check for dependencies - kube_app_catalog
+        let has_app_catalogs = self
+            .db
+            .check_kube_cluster_has_app_catalogs(cluster_id)
+            .await
+            .map_err(ApiError::from)?;
+
+        if has_app_catalogs {
+            return Err(ApiError::InvalidRequest(
+                "Cannot delete cluster: it has active app catalogs. Please delete them first."
+                    .to_string(),
+            ));
+        }
+
+        // Check for dependencies - kube_environment
+        let has_environments = self
+            .db
+            .check_kube_cluster_has_environments(cluster_id)
+            .await
+            .map_err(ApiError::from)?;
+
+        if has_environments {
+            return Err(ApiError::InvalidRequest(
+                "Cannot delete cluster: it has active environments. Please delete them first."
+                    .to_string(),
+            ));
+        }
+
+        // Soft delete the cluster
+        self.db
+            .delete_kube_cluster(cluster_id)
+            .await
+            .map_err(ApiError::from)
+    }
+
+    pub async fn set_cluster_deployable(
+        &self,
+        org_id: Uuid,
+        cluster_id: Uuid,
+        can_deploy_personal: bool,
+        can_deploy_shared: bool,
+    ) -> Result<(), ApiError> {
+        // Verify cluster belongs to the organization
+        let cluster = self
+            .db
+            .get_kube_cluster(cluster_id)
+            .await
+            .map_err(ApiError::from)?
+            .ok_or_else(|| ApiError::InvalidRequest("Cluster not found".to_string()))?;
+
+        if cluster.organization_id != org_id {
+            return Err(ApiError::Unauthorized);
+        }
+
+        // Update the deployment capability fields
+        self.db
+            .set_cluster_deployable(cluster_id, can_deploy_personal, can_deploy_shared)
+            .await
+            .map_err(ApiError::from)?;
+
+        Ok(())
+    }
+
+    pub async fn set_cluster_personal_deployable(
+        &self,
+        org_id: Uuid,
+        cluster_id: Uuid,
+        can_deploy: bool,
+    ) -> Result<(), ApiError> {
+        // Verify cluster belongs to the organization
+        let cluster = self
+            .db
+            .get_kube_cluster(cluster_id)
+            .await
+            .map_err(ApiError::from)?
+            .ok_or_else(|| ApiError::InvalidRequest("Cluster not found".to_string()))?;
+
+        if cluster.organization_id != org_id {
+            return Err(ApiError::Unauthorized);
+        }
+
+        // Update only the personal deployment capability
+        self.db
+            .set_cluster_deployable(cluster_id, can_deploy, cluster.can_deploy_shared)
+            .await
+            .map_err(ApiError::from)?;
+
+        Ok(())
+    }
+
+    pub async fn set_cluster_shared_deployable(
+        &self,
+        org_id: Uuid,
+        cluster_id: Uuid,
+        can_deploy: bool,
+    ) -> Result<(), ApiError> {
+        // Verify cluster belongs to the organization
+        let cluster = self
+            .db
+            .get_kube_cluster(cluster_id)
+            .await
+            .map_err(ApiError::from)?
+            .ok_or_else(|| ApiError::InvalidRequest("Cluster not found".to_string()))?;
+
+        if cluster.organization_id != org_id {
+            return Err(ApiError::Unauthorized);
+        }
+
+        // Update only the shared deployment capability
+        self.db
+            .set_cluster_deployable(cluster_id, cluster.can_deploy_personal, can_deploy)
+            .await
+            .map_err(ApiError::from)?;
+
+        Ok(())
+    }
+
+    pub async fn get_workloads(
+        &self,
+        org_id: Uuid,
+        cluster_id: Uuid,
+        namespace: Option<String>,
+        workload_kind_filter: Option<KubeWorkloadKind>,
+        include_system_workloads: bool,
+        pagination: Option<PaginationParams>,
+    ) -> Result<KubeWorkloadList, ApiError> {
+        // Verify cluster belongs to the organization
+        let cluster = self
+            .db
+            .get_kube_cluster(cluster_id)
+            .await
+            .map_err(ApiError::from)?
+            .ok_or_else(|| ApiError::InvalidRequest("Cluster not found".to_string()))?;
+
+        if cluster.organization_id != org_id {
+            return Err(ApiError::Unauthorized);
+        }
+
+        // Get a connected KubeClusterServer for this cluster
+        let server = self
+            .get_random_kube_cluster_server(cluster_id)
+            .await
+            .ok_or_else(|| {
+                ApiError::InvalidRequest("No connected KubeManager for this cluster".to_string())
+            })?;
+
+        let pagination = pagination.unwrap_or(PaginationParams {
+            cursor: None,
+            limit: 20,
+        });
+
+        // Call KubeManager to get workloads
+        match server
+            .rpc_client
+            .get_workloads(
+                Self::kube_manager_rpc_context(),
+                namespace,
+                workload_kind_filter,
+                include_system_workloads,
+                Some(pagination),
+            )
+            .await
+        {
+            Ok(Ok(workload_list)) => Ok(workload_list),
+            Ok(Err(e)) => Err(ApiError::InvalidRequest(format!(
+                "KubeManager error: {}",
+                e
+            ))),
+            Err(e) => Err(ApiError::InvalidRequest(format!("Connection error: {}", e))),
+        }
+    }
+
+    pub async fn get_workload_details(
+        &self,
+        org_id: Uuid,
+        cluster_id: Uuid,
+        name: String,
+        namespace: String,
+    ) -> Result<Option<KubeWorkload>, ApiError> {
+        // Verify cluster belongs to the organization
+        let cluster = self
+            .db
+            .get_kube_cluster(cluster_id)
+            .await
+            .map_err(ApiError::from)?
+            .ok_or_else(|| ApiError::InvalidRequest("Cluster not found".to_string()))?;
+
+        if cluster.organization_id != org_id {
+            return Err(ApiError::Unauthorized);
+        }
+
+        // Get a connected KubeClusterServer for this cluster
+        let server = self
+            .get_random_kube_cluster_server(cluster_id)
+            .await
+            .ok_or_else(|| {
+                ApiError::InvalidRequest("No connected KubeManager for this cluster".to_string())
+            })?;
+
+        // Call KubeManager to get workload details
+        match server
+            .rpc_client
+            .get_workload_details(Self::kube_manager_rpc_context(), name, namespace)
+            .await
+        {
+            Ok(Ok(workload_details)) => Ok(workload_details),
+            Ok(Err(e)) => Err(ApiError::InvalidRequest(format!(
+                "KubeManager error: {}",
+                e
+            ))),
+            Err(e) => Err(ApiError::InvalidRequest(format!("Connection error: {}", e))),
+        }
+    }
+
+    pub async fn get_cluster_namespaces(
+        &self,
+        org_id: Uuid,
+        cluster_id: Uuid,
+    ) -> Result<Vec<KubeNamespaceInfo>, ApiError> {
+        // Verify cluster belongs to the organization
+        let cluster = self
+            .db
+            .get_kube_cluster(cluster_id)
+            .await
+            .map_err(ApiError::from)?
+            .ok_or_else(|| ApiError::InvalidRequest("Cluster not found".to_string()))?;
+
+        if cluster.organization_id != org_id {
+            return Err(ApiError::Unauthorized);
+        }
+
+        // Get a connected KubeClusterServer for this cluster
+        let server = self
+            .get_random_kube_cluster_server(cluster_id)
+            .await
+            .ok_or_else(|| {
+                ApiError::InvalidRequest("No connected KubeManager for this cluster".to_string())
+            })?;
+
+        // Call KubeManager to get namespaces
+        match server
+            .rpc_client
+            .get_namespaces(Self::kube_manager_rpc_context())
+            .await
+        {
+            Ok(Ok(namespaces)) => Ok(namespaces),
+            Ok(Err(e)) => Err(ApiError::InvalidRequest(format!(
+                "KubeManager error: {}",
+                e
+            ))),
+            Err(e) => Err(ApiError::InvalidRequest(format!("Connection error: {}", e))),
+        }
+    }
+
+    pub async fn get_cluster_info(
+        &self,
+        org_id: Uuid,
+        cluster_id: Uuid,
+    ) -> Result<KubeCluster, ApiError> {
+        // Get cluster from database
+        let cluster = self
+            .db
+            .get_kube_cluster(cluster_id)
+            .await
+            .map_err(ApiError::from)?
+            .ok_or_else(|| ApiError::InvalidRequest("Cluster not found".to_string()))?;
+
+        if cluster.organization_id != org_id {
+            return Err(ApiError::Unauthorized);
+        }
+
+        // Convert database cluster to KubeClusterInfo
+        let cluster_info = KubeClusterInfo {
+            cluster_version: cluster
+                .cluster_version
+                .clone()
+                .unwrap_or_else(|| "Unknown".to_string()),
+            node_count: 0, // TODO: Get actual node count from kube-manager
+            available_cpu: "N/A".to_string(), // TODO: Get actual CPU from kube-manager
+            available_memory: "N/A".to_string(), // TODO: Get actual memory from kube-manager
+            provider: cluster.provider.clone(),
+            region: cluster.region.clone(),
+            status: KubeClusterStatus::from_str(&cluster.status)
+                .unwrap_or(KubeClusterStatus::NotReady),
+            manager_namespace: cluster.manager_namespace.clone(),
+        };
+
+        Ok(KubeCluster {
+            id: cluster.id,
+            name: cluster.name,
+            can_deploy_personal: cluster.can_deploy_personal,
+            can_deploy_shared: cluster.can_deploy_shared,
+            info: cluster_info,
+        })
+    }
+}
diff --git a/crates/api/src/kube_controller/container_images.rs b/crates/api/src/kube_controller/container_images.rs
new file mode 100644
index 0000000..139076f
--- /dev/null
+++ b/crates/api/src/kube_controller/container_images.rs
@@ -0,0 +1,26 @@
+/// Shared image tag for Lapdev Kubernetes components.
+pub const CONTAINER_IMAGE_TAG: &str = "0.2.0";
+
+/// Registry/repository for the Lapdev API image.
+pub(crate) const API_IMAGE_REPO: &str = "ghcr.io/lapce/lapdev-api";
+/// Registry/repository for the kube-manager controller image.
+pub(crate) const KUBE_MANAGER_IMAGE_REPO: &str = "ghcr.io/lapce/lapdev-kube-manager";
+/// Registry/repository for the sidecar proxy image.
+pub(crate) const SIDECAR_PROXY_IMAGE_REPO: &str = "ghcr.io/lapce/lapdev-kube-sidecar-proxy";
+
+/// Helper returning the Lapdev API image reference with the shared tag.
+#[allow(dead_code)]
+pub(crate) fn api_image_reference() -> String {
+    format!("{}:{}", API_IMAGE_REPO, CONTAINER_IMAGE_TAG)
+}
+
+/// Helper returning the kube-manager image reference with the shared tag.
+#[allow(dead_code)]
+pub(crate) fn kube_manager_image_reference() -> String {
+    format!("{}:{}", KUBE_MANAGER_IMAGE_REPO, CONTAINER_IMAGE_TAG)
+}
+
+/// Helper returning the sidecar proxy image reference with the shared tag.
+pub(crate) fn sidecar_proxy_image_reference() -> String {
+    format!("{}:{}", SIDECAR_PROXY_IMAGE_REPO, CONTAINER_IMAGE_TAG)
+}
diff --git a/crates/api/src/kube_controller/deployment.rs b/crates/api/src/kube_controller/deployment.rs
new file mode 100644
index 0000000..f9359cf
--- /dev/null
+++ b/crates/api/src/kube_controller/deployment.rs
@@ -0,0 +1,208 @@
+use std::collections::HashMap;
+
+use super::KubeController;
+use lapdev_kube::server::KubeClusterServer;
+use lapdev_rpc::error::ApiError;
+
+impl KubeController {
+    pub(super) async fn deploy_environment_resources(
+        &self,
+        target_server: &KubeClusterServer,
+        environment: &lapdev_db_entities::kube_environment::Model,
+        workloads_with_resources: lapdev_kube_rpc::KubeWorkloadsWithResources,
+        extra_labels: Option<HashMap<String, String>>,
+    ) -> Result<(), ApiError> {
+        let namespace = &environment.namespace;
+        let environment_name = &environment.name;
+
+        tracing::info!(
+            "Deploying environment resources for '{}' in namespace '{}'",
+            environment_name,
+            namespace
+        );
+
+        if workloads_with_resources.workloads.is_empty() {
+            tracing::warn!("No workloads found for environment '{}'", environment_name);
+            return Ok(());
+        }
+
+        tracing::info!(
+            "Found {} workloads to deploy for environment '{}'",
+            workloads_with_resources.workloads.len(),
+            environment_name
+        );
+
+        // Prepare environment-specific labels
+        let mut environment_labels = std::collections::HashMap::new();
+        environment_labels.insert("lapdev.managed-by".to_string(), "lapdev".to_string());
+        if environment.base_environment_id.is_some() {
+            environment_labels.insert(
+                "lapdev.io/branch-environment-id".to_string(),
+                environment.id.to_string(),
+            );
+        }
+        if let Some(extra) = extra_labels {
+            for (key, value) in extra {
+                environment_labels.insert(key, value);
+            }
+        }
+
+        // Deploy all workloads and resources in a single call
+        if environment.auth_token.is_empty() {
+            return Err(ApiError::InvalidRequest(
+                "Environment auth token is required".to_string(),
+            ));
+        }
+        let mut ctx = Self::kube_manager_rpc_context();
+
+        match target_server
+            .rpc_client
+            .deploy_workload_yaml(
+                ctx,
+                namespace.to_string(),
+                workloads_with_resources,
+                environment_labels,
+            )
+            .await
+        {
+            Ok(Ok(())) => {
+                tracing::info!("Successfully deployed all workloads to target cluster");
+                Ok(())
+            }
+            Ok(Err(e)) => {
+                tracing::error!("Failed to deploy workloads to target cluster: {}", e);
+                Err(ApiError::InvalidRequest(format!(
+                    "Failed to deploy workloads to target cluster: {e}"
+                )))
+            }
+            Err(e) => Err(ApiError::InvalidRequest(format!(
+                "Connection error to target cluster: {e}"
+            ))),
+        }
+    }
+}
+
+#[cfg(test)]
+mod tests {
+    use crate::kube_controller::resources;
+
+    use super::super::container_images;
+    use super::*;
+    use k8s_openapi::api::apps::v1::{Deployment, DeploymentSpec};
+    use k8s_openapi::api::core::v1::{Container, PodSpec, PodTemplateSpec};
+    use k8s_openapi::apimachinery::pkg::apis::meta::v1::LabelSelector;
+    use lapdev_common::kube::{
+        DEFAULT_SIDECAR_PROXY_BIND_ADDR, DEFAULT_SIDECAR_PROXY_PORT,
+        SIDECAR_PROXY_BIND_ADDR_ENV_VAR, SIDECAR_PROXY_MANAGER_ADDR_ENV_VAR,
+        SIDECAR_PROXY_PORT_ENV_VAR, SIDECAR_PROXY_WORKLOAD_ENV_VAR,
+    };
+    use uuid::Uuid;
+
+    #[test]
+    fn inject_sidecar_proxy_appends_once() {
+        let mut deployment = Deployment {
+            metadata: Default::default(),
+            spec: Some(DeploymentSpec {
+                replicas: None,
+                selector: LabelSelector::default(),
+                template: PodTemplateSpec {
+                    metadata: Default::default(),
+                    spec: Some(PodSpec {
+                        containers: vec![Container {
+                            name: "primary".to_string(),
+                            ..Default::default()
+                        }],
+                        ..Default::default()
+                    }),
+                },
+                ..Default::default()
+            }),
+            status: None,
+        };
+
+        let environment_id = Uuid::new_v4();
+        let workload_id = Uuid::new_v4();
+        let options = resources::SidecarInjectionOptions {
+            environment_id,
+            workload_id,
+            namespace: "lapdev-namespace",
+            auth_token: "auth-token",
+            manager_namespace: Some("lapdev"),
+            proxy_routes: &[],
+        };
+
+        resources::inject_sidecar_proxy_into_deployment(&mut deployment, &options).unwrap();
+        resources::inject_sidecar_proxy_into_deployment(&mut deployment, &options).unwrap();
+
+        let pod_spec = deployment
+            .spec
+            .as_ref()
+            .and_then(|spec| spec.template.spec.as_ref())
+            .expect("deployment pod spec should exist");
+
+        let sidecars: Vec<&Container> = pod_spec
+            .containers
+            .iter()
+            .filter(|container| container.name == "lapdev-sidecar-proxy")
+            .collect();
+        assert_eq!(sidecars.len(), 1, "sidecar should be appended exactly once");
+
+        let sidecar = sidecars[0];
+        let expected_image = container_images::sidecar_proxy_image_reference();
+        assert_eq!(
+            sidecar.image.as_deref(),
+            Some(expected_image.as_str()),
+            "sidecar should use the shared repo:tag reference"
+        );
+        assert!(
+            sidecar.args.is_none(),
+            "sidecar should not rely on CLI arguments once injected"
+        );
+
+        let env_vars = sidecar
+            .env
+            .as_ref()
+            .expect("sidecar should include required environment variables");
+        let bind_addr_var = env_vars
+            .iter()
+            .find(|var| var.name == SIDECAR_PROXY_BIND_ADDR_ENV_VAR)
+            .expect("bind address environment variable should be set");
+        assert_eq!(
+            bind_addr_var.value.as_deref(),
+            Some(DEFAULT_SIDECAR_PROXY_BIND_ADDR),
+            "bind address env var should carry the default proxy address"
+        );
+
+        let port_var = env_vars
+            .iter()
+            .find(|var| var.name == SIDECAR_PROXY_PORT_ENV_VAR)
+            .expect("port environment variable should be set");
+        let expected_port = DEFAULT_SIDECAR_PROXY_PORT.to_string();
+        assert_eq!(
+            port_var.value.as_deref(),
+            Some(expected_port.as_str()),
+            "port env var should reflect the default proxy port"
+        );
+
+        let manager_addr_var = env_vars
+            .iter()
+            .find(|var| var.name == SIDECAR_PROXY_MANAGER_ADDR_ENV_VAR)
+            .expect("manager addr environment variable should be set");
+        assert_eq!(
+            manager_addr_var.value.as_deref(),
+            Some("lapdev-kube-manager.lapdev.svc:5001"),
+            "manager addr env var should default to lapdev namespace"
+        );
+
+        let expected_workload_id = workload_id.to_string();
+        let workload_var = env_vars
+            .iter()
+            .find(|var| var.name == SIDECAR_PROXY_WORKLOAD_ENV_VAR)
+            .expect("workload environment variable should be set");
+        assert_eq!(
+            workload_var.value.as_deref(),
+            Some(expected_workload_id.as_str()),
+            "workload env var should carry the provided workload id"
+        );
+    }
+}
diff --git a/crates/api/src/kube_controller/environment.rs b/crates/api/src/kube_controller/environment.rs
new file mode 100644
index 0000000..8c616ce
--- /dev/null
+++ b/crates/api/src/kube_controller/environment.rs
@@ -0,0 +1,2840 @@
+use chrono::Utc;
+use k8s_openapi::api::{
+    apps::v1::{DaemonSet, Deployment, ReplicaSet, StatefulSet},
+    batch::v1::{CronJob, Job},
+    core::v1::{Pod, PodSpec, Service},
+};
+use k8s_openapi::apimachinery::pkg::util::intstr::IntOrString;
+use lapdev_common::{
+    kube::{
+        KubeAppCatalogWorkload, KubeContainerImage, KubeEnvironment,
+        KubeEnvironmentDashboardSummary, KubeEnvironmentService, KubeEnvironmentStatus,
+        KubeEnvironmentSyncStatus, KubeServiceDetails, KubeServicePort, KubeServiceWithYaml,
+        KubeWorkloadDetails, KubeWorkloadKind, PagePaginationParams, PaginatedInfo,
+        PaginatedResult,
+    },
+    utils::rand_string,
+};
+use lapdev_db::api::NewEnvironmentWorkload;
+use lapdev_kube::server::KubeClusterServer;
+use lapdev_kube_rpc::{KubeWorkloadYamlOnly, KubeWorkloadsWithResources, NamespacedResourceKind};
+use lapdev_rpc::error::ApiError;
+use sea_orm::{
+    prelude::{DateTimeWithTimeZone, Json},
+    sea_query::Expr,
+    ActiveModelTrait, ActiveValue, ColumnTrait, EntityTrait, QueryFilter, TransactionTrait,
+};
+use serde_yaml;
+use std::{
+    collections::{HashMap, HashSet},
+    str::FromStr,
+    time::{Duration, Instant},
+};
+use tracing::{error, warn};
+use uuid::Uuid;
+
+use crate::environment_events::EnvironmentLifecycleEvent;
+
+use super::{
+    app_catalog::SidecarInjectionContext,
+    resources::{set_cronjob_suspend, set_daemonset_paused, set_workload_replicas},
+    workload::{build_branch_service_selector, rename_service_yaml, rename_workload_yaml},
+    EnvironmentNamespaceKind, KubeController,
+};
+
+impl KubeController {
+    pub(super) async fn generate_unique_namespace(
+        &self,
+        _cluster_id: Uuid,
+        kind: EnvironmentNamespaceKind,
+    ) -> Result<String, ApiError> {
+        let prefix = match kind {
+            EnvironmentNamespaceKind::Personal => "lapdev-personal",
+            EnvironmentNamespaceKind::Shared => "lapdev-shared",
+            EnvironmentNamespaceKind::Branch => "lapdev-branch",
+        };
+
+        Ok(format!("{prefix}-{}", rand_string(12)))
+    }
+
+    pub async fn get_all_kube_environments(
+        &self,
+        org_id: Uuid,
+        user_id: Uuid,
+        search: Option<String>,
+        is_shared: bool,
+        is_branch: bool,
+        pagination: Option<PagePaginationParams>,
+    ) -> Result<PaginatedResult<KubeEnvironment>, ApiError> {
+        let pagination = pagination.unwrap_or_default();
+
+        let (environments_with_catalogs_and_clusters, total_count) = self
+            .db
+            .get_all_kube_environments_paginated(
+                org_id,
+                user_id,
+                search,
+                is_shared,
+                is_branch,
+                Some(pagination.clone()),
+            )
+            .await
+            .map_err(ApiError::from)?;
+
+        let kube_environments = environments_with_catalogs_and_clusters
+            .into_iter()
+            .filter_map(
+                |(
+                    env,
+                    catalog,
+                    cluster,
+                    base_environment_name,
+                    base_environment_catalog_sync_version,
+                    base_environment_last_synced_at,
+                )| {
+                    let catalog = catalog?;
+                    let cluster = cluster?;
+                    let catalog_sync_version = env.catalog_sync_version;
+                    let status = KubeEnvironmentStatus::from_str(&env.status)
+                        .unwrap_or(KubeEnvironmentStatus::Creating);
+                    let last_catalog_synced_at =
+                        env.last_catalog_synced_at.map(|dt| dt.to_string());
+                    let paused_at = env.paused_at.map(|dt| dt.to_string());
+                    let resumed_at = env.resumed_at.map(|dt| dt.to_string());
+                    let catalog_update_available = match env.base_environment_id {
+                        Some(_) => base_environment_catalog_sync_version
+                            .map(|version| version > catalog_sync_version)
+                            .unwrap_or(false),
+                        None => catalog.sync_version > catalog_sync_version,
+                    };
+
+                    Some(KubeEnvironment {
+                        id: env.id,
+                        name: env.name,
+                        namespace: env.namespace,
+                        app_catalog_id: env.app_catalog_id,
+                        app_catalog_name: catalog.name,
+                        cluster_id: env.cluster_id,
+                        cluster_name: cluster.name,
+                        status,
+                        created_at: env.created_at.to_string(),
+                        user_id: env.user_id,
+                        is_shared: env.is_shared,
+                        base_environment_id: env.base_environment_id,
+                        base_environment_name,
+                        base_environment_catalog_sync_version,
+                        base_environment_last_catalog_synced_at: base_environment_last_synced_at
+                            .map(|dt| dt.to_string()),
+                        catalog_sync_version,
+                        last_catalog_synced_at,
+                        paused_at,
+                        resumed_at,
+                        catalog_update_available,
+                        catalog_last_sync_actor_id: catalog.last_sync_actor_id,
+                        sync_status: KubeEnvironmentSyncStatus::from_str(&env.sync_status)
+                            .unwrap_or(KubeEnvironmentSyncStatus::Idle),
+                    })
+                },
+            )
+            .collect();
+
+        let total_pages = total_count.div_ceil(pagination.page_size);
+
+        Ok(PaginatedResult {
+            data: kube_environments,
+            pagination_info: PaginatedInfo {
+                total_count,
+                page: pagination.page,
+                page_size: pagination.page_size,
+                total_pages,
+            },
+        })
+    }
+
+    pub async fn get_environment_dashboard_summary(
+        &self,
+        org_id: Uuid,
+        user_id: Uuid,
+        recent_limit: Option<usize>,
+    ) -> Result<KubeEnvironmentDashboardSummary, ApiError> {
+        let limit = recent_limit.unwrap_or(5);
+        self.db
+            .get_environment_dashboard_summary(org_id, user_id, limit)
+            .await
+            .map_err(ApiError::from)
+    }
+
+    pub async fn get_kube_environment(
+        &self,
+        org_id: Uuid,
+        user_id: Uuid,
+        environment_id: Uuid,
+    ) -> Result<KubeEnvironment, ApiError> {
+        // Get the environment from database
+        let environment = self
+            .db
+            .get_kube_environment(environment_id)
+            .await
+            .map_err(ApiError::from)?
+            .ok_or_else(|| ApiError::InvalidRequest("Environment not found".to_string()))?;
+
+        // Check authorization
+        if environment.organization_id != org_id {
+            return Err(ApiError::Unauthorized);
+        }
+
+        // If it's a personal environment, check ownership
+        if !environment.is_shared && environment.user_id != user_id {
+            return Err(ApiError::Unauthorized);
+        }
+
+        // Get related catalog and cluster info
+        let catalog = self
+            .db
+            .get_app_catalog(environment.app_catalog_id)
+            .await
+            .map_err(ApiError::from)?
+            .ok_or_else(|| ApiError::InvalidRequest("App catalog not found".to_string()))?;
+
+        let cluster = self
+            .db
+            .get_kube_cluster(environment.cluster_id)
+            .await
+            .map_err(ApiError::from)?
+            .ok_or_else(|| ApiError::InvalidRequest("Cluster not found".to_string()))?;
+
+        // Get base environment name if this is a branch environment
+        let base_environment = if let Some(base_env_id) = environment.base_environment_id {
+            self.db
+                .get_kube_environment(base_env_id)
+                .await
+                .map_err(ApiError::from)?
+        } else {
+            None
+        };
+
+        let base_environment_name = base_environment.as_ref().map(|env| env.name.clone());
+        let base_environment_catalog_sync_version = base_environment
+            .as_ref()
+            .map(|env| env.catalog_sync_version);
+        let base_environment_last_synced_at =
+            base_environment.and_then(|env| env.last_catalog_synced_at);
+
+        let catalog_update_available = if base_environment_catalog_sync_version.is_some() {
+            base_environment_catalog_sync_version
+                .map(|version| version > environment.catalog_sync_version)
+                .unwrap_or(false)
+        } else {
+            catalog.sync_version > environment.catalog_sync_version
+        };
+
+        let status = KubeEnvironmentStatus::from_str(&environment.status)
+            .unwrap_or(KubeEnvironmentStatus::Creating);
+
+        Ok(KubeEnvironment {
+            id: environment.id,
+            user_id: environment.user_id,
+            name: environment.name,
+            namespace: environment.namespace,
+            app_catalog_id: environment.app_catalog_id,
+            app_catalog_name: catalog.name,
+            cluster_id: environment.cluster_id,
+            cluster_name: cluster.name,
+            status,
+            created_at: environment
+                .created_at
+                .format("%Y-%m-%d %H:%M:%S%.f %z")
+                .to_string(),
+            is_shared: environment.is_shared,
+            base_environment_id: environment.base_environment_id,
+            base_environment_name,
+            base_environment_catalog_sync_version,
+            base_environment_last_catalog_synced_at: base_environment_last_synced_at
+                .map(|dt| dt.to_string()),
+            catalog_sync_version: environment.catalog_sync_version,
+            last_catalog_synced_at: environment.last_catalog_synced_at.map(|dt| dt.to_string()),
+            paused_at: environment.paused_at.map(|dt| dt.to_string()),
+            resumed_at: environment.resumed_at.map(|dt| dt.to_string()),
+            catalog_last_sync_actor_id: catalog.last_sync_actor_id,
+            catalog_update_available,
+            sync_status: KubeEnvironmentSyncStatus::from_str(&environment.sync_status)
+                .unwrap_or(KubeEnvironmentSyncStatus::Idle),
+        })
+    }
+
+    /// Prepare workload details for environment creation by copying from catalog workloads
+    pub(super) fn prepare_workload_details_from_catalog(
+        workloads: Vec<lapdev_common::kube::KubeAppCatalogWorkload>,
+        namespace: &str,
+        env_workload_ids: &HashMap<Uuid, Uuid>,
+    ) -> Result<Vec<NewEnvironmentWorkload>, ApiError> {
+        workloads
+            .into_iter()
+            .map(|workload| {
+                if workload.workload_yaml.trim().is_empty() {
+                    return Err(ApiError::InvalidRequest(format!(
+                        "Workload {} from catalog is missing YAML",
+                        workload.name
+                    )));
+                }
+                let env_workload_id = env_workload_ids.get(&workload.id).ok_or_else(|| {
+                    ApiError::InvalidRequest(format!(
+                        "Missing generated workload id for catalog workload {}",
+                        workload.name
+                    ))
+                })?;
+                let workload_yaml = workload.workload_yaml.clone();
+                let mut containers = workload.containers;
+                for container in &mut containers {
+                    // Preserve the original environment variables
+                    container.original_env_vars = container.env_vars.clone();
+                    container.env_vars.clear();
+
+                    // If the app catalog has a customized image, use it as the original_image
+                    // for the new environment (so the environment starts from the customized state)
+                    match &container.image {
+                        KubeContainerImage::Custom(custom_image) => {
+                            container.original_image = custom_image.clone();
+                            container.image = KubeContainerImage::FollowOriginal;
+                        }
+                        KubeContainerImage::FollowOriginal => {
+                            // Keep the current original_image and FollowOriginal setting
+                        }
+                    }
+                }
+                Ok(NewEnvironmentWorkload {
+                    id: *env_workload_id,
+                    details: KubeWorkloadDetails {
+                        name: workload.name,
+                        namespace: namespace.to_string(),
+                        kind: workload.kind,
+                        containers,
+                        ports: workload.ports,
+                        workload_yaml,
+                        base_workload_id: None,
+                    },
+                })
+            })
+            .collect()
+    }
+
+    /// Build the manifest set used for pause/resume.
+    ///
+    /// We snapshot workload YAML when the environment is created or synced. This method:
+    /// 1. Pulls that stored manifest from the DB (fails if missing—we require it for new feature).
+    /// 2. Wraps each YAML string into the appropriate `KubeWorkloadYamlOnly` variant.
+    /// 3. Loads stored service YAML so we redeploy exactly what was saved.
+    ///
+    /// No catalog fallback: avoiding divergence and ensuring pause/resume replay the original manifest.
+    async fn assemble_environment_workloads(
+        &self,
+        environment: &lapdev_db_entities::kube_environment::Model,
+    ) -> Result<KubeWorkloadsWithResources, ApiError> {
+        let stored_workloads = self
+            .db
+            .get_environment_workloads(environment.id)
+            .await
+            .map_err(ApiError::from)?;
+
+        if stored_workloads.is_empty()
+            || stored_workloads
+                .iter()
+                .any(|w| w.workload_yaml.trim().is_empty())
+        {
+            return Err(ApiError::InvalidRequest(
+                "Environment workloads are missing stored manifests".to_string(),
+            ));
+        }
+
+        let mut workloads = Vec::new();
+        for workload in stored_workloads {
+            let kind = KubeWorkloadKind::from_str(&workload.kind).map_err(|_| {
+                ApiError::InvalidRequest(format!(
+                    "Invalid workload kind {} for environment {}",
+                    workload.kind, environment.id
+                ))
+            })?;
+            workloads.push(Self::wrap_workload_yaml(kind, workload.workload_yaml));
+        }
+
+        Ok(KubeWorkloadsWithResources {
+            workloads,
+            services: HashMap::new(),
+            configmaps: HashMap::new(),
+            secrets: HashMap::new(),
+        })
+    }
+
+    /// Build KubeEnvironment response from database model
+    fn build_environment_response(
+        created_env: lapdev_db_entities::kube_environment::Model,
+        app_catalog_name: String,
+        cluster_name: String,
+        base_environment_name: Option<String>,
+        base_environment_catalog_sync_version: Option<i64>,
+        base_environment_last_synced_at: Option<DateTimeWithTimeZone>,
+    ) -> lapdev_common::kube::KubeEnvironment {
+        let status = KubeEnvironmentStatus::from_str(&created_env.status)
+            .unwrap_or(KubeEnvironmentStatus::Creating);
+        let base_version = base_environment_catalog_sync_version;
+        let catalog_update_available = match (created_env.base_environment_id, base_version) {
+            (Some(_), Some(base)) => base > created_env.catalog_sync_version,
+            _ => false,
+        };
+        lapdev_common::kube::KubeEnvironment {
+            id: created_env.id,
+            user_id: created_env.user_id,
+            name: created_env.name,
+            namespace: created_env.namespace,
+            status,
+            is_shared: created_env.is_shared,
+            app_catalog_id: created_env.app_catalog_id,
+            app_catalog_name,
+            cluster_id: created_env.cluster_id,
+            cluster_name,
+            created_at: created_env.created_at.to_string(),
+            base_environment_id: created_env.base_environment_id,
+            base_environment_name,
+            base_environment_catalog_sync_version: base_version,
+            base_environment_last_catalog_synced_at: base_environment_last_synced_at
+                .map(|dt| dt.to_string()),
+            catalog_sync_version: created_env.catalog_sync_version,
+            last_catalog_synced_at: created_env.last_catalog_synced_at.map(|dt| dt.to_string()),
+            paused_at: created_env.paused_at.map(|dt| dt.to_string()),
+            resumed_at: created_env.resumed_at.map(|dt| dt.to_string()),
+            catalog_update_available,
+            catalog_last_sync_actor_id: None,
+            sync_status: KubeEnvironmentSyncStatus::from_str(&created_env.sync_status)
+                .unwrap_or(KubeEnvironmentSyncStatus::Idle),
+        }
+    }
+
+    fn wrap_workload_yaml(kind: KubeWorkloadKind, yaml: String) -> KubeWorkloadYamlOnly {
+        match kind {
+            KubeWorkloadKind::Deployment => KubeWorkloadYamlOnly::Deployment(yaml),
+            KubeWorkloadKind::StatefulSet => KubeWorkloadYamlOnly::StatefulSet(yaml),
+            KubeWorkloadKind::DaemonSet => KubeWorkloadYamlOnly::DaemonSet(yaml),
+            KubeWorkloadKind::ReplicaSet => KubeWorkloadYamlOnly::ReplicaSet(yaml),
+            KubeWorkloadKind::Pod => KubeWorkloadYamlOnly::Pod(yaml),
+            KubeWorkloadKind::Job => KubeWorkloadYamlOnly::Job(yaml),
+            KubeWorkloadKind::CronJob => KubeWorkloadYamlOnly::CronJob(yaml),
+        }
+    }
+
+    /// Notify devbox-proxy about branch environment deletion
+    async fn notify_branch_environment_deletion(
+        &self,
+        rpc_client: &lapdev_kube_rpc::KubeManagerRpcClient,
+        base_env_id: Uuid,
+        environment_id: Uuid,
+    ) -> Result<(), ApiError> {
+        match rpc_client
+            .remove_branch_environment(
+                Self::kube_manager_rpc_context(),
+                base_env_id,
+                environment_id,
+            )
+            .await
+        {
+            Ok(Ok(())) => {
+                tracing::info!(
+                    "Successfully notified devbox-proxy about branch environment {} deletion",
+                    environment_id
+                );
+                Ok(())
+            }
+            Ok(Err(e)) => {
+                if e.contains("No devbox-proxy registered for base environment") {
+                    tracing::warn!(
+                        base_environment_id = %base_env_id,
+                        branch_environment_id = %environment_id,
+                        error = %e,
+                        "No devbox-proxy registered for base environment; skipping branch deletion notification"
+                    );
+                    return Ok(());
+                }
+                tracing::error!(
+                    "Failed to notify devbox-proxy about branch environment {} deletion: {}",
+                    environment_id,
+                    e
+                );
+                Err(ApiError::InvalidRequest(format!(
+                    "Failed to notify devbox-proxy about branch environment deletion: {e}"
+                )))
+            }
+            Err(e) => {
+                tracing::error!(
+                    "RPC call failed when notifying about branch environment {} deletion: {}",
+                    environment_id,
+                    e
+                );
+                Err(ApiError::InvalidRequest(format!(
+                    "Connection error while notifying devbox-proxy: {e}"
+                )))
+            }
+        }
+    }
+
+    /// Destroy environment resources via RPC
+    async fn destroy_environment_resources(
+        &self,
+        rpc_client: &lapdev_kube_rpc::KubeManagerRpcClient,
+        environment: &lapdev_db_entities::kube_environment::Model,
+    ) -> Result<(), ApiError> {
+        let mut ctx = Self::kube_manager_rpc_context();
+
+        match rpc_client
+            .destroy_environment(ctx, environment.id, environment.namespace.clone())
+            .await
+        {
+            Ok(Ok(())) => {
+                tracing::info!(
+                    "Successfully deleted resources for environment {} in namespace {}",
+                    environment.id,
+                    environment.namespace
+                );
+                Ok(())
+            }
+            Ok(Err(e)) => {
+                tracing::error!(
+                    "KubeManager error when deleting environment {}: {}",
+                    environment.id,
+                    e
+                );
+                Err(ApiError::InvalidRequest(format!(
+                    "Failed to delete environment resources: {e}"
+                )))
+            }
+            Err(e) => {
+                tracing::error!(
+                    "Connection error when deleting environment {}: {}",
+                    environment.id,
+                    e
+                );
+                Err(ApiError::InvalidRequest(format!(
+                    "Failed to communicate with KubeManager to delete environment: {e}"
+                )))
+            }
+        }
+    }
+
+    async fn destroy_branch_environment_resources(
+        &self,
+        rpc_client: &lapdev_kube_rpc::KubeManagerRpcClient,
+        environment: &lapdev_db_entities::kube_environment::Model,
+    ) -> Result<(), ApiError> {
+        let mut resources: Vec<(NamespacedResourceKind, String)> = Vec::new();
+
+        let branch_namespace = environment.namespace.clone();
+
+        let branch_workloads = self
+            .db
+            .get_environment_workloads(environment.id)
+            .await
+            .map_err(ApiError::from)?;
+        for workload in branch_workloads {
+            let kind = KubeWorkloadKind::from_str(&workload.kind).map_err(|_| {
+                ApiError::InvalidRequest(format!(
+                    "Invalid workload kind {} in branch environment",
+                    workload.kind
+                ))
+            })?;
+            resources.push((Self::workload_kind_to_resource_kind(&kind), workload.name));
+        }
+
+        let branch_services = self
+            .db
+            .get_environment_services(environment.id)
+            .await
+            .map_err(ApiError::from)?;
+        for service in branch_services {
+            resources.push((NamespacedResourceKind::Service, service.name));
+        }
+
+        let mut ctx = Self::kube_manager_rpc_context();
+        match rpc_client
+            .delete_namespaced_resources(ctx, branch_namespace.clone(), resources)
+            .await
+        {
+            Ok(Ok(())) => {}
+            Ok(Err(err)) => {
+                tracing::warn!(
+                    environment_id = %environment.id,
+                    error = %err,
+                    "KubeManager refused to delete some branch resources"
+                );
+            }
+            Err(err) => {
+                tracing::warn!(
+                    environment_id = %environment.id,
+                    error = ?err,
+                    "RPC error while deleting branch resources"
+                );
+            }
+        }
+
+        Ok(())
+    }
+
+    pub async fn delete_kube_environment(
+        &self,
+        org_id: Uuid,
+        _user_id: Uuid,
+        environment_id: Uuid,
+    ) -> Result<(), ApiError> {
+        // Authorize deletion (HRPC already enforced ownership/role, so we just ensure the environment exists and belongs to the org)
+        let environment = self
+            .db
+            .get_kube_environment(environment_id)
+            .await
+            .map_err(ApiError::from)?
+            .ok_or_else(|| ApiError::InvalidRequest("Environment not found".to_string()))?;
+
+        if environment.organization_id != org_id {
+            return Err(ApiError::Unauthorized);
+        }
+
+        if environment.is_shared {
+            let has_branches = self
+                .db
+                .check_environment_has_branches(environment_id)
+                .await
+                .map_err(ApiError::from)?;
+
+            if has_branches {
+                return Err(ApiError::InvalidRequest(
+                    "Cannot delete shared environment: it has active branch environments. Please delete them first.".to_string()
+                ));
+            }
+        }
+
+        // Get RPC client for cluster operations
+        let rpc_client = self
+            .get_random_kube_cluster_server(environment.cluster_id)
+            .await
+            .ok_or_else(|| {
+                ApiError::InvalidRequest(
+                    "No connected KubeManager for this cluster; cannot delete environment"
+                        .to_string(),
+                )
+            })?
+            .rpc_client
+            .clone();
+
+        // If this is a branch environment, notify the base environment's devbox-proxy
+        if let Some(base_env_id) = environment.base_environment_id {
+            self.notify_branch_environment_deletion(&rpc_client, base_env_id, environment_id)
+                .await?;
+        }
+
+        // Mark as deleting immediately
+        self.update_environment_status(environment_id, KubeEnvironmentStatus::Deleting, None, None)
+            .await?;
+
+        // Destroy environment resources in Kubernetes asynchronously
+        let controller = self.clone();
+        let environment_clone = environment.clone();
+        let rpc_client_clone = rpc_client.clone();
+
+        tokio::spawn(async move {
+            let env_id = environment_clone.id;
+            let destroy_result = if environment_clone.base_environment_id.is_some() {
+                controller
+                    .destroy_branch_environment_resources(&rpc_client_clone, &environment_clone)
+                    .await
+            } else {
+                controller
+                    .destroy_environment_resources(&rpc_client_clone, &environment_clone)
+                    .await
+            };
+
+            match destroy_result {
+                Ok(_) => {
+                    match controller
+                        .db
+                        .delete_kube_environment(env_id)
+                        .await
+                        .map_err(ApiError::from)
+                    {
+                        Ok(_) => {
+                            if environment_clone.base_environment_id.is_none() {
+                                match rpc_client_clone
+                                    .remove_namespace_watch(
+                                        KubeController::kube_manager_rpc_context(),
+                                        environment_clone.namespace.clone(),
+                                    )
+                                    .await
+                                {
+                                    Ok(Ok(())) => {}
+                                    Ok(Err(err)) => warn!(
+                                        cluster_id = %environment_clone.cluster_id,
+                                        namespace = %environment_clone.namespace,
+                                        error = %err,
+                                        "Failed to remove namespace watch after environment deletion"
+                                    ),
+                                    Err(err) => warn!(
+                                        cluster_id = %environment_clone.cluster_id,
+                                        namespace = %environment_clone.namespace,
+                                        error = ?err,
+                                        "RPC error while removing namespace watch after environment deletion"
+                                    ),
+                                }
+                            }
+
+                            let event = EnvironmentLifecycleEvent {
+                                organization_id: environment_clone.organization_id,
+                                environment_id: env_id,
+                                status: KubeEnvironmentStatus::Deleted,
+                                paused_at: environment_clone
+                                    .paused_at
+                                    .as_ref()
+                                    .map(|dt| dt.to_string()),
+                                resumed_at: environment_clone
+                                    .resumed_at
+                                    .as_ref()
+                                    .map(|dt| dt.to_string()),
+                                updated_at: Utc::now(),
+                            };
+                            controller.publish_environment_event(event).await;
+                        }
+                        Err(err) => {
+                            error!(
+                                environment_id = %env_id,
+                                error = ?err,
+                                "failed to delete environment record after resource cleanup"
+                            );
+                            let _ = controller
+                                .update_environment_status(
+                                    env_id,
+                                    KubeEnvironmentStatus::Error,
+                                    None,
+                                    None,
+                                )
+                                .await;
+                        }
+                    }
+                }
+                Err(err) => {
+                    error!(
+                        environment_id = %env_id,
+                        error = ?err,
+                        "failed to cleanup environment resources"
+                    );
+                    let _ = controller
+                        .update_environment_status(env_id, KubeEnvironmentStatus::Error, None, None)
+                        .await;
+                }
+            }
+        });
+
+        Ok(())
+    }
+
+    pub async fn pause_kube_environment(
+        &self,
+        _org_id: Uuid,
+        _user_id: Uuid,
+        environment_id: Uuid,
+    ) -> Result<(), ApiError> {
+        let environment = self
+            .db
+            .get_kube_environment(environment_id)
+            .await
+            .map_err(ApiError::from)?
+            .ok_or_else(|| ApiError::InvalidRequest("Environment not found".to_string()))?;
+
+        let status = KubeEnvironmentStatus::from_str(&environment.status)
+            .unwrap_or(KubeEnvironmentStatus::Creating);
+
+        match status {
+            KubeEnvironmentStatus::Running | KubeEnvironmentStatus::PauseFailed => {} // allowed transitions
+            KubeEnvironmentStatus::Paused => {
+                return Err(ApiError::InvalidRequest(
+                    "Environment is already paused".to_string(),
+                ))
+            }
+            _ => {
+                return Err(ApiError::InvalidRequest(format!(
+                    "Environment cannot be paused while it is in status {}",
+                    status
+                )))
+            }
+        }
+
+        self.update_environment_status(environment.id, KubeEnvironmentStatus::Pausing, None, None)
+            .await?;
+
+        let controller = self.clone();
+        tokio::spawn(async move {
+            if let Err(err) = controller.run_pause_environment(environment.id).await {
+                error!(
+                    environment_id = %environment.id,
+                    error = ?err,
+                    "Pause environment orchestration failed"
+                );
+                let _ = controller
+                    .update_environment_status(
+                        environment.id,
+                        KubeEnvironmentStatus::PauseFailed,
+                        None,
+                        None,
+                    )
+                    .await;
+            }
+        });
+
+        Ok(())
+    }
+
+    pub async fn resume_kube_environment(
+        &self,
+        org_id: Uuid,
+        user_id: Uuid,
+        environment_id: Uuid,
+    ) -> Result<(), ApiError> {
+        let environment = self
+            .db
+            .get_kube_environment(environment_id)
+            .await
+            .map_err(ApiError::from)?
+            .ok_or_else(|| ApiError::InvalidRequest("Environment not found".to_string()))?;
+
+        let status = KubeEnvironmentStatus::from_str(&environment.status)
+            .unwrap_or(KubeEnvironmentStatus::Creating);
+
+        match status {
+            KubeEnvironmentStatus::Paused
+            | KubeEnvironmentStatus::PauseFailed
+            | KubeEnvironmentStatus::ResumeFailed => {}
+            KubeEnvironmentStatus::Running => {
+                return Err(ApiError::InvalidRequest(
+                    "Environment is already running".to_string(),
+                ))
+            }
+            _ => {
+                return Err(ApiError::InvalidRequest(format!(
+                    "Environment cannot be resumed while it is in status {}",
+                    status
+                )))
+            }
+        }
+
+        self.update_environment_status(environment.id, KubeEnvironmentStatus::Resuming, None, None)
+            .await?;
+
+        let controller = self.clone();
+        tokio::spawn(async move {
+            if let Err(err) = controller.run_resume_environment(environment.id).await {
+                error!(
+                    environment_id = %environment.id,
+                    error = ?err,
+                    "Resume environment orchestration failed"
+                );
+                let _ = controller
+                    .update_environment_status(
+                        environment.id,
+                        KubeEnvironmentStatus::ResumeFailed,
+                        None,
+                        None,
+                    )
+                    .await;
+            }
+        });
+
+        Ok(())
+    }
+
+    /// Validate and get app catalog and cluster for environment creation
+    async fn validate_environment_creation(
+        &self,
+        org_id: Uuid,
+        app_catalog_id: Uuid,
+        cluster_id: Uuid,
+        is_shared: bool,
+    ) -> Result<
+        (
+            lapdev_db_entities::kube_app_catalog::Model,
+            lapdev_db_entities::kube_cluster::Model,
+        ),
+        ApiError,
+    > {
+        // Verify app catalog belongs to the organization
+        let app_catalog = self
+            .db
+            .get_app_catalog(app_catalog_id)
+            .await
+            .map_err(ApiError::from)?
+            .ok_or_else(|| ApiError::InvalidRequest("App catalog not found".to_string()))?;
+
+        if app_catalog.organization_id != org_id {
+            return Err(ApiError::Unauthorized);
+        }
+
+        // Verify cluster belongs to the organization
+        let cluster = self
+            .db
+            .get_kube_cluster(cluster_id)
+            .await
+            .map_err(ApiError::from)?
+            .ok_or_else(|| ApiError::InvalidRequest("Cluster not found".to_string()))?;
+
+        if cluster.organization_id != org_id {
+            return Err(ApiError::Unauthorized);
+        }
+
+        // Check if the cluster allows deployments for the requested environment type
+        if is_shared && !cluster.can_deploy_shared {
+            return Err(ApiError::InvalidRequest(
+                "Shared deployments are not allowed on this cluster".to_string(),
+            ));
+        }
+
+        if !is_shared && !cluster.can_deploy_personal {
+            return Err(ApiError::InvalidRequest(
+                "Personal deployments are not allowed on this cluster".to_string(),
+            ));
+        }
+
+        Ok((app_catalog, cluster))
+    }
+
+    pub async fn create_kube_environment(
+        &self,
+        org_id: Uuid,
+        user_id: Uuid,
+        app_catalog_id: Uuid,
+        cluster_id: Uuid,
+        name: String,
+        is_shared: bool,
+    ) -> Result<lapdev_common::kube::KubeEnvironment, ApiError> {
+        let name = Self::normalize_environment_name(name)?;
+
+        // Validate catalog and cluster
+        let (app_catalog, cluster) = self
+            .validate_environment_creation(org_id, app_catalog_id, cluster_id, is_shared)
+            .await?;
+
+        let server = self.require_cluster_server(cluster_id).await?;
+        let workloads = self.fetch_catalog_workloads(&app_catalog).await?;
+        let namespace = self
+            .generate_unique_namespace(cluster_id, Self::namespace_kind(is_shared))
+            .await?;
+        let environment_id = Uuid::new_v4();
+        let auth_token = rand_string(32);
+        let environment_namespace = namespace.clone();
+        let (workloads_with_resources, workload_details) = self
+            .prepare_catalog_workloads(
+                &app_catalog,
+                &cluster,
+                workloads,
+                environment_id,
+                &namespace,
+                &auth_token,
+            )
+            .await?;
+        let services_map = workloads_with_resources.services.clone();
+
+        let created_env = self
+            .persist_environment_creation(
+                environment_id,
+                org_id,
+                user_id,
+                app_catalog_id,
+                cluster_id,
+                name,
+                namespace,
+                is_shared,
+                app_catalog.sync_version,
+                workload_details,
+                services_map,
+                auth_token,
+            )
+            .await?;
+
+        // Ensure kube-manager begins watching the new namespace immediately.
+        if let Err(err) = server
+            .add_namespace_watch(environment_namespace.clone())
+            .await
+        {
+            warn!(
+                cluster_id = %cluster_id,
+                namespace = environment_namespace,
+                error = ?err,
+                "Failed to add namespace watch for new environment"
+            );
+        }
+
+        self.spawn_environment_deployment(server, created_env.clone(), workloads_with_resources);
+
+        Ok(Self::build_environment_response(
+            created_env,
+            app_catalog.name,
+            cluster.name,
+            None,
+            None,
+            None,
+        ))
+    }
+
+    fn normalize_environment_name(name: String) -> Result<String, ApiError> {
+        let trimmed = name.trim();
+        if trimmed.is_empty() {
+            return Err(ApiError::InvalidRequest(
+                "Environment name cannot be empty".to_string(),
+            ));
+        }
+        Ok(trimmed.to_string())
+    }
+
+    fn namespace_kind(is_shared: bool) -> EnvironmentNamespaceKind {
+        if is_shared {
+            EnvironmentNamespaceKind::Shared
+        } else {
+            EnvironmentNamespaceKind::Personal
+        }
+    }
+
+    async fn require_cluster_server(
+        &self,
+        cluster_id: Uuid,
+    ) -> Result<KubeClusterServer, ApiError> {
+        self.get_random_kube_cluster_server(cluster_id)
+            .await
+            .ok_or_else(|| {
+                ApiError::InvalidRequest(
+                    "No connected KubeManager for the environment target cluster".to_string(),
+                )
+            })
+    }
+
+    async fn fetch_catalog_workloads(
+        &self,
+        app_catalog: &lapdev_db_entities::kube_app_catalog::Model,
+    ) -> Result<Vec<KubeAppCatalogWorkload>, ApiError> {
+        let workloads = self
+            .db
+            .get_app_catalog_workloads(app_catalog.id)
+            .await
+            .map_err(ApiError::from)?;
+
+        if workloads.is_empty() {
+            return Err(ApiError::InvalidRequest(format!(
+                "No workloads found for app catalog '{}'",
+                app_catalog.name
+            )));
+        }
+
+        Ok(workloads)
+    }
+
+    async fn prepare_catalog_workloads(
+        &self,
+        app_catalog: &lapdev_db_entities::kube_app_catalog::Model,
+        cluster: &lapdev_db_entities::kube_cluster::Model,
+        workloads: Vec<KubeAppCatalogWorkload>,
+        environment_id: Uuid,
+        namespace: &str,
+        auth_token: &str,
+    ) -> Result<(KubeWorkloadsWithResources, Vec<NewEnvironmentWorkload>), ApiError> {
+        self.get_catalog_workloads_with_yaml_from_db(
+            app_catalog.cluster_id,
+            workloads,
+            &SidecarInjectionContext {
+                environment_id,
+                namespace,
+                auth_token,
+                manager_namespace: cluster.manager_namespace.as_deref(),
+            },
+        )
+        .await
+    }
+
+    async fn persist_environment_creation(
+        &self,
+        environment_id: Uuid,
+        org_id: Uuid,
+        user_id: Uuid,
+        app_catalog_id: Uuid,
+        cluster_id: Uuid,
+        name: String,
+        namespace: String,
+        is_shared: bool,
+        catalog_sync_version: i64,
+        workload_details: Vec<NewEnvironmentWorkload>,
+        services_map: HashMap<String, KubeServiceWithYaml>,
+        auth_token: String,
+    ) -> Result<lapdev_db_entities::kube_environment::Model, ApiError> {
+        match self
+            .db
+            .create_kube_environment(
+                environment_id,
+                org_id,
+                user_id,
+                app_catalog_id,
+                cluster_id,
+                name,
+                namespace,
+                KubeEnvironmentStatus::Creating.to_string(),
+                is_shared,
+                catalog_sync_version,
+                None,
+                workload_details,
+                services_map,
+                auth_token,
+            )
+            .await
+        {
+            Ok(env) => Ok(env),
+            Err(db_err) => {
+                if let Some(sea_orm::SqlErr::UniqueConstraintViolation(constraint)) =
+                    db_err.sql_err()
+                {
+                    if constraint == "kube_environment_app_cluster_namespace_unique_idx" {
+                        return Err(ApiError::InvalidRequest(
+                            "This app catalog is already deployed to the specified namespace in this cluster".to_string(),
+                        ));
+                    }
+                    if constraint == "kube_environment_cluster_namespace_unique_idx" {
+                        return Err(ApiError::InternalError(
+                            "Namespace allocation conflict. Please retry environment creation."
+                                .to_string(),
+                        ));
+                    }
+                }
+                Err(ApiError::from(anyhow::Error::from(db_err)))
+            }
+        }
+    }
+
+    fn spawn_environment_deployment(
+        &self,
+        server: KubeClusterServer,
+        created_env: lapdev_db_entities::kube_environment::Model,
+        workloads_with_resources: KubeWorkloadsWithResources,
+    ) {
+        let controller = self.clone();
+        let server_clone = server.clone();
+        let env_for_task = created_env.clone();
+
+        tokio::spawn(async move {
+            match controller
+                .deploy_environment_resources(
+                    &server_clone,
+                    &env_for_task,
+                    workloads_with_resources,
+                    None,
+                )
+                .await
+            {
+                Ok(_) => {
+                    if let Err(err) = controller
+                        .update_environment_status(
+                            env_for_task.id,
+                            KubeEnvironmentStatus::Running,
+                            None,
+                            None,
+                        )
+                        .await
+                    {
+                        error!(
+                            environment_id = %env_for_task.id,
+                            error = ?err,
+                            "failed to mark environment as running after creation"
+                        );
+                    }
+                }
+                Err(err) => {
+                    error!(
+                        environment_id = %env_for_task.id,
+                        error = ?err,
+                        "environment creation deployment failed"
+                    );
+                    if let Err(status_err) = controller
+                        .update_environment_status(
+                            env_for_task.id,
+                            KubeEnvironmentStatus::Error,
+                            None,
+                            None,
+                        )
+                        .await
+                    {
+                        error!(
+                            environment_id = %env_for_task.id,
+                            error = ?status_err,
+                            "failed to mark environment as errored after deployment failure"
+                        );
+                    }
+                }
+            }
+        });
+    }
+
+    /// Validate base environment for branch creation
+    async fn validate_base_environment(
+        &self,
+        org_id: Uuid,
+        base_environment_id: Uuid,
+    ) -> Result<
+        (
+            lapdev_db_entities::kube_environment::Model,
+            lapdev_db_entities::kube_cluster::Model,
+            lapdev_db_entities::kube_app_catalog::Model,
+        ),
+        ApiError,
+    > {
+        // Get the base environment
+        let base_environment = self
+            .db
+            .get_kube_environment(base_environment_id)
+            .await
+            .map_err(ApiError::from)?
+            .ok_or_else(|| ApiError::InvalidRequest("Base environment not found".to_string()))?;
+
+        // Verify base environment belongs to the same organization
+        if base_environment.organization_id != org_id {
+            return Err(ApiError::Unauthorized);
+        }
+
+        // Verify base environment is shared (only shared environments can be used as base)
+        if !base_environment.is_shared {
+            return Err(ApiError::InvalidRequest(
+                "Only shared environments can be used as base environments".to_string(),
+            ));
+        }
+
+        // Verify base environment is not itself a branch environment
+        if base_environment.base_environment_id.is_some() {
+            return Err(ApiError::InvalidRequest(
+                "Cannot create a branch from another branch environment".to_string(),
+            ));
+        }
+
+        // Get the cluster
+        let cluster = self
+            .db
+            .get_kube_cluster(base_environment.cluster_id)
+            .await
+            .map_err(ApiError::from)?
+            .ok_or_else(|| ApiError::InvalidRequest("Cluster not found".to_string()))?;
+
+        // Get app catalog
+        let app_catalog = self
+            .db
+            .get_app_catalog(base_environment.app_catalog_id)
+            .await
+            .map_err(ApiError::from)?
+            .ok_or_else(|| ApiError::InvalidRequest("App catalog not found".to_string()))?;
+
+        Ok((base_environment, cluster, app_catalog))
+    }
+
+    fn strip_sidecar_proxy_from_yaml(
+        kind: &KubeWorkloadKind,
+        yaml: &str,
+    ) -> Result<String, ApiError> {
+        match kind {
+            KubeWorkloadKind::Deployment => {
+                let mut deployment: Deployment = serde_yaml::from_str(yaml).map_err(|err| {
+                    ApiError::InvalidRequest(format!(
+                        "Failed to parse deployment YAML while stripping lapdev-sidecar-proxy: {err}"
+                    ))
+                })?;
+                if let Some(spec) = deployment.spec.as_mut() {
+                    if let Some(pod_spec) = spec.template.spec.as_mut() {
+                        Self::strip_sidecar_proxy_from_pod_spec(pod_spec);
+                    }
+                }
+                serde_yaml::to_string(&deployment).map_err(|err| {
+                    ApiError::InvalidRequest(format!(
+                        "Failed to serialize deployment YAML after stripping lapdev-sidecar-proxy: {err}"
+                    ))
+                })
+            }
+            KubeWorkloadKind::StatefulSet => {
+                let mut statefulset: StatefulSet = serde_yaml::from_str(yaml).map_err(|err| {
+                    ApiError::InvalidRequest(format!(
+                        "Failed to parse statefulset YAML while stripping lapdev-sidecar-proxy: {err}"
+                    ))
+                })?;
+                if let Some(spec) = statefulset.spec.as_mut() {
+                    if let Some(pod_spec) = spec.template.spec.as_mut() {
+                        Self::strip_sidecar_proxy_from_pod_spec(pod_spec);
+                    }
+                }
+                serde_yaml::to_string(&statefulset).map_err(|err| {
+                    ApiError::InvalidRequest(format!(
+                        "Failed to serialize statefulset YAML after stripping lapdev-sidecar-proxy: {err}"
+                    ))
+                })
+            }
+            KubeWorkloadKind::DaemonSet => {
+                let mut daemonset: DaemonSet = serde_yaml::from_str(yaml).map_err(|err| {
+                    ApiError::InvalidRequest(format!(
+                        "Failed to parse daemonset YAML while stripping lapdev-sidecar-proxy: {err}"
+                    ))
+                })?;
+                if let Some(spec) = daemonset.spec.as_mut() {
+                    if let Some(pod_spec) = spec.template.spec.as_mut() {
+                        Self::strip_sidecar_proxy_from_pod_spec(pod_spec);
+                    }
+                }
+                serde_yaml::to_string(&daemonset).map_err(|err| {
+                    ApiError::InvalidRequest(format!(
+                        "Failed to serialize daemonset YAML after stripping lapdev-sidecar-proxy: {err}"
+                    ))
+                })
+            }
+            KubeWorkloadKind::ReplicaSet => {
+                let mut replicaset: ReplicaSet = serde_yaml::from_str(yaml).map_err(|err| {
+                    ApiError::InvalidRequest(format!(
+                        "Failed to parse replicaset YAML while stripping lapdev-sidecar-proxy: {err}"
+                    ))
+                })?;
+                if let Some(spec) = replicaset.spec.as_mut() {
+                    if let Some(template) = spec.template.as_mut() {
+                        if let Some(pod_spec) = template.spec.as_mut() {
+                            Self::strip_sidecar_proxy_from_pod_spec(pod_spec);
+                        }
+                    }
+                }
+                serde_yaml::to_string(&replicaset).map_err(|err| {
+                    ApiError::InvalidRequest(format!(
+                        "Failed to serialize replicaset YAML after stripping lapdev-sidecar-proxy: {err}"
+                    ))
+                })
+            }
+            KubeWorkloadKind::Pod => {
+                let mut pod: Pod = serde_yaml::from_str(yaml).map_err(|err| {
+                    ApiError::InvalidRequest(format!(
+                        "Failed to parse pod YAML while stripping lapdev-sidecar-proxy: {err}"
+                    ))
+                })?;
+                if let Some(pod_spec) = pod.spec.as_mut() {
+                    Self::strip_sidecar_proxy_from_pod_spec(pod_spec);
+                }
+                serde_yaml::to_string(&pod).map_err(|err| {
+                    ApiError::InvalidRequest(format!(
+                        "Failed to serialize pod YAML after stripping lapdev-sidecar-proxy: {err}"
+                    ))
+                })
+            }
+            KubeWorkloadKind::Job => {
+                let mut job: Job = serde_yaml::from_str(yaml).map_err(|err| {
+                    ApiError::InvalidRequest(format!(
+                        "Failed to parse job YAML while stripping lapdev-sidecar-proxy: {err}"
+                    ))
+                })?;
+                if let Some(spec) = job.spec.as_mut() {
+                    if let Some(pod_spec) = spec.template.spec.as_mut() {
+                        Self::strip_sidecar_proxy_from_pod_spec(pod_spec);
+                    }
+                }
+                serde_yaml::to_string(&job).map_err(|err| {
+                    ApiError::InvalidRequest(format!(
+                        "Failed to serialize job YAML after stripping lapdev-sidecar-proxy: {err}"
+                    ))
+                })
+            }
+            KubeWorkloadKind::CronJob => {
+                let mut cronjob: CronJob = serde_yaml::from_str(yaml).map_err(|err| {
+                    ApiError::InvalidRequest(format!(
+                        "Failed to parse cronjob YAML while stripping lapdev-sidecar-proxy: {err}"
+                    ))
+                })?;
+                if let Some(spec) = cronjob.spec.as_mut() {
+                    if let Some(job_spec) = spec.job_template.spec.as_mut() {
+                        if let Some(pod_spec) = job_spec.template.spec.as_mut() {
+                            Self::strip_sidecar_proxy_from_pod_spec(pod_spec);
+                        }
+                    }
+                }
+                serde_yaml::to_string(&cronjob).map_err(|err| {
+                    ApiError::InvalidRequest(format!(
+                        "Failed to serialize cronjob YAML after stripping lapdev-sidecar-proxy: {err}"
+                    ))
+                })
+            }
+        }
+    }
+
+    fn strip_sidecar_proxy_from_pod_spec(pod_spec: &mut PodSpec) {
+        const SIDECAR_NAME: &str = "lapdev-sidecar-proxy";
+        pod_spec
+            .containers
+            .retain(|container| container.name != SIDECAR_NAME);
+        if let Some(init_containers) = pod_spec.init_containers.as_mut() {
+            init_containers.retain(|container| container.name != SIDECAR_NAME);
+        }
+    }
+
+    fn restore_service_target_ports(
+        service_yaml: String,
+        ports: &mut [KubeServicePort],
+    ) -> Result<String, ApiError> {
+        let mut service: Service = serde_yaml::from_str(&service_yaml).map_err(|err| {
+            ApiError::InvalidRequest(format!(
+                "Failed to parse service YAML while restoring lapdev-sidecar proxy targets: {err}"
+            ))
+        })?;
+
+        let mut target_map: HashMap<(Option<String>, i32), i32> = HashMap::new();
+        for port in ports.iter_mut() {
+            if let Some(original_target) = port.original_target_port {
+                port.target_port = Some(original_target);
+                target_map.insert((port.name.clone(), port.port), original_target);
+            }
+        }
+
+        if let Some(spec) = service.spec.as_mut() {
+            if let Some(spec_ports) = spec.ports.as_mut() {
+                for spec_port in spec_ports.iter_mut() {
+                    let key = (spec_port.name.clone(), spec_port.port);
+                    if let Some(original) = target_map
+                        .get(&key)
+                        .or_else(|| target_map.get(&(None, spec_port.port)))
+                    {
+                        spec_port.target_port = Some(IntOrString::Int(*original));
+                    }
+                }
+            }
+        }
+
+        serde_yaml::to_string(&service).map_err(|err| {
+            ApiError::InvalidRequest(format!(
+                "Failed to serialize service YAML after restoring lapdev-sidecar proxy targets: {err}"
+            ))
+        })
+    }
+
+    fn branch_resource_name(name: &str, branch_environment_id: Uuid) -> String {
+        let env_suffix = branch_environment_id.to_string();
+        if name.ends_with(&env_suffix) {
+            name.to_string()
+        } else {
+            format!("{}-{}", name, branch_environment_id)
+        }
+    }
+
+    fn strip_branch_suffix(name: &str, branch_environment_id: Uuid) -> String {
+        let suffix = format!("-{}", branch_environment_id);
+        if name.ends_with(&suffix) {
+            name[..name.len() - suffix.len()].to_string()
+        } else {
+            name.to_string()
+        }
+    }
+
+    fn build_branch_workload_details(
+        workload: &lapdev_common::kube::KubeEnvironmentWorkload,
+        namespace: &str,
+        branch_environment_id: Uuid,
+    ) -> Result<(NewEnvironmentWorkload, String), ApiError> {
+        let kind: KubeWorkloadKind = workload.kind.parse().map_err(|_| {
+            ApiError::InvalidRequest(format!(
+                "Invalid workload kind {} in base environment",
+                workload.kind
+            ))
+        })?;
+
+        if workload.workload_yaml.trim().is_empty() {
+            return Err(ApiError::InvalidRequest(format!(
+                "Base workload {} is missing YAML",
+                workload.name
+            )));
+        }
+
+        let branch_name = Self::branch_resource_name(&workload.name, branch_environment_id);
+        let sanitized_yaml = Self::strip_sidecar_proxy_from_yaml(&kind, &workload.workload_yaml)?;
+        let mut workload_yaml = Self::wrap_workload_yaml(kind.clone(), sanitized_yaml);
+        let selector = build_branch_service_selector(&branch_name);
+        rename_workload_yaml(&mut workload_yaml, &branch_name, &selector)?;
+        let workload_yaml_string = Self::workload_yaml_to_string(&workload_yaml);
+
+        let mut containers = workload.containers.clone();
+        for container in &mut containers {
+            container.original_env_vars = container.env_vars.clone();
+            container.env_vars.clear();
+
+            match &container.image {
+                KubeContainerImage::Custom(custom_image) => {
+                    container.original_image = custom_image.clone();
+                    container.image = KubeContainerImage::FollowOriginal;
+                }
+                KubeContainerImage::FollowOriginal => {}
+            }
+        }
+
+        let env_workload_id = Uuid::new_v4();
+        let details = KubeWorkloadDetails {
+            name: branch_name.clone(),
+            namespace: namespace.to_string(),
+            kind,
+            containers,
+            ports: workload.ports.clone(),
+            workload_yaml: workload_yaml_string,
+            base_workload_id: Some(workload.id),
+        };
+
+        Ok((
+            NewEnvironmentWorkload {
+                id: env_workload_id,
+                details,
+            },
+            branch_name,
+        ))
+    }
+
+    fn service_targets_workload(
+        service: &lapdev_common::kube::KubeEnvironmentService,
+        base_workload_name: &str,
+        branch_workload_name: &str,
+    ) -> bool {
+        if service.name == base_workload_name || service.name == branch_workload_name {
+            return true;
+        }
+        service
+            .selector
+            .values()
+            .any(|value| value == base_workload_name || value == branch_workload_name)
+    }
+
+    fn build_branch_service_entry(
+        service: &lapdev_common::kube::KubeEnvironmentService,
+        branch_environment_id: Uuid,
+        branch_workload_name: &str,
+    ) -> Result<lapdev_common::kube::KubeServiceWithYaml, ApiError> {
+        let branch_service_name = Self::branch_resource_name(&service.name, branch_environment_id);
+        let branch_selector = build_branch_service_selector(branch_workload_name);
+        let renamed_yaml =
+            rename_service_yaml(&service.yaml, &branch_service_name, &branch_selector)?;
+        let mut ports = service.ports.clone();
+        let restored_yaml = Self::restore_service_target_ports(renamed_yaml, &mut ports)?;
+        Ok(lapdev_common::kube::KubeServiceWithYaml {
+            yaml: restored_yaml,
+            details: KubeServiceDetails {
+                name: branch_service_name,
+                ports,
+                selector: branch_selector,
+            },
+        })
+    }
+
+    pub(super) async fn ensure_branch_workload_override(
+        &self,
+        environment: &lapdev_db_entities::kube_environment::Model,
+        base_workload: &lapdev_common::kube::KubeEnvironmentWorkload,
+    ) -> Result<lapdev_common::kube::KubeEnvironmentWorkload, ApiError> {
+        environment.base_environment_id.ok_or_else(|| {
+            ApiError::InvalidRequest("Branch environment missing base environment".to_string())
+        })?;
+
+        if let Some(existing) = self
+            .db
+            .get_branch_workload_override(base_workload.id, environment.id)
+            .await
+            .map_err(ApiError::from)?
+        {
+            return Ok(existing);
+        }
+
+        let (new_workload, branch_workload_name) = Self::build_branch_workload_details(
+            base_workload,
+            &environment.namespace,
+            environment.id,
+        )?;
+
+        let inserted = self
+            .db
+            .insert_environment_workload(
+                environment.id,
+                new_workload,
+                environment.catalog_sync_version,
+            )
+            .await
+            .map_err(ApiError::from)?;
+
+        self.ensure_branch_services_for_workload(
+            environment,
+            &base_workload.name,
+            &branch_workload_name,
+        )
+        .await?;
+
+        self.db
+            .get_environment_workload(inserted.id)
+            .await
+            .map_err(ApiError::from)?
+            .ok_or_else(|| {
+                ApiError::InternalError(
+                    "Failed to load newly created branch workload from database".to_string(),
+                )
+            })
+    }
+
+    async fn reapply_branch_overrides_from_base(
+        &self,
+        branch_environment: &lapdev_db_entities::kube_environment::Model,
+        base_environment: &lapdev_db_entities::kube_environment::Model,
+    ) -> Result<(), ApiError> {
+        let branch_workloads = self
+            .db
+            .get_environment_workloads(branch_environment.id)
+            .await
+            .map_err(ApiError::from)?;
+
+        if branch_workloads.is_empty() {
+            return Ok(());
+        }
+
+        let base_workloads = self
+            .db
+            .get_environment_workloads(base_environment.id)
+            .await
+            .map_err(ApiError::from)?;
+
+        let mut base_workloads_by_name = HashMap::with_capacity(base_workloads.len());
+        for workload in base_workloads {
+            base_workloads_by_name.insert(workload.name.clone(), workload);
+        }
+
+        let base_services = self
+            .db
+            .get_environment_services(base_environment.id)
+            .await
+            .map_err(ApiError::from)?;
+
+        let Some(base_environment_id) = branch_environment.base_environment_id else {
+            return Err(ApiError::InvalidRequest(
+                "Branch environment missing base environment".to_string(),
+            ));
+        };
+
+        let cluster_server = self
+            .get_random_kube_cluster_server(branch_environment.cluster_id)
+            .await
+            .ok_or_else(|| {
+                ApiError::InvalidRequest(
+                    "No connected KubeManager for the environment target cluster".to_string(),
+                )
+            })?;
+
+        for branch_workload in branch_workloads {
+            let branch_workload_name = branch_workload.name.clone();
+            let base_name = Self::strip_branch_suffix(&branch_workload_name, branch_environment.id);
+
+            let Some(base_workload) = base_workloads_by_name.get(&base_name) else {
+                tracing::warn!(
+                    environment_id = %branch_environment.id,
+                    workload = %branch_workload_name,
+                    "Skipping branch workload rebase because base workload no longer exists"
+                );
+                continue;
+            };
+
+            self.refresh_branch_services_for_workload(
+                branch_environment,
+                &base_name,
+                &branch_workload_name,
+                &base_services,
+            )
+            .await?;
+
+            let (template_workload, _) = Self::build_branch_workload_details(
+                base_workload,
+                &branch_environment.namespace,
+                branch_environment.id,
+            )?;
+
+            let KubeWorkloadDetails {
+                workload_yaml: template_yaml,
+                containers: template_containers,
+                ..
+            } = template_workload.details;
+
+            let merged_containers =
+                Self::merge_branch_containers(&template_containers, &branch_workload.containers);
+
+            let mut updated_workload = branch_workload.clone();
+            updated_workload.workload_yaml = template_yaml;
+            updated_workload.base_workload_id = Some(base_workload.id);
+
+            let kind = KubeWorkloadKind::from_str(&updated_workload.kind).map_err(|_| {
+                ApiError::InvalidRequest(format!(
+                    "Invalid workload kind {} when rebasing branch workload",
+                    updated_workload.kind
+                ))
+            })?;
+
+            let (workload_with_resources, persisted_yaml, extra_labels) = self
+                .build_branch_workload_manifest(
+                    branch_environment,
+                    &updated_workload,
+                    kind,
+                    &merged_containers,
+                )
+                .await?;
+
+            self.deploy_environment_resources(
+                &cluster_server,
+                branch_environment,
+                KubeWorkloadsWithResources {
+                    workloads: vec![workload_with_resources.workload],
+                    services: workload_with_resources.services,
+                    configmaps: workload_with_resources.configmaps,
+                    secrets: workload_with_resources.secrets,
+                },
+                Some(extra_labels),
+            )
+            .await?;
+
+            match cluster_server
+                .build_branch_service_route_config(
+                    base_environment,
+                    base_workload.id,
+                    branch_environment.id,
+                )
+                .await
+            {
+                Ok(Some(route)) => {
+                    Self::send_branch_service_route_update(
+                        &cluster_server,
+                        base_environment_id,
+                        base_workload.id,
+                        branch_environment.id,
+                        route,
+                    )
+                    .await;
+                }
+                Ok(None) => {
+                    Self::send_branch_service_route_removal(
+                        &cluster_server,
+                        base_environment_id,
+                        base_workload.id,
+                        branch_environment.id,
+                    )
+                    .await;
+                }
+                Err(err) => {
+                    tracing::warn!(
+                        base_environment_id = %base_environment_id,
+                        branch_environment_id = %branch_environment.id,
+                        workload_id = %base_workload.id,
+                        error = ?err,
+                        "Failed to build branch service route config during rebase; falling back to refresh"
+                    );
+                    Self::refresh_branch_service_routes_with_logging(
+                        &cluster_server,
+                        base_environment_id,
+                    )
+                    .await;
+                }
+            }
+
+            self.db
+                .update_environment_workload(branch_workload.id, merged_containers, persisted_yaml)
+                .await
+                .map_err(ApiError::from)?;
+
+            self.db
+                .update_branch_workload_link(
+                    branch_workload.id,
+                    base_workload.id,
+                    base_environment.catalog_sync_version,
+                )
+                .await
+                .map_err(ApiError::from)?;
+        }
+
+        Ok(())
+    }
+
+    async fn refresh_branch_services_for_workload(
+        &self,
+        branch_environment: &lapdev_db_entities::kube_environment::Model,
+        base_workload_name: &str,
+        branch_workload_name: &str,
+        base_services: &[KubeEnvironmentService],
+    ) -> Result<(), ApiError> {
+        let mut desired_services = Vec::new();
+        for service in base_services {
+            if Self::service_targets_workload(service, base_workload_name, branch_workload_name) {
+                desired_services.push(Self::build_branch_service_entry(
+                    service,
+                    branch_environment.id,
+                    branch_workload_name,
+                )?);
+            }
+        }
+
+        let desired_names: HashSet<String> = desired_services
+            .iter()
+            .map(|svc| svc.details.name.clone())
+            .collect();
+
+        let existing_services = self
+            .db
+            .get_environment_services(branch_environment.id)
+            .await
+            .map_err(ApiError::from)?;
+
+        for service in existing_services {
+            if Self::service_targets_workload(&service, base_workload_name, branch_workload_name)
+                && !desired_names.contains(&service.name)
+            {
+                self.db
+                    .soft_delete_environment_service(branch_environment.id, &service.name)
+                    .await
+                    .map_err(ApiError::from)?;
+            }
+        }
+
+        for entry in desired_services {
+            self.db
+                .soft_delete_environment_service(branch_environment.id, &entry.details.name)
+                .await
+                .map_err(ApiError::from)?;
+            self.db
+                .insert_environment_service(
+                    branch_environment.id,
+                    &branch_environment.namespace,
+                    entry,
+                )
+                .await
+                .map_err(ApiError::from)?;
+        }
+
+        Ok(())
+    }
+
+    fn merge_branch_containers(
+        template_containers: &[lapdev_common::kube::KubeContainerInfo],
+        branch_containers: &[lapdev_common::kube::KubeContainerInfo],
+    ) -> Vec<lapdev_common::kube::KubeContainerInfo> {
+        template_containers
+            .iter()
+            .map(|template| {
+                let mut merged = template.clone();
+                if let Some(branch) = branch_containers
+                    .iter()
+                    .find(|container| container.name == template.name)
+                {
+                    merged.image = branch.image.clone();
+                    merged.cpu_request = branch.cpu_request.clone();
+                    merged.cpu_limit = branch.cpu_limit.clone();
+                    merged.memory_request = branch.memory_request.clone();
+                    merged.memory_limit = branch.memory_limit.clone();
+                    merged.env_vars = branch.env_vars.clone();
+                    merged.ports = branch.ports.clone();
+                }
+                merged
+            })
+            .collect()
+    }
+
+    async fn relink_branch_overrides(
+        &self,
+        base_environment: &lapdev_db_entities::kube_environment::Model,
+        replacements: &[(Uuid, Uuid)],
+        new_catalog_sync_version: i64,
+    ) -> Result<(), ApiError> {
+        if replacements.is_empty() {
+            return Ok(());
+        }
+
+        for (old_base_id, new_base_id) in replacements {
+            let branch_workloads = self
+                .db
+                .get_workloads_by_base_workload_id(*old_base_id)
+                .await
+                .map_err(ApiError::from)?;
+
+            for branch_workload in branch_workloads {
+                if branch_workload.environment_id == base_environment.id {
+                    continue;
+                }
+
+                self.db
+                    .update_branch_workload_link(
+                        branch_workload.id,
+                        *new_base_id,
+                        new_catalog_sync_version,
+                    )
+                    .await
+                    .map_err(ApiError::from)?;
+            }
+        }
+
+        Ok(())
+    }
+
+    async fn ensure_branch_services_for_workload(
+        &self,
+        environment: &lapdev_db_entities::kube_environment::Model,
+        base_workload_name: &str,
+        branch_workload_name: &str,
+    ) -> Result<(), ApiError> {
+        let base_environment_id = environment.base_environment_id.ok_or_else(|| {
+            ApiError::InvalidRequest("Branch environment missing base environment".to_string())
+        })?;
+
+        let base_services = self
+            .db
+            .get_environment_services(base_environment_id)
+            .await
+            .map_err(ApiError::from)?;
+        let existing_services = self
+            .db
+            .get_environment_services(environment.id)
+            .await
+            .map_err(ApiError::from)?;
+        let mut existing_names: HashSet<String> = HashSet::new();
+        for svc in existing_services {
+            existing_names.insert(svc.name.clone());
+            existing_names.insert(Self::strip_branch_suffix(&svc.name, environment.id));
+        }
+
+        for service in base_services {
+            if !Self::service_targets_workload(&service, base_workload_name, branch_workload_name) {
+                continue;
+            }
+
+            let base_service_name = service.name.clone();
+            let branch_service_name =
+                Self::branch_resource_name(&base_service_name, environment.id);
+            if existing_names.contains(&base_service_name)
+                || existing_names.contains(&branch_service_name)
+            {
+                continue;
+            }
+
+            let branch_entry =
+                Self::build_branch_service_entry(&service, environment.id, branch_workload_name)?;
+            let inserted_name = branch_entry.details.name.clone();
+            self.db
+                .insert_environment_service(environment.id, &environment.namespace, branch_entry)
+                .await
+                .map_err(ApiError::from)?;
+            existing_names.insert(base_service_name);
+            existing_names.insert(inserted_name);
+        }
+
+        Ok(())
+    }
+
+    fn workload_kind_to_resource_kind(kind: &KubeWorkloadKind) -> NamespacedResourceKind {
+        match kind {
+            KubeWorkloadKind::Deployment => NamespacedResourceKind::Deployment,
+            KubeWorkloadKind::StatefulSet => NamespacedResourceKind::StatefulSet,
+            KubeWorkloadKind::DaemonSet => NamespacedResourceKind::DaemonSet,
+            KubeWorkloadKind::ReplicaSet => NamespacedResourceKind::ReplicaSet,
+            KubeWorkloadKind::Pod => NamespacedResourceKind::Pod,
+            KubeWorkloadKind::Job => NamespacedResourceKind::Job,
+            KubeWorkloadKind::CronJob => NamespacedResourceKind::CronJob,
+        }
+    }
+
+    fn workload_yaml_to_string(workload: &KubeWorkloadYamlOnly) -> String {
+        match workload {
+            KubeWorkloadYamlOnly::Deployment(yaml)
+            | KubeWorkloadYamlOnly::StatefulSet(yaml)
+            | KubeWorkloadYamlOnly::DaemonSet(yaml)
+            | KubeWorkloadYamlOnly::ReplicaSet(yaml)
+            | KubeWorkloadYamlOnly::Pod(yaml)
+            | KubeWorkloadYamlOnly::Job(yaml)
+            | KubeWorkloadYamlOnly::CronJob(yaml) => yaml.clone(),
+        }
+    }
+
+    /// Notify devbox-proxy about new branch environment
+    async fn notify_branch_environment_creation(
+        &self,
+        base_environment_id: Uuid,
+        cluster_id: Uuid,
+        created_env: &lapdev_db_entities::kube_environment::Model,
+    ) {
+        if let Some(server) = self.get_random_kube_cluster_server(cluster_id).await {
+            let branch_info = lapdev_kube_rpc::BranchEnvironmentInfo {
+                environment_id: created_env.id,
+                auth_token: created_env.auth_token.clone(),
+                namespace: created_env.namespace.clone(),
+            };
+
+            match server
+                .rpc_client
+                .add_branch_environment(
+                    Self::kube_manager_rpc_context(),
+                    base_environment_id,
+                    branch_info,
+                )
+                .await
+            {
+                Ok(Ok(())) => {
+                    tracing::info!(
+                        "Successfully notified devbox-proxy about new branch environment {}",
+                        created_env.id
+                    );
+                }
+                Ok(Err(e)) => {
+                    tracing::error!(
+                        "Failed to notify devbox-proxy about new branch environment {}: {}",
+                        created_env.id,
+                        e
+                    );
+                }
+                Err(e) => {
+                    tracing::error!(
+                        "RPC call failed when notifying about new branch environment {}: {}",
+                        created_env.id,
+                        e
+                    );
+                }
+            }
+        } else {
+            tracing::warn!(
+                "No connected KubeManager for cluster {} - branch environment {} not registered with devbox-proxy",
+                cluster_id,
+                created_env.id
+            );
+        }
+    }
+
+    pub async fn create_branch_environment(
+        &self,
+        org_id: Uuid,
+        user_id: Uuid,
+        base_environment_id: Uuid,
+        name: String,
+    ) -> Result<lapdev_common::kube::KubeEnvironment, ApiError> {
+        let name = name.trim();
+        if name.is_empty() {
+            return Err(ApiError::InvalidRequest(
+                "Environment name cannot be empty".to_string(),
+            ));
+        }
+        let name = name.to_string();
+
+        // Validate base environment
+        let (base_environment, cluster, app_catalog) = self
+            .validate_base_environment(org_id, base_environment_id)
+            .await?;
+
+        let branch_environment_id = Uuid::new_v4();
+        let auth_token = rand_string(32);
+        let namespace = base_environment.namespace.clone();
+
+        // Create environment in database
+        let mut created_env = match self
+            .db
+            .create_kube_environment(
+                branch_environment_id,
+                org_id,
+                user_id,
+                base_environment.app_catalog_id,
+                base_environment.cluster_id,
+                name.clone(),
+                namespace.clone(),
+                KubeEnvironmentStatus::Creating.to_string(),
+                false, // Branch environments are always personal (not shared)
+                base_environment.catalog_sync_version,
+                Some(base_environment_id), // Set the base environment reference
+                Vec::new(),
+                HashMap::new(),
+                auth_token.clone(),
+            )
+            .await
+        {
+            Ok(env) => env,
+            Err(db_err) => {
+                if let Some(sea_orm::SqlErr::UniqueConstraintViolation(constraint)) =
+                    db_err.sql_err()
+                {
+                    if constraint == "kube_environment_cluster_namespace_unique_idx" {
+                        return Err(ApiError::InternalError(
+                            "Namespace allocation conflict. Please retry branch environment creation.".to_string(),
+                        ));
+                    }
+                }
+                return Err(ApiError::from(anyhow::Error::from(db_err)));
+            }
+        };
+
+        // Notify kube-manager about the new branch environment
+        self.notify_branch_environment_creation(
+            base_environment_id,
+            base_environment.cluster_id,
+            &created_env,
+        )
+        .await;
+
+        self.update_environment_status(created_env.id, KubeEnvironmentStatus::Running, None, None)
+            .await?;
+        created_env.status = KubeEnvironmentStatus::Running.to_string();
+
+        // Build and return response
+        Ok(Self::build_environment_response(
+            created_env,
+            app_catalog.name,
+            cluster.name,
+            Some(base_environment.name),
+            Some(base_environment.catalog_sync_version),
+            base_environment.last_catalog_synced_at,
+        ))
+    }
+
+    /// Authorize and validate that the environment can be synced from catalog
+    async fn authorize_and_validate_sync(
+        &self,
+        org_id: Uuid,
+        user_id: Uuid,
+        environment_id: Uuid,
+    ) -> Result<
+        (
+            lapdev_db_entities::kube_environment::Model,
+            lapdev_db_entities::kube_app_catalog::Model,
+        ),
+        ApiError,
+    > {
+        let environment = self
+            .db
+            .get_kube_environment(environment_id)
+            .await
+            .map_err(ApiError::from)?
+            .ok_or_else(|| ApiError::InvalidRequest("Environment not found".to_string()))?;
+
+        if environment.organization_id != org_id {
+            return Err(ApiError::Unauthorized);
+        }
+
+        if !environment.is_shared && environment.user_id != user_id {
+            return Err(ApiError::Unauthorized);
+        }
+
+        if environment.base_environment_id.is_some() {
+            return Err(ApiError::InvalidRequest(
+                "Branch environments must be rebased from their shared environment".to_string(),
+            ));
+        }
+
+        let catalog = self
+            .db
+            .get_app_catalog(environment.app_catalog_id)
+            .await
+            .map_err(ApiError::from)?
+            .ok_or_else(|| ApiError::InvalidRequest("App catalog not found".to_string()))?;
+
+        if catalog.organization_id != org_id {
+            return Err(ApiError::Unauthorized);
+        }
+
+        if catalog.sync_version == environment.catalog_sync_version {
+            return Err(ApiError::InvalidRequest(
+                "Environment is already up to date".to_string(),
+            ));
+        }
+
+        Ok((environment, catalog))
+    }
+
+    /// Determine which workloads need to be synced by comparing sync versions
+    async fn determine_workloads_to_sync(
+        &self,
+        environment_id: Uuid,
+        catalog_id: Uuid,
+    ) -> Result<
+        (
+            Vec<lapdev_common::kube::KubeAppCatalogWorkload>,
+            Vec<lapdev_common::kube::KubeAppCatalogWorkload>,
+        ),
+        ApiError,
+    > {
+        // Get existing environment workloads
+        let existing_workloads = self
+            .db
+            .get_environment_workloads(environment_id)
+            .await
+            .map_err(ApiError::from)?;
+
+        // Build a map of existing workloads by name for quick lookup
+        let existing_workloads_map: std::collections::HashMap<String, _> = existing_workloads
+            .into_iter()
+            .map(|w| (w.name.clone(), w))
+            .collect();
+
+        let catalog_workloads = self
+            .db
+            .get_app_catalog_workloads(catalog_id)
+            .await
+            .map_err(ApiError::from)?;
+
+        // Determine which workloads need to be deployed (added or updated)
+        let workloads_to_deploy: Vec<_> = catalog_workloads
+            .iter()
+            .filter(|catalog_workload| {
+                match existing_workloads_map.get(&catalog_workload.name) {
+                    Some(existing_workload) => {
+                        // Workload needs update if catalog version is newer
+                        catalog_workload.catalog_sync_version
+                            > existing_workload.catalog_sync_version
+                    }
+                    None => {
+                        // New workload, needs to be deployed
+                        true
+                    }
+                }
+            })
+            .cloned()
+            .collect();
+
+        Ok((catalog_workloads, workloads_to_deploy))
+    }
+
+    /// Deploy changed workloads to Kubernetes
+    async fn perform_workload_deployment(
+        &self,
+        environment: &lapdev_db_entities::kube_environment::Model,
+        catalog: &lapdev_db_entities::kube_app_catalog::Model,
+        workloads_to_deploy: &[lapdev_common::kube::KubeAppCatalogWorkload],
+        total_workloads: usize,
+    ) -> Result<(HashSet<String>, Vec<NewEnvironmentWorkload>), ApiError> {
+        if workloads_to_deploy.is_empty() {
+            tracing::info!(
+                "No workload changes detected for environment {} - skipping K8s deployment",
+                environment.name
+            );
+            return Ok((HashSet::new(), Vec::new()));
+        }
+
+        tracing::info!(
+            "Syncing {}/{} workloads for environment {} (only changed ones)",
+            workloads_to_deploy.len(),
+            total_workloads,
+            environment.name
+        );
+
+        let target_server = self
+            .get_random_kube_cluster_server(environment.cluster_id)
+            .await
+            .ok_or_else(|| {
+                ApiError::InvalidRequest(
+                    "No connected KubeManager for the environment target cluster".to_string(),
+                )
+            })?;
+
+        let manager_namespace = self
+            .db
+            .get_kube_cluster(catalog.cluster_id)
+            .await
+            .map_err(ApiError::from)?
+            .and_then(|cluster| cluster.manager_namespace);
+
+        // Get workload YAML from database cache instead of querying Kubernetes
+        // Handles workloads from multiple namespaces
+        let (workloads_with_resources, workload_details) = self
+            .get_catalog_workloads_with_yaml_from_db(
+                catalog.cluster_id,
+                workloads_to_deploy.to_vec(),
+                &SidecarInjectionContext {
+                    environment_id: environment.id,
+                    namespace: &environment.namespace,
+                    auth_token: &environment.auth_token,
+                    manager_namespace: manager_namespace.as_deref(),
+                },
+            )
+            .await?;
+
+        let service_names: HashSet<String> =
+            workloads_with_resources.services.keys().cloned().collect();
+
+        self.deploy_environment_resources(
+            &target_server,
+            &environment,
+            workloads_with_resources,
+            None,
+        )
+        .await?;
+
+        Ok((service_names, workload_details))
+    }
+
+    /// Update environment workloads in the database after successful deployment
+    async fn update_environment_workloads_in_db(
+        &self,
+        environment_id: Uuid,
+        environment_namespace: &str,
+        catalog_workloads: &[lapdev_common::kube::KubeAppCatalogWorkload],
+        workloads_to_deploy: &[NewEnvironmentWorkload],
+        service_names: HashSet<String>,
+        new_catalog_sync_version: i64,
+    ) -> Result<Vec<(Uuid, Uuid)>, ApiError> {
+        let now = Utc::now().into();
+        let txn = self.db.conn.begin().await.map_err(ApiError::from)?;
+        let mut replaced_workloads: Vec<(Uuid, Uuid)> = Vec::new();
+
+        // Build a set of catalog workload names for efficient lookup
+        let catalog_workload_names: HashSet<String> =
+            catalog_workloads.iter().map(|w| w.name.clone()).collect();
+
+        // Only soft-delete workloads that no longer exist in the catalog
+        let deleted_workloads = lapdev_db_entities::kube_environment_workload::Entity::find()
+            .filter(
+                lapdev_db_entities::kube_environment_workload::Column::EnvironmentId
+                    .eq(environment_id),
+            )
+            .filter(lapdev_db_entities::kube_environment_workload::Column::DeletedAt.is_null())
+            .all(&txn)
+            .await
+            .map_err(ApiError::from)?;
+
+        for existing_workload in deleted_workloads {
+            if !catalog_workload_names.contains(&existing_workload.name) {
+                // This workload no longer exists in the catalog, soft-delete it
+                lapdev_db_entities::kube_environment_workload::ActiveModel {
+                    id: ActiveValue::Set(existing_workload.id),
+                    deleted_at: ActiveValue::Set(Some(now)),
+                    ..Default::default()
+                }
+                .update(&txn)
+                .await
+                .map_err(ApiError::from)?;
+            }
+        }
+
+        // Soft-delete services that are no longer in use
+        let mut service_delete_query =
+            lapdev_db_entities::kube_environment_service::Entity::update_many()
+                .filter(
+                    lapdev_db_entities::kube_environment_service::Column::EnvironmentId
+                        .eq(environment_id),
+                )
+                .filter(lapdev_db_entities::kube_environment_service::Column::DeletedAt.is_null());
+
+        if !service_names.is_empty() {
+            let existing: Vec<String> = service_names.into_iter().collect();
+            service_delete_query = service_delete_query.filter(
+                lapdev_db_entities::kube_environment_service::Column::Name.is_not_in(existing),
+            );
+        }
+
+        service_delete_query
+            .col_expr(
+                lapdev_db_entities::kube_environment_service::Column::DeletedAt,
+                Expr::value(now),
+            )
+            .exec(&txn)
+            .await
+            .map_err(ApiError::from)?;
+
+        // Only insert/update workloads that were actually deployed
+        for workload in workloads_to_deploy {
+            let details = &workload.details;
+            let containers_json =
+                serde_json::to_value(&details.containers).unwrap_or_else(|_| serde_json::json!([]));
+            let ports_json =
+                serde_json::to_value(&details.ports).unwrap_or_else(|_| serde_json::json!([]));
+            let workload_yaml = details.workload_yaml.clone();
+
+            let existing_workload = lapdev_db_entities::kube_environment_workload::Entity::find()
+                .filter(
+                    lapdev_db_entities::kube_environment_workload::Column::EnvironmentId
+                        .eq(environment_id),
+                )
+                .filter(
+                    lapdev_db_entities::kube_environment_workload::Column::Name
+                        .eq(details.name.clone()),
+                )
+                .filter(lapdev_db_entities::kube_environment_workload::Column::DeletedAt.is_null())
+                .one(&txn)
+                .await
+                .map_err(ApiError::from)?;
+
+            // First, soft-delete any existing workload with the same name
+            lapdev_db_entities::kube_environment_workload::Entity::update_many()
+                .filter(
+                    lapdev_db_entities::kube_environment_workload::Column::EnvironmentId
+                        .eq(environment_id),
+                )
+                .filter(
+                    lapdev_db_entities::kube_environment_workload::Column::Name
+                        .eq(details.name.clone()),
+                )
+                .filter(lapdev_db_entities::kube_environment_workload::Column::DeletedAt.is_null())
+                .col_expr(
+                    lapdev_db_entities::kube_environment_workload::Column::DeletedAt,
+                    Expr::value(now),
+                )
+                .exec(&txn)
+                .await
+                .map_err(ApiError::from)?;
+
+            // Then insert the new version
+            lapdev_db_entities::kube_environment_workload::ActiveModel {
+                id: ActiveValue::Set(workload.id),
+                created_at: ActiveValue::Set(now),
+                deleted_at: ActiveValue::Set(None),
+                environment_id: ActiveValue::Set(environment_id),
+                name: ActiveValue::Set(details.name.clone()),
+                namespace: ActiveValue::Set(environment_namespace.to_string()),
+                kind: ActiveValue::Set(details.kind.to_string()),
+                containers: ActiveValue::Set(containers_json),
+                ports: ActiveValue::Set(ports_json),
+                workload_yaml: ActiveValue::Set(workload_yaml),
+                catalog_sync_version: ActiveValue::Set(new_catalog_sync_version),
+                base_workload_id: ActiveValue::Set(details.base_workload_id),
+                ready_replicas: ActiveValue::Set(None),
+            }
+            .insert(&txn)
+            .await
+            .map_err(ApiError::from)?;
+
+            if let Some(existing) = existing_workload {
+                replaced_workloads.push((existing.id, workload.id));
+            }
+        }
+
+        // Update environment's catalog sync version and timestamp
+        lapdev_db_entities::kube_environment::ActiveModel {
+            id: ActiveValue::Set(environment_id),
+            catalog_sync_version: ActiveValue::Set(new_catalog_sync_version),
+            last_catalog_synced_at: ActiveValue::Set(Some(now)),
+            sync_status: ActiveValue::Set(KubeEnvironmentSyncStatus::Idle.to_string()),
+            ..Default::default()
+        }
+        .update(&txn)
+        .await
+        .map_err(ApiError::from)?;
+
+        txn.commit().await.map_err(ApiError::from)?;
+
+        Ok(replaced_workloads)
+    }
+
+    pub async fn sync_environment_from_catalog(
+        &self,
+        org_id: Uuid,
+        user_id: Uuid,
+        environment_id: Uuid,
+    ) -> Result<(), ApiError> {
+        // Authorize and validate that sync is needed
+        let (environment, catalog) = match self
+            .authorize_and_validate_sync(org_id, user_id, environment_id)
+            .await
+        {
+            Ok(result) => result,
+            Err(ApiError::InvalidRequest(msg)) if msg == "Environment is already up to date" => {
+                return Ok(())
+            }
+            Err(e) => return Err(e),
+        };
+
+        // Mark environment as syncing
+        lapdev_db_entities::kube_environment::ActiveModel {
+            id: ActiveValue::Set(environment.id),
+            sync_status: ActiveValue::Set(KubeEnvironmentSyncStatus::Syncing.to_string()),
+            ..Default::default()
+        }
+        .update(&self.db.conn)
+        .await
+        .map_err(ApiError::from)?;
+
+        // Perform sync operations; reset status to idle on error
+        let sync_result = async {
+            // Determine which workloads need syncing
+            let (catalog_workloads, workloads_to_deploy) = self
+                .determine_workloads_to_sync(environment.id, catalog.id)
+                .await?;
+
+            // Deploy changed workloads to Kubernetes
+            let (service_names, workload_details) = self
+                .perform_workload_deployment(
+                    &environment,
+                    &catalog,
+                    &workloads_to_deploy,
+                    catalog_workloads.len(),
+                )
+                .await?;
+
+            Ok::<_, ApiError>((catalog_workloads, workload_details, service_names))
+        }
+        .await;
+
+        // Handle sync result - reset status on failure
+        let (catalog_workloads, workload_details, service_names) = match sync_result {
+            Ok(result) => result,
+            Err(e) => {
+                // Reset sync_status to idle on failure
+                let _ = lapdev_db_entities::kube_environment::ActiveModel {
+                    id: ActiveValue::Set(environment.id),
+                    sync_status: ActiveValue::Set(KubeEnvironmentSyncStatus::Idle.to_string()),
+                    ..Default::default()
+                }
+                .update(&self.db.conn)
+                .await;
+                return Err(e);
+            }
+        };
+
+        // Update database with synced workloads
+        let replaced_workloads = self
+            .update_environment_workloads_in_db(
+                environment.id,
+                &environment.namespace,
+                &catalog_workloads,
+                &workload_details,
+                service_names,
+                catalog.sync_version,
+            )
+            .await?;
+
+        self.relink_branch_overrides(&environment, &replaced_workloads, catalog.sync_version)
+            .await?;
+
+        Ok(())
+    }
+
+    pub async fn rebase_branch_environment(
+        &self,
+        org_id: Uuid,
+        user_id: Uuid,
+        environment_id: Uuid,
+    ) -> Result<(), ApiError> {
+        let environment = self
+            .db
+            .get_kube_environment(environment_id)
+            .await
+            .map_err(ApiError::from)?
+            .ok_or_else(|| ApiError::InvalidRequest("Environment not found".to_string()))?;
+
+        if environment.organization_id != org_id {
+            return Err(ApiError::Unauthorized);
+        }
+
+        if environment.user_id != user_id {
+            return Err(ApiError::Unauthorized);
+        }
+
+        let base_environment_id = environment.base_environment_id.ok_or_else(|| {
+            ApiError::InvalidRequest(
+                "Only branch environments can be rebased from a shared environment".to_string(),
+            )
+        })?;
+
+        let base_environment = self
+            .db
+            .get_kube_environment(base_environment_id)
+            .await
+            .map_err(ApiError::from)?
+            .ok_or_else(|| ApiError::InvalidRequest("Base environment not found".to_string()))?;
+
+        if base_environment.organization_id != org_id {
+            return Err(ApiError::Unauthorized);
+        }
+
+        lapdev_db_entities::kube_environment::ActiveModel {
+            id: ActiveValue::Set(environment.id),
+            sync_status: ActiveValue::Set(KubeEnvironmentSyncStatus::Syncing.to_string()),
+            ..Default::default()
+        }
+        .update(&self.db.conn)
+        .await
+        .map_err(ApiError::from)?;
+
+        let rebase_result = self
+            .reapply_branch_overrides_from_base(&environment, &base_environment)
+            .await;
+
+        if let Err(err) = rebase_result {
+            let _ = lapdev_db_entities::kube_environment::ActiveModel {
+                id: ActiveValue::Set(environment.id),
+                sync_status: ActiveValue::Set(KubeEnvironmentSyncStatus::Idle.to_string()),
+                ..Default::default()
+            }
+            .update(&self.db.conn)
+            .await;
+            return Err(err);
+        }
+
+        let now = Utc::now().into();
+        lapdev_db_entities::kube_environment::ActiveModel {
+            id: ActiveValue::Set(environment.id),
+            catalog_sync_version: ActiveValue::Set(base_environment.catalog_sync_version),
+            last_catalog_synced_at: ActiveValue::Set(Some(now)),
+            sync_status: ActiveValue::Set(KubeEnvironmentSyncStatus::Idle.to_string()),
+            ..Default::default()
+        }
+        .update(&self.db.conn)
+        .await
+        .map_err(ApiError::from)?;
+
+        Ok(())
+    }
+
+    // Kube Namespace operations
+    pub async fn create_kube_namespace(
+        &self,
+        org_id: Uuid,
+        user_id: Uuid,
+        name: String,
+        description: Option<String>,
+        is_shared: bool,
+    ) -> Result<lapdev_common::kube::KubeNamespace, ApiError> {
+        let namespace = self
+            .db
+            .create_kube_namespace(org_id, user_id, name, description, is_shared)
+            .await
+            .map_err(ApiError::from)?;
+
+        Ok(lapdev_common::kube::KubeNamespace {
+            id: namespace.id,
+            name: namespace.name,
+            description: namespace.description,
+            is_shared: namespace.is_shared,
+            created_at: namespace.created_at,
+            created_by: namespace.user_id,
+        })
+    }
+
+    pub async fn get_all_kube_namespaces(
+        &self,
+        org_id: Uuid,
+        user_id: Uuid,
+        is_shared: bool,
+    ) -> Result<Vec<lapdev_common::kube::KubeNamespace>, ApiError> {
+        let namespaces = self
+            .db
+            .get_all_kube_namespaces(org_id, user_id, is_shared)
+            .await
+            .map_err(ApiError::from)?;
+
+        let kube_namespaces = namespaces
+            .into_iter()
+            .map(|ns| lapdev_common::kube::KubeNamespace {
+                id: ns.id,
+                name: ns.name,
+                description: ns.description,
+                is_shared: ns.is_shared,
+                created_at: ns.created_at,
+                created_by: ns.user_id,
+            })
+            .collect();
+
+        Ok(kube_namespaces)
+    }
+
+    pub async fn delete_kube_namespace(
+        &self,
+        _org_id: Uuid,
+        namespace_id: Uuid,
+    ) -> Result<(), ApiError> {
+        self.db
+            .delete_kube_namespace(namespace_id)
+            .await
+            .map_err(ApiError::from)?;
+
+        Ok(())
+    }
+
+    async fn publish_environment_event(&self, event: EnvironmentLifecycleEvent) {
+        match serde_json::to_string(&event) {
+            Ok(payload) => {
+                if let Some(pool) = self.db.pool.clone() {
+                    if let Err(err) = sqlx::query("SELECT pg_notify('environment_lifecycle', $1)")
+                        .bind(payload)
+                        .execute(&pool)
+                        .await
+                    {
+                        warn!(
+                            error = %err,
+                            "failed to publish environment lifecycle event via NOTIFY"
+                        );
+                        let _ = self.environment_events.send(event);
+                    }
+                } else {
+                    warn!("pg pool unavailable; broadcasting environment event locally");
+                    let _ = self.environment_events.send(event);
+                }
+            }
+            Err(err) => {
+                warn!(
+                    error = %err,
+                    "failed to serialize environment lifecycle event"
+                );
+            }
+        }
+    }
+
+    async fn update_environment_status(
+        &self,
+        environment_id: Uuid,
+        status: KubeEnvironmentStatus,
+        paused_at: Option<Option<chrono::DateTime<Utc>>>,
+        resumed_at: Option<Option<chrono::DateTime<Utc>>>,
+    ) -> Result<(), ApiError> {
+        let paused_value = match paused_at {
+            Some(Some(dt)) => ActiveValue::Set(Some(dt.into())),
+            Some(None) => ActiveValue::Set(None),
+            None => ActiveValue::NotSet,
+        };
+
+        let resumed_value = match resumed_at {
+            Some(Some(dt)) => ActiveValue::Set(Some(dt.into())),
+            Some(None) => ActiveValue::Set(None),
+            None => ActiveValue::NotSet,
+        };
+
+        lapdev_db_entities::kube_environment::ActiveModel {
+            id: ActiveValue::Set(environment_id),
+            status: ActiveValue::Set(status.to_string()),
+            paused_at: paused_value,
+            resumed_at: resumed_value,
+            ..Default::default()
+        }
+        .update(&self.db.conn)
+        .await
+        .map_err(ApiError::from)?;
+
+        if let Ok(Some(environment)) = self.db.get_kube_environment(environment_id).await {
+            let event = EnvironmentLifecycleEvent {
+                organization_id: environment.organization_id,
+                environment_id,
+                status: status.clone(),
+                paused_at: environment.paused_at.map(|dt| dt.to_string()),
+                resumed_at: environment.resumed_at.map(|dt| dt.to_string()),
+                updated_at: Utc::now(),
+            };
+
+            self.publish_environment_event(event).await;
+        }
+
+        Ok(())
+    }
+
+    async fn run_pause_environment(&self, environment_id: Uuid) -> Result<(), ApiError> {
+        let environment = self
+            .db
+            .get_kube_environment(environment_id)
+            .await
+            .map_err(ApiError::from)?
+            .ok_or_else(|| ApiError::InvalidRequest("Environment not found".to_string()))?;
+
+        let server = self
+            .get_random_kube_cluster_server(environment.cluster_id)
+            .await
+            .ok_or_else(|| {
+                ApiError::InvalidRequest(
+                    "No connected KubeManager for the environment target cluster".to_string(),
+                )
+            })?;
+
+        let mut workloads_with_resources =
+            self.assemble_environment_workloads(&environment).await?;
+
+        for workload in &mut workloads_with_resources.workloads {
+            let result = match workload {
+                KubeWorkloadYamlOnly::CronJob(_) => set_cronjob_suspend(workload, true),
+                KubeWorkloadYamlOnly::Deployment(_)
+                | KubeWorkloadYamlOnly::StatefulSet(_)
+                | KubeWorkloadYamlOnly::ReplicaSet(_) => set_workload_replicas(workload, 0),
+                KubeWorkloadYamlOnly::DaemonSet(_) => set_daemonset_paused(workload, true),
+                KubeWorkloadYamlOnly::Pod(_) => {
+                    warn!(
+                        environment_id = %environment.id,
+                        "Pod workloads cannot be gracefully paused; they will continue running"
+                    );
+                    Ok(())
+                }
+                _ => Ok(()),
+            };
+            if let Err(err) = result {
+                warn!(
+                    environment_id = %environment.id,
+                    error = ?err,
+                    "Failed to update workload YAML while pausing environment"
+                );
+            }
+        }
+
+        self.deploy_environment_resources(&server, &environment, workloads_with_resources, None)
+            .await?;
+
+        if let Some(base_env_id) = environment.base_environment_id {
+            if let Err(err) = self
+                .notify_branch_environment_deletion(&server.rpc_client, base_env_id, environment.id)
+                .await
+            {
+                warn!(
+                    environment_id = %environment.id,
+                    error = ?err,
+                    "Failed to notify devbox proxy about branch environment pause"
+                );
+            }
+        }
+
+        self.update_environment_status(
+            environment.id,
+            KubeEnvironmentStatus::Paused,
+            Some(Some(Utc::now())),
+            Some(None),
+        )
+        .await
+    }
+
+    async fn run_resume_environment(&self, environment_id: Uuid) -> Result<(), ApiError> {
+        let environment = self
+            .db
+            .get_kube_environment(environment_id)
+            .await
+            .map_err(ApiError::from)?
+            .ok_or_else(|| ApiError::InvalidRequest("Environment not found".to_string()))?;
+
+        let server = self
+            .get_random_kube_cluster_server(environment.cluster_id)
+            .await
+            .ok_or_else(|| {
+                ApiError::InvalidRequest(
+                    "No connected KubeManager for the environment target cluster".to_string(),
+                )
+            })?;
+
+        let mut workloads_with_resources =
+            self.assemble_environment_workloads(&environment).await?;
+
+        for workload in &mut workloads_with_resources.workloads {
+            let result = match workload {
+                KubeWorkloadYamlOnly::CronJob(_) => set_cronjob_suspend(workload, false),
+                KubeWorkloadYamlOnly::Deployment(_)
+                | KubeWorkloadYamlOnly::StatefulSet(_)
+                | KubeWorkloadYamlOnly::ReplicaSet(_) => set_workload_replicas(workload, 1),
+                KubeWorkloadYamlOnly::DaemonSet(_) => set_daemonset_paused(workload, false),
+                KubeWorkloadYamlOnly::Pod(_) => Ok(()),
+                _ => Ok(()),
+            };
+            if let Err(err) = result {
+                warn!(
+                    environment_id = %environment.id,
+                    error = ?err,
+                    "Failed to update workload YAML while resuming environment"
+                );
+            }
+        }
+
+        self.deploy_environment_resources(&server, &environment, workloads_with_resources, None)
+            .await?;
+
+        if let Some(base_env_id) = environment.base_environment_id {
+            self.notify_branch_environment_creation(
+                base_env_id,
+                environment.cluster_id,
+                &environment,
+            )
+            .await;
+        }
+
+        self.update_environment_status(
+            environment.id,
+            KubeEnvironmentStatus::Running,
+            None,
+            Some(Some(Utc::now())),
+        )
+        .await
+    }
+}
diff --git a/crates/api/src/kube_controller/mod.rs b/crates/api/src/kube_controller/mod.rs
new file mode 100644
index 0000000..0e08327
--- /dev/null
+++ b/crates/api/src/kube_controller/mod.rs
@@ -0,0 +1,362 @@
+use std::{
+    collections::{BTreeMap, HashMap},
+    net::SocketAddr,
+    sync::{atomic::AtomicU64, Arc},
+    time::{Duration, Instant},
+};
+use tokio::sync::{broadcast, RwLock};
+use uuid::Uuid;
+
+use crate::environment_events::EnvironmentLifecycleEvent;
+use lapdev_common::devbox::DirectTunnelConfig;
+use lapdev_db::api::DbApi;
+use lapdev_kube::{server::KubeClusterServer, tunnel::TunnelRegistry};
+use lapdev_kube_rpc::{DevboxRouteConfig, ProxyBranchRouteConfig};
+use tracing::{debug, warn};
+
+// Submodules
+mod app_catalog;
+mod cluster;
+pub(crate) mod container_images;
+mod deployment;
+mod environment;
+mod preview_url;
+mod resources;
+mod service;
+pub mod validation;
+mod workload;
+pub mod yaml_parser;
+
+// Re-exports
+pub use self::container_images::CONTAINER_IMAGE_TAG;
+pub use validation::*;
+pub use yaml_parser::*;
+
+pub(crate) enum EnvironmentNamespaceKind {
+    Personal,
+    Shared,
+    Branch,
+}
+
+#[derive(Clone)]
+pub struct KubeController {
+    // KubeManager connections per cluster
+    pub kube_cluster_servers: Arc<RwLock<HashMap<Uuid, BTreeMap<u64, KubeClusterServer>>>>,
+    pub kube_cluster_server_generation: Arc<AtomicU64>,
+    // Tunnel registry for preview URL functionality
+    pub tunnel_registry: Arc<TunnelRegistry>,
+    // Database API
+    pub db: DbApi,
+    // Broadcast channel for environment lifecycle events
+    pub environment_events: broadcast::Sender<EnvironmentLifecycleEvent>,
+}
+
+impl KubeController {
+    const KUBE_MANAGER_RPC_TIMEOUT_SECS: u64 = 300;
+
+    fn kube_manager_rpc_context_with_timeout(timeout: Duration) -> tarpc::context::Context {
+        let mut ctx = tarpc::context::current();
+        ctx.deadline = Instant::now() + timeout;
+        ctx
+    }
+
+    fn kube_manager_rpc_context() -> tarpc::context::Context {
+        Self::kube_manager_rpc_context_with_timeout(Duration::from_secs(
+            Self::KUBE_MANAGER_RPC_TIMEOUT_SECS,
+        ))
+    }
+
+    pub fn new(
+        db: DbApi,
+        environment_events: broadcast::Sender<EnvironmentLifecycleEvent>,
+    ) -> Self {
+        Self {
+            kube_cluster_servers: Arc::new(RwLock::new(HashMap::new())),
+            kube_cluster_server_generation: Arc::new(AtomicU64::new(1)),
+            tunnel_registry: Arc::new(TunnelRegistry::new()),
+            db,
+            environment_events,
+        }
+    }
+
+    pub async fn get_random_kube_cluster_server(
+        &self,
+        cluster_id: Uuid,
+    ) -> Option<KubeClusterServer> {
+        let servers = self.kube_cluster_servers.read().await;
+        servers
+            .get(&cluster_id)?
+            .iter()
+            .next_back()
+            .map(|(_, server)| server.clone())
+    }
+
+    pub async fn refresh_cluster_namespace_watches(&self, cluster_id: Uuid) {
+        let namespaces = match self.db.get_cluster_watch_namespaces(cluster_id).await {
+            Ok(namespaces) => namespaces,
+            Err(err) => {
+                warn!(
+                    cluster_id = %cluster_id,
+                    error = ?err,
+                    "Failed to load namespaces for watch configuration"
+                );
+                return;
+            }
+        };
+
+        let servers = self.kube_cluster_servers.read().await;
+        let Some(cluster_servers) = servers.get(&cluster_id) else {
+            debug!(
+                cluster_id = %cluster_id,
+                "No connected KubeManager instances; skipping namespace watch refresh"
+            );
+            return;
+        };
+
+        for server in cluster_servers.values() {
+            if let Err(err) = server
+                .send_namespace_watch_configuration(namespaces.clone())
+                .await
+            {
+                warn!(
+                    cluster_id = %cluster_id,
+                    error = ?err,
+                    "Failed to send namespace watch configuration to KubeManager"
+                );
+            }
+        }
+    }
+
+    pub async fn set_devbox_routes(
+        &self,
+        cluster_id: Uuid,
+        environment_id: Uuid,
+        routes: HashMap<Uuid, DevboxRouteConfig>,
+    ) -> Result<(), String> {
+        let servers = self.kube_cluster_servers.read().await;
+        let Some(cluster_servers) = servers.get(&cluster_id) else {
+            return Err(format!(
+                "No connected KubeManager instances for cluster {}",
+                cluster_id
+            ));
+        };
+
+        let mut last_err: Option<String> = None;
+        for server in cluster_servers.values() {
+            match server
+                .set_devbox_routes(environment_id, routes.clone())
+                .await
+            {
+                Ok(()) => return Ok(()),
+                Err(err) => last_err = Some(err),
+            }
+        }
+
+        Err(last_err.unwrap_or_else(|| {
+            "Failed to dispatch set_devbox_routes to any KubeManager instances".to_string()
+        }))
+    }
+
+    pub async fn set_devbox_route(
+        &self,
+        cluster_id: Uuid,
+        environment_id: Uuid,
+        route: DevboxRouteConfig,
+    ) -> Result<(), String> {
+        let servers = self.kube_cluster_servers.read().await;
+        let Some(cluster_servers) = servers.get(&cluster_id) else {
+            return Err(format!(
+                "No connected KubeManager instances for cluster {}",
+                cluster_id
+            ));
+        };
+
+        let mut last_err: Option<String> = None;
+        for server in cluster_servers.values() {
+            match server.set_devbox_route(environment_id, route.clone()).await {
+                Ok(()) => return Ok(()),
+                Err(err) => last_err = Some(err),
+            }
+        }
+
+        Err(last_err.unwrap_or_else(|| {
+            "Failed to dispatch set_devbox_route to any KubeManager instances".to_string()
+        }))
+    }
+
+    pub async fn remove_devbox_route(
+        &self,
+        cluster_id: Uuid,
+        environment_id: Uuid,
+        workload_id: Uuid,
+        branch_environment_id: Option<Uuid>,
+    ) -> Result<(), String> {
+        let servers = self.kube_cluster_servers.read().await;
+        let Some(cluster_servers) = servers.get(&cluster_id) else {
+            return Err(format!(
+                "No connected KubeManager instances for cluster {}",
+                cluster_id
+            ));
+        };
+
+        let mut last_err: Option<String> = None;
+        for server in cluster_servers.values() {
+            match server
+                .remove_devbox_route(environment_id, workload_id, branch_environment_id)
+                .await
+            {
+                Ok(()) => return Ok(()),
+                Err(err) => last_err = Some(err),
+            }
+        }
+
+        Err(last_err.unwrap_or_else(|| {
+            "Failed to dispatch remove_devbox_route to any KubeManager instances".to_string()
+        }))
+    }
+
+    pub async fn clear_devbox_routes(
+        &self,
+        cluster_id: Uuid,
+        environment_id: Uuid,
+        branch_environment_id: Option<Uuid>,
+    ) -> Result<(), String> {
+        let servers = self.kube_cluster_servers.read().await;
+        let Some(cluster_servers) = servers.get(&cluster_id) else {
+            return Err(format!(
+                "No connected KubeManager instances for cluster {}",
+                cluster_id
+            ));
+        };
+
+        let mut last_err: Option<String> = None;
+        for server in cluster_servers.values() {
+            match server
+                .clear_devbox_routes(environment_id, branch_environment_id)
+                .await
+            {
+                Ok(()) => return Ok(()),
+                Err(err) => last_err = Some(err),
+            }
+        }
+
+        Err(last_err.unwrap_or_else(|| {
+            "Failed to dispatch clear_devbox_routes to any KubeManager instances".to_string()
+        }))
+    }
+
+    pub async fn request_devbox_direct_config(
+        &self,
+        cluster_id: Uuid,
+        user_id: Uuid,
+        environment_id: Uuid,
+        namespace: String,
+        stun_observed_addr: Option<SocketAddr>,
+    ) -> Result<Option<DirectTunnelConfig>, String> {
+        let servers = self.kube_cluster_servers.read().await;
+        let Some(cluster_servers) = servers.get(&cluster_id) else {
+            return Err(format!(
+                "No connected KubeManager instances for cluster {}",
+                cluster_id
+            ));
+        };
+
+        let mut last_err: Option<String> = None;
+        for server in cluster_servers.values() {
+            match server
+                .get_devbox_direct_config(
+                    user_id,
+                    environment_id,
+                    namespace.clone(),
+                    stun_observed_addr,
+                )
+                .await
+            {
+                Ok(config) => return Ok(config),
+                Err(err) => last_err = Some(err),
+            }
+        }
+
+        Err(last_err.unwrap_or_else(|| {
+            "Failed to dispatch get_devbox_direct_config to any KubeManager instances".to_string()
+        }))
+    }
+
+    pub async fn update_branch_service_route(
+        &self,
+        cluster_id: Uuid,
+        base_environment_id: Uuid,
+        workload_id: Uuid,
+        route: ProxyBranchRouteConfig,
+    ) -> Result<(), String> {
+        let servers = self.kube_cluster_servers.read().await;
+        let Some(cluster_servers) = servers.get(&cluster_id) else {
+            return Err(format!(
+                "No connected KubeManager instances for cluster {}",
+                cluster_id
+            ));
+        };
+
+        let mut last_err: Option<String> = None;
+        for server in cluster_servers.values() {
+            match server
+                .rpc_client
+                .update_branch_service_route(
+                    Self::kube_manager_rpc_context(),
+                    base_environment_id,
+                    workload_id,
+                    route.clone(),
+                )
+                .await
+            {
+                Ok(Ok(())) => return Ok(()),
+                Ok(Err(err)) => last_err = Some(err),
+                Err(err) => last_err = Some(format!("{}", err)),
+            }
+        }
+
+        Err(last_err.unwrap_or_else(|| {
+            "Failed to dispatch update_branch_service_route to any KubeManager instances"
+                .to_string()
+        }))
+    }
+
+    pub async fn remove_branch_service_route(
+        &self,
+        cluster_id: Uuid,
+        base_environment_id: Uuid,
+        workload_id: Uuid,
+        branch_environment_id: Uuid,
+    ) -> Result<(), String> {
+        let servers = self.kube_cluster_servers.read().await;
+        let Some(cluster_servers) = servers.get(&cluster_id) else {
+            return Err(format!(
+                "No connected KubeManager instances for cluster {}",
+                cluster_id
+            ));
+        };
+
+        let mut last_err: Option<String> = None;
+        for server in cluster_servers.values() {
+            match server
+                .rpc_client
+                .remove_branch_service_route(
+                    Self::kube_manager_rpc_context(),
+                    base_environment_id,
+                    workload_id,
+                    branch_environment_id,
+                )
+                .await
+            {
+                Ok(Ok(())) => return Ok(()),
+                Ok(Err(err)) => last_err = Some(err),
+                Err(err) => last_err = Some(format!("{}", err)),
+            }
+        }
+
+        Err(last_err.unwrap_or_else(|| {
+            "Failed to dispatch remove_branch_service_route to any KubeManager instances"
+                .to_string()
+        }))
+    }
+}
diff --git a/crates/api/src/kube_controller/preview_url.rs b/crates/api/src/kube_controller/preview_url.rs
new file mode 100644
index 0000000..4108faa
--- /dev/null
+++ b/crates/api/src/kube_controller/preview_url.rs
@@ -0,0 +1,215 @@
+use uuid::Uuid;
+
+use lapdev_common::{kube::KubeEnvironmentPreviewUrl, utils::rand_string, LAPDEV_API_HOST};
+use lapdev_rpc::error::ApiError;
+
+use super::KubeController;
+
+impl KubeController {
+    pub async fn create_environment_preview_url(
+        &self,
+        user_id: Uuid,
+        environment: lapdev_db_entities::kube_environment::Model,
+        request: lapdev_common::kube::CreateKubeEnvironmentPreviewUrlRequest,
+    ) -> Result<KubeEnvironmentPreviewUrl, ApiError> {
+        // Verify service exists and belongs to the environment (or its base environment)
+        let service = self
+            .db
+            .get_kube_environment_service_by_id(request.service_id)
+            .await
+            .map_err(ApiError::from)?
+            .ok_or_else(|| ApiError::InvalidRequest("Service not found".to_string()))?;
+
+        if let Some(base_environment_id) = environment.base_environment_id {
+            // Branch environment: service must belong to the base environment
+            if service.environment_id != base_environment_id {
+                return Err(ApiError::InvalidRequest(
+                    "Service not found in base environment".to_string(),
+                ));
+            }
+        } else if service.environment_id != environment.id {
+            return Err(ApiError::InvalidRequest(
+                "Service not found in environment".to_string(),
+            ));
+        }
+
+        // Validate the port exists on the service
+        let port_exists = service.ports.iter().any(|p| {
+            p.port == request.port
+                && (request.port_name.is_none() || p.name.as_ref() == request.port_name.as_ref())
+        });
+
+        if !port_exists {
+            return Err(ApiError::InvalidRequest(
+                "Specified port does not exist on the service".to_string(),
+            ));
+        }
+
+        // Auto-generate name based on service and port
+        let auto_name = format!("{}-{}-{}", request.port, service.name, rand_string(12));
+
+        // Set defaults
+        let protocol = request.protocol.unwrap_or_else(|| "HTTP".to_string());
+        let access_level = request
+            .access_level
+            .unwrap_or(lapdev_common::kube::PreviewUrlAccessLevel::Organization);
+
+        let url = format!("https://{auto_name}.{}", LAPDEV_API_HOST);
+
+        // Create preview URL in database
+        let preview_url = match self
+            .db
+            .create_environment_preview_url(
+                environment.id,
+                request.service_id,
+                user_id,
+                auto_name,
+                request.description,
+                request.port,
+                request.port_name,
+                protocol.clone(),
+                access_level.clone(),
+            )
+            .await
+        {
+            Ok(url) => url,
+            Err(db_err) => {
+                // Check if this is a unique constraint violation
+                if matches!(
+                    db_err.sql_err(),
+                    Some(sea_orm::SqlErr::UniqueConstraintViolation(_))
+                ) {
+                    return Err(ApiError::InvalidRequest(
+                        "A preview URL already exists for this service and port combination"
+                            .to_string(),
+                    ));
+                } else {
+                    return Err(ApiError::from(anyhow::Error::from(db_err)));
+                }
+            }
+        };
+
+        Ok(KubeEnvironmentPreviewUrl {
+            id: preview_url.id,
+            created_at: preview_url.created_at,
+            environment_id: preview_url.environment_id,
+            service_id: preview_url.service_id,
+            name: preview_url.name,
+            description: preview_url.description,
+            port: preview_url.port,
+            port_name: preview_url.port_name,
+            protocol: preview_url.protocol,
+            access_level: preview_url
+                .access_level
+                .parse()
+                .unwrap_or(lapdev_common::kube::PreviewUrlAccessLevel::Organization),
+            created_by: preview_url.created_by,
+            last_accessed_at: preview_url.last_accessed_at,
+            url,
+        })
+    }
+
+    pub async fn get_environment_preview_urls(
+        &self,
+        org_id: Uuid,
+        user_id: Uuid,
+        environment_id: Uuid,
+    ) -> Result<Vec<KubeEnvironmentPreviewUrl>, ApiError> {
+        // Verify environment belongs to the organization and check ownership
+        let environment = self
+            .db
+            .get_kube_environment(environment_id)
+            .await
+            .map_err(ApiError::from)?
+            .ok_or_else(|| ApiError::InvalidRequest("Environment not found".to_string()))?;
+
+        if environment.organization_id != org_id {
+            return Err(ApiError::Unauthorized);
+        }
+
+        // If it's a personal environment, check ownership
+        if !environment.is_shared && environment.user_id != user_id {
+            return Err(ApiError::Unauthorized);
+        }
+
+        let preview_urls = self
+            .db
+            .get_environment_preview_urls(environment_id)
+            .await
+            .map_err(ApiError::from)?;
+
+        Ok(preview_urls
+            .into_iter()
+            .map(|preview_url| {
+                let url = format!("https://{}.{}", preview_url.name, LAPDEV_API_HOST);
+
+                KubeEnvironmentPreviewUrl {
+                    id: preview_url.id,
+                    created_at: preview_url.created_at,
+                    environment_id: preview_url.environment_id,
+                    service_id: preview_url.service_id,
+                    name: preview_url.name,
+                    description: preview_url.description,
+                    port: preview_url.port,
+                    port_name: preview_url.port_name,
+                    protocol: preview_url.protocol,
+                    access_level: preview_url
+                        .access_level
+                        .parse()
+                        .unwrap_or(lapdev_common::kube::PreviewUrlAccessLevel::Organization),
+                    created_by: preview_url.created_by,
+                    last_accessed_at: preview_url.last_accessed_at,
+                    url,
+                }
+            })
+            .collect())
+    }
+
+    pub async fn update_environment_preview_url(
+        &self,
+        preview_url_id: Uuid,
+        request: lapdev_common::kube::UpdateKubeEnvironmentPreviewUrlRequest,
+    ) -> Result<KubeEnvironmentPreviewUrl, ApiError> {
+        // Update the preview URL
+        let updated_preview_url = self
+            .db
+            .update_environment_preview_url(
+                preview_url_id,
+                request.description,
+                request.access_level,
+            )
+            .await
+            .map_err(ApiError::from)?;
+
+        let url = format!("https://{}.{}", updated_preview_url.name, LAPDEV_API_HOST);
+
+        Ok(KubeEnvironmentPreviewUrl {
+            id: updated_preview_url.id,
+            created_at: updated_preview_url.created_at,
+            environment_id: updated_preview_url.environment_id,
+            service_id: updated_preview_url.service_id,
+            name: updated_preview_url.name,
+            description: updated_preview_url.description,
+            port: updated_preview_url.port,
+            port_name: updated_preview_url.port_name,
+            protocol: updated_preview_url.protocol,
+            access_level: updated_preview_url
+                .access_level
+                .parse()
+                .unwrap_or(lapdev_common::kube::PreviewUrlAccessLevel::Organization),
+            created_by: updated_preview_url.created_by,
+            last_accessed_at: updated_preview_url.last_accessed_at,
+            url,
+        })
+    }
+
+    pub async fn delete_environment_preview_url(
+        &self,
+        preview_url_id: Uuid,
+    ) -> Result<(), ApiError> {
+        self.db
+            .delete_environment_preview_url(preview_url_id)
+            .await
+            .map_err(ApiError::from)
+    }
+}
diff --git a/crates/api/src/kube_controller/resource_cleaner.rs b/crates/api/src/kube_controller/resource_cleaner.rs
new file mode 100644
index 0000000..122a8fa
--- /dev/null
+++ b/crates/api/src/kube_controller/resource_cleaner.rs
@@ -0,0 +1,30 @@
+use k8s_openapi::api::core::v1::{ConfigMap, Secret};
+
+pub fn clean_configmap(configmap: ConfigMap) -> ConfigMap {
+    ConfigMap {
+        metadata: clean_metadata(configmap.metadata),
+        data: configmap.data,
+        binary_data: configmap.binary_data,
+        immutable: configmap.immutable,
+    }
+}
+
+pub fn clean_secret(secret: Secret) -> Secret {
+    Secret {
+        metadata: clean_metadata(secret.metadata),
+        data: secret.data,
+        string_data: secret.string_data,
+        type_: secret.type_,
+        immutable: secret.immutable,
+    }
+}
+
+fn clean_metadata(
+    metadata: k8s_openapi::apimachinery::pkg::apis::meta::v1::ObjectMeta,
+) -> k8s_openapi::apimachinery::pkg::apis::meta::v1::ObjectMeta {
+    k8s_openapi::apimachinery::pkg::apis::meta::v1::ObjectMeta {
+        name: metadata.name,
+        labels: metadata.labels,
+        ..Default::default()
+    }
+}
diff --git a/crates/api/src/kube_controller/resources.rs b/crates/api/src/kube_controller/resources.rs
new file mode 100644
index 0000000..b0c228e
--- /dev/null
+++ b/crates/api/src/kube_controller/resources.rs
@@ -0,0 +1,955 @@
+use std::collections::HashMap;
+
+use anyhow::{anyhow, Result};
+use k8s_openapi::{
+    api::{
+        apps::v1::{
+            DaemonSet, DaemonSetSpec, Deployment, DeploymentSpec, ReplicaSet, ReplicaSetSpec,
+            StatefulSet, StatefulSetSpec,
+        },
+        batch::v1::{CronJob, CronJobSpec, Job, JobSpec},
+        core::v1::{
+            ConfigMap, Container, ContainerPort, EnvVar, EnvVarSource, ObjectFieldSelector, Pod,
+            PodSpec, PodTemplateSpec, Secret, Service,
+        },
+    },
+    apimachinery::pkg::{api::resource::Quantity, apis::meta::v1::ObjectMeta},
+};
+use lapdev_common::kube::{
+    KubeContainerImage, KubeContainerInfo, KubeWorkloadKind, ProxyPortRoute,
+    DEFAULT_SIDECAR_PROXY_BIND_ADDR, DEFAULT_SIDECAR_PROXY_METRICS_PORT,
+    DEFAULT_SIDECAR_PROXY_PORT, SIDECAR_PROXY_BIND_ADDR_ENV_VAR,
+    SIDECAR_PROXY_MANAGER_ADDR_ENV_VAR, SIDECAR_PROXY_PORT_ENV_VAR, SIDECAR_PROXY_WORKLOAD_ENV_VAR,
+};
+use lapdev_kube_rpc::KubeWorkloadYamlOnly;
+use serde_json;
+use uuid::Uuid;
+
+use super::container_images;
+
+#[derive(Debug)]
+pub struct SidecarInjectionOptions<'a> {
+    pub environment_id: Uuid,
+    pub workload_id: Uuid,
+    pub namespace: &'a str,
+    pub auth_token: &'a str,
+    pub manager_namespace: Option<&'a str>,
+    pub proxy_routes: &'a [ProxyPortRoute],
+}
+
+/// Rebuild workload YAML so it reflects the latest container configuration while
+/// stripping server-managed metadata. Mirrors kube-manager's clean_* helpers.
+pub fn rebuild_workload_yaml(
+    kind: &KubeWorkloadKind,
+    yaml: &str,
+    containers: &[KubeContainerInfo],
+    sidecar: Option<&SidecarInjectionOptions<'_>>,
+) -> Result<String> {
+    match kind {
+        KubeWorkloadKind::Deployment => {
+            let deployment: Deployment = serde_yaml::from_str(yaml)?;
+            let mut cleaned = clean_deployment(deployment, containers);
+            if let Some(options) = sidecar {
+                inject_sidecar_proxy_into_deployment(&mut cleaned, options)?;
+            }
+            Ok(serde_yaml::to_string(&cleaned)?)
+        }
+        KubeWorkloadKind::StatefulSet => {
+            let statefulset: StatefulSet = serde_yaml::from_str(yaml)?;
+            let cleaned = clean_statefulset(statefulset, containers);
+            Ok(serde_yaml::to_string(&cleaned)?)
+        }
+        KubeWorkloadKind::DaemonSet => {
+            let daemonset: DaemonSet = serde_yaml::from_str(yaml)?;
+            let cleaned = clean_daemonset(daemonset, containers);
+            Ok(serde_yaml::to_string(&cleaned)?)
+        }
+        KubeWorkloadKind::ReplicaSet => {
+            let replicaset: ReplicaSet = serde_yaml::from_str(yaml)?;
+            let cleaned = clean_replicaset(replicaset, containers);
+            Ok(serde_yaml::to_string(&cleaned)?)
+        }
+        KubeWorkloadKind::Pod => {
+            let pod: Pod = serde_yaml::from_str(yaml)?;
+            let cleaned = clean_pod(pod, containers);
+            Ok(serde_yaml::to_string(&cleaned)?)
+        }
+        KubeWorkloadKind::Job => {
+            let job: Job = serde_yaml::from_str(yaml)?;
+            let cleaned = clean_job(job, containers);
+            Ok(serde_yaml::to_string(&cleaned)?)
+        }
+        KubeWorkloadKind::CronJob => {
+            let cronjob: CronJob = serde_yaml::from_str(yaml)?;
+            let cleaned = clean_cronjob(cronjob, containers);
+            Ok(serde_yaml::to_string(&cleaned)?)
+        }
+    }
+}
+
+pub fn inject_sidecar_proxy_into_deployment(
+    deployment: &mut Deployment,
+    options: &SidecarInjectionOptions<'_>,
+) -> Result<()> {
+    let spec = match deployment.spec.as_mut() {
+        Some(spec) => spec,
+        None => return Err(anyhow!("Deployment spec missing for sidecar injection")),
+    };
+
+    let pod_spec = spec
+        .template
+        .spec
+        .as_mut()
+        .ok_or_else(|| anyhow!("Deployment pod spec missing for sidecar injection"))?;
+
+    let routes_json = if options.proxy_routes.is_empty() {
+        None
+    } else {
+        Some(serde_json::to_string(options.proxy_routes)?)
+    };
+
+    let sidecar_index = ensure_sidecar_proxy_container(
+        pod_spec,
+        options.environment_id,
+        options.workload_id,
+        options.namespace,
+        options.auth_token,
+        options.manager_namespace,
+        routes_json.as_deref(),
+    );
+
+    if let (Some(json), Some(container)) = (routes_json, pod_spec.containers.get_mut(sidecar_index))
+    {
+        upsert_env_var(
+            container,
+            "LAPDEV_SIDECAR_PROXY_PORT_ROUTES",
+            json.to_string(),
+        );
+    }
+
+    Ok(())
+}
+
+#[allow(dead_code)]
+pub fn clean_configmap(configmap: ConfigMap) -> ConfigMap {
+    ConfigMap {
+        metadata: clean_metadata(configmap.metadata),
+        data: configmap.data,
+        binary_data: configmap.binary_data,
+        immutable: configmap.immutable,
+    }
+}
+
+#[allow(dead_code)]
+pub fn clean_secret(secret: Secret) -> Secret {
+    Secret {
+        metadata: clean_metadata(secret.metadata),
+        data: secret.data,
+        string_data: secret.string_data,
+        type_: secret.type_,
+        immutable: secret.immutable,
+    }
+}
+
+#[allow(dead_code)]
+pub fn clean_service(service: Service) -> Service {
+    let clean_spec = service.spec.map(|mut original_spec| {
+        original_spec.cluster_ip = None;
+        original_spec.cluster_ips = None;
+        original_spec.health_check_node_port = None;
+
+        if let Some(ports) = original_spec.ports.as_mut() {
+            for port in ports {
+                port.node_port = None;
+            }
+        }
+
+        original_spec
+    });
+
+    Service {
+        metadata: clean_metadata(service.metadata),
+        spec: clean_spec,
+        status: None,
+    }
+}
+
+fn clean_metadata(metadata: ObjectMeta) -> ObjectMeta {
+    ObjectMeta {
+        name: metadata.name,
+        labels: metadata.labels,
+        ..Default::default()
+    }
+}
+
+fn clean_deployment(
+    deployment: Deployment,
+    workload_containers: &[KubeContainerInfo],
+) -> Deployment {
+    let clean_spec = deployment.spec.map(|original_spec| {
+        let template = merge_template_containers(original_spec.template, workload_containers);
+
+        DeploymentSpec {
+            replicas: Some(1),
+            selector: original_spec.selector,
+            template,
+            min_ready_seconds: original_spec.min_ready_seconds,
+            paused: original_spec.paused,
+            progress_deadline_seconds: original_spec.progress_deadline_seconds,
+            revision_history_limit: original_spec.revision_history_limit,
+            strategy: original_spec.strategy,
+        }
+    });
+
+    Deployment {
+        metadata: clean_metadata(deployment.metadata),
+        spec: clean_spec,
+        status: None,
+    }
+}
+
+fn clean_statefulset(
+    statefulset: StatefulSet,
+    workload_containers: &[KubeContainerInfo],
+) -> StatefulSet {
+    let clean_spec = statefulset.spec.map(|original_spec| {
+        let template = merge_template_containers(original_spec.template, workload_containers);
+
+        StatefulSetSpec {
+            service_name: original_spec.service_name,
+            replicas: Some(1),
+            selector: original_spec.selector,
+            template,
+            volume_claim_templates: original_spec.volume_claim_templates,
+            update_strategy: original_spec.update_strategy,
+            min_ready_seconds: original_spec.min_ready_seconds,
+            persistent_volume_claim_retention_policy: original_spec
+                .persistent_volume_claim_retention_policy,
+            ordinals: original_spec.ordinals,
+            revision_history_limit: original_spec.revision_history_limit,
+            pod_management_policy: original_spec.pod_management_policy,
+        }
+    });
+
+    StatefulSet {
+        metadata: clean_metadata(statefulset.metadata),
+        spec: clean_spec,
+        status: None,
+    }
+}
+
+fn clean_daemonset(daemonset: DaemonSet, workload_containers: &[KubeContainerInfo]) -> DaemonSet {
+    let clean_spec = daemonset.spec.map(|original_spec| {
+        let template = merge_template_containers(original_spec.template, workload_containers);
+
+        DaemonSetSpec {
+            selector: original_spec.selector,
+            template,
+            update_strategy: original_spec.update_strategy,
+            min_ready_seconds: original_spec.min_ready_seconds,
+            revision_history_limit: original_spec.revision_history_limit,
+        }
+    });
+
+    DaemonSet {
+        metadata: clean_metadata(daemonset.metadata),
+        spec: clean_spec,
+        status: None,
+    }
+}
+
+fn clean_replicaset(
+    replicaset: ReplicaSet,
+    workload_containers: &[KubeContainerInfo],
+) -> ReplicaSet {
+    let clean_spec = replicaset.spec.map(|original_spec| {
+        let template = original_spec
+            .template
+            .map(|t| merge_template_containers(t, workload_containers));
+
+        ReplicaSetSpec {
+            replicas: Some(1),
+            selector: original_spec.selector,
+            template,
+            min_ready_seconds: original_spec.min_ready_seconds,
+        }
+    });
+
+    ReplicaSet {
+        metadata: clean_metadata(replicaset.metadata),
+        spec: clean_spec,
+        status: None,
+    }
+}
+
+fn clean_pod(pod: Pod, workload_containers: &[KubeContainerInfo]) -> Pod {
+    let clean_spec = pod.spec.map(|original_spec| {
+        let merged_containers = merge_containers(original_spec.containers, workload_containers);
+
+        PodSpec {
+            active_deadline_seconds: original_spec.active_deadline_seconds,
+            containers: merged_containers,
+            init_containers: original_spec.init_containers,
+            ephemeral_containers: original_spec.ephemeral_containers,
+            volumes: original_spec.volumes,
+            restart_policy: original_spec.restart_policy,
+            termination_grace_period_seconds: original_spec.termination_grace_period_seconds,
+            dns_policy: original_spec.dns_policy,
+            dns_config: original_spec.dns_config,
+            node_selector: original_spec.node_selector,
+            service_account_name: None,
+            service_account: None,
+            automount_service_account_token: None,
+            security_context: original_spec.security_context,
+            image_pull_secrets: original_spec.image_pull_secrets,
+            affinity: original_spec.affinity,
+            tolerations: original_spec.tolerations,
+            topology_spread_constraints: original_spec.topology_spread_constraints,
+            priority_class_name: original_spec.priority_class_name,
+            priority: original_spec.priority,
+            preemption_policy: original_spec.preemption_policy,
+            overhead: original_spec.overhead,
+            enable_service_links: original_spec.enable_service_links,
+            os: original_spec.os,
+            host_users: original_spec.host_users,
+            scheduling_gates: original_spec.scheduling_gates,
+            resource_claims: original_spec.resource_claims,
+            ..Default::default()
+        }
+    });
+
+    Pod {
+        metadata: clean_metadata(pod.metadata),
+        spec: clean_spec,
+        status: None,
+    }
+}
+
+fn clean_job(job: Job, workload_containers: &[KubeContainerInfo]) -> Job {
+    let clean_spec = job.spec.map(|original_spec| {
+        let template = merge_template_containers(original_spec.template, workload_containers);
+
+        JobSpec {
+            template,
+            parallelism: original_spec.parallelism,
+            completions: original_spec.completions,
+            completion_mode: original_spec.completion_mode,
+            active_deadline_seconds: original_spec.active_deadline_seconds,
+            backoff_limit: original_spec.backoff_limit,
+            backoff_limit_per_index: original_spec.backoff_limit_per_index,
+            max_failed_indexes: original_spec.max_failed_indexes,
+            selector: original_spec.selector,
+            manual_selector: original_spec.manual_selector,
+            ttl_seconds_after_finished: original_spec.ttl_seconds_after_finished,
+            suspend: original_spec.suspend,
+            pod_failure_policy: original_spec.pod_failure_policy,
+            pod_replacement_policy: original_spec.pod_replacement_policy,
+            managed_by: original_spec.managed_by,
+            success_policy: original_spec.success_policy,
+        }
+    });
+
+    Job {
+        metadata: clean_metadata(job.metadata),
+        spec: clean_spec,
+        status: None,
+    }
+}
+
+fn clean_cronjob(cronjob: CronJob, workload_containers: &[KubeContainerInfo]) -> CronJob {
+    let clean_spec = cronjob.spec.map(|original_spec| {
+        let mut job_template = original_spec.job_template;
+        if let Some(job_spec) = &mut job_template.spec {
+            job_spec.template =
+                merge_template_containers(job_spec.template.clone(), workload_containers);
+        }
+
+        CronJobSpec {
+            schedule: original_spec.schedule,
+            time_zone: original_spec.time_zone,
+            starting_deadline_seconds: original_spec.starting_deadline_seconds,
+            concurrency_policy: original_spec.concurrency_policy,
+            suspend: original_spec.suspend,
+            job_template,
+            successful_jobs_history_limit: original_spec.successful_jobs_history_limit,
+            failed_jobs_history_limit: original_spec.failed_jobs_history_limit,
+        }
+    });
+
+    CronJob {
+        metadata: clean_metadata(cronjob.metadata),
+        spec: clean_spec,
+        status: None,
+    }
+}
+
+fn merge_template_containers(
+    template: PodTemplateSpec,
+    workload_containers: &[KubeContainerInfo],
+) -> PodTemplateSpec {
+    let pod_spec = template.spec.map(|original_pod_spec| {
+        let mut new_spec = original_pod_spec;
+        let merged_containers = merge_containers(new_spec.containers, workload_containers);
+        new_spec.containers = merged_containers;
+        new_spec.service_account_name = None;
+        new_spec.service_account = None;
+        new_spec.automount_service_account_token = None;
+        new_spec
+    });
+
+    PodTemplateSpec {
+        spec: pod_spec,
+        ..template
+    }
+}
+
+fn merge_containers(
+    containers: Vec<Container>,
+    workload_containers: &[KubeContainerInfo],
+) -> Vec<Container> {
+    containers
+        .into_iter()
+        .map(|container| {
+            if let Some(workload_container) = workload_containers
+                .iter()
+                .find(|wc| wc.name == container.name)
+            {
+                merge_single_container(container, workload_container)
+            } else {
+                container
+            }
+        })
+        .collect()
+}
+
+fn merge_single_container(
+    container: Container,
+    workload_container: &KubeContainerInfo,
+) -> Container {
+    let mut new_container = container.clone();
+
+    match &workload_container.image {
+        KubeContainerImage::FollowOriginal => {
+            if !workload_container.original_image.is_empty() {
+                new_container.image = Some(workload_container.original_image.clone());
+            }
+        }
+        KubeContainerImage::Custom(custom_image) => {
+            if !custom_image.is_empty() {
+                new_container.image = Some(custom_image.clone());
+            }
+        }
+    }
+
+    let mut resources = container.resources.unwrap_or_default();
+    let mut requests = resources.requests.unwrap_or_default();
+    let mut limits = resources.limits.unwrap_or_default();
+
+    if let Some(cpu_request) = &workload_container.cpu_request {
+        if !cpu_request.is_empty() {
+            requests.insert("cpu".to_string(), Quantity(cpu_request.clone()));
+        }
+    }
+    if let Some(memory_request) = &workload_container.memory_request {
+        if !memory_request.is_empty() {
+            requests.insert("memory".to_string(), Quantity(memory_request.clone()));
+        }
+    }
+
+    if let Some(cpu_limit) = &workload_container.cpu_limit {
+        if !cpu_limit.is_empty() {
+            limits.insert("cpu".to_string(), Quantity(cpu_limit.clone()));
+        }
+    }
+    if let Some(memory_limit) = &workload_container.memory_limit {
+        if !memory_limit.is_empty() {
+            limits.insert("memory".to_string(), Quantity(memory_limit.clone()));
+        }
+    }
+
+    resources.requests = if requests.is_empty() {
+        None
+    } else {
+        Some(requests)
+    };
+    resources.limits = if limits.is_empty() {
+        None
+    } else {
+        Some(limits)
+    };
+    new_container.resources = Some(resources);
+
+    let mut env_map: HashMap<String, (Option<String>, Option<EnvVarSource>)> = HashMap::new();
+
+    if !workload_container.original_env_vars.is_empty() {
+        for env_var in &workload_container.original_env_vars {
+            env_map.insert(env_var.name.clone(), (Some(env_var.value.clone()), None));
+        }
+    }
+
+    for kube_env_var in &workload_container.env_vars {
+        env_map.insert(
+            kube_env_var.name.clone(),
+            (Some(kube_env_var.value.clone()), None),
+        );
+    }
+
+    let merged_env: Vec<EnvVar> = env_map
+        .into_iter()
+        .map(|(name, (value, value_from))| EnvVar {
+            name,
+            value,
+            value_from,
+        })
+        .collect();
+
+    new_container.env = Some(merged_env);
+
+    if !workload_container.ports.is_empty() {
+        let ports: Vec<ContainerPort> = workload_container
+            .ports
+            .iter()
+            .map(|port| ContainerPort {
+                name: port.name.clone(),
+                container_port: port.container_port,
+                protocol: port.protocol.clone(),
+                ..Default::default()
+            })
+            .collect();
+        new_container.ports = Some(ports);
+    }
+
+    new_container
+}
+
+fn ensure_sidecar_proxy_container(
+    pod_spec: &mut PodSpec,
+    environment_id: Uuid,
+    workload_id: Uuid,
+    namespace: &str,
+    auth_token: &str,
+    manager_namespace: Option<&str>,
+    proxy_routes_json: Option<&str>,
+) -> usize {
+    let manager_namespace = manager_namespace.unwrap_or("lapdev");
+    let manager_addr = format!("lapdev-kube-manager.{manager_namespace}.svc:5001");
+
+    if let Some(index) = pod_spec
+        .containers
+        .iter()
+        .position(|container| container.name == "lapdev-sidecar-proxy")
+    {
+        let container = &mut pod_spec.containers[index];
+        ensure_sidecar_ports(container);
+        apply_sidecar_env(
+            container,
+            environment_id,
+            workload_id,
+            namespace,
+            auth_token,
+            &manager_addr,
+        );
+        if let Some(json) = proxy_routes_json {
+            upsert_env_var(
+                container,
+                "LAPDEV_SIDECAR_PROXY_PORT_ROUTES",
+                json.to_string(),
+            );
+        }
+        return index;
+    }
+
+    let container = build_sidecar_proxy_container(
+        environment_id,
+        workload_id,
+        namespace,
+        auth_token,
+        &manager_addr,
+        proxy_routes_json.map(|value| value.to_string()),
+    );
+    pod_spec.containers.push(container);
+    pod_spec.containers.len() - 1
+}
+
+fn build_sidecar_proxy_container(
+    environment_id: Uuid,
+    workload_id: Uuid,
+    namespace: &str,
+    auth_token: &str,
+    manager_addr: &str,
+    proxy_routes_json: Option<String>,
+) -> Container {
+    let sidecar_image = container_images::sidecar_proxy_image_reference();
+
+    let mut container = Container {
+        name: "lapdev-sidecar-proxy".to_string(),
+        image: Some(sidecar_image),
+        image_pull_policy: Some("Always".to_string()),
+        ..Default::default()
+    };
+
+    ensure_sidecar_ports(&mut container);
+    apply_sidecar_env(
+        &mut container,
+        environment_id,
+        workload_id,
+        namespace,
+        auth_token,
+        manager_addr,
+    );
+
+    if let Some(routes_json) = proxy_routes_json {
+        upsert_env_var(
+            &mut container,
+            "LAPDEV_SIDECAR_PROXY_PORT_ROUTES",
+            routes_json,
+        );
+    }
+
+    container
+}
+
+fn ensure_sidecar_ports(container: &mut Container) {
+    let ports = container.ports.get_or_insert_with(Vec::new);
+
+    if !ports
+        .iter()
+        .any(|port| port.container_port == DEFAULT_SIDECAR_PROXY_PORT as i32)
+    {
+        ports.push(ContainerPort {
+            container_port: DEFAULT_SIDECAR_PROXY_PORT as i32,
+            name: Some("proxy".to_string()),
+            protocol: Some("TCP".to_string()),
+            ..Default::default()
+        });
+    }
+
+    if !ports
+        .iter()
+        .any(|port| port.container_port == DEFAULT_SIDECAR_PROXY_METRICS_PORT as i32)
+    {
+        ports.push(ContainerPort {
+            container_port: DEFAULT_SIDECAR_PROXY_METRICS_PORT as i32,
+            name: Some("metrics".to_string()),
+            protocol: Some("TCP".to_string()),
+            ..Default::default()
+        });
+    }
+}
+
+fn apply_sidecar_env(
+    container: &mut Container,
+    environment_id: Uuid,
+    workload_id: Uuid,
+    namespace: &str,
+    auth_token: &str,
+    manager_addr: &str,
+) {
+    upsert_env_var(
+        container,
+        "LAPDEV_ENVIRONMENT_ID",
+        environment_id.to_string(),
+    );
+    upsert_env_var(
+        container,
+        "LAPDEV_ENVIRONMENT_AUTH_TOKEN",
+        auth_token.to_string(),
+    );
+    upsert_env_var(container, "KUBERNETES_NAMESPACE", namespace.to_string());
+    upsert_env_var(
+        container,
+        SIDECAR_PROXY_BIND_ADDR_ENV_VAR,
+        DEFAULT_SIDECAR_PROXY_BIND_ADDR.to_string(),
+    );
+    upsert_env_var(
+        container,
+        SIDECAR_PROXY_PORT_ENV_VAR,
+        DEFAULT_SIDECAR_PROXY_PORT.to_string(),
+    );
+    upsert_env_var(
+        container,
+        SIDECAR_PROXY_MANAGER_ADDR_ENV_VAR,
+        manager_addr.to_string(),
+    );
+    upsert_env_var(
+        container,
+        SIDECAR_PROXY_WORKLOAD_ENV_VAR,
+        workload_id.to_string(),
+    );
+
+    ensure_hostname_env(container);
+}
+
+fn ensure_hostname_env(container: &mut Container) {
+    let env_list = container.env.get_or_insert_with(Vec::new);
+
+    if env_list.iter().any(|var| var.name == "HOSTNAME") {
+        return;
+    }
+
+    env_list.push(EnvVar {
+        name: "HOSTNAME".to_string(),
+        value: None,
+        value_from: Some(EnvVarSource {
+            field_ref: Some(ObjectFieldSelector {
+                field_path: "metadata.name".to_string(),
+                ..Default::default()
+            }),
+            ..Default::default()
+        }),
+        ..Default::default()
+    });
+}
+
+fn upsert_env_var(container: &mut Container, name: &str, value: String) {
+    let env_list = container.env.get_or_insert_with(Vec::new);
+
+    if let Some(existing) = env_list.iter_mut().find(|var| var.name == name) {
+        existing.value = Some(value);
+        existing.value_from = None;
+    } else {
+        env_list.push(EnvVar {
+            name: name.to_string(),
+            value: Some(value),
+            value_from: None,
+            ..Default::default()
+        });
+    }
+}
+
+pub fn set_workload_replicas(workload: &mut KubeWorkloadYamlOnly, replicas: i32) -> Result<()> {
+    match workload {
+        KubeWorkloadYamlOnly::Deployment(yaml) => {
+            let mut deployment: Deployment = serde_yaml::from_str(yaml)?;
+            if let Some(spec) = deployment.spec.as_mut() {
+                spec.replicas = Some(replicas);
+            }
+            *yaml = serde_yaml::to_string(&deployment)?;
+        }
+        KubeWorkloadYamlOnly::StatefulSet(yaml) => {
+            let mut statefulset: StatefulSet = serde_yaml::from_str(yaml)?;
+            if let Some(spec) = statefulset.spec.as_mut() {
+                spec.replicas = Some(replicas);
+            }
+            *yaml = serde_yaml::to_string(&statefulset)?;
+        }
+        KubeWorkloadYamlOnly::ReplicaSet(yaml) => {
+            let mut replicaset: ReplicaSet = serde_yaml::from_str(yaml)?;
+            if let Some(spec) = replicaset.spec.as_mut() {
+                spec.replicas = Some(replicas);
+            }
+            *yaml = serde_yaml::to_string(&replicaset)?;
+        }
+        _ => {}
+    }
+    Ok(())
+}
+
+pub fn set_cronjob_suspend(workload: &mut KubeWorkloadYamlOnly, suspend: bool) -> Result<()> {
+    if let KubeWorkloadYamlOnly::CronJob(yaml) = workload {
+        let mut cronjob: CronJob = serde_yaml::from_str(yaml)?;
+        if let Some(spec) = cronjob.spec.as_mut() {
+            spec.suspend = Some(suspend);
+        }
+        *yaml = serde_yaml::to_string(&cronjob)?;
+    }
+
+    Ok(())
+}
+
+pub fn set_daemonset_paused(workload: &mut KubeWorkloadYamlOnly, paused: bool) -> Result<()> {
+    if let KubeWorkloadYamlOnly::DaemonSet(yaml) = workload {
+        let mut daemonset: DaemonSet = serde_yaml::from_str(yaml)?;
+        if let Some(spec) = daemonset.spec.as_mut() {
+            if let Some(template) = spec.template.spec.as_mut() {
+                let selector = template.node_selector.get_or_insert_with(Default::default);
+
+                if paused {
+                    selector.insert("lapdev.io/paused".to_string(), "true".to_string());
+                } else if let Some(selector) = template.node_selector.as_mut() {
+                    selector.remove("lapdev.io/paused");
+                    if selector.is_empty() {
+                        template.node_selector = None;
+                    }
+                }
+            }
+        }
+        *yaml = serde_yaml::to_string(&daemonset)?;
+    }
+
+    Ok(())
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+    use k8s_openapi::api::apps::v1::Deployment as K8sDeployment;
+    use lapdev_common::kube::KubeEnvVar;
+    use serde_yaml::Value;
+
+    fn base_container(name: &str) -> KubeContainerInfo {
+        KubeContainerInfo {
+            name: name.to_string(),
+            original_image: "example:image".to_string(),
+            image: KubeContainerImage::FollowOriginal,
+            cpu_request: None,
+            cpu_limit: None,
+            memory_request: None,
+            memory_limit: None,
+            env_vars: Vec::new(),
+            original_env_vars: Vec::new(),
+            ports: Vec::new(),
+        }
+    }
+
+    fn assert_replica_clamped(kind: KubeWorkloadKind, yaml: &str) {
+        let containers = vec![base_container("app")];
+        let rebuilt = rebuild_workload_yaml(&kind, yaml, &containers, None).unwrap();
+        let parsed: Value = serde_yaml::from_str(&rebuilt).unwrap();
+        let replicas = parsed
+            .get("spec")
+            .and_then(|spec| spec.get("replicas"))
+            .and_then(|value| value.as_i64());
+        assert_eq!(
+            replicas,
+            Some(1),
+            "replica count not clamped for {:?}",
+            kind
+        );
+    }
+
+    #[test]
+    fn rebuild_workload_yaml_clamps_replicas_for_supported_kinds() {
+        let deployment = r#"
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: test-deploy
+spec:
+  replicas: 3
+  selector:
+    matchLabels:
+      app: app
+  template:
+    metadata:
+      labels:
+        app: app
+    spec:
+      containers:
+        - name: app
+          image: nginx
+"#;
+        assert_replica_clamped(KubeWorkloadKind::Deployment, deployment);
+
+        let statefulset = r#"
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: test-sts
+spec:
+  serviceName: svc
+  replicas: 4
+  selector:
+    matchLabels:
+      app: app
+  template:
+    metadata:
+      labels:
+        app: app
+    spec:
+      containers:
+        - name: app
+          image: nginx
+"#;
+        assert_replica_clamped(KubeWorkloadKind::StatefulSet, statefulset);
+
+        let replicaset = r#"
+apiVersion: apps/v1
+kind: ReplicaSet
+metadata:
+  name: test-rs
+spec:
+  replicas: 5
+  selector:
+    matchLabels:
+      app: app
+  template:
+    metadata:
+      labels:
+        app: app
+    spec:
+      containers:
+        - name: app
+          image: nginx
+"#;
+        assert_replica_clamped(KubeWorkloadKind::ReplicaSet, replicaset);
+    }
+
+    #[test]
+    fn rebuild_workload_yaml_restores_follow_original_image_and_env() {
+        let yaml = r#"
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: app
+spec:
+  replicas: 3
+  selector:
+    matchLabels:
+      app: app
+  template:
+    metadata:
+      labels:
+        app: app
+    spec:
+      containers:
+        - name: app
+          image: custom/image:2
+          env:
+            - name: CUSTOMIZED
+              value: stale
+"#;
+
+        let mut container = base_container("app");
+        container.original_image = "registry.example.com/app:v1".to_string();
+        container.original_env_vars = vec![KubeEnvVar {
+            name: "BASE".to_string(),
+            value: "original".to_string(),
+        }];
+        container.env_vars.clear();
+
+        let rebuilt =
+            rebuild_workload_yaml(&KubeWorkloadKind::Deployment, yaml, &[container], None)
+                .expect("rebuild should succeed");
+
+        let deployment: K8sDeployment = serde_yaml::from_str(&rebuilt).unwrap();
+        let pod_spec = deployment
+            .spec
+            .as_ref()
+            .and_then(|spec| spec.template.spec.as_ref())
+            .expect("pod spec should exist");
+        let container_spec = pod_spec.containers.first().expect("container should exist");
+
+        assert_eq!(
+            container_spec.image.as_deref(),
+            Some("registry.example.com/app:v1"),
+            "reset should restore original image"
+        );
+
+        let env = container_spec
+            .env
+            .as_ref()
+            .expect("env vars should be restored");
+        assert!(
+            env.iter()
+                .any(|var| var.name == "BASE" && var.value.as_deref() == Some("original")),
+            "original env vars should be present: {:?}",
+            env
+        );
+        assert!(
+            env.iter().all(|var| var.name != "CUSTOMIZED"),
+            "stale env vars should be removed: {:?}",
+            env
+        );
+    }
+}
diff --git a/crates/api/src/kube_controller/service.rs b/crates/api/src/kube_controller/service.rs
new file mode 100644
index 0000000..dab2319
--- /dev/null
+++ b/crates/api/src/kube_controller/service.rs
@@ -0,0 +1,69 @@
+use uuid::Uuid;
+
+use lapdev_rpc::error::ApiError;
+
+use super::KubeController;
+
+impl KubeController {
+    pub async fn get_environment_services(
+        &self,
+        org_id: Uuid,
+        user_id: Uuid,
+        environment_id: Uuid,
+    ) -> Result<Vec<lapdev_common::kube::KubeEnvironmentService>, ApiError> {
+        // Verify environment belongs to the organization
+        let environment = self
+            .db
+            .get_kube_environment(environment_id)
+            .await
+            .map_err(ApiError::from)?
+            .ok_or_else(|| ApiError::InvalidRequest("Environment not found".to_string()))?;
+
+        // Check authorization
+        if environment.organization_id != org_id {
+            return Err(ApiError::Unauthorized);
+        }
+
+        // If it's a personal environment, check ownership
+        if !environment.is_shared && environment.user_id != user_id {
+            return Err(ApiError::Unauthorized);
+        }
+
+        if let Some(base_environment_id) = environment.base_environment_id {
+            // Branch environments inherit service definitions from their base environment.
+            // We return the base services but rewrite the environment_id so downstream callers
+            // keep treating them as belonging to the branch (important for preview URLs).
+            let base_environment = self
+                .db
+                .get_kube_environment(base_environment_id)
+                .await
+                .map_err(ApiError::from)?
+                .ok_or_else(|| {
+                    ApiError::InvalidRequest("Base environment not found".to_string())
+                })?;
+
+            if base_environment.organization_id != org_id {
+                return Err(ApiError::Unauthorized);
+            }
+
+            let mut base_services = self
+                .db
+                .get_environment_services(base_environment_id)
+                .await
+                .map_err(ApiError::from)?;
+            for service in &mut base_services {
+                service.environment_id = environment.id;
+            }
+
+            return Ok(base_services);
+        }
+
+        let services = self
+            .db
+            .get_environment_services(environment_id)
+            .await
+            .map_err(ApiError::from)?;
+
+        Ok(services)
+    }
+}
diff --git a/crates/api/src/kube_controller/validation.rs b/crates/api/src/kube_controller/validation.rs
new file mode 100644
index 0000000..695a6fc
--- /dev/null
+++ b/crates/api/src/kube_controller/validation.rs
@@ -0,0 +1,216 @@
+use lapdev_common::kube::{KubeContainerImage, KubeContainerInfo};
+use lapdev_rpc::error::ApiError;
+
+pub fn validate_containers(containers: &[KubeContainerInfo]) -> Result<(), ApiError> {
+    if containers.is_empty() {
+        return Err(ApiError::InvalidRequest(
+            "At least one container is required".to_string(),
+        ));
+    }
+
+    for (index, container) in containers.iter().enumerate() {
+        if container.name.trim().is_empty() {
+            return Err(ApiError::InvalidRequest(format!(
+                "Container {} name cannot be empty",
+                index + 1
+            )));
+        }
+
+        match &container.image {
+            KubeContainerImage::Custom(image) => {
+                if image.trim().is_empty() {
+                    return Err(ApiError::InvalidRequest(format!(
+                        "Container '{}' custom image cannot be empty",
+                        container.name
+                    )));
+                }
+            }
+            KubeContainerImage::FollowOriginal => {
+                // No validation needed for FollowOriginal
+            }
+        }
+
+        // Validate CPU resources
+        if let Some(cpu_request) = &container.cpu_request {
+            if !is_valid_cpu_quantity(cpu_request) {
+                return Err(ApiError::InvalidRequest(format!("Container '{}' has invalid CPU request format. Use formats like '100m', '0.1', '1'. Minimum precision is 1m (0.001 CPU)", container.name)));
+            }
+        }
+
+        if let Some(cpu_limit) = &container.cpu_limit {
+            if !is_valid_cpu_quantity(cpu_limit) {
+                return Err(ApiError::InvalidRequest(format!("Container '{}' has invalid CPU limit format. Use formats like '100m', '0.1', '1'. Minimum precision is 1m (0.001 CPU)", container.name)));
+            }
+        }
+
+        // Validate memory resources
+        if let Some(memory_request) = &container.memory_request {
+            if !is_valid_memory_quantity(memory_request) {
+                return Err(ApiError::InvalidRequest(format!("Container '{}' has invalid memory request format. Use formats like '128Mi', '1Gi', '512M'. Maximum 3 decimal places allowed", container.name)));
+            }
+        }
+
+        if let Some(memory_limit) = &container.memory_limit {
+            if !is_valid_memory_quantity(memory_limit) {
+                return Err(ApiError::InvalidRequest(format!("Container '{}' has invalid memory limit format. Use formats like '128Mi', '1Gi', '512M'. Maximum 3 decimal places allowed", container.name)));
+            }
+        }
+
+        // Validate environment variables
+        for env_var in &container.env_vars {
+            if env_var.name.trim().is_empty() {
+                return Err(ApiError::InvalidRequest(format!(
+                    "Container '{}' has environment variable with empty name",
+                    container.name
+                )));
+            }
+        }
+    }
+
+    Ok(())
+}
+
+pub fn is_valid_cpu_quantity(quantity: &str) -> bool {
+    // CPU validation for Kubernetes
+    // Supports formats like: 100m, 0.1, 1, 2.5, etc.
+    // Kubernetes minimum precision is 1m (0.001 CPU)
+    if quantity.trim().is_empty() {
+        return false; // Empty values are invalid - must specify a resource amount
+    }
+
+    let quantity = quantity.trim();
+
+    // CPU can have 'm' suffix for millicores or be a plain decimal number
+    let re = match regex::Regex::new(r"^(\d+\.?\d*|\.\d+)m?$") {
+        Ok(regex) => regex,
+        Err(_) => return false,
+    };
+
+    if !re.is_match(quantity) {
+        return false;
+    }
+
+    // Parse the numeric part and validate precision constraints
+    let (numeric_part, has_millicore_suffix) = if quantity.ends_with('m') {
+        (&quantity[..quantity.len() - 1], true)
+    } else {
+        (quantity, false)
+    };
+
+    if let Ok(value) = numeric_part.parse::<f64>() {
+        if value <= 0.0 {
+            return false; // Must be positive
+        }
+
+        if has_millicore_suffix {
+            // For millicores (m suffix), minimum is 1m, so value must be >= 1.0
+            value >= 1.0
+        } else {
+            // For plain decimal CPU values, minimum precision is 0.001 (1m equivalent)
+            value >= 0.001
+        }
+    } else {
+        false
+    }
+}
+
+pub fn is_valid_memory_quantity(quantity: &str) -> bool {
+    // Memory validation for Kubernetes
+    // Supports formats like: 128Mi, 1Gi, 512M, 1000000000, etc.
+    // Maximum precision is 3 decimal places
+    if quantity.trim().is_empty() {
+        return false; // Empty values are invalid - must specify a resource amount
+    }
+
+    let quantity = quantity.trim();
+
+    // Memory can have binary (Ki, Mi, Gi, Ti, Pi, Ei) or decimal (K, M, G, T, P, E) suffixes
+    let valid_suffixes = [
+        "Ki", "Mi", "Gi", "Ti", "Pi", "Ei", "K", "M", "G", "T", "P", "E",
+    ];
+
+    let (numeric_part, _suffix) =
+        if let Some(suffix) = valid_suffixes.iter().find(|&s| quantity.ends_with(s)) {
+            (&quantity[..quantity.len() - suffix.len()], Some(*suffix))
+        } else {
+            // No suffix means it's in bytes
+            (quantity, None)
+        };
+
+    // Validate the numeric part is a positive number with max 3 decimal places
+    if let Ok(value) = numeric_part.parse::<f64>() {
+        if value <= 0.0 {
+            return false; // Must be positive
+        }
+
+        // Check decimal places constraint (max 3 decimal places)
+        if let Some(decimal_pos) = numeric_part.find('.') {
+            let decimal_part = &numeric_part[decimal_pos + 1..];
+            if decimal_part.len() > 3 {
+                return false; // More than 3 decimal places
+            }
+        }
+
+        true
+    } else {
+        false
+    }
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    #[test]
+    fn test_cpu_validation() {
+        // Valid CPU values
+        assert!(is_valid_cpu_quantity("100m")); // 100 millicores
+        assert!(is_valid_cpu_quantity("1m")); // 1 millicore (minimum)
+        assert!(is_valid_cpu_quantity("0.1")); // 0.1 CPU (100m equivalent)
+        assert!(is_valid_cpu_quantity("1")); // 1 CPU
+        assert!(is_valid_cpu_quantity("2.5")); // 2.5 CPUs
+        assert!(is_valid_cpu_quantity("500m")); // 500 millicores
+        assert!(is_valid_cpu_quantity("1.5m")); // 1.5 millicores
+        assert!(is_valid_cpu_quantity("0.001")); // Minimum decimal precision
+
+        // Invalid CPU values
+        assert!(!is_valid_cpu_quantity("")); // Empty
+        assert!(!is_valid_cpu_quantity("   ")); // Whitespace
+        assert!(!is_valid_cpu_quantity("0.5m")); // Below 1m minimum
+        assert!(!is_valid_cpu_quantity("0.0005")); // Below 0.001 minimum
+        assert!(!is_valid_cpu_quantity("0m")); // Zero millicores
+        assert!(!is_valid_cpu_quantity("0")); // Zero CPU
+        assert!(!is_valid_cpu_quantity("100Mi")); // Wrong suffix
+        assert!(!is_valid_cpu_quantity("-100m")); // Negative
+        assert!(!is_valid_cpu_quantity("abc")); // Non-numeric
+        assert!(!is_valid_cpu_quantity("100x")); // Invalid suffix
+    }
+
+    #[test]
+    fn test_memory_validation() {
+        // Valid memory values
+        assert!(is_valid_memory_quantity("128Mi"));
+        assert!(is_valid_memory_quantity("1Gi"));
+        assert!(is_valid_memory_quantity("512M"));
+        assert!(is_valid_memory_quantity("1000000000")); // Raw bytes
+        assert!(is_valid_memory_quantity("2Ti"));
+        assert!(is_valid_memory_quantity("1.5")); // 1 decimal place
+        assert!(is_valid_memory_quantity("1.5Gi")); // 1 decimal place
+        assert!(is_valid_memory_quantity("128.25Mi")); // 2 decimal places
+        assert!(is_valid_memory_quantity("1.125Gi")); // 3 decimal places (max)
+        assert!(is_valid_memory_quantity("0.5Gi")); // Decimal with suffix
+
+        // Invalid memory values
+        assert!(!is_valid_memory_quantity("")); // Empty
+        assert!(!is_valid_memory_quantity("   ")); // Whitespace
+        assert!(!is_valid_memory_quantity("100m")); // CPU suffix on memory
+        assert!(!is_valid_memory_quantity("-128Mi")); // Negative
+        assert!(!is_valid_memory_quantity("abc")); // Non-numeric
+        assert!(!is_valid_memory_quantity("100x")); // Invalid suffix
+        assert!(!is_valid_memory_quantity("0Mi")); // Zero
+        assert!(!is_valid_memory_quantity("1.1234Gi")); // 4 decimal places (too many)
+        assert!(!is_valid_memory_quantity("1.1234")); // 4 decimal places (too many)
+        assert!(!is_valid_memory_quantity("128.12345Mi")); // 5 decimal places (too many)
+        assert!(!is_valid_memory_quantity("128.12345")); // 5 decimal places (too many)
+    }
+}
diff --git a/crates/api/src/kube_controller/workload.rs b/crates/api/src/kube_controller/workload.rs
new file mode 100644
index 0000000..dde6440
--- /dev/null
+++ b/crates/api/src/kube_controller/workload.rs
@@ -0,0 +1,974 @@
+use uuid::Uuid;
+
+use std::{
+    collections::{BTreeMap, HashMap, HashSet},
+    str::FromStr,
+    time::{Duration, Instant},
+};
+
+use k8s_openapi::api::{
+    apps::v1::{DaemonSet, Deployment, ReplicaSet, StatefulSet},
+    batch::v1::{CronJob, Job},
+    core::v1::{Pod, Service},
+};
+use k8s_openapi::apimachinery::pkg::apis::meta::v1::{LabelSelector, ObjectMeta};
+use lapdev_common::kube::{
+    KubeEnvironment, KubeEnvironmentService, KubeEnvironmentWorkload,
+    KubeEnvironmentWorkloadDetail, KubeServiceDetails, KubeServiceWithYaml, KubeWorkloadKind,
+};
+use lapdev_kube::server::KubeClusterServer;
+use lapdev_kube_rpc::{
+    KubeWorkloadWithResources, KubeWorkloadYamlOnly, KubeWorkloadsWithResources,
+    NamespacedResourceKind, ProxyBranchRouteConfig,
+};
+use lapdev_rpc::error::ApiError;
+
+use super::{resources::rebuild_workload_yaml, KubeController};
+
+impl KubeController {
+    pub async fn get_environment_workloads(
+        &self,
+        org_id: Uuid,
+        user_id: Uuid,
+        environment_id: Uuid,
+    ) -> Result<Vec<lapdev_common::kube::KubeEnvironmentWorkload>, ApiError> {
+        // Verify environment belongs to the organization
+        let environment = self
+            .db
+            .get_kube_environment(environment_id)
+            .await
+            .map_err(ApiError::from)?
+            .ok_or_else(|| ApiError::InvalidRequest("Environment not found".to_string()))?;
+
+        // Check authorization
+        if environment.organization_id != org_id {
+            return Err(ApiError::Unauthorized);
+        }
+
+        // If it's a personal environment, check ownership
+        if !environment.is_shared && environment.user_id != user_id {
+            return Err(ApiError::Unauthorized);
+        }
+
+        let mut workloads = self
+            .db
+            .get_environment_workloads(environment_id)
+            .await
+            .map_err(ApiError::from)?;
+
+        if let Some(base_environment_id) = environment.base_environment_id {
+            let base_workloads = self
+                .db
+                .get_environment_workloads(base_environment_id)
+                .await
+                .map_err(ApiError::from)?;
+            let overridden: HashSet<Uuid> = workloads
+                .iter()
+                .filter_map(|w| w.base_workload_id)
+                .collect();
+
+            for base_workload in base_workloads {
+                if overridden.contains(&base_workload.id) {
+                    continue;
+                }
+                let mut inherited = base_workload.clone();
+                inherited.environment_id = environment.id;
+                if inherited.base_workload_id.is_none() {
+                    inherited.base_workload_id = Some(base_workload.id);
+                }
+                workloads.push(inherited);
+            }
+        }
+
+        Ok(workloads)
+    }
+
+    pub async fn get_environment_workload_detail(
+        &self,
+        org_id: Uuid,
+        user_id: Uuid,
+        environment_id: Uuid,
+        workload_id: Uuid,
+    ) -> Result<KubeEnvironmentWorkloadDetail, ApiError> {
+        let environment = self
+            .get_kube_environment(org_id, user_id, environment_id)
+            .await?;
+
+        let workload = self
+            .db
+            .get_environment_workload(workload_id)
+            .await
+            .map_err(ApiError::from)?
+            .ok_or_else(|| ApiError::InvalidRequest("Workload not found".to_string()))?;
+
+        let workload = Self::map_workload_to_environment(&environment, workload)?;
+
+        Ok(KubeEnvironmentWorkloadDetail {
+            environment,
+            workload,
+        })
+    }
+
+    pub async fn get_environment_workload(
+        &self,
+        org_id: Uuid,
+        user_id: Uuid,
+        workload_id: Uuid,
+    ) -> Result<Option<lapdev_common::kube::KubeEnvironmentWorkload>, ApiError> {
+        // First get the workload to find its environment
+        if let Some(workload) = self
+            .db
+            .get_environment_workload(workload_id)
+            .await
+            .map_err(ApiError::from)?
+        {
+            // Verify the environment belongs to the organization
+            let environment = self
+                .db
+                .get_kube_environment(workload.environment_id)
+                .await
+                .map_err(ApiError::from)?
+                .ok_or_else(|| ApiError::InvalidRequest("Environment not found".to_string()))?;
+            if environment.organization_id != org_id {
+                return Err(ApiError::Unauthorized);
+            }
+            if !environment.is_shared && environment.user_id != user_id {
+                return Err(ApiError::Unauthorized);
+            }
+            Ok(Some(workload))
+        } else {
+            Ok(None)
+        }
+    }
+
+    pub async fn delete_environment_workload(
+        &self,
+        org_id: Uuid,
+        user_id: Uuid,
+        environment_id: Uuid,
+        workload_id: Uuid,
+    ) -> Result<(), ApiError> {
+        let environment = self
+            .db
+            .get_kube_environment(environment_id)
+            .await
+            .map_err(ApiError::from)?
+            .ok_or_else(|| ApiError::InvalidRequest("Environment not found".to_string()))?;
+
+        if environment.organization_id != org_id {
+            return Err(ApiError::Unauthorized);
+        }
+
+        if !environment.is_shared && environment.user_id != user_id {
+            return Err(ApiError::Unauthorized);
+        }
+
+        let workload = self
+            .db
+            .get_environment_workload(workload_id)
+            .await
+            .map_err(ApiError::from)?
+            .ok_or_else(|| ApiError::InvalidRequest("Workload not found".to_string()))?;
+
+        if workload.environment_id != environment.id {
+            return Err(ApiError::InvalidRequest(
+                "Workload does not belong to this environment".to_string(),
+            ));
+        }
+
+        if environment.base_environment_id.is_some() {
+            let cluster_server = self
+                .get_random_kube_cluster_server(environment.cluster_id)
+                .await
+                .ok_or_else(|| {
+                    ApiError::InvalidRequest(
+                        "No connected KubeManager for this cluster; cannot delete branch workload"
+                            .to_string(),
+                    )
+                })?;
+
+            self.delete_branch_workload_resources(&cluster_server, &environment, &workload)
+                .await?;
+
+            if let Some((base_env_id, base_workload_id)) = environment
+                .base_environment_id
+                .zip(workload.base_workload_id)
+            {
+                Self::send_branch_service_route_removal(
+                    &cluster_server,
+                    base_env_id,
+                    base_workload_id,
+                    environment.id,
+                )
+                .await;
+            }
+        }
+
+        self.db
+            .delete_environment_workload(workload_id)
+            .await
+            .map_err(ApiError::from)?;
+
+        Ok(())
+    }
+
+    pub async fn update_environment_workload(
+        &self,
+        _org_id: Uuid,
+        _user_id: Uuid,
+        workload_id: Uuid,
+        containers: Vec<lapdev_common::kube::KubeContainerInfo>,
+        environment: lapdev_db_entities::kube_environment::Model,
+    ) -> Result<Uuid, ApiError> {
+        let existing_workload = self
+            .db
+            .get_environment_workload(workload_id)
+            .await
+            .map_err(ApiError::from)?
+            .ok_or_else(|| ApiError::InvalidRequest("Workload not found".to_string()))?;
+
+        let mut workload_record = existing_workload;
+        if let Some(base_environment_id) = environment.base_environment_id {
+            if workload_record.environment_id == base_environment_id {
+                workload_record = self
+                    .ensure_branch_workload_override(&environment, &workload_record)
+                    .await?;
+            }
+        }
+
+        let kind = KubeWorkloadKind::from_str(&workload_record.kind).map_err(|_| {
+            ApiError::InvalidRequest(format!(
+                "Invalid workload kind {} for environment {}",
+                workload_record.kind, workload_record.environment_id
+            ))
+        })?;
+
+        let target_workload_id = workload_record.id;
+
+        let (workload_with_resources, persisted_yaml, extra_labels) =
+            if environment.base_environment_id.is_some() {
+                let (manifest, yaml, labels) = self
+                    .build_branch_workload_manifest(
+                        &environment,
+                        &workload_record,
+                        kind.clone(),
+                        &containers,
+                    )
+                    .await?;
+                (manifest, yaml, Some(labels))
+            } else {
+                let (manifest, yaml) = Self::build_standard_workload_manifest(
+                    kind,
+                    &workload_record.workload_yaml,
+                    &containers,
+                )?;
+                let mut labels = HashMap::new();
+                labels.insert(
+                    "lapdev.base-workload".to_string(),
+                    workload_record.name.clone(),
+                );
+                labels.insert(
+                    "lapdev.base-workload-id".to_string(),
+                    workload_record.id.to_string(),
+                );
+                (manifest, yaml, Some(labels))
+            };
+
+        let cluster_server = self
+            .get_random_kube_cluster_server(environment.cluster_id)
+            .await
+            .ok_or_else(|| {
+                ApiError::InvalidRequest("No connected KubeManager for this cluster".to_string())
+            })?;
+
+        self.deploy_environment_resources(
+            &cluster_server,
+            &environment,
+            KubeWorkloadsWithResources {
+                workloads: vec![workload_with_resources.workload],
+                services: workload_with_resources.services,
+                configmaps: workload_with_resources.configmaps,
+                secrets: workload_with_resources.secrets,
+            },
+            extra_labels,
+        )
+        .await?;
+
+        if let Some(base_environment_id) = environment.base_environment_id {
+            match workload_record.base_workload_id {
+                Some(base_workload_id) => {
+                    let base_environment = self
+                        .db
+                        .get_kube_environment(base_environment_id)
+                        .await
+                        .map_err(ApiError::from)?
+                        .ok_or_else(|| {
+                            ApiError::InvalidRequest(format!(
+                                "Base environment {} not found",
+                                base_environment_id
+                            ))
+                        })?;
+
+                    match cluster_server
+                        .build_branch_service_route_config(
+                            &base_environment,
+                            base_workload_id,
+                            environment.id,
+                        )
+                        .await
+                    {
+                        Ok(Some(route)) => {
+                            Self::send_branch_service_route_update(
+                                &cluster_server,
+                                base_environment_id,
+                                base_workload_id,
+                                environment.id,
+                                route,
+                            )
+                            .await;
+                        }
+                        Ok(None) => {
+                            Self::send_branch_service_route_removal(
+                                &cluster_server,
+                                base_environment_id,
+                                base_workload_id,
+                                environment.id,
+                            )
+                            .await;
+                        }
+                        Err(err) => {
+                            tracing::warn!(
+                                base_environment_id = %base_environment_id,
+                                branch_environment_id = %environment.id,
+                                workload_id = %base_workload_id,
+                                error = ?err,
+                                "Failed to build branch service route config; falling back to full refresh"
+                            );
+                            Self::refresh_branch_service_routes_with_logging(
+                                &cluster_server,
+                                base_environment_id,
+                            )
+                            .await;
+                        }
+                    }
+                }
+                None => {
+                    tracing::warn!(
+                        environment_id = %environment.id,
+                        workload_id = %workload_id,
+                        "Branch workload missing base_workload_id; falling back to full refresh"
+                    );
+                    Self::refresh_branch_service_routes_with_logging(
+                        &cluster_server,
+                        base_environment_id,
+                    )
+                    .await;
+                }
+            }
+        }
+
+        self.db
+            .update_environment_workload(target_workload_id, containers, persisted_yaml)
+            .await
+            .map_err(ApiError::from)?;
+
+        Ok(target_workload_id)
+    }
+
+    async fn delete_branch_workload_resources(
+        &self,
+        cluster_server: &KubeClusterServer,
+        environment: &lapdev_db_entities::kube_environment::Model,
+        workload: &lapdev_common::kube::KubeEnvironmentWorkload,
+    ) -> Result<(), ApiError> {
+        let kind = KubeWorkloadKind::from_str(&workload.kind).map_err(|_| {
+            ApiError::InvalidRequest(format!(
+                "Invalid workload kind {} in branch environment",
+                workload.kind
+            ))
+        })?;
+
+        let mut resources = vec![(workload_kind_to_resource_kind(&kind), workload.name.clone())];
+
+        let services = self
+            .db
+            .get_environment_services(environment.id)
+            .await
+            .map_err(ApiError::from)?;
+
+        for service in services {
+            if service_targets_branch_workload(&service, &workload.name) {
+                resources.push((NamespacedResourceKind::Service, service.name.clone()));
+            }
+        }
+
+        let mut ctx = Self::kube_manager_rpc_context();
+
+        match cluster_server
+            .rpc_client
+            .delete_namespaced_resources(ctx, environment.namespace.clone(), resources)
+            .await
+        {
+            Ok(Ok(())) => Ok(()),
+            Ok(Err(err)) => Err(ApiError::InvalidRequest(format!(
+                "Failed to delete branch workload resources: {err}"
+            ))),
+            Err(err) => Err(ApiError::InvalidRequest(format!(
+                "Connection error while deleting branch workload resources: {err}"
+            ))),
+        }
+    }
+
+    pub(super) async fn send_branch_service_route_update(
+        cluster_server: &KubeClusterServer,
+        base_environment_id: Uuid,
+        base_workload_id: Uuid,
+        branch_environment_id: Uuid,
+        route: ProxyBranchRouteConfig,
+    ) {
+        match cluster_server
+            .rpc_client
+            .update_branch_service_route(
+                Self::kube_manager_rpc_context(),
+                base_environment_id,
+                base_workload_id,
+                route,
+            )
+            .await
+        {
+            Ok(Ok(())) => {}
+            Ok(Err(err)) => {
+                tracing::warn!(
+                    base_environment_id = %base_environment_id,
+                    branch_environment_id = %branch_environment_id,
+                    workload_id = %base_workload_id,
+                    error = %err,
+                    "KubeManager rejected branch service route update"
+                );
+            }
+            Err(err) => {
+                tracing::warn!(
+                    base_environment_id = %base_environment_id,
+                    branch_environment_id = %branch_environment_id,
+                    workload_id = %base_workload_id,
+                    error = %err,
+                    "Failed to send branch service route update to KubeManager"
+                );
+            }
+        }
+    }
+
+    pub(super) async fn send_branch_service_route_removal(
+        cluster_server: &KubeClusterServer,
+        base_environment_id: Uuid,
+        base_workload_id: Uuid,
+        branch_environment_id: Uuid,
+    ) {
+        match cluster_server
+            .rpc_client
+            .remove_branch_service_route(
+                Self::kube_manager_rpc_context(),
+                base_environment_id,
+                base_workload_id,
+                branch_environment_id,
+            )
+            .await
+        {
+            Ok(Ok(())) => {}
+            Ok(Err(err)) => {
+                tracing::warn!(
+                    base_environment_id = %base_environment_id,
+                    branch_environment_id = %branch_environment_id,
+                    workload_id = %base_workload_id,
+                    error = %err,
+                    "KubeManager rejected branch service route removal"
+                );
+            }
+            Err(err) => {
+                tracing::warn!(
+                    base_environment_id = %base_environment_id,
+                    branch_environment_id = %branch_environment_id,
+                    workload_id = %base_workload_id,
+                    error = %err,
+                    "Failed to send branch service route removal to KubeManager"
+                );
+            }
+        }
+    }
+
+    pub(super) async fn refresh_branch_service_routes_with_logging(
+        cluster_server: &KubeClusterServer,
+        base_environment_id: Uuid,
+    ) {
+        if let Err(err) = cluster_server
+            .rpc_client
+            .refresh_branch_service_routes(Self::kube_manager_rpc_context(), base_environment_id)
+            .await
+        {
+            tracing::warn!(
+                base_environment_id = %base_environment_id,
+                error = %err,
+                "Failed to refresh branch service routes during fallback"
+            );
+        }
+    }
+
+    pub(super) async fn build_branch_workload_manifest(
+        &self,
+        environment: &lapdev_db_entities::kube_environment::Model,
+        existing_workload: &lapdev_common::kube::KubeEnvironmentWorkload,
+        kind: KubeWorkloadKind,
+        containers: &[lapdev_common::kube::KubeContainerInfo],
+    ) -> Result<(KubeWorkloadWithResources, String, HashMap<String, String>), ApiError> {
+        let base_workload_name = existing_workload.name.clone();
+        let env_suffix = environment.id.to_string();
+        let branch_workload_name = if base_workload_name.ends_with(&env_suffix) {
+            base_workload_name.clone()
+        } else {
+            format!("{}-{}", base_workload_name, environment.id)
+        };
+        let branch_selector = build_branch_service_selector(&branch_workload_name);
+
+        let (mut workload_with_resources, persisted_yaml) = Self::build_standard_workload_manifest(
+            kind,
+            &existing_workload.workload_yaml,
+            containers,
+        )?;
+
+        let environment_services = self
+            .db
+            .get_environment_services(environment.id)
+            .await
+            .map_err(ApiError::from)?;
+
+        let mut updated_services: HashMap<String, KubeServiceWithYaml> = HashMap::new();
+        for service in environment_services {
+            let mut matches_workload =
+                service.name == base_workload_name || service.name == branch_workload_name;
+            if !matches_workload {
+                matches_workload = service
+                    .selector
+                    .values()
+                    .any(|value| value == &base_workload_name || value == &branch_workload_name);
+            }
+            if !matches_workload {
+                continue;
+            }
+
+            if service.yaml.trim().is_empty() {
+                tracing::warn!(
+                    environment_id = %environment.id,
+                    workload = %existing_workload.name,
+                    service = %service.name,
+                    "Branch workload service YAML is empty; skipping service deployment"
+                );
+                continue;
+            }
+
+            let branch_service_name = format!("{}-{}", service.name, environment.id);
+            updated_services.insert(
+                branch_service_name.clone(),
+                KubeServiceWithYaml {
+                    yaml: service.yaml.clone(),
+                    details: KubeServiceDetails {
+                        name: branch_service_name,
+                        ports: service.ports.clone(),
+                        selector: branch_selector.clone(),
+                    },
+                },
+            );
+        }
+        workload_with_resources.services = updated_services;
+        workload_with_resources.configmaps.clear();
+        workload_with_resources.secrets.clear();
+
+        let mut extra_labels = HashMap::new();
+        extra_labels.insert(
+            "lapdev.branch-environment".to_string(),
+            environment.id.to_string(),
+        );
+        extra_labels.insert(
+            "lapdev.base-workload".to_string(),
+            existing_workload.name.clone(),
+        );
+        extra_labels.insert(
+            "lapdev.io/routing-key".to_string(),
+            format!("branch-{}", environment.id),
+        );
+        extra_labels.insert(
+            "lapdev.io/proxy-target-port".to_string(),
+            "8080".to_string(),
+        );
+        extra_labels.insert(
+            "lapdev.base-workload-id".to_string(),
+            existing_workload.id.to_string(),
+        );
+
+        Ok((workload_with_resources, persisted_yaml, extra_labels))
+    }
+
+    fn build_standard_workload_manifest(
+        kind: KubeWorkloadKind,
+        original_yaml: &str,
+        containers: &[lapdev_common::kube::KubeContainerInfo],
+    ) -> Result<(KubeWorkloadWithResources, String), ApiError> {
+        let rebuilt_yaml =
+            rebuild_workload_yaml(&kind, original_yaml, containers, None).map_err(|err| {
+                ApiError::InvalidRequest(format!("Failed to rebuild workload manifest: {}", err))
+            })?;
+
+        let workload = match kind {
+            KubeWorkloadKind::Deployment => KubeWorkloadYamlOnly::Deployment(rebuilt_yaml.clone()),
+            KubeWorkloadKind::StatefulSet => {
+                KubeWorkloadYamlOnly::StatefulSet(rebuilt_yaml.clone())
+            }
+            KubeWorkloadKind::DaemonSet => KubeWorkloadYamlOnly::DaemonSet(rebuilt_yaml.clone()),
+            KubeWorkloadKind::ReplicaSet => KubeWorkloadYamlOnly::ReplicaSet(rebuilt_yaml.clone()),
+            KubeWorkloadKind::Pod => KubeWorkloadYamlOnly::Pod(rebuilt_yaml.clone()),
+            KubeWorkloadKind::Job => KubeWorkloadYamlOnly::Job(rebuilt_yaml.clone()),
+            KubeWorkloadKind::CronJob => KubeWorkloadYamlOnly::CronJob(rebuilt_yaml.clone()),
+        };
+
+        Ok((
+            KubeWorkloadWithResources {
+                workload,
+                services: HashMap::new(),
+                configmaps: HashMap::new(),
+                secrets: HashMap::new(),
+            },
+            rebuilt_yaml,
+        ))
+    }
+
+    fn map_workload_to_environment(
+        environment: &KubeEnvironment,
+        mut workload: KubeEnvironmentWorkload,
+    ) -> Result<KubeEnvironmentWorkload, ApiError> {
+        if workload.environment_id == environment.id {
+            return Ok(workload);
+        }
+
+        if let Some(base_environment_id) = environment.base_environment_id {
+            if workload.environment_id == base_environment_id {
+                if workload.base_workload_id.is_none() {
+                    workload.base_workload_id = Some(workload.id);
+                }
+                workload.environment_id = environment.id;
+                return Ok(workload);
+            }
+        }
+
+        Err(ApiError::InvalidRequest(
+            "Workload does not belong to this environment".to_string(),
+        ))
+    }
+}
+
+pub(super) fn rename_workload_yaml(
+    workload: &mut KubeWorkloadYamlOnly,
+    new_name: &str,
+    selector_labels: &BTreeMap<String, String>,
+) -> Result<(), ApiError> {
+    match workload {
+        KubeWorkloadYamlOnly::Deployment(yaml) => {
+            rename_deployment_yaml(yaml, new_name, selector_labels)
+        }
+        KubeWorkloadYamlOnly::StatefulSet(yaml) => {
+            rename_statefulset_yaml(yaml, new_name, selector_labels)
+        }
+        KubeWorkloadYamlOnly::DaemonSet(yaml) => {
+            rename_daemonset_yaml(yaml, new_name, selector_labels)
+        }
+        KubeWorkloadYamlOnly::ReplicaSet(yaml) => {
+            rename_replicaset_yaml(yaml, new_name, selector_labels)
+        }
+        KubeWorkloadYamlOnly::Pod(yaml) => rename_pod_yaml(yaml, new_name, selector_labels),
+        KubeWorkloadYamlOnly::Job(yaml) => rename_job_yaml(yaml, new_name, selector_labels),
+        KubeWorkloadYamlOnly::CronJob(yaml) => rename_cronjob_yaml(yaml, new_name, selector_labels),
+    }
+}
+
+pub(super) fn build_branch_service_selector(workload_name: &str) -> BTreeMap<String, String> {
+    let mut selector = BTreeMap::new();
+    selector.insert("app".to_string(), workload_name.to_string());
+    selector
+}
+
+fn service_targets_branch_workload(
+    service: &KubeEnvironmentService,
+    branch_workload_name: &str,
+) -> bool {
+    if service.name == branch_workload_name {
+        return true;
+    }
+    service
+        .selector
+        .values()
+        .any(|value| value == branch_workload_name)
+}
+
+fn workload_kind_to_resource_kind(kind: &KubeWorkloadKind) -> NamespacedResourceKind {
+    match kind {
+        KubeWorkloadKind::Deployment => NamespacedResourceKind::Deployment,
+        KubeWorkloadKind::StatefulSet => NamespacedResourceKind::StatefulSet,
+        KubeWorkloadKind::DaemonSet => NamespacedResourceKind::DaemonSet,
+        KubeWorkloadKind::ReplicaSet => NamespacedResourceKind::ReplicaSet,
+        KubeWorkloadKind::Pod => NamespacedResourceKind::Pod,
+        KubeWorkloadKind::Job => NamespacedResourceKind::Job,
+        KubeWorkloadKind::CronJob => NamespacedResourceKind::CronJob,
+    }
+}
+
+pub(super) fn rename_service_yaml(
+    yaml: &str,
+    new_service_name: &str,
+    selector_labels: &BTreeMap<String, String>,
+) -> Result<String, ApiError> {
+    let mut service: Service = serde_yaml::from_str(yaml).map_err(|err| {
+        ApiError::InvalidRequest(format!("Failed to parse service YAML for rename: {}", err))
+    })?;
+
+    service.metadata.name = Some(new_service_name.to_string());
+    let mut labels = BTreeMap::new();
+    labels.insert("app".to_string(), new_service_name.to_string());
+    service.metadata.labels = Some(labels);
+
+    if let Some(spec) = service.spec.as_mut() {
+        spec.selector = Some(selector_labels.clone());
+    }
+
+    serde_yaml::to_string(&service).map_err(|err| {
+        ApiError::InvalidRequest(format!("Failed to serialize renamed service YAML: {}", err))
+    })
+}
+
+fn rename_deployment_yaml(
+    yaml: &mut String,
+    new_name: &str,
+    selector_labels: &BTreeMap<String, String>,
+) -> Result<(), ApiError> {
+    let mut deployment: Deployment = serde_yaml::from_str(yaml).map_err(|err| {
+        ApiError::InvalidRequest(format!(
+            "Failed to parse deployment YAML for rename: {}",
+            err
+        ))
+    })?;
+
+    update_object_meta(&mut deployment.metadata, new_name, selector_labels);
+
+    if let Some(spec) = deployment.spec.as_mut() {
+        update_selector_labels(&mut spec.selector, selector_labels);
+        if let Some(template) = spec.template.metadata.as_mut() {
+            update_object_meta(template, new_name, selector_labels);
+        }
+    }
+
+    *yaml = serde_yaml::to_string(&deployment).map_err(|err| {
+        ApiError::InvalidRequest(format!(
+            "Failed to serialize renamed deployment YAML: {}",
+            err
+        ))
+    })?;
+    Ok(())
+}
+
+fn rename_statefulset_yaml(
+    yaml: &mut String,
+    new_name: &str,
+    selector_labels: &BTreeMap<String, String>,
+) -> Result<(), ApiError> {
+    let mut statefulset: StatefulSet = serde_yaml::from_str(yaml).map_err(|err| {
+        ApiError::InvalidRequest(format!(
+            "Failed to parse statefulset YAML for rename: {}",
+            err
+        ))
+    })?;
+
+    update_object_meta(&mut statefulset.metadata, new_name, selector_labels);
+
+    if let Some(spec) = statefulset.spec.as_mut() {
+        update_selector_labels(&mut spec.selector, selector_labels);
+        if let Some(template) = spec.template.metadata.as_mut() {
+            update_object_meta(template, new_name, selector_labels);
+        }
+    }
+
+    *yaml = serde_yaml::to_string(&statefulset).map_err(|err| {
+        ApiError::InvalidRequest(format!(
+            "Failed to serialize renamed statefulset YAML: {}",
+            err
+        ))
+    })?;
+    Ok(())
+}
+
+fn rename_daemonset_yaml(
+    yaml: &mut String,
+    new_name: &str,
+    selector_labels: &BTreeMap<String, String>,
+) -> Result<(), ApiError> {
+    let mut daemonset: DaemonSet = serde_yaml::from_str(yaml).map_err(|err| {
+        ApiError::InvalidRequest(format!(
+            "Failed to parse daemonset YAML for rename: {}",
+            err
+        ))
+    })?;
+
+    update_object_meta(&mut daemonset.metadata, new_name, selector_labels);
+
+    if let Some(spec) = daemonset.spec.as_mut() {
+        update_selector_labels(&mut spec.selector, selector_labels);
+        if let Some(template) = spec.template.metadata.as_mut() {
+            update_object_meta(template, new_name, selector_labels);
+        }
+    }
+
+    *yaml = serde_yaml::to_string(&daemonset).map_err(|err| {
+        ApiError::InvalidRequest(format!(
+            "Failed to serialize renamed daemonset YAML: {}",
+            err
+        ))
+    })?;
+    Ok(())
+}
+
+fn rename_replicaset_yaml(
+    yaml: &mut String,
+    new_name: &str,
+    selector_labels: &BTreeMap<String, String>,
+) -> Result<(), ApiError> {
+    let mut replicaset: ReplicaSet = serde_yaml::from_str(yaml).map_err(|err| {
+        ApiError::InvalidRequest(format!(
+            "Failed to parse replicaset YAML for rename: {}",
+            err
+        ))
+    })?;
+
+    update_object_meta(&mut replicaset.metadata, new_name, selector_labels);
+
+    if let Some(spec) = replicaset.spec.as_mut() {
+        update_selector_labels(&mut spec.selector, selector_labels);
+        if let Some(template) = spec.template.as_mut() {
+            if let Some(metadata) = template.metadata.as_mut() {
+                update_object_meta(metadata, new_name, selector_labels);
+            }
+        }
+    }
+
+    *yaml = serde_yaml::to_string(&replicaset).map_err(|err| {
+        ApiError::InvalidRequest(format!(
+            "Failed to serialize renamed replicaset YAML: {}",
+            err
+        ))
+    })?;
+    Ok(())
+}
+
+fn rename_pod_yaml(
+    yaml: &mut String,
+    new_name: &str,
+    selector_labels: &BTreeMap<String, String>,
+) -> Result<(), ApiError> {
+    let mut pod: Pod = serde_yaml::from_str(yaml).map_err(|err| {
+        ApiError::InvalidRequest(format!("Failed to parse pod YAML for rename: {}", err))
+    })?;
+
+    update_object_meta(&mut pod.metadata, new_name, selector_labels);
+
+    *yaml = serde_yaml::to_string(&pod).map_err(|err| {
+        ApiError::InvalidRequest(format!("Failed to serialize renamed pod YAML: {}", err))
+    })?;
+    Ok(())
+}
+
+fn rename_job_yaml(
+    yaml: &mut String,
+    new_name: &str,
+    selector_labels: &BTreeMap<String, String>,
+) -> Result<(), ApiError> {
+    let mut job: Job = serde_yaml::from_str(yaml).map_err(|err| {
+        ApiError::InvalidRequest(format!("Failed to parse job YAML for rename: {}", err))
+    })?;
+
+    update_object_meta(&mut job.metadata, new_name, selector_labels);
+
+    if let Some(spec) = job.spec.as_mut() {
+        update_optional_selector_labels(&mut spec.selector, selector_labels);
+        if let Some(template) = spec.template.metadata.as_mut() {
+            update_object_meta(template, new_name, selector_labels);
+        }
+    }
+
+    *yaml = serde_yaml::to_string(&job).map_err(|err| {
+        ApiError::InvalidRequest(format!("Failed to serialize renamed job YAML: {}", err))
+    })?;
+    Ok(())
+}
+
+fn rename_cronjob_yaml(
+    yaml: &mut String,
+    new_name: &str,
+    selector_labels: &BTreeMap<String, String>,
+) -> Result<(), ApiError> {
+    let mut cronjob: CronJob = serde_yaml::from_str(yaml).map_err(|err| {
+        ApiError::InvalidRequest(format!("Failed to parse cronjob YAML for rename: {}", err))
+    })?;
+
+    update_object_meta(&mut cronjob.metadata, new_name, selector_labels);
+
+    if let Some(spec) = cronjob.spec.as_mut() {
+        let job_template = &mut spec.job_template;
+        if let Some(job_spec) = job_template.spec.as_mut() {
+            update_optional_selector_labels(&mut job_spec.selector, selector_labels);
+            if let Some(template) = job_spec.template.metadata.as_mut() {
+                update_object_meta(template, new_name, selector_labels);
+            }
+        }
+    }
+
+    *yaml = serde_yaml::to_string(&cronjob).map_err(|err| {
+        ApiError::InvalidRequest(format!("Failed to serialize renamed cronjob YAML: {}", err))
+    })?;
+    Ok(())
+}
+
+fn update_object_meta(
+    metadata: &mut ObjectMeta,
+    new_name: &str,
+    selector_labels: &BTreeMap<String, String>,
+) {
+    metadata.name = Some(new_name.to_string());
+    ensure_labels_from_map(&mut metadata.labels, selector_labels);
+}
+
+fn ensure_labels_from_map(
+    labels: &mut Option<BTreeMap<String, String>>,
+    desired: &BTreeMap<String, String>,
+) {
+    *labels = Some(desired.clone());
+}
+
+fn update_selector_labels(selector: &mut LabelSelector, desired: &BTreeMap<String, String>) {
+    selector.match_labels = Some(desired.clone());
+}
+
+fn update_optional_selector_labels(
+    selector: &mut Option<LabelSelector>,
+    desired: &BTreeMap<String, String>,
+) {
+    match selector {
+        Some(existing) => update_selector_labels(existing, desired),
+        None => {
+            let mut new_selector = LabelSelector::default();
+            update_selector_labels(&mut new_selector, desired);
+            *selector = Some(new_selector);
+        }
+    }
+}
+
+fn to_btreemap(labels: &HashMap<String, String>) -> BTreeMap<String, String> {
+    labels
+        .iter()
+        .map(|(key, value)| (key.clone(), value.clone()))
+        .collect()
+}
diff --git a/crates/api/src/kube_controller/workload_yaml_cleaner.rs b/crates/api/src/kube_controller/workload_yaml_cleaner.rs
new file mode 100644
index 0000000..a3c4ba6
--- /dev/null
+++ b/crates/api/src/kube_controller/workload_yaml_cleaner.rs
@@ -0,0 +1,413 @@
+use std::collections::HashMap;
+
+use anyhow::Result;
+use k8s_openapi::{
+    api::{
+        apps::v1::{
+            DaemonSet, DaemonSetSpec, Deployment, DeploymentSpec, ReplicaSet, ReplicaSetSpec,
+            StatefulSet, StatefulSetSpec,
+        },
+        batch::v1::{CronJob, CronJobSpec, Job, JobSpec},
+        core::v1::{Container, ContainerPort, EnvVar, EnvVarSource, Pod, PodSpec, PodTemplateSpec},
+    },
+    apimachinery::pkg::{api::resource::Quantity, apis::meta::v1::ObjectMeta},
+};
+use lapdev_common::kube::{KubeContainerImage, KubeContainerInfo, KubeWorkloadKind};
+
+use super::resources::SidecarInjectionOptions;
+
+/// Rebuild workload YAML so it reflects the latest container configuration while
+/// stripping server-managed metadata. Mirrors kube-manager's clean_* helpers.
+pub fn rebuild_workload_yaml(
+    kind: &KubeWorkloadKind,
+    yaml: &str,
+    containers: &[KubeContainerInfo],
+    _sidecar: Option<&SidecarInjectionOptions<'_>>,
+) -> Result<String> {
+    match kind {
+        KubeWorkloadKind::Deployment => {
+            let deployment: Deployment = serde_yaml::from_str(yaml)?;
+            let cleaned = clean_deployment(deployment, containers);
+            Ok(serde_yaml::to_string(&cleaned)?)
+        }
+        KubeWorkloadKind::StatefulSet => {
+            let statefulset: StatefulSet = serde_yaml::from_str(yaml)?;
+            let cleaned = clean_statefulset(statefulset, containers);
+            Ok(serde_yaml::to_string(&cleaned)?)
+        }
+        KubeWorkloadKind::DaemonSet => {
+            let daemonset: DaemonSet = serde_yaml::from_str(yaml)?;
+            let cleaned = clean_daemonset(daemonset, containers);
+            Ok(serde_yaml::to_string(&cleaned)?)
+        }
+        KubeWorkloadKind::ReplicaSet => {
+            let replicaset: ReplicaSet = serde_yaml::from_str(yaml)?;
+            let cleaned = clean_replicaset(replicaset, containers);
+            Ok(serde_yaml::to_string(&cleaned)?)
+        }
+        KubeWorkloadKind::Pod => {
+            let pod: Pod = serde_yaml::from_str(yaml)?;
+            let cleaned = clean_pod(pod, containers);
+            Ok(serde_yaml::to_string(&cleaned)?)
+        }
+        KubeWorkloadKind::Job => {
+            let job: Job = serde_yaml::from_str(yaml)?;
+            let cleaned = clean_job(job, containers);
+            Ok(serde_yaml::to_string(&cleaned)?)
+        }
+        KubeWorkloadKind::CronJob => {
+            let cronjob: CronJob = serde_yaml::from_str(yaml)?;
+            let cleaned = clean_cronjob(cronjob, containers);
+            Ok(serde_yaml::to_string(&cleaned)?)
+        }
+    }
+}
+
+fn clean_metadata(metadata: ObjectMeta) -> ObjectMeta {
+    ObjectMeta {
+        name: metadata.name,
+        labels: metadata.labels,
+        ..Default::default()
+    }
+}
+
+fn clean_deployment(
+    deployment: Deployment,
+    workload_containers: &[KubeContainerInfo],
+) -> Deployment {
+    let clean_spec = deployment.spec.map(|original_spec| {
+        let template = merge_template_containers(original_spec.template, workload_containers);
+
+        DeploymentSpec {
+            replicas: original_spec.replicas,
+            selector: original_spec.selector,
+            template,
+            min_ready_seconds: original_spec.min_ready_seconds,
+            paused: original_spec.paused,
+            progress_deadline_seconds: original_spec.progress_deadline_seconds,
+            revision_history_limit: original_spec.revision_history_limit,
+            strategy: original_spec.strategy,
+        }
+    });
+
+    Deployment {
+        metadata: clean_metadata(deployment.metadata),
+        spec: clean_spec,
+        status: None,
+    }
+}
+
+fn clean_statefulset(
+    statefulset: StatefulSet,
+    workload_containers: &[KubeContainerInfo],
+) -> StatefulSet {
+    let clean_spec = statefulset.spec.map(|original_spec| {
+        let template = merge_template_containers(original_spec.template, workload_containers);
+
+        StatefulSetSpec {
+            service_name: original_spec.service_name,
+            replicas: original_spec.replicas,
+            selector: original_spec.selector,
+            template,
+            volume_claim_templates: original_spec.volume_claim_templates,
+            update_strategy: original_spec.update_strategy,
+            min_ready_seconds: original_spec.min_ready_seconds,
+            persistent_volume_claim_retention_policy: original_spec
+                .persistent_volume_claim_retention_policy,
+            ordinals: original_spec.ordinals,
+            revision_history_limit: original_spec.revision_history_limit,
+            pod_management_policy: original_spec.pod_management_policy,
+        }
+    });
+
+    StatefulSet {
+        metadata: clean_metadata(statefulset.metadata),
+        spec: clean_spec,
+        status: None,
+    }
+}
+
+fn clean_daemonset(daemonset: DaemonSet, workload_containers: &[KubeContainerInfo]) -> DaemonSet {
+    let clean_spec = daemonset.spec.map(|original_spec| {
+        let template = merge_template_containers(original_spec.template, workload_containers);
+
+        DaemonSetSpec {
+            selector: original_spec.selector,
+            template,
+            update_strategy: original_spec.update_strategy,
+            min_ready_seconds: original_spec.min_ready_seconds,
+            revision_history_limit: original_spec.revision_history_limit,
+        }
+    });
+
+    DaemonSet {
+        metadata: clean_metadata(daemonset.metadata),
+        spec: clean_spec,
+        status: None,
+    }
+}
+
+fn clean_replicaset(
+    replicaset: ReplicaSet,
+    workload_containers: &[KubeContainerInfo],
+) -> ReplicaSet {
+    let clean_spec = replicaset.spec.map(|original_spec| {
+        let template = original_spec
+            .template
+            .map(|t| merge_template_containers(t, workload_containers));
+
+        ReplicaSetSpec {
+            replicas: original_spec.replicas,
+            selector: original_spec.selector,
+            template,
+            min_ready_seconds: original_spec.min_ready_seconds,
+        }
+    });
+
+    ReplicaSet {
+        metadata: clean_metadata(replicaset.metadata),
+        spec: clean_spec,
+        status: None,
+    }
+}
+
+fn clean_pod(pod: Pod, workload_containers: &[KubeContainerInfo]) -> Pod {
+    let clean_spec = pod.spec.map(|original_spec| {
+        let merged_containers = merge_containers(original_spec.containers, workload_containers);
+
+        PodSpec {
+            active_deadline_seconds: original_spec.active_deadline_seconds,
+            containers: merged_containers,
+            init_containers: original_spec.init_containers,
+            ephemeral_containers: original_spec.ephemeral_containers,
+            volumes: original_spec.volumes,
+            restart_policy: original_spec.restart_policy,
+            termination_grace_period_seconds: original_spec.termination_grace_period_seconds,
+            dns_policy: original_spec.dns_policy,
+            dns_config: original_spec.dns_config,
+            node_selector: original_spec.node_selector,
+            service_account_name: None,
+            service_account: None,
+            automount_service_account_token: None,
+            security_context: original_spec.security_context,
+            image_pull_secrets: original_spec.image_pull_secrets,
+            affinity: original_spec.affinity,
+            tolerations: original_spec.tolerations,
+            topology_spread_constraints: original_spec.topology_spread_constraints,
+            priority_class_name: original_spec.priority_class_name,
+            priority: original_spec.priority,
+            preemption_policy: original_spec.preemption_policy,
+            overhead: original_spec.overhead,
+            enable_service_links: original_spec.enable_service_links,
+            os: original_spec.os,
+            host_users: original_spec.host_users,
+            scheduling_gates: original_spec.scheduling_gates,
+            resource_claims: original_spec.resource_claims,
+            ..Default::default()
+        }
+    });
+
+    Pod {
+        metadata: clean_metadata(pod.metadata),
+        spec: clean_spec,
+        status: None,
+    }
+}
+
+fn clean_job(job: Job, workload_containers: &[KubeContainerInfo]) -> Job {
+    let clean_spec = job.spec.map(|original_spec| {
+        let template = merge_template_containers(original_spec.template, workload_containers);
+
+        JobSpec {
+            template,
+            parallelism: original_spec.parallelism,
+            completions: original_spec.completions,
+            completion_mode: original_spec.completion_mode,
+            active_deadline_seconds: original_spec.active_deadline_seconds,
+            backoff_limit: original_spec.backoff_limit,
+            backoff_limit_per_index: original_spec.backoff_limit_per_index,
+            max_failed_indexes: original_spec.max_failed_indexes,
+            selector: original_spec.selector,
+            manual_selector: original_spec.manual_selector,
+            ttl_seconds_after_finished: original_spec.ttl_seconds_after_finished,
+            suspend: original_spec.suspend,
+            pod_failure_policy: original_spec.pod_failure_policy,
+            pod_replacement_policy: original_spec.pod_replacement_policy,
+            managed_by: original_spec.managed_by,
+            success_policy: original_spec.success_policy,
+        }
+    });
+
+    Job {
+        metadata: clean_metadata(job.metadata),
+        spec: clean_spec,
+        status: None,
+    }
+}
+
+fn clean_cronjob(cronjob: CronJob, workload_containers: &[KubeContainerInfo]) -> CronJob {
+    let clean_spec = cronjob.spec.map(|original_spec| {
+        let mut job_template = original_spec.job_template;
+        if let Some(job_spec) = &mut job_template.spec {
+            job_spec.template =
+                merge_template_containers(job_spec.template.clone(), workload_containers);
+        }
+
+        CronJobSpec {
+            schedule: original_spec.schedule,
+            time_zone: original_spec.time_zone,
+            starting_deadline_seconds: original_spec.starting_deadline_seconds,
+            concurrency_policy: original_spec.concurrency_policy,
+            suspend: original_spec.suspend,
+            job_template,
+            successful_jobs_history_limit: original_spec.successful_jobs_history_limit,
+            failed_jobs_history_limit: original_spec.failed_jobs_history_limit,
+        }
+    });
+
+    CronJob {
+        metadata: clean_metadata(cronjob.metadata),
+        spec: clean_spec,
+        status: None,
+    }
+}
+
+fn merge_template_containers(
+    template: PodTemplateSpec,
+    workload_containers: &[KubeContainerInfo],
+) -> PodTemplateSpec {
+    let pod_spec = template.spec.map(|original_pod_spec| {
+        let mut new_spec = original_pod_spec;
+        let merged_containers = merge_containers(new_spec.containers, workload_containers);
+        new_spec.containers = merged_containers;
+        new_spec.service_account_name = None;
+        new_spec.service_account = None;
+        new_spec.automount_service_account_token = None;
+        new_spec
+    });
+
+    PodTemplateSpec {
+        spec: pod_spec,
+        ..template
+    }
+}
+
+fn merge_containers(
+    containers: Vec<Container>,
+    workload_containers: &[KubeContainerInfo],
+) -> Vec<Container> {
+    containers
+        .into_iter()
+        .map(|container| {
+            if let Some(workload_container) = workload_containers
+                .iter()
+                .find(|wc| wc.name == container.name)
+            {
+                merge_single_container(container, workload_container)
+            } else {
+                container
+            }
+        })
+        .collect()
+}
+
+fn merge_single_container(
+    container: Container,
+    workload_container: &KubeContainerInfo,
+) -> Container {
+    let mut new_container = container.clone();
+
+    match &workload_container.image {
+        KubeContainerImage::FollowOriginal => {}
+        KubeContainerImage::Custom(custom_image) => {
+            if !custom_image.is_empty() {
+                new_container.image = Some(custom_image.clone());
+            }
+        }
+    }
+
+    let mut resources = container.resources.unwrap_or_default();
+    let mut requests = resources.requests.unwrap_or_default();
+    let mut limits = resources.limits.unwrap_or_default();
+
+    if let Some(cpu_request) = &workload_container.cpu_request {
+        if !cpu_request.is_empty() {
+            requests.insert("cpu".to_string(), Quantity(cpu_request.clone()));
+        }
+    }
+    if let Some(memory_request) = &workload_container.memory_request {
+        if !memory_request.is_empty() {
+            requests.insert("memory".to_string(), Quantity(memory_request.clone()));
+        }
+    }
+
+    if let Some(cpu_limit) = &workload_container.cpu_limit {
+        if !cpu_limit.is_empty() {
+            limits.insert("cpu".to_string(), Quantity(cpu_limit.clone()));
+        }
+    }
+    if let Some(memory_limit) = &workload_container.memory_limit {
+        if !memory_limit.is_empty() {
+            limits.insert("memory".to_string(), Quantity(memory_limit.clone()));
+        }
+    }
+
+    resources.requests = if requests.is_empty() {
+        None
+    } else {
+        Some(requests)
+    };
+    resources.limits = if limits.is_empty() {
+        None
+    } else {
+        Some(limits)
+    };
+    new_container.resources = Some(resources);
+
+    let mut env_map: HashMap<String, (Option<String>, Option<EnvVarSource>)> = HashMap::new();
+
+    if let Some(original_env) = container.env {
+        for env_var in original_env {
+            env_map.insert(env_var.name.clone(), (env_var.value, env_var.value_from));
+        }
+    }
+
+    for kube_env_var in &workload_container.env_vars {
+        env_map.insert(
+            kube_env_var.name.clone(),
+            (Some(kube_env_var.value.clone()), None),
+        );
+    }
+
+    let merged_env: Vec<EnvVar> = env_map
+        .into_iter()
+        .map(|(name, (value, value_from))| EnvVar {
+            name,
+            value,
+            value_from,
+        })
+        .collect();
+
+    new_container.env = if merged_env.is_empty() {
+        None
+    } else {
+        Some(merged_env)
+    };
+
+    // Preserve defined container ports; ensure they match desired ones
+    if !workload_container.ports.is_empty() {
+        let ports: Vec<ContainerPort> = workload_container
+            .ports
+            .iter()
+            .map(|port| ContainerPort {
+                name: port.name.clone(),
+                container_port: port.container_port,
+                protocol: port.protocol.clone(),
+                ..Default::default()
+            })
+            .collect();
+        new_container.ports = Some(ports);
+    }
+
+    new_container
+}
diff --git a/crates/api/src/kube_controller/yaml_parser.rs b/crates/api/src/kube_controller/yaml_parser.rs
new file mode 100644
index 0000000..48005d2
--- /dev/null
+++ b/crates/api/src/kube_controller/yaml_parser.rs
@@ -0,0 +1,257 @@
+use std::collections::{BTreeMap, HashSet};
+
+use anyhow::anyhow;
+use k8s_openapi::api::core::v1::PodSpec;
+use k8s_openapi::api::{
+    apps::v1::{DaemonSet, Deployment, ReplicaSet, StatefulSet},
+    batch::v1::{CronJob, Job},
+    core::v1::Pod,
+};
+use lapdev_common::kube::{
+    KubeContainerImage, KubeContainerInfo, KubeContainerPort, KubeServicePort, KubeWorkloadDetails,
+    KubeWorkloadKind,
+};
+use lapdev_db::api::CachedClusterService;
+use lapdev_kube_rpc::KubeRawWorkloadYaml;
+
+pub fn build_workload_details_from_yaml(
+    raw: KubeRawWorkloadYaml,
+    services: &[CachedClusterService],
+) -> anyhow::Result<KubeWorkloadDetails> {
+    let KubeRawWorkloadYaml {
+        name,
+        namespace,
+        kind,
+        workload_yaml,
+    } = raw;
+
+    let (containers, labels) = extract_containers_and_labels(&kind, &workload_yaml)?;
+    let ports = ports_from_cached_services(&labels, services);
+
+    Ok(KubeWorkloadDetails {
+        name,
+        namespace,
+        kind,
+        containers,
+        ports,
+        workload_yaml,
+        base_workload_id: None,
+    })
+}
+
+fn extract_containers_and_labels(
+    kind: &KubeWorkloadKind,
+    workload_yaml: &str,
+) -> anyhow::Result<(Vec<KubeContainerInfo>, BTreeMap<String, String>)> {
+    match kind {
+        KubeWorkloadKind::Deployment => {
+            let deployment: Deployment = serde_yaml::from_str(workload_yaml)?;
+            let labels = deployment
+                .spec
+                .as_ref()
+                .and_then(|s| s.template.metadata.as_ref())
+                .and_then(|m| m.labels.clone())
+                .unwrap_or_default();
+            let pod_spec = deployment
+                .spec
+                .as_ref()
+                .and_then(|s| s.template.spec.as_ref())
+                .ok_or_else(|| anyhow!("Deployment missing pod spec"))?;
+            let containers = extract_pod_spec_containers(pod_spec)?;
+            Ok((containers, labels))
+        }
+        KubeWorkloadKind::StatefulSet => {
+            let statefulset: StatefulSet = serde_yaml::from_str(workload_yaml)?;
+            let labels = statefulset
+                .spec
+                .as_ref()
+                .and_then(|s| s.template.metadata.as_ref())
+                .and_then(|m| m.labels.clone())
+                .unwrap_or_default();
+            let pod_spec = statefulset
+                .spec
+                .as_ref()
+                .and_then(|s| s.template.spec.as_ref())
+                .ok_or_else(|| anyhow!("StatefulSet missing pod spec"))?;
+            let containers = extract_pod_spec_containers(pod_spec)?;
+            Ok((containers, labels))
+        }
+        KubeWorkloadKind::DaemonSet => {
+            let daemonset: DaemonSet = serde_yaml::from_str(workload_yaml)?;
+            let labels = daemonset
+                .spec
+                .as_ref()
+                .and_then(|s| s.template.metadata.as_ref())
+                .and_then(|m| m.labels.clone())
+                .unwrap_or_default();
+            let pod_spec = daemonset
+                .spec
+                .as_ref()
+                .and_then(|s| s.template.spec.as_ref())
+                .ok_or_else(|| anyhow!("DaemonSet missing pod spec"))?;
+            let containers = extract_pod_spec_containers(pod_spec)?;
+            Ok((containers, labels))
+        }
+        KubeWorkloadKind::ReplicaSet => {
+            let replicaset: ReplicaSet = serde_yaml::from_str(workload_yaml)?;
+            let labels = replicaset
+                .spec
+                .as_ref()
+                .and_then(|s| s.template.as_ref())
+                .and_then(|t| t.metadata.as_ref())
+                .and_then(|m| m.labels.clone())
+                .unwrap_or_default();
+            let pod_spec = replicaset
+                .spec
+                .as_ref()
+                .and_then(|s| s.template.as_ref())
+                .and_then(|t| t.spec.as_ref())
+                .ok_or_else(|| anyhow!("ReplicaSet missing pod spec"))?;
+            let containers = extract_pod_spec_containers(pod_spec)?;
+            Ok((containers, labels))
+        }
+        KubeWorkloadKind::Pod => {
+            let pod: Pod = serde_yaml::from_str(workload_yaml)?;
+            let labels = pod.metadata.labels.clone().unwrap_or_default();
+            let pod_spec = pod
+                .spec
+                .as_ref()
+                .ok_or_else(|| anyhow!("Pod missing spec"))?;
+            let containers = extract_pod_spec_containers(pod_spec)?;
+            Ok((containers, labels))
+        }
+        KubeWorkloadKind::Job => {
+            let job: Job = serde_yaml::from_str(workload_yaml)?;
+            let labels = job
+                .spec
+                .as_ref()
+                .and_then(|s| s.template.metadata.as_ref())
+                .and_then(|m| m.labels.clone())
+                .unwrap_or_default();
+            let pod_spec = job
+                .spec
+                .as_ref()
+                .and_then(|s| s.template.spec.as_ref())
+                .ok_or_else(|| anyhow!("Job missing pod spec"))?;
+            let containers = extract_pod_spec_containers(pod_spec)?;
+            Ok((containers, labels))
+        }
+        KubeWorkloadKind::CronJob => {
+            let cronjob: CronJob = serde_yaml::from_str(workload_yaml)?;
+            let labels = cronjob
+                .spec
+                .as_ref()
+                .and_then(|s| s.job_template.spec.as_ref())
+                .and_then(|js| js.template.metadata.as_ref())
+                .and_then(|m| m.labels.clone())
+                .unwrap_or_default();
+            let pod_spec = cronjob
+                .spec
+                .as_ref()
+                .and_then(|s| s.job_template.spec.as_ref())
+                .and_then(|js| js.template.spec.as_ref())
+                .ok_or_else(|| anyhow!("CronJob missing pod spec"))?;
+            let containers = extract_pod_spec_containers(pod_spec)?;
+            Ok((containers, labels))
+        }
+    }
+}
+
+fn extract_pod_spec_containers(pod_spec: &PodSpec) -> anyhow::Result<Vec<KubeContainerInfo>> {
+    pod_spec
+        .containers
+        .iter()
+        .map(|container| {
+            let mut cpu_request = None;
+            let mut cpu_limit = None;
+            let mut memory_request = None;
+            let mut memory_limit = None;
+
+            if let Some(resources) = &container.resources {
+                if let Some(requests) = &resources.requests {
+                    if let Some(cpu_req) = requests.get("cpu") {
+                        cpu_request = Some(cpu_req.0.clone());
+                    }
+                    if let Some(memory_req) = requests.get("memory") {
+                        memory_request = Some(memory_req.0.clone());
+                    }
+                }
+
+                if let Some(limits) = &resources.limits {
+                    if let Some(cpu_lim) = limits.get("cpu") {
+                        cpu_limit = Some(cpu_lim.0.clone());
+                    }
+                    if let Some(memory_lim) = limits.get("memory") {
+                        memory_limit = Some(memory_lim.0.clone());
+                    }
+                }
+            }
+
+            let image = container
+                .image
+                .clone()
+                .ok_or_else(|| anyhow!("Container '{}' has no image specified", container.name))?;
+
+            let ports = container
+                .ports
+                .as_ref()
+                .map(|ports| {
+                    ports
+                        .iter()
+                        .map(|port| KubeContainerPort {
+                            name: port.name.clone(),
+                            container_port: port.container_port,
+                            protocol: port.protocol.clone(),
+                        })
+                        .collect::<Vec<_>>()
+                })
+                .unwrap_or_default();
+
+            Ok(KubeContainerInfo {
+                name: container.name.clone(),
+                original_image: image.clone(),
+                image: KubeContainerImage::FollowOriginal,
+                cpu_request,
+                cpu_limit,
+                memory_request,
+                memory_limit,
+                env_vars: Vec::new(),
+                original_env_vars: Vec::new(),
+                ports,
+            })
+        })
+        .collect()
+}
+
+fn ports_from_cached_services(
+    workload_labels: &BTreeMap<String, String>,
+    services: &[CachedClusterService],
+) -> Vec<KubeServicePort> {
+    let mut seen = HashSet::new();
+    let mut ports = Vec::new();
+
+    for service in services {
+        if service.selector.is_empty() {
+            continue;
+        }
+
+        let matches = service
+            .selector
+            .iter()
+            .all(|(key, value)| workload_labels.get(key).map_or(false, |v| v == value));
+
+        if !matches {
+            continue;
+        }
+
+        for port in &service.ports {
+            let original_target = port.original_target_port.or(port.target_port);
+            let key = (port.port, original_target, port.protocol.clone());
+            if seen.insert(key) {
+                ports.push(port.clone());
+            }
+        }
+    }
+
+    ports
+}
diff --git a/lapdev-api/src/lib.rs b/crates/api/src/lib.rs
similarity index 52%
rename from lapdev-api/src/lib.rs
rename to crates/api/src/lib.rs
index a0d05bf..155fd39 100644
--- a/lapdev-api/src/lib.rs
+++ b/crates/api/src/lib.rs
@@ -1,9 +1,19 @@
 pub mod account;
 pub mod admin;
+pub mod app_catalog_events;
 pub mod auth;
 pub mod cert;
+pub mod cli_auth;
+pub mod cluster_events;
+pub mod devbox;
+pub mod devbox_auth;
+pub mod devbox_tunnels;
+pub mod environment_events;
 pub mod github;
 pub mod gitlab;
+pub mod hrpc_service;
+pub mod kube;
+pub mod kube_controller;
 pub mod machine_type;
 pub mod organization;
 pub mod prebuild;
@@ -13,4 +23,5 @@ pub mod server;
 pub mod session;
 pub mod state;
 pub mod websocket;
+pub mod websocket_socket;
 pub mod workspace;
diff --git a/lapdev-api/src/machine_type.rs b/crates/api/src/machine_type.rs
similarity index 90%
rename from lapdev-api/src/machine_type.rs
rename to crates/api/src/machine_type.rs
index 6a630f7..08b33e7 100644
--- a/lapdev-api/src/machine_type.rs
+++ b/crates/api/src/machine_type.rs
@@ -1,3 +1,5 @@
+use std::sync::Arc;
+
 use axum::{
     extract::{Path, State},
     response::{IntoResponse, Response},
@@ -7,14 +9,13 @@ use axum_extra::{headers::Cookie, TypedHeader};
 use chrono::Utc;
 use hyper::StatusCode;
 use lapdev_common::{CreateMachineType, MachineType, UpdateMachineType};
-use lapdev_db::entities;
 use lapdev_rpc::error::ApiError;
 use sea_orm::{ActiveModelTrait, ActiveValue};
 use uuid::Uuid;
 
 use crate::state::CoreState;
 
-pub async fn all_machine_types(State(state): State<CoreState>) -> Result<Response, ApiError> {
+pub async fn all_machine_types(State(state): State<Arc<CoreState>>) -> Result<Response, ApiError> {
     let machine_types = state.db.get_all_machine_types().await?;
     let machine_types: Vec<MachineType> = machine_types
         .into_iter()
@@ -33,7 +34,7 @@ pub async fn all_machine_types(State(state): State<CoreState>) -> Result<Respons
 
 pub async fn create_machine_type(
     TypedHeader(cookie): TypedHeader<Cookie>,
-    State(state): State<CoreState>,
+    State(state): State<Arc<CoreState>>,
     Json(create_machine_type): Json<CreateMachineType>,
 ) -> Result<Json<MachineType>, ApiError> {
     state.authenticate_cluster_admin(&cookie).await?;
@@ -55,7 +56,7 @@ pub async fn create_machine_type(
         false
     };
 
-    let machine_type = entities::machine_type::ActiveModel {
+    let machine_type = lapdev_db_entities::machine_type::ActiveModel {
         id: ActiveValue::Set(Uuid::new_v4()),
         deleted_at: ActiveValue::Set(None),
         name: ActiveValue::Set(create_machine_type.name),
@@ -82,12 +83,12 @@ pub async fn create_machine_type(
 pub async fn update_machine_type(
     TypedHeader(cookie): TypedHeader<Cookie>,
     Path(machine_type_id): Path<Uuid>,
-    State(state): State<CoreState>,
+    State(state): State<Arc<CoreState>>,
     Json(update_machine_type): Json<UpdateMachineType>,
 ) -> Result<Json<MachineType>, ApiError> {
     state.authenticate_cluster_admin(&cookie).await?;
 
-    let machine_type = entities::machine_type::ActiveModel {
+    let machine_type = lapdev_db_entities::machine_type::ActiveModel {
         id: ActiveValue::Set(machine_type_id),
         name: ActiveValue::Set(update_machine_type.name),
         cost_per_second: ActiveValue::Set(update_machine_type.cost_per_second as i32),
@@ -110,7 +111,7 @@ pub async fn update_machine_type(
 pub async fn delete_machine_type(
     TypedHeader(cookie): TypedHeader<Cookie>,
     Path(machine_type_id): Path<Uuid>,
-    State(state): State<CoreState>,
+    State(state): State<Arc<CoreState>>,
 ) -> Result<Response, ApiError> {
     state.authenticate_cluster_admin(&cookie).await?;
 
@@ -121,7 +122,7 @@ pub async fn delete_machine_type(
         ));
     }
 
-    entities::machine_type::ActiveModel {
+    lapdev_db_entities::machine_type::ActiveModel {
         id: ActiveValue::Set(machine_type_id),
         deleted_at: ActiveValue::Set(Some(Utc::now().into())),
         ..Default::default()
diff --git a/lapdev-api/src/organization.rs b/crates/api/src/organization.rs
similarity index 90%
rename from lapdev-api/src/organization.rs
rename to crates/api/src/organization.rs
index 4453bbd..72fc597 100644
--- a/lapdev-api/src/organization.rs
+++ b/crates/api/src/organization.rs
@@ -1,4 +1,4 @@
-use std::{str::FromStr, time::Duration};
+use std::{str::FromStr, sync::Arc, time::Duration};
 
 use axum::{
     extract::{Path, Query, State},
@@ -14,7 +14,6 @@ use lapdev_common::{
     UpdateOrgQuota, UpdateOrganizationAutoStartStop, UpdateOrganizationMember,
     UpdateOrganizationName, UsageRequest, UsageResult, UserRole,
 };
-use lapdev_db::entities;
 use lapdev_rpc::error::ApiError;
 use sea_orm::{
     ActiveModelTrait, ActiveValue, ColumnTrait, EntityTrait, QueryFilter, TransactionTrait,
@@ -25,7 +24,7 @@ use crate::state::{CoreState, RequestInfo};
 
 pub async fn create_organization(
     TypedHeader(cookie): TypedHeader<Cookie>,
-    State(state): State<CoreState>,
+    State(state): State<Arc<CoreState>>,
     info: RequestInfo,
     Json(org): Json<NewOrganization>,
 ) -> Result<Response, ApiError> {
@@ -45,7 +44,7 @@ pub async fn create_organization(
         .create_new_organization(&txn, name.to_string())
         .await?;
 
-    entities::organization_member::ActiveModel {
+    lapdev_db_entities::organization_member::ActiveModel {
         created_at: ActiveValue::Set(Utc::now().into()),
         user_id: ActiveValue::Set(user.id),
         organization_id: ActiveValue::Set(org.id),
@@ -55,7 +54,7 @@ pub async fn create_organization(
     .insert(&txn)
     .await?;
 
-    entities::user::ActiveModel {
+    lapdev_db_entities::user::ActiveModel {
         id: ActiveValue::Set(user.id),
         current_organization: ActiveValue::Set(org.id),
         ..Default::default()
@@ -97,7 +96,7 @@ pub async fn create_organization(
 pub async fn delete_organization(
     TypedHeader(cookie): TypedHeader<Cookie>,
     Path(org_id): Path<Uuid>,
-    State(state): State<CoreState>,
+    State(state): State<Arc<CoreState>>,
     info: RequestInfo,
 ) -> Result<Response, ApiError> {
     let user = state.authenticate(&cookie).await?;
@@ -121,7 +120,7 @@ pub async fn delete_organization(
     let now = Utc::now();
     let txn = state.db.conn.begin().await?;
 
-    entities::organization_member::ActiveModel {
+    lapdev_db_entities::organization_member::ActiveModel {
         id: ActiveValue::Set(member.id),
         deleted_at: ActiveValue::Set(Some(now.into())),
         ..Default::default()
@@ -129,7 +128,7 @@ pub async fn delete_organization(
     .update(&txn)
     .await?;
 
-    entities::organization::ActiveModel {
+    lapdev_db_entities::organization::ActiveModel {
         id: ActiveValue::Set(org.id),
         deleted_at: ActiveValue::Set(Some(now.into())),
         ..Default::default()
@@ -162,7 +161,7 @@ pub async fn delete_organization(
 pub async fn update_org_name(
     TypedHeader(cookie): TypedHeader<Cookie>,
     Path(org_id): Path<Uuid>,
-    State(state): State<CoreState>,
+    State(state): State<Arc<CoreState>>,
     info: RequestInfo,
     Json(update_org): Json<UpdateOrganizationName>,
 ) -> Result<Response, ApiError> {
@@ -180,7 +179,7 @@ pub async fn update_org_name(
     let now = Utc::now();
     let txn = state.db.conn.begin().await?;
 
-    entities::organization::ActiveModel {
+    lapdev_db_entities::organization::ActiveModel {
         id: ActiveValue::Set(org_id),
         name: ActiveValue::Set(update_org.name),
         ..Default::default()
@@ -213,7 +212,7 @@ pub async fn update_org_name(
 pub async fn update_org_auto_start_stop(
     TypedHeader(cookie): TypedHeader<Cookie>,
     Path(org_id): Path<Uuid>,
-    State(state): State<CoreState>,
+    State(state): State<Arc<CoreState>>,
     info: RequestInfo,
     Json(update_org): Json<UpdateOrganizationAutoStartStop>,
 ) -> Result<Response, ApiError> {
@@ -232,7 +231,7 @@ pub async fn update_org_auto_start_stop(
     let now = Utc::now();
     let txn = state.db.conn.begin().await?;
 
-    entities::organization::ActiveModel {
+    lapdev_db_entities::organization::ActiveModel {
         id: ActiveValue::Set(org_id),
         auto_start: ActiveValue::Set(update_org.auto_start),
         auto_stop: ActiveValue::Set(update_org.auto_stop),
@@ -272,14 +271,14 @@ pub async fn update_org_auto_start_stop(
 pub async fn join_organization(
     TypedHeader(cookie): TypedHeader<Cookie>,
     Path(invitation_id): Path<Uuid>,
-    State(state): State<CoreState>,
+    State(state): State<Arc<CoreState>>,
     info: RequestInfo,
 ) -> Result<Response, ApiError> {
     let user = state.authenticate(&cookie).await?;
 
-    let invitation = entities::user_invitation::Entity::find()
-        .filter(entities::user_invitation::Column::Id.eq(invitation_id))
-        .filter(entities::user_invitation::Column::UsedAt.is_null())
+    let invitation = lapdev_db_entities::user_invitation::Entity::find()
+        .filter(lapdev_db_entities::user_invitation::Column::Id.eq(invitation_id))
+        .filter(lapdev_db_entities::user_invitation::Column::UsedAt.is_null())
         .one(&state.db.conn)
         .await?
         .ok_or_else(|| ApiError::InvalidRequest("invitation id is invalid".to_string()))?;
@@ -290,10 +289,10 @@ pub async fn join_organization(
     }
 
     let org_id = invitation.organization_id;
-    let member = entities::organization_member::Entity::find()
-        .filter(entities::organization_member::Column::UserId.eq(user.id))
-        .filter(entities::organization_member::Column::OrganizationId.eq(org_id))
-        .filter(entities::organization_member::Column::DeletedAt.is_null())
+    let member = lapdev_db_entities::organization_member::Entity::find()
+        .filter(lapdev_db_entities::organization_member::Column::UserId.eq(user.id))
+        .filter(lapdev_db_entities::organization_member::Column::OrganizationId.eq(org_id))
+        .filter(lapdev_db_entities::organization_member::Column::DeletedAt.is_null())
         .one(&state.db.conn)
         .await?;
     if member.is_some() {
@@ -304,7 +303,7 @@ pub async fn join_organization(
 
     let now = Utc::now();
     let txn = state.db.conn.begin().await?;
-    entities::organization_member::ActiveModel {
+    lapdev_db_entities::organization_member::ActiveModel {
         created_at: ActiveValue::Set(now.into()),
         user_id: ActiveValue::Set(user.id),
         organization_id: ActiveValue::Set(org_id),
@@ -314,7 +313,7 @@ pub async fn join_organization(
     .insert(&txn)
     .await?;
 
-    entities::user::ActiveModel {
+    lapdev_db_entities::user::ActiveModel {
         id: ActiveValue::Set(user.id),
         current_organization: ActiveValue::Set(org_id),
         ..Default::default()
@@ -322,7 +321,7 @@ pub async fn join_organization(
     .update(&txn)
     .await?;
 
-    entities::user_invitation::ActiveModel {
+    lapdev_db_entities::user_invitation::ActiveModel {
         id: ActiveValue::Set(invitation_id),
         used_at: ActiveValue::Set(Some(now.into())),
         ..Default::default()
@@ -354,7 +353,7 @@ pub async fn join_organization(
 pub async fn get_organization_members(
     TypedHeader(cookie): TypedHeader<Cookie>,
     Path(org_id): Path<Uuid>,
-    State(state): State<CoreState>,
+    State(state): State<Arc<CoreState>>,
 ) -> Result<Json<Vec<OrganizationMember>>, ApiError> {
     let user = state.authenticate(&cookie).await?;
     let member = state
@@ -389,7 +388,7 @@ pub async fn get_organization_members(
 pub async fn update_organization_member(
     TypedHeader(cookie): TypedHeader<Cookie>,
     Path((org_id, member_user_id)): Path<(Uuid, Uuid)>,
-    State(state): State<CoreState>,
+    State(state): State<Arc<CoreState>>,
     info: RequestInfo,
     Json(update_org_member): Json<UpdateOrganizationMember>,
 ) -> Result<Json<OrganizationMember>, ApiError> {
@@ -421,7 +420,7 @@ pub async fn update_organization_member(
     let now = Utc::now();
     let txn = state.db.conn.begin().await?;
 
-    let member = entities::organization_member::ActiveModel {
+    let member = lapdev_db_entities::organization_member::ActiveModel {
         id: ActiveValue::Set(member.id),
         role: ActiveValue::Set(update_org_member.role.to_string()),
         ..Default::default()
@@ -459,7 +458,7 @@ pub async fn update_organization_member(
 pub async fn delete_organization_member(
     TypedHeader(cookie): TypedHeader<Cookie>,
     Path((org_id, member_user_id)): Path<(Uuid, Uuid)>,
-    State(state): State<CoreState>,
+    State(state): State<Arc<CoreState>>,
     info: RequestInfo,
 ) -> Result<Response, ApiError> {
     let user = state.authenticate(&cookie).await?;
@@ -487,7 +486,7 @@ pub async fn delete_organization_member(
     let now = Utc::now();
     let txn = state.db.conn.begin().await?;
 
-    entities::organization_member::ActiveModel {
+    lapdev_db_entities::organization_member::ActiveModel {
         id: ActiveValue::Set(member.id),
         deleted_at: ActiveValue::Set(Some(now.into())),
         ..Default::default()
@@ -519,7 +518,7 @@ pub async fn delete_organization_member(
 pub async fn create_user_invitation(
     TypedHeader(cookie): TypedHeader<Cookie>,
     Path(org_id): Path<Uuid>,
-    State(state): State<CoreState>,
+    State(state): State<Arc<CoreState>>,
 ) -> Result<String, ApiError> {
     let user = state.authenticate(&cookie).await?;
     let member = state
@@ -533,7 +532,7 @@ pub async fn create_user_invitation(
     let org = state.db.get_organization(member.organization_id).await?;
 
     let now = Utc::now();
-    let invitation = entities::user_invitation::ActiveModel {
+    let invitation = lapdev_db_entities::user_invitation::ActiveModel {
         id: ActiveValue::Set(Uuid::new_v4()),
         created_at: ActiveValue::Set(now.into()),
         expires_at: ActiveValue::Set((now + Duration::from_secs(1800)).into()),
@@ -549,7 +548,7 @@ pub async fn create_user_invitation(
 pub async fn get_organization_usage(
     TypedHeader(cookie): TypedHeader<Cookie>,
     Path(org_id): Path<Uuid>,
-    State(state): State<CoreState>,
+    State(state): State<Arc<CoreState>>,
     Query(usage_request): Query<UsageRequest>,
 ) -> Result<Json<UsageResult>, ApiError> {
     state.require_enterprise().await?;
@@ -584,7 +583,7 @@ pub async fn get_organization_usage(
 pub async fn get_organization_audit_log(
     TypedHeader(cookie): TypedHeader<Cookie>,
     Path(org_id): Path<Uuid>,
-    State(state): State<CoreState>,
+    State(state): State<Arc<CoreState>>,
     Query(audit_log_request): Query<AuditLogRequest>,
 ) -> Result<Json<AuditLogResult>, ApiError> {
     state.require_enterprise().await?;
@@ -617,7 +616,7 @@ pub async fn get_organization_audit_log(
 pub async fn get_organization_quota(
     TypedHeader(cookie): TypedHeader<Cookie>,
     Path(org_id): Path<Uuid>,
-    State(state): State<CoreState>,
+    State(state): State<Arc<CoreState>>,
 ) -> Result<Json<OrgQuota>, ApiError> {
     state.require_enterprise().await?;
     let user = state.authenticate(&cookie).await?;
@@ -644,7 +643,7 @@ pub async fn get_organization_quota(
 pub async fn update_organization_quota(
     TypedHeader(cookie): TypedHeader<Cookie>,
     Path(org_id): Path<Uuid>,
-    State(state): State<CoreState>,
+    State(state): State<Arc<CoreState>>,
     info: RequestInfo,
     Json(update_quota): Json<UpdateOrgQuota>,
 ) -> Result<StatusCode, ApiError> {
@@ -703,14 +702,14 @@ pub async fn update_organization_quota(
 pub async fn clear_organization(
     TypedHeader(cookie): TypedHeader<Cookie>,
     Path(org_id): Path<Uuid>,
-    State(state): State<CoreState>,
+    State(state): State<Arc<CoreState>>,
 ) -> Result<StatusCode, ApiError> {
     state.authenticate_cluster_admin(&cookie).await?;
     state.db.get_organization(org_id).await?;
 
-    let models = entities::workspace::Entity::find()
-        .filter(entities::workspace::Column::OrganizationId.eq(org_id))
-        .filter(entities::workspace::Column::DeletedAt.is_null())
+    let models = lapdev_db_entities::workspace::Entity::find()
+        .filter(lapdev_db_entities::workspace::Column::OrganizationId.eq(org_id))
+        .filter(lapdev_db_entities::workspace::Column::DeletedAt.is_null())
         .all(&state.db.conn)
         .await?;
 
diff --git a/lapdev-api/src/prebuild.rs b/crates/api/src/prebuild.rs
similarity index 100%
rename from lapdev-api/src/prebuild.rs
rename to crates/api/src/prebuild.rs
diff --git a/lapdev-api/src/project.rs b/crates/api/src/project.rs
similarity index 94%
rename from lapdev-api/src/project.rs
rename to crates/api/src/project.rs
index 650441d..cf7059a 100644
--- a/lapdev-api/src/project.rs
+++ b/crates/api/src/project.rs
@@ -1,4 +1,4 @@
-use std::str::FromStr;
+use std::{str::FromStr, sync::Arc};
 
 use axum::{
     extract::{Path, State},
@@ -12,7 +12,6 @@ use lapdev_common::{
     AuditAction, AuditResourceKind, NewProject, NewProjectPrebuild, PrebuildStatus, ProjectInfo,
     ProjectPrebuild, UserRole,
 };
-use lapdev_db::entities;
 use lapdev_rpc::error::ApiError;
 use sea_orm::{ActiveModelTrait, ActiveValue, TransactionTrait};
 use uuid::Uuid;
@@ -22,7 +21,7 @@ use crate::state::{CoreState, RequestInfo};
 pub async fn create_project(
     TypedHeader(cookie): TypedHeader<Cookie>,
     Path(org_id): Path<Uuid>,
-    State(state): State<CoreState>,
+    State(state): State<Arc<CoreState>>,
     info: RequestInfo,
     Json(project): Json<NewProject>,
 ) -> Result<Response, ApiError> {
@@ -44,7 +43,7 @@ pub async fn create_project(
 }
 
 pub async fn all_projects(
-    State(state): State<CoreState>,
+    State(state): State<Arc<CoreState>>,
     Path(org_id): Path<Uuid>,
     TypedHeader(cookie): TypedHeader<Cookie>,
 ) -> Result<Response, ApiError> {
@@ -72,7 +71,7 @@ pub async fn all_projects(
 pub async fn get_project(
     TypedHeader(cookie): TypedHeader<Cookie>,
     Path((org_id, project_id)): Path<(Uuid, Uuid)>,
-    State(state): State<CoreState>,
+    State(state): State<Arc<CoreState>>,
 ) -> Result<Json<ProjectInfo>, ApiError> {
     let (_, project) = state.get_project(&cookie, org_id, project_id).await?;
 
@@ -90,7 +89,7 @@ pub async fn get_project(
 pub async fn delete_project(
     TypedHeader(cookie): TypedHeader<Cookie>,
     Path((org_id, project_id)): Path<(Uuid, Uuid)>,
-    State(state): State<CoreState>,
+    State(state): State<Arc<CoreState>>,
     info: RequestInfo,
 ) -> Result<Response, ApiError> {
     let (user, project) = state.get_project(&cookie, org_id, project_id).await?;
@@ -118,7 +117,7 @@ pub async fn delete_project(
 pub async fn get_project_branches(
     TypedHeader(cookie): TypedHeader<Cookie>,
     Path((org_id, project_id)): Path<(Uuid, Uuid)>,
-    State(state): State<CoreState>,
+    State(state): State<Arc<CoreState>>,
 ) -> Result<Response, ApiError> {
     let (user, project) = state.get_project(&cookie, org_id, project_id).await?;
     let auth = if let Ok(Some(oauth)) = state.db.get_oauth(project.oauth_id).await {
@@ -137,7 +136,7 @@ pub async fn get_project_branches(
 pub async fn get_project_prebuilds(
     TypedHeader(cookie): TypedHeader<Cookie>,
     Path((org_id, project_id)): Path<(Uuid, Uuid)>,
-    State(state): State<CoreState>,
+    State(state): State<Arc<CoreState>>,
 ) -> Result<Response, ApiError> {
     let (_, project) = state.get_project(&cookie, org_id, project_id).await?;
     let prebuilds = state.db.get_prebuilds(project.id).await?;
@@ -160,7 +159,7 @@ pub async fn get_project_prebuilds(
 pub async fn create_project_prebuild(
     TypedHeader(cookie): TypedHeader<Cookie>,
     Path((org_id, project_id)): Path<(Uuid, Uuid)>,
-    State(state): State<CoreState>,
+    State(state): State<Arc<CoreState>>,
     info: RequestInfo,
     Json(prebuild): Json<NewProjectPrebuild>,
 ) -> Result<Response, ApiError> {
@@ -190,7 +189,7 @@ pub async fn create_project_prebuild(
 pub async fn delete_project_prebuild(
     TypedHeader(cookie): TypedHeader<Cookie>,
     Path((org_id, project_id, prebuild_id)): Path<(Uuid, Uuid, Uuid)>,
-    State(state): State<CoreState>,
+    State(state): State<Arc<CoreState>>,
     info: RequestInfo,
 ) -> Result<Response, ApiError> {
     let (user, project) = state.get_project(&cookie, org_id, project_id).await?;
@@ -219,7 +218,7 @@ pub async fn delete_project_prebuild(
 pub async fn update_project_machine_type(
     TypedHeader(cookie): TypedHeader<Cookie>,
     Path((org_id, project_id, machine_type_id)): Path<(Uuid, Uuid, Uuid)>,
-    State(state): State<CoreState>,
+    State(state): State<Arc<CoreState>>,
     info: RequestInfo,
 ) -> Result<Response, ApiError> {
     let (user, project) = state.get_project(&cookie, org_id, project_id).await?;
@@ -243,7 +242,7 @@ pub async fn update_project_machine_type(
         .ok_or_else(|| ApiError::InvalidRequest("Machine type doesn't exist".to_string()))?;
 
     let txn = state.db.conn.begin().await?;
-    entities::project::ActiveModel {
+    lapdev_db_entities::project::ActiveModel {
         id: ActiveValue::Set(project.id),
         machine_type_id: ActiveValue::Set(machine_type.id),
         ..Default::default()
@@ -274,7 +273,7 @@ pub async fn update_project_machine_type(
 pub async fn get_project_env(
     TypedHeader(cookie): TypedHeader<Cookie>,
     Path((org_id, project_id)): Path<(Uuid, Uuid)>,
-    State(state): State<CoreState>,
+    State(state): State<Arc<CoreState>>,
 ) -> Result<Json<Vec<(String, String)>>, ApiError> {
     let (user, project) = state.get_project(&cookie, org_id, project_id).await?;
     state
@@ -292,7 +291,7 @@ pub async fn get_project_env(
 pub async fn update_project_env(
     TypedHeader(cookie): TypedHeader<Cookie>,
     Path((org_id, project_id)): Path<(Uuid, Uuid)>,
-    State(state): State<CoreState>,
+    State(state): State<Arc<CoreState>>,
     info: RequestInfo,
     Json(envs): Json<Vec<(String, String)>>,
 ) -> Result<Response, ApiError> {
@@ -314,7 +313,7 @@ pub async fn update_project_env(
     let env = serde_json::to_string(&envs)?;
 
     let txn = state.db.conn.begin().await?;
-    entities::project::ActiveModel {
+    lapdev_db_entities::project::ActiveModel {
         id: ActiveValue::Set(project.id),
         env: ActiveValue::Set(Some(env)),
         ..Default::default()
diff --git a/crates/api/src/router.rs b/crates/api/src/router.rs
new file mode 100644
index 0000000..66d128f
--- /dev/null
+++ b/crates/api/src/router.rs
@@ -0,0 +1,749 @@
+use std::sync::Arc;
+
+use axum::{
+    debug_handler,
+    extract::{FromRequestParts, Query, Request, State, WebSocketUpgrade},
+    middleware::{self, Next},
+    response::{IntoResponse, Response},
+    routing::{any, delete, get, post, put},
+    Json, Router,
+};
+use axum_client_ip::ClientIpSource;
+use axum_extra::{extract::Host, headers, TypedHeader};
+use hyper::StatusCode;
+use lapdev_api_hrpc::{HrpcService, HrpcServiceResponse};
+use lapdev_common::{error_page::render_error_page, WorkspaceStatus};
+use lapdev_proxy_http::{forward::ProxyForward, proxy::WorkspaceForwardError};
+use lapdev_rpc::error::ApiError;
+use serde::Deserialize;
+
+use crate::{
+    account, admin, app_catalog_events, cli_auth, cluster_events,
+    devbox::{
+        devbox_client_tunnel_websocket, devbox_intercept_tunnel_websocket, devbox_rpc_websocket,
+        devbox_whoami,
+    },
+    environment_events,
+    kube::{
+        devbox_proxy_tunnel_websocket, kube_cluster_rpc_websocket, kube_data_plane_websocket,
+        sidecar_tunnel_websocket,
+    },
+    kube_controller::container_images,
+    machine_type, organization, project,
+    session::{logout, new_session, session_authorize},
+    state::CoreState,
+    websocket::handle_websocket,
+    workspace,
+};
+
+static STATIC_DIR: include_dir::Dir =
+    include_dir::include_dir!("$CARGO_MANIFEST_DIR/../dashboard/dist");
+
+fn preview_error_response(message: impl Into<String>) -> axum::response::Html<String> {
+    let message = message.into();
+    axum::response::Html(render_error_page(&message))
+}
+
+fn private_routes() -> Router<Arc<CoreState>> {
+    Router::new()
+        .route("/session", get(new_session))
+        .route("/session", delete(logout))
+        .route("/session/authorize", get(session_authorize))
+        .route("/me", get(account::me))
+        .route(
+            "/me/organization/{org_id}",
+            put(account::set_current_organization),
+        )
+}
+
+async fn not_found() -> impl IntoResponse {
+    StatusCode::NOT_FOUND
+}
+
+fn v1_api_routes() -> Router<Arc<CoreState>> {
+    Router::new()
+        .route("/", any(not_found))
+        .route("/{*wildcard}", any(not_found))
+        .route("/cluster_info", get(admin::get_cluster_info))
+        .route("/auth_providers", get(admin::get_auth_providers))
+        .route("/hostnames", get(admin::get_hostnames))
+        .route("/machine_types", get(machine_type::all_machine_types))
+        // CLI authentication endpoints
+        .route(
+            "/auth/cli/generate-token",
+            post(cli_auth::generate_cli_token),
+        )
+        .route("/auth/cli/token", get(cli_auth::cli_token_poll))
+        .route("/devbox/whoami", get(devbox_whoami))
+        .route(
+            "/join/{invitation_id}",
+            put(organization::join_organization),
+        )
+        .route("/kube/cluster/rpc", any(kube_cluster_rpc_websocket))
+        .route("/kube/cluster/tunnel", any(kube_data_plane_websocket))
+        .route("/kube/devbox/rpc", any(devbox_rpc_websocket))
+        .route(
+            "/kube/devbox/tunnel/intercept/{user_id}",
+            any(devbox_intercept_tunnel_websocket),
+        )
+        .route(
+            "/kube/devbox/tunnel/client/{user_id}",
+            any(devbox_client_tunnel_websocket),
+        )
+        .route(
+            "/kube/sidecar/tunnel/{environment_id}/{workload_id}",
+            any(sidecar_tunnel_websocket),
+        )
+        .route(
+            "/kube/devbox-proxy/tunnel/{environment_id}",
+            any(devbox_proxy_tunnel_websocket),
+        )
+        .route("/organizations", post(organization::create_organization))
+        .route(
+            "/organizations/{org_id}",
+            delete(organization::delete_organization),
+        )
+        .route(
+            "/organizations/{org_id}/name",
+            put(organization::update_org_name),
+        )
+        .route(
+            "/organizations/{org_id}/auto_start_stop",
+            put(organization::update_org_auto_start_stop),
+        )
+        .route(
+            "/organizations/{org_id}/members",
+            get(organization::get_organization_members),
+        )
+        .route(
+            "/organizations/{org_id}/members/{user_id}",
+            put(organization::update_organization_member),
+        )
+        .route(
+            "/organizations/{org_id}/members/{user_id}",
+            delete(organization::delete_organization_member),
+        )
+        .route(
+            "/organizations/{org_id}/invitations",
+            post(organization::create_user_invitation),
+        )
+        .route(
+            "/organizations/{org_id}/usage",
+            get(organization::get_organization_usage),
+        )
+        .route(
+            "/organizations/{org_id}/audit_logs",
+            get(organization::get_organization_audit_log),
+        )
+        .route(
+            "/organizations/{org_id}/quota",
+            get(organization::get_organization_quota),
+        )
+        .route(
+            "/organizations/{org_id}/quota",
+            put(organization::update_organization_quota),
+        )
+        .route(
+            "/organizations/{org_id}/kube/environments/{environment_id}/events",
+            get(environment_events::stream_environment_events),
+        )
+        .route(
+            "/organizations/{org_id}/kube/environments/{environment_id}/workloads/events",
+            get(environment_events::stream_environment_workload_events),
+        )
+        .route(
+            "/organizations/{org_id}/kube/environments/events",
+            get(environment_events::stream_organization_environment_events),
+        )
+        .route(
+            "/organizations/{org_id}/kube/clusters/{cluster_id}/events",
+            get(cluster_events::stream_cluster_status_events),
+        )
+        .route(
+            "/organizations/{org_id}/kube/clusters/events",
+            get(cluster_events::stream_organization_cluster_status_events),
+        )
+        .route(
+            "/organizations/{org_id}/kube/catalogs/{catalog_id}/events",
+            get(app_catalog_events::stream_app_catalog_events),
+        )
+        .route(
+            "/organizations/{org_id}/kube/catalogs/events",
+            get(app_catalog_events::stream_organization_app_catalog_events),
+        )
+        .route(
+            "/organizations/{org_id}/projects",
+            post(project::create_project),
+        )
+        .route(
+            "/organizations/{org_id}/projects",
+            get(project::all_projects),
+        )
+        .route(
+            "/organizations/{org_id}/projects/{project_id}",
+            get(project::get_project),
+        )
+        .route(
+            "/organizations/{org_id}/projects/{project_id}",
+            delete(project::delete_project),
+        )
+        .route(
+            "/organizations/{org_id}/projects/{project_id}/branches",
+            get(project::get_project_branches),
+        )
+        .route(
+            "/organizations/{org_id}/projects/{project_id}/prebuilds",
+            get(project::get_project_prebuilds),
+        )
+        .route(
+            "/organizations/{org_id}/projects/{project_id}/prebuilds",
+            post(project::create_project_prebuild),
+        )
+        .route(
+            "/organizations/{org_id}/projects/{project_id}/prebuilds/{prebuild_id}",
+            delete(project::delete_project_prebuild),
+        )
+        .route(
+            "/organizations/{org_id}/projects/{project_id}/machine_type/{machine_type_id}",
+            put(project::update_project_machine_type),
+        )
+        .route(
+            "/organizations/{org_id}/projects/{project_id}/env",
+            get(project::get_project_env),
+        )
+        .route(
+            "/organizations/{org_id}/projects/{project_id}/env",
+            put(project::update_project_env),
+        )
+        .route(
+            "/organizations/{org_id}/workspaces",
+            post(workspace::create_workspace),
+        )
+        .route(
+            "/organizations/{org_id}/workspaces",
+            get(workspace::all_workspaces),
+        )
+        .route(
+            "/organizations/{org_id}/workspaces/{workspace_name}",
+            get(workspace::get_workspace),
+        )
+        .route(
+            "/organizations/{org_id}/workspaces/{workspace_name}",
+            delete(workspace::delete_workspace),
+        )
+        .route(
+            "/organizations/{org_id}/workspaces/{workspace_name}/start",
+            post(workspace::start_workspace),
+        )
+        .route(
+            "/organizations/{org_id}/workspaces/{workspace_name}/stop",
+            post(workspace::stop_workspace),
+        )
+        .route(
+            "/organizations/{org_id}/workspaces/{workspace_name}/pin",
+            post(workspace::pin_workspace),
+        )
+        .route(
+            "/organizations/{org_id}/workspaces/{workspace_name}/unpin",
+            post(workspace::unpin_workspace),
+        )
+        .route(
+            "/organizations/{org_id}/workspaces/{workspace_name}/rebuild",
+            post(workspace::rebuild_workspace),
+        )
+        .route(
+            "/organizations/{org_id}/workspaces/{workspace_name}/ports",
+            get(workspace::workspace_ports),
+        )
+        .route(
+            "/organizations/{org_id}/workspaces/{workspace_name}/ports/{port}",
+            put(workspace::update_workspace_port),
+        )
+        .route("/account/ssh_keys", post(account::create_ssh_key))
+        .route("/account/ssh_keys", get(account::all_ssh_keys))
+        .route(
+            "/account/ssh_keys/{key_id}",
+            delete(account::delete_ssh_key),
+        )
+        .route("/account/git_providers", get(account::get_git_providers))
+        .route(
+            "/account/git_providers/connect",
+            put(account::connect_git_provider),
+        )
+        .route(
+            "/account/git_providers/disconnect",
+            put(account::disconnect_git_provider),
+        )
+        .route(
+            "/account/git_providers/update_scope",
+            put(account::update_scope),
+        )
+        .route("/admin/workspace_hosts", get(admin::get_workspace_hosts))
+        .route("/admin/workspace_hosts", post(admin::create_workspace_host))
+        .route(
+            "/admin/workspace_hosts/{workspace_host_id}",
+            put(admin::update_workspace_host),
+        )
+        .route(
+            "/admin/workspace_hosts/{workspace_host_id}",
+            delete(admin::delete_workspace_host),
+        )
+        .route("/admin/license", get(admin::get_license))
+        .route("/admin/license", put(admin::update_license))
+        .route("/admin/new_license", post(admin::new_license))
+        .route("/admin/oauth", get(admin::get_oauth))
+        .route("/admin/oauth", put(admin::update_oauth))
+        .route("/admin/certs", get(admin::get_certs))
+        .route("/admin/certs", put(admin::update_certs))
+        .route("/admin/hostnames", put(admin::update_hostnames))
+        .route("/admin/cpu_overcommit", get(admin::get_cpu_overcommit))
+        .route(
+            "/admin/cpu_overcommit/{value}",
+            put(admin::update_cpu_overcommit),
+        )
+        .route(
+            "/admin/machine_types",
+            post(machine_type::create_machine_type),
+        )
+        .route(
+            "/admin/machine_types/{machine_type_id}",
+            put(machine_type::update_machine_type),
+        )
+        .route(
+            "/admin/machine_types/{machine_type_id}",
+            delete(machine_type::delete_machine_type),
+        )
+        .route("/admin/users", get(admin::get_cluster_users))
+        .route("/admin/users/{user_id}", put(admin::update_cluster_user))
+        .route(
+            "/admin/organizations/{org_id}/clear",
+            put(organization::clear_organization),
+        )
+}
+
+fn main_routes() -> Router<Arc<CoreState>> {
+    Router::new()
+        .nest("/v1", v1_api_routes())
+        .nest("/private", private_routes())
+        .route("/rpc", any(handle_rpc))
+}
+
+pub fn add_forward_middleware(state: Arc<CoreState>, router: Router) -> Router {
+    router
+        .route_layer(middleware::from_fn_with_state(
+            state.clone(),
+            forward_middleware,
+        ))
+        .layer(ClientIpSource::ConnectInfo.into_extension())
+}
+
+pub fn build_router(state: Arc<CoreState>) -> Router {
+    Router::new()
+        .route("/", any(handle_catch_all))
+        .route("/{*wildcard}", any(handle_catch_all))
+        .route("/health-check", get(health_check))
+        .route(
+            "/install/lapdev-kube-manager.yaml",
+            get(kube_manager_install_manifest),
+        )
+        .nest("/api", main_routes())
+        .with_state(state)
+}
+
+async fn health_check() {}
+
+#[derive(Debug, Deserialize)]
+struct KubeManagerManifestQuery {
+    token: String,
+}
+
+async fn kube_manager_install_manifest(
+    State(state): State<Arc<CoreState>>,
+    Query(query): Query<KubeManagerManifestQuery>,
+) -> Result<Response, ApiError> {
+    let token = query.token.trim();
+    if token.is_empty() {
+        return Err(ApiError::InvalidRequest(
+            "token query parameter is required".to_string(),
+        ));
+    }
+
+    let ws_base = state.websocket_base_url().await;
+    let ws_base = ws_base.trim_end_matches('/');
+    let cluster_url = format!("{}/api/v1/kube/cluster/rpc", ws_base);
+    let tunnel_url = format!("{}/api/v1/kube/cluster/tunnel", ws_base);
+    let image = container_images::kube_manager_image_reference();
+
+    let manifest = format!(
+        r#"apiVersion: v1
+kind: Namespace
+metadata:
+  name: lapdev
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: lapdev-kube-manager
+  namespace: lapdev
+type: Opaque
+stringData:
+  LAPDEV_KUBE_CLUSTER_TOKEN: "{cluster_token}"
+  LAPDEV_KUBE_CLUSTER_URL: "{cluster_url}"
+  LAPDEV_KUBE_CLUSTER_TUNNEL_URL: "{tunnel_url}"
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: lapdev-kube-manager
+  namespace: lapdev
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: lapdev-kube-manager
+rules:
+  - apiGroups: [""]
+    resources: ["namespaces"]
+    verbs: ["get", "list", "create", "update", "patch", "delete", "watch"]
+  - apiGroups: [""]
+    resources: ["pods", "services", "configmaps", "secrets"]
+    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
+  - apiGroups: [""]
+    resources: ["nodes"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["apps"]
+    resources: ["deployments", "statefulsets", "daemonsets", "replicasets"]
+    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
+  - apiGroups: ["batch"]
+    resources: ["jobs", "cronjobs"]
+    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: lapdev-kube-manager
+subjects:
+  - kind: ServiceAccount
+    name: lapdev-kube-manager
+    namespace: lapdev
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: lapdev-kube-manager
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: lapdev-kube-manager
+  namespace: lapdev
+  labels:
+    app.kubernetes.io/name: lapdev-kube-manager
+    app.kubernetes.io/component: controller
+spec:
+  selector:
+    app.kubernetes.io/name: lapdev-kube-manager
+  ports:
+    - name: sidecar-rpc
+      port: 5001
+      targetPort: sidecar-rpc
+    - name: devbox-rpc
+      port: 7771
+      targetPort: devbox-rpc
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: lapdev-kube-manager
+  namespace: lapdev
+  labels:
+    app.kubernetes.io/name: lapdev-kube-manager
+    app.kubernetes.io/component: controller
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: lapdev-kube-manager
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: lapdev-kube-manager
+        app.kubernetes.io/component: controller
+    spec:
+      serviceAccountName: lapdev-kube-manager
+      containers:
+        - name: manager
+          image: {image}
+          imagePullPolicy: Always
+          env:
+            - name: LAPDEV_KUBE_CLUSTER_TOKEN
+              valueFrom:
+                secretKeyRef:
+                  name: lapdev-kube-manager
+                  key: LAPDEV_KUBE_CLUSTER_TOKEN
+            - name: LAPDEV_KUBE_CLUSTER_URL
+              valueFrom:
+                secretKeyRef:
+                  name: lapdev-kube-manager
+                  key: LAPDEV_KUBE_CLUSTER_URL
+            - name: LAPDEV_KUBE_CLUSTER_TUNNEL_URL
+              valueFrom:
+                secretKeyRef:
+                  name: lapdev-kube-manager
+                  key: LAPDEV_KUBE_CLUSTER_TUNNEL_URL
+            - name: POD_NAMESPACE
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.namespace
+          ports:
+            - containerPort: 5001
+              name: sidecar-rpc
+            - containerPort: 7771
+              name: devbox-rpc
+          resources:
+            requests:
+              cpu: "100m"
+              memory: "256Mi"
+            limits:
+              cpu: "1"
+              memory: "512Mi"
+"#,
+        cluster_token = token,
+        cluster_url = cluster_url,
+        tunnel_url = tunnel_url,
+        image = image,
+    );
+
+    let headers = [
+        (axum::http::header::CONTENT_TYPE, "text/yaml"),
+        (axum::http::header::CACHE_CONTROL, "no-store"),
+    ];
+
+    Ok((StatusCode::OK, headers, manifest).into_response())
+}
+
+#[debug_handler]
+async fn handle_catch_all(
+    State(state): State<Arc<CoreState>>,
+    // websocket: WebSocketUpgrade,
+    TypedHeader(cookie): TypedHeader<headers::Cookie>,
+    req: Request,
+) -> Result<Response, ApiError> {
+    let (parts, _) = req.into_parts();
+    let mut parts_clone = parts.clone();
+    let websocket = WebSocketUpgrade::from_request_parts(&mut parts_clone, &())
+        .await
+        .ok();
+
+    let path = parts.uri.path();
+    tracing::debug!("handle catch all got {path}");
+
+    if let Some(websocket) = websocket {
+        let uri = &parts.uri;
+        let path = uri.path();
+        let query = uri.query();
+        let resp = handle_websocket(path, query, websocket, cookie, state).await?;
+        return Ok(resp);
+    }
+
+    if let Some(f) = path.strip_prefix("/static/") {
+        let accept_gzip = parts
+            .headers
+            .get("Accept-Encoding")
+            .and_then(|h| h.to_str().ok())
+            .map(|s| s.contains("gzip"))
+            .unwrap_or(false);
+        if let Some(file) = if let Some(d) = state.static_dir.as_ref() {
+            d.get_file(f)
+        } else {
+            STATIC_DIR.get_file(f)
+        } {
+            let content_type = if f.ends_with(".css") {
+                Some("text/css")
+            } else if f.ends_with(".js") {
+                Some("text/javascript")
+            } else if f.ends_with(".wasm") {
+                Some("application/wasm")
+            } else if f.ends_with(".ico") {
+                Some("image/vnd.microsoft.icon")
+            } else {
+                None
+            };
+            if let Some(content_type) = content_type {
+                if accept_gzip {
+                    if let Some(file) = if let Some(d) = state.static_dir.as_ref() {
+                        d.get_file(format!("{f}.gz"))
+                    } else {
+                        STATIC_DIR.get_file(format!("{f}.gz"))
+                    } {
+                        return Ok((
+                            [
+                                (axum::http::header::CONTENT_TYPE, content_type),
+                                (
+                                    axum::http::header::CACHE_CONTROL,
+                                    "public, max-age=31536000",
+                                ),
+                                (axum::http::header::CONTENT_ENCODING, "gzip"),
+                            ],
+                            file.contents(),
+                        )
+                            .into_response());
+                    }
+                }
+                return Ok((
+                    [
+                        (axum::http::header::CONTENT_TYPE, content_type),
+                        (
+                            axum::http::header::CACHE_CONTROL,
+                            "public, max-age=31536000",
+                        ),
+                    ],
+                    file.contents(),
+                )
+                    .into_response());
+            }
+        }
+    }
+
+    if let Some(file) = if let Some(d) = state.static_dir.as_ref() {
+        d.get_file("index.html")
+    } else {
+        STATIC_DIR.get_file("index.html")
+    } {
+        return Ok(axum::response::Html::from(file.contents()).into_response());
+    }
+
+    Err(ApiError::InvalidRequest("Invalid Request".to_string()))
+}
+
+async fn forward_middleware(
+    State(state): State<Arc<CoreState>>,
+    Host(hostname): Host,
+    TypedHeader(cookie): TypedHeader<headers::Cookie>,
+    req: Request,
+    next: Next,
+) -> Result<Response, ApiError> {
+    let hostname = hostname
+        .split(":")
+        .next()
+        .ok_or_else(|| ApiError::InternalError("can't split : from hostname".to_string()))?;
+    let is_forward = state
+        .conductor
+        .hostnames
+        .read()
+        .await
+        .values()
+        .any(|v| v != hostname && hostname.ends_with(v));
+    let (parts, body) = req.into_parts();
+    let mut parts_clone = parts.clone();
+    let websocket = WebSocketUpgrade::from_request_parts(&mut parts_clone, &())
+        .await
+        .ok();
+
+    let path = parts.uri.path();
+    let path_query = parts
+        .uri
+        .path_and_query()
+        .map(|v| v.as_str())
+        .unwrap_or(path);
+
+    if !is_forward {
+        if path == "/ws" || path == "/all_workspaces_ws" {
+            if let Some(websocket) = websocket {
+                let uri = &parts.uri;
+                let path = uri.path();
+                let query = uri.query();
+                let resp = handle_websocket(path, query, websocket, cookie, state).await?;
+                return Ok(resp);
+            }
+        }
+
+        return Ok(next.run(Request::from_parts(parts, body)).await);
+    }
+
+    let user = state.authenticate(&cookie).await.ok();
+    match lapdev_proxy_http::proxy::forward_workspace(hostname, &state.db, user.as_ref()).await {
+        Ok((ws, port)) => {
+            if ws.status != WorkspaceStatus::Running.to_string() {
+                return Ok(
+                    preview_error_response(format!(
+                        "Preview host `{hostname}` points to environment `{}` which isn’t running right now.",
+                        ws.name
+                    ))
+                    .into_response(),
+                );
+            }
+
+            let Some(workspace_host) = state.db.get_workspace_host(ws.host_id).await.ok().flatten()
+            else {
+                return Ok(preview_error_response(format!(
+                    "Lapdev couldn’t find a compute host for environment `{}`.",
+                    ws.name
+                ))
+                .into_response());
+            };
+
+            let port = port
+                .map(|p| p.host_port as u16)
+                .or_else(|| ws.ide_port.map(|p| p as u16));
+            if let Some(forward) = lapdev_proxy_http::forward::handler(
+                &workspace_host.host,
+                path_query,
+                websocket,
+                &parts.headers,
+                port,
+            )
+            .await
+            {
+                match forward {
+                    ProxyForward::Resp(resp) => Ok(resp),
+                    ProxyForward::Proxy(uri) => {
+                        // *req.uri_mut() = uri;
+                        let headers = parts.headers.clone();
+                        let mut new_req = Request::builder()
+                            .method(parts.method)
+                            .uri(uri)
+                            .body(body)
+                            .unwrap();
+                        *new_req.headers_mut() = headers;
+                        let resp = state.hyper_client.request(new_req).await?;
+                        Ok(resp.into_response())
+                    }
+                }
+            } else {
+                Ok(preview_error_response(format!(
+                    "Lapdev couldn’t find anything to serve at `{}{}{}`.",
+                    hostname,
+                    if path_query.starts_with('/') { "" } else { "/" },
+                    path_query
+                ))
+                .into_response())
+            }
+        }
+        Err(e) => {
+            let message = match e {
+                WorkspaceForwardError::WorkspaceNotFound => format!(
+                    "Lapdev couldn’t find any environment for preview host `{hostname}`."
+                ),
+                WorkspaceForwardError::PortNotForwarded => format!(
+                    "Preview host `{hostname}` isn’t exposing the requested service port right now. Publish the port from Lapdev and try again."
+                ),
+                WorkspaceForwardError::InvalidHostname => format!(
+                    "`{hostname}` isn’t a valid preview host."
+                ),
+                WorkspaceForwardError::Unauthorised => format!(
+                    "You don’t have access to preview host `{hostname}`. Sign in with the correct organization."
+                ),
+            };
+            Ok(preview_error_response(message).into_response())
+        }
+    }
+}
+
+async fn handle_rpc(
+    State(state): State<Arc<CoreState>>,
+    headers: axum::http::HeaderMap,
+    body: String,
+) -> Result<Json<HrpcServiceResponse>, ApiError> {
+    let r = state.handle_rpc(&headers, &body).await?;
+    Ok(Json(r))
+}
diff --git a/crates/api/src/server.rs b/crates/api/src/server.rs
new file mode 100644
index 0000000..61f2a61
--- /dev/null
+++ b/crates/api/src/server.rs
@@ -0,0 +1,203 @@
+use std::{env, net::SocketAddr, path::PathBuf, sync::Arc};
+
+use anyhow::{anyhow, Context, Result};
+use axum::Router;
+use clap::Parser;
+use lapdev_conductor::Conductor;
+use lapdev_db::api::DbApi;
+use tokio::{net::TcpListener, time::Duration};
+use tracing::{error, info, warn};
+
+use crate::{
+    router::{self, add_forward_middleware},
+    state::CoreState,
+};
+
+pub const LAPDEV_VERSION: &str = env!("CARGO_PKG_VERSION");
+
+#[derive(Clone)]
+struct LapdevConfig {
+    db_url: String,
+    bind_addr: String,
+    http_port: u16,
+    ssh_proxy_port: u16,
+    ssh_proxy_display_port: u16,
+    force_osuser: Option<String>,
+    preview_url_proxy_port: u16,
+}
+
+const DB_URL_ENV: &str = "LAPDEV_DB_URL";
+const BIND_ADDR_ENV: &str = "LAPDEV_BIND_ADDR";
+const HTTP_PORT_ENV: &str = "LAPDEV_HTTP_PORT";
+const SSH_PROXY_PORT_ENV: &str = "LAPDEV_SSH_PROXY_PORT";
+const SSH_PROXY_DISPLAY_PORT_ENV: &str = "LAPDEV_SSH_PROXY_DISPLAY_PORT";
+const FORCE_OSUSER_ENV: &str = "LAPDEV_FORCE_OSUSER";
+const PREVIEW_PROXY_PORT_ENV: &str = "LAPDEV_PREVIEW_URL_PROXY_PORT";
+
+impl LapdevConfig {
+    fn from_env() -> Result<Self> {
+        let db_url = env::var(DB_URL_ENV)
+            .map_err(|_| anyhow!("environment variable {DB_URL_ENV} is required"))?;
+        let bind_addr = env::var(BIND_ADDR_ENV).unwrap_or_else(|_| "0.0.0.0".to_string());
+        let http_port = Self::parse_port(HTTP_PORT_ENV, 8080)?;
+        let ssh_proxy_port = Self::parse_port(SSH_PROXY_PORT_ENV, 2222)?;
+        let ssh_proxy_display_port = Self::parse_port(SSH_PROXY_DISPLAY_PORT_ENV, 2222)?;
+        let preview_url_proxy_port = Self::parse_port(PREVIEW_PROXY_PORT_ENV, 8443)?;
+
+        let force_osuser = match env::var(FORCE_OSUSER_ENV) {
+            Ok(value) if value.trim().is_empty() => None,
+            Ok(value) => Some(value),
+            Err(env::VarError::NotPresent) => None,
+            Err(err) => return Err(anyhow!("error reading {FORCE_OSUSER_ENV}: {err}")),
+        };
+
+        Ok(Self {
+            db_url,
+            bind_addr,
+            http_port,
+            ssh_proxy_port,
+            ssh_proxy_display_port,
+            force_osuser,
+            preview_url_proxy_port,
+        })
+    }
+
+    fn parse_port(var: &str, default: u16) -> Result<u16> {
+        match env::var(var) {
+            Ok(value) => value
+                .parse::<u16>()
+                .map_err(|err| anyhow!("{var} must be a valid u16: {err}")),
+            Err(env::VarError::NotPresent) => Ok(default),
+            Err(err) => Err(anyhow!("error reading {var}: {err}")),
+        }
+    }
+}
+
+#[derive(Parser)]
+#[clap(name = "lapdev")]
+#[clap(version = env!("CARGO_PKG_VERSION"))]
+struct Cli {
+    /// The folder for putting data
+    #[clap(short, long, action, value_hint = clap::ValueHint::AnyPath)]
+    data_folder: Option<PathBuf>,
+}
+
+pub struct ApiServer {
+    config: LapdevConfig,
+    pub state: Arc<CoreState>,
+    pub app: Router,
+    pub conductor: Conductor,
+}
+
+impl ApiServer {
+    pub async fn new(static_dir: Option<include_dir::Dir<'static>>) -> Result<Self> {
+        let cli = Cli::parse();
+        let data_folder = cli
+            .data_folder
+            .clone()
+            .unwrap_or_else(|| PathBuf::from("/var/lib/lapdev"));
+
+        init_tracing();
+
+        let config = LapdevConfig::from_env()?;
+        let db = DbApi::new(&config.db_url).await?;
+        let conductor = Conductor::new(
+            LAPDEV_VERSION,
+            db.clone(),
+            data_folder,
+            config.force_osuser.clone(),
+        )
+        .await?;
+
+        let state = Arc::new(
+            CoreState::new(
+                conductor.clone(),
+                config.ssh_proxy_port,
+                config.ssh_proxy_display_port,
+                static_dir,
+            )
+            .await,
+        );
+
+        let app = router::build_router(state.clone());
+        Ok(Self {
+            config,
+            state,
+            conductor,
+            app,
+        })
+    }
+
+    pub async fn run(&self) -> Result<()> {
+        {
+            let db = self.conductor.db.clone();
+            let tunnel_registry = self.state.kube_controller.tunnel_registry.clone();
+            let host = self.config.bind_addr.clone();
+            let port = self.config.preview_url_proxy_port;
+            tokio::spawn(async move {
+                loop {
+                    let db_clone = db.clone();
+                    let tunnel_clone = tunnel_registry.clone();
+                    let bind = format!("{host}:{port}");
+                    match lapdev_kube::start_preview_url_proxy_server(db_clone, tunnel_clone, &bind)
+                        .await
+                    {
+                        Ok(_) => {
+                            info!("Preview URL proxy server exited gracefully");
+                            break;
+                        }
+                        Err(err) => {
+                            error!("Preview URL proxy server failed: {err:?}");
+                            warn!("Retrying preview URL proxy server in 5 seconds");
+                            tokio::time::sleep(Duration::from_secs(5)).await;
+                        }
+                    }
+                }
+            });
+        }
+
+        let app_with_forward = add_forward_middleware(self.state.clone(), self.app.clone());
+
+        let bind = format!(
+            "{}:{}",
+            self.config.bind_addr.clone(),
+            self.config.http_port
+        );
+        let tcp_listener = TcpListener::bind(&bind)
+            .await
+            .with_context(|| format!("bind to {bind}"))?;
+
+        info!(%bind, "Starting Axum HTTP server");
+
+        if let Err(err) = axum::serve(
+            tcp_listener,
+            app_with_forward.into_make_service_with_connect_info::<SocketAddr>(),
+        )
+        .await
+        {
+            tracing::error!("http server stopped error: {err}");
+        }
+
+        Ok(())
+    }
+}
+
+pub async fn start(static_dir: Option<include_dir::Dir<'static>>) {
+    match ApiServer::new(static_dir).await {
+        Ok(server) => {
+            if let Err(e) = server.run().await {
+                tracing::error!("lapdev api server error: {e:#}");
+            }
+        }
+        Err(e) => tracing::error!("failed to initialize lapdev api server: {e:#}"),
+    }
+}
+
+fn init_tracing() {
+    let var = std::env::var("RUST_LOG").unwrap_or_default();
+    let var = format!(
+        "error,tarpc=warn,tarpc::client=warn,lapdev=info,lapdev_api=info,lapdev_conductor=info,lapdev_rpc=info,lapdev_common=info,lapdev_db=info,lapdev_enterprise=info,lapdev_proxy_ssh=info,lapdev_proxy_http=info,lapdev_kube=info,lapdev_kube_manager=info,{var}"
+    );
+    let filter = tracing_subscriber::EnvFilter::builder().parse_lossy(var);
+    tracing_subscriber::fmt().with_env_filter(filter).init();
+}
diff --git a/lapdev-api/src/session.rs b/crates/api/src/session.rs
similarity index 88%
rename from lapdev-api/src/session.rs
rename to crates/api/src/session.rs
index 4025e9a..3baedcb 100644
--- a/lapdev-api/src/session.rs
+++ b/crates/api/src/session.rs
@@ -1,19 +1,18 @@
-use std::{collections::HashMap, net::IpAddr, str::FromStr};
+use std::{collections::HashMap, net::IpAddr, str::FromStr, sync::Arc};
 
 use axum::{
-    extract::{Host, Query, State},
+    extract::{Query, State},
     http::{header::SET_COOKIE, HeaderMap},
     response::{IntoResponse, Redirect, Response},
     Json,
 };
-use axum_extra::{headers, TypedHeader};
+use axum_extra::{extract::Host, headers, TypedHeader};
 use chrono::Utc;
 use hyper::StatusCode;
 use lapdev_common::{
     console::NewSessionResponse, AuditAction, AuditResourceKind, AuthProvider, ProviderUser,
     UserCreationWebhook,
 };
-use lapdev_db::entities;
 use lapdev_rpc::error::ApiError;
 use pasetors::claims::Claims;
 use sea_orm::{
@@ -23,10 +22,9 @@ use sea_orm::{
 use serde::Deserialize;
 use uuid::Uuid;
 
-use crate::state::{CoreState, RequestInfo, TOKEN_COOKIE_NAME};
+use crate::state::{CoreState, RequestInfo, OAUTH_STATE_COOKIE, TOKEN_COOKIE_NAME};
 
 pub const OAUTH_STATE: &str = "oauth_state";
-pub const OAUTH_STATE_COOKIE: &str = "state";
 pub const REDIRECT_URL: &str = "redirect_url";
 pub const CONNECT_USER: &str = "connect_user";
 pub const READ_REPO: &str = "read_repo";
@@ -98,7 +96,7 @@ pub async fn create_oauth_connection(
 pub(crate) async fn new_session(
     Host(hostname): Host,
     Query(query): Query<HashMap<String, String>>,
-    State(state): State<CoreState>,
+    State(state): State<Arc<CoreState>>,
 ) -> Result<Response, ApiError> {
     let (headers, url) = create_oauth_connection(&state, None, false, &hostname, &query).await?;
     Ok((headers, Json(NewSessionResponse { url })).into_response())
@@ -107,7 +105,7 @@ pub(crate) async fn new_session(
 pub(crate) async fn session_authorize(
     Host(hostname): Host,
     Query(query): Query<AuthRequest>,
-    State(state): State<CoreState>,
+    State(state): State<Arc<CoreState>>,
     info: RequestInfo,
     TypedHeader(cookie): TypedHeader<headers::Cookie>,
 ) -> Result<Response, ApiError> {
@@ -200,29 +198,32 @@ pub(crate) async fn session_authorize(
         let read_repo: bool = serde_json::from_value(read_repo.to_owned())
             .map_err(|_| ApiError::InvalidRequest("invalid read repo".to_string()))?;
 
-        match entities::oauth_connection::Entity::find()
-            .filter(entities::oauth_connection::Column::Provider.eq(query.provider.to_string()))
-            .filter(entities::oauth_connection::Column::UserId.eq(user_id))
-            .filter(entities::oauth_connection::Column::DeletedAt.is_null())
+        match lapdev_db_entities::oauth_connection::Entity::find()
+            .filter(
+                lapdev_db_entities::oauth_connection::Column::Provider
+                    .eq(query.provider.to_string()),
+            )
+            .filter(lapdev_db_entities::oauth_connection::Column::UserId.eq(user_id))
+            .filter(lapdev_db_entities::oauth_connection::Column::DeletedAt.is_null())
             .one(&state.db.conn)
             .await?
         {
             Some(c) => {
-                entities::oauth_connection::ActiveModel {
+                lapdev_db_entities::oauth_connection::ActiveModel {
                     id: ActiveValue::Set(c.id),
                     provider_login: ActiveValue::Set(provider_user.login),
                     access_token: ActiveValue::Set(token.secret().to_string()),
                     avatar_url: ActiveValue::Set(provider_user.avatar_url.clone()),
                     email: ActiveValue::Set(provider_user.email.clone()),
                     name: ActiveValue::Set(provider_user.name.clone()),
-                    read_repo: ActiveValue::Set(read_repo),
+                    read_repo: ActiveValue::Set(Some(read_repo)),
                     ..Default::default()
                 }
                 .update(&state.db.conn)
                 .await?;
             }
             None => {
-                entities::oauth_connection::ActiveModel {
+                lapdev_db_entities::oauth_connection::ActiveModel {
                     id: ActiveValue::Set(Uuid::new_v4()),
                     user_id: ActiveValue::Set(user_id),
                     created_at: ActiveValue::Set(now.into()),
@@ -234,7 +235,7 @@ pub(crate) async fn session_authorize(
                     avatar_url: ActiveValue::Set(provider_user.avatar_url),
                     email: ActiveValue::Set(provider_user.email),
                     name: ActiveValue::Set(provider_user.name),
-                    read_repo: ActiveValue::Set(read_repo),
+                    read_repo: ActiveValue::Set(Some(read_repo)),
                 }
                 .insert(&state.db.conn)
                 .await?;
@@ -244,15 +245,17 @@ pub(crate) async fn session_authorize(
         return Ok(Redirect::temporary(query.next.as_deref().unwrap_or("/")).into_response());
     }
 
-    let user = match entities::oauth_connection::Entity::find()
-        .filter(entities::oauth_connection::Column::Provider.eq(query.provider.to_string()))
-        .filter(entities::oauth_connection::Column::ProviderId.eq(provider_user.id))
-        .filter(entities::oauth_connection::Column::DeletedAt.is_null())
+    let user = match lapdev_db_entities::oauth_connection::Entity::find()
+        .filter(
+            lapdev_db_entities::oauth_connection::Column::Provider.eq(query.provider.to_string()),
+        )
+        .filter(lapdev_db_entities::oauth_connection::Column::ProviderId.eq(provider_user.id))
+        .filter(lapdev_db_entities::oauth_connection::Column::DeletedAt.is_null())
         .one(&state.db.conn)
         .await?
     {
         Some(conn) => {
-            let conn = entities::oauth_connection::ActiveModel {
+            let conn = lapdev_db_entities::oauth_connection::ActiveModel {
                 id: ActiveValue::Set(conn.id),
                 provider_login: ActiveValue::Set(provider_user.login),
                 access_token: ActiveValue::Set(token.secret().to_string()),
@@ -264,7 +267,7 @@ pub(crate) async fn session_authorize(
             .update(&state.db.conn)
             .await?;
 
-            entities::user::ActiveModel {
+            lapdev_db_entities::user::ActiveModel {
                 id: ActiveValue::Set(conn.user_id),
                 avatar_url: ActiveValue::Set(provider_user.avatar_url),
                 email: ActiveValue::Set(provider_user.email),
@@ -285,8 +288,8 @@ pub(crate) async fn session_authorize(
                 .as_ref()
             {
                 if enterprise.users > 0 {
-                    let count = entities::user::Entity::find()
-                        .filter(entities::user::Column::DeletedAt.is_null())
+                    let count = lapdev_db_entities::user::Entity::find()
+                        .filter(lapdev_db_entities::user::Column::DeletedAt.is_null())
                         .count(&state.db.conn)
                         .await?;
                     if count >= enterprise.users as u64 {
diff --git a/crates/api/src/state.rs b/crates/api/src/state.rs
new file mode 100644
index 0000000..d8e0956
--- /dev/null
+++ b/crates/api/src/state.rs
@@ -0,0 +1,897 @@
+use std::{
+    collections::{BTreeMap, HashMap},
+    str::FromStr,
+    sync::Arc,
+};
+
+use anyhow::{anyhow, Context, Result};
+use axum::{body::Body, extract::FromRequestParts, http::request::Parts, RequestPartsExt};
+use axum_client_ip::ClientIp;
+use axum_extra::{
+    headers::{self, Cookie, HeaderMapExt, UserAgent},
+    TypedHeader,
+};
+use chrono::{DateTime, Utc};
+use hyper_util::{client::legacy::connect::HttpConnector, rt::TokioExecutor};
+use lapdev_common::{
+    devbox::DirectTunnelConfig,
+    kube::{AppCatalogStatusEvent, ClusterStatusEvent, EnvironmentWorkloadStatusEvent},
+    utils::resolve_api_host,
+    UserRole, LAPDEV_AUTH_STATE_COOKIE, LAPDEV_AUTH_TOKEN_COOKIE, LAPDEV_BASE_HOSTNAME,
+};
+use lapdev_conductor::{scheduler::LAPDEV_CPU_OVERCOMMIT, Conductor};
+use lapdev_db::api::DbApi;
+use lapdev_devbox_rpc::PortMapping;
+use lapdev_enterprise::license::LAPDEV_ENTERPRISE_LICENSE;
+use lapdev_kube_rpc::DevboxRouteConfig;
+use lapdev_rpc::error::ApiError;
+use pasetors::{
+    claims::ClaimsValidationRules,
+    keys::SymmetricKey,
+    token::{TrustedToken, UntrustedToken},
+    version4::V4,
+};
+use sea_orm::{ColumnTrait, EntityTrait, QueryFilter};
+use serde::Deserialize;
+use sqlx::postgres::PgNotification;
+use tokio::{
+    sync::{broadcast, RwLock},
+    time::{sleep, Duration},
+};
+use tokio_rustls::rustls::sign::CertifiedKey;
+use uuid::Uuid;
+
+use crate::{
+    auth::{Auth, AuthConfig},
+    cert::{load_cert, CertStore},
+    devbox_tunnels::DevboxTunnelRegistry,
+    github::GithubClient,
+    kube_controller::KubeController,
+};
+
+use crate::environment_events::EnvironmentLifecycleEvent;
+
+pub const OAUTH_STATE_COOKIE: &str = LAPDEV_AUTH_STATE_COOKIE;
+pub const TOKEN_COOKIE_NAME: &str = LAPDEV_AUTH_TOKEN_COOKIE;
+pub const LAPDEV_CERTS: &str = "lapdev-certs";
+
+pub type HyperClient = hyper_util::client::legacy::Client<HttpConnector, Body>;
+
+pub struct RequestInfo {
+    pub ip: Option<String>,
+    pub user_agent: Option<String>,
+}
+
+#[derive(Debug, Deserialize)]
+struct ConfigUpdatePayload {
+    name: String,
+    value: String,
+}
+
+impl<S: Send + Sync> FromRequestParts<S> for RequestInfo {
+    type Rejection = ApiError;
+
+    async fn from_request_parts(parts: &mut Parts, _state: &S) -> Result<Self, Self::Rejection> {
+        let ip = parts
+            .extract::<ClientIp>()
+            .await
+            .ok()
+            .map(|ClientIp(ip)| ip.to_string());
+        let user_agent = parts.extract::<TypedHeader<UserAgent>>().await.ok();
+        let user_agent = user_agent.map(|u| u.to_string());
+        Ok(Self { user_agent, ip })
+    }
+}
+
+/// Temporary storage for CLI authentication tokens during browser login flow
+pub struct PendingCliAuth {
+    pub token: String,
+    pub expires_at: DateTime<Utc>,
+}
+
+#[derive(Clone)]
+pub struct CoreState {
+    pub conductor: Conductor,
+    pub github_client: GithubClient,
+    pub hyper_client: Arc<HyperClient>,
+    pub db: DbApi,
+    pub auth: Arc<Auth>,
+    pub auth_token_key: Arc<SymmetricKey<V4>>,
+    pub certs: CertStore,
+    // actuall ssh proxy port
+    pub ssh_proxy_port: u16,
+    // ssh proxy port to display in front end
+    pub ssh_proxy_display_port: u16,
+    pub static_dir: Arc<Option<include_dir::Dir<'static>>>,
+    // Kubernetes controller
+    pub kube_controller: KubeController,
+    // Devbox tunnel registry for session-level bridging
+    pub devbox_tunnels: Arc<DevboxTunnelRegistry>,
+    // Pending CLI authentication tokens (session_id -> token)
+    pub pending_cli_auth: Arc<RwLock<HashMap<Uuid, PendingCliAuth>>>,
+    // Active devbox sessions (user_id -> DevboxSessionHandle)
+    pub active_devbox_sessions: Arc<RwLock<HashMap<Uuid, BTreeMap<Uuid, DevboxSessionHandle>>>>,
+    // Lifecycle notifications for kube environments
+    pub environment_events: broadcast::Sender<EnvironmentLifecycleEvent>,
+    pub environment_workload_events: broadcast::Sender<EnvironmentWorkloadStatusEvent>,
+    pub cluster_events: broadcast::Sender<ClusterStatusEvent>,
+    pub app_catalog_events: broadcast::Sender<AppCatalogStatusEvent>,
+}
+
+/// Handle for an active devbox session
+#[derive(Clone)]
+pub struct DevboxSessionHandle {
+    pub session_id: Uuid,
+    pub device_name: String,
+    pub notify_tx: tokio::sync::mpsc::UnboundedSender<DevboxSessionNotification>,
+    pub rpc_client: lapdev_devbox_rpc::DevboxClientRpcClient,
+    pub connection_id: Uuid,
+}
+
+/// Notifications that can be sent to active devbox sessions
+#[derive(Debug, Clone)]
+pub enum DevboxSessionNotification {
+    Displaced { new_device_name: String },
+}
+
+impl CoreState {
+    pub async fn new(
+        conductor: Conductor,
+        ssh_proxy_port: u16,
+        ssh_proxy_display_port: u16,
+        static_dir: Option<include_dir::Dir<'static>>,
+    ) -> Self {
+        let github_client = GithubClient::new();
+        let key = conductor.db.load_api_auth_token_key().await;
+        let auth = Auth::new(&conductor.db).await;
+        let certs = load_certs(&conductor.db).await.unwrap_or_default();
+
+        let hyper_client: HyperClient =
+            hyper_util::client::legacy::Client::<(), ()>::builder(TokioExecutor::new())
+                .build(HttpConnector::new());
+
+        let db = conductor.db.clone();
+        let (environment_events, _) = broadcast::channel(128);
+        let (environment_workload_events, _) = broadcast::channel(256);
+        let (cluster_events, _) = broadcast::channel(128);
+        let (app_catalog_events, _) = broadcast::channel(128);
+        let state = Self {
+            db: db.clone(),
+            conductor,
+            github_client,
+            auth: Arc::new(auth),
+            auth_token_key: Arc::new(key),
+            certs: Arc::new(std::sync::RwLock::new(Arc::new(certs))),
+            ssh_proxy_port,
+            ssh_proxy_display_port,
+            hyper_client: Arc::new(hyper_client),
+            static_dir: Arc::new(static_dir),
+            kube_controller: KubeController::new(db, environment_events.clone()),
+            devbox_tunnels: Arc::new(DevboxTunnelRegistry::new()),
+            pending_cli_auth: Arc::new(RwLock::new(HashMap::new())),
+            active_devbox_sessions: Arc::new(RwLock::new(HashMap::new())),
+            environment_events,
+            environment_workload_events: environment_workload_events.clone(),
+            cluster_events,
+            app_catalog_events,
+        };
+
+        state.spawn_background_tasks();
+
+        state
+    }
+
+    fn spawn_background_tasks(&self) {
+        {
+            let state = self.clone();
+            tokio::spawn(async move {
+                if let Err(e) = state.monitor_config_updates().await {
+                    tracing::error!("api monitor config updates error: {e}");
+                }
+            });
+        }
+
+        {
+            let state = self.clone();
+            tokio::spawn(async move {
+                state.cleanup_pending_cli_auth_loop().await;
+            });
+        }
+
+        Self::spawn_listener("environment", self.clone(), |s| async move {
+            s.monitor_environment_events().await
+        });
+        Self::spawn_listener("environment_workload", self.clone(), |s| async move {
+            s.monitor_environment_workload_events().await
+        });
+        Self::spawn_listener("cluster", self.clone(), |s| async move {
+            s.monitor_cluster_events().await
+        });
+        Self::spawn_listener("app_catalog", self.clone(), |s| async move {
+            s.monitor_app_catalog_events().await
+        });
+    }
+
+    fn spawn_listener<F, Fut>(name: &'static str, state: CoreState, factory: F)
+    where
+        F: Fn(CoreState) -> Fut + Send + Sync + 'static,
+        Fut: std::future::Future<Output = Result<()>> + Send,
+    {
+        tokio::spawn(async move {
+            loop {
+                match factory(state.clone()).await {
+                    Ok(_) => break,
+                    Err(e) => {
+                        tracing::error!(
+                            listener = name,
+                            error = %e,
+                            "listener error; retrying in 5s"
+                        );
+                        sleep(Duration::from_secs(5)).await;
+                    }
+                }
+            }
+        });
+    }
+
+    async fn monitor_config_updates(&self) -> Result<()> {
+        let pool = self
+            .db
+            .pool
+            .clone()
+            .ok_or_else(|| anyhow!("db doesn't have pg pool"))?;
+        let mut listener = sqlx::postgres::PgListener::connect_with(&pool).await?;
+        listener.listen("config_update").await?;
+        loop {
+            let notification = listener.recv().await?;
+            if let Err(e) = self.handle_config_update_notification(notification).await {
+                tracing::error!("handle config update notification error: {e:#}");
+            }
+        }
+    }
+
+    async fn handle_config_update_notification(&self, notification: PgNotification) -> Result<()> {
+        let payload: ConfigUpdatePayload = serde_json::from_str(notification.payload())
+            .with_context(|| format!("trying to deserialize payload {}", notification.payload()))?;
+        if payload.name == AuthConfig::GITHUB.client_id
+            || payload.name == AuthConfig::GITHUB.client_secret
+            || payload.name == AuthConfig::GITLAB.client_id
+            || payload.name == AuthConfig::GITLAB.client_secret
+        {
+            self.auth.resync(&self.db).await;
+        } else if payload.name == LAPDEV_ENTERPRISE_LICENSE {
+            self.conductor.enterprise.license.resync_license().await;
+        } else if payload.name == LAPDEV_CPU_OVERCOMMIT {
+            if let Ok(v) = payload.value.parse::<usize>() {
+                *self.conductor.cpu_overcommit.write().await = v.max(1);
+            }
+        } else if payload.name == LAPDEV_BASE_HOSTNAME {
+            *self.conductor.hostnames.write().await = self
+                .conductor
+                .enterprise
+                .get_hostnames()
+                .await
+                .unwrap_or_default();
+        } else if payload.name == LAPDEV_CERTS {
+            if let Ok(certs) = load_certs(&self.db).await {
+                if let Ok(mut current) = self.certs.write() {
+                    *current = Arc::new(certs);
+                }
+            }
+        }
+        Ok(())
+    }
+
+    async fn cleanup_pending_cli_auth_loop(&self) {
+        loop {
+            tokio::time::sleep(tokio::time::Duration::from_secs(60)).await;
+            let now = Utc::now();
+            let mut pending = self.pending_cli_auth.write().await;
+            pending.retain(|_, auth| auth.expires_at > now);
+            let removed = pending.len();
+            if removed > 0 {
+                tracing::debug!("Cleaned up {} expired CLI auth tokens", removed);
+            }
+        }
+    }
+
+    async fn monitor_environment_events(&self) -> Result<()> {
+        let pool = self
+            .db
+            .pool
+            .clone()
+            .ok_or_else(|| anyhow!("db doesn't have pg pool"))?;
+        let mut listener = sqlx::postgres::PgListener::connect_with(&pool).await?;
+        listener.listen("environment_lifecycle").await?;
+        tracing::info!("environment lifecycle listener started");
+        loop {
+            let notification = listener.recv().await?;
+            match serde_json::from_str::<EnvironmentLifecycleEvent>(notification.payload()) {
+                Ok(event) => {
+                    let _ = self.environment_events.send(event);
+                }
+                Err(err) => {
+                    tracing::error!(
+                        payload = notification.payload(),
+                        error = ?err,
+                        "failed to deserialize environment lifecycle notification"
+                    );
+                }
+            }
+        }
+    }
+
+    async fn monitor_environment_workload_events(&self) -> Result<()> {
+        let pool = self
+            .db
+            .pool
+            .clone()
+            .ok_or_else(|| anyhow!("db doesn't have pg pool"))?;
+        let mut listener = sqlx::postgres::PgListener::connect_with(&pool).await?;
+        listener.listen("environment_workload_status").await?;
+        tracing::info!("environment workload listener started");
+        loop {
+            let notification = listener.recv().await?;
+            match serde_json::from_str::<EnvironmentWorkloadStatusEvent>(notification.payload()) {
+                Ok(event) => {
+                    let _ = self.environment_workload_events.send(event);
+                }
+                Err(err) => {
+                    tracing::error!(
+                        payload = notification.payload(),
+                        error = ?err,
+                        "failed to deserialize environment workload status notification"
+                    );
+                }
+            }
+        }
+    }
+
+    async fn monitor_cluster_events(&self) -> Result<()> {
+        let pool = self
+            .db
+            .pool
+            .clone()
+            .ok_or_else(|| anyhow!("db doesn't have pg pool"))?;
+        let mut listener = sqlx::postgres::PgListener::connect_with(&pool).await?;
+        listener.listen("cluster_status").await?;
+        tracing::info!("cluster status listener started");
+        loop {
+            let notification = listener.recv().await?;
+            match serde_json::from_str::<ClusterStatusEvent>(notification.payload()) {
+                Ok(event) => {
+                    let _ = self.cluster_events.send(event);
+                }
+                Err(err) => {
+                    tracing::error!(
+                        payload = notification.payload(),
+                        error = ?err,
+                        "failed to deserialize cluster status notification"
+                    );
+                }
+            }
+        }
+    }
+
+    async fn monitor_app_catalog_events(&self) -> Result<()> {
+        let pool = self
+            .db
+            .pool
+            .clone()
+            .ok_or_else(|| anyhow!("db doesn't have pg pool"))?;
+        let mut listener = sqlx::postgres::PgListener::connect_with(&pool).await?;
+        listener.listen("app_catalog_status").await?;
+        tracing::info!("app catalog status listener started");
+        loop {
+            let notification = listener.recv().await?;
+            match serde_json::from_str::<AppCatalogStatusEvent>(notification.payload()) {
+                Ok(event) => {
+                    let _ = self.app_catalog_events.send(event);
+                }
+                Err(err) => {
+                    tracing::error!(
+                        payload = notification.payload(),
+                        error = ?err,
+                        "failed to deserialize app catalog status notification"
+                    );
+                }
+            }
+        }
+    }
+
+    pub async fn websocket_base_url(&self) -> String {
+        let host = if let Ok(value) = std::env::var("LAPDEV_API_HOST") {
+            resolve_api_host(Some(value.as_str()))
+        } else {
+            let stored = self
+                .conductor
+                .hostnames
+                .read()
+                .await
+                .get("")
+                .cloned()
+                .unwrap_or_default();
+            let stored_ref = if stored.trim().is_empty() {
+                None
+            } else {
+                Some(stored.as_str())
+            };
+            resolve_api_host(stored_ref)
+        };
+
+        CoreState::normalize_ws_base(&host)
+    }
+
+    fn normalize_ws_base(candidate: &str) -> String {
+        let trimmed = candidate.trim();
+        let with_scheme = if trimmed.starts_with("http://")
+            || trimmed.starts_with("https://")
+            || trimmed.starts_with("ws://")
+            || trimmed.starts_with("wss://")
+        {
+            trimmed.to_string()
+        } else {
+            format!("https://{}", trimmed)
+        };
+
+        if with_scheme.starts_with("http://") {
+            with_scheme.replacen("http://", "ws://", 1)
+        } else if with_scheme.starts_with("https://") {
+            with_scheme.replacen("https://", "wss://", 1)
+        } else {
+            with_scheme
+        }
+    }
+
+    pub async fn push_devbox_routes(&self, user_id: Uuid, environment_id: Uuid) {
+        match self
+            .build_devbox_route_snapshot(user_id, environment_id)
+            .await
+        {
+            Ok((cluster_id, base_environment_id, routes)) => {
+                if let Err(err) = self
+                    .kube_controller
+                    .set_devbox_routes(
+                        cluster_id,
+                        base_environment_id.unwrap_or(environment_id),
+                        routes,
+                    )
+                    .await
+                {
+                    tracing::warn!(
+                        environment_id = %environment_id,
+                        error = %err,
+                        "Failed to push devbox routes to kube-manager"
+                    );
+                }
+            }
+            Err(err) => {
+                tracing::warn!(
+                    environment_id = %environment_id,
+                    error = %err,
+                    "Failed to build devbox route snapshot"
+                );
+            }
+        }
+    }
+
+    pub async fn push_devbox_route_for_intercept(
+        &self,
+        environment: lapdev_db_entities::kube_environment::Model,
+        intercept: lapdev_db_entities::kube_devbox_workload_intercept::Model,
+    ) {
+        let base = self.websocket_base_url().await;
+        let base_trimmed = base.trim_end_matches('/').to_string();
+
+        match self
+            .route_workload_id_for_intercept(&intercept)
+            .await
+            .and_then(|route_workload_id| {
+                Self::build_devbox_route_config_from_intercept(
+                    base_trimmed.as_str(),
+                    &environment,
+                    &intercept,
+                    route_workload_id,
+                )
+            }) {
+            Ok(route) => {
+                let (target_environment_id, _) = Self::route_environment_targets(&environment);
+                if let Err(err) = self
+                    .kube_controller
+                    .set_devbox_route(environment.cluster_id, target_environment_id, route)
+                    .await
+                {
+                    tracing::warn!(
+                        environment_id = %environment.id,
+                        workload_id = %intercept.workload_id,
+                        intercept_id = %intercept.id,
+                        error = %err,
+                        "Failed to push devbox route for intercept"
+                    );
+                }
+            }
+            Err(err) => {
+                tracing::warn!(
+                    environment_id = %environment.id,
+                    intercept_id = %intercept.id,
+                    error = %err,
+                    "Failed to build devbox route for intercept"
+                );
+            }
+        }
+    }
+
+    pub async fn clear_devbox_route_for_intercept(
+        &self,
+        environment: lapdev_db_entities::kube_environment::Model,
+        intercept: lapdev_db_entities::kube_devbox_workload_intercept::Model,
+    ) {
+        let (target_environment_id, branch_environment_id) =
+            Self::route_environment_targets(&environment);
+
+        let route_workload_id = match self.route_workload_id_for_intercept(&intercept).await {
+            Ok(id) => id,
+            Err(err) => {
+                tracing::warn!(
+                    environment_id = %environment.id,
+                    intercept_id = %intercept.id,
+                    workload_id = %intercept.workload_id,
+                    error = %err,
+                    "Failed to resolve workload for devbox route removal"
+                );
+                return;
+            }
+        };
+
+        if let Err(err) = self
+            .kube_controller
+            .remove_devbox_route(
+                environment.cluster_id,
+                target_environment_id,
+                route_workload_id,
+                branch_environment_id,
+            )
+            .await
+        {
+            tracing::warn!(
+                environment_id = %environment.id,
+                workload_id = %intercept.workload_id,
+                intercept_id = %intercept.id,
+                error = %err,
+                "Failed to clear devbox route for intercept"
+            );
+        }
+    }
+
+    pub async fn clear_devbox_routes_for_environment(&self, environment_id: Uuid) {
+        match self
+            .db
+            .get_kube_environment(environment_id)
+            .await
+            .map_err(|e| format!("Failed to fetch environment: {e}"))
+        {
+            Ok(Some(environment)) => {
+                if let Err(err) = self
+                    .kube_controller
+                    .clear_devbox_routes(
+                        environment.cluster_id,
+                        environment.base_environment_id.unwrap_or(environment_id),
+                        environment.base_environment_id.map(|_| environment_id),
+                    )
+                    .await
+                {
+                    tracing::warn!(
+                        environment_id = %environment_id,
+                        error = %err,
+                        "Failed to clear devbox routes for environment"
+                    );
+                }
+            }
+            Ok(None) => {
+                tracing::debug!(
+                    environment_id = %environment_id,
+                    "Environment not found while clearing devbox routes"
+                );
+            }
+            Err(err) => {
+                tracing::warn!(
+                    environment_id = %environment_id,
+                    error = %err,
+                    "Failed to clear devbox routes for environment"
+                );
+            }
+        }
+    }
+
+    async fn build_devbox_route_snapshot(
+        &self,
+        user_id: Uuid,
+        environment_id: Uuid,
+    ) -> Result<(Uuid, Option<Uuid>, HashMap<Uuid, DevboxRouteConfig>), String> {
+        let environment = self
+            .db
+            .get_kube_environment(environment_id)
+            .await
+            .map_err(|e| format!("Failed to fetch environment: {e}"))?
+            .ok_or_else(|| "Environment not found".to_string())?;
+
+        let intercepts = self
+            .db
+            .get_active_intercepts_for_environment(environment_id)
+            .await
+            .map_err(|e| format!("Failed to fetch intercepts: {e}"))?;
+
+        let base = self.websocket_base_url().await;
+        let base_trimmed = base.trim_end_matches('/');
+
+        let mut routes: HashMap<Uuid, DevboxRouteConfig> = HashMap::new();
+
+        for intercept in intercepts {
+            if intercept.user_id != user_id {
+                continue;
+            }
+
+            let route_workload_id = self.route_workload_id_for_intercept(&intercept).await?;
+
+            let route = Self::build_devbox_route_config_from_intercept(
+                base_trimmed,
+                &environment,
+                &intercept,
+                route_workload_id,
+            )?;
+
+            routes.insert(route_workload_id, route);
+        }
+
+        Ok((
+            environment.cluster_id,
+            environment.base_environment_id,
+            routes,
+        ))
+    }
+
+    fn build_devbox_route_config_from_intercept(
+        base_trimmed: &str,
+        environment: &lapdev_db_entities::kube_environment::Model,
+        intercept: &lapdev_db_entities::kube_devbox_workload_intercept::Model,
+        route_workload_id: Uuid,
+    ) -> Result<DevboxRouteConfig, String> {
+        let port_mappings = Self::intercept_port_map(intercept)?;
+        let websocket_url = format!(
+            "{}/api/v1/kube/sidecar/tunnel/{}/{}",
+            base_trimmed, environment.id, intercept.workload_id
+        );
+
+        Ok(DevboxRouteConfig {
+            intercept_id: intercept.id,
+            workload_id: route_workload_id,
+            auth_token: environment.auth_token.clone(),
+            websocket_url,
+            path_pattern: "/*".to_string(),
+            branch_environment_id: environment.base_environment_id.map(|_| environment.id),
+            created_at_epoch_seconds: Some(intercept.created_at.timestamp()),
+            expires_at_epoch_seconds: intercept.stopped_at.map(|dt| dt.timestamp()),
+            port_mappings,
+        })
+    }
+
+    fn intercept_port_map(
+        intercept: &lapdev_db_entities::kube_devbox_workload_intercept::Model,
+    ) -> Result<HashMap<u16, u16>, String> {
+        let value: serde_json::Value = intercept.port_mappings.clone().into();
+        let mappings: Vec<PortMapping> = serde_json::from_value(value).map_err(|e| {
+            format!(
+                "Failed to parse port mappings for intercept {}: {e}",
+                intercept.id
+            )
+        })?;
+
+        let mut port_map = HashMap::with_capacity(mappings.len());
+        for mapping in &mappings {
+            port_map.insert(mapping.workload_port, mapping.local_port);
+        }
+
+        Ok(port_map)
+    }
+
+    async fn route_workload_id_for_intercept(
+        &self,
+        intercept: &lapdev_db_entities::kube_devbox_workload_intercept::Model,
+    ) -> Result<Uuid, String> {
+        let workload = self
+            .db
+            .get_environment_workload(intercept.workload_id)
+            .await
+            .map_err(|e| {
+                format!(
+                    "Failed to load workload {} for intercept {}: {e}",
+                    intercept.workload_id, intercept.id
+                )
+            })?
+            .ok_or_else(|| {
+                format!(
+                    "Workload {} not found for intercept {}",
+                    intercept.workload_id, intercept.id
+                )
+            })?;
+
+        Ok(workload.base_workload_id.unwrap_or(workload.id))
+    }
+
+    fn route_environment_targets(
+        environment: &lapdev_db_entities::kube_environment::Model,
+    ) -> (Uuid, Option<Uuid>) {
+        (
+            environment.base_environment_id.unwrap_or(environment.id),
+            environment.base_environment_id.map(|_| environment.id),
+        )
+    }
+
+    fn cookie_token(&self, cookie: &headers::Cookie, name: &str) -> Result<TrustedToken, ApiError> {
+        let token = cookie.get(name).ok_or(ApiError::Unauthenticated)?;
+        let untrusted_token =
+            UntrustedToken::try_from(token).map_err(|_| ApiError::Unauthenticated)?;
+        let token = pasetors::local::decrypt(
+            &self.auth_token_key,
+            &untrusted_token,
+            &ClaimsValidationRules::new(),
+            None,
+            None,
+        )
+        .map_err(|_| ApiError::Unauthenticated)?;
+        Ok(token)
+    }
+
+    pub fn auth_state_token(&self, cookie: &headers::Cookie) -> Result<TrustedToken, ApiError> {
+        self.cookie_token(cookie, OAUTH_STATE_COOKIE)
+    }
+
+    pub fn token(&self, cookie: &headers::Cookie) -> Result<TrustedToken, ApiError> {
+        self.cookie_token(cookie, TOKEN_COOKIE_NAME)
+    }
+
+    pub async fn require_enterprise(&self) -> Result<(), ApiError> {
+        if self.conductor.enterprise.has_valid_license().await {
+            return Ok(());
+        }
+        Err(ApiError::EnterpriseInvalid)
+    }
+
+    async fn authorize_org(
+        &self,
+        headers: &axum::http::HeaderMap,
+        org_id: Uuid,
+    ) -> Result<
+        (
+            lapdev_db_entities::user::Model,
+            lapdev_db_entities::organization_member::Model,
+        ),
+        ApiError,
+    > {
+        let user = self.authenticate_raw(headers).await?;
+        let member = self
+            .db
+            .get_organization_member(user.id, org_id)
+            .await
+            .map_err(|_| ApiError::Unauthorized)?;
+        Ok((user, member))
+    }
+
+    pub async fn authorize(
+        &self,
+        headers: &axum::http::HeaderMap,
+        org_id: Uuid,
+        required_role: Option<UserRole>,
+    ) -> Result<lapdev_db_entities::user::Model, ApiError> {
+        let (user, member) = self.authorize_org(headers, org_id).await?;
+
+        if let Some(required_role) = required_role {
+            let member_role =
+                UserRole::from_str(&member.role).map_err(|_| ApiError::Unauthorized)?;
+
+            match required_role {
+                UserRole::Owner => {
+                    if member_role != UserRole::Owner {
+                        return Err(ApiError::DetailedUnauthorized(
+                            "Owner role required".to_string(),
+                        ));
+                    }
+                }
+                UserRole::Admin => {
+                    if member_role != UserRole::Owner && member_role != UserRole::Admin {
+                        return Err(ApiError::DetailedUnauthorized(
+                            "Admin or Owner role required".to_string(),
+                        ));
+                    }
+                }
+                UserRole::Member => {
+                    // Any role is sufficient for Member access
+                }
+            }
+        }
+
+        Ok(user)
+    }
+
+    pub async fn authenticate_raw(
+        &self,
+        headers: &axum::http::HeaderMap,
+    ) -> Result<lapdev_db_entities::user::Model, ApiError> {
+        let cookie = headers
+            .typed_get::<Cookie>()
+            .ok_or(ApiError::Unauthenticated)?;
+        self.authenticate(&cookie).await
+    }
+
+    pub async fn authenticate(
+        &self,
+        cookie: &headers::Cookie,
+    ) -> Result<lapdev_db_entities::user::Model, ApiError> {
+        let token = self.token(cookie)?;
+        let user_id: Uuid = token
+            .payload_claims()
+            .and_then(|c| c.get_claim("user_id"))
+            .and_then(|v| serde_json::from_value(v.to_owned()).ok())
+            .ok_or(ApiError::Unauthenticated)?;
+        let user = lapdev_db_entities::user::Entity::find_by_id(user_id)
+            .filter(lapdev_db_entities::user::Column::DeletedAt.is_null())
+            .one(&self.db.conn)
+            .await?
+            .ok_or(ApiError::Unauthenticated)?;
+        Ok(user)
+    }
+
+    pub async fn authenticate_cluster_admin(
+        &self,
+        cookie: &headers::Cookie,
+    ) -> Result<lapdev_db_entities::user::Model, ApiError> {
+        let user = self.authenticate(cookie).await?;
+        if !user.cluster_admin {
+            return Err(ApiError::Unauthorized);
+        }
+        Ok(user)
+    }
+
+    pub async fn get_project(
+        &self,
+        cookie: &headers::Cookie,
+        org_id: Uuid,
+        project_id: Uuid,
+    ) -> Result<
+        (
+            lapdev_db_entities::user::Model,
+            lapdev_db_entities::project::Model,
+        ),
+        ApiError,
+    > {
+        let user = self.authenticate(cookie).await?;
+        self.db
+            .get_organization_member(user.id, org_id)
+            .await
+            .map_err(|_| ApiError::Unauthorized)?;
+        let project = self
+            .db
+            .get_project(project_id)
+            .await
+            .map_err(|_| ApiError::InvalidRequest("project doesn't exist".to_string()))?;
+        if project.organization_id != org_id {
+            return Err(ApiError::Unauthorized);
+        }
+        Ok((user, project))
+    }
+}
+
+async fn load_certs(db: &DbApi) -> Result<HashMap<String, Arc<CertifiedKey>>> {
+    let certs = db.get_config(LAPDEV_CERTS).await?;
+    let certs: Vec<(String, String)> = serde_json::from_str(&certs)?;
+
+    let mut final_certs = HashMap::new();
+    for (cert, key) in certs {
+        if let Ok((dns_names, cert)) = load_cert(&cert, &key) {
+            for dns_name in dns_names {
+                final_certs.insert(dns_name, Arc::new(cert.clone()));
+            }
+        }
+    }
+    Ok(final_certs)
+}
diff --git a/lapdev-api/src/websocket.rs b/crates/api/src/websocket.rs
similarity index 84%
rename from lapdev-api/src/websocket.rs
rename to crates/api/src/websocket.rs
index 75d7ffd..a98ea4e 100644
--- a/lapdev-api/src/websocket.rs
+++ b/crates/api/src/websocket.rs
@@ -1,3 +1,5 @@
+use std::sync::Arc;
+
 use axum::{
     extract::{
         ws::{Message, WebSocket},
@@ -8,7 +10,6 @@ use axum::{
 use axum_extra::headers;
 use futures_util::StreamExt;
 use hyper::StatusCode;
-use lapdev_db::entities;
 use lapdev_rpc::error::ApiError;
 use uuid::Uuid;
 
@@ -19,7 +20,7 @@ pub async fn handle_websocket(
     query: Option<&str>,
     websocket: WebSocketUpgrade,
     cookies: headers::Cookie,
-    state: CoreState,
+    state: Arc<CoreState>,
 ) -> Result<Response, ApiError> {
     if path == "/ws" {
         let ws_name = query
@@ -44,7 +45,6 @@ pub async fn handle_websocket(
                 state.conductor.cleanup_workspace_updates(ws.id).await;
             })
             .into_response();
-        println!("websocket finished");
         return Ok(resp);
     } else if path == "/all_workspaces_ws" {
         let user = state.authenticate(&cookies).await?;
@@ -54,7 +54,6 @@ pub async fn handle_websocket(
                 state.conductor.cleanup_all_workspace_updates(user.id).await;
             })
             .into_response();
-        println!("websocket finished");
         return Ok(resp);
     }
 
@@ -67,17 +66,17 @@ async fn handle_workspace_updates(ws_id: Uuid, socket: &mut WebSocket, state: &C
         tokio::select! {
             incoming = socket.recv() => {
                 if incoming.is_none() {
-                    println!("websocket closed by client");
+                    tracing::debug!("websocket closed by client");
                     return;
                 }
             }
             msg = rx.next() => {
                 if let Some(msg) = msg {
                     if let Ok(c) = serde_json::to_string(&msg) {
-                        let _ = socket.send(Message::Text(c)).await;
+                        let _ = socket.send(Message::Text(c.into())).await;
                     }
                 } else {
-                    println!("workspace update messages stopped");
+                    tracing::debug!("workspace update messages stopped");
                     return;
                 }
             }
@@ -86,7 +85,7 @@ async fn handle_workspace_updates(ws_id: Uuid, socket: &mut WebSocket, state: &C
 }
 
 async fn handle_all_workspaces_update(
-    user: &entities::user::Model,
+    user: &lapdev_db_entities::user::Model,
     socket: &mut WebSocket,
     state: &CoreState,
 ) {
@@ -95,17 +94,17 @@ async fn handle_all_workspaces_update(
         tokio::select! {
             incoming = socket.recv() => {
                 if incoming.is_none() {
-                    println!("websocket closed by client");
+                    tracing::debug!("websocket closed by client");
                     return;
                 }
             }
             msg = rx.next() => {
                 if let Some(msg) = msg {
                     if let Ok(c) = serde_json::to_string(&msg) {
-                        let _ = socket.send(Message::Text(c)).await;
+                        let _ = socket.send(Message::Text(c.into())).await;
                     }
                 } else {
-                    println!("workspace update messages stopped");
+                    tracing::debug!("workspace update messages stopped");
                     return;
                 }
             }
diff --git a/crates/api/src/websocket_socket.rs b/crates/api/src/websocket_socket.rs
new file mode 100644
index 0000000..df051d1
--- /dev/null
+++ b/crates/api/src/websocket_socket.rs
@@ -0,0 +1,73 @@
+use std::{
+    io,
+    pin::Pin,
+    task::{Context, Poll},
+};
+
+use axum::extract::ws::{Message, WebSocket};
+use bytes::Bytes;
+use futures::{Sink, Stream};
+use futures_util::StreamExt;
+use pin_project::pin_project;
+
+/// Adapter that exposes an Axum `WebSocket` as a binary sink/stream.
+#[pin_project]
+pub struct AxumBinarySocket {
+    #[pin]
+    inner: WebSocket,
+}
+
+impl AxumBinarySocket {
+    pub fn new(socket: WebSocket) -> Self {
+        Self { inner: socket }
+    }
+}
+
+impl Stream for AxumBinarySocket {
+    type Item = Result<Bytes, io::Error>;
+
+    fn poll_next(self: Pin<&mut Self>, cx: &mut Context<'_>) -> Poll<Option<Self::Item>> {
+        let mut this = self.project();
+        loop {
+            match futures::ready!(this.inner.as_mut().poll_next_unpin(cx)) {
+                Some(Ok(Message::Binary(data))) => return Poll::Ready(Some(Ok(data))),
+                Some(Ok(Message::Close(_))) => return Poll::Ready(None),
+                Some(Ok(_)) => continue,
+                Some(Err(err)) => return Poll::Ready(Some(Err(io::Error::other(err)))),
+                None => return Poll::Ready(None),
+            }
+        }
+    }
+}
+
+impl Sink<Bytes> for AxumBinarySocket {
+    type Error = io::Error;
+
+    fn poll_ready(self: Pin<&mut Self>, cx: &mut Context<'_>) -> Poll<Result<(), Self::Error>> {
+        self.project()
+            .inner
+            .poll_ready(cx)
+            .map_err(io::Error::other)
+    }
+
+    fn start_send(self: Pin<&mut Self>, item: Bytes) -> Result<(), Self::Error> {
+        self.project()
+            .inner
+            .start_send(Message::Binary(item))
+            .map_err(io::Error::other)
+    }
+
+    fn poll_flush(self: Pin<&mut Self>, cx: &mut Context<'_>) -> Poll<Result<(), Self::Error>> {
+        self.project()
+            .inner
+            .poll_flush(cx)
+            .map_err(io::Error::other)
+    }
+
+    fn poll_close(self: Pin<&mut Self>, cx: &mut Context<'_>) -> Poll<Result<(), Self::Error>> {
+        self.project()
+            .inner
+            .poll_close(cx)
+            .map_err(io::Error::other)
+    }
+}
diff --git a/lapdev-api/src/workspace.rs b/crates/api/src/workspace.rs
similarity index 94%
rename from lapdev-api/src/workspace.rs
rename to crates/api/src/workspace.rs
index c43df07..a88b028 100644
--- a/lapdev-api/src/workspace.rs
+++ b/crates/api/src/workspace.rs
@@ -1,4 +1,4 @@
-use std::{cmp::Ordering, collections::HashMap, str::FromStr};
+use std::{cmp::Ordering, collections::HashMap, str::FromStr, sync::Arc};
 
 use anyhow::Result;
 use axum::{
@@ -14,7 +14,7 @@ use lapdev_common::{
     AuditAction, AuditResourceKind, NewWorkspace, RepoBuildResult, UpdateWorkspacePort,
     WorkspaceInfo, WorkspacePort, WorkspaceService, WorkspaceStatus, WorkspaceUpdateEvent,
 };
-use lapdev_db::{api::LAPDEV_PIN_UNPIN_ERROR, entities};
+use lapdev_db::api::LAPDEV_PIN_UNPIN_ERROR;
 use lapdev_rpc::error::ApiError;
 use sea_orm::{
     ActiveModelTrait, ActiveValue, ColumnTrait, EntityTrait, QueryFilter, TransactionTrait,
@@ -28,7 +28,7 @@ pub async fn create_workspace(
     info: RequestInfo,
     TypedHeader(cookie): TypedHeader<Cookie>,
     Path(org_id): Path<Uuid>,
-    State(state): State<CoreState>,
+    State(state): State<Arc<CoreState>>,
     Json(workspace): Json<NewWorkspace>,
 ) -> Result<Response, ApiError> {
     let user = state.authenticate(&cookie).await?;
@@ -50,7 +50,7 @@ pub async fn create_workspace(
 }
 
 pub async fn all_workspaces(
-    State(state): State<CoreState>,
+    State(state): State<Arc<CoreState>>,
     Path(org_id): Path<Uuid>,
     TypedHeader(cookie): TypedHeader<Cookie>,
 ) -> Result<Json<Vec<WorkspaceInfo>>, ApiError> {
@@ -121,7 +121,7 @@ pub async fn all_workspaces(
 pub async fn delete_workspace(
     TypedHeader(cookie): TypedHeader<Cookie>,
     Path((org_id, workspace_name)): Path<(Uuid, String)>,
-    State(state): State<CoreState>,
+    State(state): State<Arc<CoreState>>,
     info: RequestInfo,
 ) -> Result<Response, ApiError> {
     let user = state.authenticate(&cookie).await?;
@@ -149,7 +149,7 @@ pub async fn delete_workspace(
 pub async fn get_workspace(
     TypedHeader(cookie): TypedHeader<Cookie>,
     Path((org_id, workspace_name)): Path<(Uuid, String)>,
-    State(state): State<CoreState>,
+    State(state): State<Arc<CoreState>>,
 ) -> Result<Json<WorkspaceInfo>, ApiError> {
     let user = state.authenticate(&cookie).await?;
     state
@@ -167,9 +167,9 @@ pub async fn get_workspace(
     }
 
     let services = if ws.is_compose && ws.compose_parent.is_none() {
-        entities::workspace::Entity::find()
-            .filter(entities::workspace::Column::DeletedAt.is_null())
-            .filter(entities::workspace::Column::ComposeParent.eq(ws.id))
+        lapdev_db_entities::workspace::Entity::find()
+            .filter(lapdev_db_entities::workspace::Column::DeletedAt.is_null())
+            .filter(lapdev_db_entities::workspace::Column::ComposeParent.eq(ws.id))
             .all(&state.db.conn)
             .await?
             .into_iter()
@@ -216,7 +216,7 @@ pub async fn get_workspace(
 pub async fn start_workspace(
     TypedHeader(cookie): TypedHeader<Cookie>,
     Path((org_id, workspace_name)): Path<(Uuid, String)>,
-    State(state): State<CoreState>,
+    State(state): State<Arc<CoreState>>,
     info: RequestInfo,
 ) -> Result<Response, ApiError> {
     let user = state.authenticate(&cookie).await?;
@@ -250,7 +250,7 @@ pub async fn start_workspace(
 pub async fn stop_workspace(
     TypedHeader(cookie): TypedHeader<Cookie>,
     Path((org_id, workspace_name)): Path<(Uuid, String)>,
-    State(state): State<CoreState>,
+    State(state): State<Arc<CoreState>>,
     info: RequestInfo,
 ) -> Result<Response, ApiError> {
     let user = state.authenticate(&cookie).await?;
@@ -284,7 +284,7 @@ pub async fn stop_workspace(
 pub async fn pin_workspace(
     TypedHeader(cookie): TypedHeader<Cookie>,
     Path((org_id, workspace_name)): Path<(Uuid, String)>,
-    State(state): State<CoreState>,
+    State(state): State<Arc<CoreState>>,
     info: RequestInfo,
 ) -> Result<Response, ApiError> {
     let user = state.authenticate(&cookie).await?;
@@ -343,7 +343,7 @@ pub async fn pin_workspace(
             info.user_agent.clone(),
         )
         .await?;
-    let ws = entities::workspace::ActiveModel {
+    let ws = lapdev_db_entities::workspace::ActiveModel {
         id: ActiveValue::Set(ws.id),
         pinned: ActiveValue::Set(true),
         ..Default::default()
@@ -368,7 +368,7 @@ pub async fn pin_workspace(
 pub async fn unpin_workspace(
     TypedHeader(cookie): TypedHeader<Cookie>,
     Path((org_id, workspace_name)): Path<(Uuid, String)>,
-    State(state): State<CoreState>,
+    State(state): State<Arc<CoreState>>,
     info: RequestInfo,
 ) -> Result<Response, ApiError> {
     let user = state.authenticate(&cookie).await?;
@@ -427,7 +427,7 @@ pub async fn unpin_workspace(
             info.user_agent.clone(),
         )
         .await?;
-    let ws = entities::workspace::ActiveModel {
+    let ws = lapdev_db_entities::workspace::ActiveModel {
         id: ActiveValue::Set(ws.id),
         pinned: ActiveValue::Set(false),
         ..Default::default()
@@ -452,7 +452,7 @@ pub async fn unpin_workspace(
 pub async fn rebuild_workspace(
     TypedHeader(cookie): TypedHeader<Cookie>,
     Path((org_id, workspace_name)): Path<(Uuid, String)>,
-    State(state): State<CoreState>,
+    State(state): State<Arc<CoreState>>,
     info: RequestInfo,
 ) -> Result<Response, ApiError> {
     let user = state.authenticate(&cookie).await?;
@@ -480,7 +480,7 @@ pub async fn rebuild_workspace(
 pub async fn workspace_ports(
     TypedHeader(cookie): TypedHeader<Cookie>,
     Path((org_id, workspace_name)): Path<(Uuid, String)>,
-    State(state): State<CoreState>,
+    State(state): State<Arc<CoreState>>,
 ) -> Result<Response, ApiError> {
     let user = state.authenticate(&cookie).await?;
     state
@@ -514,7 +514,7 @@ pub async fn workspace_ports(
 pub async fn update_workspace_port(
     TypedHeader(cookie): TypedHeader<Cookie>,
     Path((org_id, workspace_name, port)): Path<(Uuid, String, u16)>,
-    State(state): State<CoreState>,
+    State(state): State<Arc<CoreState>>,
     info: RequestInfo,
     Json(update_workspace_port): Json<UpdateWorkspacePort>,
 ) -> Result<Response, ApiError> {
@@ -556,7 +556,7 @@ pub async fn update_workspace_port(
             info.user_agent.clone(),
         )
         .await?;
-    entities::workspace_port::ActiveModel {
+    lapdev_db_entities::workspace_port::ActiveModel {
         id: ActiveValue::Set(port.id),
         shared: ActiveValue::Set(update_workspace_port.shared),
         public: ActiveValue::Set(update_workspace_port.public),
diff --git a/crates/cli/Cargo.toml b/crates/cli/Cargo.toml
new file mode 100644
index 0000000..3f66c13
--- /dev/null
+++ b/crates/cli/Cargo.toml
@@ -0,0 +1,48 @@
+[package]
+name = "lapdev-cli"
+version.workspace = true
+authors.workspace = true
+edition.workspace = true
+license.workspace = true
+description = "Lapdev CLI - Command line interface for Lapdev"
+
+[[bin]]
+name = "lapdev-cli"
+path = "src/main.rs"
+
+[dependencies]
+# Workspace dependencies
+clap = { workspace = true, features = ["env"] }
+anyhow.workspace = true
+thiserror.workspace = true
+uuid.workspace = true
+chrono.workspace = true
+serde.workspace = true
+serde_json.workspace = true
+reqwest.workspace = true
+tokio = { workspace = true, features = ["net", "signal", "io-util", "fs"] }
+tracing.workspace = true
+tracing-subscriber.workspace = true
+tokio-tungstenite.workspace = true
+tarpc.workspace = true
+lapdev-devbox-rpc.workspace = true
+lapdev-rpc.workspace = true
+futures.workspace = true
+lapdev-tunnel.workspace = true
+lapdev-common.workspace = true
+quinn.workspace = true
+
+# CLI-specific dependencies
+keyring = { version = "3.6.1", features = ["apple-native", "windows-native", "linux-native"] }
+webbrowser = "1.0.2"
+colored = "2.1.0"
+hostname = "0.4.0"
+futures-util = "0.3"
+tokio-util = { version = "0.7", features = ["codec"] }
+bytes = "1.5"
+http = "1.1"
+urlencoding = "2.1.3"
+tempfile.workspace = true
+windows-sys = { version = "0.59.0", features = ["Win32_Storage_FileSystem"] }
+tracing-appender.workspace = true
+dirs = "6.0.0"
diff --git a/crates/cli/src/api/client.rs b/crates/cli/src/api/client.rs
new file mode 100644
index 0000000..2bf3f64
--- /dev/null
+++ b/crates/cli/src/api/client.rs
@@ -0,0 +1,107 @@
+use anyhow::{Context, Result};
+use reqwest::{Client, StatusCode};
+use serde::Deserialize;
+use uuid::Uuid;
+
+pub struct LapdevClient {
+    client: Client,
+    base_url: String,
+    token: Option<String>,
+}
+
+#[derive(Debug, Deserialize)]
+pub struct CliTokenResponse {
+    pub token: String,
+    pub expires_in: u32,
+}
+
+#[derive(Debug, Deserialize)]
+pub struct WhoamiResponse {
+    pub user_id: Uuid,
+    pub email: String,
+    pub name: Option<String>,
+    pub organization_id: Uuid,
+    pub device_name: String,
+    pub authenticated_at: Option<String>,
+    pub expires_at: Option<String>,
+}
+
+impl LapdevClient {
+    pub fn new(base_url: String) -> Self {
+        Self {
+            client: Client::new(),
+            base_url,
+            token: None,
+        }
+    }
+
+    pub fn with_token(mut self, token: String) -> Self {
+        self.token = Some(token);
+        self
+    }
+
+    /// Poll for CLI token after browser auth
+    /// Returns Ok(Some(response)) if token is ready
+    /// Returns Ok(None) if still pending (404)
+    /// Returns Err for other errors
+    pub async fn poll_cli_token(&self, session_id: Uuid) -> Result<Option<CliTokenResponse>> {
+        let url = format!(
+            "{}/api/v1/auth/cli/token?session_id={}",
+            self.base_url, session_id
+        );
+
+        let resp = self
+            .client
+            .get(&url)
+            .send()
+            .await
+            .context("Failed to send token poll request")?;
+
+        match resp.status() {
+            StatusCode::OK => {
+                let token_resp = resp
+                    .json()
+                    .await
+                    .context("Failed to parse token response")?;
+                Ok(Some(token_resp))
+            }
+            StatusCode::NOT_FOUND => Ok(None),
+            status => Err(anyhow::anyhow!(
+                "Unexpected status code from server: {}",
+                status
+            )),
+        }
+    }
+
+    /// Get current user info
+    pub async fn whoami(&self) -> Result<WhoamiResponse> {
+        let token = self
+            .token
+            .as_ref()
+            .context("Not authenticated. Please run 'lapdev devbox login' first.")?;
+
+        let resp = self
+            .client
+            .get(format!("{}/api/v1/devbox/whoami", self.base_url))
+            .header("Authorization", format!("Bearer {}", token))
+            .send()
+            .await
+            .context("Failed to send whoami request")?;
+
+        if !resp.status().is_success() {
+            let status = resp.status();
+            let text = resp.text().await.unwrap_or_default();
+            anyhow::bail!(
+                "Request failed with status {}: {}",
+                status,
+                if text.is_empty() {
+                    "No error message"
+                } else {
+                    &text
+                }
+            );
+        }
+
+        resp.json().await.context("Failed to parse whoami response")
+    }
+}
diff --git a/crates/cli/src/api/mod.rs b/crates/cli/src/api/mod.rs
new file mode 100644
index 0000000..b9babe5
--- /dev/null
+++ b/crates/cli/src/api/mod.rs
@@ -0,0 +1 @@
+pub mod client;
diff --git a/crates/cli/src/auth.rs b/crates/cli/src/auth.rs
new file mode 100644
index 0000000..1a0fe88
--- /dev/null
+++ b/crates/cli/src/auth.rs
@@ -0,0 +1,41 @@
+use anyhow::{Context, Result};
+
+const SERVICE_NAME: &str = "dev.lap.cli";
+
+/// Store authentication token in OS keychain
+/// - macOS: Keychain
+/// - Linux: Secret Service (GNOME Keyring / KWallet)
+/// - Windows: Credential Manager
+pub fn store_token(api_host: &str, token: &str) -> Result<()> {
+    let entry =
+        keyring::Entry::new(SERVICE_NAME, api_host).context("Failed to create keychain entry")?;
+    entry
+        .set_password(token)
+        .context("Failed to store token in keychain")?;
+    Ok(())
+}
+
+/// Retrieve authentication token from OS keychain
+pub fn get_token(api_host: &str) -> Result<String> {
+    let entry =
+        keyring::Entry::new(SERVICE_NAME, api_host).context("Failed to create keychain entry")?;
+    let token = entry
+        .get_password()
+        .context("No authentication token found. Please run 'lapdev devbox login' first.")?;
+    Ok(token)
+}
+
+/// Delete authentication token from OS keychain
+pub fn delete_token(api_host: &str) -> Result<()> {
+    let entry =
+        keyring::Entry::new(SERVICE_NAME, api_host).context("Failed to create keychain entry")?;
+    entry
+        .delete_credential()
+        .context("Failed to delete token from keychain")?;
+    Ok(())
+}
+
+/// Check if a token exists in the keychain
+pub fn has_token(api_host: &str) -> bool {
+    get_token(api_host).is_ok()
+}
diff --git a/crates/cli/src/config.rs b/crates/cli/src/config.rs
new file mode 100644
index 0000000..b851eac
--- /dev/null
+++ b/crates/cli/src/config.rs
@@ -0,0 +1,15 @@
+use lapdev_common::utils::resolve_api_host;
+
+/// Resolve the Lapdev API host and base HTTPS URL.
+///
+/// Preference order:
+/// 1. CLI argument (`--api-host`)
+/// 2. `LAPDEV_API_HOST` environment variable
+/// 3. Built-in default (`lapdev_common::LAPDEV_API_HOST`)
+pub fn resolve_api_base_url(arg_host: Option<String>) -> (String, String) {
+    let candidate = arg_host.or_else(|| std::env::var("LAPDEV_API_HOST").ok());
+
+    let host = resolve_api_host(candidate.as_deref());
+    let base_url = format!("https://{}", host);
+    (host, base_url)
+}
diff --git a/crates/cli/src/devbox/commands/connect.rs b/crates/cli/src/devbox/commands/connect.rs
new file mode 100644
index 0000000..5dc72ab
--- /dev/null
+++ b/crates/cli/src/devbox/commands/connect.rs
@@ -0,0 +1,1344 @@
+use anyhow::{Context, Result};
+use chrono::Utc;
+use colored::Colorize;
+use futures::StreamExt;
+use lapdev_common::devbox::{DirectTunnelConfig, DirectTunnelCredential};
+use lapdev_devbox_rpc::{DevboxClientRpc, DevboxSessionRpcClient};
+use lapdev_rpc::spawn_twoway;
+use lapdev_tunnel::direct::DirectEndpoint;
+use lapdev_tunnel::{
+    run_tunnel_server, websocket_serde_transport, RelayEndpoint, TunnelClient, TunnelError,
+};
+use std::{
+    collections::{HashMap, HashSet},
+    net::SocketAddr,
+    sync::Arc,
+    time::Duration,
+};
+use tarpc::server::{BaseChannel, Channel};
+use tokio::{
+    signal,
+    sync::{mpsc, oneshot, Mutex, RwLock},
+    task::JoinHandle,
+    time::{sleep, timeout, MissedTickBehavior},
+};
+use tokio_tungstenite::tungstenite::client::IntoClientRequest;
+use uuid::Uuid;
+
+use crate::{
+    auth,
+    devbox::dns::{
+        is_tcp_protocol, HostsManager, ServiceBridge, ServiceBridgeStartReport, ServiceEndpoint,
+        SyntheticIpAllocator,
+    },
+};
+
+const DEVBOX_HEARTBEAT_INTERVAL_SECS: u64 = 30;
+const DEVBOX_HEARTBEAT_TIMEOUT_SECS: u64 = 10;
+
+#[derive(Debug)]
+enum HeartbeatEvent {
+    Failed(String),
+    TimedOut,
+}
+
+/// Execute the devbox connect command
+pub async fn execute(api_host: &str) -> Result<()> {
+    let tunnel_manager = DevboxTunnelManager::new(api_host)
+        .await
+        .map_err(|err| anyhow::anyhow!("Failed to initialize Devbox tunnel manager: {}", err))?;
+
+    // Load token from keychain, or prompt for login if not found
+    let token = match auth::get_token(tunnel_manager.api_host()) {
+        Ok(token) => token,
+        Err(_) => {
+            // No token found, run login flow
+            println!(
+                "{}",
+                "No authentication token found. Starting login...".yellow()
+            );
+            println!();
+
+            // Run login
+            super::login::execute(tunnel_manager.api_host(), None).await?;
+
+            // Retrieve the newly stored token
+            auth::get_token(tunnel_manager.api_host())
+                .context("Failed to load authentication token after login")?
+        }
+    };
+
+    // Check hosts file permissions early and warn user
+    tunnel_manager.check_and_warn_permissions();
+
+    let mut backoff = Duration::from_secs(1);
+    let mut is_first_connection = true;
+
+    {
+        let tunnel_manager = tunnel_manager.clone();
+        loop {
+            match tunnel_manager
+                .connect_and_run_rpc(&token, is_first_connection)
+                .await
+            {
+                Ok(should_exit) => {
+                    if should_exit {
+                        // Clean exit (Ctrl+C or session displaced)
+                        break;
+                    }
+                    // Otherwise fall through to retry
+                    tracing::info!("RPC connection closed, will retry...");
+                }
+                Err(e) => {
+                    if is_first_connection {
+                        // On first connection, fail fast for auth errors
+                        return Err(e);
+                    }
+                    eprintln!("{} Connection error: {}", "⚠".yellow(), e);
+                }
+            }
+
+            is_first_connection = false;
+
+            // Wait before reconnecting
+            println!(
+                "{} Reconnecting in {} seconds...",
+                "🔄".cyan(),
+                backoff.as_secs()
+            );
+            tokio::select! {
+                _ = signal::ctrl_c() => {
+                    println!("\n{}", "Received Ctrl+C, disconnecting...".yellow());
+                    break;
+                }
+                _ = sleep(backoff) => {
+                    backoff = (backoff.saturating_mul(2)).min(Duration::from_secs(30));
+                }
+            }
+        }
+    }
+
+    tunnel_manager.cleanup_dns().await;
+    tunnel_manager.shutdown().await;
+
+    Ok(())
+}
+
+/// RPC server implementation for the CLI
+/// This handles incoming calls from the server
+#[derive(Clone)]
+struct DevboxClientRpcServer {
+    shutdown_tx: mpsc::UnboundedSender<ShutdownSignal>,
+    env_change_tx: mpsc::UnboundedSender<Option<lapdev_devbox_rpc::DevboxEnvironmentInfo>>,
+    tunnel_manager: DevboxTunnelManager,
+}
+
+impl DevboxClientRpcServer {
+    fn new(
+        shutdown_tx: mpsc::UnboundedSender<ShutdownSignal>,
+        env_change_tx: mpsc::UnboundedSender<Option<lapdev_devbox_rpc::DevboxEnvironmentInfo>>,
+        tunnel_manager: DevboxTunnelManager,
+    ) -> Self {
+        Self {
+            shutdown_tx,
+            env_change_tx,
+            tunnel_manager,
+        }
+    }
+}
+
+impl DevboxClientRpc for DevboxClientRpcServer {
+    async fn session_displaced(self, _context: tarpc::context::Context, new_device_name: String) {
+        let shutdown_tx = self.shutdown_tx;
+
+        let _ = shutdown_tx.send(ShutdownSignal::Displaced(new_device_name.clone()));
+
+        tracing::warn!("Session displaced by: {}", new_device_name);
+    }
+
+    async fn environment_changed(
+        self,
+        _context: tarpc::context::Context,
+        environment: Option<lapdev_devbox_rpc::DevboxEnvironmentInfo>,
+    ) {
+        tracing::info!("environment_changed RPC handler called");
+        let env_change_tx = self.env_change_tx;
+
+        if let Some(ref env) = environment {
+            println!(
+                "\n{} Environment changed to: {} ({} / {})",
+                "🔄".cyan(),
+                env.environment_name.bright_white(),
+                env.cluster_name.cyan(),
+                env.namespace.cyan()
+            );
+            tracing::info!(
+                "Active environment changed to: {} ({})",
+                env.environment_id,
+                env.namespace
+            );
+        } else {
+            println!("\n{} Active environment cleared", "🔄".cyan());
+            tracing::info!("Active environment cleared");
+        }
+
+        match env_change_tx.send(environment.clone()) {
+            Ok(_) => {
+                tracing::info!("Successfully sent environment change to main loop");
+            }
+            Err(e) => {
+                tracing::error!("Failed to send environment change to main loop: {:?}", e);
+            }
+        }
+    }
+
+    async fn ping(self, _context: tarpc::context::Context) -> Result<(), String> {
+        tracing::trace!("Received ping");
+        Ok(())
+    }
+
+    async fn request_direct_config(
+        self,
+        _context: tarpc::context::Context,
+        user_id: Uuid,
+        stun_observed_addr: Option<SocketAddr>,
+    ) -> Result<Option<DirectTunnelConfig>, String> {
+        self.tunnel_manager
+            .build_direct_channel_config(user_id, stun_observed_addr)
+            .await
+    }
+}
+
+enum ShutdownSignal {
+    Displaced(String),
+}
+
+#[derive(Clone)]
+struct DevboxTunnelManager {
+    api_host: Arc<String>,
+    ws_base: Arc<String>,
+    intercept_task: Arc<Mutex<Option<TunnelTask>>>,
+    client_task: Arc<Mutex<Option<TunnelTask>>>,
+    active_environment: Arc<Mutex<Option<Uuid>>>,
+    direct_endpoint: Arc<DirectEndpoint>,
+    /// Shared tunnel client for DNS service bridge
+    tunnel_client: Arc<RwLock<Option<Arc<TunnelClient>>>>,
+    /// Service bridge for DNS resolution
+    service_bridge: Arc<ServiceBridge>,
+    /// Hosts file manager
+    hosts_manager: Arc<HostsManager>,
+    /// IP allocator
+    ip_allocator: Arc<Mutex<SyntheticIpAllocator>>,
+    client_token: Arc<RwLock<Option<String>>>,
+    client_user_id: Arc<RwLock<Option<Uuid>>>,
+}
+
+impl DevboxTunnelManager {
+    async fn new(api_host: impl Into<String>) -> Result<Self, TunnelError> {
+        let api_host = api_host.into();
+        let api_host = api_host.trim().trim_end_matches('/').to_string();
+        let ws_base = format!("wss://{}", api_host);
+        let tunnel_client = Arc::new(RwLock::new(None));
+        let direct_endpoint = Arc::new(DirectEndpoint::bind().await?);
+
+        {
+            let direct_endpoint = direct_endpoint.clone();
+            tokio::spawn(async move {
+                direct_endpoint.start_tunnel_server().await;
+            });
+        }
+
+        Ok(Self {
+            api_host: Arc::new(api_host),
+            ws_base: Arc::new(ws_base),
+            intercept_task: Arc::new(Mutex::new(None)),
+            client_task: Arc::new(Mutex::new(None)),
+            active_environment: Arc::new(Mutex::new(None)),
+            direct_endpoint,
+            tunnel_client: tunnel_client.clone(),
+            service_bridge: Arc::new(ServiceBridge::new(tunnel_client)),
+            hosts_manager: Arc::new(HostsManager::new()),
+            ip_allocator: Arc::new(Mutex::new(SyntheticIpAllocator::new())),
+            client_token: Arc::new(RwLock::new(None)),
+            client_user_id: Arc::new(RwLock::new(None)),
+        })
+    }
+
+    fn api_host(&self) -> &str {
+        self.api_host.as_str()
+    }
+
+    fn ws_base(&self) -> &str {
+        self.ws_base.as_str()
+    }
+
+    async fn connect_and_run_rpc(&self, token: &str, is_first_connection: bool) -> Result<bool> {
+        if is_first_connection {
+            println!("{}", "🔌 Connecting to Lapdev devbox...".cyan());
+        } else {
+            println!("{}", "🔌 Reconnecting to Lapdev devbox...".cyan());
+        }
+
+        // Construct WebSocket URL
+        let ws_url = format!("{}/api/v1/kube/devbox/rpc", self.ws_base());
+
+        tracing::info!("Connecting to: {}", ws_url);
+
+        // Create WebSocket request with authentication
+        let mut request = ws_url
+            .into_client_request()
+            .context("Failed to create WebSocket request")?;
+
+        // Add authentication header
+        let headers = request.headers_mut();
+        headers.insert(
+            "Authorization",
+            format!("Bearer {}", token)
+                .parse()
+                .context("Failed to parse authorization header")?,
+        );
+
+        // TODO: Add client version header
+        // headers.insert("X-Lapdev-Client-Version", env!("CARGO_PKG_VERSION").parse()?);
+
+        // Connect WebSocket
+        let (stream, _response) = tokio_tungstenite::connect_async(request)
+            .await
+            .context("Failed to establish WebSocket connection")?;
+
+        println!("{}", "✓ WebSocket connection established".green());
+
+        // Create transport layer
+        // Set up bidirectional RPC over the websocket stream
+        let transport =
+            websocket_serde_transport(stream, tarpc::tokio_serde::formats::Bincode::default());
+        let (server_chan, client_chan, _abort_handle) = spawn_twoway(transport);
+
+        // Create channels for this connection
+        let (shutdown_tx, mut shutdown_rx) = mpsc::unbounded_channel::<ShutdownSignal>();
+        let (env_change_tx, mut env_change_rx) =
+            mpsc::unbounded_channel::<Option<lapdev_devbox_rpc::DevboxEnvironmentInfo>>();
+
+        // Create RPC client (for calling server methods)
+        let rpc_client =
+            DevboxSessionRpcClient::new(tarpc::client::Config::default(), client_chan).spawn();
+
+        // Call whoami to get session info
+        let session_info = match rpc_client
+            .whoami(tarpc::context::current())
+            .await
+            .context("RPC call failed")?
+        {
+            Ok(info) => {
+                println!(
+                    "{} Connected as {} ({})",
+                    "✓".green(),
+                    info.email.bright_white().bold(),
+                    info.device_name.cyan()
+                );
+                println!(
+                    "  Session expires: {}",
+                    info.expires_at
+                        .format("%Y-%m-%d %H:%M:%S UTC")
+                        .to_string()
+                        .dimmed()
+                );
+                info
+            }
+            Err(e) => {
+                eprintln!("{} Failed to get session info: {}", "✗".red(), e);
+                return Err(anyhow::anyhow!("Authentication failed: {}", e));
+            }
+        };
+
+        // Create RPC server (for server to call us)
+        let client_rpc_server =
+            DevboxClientRpcServer::new(shutdown_tx.clone(), env_change_tx.clone(), self.clone());
+
+        // Spawn the RPC server task
+        let server_task = tokio::spawn(async move {
+            tracing::info!("Starting DevboxClientRpc server...");
+            BaseChannel::with_defaults(server_chan)
+                .execute(client_rpc_server.serve())
+                .for_each(|resp| async move {
+                    tokio::spawn(resp);
+                })
+                .await;
+            tracing::info!("DevboxClientRpc server stopped");
+        });
+
+        self.ensure_client(&rpc_client, token, session_info.user_id)
+            .await
+            .map_err(|e| anyhow::anyhow!("Failed to start client tunnel: {}", e))?;
+
+        if let Err(err) = self
+            .ensure_intercept(&rpc_client, token, session_info.user_id)
+            .await
+        {
+            tracing::error!(
+                user_id = %session_info.user_id,
+                "Failed to start intercept tunnel: {}",
+                err
+            );
+        }
+
+        {
+            let rpc_client = rpc_client.clone();
+            let env_change_tx = env_change_tx.clone();
+            tokio::spawn(async move {
+                let result = rpc_client
+                    .get_active_environment(tarpc::context::current())
+                    .await;
+                match result {
+                    Ok(Ok(env)) => {
+                        if env_change_tx.send(env).is_err() {
+                            tracing::debug!(
+                                "Failed to deliver initial active environment; receiver dropped"
+                            );
+                        }
+                    }
+                    Ok(Err(err)) => {
+                        eprintln!(
+                            "{} Failed to fetch active environment: {}",
+                            "⚠".yellow(),
+                            err
+                        );
+                    }
+                    Err(err) => {
+                        eprintln!(
+                            "{} Failed to fetch active environment: {}",
+                            "⚠".yellow(),
+                            err
+                        );
+                    }
+                }
+            });
+        }
+
+        if is_first_connection {
+            println!("{}", "\n✓ Connected and ready".green());
+            println!("{}", "  Press Ctrl+C to disconnect".dimmed());
+        } else {
+            println!("{}", "✓ Reconnected successfully".green());
+        }
+
+        let mut server_task = server_task;
+        let mut should_exit = false;
+        let (heartbeat_event_tx, mut heartbeat_event_rx) =
+            mpsc::unbounded_channel::<HeartbeatEvent>();
+        let (mut heartbeat_task, heartbeat_cancel_tx) = Self::spawn_heartbeat_task(
+            rpc_client.clone(),
+            session_info.user_id,
+            heartbeat_event_tx,
+        );
+
+        loop {
+            tokio::select! {
+                heartbeat_event = heartbeat_event_rx.recv() => {
+                    self.handle_heartbeat_event(session_info.user_id, heartbeat_event);
+                    break;
+                }
+                res = &mut server_task => {
+                    self.handle_server_task_result(res);
+                    break;
+                }
+                _ = signal::ctrl_c() => {
+                    println!("\n{}", "Received Ctrl+C, disconnecting...".yellow());
+                    should_exit = true;
+                    break;
+                }
+                maybe_signal = shutdown_rx.recv() => {
+                    if self.handle_shutdown_signal(maybe_signal) {
+                        should_exit = true;
+                    }
+                    break;
+                }
+                notification = env_change_rx.recv() => {
+                    match notification {
+                        Some(env) => {
+                            tracing::info!("Event loop received environment change notification");
+                            self
+                                .handle_environment_notification(env, &rpc_client, &session_info)
+                                .await;
+                        }
+                        None => {
+                            tracing::warn!("Environment change channel closed unexpectedly");
+                            break;
+                        }
+                    }
+                }
+            }
+        }
+
+        if !server_task.is_finished() {
+            server_task.abort();
+        }
+        if !heartbeat_task.is_finished() {
+            let _ = heartbeat_cancel_tx.send(());
+        }
+        if let Err(err) = heartbeat_task.await {
+            tracing::warn!("Heartbeat task join error: {}", err);
+        }
+
+        // Return true if we should exit completely, false to retry connection
+        Ok(should_exit)
+    }
+
+    fn handle_heartbeat_event(&self, user_id: Uuid, event: Option<HeartbeatEvent>) {
+        match event {
+            Some(HeartbeatEvent::Failed(err)) => {
+                tracing::warn!(
+                    user_id = %user_id,
+                    error = %err,
+                    "Devbox session heartbeat failed"
+                );
+                eprintln!(
+                    "{} Connection heartbeat lost ({}), reconnecting...",
+                    "⚠".yellow(),
+                    err
+                );
+            }
+            Some(HeartbeatEvent::TimedOut) => {
+                tracing::warn!(
+                    user_id = %user_id,
+                    timeout_secs = DEVBOX_HEARTBEAT_TIMEOUT_SECS,
+                    "Devbox session heartbeat timed out"
+                );
+                eprintln!(
+                    "{} Connection heartbeat timed out, reconnecting...",
+                    "⚠".yellow()
+                );
+            }
+            None => {
+                tracing::warn!(
+                    user_id = %user_id,
+                    "Heartbeat channel closed unexpectedly"
+                );
+                eprintln!("{} Heartbeat channel closed, reconnecting...", "⚠".yellow());
+            }
+        }
+    }
+
+    fn handle_server_task_result(&self, result: Result<(), tokio::task::JoinError>) {
+        match result {
+            Ok(()) => {
+                tracing::info!("RPC server task completed normally");
+            }
+            Err(err) => {
+                tracing::warn!("RPC server task failed: {}", err);
+            }
+        }
+    }
+
+    fn handle_shutdown_signal(&self, signal: Option<ShutdownSignal>) -> bool {
+        match signal {
+            Some(ShutdownSignal::Displaced(device)) => {
+                println!(
+                    "\n{} Session displaced by new login from: {}",
+                    "⚠".yellow(),
+                    device.bright_white()
+                );
+                true
+            }
+            None => {
+                tracing::warn!("Shutdown channel closed unexpectedly");
+                false
+            }
+        }
+    }
+
+    async fn handle_environment_notification(
+        &self,
+        environment: Option<lapdev_devbox_rpc::DevboxEnvironmentInfo>,
+        rpc_client: &DevboxSessionRpcClient,
+        session_info: &lapdev_devbox_rpc::DevboxSessionInfo,
+    ) {
+        {
+            *self.active_environment.lock().await = environment.as_ref().map(|e| e.environment_id);
+        }
+
+        match environment {
+            Some(env) => {
+                self.process_active_environment(env, rpc_client, session_info)
+                    .await;
+            }
+            None => {
+                self.process_environment_cleared().await;
+            }
+        }
+    }
+
+    async fn process_active_environment(
+        &self,
+        env: lapdev_devbox_rpc::DevboxEnvironmentInfo,
+        rpc_client: &DevboxSessionRpcClient,
+        session_info: &lapdev_devbox_rpc::DevboxSessionInfo,
+    ) {
+        println!(
+            "  Active environment: {} ({} / {})",
+            env.environment_name.bright_white(),
+            env.cluster_name.cyan(),
+            env.namespace.cyan()
+        );
+
+        self.print_device_intercepts(env.environment_id, rpc_client, session_info)
+            .await;
+
+        tracing::info!("Setting up DNS for environment {}", env.environment_id);
+        match self
+            .setup_dns_for_environment(env.environment_id, rpc_client)
+            .await
+        {
+            Ok(()) => tracing::info!("DNS setup completed successfully"),
+            Err(err) => eprintln!("{} Failed to refresh DNS: {}", "⚠".yellow(), err),
+        }
+
+        match self.restart_client_tunnel(rpc_client).await {
+            Ok(()) => {
+                tracing::info!(
+                    environment_id = %env.environment_id,
+                    "Client tunnel restarted after environment change"
+                );
+            }
+            Err(err) => {
+                tracing::warn!(
+                    environment_id = %env.environment_id,
+                    error = %err,
+                    "Failed to restart client tunnel after environment change"
+                );
+            }
+        }
+    }
+
+    async fn process_environment_cleared(&self) {
+        println!("{} No active environment selected", "ℹ".blue());
+        tracing::info!("Clearing DNS entries");
+        println!("{} Clearing DNS entries...", "🔧".cyan());
+        self.cleanup_dns().await;
+    }
+
+    async fn print_device_intercepts(
+        &self,
+        env_id: Uuid,
+        rpc_client: &DevboxSessionRpcClient,
+        session_info: &lapdev_devbox_rpc::DevboxSessionInfo,
+    ) {
+        match rpc_client
+            .list_workload_intercepts(tarpc::context::current(), env_id)
+            .await
+        {
+            Ok(Ok(intercepts)) => {
+                for intercept in intercepts {
+                    if intercept.device_name != session_info.device_name {
+                        continue;
+                    }
+                    let port_details = if intercept.port_mappings.is_empty() {
+                        "no port mappings".to_string()
+                    } else {
+                        intercept
+                            .port_mappings
+                            .iter()
+                            .map(|mapping| {
+                                format!(
+                                    "{} {} -> localhost:{}",
+                                    mapping.protocol.to_uppercase(),
+                                    mapping.workload_port,
+                                    mapping.local_port
+                                )
+                            })
+                            .collect::<Vec<_>>()
+                            .join(", ")
+                    };
+                    println!(
+                        "  {} Intercept active for {}/{} ({})",
+                        "↻".green(),
+                        intercept.namespace.bright_white(),
+                        intercept.workload_name.cyan(),
+                        port_details
+                    );
+                }
+            }
+            Ok(Err(err)) => {
+                eprintln!("{} Failed to list intercepts: {}", "⚠".yellow(), err);
+            }
+            Err(err) => {
+                eprintln!("{} Failed to list intercepts: {}", "⚠".yellow(), err);
+            }
+        }
+    }
+
+    /// Register a newly connected tunnel client and update shared state
+    async fn set_tunnel_client(&self, client: Arc<TunnelClient>) {
+        {
+            let mut guard = self.tunnel_client.write().await;
+            *guard = Some(Arc::clone(&client));
+        }
+    }
+
+    /// Clear the stored tunnel client if it matches the provided instance
+    async fn clear_tunnel_client(&self, client: &Arc<TunnelClient>) {
+        let mut guard = self.tunnel_client.write().await;
+        if guard
+            .as_ref()
+            .map_or(false, |current| Arc::ptr_eq(current, client))
+        {
+            *guard = None;
+        }
+    }
+
+    /// Check hosts file permissions and warn user if insufficient
+    fn check_and_warn_permissions(&self) {
+        if !self.hosts_manager.check_permissions() {
+            eprintln!();
+            eprintln!(
+                "{} {}",
+                "⚠".yellow(),
+                "Insufficient permissions to modify hosts file"
+                    .yellow()
+                    .bold()
+            );
+            eprintln!(
+                "  Service DNS resolution will not work without write access to the hosts file."
+            );
+            eprintln!();
+            if cfg!(unix) {
+                eprintln!("  To fix this, run the command with sudo:");
+                eprintln!("    {}", "sudo -E lapdev devbox connect".bright_white());
+            } else if cfg!(windows) {
+                eprintln!("  To fix this, run the command as Administrator:");
+                eprintln!("    Right-click the terminal and select 'Run as Administrator'");
+            }
+            eprintln!();
+            eprintln!(
+                "  Alternatively, you can manually add entries to the hosts file when prompted."
+            );
+            eprintln!();
+        }
+    }
+
+    /// Set up DNS for an environment by fetching services and configuring hosts/bridge
+    async fn setup_dns_for_environment(
+        &self,
+        env_id: Uuid,
+        rpc_client: &DevboxSessionRpcClient,
+    ) -> Result<()> {
+        println!("{} Setting up DNS for services...", "🔧".cyan());
+
+        // Check hosts file permissions upfront
+        if !self.hosts_manager.check_permissions() {
+            eprintln!("{} No write permission for hosts file", "⚠".yellow());
+            eprintln!(
+                "  DNS will not work until you grant permissions or manually update the hosts file."
+            );
+            if cfg!(unix) {
+                eprintln!("  Try running with: sudo -E lapdev devbox connect");
+            } else if cfg!(windows) {
+                eprintln!("  Try running as Administrator");
+            }
+            eprintln!();
+        }
+
+        // Fetch services for the environment
+        let services = match rpc_client
+            .list_services(tarpc::context::current(), env_id)
+            .await
+            .context("RPC call failed")?
+        {
+            Ok(services) => services,
+            Err(e) => {
+                eprintln!("{} Failed to fetch services: {}", "⚠".yellow(), e);
+                return Ok(());
+            }
+        };
+
+        if services.is_empty() {
+            println!("{} No services found in environment", "ℹ".blue());
+            return Ok(());
+        }
+
+        // Allocate synthetic IPs and create endpoints
+        let mut bridge_endpoints = Vec::new();
+        let mut hosts_endpoints = Vec::new();
+        let mut seen_services = HashSet::new();
+        let mut skipped_services = HashSet::new();
+        let mut skipped_endpoints = 0usize;
+        let mut skipped_non_tcp: HashMap<String, Vec<(u16, String)>> = HashMap::new();
+        let mut allocator = self.ip_allocator.lock().await;
+        allocator.clear();
+
+        for service in &services {
+            for port in &service.ports {
+                if !is_tcp_protocol(&port.protocol) {
+                    skipped_non_tcp
+                        .entry(format!("{}.{}", service.name, service.namespace))
+                        .or_default()
+                        .push((port.port, port.protocol.clone()));
+                    continue;
+                }
+
+                let service_key = format!("{}.{}", service.name, service.namespace);
+                if let Some(ip) = allocator.allocate(&service.name, &service.namespace) {
+                    let endpoint =
+                        ServiceEndpoint::new(service, port.port, port.protocol.clone(), ip);
+
+                    if seen_services.insert(service_key) {
+                        hosts_endpoints.push(endpoint.clone());
+                    }
+
+                    bridge_endpoints.push(endpoint);
+                } else {
+                    skipped_endpoints += 1;
+                    if skipped_services.insert(service_key.clone()) {
+                        tracing::warn!(
+                            service = %service.name,
+                            namespace = %service.namespace,
+                            "Synthetic IP pool exhausted; skipping service"
+                        );
+                    }
+                }
+            }
+        }
+        drop(allocator);
+
+        if !skipped_non_tcp.is_empty() {
+            let skipped_port_count: usize = skipped_non_tcp.values().map(|ports| ports.len()).sum();
+            let service_count = skipped_non_tcp.len();
+            eprintln!(
+                "{} Skipped {} non-TCP port(s) across {} service(s); UDP forwarding is not supported.",
+                "ℹ".blue(),
+                skipped_port_count,
+                service_count
+            );
+            for (service, ports) in skipped_non_tcp.iter() {
+                let formatted_ports: Vec<String> = ports
+                    .iter()
+                    .map(|(port, protocol)| format!("{}/{}", port, protocol.to_uppercase()))
+                    .collect();
+                eprintln!("    {}: {}", service, formatted_ports.join(", "));
+            }
+        }
+
+        println!(
+            "  {} service endpoint(s) allocated ({} host entry/entries)",
+            bridge_endpoints.len(),
+            hosts_endpoints.len()
+        );
+
+        if !skipped_services.is_empty() {
+            eprintln!(
+                "{} Synthetic IP pool exhausted. Skipped {} endpoint(s) across {} service(s).",
+                "⚠".yellow(),
+                skipped_endpoints,
+                skipped_services.len()
+            );
+            eprintln!(
+                "  Active connections may be incomplete. Please try reducing DNS scope or filing a support ticket."
+            );
+        }
+
+        let bridge_report: ServiceBridgeStartReport =
+            self.service_bridge.start(bridge_endpoints).await;
+
+        if !bridge_report.failed.is_empty() {
+            eprintln!(
+                "{} Failed to bind {} endpoint(s). These services will remain unresolved locally:",
+                "⚠".yellow(),
+                bridge_report.failed.len()
+            );
+            for (endpoint, err) in &bridge_report.failed {
+                eprintln!(
+                    "    {}/{}:{} ({}) - {}",
+                    endpoint.namespace,
+                    endpoint.service_name,
+                    endpoint.port,
+                    endpoint.protocol,
+                    err
+                );
+            }
+        }
+
+        if !bridge_report.started.is_empty() {
+            println!(
+                "{} Service bridge started ({} endpoint(s) active)",
+                "✓".green(),
+                bridge_report.started.len()
+            );
+        } else {
+            println!(
+                "{} Service bridge not running; no endpoints could be activated",
+                "⚠".yellow()
+            );
+        }
+
+        let active_service_keys: HashSet<String> = bridge_report
+            .started
+            .iter()
+            .map(|endpoint| format!("{}.{}", endpoint.service_name, endpoint.namespace))
+            .collect();
+
+        let mut effective_hosts = hosts_endpoints;
+        effective_hosts.retain(|endpoint| {
+            let key = format!("{}.{}", endpoint.service_name, endpoint.namespace);
+            active_service_keys.contains(&key)
+        });
+
+        if effective_hosts.len() < active_service_keys.len() {
+            tracing::warn!(
+                filtered_services = active_service_keys.len() - effective_hosts.len(),
+                "Filtered out host entries for services without active listeners"
+            );
+        }
+
+        // Update hosts file to reflect active listeners only
+        match self.hosts_manager.write_entries(&effective_hosts).await {
+            Ok(()) => {
+                if effective_hosts.is_empty() {
+                    println!(
+                        "{} No hosts entries written (no active listeners)",
+                        "ℹ".blue()
+                    );
+                } else {
+                    println!(
+                        "{} Hosts file updated with {} service entr{}",
+                        "✓".green(),
+                        effective_hosts.len(),
+                        if effective_hosts.len() == 1 {
+                            "y"
+                        } else {
+                            "ies"
+                        }
+                    );
+                }
+            }
+            Err(e) => {
+                eprintln!("{} Failed to update hosts file: {}", "⚠".yellow(), e);
+                if !effective_hosts.is_empty() {
+                    self.hosts_manager
+                        .print_manual_instructions(&effective_hosts);
+                }
+            }
+        }
+
+        Ok(())
+    }
+
+    /// Cleanup DNS entries
+    async fn cleanup_dns(&self) {
+        if let Err(e) = self.hosts_manager.remove_entries().await {
+            tracing::warn!("Failed to clean up hosts file: {}", e);
+        }
+        self.service_bridge.stop().await;
+        self.ip_allocator.lock().await.clear();
+    }
+
+    async fn send_session_heartbeat(rpc_client: &DevboxSessionRpcClient) -> Result<(), String> {
+        match rpc_client.heartbeat(tarpc::context::current()).await {
+            Ok(Ok(())) => Ok(()),
+            Ok(Err(err)) => Err(err),
+            Err(err) => Err(err.to_string()),
+        }
+    }
+
+    fn spawn_heartbeat_task(
+        rpc_client: DevboxSessionRpcClient,
+        user_id: Uuid,
+        event_tx: mpsc::UnboundedSender<HeartbeatEvent>,
+    ) -> (JoinHandle<()>, oneshot::Sender<()>) {
+        let (cancel_tx, cancel_rx) = oneshot::channel();
+        let task = tokio::spawn(async move {
+            Self::heartbeat_loop(rpc_client, user_id, event_tx, cancel_rx).await;
+        });
+        (task, cancel_tx)
+    }
+
+    async fn heartbeat_loop(
+        rpc_client: DevboxSessionRpcClient,
+        user_id: Uuid,
+        event_tx: mpsc::UnboundedSender<HeartbeatEvent>,
+        mut cancel_rx: oneshot::Receiver<()>,
+    ) {
+        let mut heartbeat_interval =
+            tokio::time::interval(Duration::from_secs(DEVBOX_HEARTBEAT_INTERVAL_SECS));
+        heartbeat_interval.set_missed_tick_behavior(MissedTickBehavior::Skip);
+
+        loop {
+            tokio::select! {
+                _ = &mut cancel_rx => {
+                    tracing::debug!(user_id = %user_id, "Heartbeat loop cancelled");
+                    break;
+                }
+                _ = heartbeat_interval.tick() => {
+                    let heartbeat_result = timeout(
+                        Duration::from_secs(DEVBOX_HEARTBEAT_TIMEOUT_SECS),
+                        Self::send_session_heartbeat(&rpc_client)
+                    )
+                    .await;
+
+                    match heartbeat_result {
+                        Ok(Ok(())) => {}
+                        Ok(Err(err)) => {
+                            let _ = event_tx.send(HeartbeatEvent::Failed(err));
+                            break;
+                        }
+                        Err(_) => {
+                            let _ = event_tx.send(HeartbeatEvent::TimedOut);
+                            break;
+                        }
+                    }
+                }
+            }
+        }
+    }
+}
+
+struct TunnelTask {
+    kind: TunnelKind,
+    intercept_id: Option<Uuid>,
+    shutdown: oneshot::Sender<()>,
+    handle: JoinHandle<()>,
+}
+
+#[derive(Copy, Clone)]
+enum TunnelKind {
+    Intercept,
+    Client,
+}
+
+impl TunnelKind {
+    fn path(self) -> &'static str {
+        match self {
+            TunnelKind::Intercept => "intercept",
+            TunnelKind::Client => "client",
+        }
+    }
+
+    fn as_str(self) -> &'static str {
+        self.path()
+    }
+}
+
+impl DevboxTunnelManager {
+    async fn ensure_intercept(
+        &self,
+        rpc_client: &DevboxSessionRpcClient,
+        token: &str,
+        user_id: Uuid,
+    ) -> Result<(), String> {
+        let mut guard = self.intercept_task.lock().await;
+        if guard.is_some() {
+            return Ok(());
+        }
+
+        let task = self.spawn_tunnel_task(rpc_client, TunnelKind::Intercept, token, user_id, None);
+
+        *guard = Some(task);
+        Ok(())
+    }
+
+    async fn ensure_client(
+        &self,
+        rpc_client: &DevboxSessionRpcClient,
+        token: &str,
+        user_id: Uuid,
+    ) -> Result<(), String> {
+        let mut guard = self.client_task.lock().await;
+        if guard.is_some() {
+            return Ok(());
+        }
+
+        {
+            let mut stored_token = self.client_token.write().await;
+            *stored_token = Some(token.to_string());
+        }
+
+        {
+            let mut stored_user = self.client_user_id.write().await;
+            *stored_user = Some(user_id);
+        }
+
+        let task = self.spawn_tunnel_task(rpc_client, TunnelKind::Client, token, user_id, None);
+        *guard = Some(task);
+        Ok(())
+    }
+
+    async fn stop_client(&self) {
+        if let Some(task) = self.client_task.lock().await.take() {
+            Self::stop_task(task, "Devbox client tunnel").await;
+        }
+    }
+
+    async fn restart_client_tunnel(
+        &self,
+        rpc_client: &DevboxSessionRpcClient,
+    ) -> Result<(), String> {
+        self.stop_client().await;
+        let token = { self.client_token.read().await.clone() };
+        let user_id = { self.client_user_id.read().await.clone() };
+        match (token, user_id) {
+            (Some(token), Some(user_id)) => self.ensure_client(rpc_client, &token, user_id).await,
+            _ => Ok(()),
+        }
+    }
+
+    async fn build_direct_channel_config(
+        &self,
+        user_id: Uuid,
+        stun_observed_addr: Option<SocketAddr>,
+    ) -> Result<Option<DirectTunnelConfig>, String> {
+        let active_user = { self.client_user_id.read().await.clone() };
+        let Some(current_user) = active_user else {
+            return Err("No active devbox client session available".to_string());
+        };
+
+        if current_user != user_id {
+            return Err("Requesting user does not match active session".to_string());
+        }
+
+        let Some(server_observed_addr) = self.direct_endpoint.observed_addr() else {
+            tracing::warn!("Direct endpoint has no STUN observed address; cannot provide config");
+            return Ok(None);
+        };
+
+        let token = Uuid::new_v4().to_string();
+        let expires_at = Utc::now() + chrono::Duration::minutes(2);
+        self.direct_endpoint
+            .credential()
+            .insert(token.clone(), expires_at)
+            .await;
+
+        let config = DirectTunnelConfig {
+            credential: DirectTunnelCredential { token, expires_at },
+            server_certificate: Some(self.direct_endpoint.server_certificate().to_vec()),
+            stun_observed_addr: Some(server_observed_addr),
+        };
+
+        if let Some(addr) = stun_observed_addr {
+            let direct_endpoint = self.direct_endpoint.clone();
+            tokio::spawn(async move {
+                if let Err(err) = direct_endpoint.send_probe(addr, false).await {
+                    tracing::warn!(
+                        %addr,
+                        error = %err,
+                        "Failed to send probe packet to requesting sidecar"
+                    );
+                }
+            });
+        }
+
+        Ok(Some(config))
+    }
+
+    async fn stop_intercept(&self) {
+        if let Some(task) = self.intercept_task.lock().await.take() {
+            Self::stop_task(task, "Devbox intercept tunnel").await;
+        }
+    }
+
+    async fn shutdown(&self) {
+        self.stop_intercept().await;
+        self.stop_client().await;
+    }
+
+    async fn stop_task(task: TunnelTask, context: &str) {
+        let TunnelTask {
+            kind,
+            intercept_id,
+            shutdown,
+            handle,
+        } = task;
+        let _ = shutdown.send(());
+        if let Err(err) = handle.await {
+            tracing::warn!(
+                tunnel_kind = kind.as_str(),
+                intercept_id = intercept_id.map(|id| id.to_string()),
+                error = %err,
+                "{} task exited with error",
+                context
+            );
+        }
+    }
+
+    fn spawn_tunnel_task(
+        &self,
+        rpc_client: &DevboxSessionRpcClient,
+        kind: TunnelKind,
+        token: &str,
+        user_id: Uuid,
+        intercept_id: Option<Uuid>,
+    ) -> TunnelTask {
+        let manager = self.clone();
+
+        let (shutdown_tx, shutdown_rx) = oneshot::channel();
+        let token = token.to_string();
+        let rpc_client = rpc_client.clone();
+        let handle = tokio::spawn(async move {
+            manager
+                .run_tunnel_loop(&rpc_client, kind, token, user_id, intercept_id, shutdown_rx)
+                .await;
+        });
+
+        TunnelTask {
+            kind,
+            intercept_id,
+            shutdown: shutdown_tx,
+            handle,
+        }
+    }
+}
+
+impl DevboxTunnelManager {
+    async fn run_tunnel_loop(
+        &self,
+        rpc_client: &DevboxSessionRpcClient,
+        kind: TunnelKind,
+        token: String,
+        user_id: Uuid,
+        intercept_id: Option<Uuid>,
+        mut shutdown_rx: oneshot::Receiver<()>,
+    ) {
+        let ws_url = format!(
+            "{}/api/v1/kube/devbox/tunnel/{}/{}",
+            self.ws_base(),
+            kind.path(),
+            user_id
+        );
+        let intercept_id_str = intercept_id.map(|id| id.to_string());
+
+        let mut backoff = Duration::from_secs(1);
+
+        loop {
+            tokio::select! {
+                _ = &mut shutdown_rx => {
+                    tracing::info!(
+                        %user_id,
+                        tunnel_kind = kind.as_str(),
+                        intercept_id = intercept_id_str.as_deref(),
+                        "Devbox tunnel shutdown signal received"
+                    );
+                    break;
+                }
+                result = self.connect_and_run_tunnel(rpc_client, kind, &ws_url, &token) => {
+                    match result {
+                        Ok(()) => {
+                            tracing::info!(
+                                %user_id,
+                                intercept_id = intercept_id_str.as_deref(),
+                                "Devbox {} tunnel closed gracefully", kind.as_str()
+                            );
+                            backoff = Duration::from_secs(1);
+                        }
+                        Err(err) => {
+                            tracing::warn!(
+                                %user_id,
+                                intercept_id = intercept_id_str.as_deref(),
+                                "Devbox {} tunnel disconnected: {}", kind.as_str(),
+                                err
+                            );
+                            backoff = (backoff.saturating_mul(2)).min(Duration::from_secs(30));
+                        }
+                    }
+
+                    tokio::select! {
+                        _ = &mut shutdown_rx => {
+                            tracing::info!(
+                                %user_id,
+                                intercept_id = intercept_id_str.as_deref(),
+                                "Devbox {} tunnel shutdown signal received", kind.as_str()
+                            );
+                            break;
+                        }
+                        _ = sleep(backoff) => {}
+                    }
+                }
+            }
+        }
+    }
+
+    async fn connect_and_run_tunnel(
+        &self,
+        rpc_client: &DevboxSessionRpcClient,
+        kind: TunnelKind,
+        ws_url: &str,
+        token: &str,
+    ) -> Result<(), TunnelError> {
+        let mut request = ws_url
+            .into_client_request()
+            .map_err(tunnel_transport_error)?;
+
+        let header = format!("Bearer {}", token)
+            .parse()
+            .map_err(tunnel_transport_error)?;
+        request
+            .headers_mut()
+            .insert(http::header::AUTHORIZATION, header);
+
+        let (stream, _) = tokio_tungstenite::connect_async(request)
+            .await
+            .map_err(tunnel_transport_error)?;
+
+        tracing::info!("Devbox {} tunnel connected: {}", kind.as_str(), ws_url);
+
+        if matches!(kind, TunnelKind::Client) {
+            let stun_observed_addr = self.direct_endpoint.observed_addr();
+            let direct_config = {
+                let active_environment = { *self.active_environment.lock().await };
+                if let Some(environment_id) = active_environment {
+                    rpc_client
+                        .request_direct_client_config(
+                            tarpc::context::current(),
+                            environment_id,
+                            stun_observed_addr,
+                        )
+                        .await
+                        .ok()
+                        .and_then(|r| r.ok())
+                        .flatten()
+                } else {
+                    None
+                }
+            };
+            let (client, mode) = TunnelClient::connect_with_direct_or_relay::<_, _, _, _>(
+                direct_config.as_ref(),
+                &self.direct_endpoint,
+                || async { Ok(stream) },
+                |err| {
+                    tracing::warn!(
+                        error = %err,
+                        "Direct devbox client tunnel attempt failed; falling back to relay"
+                    );
+                },
+            )
+            .await?;
+            let client = Arc::new(client);
+            match mode {
+                lapdev_tunnel::TunnelMode::Direct => {
+                    tracing::info!("Devbox client tunnel using direct QUIC transport");
+                }
+                lapdev_tunnel::TunnelMode::Relay => {
+                    tracing::info!("Devbox client tunnel using API relay transport");
+                }
+            }
+
+            self.set_tunnel_client(Arc::clone(&client)).await;
+
+            client.closed().await;
+            tracing::info!("Tunnel client closed for DNS service bridge");
+
+            self.clear_tunnel_client(&client).await;
+            Ok(())
+        } else {
+            let transport = RelayEndpoint::client_connection(stream).await?;
+            run_tunnel_server(transport).await
+        }
+    }
+}
+
+fn tunnel_transport_error<E>(err: E) -> TunnelError
+where
+    E: std::fmt::Display,
+{
+    TunnelError::Transport(std::io::Error::new(
+        std::io::ErrorKind::Other,
+        err.to_string(),
+    ))
+}
diff --git a/crates/cli/src/devbox/commands/login.rs b/crates/cli/src/devbox/commands/login.rs
new file mode 100644
index 0000000..5db2848
--- /dev/null
+++ b/crates/cli/src/devbox/commands/login.rs
@@ -0,0 +1,122 @@
+use anyhow::{Context, Result};
+use colored::Colorize;
+use urlencoding::encode;
+use uuid::Uuid;
+
+use crate::{api::client::LapdevClient, auth};
+
+const POLL_INTERVAL_SECONDS: u64 = 2;
+const TIMEOUT_SECONDS: u64 = 300; // 5 minutes
+
+pub async fn execute(api_host: &str, device_name: Option<String>) -> Result<()> {
+    // Check if already logged in
+    if auth::has_token(api_host) {
+        println!(
+            "{}",
+            "Already authenticated. Use 'lapdev logout' to sign out.".yellow()
+        );
+        return Ok(());
+    }
+
+    // Get or generate device name
+    let device_name = device_name.unwrap_or_else(|| {
+        hostname::get()
+            .ok()
+            .and_then(|h| h.into_string().ok())
+            .unwrap_or_else(|| "Unknown Device".to_string())
+    });
+
+    // Generate session ID
+    let session_id = Uuid::new_v4();
+
+    // Build auth URL
+    let base_url = format!("https://{}", api_host);
+    let auth_url = format!(
+        "{}/auth/cli?session_id={}&device_name={}",
+        base_url,
+        session_id,
+        encode(&device_name)
+    );
+
+    println!("{}", "Opening browser for authentication...".cyan());
+    println!();
+    println!("If browser doesn't open automatically, visit:");
+    println!("  {}", auth_url.bright_blue().underline());
+    println!();
+
+    // Open browser
+    if let Err(e) = webbrowser::open(&auth_url) {
+        tracing::warn!("Failed to open browser: {}", e);
+        println!(
+            "{}",
+            "Could not open browser automatically. Please open the URL above manually.".yellow()
+        );
+    }
+
+    println!("{}", "Waiting for authentication...".cyan());
+
+    // Poll for token
+    let client = LapdevClient::new(base_url.clone());
+    let start_time = std::time::Instant::now();
+    let mut poll_count = 0;
+
+    loop {
+        // Check timeout
+        if start_time.elapsed().as_secs() > TIMEOUT_SECONDS {
+            eprintln!("{}", "Authentication timeout. Please try again.".red());
+            anyhow::bail!("Authentication timed out after {} seconds", TIMEOUT_SECONDS);
+        }
+
+        // Poll for token
+        match client.poll_cli_token(session_id).await {
+            Ok(Some(response)) => {
+                // Success! Store the token
+                auth::store_token(api_host, &response.token)
+                    .context("Failed to store authentication token")?;
+
+                // Fetch user info to display
+                let client_with_token =
+                    LapdevClient::new(base_url).with_token(response.token.clone());
+
+                match client_with_token.whoami().await {
+                    Ok(whoami) => {
+                        println!();
+                        println!("{}", "✓ Authentication successful!".green().bold());
+                        println!();
+                        println!("  User:         {}", whoami.email.bright_white());
+                        println!("  Organization: {}", whoami.organization_id);
+                        println!("  Device:       {}", whoami.device_name.bright_white());
+                        println!(
+                            "  Expires:      {} days",
+                            (response.expires_in / 86400).to_string().bright_white()
+                        );
+                    }
+                    Err(e) => {
+                        // Token stored successfully but couldn't fetch user info
+                        println!();
+                        println!("{}", "✓ Authentication successful!".green().bold());
+                        tracing::debug!("Could not fetch user info: {}", e);
+                    }
+                }
+
+                return Ok(());
+            }
+            Ok(None) => {
+                // Still pending, continue polling
+                poll_count += 1;
+                if poll_count % 5 == 0 {
+                    // Print progress every 10 seconds
+                    println!(
+                        "  Still waiting... ({}s)",
+                        poll_count * POLL_INTERVAL_SECONDS
+                    );
+                }
+                tokio::time::sleep(tokio::time::Duration::from_secs(POLL_INTERVAL_SECONDS)).await;
+            }
+            Err(e) => {
+                eprintln!("{}", format!("Error polling for token: {:?}", e).red());
+                anyhow::bail!("Failed to authenticate: {}", e);
+            }
+        }
+    }
+}
diff --git a/crates/cli/src/devbox/commands/logout.rs b/crates/cli/src/devbox/commands/logout.rs
new file mode 100644
index 0000000..a06b52f
--- /dev/null
+++ b/crates/cli/src/devbox/commands/logout.rs
@@ -0,0 +1,31 @@
+use anyhow::Result;
+use colored::Colorize;
+
+use crate::auth;
+
+pub async fn execute(api_host: &str) -> Result<()> {
+    // Check if token exists
+    if !auth::has_token(api_host) {
+        println!(
+            "{}",
+            "Not currently authenticated. Use 'lapdev devbox login' to sign in.".yellow()
+        );
+        return Ok(());
+    }
+
+    // Delete token from keychain
+    auth::delete_token(api_host)?;
+
+    println!("{}", "✓ Logged out successfully".green());
+    println!();
+    println!(
+        "{}",
+        "Your authentication token has been removed from the keychain.".dimmed()
+    );
+    println!(
+        "{}",
+        "Note: This does not invalidate the token on the server.".dimmed()
+    );
+
+    Ok(())
+}
diff --git a/crates/cli/src/devbox/commands/mod.rs b/crates/cli/src/devbox/commands/mod.rs
new file mode 100644
index 0000000..8beb78e
--- /dev/null
+++ b/crates/cli/src/devbox/commands/mod.rs
@@ -0,0 +1,4 @@
+pub mod connect;
+pub mod login;
+pub mod logout;
+pub mod whoami;
diff --git a/crates/cli/src/devbox/commands/whoami.rs b/crates/cli/src/devbox/commands/whoami.rs
new file mode 100644
index 0000000..829b1c6
--- /dev/null
+++ b/crates/cli/src/devbox/commands/whoami.rs
@@ -0,0 +1,62 @@
+use anyhow::{Context, Result};
+use chrono::{DateTime, Utc};
+use colored::Colorize;
+
+use crate::{api::client::LapdevClient, auth};
+
+pub async fn execute(api_host: &str, api_url: &str) -> Result<()> {
+    // Get token from keychain
+    let token = auth::get_token(api_host)?;
+
+    // Create client and fetch user info
+    let client = LapdevClient::new(api_url.to_string()).with_token(token);
+    let whoami = client.whoami().await.context("Failed to fetch user info")?;
+
+    // Display user info
+    println!();
+    println!("{}", "Current Session:".bright_white().bold());
+    println!();
+    println!("  User:         {}", whoami.email.bright_cyan());
+
+    if let Some(name) = whoami.name {
+        println!("  Name:         {}", name);
+    }
+
+    println!("  User ID:      {}", whoami.user_id.to_string().dimmed());
+    println!("  Organization: {}", whoami.organization_id);
+    println!("  Device:       {}", whoami.device_name.bright_white());
+
+    if let Some(auth_at) = whoami.authenticated_at {
+        if let Ok(dt) = auth_at.parse::<DateTime<Utc>>() {
+            println!(
+                "  Authenticated: {}",
+                dt.format("%Y-%m-%d %H:%M:%S UTC").to_string().dimmed()
+            );
+        }
+    }
+
+    if let Some(exp_at) = whoami.expires_at {
+        if let Ok(dt) = exp_at.parse::<DateTime<Utc>>() {
+            let now = Utc::now();
+            let remaining = dt.signed_duration_since(now);
+            let days_remaining = remaining.num_days();
+
+            println!(
+                "  Expires:      {} ({} days remaining)",
+                dt.format("%Y-%m-%d %H:%M:%S UTC").to_string().dimmed(),
+                if days_remaining > 7 {
+                    days_remaining.to_string().green()
+                } else if days_remaining > 0 {
+                    days_remaining.to_string().yellow()
+                } else {
+                    "EXPIRED".to_string().red()
+                }
+            );
+        }
+    }
+
+    println!("  API URL:      {}", api_url.dimmed());
+    println!();
+
+    Ok(())
+}
diff --git a/crates/cli/src/devbox/dns/hosts.rs b/crates/cli/src/devbox/dns/hosts.rs
new file mode 100644
index 0000000..5cd8629
--- /dev/null
+++ b/crates/cli/src/devbox/dns/hosts.rs
@@ -0,0 +1,312 @@
+use anyhow::{anyhow, Context, Result};
+#[cfg(unix)]
+const EBUSY_ERRNO: i32 = 16;
+use std::{fs::OpenOptions as StdOpenOptions, path::PathBuf};
+use tempfile::NamedTempFile;
+use tokio::{fs::OpenOptions as AsyncOpenOptions, io::AsyncWriteExt};
+
+#[cfg(windows)]
+use std::path::Path;
+
+use super::ServiceEndpoint;
+
+const LINE_MARKER: &str = "# lapdev-devbox";
+
+/// Manages /etc/hosts file entries for devbox DNS
+pub struct HostsManager {
+    hosts_path: PathBuf,
+}
+
+impl Default for HostsManager {
+    fn default() -> Self {
+        Self::new()
+    }
+}
+
+impl HostsManager {
+    pub fn new() -> Self {
+        Self {
+            hosts_path: Self::get_hosts_path(),
+        }
+    }
+
+    /// Get the platform-specific hosts file path
+    fn get_hosts_path() -> PathBuf {
+        if cfg!(windows) {
+            PathBuf::from(r"C:\Windows\System32\drivers\etc\hosts")
+        } else {
+            PathBuf::from("/etc/hosts")
+        }
+    }
+
+    /// Write service endpoints to hosts file with per-line markers
+    pub async fn write_entries(&self, endpoints: &[ServiceEndpoint]) -> Result<()> {
+        // Read existing hosts file
+        let content = tokio::fs::read_to_string(&self.hosts_path)
+            .await
+            .with_context(|| format!("Failed to read hosts file: {:?}", self.hosts_path))?;
+
+        // Remove existing lapdev entries
+        let mut cleaned = self.remove_existing_entries(&content);
+
+        if !cleaned.ends_with('\n') && !cleaned.is_empty() {
+            cleaned.push('\n');
+        }
+
+        for endpoint in endpoints {
+            let aliases = endpoint.aliases().join(" ");
+            cleaned.push_str(&format!(
+                "{} {} {}\n",
+                endpoint.synthetic_ip, aliases, LINE_MARKER
+            ));
+        }
+
+        // Write back (requires elevated permissions)
+        self.write_hosts_file(&cleaned).await?;
+
+        Ok(())
+    }
+
+    /// Remove all lapdev entries from hosts file
+    pub async fn remove_entries(&self) -> Result<()> {
+        let content = tokio::fs::read_to_string(&self.hosts_path)
+            .await
+            .with_context(|| format!("Failed to read hosts file: {:?}", self.hosts_path))?;
+
+        let cleaned = self.remove_existing_entries(&content);
+
+        self.write_hosts_file(&cleaned).await?;
+
+        Ok(())
+    }
+
+    fn remove_existing_entries(&self, content: &str) -> String {
+        let mut result = String::new();
+
+        for line in content.lines() {
+            if line.trim_end().ends_with(LINE_MARKER) {
+                continue;
+            }
+            result.push_str(line);
+            result.push('\n');
+        }
+
+        result
+    }
+
+    /// Write content to hosts file with platform-specific line endings
+    async fn write_hosts_file(&self, content: &str) -> Result<()> {
+        #[cfg(windows)]
+        let content = {
+            // Preserve logical lines while enforcing CRLF endings
+            let mut lines: Vec<String> = content
+                .lines()
+                .map(|line| line.trim_end_matches('\r').to_string())
+                .collect();
+            if let Some(true) = lines.last().map(|line| line.is_empty()) {
+                lines.pop();
+            }
+            let mut normalized = lines.join("\r\n");
+            normalized.push_str("\r\n");
+            normalized
+        };
+
+        #[cfg(not(windows))]
+        let content = content.to_string();
+
+        let parent = self
+            .hosts_path
+            .parent()
+            .context("Hosts path has no parent directory")?;
+
+        let temp_file = NamedTempFile::new_in(parent)
+            .with_context(|| format!("Failed to create temporary hosts file in {:?}", parent))?;
+        let temp_path = temp_file.path().to_path_buf();
+
+        let std_file = temp_file.as_file().try_clone().with_context(|| {
+            format!(
+                "Failed to clone temporary hosts file handle: {:?}",
+                temp_path
+            )
+        })?;
+        let mut async_file = tokio::fs::File::from_std(std_file);
+
+        async_file
+            .write_all(content.as_bytes())
+            .await
+            .with_context(|| format!("Failed to write temporary hosts file: {:?}", temp_path))?;
+        async_file
+            .sync_all()
+            .await
+            .with_context(|| format!("Failed to sync temporary hosts file: {:?}", temp_path))?;
+
+        drop(async_file);
+
+        #[cfg(unix)]
+        if let Ok(metadata) = tokio::fs::metadata(&self.hosts_path).await {
+            use std::os::unix::fs::PermissionsExt;
+            let permissions = std::fs::Permissions::from_mode(metadata.permissions().mode());
+            let _ = tokio::fs::set_permissions(&temp_path, permissions).await;
+        }
+
+        #[cfg(windows)]
+        if let Ok(metadata) = tokio::fs::metadata(&self.hosts_path).await {
+            let permissions = metadata.permissions();
+            let _ = tokio::fs::set_permissions(&temp_path, permissions).await;
+        }
+
+        #[cfg(windows)]
+        {
+            use tempfile::TempPath;
+
+            let temp_path_handle: TempPath = temp_file.into_temp_path();
+            replace_file_windows(temp_path.as_path(), &self.hosts_path)?;
+            let _ = temp_path_handle.close();
+        }
+
+        #[cfg(not(windows))]
+        {
+            if let Err(err) = temp_file.persist(&self.hosts_path) {
+                #[cfg(unix)]
+                let is_busy = err.error.raw_os_error() == Some(EBUSY_ERRNO);
+                #[cfg(not(unix))]
+                let is_busy = false;
+
+                if is_busy {
+                    // Fall back to truncating the hosts file in-place when some Linux distros
+                    // reject atomic renames with EBUSY (e.g. immutable bind mounts).
+                    let mut fallback = AsyncOpenOptions::new()
+                        .write(true)
+                        .truncate(true)
+                        .open(&self.hosts_path)
+                        .await
+                        .with_context(|| {
+                            format!(
+                                "Failed to open hosts file for fallback write: {:?}",
+                                self.hosts_path
+                            )
+                        })?;
+
+                    fallback
+                        .write_all(content.as_bytes())
+                        .await
+                        .with_context(|| {
+                            format!(
+                                "Failed to write hosts file during fallback: {:?}",
+                                self.hosts_path
+                            )
+                        })?;
+                    fallback.sync_all().await.with_context(|| {
+                        format!(
+                            "Failed to sync hosts file during fallback: {:?}",
+                            self.hosts_path
+                        )
+                    })?;
+
+                    drop(fallback);
+                    let _ = err.file.close();
+                } else {
+                    return Err(anyhow!(
+                        "Failed to replace hosts file at {:?}: {}",
+                        self.hosts_path,
+                        err.error
+                    ));
+                }
+            }
+        }
+
+        #[cfg(unix)]
+        if let Ok(dir) = tokio::fs::File::open(parent).await {
+            let _ = dir.sync_all().await;
+        }
+
+        Ok(())
+    }
+
+    /// Check if we have permission to write to hosts file
+    pub fn check_permissions(&self) -> bool {
+        StdOpenOptions::new()
+            .write(true)
+            .append(true)
+            .open(&self.hosts_path)
+            .is_ok()
+    }
+
+    /// Print manual instructions if we can't modify hosts file
+    pub fn print_manual_instructions(&self, endpoints: &[ServiceEndpoint]) {
+        eprintln!("\n⚠️  Unable to automatically update hosts file.");
+        eprintln!(
+            "Please manually add the following entries to {:?}:",
+            self.hosts_path
+        );
+        for endpoint in endpoints {
+            let aliases = endpoint.aliases().join(" ");
+            eprintln!("{} {} {}", endpoint.synthetic_ip, aliases, LINE_MARKER);
+        }
+        eprintln!();
+
+        if cfg!(unix) {
+            eprintln!("Run this command with sudo, or edit the file manually:");
+            eprintln!("  sudo nano {:?}", self.hosts_path);
+        } else if cfg!(windows) {
+            eprintln!("Run this command as Administrator, or edit the file manually:");
+            eprintln!("  notepad {:?}", self.hosts_path);
+        }
+    }
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    #[test]
+    fn test_remove_existing_entries_strips_tagged_lines() {
+        let manager = HostsManager::new();
+        let content = r#"127.0.0.1 localhost
+127.77.0.1 svc1.default.svc.cluster.local # lapdev-devbox
+127.0.0.2 other
+"#;
+
+        let cleaned = manager.remove_existing_entries(content);
+        assert!(cleaned.contains("127.0.0.1 localhost"));
+        assert!(cleaned.contains("127.0.0.2 other"));
+        assert!(!cleaned.contains("lapdev-devbox"));
+        assert!(cleaned.ends_with('\n'));
+    }
+}
+
+#[cfg(windows)]
+fn replace_file_windows(temp_path: &Path, target_path: &Path) -> Result<()> {
+    use std::ffi::OsStr;
+    use std::os::windows::ffi::OsStrExt;
+    use windows_sys::Win32::Storage::FileSystem::{ReplaceFileW, REPLACEFILE_WRITE_THROUGH};
+
+    let target_w: Vec<u16> = target_path
+        .as_os_str()
+        .encode_wide()
+        .chain(Some(0))
+        .collect();
+    let temp_w: Vec<u16> = temp_path.as_os_str().encode_wide().chain(Some(0)).collect();
+
+    let success = unsafe {
+        ReplaceFileW(
+            target_w.as_ptr(),
+            temp_w.as_ptr(),
+            std::ptr::null(),
+            REPLACEFILE_WRITE_THROUGH,
+            std::ptr::null_mut(),
+            std::ptr::null_mut(),
+        )
+    };
+
+    if success == 0 {
+        let err = std::io::Error::last_os_error();
+        Err(anyhow!(
+            "Failed to replace hosts file at {:?}: {}",
+            target_path,
+            err
+        ))
+    } else {
+        Ok(())
+    }
+}
diff --git a/crates/cli/src/devbox/dns/ip_allocator.rs b/crates/cli/src/devbox/dns/ip_allocator.rs
new file mode 100644
index 0000000..a175085
--- /dev/null
+++ b/crates/cli/src/devbox/dns/ip_allocator.rs
@@ -0,0 +1,172 @@
+use std::{
+    collections::{HashMap, HashSet},
+    net::{IpAddr, Ipv4Addr},
+};
+
+/// Allocates synthetic loopback IPs from a reserved subnet (127.77.0.0/16)
+pub struct SyntheticIpAllocator {
+    /// Base IP: 127.77.0.0
+    base: Ipv4Addr,
+    /// Next available offset (0-65535) tracked across the last two octets
+    next_offset: u16,
+    /// Allocated IPs mapped to their service keys (name.namespace)
+    allocated: HashMap<String, IpAddr>,
+    /// Reverse mapping from IP to service key
+    reverse: HashMap<IpAddr, String>,
+    /// Freed IPs that can be reused
+    free_pool: HashSet<u16>,
+}
+
+impl Default for SyntheticIpAllocator {
+    fn default() -> Self {
+        Self::new()
+    }
+}
+
+impl SyntheticIpAllocator {
+    pub fn new() -> Self {
+        Self {
+            base: Ipv4Addr::new(127, 77, 0, 0),
+            next_offset: 1, // Start from offset 1, skip 0
+            allocated: HashMap::new(),
+            reverse: HashMap::new(),
+            free_pool: HashSet::new(),
+        }
+    }
+
+    /// Allocate or reuse an IP for a service across all ports
+    pub fn allocate(&mut self, service_name: &str, namespace: &str) -> Option<IpAddr> {
+        let key = format!("{}.{}", service_name, namespace);
+
+        // If already allocated, return existing IP
+        if let Some(ip) = self.allocated.get(&key) {
+            return Some(*ip);
+        }
+
+        // Try to allocate from free pool first
+        let offset = if let Some(offset) = self.free_pool.iter().next().copied() {
+            self.free_pool.remove(&offset);
+            offset
+        } else {
+            // Allocate new IP
+            if self.next_offset == 0 {
+                // Wrapped around, no more IPs available
+                return None;
+            }
+            let offset = self.next_offset;
+            self.next_offset = self.next_offset.wrapping_add(1);
+            offset
+        };
+
+        let base_octets = self.base.octets();
+        let high = (offset >> 8) as u8;
+        let low = (offset & 0xFF) as u8;
+        let ip = IpAddr::V4(Ipv4Addr::new(
+            base_octets[0],
+            base_octets[1],
+            base_octets[2].wrapping_add(high),
+            low,
+        ));
+
+        self.allocated.insert(key.clone(), ip);
+        self.reverse.insert(ip, key);
+        Some(ip)
+    }
+
+    /// Deallocate an IP and return it to the free pool
+    pub fn deallocate(&mut self, service_name: &str, namespace: &str) {
+        let key = format!("{}.{}", service_name, namespace);
+        if let Some(ip) = self.allocated.remove(&key) {
+            self.reverse.remove(&ip);
+            if let IpAddr::V4(ipv4) = ip {
+                let ip_octets = ipv4.octets();
+                let base_octets = self.base.octets();
+                let high = (ip_octets[2] as u16).saturating_sub(base_octets[2] as u16);
+                let low = ip_octets[3] as u16;
+                let offset = (high << 8) | low;
+                if offset != 0 {
+                    self.free_pool.insert(offset);
+                }
+            }
+        }
+    }
+
+    /// Deallocate all IPs and reset
+    pub fn clear(&mut self) {
+        self.allocated.clear();
+        self.reverse.clear();
+        self.free_pool.clear();
+        self.next_offset = 1;
+    }
+
+    /// Get the service key for an IP address
+    pub fn lookup_ip(&self, ip: &IpAddr) -> Option<&str> {
+        self.reverse.get(ip).map(|s| s.as_str())
+    }
+
+    /// Get all allocated IPs
+    pub fn allocated_ips(&self) -> Vec<IpAddr> {
+        self.allocated.values().copied().collect()
+    }
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    #[test]
+    fn test_allocate_and_reuse() {
+        let mut allocator = SyntheticIpAllocator::new();
+
+        let ip1 = allocator.allocate("service1", "default").unwrap();
+        let ip2 = allocator.allocate("service1", "default").unwrap();
+
+        assert_eq!(ip1, ip2); // Should reuse same IP
+
+        let ip3 = allocator.allocate("service2", "default").unwrap();
+        assert_ne!(ip1, ip3); // Different service should get different IP
+    }
+
+    #[test]
+    fn test_deallocate_and_reuse() {
+        let mut allocator = SyntheticIpAllocator::new();
+
+        let ip1 = allocator.allocate("service1", "default").unwrap();
+        allocator.deallocate("service1", "default");
+
+        let ip2 = allocator.allocate("service2", "default").unwrap();
+        assert_eq!(ip1, ip2); // Should reuse deallocated IP
+    }
+
+    #[test]
+    fn test_lookup() {
+        let mut allocator = SyntheticIpAllocator::new();
+
+        let ip = allocator.allocate("service1", "default").unwrap();
+        let key = allocator.lookup_ip(&ip).unwrap();
+        assert_eq!(key, "service1.default");
+    }
+
+    #[test]
+    fn test_multi_port_same_ip() {
+        let mut allocator = SyntheticIpAllocator::new();
+
+        let ip_http = allocator.allocate("service1", "default").unwrap();
+        let ip_https = allocator.allocate("service1", "default").unwrap();
+
+        assert_eq!(ip_http, ip_https);
+    }
+
+    #[test]
+    fn test_allocate_beyond_24_bit_range() {
+        let mut allocator = SyntheticIpAllocator::new();
+
+        for i in 0..300 {
+            let service = format!("service{}", i);
+            assert!(
+                allocator.allocate(&service, "default").is_some(),
+                "allocation failed at index {i}"
+            );
+        }
+    }
+}
diff --git a/crates/cli/src/devbox/dns/mod.rs b/crates/cli/src/devbox/dns/mod.rs
new file mode 100644
index 0000000..abbaa27
--- /dev/null
+++ b/crates/cli/src/devbox/dns/mod.rs
@@ -0,0 +1,57 @@
+mod hosts;
+mod ip_allocator;
+mod service_bridge;
+
+pub use hosts::HostsManager;
+pub use ip_allocator::SyntheticIpAllocator;
+pub use service_bridge::{ServiceBridge, ServiceBridgeStartReport};
+
+use lapdev_devbox_rpc::ServiceInfo;
+use std::net::IpAddr;
+
+/// Returns true if the provided protocol string represents TCP.
+pub fn is_tcp_protocol(protocol: &str) -> bool {
+    let trimmed = protocol.trim();
+    trimmed.is_empty() || trimmed.eq_ignore_ascii_case("tcp")
+}
+
+/// A service endpoint with synthetic IP and port
+#[derive(Debug, Clone)]
+pub struct ServiceEndpoint {
+    pub service_name: String,
+    pub namespace: String,
+    pub port: u16,
+    pub protocol: String,
+    pub synthetic_ip: IpAddr,
+    /// Fully qualified domain name: service.namespace.svc
+    pub fqdn: String,
+}
+
+impl ServiceEndpoint {
+    pub fn new(info: &ServiceInfo, port: u16, protocol: String, synthetic_ip: IpAddr) -> Self {
+        let fqdn = format!("{}.{}.svc", info.name, info.namespace);
+        let normalized_protocol = if is_tcp_protocol(&protocol) {
+            "TCP".to_string()
+        } else {
+            protocol
+        };
+        Self {
+            service_name: info.name.clone(),
+            namespace: info.namespace.clone(),
+            port,
+            protocol: normalized_protocol,
+            synthetic_ip,
+            fqdn,
+        }
+    }
+
+    /// Returns all DNS aliases for this service
+    pub fn aliases(&self) -> Vec<String> {
+        vec![
+            self.service_name.clone(),
+            format!("{}.{}", self.service_name, self.namespace),
+            format!("{}.{}.svc", self.service_name, self.namespace),
+            self.fqdn.clone(),
+        ]
+    }
+}
diff --git a/crates/cli/src/devbox/dns/service_bridge.rs b/crates/cli/src/devbox/dns/service_bridge.rs
new file mode 100644
index 0000000..959e2ce
--- /dev/null
+++ b/crates/cli/src/devbox/dns/service_bridge.rs
@@ -0,0 +1,213 @@
+use anyhow::{Context, Result};
+use lapdev_tunnel::TunnelClient;
+use std::{collections::HashMap, net::SocketAddr, sync::Arc};
+use tokio::{
+    net::{TcpListener, TcpStream},
+    sync::RwLock,
+    task::JoinHandle,
+};
+use tracing::{debug, error, info, warn};
+
+use super::{is_tcp_protocol, ServiceEndpoint};
+
+/// Bridges TCP connections from synthetic IPs to services via tunnel
+pub struct ServiceBridge {
+    /// Maps synthetic IP:port to service endpoint info
+    endpoints: Arc<RwLock<HashMap<SocketAddr, ServiceEndpoint>>>,
+    /// Listener tasks for each synthetic IP
+    listeners: Arc<RwLock<Vec<JoinHandle<()>>>>,
+    /// Tunnel client for connecting to services
+    tunnel_client: Arc<RwLock<Option<Arc<TunnelClient>>>>,
+}
+
+#[derive(Debug, Default)]
+pub struct ServiceBridgeStartReport {
+    pub started: Vec<ServiceEndpoint>,
+    pub failed: Vec<(ServiceEndpoint, anyhow::Error)>,
+}
+
+impl ServiceBridge {
+    pub fn new(tunnel_client: Arc<RwLock<Option<Arc<TunnelClient>>>>) -> Self {
+        Self {
+            endpoints: Arc::new(RwLock::new(HashMap::new())),
+            listeners: Arc::new(RwLock::new(Vec::new())),
+            tunnel_client,
+        }
+    }
+
+    /// Start listening on synthetic IPs for the given service endpoints
+    pub async fn start(&self, endpoints: Vec<ServiceEndpoint>) -> ServiceBridgeStartReport {
+        // Stop existing listeners
+        self.stop().await;
+
+        let mut tcp_endpoints = Vec::new();
+        let mut skipped = Vec::new();
+
+        for endpoint in endpoints {
+            if is_tcp_protocol(&endpoint.protocol) {
+                tcp_endpoints.push(endpoint);
+            } else {
+                skipped.push(endpoint);
+            }
+        }
+
+        if !skipped.is_empty() {
+            for endpoint in &skipped {
+                warn!(
+                    service = %endpoint.service_name,
+                    namespace = %endpoint.namespace,
+                    port = endpoint.port,
+                    protocol = %endpoint.protocol,
+                    "Skipping non-TCP service endpoint; protocol not supported"
+                );
+            }
+        }
+
+        {
+            // Clear any existing endpoint mappings before rebuilding
+            let mut endpoint_map = self.endpoints.write().await;
+            endpoint_map.clear();
+        }
+
+        // Start listener for each unique IP:port combination
+        let tunnel_client = Arc::clone(&self.tunnel_client);
+        let mut tasks = Vec::new();
+        let mut started = Vec::new();
+        let mut failed = Vec::new();
+
+        for endpoint in tcp_endpoints {
+            let addr = SocketAddr::new(endpoint.synthetic_ip, endpoint.port);
+            match self
+                .spawn_listener(addr, endpoint.clone(), Arc::clone(&tunnel_client))
+                .await
+            {
+                Ok(task) => {
+                    {
+                        let mut endpoint_map = self.endpoints.write().await;
+                        endpoint_map.insert(addr, endpoint.clone());
+                    }
+                    tasks.push(task);
+                    started.push(endpoint);
+                }
+                Err(e) => {
+                    error!("Failed to start listener on {}: {}", addr, e);
+                    failed.push((endpoint, e));
+                }
+            }
+        }
+
+        *self.listeners.write().await = tasks;
+
+        let num_started = started.len();
+        info!("Service bridge started with {} endpoints", num_started);
+
+        ServiceBridgeStartReport { started, failed }
+    }
+
+    /// Stop all listeners
+    pub async fn stop(&self) {
+        let mut listeners = self.listeners.write().await;
+        for task in listeners.drain(..) {
+            task.abort();
+        }
+        info!("Service bridge stopped");
+    }
+
+    /// Spawn a TCP listener for a specific address
+    async fn spawn_listener(
+        &self,
+        addr: SocketAddr,
+        endpoint: ServiceEndpoint,
+        tunnel_client: Arc<RwLock<Option<Arc<TunnelClient>>>>,
+    ) -> Result<JoinHandle<()>> {
+        let listener = TcpListener::bind(addr)
+            .await
+            .with_context(|| format!("Failed to bind to {}", addr))?;
+
+        let endpoints = Arc::clone(&self.endpoints);
+
+        info!(
+            "Started listener on {} for {}/{} (port {})",
+            addr, endpoint.namespace, endpoint.service_name, endpoint.port
+        );
+
+        let task = tokio::spawn(async move {
+            loop {
+                match listener.accept().await {
+                    Ok((stream, peer_addr)) => {
+                        debug!("Accepted connection from {} to {}", peer_addr, addr);
+
+                        let endpoints = Arc::clone(&endpoints);
+                        let tunnel_client = Arc::clone(&tunnel_client);
+
+                        tokio::spawn(async move {
+                            if let Err(e) =
+                                handle_connection(stream, addr, endpoints, tunnel_client).await
+                            {
+                                error!("Connection handler error: {:?}", e);
+                            }
+                        });
+                    }
+                    Err(e) => {
+                        error!("Failed to accept connection on {}: {}", addr, e);
+                    }
+                }
+            }
+        });
+
+        Ok(task)
+    }
+}
+
+/// Handle a single TCP connection by proxying it through the tunnel
+async fn handle_connection(
+    mut local_stream: TcpStream,
+    local_addr: SocketAddr,
+    endpoints: Arc<RwLock<HashMap<SocketAddr, ServiceEndpoint>>>,
+    tunnel_client: Arc<RwLock<Option<Arc<TunnelClient>>>>,
+) -> Result<()> {
+    // Look up the service endpoint
+    let endpoint = {
+        let endpoints = endpoints.read().await;
+        endpoints
+            .get(&local_addr)
+            .cloned()
+            .context(format!("No endpoint found for {}", local_addr))?
+    };
+
+    let tunnel_client = {
+        let guard = tunnel_client.read().await;
+        guard
+            .as_ref()
+            .cloned()
+            .context("Tunnel client not available")?
+    };
+
+    debug!(
+        "Connecting to service: {} ({}:{})",
+        endpoint.fqdn, endpoint.fqdn, endpoint.port
+    );
+
+    // Connect through tunnel
+    let tunnel_stream = tunnel_client
+        .connect_tcp(&endpoint.fqdn, endpoint.port)
+        .await
+        .context("Failed to establish tunnel connection")?;
+
+    debug!("Tunnel established to {}", endpoint.fqdn);
+
+    // Proxy bytes bidirectionally
+    match tokio::io::copy_bidirectional(&mut local_stream, &mut Box::pin(tunnel_stream)).await {
+        Ok((to_remote, to_local)) => {
+            debug!(
+                "Connection closed: {} bytes to remote, {} bytes to local",
+                to_remote, to_local
+            );
+        }
+        Err(e) => {
+            warn!("Proxy error: {}", e);
+        }
+    }
+
+    Ok(())
+}
diff --git a/crates/cli/src/devbox/mod.rs b/crates/cli/src/devbox/mod.rs
new file mode 100644
index 0000000..95a51e0
--- /dev/null
+++ b/crates/cli/src/devbox/mod.rs
@@ -0,0 +1,27 @@
+use clap::Subcommand;
+
+use crate::config;
+
+pub mod commands;
+pub mod dns;
+
+#[derive(Subcommand)]
+pub enum DevboxCommand {
+    /// Connect to Lapdev devbox and establish port forwarding tunnels
+    Connect {
+        /// API host (e.g. app.lap.dev)
+        #[arg(long = "api-host", alias = "api-url", env = "LAPDEV_API_HOST")]
+        api_host: Option<String>,
+    },
+}
+
+pub async fn handle_command(command: DevboxCommand) -> anyhow::Result<()> {
+    match command {
+        DevboxCommand::Connect { api_host } => {
+            let (api_host, _) = config::resolve_api_base_url(api_host);
+            commands::connect::execute(&api_host).await?;
+        }
+    }
+
+    Ok(())
+}
diff --git a/crates/cli/src/main.rs b/crates/cli/src/main.rs
new file mode 100644
index 0000000..57a0335
--- /dev/null
+++ b/crates/cli/src/main.rs
@@ -0,0 +1,148 @@
+use std::{fs, path::PathBuf};
+
+use anyhow::Context;
+use clap::{Parser, Subcommand};
+
+mod api;
+mod auth;
+mod config;
+mod devbox;
+
+#[derive(Parser)]
+#[command(name = "lapdev")]
+#[command(about = "Lapdev CLI - Self-Hosted Remote Dev Environment", long_about = None)]
+#[command(version)]
+struct Cli {
+    #[command(subcommand)]
+    command: Commands,
+
+    /// Enable verbose logging
+    #[arg(short, long, global = true)]
+    verbose: bool,
+
+    /// Directory for lapdev-cli log files
+    #[arg(long = "log-dir", env = "LAPDEV_LOG_DIR", value_name = "PATH")]
+    log_dir: Option<PathBuf>,
+}
+
+#[derive(Subcommand)]
+enum Commands {
+    /// Authenticate with Lapdev
+    Login {
+        /// Device name (defaults to hostname)
+        #[arg(long)]
+        device_name: Option<String>,
+
+        /// API host (e.g. app.lap.dev)
+        #[arg(long = "api-host", alias = "api-url", env = "LAPDEV_API_HOST")]
+        api_host: Option<String>,
+    },
+
+    /// Sign out (deletes token from keychain)
+    Logout {
+        /// API host (e.g. app.lap.dev)
+        #[arg(long = "api-host", alias = "api-url", env = "LAPDEV_API_HOST")]
+        api_host: Option<String>,
+    },
+
+    /// Show current session info
+    Whoami {
+        /// API host (e.g. app.lap.dev)
+        #[arg(long = "api-host", alias = "api-url", env = "LAPDEV_API_HOST")]
+        api_host: Option<String>,
+    },
+
+    /// Devbox commands
+    Devbox {
+        #[command(subcommand)]
+        command: devbox::DevboxCommand,
+    },
+}
+
+#[tokio::main]
+async fn main() -> anyhow::Result<()> {
+    let cli = Cli::parse();
+
+    let log_dir = resolve_log_dir(cli.log_dir.clone())?;
+    fs::create_dir_all(&log_dir)
+        .with_context(|| format!("failed to create log directory at {}", log_dir.display()))?;
+    let file_appender = tracing_appender::rolling::daily(&log_dir, "lapdev-cli.log");
+    let (file_writer, _file_guard) = tracing_appender::non_blocking(file_appender);
+
+    // Setup logging
+    let log_level = if cli.verbose {
+        tracing::Level::DEBUG
+    } else {
+        tracing::Level::INFO
+    };
+
+    use tracing_subscriber::{fmt, prelude::*, EnvFilter};
+
+    // Filter out tarpc internal tracing
+    let filter = EnvFilter::from_default_env()
+        .add_directive(log_level.into())
+        .add_directive("tarpc=warn".parse().unwrap())
+        .add_directive("tarpc::client=warn".parse().unwrap()); // Only show tarpc warnings/errors
+
+    let file_layer = fmt::layer()
+        .with_target(true)
+        .with_ansi(false)
+        .with_writer(file_writer);
+
+    tracing_subscriber::registry()
+        .with(filter)
+        .with(file_layer)
+        .init();
+
+    tracing::debug!("writing logs to {}", log_dir.display());
+
+    // Handle commands
+    match cli.command {
+        Commands::Login {
+            device_name,
+            api_host,
+        } => {
+            let (api_host, _) = config::resolve_api_base_url(api_host);
+            devbox::commands::login::execute(&api_host, device_name).await?;
+        }
+        Commands::Logout { api_host } => {
+            let (api_host, _) = config::resolve_api_base_url(api_host);
+            devbox::commands::logout::execute(&api_host).await?;
+        }
+        Commands::Whoami { api_host } => {
+            let (api_host, api_url) = config::resolve_api_base_url(api_host);
+            devbox::commands::whoami::execute(&api_host, &api_url).await?;
+        }
+        Commands::Devbox { command } => {
+            devbox::handle_command(command).await?;
+        }
+    }
+
+    Ok(())
+}
+
+fn resolve_log_dir(override_dir: Option<PathBuf>) -> anyhow::Result<PathBuf> {
+    override_dir
+        .or_else(default_log_dir)
+        .ok_or_else(|| anyhow::anyhow!("unable to determine log directory"))
+}
+
+#[cfg(target_os = "macos")]
+fn default_log_dir() -> Option<PathBuf> {
+    dirs::home_dir().map(|home| home.join("Library").join("Logs").join("Lapdev"))
+}
+
+#[cfg(target_os = "windows")]
+fn default_log_dir() -> Option<PathBuf> {
+    dirs::data_local_dir()
+        .or_else(|| dirs::home_dir().map(|home| home.join("AppData").join("Local")))
+        .map(|base| base.join("Lapdev").join("logs"))
+}
+
+#[cfg(not(any(target_os = "macos", target_os = "windows")))]
+fn default_log_dir() -> Option<PathBuf> {
+    std::env::var_os("XDG_STATE_HOME")
+        .map(PathBuf::from)
+        .or_else(|| dirs::home_dir().map(|home| home.join(".local").join("state")))
+        .map(|base| base.join("lapdev").join("logs"))
+}
diff --git a/lapdev-common/Cargo.toml b/crates/common/Cargo.toml
similarity index 93%
rename from lapdev-common/Cargo.toml
rename to crates/common/Cargo.toml
index 696b864..b895f2d 100644
--- a/lapdev-common/Cargo.toml
+++ b/crates/common/Cargo.toml
@@ -12,6 +12,7 @@ serde_json.workspace = true
 anyhow.workspace = true
 base16ct.workspace = true
 sha2.workspace = true
+secrecy.workspace = true
 rand.workspace = true
 strum.workspace = true
 strum_macros.workspace = true
diff --git a/crates/common/pages/error_page.html b/crates/common/pages/error_page.html
new file mode 100644
index 0000000..1cd9326
--- /dev/null
+++ b/crates/common/pages/error_page.html
@@ -0,0 +1,160 @@
+<!DOCTYPE html>
+<html>
+  <head>
+    <title>Lapdev Dashboard</title>
+    <style>
+      :root {
+        color-scheme: light;
+      }
+      body {
+        margin: 0;
+        font-family: ui-sans-serif, system-ui, -apple-system, BlinkMacSystemFont, "Segoe UI",
+          "Helvetica Neue", Arial, "Noto Sans", sans-serif, "Apple Color Emoji", "Segoe UI Emoji",
+          "Segoe UI Symbol", "Noto Color Emoji";
+        background-color: #f9fafb;
+        color: #111827;
+      }
+      .page {
+        min-height: 100vh;
+        display: flex;
+        align-items: center;
+        justify-content: center;
+        padding: 2rem 1rem;
+        background: radial-gradient(circle at top, #eef2ff 0%, #f9fafb 55%);
+      }
+      .card {
+        width: 100%;
+        max-width: 36rem;
+        display: flex;
+        flex-direction: column;
+        gap: 1rem;
+        padding: 2.5rem;
+        border-radius: 1.25rem;
+        background-color: #fff;
+        box-shadow: 0 25px 50px -12px rgba(15, 23, 42, 0.25);
+        border: 1px solid #e5e7eb;
+      }
+      .brand {
+        display: inline-flex;
+        align-items: center;
+        gap: 1rem;
+        font-size: 1.5rem;
+        font-weight: 600;
+        color: inherit;
+        text-decoration: none;
+      }
+      .brand svg {
+        width: 2.75rem;
+        height: 2.75rem;
+      }
+      .eyebrow {
+        margin: 0;
+        letter-spacing: 0.08em;
+        font-size: 0.85rem;
+        text-transform: uppercase;
+        color: #6366f1;
+      }
+      h1 {
+        margin: 0;
+        font-size: 1.9rem;
+        line-height: 1.2;
+      }
+      .lead {
+        margin: 0;
+        color: #4b5563;
+        font-size: 1rem;
+        line-height: 1.6;
+      }
+      .reason {
+        border-radius: 0.75rem;
+        padding: 1.25rem 1.5rem;
+        background: #fef2f2;
+        border: 1px solid #fecaca;
+      }
+      .reason-label {
+        font-size: 0.85rem;
+        text-transform: uppercase;
+        letter-spacing: 0.08em;
+        color: #b91c1c;
+        display: block;
+        margin-bottom: 0.4rem;
+      }
+      .reason-message {
+        margin: 0;
+        font-size: 1.05rem;
+        color: #991b1b;
+      }
+      .tips {
+        list-style: none;
+        padding: 0;
+        margin: 0;
+        display: flex;
+        flex-direction: column;
+        gap: 0.35rem;
+        color: #4b5563;
+      }
+      .tips li {
+        display: flex;
+        gap: 0.4rem;
+      }
+      .tips li::before {
+        content: "•";
+        color: #9ca3af;
+      }
+      .note {
+        margin: 0.75rem 0 0;
+        font-size: 0.95rem;
+        color: #374151;
+        line-height: 1.5;
+      }
+      .note strong {
+        color: #1f2937;
+      }
+      .help {
+        margin: 0.75rem 0 0;
+        font-size: 0.92rem;
+        color: #6b7280;
+      }
+      @media (min-width: 768px) {
+        .page {
+          padding: 0;
+        }
+      }
+    </style>
+  </head>
+  <body>
+    <section class="page">
+      <div class="card">
+        <a href="#" class="brand">
+          <svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" viewBox="0 0 1024 1024">
+            <path d="M512 0C390.759 0 279.426 42.2227 191.719 112.656L191.719 612L351.719 612L351.719 332L422 332L431.719 332L431.719 332.344C488.169 334.127 541.249 351.138 581.875 380.625C627.591 413.806 654.875 460.633 654.875 512C654.875 563.367 627.591 610.194 581.875 643.375C541.249 672.862 488.169 689.873 431.719 691.656L431.719 1017.69C457.88 1021.81 484.68 1024 512 1024C794.77 1024 1024 794.77 1024 512C1024 229.23 794.77 0 512 0ZM111.719 192.906C41.8539 280.432 0 391.303 0 512C0 738.766 147.487 930.96 351.719 998.25L351.719 692L151.719 692L151.719 691.844L111.719 691.844L111.719 192.906ZM738.219 372C741.597 372.107 745.042 373.02 748.312 374.812L946.281 483.312C952.311 486.616 956.692 492.393 959.188 499.156C959.821 500.874 960.317 502.641 960.688 504.469C960.764 504.834 960.841 505.196 960.906 505.562C961.12 506.807 961.225 508.071 961.312 509.344C961.378 510.235 961.498 511.112 961.5 512C961.498 512.888 961.378 513.765 961.312 514.656C961.226 515.929 961.12 517.193 960.906 518.438C960.841 518.804 960.764 519.166 960.688 519.531C960.317 521.359 959.821 523.126 959.188 524.844C956.692 531.608 952.311 537.384 946.281 540.688L748.312 649.188C735.232 656.355 719.818 649.367 713.875 633.594C707.932 617.82 713.7 599.23 726.781 592.062L872.875 512L726.781 431.938C713.7 424.771 707.932 406.18 713.875 390.406C718.332 378.576 728.085 371.678 738.219 372ZM431.719 412.344L431.719 611.656C513.56 608.208 574.875 561.985 574.875 512C574.875 462.015 513.56 415.792 431.719 412.344Z" />
+            <path d="M742 403.688C740.062 403.483 738.097 404.438 737.094 406.25C735.756 408.666 736.615 411.694 739.031 413.031L925.719 516.375C928.135 517.712 931.194 516.822 932.531 514.406C933.869 511.99 932.979 508.962 930.562 507.625L743.875 404.281C743.271 403.947 742.646 403.756 742 403.688Z" />
+            <path d="M927.5 507.031C926.856 507.115 926.221 507.339 925.625 507.688L738.938 616.906C736.554 618.301 735.762 621.335 737.156 623.719C738.551 626.102 741.616 626.926 744 625.531L930.688 516.312C933.071 514.918 933.863 511.852 932.469 509.469C931.423 507.681 929.432 506.78 927.5 507.031Z" />
+          </svg>
+          Lapdev
+        </a>
+        <p class="eyebrow">Preview URL issue</p>
+        <h1>We couldn&rsquo;t reach this preview</h1>
+        <p class="lead">
+          Lapdev tried to route your Preview URL but the backing environment didn&rsquo;t respond as expected. Review the reported reason below and follow the steps to get things moving again.
+        </p>
+        <div class="reason">
+          <span class="reason-label">What went wrong</span>
+          <p class="reason-message">{{MESSAGE}}</p>
+        </div>
+        <ul class="tips">
+          <li>Confirm the environment is running and the correct revision is deployed.</li>
+          <li>Verify this Preview URL still publishes the service/port you expect.</li>
+          <li>Ensure you&rsquo;re signed into the Lapdev organization that owns this link.</li>
+        </ul>
+        <p class="note">
+          <strong>If you manage this environment:</strong> restart or redeploy it, then recreate the Preview URL if the issue persists.
+        </p>
+        <p class="note">
+          <strong>If you&rsquo;re viewing someone else&rsquo;s link:</strong> share this page with the owner so they can republish the service or grant access.
+        </p>
+        <p class="help">Need a hand? Ask a Lapdev admin or teammate to review the environment status from the dashboard.</p>
+      </div>
+    </section>
+  </body>
+</html>
diff --git a/crates/common/src/config.rs b/crates/common/src/config.rs
new file mode 100644
index 0000000..d1e9349
--- /dev/null
+++ b/crates/common/src/config.rs
@@ -0,0 +1 @@
+pub const LAPDEV_CLUSTER_NOT_INITIATED: &str = "lapdev-cluster-not-initiated";
diff --git a/lapdev-common/src/console.rs b/crates/common/src/console.rs
similarity index 100%
rename from lapdev-common/src/console.rs
rename to crates/common/src/console.rs
diff --git a/crates/common/src/devbox.rs b/crates/common/src/devbox.rs
new file mode 100644
index 0000000..1cf8f2e
--- /dev/null
+++ b/crates/common/src/devbox.rs
@@ -0,0 +1,80 @@
+use chrono::{DateTime, Utc};
+use serde::{Deserialize, Serialize};
+use std::net::SocketAddr;
+use uuid::Uuid;
+
+#[derive(Debug, Clone, Serialize, Deserialize)]
+pub struct DevboxSessionSummary {
+    pub id: Uuid,
+    pub device_name: String,
+    pub token_prefix: String,
+    pub active_environment_id: Option<Uuid>,
+    pub created_at: DateTime<Utc>,
+    pub expires_at: DateTime<Utc>,
+    pub last_used_at: DateTime<Utc>,
+    pub revoked_at: Option<DateTime<Utc>>,
+}
+
+#[derive(Debug, Clone, Serialize, Deserialize)]
+pub struct DevboxSessionWhoAmI {
+    pub user_id: Uuid,
+    pub email: Option<String>,
+    pub device_name: String,
+    pub authenticated_at: Option<DateTime<Utc>>,
+    pub expires_at: Option<DateTime<Utc>>,
+}
+
+#[derive(Debug, Clone, Serialize, Deserialize)]
+pub struct DevboxEnvironmentSelection {
+    pub environment_id: Uuid,
+    pub cluster_name: String,
+    pub namespace: String,
+}
+
+#[derive(Debug, Clone, Serialize, Deserialize)]
+pub struct DevboxPortMapping {
+    pub workload_port: u16,
+    pub local_port: u16,
+    pub protocol: String,
+}
+
+#[derive(Debug, Clone, Serialize, Deserialize)]
+pub struct DevboxPortMappingOverride {
+    pub workload_port: u16,
+    pub local_port: Option<u16>,
+}
+
+#[derive(Debug, Clone, Serialize, Deserialize)]
+pub struct DevboxWorkloadInterceptSummary {
+    pub intercept_id: Uuid,
+    pub session_id: Uuid,
+    pub workload_id: Uuid,
+    pub workload_name: String,
+    pub namespace: String,
+    pub port_mappings: Vec<DevboxPortMapping>,
+    pub created_at: DateTime<Utc>,
+    pub restored_at: Option<DateTime<Utc>>,
+}
+
+#[derive(Debug, Clone, Serialize, Deserialize)]
+pub struct DevboxWorkloadInterceptListResponse {
+    pub intercepts: Vec<DevboxWorkloadInterceptSummary>,
+}
+
+#[derive(Debug, Clone, Serialize, Deserialize)]
+pub struct DevboxStartWorkloadInterceptResponse {
+    pub intercept_id: Uuid,
+}
+
+#[derive(Debug, Clone, Serialize, Deserialize)]
+pub struct DirectTunnelCredential {
+    pub token: String,
+    pub expires_at: DateTime<Utc>,
+}
+
+#[derive(Debug, Clone, Serialize, Deserialize)]
+pub struct DirectTunnelConfig {
+    pub credential: DirectTunnelCredential,
+    pub server_certificate: Option<Vec<u8>>,
+    pub stun_observed_addr: Option<SocketAddr>,
+}
diff --git a/lapdev-common/src/devcontainer.rs b/crates/common/src/devcontainer.rs
similarity index 100%
rename from lapdev-common/src/devcontainer.rs
rename to crates/common/src/devcontainer.rs
diff --git a/crates/common/src/error_page.rs b/crates/common/src/error_page.rs
new file mode 100644
index 0000000..03030fc
--- /dev/null
+++ b/crates/common/src/error_page.rs
@@ -0,0 +1,43 @@
+const TEMPLATE: &str = include_str!(concat!(
+    env!("CARGO_MANIFEST_DIR"),
+    "/pages/error_page.html"
+));
+const MESSAGE_PLACEHOLDER: &str = "{{MESSAGE}}";
+
+/// Render the shared error page template with the provided message.
+pub fn render_error_page(message: &str) -> String {
+    TEMPLATE.replace(MESSAGE_PLACEHOLDER, &escape_html(message))
+}
+
+fn escape_html(input: &str) -> String {
+    let mut escaped = String::with_capacity(input.len());
+    for ch in input.chars() {
+        match ch {
+            '&' => escaped.push_str("&amp;"),
+            '<' => escaped.push_str("&lt;"),
+            '>' => escaped.push_str("&gt;"),
+            '"' => escaped.push_str("&quot;"),
+            '\'' => escaped.push_str("&#x27;"),
+            _ => escaped.push(ch),
+        }
+    }
+    escaped
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    #[test]
+    fn replaces_placeholder() {
+        let page = render_error_page("Example");
+        assert!(page.contains("Example"));
+        assert!(!page.contains(MESSAGE_PLACEHOLDER));
+    }
+
+    #[test]
+    fn escapes_html() {
+        let page = render_error_page("<script>alert('xss')</script>");
+        assert!(page.contains("&lt;script&gt;alert(&#x27;xss&#x27;)&lt;/script&gt;"));
+    }
+}
diff --git a/crates/common/src/hrpc.rs b/crates/common/src/hrpc.rs
new file mode 100644
index 0000000..2ab9708
--- /dev/null
+++ b/crates/common/src/hrpc.rs
@@ -0,0 +1,10 @@
+#[derive(Debug, Clone, serde::Serialize, serde::Deserialize)]
+pub struct HrpcError {
+    pub error: String,
+}
+
+impl From<HrpcError> for anyhow::Error {
+    fn from(err: HrpcError) -> Self {
+        anyhow::anyhow!(err.error)
+    }
+}
diff --git a/crates/common/src/kube.rs b/crates/common/src/kube.rs
new file mode 100644
index 0000000..147447b
--- /dev/null
+++ b/crates/common/src/kube.rs
@@ -0,0 +1,477 @@
+use std::collections::BTreeMap;
+
+use chrono::{DateTime, FixedOffset, Utc};
+use serde::{Deserialize, Serialize};
+use uuid::Uuid;
+
+pub const KUBE_CLUSTER_TOKEN_HEADER: &str = "X-Cluster-Token";
+pub const KUBE_CLUSTER_TOKEN_ENV_VAR: &str = "LAPDEV_KUBE_CLUSTER_TOKEN";
+pub const KUBE_CLUSTER_URL_ENV_VAR: &str = "LAPDEV_KUBE_CLUSTER_URL";
+pub const KUBE_CLUSTER_TUNNEL_URL_ENV_VAR: &str = "LAPDEV_KUBE_CLUSTER_TUNNEL_URL";
+pub const DEFAULT_KUBE_CLUSTER_URL: &str = "wss://ws.lap.dev/api/v1/kube/cluster/rpc";
+pub const DEFAULT_KUBE_CLUSTER_TUNNEL_URL: &str = "wss://ws.lap.dev/api/v1/kube/cluster/tunnel";
+
+pub const KUBE_ENVIRONMENT_TOKEN_HEADER: &str = "X-Lapdev-Environment-Token";
+pub const KUBE_ENVIRONMENT_TOKEN_HEADER_LOWER: &str = "x-lapdev-environment-token";
+
+pub const SIDECAR_PROXY_MANAGER_ADDR_ENV_VAR: &str = "LAPDEV_SIDECAR_PROXY_MANAGER_ADDR";
+pub const SIDECAR_PROXY_MANAGER_PORT_ENV_VAR: &str = "LAPDEV_SIDECAR_PROXY_MANAGER_PORT";
+pub const DEFAULT_SIDECAR_PROXY_MANAGER_PORT: u16 = 5001;
+pub const SIDECAR_PROXY_PORT_ENV_VAR: &str = "LAPDEV_SIDECAR_PROXY_PORT";
+pub const DEFAULT_SIDECAR_PROXY_PORT: u16 = 25001;
+pub const DEFAULT_SIDECAR_PROXY_METRICS_PORT: u16 = 25090;
+pub const SIDECAR_PROXY_DYNAMIC_PORT_START: u16 = DEFAULT_SIDECAR_PROXY_PORT + 1000;
+pub const SIDECAR_PROXY_WORKLOAD_ENV_VAR: &str = "LAPDEV_SIDECAR_PROXY_WORKLOAD";
+pub const SIDECAR_PROXY_BIND_ADDR_ENV_VAR: &str = "LAPDEV_SIDECAR_PROXY_BIND_ADDR";
+pub const DEFAULT_SIDECAR_PROXY_BIND_ADDR: &str = "0.0.0.0";
+pub const SIDECAR_PROXY_PORT_ROUTES_ENV_VAR: &str = "LAPDEV_SIDECAR_PROXY_PORT_ROUTES";
+
+#[derive(Debug, Clone, Serialize, Deserialize)]
+pub struct KubeCluster {
+    pub id: Uuid,
+    pub name: String,
+    pub can_deploy_personal: bool,
+    pub can_deploy_shared: bool,
+    pub info: KubeClusterInfo,
+}
+
+#[derive(Debug, Clone, Serialize, Deserialize)]
+pub struct KubeClusterInfo {
+    pub cluster_version: String,
+    pub node_count: u32,
+    pub available_cpu: String,
+    pub available_memory: String,
+    pub provider: Option<String>,
+    pub region: Option<String>,
+    pub status: KubeClusterStatus,
+    pub manager_namespace: Option<String>,
+}
+
+#[derive(Debug, Clone, Serialize, Deserialize)]
+pub struct ClusterStatusEvent {
+    pub organization_id: Uuid,
+    pub cluster_id: Uuid,
+    pub status: KubeClusterStatus,
+    pub cluster_version: Option<String>,
+    pub region: Option<String>,
+    pub updated_at: DateTime<Utc>,
+}
+
+#[derive(Debug, Clone, Serialize, Deserialize)]
+pub struct AppCatalogStatusEvent {
+    pub organization_id: Uuid,
+    pub catalog_id: Uuid,
+    pub cluster_id: Uuid,
+    pub sync_version: i64,
+    pub last_synced_at: Option<String>,
+    pub last_sync_actor_id: Option<Uuid>,
+    pub updated_at: DateTime<Utc>,
+}
+
+#[derive(Debug, Clone, Serialize, Deserialize)]
+pub struct EnvironmentWorkloadStatusEvent {
+    pub organization_id: Uuid,
+    pub environment_id: Uuid,
+    pub workload_id: Uuid,
+    pub ready_replicas: Option<i32>,
+    pub updated_at: DateTime<Utc>,
+}
+
+#[derive(Debug, Clone, Serialize, Deserialize, strum_macros::EnumString, strum_macros::Display)]
+pub enum KubeClusterStatus {
+    Ready,
+    #[strum(to_string = "Not Ready")]
+    NotReady,
+    Provisioning,
+    Error,
+}
+
+#[derive(
+    Debug,
+    Clone,
+    Serialize,
+    Deserialize,
+    strum_macros::EnumString,
+    strum_macros::Display,
+    PartialEq,
+    Eq,
+)]
+pub enum KubeEnvironmentSyncStatus {
+    Idle,
+    Syncing,
+}
+
+#[derive(
+    Debug,
+    Clone,
+    Copy,
+    Serialize,
+    Deserialize,
+    strum_macros::EnumString,
+    strum_macros::Display,
+    PartialEq,
+    Eq,
+)]
+pub enum KubeEnvironmentStatus {
+    Creating,
+    Running,
+    Failed,
+    Error,
+    Pausing,
+    Paused,
+    PauseFailed,
+    Resuming,
+    ResumeFailed,
+    Deleting,
+    Deleted,
+}
+
+#[derive(Debug, Clone, Serialize, Deserialize)]
+pub struct KubeWorkload {
+    pub name: String,
+    pub namespace: String,
+    pub kind: KubeWorkloadKind,
+    pub replicas: Option<i32>,
+    pub ready_replicas: Option<i32>,
+    pub created_at: Option<String>,
+    pub labels: std::collections::HashMap<String, String>,
+}
+
+#[derive(
+    PartialEq, Debug, Clone, Serialize, Deserialize, strum_macros::Display, strum_macros::EnumString,
+)]
+pub enum KubeWorkloadKind {
+    Deployment,
+    StatefulSet,
+    DaemonSet,
+    ReplicaSet,
+    Pod,
+    Job,
+    CronJob,
+}
+
+#[derive(
+    Debug, Clone, Serialize, Deserialize, PartialEq, strum_macros::EnumString, strum_macros::Display,
+)]
+pub enum PreviewUrlAccessLevel {
+    Organization, // Accessible by authenticated organization members
+    Public,       // Accessible by anyone without authentication
+}
+
+impl PreviewUrlAccessLevel {
+    pub fn get_detailed_message(&self) -> &'static str {
+        match self {
+            PreviewUrlAccessLevel::Organization => {
+                "Organization - Members of your Lapdev org after login"
+            }
+            PreviewUrlAccessLevel::Public => "Public - Anyone can access without authentication",
+        }
+    }
+}
+
+#[derive(Debug, Clone, Serialize, Deserialize)]
+pub struct KubeWorkloadList {
+    pub workloads: Vec<KubeWorkload>,
+    pub next_cursor: Option<PaginationCursor>,
+}
+
+#[derive(Debug, Clone, PartialEq, Serialize, Deserialize)]
+pub struct PaginationCursor {
+    pub workload_kind: KubeWorkloadKind,
+    pub continue_token: Option<String>,
+}
+
+#[derive(Debug, Clone, Serialize, Deserialize)]
+pub struct PaginationParams {
+    pub cursor: Option<PaginationCursor>,
+    pub limit: usize,
+}
+
+#[derive(Debug, Clone, Serialize, Deserialize)]
+pub struct PagePaginationParams {
+    pub page: usize,
+    pub page_size: usize,
+}
+
+impl Default for PagePaginationParams {
+    fn default() -> Self {
+        Self {
+            page: 1,
+            page_size: 20,
+        }
+    }
+}
+
+#[derive(Debug, Clone, Serialize, Deserialize)]
+pub struct PaginatedInfo {
+    pub total_count: usize,
+    pub page: usize,
+    pub page_size: usize,
+    pub total_pages: usize,
+}
+
+#[derive(Debug, Clone, Serialize, Deserialize)]
+pub struct PaginatedResult<T> {
+    pub data: Vec<T>,
+    pub pagination_info: PaginatedInfo,
+}
+
+#[derive(Debug, Clone, Serialize, Deserialize)]
+pub struct KubeEnvironmentStatusCount {
+    pub status: KubeEnvironmentStatus,
+    pub count: usize,
+}
+
+#[derive(Debug, Clone, Serialize, Deserialize, Default)]
+pub struct KubeEnvironmentDashboardSummary {
+    pub personal_count: usize,
+    pub shared_count: usize,
+    pub branch_count: usize,
+    pub total_count: usize,
+    pub status_breakdown: Vec<KubeEnvironmentStatusCount>,
+    pub recent_environments: Vec<KubeEnvironment>,
+}
+
+#[derive(Debug, Clone, Serialize, Deserialize)]
+pub struct CreateKubeClusterResponse {
+    pub cluster_id: Uuid,
+    pub token: String,
+}
+
+#[derive(Debug, Clone, Serialize, Deserialize)]
+pub struct KubeNamespace {
+    pub id: Uuid,
+    pub name: String,
+    pub description: Option<String>,
+    pub is_shared: bool,
+    pub created_at: DateTime<FixedOffset>,
+    pub created_by: Uuid,
+}
+
+#[derive(Debug, Clone, Serialize, Deserialize)]
+pub struct KubeNamespaceInfo {
+    pub name: String,
+    pub status: String,
+    pub created_at: Option<String>,
+}
+
+#[derive(Debug, Clone, Serialize, Deserialize)]
+pub struct KubeAppCatalog {
+    pub id: Uuid,
+    pub name: String,
+    pub description: Option<String>,
+    pub created_at: DateTime<FixedOffset>,
+    pub created_by: Uuid,
+    pub cluster_id: Uuid,
+    pub cluster_name: String,
+    pub last_sync_actor_id: Option<Uuid>,
+}
+
+#[derive(Debug, Clone, Serialize, Deserialize)]
+pub struct KubeAppCatalogWorkload {
+    pub id: Uuid,
+    pub name: String,
+    pub namespace: String,
+    pub kind: KubeWorkloadKind,
+    pub containers: Vec<KubeContainerInfo>,
+    pub ports: Vec<KubeServicePort>,
+    pub workload_yaml: String,
+    pub catalog_sync_version: i64,
+}
+
+#[derive(Debug, Clone, Serialize, Deserialize)]
+pub struct KubeAppCatalogWorkloadCreate {
+    pub name: String,
+    pub namespace: String,
+    pub kind: KubeWorkloadKind,
+}
+
+#[derive(Debug, Clone, Serialize, Deserialize)]
+pub struct KubeEnvironmentWorkload {
+    pub id: Uuid,
+    pub created_at: DateTime<FixedOffset>,
+    pub environment_id: Uuid,
+    pub base_workload_id: Option<Uuid>,
+    pub name: String,
+    pub namespace: String,
+    pub kind: String,
+    pub containers: Vec<KubeContainerInfo>,
+    pub ports: Vec<KubeServicePort>,
+    pub workload_yaml: String,
+    pub catalog_sync_version: i64,
+    pub ready_replicas: Option<i32>,
+}
+
+impl KubeEnvironmentWorkload {
+    /// Returns true if any containers in this workload have been customized
+    pub fn has_customized_containers(&self) -> bool {
+        self.containers.iter().any(|c| c.is_customized())
+    }
+}
+
+#[derive(Debug, Clone, Serialize, Deserialize)]
+pub struct KubeEnvVar {
+    pub name: String,
+    pub value: String,
+}
+
+#[derive(Debug, Clone, Serialize, Deserialize)]
+pub enum KubeContainerImage {
+    /// Follow the image from the original workload (tracks updates)
+    FollowOriginal,
+    /// Use a custom specified image
+    Custom(String),
+}
+
+#[derive(Debug, Clone, Serialize, Deserialize)]
+pub struct KubeContainerPort {
+    pub name: Option<String>,
+    pub container_port: i32,
+    pub protocol: Option<String>, // TCP, UDP, SCTP
+}
+
+#[derive(Debug, Clone, Serialize, Deserialize)]
+pub struct KubeContainerInfo {
+    pub name: String,
+    pub original_image: String,
+    pub image: KubeContainerImage,
+    pub cpu_request: Option<String>,
+    pub cpu_limit: Option<String>,
+    pub memory_request: Option<String>,
+    pub memory_limit: Option<String>,
+    pub env_vars: Vec<KubeEnvVar>,
+    pub original_env_vars: Vec<KubeEnvVar>,
+    pub ports: Vec<KubeContainerPort>,
+}
+
+impl KubeContainerInfo {
+    /// Returns true if this container has been customized from its original configuration
+    pub fn is_customized(&self) -> bool {
+        // Check if image is customized
+        matches!(self.image, KubeContainerImage::Custom(_))
+            // Check if environment variables are customized (non-empty indicates customization)
+            || !self.env_vars.is_empty()
+    }
+}
+
+#[derive(Debug, Clone, Serialize, Deserialize)]
+pub struct KubeWorkloadDetails {
+    pub name: String,
+    pub namespace: String,
+    pub kind: KubeWorkloadKind,
+    pub containers: Vec<KubeContainerInfo>,
+    pub ports: Vec<KubeServicePort>,
+    pub workload_yaml: String,
+    pub base_workload_id: Option<Uuid>,
+}
+
+#[derive(Debug, Clone, Serialize, Deserialize)]
+pub struct KubeEnvironment {
+    pub id: Uuid,
+    pub user_id: Uuid,
+    pub name: String,
+    pub namespace: String,
+    pub app_catalog_id: Uuid,
+    pub app_catalog_name: String,
+    pub cluster_id: Uuid,
+    pub cluster_name: String,
+    pub status: KubeEnvironmentStatus,
+    pub created_at: String,
+    pub is_shared: bool,
+    pub base_environment_id: Option<Uuid>,
+    pub base_environment_name: Option<String>,
+    pub base_environment_catalog_sync_version: Option<i64>,
+    pub base_environment_last_catalog_synced_at: Option<String>,
+    pub catalog_sync_version: i64,
+    pub last_catalog_synced_at: Option<String>,
+    pub paused_at: Option<String>,
+    pub resumed_at: Option<String>,
+    pub catalog_update_available: bool,
+    pub catalog_last_sync_actor_id: Option<Uuid>,
+    pub sync_status: KubeEnvironmentSyncStatus,
+}
+
+#[derive(Debug, Clone, Serialize, Deserialize)]
+pub struct KubeEnvironmentWorkloadDetail {
+    pub environment: KubeEnvironment,
+    pub workload: KubeEnvironmentWorkload,
+}
+
+#[derive(Debug, Clone, Serialize, Deserialize)]
+pub struct KubeServicePort {
+    pub name: Option<String>,
+    pub port: i32,
+    pub target_port: Option<i32>,
+    pub protocol: Option<String>,
+    pub node_port: Option<i32>,
+    #[serde(default)]
+    pub original_target_port: Option<i32>,
+}
+
+#[derive(Debug, Clone, Serialize, Deserialize)]
+pub struct KubeServiceDetails {
+    pub name: String,
+    pub ports: Vec<KubeServicePort>,
+    pub selector: BTreeMap<String, String>,
+}
+
+#[derive(Debug, Clone, Serialize, Deserialize)]
+pub struct KubeServiceWithYaml {
+    pub yaml: String,
+    pub details: KubeServiceDetails,
+}
+
+#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Eq)]
+pub struct ProxyPortRoute {
+    /// Port exposed by the sidecar proxy inside the pod.
+    pub proxy_port: u16,
+    /// Service port advertised to the cluster.
+    pub service_port: u16,
+    /// Container port on the workload that should receive the traffic.
+    pub target_port: u16,
+}
+
+#[derive(Debug, Clone, Serialize, Deserialize)]
+pub struct KubeEnvironmentService {
+    pub id: Uuid,
+    pub created_at: DateTime<FixedOffset>,
+    pub environment_id: Uuid,
+    pub name: String,
+    pub namespace: String,
+    pub yaml: String,
+    pub ports: Vec<KubeServicePort>,
+    pub selector: BTreeMap<String, String>,
+}
+
+#[derive(Debug, Clone, Serialize, Deserialize)]
+pub struct KubeEnvironmentPreviewUrl {
+    pub id: Uuid,
+    pub created_at: DateTime<FixedOffset>,
+    pub environment_id: Uuid,
+    pub service_id: Uuid,
+    pub name: String,
+    pub description: Option<String>,
+    pub port: i32,
+    pub port_name: Option<String>,
+    pub protocol: String,
+    pub access_level: PreviewUrlAccessLevel,
+    pub created_by: Uuid,
+    pub last_accessed_at: Option<DateTime<FixedOffset>>,
+    pub url: String, // Full preview URL
+}
+
+#[derive(Debug, Clone, Serialize, Deserialize)]
+pub struct CreateKubeEnvironmentPreviewUrlRequest {
+    pub description: Option<String>,
+    pub service_id: Uuid,
+    pub port: i32,
+    pub port_name: Option<String>,
+    pub protocol: Option<String>,                    // Default to "HTTP"
+    pub access_level: Option<PreviewUrlAccessLevel>, // Default to Organization
+}
+
+#[derive(Debug, Clone, Serialize, Deserialize)]
+pub struct UpdateKubeEnvironmentPreviewUrlRequest {
+    pub description: Option<String>,
+    pub access_level: Option<PreviewUrlAccessLevel>,
+}
diff --git a/lapdev-common/src/lib.rs b/crates/common/src/lib.rs
similarity index 98%
rename from lapdev-common/src/lib.rs
rename to crates/common/src/lib.rs
index 318d55f..0cf51b8 100644
--- a/lapdev-common/src/lib.rs
+++ b/crates/common/src/lib.rs
@@ -1,3 +1,13 @@
+pub mod config;
+pub mod console;
+pub mod devbox;
+pub mod devcontainer;
+pub mod error_page;
+pub mod hrpc;
+pub mod kube;
+pub mod token;
+pub mod utils;
+
 use std::collections::HashMap;
 
 use chrono::{DateTime, FixedOffset};
@@ -6,13 +16,12 @@ use serde::{Deserialize, Serialize};
 use strum_macros::EnumString;
 use uuid::Uuid;
 
-pub mod console;
-pub mod devcontainer;
-pub mod utils;
-
 pub const LAPDEV_DEFAULT_OSUSER: &str = "lapdev";
 pub const LAPDEV_BASE_HOSTNAME: &str = "lapdev-base-hostname";
+pub const LAPDEV_API_HOST: &str = "app.lap.dev";
 pub const LAPDEV_ISOLATE_CONTAINER: &str = "lapdev-isolate-container";
+pub const LAPDEV_AUTH_STATE_COOKIE: &str = "lapdev_auth_state";
+pub const LAPDEV_AUTH_TOKEN_COOKIE: &str = "lapdev_auth_token";
 
 #[derive(Serialize, Deserialize, Debug)]
 pub struct NewProject {
diff --git a/crates/common/src/token.rs b/crates/common/src/token.rs
new file mode 100644
index 0000000..5768bf3
--- /dev/null
+++ b/crates/common/src/token.rs
@@ -0,0 +1,49 @@
+use rand::distr::{Alphanumeric, SampleString};
+use secrecy::{ExposeSecret, SecretSlice, SecretString};
+use sha2::{Digest, Sha256};
+
+const TOKEN_LENGTH: usize = 64;
+
+pub struct HashedToken(SecretSlice<u8>);
+
+impl HashedToken {
+    pub fn parse(plaintext: &str) -> Self {
+        let sha256 = Self::hash(plaintext).into();
+        Self(sha256)
+    }
+
+    pub fn hash(plaintext: &str) -> Vec<u8> {
+        Sha256::digest(plaintext.as_bytes()).as_slice().to_vec()
+    }
+}
+
+impl ExposeSecret<[u8]> for HashedToken {
+    fn expose_secret(&self) -> &[u8] {
+        self.0.expose_secret()
+    }
+}
+
+pub struct PlainToken(SecretString);
+
+impl PlainToken {
+    pub fn generate() -> Self {
+        let plaintext = generate_secure_alphanumeric_string(TOKEN_LENGTH).into();
+
+        Self(plaintext)
+    }
+
+    pub fn hashed(&self) -> HashedToken {
+        let sha256 = HashedToken::hash(self.expose_secret()).into();
+        HashedToken(sha256)
+    }
+}
+
+impl ExposeSecret<str> for PlainToken {
+    fn expose_secret(&self) -> &str {
+        self.0.expose_secret()
+    }
+}
+
+fn generate_secure_alphanumeric_string(len: usize) -> String {
+    Alphanumeric.sample_string(&mut rand::rng(), len)
+}
diff --git a/crates/common/src/utils.rs b/crates/common/src/utils.rs
new file mode 100644
index 0000000..07a3f94
--- /dev/null
+++ b/crates/common/src/utils.rs
@@ -0,0 +1,82 @@
+use std::time::{SystemTime, UNIX_EPOCH};
+
+use crate::LAPDEV_API_HOST;
+
+use rand::{distr::Alphanumeric, Rng};
+use sha2::{Digest, Sha256};
+
+pub fn rand_string(n: usize) -> String {
+    rand::rng()
+        .sample_iter(&Alphanumeric)
+        .take(n)
+        .map(|i| i as char)
+        .collect::<String>()
+        .to_lowercase()
+}
+
+pub fn sha256(input: &str) -> String {
+    let hash = Sha256::digest(input.as_bytes());
+    base16ct::lower::encode_string(&hash)
+}
+
+pub fn format_repo_url(repo: &str) -> String {
+    let repo = repo.trim().to_lowercase();
+    let repo = if !repo.starts_with("http://")
+        && !repo.starts_with("https://")
+        && !repo.starts_with("ssh://")
+    {
+        format!("https://{repo}")
+    } else {
+        repo.to_string()
+    };
+    repo.strip_suffix('/')
+        .map(|r| r.to_string())
+        .unwrap_or(repo)
+}
+
+pub fn unix_timestamp() -> anyhow::Result<u64> {
+    Ok(SystemTime::now().duration_since(UNIX_EPOCH)?.as_secs())
+}
+
+/// Resolve the Lapdev API host from an optional input string.
+///
+/// Accepts raw values that may include schemes (http/https/ws/wss),
+/// trailing slashes, or the `/api` & `/api/v1` suffixes. Returns the
+/// canonical host form (no scheme, no path). Falls back to the default
+/// host when the input is `None` or empty.
+pub fn resolve_api_host(raw: Option<&str>) -> String {
+    let candidate = raw
+        .map(|value| value.trim())
+        .filter(|value| !value.is_empty())
+        .map(|value| value.to_string());
+
+    let mut host = match candidate {
+        Some(value) => value,
+        None => return LAPDEV_API_HOST.to_string(),
+    };
+
+    for prefix in ["https://", "http://", "wss://", "ws://"] {
+        if let Some(stripped) = host.strip_prefix(prefix) {
+            host = stripped.to_string();
+            break;
+        }
+    }
+
+    host = host
+        .trim_start_matches('/')
+        .trim_end_matches('/')
+        .to_string();
+
+    for suffix in ["/api/v1", "/api"] {
+        if let Some(stripped) = host.strip_suffix(suffix) {
+            host = stripped.trim_end_matches('/').to_string();
+            break;
+        }
+    }
+
+    if host.is_empty() {
+        LAPDEV_API_HOST.to_string()
+    } else {
+        host
+    }
+}
diff --git a/lapdev-conductor/Cargo.toml b/crates/conductor/Cargo.toml
similarity index 95%
rename from lapdev-conductor/Cargo.toml
rename to crates/conductor/Cargo.toml
index 9a07084..6a877c1 100644
--- a/lapdev-conductor/Cargo.toml
+++ b/crates/conductor/Cargo.toml
@@ -24,6 +24,7 @@ sea-orm.workspace = true
 tarpc.workspace = true
 uuid.workspace = true
 lapdev-db.workspace = true
+lapdev-db-entities.workspace = true
 lapdev-rpc.workspace = true
 lapdev-common.workspace = true
 lapdev-enterprise.workspace = true
diff --git a/lapdev-conductor/src/lib.rs b/crates/conductor/src/lib.rs
similarity index 100%
rename from lapdev-conductor/src/lib.rs
rename to crates/conductor/src/lib.rs
diff --git a/lapdev-conductor/src/rpc.rs b/crates/conductor/src/rpc.rs
similarity index 97%
rename from lapdev-conductor/src/rpc.rs
rename to crates/conductor/src/rpc.rs
index 3746a0e..ff1f95f 100644
--- a/lapdev-conductor/src/rpc.rs
+++ b/crates/conductor/src/rpc.rs
@@ -1,6 +1,5 @@
 use anyhow::Result;
 use lapdev_common::{BuildTarget, HostWorkspace, PrebuildUpdateEvent, WorkspaceUpdateEvent};
-use lapdev_db::entities;
 use lapdev_rpc::{error::ApiError, ConductorService};
 use sea_orm::{ActiveModelTrait, ActiveValue};
 use tarpc::context;
@@ -41,7 +40,7 @@ impl ConductorService for ConductorRpc {
         workspace_id: Uuid,
         last_inactivity: Option<chrono::prelude::DateTime<chrono::prelude::FixedOffset>>,
     ) {
-        let _ = entities::workspace::ActiveModel {
+        let _ = lapdev_db_entities::workspace::ActiveModel {
             id: ActiveValue::Set(workspace_id),
             last_inactivity: ActiveValue::Set(last_inactivity),
             ..Default::default()
diff --git a/lapdev-conductor/src/scheduler.rs b/crates/conductor/src/scheduler.rs
similarity index 53%
rename from lapdev-conductor/src/scheduler.rs
rename to crates/conductor/src/scheduler.rs
index b63ada3..ebf76e3 100644
--- a/lapdev-conductor/src/scheduler.rs
+++ b/crates/conductor/src/scheduler.rs
@@ -3,7 +3,7 @@ use std::collections::{HashMap, HashSet};
 use anyhow::Result;
 use itertools::Itertools;
 use lapdev_common::{CpuCore, PrebuildStatus, WorkspaceHostStatus};
-use lapdev_db::{entities, links};
+use lapdev_db::links;
 use sea_orm::{
     ActiveModelTrait, ActiveValue, ColumnTrait, DatabaseTransaction, EntityTrait, QueryFilter,
     QueryOrder, QuerySelect,
@@ -56,7 +56,7 @@ pub async fn pick_workspce_host(
     disk: usize,
     region: String,
     cpu_overcommit: usize,
-) -> Result<(entities::workspace_host::Model, CpuCore)> {
+) -> Result<(lapdev_db_entities::workspace_host::Model, CpuCore)> {
     let workspace_host = decide_workspace_host(
         txn,
         prebuild_workspace_host,
@@ -97,15 +97,15 @@ async fn decide_workspace_host(
     memory: usize,
     disk: usize,
     region: String,
-) -> Result<entities::workspace_host::Model> {
+) -> Result<lapdev_db_entities::workspace_host::Model> {
     // workspace_spreaded controls if Lapdev prefers to pick workspace host
     // that's busy or idle. When it's true, Lapdev prefers idle server.
     let workspace_spreaded = true;
 
     let cpu_column = if !shared {
-        entities::workspace_host::Column::AvailableDedicatedCpu
+        lapdev_db_entities::workspace_host::Column::AvailableDedicatedCpu
     } else {
-        entities::workspace_host::Column::AvailableSharedCpu
+        lapdev_db_entities::workspace_host::Column::AvailableSharedCpu
     };
 
     let order = if workspace_spreaded {
@@ -114,20 +114,21 @@ async fn decide_workspace_host(
         sea_orm::Order::Asc
     };
 
-    let query = entities::workspace_host::Entity::find()
-        .filter(entities::workspace_host::Column::Region.eq(region))
-        .filter(entities::workspace_host::Column::DeletedAt.is_null())
+    let query = lapdev_db_entities::workspace_host::Entity::find()
+        .filter(lapdev_db_entities::workspace_host::Column::Region.eq(region))
+        .filter(lapdev_db_entities::workspace_host::Column::DeletedAt.is_null())
         .filter(
-            entities::workspace_host::Column::Status.eq(WorkspaceHostStatus::Active.to_string()),
+            lapdev_db_entities::workspace_host::Column::Status
+                .eq(WorkspaceHostStatus::Active.to_string()),
         )
-        .filter(entities::workspace_host::Column::AvailableMemory.gte(memory as i32))
-        .filter(entities::workspace_host::Column::AvailableDisk.gte(disk as i32))
+        .filter(lapdev_db_entities::workspace_host::Column::AvailableMemory.gte(memory as i32))
+        .filter(lapdev_db_entities::workspace_host::Column::AvailableDisk.gte(disk as i32))
         .filter(cpu_column.gte(cpu as i32));
 
     if let Some(id) = prebuild_workspace_host {
         if let Some(host) = query
             .clone()
-            .filter(entities::workspace_host::Column::Id.eq(id))
+            .filter(lapdev_db_entities::workspace_host::Column::Id.eq(id))
             .lock_exclusive()
             .one(txn)
             .await?
@@ -141,14 +142,14 @@ async fn decide_workspace_host(
             .clone()
             .order_by(cpu_column, order.clone())
             .order_by(
-                entities::workspace_host::Column::AvailableMemory,
+                lapdev_db_entities::workspace_host::Column::AvailableMemory,
                 order.clone(),
             )
             .order_by(
-                entities::workspace_host::Column::AvailableDisk,
+                lapdev_db_entities::workspace_host::Column::AvailableDisk,
                 order.clone(),
             )
-            .filter(entities::workspace_host::Column::Id.is_in(prebuild_replica_hosts))
+            .filter(lapdev_db_entities::workspace_host::Column::Id.is_in(prebuild_replica_hosts))
             .limit(1)
             .lock_exclusive()
             .one(txn)
@@ -162,11 +163,11 @@ async fn decide_workspace_host(
         .clone()
         .order_by(cpu_column, order.clone())
         .order_by(
-            entities::workspace_host::Column::AvailableMemory,
+            lapdev_db_entities::workspace_host::Column::AvailableMemory,
             order.clone(),
         )
         .order_by(
-            entities::workspace_host::Column::AvailableDisk,
+            lapdev_db_entities::workspace_host::Column::AvailableDisk,
             order.clone(),
         )
         .limit(1)
@@ -180,15 +181,15 @@ async fn decide_workspace_host(
 
 pub async fn recalcuate_workspce_host(
     txn: &DatabaseTransaction,
-    host: &entities::workspace_host::Model,
+    host: &lapdev_db_entities::workspace_host::Model,
     cpu_overcommit: usize,
-) -> Result<entities::workspace_host::Model> {
+) -> Result<lapdev_db_entities::workspace_host::Model> {
     let existing = get_existing_resource(txn, host).await?;
     let available_core = available_cores(host.cpu as usize, cpu_overcommit, &existing.cores);
     let available_memory = host.memory - existing.memory as i32;
     let available_disk = host.disk - existing.disk as i32;
 
-    let model = entities::workspace_host::ActiveModel {
+    let model = lapdev_db_entities::workspace_host::ActiveModel {
         id: ActiveValue::Set(host.id),
         available_shared_cpu: ActiveValue::Set(available_core.available.len() as i32),
         available_dedicated_cpu: ActiveValue::Set(available_core.dedicated().len() as i32),
@@ -204,15 +205,15 @@ pub async fn recalcuate_workspce_host(
 
 async fn get_existing_resource(
     txn: &DatabaseTransaction,
-    host: &entities::workspace_host::Model,
+    host: &lapdev_db_entities::workspace_host::Model,
 ) -> Result<ExistingResource> {
     let mut existing = ExistingResource::default();
 
-    let models = entities::workspace::Entity::find()
-        .find_also_related(entities::machine_type::Entity)
-        .filter(entities::workspace::Column::HostId.eq(host.id))
-        .filter(entities::workspace::Column::DeletedAt.is_null())
-        .filter(entities::workspace::Column::ComposeParent.is_null())
+    let models = lapdev_db_entities::workspace::Entity::find()
+        .find_also_related(lapdev_db_entities::machine_type::Entity)
+        .filter(lapdev_db_entities::workspace::Column::HostId.eq(host.id))
+        .filter(lapdev_db_entities::workspace::Column::DeletedAt.is_null())
+        .filter(lapdev_db_entities::workspace::Column::ComposeParent.is_null())
         .all(txn)
         .await?;
 
@@ -228,12 +229,14 @@ async fn get_existing_resource(
         }
     }
 
-    let result = entities::prebuild::Entity::find()
+    let result = lapdev_db_entities::prebuild::Entity::find()
         .find_also_linked(links::PrebuildToMachineType)
-        .filter(entities::prebuild::Column::HostId.eq(host.id))
-        .filter(entities::prebuild::Column::Status.eq(PrebuildStatus::Building.to_string()))
-        .filter(entities::prebuild::Column::DeletedAt.is_null())
-        .filter(entities::prebuild::Column::ByWorkspace.eq(false))
+        .filter(lapdev_db_entities::prebuild::Column::HostId.eq(host.id))
+        .filter(
+            lapdev_db_entities::prebuild::Column::Status.eq(PrebuildStatus::Building.to_string()),
+        )
+        .filter(lapdev_db_entities::prebuild::Column::DeletedAt.is_null())
+        .filter(lapdev_db_entities::prebuild::Column::ByWorkspace.eq(false))
         .all(txn)
         .await?;
     for (prebuild, machine_type) in result {
@@ -296,8 +299,7 @@ mod tests {
     use std::collections::HashSet;
 
     use chrono::Utc;
-    use lapdev_common::{utils, PrebuildStatus, WorkspaceHostStatus, WorkspaceStatus};
-    use lapdev_db::{entities, tests::prepare_db};
+    use lapdev_db::tests::prepare_db;
     use sea_orm::{ActiveModelTrait, ActiveValue, TransactionTrait};
     use uuid::Uuid;
 
@@ -357,128 +359,128 @@ mod tests {
         assert_eq!(cores.available.len(), 0);
     }
 
-    #[tokio::test]
-    async fn test_recalcuate_workspce_host() {
-        let db = prepare_db().await.unwrap();
-        let txn = db.conn.begin().await.unwrap();
-
-        let machine_type = entities::machine_type::ActiveModel {
-            id: ActiveValue::Set(Uuid::new_v4()),
-            name: ActiveValue::Set("test".to_string()),
-            shared: ActiveValue::Set(true),
-            cpu: ActiveValue::Set(2),
-            memory: ActiveValue::Set(8),
-            disk: ActiveValue::Set(10),
-            cost_per_second: ActiveValue::Set(1),
-            ..Default::default()
-        }
-        .insert(&txn)
-        .await
-        .unwrap();
-
-        let workspace_host = entities::workspace_host::ActiveModel {
-            id: ActiveValue::Set(Uuid::new_v4()),
-            cpu: ActiveValue::Set(12),
-            memory: ActiveValue::Set(64),
-            disk: ActiveValue::Set(1000),
-            status: ActiveValue::Set(WorkspaceHostStatus::Active.to_string()),
-            host: ActiveValue::Set("127.0.0.1".to_string()),
-            port: ActiveValue::Set(6123),
-            inter_port: ActiveValue::Set(6122),
-            available_dedicated_cpu: ActiveValue::Set(0),
-            available_shared_cpu: ActiveValue::Set(0),
-            available_memory: ActiveValue::Set(0),
-            available_disk: ActiveValue::Set(0),
-            region: ActiveValue::Set("".to_string()),
-            zone: ActiveValue::Set("".to_string()),
-            ..Default::default()
-        }
-        .insert(&txn)
-        .await
-        .unwrap();
-
-        entities::workspace::ActiveModel {
-            id: ActiveValue::Set(Uuid::new_v4()),
-            status: ActiveValue::Set(WorkspaceStatus::Running.to_string()),
-            name: ActiveValue::Set(utils::rand_string(10)),
-            created_at: ActiveValue::Set(Utc::now().into()),
-            repo_url: ActiveValue::Set("".to_string()),
-            repo_name: ActiveValue::Set("".to_string()),
-            branch: ActiveValue::Set("".to_string()),
-            commit: ActiveValue::Set("".to_string()),
-            organization_id: ActiveValue::Set(Uuid::new_v4()),
-            user_id: ActiveValue::Set(Uuid::new_v4()),
-            project_id: ActiveValue::Set(None),
-            host_id: ActiveValue::Set(workspace_host.id),
-            osuser: ActiveValue::Set("".to_string()),
-            ssh_private_key: ActiveValue::Set("".to_string()),
-            ssh_public_key: ActiveValue::Set("".to_string()),
-            cores: ActiveValue::Set(serde_json::to_string(&[1, 2]).unwrap()),
-            ssh_port: ActiveValue::Set(None),
-            ide_port: ActiveValue::Set(None),
-            prebuild_id: ActiveValue::Set(None),
-            service: ActiveValue::Set(None),
-            usage_id: ActiveValue::Set(None),
-            machine_type_id: ActiveValue::Set(machine_type.id),
-            auto_start: ActiveValue::Set(true),
-            is_compose: ActiveValue::Set(false),
-            compose_parent: ActiveValue::Set(None),
-            auto_stop: ActiveValue::Set(None),
-            build_output: ActiveValue::Set(None),
-            updated_at: ActiveValue::Set(None),
-            deleted_at: ActiveValue::Set(None),
-            env: ActiveValue::Set(None),
-            last_inactivity: ActiveValue::Set(None),
-            pinned: ActiveValue::Set(false),
-        }
-        .insert(&txn)
-        .await
-        .unwrap();
-
-        let project = entities::project::ActiveModel {
-            id: ActiveValue::Set(Uuid::new_v4()),
-            name: ActiveValue::Set(utils::rand_string(10)),
-            created_at: ActiveValue::Set(Utc::now().into()),
-            created_by: ActiveValue::Set(Uuid::new_v4()),
-            repo_url: ActiveValue::Set("".to_string()),
-            repo_name: ActiveValue::Set("".to_string()),
-            oauth_id: ActiveValue::Set(Uuid::new_v4()),
-            host_id: ActiveValue::Set(Uuid::new_v4()),
-            osuser: ActiveValue::Set("".to_string()),
-            organization_id: ActiveValue::Set(Uuid::new_v4()),
-            machine_type_id: ActiveValue::Set(machine_type.id),
-            ..Default::default()
-        }
-        .insert(&txn)
-        .await
-        .unwrap();
-
-        entities::prebuild::ActiveModel {
-            id: ActiveValue::Set(Uuid::new_v4()),
-            status: ActiveValue::Set(PrebuildStatus::Building.to_string()),
-            created_at: ActiveValue::Set(Utc::now().into()),
-            branch: ActiveValue::Set("".to_string()),
-            commit: ActiveValue::Set("".to_string()),
-            project_id: ActiveValue::Set(project.id),
-            host_id: ActiveValue::Set(workspace_host.id),
-            osuser: ActiveValue::Set("".to_string()),
-            cores: ActiveValue::Set(serde_json::to_string(&[2, 3]).unwrap()),
-            by_workspace: ActiveValue::Set(false),
-            ..Default::default()
-        }
-        .insert(&txn)
-        .await
-        .unwrap();
-
-        let workspace_host = scheduler::recalcuate_workspce_host(&txn, &workspace_host, 4)
-            .await
-            .unwrap();
-
-        txn.commit().await.unwrap();
-
-        assert_eq!(workspace_host.available_dedicated_cpu, 9);
-        assert_eq!(workspace_host.available_shared_cpu, 9);
-        assert_eq!(workspace_host.available_memory, 48);
-        assert_eq!(workspace_host.available_disk, 980);
-    }
+    // #[tokio::test]
+    // async fn test_recalcuate_workspce_host() {
+    //     let db = prepare_db().await.unwrap();
+    //     let txn = db.conn.begin().await.unwrap();
+
+    //     let machine_type = lapdev_db_entities::machine_type::ActiveModel {
+    //         id: ActiveValue::Set(Uuid::new_v4()),
+    //         name: ActiveValue::Set("test".to_string()),
+    //         shared: ActiveValue::Set(true),
+    //         cpu: ActiveValue::Set(2),
+    //         memory: ActiveValue::Set(8),
+    //         disk: ActiveValue::Set(10),
+    //         cost_per_second: ActiveValue::Set(1),
+    //         ..Default::default()
+    //     }
+    //     .insert(&txn)
+    //     .await
+    //     .unwrap();
+
+    //     let workspace_host = lapdev_db_entities::workspace_host::ActiveModel {
+    //         id: ActiveValue::Set(Uuid::new_v4()),
+    //         cpu: ActiveValue::Set(12),
+    //         memory: ActiveValue::Set(64),
+    //         disk: ActiveValue::Set(1000),
+    //         status: ActiveValue::Set(WorkspaceHostStatus::Active.to_string()),
+    //         host: ActiveValue::Set("127.0.0.1".to_string()),
+    //         port: ActiveValue::Set(6123),
+    //         inter_port: ActiveValue::Set(6122),
+    //         available_dedicated_cpu: ActiveValue::Set(0),
+    //         available_shared_cpu: ActiveValue::Set(0),
+    //         available_memory: ActiveValue::Set(0),
+    //         available_disk: ActiveValue::Set(0),
+    //         region: ActiveValue::Set("".to_string()),
+    //         zone: ActiveValue::Set("".to_string()),
+    //         ..Default::default()
+    //     }
+    //     .insert(&txn)
+    //     .await
+    //     .unwrap();
+
+    //     lapdev_db_entities::workspace::ActiveModel {
+    //         id: ActiveValue::Set(Uuid::new_v4()),
+    //         status: ActiveValue::Set(WorkspaceStatus::Running.to_string()),
+    //         name: ActiveValue::Set(utils::rand_string(10)),
+    //         created_at: ActiveValue::Set(Utc::now().into()),
+    //         repo_url: ActiveValue::Set("".to_string()),
+    //         repo_name: ActiveValue::Set("".to_string()),
+    //         branch: ActiveValue::Set("".to_string()),
+    //         commit: ActiveValue::Set("".to_string()),
+    //         organization_id: ActiveValue::Set(Uuid::new_v4()),
+    //         user_id: ActiveValue::Set(Uuid::new_v4()),
+    //         project_id: ActiveValue::Set(None),
+    //         host_id: ActiveValue::Set(workspace_host.id),
+    //         osuser: ActiveValue::Set("".to_string()),
+    //         ssh_private_key: ActiveValue::Set("".to_string()),
+    //         ssh_public_key: ActiveValue::Set("".to_string()),
+    //         cores: ActiveValue::Set(serde_json::to_string(&[1, 2]).unwrap()),
+    //         ssh_port: ActiveValue::Set(None),
+    //         ide_port: ActiveValue::Set(None),
+    //         prebuild_id: ActiveValue::Set(None),
+    //         service: ActiveValue::Set(None),
+    //         usage_id: ActiveValue::Set(None),
+    //         machine_type_id: ActiveValue::Set(machine_type.id),
+    //         auto_start: ActiveValue::Set(true),
+    //         is_compose: ActiveValue::Set(false),
+    //         compose_parent: ActiveValue::Set(None),
+    //         auto_stop: ActiveValue::Set(None),
+    //         build_output: ActiveValue::Set(None),
+    //         updated_at: ActiveValue::Set(None),
+    //         deleted_at: ActiveValue::Set(None),
+    //         env: ActiveValue::Set(None),
+    //         last_inactivity: ActiveValue::Set(None),
+    //         pinned: ActiveValue::Set(false),
+    //     }
+    //     .insert(&txn)
+    //     .await
+    //     .unwrap();
+
+    //     let project = lapdev_db_entities::project::ActiveModel {
+    //         id: ActiveValue::Set(Uuid::new_v4()),
+    //         name: ActiveValue::Set(utils::rand_string(10)),
+    //         created_at: ActiveValue::Set(Utc::now().into()),
+    //         created_by: ActiveValue::Set(Uuid::new_v4()),
+    //         repo_url: ActiveValue::Set("".to_string()),
+    //         repo_name: ActiveValue::Set("".to_string()),
+    //         oauth_id: ActiveValue::Set(Uuid::new_v4()),
+    //         host_id: ActiveValue::Set(Uuid::new_v4()),
+    //         osuser: ActiveValue::Set("".to_string()),
+    //         organization_id: ActiveValue::Set(Uuid::new_v4()),
+    //         machine_type_id: ActiveValue::Set(machine_type.id),
+    //         ..Default::default()
+    //     }
+    //     .insert(&txn)
+    //     .await
+    //     .unwrap();
+
+    //     lapdev_db_entities::prebuild::ActiveModel {
+    //         id: ActiveValue::Set(Uuid::new_v4()),
+    //         status: ActiveValue::Set(PrebuildStatus::Building.to_string()),
+    //         created_at: ActiveValue::Set(Utc::now().into()),
+    //         branch: ActiveValue::Set("".to_string()),
+    //         commit: ActiveValue::Set("".to_string()),
+    //         project_id: ActiveValue::Set(project.id),
+    //         host_id: ActiveValue::Set(workspace_host.id),
+    //         osuser: ActiveValue::Set("".to_string()),
+    //         cores: ActiveValue::Set(serde_json::to_string(&[2, 3]).unwrap()),
+    //         by_workspace: ActiveValue::Set(false),
+    //         ..Default::default()
+    //     }
+    //     .insert(&txn)
+    //     .await
+    //     .unwrap();
+
+    //     let workspace_host = scheduler::recalcuate_workspce_host(&txn, &workspace_host, 4)
+    //         .await
+    //         .unwrap();
+
+    //     txn.commit().await.unwrap();
+
+    //     assert_eq!(workspace_host.available_dedicated_cpu, 9);
+    //     assert_eq!(workspace_host.available_shared_cpu, 9);
+    //     assert_eq!(workspace_host.available_memory, 48);
+    //     assert_eq!(workspace_host.available_disk, 980);
+    // }
 }
diff --git a/lapdev-conductor/src/server.rs b/crates/conductor/src/server.rs
similarity index 80%
rename from lapdev-conductor/src/server.rs
rename to crates/conductor/src/server.rs
index 8bbac75..1591703 100644
--- a/lapdev-conductor/src/server.rs
+++ b/crates/conductor/src/server.rs
@@ -13,12 +13,10 @@ use lapdev_common::{
     ProjectRequest, RepoBuildInfo, RepoBuildOutput, RepoSource, StartWorkspaceRequest,
     StopWorkspaceRequest, UsageResourceKind, WorkspaceStatus, WorkspaceUpdateEvent,
 };
+use lapdev_db::api::DbApi;
 use lapdev_db::api::LAPDEV_MAX_CPU_ERROR;
-use lapdev_db::{api::DbApi, entities};
 use lapdev_enterprise::enterprise::Enterprise;
-use lapdev_rpc::{
-    error::ApiError, long_running_context, spawn_twoway, ConductorService, WorkspaceServiceClient,
-};
+use lapdev_rpc::{error::ApiError, long_running_context, WorkspaceServiceClient};
 use russh::keys::ssh_key::rand_core::OsRng;
 use russh::keys::{pkcs8, Algorithm, HashAlg, PrivateKey, PublicKeyBase64};
 use sea_orm::{
@@ -26,18 +24,11 @@ use sea_orm::{
     TransactionTrait,
 };
 use serde::Deserialize;
-use sqlx::postgres::PgNotification;
-use tarpc::{
-    context,
-    server::{BaseChannel, Channel},
-};
+use tarpc::context;
 use tokio::sync::{Mutex, RwLock};
 use uuid::Uuid;
 
-use crate::{
-    rpc::ConductorRpc,
-    scheduler::{self, LAPDEV_CPU_OVERCOMMIT},
-};
+use crate::scheduler::{self, LAPDEV_CPU_OVERCOMMIT};
 
 #[derive(Clone, Default)]
 pub struct WorkspaceUpdate {
@@ -74,7 +65,7 @@ struct StatusUpdatePayload {
 }
 
 struct WorkspaceHostInfo {
-    model: entities::workspace_host::Model,
+    model: lapdev_db_entities::workspace_host::Model,
     latency: Option<u128>,
 }
 
@@ -84,7 +75,7 @@ pub struct RepoDetails {
     pub name: String,
     pub branch: String,
     pub commit: String,
-    pub project: Option<entities::project::Model>,
+    pub project: Option<lapdev_db_entities::project::Model>,
     pub auth: (String, String),
     // head branch name
     pub head: String,
@@ -94,10 +85,10 @@ pub struct RepoDetails {
 
 #[derive(Clone)]
 pub struct Conductor {
-    version: String,
-    rpc_aborts: Arc<RwLock<HashMap<Uuid, AbortHandle>>>,
+    pub version: String,
+    pub rpc_aborts: Arc<RwLock<HashMap<Uuid, AbortHandle>>>,
     rpcs: Arc<RwLock<HashMap<Uuid, WorkspaceServiceClient>>>,
-    ws_hosts: Arc<RwLock<HashMap<Uuid, WorkspaceHostInfo>>>,
+    pub ws_hosts: Arc<RwLock<HashMap<Uuid, WorkspaceHostInfo>>>,
     region: Arc<RwLock<String>>,
     data_folder: PathBuf,
     pub hostnames: Arc<RwLock<HashMap<String, String>>>,
@@ -156,414 +147,414 @@ impl Conductor {
             db,
         };
 
-        {
-            let conductor = conductor.clone();
-            tokio::spawn(async move {
-                conductor.monitor_workspace_hosts().await;
-            });
-        }
-
-        {
-            let conductor = conductor.clone();
-            tokio::spawn(async move {
-                if let Err(e) = conductor.monitor_status_updates().await {
-                    tracing::error!("conductor monitor status updates error: {e}");
-                }
-            });
-        }
-
-        {
-            let conductor = conductor.clone();
-            tokio::spawn(async move {
-                conductor.monitor_auto_start_stop().await;
-            });
-        }
+        // {
+        //     let conductor = conductor.clone();
+        //     tokio::spawn(async move {
+        //         conductor.monitor_workspace_hosts().await;
+        //     });
+        // }
+
+        // {
+        //     let conductor = conductor.clone();
+        //     tokio::spawn(async move {
+        //         if let Err(e) = conductor.monitor_status_updates().await {
+        //             tracing::error!("conductor monitor status updates error: {e}");
+        //         }
+        //     });
+        // }
+
+        // {
+        //     let conductor = conductor.clone();
+        //     tokio::spawn(async move {
+        //         conductor.monitor_auto_start_stop().await;
+        //     });
+        // }
 
         Ok(conductor)
     }
 
-    async fn listen_table_update(&self) -> Result<()> {
-        let pool = self
-            .db
-            .pool
-            .clone()
-            .ok_or_else(|| anyhow!("db doesn't have pg pool"))?;
-        let mut listener = sqlx::postgres::PgListener::connect_with(&pool).await?;
-        listener.listen("table_update").await?;
-        loop {
-            let notification = listener.recv().await?;
-            let _ = self
-                .handle_workspace_host_update_notification(notification)
-                .await;
-        }
-    }
-
-    async fn handle_workspace_host_update_notification(
-        &self,
-        notification: PgNotification,
-    ) -> Result<()> {
-        let payload: TableUpdatePayload = serde_json::from_str(notification.payload())?;
-        let workspace_host = self
-            .db
-            .get_workspace_host(payload.id)
-            .await?
-            .ok_or_else(|| anyhow!("can't find workspace host"))?;
-
-        if workspace_host.deleted_at.is_some() {
-            // the workspace host was deleted
-            self.ws_hosts.write().await.remove(&workspace_host.id);
-            self.rpcs.write().await.remove(&workspace_host.id);
-            if let Some(abort) = self.rpc_aborts.write().await.remove(&workspace_host.id) {
-                abort.abort();
-            }
-        } else {
-            let mut ws_hosts = self.ws_hosts.write().await;
-            if let Some(info) = ws_hosts.get_mut(&workspace_host.id) {
-                info.model = workspace_host;
-            } else {
-                let id = workspace_host.id;
-                let host = workspace_host.host.clone();
-                let port = workspace_host.port as u16;
-                ws_hosts.insert(
-                    id,
-                    WorkspaceHostInfo {
-                        model: workspace_host,
-                        latency: None,
-                    },
-                );
-                let conductor = self.clone();
-                tokio::spawn(async move {
-                    conductor.connect_workspace_host(id, host, port).await;
-                });
-            }
-        }
-
-        self.decide_current_region().await;
-
-        Ok(())
-    }
-
-    async fn monitor_workspace_hosts(&self) {
-        {
-            let conductor = self.clone();
-            tokio::spawn(async move {
-                if let Err(e) = conductor.listen_table_update().await {
-                    println!("listen table update error: {e}");
-                } else {
-                    println!("listen table update exited");
-                }
-            });
-        }
-
-        {
-            let mut ws_hosts = self.ws_hosts.write().await;
-            let hosts = self.get_workspace_hosts().await;
-
-            for workspace_host in hosts {
-                if !ws_hosts.contains_key(&workspace_host.id) {
-                    let id = workspace_host.id;
-                    let host = workspace_host.host.clone();
-                    let port = workspace_host.port as u16;
-                    ws_hosts.insert(
-                        id,
-                        WorkspaceHostInfo {
-                            model: workspace_host,
-                            latency: None,
-                        },
-                    );
-                    let conductor = self.clone();
-                    tokio::spawn(async move {
-                        conductor.connect_workspace_host(id, host, port).await;
-                    });
-                }
-            }
-        }
-
-        {
-            let mut tick = tokio::time::interval(Duration::from_secs(6));
-            loop {
-                tick.tick().await;
-                let rpcs = { self.rpcs.read().await.clone() };
-                for (_, rpc) in rpcs {
-                    tokio::spawn(async move {
-                        let _ = rpc.ping(context::current()).await;
-                    });
-                }
-            }
-        }
-    }
-
-    async fn monitor_status_updates(&self) -> Result<()> {
-        let pool = self
-            .db
-            .pool
-            .clone()
-            .ok_or_else(|| anyhow!("db doesn't have pg pool"))?;
-        let mut listener = sqlx::postgres::PgListener::connect_with(&pool).await?;
-        listener.listen("status_update").await?;
-        loop {
-            let notification = listener.recv().await?;
-            if let Err(e) = self.handle_status_update_notification(notification).await {
-                tracing::error!("handle status update notification error: {e:#}");
-            }
-        }
-    }
-
-    async fn handle_status_update_notification(&self, notification: PgNotification) -> Result<()> {
-        tracing::debug!(
-            "status update notification payload: {}",
-            notification.payload()
-        );
-        let payload: StatusUpdatePayload = serde_json::from_str(notification.payload())
-            .with_context(|| format!("trying to deserialize payload {}", notification.payload()))?;
-        match payload.table.as_str() {
-            "workspace" => {
-                let status = WorkspaceStatus::from_str(&payload.status).with_context(|| {
-                    format!("trying to deserialize workspace status {}", payload.status)
-                })?;
-                self.add_workspace_update_event(
-                    payload.user_id,
-                    payload.id,
-                    WorkspaceUpdateEvent::Status(status),
-                )
-                .await;
-            }
-            "prebuild" => {
-                let status = PrebuildStatus::from_str(&payload.status).with_context(|| {
-                    format!("trying to deserialize prebuild status {}", payload.status)
-                })?;
-                self.add_prebuild_update_event(payload.id, PrebuildUpdateEvent::Status(status))
-                    .await;
-            }
-            "prebuild_replica" => {
-                let status =
-                    PrebuildReplicaStatus::from_str(&payload.status).with_context(|| {
-                        format!(
-                            "trying to deserialize prebuild replica status {}",
-                            payload.status
-                        )
-                    })?;
-                self.add_prebuild_replica_update_event(payload.id, status)
-                    .await;
-            }
-            _ => {
-                return Err(anyhow!("status update table {} not handled", payload.table));
-            }
-        }
-        Ok(())
-    }
-
-    async fn get_workspace_hosts(&self) -> Vec<entities::workspace_host::Model> {
-        entities::workspace_host::Entity::find()
-            .filter(entities::workspace_host::Column::DeletedAt.is_null())
-            .all(&self.db.conn)
-            .await
-            .unwrap_or_default()
-    }
-
-    async fn connect_workspace_host(&self, id: Uuid, host: String, port: u16) {
-        loop {
-            {
-                if !self.ws_hosts.read().await.contains_key(&id) {
-                    // this means the workspace host server is removed,
-                    // so we don't connect to it anymore.
-                    return;
-                }
-            }
-
-            if let Err(e) = self.connect_workspace_host_once(id, &host, port).await {
-                tracing::error!("connect workspace host {host}:{port} failed: {e:?}");
-            }
-
-            let _ = entities::workspace_host::ActiveModel {
-                id: ActiveValue::Set(id),
-                status: ActiveValue::Set(WorkspaceHostStatus::Inactive.to_string()),
-                ..Default::default()
-            }
-            .update(&self.db.conn)
-            .await;
-
-            {
-                self.rpcs.write().await.remove(&id);
-                self.rpc_aborts.write().await.remove(&id);
-            }
-
-            let _ = tokio::time::sleep(tokio::time::Duration::from_secs(1)).await;
-        }
-    }
-
-    async fn decide_current_region(&self) {
-        if !self.enterprise.has_valid_license().await {
-            return;
-        }
-
-        let mut region_latencies = HashMap::new();
-        for (_, ws_host) in self.ws_hosts.read().await.iter() {
-            if let Some(latency) = ws_host.latency {
-                if let Some(existing) = region_latencies.get_mut(&ws_host.model.region) {
-                    if latency < *existing {
-                        *existing = latency;
-                    }
-                } else {
-                    region_latencies.insert(ws_host.model.region.clone(), latency);
-                }
-            }
-        }
-
-        if let Some((region, _)) = region_latencies.iter().min_by_key(|(_, l)| **l) {
-            let mut current_region = self.region.write().await;
-            if &*current_region != region {
-                tracing::info!("change current region from {current_region:?} to {region:?}");
-                *current_region = region.to_owned();
-            }
-        }
-    }
-
-    async fn connect_workspace_host_once(&self, id: Uuid, host: &str, port: u16) -> Result<()> {
-        tracing::debug!("start to connect to workspace host {host}:{port}");
-        let conn = tarpc::serde_transport::tcp::connect(
-            (host, port),
-            tarpc::tokio_serde::formats::Json::default,
-        )
-        .await?;
-        let (server_chan, client_chan, abort_handle) = spawn_twoway(conn);
-        let ws_client =
-            WorkspaceServiceClient::new(tarpc::client::Config::default(), client_chan).spawn();
-        {
-            self.rpcs.write().await.insert(id, ws_client.clone());
-            self.rpc_aborts
-                .write()
-                .await
-                .insert(id, abort_handle.clone());
-        }
-
-        {
-            let ws_client = ws_client.clone();
-            let conductor = self.clone();
-            tokio::spawn(async move {
-                let start = std::time::Instant::now();
-                if let Ok(pong) = ws_client.ping(context::current()).await {
-                    if pong == "pong" {
-                        let latency = start.elapsed().as_millis();
-                        {
-                            if let Some(info) = conductor.ws_hosts.write().await.get_mut(&id) {
-                                info.latency = Some(latency);
-                            }
-                        }
-
-                        conductor.decide_current_region().await;
-                    }
-                }
-            });
-        }
-
-        let rpc = ConductorRpc {
-            ws_host_id: id,
-            conductor: self.clone(),
-        };
-
-        let rpc_future = tokio::spawn(
-            BaseChannel::with_defaults(server_chan)
-                .execute(rpc.serve())
-                .for_each(|resp| async move {
-                    tokio::spawn(resp);
-                }),
-        );
-
-        let ws_version = ws_client.version(context::current()).await;
-        if ws_version.as_deref().unwrap_or_default() != self.version {
-            abort_handle.abort();
-            let ws_host = self
-                .db
-                .get_workspace_host(id)
-                .await?
-                .ok_or_else(|| anyhow!("can't find workspace host in db"))?;
-            if ws_host.status != WorkspaceHostStatus::VersionMismatch.to_string() {
-                entities::workspace_host::ActiveModel {
-                    id: ActiveValue::Set(id),
-                    status: ActiveValue::Set(WorkspaceHostStatus::VersionMismatch.to_string()),
-                    ..Default::default()
-                }
-                .update(&self.db.conn)
-                .await?;
-                tracing::error!(
-                    "version mismatch on lapdev ({}), and lapdev-ws ({ws_version:?})",
-                    self.version
-                );
-            }
-        } else {
-            entities::workspace_host::ActiveModel {
-                id: ActiveValue::Set(id),
-                status: ActiveValue::Set(WorkspaceHostStatus::Active.to_string()),
-                ..Default::default()
-            }
-            .update(&self.db.conn)
-            .await?;
-
-            let _ = rpc_future.await;
-            tracing::debug!("workspace host connection ended");
-            abort_handle.abort();
-        }
-
-        Ok(())
-    }
-
-    async fn monitor_auto_start_stop(&self) {
-        loop {
-            let orgs = if self.enterprise.license.has_valid().await {
-                self.enterprise
-                    .auto_start_stop
-                    .get_organization_auto_stop()
-                    .await
-                    .unwrap_or_default()
-            } else {
-                vec![]
-            };
-
-            if orgs.is_empty() {
-                tokio::time::sleep(Duration::from_secs(60)).await;
-            } else {
-                for org in orgs {
-                    {
-                        let workspaces = self
-                            .enterprise
-                            .auto_start_stop
-                            .organization_auto_stop_workspaces(&org)
-                            .await
-                            .unwrap_or_default();
-                        for workspace in workspaces {
-                            tracing::info!(
-                                "stop workspace {} because of auto stop timeout",
-                                workspace.name
-                            );
-                            let _ = self.stop_workspace(workspace, None, None).await;
-                        }
-                    }
-
-                    if org.running_workspace_limit > 0 {
-                        let usage = self
-                            .enterprise
-                            .usage
-                            .get_monthly_cost(org.id, None, None, Utc::now().into(), None)
-                            .await
-                            .unwrap_or(0);
-                        if usage as i64 >= org.usage_limit {
-                            if let Ok(workspaces) = self.db.get_org_running_workspaces(org.id).await
-                            {
-                                for workspace in workspaces {
-                                    tracing::info!(
-                                        "stop workspace {} because of usage limit",
-                                        workspace.name
-                                    );
-                                    let _ = self.stop_workspace(workspace, None, None).await;
-                                }
-                            }
-                        }
-                    }
-                }
-            }
-        }
-    }
+    // async fn listen_table_update(&self) -> Result<()> {
+    //     let pool = self
+    //         .db
+    //         .pool
+    //         .clone()
+    //         .ok_or_else(|| anyhow!("db doesn't have pg pool"))?;
+    //     let mut listener = sqlx::postgres::PgListener::connect_with(&pool).await?;
+    //     listener.listen("table_update").await?;
+    //     loop {
+    //         let notification = listener.recv().await?;
+    //         let _ = self
+    //             .handle_workspace_host_update_notification(notification)
+    //             .await;
+    //     }
+    // }
+
+    // async fn handle_workspace_host_update_notification(
+    //     &self,
+    //     notification: PgNotification,
+    // ) -> Result<()> {
+    //     let payload: TableUpdatePayload = serde_json::from_str(notification.payload())?;
+    //     let workspace_host = self
+    //         .db
+    //         .get_workspace_host(payload.id)
+    //         .await?
+    //         .ok_or_else(|| anyhow!("can't find workspace host"))?;
+
+    //     if workspace_host.deleted_at.is_some() {
+    //         // the workspace host was deleted
+    //         self.ws_hosts.write().await.remove(&workspace_host.id);
+    //         self.rpcs.write().await.remove(&workspace_host.id);
+    //         if let Some(abort) = self.rpc_aborts.write().await.remove(&workspace_host.id) {
+    //             abort.abort();
+    //         }
+    //     } else {
+    //         let mut ws_hosts = self.ws_hosts.write().await;
+    //         if let Some(info) = ws_hosts.get_mut(&workspace_host.id) {
+    //             info.model = workspace_host;
+    //         } else {
+    //             let id = workspace_host.id;
+    //             let host = workspace_host.host.clone();
+    //             let port = workspace_host.port as u16;
+    //             ws_hosts.insert(
+    //                 id,
+    //                 WorkspaceHostInfo {
+    //                     model: workspace_host,
+    //                     latency: None,
+    //                 },
+    //             );
+    //             let conductor = self.clone();
+    //             tokio::spawn(async move {
+    //                 conductor.connect_workspace_host(id, host, port).await;
+    //             });
+    //         }
+    //     }
+
+    //     self.decide_current_region().await;
+
+    //     Ok(())
+    // }
+
+    // async fn monitor_workspace_hosts(&self) {
+    //     {
+    //         let conductor = self.clone();
+    //         tokio::spawn(async move {
+    //             if let Err(e) = conductor.listen_table_update().await {
+    //                 tracing::error!("listen table update error: {e}");
+    //             } else {
+    //                 tracing::info!("listen table update exited");
+    //             }
+    //         });
+    //     }
+
+    //     {
+    //         let mut ws_hosts = self.ws_hosts.write().await;
+    //         let hosts = self.get_workspace_hosts().await;
+
+    //         for workspace_host in hosts {
+    //             if !ws_hosts.contains_key(&workspace_host.id) {
+    //                 let id = workspace_host.id;
+    //                 let host = workspace_host.host.clone();
+    //                 let port = workspace_host.port as u16;
+    //                 ws_hosts.insert(
+    //                     id,
+    //                     WorkspaceHostInfo {
+    //                         model: workspace_host,
+    //                         latency: None,
+    //                     },
+    //                 );
+    //                 let conductor = self.clone();
+    //                 tokio::spawn(async move {
+    //                     conductor.connect_workspace_host(id, host, port).await;
+    //                 });
+    //             }
+    //         }
+    //     }
+
+    //     {
+    //         let mut tick = tokio::time::interval(Duration::from_secs(6));
+    //         loop {
+    //             tick.tick().await;
+    //             let rpcs = { self.rpcs.read().await.clone() };
+    //             for (_, rpc) in rpcs {
+    //                 tokio::spawn(async move {
+    //                     let _ = rpc.ping(context::current()).await;
+    //                 });
+    //             }
+    //         }
+    //     }
+    // }
+
+    // async fn monitor_status_updates(&self) -> Result<()> {
+    //     let pool = self
+    //         .db
+    //         .pool
+    //         .clone()
+    //         .ok_or_else(|| anyhow!("db doesn't have pg pool"))?;
+    //     let mut listener = sqlx::postgres::PgListener::connect_with(&pool).await?;
+    //     listener.listen("status_update").await?;
+    //     loop {
+    //         let notification = listener.recv().await?;
+    //         if let Err(e) = self.handle_status_update_notification(notification).await {
+    //             tracing::error!("handle status update notification error: {e:#}");
+    //         }
+    //     }
+    // }
+
+    // async fn handle_status_update_notification(&self, notification: PgNotification) -> Result<()> {
+    //     tracing::debug!(
+    //         "status update notification payload: {}",
+    //         notification.payload()
+    //     );
+    //     let payload: StatusUpdatePayload = serde_json::from_str(notification.payload())
+    //         .with_context(|| format!("trying to deserialize payload {}", notification.payload()))?;
+    //     match payload.table.as_str() {
+    //         "workspace" => {
+    //             let status = WorkspaceStatus::from_str(&payload.status).with_context(|| {
+    //                 format!("trying to deserialize workspace status {}", payload.status)
+    //             })?;
+    //             self.add_workspace_update_event(
+    //                 payload.user_id,
+    //                 payload.id,
+    //                 WorkspaceUpdateEvent::Status(status),
+    //             )
+    //             .await;
+    //         }
+    //         "prebuild" => {
+    //             let status = PrebuildStatus::from_str(&payload.status).with_context(|| {
+    //                 format!("trying to deserialize prebuild status {}", payload.status)
+    //             })?;
+    //             self.add_prebuild_update_event(payload.id, PrebuildUpdateEvent::Status(status))
+    //                 .await;
+    //         }
+    //         "prebuild_replica" => {
+    //             let status =
+    //                 PrebuildReplicaStatus::from_str(&payload.status).with_context(|| {
+    //                     format!(
+    //                         "trying to deserialize prebuild replica status {}",
+    //                         payload.status
+    //                     )
+    //                 })?;
+    //             self.add_prebuild_replica_update_event(payload.id, status)
+    //                 .await;
+    //         }
+    //         _ => {
+    //             return Err(anyhow!("status update table {} not handled", payload.table));
+    //         }
+    //     }
+    //     Ok(())
+    // }
+
+    // async fn get_workspace_hosts(&self) -> Vec<lapdev_db_entities::workspace_host::Model> {
+    //     lapdev_db_entities::workspace_host::Entity::find()
+    //         .filter(lapdev_db_entities::workspace_host::Column::DeletedAt.is_null())
+    //         .all(&self.db.conn)
+    //         .await
+    //         .unwrap_or_default()
+    // }
+
+    // async fn connect_workspace_host(&self, id: Uuid, host: String, port: u16) {
+    //     loop {
+    //         {
+    //             if !self.ws_hosts.read().await.contains_key(&id) {
+    //                 // this means the workspace host server is removed,
+    //                 // so we don't connect to it anymore.
+    //                 return;
+    //             }
+    //         }
+
+    //         if let Err(e) = self.connect_workspace_host_once(id, &host, port).await {
+    //             tracing::error!("connect workspace host {host}:{port} failed: {e:?}");
+    //         }
+
+    //         let _ = lapdev_db_entities::workspace_host::ActiveModel {
+    //             id: ActiveValue::Set(id),
+    //             status: ActiveValue::Set(WorkspaceHostStatus::Inactive.to_string()),
+    //             ..Default::default()
+    //         }
+    //         .update(&self.db.conn)
+    //         .await;
+
+    //         {
+    //             self.rpcs.write().await.remove(&id);
+    //             self.rpc_aborts.write().await.remove(&id);
+    //         }
+
+    //         let _ = tokio::time::sleep(tokio::time::Duration::from_secs(1)).await;
+    //     }
+    // }
+
+    // async fn decide_current_region(&self) {
+    //     if !self.enterprise.has_valid_license().await {
+    //         return;
+    //     }
+
+    //     let mut region_latencies = HashMap::new();
+    //     for (_, ws_host) in self.ws_hosts.read().await.iter() {
+    //         if let Some(latency) = ws_host.latency {
+    //             if let Some(existing) = region_latencies.get_mut(&ws_host.model.region) {
+    //                 if latency < *existing {
+    //                     *existing = latency;
+    //                 }
+    //             } else {
+    //                 region_latencies.insert(ws_host.model.region.clone(), latency);
+    //             }
+    //         }
+    //     }
+
+    //     if let Some((region, _)) = region_latencies.iter().min_by_key(|(_, l)| **l) {
+    //         let mut current_region = self.region.write().await;
+    //         if &*current_region != region {
+    //             tracing::info!("change current region from {current_region:?} to {region:?}");
+    //             *current_region = region.to_owned();
+    //         }
+    //     }
+    // }
+
+    // async fn connect_workspace_host_once(&self, id: Uuid, host: &str, port: u16) -> Result<()> {
+    //     tracing::debug!("start to connect to workspace host {host}:{port}");
+    //     let conn = tarpc::serde_transport::tcp::connect(
+    //         (host, port),
+    //         tarpc::tokio_serde::formats::Json::default,
+    //     )
+    //     .await?;
+    //     let (server_chan, client_chan, abort_handle) = spawn_twoway(conn);
+    //     let ws_client =
+    //         WorkspaceServiceClient::new(tarpc::client::Config::default(), client_chan).spawn();
+    //     {
+    //         self.rpcs.write().await.insert(id, ws_client.clone());
+    //         self.rpc_aborts
+    //             .write()
+    //             .await
+    //             .insert(id, abort_handle.clone());
+    //     }
+
+    //     {
+    //         let ws_client = ws_client.clone();
+    //         let conductor = self.clone();
+    //         tokio::spawn(async move {
+    //             let start = std::time::Instant::now();
+    //             if let Ok(pong) = ws_client.ping(context::current()).await {
+    //                 if pong == "pong" {
+    //                     let latency = start.elapsed().as_millis();
+    //                     {
+    //                         if let Some(info) = conductor.ws_hosts.write().await.get_mut(&id) {
+    //                             info.latency = Some(latency);
+    //                         }
+    //                     }
+
+    //                     conductor.decide_current_region().await;
+    //                 }
+    //             }
+    //         });
+    //     }
+
+    //     let rpc = ConductorRpc {
+    //         ws_host_id: id,
+    //         conductor: self.clone(),
+    //     };
+
+    //     let rpc_future = tokio::spawn(
+    //         BaseChannel::with_defaults(server_chan)
+    //             .execute(rpc.serve())
+    //             .for_each(|resp| async move {
+    //                 tokio::spawn(resp);
+    //             }),
+    //     );
+
+    //     let ws_version = ws_client.version(context::current()).await;
+    //     if ws_version.as_deref().unwrap_or_default() != self.version {
+    //         abort_handle.abort();
+    //         let ws_host = self
+    //             .db
+    //             .get_workspace_host(id)
+    //             .await?
+    //             .ok_or_else(|| anyhow!("can't find workspace host in db"))?;
+    //         if ws_host.status != WorkspaceHostStatus::VersionMismatch.to_string() {
+    //             lapdev_db_entities::workspace_host::ActiveModel {
+    //                 id: ActiveValue::Set(id),
+    //                 status: ActiveValue::Set(WorkspaceHostStatus::VersionMismatch.to_string()),
+    //                 ..Default::default()
+    //             }
+    //             .update(&self.db.conn)
+    //             .await?;
+    //             tracing::error!(
+    //                 "version mismatch on lapdev ({}), and lapdev-ws ({ws_version:?})",
+    //                 self.version
+    //             );
+    //         }
+    //     } else {
+    //         lapdev_db_entities::workspace_host::ActiveModel {
+    //             id: ActiveValue::Set(id),
+    //             status: ActiveValue::Set(WorkspaceHostStatus::Active.to_string()),
+    //             ..Default::default()
+    //         }
+    //         .update(&self.db.conn)
+    //         .await?;
+
+    //         let _ = rpc_future.await;
+    //         tracing::debug!("workspace host connection ended");
+    //         abort_handle.abort();
+    //     }
+
+    //     Ok(())
+    // }
+
+    // async fn monitor_auto_start_stop(&self) {
+    //     loop {
+    //         let orgs = if self.enterprise.license.has_valid().await {
+    //             self.enterprise
+    //                 .auto_start_stop
+    //                 .get_organization_auto_stop()
+    //                 .await
+    //                 .unwrap_or_default()
+    //         } else {
+    //             vec![]
+    //         };
+
+    //         if orgs.is_empty() {
+    //             tokio::time::sleep(Duration::from_secs(60)).await;
+    //         } else {
+    //             for org in orgs {
+    //                 {
+    //                     let workspaces = self
+    //                         .enterprise
+    //                         .auto_start_stop
+    //                         .organization_auto_stop_workspaces(&org)
+    //                         .await
+    //                         .unwrap_or_default();
+    //                     for workspace in workspaces {
+    //                         tracing::info!(
+    //                             "stop workspace {} because of auto stop timeout",
+    //                             workspace.name
+    //                         );
+    //                         let _ = self.stop_workspace(workspace, None, None).await;
+    //                     }
+    //                 }
+
+    //                 if org.running_workspace_limit > 0 {
+    //                     let usage = self
+    //                         .enterprise
+    //                         .usage
+    //                         .get_monthly_cost(org.id, None, None, Utc::now().into(), None)
+    //                         .await
+    //                         .unwrap_or(0);
+    //                     if usage as i64 >= org.usage_limit {
+    //                         if let Ok(workspaces) = self.db.get_org_running_workspaces(org.id).await
+    //                         {
+    //                             for workspace in workspaces {
+    //                                 tracing::info!(
+    //                                     "stop workspace {} because of usage limit",
+    //                                     workspace.name
+    //                                 );
+    //                                 let _ = self.stop_workspace(workspace, None, None).await;
+    //                             }
+    //                         }
+    //                     }
+    //                 }
+    //             }
+    //         }
+    //     }
+    // }
 
     async fn get_raw_repo_details(
         &self,
@@ -635,7 +626,7 @@ impl Conductor {
 
         let path = repo_url
             .split('/')
-            .last()
+            .next_back()
             .ok_or_else(|| ApiError::RepositoryInvalid("invalid repo path".to_string()))?;
         let path = path
             .split('?')
@@ -657,9 +648,9 @@ impl Conductor {
 
     pub async fn find_match_oauth_for_repo(
         &self,
-        user: &entities::user::Model,
+        user: &lapdev_db_entities::user::Model,
         repo: &str,
-    ) -> Result<entities::oauth_connection::Model> {
+    ) -> Result<lapdev_db_entities::oauth_connection::Model> {
         let oauths = self.db.get_user_all_oauth(user.id).await?;
 
         let repo = repo.to_lowercase();
@@ -686,7 +677,7 @@ impl Conductor {
 
     pub async fn create_project(
         &self,
-        user: entities::user::Model,
+        user: lapdev_db_entities::user::Model,
         org_id: Uuid,
         project: NewProject,
         ip: Option<String>,
@@ -759,7 +750,7 @@ impl Conductor {
 
         let txn = self.db.conn.begin().await?;
         let now = Utc::now();
-        let project = entities::project::ActiveModel {
+        let project = lapdev_db_entities::project::ActiveModel {
             id: ActiveValue::Set(id),
             name: ActiveValue::Set(repo.name.clone()),
             created_at: ActiveValue::Set(now.into()),
@@ -800,7 +791,7 @@ impl Conductor {
 
     pub async fn project_branches(
         &self,
-        project: &entities::project::Model,
+        project: &lapdev_db_entities::project::Model,
         auth: (String, String),
     ) -> Result<Vec<GitBranch>, ApiError> {
         let ws_client = { self.rpcs.read().await.get(&project.host_id).cloned() }
@@ -824,10 +815,10 @@ impl Conductor {
         &self,
         org_id: Uuid,
         user_id: Uuid,
-        project: &entities::project::Model,
-        prebuild: &entities::prebuild::Model,
+        project: &lapdev_db_entities::project::Model,
+        prebuild: &lapdev_db_entities::prebuild::Model,
         repo: RepoDetails,
-        machine_type: &entities::machine_type::Model,
+        machine_type: &lapdev_db_entities::machine_type::Model,
         ip: Option<String>,
         user_agent: Option<String>,
     ) -> Result<RepoBuildResult, ApiError> {
@@ -837,10 +828,10 @@ impl Conductor {
             let current_prebuild = prebuild.id;
             let branch = prebuild.branch.clone();
             tokio::spawn(async move {
-                if let Ok(prebuilds) = entities::prebuild::Entity::find()
-                    .filter(entities::prebuild::Column::DeletedAt.is_null())
-                    .filter(entities::prebuild::Column::ProjectId.eq(project.id))
-                    .filter(entities::prebuild::Column::Branch.eq(branch))
+                if let Ok(prebuilds) = lapdev_db_entities::prebuild::Entity::find()
+                    .filter(lapdev_db_entities::prebuild::Column::DeletedAt.is_null())
+                    .filter(lapdev_db_entities::prebuild::Column::ProjectId.eq(project.id))
+                    .filter(lapdev_db_entities::prebuild::Column::Branch.eq(branch))
                     .all(&conductor.db.conn)
                     .await
                 {
@@ -909,13 +900,13 @@ impl Conductor {
 
     pub async fn create_project_prebuild(
         &self,
-        user: &entities::user::Model,
-        project: &entities::project::Model,
-        ws: Option<&entities::workspace::Model>,
+        user: &lapdev_db_entities::user::Model,
+        project: &lapdev_db_entities::project::Model,
+        ws: Option<&lapdev_db_entities::workspace::Model>,
         repo: &RepoDetails,
         ip: Option<String>,
         user_agent: Option<String>,
-    ) -> Result<entities::prebuild::Model, ApiError> {
+    ) -> Result<lapdev_db_entities::prebuild::Model, ApiError> {
         let id = uuid::Uuid::new_v4();
 
         let osuser = self.get_osuser(project.organization_id);
@@ -976,7 +967,7 @@ impl Conductor {
             )
             .await?;
 
-        let result = entities::prebuild::ActiveModel {
+        let result = lapdev_db_entities::prebuild::ActiveModel {
             id: ActiveValue::Set(id),
             deleted_at: ActiveValue::Set(None),
             created_at: ActiveValue::Set(now.into()),
@@ -1037,7 +1028,7 @@ impl Conductor {
         let org_id = project.organization_id;
         let project = project.to_owned();
         tokio::spawn(async move {
-            let mut update_prebuild = entities::prebuild::ActiveModel {
+            let mut update_prebuild = lapdev_db_entities::prebuild::ActiveModel {
                 id: ActiveValue::Set(prebuild.id),
                 ..Default::default()
             };
@@ -1128,13 +1119,13 @@ impl Conductor {
     #[allow(clippy::too_many_arguments)]
     async fn create_workspace_model(
         &self,
-        org: &entities::organization::Model,
-        user: &entities::user::Model,
+        org: &lapdev_db_entities::organization::Model,
+        user: &lapdev_db_entities::user::Model,
         repo: &RepoDetails,
-        machine_type: &entities::machine_type::Model,
+        machine_type: &lapdev_db_entities::machine_type::Model,
         ip: Option<String>,
         user_agent: Option<String>,
-    ) -> Result<entities::workspace::Model, ApiError> {
+    ) -> Result<lapdev_db_entities::workspace::Model, ApiError> {
         let name = format!("{}-{}", repo.name, rand_string(12));
         let (id_rsa, public_key) = self.generate_key_pair()?;
         let osuser = self.get_osuser(org.id);
@@ -1182,9 +1173,9 @@ impl Conductor {
         };
 
         let replica_hosts = if let Some(prebuild) = prebuild.as_ref() {
-            entities::prebuild_replica::Entity::find()
-                .filter(entities::prebuild_replica::Column::DeletedAt.is_null())
-                .filter(entities::prebuild_replica::Column::PrebuildId.eq(prebuild.id))
+            lapdev_db_entities::prebuild_replica::Entity::find()
+                .filter(lapdev_db_entities::prebuild_replica::Column::DeletedAt.is_null())
+                .filter(lapdev_db_entities::prebuild_replica::Column::PrebuildId.eq(prebuild.id))
                 .all(&txn)
                 .await?
                 .iter()
@@ -1212,7 +1203,7 @@ impl Conductor {
         })?;
         let workspace_id = Uuid::new_v4();
         let now = Utc::now();
-        let ws = entities::workspace::ActiveModel {
+        let ws = lapdev_db_entities::workspace::ActiveModel {
             id: ActiveValue::Set(workspace_id),
             deleted_at: ActiveValue::Set(None),
             name: ActiveValue::Set(name.clone()),
@@ -1271,7 +1262,7 @@ impl Conductor {
     // copy the prebuild repo content from the prebuild folder to workspace folder
     async fn copy_prebuild_content(
         &self,
-        prebuild: &entities::prebuild::Model,
+        prebuild: &lapdev_db_entities::prebuild::Model,
         info: RepoBuildInfo,
         ws_client: &WorkspaceServiceClient,
     ) -> Result<(), ApiError> {
@@ -1290,9 +1281,9 @@ impl Conductor {
 
     async fn copy_prebuild_image(
         &self,
-        prebuild: &entities::prebuild::Model,
+        prebuild: &lapdev_db_entities::prebuild::Model,
         output: &RepoBuildOutput,
-        ws: &entities::workspace::Model,
+        ws: &lapdev_db_entities::workspace::Model,
         ws_client: &WorkspaceServiceClient,
     ) -> Result<(), ApiError> {
         if ws.host_id != prebuild.host_id {
@@ -1303,7 +1294,7 @@ impl Conductor {
             let replica = if let Some(replica) = replica {
                 if replica.status == PrebuildReplicaStatus::Failed.to_string() {
                     // if the replica transfer was failed, we just try it again
-                    let replica = entities::prebuild_replica::ActiveModel {
+                    let replica = lapdev_db_entities::prebuild_replica::ActiveModel {
                         id: ActiveValue::Set(replica.id),
                         status: ActiveValue::Set(PrebuildReplicaStatus::Transferring.to_string()),
                         ..Default::default()
@@ -1368,12 +1359,12 @@ impl Conductor {
     async fn create_prebuild_replica(
         &self,
         user_id: Uuid,
-        prebuild: &entities::prebuild::Model,
+        prebuild: &lapdev_db_entities::prebuild::Model,
         host_id: Uuid,
         repo_name: &str,
     ) -> Result<(), ApiError> {
         let id = Uuid::new_v4();
-        let result = entities::prebuild_replica::ActiveModel {
+        let result = lapdev_db_entities::prebuild_replica::ActiveModel {
             id: ActiveValue::Set(id),
             deleted_at: ActiveValue::Set(None),
             created_at: ActiveValue::Set(Utc::now().into()),
@@ -1405,7 +1396,7 @@ impl Conductor {
     async fn transfer_prebuild_replica(
         &self,
         replica_id: Uuid,
-        prebuild: &entities::prebuild::Model,
+        prebuild: &lapdev_db_entities::prebuild::Model,
         host_id: Uuid,
         repo_name: &str,
     ) {
@@ -1427,7 +1418,7 @@ impl Conductor {
             } else {
                 PrebuildReplicaStatus::Ready
             };
-            let _ = entities::prebuild_replica::ActiveModel {
+            let _ = lapdev_db_entities::prebuild_replica::ActiveModel {
                 id: ActiveValue::Set(replica_id),
                 status: ActiveValue::Set(status.to_string()),
                 ..Default::default()
@@ -1439,7 +1430,7 @@ impl Conductor {
 
     async fn do_transfer_prebuild_replica(
         &self,
-        prebuild: &entities::prebuild::Model,
+        prebuild: &lapdev_db_entities::prebuild::Model,
         host_id: Uuid,
         repo_name: &str,
     ) -> Result<(), ApiError> {
@@ -1485,8 +1476,8 @@ impl Conductor {
 
     pub async fn get_project_repo_details(
         &self,
-        user: &entities::user::Model,
-        project: &entities::project::Model,
+        user: &lapdev_db_entities::user::Model,
+        project: &lapdev_db_entities::project::Model,
         branch: Option<&str>,
     ) -> Result<RepoDetails, ApiError> {
         let auth = if let Ok(Some(oauth)) = self.db.get_oauth(project.oauth_id).await {
@@ -1533,7 +1524,7 @@ impl Conductor {
     async fn get_repo_details(
         &self,
         org_id: Uuid,
-        user: &entities::user::Model,
+        user: &lapdev_db_entities::user::Model,
         source: &RepoSource,
         branch: Option<&str>,
     ) -> Result<RepoDetails, ApiError> {
@@ -1571,13 +1562,13 @@ impl Conductor {
 
     async fn prepare_prebuild(
         &self,
-        user: &entities::user::Model,
-        ws: &entities::workspace::Model,
-        project: &entities::project::Model,
+        user: &lapdev_db_entities::user::Model,
+        ws: &lapdev_db_entities::workspace::Model,
+        project: &lapdev_db_entities::project::Model,
         repo: &RepoDetails,
         ip: Option<String>,
         user_agent: Option<String>,
-    ) -> Result<Option<(entities::prebuild::Model, RepoBuildResult)>, ApiError> {
+    ) -> Result<Option<(lapdev_db_entities::prebuild::Model, RepoBuildResult)>, ApiError> {
         let prebuild = if let Some(prebuild_id) = ws.prebuild_id {
             self.db.get_prebuild(prebuild_id).await?
         } else {
@@ -1605,7 +1596,7 @@ impl Conductor {
                 )
                 .await?
                 .ok_or_else(|| anyhow!("prebuild should exist"))?;
-            entities::workspace::ActiveModel {
+            lapdev_db_entities::workspace::ActiveModel {
                 id: ActiveValue::Set(ws.id),
                 prebuild_id: ActiveValue::Set(Some(prebuild.id)),
                 ..Default::default()
@@ -1672,12 +1663,12 @@ impl Conductor {
     #[allow(clippy::too_many_arguments)]
     async fn prepare_workspace_image(
         &self,
-        user: &entities::user::Model,
+        user: &lapdev_db_entities::user::Model,
         repo: &RepoDetails,
         env: Vec<(String, String)>,
-        ws: &entities::workspace::Model,
+        ws: &lapdev_db_entities::workspace::Model,
         ws_client: &WorkspaceServiceClient,
-        machine_type: &entities::machine_type::Model,
+        machine_type: &lapdev_db_entities::machine_type::Model,
         ip: Option<String>,
         user_agent: Option<String>,
     ) -> Result<(Option<Uuid>, RepoBuildResult), ApiError> {
@@ -1737,7 +1728,7 @@ impl Conductor {
                 machine_type.cost_per_second,
             )
             .await?;
-        entities::workspace::ActiveModel {
+        lapdev_db_entities::workspace::ActiveModel {
             id: ActiveValue::Set(ws.id),
             status: ActiveValue::Set(WorkspaceStatus::Building.to_string()),
             usage_id: ActiveValue::Set(Some(usage.id)),
@@ -1758,12 +1749,12 @@ impl Conductor {
 
     async fn create_workspace_from_output(
         &self,
-        ws: &entities::workspace::Model,
+        ws: &lapdev_db_entities::workspace::Model,
         prebuild_id: Option<Uuid>,
         output: RepoBuildResult,
         env: Vec<(String, String)>,
         ws_client: &WorkspaceServiceClient,
-        machine_type: &entities::machine_type::Model,
+        machine_type: &lapdev_db_entities::machine_type::Model,
     ) -> Result<(), ApiError> {
         let flatten_env = env
             .iter()
@@ -1914,7 +1905,7 @@ impl Conductor {
                     usage.id
                 };
 
-                entities::workspace::ActiveModel {
+                lapdev_db_entities::workspace::ActiveModel {
                     id: ActiveValue::Set(ws.id),
                     ssh_port: ActiveValue::Set(ssh_port.map(|port| port as i32)),
                     ide_port: ActiveValue::Set(ide_port.map(|port| port as i32)),
@@ -1933,7 +1924,7 @@ impl Conductor {
                 ws.id
             } else {
                 let service_ws_id = Uuid::new_v4();
-                entities::workspace::ActiveModel {
+                lapdev_db_entities::workspace::ActiveModel {
                     id: ActiveValue::Set(service_ws_id),
                     name: ActiveValue::Set(workspace_name),
                     created_at: ActiveValue::Set(Utc::now().into()),
@@ -1974,7 +1965,7 @@ impl Conductor {
 
             if !exposed_ports.is_empty() {
                 for (port, host_port) in exposed_ports {
-                    entities::workspace_port::ActiveModel {
+                    lapdev_db_entities::workspace_port::ActiveModel {
                         id: ActiveValue::Set(Uuid::new_v4()),
                         deleted_at: ActiveValue::Set(None),
                         workspace_id: ActiveValue::Set(actual_ws_id),
@@ -2000,10 +1991,10 @@ impl Conductor {
     #[allow(clippy::too_many_arguments)]
     async fn do_create_workspace(
         &self,
-        user: &entities::user::Model,
-        ws: &entities::workspace::Model,
+        user: &lapdev_db_entities::user::Model,
+        ws: &lapdev_db_entities::workspace::Model,
         repo: RepoDetails,
-        machine_type: &entities::machine_type::Model,
+        machine_type: &lapdev_db_entities::machine_type::Model,
         ip: Option<String>,
         user_agent: Option<String>,
     ) -> Result<(), ApiError> {
@@ -2040,7 +2031,7 @@ impl Conductor {
         )
         .await;
 
-        entities::organization::ActiveModel {
+        lapdev_db_entities::organization::ActiveModel {
             id: ActiveValue::Set(ws.organization_id),
             has_running_workspace: ActiveValue::Set(true),
             ..Default::default()
@@ -2053,8 +2044,8 @@ impl Conductor {
 
     pub async fn create_workspace(
         &self,
-        user: entities::user::Model,
-        org: entities::organization::Model,
+        user: lapdev_db_entities::user::Model,
+        org: lapdev_db_entities::organization::Model,
         workspace: NewWorkspace,
         ip: Option<String>,
         user_agent: Option<String>,
@@ -2126,7 +2117,7 @@ impl Conductor {
                         }
                     }
                 }
-                let _ = entities::workspace::ActiveModel {
+                let _ = lapdev_db_entities::workspace::ActiveModel {
                     id: ActiveValue::Set(ws.id),
                     status: ActiveValue::Set(WorkspaceStatus::Failed.to_string()),
                     ..Default::default()
@@ -2181,10 +2172,10 @@ impl Conductor {
 
     pub async fn update_workspace_status(
         &self,
-        ws: &entities::workspace::Model,
+        ws: &lapdev_db_entities::workspace::Model,
         status: WorkspaceStatus,
-    ) -> Result<entities::workspace::Model, ApiError> {
-        let update_ws = entities::workspace::ActiveModel {
+    ) -> Result<lapdev_db_entities::workspace::Model, ApiError> {
+        let update_ws = lapdev_db_entities::workspace::ActiveModel {
             id: ActiveValue::Set(ws.id),
             status: ActiveValue::Set(status.to_string()),
             ..Default::default()
@@ -2254,7 +2245,7 @@ impl Conductor {
 
     pub async fn delete_workspace(
         &self,
-        workspace: &entities::workspace::Model,
+        workspace: &lapdev_db_entities::workspace::Model,
         ip: Option<String>,
         user_agent: Option<String>,
     ) -> Result<(), ApiError> {
@@ -2297,7 +2288,7 @@ impl Conductor {
                 .end_usage(&txn, usage_id, now.into())
                 .await?;
         }
-        let update_ws = entities::workspace::ActiveModel {
+        let update_ws = lapdev_db_entities::workspace::ActiveModel {
             id: ActiveValue::Set(workspace.id),
             status: ActiveValue::Set(WorkspaceStatus::Deleting.to_string()),
             updated_at: ActiveValue::Set(Some(now.into())),
@@ -2309,9 +2300,9 @@ impl Conductor {
         txn.commit().await?;
 
         let compose_services = if ws.is_compose {
-            entities::workspace::Entity::find()
-                .filter(entities::workspace::Column::DeletedAt.is_null())
-                .filter(entities::workspace::Column::ComposeParent.eq(ws.id))
+            lapdev_db_entities::workspace::Entity::find()
+                .filter(lapdev_db_entities::workspace::Column::DeletedAt.is_null())
+                .filter(lapdev_db_entities::workspace::Column::ComposeParent.eq(ws.id))
                 .all(&self.db.conn)
                 .await?
         } else {
@@ -2343,7 +2334,7 @@ impl Conductor {
 
     async fn do_delete_workspace(
         &self,
-        ws: &entities::workspace::Model,
+        ws: &lapdev_db_entities::workspace::Model,
         network: Option<String>,
         ip: Option<String>,
         user_agent: Option<String>,
@@ -2394,7 +2385,7 @@ impl Conductor {
                     .db
                     .get_workspace_host_with_lock(&txn, ws.host_id)
                     .await?;
-                entities::workspace::ActiveModel {
+                lapdev_db_entities::workspace::ActiveModel {
                     id: ActiveValue::Set(ws.id),
                     status: ActiveValue::Set(status.to_string()),
                     deleted_at: ActiveValue::Set(Some(now.into())),
@@ -2439,7 +2430,7 @@ impl Conductor {
                 };
                 tracing::error!("delete workspace {} failed: {e}", ws.id);
                 let status = WorkspaceStatus::DeleteFailed;
-                entities::workspace::ActiveModel {
+                lapdev_db_entities::workspace::ActiveModel {
                     id: ActiveValue::Set(ws.id),
                     status: ActiveValue::Set(status.to_string()),
                     updated_at: ActiveValue::Set(Some(now.into())),
@@ -2459,7 +2450,7 @@ impl Conductor {
     async fn update_org_has_running_workspace(&self, org_id: Uuid) -> Result<()> {
         let ws = self.db.get_org_running_workspace(org_id).await?;
         if ws.is_none() {
-            entities::organization::ActiveModel {
+            lapdev_db_entities::organization::ActiveModel {
                 id: ActiveValue::Set(org_id),
                 has_running_workspace: ActiveValue::Set(false),
                 ..Default::default()
@@ -2472,7 +2463,7 @@ impl Conductor {
 
     pub async fn start_workspace(
         &self,
-        workspace: entities::workspace::Model,
+        workspace: lapdev_db_entities::workspace::Model,
         // waiting for the actual start on workspace host
         waiting: bool,
         ip: Option<String>,
@@ -2513,7 +2504,7 @@ impl Conductor {
                 user_agent,
             )
             .await?;
-        let update_ws = entities::workspace::ActiveModel {
+        let update_ws = lapdev_db_entities::workspace::ActiveModel {
             id: ActiveValue::Set(workspace.id),
             updated_at: ActiveValue::Set(Some(now.into())),
             status: ActiveValue::Set(WorkspaceStatus::Starting.to_string()),
@@ -2527,9 +2518,9 @@ impl Conductor {
             ws_client.ok_or_else(|| anyhow!("can't connect to the workspace servic client"))?;
 
         let compose_services = if ws.is_compose {
-            entities::workspace::Entity::find()
-                .filter(entities::workspace::Column::DeletedAt.is_null())
-                .filter(entities::workspace::Column::ComposeParent.eq(ws.id))
+            lapdev_db_entities::workspace::Entity::find()
+                .filter(lapdev_db_entities::workspace::Column::DeletedAt.is_null())
+                .filter(lapdev_db_entities::workspace::Column::ComposeParent.eq(ws.id))
                 .all(&self.db.conn)
                 .await?
         } else {
@@ -2560,7 +2551,7 @@ impl Conductor {
 
     pub async fn stop_workspace(
         &self,
-        workspace: entities::workspace::Model,
+        workspace: lapdev_db_entities::workspace::Model,
         ip: Option<String>,
         user_agent: Option<String>,
     ) -> Result<(), ApiError> {
@@ -2594,7 +2585,7 @@ impl Conductor {
                 .end_usage(&txn, usage_id, now.into())
                 .await?;
         }
-        let update_ws = entities::workspace::ActiveModel {
+        let update_ws = lapdev_db_entities::workspace::ActiveModel {
             id: ActiveValue::Set(workspace.id),
             status: ActiveValue::Set(WorkspaceStatus::Stopping.to_string()),
             updated_at: ActiveValue::Set(Some(now.into())),
@@ -2609,9 +2600,9 @@ impl Conductor {
             ws_client.ok_or_else(|| anyhow!("can't connect to the workspace servic client"))?;
 
         let compose_services = if ws.is_compose {
-            entities::workspace::Entity::find()
-                .filter(entities::workspace::Column::DeletedAt.is_null())
-                .filter(entities::workspace::Column::ComposeParent.eq(ws.id))
+            lapdev_db_entities::workspace::Entity::find()
+                .filter(lapdev_db_entities::workspace::Column::DeletedAt.is_null())
+                .filter(lapdev_db_entities::workspace::Column::ComposeParent.eq(ws.id))
                 .all(&self.db.conn)
                 .await?
         } else {
@@ -2637,7 +2628,7 @@ impl Conductor {
 
     pub async fn rebuild_workspace(
         &self,
-        workspace: entities::workspace::Model,
+        workspace: lapdev_db_entities::workspace::Model,
         ip: Option<String>,
         user_agent: Option<String>,
     ) -> Result<(), ApiError> {
@@ -2715,7 +2706,7 @@ impl Conductor {
                 .await?;
             usage.id
         };
-        let ws = entities::workspace::ActiveModel {
+        let ws = lapdev_db_entities::workspace::ActiveModel {
             id: ActiveValue::Set(workspace.id),
             status: ActiveValue::Set(WorkspaceStatus::Building.to_string()),
             usage_id: ActiveValue::Set(Some(usage_id)),
@@ -2742,7 +2733,7 @@ impl Conductor {
                         .end_usage(&txn, usage_id, now.into())
                         .await?;
 
-                    entities::workspace::ActiveModel {
+                    lapdev_db_entities::workspace::ActiveModel {
                         id: ActiveValue::Set(workspace.id),
                         status: ActiveValue::Set(WorkspaceStatus::Failed.to_string()),
                         updated_at: ActiveValue::Set(Some(now.into())),
@@ -2763,16 +2754,16 @@ impl Conductor {
 
     async fn do_rebuild_workspace(
         &self,
-        ws: &entities::workspace::Model,
-        machine_type: &entities::machine_type::Model,
+        ws: &lapdev_db_entities::workspace::Model,
+        machine_type: &lapdev_db_entities::machine_type::Model,
     ) -> Result<(), ApiError> {
         let ws_client = { self.rpcs.read().await.get(&ws.host_id).cloned() }
             .ok_or_else(|| anyhow!("can't find the workspace host rpc client"))?;
 
         let compose_services = if ws.is_compose {
-            entities::workspace::Entity::find()
-                .filter(entities::workspace::Column::DeletedAt.is_null())
-                .filter(entities::workspace::Column::ComposeParent.eq(ws.id))
+            lapdev_db_entities::workspace::Entity::find()
+                .filter(lapdev_db_entities::workspace::Column::DeletedAt.is_null())
+                .filter(lapdev_db_entities::workspace::Column::ComposeParent.eq(ws.id))
                 .all(&self.db.conn)
                 .await?
         } else {
@@ -2792,7 +2783,7 @@ impl Conductor {
                 )
                 .await??;
             let now = Utc::now();
-            entities::workspace::ActiveModel {
+            lapdev_db_entities::workspace::ActiveModel {
                 id: ActiveValue::Set(service_ws.id),
                 status: ActiveValue::Set(WorkspaceStatus::Deleted.to_string()),
                 deleted_at: ActiveValue::Set(Some(now.into())),
@@ -2803,13 +2794,13 @@ impl Conductor {
         }
 
         let now = Utc::now();
-        entities::workspace_port::Entity::update_many()
-            .set(entities::workspace_port::ActiveModel {
+        lapdev_db_entities::workspace_port::Entity::update_many()
+            .set(lapdev_db_entities::workspace_port::ActiveModel {
                 deleted_at: ActiveValue::Set(Some(now.into())),
                 ..Default::default()
             })
-            .filter(entities::workspace_port::Column::WorkspaceId.eq(ws.id))
-            .filter(entities::workspace_port::Column::DeletedAt.is_null())
+            .filter(lapdev_db_entities::workspace_port::Column::WorkspaceId.eq(ws.id))
+            .filter(lapdev_db_entities::workspace_port::Column::DeletedAt.is_null())
             .exec(&self.db.conn)
             .await?;
 
@@ -2898,7 +2889,7 @@ impl Conductor {
         )
         .await;
 
-        entities::organization::ActiveModel {
+        lapdev_db_entities::organization::ActiveModel {
             id: ActiveValue::Set(ws.organization_id),
             has_running_workspace: ActiveValue::Set(true),
             ..Default::default()
@@ -2912,7 +2903,7 @@ impl Conductor {
     async fn do_start_workspace(
         &self,
         ws_client: &WorkspaceServiceClient,
-        ws: &entities::workspace::Model,
+        ws: &lapdev_db_entities::workspace::Model,
     ) -> Result<()> {
         let result = ws_client
             .start_workspace(
@@ -2954,7 +2945,7 @@ impl Conductor {
                 } else {
                     None
                 };
-                entities::workspace::ActiveModel {
+                lapdev_db_entities::workspace::ActiveModel {
                     id: ActiveValue::Set(ws.id),
                     status: ActiveValue::Set(status.to_string()),
                     usage_id: ActiveValue::Set(usage.map(|u| u.id)),
@@ -2966,7 +2957,7 @@ impl Conductor {
                 .await?;
                 txn.commit().await?;
 
-                entities::organization::ActiveModel {
+                lapdev_db_entities::organization::ActiveModel {
                     id: ActiveValue::Set(ws.organization_id),
                     has_running_workspace: ActiveValue::Set(true),
                     ..Default::default()
@@ -2984,7 +2975,7 @@ impl Conductor {
                 };
                 tracing::error!("start workspace {} failed: {e}", ws.id);
                 let status = WorkspaceStatus::Failed;
-                entities::workspace::ActiveModel {
+                lapdev_db_entities::workspace::ActiveModel {
                     id: ActiveValue::Set(ws.id),
                     updated_at: ActiveValue::Set(Some(now.into())),
                     status: ActiveValue::Set(WorkspaceStatus::Failed.to_string()),
@@ -3002,7 +2993,7 @@ impl Conductor {
     async fn do_stop_workspace(
         &self,
         ws_client: &WorkspaceServiceClient,
-        ws: &entities::workspace::Model,
+        ws: &lapdev_db_entities::workspace::Model,
     ) -> Result<()> {
         let result = ws_client
             .stop_workspace(
@@ -3017,7 +3008,7 @@ impl Conductor {
         match result {
             Ok(_) => {
                 let status = WorkspaceStatus::Stopped;
-                entities::workspace::ActiveModel {
+                lapdev_db_entities::workspace::ActiveModel {
                     id: ActiveValue::Set(ws.id),
                     status: ActiveValue::Set(status.to_string()),
                     updated_at: ActiveValue::Set(Some(now.into())),
@@ -3034,7 +3025,7 @@ impl Conductor {
                 };
                 tracing::error!("stop workspace {} failed: {e}", ws.id);
                 let status = WorkspaceStatus::StopFailed;
-                entities::workspace::ActiveModel {
+                lapdev_db_entities::workspace::ActiveModel {
                     id: ActiveValue::Set(ws.id),
                     status: ActiveValue::Set(status.to_string()),
                     updated_at: ActiveValue::Set(Some(now.into())),
@@ -3133,13 +3124,13 @@ impl Conductor {
         &self,
         org_id: Uuid,
         user_id: Uuid,
-        project: &entities::project::Model,
+        project: &lapdev_db_entities::project::Model,
         ip: Option<String>,
         user_agent: Option<String>,
     ) -> Result<(), ApiError> {
         let now = Utc::now();
         let txn = self.db.conn.begin().await?;
-        let project = entities::project::ActiveModel {
+        let project = lapdev_db_entities::project::ActiveModel {
             id: ActiveValue::Set(project.id),
             deleted_at: ActiveValue::Set(Some(now.into())),
             ..Default::default()
@@ -3179,10 +3170,13 @@ impl Conductor {
         Ok(())
     }
 
-    async fn do_delete_project(&self, project: &entities::project::Model) -> Result<(), ApiError> {
-        let prebuilds = entities::prebuild::Entity::find()
-            .filter(entities::prebuild::Column::ProjectId.eq(project.id))
-            .filter(entities::prebuild::Column::DeletedAt.is_null())
+    async fn do_delete_project(
+        &self,
+        project: &lapdev_db_entities::project::Model,
+    ) -> Result<(), ApiError> {
+        let prebuilds = lapdev_db_entities::prebuild::Entity::find()
+            .filter(lapdev_db_entities::prebuild::Column::ProjectId.eq(project.id))
+            .filter(lapdev_db_entities::prebuild::Column::DeletedAt.is_null())
             .all(&self.db.conn)
             .await?;
 
@@ -3207,8 +3201,8 @@ impl Conductor {
         &self,
         org_id: Uuid,
         user_id: Uuid,
-        project: &entities::project::Model,
-        prebuild: &entities::prebuild::Model,
+        project: &lapdev_db_entities::project::Model,
+        prebuild: &lapdev_db_entities::prebuild::Model,
         ip: Option<String>,
         user_agent: Option<String>,
     ) -> Result<(), ApiError> {
@@ -3219,9 +3213,9 @@ impl Conductor {
         }
 
         let txn = self.db.conn.begin().await?;
-        if entities::workspace::Entity::find()
-            .filter(entities::workspace::Column::DeletedAt.is_null())
-            .filter(entities::workspace::Column::PrebuildId.eq(prebuild.id))
+        if lapdev_db_entities::workspace::Entity::find()
+            .filter(lapdev_db_entities::workspace::Column::DeletedAt.is_null())
+            .filter(lapdev_db_entities::workspace::Column::PrebuildId.eq(prebuild.id))
             .lock_exclusive()
             .one(&txn)
             .await?
@@ -3232,7 +3226,7 @@ impl Conductor {
             ));
         }
 
-        entities::prebuild::ActiveModel {
+        lapdev_db_entities::prebuild::ActiveModel {
             id: ActiveValue::Set(prebuild.id),
             deleted_at: ActiveValue::Set(Some(Utc::now().into())),
             ..Default::default()
@@ -3280,7 +3274,7 @@ impl Conductor {
 
     async fn do_delete_prebuild(
         &self,
-        prebuild: &entities::prebuild::Model,
+        prebuild: &lapdev_db_entities::prebuild::Model,
     ) -> Result<(), ApiError> {
         let ws_client = { self.rpcs.read().await.get(&prebuild.host_id).cloned() }
             .ok_or_else(|| anyhow!("can't find the workspace host rpc client"))?;
@@ -3299,9 +3293,9 @@ impl Conductor {
             )
             .await??;
 
-        let replicas = entities::prebuild_replica::Entity::find()
-            .filter(entities::prebuild_replica::Column::DeletedAt.is_null())
-            .filter(entities::prebuild_replica::Column::PrebuildId.eq(prebuild.id))
+        let replicas = lapdev_db_entities::prebuild_replica::Entity::find()
+            .filter(lapdev_db_entities::prebuild_replica::Column::DeletedAt.is_null())
+            .filter(lapdev_db_entities::prebuild_replica::Column::PrebuildId.eq(prebuild.id))
             .all(&self.db.conn)
             .await?;
         for replica in replicas {
@@ -3317,7 +3311,7 @@ impl Conductor {
                     output.clone(),
                 )
                 .await??;
-            entities::prebuild_replica::ActiveModel {
+            lapdev_db_entities::prebuild_replica::ActiveModel {
                 id: ActiveValue::Set(replica.id),
                 deleted_at: ActiveValue::Set(Some(Utc::now().into())),
                 ..Default::default()
@@ -3340,7 +3334,7 @@ impl Conductor {
         ip: Option<String>,
         user_agent: Option<String>,
     ) -> Result<(), ApiError> {
-        let prebuild = entities::prebuild::Entity::find_by_id(prebuild_id)
+        let prebuild = lapdev_db_entities::prebuild::Entity::find_by_id(prebuild_id)
             .one(&self.db.conn)
             .await?
             .ok_or_else(|| anyhow!("no prebuild"))?;
@@ -3349,10 +3343,10 @@ impl Conductor {
         }
 
         let project = self.db.get_project(prebuild.project_id).await?;
-        let latest = entities::prebuild::Entity::find()
-            .filter(entities::prebuild::Column::ProjectId.eq(prebuild.project_id))
-            .filter(entities::prebuild::Column::DeletedAt.is_null())
-            .order_by_desc(entities::prebuild::Column::CreatedAt)
+        let latest = lapdev_db_entities::prebuild::Entity::find()
+            .filter(lapdev_db_entities::prebuild::Column::ProjectId.eq(prebuild.project_id))
+            .filter(lapdev_db_entities::prebuild::Column::DeletedAt.is_null())
+            .order_by_desc(lapdev_db_entities::prebuild::Column::CreatedAt)
             .one(&self.db.conn)
             .await?
             .ok_or_else(|| anyhow!("project doesn't have prebuilds"))?;
@@ -3380,14 +3374,14 @@ impl Conductor {
         &self,
         org_id: Uuid,
         user_id: Uuid,
-        project: &entities::project::Model,
-        prebuild: &entities::prebuild::Model,
+        project: &lapdev_db_entities::project::Model,
+        prebuild: &lapdev_db_entities::prebuild::Model,
         ip: Option<String>,
         user_agent: Option<String>,
     ) -> Result<(), ApiError> {
-        if entities::workspace::Entity::find()
-            .filter(entities::workspace::Column::DeletedAt.is_null())
-            .filter(entities::workspace::Column::PrebuildId.eq(prebuild.id))
+        if lapdev_db_entities::workspace::Entity::find()
+            .filter(lapdev_db_entities::workspace::Column::DeletedAt.is_null())
+            .filter(lapdev_db_entities::workspace::Column::PrebuildId.eq(prebuild.id))
             .one(&self.db.conn)
             .await?
             .is_some()
diff --git a/lapdev-dashboard/Cargo.lock b/crates/dashboard/Cargo.lock
similarity index 100%
rename from lapdev-dashboard/Cargo.lock
rename to crates/dashboard/Cargo.lock
diff --git a/crates/dashboard/Cargo.toml b/crates/dashboard/Cargo.toml
new file mode 100644
index 0000000..83a5e13
--- /dev/null
+++ b/crates/dashboard/Cargo.toml
@@ -0,0 +1,26 @@
+[package]
+name = "lapdev-dashboard"
+version.workspace = true
+authors.workspace = true
+edition.workspace = true
+
+[dependencies]
+gloo-net = "0.6.0"
+gloo-timers = { version = "0.2", features = ["futures"] }
+wasm-bindgen = "0.2.100"
+web-sys = { version = "0.3.77", features = ["Navigator", "Clipboard", "DomRect", "Element"] }
+urlencoding = "2.1.3"
+lucide-leptos = "1.2.0"
+uuid = { version = "1.16.0", features = ["v4", "serde", "js"] }
+getrandom = { version = "0.3", features = ["wasm_js"] }
+tailwind_fuse = { version = "0.3.2", features = ["variant"] }
+leptos = { version = "0.8.2", features = ["csr"] }
+leptos_router = { version = "0.8.2" }
+rust_decimal.workspace = true
+chrono.workspace = true
+serde.workspace = true
+serde_json.workspace = true
+anyhow.workspace = true
+futures.workspace = true
+lapdev-common.workspace = true
+lapdev-api-hrpc.workspace = true
diff --git a/lapdev-dashboard/Trunk.toml b/crates/dashboard/Trunk.toml
similarity index 100%
rename from lapdev-dashboard/Trunk.toml
rename to crates/dashboard/Trunk.toml
diff --git a/lapdev-dashboard/main.css b/crates/dashboard/dist/.stage/main-10252f88a73a5884.css
similarity index 100%
rename from lapdev-dashboard/main.css
rename to crates/dashboard/dist/.stage/main-10252f88a73a5884.css
diff --git a/lapdev-dashboard/index.html b/crates/dashboard/index.html
similarity index 100%
rename from lapdev-dashboard/index.html
rename to crates/dashboard/index.html
diff --git a/crates/dashboard/main.css b/crates/dashboard/main.css
new file mode 100644
index 0000000..76b9cd8
--- /dev/null
+++ b/crates/dashboard/main.css
@@ -0,0 +1,2727 @@
+/*
+! tailwindcss v3.4.1 | MIT License | https://tailwindcss.com
+*/
+
+/*
+1. Prevent padding and border from affecting element width. (https://github.com/mozdevs/cssremedy/issues/4)
+2. Allow adding a border to an element by just adding a border-width. (https://github.com/tailwindcss/tailwindcss/pull/116)
+*/
+
+*,
+::before,
+::after {
+  box-sizing: border-box;
+  /* 1 */
+  border-width: 0;
+  /* 2 */
+  border-style: solid;
+  /* 2 */
+  border-color: #E5E7EB;
+  /* 2 */
+}
+
+::before,
+::after {
+  --tw-content: '';
+}
+
+/*
+1. Use a consistent sensible line-height in all browsers.
+2. Prevent adjustments of font size after orientation changes in iOS.
+3. Use a more readable tab size.
+4. Use the user's configured `sans` font-family by default.
+5. Use the user's configured `sans` font-feature-settings by default.
+6. Use the user's configured `sans` font-variation-settings by default.
+7. Disable tap highlights on iOS
+*/
+
+html,
+:host {
+  line-height: 1.5;
+  /* 1 */
+  -webkit-text-size-adjust: 100%;
+  /* 2 */
+  -moz-tab-size: 4;
+  /* 3 */
+  -o-tab-size: 4;
+     tab-size: 4;
+  /* 3 */
+  font-family: ui-sans-serif, system-ui, sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol", "Noto Color Emoji";
+  /* 4 */
+  font-feature-settings: normal;
+  /* 5 */
+  font-variation-settings: normal;
+  /* 6 */
+  -webkit-tap-highlight-color: transparent;
+  /* 7 */
+}
+
+/*
+1. Remove the margin in all browsers.
+2. Inherit line-height from `html` so users can set them as a class directly on the `html` element.
+*/
+
+body {
+  margin: 0;
+  /* 1 */
+  line-height: inherit;
+  /* 2 */
+}
+
+/*
+1. Add the correct height in Firefox.
+2. Correct the inheritance of border color in Firefox. (https://bugzilla.mozilla.org/show_bug.cgi?id=190655)
+3. Ensure horizontal rules are visible by default.
+*/
+
+hr {
+  height: 0;
+  /* 1 */
+  color: inherit;
+  /* 2 */
+  border-top-width: 1px;
+  /* 3 */
+}
+
+/*
+Add the correct text decoration in Chrome, Edge, and Safari.
+*/
+
+abbr:where([title]) {
+  -webkit-text-decoration: underline dotted;
+          text-decoration: underline dotted;
+}
+
+/*
+Remove the default font size and weight for headings.
+*/
+
+h1,
+h2,
+h3,
+h4,
+h5,
+h6 {
+  font-size: inherit;
+  font-weight: inherit;
+}
+
+/*
+Reset links to optimize for opt-in styling instead of opt-out.
+*/
+
+a {
+  color: inherit;
+  text-decoration: inherit;
+}
+
+/*
+Add the correct font weight in Edge and Safari.
+*/
+
+b,
+strong {
+  font-weight: bolder;
+}
+
+/*
+1. Use the user's configured `mono` font-family by default.
+2. Use the user's configured `mono` font-feature-settings by default.
+3. Use the user's configured `mono` font-variation-settings by default.
+4. Correct the odd `em` font sizing in all browsers.
+*/
+
+code,
+kbd,
+samp,
+pre {
+  font-family: ui-monospace, SFMono-Regular, Menlo, Monaco, Consolas, "Liberation Mono", "Courier New", monospace;
+  /* 1 */
+  font-feature-settings: normal;
+  /* 2 */
+  font-variation-settings: normal;
+  /* 3 */
+  font-size: 1em;
+  /* 4 */
+}
+
+/*
+Add the correct font size in all browsers.
+*/
+
+small {
+  font-size: 80%;
+}
+
+/*
+Prevent `sub` and `sup` elements from affecting the line height in all browsers.
+*/
+
+sub,
+sup {
+  font-size: 75%;
+  line-height: 0;
+  position: relative;
+  vertical-align: baseline;
+}
+
+sub {
+  bottom: -0.25em;
+}
+
+sup {
+  top: -0.5em;
+}
+
+/*
+1. Remove text indentation from table contents in Chrome and Safari. (https://bugs.chromium.org/p/chromium/issues/detail?id=999088, https://bugs.webkit.org/show_bug.cgi?id=201297)
+2. Correct table border color inheritance in all Chrome and Safari. (https://bugs.chromium.org/p/chromium/issues/detail?id=935729, https://bugs.webkit.org/show_bug.cgi?id=195016)
+3. Remove gaps between table borders by default.
+*/
+
+table {
+  text-indent: 0;
+  /* 1 */
+  border-color: inherit;
+  /* 2 */
+  border-collapse: collapse;
+  /* 3 */
+}
+
+/*
+1. Change the font styles in all browsers.
+2. Remove the margin in Firefox and Safari.
+3. Remove default padding in all browsers.
+*/
+
+button,
+input,
+optgroup,
+select,
+textarea {
+  font-family: inherit;
+  /* 1 */
+  font-feature-settings: inherit;
+  /* 1 */
+  font-variation-settings: inherit;
+  /* 1 */
+  font-size: 100%;
+  /* 1 */
+  font-weight: inherit;
+  /* 1 */
+  line-height: inherit;
+  /* 1 */
+  color: inherit;
+  /* 1 */
+  margin: 0;
+  /* 2 */
+  padding: 0;
+  /* 3 */
+}
+
+/*
+Remove the inheritance of text transform in Edge and Firefox.
+*/
+
+button,
+select {
+  text-transform: none;
+}
+
+/*
+1. Correct the inability to style clickable types in iOS and Safari.
+2. Remove default button styles.
+*/
+
+button,
+[type='button'],
+[type='reset'],
+[type='submit'] {
+  -webkit-appearance: button;
+  /* 1 */
+  background-color: transparent;
+  /* 2 */
+  background-image: none;
+  /* 2 */
+}
+
+/*
+Use the modern Firefox focus style for all focusable elements.
+*/
+
+:-moz-focusring {
+  outline: auto;
+}
+
+/*
+Remove the additional `:invalid` styles in Firefox. (https://github.com/mozilla/gecko-dev/blob/2f9eacd9d3d995c937b4251a5557d95d494c9be1/layout/style/res/forms.css#L728-L737)
+*/
+
+:-moz-ui-invalid {
+  box-shadow: none;
+}
+
+/*
+Add the correct vertical alignment in Chrome and Firefox.
+*/
+
+progress {
+  vertical-align: baseline;
+}
+
+/*
+Correct the cursor style of increment and decrement buttons in Safari.
+*/
+
+::-webkit-inner-spin-button,
+::-webkit-outer-spin-button {
+  height: auto;
+}
+
+/*
+1. Correct the odd appearance in Chrome and Safari.
+2. Correct the outline style in Safari.
+*/
+
+[type='search'] {
+  -webkit-appearance: textfield;
+  /* 1 */
+  outline-offset: -2px;
+  /* 2 */
+}
+
+/*
+Remove the inner padding in Chrome and Safari on macOS.
+*/
+
+::-webkit-search-decoration {
+  -webkit-appearance: none;
+}
+
+/*
+1. Correct the inability to style clickable types in iOS and Safari.
+2. Change font properties to `inherit` in Safari.
+*/
+
+::-webkit-file-upload-button {
+  -webkit-appearance: button;
+  /* 1 */
+  font: inherit;
+  /* 2 */
+}
+
+/*
+Add the correct display in Chrome and Safari.
+*/
+
+summary {
+  display: list-item;
+}
+
+/*
+Removes the default spacing and border for appropriate elements.
+*/
+
+blockquote,
+dl,
+dd,
+h1,
+h2,
+h3,
+h4,
+h5,
+h6,
+hr,
+figure,
+p,
+pre {
+  margin: 0;
+}
+
+fieldset {
+  margin: 0;
+  padding: 0;
+}
+
+legend {
+  padding: 0;
+}
+
+ol,
+ul,
+menu {
+  list-style: none;
+  margin: 0;
+  padding: 0;
+}
+
+/*
+Reset default styling for dialogs.
+*/
+
+dialog {
+  padding: 0;
+}
+
+/*
+Prevent resizing textareas horizontally by default.
+*/
+
+textarea {
+  resize: vertical;
+}
+
+/*
+1. Reset the default placeholder opacity in Firefox. (https://github.com/tailwindlabs/tailwindcss/issues/3300)
+2. Set the default placeholder color to the user's configured gray 400 color.
+*/
+
+input::-moz-placeholder, textarea::-moz-placeholder {
+  opacity: 1;
+  /* 1 */
+  color: #9CA3AF;
+  /* 2 */
+}
+
+input::placeholder,
+textarea::placeholder {
+  opacity: 1;
+  /* 1 */
+  color: #9CA3AF;
+  /* 2 */
+}
+
+/*
+Set the default cursor for buttons.
+*/
+
+button,
+[role="button"] {
+  cursor: pointer;
+}
+
+/*
+Make sure disabled buttons don't get the pointer cursor.
+*/
+
+:disabled {
+  cursor: default;
+}
+
+/*
+1. Make replaced elements `display: block` by default. (https://github.com/mozdevs/cssremedy/issues/14)
+2. Add `vertical-align: middle` to align replaced elements more sensibly by default. (https://github.com/jensimmons/cssremedy/issues/14#issuecomment-634934210)
+   This can trigger a poorly considered lint error in some tools but is included by design.
+*/
+
+img,
+svg,
+video,
+canvas,
+audio,
+iframe,
+embed,
+object {
+  display: block;
+  /* 1 */
+  vertical-align: middle;
+  /* 2 */
+}
+
+/*
+Constrain images and videos to the parent width and preserve their intrinsic aspect ratio. (https://github.com/mozdevs/cssremedy/issues/14)
+*/
+
+img,
+video {
+  max-width: 100%;
+  height: auto;
+}
+
+/* Make elements with the HTML hidden attribute stay hidden by default */
+
+[hidden] {
+  display: none;
+}
+
+[data-popper-arrow],[data-popper-arrow]:before {
+  position: absolute;
+  width: 8px;
+  height: 8px;
+  background: inherit;
+}
+
+[data-popper-arrow] {
+  visibility: hidden;
+}
+
+[data-popper-arrow]:before {
+  content: "";
+  visibility: visible;
+  transform: rotate(45deg);
+}
+
+[data-popper-arrow]:after {
+  content: "";
+  visibility: visible;
+  transform: rotate(45deg);
+  position: absolute;
+  width: 9px;
+  height: 9px;
+  background: inherit;
+}
+
+[role="tooltip"] > [data-popper-arrow]:before {
+  border-style: solid;
+  border-color: #e5e7eb;
+}
+
+.dark [role="tooltip"] > [data-popper-arrow]:before {
+  border-style: solid;
+  border-color: #4b5563;
+}
+
+[role="tooltip"] > [data-popper-arrow]:after {
+  border-style: solid;
+  border-color: #e5e7eb;
+}
+
+.dark [role="tooltip"] > [data-popper-arrow]:after {
+  border-style: solid;
+  border-color: #4b5563;
+}
+
+[data-popover][role="tooltip"][data-popper-placement^='top'] > [data-popper-arrow]:before {
+  border-bottom-width: 1px;
+  border-right-width: 1px;
+}
+
+[data-popover][role="tooltip"][data-popper-placement^='top'] > [data-popper-arrow]:after {
+  border-bottom-width: 1px;
+  border-right-width: 1px;
+}
+
+[data-popover][role="tooltip"][data-popper-placement^='right'] > [data-popper-arrow]:before {
+  border-bottom-width: 1px;
+  border-left-width: 1px;
+}
+
+[data-popover][role="tooltip"][data-popper-placement^='right'] > [data-popper-arrow]:after {
+  border-bottom-width: 1px;
+  border-left-width: 1px;
+}
+
+[data-popover][role="tooltip"][data-popper-placement^='bottom'] > [data-popper-arrow]:before {
+  border-top-width: 1px;
+  border-left-width: 1px;
+}
+
+[data-popover][role="tooltip"][data-popper-placement^='bottom'] > [data-popper-arrow]:after {
+  border-top-width: 1px;
+  border-left-width: 1px;
+}
+
+[data-popover][role="tooltip"][data-popper-placement^='left'] > [data-popper-arrow]:before {
+  border-top-width: 1px;
+  border-right-width: 1px;
+}
+
+[data-popover][role="tooltip"][data-popper-placement^='left'] > [data-popper-arrow]:after {
+  border-top-width: 1px;
+  border-right-width: 1px;
+}
+
+[data-popover][role="tooltip"][data-popper-placement^='top'] > [data-popper-arrow] {
+  bottom: -5px;
+}
+
+[data-popover][role="tooltip"][data-popper-placement^='bottom'] > [data-popper-arrow] {
+  top: -5px;
+}
+
+[data-popover][role="tooltip"][data-popper-placement^='left'] > [data-popper-arrow] {
+  right: -5px;
+}
+
+[data-popover][role="tooltip"][data-popper-placement^='right'] > [data-popper-arrow] {
+  left: -5px;
+}
+
+[type='text'],[type='email'],[type='url'],[type='password'],[type='number'],[type='date'],[type='datetime-local'],[type='month'],[type='search'],[type='tel'],[type='time'],[type='week'],[multiple],textarea,select {
+  -webkit-appearance: none;
+     -moz-appearance: none;
+          appearance: none;
+  background-color: #fff;
+  border-color: #6B7280;
+  border-width: 1px;
+  border-radius: 0px;
+  padding-top: 0.5rem;
+  padding-right: 0.75rem;
+  padding-bottom: 0.5rem;
+  padding-left: 0.75rem;
+  font-size: 1rem;
+  line-height: 1.5rem;
+  --tw-shadow: 0 0 #0000;
+}
+
+[type='text']:focus, [type='email']:focus, [type='url']:focus, [type='password']:focus, [type='number']:focus, [type='date']:focus, [type='datetime-local']:focus, [type='month']:focus, [type='search']:focus, [type='tel']:focus, [type='time']:focus, [type='week']:focus, [multiple]:focus, textarea:focus, select:focus {
+  outline: 2px solid transparent;
+  outline-offset: 2px;
+  --tw-ring-inset: var(--tw-empty,/*!*/ /*!*/);
+  --tw-ring-offset-width: 0px;
+  --tw-ring-offset-color: #fff;
+  --tw-ring-color: #1C64F2;
+  --tw-ring-offset-shadow: var(--tw-ring-inset) 0 0 0 var(--tw-ring-offset-width) var(--tw-ring-offset-color);
+  --tw-ring-shadow: var(--tw-ring-inset) 0 0 0 calc(1px + var(--tw-ring-offset-width)) var(--tw-ring-color);
+  box-shadow: var(--tw-ring-offset-shadow), var(--tw-ring-shadow), var(--tw-shadow);
+  border-color: #1C64F2;
+}
+
+input::-moz-placeholder, textarea::-moz-placeholder {
+  color: #6B7280;
+  opacity: 1;
+}
+
+input::placeholder,textarea::placeholder {
+  color: #6B7280;
+  opacity: 1;
+}
+
+::-webkit-datetime-edit-fields-wrapper {
+  padding: 0;
+}
+
+::-webkit-date-and-time-value {
+  min-height: 1.5em;
+}
+
+select:not([size]) {
+  background-image: url("data:image/svg+xml,%3csvg aria-hidden='true' xmlns='http://www.w3.org/2000/svg' fill='none' viewBox='0 0 10 6'%3e %3cpath stroke='%236B7280' stroke-linecap='round' stroke-linejoin='round' stroke-width='2' d='m1 1 4 4 4-4'/%3e %3c/svg%3e");
+  background-position: right 0.75rem center;
+  background-repeat: no-repeat;
+  background-size: 0.75em 0.75em;
+  padding-right: 2.5rem;
+  -webkit-print-color-adjust: exact;
+          print-color-adjust: exact;
+}
+
+:is([dir=rtl]) select:not([size]) {
+  background-position: left 0.75rem center;
+  padding-right: 0.75rem;
+  padding-left: 0;
+}
+
+[multiple] {
+  background-image: initial;
+  background-position: initial;
+  background-repeat: unset;
+  background-size: initial;
+  padding-right: 0.75rem;
+  -webkit-print-color-adjust: unset;
+          print-color-adjust: unset;
+}
+
+[type='checkbox'],[type='radio'] {
+  -webkit-appearance: none;
+     -moz-appearance: none;
+          appearance: none;
+  padding: 0;
+  -webkit-print-color-adjust: exact;
+          print-color-adjust: exact;
+  display: inline-block;
+  vertical-align: middle;
+  background-origin: border-box;
+  -webkit-user-select: none;
+     -moz-user-select: none;
+          user-select: none;
+  flex-shrink: 0;
+  height: 1rem;
+  width: 1rem;
+  color: #1C64F2;
+  background-color: #fff;
+  border-color: #6B7280;
+  border-width: 1px;
+  --tw-shadow: 0 0 #0000;
+}
+
+[type='checkbox'] {
+  border-radius: 0px;
+}
+
+[type='radio'] {
+  border-radius: 100%;
+}
+
+[type='checkbox']:focus,[type='radio']:focus {
+  outline: 2px solid transparent;
+  outline-offset: 2px;
+  --tw-ring-inset: var(--tw-empty,/*!*/ /*!*/);
+  --tw-ring-offset-width: 2px;
+  --tw-ring-offset-color: #fff;
+  --tw-ring-color: #1C64F2;
+  --tw-ring-offset-shadow: var(--tw-ring-inset) 0 0 0 var(--tw-ring-offset-width) var(--tw-ring-offset-color);
+  --tw-ring-shadow: var(--tw-ring-inset) 0 0 0 calc(2px + var(--tw-ring-offset-width)) var(--tw-ring-color);
+  box-shadow: var(--tw-ring-offset-shadow), var(--tw-ring-shadow), var(--tw-shadow);
+}
+
+[type='checkbox']:checked,[type='radio']:checked,.dark [type='checkbox']:checked,.dark [type='radio']:checked {
+  border-color: transparent;
+  background-color: currentColor;
+  background-size: 0.55em 0.55em;
+  background-position: center;
+  background-repeat: no-repeat;
+}
+
+[type='checkbox']:checked {
+  background-image: url("data:image/svg+xml,%3csvg aria-hidden='true' xmlns='http://www.w3.org/2000/svg' fill='none' viewBox='0 0 16 12'%3e %3cpath stroke='white' stroke-linecap='round' stroke-linejoin='round' stroke-width='3' d='M1 5.917 5.724 10.5 15 1.5'/%3e %3c/svg%3e");
+  background-repeat: no-repeat;
+  background-size: 0.55em 0.55em;
+  -webkit-print-color-adjust: exact;
+          print-color-adjust: exact;
+}
+
+[type='radio']:checked {
+  background-image: url("data:image/svg+xml,%3csvg viewBox='0 0 16 16' fill='white' xmlns='http://www.w3.org/2000/svg'%3e%3ccircle cx='8' cy='8' r='3'/%3e%3c/svg%3e");
+  background-size: 1em 1em;
+}
+
+.dark [type='radio']:checked {
+  background-image: url("data:image/svg+xml,%3csvg viewBox='0 0 16 16' fill='white' xmlns='http://www.w3.org/2000/svg'%3e%3ccircle cx='8' cy='8' r='3'/%3e%3c/svg%3e");
+  background-size: 1em 1em;
+}
+
+[type='checkbox']:indeterminate {
+  background-image: url("data:image/svg+xml,%3csvg aria-hidden='true' xmlns='http://www.w3.org/2000/svg' fill='none' viewBox='0 0 16 12'%3e %3cpath stroke='white' stroke-linecap='round' stroke-linejoin='round' stroke-width='3' d='M1 5.917 5.724 10.5 15 1.5'/%3e %3c/svg%3e");
+  background-color: currentColor;
+  border-color: transparent;
+  background-position: center;
+  background-repeat: no-repeat;
+  background-size: 0.55em 0.55em;
+  -webkit-print-color-adjust: exact;
+          print-color-adjust: exact;
+}
+
+[type='checkbox']:indeterminate:hover,[type='checkbox']:indeterminate:focus {
+  border-color: transparent;
+  background-color: currentColor;
+}
+
+[type='file'] {
+  background: unset;
+  border-color: inherit;
+  border-width: 0;
+  border-radius: 0;
+  padding: 0;
+  font-size: unset;
+  line-height: inherit;
+}
+
+[type='file']:focus {
+  outline: 1px auto inherit;
+}
+
+input[type=file]::file-selector-button {
+  color: white;
+  background: #1F2937;
+  border: 0;
+  font-weight: 500;
+  font-size: 0.875rem;
+  cursor: pointer;
+  padding-top: 0.625rem;
+  padding-bottom: 0.625rem;
+  padding-left: 2rem;
+  padding-right: 1rem;
+  margin-inline-start: -1rem;
+  margin-inline-end: 1rem;
+}
+
+input[type=file]::file-selector-button:hover {
+  background: #374151;
+}
+
+:is([dir=rtl]) input[type=file]::file-selector-button {
+  padding-right: 2rem;
+  padding-left: 1rem;
+}
+
+.dark input[type=file]::file-selector-button {
+  color: white;
+  background: #4B5563;
+}
+
+.dark input[type=file]::file-selector-button:hover {
+  background: #6B7280;
+}
+
+input[type="range"]::-webkit-slider-thumb {
+  height: 1.25rem;
+  width: 1.25rem;
+  background: #1C64F2;
+  border-radius: 9999px;
+  border: 0;
+  appearance: none;
+  -moz-appearance: none;
+  -webkit-appearance: none;
+  cursor: pointer;
+}
+
+input[type="range"]:disabled::-webkit-slider-thumb {
+  background: #9CA3AF;
+}
+
+.dark input[type="range"]:disabled::-webkit-slider-thumb {
+  background: #6B7280;
+}
+
+input[type="range"]:focus::-webkit-slider-thumb {
+  outline: 2px solid transparent;
+  outline-offset: 2px;
+  --tw-ring-offset-shadow: var(--tw-ring-inset) 0 0 0 var(--tw-ring-offset-width) var(--tw-ring-offset-color);
+  --tw-ring-shadow: var(--tw-ring-inset) 0 0 0 calc(4px + var(--tw-ring-offset-width)) var(--tw-ring-color);
+  box-shadow: var(--tw-ring-offset-shadow), var(--tw-ring-shadow), var(--tw-shadow, 0 0 #0000);
+  --tw-ring-opacity: 1px;
+  --tw-ring-color: rgb(164 202 254 / var(--tw-ring-opacity));
+}
+
+input[type="range"]::-moz-range-thumb {
+  height: 1.25rem;
+  width: 1.25rem;
+  background: #1C64F2;
+  border-radius: 9999px;
+  border: 0;
+  appearance: none;
+  -moz-appearance: none;
+  -webkit-appearance: none;
+  cursor: pointer;
+}
+
+input[type="range"]:disabled::-moz-range-thumb {
+  background: #9CA3AF;
+}
+
+.dark input[type="range"]:disabled::-moz-range-thumb {
+  background: #6B7280;
+}
+
+input[type="range"]::-moz-range-progress {
+  background: #3F83F8;
+}
+
+input[type="range"]::-ms-fill-lower {
+  background: #3F83F8;
+}
+
+*, ::before, ::after {
+  --tw-border-spacing-x: 0;
+  --tw-border-spacing-y: 0;
+  --tw-translate-x: 0;
+  --tw-translate-y: 0;
+  --tw-rotate: 0;
+  --tw-skew-x: 0;
+  --tw-skew-y: 0;
+  --tw-scale-x: 1;
+  --tw-scale-y: 1;
+  --tw-pan-x:  ;
+  --tw-pan-y:  ;
+  --tw-pinch-zoom:  ;
+  --tw-scroll-snap-strictness: proximity;
+  --tw-gradient-from-position:  ;
+  --tw-gradient-via-position:  ;
+  --tw-gradient-to-position:  ;
+  --tw-ordinal:  ;
+  --tw-slashed-zero:  ;
+  --tw-numeric-figure:  ;
+  --tw-numeric-spacing:  ;
+  --tw-numeric-fraction:  ;
+  --tw-ring-inset:  ;
+  --tw-ring-offset-width: 0px;
+  --tw-ring-offset-color: #fff;
+  --tw-ring-color: rgb(63 131 248 / 0.5);
+  --tw-ring-offset-shadow: 0 0 #0000;
+  --tw-ring-shadow: 0 0 #0000;
+  --tw-shadow: 0 0 #0000;
+  --tw-shadow-colored: 0 0 #0000;
+  --tw-blur:  ;
+  --tw-brightness:  ;
+  --tw-contrast:  ;
+  --tw-grayscale:  ;
+  --tw-hue-rotate:  ;
+  --tw-invert:  ;
+  --tw-saturate:  ;
+  --tw-sepia:  ;
+  --tw-drop-shadow:  ;
+  --tw-backdrop-blur:  ;
+  --tw-backdrop-brightness:  ;
+  --tw-backdrop-contrast:  ;
+  --tw-backdrop-grayscale:  ;
+  --tw-backdrop-hue-rotate:  ;
+  --tw-backdrop-invert:  ;
+  --tw-backdrop-opacity:  ;
+  --tw-backdrop-saturate:  ;
+  --tw-backdrop-sepia:  ;
+}
+
+::backdrop {
+  --tw-border-spacing-x: 0;
+  --tw-border-spacing-y: 0;
+  --tw-translate-x: 0;
+  --tw-translate-y: 0;
+  --tw-rotate: 0;
+  --tw-skew-x: 0;
+  --tw-skew-y: 0;
+  --tw-scale-x: 1;
+  --tw-scale-y: 1;
+  --tw-pan-x:  ;
+  --tw-pan-y:  ;
+  --tw-pinch-zoom:  ;
+  --tw-scroll-snap-strictness: proximity;
+  --tw-gradient-from-position:  ;
+  --tw-gradient-via-position:  ;
+  --tw-gradient-to-position:  ;
+  --tw-ordinal:  ;
+  --tw-slashed-zero:  ;
+  --tw-numeric-figure:  ;
+  --tw-numeric-spacing:  ;
+  --tw-numeric-fraction:  ;
+  --tw-ring-inset:  ;
+  --tw-ring-offset-width: 0px;
+  --tw-ring-offset-color: #fff;
+  --tw-ring-color: rgb(63 131 248 / 0.5);
+  --tw-ring-offset-shadow: 0 0 #0000;
+  --tw-ring-shadow: 0 0 #0000;
+  --tw-shadow: 0 0 #0000;
+  --tw-shadow-colored: 0 0 #0000;
+  --tw-blur:  ;
+  --tw-brightness:  ;
+  --tw-contrast:  ;
+  --tw-grayscale:  ;
+  --tw-hue-rotate:  ;
+  --tw-invert:  ;
+  --tw-saturate:  ;
+  --tw-sepia:  ;
+  --tw-drop-shadow:  ;
+  --tw-backdrop-blur:  ;
+  --tw-backdrop-brightness:  ;
+  --tw-backdrop-contrast:  ;
+  --tw-backdrop-grayscale:  ;
+  --tw-backdrop-hue-rotate:  ;
+  --tw-backdrop-invert:  ;
+  --tw-backdrop-opacity:  ;
+  --tw-backdrop-saturate:  ;
+  --tw-backdrop-sepia:  ;
+}
+
+.container {
+  width: 100%;
+}
+
+@media (min-width: 640px) {
+  .container {
+    max-width: 640px;
+  }
+}
+
+@media (min-width: 768px) {
+  .container {
+    max-width: 768px;
+  }
+}
+
+@media (min-width: 1024px) {
+  .container {
+    max-width: 1024px;
+  }
+}
+
+@media (min-width: 1280px) {
+  .container {
+    max-width: 1280px;
+  }
+}
+
+@media (min-width: 1536px) {
+  .container {
+    max-width: 1536px;
+  }
+}
+
+.sr-only {
+  position: absolute;
+  width: 1px;
+  height: 1px;
+  padding: 0;
+  margin: -1px;
+  overflow: hidden;
+  clip: rect(0, 0, 0, 0);
+  white-space: nowrap;
+  border-width: 0;
+}
+
+.pointer-events-none {
+  pointer-events: none;
+}
+
+.static {
+  position: static;
+}
+
+.fixed {
+  position: fixed;
+}
+
+.absolute {
+  position: absolute;
+}
+
+.relative {
+  position: relative;
+}
+
+.inset-y-0 {
+  top: 0px;
+  bottom: 0px;
+}
+
+.-left-3 {
+  left: -0.75rem;
+}
+
+.bottom-6 {
+  bottom: 1.5rem;
+}
+
+.end-2 {
+  inset-inline-end: 0.5rem;
+}
+
+.end-2\.5 {
+  inset-inline-end: 0.625rem;
+}
+
+.left-0 {
+  left: 0px;
+}
+
+.right-0 {
+  right: 0px;
+}
+
+.start-0 {
+  inset-inline-start: 0px;
+}
+
+.top-0 {
+  top: 0px;
+}
+
+.top-12 {
+  top: 3rem;
+}
+
+.top-3 {
+  top: 0.75rem;
+}
+
+.z-10 {
+  z-index: 10;
+}
+
+.z-20 {
+  z-index: 20;
+}
+
+.z-40 {
+  z-index: 40;
+}
+
+.z-50 {
+  z-index: 50;
+}
+
+.mx-1 {
+  margin-left: 0.25rem;
+  margin-right: 0.25rem;
+}
+
+.mx-2 {
+  margin-left: 0.5rem;
+  margin-right: 0.5rem;
+}
+
+.mx-auto {
+  margin-left: auto;
+  margin-right: auto;
+}
+
+.my-2 {
+  margin-top: 0.5rem;
+  margin-bottom: 0.5rem;
+}
+
+.my-4 {
+  margin-top: 1rem;
+  margin-bottom: 1rem;
+}
+
+.my-8 {
+  margin-top: 2rem;
+  margin-bottom: 2rem;
+}
+
+.-mb-px {
+  margin-bottom: -1px;
+}
+
+.mb-1 {
+  margin-bottom: 0.25rem;
+}
+
+.mb-2 {
+  margin-bottom: 0.5rem;
+}
+
+.mb-4 {
+  margin-bottom: 1rem;
+}
+
+.mb-5 {
+  margin-bottom: 1.25rem;
+}
+
+.mb-6 {
+  margin-bottom: 1.5rem;
+}
+
+.mb-8 {
+  margin-bottom: 2rem;
+}
+
+.me-2 {
+  margin-inline-end: 0.5rem;
+}
+
+.me-3 {
+  margin-inline-end: 0.75rem;
+}
+
+.ml-2 {
+  margin-left: 0.5rem;
+}
+
+.ml-3 {
+  margin-left: 0.75rem;
+}
+
+.ml-4 {
+  margin-left: 1rem;
+}
+
+.ml-8 {
+  margin-left: 2rem;
+}
+
+.mr-1 {
+  margin-right: 0.25rem;
+}
+
+.mr-10 {
+  margin-right: 2.5rem;
+}
+
+.mr-2 {
+  margin-right: 0.5rem;
+}
+
+.mr-2\.5 {
+  margin-right: 0.625rem;
+}
+
+.mr-3 {
+  margin-right: 0.75rem;
+}
+
+.mr-4 {
+  margin-right: 1rem;
+}
+
+.mr-8 {
+  margin-right: 2rem;
+}
+
+.ms-3 {
+  margin-inline-start: 0.75rem;
+}
+
+.ms-auto {
+  margin-inline-start: auto;
+}
+
+.mt-1 {
+  margin-top: 0.25rem;
+}
+
+.mt-2 {
+  margin-top: 0.5rem;
+}
+
+.mt-4 {
+  margin-top: 1rem;
+}
+
+.mt-5 {
+  margin-top: 1.25rem;
+}
+
+.mt-8 {
+  margin-top: 2rem;
+}
+
+.block {
+  display: block;
+}
+
+.inline-block {
+  display: inline-block;
+}
+
+.inline {
+  display: inline;
+}
+
+.flex {
+  display: flex;
+}
+
+.inline-flex {
+  display: inline-flex;
+}
+
+.grid {
+  display: grid;
+}
+
+.\!hidden {
+  display: none !important;
+}
+
+.hidden {
+  display: none;
+}
+
+.h-1 {
+  height: 0.25rem;
+}
+
+.h-1\.5 {
+  height: 0.375rem;
+}
+
+.h-10 {
+  height: 2.5rem;
+}
+
+.h-12 {
+  height: 3rem;
+}
+
+.h-2 {
+  height: 0.5rem;
+}
+
+.h-2\.5 {
+  height: 0.625rem;
+}
+
+.h-3 {
+  height: 0.75rem;
+}
+
+.h-32 {
+  height: 8rem;
+}
+
+.h-4 {
+  height: 1rem;
+}
+
+.h-40 {
+  height: 10rem;
+}
+
+.h-48 {
+  height: 12rem;
+}
+
+.h-5 {
+  height: 1.25rem;
+}
+
+.h-6 {
+  height: 1.5rem;
+}
+
+.h-8 {
+  height: 2rem;
+}
+
+.h-9 {
+  height: 2.25rem;
+}
+
+.h-full {
+  height: 100%;
+}
+
+.h-screen {
+  height: 100vh;
+}
+
+.max-h-full {
+  max-height: 100%;
+}
+
+.max-h-screen {
+  max-height: 100vh;
+}
+
+.w-1\/2 {
+  width: 50%;
+}
+
+.w-1\/3 {
+  width: 33.333333%;
+}
+
+.w-1\/4 {
+  width: 25%;
+}
+
+.w-1\/6 {
+  width: 16.666667%;
+}
+
+.w-10 {
+  width: 2.5rem;
+}
+
+.w-11 {
+  width: 2.75rem;
+}
+
+.w-12 {
+  width: 3rem;
+}
+
+.w-2 {
+  width: 0.5rem;
+}
+
+.w-2\.5 {
+  width: 0.625rem;
+}
+
+.w-2\/3 {
+  width: 66.666667%;
+}
+
+.w-3 {
+  width: 0.75rem;
+}
+
+.w-3\.5 {
+  width: 0.875rem;
+}
+
+.w-3\/6 {
+  width: 50%;
+}
+
+.w-36 {
+  width: 9rem;
+}
+
+.w-4 {
+  width: 1rem;
+}
+
+.w-44 {
+  width: 11rem;
+}
+
+.w-48 {
+  width: 12rem;
+}
+
+.w-5 {
+  width: 1.25rem;
+}
+
+.w-5\/6 {
+  width: 83.333333%;
+}
+
+.w-56 {
+  width: 14rem;
+}
+
+.w-6 {
+  width: 1.5rem;
+}
+
+.w-64 {
+  width: 16rem;
+}
+
+.w-8 {
+  width: 2rem;
+}
+
+.w-9 {
+  width: 2.25rem;
+}
+
+.w-96 {
+  width: 24rem;
+}
+
+.w-\[calc\(100\%-16rem\)\] {
+  width: calc(100% - 16rem);
+}
+
+.w-full {
+  width: 100%;
+}
+
+.min-w-0 {
+  min-width: 0px;
+}
+
+.max-w-2xl {
+  max-width: 42rem;
+}
+
+.max-w-48 {
+  max-width: 12rem;
+}
+
+.max-w-96 {
+  max-width: 24rem;
+}
+
+.max-w-md {
+  max-width: 28rem;
+}
+
+.flex-1 {
+  flex: 1 1 0%;
+}
+
+.flex-shrink-0 {
+  flex-shrink: 0;
+}
+
+.grow {
+  flex-grow: 1;
+}
+
+.basis-0 {
+  flex-basis: 0px;
+}
+
+.-translate-x-full {
+  --tw-translate-x: -100%;
+  transform: translate(var(--tw-translate-x), var(--tw-translate-y)) rotate(var(--tw-rotate)) skewX(var(--tw-skew-x)) skewY(var(--tw-skew-y)) scaleX(var(--tw-scale-x)) scaleY(var(--tw-scale-y));
+}
+
+@keyframes spin {
+  to {
+    transform: rotate(360deg);
+  }
+}
+
+.animate-spin {
+  animation: spin 1s linear infinite;
+}
+
+.cursor-pointer {
+  cursor: pointer;
+}
+
+.list-none {
+  list-style-type: none;
+}
+
+.grid-cols-4 {
+  grid-template-columns: repeat(4, minmax(0, 1fr));
+}
+
+.grid-cols-7 {
+  grid-template-columns: repeat(7, minmax(0, 1fr));
+}
+
+.flex-row {
+  flex-direction: row;
+}
+
+.flex-col {
+  flex-direction: column;
+}
+
+.flex-wrap {
+  flex-wrap: wrap;
+}
+
+.items-start {
+  align-items: flex-start;
+}
+
+.items-end {
+  align-items: flex-end;
+}
+
+.items-center {
+  align-items: center;
+}
+
+.justify-start {
+  justify-content: flex-start;
+}
+
+.justify-end {
+  justify-content: flex-end;
+}
+
+.justify-center {
+  justify-content: center;
+}
+
+.justify-between {
+  justify-content: space-between;
+}
+
+.gap-y-3 {
+  row-gap: 0.75rem;
+}
+
+.gap-y-6 {
+  row-gap: 1.5rem;
+}
+
+.gap-y-8 {
+  row-gap: 2rem;
+}
+
+.space-x-2 > :not([hidden]) ~ :not([hidden]) {
+  --tw-space-x-reverse: 0;
+  margin-right: calc(0.5rem * var(--tw-space-x-reverse));
+  margin-left: calc(0.5rem * calc(1 - var(--tw-space-x-reverse)));
+}
+
+.space-x-8 > :not([hidden]) ~ :not([hidden]) {
+  --tw-space-x-reverse: 0;
+  margin-right: calc(2rem * var(--tw-space-x-reverse));
+  margin-left: calc(2rem * calc(1 - var(--tw-space-x-reverse)));
+}
+
+.space-y-2 > :not([hidden]) ~ :not([hidden]) {
+  --tw-space-y-reverse: 0;
+  margin-top: calc(0.5rem * calc(1 - var(--tw-space-y-reverse)));
+  margin-bottom: calc(0.5rem * var(--tw-space-y-reverse));
+}
+
+.space-y-3 > :not([hidden]) ~ :not([hidden]) {
+  --tw-space-y-reverse: 0;
+  margin-top: calc(0.75rem * calc(1 - var(--tw-space-y-reverse)));
+  margin-bottom: calc(0.75rem * var(--tw-space-y-reverse));
+}
+
+.space-y-4 > :not([hidden]) ~ :not([hidden]) {
+  --tw-space-y-reverse: 0;
+  margin-top: calc(1rem * calc(1 - var(--tw-space-y-reverse)));
+  margin-bottom: calc(1rem * var(--tw-space-y-reverse));
+}
+
+.space-y-8 > :not([hidden]) ~ :not([hidden]) {
+  --tw-space-y-reverse: 0;
+  margin-top: calc(2rem * calc(1 - var(--tw-space-y-reverse)));
+  margin-bottom: calc(2rem * var(--tw-space-y-reverse));
+}
+
+.divide-y > :not([hidden]) ~ :not([hidden]) {
+  --tw-divide-y-reverse: 0;
+  border-top-width: calc(1px * calc(1 - var(--tw-divide-y-reverse)));
+  border-bottom-width: calc(1px * var(--tw-divide-y-reverse));
+}
+
+.divide-gray-100 > :not([hidden]) ~ :not([hidden]) {
+  --tw-divide-opacity: 1;
+  border-color: rgb(243 244 246 / var(--tw-divide-opacity));
+}
+
+.self-center {
+  align-self: center;
+}
+
+.justify-self-start {
+  justify-self: start;
+}
+
+.overflow-y-auto {
+  overflow-y: auto;
+}
+
+.overflow-x-hidden {
+  overflow-x: hidden;
+}
+
+.truncate {
+  overflow: hidden;
+  text-overflow: ellipsis;
+  white-space: nowrap;
+}
+
+.whitespace-nowrap {
+  white-space: nowrap;
+}
+
+.text-nowrap {
+  text-wrap: nowrap;
+}
+
+.rounded {
+  border-radius: 0.25rem;
+}
+
+.rounded-full {
+  border-radius: 9999px;
+}
+
+.rounded-lg {
+  border-radius: 0.5rem;
+}
+
+.rounded-xl {
+  border-radius: 0.75rem;
+}
+
+.rounded-b {
+  border-bottom-right-radius: 0.25rem;
+  border-bottom-left-radius: 0.25rem;
+}
+
+.rounded-e-lg {
+  border-start-end-radius: 0.5rem;
+  border-end-end-radius: 0.5rem;
+}
+
+.rounded-l-lg {
+  border-top-left-radius: 0.5rem;
+  border-bottom-left-radius: 0.5rem;
+}
+
+.rounded-r-lg {
+  border-top-right-radius: 0.5rem;
+  border-bottom-right-radius: 0.5rem;
+}
+
+.rounded-s-lg {
+  border-start-start-radius: 0.5rem;
+  border-end-start-radius: 0.5rem;
+}
+
+.rounded-t {
+  border-top-left-radius: 0.25rem;
+  border-top-right-radius: 0.25rem;
+}
+
+.rounded-t-lg {
+  border-top-left-radius: 0.5rem;
+  border-top-right-radius: 0.5rem;
+}
+
+.border {
+  border-width: 1px;
+}
+
+.border-0 {
+  border-width: 0px;
+}
+
+.border-b {
+  border-bottom-width: 1px;
+}
+
+.border-b-2 {
+  border-bottom-width: 2px;
+}
+
+.border-r {
+  border-right-width: 1px;
+}
+
+.border-t {
+  border-top-width: 1px;
+}
+
+.border-blue-600 {
+  --tw-border-opacity: 1;
+  border-color: rgb(28 100 242 / var(--tw-border-opacity));
+}
+
+.border-gray-200 {
+  --tw-border-opacity: 1;
+  border-color: rgb(229 231 235 / var(--tw-border-opacity));
+}
+
+.border-gray-300 {
+  --tw-border-opacity: 1;
+  border-color: rgb(209 213 219 / var(--tw-border-opacity));
+}
+
+.border-transparent {
+  border-color: transparent;
+}
+
+.bg-blue-700 {
+  --tw-bg-opacity: 1;
+  background-color: rgb(26 86 219 / var(--tw-bg-opacity));
+}
+
+.bg-gray-100 {
+  --tw-bg-opacity: 1;
+  background-color: rgb(243 244 246 / var(--tw-bg-opacity));
+}
+
+.bg-gray-200 {
+  --tw-bg-opacity: 1;
+  background-color: rgb(229 231 235 / var(--tw-bg-opacity));
+}
+
+.bg-gray-50 {
+  --tw-bg-opacity: 1;
+  background-color: rgb(249 250 251 / var(--tw-bg-opacity));
+}
+
+.bg-gray-900\/50 {
+  background-color: rgb(17 24 39 / 0.5);
+}
+
+.bg-green-100 {
+  --tw-bg-opacity: 1;
+  background-color: rgb(222 247 236 / var(--tw-bg-opacity));
+}
+
+.bg-green-200 {
+  --tw-bg-opacity: 1;
+  background-color: rgb(188 240 218 / var(--tw-bg-opacity));
+}
+
+.bg-green-50 {
+  --tw-bg-opacity: 1;
+  background-color: rgb(243 250 247 / var(--tw-bg-opacity));
+}
+
+.bg-green-600 {
+  --tw-bg-opacity: 1;
+  background-color: rgb(5 122 85 / var(--tw-bg-opacity));
+}
+
+.bg-green-700 {
+  --tw-bg-opacity: 1;
+  background-color: rgb(4 108 78 / var(--tw-bg-opacity));
+}
+
+.bg-red-100 {
+  --tw-bg-opacity: 1;
+  background-color: rgb(253 232 232 / var(--tw-bg-opacity));
+}
+
+.bg-red-50 {
+  --tw-bg-opacity: 1;
+  background-color: rgb(253 242 242 / var(--tw-bg-opacity));
+}
+
+.bg-red-600 {
+  --tw-bg-opacity: 1;
+  background-color: rgb(224 36 36 / var(--tw-bg-opacity));
+}
+
+.bg-red-700 {
+  --tw-bg-opacity: 1;
+  background-color: rgb(200 30 30 / var(--tw-bg-opacity));
+}
+
+.bg-transparent {
+  background-color: transparent;
+}
+
+.bg-white {
+  --tw-bg-opacity: 1;
+  background-color: rgb(255 255 255 / var(--tw-bg-opacity));
+}
+
+.bg-yellow-100 {
+  --tw-bg-opacity: 1;
+  background-color: rgb(253 246 178 / var(--tw-bg-opacity));
+}
+
+.bg-yellow-400 {
+  --tw-bg-opacity: 1;
+  background-color: rgb(227 160 8 / var(--tw-bg-opacity));
+}
+
+.bg-gradient-to-tr {
+  background-image: linear-gradient(to top right, var(--tw-gradient-stops));
+}
+
+.from-sky-500 {
+  --tw-gradient-from: #0ea5e9 var(--tw-gradient-from-position);
+  --tw-gradient-to: rgb(14 165 233 / 0) var(--tw-gradient-to-position);
+  --tw-gradient-stops: var(--tw-gradient-from), var(--tw-gradient-to);
+}
+
+.from-30\% {
+  --tw-gradient-from-position: 30%;
+}
+
+.to-indigo-500 {
+  --tw-gradient-to: #6875F5 var(--tw-gradient-to-position);
+}
+
+.to-70\% {
+  --tw-gradient-to-position: 70%;
+}
+
+.object-contain {
+  -o-object-fit: contain;
+     object-fit: contain;
+}
+
+.object-left {
+  -o-object-position: left;
+     object-position: left;
+}
+
+.p-1 {
+  padding: 0.25rem;
+}
+
+.p-2 {
+  padding: 0.5rem;
+}
+
+.p-2\.5 {
+  padding: 0.625rem;
+}
+
+.p-4 {
+  padding: 1rem;
+}
+
+.p-6 {
+  padding: 1.5rem;
+}
+
+.p-8 {
+  padding: 2rem;
+}
+
+.px-1 {
+  padding-left: 0.25rem;
+  padding-right: 0.25rem;
+}
+
+.px-2 {
+  padding-left: 0.5rem;
+  padding-right: 0.5rem;
+}
+
+.px-2\.5 {
+  padding-left: 0.625rem;
+  padding-right: 0.625rem;
+}
+
+.px-3 {
+  padding-left: 0.75rem;
+  padding-right: 0.75rem;
+}
+
+.px-4 {
+  padding-left: 1rem;
+  padding-right: 1rem;
+}
+
+.px-5 {
+  padding-left: 1.25rem;
+  padding-right: 1.25rem;
+}
+
+.px-6 {
+  padding-left: 1.5rem;
+  padding-right: 1.5rem;
+}
+
+.px-8 {
+  padding-left: 2rem;
+  padding-right: 2rem;
+}
+
+.py-0 {
+  padding-top: 0px;
+  padding-bottom: 0px;
+}
+
+.py-0\.5 {
+  padding-top: 0.125rem;
+  padding-bottom: 0.125rem;
+}
+
+.py-1 {
+  padding-top: 0.25rem;
+  padding-bottom: 0.25rem;
+}
+
+.py-2 {
+  padding-top: 0.5rem;
+  padding-bottom: 0.5rem;
+}
+
+.py-2\.5 {
+  padding-top: 0.625rem;
+  padding-bottom: 0.625rem;
+}
+
+.py-3 {
+  padding-top: 0.75rem;
+  padding-bottom: 0.75rem;
+}
+
+.py-4 {
+  padding-top: 1rem;
+  padding-bottom: 1rem;
+}
+
+.py-5 {
+  padding-top: 1.25rem;
+  padding-bottom: 1.25rem;
+}
+
+.py-8 {
+  padding-top: 2rem;
+  padding-bottom: 2rem;
+}
+
+.pb-20 {
+  padding-bottom: 5rem;
+}
+
+.pb-4 {
+  padding-bottom: 1rem;
+}
+
+.pb-8 {
+  padding-bottom: 2rem;
+}
+
+.pl-10 {
+  padding-left: 2.5rem;
+}
+
+.pl-2 {
+  padding-left: 0.5rem;
+}
+
+.pl-3 {
+  padding-left: 0.75rem;
+}
+
+.pr-2 {
+  padding-right: 0.5rem;
+}
+
+.pr-6 {
+  padding-right: 1.5rem;
+}
+
+.ps-10 {
+  padding-inline-start: 2.5rem;
+}
+
+.ps-3 {
+  padding-inline-start: 0.75rem;
+}
+
+.pt-2 {
+  padding-top: 0.5rem;
+}
+
+.pt-5 {
+  padding-top: 1.25rem;
+}
+
+.pt-8 {
+  padding-top: 2rem;
+}
+
+.text-left {
+  text-align: left;
+}
+
+.text-center {
+  text-align: center;
+}
+
+.text-2xl {
+  font-size: 1.5rem;
+  line-height: 2rem;
+}
+
+.text-base {
+  font-size: 1rem;
+  line-height: 1.5rem;
+}
+
+.text-lg {
+  font-size: 1.125rem;
+  line-height: 1.75rem;
+}
+
+.text-sm {
+  font-size: 0.875rem;
+  line-height: 1.25rem;
+}
+
+.text-xl {
+  font-size: 1.25rem;
+  line-height: 1.75rem;
+}
+
+.font-bold {
+  font-weight: 700;
+}
+
+.font-medium {
+  font-weight: 500;
+}
+
+.font-normal {
+  font-weight: 400;
+}
+
+.font-semibold {
+  font-weight: 600;
+}
+
+.leading-6 {
+  line-height: 1.5rem;
+}
+
+.leading-9 {
+  line-height: 2.25rem;
+}
+
+.leading-tight {
+  line-height: 1.25;
+}
+
+.tracking-tight {
+  letter-spacing: -0.025em;
+}
+
+.text-blue-600 {
+  --tw-text-opacity: 1;
+  color: rgb(28 100 242 / var(--tw-text-opacity));
+}
+
+.text-blue-700 {
+  --tw-text-opacity: 1;
+  color: rgb(26 86 219 / var(--tw-text-opacity));
+}
+
+.text-gray-300 {
+  --tw-text-opacity: 1;
+  color: rgb(209 213 219 / var(--tw-text-opacity));
+}
+
+.text-gray-400 {
+  --tw-text-opacity: 1;
+  color: rgb(156 163 175 / var(--tw-text-opacity));
+}
+
+.text-gray-500 {
+  --tw-text-opacity: 1;
+  color: rgb(107 114 128 / var(--tw-text-opacity));
+}
+
+.text-gray-600 {
+  --tw-text-opacity: 1;
+  color: rgb(75 85 99 / var(--tw-text-opacity));
+}
+
+.text-gray-700 {
+  --tw-text-opacity: 1;
+  color: rgb(55 65 81 / var(--tw-text-opacity));
+}
+
+.text-gray-800 {
+  --tw-text-opacity: 1;
+  color: rgb(31 41 55 / var(--tw-text-opacity));
+}
+
+.text-gray-900 {
+  --tw-text-opacity: 1;
+  color: rgb(17 24 39 / var(--tw-text-opacity));
+}
+
+.text-green-800 {
+  --tw-text-opacity: 1;
+  color: rgb(3 84 63 / var(--tw-text-opacity));
+}
+
+.text-red-500 {
+  --tw-text-opacity: 1;
+  color: rgb(240 82 82 / var(--tw-text-opacity));
+}
+
+.text-red-700 {
+  --tw-text-opacity: 1;
+  color: rgb(200 30 30 / var(--tw-text-opacity));
+}
+
+.text-red-800 {
+  --tw-text-opacity: 1;
+  color: rgb(155 28 28 / var(--tw-text-opacity));
+}
+
+.text-white {
+  --tw-text-opacity: 1;
+  color: rgb(255 255 255 / var(--tw-text-opacity));
+}
+
+.text-yellow-500 {
+  --tw-text-opacity: 1;
+  color: rgb(194 120 3 / var(--tw-text-opacity));
+}
+
+.text-yellow-800 {
+  --tw-text-opacity: 1;
+  color: rgb(114 59 19 / var(--tw-text-opacity));
+}
+
+.shadow {
+  --tw-shadow: 0 1px 3px 0 rgb(0 0 0 / 0.1), 0 1px 2px -1px rgb(0 0 0 / 0.1);
+  --tw-shadow-colored: 0 1px 3px 0 var(--tw-shadow-color), 0 1px 2px -1px var(--tw-shadow-color);
+  box-shadow: var(--tw-ring-offset-shadow, 0 0 #0000), var(--tw-ring-shadow, 0 0 #0000), var(--tw-shadow);
+}
+
+.shadow-lg {
+  --tw-shadow: 0 10px 15px -3px rgb(0 0 0 / 0.1), 0 4px 6px -4px rgb(0 0 0 / 0.1);
+  --tw-shadow-colored: 0 10px 15px -3px var(--tw-shadow-color), 0 4px 6px -4px var(--tw-shadow-color);
+  box-shadow: var(--tw-ring-offset-shadow, 0 0 #0000), var(--tw-ring-shadow, 0 0 #0000), var(--tw-shadow);
+}
+
+.shadow-sm {
+  --tw-shadow: 0 1px 2px 0 rgb(0 0 0 / 0.05);
+  --tw-shadow-colored: 0 1px 2px 0 var(--tw-shadow-color);
+  box-shadow: var(--tw-ring-offset-shadow, 0 0 #0000), var(--tw-ring-shadow, 0 0 #0000), var(--tw-shadow);
+}
+
+.\!filter {
+  filter: var(--tw-blur) var(--tw-brightness) var(--tw-contrast) var(--tw-grayscale) var(--tw-hue-rotate) var(--tw-invert) var(--tw-saturate) var(--tw-sepia) var(--tw-drop-shadow) !important;
+}
+
+.filter {
+  filter: var(--tw-blur) var(--tw-brightness) var(--tw-contrast) var(--tw-grayscale) var(--tw-hue-rotate) var(--tw-invert) var(--tw-saturate) var(--tw-sepia) var(--tw-drop-shadow);
+}
+
+.transition {
+  transition-property: color, background-color, border-color, text-decoration-color, fill, stroke, opacity, box-shadow, transform, filter, -webkit-backdrop-filter;
+  transition-property: color, background-color, border-color, text-decoration-color, fill, stroke, opacity, box-shadow, transform, filter, backdrop-filter;
+  transition-property: color, background-color, border-color, text-decoration-color, fill, stroke, opacity, box-shadow, transform, filter, backdrop-filter, -webkit-backdrop-filter;
+  transition-timing-function: cubic-bezier(0.4, 0, 0.2, 1);
+  transition-duration: 150ms;
+}
+
+.transition-transform {
+  transition-property: transform;
+  transition-timing-function: cubic-bezier(0.4, 0, 0.2, 1);
+  transition-duration: 150ms;
+}
+
+.duration-75 {
+  transition-duration: 75ms;
+}
+
+.after\:absolute::after {
+  content: var(--tw-content);
+  position: absolute;
+}
+
+.after\:start-\[2px\]::after {
+  content: var(--tw-content);
+  inset-inline-start: 2px;
+}
+
+.after\:top-\[2px\]::after {
+  content: var(--tw-content);
+  top: 2px;
+}
+
+.after\:h-5::after {
+  content: var(--tw-content);
+  height: 1.25rem;
+}
+
+.after\:w-5::after {
+  content: var(--tw-content);
+  width: 1.25rem;
+}
+
+.after\:rounded-full::after {
+  content: var(--tw-content);
+  border-radius: 9999px;
+}
+
+.after\:border::after {
+  content: var(--tw-content);
+  border-width: 1px;
+}
+
+.after\:border-gray-300::after {
+  content: var(--tw-content);
+  --tw-border-opacity: 1;
+  border-color: rgb(209 213 219 / var(--tw-border-opacity));
+}
+
+.after\:bg-white::after {
+  content: var(--tw-content);
+  --tw-bg-opacity: 1;
+  background-color: rgb(255 255 255 / var(--tw-bg-opacity));
+}
+
+.after\:transition-all::after {
+  content: var(--tw-content);
+  transition-property: all;
+  transition-timing-function: cubic-bezier(0.4, 0, 0.2, 1);
+  transition-duration: 150ms;
+}
+
+.after\:content-\[\'\'\]::after {
+  --tw-content: '';
+  content: var(--tw-content);
+}
+
+.hover\:border-gray-300:hover {
+  --tw-border-opacity: 1;
+  border-color: rgb(209 213 219 / var(--tw-border-opacity));
+}
+
+.hover\:bg-blue-800:hover {
+  --tw-bg-opacity: 1;
+  background-color: rgb(30 66 159 / var(--tw-bg-opacity));
+}
+
+.hover\:bg-gray-100:hover {
+  --tw-bg-opacity: 1;
+  background-color: rgb(243 244 246 / var(--tw-bg-opacity));
+}
+
+.hover\:bg-gray-200:hover {
+  --tw-bg-opacity: 1;
+  background-color: rgb(229 231 235 / var(--tw-bg-opacity));
+}
+
+.hover\:bg-green-800:hover {
+  --tw-bg-opacity: 1;
+  background-color: rgb(3 84 63 / var(--tw-bg-opacity));
+}
+
+.hover\:bg-red-800:hover {
+  --tw-bg-opacity: 1;
+  background-color: rgb(155 28 28 / var(--tw-bg-opacity));
+}
+
+.hover\:text-blue-700:hover {
+  --tw-text-opacity: 1;
+  color: rgb(26 86 219 / var(--tw-text-opacity));
+}
+
+.hover\:text-gray-600:hover {
+  --tw-text-opacity: 1;
+  color: rgb(75 85 99 / var(--tw-text-opacity));
+}
+
+.hover\:text-gray-900:hover {
+  --tw-text-opacity: 1;
+  color: rgb(17 24 39 / var(--tw-text-opacity));
+}
+
+.focus\:z-10:focus {
+  z-index: 10;
+}
+
+.focus\:border-blue-500:focus {
+  --tw-border-opacity: 1;
+  border-color: rgb(63 131 248 / var(--tw-border-opacity));
+}
+
+.focus\:bg-gray-100:focus {
+  --tw-bg-opacity: 1;
+  background-color: rgb(243 244 246 / var(--tw-bg-opacity));
+}
+
+.focus\:outline-none:focus {
+  outline: 2px solid transparent;
+  outline-offset: 2px;
+}
+
+.focus\:ring-2:focus {
+  --tw-ring-offset-shadow: var(--tw-ring-inset) 0 0 0 var(--tw-ring-offset-width) var(--tw-ring-offset-color);
+  --tw-ring-shadow: var(--tw-ring-inset) 0 0 0 calc(2px + var(--tw-ring-offset-width)) var(--tw-ring-color);
+  box-shadow: var(--tw-ring-offset-shadow), var(--tw-ring-shadow), var(--tw-shadow, 0 0 #0000);
+}
+
+.focus\:ring-4:focus {
+  --tw-ring-offset-shadow: var(--tw-ring-inset) 0 0 0 var(--tw-ring-offset-width) var(--tw-ring-offset-color);
+  --tw-ring-shadow: var(--tw-ring-inset) 0 0 0 calc(4px + var(--tw-ring-offset-width)) var(--tw-ring-color);
+  box-shadow: var(--tw-ring-offset-shadow), var(--tw-ring-shadow), var(--tw-shadow, 0 0 #0000);
+}
+
+.focus\:ring-blue-300:focus {
+  --tw-ring-opacity: 1;
+  --tw-ring-color: rgb(164 202 254 / var(--tw-ring-opacity));
+}
+
+.focus\:ring-blue-500:focus {
+  --tw-ring-opacity: 1;
+  --tw-ring-color: rgb(63 131 248 / var(--tw-ring-opacity));
+}
+
+.focus\:ring-gray-100:focus {
+  --tw-ring-opacity: 1;
+  --tw-ring-color: rgb(243 244 246 / var(--tw-ring-opacity));
+}
+
+.focus\:ring-gray-200:focus {
+  --tw-ring-opacity: 1;
+  --tw-ring-color: rgb(229 231 235 / var(--tw-ring-opacity));
+}
+
+.focus\:ring-gray-300:focus {
+  --tw-ring-opacity: 1;
+  --tw-ring-color: rgb(209 213 219 / var(--tw-ring-opacity));
+}
+
+.focus\:ring-green-300:focus {
+  --tw-ring-opacity: 1;
+  --tw-ring-color: rgb(132 225 188 / var(--tw-ring-opacity));
+}
+
+.focus\:ring-red-300:focus {
+  --tw-ring-opacity: 1;
+  --tw-ring-color: rgb(248 180 180 / var(--tw-ring-opacity));
+}
+
+.disabled\:bg-red-400:disabled {
+  --tw-bg-opacity: 1;
+  background-color: rgb(249 128 128 / var(--tw-bg-opacity));
+}
+
+.peer:checked ~ .peer-checked\:bg-blue-600 {
+  --tw-bg-opacity: 1;
+  background-color: rgb(28 100 242 / var(--tw-bg-opacity));
+}
+
+.peer:checked ~ .peer-checked\:after\:translate-x-full::after {
+  content: var(--tw-content);
+  --tw-translate-x: 100%;
+  transform: translate(var(--tw-translate-x), var(--tw-translate-y)) rotate(var(--tw-rotate)) skewX(var(--tw-skew-x)) skewY(var(--tw-skew-y)) scaleX(var(--tw-scale-x)) scaleY(var(--tw-scale-y));
+}
+
+.peer:checked ~ .peer-checked\:after\:border-white::after {
+  content: var(--tw-content);
+  --tw-border-opacity: 1;
+  border-color: rgb(255 255 255 / var(--tw-border-opacity));
+}
+
+.peer:focus ~ .peer-focus\:outline-none {
+  outline: 2px solid transparent;
+  outline-offset: 2px;
+}
+
+.peer:focus ~ .peer-focus\:ring-4 {
+  --tw-ring-offset-shadow: var(--tw-ring-inset) 0 0 0 var(--tw-ring-offset-width) var(--tw-ring-offset-color);
+  --tw-ring-shadow: var(--tw-ring-inset) 0 0 0 calc(4px + var(--tw-ring-offset-width)) var(--tw-ring-color);
+  box-shadow: var(--tw-ring-offset-shadow), var(--tw-ring-shadow), var(--tw-shadow, 0 0 #0000);
+}
+
+.peer:focus ~ .peer-focus\:ring-blue-300 {
+  --tw-ring-opacity: 1;
+  --tw-ring-color: rgb(164 202 254 / var(--tw-ring-opacity));
+}
+
+:is(.dark .dark\:divide-gray-600) > :not([hidden]) ~ :not([hidden]) {
+  --tw-divide-opacity: 1;
+  border-color: rgb(75 85 99 / var(--tw-divide-opacity));
+}
+
+:is(.dark .dark\:border) {
+  border-width: 1px;
+}
+
+:is(.dark .dark\:border-blue-500) {
+  --tw-border-opacity: 1;
+  border-color: rgb(63 131 248 / var(--tw-border-opacity));
+}
+
+:is(.dark .dark\:border-gray-500) {
+  --tw-border-opacity: 1;
+  border-color: rgb(107 114 128 / var(--tw-border-opacity));
+}
+
+:is(.dark .dark\:border-gray-600) {
+  --tw-border-opacity: 1;
+  border-color: rgb(75 85 99 / var(--tw-border-opacity));
+}
+
+:is(.dark .dark\:border-gray-700) {
+  --tw-border-opacity: 1;
+  border-color: rgb(55 65 81 / var(--tw-border-opacity));
+}
+
+:is(.dark .dark\:bg-blue-600) {
+  --tw-bg-opacity: 1;
+  background-color: rgb(28 100 242 / var(--tw-bg-opacity));
+}
+
+:is(.dark .dark\:bg-gray-600) {
+  --tw-bg-opacity: 1;
+  background-color: rgb(75 85 99 / var(--tw-bg-opacity));
+}
+
+:is(.dark .dark\:bg-gray-700) {
+  --tw-bg-opacity: 1;
+  background-color: rgb(55 65 81 / var(--tw-bg-opacity));
+}
+
+:is(.dark .dark\:bg-gray-800) {
+  --tw-bg-opacity: 1;
+  background-color: rgb(31 41 55 / var(--tw-bg-opacity));
+}
+
+:is(.dark .dark\:bg-gray-900) {
+  --tw-bg-opacity: 1;
+  background-color: rgb(17 24 39 / var(--tw-bg-opacity));
+}
+
+:is(.dark .dark\:bg-gray-900\/80) {
+  background-color: rgb(17 24 39 / 0.8);
+}
+
+:is(.dark .dark\:bg-green-600) {
+  --tw-bg-opacity: 1;
+  background-color: rgb(5 122 85 / var(--tw-bg-opacity));
+}
+
+:is(.dark .dark\:bg-green-700) {
+  --tw-bg-opacity: 1;
+  background-color: rgb(4 108 78 / var(--tw-bg-opacity));
+}
+
+:is(.dark .dark\:bg-green-900) {
+  --tw-bg-opacity: 1;
+  background-color: rgb(1 71 55 / var(--tw-bg-opacity));
+}
+
+:is(.dark .dark\:bg-red-600) {
+  --tw-bg-opacity: 1;
+  background-color: rgb(224 36 36 / var(--tw-bg-opacity));
+}
+
+:is(.dark .dark\:bg-red-900) {
+  --tw-bg-opacity: 1;
+  background-color: rgb(119 29 29 / var(--tw-bg-opacity));
+}
+
+:is(.dark .dark\:bg-yellow-900) {
+  --tw-bg-opacity: 1;
+  background-color: rgb(99 49 18 / var(--tw-bg-opacity));
+}
+
+:is(.dark .dark\:text-blue-500) {
+  --tw-text-opacity: 1;
+  color: rgb(63 131 248 / var(--tw-text-opacity));
+}
+
+:is(.dark .dark\:text-gray-200) {
+  --tw-text-opacity: 1;
+  color: rgb(229 231 235 / var(--tw-text-opacity));
+}
+
+:is(.dark .dark\:text-gray-300) {
+  --tw-text-opacity: 1;
+  color: rgb(209 213 219 / var(--tw-text-opacity));
+}
+
+:is(.dark .dark\:text-gray-400) {
+  --tw-text-opacity: 1;
+  color: rgb(156 163 175 / var(--tw-text-opacity));
+}
+
+:is(.dark .dark\:text-gray-500) {
+  --tw-text-opacity: 1;
+  color: rgb(107 114 128 / var(--tw-text-opacity));
+}
+
+:is(.dark .dark\:text-green-300) {
+  --tw-text-opacity: 1;
+  color: rgb(132 225 188 / var(--tw-text-opacity));
+}
+
+:is(.dark .dark\:text-green-400) {
+  --tw-text-opacity: 1;
+  color: rgb(49 196 141 / var(--tw-text-opacity));
+}
+
+:is(.dark .dark\:text-red-300) {
+  --tw-text-opacity: 1;
+  color: rgb(248 180 180 / var(--tw-text-opacity));
+}
+
+:is(.dark .dark\:text-red-400) {
+  --tw-text-opacity: 1;
+  color: rgb(249 128 128 / var(--tw-text-opacity));
+}
+
+:is(.dark .dark\:text-white) {
+  --tw-text-opacity: 1;
+  color: rgb(255 255 255 / var(--tw-text-opacity));
+}
+
+:is(.dark .dark\:text-yellow-300) {
+  --tw-text-opacity: 1;
+  color: rgb(250 202 21 / var(--tw-text-opacity));
+}
+
+:is(.dark .dark\:placeholder-gray-400)::-moz-placeholder {
+  --tw-placeholder-opacity: 1;
+  color: rgb(156 163 175 / var(--tw-placeholder-opacity));
+}
+
+:is(.dark .dark\:placeholder-gray-400)::placeholder {
+  --tw-placeholder-opacity: 1;
+  color: rgb(156 163 175 / var(--tw-placeholder-opacity));
+}
+
+:is(.dark .dark\:ring-offset-gray-800) {
+  --tw-ring-offset-color: #1F2937;
+}
+
+:is(.dark .dark\:hover\:bg-blue-700:hover) {
+  --tw-bg-opacity: 1;
+  background-color: rgb(26 86 219 / var(--tw-bg-opacity));
+}
+
+:is(.dark .dark\:hover\:bg-gray-600:hover) {
+  --tw-bg-opacity: 1;
+  background-color: rgb(75 85 99 / var(--tw-bg-opacity));
+}
+
+:is(.dark .dark\:hover\:bg-gray-700:hover) {
+  --tw-bg-opacity: 1;
+  background-color: rgb(55 65 81 / var(--tw-bg-opacity));
+}
+
+:is(.dark .dark\:hover\:bg-green-700:hover) {
+  --tw-bg-opacity: 1;
+  background-color: rgb(4 108 78 / var(--tw-bg-opacity));
+}
+
+:is(.dark .dark\:hover\:bg-red-700:hover) {
+  --tw-bg-opacity: 1;
+  background-color: rgb(200 30 30 / var(--tw-bg-opacity));
+}
+
+:is(.dark .dark\:hover\:text-gray-300:hover) {
+  --tw-text-opacity: 1;
+  color: rgb(209 213 219 / var(--tw-text-opacity));
+}
+
+:is(.dark .dark\:hover\:text-white:hover) {
+  --tw-text-opacity: 1;
+  color: rgb(255 255 255 / var(--tw-text-opacity));
+}
+
+:is(.dark .dark\:focus\:border-blue-500:focus) {
+  --tw-border-opacity: 1;
+  border-color: rgb(63 131 248 / var(--tw-border-opacity));
+}
+
+:is(.dark .dark\:focus\:bg-gray-700:focus) {
+  --tw-bg-opacity: 1;
+  background-color: rgb(55 65 81 / var(--tw-bg-opacity));
+}
+
+:is(.dark .dark\:focus\:ring-blue-500:focus) {
+  --tw-ring-opacity: 1;
+  --tw-ring-color: rgb(63 131 248 / var(--tw-ring-opacity));
+}
+
+:is(.dark .dark\:focus\:ring-blue-600:focus) {
+  --tw-ring-opacity: 1;
+  --tw-ring-color: rgb(28 100 242 / var(--tw-ring-opacity));
+}
+
+:is(.dark .dark\:focus\:ring-blue-800:focus) {
+  --tw-ring-opacity: 1;
+  --tw-ring-color: rgb(30 66 159 / var(--tw-ring-opacity));
+}
+
+:is(.dark .dark\:focus\:ring-gray-600:focus) {
+  --tw-ring-opacity: 1;
+  --tw-ring-color: rgb(75 85 99 / var(--tw-ring-opacity));
+}
+
+:is(.dark .dark\:focus\:ring-gray-700:focus) {
+  --tw-ring-opacity: 1;
+  --tw-ring-color: rgb(55 65 81 / var(--tw-ring-opacity));
+}
+
+:is(.dark .dark\:focus\:ring-green-800:focus) {
+  --tw-ring-opacity: 1;
+  --tw-ring-color: rgb(3 84 63 / var(--tw-ring-opacity));
+}
+
+:is(.dark .dark\:focus\:ring-red-800:focus) {
+  --tw-ring-opacity: 1;
+  --tw-ring-color: rgb(155 28 28 / var(--tw-ring-opacity));
+}
+
+:is(.dark .peer:focus ~ .dark\:peer-focus\:ring-blue-800) {
+  --tw-ring-opacity: 1;
+  --tw-ring-color: rgb(30 66 159 / var(--tw-ring-opacity));
+}
+
+@media (min-width: 640px) {
+  .sm\:flex {
+    display: flex;
+  }
+
+  .sm\:max-w-md {
+    max-width: 28rem;
+  }
+
+  .sm\:translate-x-0 {
+    --tw-translate-x: 0px;
+    transform: translate(var(--tw-translate-x), var(--tw-translate-y)) rotate(var(--tw-rotate)) skewX(var(--tw-skew-x)) skewY(var(--tw-skew-y)) scaleX(var(--tw-scale-x)) scaleY(var(--tw-scale-y));
+  }
+
+  .sm\:space-x-4 > :not([hidden]) ~ :not([hidden]) {
+    --tw-space-x-reverse: 0;
+    margin-right: calc(1rem * var(--tw-space-x-reverse));
+    margin-left: calc(1rem * calc(1 - var(--tw-space-x-reverse)));
+  }
+
+  .sm\:space-y-0 > :not([hidden]) ~ :not([hidden]) {
+    --tw-space-y-reverse: 0;
+    margin-top: calc(0px * calc(1 - var(--tw-space-y-reverse)));
+    margin-bottom: calc(0px * var(--tw-space-y-reverse));
+  }
+}
+
+@media (min-width: 768px) {
+  .md\:mt-0 {
+    margin-top: 0px;
+  }
+
+  .md\:hidden {
+    display: none;
+  }
+
+  .md\:h-screen {
+    height: 100vh;
+  }
+
+  .md\:w-1\/2 {
+    width: 50%;
+  }
+
+  .md\:w-1\/3 {
+    width: 33.333333%;
+  }
+
+  .md\:w-1\/6 {
+    width: 16.666667%;
+  }
+
+  .md\:flex-row {
+    flex-direction: row;
+  }
+
+  .md\:space-x-4 > :not([hidden]) ~ :not([hidden]) {
+    --tw-space-x-reverse: 0;
+    margin-right: calc(1rem * var(--tw-space-x-reverse));
+    margin-left: calc(1rem * calc(1 - var(--tw-space-x-reverse)));
+  }
+
+  .md\:space-y-0 > :not([hidden]) ~ :not([hidden]) {
+    --tw-space-y-reverse: 0;
+    margin-top: calc(0px * calc(1 - var(--tw-space-y-reverse)));
+    margin-bottom: calc(0px * var(--tw-space-y-reverse));
+  }
+
+  .md\:p-5 {
+    padding: 1.25rem;
+  }
+}
+
+@media (min-width: 1024px) {
+  .lg\:w-1\/3 {
+    width: 33.333333%;
+  }
+
+  .lg\:flex-row {
+    flex-direction: row;
+  }
+
+  .lg\:justify-between {
+    justify-content: space-between;
+  }
+
+  .lg\:space-y-0 > :not([hidden]) ~ :not([hidden]) {
+    --tw-space-y-reverse: 0;
+    margin-top: calc(0px * calc(1 - var(--tw-space-y-reverse)));
+    margin-bottom: calc(0px * var(--tw-space-y-reverse));
+  }
+
+  .lg\:object-left {
+    -o-object-position: left;
+       object-position: left;
+  }
+
+  .lg\:py-0 {
+    padding-top: 0px;
+    padding-bottom: 0px;
+  }
+}
+
+@media (min-width: 1280px) {
+  .xl\:p-0 {
+    padding: 0px;
+  }
+}
+
+.rtl\:rotate-180:where([dir="rtl"], [dir="rtl"] *) {
+  --tw-rotate: 180deg;
+  transform: translate(var(--tw-translate-x), var(--tw-translate-y)) rotate(var(--tw-rotate)) skewX(var(--tw-skew-x)) skewY(var(--tw-skew-y)) scaleX(var(--tw-scale-x)) scaleY(var(--tw-scale-y));
+}
+
+.rtl\:space-x-reverse:where([dir="rtl"], [dir="rtl"] *) > :not([hidden]) ~ :not([hidden]) {
+  --tw-space-x-reverse: 1;
+}
+
+.peer:checked ~ .rtl\:peer-checked\:after\:-translate-x-full:where([dir="rtl"], [dir="rtl"] *)::after {
+  content: var(--tw-content);
+  --tw-translate-x: -100%;
+  transform: translate(var(--tw-translate-x), var(--tw-translate-y)) rotate(var(--tw-rotate)) skewX(var(--tw-skew-x)) skewY(var(--tw-skew-y)) scaleX(var(--tw-scale-x)) scaleY(var(--tw-scale-y));
+}
\ No newline at end of file
diff --git a/crates/dashboard/src/account.rs b/crates/dashboard/src/account.rs
new file mode 100644
index 0000000..13b42e1
--- /dev/null
+++ b/crates/dashboard/src/account.rs
@@ -0,0 +1,294 @@
+use anyhow::Result;
+use gloo_net::http::Request;
+use lapdev_common::{
+    console::{MeUser, NewSessionResponse},
+    AuthProvider,
+};
+use leptos::prelude::*;
+use leptos_router::hooks::use_params_map;
+
+use crate::{
+    cluster::{get_cluster_info, OauthSettings},
+    component::badge::{Badge, BadgeVariant},
+    modal::ErrorResponse,
+};
+
+pub async fn get_login() -> Result<MeUser> {
+    let resp: MeUser = Request::get("/api/private/me").send().await?.json().await?;
+    Ok(resp)
+}
+
+async fn now_login(provider: AuthProvider) -> Result<()> {
+    let location = window().window().location();
+    let next = location.href().unwrap_or_default();
+    let next = urlencoding::encode(&next).to_string();
+    let resp = Request::get("/api/private/session")
+        .query([
+            ("provider", &provider.to_string()),
+            ("next", &next),
+            ("host", &location.origin().unwrap_or_default()),
+        ])
+        .send()
+        .await?;
+    let resp: NewSessionResponse = resp.json().await?;
+    let _ = window().location().set_href(&resp.url);
+
+    Ok(())
+}
+
+async fn now_logout() {
+    let _ = Request::delete("/api/private/session").send().await;
+    let _ = window().location().set_href("/");
+}
+
+#[component]
+pub fn Login() -> impl IntoView {
+    let cluster_info = get_cluster_info();
+
+    view! {
+        <section class="min-h-screen bg-gray-50 text-gray-900">
+            <div class="mx-auto flex min-h-screen w-full flex-col lg:flex-row">
+                <div class="order-2 flex w-full items-center bg-gray-50 px-8 py-16 sm:px-12 lg:order-1 lg:w-1/2">
+                    <div class="mx-auto w-full max-w-xl space-y-6">
+                        <a href="/" class="inline-flex items-center gap-4 text-lg font-semibold text-gray-900">
+                            <svg class="h-11 w-11 text-black" xmlns="http://www.w3.org/2000/svg" fill="currentColor" viewBox="0 0 1024 1024">
+                                <path d="M512 0C390.759 0 279.426 42.2227 191.719 112.656L191.719 612L351.719 612L351.719 332L422 332L431.719 332L431.719 332.344C488.169 334.127 541.249 351.138 581.875 380.625C627.591 413.806 654.875 460.633 654.875 512C654.875 563.367 627.591 610.194 581.875 643.375C541.249 672.862 488.169 689.873 431.719 691.656L431.719 1017.69C457.88 1021.81 484.68 1024 512 1024C794.77 1024 1024 794.77 1024 512C1024 229.23 794.77 0 512 0ZM111.719 192.906C41.8539 280.432 0 391.303 0 512C0 738.766 147.487 930.96 351.719 998.25L351.719 692L151.719 692L151.719 691.844L111.719 691.844L111.719 192.906ZM738.219 372C741.597 372.107 745.042 373.02 748.312 374.812L946.281 483.312C952.311 486.616 956.692 492.393 959.188 499.156C959.821 500.874 960.317 502.641 960.688 504.469C960.764 504.834 960.841 505.196 960.906 505.562C961.12 506.807 961.225 508.071 961.312 509.344C961.378 510.235 961.498 511.112 961.5 512C961.498 512.888 961.378 513.765 961.312 514.656C961.226 515.929 961.12 517.193 960.906 518.438C960.841 518.804 960.764 519.166 960.688 519.531C960.317 521.359 959.821 523.126 959.188 524.844C956.692 531.608 952.311 537.384 946.281 540.688L748.312 649.188C735.232 656.355 719.818 649.367 713.875 633.594C707.932 617.82 713.7 599.23 726.781 592.062L872.875 512L726.781 431.938C713.7 424.771 707.932 406.18 713.875 390.406C718.332 378.576 728.085 371.678 738.219 372ZM431.719 412.344L431.719 611.656C513.56 608.208 574.875 561.985 574.875 512C574.875 462.015 513.56 415.792 431.719 412.344Z" />
+                                <path d="M742 403.688C740.062 403.483 738.097 404.438 737.094 406.25C735.756 408.666 736.615 411.694 739.031 413.031L925.719 516.375C928.135 517.712 931.194 516.822 932.531 514.406C933.869 511.99 932.979 508.962 930.562 507.625L743.875 404.281C743.271 403.947 742.646 403.756 742 403.688Z" />
+                                <path d="M927.5 507.031C926.856 507.115 926.221 507.339 925.625 507.688L738.938 616.906C736.554 618.301 735.762 621.335 737.156 623.719C738.551 626.102 741.616 626.926 744 625.531L930.688 516.312C933.071 514.918 933.863 511.852 932.469 509.469C931.423 507.681 929.432 506.78 927.5 507.031Z" />
+                            </svg>
+                            <span>Lapdev</span>
+                        </a>
+                        <div class="space-y-5">
+                            <h1 class="max-w-xl text-4xl font-semibold tracking-tight text-gray-900 sm:text-5xl">
+                                Spin up production grade Kubernetes environments in minutes.
+                            </h1>
+                            <p class="max-w-lg text-lg text-gray-600">
+                                Lapdev mirrors your live manifests, keeps every dev space in sync, and lets teams ship without wrestling YAML or waiting on pipelines.
+                            </p>
+                        </div>
+                        <div class="flex flex-wrap items-center gap-3 text-sm text-gray-600">
+                            <span class="inline-flex items-center gap-2 rounded-full border border-gray-200 bg-white px-3 py-2">
+                                <svg class="h-4 w-4 text-emerald-500" xmlns="http://www.w3.org/2000/svg" fill="none" viewBox="0 0 24 24" stroke="currentColor">
+                                    <path stroke-linecap="round" stroke-linejoin="round" stroke-width="1.5" d="M4.5 12.75l6 6 9-13.5" />
+                                </svg>
+                                One click replicas of prod workloads, config, and secrets.
+                            </span>
+                            <span class="inline-flex items-center gap-2 rounded-full border border-gray-200 bg-white px-3 py-2">
+                                <svg class="h-4 w-4 text-sky-500" xmlns="http://www.w3.org/2000/svg" fill="none" viewBox="0 0 24 24" stroke="currentColor">
+                                    <path stroke-linecap="round" stroke-linejoin="round" stroke-width="1.5" d="M12 6v12m6-6H6" />
+                                </svg>
+                                Devbox intercepts traffic for true local debugging.
+                            </span>
+                            <span class="inline-flex items-center gap-2 rounded-full border border-gray-200 bg-white px-3 py-2">
+                                <svg class="h-4 w-4 text-indigo-500" xmlns="http://www.w3.org/2000/svg" fill="none" viewBox="0 0 24 24" stroke="currentColor">
+                                    <path stroke-linecap="round" stroke-linejoin="round" stroke-width="1.5" d="M3 7.5l9-5.25 9 5.25M4.5 10.5v6.75L12 21l7.5-3.75V10.5" />
+                                </svg>
+                                Instant preview URLs with SSO gated sharing.
+                            </span>
+                        </div>
+                    </div>
+                </div>
+                <div class="order-1 flex w-full items-center bg-white px-8 py-16 shadow sm:px-12 lg:order-2 lg:w-1/2 lg:px-16">
+                    <div class="mx-auto w-full max-w-md">
+                        {move || match cluster_info.with(|i| i.as_ref().map(|i| i.auth_providers.clone())) {
+                            Some(auth_providers) if !auth_providers.is_empty() => view! { <LoginWithView auth_providers /> }.into_any(),
+                            Some(_) => view! {
+                                <div class="space-y-4">
+                                    <h2 class="text-2xl font-semibold text-gray-900">
+                                        Configure your identity provider
+                                    </h2>
+                                    <p class="text-sm text-gray-600">
+                                        Connect GitHub or GitLab to unlock Lapdev SSO for your organization.
+                                    </p>
+                                    <div class="rounded-2xl border border-gray-200 bg-gray-50 p-6">
+                                        <InitAuthProvidersView />
+                                    </div>
+                                </div>
+                            }.into_any(),
+                            None => view! {
+                                <div class="space-y-4 animate-pulse" aria-live="polite">
+                                    <div class="h-4 w-40 rounded bg-gray-200"></div>
+                                    <div class="h-10 rounded bg-gray-100"></div>
+                                    <div class="h-10 rounded bg-gray-100"></div>
+                                    <div class="h-10 w-2/3 rounded bg-gray-100"></div>
+                                    <div class="h-4 w-48 rounded bg-gray-200"></div>
+                                    <p class="pt-2 text-sm text-gray-500">
+                                        Loading cluster SSO providers...
+                                    </p>
+                                </div>
+                            }.into_any(),
+                        }}
+                    </div>
+                </div>
+            </div>
+        </section>
+    }
+}
+
+#[component]
+pub fn LoginWithView(auth_providers: Vec<AuthProvider>) -> impl IntoView {
+    let login = use_context::<LocalResource<Option<MeUser>>>().unwrap();
+    view! {
+        <div
+            class="mx-auto w-full max-w-md"
+            class:hidden=move || login.with(|l| l.is_none())
+        >
+            <div class="p-10 sm:p-12">
+                <div class="relative">
+                    <h1 class="text-center text-2xl font-semibold leading-tight tracking-tight text-gray-900 flex items-center justify-center gap-2">
+                        <span>Sign in to Lapdev</span>
+                        <Badge
+                            variant=BadgeVariant::Secondary
+                            class="text-[10px] uppercase tracking-wide"
+                        >
+                            "Public beta"
+                        </Badge>
+                    </h1>
+                    <p class="mt-2 text-center text-sm text-gray-600">
+                        Choose your identity provider to launch your personal or branch workspace.
+                    </p>
+                    <div class="mt-8 flex flex-col space-y-3">
+                        <button type="button"
+                            class="group relative flex w-full items-center justify-center gap-3 rounded-xl bg-[#24292F] px-5 py-3 text-sm font-semibold text-white transition hover:bg-[#1f2328] focus:outline-none focus:ring-2 focus:ring-sky-400 focus:ring-offset-2 focus:ring-offset-white"
+                            class:hidden={ let auth_providers = auth_providers.clone(); move || !auth_providers.contains(&AuthProvider::Github) }
+                            on:click=move |_| { Action::new_local(move |_| {now_login(AuthProvider::Github)}).dispatch(()); }
+                        >
+                            <svg class="h-5 w-5" aria-hidden="true" xmlns="http://www.w3.org/2000/svg" fill="currentColor" viewBox="0 0 20 20">
+                                <path fill-rule="evenodd" d="M10 .333A9.911 9.911 0 0 0 6.866 19.65c.5.092.678-.215.678-.477 0-.237-.01-1.017-.014-1.845-2.757.6-3.338-1.169-3.338-1.169a2.627 2.627 0 0 0-1.1-1.451c-.9-.615.07-.6.07-.6a2.084 2.084 0 0 1 1.518 1.021 2.11 2.11 0 0 0 2.884.823c.044-.503.268-.973.63-1.325-2.2-.25-4.516-1.1-4.516-4.9A3.832 3.832 0 0 1 4.7 7.068a3.56 3.56 0 0 1 .095-2.623s.832-.266 2.726 1.016a9.409 9.409 0 0 1 4.962 0c1.89-1.282 2.717-1.016 2.717-1.016.366.83.402 1.768.1 2.623a3.827 3.827 0 0 1 1.02 2.659c0 3.807-2.319 4.644-4.525 4.889a2.366 2.366 0 0 1 .673 1.834c0 1.326-.012 2.394-.012 2.72 0 .263.18.572.681.475A9.911 9.911 0 0 0 10 .333Z" clip-rule="evenodd"/>
+                            </svg>
+                            Sign in with GitHub
+                            <span class="pointer-events-none absolute inset-y-0 right-0 hidden items-center pr-5 text-gray-200/60 transition group-hover:flex">
+                                <svg class="h-4 w-4" xmlns="http://www.w3.org/2000/svg" fill="none" viewBox="0 0 24 24" stroke="currentColor">
+                                    <path stroke-linecap="round" stroke-linejoin="round" stroke-width="1.5" d="M13.5 4.5L21 12l-7.5 7.5M21 12H3" />
+                                </svg>
+                            </span>
+                        </button>
+
+                        <button type="button"
+                            class="group relative flex w-full items-center justify-center gap-3 rounded-xl border border-[#FC6D26] bg-white px-5 py-3 text-sm font-semibold text-[#FC6D26] transition hover:bg-[#FC6D26]/10 focus:outline-none focus:ring-2 focus:ring-amber-300 focus:ring-offset-2 focus:ring-offset-white"
+                            class:hidden=move || !auth_providers.contains(&AuthProvider::Gitlab)
+                            on:click=move |_| { Action::new_local(move |_| {now_login(AuthProvider::Gitlab)}).dispatch(()); }
+                        >
+                            <svg class="h-5 w-5" viewBox="0 0 25 24" xmlns="http://www.w3.org/2000/svg"><path d="M24.507 9.5l-.034-.09L21.082.562a.896.896 0 00-1.694.091l-2.29 7.01H7.825L5.535.653a.898.898 0 00-1.694-.09L.451 9.411.416 9.5a6.297 6.297 0 002.09 7.278l.012.01.03.022 5.16 3.867 2.56 1.935 1.554 1.176a1.051 1.051 0 001.268 0l1.555-1.176 2.56-1.935 5.197-3.89.014-.01A6.297 6.297 0 0024.507 9.5z" fill="#E24329"/><path d="M24.507 9.5l-.034-.09a11.44 11.44 0 00-4.56 2.051l-7.447 5.632 4.742 3.584 5.197-3.89.014-.01A6.297 6.297 0 0024.507 9.5z" fill="#FC6D26"/><path d="M7.707 20.677l2.56 1.935 1.555 1.176a1.051 1.051 0 001.268 0l1.555-1.176 2.56-1.935-4.743-3.584-4.755 3.584z" fill="#FCA326"/><path d="M5.01 11.461a11.43 11.43 0 00-4.56-2.05L.416 9.5a6.297 6.297 0 002.09 7.278l.012.01.03.022 5.16 3.867 4.745-3.584-7.444-5.632z" fill="#FC6D26"/></svg>
+                            Sign in with GitLab
+                            <span class="pointer-events-none absolute inset-y-0 right-0 hidden items-center pr-5 text-[#FC6D26]/70 transition group-hover:flex">
+                                <svg class="h-4 w-4" xmlns="http://www.w3.org/2000/svg" fill="none" viewBox="0 0 24 24" stroke="currentColor">
+                                    <path stroke-linecap="round" stroke-linejoin="round" stroke-width="1.5" d="M13.5 4.5L21 12l-7.5 7.5M21 12H3" />
+                                </svg>
+                            </span>
+                        </button>
+                    </div>
+                </div>
+            </div>
+        </div>
+    }
+}
+
+#[component]
+pub fn InitAuthProvidersView() -> impl IntoView {
+    view! {
+        <OauthSettings reload=true />
+    }
+}
+
+#[component]
+pub fn NavUserControl(user_control_hidden: RwSignal<bool, LocalStorage>) -> impl IntoView {
+    let login = use_context::<LocalResource<Option<MeUser>>>().unwrap();
+
+    let logout = move |_| {
+        user_control_hidden.set(true);
+        Action::new_local(move |_| now_logout()).dispatch(());
+    };
+
+    view! {
+      <div
+        class="absolute z-50 my-2 right-0 w-56 text-base list-none bg-white rounded divide-y divide-gray-100 shadow border rounded-xl"
+        class:hidden=move || user_control_hidden.get()
+      >
+        <div class="py-3 px-4">
+          <span class="block text-sm font-semibold text-gray-900">
+            { move || login.get().flatten().and_then(|l| l.name.clone()).unwrap_or("".to_string()) }
+          </span>
+          <span class="block text-sm text-gray-900 truncate">
+            { move || login.get().flatten().and_then(|l| l.email.clone()).unwrap_or("".to_string()) }
+          </span>
+        </div>
+        <ul
+          class="py-1 text-gray-700"
+          aria-labelledby="dropdown"
+        >
+          <li>
+            <a
+              href="/account"
+              class="block py-2 px-4 text-sm hover:bg-gray-100"
+              >User settings</a
+            >
+          </li>
+        </ul>
+        <ul
+          class="py-1 text-gray-700"
+          aria-labelledby="dropdown"
+        >
+          <li>
+            <a
+              href="#"
+              class="block py-2 px-4 text-sm hover:bg-gray-100"
+              on:click=logout
+              >Sign out</a
+            >
+          </li>
+        </ul>
+      </div>
+    }
+}
+
+#[component]
+pub fn AccountSettings() -> impl IntoView {
+    view! {
+        <div class="border-b pb-4">
+            <h5 class="mr-3 text-2xl font-semibold">
+                User Settings
+            </h5>
+            <p class="text-gray-700">{"Manage your account settings"}</p>
+        </div>
+    }
+}
+
+async fn join_org(invitation_id: String) -> Result<Option<ErrorResponse>> {
+    let resp = Request::put(&format!("/api/v1/join/{invitation_id}"))
+        .send()
+        .await?;
+    if resp.status() != 204 {
+        let error = resp
+            .json::<ErrorResponse>()
+            .await
+            .unwrap_or_else(|_| ErrorResponse {
+                error: "Internal Server Error".to_string(),
+            });
+        return Ok(Some(error));
+    }
+    let _ = window().location().set_href("/");
+    Ok(None)
+}
+
+#[component]
+pub fn JoinView() -> impl IntoView {
+    let params = use_params_map();
+    let id = Signal::derive(move || params.with(|params| params.get("id")).unwrap_or_default());
+
+    let result = { LocalResource::new(move || async move { join_org(id.get_untracked()).await }) };
+
+    view! {
+        {
+            move || if let Some(error) = result.with(|r| r.as_ref().and_then(|r| r.as_ref().ok().cloned())).flatten() {
+                view! {
+                    <div class="my-2 p-4 rounded-lg bg-red-50">
+                        <span class="text-sm font-medium text-red-800">{ error.error }</span>
+                    </div>
+                }.into_any()
+            } else {
+                ().into_any()
+            }
+        }
+    }
+}
diff --git a/crates/dashboard/src/app.rs b/crates/dashboard/src/app.rs
new file mode 100644
index 0000000..bb6b14b
--- /dev/null
+++ b/crates/dashboard/src/app.rs
@@ -0,0 +1,247 @@
+use std::sync::Arc;
+
+use anyhow::Result;
+use gloo_net::http::Request;
+use lapdev_api_hrpc::HrpcServiceClient;
+use lapdev_common::{console::MeUser, ClusterInfo};
+use leptos::prelude::*;
+use leptos_router::{
+    components::{Route, Router, Routes},
+    path,
+};
+
+use crate::{
+    account::{get_login, AccountSettings, JoinView, Login},
+    audit_log::AuditLogView,
+    cli_auth::CliAuth,
+    cli_success::CliSuccess,
+    cluster::{ClusterSettings, ClusterUsersView, MachineTypeView, WorkspaceHostView},
+    component::sidebar::SidebarData,
+    git_provider::GitProviderView,
+    home::DashboardHome,
+    kube_app_catalog::KubeAppCatalog,
+    kube_app_catalog_detail::KubeAppCatalogDetail,
+    kube_app_catalog_workload::KubeAppCatalogWorkload,
+    kube_cluster::KubeCluster,
+    kube_environment::{EnvironmentType, KubeEnvironment},
+    kube_environment_detail::KubeEnvironmentDetail,
+    kube_environment_workload::KubeEnvironmentWorkload,
+    kube_resource::KubeResource,
+    license::{LicenseView, SignLicenseView},
+    nav::{AdminSideNav, NavExpanded, SideNav, TopNav},
+    organization::{NewOrgModal, OrgMembers, OrgSettings},
+    project::{ProjectDetails, Projects},
+    quota::QuotaView,
+    ssh_key::SshKeys,
+    usage::UsageView,
+    workspace::{WorkspaceDetails, Workspaces},
+};
+
+#[derive(Clone)]
+pub struct AppConfig {
+    pub show_lapdev_website: RwSignal<bool>,
+    pub environment_type: RwSignal<EnvironmentType>,
+    pub current_page: RwSignal<String>,
+    pub header_links: RwSignal<Vec<(String, String)>>,
+}
+
+#[component]
+fn Root() -> impl IntoView {
+    view! {
+        <DashboardHome />
+    }
+}
+
+pub fn get_hrpc_client() -> HrpcServiceClient {
+    HrpcServiceClient::new("/api/rpc".to_string())
+}
+
+async fn get_cluster_info() -> Result<ClusterInfo> {
+    let resp = Request::get("/api/v1/cluster_info").send().await?;
+    let info: ClusterInfo = resp.json().await?;
+    Ok(info)
+}
+
+pub fn set_context() {
+    let login_counter = RwSignal::new_local(0);
+    provide_context(login_counter);
+
+    let login_fetching = RwSignal::new_local(true);
+    provide_context(login_fetching);
+
+    let login_fetching_for_resource = login_fetching;
+    let login = LocalResource::new(move || {
+        login_fetching_for_resource.set(true);
+        async move {
+            let result = get_login().await.ok();
+            login_fetching_for_resource.set(false);
+            result
+        }
+    });
+    Effect::new(move |_| {
+        login_counter.track();
+        login_fetching.set(true);
+        login.refetch();
+    });
+    provide_context(login);
+
+    let cluster_info = LocalResource::new(|| async move { get_cluster_info().await.ok() });
+    let cluster_info = Signal::derive_local(move || cluster_info.get().flatten());
+    provide_context(cluster_info);
+
+    let current_org = Signal::derive_local(move || {
+        let login = login.get().flatten();
+        login.map(|u| u.organization)
+    });
+    provide_context(current_org);
+
+    let pathname = window().location().pathname().unwrap_or_default();
+    let nav_expanded = NavExpanded {
+        orgnization: RwSignal::new(pathname.starts_with("/organization")),
+        account: RwSignal::new(pathname.starts_with("/account")),
+        k8s_environments: RwSignal::new(pathname.starts_with("/kubernetes/environments")),
+    };
+    provide_context(nav_expanded);
+
+    provide_context(AppConfig {
+        show_lapdev_website: RwSignal::new(false),
+        environment_type: RwSignal::new(EnvironmentType::Personal),
+        current_page: RwSignal::new(String::new()),
+        header_links: RwSignal::new(Vec::new()),
+    });
+
+    provide_context(SidebarData {
+        open: RwSignal::new(true),
+    });
+
+    provide_context(Arc::new(HrpcServiceClient::new("/api/rpc".to_string())));
+}
+
+#[component]
+pub fn App() -> impl IntoView {
+    set_context();
+    view! {
+        <Router>
+            <Routes fallback=|| "Not found.">
+                <Route path=path!("/") view=move || view! { <WrappedView element=Root /> } />
+                <Route path=path!("/projects") view=move || view! { <WrappedView element=Projects /> } />
+                <Route path=path!("/projects/:id") view=move || view! { <WrappedView element=ProjectDetails /> } />
+                <Route path=path!("/workspaces") view=move || view! { <WrappedView element=Workspaces /> } />
+                <Route path=path!("/workspaces/:name") view=move || view! { <WrappedView element=WorkspaceDetails /> } />
+                <Route path=path!("/organization/usage") view=move || view! { <WrappedView element=UsageView /> } />
+                <Route path=path!("/organization/members") view=move || view! { <WrappedView element=OrgMembers /> } />
+                <Route path=path!("/organization/quota") view=move || view! { <WrappedView element=QuotaView /> } />
+                <Route path=path!("/organization/audit_log") view=move || view! { <WrappedView element=AuditLogView /> } />
+                <Route path=path!("/organization/settings") view=move || view! { <WrappedView element=OrgSettings /> } />
+                <Route path=path!("/kubernetes/catalogs") view=move || view! { <WrappedView element=KubeAppCatalog /> } />
+                <Route path=path!("/kubernetes/catalogs/:catalog_id") view=move || view! { <WrappedView element=KubeAppCatalogDetail /> } />
+                <Route path=path!("/kubernetes/catalogs/:catalog_id/workloads/:workload_id") view=move || view! { <WrappedView element=KubeAppCatalogWorkload /> } />
+                <Route path=path!("/kubernetes/environments") view=move || view! { <WrappedView element=KubeEnvironment /> } />
+                <Route path=path!("/kubernetes/environments/personal") view=move || view! { <WrappedView element=KubeEnvironment /> } />
+                <Route path=path!("/kubernetes/environments/shared") view=move || view! { <WrappedView element=KubeEnvironment /> } />
+                <Route path=path!("/kubernetes/environments/branch") view=move || view! { <WrappedView element=KubeEnvironment /> } />
+                <Route path=path!("/kubernetes/environments/:environment_id") view=move || view! { <WrappedView element=KubeEnvironmentDetail /> } />
+                <Route path=path!("/kubernetes/environments/:environment_id/workloads/:workload_id") view=move || view! { <WrappedView element=KubeEnvironmentWorkload /> } />
+                <Route path=path!("/kubernetes/clusters/:cluster_id") view=move || view! { <WrappedView element=KubeResource /> } />
+                <Route path=path!("/kubernetes/clusters") view=move || view! { <WrappedView element=KubeCluster /> } />
+                <Route path=path!("/account") view=move || view! { <WrappedView element=AccountSettings /> } />
+                <Route path=path!("/join/:id") view=move || view! { <WrappedView element=JoinView /> } />
+                <Route path=path!("/account/ssh-keys") view=move || view! { <WrappedView element=SshKeys /> } />
+                <Route path=path!("/account/git-providers") view=move || view! { <WrappedView element=GitProviderView /> } />
+                <Route path=path!("/admin") view=move || view! { <AdminWrappedView element=WorkspaceHostView /> } />
+                <Route path=path!("/admin/workspace_hosts") view=move || view! { <AdminWrappedView element=WorkspaceHostView /> } />
+                <Route path=path!("/admin/machine_types") view=move || view! { <AdminWrappedView element=MachineTypeView /> } />
+                <Route path=path!("/admin/users") view=move || view! { <AdminWrappedView element=ClusterUsersView /> } />
+                <Route path=path!("/admin/settings") view=move || view! { <AdminWrappedView element=ClusterSettings /> } />
+                <Route path=path!("/admin/license") view=move || view! { <AdminWrappedView element=LicenseView /> } />
+                <Route path=path!("/admin/sign_license") view=move || view! { <AdminWrappedView element=SignLicenseView /> } />
+                <Route path=path!("/auth/cli") view=move || view! { <WrappedView element=CliAuth /> } />
+                <Route path=path!("/cli/success") view=CliSuccess />
+            </Routes>
+        </Router>
+    }
+}
+
+#[component]
+pub fn WrappedView<T>(element: T) -> impl IntoView
+where
+    T: IntoView + Copy + 'static + Send + Sync,
+{
+    let login = use_context::<LocalResource<Option<MeUser>>>().unwrap();
+    let login_fetching = expect_context::<RwSignal<bool, LocalStorage>>();
+    let new_org_modal_hidden = RwSignal::new_local(true);
+    view! {
+        <Show
+            when=move || { login.get().flatten().is_some() }
+            fallback=move || {
+                let login_fetching = login_fetching;
+                view! {
+                    <Show
+                        when=move || { !login_fetching.get() }
+                        fallback=move || view! { <AppLoading /> }
+                    >
+                        <Login />
+                    </Show>
+                }
+            }
+        >
+            <div class="flex flex-col h-screen">
+                <TopNav />
+                <div class="container mx-auto flex flex-row basis-0 grow">
+                    <SideNav />
+                    <div class="p-8 w-[calc(100%-16rem)] h-full">
+                        {element}
+                    </div>
+                </div>
+                <NewOrgModal modal_hidden=new_org_modal_hidden />
+            </div>
+        </Show>
+    }
+}
+
+#[component]
+pub fn AdminWrappedView<T>(element: T) -> impl IntoView
+where
+    T: IntoView + Copy + 'static + Send + Sync,
+{
+    let login = use_context::<LocalResource<Option<MeUser>>>().unwrap();
+    let login_fetching = expect_context::<RwSignal<bool, LocalStorage>>();
+    view! {
+        <Show
+            when=move || { login.get().flatten().is_some() }
+            fallback=move || {
+                let login_fetching = login_fetching;
+                view! {
+                    <Show
+                        when=move || { !login_fetching.get() }
+                        fallback=move || view! { <AppLoading /> }
+                    >
+                        <Login />
+                    </Show>
+                }
+            }
+        >
+            <div class="flex flex-col h-screen">
+                <TopNav />
+                <div class="container mx-auto flex flex-row basis-0 grow">
+                    <AdminSideNav />
+                    <div class="px-8 pt-8 w-[calc(100%-16rem)] h-full">
+                        {element}
+                    </div>
+                </div>
+            </div>
+        </Show>
+    }
+}
+
+#[component]
+fn AppLoading() -> impl IntoView {
+    view! {
+        <div class="flex h-screen items-center justify-center bg-slate-50">
+            <div class="flex flex-col items-center gap-3 text-sm text-slate-500">
+                <span class="inline-block h-6 w-6 animate-spin rounded-full border-2 border-slate-300 border-t-sky-500"></span>
+                Loading your workspace...
+            </div>
+        </div>
+    }
+}
diff --git a/lapdev-dashboard/src/audit_log.rs b/crates/dashboard/src/audit_log.rs
similarity index 87%
rename from lapdev-dashboard/src/audit_log.rs
rename to crates/dashboard/src/audit_log.rs
index 8c489a5..ca40849 100644
--- a/lapdev-dashboard/src/audit_log.rs
+++ b/crates/dashboard/src/audit_log.rs
@@ -2,23 +2,23 @@ use anyhow::{anyhow, Result};
 use chrono::{DateTime, FixedOffset, Local, NaiveDate, TimeZone};
 use gloo_net::http::Request;
 use lapdev_common::{console::Organization, AuditLogRecord, AuditLogResult};
-use leptos::{
-    component, create_action, create_rw_signal, event_target_value, use_context, view, For,
-    IntoView, Signal, SignalGet, SignalGetUntracked, SignalSet, SignalUpdate, SignalWith,
-    SignalWithUntracked,
-};
+use leptos::prelude::*;
 
 use crate::{
+    component::button::Button,
     datepicker::Datepicker,
     modal::{DatetimeModal, ErrorResponse},
+    organization::get_current_org,
 };
 
 async fn get_audit_logs(
+    org: Signal<Option<Organization>>,
     start: Option<NaiveDate>,
     end: Option<NaiveDate>,
     page_size: String,
     page: u64,
 ) -> Result<AuditLogResult, ErrorResponse> {
+    let org = org.get().ok_or_else(|| anyhow!("can't get org"))?;
     let start: DateTime<FixedOffset> = start
         .and_then(|t| {
             Local
@@ -44,12 +44,6 @@ async fn get_audit_logs(
         })
         .into();
 
-    let org =
-        use_context::<Signal<Option<Organization>>>().ok_or_else(|| anyhow!("can't get org"))?;
-    let org = org
-        .get_untracked()
-        .ok_or_else(|| anyhow!("can't get org"))?;
-
     let page_size = page_size.parse::<u64>().unwrap_or(10);
 
     let resp = Request::get(&format!("/api/v1/organizations/{}/audit_logs", org.id))
@@ -79,16 +73,18 @@ async fn get_audit_logs(
 
 #[component]
 pub fn AuditLogView() -> impl IntoView {
-    let from_date = create_rw_signal(Some(Local::now().date_naive()));
-    let to_date = create_rw_signal(Some(Local::now().date_naive()));
-    let page_size = create_rw_signal(String::new());
-    let page = create_rw_signal(0);
+    let from_date = RwSignal::new(Some(Local::now().date_naive()));
+    let to_date = RwSignal::new(Some(Local::now().date_naive()));
+    let page_size = RwSignal::new(String::new());
+    let page = RwSignal::new(0);
+    let org = get_current_org();
 
-    let error = create_rw_signal(None);
+    let error = RwSignal::new(None);
 
-    let get_action = create_action(move |()| async move {
+    let get_action = Action::new_local(move |()| async move {
         error.set(None);
         let result = get_audit_logs(
+            org,
             from_date.get_untracked(),
             to_date.get_untracked(),
             page_size.get_untracked(),
@@ -155,22 +151,21 @@ pub fn AuditLogView() -> impl IntoView {
                 <Datepicker value=from_date />
                 <span class="mx-2">to</span>
                 <Datepicker value=to_date />
-                <button
-                    type="button"
-                    class="ml-4 px-4 py-2 text-sm font-medium text-white rounded-lg bg-blue-700 hover:bg-blue-800 focus:ring-4 focus:ring-blue-300 focus:outline-none"
-                    on:click=move |_| get_action.dispatch(())
+                <Button
+                    class="ml-4"
+                    on:click=move |_| {get_action.dispatch(());}
                 >
                     Search
-                </button>
+                </Button>
             </div>
             { move || if let Some(error) = error.get() {
                 view! {
                     <div class="my-4 p-4 rounded-lg bg-red-50">
                         <span class="text-sm font-medium text-red-800">{ error }</span>
                     </div>
-                }.into_view()
+                }.into_any()
             } else {
-                view!{}.into_view()
+                ().into_any()
             }}
 
             <div class="mt-4 flex flex-row items-center justify-between">
@@ -200,7 +195,7 @@ pub fn AuditLogView() -> impl IntoView {
                         class=("text-gray-300", move || audit_logs.with(|a| a.page == 0))
                         class=("cursor-pointer", move || !audit_logs.with(|a| a.page == 0))
                         class=("hover:bg-gray-100", move || !audit_logs.with(|a| a.page == 0))
-                        disabled=move || audit_logs.with(|a| a.page == 0)
+                        class=("disabled", move || audit_logs.with(|a| a.page == 0))
                         on:click=prev_page
                     >
                         <svg class="w-5 h-5" aria-hidden="true" fill="currentColor" viewBox="0 0 20 20" xmlns="http://www.w3.org/2000/svg">
@@ -254,7 +249,7 @@ fn RecordItemView(i: usize, record: AuditLogRecord) -> impl IntoView {
             class="w-full bg-white"
             class=("border-t", move || i > 0)
         >
-            <td scope="row" class="px-4 py-2">
+            <td class="px-4 py-2">
                 <DatetimeModal time=record.time />
             </td>
             <td class="px-4 py-2">
diff --git a/crates/dashboard/src/cli_auth.rs b/crates/dashboard/src/cli_auth.rs
new file mode 100644
index 0000000..60f7102
--- /dev/null
+++ b/crates/dashboard/src/cli_auth.rs
@@ -0,0 +1,144 @@
+use gloo_net::http::Request;
+use leptos::prelude::*;
+use leptos::task::spawn_local;
+use leptos_router::hooks::use_query_map;
+use serde::{Deserialize, Serialize};
+use uuid::Uuid;
+
+#[derive(Debug, Serialize)]
+struct GenerateTokenRequest {
+    session_id: Uuid,
+    device_name: String,
+}
+
+#[derive(Debug, Deserialize)]
+struct GenerateTokenResponse {
+    token: String,
+    expires_in: u32,
+}
+
+#[component]
+pub fn CliAuth() -> impl IntoView {
+    let query = use_query_map();
+    let session_id = move || {
+        query
+            .read()
+            .get("session_id")
+            .and_then(|s| Uuid::parse_str(&s).ok())
+    };
+    let device_name = move || query.read().get("device_name").unwrap_or_default();
+
+    let (generating, set_generating) = signal(false);
+    let (error, set_error) = signal(None::<String>);
+
+    // Auto-generate token when component mounts (user is already authenticated by WrappedView)
+    Effect::new(move |_| {
+        let sid = session_id();
+        let dname = device_name();
+
+        if let Some(session_id) = sid {
+            if !dname.is_empty() && !generating.get() {
+                set_generating.set(true);
+                spawn_local(async move {
+                    match generate_token(session_id, dname).await {
+                        Ok(_) => {
+                            // Redirect to success page
+                            if let Some(window) = web_sys::window() {
+                                let _ = window.location().set_href("/cli/success");
+                            }
+                        }
+                        Err(e) => {
+                            set_error.set(Some(format!("Failed to generate token: {}", e)));
+                            set_generating.set(false);
+                        }
+                    }
+                });
+            }
+        } else {
+            set_error.set(Some("Missing session_id parameter".to_string()));
+        }
+    });
+
+    view! {
+        <div class="flex flex-col items-center justify-center min-h-screen bg-gray-50">
+            <div class="text-center p-8 bg-white rounded-lg shadow-lg max-w-md">
+                <div class="mb-6 flex items-center justify-center">
+                    <svg class="w-12 h-12 mr-3" xmlns="http://www.w3.org/2000/svg" fill="currentColor" viewBox="0 0 1024 1024">
+                        <path d="M512 0C390.759 0 279.426 42.2227 191.719 112.656L191.719 612L351.719 612L351.719 332L422 332L431.719 332L431.719 332.344C488.169 334.127 541.249 351.138 581.875 380.625C627.591 413.806 654.875 460.633 654.875 512C654.875 563.367 627.591 610.194 581.875 643.375C541.249 672.862 488.169 689.873 431.719 691.656L431.719 1017.69C457.88 1021.81 484.68 1024 512 1024C794.77 1024 1024 794.77 1024 512C1024 229.23 794.77 0 512 0ZM111.719 192.906C41.8539 280.432 0 391.303 0 512C0 738.766 147.487 930.96 351.719 998.25L351.719 692L151.719 692L151.719 691.844L111.719 691.844L111.719 192.906ZM738.219 372C741.597 372.107 745.042 373.02 748.312 374.812L946.281 483.312C952.311 486.616 956.692 492.393 959.188 499.156C959.821 500.874 960.317 502.641 960.688 504.469C960.764 504.834 960.841 505.196 960.906 505.562C961.12 506.807 961.225 508.071 961.312 509.344C961.378 510.235 961.498 511.112 961.5 512C961.498 512.888 961.378 513.765 961.312 514.656C961.226 515.929 961.12 517.193 960.906 518.438C960.841 518.804 960.764 519.166 960.688 519.531C960.317 521.359 959.821 523.126 959.188 524.844C956.692 531.608 952.311 537.384 946.281 540.688L748.312 649.188C735.232 656.355 719.818 649.367 713.875 633.594C707.932 617.82 713.7 599.23 726.781 592.062L872.875 512L726.781 431.938C713.7 424.771 707.932 406.18 713.875 390.406C718.332 378.576 728.085 371.678 738.219 372ZM431.719 412.344L431.719 611.656C513.56 608.208 574.875 561.985 574.875 512C574.875 462.015 513.56 415.792 431.719 412.344Z" />
+                        <path d="M742 403.688C740.062 403.483 738.097 404.438 737.094 406.25C735.756 408.666 736.615 411.694 739.031 413.031L925.719 516.375C928.135 517.712 931.194 516.822 932.531 514.406C933.869 511.99 932.979 508.962 930.562 507.625L743.875 404.281C743.271 403.947 742.646 403.756 742 403.688Z" />
+                        <path d="M927.5 507.031C926.856 507.115 926.221 507.339 925.625 507.688L738.938 616.906C736.554 618.301 735.762 621.335 737.156 623.719C738.551 626.102 741.616 626.926 744 625.531L930.688 516.312C933.071 514.918 933.863 511.852 932.469 509.469C931.423 507.681 929.432 506.78 927.5 507.031Z" />
+                    </svg>
+                    <span class="text-3xl font-semibold">Lapdev</span>
+                </div>
+                <Show
+                    when=move || error.get().is_none()
+                    fallback=move || {
+                        view! {
+                            <div class="mb-4">
+                                <svg
+                                    class="w-16 h-16 mx-auto text-red-500"
+                                    fill="none"
+                                    stroke="currentColor"
+                                    viewBox="0 0 24 24"
+                                >
+                                    <path
+                                        stroke-linecap="round"
+                                        stroke-linejoin="round"
+                                        stroke-width="2"
+                                        d="M12 8v4m0 4h.01M21 12a9 9 0 11-18 0 9 9 0 0118 0z"
+                                    />
+                                </svg>
+                            </div>
+                            <h1 class="text-3xl font-bold text-red-600 mb-4">"Error"</h1>
+                            <p class="text-gray-700">{move || error.get().unwrap_or_default()}</p>
+                        }
+                    }
+                >
+                    <div class="mb-4">
+                        <svg
+                            class="w-16 h-16 mx-auto text-blue-500 animate-spin"
+                            fill="none"
+                            stroke="currentColor"
+                            viewBox="0 0 24 24"
+                        >
+                            <path
+                                stroke-linecap="round"
+                                stroke-linejoin="round"
+                                stroke-width="2"
+                                d="M4 4v5h.582m15.356 2A8.001 8.001 0 004.582 9m0 0H9m11 11v-5h-.581m0 0a8.003 8.003 0 01-15.357-2m15.357 2H15"
+                            />
+                        </svg>
+                    </div>
+                    <h1 class="text-3xl font-bold text-gray-800 mb-4">
+                        "Authenticating CLI..."
+                    </h1>
+                    <p class="text-gray-600 mb-2">
+                        "Generating your authentication token."
+                    </p>
+                    <p class="text-sm text-gray-500">
+                        "Please wait, redirecting to success page..."
+                    </p>
+                </Show>
+            </div>
+        </div>
+    }
+}
+
+async fn generate_token(session_id: Uuid, device_name: String) -> Result<(), String> {
+    let req = GenerateTokenRequest {
+        session_id,
+        device_name,
+    };
+
+    let _response: GenerateTokenResponse = Request::post("/api/v1/auth/cli/generate-token")
+        .json(&req)
+        .map_err(|e| format!("Failed to serialize request: {}", e))?
+        .send()
+        .await
+        .map_err(|e| format!("Failed to send request: {}", e))?
+        .json()
+        .await
+        .map_err(|e| format!("Failed to parse response: {}", e))?;
+
+    Ok(())
+}
diff --git a/crates/dashboard/src/cli_success.rs b/crates/dashboard/src/cli_success.rs
new file mode 100644
index 0000000..d77dcc4
--- /dev/null
+++ b/crates/dashboard/src/cli_success.rs
@@ -0,0 +1,40 @@
+use leptos::prelude::*;
+
+#[component]
+pub fn CliSuccess() -> impl IntoView {
+    view! {
+        <div class="flex flex-col items-center justify-center min-h-screen bg-gray-50">
+            <div class="text-center p-8 bg-white rounded-lg shadow-lg max-w-md">
+                <div class="mb-6 flex items-center justify-center">
+                    <svg class="w-12 h-12 mr-3" xmlns="http://www.w3.org/2000/svg" fill="currentColor" viewBox="0 0 1024 1024">
+                        <path d="M512 0C390.759 0 279.426 42.2227 191.719 112.656L191.719 612L351.719 612L351.719 332L422 332L431.719 332L431.719 332.344C488.169 334.127 541.249 351.138 581.875 380.625C627.591 413.806 654.875 460.633 654.875 512C654.875 563.367 627.591 610.194 581.875 643.375C541.249 672.862 488.169 689.873 431.719 691.656L431.719 1017.69C457.88 1021.81 484.68 1024 512 1024C794.77 1024 1024 794.77 1024 512C1024 229.23 794.77 0 512 0ZM111.719 192.906C41.8539 280.432 0 391.303 0 512C0 738.766 147.487 930.96 351.719 998.25L351.719 692L151.719 692L151.719 691.844L111.719 691.844L111.719 192.906ZM738.219 372C741.597 372.107 745.042 373.02 748.312 374.812L946.281 483.312C952.311 486.616 956.692 492.393 959.188 499.156C959.821 500.874 960.317 502.641 960.688 504.469C960.764 504.834 960.841 505.196 960.906 505.562C961.12 506.807 961.225 508.071 961.312 509.344C961.378 510.235 961.498 511.112 961.5 512C961.498 512.888 961.378 513.765 961.312 514.656C961.226 515.929 961.12 517.193 960.906 518.438C960.841 518.804 960.764 519.166 960.688 519.531C960.317 521.359 959.821 523.126 959.188 524.844C956.692 531.608 952.311 537.384 946.281 540.688L748.312 649.188C735.232 656.355 719.818 649.367 713.875 633.594C707.932 617.82 713.7 599.23 726.781 592.062L872.875 512L726.781 431.938C713.7 424.771 707.932 406.18 713.875 390.406C718.332 378.576 728.085 371.678 738.219 372ZM431.719 412.344L431.719 611.656C513.56 608.208 574.875 561.985 574.875 512C574.875 462.015 513.56 415.792 431.719 412.344Z" />
+                        <path d="M742 403.688C740.062 403.483 738.097 404.438 737.094 406.25C735.756 408.666 736.615 411.694 739.031 413.031L925.719 516.375C928.135 517.712 931.194 516.822 932.531 514.406C933.869 511.99 932.979 508.962 930.562 507.625L743.875 404.281C743.271 403.947 742.646 403.756 742 403.688Z" />
+                        <path d="M927.5 507.031C926.856 507.115 926.221 507.339 925.625 507.688L738.938 616.906C736.554 618.301 735.762 621.335 737.156 623.719C738.551 626.102 741.616 626.926 744 625.531L930.688 516.312C933.071 514.918 933.863 511.852 932.469 509.469C931.423 507.681 929.432 506.78 927.5 507.031Z" />
+                    </svg>
+                    <span class="text-3xl font-semibold">Lapdev</span>
+                </div>
+                <div class="mb-4">
+                    <svg
+                        class="w-16 h-16 mx-auto text-green-500"
+                        fill="none"
+                        stroke="currentColor"
+                        viewBox="0 0 24 24"
+                    >
+                        <path
+                            stroke-linecap="round"
+                            stroke-linejoin="round"
+                            stroke-width="2"
+                            d="M9 12l2 2 4-4m6 2a9 9 0 11-18 0 9 9 0 0118 0z"
+                        />
+                    </svg>
+                </div>
+                <h1 class="text-3xl font-bold text-gray-800 mb-4">
+                    "CLI Authenticated Successfully"
+                </h1>
+                <p class="text-gray-600 mb-2">
+                    "You can close this window and return to your terminal."
+                </p>
+            </div>
+        </div>
+    }
+}
diff --git a/lapdev-dashboard/src/cluster.rs b/crates/dashboard/src/cluster.rs
similarity index 76%
rename from lapdev-dashboard/src/cluster.rs
rename to crates/dashboard/src/cluster.rs
index b998adf..9308417 100644
--- a/lapdev-dashboard/src/cluster.rs
+++ b/crates/dashboard/src/cluster.rs
@@ -7,18 +7,14 @@ use lapdev_common::{
     NewWorkspaceHost, OauthSettings, UpdateClusterUser, UpdateMachineType, UpdateWorkspaceHost,
     WorkspaceHost,
 };
-use leptos::{
-    component, create_action, create_effect, create_local_resource, create_rw_signal, document,
-    event_target_checked, event_target_value, expect_context, leptos_dom::helpers::location,
-    set_timeout, view, Action, For, IntoView, RwSignal, Signal, SignalGet, SignalGetUntracked,
-    SignalSet, SignalUpdate, SignalWith, SignalWithUntracked,
-};
+use leptos::prelude::*;
 use uuid::Uuid;
 use wasm_bindgen::{JsCast, UnwrapThrowExt};
 use web_sys::FocusEvent;
 
-use crate::modal::{
-    CreationInput, CreationModal, DatetimeModal, DeletionModal, ErrorResponse, SettingView,
+use crate::{
+    component::input::Input,
+    modal::{CreationInput, DatetimeModal, DeleteModal, ErrorResponse, Modal, SettingView},
 };
 
 async fn get_all_workspaces() -> Result<Vec<WorkspaceHost>> {
@@ -27,15 +23,20 @@ async fn get_all_workspaces() -> Result<Vec<WorkspaceHost>> {
     Ok(hosts)
 }
 
+pub fn get_cluster_info() -> Signal<Option<ClusterInfo>, LocalStorage> {
+    expect_context::<Signal<Option<ClusterInfo>, LocalStorage>>()
+}
+
 #[component]
 pub fn WorkspaceHostView() -> impl IntoView {
-    let new_workspace_host_modal_hidden = create_rw_signal(true);
-    let update_counter = create_rw_signal(0);
-    let hosts = create_local_resource(
-        move || update_counter.get(),
-        move |_| async move { get_all_workspaces().await },
-    );
-    let host_filter = create_rw_signal(String::new());
+    let new_workspace_host_modal_open = RwSignal::new(false);
+    let update_counter = RwSignal::new_local(0);
+    let hosts = LocalResource::new(move || async move { get_all_workspaces().await });
+    Effect::new(move |_| {
+        update_counter.track();
+        hosts.refetch();
+    });
+    let host_filter = RwSignal::new_local(String::new());
     let hosts = Signal::derive(move || {
         let host_filter = host_filter.get();
         let mut hosts = hosts.with(|hosts| {
@@ -77,7 +78,7 @@ pub fn WorkspaceHostView() -> impl IntoView {
                 <button
                     type="button"
                     class="px-4 py-2 text-sm font-medium text-white rounded-lg bg-blue-700 hover:bg-blue-800 focus:ring-4 focus:ring-blue-300"
-                    on:click=move |_| new_workspace_host_modal_hidden.set(false)
+                    on:click=move |_| new_workspace_host_modal_open.set(true)
                 >
                     New Workspace Host
                 </button>
@@ -95,23 +96,23 @@ pub fn WorkspaceHostView() -> impl IntoView {
                 }
             />
         </div>
-        <NewWorkspaceHostView new_workspace_host_modal_hidden update_counter />
+        <NewWorkspaceHostView new_workspace_host_modal_open update_counter />
     }
 }
 
 #[component]
 pub fn NewWorkspaceHostView(
-    new_workspace_host_modal_hidden: RwSignal<bool>,
-    update_counter: RwSignal<i32>,
+    new_workspace_host_modal_open: RwSignal<bool>,
+    update_counter: RwSignal<i32, LocalStorage>,
 ) -> impl IntoView {
-    let cluster_info = expect_context::<Signal<Option<ClusterInfo>>>();
-    let host = create_rw_signal(String::new());
-    let region = create_rw_signal(String::new());
-    let zone = create_rw_signal(String::new());
-    let cpu = create_rw_signal(String::new());
-    let memory = create_rw_signal(String::new());
-    let disk = create_rw_signal(String::new());
-    let action = create_action(move |_| {
+    let cluster_info = get_cluster_info();
+    let host = RwSignal::new_local(String::new());
+    let region = RwSignal::new_local(String::new());
+    let zone = RwSignal::new_local(String::new());
+    let cpu = RwSignal::new_local(String::new());
+    let memory = RwSignal::new_local(String::new());
+    let disk = RwSignal::new_local(String::new());
+    let action = Action::new_local(move |_| {
         create_workspace_host(
             host.get_untracked(),
             region.get_untracked(),
@@ -120,43 +121,46 @@ pub fn NewWorkspaceHostView(
             memory.get_untracked(),
             disk.get_untracked(),
             update_counter,
-            new_workspace_host_modal_hidden,
+            new_workspace_host_modal_open,
         )
     });
-    let body = view! {
-        <CreationInput label="The host".to_string() value=host placeholder="IP or hostname".to_string() />
-        <div
-            class:hidden=move || !cluster_info.with(|i| i.as_ref().map(|i| i.has_enterprise)).unwrap_or(false)
-        >
-            <CreationInput label="Region of the workspace host".to_string() value=region placeholder="".to_string() />
-        </div>
-        <div
-            class:hidden=move || !cluster_info.with(|i| i.as_ref().map(|i| i.has_enterprise)).unwrap_or(false)
-        >
-            <CreationInput label="Zone of the workspace host".to_string() value=zone placeholder="".to_string() />
-        </div>
-        <CreationInput label="CPU Cores".to_string() value=cpu placeholder="number of CPU cores".to_string() />
-        <CreationInput label="Memory (GB)".to_string() value=memory placeholder="memory in GB".to_string() />
-        <CreationInput label="Disk (GB)".to_string() value=disk placeholder="disk in GB".to_string() />
-    };
     view! {
-        <CreationModal title="Create New Workspace Host".to_string() modal_hidden=new_workspace_host_modal_hidden action body update_text=Some("Create".to_string()) updating_text=Some("Creating".to_string()) width_class=None create_button_hidden=Box::new(|| false) />
+        <Modal
+            title="Create New Workspace Host"
+            open=new_workspace_host_modal_open
+            action
+        >
+            <CreationInput label="The host".to_string() value=host placeholder="IP or hostname".to_string() />
+            <div
+                class:hidden=move || !cluster_info.with(|i| i.as_ref().map(|i| i.has_enterprise)).unwrap_or(false)
+            >
+                <CreationInput label="Region of the workspace host".to_string() value=region placeholder="".to_string() />
+            </div>
+            <div
+                class:hidden=move || !cluster_info.with(|i| i.as_ref().map(|i| i.has_enterprise)).unwrap_or(false)
+            >
+                <CreationInput label="Zone of the workspace host".to_string() value=zone placeholder="".to_string() />
+            </div>
+            <CreationInput label="CPU Cores".to_string() value=cpu placeholder="number of CPU cores".to_string() />
+            <CreationInput label="Memory (GB)".to_string() value=memory placeholder="memory in GB".to_string() />
+            <CreationInput label="Disk (GB)".to_string() value=disk placeholder="disk in GB".to_string() />
+        </Modal>
     }
 }
 
 #[component]
 pub fn UpdateWorkspaceHostModal(
     host: WorkspaceHost,
-    update_workspace_host_modal_hidden: RwSignal<bool>,
-    update_counter: RwSignal<i32>,
+    update_workspace_host_modal_open: RwSignal<bool>,
+    update_counter: RwSignal<i32, LocalStorage>,
 ) -> impl IntoView {
-    let cluster_info = expect_context::<Signal<Option<ClusterInfo>>>();
-    let region = create_rw_signal(host.region.clone());
-    let zone = create_rw_signal(host.zone.clone());
-    let cpu = create_rw_signal(host.cpu.to_string());
-    let memory = create_rw_signal(host.memory.to_string());
-    let disk = create_rw_signal(host.disk.to_string());
-    let action = create_action(move |_| {
+    let cluster_info = get_cluster_info();
+    let region = RwSignal::new_local(host.region.clone());
+    let zone = RwSignal::new_local(host.zone.clone());
+    let cpu = RwSignal::new_local(host.cpu.to_string());
+    let memory = RwSignal::new_local(host.memory.to_string());
+    let disk = RwSignal::new_local(host.disk.to_string());
+    let action = Action::new_local(move |_| {
         update_workspace_host(
             host.id,
             region.get_untracked(),
@@ -165,26 +169,31 @@ pub fn UpdateWorkspaceHostModal(
             memory.get_untracked(),
             disk.get_untracked(),
             update_counter,
-            update_workspace_host_modal_hidden,
+            update_workspace_host_modal_open,
         )
     });
-    let body = view! {
-        <div
-            class:hidden=move || !cluster_info.with(|i| i.as_ref().map(|i| i.has_enterprise)).unwrap_or(false)
-        >
-            <CreationInput label="Region of the workspace host".to_string() value=region placeholder="".to_string() />
-        </div>
-        <div
-            class:hidden=move || !cluster_info.with(|i| i.as_ref().map(|i| i.has_enterprise)).unwrap_or(false)
-        >
-            <CreationInput label="Zone of the workspace host".to_string() value=zone placeholder="".to_string() />
-        </div>
-        <CreationInput label="CPU Cores".to_string() value=cpu placeholder="number of CPU cores".to_string() />
-        <CreationInput label="Memory (GB)".to_string() value=memory placeholder="memory in GB".to_string() />
-        <CreationInput label="Disk (GB)".to_string() value=disk placeholder="disk in GB".to_string() />
-    };
     view! {
-        <CreationModal title="Update Workspace Host".to_string() modal_hidden=update_workspace_host_modal_hidden action body update_text=None updating_text=None  width_class=None create_button_hidden=Box::new(|| false) />
+        <Modal
+            title="Update Workspace Host"
+            open=update_workspace_host_modal_open
+            action
+            action_text="Update"
+            action_progress_text="Updating"
+        >
+            <div
+                class:hidden=move || !cluster_info.with(|i| i.as_ref().map(|i| i.has_enterprise)).unwrap_or(false)
+            >
+                <CreationInput label="Region of the workspace host".to_string() value=region placeholder="".to_string() />
+            </div>
+            <div
+                class:hidden=move || !cluster_info.with(|i| i.as_ref().map(|i| i.has_enterprise)).unwrap_or(false)
+            >
+                <CreationInput label="Zone of the workspace host".to_string() value=zone placeholder="".to_string() />
+            </div>
+            <CreationInput label="CPU Cores".to_string() value=cpu placeholder="number of CPU cores".to_string() />
+            <CreationInput label="Memory (GB)".to_string() value=memory placeholder="memory in GB".to_string() />
+            <CreationInput label="Disk (GB)".to_string() value=disk placeholder="disk in GB".to_string() />
+        </Modal>
     }
 }
 
@@ -196,8 +205,8 @@ async fn create_workspace_host(
     cpu: String,
     memory: String,
     disk: String,
-    update_counter: RwSignal<i32>,
-    new_workspace_host_modal_hidden: RwSignal<bool>,
+    update_counter: RwSignal<i32, LocalStorage>,
+    new_workspace_host_modal_open: RwSignal<bool>,
 ) -> Result<(), ErrorResponse> {
     let cpu: usize = match cpu.parse() {
         Ok(n) => n,
@@ -244,7 +253,7 @@ async fn create_workspace_host(
         return Err(error);
     }
     update_counter.update(|c| *c += 1);
-    new_workspace_host_modal_hidden.set(true);
+    new_workspace_host_modal_open.set(false);
     Ok(())
 }
 
@@ -256,8 +265,8 @@ async fn update_workspace_host(
     cpu: String,
     memory: String,
     disk: String,
-    update_counter: RwSignal<i32>,
-    update_workspace_host_modal_hidden: RwSignal<bool>,
+    update_counter: RwSignal<i32, LocalStorage>,
+    update_workspace_host_modal_open: RwSignal<bool>,
 ) -> Result<(), ErrorResponse> {
     let cpu: usize = match cpu.parse() {
         Ok(n) => n,
@@ -304,14 +313,14 @@ async fn update_workspace_host(
         return Err(error);
     }
     update_counter.update(|c| *c += 1);
-    update_workspace_host_modal_hidden.set(true);
+    update_workspace_host_modal_open.set(false);
     Ok(())
 }
 
 async fn delete_workspace_host(
     id: Uuid,
-    update_counter: RwSignal<i32>,
-    delete_modal_hidden: RwSignal<bool>,
+    update_counter: RwSignal<i32, LocalStorage>,
+    delete_modal_open: RwSignal<bool>,
 ) -> Result<(), ErrorResponse> {
     let resp = Request::delete(&format!("/api/v1/admin/workspace_hosts/{id}"))
         .send()
@@ -326,19 +335,22 @@ async fn delete_workspace_host(
         return Err(error);
     }
     update_counter.update(|c| *c += 1);
-    delete_modal_hidden.set(true);
+    delete_modal_open.set(false);
     Ok(())
 }
 
 #[component]
-fn WorkspaceHostItem(host: WorkspaceHost, update_counter: RwSignal<i32>) -> impl IntoView {
-    let cluster_info = expect_context::<Signal<Option<ClusterInfo>>>();
-    let update_workspace_host_modal_hidden = create_rw_signal(true);
-    let delete_modal_hidden = create_rw_signal(true);
+fn WorkspaceHostItem(
+    host: WorkspaceHost,
+    update_counter: RwSignal<i32, LocalStorage>,
+) -> impl IntoView {
+    let cluster_info = get_cluster_info();
+    let update_workspace_host_modal_open = RwSignal::new(false);
+    let delete_modal_open = RwSignal::new(false);
     let delete_action = {
         let id = host.id;
-        create_action(move |_| async move {
-            delete_workspace_host(id, update_counter, delete_modal_hidden).await
+        Action::new_local(move |_| async move {
+            delete_workspace_host(id, update_counter, delete_modal_open).await
         })
     };
     view! {
@@ -365,22 +377,22 @@ fn WorkspaceHostItem(host: WorkspaceHost, update_counter: RwSignal<i32>) -> impl
                     <p><span class="text-gray-500 mr-1">{"Disk:"}</span>{format!("{}GB/{}GB", host.disk - host.available_disk, host.disk)}</p>
                 </div>
                 <div class="w-1/6">
-                    <WorkspaceHostControl delete_modal_hidden update_workspace_host_modal_hidden align_right=true />
+                    <WorkspaceHostControl delete_modal_open update_workspace_host_modal_open align_right=true />
                 </div>
             </div>
         </div>
-        <DeletionModal resource=host.host.clone() modal_hidden=delete_modal_hidden delete_action />
-        <UpdateWorkspaceHostModal host=host.clone() update_workspace_host_modal_hidden update_counter />
+        <DeleteModal resource=host.host.clone() open=delete_modal_open delete_action />
+        <UpdateWorkspaceHostModal host=host.clone() update_workspace_host_modal_open update_counter />
     }
 }
 
 #[component]
 fn WorkspaceHostControl(
-    delete_modal_hidden: RwSignal<bool>,
-    update_workspace_host_modal_hidden: RwSignal<bool>,
+    delete_modal_open: RwSignal<bool>,
+    update_workspace_host_modal_open: RwSignal<bool>,
     align_right: bool,
 ) -> impl IntoView {
-    let dropdown_hidden = create_rw_signal(true);
+    let dropdown_hidden = RwSignal::new_local(true);
 
     let toggle_dropdown = move |_| {
         if dropdown_hidden.get_untracked() {
@@ -415,7 +427,7 @@ fn WorkspaceHostControl(
     let delete_workspace_host = {
         move |_| {
             dropdown_hidden.set(true);
-            delete_modal_hidden.set(false);
+            delete_modal_open.set(true);
         }
     };
 
@@ -445,7 +457,7 @@ fn WorkspaceHostControl(
                             class="block px-4 py-2 hover:bg-gray-100"
                             on:click=move |_| {
                                 dropdown_hidden.set(true);
-                                update_workspace_host_modal_hidden.set(false);
+                                update_workspace_host_modal_open.set(true);
                             }
                         >
                             Update
@@ -468,7 +480,7 @@ fn WorkspaceHostControl(
 
 #[component]
 pub fn ClusterSettings() -> impl IntoView {
-    let cluster_info = expect_context::<Signal<Option<ClusterInfo>>>();
+    let cluster_info = get_cluster_info();
     view! {
         <div class="border-b pb-4 mb-8">
             <h5 class="mr-3 text-2xl font-semibold">
@@ -535,13 +547,14 @@ async fn get_cpu_overcommit() -> Result<usize, ErrorResponse> {
 
 #[component]
 fn CpuOvercommitSetting() -> impl IntoView {
-    let update_counter = create_rw_signal(0);
-    let current_value = create_local_resource(
-        move || update_counter.get(),
-        move |_| async move { get_cpu_overcommit().await },
-    );
-    let value = create_rw_signal(String::new());
-    create_effect(move |_| {
+    let update_counter = RwSignal::new_local(0);
+    let current_value = LocalResource::new(move || async move { get_cpu_overcommit().await });
+    Effect::new(move |_| {
+        update_counter.get();
+        current_value.refetch();
+    });
+    let value = RwSignal::new_local(String::new());
+    Effect::new(move |_| {
         let v = current_value.with(|v| v.as_ref().and_then(|v| v.as_ref().ok().copied()));
         if let Some(v) = v {
             value.set(v.to_string());
@@ -549,17 +562,19 @@ fn CpuOvercommitSetting() -> impl IntoView {
     });
     let body = view! {
         <div class="mt-2">
-            <input
+            <Input
                 prop:value={move || value.get()}
                 on:input=move |ev| {
                     value.set(event_target_value(&ev));
                 }
-                class="max-w-96 bg-gray-50 border border-gray-300 text-gray-900 text-sm rounded-lg focus:ring-blue-500 focus:border-blue-500 block w-full p-2.5"
+                class="max-w-96"
             />
         </div>
     };
     let save_action =
-        create_action(move |_| async move { update_cpu_overcommit(value.get_untracked()).await });
+        Action::new_local(
+            move |_| async move { update_cpu_overcommit(value.get_untracked()).await },
+        );
     view! {
         <SettingView title="CPU Overcommit Setting".to_string() action=save_action body update_counter extra=None />
     }
@@ -567,7 +582,7 @@ fn CpuOvercommitSetting() -> impl IntoView {
 
 async fn update_oauth2(
     update_oauth: OauthSettings,
-    update_counter: RwSignal<i32>,
+    update_counter: RwSignal<i32, LocalStorage>,
     reload: bool,
 ) -> Result<(), ErrorResponse> {
     let resp = Request::put("/api/v1/admin/oauth")
@@ -602,18 +617,19 @@ async fn get_oauth2() -> Result<OauthSettings> {
 
 #[component]
 pub fn OauthSettings(reload: bool) -> impl IntoView {
-    let update_counter = create_rw_signal(0);
-    let github_client_id = create_rw_signal(String::new());
-    let github_client_secret = create_rw_signal(String::new());
-    let gitlab_client_id = create_rw_signal(String::new());
-    let gitlab_client_secret = create_rw_signal(String::new());
-
-    let oauth = create_local_resource(
-        move || update_counter.get(),
-        move |_| async move { get_oauth2().await },
-    );
-
-    create_effect(move |_| {
+    let update_counter = RwSignal::new_local(0);
+    let github_client_id = RwSignal::new_local(String::new());
+    let github_client_secret = RwSignal::new_local(String::new());
+    let gitlab_client_id = RwSignal::new_local(String::new());
+    let gitlab_client_secret = RwSignal::new_local(String::new());
+
+    let oauth = LocalResource::new(move || async move { get_oauth2().await });
+    Effect::new(move |_| {
+        update_counter.track();
+        oauth.refetch();
+    });
+
+    Effect::new(move |_| {
         let oauth = oauth.with(|oauth| oauth.as_ref().and_then(|o| o.as_ref().ok().cloned()));
         if let Some(oauth) = oauth {
             github_client_id.set(oauth.github_client_id);
@@ -631,10 +647,10 @@ pub fn OauthSettings(reload: bool) -> impl IntoView {
                 </svg>
                 <span>GitHub Client Id</span>
             </div>
-            <input
+            <Input
                 prop:value={move || github_client_id.get()}
                 on:input=move |ev| { github_client_id.set(event_target_value(&ev)) }
-                class="max-w-96 bg-gray-50 border border-gray-300 text-gray-900 text-sm rounded-lg focus:ring-blue-500 focus:border-blue-500 block w-full p-2.5"
+                class="max-w-96"
             />
         </div>
         <div class="mt-2">
@@ -644,10 +660,10 @@ pub fn OauthSettings(reload: bool) -> impl IntoView {
                 </svg>
                 <span>GitHub Client Secret</span>
             </div>
-            <input
+            <Input
                 prop:value={move || github_client_secret.get()}
                 on:input=move |ev| { github_client_secret.set(event_target_value(&ev)) }
-                class="max-w-96 bg-gray-50 border border-gray-300 text-gray-900 text-sm rounded-lg focus:ring-blue-500 focus:border-blue-500 block w-full p-2.5"
+                class="max-w-96"
             />
         </div>
         <div class="mt-2">
@@ -655,10 +671,10 @@ pub fn OauthSettings(reload: bool) -> impl IntoView {
                 <svg class="w-4 h-4 me-2" viewBox="0 0 25 24" xmlns="http://www.w3.org/2000/svg"><path d="M24.507 9.5l-.034-.09L21.082.562a.896.896 0 00-1.694.091l-2.29 7.01H7.825L5.535.653a.898.898 0 00-1.694-.09L.451 9.411.416 9.5a6.297 6.297 0 002.09 7.278l.012.01.03.022 5.16 3.867 2.56 1.935 1.554 1.176a1.051 1.051 0 001.268 0l1.555-1.176 2.56-1.935 5.197-3.89.014-.01A6.297 6.297 0 0024.507 9.5z" fill="#E24329"/><path d="M24.507 9.5l-.034-.09a11.44 11.44 0 00-4.56 2.051l-7.447 5.632 4.742 3.584 5.197-3.89.014-.01A6.297 6.297 0 0024.507 9.5z" fill="#FC6D26"/><path d="M7.707 20.677l2.56 1.935 1.555 1.176a1.051 1.051 0 001.268 0l1.555-1.176 2.56-1.935-4.743-3.584-4.755 3.584z" fill="#FCA326"/><path d="M5.01 11.461a11.43 11.43 0 00-4.56-2.05L.416 9.5a6.297 6.297 0 002.09 7.278l.012.01.03.022 5.16 3.867 4.745-3.584-7.444-5.632z" fill="#FC6D26"/></svg>
                 <span>GitLab Client Id</span>
             </div>
-            <input
+            <Input
                 prop:value={move || gitlab_client_id.get()}
                 on:input=move |ev| { gitlab_client_id.set(event_target_value(&ev)) }
-                class="max-w-96 bg-gray-50 border border-gray-300 text-gray-900 text-sm rounded-lg focus:ring-blue-500 focus:border-blue-500 block w-full p-2.5"
+                class="max-w-96"
             />
         </div>
         <div class="mt-2">
@@ -666,14 +682,14 @@ pub fn OauthSettings(reload: bool) -> impl IntoView {
                 <svg class="w-4 h-4 me-2" viewBox="0 0 25 24" xmlns="http://www.w3.org/2000/svg"><path d="M24.507 9.5l-.034-.09L21.082.562a.896.896 0 00-1.694.091l-2.29 7.01H7.825L5.535.653a.898.898 0 00-1.694-.09L.451 9.411.416 9.5a6.297 6.297 0 002.09 7.278l.012.01.03.022 5.16 3.867 2.56 1.935 1.554 1.176a1.051 1.051 0 001.268 0l1.555-1.176 2.56-1.935 5.197-3.89.014-.01A6.297 6.297 0 0024.507 9.5z" fill="#E24329"/><path d="M24.507 9.5l-.034-.09a11.44 11.44 0 00-4.56 2.051l-7.447 5.632 4.742 3.584 5.197-3.89.014-.01A6.297 6.297 0 0024.507 9.5z" fill="#FC6D26"/><path d="M7.707 20.677l2.56 1.935 1.555 1.176a1.051 1.051 0 001.268 0l1.555-1.176 2.56-1.935-4.743-3.584-4.755 3.584z" fill="#FCA326"/><path d="M5.01 11.461a11.43 11.43 0 00-4.56-2.05L.416 9.5a6.297 6.297 0 002.09 7.278l.012.01.03.022 5.16 3.867 4.745-3.584-7.444-5.632z" fill="#FC6D26"/></svg>
                 <span>GitLab Client Secret</span>
             </div>
-            <input
+            <Input
                 prop:value={move || gitlab_client_secret.get()}
                 on:input=move |ev| { gitlab_client_secret.set(event_target_value(&ev)) }
-                class="max-w-96 bg-gray-50 border border-gray-300 text-gray-900 text-sm rounded-lg focus:ring-blue-500 focus:border-blue-500 block w-full p-2.5"
+                class="max-w-96"
             />
         </div>
     };
-    let save_action = create_action(move |_| async move {
+    let save_action = Action::new_local(move |_| async move {
         update_oauth2(
             OauthSettings {
                 github_client_id: github_client_id.get_untracked(),
@@ -699,7 +715,7 @@ async fn get_hostnames() -> Result<HashMap<String, String>> {
 
 async fn update_hostnames(
     value: Vec<(String, String)>,
-    update_counter: RwSignal<i32>,
+    update_counter: RwSignal<i32, LocalStorage>,
 ) -> Result<(), ErrorResponse> {
     let resp = Request::put("/api/v1/admin/hostnames")
         .json(&value)?
@@ -720,22 +736,23 @@ async fn update_hostnames(
 
 #[component]
 pub fn ClusterHostnameSetting() -> impl IntoView {
-    let cluster_info = expect_context::<Signal<Option<ClusterInfo>>>();
+    let cluster_info = get_cluster_info();
 
-    let update_counter = create_rw_signal(0);
+    let update_counter = RwSignal::new_local(0);
 
-    let set_hostnames = create_rw_signal(vec![]);
+    let set_hostnames = RwSignal::new_local(vec![]);
 
-    let hostnames = create_local_resource(
-        move || update_counter.get(),
-        |_| async move { get_hostnames().await.unwrap_or_default() },
-    );
+    let hostnames = LocalResource::new(|| async move { get_hostnames().await.unwrap_or_default() });
+    Effect::new(move |_| {
+        update_counter.track();
+        hostnames.refetch();
+    });
 
-    create_effect(move |_| {
-        let hostnames = hostnames.with(|h| h.clone()).unwrap_or_default();
-        let mut hostnames: Vec<(String, RwSignal<String>)> = hostnames
+    Effect::new(move |_| {
+        let hostnames = hostnames.get().unwrap_or_default();
+        let mut hostnames: Vec<(String, RwSignal<String, LocalStorage>)> = hostnames
             .into_iter()
-            .map(|(key, value)| (key, create_rw_signal(value)))
+            .map(|(key, value)| (key, RwSignal::new_local(value)))
             .collect();
         hostnames.sort_by_key(|(region, _)| region.to_owned());
         set_hostnames.set(hostnames);
@@ -755,36 +772,36 @@ pub fn ClusterHostnameSetting() -> impl IntoView {
                                         <div class="flex flex-row items-center mb-2 text-sm font-medium text-gray-900">
                                             <span>{format!("Region: {region}")}</span>
                                         </div>
-                                        <input
+                                        <Input
                                             prop:value={move || hostname.get()}
                                             on:input=move |ev| { hostname.set(event_target_value(&ev)) }
-                                            class="max-w-96 bg-gray-50 border border-gray-300 text-gray-900 text-sm rounded-lg focus:ring-blue-500 focus:border-blue-500 block w-full p-2.5"
+                                            class="max-w-96"
                                         />
                                     </div>
                                 }
                             }
                         />
-                    }.into_view()
+                    }.into_any()
                 } else {
                     view! {
                         <div class="mt-2">
-                            <input
+                            <Input
                                 prop:value={move || set_hostnames.get().iter().find(|(k,_)| k.is_empty()).map(|(_,v)| v.get()).unwrap_or_default()}
                                 on:input=move |ev| {
                                     if let Some(h) = set_hostnames.get().iter().find(|(k,_)| k.is_empty()).map(|(_,v)| *v) {
                                         h.set(event_target_value(&ev))
                                     }
                                 }
-                                class="max-w-96 bg-gray-50 border border-gray-300 text-gray-900 text-sm rounded-lg focus:ring-blue-500 focus:border-blue-500 block w-full p-2.5"
+                                class="max-w-96"
                             />
                         </div>
-                    }.into_view()
+                    }.into_any()
                 }
             }
         }
     };
 
-    let save_action = create_action(move |_| async move {
+    let save_action = Action::new_local(move |_| async move {
         let value = set_hostnames
             .get_untracked()
             .into_iter()
@@ -834,12 +851,12 @@ async fn update_certs(certs: Vec<(String, String)>) -> Result<(), ErrorResponse>
 
 #[component]
 pub fn ClusterCertsSetting() -> impl IntoView {
-    let certs = create_rw_signal(vec![]);
+    let certs = RwSignal::new_local(vec![]);
     let new_cert = move |_| {
         certs.update(|certs| {
             certs.push((
-                create_rw_signal(String::new()),
-                create_rw_signal(String::new()),
+                RwSignal::new_local(String::new()),
+                RwSignal::new_local(String::new()),
             ));
         });
     };
@@ -849,22 +866,25 @@ pub fn ClusterCertsSetting() -> impl IntoView {
         })
     };
 
-    let update_counter = create_rw_signal(0);
-    let current_certs = create_local_resource(
-        move || update_counter.get(),
-        move |_| async move { get_certs().await.unwrap_or_default() },
-    );
-    create_effect(move |_| {
-        let current_certs = current_certs.with(|certs| certs.clone().unwrap_or_default());
+    let update_counter = RwSignal::new_local(0);
+    let current_certs =
+        LocalResource::new(move || async move { get_certs().await.unwrap_or_default() });
+    Effect::new(move |_| {
+        update_counter.track();
+        current_certs.refetch();
+    });
+
+    Effect::new(move |_| {
+        let current_certs = current_certs.get().unwrap_or_default();
         certs.update(|certs| {
             *certs = current_certs
                 .into_iter()
-                .map(|(name, value)| (create_rw_signal(name), create_rw_signal(value)))
+                .map(|(name, value)| (RwSignal::new_local(name), RwSignal::new_local(value)))
                 .collect();
         });
     });
 
-    let save_action = create_action(move |_| async move {
+    let save_action = Action::new_local(move |_| async move {
         let certs = certs.get_untracked();
         let certs: Vec<(String, String)> = certs
             .into_iter()
@@ -931,7 +951,7 @@ pub fn ClusterCertsSetting() -> impl IntoView {
         >
             New Certificate
         </button>
-    }.into_view();
+    }.into_any();
 
     view! {
         <SettingView title="Certificate Settings".to_string() action=save_action body update_counter extra=Some(extra) />
@@ -946,17 +966,18 @@ async fn all_machine_types() -> Result<Vec<MachineType>> {
 
 #[component]
 pub fn MachineTypeView() -> impl IntoView {
-    let new_machine_type_modal_hidden = create_rw_signal(true);
-    let update_counter = create_rw_signal(0);
-    let machine_types = create_local_resource(
-        move || update_counter.get(),
-        |_| async move { all_machine_types().await.unwrap_or_default() },
-    );
-    let machine_type_filter = create_rw_signal(String::new());
+    let new_machine_type_modal_open = RwSignal::new(false);
+    let update_counter = RwSignal::new_local(0);
+    let machine_types =
+        LocalResource::new(|| async move { all_machine_types().await.unwrap_or_default() });
+    Effect::new(move |_| {
+        update_counter.track();
+        machine_types.refetch();
+    });
+    let machine_type_filter = RwSignal::new_local(String::new());
     let machine_types = Signal::derive(move || {
         let machine_type_filter = machine_type_filter.get();
-        let mut machine_types =
-            machine_types.with(|machine_types| machine_types.clone().unwrap_or_default());
+        let mut machine_types = machine_types.get().unwrap_or_default();
         machine_types.retain(|h| h.name.contains(&machine_type_filter));
         machine_types
     });
@@ -989,7 +1010,7 @@ pub fn MachineTypeView() -> impl IntoView {
                 <button
                     type="button"
                     class="px-4 py-2 text-sm font-medium text-white rounded-lg bg-blue-700 hover:bg-blue-800 focus:ring-4 focus:ring-blue-300 focus:outline-none"
-                    on:click=move |_| new_machine_type_modal_hidden.set(false)
+                    on:click=move |_| new_machine_type_modal_open.set(true)
                 >
                     New Machine Type
                 </button>
@@ -1007,18 +1028,21 @@ pub fn MachineTypeView() -> impl IntoView {
                 }
             />
         </div>
-        <NewMachineTypeView new_machine_type_modal_hidden update_counter />
+        <NewMachineTypeView new_machine_type_modal_open update_counter />
     }
 }
 
 #[component]
-fn MachineTypeItem(machine_type: MachineType, update_counter: RwSignal<i32>) -> impl IntoView {
-    let update_machine_type_modal_hidden = create_rw_signal(true);
-    let delete_modal_hidden = create_rw_signal(true);
+fn MachineTypeItem(
+    machine_type: MachineType,
+    update_counter: RwSignal<i32, LocalStorage>,
+) -> impl IntoView {
+    let update_machine_type_modal_open = RwSignal::new(false);
+    let delete_modal_open = RwSignal::new(false);
     let delete_action = {
         let id = machine_type.id;
-        create_action(move |_| async move {
-            delete_machine_type(id, update_counter, delete_modal_hidden).await
+        Action::new_local(move |_| async move {
+            delete_machine_type(id, update_counter, delete_modal_open).await
         })
     };
     view! {
@@ -1036,28 +1060,30 @@ fn MachineTypeItem(machine_type: MachineType, update_counter: RwSignal<i32>) ->
                     <p><span class="text-gray-500 mr-1">{"Disk:"}</span>{format!("{}GB", machine_type.disk)}</p>
                 </div>
                 <div class="w-1/6">
-                    <MachineTypeControl delete_modal_hidden update_machine_type_modal_hidden align_right=true />
+                    <MachineTypeControl delete_modal_open update_machine_type_modal_open align_right=true />
                 </div>
             </div>
         </div>
-        <DeletionModal resource=machine_type.name.clone() modal_hidden=delete_modal_hidden delete_action />
-        <UpdateMachineTypeModal machine_type=machine_type.clone() update_machine_type_modal_hidden update_counter />
+        <DeleteModal
+        resource=machine_type.name.clone()
+        open=delete_modal_open delete_action />
+        <UpdateMachineTypeModal machine_type=machine_type.clone() update_machine_type_modal_open update_counter />
     }
 }
 
 #[component]
 pub fn NewMachineTypeView(
-    new_machine_type_modal_hidden: RwSignal<bool>,
-    update_counter: RwSignal<i32>,
+    new_machine_type_modal_open: RwSignal<bool>,
+    update_counter: RwSignal<i32, LocalStorage>,
 ) -> impl IntoView {
-    let name = create_rw_signal(String::new());
-    let cpu = create_rw_signal(String::new());
-    let memory = create_rw_signal(String::new());
-    let disk = create_rw_signal(String::new());
-    let cost = create_rw_signal("0".to_string());
-    let shared_cpu = create_rw_signal(false);
-    let cluster_info = expect_context::<Signal<Option<ClusterInfo>>>();
-    let action = create_action(move |_| {
+    let name = RwSignal::new_local(String::new());
+    let cpu = RwSignal::new_local(String::new());
+    let memory = RwSignal::new_local(String::new());
+    let disk = RwSignal::new_local(String::new());
+    let cost = RwSignal::new_local("0".to_string());
+    let shared_cpu = RwSignal::new_local(false);
+    let cluster_info = get_cluster_info();
+    let action = Action::new_local(move |_| {
         create_machine_type(
             name.get_untracked(),
             cpu.get_untracked(),
@@ -1066,78 +1092,86 @@ pub fn NewMachineTypeView(
             disk.get_untracked(),
             cost.get_untracked(),
             update_counter,
-            new_machine_type_modal_hidden,
+            new_machine_type_modal_open,
         )
     });
-    let body = view! {
-        <CreationInput label="Name".to_string() value=name placeholder="name of the machine type".to_string() />
-        <div
-            class="flex items-start mb-6"
-            class:hidden=move || !cluster_info.with(|i| i.as_ref().map(|i| i.has_enterprise)).unwrap_or(false)
+    view! {
+        <Modal
+            title="Create New Machine Type"
+            open=new_machine_type_modal_open
+            action
         >
-            <div class="flex items-center h-5">
-            <input
-                type="checkbox"
-                value=""
-                class="w-4 h-4 border border-gray-300 rounded bg-gray-50 focus:ring-3 focus:ring-blue-300"
-                prop:checked=move || shared_cpu.get()
-                on:change=move |e| shared_cpu.set(event_target_checked(&e))
-            />
+            <CreationInput label="Name".to_string() value=name placeholder="name of the machine type".to_string() />
+            <div
+                class="flex items-start mb-6"
+                class:hidden=move || !cluster_info.with(|i| i.as_ref().map(|i| i.has_enterprise)).unwrap_or(false)
+            >
+                <div class="flex items-center h-5">
+                <input
+                    type="checkbox"
+                    value=""
+                    class="w-4 h-4 border border-gray-300 rounded bg-gray-50 focus:ring-3 focus:ring-blue-300"
+                    prop:checked=move || shared_cpu.get()
+                    on:change=move |e| shared_cpu.set(event_target_checked(&e))
+                />
+                </div>
+                <label for="remember" class="ml-2 text-sm font-medium text-gray-900">Shared cpu cores</label>
             </div>
-            <label for="remember" class="ml-2 text-sm font-medium text-gray-900">Shared cpu cores</label>
-        </div>
-        <CreationInput label="CPU Cores".to_string() value=cpu placeholder="number of CPU cores".to_string() />
-        <CreationInput label="Memory (GB)".to_string() value=memory placeholder="memory in GB".to_string() />
-        <CreationInput label="Disk (GB)".to_string() value=disk placeholder="disk in GB".to_string() />
-        <div
-            class:hidden=move || !cluster_info.with(|i| i.as_ref().map(|i| i.has_enterprise)).unwrap_or(false)
-        >
-            <CreationInput label="Cost per second".to_string() value=cost placeholder="cost per second of the machine type".to_string() />
-        </div>
-    };
-    view! {
-        <CreationModal title="Create New Machine Type".to_string() modal_hidden=new_machine_type_modal_hidden action body update_text=Some("Create".to_string()) updating_text=Some("Creating".to_string())  width_class=None create_button_hidden=Box::new(|| false) />
+            <CreationInput label="CPU Cores".to_string() value=cpu placeholder="number of CPU cores".to_string() />
+            <CreationInput label="Memory (GB)".to_string() value=memory placeholder="memory in GB".to_string() />
+            <CreationInput label="Disk (GB)".to_string() value=disk placeholder="disk in GB".to_string() />
+            <div
+                class:hidden=move || !cluster_info.with(|i| i.as_ref().map(|i| i.has_enterprise)).unwrap_or(false)
+            >
+                <CreationInput label="Cost per second".to_string() value=cost placeholder="cost per second of the machine type".to_string() />
+            </div>
+        </Modal>
     }
 }
 
 #[component]
 pub fn UpdateMachineTypeModal(
     machine_type: MachineType,
-    update_machine_type_modal_hidden: RwSignal<bool>,
-    update_counter: RwSignal<i32>,
+    update_machine_type_modal_open: RwSignal<bool>,
+    update_counter: RwSignal<i32, LocalStorage>,
 ) -> impl IntoView {
-    let name = create_rw_signal(machine_type.name.clone());
-    let cost = create_rw_signal(machine_type.cost_per_second.to_string());
-    let cluster_info = expect_context::<Signal<Option<ClusterInfo>>>();
-    let action = create_action(move |_| {
+    let name = RwSignal::new_local(machine_type.name.clone());
+    let cost = RwSignal::new_local(machine_type.cost_per_second.to_string());
+    let cluster_info = get_cluster_info();
+    let action = Action::new_local(move |_| {
         update_machine_type(
             machine_type.id,
             name.get_untracked(),
             cost.get_untracked(),
             update_counter,
-            update_machine_type_modal_hidden,
+            update_machine_type_modal_open,
         )
     });
-    let body = view! {
-        <CreationInput label="Name".to_string() value=name placeholder="name of the machine type".to_string() />
-        <div
-            class:hidden=move || !cluster_info.with(|i| i.as_ref().map(|i| i.has_enterprise)).unwrap_or(false)
-        >
-            <CreationInput label="Cost per second".to_string() value=cost placeholder="cost per second of the machine type".to_string() />
-        </div>
-    };
     view! {
-        <CreationModal title="Update Workspace Host".to_string() modal_hidden=update_machine_type_modal_hidden action body update_text=None updating_text=None  width_class=None create_button_hidden=Box::new(|| false) />
+        <Modal
+            title="Update Workspace Host"
+            open=update_machine_type_modal_open
+            action
+            action_text="Update"
+            action_progress_text="Updating"
+        >
+            <CreationInput label="Name".to_string() value=name placeholder="name of the machine type".to_string() />
+            <div
+                class:hidden=move || !cluster_info.with(|i| i.as_ref().map(|i| i.has_enterprise)).unwrap_or(false)
+            >
+                <CreationInput label="Cost per second".to_string() value=cost placeholder="cost per second of the machine type".to_string() />
+            </div>
+        </Modal>
     }
 }
 
 #[component]
 fn MachineTypeControl(
-    delete_modal_hidden: RwSignal<bool>,
-    update_machine_type_modal_hidden: RwSignal<bool>,
+    delete_modal_open: RwSignal<bool>,
+    update_machine_type_modal_open: RwSignal<bool>,
     align_right: bool,
 ) -> impl IntoView {
-    let dropdown_hidden = create_rw_signal(true);
+    let dropdown_hidden = RwSignal::new_local(true);
 
     let toggle_dropdown = move |_| {
         if dropdown_hidden.get_untracked() {
@@ -1172,7 +1206,7 @@ fn MachineTypeControl(
     let delete_workspace_host = {
         move |_| {
             dropdown_hidden.set(true);
-            delete_modal_hidden.set(false);
+            delete_modal_open.set(true);
         }
     };
 
@@ -1202,7 +1236,7 @@ fn MachineTypeControl(
                             class="block px-4 py-2 hover:bg-gray-100"
                             on:click=move |_| {
                                 dropdown_hidden.set(true);
-                                update_machine_type_modal_hidden.set(false);
+                                update_machine_type_modal_open.set(true);
                             }
                         >
                             Update
@@ -1231,8 +1265,8 @@ async fn create_machine_type(
     memory: String,
     disk: String,
     cost: String,
-    update_counter: RwSignal<i32>,
-    new_workspace_host_modal_hidden: RwSignal<bool>,
+    update_counter: RwSignal<i32, LocalStorage>,
+    new_workspace_host_modal_open: RwSignal<bool>,
 ) -> Result<(), ErrorResponse> {
     let cpu: usize = match cpu.parse() {
         Ok(n) => n,
@@ -1287,7 +1321,7 @@ async fn create_machine_type(
         return Err(error);
     }
     update_counter.update(|c| *c += 1);
-    new_workspace_host_modal_hidden.set(true);
+    new_workspace_host_modal_open.set(false);
     Ok(())
 }
 
@@ -1295,8 +1329,8 @@ async fn update_machine_type(
     id: Uuid,
     name: String,
     cost: String,
-    update_counter: RwSignal<i32>,
-    update_workspace_host_modal_hidden: RwSignal<bool>,
+    update_counter: RwSignal<i32, LocalStorage>,
+    update_workspace_host_modal_open: RwSignal<bool>,
 ) -> Result<(), ErrorResponse> {
     let cost: usize = match cost.parse() {
         Ok(n) => n,
@@ -1324,14 +1358,14 @@ async fn update_machine_type(
         return Err(error);
     }
     update_counter.update(|c| *c += 1);
-    update_workspace_host_modal_hidden.set(true);
+    update_workspace_host_modal_open.set(false);
     Ok(())
 }
 
 async fn delete_machine_type(
     id: Uuid,
-    update_counter: RwSignal<i32>,
-    delete_modal_hidden: RwSignal<bool>,
+    update_counter: RwSignal<i32, LocalStorage>,
+    delete_modal_open: RwSignal<bool>,
 ) -> Result<(), ErrorResponse> {
     let resp = Request::delete(&format!("/api/v1/admin/machine_types/{id}"))
         .send()
@@ -1346,7 +1380,7 @@ async fn delete_machine_type(
         return Err(error);
     }
     update_counter.update(|c| *c += 1);
-    delete_modal_hidden.set(true);
+    delete_modal_open.set(false);
     Ok(())
 }
 
@@ -1389,7 +1423,7 @@ async fn update_cluster_user(
     id: Uuid,
     cluster_admin: bool,
     search_action: Action<(), Result<ClusterUserResult, ErrorResponse>>,
-    update_modal_hidden: RwSignal<bool>,
+    update_modal_open: RwSignal<bool>,
 ) -> Result<(), ErrorResponse> {
     let resp = Request::put(&format!("/api/v1/admin/users/{id}"))
         .json(&UpdateClusterUser { cluster_admin })?
@@ -1405,18 +1439,18 @@ async fn update_cluster_user(
         return Err(error);
     }
     search_action.dispatch(());
-    update_modal_hidden.set(true);
+    update_modal_open.set(false);
     Ok(())
 }
 
 #[component]
 pub fn ClusterUsersView() -> impl IntoView {
-    let page_size = create_rw_signal(String::new());
-    let page = create_rw_signal(0);
+    let page_size = RwSignal::new_local(String::new());
+    let page = RwSignal::new_local(0);
 
-    let error = create_rw_signal(None);
-    let user_filter = create_rw_signal(String::new());
-    let search_action = create_action(move |_| async move {
+    let error = RwSignal::new_local(None);
+    let user_filter = RwSignal::new_local(String::new());
+    let search_action = Action::new_local(move |_| async move {
         error.set(None);
         let result = get_cluster_users(
             user_filter.get_untracked(),
@@ -1497,7 +1531,7 @@ pub fn ClusterUsersView() -> impl IntoView {
                 <button
                     type="button"
                     class="px-4 py-2 text-sm font-medium text-white rounded-lg bg-blue-700 hover:bg-blue-800 focus:ring-4 focus:ring-blue-300 focus:outline-none"
-                    on:click=move |_| search_action.dispatch(())
+                    on:click=move |_| { search_action.dispatch(()); }
                 >
                     Search User
                 </button>
@@ -1509,9 +1543,9 @@ pub fn ClusterUsersView() -> impl IntoView {
                 <div class="my-4 p-4 rounded-lg bg-red-50">
                     <span class="text-sm font-medium text-red-800">{ error }</span>
                 </div>
-            }.into_view()
+            }.into_any()
         } else {
-            view!{}.into_view()
+            ().into_any()
         }}
 
         <div class="mt-4 flex flex-row items-center justify-between">
@@ -1537,7 +1571,7 @@ pub fn ClusterUsersView() -> impl IntoView {
                     <option>200</option>
                 </select>
 
-                <span class="ml-2 p-2 rounded"
+                <button class="ml-2 p-2 rounded"
                     class=("text-gray-300", move || users.with(|a| a.page == 0))
                     class=("cursor-pointer", move || !users.with(|a| a.page == 0))
                     class=("hover:bg-gray-100", move || !users.with(|a| a.page == 0))
@@ -1547,7 +1581,7 @@ pub fn ClusterUsersView() -> impl IntoView {
                     <svg class="w-5 h-5" aria-hidden="true" fill="currentColor" viewBox="0 0 20 20" xmlns="http://www.w3.org/2000/svg">
                         <path fill-rule="evenodd" d="M12.707 5.293a1 1 0 010 1.414L9.414 10l3.293 3.293a1 1 0 01-1.414 1.414l-4-4a1 1 0 010-1.414l4-4a1 1 0 011.414 0z" clip-rule="evenodd"></path>
                     </svg>
-                </span>
+                </button>
                 <span class="p-2 rounded"
                     class=("text-gray-300", move || users.with(|a| a.page + 1 >= a.num_pages))
                     class=("cursor-pointer", move || !users.with(|a| a.page + 1 >= a.num_pages))
@@ -1595,38 +1629,15 @@ fn ClusterUserItemView(
     search_action: Action<(), Result<ClusterUserResult, ErrorResponse>>,
 ) -> impl IntoView {
     let user_id = user.id;
-    let update_modal_hidden = create_rw_signal(true);
-    let is_cluster_admin = create_rw_signal(user.cluster_admin);
+    let update_modal_open = RwSignal::new(false);
+    let is_cluster_admin = RwSignal::new_local(user.cluster_admin);
 
-    let update_modal_body = view! {
-        <div
-            class="flex items-start"
-        >
-            <div class="flex items-center h-5">
-            <input
-                id={user_id.to_string()}
-                type="checkbox"
-                value=""
-                class="w-4 h-4 border border-gray-300 rounded bg-gray-50 focus:ring-3 focus:ring-blue-300"
-                prop:checked=move || is_cluster_admin.get()
-                on:change=move |e| is_cluster_admin.set(event_target_checked(&e))
-            />
-            </div>
-            <label
-                for={move || user_id.to_string()}
-                class="ml-2 text-sm font-medium text-gray-900"
-            >
-                Is Cluster Admin
-            </label>
-        </div>
-    };
-
-    let update_action = create_action(move |()| async move {
+    let update_action = Action::new_local(move |()| async move {
         update_cluster_user(
             user_id,
             is_cluster_admin.get_untracked(),
             search_action,
-            update_modal_hidden,
+            update_modal_open,
         )
         .await
     });
@@ -1636,17 +1647,17 @@ fn ClusterUserItemView(
             <svg class="w-4 h-4 me-2" aria-hidden="true" xmlns="http://www.w3.org/2000/svg" fill="currentColor" viewBox="0 0 20 20">
                 <path fill-rule="evenodd" d="M10 .333A9.911 9.911 0 0 0 6.866 19.65c.5.092.678-.215.678-.477 0-.237-.01-1.017-.014-1.845-2.757.6-3.338-1.169-3.338-1.169a2.627 2.627 0 0 0-1.1-1.451c-.9-.615.07-.6.07-.6a2.084 2.084 0 0 1 1.518 1.021 2.11 2.11 0 0 0 2.884.823c.044-.503.268-.973.63-1.325-2.2-.25-4.516-1.1-4.516-4.9A3.832 3.832 0 0 1 4.7 7.068a3.56 3.56 0 0 1 .095-2.623s.832-.266 2.726 1.016a9.409 9.409 0 0 1 4.962 0c1.89-1.282 2.717-1.016 2.717-1.016.366.83.402 1.768.1 2.623a3.827 3.827 0 0 1 1.02 2.659c0 3.807-2.319 4.644-4.525 4.889a2.366 2.366 0 0 1 .673 1.834c0 1.326-.012 2.394-.012 2.72 0 .263.18.572.681.475A9.911 9.911 0 0 0 10 .333Z" clip-rule="evenodd"/>
             </svg>
-        },
+        }.into_any(),
         AuthProvider::Gitlab => view! {
             <svg class="w-4 h-4 me-2" viewBox="0 0 25 24" xmlns="http://www.w3.org/2000/svg"><path d="M24.507 9.5l-.034-.09L21.082.562a.896.896 0 00-1.694.091l-2.29 7.01H7.825L5.535.653a.898.898 0 00-1.694-.09L.451 9.411.416 9.5a6.297 6.297 0 002.09 7.278l.012.01.03.022 5.16 3.867 2.56 1.935 1.554 1.176a1.051 1.051 0 001.268 0l1.555-1.176 2.56-1.935 5.197-3.89.014-.01A6.297 6.297 0 0024.507 9.5z" fill="#E24329"/><path d="M24.507 9.5l-.034-.09a11.44 11.44 0 00-4.56 2.051l-7.447 5.632 4.742 3.584 5.197-3.89.014-.01A6.297 6.297 0 0024.507 9.5z" fill="#FC6D26"/><path d="M7.707 20.677l2.56 1.935 1.555 1.176a1.051 1.051 0 001.268 0l1.555-1.176 2.56-1.935-4.743-3.584-4.755 3.584z" fill="#FCA326"/><path d="M5.01 11.461a11.43 11.43 0 00-4.56-2.05L.416 9.5a6.297 6.297 0 002.09 7.278l.012.01.03.022 5.16 3.867 4.745-3.584-7.444-5.632z" fill="#FC6D26"/></svg>
-        },
+        }.into_any(),
     };
     view! {
         <tr
             class="w-full bg-white"
             class=("border-t", move || i > 0)
         >
-            <td scope="row" class="px-4 py-2">
+            <td class="px-4 py-2">
                 <div class="flex flex-row items-center">
                     {icon}
                     <p>{user.auth_provider.to_string()}</p>
@@ -1674,12 +1685,39 @@ fn ClusterUserItemView(
             <td class="px-4 py-2">
                 <button
                     class="px-4 py-2 text-sm font-medium text-white rounded-lg bg-green-700 hover:bg-green-800 focus:ring-4 focus:ring-green-300 focus:outline-none"
-                    on:click=move |_| update_modal_hidden.set(false)
+                    on:click=move |_| update_modal_open.set(true)
                 >
                     Update
                 </button>
             </td>
         </tr>
-        <CreationModal title=format!("Update Cluster User") modal_hidden=update_modal_hidden action=update_action body=update_modal_body update_text=None updating_text=None  width_class=None create_button_hidden=Box::new(|| false) />
+        <Modal
+            title="Update Cluster User"
+            open=update_modal_open
+            action=update_action
+            action_text="Update"
+            action_progress_text="Updating"
+        >
+            <div
+                class="flex items-start"
+            >
+                <div class="flex items-center h-5">
+                <input
+                    id={user_id.to_string()}
+                    type="checkbox"
+                    value=""
+                    class="w-4 h-4 border border-gray-300 rounded bg-gray-50 focus:ring-3 focus:ring-blue-300"
+                    prop:checked=move || is_cluster_admin.get()
+                    on:change=move |e| is_cluster_admin.set(event_target_checked(&e))
+                />
+                </div>
+                <label
+                    for={move || user_id.to_string()}
+                    class="ml-2 text-sm font-medium text-gray-900"
+                >
+                    Is Cluster Admin
+                </label>
+            </div>
+        </Modal>
     }
 }
diff --git a/crates/dashboard/src/component/alert.rs b/crates/dashboard/src/component/alert.rs
new file mode 100644
index 0000000..fc9d1d4
--- /dev/null
+++ b/crates/dashboard/src/component/alert.rs
@@ -0,0 +1,81 @@
+use leptos::prelude::*;
+use tailwind_fuse::*;
+
+#[derive(PartialEq, TwVariant)]
+pub enum AlertVariant {
+    #[tw(default, class = "bg-card text-card-foreground")]
+    Default,
+    #[tw(
+        class = "text-destructive bg-card [&>svg]:text-current *:data-[slot=alert-description]:text-destructive/90"
+    )]
+    Destructive,
+}
+
+#[component]
+pub fn Alert(
+    #[prop(into, optional)] variant: Signal<AlertVariant>,
+    #[prop(into, optional)] class: MaybeProp<String>,
+    #[prop(optional)] children: Option<Children>,
+) -> impl IntoView {
+    let children = children
+        .map(|c| c().into_any())
+        .unwrap_or_else(|| ().into_any());
+
+    view! {
+        <div
+            class=move || tw_merge!(
+                "relative w-full rounded-lg border px-4 py-3 text-sm grid has-[>svg]:grid-cols-[calc(var(--spacing)*4)_1fr] grid-cols-[0_1fr] has-[>svg]:gap-x-3 gap-y-0.5 items-start [&>svg]:size-4 [&>svg]:translate-y-0.5 [&>svg]:text-current",
+                variant.get(),
+                class.get()
+            )
+            data-slot="alert"
+            role="alert"
+        >
+            {children}
+        </div>
+    }
+}
+
+#[component]
+pub fn AlertTitle(
+    #[prop(into, optional)] class: MaybeProp<String>,
+    #[prop(optional)] children: Option<Children>,
+) -> impl IntoView {
+    let children = children
+        .map(|c| c().into_any())
+        .unwrap_or_else(|| ().into_any());
+
+    view! {
+        <div
+            class=move || tw_merge!(
+                "col-start-2 line-clamp-1 min-h-4 font-medium tracking-tight",
+                class.get()
+            )
+            data-slot="alert-title"
+        >
+            {children}
+        </div>
+    }
+}
+
+#[component]
+pub fn AlertDescription(
+    #[prop(into, optional)] class: MaybeProp<String>,
+    #[prop(optional)] children: Option<Children>,
+) -> impl IntoView {
+    let children = children
+        .map(|c| c().into_any())
+        .unwrap_or_else(|| ().into_any());
+
+    view! {
+        <div
+            class=move || tw_merge!(
+                "text-muted-foreground col-start-2 grid justify-items-start gap-1 text-sm [&_p]:leading-relaxed",
+                class.get()
+            )
+            data-slot="alert-description"
+        >
+            {children}
+        </div>
+    }
+}
diff --git a/crates/dashboard/src/component/alert_dialog.rs b/crates/dashboard/src/component/alert_dialog.rs
new file mode 100644
index 0000000..56d6393
--- /dev/null
+++ b/crates/dashboard/src/component/alert_dialog.rs
@@ -0,0 +1,172 @@
+use leptos::prelude::*;
+use tailwind_fuse::*;
+
+#[component]
+pub fn AlertDialogTrigger(
+    #[prop()] open: RwSignal<bool>,
+    #[prop(optional)] children: Option<Children>,
+) -> impl IntoView {
+    let children = children
+        .map(|c| c().into_any())
+        .unwrap_or_else(|| ().into_any());
+
+    view! {
+        <div
+            data-slot="alert-dialog-trigger"
+            on:click=move |_| {
+                open.update(|open| {
+                    *open = !*open;
+                });
+            }
+        >
+            {children}
+        </div>
+    }
+}
+
+#[component]
+pub fn AlertDialogContent(
+    #[prop()] open: RwSignal<bool>,
+    #[prop(into, optional)] class: MaybeProp<String>,
+    #[prop(optional)] children: Option<ChildrenFn>,
+) -> impl IntoView {
+    let hide_delay = std::time::Duration::from_millis(100);
+    let handle: StoredValue<Option<TimeoutHandle>> = StoredValue::new(None);
+    let show = RwSignal::new(open.get_untracked());
+
+    let eff = RenderEffect::new(move |_| {
+        if open.get() {
+            // clear any possibly active timer
+            if let Some(h) = handle.get_value() {
+                h.clear();
+            }
+
+            show.set(true);
+        } else {
+            let h = leptos::leptos_dom::helpers::set_timeout_with_handle(
+                move || show.set(false),
+                hide_delay,
+            )
+            .expect("set timeout in AnimatedShow");
+            handle.set_value(Some(h));
+        }
+    });
+
+    on_cleanup(move || {
+        if let Some(Some(h)) = handle.try_get_value() {
+            h.clear();
+        }
+        drop(eff);
+    });
+
+    view! {
+        <Show when=move || show.get() fallback=|| ()>
+            <div
+                class="data-[state=open]:animate-in data-[state=closed]:animate-out data-[state=closed]:fade-out-0 data-[state=open]:fade-in-0 fixed inset-0 z-50 bg-black/50"
+                data-slot="alert-dialog-overlay"
+                data-state=move || { if open.get() { "open" } else { "closed" } }
+                on:pointerdown=move |_| open.set(false)
+            ></div>
+            <div
+                class=move || {
+                    tw_merge!(
+                        "bg-background data-[state=open]:animate-in data-[state=closed]:animate-out data-[state=closed]:fade-out-0 data-[state=open]:fade-in-0 data-[state=closed]:zoom-out-95 data-[state=open]:zoom-in-95 fixed top-[50%] left-[50%] z-50 grid w-full max-w-[calc(100%-2rem)] translate-x-[-50%] translate-y-[-50%] gap-4 rounded-lg border p-6 shadow-lg duration-200 sm:max-w-lg",
+                        class.get()
+                    )
+                }
+                data-state=move || { if open.get() { "open" } else { "closed" } }
+                data-slot="alert-dialog-content"
+            >
+                {children.clone().map(|c| c().into_any()).unwrap_or_else(|| ().into_any())}
+            </div>
+        </Show>
+    }
+}
+
+#[component]
+pub fn AlertDialogHeader(
+    #[prop(into, optional)] class: MaybeProp<String>,
+    #[prop(optional)] children: Option<Children>,
+) -> impl IntoView {
+    let children = children
+        .map(|c| c().into_any())
+        .unwrap_or_else(|| ().into_any());
+
+    view! {
+        <div
+            class=move || tw_merge!(
+                "flex flex-col gap-2 text-center sm:text-left",
+                class.get()
+            )
+            data-slot="alert-dialog-header"
+        >
+            {children}
+        </div>
+    }
+}
+
+#[component]
+pub fn AlertDialogFooter(
+    #[prop(into, optional)] class: MaybeProp<String>,
+    #[prop(optional)] children: Option<Children>,
+) -> impl IntoView {
+    let children = children
+        .map(|c| c().into_any())
+        .unwrap_or_else(|| ().into_any());
+
+    view! {
+        <div
+            class=move || tw_merge!(
+                "flex flex-col-reverse gap-2 sm:flex-row sm:justify-end",
+                class.get()
+            )
+            data-slot="alert-dialog-footer"
+        >
+            {children}
+        </div>
+    }
+}
+
+#[component]
+pub fn AlertDialogTitle(
+    #[prop(into, optional)] class: MaybeProp<String>,
+    #[prop(optional)] children: Option<Children>,
+) -> impl IntoView {
+    let children = children
+        .map(|c| c().into_any())
+        .unwrap_or_else(|| ().into_any());
+
+    view! {
+        <span
+            class=move || tw_merge!(
+                "text-lg font-semibold",
+                class.get()
+            )
+            data-slot="alert-dialog-title"
+        >
+            {children}
+        </span>
+    }
+}
+
+#[component]
+pub fn AlertDialogDescription(
+    #[prop(into, optional)] class: MaybeProp<String>,
+    #[prop(optional)] children: Option<Children>,
+) -> impl IntoView {
+    let children = children
+        .map(|c| c().into_any())
+        .unwrap_or_else(|| ().into_any());
+
+    view! {
+        <span
+            class=move || tw_merge!(
+                "text-muted-foreground text-sm",
+                class.get()
+            )
+            data-slot="alert-dialog-description"
+        >
+            {children}
+        </span>
+    }
+}
diff --git a/crates/dashboard/src/component/avatar.rs b/crates/dashboard/src/component/avatar.rs
new file mode 100644
index 0000000..22170ad
--- /dev/null
+++ b/crates/dashboard/src/component/avatar.rs
@@ -0,0 +1,41 @@
+use leptos::prelude::*;
+use tailwind_fuse::*;
+
+#[component]
+pub fn Avatar(
+    #[prop(into, optional)] class: MaybeProp<String>,
+    #[prop(optional)] children: Option<Children>,
+) -> impl IntoView {
+    let children = children
+        .map(|c| c().into_any())
+        .unwrap_or_else(|| ().into_any());
+
+    view! {
+        <span
+            class=move || tw_merge!(
+                "relative flex size-8 shrink-0 overflow-hidden rounded-full",
+                class.get()
+            )
+            data-slot="avatar"
+        >
+            {children}
+        </span>
+    }
+}
+
+#[component]
+pub fn AvatarImage(
+    #[prop(into, optional)] class: MaybeProp<String>,
+    #[prop(into, optional)] src: MaybeProp<String>,
+) -> impl IntoView {
+    view! {
+        <img
+            class=move || tw_merge!(
+                "aspect-square size-full",
+                class.get()
+            )
+            src=move || src.get().unwrap_or_default()
+            data-slot="avatar-image"
+        />
+    }
+}
diff --git a/crates/dashboard/src/component/badge.rs b/crates/dashboard/src/component/badge.rs
new file mode 100644
index 0000000..5f2a4be
--- /dev/null
+++ b/crates/dashboard/src/component/badge.rs
@@ -0,0 +1,44 @@
+use leptos::prelude::*;
+use tailwind_fuse::*;
+
+#[derive(PartialEq, TwVariant)]
+pub enum BadgeVariant {
+    #[tw(
+        default,
+        class = "border-transparent bg-primary text-primary-foreground [a&]:hover:bg-primary/90"
+    )]
+    Default,
+    #[tw(
+        class = "border-transparent bg-secondary text-secondary-foreground [a&]:hover:bg-secondary/90"
+    )]
+    Secondary,
+    #[tw(
+        class = "border-transparent bg-destructive text-white [a&]:hover:bg-destructive/90 focus-visible:ring-destructive/20 dark:focus-visible:ring-destructive/40 dark:bg-destructive/60"
+    )]
+    Destructive,
+    #[tw(class = "text-foreground [a&]:hover:bg-accent [a&]:hover:text-accent-foreground")]
+    Outline,
+}
+
+#[component]
+pub fn Badge(
+    #[prop(into, optional)] variant: Signal<BadgeVariant>,
+    #[prop(into, optional)] class: MaybeProp<String>,
+    #[prop(optional)] children: Option<Children>,
+) -> impl IntoView {
+    let children = children
+        .map(|c| c().into_any())
+        .unwrap_or_else(|| ().into_any());
+    view! {
+        <span
+            class=move || tw_merge!(
+                "inline-flex items-center justify-center rounded-md border px-2 py-0.5 text-xs font-medium w-fit whitespace-nowrap shrink-0 [&>svg]:size-3 gap-1 [&>svg]:pointer-events-none focus-visible:border-ring focus-visible:ring-ring/50 focus-visible:ring-[3px] aria-invalid:ring-destructive/20 dark:aria-invalid:ring-destructive/40 aria-invalid:border-destructive transition-[color,box-shadow] overflow-hidden",
+                variant.get(),
+                class.get()
+            )
+            data-slot="badge"
+        >
+            {children}
+        </span>
+    }
+}
diff --git a/crates/dashboard/src/component/breadcrumb.rs b/crates/dashboard/src/component/breadcrumb.rs
new file mode 100644
index 0000000..513e719
--- /dev/null
+++ b/crates/dashboard/src/component/breadcrumb.rs
@@ -0,0 +1,136 @@
+use leptos::prelude::*;
+use lucide_leptos::ChevronRight;
+use tailwind_fuse::*;
+
+#[component]
+pub fn Breadcrumb(#[prop(optional)] children: Option<Children>) -> impl IntoView {
+    let children = children
+        .map(|c| c().into_any())
+        .unwrap_or_else(|| ().into_any());
+
+    view! {
+        <nav
+            aria-label="breadcrumb"
+            data-slot="breadcrumb"
+        >
+            {children}
+        </nav>
+    }
+}
+
+#[component]
+pub fn BreadcrumbList(
+    #[prop(into, optional)] class: MaybeProp<String>,
+    #[prop(optional)] children: Option<Children>,
+) -> impl IntoView {
+    let children = children
+        .map(|c| c().into_any())
+        .unwrap_or_else(|| ().into_any());
+
+    view! {
+        <ol
+            class=move || tw_merge!(
+                "text-muted-foreground flex flex-wrap items-center gap-1.5 text-sm break-words sm:gap-2.5",
+                class.get()
+            )
+            data-slot="breadcrumb-list"
+        >
+            {children}
+        </ol>
+    }
+}
+
+#[component]
+pub fn BreadcrumbItem(
+    #[prop(into, optional)] class: MaybeProp<String>,
+    #[prop(optional)] children: Option<Children>,
+) -> impl IntoView {
+    let children = children
+        .map(|c| c().into_any())
+        .unwrap_or_else(|| ().into_any());
+
+    view! {
+        <li
+            class=move || tw_merge!(
+                "inline-flex items-center gap-1.5",
+                class.get()
+            )
+            data-slot="breadcrumb-item"
+        >
+            {children}
+        </li>
+    }
+}
+
+#[component]
+pub fn BreadcrumbPage(
+    #[prop(into, optional)] class: MaybeProp<String>,
+    #[prop(optional)] children: Option<Children>,
+) -> impl IntoView {
+    let children = children
+        .map(|c| c().into_any())
+        .unwrap_or_else(|| ().into_any());
+
+    view! {
+        <span
+            class=move || tw_merge!(
+                "text-foreground font-normal",
+                class.get()
+            )
+            data-slot="breadcrumb-page"
+            role="link"
+            aria-disabled="true"
+            aria-current="page"
+        >
+            {children}
+        </span>
+    }
+}
+
+#[component]
+pub fn BreadcrumbSeparator(
+    #[prop(into, optional)] class: MaybeProp<String>,
+    #[prop(optional)] children: Option<Children>,
+) -> impl IntoView {
+    let children = children
+        .map(|c| c().into_any())
+        .unwrap_or_else(|| view! { <ChevronRight /> }.into_any());
+
+    view! {
+        <span
+            class=move || tw_merge!(
+                "[&>svg]:size-3.5",
+                class.get()
+            )
+            data-slot="breadcrumb-separator"
+            role="presentation"
+            aria-hidden="true"
+        >
+            {children}
+        </span>
+    }
+}
+
+#[component]
+pub fn BreadcrumbLink(
+    #[prop(into, optional)] class: MaybeProp<String>,
+    #[prop(into, optional)] href: MaybeProp<String>,
+    #[prop(optional)] children: Option<Children>,
+) -> impl IntoView {
+    let children = children
+        .map(|c| c().into_any())
+        .unwrap_or_else(|| ().into_any());
+
+    view! {
+        <a
+            class=move || tw_merge!(
+                "hover:text-foreground transition-colors",
+                class.get()
+            )
+            href=move || href.get()
+            data-slot="breadcrumb-link"
+        >
+            {children}
+        </a>
+    }
+}
diff --git a/crates/dashboard/src/component/button.rs b/crates/dashboard/src/component/button.rs
new file mode 100644
index 0000000..9eaeab6
--- /dev/null
+++ b/crates/dashboard/src/component/button.rs
@@ -0,0 +1,186 @@
+use leptos::prelude::*;
+// use leptos::{ev::MouseEvent, prelude::*};
+// use leptos_node_ref::AnyNodeRef;
+// use leptos_struct_component::{struct_component, StructComponent};
+// use leptos_style::Style;
+use tailwind_fuse::*;
+
+#[derive(TwClass)]
+#[tw(
+    class = "inline-flex items-center justify-center gap-2 whitespace-nowrap rounded-md text-sm font-medium transition-all disabled:pointer-events-none disabled:opacity-50 [&_svg]:pointer-events-none [&_svg:not([class*='size-'])]:size-4 shrink-0 [&_svg]:shrink-0 outline-none focus-visible:border-ring focus-visible:ring-ring/50 focus-visible:ring-[3px] aria-invalid:ring-destructive/20 dark:aria-invalid:ring-destructive/40 aria-invalid:border-destructive"
+)]
+pub struct ButtonClass {
+    pub variant: ButtonVariant,
+    pub size: ButtonSize,
+}
+
+#[derive(PartialEq, TwVariant)]
+pub enum ButtonVariant {
+    #[tw(
+        default,
+        class = "bg-primary text-primary-foreground shadow-xs hover:bg-primary/90"
+    )]
+    Default,
+    #[tw(
+        class = "bg-destructive text-white shadow-xs hover:bg-destructive/90 focus-visible:ring-destructive/20 dark:focus-visible:ring-destructive/40 dark:bg-destructive/60"
+    )]
+    Destructive,
+    #[tw(
+        class = "border bg-background shadow-xs hover:bg-accent hover:text-accent-foreground dark:bg-input/30 dark:border-input dark:hover:bg-input/50"
+    )]
+    Outline,
+    #[tw(class = "bg-secondary text-secondary-foreground shadow-xs hover:bg-secondary/80")]
+    Secondary,
+    #[tw(class = "hover:bg-accent hover:text-accent-foreground dark:hover:bg-accent/50")]
+    Ghost,
+    #[tw(class = "text-primary underline-offset-4 hover:underline")]
+    Link,
+}
+
+#[derive(PartialEq, TwVariant)]
+pub enum ButtonSize {
+    #[tw(default, class = "h-9 px-4 py-2 has-[>svg]:px-3")]
+    Default,
+    #[tw(class = "h-8 rounded-md gap-1.5 px-3 has-[>svg]:px-2.5")]
+    Sm,
+    #[tw(class = "h-10 rounded-md px-6 has-[>svg]:px-4")]
+    Lg,
+    #[tw(class = "size-9")]
+    Icon,
+}
+
+// #[derive(Clone, StructComponent)]
+// #[struct_component(tag = "button")]
+// pub struct ButtonChildProps {
+//     pub node_ref: AnyNodeRef,
+
+//     // Global attributes
+//     pub autofocus: Signal<bool>,
+//     pub class: Signal<String>,
+//     pub id: MaybeProp<String>,
+//     pub style: Signal<Style>,
+
+//     // Attributes from `button`
+//     // pub command: MaybeProp<String>,
+//     // pub commandfor: MaybeProp<String>,
+//     pub disabled: Signal<bool>,
+//     pub form: MaybeProp<String>,
+//     pub formaction: MaybeProp<String>,
+//     pub formenctype: MaybeProp<String>,
+//     pub formmethod: MaybeProp<String>,
+//     pub formnovalidate: Signal<bool>,
+//     pub formtarget: MaybeProp<String>,
+//     pub name: MaybeProp<String>,
+//     // pub popovertarget: MaybeProp<String>,
+//     // pub popovertargetaction: MaybeProp<String>,
+//     pub r#type: MaybeProp<String>,
+//     pub value: MaybeProp<String>,
+
+//     // Event handler attributes
+//     pub onclick: Option<Callback<MouseEvent>>,
+// }
+
+// #[component]
+// pub fn OldButton(
+//     #[prop(into, optional)] variant: Signal<ButtonVariant>,
+//     #[prop(into, optional)] size: Signal<ButtonSize>,
+
+//     // Global attributes
+//     #[prop(into, optional)] autofocus: Signal<bool>,
+//     #[prop(into, optional)] class: MaybeProp<String>,
+//     #[prop(into, optional)] id: MaybeProp<String>,
+//     #[prop(into, optional)] style: Signal<Style>,
+
+//     // Attributes from `button`
+//     // #[prop(into, optional)] command: MaybeProp<String>,
+//     // #[prop(into, optional)] commandfor: MaybeProp<String>,
+//     #[prop(into, optional)] disabled: Signal<bool>,
+//     #[prop(into, optional)] form: MaybeProp<String>,
+//     #[prop(into, optional)] formaction: MaybeProp<String>,
+//     #[prop(into, optional)] formenctype: MaybeProp<String>,
+//     #[prop(into, optional)] formmethod: MaybeProp<String>,
+//     #[prop(into, optional)] formnovalidate: Signal<bool>,
+//     #[prop(into, optional)] formtarget: MaybeProp<String>,
+//     #[prop(into, optional)] name: MaybeProp<String>,
+//     // #[prop(into, optional)] popovertarget: MaybeProp<String>,
+//     // #[prop(into, optional)] popovertargetaction: MaybeProp<String>,
+//     #[prop(into, optional)] r#type: MaybeProp<String>,
+//     #[prop(into, optional)] value: MaybeProp<String>,
+
+//     // Event handler attributes
+//     #[prop(into, optional)] onclick: Option<Callback<MouseEvent>>,
+
+//     #[prop(into, optional)] node_ref: AnyNodeRef,
+//     #[prop(into, optional)] as_child: Option<Callback<ButtonChildProps, AnyView>>,
+//     #[prop(optional)] children: Option<Children>,
+// ) -> impl IntoView {
+//     let class = Memo::new(move |_| {
+//         ButtonClass {
+//             variant: variant.get(),
+//             size: size.get(),
+//         }
+//         .with_class(class.get().unwrap_or_default())
+//     });
+
+//     let child_props = ButtonChildProps {
+//         node_ref,
+
+//         // Global attributes
+//         autofocus,
+//         class: class.into(),
+//         id,
+//         style,
+
+//         // Attributes from `button`
+//         // command,
+//         // commandfor,
+//         disabled,
+//         form,
+//         formaction,
+//         formenctype,
+//         formmethod,
+//         formnovalidate,
+//         formtarget,
+//         name,
+//         // popovertarget,
+//         // popovertargetaction,
+//         r#type,
+//         value,
+
+//         // Event handler attributes
+//         onclick,
+//     };
+
+//     if let Some(as_child) = as_child.as_ref() {
+//         as_child.run(child_props)
+//     } else {
+//         child_props.render(children)
+//     }
+// }
+
+#[component]
+pub fn Button(
+    #[prop(into, optional)] variant: Signal<ButtonVariant>,
+    #[prop(into, optional)] size: Signal<ButtonSize>,
+    #[prop(into, optional)] class: MaybeProp<String>,
+    #[prop(into, optional)] disabled: MaybeProp<bool>,
+    #[prop(optional)] children: Option<Children>,
+) -> impl IntoView {
+    let class = Memo::new(move |_| {
+        tw_merge!(
+            ButtonClass {
+                variant: variant.get(),
+                size: size.get(),
+            }
+            .to_class(),
+            class.get()
+        )
+    });
+
+    view! {
+        <button
+            class={move || class.get()}
+            disabled=move || disabled.get().unwrap_or(false)
+        >{ children.map(|c| c().into_any()).unwrap_or_else(|| ().into_any()) }</button>
+    }
+}
diff --git a/crates/dashboard/src/component/card.rs b/crates/dashboard/src/component/card.rs
new file mode 100644
index 0000000..ee9996c
--- /dev/null
+++ b/crates/dashboard/src/component/card.rs
@@ -0,0 +1,104 @@
+use leptos::prelude::*;
+use tailwind_fuse::*;
+
+#[component]
+pub fn Card(
+    #[prop(into, optional)] class: MaybeProp<String>,
+    #[prop(optional)] children: Option<Children>,
+) -> impl IntoView {
+    let children = children
+        .map(|c| c().into_any())
+        .unwrap_or_else(|| ().into_any());
+    view! {
+        <div
+            class=move || tw_merge!("rounded-lg border bg-card text-card-foreground shadow-sm", class.get())
+        >
+            { children }
+        </div>
+    }
+}
+
+#[component]
+pub fn CardHeader(
+    #[prop(into, optional)] class: MaybeProp<String>,
+    #[prop(optional)] children: Option<Children>,
+) -> impl IntoView {
+    let children = children
+        .map(|c| c().into_any())
+        .unwrap_or_else(|| ().into_any());
+    view! {
+        <div
+            class=move || tw_merge!("flex flex-col space-y-1.5 p-6", class.get())
+        >
+            { children }
+        </div>
+    }
+}
+
+#[component]
+pub fn CardTitle(
+    #[prop(into, optional)] class: MaybeProp<String>,
+    #[prop(optional)] children: Option<Children>,
+) -> impl IntoView {
+    let children = children
+        .map(|c| c().into_any())
+        .unwrap_or_else(|| ().into_any());
+    view! {
+        <div
+            class=move || tw_merge!("text-2xl font-semibold leading-none tracking-tight", class.get())
+        >
+            { children }
+        </div>
+    }
+}
+
+#[component]
+pub fn CardDescription(
+    #[prop(into, optional)] class: MaybeProp<String>,
+    #[prop(optional)] children: Option<Children>,
+) -> impl IntoView {
+    let children = children
+        .map(|c| c().into_any())
+        .unwrap_or_else(|| ().into_any());
+    view! {
+        <div
+            class=move || tw_merge!("text-sm text-muted-foreground", class.get())
+        >
+            { children }
+        </div>
+    }
+}
+
+#[component]
+pub fn CardContent(
+    #[prop(into, optional)] class: MaybeProp<String>,
+    #[prop(optional)] children: Option<Children>,
+) -> impl IntoView {
+    let children = children
+        .map(|c| c().into_any())
+        .unwrap_or_else(|| ().into_any());
+    view! {
+        <div
+            class=move || tw_merge!("p-6 pt-0", class.get())
+        >
+            { children }
+        </div>
+    }
+}
+
+#[component]
+pub fn CardFooter(
+    #[prop(into, optional)] class: MaybeProp<String>,
+    #[prop(optional)] children: Option<Children>,
+) -> impl IntoView {
+    let children = children
+        .map(|c| c().into_any())
+        .unwrap_or_else(|| ().into_any());
+    view! {
+        <div
+            class=move || tw_merge!("flex items-center p-6 pt-0", class.get())
+        >
+            { children }
+        </div>
+    }
+}
diff --git a/crates/dashboard/src/component/checkbox.rs b/crates/dashboard/src/component/checkbox.rs
new file mode 100644
index 0000000..59d7219
--- /dev/null
+++ b/crates/dashboard/src/component/checkbox.rs
@@ -0,0 +1,16 @@
+use leptos::prelude::*;
+use tailwind_fuse::*;
+
+#[component]
+pub fn Checkbox(#[prop(into, optional)] class: MaybeProp<String>) -> impl IntoView {
+    view! {
+        <input
+            type="checkbox"
+            class=move || tw_merge!(
+                "peer border-input dark:bg-input/30 data-[state=checked]:bg-primary data-[state=checked]:text-primary-foreground dark:data-[state=checked]:bg-primary data-[state=checked]:border-primary focus-visible:border-ring focus-visible:ring-ring/50 aria-invalid:ring-destructive/20 dark:aria-invalid:ring-destructive/40 aria-invalid:border-destructive size-4 shrink-0 rounded-[4px] border shadow-xs transition-shadow outline-none focus-visible:ring-[3px] disabled:cursor-not-allowed disabled:opacity-50",
+                class.get(),
+            )
+            data-slot="checkbox"
+        />
+    }
+}
diff --git a/crates/dashboard/src/component/collapsible.rs b/crates/dashboard/src/component/collapsible.rs
new file mode 100644
index 0000000..ed6cc00
--- /dev/null
+++ b/crates/dashboard/src/component/collapsible.rs
@@ -0,0 +1,36 @@
+use leptos::prelude::*;
+
+#[component]
+pub fn CollapsibleTrigger(
+    #[prop()] open: RwSignal<bool>,
+    #[prop(optional)] children: Option<Children>,
+) -> impl IntoView {
+    let children = children
+        .map(|c| c().into_any())
+        .unwrap_or_else(|| ().into_any());
+
+    view! {
+        <div
+            data-slot="collapsible-trigger"
+            on:click=move |_| {
+                open.update(|open| {
+                    *open = !*open;
+                });
+            }
+        >
+            {children}
+        </div>
+    }
+}
+
+#[component]
+pub fn CollapsibleContent(
+    #[prop()] open: ReadSignal<bool>,
+    #[prop(optional)] children: Option<ChildrenFn>,
+) -> impl IntoView {
+    view! {
+        <Show when=move || open.get() fallback=|| ()>
+            {children.clone().map(|c| c().into_any()).unwrap_or_else(|| ().into_any())}
+        </Show>
+    }
+}
diff --git a/crates/dashboard/src/component/dialog.rs b/crates/dashboard/src/component/dialog.rs
new file mode 100644
index 0000000..bfcb665
--- /dev/null
+++ b/crates/dashboard/src/component/dialog.rs
@@ -0,0 +1,164 @@
+use leptos::prelude::*;
+use tailwind_fuse::*;
+
+#[component]
+pub fn DialogTrigger(
+    #[prop()] open: RwSignal<bool>,
+    #[prop(optional)] children: Option<Children>,
+) -> impl IntoView {
+    let children = children
+        .map(|c| c().into_any())
+        .unwrap_or_else(|| ().into_any());
+
+    view! {
+        <div
+            data-slot="dialog-trigger"
+            on:click=move |_| {
+                open.update(|open| {
+                    *open = !*open;
+                });
+            }
+        >
+            {children}
+        </div>
+    }
+}
+
+#[component]
+pub fn DialogContent(
+    #[prop()] open: RwSignal<bool>,
+    #[prop(into, optional)] class: MaybeProp<String>,
+    #[prop(optional)] children: Option<ChildrenFn>,
+) -> impl IntoView {
+    let hide_delay = std::time::Duration::from_millis(100);
+    let handle: StoredValue<Option<TimeoutHandle>> = StoredValue::new(None);
+    let show = RwSignal::new(open.get_untracked());
+
+    let eff = RenderEffect::new(move |_| {
+        if open.get() {
+            // clear any possibly active timer
+            if let Some(h) = handle.get_value() {
+                h.clear();
+            }
+
+            show.set(true);
+        } else {
+            let h = leptos::leptos_dom::helpers::set_timeout_with_handle(
+                move || show.set(false),
+                hide_delay,
+            )
+            .expect("set timeout in AnimatedShow");
+            handle.set_value(Some(h));
+        }
+    });
+
+    on_cleanup(move || {
+        if let Some(Some(h)) = handle.try_get_value() {
+            h.clear();
+        }
+        drop(eff);
+    });
+
+    view! {
+        <Show when=move || show.get() fallback=|| ()>
+            <div
+                class="fixed inset-0 z-50 overflow-y-auto flex items-center justify-center w-full h-full"
+            >
+                <div
+                    class="data-[state=open]:animate-in data-[state=closed]:animate-out data-[state=closed]:fade-out-0 data-[state=open]:fade-in-0 fixed inset-0 z-50 bg-black/50"
+                    data-slot="dialog-overlay"
+                    data-state=move || { if open.get() { "open" } else { "closed" } }
+                    on:pointerdown=move |_| open.set(false)
+                >
+                </div>
+                <div class="max-h-full p-4">
+                    <div
+                        class=move || {
+                            tw_merge!(
+                                "bg-background data-[state=open]:animate-in data-[state=closed]:animate-out data-[state=closed]:fade-out-0 data-[state=open]:fade-in-0 data-[state=closed]:zoom-out-95 data-[state=open]:zoom-in-95 z-50 flex flex-col w-full gap-4 rounded-lg border p-6 shadow-lg duration-200 sm:max-w-lg relative",
+                                class.get()
+                            )
+                        }
+                        data-state=move || { if open.get() { "open" } else { "closed" } }
+                        data-slot="dialog-content"
+                    >
+                        {children.clone().map(|c| c().into_any()).unwrap_or_else(|| ().into_any())}
+                        <button
+                            on:click=move |_| open.set(false)
+                            class="ring-offset-background focus:ring-ring data-[state=open]:bg-accent data-[state=open]:text-muted-foreground absolute top-4 right-4 rounded-xs opacity-70 transition-opacity hover:opacity-100 focus:ring-2 focus:ring-offset-2 focus:outline-hidden disabled:pointer-events-none [&_svg]:pointer-events-none [&_svg]:shrink-0 [&_svg:not([class*='size-'])]:size-4"
+                        >
+                            <lucide_leptos::X />
+                            <span class="sr-only">Close</span>
+                        </button>
+                    </div>
+                </div>
+            </div>
+        </Show>
+    }
+}
+
+#[component]
+pub fn DialogHeader(
+    #[prop(into, optional)] class: MaybeProp<String>,
+    #[prop(optional)] children: Option<Children>,
+) -> impl IntoView {
+    let children = children
+        .map(|c| c().into_any())
+        .unwrap_or_else(|| ().into_any());
+
+    view! {
+        <div
+            class=move || tw_merge!(
+                "flex flex-col gap-2 text-center sm:text-left",
+                class.get()
+            )
+            data-slot="dialog-header"
+        >
+            {children}
+        </div>
+    }
+}
+
+#[component]
+pub fn DialogTitle(
+    #[prop(into, optional)] class: MaybeProp<String>,
+    #[prop(optional)] children: Option<Children>,
+) -> impl IntoView {
+    let children = children
+        .map(|c| c().into_any())
+        .unwrap_or_else(|| ().into_any());
+
+    view! {
+        <span
+            class=move || tw_merge!(
+                "text-lg leading-none font-semibold",
+                class.get()
+            )
+            data-slot="dialog-title"
+        >
+            {children}
+        </span>
+    }
+}
+
+#[component]
+pub fn DialogFooter(
+    #[prop(into, optional)] class: MaybeProp<String>,
+    #[prop(optional)] children: Option<Children>,
+) -> impl IntoView {
+    let children = children
+        .map(|c| c().into_any())
+        .unwrap_or_else(|| ().into_any());
+
+    view! {
+        <div
+            class=move || tw_merge!(
+                "flex flex-col-reverse gap-2 sm:flex-row sm:justify-end",
+                class.get()
+            )
+            data-slot="dialog-footer"
+        >
+            {children}
+        </div>
+    }
+}
diff --git a/crates/dashboard/src/component/dropdown_menu.rs b/crates/dashboard/src/component/dropdown_menu.rs
new file mode 100644
index 0000000..df277fc
--- /dev/null
+++ b/crates/dashboard/src/component/dropdown_menu.rs
@@ -0,0 +1,273 @@
+use leptos::{context::Provider, prelude::*};
+use tailwind_fuse::*;
+
+#[derive(Clone)]
+struct DropdownContext {
+    position: RwSignal<(f64, f64)>,
+    width: RwSignal<f64>,
+    height: RwSignal<f64>,
+}
+
+#[component]
+pub fn DropdownMenu(
+    #[prop()] open: RwSignal<bool>,
+    #[prop(into, optional)] class: MaybeProp<String>,
+    #[prop(optional)] children: Option<Children>,
+) -> impl IntoView {
+    let context = DropdownContext {
+        position: RwSignal::new((0.0, 0.0)),
+        width: RwSignal::new(0.0),
+        height: RwSignal::new(0.0),
+    };
+
+    view! {
+        <Provider value=context>
+            <div
+                class=move || tw_merge!("", class.get())
+                data-slot="dropdown-menu"
+            >
+                <Show when=move || open.get() fallback=|| ()>
+                    <div
+                        class="fixed inset-0 z-50 overflow-y-auto flex items-center justify-center w-full h-full"
+                        on:click=move |_| open.set(false)
+                    >
+                    </div>
+                </Show>
+                {children .map(|c| c().into_any()) .unwrap_or_else(|| ().into_any())}
+            </div>
+        </Provider>
+    }
+}
+
+#[derive(Clone, Copy, PartialEq)]
+pub enum DropdownPlacement {
+    BottomLeft,
+    BottomRight,
+    TopLeft,
+    TopRight,
+    RightTop,
+    RightBottom,
+    LeftTop,
+    LeftBottom,
+}
+
+impl Default for DropdownPlacement {
+    fn default() -> Self {
+        Self::BottomRight
+    }
+}
+
+#[component]
+pub fn DropdownMenuTrigger(
+    #[prop()] open: RwSignal<bool>,
+    #[prop(into, optional)] disabled: MaybeProp<bool>,
+    #[prop(default = DropdownPlacement::default())] placement: DropdownPlacement,
+    #[prop(optional)] children: Option<Children>,
+) -> impl IntoView {
+    let context = use_context::<DropdownContext>().unwrap();
+    let trigger_ref = NodeRef::<leptos::html::Div>::new();
+
+    Effect::new(move || {
+        if open.get() {
+            // Also trigger when width/height changes
+            let dropdown_width = context.width.get();
+            let dropdown_height = context.height.get();
+
+            if let Some(element) = trigger_ref.get() {
+                let element: &web_sys::Element = element.as_ref();
+                let rect = element.get_bounding_client_rect();
+                if let Some(window) = web_sys::window() {
+                    let viewport_width = window.inner_width().unwrap().as_f64().unwrap();
+                    let viewport_height = window.inner_height().unwrap().as_f64().unwrap();
+
+                    let (mut x, mut y) = match placement {
+                        DropdownPlacement::BottomLeft => (rect.x(), rect.y() + rect.height()),
+                        DropdownPlacement::BottomRight => (
+                            rect.x() + rect.width() - dropdown_width,
+                            rect.y() + rect.height(),
+                        ),
+                        DropdownPlacement::TopLeft => (rect.x(), rect.y() - dropdown_height),
+                        DropdownPlacement::TopRight => (
+                            rect.x() + rect.width() - dropdown_width,
+                            rect.y() - dropdown_height,
+                        ),
+                        DropdownPlacement::RightTop => (rect.x() + rect.width(), rect.y()),
+                        DropdownPlacement::RightBottom => (
+                            rect.x() + rect.width(),
+                            rect.y() + rect.height() - dropdown_height,
+                        ),
+                        DropdownPlacement::LeftTop => (rect.x() - dropdown_width, rect.y()),
+                        DropdownPlacement::LeftBottom => (
+                            rect.x() - dropdown_width,
+                            rect.y() + rect.height() - dropdown_height,
+                        ),
+                    };
+
+                    // Viewport boundary detection and adjustment
+                    if dropdown_width > 0.0 && x + dropdown_width > viewport_width {
+                        x = viewport_width - dropdown_width - 10.0; // 10px margin
+                    }
+                    if x < 10.0 {
+                        x = 10.0;
+                    }
+
+                    if dropdown_height > 0.0 && y + dropdown_height > viewport_height {
+                        y = viewport_height - dropdown_height - 10.0;
+                    }
+                    if y < 10.0 {
+                        y = 10.0;
+                    }
+
+                    context.position.set((x, y));
+                }
+            }
+        }
+    });
+
+    view! {
+        <div
+            node_ref=trigger_ref
+            data-slot="dropdown-menu-trigger"
+            data-disabled=move || disabled.get()
+            class="data-[disabled]:pointer-events-none"
+            on:click=move |_| {
+                open.update(|open| {
+                    *open = !*open;
+                });
+            }
+        >
+            {children.map(|c| c().into_any()) .unwrap_or_else(|| ().into_any())}
+        </div>
+    }
+}
+
+#[component]
+pub fn DropdownMenuContent(
+    #[prop()] open: ReadSignal<bool>,
+    #[prop(into, optional)] class: MaybeProp<String>,
+    #[prop(optional)] children: Option<ChildrenFn>,
+) -> impl IntoView {
+    let hide_delay = std::time::Duration::from_millis(100);
+    let handle: StoredValue<Option<TimeoutHandle>> = StoredValue::new(None);
+    let show = RwSignal::new(open.get_untracked());
+    let content_ref = NodeRef::<leptos::html::Div>::new();
+
+    let eff = RenderEffect::new(move |_| {
+        if open.get() {
+            // clear any possibly active timer
+            if let Some(h) = handle.get_value() {
+                h.clear();
+            }
+
+            show.set(true);
+        } else {
+            let h = leptos::leptos_dom::helpers::set_timeout_with_handle(
+                move || show.set(false),
+                hide_delay,
+            )
+            .expect("set timeout in AnimatedShow");
+            handle.set_value(Some(h));
+        }
+    });
+
+    on_cleanup(move || {
+        if let Some(Some(h)) = handle.try_get_value() {
+            h.clear();
+        }
+        drop(eff);
+    });
+
+    let context = use_context::<DropdownContext>().unwrap();
+
+    // Measure dropdown size when it becomes visible
+    Effect::new(move || {
+        if show.get() {
+            if let Some(element) = content_ref.get() {
+                let element: &web_sys::Element = element.as_ref();
+                let rect = element.get_bounding_client_rect();
+                context.width.set(rect.width());
+                context.height.set(rect.height());
+            }
+        }
+    });
+
+    view! {
+        <Show when=move || show.get() fallback=|| ()>
+            <div
+                node_ref=content_ref
+                class=move || {
+                    tw_merge!(
+                        "fixed z-50 outline-none bg-popover text-popover-foreground data-[state=open]:animate-in data-[state=closed]:animate-out data-[state=closed]:fade-out-0 data-[state=open]:fade-in-0 data-[state=closed]:zoom-out-95 data-[state=open]:zoom-in-95 data-[side=bottom]:slide-in-from-top-2 data-[side=left]:slide-in-from-right-2 data-[side=right]:slide-in-from-left-2 data-[side=top]:slide-in-from-bottom-2 z-50 max-h-(--radix-dropdown-menu-content-available-height) min-w-[8rem] origin-(--radix-dropdown-menu-content-transform-origin) overflow-x-hidden overflow-y-auto rounded-md border p-1 shadow-md",
+                            class.get()
+                    )
+                }
+                style=move || {
+                    let (x, y) = context.position.get();
+                    format!("left: {x}px; top: {y}px;--radix-popper-transform-origin: 0px 0%; will-change: transform; --radix-popper-available-width: 1669px; --radix-popper-available-height: 932px; --radix-popper-anchor-width: 239px; --radix-popper-anchor-height: 48px;")
+                }
+                data-state=move || { if open.get() { "open" } else { "closed" } }
+                data-slot="dropdown-menu-content"
+                tabindex="0"
+            >
+                {children.clone().map(|c| c().into_any()).unwrap_or_else(|| ().into_any())}
+            </div>
+        </Show>
+    }
+}
+
+#[component]
+pub fn DropdownMenuLabel(
+    #[prop(into, optional)] class: MaybeProp<String>,
+    #[prop(optional)] children: Option<Children>,
+) -> impl IntoView {
+    let children = children
+        .map(|c| c().into_any())
+        .unwrap_or_else(|| ().into_any());
+
+    view! {
+        <div
+            class=move || {
+                tw_merge!(
+                    "px-2 py-1.5 text-sm font-medium data-[inset]:pl-8",
+                class.get()
+                )
+            }
+            data-slot="dropdown-menu-label"
+        >
+            {children}
+        </div>
+    }
+}
+
+#[component]
+pub fn DropdownMenuItem(
+    #[prop(into, optional)] class: MaybeProp<String>,
+    #[prop(into, optional)] disabled: MaybeProp<bool>,
+    #[prop(optional)] children: Option<Children>,
+) -> impl IntoView {
+    view! {
+        <div
+            class=move || {
+                tw_merge!(
+                    "hover:bg-accent hover:text-accent-foreground focus:bg-accent focus:text-accent-foreground data-[variant=destructive]:text-destructive data-[variant=destructive]:focus:bg-destructive/10 dark:data-[variant=destructive]:focus:bg-destructive/20 data-[variant=destructive]:focus:text-destructive data-[variant=destructive]:*:[svg]:!text-destructive [&_svg:not([class*='text-'])]:text-muted-foreground relative flex cursor-default items-center gap-2 rounded-sm px-2 py-1.5 text-sm outline-hidden select-none data-[disabled]:pointer-events-none data-[disabled]:opacity-50 data-[inset]:pl-8 [&_svg]:pointer-events-none [&_svg]:shrink-0 [&_svg:not([class*='size-'])]:size-4",
+                class.get()
+                )
+            }
+            data-slot="dropdown-menu-item"
+            data-disabled=move || disabled.get()
+        >
+            {children.map(|c| c().into_any()).unwrap_or_else(|| ().into_any())}
+        </div>
+    }
+}
+
+#[component]
+pub fn DropdownMenuSeparator(#[prop(into, optional)] class: MaybeProp<String>) -> impl IntoView {
+    view! {
+        <div
+            class=move || tw_merge!("bg-border -mx-1 my-1 h-px",
+                class.get())
+            data-slot="dropdown-menu-separator"
+        />
+    }
+}
diff --git a/crates/dashboard/src/component/fade_effect.rs b/crates/dashboard/src/component/fade_effect.rs
new file mode 100644
index 0000000..a5d63c6
--- /dev/null
+++ b/crates/dashboard/src/component/fade_effect.rs
@@ -0,0 +1,34 @@
+use leptos::prelude::*;
+
+pub fn fade_effect(open: ReadSignal<bool>) -> RwSignal<bool> {
+    let handle: StoredValue<Option<TimeoutHandle>> = StoredValue::new(None);
+    let hide_delay = std::time::Duration::from_millis(100);
+    let show = RwSignal::new(open.get_untracked());
+
+    let eff = RenderEffect::new(move |_| {
+        if open.get() {
+            // clear any possibly active timer
+            if let Some(h) = handle.get_value() {
+                h.clear();
+            }
+
+            show.set(true);
+        } else {
+            let h = leptos::leptos_dom::helpers::set_timeout_with_handle(
+                move || show.set(false),
+                hide_delay,
+            )
+            .expect("set timeout in AnimatedShow");
+            handle.set_value(Some(h));
+        }
+    });
+
+    on_cleanup(move || {
+        if let Some(Some(h)) = handle.try_get_value() {
+            h.clear();
+        }
+        drop(eff);
+    });
+
+    show
+}
diff --git a/crates/dashboard/src/component/hover_card.rs b/crates/dashboard/src/component/hover_card.rs
new file mode 100644
index 0000000..7bb5525
--- /dev/null
+++ b/crates/dashboard/src/component/hover_card.rs
@@ -0,0 +1,221 @@
+use leptos::{context::Provider, prelude::*};
+use tailwind_fuse::*;
+
+#[derive(Clone)]
+struct HoverCardContext {
+    position: RwSignal<(f64, f64)>,
+    width: RwSignal<f64>,
+    height: RwSignal<f64>,
+    // dictates whether the hovercard is actually showing or not
+    show: RwSignal<bool>,
+}
+
+#[derive(Clone, Copy, PartialEq)]
+pub enum HoverCardPlacement {
+    BottomLeft,
+    BottomRight,
+    TopLeft,
+    TopRight,
+    RightTop,
+    RightBottom,
+    LeftTop,
+    LeftBottom,
+}
+
+impl Default for HoverCardPlacement {
+    fn default() -> Self {
+        Self::BottomRight
+    }
+}
+
+#[component]
+pub fn HoverCard(
+    #[prop()] open: RwSignal<bool>,
+    #[prop(into, optional)] class: MaybeProp<String>,
+    #[prop(optional)] children: Option<Children>,
+) -> impl IntoView {
+    let show_delay = std::time::Duration::from_millis(500);
+    let hide_delay = std::time::Duration::from_millis(500);
+    let show_handle: StoredValue<Option<TimeoutHandle>> = StoredValue::new(None);
+    let hide_handle: StoredValue<Option<TimeoutHandle>> = StoredValue::new(None);
+    let show = RwSignal::new(open.get_untracked());
+
+    let eff = RenderEffect::new(move |_| {
+        if open.get() {
+            // clear any possibly active hide timer
+            if let Some(h) = hide_handle.get_value() {
+                h.clear();
+            }
+            // set show timer
+            let h = leptos::leptos_dom::helpers::set_timeout_with_handle(
+                move || show.set(true),
+                show_delay,
+            )
+            .expect("set timeout for show");
+            show_handle.set_value(Some(h));
+        } else {
+            // clear any possibly active show timer
+            if let Some(h) = show_handle.get_value() {
+                h.clear();
+            }
+            // set hide timer
+            let h = leptos::leptos_dom::helpers::set_timeout_with_handle(
+                move || show.set(false),
+                hide_delay,
+            )
+            .expect("set timeout for hide");
+            hide_handle.set_value(Some(h));
+        }
+    });
+
+    on_cleanup(move || {
+        if let Some(Some(h)) = show_handle.try_get_value() {
+            h.clear();
+        }
+        if let Some(Some(h)) = hide_handle.try_get_value() {
+            h.clear();
+        }
+        drop(eff);
+    });
+
+    let context = HoverCardContext {
+        position: RwSignal::new((0.0, 0.0)),
+        width: RwSignal::new(0.0),
+        height: RwSignal::new(0.0),
+        show,
+    };
+    view! {
+        <Provider value=context>
+            <div
+                class=move || tw_merge!("", class.get())
+                on:mouseenter=move |_| open.set(true)
+                on:mouseleave=move |_| open.set(false)
+                data-slot="hover-card"
+            >
+                {children .map(|c| c().into_any()) .unwrap_or_else(|| ().into_any())}
+            </div>
+        </Provider>
+    }
+}
+
+#[component]
+pub fn HoverCardTrigger(
+    #[prop(default = HoverCardPlacement::default())] placement: HoverCardPlacement,
+    #[prop(optional)] children: Option<Children>,
+) -> impl IntoView {
+    let context = use_context::<HoverCardContext>().unwrap();
+    let trigger_ref = NodeRef::<leptos::html::Div>::new();
+
+    Effect::new(move || {
+        if context.show.get() {
+            // Also trigger when width/height changes
+            let hover_card_width = context.width.get();
+            let hover_card_height = context.height.get();
+
+            if let Some(element) = trigger_ref.get() {
+                let element: &web_sys::Element = element.as_ref();
+                let rect = element.get_bounding_client_rect();
+                if let Some(window) = web_sys::window() {
+                    let viewport_width = window.inner_width().unwrap().as_f64().unwrap();
+                    let viewport_height = window.inner_height().unwrap().as_f64().unwrap();
+
+                    let (mut x, mut y) = match placement {
+                        HoverCardPlacement::BottomLeft => (rect.x(), rect.y() + rect.height()),
+                        HoverCardPlacement::BottomRight => (
+                            rect.x() + rect.width() - hover_card_width,
+                            rect.y() + rect.height(),
+                        ),
+                        HoverCardPlacement::TopLeft => (rect.x(), rect.y() - hover_card_height),
+                        HoverCardPlacement::TopRight => (
+                            rect.x() + rect.width() - hover_card_width,
+                            rect.y() - hover_card_height,
+                        ),
+                        HoverCardPlacement::RightTop => (rect.x() + rect.width(), rect.y()),
+                        HoverCardPlacement::RightBottom => (
+                            rect.x() + rect.width(),
+                            rect.y() + rect.height() - hover_card_height,
+                        ),
+                        HoverCardPlacement::LeftTop => (rect.x() - hover_card_width, rect.y()),
+                        HoverCardPlacement::LeftBottom => (
+                            rect.x() - hover_card_width,
+                            rect.y() + rect.height() - hover_card_height,
+                        ),
+                    };
+
+                    // Viewport boundary detection and adjustment
+                    if hover_card_width > 0.0 && x + hover_card_width > viewport_width {
+                        x = viewport_width - hover_card_width - 10.0; // 10px margin
+                    }
+                    if x < 10.0 {
+                        x = 10.0;
+                    }
+
+                    if hover_card_height > 0.0 && y + hover_card_height > viewport_height {
+                        y = viewport_height - hover_card_height - 10.0;
+                    }
+                    if y < 10.0 {
+                        y = 10.0;
+                    }
+
+                    context.position.set((x, y));
+                }
+            }
+        }
+    });
+
+    let children = children
+        .map(|c| c().into_any())
+        .unwrap_or_else(|| ().into_any());
+
+    view! {
+        <div
+            node_ref=trigger_ref
+            data-slot="hover-card-trigger"
+        >
+            {children}
+        </div>
+    }
+}
+
+#[component]
+pub fn HoverCardContent(
+    #[prop(into, optional)] class: MaybeProp<String>,
+    #[prop(optional)] children: Option<ChildrenFn>,
+) -> impl IntoView {
+    let content_ref = NodeRef::<leptos::html::Div>::new();
+    let context = use_context::<HoverCardContext>().unwrap();
+
+    // Measure hover card size when it becomes visible
+    Effect::new(move || {
+        if context.show.get() {
+            if let Some(element) = content_ref.get() {
+                let element: &web_sys::Element = element.as_ref();
+                let rect = element.get_bounding_client_rect();
+                context.width.set(rect.width());
+                context.height.set(rect.height());
+            }
+        }
+    });
+
+    view! {
+        <Show when=move || context.show.get() fallback=|| ()>
+            <div
+                node_ref=content_ref
+                class=move || {
+                    tw_merge!(
+                        "fixed z-50 outline-none bg-popover text-popover-foreground data-[state=open]:animate-in data-[state=closed]:animate-out data-[state=closed]:fade-out-0 data-[state=open]:fade-in-0 data-[state=closed]:zoom-out-95 data-[state=open]:zoom-in-95 data-[side=bottom]:slide-in-from-top-2 data-[side=left]:slide-in-from-right-2 data-[side=right]:slide-in-from-left-2 data-[side=top]:slide-in-from-bottom-2 z-50 w-64 origin-(--radix-hover-card-content-transform-origin) rounded-md border p-4 shadow-md",
+                         class.get()
+                    )
+                }
+                style=move || {
+                    let (x, y) = context.position.get();
+                    format!("left: {x}px; top: {y}px;")
+                }
+                data-state=move || { if context.show.get() { "open" } else { "closed" } }
+                data-slot="hover-card-content"
+            >
+                {children.clone().map(|c| c().into_any()).unwrap_or_else(|| ().into_any())}
+            </div>
+        </Show>
+    }
+}
diff --git a/crates/dashboard/src/component/icon.rs b/crates/dashboard/src/component/icon.rs
new file mode 100644
index 0000000..774cd2d
--- /dev/null
+++ b/crates/dashboard/src/component/icon.rs
@@ -0,0 +1,95 @@
+use leptos::{prelude::*, svg::Svg};
+use tailwind_fuse::*;
+
+#[component]
+pub fn LoaderCircle(
+    #[prop(default = 24.into(), into)] size: Signal<usize>,
+    #[prop(default = "currentColor".into(), into)] color: Signal<String>,
+    #[prop(default = "none".into(), into)] fill: Signal<String>,
+    #[prop(default = 2.into(), into)] stroke_width: Signal<usize>,
+    #[prop(default = false.into(), into)] absolute_stroke_width: Signal<bool>,
+    #[prop(into, optional)] class: MaybeProp<String>,
+    #[prop(optional)] node_ref: NodeRef<Svg>,
+) -> impl IntoView {
+    let stroke_width = Signal::derive(move || {
+        if absolute_stroke_width.get() {
+            stroke_width.get() * 24 / size.get()
+        } else {
+            stroke_width.get()
+        }
+    });
+    view! {
+        <svg
+            node_ref=node_ref
+            class=move || tw_merge!("lucide",
+                class.get())
+            xmlns="http://www.w3.org/2000/svg"
+            width=size
+            height=size
+            viewBox="0 0 24 24"
+            fill=fill
+            stroke=color
+            stroke-width=stroke_width
+            stroke-linecap="round"
+            stroke-linejoin="round"
+        >
+            <path d="M21 12a9 9 0 1 1-6.219-8.56" />
+        </svg>
+    }
+}
+
+#[component]
+pub fn BoxMargin() -> impl IntoView {
+    view! {
+        <svg
+            xmlns="http://www.w3.org/2000/svg"
+            width="24"
+            height="24"
+            viewBox="0 0 24 24"
+            fill="none"
+            stroke="currentColor"
+            stroke-width="2"
+            stroke-linecap="round"
+            stroke-linejoin="round"
+            class="tabler-icon tabler-icon-box-margin "
+        >
+            <path d="M8 8h8v8h-8z"></path>
+            <path d="M4 4v.01"></path>
+            <path d="M8 4v.01"></path>
+            <path d="M12 4v.01"></path>
+            <path d="M16 4v.01"></path>
+            <path d="M20 4v.01"></path>
+            <path d="M4 20v.01"></path>
+            <path d="M8 20v.01"></path>
+            <path d="M12 20v.01"></path>
+            <path d="M16 20v.01"></path>
+            <path d="M20 20v.01"></path>
+            <path d="M20 16v.01"></path>
+            <path d="M20 12v.01"></path>
+            <path d="M20 8v.01"></path>
+            <path d="M4 16v.01"></path>
+            <path d="M4 12v.01"></path>
+            <path d="M4 8v.01"></path>
+        </svg>
+    }
+}
+
+#[component]
+pub fn BrandGoogle() -> impl IntoView {
+    view! {
+        <svg
+            xmlns="http://www.w3.org/2000/svg"
+            width="24"
+            height="24"
+            viewBox="0 0 24 24"
+            fill="none"
+            stroke="currentColor"
+            stroke-width="2"
+            stroke-linecap="round"
+            stroke-linejoin="round"
+            class="tabler-icon tabler-icon-brand-google "
+        >
+            <path d="M20.945 11a9 9 0 1 1 -3.284 -5.997l-2.655 2.392a5.5 5.5 0 1 0 2.119 6.605h-4.125v-3h7.945z"></path>
+        </svg>
+    }
+}
diff --git a/crates/dashboard/src/component/input.rs b/crates/dashboard/src/component/input.rs
new file mode 100644
index 0000000..3cc3240
--- /dev/null
+++ b/crates/dashboard/src/component/input.rs
@@ -0,0 +1,19 @@
+use leptos::prelude::*;
+use tailwind_fuse::*;
+
+#[component]
+pub fn Input(#[prop(into, optional)] class: MaybeProp<String>) -> impl IntoView {
+    view! {
+        <input
+            class=move || tw_join!(
+                "focus-visible:ring-ring/50",
+                tw_merge!(
+                    "file:text-foreground placeholder:text-muted-foreground selection:bg-primary selection:text-primary-foreground dark:bg-input/30 border-input flex h-9 w-full min-w-0 rounded-md border bg-transparent px-3 py-1 text-base shadow-xs transition-[color,box-shadow] outline-none file:inline-flex file:h-7 file:border-0 file:bg-transparent file:text-sm file:font-medium disabled:pointer-events-none disabled:cursor-not-allowed disabled:opacity-50 md:text-sm",
+                    "focus-visible:border-ring focus-visible:ring-[3px] aria-invalid:ring-destructive/20 dark:aria-invalid:ring-destructive/40 aria-invalid:border-destructive",
+                    class.get(),
+                )
+            )
+            data-slot="input"
+        />
+    }
+}
diff --git a/crates/dashboard/src/component/label.rs b/crates/dashboard/src/component/label.rs
new file mode 100644
index 0000000..aec2592
--- /dev/null
+++ b/crates/dashboard/src/component/label.rs
@@ -0,0 +1,26 @@
+use leptos::prelude::*;
+use tailwind_fuse::*;
+
+#[component]
+pub fn Label(
+    #[prop(into, optional)] class: MaybeProp<String>,
+    #[prop(into, optional)] for_: MaybeProp<String>,
+    #[prop(optional)] children: Option<Children>,
+) -> impl IntoView {
+    let children = children
+        .map(|c| c().into_any())
+        .unwrap_or_else(|| ().into_any());
+
+    view! {
+        <label
+            class=move || tw_merge!(
+                "flex items-center gap-2 text-sm leading-none font-medium select-none group-data-[disabled=true]:pointer-events-none group-data-[disabled=true]:opacity-50 peer-disabled:cursor-not-allowed peer-disabled:opacity-50",
+                class.get()
+            )
+            for=move || for_.get()
+            data-slot="label"
+        >
+            {children}
+        </label>
+    }
+}
diff --git a/crates/dashboard/src/component/mod.rs b/crates/dashboard/src/component/mod.rs
new file mode 100644
index 0000000..12c0f5d
--- /dev/null
+++ b/crates/dashboard/src/component/mod.rs
@@ -0,0 +1,24 @@
+pub mod alert;
+pub mod alert_dialog;
+pub mod avatar;
+pub mod badge;
+pub mod breadcrumb;
+pub mod button;
+pub mod card;
+pub mod checkbox;
+pub mod collapsible;
+pub mod dialog;
+pub mod dropdown_menu;
+pub mod fade_effect;
+pub mod hover_card;
+pub mod icon;
+pub mod input;
+pub mod label;
+pub mod pagination;
+pub mod select;
+pub mod separator;
+pub mod sidebar;
+pub mod table;
+pub mod tabs;
+pub mod textarea;
+pub mod typography;
diff --git a/crates/dashboard/src/component/pagination.rs b/crates/dashboard/src/component/pagination.rs
new file mode 100644
index 0000000..a1d7c0a
--- /dev/null
+++ b/crates/dashboard/src/component/pagination.rs
@@ -0,0 +1,558 @@
+use lapdev_common::kube::PaginatedInfo;
+use leptos::prelude::*;
+use tailwind_fuse::*;
+
+use crate::component::{
+    button::{ButtonClass, ButtonVariant},
+    select::{Select, SelectContent, SelectItem, SelectTrigger},
+};
+
+use super::button::ButtonSize;
+
+// Pagination component variants
+#[derive(Debug, Clone, Copy, PartialEq)]
+pub enum PaginationSize {
+    Default,
+    Sm,
+    Lg,
+}
+
+impl PaginationSize {
+    fn to_class(&self) -> &'static str {
+        match self {
+            PaginationSize::Default => "h-9 px-3",
+            PaginationSize::Sm => "h-8 px-2 text-xs",
+            PaginationSize::Lg => "h-11 px-4",
+        }
+    }
+}
+
+// Base Pagination container
+#[component]
+pub fn Pagination(
+    #[prop(into, optional)] class: MaybeProp<String>,
+    #[prop(optional)] children: Option<Children>,
+) -> impl IntoView {
+    view! {
+        <nav
+            role="navigation"
+            aria-label="pagination"
+            data-slot="pagination"
+            class=move || class.get()
+        >
+
+            {children.map(|c| c().into_any()).unwrap_or_else(|| ().into_any())}
+        </nav>
+    }
+}
+
+// Pagination content wrapper - contains all pagination items
+#[component]
+pub fn PaginationContent(
+    #[prop(into, optional)] class: MaybeProp<String>,
+    #[prop(optional)] children: Option<Children>,
+) -> impl IntoView {
+    view! {
+        <ul
+            data-slot="pagination-content"
+            class=move || {
+                tw_merge!("flex flex-row items-center gap-1",
+                    class.get())
+            }
+        >
+            {children.map(|c| c().into_any()).unwrap_or_else(|| ().into_any())}
+        </ul>
+    }
+}
+
+// Individual pagination item wrapper
+#[component]
+pub fn PaginationItem(
+    #[prop(into, optional)] class: MaybeProp<String>,
+    #[prop(optional)] children: Option<Children>,
+) -> impl IntoView {
+    view! {
+        <li data-slot="pagination-item" class=move || class.get()>
+            {children.map(|c| c().into_any()).unwrap_or_else(|| ().into_any())}
+        </li>
+    }
+}
+
+// Base pagination link/button component
+#[component]
+pub fn PaginationButton(
+    #[prop(into, optional)] class: MaybeProp<String>,
+    #[prop(into, optional)] size: MaybeProp<ButtonSize>,
+    #[prop(into, optional)] is_active: MaybeProp<bool>,
+    #[prop(into, optional)] disabled: MaybeProp<bool>,
+    #[prop(optional)] children: Option<Children>,
+) -> impl IntoView {
+    let class = Memo::new(move |_| {
+        tw_merge!(
+            ButtonClass {
+                variant: if is_active.get().unwrap_or(false) {
+                    ButtonVariant::Outline
+                } else {
+                    ButtonVariant::Ghost
+                },
+                size: size.get().unwrap_or_default(),
+            }
+            .to_class(),
+            "cursor-pointer",
+            class.get(),
+        )
+    });
+    view! {
+        <button
+            class=move || class.get()
+            disabled=move || disabled.get().unwrap_or(false)
+            aria-current=move || if is_active.get().unwrap_or(false) { Some("page") } else { None }
+            data-slot="pagination-link"
+            data-active=move || is_active.get()
+        >
+            {children.map(|c| c().into_any()).unwrap_or_else(|| ().into_any())}
+        </button>
+    }
+}
+
+// Previous button component
+#[component]
+pub fn PaginationPrevious(
+    #[prop(into, optional)] class: MaybeProp<String>,
+    #[prop(into, optional)] is_active: MaybeProp<bool>,
+) -> impl IntoView {
+    let class = Signal::derive(move || tw_merge!("gap-1 px-2.5 sm:pl-2.5", class.get()));
+    view! {
+        <PaginationButton
+            class
+            is_active
+            disabled=Memo::new(move |_| !is_active.get().unwrap_or(false))
+            attr:aria-label="Go to previous page"
+        >
+            <lucide_leptos::ChevronLeft />
+            <span class="hidden sm:block">Previous</span>
+        </PaginationButton>
+    }
+}
+
+// Next button component
+#[component]
+pub fn PaginationNext(
+    #[prop(into, optional)] class: MaybeProp<String>,
+    #[prop(into, optional)] is_active: MaybeProp<bool>,
+) -> impl IntoView {
+    let class = Signal::derive(move || tw_merge!("gap-1 px-2.5 sm:pr-2.5", class.get()));
+    view! {
+        <PaginationButton
+            class
+            is_active
+            disabled=Memo::new(move |_| !is_active.get().unwrap_or(false))
+            attr:aria-label="Go to next page"
+        >
+            <span class="hidden sm:block">Next</span>
+            <lucide_leptos::ChevronRight />
+        </PaginationButton>
+    }
+}
+
+// Ellipsis component for indicating more pages
+#[component]
+pub fn PaginationEllipsis(#[prop(into, optional)] class: MaybeProp<String>) -> impl IntoView {
+    view! {
+        <span
+            aria-hidden
+            data-slot="pagination-ellipsis"
+            class=move || {
+                tw_merge!(
+                    "flex size-9 items-center justify-center",
+                                        class.get()
+                )
+            }
+        >
+            <lucide_leptos::Ellipsis />
+        </span>
+    }
+}
+
+#[derive(Debug, Clone)]
+enum PageItem {
+    Page(usize),
+    Ellipsis(String),
+}
+
+impl PageItem {
+    fn key(&self) -> String {
+        match self {
+            PageItem::Page(page) => format!("page-{}", page),
+            PageItem::Ellipsis(id) => id.clone(),
+        }
+    }
+}
+
+// Page-based pagination component
+#[component]
+pub fn PagePagination(
+    pagination_info: Signal<PaginatedInfo>,
+    page_size: RwSignal<usize>,
+    current_page: Signal<usize>,
+    total_pages: Signal<usize>,
+    #[prop(into)] on_page_change: Callback<usize>,
+) -> impl IntoView {
+    // Separate visual state that updates immediately
+    let visual_current_page = RwSignal::new(current_page.get_untracked());
+
+    // Sync visual state when actual current_page changes (from external sources)
+    Effect::new(move |_| {
+        visual_current_page.set(current_page.get());
+    });
+
+    // Create memoized signals for navigation state based on visual state
+    let has_previous = Memo::new(move |_| visual_current_page.get() > 1);
+    let has_next = Memo::new(move |_| {
+        let current = visual_current_page.get();
+        let total = total_pages.get();
+        current < total && total > 1
+    });
+    let visible_pages = Memo::new(move |_| {
+        let current = visual_current_page.get();
+        let total = total_pages.get();
+        get_visible_pages(current, total)
+    });
+
+    // Debounced page change with 300ms delay
+    let debounce_timeout_handle: StoredValue<Option<leptos::leptos_dom::helpers::TimeoutHandle>> =
+        StoredValue::new(None);
+
+    let debounced_page_change = move |new_page: usize| {
+        // Update visual state immediately
+        visual_current_page.set(new_page);
+
+        // Clear any existing timeout
+        if let Some(h) = debounce_timeout_handle.get_value() {
+            h.clear();
+        }
+
+        // Set new timeout for debounced action
+        let h = leptos::leptos_dom::helpers::set_timeout_with_handle(
+            move || {
+                on_page_change.run(new_page);
+            },
+            std::time::Duration::from_millis(300),
+        )
+        .expect("set timeout for page change debounce");
+        debounce_timeout_handle.set_value(Some(h));
+    };
+
+    let handle_previous = move |_| {
+        let current = visual_current_page.get();
+        if current > 1 {
+            debounced_page_change(current - 1);
+        }
+    };
+
+    let handle_next = move |_| {
+        let current = visual_current_page.get_untracked();
+        let total = total_pages.get_untracked();
+        if current < total {
+            debounced_page_change(current + 1);
+        }
+    };
+
+    let handle_page_click = move |page: usize| {
+        debounced_page_change(page);
+    };
+
+    // Cleanup debounce timeout on component destroy
+    on_cleanup(move || {
+        if let Some(Some(h)) = debounce_timeout_handle.try_get_value() {
+            h.clear();
+        }
+    });
+
+    let page_size_select_open = RwSignal::new(false);
+
+    view! {
+        <div class="flex flex-wrap items-center justify-between gap-4">
+            <div class="text-sm text-muted-foreground">
+                {move || {
+                    let info = pagination_info.get();
+                    let start = ((info.page - 1) * info.page_size) + 1;
+                    let end = std::cmp::min(info.page * info.page_size, info.total_count);
+                    if info.total_count > 0 {
+                        format!("Showing {}-{} of {} results", start, end, info.total_count)
+                    } else {
+                        "No results found".to_string()
+                    }
+                }}
+            </div>
+            <div class="flex items-center gap-4 flex-wrap">
+                <div class="flex items-center gap-2">
+                    <span class="text-sm text-muted-foreground">"Rows per page:"</span>
+                    <div class="w-20">
+                        <Select open=page_size_select_open value=page_size>
+                            <SelectTrigger class="h-8 text-sm">
+                                {move || page_size.get().to_string()}
+                            </SelectTrigger>
+                            <SelectContent>
+                                <SelectItem value=10usize>10</SelectItem>
+                                <SelectItem value=20usize>20</SelectItem>
+                                <SelectItem value=50usize>50</SelectItem>
+                                <SelectItem value=100usize>100</SelectItem>
+                            </SelectContent>
+                        </Select>
+                    </div>
+                </div>
+                <Pagination>
+                    <PaginationContent>
+                        // Previous button
+                        <PaginationPrevious
+                            is_active=Memo::new(move |_| has_previous.get())
+                            on:click=handle_previous
+                        />
+
+                        // Render visible pages with ellipsis handling
+                        <For
+                            each=move || {
+                                let current = visual_current_page.get();
+                                let pages = visible_pages.get();
+                                let mut page_items = Vec::new();
+                                for (i, &page) in pages.iter().enumerate() {
+                                    if i > 0 && page > pages[i - 1] + 1 {
+                                        page_items
+                                            .push(PageItem::Ellipsis(format!("ellipsis-{}", i)));
+                                    }
+                                    page_items.push(PageItem::Page(page));
+                                }
+                                page_items
+                            }
+                            key=|item| item.key()
+                            children=move |item| {
+                                match item {
+                                    PageItem::Ellipsis(_) => {
+                                        view! { <PaginationEllipsis /> }.into_any()
+                                    }
+                                    PageItem::Page(page) => {
+                                        view! {
+                                            <PaginationItem>
+                                                <PaginationButton
+                                                    is_active=Memo::new(move |_| {
+                                                        page == visual_current_page.get()
+                                                    })
+                                                    on:click=move |_| { handle_page_click(page) }
+                                                >
+                                                    {page.to_string()}
+                                                </PaginationButton>
+                                            </PaginationItem>
+                                        }
+                                            .into_any()
+                                    }
+                                }
+                            }
+                        />
+
+                        // Next button
+                        <PaginationNext
+                            is_active=Memo::new(move |_| has_next.get())
+                            on:click=handle_next
+                        />
+                    </PaginationContent>
+                </Pagination>
+            </div>
+        </div>
+    }
+}
+
+// Utility functions for pagination logic (extracted for testing)
+pub fn calculate_page_range(current_page: usize, total_pages: usize) -> (usize, usize) {
+    let start_page = (current_page.saturating_sub(2)).max(1);
+    let end_page = (current_page + 2).min(total_pages);
+    (start_page, end_page)
+}
+
+pub fn get_visible_pages(current_page: usize, total_pages: usize) -> Vec<usize> {
+    let (start_page, end_page) = calculate_page_range(current_page, total_pages);
+    let mut pages = Vec::new();
+
+    // Always include page 1 if not in the visible range
+    if start_page > 1 {
+        pages.push(1);
+    }
+
+    // Add all pages in the visible range
+    pages.extend(start_page..=end_page);
+
+    // Add last page if not already included
+    if end_page < total_pages {
+        pages.push(total_pages);
+    }
+
+    pages
+}
+
+pub fn should_show_ellipsis_after(current_page: usize, total_pages: usize) -> bool {
+    let (_, end_page) = calculate_page_range(current_page, total_pages);
+    end_page < total_pages - 1
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    #[test]
+    fn test_page_range_calculation() {
+        // Test page 1
+        assert_eq!(calculate_page_range(1, 10), (1, 3));
+
+        // Test middle page
+        assert_eq!(calculate_page_range(5, 10), (3, 7));
+
+        // Test last page
+        assert_eq!(calculate_page_range(10, 10), (8, 10));
+
+        // Test near last page
+        assert_eq!(calculate_page_range(9, 10), (7, 10));
+
+        // Test single page
+        assert_eq!(calculate_page_range(1, 1), (1, 1));
+
+        // Test two pages
+        assert_eq!(calculate_page_range(1, 2), (1, 2));
+        assert_eq!(calculate_page_range(2, 2), (1, 2));
+    }
+
+    #[test]
+    fn test_visible_pages() {
+        // Test page 1 of 10 - should show pages 1, 2, 3, and 10
+        let pages = get_visible_pages(1, 10);
+        assert_eq!(pages, vec![1, 2, 3, 10]);
+
+        // Test page 5 of 10 - should show pages 1, 3, 4, 5, 6, 7, and 10
+        let pages = get_visible_pages(5, 10);
+        assert_eq!(pages, vec![1, 3, 4, 5, 6, 7, 10]);
+
+        // Test page 10 of 10 - should show pages 1, 8, 9, 10
+        let pages = get_visible_pages(10, 10);
+        assert_eq!(pages, vec![1, 8, 9, 10]);
+
+        // Test page 9 of 10 - should show pages 1, 7, 8, 9, 10
+        let pages = get_visible_pages(9, 10);
+        assert_eq!(pages, vec![1, 7, 8, 9, 10]);
+
+        // Test page 3 of 10 - visible range includes page 1, so no duplicate
+        let pages = get_visible_pages(3, 10);
+        assert_eq!(pages, vec![1, 2, 3, 4, 5, 10]);
+
+        // Test single page
+        let pages = get_visible_pages(1, 1);
+        assert_eq!(pages, vec![1]);
+
+        // Test two pages
+        let pages = get_visible_pages(1, 2);
+        assert_eq!(pages, vec![1, 2]);
+
+        // Test small total pages where end_page equals total
+        let pages = get_visible_pages(2, 4);
+        assert_eq!(pages, vec![1, 2, 3, 4]);
+    }
+
+    #[test]
+    fn test_ellipsis_logic() {
+        // Should show ellipsis when there's a gap to the last page
+        assert!(should_show_ellipsis_after(1, 10)); // 1,2,3 ... 10
+        assert!(should_show_ellipsis_after(3, 10)); // 1,2,3,4,5 ... 10
+
+        // Should not show ellipsis when end_page is adjacent to total
+        assert!(!should_show_ellipsis_after(8, 10)); // 6,7,8,9,10 (no gap)
+        assert!(!should_show_ellipsis_after(9, 10)); // 7,8,9,10 (no gap)
+        assert!(!should_show_ellipsis_after(10, 10)); // 8,9,10 (no gap)
+
+        // Edge cases
+        assert!(!should_show_ellipsis_after(1, 1)); // Single page
+        assert!(!should_show_ellipsis_after(1, 2)); // Two pages
+        assert!(!should_show_ellipsis_after(1, 3)); // Three pages
+    }
+
+    #[test]
+    fn test_page_1_always_visible() {
+        // This is the key test for the bug we fixed
+        let pages = get_visible_pages(1, 10);
+        assert!(
+            pages.contains(&1),
+            "Page 1 should always be visible when current_page is 1"
+        );
+
+        let pages = get_visible_pages(1, 5);
+        assert!(
+            pages.contains(&1),
+            "Page 1 should always be visible when current_page is 1"
+        );
+
+        let pages = get_visible_pages(1, 1);
+        assert!(
+            pages.contains(&1),
+            "Page 1 should always be visible when current_page is 1"
+        );
+
+        // Test the specific bug scenario: when paging down to higher pages, page 1 should still be visible
+        let pages = get_visible_pages(5, 10);
+        assert!(
+            pages.contains(&1),
+            "Page 1 should be visible even when on page 5 of 10"
+        );
+
+        let pages = get_visible_pages(7, 10);
+        assert!(
+            pages.contains(&1),
+            "Page 1 should be visible even when on page 7 of 10"
+        );
+
+        let pages = get_visible_pages(8, 10);
+        assert!(
+            pages.contains(&1),
+            "Page 1 should be visible even when on page 8 of 10"
+        );
+
+        // Test with larger page counts
+        let pages = get_visible_pages(15, 20);
+        assert!(
+            pages.contains(&1),
+            "Page 1 should be visible even when on page 15 of 20"
+        );
+    }
+
+    #[test]
+    fn test_current_page_always_visible() {
+        for current in 1..=10 {
+            let pages = get_visible_pages(current, 10);
+            assert!(
+                pages.contains(&current),
+                "Current page {} should always be visible in pages: {:?}",
+                current,
+                pages
+            );
+        }
+    }
+
+    #[test]
+    fn test_edge_cases() {
+        // Test edge case with very small total pages
+        assert_eq!(get_visible_pages(1, 1), vec![1]);
+        assert_eq!(get_visible_pages(1, 2), vec![1, 2]);
+        assert_eq!(get_visible_pages(2, 2), vec![1, 2]);
+
+        // Test edge case where current page is out of bounds (shouldn't happen in practice)
+        let pages = get_visible_pages(0, 10); // current_page = 0
+        assert!(
+            !pages.is_empty(),
+            "Should still return some pages even with invalid current_page"
+        );
+
+        // Test edge case with zero total pages (shouldn't happen in practice)
+        let pages = get_visible_pages(1, 0);
+        // This would be an invalid state, but our function should handle it gracefully
+        assert!(
+            pages.is_empty() || pages == vec![0],
+            "Should handle zero total pages gracefully"
+        );
+    }
+}
diff --git a/crates/dashboard/src/component/select.rs b/crates/dashboard/src/component/select.rs
new file mode 100644
index 0000000..5451755
--- /dev/null
+++ b/crates/dashboard/src/component/select.rs
@@ -0,0 +1,255 @@
+use leptos::{context::Provider, leptos_dom::logging::console_log, prelude::*};
+use tailwind_fuse::*;
+
+use crate::component::{fade_effect::fade_effect, input::Input};
+
+#[derive(Clone)]
+pub struct SelectValueContext<T: PartialEq + Clone + Send + Sync + 'static> {
+    value: RwSignal<T>,
+}
+
+#[derive(Clone)]
+pub struct SelectContext {
+    open: RwSignal<bool>,
+    search_filter: RwSignal<String>,
+}
+
+#[derive(TwVariant)]
+pub enum SelectTriggerSize {
+    #[tw(default, class = "")]
+    Default,
+    #[tw(class = "")]
+    Sm,
+}
+
+#[component]
+pub fn Select<T>(
+    #[prop()] value: RwSignal<T>,
+    // #[prop()] on_change: impl Fn(String) + 'static + Send + Sync,
+    #[prop()] open: RwSignal<bool>,
+    #[prop(into, optional)] class: MaybeProp<String>,
+    #[prop(optional)] children: Option<Children>,
+) -> impl IntoView
+where
+    T: PartialEq + Clone + Send + Sync + 'static,
+{
+    let search_filter = RwSignal::new("".to_string());
+    Effect::new(move |_| {
+        open.track();
+        search_filter.set("".to_string());
+    });
+    view! {
+        <Provider value=SelectValueContext { value }>
+            <Provider value=SelectContext { open, search_filter }>
+                <div class=move || tw_merge!("relative", class.get()) data-slot="select">
+                    <Show when=move || open.get() fallback=|| ()>
+                        <div
+                            class="fixed inset-0 z-50 overflow-y-auto flex items-center justify-center w-full h-full"
+                            on:click=move |_| open.set(false)
+                        >
+                        </div>
+                    </Show>
+                    { children.map(|c| c().into_any()).unwrap_or_else(|| ().into_any())}
+                </div>
+            </Provider>
+        </Provider>
+    }
+}
+
+#[component]
+pub fn SelectTrigger(
+    #[prop(into, optional)] size: Signal<SelectTriggerSize>,
+    #[prop(into, optional)] class: MaybeProp<String>,
+    #[prop(optional)] children: Option<Children>,
+) -> impl IntoView {
+    let context = use_context::<SelectContext>().expect("SelectItem must be used within Select");
+
+    let children = children
+        .map(|c| c().into_any())
+        .unwrap_or_else(|| ().into_any());
+
+    view! {
+        <button
+            type="button"
+            class=move || tw_merge!(
+                "border-input data-[placeholder]:text-muted-foreground [&_svg:not([class*='text-'])]:text-muted-foreground focus-visible:border-ring focus-visible:ring-ring/50 aria-invalid:ring-destructive/20 dark:aria-invalid:ring-destructive/40 aria-invalid:border-destructive dark:bg-input/30 dark:hover:bg-input/50 flex w-fit items-center justify-between gap-2 rounded-md border bg-transparent px-3 py-2 text-sm whitespace-nowrap shadow-xs transition-[color,box-shadow] outline-none focus-visible:ring-[3px] disabled:cursor-not-allowed disabled:opacity-50 data-[size=default]:h-9 data-[size=sm]:h-8 *:data-[slot=select-value]:line-clamp-1 *:data-[slot=select-value]:flex *:data-[slot=select-value]:items-center *:data-[slot=select-value]:gap-2 [&_svg]:pointer-events-none [&_svg]:shrink-0 [&_svg:not([class*='size-'])]:size-4",
+                class.get()
+            )
+            data-slot="select-trigger"
+            data-size={move || match size.get() {
+                SelectTriggerSize::Sm => "sm",
+                SelectTriggerSize::Default => "default",
+            }}
+            on:click=move |_| {
+                context.open.update(|open| *open = !*open);
+            }
+        >
+            { children }
+            // <span class="pointer-events-none">
+            //     {move || context.current_value.get()}
+            // </span>
+            <lucide_leptos::ChevronDown />
+        </button>
+    }
+}
+
+#[component]
+pub fn SelectContent(
+    #[prop(into, optional)] class: MaybeProp<String>,
+    #[prop(optional)] children: Option<ChildrenFn>,
+) -> impl IntoView {
+    let open_context =
+        use_context::<SelectContext>().expect("SelectItem needs to have SelectOpenContext");
+    let open = open_context.open;
+    let show = fade_effect(open.read_only());
+
+    view! {
+        <Show when=move || show.get() fallback=|| ()>
+            <div
+                class=move || tw_merge!(
+                    "absolute z-50 bg-popover text-popover-foreground data-[state=open]:animate-in data-[state=closed]:animate-out data-[state=closed]:fade-out-0 data-[state=open]:fade-in-0 data-[state=closed]:zoom-out-95 data-[state=open]:zoom-in-95 data-[side=bottom]:slide-in-from-top-2 data-[side=left]:slide-in-from-right-2 data-[side=right]:slide-in-from-left-2 data-[side=top]:slide-in-from-bottom-2 max-h-(--radix-select-content-available-height) min-w-[8rem] origin-(--radix-select-content-transform-origin) overflow-x-hidden overflow-y-auto rounded-md border shadow-md",
+                    "data-[side=bottom]:translate-y-1 data-[side=left]:-translate-x-1 data-[side=right]:translate-x-1 data-[side=top]:-translate-y-1",
+                    class.get()
+                )
+                data-side="bottom"
+                data-state=move || { if open.get() { "open" } else { "closed" } }
+                data-slot="select-content"
+            >
+                <div
+                    class=move || tw_merge!(
+                        "p-1",
+                        "h-[var(--radix-select-trigger-height)] w-full min-w-[var(--radix-select-trigger-width)] scroll-my-1",
+                    )
+                >
+                    {children.clone().map(|c| c().into_any()).unwrap_or_else(|| ().into_any())}
+                </div>
+            </div>
+        </Show>
+    }
+}
+
+#[component]
+pub fn SelectItem<T>(
+    #[prop()] value: T,
+    #[prop(into, optional)] class: MaybeProp<String>,
+    #[prop(into, optional)] display: MaybeProp<String>,
+    #[prop(optional)] children: Option<Children>,
+) -> impl IntoView
+where
+    T: PartialEq + std::fmt::Debug + Clone + Send + Sync + 'static,
+{
+    let value_context = use_context::<SelectValueContext<T>>();
+    let context =
+        use_context::<SelectContext>().expect("SelectItem needs to have SelectOpenContext");
+    if value_context.is_none() {
+        console_log(&format!(
+            "Select Item {value:?} won't be selected because it's the different type of value in Select"
+        ));
+    }
+    // let item_value = value.clone();
+    // let display_value = value.clone();
+
+    let is_selected = {
+        let context = value_context.clone();
+        let value = value.clone();
+        Signal::derive(move || context.as_ref().map(|c| c.value.get()).as_ref() == Some(&value))
+    };
+
+    let children = children
+        .map(|c| c().into_any())
+        .unwrap_or_else(|| ().into_any());
+
+    view! {
+        <div
+            class=move || tw_merge!(
+                "hover:bg-accent hover:text-accent-foreground [&_svg:not([class*='text-'])]:text-muted-foreground relative flex w-full cursor-default items-center gap-2 rounded-sm py-1.5 pr-8 pl-2 text-sm outline-hidden select-none data-[disabled]:pointer-events-none data-[disabled]:opacity-50 [&_svg]:pointer-events-none [&_svg]:shrink-0 [&_svg:not([class*='size-'])]:size-4 *:[span]:last:flex *:[span]:last:items-center *:[span]:last:gap-2",
+                // if is_selected.get() { "bg-accent text-accent-foreground" } else { "" },
+                class.get()
+            )
+            class:hidden=move || {
+                if let Some(display) = display.get() {
+                    if !display.contains(context.search_filter.get().as_str()) {
+                        return true
+                    }
+                }
+                false
+            }
+            // data-value=display_value.clone()
+            // data-selected=move || is_selected.get()
+            data-slot="select-item"
+            on:click=move |_| {
+                if let Some(context) = &value_context {
+                    context.value.set(value.clone());
+                }
+                context.open.set(false);
+            }
+        >
+            <span class="absolute right-2 flex size-3.5 items-center justify-center">
+                <Show when=move || is_selected.get() fallback=|| ()>
+                    <lucide_leptos::Check  />
+                </Show>
+            </span>
+            {children}
+        </div>
+    }
+}
+
+#[component]
+pub fn SelectLabel(
+    #[prop(into, optional)] class: MaybeProp<String>,
+    children: Children,
+) -> impl IntoView {
+    view! {
+        <div
+            class=move || tw_merge!(
+                "px-2 py-1.5 text-sm font-semibold text-foreground",
+                class.get()
+            )
+            data-slot="select-label"
+        >
+            {children()}
+        </div>
+    }
+}
+
+#[component]
+pub fn SelectSearchInput(
+    #[prop(into, optional)] class: MaybeProp<String>,
+    #[prop(into, optional)] placeholder: MaybeProp<String>,
+) -> impl IntoView {
+    let class = Signal::derive(move || {
+        tw_merge!(
+            "w-full px-2 border-none focus-visible:ring-[0px] focus-visible:border-0 shadow-none",
+            class.get()
+        )
+    });
+
+    let context = use_context::<SelectContext>().expect("SelectItem must be used within Select");
+
+    view! {
+        <div class="flex items-center pl-2 [&_svg:not([class*='text-'])]:text-muted-foreground [&_svg]:shrink-0 [&_svg:not([class*='size-'])]:size-4">
+            <lucide_leptos::Search />
+            <Input
+                class
+                attr:placeholder=move || placeholder.get().unwrap_or_else(|| "Search ...".to_string())
+                prop:value=move || context.search_filter.get()
+                on:input=move |ev| {
+                    context.search_filter.set(event_target_value(&ev));
+                }
+            />
+        </div>
+    }
+}
+
+#[component]
+pub fn SelectSeparator(#[prop(into, optional)] class: MaybeProp<String>) -> impl IntoView {
+    view! {
+        <div
+            class=move || tw_merge!(
+                "bg-muted -mx-1 my-1 h-px",
+                class.get()
+            )
+            data-slot="select-separator"
+        />
+    }
+}
diff --git a/crates/dashboard/src/component/separator.rs b/crates/dashboard/src/component/separator.rs
new file mode 100644
index 0000000..ef5e4a6
--- /dev/null
+++ b/crates/dashboard/src/component/separator.rs
@@ -0,0 +1,43 @@
+use leptos::prelude::*;
+use tailwind_fuse::*;
+
+#[derive(Default)]
+pub enum SeparatorOrientation {
+    #[default]
+    Horizontal,
+    Vertical,
+}
+
+impl std::fmt::Display for SeparatorOrientation {
+    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
+        let s = match self {
+            SeparatorOrientation::Horizontal => "horizontal",
+            SeparatorOrientation::Vertical => "vertical",
+        };
+        f.write_str(s)
+    }
+}
+
+#[component]
+pub fn Separator(
+    #[prop(into, optional)] orientation: Signal<SeparatorOrientation>,
+    #[prop(into, optional)] class: MaybeProp<String>,
+    #[prop(optional)] children: Option<Children>,
+) -> impl IntoView {
+    let children = children
+        .map(|c| c().into_any())
+        .unwrap_or_else(|| ().into_any());
+
+    view! {
+        <div
+            class=move || tw_merge!(
+                "bg-border shrink-0 data-[orientation=horizontal]:h-px data-[orientation=horizontal]:w-full data-[orientation=vertical]:h-full data-[orientation=vertical]:w-px",
+                class.get()
+            )
+            data-slot="separator-root"
+            data-orientation=move || orientation.with(|o| o.to_string())
+        >
+            {children}
+        </div>
+    }
+}
diff --git a/crates/dashboard/src/component/sidebar.rs b/crates/dashboard/src/component/sidebar.rs
new file mode 100644
index 0000000..e6d700a
--- /dev/null
+++ b/crates/dashboard/src/component/sidebar.rs
@@ -0,0 +1,446 @@
+use leptos::prelude::*;
+use lucide_leptos::PanelLeft;
+use tailwind_fuse::*;
+
+use crate::component::button::{Button, ButtonSize, ButtonVariant};
+
+#[derive(Clone)]
+pub struct SidebarData {
+    pub open: RwSignal<bool>,
+}
+
+#[component]
+pub fn SidebarProvider(
+    #[prop(into, optional)] class: MaybeProp<String>,
+    #[prop(optional)] children: Option<Children>,
+) -> impl IntoView {
+    let children = children
+        .map(|c| c().into_any())
+        .unwrap_or_else(|| ().into_any());
+
+    view! {
+        <div
+            style="--sidebar-width: 16em"
+            style=("--sidebar-width-icon", "3em")
+            class=move || tw_merge!(
+                "group/sidebar-wrapper has-data-[variant=inset]:bg-sidebar flex min-h-svh w-full",
+                class.get()
+            )
+            data-slot="sidebar-wrapper"
+        >
+            {children}
+        </div>
+    }
+}
+
+#[component]
+pub fn Sidebar(
+    #[prop(into, optional)] class: MaybeProp<String>,
+    #[prop(optional)] children: Option<Children>,
+) -> impl IntoView {
+    let children = children
+        .map(|c| c().into_any())
+        .unwrap_or_else(|| ().into_any());
+
+    let data: SidebarData = expect_context();
+
+    view! {
+        <div
+            class="group peer text-sidebar-foreground hidden md:block"
+            data-state=move || match data.open.get() {
+                true => "expanded",
+                false => "collapsed",
+            }
+            data-collapsible=move || if !data.open.get() { "offcanvas" } else { "" }
+            data-slot="sidebar"
+            data-side="left"
+            data-variant="sidebar"
+        >
+            <div
+                class=move || tw_merge!(
+                    "relative w-(--sidebar-width) bg-transparent transition-[width] duration-200 ease-linear",
+                    "group-data-[collapsible=offcanvas]:w-0",
+                    "group-data-[side=right]:rotate-180",
+                    "group-data-[collapsible=icon]:w-(--sidebar-width-icon)",
+                )
+                data-slot="sidebar-gap"
+            >
+            </div>
+            <div
+                class=move || tw_merge!(
+                    "fixed inset-y-0 z-10 hidden h-svh w-(--sidebar-width) transition-[left,right,width] duration-200 ease-linear md:flex",
+                    "left-0 group-data-[collapsible=offcanvas]:left-[calc(var(--sidebar-width)*-1)]",
+                    "group-data-[collapsible=icon]:w-(--sidebar-width-icon) group-data-[side=left]:border-r group-data-[side=right]:border-l",
+                    class.get()
+                )
+                data-slot="sidebar-container"
+            >
+                <div
+                    data-sidebar="sidebar"
+                    data-slot="sidebar-inner"
+                    class="bg-sidebar group-data-[variant=floating]:border-sidebar-border flex h-full w-full flex-col group-data-[variant=floating]:rounded-lg group-data-[variant=floating]:border group-data-[variant=floating]:shadow-sm"
+                >
+                    {children}
+                </div>
+            </div>
+        </div>
+    }
+}
+
+#[component]
+pub fn SidebarHeader(
+    #[prop(into, optional)] class: MaybeProp<String>,
+    #[prop(optional)] children: Option<Children>,
+) -> impl IntoView {
+    let children = children
+        .map(|c| c().into_any())
+        .unwrap_or_else(|| ().into_any());
+
+    view! {
+        <div
+            class=move || tw_merge!("flex flex-col gap-2 p-2", class.get())
+            data-slot="sidebar-header"
+            data-sidebar="header"
+        >
+            {children}
+        </div>
+    }
+}
+
+#[component]
+pub fn SidebarFooter(
+    #[prop(into, optional)] class: MaybeProp<String>,
+    #[prop(optional)] children: Option<Children>,
+) -> impl IntoView {
+    let children = children
+        .map(|c| c().into_any())
+        .unwrap_or_else(|| ().into_any());
+
+    view! {
+        <div
+            class=move || tw_merge!("flex flex-col gap-2 p-2", class.get())
+            data-slot="sidebar-footer"
+            data-sidebar="footer"
+        >
+            {children}
+        </div>
+    }
+}
+
+#[component]
+pub fn SidebarContent(
+    #[prop(into, optional)] class: MaybeProp<String>,
+    #[prop(optional)] children: Option<Children>,
+) -> impl IntoView {
+    let children = children
+        .map(|c| c().into_any())
+        .unwrap_or_else(|| ().into_any());
+
+    view! {
+        <div
+            class=move || tw_merge!("flex min-h-0 flex-1 flex-col gap-2 overflow-auto group-data-[collapsible=icon]:overflow-hidden", class.get())
+            data-slot="sidebar-content"
+            data-sidebar="content"
+        >
+            {children}
+        </div>
+    }
+}
+
+#[component]
+pub fn SidebarGroup(
+    #[prop(into, optional)] class: MaybeProp<String>,
+    #[prop(optional)] children: Option<Children>,
+) -> impl IntoView {
+    let children = children
+        .map(|c| c().into_any())
+        .unwrap_or_else(|| ().into_any());
+
+    view! {
+        <div
+            class=move || tw_merge!("relative flex w-full min-w-0 flex-col p-2", class.get())
+            data-slot="sidebar-group"
+            data-sidebar="group"
+        >
+            {children}
+        </div>
+    }
+}
+
+#[component]
+pub fn SidebarGroupContent(
+    #[prop(into, optional)] class: MaybeProp<String>,
+    #[prop(optional)] children: Option<Children>,
+) -> impl IntoView {
+    let children = children
+        .map(|c| c().into_any())
+        .unwrap_or_else(|| ().into_any());
+
+    view! {
+        <div
+            class=move || tw_merge!(
+                "w-full text-sm",
+                class.get()
+            )
+            data-slot="sidebar-group-content"
+            data-sidebar="group-content"
+        >
+            {children}
+        </div>
+    }
+}
+
+#[component]
+pub fn SidebarGroupLabel(
+    #[prop(into, optional)] class: MaybeProp<String>,
+    #[prop(optional)] children: Option<Children>,
+) -> impl IntoView {
+    let children = children
+        .map(|c| c().into_any())
+        .unwrap_or_else(|| ().into_any());
+
+    view! {
+        <div
+            class=move || tw_merge!(
+                    "text-sidebar-foreground/70 ring-sidebar-ring flex h-8 shrink-0 items-center rounded-md px-2 text-xs font-medium outline-hidden transition-[margin,opacity] duration-200 ease-linear focus-visible:ring-2 [&>svg]:size-4 [&>svg]:shrink-0",
+                    "group-data-[collapsible=icon]:-mt-8 group-data-[collapsible=icon]:opacity-0",
+                    class.get()
+                )
+            data-slot="sidebar-group-label"
+            data-sidebar="group-label"
+        >
+            {children}
+        </div>
+    }
+}
+
+#[component]
+pub fn SidebarMenu(
+    #[prop(into, optional)] class: MaybeProp<String>,
+    #[prop(optional)] children: Option<Children>,
+) -> impl IntoView {
+    let children = children
+        .map(|c| c().into_any())
+        .unwrap_or_else(|| ().into_any());
+
+    view! {
+        <ul
+            class=move || tw_merge!(
+                "flex w-full min-w-0 flex-col gap-1",
+                class.get()
+            )
+            data-slot="sidebar-menu"
+            data-sidebar="menu"
+        >
+            {children}
+        </ul>
+    }
+}
+
+#[component]
+pub fn SidebarMenuItem(
+    #[prop(into, optional)] class: MaybeProp<String>,
+    #[prop(optional)] children: Option<Children>,
+) -> impl IntoView {
+    let children = children
+        .map(|c| c().into_any())
+        .unwrap_or_else(|| ().into_any());
+
+    view! {
+        <li
+            class=move || tw_merge!(
+                "group/menu-item relative",
+                class.get()
+            )
+            data-slot="sidebar-menu-item"
+            data-sidebar="menu-item"
+        >
+            {children}
+        </li>
+    }
+}
+
+#[component]
+pub fn SidebarMenuSub(
+    #[prop(into, optional)] class: MaybeProp<String>,
+    #[prop(optional)] children: Option<Children>,
+) -> impl IntoView {
+    let children = children
+        .map(|c| c().into_any())
+        .unwrap_or_else(|| ().into_any());
+
+    view! {
+        <ul
+            class=move || tw_merge!(
+                "border-sidebar-border mx-3.5 flex min-w-0 translate-x-px flex-col gap-1 border-l px-2.5 py-0.5",
+                "group-data-[collapsible=icon]:hidden",
+                class.get()
+            )
+            data-slot="sidebar-menu-sub"
+            data-sidebar="menu-sub"
+        >
+            {children}
+        </ul>
+    }
+}
+
+#[component]
+pub fn SidebarMenuSubItem(
+    #[prop(into, optional)] class: MaybeProp<String>,
+    #[prop(optional)] children: Option<Children>,
+) -> impl IntoView {
+    let children = children
+        .map(|c| c().into_any())
+        .unwrap_or_else(|| ().into_any());
+
+    view! {
+        <li
+            class=move || tw_merge!(
+                "group/menu-sub-item relative",
+                class.get()
+            )
+            data-slot="sidebar-menu-sub-item"
+            data-sidebar="menu-sub-item"
+        >
+            {children}
+        </li>
+    }
+}
+
+#[component]
+pub fn SidebarMenuSubButton(
+    #[prop(into, optional)] size: Signal<SidebarSubButtonSize>,
+    #[prop(into, optional)] class: MaybeProp<String>,
+    #[prop(into, optional)] href: MaybeProp<String>,
+    #[prop(optional)] children: Option<Children>,
+) -> impl IntoView {
+    let class = Memo::new(move |_| {
+        tw_merge!(
+            "text-sidebar-foreground ring-sidebar-ring hover:bg-sidebar-accent hover:text-sidebar-accent-foreground active:bg-sidebar-accent active:text-sidebar-accent-foreground [&>svg]:text-sidebar-accent-foreground flex h-7 min-w-0 -translate-x-px items-center gap-2 overflow-hidden rounded-md px-2 outline-hidden focus-visible:ring-2 disabled:pointer-events-none disabled:opacity-50 aria-disabled:pointer-events-none aria-disabled:opacity-50 [&>span:last-child]:truncate [&>svg]:size-4 [&>svg]:shrink-0",
+            "data-[active=true]:bg-sidebar-accent data-[active=true]:text-sidebar-accent-foreground",
+            "group-data-[collapsible=icon]:hidden",
+            size.get(),
+            class.get()
+        )
+    });
+
+    let children = children
+        .map(|c| c().into_any())
+        .unwrap_or_else(|| ().into_any());
+
+    view! {
+        <a
+            class={move || class.get()}
+            href=move || href.get().unwrap_or_default()
+        >
+            { children }
+        </a>
+    }
+}
+
+#[derive(TwClass)]
+#[tw(
+    class = "peer/menu-button flex w-full items-center gap-2 overflow-hidden rounded-md p-2 text-left text-sm outline-hidden ring-sidebar-ring transition-[width,height,padding] hover:bg-sidebar-accent hover:text-sidebar-accent-foreground focus-visible:ring-2 active:bg-sidebar-accent active:text-sidebar-accent-foreground disabled:pointer-events-none disabled:opacity-50 group-has-data-[sidebar=menu-action]/menu-item:pr-8 aria-disabled:pointer-events-none aria-disabled:opacity-50 data-[active=true]:bg-sidebar-accent data-[active=true]:font-medium data-[active=true]:text-sidebar-accent-foreground data-[state=open]:hover:bg-sidebar-accent data-[state=open]:hover:text-sidebar-accent-foreground group-data-[collapsible=icon]:size-8! group-data-[collapsible=icon]:p-2! [&>span:last-child]:truncate [&>svg]:size-4 [&>svg]:shrink-0"
+)]
+pub struct SidebarButtonClass {
+    pub variant: SidebarButtonVariant,
+    pub size: SidebarButtonSize,
+}
+
+#[derive(PartialEq, TwVariant)]
+pub enum SidebarButtonVariant {
+    #[tw(
+        default,
+        class = "hover:bg-sidebar-accent hover:text-sidebar-accent-foreground"
+    )]
+    Default,
+    #[tw(
+        class = "bg-background shadow-[0_0_0_1px_hsl(var(--sidebar-border))] hover:bg-sidebar-accent hover:text-sidebar-accent-foreground hover:shadow-[0_0_0_1px_hsl(var(--sidebar-accent))]"
+    )]
+    Outline,
+}
+
+#[derive(PartialEq, TwVariant)]
+pub enum SidebarButtonSize {
+    #[tw(default, class = "h-8 text-sm")]
+    Default,
+    #[tw(class = "h-7 text-xs")]
+    Sm,
+    #[tw(class = "h-12 text-sm group-data-[collapsible=icon]:p-0!")]
+    Lg,
+}
+
+#[derive(PartialEq, TwVariant)]
+pub enum SidebarSubButtonSize {
+    #[tw(default, class = "text-sm")]
+    Md,
+    #[tw(class = "text-xs")]
+    Sm,
+}
+
+#[component]
+pub fn SidebarMenuButton(
+    #[prop(into, optional)] variant: Signal<SidebarButtonVariant>,
+    #[prop(into, optional)] size: Signal<SidebarButtonSize>,
+    #[prop(into, optional)] class: MaybeProp<String>,
+    #[prop(optional)] children: Option<Children>,
+) -> impl IntoView {
+    let class = Memo::new(move |_| {
+        SidebarButtonClass {
+            variant: variant.get(),
+            size: size.get(),
+        }
+        .with_class(class.get().unwrap_or_default())
+    });
+
+    let children = children
+        .map(|c| c().into_any())
+        .unwrap_or_else(|| ().into_any());
+
+    view! {
+        <button
+            class={move || class.get()}
+        >
+            { children }
+        </button>
+    }
+}
+
+#[component]
+pub fn SidebarInset(
+    #[prop(into, optional)] class: MaybeProp<String>,
+    #[prop(optional)] children: Option<Children>,
+) -> impl IntoView {
+    let children = children
+        .map(|c| c().into_any())
+        .unwrap_or_else(|| ().into_any());
+
+    view! {
+        <main
+            class=move || tw_merge!(
+                "bg-background relative flex w-full flex-1 flex-col",
+                "md:peer-data-[variant=inset]:m-2 md:peer-data-[variant=inset]:ml-0 md:peer-data-[variant=inset]:rounded-xl md:peer-data-[variant=inset]:shadow-sm md:peer-data-[variant=inset]:peer-data-[state=collapsed]:ml-2",
+                class.get()
+            )
+            data-slot="sidebar-inset"
+        >
+            {children}
+        </main>
+    }
+}
+
+#[component]
+pub fn SidebarTrigger(#[prop(into, optional)] class: MaybeProp<String>) -> impl IntoView {
+    let class = MaybeProp::derive(move || Some(tw_merge!("size-7", class.get())));
+
+    view! {
+        <Button
+            variant=ButtonVariant::Ghost
+            size=ButtonSize::Icon
+            class
+        >
+            <PanelLeft />
+            <span class="sr-only">Toggle Sidebar</span>
+        </Button>
+    }
+}
diff --git a/crates/dashboard/src/component/table.rs b/crates/dashboard/src/component/table.rs
new file mode 100644
index 0000000..b9c413e
--- /dev/null
+++ b/crates/dashboard/src/component/table.rs
@@ -0,0 +1,175 @@
+use leptos::prelude::*;
+use tailwind_fuse::*;
+
+#[component]
+pub fn Table(
+    #[prop(into, optional)] class: MaybeProp<String>,
+    #[prop(optional)] children: Option<Children>,
+) -> impl IntoView {
+    let children = children
+        .map(|c| c().into_any())
+        .unwrap_or_else(|| ().into_any());
+    view! {
+        <div
+            data-slot="table-container"
+            class="relative w-full overflow-x-auto"
+        >
+            <table
+                data-slot="table"
+                class=move || tw_merge!(
+                    "w-full caption-bottom text-sm",
+                    class.get()
+                )
+            >
+                { children }
+            </table>
+        </div>
+    }
+}
+
+#[component]
+pub fn TableHeader(
+    #[prop(into, optional)] class: MaybeProp<String>,
+    #[prop(optional)] children: Option<Children>,
+) -> impl IntoView {
+    let children = children
+        .map(|c| c().into_any())
+        .unwrap_or_else(|| ().into_any());
+    view! {
+        <thead
+            data-slot="table-header"
+            class=move || tw_merge!(
+                "[&_tr]:border-b",
+                class.get()
+            )
+        >
+            { children }
+        </thead>
+    }
+}
+
+#[component]
+pub fn TableBody(
+    #[prop(into, optional)] class: MaybeProp<String>,
+    #[prop(optional)] children: Option<Children>,
+) -> impl IntoView {
+    let children = children
+        .map(|c| c().into_any())
+        .unwrap_or_else(|| ().into_any());
+    view! {
+        <tbody
+            data-slot="table-body"
+            class=move || tw_merge!(
+                "[&_tr:last-child]:border-0",
+                class.get()
+            )
+        >
+            { children }
+        </tbody>
+    }
+}
+
+#[component]
+pub fn TableFooter(
+    #[prop(into, optional)] class: MaybeProp<String>,
+    #[prop(optional)] children: Option<Children>,
+) -> impl IntoView {
+    let children = children
+        .map(|c| c().into_any())
+        .unwrap_or_else(|| ().into_any());
+    view! {
+        <tfoot
+            data-slot="table-footer"
+            class=move || tw_merge!(
+                "bg-muted/50 border-t font-medium [&>tr]:last:border-b-0",
+                class.get()
+            )
+        >
+            { children }
+        </tfoot>
+    }
+}
+
+#[component]
+pub fn TableRow(
+    #[prop(into, optional)] class: MaybeProp<String>,
+    #[prop(optional)] children: Option<Children>,
+) -> impl IntoView {
+    let children = children
+        .map(|c| c().into_any())
+        .unwrap_or_else(|| ().into_any());
+    view! {
+        <tr
+            data-slot="table-row"
+            class=move || tw_merge!(
+                "hover:bg-muted/50 data-[state=selected]:bg-muted border-b transition-colors",
+                class.get()
+            )
+        >
+            { children }
+        </tr>
+    }
+}
+
+#[component]
+pub fn TableHead(
+    #[prop(into, optional)] class: MaybeProp<String>,
+    #[prop(optional)] children: Option<Children>,
+) -> impl IntoView {
+    let children = children
+        .map(|c| c().into_any())
+        .unwrap_or_else(|| ().into_any());
+    view! {
+        <th
+            data-slot="table-head"
+            class=move || tw_merge!(
+                "text-foreground h-10 px-2 text-left align-middle font-medium whitespace-nowrap [&:has([role=checkbox])]:pr-0 [&>[role=checkbox]]:translate-y-[2px]",
+                class.get()
+            )
+        >
+            { children }
+        </th>
+    }
+}
+
+#[component]
+pub fn TableCell(
+    #[prop(into, optional)] class: MaybeProp<String>,
+    #[prop(optional)] children: Option<Children>,
+) -> impl IntoView {
+    let children = children
+        .map(|c| c().into_any())
+        .unwrap_or_else(|| ().into_any());
+    view! {
+        <td
+            data-slot="table-cell"
+            class=move || tw_merge!(
+                "p-2 align-middle whitespace-nowrap [&:has([role=checkbox])]:pr-0 [&>[role=checkbox]]:translate-y-[2px]",
+                class.get()
+            )
+        >
+            { children }
+        </td>
+    }
+}
+
+#[component]
+pub fn TableCaption(
+    #[prop(into, optional)] class: MaybeProp<String>,
+    #[prop(optional)] children: Option<Children>,
+) -> impl IntoView {
+    let children = children
+        .map(|c| c().into_any())
+        .unwrap_or_else(|| ().into_any());
+    view! {
+        <td
+            data-slot="table-caption"
+            class=move || tw_merge!(
+                "text-muted-foreground mt-4 text-sm",
+                class.get()
+            )
+        >
+            { children }
+        </td>
+    }
+}
diff --git a/crates/dashboard/src/component/tabs.rs b/crates/dashboard/src/component/tabs.rs
new file mode 100644
index 0000000..26c38a5
--- /dev/null
+++ b/crates/dashboard/src/component/tabs.rs
@@ -0,0 +1,114 @@
+use leptos::{context::Provider, prelude::*};
+use tailwind_fuse::*;
+
+#[derive(Clone)]
+struct TabsContext<T: PartialEq + Clone + Send + Sync + 'static> {
+    value: RwSignal<T>,
+}
+
+#[component]
+pub fn Tabs<T>(
+    #[prop()] default_value: RwSignal<T>,
+    #[prop(into, optional)] class: MaybeProp<String>,
+    #[prop(optional)] children: Option<ChildrenFn>,
+) -> impl IntoView
+where
+    T: PartialEq + Clone + Send + Sync + 'static,
+{
+    view! {
+        <Provider value=TabsContext { value: default_value }>
+            <div
+                data-slot="tabs"
+                class=move || tw_merge!(
+                    "flex flex-col gap-2",
+                    class.get()
+                )
+            >
+                {children.clone().map(|c| c().into_any()).unwrap_or_else(|| ().into_any())}
+            </div>
+        </Provider>
+    }
+}
+
+#[component]
+pub fn TabsList(
+    #[prop(into, optional)] class: MaybeProp<String>,
+    #[prop(optional)] children: Option<ChildrenFn>,
+) -> impl IntoView {
+    view! {
+        <div
+            data-slot="tabs-list"
+            class=move || tw_merge!(
+                "bg-muted text-muted-foreground inline-flex h-9 w-fit items-center justify-center rounded-lg p-[3px]",
+                class.get()
+            )
+        >
+            {children.clone().map(|c| c().into_any()).unwrap_or_else(|| ().into_any())}
+        </div>
+    }
+}
+
+#[component]
+pub fn TabsTrigger<T>(
+    #[prop()] value: T,
+    #[prop(into, optional)] class: MaybeProp<String>,
+    #[prop(optional)] children: Option<ChildrenFn>,
+) -> impl IntoView
+where
+    T: PartialEq + Clone + Send + Sync + 'static,
+{
+    let context = use_context::<TabsContext<T>>();
+    let is_active = {
+        let value = value.clone();
+        let context = context.clone();
+        Signal::derive(move || context.as_ref().map(|c| c.value.get()).as_ref() == Some(&value))
+    };
+
+    view! {
+        <button
+            data-slot="tabs-trigger"
+            class=move || tw_merge!(
+                "data-[state=active]:bg-background dark:data-[state=active]:text-foreground focus-visible:border-ring focus-visible:ring-ring/50 focus-visible:outline-ring dark:data-[state=active]:border-input dark:data-[state=active]:bg-input/30 text-foreground dark:text-muted-foreground inline-flex h-[calc(100%-1px)] flex-1 items-center justify-center gap-1.5 rounded-md border border-transparent px-2 py-1 text-sm font-medium whitespace-nowrap transition-[color,box-shadow] focus-visible:ring-[3px] focus-visible:outline-1 disabled:pointer-events-none disabled:opacity-50 data-[state=active]:shadow-sm [&_svg]:pointer-events-none [&_svg]:shrink-0 [&_svg:not([class*='size-'])]:size-4",
+                class.get()
+            )
+            data-state=move || { if is_active.get() { "active" } else { "inactive" } }
+            on:click=move |_| {
+                if let Some(context) = &context {
+                    context.value.set(value.clone());
+                }
+            }
+        >
+            {children.clone().map(|c| c().into_any()).unwrap_or_else(|| ().into_any())}
+        </button>
+    }
+}
+
+#[component]
+pub fn TabsContent<T>(
+    #[prop()] value: T,
+    #[prop(into, optional)] class: MaybeProp<String>,
+    #[prop(optional)] children: Option<ChildrenFn>,
+) -> impl IntoView
+where
+    T: PartialEq + Clone + Send + Sync + 'static,
+{
+    let context = use_context::<TabsContext<T>>();
+    let is_active = {
+        let value = value.clone();
+        Signal::derive(move || context.as_ref().map(|c| c.value.get()).as_ref() == Some(&value))
+    };
+
+    view! {
+        <Show when=move || is_active.get()>
+            <div
+                data-slot="tabs-content"
+                class=move || tw_merge!(
+                    "flex-1 outline-none",
+                    class.get()
+                )
+            >
+                {children.clone().map(|c| c().into_any()).unwrap_or_else(|| ().into_any())}
+            </div>
+        </Show>
+    }
+}
diff --git a/crates/dashboard/src/component/textarea.rs b/crates/dashboard/src/component/textarea.rs
new file mode 100644
index 0000000..10939fd
--- /dev/null
+++ b/crates/dashboard/src/component/textarea.rs
@@ -0,0 +1,18 @@
+use leptos::prelude::*;
+use tailwind_fuse::*;
+
+#[component]
+pub fn Textarea(#[prop(into, optional)] class: MaybeProp<String>) -> impl IntoView {
+    view! {
+        <textarea
+            class=move || tw_join!(
+                "focus-visible:ring-ring/50",
+                tw_merge!(
+                    "border-input placeholder:text-muted-foreground focus-visible:border-ring aria-invalid:ring-destructive/20 dark:aria-invalid:ring-destructive/40 aria-invalid:border-destructive dark:bg-input/30 flex field-sizing-content min-h-16 w-full rounded-md border bg-transparent px-3 py-2 text-base shadow-xs transition-[color,box-shadow] outline-none focus-visible:ring-[3px] disabled:cursor-not-allowed disabled:opacity-50 md:text-sm",
+                    class.get(),
+                )
+            )
+            data-slot="textarea"
+        />
+    }
+}
diff --git a/crates/dashboard/src/component/typography.rs b/crates/dashboard/src/component/typography.rs
new file mode 100644
index 0000000..3a37249
--- /dev/null
+++ b/crates/dashboard/src/component/typography.rs
@@ -0,0 +1,102 @@
+use leptos::prelude::*;
+use tailwind_fuse::*;
+
+#[component]
+pub fn H2(
+    #[prop(into, optional)] class: MaybeProp<String>,
+    #[prop(optional)] children: Option<Children>,
+) -> impl IntoView {
+    let children = children
+        .map(|c| c().into_any())
+        .unwrap_or_else(|| ().into_any());
+    view! {
+        <h2
+            class=move || tw_merge!(
+                "scroll-m-20 border-b pb-2 text-3xl font-semibold tracking-tight first:mt-0",
+                class.get()
+            )
+        >
+            {children}
+        </h2>
+    }
+}
+
+#[component]
+pub fn H3(
+    #[prop(into, optional)] class: MaybeProp<String>,
+    #[prop(optional)] children: Option<Children>,
+) -> impl IntoView {
+    let children = children
+        .map(|c| c().into_any())
+        .unwrap_or_else(|| ().into_any());
+    view! {
+        <h3
+            class=move || tw_merge!(
+                "scroll-m-20 text-2xl font-semibold tracking-tight",
+                class.get()
+            )
+        >
+            {children}
+        </h3>
+    }
+}
+
+#[component]
+pub fn H4(
+    #[prop(into, optional)] class: MaybeProp<String>,
+    #[prop(optional)] children: Option<Children>,
+) -> impl IntoView {
+    let children = children
+        .map(|c| c().into_any())
+        .unwrap_or_else(|| ().into_any());
+    view! {
+        <h4
+            class=move || tw_merge!(
+                "scroll-m-20 text-xl font-semibold tracking-tight",
+                class.get()
+            )
+        >
+            {children}
+        </h4>
+    }
+}
+
+#[component]
+pub fn Lead(
+    #[prop(into, optional)] class: MaybeProp<String>,
+    #[prop(optional)] children: Option<Children>,
+) -> impl IntoView {
+    let children = children
+        .map(|c| c().into_any())
+        .unwrap_or_else(|| ().into_any());
+    view! {
+        <p
+            class=move || tw_merge!(
+                "text-muted-foreground text-xl",
+                class.get()
+            )
+        >
+            {children}
+        </p>
+    }
+}
+
+#[component]
+pub fn P(
+    #[prop(into, optional)] class: MaybeProp<String>,
+    #[prop(optional)] children: Option<Children>,
+) -> impl IntoView {
+    let children = children
+        .map(|c| c().into_any())
+        .unwrap_or_else(|| ().into_any());
+    view! {
+        <p
+            class=move || tw_merge!(
+                "leading-7",
+                class.get()
+            )
+        >
+            {children}
+        </p>
+    }
+}
diff --git a/lapdev-dashboard/src/datepicker.rs b/crates/dashboard/src/datepicker.rs
similarity index 89%
rename from lapdev-dashboard/src/datepicker.rs
rename to crates/dashboard/src/datepicker.rs
index abc3282..8902579 100644
--- a/lapdev-dashboard/src/datepicker.rs
+++ b/crates/dashboard/src/datepicker.rs
@@ -1,14 +1,12 @@
 use std::{ops::Deref, time::Duration};
 
 use chrono::{Datelike, Days, Local, Month, Months, NaiveDate};
-use leptos::{
-    component, create_effect, create_memo, create_rw_signal, document, event_target_value,
-    set_timeout, untrack, view, Callable, Callback, CollectView, IntoView, RwSignal, SignalDispose,
-    SignalGet, SignalGetUntracked, SignalSet, SignalUpdate, SignalWith, SignalWithUntracked,
-};
+use leptos::prelude::*;
 use wasm_bindgen::{JsCast, UnwrapThrowExt};
 use web_sys::FocusEvent;
 
+use crate::component::input::Input;
+
 #[derive(Default, Clone)]
 pub enum PanelKind {
     #[default]
@@ -34,9 +32,9 @@ impl PanelRef {
 
 #[component]
 pub fn Datepicker(value: RwSignal<Option<NaiveDate>>) -> impl IntoView {
-    let is_show_panel = create_rw_signal(false);
+    let is_show_panel = RwSignal::new(false);
 
-    let show_date_text = create_rw_signal(String::new());
+    let show_date_text = RwSignal::new(String::new());
     let show_date_format = "%Y-%m-%d";
 
     let update_show_date_text = move || {
@@ -49,8 +47,8 @@ pub fn Datepicker(value: RwSignal<Option<NaiveDate>>) -> impl IntoView {
     };
     update_show_date_text();
 
-    let panel_ref: RwSignal<Option<PanelRef>> = create_rw_signal(None);
-    let panel_selected_date = create_rw_signal(None::<NaiveDate>);
+    let panel_ref: RwSignal<Option<PanelRef>> = RwSignal::new(None);
+    let panel_selected_date = RwSignal::new(None::<NaiveDate>);
     _ = panel_selected_date.watch(move |date| {
         let text = date.as_ref().map_or(String::new(), |date| {
             date.format(show_date_format).to_string()
@@ -110,7 +108,7 @@ pub fn Datepicker(value: RwSignal<Option<NaiveDate>>) -> impl IntoView {
                     false
                 };
                 if !has_focus && is_show_panel.get_untracked() {
-                    close_panel.call(None);
+                    close_panel.run(None);
                 }
             },
             Duration::from_millis(0),
@@ -126,11 +124,13 @@ pub fn Datepicker(value: RwSignal<Option<NaiveDate>>) -> impl IntoView {
                     <path d="M20 4a2 2 0 0 0-2-2h-2V1a1 1 0 0 0-2 0v1h-3V1a1 1 0 0 0-2 0v1H6V1a1 1 0 0 0-2 0v1H2a2 2 0 0 0-2 2v2h20V4ZM0 18a2 2 0 0 0 2 2h16a2 2 0 0 0 2-2V8H0v10Zm5-8h10a1 1 0 0 1 0 2H5a1 1 0 0 1 0-2Z"></path>
                 </svg>
             </div>
-            <input datepicker="" datepicker-buttons="" datepicker-autoselect-today="" type="text" class="bg-gray-50 border border-gray-300 text-gray-900 text-sm rounded-lg focus:ring-blue-500 focus:border-blue-500 block w-full ps-10 p-2.5 datepicker-input" placeholder="Select date"
+            <Input
+                class="block w-full ps-10 datepicker-input"
+                attr:placeholder="Select date"
                 prop:value=move || show_date_text.get()
                 on:input=move |e| show_date_text.set(event_target_value(&e))
-                on:focus=move |e| open_panel.call(e)
-                on:blur=move |e| on_input_blur.call(e)
+                on:focus=move |e| open_panel.run(e)
+                on:blur=move |e| on_input_blur.run(e)
             />
             <Panel selected_date=panel_selected_date is_show_panel close_panel clear_input comp_ref=panel_ref />
         </div>
@@ -145,8 +145,8 @@ fn Panel(
     clear_input: Callback<()>,
     comp_ref: RwSignal<Option<PanelRef>>,
 ) -> impl IntoView {
-    let panel_kind = create_rw_signal(PanelKind::Date);
-    let show_date = create_rw_signal(selected_date.get_untracked().unwrap_or(now_date()));
+    let panel_kind = RwSignal::new(PanelKind::Date);
+    let show_date = RwSignal::new(selected_date.get_untracked().unwrap_or(now_date()));
 
     comp_ref.update(|current| {
         *current = Some(PanelRef {
@@ -162,9 +162,9 @@ fn Panel(
         >
         {move || {
             match panel_kind.get() {
-                PanelKind::Date => view! { <DatePanel value=selected_date show_date close_panel clear_input /> },
-                PanelKind::Month => view! { <MonthPanel /> },
-                PanelKind::Year => view! { <YearPanel /> },
+                PanelKind::Date => view! { <DatePanel value=selected_date show_date close_panel clear_input /> }.into_any(),
+                PanelKind::Month => view! { <MonthPanel /> }.into_any(),
+                PanelKind::Year => view! { <YearPanel /> }.into_any(),
             }
 
         }}
@@ -179,7 +179,7 @@ fn DatePanel(
     close_panel: Callback<Option<NaiveDate>>,
     clear_input: Callback<()>,
 ) -> impl IntoView {
-    let dates = create_memo(move |_| {
+    let dates = Memo::new(move |_| {
         let show_date = show_date.get();
         let show_date_month = show_date.month();
         let mut dates = vec![];
@@ -241,7 +241,7 @@ fn DatePanel(
     };
 
     let pick_today = move |_| {
-        close_panel.call(Some(now_date()));
+        close_panel.run(Some(now_date()));
     };
 
     view! {
@@ -302,7 +302,7 @@ fn DatePanel(
                         Today
                     </button>
                     <button type="button" class="button clear-btn text-gray-900 bg-white border border-gray-300 hover:bg-gray-100 focus:ring-4 focus:ring-blue-300 focus:!ring-primary-300 font-medium rounded-lg text-sm px-5 py-2 text-center w-1/2"
-                        on:click=move |_| clear_input.call(())
+                        on:click=move |_| clear_input.run(())
                     >
                         Clear
                     </button>
@@ -318,7 +318,7 @@ fn DatePanelItem(
     date: CalendarItemDate,
     close_panel: Callback<Option<NaiveDate>>,
 ) -> impl IntoView {
-    let is_selected = create_memo({
+    let is_selected = Memo::new({
         let date = date.clone();
         move |_| value.with(|value_date| value_date.as_ref() == Some(date.deref()))
     });
@@ -326,7 +326,7 @@ fn DatePanelItem(
     let on_click = {
         let date = date.clone();
         move |_| {
-            close_panel.call(Some(*date.deref()));
+            close_panel.run(Some(*date.deref()));
         }
     };
     view! {
@@ -351,12 +351,12 @@ fn DatePanelItem(
 
 #[component]
 fn MonthPanel() -> impl IntoView {
-    view! {}
+    {}
 }
 
 #[component]
 fn YearPanel() -> impl IntoView {
-    view! {}
+    {}
 }
 
 #[derive(Clone, PartialEq)]
@@ -403,12 +403,16 @@ pub trait SignalWatch {
     fn watch(&self, f: impl Fn(&Self::Value) + 'static) -> Box<dyn FnOnce()>;
 }
 
-impl<T> SignalWatch for RwSignal<T> {
+impl<T, S> SignalWatch for RwSignal<T, S>
+where
+    T: 'static,
+    S: Storage<ArcRwSignal<T>>,
+{
     type Value = T;
     fn watch(&self, f: impl Fn(&Self::Value) + 'static) -> Box<dyn FnOnce()> {
         let signal = *self;
 
-        let effect = create_effect(move |prev| {
+        let effect = Effect::new(move |prev: Option<()>| {
             signal.with(|value| {
                 if prev.is_some() {
                     untrack(|| f(value));
diff --git a/lapdev-dashboard/src/git_provider.rs b/crates/dashboard/src/git_provider.rs
similarity index 80%
rename from lapdev-dashboard/src/git_provider.rs
rename to crates/dashboard/src/git_provider.rs
index e180d99..d41754a 100644
--- a/lapdev-dashboard/src/git_provider.rs
+++ b/crates/dashboard/src/git_provider.rs
@@ -3,16 +3,12 @@ use std::time::Duration;
 use anyhow::Result;
 use gloo_net::http::Request;
 use lapdev_common::{console::NewSessionResponse, AuthProvider, GitProvider};
-use leptos::{
-    component, create_action, create_local_resource, create_rw_signal, document,
-    event_target_checked, set_timeout, view, window, For, IntoView, RwSignal, Signal, SignalGet,
-    SignalGetUntracked, SignalSet, SignalUpdate,
-};
-use leptos_router::use_location;
+use leptos::prelude::*;
+use leptos_router::{hooks::use_location, location::Location};
 use wasm_bindgen::{JsCast, UnwrapThrowExt};
 use web_sys::FocusEvent;
 
-use crate::modal::{CreationModal, ErrorResponse};
+use crate::modal::{ErrorResponse, Modal};
 
 async fn get_git_providers() -> Result<Vec<GitProvider>> {
     let resp = Request::get("/api/v1/account/git_providers").send().await?;
@@ -65,8 +61,7 @@ async fn connect_oauth(
     Ok(())
 }
 
-async fn disconnect_oauth(provider: AuthProvider) -> Result<(), ErrorResponse> {
-    let location = use_location();
+async fn disconnect_oauth(location: Location, provider: AuthProvider) -> Result<(), ErrorResponse> {
     let next = format!(
         "{}{}{}",
         window().location().origin().unwrap_or_default(),
@@ -94,13 +89,15 @@ async fn disconnect_oauth(provider: AuthProvider) -> Result<(), ErrorResponse> {
 
 #[component]
 pub fn GitProviderView() -> impl IntoView {
-    let error = create_rw_signal(None);
+    let error = RwSignal::new_local(None);
 
-    let git_provider_counter = create_rw_signal(0);
-    let git_providers = create_local_resource(
-        move || git_provider_counter.get(),
-        |_| async move { get_git_providers().await.unwrap_or_default() },
-    );
+    let git_provider_counter = RwSignal::new_local(0);
+    let git_providers =
+        LocalResource::new(|| async move { get_git_providers().await.unwrap_or_default() });
+    Effect::new(move |_| {
+        git_provider_counter.track();
+        git_providers.refetch();
+    });
     let git_providers = Signal::derive(move || git_providers.get().unwrap_or_default());
 
     view! {
@@ -121,9 +118,9 @@ pub fn GitProviderView() -> impl IntoView {
                     <div class="w-full mt-8 p-4 rounded-lg bg-red-50">
                         <span class="text-sm font-medium text-red-800">{ error }</span>
                     </div>
-                }.into_view()
+                }.into_any()
             } else {
-                view!{}.into_view()
+                ().into_any()
             }}
 
             <div class="my-8 flex flex-col gap-y-6">
@@ -145,11 +142,11 @@ pub fn GitProviderView() -> impl IntoView {
 #[component]
 fn GitProviderControl(
     provider: AuthProvider,
-    error: RwSignal<Option<String>>,
-    git_provider_counter: RwSignal<i32>,
-    update_scope_modal_hidden: RwSignal<bool>,
+    error: RwSignal<Option<String>, LocalStorage>,
+    git_provider_counter: RwSignal<i32, LocalStorage>,
+    update_scope_modal_open: RwSignal<bool>,
 ) -> impl IntoView {
-    let dropdown_hidden = create_rw_signal(true);
+    let dropdown_hidden = RwSignal::new_local(true);
     let toggle_dropdown = move |_| {
         if dropdown_hidden.get_untracked() {
             dropdown_hidden.set(false);
@@ -158,7 +155,7 @@ fn GitProviderControl(
         }
     };
 
-    let connect_action = create_action(move |_| async move {
+    let connect_action = Action::new_local(move |_| async move {
         if let Err(e) = connect_oauth(provider, None).await {
             error.set(Some(e.error));
         }
@@ -169,13 +166,17 @@ fn GitProviderControl(
         connect_action.dispatch(());
     };
 
-    let disconnect_action = create_action(move |_| async move {
-        if let Err(e) = disconnect_oauth(provider).await {
-            error.set(Some(e.error));
-        } else {
-            git_provider_counter.update(|c| {
-                *c += 1;
-            });
+    let location = use_location();
+    let disconnect_action = Action::new_local(move |_| {
+        let location = location.clone();
+        async move {
+            if let Err(e) = disconnect_oauth(location.clone(), provider).await {
+                error.set(Some(e.error));
+            } else {
+                git_provider_counter.update(|c| {
+                    *c += 1;
+                });
+            }
         }
     });
     let disconnect = move |_| {
@@ -252,7 +253,7 @@ fn GitProviderControl(
                             class="block px-4 py-2 hover:bg-gray-100 text-red-700"
                             on:click=move |_| {
                                 dropdown_hidden.set(true);
-                                update_scope_modal_hidden.set(false);
+                                update_scope_modal_open.set(true);
                             }
                         >
                             Update Permission
@@ -268,20 +269,20 @@ fn GitProviderControl(
 #[component]
 fn GitProviderItem(
     provider: GitProvider,
-    error: RwSignal<Option<String>>,
-    git_provider_counter: RwSignal<i32>,
+    error: RwSignal<Option<String>, LocalStorage>,
+    git_provider_counter: RwSignal<i32, LocalStorage>,
 ) -> impl IntoView {
-    let update_scope_modal_hidden = create_rw_signal(true);
+    let update_scope_modal_open = RwSignal::new(false);
 
     let icon = match provider.auth_provider {
         AuthProvider::Github => view! {
             <svg class="w-4 h-4 me-2" aria-hidden="true" xmlns="http://www.w3.org/2000/svg" fill="currentColor" viewBox="0 0 20 20">
                 <path fill-rule="evenodd" d="M10 .333A9.911 9.911 0 0 0 6.866 19.65c.5.092.678-.215.678-.477 0-.237-.01-1.017-.014-1.845-2.757.6-3.338-1.169-3.338-1.169a2.627 2.627 0 0 0-1.1-1.451c-.9-.615.07-.6.07-.6a2.084 2.084 0 0 1 1.518 1.021 2.11 2.11 0 0 0 2.884.823c.044-.503.268-.973.63-1.325-2.2-.25-4.516-1.1-4.516-4.9A3.832 3.832 0 0 1 4.7 7.068a3.56 3.56 0 0 1 .095-2.623s.832-.266 2.726 1.016a9.409 9.409 0 0 1 4.962 0c1.89-1.282 2.717-1.016 2.717-1.016.366.83.402 1.768.1 2.623a3.827 3.827 0 0 1 1.02 2.659c0 3.807-2.319 4.644-4.525 4.889a2.366 2.366 0 0 1 .673 1.834c0 1.326-.012 2.394-.012 2.72 0 .263.18.572.681.475A9.911 9.911 0 0 0 10 .333Z" clip-rule="evenodd"/>
             </svg>
-        },
+        }.into_any(),
         AuthProvider::Gitlab => view! {
             <svg class="w-4 h-4 me-2" viewBox="0 0 25 24" xmlns="http://www.w3.org/2000/svg"><path d="M24.507 9.5l-.034-.09L21.082.562a.896.896 0 00-1.694.091l-2.29 7.01H7.825L5.535.653a.898.898 0 00-1.694-.09L.451 9.411.416 9.5a6.297 6.297 0 002.09 7.278l.012.01.03.022 5.16 3.867 2.56 1.935 1.554 1.176a1.051 1.051 0 001.268 0l1.555-1.176 2.56-1.935 5.197-3.89.014-.01A6.297 6.297 0 0024.507 9.5z" fill="#E24329"/><path d="M24.507 9.5l-.034-.09a11.44 11.44 0 00-4.56 2.051l-7.447 5.632 4.742 3.584 5.197-3.89.014-.01A6.297 6.297 0 0024.507 9.5z" fill="#FC6D26"/><path d="M7.707 20.677l2.56 1.935 1.555 1.176a1.051 1.051 0 001.268 0l1.555-1.176 2.56-1.935-4.743-3.584-4.755 3.584z" fill="#FCA326"/><path d="M5.01 11.461a11.43 11.43 0 00-4.56-2.05L.416 9.5a6.297 6.297 0 002.09 7.278l.012.01.03.022 5.16 3.867 4.745-3.584-7.444-5.632z" fill="#FC6D26"/></svg>
-        },
+        }.into_any(),
     };
 
     view! {
@@ -330,7 +331,7 @@ fn GitProviderItem(
                         provider=provider.auth_provider
                         error
                         git_provider_counter
-                        update_scope_modal_hidden
+                        update_scope_modal_open
                     />
                 </div>
             </div>
@@ -338,7 +339,7 @@ fn GitProviderItem(
         <UpdateScopeModal
             provider=provider.auth_provider
             read_repo=provider.read_repo.unwrap_or(false)
-            update_scope_modal_hidden
+            update_scope_modal_open
         />
     }
 }
@@ -347,42 +348,38 @@ fn GitProviderItem(
 pub fn UpdateScopeModal(
     provider: AuthProvider,
     read_repo: bool,
-    update_scope_modal_hidden: RwSignal<bool>,
+    update_scope_modal_open: RwSignal<bool>,
 ) -> impl IntoView {
-    let read_repo = create_rw_signal(read_repo);
-
-    let body = view! {
-        <div class="block mb-2 text-sm font-medium text-gray-900">
-            Turn this option on if you want to open private repo in Lapdev
-        </div>
-        <div
-            class="flex items-start"
-        >
-            <div class="flex items-center h-5">
-            <input
-                id={format!("read_repo_{provider}")}
-                type="checkbox"
-                value=""
-                class="w-4 h-4 border border-gray-300 rounded bg-gray-50 focus:ring-3 focus:ring-blue-300"
-                prop:checked=move || read_repo.get()
-                on:change=move |e| read_repo.set(event_target_checked(&e))
-            />
-            </div>
-            <label for={format!("read_repo_{provider}")} class="ml-2 text-sm font-medium text-gray-900">Can read private repo</label>
-        </div>
-    };
+    let read_repo = RwSignal::new_local(read_repo);
 
-    let action = create_action(move |_| connect_oauth(provider, Some(read_repo.get_untracked())));
+    let action =
+        Action::new_local(move |_| connect_oauth(provider, Some(read_repo.get_untracked())));
     view! {
-        <CreationModal
-            title="Update Permission".to_string()
-            modal_hidden=update_scope_modal_hidden
+        <Modal
+            title="Update Permission"
+            open=update_scope_modal_open
             action
-            body
-            update_text=None
-            updating_text=None
-            create_button_hidden=Box::new(|| false)
-            width_class=None
-        />
+            action_text="Update"
+            action_progress_text="Updating"
+        >
+            <div class="block mb-2 text-sm font-medium text-gray-900">
+                Turn this option on if you want to open private repo in Lapdev
+            </div>
+            <div
+                class="flex items-start"
+            >
+                <div class="flex items-center h-5">
+                <input
+                    id={format!("read_repo_{provider}")}
+                    type="checkbox"
+                    value=""
+                    class="w-4 h-4 border border-gray-300 rounded bg-gray-50 focus:ring-3 focus:ring-blue-300"
+                    prop:checked=move || read_repo.get()
+                    on:change=move |e| read_repo.set(event_target_checked(&e))
+                />
+                </div>
+                <label for={format!("read_repo_{provider}")} class="ml-2 text-sm font-medium text-gray-900">Can read private repo</label>
+            </div>
+        </Modal>
     }
 }
diff --git a/crates/dashboard/src/home.rs b/crates/dashboard/src/home.rs
new file mode 100644
index 0000000..73104ec
--- /dev/null
+++ b/crates/dashboard/src/home.rs
@@ -0,0 +1,335 @@
+use std::sync::Arc;
+
+use chrono::{DateTime, FixedOffset};
+use lapdev_api_hrpc::HrpcServiceClient;
+use lapdev_common::kube::{
+    KubeEnvironment, KubeEnvironmentDashboardSummary, KubeEnvironmentStatus,
+};
+use leptos::prelude::*;
+
+use crate::{
+    component::{
+        badge::{Badge, BadgeVariant},
+        button::{Button, ButtonSize, ButtonVariant},
+        card::{Card, CardContent, CardDescription, CardHeader, CardTitle},
+        table::{Table, TableBody, TableCell, TableHead, TableHeader, TableRow},
+        typography::{Lead, H2, H3, P},
+    },
+    modal::DatetimeModal,
+    organization::get_current_org,
+};
+
+#[component]
+pub fn DashboardHome() -> impl IntoView {
+    let org = get_current_org();
+    let hrpc_client = use_context::<Arc<HrpcServiceClient>>().expect("hrpc client missing");
+
+    let summary_resource = LocalResource::new(move || {
+        let client = hrpc_client.clone();
+        let org = org.get();
+        async move {
+            let Some(org) = org else {
+                return None;
+            };
+            match client
+                .get_environment_dashboard_summary(org.id, Some(6))
+                .await
+            {
+                Ok(Ok(summary)) => Some(summary),
+                Ok(Err(err)) => {
+                    leptos::logging::error!("failed to load k8s dashboard summary: {err:?}");
+                    Some(KubeEnvironmentDashboardSummary::default())
+                }
+                Err(err) => {
+                    leptos::logging::error!("failed to reach dashboard summary endpoint: {err:?}");
+                    Some(KubeEnvironmentDashboardSummary::default())
+                }
+            }
+        }
+    });
+
+    let summary = Signal::derive(move || summary_resource.get().flatten());
+    let is_loading = Signal::derive(move || summary_resource.get().is_none());
+
+    view! {
+        <div class="flex flex-col gap-6">
+            <section class="flex flex-col gap-2">
+                <H3>{"Kubernetes Dev Environments"}</H3>
+                <P>{"Keep an eye on personal, shared, and branch environments in one place. Branch environments reuse the shared baseline until you override a service, so you work on your feature without cloning every workload."}</P>
+                <div class="flex flex-wrap gap-3">
+                    <a href="/kubernetes/environments/personal" class="inline-flex">
+                        <Button size=ButtonSize::Sm variant=ButtonVariant::Outline>
+                            <lucide_leptos::User attr:class="h-4 w-4" />
+                            "Personal environments"
+                        </Button>
+                    </a>
+                    <a href="/kubernetes/environments/branch" class="inline-flex">
+                        <Button size=ButtonSize::Sm variant=ButtonVariant::Outline>
+                            <lucide_leptos::GitBranch attr:class="h-4 w-4" />
+                            "Branch environments"
+                        </Button>
+                    </a>
+                    <a href="/kubernetes/environments/shared" class="inline-flex">
+                        <Button size=ButtonSize::Sm variant=ButtonVariant::Outline>
+                            <lucide_leptos::Users attr:class="h-4 w-4" />
+                            "Shared environments"
+                        </Button>
+                    </a>
+                    <a href="/kubernetes/catalogs" class="inline-flex">
+                        <Button size=ButtonSize::Sm variant=ButtonVariant::Outline>
+                            <lucide_leptos::Shapes attr:class="h-4 w-4" />
+                            "Browse app catalogs"
+                        </Button>
+                    </a>
+                </div>
+            </section>
+
+            <Show
+                when=move || !is_loading.get()
+                fallback=move || view! { <DashboardSkeleton /> }
+            >
+                {move || {
+                    let summary = summary.get().unwrap_or_default();
+                    view! {
+                        <div class="grid gap-4 sm:grid-cols-2 xl:grid-cols-4">
+                            <MetricCard title="Total environments" value=summary.total_count description="Across personal, shared, and branch spaces." />
+                            <MetricCard title="Personal" value=summary.personal_count description="Fully isolated copies of your app, deployed just for you." />
+                            <MetricCard title="Branch" value=summary.branch_count description="Spin up only the services you change while the rest run on the shared baseline." />
+                            <MetricCard title="Shared" value=summary.shared_count description="Team baselines that branch environments inherit from." />
+                        </div>
+
+                        <div class="grid gap-6">
+                            <Card class="min-h-[22rem] w-full min-w-0">
+                                <CardHeader>
+                                    <CardTitle>"Recent environments"</CardTitle>
+                                    <CardDescription>
+                                        "Latest activity across every environment you can access."
+                                    </CardDescription>
+                                </CardHeader>
+                                <CardContent class="overflow-x-auto">
+                                    {render_recent_environments(summary.recent_environments.clone())}
+                                </CardContent>
+                            </Card>
+                        </div>
+                    }
+                }}
+            </Show>
+        </div>
+    }
+}
+
+#[component]
+fn MetricCard(title: &'static str, value: usize, description: &'static str) -> impl IntoView {
+    view! {
+        <Card>
+            <CardHeader class="space-y-1">
+                <CardTitle class="text-base font-medium text-muted-foreground">{title}</CardTitle>
+                <span class="text-3xl font-semibold text-foreground">{value}</span>
+            </CardHeader>
+            <CardContent class="text-sm text-muted-foreground">{description}</CardContent>
+        </Card>
+    }
+}
+
+#[component]
+fn DashboardSkeleton() -> impl IntoView {
+    view! {
+        <div class="grid gap-4 sm:grid-cols-2 xl:grid-cols-4">
+            {(0..4).map(|_| {
+                view! {
+                    <div class="h-36 animate-pulse rounded-lg border bg-white/60" />
+                }
+            }).collect::<Vec<_>>()}
+        </div>
+    }
+}
+
+fn render_recent_environments(environments: Vec<KubeEnvironment>) -> AnyView {
+    if environments.is_empty() {
+        return view! {
+            <div class="flex flex-col items-start gap-3 rounded-lg border border-dashed border-border/70 px-6 py-8">
+                <P class="font-medium text-foreground">"No recent activity yet"</P>
+                <P class="text-sm text-muted-foreground">
+                    "Create an environment from an App Catalog to get started, then invite your team when you're ready to share."
+                </P>
+                <a href="/kubernetes/catalogs">
+                    <Button size=ButtonSize::Sm>
+                        <lucide_leptos::Rocket attr:class="h-4 w-4" />
+                        "Create your first environment"
+                    </Button>
+                </a>
+            </div>
+        }
+        .into_any();
+    }
+
+    let rows = environments
+        .into_iter()
+        .map(render_environment_row)
+        .collect::<Vec<_>>();
+
+    view! {
+        <div class="min-w-[48rem] lg:min-w-0">
+            <Table class="w-full">
+                <TableHeader>
+                    <TableRow>
+                        <TableHead>"Name"</TableHead>
+                        <TableHead>"Type"</TableHead>
+                        <TableHead>"Cluster"</TableHead>
+                        <TableHead>"Status"</TableHead>
+                        <TableHead>"Activity"</TableHead>
+                        <TableHead class="text-right">"Actions"</TableHead>
+                    </TableRow>
+                </TableHeader>
+                <TableBody>
+                    {rows}
+                </TableBody>
+            </Table>
+        </div>
+    }
+    .into_any()
+}
+
+fn render_environment_row(environment: KubeEnvironment) -> AnyView {
+    let env_type = environment_kind_badge(&environment);
+    let status_variant = status_badge_variant(&environment.status);
+    let status_label = environment.status.to_string();
+    let (activity_label, activity_time) = last_activity(&environment);
+    let activity_view = match activity_time {
+        Some(ts) => {
+            let label = activity_label.clone();
+            view! {
+                <span class="flex items-center gap-1 text-sm text-muted-foreground">
+                    <span>{label}</span>
+                    <span aria-hidden="true">"•"</span>
+                    <DatetimeModal time=ts />
+                </span>
+            }
+            .into_any()
+        }
+        None => {
+            let label = activity_label;
+            view! {
+                <span class="text-sm text-muted-foreground">{label}</span>
+            }
+            .into_any()
+        }
+    };
+    let detail_href = format!("/kubernetes/environments/{}", environment.id);
+    let catalog_href = format!("/kubernetes/catalogs/{}", environment.app_catalog_id);
+    let detail_href_for_name = detail_href.clone();
+
+    view! {
+        <TableRow>
+            <TableCell>
+                <div class="flex flex-col gap-1">
+                    <a href=detail_href_for_name class="font-medium text-foreground hover:underline">
+                        {environment.name.clone()}
+                    </a>
+                    <a href=catalog_href class="text-xs text-primary hover:underline">
+                        {environment.app_catalog_name.clone()}
+                    </a>
+                </div>
+            </TableCell>
+            <TableCell>
+                <Badge variant=env_type.1>{env_type.0}</Badge>
+            </TableCell>
+            <TableCell>
+                <span class="text-sm text-muted-foreground">{environment.cluster_name.clone()}</span>
+            </TableCell>
+            <TableCell>
+                <div class="flex flex-col gap-1">
+                    <Badge variant=status_variant>{status_label}</Badge>
+                    {if environment.catalog_update_available {
+                        view! {
+                            <Badge variant=BadgeVariant::Destructive class="uppercase tracking-wide">"Sync required"</Badge>
+                        }.into_any()
+                    } else {
+                        view! { <></> }.into_any()
+                    }}
+                </div>
+            </TableCell>
+            <TableCell>
+                {activity_view}
+            </TableCell>
+            <TableCell class="text-right">
+                <a href=detail_href class="inline-flex">
+                    <Button variant=ButtonVariant::Link size=ButtonSize::Sm>
+                        "View details"
+                        <lucide_leptos::ArrowRight attr:class="h-4 w-4" />
+                    </Button>
+                </a>
+            </TableCell>
+        </TableRow>
+    }
+    .into_any()
+}
+
+fn environment_kind_badge(environment: &KubeEnvironment) -> (&'static str, BadgeVariant) {
+    if environment.base_environment_id.is_some() {
+        ("Branch", BadgeVariant::Outline)
+    } else if environment.is_shared {
+        ("Shared", BadgeVariant::Secondary)
+    } else {
+        ("Personal", BadgeVariant::Default)
+    }
+}
+
+fn status_badge_variant(status: &KubeEnvironmentStatus) -> BadgeVariant {
+    match status {
+        KubeEnvironmentStatus::Running => BadgeVariant::Secondary,
+        KubeEnvironmentStatus::Creating
+        | KubeEnvironmentStatus::Pausing
+        | KubeEnvironmentStatus::Resuming => BadgeVariant::Outline,
+        KubeEnvironmentStatus::Paused => BadgeVariant::Outline,
+        KubeEnvironmentStatus::Deleting | KubeEnvironmentStatus::Deleted => BadgeVariant::Outline,
+        KubeEnvironmentStatus::Failed
+        | KubeEnvironmentStatus::Error
+        | KubeEnvironmentStatus::PauseFailed
+        | KubeEnvironmentStatus::ResumeFailed => BadgeVariant::Destructive,
+    }
+}
+
+fn parse_datetime(value: &str) -> Option<DateTime<FixedOffset>> {
+    DateTime::parse_from_str(value, "%Y-%m-%d %H:%M:%S%.f %z")
+        .or_else(|_| DateTime::parse_from_rfc3339(value))
+        .ok()
+}
+
+fn last_activity(environment: &KubeEnvironment) -> (String, Option<DateTime<FixedOffset>>) {
+    let mut events = Vec::with_capacity(4);
+    if let Some(ts) = environment
+        .resumed_at
+        .as_ref()
+        .and_then(|value| parse_datetime(value))
+    {
+        events.push((ts, "Resumed"));
+    }
+    if let Some(ts) = environment
+        .paused_at
+        .as_ref()
+        .and_then(|value| parse_datetime(value))
+    {
+        events.push((ts, "Paused"));
+    }
+    if let Some(ts) = environment
+        .last_catalog_synced_at
+        .as_ref()
+        .and_then(|value| parse_datetime(value))
+    {
+        events.push((ts, "Catalog synced"));
+    }
+    if let Some(ts) = parse_datetime(&environment.created_at) {
+        events.push((ts, "Created"));
+    }
+
+    events
+        .into_iter()
+        .max_by(|(a, _), (b, _)| a.cmp(b))
+        .map(|(ts, label)| (label.to_string(), Some(ts)))
+        .unwrap_or_else(|| ("Created".to_string(), None))
+}
+
+fn format_timestamp(ts: &DateTime<FixedOffset>) -> String {
+    ts.format("%b %e, %Y • %H:%M %Z").to_string()
+}
diff --git a/crates/dashboard/src/kube_app_catalog.rs b/crates/dashboard/src/kube_app_catalog.rs
new file mode 100644
index 0000000..359f37a
--- /dev/null
+++ b/crates/dashboard/src/kube_app_catalog.rs
@@ -0,0 +1,640 @@
+use anyhow::{anyhow, Result};
+use lapdev_api_hrpc::HrpcServiceClient;
+use lapdev_common::console::Organization;
+use lapdev_common::kube::{
+    KubeAppCatalog, KubeCluster, KubeClusterStatus, PagePaginationParams, PaginatedInfo,
+    PaginatedResult,
+};
+use leptos::{prelude::*, task::spawn_local_scoped_with_cancellation};
+use uuid::Uuid;
+
+use crate::component::hover_card::HoverCardPlacement;
+use crate::{
+    component::{
+        badge::{Badge, BadgeVariant},
+        button::{Button, ButtonVariant},
+        dropdown_menu::{
+            DropdownMenu, DropdownMenuContent, DropdownMenuItem, DropdownMenuTrigger,
+            DropdownPlacement,
+        },
+        hover_card::{HoverCard, HoverCardContent, HoverCardTrigger},
+        input::Input,
+        label::Label,
+        pagination::PagePagination,
+        select::{Select, SelectContent, SelectItem, SelectTrigger},
+        table::{Table, TableBody, TableCell, TableHead, TableHeader, TableRow},
+        typography::{H3, H4, P},
+    },
+    docs_url,
+    modal::{DatetimeModal, DeleteModal, ErrorResponse, Modal},
+    organization::get_current_org,
+    sse::run_sse_with_retry,
+    DOCS_APP_CATALOG_PATH,
+};
+
+#[component]
+pub fn KubeAppCatalog() -> impl IntoView {
+    let update_counter = RwSignal::new(0);
+
+    view! {
+        <div class="flex flex-col gap-6">
+            <div class="flex flex-col gap-2 items-start">
+                <H3>Kubernetes App Catalog</H3>
+                <P>
+                    {"View and manage your Kubernetes application catalogs. Create collections of workloads that can be deployed as dev environments."}
+                </P>
+                <a href=docs_url(DOCS_APP_CATALOG_PATH) target="_blank" rel="noopener noreferrer">
+                    <Badge variant=BadgeVariant::Secondary>
+                        Docs <lucide_leptos::ExternalLink />
+                    </Badge>
+                </a>
+            </div>
+
+            <AppCatalogList update_counter />
+        </div>
+    }
+}
+
+async fn all_app_catalogs(
+    org: Signal<Option<Organization>>,
+    search: Option<String>,
+    pagination: Option<PagePaginationParams>,
+) -> Result<PaginatedResult<KubeAppCatalog>> {
+    let org = org.get().ok_or_else(|| anyhow!("can't get org"))?;
+    let client = HrpcServiceClient::new("/api/rpc".to_string());
+    Ok(client
+        .all_app_catalogs(org.id, search, pagination)
+        .await??)
+}
+
+async fn delete_app_catalog(
+    org: Signal<Option<Organization>>,
+    catalog_id: uuid::Uuid,
+    delete_modal_open: RwSignal<bool>,
+    update_counter: RwSignal<usize>,
+) -> Result<(), ErrorResponse> {
+    let org = org.get().ok_or_else(|| anyhow!("can't get org"))?;
+    let client = HrpcServiceClient::new("/api/rpc".to_string());
+
+    client.delete_app_catalog(org.id, catalog_id).await??;
+
+    delete_modal_open.set(false);
+    update_counter.update(|c| *c += 1);
+
+    Ok(())
+}
+
+#[component]
+pub fn AppCatalogList(update_counter: RwSignal<usize>) -> impl IntoView {
+    let org = get_current_org();
+    let search_query = RwSignal::new(String::new());
+    let debounced_search = RwSignal::new(String::new());
+    let current_page = RwSignal::new(1usize);
+    let page_size = RwSignal::new(20usize);
+    let is_loading = RwSignal::new(false);
+    let sse_started = StoredValue::new(false);
+
+    // Debounce search input (300ms delay)
+    let search_timeout_handle: StoredValue<Option<leptos::leptos_dom::helpers::TimeoutHandle>> =
+        StoredValue::new(None);
+
+    Effect::new(move |_| {
+        let query = search_query.get();
+
+        // Clear any existing timeout
+        if let Some(h) = search_timeout_handle.get_value() {
+            h.clear();
+        }
+
+        // Set new timeout
+        let h = leptos::leptos_dom::helpers::set_timeout_with_handle(
+            move || {
+                debounced_search.set(query.clone());
+                current_page.set(1); // Reset to first page on search
+            },
+            std::time::Duration::from_millis(300),
+        )
+        .expect("set timeout for search debounce");
+        search_timeout_handle.set_value(Some(h));
+    });
+
+    on_cleanup(move || {
+        if let Some(Some(h)) = search_timeout_handle.try_get_value() {
+            h.clear();
+        }
+    });
+
+    let catalogs_result = LocalResource::new(move || {
+        let search = debounced_search.get();
+        let page = current_page.get();
+        let search_param = if search.trim().is_empty() {
+            None
+        } else {
+            Some(search)
+        };
+        let pagination = Some(PagePaginationParams {
+            page,
+            page_size: page_size.get(),
+        });
+        async move {
+            is_loading.set(true);
+            let result = all_app_catalogs(org, search_param, pagination)
+                .await
+                .unwrap_or_else(|_| PaginatedResult {
+                    data: vec![],
+                    pagination_info: PaginatedInfo {
+                        total_count: 0,
+                        page: 1,
+                        page_size: 20,
+                        total_pages: 0,
+                    },
+                });
+            is_loading.set(false);
+            result
+        }
+    });
+
+    Effect::new(move |_| {
+        update_counter.track();
+        catalogs_result.refetch();
+    });
+
+    Effect::new(move |_| {
+        debounced_search.track();
+        catalogs_result.refetch();
+    });
+
+    Effect::new(move |_| {
+        current_page.track();
+        catalogs_result.refetch();
+    });
+
+    Effect::new(move |_| {
+        page_size.track();
+        current_page.set(1); // Reset to first page when page size changes
+        catalogs_result.refetch();
+    });
+
+    Effect::new(move |_| {
+        if sse_started.get_value() {
+            return;
+        }
+
+        if let Some(org) = org.get() {
+            sse_started.set_value(true);
+            let org_id = org.id;
+            let update_counter = update_counter;
+            spawn_local_scoped_with_cancellation(async move {
+                let url = format!("/api/v1/organizations/{}/kube/catalogs/events", org_id);
+                let listener_name = format!("organization {} catalogs", org_id);
+                run_sse_with_retry(url, "catalog", listener_name, move |_message| {
+                    update_counter.update(|c| *c += 1);
+                })
+                .await;
+            });
+        }
+    });
+
+    // Auto-adjust current page when data changes (e.g., after delete)
+    Effect::new(move |_| {
+        if let Some(result) = catalogs_result.get() {
+            let current_page_val = current_page.get();
+            let total_pages = result.pagination_info.total_pages;
+
+            // If current page is beyond the last page and we're not on page 1, go to the last available page
+            if current_page_val > total_pages && total_pages > 0 {
+                current_page.set(total_pages);
+            }
+        }
+    });
+
+    let catalog_list =
+        Signal::derive(move || catalogs_result.get().map(|r| r.data).unwrap_or_default());
+    let pagination_info = Signal::derive(move || {
+        catalogs_result
+            .get()
+            .map(|r| r.pagination_info)
+            .unwrap_or_else(|| PaginatedInfo {
+                total_count: 0,
+                page: 1,
+                page_size: page_size.get(),
+                total_pages: 0,
+            })
+    });
+    let current_page_signal = Signal::derive(move || current_page.get());
+    let total_pages_signal = Signal::derive(move || pagination_info.with(|i| i.total_pages));
+
+    view! {
+        <div class="flex flex-col gap-4">
+            <div class="flex items-center gap-4">
+                <div class="relative flex-1 max-w-sm">
+                    <lucide_leptos::Search attr:class="absolute left-3 top-1/2 transform -translate-y-1/2 text-muted-foreground h-4 w-4" />
+                    <input
+                        type="text"
+                        placeholder="Search app catalogs..."
+                        class="pl-10 pr-4 py-2 w-full border border-input rounded-md bg-background text-sm focus:outline-none focus:ring-2 focus:ring-ring focus:border-transparent"
+                        on:input=move |ev| {
+                            search_query.set(event_target_value(&ev));
+                        }
+                        prop:value=move || search_query.get()
+                    />
+                </div>
+            </div>
+
+            <PagePagination
+                pagination_info
+                page_size
+                current_page=current_page_signal
+                total_pages=total_pages_signal
+                on_page_change=Callback::new(move |page| {
+                    current_page.set(page);
+                })
+            />
+
+            <div class="rounded-lg border relative">
+                // Loading overlay
+                <Show when=move || is_loading.get()>
+                    <div class="absolute inset-0 bg-white/50 backdrop-blur-sm z-10 flex items-center justify-center">
+                        <div class="flex items-center gap-2 text-sm text-muted-foreground">
+                            <div class="animate-spin rounded-full h-4 w-4 border-2 border-current border-t-transparent"></div>
+                            "Loading..."
+                        </div>
+                    </div>
+                </Show>
+
+                <Table>
+                    <TableHeader class="bg-muted">
+                        <TableRow>
+                            <TableHead>Name</TableHead>
+                            <TableHead>Description</TableHead>
+                            <TableHead>Cluster</TableHead>
+                            <TableHead>Created</TableHead>
+                            <TableHead class="pr-4">Actions</TableHead>
+                        </TableRow>
+                    </TableHeader>
+                    <TableBody>
+                        <For
+                            each=move || catalog_list.get()
+                            key=|catalog| catalog.id
+                            children=move |catalog| {
+                                view! { <AppCatalogItem catalog=catalog.clone() update_counter /> }
+                            }
+                        />
+                    </TableBody>
+                </Table>
+
+                {move || {
+                    let catalogs = catalog_list.get();
+                    let search_term = debounced_search.get();
+                    let is_searching = !search_term.trim().is_empty();
+                    if catalogs.is_empty() {
+                        if is_searching {
+
+                            view! {
+                                <div class="flex flex-col items-center justify-center py-12 text-center">
+                                    <div class="rounded-full bg-muted p-3 mb-4">
+                                        <lucide_leptos::Search />
+                                    </div>
+                                    <H4 class="mb-2">No Results Found</H4>
+                                    <P class="text-muted-foreground mb-4 max-w-sm">
+                                        {format!(
+                                            "No app catalogs match your search for \"{search_term}\". Try adjusting your search terms.",
+                                        )}
+                                    </P>
+                                </div>
+                            }
+                                .into_any()
+                        } else {
+                            view! {
+                                <div class="flex flex-col items-center justify-center py-12 text-center">
+                                    <div class="rounded-full bg-muted p-3 mb-4">
+                                        <lucide_leptos::Package />
+                                    </div>
+                                    <H4 class="mb-2">No App Catalogs</H4>
+                                    <P class="text-muted-foreground mb-4 max-w-sm">
+                                        Create your first app catalog by selecting workloads from a Kubernetes cluster.
+                                    </P>
+                                </div>
+                            }
+                                .into_any()
+                        }
+                    } else {
+                        view! { <div></div> }.into_any()
+                    }
+                }}
+            </div>
+
+        // Pagination controls
+        </div>
+    }
+}
+
+#[component]
+pub fn AppCatalogItem(catalog: KubeAppCatalog, update_counter: RwSignal<usize>) -> impl IntoView {
+    let dropdown_expanded = RwSignal::new(false);
+    let delete_modal_open = RwSignal::new(false);
+    let create_env_modal_open = RwSignal::new(false);
+    let org = get_current_org();
+
+    let catalog_id = catalog.id;
+    let catalog_name = catalog.name.clone();
+    let catalog_name_clone = catalog_name.clone();
+    let catalog_clone = catalog.clone();
+    let cluster_id = catalog.cluster_id;
+    let cluster_name = catalog.cluster_name.clone();
+
+    let delete_action = Action::new_local(move |_| {
+        delete_app_catalog(org, catalog_id, delete_modal_open, update_counter)
+    });
+
+    let create_environment = move |_| {
+        create_env_modal_open.set(true);
+    };
+
+    view! {
+        <TableRow>
+            <TableCell>
+                <a href=format!("/kubernetes/catalogs/{}", catalog_id)>
+                    <Button variant=ButtonVariant::Link class="p-0">
+                        <span class="font-medium">{catalog_name.clone()}</span>
+                    </Button>
+                </a>
+            </TableCell>
+            <TableCell>
+                <ExpandableDescription description=catalog.description.clone() />
+            </TableCell>
+            <TableCell>
+                <a href=format!("/kubernetes/clusters/{}", cluster_id)>
+                    <Button variant=ButtonVariant::Link class="p-0">
+                        <span class="font-medium">{cluster_name.clone()}</span>
+                    </Button>
+                </a>
+            </TableCell>
+            <TableCell>
+                <DatetimeModal time=catalog.created_at />
+            </TableCell>
+            <TableCell class="pr-4">
+                <div class="flex items-center gap-2">
+                    <Button
+                        variant=ButtonVariant::Outline
+                        size=crate::component::button::ButtonSize::Sm
+                        on:click=create_environment
+                    >
+                        <lucide_leptos::Plus />
+                        Create Environment
+                    </Button>
+                    <DropdownMenu open=dropdown_expanded>
+                        <DropdownMenuTrigger
+                            open=dropdown_expanded
+                            placement=DropdownPlacement::BottomRight
+                        >
+                            <Button variant=ButtonVariant::Ghost class="px-2">
+                                <lucide_leptos::EllipsisVertical />
+                            </Button>
+                        </DropdownMenuTrigger>
+                        <DropdownMenuContent
+                            open=dropdown_expanded.read_only()
+                            class="min-w-56 -translate-x-2"
+                        >
+                            <a href=format!("/kubernetes/catalogs/{}", catalog_id)>
+                                <DropdownMenuItem class="cursor-pointer">
+                                    <lucide_leptos::Eye />
+                                    View Workloads
+                                </DropdownMenuItem>
+                            </a>
+                            <DropdownMenuItem
+                                on:click=move |_| {
+                                    dropdown_expanded.set(false);
+                                    delete_modal_open.set(true);
+                                }
+                                class="cursor-pointer text-destructive focus:text-destructive"
+                            >
+                                <lucide_leptos::Trash2 />
+                                Delete
+                            </DropdownMenuItem>
+                        </DropdownMenuContent>
+                    </DropdownMenu>
+                </div>
+                <CreateEnvironmentModal
+                    modal_open=create_env_modal_open
+                    app_catalog=catalog_clone
+                    update_counter
+                />
+                <DeleteModal
+                    resource=catalog_name_clone
+                    open=delete_modal_open
+                    delete_action
+                />
+            </TableCell>
+        </TableRow>
+    }
+}
+
+#[component]
+pub fn ExpandableDescription(description: Option<String>) -> impl IntoView {
+    let description_text =
+        StoredValue::new(description.unwrap_or_else(|| "No description".to_string()));
+    let open = RwSignal::new(false);
+
+    view! {
+        <HoverCard open=open>
+            <HoverCardTrigger placement=HoverCardPlacement::BottomRight>
+                <div class="max-w-xs text-muted-foreground text-sm text-ellipsis overflow-hidden whitespace-nowrap cursor-help">
+                    {move || description_text.get_value()}
+                </div>
+            </HoverCardTrigger>
+            <HoverCardContent class="w-80 max-w-sm -translate-y-6">
+                <P class="text-sm whitespace-normal break-words">
+                    {move || description_text.get_value()}
+                </P>
+            </HoverCardContent>
+        </HoverCard>
+    }
+}
+
+#[component]
+pub fn CreateEnvironmentModal(
+    modal_open: RwSignal<bool>,
+    app_catalog: KubeAppCatalog,
+    update_counter: RwSignal<usize>,
+) -> impl IntoView {
+    let environment_name = RwSignal::new_local("".to_string());
+    let selected_cluster = RwSignal::new(app_catalog.cluster_id);
+    let is_shared = RwSignal::new(false);
+    let org = get_current_org();
+    let client = HrpcServiceClient::new("/api/rpc".to_string());
+
+    // Load available clusters
+    let clusters_resource = LocalResource::new(move || async move {
+        let org = org.get().ok_or_else(|| anyhow!("can't get org"))?;
+        let client = HrpcServiceClient::new("/api/rpc".to_string());
+        Ok::<Vec<KubeCluster>, anyhow::Error>(client.all_kube_clusters(org.id).await??)
+    });
+
+    let clusters = Signal::derive(move || {
+        clusters_resource.with(|result| {
+            result
+                .as_ref()
+                .map(|res| res.as_ref().unwrap_or(&vec![]).clone())
+                .unwrap_or_default()
+        })
+    });
+
+    let navigate = leptos_router::hooks::use_navigate();
+    let create_action = Action::new_local(move |_| {
+        let client = client.clone();
+        let nav = navigate.clone();
+        async move {
+            let created_environment = client
+                .create_kube_environment(
+                    org.get_untracked()
+                        .ok_or_else(|| anyhow!("can't get org"))?
+                        .id,
+                    app_catalog.id,
+                    selected_cluster.get_untracked(),
+                    environment_name.get_untracked(),
+                    is_shared.get_untracked(),
+                )
+                .await??;
+
+            update_counter.update(|c| {
+                *c += 1;
+            });
+            modal_open.set(false);
+            environment_name.set("".to_string());
+
+            // Navigate to the created environment detail page
+            nav(
+                &format!("/kubernetes/environments/{}", created_environment.id),
+                Default::default(),
+            );
+
+            Ok(())
+        }
+    });
+
+    view! {
+        <Modal
+            title=format!("Create Environment from {}", app_catalog.name)
+            open=modal_open
+            action=create_action
+        >
+            <div class="flex flex-col gap-4">
+                <div class="flex flex-col gap-2">
+                    <Label>Environment Name</Label>
+                    <Input
+                        prop:value=move || environment_name.get()
+                        on:input=move |ev| {
+                            environment_name.set(event_target_value(&ev));
+                        }
+                        attr:placeholder="Enter environment name"
+                        attr:required=true
+                    />
+                </div>
+                <div class="flex flex-col gap-2">
+                    <Label>Cluster</Label>
+                    {
+                        let dropdown_open = RwSignal::new(false);
+                        view! {
+                            <Select value=selected_cluster open=dropdown_open class="w-full">
+                                <SelectTrigger class="w-full">
+                                    {move || {
+                                        let cluster_id = selected_cluster.get();
+                                        if let Some(cluster) = clusters.get()
+                                            .into_iter()
+                                            .find(|c| c.id == cluster_id && (c.can_deploy_personal || c.can_deploy_shared)) {
+                                            let status_variant = match cluster.info.status {
+                                                KubeClusterStatus::Ready => BadgeVariant::Secondary,
+                                                KubeClusterStatus::Provisioning => BadgeVariant::Secondary,
+                                                KubeClusterStatus::NotReady | KubeClusterStatus::Error => BadgeVariant::Destructive,
+                                            };
+                                            view! {
+                                                <div class="flex items-center justify-between w-full">
+                                                    <span class="max-w-60 text-ellipsis overflow-hidden whitespace-nowrap">{cluster.name}</span>
+                                                    <Badge variant=status_variant class="ml-2 text-xs">
+                                                        {cluster.info.status.to_string()}
+                                                    </Badge>
+                                                </div>
+                                            }.into_any()
+                                        } else {
+                                            view! { "Select deployable cluster" }.into_any()
+                                        }
+                                    }}
+                                </SelectTrigger>
+                                <SelectContent class="w-full">
+                                    {move || {
+                                        clusters.get()
+                                            .into_iter()
+                                            .filter(|cluster| cluster.can_deploy_personal || cluster.can_deploy_shared)
+                                            .map(|cluster| {
+                                                let status_variant = match cluster.info.status {
+                                                    KubeClusterStatus::Ready => BadgeVariant::Secondary,
+                                                    KubeClusterStatus::Provisioning => BadgeVariant::Secondary,
+                                                    KubeClusterStatus::NotReady | KubeClusterStatus::Error => BadgeVariant::Destructive,
+                                                };
+                                                view! {
+                                                    <SelectItem
+                                                        value=cluster.id
+                                                        display=cluster.name.clone()
+                                                    >
+                                                        <div class="flex items-center justify-between w-full">
+                                                            <span class="max-w-60 text-ellipsis overflow-hidden whitespace-nowrap">{cluster.name}</span>
+                                                            <Badge variant=status_variant class="ml-2 text-xs">
+                                                                {cluster.info.status.to_string()}
+                                                            </Badge>
+                                                        </div>
+                                                    </SelectItem>
+                                                }
+                                            })
+                                            .collect::<Vec<_>>()
+                                    }}
+                                </SelectContent>
+                            </Select>
+                        }
+                    }
+                </div>
+                <div class="flex flex-col gap-2">
+                    <Label>Environment Type</Label>
+                    <div class="flex items-center space-x-4">
+                        <div class="flex items-center space-x-2">
+                            <input
+                                type="radio"
+                                id="personal"
+                                name="environment_type"
+                                checked=move || !is_shared.get()
+                                on:change=move |_| is_shared.set(false)
+                                class="radio radio-primary"
+                            />
+                            <label for="personal" class="text-sm font-medium">Personal</label>
+                        </div>
+                        <div class="flex items-center space-x-2">
+                            <input
+                                type="radio"
+                                id="shared"
+                                name="environment_type"
+                                checked=move || is_shared.get()
+                                on:change=move |_| is_shared.set(true)
+                                class="radio radio-primary"
+                            />
+                            <label for="shared" class="text-sm font-medium">Shared</label>
+                        </div>
+                    </div>
+                </div>
+                <P class="text-sm text-muted-foreground">
+                    {"Namespaces are generated automatically to keep every environment isolated."}
+                </P>
+                <div class="flex flex-col gap-2 p-4 bg-muted rounded-lg text-wrap">
+                    <P class="font-medium text-sm">App Catalog Details:</P>
+                    <ul class="text-sm space-y-1">
+                        <li>{format!("• Name: {}", app_catalog.name)}</li>
+                        <li>{format!("• Cluster: {}", app_catalog.cluster_name)}</li>
+                        {app_catalog.description.as_ref().map(|desc| {
+                            view! { <li>{format!("• Description: {}", desc)}</li> }
+                        })}
+                    </ul>
+                </div>
+            </div>
+        </Modal>
+
+    }
+}
diff --git a/crates/dashboard/src/kube_app_catalog_detail.rs b/crates/dashboard/src/kube_app_catalog_detail.rs
new file mode 100644
index 0000000..2b0ada5
--- /dev/null
+++ b/crates/dashboard/src/kube_app_catalog_detail.rs
@@ -0,0 +1,568 @@
+use std::str::FromStr;
+
+use anyhow::{anyhow, Result};
+use lapdev_api_hrpc::HrpcServiceClient;
+use lapdev_common::{
+    console::Organization,
+    kube::{KubeAppCatalog, KubeAppCatalogWorkload, KubeContainerInfo},
+};
+use leptos::{prelude::*, task::spawn_local_scoped_with_cancellation};
+use leptos_router::hooks::use_params_map;
+use uuid::Uuid;
+
+use crate::{
+    app::AppConfig,
+    component::{
+        badge::{Badge, BadgeVariant},
+        button::{Button, ButtonVariant},
+        card::Card,
+        input::Input,
+        table::{Table, TableBody, TableCell, TableHead, TableHeader, TableRow},
+        typography::{H3, H4, P},
+    },
+    docs_url,
+    kube_app_catalog::CreateEnvironmentModal,
+    modal::{DatetimeModal, DeleteModal, ErrorResponse},
+    organization::get_current_org,
+    sse::run_sse_with_retry,
+    DOCS_APP_CATALOG_PATH,
+};
+
+#[component]
+pub fn KubeAppCatalogDetail() -> impl IntoView {
+    let params = use_params_map();
+    let catalog_id = params.with_untracked(|params| {
+        params
+            .get("catalog_id")
+            .and_then(|id| Uuid::from_str(id.as_str()).ok())
+            .unwrap_or_default()
+    });
+
+    view! {
+        <div class="flex flex-col gap-6">
+            <div class="flex flex-col gap-2 items-start">
+                <H3>App Catalog Workloads</H3>
+                <P>
+                    View workloads included in this Kubernetes application catalog.
+                </P>
+                <a href=docs_url(DOCS_APP_CATALOG_PATH) target="_blank" rel="noopener noreferrer">
+                    <Badge variant=BadgeVariant::Secondary>
+                        Docs <lucide_leptos::ExternalLink />
+                    </Badge>
+                </a>
+            </div>
+
+            <WorkloadsList catalog_id />
+        </div>
+    }
+}
+
+pub async fn get_app_catalog(
+    org: Signal<Option<Organization>>,
+    catalog_id: Uuid,
+) -> Result<KubeAppCatalog> {
+    let org = org.get().ok_or_else(|| anyhow!("can't get org"))?;
+    let client = HrpcServiceClient::new("/api/rpc".to_string());
+    Ok(client.get_app_catalog(org.id, catalog_id).await??)
+}
+
+async fn get_app_catalog_workloads(
+    org: Signal<Option<Organization>>,
+    catalog_id: Uuid,
+) -> Result<Vec<KubeAppCatalogWorkload>> {
+    let org = org.get().ok_or_else(|| anyhow!("can't get org"))?;
+    let client = HrpcServiceClient::new("/api/rpc".to_string());
+    Ok(client
+        .get_app_catalog_workloads(org.id, catalog_id)
+        .await??)
+}
+
+async fn delete_workload(
+    org: Signal<Option<Organization>>,
+    workload_id: Uuid,
+    delete_modal_open: RwSignal<bool>,
+    update_counter: RwSignal<usize>,
+) -> Result<(), ErrorResponse> {
+    let org = org.get().ok_or_else(|| anyhow!("can't get org"))?;
+    let client = HrpcServiceClient::new("/api/rpc".to_string());
+
+    client
+        .delete_app_catalog_workload(org.id, workload_id)
+        .await??;
+
+    delete_modal_open.set(false);
+    update_counter.update(|c| *c += 1);
+
+    Ok(())
+}
+
+async fn delete_catalog(
+    org: Signal<Option<Organization>>,
+    catalog_id: Uuid,
+    delete_modal_open: RwSignal<bool>,
+) -> Result<(), ErrorResponse> {
+    let org = org.get().ok_or_else(|| anyhow!("can't get org"))?;
+    let client = HrpcServiceClient::new("/api/rpc".to_string());
+
+    client.delete_app_catalog(org.id, catalog_id).await??;
+
+    delete_modal_open.set(false);
+
+    Ok(())
+}
+
+#[component]
+pub fn WorkloadsList(catalog_id: Uuid) -> impl IntoView {
+    let org = get_current_org();
+    let is_loading = RwSignal::new(false);
+    let search_query = RwSignal::new(String::new());
+    let debounced_search = RwSignal::new(String::new());
+    let update_counter = RwSignal::new(0usize);
+    let create_env_modal_open = RwSignal::new(false);
+    let delete_catalog_modal_open = RwSignal::new(false);
+
+    // Debounce search input (300ms delay)
+    let search_timeout_handle: StoredValue<Option<leptos::leptos_dom::helpers::TimeoutHandle>> =
+        StoredValue::new(None);
+
+    Effect::new(move |_| {
+        let query = search_query.get();
+
+        // Clear any existing timeout
+        if let Some(h) = search_timeout_handle.get_value() {
+            h.clear();
+        }
+
+        // Set new timeout
+        let h = leptos::leptos_dom::helpers::set_timeout_with_handle(
+            move || {
+                debounced_search.set(query.clone());
+            },
+            std::time::Duration::from_millis(300),
+        )
+        .expect("set timeout for search debounce");
+        search_timeout_handle.set_value(Some(h));
+    });
+
+    on_cleanup(move || {
+        if let Some(Some(h)) = search_timeout_handle.try_get_value() {
+            h.clear();
+        }
+    });
+
+    let config = use_context::<AppConfig>().unwrap();
+    let catalog_result = LocalResource::new(move || async move {
+        is_loading.set(true);
+        let result = get_app_catalog(org, catalog_id).await.ok();
+        if let Some(app_catalog) = result.as_ref() {
+            config.current_page.set(app_catalog.name.clone());
+        }
+        result
+    });
+
+    let workloads_result = LocalResource::new(move || {
+        update_counter.track();
+        async move {
+            let result = get_app_catalog_workloads(org, catalog_id)
+                .await
+                .unwrap_or_else(|_| vec![]);
+            is_loading.set(false);
+            result
+        }
+    });
+
+    let sse_started = RwSignal::new_local(false);
+    let catalog_result_for_sse = catalog_result.clone();
+    let update_counter_for_sse = update_counter.clone();
+    let org_for_sse = org;
+    Effect::new(move |_| {
+        if sse_started.get_untracked() {
+            return;
+        }
+
+        if let Some(org) = org_for_sse.get() {
+            sse_started.set(true);
+            let org_id = org.id;
+            let catalog_result_for_sse = catalog_result_for_sse.clone();
+            let update_counter = update_counter_for_sse.clone();
+            spawn_local_scoped_with_cancellation({
+                async move {
+                    let url = format!(
+                        "/api/v1/organizations/{}/kube/catalogs/{}/events",
+                        org_id, catalog_id
+                    );
+                    let listener_name = format!("catalog {} detail", catalog_id);
+                    run_sse_with_retry(url, "catalog", listener_name, move |_message| {
+                        catalog_result_for_sse.refetch();
+                        update_counter.update(|c| *c += 1);
+                    })
+                    .await;
+                }
+            });
+        }
+    });
+
+    let catalog_info = Signal::derive(move || catalog_result.get().flatten());
+    let all_workloads = Signal::derive(move || workloads_result.get().unwrap_or_default());
+
+    let navigate = leptos_router::hooks::use_navigate();
+    let delete_catalog_action = Action::new_local(move |_| {
+        let nav = navigate.clone();
+        async move {
+            match delete_catalog(org, catalog_id, delete_catalog_modal_open).await {
+                Ok(_) => {
+                    nav("/kubernetes/catalogs", Default::default());
+                    Ok(())
+                }
+                Err(e) => Err(e),
+            }
+        }
+    });
+
+    // Filter workloads based on search query
+    let filtered_workloads = Signal::derive(move || {
+        let workloads = all_workloads.get();
+        let search_term = debounced_search.get().to_lowercase();
+
+        if search_term.trim().is_empty() {
+            workloads
+        } else {
+            workloads
+                .into_iter()
+                .filter(|workload| workload.name.to_lowercase().contains(&search_term))
+                .collect()
+        }
+    });
+
+    view! {
+        <div class="flex flex-col gap-4">
+            // App Catalog Information Section
+            <Show when=move || catalog_info.get().is_some()>
+                <AppCatalogInfo catalog=catalog_info delete_modal_open=delete_catalog_modal_open delete_action=delete_catalog_action />
+            </Show>
+
+            // Search Input and Action Buttons
+            <div class="flex flex-col items-start gap-4">
+                <div class="flex items-center gap-2">
+                    <AddWorkloadsButton catalog_id catalog_info />
+                    <Button
+                        variant=ButtonVariant::Outline
+                        on:click=move |_| create_env_modal_open.set(true)
+                    >
+                        <lucide_leptos::Plus />
+                        Create Environment
+                    </Button>
+                </div>
+                <div class="relative flex-1 max-w-sm">
+                    <lucide_leptos::Search attr:class="absolute left-3 top-1/2 transform -translate-y-1/2 text-muted-foreground h-4 w-4" />
+                    <Input
+                        attr:placeholder="Search workloads..."
+                        class="pl-10"
+                        prop:value=move || search_query.get()
+                        on:input=move |ev| {
+                            search_query.set(event_target_value(&ev));
+                        }
+                    />
+                </div>
+            </div>
+
+            <div class="rounded-lg border relative">
+                // Loading overlay
+                <Show when=move || is_loading.get()>
+                    <div class="absolute inset-0 bg-white/50 backdrop-blur-sm z-10 flex items-center justify-center">
+                        <div class="flex items-center gap-2 text-sm text-muted-foreground">
+                            <div class="animate-spin rounded-full h-4 w-4 border-2 border-current border-t-transparent"></div>
+                            "Loading workloads..."
+                        </div>
+                    </div>
+                </Show>
+
+                <Table>
+                    <TableHeader class="bg-muted">
+                        <TableRow>
+                            <TableHead>Name</TableHead>
+                            <TableHead>Namespace</TableHead>
+                            <TableHead>Kind</TableHead>
+                            <TableHead>Containers</TableHead>
+                            <TableHead>Actions</TableHead>
+                        </TableRow>
+                    </TableHeader>
+                    <TableBody>
+                        <For
+                            each=move || filtered_workloads.get()
+                            key=|workload| format!("{}-{}-{}", workload.name, workload.namespace, workload.kind)
+                            children=move |workload| {
+                                view! { <WorkloadItem catalog_id workload=workload.clone() update_counter /> }
+                            }
+                        />
+                    </TableBody>
+                </Table>
+
+                {move || {
+                    let filtered = filtered_workloads.get();
+                    let all_workloads = all_workloads.get();
+                    let search_term = debounced_search.get();
+                    let is_searching = !search_term.trim().is_empty();
+
+                    if filtered.is_empty() {
+                        if is_searching {
+                            view! {
+                                <div class="flex flex-col items-center justify-center py-12 text-center">
+                                    <div class="rounded-full bg-muted p-3 mb-4">
+                                        <lucide_leptos::Search />
+                                    </div>
+                                    <H4 class="mb-2">No Results Found</H4>
+                                    <P class="text-muted-foreground mb-4 max-w-sm">
+                                        {format!(
+                                            "No workloads match your search for \"{}\". Try adjusting your search terms.",
+                                            search_term
+                                        )}
+                                    </P>
+                                </div>
+                            }
+                            .into_any()
+                        } else if all_workloads.is_empty() {
+                            view! {
+                                <div class="flex flex-col items-center justify-center py-12 text-center">
+                                    <div class="rounded-full bg-muted p-3 mb-4">
+                                        <lucide_leptos::Package />
+                                    </div>
+                                    <H4 class="mb-2">No Workloads Found</H4>
+                                    <P class="text-muted-foreground mb-4 max-w-sm">
+                                        "This app catalog doesn't contain any workloads yet."
+                                    </P>
+                                </div>
+                            }
+                            .into_any()
+                        } else {
+                            view! { <div></div> }.into_any()
+                        }
+                    } else {
+                        view! { <div></div> }.into_any()
+                    }
+                }}
+            </div>
+
+            <Show when=move || catalog_info.get().is_some()>
+                {move || {
+                    if let Some(catalog) = catalog_info.get() {
+                        view! {
+                            <CreateEnvironmentModal
+                                modal_open=create_env_modal_open
+                                app_catalog=catalog
+                                update_counter
+                            />
+                        }.into_any()
+                    } else {
+                        ().into_any()
+                    }
+                }}
+            </Show>
+
+            // Delete Catalog Modal
+            {move || {
+                if let Some(catalog) = catalog_info.get() {
+                    view! {
+                        <DeleteModal
+                            resource=catalog.name
+                            open=delete_catalog_modal_open
+                            delete_action=delete_catalog_action
+                        />
+                    }.into_any()
+                } else {
+                    view! { <div></div> }.into_any()
+                }
+            }}
+        </div>
+    }
+}
+
+#[component]
+pub fn WorkloadItem(
+    catalog_id: Uuid,
+    workload: KubeAppCatalogWorkload,
+    update_counter: RwSignal<usize>,
+) -> impl IntoView {
+    let org = get_current_org();
+    let delete_modal_open = RwSignal::new(false);
+    let workload_name = workload.name.clone();
+    let workload_id = workload.id;
+
+    let delete_action = Action::new_local(move |_| {
+        delete_workload(org, workload_id, delete_modal_open, update_counter)
+    });
+
+    let kind_variant = BadgeVariant::Outline;
+
+    view! {
+        <TableRow>
+            <TableCell>
+                <a href=format!("/kubernetes/catalogs/{}/workloads/{}", catalog_id, workload.id)>
+                    <Button variant=ButtonVariant::Link class="p-0">
+                        <span class="font-medium">{workload.name}</span>
+                    </Button>
+                </a>
+            </TableCell>
+            <TableCell>
+                <Badge variant=BadgeVariant::Secondary>
+                    {workload.namespace}
+                </Badge>
+            </TableCell>
+            <TableCell>
+                <Badge variant=BadgeVariant::Outline>
+                    {workload.kind.to_string()}
+                </Badge>
+            </TableCell>
+            <TableCell>
+                <div class="text-sm flex flex-col gap-2">
+                    {
+                        let containers = workload.containers.clone();
+                        containers.iter().map(|container| {
+                            view! {
+                                <ContainerDisplay
+                                    container=container.clone()
+                                />
+                            }
+                        }).collect::<Vec<_>>()
+                    }
+                    {if workload.containers.clone().is_empty() {
+                        view! { <span class="text-muted-foreground">"No containers"</span> }.into_any()
+                    } else {
+                        ().into_any()
+                    }}
+                </div>
+            </TableCell>
+            <TableCell>
+                <Button
+                    variant=ButtonVariant::Ghost
+                    class="px-2"
+                    on:click=move |_| {
+                        delete_modal_open.set(true);
+                    }
+                >
+                    <lucide_leptos::Trash />
+                </Button>
+
+                <DeleteModal
+                    resource=workload_name.clone()
+                    open=delete_modal_open
+                    delete_action
+                />
+            </TableCell>
+        </TableRow>
+    }
+}
+
+#[component]
+pub fn AppCatalogInfo(
+    catalog: Signal<Option<KubeAppCatalog>>,
+    delete_modal_open: RwSignal<bool>,
+    delete_action: Action<(), Result<(), ErrorResponse>>,
+) -> impl IntoView {
+    view! {
+        {move || {
+            if let Some(catalog) = catalog.get() {
+                view! {
+                    <Card class="p-6">
+                        <div class="flex flex-col gap-4">
+                            <div class="flex items-start justify-between">
+                                <div class="flex flex-col gap-2">
+                                    <H3>{catalog.name.clone()}</H3>
+                                    {catalog.description.clone().map(|desc| {
+                                        view! {
+                                            <P class="text-muted-foreground">{desc}</P>
+                                        }
+                                    })}
+                                </div>
+                                <Button
+                                    variant=ButtonVariant::Destructive
+                                    on:click=move |_| delete_modal_open.set(true)
+                                >
+                                    <lucide_leptos::Trash2 />
+                                    Delete Catalog
+                                </Button>
+                            </div>
+                            <div class="grid grid-cols-[auto_1fr] gap-x-4 gap-y-3 text-sm">
+                                <div class="flex items-center gap-2 text-muted-foreground font-medium">
+                                    <div class="[&>svg]:size-4 [&>svg]:shrink-0">
+                                        <lucide_leptos::Server />
+                                    </div>
+                                    <span>Cluster</span>
+                                </div>
+                                <div>
+                                    <a href=format!("/kubernetes/clusters/{}", catalog.cluster_id) class="text-foreground hover:underline">
+                                        {catalog.cluster_name.clone()}
+                                    </a>
+                                </div>
+
+                                <div class="flex items-center gap-2 text-muted-foreground font-medium">
+                                    <div class="[&>svg]:size-4 [&>svg]:shrink-0">
+                                        <lucide_leptos::Calendar />
+                                    </div>
+                                    <span>Created</span>
+                                </div>
+                                <div>
+                                    <DatetimeModal time=catalog.created_at />
+                                </div>
+                            </div>
+                        </div>
+                    </Card>
+                }
+                .into_any()
+            } else {
+                view! { <div></div> }.into_any()
+            }
+        }}
+    }
+}
+
+#[component]
+pub fn AddWorkloadsButton(
+    catalog_id: Uuid,
+    catalog_info: Signal<Option<KubeAppCatalog>>,
+) -> impl IntoView {
+    let navigate = leptos_router::hooks::use_navigate();
+
+    let on_click = move |_| {
+        if let Some(catalog) = catalog_info.get_untracked() {
+            let url = format!(
+                "/kubernetes/clusters/{}?catalog_id={}",
+                catalog.cluster_id, catalog_id
+            );
+            navigate(&url, Default::default());
+        }
+    };
+
+    view! {
+        <Button
+            variant=ButtonVariant::Default
+            on:click=on_click
+        >
+            <lucide_leptos::Plus />
+            "Add Workloads"
+        </Button>
+    }
+}
+
+#[component]
+pub fn ContainerDisplay(container: KubeContainerInfo) -> impl IntoView {
+    view! {
+        <div class="flex flex-col p-2 bg-muted/30 rounded border">
+            <div class="flex justify-between items-center">
+                <span class="font-medium text-foreground">{container.name.clone()}</span>
+            </div>
+
+            <div class="text-sm text-foreground mt-1">
+                <div class="flex items-center gap-1">
+                    <lucide_leptos::Box attr:class="w-3 h-3" />
+                    <span class="truncate w-80 text-muted-foreground">{
+                        match &container.image {
+                            lapdev_common::kube::KubeContainerImage::FollowOriginal => container.original_image.clone(),
+                            lapdev_common::kube::KubeContainerImage::Custom(image) => image.clone(),
+                        }
+                    }</span>
+                </div>
+            </div>
+        </div>
+    }
+}
diff --git a/crates/dashboard/src/kube_app_catalog_workload.rs b/crates/dashboard/src/kube_app_catalog_workload.rs
new file mode 100644
index 0000000..ed57f1e
--- /dev/null
+++ b/crates/dashboard/src/kube_app_catalog_workload.rs
@@ -0,0 +1,348 @@
+use std::str::FromStr;
+
+use anyhow::{anyhow, Result};
+use lapdev_api_hrpc::HrpcServiceClient;
+use lapdev_common::{
+    console::Organization,
+    kube::{KubeAppCatalog, KubeAppCatalogWorkload, KubeContainerInfo},
+};
+use leptos::prelude::*;
+use leptos_router::hooks::use_params_map;
+use uuid::Uuid;
+
+use crate::{
+    app::AppConfig,
+    component::{
+        badge::{Badge, BadgeVariant},
+        button::{Button, ButtonVariant},
+        card::Card,
+        typography::{H3, P},
+    },
+    docs_url,
+    kube_container::{ContainerEditorConfig, ContainersCard},
+    modal::{DeleteModal, ErrorResponse},
+    organization::get_current_org,
+    DOCS_APP_CATALOG_PATH,
+};
+
+#[component]
+pub fn KubeAppCatalogWorkload() -> impl IntoView {
+    let params = use_params_map();
+    let (catalog_id, workload_id) = params.with_untracked(|params| {
+        let catalog_id = params
+            .get("catalog_id")
+            .and_then(|id| Uuid::from_str(id.as_str()).ok())
+            .unwrap_or_default();
+        let workload_id = params
+            .get("workload_id")
+            .and_then(|id| Uuid::from_str(id.as_str()).ok())
+            .unwrap_or_default();
+        (catalog_id, workload_id)
+    });
+
+    view! {
+        <div class="flex flex-col gap-6">
+            <div class="flex flex-col gap-2 items-start">
+                <H3>Workload Details</H3>
+                <P>
+                    View and manage details for this Kubernetes workload.
+                </P>
+                <a href=docs_url(DOCS_APP_CATALOG_PATH) target="_blank" rel="noopener noreferrer">
+                    <Badge variant=BadgeVariant::Secondary>
+                        Docs <lucide_leptos::ExternalLink />
+                    </Badge>
+                </a>
+            </div>
+
+            <WorkloadDetail catalog_id workload_id />
+        </div>
+    }
+}
+
+async fn get_workload_detail(
+    org: Signal<Option<Organization>>,
+    catalog_id: Uuid,
+    workload_id: Uuid,
+) -> Result<(KubeAppCatalog, KubeAppCatalogWorkload)> {
+    let org = org.get().ok_or_else(|| anyhow!("can't get org"))?;
+    let client = HrpcServiceClient::new("/api/rpc".to_string());
+
+    // Get catalog info
+    let catalog = client.get_app_catalog(org.id, catalog_id).await??;
+
+    // Get all workloads and find the specific one
+    let workloads = client
+        .get_app_catalog_workloads(org.id, catalog_id)
+        .await??;
+    let workload = workloads
+        .into_iter()
+        .find(|w| w.id == workload_id)
+        .ok_or_else(|| anyhow!("Workload not found"))?;
+
+    Ok((catalog, workload))
+}
+
+async fn update_workload_containers(
+    org: Signal<Option<Organization>>,
+    workload_id: Uuid,
+    containers: Vec<KubeContainerInfo>,
+    update_counter: RwSignal<usize>,
+) -> Result<Uuid, ErrorResponse> {
+    let org = org.get().ok_or_else(|| anyhow!("can't get org"))?;
+    let client = HrpcServiceClient::new("/api/rpc".to_string());
+
+    client
+        .update_app_catalog_workload(org.id, workload_id, containers)
+        .await??;
+
+    update_counter.update(|c| *c += 1);
+
+    Ok(workload_id)
+}
+
+async fn delete_workload(
+    org: Signal<Option<Organization>>,
+    workload_id: Uuid,
+    delete_modal_open: RwSignal<bool>,
+) -> Result<(), ErrorResponse> {
+    let org = org.get().ok_or_else(|| anyhow!("can't get org"))?;
+    let client = HrpcServiceClient::new("/api/rpc".to_string());
+
+    client
+        .delete_app_catalog_workload(org.id, workload_id)
+        .await??;
+
+    delete_modal_open.set(false);
+
+    Ok(())
+}
+
+#[component]
+pub fn WorkloadDetail(catalog_id: Uuid, workload_id: Uuid) -> impl IntoView {
+    let org = get_current_org();
+    let is_loading = RwSignal::new(false);
+    let update_counter = RwSignal::new(0usize);
+    let delete_modal_open = RwSignal::new(false);
+
+    let config = use_context::<AppConfig>().unwrap();
+    let detail_result = LocalResource::new(move || {
+        update_counter.track();
+        async move {
+            is_loading.set(true);
+            let result = get_workload_detail(org, catalog_id, workload_id).await.ok();
+            if let Some((catalog, workload)) = result.as_ref() {
+                config.current_page.set(workload.name.clone());
+                config.header_links.update(|header_links| {
+                    header_links.push((
+                        catalog.name.clone(),
+                        format!("/kubernetes/catalogs/{catalog_id}"),
+                    ));
+                });
+            }
+            is_loading.set(false);
+            result
+        }
+    });
+
+    let catalog_info =
+        Signal::derive(move || detail_result.get().and_then(|opt| opt.map(|(c, _)| c)));
+    let workload_info =
+        Signal::derive(move || detail_result.get().and_then(|opt| opt.map(|(_, w)| w)));
+
+    let navigate = leptos_router::hooks::use_navigate();
+    let delete_action = Action::new_local(move |_| {
+        let nav = navigate.clone();
+        async move {
+            match delete_workload(org, workload_id, delete_modal_open).await {
+                Ok(_) => {
+                    nav(
+                        &format!("/kubernetes/catalogs/{}", catalog_id),
+                        Default::default(),
+                    );
+                    Ok(())
+                }
+                Err(e) => Err(e),
+            }
+        }
+    });
+
+    view! {
+        <div class="flex flex-col gap-6">
+            // Loading State
+            <Show when=move || is_loading.get()>
+                <div class="flex items-center justify-center py-12">
+                    <div class="flex items-center gap-2 text-sm text-muted-foreground">
+                        <div class="animate-spin rounded-full h-4 w-4 border-2 border-current border-t-transparent"></div>
+                        "Loading workload details..."
+                    </div>
+                </div>
+            </Show>
+
+            // Workload Information Card
+            <Show when=move || workload_info.get().is_some()>
+                <WorkloadInfoCard workload_info catalog_info delete_modal_open delete_action />
+            </Show>
+
+            // Containers Section
+            <Show when=move || workload_info.get().is_some()>
+                {move || {
+                    if let Some(workload) = workload_info.get() {
+                        let workload_id = workload.id;
+                        let all_containers = workload.containers.clone();
+                        let update_action = Action::new_local(move |containers: &Vec<KubeContainerInfo>| {
+                            let containers = containers.clone();
+                            async move {
+                                update_workload_containers(org, workload_id, containers, update_counter).await
+                            }
+                        });
+
+                        let config = ContainerEditorConfig {
+                            enable_resource_limits: true,
+                            show_customization_badge: false,
+                            is_branch_environment: false,
+                            branch_reset_action: None,
+                        };
+                        view! {
+                            <ContainersCard
+                                all_containers
+                                title="Container Configuration"
+                                empty_message="This workload doesn't have any container configurations."
+                                workload_id
+                                update_counter
+                                config
+                                update_action
+                            />
+                        }.into_any()
+                    } else {
+                        view! { <div></div> }.into_any()
+                    }
+                }}
+            </Show>
+
+            // Delete Modal
+            {move || {
+                if let Some(workload) = workload_info.get() {
+                    view! {
+                        <DeleteModal
+                            resource=workload.name
+                            open=delete_modal_open
+                            delete_action
+                        />
+                    }.into_any()
+                } else {
+                    view! { <div></div> }.into_any()
+                }
+            }}
+        </div>
+    }
+}
+
+#[component]
+pub fn WorkloadInfoCard(
+    workload_info: Signal<Option<KubeAppCatalogWorkload>>,
+    catalog_info: Signal<Option<KubeAppCatalog>>,
+    delete_modal_open: RwSignal<bool>,
+    delete_action: Action<(), Result<(), ErrorResponse>>,
+) -> impl IntoView {
+    view! {
+        {move || {
+            if let (Some(workload), Some(catalog)) = (workload_info.get(), catalog_info.get()) {
+                let workload_name = workload.name.clone();
+                let workload_namespace1 = workload.namespace.clone();  // For badge
+                let workload_namespace2 = workload.namespace.clone();  // For metadata
+                let workload_kind_str1 = workload.kind.to_string();    // For badge
+                let workload_kind_str2 = workload.kind.to_string();    // For metadata
+                let workload_containers_len = workload.containers.len();
+                let catalog_id = catalog.id;
+                let catalog_name = catalog.name.clone();
+                let catalog_cluster_id = catalog.cluster_id;
+                let catalog_cluster_name = catalog.cluster_name.clone();
+
+                view! {
+                    <Card class="p-6">
+                        <div class="flex flex-col gap-6">
+                            // Header with actions
+                            <div class="flex items-start justify-between">
+                                <div class="flex flex-col gap-2">
+                                    <H3>{workload_name.clone()}</H3>
+                                    <div class="flex items-center gap-2">
+                                        <Badge variant=BadgeVariant::Secondary>
+                                            {workload_namespace1}
+                                        </Badge>
+                                    </div>
+                                </div>
+                                <Button
+                                    variant=ButtonVariant::Destructive
+                                    on:click=move |_| delete_modal_open.set(true)
+                                >
+                                    <lucide_leptos::Trash2 />
+                                    Delete Workload
+                                </Button>
+                            </div>
+
+                            // Metadata grid
+                            <div class="grid grid-cols-[auto_1fr] gap-x-4 gap-y-3 text-sm">
+                                <div class="flex items-center gap-2 text-muted-foreground font-medium">
+                                    <div class="[&>svg]:size-4 [&>svg]:shrink-0">
+                                        <lucide_leptos::Package />
+                                    </div>
+                                    <span>App Catalog</span>
+                                </div>
+                                <div>
+                                    <a href=format!("/kubernetes/catalogs/{}", catalog_id) class="text-foreground hover:underline">
+                                        {catalog_name.clone()}
+                                    </a>
+                                </div>
+
+                                <div class="flex items-center gap-2 text-muted-foreground font-medium">
+                                    <div class="[&>svg]:size-4 [&>svg]:shrink-0">
+                                        <lucide_leptos::Server />
+                                    </div>
+                                    <span>Cluster</span>
+                                </div>
+                                <div>
+                                    <a href=format!("/kubernetes/clusters/{}", catalog_cluster_id) class="text-foreground hover:underline">
+                                        {catalog_cluster_name}
+                                    </a>
+                                </div>
+
+                                <div class="flex items-center gap-2 text-muted-foreground font-medium">
+                                    <div class="[&>svg]:size-4 [&>svg]:shrink-0">
+                                        <lucide_leptos::Hash />
+                                    </div>
+                                    <span>Namespace</span>
+                                </div>
+                                <div class="font-mono text-sm">
+                                    {workload_namespace2}
+                                </div>
+
+                                <div class="flex items-center gap-2 text-muted-foreground font-medium">
+                                    <div class="[&>svg]:size-4 [&>svg]:shrink-0">
+                                        <lucide_leptos::Layers />
+                                    </div>
+                                    <span>Kind</span>
+                                </div>
+                                <div>
+                                    {workload_kind_str2}
+                                </div>
+
+                                <div class="flex items-center gap-2 text-muted-foreground font-medium">
+                                    <div class="[&>svg]:size-4 [&>svg]:shrink-0">
+                                        <lucide_leptos::Box />
+                                    </div>
+                                    <span>Containers</span>
+                                </div>
+                                <div>
+                                    {format!("{} container{}", workload_containers_len, if workload_containers_len == 1 { "" } else { "s" })}
+                                </div>
+                            </div>
+                        </div>
+                    </Card>
+                }
+                .into_any()
+            } else {
+                view! { <div></div> }.into_any()
+            }
+        }}
+    }
+}
diff --git a/crates/dashboard/src/kube_cluster.rs b/crates/dashboard/src/kube_cluster.rs
new file mode 100644
index 0000000..3ae4710
--- /dev/null
+++ b/crates/dashboard/src/kube_cluster.rs
@@ -0,0 +1,625 @@
+use anyhow::{anyhow, Result};
+use lapdev_api_hrpc::HrpcServiceClient;
+use lapdev_common::{
+    console::Organization,
+    kube::{CreateKubeClusterResponse, KubeCluster, KubeClusterStatus},
+};
+use leptos::prelude::*;
+use leptos::task::{spawn_local, spawn_local_scoped_with_cancellation};
+use std::rc::Rc;
+
+use crate::{
+    component::{
+        badge::{Badge, BadgeVariant},
+        button::{Button, ButtonVariant},
+        dropdown_menu::{
+            DropdownMenu, DropdownMenuContent, DropdownMenuItem, DropdownMenuTrigger,
+            DropdownPlacement,
+        },
+        input::Input,
+        label::Label,
+        table::{Table, TableBody, TableCell, TableHead, TableHeader, TableRow},
+        textarea::Textarea,
+        typography::{H3, H4, P},
+    },
+    docs_url,
+    modal::{DeleteModal, ErrorResponse, Modal},
+    organization::get_current_org,
+    sse::run_sse_with_retry,
+    DOCS_CLUSTER_PATH,
+};
+
+#[component]
+pub fn KubeCluster() -> impl IntoView {
+    let update_counter = RwSignal::new_local(0);
+    view! {
+        <div class="flex flex-col gap-6">
+            <div class="flex flex-col gap-2 items-start">
+                <H3>Kubernetes Clusters</H3>
+                <P>
+                    {"Clusters are Lapdev’s bridge into your infrastructure. Connect them here, check their health, and decide which ones supply App Catalog manifests or host development environments."}
+                </P>
+                <a href=docs_url(DOCS_CLUSTER_PATH) target="_blank" rel="noopener noreferrer">
+                    <Badge variant=BadgeVariant::Secondary>Docs <lucide_leptos::ExternalLink /></Badge>
+                </a>
+            </div>
+
+            <KubeClusterList update_counter />
+        </div>
+    }
+}
+
+async fn all_kube_clusters(org: Signal<Option<Organization>>) -> Result<Vec<KubeCluster>> {
+    let org = org.get().ok_or_else(|| anyhow!("can't get org"))?;
+    let client = HrpcServiceClient::new("/api/rpc".to_string());
+    Ok(client.all_kube_clusters(org.id).await??)
+}
+
+async fn delete_kube_cluster(
+    org: Signal<Option<Organization>>,
+    cluster_id: uuid::Uuid,
+    delete_modal_open: RwSignal<bool>,
+    update_counter: RwSignal<usize, LocalStorage>,
+) -> Result<(), ErrorResponse> {
+    let org = org.get().ok_or_else(|| anyhow!("can't get org"))?;
+    let client = HrpcServiceClient::new("/api/rpc".to_string());
+
+    client.delete_kube_cluster(org.id, cluster_id).await??;
+
+    delete_modal_open.set(false);
+    update_counter.update(|c| *c += 1);
+
+    Ok(())
+}
+
+#[component]
+pub fn KubeClusterList(update_counter: RwSignal<usize, LocalStorage>) -> impl IntoView {
+    let org = get_current_org();
+    let clusters =
+        LocalResource::new(move || async move { all_kube_clusters(org).await.unwrap_or_default() });
+    Effect::new(move |_| {
+        update_counter.track();
+        clusters.refetch();
+    });
+    let clusters = Signal::derive(move || clusters.get().unwrap_or_default());
+    let sse_started = StoredValue::new(false);
+
+    Effect::new(move |_| {
+        if sse_started.get_value() {
+            return;
+        }
+
+        if let Some(org) = org.get() {
+            sse_started.set_value(true);
+            let org_id = org.id;
+            let update_counter = update_counter;
+            spawn_local_scoped_with_cancellation(async move {
+                let url = format!("/api/v1/organizations/{}/kube/clusters/events", org_id);
+                let listener_name = format!("organization {} clusters", org_id);
+                run_sse_with_retry(url, "cluster", listener_name, move |_message| {
+                    update_counter.update(|c| *c += 1);
+                })
+                .await;
+            });
+        }
+    });
+
+    let create_cluster_modal_open = RwSignal::new(false);
+    let token_modal_open = RwSignal::new(false);
+    let cluster_response = RwSignal::new_local(None::<CreateKubeClusterResponse>);
+
+    let create_cluster = move |_| {
+        create_cluster_modal_open.set(true);
+    };
+
+    view! {
+        <div>
+            <div class="flex justify-between items-center mb-4">
+                <Button on:click=create_cluster>
+                    <lucide_leptos::Plus  />
+                    Create New Cluster
+                </Button>
+                <CreateClusterModal
+                    modal_open=create_cluster_modal_open
+                    update_counter
+                    token_modal_open
+                    cluster_response
+                />
+                <TokenDisplayModal
+                    modal_open=token_modal_open
+                    cluster_response
+                />
+            </div>
+            <div class="rounded-lg border">
+                <Table class="table-auto">
+                    <TableHeader class="bg-muted">
+                        <TableRow>
+                            <TableHead class="pl-4">Name</TableHead>
+                            <TableHead>Status</TableHead>
+                            <TableHead>Version</TableHead>
+                            <TableHead>Provider</TableHead>
+                            <TableHead>Region</TableHead>
+                            <TableHead>Nodes</TableHead>
+                            <TableHead>Can Deploy Personal</TableHead>
+                            <TableHead>Can Deploy Shared</TableHead>
+                            <TableHead class="w-24">Actions</TableHead>
+                        </TableRow>
+                    </TableHeader>
+                    <TableBody>
+                        <For
+                            each=move || clusters.get()
+                            key=|c| format!("{}_{}_{}", c.id, c.can_deploy_personal, c.can_deploy_shared)
+                            children=move |cluster| {
+                                view! { <KubeClusterItem cluster update_counter /> }
+                            }
+                        />
+                    </TableBody>
+                </Table>
+
+                {move || {
+                    let cluster_list = clusters.get();
+                    if cluster_list.is_empty() {
+                        view! {
+                            <div class="flex flex-col items-center justify-center py-12 text-center">
+                                <div class="rounded-full bg-muted p-3 mb-4">
+                                    <lucide_leptos::Server />
+                                </div>
+                                <H4 class="mb-2">No Kubernetes Clusters</H4>
+                                <P class="text-muted-foreground mb-4 max-w-sm">
+                                    Connect your first Kubernetes cluster to start deploying workspaces and managing resources.
+                                </P>
+                            </div>
+                        }.into_any()
+                    } else {
+                        view! { <div></div> }.into_any()
+                    }
+                }}
+            </div>
+        </div>
+
+    }
+}
+
+#[component]
+pub fn KubeClusterItem(
+    cluster: KubeCluster,
+    update_counter: RwSignal<usize, LocalStorage>,
+) -> impl IntoView {
+    let status_variant = match cluster.info.status {
+        KubeClusterStatus::Ready => BadgeVariant::Secondary,
+        KubeClusterStatus::Provisioning => BadgeVariant::Secondary,
+        KubeClusterStatus::NotReady | KubeClusterStatus::Error => BadgeVariant::Destructive,
+    };
+
+    let status_text = cluster.info.status.to_string();
+    let dropdown_expanded = RwSignal::new(false);
+    let delete_modal_open = RwSignal::new(false);
+    let org = get_current_org();
+
+    let cluster_id = cluster.id;
+    let cluster_id_for_delete = cluster_id;
+    let cluster_id_for_resources = cluster_id;
+    let cluster_name = cluster.name.clone();
+    let provider = cluster
+        .info
+        .provider
+        .clone()
+        .unwrap_or_else(|| "Unknown".to_string());
+    let cluster_name_clone = cluster_name.clone();
+
+    let delete_action = Action::new_local(move |_| {
+        delete_kube_cluster(
+            org,
+            cluster_id_for_delete.clone(),
+            delete_modal_open,
+            update_counter,
+        )
+    });
+
+    view! {
+        <TableRow>
+            <TableCell class="pl-4">
+                <a href={ format!("/kubernetes/clusters/{}", cluster.id) }>
+                    <Button variant=ButtonVariant::Link class="p-0">
+                        <span class="font-medium">{cluster_name.clone()}</span>
+                    </Button>
+                </a>
+            </TableCell>
+            <TableCell>
+                <Badge variant=status_variant>{status_text}</Badge>
+            </TableCell>
+            <TableCell>{cluster.info.cluster_version}</TableCell>
+            <TableCell>{provider}</TableCell>
+            <TableCell>{cluster.info.region.unwrap_or("N/A".to_string())}</TableCell>
+            <TableCell>{cluster.info.node_count.to_string()}</TableCell>
+            <TableCell>
+                <Badge variant={
+                    if cluster.can_deploy_personal {
+                        BadgeVariant::Secondary
+                    } else {
+                        BadgeVariant::Destructive
+                    }
+                }>
+                    {if cluster.can_deploy_personal { "Yes" } else { "No" }}
+                </Badge>
+            </TableCell>
+            <TableCell>
+                <Badge variant={
+                    if cluster.can_deploy_shared {
+                        BadgeVariant::Secondary
+                    } else {
+                        BadgeVariant::Destructive
+                    }
+                }>
+                    {if cluster.can_deploy_shared { "Yes" } else { "No" }}
+                </Badge>
+            </TableCell>
+            <TableCell>
+                <DropdownMenu open=dropdown_expanded>
+                    <div class="flex">
+                        <DropdownMenuTrigger
+                            open=dropdown_expanded
+                            placement=DropdownPlacement::BottomRight
+                        >
+                            <Button variant=ButtonVariant::Ghost class="px-2">
+                                <lucide_leptos::EllipsisVertical />
+                            </Button>
+                        </DropdownMenuTrigger>
+                    </div>
+                    <DropdownMenuContent
+                        open=dropdown_expanded.read_only()
+                        class="min-w-56 -translate-x-2"
+                    >
+                        <a href=format!("/kubernetes/clusters/{}", cluster_id_for_resources)>
+                            <DropdownMenuItem class="cursor-pointer">
+                                <lucide_leptos::Box />
+                                View Resources
+                            </DropdownMenuItem>
+                        </a>
+                        <DropdownMenuItem
+                            on:click=move |_| {
+                                if !cluster.can_deploy_personal {
+                                    dropdown_expanded.set(false);
+                                    // Enable personal deployment
+                                    let org = org.get_untracked();
+                                    let cluster_id = cluster.id;
+                                    spawn_local(async move {
+                                        if let Some(org) = org {
+                                            let client = HrpcServiceClient::new("/api/rpc".to_string());
+                                            let _ = client.set_cluster_personal_deployable(org.id, cluster_id, true).await;
+                                            update_counter.update(|c| *c += 1);
+                                        }
+                                    });
+                                }
+                            }
+                            class=if cluster.can_deploy_personal {
+                                "cursor-not-allowed opacity-50"
+                            } else {
+                                "cursor-pointer"
+                            }
+                        >
+                            <lucide_leptos::Check />
+                            "Enable Personal Deployment"
+                        </DropdownMenuItem>
+                        <DropdownMenuItem
+                            on:click=move |_| {
+                                if cluster.can_deploy_personal {
+                                    dropdown_expanded.set(false);
+                                    // Disable personal deployment
+                                    let org = org.get_untracked();
+                                    let cluster_id = cluster.id;
+                                    spawn_local(async move {
+                                        if let Some(org) = org {
+                                            let client = HrpcServiceClient::new("/api/rpc".to_string());
+                                            let _ = client.set_cluster_personal_deployable(org.id, cluster_id, false).await;
+                                            update_counter.update(|c| *c += 1);
+                                        }
+                                    });
+                                }
+                            }
+                            class=if !cluster.can_deploy_personal {
+                                "cursor-not-allowed opacity-50"
+                            } else {
+                                "cursor-pointer"
+                            }
+                        >
+                            <lucide_leptos::X />
+                            "Disable Personal Deployment"
+                        </DropdownMenuItem>
+                        <DropdownMenuItem
+                            on:click=move |_| {
+                                if !cluster.can_deploy_shared {
+                                    dropdown_expanded.set(false);
+                                    // Enable shared deployment
+                                    let org = org.get_untracked();
+                                    let cluster_id = cluster.id;
+                                    spawn_local(async move {
+                                        if let Some(org) = org {
+                                            let client = HrpcServiceClient::new("/api/rpc".to_string());
+                                            let _ = client.set_cluster_shared_deployable(org.id, cluster_id, true).await;
+                                            update_counter.update(|c| *c += 1);
+                                        }
+                                    });
+                                }
+                            }
+                            class=if cluster.can_deploy_shared {
+                                "cursor-not-allowed opacity-50"
+                            } else {
+                                "cursor-pointer"
+                            }
+                        >
+                            <lucide_leptos::Check />
+                            "Enable Shared Deployment"
+                        </DropdownMenuItem>
+                        <DropdownMenuItem
+                            on:click=move |_| {
+                                if cluster.can_deploy_shared {
+                                    dropdown_expanded.set(false);
+                                    // Disable shared deployment
+                                    let org = org.get_untracked();
+                                    let cluster_id = cluster.id;
+                                    spawn_local(async move {
+                                        if let Some(org) = org {
+                                            let client = HrpcServiceClient::new("/api/rpc".to_string());
+                                            let _ = client.set_cluster_shared_deployable(org.id, cluster_id, false).await;
+                                            update_counter.update(|c| *c += 1);
+                                        }
+                                    });
+                                }
+                            }
+                            class=if !cluster.can_deploy_shared {
+                                "cursor-not-allowed opacity-50"
+                            } else {
+                                "cursor-pointer"
+                            }
+                        >
+                            <lucide_leptos::X />
+                            "Disable Shared Deployment"
+                        </DropdownMenuItem>
+                        <DropdownMenuItem
+                            on:click=move |_| {
+                                dropdown_expanded.set(false);
+                                delete_modal_open.set(true);
+                            }
+                            class="cursor-pointer text-destructive focus:text-destructive"
+                        >
+                            <lucide_leptos::Trash2 />
+                            Delete
+                        </DropdownMenuItem>
+                    </DropdownMenuContent>
+                </DropdownMenu>
+                <DeleteModal
+                    resource=cluster_name_clone
+                    open=delete_modal_open
+                    delete_action
+                />
+            </TableCell>
+        </TableRow>
+    }
+}
+
+#[component]
+pub fn CreateClusterModal(
+    modal_open: RwSignal<bool>,
+    update_counter: RwSignal<usize, LocalStorage>,
+    token_modal_open: RwSignal<bool>,
+    cluster_response: RwSignal<Option<CreateKubeClusterResponse>, LocalStorage>,
+) -> impl IntoView {
+    let cluster_name = RwSignal::new_local("".to_string());
+    let org = get_current_org();
+    let client = HrpcServiceClient::new("/api/rpc".to_string());
+
+    let create_action = Action::new_local(move |_| {
+        let client = client.clone();
+        async move {
+            let response = client
+                .create_kube_cluster(
+                    org.get_untracked()
+                        .ok_or_else(|| anyhow!("can't get org"))?
+                        .id,
+                    cluster_name.get_untracked(),
+                )
+                .await??;
+
+            cluster_response.set(Some(response));
+            update_counter.update(|c| {
+                *c += 1;
+            });
+            modal_open.set(false);
+            token_modal_open.set(true);
+            Ok(())
+        }
+    });
+
+    view! {
+        <Modal
+            title="Create New Cluster"
+            open=modal_open
+            action=create_action
+        >
+            <div class="flex flex-col gap-2">
+                <Label>Cluster Name</Label>
+                <Input
+                    prop:value=move || cluster_name.get()
+                    on:input=move |ev| {
+                        cluster_name.set(event_target_value(&ev));
+                    }
+                    attr:placeholder="Enter cluster name"
+                    attr:required=true
+                />
+            </div>
+        </Modal>
+    }
+}
+
+#[component]
+pub fn TokenDisplayModal(
+    modal_open: RwSignal<bool>,
+    cluster_response: RwSignal<Option<CreateKubeClusterResponse>, LocalStorage>,
+) -> impl IntoView {
+    let copy_success = RwSignal::new_local(false);
+    let command_copy_success = RwSignal::new_local(false);
+    let origin = StoredValue::new(
+        window()
+            .location()
+            .origin()
+            .unwrap_or_else(|_| "".to_string())
+            .trim_end_matches('/')
+            .to_string(),
+    );
+
+    let copy_token = move |_| {
+        if let Some(response) = cluster_response.get_untracked() {
+            let navigator = window().navigator();
+            let clipboard = navigator.clipboard();
+            let _ = clipboard.write_text(&response.token);
+            copy_success.set(true);
+
+            // Reset copy success after 2 seconds
+            set_timeout(
+                move || copy_success.set(false),
+                std::time::Duration::from_secs(2),
+            );
+        }
+    };
+
+    let manifest_path = Memo::new(move |_| {
+        cluster_response
+            .get()
+            .map(|response| format!("/install/lapdev-kube-manager.yaml?token={}", response.token))
+    });
+
+    let install_command = {
+        Memo::new(move |_| {
+            manifest_path
+                .get()
+                .map(|path| {
+                    let origin = origin.get_value();
+                    if origin.is_empty() {
+                        format!("kubectl apply -f {}", path)
+                    } else {
+                        format!("kubectl apply -f {origin}{path}")
+                    }
+                })
+                .unwrap_or_default()
+        })
+    };
+
+    let copy_install_command = move |_| {
+        let command = install_command.get();
+        if command.is_empty() {
+            return;
+        }
+        let navigator = window().navigator();
+        let clipboard = navigator.clipboard();
+        let _ = clipboard.write_text(&command);
+        command_copy_success.set(true);
+        set_timeout(
+            move || command_copy_success.set(false),
+            std::time::Duration::from_secs(2),
+        );
+    };
+
+    view! {
+        <Modal
+            title="Cluster Token"
+            open=modal_open
+            action=Action::new_local(move |_| async move { Ok(()) })
+            hide_action=true
+        >
+            <div class="flex flex-col gap-4">
+                <div class="flex flex-col gap-2">
+                    <P class="text-sm text-muted-foreground">
+                        Use this token to connect your cluster to Lapdev.
+                        Copy and save it securely - it will not be shown again.
+                    </P>
+                </div>
+
+                <div class="flex flex-col gap-2">
+                    <Label>Cluster ID</Label>
+                    <Input
+                        prop:value=move || cluster_response.get().map(|r| r.cluster_id.to_string()).unwrap_or_default()
+                        prop:readonly=true
+                        class="font-mono text-sm"
+                    />
+                </div>
+
+                <div class="flex flex-col gap-2">
+                    <Label>Authentication Token</Label>
+                    <div class="relative">
+                        <Textarea
+                            prop:value=move || cluster_response.get().map(|r| r.token).unwrap_or_default()
+                            prop:readonly=true
+                            class="font-mono text-sm min-h-24 pr-16"
+                        />
+                        <Button
+                            on:click=copy_token
+                            class="absolute top-2 right-2 h-8 w-8 p-0"
+                            variant=ButtonVariant::Outline
+                        >
+                            {move || if copy_success.get() {
+                                view! { <lucide_leptos::Check /> }.into_any()
+                            } else {
+                                view! { <lucide_leptos::Copy /> }.into_any()
+                            }}
+                        </Button>
+                    </div>
+                    {move || if copy_success.get() {
+                        view! { <P class="text-sm text-green-600">Token copied to clipboard!</P> }
+                    } else {
+                        view! { <P class="text-sm text-muted-foreground">Click the copy button to copy the token</P> }
+                    }}
+                </div>
+
+                <div class="flex flex-col gap-2">
+                    <Label>Install Command</Label>
+                    <div class="relative">
+                        <Textarea
+                            prop:value=move || install_command.get()
+                            prop:readonly=true
+                            class="font-mono text-sm min-h-20 pr-16"
+                        />
+                        <Button
+                            on:click=copy_install_command
+                            class="absolute top-2 right-2 h-8 w-8 p-0"
+                            variant=ButtonVariant::Outline
+                        >
+                            {move || if command_copy_success.get() {
+                                view! { <lucide_leptos::Check /> }.into_any()
+                            } else {
+                                view! { <lucide_leptos::Copy /> }.into_any()
+                            }}
+                        </Button>
+                    </div>
+                    {move || if command_copy_success.get() {
+                        view! { <P class="text-sm text-green-600">Install command copied!</P> }
+                    } else {
+                        view! { <P class="text-sm text-muted-foreground">Run this command in a shell with kubectl access to your cluster</P> }
+                    }}
+                </div>
+
+                <div class="flex flex-col gap-2 p-4 bg-muted rounded-lg">
+                    <P class="font-medium text-sm">Next Steps:</P>
+                    <ul class="text-sm space-y-1">
+                        <li>{"- Install lapdev-kube-manager in your cluster"}</li>
+                        <li>{"- Configure it with this token"}</li>
+                        <li>{"- Your cluster will appear in the list once connected"}</li>
+                    </ul>
+                    {move || manifest_path.get().map(|href| {
+                        view! {
+                            <a
+                                class="text-sm text-primary underline"
+                                target="_blank"
+                                rel="noopener noreferrer"
+                                href=href
+                            >
+                                "Open manifest in a new tab"
+                            </a>
+                        }
+                        .into_any()
+                    }).unwrap_or_else(|| ().into_any() )}
+                </div>
+            </div>
+        </Modal>
+    }
+}
diff --git a/crates/dashboard/src/kube_container.rs b/crates/dashboard/src/kube_container.rs
new file mode 100644
index 0000000..80003f7
--- /dev/null
+++ b/crates/dashboard/src/kube_container.rs
@@ -0,0 +1,857 @@
+use lapdev_common::kube::{KubeContainerImage, KubeContainerInfo, KubeEnvVar};
+use leptos::prelude::*;
+use uuid::Uuid;
+
+use crate::{
+    component::{
+        alert_dialog::{
+            AlertDialogContent, AlertDialogDescription, AlertDialogFooter, AlertDialogHeader,
+            AlertDialogTitle,
+        },
+        badge::{Badge, BadgeVariant},
+        button::{Button, ButtonVariant},
+        card::Card,
+        input::Input,
+        typography::{H4, P},
+    },
+    modal::ErrorResponse,
+};
+
+#[component]
+pub fn ContainersCard(
+    all_containers: Vec<KubeContainerInfo>,
+    title: &'static str,
+    empty_message: &'static str,
+    workload_id: Uuid,
+    update_counter: RwSignal<usize>,
+    config: ContainerEditorConfig,
+    update_action: Action<Vec<KubeContainerInfo>, Result<Uuid, ErrorResponse>>,
+) -> impl IntoView {
+    view! {
+        <Card class="p-6">
+            <div class="flex flex-col gap-6">
+                <div class="flex items-center justify-between">
+                    <H4>{title}</H4>
+                    <Badge variant=BadgeVariant::Secondary>
+                        {format!("{} container{}", all_containers.len(), if all_containers.len() != 1 { "s" } else { "" })}
+                    </Badge>
+                </div>
+
+                {
+                    if all_containers.is_empty() {
+                        view! {
+                            <div class="flex flex-col items-center justify-center py-12 text-center">
+                                <div class="rounded-full bg-muted p-3 mb-4">
+                                    <lucide_leptos::Package />
+                                </div>
+                                <H4 class="mb-2">No Containers</H4>
+                                <P class="text-muted-foreground mb-4 max-w-sm">
+                                    {empty_message}
+                                </P>
+                            </div>
+                        }.into_any()
+                    } else {
+                        view! {
+                            <div class="space-y-4">
+                                {
+                                    all_containers.iter().enumerate().map(|(index, container)| {
+                                        view! {
+                                            <ContainerEditor
+                                                workload_id
+                                                container_index=index
+                                                container=container.clone()
+                                                all_containers=all_containers.clone()
+                                                update_counter
+                                                config=config.clone()
+                                                update_action
+                                            />
+                                        }.into_any()
+                                    }).collect::<Vec<_>>()
+                                }
+                            </div>
+                        }.into_any()
+                    }
+                }
+            </div>
+        </Card>
+    }
+}
+
+#[derive(Clone)]
+pub struct ContainerEditorConfig {
+    pub enable_resource_limits: bool,
+    pub show_customization_badge: bool,
+    pub is_branch_environment: bool,
+    pub branch_reset_action: Option<Action<(), Result<(), ErrorResponse>>>,
+}
+
+impl Default for ContainerEditorConfig {
+    fn default() -> Self {
+        Self {
+            enable_resource_limits: true,
+            show_customization_badge: true,
+            is_branch_environment: false,
+            branch_reset_action: None,
+        }
+    }
+}
+
+#[component]
+fn ContainerEditor(
+    workload_id: Uuid,
+    container_index: usize,
+    container: KubeContainerInfo,
+    all_containers: Vec<KubeContainerInfo>,
+    update_counter: RwSignal<usize>,
+    config: ContainerEditorConfig,
+    update_action: Action<Vec<KubeContainerInfo>, Result<Uuid, ErrorResponse>>,
+) -> impl IntoView {
+    let _ = workload_id;
+    let _ = update_counter;
+    let is_editing = RwSignal::new(false);
+    let error_message = RwSignal::new(None::<String>);
+    let reset_dialog_open = RwSignal::new(false);
+    let has_customizations = config.show_customization_badge && container.is_customized();
+
+    // Clone container fields to avoid move conflicts
+    let container_image = container.image.clone();
+    let container_env_vars = container.env_vars.clone();
+    let container_original_image = container.original_image.clone();
+    let name = container.name.clone();
+    let reset_title_text = StoredValue::new(format!("Reset {}?", name.clone()));
+    let containers_store = StoredValue::new(all_containers.clone());
+    let branch_reset_action = config.branch_reset_action.clone();
+    if let Some(action) = branch_reset_action.clone() {
+        let error_message = error_message.clone();
+        Effect::new(move |_| {
+            if let Some(result) = action.value().get() {
+                if let Err(err) = result {
+                    error_message.set(Some(err.error));
+                }
+            }
+        });
+    }
+
+    // Clone resource values for display (since they need to be used in multiple places)
+    let cpu_request_display = container.cpu_request.clone();
+    let cpu_limit_display = container.cpu_limit.clone();
+    let memory_request_display = container.memory_request.clone();
+    let memory_limit_display = container.memory_limit.clone();
+
+    // Create signals for editable fields
+    let image_signal = RwSignal::new(container_image.clone());
+    let custom_image_signal = RwSignal::new(match &container_image {
+        KubeContainerImage::Custom(img) => img.clone(),
+        KubeContainerImage::FollowOriginal => String::new(),
+    });
+    let cpu_request_signal = RwSignal::new(container.cpu_request.clone().unwrap_or_default());
+    let cpu_limit_signal = RwSignal::new(container.cpu_limit.clone().unwrap_or_default());
+    let memory_request_signal = RwSignal::new(container.memory_request.clone().unwrap_or_default());
+    let memory_limit_signal = RwSignal::new(container.memory_limit.clone().unwrap_or_default());
+    let env_vars_signal = RwSignal::new(container_env_vars.clone());
+
+    // Monitor the update action for error handling
+    Effect::new(move || {
+        if let Some(result) = update_action.value().get() {
+            match result {
+                Ok(_) => {
+                    error_message.set(None);
+                    is_editing.set(false);
+                }
+                Err(err) => {
+                    error_message.set(Some(err.error.clone()));
+                }
+            }
+        }
+    });
+
+    let save_changes = {
+        let container_name = container.name.clone();
+        let all_containers_clone = all_containers.clone();
+        let original_image = container.original_image.clone();
+        let original_env_vars = container.original_env_vars.clone();
+        let ports = container.ports.clone();
+        let enable_resources = config.enable_resource_limits;
+
+        Callback::new(move |_| {
+            let updated_container = KubeContainerInfo {
+                name: container_name.clone(),
+                original_image: original_image.clone(),
+                image: image_signal.get(),
+                cpu_request: if enable_resources && !cpu_request_signal.get().trim().is_empty() {
+                    Some(cpu_request_signal.get().trim().to_string())
+                } else {
+                    None
+                },
+                cpu_limit: if enable_resources && !cpu_limit_signal.get().trim().is_empty() {
+                    Some(cpu_limit_signal.get().trim().to_string())
+                } else {
+                    None
+                },
+                memory_request: if enable_resources
+                    && !memory_request_signal.get().trim().is_empty()
+                {
+                    Some(memory_request_signal.get().trim().to_string())
+                } else {
+                    None
+                },
+                memory_limit: if enable_resources && !memory_limit_signal.get().trim().is_empty() {
+                    Some(memory_limit_signal.get().trim().to_string())
+                } else {
+                    None
+                },
+                env_vars: env_vars_signal
+                    .get()
+                    .into_iter()
+                    .filter(|var| !var.name.trim().is_empty())
+                    .collect(),
+                original_env_vars: original_env_vars.clone(),
+                ports: ports.clone(),
+            };
+
+            let mut updated_containers = all_containers_clone.clone();
+            updated_containers[container_index] = updated_container;
+            update_action.dispatch(updated_containers);
+        })
+    };
+
+    let cancel_changes = {
+        let container_image_reset = container.image.clone();
+        let container_env_vars_reset = container.env_vars.clone();
+        let cpu_request_reset = container.cpu_request.clone().unwrap_or_default();
+        let cpu_limit_reset = container.cpu_limit.clone().unwrap_or_default();
+        let memory_request_reset = container.memory_request.clone().unwrap_or_default();
+        let memory_limit_reset = container.memory_limit.clone().unwrap_or_default();
+        let custom_img_reset = match &container.image {
+            KubeContainerImage::Custom(img) => img.clone(),
+            KubeContainerImage::FollowOriginal => String::new(),
+        };
+        Callback::new(move |_| {
+            image_signal.set(container_image_reset.clone());
+            custom_image_signal.set(custom_img_reset.clone());
+            cpu_request_signal.set(cpu_request_reset.clone());
+            cpu_limit_signal.set(cpu_limit_reset.clone());
+            memory_request_signal.set(memory_request_reset.clone());
+            memory_limit_signal.set(memory_limit_reset.clone());
+            env_vars_signal.set(container_env_vars_reset.clone());
+            error_message.set(None);
+            is_editing.set(false);
+        })
+    };
+
+    view! {
+        <div class="border rounded-lg">
+            <div class="p-4 border-b bg-muted/20">
+                <div class="flex items-center justify-between">
+                    <div class="flex items-center gap-3">
+                        <div class="rounded-full bg-primary/10 p-2">
+                            <lucide_leptos::Box attr:class="h-4 w-4 text-primary" />
+                        </div>
+                        <div>
+                            <H4 class="text-base">{name.clone()}</H4>
+                            {if config.show_customization_badge && container.is_customized() {
+                                view! {
+                                    <Badge variant=BadgeVariant::Secondary class="text-xs mt-1">
+                                        <lucide_leptos::Settings attr:class="w-3 h-3 mr-1" />
+                                        "Customized"
+                                    </Badge>
+                                }.into_any()
+                            } else {
+                                ().into_any()
+                            }}
+                        </div>
+                    </div>
+                    <Show when=move || !is_editing.get()>
+                        <div class="flex gap-2">
+                            <Show when=move || has_customizations>
+                                <Button
+                                    variant=ButtonVariant::Destructive
+                                    on:click=move |_| reset_dialog_open.set(true)
+                                >
+                                    Reset
+                                </Button>
+                            </Show>
+                            <Button
+                                variant=ButtonVariant::Outline
+                                on:click=move |_| {
+                                    is_editing.set(true);
+                                    error_message.set(None);
+                                }
+                            >
+                                Edit
+                            </Button>
+                        </div>
+                    </Show>
+
+                    <Show when=move || is_editing.get()>
+                        <div class="flex gap-2">
+                            <Button
+                                variant=ButtonVariant::Outline
+                                on:click=move |_| cancel_changes.run(())
+                                disabled=Signal::derive(move || update_action.pending().get())
+                            >
+                                Cancel
+                            </Button>
+                            <Button
+                                variant=ButtonVariant::Default
+                                on:click=move |_| save_changes.run(())
+                                disabled=Signal::derive(move || update_action.pending().get())
+                            >
+                                {move || if update_action.pending().get() { "Saving..." } else { "Save Changes" }}
+                            </Button>
+                        </div>
+                    </Show>
+                </div>
+            </div>
+
+            // Container configuration
+            <div class="p-4 space-y-4">
+                <div class="grid grid-cols-1 md:grid-cols-2 gap-4">
+                    // Image Configuration
+                    <div class="space-y-3">
+                        <div class="font-medium text-sm flex items-center gap-2">
+                            <lucide_leptos::Box attr:class="w-4 h-4 text-primary" />
+                            Image Configuration
+                        </div>
+                        <div class="space-y-2">
+                            <div class="text-sm">
+                                <span class="text-muted-foreground">{"Original: "}</span>
+                                <code class="text-xs bg-muted px-1 py-0.5 rounded break-all">
+                                    {container_original_image.clone()}
+                                </code>
+                            </div>
+
+                            <Show when=move || !is_editing.get()>
+                                {move || {
+                                    let display_image = image_signal.get();
+                                    view! {
+                                        <div class="text-sm">
+                                            {match &display_image {
+                                                KubeContainerImage::FollowOriginal => view! {
+                                                    <span class="text-muted-foreground">{"Current: "}</span>
+                                                    <span class="text-xs text-muted-foreground">{"Following original"}</span>
+                                                }.into_any(),
+                                                KubeContainerImage::Custom(custom_img) => view! {
+                                                    <span class="text-muted-foreground">{"Current: "}</span>
+                                                    <code class="text-xs bg-muted px-1 py-0.5 rounded break-all">
+                                                        {custom_img.clone()}
+                                                    </code>
+                                                    <span class="ml-2 text-xs text-muted-foreground">
+                                                        {"(Custom)"}
+                                                    </span>
+                                                }.into_any(),
+                                            }}
+                                        </div>
+                                    }
+                                }}
+                            </Show>
+
+                            <Show when=move || is_editing.get()>
+                                <div class="space-y-2">
+                                    <div class="flex items-center space-x-2">
+                                        <input
+                                            type="radio"
+                                            name=format!("image_choice_{}", container_index)
+                                            prop:checked=move || matches!(image_signal.get(), KubeContainerImage::FollowOriginal)
+                                            on:change=move |_| {
+                                                image_signal.set(KubeContainerImage::FollowOriginal);
+                                            }
+                                        />
+                                        <label class="text-sm">Follow Original</label>
+                                    </div>
+                                    <div class="flex items-center space-x-2">
+                                        <input
+                                            type="radio"
+                                            name=format!("image_choice_{}", container_index)
+                                            prop:checked=move || matches!(image_signal.get(), KubeContainerImage::Custom(_))
+                                            on:change=move |_| {
+                                                let custom_img = custom_image_signal.get();
+                                                image_signal.set(KubeContainerImage::Custom(custom_img));
+                                            }
+                                        />
+                                        <label class="text-sm">Use Custom Image</label>
+                                    </div>
+                                    <Show when=move || matches!(image_signal.get(), KubeContainerImage::Custom(_))>
+                                        <Input
+                                            prop:value=move || custom_image_signal.get()
+                                            on:input=move |ev| {
+                                                let new_value = event_target_value(&ev);
+                                                custom_image_signal.set(new_value.clone());
+                                                image_signal.set(KubeContainerImage::Custom(new_value));
+                                            }
+                                            attr:placeholder="Enter custom image (e.g., ubuntu:22.04)"
+                                        />
+                                    </Show>
+                                </div>
+                            </Show>
+                        </div>
+                    </div>
+
+                    // Environment Variables
+                    <div class="space-y-3">
+                        <div class="font-medium text-sm flex items-center gap-2">
+                            <lucide_leptos::Settings attr:class="w-4 h-4 text-primary" />
+                            Environment Variables
+                        </div>
+                        <Show when=move || !is_editing.get()>
+                            <EnvVarsDisplay env_vars=env_vars_signal.get() />
+                        </Show>
+                        <Show when=move || is_editing.get()>
+                            <EnvVarsEditor env_vars_signal />
+                        </Show>
+                    </div>
+                </div>
+
+                // Resource Configuration
+                {if config.enable_resource_limits {
+                    view! {
+                        <div class="border-t pt-4">
+                            <div class="font-medium text-sm mb-3 flex items-center gap-2">
+                                <lucide_leptos::Cpu attr:class="w-4 h-4 text-primary" />
+                                Resource Configuration
+                            </div>
+                            <div class="grid grid-cols-2 md:grid-cols-4 gap-4 text-sm">
+                                <div>
+                                    <div class="text-muted-foreground text-xs mb-1 flex items-center gap-1">
+                                        <lucide_leptos::Gauge attr:class="w-3 h-3" />
+                                        CPU Request
+                                    </div>
+                                    <Show
+                                        when=move || is_editing.get()
+                                        fallback=move || view! {
+                                            <div class="font-mono text-xs bg-muted px-2 py-1 rounded">
+                                                {move || if cpu_request_signal.get().is_empty() { "Not set".to_string() } else { cpu_request_signal.get() }}
+                                            </div>
+                                        }
+                                    >
+                                        <Input
+                                            prop:value=move || cpu_request_signal.get()
+                                            on:input=move |ev| cpu_request_signal.set(event_target_value(&ev))
+                                            class="text-xs font-mono"
+                                            attr:placeholder="e.g., 100m"
+                                        />
+                                    </Show>
+                                </div>
+                                <div>
+                                    <div class="text-muted-foreground text-xs mb-1 flex items-center gap-1">
+                                        <lucide_leptos::Zap attr:class="w-3 h-3" />
+                                        CPU Limit
+                                    </div>
+                                    <Show
+                                        when=move || is_editing.get()
+                                        fallback=move || view! {
+                                            <div class="font-mono text-xs bg-muted px-2 py-1 rounded">
+                                                {move || if cpu_limit_signal.get().is_empty() { "Not set".to_string() } else { cpu_limit_signal.get() }}
+                                            </div>
+                                        }
+                                    >
+                                        <Input
+                                            prop:value=move || cpu_limit_signal.get()
+                                            on:input=move |ev| cpu_limit_signal.set(event_target_value(&ev))
+                                            class="text-xs font-mono"
+                                            attr:placeholder="e.g., 500m"
+                                        />
+                                    </Show>
+                                </div>
+                                <div>
+                                    <div class="text-muted-foreground text-xs mb-1 flex items-center gap-1">
+                                        <lucide_leptos::Database attr:class="w-3 h-3" />
+                                        Memory Request
+                                    </div>
+                                    <Show
+                                        when=move || is_editing.get()
+                                        fallback=move || view! {
+                                            <div class="font-mono text-xs bg-muted px-2 py-1 rounded">
+                                                {move || if memory_request_signal.get().is_empty() { "Not set".to_string() } else { memory_request_signal.get() }}
+                                            </div>
+                                        }
+                                    >
+                                        <Input
+                                            prop:value=move || memory_request_signal.get()
+                                            on:input=move |ev| memory_request_signal.set(event_target_value(&ev))
+                                            class="text-xs font-mono"
+                                            attr:placeholder="e.g., 128Mi"
+                                        />
+                                    </Show>
+                                </div>
+                                <div>
+                                    <div class="text-muted-foreground text-xs mb-1 flex items-center gap-1">
+                                        <lucide_leptos::HardDrive attr:class="w-3 h-3" />
+                                        Memory Limit
+                                    </div>
+                                    <Show
+                                        when=move || is_editing.get()
+                                        fallback=move || view! {
+                                            <div class="font-mono text-xs bg-muted px-2 py-1 rounded">
+                                                {move || if memory_limit_signal.get().is_empty() { "Not set".to_string() } else { memory_limit_signal.get() }}
+                                            </div>
+                                        }
+                                    >
+                                        <Input
+                                            prop:value=move || memory_limit_signal.get()
+                                            on:input=move |ev| memory_limit_signal.set(event_target_value(&ev))
+                                            class="text-xs font-mono"
+                                            attr:placeholder="e.g., 512Mi"
+                                        />
+                                    </Show>
+                                </div>
+                            </div>
+                        </div>
+                    }.into_any()
+                } else {
+                    view! {
+                        <div class="border-t pt-4">
+                            <div class="font-medium text-sm mb-3 flex items-center gap-2">
+                                <lucide_leptos::Cpu attr:class="w-4 h-4 text-primary" />
+                                Resource Configuration
+                            </div>
+                            <div class="text-xs text-muted-foreground mb-2">
+                                Resource limits and requests are managed at the app catalog level and cannot be customized per environment.
+                            </div>
+                            <div class="grid grid-cols-2 md:grid-cols-4 gap-4 text-sm">
+                                <div>
+                                    <div class="text-muted-foreground text-xs mb-1 flex items-center gap-1">
+                                        <lucide_leptos::Gauge attr:class="w-3 h-3" />
+                                        CPU Request
+                                    </div>
+                                    <div class="font-mono text-xs bg-muted px-2 py-1 rounded">
+                                        {cpu_request_display.clone().unwrap_or_else(|| "Not set".to_string())}
+                                    </div>
+                                </div>
+                                <div>
+                                    <div class="text-muted-foreground text-xs mb-1 flex items-center gap-1">
+                                        <lucide_leptos::Zap attr:class="w-3 h-3" />
+                                        CPU Limit
+                                    </div>
+                                    <div class="font-mono text-xs bg-muted px-2 py-1 rounded">
+                                        {cpu_limit_display.clone().unwrap_or_else(|| "Not set".to_string())}
+                                    </div>
+                                </div>
+                                <div>
+                                    <div class="text-muted-foreground text-xs mb-1 flex items-center gap-1">
+                                        <lucide_leptos::Database attr:class="w-3 h-3" />
+                                        Memory Request
+                                    </div>
+                                    <div class="font-mono text-xs bg-muted px-2 py-1 rounded">
+                                        {memory_request_display.clone().unwrap_or_else(|| "Not set".to_string())}
+                                    </div>
+                                </div>
+                                <div>
+                                    <div class="text-muted-foreground text-xs mb-1 flex items-center gap-1">
+                                        <lucide_leptos::HardDrive attr:class="w-3 h-3" />
+                                        Memory Limit
+                                    </div>
+                                    <div class="font-mono text-xs bg-muted px-2 py-1 rounded">
+                                        {memory_limit_display.clone().unwrap_or_else(|| "Not set".to_string())}
+                                    </div>
+                                </div>
+                            </div>
+                        </div>
+                    }.into_any()
+                }}
+
+                // Error message
+                <Show when=move || error_message.get().is_some()>
+                    <div class="p-3 bg-destructive/10 border border-destructive/20 rounded-md">
+                        <div class="text-sm text-destructive">
+                            {move || error_message.get().unwrap_or_default()}
+                        </div>
+                    </div>
+                </Show>
+            </div>
+        </div>
+        <AlertDialogContent open=reset_dialog_open>
+            <AlertDialogHeader>
+                <AlertDialogTitle>{reset_title_text.get_value()}</AlertDialogTitle>
+                <AlertDialogDescription>
+                    "This will remove all customizations for this container and restore the original configuration."
+                </AlertDialogDescription>
+            </AlertDialogHeader>
+            <AlertDialogFooter>
+                <Button variant=ButtonVariant::Outline on:click=move |_| reset_dialog_open.set(false)>
+                    Cancel
+                </Button>
+                <Button
+                    variant=ButtonVariant::Destructive
+                    on:click=move |_| {
+                        reset_dialog_open.set(false);
+                        if config.is_branch_environment {
+                            if let Some(action) = branch_reset_action.clone() {
+                                action.dispatch(());
+                            }
+                        } else {
+                            let mut containers_clone = containers_store.get_value();
+                            if let Some(target) = containers_clone.get_mut(container_index) {
+                                target.image = KubeContainerImage::FollowOriginal;
+                                target.cpu_request = None;
+                                target.cpu_limit = None;
+                                target.memory_request = None;
+                                target.memory_limit = None;
+                                target.env_vars.clear();
+                            }
+                            update_action.dispatch(containers_clone);
+                        }
+                    }
+                    disabled=Signal::derive(move || {
+                        let branch_pending = branch_reset_action
+                            .as_ref()
+                            .map(|action| action.pending().get())
+                            .unwrap_or(false);
+                        update_action.pending().get() || branch_pending
+                    })
+                >
+                    Reset Container
+                </Button>
+            </AlertDialogFooter>
+        </AlertDialogContent>
+    }
+}
+
+#[component]
+pub fn EnvVarsEditor(env_vars_signal: RwSignal<Vec<KubeEnvVar>>) -> impl IntoView {
+    let add_env_var = Callback::new(move |_| {
+        env_vars_signal.update(|vars| {
+            vars.push(KubeEnvVar {
+                name: String::new(),
+                value: String::new(),
+            });
+        });
+    });
+
+    view! {
+        <div class="flex flex-col gap-2">
+            <div class="flex items-center justify-between">
+                <span class="text-xs font-medium text-muted-foreground">Variables</span>
+                <Button
+                    variant=ButtonVariant::Outline
+                    class="px-2 py-1 h-auto text-xs"
+                    on:click=move |_| add_env_var.run(())
+                >
+                    <lucide_leptos::Plus attr:class="w-3 h-3" />
+                    Add Variable
+                </Button>
+            </div>
+
+            <div class="space-y-2">
+                {move || {
+                    env_vars_signal.with(|env_vars| {
+                        env_vars.iter().enumerate().map(|(index, env_var)| {
+                            let env_var_name = env_var.name.clone();
+                            let env_var_value = env_var.value.clone();
+
+                            view! {
+                                <div class="flex gap-2 items-center">
+                                    <Input
+                                        prop:value=env_var_name.clone()
+                                        on:input=move |ev| {
+                                            let new_name = event_target_value(&ev);
+                                            env_vars_signal.update(|vars| {
+                                                if let Some(var) = vars.get_mut(index) {
+                                                    var.name = new_name;
+                                                }
+                                            });
+                                        }
+                                        attr:placeholder="Variable name"
+                                        class="text-xs font-mono flex-1"
+                                    />
+                                    <Input
+                                        prop:value=env_var_value.clone()
+                                        on:input=move |ev| {
+                                            let new_value = event_target_value(&ev);
+                                            env_vars_signal.update(|vars| {
+                                                if let Some(var) = vars.get_mut(index) {
+                                                    var.value = new_value;
+                                                }
+                                            });
+                                        }
+                                        attr:placeholder="Variable value"
+                                        class="text-xs font-mono flex-1"
+                                    />
+                                    <Button
+                                        variant=ButtonVariant::Ghost
+                                        class="px-2 py-1 h-auto text-red-600 hover:text-red-700"
+                                        on:click=move |_| {
+                                            env_vars_signal.update(|vars| {
+                                                if index < vars.len() {
+                                                    vars.remove(index);
+                                                }
+                                            });
+                                        }
+                                    >
+                                        <lucide_leptos::Trash2 attr:class="w-3 h-3" />
+                                    </Button>
+                                </div>
+                            }
+                        }).collect::<Vec<_>>()
+                    })
+                }}
+
+                {move || {
+                    let vars = env_vars_signal.get();
+                    if vars.is_empty() {
+                        view! {
+                            <div class="text-xs text-muted-foreground italic py-2">
+                                No environment variables configured
+                            </div>
+                        }.into_any()
+                    } else {
+                        view! { <div></div> }.into_any()
+                    }
+                }}
+            </div>
+        </div>
+    }
+}
+
+#[component]
+pub fn EnvVarsDisplay(env_vars: Vec<KubeEnvVar>) -> impl IntoView {
+    view! {
+        <div class="space-y-2">
+            {
+                if env_vars.is_empty() {
+                    view! {
+                        <div class="text-sm text-muted-foreground italic text-center py-4">
+                            No environment variables configured
+                        </div>
+                    }.into_any()
+                } else {
+                    env_vars.into_iter().map(|env_var| {
+                        let is_long_value = env_var.value.len() > 60;
+                        let is_expanded = RwSignal::new(false);
+                        let should_mask = should_mask_env_value(&env_var.name);
+                        let is_value_visible = RwSignal::new(!should_mask);
+
+                        view! {
+                            <EnvVarCard
+                                env_var
+                                is_long_value
+                                is_expanded
+                                should_mask
+                                is_value_visible
+                            />
+                        }
+                    }).collect::<Vec<_>>().into_any()
+                }
+            }
+        </div>
+    }
+}
+
+#[component]
+fn EnvVarCard(
+    env_var: KubeEnvVar,
+    is_long_value: bool,
+    is_expanded: RwSignal<bool>,
+    should_mask: bool,
+    is_value_visible: RwSignal<bool>,
+) -> impl IntoView {
+    // Clone values upfront to avoid move conflicts
+    let env_name = env_var.name.clone();
+    let env_value = env_var.value.clone();
+
+    view! {
+        <div class="border rounded-lg p-3 bg-card hover:bg-muted/20 transition-colors">
+            <div class="flex items-start justify-between gap-3">
+                <div class="flex-1 min-w-0">
+                    // Environment variable name
+                    <div class="flex items-center gap-2 mb-2">
+                        <code class="font-mono text-sm font-semibold text-foreground break-all">
+                            {env_name.clone()}
+                        </code>
+                        {if should_mask {
+                            view! {
+                                <Badge variant=BadgeVariant::Secondary class="text-xs px-1 py-0">
+                                    <lucide_leptos::Lock attr:class="w-3 h-3 mr-1" />
+                                    "Sensitive"
+                                </Badge>
+                            }.into_any()
+                        } else {
+                            view! { <div></div> }.into_any()
+                        }}
+                    </div>
+
+                    // Environment variable value
+                    <div class="font-mono text-xs text-muted-foreground">
+                        {
+                            let env_value_for_display = env_value.clone();
+                            move || {
+                                let display_value = if is_value_visible.get() {
+                                    if is_long_value && !is_expanded.get() {
+                                        format!("{}...", &env_value_for_display[..57])
+                                    } else {
+                                        env_value_for_display.clone()
+                                    }
+                                } else {
+                                    "••••••••••••••••".to_string()
+                                };
+
+                                view! {
+                                    <div class="break-all leading-relaxed">
+                                        {display_value}
+                                    </div>
+                                }
+                            }
+                        }
+                    </div>
+                </div>
+
+                // Action buttons
+                <div class="flex gap-1">
+                    // Show/hide sensitive values button
+                    {if should_mask {
+                        view! {
+                            <Button
+                                variant=ButtonVariant::Ghost
+                                class="h-6 w-6 p-0 hover:bg-muted"
+                                on:click=move |_| is_value_visible.update(|v| *v = !*v)
+                                attr:title=move || if is_value_visible.get() { "Hide value" } else { "Show value" }
+                            >
+                                {move || if is_value_visible.get() {
+                                    view! { <lucide_leptos::EyeOff attr:class="w-3 h-3" /> }.into_any()
+                                } else {
+                                    view! { <lucide_leptos::Eye attr:class="w-3 h-3" /> }.into_any()
+                                }}
+                            </Button>
+                        }.into_any()
+                    } else {
+                        view! { <div></div> }.into_any()
+                    }}
+
+                    // Expand/collapse long values button
+                    {if is_long_value {
+                        view! {
+                            <Button
+                                variant=ButtonVariant::Ghost
+                                class="h-6 w-6 p-0 hover:bg-muted"
+                                on:click=move |_| is_expanded.update(|e| *e = !*e)
+                                attr:title=move || if is_expanded.get() { "Collapse" } else { "Expand" }
+                            >
+                                {move || if is_expanded.get() {
+                                    view! { <lucide_leptos::ChevronUp attr:class="w-3 h-3" /> }.into_any()
+                                } else {
+                                    view! { <lucide_leptos::ChevronDown attr:class="w-3 h-3" /> }.into_any()
+                                }}
+                            </Button>
+                        }.into_any()
+                    } else {
+                        view! { <div></div> }.into_any()
+                    }}
+                </div>
+            </div>
+        </div>
+    }
+}
+
+// Helper function to determine if an environment variable value should be masked
+fn should_mask_env_value(name: &str) -> bool {
+    let name_lower = name.to_lowercase();
+    name_lower.contains("password")
+        || name_lower.contains("secret")
+        || name_lower.contains("key")
+        || name_lower.contains("token")
+        || name_lower.contains("api_key")
+        || name_lower.contains("auth")
+        || name_lower.ends_with("_key")
+        || name_lower.ends_with("_secret")
+        || name_lower.ends_with("_token")
+}
diff --git a/crates/dashboard/src/kube_environment.rs b/crates/dashboard/src/kube_environment.rs
new file mode 100644
index 0000000..1c82c3d
--- /dev/null
+++ b/crates/dashboard/src/kube_environment.rs
@@ -0,0 +1,617 @@
+use anyhow::{anyhow, Result};
+use chrono::DateTime;
+use lapdev_api_hrpc::HrpcServiceClient;
+use lapdev_common::console::Organization;
+use lapdev_common::kube::{
+    KubeEnvironment, KubeEnvironmentStatus, PagePaginationParams, PaginatedInfo, PaginatedResult,
+};
+use leptos::{prelude::*, task::spawn_local_scoped_with_cancellation};
+use leptos_router::hooks::use_location;
+use uuid::Uuid;
+
+use crate::{
+    component::{
+        badge::{Badge, BadgeVariant},
+        button::{Button, ButtonVariant},
+        dropdown_menu::{
+            DropdownMenu, DropdownMenuContent, DropdownMenuItem, DropdownMenuTrigger,
+            DropdownPlacement,
+        },
+        pagination::PagePagination,
+        table::{Table, TableBody, TableCell, TableHead, TableHeader, TableRow},
+        typography::{H3, H4, P},
+    },
+    docs_url,
+    modal::{DatetimeModal, DeleteModal, ErrorResponse},
+    organization::get_current_org,
+    sse::run_sse_with_retry,
+    DOCS_ENVIRONMENT_PATH,
+};
+
+#[component]
+pub fn KubeEnvironment() -> impl IntoView {
+    let update_counter = RwSignal::new_local(0);
+    let location = use_location();
+
+    // Derive environment type from the route
+    let environment_type = Signal::derive(move || {
+        let pathname = location.pathname.get();
+        if pathname.ends_with("/shared") {
+            EnvironmentType::Shared
+        } else if pathname.ends_with("/branch") {
+            EnvironmentType::Branch
+        } else {
+            // Default to Personal for /kubernetes/environments and /kubernetes/environments/personal
+            EnvironmentType::Personal
+        }
+    });
+
+    let title = move || match environment_type.get() {
+        EnvironmentType::Personal => "Personal Environments",
+        EnvironmentType::Shared => "Shared Environments",
+        EnvironmentType::Branch => "Branch Environments",
+    };
+
+    let description = move || match environment_type.get() {
+        EnvironmentType::Personal => {
+            "View and manage your personal Kubernetes development environments."
+        }
+        EnvironmentType::Shared => {
+            "View and manage shared Kubernetes development environments accessible to your team."
+        }
+        EnvironmentType::Branch => "View and manage branch Kubernetes development environments.",
+    };
+
+    view! {
+        <div class="flex flex-col gap-6">
+            <div class="flex flex-col gap-2 items-start">
+                <H3>{title}</H3>
+                <P>{description}</P>
+                <a href=docs_url(DOCS_ENVIRONMENT_PATH) target="_blank" rel="noopener noreferrer">
+                    <Badge variant=BadgeVariant::Secondary>Docs <lucide_leptos::ExternalLink /></Badge>
+                </a>
+            </div>
+
+            <KubeEnvironmentList update_counter environment_type />
+        </div>
+    }
+}
+
+async fn all_kube_environments(
+    org: Signal<Option<Organization>>,
+    search: Option<String>,
+    is_shared: bool,
+    is_branch: bool,
+    pagination: Option<PagePaginationParams>,
+) -> Result<PaginatedResult<KubeEnvironment>> {
+    let org = org.get().ok_or_else(|| anyhow!("can't get org"))?;
+    let client = HrpcServiceClient::new("/api/rpc".to_string());
+    Ok(client
+        .all_kube_environments(org.id, search, is_shared, is_branch, pagination)
+        .await??)
+}
+
+async fn delete_environment(
+    org: Signal<Option<Organization>>,
+    environment_id: Uuid,
+    delete_modal_open: RwSignal<bool>,
+    update_counter: RwSignal<usize, LocalStorage>,
+) -> Result<(), ErrorResponse> {
+    let org = org.get().ok_or_else(|| anyhow!("can't get org"))?;
+    let client = HrpcServiceClient::new("/api/rpc".to_string());
+
+    client
+        .delete_kube_environment(org.id, environment_id)
+        .await??;
+
+    delete_modal_open.set(false);
+    update_counter.update(|c| *c += 1);
+
+    Ok(())
+}
+
+#[derive(Clone, PartialEq)]
+pub enum EnvironmentType {
+    Personal,
+    Shared,
+    Branch,
+}
+
+#[component]
+pub fn KubeEnvironmentList(
+    update_counter: RwSignal<usize, LocalStorage>,
+    environment_type: Signal<EnvironmentType>,
+) -> impl IntoView {
+    let org = get_current_org();
+    let search_query = RwSignal::new(String::new());
+    let debounced_search = RwSignal::new(String::new());
+    let current_page = RwSignal::new(1usize);
+    let page_size = RwSignal::new(20usize);
+    let is_loading = RwSignal::new(false);
+    let sse_started = StoredValue::new(false);
+
+    // Debounce search input (300ms delay)
+    let search_timeout_handle: StoredValue<Option<leptos::leptos_dom::helpers::TimeoutHandle>> =
+        StoredValue::new(None);
+
+    Effect::new(move |_| {
+        let query = search_query.get();
+
+        // Clear any existing timeout
+        if let Some(h) = search_timeout_handle.get_value() {
+            h.clear();
+        }
+
+        // Set new timeout
+        let h = leptos::leptos_dom::helpers::set_timeout_with_handle(
+            move || {
+                debounced_search.set(query.clone());
+                current_page.set(1); // Reset to first page on search
+            },
+            std::time::Duration::from_millis(300),
+        )
+        .expect("set timeout for search debounce");
+        search_timeout_handle.set_value(Some(h));
+    });
+
+    on_cleanup(move || {
+        if let Some(Some(h)) = search_timeout_handle.try_get_value() {
+            h.clear();
+        }
+    });
+
+    let environments_result = LocalResource::new(move || {
+        let search = debounced_search.get();
+        let page = current_page.get();
+        let env_type = environment_type.get();
+        let is_shared = env_type == EnvironmentType::Shared;
+        let is_branch = env_type == EnvironmentType::Branch;
+        let search_param = if search.trim().is_empty() {
+            None
+        } else {
+            Some(search)
+        };
+        let pagination = Some(PagePaginationParams {
+            page,
+            page_size: page_size.get(),
+        });
+        async move {
+            is_loading.set(true);
+            let result = all_kube_environments(org, search_param, is_shared, is_branch, pagination)
+                .await
+                .unwrap_or_else(|_| PaginatedResult {
+                    data: vec![],
+                    pagination_info: PaginatedInfo {
+                        total_count: 0,
+                        page: 1,
+                        page_size: 20,
+                        total_pages: 0,
+                    },
+                });
+            is_loading.set(false);
+            result
+        }
+    });
+
+    Effect::new(move |_| {
+        update_counter.track();
+        environments_result.refetch();
+    });
+
+    Effect::new(move |_| {
+        debounced_search.track();
+        environments_result.refetch();
+    });
+
+    Effect::new(move |_| {
+        current_page.track();
+        environments_result.refetch();
+    });
+
+    Effect::new(move |_| {
+        page_size.track();
+        current_page.set(1); // Reset to first page when page size changes
+        environments_result.refetch();
+    });
+
+    Effect::new(move |_| {
+        environment_type.track();
+        current_page.set(1); // Reset to first page when environment type changes
+        environments_result.refetch();
+    });
+
+    Effect::new(move |_| {
+        if sse_started.get_value() {
+            return;
+        }
+
+        if let Some(org) = org.get() {
+            sse_started.set_value(true);
+            let org_id = org.id;
+            let update_counter = update_counter;
+            spawn_local_scoped_with_cancellation(async move {
+                let url = format!("/api/v1/organizations/{}/kube/environments/events", org_id);
+                let listener_name = format!("organization {} environments", org_id);
+                run_sse_with_retry(url, "environment", listener_name, move |_message| {
+                    update_counter.update(|c| *c += 1);
+                })
+                .await;
+            });
+        }
+    });
+
+    let environment_list = Signal::derive(move || {
+        environments_result
+            .get()
+            .map(|r| r.data)
+            .unwrap_or_default()
+    });
+    let pagination_info = Signal::derive(move || {
+        environments_result
+            .get()
+            .map(|r| r.pagination_info)
+            .unwrap_or_else(|| PaginatedInfo {
+                total_count: 0,
+                page: 1,
+                page_size: page_size.get(),
+                total_pages: 0,
+            })
+    });
+    let current_page_signal = Signal::derive(move || current_page.get());
+    let total_pages_signal = Signal::derive(move || pagination_info.with(|i| i.total_pages));
+
+    view! {
+        <EnvironmentContent
+            search_query
+            debounced_search
+            environment_list
+            pagination_info
+            current_page_signal
+            total_pages_signal
+            current_page
+            is_loading
+            page_size
+            update_counter
+        />
+    }
+}
+
+#[component]
+pub fn EnvironmentContent(
+    search_query: RwSignal<String>,
+    debounced_search: RwSignal<String>,
+    environment_list: Signal<Vec<KubeEnvironment>>,
+    pagination_info: Signal<PaginatedInfo>,
+    current_page_signal: Signal<usize>,
+    total_pages_signal: Signal<usize>,
+    current_page: RwSignal<usize>,
+    is_loading: RwSignal<bool>,
+    page_size: RwSignal<usize>,
+    update_counter: RwSignal<usize, LocalStorage>,
+) -> impl IntoView {
+    view! {
+        <div class="flex flex-col gap-4">
+            <div class="flex items-center gap-4">
+                <div class="relative flex-1 max-w-sm">
+                    <lucide_leptos::Search attr:class="absolute left-3 top-1/2 transform -translate-y-1/2 text-muted-foreground h-4 w-4" />
+                    <input
+                        type="text"
+                        placeholder="Search environments..."
+                        class="pl-10 pr-4 py-2 w-full border border-input rounded-md bg-background text-sm focus:outline-none focus:ring-2 focus:ring-ring focus:border-transparent"
+                        on:input=move |ev| {
+                            search_query.set(event_target_value(&ev));
+                        }
+                        prop:value=move || search_query.get()
+                    />
+                </div>
+            </div>
+
+            <PagePagination
+                pagination_info
+                page_size
+                current_page=current_page_signal
+                total_pages=total_pages_signal
+                on_page_change=Callback::new(move |page| {
+                    current_page.set(page);
+                })
+            />
+
+            <div class="rounded-lg border relative">
+                // Loading overlay
+                <Show when=move || is_loading.get()>
+                    <div class="absolute inset-0 bg-white/50 backdrop-blur-sm z-10 flex items-center justify-center">
+                        <div class="flex items-center gap-2 text-sm text-muted-foreground">
+                            <div class="animate-spin rounded-full h-4 w-4 border-2 border-current border-t-transparent"></div>
+                            "Loading..."
+                        </div>
+                    </div>
+                </Show>
+
+                <Table>
+                    <TableHeader class="bg-muted">
+                        <TableRow>
+                            <TableHead>Name</TableHead>
+                            <TableHead>Namespace</TableHead>
+                            <TableHead>App Catalog</TableHead>
+                            <TableHead>Cluster</TableHead>
+                            <TableHead>Type</TableHead>
+                            <TableHead>Status</TableHead>
+                            <TableHead>Created</TableHead>
+                            <TableHead class="pr-4">Actions</TableHead>
+                        </TableRow>
+                    </TableHeader>
+                    <TableBody>
+                        <For
+                            each=move || environment_list.get()
+                            key=|env| env.id
+                            children=move |environment| {
+                                let env_id = environment.id;
+                                let initial_status = environment.status;
+                                let status_signal = Signal::derive(move || {
+                                    environment_list.with(|list| {
+                                        list.iter()
+                                            .find(|env| env.id == env_id)
+                                            .map(|env| env.status)
+                                            .unwrap_or(initial_status)
+                                    })
+                                });
+
+                                view! {
+                                    <KubeEnvironmentItem
+                                        environment=environment.clone()
+                                        status=status_signal
+                                        update_counter
+                                    />
+                                }
+                            }
+                        />
+                    </TableBody>
+                </Table>
+
+                {move || {
+                    let environments = environment_list.get();
+                    let search_term = debounced_search.get();
+                    let is_searching = !search_term.trim().is_empty();
+                    if environments.is_empty() {
+                        if is_searching {
+                            view! {
+                                <div class="flex flex-col items-center justify-center py-12 text-center">
+                                    <div class="rounded-full bg-muted p-3 mb-4">
+                                        <lucide_leptos::Search />
+                                    </div>
+                                    <H4 class="mb-2">No Results Found</H4>
+                                    <P class="text-muted-foreground mb-4 max-w-sm">
+                                        {format!(
+                                            "No environments match your search for \"{search_term}\". Try adjusting your search terms.",
+                                        )}
+                                    </P>
+                                </div>
+                            }
+                                .into_any()
+                        } else {
+                            view! {
+                                <div class="flex flex-col items-center justify-center py-12 text-center">
+                                    <div class="rounded-full bg-muted p-3 mb-4">
+                                        <lucide_leptos::Container />
+                                    </div>
+                                    <H4 class="mb-2">No Environments</H4>
+                                    <P class="text-muted-foreground mb-4 max-w-sm">
+                                        Deploy your first environment from an app catalog to get started.
+                                    </P>
+                                </div>
+                            }
+                                .into_any()
+                        }
+                    } else {
+                        ().into_any()
+                    }
+                }}
+            </div>
+        </div>
+    }
+}
+
+#[component]
+pub fn KubeEnvironmentItem(
+    environment: KubeEnvironment,
+    status: Signal<KubeEnvironmentStatus>,
+    update_counter: RwSignal<usize, LocalStorage>,
+) -> impl IntoView {
+    let env_name_for_delete = environment.name.clone();
+
+    let navigate = leptos_router::hooks::use_navigate();
+    let environment_id = environment.id;
+    let needs_catalog_sync = environment.catalog_update_available;
+    // let view_details = move |_| {
+    //     let url = format!("/kubernetes/environments/{}", environment_id);
+    //     navigate(&url, Default::default());
+    // };
+
+    // let delete_environment = move |_| {
+    //     // TODO: Implement delete functionality
+    //     leptos::logging::log!("Delete environment: {}", env_name_for_delete);
+    // };
+
+    let status_signal = status;
+    let status_variant = Signal::derive(move || match status_signal.get() {
+        KubeEnvironmentStatus::Running => BadgeVariant::Secondary,
+        KubeEnvironmentStatus::Creating
+        | KubeEnvironmentStatus::Pausing
+        | KubeEnvironmentStatus::Resuming
+        | KubeEnvironmentStatus::Paused
+        | KubeEnvironmentStatus::Deleting
+        | KubeEnvironmentStatus::Deleted => BadgeVariant::Outline,
+        KubeEnvironmentStatus::Failed
+        | KubeEnvironmentStatus::Error
+        | KubeEnvironmentStatus::PauseFailed
+        | KubeEnvironmentStatus::ResumeFailed => BadgeVariant::Destructive,
+    });
+
+    let dropdown_expanded = RwSignal::new(false);
+    let delete_modal_open = RwSignal::new(false);
+    let org = get_current_org();
+    let environment_id_for_delete = environment_id;
+    let delete_action = Action::new_local(move |_| {
+        delete_environment(
+            org,
+            environment_id_for_delete,
+            delete_modal_open,
+            update_counter,
+        )
+    });
+    let details_url = format!("/kubernetes/environments/{}", environment_id);
+    let catalog_url = format!("/kubernetes/catalogs/{}", environment.app_catalog_id);
+    let cluster_url = format!("/kubernetes/clusters/{}", environment.cluster_id);
+    let resources_url = format!(
+        "/kubernetes/clusters/{}?namespace={}",
+        environment.cluster_id, environment.namespace
+    );
+
+    let is_branch = environment.base_environment_id.is_some();
+    let is_shared = environment.is_shared;
+
+    view! {
+        <TableRow>
+            <TableCell>
+                <div class="flex items-center gap-2">
+                    <a href={format!("/kubernetes/environments/{}", environment.id)}>
+                        <Button variant=ButtonVariant::Link class="p-0">
+                            <span class="font-medium">{environment.name.clone()}</span>
+                        </Button>
+                    </a>
+                    {if needs_catalog_sync {
+                        view! {
+                            <Badge variant=BadgeVariant::Destructive class="text-[10px] uppercase tracking-wide">"Sync required"</Badge>
+                        }.into_any()
+                    } else {
+                        view! { <></> }.into_any()
+                    }}
+                </div>
+            </TableCell>
+            <TableCell>
+                <Badge variant=BadgeVariant::Outline>{environment.namespace.clone()}</Badge>
+            </TableCell>
+            <TableCell>
+                <a href={format!("/kubernetes/catalogs/{}", environment.app_catalog_id)}>
+                    <Button variant=ButtonVariant::Link class="p-0">
+                        <span class="font-medium">{environment.app_catalog_name.clone()}</span>
+                    </Button>
+                </a>
+            </TableCell>
+            <TableCell>
+                <a href={format!("/kubernetes/clusters/{}", environment.cluster_id)}>
+                    <Button variant=ButtonVariant::Link class="p-0">
+                        <span class="font-medium">{environment.cluster_name.clone()}</span>
+                    </Button>
+                </a>
+            </TableCell>
+            <TableCell>
+                <div class="flex flex-col gap-1">
+                    <Badge variant=BadgeVariant::Secondary>
+                        <span class="inline-flex items-center gap-2">
+                            {if is_branch {
+                                view! {
+                                    <>
+                                        <lucide_leptos::GitBranch attr:class="h-3 w-3" />
+                                        <span>"Branch"</span>
+                                    </>
+                                }.into_any()
+                            } else if is_shared {
+                                view! {
+                                    <>
+                                        <lucide_leptos::Users attr:class="h-3 w-3" />
+                                        <span>"Shared"</span>
+                                    </>
+                                }.into_any()
+                            } else {
+                                view! {
+                                    <>
+                                        <lucide_leptos::User attr:class="h-3 w-3" />
+                                        <span>"Personal"</span>
+                                    </>
+                                }.into_any()
+                            }}
+                        </span>
+                    </Badge>
+                    {if let (Some(base_name), Some(base_env_id)) = (environment.base_environment_name.clone(), environment.base_environment_id) {
+                        view! {
+                            <span class="text-xs text-muted-foreground">
+                                {"from "}
+                                <a href={format!("/kubernetes/environments/{}", base_env_id)}>
+                                    <Button variant=ButtonVariant::Link class="p-0 h-auto text-xs text-muted-foreground hover:text-foreground">
+                                        {base_name}
+                                    </Button>
+                                </a>
+                            </span>
+                        }.into_any()
+                    } else {
+                        view! { <div></div> }.into_any()
+                    }}
+                </div>
+            </TableCell>
+            <TableCell>
+                <Badge variant=status_variant>
+                    {move || status_signal.get().to_string()}
+                </Badge>
+            </TableCell>
+            <TableCell>
+                {match DateTime::parse_from_str(&environment.created_at, "%Y-%m-%d %H:%M:%S%.f %z") {
+                    Ok(time) => view! { <DatetimeModal time /> }.into_any(),
+                    Err(_) => view! {
+                        <span class="text-sm text-muted-foreground">{environment.created_at.clone()}</span>
+                    }.into_any(),
+                }}
+            </TableCell>
+            <TableCell class="pr-4">
+                <DropdownMenu open=dropdown_expanded>
+                    <DropdownMenuTrigger
+                        open=dropdown_expanded
+                        placement=DropdownPlacement::BottomRight
+                    >
+                        <Button variant=ButtonVariant::Ghost size=crate::component::button::ButtonSize::Sm class="px-2">
+                            <lucide_leptos::EllipsisVertical />
+                        </Button>
+                    </DropdownMenuTrigger>
+                    <DropdownMenuContent
+                        open=dropdown_expanded.read_only()
+                        class="min-w-48 -translate-x-2"
+                    >
+                        <DropdownMenuItem class="p-0">
+                            <a href=format!("/kubernetes/environments/{}", environment_id) class="flex items-center gap-2 px-2 py-1.5 w-full">
+                                <lucide_leptos::Eye />
+                                View Details
+                            </a>
+                        </DropdownMenuItem>
+                        <DropdownMenuItem class="p-0">
+                            <a href=format!("/kubernetes/catalogs/{}", environment.app_catalog_id) class="flex items-center gap-2 px-2 py-1.5 w-full">
+                                <lucide_leptos::Package />
+                                View App Catalog
+                            </a>
+                        </DropdownMenuItem>
+                        <DropdownMenuItem class="p-0">
+                            <a href=format!("/kubernetes/clusters/{}", environment.cluster_id) class="flex items-center gap-2 px-2 py-1.5 w-full">
+                                <lucide_leptos::Server />
+                                View Cluster
+                            </a>
+                        </DropdownMenuItem>
+                        <DropdownMenuItem
+                            on:click=move |_| {
+                                dropdown_expanded.set(false);
+                                delete_modal_open.set(true);
+                            }
+                            class="cursor-pointer text-destructive focus:text-destructive"
+                        >
+                            <lucide_leptos::Trash2 />
+                            Delete
+                        </DropdownMenuItem>
+                    </DropdownMenuContent>
+                </DropdownMenu>
+                <DeleteModal
+                    resource=env_name_for_delete
+                    open=delete_modal_open
+                    delete_action
+                />
+            </TableCell>
+        </TableRow>
+    }
+}
diff --git a/crates/dashboard/src/kube_environment_detail.rs b/crates/dashboard/src/kube_environment_detail.rs
new file mode 100644
index 0000000..55b19f9
--- /dev/null
+++ b/crates/dashboard/src/kube_environment_detail.rs
@@ -0,0 +1,2664 @@
+use std::{collections::HashMap, str::FromStr};
+
+use anyhow::{anyhow, Result};
+use futures::StreamExt;
+use lapdev_api_hrpc::HrpcServiceClient;
+use lapdev_common::{
+    console::Organization,
+    devbox::{
+        DevboxPortMapping, DevboxPortMappingOverride, DevboxSessionSummary,
+        DevboxWorkloadInterceptSummary,
+    },
+    kube::{
+        EnvironmentWorkloadStatusEvent, KubeCluster, KubeContainerInfo, KubeEnvironment,
+        KubeEnvironmentPreviewUrl, KubeEnvironmentService, KubeEnvironmentStatus,
+        KubeEnvironmentSyncStatus, KubeEnvironmentWorkload,
+    },
+};
+use leptos::{prelude::*, task::spawn_local_scoped_with_cancellation};
+use leptos_router::hooks::use_params_map;
+use serde::Deserialize;
+use uuid::Uuid;
+
+use crate::{
+    app::AppConfig,
+    component::{
+        alert::{Alert, AlertDescription, AlertTitle},
+        badge::{Badge, BadgeVariant},
+        button::{Button, ButtonSize, ButtonVariant},
+        card::Card,
+        input::Input,
+        label::Label,
+        table::{Table, TableBody, TableCell, TableHead, TableHeader, TableRow},
+        tabs::{Tabs, TabsContent, TabsList, TabsTrigger},
+        typography::{H3, H4, P},
+    },
+    docs_url,
+    modal::{DatetimeModal, DeleteModal, ErrorResponse, Modal},
+    organization::get_current_org,
+    sse::run_sse_with_retry,
+    DOCS_DEVBOX_PATH, DOCS_ENVIRONMENT_PATH,
+};
+
+#[derive(Clone, Debug, Deserialize)]
+struct EnvironmentLifecycleEvent {
+    status: KubeEnvironmentStatus,
+}
+
+const DEVBOX_INSTALL_UNIX_CMD: &str = "curl -fsSL https://get.lap.dev/lapdev-cli.sh | bash";
+const DEVBOX_INSTALL_WINDOWS_CMD: &str = "irm https://get.lap.dev/lapdev-cli.ps1 | iex";
+const DEVBOX_CONNECT_CMD: &str = "lapdev devbox connect";
+
+#[derive(Clone, Copy, Debug, PartialEq, Eq)]
+enum DevboxInstallTab {
+    LinuxMac,
+    Windows,
+}
+
+fn detect_devbox_install_tab() -> DevboxInstallTab {
+    #[cfg(target_arch = "wasm32")]
+    {
+        if let Ok(user_agent) = window().navigator().user_agent() {
+            let ua = user_agent.to_lowercase();
+            if ua.contains("windows") {
+                return DevboxInstallTab::Windows;
+            }
+        }
+    }
+
+    DevboxInstallTab::LinuxMac
+}
+
+#[component]
+pub fn KubeEnvironmentDetail() -> impl IntoView {
+    let params = use_params_map();
+    let environment_id = Signal::derive(move || {
+        params.with(|params| {
+            params
+                .get("environment_id")
+                .and_then(|id| Uuid::from_str(id.as_str()).ok())
+                .unwrap_or_default()
+        })
+    });
+
+    view! {
+        <div class="flex flex-col gap-6">
+            <div class="flex flex-col gap-2 items-start">
+                <H3>Environment Details</H3>
+                <P>
+                    View and manage details for this Kubernetes development environment.
+                </P>
+                <a href=docs_url(DOCS_ENVIRONMENT_PATH) target="_blank" rel="noopener noreferrer">
+                    <Badge variant=BadgeVariant::Secondary>
+                        Docs <lucide_leptos::ExternalLink />
+                    </Badge>
+                </a>
+            </div>
+
+            {
+                move || view!{
+                    <EnvironmentDetailView environment_id=environment_id.get() />
+                }
+            }
+        </div>
+    }
+}
+
+async fn get_environment_detail(
+    org: Signal<Option<Organization>>,
+    environment_id: Uuid,
+) -> Result<KubeEnvironment> {
+    let org = org.get().ok_or_else(|| anyhow!("can't get org"))?;
+    let client = HrpcServiceClient::new("/api/rpc".to_string());
+    Ok(client
+        .get_kube_environment(org.id, environment_id)
+        .await??)
+}
+
+async fn get_environment_cluster_info(
+    org: Signal<Option<Organization>>,
+    cluster_id: Uuid,
+) -> Result<KubeCluster> {
+    let org = org.get().ok_or_else(|| anyhow!("can't get org"))?;
+    let client = HrpcServiceClient::new("/api/rpc".to_string());
+    Ok(client.get_cluster_info(org.id, cluster_id).await??)
+}
+
+async fn get_environment_workloads(
+    org: Signal<Option<Organization>>,
+    environment_id: Uuid,
+) -> Result<Vec<KubeEnvironmentWorkload>> {
+    let org = org.get().ok_or_else(|| anyhow!("can't get org"))?;
+    let client = HrpcServiceClient::new("/api/rpc".to_string());
+    Ok(client
+        .get_environment_workloads(org.id, environment_id)
+        .await??)
+}
+
+async fn get_environment_services(
+    org: Signal<Option<Organization>>,
+    environment_id: Uuid,
+) -> Result<Vec<lapdev_common::kube::KubeEnvironmentService>> {
+    let org = org.get().ok_or_else(|| anyhow!("can't get org"))?;
+    let client = HrpcServiceClient::new("/api/rpc".to_string());
+    Ok(client
+        .get_environment_services(org.id, environment_id)
+        .await??)
+}
+
+async fn get_environment_preview_urls(
+    org: Signal<Option<Organization>>,
+    environment_id: Uuid,
+) -> Result<Vec<lapdev_common::kube::KubeEnvironmentPreviewUrl>> {
+    let org = org.get().ok_or_else(|| anyhow!("can't get org"))?;
+    let client = HrpcServiceClient::new("/api/rpc".to_string());
+    Ok(client
+        .get_environment_preview_urls(org.id, environment_id)
+        .await??)
+}
+
+async fn get_environment_intercepts(
+    environment_id: Uuid,
+) -> Result<Vec<DevboxWorkloadInterceptSummary>> {
+    let client = HrpcServiceClient::new("/api/rpc".to_string());
+    let response = client.devbox_intercept_list(environment_id).await??;
+    Ok(response.intercepts)
+}
+
+async fn start_workload_intercept(
+    workload_id: Uuid,
+    port_mappings: Vec<DevboxPortMappingOverride>,
+    update_counter: RwSignal<usize>,
+) -> Result<(), ErrorResponse> {
+    let client = HrpcServiceClient::new("/api/rpc".to_string());
+
+    client
+        .devbox_intercept_start(workload_id, port_mappings)
+        .await??;
+
+    update_counter.update(|c| *c += 1);
+
+    Ok(())
+}
+
+async fn stop_workload_intercept(
+    intercept_id: Uuid,
+    update_counter: RwSignal<usize>,
+) -> Result<(), ErrorResponse> {
+    let client = HrpcServiceClient::new("/api/rpc".to_string());
+
+    client.devbox_intercept_stop(intercept_id).await??;
+
+    update_counter.update(|c| *c += 1);
+
+    Ok(())
+}
+
+async fn delete_environment(
+    org: Signal<Option<Organization>>,
+    environment_id: Uuid,
+    delete_modal_open: RwSignal<bool>,
+) -> Result<(), ErrorResponse> {
+    let org = org.get().ok_or_else(|| anyhow!("can't get org"))?;
+    let client = HrpcServiceClient::new("/api/rpc".to_string());
+
+    client
+        .delete_kube_environment(org.id, environment_id)
+        .await??;
+
+    delete_modal_open.set(false);
+
+    Ok(())
+}
+
+async fn pause_environment(
+    org: Signal<Option<Organization>>,
+    environment_id: Uuid,
+) -> Result<(), ErrorResponse> {
+    let org = org.get().ok_or_else(|| anyhow!("can't get org"))?;
+    let client = HrpcServiceClient::new("/api/rpc".to_string());
+
+    client
+        .pause_kube_environment(org.id, environment_id)
+        .await??;
+
+    Ok(())
+}
+
+async fn resume_environment(
+    org: Signal<Option<Organization>>,
+    environment_id: Uuid,
+) -> Result<(), ErrorResponse> {
+    let org = org.get().ok_or_else(|| anyhow!("can't get org"))?;
+    let client = HrpcServiceClient::new("/api/rpc".to_string());
+
+    client
+        .resume_kube_environment(org.id, environment_id)
+        .await??;
+
+    Ok(())
+}
+
+async fn create_branch_environment(
+    org: Signal<Option<Organization>>,
+    base_environment_id: Uuid,
+    name: String,
+    create_branch_modal_open: RwSignal<bool>,
+) -> Result<KubeEnvironment, ErrorResponse> {
+    let org = org.get().ok_or_else(|| anyhow!("can't get org"))?;
+    let client = HrpcServiceClient::new("/api/rpc".to_string());
+
+    let env = client
+        .create_branch_environment(org.id, base_environment_id, name)
+        .await??;
+
+    create_branch_modal_open.set(false);
+
+    Ok(env)
+}
+
+async fn sync_environment_from_catalog(
+    org: Signal<Option<Organization>>,
+    environment_id: Uuid,
+) -> Result<(), ErrorResponse> {
+    let org = org.get().ok_or_else(|| anyhow!("can't get org"))?;
+    let client = HrpcServiceClient::new("/api/rpc".to_string());
+
+    client
+        .sync_environment_from_catalog(org.id, environment_id)
+        .await??;
+
+    Ok(())
+}
+
+async fn rebase_branch_environment(
+    org: Signal<Option<Organization>>,
+    environment_id: Uuid,
+) -> Result<(), ErrorResponse> {
+    let org = org.get().ok_or_else(|| anyhow!("can't get org"))?;
+    let client = HrpcServiceClient::new("/api/rpc".to_string());
+
+    client
+        .rebase_branch_environment(org.id, environment_id)
+        .await??;
+
+    Ok(())
+}
+
+async fn get_active_devbox_session() -> Result<Option<DevboxSessionSummary>> {
+    let client = HrpcServiceClient::new("/api/rpc".to_string());
+    let session = client
+        .devbox_session_get_session()
+        .await
+        .map_err(|err| anyhow!("failed to fetch devbox session: {err:?}"))?
+        .map_err(|err| anyhow!("failed to fetch devbox session: {err:?}"))?;
+
+    Ok(session)
+}
+
+fn build_port_overrides_from_workload_ports(
+    ports: &[lapdev_common::kube::KubeServicePort],
+    previous_mappings: Option<&[DevboxPortMapping]>,
+) -> Result<Vec<DevboxPortMappingOverride>, ErrorResponse> {
+    use std::convert::TryFrom;
+
+    let mut overrides = Vec::new();
+
+    if ports.is_empty() {
+        return Err(ErrorResponse {
+            error: "No ports available to intercept".to_string(),
+        });
+    }
+
+    for port in ports {
+        // Prefer the original container port when present; otherwise fall back to the current target or service port.
+        let target_port = port.original_target_port.unwrap_or(port.port);
+
+        let workload_port = u16::try_from(target_port).map_err(|_| ErrorResponse {
+            error: format!("Unsupported workload port: {}", target_port),
+        })?;
+
+        let local_port = previous_mappings
+            .and_then(|existing| {
+                existing
+                    .iter()
+                    .find(|mapping| mapping.workload_port == workload_port)
+            })
+            .map(|mapping| mapping.local_port)
+            .unwrap_or(workload_port);
+
+        overrides.push(DevboxPortMappingOverride {
+            workload_port,
+            local_port: Some(local_port),
+        });
+    }
+
+    Ok(overrides)
+}
+
+#[component]
+pub fn EnvironmentDetailView(environment_id: Uuid) -> impl IntoView {
+    let org = get_current_org();
+    let is_loading = RwSignal::new(false);
+    let delete_modal_open = RwSignal::new(false);
+    let create_branch_modal_open = RwSignal::new(false);
+    let branch_name = RwSignal::new(String::new());
+    let search_query = RwSignal::new(String::new());
+    let debounced_search = RwSignal::new(String::new());
+    let update_counter = RwSignal::new(0usize);
+    let readiness_map: RwSignal<HashMap<Uuid, Option<i32>>> = RwSignal::new(HashMap::new());
+    let sse_started = StoredValue::new(false);
+    let readiness_sse_started = StoredValue::new(false);
+    let environment_status = RwSignal::new(KubeEnvironmentStatus::Creating);
+
+    // Debounce search input (300ms delay)
+    let search_timeout_handle: StoredValue<Option<leptos::leptos_dom::helpers::TimeoutHandle>> =
+        StoredValue::new(None);
+
+    Effect::new(move |_| {
+        let query = search_query.get();
+
+        // Clear any existing timeout
+        if let Some(h) = search_timeout_handle.get_value() {
+            h.clear();
+        }
+
+        // Set new timeout
+        let h = leptos::leptos_dom::helpers::set_timeout_with_handle(
+            move || {
+                debounced_search.set(query.clone());
+            },
+            std::time::Duration::from_millis(300),
+        )
+        .expect("set timeout for search debounce");
+        search_timeout_handle.set_value(Some(h));
+    });
+
+    on_cleanup(move || {
+        if let Some(Some(h)) = search_timeout_handle.try_get_value() {
+            h.clear();
+        }
+    });
+
+    let config = use_context::<AppConfig>().unwrap();
+
+    let environment_result = LocalResource::new(move || async move {
+        is_loading.set(true);
+        let result = get_environment_detail(org, environment_id).await.ok();
+        if let Some(env) = result.as_ref() {
+            config.current_page.set(env.name.clone());
+            config.header_links.update(|header_links| {
+                if let Some((name, link)) = header_links.first_mut() {
+                    let (t, l) = if env.base_environment_id.is_some() {
+                        ("Branch", "branch")
+                    } else if env.is_shared {
+                        ("Shared", "shared")
+                    } else {
+                        ("Personal", "personal")
+                    };
+                    *name = format!("{t} Environments");
+                    *link = format!("/kubernetes/environments/{l}");
+                }
+            });
+        }
+        is_loading.set(false);
+        result
+    });
+
+    let workloads_result = LocalResource::new(move || {
+        update_counter.track();
+        async move {
+            let result = get_environment_workloads(org, environment_id)
+                .await
+                .unwrap_or_else(|_| vec![]);
+            result
+        }
+    });
+
+    let services_result = LocalResource::new(move || {
+        update_counter.track();
+        async move {
+            let result = get_environment_services(org, environment_id)
+                .await
+                .unwrap_or_else(|_| vec![]);
+            result
+        }
+    });
+
+    let preview_urls_result = LocalResource::new(move || {
+        update_counter.track();
+        async move {
+            get_environment_preview_urls(org, environment_id)
+                .await
+                .unwrap_or_else(|_| vec![])
+        }
+    });
+
+    let intercepts_result = LocalResource::new(move || {
+        update_counter.track();
+        async move {
+            get_environment_intercepts(environment_id)
+                .await
+                .unwrap_or_else(|_| vec![])
+        }
+    });
+
+    // Fetch active devbox session
+    let active_session =
+        LocalResource::new(move || async move { get_active_devbox_session().await.ok().flatten() });
+
+    Effect::new(move |_| {
+        if sse_started.get_value() {
+            return;
+        }
+
+        if let Some(org) = org.get() {
+            sse_started.set_value(true);
+            let org_id = org.id;
+            let environment_status = environment_status.clone();
+            spawn_local_scoped_with_cancellation({
+                let environment_status = environment_status.clone();
+                async move {
+                    let url = format!(
+                        "/api/v1/organizations/{}/kube/environments/{}/events",
+                        org_id, environment_id
+                    );
+
+                    let listener_name = format!("environment {} status", environment_id);
+                    run_sse_with_retry(url, "environment", listener_name, move |message| {
+                        if let Some(data) = message.data().as_string() {
+                            match serde_json::from_str::<EnvironmentLifecycleEvent>(&data) {
+                                Ok(payload) => {
+                                    environment_status.set(payload.status);
+                                    update_counter.update(|c| *c += 1);
+                                }
+                                Err(err) => {
+                                    web_sys::console::error_1(
+                                        &format!(
+                                            "Failed to parse environment event payload: {err}"
+                                        )
+                                        .into(),
+                                    );
+                                }
+                            }
+                        }
+                    })
+                    .await;
+                }
+            });
+        }
+    });
+
+    Effect::new(move |_| {
+        if readiness_sse_started.get_value() {
+            return;
+        }
+
+        if let Some(org) = org.get() {
+            readiness_sse_started.set_value(true);
+            let org_id = org.id;
+            spawn_local_scoped_with_cancellation({
+                let readiness_map = readiness_map.clone();
+                async move {
+                    let url = format!(
+                        "/api/v1/organizations/{}/kube/environments/{}/workloads/events",
+                        org_id, environment_id
+                    );
+
+                    let listener_name = format!("environment {} workloads", environment_id);
+                    run_sse_with_retry(
+                        url,
+                        "environment_workload",
+                        listener_name,
+                        move |message| {
+                            if let Some(data) = message.data().as_string() {
+                                match serde_json::from_str::<EnvironmentWorkloadStatusEvent>(&data)
+                                {
+                                    Ok(payload) => {
+                                        readiness_map.update(|map| {
+                                            map.insert(payload.workload_id, payload.ready_replicas);
+                                        });
+                                    }
+                                    Err(err) => {
+                                        web_sys::console::error_1(
+                                            &format!(
+                                                "Failed to parse environment workload event payload: {err}"
+                                            )
+                                            .into(),
+                                        );
+                                    }
+                                }
+                            }
+                        },
+                    )
+                    .await;
+                }
+            });
+        }
+    });
+
+    let environment_info = Signal::derive(move || environment_result.get().flatten());
+    {
+        let environment_status = environment_status.clone();
+        Effect::new(move |_| {
+            if let Some(env) = environment_info.get() {
+                environment_status.set(env.status.clone());
+            }
+        });
+    }
+    let environment_catalog_version = Signal::derive(move || {
+        environment_info
+            .get()
+            .map(|env| env.catalog_sync_version)
+            .unwrap_or(0)
+    });
+
+    let env_catalog_version_for_filter = environment_catalog_version.clone();
+    let all_workloads = Signal::derive(move || workloads_result.get().unwrap_or_default());
+    {
+        let readiness_map = readiness_map.clone();
+        Effect::new(move |_| {
+            let workloads = all_workloads.get();
+            readiness_map.update(|map| {
+                map.retain(|workload_id, _| workloads.iter().any(|w| w.id == *workload_id));
+                for workload in &workloads {
+                    map.insert(workload.id, workload.ready_replicas);
+                }
+            });
+        });
+    }
+    let all_services = Signal::derive(move || services_result.get().unwrap_or_default());
+    let all_preview_urls = Signal::derive(move || preview_urls_result.get().unwrap_or_default());
+    let all_intercepts = Signal::derive(move || intercepts_result.get().unwrap_or_default());
+
+    // Filter workloads based on search query
+    let filtered_workloads = Signal::derive(move || {
+        let env_version = env_catalog_version_for_filter.get();
+        let workloads = all_workloads.get();
+        let search_term = debounced_search.get().to_lowercase();
+
+        workloads
+            .into_iter()
+            .filter(|workload| {
+                workload.catalog_sync_version >= env_version
+                    && (search_term.trim().is_empty()
+                        || workload.name.to_lowercase().contains(&search_term))
+            })
+            .collect()
+    });
+
+    let navigate = leptos_router::hooks::use_navigate();
+    let navigate_clone = navigate.clone();
+    let delete_action = Action::new_local(move |_| {
+        let nav = navigate.clone();
+        async move {
+            match delete_environment(org, environment_id, delete_modal_open).await {
+                Ok(_) => {
+                    let t = if let Some(info) = environment_info.get_untracked() {
+                        if info.base_environment_id.is_some() {
+                            "branch"
+                        } else if info.is_shared {
+                            "shared"
+                        } else {
+                            "personal"
+                        }
+                    } else {
+                        "personal"
+                    };
+                    nav(&format!("/kubernetes/environments/{t}"), Default::default());
+                    Ok(())
+                }
+                Err(e) => Err(e),
+            }
+        }
+    });
+
+    let create_branch_action = Action::new_local(move |_| {
+        let nav = navigate_clone.clone();
+        async move {
+            let name = branch_name.get().trim().to_string();
+            if name.is_empty() {
+                return Err(ErrorResponse {
+                    error: "Branch environment name is required".to_string(),
+                });
+            }
+
+            match create_branch_environment(org, environment_id, name, create_branch_modal_open)
+                .await
+            {
+                Ok(env) => {
+                    nav(
+                        &format!("/kubernetes/environments/{}", env.id),
+                        Default::default(),
+                    );
+                    Ok(())
+                }
+                Err(e) => Err(e),
+            }
+        }
+    });
+
+    let environment_info_for_sync = environment_info.clone();
+    let sync_action = Action::new_local(move |_| {
+        let env_signal = environment_info_for_sync.clone();
+        async move {
+            let should_rebase = env_signal
+                .get_untracked()
+                .map(|env| env.base_environment_id.is_some())
+                .unwrap_or(false);
+
+            let result = if should_rebase {
+                rebase_branch_environment(org, environment_id).await
+            } else {
+                sync_environment_from_catalog(org, environment_id).await
+            };
+
+            match result {
+                Ok(_) => {
+                    environment_result.refetch();
+                    update_counter.update(|c| *c += 1);
+                    Ok(())
+                }
+                Err(e) => Err(e),
+            }
+        }
+    });
+
+    let pause_action = Action::new_local(move |_| async move {
+        match pause_environment(org, environment_id).await {
+            Ok(_) => {
+                environment_result.refetch();
+                update_counter.update(|c| *c += 1);
+                Ok(())
+            }
+            Err(e) => Err(e),
+        }
+    });
+
+    let resume_action = Action::new_local(move |_| async move {
+        match resume_environment(org, environment_id).await {
+            Ok(_) => {
+                environment_result.refetch();
+                update_counter.update(|c| *c += 1);
+                Ok(())
+            }
+            Err(e) => Err(e),
+        }
+    });
+
+    view! {
+        <div class="flex flex-col gap-6">
+            // Loading State
+            <Show when=move || is_loading.get()>
+                <div class="flex items-center justify-center py-12">
+                    <div class="flex items-center gap-2 text-sm text-muted-foreground">
+                        <div class="animate-spin rounded-full h-4 w-4 border-2 border-current border-t-transparent"></div>
+                        "Loading environment details..."
+                    </div>
+                </div>
+            </Show>
+
+            // Environment Information Card
+            <Show when=move || environment_info.get().is_some()>
+                <EnvironmentInfoCard
+                    environment_info
+                    environment_status=environment_status.into()
+                    delete_modal_open
+                    delete_action
+                    create_branch_modal_open
+                    create_branch_action
+                    branch_name
+                    sync_action
+                    pause_action
+                    resume_action
+                />
+            </Show>
+
+            // Devbox info
+            <Show when=move || environment_info.get().map(|env| env.is_shared).unwrap_or(false)>
+                <SharedEnvironmentDevboxCard />
+            </Show>
+            <Show when=move || environment_info.get().map(|env| !env.is_shared).unwrap_or(false)>
+                <DevboxSessionBanner active_session environment_id />
+            </Show>
+
+            // Environment Resources (Workloads & Services)
+            <Show when=move || environment_info.get().is_some()>
+                <EnvironmentResourcesTabs
+                    environment_id
+                    environment_is_shared=environment_info
+                        .get()
+                        .map(|env| env.is_shared)
+                        .unwrap_or(false)
+                    filtered_workloads
+                    search_query
+                    debounced_search
+                    all_workloads
+                    all_services
+                    all_preview_urls
+                    all_intercepts
+                    active_session
+                    update_counter
+                    readiness_map=readiness_map.clone()
+                />
+            </Show>
+
+            // Delete Modal
+            {move || {
+                if let Some(env) = environment_info.get() {
+                    view! {
+                        <DeleteModal
+                            resource=env.name
+                            open=delete_modal_open
+                            delete_action
+                        />
+                    }.into_any()
+                } else {
+                    view! { <div></div> }.into_any()
+                }
+            }}
+        </div>
+    }
+}
+
+#[component]
+pub fn EnvironmentInfoCard(
+    environment_info: Signal<Option<KubeEnvironment>>,
+    environment_status: Signal<KubeEnvironmentStatus>,
+    delete_modal_open: RwSignal<bool>,
+    delete_action: Action<(), Result<(), ErrorResponse>>,
+    create_branch_modal_open: RwSignal<bool>,
+    create_branch_action: Action<(), Result<(), ErrorResponse>>,
+    branch_name: RwSignal<String>,
+    sync_action: Action<(), Result<(), ErrorResponse>>,
+    pause_action: Action<(), Result<(), ErrorResponse>>,
+    resume_action: Action<(), Result<(), ErrorResponse>>,
+) -> impl IntoView {
+    let pause_pending = pause_action.pending();
+    let resume_pending = resume_action.pending();
+    let pause_result = pause_action.value();
+    let resume_result = resume_action.value();
+
+    let status_text = {
+        let environment_status = environment_status.clone();
+        Signal::derive(move || environment_status.get().to_string())
+    };
+    let status_variant = {
+        let environment_status = environment_status.clone();
+        Signal::derive(move || match environment_status.get() {
+            KubeEnvironmentStatus::Running => BadgeVariant::Secondary,
+            KubeEnvironmentStatus::Creating
+            | KubeEnvironmentStatus::Pausing
+            | KubeEnvironmentStatus::Resuming
+            | KubeEnvironmentStatus::Paused
+            | KubeEnvironmentStatus::Deleting
+            | KubeEnvironmentStatus::Deleted => BadgeVariant::Outline,
+            KubeEnvironmentStatus::Failed
+            | KubeEnvironmentStatus::Error
+            | KubeEnvironmentStatus::PauseFailed
+            | KubeEnvironmentStatus::ResumeFailed => BadgeVariant::Destructive,
+        })
+    };
+    let can_pause = {
+        let environment_status = environment_status.clone();
+        Signal::derive(move || {
+            matches!(
+                environment_status.get(),
+                KubeEnvironmentStatus::Running | KubeEnvironmentStatus::PauseFailed
+            )
+        })
+    };
+    let can_resume = {
+        let environment_status = environment_status.clone();
+        Signal::derive(move || {
+            matches!(
+                environment_status.get(),
+                KubeEnvironmentStatus::Paused
+                    | KubeEnvironmentStatus::PauseFailed
+                    | KubeEnvironmentStatus::ResumeFailed
+            )
+        })
+    };
+    let is_deleting = {
+        let environment_status = environment_status.clone();
+        Signal::derive(move || {
+            matches!(
+                environment_status.get(),
+                KubeEnvironmentStatus::Deleting | KubeEnvironmentStatus::Deleted
+            )
+        })
+    };
+    let delete_button_text = {
+        let environment_status = environment_status.clone();
+        Signal::derive(move || match environment_status.get() {
+            KubeEnvironmentStatus::Deleted => "Deleted".to_string(),
+            KubeEnvironmentStatus::Deleting => "Deleting...".to_string(),
+            _ => "Delete Environment".to_string(),
+        })
+    };
+    let pause_disabled = {
+        let can_pause = can_pause.clone();
+        let pause_pending = pause_pending.clone();
+        Signal::derive(move || !can_pause.get() || pause_pending.get())
+    };
+    let resume_disabled = {
+        let can_resume = can_resume.clone();
+        let resume_pending = resume_pending.clone();
+        Signal::derive(move || !can_resume.get() || resume_pending.get())
+    };
+
+    view! {
+        <Show when=move || environment_info.get().is_some() fallback=|| view! { <div></div> }>
+           {
+                let environment = environment_info.get().unwrap();
+                let env_name = environment.name.clone();
+                let env_namespace = environment.namespace.clone();
+                let env_namespace2 = environment.namespace.clone();
+                let created_at_str = environment.created_at.clone();
+                let is_shared = environment.is_shared;
+                let is_branch = environment.base_environment_id.is_some();
+                let app_catalog_id = environment.app_catalog_id;
+                let app_catalog_name = environment.app_catalog_name.clone();
+                let cluster_id = environment.cluster_id;
+                let cluster_name = environment.cluster_name.clone();
+                let catalog_update_available = environment.catalog_update_available;
+                let catalog_last_sync_actor_id = environment.catalog_last_sync_actor_id;
+                let last_catalog_synced_at = environment.last_catalog_synced_at.clone();
+                let base_environment_last_synced_at = environment
+                    .base_environment_last_catalog_synced_at
+                    .clone();
+                let sync_status = environment.sync_status;
+                let last_sync_message = last_catalog_synced_at
+                    .clone()
+                    .map(|ts| format!("Last synced at {ts}"))
+                    .unwrap_or_else(|| "This environment has not been synced from the catalog yet.".to_string());
+
+                // Determine if this is a cluster auto-update or admin edit
+                let is_cluster_update = catalog_last_sync_actor_id.is_none();
+                let sync_source = if is_branch {
+                    environment
+                        .base_environment_name
+                        .clone()
+                        .unwrap_or_else(|| "shared environment".to_string())
+                } else if is_cluster_update {
+                    "cluster".to_string()
+                } else {
+                    "catalog".to_string()
+                };
+                let sync_button_text = if is_branch {
+                    "Rebase from Shared"
+                } else if is_cluster_update {
+                    "Sync From Cluster"
+                } else {
+                    "Sync From Catalog"
+                };
+                let sync_description = if is_branch {
+                    "New changes are available in the shared environment. Rebase to align this branch with the shared workloads before continuing your edits."
+                } else if is_cluster_update {
+                    "New cluster changes are ready to apply. Sync the environment to pull the latest workloads from the production cluster."
+                } else {
+                    "New catalog changes are ready to apply. Sync the environment to pull the latest workloads."
+                };
+
+                let (type_label, type_description) = if is_branch {
+                    ("Branch", "Based on a shared environment")
+                } else if is_shared {
+                    ("Shared", "Accessible by all organization members")
+                } else {
+                    ("Personal", "Private to you")
+                };
+
+                view! {
+                    <div class="flex flex-col gap-4">
+                        {if catalog_update_available || sync_status == KubeEnvironmentSyncStatus::Syncing {
+                            let sync_pending = sync_action.pending();
+                            let sync_result = sync_action.value();
+                            let is_syncing = sync_status == KubeEnvironmentSyncStatus::Syncing || sync_pending.get();
+
+                            view! {
+                                <Alert class="border-amber-200 bg-amber-50 dark:border-amber-900/60 dark:bg-amber-950/40 text-amber-900 dark:text-amber-100">
+                                    <lucide_leptos::TriangleAlert attr:class="h-5 w-5 text-amber-600 dark:text-amber-400" />
+                                    <AlertTitle>{
+                                        if is_syncing {
+                                            "Sync in progress".to_string()
+                                        } else {
+                                            format!("Update available from {}", sync_source)
+                                        }
+                                    }</AlertTitle>
+                                    <AlertDescription class="gap-3">
+                                        <span>{
+                                            if is_syncing {
+                                                "Syncing environment with latest changes..."
+                                            } else {
+                                                sync_description
+                                            }
+                                        }</span>
+                                        <Show when=move || !is_syncing>
+                                            <span class="text-xs text-amber-800 dark:text-amber-300">{
+                                                if is_branch {
+                                                    base_environment_last_synced_at
+                                                        .clone()
+                                                        .map(|ts| format!("Shared environment last synced at {ts}"))
+                                                        .unwrap_or_else(|| last_sync_message.clone())
+                                                } else {
+                                                    last_sync_message.clone()
+                                                }
+                                            }</span>
+                                        </Show>
+                                        <Button
+                                            variant=ButtonVariant::Outline
+                                            size=ButtonSize::Sm
+                                            on:click=move |_| { sync_action.dispatch(()); }
+                                            disabled=is_syncing
+                                        >
+                                            <lucide_leptos::RefreshCcw attr:class=move || if is_syncing { "animate-spin" } else { "" } />
+                                            {move || if is_syncing { "Syncing..." } else { sync_button_text }}
+                                        </Button>
+                                        <Show when=move || matches!(sync_result.get(), Some(Err(_)))>
+                                            <span class="text-xs text-red-800 dark:text-red-300">
+                                                {move || {
+                                                    sync_result
+                                                        .get()
+                                                        .and_then(|res| res.err())
+                                                        .map(|err| err.error)
+                                                        .unwrap_or_default()
+                                                }}
+                                            </span>
+                                        </Show>
+                                    </AlertDescription>
+                                </Alert>
+                            }.into_any()
+                        } else {
+                            view! { <></> }.into_any()
+                        }}
+
+                        <Card class="p-6">
+                        <div class="flex flex-col gap-6">
+                            // Header with actions
+                            <div class="flex items-start justify-between">
+                                <div class="flex flex-col gap-2">
+                                    <div class="flex items-center gap-2">
+                                        {if is_branch {
+                                            view! { <lucide_leptos::GitBranch attr:class="h-5 w-5 text-muted-foreground" /> }.into_any()
+                                        } else if is_shared {
+                                            view! { <lucide_leptos::Users attr:class="h-5 w-5 text-muted-foreground" /> }.into_any()
+                                        } else {
+                                            view! { <lucide_leptos::User attr:class="h-5 w-5 text-muted-foreground" /> }.into_any()
+                                        }}
+                                        <H3 class="m-0">{env_name}</H3>
+                                    </div>
+                                    <div class="flex items-center gap-2">
+                                        <Badge variant=BadgeVariant::Secondary>
+                                            {env_namespace}
+                                        </Badge>
+                                    </div>
+                                </div>
+                                <div class="flex flex-col items-end gap-2">
+                                    <div class="flex items-center gap-2">
+                                        <Show when=move || is_shared>
+                                            <Button
+                                                variant=ButtonVariant::Outline
+                                                on:click=move |_| create_branch_modal_open.set(true)
+                                            >
+                                                <lucide_leptos::GitBranch />
+                                                Create Branch
+                                            </Button>
+                                        </Show>
+                                        <Show when=move || !is_shared>
+                                            {let pause_disabled = pause_disabled.clone();
+                                            let resume_disabled = resume_disabled.clone();
+                                            view! {
+                                                <>
+                                                    <Button
+                                                        variant=ButtonVariant::Outline
+                                                        on:click=move |_| { pause_action.dispatch(()); }
+                                                        disabled=pause_disabled.clone()
+                                                    >
+                                                        <lucide_leptos::Pause />
+                                                        {move || if pause_pending.get() { "Pausing...".to_string() } else { "Pause".to_string() }}
+                                                    </Button>
+                                                    <Button
+                                                        variant=ButtonVariant::Outline
+                                                        on:click=move |_| { resume_action.dispatch(()); }
+                                                        disabled=resume_disabled.clone()
+                                                    >
+                                                        <lucide_leptos::Play />
+                                                        {move || if resume_pending.get() { "Resuming...".to_string() } else { "Resume".to_string() }}
+                                                    </Button>
+                                                </>
+                                            }.into_any()}
+                                        </Show>
+                                        {let delete_button_text = delete_button_text.clone();
+                                        let delete_disabled = is_deleting.clone();
+                                        view! {
+                                            <Button
+                                                variant=ButtonVariant::Destructive
+                                                on:click=move |_| delete_modal_open.set(true)
+                                                disabled=delete_disabled
+                                            >
+                                                <lucide_leptos::Trash2 />
+                                                {move || delete_button_text.get()}
+                                            </Button>
+                                        }.into_any()}
+                                    </div>
+                                    <Show when=move || matches!(pause_result.get(), Some(Err(_)))>
+                                        <span class="text-xs text-red-600 dark:text-red-400">
+                                            {move || {
+                                                pause_result
+                                                    .get()
+                                                    .and_then(|res| res.err())
+                                                    .map(|err| err.error)
+                                                    .unwrap_or_default()
+                                            }}
+                                        </span>
+                                    </Show>
+                                    <Show when=move || matches!(resume_result.get(), Some(Err(_)))>
+                                        <span class="text-xs text-red-600 dark:text-red-400">
+                                            {move || {
+                                                resume_result
+                                                    .get()
+                                                    .and_then(|res| res.err())
+                                                    .map(|err| err.error)
+                                                    .unwrap_or_default()
+                                            }}
+                                        </span>
+                                    </Show>
+                                </div>
+                            </div>
+
+                            // Metadata grid
+                            <div class="grid grid-cols-[auto_1fr] gap-x-4 gap-y-4 text-sm">
+                                <div class="flex items-center gap-2 text-muted-foreground font-medium">
+                                    <div class="[&>svg]:size-4 [&>svg]:shrink-0">
+                                        <lucide_leptos::Package />
+                                    </div>
+                                    <span>App Catalog</span>
+                                </div>
+                                <div>
+                                    <a href=format!("/kubernetes/catalogs/{}", app_catalog_id) class="text-foreground hover:underline">
+                                        {app_catalog_name.clone()}
+                                    </a>
+                                </div>
+
+                                <div class="flex items-center gap-2 text-muted-foreground font-medium">
+                                    <div class="[&>svg]:size-4 [&>svg]:shrink-0">
+                                        <lucide_leptos::Server />
+                                    </div>
+                                    <span>Cluster</span>
+                                </div>
+                                <div class="flex items-center gap-2">
+                                    <a href=format!("/kubernetes/clusters/{}", cluster_id) class="text-foreground hover:underline">
+                                        {cluster_name}
+                                    </a>
+                                </div>
+                                // Show base environment if this is a branch
+                                {if let (Some(base_name), Some(base_env_id)) = (environment.base_environment_name.clone(), environment.base_environment_id) {
+                                    view! {
+                                        <div class="flex items-center gap-2 text-muted-foreground font-medium">
+                                            <div class="[&>svg]:size-4 [&>svg]:shrink-0">
+                                                <lucide_leptos::Layers />
+                                            </div>
+                                            <span>Base Environment</span>
+                                        </div>
+                                        <div>
+                                            <a href=format!("/kubernetes/environments/{}", base_env_id) class="text-foreground hover:underline">
+                                                {base_name}
+                                            </a>
+                                        </div>
+                                    }.into_any()
+                                } else {
+                                    ().into_any()
+                                }}
+
+                                <div class="flex items-center gap-2 text-muted-foreground font-medium">
+                                    <div class="[&>svg]:size-4 [&>svg]:shrink-0">
+                                        <lucide_leptos::Hash />
+                                    </div>
+                                    <span>Namespace</span>
+                                </div>
+                                <div class="font-mono text-sm">
+                                    {env_namespace2}
+                                </div>
+
+                                <div class="flex items-center gap-2 text-muted-foreground font-medium">
+                                    <div class="[&>svg]:size-4 [&>svg]:shrink-0">
+                                        {if is_branch {
+                                            view! { <lucide_leptos::GitBranch /> }.into_any()
+                                        } else if is_shared {
+                                            view! { <lucide_leptos::Users /> }.into_any()
+                                        } else {
+                                            view! { <lucide_leptos::User /> }.into_any()
+                                        }}
+                                    </div>
+                                    <span>Type</span>
+                                </div>
+                                <div class="flex gap-1 items-center">
+                                    <Badge variant=BadgeVariant::Secondary class="flex items-center gap-2 text-sm">
+                                        {if is_branch {
+                                            view! { <lucide_leptos::GitBranch attr:class="h-3 w-3" /> }.into_any()
+                                        } else if is_shared {
+                                            view! { <lucide_leptos::Users attr:class="h-3 w-3" /> }.into_any()
+                                        } else {
+                                            view! { <lucide_leptos::User attr:class="h-3 w-3" /> }.into_any()
+                                        }}
+                                        <span>{type_label}</span>
+                                    </Badge>
+                                    <span class="text-sm text-muted-foreground">
+                                        {type_description}
+                                    </span>
+                                </div>
+
+                                <div class="flex items-center gap-2 text-muted-foreground font-medium">
+                                    <div class="[&>svg]:size-4 [&>svg]:shrink-0">
+                                        <lucide_leptos::Calendar />
+                                    </div>
+                                    <span>Created</span>
+                                </div>
+                                <div>
+                                    {match chrono::DateTime::parse_from_str(&created_at_str, "%Y-%m-%d %H:%M:%S%.f %z") {
+                                        Ok(time) => view! { <DatetimeModal time /> }.into_any(),
+                                        Err(_) => view! {
+                                            <span class="text-sm text-muted-foreground">{created_at_str}</span>
+                                        }.into_any(),
+                                    }}
+                                </div>
+
+                                <div class="flex items-center gap-2 text-muted-foreground font-medium">
+                                    <div class="[&>svg]:size-4 [&>svg]:shrink-0">
+                                        <lucide_leptos::Activity />
+                                    </div>
+                                    <span>Status</span>
+                                </div>
+                                <div>
+                                    <Badge variant=status_variant.clone() class="text-sm">
+                                        {move || status_text.get()}
+                                    </Badge>
+                                </div>
+                            </div>
+                        </div>
+                        </Card>
+
+                        // Create Branch Environment Modal
+                        <CreateBranchEnvironmentModal
+                            open=create_branch_modal_open
+                            create_branch_action
+                            branch_name
+                        />
+                    </div>
+                }
+            }
+        </Show>
+    }
+}
+
+#[component]
+pub fn EnvironmentResourcesCard(
+    environment_info: Signal<Option<KubeEnvironment>>,
+) -> impl IntoView {
+    view! {
+        <Show when=move || environment_info.get().is_some() fallback=|| view! { <div></div> }>
+            {move || {
+                let environment = environment_info.get().unwrap();
+                let cluster_id = environment.cluster_id;
+                let namespace = environment.namespace.clone();
+
+                view! {
+                    <Card class="p-6">
+                        <div class="flex flex-col gap-4">
+                            <div class="flex items-center justify-between">
+                                <H4>Environment Resources</H4>
+                            </div>
+
+                            <div class="grid grid-cols-1 md:grid-cols-2 lg:grid-cols-3 gap-4">
+                                // Namespace info
+                                <div class="p-4 bg-muted/30 rounded-lg border">
+                                    <div class="flex items-center gap-2 mb-2">
+                                        <lucide_leptos::Hash attr:class="h-4 w-4 text-muted-foreground" />
+                                        <span class="font-medium text-sm">Namespace</span>
+                                    </div>
+                                    <div class="font-mono text-sm">{namespace.clone()}</div>
+                                    <div class="text-xs text-muted-foreground mt-1">
+                                        Kubernetes namespace containing all resources for this environment
+                                    </div>
+                                </div>
+
+                                // Cluster info
+                                <div class="p-4 bg-muted/30 rounded-lg border">
+                                    <div class="flex items-center gap-2 mb-2">
+                                        <lucide_leptos::Server attr:class="h-4 w-4 text-muted-foreground" />
+                                        <span class="font-medium text-sm">Target Cluster</span>
+                                    </div>
+                                    <div class="text-sm">{environment.cluster_name.clone()}</div>
+                                    <div class="text-xs text-muted-foreground mt-1">
+                                        Kubernetes cluster where this environment is deployed
+                                    </div>
+                                </div>
+
+                                // App catalog info
+                                <div class="p-4 bg-muted/30 rounded-lg border">
+                                    <div class="flex items-center gap-2 mb-2">
+                                        <lucide_leptos::Package attr:class="h-4 w-4 text-muted-foreground" />
+                                        <span class="font-medium text-sm">Source Catalog</span>
+                                    </div>
+                                    <div class="text-sm">{environment.app_catalog_name.clone()}</div>
+                                    <div class="text-xs text-muted-foreground mt-1">
+                                        App catalog used to create this environment
+                                    </div>
+                                </div>
+                            </div>
+
+                            <div class="border-t pt-4">
+                                <div class="flex items-center gap-2 text-sm text-muted-foreground">
+                                    <lucide_leptos::Info attr:class="h-4 w-4" />
+                                    <span>
+                                        This environment contains all workloads from the source app catalog deployed in the specified namespace.
+                                        Use the actions menu to view the actual Kubernetes resources or navigate to related components.
+                                    </span>
+                                </div>
+                            </div>
+                        </div>
+                    </Card>
+                }
+            }}
+        </Show>
+    }
+}
+
+#[derive(Debug, Clone, Copy, PartialEq, Eq)]
+enum ResourceTab {
+    Workloads,
+    Services,
+    PreviewUrls,
+}
+
+impl std::fmt::Display for ResourceTab {
+    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
+        match self {
+            ResourceTab::Workloads => write!(f, "workloads"),
+            ResourceTab::Services => write!(f, "services"),
+            ResourceTab::PreviewUrls => write!(f, "preview-urls"),
+        }
+    }
+}
+
+#[component]
+pub fn EnvironmentResourcesTabs(
+    environment_id: Uuid,
+    environment_is_shared: bool,
+    filtered_workloads: Signal<Vec<KubeEnvironmentWorkload>>,
+    search_query: RwSignal<String>,
+    debounced_search: RwSignal<String>,
+    all_workloads: Signal<Vec<KubeEnvironmentWorkload>>,
+    all_services: Signal<Vec<KubeEnvironmentService>>,
+    all_preview_urls: Signal<Vec<lapdev_common::kube::KubeEnvironmentPreviewUrl>>,
+    all_intercepts: Signal<Vec<DevboxWorkloadInterceptSummary>>,
+    active_session: LocalResource<Option<DevboxSessionSummary>>,
+    update_counter: RwSignal<usize>,
+    readiness_map: RwSignal<HashMap<Uuid, Option<i32>>>,
+) -> impl IntoView {
+    let active_tab = RwSignal::new(ResourceTab::Workloads);
+    let focus_preview_tab = Callback::new({
+        let active_tab = active_tab.clone();
+        move |_| active_tab.set(ResourceTab::PreviewUrls)
+    });
+
+    view! {
+        <Tabs default_value=active_tab class="gap-4">
+            <TabsList>
+                <TabsTrigger value=ResourceTab::Workloads>
+                    "Workloads"
+                    <Badge variant=BadgeVariant::Secondary>
+                        {move || all_workloads.get().len()}
+                    </Badge>
+                </TabsTrigger>
+                <TabsTrigger value=ResourceTab::Services>
+                    "Services"
+                    <Badge variant=BadgeVariant::Secondary>
+                        {move || all_services.get().len()}
+                    </Badge>
+                </TabsTrigger>
+                <TabsTrigger value=ResourceTab::PreviewUrls>
+                    "Preview URLs"
+                    <Badge variant=BadgeVariant::Secondary>
+                        {move || all_preview_urls.get().len()}
+                    </Badge>
+                </TabsTrigger>
+            </TabsList>
+
+            <TabsContent value=ResourceTab::Workloads>
+                <EnvironmentWorkloadsContent
+                    environment_id
+                    environment_is_shared
+                    filtered_workloads
+                    search_query
+                    debounced_search
+                    all_workloads
+                    all_intercepts
+                    active_session
+                    update_counter
+                    readiness_map=readiness_map.clone()
+                />
+            </TabsContent>
+
+            <TabsContent value=ResourceTab::Services>
+                <EnvironmentServicesContent
+                    environment_id
+                    all_services
+                    update_counter
+                    focus_preview_tab=focus_preview_tab.clone()
+                    preview_urls=all_preview_urls.clone()
+                />
+            </TabsContent>
+
+            <TabsContent value=ResourceTab::PreviewUrls>
+                <crate::kube_environment_preview_url::PreviewUrlsContent
+                    environment_id
+                    services=all_services
+                    preview_urls=all_preview_urls
+                    update_counter
+                    focus_preview_tab=focus_preview_tab.clone()
+                />
+            </TabsContent>
+        </Tabs>
+    }
+}
+
+#[component]
+pub fn EnvironmentWorkloadsContent(
+    environment_id: Uuid,
+    environment_is_shared: bool,
+    filtered_workloads: Signal<Vec<KubeEnvironmentWorkload>>,
+    search_query: RwSignal<String>,
+    debounced_search: RwSignal<String>,
+    all_workloads: Signal<Vec<KubeEnvironmentWorkload>>,
+    all_intercepts: Signal<Vec<DevboxWorkloadInterceptSummary>>,
+    active_session: LocalResource<Option<DevboxSessionSummary>>,
+    update_counter: RwSignal<usize>,
+    readiness_map: RwSignal<HashMap<Uuid, Option<i32>>>,
+) -> impl IntoView {
+    view! {
+            <div class="flex flex-col gap-4">
+                <div class="relative max-w-sm">
+                    <lucide_leptos::Search attr:class="absolute left-3 top-1/2 transform -translate-y-1/2 text-muted-foreground h-4 w-4" />
+                    <Input
+                        attr:placeholder="Search workloads..."
+                        class="pl-10"
+                        prop:value=move || search_query.get()
+                        on:input=move |ev| {
+                            search_query.set(event_target_value(&ev));
+                        }
+                    />
+                </div>
+
+                // Workloads table
+                <div class="rounded-lg border relative">
+                    <Table>
+                        <TableHeader class="bg-muted">
+                            <TableRow>
+                                <TableHead class="w-0">
+                                    <span class="sr-only">Branch</span>
+                                </TableHead>
+                                <TableHead>Name</TableHead>
+                                <TableHead>Kind</TableHead>
+                                <TableHead>Ready</TableHead>
+                                {if environment_is_shared {
+                                    view! { <></> }.into_any()
+                                } else {
+                                    view! { <TableHead>Intercepts</TableHead> }.into_any()
+                                }}
+                                <TableHead>Containers</TableHead>
+                                <TableHead>Actions</TableHead>
+                            </TableRow>
+                        </TableHeader>
+                        <TableBody>
+                            <For
+                                each=move || filtered_workloads.get()
+                                key=|workload| format!("{}-{}-{}", workload.name, workload.namespace, workload.kind)
+                            children=move |workload| {
+                                let ready_signal = {
+                                    let readiness_map = readiness_map.clone();
+                                    let workload_id = workload.id;
+                                    let fallback_ready = workload.ready_replicas;
+                                    Signal::derive(move || {
+                                        readiness_map
+                                            .get()
+                                            .get(&workload_id)
+                                            .copied()
+                                            .flatten()
+                                            .or(fallback_ready)
+                                    })
+                                };
+                                view! {
+                                    <EnvironmentWorkloadItem
+                                        environment_id
+                                        environment_is_shared
+                                        workload=workload.clone()
+                                        all_intercepts
+                                        active_session
+                                        update_counter
+                                        ready_signal
+                                    />
+                                }
+                                }
+                            />
+                        </TableBody>
+                    </Table>
+
+                    // Empty states
+                    {move || {
+                        let filtered = filtered_workloads.get();
+                        let all_workloads = all_workloads.get();
+                        let search_term = debounced_search.get();
+                        let is_searching = !search_term.trim().is_empty();
+
+                        if filtered.is_empty() {
+                            if is_searching {
+                                view! {
+                                    <div class="flex flex-col items-center justify-center py-12 text-center">
+                                        <div class="rounded-full bg-muted p-3 mb-4">
+                                            <lucide_leptos::Search />
+                                        </div>
+                                        <H4 class="mb-2">No Results Found</H4>
+                                        <P class="text-muted-foreground mb-4 max-w-sm">
+                                            {format!(
+                                                "No workloads match your search for \"{}\". Try adjusting your search terms.",
+                                                search_term
+                                            )}
+                                        </P>
+                                    </div>
+                                }
+                                .into_any()
+                            } else if all_workloads.is_empty() {
+                                view! {
+                                    <div class="flex flex-col items-center justify-center py-12 text-center">
+                                        <div class="rounded-full bg-muted p-3 mb-4">
+                                            <lucide_leptos::Package />
+                                        </div>
+                                        <H4 class="mb-2">No Workloads Found</H4>
+                                        <P class="text-muted-foreground mb-4 max-w-sm">
+                                            "This environment doesn't contain any workloads yet."
+                                        </P>
+                                    </div>
+                                }
+                                .into_any()
+                            } else {
+                                view! { <div></div> }.into_any()
+                            }
+                        } else {
+                            view! { <div></div> }.into_any()
+                        }
+                    }}
+                </div>
+            </div>
+    }
+}
+
+#[component]
+pub fn EnvironmentWorkloadItem(
+    environment_id: Uuid,
+    environment_is_shared: bool,
+    workload: KubeEnvironmentWorkload,
+    all_intercepts: Signal<Vec<DevboxWorkloadInterceptSummary>>,
+    active_session: LocalResource<Option<DevboxSessionSummary>>,
+    update_counter: RwSignal<usize>,
+    ready_signal: Signal<Option<i32>>,
+) -> impl IntoView {
+    let workload_id = workload.id;
+    let workload_name = workload.name.clone();
+    let workload_ports = workload.ports.clone();
+    let is_branch_workload = workload
+        .base_workload_id
+        .map(|base_id| base_id != workload_id)
+        .unwrap_or(false);
+
+    // Find intercepts for this workload
+    let workload_intercepts = Signal::derive(move || {
+        all_intercepts
+            .get()
+            .into_iter()
+            .filter(|intercept| {
+                intercept.workload_id == workload_id && intercept.restored_at.is_none()
+            })
+            .collect::<Vec<_>>()
+    });
+    let start_error = RwSignal::new(None::<String>);
+
+    let start_action = {
+        let all_intercepts = all_intercepts;
+        let ports_for_start = workload_ports.clone();
+        Action::new_local(move |_| {
+            let all_intercepts = all_intercepts;
+            let ports_for_start = ports_for_start.clone();
+            async move {
+                start_error.set(None);
+
+                let previous_ports = all_intercepts
+                    .get_untracked()
+                    .into_iter()
+                    .filter(|summary| summary.workload_id == workload_id)
+                    .max_by(|a, b| a.created_at.cmp(&b.created_at))
+                    .map(|summary| summary.port_mappings);
+
+                let port_overrides = match build_port_overrides_from_workload_ports(
+                    &ports_for_start,
+                    previous_ports.as_ref().map(|v| v.as_slice()),
+                ) {
+                    Ok(overrides) => overrides,
+                    Err(err) => {
+                        start_error.set(Some(err.error.clone()));
+                        return Err(err);
+                    }
+                };
+
+                match start_workload_intercept(workload_id, port_overrides, update_counter).await {
+                    Ok(()) => Ok(()),
+                    Err(err) => {
+                        start_error.set(Some(err.error.clone()));
+                        Err(err)
+                    }
+                }
+            }
+        })
+    };
+    let start_pending = start_action.pending();
+
+    view! {
+        <>
+            <TableRow>
+                <TableCell class="w-0">
+                    {if is_branch_workload {
+                        view! { <lucide_leptos::GitBranch attr:class="h-4 w-4 text-muted-foreground" /> }.into_any()
+                    } else {
+                        view! { <></> }.into_any()
+                    }}
+                </TableCell>
+                <TableCell>
+                    <a href=format!("/kubernetes/environments/{}/workloads/{}", environment_id, workload.id)>
+                        <Button variant=ButtonVariant::Link class="p-0">
+                            <span class="font-medium">{workload.name}</span>
+                        </Button>
+                    </a>
+                </TableCell>
+                <TableCell>
+                    <Badge variant=BadgeVariant::Outline>
+                        {workload.kind.to_string()}
+                    </Badge>
+                </TableCell>
+                <TableCell>
+                    {move || {
+                        let ready = ready_signal.get().unwrap_or(0);
+                        format!("{ready}/1")
+                    }}
+                </TableCell>
+                {if !environment_is_shared {
+                    view! {
+                        <TableCell>
+                            {move || {
+                                let intercepts = workload_intercepts.get();
+                                let (has_active_session, is_active_environment) =
+                                    match active_session.get().flatten() {
+                                        Some(session) => {
+                                            let is_active_env =
+                                                session.active_environment_id == Some(environment_id);
+                                            (true, is_active_env)
+                                        }
+                                        None => (false, false),
+                                    };
+
+                                if intercepts.is_empty() {
+                                    view! {
+                                        <div class="flex flex-col gap-2">
+                                            <Button
+                                                variant=ButtonVariant::Outline
+                                                size=ButtonSize::Sm
+                                                class="self-start w-auto"
+                                                on:click=move |_| { start_action.dispatch(()); }
+                                                disabled=Signal::derive(move || start_pending.get())
+                                            >
+                                                <lucide_leptos::Cable />
+                                                {move || if start_pending.get() { "Starting..." } else { "Start Intercept" }}
+                                            </Button>
+                                            <Show when=move || start_error.get().is_some()>
+                                                <P class="text-xs text-destructive">
+                                                    {move || start_error.get().unwrap_or_default()}
+                                                </P>
+                                            </Show>
+                                        </div>
+                                    }.into_any()
+                                } else {
+                                    view! {
+                                        <div class="flex flex-col gap-2">
+                                            {intercepts.into_iter().map(|intercept| {
+                                                view! {
+                                                    <WorkloadInterceptCard
+                                                        intercept=intercept
+                                                        has_active_session=has_active_session
+                                                        is_active_environment=is_active_environment
+                                                        update_counter
+                                                        workload_ports=workload_ports.clone()
+                                                        workload_id
+                                                        workload_name=workload_name.clone()
+                                                    />
+                                                }
+                                            }).collect::<Vec<_>>()}
+                                        </div>
+                                    }.into_any()
+                                }
+                            }}
+                        </TableCell>
+                    }.into_any()
+                } else {
+                    view! { <></> }.into_any()
+                }}
+                <TableCell>
+                    <div class="text-sm flex flex-col gap-2">
+                        {
+                            let containers = workload.containers.clone();
+                            containers.iter().map(|container| {
+                                view! {
+                                    <ContainerDisplay
+                                        container=container.clone()
+                                    />
+                                }
+                            }).collect::<Vec<_>>()
+                        }
+                        {if workload.containers.clone().is_empty() {
+                            view! { <span class="text-muted-foreground">"No containers"</span> }.into_any()
+                        } else {
+                            ().into_any()
+                        }}
+                    </div>
+                </TableCell>
+                <TableCell>
+                    // Actions removed - workload deletion is no longer available
+                </TableCell>
+            </TableRow>
+        </>
+    }
+}
+
+#[component]
+fn WorkloadInterceptCard(
+    intercept: DevboxWorkloadInterceptSummary,
+    has_active_session: bool,
+    is_active_environment: bool,
+    update_counter: RwSignal<usize>,
+    workload_ports: Vec<lapdev_common::kube::KubeServicePort>,
+    workload_id: Uuid,
+    workload_name: String,
+) -> impl IntoView {
+    let intercept_id = intercept.intercept_id;
+    let restored_at = intercept.restored_at;
+    let port_mappings = intercept.port_mappings.clone();
+
+    let is_stopped = restored_at.is_some();
+
+    let (bg_class, border_class, badge_class, status_text) = if is_stopped {
+        (
+            "bg-gray-50 dark:bg-gray-950/20",
+            "border-gray-200 dark:border-gray-900",
+            "text-xs",
+            "Stopped",
+        )
+    } else if has_active_session && is_active_environment {
+        (
+            "bg-green-50 dark:bg-green-950/20",
+            "border-green-200 dark:border-green-900",
+            "text-xs bg-green-100 text-green-800 dark:bg-green-900/30 dark:text-green-300",
+            "Active",
+        )
+    } else if has_active_session {
+        (
+            "bg-red-50 dark:bg-red-950/20",
+            "border-red-200 dark:border-red-900",
+            "text-xs bg-red-100 text-red-800 dark:bg-red-900/30 dark:text-red-300",
+            "Inactive Environment",
+        )
+    } else {
+        (
+            "bg-amber-50 dark:bg-amber-950/20",
+            "border-amber-200 dark:border-amber-900",
+            "text-xs bg-amber-100 text-amber-800 dark:bg-amber-900/30 dark:text-amber-300",
+            "No Session",
+        )
+    };
+
+    let error_message = RwSignal::new(None::<String>);
+    let edit_modal_open = RwSignal::new(false);
+    let stop_action = Action::new_local({
+        move |_| {
+            let error_message = error_message;
+            async move {
+                let result = stop_workload_intercept(intercept_id, update_counter).await;
+                if let Err(err) = &result {
+                    error_message.set(Some(err.error.clone()));
+                } else {
+                    error_message.set(None);
+                }
+                result
+            }
+        }
+    });
+    let stop_pending = stop_action.pending();
+
+    let port_mappings_for_modal = port_mappings.clone();
+
+    view! {
+        <div class=format!("flex flex-col gap-3 p-3 rounded border {} {}", bg_class, border_class)>
+            <div class="flex flex-col gap-2 sm:flex-row sm:items-center sm:justify-between sm:gap-4">
+                <div class="flex items-center gap-2">
+                    <lucide_leptos::Cable attr:class="h-3 w-3" />
+                    <Badge variant=BadgeVariant::Secondary class=badge_class>
+                        {status_text}
+                    </Badge>
+                </div>
+                {if !is_stopped {
+                    view! {
+                        <div class="flex items-center gap-2">
+                            <Button
+                                variant=ButtonVariant::Outline
+                                size=ButtonSize::Sm
+                                class="h-7 px-2 text-xs gap-1"
+                                on:click=move |_| edit_modal_open.set(true)
+                            >
+                                <lucide_leptos::SlidersHorizontal attr:class="h-3 w-3" />
+                                "Edit Ports"
+                            </Button>
+                            <Button
+                                variant=ButtonVariant::Destructive
+                                size=ButtonSize::Sm
+                                class="h-7 px-2 text-xs gap-1"
+                                on:click=move |_| { stop_action.dispatch(()); }
+                                disabled=Signal::derive(move || stop_pending.get())
+                            >
+                                <lucide_leptos::X attr:class="h-3 w-3" />
+                                {move || if stop_pending.get() { "Stopping..." } else { "Stop" }}
+                            </Button>
+                        </div>
+                    }.into_any()
+                } else {
+                    ().into_any()
+                }}
+            </div>
+            <div class="flex flex-col gap-1">
+                <span class="text-[10px] uppercase tracking-wide text-muted-foreground">
+                    Ports
+                </span>
+                <div class="text-xs font-mono flex flex-col gap-1">
+                    {port_mappings
+                        .iter()
+                        .map(|pm| {
+                            let mapping = format!("{} → {}", pm.workload_port, pm.local_port);
+                            view! { <span>{mapping}</span> }
+                        })
+                        .collect::<Vec<_>>()
+                        .into_any()}
+                </div>
+            </div>
+            <Show when=move || error_message.get().is_some()>
+                <P class="text-xs text-destructive">
+                    {move || error_message.get().unwrap_or_default()}
+                </P>
+            </Show>
+            <EditInterceptModal
+                open=edit_modal_open
+                intercept_id
+                workload_id
+                workload_name=workload_name.clone()
+                workload_ports=workload_ports.clone()
+                existing_mappings=port_mappings_for_modal
+                update_counter
+            />
+        </div>
+    }
+}
+
+#[component]
+pub fn ContainerDisplay(container: KubeContainerInfo) -> impl IntoView {
+    view! {
+        <div class="flex flex-col p-2 bg-muted/30 rounded border">
+            <div class="flex justify-between items-center">
+                <span class="font-medium text-foreground">{container.name.clone()}</span>
+                {if container.is_customized() {
+                    view! {
+                        <Badge variant=BadgeVariant::Secondary class="text-xs">
+                            <lucide_leptos::Settings attr:class="w-3 h-3 mr-1" />
+                            "Customized"
+                        </Badge>
+                    }.into_any()
+                } else {
+                    ().into_any()
+                }}
+            </div>
+
+            <div class="text-sm text-foreground mt-1">
+                <div class="flex items-center gap-1">
+                    <lucide_leptos::Box attr:class="w-3 h-3" />
+                    <span class="truncate w-80 text-muted-foreground">{
+                        match &container.image {
+                            lapdev_common::kube::KubeContainerImage::FollowOriginal => container.original_image.clone(),
+                            lapdev_common::kube::KubeContainerImage::Custom(image) => image.clone(),
+                        }
+                    }</span>
+                </div>
+            </div>
+        </div>
+    }
+}
+
+#[component]
+pub fn EnvironmentServicesContent(
+    environment_id: Uuid,
+    all_services: Signal<Vec<KubeEnvironmentService>>,
+    update_counter: RwSignal<usize>,
+    focus_preview_tab: Callback<()>,
+    preview_urls: Signal<Vec<KubeEnvironmentPreviewUrl>>,
+) -> impl IntoView {
+    view! {
+                // Services table
+                <div class="rounded-lg border relative">
+                    <Table>
+                        <TableHeader class="bg-muted">
+                            <TableRow>
+                                <TableHead>Name</TableHead>
+                                <TableHead>Ports</TableHead>
+                                <TableHead>Selectors</TableHead>
+                                <TableHead>Actions</TableHead>
+                            </TableRow>
+                        </TableHeader>
+                        <TableBody>
+                            <For
+                                each=move || all_services.get()
+                                key=|service| format!("{}-{}", service.name, service.namespace)
+                                children=move |service| {
+                                    view! {
+                                        <EnvironmentServiceItem
+                                            environment_id
+                                            service=service.clone()
+                                            update_counter
+                                            focus_preview_tab=focus_preview_tab.clone()
+                                            preview_urls=preview_urls.clone()
+                                        />
+                                    }
+                                }
+                            />
+                        </TableBody>
+                    </Table>
+
+                    // Empty state
+                    {move || {
+                        let services = all_services.get();
+                        if services.is_empty() {
+                            view! {
+                                <div class="flex flex-col items-center justify-center py-12 text-center">
+                                    <div class="rounded-full bg-muted p-3 mb-4">
+                                        <lucide_leptos::Network />
+                                    </div>
+                                    <H4 class="mb-2">No Services Found</H4>
+                                    <P class="text-muted-foreground mb-4 max-w-sm">
+                                        "This environment doesn't contain any services yet."
+                                    </P>
+                                </div>
+                            }
+                            .into_any()
+                        } else {
+                            view! { <div></div> }.into_any()
+                        }
+                    }}
+                </div>
+    }
+}
+
+#[component]
+pub fn EnvironmentServiceItem(
+    environment_id: Uuid,
+    service: KubeEnvironmentService,
+    update_counter: RwSignal<usize>,
+    focus_preview_tab: Callback<()>,
+    preview_urls: Signal<Vec<KubeEnvironmentPreviewUrl>>,
+) -> impl IntoView {
+    let create_preview_url_modal_open = RwSignal::new(false);
+    let ports = service.ports.clone();
+    let selectors = service.selector.clone();
+    let service_for_button = service.clone();
+    let service_for_modal = service.clone();
+
+    view! {
+        <TableRow>
+            <TableCell>
+                <div class="font-medium">{service.name.clone()}</div>
+            </TableCell>
+            <TableCell>
+                <div class="text-sm flex flex-col gap-1">
+                    {if ports.is_empty() {
+                        view! { <span class="text-muted-foreground">"No ports"</span> }.into_any()
+                    } else {
+                        ports
+                            .into_iter()
+                            .map(|port| {
+                                let target_port = port
+                                    .original_target_port
+                                    .map(|tp| format!(":{tp}"))
+                                    .unwrap_or_default();
+                                let protocol = port.protocol.as_deref().unwrap_or("TCP");
+                                let port_text = format!("{}{} ({protocol})", port.port, target_port);
+                                let port_number = port.port;
+                                let service_id = service.id;
+                                let preview_urls = preview_urls.clone();
+                                let preview_for_port = Signal::derive(move || {
+                                    preview_urls
+                                        .get()
+                                        .into_iter()
+                                        .find(|url| url.service_id == service_id && url.port == port_number)
+                                });
+                                view! {
+                                    <div class="flex flex-row items-center gap-2">
+                                        <Badge variant=BadgeVariant::Outline class="text-xs w-fit">
+                                            {port_text.clone()}
+                                        </Badge>
+                                        <Show
+                                            when=move || preview_for_port.get().is_some()
+                                            fallback=|| view! { <></> }
+                                        >
+                                            {move || {
+                                                let preview = preview_for_port.get().unwrap();
+                                                let preview_url = preview.url.clone();
+                                                view! {
+                                                    <a
+                                                        href=preview.url.clone()
+                                                        target="_blank"
+                                                        rel="noopener noreferrer"
+                                                        class="text-primary text-xs inline-flex items-center gap-1"
+                                                    >
+                                                        <Button variant=ButtonVariant::Link>
+                                                            <span class="text-xs">{preview_url}</span>
+                                                            <lucide_leptos::ExternalLink attr:class="h-3 w-3" />
+                                                        </Button>
+                                                    </a>
+                                                }
+                                            }}
+                                        </Show>
+                                    </div>
+                                }
+                            })
+                            .collect::<Vec<_>>()
+                            .into_any()
+                    }}
+                </div>
+            </TableCell>
+            <TableCell>
+                <div class="text-sm flex flex-col gap-1">
+                    {if selectors.is_empty() {
+                        view! { <span class="text-muted-foreground">"No selectors"</span> }.into_any()
+                    } else {
+                        selectors.into_iter().map(|(k, v)| {
+                            let selector_text = format!("{k}={v}");
+                            view! {
+                                <Badge variant=BadgeVariant::Secondary class="text-xs">
+                                    {selector_text}
+                                </Badge>
+                            }
+                        }).collect::<Vec<_>>().into_any()
+                    }}
+                </div>
+            </TableCell>
+            <TableCell>
+                <Button
+                    variant=ButtonVariant::Outline
+                    size=ButtonSize::Sm
+                    on:click=move |_| create_preview_url_modal_open.set(true)
+                    disabled=Signal::derive(move || service_for_button.ports.is_empty())
+                >
+                    <lucide_leptos::Globe />
+                    "Create Preview URL"
+                </Button>
+
+                // Quick Create Preview URL Modal
+                <crate::kube_environment_preview_url::CreatePreviewUrlModal
+                    open=create_preview_url_modal_open
+                    environment_id
+                    service=service_for_modal.clone()
+                    update_counter
+                    on_created=focus_preview_tab.clone()
+                />
+            </TableCell>
+        </TableRow>
+    }
+}
+
+#[component]
+pub fn CreateBranchEnvironmentModal(
+    open: RwSignal<bool>,
+    create_branch_action: Action<(), Result<(), ErrorResponse>>,
+    branch_name: RwSignal<String>,
+) -> impl IntoView {
+    // Reset form when modal opens/closes
+    Effect::new(move |_| {
+        if !open.get() {
+            branch_name.set(String::new());
+        }
+    });
+
+    view! {
+        <Modal
+            open=open
+            action=create_branch_action
+            title="Create Branch Environment"
+            action_text="Create Branch"
+            action_progress_text="Creating..."
+        >
+            <div class="flex flex-col gap-4">
+                <div class="flex flex-col gap-2">
+                    <Label for_="branch-name">Branch Environment Name</Label>
+                    <Input
+                        attr:id="branch-name"
+                        prop:value=move || branch_name.get()
+                        on:input=move |ev| {
+                            branch_name.set(event_target_value(&ev));
+                        }
+                        attr:placeholder="Enter a name for the branch environment"
+                    />
+                    <P class="text-sm text-muted-foreground">
+                        "A new environment will be created based on this environment's configuration."
+                    </P>
+                </div>
+            </div>
+        </Modal>
+    }
+}
+
+#[derive(Debug, Clone)]
+struct AvailablePort {
+    container_name: String,
+    port: i32,
+    port_name: Option<String>,
+    protocol: Option<String>,
+}
+
+#[derive(Debug, Clone)]
+struct PortMapping {
+    port: i32,
+    default_local_port: String,
+    local_port: RwSignal<String>,
+}
+
+#[component]
+pub fn EditInterceptModal(
+    open: RwSignal<bool>,
+    intercept_id: Uuid,
+    workload_id: Uuid,
+    workload_name: String,
+    workload_ports: Vec<lapdev_common::kube::KubeServicePort>,
+    existing_mappings: Vec<DevboxPortMapping>,
+    update_counter: RwSignal<usize>,
+) -> impl IntoView {
+    // Extract all available ports from workload service ports, preferring the recorded original container port.
+    let available_ports: Vec<AvailablePort> = workload_ports
+        .iter()
+        .map(|port| AvailablePort {
+            container_name: String::new(), // Service ports don't have container names
+            port: port.original_target_port.unwrap_or(port.port),
+            port_name: port.name.clone(),
+            protocol: port.protocol.clone(),
+        })
+        .collect();
+
+    use std::convert::TryFrom;
+
+    let mapping_lookup: std::collections::HashMap<u16, u16> = existing_mappings
+        .into_iter()
+        .map(|mapping| (mapping.workload_port, mapping.local_port))
+        .collect();
+
+    let mut port_mappings_vec = Vec::new();
+    for ap in &available_ports {
+        let default_local_port = u16::try_from(ap.port)
+            .ok()
+            .map(|workload_port| {
+                mapping_lookup
+                    .get(&workload_port)
+                    .copied()
+                    .unwrap_or(workload_port)
+                    .to_string()
+            })
+            .unwrap_or_default();
+
+        port_mappings_vec.push(PortMapping {
+            port: ap.port,
+            default_local_port: default_local_port.clone(),
+            local_port: RwSignal::new(default_local_port),
+        });
+    }
+    let port_mappings_stored = StoredValue::new(port_mappings_vec);
+
+    // Reset form when modal closes
+    Effect::new(move |_| {
+        if !open.get() {
+            for mapping in &port_mappings_stored.get_value() {
+                mapping.local_port.set(mapping.default_local_port.clone());
+            }
+        }
+    });
+
+    let error_message = RwSignal::new(None::<String>);
+    let update_action = Action::new_local(move |_| async move {
+        error_message.set(None);
+
+        let mut port_overrides = Vec::new();
+        for mapping in &port_mappings_stored.get_value() {
+            let workload_port = match u16::try_from(mapping.port) {
+                Ok(value) => value,
+                Err(_) => {
+                    let err = ErrorResponse {
+                        error: format!("Unsupported workload port: {}", mapping.port),
+                    };
+                    error_message.set(Some(err.error.clone()));
+                    return Err(err);
+                }
+            };
+
+            let local_port_str = mapping.local_port.get().trim().to_string();
+            let local_port = if local_port_str.is_empty() {
+                Some(workload_port)
+            } else {
+                match local_port_str.parse::<u16>() {
+                    Ok(value) => Some(value),
+                    Err(_) => {
+                        let err = ErrorResponse {
+                            error: format!("Invalid local port: {}", local_port_str),
+                        };
+                        error_message.set(Some(err.error.clone()));
+                        return Err(err);
+                    }
+                }
+            };
+
+            port_overrides.push(DevboxPortMappingOverride {
+                workload_port,
+                local_port,
+            });
+        }
+
+        if port_overrides.is_empty() {
+            let err = ErrorResponse {
+                error: "No ports available to intercept".to_string(),
+            };
+            error_message.set(Some(err.error.clone()));
+            return Err(err);
+        }
+
+        if let Err(err) = stop_workload_intercept(intercept_id, update_counter).await {
+            error_message.set(Some(err.error.clone()));
+            return Err(err);
+        }
+
+        match start_workload_intercept(workload_id, port_overrides, update_counter).await {
+            Ok(_) => {
+                open.set(false);
+                Ok(())
+            }
+            Err(err) => {
+                error_message.set(Some(err.error.clone()));
+                Err(err)
+            }
+        }
+    });
+    view! {
+        <Modal
+            open=open
+            action=update_action
+            title="Edit Intercept Ports"
+            action_text="Save Changes"
+            action_progress_text="Saving..."
+        >
+            <div class="flex flex-col gap-4">
+                <P class="text-sm text-muted-foreground">
+                    {format!(
+                        "Adjust local port overrides for workload: {}. Changes will restart the intercept.",
+                        workload_name
+                    )}
+                </P>
+
+                {if available_ports.is_empty() {
+                    view! {
+                        <div class="bg-amber-50 dark:bg-amber-950/20 border border-amber-200 dark:border-amber-900 rounded p-4">
+                            <div class="flex items-start gap-3">
+                                <lucide_leptos::TriangleAlert attr:class="h-5 w-5 text-amber-600 dark:text-amber-400 shrink-0 mt-0.5" />
+                                <div class="flex flex-col gap-1">
+                                    <span class="font-medium text-sm text-amber-900 dark:text-amber-200">
+                                        "No exposed ports found"
+                                    </span>
+                                    <span class="text-xs text-amber-800 dark:text-amber-300">
+                                        "This workload does not expose any container ports. Make sure your containers define port specifications in their Kubernetes manifests."
+                                    </span>
+                                </div>
+                            </div>
+                        </div>
+                    }.into_any()
+                } else {
+                    view! {
+                        <div class="flex flex-col gap-3">
+                            <div class="flex items-center justify-between">
+                                <Label>"Port mappings"</Label>
+                                <Badge variant=BadgeVariant::Secondary class="text-xs">
+                                    {format!("{} port{}", available_ports.len(), if available_ports.len() == 1 { "" } else { "s" })}
+                                </Badge>
+                            </div>
+
+                            <div class="flex flex-col gap-2 max-h-64 overflow-y-auto">
+                                {available_ports.iter().enumerate().map(|(idx, port)| {
+                                    let mapping = port_mappings_stored.get_value()[idx].clone();
+                                    let port_display = if let Some(name) = &port.port_name {
+                                        format!("{} ({})", port.port, name)
+                                    } else {
+                                        format!("{}", port.port)
+                                    };
+                                    let protocol_display = port.protocol.clone().unwrap_or_else(|| "TCP".to_string());
+
+                                    view! {
+                                        <div class="flex items-center gap-3 p-3 border rounded bg-muted/30">
+                                            <div class="flex-1 flex items-center gap-2">
+                                                <lucide_leptos::Network attr:class="h-4 w-4 text-muted-foreground" />
+                                                <span class="font-medium">{port_display}</span>
+                                                <Badge variant=BadgeVariant::Outline class="text-xs">
+                                                    {protocol_display}
+                                                </Badge>
+                                            </div>
+                                            <div class="w-40">
+                                                <Input
+                                                    attr:id=format!("local-port-{}", idx)
+                                                    attr:r#type="number"
+                                                    attr:min="1"
+                                                    attr:max="65535"
+                                                    prop:value=move || mapping.local_port.get()
+                                                    on:input=move |ev| {
+                                                        mapping.local_port.set(event_target_value(&ev));
+                                                    }
+                                                    attr:placeholder=format!("{}", port.port)
+                                                    class="h-8 text-sm"
+                                                />
+                                            </div>
+                                        </div>
+                                    }
+                                }).collect::<Vec<_>>()}
+                            </div>
+                        </div>
+
+                        <div class="text-xs text-muted-foreground bg-muted/30 p-3 rounded">
+                            <div class="flex gap-2">
+                                <lucide_leptos::Info attr:class="h-4 w-4 shrink-0 mt-0.5" />
+                                <div class="flex flex-col gap-1">
+                                    <span class="font-medium">"Tips"</span>
+                                    <ul class="list-disc list-inside space-y-1">
+                                        <li>"Leave a field blank to use the workload port as the local port"</li>
+                                        <li>"Updates are applied by restarting the intercept with the new configuration"</li>
+                                    </ul>
+                                </div>
+                            </div>
+                        </div>
+                    }.into_any()
+                }}
+
+                <Show when=move || error_message.get().is_some()>
+                    <P class="text-xs text-destructive">
+                        {move || error_message.get().unwrap_or_default()}
+                    </P>
+                </Show>
+            </div>
+        </Modal>
+    }
+}
+
+#[component]
+pub fn SharedEnvironmentDevboxCard() -> impl IntoView {
+    view! {
+        <Card class="border-amber-200 bg-amber-50 dark:border-amber-900/60 dark:bg-amber-950/30">
+            <div class="p-4 flex flex-col gap-4 md:flex-row md:items-start md:justify-between">
+                <div class="flex gap-3">
+                    <div class="rounded-full bg-amber-100 dark:bg-amber-900/40 p-2">
+                        <lucide_leptos::ShieldAlert attr:class="h-5 w-5 text-amber-700 dark:text-amber-300" />
+                    </div>
+                    <div class="flex flex-col gap-1">
+                        <span class="font-semibold text-amber-900 dark:text-amber-100">
+                            "Devbox isn't available on shared environments"
+                        </span>
+                        <p class="text-sm text-amber-800 dark:text-amber-300">
+                            "Branch this shared baseline to unlock Devbox intercepts. Personal and branch environments can be selected as your active Devbox namespace."
+                        </p>
+                    </div>
+                </div>
+                <div class="flex items-center gap-2">
+                    <a href=docs_url(DOCS_DEVBOX_PATH) target="_blank" rel="noopener noreferrer">
+                        <Button
+                            variant=ButtonVariant::Outline
+                            size=ButtonSize::Sm
+                            class="border-amber-300 text-amber-800 dark:border-amber-800 dark:text-amber-100"
+                        >
+                            <lucide_leptos::BookOpen attr:class="h-4 w-4" />
+                            "Devbox Docs"
+                            <lucide_leptos::ExternalLink attr:class="h-3 w-3" />
+                        </Button>
+                    </a>
+                </div>
+            </div>
+        </Card>
+    }
+}
+
+#[component]
+pub fn DevboxSessionBanner(
+    active_session: LocalResource<Option<DevboxSessionSummary>>,
+    environment_id: Uuid,
+) -> impl IntoView {
+    let is_expanded = RwSignal::new(false);
+
+    // Action to set this environment as active
+    let active_session_clone = active_session.clone();
+    let set_active_action = Action::new_local(move |_| {
+        let active_session_clone = active_session_clone.clone();
+        async move {
+            let client = HrpcServiceClient::new("/api/rpc".to_string());
+            match client
+                .devbox_session_set_active_environment(environment_id)
+                .await
+            {
+                Ok(Ok(())) => {
+                    active_session_clone.refetch();
+                    Ok(())
+                }
+                Ok(Err(e)) => Err(ErrorResponse {
+                    error: format!("{:?}", e),
+                }),
+                Err(e) => Err(ErrorResponse {
+                    error: e.to_string(),
+                }),
+            }
+        }
+    });
+    let set_active_pending = set_active_action.pending();
+    let set_active_result = set_active_action.value();
+
+    view! {
+        <Suspense fallback=move || view! { <div></div> }>
+            {move || {
+                active_session
+                    .get()
+                    .map(|session_opt| {
+                        if let Some(session) = session_opt {
+                            // Active session exists
+                            let is_active = session.active_environment_id == Some(environment_id);
+
+                            view! {
+                                <div class="rounded-lg border bg-muted/50 p-4">
+                                    <div class="flex items-center justify-between">
+                                        <div class="flex items-center gap-3">
+                                            <div class="rounded-full bg-primary/10 p-2">
+                                                <lucide_leptos::Plug attr:class="h-5 w-5 text-primary" />
+                                            </div>
+                                            <div class="flex flex-col gap-1">
+                                                <div class="flex items-center gap-2">
+                                                    <span class="font-semibold">Devbox Connected</span>
+                                                    <Badge variant=BadgeVariant::Secondary>
+                                                        <lucide_leptos::Monitor attr:class="h-3 w-3" />
+                                                        {session.device_name.clone()}
+                                                    </Badge>
+                                                    {if is_active {
+                                                        view! {
+                                                            <Badge variant=BadgeVariant::Secondary class="flex items-center gap-1 text-sm bg-green-100 text-green-800 dark:bg-green-900/30 dark:text-green-300">
+                                                                <lucide_leptos::Check attr:class="h-3 w-3" />
+                                                                "Active Environment"
+                                                            </Badge>
+                                                        }.into_any()
+                                                    } else {
+                                                        view! {
+                                                            <Badge variant=BadgeVariant::Secondary class="flex items-center gap-1 text-sm bg-red-100 text-red-800 dark:bg-red-900/30 dark:text-red-300">
+                                                                <lucide_leptos::Ban attr:class="h-3 w-3" />
+                                                                "Inactive Environment"
+                                                            </Badge>
+                                                        }
+                                                            .into_any()
+                                                    }}
+                                                </div>
+                                                <div class="text-sm text-muted-foreground flex items-center gap-1">
+                                                    <span>"Last active: "</span>
+                                                    <DatetimeModal time=session.last_used_at.fixed_offset() />
+                                                </div>
+                                            </div>
+                                        </div>
+                                        {if !is_active {
+                                            view! {
+                                                <Button
+                                                    variant=ButtonVariant::Outline
+                                                    size=ButtonSize::Sm
+                                                    on:click=move |_| { set_active_action.dispatch(()); }
+                                                    disabled=Signal::derive(move || set_active_pending.get())
+                                                >
+                                                    <lucide_leptos::Check attr:class="h-4 w-4" />
+                                                    {move || if set_active_pending.get() { "Setting..." } else { "Set as Active" }}
+                                                </Button>
+                                            }
+                                                .into_any()
+                                        } else {
+                                            ().into_any()
+                                        }}
+                                        <Show when=move || matches!(set_active_result.get(), Some(Err(_)))>
+                                            <P class="text-sm text-destructive mt-2">
+                                                {move || {
+                                                    set_active_result
+                                                        .get()
+                                                        .and_then(|res| res.err())
+                                                        .map(|err| err.error)
+                                                        .unwrap_or_default()
+                                                }}
+                                            </P>
+                                        </Show>
+                                    </div>
+                                </div>
+                            }
+                                .into_any()
+                        } else {
+                            // No active session - expandable panel
+                            view! {
+                                <div class="rounded-lg border bg-amber-50 dark:bg-amber-950/20 border-amber-200 dark:border-amber-900">
+                                    <div class="p-4">
+                                        <div class="flex items-start justify-between gap-3">
+                                            <div
+                                                class="flex items-start gap-3 flex-1 cursor-pointer"
+                                                on:click=move |_| {
+                                                    is_expanded.update(|v| *v = !*v);
+                                                }
+                                            >
+                                                <div class="rounded-full bg-amber-100 dark:bg-amber-900/30 p-2 mt-0.5">
+                                                    <lucide_leptos::Info attr:class="h-5 w-5 text-amber-700 dark:text-amber-500" />
+                                                </div>
+                                                <div class="flex-1">
+                                                    <h4 class="font-semibold text-amber-900 dark:text-amber-200 mb-1">
+                                                        "You Can Connect Your Local Development Machine"
+                                                    </h4>
+                                        <Show when=move || !is_expanded.get() fallback=|| view! {
+                                            <p class="text-sm text-amber-800 dark:text-amber-300">
+                                                "To intercept workloads and develop locally, you can connect your machine using the Lapdev CLI."
+                                            </p>
+                                        }>
+                                                        <p class="text-sm text-amber-800 dark:text-amber-300 hover:text-amber-900 dark:hover:text-amber-200">
+                                                            "Click to view setup instructions"
+                                                        </p>
+                                                    </Show>
+                                                </div>
+                                            </div>
+                                            <Button
+                                                variant=ButtonVariant::Ghost
+                                                size=ButtonSize::Sm
+                                                on:click=move |_| is_expanded.update(|v| *v = !*v)
+                                                class="text-amber-700 dark:text-amber-400 hover:bg-amber-100 dark:hover:bg-amber-900/30 shrink-0"
+                                            >
+                                                <Show when=move || is_expanded.get() fallback=|| view! {
+                                                    <lucide_leptos::ChevronDown attr:class="h-4 w-4" />
+                                                }>
+                                                    <lucide_leptos::ChevronUp attr:class="h-4 w-4" />
+                                                </Show>
+                                            </Button>
+                                        </div>
+
+                                        <Show when=move || is_expanded.get()>
+                                            <DevboxInstallInstructions />
+                                        </Show>
+                                    </div>
+                                </div>
+                            }
+                                .into_any()
+                        }
+                    })
+            }}
+        </Suspense>
+    }
+}
+
+#[component]
+fn DevboxInstallInstructions() -> impl IntoView {
+    let default_tab = RwSignal::new(detect_devbox_install_tab());
+    let unix_copy_success = RwSignal::new(false);
+    let windows_copy_success = RwSignal::new(false);
+    let connect_copy_success = RwSignal::new(false);
+
+    let copy_unix_command = move |_| {
+        let navigator = window().navigator();
+        let clipboard = navigator.clipboard();
+        let _ = clipboard.write_text(DEVBOX_INSTALL_UNIX_CMD);
+        unix_copy_success.set(true);
+        set_timeout(
+            move || unix_copy_success.set(false),
+            std::time::Duration::from_secs(2),
+        );
+    };
+
+    let copy_windows_command = move |_| {
+        let navigator = window().navigator();
+        let clipboard = navigator.clipboard();
+        let _ = clipboard.write_text(DEVBOX_INSTALL_WINDOWS_CMD);
+        windows_copy_success.set(true);
+        set_timeout(
+            move || windows_copy_success.set(false),
+            std::time::Duration::from_secs(2),
+        );
+    };
+
+    let copy_connect_command = move |_| {
+        let navigator = window().navigator();
+        let clipboard = navigator.clipboard();
+        let _ = clipboard.write_text(DEVBOX_CONNECT_CMD);
+        connect_copy_success.set(true);
+        set_timeout(
+            move || connect_copy_success.set(false),
+            std::time::Duration::from_secs(2),
+        );
+    };
+
+    view! {
+        <div class="mt-3 ml-14 flex flex-col gap-3">
+            <div class="flex flex-col gap-2 text-sm">
+                <div class="flex items-start gap-2">
+                    <span class="font-medium text-amber-900 dark:text-amber-200 min-w-[2rem]">
+                        "1."
+                    </span>
+                    <div class="flex-1 flex flex-col gap-2">
+                        <span class="text-amber-800 dark:text-amber-300">
+                            "Install the CLI:"
+                        </span>
+                        <Tabs default_value=default_tab class="gap-2">
+                            <TabsList class="gap-2">
+                                <TabsTrigger value=DevboxInstallTab::LinuxMac class="flex-1">
+                                    "Linux / macOS"
+                                </TabsTrigger>
+                                <TabsTrigger value=DevboxInstallTab::Windows class="flex-1">
+                                    "Windows PowerShell"
+                                </TabsTrigger>
+                            </TabsList>
+                            <TabsContent value=DevboxInstallTab::LinuxMac class="mt-2 flex">
+                                <div class="relative">
+                                    <code class="px-2 py-1 pr-12 rounded bg-amber-100 dark:bg-amber-900/50 text-amber-900 dark:text-amber-200 font-mono text-xs break-all">
+                                        {DEVBOX_INSTALL_UNIX_CMD}
+                                    </code>
+                                    <Button
+                                        variant=ButtonVariant::Ghost
+                                        size=ButtonSize::Icon
+                                        class="absolute -top-1/4 right-1 h-8 w-8 p-0 text-amber-800 dark:text-amber-200"
+                                        on:click=copy_unix_command
+                                        attr:aria-label="Copy Linux or macOS install command"
+                                    >
+                                        {move || if unix_copy_success.get() {
+                                            view! { <lucide_leptos::Check attr:class="h-4 w-4" /> }.into_any()
+                                        } else {
+                                            view! { <lucide_leptos::Copy attr:class="h-4 w-4" /> }.into_any()
+                                        }}
+                                    </Button>
+                                </div>
+                            </TabsContent>
+                            <TabsContent value=DevboxInstallTab::Windows class="mt-2 flex">
+                                <div class="relative">
+                                    <code class="px-2 py-1 pr-12 rounded bg-amber-100 dark:bg-amber-900/50 text-amber-900 dark:text-amber-200 font-mono text-xs break-all">
+                                        {DEVBOX_INSTALL_WINDOWS_CMD}
+                                    </code>
+                                    <Button
+                                        variant=ButtonVariant::Ghost
+                                        size=ButtonSize::Icon
+                                        class="absolute -top-1/4 right-1 h-8 w-8 p-0 text-amber-800 dark:text-amber-200"
+                                        on:click=copy_windows_command
+                                        attr:aria-label="Copy Windows PowerShell install command"
+                                    >
+                                        {move || if windows_copy_success.get() {
+                                            view! { <lucide_leptos::Check attr:class="h-4 w-4" /> }.into_any()
+                                        } else {
+                                            view! { <lucide_leptos::Copy attr:class="h-4 w-4" /> }.into_any()
+                                        }}
+                                    </Button>
+                                </div>
+                            </TabsContent>
+                        </Tabs>
+                    </div>
+                </div>
+                <div class="flex items-start gap-2">
+                    <span class="font-medium text-amber-900 dark:text-amber-200 min-w-[2rem]">
+                        "2."
+                    </span>
+                    <div class="flex-1 flex items-center gap-2 flex-wrap">
+                        <span class="text-amber-800 dark:text-amber-300">
+                            "Connect: "
+                        </span>
+                        <div class="relative">
+                            <code class="inline-flex items-center px-2 py-1 pr-12 rounded bg-amber-100 dark:bg-amber-900/50 text-amber-900 dark:text-amber-200 font-mono text-xs">
+                                {DEVBOX_CONNECT_CMD}
+                            </code>
+                            <Button
+                                variant=ButtonVariant::Ghost
+                                size=ButtonSize::Icon
+                                class="absolute top-1/2 right-1 h-8 w-8 p-0 -translate-y-1/2 text-amber-800 dark:text-amber-200"
+                                on:click=copy_connect_command
+                                attr:aria-label="Copy connect command"
+                            >
+                                {move || if connect_copy_success.get() {
+                                    view! { <lucide_leptos::Check attr:class="h-4 w-4" /> }.into_any()
+                                } else {
+                                    view! { <lucide_leptos::Copy attr:class="h-4 w-4" /> }.into_any()
+                                }}
+                            </Button>
+                        </div>
+                    </div>
+                </div>
+            </div>
+            <div class="flex gap-2">
+                <a href=docs_url(DOCS_DEVBOX_PATH) target="_blank" rel="noopener noreferrer">
+                    <Button
+                        variant=ButtonVariant::Outline
+                        size=ButtonSize::Sm
+                        class="text-amber-700 dark:text-amber-400 border-amber-300 dark:border-amber-700 hover:bg-amber-100 dark:hover:bg-amber-900/30"
+                    >
+                        <lucide_leptos::BookOpen attr:class="h-4 w-4" />
+                        "View Documentation"
+                        <lucide_leptos::ExternalLink attr:class="h-3 w-3" />
+                    </Button>
+                </a>
+            </div>
+        </div>
+    }
+}
diff --git a/crates/dashboard/src/kube_environment_preview_url.rs b/crates/dashboard/src/kube_environment_preview_url.rs
new file mode 100644
index 0000000..8174969
--- /dev/null
+++ b/crates/dashboard/src/kube_environment_preview_url.rs
@@ -0,0 +1,551 @@
+use anyhow::anyhow;
+use lapdev_api_hrpc::HrpcServiceClient;
+use lapdev_common::{
+    console::Organization,
+    kube::{
+        CreateKubeEnvironmentPreviewUrlRequest, KubeEnvironmentPreviewUrl, KubeEnvironmentService,
+        PreviewUrlAccessLevel, UpdateKubeEnvironmentPreviewUrlRequest,
+    },
+};
+use leptos::prelude::*;
+use uuid::Uuid;
+
+use crate::{
+    component::{
+        badge::{Badge, BadgeVariant},
+        button::{Button, ButtonSize, ButtonVariant},
+        card::{Card, CardContent},
+        input::Input,
+        label::Label,
+        select::{Select, SelectContent, SelectItem, SelectTrigger},
+        table::{Table, TableBody, TableCell, TableHead, TableHeader, TableRow},
+        typography::{H4, P},
+    },
+    modal::{DeleteModal, ErrorResponse, Modal},
+    organization::get_current_org,
+};
+
+#[component]
+pub fn PreviewUrlsContent(
+    environment_id: Uuid,
+    services: Signal<Vec<KubeEnvironmentService>>,
+    preview_urls: Signal<Vec<KubeEnvironmentPreviewUrl>>,
+    update_counter: RwSignal<usize>,
+    focus_preview_tab: Callback<()>,
+) -> impl IntoView {
+    let create_modal_open = RwSignal::new(false);
+    let edit_modal_open = RwSignal::new(false);
+    let edit_preview_url = RwSignal::new(None::<KubeEnvironmentPreviewUrl>);
+
+    // Use the passed preview URLs signal
+
+    view! {
+        <div class="flex flex-col gap-4">
+            // Header with create button
+            <div class="flex justify-between items-center">
+                <div>
+                    <h3 class="text-lg font-semibold">"Preview URLs"</h3>
+                    <p class="text-sm text-muted-foreground">
+                        "Create preview URLs to access your services"
+                    </p>
+                </div>
+            </div>
+
+            // Preview URLs table
+            <Card>
+                <CardContent class="p-0">
+                    <Suspense fallback=move || view! { <div class="p-4">"Loading preview URLs..."</div> }>
+                        <Table>
+                            <TableHeader class="bg-muted">
+                                <TableRow>
+                                    <TableHead class="px-4">"URL"</TableHead>
+                                    <TableHead>"Description"</TableHead>
+                                    <TableHead>"Service"</TableHead>
+                                    <TableHead>"Port"</TableHead>
+                                    <TableHead>"Access"</TableHead>
+                                    <TableHead>"Actions"</TableHead>
+                                </TableRow>
+                            </TableHeader>
+                            <TableBody>
+                                {move || {
+                                    let urls = preview_urls.get();
+                                    if urls.is_empty() {
+                                        view! {
+                                            <TableRow>
+                                                <TableCell attr:colspan="5" class="py-12 text-center">
+                                                    <div class="flex flex-col items-center justify-center">
+                                                        <div class="rounded-full bg-muted p-3 mb-4">
+                                                            <lucide_leptos::Globe />
+                                                        </div>
+                                                        <H4 class="mb-2">"No Preview URLs Found"</H4>
+                                                        <P class="text-muted-foreground mb-4 max-w-sm">
+                                                            "Create a preview URL from services to access them externally"
+                                                        </P>
+                                                    </div>
+                                                </TableCell>
+                                            </TableRow>
+                                        }.into_any()
+                                    } else {
+                                        view! {
+                                            <For
+                                                each=move || urls.clone()
+                                                key=|url| url.id
+                                                children=move |preview_url| {
+                                                    view! {
+                                                        <PreviewUrlRow
+                                                            preview_url=preview_url.clone()
+                                                            services=services
+                                                            on_edit=Box::new(move |url| {
+                                                                edit_preview_url.set(Some(url));
+                                                                edit_modal_open.set(true);
+                                                            })
+                                                            update_counter=update_counter
+                                                        />
+                                                    }
+                                                }
+                                            />
+                                        }.into_any()
+                                    }
+                                }}
+                            </TableBody>
+                        </Table>
+                    </Suspense>
+                </CardContent>
+            </Card>
+
+            // Create modal - only show if we have at least one service
+            {move || {
+                let services_list = services.get();
+                if !services_list.is_empty() {
+                    view! {
+                        <CreatePreviewUrlModal
+                            open=create_modal_open
+                            environment_id=environment_id
+                            service=services_list[0].clone()
+                            update_counter=update_counter
+                            on_created=focus_preview_tab.clone()
+                        />
+                    }.into_any()
+                } else {
+                    view! { <div></div> }.into_any()
+                }
+            }}
+
+            // Edit modal
+            <EditPreviewUrlModal
+                open=edit_modal_open
+                preview_url=edit_preview_url.into()
+                update_counter=update_counter
+            />
+        </div>
+    }
+}
+
+#[component]
+fn PreviewUrlRow(
+    preview_url: KubeEnvironmentPreviewUrl,
+    services: Signal<Vec<KubeEnvironmentService>>,
+    on_edit: Box<dyn Fn(KubeEnvironmentPreviewUrl) + Send + 'static>,
+    update_counter: RwSignal<usize>,
+) -> impl IntoView {
+    let org = get_current_org();
+    let delete_modal_open = RwSignal::new(false);
+
+    // Find the service name
+    let service_name = Signal::derive(move || {
+        services
+            .get()
+            .iter()
+            .find(|s| s.id == preview_url.service_id)
+            .map(|s| s.name.clone())
+            .unwrap_or_else(|| "Unknown".to_string())
+    });
+
+    // Delete action
+    let delete_action = Action::new_local({
+        let preview_url = preview_url.clone();
+        move |_| {
+            let preview_url = preview_url.clone();
+            async move {
+                delete_environment_preview_url(org, preview_url.id)
+                    .await
+                    .map_err(ErrorResponse::from)?;
+                update_counter.update(|c| *c += 1);
+                Ok::<(), ErrorResponse>(())
+            }
+        }
+    });
+
+    let preview_url_for_view = preview_url.clone();
+    let preview_url_for_href = preview_url.clone();
+    let preview_url_name = preview_url_for_view.name.clone();
+    view! {
+        <TableRow>
+            <TableCell>
+                <a
+                    href=preview_url_for_href.url.clone()
+                    target="_blank"
+                    rel="noopener noreferrer"
+                    // class="text-blue-600 hover:text-blue-800 underline font-mono text-sm"
+                >
+                    <Button variant=ButtonVariant::Link>
+                    {preview_url_for_view.url.clone()}
+                    <lucide_leptos::ExternalLink />
+                    </Button>
+                </a>
+            </TableCell>
+            <TableCell>
+                {preview_url_for_view
+                    .description
+                    .clone()
+                    .filter(|desc| !desc.trim().is_empty())
+                    .map(|desc| desc)
+                    .unwrap_or_else(|| "No description".to_string())}
+            </TableCell>
+            <TableCell>{service_name}</TableCell>
+            <TableCell>
+                {preview_url_for_view.port.to_string()}
+                {preview_url_for_view.port_name.clone().map(|name| view! {
+                    <span class="text-muted-foreground ml-1">{format!("({})", name)}</span>
+                })}
+            </TableCell>
+            <TableCell>
+                <div class="flex gap-1">
+                    {
+                        let variant = match preview_url_for_view.access_level {
+                            lapdev_common::kube::PreviewUrlAccessLevel::Public => BadgeVariant::Default,
+                            lapdev_common::kube::PreviewUrlAccessLevel::Organization => BadgeVariant::Secondary,
+                        };
+                        view! {
+                            <Badge variant=variant class="text-xs">
+                                {preview_url_for_view.access_level.to_string()}
+                            </Badge>
+                        }
+                    }
+                </div>
+            </TableCell>
+            <TableCell>
+                <div class="flex gap-2">
+                    <Button
+                        variant=ButtonVariant::Ghost
+                        size=ButtonSize::Sm
+                        on:click={
+                            let preview_url = preview_url.clone();
+                            move |_| on_edit(preview_url.clone())
+                        }
+                    >
+                        <lucide_leptos::Pen />
+                    </Button>
+                    <Button
+                        variant=ButtonVariant::Ghost
+                        size=ButtonSize::Sm
+                        on:click=move |_| { delete_modal_open.set(true); }
+                        class="text-destructive hover:text-destructive"
+                    >
+                        <lucide_leptos::Trash  />
+                    </Button>
+                </div>
+            </TableCell>
+        </TableRow>
+
+        <DeleteModal
+            resource=preview_url_name
+            open=delete_modal_open
+            delete_action
+        />
+    }
+}
+
+#[component]
+pub fn CreatePreviewUrlModal(
+    open: RwSignal<bool>,
+    environment_id: Uuid,
+    service: KubeEnvironmentService,
+    update_counter: RwSignal<usize>,
+    on_created: Callback<()>,
+) -> impl IntoView {
+    let org = get_current_org();
+
+    // Form state
+    let description = RwSignal::new(String::new());
+    let selected_port = RwSignal::new(None::<i32>);
+    let selected_port_name = RwSignal::new(None::<String>);
+    let access_level = RwSignal::new(PreviewUrlAccessLevel::Organization);
+    let select_open = RwSignal::new(false);
+
+    // Available ports for the service
+    let available_ports = Signal::derive(move || service.ports.clone());
+
+    // Set port name when port is selected
+    Effect::new(move |_| {
+        if let Some(port) = selected_port.get() {
+            let ports = available_ports.get();
+            if let Some(port_info) = ports.iter().find(|p| p.port == port) {
+                selected_port_name.set(port_info.name.clone());
+            }
+        }
+    });
+
+    // Reset form when modal opens/closes
+    Effect::new(move |_| {
+        if !open.get() {
+            description.set(String::new());
+            selected_port.set(None);
+            selected_port_name.set(None);
+            access_level.set(PreviewUrlAccessLevel::Organization);
+        }
+    });
+
+    let create_action = Action::new_local(move |_| {
+        let on_created = on_created.clone();
+        async move {
+            let port = selected_port
+                .get()
+                .ok_or_else(|| anyhow!("Please select a port"))?;
+
+            let request = CreateKubeEnvironmentPreviewUrlRequest {
+                description: if description.get().trim().is_empty() {
+                    None
+                } else {
+                    Some(description.get())
+                },
+                service_id: service.id,
+                port,
+                port_name: selected_port_name.get(),
+                protocol: Some("HTTP".to_string()),
+                access_level: Some(access_level.get_untracked()),
+            };
+
+            create_environment_preview_url(org, environment_id, request).await?;
+            open.set(false);
+            update_counter.update(|c| *c += 1);
+            on_created.run(());
+            Ok(())
+        }
+    });
+
+    view! {
+        <Modal
+            open=open
+            action=create_action
+            title="Create Preview URL"
+            action_text="Create"
+            action_progress_text="Creating..."
+        >
+            <div class="flex flex-col gap-4">
+                <div class="flex flex-col gap-2">
+                    <Label>"Description"</Label>
+                    <Input
+                        prop:value=move || description.get()
+                        on:input=move |ev| description.set(event_target_value(&ev))
+                        attr:placeholder="Optional description"
+                    />
+                </div>
+
+                <div class="flex flex-col gap-2">
+                    <Label>"Service"</Label>
+                    <div class="px-3 py-2 border border-input bg-muted rounded-md text-sm">
+                        {service.name.clone()}
+                    </div>
+                    <p class="text-sm text-muted-foreground">
+                        "Preview URL will be created for this service"
+                    </p>
+                </div>
+
+                <div class="flex flex-col gap-2">
+                    <Label>"Port" <span class="text-destructive">"*"</span></Label>
+                    <Select
+                        value=selected_port
+                        open=RwSignal::new(false)
+                    >
+                        <SelectTrigger class="w-full">
+                            {
+                                move || {
+                                    selected_port.get().map(|p| p.to_string()).unwrap_or_else(|| "Select Port".to_string())
+                                }
+                            }
+                        </SelectTrigger>
+                        <SelectContent class="w-full">
+                            <For
+                                each=move || available_ports.get()
+                                key=|port| port.port
+                                children=move |port| {
+                                    view! {
+                                        <SelectItem value=Some(port.port)>
+                                            {port.port.to_string()}
+                                            {port.name.as_ref().map(|name| view! {
+                                                <span class="text-muted-foreground ml-1">
+                                                    {format!("({})", name)}
+                                                </span>
+                                            })}
+                                        </SelectItem>
+                                    }
+                                }
+                            />
+                        </SelectContent>
+                    </Select>
+                </div>
+
+                <div class="flex flex-col gap-3">
+                    <Label>"Security & Access"</Label>
+
+                    <div class="flex flex-col gap-2">
+                        <Label>"Access Level"</Label>
+                        <Select
+                            value=access_level
+                            open=select_open
+                        >
+                            <SelectTrigger class="w-full">
+                                {move || access_level.get().get_detailed_message() }
+                            </SelectTrigger>
+                            <SelectContent class="w-full">
+                                <SelectItem value=PreviewUrlAccessLevel::Organization>{PreviewUrlAccessLevel::Organization.get_detailed_message()}</SelectItem>
+                                <SelectItem value=PreviewUrlAccessLevel::Public>{PreviewUrlAccessLevel::Public.get_detailed_message()}</SelectItem>
+                            </SelectContent>
+                        </Select>
+                    </div>
+                </div>
+            </div>
+        </Modal>
+    }
+}
+
+#[component]
+fn EditPreviewUrlModal(
+    open: RwSignal<bool>,
+    preview_url: Signal<Option<KubeEnvironmentPreviewUrl>>,
+    update_counter: RwSignal<usize>,
+) -> impl IntoView {
+    let org = get_current_org();
+
+    // Form state
+    let description = RwSignal::new(String::new());
+    let access_level = RwSignal::new(PreviewUrlAccessLevel::Organization);
+    let edit_select_open = RwSignal::new(false);
+
+    // Initialize form when preview URL changes
+    Effect::new(move |_| {
+        if let Some(url) = preview_url.get() {
+            description.set(url.description.unwrap_or_default());
+            access_level.set(url.access_level);
+        }
+    });
+
+    let update_action = Action::new_local(move |_| async move {
+        let url = preview_url
+            .get()
+            .ok_or_else(|| anyhow!("No preview URL to update"))?;
+
+        let request = UpdateKubeEnvironmentPreviewUrlRequest {
+            description: if description.get().trim().is_empty() {
+                None
+            } else {
+                Some(description.get())
+            },
+            access_level: Some(access_level.get_untracked()),
+        };
+
+        update_environment_preview_url(org, url.id, request).await?;
+        open.set(false);
+        update_counter.update(|c| *c += 1);
+        Ok(())
+    });
+
+    view! {
+        <Modal
+            open=open
+            action=update_action
+            title="Edit Preview URL"
+            action_text="Save Changes"
+            action_progress_text="Saving..."
+        >
+            <div class="flex flex-col gap-4">
+                <div class="flex flex-col gap-2">
+                    <Label>"Name"</Label>
+                    <div class="px-3 py-2 border border-input bg-muted rounded-md text-sm font-mono">
+                        {move || preview_url.get().map(|url| url.name).unwrap_or_default()}
+                    </div>
+                    <p class="text-sm text-muted-foreground">
+                        "Name is auto-generated and cannot be changed"
+                    </p>
+                </div>
+
+                <div class="flex flex-col gap-2">
+                    <Label>"Description"</Label>
+                    <Input
+                        prop:value=move || description.get()
+                        on:input=move |ev| description.set(event_target_value(&ev))
+                        attr:placeholder="Optional description"
+                    />
+                </div>
+
+                <div class="flex flex-col gap-3">
+                    <Label>"Settings"</Label>
+
+                    <div class="flex flex-col gap-2">
+                        <Label>"Access Level"</Label>
+                        <Select
+                            value=access_level
+                            open=edit_select_open
+                        >
+                            <SelectTrigger class="w-full">
+                                {move || access_level.get().get_detailed_message() }
+                            </SelectTrigger>
+                            <SelectContent class="w-full">
+                                <SelectItem value=PreviewUrlAccessLevel::Organization>{PreviewUrlAccessLevel::Organization.get_detailed_message()}</SelectItem>
+                                <SelectItem value=PreviewUrlAccessLevel::Public>{PreviewUrlAccessLevel::Public.get_detailed_message()}</SelectItem>
+                            </SelectContent>
+                        </Select>
+                    </div>
+                </div>
+            </div>
+        </Modal>
+    }
+}
+
+// API functions
+async fn get_environment_preview_urls(
+    org: Signal<Option<Organization>>,
+    environment_id: Uuid,
+) -> anyhow::Result<Vec<KubeEnvironmentPreviewUrl>> {
+    let org = org.get().ok_or_else(|| anyhow!("can't get org"))?;
+    let client = HrpcServiceClient::new("/api/rpc".to_string());
+    Ok(client
+        .get_environment_preview_urls(org.id, environment_id)
+        .await??)
+}
+
+async fn create_environment_preview_url(
+    org: Signal<Option<Organization>>,
+    environment_id: Uuid,
+    request: CreateKubeEnvironmentPreviewUrlRequest,
+) -> anyhow::Result<KubeEnvironmentPreviewUrl> {
+    let org = org.get().ok_or_else(|| anyhow!("can't get org"))?;
+    let client = HrpcServiceClient::new("/api/rpc".to_string());
+    Ok(client
+        .create_environment_preview_url(org.id, environment_id, request)
+        .await??)
+}
+
+async fn update_environment_preview_url(
+    org: Signal<Option<Organization>>,
+    preview_url_id: Uuid,
+    request: UpdateKubeEnvironmentPreviewUrlRequest,
+) -> anyhow::Result<KubeEnvironmentPreviewUrl> {
+    let org = org.get().ok_or_else(|| anyhow!("can't get org"))?;
+    let client = HrpcServiceClient::new("/api/rpc".to_string());
+    Ok(client
+        .update_environment_preview_url(org.id, preview_url_id, request)
+        .await??)
+}
+
+async fn delete_environment_preview_url(
+    org: Signal<Option<Organization>>,
+    preview_url_id: Uuid,
+) -> anyhow::Result<()> {
+    let org = org.get().ok_or_else(|| anyhow!("can't get org"))?;
+    let client = HrpcServiceClient::new("/api/rpc".to_string());
+    Ok(client
+        .delete_environment_preview_url(org.id, preview_url_id)
+        .await??)
+}
diff --git a/crates/dashboard/src/kube_environment_workload.rs b/crates/dashboard/src/kube_environment_workload.rs
new file mode 100644
index 0000000..b9b0343
--- /dev/null
+++ b/crates/dashboard/src/kube_environment_workload.rs
@@ -0,0 +1,385 @@
+use std::str::FromStr;
+
+use anyhow::{anyhow, Result};
+use lapdev_common::{
+    console::Organization,
+    kube::{KubeContainerInfo, KubeEnvironment, KubeEnvironmentWorkload},
+};
+use leptos::prelude::*;
+use leptos_router::hooks::{use_navigate, use_params_map};
+use uuid::Uuid;
+
+use crate::{
+    app::{get_hrpc_client, AppConfig},
+    component::{
+        badge::{Badge, BadgeVariant},
+        button::{Button, ButtonVariant},
+        card::Card,
+        typography::{H3, P},
+    },
+    docs_url,
+    kube_container::{ContainerEditorConfig, ContainersCard},
+    modal::{DatetimeModal, ErrorResponse},
+    organization::get_current_org,
+    DOCS_ENVIRONMENT_PATH,
+};
+
+#[component]
+pub fn KubeEnvironmentWorkload() -> impl IntoView {
+    let params = use_params_map();
+    let environment_id = Memo::new(move |_| {
+        params.with(|params| {
+            params
+                .get("environment_id")
+                .and_then(|id| Uuid::from_str(id.as_str()).ok())
+                .unwrap_or_default()
+        })
+    });
+    let workload_id = Memo::new(move |_| {
+        params.with(|params| {
+            params
+                .get("workload_id")
+                .and_then(|id| Uuid::from_str(id.as_str()).ok())
+                .unwrap_or_default()
+        })
+    });
+
+    view! {
+        <div class="flex flex-col gap-6">
+            <div class="flex flex-col gap-2 items-start">
+                <H3>Environment Workload Details</H3>
+                <P>
+                    View and manage details for this environment workload.
+                </P>
+                <a href=docs_url(DOCS_ENVIRONMENT_PATH) target="_blank" rel="noopener noreferrer">
+                    <Badge variant=BadgeVariant::Secondary>
+                        Docs <lucide_leptos::ExternalLink />
+                    </Badge>
+                </a>
+            </div>
+
+            <EnvironmentWorkloadDetail environment_id workload_id />
+        </div>
+    }
+}
+
+async fn get_environment_workload_detail(
+    org: Signal<Option<Organization>>,
+    environment_id: Uuid,
+    workload_id: Uuid,
+) -> Result<(KubeEnvironment, KubeEnvironmentWorkload)> {
+    let org = org.get().ok_or_else(|| anyhow!("can't get org"))?;
+    let client = get_hrpc_client();
+
+    let detail = client
+        .get_environment_workload_detail(org.id, environment_id, workload_id)
+        .await??;
+
+    Ok((detail.environment, detail.workload))
+}
+
+async fn update_environment_workload_containers(
+    org: Signal<Option<Organization>>,
+    environment_id: Uuid,
+    workload_id: Uuid,
+    containers: Vec<KubeContainerInfo>,
+    update_counter: RwSignal<usize>,
+) -> Result<Uuid, ErrorResponse> {
+    let org = org.get().ok_or_else(|| anyhow!("can't get org"))?;
+    let client = get_hrpc_client();
+
+    let new_id = client
+        .update_environment_workload(org.id, environment_id, workload_id, containers)
+        .await??;
+
+    update_counter.update(|c| *c += 1);
+
+    Ok(new_id)
+}
+
+async fn delete_environment_workload_api(
+    org: Signal<Option<Organization>>,
+    environment_id: Uuid,
+    workload_id: Uuid,
+) -> Result<(), ErrorResponse> {
+    let org = org.get().ok_or_else(|| ErrorResponse {
+        error: "Organization not found".to_string(),
+    })?;
+    let client = get_hrpc_client();
+
+    client
+        .delete_environment_workload(org.id, environment_id, workload_id)
+        .await??;
+
+    Ok(())
+}
+
+#[component]
+pub fn EnvironmentWorkloadDetail(
+    environment_id: Memo<Uuid>,
+    workload_id: Memo<Uuid>,
+) -> impl IntoView {
+    let org = get_current_org();
+    let is_loading = RwSignal::new(false);
+    let update_counter = RwSignal::new(0usize);
+    let navigate = StoredValue::new_local(use_navigate());
+
+    let config = use_context::<AppConfig>().unwrap();
+
+    let workload_result = LocalResource::new(move || {
+        update_counter.track(); // Make reactive to updates
+        async move {
+            is_loading.set(true);
+            let environment_id = environment_id.get_untracked();
+            let workload_id = workload_id.get_untracked();
+            let result = get_environment_workload_detail(org, environment_id, workload_id)
+                .await
+                .ok();
+            if let Some((env, workload)) = result.as_ref() {
+                config.current_page.set(workload.name.clone());
+                config.header_links.update(|header_links| {
+                    if let Some((name, link)) = header_links.first_mut() {
+                        let (t, l) = if env.base_environment_id.is_some() {
+                            ("Branch", "branch")
+                        } else if env.is_shared {
+                            ("Shared", "shared")
+                        } else {
+                            ("Personal", "personal")
+                        };
+                        *name = format!("{t} Environments");
+                        *link = format!("/kubernetes/environments/{l}");
+                    }
+                    header_links.push((
+                        env.name.clone(),
+                        format!("/kubernetes/environments/{environment_id}"),
+                    ));
+                });
+            }
+            is_loading.set(false);
+            result
+        }
+    });
+
+    let workload_info = Signal::derive(move || workload_result.get().flatten());
+
+    view! {
+        <div class="flex flex-col gap-6">
+            // Loading State
+            <Show when=move || is_loading.get()>
+                <div class="flex items-center justify-center py-12">
+                    <div class="flex items-center gap-2 text-sm text-muted-foreground">
+                        <div class="animate-spin rounded-full h-4 w-4 border-2 border-current border-t-transparent"></div>
+                        "Loading workload details..."
+                    </div>
+                </div>
+            </Show>
+
+            // Workload Information Card
+            <Show when=move || workload_info.get().is_some()>
+                <EnvironmentWorkloadInfoCard
+                    workload_info
+                />
+            </Show>
+
+            // Containers Card
+            <Show when=move || workload_info.get().is_some()>
+                {move || {
+                    if let Some((environment, workload)) = workload_info.get() {
+                        let workload_id = workload.id;
+                        let all_containers = workload.containers.clone();
+                        let navigate_for_action = navigate.get_value();
+                        let update_action = Action::new_local(move |containers: &Vec<KubeContainerInfo>| {
+                            let containers = containers.clone();
+                            let current_workload_id = workload_id;
+                            let navigate = navigate_for_action.clone();
+                            async move {
+                                let result = update_environment_workload_containers(
+                                    org,
+                                    environment_id.get_untracked(),
+                                    current_workload_id,
+                                    containers,
+                                    update_counter,
+                                )
+                                .await;
+
+                                if let Ok(new_id) = &result {
+                                    if *new_id != current_workload_id {
+                                        let url = format!(
+                                            "/kubernetes/environments/{}/workloads/{}",
+                                            environment_id.get_untracked(), new_id
+                                        );
+                                        let _ = navigate(&url, Default::default());
+                                    }
+                                }
+
+                                result
+                            }
+                        });
+
+                        let branch_reset_action = if environment
+                            .base_environment_id
+                            .is_some()
+                        {
+                            let org_signal = org;
+                            let environment_id_value = environment_id.get_untracked();
+                            let workload_id_value = workload.id;
+                            let update_counter = update_counter.clone();
+                            let navigate_for_reset = navigate.get_value();
+                            Some(Action::new_local(move |_| {
+                                let org_signal = org_signal;
+                                let navigate_for_reset = navigate_for_reset.clone();
+                                async move {
+                                    delete_environment_workload_api(
+                                        org_signal,
+                                        environment_id_value,
+                                        workload_id_value,
+                                    )
+                                    .await?;
+                                    update_counter.update(|c| *c += 1);
+                                    let _ = navigate_for_reset(
+                                        &format!("/kubernetes/environments/{}", environment_id_value),
+                                        Default::default(),
+                                    );
+                                    Ok(())
+                                }
+                            }))
+                        } else {
+                            None
+                        };
+
+                        let config = ContainerEditorConfig {
+                            enable_resource_limits: false,
+                            show_customization_badge: true,
+                            is_branch_environment: environment.base_environment_id.is_some(),
+                            branch_reset_action,
+                        };
+                        view! {
+                            <ContainersCard
+                                all_containers
+                                title="Container Configuration"
+                                empty_message="This workload doesn't have any container configurations."
+                                workload_id
+                                update_counter
+                                config
+                                update_action
+                            />
+                        }.into_any()
+                    } else {
+                        view! { <div></div> }.into_any()
+                    }
+                }}
+            </Show>
+
+        </div>
+    }
+}
+
+#[component]
+pub fn EnvironmentWorkloadInfoCard(
+    workload_info: Signal<Option<(KubeEnvironment, KubeEnvironmentWorkload)>>,
+) -> impl IntoView {
+    view! {
+        <Show when=move || workload_info.get().is_some() fallback=|| view! { <div></div> }>
+           {
+                let (environment, workload) = workload_info.get().unwrap();
+                let workload_name = workload.name.clone();
+                let workload_namespace = workload.namespace.clone();
+                let workload_namespace2 = workload.namespace.clone();
+                let workload_kind = workload.kind.clone();
+                let workload_kind2 = workload.kind.clone();
+                let created_at_str = workload.created_at.clone();
+                let environment_name = environment.name.clone();
+                let environment_id = environment.id;
+                let environment_cluster_id = environment.cluster_id;
+                let environment_cluster_name = environment.cluster_name.clone();
+                let is_branch = environment.base_environment_id.is_some();
+                let is_shared = environment.is_shared;
+
+                view! {
+                    <Card class="p-6">
+                        <div class="flex flex-col gap-6">
+                            // Header
+                            <div class="flex flex-col gap-2">
+                                <H3>{workload_name}</H3>
+                                <div class="flex items-center gap-2">
+                                    <Badge variant=BadgeVariant::Secondary>
+                                        {workload_namespace}
+                                    </Badge>
+                                    <Badge variant=BadgeVariant::Outline>
+                                        {workload_kind}
+                                    </Badge>
+                                </div>
+                            </div>
+
+                            // Metadata grid
+                            <div class="grid grid-cols-[auto_1fr] gap-x-4 gap-y-4 text-sm">
+                                <div class="flex items-center gap-2 text-muted-foreground font-medium">
+                                    <div class="[&>svg]:size-4 [&>svg]:shrink-0">
+                                        <lucide_leptos::Layers />
+                                    </div>
+                                    <span>Environment</span>
+                                </div>
+                                <div class="flex items-center gap-2">
+                                    {if is_branch {
+                                        view! { <lucide_leptos::GitBranch attr:class="h-4 w-4 text-muted-foreground" /> }.into_any()
+                                    } else if is_shared {
+                                        view! { <lucide_leptos::Users attr:class="h-4 w-4 text-muted-foreground" /> }.into_any()
+                                    } else {
+                                        view! { <lucide_leptos::User attr:class="h-4 w-4 text-muted-foreground" /> }.into_any()
+                                    }}
+                                    <a href=format!("/kubernetes/environments/{}", environment_id) class="text-foreground hover:underline">
+                                        {environment_name.clone()}
+                                    </a>
+                                </div>
+
+                                <div class="flex items-center gap-2 text-muted-foreground font-medium">
+                                    <div class="[&>svg]:size-4 [&>svg]:shrink-0">
+                                        <lucide_leptos::Server />
+                                    </div>
+                                    <span>Cluster</span>
+                                </div>
+                                <div class="flex items-center gap-2">
+                                    <a href=format!("/kubernetes/clusters/{}", environment_cluster_id) class="text-foreground hover:underline">
+                                        {environment_cluster_name}
+                                    </a>
+                                </div>
+
+                                <div class="flex items-center gap-2 text-muted-foreground font-medium">
+                                    <div class="[&>svg]:size-4 [&>svg]:shrink-0">
+                                        <lucide_leptos::Hash />
+                                    </div>
+                                    <span>Namespace</span>
+                                </div>
+                                <div class="font-mono text-sm">
+                                    {workload_namespace2}
+                                </div>
+
+                                <div class="flex items-center gap-2 text-muted-foreground font-medium">
+                                    <div class="[&>svg]:size-4 [&>svg]:shrink-0">
+                                        <lucide_leptos::Package />
+                                    </div>
+                                    <span>Workload Kind</span>
+                                </div>
+                                <div>
+                                    <Badge variant=BadgeVariant::Outline>
+                                        {workload_kind2}
+                                    </Badge>
+                                </div>
+
+                                <div class="flex items-center gap-2 text-muted-foreground font-medium">
+                                    <div class="[&>svg]:size-4 [&>svg]:shrink-0">
+                                        <lucide_leptos::Calendar />
+                                    </div>
+                                    <span>Created</span>
+                                </div>
+                                <div>
+                                    <DatetimeModal time=workload.created_at />
+                                </div>
+                            </div>
+                        </div>
+                    </Card>
+                }
+            }
+        </Show>
+    }
+}
diff --git a/crates/dashboard/src/kube_resource.rs b/crates/dashboard/src/kube_resource.rs
new file mode 100644
index 0000000..ae630ed
--- /dev/null
+++ b/crates/dashboard/src/kube_resource.rs
@@ -0,0 +1,1366 @@
+use std::{collections::HashSet, str::FromStr};
+
+use anyhow::{anyhow, Result};
+use lapdev_common::{
+    console::Organization,
+    kube::{
+        KubeAppCatalogWorkloadCreate, KubeCluster, KubeClusterInfo, KubeClusterStatus,
+        KubeNamespace, KubeNamespaceInfo, KubeWorkload, KubeWorkloadKind, KubeWorkloadList,
+        PaginationCursor, PaginationParams,
+    },
+};
+use leptos::{prelude::*, task::spawn_local_scoped_with_cancellation};
+use leptos_router::hooks::{use_location, use_params_map};
+use uuid::Uuid;
+
+use crate::{
+    app::{get_hrpc_client, AppConfig},
+    component::{
+        badge::{Badge, BadgeVariant},
+        button::{Button, ButtonSize, ButtonVariant},
+        card::Card,
+        checkbox::Checkbox,
+        input::Input,
+        label::Label,
+        select::{
+            Select, SelectContent, SelectItem, SelectSearchInput, SelectSeparator, SelectTrigger,
+        },
+        table::{Table, TableBody, TableCell, TableHead, TableHeader, TableRow},
+        textarea::Textarea,
+        typography::{H3, H4, P},
+    },
+    docs_url,
+    kube_app_catalog_detail::get_app_catalog,
+    modal::{ErrorResponse, Modal},
+    organization::get_current_org,
+    sse::run_sse_with_retry,
+    DOCS_CLUSTER_PATH,
+};
+
+#[component]
+pub fn KubeResource() -> impl IntoView {
+    let update_counter = RwSignal::new_local(0);
+    let params = use_params_map();
+    let cluster_id = params.with_untracked(|params| params.get("cluster_id").clone().unwrap());
+    let cluster_id = Uuid::from_str(&cluster_id).unwrap_or_default();
+
+    view! {
+        <div class="flex flex-col gap-6">
+            <div class="flex flex-col gap-2 items-start">
+                <H3>Kubernetes Resources</H3>
+                <P>
+                    {"Use this page to see every workload currently running in the connected cluster and turn those production manifests into new App Catalogs."}
+                </P>
+                <a href=docs_url(DOCS_CLUSTER_PATH) target="_blank" rel="noopener noreferrer">
+                    <Badge variant=BadgeVariant::Secondary>Docs <lucide_leptos::ExternalLink /></Badge>
+                </a>
+            </div>
+
+            <ClusterInfo cluster_id update_counter />
+
+            <KubeResourceList update_counter cluster_id />
+        </div>
+    }
+}
+
+async fn get_workloads_from_api(
+    org: Signal<Option<Organization>>,
+    cluster_id: uuid::Uuid,
+    namespace_filter: Option<String>,
+    workload_kind_filter: Option<KubeWorkloadKind>,
+    include_system_workloads: bool,
+    pagination: PaginationParams,
+) -> Result<KubeWorkloadList> {
+    let org = org.get().ok_or_else(|| anyhow!("can't get org"))?;
+    let client = get_hrpc_client();
+
+    Ok(client
+        .get_workloads(
+            org.id,
+            cluster_id,
+            namespace_filter,
+            workload_kind_filter,
+            include_system_workloads,
+            Some(pagination),
+        )
+        .await??)
+}
+
+async fn get_namespaces_from_api(
+    org: Signal<Option<Organization>>,
+    cluster_id: uuid::Uuid,
+) -> Result<Vec<KubeNamespaceInfo>> {
+    let org = org.get().ok_or_else(|| anyhow!("can't get org"))?;
+    let client = get_hrpc_client();
+
+    Ok(client.get_cluster_namespaces(org.id, cluster_id).await??)
+}
+
+async fn get_cluster_info_from_api(
+    org: Signal<Option<Organization>>,
+    cluster_id: uuid::Uuid,
+) -> Result<KubeCluster> {
+    let org = org.get().ok_or_else(|| anyhow!("can't get org"))?;
+    let client = get_hrpc_client();
+
+    Ok(client.get_cluster_info(org.id, cluster_id).await??)
+}
+
+#[component]
+pub fn ClusterInfo(
+    cluster_id: Uuid,
+    update_counter: RwSignal<usize, LocalStorage>,
+) -> impl IntoView {
+    let org = get_current_org();
+
+    let config = use_context::<AppConfig>().unwrap();
+    let cluster_info_resource =
+        LocalResource::new(
+            move || async move { get_cluster_info_from_api(org, cluster_id).await.ok() },
+        );
+
+    let cluster_info_signal = cluster_info_resource.clone();
+    let cluster = Signal::derive(move || {
+        let cluster_data = cluster_info_signal.get();
+        if let Some(Some(cluster)) = cluster_data.as_ref() {
+            config.current_page.set(cluster.name.clone());
+        }
+        cluster_data.flatten().unwrap_or_else(|| KubeCluster {
+            id: cluster_id,
+            name: "Unknown".to_string(),
+            can_deploy_personal: false,
+            can_deploy_shared: false,
+            info: KubeClusterInfo {
+                cluster_version: "Unknown".to_string(),
+                node_count: 0,
+                available_cpu: "N/A".to_string(),
+                available_memory: "N/A".to_string(),
+                provider: None,
+                region: None,
+                status: KubeClusterStatus::NotReady,
+                manager_namespace: None,
+            },
+        })
+    });
+
+    let sse_started = RwSignal::new_local(false);
+    let cluster_info_for_sse = cluster_info_resource.clone();
+    let org_for_sse = org;
+    Effect::new(move |_| {
+        if sse_started.get_untracked() {
+            return;
+        }
+
+        if let Some(org) = org_for_sse.get() {
+            sse_started.set(true);
+            let org_id = org.id;
+            spawn_local_scoped_with_cancellation({
+                let cluster_info_for_sse = cluster_info_for_sse.clone();
+                async move {
+                    let url = format!(
+                        "/api/v1/organizations/{}/kube/clusters/{}/events",
+                        org_id, cluster_id
+                    );
+                    let listener_name = format!("cluster {} detail", cluster_id);
+                    run_sse_with_retry(url, "cluster", listener_name, move |_message| {
+                        cluster_info_for_sse.refetch();
+                        update_counter.update(|c| *c += 1);
+                    })
+                    .await;
+                }
+            });
+        }
+    });
+
+    view! {
+        <Card class="p-6 flex flex-col gap-4">
+            <H4>Cluster Information</H4>
+            {move || {
+                let cluster = cluster.get();
+                let info = cluster.info.clone();
+
+                let cluster_name = cluster.name.clone();
+                let cluster_version = info.cluster_version.clone();
+                let status = info.status.clone();
+                let status_label = status.to_string();
+                let status_variant = match status {
+                    KubeClusterStatus::Ready => BadgeVariant::Secondary,
+                    KubeClusterStatus::NotReady => BadgeVariant::Destructive,
+                    KubeClusterStatus::Error => BadgeVariant::Destructive,
+                    KubeClusterStatus::Provisioning => BadgeVariant::Outline,
+                };
+                let region = info.region.clone().unwrap_or_else(|| "N/A".to_string());
+                let provider = info.provider.clone().unwrap_or_else(|| "Unknown".to_string());
+
+                view! {
+                    <div class="grid grid-cols-2 md:grid-cols-5 gap-4">
+                        <div>
+                            <div class="flex flex-col gap-1">
+                                <Label>Name</Label>
+                                <P class="font-medium">{cluster_name}</P>
+                            </div>
+                        </div>
+                        <div>
+                            <div class="flex flex-col gap-1">
+                                <Label>Version</Label>
+                                <P class="font-medium">{cluster_version}</P>
+                            </div>
+                        </div>
+                        <div>
+                            <div class="flex flex-col gap-1">
+                                <Label>Status</Label>
+                                <Badge variant=status_variant>{status_label}</Badge>
+                            </div>
+                        </div>
+                        <div>
+                            <div class="flex flex-col gap-1">
+                                <Label>Provider</Label>
+                                <P class="font-medium">{provider}</P>
+                            </div>
+                        </div>
+                        <div>
+                            <div class="flex flex-col gap-1">
+                                <Label>Region</Label>
+                                <P class="font-medium">{region}</P>
+                            </div>
+                        </div>
+                    </div>
+                }
+            }}
+        </Card>
+    }
+}
+
+#[component]
+pub fn KubeResourceList(
+    update_counter: RwSignal<usize, LocalStorage>,
+    cluster_id: Uuid,
+) -> impl IntoView {
+    let org = get_current_org();
+    let location = use_location();
+
+    // Initialize from URL search parameters
+    let initial_namespace = move || {
+        let search = location.search.get_untracked();
+        let params = web_sys::UrlSearchParams::new_with_str(&search).ok()?;
+        params.get("namespace")
+    };
+
+    let catalog_id_from_url = {
+        let search = location.search.get_untracked();
+        let params = web_sys::UrlSearchParams::new_with_str(&search).ok();
+        params.and_then(|p| p.get("catalog_id").and_then(|id| Uuid::from_str(&id).ok()))
+    };
+
+    let namespace_filter = RwSignal::new_local(initial_namespace());
+    let kind_filter = RwSignal::new_local(None::<KubeWorkloadKind>);
+    let limit = RwSignal::new_local(20usize);
+    let is_loading = RwSignal::new(false);
+    let workload_cache = RwSignal::new_local(WorkloadCache::new(kind_filter.get_untracked()));
+    let cache_offset = RwSignal::new_local(0usize);
+
+    let namespace_select_value = RwSignal::new(initial_namespace());
+    let workload_kind_select_value = RwSignal::new(None::<KubeWorkloadKind>);
+    let limit_select_value = RwSignal::new(20usize);
+    let include_system_workloads = RwSignal::new(false);
+
+    let cluster_resource =
+        LocalResource::new(
+            move || async move { get_cluster_info_from_api(org, cluster_id).await.ok() },
+        );
+    let cluster_status = Signal::derive(move || {
+        cluster_resource
+            .get()
+            .flatten()
+            .map(|cluster| cluster.info.status)
+            .unwrap_or(KubeClusterStatus::NotReady)
+    });
+
+    let workloads = LocalResource::new(move || async move {
+        is_loading.set(true);
+        let offset = cache_offset.get_untracked();
+        let limit = limit.get_untracked();
+        let needs_more_retrieve =
+            workload_cache.with_untracked(|c| c.needs_more_retrieve(offset, limit));
+
+        if needs_more_retrieve {
+            let pagination_params = PaginationParams {
+                cursor: workload_cache.with_untracked(|c| c.cursor.clone()),
+                limit,
+            };
+            let result = get_workloads_from_api(
+                org,
+                cluster_id,
+                namespace_filter.get_untracked(),
+                kind_filter.get_untracked(),
+                include_system_workloads.get_untracked(),
+                pagination_params,
+            )
+            .await
+            .unwrap_or_else(|_| KubeWorkloadList {
+                workloads: vec![],
+                next_cursor: None,
+            });
+
+            workload_cache.update(|c| {
+                c.update_cache(result);
+            });
+        }
+
+        is_loading.set(false);
+        workload_cache.with_untracked(|c| c.retrieve_list(offset, limit))
+    });
+
+    Effect::new(move |_| {
+        update_counter.track();
+        namespace_filter.track();
+        kind_filter.track();
+        include_system_workloads.track();
+        limit.track();
+
+        // Clear cache when filters change or limit changes
+        workload_cache.set(WorkloadCache::new(kind_filter.get_untracked()));
+        cache_offset.set(0);
+        workloads.refetch();
+    });
+
+    Effect::new(move |_| {
+        cache_offset.track();
+        workloads.refetch();
+    });
+
+    let workload_list = Signal::derive(move || workloads.get().unwrap_or_default());
+
+    let filtered_workloads = Signal::derive(move || workload_list.get());
+
+    let detail_modal_open = RwSignal::new(false);
+    let selected_workload = RwSignal::new_local(None::<KubeWorkload>);
+
+    // Sync namespace select with namespace filter and update URL
+    Effect::new(move |_| {
+        let selected_namespace = namespace_select_value.get();
+        let current_filter = namespace_filter.get_untracked();
+        if selected_namespace != current_filter {
+            namespace_filter.set(selected_namespace.clone());
+
+            // Update URL with new namespace parameter (without navigation)
+            let current_path = location.pathname.get_untracked();
+            let search = location.search.get_untracked();
+            let params = web_sys::UrlSearchParams::new_with_str(&search)
+                .unwrap_or_else(|_| web_sys::UrlSearchParams::new().unwrap());
+
+            if let Some(ns) = &selected_namespace {
+                params.set("namespace", ns);
+            } else {
+                params.delete("namespace");
+            }
+
+            let new_search = params.to_string().as_string().unwrap_or_default();
+            let new_url = if new_search.is_empty() {
+                current_path
+            } else {
+                format!("{}?{}", current_path, new_search)
+            };
+
+            // Use replaceState to update URL without navigation
+            if let Some(history) = web_sys::window().and_then(|w| w.history().ok()) {
+                let _ = history.replace_state_with_url(
+                    &wasm_bindgen::JsValue::NULL,
+                    "",
+                    Some(&new_url),
+                );
+            }
+        }
+    });
+
+    // Sync workload kind select with kind filter
+    Effect::new(move |_| {
+        let selected_kind = workload_kind_select_value.get();
+        let current_filter = kind_filter.get_untracked();
+        if selected_kind != current_filter {
+            kind_filter.set(selected_kind);
+        }
+    });
+
+    // Sync limit select with limit signal
+    Effect::new(move |_| {
+        let selected_limit = limit_select_value.get();
+        if selected_limit != limit.get_untracked() {
+            limit.set(selected_limit);
+        }
+    });
+
+    let selected_workloads = RwSignal::new(std::collections::HashSet::<WorkloadKey>::new());
+
+    view! {
+        <div class="flex flex-col gap-4">
+            <AppCatalogActions
+                selected_workloads
+                filtered_workloads
+                cluster_id
+                catalog_id_from_url
+            />
+            <div class="flex flex-wrap gap-4 items-center">
+               <NamespaceFilters namespace_select_value cluster_id />
+               <WorkloadFilters workload_kind_select_value />
+               <SystemWorkloadsCheckbox include_system_workloads />
+            </div>
+            <WorkloadPagination
+                workload_list
+                limit_select_value
+                workload_cache
+                cache_offset
+                is_loading=is_loading.read_only().into()
+            />
+
+            <WorkloadTable
+                selected_workloads
+                filtered_workloads
+                is_loading=is_loading.read_only().into()
+                cluster_status
+            />
+
+            <WorkloadDetailModal modal_open=detail_modal_open workload=selected_workload />
+        </div>
+    }
+}
+
+#[component]
+pub fn KubeResourceItem(
+    workload: KubeWorkload,
+    selected_workloads: RwSignal<std::collections::HashSet<WorkloadKey>>,
+) -> impl IntoView {
+    let replica_text = match (workload.ready_replicas, workload.replicas) {
+        (Some(ready), Some(total)) => format!("{}/{}", ready, total),
+        (Some(ready), None) => ready.to_string(),
+        (None, Some(total)) => format!("?/{}", total),
+        (None, None) => "-".to_string(),
+    };
+
+    let workload_key = WorkloadKey::from_workload(&workload);
+    let workload_key_clone = workload_key.clone();
+    let is_selected =
+        Signal::derive(move || selected_workloads.with(|s| s.contains(&workload_key)));
+
+    let toggle_selection = move |_| {
+        selected_workloads.update(|selected| {
+            if selected.contains(&workload_key_clone) {
+                selected.remove(&workload_key_clone);
+            } else {
+                selected.insert(workload_key_clone.clone());
+            }
+        });
+    };
+
+    view! {
+        <TableRow>
+            <TableCell class="w-10">
+                <div class="flex items-center justify-center">
+                    <Checkbox
+                        prop:checked=move || is_selected.get()
+                        on:change=toggle_selection
+                    />
+                </div>
+            </TableCell>
+            <TableCell>
+                <span class="font-medium">{workload.name.clone()}</span>
+            </TableCell>
+            <TableCell>
+                <Badge variant=BadgeVariant::Outline>{workload.namespace.clone()}</Badge>
+            </TableCell>
+            <TableCell>{format!("{:?}", workload.kind)}</TableCell>
+            <TableCell>{replica_text}</TableCell>
+        </TableRow>
+    }
+}
+
+#[component]
+pub fn WorkloadDetailModal(
+    modal_open: RwSignal<bool>,
+    workload: RwSignal<Option<KubeWorkload>, LocalStorage>,
+) -> impl IntoView {
+    view! {
+        <Modal
+            title="Workload Details"
+            open=modal_open
+            action=Action::new_local(move |_| async move { Ok(()) })
+            hide_action=true
+        >
+            {move || {
+                if let Some(w) = workload.get() {
+                    view! {
+                        <div class="flex flex-col gap-4">
+                            <div class="grid grid-cols-2 gap-4">
+                                <div>
+                                    <Label>Name</Label>
+                                    <P class="font-mono text-sm">{w.name.clone()}</P>
+                                </div>
+                                <div>
+                                    <Label>Namespace</Label>
+                                    <P class="font-mono text-sm">{w.namespace.clone()}</P>
+                                </div>
+                                <div>
+                                    <Label>Kind</Label>
+                                    <P class="font-mono text-sm">{format!("{:?}", w.kind)}</P>
+                                </div>
+                                {if let (Some(ready), Some(total)) = (
+                                    w.ready_replicas,
+                                    w.replicas,
+                                ) {
+                                    view! {
+                                        <div>
+                                            <Label>Replicas</Label>
+                                            <P class="font-mono text-sm">
+                                                {format!("{}/{}", ready, total)}
+                                            </P>
+                                        </div>
+                                    }
+                                        .into_any()
+                                } else {
+                                    view! { <div></div> }.into_any()
+                                }}
+                                {if let Some(created) = &w.created_at {
+                                    let created_str = created.clone();
+                                    view! {
+                                        <div>
+                                            <Label>Created</Label>
+                                            <P class="font-mono text-sm">{created_str}</P>
+                                        </div>
+                                    }
+                                        .into_any()
+                                } else {
+                                    view! { <div></div> }.into_any()
+                                }}
+                            </div>
+
+                            {if !w.labels.is_empty() {
+                                let labels_vec: Vec<_> = w
+                                    .labels
+                                    .iter()
+                                    .map(|(k, v)| (k.clone(), v.clone()))
+                                    .collect();
+                                view! {
+                                    <div>
+                                        <Label>Labels</Label>
+                                        <div class="mt-2 space-y-1">
+                                            <For
+                                                each=move || labels_vec.clone()
+                                                key=|(k, _)| k.clone()
+                                                children=move |(key, value)| {
+                                                    view! {
+                                                        <div class="flex items-center gap-2">
+                                                            <Badge
+                                                                variant=BadgeVariant::Outline
+                                                                class="font-mono text-xs"
+                                                            >
+                                                                {format!("{}={}", key, value)}
+                                                            </Badge>
+                                                        </div>
+                                                    }
+                                                }
+                                            />
+                                        </div>
+                                    </div>
+                                }
+                                    .into_any()
+                            } else {
+                                view! { <div></div> }.into_any()
+                            }}
+                        </div>
+                    }
+                        .into_any()
+                } else {
+                    view! { <P>No workload selected</P> }.into_any()
+                }
+            }}
+        </Modal>
+    }
+}
+
+#[component]
+pub fn SystemWorkloadsCheckbox(include_system_workloads: RwSignal<bool>) -> impl IntoView {
+    view! {
+        <div class="flex items-center gap-2">
+            <Checkbox
+                attr:id="system-workloads"
+                prop:checked=move || include_system_workloads.get()
+                on:change=move |ev| {
+                    let checked = event_target_checked(&ev);
+                    include_system_workloads.set(checked);
+                }
+            />
+            <label for="system-workloads" class="text-sm text-gray-700">
+                "Show System Workloads"
+            </label>
+        </div>
+    }
+}
+
+#[component]
+pub fn WorkloadFilters(
+    workload_kind_select_value: RwSignal<Option<KubeWorkloadKind>>,
+) -> impl IntoView {
+    let workload_kind_select_open = RwSignal::new(false);
+
+    view! {
+        <Select open=workload_kind_select_open value=workload_kind_select_value>
+            <SelectTrigger
+                class="w-48"
+            >
+                {move || match workload_kind_select_value.get() {
+                    Some(k) => k.to_string(),
+                    None => "All Workload Types".to_string(),
+                }}
+            </SelectTrigger>
+            <SelectContent
+                class="w-48"
+            >
+                <SelectItem value={None::<KubeWorkloadKind>}>All Types</SelectItem>
+                <SelectItem value=Some(KubeWorkloadKind::Deployment)>Deployment</SelectItem>
+                <SelectItem value=Some(KubeWorkloadKind::StatefulSet)>StatefulSet</SelectItem>
+                <SelectItem value=Some(KubeWorkloadKind::DaemonSet)>DaemonSet</SelectItem>
+                <SelectItem value=Some(KubeWorkloadKind::Pod)>Pod</SelectItem>
+                <SelectItem value=Some(KubeWorkloadKind::Job)>Job</SelectItem>
+                <SelectItem value=Some(KubeWorkloadKind::CronJob)>CronJob</SelectItem>
+            </SelectContent>
+        </Select>
+    }
+}
+
+#[component]
+pub fn NamespaceFilters(
+    namespace_select_value: RwSignal<Option<String>>,
+    cluster_id: Uuid,
+) -> impl IntoView {
+    let namespace_select_open = RwSignal::new(false);
+    let org = get_current_org();
+
+    let namespaces = LocalResource::new(move || async move {
+        get_namespaces_from_api(org, cluster_id)
+            .await
+            .unwrap_or_default()
+    });
+
+    view! {
+        <Select
+            open=namespace_select_open
+            value=namespace_select_value
+        >
+            <SelectTrigger
+                class="w-64"
+            >
+                {move || match namespace_select_value.get() {
+                    Some(ns) => ns,
+                    None => "All Namespaces".to_string(),
+                }}
+            </SelectTrigger>
+            <SelectContent
+                class="w-64"
+            >
+                <SelectSearchInput />
+                <SelectSeparator />
+                <SelectItem value={None::<String>}>All Namespaces</SelectItem>
+                <For
+                    each=move || namespaces.get().unwrap_or_default()
+                    key=|ns| ns.name.clone()
+                    children=move |namespace| {
+                        let name = namespace.name.clone();
+                        view! {
+                            <SelectItem value=Some(name.clone()) display=name.clone()>{name}</SelectItem>
+                        }
+                    }
+                />
+            </SelectContent>
+        </Select>
+    }
+}
+
+async fn create_app_catalog_api(
+    org: Signal<Option<Organization>>,
+    cluster_id: Uuid,
+    name: String,
+    description: String,
+    selected_workloads: std::collections::HashSet<WorkloadKey>,
+    filtered_workloads: Vec<KubeWorkload>,
+) -> Result<Uuid, ErrorResponse> {
+    let org = org
+        .get_untracked()
+        .ok_or_else(|| anyhow!("can't get org"))?;
+
+    let selected_workloads_data: Vec<KubeWorkload> = filtered_workloads
+        .into_iter()
+        .filter(|w| selected_workloads.contains(&WorkloadKey::from_workload(w)))
+        .collect();
+
+    if name.trim().is_empty() {
+        return Err(anyhow!("Catalog name is required"))?;
+    }
+
+    if selected_workloads_data.is_empty() {
+        return Err(anyhow!(
+            "At least one workload must be selected to create a catalog"
+        ))?;
+    }
+
+    // Convert KubeWorkload to KubeAppCatalogWorkloadCreate
+    let workloads: Vec<KubeAppCatalogWorkloadCreate> = selected_workloads_data
+        .into_iter()
+        .map(|w| KubeAppCatalogWorkloadCreate {
+            name: w.name,
+            namespace: w.namespace,
+            kind: w.kind,
+        })
+        .collect();
+
+    let client = get_hrpc_client();
+    let catalog_id = client
+        .create_app_catalog(
+            org.id,
+            cluster_id,
+            name.clone(),
+            if description.trim().is_empty() {
+                None
+            } else {
+                Some(description)
+            },
+            workloads,
+        )
+        .await??;
+
+    Ok(catalog_id)
+}
+
+async fn add_workloads_to_catalog_api(
+    org: Signal<Option<Organization>>,
+    catalog_id: Uuid,
+    selected_workloads: std::collections::HashSet<WorkloadKey>,
+    filtered_workloads: Vec<KubeWorkload>,
+) -> Result<(), ErrorResponse> {
+    let org = org
+        .get_untracked()
+        .ok_or_else(|| anyhow!("can't get org"))?;
+
+    let selected_workloads_data: Vec<KubeWorkload> = filtered_workloads
+        .into_iter()
+        .filter(|w| selected_workloads.contains(&WorkloadKey::from_workload(w)))
+        .collect();
+
+    if selected_workloads_data.is_empty() {
+        return Err(anyhow!(
+            "At least one workload must be selected to add to the catalog"
+        ))?;
+    }
+
+    // Convert KubeWorkload to KubeAppCatalogWorkloadCreate
+    let workloads: Vec<KubeAppCatalogWorkloadCreate> = selected_workloads_data
+        .into_iter()
+        .map(|w| KubeAppCatalogWorkloadCreate {
+            name: w.name,
+            namespace: w.namespace,
+            kind: w.kind,
+        })
+        .collect();
+
+    let client = get_hrpc_client();
+    client
+        .add_workloads_to_app_catalog(org.id, catalog_id, workloads)
+        .await??;
+
+    Ok(())
+}
+
+#[component]
+pub fn AppCatalogModal(
+    modal_open: RwSignal<bool>,
+    selected_workloads: RwSignal<std::collections::HashSet<WorkloadKey>>,
+    filtered_workloads: Signal<Vec<KubeWorkload>>,
+    cluster_id: Uuid,
+    catalog_id_from_url: Option<Uuid>,
+) -> impl IntoView {
+    let catalog_name = RwSignal::new_local("".to_string());
+    let catalog_description = RwSignal::new_local("".to_string());
+    let org = get_current_org();
+
+    // Load existing catalog info when adding to existing catalog
+    let existing_catalog = LocalResource::new(move || async move {
+        if let Some(catalog_id) = catalog_id_from_url {
+            get_app_catalog(org, catalog_id).await.ok()
+        } else {
+            None
+        }
+    });
+
+    let navigate = leptos_router::hooks::use_navigate();
+    let create_action = Action::new_local(move |_| {
+        let navigate = navigate.clone();
+        async move {
+            let selected = selected_workloads.get_untracked();
+            let workloads = filtered_workloads.get_untracked();
+
+            if let Some(existing_catalog_id) = catalog_id_from_url {
+                // Add to existing catalog mode
+                add_workloads_to_catalog_api(org, existing_catalog_id, selected, workloads).await?;
+
+                // Clear form and close modal
+                modal_open.set(false);
+
+                // Clear selections after successful addition
+                selected_workloads.set(std::collections::HashSet::new());
+
+                // Navigate back to the catalog workloads page
+                navigate(
+                    &format!("/kubernetes/catalogs/{existing_catalog_id}"),
+                    Default::default(),
+                );
+            } else {
+                // Create new catalog mode
+                let name = catalog_name.get_untracked();
+                let description = catalog_description.get_untracked();
+
+                let new_catalog_id =
+                    create_app_catalog_api(org, cluster_id, name, description, selected, workloads)
+                        .await?;
+
+                // Clear form and close modal
+                catalog_name.set("".to_string());
+                catalog_description.set("".to_string());
+                modal_open.set(false);
+
+                // Clear selections after successful creation
+                selected_workloads.set(std::collections::HashSet::new());
+
+                // Navigate to the created app catalog workloads page
+                navigate(
+                    &format!("/kubernetes/catalogs/{new_catalog_id}"),
+                    Default::default(),
+                );
+            }
+
+            Ok(())
+        }
+    });
+
+    view! {
+        <Modal
+            title={if catalog_id_from_url.is_some() {
+                "Add Workloads to Catalog"
+            } else {
+                "Create App Catalog"
+            }}
+            open=modal_open
+            action=create_action
+        >
+            <div class="flex flex-col gap-4">
+                // Only show name and description fields when creating new catalog
+                <Show when=move || catalog_id_from_url.is_none()>
+                    <div class="flex flex-col gap-2">
+                        <Label>Catalog Name</Label>
+                        <Input
+                            prop:value=move || catalog_name.get()
+                            on:input=move |ev| {
+                                catalog_name.set(event_target_value(&ev));
+                            }
+                            attr:placeholder="Enter catalog name"
+                            attr:required=true
+                        />
+                    </div>
+
+                    <div class="flex flex-col gap-2">
+                        <Label>Description</Label>
+                        <Textarea
+                            prop:value=move || catalog_description.get()
+                            on:input=move |ev| {
+                                catalog_description.set(event_target_value(&ev));
+                            }
+                            attr:placeholder="Describe what this app does..."
+                            class="min-h-20"
+                        />
+                    </div>
+                </Show>
+
+                // Show existing catalog info when adding to existing catalog
+                {move || {
+                    if catalog_id_from_url.is_some() {
+                        view! {
+                            <div class="flex flex-col gap-2 p-4 bg-muted rounded-lg">
+                                <P class="font-medium text-sm">Target Catalog:</P>
+                                {move || {
+                                    if let Some(catalog) = existing_catalog.get().flatten() {
+                                        view! {
+                                            <div class="space-y-2 text-sm">
+                                                <div class="flex items-center gap-2">
+                                                    <span class="font-medium">Name:</span>
+                                                    <span>{catalog.name}</span>
+                                                </div>
+                                                {if let Some(desc) = &catalog.description {
+                                                    view! {
+                                                        <div class="flex flex-col gap-1">
+                                                            <span class="font-medium">Description:</span>
+                                                            <span class="text-muted-foreground leading-relaxed">{desc.clone()}</span>
+                                                        </div>
+                                                    }.into_any()
+                                                } else {
+                                                    view! {
+                                                        <div class="text-muted-foreground text-xs">No description</div>
+                                                    }.into_any()
+                                                }}
+                                            </div>
+                                        }.into_any()
+                                    } else {
+                                        view! {
+                                            <div class="flex items-center gap-2 text-sm text-muted-foreground">
+                                                <div class="animate-spin rounded-full h-4 w-4 border-2 border-current border-t-transparent"></div>
+                                                "Loading catalog information..."
+                                            </div>
+                                        }.into_any()
+                                    }
+                                }}
+                            </div>
+                        }.into_any()
+                    } else {
+                        view! { <div></div> }.into_any()
+                    }
+                }}
+
+                <div class="flex flex-col gap-2">
+                    <Label>
+                        {move || {
+                            let count = selected_workloads.with(|s| s.len());
+                            format!("Selected Workloads ({})", count)
+                        }}
+                    </Label>
+                    <div class="h-64 overflow-y-auto border rounded p-2 bg-muted/30">
+                        {move || {
+                            let selected = selected_workloads.get();
+                            let workloads: Vec<KubeWorkload> = filtered_workloads
+                                .get()
+                                .into_iter()
+                                .filter(|w| selected.contains(&WorkloadKey::from_workload(w)))
+                                .collect();
+
+                            if workloads.is_empty() {
+                                view! {
+                                    <P class="text-sm text-muted-foreground">No workloads selected</P>
+                                }.into_any()
+                            } else {
+                                view! {
+                                    <div class="flex flex-col gap-1">
+                                        <For
+                                            each=move || workloads.clone()
+                                            key=|w| WorkloadKey::from_workload(w)
+                                            children=move |workload| {
+                                                view! {
+                                                    <div class="flex items-center gap-2 text-sm">
+                                                        <Badge variant=BadgeVariant::Outline class="text-xs">
+                                                            {format!("{:?}", workload.kind)}
+                                                        </Badge>
+                                                        <span class="font-medium">{workload.name}</span>
+                                                        <span class="text-muted-foreground">
+                                                            "in " {workload.namespace}
+                                                        </span>
+                                                    </div>
+                                                }
+                                            }
+                                        />
+                                    </div>
+                                }.into_any()
+                            }
+                        }}
+                    </div>
+                </div>
+            </div>
+        </Modal>
+    }
+}
+
+#[component]
+pub fn AppCatalogActions(
+    selected_workloads: RwSignal<HashSet<WorkloadKey>>,
+    filtered_workloads: Signal<Vec<KubeWorkload>>,
+    cluster_id: Uuid,
+    catalog_id_from_url: Option<Uuid>,
+) -> impl IntoView {
+    let modal_open = RwSignal::new(false);
+
+    let create_app_catalog = move |_| {
+        modal_open.set(true);
+    };
+
+    let clear_selections = move |_| {
+        selected_workloads.set(std::collections::HashSet::new());
+    };
+
+    view! {
+        <AppCatalogModal
+            modal_open
+            selected_workloads
+            filtered_workloads
+            cluster_id
+            catalog_id_from_url
+        />
+
+        // Action buttons row - always visible
+        {move || {
+            let selected_count = selected_workloads.with(|s| s.len());
+            let has_selections = selected_count > 0;
+
+            view! {
+                <div class="flex items-center gap-4">
+                    {if let Some(existing_catalog_id) = catalog_id_from_url {
+                        view! {
+                            <a href=format!("/kubernetes/catalogs/{}", existing_catalog_id)>
+                                <Button variant=ButtonVariant::Secondary>
+                                    <lucide_leptos::ArrowLeft />
+                                    "Back to Catalog"
+                                </Button>
+                            </a>
+                        }.into_any()
+                    } else {
+                        ().into_any()
+                    }}
+                    <Button
+                        variant=ButtonVariant::Default
+                        disabled=!has_selections
+                        on:click=create_app_catalog
+                    >
+                        <lucide_leptos::Plus />
+                        {if catalog_id_from_url.is_some() {
+                            "Add to Catalog"
+                        } else {
+                            "Create App Catalog"
+                        }}
+                    </Button>
+                    <Button
+                        variant=ButtonVariant::Outline
+                        disabled=!has_selections
+                        on:click=clear_selections
+                    >
+                        <lucide_leptos::X />
+                        "Clear Selections"
+                    </Button>
+                    <span class="text-sm text-muted-foreground">
+                        {if has_selections {
+                            format!("{} selected", selected_count)
+                        } else {
+                            "No workloads selected".to_string()
+                        }}
+                    </span>
+                </div>
+            }.into_any()
+        }}
+    }
+}
+
+#[component]
+pub fn WorkloadTable(
+    selected_workloads: RwSignal<HashSet<WorkloadKey>>,
+    filtered_workloads: Signal<Vec<KubeWorkload>>,
+    is_loading: Signal<bool>,
+    cluster_status: Signal<KubeClusterStatus>,
+) -> impl IntoView {
+    let all_selected = Signal::derive(move || {
+        let workloads = filtered_workloads.get();
+        let selected = selected_workloads.get();
+        if workloads.is_empty() {
+            false
+        } else {
+            workloads
+                .iter()
+                .all(|w| selected.contains(&WorkloadKey::from_workload(w)))
+        }
+    });
+
+    let some_selected = Signal::derive(move || {
+        let workloads = filtered_workloads.get();
+        let selected = selected_workloads.get();
+        workloads
+            .iter()
+            .any(|w| selected.contains(&WorkloadKey::from_workload(w)))
+    });
+
+    let toggle_all = move |_| {
+        let workloads = filtered_workloads.get_untracked();
+        if all_selected.get_untracked() {
+            // Unselect only the workloads currently visible in the table
+            let current_workload_keys: std::collections::HashSet<WorkloadKey> = workloads
+                .iter()
+                .map(|w| WorkloadKey::from_workload(w))
+                .collect();
+
+            selected_workloads.update(|selected| {
+                for key in &current_workload_keys {
+                    selected.remove(key);
+                }
+            });
+        } else {
+            // Select all current workloads
+            let all_keys: std::collections::HashSet<WorkloadKey> = workloads
+                .iter()
+                .map(|w| WorkloadKey::from_workload(w))
+                .collect();
+
+            selected_workloads.update(|selected| {
+                for key in all_keys {
+                    selected.insert(key);
+                }
+            });
+        }
+    };
+    view! {
+        <div class="flex flex-col gap-4">
+
+            <div class="relative rounded-lg border">
+            <Table class="table-auto">
+                <TableHeader class="bg-muted">
+                    <TableRow>
+                        <TableHead class="w-10">
+                            <div class="flex items-center justify-center">
+                                <Checkbox
+                                    prop:checked=move || all_selected.get()
+                                    prop:indeterminate=move || some_selected.get() && !all_selected.get()
+                                    on:change=toggle_all
+                                />
+                            </div>
+                        </TableHead>
+                        <TableHead>Name</TableHead>
+                        <TableHead>Namespace</TableHead>
+                        <TableHead>Kind</TableHead>
+                        <TableHead>Replicas</TableHead>
+                    </TableRow>
+                </TableHeader>
+                <TableBody>
+                    <For
+                        each=move || filtered_workloads.get()
+                        key=|w| WorkloadKey::from_workload(w)
+                        children=move |workload| {
+                            view! {
+                                <KubeResourceItem
+                                    workload=workload.clone()
+                                    selected_workloads
+                                />
+                            }
+                        }
+                    />
+                </TableBody>
+            </Table>
+
+            {move || {
+                let workload_list = filtered_workloads.get();
+                if workload_list.is_empty() && !is_loading.get() {
+                    let status = cluster_status.get();
+                    let (title, message) = match status {
+                        KubeClusterStatus::Ready => (
+                            "No Workloads Found",
+                            "No workloads match your current filters. Try adjusting your namespace or workload type filters."
+                        ),
+                        KubeClusterStatus::NotReady => (
+                            "Cluster Not Ready",
+                            "The cluster is not ready yet. Workloads will appear once the cluster is fully connected and operational."
+                        ),
+                        KubeClusterStatus::Error => (
+                            "Cluster Error",
+                            "The cluster is experiencing issues. Please check the cluster status and connection before workloads can be displayed."
+                        ),
+                        KubeClusterStatus::Provisioning => (
+                            "Cluster Provisioning",
+                            "The cluster is still being provisioned. Workloads will be available once the cluster setup is complete."
+                        ),
+                    };
+
+                    view! {
+                        <div class="flex flex-col items-center justify-center py-12 text-center">
+                            <div class="rounded-full bg-muted p-3 mb-4">
+                                <lucide_leptos::Layers />
+                            </div>
+                            <H4 class="mb-2">{title}</H4>
+                            <P class="text-muted-foreground mb-4 max-w-sm">
+                                {message}
+                            </P>
+                        </div>
+                    }.into_any()
+                } else {
+                    view! { <div></div> }.into_any()
+                }
+            }}
+
+            // Loading overlay
+            {move || {
+                if is_loading.get() {
+                    view! {
+                        <div class="absolute inset-0 bg-white/80 backdrop-blur-none flex items-center justify-center rounded-lg">
+                            <div class="flex items-center gap-3 text-sm text-muted-foreground">
+                                <div class="animate-spin rounded-full h-5 w-5 border-b-2 border-gray-900"></div>
+                                "Loading workloads..."
+                            </div>
+                        </div>
+                    }
+                        .into_any()
+                } else {
+                    view! { <div></div> }.into_any()
+                }
+            }}
+            </div>
+        </div>
+    }
+}
+
+#[component]
+pub fn WorkloadPagination(
+    workload_list: Signal<Vec<KubeWorkload>>,
+    limit_select_value: RwSignal<usize>,
+    workload_cache: RwSignal<WorkloadCache, LocalStorage>,
+    cache_offset: RwSignal<usize, LocalStorage>,
+    is_loading: Signal<bool>,
+) -> impl IntoView {
+    let limit_select_open = RwSignal::new(false);
+    view! {
+        {move || {
+            let list = workload_list.get();
+            let has_previous = cache_offset.get() > 0;
+            let has_next = workload_cache
+                .with(|c| c.has_next(cache_offset.get(), limit_select_value.get()));
+
+            view! {
+                <div class="flex items-center justify-between flex-wrap gap-4">
+                    <div class="flex items-center gap-4">
+                        <div class="text-sm text-muted-foreground">
+                            {
+                                let offset = cache_offset.get();
+                                let count = list.len();
+                                let total_count = workload_cache
+                                    .with(|c| {
+                                        if c.cursor.is_none() {
+                                            Some(c.workloads.len())
+                                        } else {
+                                            None
+                                        }
+                                    });
+                                if count > 0 {
+                                    format!(
+                                        "Showing {}-{} of {}workloads",
+                                        offset + 1,
+                                        offset + count,
+                                        if let Some(total_count) = total_count {
+                                            format!("{total_count} ")
+                                        } else {
+                                            "".to_string()
+                                        },
+                                    )
+                                } else {
+                                    "No workloads found".to_string()
+                                }
+                            }
+                        </div>
+                    </div>
+                    <div class="flex items-center gap-2">
+                        <div class="flex items-center gap-2">
+                            <span class="text-sm text-muted-foreground">"Rows per page:"</span>
+                            <div class="w-20">
+                                <Select open=limit_select_open value=limit_select_value>
+                                    <SelectTrigger class="h-8 text-sm">
+                                        {move || { limit_select_value.get().to_string() }}
+                                    </SelectTrigger>
+                                    <SelectContent>
+                                        <SelectItem value=10usize>10</SelectItem>
+                                        <SelectItem value=20usize>20</SelectItem>
+                                        <SelectItem value=50usize>50</SelectItem>
+                                        <SelectItem value=100usize>100</SelectItem>
+                                    </SelectContent>
+                                </Select>
+                            </div>
+                        </div>
+                        <Button
+                            variant=ButtonVariant::Outline
+                            size=ButtonSize::Sm
+                            disabled=!has_previous || is_loading.get()
+                            on:click=move |_| {
+                                cache_offset
+                                    .set(
+                                        cache_offset
+                                            .get_untracked()
+                                            .saturating_sub(limit_select_value.get_untracked()),
+                                    );
+                            }
+                        >
+                            <lucide_leptos::ChevronLeft />
+                            Previous
+                        </Button>
+                        <Button
+                            variant=ButtonVariant::Outline
+                            size=ButtonSize::Sm
+                            disabled=!has_next || is_loading.get()
+                            on:click=move |_| {
+                                cache_offset.set(cache_offset.get() + limit_select_value.get());
+                            }
+                        >
+                            Next
+                            <lucide_leptos::ChevronRight />
+                        </Button>
+                    </div>
+                </div>
+            }
+                .into_any()
+        }}
+    }
+}
+
+#[derive(Debug, Clone, PartialEq, Eq, Hash)]
+pub struct WorkloadKey {
+    pub namespace: String,
+    pub name: String,
+}
+
+impl WorkloadKey {
+    pub fn from_workload(workload: &KubeWorkload) -> Self {
+        Self {
+            namespace: workload.namespace.clone(),
+            name: workload.name.clone(),
+        }
+    }
+}
+
+impl std::fmt::Display for WorkloadKey {
+    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
+        write!(f, "{}_{}", self.namespace, self.name)
+    }
+}
+
+#[derive(Debug, Clone)]
+pub struct WorkloadCache {
+    workloads: Vec<KubeWorkload>,
+    cursor: Option<PaginationCursor>, // The next cursor from API response
+}
+
+impl WorkloadCache {
+    fn new(kind_filter: Option<KubeWorkloadKind>) -> Self {
+        Self {
+            workloads: vec![],
+            cursor: Some(PaginationCursor {
+                workload_kind: kind_filter.unwrap_or(KubeWorkloadKind::Deployment),
+                continue_token: None,
+            }),
+        }
+    }
+
+    fn has_next(&self, offset: usize, limit: usize) -> bool {
+        offset + limit < self.workloads.len() || self.cursor.is_some()
+    }
+
+    fn needs_more_retrieve(&self, offset: usize, limit: usize) -> bool {
+        if self.cursor.is_none() {
+            // cursor is none, which means there's no more from the api
+            return false;
+        }
+
+        self.workloads.len() < offset + limit
+    }
+
+    fn update_cache(&mut self, list: KubeWorkloadList) {
+        self.workloads.extend(list.workloads);
+        self.cursor = list.next_cursor;
+    }
+
+    fn retrieve_list(&self, offset: usize, limit: usize) -> Vec<KubeWorkload> {
+        self.workloads[offset..(offset + limit).min(self.workloads.len())].to_vec()
+    }
+}
diff --git a/crates/dashboard/src/lib.rs b/crates/dashboard/src/lib.rs
new file mode 100644
index 0000000..942137d
--- /dev/null
+++ b/crates/dashboard/src/lib.rs
@@ -0,0 +1,41 @@
+pub mod account;
+pub mod app;
+pub mod audit_log;
+pub mod cli_auth;
+pub mod cli_success;
+pub mod cluster;
+pub mod component;
+pub mod datepicker;
+pub mod git_provider;
+pub mod home;
+pub mod kube_app_catalog;
+pub mod kube_app_catalog_detail;
+pub mod kube_app_catalog_workload;
+pub mod kube_cluster;
+pub mod kube_container;
+pub mod kube_environment;
+pub mod kube_environment_detail;
+pub mod kube_environment_preview_url;
+pub mod kube_environment_workload;
+pub mod kube_resource;
+pub mod license;
+pub mod modal;
+pub mod nav;
+pub mod organization;
+pub mod project;
+pub mod quota;
+pub mod sse;
+pub mod ssh_key;
+pub mod usage;
+pub mod workspace;
+
+pub const DOCS_URL: &str = "https://lapdev.gitbook.io/docs/";
+pub const DOCS_ENVIRONMENT_PATH: &str = "how-to-guides/create-lapdev-environment";
+pub const DOCS_APP_CATALOG_PATH: &str = "how-to-guides/create-an-app-catalog";
+pub const DOCS_CLUSTER_PATH: &str = "how-to-guides/connect-your-kubernetes-cluster";
+pub const DOCS_DEVBOX_PATH: &str = "how-to-guides/local-development-with-devbox";
+
+#[inline]
+pub fn docs_url(path: &str) -> String {
+    format!("{DOCS_URL}{path}")
+}
diff --git a/lapdev-dashboard/src/license.rs b/crates/dashboard/src/license.rs
similarity index 69%
rename from lapdev-dashboard/src/license.rs
rename to crates/dashboard/src/license.rs
index 657c00a..1be28fe 100644
--- a/lapdev-dashboard/src/license.rs
+++ b/crates/dashboard/src/license.rs
@@ -2,13 +2,9 @@ use anyhow::Result;
 use chrono::{DateTime, FixedOffset};
 use gloo_net::http::Request;
 use lapdev_common::{EnterpriseLicense, NewLicense, NewLicenseKey};
-use leptos::{
-    component, create_action, create_local_resource, create_rw_signal,
-    leptos_dom::helpers::location, view, IntoView, RwSignal, SignalGet, SignalGetUntracked,
-    SignalSet, SignalUpdate, SignalWith,
-};
+use leptos::prelude::*;
 
-use crate::modal::{CreationInput, CreationModal, ErrorResponse};
+use crate::modal::{CreationInput, ErrorResponse, Modal};
 
 async fn get_license() -> Result<EnterpriseLicense> {
     let resp = Request::get("/api/v1/admin/license").send().await?;
@@ -18,11 +14,12 @@ async fn get_license() -> Result<EnterpriseLicense> {
 
 #[component]
 pub fn LicenseView() -> impl IntoView {
-    let update_counter = create_rw_signal(0);
-    let license = create_local_resource(
-        move || update_counter.get(),
-        move |_| async move { get_license().await },
-    );
+    let update_counter = RwSignal::new_local(0);
+    let license = LocalResource::new(move || async move { get_license().await });
+    Effect::new(move |_| {
+        update_counter.track();
+        license.refetch();
+    });
 
     view! {
         <div class="border-b pb-4 mb-8">
@@ -62,11 +59,11 @@ pub fn LicenseView() -> impl IntoView {
                                 <p>{ license.expires_at.to_rfc2822() }</p>
                             </div>
                         </div>
-                    }.into_view()
+                    }.into_any()
                 } else {
                     view! {
                         <p>{"You don't have a valid Enterprise License"}</p>
-                    }.into_view()
+                    }.into_any()
                 }
             }
     }
@@ -76,8 +73,8 @@ pub fn LicenseView() -> impl IntoView {
 
 async fn update_license(
     secret: String,
-    modal_hidden: RwSignal<bool>,
-    update_counter: RwSignal<i32>,
+    modal_open: RwSignal<bool>,
+    update_counter: RwSignal<i32, LocalStorage>,
 ) -> Result<(), ErrorResponse> {
     let resp = Request::put("/api/v1/admin/license")
         .json(&NewLicenseKey { key: secret })?
@@ -94,7 +91,7 @@ async fn update_license(
         return Err(error);
     }
 
-    modal_hidden.set(true);
+    modal_open.set(false);
     update_counter.update(|c| *c += 1);
     let _ = location().reload();
 
@@ -102,22 +99,28 @@ async fn update_license(
 }
 
 #[component]
-pub fn UpdateLicenseView(update_counter: RwSignal<i32>) -> impl IntoView {
-    let modal_hidden = create_rw_signal(true);
-    let secret = create_rw_signal(String::new());
-    let body = view! {
-        <CreationInput label="New License Key".to_string() value=secret placeholder="".to_string() />
-    };
-    let action = create_action(move |_| update_license(secret.get(), modal_hidden, update_counter));
+pub fn UpdateLicenseView(update_counter: RwSignal<i32, LocalStorage>) -> impl IntoView {
+    let modal_open = RwSignal::new(false);
+    let secret = RwSignal::new_local(String::new());
+    let action =
+        Action::new_local(move |_| update_license(secret.get(), modal_open, update_counter));
     view! {
         <button
             type="button"
             class="flex items-center justify-center px-4 py-2 text-sm font-medium text-white rounded-lg bg-blue-700 hover:bg-blue-800 focus:ring-4 focus:ring-blue-300 focus:outline-none"
-            on:click=move |_| modal_hidden.set(false)
+            on:click=move |_| modal_open.set(true)
         >
             Update Enterprise License
         </button>
-        <CreationModal title="Update Enterprise License".to_string() modal_hidden body action update_text=None updating_text=None  width_class=None create_button_hidden=Box::new(|| false) />
+        <Modal
+            title="Update Enterprise License"
+            open=modal_open
+            action
+            action_text="Update"
+            action_progress_text="Updating"
+        >
+            <CreationInput label="New License Key".to_string() value=secret placeholder="".to_string() />
+        </Modal>
     }
 }
 
@@ -170,18 +173,12 @@ async fn sign_new_license(
 
 #[component]
 pub fn SignLicenseView() -> impl IntoView {
-    let secret = create_rw_signal(String::new());
-    let expires_at = create_rw_signal(String::new());
-    let users = create_rw_signal(String::new());
-    let hostname = create_rw_signal(String::new());
-    let modal_hidden = create_rw_signal(true);
-    let body = view! {
-        <CreationInput label="Signing Secret".to_string() value=secret placeholder="".to_string() />
-        <CreationInput label="Expires".to_string() value=expires_at placeholder="".to_string() />
-        <CreationInput label="Users".to_string() value=users placeholder="".to_string() />
-        <CreationInput label="Hostname".to_string() value=hostname placeholder="".to_string() />
-    };
-    let action = create_action(move |_| {
+    let secret = RwSignal::new_local(String::new());
+    let expires_at = RwSignal::new_local(String::new());
+    let users = RwSignal::new_local(String::new());
+    let hostname = RwSignal::new_local(String::new());
+    let modal_open = RwSignal::new(false);
+    let action = Action::new_local(move |_| {
         sign_new_license(
             secret.get_untracked(),
             expires_at.get_untracked(),
@@ -198,10 +195,19 @@ pub fn SignLicenseView() -> impl IntoView {
         <button
             type="button"
             class="flex items-center justify-center px-4 py-2 text-sm font-medium text-white rounded-lg bg-blue-700 hover:bg-blue-800 focus:ring-4 focus:ring-blue-300 focus:outline-none"
-            on:click=move |_| modal_hidden.set(false)
+            on:click=move |_| modal_open.set(true)
         >
             Sign New License
         </button>
-        <CreationModal title="Sign Enterprise License".to_string() modal_hidden body action update_text=Some("Create".to_string()) updating_text=Some("Creating".to_string()) width_class=None create_button_hidden=Box::new(|| false) />
+        <Modal
+            title="Sign Enterprise License"
+            open=modal_open
+            action
+        >
+            <CreationInput label="Signing Secret".to_string() value=secret placeholder="".to_string() />
+            <CreationInput label="Expires".to_string() value=expires_at placeholder="".to_string() />
+            <CreationInput label="Users".to_string() value=users placeholder="".to_string() />
+            <CreationInput label="Hostname".to_string() value=hostname placeholder="".to_string() />
+        </Modal>
     }
 }
diff --git a/crates/dashboard/src/main.rs b/crates/dashboard/src/main.rs
new file mode 100644
index 0000000..eed5c06
--- /dev/null
+++ b/crates/dashboard/src/main.rs
@@ -0,0 +1,14 @@
+use lapdev_dashboard::app::App;
+use leptos::{mount::mount_to_body, view};
+
+pub fn main() {
+    leptos::prelude::document()
+        .body()
+        .unwrap()
+        .set_inner_html("");
+    mount_to_body(move || {
+        view! {
+            <App />
+        }
+    })
+}
diff --git a/crates/dashboard/src/modal.rs b/crates/dashboard/src/modal.rs
new file mode 100644
index 0000000..e5ef9a9
--- /dev/null
+++ b/crates/dashboard/src/modal.rs
@@ -0,0 +1,386 @@
+use anyhow::Result;
+use chrono::{DateTime, FixedOffset};
+use leptos::prelude::*;
+use serde::Deserialize;
+
+use crate::component::{
+    alert::{Alert, AlertDescription, AlertTitle, AlertVariant},
+    alert_dialog::{
+        AlertDialogContent, AlertDialogDescription, AlertDialogFooter, AlertDialogHeader,
+        AlertDialogTitle,
+    },
+    button::{Button, ButtonVariant},
+    dialog::{DialogContent, DialogFooter, DialogHeader, DialogTitle},
+    hover_card::{HoverCard, HoverCardContent, HoverCardPlacement, HoverCardTrigger},
+    icon,
+    input::Input,
+    label::Label,
+};
+
+#[derive(Debug, Deserialize, Clone)]
+pub struct ErrorResponse {
+    pub error: String,
+}
+
+impl<E> From<E> for ErrorResponse
+where
+    E: Into<anyhow::Error>,
+{
+    fn from(err: E) -> Self {
+        let err: anyhow::Error = err.into();
+        Self {
+            error: err.to_string(),
+        }
+    }
+}
+
+#[component]
+pub fn CreationInput(
+    label: String,
+    value: RwSignal<String, LocalStorage>,
+    placeholder: String,
+) -> impl IntoView {
+    view! {
+        <div class="flex flex-col gap-2">
+            <Label>{label}</Label>
+            <Input
+                prop:value=move || value.get()
+                on:input=move |ev| {
+                    value.set(event_target_value(&ev));
+                }
+                attr:placeholder=placeholder
+            />
+        </div>
+    }
+}
+
+#[component]
+pub fn Modal(
+    #[prop()] open: RwSignal<bool>,
+    action: Action<(), Result<(), ErrorResponse>>,
+    #[prop(into)] title: MaybeProp<String>,
+    #[prop(into, optional)] hide_action: MaybeProp<bool>,
+    #[prop(into, optional)] action_text: MaybeProp<String>,
+    #[prop(into, optional)] action_progress_text: MaybeProp<String>,
+    #[prop(into, optional)] class: MaybeProp<String>,
+    #[prop(optional)] children: Option<ChildrenFn>,
+) -> impl IntoView {
+    let error = RwSignal::new_local(None);
+
+    let owner = RwSignal::new(Owner::new());
+    let handle_action = move |_| {
+        error.set(None);
+        owner.get_untracked().with(move || {
+            action.dispatch(());
+        });
+    };
+
+    let action_pending = action.pending();
+    Effect::new(move |_| {
+        open.track();
+        error.set(None);
+    });
+    Effect::new(move |_| {
+        action.value().with(|result| {
+            if let Some(result) = result {
+                match result {
+                    Ok(_) => {}
+                    Err(e) => {
+                        error.set(Some(e.error.clone()));
+                    }
+                }
+            }
+        })
+    });
+
+    view! {
+        <DialogContent class open>
+            <DialogHeader>
+                <DialogTitle class="text-wrap">{move || title.get()}</DialogTitle>
+            </DialogHeader>
+            <div class="py-4 gap-4 flex flex-col sm:min-w-116 max-w-full">
+                {move || {
+                    if let Some(error) = error.get() {
+                        view! {
+                            <Alert variant=AlertVariant::Destructive>
+                                <lucide_leptos::CircleAlert />
+                                <AlertTitle>Error</AlertTitle>
+                                <AlertDescription class="text-wrap">{error}</AlertDescription>
+                            </Alert>
+                        }
+                            .into_any()
+                    } else {
+                        ().into_any()
+                    }
+                }} {children.clone().map(|c| c().into_any()).unwrap_or_else(|| ().into_any())}
+            </div>
+            <DialogFooter>
+                <Show when=move || { hide_action.get() != Some(true) } fallback=|| ()>
+                    <Button disabled=action_pending on:click=handle_action>
+                        {move || {
+                            if action_pending.get() {
+                                view! { <icon::LoaderCircle class="animate-spin" /> }.into_any()
+                            } else {
+                                ().into_any()
+                            }
+                        }}
+                        {move || {
+                            if action_pending.get() {
+                                action_progress_text.get().unwrap_or_else(|| "Creating".to_string())
+                            } else {
+                                action_text.get().unwrap_or_else(|| "Create".to_string())
+                            }
+                        }}
+                    </Button>
+                </Show>
+                <Button
+                    variant=ButtonVariant::Outline
+                    disabled=action_pending
+                    on:click=move |_| open.set(false)
+                >
+                    Cancel
+                </Button>
+            </DialogFooter>
+        </DialogContent>
+    }
+}
+
+#[component]
+pub fn DeleteModal(
+    #[prop()] open: RwSignal<bool>,
+    delete_action: Action<(), Result<(), ErrorResponse>>,
+    #[prop(into)] resource: MaybeProp<String>,
+) -> impl IntoView {
+    let error = RwSignal::new_local(None);
+
+    let owner = RwSignal::new(Owner::new());
+    let handle_delete = move |_| {
+        error.set(None);
+        owner.get_untracked().with(move || {
+            delete_action.dispatch(());
+        });
+    };
+
+    let delete_pending = delete_action.pending();
+    Effect::new(move |_| {
+        delete_action.value().with(|result| {
+            if let Some(result) = result {
+                match result {
+                    Ok(_) => {}
+                    Err(e) => {
+                        error.set(Some(e.error.clone()));
+                    }
+                }
+            }
+        })
+    });
+
+    Effect::new(move |_| {
+        open.track();
+        error.set(None);
+    });
+
+    view! {
+        <AlertDialogContent open>
+            <AlertDialogHeader>
+                <AlertDialogTitle class="text-wrap">
+                    {format!(
+                        "Are you sure you want to delete {}",
+                        resource.get().unwrap_or_default(),
+                    )}
+                </AlertDialogTitle>
+            </AlertDialogHeader>
+            <div class="pb-4 gap-4 flex flex-col">
+                <AlertDialogDescription>
+                    {"This action cannot be undone. It will permanently delete your resource."}
+                </AlertDialogDescription>
+                {move || {
+                    if let Some(error) = error.get() {
+                        view! {
+                            <Alert variant=AlertVariant::Destructive>
+                                <lucide_leptos::CircleAlert />
+                                <AlertTitle>Error</AlertTitle>
+                                <AlertDescription class="text-wrap">{error}</AlertDescription>
+                            </Alert>
+                        }
+                            .into_any()
+                    } else {
+                        ().into_any()
+                    }
+                }}
+            </div>
+            <AlertDialogFooter>
+                <Button disabled=delete_pending on:click=handle_delete>
+                    {move || {
+                        if delete_pending.get() {
+                            view! { <icon::LoaderCircle class="animate-spin" /> }.into_any()
+                        } else {
+                            ().into_any()
+                        }
+                    }}
+                    {move || if delete_pending.get() { "Deleting" } else { "Delete" }}
+                </Button>
+                <Button
+                    variant=ButtonVariant::Outline
+                    disabled=delete_pending
+                    on:click=move |_| open.set(false)
+                >
+                    Cancel
+                </Button>
+            </AlertDialogFooter>
+        </AlertDialogContent>
+    }
+}
+
+#[component]
+pub fn DatetimeModal(time: DateTime<FixedOffset>) -> impl IntoView {
+    let offset = web_sys::js_sys::Date::new_0().get_timezone_offset();
+    let time = if let Some(offset) = FixedOffset::west_opt((offset * 60.0) as i32) {
+        time.to_utc().with_timezone(&offset)
+    } else {
+        time
+    };
+
+    let open = RwSignal::new(false);
+    let duration = chrono::Utc::now() - time.with_timezone(&chrono::Utc);
+    let days = duration.num_days();
+    let formatted = move || {
+        if days > 365 {
+            let unit = days / 365;
+            format!("{} year{} ago", unit, if unit > 1 { "s" } else { "" })
+        } else if days > 30 {
+            let unit = days / 30;
+            format!("{} month{} ago", unit, if unit > 1 { "s" } else { "" })
+        } else if days > 7 {
+            let unit = days / 7;
+            format!("{} week{} ago", unit, if unit > 1 { "s" } else { "" })
+        } else if days > 0 {
+            let unit = days;
+            format!("{} day{} ago", unit, if unit > 1 { "s" } else { "" })
+        } else {
+            let hours = duration.num_hours();
+            if hours > 0 {
+                format!("{hours} hour{} ago", if hours > 1 { "s" } else { "" })
+            } else {
+                let minutes = duration.num_minutes();
+                if minutes > 0 {
+                    format!("{minutes} minute{} ago", if minutes > 1 { "s" } else { "" })
+                } else {
+                    format!("{} seconds ago", duration.num_seconds())
+                }
+            }
+        }
+    };
+    view! {
+        <HoverCard open>
+            <HoverCardTrigger placement=HoverCardPlacement::TopLeft>
+                <span>{formatted}</span>
+            </HoverCardTrigger>
+            <HoverCardContent class="w-auto -translate-y-2">
+                <span class="text-nowrap">{format!("{}", time.format("%Y-%m-%d %H:%M:%S"))}</span>
+            </HoverCardContent>
+        </HoverCard>
+    }
+}
+
+#[component]
+pub fn SettingView<T>(
+    title: String,
+    action: Action<(), Result<(), ErrorResponse>>,
+    body: T,
+    update_counter: RwSignal<i32, LocalStorage>,
+    extra: Option<AnyView>,
+) -> impl IntoView
+where
+    T: IntoView + 'static,
+{
+    let success = RwSignal::new_local(None);
+    let error = RwSignal::new_local(None);
+    let handle_save = move |_| {
+        success.set(None);
+        error.set(None);
+        action.dispatch(());
+    };
+    let save_pending = action.pending();
+
+    Effect::new(move |_| {
+        action.value().with(|result| {
+            if let Some(result) = result {
+                match result {
+                    Ok(_) => {
+                        update_counter.update(|c| *c += 1);
+                        success.set(Some("Saved successfully"));
+                    }
+                    Err(e) => {
+                        error.set(Some(e.error.clone()));
+                    }
+                }
+            }
+        })
+    });
+
+    view! {
+        {if title.is_empty() {
+            ().into_any()
+        } else {
+            view! { <h5 class="text-lg font-semibold">{title}</h5> }.into_any()
+        }}
+        {body}
+        <div class="mt-4 flex flex-col gap-4 items-start">
+            <div class="flex flex-row items-center gap-2">
+                <Button attr:disabled=move || save_pending.get() on:click=handle_save>
+                    {move || {
+                        if save_pending.get() {
+                            view! { <icon::LoaderCircle class="animate-spin" /> }.into_any()
+                        } else {
+                            ().into_any()
+                        }
+                    }}
+                    {move || if save_pending.get() { "Saving" } else { "Save" }}
+                </Button>
+                {if let Some(extra) = extra { extra.into_any() } else { ().into_any() }}
+            </div>
+            {move || {
+                if let Some(error) = error.get() {
+                    view! {
+                        <Alert variant=AlertVariant::Destructive
+                        class="w-auto"
+                        >
+                            <lucide_leptos::CircleAlert />
+                            // <AlertTitle>Error</AlertTitle>
+                            <AlertTitle>
+                            {error}
+                            </AlertTitle>
+                        </Alert>
+                    }
+                        .into_any()
+                } else {
+                    ().into_any()
+                }
+            }}
+            {move || {
+                if let Some(success) = success.get() {
+                        view! {
+                            <Alert variant=AlertVariant::Default
+                            class="w-auto"
+                            >
+                                <lucide_leptos::CircleCheck />
+                                // <AlertTitle>Error</AlertTitle>
+                                <AlertTitle>
+                                {success}
+                                </AlertTitle>
+                            </Alert>
+                        }
+                    // view! {
+                    //     <div class="ml-4 py-2 px-4 rounded-lg bg-green-50">
+                    //         <span class="text-sm font-medium text-green-800">{success}</span>
+                    //     </div>
+                    // }
+                        .into_any()
+                } else {
+                    ().into_any()
+                }
+            }}
+        </div>
+    }
+}
diff --git a/lapdev-dashboard/src/nav.rs b/crates/dashboard/src/nav.rs
similarity index 76%
rename from lapdev-dashboard/src/nav.rs
rename to crates/dashboard/src/nav.rs
index 8775479..0e0bf02 100644
--- a/lapdev-dashboard/src/nav.rs
+++ b/crates/dashboard/src/nav.rs
@@ -1,28 +1,32 @@
 use std::time::Duration;
 
-use lapdev_common::{console::MeUser, ClusterInfo, UserRole};
-use leptos::{
-    component, create_rw_signal, document, expect_context, set_timeout, use_context, view,
-    IntoView, Resource, RwSignal, Signal, SignalGet, SignalGetUntracked, SignalSet, SignalUpdate,
-    SignalWith,
-};
-use leptos_router::use_location;
+use lapdev_common::{console::MeUser, UserRole};
+use leptos::prelude::*;
+use leptos_router::hooks::use_location;
 use wasm_bindgen::{JsCast, UnwrapThrowExt};
 use web_sys::FocusEvent;
 
-use crate::{account::NavUserControl, app::AppConfig, organization::OrgSelector};
+use crate::{
+    account::NavUserControl,
+    app::AppConfig,
+    cluster::get_cluster_info,
+    component::badge::{Badge, BadgeVariant},
+    organization::OrgSelector,
+    DOCS_URL,
+};
 
 #[derive(Clone, Copy)]
 pub struct NavExpanded {
     pub orgnization: RwSignal<bool>,
     pub account: RwSignal<bool>,
+    pub k8s_environments: RwSignal<bool>,
 }
 
 #[component]
 pub fn TopNav() -> impl IntoView {
-    let login = use_context::<Resource<i32, Option<MeUser>>>().unwrap();
-    let config = use_context::<RwSignal<AppConfig>>().unwrap();
-    let user_control_hidden = create_rw_signal(true);
+    let login = use_context::<LocalResource<Option<MeUser>>>().unwrap();
+    let config = use_context::<AppConfig>().unwrap();
+    let user_control_hidden = RwSignal::new_local(true);
     let toggle_user_control = move |_| {
         if user_control_hidden.get_untracked() {
             user_control_hidden.set(false);
@@ -58,15 +62,23 @@ pub fn TopNav() -> impl IntoView {
 
     view! {
         <nav class="bg-white border-b border-gray-200 left-0 right-0 top-0 z-50">
-            <div class="container mx-auto px-8 py-4 flex flex-wrap justify-between items-center">
+            <div class="px-8 py-4 flex flex-wrap justify-between items-center">
                 <div class="flex justify-start items-center">
-                    <a href="/" class="flex items-center justify-between mr-4">
-                        <svg class="w-10 h-10 mr-4" xmlns="http://www.w3.org/2000/svg" fill="currentColor" viewBox="0 0 1024 1024">
+                    <a href="/" class="flex items-center gap-3 mr-4">
+                        <svg class="w-10 h-10" xmlns="http://www.w3.org/2000/svg" fill="currentColor" viewBox="0 0 1024 1024">
                             <path d="M512 0C390.759 0 279.426 42.2227 191.719 112.656L191.719 612L351.719 612L351.719 332L422 332L431.719 332L431.719 332.344C488.169 334.127 541.249 351.138 581.875 380.625C627.591 413.806 654.875 460.633 654.875 512C654.875 563.367 627.591 610.194 581.875 643.375C541.249 672.862 488.169 689.873 431.719 691.656L431.719 1017.69C457.88 1021.81 484.68 1024 512 1024C794.77 1024 1024 794.77 1024 512C1024 229.23 794.77 0 512 0ZM111.719 192.906C41.8539 280.432 0 391.303 0 512C0 738.766 147.487 930.96 351.719 998.25L351.719 692L151.719 692L151.719 691.844L111.719 691.844L111.719 192.906ZM738.219 372C741.597 372.107 745.042 373.02 748.312 374.812L946.281 483.312C952.311 486.616 956.692 492.393 959.188 499.156C959.821 500.874 960.317 502.641 960.688 504.469C960.764 504.834 960.841 505.196 960.906 505.562C961.12 506.807 961.225 508.071 961.312 509.344C961.378 510.235 961.498 511.112 961.5 512C961.498 512.888 961.378 513.765 961.312 514.656C961.226 515.929 961.12 517.193 960.906 518.438C960.841 518.804 960.764 519.166 960.688 519.531C960.317 521.359 959.821 523.126 959.188 524.844C956.692 531.608 952.311 537.384 946.281 540.688L748.312 649.188C735.232 656.355 719.818 649.367 713.875 633.594C707.932 617.82 713.7 599.23 726.781 592.062L872.875 512L726.781 431.938C713.7 424.771 707.932 406.18 713.875 390.406C718.332 378.576 728.085 371.678 738.219 372ZM431.719 412.344L431.719 611.656C513.56 608.208 574.875 561.985 574.875 512C574.875 462.015 513.56 415.792 431.719 412.344Z" />
                             <path d="M742 403.688C740.062 403.483 738.097 404.438 737.094 406.25C735.756 408.666 736.615 411.694 739.031 413.031L925.719 516.375C928.135 517.712 931.194 516.822 932.531 514.406C933.869 511.99 932.979 508.962 930.562 507.625L743.875 404.281C743.271 403.947 742.646 403.756 742 403.688Z" />
                             <path d="M927.5 507.031C926.856 507.115 926.221 507.339 925.625 507.688L738.938 616.906C736.554 618.301 735.762 621.335 737.156 623.719C738.551 626.102 741.616 626.926 744 625.531L930.688 516.312C933.071 514.918 933.863 511.852 932.469 509.469C931.423 507.681 929.432 506.78 927.5 507.031Z" />
                         </svg>
-                        <span class="self-center text-2xl font-semibold whitespace-nowrap">Lapdev</span>
+                        <div class="flex items-center gap-2">
+                            <span class="self-center text-2xl font-semibold whitespace-nowrap">Lapdev</span>
+                            <Badge
+                                variant=BadgeVariant::Secondary
+                                class="text-[10px] uppercase tracking-wide"
+                            >
+                                "Public beta"
+                            </Badge>
+                        </div>
                     </a>
                 </div>
         <div class="flex flex-row items-center">
@@ -74,14 +86,14 @@ pub fn TopNav() -> impl IntoView {
                 class="font-medium flex flex-row space-x-8 mr-8"
             >
                 <li
-                    class:hidden=move || !config.get().show_lapdev_website
+                    class:hidden=move || !config.show_lapdev_website.get()
                 >
                     <a href="https://lap.dev/">Home</a>
                 </li>
                 <li
-                    class:hidden=move || !config.get().show_lapdev_website
+                    class:hidden=move || !config.show_lapdev_website.get()
                 >
-                    <a href="https://docs.lap.dev/">Docs</a>
+                    <a href=DOCS_URL target="_blank" rel="noopener noreferrer">Docs</a>
                 </li>
                 <li
                     class:hidden=move || !login.with(|l| l.as_ref().and_then(|l| l.as_ref().map(|l| l.cluster_admin))).unwrap_or(false)
@@ -109,7 +121,7 @@ pub fn TopNav() -> impl IntoView {
                 <span class="sr-only">Open user menu</span>
                 <img
                 class="w-8 h-8 rounded-full"
-                src=move ||  { login.get().flatten().and_then(|l| l.avatar_url).unwrap_or("https://flowbite.s3.amazonaws.com/blocks/marketing-ui/avatars/michael-gough.png".to_string()) }
+                src=move ||  { login.get().flatten().and_then(|l| l.avatar_url.clone()).unwrap_or("https://flowbite.s3.amazonaws.com/blocks/marketing-ui/avatars/michael-gough.png".to_string()) }
                 alt="user photo"
                 />
             </button>
@@ -125,8 +137,14 @@ pub fn TopNav() -> impl IntoView {
 
 #[component]
 pub fn SideNavMain() -> impl IntoView {
+    let nav_expanded: NavExpanded = expect_context();
     view! {
         <ul class="space-y-2">
+            <li>
+                <a href="/" class="flex items-center p-2 text-base font-normal text-gray-900 rounded-lg hover:bg-gray-100 group">
+                    <span class="ml-3">Dashboard</span>
+                </a>
+            </li>
             <li>
                 <a href="/workspaces" class="flex items-center p-2 text-base font-normal text-gray-900 rounded-lg hover:bg-gray-100 group">
                     <span class="ml-3">Workspaces</span>
@@ -137,6 +155,52 @@ pub fn SideNavMain() -> impl IntoView {
                     <span class="ml-3">Projects</span>
                 </a>
             </li>
+            <li>
+                <a href="/kubernetes/clusters" class="flex items-center p-2 text-base font-normal text-gray-900 rounded-lg hover:bg-gray-100 group">
+                    <span class="ml-3">K8s Clusters</span>
+                </a>
+            </li>
+            <li>
+                <a href="#" class="flex items-center justify-between p-2 text-base font-normal text-gray-900 rounded-lg transition duration-75 hover:bg-gray-100 group"
+                    on:click=move |_| nav_expanded.k8s_environments.update(|expanded| *expanded = !*expanded)
+                >
+                    <span class="ml-3">Dev Environments</span>
+                    <svg class="w-3 h-3"  xmlns="http://www.w3.org/2000/svg" fill="none" viewBox="0 0 6 10"
+                        class:hidden=move || nav_expanded.k8s_environments.get()
+                    >
+                        <path stroke="currentColor" stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="m1 9 4-4-4-4"/>
+                    </svg>
+                    <svg class="w-3 h-3"  xmlns="http://www.w3.org/2000/svg" fill="none" viewBox="0 0 10 6"
+                        class:hidden=move || !nav_expanded.k8s_environments.get()
+                    >
+                        <path stroke="currentColor" stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="m1 1 4 4 4-4"/>
+                    </svg>
+                </a>
+            </li>
+
+            <li
+                class:hidden=move || !nav_expanded.k8s_environments.get()
+            >
+                <a href="/kubernetes/environments/personal" class="flex items-center p-2 text-base font-normal text-gray-900 rounded-lg transition duration-75 hover:bg-gray-100 group">
+                    <span class="ml-8">Personal</span>
+                </a>
+            </li>
+
+            <li
+                class:hidden=move || !nav_expanded.k8s_environments.get()
+            >
+                <a href="/kubernetes/environments/shared" class="flex items-center p-2 text-base font-normal text-gray-900 rounded-lg transition duration-75 hover:bg-gray-100 group">
+                    <span class="ml-8">Shared</span>
+                </a>
+            </li>
+
+            <li
+                class:hidden=move || !nav_expanded.k8s_environments.get()
+            >
+                <a href="/kubernetes/environments/branch" class="flex items-center p-2 text-base font-normal text-gray-900 rounded-lg transition duration-75 hover:bg-gray-100 group">
+                    <span class="ml-8">Branch</span>
+                </a>
+            </li>
         </ul>
     }
 }
@@ -183,9 +247,9 @@ pub fn SideNavAccount() -> impl IntoView {
 
 #[component]
 pub fn SideNavOrg() -> impl IntoView {
-    let cluster_info = expect_context::<Signal<Option<ClusterInfo>>>();
+    let cluster_info = get_cluster_info();
     let nav_expanded: NavExpanded = expect_context();
-    let login = use_context::<Resource<i32, Option<MeUser>>>().unwrap();
+    let login = use_context::<LocalResource<Option<MeUser>>>().unwrap();
     let role = Signal::derive(move || {
         let role = login.with(|l| {
             l.as_ref()
@@ -313,11 +377,11 @@ pub fn SideNavOrg() -> impl IntoView {
 }
 
 #[component]
-pub fn SideNav(new_org_modal_hidden: RwSignal<bool>) -> impl IntoView {
+pub fn SideNav() -> impl IntoView {
     view! {
         <aside class="top-0 left-0 z-40 w-64 h-full transition-transform -translate-x-full sm:translate-x-0" aria-label="Sidenav">
             <div class="overflow-y-auto py-5 px-3 h-full bg-white border-r border-gray-200">
-                <OrgSelector new_org_modal_hidden />
+                <OrgSelector />
                 <SideNavMain />
                 <ul class="pt-5 mt-5 space-y-2 border-t border-gray-200">
                     <SideNavAccount />
diff --git a/crates/dashboard/src/organization.rs b/crates/dashboard/src/organization.rs
new file mode 100644
index 0000000..e7f92e7
--- /dev/null
+++ b/crates/dashboard/src/organization.rs
@@ -0,0 +1,1211 @@
+use std::{str::FromStr, time::Duration};
+
+use anyhow::{anyhow, Result};
+use gloo_net::http::Request;
+use lapdev_common::{
+    console::{MeUser, Organization, OrganizationMember},
+    NewOrganization, UpdateOrganizationAutoStartStop, UpdateOrganizationMember,
+    UpdateOrganizationName, UserRole,
+};
+use leptos::{leptos_dom::logging::console_log, prelude::*};
+use uuid::Uuid;
+use wasm_bindgen::{JsCast, UnwrapThrowExt};
+use web_sys::FocusEvent;
+
+use crate::{
+    cluster::get_cluster_info,
+    component::{
+        button::{Button, ButtonVariant},
+        dialog::DialogTrigger,
+        dropdown_menu::{
+            DropdownMenu, DropdownMenuContent, DropdownMenuItem, DropdownMenuLabel,
+            DropdownMenuSeparator, DropdownMenuTrigger, DropdownPlacement,
+        },
+        input::Input,
+        label::Label,
+        sidebar::{SidebarButtonSize, SidebarMenu, SidebarMenuButton},
+    },
+    modal::{DatetimeModal, DeleteModal, ErrorResponse, Modal, SettingView},
+};
+
+async fn create_org(name: RwSignal<String, LocalStorage>) -> Result<(), ErrorResponse> {
+    let org_name = name.get_untracked();
+    let resp = Request::post("/api/v1/organizations")
+        .json(&NewOrganization { name: org_name })?
+        .send()
+        .await?;
+    if resp.status() != 200 {
+        let error = resp
+            .json::<ErrorResponse>()
+            .await
+            .unwrap_or_else(|_| ErrorResponse {
+                error: "Internal Server Error".to_string(),
+            });
+        return Err(error);
+    }
+    let _resp: Organization = resp.json().await?;
+
+    let _ = window().location().set_href("/");
+
+    Ok(())
+}
+
+async fn switch_org(org_id: String) -> Result<()> {
+    let _ = Request::put(&format!("/api/private/me/organization/{org_id}"))
+        .send()
+        .await;
+    let _ = window().location().set_href("/");
+    Ok(())
+}
+
+pub fn get_current_org() -> Signal<Option<Organization>> {
+    let current_org = use_context::<Signal<Option<Organization>, LocalStorage>>();
+    Signal::derive(move || current_org.and_then(|org| org.get()))
+}
+
+#[component]
+pub fn OrgSelector() -> impl IntoView {
+    let menu_open = RwSignal::new(false);
+    let new_org_dialog_open = RwSignal::new(false);
+    let login = use_context::<LocalResource<Option<MeUser>>>().unwrap();
+
+    let org_name = RwSignal::new_local("".to_string());
+    let action = Action::new_local(move |_| create_org(org_name));
+
+    view! {
+        <SidebarMenu>
+            <DropdownMenu open=menu_open>
+                <DropdownMenuTrigger
+                    open=menu_open
+                    placement=DropdownPlacement::RightTop
+                >
+                    <SidebarMenuButton
+                        size=SidebarButtonSize::Lg
+                        class="data-[state=open]:bg-sidebar-accent data-[state=open]:text-sidebar-accent-foreground"
+                    >
+                        <div class="flex aspect-square size-8 items-center justify-center rounded-lg bg-sidebar-primary text-sidebar-primary-foreground">
+                            {move || {
+                                login
+                                    .get()
+                                    .flatten()
+                                    .and_then(|l| l.organization.name.chars().next())
+                                    .unwrap_or('P')
+                            }}
+                        </div>
+                        <div class="grid flex-1 text-left text-sm leading-tight">
+                            <span class="truncate font-semibold">
+                                {move || {
+                                    login
+                                        .get()
+                                        .flatten()
+                                        .map(|l| l.organization.name.clone())
+                                        .unwrap_or_else(|| "Personal".to_string())
+                                }}
+                            </span>
+                        </div>
+                        <lucide_leptos::ChevronsUpDown />
+                    </SidebarMenuButton>
+                </DropdownMenuTrigger>
+                <DropdownMenuContent
+                    open=menu_open.read_only()
+                    class="w-56 min-w-56 max-w-56 rounded-lg"
+                >
+                    <DropdownMenuLabel class="text-xs text-muted-foreground">
+                        Switch Organization
+                    </DropdownMenuLabel>
+
+                    <For
+                        each=move || {
+                            login
+                                .get()
+                                .flatten()
+                                .map(|l| {
+                                    let mut orgs = l.all_organizations.clone();
+                                    orgs.retain(|o| o.id != l.organization.id);
+                                    orgs
+                                })
+                                .unwrap_or_default()
+                        }
+                        key=|o| o.id
+                        children=move |org| {
+                            view! {
+                                <DropdownMenuItem
+                                    class="cursor-pointer"
+                                    on:click=move |_| {
+                                        Action::new_local(move |org_id: &String| switch_org(
+                                                org_id.clone(),
+                                            ))
+                                            .dispatch(org.id.to_string());
+                                    }
+                                >
+                                    <div class="flex aspect-square size-6 items-center justify-center rounded-sm bg-sidebar-primary text-sidebar-primary-foreground">
+                                        {org.name.chars().next().unwrap_or('O')}
+                                    </div>
+                                    <span class="truncate">{org.name}</span>
+                                </DropdownMenuItem>
+                            }
+                        }
+                    />
+
+                    <DropdownMenuSeparator />
+                    <DialogTrigger on:click=move |_| menu_open.set(false) open=new_org_dialog_open>
+                        <DropdownMenuItem class="cursor-pointer">
+                            <lucide_leptos::Plus />
+                            Create New Organization
+                        </DropdownMenuItem>
+                    </DialogTrigger>
+                </DropdownMenuContent>
+            </DropdownMenu>
+            <Modal title="Create New Organization" open=new_org_dialog_open action>
+                <div class="flex flex-col gap-2">
+                    <Label>Your Organization Name</Label>
+                    <Input
+                        prop:value=move || org_name.get()
+                        on:input=move |ev| {
+                            org_name.set(event_target_value(&ev));
+                        }
+                        {..}
+                        required=true
+                    />
+                </div>
+            </Modal>
+        </SidebarMenu>
+    }
+}
+
+#[component]
+pub fn NewOrgModal(modal_hidden: RwSignal<bool, LocalStorage>) -> impl IntoView {
+    let org_name = RwSignal::new_local("".to_string());
+    let action = Action::new_local(move |_| create_org(org_name));
+    let handle_create_org = move |_| {
+        action.dispatch(());
+    };
+    let create_pending = action.pending();
+    view! {
+        <div
+            id="default-modal"
+            tabindex="-1"
+            aria-hidden="true"
+            class="bg-gray-900/50 flex overflow-y-auto overflow-x-hidden fixed top-0 right-0 left-0 z-50 justify-center items-center w-full h-full"
+            class:hidden=move || modal_hidden.get()
+            on:click=move |_| modal_hidden.set(true)
+        >
+            <div
+                class="relative p-4 w-full max-w-2xl max-h-full"
+                on:click=move |e| e.stop_propagation()
+            >
+                <div class="relative bg-white rounded-lg shadow">
+                    <div class="flex items-center justify-between p-4 md:p-5 border-b rounded-t">
+                        <h3 class="text-xl font-semibold text-gray-900">Create New Organization</h3>
+                        <button
+                            type="button"
+                            class="text-gray-400 bg-transparent hover:bg-gray-200 hover:text-gray-900 rounded-lg text-sm w-8 h-8 ms-auto inline-flex justify-center items-center"
+                            data-modal-hide="default-modal"
+                            on:click=move |_| modal_hidden.set(true)
+                        >
+                            <svg
+                                class="w-3 h-3"
+                                aria-hidden="true"
+                                xmlns="http://www.w3.org/2000/svg"
+                                fill="none"
+                                viewBox="0 0 14 14"
+                            >
+                                <path
+                                    stroke="currentColor"
+                                    stroke-linecap="round"
+                                    stroke-linejoin="round"
+                                    stroke-width="2"
+                                    d="m1 1 6 6m0 0 6 6M7 7l6-6M7 7l-6 6"
+                                />
+                            </svg>
+                            <span class="sr-only">Close modal</span>
+                        </button>
+                    </div>
+                    <div class="p-4 md:p-5 space-y-4">
+                        <div>
+                            <label class="block mb-2 text-sm font-medium text-gray-900">
+                                Your Organization Name
+                            </label>
+                            <input
+                                prop:value=move || org_name.get()
+                                on:input=move |ev| {
+                                    org_name.set(event_target_value(&ev));
+                                }
+                                class="bg-gray-50 border border-gray-300 text-gray-900 text-sm rounded-lg focus:ring-blue-500 focus:border-blue-500 block w-full p-2.5"
+                                required
+                            />
+                        </div>
+                    </div>
+                    <div class="flex items-center p-4 md:p-5 border-t border-gray-200 rounded-b">
+                        <button
+                            type="button"
+                            class="flex flex-row items-center text-white bg-blue-700 hover:bg-blue-800 focus:ring-4 focus:outline-none focus:ring-blue-300 font-medium rounded-lg text-sm px-5 py-2.5 text-center"
+                            disabled=move || create_pending.get()
+                            on:click=handle_create_org
+                        >
+                            <svg
+                                aria-hidden="true"
+                                role="status"
+                                class="w-4 h-4 me-3 text-white animate-spin"
+                                viewBox="0 0 100 101"
+                                fill="none"
+                                xmlns="http://www.w3.org/2000/svg"
+                                class:hidden=move || !create_pending.get()
+                            >
+                                <path
+                                    d="M100 50.5908C100 78.2051 77.6142 100.591 50 100.591C22.3858 100.591 0 78.2051 0 50.5908C0 22.9766 22.3858 0.59082 50 0.59082C77.6142 0.59082 100 22.9766 100 50.5908ZM9.08144 50.5908C9.08144 73.1895 27.4013 91.5094 50 91.5094C72.5987 91.5094 90.9186 73.1895 90.9186 50.5908C90.9186 27.9921 72.5987 9.67226 50 9.67226C27.4013 9.67226 9.08144 27.9921 9.08144 50.5908Z"
+                                    fill="#E5E7EB"
+                                />
+                                <path
+                                    d="M93.9676 39.0409C96.393 38.4038 97.8624 35.9116 97.0079 33.5539C95.2932 28.8227 92.871 24.3692 89.8167 20.348C85.8452 15.1192 80.8826 10.7238 75.2124 7.41289C69.5422 4.10194 63.2754 1.94025 56.7698 1.05124C51.7666 0.367541 46.6976 0.446843 41.7345 1.27873C39.2613 1.69328 37.813 4.19778 38.4501 6.62326C39.0873 9.04874 41.5694 10.4717 44.0505 10.1071C47.8511 9.54855 51.7191 9.52689 55.5402 10.0491C60.8642 10.7766 65.9928 12.5457 70.6331 15.2552C75.2735 17.9648 79.3347 21.5619 82.5849 25.841C84.9175 28.9121 86.7997 32.2913 88.1811 35.8758C89.083 38.2158 91.5421 39.6781 93.9676 39.0409Z"
+                                    fill="currentColor"
+                                />
+                            </svg>
+                            {move || if create_pending.get() { "Creating" } else { "Create" }}
+                        </button>
+                        <button
+                            type="button"
+                            class="ms-3 text-gray-500 bg-white hover:bg-gray-100 focus:ring-4 focus:outline-none focus:ring-blue-300 rounded-lg border border-gray-200 text-sm font-medium px-5 py-2.5 hover:text-gray-900 focus:z-10"
+                            disabled=move || create_pending.get()
+                            on:click=move |_| modal_hidden.set(true)
+                        >
+                            Cancel
+                        </button>
+                    </div>
+                </div>
+            </div>
+        </div>
+    }
+}
+
+async fn delete_org(org: Signal<Option<Organization>>) -> Result<Option<ErrorResponse>> {
+    let org = org.get().ok_or_else(|| anyhow!("can't get org"))?;
+    let resp = Request::delete(&format!("/api/v1/organizations/{}", org.id))
+        .send()
+        .await?;
+    if resp.status() == 200 {
+        let _ = window().location().set_href("/");
+    } else {
+        let error = resp
+            .json::<ErrorResponse>()
+            .await
+            .unwrap_or_else(|_| ErrorResponse {
+                error: "Internal Server Error".to_string(),
+            });
+        return Ok(Some(error));
+    }
+    Ok(None)
+}
+
+#[component]
+pub fn OrgSettings() -> impl IntoView {
+    let modal_hidden = RwSignal::new_local(true);
+    let org = get_current_org();
+    let delete_action = Action::new_local(move |()| delete_org(org));
+    let login = use_context::<LocalResource<Option<MeUser>>>().unwrap();
+    let cluster_info = get_cluster_info();
+    view! {
+        <div class="border-b pb-4 mb-8">
+            <h5 class="mr-3 text-2xl font-semibold">Organization Settings</h5>
+            <p class="text-gray-700">{"Manage your organization's settings"}</p>
+        </div>
+        <div class="mb-8">
+            <div class="w-full p-8 border rounded-xl shadow">
+                <UpdateNameView />
+            </div>
+            // <div
+            //     class="mt-8 w-full p-8 border rounded-xl shadow"
+            //     class:hidden=move || {
+            //         !cluster_info.with(|i| i.as_ref().map(|i| i.has_enterprise)).unwrap_or(false)
+            //     }
+            // >
+            //     <AutoStartStopView />
+            // </div>
+
+            <div
+                class="mt-8 w-full p-8 border rounded-xl shadow"
+                class:hidden=move || {
+                    !login
+                        .with(|l| {
+                            l.as_ref()
+                                .and_then(|l| {
+                                    l.as_ref().map(|l| l.organization.role == UserRole::Owner)
+                                })
+                                .unwrap_or(false)
+                        })
+                }
+            >
+                <h5 class="text-lg font-semibold mb-4">Delete Organization</h5>
+                <Button
+                    variant=ButtonVariant::Destructive
+                    on:click=move |_| modal_hidden.set(false)
+                >
+                    Delete
+                </Button>
+            </div>
+        </div>
+        <DeleteOrgModal modal_hidden delete_action />
+    }
+}
+
+#[component]
+pub fn DeleteOrgModal(
+    modal_hidden: RwSignal<bool, LocalStorage>,
+    delete_action: Action<(), Result<Option<ErrorResponse>>>,
+) -> impl IntoView {
+    let error = RwSignal::new_local(None);
+    let confirmation = RwSignal::new_local(String::new());
+    let handle_delete = move |_| {
+        delete_action.dispatch(());
+    };
+    let delete_pending = delete_action.pending();
+    let org = use_context::<Signal<Option<Organization>, LocalStorage>>().unwrap();
+    Effect::new(move |_| {
+        delete_action.value().with(|result| {
+            if let Some(result) = result {
+                match result {
+                    Ok(err) => {
+                        if let Some(err) = err {
+                            error.set(Some(err.error.to_string()));
+                        }
+                    }
+                    Err(e) => {
+                        console_log(&format!("creation error: {e}"));
+                    }
+                }
+            }
+        })
+    });
+    view! {
+        <div
+            tabindex="-1"
+            class="bg-gray-900/50 flex overflow-y-auto overflow-x-hidden fixed top-0 right-0 left-0 z-50 justify-center items-center w-full h-full"
+            class:hidden=move || modal_hidden.get()
+            on:click=move |_| modal_hidden.set(true)
+        >
+            <div
+                class="relative p-4 w-full max-w-md max-h-full"
+                on:click=move |e| e.stop_propagation()
+            >
+                <div class="relative bg-white rounded-lg shadow">
+                    <button
+                        type="button"
+                        class="absolute top-3 end-2.5 text-gray-400 bg-transparent hover:bg-gray-200 hover:text-gray-900 rounded-lg text-sm w-8 h-8 ms-auto inline-flex justify-center items-center"
+                        on:click=move |_| modal_hidden.set(true)
+                    >
+                        <svg
+                            class="w-3 h-3"
+                            aria-hidden="true"
+                            xmlns="http://www.w3.org/2000/svg"
+                            fill="none"
+                            viewBox="0 0 14 14"
+                        >
+                            <path
+                                stroke="currentColor"
+                                stroke-linecap="round"
+                                stroke-linejoin="round"
+                                stroke-width="2"
+                                d="m1 1 6 6m0 0 6 6M7 7l6-6M7 7l-6 6"
+                            />
+                        </svg>
+                        <span class="sr-only">Close modal</span>
+                    </button>
+                    <div class="p-4 md:p-5 text-center text-gray-500">
+                        <svg
+                            class="mx-auto mb-4 text-gray-400 w-12 h-12"
+                            aria-hidden="true"
+                            xmlns="http://www.w3.org/2000/svg"
+                            fill="none"
+                            viewBox="0 0 20 20"
+                        >
+                            <path
+                                stroke="currentColor"
+                                stroke-linecap="round"
+                                stroke-linejoin="round"
+                                stroke-width="2"
+                                d="M10 11V6m0 8h.01M19 10a9 9 0 1 1-18 0 9 9 0 0 1 18 0Z"
+                            />
+                        </svg>
+                        <h3 class="mb-5 text-lg font-normalflex flex-col items-center">
+                            <p>Are you sure you want to delete organization</p>
+                            <p class="text-bold text-gray-600">
+                                {move || org.get().map(|org| org.name).unwrap_or_default()}
+                            </p>
+                        </h3>
+                        {move || {
+                            if let Some(error) = error.get() {
+                                view! {
+                                    <div class="text-left p-4 mb-4 rounded-lg bg-red-50">
+                                        <span class="text-sm font-medium text-red-800">
+                                            {error}
+                                        </span>
+                                    </div>
+                                }
+                                    .into_any()
+                            } else {
+                                ().into_any()
+                            }
+                        }}
+                        <div class="text-left">
+                            <p>
+                                {"1. You'll lose all the projects and workspaces in this organization and this cannot be restored."}
+                            </p>
+                            <p>
+                                {"2. All organization members will lose access to this organization and all the associated workspaces."}
+                            </p>
+                        </div>
+                        <p class="mt-4 text-left">
+                            Type
+                            <span class="text-semibold mx-1 px-1 text-gray-800 bg-gray-200 rounded">
+                                {move || org.get().map(|org| org.name).unwrap_or_default()}
+                            </span>To Confirm
+                        </p>
+                        <input
+                            class="w-full border rounded py-1 px-1 my-2"
+                            prop:value=move || confirmation.get()
+                            on:input=move |ev| {
+                                confirmation.set(event_target_value(&ev));
+                            }
+                        />
+                        <button
+                            type="button"
+                            class="text-white bg-red-600 disabled:bg-red-400 hover:bg-red-800 focus:ring-4 focus:outline-none focus:ring-red-300 font-medium rounded-lg text-sm inline-flex items-center px-5 py-2.5 text-center me-2"
+                            on:click=handle_delete
+                            disabled=move || {
+                                delete_pending.get()
+                                    || {
+                                        let confirmation = confirmation.get();
+                                        let org = org.get().map(|org| org.name).unwrap_or_default();
+                                        confirmation != org
+                                    }
+                            }
+                        >
+                            <svg
+                                aria-hidden="true"
+                                role="status"
+                                class="w-3 h-3 me-3 text-white animate-spin"
+                                viewBox="0 0 100 101"
+                                fill="none"
+                                xmlns="http://www.w3.org/2000/svg"
+                                class:hidden=move || !delete_pending.get()
+                            >
+                                <path
+                                    d="M100 50.5908C100 78.2051 77.6142 100.591 50 100.591C22.3858 100.591 0 78.2051 0 50.5908C0 22.9766 22.3858 0.59082 50 0.59082C77.6142 0.59082 100 22.9766 100 50.5908ZM9.08144 50.5908C9.08144 73.1895 27.4013 91.5094 50 91.5094C72.5987 91.5094 90.9186 73.1895 90.9186 50.5908C90.9186 27.9921 72.5987 9.67226 50 9.67226C27.4013 9.67226 9.08144 27.9921 9.08144 50.5908Z"
+                                    fill="#E5E7EB"
+                                />
+                                <path
+                                    d="M93.9676 39.0409C96.393 38.4038 97.8624 35.9116 97.0079 33.5539C95.2932 28.8227 92.871 24.3692 89.8167 20.348C85.8452 15.1192 80.8826 10.7238 75.2124 7.41289C69.5422 4.10194 63.2754 1.94025 56.7698 1.05124C51.7666 0.367541 46.6976 0.446843 41.7345 1.27873C39.2613 1.69328 37.813 4.19778 38.4501 6.62326C39.0873 9.04874 41.5694 10.4717 44.0505 10.1071C47.8511 9.54855 51.7191 9.52689 55.5402 10.0491C60.8642 10.7766 65.9928 12.5457 70.6331 15.2552C75.2735 17.9648 79.3347 21.5619 82.5849 25.841C84.9175 28.9121 86.7997 32.2913 88.1811 35.8758C89.083 38.2158 91.5421 39.6781 93.9676 39.0409Z"
+                                    fill="currentColor"
+                                />
+                            </svg>
+                            {move || {
+                                if delete_pending.get() { "Deleting" } else { "Yes, I'm sure" }
+                            }}
+                        </button>
+                        <button
+                            type="button"
+                            class="text-gray-500 bg-white hover:bg-gray-100 focus:ring-4 focus:outline-none focus:ring-gray-200 rounded-lg border border-gray-200 text-sm font-medium px-5 py-2.5 hover:text-gray-900 focus:z-10"
+                            disabled=move || delete_pending.get()
+                            on:click=move |_| modal_hidden.set(true)
+                        >
+                            No, cancel
+                        </button>
+                    </div>
+                </div>
+            </div>
+        </div>
+    }
+}
+
+async fn update_name(id: Uuid, name: String) -> Result<(), ErrorResponse> {
+    let resp = Request::put(&format!("/api/v1/organizations/{id}/name"))
+        .json(&UpdateOrganizationName { name })?
+        .send()
+        .await?;
+
+    if resp.status() != 204 {
+        let error = resp
+            .json::<ErrorResponse>()
+            .await
+            .unwrap_or_else(|_| ErrorResponse {
+                error: "Internal Server Error".to_string(),
+            });
+        return Err(error);
+    }
+
+    Ok(())
+}
+
+async fn update_auto_start_stop(
+    id: Uuid,
+    auto_start: bool,
+    allow_workspace_change_auto_start: bool,
+    auto_stop: Option<i32>,
+    allow_workspace_change_auto_stop: bool,
+) -> Result<(), ErrorResponse> {
+    let resp = Request::put(&format!("/api/v1/organizations/{id}/auto_start_stop"))
+        .json(&UpdateOrganizationAutoStartStop {
+            auto_start,
+            auto_stop,
+            allow_workspace_change_auto_start,
+            allow_workspace_change_auto_stop,
+        })?
+        .send()
+        .await?;
+
+    if resp.status() != 204 {
+        let error = resp
+            .json::<ErrorResponse>()
+            .await
+            .unwrap_or_else(|_| ErrorResponse {
+                error: "Internal Server Error".to_string(),
+            });
+        return Err(error);
+    }
+
+    Ok(())
+}
+
+#[component]
+fn AutoStartStopView() -> impl IntoView {
+    let org = use_context::<Signal<Option<Organization>, LocalStorage>>().unwrap();
+    let login_counter = expect_context::<RwSignal<i32, LocalStorage>>();
+
+    let auto_start_enabled = RwSignal::new_local(false);
+    Effect::new(move |_| {
+        if let Some(enabled) = org.with(|o| o.as_ref().map(|o| o.auto_start)) {
+            auto_start_enabled.set(enabled);
+        }
+    });
+
+    let allow_workspace_change_auto_start = RwSignal::new_local(false);
+    Effect::new(move |_| {
+        if let Some(enabled) = org.with(|o| o.as_ref().map(|o| o.allow_workspace_change_auto_start))
+        {
+            allow_workspace_change_auto_start.set(enabled);
+        }
+    });
+
+    let auto_stop_enabled = RwSignal::new_local(false);
+    Effect::new(move |_| {
+        if let Some(enabled) = org.with(|o| o.as_ref().map(|o| o.auto_stop.is_some())) {
+            auto_stop_enabled.set(enabled);
+        }
+    });
+
+    let auto_stop_seconds = RwSignal::new_local(3600);
+    Effect::new(move |_| {
+        if let Some(seconds) = org.with(|o| o.as_ref().map(|o| o.auto_stop)).flatten() {
+            auto_stop_seconds.set(seconds);
+        }
+    });
+
+    let allow_workspace_change_auto_stop = RwSignal::new_local(false);
+    Effect::new(move |_| {
+        if let Some(enabled) = org.with(|o| o.as_ref().map(|o| o.allow_workspace_change_auto_stop))
+        {
+            allow_workspace_change_auto_stop.set(enabled);
+        }
+    });
+
+    let save_action = Action::new_local(move |_| async move {
+        if let Some(id) = org.with(|o| o.as_ref().map(|o| o.id)) {
+            update_auto_start_stop(
+                id,
+                auto_start_enabled.get_untracked(),
+                allow_workspace_change_auto_start.get_untracked(),
+                if auto_stop_enabled.get_untracked() {
+                    Some(auto_stop_seconds.get_untracked())
+                } else {
+                    None
+                },
+                allow_workspace_change_auto_stop.get_untracked(),
+            )
+            .await
+        } else {
+            Err(ErrorResponse {
+                error: "Organization not loaded yet".to_string(),
+            })
+        }
+    });
+
+    let body = view! {
+        <div class="mt-2">
+            <label class="inline-flex items-center cursor-pointer">
+                <input
+                    type="checkbox"
+                    value=""
+                    class="sr-only peer"
+                    prop:checked=move || auto_start_enabled.get()
+                    on:change=move |e| auto_start_enabled.set(event_target_checked(&e))
+                />
+                <div class="relative w-11 h-6 bg-gray-200 peer-focus:outline-none peer-focus:ring-4 peer-focus:ring-blue-300 rounded-full peer peer-checked:after:translate-x-full rtl:peer-checked:after:-translate-x-full peer-checked:after:border-white after:content-[''] after:absolute after:top-[2px] after:start-[2px] after:bg-white after:border-gray-300 after:border after:rounded-full after:h-5 after:w-5 after:transition-all peer-checked:bg-blue-600"></div>
+                <span class="ms-3 text-sm font-medium text-gray-900">Auto Start Enabled</span>
+            </label>
+        </div>
+        <div class="mt-2">
+            <label class="inline-flex items-center cursor-pointer">
+                <input
+                    type="checkbox"
+                    value=""
+                    class="sr-only peer"
+                    prop:checked=move || allow_workspace_change_auto_start.get()
+                    on:change=move |e| {
+                        allow_workspace_change_auto_start.set(event_target_checked(&e))
+                    }
+                />
+                <div class="relative w-11 h-6 bg-gray-200 peer-focus:outline-none peer-focus:ring-4 peer-focus:ring-blue-300 rounded-full peer peer-checked:after:translate-x-full rtl:peer-checked:after:-translate-x-full peer-checked:after:border-white after:content-[''] after:absolute after:top-[2px] after:start-[2px] after:bg-white after:border-gray-300 after:border after:rounded-full after:h-5 after:w-5 after:transition-all peer-checked:bg-blue-600"></div>
+                <span class="ms-3 text-sm font-medium text-gray-900">
+                    Allow Changing Auto Start on Workspace
+                </span>
+            </label>
+        </div>
+        <div class="mt-2">
+            <label class="inline-flex items-center cursor-pointer">
+                <input
+                    type="checkbox"
+                    value=""
+                    class="sr-only peer"
+                    prop:checked=move || auto_stop_enabled.get()
+                    on:change=move |e| auto_stop_enabled.set(event_target_checked(&e))
+                />
+                <div class="relative w-11 h-6 bg-gray-200 peer-focus:outline-none peer-focus:ring-4 peer-focus:ring-blue-300 rounded-full peer peer-checked:after:translate-x-full rtl:peer-checked:after:-translate-x-full peer-checked:after:border-white after:content-[''] after:absolute after:top-[2px] after:start-[2px] after:bg-white after:border-gray-300 after:border after:rounded-full after:h-5 after:w-5 after:transition-all peer-checked:bg-blue-600"></div>
+                <span class="ms-3 text-sm font-medium text-gray-900">Auto Stop Enabled</span>
+            </label>
+        </div>
+        <div class="mt-2">
+            <label class="inline-flex items-center cursor-pointer">
+                <input
+                    type="checkbox"
+                    value=""
+                    class="sr-only peer"
+                    prop:checked=move || allow_workspace_change_auto_stop.get()
+                    on:change=move |e| {
+                        allow_workspace_change_auto_stop.set(event_target_checked(&e))
+                    }
+                />
+                <div class="relative w-11 h-6 bg-gray-200 peer-focus:outline-none peer-focus:ring-4 peer-focus:ring-blue-300 rounded-full peer peer-checked:after:translate-x-full rtl:peer-checked:after:-translate-x-full peer-checked:after:border-white after:content-[''] after:absolute after:top-[2px] after:start-[2px] after:bg-white after:border-gray-300 after:border after:rounded-full after:h-5 after:w-5 after:transition-all peer-checked:bg-blue-600"></div>
+                <span class="ms-3 text-sm font-medium text-gray-900">
+                    Allow Changing Auto Stop on Workspace
+                </span>
+            </label>
+        </div>
+        {move || {
+            if auto_stop_enabled.get() {
+                view! {
+                    <div class="mt-2">
+                        <label class="block mb-2 text-sm font-medium text-gray-900">
+                            Auto Stop Seconds
+                        </label>
+                        <input
+                            prop:value=move || auto_stop_seconds.get()
+                            on:input=move |ev| {
+                                if let Ok(seconds) = event_target_value(&ev).parse() {
+                                    auto_stop_seconds.set(seconds);
+                                }
+                            }
+                            class="max-w-96 bg-gray-50 border border-gray-300 text-gray-900 text-sm rounded-lg focus:ring-blue-500 focus:border-blue-500 block w-full p-2.5"
+                        />
+                    // placeholder={placeholder}
+                    </div>
+                }
+                    .into_any()
+            } else {
+                ().into_any()
+            }
+        }}
+    };
+
+    view! {
+        <SettingView
+            title="Auto Start Stop Settings".to_string()
+            action=save_action
+            body
+            update_counter=login_counter
+            extra=None
+        />
+    }
+}
+
+#[component]
+fn UpdateNameView() -> impl IntoView {
+    let org = use_context::<Signal<Option<Organization>, LocalStorage>>().unwrap();
+    let login_counter = expect_context::<RwSignal<i32, LocalStorage>>();
+
+    let org_name = RwSignal::new_local(String::new());
+    Effect::new(move |_| {
+        if let Some(name) = org.with(|o| o.as_ref().map(|o| o.name.clone())) {
+            org_name.set(name);
+        }
+    });
+
+    let save_action = Action::new_local(move |_| async move {
+        if let Some(id) = org.with(|o| o.as_ref().map(|o| o.id)) {
+            update_name(id, org_name.get_untracked()).await
+        } else {
+            Err(ErrorResponse {
+                error: "Organization not loaded yet".to_string(),
+            })
+        }
+    });
+
+    let body = view! {
+        <div class="mt-2">
+            <input
+                prop:value=move || org_name.get()
+                on:input=move |ev| {
+                    org_name.set(event_target_value(&ev));
+                }
+                class="max-w-96 bg-gray-50 border border-gray-300 text-gray-900 text-sm rounded-lg focus:ring-blue-500 focus:border-blue-500 block w-full p-2.5"
+            />
+        // placeholder={placeholder}
+        </div>
+    };
+
+    view! {
+        <SettingView
+            title="Organization Name".to_string()
+            action=save_action
+            body
+            update_counter=login_counter
+            extra=None
+        />
+    }
+}
+
+async fn get_org_members(org: Signal<Option<Organization>>) -> Result<Vec<OrganizationMember>> {
+    let org = org.get().ok_or_else(|| anyhow!("can't get org"))?;
+    let resp = Request::get(&format!("/api/v1/organizations/{}/members", org.id))
+        .send()
+        .await?;
+    let members: Vec<OrganizationMember> = resp.json().await?;
+    Ok(members)
+}
+
+#[component]
+pub fn OrgMembers() -> impl IntoView {
+    let invite_member_modal_open = RwSignal::new(false);
+    let member_filter = RwSignal::new_local(String::new());
+
+    let org = get_current_org();
+    let update_counter = RwSignal::new_local(0);
+    let members = LocalResource::new(move || get_org_members(org));
+    Effect::new(move |_| {
+        update_counter.track();
+        members.refetch();
+    });
+
+    let members = Signal::derive(move || {
+        let filter = member_filter.get();
+        let mut members = members
+            .with(|m| m.as_ref().and_then(|m| m.as_ref().ok().cloned()))
+            .unwrap_or_default();
+        if !filter.trim().is_empty() {
+            members.retain(|m| {
+                m.name
+                    .as_ref()
+                    .map(|n| n.contains(&filter))
+                    .unwrap_or(false)
+            });
+        }
+        members
+    });
+
+    view! {
+        <div class="pb-4">
+            <h5 class="mr-3 text-2xl font-semibold">Organization Members</h5>
+            <p class="text-gray-700">{"Manage your organization's members"}</p>
+            <div class="flex flex-col items-center justify-between py-4 gap-y-3 md:flex-row md:space-y-0 md:space-x-4">
+                <div class="w-full md:w-1/2">
+                    <form class="flex items-center">
+                        <label for="simple-search" class="sr-only">
+                            Filter Members
+                        </label>
+                        <div class="relative w-full">
+                            <div class="absolute inset-y-0 left-0 flex items-center pl-3 pointer-events-none">
+                                <svg
+                                    aria-hidden="true"
+                                    class="w-5 h-5 text-gray-500"
+                                    fill="currentColor"
+                                    viewbox="0 0 20 20"
+                                    xmlns="http://www.w3.org/2000/svg"
+                                >
+                                    <path
+                                        fill-rule="evenodd"
+                                        d="M8 4a4 4 0 100 8 4 4 0 000-8zM2 8a6 6 0 1110.89 3.476l4.817 4.817a1 1 0 01-1.414 1.414l-4.816-4.816A6 6 0 012 8z"
+                                        clip-rule="evenodd"
+                                    />
+                                </svg>
+                            </div>
+                            <input
+                                prop:value=move || member_filter.get()
+                                on:input=move |ev| {
+                                    member_filter.set(event_target_value(&ev));
+                                }
+                                type="text"
+                                class="bg-white block w-full p-2 pl-10 text-sm text-gray-900 border border-gray-300 rounded-lg bg-gray-50 focus:ring-blue-500 focus:border-blue-500"
+                                placeholder="Filter Members"
+                            />
+                        </div>
+                    </form>
+                </div>
+                <Button on:click=move |_| {
+                    invite_member_modal_open.set(true)
+                }>Invite New Member</Button>
+            </div>
+        </div>
+
+        <div class="flex items-center w-full px-4 py-2 text-gray-900 bg-gray-50">
+            <span class="w-1/3 truncate pr-2">Name</span>
+            <span class="w-1/3 truncate">Joined</span>
+            <span class="w-1/3 truncate pl-2 flex flex-row items-center">
+                <div class="w-2/3 flex flex-row justify-center">
+                    <span>Role</span>
+                </div>
+                <span class="w-1/3"></span>
+            </span>
+        </div>
+
+        <For
+            each=move || members.get().into_iter().enumerate()
+            key=|(i, m)| (*i, m.clone())
+            children=move |(i, m)| {
+                view! { <MemberItemView i member=m update_counter /> }
+            }
+        />
+
+        <InviteMemberView invite_member_modal_open />
+    }
+}
+
+async fn delete_org_member(
+    org: Signal<Option<Organization>>,
+    user_id: Uuid,
+    delete_modal_open: RwSignal<bool>,
+    update_counter: RwSignal<i32, LocalStorage>,
+) -> Result<(), ErrorResponse> {
+    let org = org.get().ok_or_else(|| anyhow!("can't get org"))?;
+    let resp = Request::delete(&format!(
+        "/api/v1/organizations/{}/members/{user_id}",
+        org.id
+    ))
+    .send()
+    .await?;
+    if resp.status() != 204 {
+        let error = resp
+            .json::<ErrorResponse>()
+            .await
+            .unwrap_or_else(|_| ErrorResponse {
+                error: "Internal Server Error".to_string(),
+            });
+        return Err(error);
+    }
+    delete_modal_open.set(false);
+    update_counter.update(|c| *c += 1);
+    Ok(())
+}
+
+async fn update_org_member(
+    org: Signal<Option<Organization>>,
+    user_id: Uuid,
+    role: String,
+    update_modal_open: RwSignal<bool>,
+    update_counter: RwSignal<i32, LocalStorage>,
+) -> Result<(), ErrorResponse> {
+    let org = org.get().ok_or_else(|| anyhow!("can't get org"))?;
+
+    let role: UserRole = match UserRole::from_str(&role) {
+        Ok(r) => r,
+        Err(_) => {
+            return Err(ErrorResponse {
+                error: "role is invalid".to_string(),
+            })
+        }
+    };
+
+    let resp = Request::put(&format!(
+        "/api/v1/organizations/{}/members/{user_id}",
+        org.id
+    ))
+    .json(&UpdateOrganizationMember { role })?
+    .send()
+    .await?;
+    if resp.status() != 200 {
+        let error = resp
+            .json::<ErrorResponse>()
+            .await
+            .unwrap_or_else(|_| ErrorResponse {
+                error: "Internal Server Error".to_string(),
+            });
+        return Err(error);
+    }
+    update_modal_open.set(false);
+    update_counter.update(|c| *c += 1);
+    Ok(())
+}
+
+#[component]
+fn MemberItemView(
+    i: usize,
+    member: OrganizationMember,
+    update_counter: RwSignal<i32, LocalStorage>,
+) -> impl IntoView {
+    let update_member_modal_open = RwSignal::new(false);
+    let delete_modal_open = RwSignal::new(false);
+    let org = get_current_org();
+    let delete_action = Action::new_local(move |_| {
+        delete_org_member(org, member.user_id, delete_modal_open, update_counter)
+    });
+
+    view! {
+        <div class="flex items-center w-full px-4 py-2" class=("border-t", move || i > 0)>
+            <span class="w-1/3 truncate pr-2 text-gray-900 flex flex-row items-center">
+                <img
+                    class="w-8 h-8 rounded-full mr-2"
+                    src=member
+                        .avatar_url
+                        .clone()
+                        .unwrap_or(
+                            "https://flowbite.s3.amazonaws.com/blocks/marketing-ui/avatars/michael-gough.png"
+                                .to_string(),
+                        )
+                    alt="user photo"
+                />
+                {member.name.clone()}
+            </span>
+            <div class="w-1/3 flex flex-col">
+                <DatetimeModal time=member.joined />
+            </div>
+            <span class="w-1/3 pl-2 flex flex-row items-center">
+                <div class="w-2/3 flex flex-row justify-center">
+                    <span>{member.role.to_string()}</span>
+                </div>
+                <span class="w-1/3">
+                    <MemberControl delete_modal_open update_member_modal_open align_right=true />
+                </span>
+            </span>
+        </div>
+        <DeleteModal
+            resource=member.name.clone().unwrap_or_default()
+            open=delete_modal_open
+            delete_action
+        />
+        <UpdateMemberView
+            member=member.clone()
+            update_modal_open=update_member_modal_open
+            update_counter
+        />
+    }
+}
+
+#[component]
+fn UpdateMemberView(
+    member: OrganizationMember,
+    update_modal_open: RwSignal<bool>,
+    update_counter: RwSignal<i32, LocalStorage>,
+) -> impl IntoView {
+    let role = RwSignal::new_local(member.role.to_string());
+    let org = get_current_org();
+    let update_action = Action::new_local(move |_| {
+        update_org_member(
+            org,
+            member.user_id,
+            role.get_untracked(),
+            update_modal_open,
+            update_counter,
+        )
+    });
+    let select_on_change = move |ev: web_sys::Event| {
+        role.set(event_target_value(&ev));
+    };
+    view! {
+        <Modal
+            title="Update Member".to_string()
+            open=update_modal_open
+            action=update_action
+            action_text="Update"
+            action_progress_text="Updating"
+        >
+            <div>
+                <label class="block mb-2 text-sm font-medium text-gray-900">Role</label>
+                <select
+                    class="bg-gray-50 border border-gray-300 text-gray-900 text-sm rounded-lg focus:ring-blue-500 focus:border-blue-500 block w-full p-2.5"
+                    on:change=select_on_change
+                >
+                    <For
+                        each=move || vec![UserRole::Admin, UserRole::Member]
+                        key=|b| b.clone()
+                        children=move |r| {
+                            let current_role = r.to_string();
+                            view! {
+                                <option selected=move || {
+                                    current_role == role.get()
+                                }>{r.to_string()}</option>
+                            }
+                        }
+                    />
+                </select>
+            </div>
+        </Modal>
+    }
+}
+
+#[component]
+fn MemberControl(
+    delete_modal_open: RwSignal<bool>,
+    update_member_modal_open: RwSignal<bool>,
+    align_right: bool,
+) -> impl IntoView {
+    let dropdown_hidden = RwSignal::new_local(true);
+
+    let toggle_dropdown = move |_| {
+        if dropdown_hidden.get_untracked() {
+            dropdown_hidden.set(false);
+        } else {
+            dropdown_hidden.set(true);
+        }
+    };
+
+    let on_focusout = move |e: FocusEvent| {
+        let node = e
+            .current_target()
+            .unwrap_throw()
+            .unchecked_into::<web_sys::HtmlElement>();
+
+        set_timeout(
+            move || {
+                let has_focus = if let Some(active) = document().active_element() {
+                    let active: web_sys::Node = active.into();
+                    node.contains(Some(&active))
+                } else {
+                    false
+                };
+                if !has_focus && !dropdown_hidden.get_untracked() {
+                    dropdown_hidden.set(true);
+                }
+            },
+            Duration::from_secs(0),
+        );
+    };
+
+    let delete_member = {
+        move |_| {
+            dropdown_hidden.set(true);
+            delete_modal_open.set(true);
+        }
+    };
+
+    view! {
+        <div class="relative w-9" on:focusout=on_focusout>
+            <button
+                class="hover:bg-gray-100 focus:outline-none font-medium rounded-lg text-sm px-2.5 py-2.5 text-center inline-flex items-center"
+                type="button"
+                on:click=toggle_dropdown
+            >
+                <svg
+                    class="w-4 h-4 text-white"
+                    viewBox="0 0 16 16"
+                    xmlns="http://www.w3.org/2000/svg"
+                >
+                    <path d="M9.5 13a1.5 1.5 0 1 1-3 0 1.5 1.5 0 0 1 3 0zm0-5a1.5 1.5 0 1 1-3 0 1.5 1.5 0 0 1 3 0zm0-5a1.5 1.5 0 1 1-3 0 1.5 1.5 0 0 1 3 0z" />
+                </svg>
+            </button>
+            <div
+                class="absolute pt-2 z-10 divide-y divide-gray-100"
+                class:hidden=move || dropdown_hidden.get()
+                class=("right-0", move || align_right)
+            >
+                <ul class="py-2 text-sm text-gray-700 bg-white rounded-lg border shadow w-44">
+                    <li>
+                        <a
+                            href="#"
+                            class="block px-4 py-2 hover:bg-gray-100"
+                            on:click=move |_| {
+                                dropdown_hidden.set(true);
+                                update_member_modal_open.set(true);
+                            }
+                        >
+                            Update Member
+                        </a>
+                    </li>
+                    <li>
+                        <a
+                            href="#"
+                            class="block px-4 py-2 hover:bg-gray-100 text-red-700"
+                            on:click=delete_member
+                        >
+                            Delete Member
+                        </a>
+                    </li>
+                </ul>
+            </div>
+        </div>
+    }
+}
+
+async fn create_user_invitation(org: Signal<Option<Organization>>) -> Result<String> {
+    let org = org.get().ok_or_else(|| anyhow!("can't get org"))?;
+    let resp = Request::post(&format!("/api/v1/organizations/{}/invitations", org.id))
+        .send()
+        .await?;
+    if resp.status() != 200 {
+        return Err(anyhow!(resp.text().await?));
+    }
+    let invitation: String = resp.text().await?;
+    Ok(invitation)
+}
+
+#[component]
+fn InviteMemberView(invite_member_modal_open: RwSignal<bool>) -> impl IntoView {
+    let action = Action::new_local(move |_| async move { Ok(()) });
+
+    let org = get_current_org();
+    let update_counter = RwSignal::new_local(0);
+    let invitation_resource = LocalResource::new(move || create_user_invitation(org));
+    Effect::new(move |_| {
+        update_counter.track();
+        invitation_resource.refetch();
+    });
+
+    let invitation = RwSignal::new_local(String::new());
+    Effect::new(move |_| {
+        let open = invite_member_modal_open.get();
+        invitation.set(String::new());
+        if open {
+            update_counter.update(|c| *c += 1);
+        }
+    });
+
+    Effect::new(move |_| {
+        if let Some(i) =
+            invitation_resource.with(|i| i.as_ref().and_then(|i| i.as_ref().ok().cloned()))
+        {
+            invitation.set(i);
+        }
+    });
+
+    view! {
+        <Modal
+            title="Invite New Member".to_string()
+            open=invite_member_modal_open
+            action
+            hide_action=true
+        >
+            <div>
+                <label class="block mb-2 text-sm font-medium text-gray-900">Invite URL</label>
+                <span class="bg-gray-50 text-gray-900 text-sm rounded-lg block w-full p-2.5">
+                    {move || {
+                        format!(
+                            "{}/join/{}",
+                            window().location().origin().unwrap(),
+                            invitation.get(),
+                        )
+                    }}
+                </span>
+                <label class="block mt-2 text-sm font-medium text-yellow-500">
+                    This URL will expiry in 30 minutes
+                </label>
+            </div>
+        </Modal>
+    }
+}
diff --git a/lapdev-dashboard/src/project.rs b/crates/dashboard/src/project.rs
similarity index 72%
rename from lapdev-dashboard/src/project.rs
rename to crates/dashboard/src/project.rs
index ec20315..0494bb0 100644
--- a/lapdev-dashboard/src/project.rs
+++ b/crates/dashboard/src/project.rs
@@ -6,33 +6,42 @@ use lapdev_common::{
     console::Organization, ClusterInfo, GitBranch, NewProject, NewProjectPrebuild,
     NewProjectResponse, PrebuildStatus, ProjectInfo, ProjectPrebuild,
 };
-use leptos::{
-    component, create_action, create_effect, create_local_resource, create_rw_signal, document,
-    event_target_value, expect_context, set_timeout, use_context, view, For, IntoView, RwSignal,
-    Signal, SignalGet, SignalGetUntracked, SignalSet, SignalUpdate, SignalWith,
-    SignalWithUntracked,
+use leptos::prelude::*;
+use leptos_router::{
+    hooks::{use_navigate, use_params_map},
+    NavigateOptions,
 };
-use leptos_router::{use_navigate, use_params_map};
 use uuid::Uuid;
 use wasm_bindgen::{JsCast, UnwrapThrowExt};
 use web_sys::FocusEvent;
 
 use crate::{
-    modal::{
-        CreationInput, CreationModal, DatetimeModal, DeletionModal, ErrorResponse, SettingView,
+    app::AppConfig,
+    cluster::get_cluster_info,
+    component::{
+        button::{Button, ButtonVariant},
+        dropdown_menu::{
+            DropdownMenu, DropdownMenuContent, DropdownMenuItem, DropdownMenuTrigger,
+            DropdownPlacement,
+        },
+        input::Input,
+        label::Label,
     },
+    modal::{CreationInput, DatetimeModal, DeleteModal, ErrorResponse, Modal, SettingView},
+    organization::get_current_org,
     workspace::{repo_img, CreateWorkspaceProjectInfo, NewWorkspaceModal},
 };
 
-async fn create_project(repo: String, machine_type: Option<Uuid>) -> Result<(), ErrorResponse> {
-    let current_org =
-        use_context::<Signal<Option<Organization>>>().ok_or_else(|| anyhow!("can't get org"))?;
-    let org = current_org
-        .get_untracked()
-        .ok_or_else(|| anyhow!("can't get org"))?;
+async fn create_project(
+    navigate: impl Fn(&str, NavigateOptions) + Clone,
+    org: Signal<Option<Organization>>,
+    cluster_info: Signal<Option<ClusterInfo>, LocalStorage>,
+    repo: String,
+    machine_type: Option<Uuid>,
+) -> Result<(), ErrorResponse> {
+    let org = org.get().ok_or_else(|| anyhow!("can't get org"))?;
 
     let machine_type_id = machine_type.unwrap_or_else(|| {
-        let cluster_info = expect_context::<Signal<Option<ClusterInfo>>>();
         cluster_info
             .get_untracked()
             .and_then(|i| i.machine_types.first().map(|m| m.id))
@@ -56,66 +65,51 @@ async fn create_project(repo: String, machine_type: Option<Uuid>) -> Result<(),
     }
 
     let resp: NewProjectResponse = resp.json().await?;
-    use_navigate()(&format!("/projects/{}", resp.id), Default::default());
+    navigate(&format!("/projects/{}", resp.id), Default::default());
 
     Ok(())
 }
 
 #[component]
-pub fn NewProjectView(new_project_modal_hidden: RwSignal<bool>) -> impl IntoView {
-    let repo = create_rw_signal(String::new());
-    let current_machine_type = create_rw_signal(None);
-    let preferred_machine_type = Signal::derive(|| None);
-    let action =
-        create_action(move |_| create_project(repo.get_untracked(), current_machine_type.get()));
-    let body = view! {
-        <CreationInput label="Your repository url".to_string() value=repo placeholder="https://github.com/owner/repo".to_string() />
-        <MachineTypeView current_machine_type preferred_machine_type />
-    };
+pub fn NewProjectView(new_project_modal_open: RwSignal<bool>) -> impl IntoView {
+    let repo = RwSignal::new_local(String::new());
+    let current_machine_type = RwSignal::new_local(None);
+    let preferred_machine_type = Signal::derive_local(|| None);
+    let org = get_current_org();
+    let navigate = use_navigate();
+    let cluster_info = get_cluster_info();
+    let action = Action::new_local(move |_| {
+        create_project(
+            navigate.clone(),
+            org,
+            cluster_info,
+            repo.get_untracked(),
+            current_machine_type.get(),
+        )
+    });
     view! {
-        <CreationModal title="Create New Project".to_string() modal_hidden=new_project_modal_hidden action body update_text=Some("Create".to_string()) updating_text=Some("Creating".to_string()) width_class=None create_button_hidden=Box::new(|| false) />
+        <Modal
+            title="Create New Project".to_string()
+            open=new_project_modal_open
+            action
+        >
+            <CreationInput label="Your repository url".to_string() value=repo placeholder="https://github.com/owner/repo".to_string() />
+            <MachineTypeView current_machine_type preferred_machine_type />
+        </Modal>
     }
 }
 
 #[component]
 fn ProjectControl(
     project_info: Option<ProjectInfo>,
-    delete_modal_hidden: RwSignal<bool>,
+    delete_modal_open: RwSignal<bool>,
     project_id: Uuid,
     align_right: bool,
-    new_workspace_modal_hidden: RwSignal<bool>,
-    create_workspace_project: RwSignal<Option<CreateWorkspaceProjectInfo>>,
+    new_workspace_modal_open: RwSignal<bool>,
+    create_workspace_project: RwSignal<Option<CreateWorkspaceProjectInfo>, LocalStorage>,
 ) -> impl IntoView {
-    let hidden = create_rw_signal(true);
-    let toggle_dropdown = move |_| {
-        if hidden.get_untracked() {
-            hidden.set(false);
-        } else {
-            hidden.set(true);
-        }
-    };
-
-    let on_focusout = move |e: FocusEvent| {
-        let node = e
-            .current_target()
-            .unwrap_throw()
-            .unchecked_into::<web_sys::HtmlElement>();
-
-        set_timeout(
-            move || {
-                let has_focus = if let Some(active) = document().active_element() {
-                    let active: web_sys::Node = active.into();
-                    node.contains(Some(&active))
-                } else {
-                    false
-                };
-                if !has_focus && !hidden.get_untracked() {
-                    hidden.set(true);
-                }
-            },
-            Duration::from_secs(0),
-        );
-    };
+    let dropdown_expanded = RwSignal::new(false);
+    let org = get_current_org();
 
     let handle_create_workspace = {
         let project_info = project_info.clone();
@@ -130,13 +124,15 @@ fn ProjectControl(
                     });
                 });
                 project_branches_signal(
-                    Signal::derive(move || project_id.to_string()),
-                    create_rw_signal("".to_string()),
+                    org,
+                    Signal::derive_local(move || project_id.to_string()),
+                    RwSignal::new_local("".to_string()),
                     create_workspace_project,
                 );
                 project_prebuilds_signal(
-                    Signal::derive(move || project_id.to_string()),
-                    create_rw_signal("".to_string()),
+                    org,
+                    Signal::derive_local(move || project_id.to_string()),
+                    RwSignal::new_local("".to_string()),
                     create_workspace_project,
                 );
             } else {
@@ -146,62 +142,51 @@ fn ProjectControl(
                     }
                 });
             }
-            new_workspace_modal_hidden.set(false);
+            new_workspace_modal_open.set(true);
         }
     };
 
     view! {
         <div class="flex flex-row items-center">
-            <button
-                class="px-4 py-2 text-sm font-medium text-white rounded-lg bg-green-700 hover:bg-green-800 focus:ring-4 focus:ring-green-300 focus:outline-none"
+            <Button
                 on:click=handle_create_workspace
             >
                 New Workspace
-            </button>
-            <div
-                class="ml-2 relative"
-                on:focusout=on_focusout
-            >
-                <button
-                    class="hover:bg-gray-100 focus:outline-none font-medium rounded-lg text-sm px-2.5 py-2.5 text-center inline-flex items-center"
-                    type="button"
-                    on:click=toggle_dropdown
+            </Button>
+            <DropdownMenu class="ml-2" open=dropdown_expanded>
+                <DropdownMenuTrigger
+                    open=dropdown_expanded
+                    placement={if align_right {DropdownPlacement::BottomRight} else {DropdownPlacement::BottomLeft} }
                 >
-                    <svg class="w-4 h-4 text-white" viewBox="0 0 16 16" xmlns="http://www.w3.org/2000/svg">
-                        <path d="M9.5 13a1.5 1.5 0 1 1-3 0 1.5 1.5 0 0 1 3 0zm0-5a1.5 1.5 0 1 1-3 0 1.5 1.5 0 0 1 3 0zm0-5a1.5 1.5 0 1 1-3 0 1.5 1.5 0 0 1 3 0z"/>
-                    </svg>
-                </button>
-                <div
-                    class="absolute pt-2 z-10 divide-y divide-gray-100"
-                    class:hidden=move || hidden.get()
-                    class=("right-0", move || align_right)
+                    <Button variant=ButtonVariant::Ghost class="px-2">
+                        <lucide_leptos::EllipsisVertical />
+                    </Button>
+                </DropdownMenuTrigger>
+                <DropdownMenuContent
+                    open=dropdown_expanded.read_only()
+                    class="mt-2 min-w-56"
                 >
-                    <ul class="py-2 text-sm text-gray-700 bg-white rounded-lg border shadow w-44">
-                        <li>
-                            <a
-                                href="#"
-                                class="block px-4 py-2 hover:bg-gray-100 text-red-700"
-                                on:click=move |_| delete_modal_hidden.set(false)
-                            >
-                                Delete
-                            </a>
-                        </li>
-                    </ul>
-                </div>
-            </div>
+                    <DropdownMenuItem
+                        on:click=move |_| {
+                            dropdown_expanded.set(false);
+                            delete_modal_open.set(true);
+                        }
+                        class="cursor-pointer"
+                    >
+                        Delete
+                    </DropdownMenuItem>
+                </DropdownMenuContent>
+            </DropdownMenu>
         </div>
     }
 }
 
 async fn update_project_machine_type(
+    org: Signal<Option<Organization>>,
     project_id: Uuid,
     machine_type_id: Uuid,
 ) -> Result<(), ErrorResponse> {
-    let current_org =
-        use_context::<Signal<Option<Organization>>>().ok_or_else(|| anyhow!("can't get org"))?;
-    let org = current_org
-        .get_untracked()
-        .ok_or_else(|| anyhow!("can't get org"))?;
+    let org = org.get().ok_or_else(|| anyhow!("can't get org"))?;
 
     let resp = Request::put(&format!(
         "/api/v1/organizations/{}/projects/{project_id}/machine_type/{machine_type_id}",
@@ -223,16 +208,13 @@ async fn update_project_machine_type(
 }
 
 async fn delete_project_prebuild(
+    org: Signal<Option<Organization>>,
     project: String,
     prebuild_id: Uuid,
-    prebuilds_counter: RwSignal<i32>,
-    delete_modal_hidden: RwSignal<bool>,
+    prebuilds_counter: RwSignal<i32, LocalStorage>,
+    delete_modal_open: RwSignal<bool>,
 ) -> Result<(), ErrorResponse> {
-    let current_org =
-        use_context::<Signal<Option<Organization>>>().ok_or_else(|| anyhow!("can't get org"))?;
-    let org = current_org
-        .get_untracked()
-        .ok_or_else(|| anyhow!("can't get org"))?;
+    let org = org.get().ok_or_else(|| anyhow!("can't get org"))?;
 
     let resp = Request::delete(&format!(
         "/api/v1/organizations/{}/projects/{project}/prebuilds/{prebuild_id}",
@@ -249,22 +231,20 @@ async fn delete_project_prebuild(
             });
         return Err(error);
     }
-    delete_modal_hidden.set(true);
+    delete_modal_open.set(false);
     prebuilds_counter.update(|c| *c += 1);
 
     Ok(())
 }
 
 async fn delete_project(
+    navigate: impl Fn(&str, NavigateOptions) + Clone,
+    org: Signal<Option<Organization>>,
     id: Uuid,
-    delete_modal_hidden: RwSignal<bool>,
-    update_counter: Option<RwSignal<i32>>,
+    delete_modal_open: RwSignal<bool>,
+    update_counter: Option<RwSignal<i32, LocalStorage>>,
 ) -> Result<(), ErrorResponse> {
-    let current_org =
-        use_context::<Signal<Option<Organization>>>().ok_or_else(|| anyhow!("can't get org"))?;
-    let org = current_org
-        .get_untracked()
-        .ok_or_else(|| anyhow!("can't get org"))?;
+    let org = org.get().ok_or_else(|| anyhow!("can't get org"))?;
     let resp = Request::delete(&format!("/api/v1/organizations/{}/projects/{id}", org.id))
         .send()
         .await?;
@@ -277,11 +257,11 @@ async fn delete_project(
             });
         return Err(error);
     }
-    delete_modal_hidden.set(true);
+    delete_modal_open.set(false);
     if let Some(update_counter) = update_counter {
         update_counter.update(|c| *c += 1);
     } else {
-        use_navigate()("/projects", Default::default());
+        navigate("/projects", Default::default());
     }
     Ok(())
 }
@@ -289,15 +269,24 @@ async fn delete_project(
 #[component]
 pub fn ProjectItem(
     project: ProjectInfo,
-    update_counter: RwSignal<i32>,
-    new_workspace_modal_hidden: RwSignal<bool>,
-    create_workspace_project: RwSignal<Option<CreateWorkspaceProjectInfo>>,
+    update_counter: RwSignal<i32, LocalStorage>,
+    new_workspace_modal_open: RwSignal<bool>,
+    create_workspace_project: RwSignal<Option<CreateWorkspaceProjectInfo>, LocalStorage>,
 ) -> impl IntoView {
+    let org = get_current_org();
     let id = project.id;
     let local_project = project.clone();
-    let delete_modal_hidden = create_rw_signal(true);
-    let delete_action =
-        create_action(move |_| delete_project(id, delete_modal_hidden, Some(update_counter)));
+    let delete_modal_open = RwSignal::new(false);
+    let navigate = use_navigate();
+    let delete_action = Action::new_local(move |_| {
+        delete_project(
+            navigate.clone(),
+            org,
+            id,
+            delete_modal_open,
+            Some(update_counter),
+        )
+    });
     view! {
         <div class="flex flex-col items-center bg-white border border-gray-200 rounded-lg shadow-lg lg:flex-row w-full">
             <div class="lg:w-1/3 flex flex-row">
@@ -328,19 +317,19 @@ pub fn ProjectItem(
                 </div>
             </div>
             <div class="lg:w-1/3 flex flex-row items-center p-4 justify-center">
-                <ProjectControl project_info=Some(local_project) delete_modal_hidden project_id=id align_right=true new_workspace_modal_hidden create_workspace_project />
+                <ProjectControl project_info=Some(local_project) delete_modal_open project_id=id align_right=true new_workspace_modal_open create_workspace_project />
             </div>
         </div>
-        <DeletionModal resource=project.name.clone() modal_hidden=delete_modal_hidden delete_action />
+        <DeleteModal
+            resource=project.name
+            open=delete_modal_open
+            delete_action
+        />
     }
 }
 
-async fn all_projects() -> Result<Vec<ProjectInfo>> {
-    let org =
-        use_context::<Signal<Option<Organization>>>().ok_or_else(|| anyhow!("can't get org"))?;
-    let org = org
-        .get_untracked()
-        .ok_or_else(|| anyhow!("can't get org"))?;
+async fn all_projects(org: Signal<Option<Organization>>) -> Result<Vec<ProjectInfo>> {
+    let org = org.get().ok_or_else(|| anyhow!("can't get org"))?;
     let resp = Request::get(&format!("/api/v1/organizations/{}/projects", org.id))
         .send()
         .await?;
@@ -350,16 +339,19 @@ async fn all_projects() -> Result<Vec<ProjectInfo>> {
 
 #[component]
 pub fn Projects() -> impl IntoView {
-    let project_filter = create_rw_signal(String::new());
-    let new_project_modal_hidden = create_rw_signal(true);
-    let new_workspace_modal_hidden = create_rw_signal(true);
-    let create_workspace_project = create_rw_signal(None);
-    let update_counter = create_rw_signal(0);
-
-    let projects = create_local_resource(
-        move || update_counter.get(),
-        |_| async move { all_projects().await.unwrap_or_default() },
-    );
+    let project_filter = RwSignal::new_local(String::new());
+    let new_project_modal_open = RwSignal::new(false);
+    let new_workspace_modal_open = RwSignal::new(false);
+    let create_workspace_project = RwSignal::new_local(None);
+    let update_counter = RwSignal::new_local(0);
+    let org = get_current_org();
+
+    let projects =
+        LocalResource::new(move || async move { all_projects(org).await.unwrap_or_default() });
+    Effect::new(move |_| {
+        update_counter.track();
+        projects.refetch();
+    });
 
     let projects = Signal::derive(move || {
         let mut projects = projects.get().unwrap_or_default();
@@ -389,51 +381,47 @@ pub fn Projects() -> impl IntoView {
                             <path fill-rule="evenodd" d="M8 4a4 4 0 100 8 4 4 0 000-8zM2 8a6 6 0 1110.89 3.476l4.817 4.817a1 1 0 01-1.414 1.414l-4.816-4.816A6 6 0 012 8z" clip-rule="evenodd" />
                             </svg>
                         </div>
-                        <input
+                        <Input
                             prop:value={move || project_filter.get()}
                             on:input=move |ev| { project_filter.set(event_target_value(&ev)); }
-                            type="text"
-                            class="bg-white block w-full p-2 pl-10 text-sm text-gray-900 border border-gray-300 rounded-lg bg-gray-50 focus:ring-blue-500 focus:border-blue-500"
-                            placeholder="Filter Projects"
+                            class="pl-10"
+                            attr:placeholder="Filter Projects"
                         />
                         </div>
                     </form>
                 </div>
-                <button
-                    type="button"
-                    class="flex items-center justify-center px-4 py-2 text-sm font-medium text-white rounded-lg bg-blue-700 hover:bg-blue-800 focus:ring-4 focus:ring-blue-300 focus:outline-none"
-                    on:click=move |_| new_project_modal_hidden.set(false)
+                <Button
+                    on:click=move |_| new_project_modal_open.set(true)
                 >
                     New Project
-                </button>
+                </Button>
             </div>
 
             <div class="relative w-full basis-0 grow">
-                <div class="absolute w-full h-full flex flex-col py-4 gap-y-8 overflow-y-auto">
+                <div class="w-full h-full flex flex-col py-4 gap-y-8 overflow-y-auto">
                     <For
                         each=move || projects.get()
                         key=|p| p.clone()
                         children=move |project| {
                             view! {
-                                <ProjectItem project update_counter new_workspace_modal_hidden create_workspace_project />
+                                <ProjectItem project update_counter new_workspace_modal_open create_workspace_project />
                             }
                         }
                     />
                 </div>
             </div>
 
-            <NewProjectView new_project_modal_hidden />
-            <NewWorkspaceModal modal_hidden=new_workspace_modal_hidden project_info=create_workspace_project />
+            <NewProjectView new_project_modal_open />
+            <NewWorkspaceModal modal_open=new_workspace_modal_open project_info=create_workspace_project />
         </section>
     }
 }
 
-async fn project_prebuilds(id: &str) -> Result<Vec<ProjectPrebuild>> {
-    let org =
-        use_context::<Signal<Option<Organization>>>().ok_or_else(|| anyhow!("can't get org"))?;
-    let org = org
-        .get_untracked()
-        .ok_or_else(|| anyhow!("can't get org"))?;
+async fn project_prebuilds(
+    org: Signal<Option<Organization>>,
+    id: &str,
+) -> Result<Vec<ProjectPrebuild>> {
+    let org = org.get().ok_or_else(|| anyhow!("can't get org"))?;
     let resp = Request::get(&format!(
         "/api/v1/organizations/{}/projects/{id}/prebuilds",
         org.id
@@ -446,19 +434,22 @@ async fn project_prebuilds(id: &str) -> Result<Vec<ProjectPrebuild>> {
 
 #[allow(clippy::type_complexity)]
 fn project_prebuilds_signal(
-    id: Signal<String>,
-    prebuild_filter: RwSignal<String>,
-    create_workspace_project: RwSignal<Option<CreateWorkspaceProjectInfo>>,
+    org: Signal<Option<Organization>>,
+    id: Signal<String, LocalStorage>,
+    prebuild_filter: RwSignal<String, LocalStorage>,
+    create_workspace_project: RwSignal<Option<CreateWorkspaceProjectInfo>, LocalStorage>,
 ) -> (
-    RwSignal<i32>,
-    Signal<Vec<ProjectPrebuild>>,
-    Signal<HashMap<String, ProjectPrebuild>>,
+    RwSignal<i32, LocalStorage>,
+    Signal<Vec<ProjectPrebuild>, LocalStorage>,
+    Signal<HashMap<String, ProjectPrebuild>, LocalStorage>,
 ) {
-    let prebuilds_counter = create_rw_signal(0);
-    let prebuilds = create_local_resource(
-        move || prebuilds_counter.get(),
-        move |_| async move { project_prebuilds(&id.get()).await },
-    );
+    let prebuilds_counter = RwSignal::new_local(0);
+    let prebuilds =
+        LocalResource::new(move || async move { project_prebuilds(org, &id.get()).await });
+    Effect::new(move |_| {
+        prebuilds_counter.track();
+        prebuilds.refetch();
+    });
 
     let prebuilds = Signal::derive(move || {
         prebuilds
@@ -467,7 +458,7 @@ fn project_prebuilds_signal(
             .unwrap_or_default()
     });
 
-    let prebuilds_map = Signal::derive(move || {
+    let prebuilds_map = Signal::derive_local(move || {
         let mut prebuilds = prebuilds.get();
         prebuilds.reverse();
         prebuilds
@@ -476,7 +467,7 @@ fn project_prebuilds_signal(
             .collect::<HashMap<String, _>>()
     });
 
-    create_effect(move |_| {
+    Effect::new(move |_| {
         prebuilds.track();
         create_workspace_project.update(|project| {
             if let Some(project) = project.as_mut() {
@@ -499,7 +490,7 @@ fn project_prebuilds_signal(
         });
     });
 
-    let prebuilds = Signal::derive(move || {
+    let prebuilds = Signal::derive_local(move || {
         let mut prebuilds = prebuilds.get();
         let prebuild_filter = prebuild_filter.get();
         prebuilds
@@ -510,12 +501,8 @@ fn project_prebuilds_signal(
     (prebuilds_counter, prebuilds, prebuilds_map)
 }
 
-async fn project_branches(id: &str) -> Result<Vec<GitBranch>> {
-    let org =
-        use_context::<Signal<Option<Organization>>>().ok_or_else(|| anyhow!("can't get org"))?;
-    let org = org
-        .get_untracked()
-        .ok_or_else(|| anyhow!("can't get org"))?;
+async fn project_branches(org: Signal<Option<Organization>>, id: &str) -> Result<Vec<GitBranch>> {
+    let org = org.get().ok_or_else(|| anyhow!("can't get org"))?;
     let resp = Request::get(&format!(
         "/api/v1/organizations/{}/projects/{id}/branches",
         org.id
@@ -527,16 +514,15 @@ async fn project_branches(id: &str) -> Result<Vec<GitBranch>> {
 }
 
 fn project_branches_signal(
-    id: Signal<String>,
-    branch_filter: RwSignal<String>,
-    create_workspace_project: RwSignal<Option<CreateWorkspaceProjectInfo>>,
-) -> Signal<Vec<GitBranch>> {
-    let branches = create_local_resource(
-        || (),
-        move |_| async move { project_branches(&id.get()).await },
-    );
-
-    create_effect(move |_| {
+    org: Signal<Option<Organization>>,
+    id: Signal<String, LocalStorage>,
+    branch_filter: RwSignal<String, LocalStorage>,
+    create_workspace_project: RwSignal<Option<CreateWorkspaceProjectInfo>, LocalStorage>,
+) -> Signal<Vec<GitBranch>, LocalStorage> {
+    let branches =
+        LocalResource::new(move || async move { project_branches(org, &id.get()).await });
+
+    Effect::new(move |_| {
         branches.with(|branches| {
             if let Some(Ok(branches)) = branches {
                 create_workspace_project.update(|project| {
@@ -562,7 +548,7 @@ fn project_branches_signal(
         });
     });
 
-    let branches = Signal::derive(move || {
+    let branches = Signal::derive_local(move || {
         let mut branches = branches
             .with(|branches| {
                 branches
@@ -583,12 +569,11 @@ fn project_branches_signal(
     branches
 }
 
-async fn get_project(id: Uuid) -> Result<ProjectInfo, ErrorResponse> {
-    let org =
-        use_context::<Signal<Option<Organization>>>().ok_or_else(|| anyhow!("can't get org"))?;
-    let org = org
-        .get_untracked()
-        .ok_or_else(|| anyhow!("can't get org"))?;
+async fn get_project(
+    org: Signal<Option<Organization>>,
+    id: Uuid,
+) -> Result<ProjectInfo, ErrorResponse> {
+    let org = org.get().ok_or_else(|| anyhow!("can't get org"))?;
     let resp = Request::get(&format!("/api/v1/organizations/{}/projects/{id}", org.id))
         .send()
         .await?;
@@ -609,15 +594,12 @@ async fn get_project(id: Uuid) -> Result<ProjectInfo, ErrorResponse> {
 }
 
 async fn create_project_prebuild(
+    org: Signal<Option<Organization>>,
     project: String,
     branch: String,
-    prebuilds_counter: RwSignal<i32>,
+    prebuilds_counter: RwSignal<i32, LocalStorage>,
 ) -> Result<()> {
-    let current_org =
-        use_context::<Signal<Option<Organization>>>().ok_or_else(|| anyhow!("can't get org"))?;
-    let org = current_org
-        .get_untracked()
-        .ok_or_else(|| anyhow!("can't get org"))?;
+    let org = org.get().ok_or_else(|| anyhow!("can't get org"))?;
 
     let resp = Request::post(&format!(
         "/api/v1/organizations/{}/projects/{project}/prebuilds",
@@ -638,12 +620,13 @@ async fn create_project_prebuild(
 pub fn ProjectBranchControl(
     project: String,
     branch: String,
-    prebuild: Signal<Option<ProjectPrebuild>>,
-    prebuilds_counter: RwSignal<i32>,
-    new_workspace_modal_hidden: RwSignal<bool>,
-    create_workspace_project: RwSignal<Option<CreateWorkspaceProjectInfo>>,
+    prebuild: Signal<Option<ProjectPrebuild>, LocalStorage>,
+    prebuilds_counter: RwSignal<i32, LocalStorage>,
+    new_workspace_modal_open: RwSignal<bool>,
+    create_workspace_project: RwSignal<Option<CreateWorkspaceProjectInfo>, LocalStorage>,
 ) -> impl IntoView {
-    let hidden = create_rw_signal(true);
+    let hidden = RwSignal::new_local(true);
+    let org = get_current_org();
     let toggle_dropdown = move |_| {
         if hidden.get_untracked() {
             hidden.set(false);
@@ -680,22 +663,28 @@ pub fn ProjectBranchControl(
             hidden.set(true);
             let project = project.clone();
             let branch = branch.clone();
-            create_action(move |_| {
+            Action::new_local(move |_| {
                 let project = project.clone();
                 let branch = branch.clone();
-                create_project_prebuild(project, branch, prebuilds_counter)
+                create_project_prebuild(org, project, branch, prebuilds_counter)
             })
             .dispatch(());
         }
     };
 
-    let delete_modal_hidden = create_rw_signal(true);
+    let delete_modal_open = RwSignal::new(false);
     let delete_action = {
         let project = project.clone();
-        create_action(move |_| {
+        Action::new_local(move |_| {
             let prebuild = prebuild.get_untracked().unwrap();
             let id = prebuild.id;
-            delete_project_prebuild(project.clone(), id, prebuilds_counter, delete_modal_hidden)
+            delete_project_prebuild(
+                org,
+                project.clone(),
+                id,
+                prebuilds_counter,
+                delete_modal_open,
+            )
         })
     };
 
@@ -708,18 +697,17 @@ pub fn ProjectBranchControl(
                     project.branch = branch;
                 }
             });
-            new_workspace_modal_hidden.set(false);
+            new_workspace_modal_open.set(true);
         }
     };
 
     view! {
         <div class="flex flex-row items-center py-1">
-            <button
-                class="px-4 py-2 text-sm font-medium text-white rounded-lg bg-green-700 hover:bg-green-800 focus:ring-4 focus:ring-green-300 focus:outline-none"
+            <Button
                 on:click=handle_create_workspace
             >
                 New Workspace
-            </button>
+            </Button>
             <div
                 class="ml-2 relative"
                 on:focusout=on_focusout
@@ -753,14 +741,14 @@ pub fn ProjectBranchControl(
                             <a
                                 href="#"
                                 class="block px-4 py-2 hover:bg-gray-100"
-                                on:click=move |_| delete_modal_hidden.set(false)
+                                on:click=move |_| delete_modal_open.set(true)
                             >Delete Prebuild</a>
                         </li>
                     </ul>
                 </div>
             </div>
         </div>
-        <DeletionModal resource=format!("prebuild for {}", branch.clone()) modal_hidden=delete_modal_hidden delete_action />
+        <DeleteModal resource=format!("prebuild for {}", branch.clone()) open=delete_modal_open delete_action />
     }
 }
 
@@ -768,22 +756,27 @@ pub fn ProjectBranchControl(
 pub fn ProjectDetails() -> impl IntoView {
     let params = use_params_map();
     let id =
-        params.with_untracked(|params| params.get("id").and_then(|id| Uuid::from_str(id).ok()));
+        params.with_untracked(|params| params.get("id").and_then(|id| Uuid::from_str(&id).ok()));
     let Some(id) = id else {
-        return view! {}.into_view();
+        return ().into_any();
     };
 
-    let delete_modal_hidden = create_rw_signal(true);
-    let new_workspace_modal_hidden = create_rw_signal(true);
-    let create_workspace_project: RwSignal<Option<CreateWorkspaceProjectInfo>> =
-        create_rw_signal(None);
-    let delete_action = create_action(move |_| delete_project(id, delete_modal_hidden, None));
+    let org = get_current_org();
+    let delete_modal_open = RwSignal::new(false);
+    let new_workspace_modal_open = RwSignal::new(false);
+    let create_workspace_project: RwSignal<Option<CreateWorkspaceProjectInfo>, LocalStorage> =
+        RwSignal::new_local(None);
+    let navigate = use_navigate();
+    let delete_action = Action::new_local(move |_| {
+        delete_project(navigate.clone(), org, id, delete_modal_open, None)
+    });
 
-    let project_update_counter = create_rw_signal(0);
-    let project_info = create_local_resource(
-        move || project_update_counter.get(),
-        move |_| async move { get_project(id).await },
-    );
+    let project_update_counter = RwSignal::new_local(0);
+    let project_info = LocalResource::new(move || async move { get_project(org, id).await });
+    Effect::new(move |_| {
+        project_update_counter.track();
+        project_info.refetch();
+    });
     let project_info = Signal::derive(move || {
         project_info.with(|info| {
             info.as_ref()
@@ -793,9 +786,11 @@ pub fn ProjectDetails() -> impl IntoView {
         })
     });
 
-    create_effect(move |_| {
+    let config = use_context::<AppConfig>().unwrap();
+    Effect::new(move |_| {
         project_info.with(|info| {
             if let Some(info) = info {
+                config.current_page.set(info.name.clone());
                 create_workspace_project.update(|project| {
                     if let Some(project) = project.as_mut() {
                         project.project = info.to_owned();
@@ -823,36 +818,40 @@ pub fn ProjectDetails() -> impl IntoView {
             {
                 move || if let Some(info) = project_info.get() {
                     view! {
-                        <ProjectInfoView info delete_modal_hidden new_workspace_modal_hidden create_workspace_project />
-                    }.into_view()
+                        <ProjectInfoView info delete_modal_open new_workspace_modal_open create_workspace_project />
+                    }.into_any()
                 } else {
-                    view! {}.into_view()
+                    ().into_any()
                 }
             }
-            <ProjectDetailsTabView project_id=id project_update_counter new_workspace_modal_hidden create_workspace_project />
+            <ProjectDetailsTabView project_id=id project_update_counter new_workspace_modal_open create_workspace_project />
             {
                 move || if let Some(info) = project_info.get() {
                     view! {
-                        <DeletionModal resource=info.name modal_hidden=delete_modal_hidden delete_action />
-                    }.into_view()
+                        <DeleteModal
+                            resource=info.name
+                            open=delete_modal_open
+                            delete_action
+                        />
+                    }.into_any()
                 } else {
-                    view! {}.into_view()
+                    ().into_any()
                 }
             }
-            <NewWorkspaceModal modal_hidden=new_workspace_modal_hidden project_info=create_workspace_project />
+            <NewWorkspaceModal modal_open=new_workspace_modal_open project_info=create_workspace_project />
         </div>
-    }.into_view()
+    }.into_any()
 }
 
 #[component]
 fn ProjectInfoView(
     info: ProjectInfo,
-    delete_modal_hidden: RwSignal<bool>,
-    new_workspace_modal_hidden: RwSignal<bool>,
-    create_workspace_project: RwSignal<Option<CreateWorkspaceProjectInfo>>,
+    delete_modal_open: RwSignal<bool>,
+    new_workspace_modal_open: RwSignal<bool>,
+    create_workspace_project: RwSignal<Option<CreateWorkspaceProjectInfo>, LocalStorage>,
 ) -> impl IntoView {
-    let cluster_info = expect_context::<Signal<Option<ClusterInfo>>>();
-    let machine_types = create_rw_signal(cluster_info.get_untracked().map(|i| i.machine_types));
+    let cluster_info = get_cluster_info();
+    let machine_types = RwSignal::new_local(cluster_info.get_untracked().map(|i| i.machine_types));
     view! {
         <h5 class="text-semibold text-2xl mt-4">
             { info.name.clone() }
@@ -865,8 +864,8 @@ fn ProjectInfoView(
                 <svg class="w-3 h-3 mr-2" aria-hidden="true" xmlns="http://www.w3.org/2000/svg" fill="none" viewBox="0 0 14 20">
                     <path stroke="currentColor" stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M3 5v10M3 5a2 2 0 1 0 0-4 2 2 0 0 0 0 4Zm0 10a2 2 0 1 0 0 4 2 2 0 0 0 0-4Zm6-3.976-2-.01A4.015 4.015 0 0 1 3 7m10 4a2 2 0 1 1-4 0 2 2 0 0 1 4 0Z"/>
                 </svg>
-                <span class="mr-1 text-gray-500">{"Repository URL:"}</span>
-                <span>{ move || info.repo_url.clone() }</span>
+                <span class="text-gray-500 w-36">{"Repository URL"}</span>
+                <span>{ info.repo_url.clone() }</span>
             </a>
         </span>
         <span class="mt-2 text-sm flex flex-row items-center rounded me-2">
@@ -875,7 +874,7 @@ fn ProjectInfoView(
                 <path d="M5 11.5a.5.5 0 1 1-1 0 .5.5 0 0 1 1 0m-2 0a.5.5 0 1 1-1 0 .5.5 0 0 1 1 0M14 3a1 1 0 0 1 1 1v1a1 1 0 0 1-1 1H2a1 1 0 0 1-1-1V4a1 1 0 0 1 1-1zM2 2a2 2 0 0 0-2 2v1a2 2 0 0 0 2 2h12a2 2 0 0 0 2-2V4a2 2 0 0 0-2-2z"/>
                 <path d="M5 4.5a.5.5 0 1 1-1 0 .5.5 0 0 1 1 0m-2 0a.5.5 0 1 1-1 0 .5.5 0 0 1 1 0"/>
             </svg>
-            <span class="mr-1 text-gray-500">{"Machine Type:"}</span>
+            <span class="text-gray-500 w-36">{"Machine Type"}</span>
             {
                 move || machine_types.get()
                     .and_then(|m|
@@ -890,11 +889,11 @@ fn ProjectInfoView(
             <svg class="w-2.5 h-2.5 mr-2" aria-hidden="true" xmlns="http://www.w3.org/2000/svg" fill="currentColor" viewBox="0 0 20 20">
             <path d="M10 0a10 10 0 1 0 10 10A10.011 10.011 0 0 0 10 0Zm3.982 13.982a1 1 0 0 1-1.414 0l-3.274-3.274A1.012 1.012 0 0 1 9 10V6a1 1 0 0 1 2 0v3.586l2.982 2.982a1 1 0 0 1 0 1.414Z"/>
             </svg>
-            <span class="mr-1 text-gray-500">{"Created:"}</span>
+            <span class="text-gray-500 w-36">{"Created"}</span>
             <DatetimeModal time=info.created_at />
         </span>
         <div class="mt-4">
-            <ProjectControl project_info=None delete_modal_hidden project_id=info.id align_right=false new_workspace_modal_hidden create_workspace_project />
+            <ProjectControl project_info=None delete_modal_open project_id=info.id align_right=false new_workspace_modal_open create_workspace_project />
         </div>
     }
 }
@@ -910,11 +909,11 @@ enum TabKind {
 #[component]
 fn ProjectDetailsTabView(
     project_id: Uuid,
-    project_update_counter: RwSignal<i32>,
-    new_workspace_modal_hidden: RwSignal<bool>,
-    create_workspace_project: RwSignal<Option<CreateWorkspaceProjectInfo>>,
+    project_update_counter: RwSignal<i32, LocalStorage>,
+    new_workspace_modal_open: RwSignal<bool>,
+    create_workspace_project: RwSignal<Option<CreateWorkspaceProjectInfo>, LocalStorage>,
 ) -> impl IntoView {
-    let tab_kind = create_rw_signal(TabKind::Branch);
+    let tab_kind = RwSignal::new_local(TabKind::Branch);
     let active_class =
         "inline-block p-4 text-blue-600 border-b-2 border-blue-600 rounded-t-lg active";
     let inactive_class = "inline-block p-4 border-b-2 border-transparent rounded-t-lg hover:text-gray-600 hover:border-gray-300";
@@ -922,9 +921,11 @@ fn ProjectDetailsTabView(
         tab_kind.set(kind);
     };
 
-    let prebuild_filter = create_rw_signal(String::new());
+    let org = get_current_org();
+    let prebuild_filter = RwSignal::new_local(String::new());
     let (prebuilds_counter, prebuilds, prebuilds_map) = project_prebuilds_signal(
-        Signal::derive(move || project_id.to_string()),
+        org,
+        Signal::derive_local(move || project_id.to_string()),
         prebuild_filter,
         create_workspace_project,
     );
@@ -962,8 +963,8 @@ fn ProjectDetailsTabView(
                 </li>
             </ul>
         </div>
-        <ProjectBranchesView tab_kind project_id prebuilds=prebuilds_map prebuilds_counter new_workspace_modal_hidden create_workspace_project />
-        <ProjectPrebuildsView tab_kind project_id prebuilds prebuilds_counter prebuild_filter new_workspace_modal_hidden create_workspace_project />
+        <ProjectBranchesView tab_kind project_id prebuilds=prebuilds_map prebuilds_counter new_workspace_modal_open create_workspace_project />
+        <ProjectPrebuildsView tab_kind project_id prebuilds prebuilds_counter prebuild_filter new_workspace_modal_open create_workspace_project />
         <ProjectEnvView tab_kind project_id />
         <ProjectSettingsView tab_kind project_id project_update_counter />
     }
@@ -971,16 +972,18 @@ fn ProjectDetailsTabView(
 
 #[component]
 fn ProjectBranchesView(
-    tab_kind: RwSignal<TabKind>,
+    tab_kind: RwSignal<TabKind, LocalStorage>,
     project_id: Uuid,
-    prebuilds: Signal<HashMap<String, ProjectPrebuild>>,
-    prebuilds_counter: RwSignal<i32>,
-    new_workspace_modal_hidden: RwSignal<bool>,
-    create_workspace_project: RwSignal<Option<CreateWorkspaceProjectInfo>>,
+    prebuilds: Signal<HashMap<String, ProjectPrebuild>, LocalStorage>,
+    prebuilds_counter: RwSignal<i32, LocalStorage>,
+    new_workspace_modal_open: RwSignal<bool>,
+    create_workspace_project: RwSignal<Option<CreateWorkspaceProjectInfo>, LocalStorage>,
 ) -> impl IntoView {
-    let branch_filter = create_rw_signal(String::new());
+    let branch_filter = RwSignal::new_local(String::new());
+    let org = get_current_org();
     let branches = project_branches_signal(
-        Signal::derive(move || project_id.to_string()),
+        org,
+        Signal::derive_local(move || project_id.to_string()),
         branch_filter,
         create_workspace_project,
     );
@@ -1025,7 +1028,7 @@ fn ProjectBranchesView(
                     children=move |(i,branch)| {
                         let prebuild = {
                             let branch_name = branch.name.clone();
-                            Signal::derive(move || {
+                            Signal::derive_local(move || {
                                 prebuilds.with(|prebuilds| {
                                     prebuilds.get(&branch_name).cloned()
                                 })
@@ -1041,7 +1044,7 @@ fn ProjectBranchesView(
                                     <div class="truncate">{branch.summary}</div>
                                     <div class="truncate text-sm mt-1">
                                         <span class="mr-2">{branch.time.to_string()}</span>
-                                        <span>{&branch.commit[..7].to_string()}</span>
+                                        <span>{branch.commit[..7].to_string()}</span>
                                     </div>
                                 </div>
                                 <span class="w-1/3 pl-2 flex flex-row items-center">
@@ -1061,7 +1064,7 @@ fn ProjectBranchesView(
                                         }</span>
                                     </div>
                                     <span class="w-2/3">
-                                        <ProjectBranchControl project=project_id.to_string() branch=branch.name.clone() prebuild prebuilds_counter new_workspace_modal_hidden create_workspace_project />
+                                        <ProjectBranchControl project=project_id.to_string() branch=branch.name.clone() prebuild prebuilds_counter new_workspace_modal_open create_workspace_project />
                                     </span>
                                 </span>
                             </div>
@@ -1075,13 +1078,13 @@ fn ProjectBranchesView(
 
 #[component]
 fn ProjectPrebuildsView(
-    tab_kind: RwSignal<TabKind>,
+    tab_kind: RwSignal<TabKind, LocalStorage>,
     project_id: Uuid,
-    prebuilds: Signal<Vec<ProjectPrebuild>>,
-    prebuilds_counter: RwSignal<i32>,
-    prebuild_filter: RwSignal<String>,
-    new_workspace_modal_hidden: RwSignal<bool>,
-    create_workspace_project: RwSignal<Option<CreateWorkspaceProjectInfo>>,
+    prebuilds: Signal<Vec<ProjectPrebuild>, LocalStorage>,
+    prebuilds_counter: RwSignal<i32, LocalStorage>,
+    prebuild_filter: RwSignal<String, LocalStorage>,
+    new_workspace_modal_open: RwSignal<bool>,
+    create_workspace_project: RwSignal<Option<CreateWorkspaceProjectInfo>, LocalStorage>,
 ) -> impl IntoView {
     view! {
         <div
@@ -1148,7 +1151,7 @@ fn ProjectPrebuildsView(
                                         </span>
                                     </div>
                                     <span class="w-2/3">
-                                        <ProjectBranchControl project=project_id.to_string() branch=prebuild.branch.clone() prebuild=Signal::derive(move || {Some(prebuild.clone())}) prebuilds_counter new_workspace_modal_hidden create_workspace_project />
+                                        <ProjectBranchControl project=project_id.to_string() branch=prebuild.branch.clone() prebuild=Signal::derive_local(move || {Some(prebuild.clone())}) prebuilds_counter new_workspace_modal_open create_workspace_project />
                                     </span>
                                 </span>
                             </div>
@@ -1162,9 +1165,9 @@ fn ProjectPrebuildsView(
 
 #[component]
 fn ProjectSettingsView(
-    tab_kind: RwSignal<TabKind>,
+    tab_kind: RwSignal<TabKind, LocalStorage>,
     project_id: Uuid,
-    project_update_counter: RwSignal<i32>,
+    project_update_counter: RwSignal<i32, LocalStorage>,
 ) -> impl IntoView {
     view! {
         <div
@@ -1177,19 +1180,23 @@ fn ProjectSettingsView(
 }
 
 #[component]
-fn SaveMachineTypeView(project_id: Uuid, project_update_counter: RwSignal<i32>) -> impl IntoView {
-    let current_machine_type = create_rw_signal(None);
-    let preferred_machine_type = Signal::derive(|| None);
+fn SaveMachineTypeView(
+    project_id: Uuid,
+    project_update_counter: RwSignal<i32, LocalStorage>,
+) -> impl IntoView {
+    let current_machine_type = RwSignal::new_local(None);
+    let preferred_machine_type = Signal::derive_local(|| None);
+    let org = get_current_org();
 
-    let save_action = create_action(move |_| async move {
+    let save_action = Action::new_local(move |_| async move {
         let machine_type_id = current_machine_type.get_untracked().unwrap_or_else(|| {
-            let cluster_info = expect_context::<Signal<Option<ClusterInfo>>>();
+            let cluster_info = get_cluster_info();
             cluster_info
                 .get_untracked()
                 .and_then(|i| i.machine_types.first().map(|m| m.id))
                 .unwrap_or_else(|| Uuid::from_u128(0))
         });
-        update_project_machine_type(project_id, machine_type_id).await
+        update_project_machine_type(org, project_id, machine_type_id).await
     });
 
     let body = view! {
@@ -1205,11 +1212,11 @@ fn SaveMachineTypeView(project_id: Uuid, project_update_counter: RwSignal<i32>)
 
 #[component]
 pub fn MachineTypeView(
-    current_machine_type: RwSignal<Option<Uuid>>,
-    preferred_machine_type: Signal<Option<Uuid>>,
+    current_machine_type: RwSignal<Option<Uuid>, LocalStorage>,
+    preferred_machine_type: Signal<Option<Uuid>, LocalStorage>,
 ) -> impl IntoView {
-    let cluster_info = expect_context::<Signal<Option<ClusterInfo>>>();
-    let machine_types = create_rw_signal(cluster_info.get_untracked().map(|i| i.machine_types));
+    let cluster_info = get_cluster_info();
+    let machine_types = RwSignal::new_local(cluster_info.get_untracked().map(|i| i.machine_types));
     let change_machine_type = move |ev: web_sys::Event| {
         let element = ev
             .target()
@@ -1222,17 +1229,15 @@ pub fn MachineTypeView(
         }
     };
 
-    create_effect(move |_| {
+    Effect::new(move |_| {
         if let Some(uuid) = preferred_machine_type.get() {
             current_machine_type.set(Some(uuid));
         }
     });
 
     view! {
-        <div>
-            <label class="block mb-2 text-sm font-medium text-gray-900">
-                Machine Type
-            </label>
+        <div class="flex flex-col gap-2">
+            <Label>Machine Type</Label>
             <select
                 id="select"
                 class="bg-gray-50 border border-gray-300 text-gray-900 text-sm rounded-lg focus:ring-blue-500 focus:border-blue-500 block w-full p-2.5"
@@ -1258,12 +1263,11 @@ pub fn MachineTypeView(
     }
 }
 
-async fn get_env(project_id: Uuid) -> Result<Vec<(String, String)>, ErrorResponse> {
-    let current_org =
-        use_context::<Signal<Option<Organization>>>().ok_or_else(|| anyhow!("can't get org"))?;
-    let org = current_org
-        .get_untracked()
-        .ok_or_else(|| anyhow!("can't get org"))?;
+async fn get_env(
+    org: Signal<Option<Organization>>,
+    project_id: Uuid,
+) -> Result<Vec<(String, String)>, ErrorResponse> {
+    let org = org.get().ok_or_else(|| anyhow!("can't get org"))?;
 
     let resp = Request::get(&format!(
         "/api/v1/organizations/{}/projects/{project_id}/env",
@@ -1285,12 +1289,12 @@ async fn get_env(project_id: Uuid) -> Result<Vec<(String, String)>, ErrorRespons
     Ok(envs)
 }
 
-async fn update_env(project_id: Uuid, envs: Vec<(String, String)>) -> Result<(), ErrorResponse> {
-    let current_org =
-        use_context::<Signal<Option<Organization>>>().ok_or_else(|| anyhow!("can't get org"))?;
-    let org = current_org
-        .get_untracked()
-        .ok_or_else(|| anyhow!("can't get org"))?;
+async fn update_env(
+    org: Signal<Option<Organization>>,
+    project_id: Uuid,
+    envs: Vec<(String, String)>,
+) -> Result<(), ErrorResponse> {
+    let org = org.get().ok_or_else(|| anyhow!("can't get org"))?;
 
     let resp = Request::put(&format!(
         "/api/v1/organizations/{}/projects/{project_id}/env",
@@ -1313,20 +1317,26 @@ async fn update_env(project_id: Uuid, envs: Vec<(String, String)>) -> Result<(),
 }
 
 #[component]
-fn ProjectEnvView(project_id: Uuid, tab_kind: RwSignal<TabKind>) -> impl IntoView {
-    let envs = create_rw_signal(vec![]);
+fn ProjectEnvView(project_id: Uuid, tab_kind: RwSignal<TabKind, LocalStorage>) -> impl IntoView {
+    let envs = RwSignal::new_local(vec![]);
+    let org = get_current_org();
+
+    let update_counter = RwSignal::new_local(0);
+    let current_envs =
+        LocalResource::new(
+            move || async move { get_env(org, project_id).await.unwrap_or_default() },
+        );
+    Effect::new(move |_| {
+        update_counter.track();
+        current_envs.refetch();
+    });
 
-    let update_counter = create_rw_signal(0);
-    let current_envs = create_local_resource(
-        move || update_counter.get(),
-        move |_| async move { get_env(project_id).await.unwrap_or_default() },
-    );
-    create_effect(move |_| {
+    Effect::new(move |_| {
         let current_envs = current_envs.with(|envs| envs.clone().unwrap_or_default());
         envs.update(|envs| {
             *envs = current_envs
                 .into_iter()
-                .map(|(name, value)| (create_rw_signal(name), create_rw_signal(value)))
+                .map(|(name, value)| (RwSignal::new_local(name), RwSignal::new_local(value)))
                 .collect();
         });
     });
@@ -1334,8 +1344,8 @@ fn ProjectEnvView(project_id: Uuid, tab_kind: RwSignal<TabKind>) -> impl IntoVie
     let new_variable = move |_| {
         envs.update(|envs| {
             envs.push((
-                create_rw_signal(String::new()),
-                create_rw_signal(String::new()),
+                RwSignal::new_local(String::new()),
+                RwSignal::new_local(String::new()),
             ));
         });
     };
@@ -1344,7 +1354,7 @@ fn ProjectEnvView(project_id: Uuid, tab_kind: RwSignal<TabKind>) -> impl IntoVie
             envs.remove(i);
         })
     };
-    let save_action = create_action(move |_| async move {
+    let save_action = Action::new_local(move |_| async move {
         let envs = envs.get_untracked();
         let envs: Vec<(String, String)> = envs
             .into_iter()
@@ -1357,7 +1367,7 @@ fn ProjectEnvView(project_id: Uuid, tab_kind: RwSignal<TabKind>) -> impl IntoVie
                 Some((name, value))
             })
             .collect();
-        update_env(project_id, envs).await
+        update_env(org, project_id, envs).await
     });
     let body = view! {
         <For
@@ -1397,20 +1407,23 @@ fn ProjectEnvView(project_id: Uuid, tab_kind: RwSignal<TabKind>) -> impl IntoVie
         />
     };
     let extra = view! {
-        <button
-            type="button"
-            class="ml-2 py-2.5 px-5 text-sm font-medium text-gray-900 focus:outline-none bg-white rounded-lg border border-gray-200 hover:bg-gray-100 hover:text-blue-700 focus:z-10 focus:ring-4 focus:ring-gray-100"
+        <Button
+            variant=ButtonVariant::Secondary
             on:click=new_variable
         >
             New Variable
-        </button>
-    }.into_view();
+        </Button>
+    }
+    .into_any();
     view! {
         <div
-            class="p-4"
+            class="pb-4 px-4"
             class:hidden=move || tab_kind.get() != TabKind::Env
         >
-            <SettingView title="".to_string() action=save_action body update_counter extra=Some(extra) />
+            <SettingView title="".to_string() action=save_action body=() update_counter extra=Some(extra) />
+            <div class="mt-4">
+            {body}
+            </div>
         </div>
     }
 }
diff --git a/lapdev-dashboard/src/quota.rs b/crates/dashboard/src/quota.rs
similarity index 72%
rename from lapdev-dashboard/src/quota.rs
rename to crates/dashboard/src/quota.rs
index 42f031b..ee5849c 100644
--- a/lapdev-dashboard/src/quota.rs
+++ b/crates/dashboard/src/quota.rs
@@ -1,19 +1,16 @@
 use anyhow::{anyhow, Result};
 use gloo_net::http::Request;
 use lapdev_common::{console::Organization, OrgQuota, OrgQuotaValue, QuotaKind, UpdateOrgQuota};
-use leptos::{
-    component, create_action, create_rw_signal, use_context, view, Action, IntoView, RwSignal,
-    Signal, SignalGet, SignalGetUntracked, SignalSet,
-};
+use leptos::prelude::*;
 
-use crate::modal::{CreationInput, CreationModal, ErrorResponse};
+use crate::{
+    component::button::Button,
+    modal::{CreationInput, ErrorResponse, Modal},
+    organization::get_current_org,
+};
 
-async fn get_org_quota() -> Result<OrgQuota, ErrorResponse> {
-    let org =
-        use_context::<Signal<Option<Organization>>>().ok_or_else(|| anyhow!("can't get org"))?;
-    let org = org
-        .get_untracked()
-        .ok_or_else(|| anyhow!("can't get org"))?;
+async fn get_org_quota(org: Signal<Option<Organization>>) -> Result<OrgQuota, ErrorResponse> {
+    let org = org.get().ok_or_else(|| anyhow!("can't get org"))?;
 
     let resp = Request::get(&format!("/api/v1/organizations/{}/quota", org.id))
         .send()
@@ -36,11 +33,12 @@ async fn get_org_quota() -> Result<OrgQuota, ErrorResponse> {
 
 #[component]
 pub fn QuotaView() -> impl IntoView {
-    let error = create_rw_signal(None);
+    let error = RwSignal::new_local(None);
+    let org = get_current_org();
 
-    let get_action = create_action(move |()| async move {
+    let get_action = Action::new_local(move |()| async move {
         error.set(None);
-        let result = get_org_quota().await;
+        let result = get_org_quota(org).await;
 
         if let Err(e) = &result {
             error.set(Some(e.error.clone()));
@@ -91,11 +89,12 @@ pub fn QuotaView() -> impl IntoView {
 }
 
 async fn update_org_quota(
+    org: Signal<Option<Organization>>,
     kind: QuotaKind,
     default_user_quota: String,
     org_quota: String,
     get_action: Action<(), Result<OrgQuota, ErrorResponse>>,
-    update_modal_hidden: RwSignal<bool>,
+    update_modal_open: RwSignal<bool>,
 ) -> Result<(), ErrorResponse> {
     let default_user_quota: usize = match default_user_quota.parse() {
         Ok(n) => n,
@@ -114,11 +113,7 @@ async fn update_org_quota(
         }
     };
 
-    let org =
-        use_context::<Signal<Option<Organization>>>().ok_or_else(|| anyhow!("can't get org"))?;
-    let org = org
-        .get_untracked()
-        .ok_or_else(|| anyhow!("can't get org"))?;
+    let org = org.get().ok_or_else(|| anyhow!("can't get org"))?;
 
     let resp = Request::put(&format!("/api/v1/organizations/{}/quota", org.id))
         .json(&UpdateOrgQuota {
@@ -138,7 +133,7 @@ async fn update_org_quota(
         return Err(error);
     }
 
-    update_modal_hidden.set(true);
+    update_modal_open.set(false);
     get_action.dispatch(());
 
     Ok(())
@@ -163,23 +158,20 @@ fn QuotaItemView(
     } else {
         "bg-green-600"
     };
-    let update_modal_hidden = create_rw_signal(true);
-
-    let org_quota = create_rw_signal(value.org_quota.to_string());
-    let default_user_quota = create_rw_signal(value.default_user_quota.to_string());
+    let update_modal_open = RwSignal::new(false);
 
-    let update_modal_body = view! {
-        <CreationInput label="Default User Quota".to_string() value=default_user_quota placeholder="quota number, 0 means disabled".to_string() />
-        <CreationInput label="Organization Quota".to_string() value=org_quota placeholder="quota number, 0 means disabled".to_string() />
-    };
+    let org_quota = RwSignal::new_local(value.org_quota.to_string());
+    let default_user_quota = RwSignal::new_local(value.default_user_quota.to_string());
+    let org = get_current_org();
 
-    let update_action = create_action(move |()| async move {
+    let update_action = Action::new_local(move |()| async move {
         update_org_quota(
+            org,
             kind,
             default_user_quota.get_untracked(),
             org_quota.get_untracked(),
             get_action,
-            update_modal_hidden,
+            update_modal_open,
         )
         .await
     });
@@ -194,8 +186,7 @@ fn QuotaItemView(
 
     view! {
         <div
-            class="flex items-center w-full px-4 py-2"
-            class=("border-t", move || i > 0)
+            class=format!("flex items-center w-full px-4 py-2 {}", if i > 0 {"border-t"} else {""})
         >
             <div class="w-1/4 flex flex-col">
                 <p>{kind.to_string()}</p>
@@ -204,7 +195,7 @@ fn QuotaItemView(
                 <p><span class="text-gray-500 mr-1">{"Default User Quota:"}</span>{value.default_user_quota}</p>
                 <p><span class="text-gray-500 mr-1">{"Organization Quota:"}</span>{value.org_quota}</p>
             </div>
-            <div class="w-1/2 flex flex-row">
+            <div class="w-1/2 flex flex-row items-center">
                 <div class="w-1/3 flex flex-col">
                     <p>{current_usage}</p>
                 </div>
@@ -215,15 +206,23 @@ fn QuotaItemView(
                         </div>
                         <span class="ml-2">{format!("{percentage}%")}</span>
                     </div>
-                    <button
-                        class="px-4 py-2 text-sm font-medium text-white rounded-lg bg-green-700 hover:bg-green-800 focus:ring-4 focus:ring-green-300 focus:outline-none"
-                        on:click=move |_| update_modal_hidden.set(false)
+                    <Button
+                        on:click=move |_| update_modal_open.set(true)
                     >
                         Update
-                    </button>
+                    </Button>
                 </div>
             </div>
         </div>
-        <CreationModal title=format!("Update {kind} Quota") modal_hidden=update_modal_hidden action=update_action body=update_modal_body update_text=None updating_text=None width_class=None create_button_hidden=Box::new(|| false) />
+        <Modal
+            title=format!("Update {kind} Quota")
+            open=update_modal_open
+            action=update_action
+            action_text="Update"
+            action_progress_text="Updating"
+        >
+            <CreationInput label="Default User Quota".to_string() value=default_user_quota placeholder="quota number, 0 means disabled".to_string() />
+            <CreationInput label="Organization Quota".to_string() value=org_quota placeholder="quota number, 0 means disabled".to_string() />
+        </Modal>
     }
 }
diff --git a/crates/dashboard/src/sse.rs b/crates/dashboard/src/sse.rs
new file mode 100644
index 0000000..aaea220
--- /dev/null
+++ b/crates/dashboard/src/sse.rs
@@ -0,0 +1,71 @@
+use std::time::Duration;
+
+use futures::StreamExt;
+use gloo_net::eventsource::futures::EventSource;
+use gloo_timers::future::TimeoutFuture;
+
+/// Runs an EventSource subscription with automatic reconnection and console logging.
+pub async fn run_sse_with_retry<F>(
+    url: String,
+    event_name: &'static str,
+    listener_name: String,
+    mut handle_event: F,
+) where
+    F: FnMut(web_sys::MessageEvent) + 'static,
+{
+    let mut backoff = Duration::from_secs(1);
+
+    loop {
+        match EventSource::new(&url) {
+            Ok(mut event_source) => {
+                match event_source.subscribe(event_name) {
+                    Ok(mut stream) => {
+                        web_sys::console::log_1(&format!("[{listener_name}] connected").into());
+                        backoff = Duration::from_secs(1);
+
+                        while let Some(event) = stream.next().await {
+                            match event {
+                                Ok((_, message)) => {
+                                    handle_event(message);
+                                }
+                                Err(err) => {
+                                    web_sys::console::error_1(
+                                        &format!("[{listener_name}] stream error: {err}").into(),
+                                    );
+                                    break;
+                                }
+                            }
+                        }
+
+                        web_sys::console::warn_1(
+                            &format!("[{listener_name}] stream ended; attempting to reconnect")
+                                .into(),
+                        );
+                    }
+                    Err(err) => {
+                        web_sys::console::error_1(
+                            &format!(
+                                "[{listener_name}] failed to subscribe to '{event_name}': {err}"
+                            )
+                            .into(),
+                        );
+                    }
+                }
+
+                event_source.close();
+            }
+            Err(err) => {
+                web_sys::console::error_1(
+                    &format!("[{listener_name}] failed to connect to EventSource: {err}").into(),
+                );
+            }
+        }
+
+        let wait_ms = backoff.as_millis().min(u128::from(u32::MAX)) as u32;
+        web_sys::console::warn_1(
+            &format!("[{listener_name}] reconnecting in {}s", backoff.as_secs()).into(),
+        );
+        TimeoutFuture::new(wait_ms).await;
+        backoff = (backoff * 2).min(Duration::from_secs(30));
+    }
+}
diff --git a/crates/dashboard/src/ssh_key.rs b/crates/dashboard/src/ssh_key.rs
new file mode 100644
index 0000000..a04d67c
--- /dev/null
+++ b/crates/dashboard/src/ssh_key.rs
@@ -0,0 +1,164 @@
+use anyhow::Result;
+use gloo_net::http::Request;
+use lapdev_common::{NewSshKey, SshKey};
+use leptos::prelude::*;
+
+use crate::{
+    component::button::{Button, ButtonVariant},
+    modal::{CreationInput, DeleteModal, ErrorResponse, Modal},
+};
+
+async fn delete_ssh_key(
+    id: String,
+    delete_modal_open: RwSignal<bool>,
+    update_counter: RwSignal<i32, LocalStorage>,
+) -> Result<(), ErrorResponse> {
+    let resp = Request::delete(&format!("/api/v1/account/ssh_keys/{id}"))
+        .send()
+        .await?;
+    if resp.status() != 204 {
+        let error = resp
+            .json::<ErrorResponse>()
+            .await
+            .unwrap_or_else(|_| ErrorResponse {
+                error: "Internal Server Error".to_string(),
+            });
+        return Err(error);
+    }
+    delete_modal_open.set(false);
+    update_counter.update(|c| *c += 1);
+    Ok(())
+}
+
+#[component]
+pub fn SshKeyItem(key: SshKey, update_counter: RwSignal<i32, LocalStorage>) -> impl IntoView {
+    let id = key.id;
+    let name = key.name.clone();
+    let delete_modal_open = RwSignal::new(false);
+    let delete_action = Action::new_local(move |_| {
+        delete_ssh_key(id.to_string(), delete_modal_open, update_counter)
+    });
+
+    view! {
+        <div class="flex flex-row items-center border rounded-xl px-4 py-2">
+            <div class="w-1/6">{key.name}</div>
+            <div class="w-3/6 truncate p-2">{key.key}</div>
+            <div class="w-1/6 truncate p-2">{key.created_at.to_rfc2822()}</div>
+            <div class="w-1/6 flex justify-end items-center">
+                <Button variant=ButtonVariant::Destructive
+                    on:click=move |_| delete_modal_open.set(true)
+                >Delete</Button>
+            </div>
+            <DeleteModal
+            resource=name
+            open=delete_modal_open delete_action />
+        </div>
+    }
+}
+
+async fn all_ssh_keys() -> Result<Vec<SshKey>> {
+    let resp = Request::get("/api/v1/account/ssh_keys").send().await?;
+    let ssh_keys: Vec<SshKey> = resp.json().await?;
+    Ok(ssh_keys)
+}
+
+#[component]
+pub fn SshKeys() -> impl IntoView {
+    let update_counter = RwSignal::new_local(0);
+    let ssh_keys = LocalResource::new(|| async move { all_ssh_keys().await.unwrap_or_default() });
+    Effect::new(move |_| {
+        update_counter.track();
+        ssh_keys.refetch();
+    });
+
+    view! {
+        <section class="w-full flex flex-col">
+            <div class="border-b pb-4 w-full">
+                <div class="flex items-end justify-between">
+                    <div class="min-w-0 mr-4">
+                        <h5 class="mr-3 text-2xl font-semibold">
+                            SSH Keys
+                        </h5>
+                        <p class="text-gray-700">{"Manage your SSH keys. Add your SSH public keys to your account will enable you to SSH into all your workspaces."}</p>
+                    </div>
+                    <NewSshKey update_counter />
+                </div>
+            </div>
+            <div class="flex flex-col py-4 space-y-4">
+                <For
+                    each=move || ssh_keys.get().unwrap_or_default()
+                    key=|key|  key.id
+                    children=move |key| {
+                        view! {
+                            <SshKeyItem key update_counter />
+                        }
+                    }
+                />
+            </div>
+        </section>
+    }
+}
+
+async fn create_ssh_key(
+    name: RwSignal<String, LocalStorage>,
+    key: RwSignal<String, LocalStorage>,
+    modal_open: RwSignal<bool>,
+    update_counter: RwSignal<i32, LocalStorage>,
+) -> Result<(), ErrorResponse> {
+    let resp = Request::post("/api/v1/account/ssh_keys")
+        .json(&NewSshKey {
+            name: name.get_untracked(),
+            key: key.get_untracked(),
+        })?
+        .send()
+        .await?;
+    if resp.status() != 200 {
+        let error = resp
+            .json::<ErrorResponse>()
+            .await
+            .unwrap_or_else(|_| ErrorResponse {
+                error: "Internal Server Error".to_string(),
+            });
+        return Err(error);
+    }
+
+    modal_open.set(false);
+    update_counter.update(|c| *c += 1);
+    name.set(String::new());
+    key.set(String::new());
+
+    Ok(())
+}
+
+#[component]
+pub fn NewSshKey(update_counter: RwSignal<i32, LocalStorage>) -> impl IntoView {
+    let name = RwSignal::new_local(String::new());
+    let key = RwSignal::new_local(String::new());
+
+    let modal_open = RwSignal::new(false);
+    let action = Action::new_local(move |_| create_ssh_key(name, key, modal_open, update_counter));
+
+    view! {
+        <Button
+            on:click=move |_| modal_open.set(true)
+        >
+            New SSH Key
+        </Button>
+        <Modal
+            title="New SSH Key"
+            open=modal_open
+            action
+        >
+            <CreationInput label="Name".to_string() value=name placeholder="".to_string() />
+            <div>
+                <label class="block mb-2 text-sm font-medium text-gray-900">SSH Public Key</label>
+                <textarea
+                    rows=4
+                    prop:value={move || key.get()}
+                    on:input=move |ev| { key.set(event_target_value(&ev)); }
+                    class="bg-gray-50 border border-gray-300 text-gray-900 text-sm rounded-lg focus:ring-blue-500 focus:border-blue-500 block w-full p-2.5"
+                />
+            </div>
+        </Modal>
+    }
+}
diff --git a/lapdev-dashboard/src/usage.rs b/crates/dashboard/src/usage.rs
similarity index 88%
rename from lapdev-dashboard/src/usage.rs
rename to crates/dashboard/src/usage.rs
index 83adb38..d41d7be 100644
--- a/lapdev-dashboard/src/usage.rs
+++ b/crates/dashboard/src/usage.rs
@@ -2,24 +2,25 @@ use anyhow::{anyhow, Result};
 use chrono::{DateTime, FixedOffset, Local, NaiveDate, TimeZone};
 use gloo_net::http::Request;
 use lapdev_common::{console::Organization, UsageRecord, UsageResult};
-use leptos::{
-    component, create_action, create_rw_signal, event_target_value, use_context, view, For,
-    IntoView, Signal, SignalGet, SignalGetUntracked, SignalSet, SignalUpdate, SignalWith,
-    SignalWithUntracked,
-};
+use leptos::prelude::*;
 use rust_decimal::{prelude::FromPrimitive, Decimal};
 
 use crate::{
+    component::button::Button,
     datepicker::Datepicker,
     modal::{DatetimeModal, ErrorResponse},
+    organization::get_current_org,
 };
 
 async fn get_org_usage(
+    org: Signal<Option<Organization>>,
     start: Option<NaiveDate>,
     end: Option<NaiveDate>,
     page_size: String,
     page: u64,
 ) -> Result<UsageResult, ErrorResponse> {
+    let org = org.get().ok_or_else(|| anyhow!("can't get org"))?;
+
     let start: DateTime<FixedOffset> = start
         .and_then(|t| {
             Local
@@ -45,12 +46,6 @@ async fn get_org_usage(
         })
         .into();
 
-    let org =
-        use_context::<Signal<Option<Organization>>>().ok_or_else(|| anyhow!("can't get org"))?;
-    let org = org
-        .get_untracked()
-        .ok_or_else(|| anyhow!("can't get org"))?;
-
     let page_size = page_size.parse::<u64>().unwrap_or(10);
 
     let resp = Request::get(&format!("/api/v1/organizations/{}/usage", org.id))
@@ -80,21 +75,23 @@ async fn get_org_usage(
 
 #[component]
 pub fn UsageView() -> impl IntoView {
-    let from_date = create_rw_signal(Some(Local::now().date_naive()));
-    let to_date = create_rw_signal(Some(Local::now().date_naive()));
-    let page_size = create_rw_signal(String::new());
-    let page = create_rw_signal(0);
+    let from_date = RwSignal::new(Some(Local::now().date_naive()));
+    let to_date = RwSignal::new(Some(Local::now().date_naive()));
+    let page_size = RwSignal::new(String::new());
+    let page = RwSignal::new(0);
 
-    let error = create_rw_signal(None);
+    let error = RwSignal::new(None);
 
-    let counter = create_rw_signal(0);
+    let counter = RwSignal::new(0);
+    let org = get_current_org();
 
-    let get_action = create_action(move |()| async move {
+    let get_action = Action::new_local(move |()| async move {
         counter.update(|c| {
             *c += 1;
         });
         error.set(None);
         let result = get_org_usage(
+            org,
             from_date.get_untracked(),
             to_date.get_untracked(),
             page_size.get_untracked(),
@@ -162,22 +159,21 @@ pub fn UsageView() -> impl IntoView {
                 <Datepicker value=from_date />
                 <span class="mx-2">to</span>
                 <Datepicker value=to_date />
-                <button
-                    type="button"
-                    class="ml-4 px-4 py-2 text-sm font-medium text-white rounded-lg bg-blue-700 hover:bg-blue-800 focus:ring-4 focus:ring-blue-300 focus:outline-none"
-                    on:click=move |_| get_action.dispatch(())
+                <Button
+                    on:click=move |_| { get_action.dispatch(()); }
+                    class="ml-4"
                 >
                     Search
-                </button>
+                </Button>
             </div>
             { move || if let Some(error) = error.get() {
                 view! {
                     <div class="my-4 p-4 rounded-lg bg-red-50">
                         <span class="text-sm font-medium text-red-800">{ error }</span>
                     </div>
-                }.into_view()
+                }.into_any()
             } else {
-                view!{}.into_view()
+                ().into_any()
             }}
             <div class="mt-4 flex flex-row items-center justify-between">
                 <span class="text-sm font-normal text-gray-500">
@@ -203,7 +199,7 @@ pub fn UsageView() -> impl IntoView {
                         <option>200</option>
                     </select>
 
-                    <span class="ml-2 p-2 rounded"
+                    <button class="ml-2 p-2 rounded"
                         class=("text-gray-300", move || usage.with(|u| u.page == 0))
                         class=("cursor-pointer", move || !usage.with(|u| u.page == 0))
                         class=("hover:bg-gray-100", move || !usage.with(|u| u.page == 0))
@@ -213,7 +209,7 @@ pub fn UsageView() -> impl IntoView {
                         <svg class="w-5 h-5" aria-hidden="true" fill="currentColor" viewBox="0 0 20 20" xmlns="http://www.w3.org/2000/svg">
                             <path fill-rule="evenodd" d="M12.707 5.293a1 1 0 010 1.414L9.414 10l3.293 3.293a1 1 0 01-1.414 1.414l-4-4a1 1 0 010-1.414l4-4a1 1 0 011.414 0z" clip-rule="evenodd"></path>
                         </svg>
-                    </span>
+                    </button>
                     <span class="p-2 rounded"
                         class=("text-gray-300", move || usage.with(|u| u.page + 1 >= u.num_pages))
                         class=("cursor-pointer", move || !usage.with(|u| u.page + 1 >= u.num_pages))
@@ -281,7 +277,7 @@ fn RecordItemView(i: usize, record: UsageRecord) -> impl IntoView {
             class="w-full bg-white"
             class=("border-t", move || i > 0)
         >
-            <td scope="row" class="px-4 py-2">
+            <td class="px-4 py-2">
                 <p>{record.resource_kind}</p>
             </td>
             <td class="px-4 py-2">
diff --git a/crates/dashboard/src/workspace.rs b/crates/dashboard/src/workspace.rs
new file mode 100644
index 0000000..1197a04
--- /dev/null
+++ b/crates/dashboard/src/workspace.rs
@@ -0,0 +1,1998 @@
+use std::collections::HashMap;
+
+use anyhow::{anyhow, Result};
+use futures::StreamExt;
+use gloo_net::{
+    http::Request,
+    websocket::{futures::WebSocket, Message},
+};
+use lapdev_common::{
+    console::Organization, utils, ClusterInfo, GitBranch, NewWorkspace, NewWorkspaceResponse,
+    PrebuildStatus, ProjectInfo, ProjectPrebuild, RepoSource, RepobuildError, UpdateWorkspacePort,
+    WorkspaceInfo, WorkspacePort, WorkspaceService, WorkspaceStatus, WorkspaceUpdateEvent,
+};
+use leptos::{prelude::*, task::spawn_local_scoped_with_cancellation};
+use leptos_router::{
+    hooks::{use_location, use_navigate, use_params_map},
+    NavigateOptions,
+};
+use uuid::Uuid;
+
+use crate::{
+    app::AppConfig,
+    cluster::get_cluster_info,
+    component::{
+        alert::{Alert, AlertDescription, AlertTitle, AlertVariant},
+        button::{Button, ButtonVariant},
+        dropdown_menu::{
+            DropdownMenu, DropdownMenuContent, DropdownMenuItem, DropdownMenuSeparator,
+            DropdownMenuTrigger, DropdownPlacement,
+        },
+        input::Input,
+        label::Label,
+    },
+    modal::{DatetimeModal, DeleteModal, ErrorResponse, Modal},
+    organization::get_current_org,
+    project::MachineTypeView,
+};
+
+#[derive(Clone)]
+enum BuildMessage {
+    Stdout(String),
+    Stderr(String),
+}
+
+impl BuildMessage {
+    fn msg(&self) -> &str {
+        match self {
+            BuildMessage::Stdout(s) => s,
+            BuildMessage::Stderr(s) => s,
+        }
+    }
+
+    fn is_error(&self) -> bool {
+        matches!(self, BuildMessage::Stderr(_))
+    }
+}
+
+async fn all_workspaces(org: Signal<Option<Organization>>) -> Result<Vec<WorkspaceInfo>> {
+    let org = org.get().ok_or_else(|| anyhow!("can't get org"))?;
+    let resp = Request::get(&format!("/api/v1/organizations/{}/workspaces", org.id))
+        .send()
+        .await?;
+    let workspaces: Vec<WorkspaceInfo> = resp.json().await?;
+    Ok(workspaces)
+}
+
+async fn get_workspace(org: Signal<Option<Organization>>, name: &str) -> Result<WorkspaceInfo> {
+    let org = org.get().ok_or_else(|| anyhow!("can't get org"))?;
+    let resp = Request::get(&format!(
+        "/api/v1/organizations/{}/workspaces/{name}",
+        org.id
+    ))
+    .send()
+    .await?;
+    let workspace: WorkspaceInfo = resp.json().await?;
+    Ok(workspace)
+}
+
+async fn delete_workspace(
+    navigate: impl Fn(&str, NavigateOptions) + Clone,
+    org: Signal<Option<Organization>>,
+    name: String,
+    delete_modal_open: RwSignal<bool>,
+    update_counter: Option<RwSignal<i32, LocalStorage>>,
+) -> Result<(), ErrorResponse> {
+    let org = org.get().ok_or_else(|| anyhow!("can't get org"))?;
+    let resp = Request::delete(&format!(
+        "/api/v1/organizations/{}/workspaces/{name}",
+        org.id
+    ))
+    .send()
+    .await?;
+    if resp.status() != 204 {
+        let error = resp
+            .json::<ErrorResponse>()
+            .await
+            .unwrap_or_else(|_| ErrorResponse {
+                error: "Internal Server Error".to_string(),
+            });
+        return Err(error);
+    }
+
+    delete_modal_open.set(false);
+    if let Some(update_counter) = update_counter {
+        update_counter.update(|c| *c += 1);
+    } else {
+        navigate("/workspaces", Default::default());
+    }
+
+    Ok(())
+}
+
+async fn rebuild_workspace(
+    org: Signal<Option<Organization>>,
+    name: String,
+    rebuild_modal_open: RwSignal<bool>,
+) -> Result<(), ErrorResponse> {
+    let org = org.get().ok_or_else(|| anyhow!("can't get org"))?;
+    let resp = Request::post(&format!(
+        "/api/v1/organizations/{}/workspaces/{name}/rebuild",
+        org.id
+    ))
+    .send()
+    .await?;
+    if resp.status() != 204 {
+        let error = resp
+            .json::<ErrorResponse>()
+            .await
+            .unwrap_or_else(|_| ErrorResponse {
+                error: "Internal Server Error".to_string(),
+            });
+        return Err(error);
+    }
+
+    rebuild_modal_open.set(false);
+
+    Ok(())
+}
+
+async fn stop_workspace(
+    org: Signal<Option<Organization>>,
+    name: String,
+) -> Result<(), ErrorResponse> {
+    let org = org.get().ok_or_else(|| anyhow!("can't get org"))?;
+    let resp = Request::post(&format!(
+        "/api/v1/organizations/{}/workspaces/{name}/stop",
+        org.id
+    ))
+    .send()
+    .await?;
+    if resp.status() != 204 {
+        let error = resp
+            .json::<ErrorResponse>()
+            .await
+            .unwrap_or_else(|_| ErrorResponse {
+                error: "Internal Server Error".to_string(),
+            });
+        return Err(error);
+    }
+    Ok(())
+}
+
+async fn start_workspace(
+    org: Signal<Option<Organization>>,
+    name: String,
+) -> Result<(), ErrorResponse> {
+    let org = org.get().ok_or_else(|| anyhow!("can't get org"))?;
+    let resp = Request::post(&format!(
+        "/api/v1/organizations/{}/workspaces/{name}/start",
+        org.id
+    ))
+    .send()
+    .await?;
+    if resp.status() != 204 {
+        let error = resp
+            .json::<ErrorResponse>()
+            .await
+            .unwrap_or_else(|_| ErrorResponse {
+                error: "Internal Server Error".to_string(),
+            });
+        return Err(error);
+    }
+    Ok(())
+}
+
+async fn pin_workspace(
+    org: Signal<Option<Organization>>,
+    name: String,
+) -> Result<(), ErrorResponse> {
+    let org = org.get().ok_or_else(|| anyhow!("can't get org"))?;
+    let resp = Request::post(&format!(
+        "/api/v1/organizations/{}/workspaces/{name}/pin",
+        org.id
+    ))
+    .send()
+    .await?;
+    if resp.status() != 204 {
+        let error = resp
+            .json::<ErrorResponse>()
+            .await
+            .unwrap_or_else(|_| ErrorResponse {
+                error: "Internal Server Error".to_string(),
+            });
+        return Err(error);
+    }
+    Ok(())
+}
+
+async fn unpin_workspace(
+    org: Signal<Option<Organization>>,
+    name: String,
+) -> Result<(), ErrorResponse> {
+    let org = org.get().ok_or_else(|| anyhow!("can't get org"))?;
+    let resp = Request::post(&format!(
+        "/api/v1/organizations/{}/workspaces/{name}/unpin",
+        org.id
+    ))
+    .send()
+    .await?;
+    if resp.status() != 204 {
+        let error = resp
+            .json::<ErrorResponse>()
+            .await
+            .unwrap_or_else(|_| ErrorResponse {
+                error: "Internal Server Error".to_string(),
+            });
+        return Err(error);
+    }
+    Ok(())
+}
+
+#[component]
+fn OpenWorkspaceView(
+    workspace_name: String,
+    workspace_status: WorkspaceStatus,
+    workspace_folder: String,
+    workspace_hostname: String,
+    align_right: bool,
+) -> impl IntoView {
+    let dropdown_expanded = RwSignal::new(false);
+
+    let workspace_hostname = workspace_hostname.clone();
+    let cluster_info = get_cluster_info();
+    let port =
+        cluster_info.with_untracked(|i| i.as_ref().map(|i| i.ssh_proxy_port).unwrap_or(2222));
+    view! {
+        <DropdownMenu open=dropdown_expanded>
+            <div class="flex flex-row items-center">
+                <a
+                    // class={format!("{open_button_class} px-4 rounded-l-lg inline-block")}
+                    class=if workspace_status == WorkspaceStatus::Running {
+                        ""
+                    } else {
+                        "pointer-events-none cursor-default"
+                    }
+                    target="_blank"
+                    href=format!("https://{workspace_name}.{workspace_hostname}/")
+                >
+                    <Button
+                        class="rounded-r-none"
+                        attr:disabled=move || workspace_status != WorkspaceStatus::Running
+                    >
+                        Open
+                    </Button>
+                </a>
+                <DropdownMenuTrigger
+                    placement={if align_right {DropdownPlacement::BottomRight} else {DropdownPlacement::BottomLeft} }
+                    open=dropdown_expanded
+                    disabled=workspace_status != WorkspaceStatus::Running
+                >
+                    <Button
+                        class="px-2 rounded-l-none"
+                        attr:disabled=move || workspace_status != WorkspaceStatus::Running
+                    >
+                        <lucide_leptos::ChevronDown />
+                    </Button>
+                </DropdownMenuTrigger>
+            </div>
+            <DropdownMenuContent
+                open=dropdown_expanded.read_only()
+                class="mt-2 min-w-56"
+            >
+                {
+                    let workspace_hostname = workspace_hostname.clone();
+                    let workspace_name = workspace_name.clone();
+                    let workspace_folder = workspace_folder.clone();
+                    view! {
+                        <DropdownMenuItem class="cursor-pointer">
+                            <a
+                                href=format!(
+                                    "vscode://vscode-remote/ssh-remote+{workspace_name}@{}{}/workspaces/{workspace_folder}",
+                                    workspace_hostname.split(':').next().unwrap_or(""),
+                                    if port == 22 { "".to_string() } else { format!(":{port}") },
+                                )
+                                target="_blank"
+                            >
+                                Open in VSCode Desktop
+                            </a>
+                        </DropdownMenuItem>
+                    }
+                }
+            </DropdownMenuContent>
+        </DropdownMenu>
+    }
+}
+
+#[component]
+fn WorkspaceControl(
+    workspace_name: String,
+    workspace_status: WorkspaceStatus,
+    workspace_folder: String,
+    workspace_hostname: String,
+    workspace_pinned: bool,
+    rebuild_modal_open: RwSignal<bool>,
+    delete_modal_open: RwSignal<bool>,
+    error: RwSignal<Option<String>, LocalStorage>,
+    align_right: bool,
+) -> impl IntoView {
+    let org = get_current_org();
+    let dropdown_expanded = RwSignal::new(false);
+
+    let delete_workspace = {
+        move |_| {
+            dropdown_expanded.set(false);
+            delete_modal_open.set(true);
+        }
+    };
+
+    let rebuild_workspace = {
+        move |_| {
+            dropdown_expanded.set(false);
+            rebuild_modal_open.set(true);
+        }
+    };
+
+    let stop_action = {
+        let workspace_name = workspace_name.clone();
+        Action::new_local(move |_| {
+            let workspace_name = workspace_name.clone();
+            async move {
+                if let Err(e) = stop_workspace(org, workspace_name.clone()).await {
+                    error.set(Some(e.error));
+                }
+            }
+        })
+    };
+    let stop_workspace = move |_| {
+        dropdown_expanded.set(false);
+        error.set(None);
+        stop_action.dispatch(());
+    };
+
+    let start_action = {
+        let workspace_name = workspace_name.clone();
+        Action::new_local(move |_| {
+            let workspace_name = workspace_name.clone();
+            async move {
+                if let Err(e) = start_workspace(org, workspace_name.clone()).await {
+                    error.set(Some(e.error));
+                }
+            }
+        })
+    };
+    let start_workspace = move |_| {
+        dropdown_expanded.set(false);
+        error.set(None);
+        start_action.dispatch(());
+    };
+
+    let pin_action = {
+        let workspace_name = workspace_name.clone();
+        Action::new_local(move |_| {
+            let workspace_name = workspace_name.clone();
+            async move {
+                if let Err(e) = pin_workspace(org, workspace_name.clone()).await {
+                    error.set(Some(e.error));
+                }
+            }
+        })
+    };
+    let pin_workspace = move |_| {
+        dropdown_expanded.set(false);
+        error.set(None);
+        pin_action.dispatch(());
+    };
+
+    let unpin_action = {
+        let workspace_name = workspace_name.clone();
+        Action::new_local(move |_| {
+            let workspace_name = workspace_name.clone();
+            async move {
+                if let Err(e) = unpin_workspace(org, workspace_name.clone()).await {
+                    error.set(Some(e.error));
+                }
+            }
+        })
+    };
+    let unpin_workspace = move |_| {
+        dropdown_expanded.set(false);
+        error.set(None);
+        unpin_action.dispatch(());
+    };
+
+    view! {
+        <div class="flex flex-row items-center">
+            <OpenWorkspaceView
+                workspace_name
+                workspace_status
+                workspace_folder
+                workspace_hostname
+                align_right
+            />
+
+            <DropdownMenu class="ml-2" open=dropdown_expanded>
+                <DropdownMenuTrigger open=dropdown_expanded
+                    placement={if align_right {DropdownPlacement::BottomRight} else {DropdownPlacement::BottomLeft} }
+                >
+                    <Button variant=ButtonVariant::Ghost class="px-2">
+                        <lucide_leptos::EllipsisVertical />
+                    </Button>
+                </DropdownMenuTrigger>
+                <DropdownMenuContent
+                    open=dropdown_expanded.read_only()
+                    class="mt-2 min-w-56"
+                >
+                    <DropdownMenuItem
+                        on:click=start_workspace
+                        disabled=workspace_status != WorkspaceStatus::Stopped
+                        class="cursor-pointer"
+                    >
+                        Start
+                    </DropdownMenuItem>
+                    <DropdownMenuItem
+                        on:click=stop_workspace
+                        disabled=workspace_status == WorkspaceStatus::Stopped
+                        class="cursor-pointer"
+                    >
+                        Stop
+                    </DropdownMenuItem>
+                    <DropdownMenuSeparator />
+
+                    <DropdownMenuItem
+                        on:click=pin_workspace
+                        disabled=workspace_pinned
+                        class="cursor-pointer"
+                    >
+                        Pin
+                    </DropdownMenuItem>
+                    <DropdownMenuItem
+                        on:click=unpin_workspace
+                        disabled=!workspace_pinned
+                        class="cursor-pointer"
+                    >
+                        Unpin
+                    </DropdownMenuItem>
+                    <DropdownMenuSeparator />
+                    <DropdownMenuItem on:click=rebuild_workspace class="cursor-pointer">
+                        Rebuild
+                    </DropdownMenuItem>
+                    <DropdownMenuItem on:click=delete_workspace class="cursor-pointer">
+                        Delete
+                    </DropdownMenuItem>
+                </DropdownMenuContent>
+            </DropdownMenu>
+        </div>
+    }
+}
+
+fn workspace_status_class(status: &WorkspaceStatus) -> &str {
+    match status {
+        WorkspaceStatus::Running => "bg-green-100 text-green-800",
+        WorkspaceStatus::Failed
+        | WorkspaceStatus::Deleting
+        | WorkspaceStatus::DeleteFailed
+        | WorkspaceStatus::StopFailed => "bg-red-100 text-red-800",
+        WorkspaceStatus::New
+        | WorkspaceStatus::Building
+        | WorkspaceStatus::PrebuildBuilding
+        | WorkspaceStatus::PrebuildCopying
+        | WorkspaceStatus::Stopping
+        | WorkspaceStatus::Starting => "bg-yellow-100 text-yellow-800",
+        WorkspaceStatus::Stopped | WorkspaceStatus::Deleted => "bg-gray-100 text-gray-800",
+    }
+}
+
+#[component]
+fn WorkspaceRebuildModal(
+    workspace_name: String,
+    rebuild_modal_open: RwSignal<bool>,
+) -> impl IntoView {
+    let org = get_current_org();
+    let rebuild_action = {
+        let workspace_name = workspace_name.clone();
+        Action::new_local(move |_| {
+            rebuild_workspace(org, workspace_name.clone(), rebuild_modal_open)
+        })
+    };
+
+    view! {
+        <Modal
+            title="Create New Workspace"
+            open=rebuild_modal_open
+            action=rebuild_action
+            action_text="Rebuild"
+            action_progress_text="Rebuilding"
+        >
+            <p>Rebuild your workspace image.</p>
+            <p>It will pick up your devcontainer config changes.</p>
+            <p>
+                All files in
+                <span class="text-semibold mx-1 px-1 text-gray-800 bg-gray-200 rounded">
+                    /workspaces
+                </span>folder will persist.
+            </p>
+        </Modal>
+    }
+}
+
+#[component]
+pub fn WorkspaceItem(
+    workspace: WorkspaceInfo,
+    error: RwSignal<Option<String>, LocalStorage>,
+    update_counter: RwSignal<i32, LocalStorage>,
+) -> impl IntoView {
+    let rebuild_modal_open = RwSignal::new(false);
+    let delete_modal_open = RwSignal::new(false);
+    let org = get_current_org();
+    let workspace_name = workspace.name.clone();
+    let workspace_folder = workspace.repo_name.clone();
+    let workspace_hostname = workspace.hostname.clone();
+    let workspace_hostname = if workspace_hostname.is_empty() {
+        window().window().location().hostname().unwrap_or_default()
+    } else {
+        workspace_hostname
+    };
+    let delete_action = {
+        let workspace_name = workspace_name.clone();
+        let navigate = use_navigate();
+        Action::new_local(move |_| {
+            delete_workspace(
+                navigate.clone(),
+                org,
+                workspace_name.clone(),
+                delete_modal_open,
+                Some(update_counter),
+            )
+        })
+    };
+    let status_class = workspace_status_class(&workspace.status);
+    let status_class = format!("{status_class} text-sm font-medium me-2 px-2.5 py-0.5 rounded");
+    view! {
+        <div class="w-full mb-8 bg-white rounded-lg border border-gray-200 shadow-lg">
+            <div class="flex flex-col items-center w-full lg:flex-row">
+                <div class="lg:w-1/3 flex flex-row">
+                    <a href=workspace.repo_url.clone() target="_blank">
+                        <img
+                            src=repo_img(&workspace.repo_url)
+                            class="object-contain lg:object-left h-40 rounded-lg justify-self-start"
+                        />
+                    </a>
+                </div>
+                <div class="lg:w-1/3 flex flex-col justify-center">
+                    <div class="flex flex-col p-4">
+                        <a href=format!("/workspaces/{}", workspace.name)>
+                            <a
+                                class="font-semibold"
+                                href=format!("/workspaces/{}", workspace.name.clone())
+                            >
+                                {
+                                    let workspace_name = workspace.name.clone();
+                                    move || workspace_name.clone()
+                                }
+                            </a>
+                            <a
+                                href=workspace.repo_url.clone()
+                                target="_blank"
+                                class="flex flex-row items-center text-sm text-gray-700 mt-2"
+                            >
+                                <svg
+                                    class="w-4 h-4 mr-1"
+                                    aria-hidden="true"
+                                    xmlns="http://www.w3.org/2000/svg"
+                                    fill="none"
+                                    viewBox="0 0 24 24"
+                                >
+                                    <path
+                                        stroke="currentColor"
+                                        stroke-linecap="round"
+                                        stroke-linejoin="round"
+                                        stroke-width="2"
+                                        d="M13.2 9.8a3.4 3.4 0 0 0-4.8 0L5 13.2A3.4 3.4 0 0 0 9.8 18l.3-.3m-.3-4.5a3.4 3.4 0 0 0 4.8 0L18 9.8A3.4 3.4 0 0 0 13.2 5l-1 1"
+                                    />
+                                </svg>
+                                <p>
+                                    {
+                                        let repo_url = workspace.repo_url.clone();
+                                        move || repo_url.clone()
+                                    }
+                                </p>
+                            </a>
+                            <span class="flex flex-row truncate items-center text-sm text-gray-700 mt-2">
+                                <svg
+                                    class="w-3 h-3 mr-2"
+                                    aria-hidden="true"
+                                    xmlns="http://www.w3.org/2000/svg"
+                                    fill="none"
+                                    viewBox="0 0 14 20"
+                                >
+                                    <path
+                                        stroke="currentColor"
+                                        stroke-linecap="round"
+                                        stroke-linejoin="round"
+                                        stroke-width="2"
+                                        d="M3 5v10M3 5a2 2 0 1 0 0-4 2 2 0 0 0 0 4Zm0 10a2 2 0 1 0 0 4 2 2 0 0 0 0-4Zm6-3.976-2-.01A4.015 4.015 0 0 1 3 7m10 4a2 2 0 1 1-4 0 2 2 0 0 1 4 0Z"
+                                    />
+                                </svg>
+                                <span class="mr-2">{workspace.branch}</span>
+                                <span>{workspace.commit[..7].to_string()}</span>
+                            </span>
+                            <span class="mt-2 text-sm text-gray-800 inline-flex items-center rounded me-2 text-gray-700">
+                                <svg
+                                    class="w-2.5 h-2.5 mr-2.5"
+                                    aria-hidden="true"
+                                    xmlns="http://www.w3.org/2000/svg"
+                                    fill="currentColor"
+                                    viewBox="0 0 20 20"
+                                >
+                                    <path d="M10 0a10 10 0 1 0 10 10A10.011 10.011 0 0 0 10 0Zm3.982 13.982a1 1 0 0 1-1.414 0l-3.274-3.274A1.012 1.012 0 0 1 9 10V6a1 1 0 0 1 2 0v3.586l2.982 2.982a1 1 0 0 1 0 1.414Z" />
+                                </svg>
+                                <span class="mr-1">Created</span>
+                                <DatetimeModal time=workspace.created_at />
+                            </span>
+                        </a>
+                    </div>
+                </div>
+                <div class="lg:w-1/3 flex flex-col xl:flex-row items-center justify-between">
+                    <div class="flex flex-row items-center">
+                        <span class=status_class>{move || workspace.status.to_string()}</span>
+                    </div>
+                    <div class="flex flex-row items-center p-4 justify-center">
+                        <div class="w-4 h-4 mr-6">
+                            <svg
+                                class:hidden=move || !workspace.pinned
+                                class="w-4 h-4"
+                                xmlns="http://www.w3.org/2000/svg"
+                                width="24px"
+                                height="24px"
+                                viewBox="0 0 24 24"
+                                fill="none"
+                                stroke="currentColor"
+                                stroke-width="2"
+                                stroke-linecap="round"
+                                stroke-linejoin="round"
+                            >
+                                <line x1="12" x2="12" y1="17" y2="22"></line>
+                                <path d="M5 17h14v-1.76a2 2 0 0 0-1.11-1.79l-1.78-.9A2 2 0 0 1 15 10.76V6h1a2 2 0 0 0 0-4H8a2 2 0 0 0 0 4h1v4.76a2 2 0 0 1-1.11 1.79l-1.78.9A2 2 0 0 0 5 15.24Z"></path>
+                            </svg>
+                        </div>
+                        <WorkspaceControl
+                            workspace_name=workspace_name.clone()
+                            workspace_status=workspace.status
+                            workspace_folder=workspace_folder.clone()
+                            workspace_hostname=workspace_hostname.clone()
+                            workspace_pinned=workspace.pinned
+                            align_right=true
+                            delete_modal_open
+                            rebuild_modal_open
+                            error
+                        />
+                    </div>
+                </div>
+            </div>
+            <For
+                each=move || workspace.services.clone()
+                key=move |s| s.clone()
+                children={
+                    let workspace_folder = workspace_folder.clone();
+                    let workspace_hostname = workspace_hostname.clone();
+                    move |ws_service| {
+                        view! {
+                            <div class="flex flex-col border-t items-center shadow-sm lg:flex-row w-full">
+                                <div class="hidden w-1/3 lg:flex flex-row"></div>
+                                <div class="w-full lg:w-1/3 flex flex-col items-center lg:items-start">
+                                    <div class="flex flex-col p-4">
+                                        <span class="font-semibold">{ws_service.name.clone()}</span>
+                                        <div class="flex flex-row items-center text-sm text-gray-700 mt-2">
+                                            <svg
+                                                class="w-4 h-4 mr-1"
+                                                xmlns="http://www.w3.org/2000/svg"
+                                                fill="currentColor"
+                                                viewBox="0 0 16 16"
+                                            >
+                                                <path
+                                                    fill-rule="evenodd"
+                                                    d="M6 3.5A1.5 1.5 0 0 1 7.5 2h1A1.5 1.5 0 0 1 10 3.5v1A1.5 1.5 0 0 1 8.5 6v1H11a.5.5 0 0 1 .5.5v1a.5.5 0 0 1-1 0V8h-5v.5a.5.5 0 0 1-1 0v-1A.5.5 0 0 1 5 7h2.5V6A1.5 1.5 0 0 1 6 4.5zM8.5 5a.5.5 0 0 0 .5-.5v-1a.5.5 0 0 0-.5-.5h-1a.5.5 0 0 0-.5.5v1a.5.5 0 0 0 .5.5zM3 11.5A1.5 1.5 0 0 1 4.5 10h1A1.5 1.5 0 0 1 7 11.5v1A1.5 1.5 0 0 1 5.5 14h-1A1.5 1.5 0 0 1 3 12.5zm1.5-.5a.5.5 0 0 0-.5.5v1a.5.5 0 0 0 .5.5h1a.5.5 0 0 0 .5-.5v-1a.5.5 0 0 0-.5-.5zm4.5.5a1.5 1.5 0 0 1 1.5-1.5h1a1.5 1.5 0 0 1 1.5 1.5v1a1.5 1.5 0 0 1-1.5 1.5h-1A1.5 1.5 0 0 1 9 12.5zm1.5-.5a.5.5 0 0 0-.5.5v1a.5.5 0 0 0 .5.5h1a.5.5 0 0 0 .5-.5v-1a.5.5 0 0 0-.5-.5z"
+                                                />
+                                            </svg>
+                                            <p>{ws_service.service.clone()}</p>
+                                        </div>
+                                    </div>
+                                </div>
+                                <div class="w-full lg:w-1/3 flex flex-row items-center p-4 justify-center xl:justify-end">
+                                    <div class="mx-11">
+                                        <OpenWorkspaceView
+                                            workspace_name=ws_service.name.clone()
+                                            workspace_status=workspace.status
+                                            workspace_folder=workspace_folder.clone()
+                                            workspace_hostname=workspace_hostname.clone()
+                                            align_right=true
+                                        />
+                                    </div>
+                                </div>
+                            </div>
+                        }
+                    }
+                }
+            />
+        </div>
+        <DeleteModal resource=workspace_name.clone() open=delete_modal_open delete_action />
+        <WorkspaceRebuildModal workspace_name=workspace_name.clone() rebuild_modal_open />
+    }
+}
+
+async fn watch_all_workspace_status(
+    status_update: RwSignal<(String, WorkspaceStatus), LocalStorage>,
+) -> Result<()> {
+    let location = window().location();
+    let protocol = if location.protocol().map(|p| p == "http:").unwrap_or(false) {
+        "ws"
+    } else {
+        "wss"
+    };
+    let host = location.host().unwrap();
+    let mut websocket = WebSocket::open(&format!("{protocol}://{host}/all_workspaces_ws"))?;
+
+    while let Some(Ok(msg)) = websocket.next().await {
+        if let Message::Text(s) = msg {
+            if let Ok((ws_name, status)) = serde_json::from_str::<(String, WorkspaceStatus)>(&s) {
+                status_update.set((ws_name, status));
+            }
+        }
+    }
+
+    Ok(())
+}
+
+#[component]
+pub fn Workspaces() -> impl IntoView {
+    let error = RwSignal::new_local(None);
+    let status_update = RwSignal::new_local(("".to_string(), WorkspaceStatus::New));
+    let org = get_current_org();
+
+    spawn_local_scoped_with_cancellation(async move {
+        let _ = watch_all_workspace_status(status_update).await;
+    });
+
+    let new_workspace_modal_open = RwSignal::new(false);
+
+    let delete_counter = RwSignal::new_local(0);
+    Effect::new(move |_| {
+        status_update.track();
+        delete_counter.update(|c| {
+            *c += 1;
+        });
+    });
+
+    let workspaces_resource =
+        LocalResource::new(move || async move { all_workspaces(org).await.unwrap_or_default() });
+    Effect::new(move |_| {
+        delete_counter.track();
+        workspaces_resource.refetch();
+    });
+
+    let workspace_filter = RwSignal::new_local(String::new());
+
+    let workspaces = Signal::derive(move || {
+        let mut workspaces = workspaces_resource.get().unwrap_or_default();
+        let workspace_filter = workspace_filter.get();
+        workspaces.retain(|w| w.name.contains(&workspace_filter));
+        workspaces
+    });
+
+    let new_workspace = move |_| {
+        new_workspace_modal_open.set(true);
+    };
+
+    {
+        let hash = use_location().hash.get_untracked();
+        if let Some(url) = hash.strip_prefix("#") {
+            let url = utils::format_repo_url(url);
+            let action_dispatched = RwSignal::new_local(false);
+            let cluster_info = get_cluster_info();
+            let current_org = get_current_org();
+            let navigate = use_navigate();
+            let action = Action::new_local(move |url: &String| {
+                let cluster_info = get_cluster_info();
+                create_workspace(
+                    navigate.clone(),
+                    current_org,
+                    cluster_info,
+                    RepoSource::Url(url.clone()),
+                    None,
+                    None,
+                    true,
+                )
+            });
+            Effect::new(move |_| {
+                let org = current_org.get();
+                if org.is_none() {
+                    return;
+                }
+                let cluster_info = cluster_info.get();
+                if cluster_info.is_none() {
+                    return;
+                }
+                if !action_dispatched.get_untracked() {
+                    action.dispatch(url.clone());
+                    action_dispatched.set(true);
+                }
+            });
+            Effect::new(move |_| {
+                action.value().with(|result| {
+                    if let Some(result) = result {
+                        match result {
+                            Ok(_) => {}
+                            Err(e) => {
+                                error.set(Some(e.error.clone()));
+                            }
+                        }
+                    }
+                })
+            });
+        }
+    }
+
+    view! {
+        <section class="w-full h-full flex items-center flex-col">
+            <div class="mx-auto w-full">
+                <div class="flex-row items-center justify-between space-y-3 sm:flex sm:space-y-0 sm:space-x-4">
+                    <div>
+                        <h5 class="mr-3 text-2xl font-semibold">All Workspaces</h5>
+                        <p class="text-gray-700">
+                            Manage all your existing workspaces or add a new one
+                        </p>
+                    </div>
+                </div>
+                <div class="flex flex-row items-center justify-between py-4 space-x-4">
+                    <div class="w-1/2">
+                        <form class="flex items-center">
+                            <label for="simple-search" class="sr-only">
+                                Filter Workspaces
+                            </label>
+                            <div class="relative w-full">
+                                <div class="absolute inset-y-0 left-0 flex items-center pl-3 pointer-events-none">
+                                    <svg
+                                        aria-hidden="true"
+                                        class="w-5 h-5 text-gray-500"
+                                        fill="currentColor"
+                                        viewbox="0 0 20 20"
+                                        xmlns="http://www.w3.org/2000/svg"
+                                    >
+                                        <path
+                                            fill-rule="evenodd"
+                                            d="M8 4a4 4 0 100 8 4 4 0 000-8zM2 8a6 6 0 1110.89 3.476l4.817 4.817a1 1 0 01-1.414 1.414l-4.816-4.816A6 6 0 012 8z"
+                                            clip-rule="evenodd"
+                                        />
+                                    </svg>
+                                </div>
+                                <Input
+                                    prop:value=move || workspace_filter.get()
+                                    on:input=move |ev| {
+                                        workspace_filter.set(event_target_value(&ev));
+                                    }
+                                    class="pl-10"
+                                    attr:placeholder="Filter Workspaces"
+                                />
+                            </div>
+                        </form>
+                    </div>
+                    <Button on:click=new_workspace>New Workspace</Button>
+                </div>
+            </div>
+
+            {move || {
+                if let Some(error) = error.get() {
+                    view! {
+                        <Alert variant=AlertVariant::Destructive>
+                            <lucide_leptos::CircleAlert />
+                            <AlertTitle>Error</AlertTitle>
+                            <AlertDescription>{error}</AlertDescription>
+                        </Alert>
+                    }
+                        .into_any()
+                } else {
+                    ().into_any()
+                }
+            }}
+
+            <div class="w-full basis-0 grow">
+                <div class="w-full h-full flex flex-col py-4">
+                    <For
+                        each=move || workspaces.get()
+                        key=|w| (w.name.clone(), w.status, w.pinned)
+                        children=move |workspace| {
+                            view! {
+                                <WorkspaceItem
+                                    workspace=workspace
+                                    update_counter=delete_counter
+                                    error
+                                />
+                            }
+                        }
+                    />
+                </div>
+            </div>
+
+            <NewWorkspaceModal
+                modal_open=new_workspace_modal_open
+                project_info=RwSignal::new_local(None)
+            />
+
+        </section>
+    }
+}
+
+pub async fn create_workspace(
+    navigate: impl Fn(&str, NavigateOptions) + Clone,
+    org: Signal<Option<Organization>>,
+    cluster_info: Signal<Option<ClusterInfo>, LocalStorage>,
+    source: RepoSource,
+    branch: Option<String>,
+    machine_type: Option<Uuid>,
+    from_hash: bool,
+) -> Result<(), ErrorResponse> {
+    let org = org.get().ok_or_else(|| anyhow!("can't get org"))?;
+
+    let machine_type_id = machine_type.unwrap_or_else(|| {
+        cluster_info
+            .get_untracked()
+            .and_then(|i| i.machine_types.first().map(|m| m.id))
+            .unwrap_or_else(|| Uuid::from_u128(0))
+    });
+    let resp = Request::post(&format!("/api/v1/organizations/{}/workspaces", org.id))
+        .json(&NewWorkspace {
+            source,
+            branch,
+            machine_type_id,
+            from_hash,
+        })?
+        .send()
+        .await?;
+    if resp.status() != 200 {
+        let error = resp
+            .json::<ErrorResponse>()
+            .await
+            .unwrap_or_else(|_| ErrorResponse {
+                error: "Internal Server Error".to_string(),
+            });
+        return Err(error);
+    }
+
+    let resp: NewWorkspaceResponse = resp.json().await?;
+    navigate(&format!("/workspaces/{}", resp.name), Default::default());
+
+    Ok(())
+}
+
+#[derive(Clone)]
+pub struct CreateWorkspaceProjectInfo {
+    pub project: ProjectInfo,
+    pub branch: Option<GitBranch>,
+    pub branches: Vec<GitBranch>,
+    pub prebuilds: HashMap<String, ProjectPrebuild>,
+}
+
+pub fn repo_img(repo_url: &str) -> String {
+    if let Some(sufix) = repo_url.strip_prefix("https://github.com/") {
+        format!("https://opengraph.githubassets.com/a/{sufix}")
+    } else {
+        "".to_string()
+    }
+}
+
+#[component]
+pub fn NewWorkspaceModal(
+    modal_open: RwSignal<bool>,
+    project_info: RwSignal<Option<CreateWorkspaceProjectInfo>, LocalStorage>,
+) -> impl IntoView {
+    let repo_url = RwSignal::new_local("".to_string());
+    let current_branch = RwSignal::new_local(None);
+    let current_machine_type = RwSignal::new_local(None);
+    let org = get_current_org();
+
+    Effect::new(move |_| {
+        let branch = project_info.with(|info| {
+            info.as_ref()
+                .and_then(|info| info.branch.as_ref().or(info.branches.first()))
+                .cloned()
+        });
+        current_branch.set(branch);
+    });
+
+    let preferred_machine_type = Signal::derive_local(move || {
+        project_info.with(|info| info.as_ref().map(|info| info.project.machine_type))
+    });
+
+    let current_project =
+        Signal::derive(move || project_info.with(|info| info.as_ref().map(|info| info.project.id)));
+
+    let select_on_change = move |ev: web_sys::Event| {
+        let name = event_target_value(&ev);
+        let branch = project_info.with_untracked(|info| {
+            info.as_ref()
+                .and_then(|info| info.branches.iter().find(|b| b.name == name))
+                .cloned()
+        });
+        current_branch.set(branch);
+    };
+
+    let navigate = use_navigate();
+    let action = Action::new_unsync_local(move |_| {
+        let source = if let Some(project) = current_project.get_untracked() {
+            RepoSource::Project(project)
+        } else {
+            RepoSource::Url(repo_url.get_untracked())
+        };
+        let cluster_info = get_cluster_info();
+        create_workspace(
+            navigate.clone(),
+            org,
+            cluster_info,
+            source,
+            current_branch.get_untracked().map(|b| b.name),
+            current_machine_type.get_untracked(),
+            false,
+        )
+    });
+
+    let no_project_view = move || {
+        view! {
+            <div class="flex flex-col gap-2">
+                <Label>Your repository url</Label>
+                <Input
+                    prop:value=move || repo_url.get()
+                    on:input=move |ev| {
+                        repo_url.set(event_target_value(&ev));
+                    }
+                    {..}
+                    placeholder="https://github.com/owner/repo"
+                    required=true
+                />
+            </div>
+            <MachineTypeView current_machine_type preferred_machine_type />
+        }
+    };
+
+    view! {
+        <Modal title="Create New Workspace" open=modal_open action>
+            <Show when=move || { project_info.with(|i| i.is_some()) } fallback=no_project_view>
+                {if let Some(project_info) = project_info.get() {
+                    let branches = project_info.branches.clone();
+                    view! {
+                        <div class="flex flex-col gap-2">
+                            <Label>Project Name</Label>
+                            <Input
+                                class="disabled:opacity-80 disabled:cursor-text disabled:pointer-events-auto shadow-none border-none"
+                                attr:value=project_info.project.name
+                                attr:disabled=true
+                            />
+                        </div>
+                        <div class="flex flex-col gap-2">
+                            <Label>Project Repository</Label>
+                            <Input
+                                class="disabled:opacity-80 disabled:cursor-text disabled:pointer-events-auto shadow-none border-none"
+                                attr:value=project_info.project.repo_url
+                                attr:disabled=true
+                            />
+                        </div>
+                        <div class="flex flex-col gap-2">
+                            <Label>Branch</Label>
+                            <select
+                                class="bg-gray-50 border border-gray-300 text-gray-900 text-sm rounded-lg focus:ring-blue-500 focus:border-blue-500 block w-full p-2.5"
+                                on:change=select_on_change
+                            >
+                                <For
+                                    each=move || branches.clone()
+                                    key=|b| b.name.clone()
+                                    children=move |branch| {
+                                        let branch_name = branch.name.clone();
+                                        view! {
+                                            <option selected=move || {
+                                                Some(&branch_name)
+                                                    == current_branch.get().as_ref().map(|b| &b.name)
+                                            }>{branch.name}</option>
+                                        }
+                                    }
+                                />
+                            </select>
+                        </div>
+                        <div class="flex flex-col gap-2">
+                            <Label>Prebuild Status</Label>
+                            <Input
+                                class="disabled:opacity-80 disabled:cursor-text disabled:pointer-events-auto shadow-none border-none"
+                                attr:value=move || {
+                                    if let Some(branch) = current_branch.get() {
+                                        project_info
+                                            .prebuilds
+                                            .get(&branch.name)
+                                            .and_then(|prebuild| {
+                                                if prebuild.commit == branch.commit {
+                                                    Some(prebuild.status.to_string())
+                                                } else if prebuild.status == PrebuildStatus::Ready {
+                                                    Some("Outdated".to_string())
+                                                } else {
+                                                    None
+                                                }
+                                            })
+                                    } else {
+                                        None
+                                    }
+                                        .unwrap_or_else(|| "Not Created".to_string())
+                                }
+                                attr:disabled=true
+                            />
+                        </div>
+                        <MachineTypeView current_machine_type preferred_machine_type />
+                    }
+                        .into_any()
+                } else {
+                    ().into_any()
+                }}
+            </Show>
+        </Modal>
+    }
+}
+
+async fn watch_workspace_updates(
+    navigate: impl Fn(&str, NavigateOptions) + Clone,
+    name: &str,
+    status: RwSignal<WorkspaceStatus, LocalStorage>,
+    build_messages: RwSignal<Vec<BuildMessage>, LocalStorage>,
+) -> Result<()> {
+    let location = window().location();
+    let host = location.host().map_err(|_| anyhow!("can't get host"))?;
+    let protocol = if location.protocol().map(|p| p == "http:").unwrap_or(false) {
+        "ws"
+    } else {
+        "wss"
+    };
+    let mut websocket = WebSocket::open(&format!("{protocol}://{host}/ws?name={}", name))?;
+    while let Some(Ok(msg)) = websocket.next().await {
+        if let Message::Text(s) = msg {
+            if let Ok(event) = serde_json::from_str::<WorkspaceUpdateEvent>(&s) {
+                match event {
+                    WorkspaceUpdateEvent::Status(s) => {
+                        status.set(s);
+                        if s == WorkspaceStatus::Deleted {
+                            if let Ok(pathname) = window().location().pathname() {
+                                if pathname.ends_with(name) {
+                                    navigate("/workspaces", Default::default());
+                                }
+                            }
+                        }
+                    }
+                    WorkspaceUpdateEvent::Stdout(line) => {
+                        build_messages.update(|messages| {
+                            messages.push(BuildMessage::Stdout(line));
+                        });
+                        let _ = scroll_build_messages();
+                    }
+                    WorkspaceUpdateEvent::Stderr(line) => {
+                        build_messages.update(|messages| {
+                            messages.push(BuildMessage::Stderr(line));
+                        });
+                        let _ = scroll_build_messages();
+                    }
+                }
+            }
+        }
+    }
+    Ok(())
+}
+
+fn scroll_build_messages() -> Result<()> {
+    let scroll = window()
+        .document()
+        .ok_or_else(|| anyhow!("can't find document"))?
+        .get_element_by_id("build-messages-scroll")
+        .ok_or_else(|| anyhow!("can't find element"))?;
+    scroll.set_scroll_top(scroll.scroll_height());
+    Ok(())
+}
+
+#[component]
+pub fn WorkspaceDetails() -> impl IntoView {
+    let error = RwSignal::new_local(None);
+    let params = use_params_map();
+    let name = params.with_untracked(|params| params.get("name").clone().unwrap());
+    let local_name = name.clone();
+    let workspace_name = name.clone();
+    let rebuild_modal_open = RwSignal::new(false);
+    let delete_modal_open = RwSignal::new(false);
+    let org = get_current_org();
+    let delete_action = {
+        let workspace_name = workspace_name.clone();
+        let navigate = use_navigate();
+        Action::new_local(move |_| {
+            delete_workspace(
+                navigate.clone(),
+                org,
+                workspace_name.clone(),
+                delete_modal_open,
+                None,
+            )
+        })
+    };
+    let cluster_info = get_cluster_info();
+    let machine_types = RwSignal::new_local(cluster_info.get_untracked().map(|i| i.machine_types));
+
+    let update_counter = RwSignal::new_local(0);
+    let workspace_info = LocalResource::new(move || async move {
+        let name = params.with_untracked(|params| params.get("name").unwrap_or_default());
+        get_workspace(org, &name).await
+    });
+    Effect::new(move |_| {
+        update_counter.track();
+        workspace_info.refetch();
+    });
+
+    let build_messages = RwSignal::new_local(Vec::new());
+    let status = RwSignal::new_local(WorkspaceStatus::New);
+    {
+        let name = local_name.clone();
+        let navigate = use_navigate();
+        spawn_local_scoped_with_cancellation(async move {
+            let _ = watch_workspace_updates(navigate, &name, status, build_messages).await;
+        });
+    }
+
+    let config = use_context::<AppConfig>().unwrap();
+    Effect::new(move |_| {
+        if let Some(info) = workspace_info.with(|info| {
+            info.as_ref()
+                .map(|info| info.as_ref().ok().cloned())
+                .clone()
+                .flatten()
+        }) {
+            config.current_page.set(info.name);
+            if status.get_untracked() != info.status {
+                status.set(info.status);
+            }
+        }
+    });
+    Effect::new(move |_| {
+        status.track();
+        update_counter.update(|c| *c += 1);
+    });
+    view! {
+        <section class="w-full flex flex-col">
+            <a href="/workspaces" class="text-sm inline-flex items-center text-gray-700">
+                <svg
+                    class="w-2 h-2 mr-2"
+                    aria-hidden="true"
+                    xmlns="http://www.w3.org/2000/svg"
+                    fill="none"
+                    viewBox="0 0 14 10"
+                >
+                    <path
+                        stroke="currentColor"
+                        stroke-linecap="round"
+                        stroke-linejoin="round"
+                        stroke-width="2"
+                        d="M13 5H1m0 0 4 4M1 5l4-4"
+                    />
+                </svg>
+                Back to Workspace List
+            </a>
+            <h5 class="text-semibold text-2xl mt-4">{local_name.clone()}</h5>
+            <Show
+                when=move || {
+                    workspace_info
+                        .with(|info| info.as_ref().map(|info| info.is_ok()).unwrap_or(false))
+                }
+                fallback=move || {}
+            >
+                {if let Some(info) = workspace_info
+                    .with(|info| {
+                        info.as_ref().map(|info| info.as_ref().ok().cloned()).clone().flatten()
+                    })
+                {
+                    let workspace_hostname = info.hostname.clone();
+                    let workspace_hostname = if workspace_hostname.is_empty() {
+                        window().window().location().hostname().unwrap_or_default()
+                    } else {
+                        workspace_hostname
+                    };
+                    view! {
+                        <div>
+                            {move || {
+                                let status = status.get();
+                                let status_class = workspace_status_class(&status);
+                                let status_class = format!(
+                                    "{status_class} text-sm font-medium me-2 px-2.5 py-0.5 rounded",
+                                );
+                                view! {
+                                    <div class="mt-2">
+                                        <span class=status_class>{move || status.to_string()}</span>
+                                    </div>
+                                }
+                            }}
+                            <a
+                                href=info.repo_url.clone()
+                                target="_blank"
+                                class="inline-flex border rounded-lg mt-8"
+                            >
+                                <img
+                                    src=repo_img(&info.repo_url)
+                                    class="object-contain object-left h-40"
+                                />
+                            </a> <span class="flex flex-row items-center text-sm mt-4">
+                                <a
+                                    href=info.repo_url.clone()
+                                    target="_blank"
+                                    class="inline-flex items-center"
+                                >
+                                    <svg
+                                        class="w-4 h-4 mr-1"
+                                        aria-hidden="true"
+                                        xmlns="http://www.w3.org/2000/svg"
+                                        fill="none"
+                                        viewBox="0 0 24 24"
+                                    >
+                                        <path
+                                            stroke="currentColor"
+                                            stroke-linecap="round"
+                                            stroke-linejoin="round"
+                                            stroke-width="2"
+                                            d="M13.2 9.8a3.4 3.4 0 0 0-4.8 0L5 13.2A3.4 3.4 0 0 0 9.8 18l.3-.3m-.3-4.5a3.4 3.4 0 0 0 4.8 0L18 9.8A3.4 3.4 0 0 0 13.2 5l-1 1"
+                                        />
+                                    </svg>
+                                    <span class="text-gray-500 w-36">{"Repository URL"}</span>
+                                    <p>
+                                        {
+                                            let repo_url = info.repo_url.clone();
+                                            move || repo_url.clone()
+                                        }
+                                    </p>
+                                </a>
+                            </span>
+                            <span class="mt-2 text-sm flex flex-row items-center rounded me-2">
+                                <svg
+                                    class="w-3 h-3 mr-2"
+                                    aria-hidden="true"
+                                    xmlns="http://www.w3.org/2000/svg"
+                                    fill="none"
+                                    viewBox="0 0 14 20"
+                                >
+                                    <path
+                                        stroke="currentColor"
+                                        stroke-linecap="round"
+                                        stroke-linejoin="round"
+                                        stroke-width="2"
+                                        d="M3 5v10M3 5a2 2 0 1 0 0-4 2 2 0 0 0 0 4Zm0 10a2 2 0 1 0 0 4 2 2 0 0 0 0-4Zm6-3.976-2-.01A4.015 4.015 0 0 1 3 7m10 4a2 2 0 1 1-4 0 2 2 0 0 1 4 0Z"
+                                    />
+                                </svg>
+                                <span class="text-gray-500 w-36">{"Branch"}</span>
+                                <span class="mr-2">{info.branch}</span>
+                                <span>{info.commit}</span>
+                            </span>
+                            <span class="mt-2 text-sm flex flex-row items-center rounded me-2">
+                                <svg
+                                    class="w-2.5 h-2.5 mr-2"
+                                    xmlns="http://www.w3.org/2000/svg"
+                                    width="16"
+                                    height="16"
+                                    fill="currentColor"
+                                    viewBox="0 0 16 16"
+                                >
+                                    <path d="M6 9a.5.5 0 0 1 .5-.5h3a.5.5 0 0 1 0 1h-3A.5.5 0 0 1 6 9M3.854 4.146a.5.5 0 1 0-.708.708L4.793 6.5 3.146 8.146a.5.5 0 1 0 .708.708l2-2a.5.5 0 0 0 0-.708z" />
+                                    <path d="M2 1a2 2 0 0 0-2 2v10a2 2 0 0 0 2 2h12a2 2 0 0 0 2-2V3a2 2 0 0 0-2-2zm12 1a1 1 0 0 1 1 1v10a1 1 0 0 1-1 1H2a1 1 0 0 1-1-1V3a1 1 0 0 1 1-1z" />
+                                </svg>
+                                <span class="text-gray-500 w-36">{"SSH Connection"}</span>
+                                {
+                                    let workspace_name = workspace_name.clone();
+                                    let workspace_hostname = workspace_hostname.clone();
+                                    move || {
+                                        let ssh_port = cluster_info
+                                            .with(|i| {
+                                                i.as_ref().map(|i| i.ssh_proxy_port).unwrap_or(2222)
+                                            });
+                                        format!(
+                                            "ssh {workspace_name}@{}{}",
+                                            workspace_hostname.split(':').next().unwrap_or(""),
+                                            if ssh_port == 22 {
+                                                "".to_string()
+                                            } else {
+                                                format!(" -p {ssh_port}")
+                                            },
+                                        )
+                                    }
+                                }
+                            </span>
+                            <span class="mt-2 text-sm flex flex-row items-center rounded me-2">
+                                <svg
+                                    class="w-2.5 h-2.5 mr-2"
+                                    xmlns="http://www.w3.org/2000/svg"
+                                    width="16"
+                                    height="16"
+                                    fill="currentColor"
+                                    viewBox="0 0 16 16"
+                                >
+                                    <path d="M14 10a1 1 0 0 1 1 1v1a1 1 0 0 1-1 1H2a1 1 0 0 1-1-1v-1a1 1 0 0 1 1-1zM2 9a2 2 0 0 0-2 2v1a2 2 0 0 0 2 2h12a2 2 0 0 0 2-2v-1a2 2 0 0 0-2-2z" />
+                                    <path d="M5 11.5a.5.5 0 1 1-1 0 .5.5 0 0 1 1 0m-2 0a.5.5 0 1 1-1 0 .5.5 0 0 1 1 0M14 3a1 1 0 0 1 1 1v1a1 1 0 0 1-1 1H2a1 1 0 0 1-1-1V4a1 1 0 0 1 1-1zM2 2a2 2 0 0 0-2 2v1a2 2 0 0 0 2 2h12a2 2 0 0 0 2-2V4a2 2 0 0 0-2-2z" />
+                                    <path d="M5 4.5a.5.5 0 1 1-1 0 .5.5 0 0 1 1 0m-2 0a.5.5 0 1 1-1 0 .5.5 0 0 1 1 0" />
+                                </svg>
+                                <span class="text-gray-500 w-36">{"Machine Type"}</span>
+                                {machine_types
+                                    .get()
+                                    .and_then(|m| m.into_iter().find(|m| m.id == info.machine_type))
+                                    .map(|machine_type| {
+                                        format!(
+                                            "{} - {} vCPUs, {}GB memory, {}GB disk",
+                                            machine_type.name,
+                                            machine_type.cpu,
+                                            machine_type.memory,
+                                            machine_type.disk,
+                                        )
+                                    })}
+                            </span>
+                            <span class="mt-2 text-sm flex flex-row items-center rounded me-2">
+                                <svg
+                                    class="w-2.5 h-2.5 mr-2"
+                                    xmlns="http://www.w3.org/2000/svg"
+                                    width="24px"
+                                    height="24px"
+                                    viewBox="0 0 24 24"
+                                    fill="none"
+                                    stroke="currentColor"
+                                    stroke-width="2"
+                                    stroke-linecap="round"
+                                    stroke-linejoin="round"
+                                >
+                                    <line x1="12" x2="12" y1="17" y2="22"></line>
+                                    <path d="M5 17h14v-1.76a2 2 0 0 0-1.11-1.79l-1.78-.9A2 2 0 0 1 15 10.76V6h1a2 2 0 0 0 0-4H8a2 2 0 0 0 0 4h1v4.76a2 2 0 0 1-1.11 1.79l-1.78.9A2 2 0 0 0 5 15.24Z"></path>
+                                </svg>
+                                <span class="text-gray-500 w-36">{"Pinned"}</span>
+                                <span>{info.pinned}</span>
+                            </span>
+                            <span class="mt-2 text-sm flex flex-row items-center rounded me-2">
+                                <svg
+                                    class="w-2.5 h-2.5 mr-2"
+                                    aria-hidden="true"
+                                    xmlns="http://www.w3.org/2000/svg"
+                                    fill="currentColor"
+                                    viewBox="0 0 20 20"
+                                >
+                                    <path d="M10 0a10 10 0 1 0 10 10A10.011 10.011 0 0 0 10 0Zm3.982 13.982a1 1 0 0 1-1.414 0l-3.274-3.274A1.012 1.012 0 0 1 9 10V6a1 1 0 0 1 2 0v3.586l2.982 2.982a1 1 0 0 1 0 1.414Z" />
+                                </svg>
+                                <span class="text-gray-500 w-36">{"Created"}</span>
+                                <DatetimeModal time=info.created_at />
+                            </span> <div class="mt-4">
+                                <WorkspaceControl
+                                    workspace_name=workspace_name.clone()
+                                    workspace_status=status.get()
+                                    workspace_folder=info.repo_name.clone()
+                                    workspace_hostname=workspace_hostname.clone()
+                                    workspace_pinned=info.pinned
+                                    align_right=false
+                                    delete_modal_open
+                                    rebuild_modal_open
+                                    error
+                                />
+                            </div>
+                            {move || {
+                                if let Some(error) = error.get() {
+                                    view! {
+                                        <div class="w-full my-4 p-4 rounded-lg bg-red-50">
+                                            <span class="text-sm font-medium text-red-800">
+                                                {error}
+                                            </span>
+                                        </div>
+                                    }
+                                        .into_any()
+                                } else {
+                                    ().into_any()
+                                }
+                            }}
+                            <Show when=move || {
+                                let status = status.get();
+                                status == WorkspaceStatus::New
+                                    || status == WorkspaceStatus::Building
+                                    || status == WorkspaceStatus::PrebuildBuilding
+                                    || status == WorkspaceStatus::PrebuildCopying
+                                    || status == WorkspaceStatus::Failed
+                            }>
+                                <div
+                                    id="build-messages-scroll"
+                                    class="overflow-y-auto p-4 h-48 w-full mt-8 border rounded"
+                                >
+                                    <For
+                                        each=move || build_messages.get().into_iter().enumerate()
+                                        key=|(i, _)| *i
+                                        children=move |(_, msg)| {
+                                            let is_error = msg.is_error();
+                                            view! {
+                                                <p class=(
+                                                    "text-red-500",
+                                                    move || is_error,
+                                                )>{msg.msg().to_string()}</p>
+                                            }
+                                        }
+                                    />
+                                </div>
+                            </Show> <div class="flex flex-col">
+                                <For
+                                    each=move || info.services.clone()
+                                    key=move |s| s.clone()
+                                    children={
+                                        let workspace_folder = info.repo_name.clone();
+                                        let workspace_hostname = workspace_hostname.clone();
+                                        move |ws_service| {
+                                            view! {
+                                                <WorkspaceServiceView
+                                                    ws_service
+                                                    workspace_hostname=workspace_hostname.clone()
+                                                    workspace_folder=workspace_folder.clone()
+                                                    status
+                                                    cluster_info
+                                                />
+                                            }
+                                        }
+                                    }
+                                />
+                            </div>
+                            <WorkspaceTabView
+                                name=info.name.clone()
+                                workspace_hostname=workspace_hostname.clone()
+                                show_build_error=true
+                                build_error=info.build_error.clone()
+                            />
+                            <DeleteModal
+                                resource=info.name.clone()
+                                open=delete_modal_open
+                                delete_action
+                            />
+                            <WorkspaceRebuildModal
+                                workspace_name=workspace_name.clone()
+                                rebuild_modal_open
+                            />
+                        </div>
+                    }
+                        .into_any()
+                } else {
+                    view! { <div></div> }.into_any()
+                }}
+            </Show>
+        </section>
+    }
+}
+
+#[derive(Copy, Clone, PartialEq, Eq)]
+enum TabKind {
+    Port,
+    BuildOutput,
+}
+
+#[component]
+fn WorkspaceServiceView(
+    ws_service: WorkspaceService,
+    workspace_hostname: String,
+    workspace_folder: String,
+    status: RwSignal<WorkspaceStatus, LocalStorage>,
+    cluster_info: Signal<Option<ClusterInfo>, LocalStorage>,
+) -> impl IntoView {
+    let expanded = RwSignal::new_local(false);
+    let toggle_expand_view = move |_| {
+        expanded.update(|e| {
+            *e = !*e;
+        });
+    };
+    view! {
+        <div class="border rounded-lg p-8 mt-8">
+            <div class="flex flex-row flex-wrap justify-between items-center">
+                <div class="flex flex-row items-center">
+                    <button class="p-2" on:click=toggle_expand_view>
+                        <svg
+                            class:hidden=move || expanded.get()
+                            class="text-gray-600 w-3 h-3 mr-3"
+                            xmlns="http://www.w3.org/2000/svg"
+                            fill="none"
+                            viewBox="0 0 6 10"
+                        >
+                            <path
+                                stroke="currentColor"
+                                stroke-linecap="round"
+                                stroke-linejoin="round"
+                                stroke-width="2"
+                                d="m1 9 4-4-4-4"
+                            ></path>
+                        </svg>
+                        <svg
+                            class:hidden=move || !expanded.get()
+                            class="text-gray-600 w-3 h-3 mr-3"
+                            xmlns="http://www.w3.org/2000/svg"
+                            fill="none"
+                            viewBox="0 0 10 6"
+                        >
+                            <path
+                                stroke="currentColor"
+                                stroke-linecap="round"
+                                stroke-linejoin="round"
+                                stroke-width="2"
+                                d="m1 1 4 4 4-4"
+                            />
+                        </svg>
+                    </button>
+                    <div class="flex flex-col text-sm">
+                        <div class="flex flex-row items-center">
+                            <svg
+                                class="w-4 h-4 mr-1"
+                                xmlns="http://www.w3.org/2000/svg"
+                                fill="currentColor"
+                                viewBox="0 0 16 16"
+                            >
+                                <path
+                                    fill-rule="evenodd"
+                                    d="M6 3.5A1.5 1.5 0 0 1 7.5 2h1A1.5 1.5 0 0 1 10 3.5v1A1.5 1.5 0 0 1 8.5 6v1H11a.5.5 0 0 1 .5.5v1a.5.5 0 0 1-1 0V8h-5v.5a.5.5 0 0 1-1 0v-1A.5.5 0 0 1 5 7h2.5V6A1.5 1.5 0 0 1 6 4.5zM8.5 5a.5.5 0 0 0 .5-.5v-1a.5.5 0 0 0-.5-.5h-1a.5.5 0 0 0-.5.5v1a.5.5 0 0 0 .5.5zM3 11.5A1.5 1.5 0 0 1 4.5 10h1A1.5 1.5 0 0 1 7 11.5v1A1.5 1.5 0 0 1 5.5 14h-1A1.5 1.5 0 0 1 3 12.5zm1.5-.5a.5.5 0 0 0-.5.5v1a.5.5 0 0 0 .5.5h1a.5.5 0 0 0 .5-.5v-1a.5.5 0 0 0-.5-.5zm4.5.5a1.5 1.5 0 0 1 1.5-1.5h1a1.5 1.5 0 0 1 1.5 1.5v1a1.5 1.5 0 0 1-1.5 1.5h-1A1.5 1.5 0 0 1 9 12.5zm1.5-.5a.5.5 0 0 0-.5.5v1a.5.5 0 0 0 .5.5h1a.5.5 0 0 0 .5-.5v-1a.5.5 0 0 0-.5-.5z"
+                                />
+                            </svg>
+                            <span class="text-gray-500">{"Service"}</span>
+                        </div>
+                        {ws_service.service.clone()}
+                    </div>
+                </div>
+                <div class="flex flex-col text-sm">
+                    <div class="flex flex-row items-center">
+                        <svg
+                            class="w-2.5 h-2.5 mr-2"
+                            xmlns="http://www.w3.org/2000/svg"
+                            width="16"
+                            height="16"
+                            fill="currentColor"
+                            viewBox="0 0 16 16"
+                        >
+                            <path d="M6 9a.5.5 0 0 1 .5-.5h3a.5.5 0 0 1 0 1h-3A.5.5 0 0 1 6 9M3.854 4.146a.5.5 0 1 0-.708.708L4.793 6.5 3.146 8.146a.5.5 0 1 0 .708.708l2-2a.5.5 0 0 0 0-.708z" />
+                            <path d="M2 1a2 2 0 0 0-2 2v10a2 2 0 0 0 2 2h12a2 2 0 0 0 2-2V3a2 2 0 0 0-2-2zm12 1a1 1 0 0 1 1 1v10a1 1 0 0 1-1 1H2a1 1 0 0 1-1-1V3a1 1 0 0 1 1-1z" />
+                        </svg>
+                        <span class="text-gray-500">{"SSH Connection"}</span>
+                    </div>
+                    <WorkspaceSSHConnView
+                        name=ws_service.name.clone()
+                        workspace_hostname=workspace_hostname.clone()
+                        cluster_info
+                    />
+                </div>
+                <div class="flex flex-row">
+                    <OpenWorkspaceView
+                        workspace_name=ws_service.name.clone()
+                        workspace_status=status.get()
+                        workspace_folder=workspace_folder.clone()
+                        workspace_hostname=workspace_hostname.clone()
+                        align_right=false
+                    />
+                </div>
+            </div>
+            <div class="pl-10" class:hidden=move || !expanded.get()>
+                <WorkspaceTabView
+                    name=ws_service.name.clone()
+                    workspace_hostname=workspace_hostname.clone()
+                    show_build_error=false
+                    build_error=None
+                />
+            </div>
+        </div>
+    }
+}
+
+#[component]
+fn WorkspaceSSHConnView(
+    name: String,
+    workspace_hostname: String,
+    cluster_info: Signal<Option<ClusterInfo>, LocalStorage>,
+) -> impl IntoView {
+    view! {
+        <span>
+            {
+                let ws_service_name = name.clone();
+                let workspace_hostname = workspace_hostname.clone();
+                move || {
+                    let ssh_proxy_port = cluster_info
+                        .with(|i| i.as_ref().map(|i| i.ssh_proxy_port).unwrap_or(2222));
+                    format!(
+                        "ssh {ws_service_name}@{}{}",
+                        workspace_hostname.split(':').next().unwrap_or(""),
+                        if ssh_proxy_port == 22 {
+                            "".to_string()
+                        } else {
+                            format!(" -p {ssh_proxy_port}")
+                        },
+                    )
+                }
+            }
+        </span>
+    }
+}
+
+#[component]
+pub fn WorkspaceTabView(
+    name: String,
+    workspace_hostname: String,
+    show_build_error: bool,
+    build_error: Option<RepobuildError>,
+) -> impl IntoView {
+    let tab_kind = RwSignal::new_local(TabKind::Port);
+    let active_class =
+        "inline-block p-4 text-blue-600 border-b-2 border-blue-600 rounded-t-lg active";
+    let inactive_class = "inline-block p-4 border-b-2 border-transparent rounded-t-lg hover:text-gray-600 hover:border-gray-300";
+    let change_tab = move |kind: TabKind| {
+        tab_kind.set(kind);
+    };
+
+    view! {
+        <div class="mt-8 text-sm font-medium text-center text-gray-500 border-b border-gray-200">
+            <ul class="flex flex-wrap -mb-px">
+                <li class="me-2">
+                    <a
+                        href="#"
+                        class=move || {
+                            if tab_kind.get() == TabKind::Port {
+                                active_class
+                            } else {
+                                inactive_class
+                            }
+                        }
+                        on:click=move |_| change_tab(TabKind::Port)
+                    >
+                        Ports
+                    </a>
+                </li>
+                <li class="me-2" class:hidden=move || !show_build_error>
+                    <a
+                        href="#"
+                        class=move || {
+                            if tab_kind.get() == TabKind::BuildOutput {
+                                active_class
+                            } else {
+                                inactive_class
+                            }
+                        }
+                        on:click=move |_| change_tab(TabKind::BuildOutput)
+                    >
+                        Build Output
+                    </a>
+                </li>
+            </ul>
+        </div>
+        <div class="text-gray-600" class=("min-h-32", move || show_build_error)>
+            <div class:hidden=move || tab_kind.get() != TabKind::Port>
+                <WorkspacePortsView name=name workspace_hostname=workspace_hostname.clone() />
+            </div>
+            <div class:hidden=move || {
+                tab_kind.get() != TabKind::BuildOutput
+            }>
+                {if let Some(e) = build_error {
+                    view! {
+                        <p class="mt-4 text-sm text-gray-900">{e.msg}</p>
+                        <p class="text-sm text-gray-500">
+                            So the workspace was created with a default image.
+                        </p>
+                        <div class="overflow-y-auto p-4 h-48 w-full mt-4 border rounded">
+                            <For
+                                each=move || e.stderr.clone()
+                                key=|l| l.clone()
+                                children=move |line| {
+                                    view! { <p class="text-sm text-red-600">{line}</p> }
+                                }
+                            />
+                        </div>
+                    }
+                        .into_any()
+                } else {
+                    view! {
+                        <p class="my-4 text-sm text-gray-900">
+                            Workspace image was built successfully
+                        </p>
+                    }
+                        .into_any()
+                }}
+            </div>
+        </div>
+    }
+}
+
+async fn workspace_ports(
+    org: Signal<Option<Organization>>,
+    name: &str,
+) -> Result<Vec<WorkspacePort>> {
+    let org = org.get().ok_or_else(|| anyhow!("can't get org"))?;
+    let resp = Request::get(&format!(
+        "/api/v1/organizations/{}/workspaces/{name}/ports",
+        org.id
+    ))
+    .send()
+    .await?;
+    let ports: Vec<WorkspacePort> = resp.json().await?;
+    Ok(ports)
+}
+
+async fn update_workspace_port(
+    org: Signal<Option<Organization>>,
+    name: &str,
+    port: u16,
+    shared: bool,
+    public: bool,
+) -> Result<(), ErrorResponse> {
+    let org = org.get().ok_or_else(|| anyhow!("can't get org"))?;
+    let resp = Request::put(&format!(
+        "/api/v1/organizations/{}/workspaces/{name}/ports/{port}",
+        org.id
+    ))
+    .json(&UpdateWorkspacePort { shared, public })?
+    .send()
+    .await?;
+    if resp.status() != 204 {
+        let error = resp
+            .json::<ErrorResponse>()
+            .await
+            .unwrap_or_else(|_| ErrorResponse {
+                error: "Internal Server Error".to_string(),
+            });
+        return Err(error);
+    }
+    Ok(())
+}
+
+#[component]
+pub fn WorkspacePortsView(name: String, workspace_hostname: String) -> impl IntoView {
+    let org = get_current_org();
+    let ports = {
+        let name = name.clone();
+        LocalResource::new(move || {
+            let name = name.clone();
+            async move { workspace_ports(org, &name.clone()).await }
+        })
+    };
+    let ports = Signal::derive(move || {
+        ports
+            .with(|p| p.as_ref().map(|p| p.as_ref().ok().cloned()))
+            .flatten()
+            .unwrap_or_default()
+    });
+
+    let success = RwSignal::new_local(None);
+    let error = RwSignal::new_local(None);
+
+    view! {
+        <p class="mt-2 py-2 text-sm text-gray-900">Exposed ports of your workspace</p>
+        <div class="text-sm text-gray-500">
+            <p>Only you can access the ports by default.</p>
+            <p>If you make the port shared, all members in the same organisation can access it.</p>
+            <p>If you make the port public, everyone who has the url can access it.</p>
+        </div>
+        {move || {
+            if let Some(success) = success.get() {
+                view! {
+                    <Alert variant=AlertVariant::Default class="mt-4">
+                        <lucide_leptos::CircleCheck />
+                        <AlertTitle> {success} </AlertTitle>
+                    </Alert>
+                }
+                    .into_any()
+            } else {
+                ().into_any()
+            }
+        }}
+
+        {move || {
+            if let Some(error) = error.get() {
+                view! {
+                    <Alert variant=AlertVariant::Destructive class="mt-4">
+                        <lucide_leptos::CircleAlert />
+                        <AlertTitle>{error}</AlertTitle>
+                    </Alert>
+                }
+                    .into_any()
+            } else {
+                ().into_any()
+            }
+        }}
+
+        <div class="mt-4 flex items-center w-full px-4 py-2 text-gray-900 bg-gray-50">
+            <span class="w-1/3 truncate pr-2">Port</span>
+            <div class="w-1/3 truncate flex flex-row items-center">
+                <span class="w-1/2 truncate text-center">shared</span>
+                <span class="w-1/2 truncate text-center">public</span>
+            </div>
+            <span class="w-1/3 truncate"></span>
+        </div>
+
+        <For
+            each=move || ports.get()
+            key=|p| p.clone()
+            children=move |p| {
+                view! {
+                    <WorkspacePortView
+                        name=name.clone()
+                        p=p
+                        workspace_hostname=workspace_hostname.clone()
+                        success
+                        error
+                    />
+                }
+            }
+        />
+    }
+}
+
+#[component]
+fn WorkspacePortView(
+    name: String,
+    p: WorkspacePort,
+    workspace_hostname: String,
+    success: RwSignal<Option<String>, LocalStorage>,
+    error: RwSignal<Option<String>, LocalStorage>,
+) -> impl IntoView {
+    let shared = RwSignal::new_local(p.shared);
+    let public = RwSignal::new_local(p.public);
+    let org = get_current_org();
+    let action = {
+        let name = name.clone();
+        let port = p.port;
+        Action::new_local(move |_| {
+            let name = name.clone();
+            async move {
+                error.set(None);
+                success.set(None);
+                if let Err(e) = update_workspace_port(
+                    org,
+                    &name.clone(),
+                    port,
+                    shared.get_untracked(),
+                    public.get_untracked(),
+                )
+                .await
+                {
+                    error.set(Some(e.error.clone()));
+                } else {
+                    success.set(Some(format!("Port {port} updated successfully")));
+                }
+            }
+        })
+    };
+
+    view! {
+        <div class="flex flex-row items-center w-full px-4 py-2 border-b">
+            <span class="w-1/3 truncate pr-2">
+                {if let Some(label) = p.label.as_ref() {
+                    format!("{label} ({})", p.port)
+                } else {
+                    p.port.to_string()
+                }}
+            </span>
+            <div class="w-1/3 truncate flex flex-row items-center">
+                <div class="w-1/2 flex items-center justify-center">
+                    <input
+                        type="checkbox"
+                        value=""
+                        class="w-4 h-4 border border-gray-300 rounded bg-gray-50  focus:ring-0"
+                        prop:checked=p.shared
+                        on:change=move |e| shared.set(event_target_checked(&e))
+                    />
+                </div>
+                <div class="w-1/2 flex items-center justify-center">
+                    <input
+                        type="checkbox"
+                        value=""
+                        class="w-4 h-4 border border-gray-300 rounded bg-gray-50 focus:ring-0"
+                        prop:checked=p.public
+                        on:change=move |e| public.set(event_target_checked(&e))
+                    />
+                </div>
+            </div>
+            <div class="w-1/3 flex flex-row items-center gap-4">
+                <a href=format!("https://{}-{name}.{workspace_hostname}/", p.port) target="_blank">
+                    <Button>Open</Button>
+                </a>
+                <Button
+                    variant=ButtonVariant::Outline
+                    on:click=move |_| {
+                        action.dispatch(());
+                    }
+                >
+                    Update
+                </Button>
+            </div>
+        </div>
+    }
+}
diff --git a/lapdev-dashboard/tailwind.config.js b/crates/dashboard/tailwind.config.js
similarity index 100%
rename from lapdev-dashboard/tailwind.config.js
rename to crates/dashboard/tailwind.config.js
diff --git a/lapdev-db/Cargo.toml b/crates/db/Cargo.toml
similarity index 68%
rename from lapdev-db/Cargo.toml
rename to crates/db/Cargo.toml
index 63ab14f..9a2c15b 100644
--- a/lapdev-db/Cargo.toml
+++ b/crates/db/Cargo.toml
@@ -10,10 +10,18 @@ edition.workspace = true
 tokio.workspace = true
 chrono.workspace = true
 base64.workspace = true
+hex.workspace = true
 pasetors.workspace = true
 anyhow.workspace = true
 uuid.workspace = true
 sqlx.workspace = true
 sea-orm.workspace = true
 sea-orm-migration.workspace = true
+serde_json.workspace = true
+serde.workspace = true
+lapdev-db-migration.workspace = true
+lapdev-db-entities.workspace = true
 lapdev-common.workspace = true
+secrecy.workspace = true
+serde_yaml.workspace = true
+tracing.workspace = true
diff --git a/crates/db/entities/Cargo.toml b/crates/db/entities/Cargo.toml
new file mode 100644
index 0000000..b956138
--- /dev/null
+++ b/crates/db/entities/Cargo.toml
@@ -0,0 +1,12 @@
+[package]
+name = "lapdev-db-entities"
+version.workspace = true
+authors.workspace = true
+edition.workspace = true
+
+# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
+
+[dependencies]
+tokio.workspace = true
+sea-orm.workspace = true
+sea-orm-cli.workspace = true
diff --git a/lapdev-db/src/entities/audit_log.rs b/crates/db/entities/src/audit_log.rs
similarity index 94%
rename from lapdev-db/src/entities/audit_log.rs
rename to crates/db/entities/src/audit_log.rs
index 51ce831..9f0558b 100644
--- a/lapdev-db/src/entities/audit_log.rs
+++ b/crates/db/entities/src/audit_log.rs
@@ -1,4 +1,4 @@
-//! `SeaORM` Entity. Generated by sea-orm-codegen 0.12.4
+//! `SeaORM` Entity, @generated by sea-orm-codegen 1.1.14
 
 use sea_orm::entity::prelude::*;
 
diff --git a/lapdev-db/src/entities/config.rs b/crates/db/entities/src/config.rs
similarity index 86%
rename from lapdev-db/src/entities/config.rs
rename to crates/db/entities/src/config.rs
index 91f4522..9c47de5 100644
--- a/lapdev-db/src/entities/config.rs
+++ b/crates/db/entities/src/config.rs
@@ -1,4 +1,4 @@
-//! `SeaORM` Entity. Generated by sea-orm-codegen 0.12.4
+//! `SeaORM` Entity, @generated by sea-orm-codegen 1.1.14
 
 use sea_orm::entity::prelude::*;
 
diff --git a/crates/db/entities/src/kube_app_catalog.rs b/crates/db/entities/src/kube_app_catalog.rs
new file mode 100644
index 0000000..ebe2052
--- /dev/null
+++ b/crates/db/entities/src/kube_app_catalog.rs
@@ -0,0 +1,59 @@
+//! `SeaORM` Entity, @generated by sea-orm-codegen 1.1.14
+
+use sea_orm::entity::prelude::*;
+
+#[derive(Clone, Debug, PartialEq, DeriveEntityModel, Eq)]
+#[sea_orm(table_name = "kube_app_catalog")]
+pub struct Model {
+    #[sea_orm(primary_key, auto_increment = false)]
+    pub id: Uuid,
+    pub created_at: DateTimeWithTimeZone,
+    pub deleted_at: Option<DateTimeWithTimeZone>,
+    pub organization_id: Uuid,
+    pub created_by: Uuid,
+    pub name: String,
+    #[sea_orm(column_type = "Text", nullable)]
+    pub description: Option<String>,
+    #[sea_orm(column_type = "Text")]
+    pub resources: String,
+    pub cluster_id: Uuid,
+    pub sync_version: i64,
+    pub last_synced_at: Option<DateTimeWithTimeZone>,
+    pub last_sync_actor_id: Option<Uuid>,
+}
+
+#[derive(Copy, Clone, Debug, EnumIter, DeriveRelation)]
+pub enum Relation {
+    #[sea_orm(has_many = "super::kube_app_catalog_workload::Entity")]
+    KubeAppCatalogWorkload,
+    #[sea_orm(
+        belongs_to = "super::kube_cluster::Entity",
+        from = "Column::ClusterId",
+        to = "super::kube_cluster::Column::Id",
+        on_update = "NoAction",
+        on_delete = "NoAction"
+    )]
+    KubeCluster,
+    #[sea_orm(has_many = "super::kube_environment::Entity")]
+    KubeEnvironment,
+}
+
+impl Related<super::kube_app_catalog_workload::Entity> for Entity {
+    fn to() -> RelationDef {
+        Relation::KubeAppCatalogWorkload.def()
+    }
+}
+
+impl Related<super::kube_cluster::Entity> for Entity {
+    fn to() -> RelationDef {
+        Relation::KubeCluster.def()
+    }
+}
+
+impl Related<super::kube_environment::Entity> for Entity {
+    fn to() -> RelationDef {
+        Relation::KubeEnvironment.def()
+    }
+}
+
+impl ActiveModelBehavior for ActiveModel {}
diff --git a/crates/db/entities/src/kube_app_catalog_workload.rs b/crates/db/entities/src/kube_app_catalog_workload.rs
new file mode 100644
index 0000000..4976860
--- /dev/null
+++ b/crates/db/entities/src/kube_app_catalog_workload.rs
@@ -0,0 +1,56 @@
+//! `SeaORM` Entity, @generated by sea-orm-codegen 1.1.14
+
+use sea_orm::entity::prelude::*;
+
+#[derive(Clone, Debug, PartialEq, DeriveEntityModel, Eq)]
+#[sea_orm(table_name = "kube_app_catalog_workload")]
+pub struct Model {
+    #[sea_orm(primary_key, auto_increment = false)]
+    pub id: Uuid,
+    pub created_at: DateTimeWithTimeZone,
+    pub deleted_at: Option<DateTimeWithTimeZone>,
+    pub app_catalog_id: Uuid,
+    pub cluster_id: Uuid,
+    pub name: String,
+    pub namespace: String,
+    pub kind: String,
+    pub containers: Json,
+    pub ports: Json,
+    #[sea_orm(column_type = "Text")]
+    pub workload_yaml: String,
+    pub catalog_sync_version: i64,
+}
+
+#[derive(Copy, Clone, Debug, EnumIter, DeriveRelation)]
+pub enum Relation {
+    #[sea_orm(
+        belongs_to = "super::kube_app_catalog::Entity",
+        from = "Column::AppCatalogId",
+        to = "super::kube_app_catalog::Column::Id",
+        on_update = "NoAction",
+        on_delete = "NoAction"
+    )]
+    KubeAppCatalog,
+    #[sea_orm(
+        belongs_to = "super::kube_cluster::Entity",
+        from = "Column::ClusterId",
+        to = "super::kube_cluster::Column::Id",
+        on_update = "NoAction",
+        on_delete = "NoAction"
+    )]
+    KubeCluster,
+}
+
+impl Related<super::kube_app_catalog::Entity> for Entity {
+    fn to() -> RelationDef {
+        Relation::KubeAppCatalog.def()
+    }
+}
+
+impl Related<super::kube_cluster::Entity> for Entity {
+    fn to() -> RelationDef {
+        Relation::KubeCluster.def()
+    }
+}
+
+impl ActiveModelBehavior for ActiveModel {}
diff --git a/crates/db/entities/src/kube_app_catalog_workload_dependency.rs b/crates/db/entities/src/kube_app_catalog_workload_dependency.rs
new file mode 100644
index 0000000..5a452dd
--- /dev/null
+++ b/crates/db/entities/src/kube_app_catalog_workload_dependency.rs
@@ -0,0 +1,64 @@
+use sea_orm::entity::prelude::*;
+
+#[derive(Clone, Debug, PartialEq, DeriveEntityModel, Eq)]
+#[sea_orm(table_name = "kube_app_catalog_workload_dependency")]
+pub struct Model {
+    #[sea_orm(primary_key, auto_increment = false)]
+    pub id: Uuid,
+    pub created_at: DateTimeWithTimeZone,
+    pub deleted_at: Option<DateTimeWithTimeZone>,
+    pub app_catalog_id: Uuid,
+    pub workload_id: Uuid,
+    pub cluster_id: Uuid,
+    pub namespace: String,
+    pub resource_name: String,
+    pub resource_type: String,
+}
+
+#[derive(Copy, Clone, Debug, EnumIter, DeriveRelation)]
+pub enum Relation {
+    #[sea_orm(
+        belongs_to = "super::kube_app_catalog::Entity",
+        from = "Column::AppCatalogId",
+        to = "super::kube_app_catalog::Column::Id",
+        on_update = "NoAction",
+        on_delete = "NoAction"
+    )]
+    KubeAppCatalog,
+    #[sea_orm(
+        belongs_to = "super::kube_app_catalog_workload::Entity",
+        from = "Column::WorkloadId",
+        to = "super::kube_app_catalog_workload::Column::Id",
+        on_update = "NoAction",
+        on_delete = "NoAction"
+    )]
+    KubeAppCatalogWorkload,
+    #[sea_orm(
+        belongs_to = "super::kube_cluster::Entity",
+        from = "Column::ClusterId",
+        to = "super::kube_cluster::Column::Id",
+        on_update = "NoAction",
+        on_delete = "NoAction"
+    )]
+    KubeCluster,
+}
+
+impl Related<super::kube_app_catalog::Entity> for Entity {
+    fn to() -> RelationDef {
+        Relation::KubeAppCatalog.def()
+    }
+}
+
+impl Related<super::kube_app_catalog_workload::Entity> for Entity {
+    fn to() -> RelationDef {
+        Relation::KubeAppCatalogWorkload.def()
+    }
+}
+
+impl Related<super::kube_cluster::Entity> for Entity {
+    fn to() -> RelationDef {
+        Relation::KubeCluster.def()
+    }
+}
+
+impl ActiveModelBehavior for ActiveModel {}
diff --git a/crates/db/entities/src/kube_app_catalog_workload_label.rs b/crates/db/entities/src/kube_app_catalog_workload_label.rs
new file mode 100644
index 0000000..63cf299
--- /dev/null
+++ b/crates/db/entities/src/kube_app_catalog_workload_label.rs
@@ -0,0 +1,64 @@
+use sea_orm::entity::prelude::*;
+
+#[derive(Clone, Debug, PartialEq, DeriveEntityModel, Eq)]
+#[sea_orm(table_name = "kube_app_catalog_workload_label")]
+pub struct Model {
+    #[sea_orm(primary_key, auto_increment = false)]
+    pub id: Uuid,
+    pub created_at: DateTimeWithTimeZone,
+    pub deleted_at: Option<DateTimeWithTimeZone>,
+    pub app_catalog_id: Uuid,
+    pub workload_id: Uuid,
+    pub cluster_id: Uuid,
+    pub namespace: String,
+    pub label_key: String,
+    pub label_value: String,
+}
+
+#[derive(Copy, Clone, Debug, EnumIter, DeriveRelation)]
+pub enum Relation {
+    #[sea_orm(
+        belongs_to = "super::kube_app_catalog::Entity",
+        from = "Column::AppCatalogId",
+        to = "super::kube_app_catalog::Column::Id",
+        on_update = "NoAction",
+        on_delete = "NoAction"
+    )]
+    KubeAppCatalog,
+    #[sea_orm(
+        belongs_to = "super::kube_app_catalog_workload::Entity",
+        from = "Column::WorkloadId",
+        to = "super::kube_app_catalog_workload::Column::Id",
+        on_update = "NoAction",
+        on_delete = "NoAction"
+    )]
+    KubeAppCatalogWorkload,
+    #[sea_orm(
+        belongs_to = "super::kube_cluster::Entity",
+        from = "Column::ClusterId",
+        to = "super::kube_cluster::Column::Id",
+        on_update = "NoAction",
+        on_delete = "NoAction"
+    )]
+    KubeCluster,
+}
+
+impl Related<super::kube_app_catalog::Entity> for Entity {
+    fn to() -> RelationDef {
+        Relation::KubeAppCatalog.def()
+    }
+}
+
+impl Related<super::kube_app_catalog_workload::Entity> for Entity {
+    fn to() -> RelationDef {
+        Relation::KubeAppCatalogWorkload.def()
+    }
+}
+
+impl Related<super::kube_cluster::Entity> for Entity {
+    fn to() -> RelationDef {
+        Relation::KubeCluster.def()
+    }
+}
+
+impl ActiveModelBehavior for ActiveModel {}
diff --git a/crates/db/entities/src/kube_cluster.rs b/crates/db/entities/src/kube_cluster.rs
new file mode 100644
index 0000000..b19edbf
--- /dev/null
+++ b/crates/db/entities/src/kube_cluster.rs
@@ -0,0 +1,45 @@
+//! `SeaORM` Entity, @generated by sea-orm-codegen 1.1.14
+
+use sea_orm::entity::prelude::*;
+
+#[derive(Clone, Debug, PartialEq, DeriveEntityModel, Eq)]
+#[sea_orm(table_name = "kube_cluster")]
+pub struct Model {
+    #[sea_orm(primary_key, auto_increment = false)]
+    pub id: Uuid,
+    pub created_at: DateTimeWithTimeZone,
+    pub deleted_at: Option<DateTimeWithTimeZone>,
+    pub organization_id: Uuid,
+    pub created_by: Uuid,
+    pub name: String,
+    pub cluster_version: Option<String>,
+    pub status: String,
+    pub provider: Option<String>,
+    pub region: Option<String>,
+    pub manager_namespace: Option<String>,
+    pub last_reported_at: Option<DateTimeWithTimeZone>,
+    pub can_deploy_personal: bool,
+    pub can_deploy_shared: bool,
+}
+
+#[derive(Copy, Clone, Debug, EnumIter, DeriveRelation)]
+pub enum Relation {
+    #[sea_orm(has_many = "super::kube_app_catalog::Entity")]
+    KubeAppCatalog,
+    #[sea_orm(has_many = "super::kube_environment::Entity")]
+    KubeEnvironment,
+}
+
+impl Related<super::kube_app_catalog::Entity> for Entity {
+    fn to() -> RelationDef {
+        Relation::KubeAppCatalog.def()
+    }
+}
+
+impl Related<super::kube_environment::Entity> for Entity {
+    fn to() -> RelationDef {
+        Relation::KubeEnvironment.def()
+    }
+}
+
+impl ActiveModelBehavior for ActiveModel {}
diff --git a/crates/db/entities/src/kube_cluster_service.rs b/crates/db/entities/src/kube_cluster_service.rs
new file mode 100644
index 0000000..3e6002c
--- /dev/null
+++ b/crates/db/entities/src/kube_cluster_service.rs
@@ -0,0 +1,44 @@
+//! `SeaORM` Entity, @generated by sea-orm-codegen 1.1.14 (manually extended)
+
+use sea_orm::entity::prelude::*;
+
+#[derive(Clone, Debug, PartialEq, DeriveEntityModel, Eq)]
+#[sea_orm(table_name = "kube_cluster_service")]
+pub struct Model {
+    #[sea_orm(primary_key, auto_increment = false)]
+    pub id: Uuid,
+    pub created_at: DateTimeWithTimeZone,
+    pub updated_at: DateTimeWithTimeZone,
+    pub deleted_at: Option<DateTimeWithTimeZone>,
+    pub cluster_id: Uuid,
+    pub namespace: String,
+    pub name: String,
+    pub resource_version: String,
+    #[sea_orm(column_type = "Text")]
+    pub service_yaml: String,
+    pub selector: Json,
+    pub ports: Json,
+    pub service_type: Option<String>,
+    pub cluster_ip: Option<String>,
+    pub last_observed_at: DateTimeWithTimeZone,
+}
+
+#[derive(Copy, Clone, Debug, EnumIter, DeriveRelation)]
+pub enum Relation {
+    #[sea_orm(
+        belongs_to = "super::kube_cluster::Entity",
+        from = "Column::ClusterId",
+        to = "super::kube_cluster::Column::Id",
+        on_update = "NoAction",
+        on_delete = "Cascade"
+    )]
+    KubeCluster,
+}
+
+impl Related<super::kube_cluster::Entity> for Entity {
+    fn to() -> RelationDef {
+        Relation::KubeCluster.def()
+    }
+}
+
+impl ActiveModelBehavior for ActiveModel {}
diff --git a/crates/db/entities/src/kube_cluster_service_selector.rs b/crates/db/entities/src/kube_cluster_service_selector.rs
new file mode 100644
index 0000000..5319d6d
--- /dev/null
+++ b/crates/db/entities/src/kube_cluster_service_selector.rs
@@ -0,0 +1,49 @@
+use sea_orm::entity::prelude::*;
+
+#[derive(Clone, Debug, PartialEq, DeriveEntityModel, Eq)]
+#[sea_orm(table_name = "kube_cluster_service_selector")]
+pub struct Model {
+    #[sea_orm(primary_key, auto_increment = false)]
+    pub id: Uuid,
+    pub created_at: DateTimeWithTimeZone,
+    pub deleted_at: Option<DateTimeWithTimeZone>,
+    pub cluster_id: Uuid,
+    pub namespace: String,
+    pub service_id: Uuid,
+    pub label_key: String,
+    pub label_value: String,
+}
+
+#[derive(Copy, Clone, Debug, EnumIter, DeriveRelation)]
+pub enum Relation {
+    #[sea_orm(
+        belongs_to = "super::kube_cluster_service::Entity",
+        from = "Column::ServiceId",
+        to = "super::kube_cluster_service::Column::Id",
+        on_update = "NoAction",
+        on_delete = "NoAction"
+    )]
+    KubeClusterService,
+    #[sea_orm(
+        belongs_to = "super::kube_cluster::Entity",
+        from = "Column::ClusterId",
+        to = "super::kube_cluster::Column::Id",
+        on_update = "NoAction",
+        on_delete = "NoAction"
+    )]
+    KubeCluster,
+}
+
+impl Related<super::kube_cluster_service::Entity> for Entity {
+    fn to() -> RelationDef {
+        Relation::KubeClusterService.def()
+    }
+}
+
+impl Related<super::kube_cluster::Entity> for Entity {
+    fn to() -> RelationDef {
+        Relation::KubeCluster.def()
+    }
+}
+
+impl ActiveModelBehavior for ActiveModel {}
diff --git a/crates/db/entities/src/kube_cluster_token.rs b/crates/db/entities/src/kube_cluster_token.rs
new file mode 100644
index 0000000..a956d03
--- /dev/null
+++ b/crates/db/entities/src/kube_cluster_token.rs
@@ -0,0 +1,23 @@
+//! `SeaORM` Entity, @generated by sea-orm-codegen 1.1.14
+
+use sea_orm::entity::prelude::*;
+
+#[derive(Clone, Debug, PartialEq, DeriveEntityModel, Eq)]
+#[sea_orm(table_name = "kube_cluster_token")]
+pub struct Model {
+    #[sea_orm(primary_key, auto_increment = false)]
+    pub id: Uuid,
+    pub created_at: DateTimeWithTimeZone,
+    pub deleted_at: Option<DateTimeWithTimeZone>,
+    pub last_used_at: Option<DateTimeWithTimeZone>,
+    pub cluster_id: Uuid,
+    pub created_by: Uuid,
+    pub name: String,
+    #[sea_orm(column_type = "VarBinary(StringLen::None)")]
+    pub token: Vec<u8>,
+}
+
+#[derive(Copy, Clone, Debug, EnumIter, DeriveRelation)]
+pub enum Relation {}
+
+impl ActiveModelBehavior for ActiveModel {}
diff --git a/crates/db/entities/src/kube_devbox_service_intercept.rs b/crates/db/entities/src/kube_devbox_service_intercept.rs
new file mode 100644
index 0000000..9c56e86
--- /dev/null
+++ b/crates/db/entities/src/kube_devbox_service_intercept.rs
@@ -0,0 +1,101 @@
+//! `SeaORM` Entity, @generated by devbox_session plan implementation
+
+use sea_orm::entity::prelude::*;
+
+#[derive(Clone, Debug, PartialEq, DeriveEntityModel, Eq)]
+#[sea_orm(table_name = "kube_devbox_service_intercept")]
+pub struct Model {
+    #[sea_orm(primary_key, auto_increment = false)]
+    pub id: Uuid,
+    pub session_id: Uuid,
+    pub user_id: Uuid,
+    pub environment_id: Uuid,
+    pub workload_id: Uuid,
+    pub service_id: Option<Uuid>,
+    pub target_port: i32,
+    pub local_port: i32,
+    pub intercept_mode: String,
+    pub config_map_name: String,
+    pub routing_key: String,
+    pub sidecar_auth_token_hash: String,
+    pub tunnel_id: Uuid,
+    pub original_proxy_config: String,
+    pub created_at: DateTimeWithTimeZone,
+    pub restored_at: Option<DateTimeWithTimeZone>,
+}
+
+#[derive(Copy, Clone, Debug, EnumIter, DeriveRelation)]
+pub enum Relation {
+    #[sea_orm(
+        belongs_to = "super::kube_devbox_session::Entity",
+        from = "Column::SessionId",
+        to = "super::kube_devbox_session::Column::Id",
+        on_update = "NoAction",
+        on_delete = "NoAction"
+    )]
+    KubeDevboxSession,
+    #[sea_orm(
+        belongs_to = "super::user::Entity",
+        from = "Column::UserId",
+        to = "super::user::Column::Id",
+        on_update = "NoAction",
+        on_delete = "NoAction"
+    )]
+    User,
+    #[sea_orm(
+        belongs_to = "super::kube_environment::Entity",
+        from = "Column::EnvironmentId",
+        to = "super::kube_environment::Column::Id",
+        on_update = "NoAction",
+        on_delete = "NoAction"
+    )]
+    KubeEnvironment,
+    #[sea_orm(
+        belongs_to = "super::kube_environment_workload::Entity",
+        from = "Column::WorkloadId",
+        to = "super::kube_environment_workload::Column::Id",
+        on_update = "NoAction",
+        on_delete = "NoAction"
+    )]
+    KubeEnvironmentWorkload,
+    #[sea_orm(
+        belongs_to = "super::kube_environment_service::Entity",
+        from = "Column::ServiceId",
+        to = "super::kube_environment_service::Column::Id",
+        on_update = "NoAction",
+        on_delete = "NoAction"
+    )]
+    KubeEnvironmentService,
+}
+
+impl Related<super::kube_devbox_session::Entity> for Entity {
+    fn to() -> RelationDef {
+        Relation::KubeDevboxSession.def()
+    }
+}
+
+impl Related<super::user::Entity> for Entity {
+    fn to() -> RelationDef {
+        Relation::User.def()
+    }
+}
+
+impl Related<super::kube_environment::Entity> for Entity {
+    fn to() -> RelationDef {
+        Relation::KubeEnvironment.def()
+    }
+}
+
+impl Related<super::kube_environment_workload::Entity> for Entity {
+    fn to() -> RelationDef {
+        Relation::KubeEnvironmentWorkload.def()
+    }
+}
+
+impl Related<super::kube_environment_service::Entity> for Entity {
+    fn to() -> RelationDef {
+        Relation::KubeEnvironmentService.def()
+    }
+}
+
+impl ActiveModelBehavior for ActiveModel {}
diff --git a/crates/db/entities/src/kube_devbox_session.rs b/crates/db/entities/src/kube_devbox_session.rs
new file mode 100644
index 0000000..1567711
--- /dev/null
+++ b/crates/db/entities/src/kube_devbox_session.rs
@@ -0,0 +1,53 @@
+//! `SeaORM` Entity, @generated by devbox_session plan implementation
+
+use sea_orm::entity::prelude::*;
+
+#[derive(Clone, Debug, PartialEq, DeriveEntityModel, Eq)]
+#[sea_orm(table_name = "kube_devbox_session")]
+pub struct Model {
+    #[sea_orm(primary_key, auto_increment = false)]
+    pub id: Uuid,
+    pub user_id: Uuid,
+    pub session_token_hash: String,
+    pub token_prefix: String,
+    pub device_name: String,
+    pub active_environment_id: Option<Uuid>,
+    pub created_at: DateTimeWithTimeZone,
+    pub expires_at: DateTimeWithTimeZone,
+    pub last_used_at: DateTimeWithTimeZone,
+    pub revoked_at: Option<DateTimeWithTimeZone>,
+}
+
+#[derive(Copy, Clone, Debug, EnumIter, DeriveRelation)]
+pub enum Relation {
+    #[sea_orm(
+        belongs_to = "super::user::Entity",
+        from = "Column::UserId",
+        to = "super::user::Column::Id",
+        on_update = "NoAction",
+        on_delete = "NoAction"
+    )]
+    User,
+    #[sea_orm(
+        belongs_to = "super::kube_environment::Entity",
+        from = "Column::ActiveEnvironmentId",
+        to = "super::kube_environment::Column::Id",
+        on_update = "NoAction",
+        on_delete = "NoAction"
+    )]
+    ActiveEnvironment,
+}
+
+impl Related<super::user::Entity> for Entity {
+    fn to() -> RelationDef {
+        Relation::User.def()
+    }
+}
+
+impl Related<super::kube_environment::Entity> for Entity {
+    fn to() -> RelationDef {
+        Relation::ActiveEnvironment.def()
+    }
+}
+
+impl ActiveModelBehavior for ActiveModel {}
diff --git a/crates/db/entities/src/kube_devbox_workload_intercept.rs b/crates/db/entities/src/kube_devbox_workload_intercept.rs
new file mode 100644
index 0000000..7fa9322
--- /dev/null
+++ b/crates/db/entities/src/kube_devbox_workload_intercept.rs
@@ -0,0 +1,64 @@
+//! `SeaORM` Entity for kube_devbox_workload_intercept
+
+use sea_orm::entity::prelude::*;
+
+#[derive(Clone, Debug, PartialEq, DeriveEntityModel, Eq)]
+#[sea_orm(table_name = "kube_devbox_workload_intercept")]
+pub struct Model {
+    #[sea_orm(primary_key, auto_increment = false)]
+    pub id: Uuid,
+    pub user_id: Uuid,
+    pub environment_id: Uuid,
+    pub workload_id: Uuid,
+    pub port_mappings: Json,
+    pub created_at: DateTimeWithTimeZone,
+    pub stopped_at: Option<DateTimeWithTimeZone>,
+}
+
+#[derive(Copy, Clone, Debug, EnumIter, DeriveRelation)]
+pub enum Relation {
+    #[sea_orm(
+        belongs_to = "super::user::Entity",
+        from = "Column::UserId",
+        to = "super::user::Column::Id",
+        on_update = "NoAction",
+        on_delete = "NoAction"
+    )]
+    User,
+    #[sea_orm(
+        belongs_to = "super::kube_environment::Entity",
+        from = "Column::EnvironmentId",
+        to = "super::kube_environment::Column::Id",
+        on_update = "NoAction",
+        on_delete = "NoAction"
+    )]
+    Environment,
+    #[sea_orm(
+        belongs_to = "super::kube_environment_workload::Entity",
+        from = "Column::WorkloadId",
+        to = "super::kube_environment_workload::Column::Id",
+        on_update = "NoAction",
+        on_delete = "NoAction"
+    )]
+    Workload,
+}
+
+impl Related<super::kube_environment::Entity> for Entity {
+    fn to() -> RelationDef {
+        Relation::Environment.def()
+    }
+}
+
+impl Related<super::user::Entity> for Entity {
+    fn to() -> RelationDef {
+        Relation::User.def()
+    }
+}
+
+impl Related<super::kube_environment_workload::Entity> for Entity {
+    fn to() -> RelationDef {
+        Relation::Workload.def()
+    }
+}
+
+impl ActiveModelBehavior for ActiveModel {}
diff --git a/crates/db/entities/src/kube_environment.rs b/crates/db/entities/src/kube_environment.rs
new file mode 100644
index 0000000..7b15bf0
--- /dev/null
+++ b/crates/db/entities/src/kube_environment.rs
@@ -0,0 +1,93 @@
+//! `SeaORM` Entity, @generated by sea-orm-codegen 1.1.14
+
+use sea_orm::entity::prelude::*;
+
+#[derive(Clone, Debug, PartialEq, DeriveEntityModel, Eq)]
+#[sea_orm(table_name = "kube_environment")]
+pub struct Model {
+    #[sea_orm(primary_key, auto_increment = false)]
+    pub id: Uuid,
+    pub created_at: DateTimeWithTimeZone,
+    pub deleted_at: Option<DateTimeWithTimeZone>,
+    pub organization_id: Uuid,
+    pub user_id: Uuid,
+    pub app_catalog_id: Uuid,
+    pub cluster_id: Uuid,
+    pub name: String,
+    pub namespace: String,
+    pub status: String,
+    pub is_shared: bool,
+    pub catalog_sync_version: i64,
+    pub last_catalog_synced_at: Option<DateTimeWithTimeZone>,
+    pub paused_at: Option<DateTimeWithTimeZone>,
+    pub resumed_at: Option<DateTimeWithTimeZone>,
+    pub sync_status: String,
+    pub base_environment_id: Option<Uuid>,
+    pub auth_token: String,
+}
+
+#[derive(Copy, Clone, Debug, EnumIter, DeriveRelation)]
+pub enum Relation {
+    #[sea_orm(
+        belongs_to = "super::kube_app_catalog::Entity",
+        from = "Column::AppCatalogId",
+        to = "super::kube_app_catalog::Column::Id",
+        on_update = "NoAction",
+        on_delete = "NoAction"
+    )]
+    KubeAppCatalog,
+    #[sea_orm(
+        belongs_to = "super::kube_cluster::Entity",
+        from = "Column::ClusterId",
+        to = "super::kube_cluster::Column::Id",
+        on_update = "NoAction",
+        on_delete = "NoAction"
+    )]
+    KubeCluster,
+    #[sea_orm(
+        belongs_to = "Entity",
+        from = "Column::BaseEnvironmentId",
+        to = "Column::Id",
+        on_update = "NoAction",
+        on_delete = "NoAction"
+    )]
+    SelfRef,
+    #[sea_orm(has_many = "super::kube_environment_preview_url::Entity")]
+    KubeEnvironmentPreviewUrl,
+    #[sea_orm(has_many = "super::kube_environment_service::Entity")]
+    KubeEnvironmentService,
+    #[sea_orm(has_many = "super::kube_environment_workload::Entity")]
+    KubeEnvironmentWorkload,
+}
+
+impl Related<super::kube_app_catalog::Entity> for Entity {
+    fn to() -> RelationDef {
+        Relation::KubeAppCatalog.def()
+    }
+}
+
+impl Related<super::kube_cluster::Entity> for Entity {
+    fn to() -> RelationDef {
+        Relation::KubeCluster.def()
+    }
+}
+
+impl Related<super::kube_environment_preview_url::Entity> for Entity {
+    fn to() -> RelationDef {
+        Relation::KubeEnvironmentPreviewUrl.def()
+    }
+}
+
+impl Related<super::kube_environment_service::Entity> for Entity {
+    fn to() -> RelationDef {
+        Relation::KubeEnvironmentService.def()
+    }
+}
+
+impl Related<super::kube_environment_workload::Entity> for Entity {
+    fn to() -> RelationDef {
+        Relation::KubeEnvironmentWorkload.def()
+    }
+}
+
+impl ActiveModelBehavior for ActiveModel {}
diff --git a/crates/db/entities/src/kube_environment_preview_url.rs b/crates/db/entities/src/kube_environment_preview_url.rs
new file mode 100644
index 0000000..6f1d77b
--- /dev/null
+++ b/crates/db/entities/src/kube_environment_preview_url.rs
@@ -0,0 +1,59 @@
+//! `SeaORM` Entity, @generated by sea-orm-codegen 1.1.14
+
+use sea_orm::entity::prelude::*;
+
+#[derive(Clone, Debug, PartialEq, DeriveEntityModel, Eq)]
+#[sea_orm(table_name = "kube_environment_preview_url")]
+pub struct Model {
+    #[sea_orm(primary_key, auto_increment = false)]
+    pub id: Uuid,
+    pub created_at: DateTimeWithTimeZone,
+    pub updated_at: DateTimeWithTimeZone,
+    pub deleted_at: Option<DateTimeWithTimeZone>,
+    pub environment_id: Uuid,
+    pub service_id: Uuid,
+    pub name: String,
+    #[sea_orm(column_type = "Text", nullable)]
+    pub description: Option<String>,
+    pub port: i32,
+    pub port_name: Option<String>,
+    pub protocol: String,
+    pub access_level: String,
+    pub created_by: Uuid,
+    pub last_accessed_at: Option<DateTimeWithTimeZone>,
+    pub metadata: Json,
+}
+
+#[derive(Copy, Clone, Debug, EnumIter, DeriveRelation)]
+pub enum Relation {
+    #[sea_orm(
+        belongs_to = "super::kube_environment::Entity",
+        from = "Column::EnvironmentId",
+        to = "super::kube_environment::Column::Id",
+        on_update = "NoAction",
+        on_delete = "NoAction"
+    )]
+    KubeEnvironment,
+    #[sea_orm(
+        belongs_to = "super::kube_environment_service::Entity",
+        from = "Column::ServiceId",
+        to = "super::kube_environment_service::Column::Id",
+        on_update = "NoAction",
+        on_delete = "NoAction"
+    )]
+    KubeEnvironmentService,
+}
+
+impl Related<super::kube_environment::Entity> for Entity {
+    fn to() -> RelationDef {
+        Relation::KubeEnvironment.def()
+    }
+}
+
+impl Related<super::kube_environment_service::Entity> for Entity {
+    fn to() -> RelationDef {
+        Relation::KubeEnvironmentService.def()
+    }
+}
+
+impl ActiveModelBehavior for ActiveModel {}
diff --git a/crates/db/entities/src/kube_environment_service.rs b/crates/db/entities/src/kube_environment_service.rs
new file mode 100644
index 0000000..5347678
--- /dev/null
+++ b/crates/db/entities/src/kube_environment_service.rs
@@ -0,0 +1,47 @@
+//! `SeaORM` Entity, @generated by sea-orm-codegen 1.1.14
+
+use sea_orm::entity::prelude::*;
+
+#[derive(Clone, Debug, PartialEq, DeriveEntityModel, Eq)]
+#[sea_orm(table_name = "kube_environment_service")]
+pub struct Model {
+    #[sea_orm(primary_key, auto_increment = false)]
+    pub id: Uuid,
+    pub created_at: DateTimeWithTimeZone,
+    pub deleted_at: Option<DateTimeWithTimeZone>,
+    pub environment_id: Uuid,
+    pub name: String,
+    pub namespace: String,
+    #[sea_orm(column_type = "Text")]
+    pub yaml: String,
+    pub ports: Json,
+    pub selector: Json,
+}
+
+#[derive(Copy, Clone, Debug, EnumIter, DeriveRelation)]
+pub enum Relation {
+    #[sea_orm(
+        belongs_to = "super::kube_environment::Entity",
+        from = "Column::EnvironmentId",
+        to = "super::kube_environment::Column::Id",
+        on_update = "NoAction",
+        on_delete = "NoAction"
+    )]
+    KubeEnvironment,
+    #[sea_orm(has_many = "super::kube_environment_preview_url::Entity")]
+    KubeEnvironmentPreviewUrl,
+}
+
+impl Related<super::kube_environment::Entity> for Entity {
+    fn to() -> RelationDef {
+        Relation::KubeEnvironment.def()
+    }
+}
+
+impl Related<super::kube_environment_preview_url::Entity> for Entity {
+    fn to() -> RelationDef {
+        Relation::KubeEnvironmentPreviewUrl.def()
+    }
+}
+
+impl ActiveModelBehavior for ActiveModel {}
diff --git a/crates/db/entities/src/kube_environment_workload.rs b/crates/db/entities/src/kube_environment_workload.rs
new file mode 100644
index 0000000..58fb326
--- /dev/null
+++ b/crates/db/entities/src/kube_environment_workload.rs
@@ -0,0 +1,42 @@
+//! `SeaORM` Entity, @generated by sea-orm-codegen 1.1.14
+
+use sea_orm::entity::prelude::*;
+
+#[derive(Clone, Debug, PartialEq, DeriveEntityModel, Eq)]
+#[sea_orm(table_name = "kube_environment_workload")]
+pub struct Model {
+    #[sea_orm(primary_key, auto_increment = false)]
+    pub id: Uuid,
+    pub created_at: DateTimeWithTimeZone,
+    pub deleted_at: Option<DateTimeWithTimeZone>,
+    pub environment_id: Uuid,
+    pub base_workload_id: Option<Uuid>,
+    pub name: String,
+    pub namespace: String,
+    pub kind: String,
+    pub containers: Json,
+    pub ports: Json,
+    pub workload_yaml: String,
+    pub catalog_sync_version: i64,
+    pub ready_replicas: Option<i32>,
+}
+
+#[derive(Copy, Clone, Debug, EnumIter, DeriveRelation)]
+pub enum Relation {
+    #[sea_orm(
+        belongs_to = "super::kube_environment::Entity",
+        from = "Column::EnvironmentId",
+        to = "super::kube_environment::Column::Id",
+        on_update = "NoAction",
+        on_delete = "NoAction"
+    )]
+    KubeEnvironment,
+}
+
+impl Related<super::kube_environment::Entity> for Entity {
+    fn to() -> RelationDef {
+        Relation::KubeEnvironment.def()
+    }
+}
+
+impl ActiveModelBehavior for ActiveModel {}
diff --git a/crates/db/entities/src/kube_environment_workload_label.rs b/crates/db/entities/src/kube_environment_workload_label.rs
new file mode 100644
index 0000000..81752c6
--- /dev/null
+++ b/crates/db/entities/src/kube_environment_workload_label.rs
@@ -0,0 +1,50 @@
+//! `SeaORM` Entity, @generated manually
+
+use sea_orm::entity::prelude::*;
+
+#[derive(Clone, Debug, PartialEq, DeriveEntityModel, Eq)]
+#[sea_orm(table_name = "kube_environment_workload_label")]
+pub struct Model {
+    #[sea_orm(primary_key, auto_increment = false)]
+    pub id: Uuid,
+    pub created_at: DateTimeWithTimeZone,
+    pub deleted_at: Option<DateTimeWithTimeZone>,
+    pub environment_id: Uuid,
+    pub workload_id: Uuid,
+    pub label_key: String,
+    pub label_value: String,
+}
+
+#[derive(Copy, Clone, Debug, EnumIter, DeriveRelation)]
+pub enum Relation {
+    #[sea_orm(
+        belongs_to = "super::kube_environment::Entity",
+        from = "Column::EnvironmentId",
+        to = "super::kube_environment::Column::Id",
+        on_update = "NoAction",
+        on_delete = "NoAction"
+    )]
+    KubeEnvironment,
+    #[sea_orm(
+        belongs_to = "super::kube_environment_workload::Entity",
+        from = "Column::WorkloadId",
+        to = "super::kube_environment_workload::Column::Id",
+        on_update = "NoAction",
+        on_delete = "NoAction"
+    )]
+    KubeEnvironmentWorkload,
+}
+
+impl Related<super::kube_environment::Entity> for Entity {
+    fn to() -> RelationDef {
+        Relation::KubeEnvironment.def()
+    }
+}
+
+impl Related<super::kube_environment_workload::Entity> for Entity {
+    fn to() -> RelationDef {
+        Relation::KubeEnvironmentWorkload.def()
+    }
+}
+
+impl ActiveModelBehavior for ActiveModel {}
diff --git a/crates/db/entities/src/kube_namespace.rs b/crates/db/entities/src/kube_namespace.rs
new file mode 100644
index 0000000..157da61
--- /dev/null
+++ b/crates/db/entities/src/kube_namespace.rs
@@ -0,0 +1,22 @@
+//! `SeaORM` Entity, @generated by sea-orm-codegen 1.1.14
+
+use sea_orm::entity::prelude::*;
+
+#[derive(Clone, Debug, PartialEq, DeriveEntityModel, Eq)]
+#[sea_orm(table_name = "kube_namespace")]
+pub struct Model {
+    #[sea_orm(primary_key, auto_increment = false)]
+    pub id: Uuid,
+    pub created_at: DateTimeWithTimeZone,
+    pub deleted_at: Option<DateTimeWithTimeZone>,
+    pub organization_id: Uuid,
+    pub user_id: Uuid,
+    pub name: String,
+    pub description: Option<String>,
+    pub is_shared: bool,
+}
+
+#[derive(Copy, Clone, Debug, EnumIter, DeriveRelation)]
+pub enum Relation {}
+
+impl ActiveModelBehavior for ActiveModel {}
diff --git a/crates/db/entities/src/lib.rs b/crates/db/entities/src/lib.rs
new file mode 100644
index 0000000..6bf0e0b
--- /dev/null
+++ b/crates/db/entities/src/lib.rs
@@ -0,0 +1,37 @@
+//! `SeaORM` Entity, @generated by sea-orm-codegen 1.1.14
+
+pub mod prelude;
+
+pub mod audit_log;
+pub mod config;
+pub mod kube_app_catalog;
+pub mod kube_app_catalog_workload;
+pub mod kube_app_catalog_workload_dependency;
+pub mod kube_app_catalog_workload_label;
+pub mod kube_cluster;
+pub mod kube_cluster_service;
+pub mod kube_cluster_service_selector;
+pub mod kube_cluster_token;
+pub mod kube_devbox_session;
+pub mod kube_devbox_workload_intercept;
+pub mod kube_environment;
+pub mod kube_environment_preview_url;
+pub mod kube_environment_service;
+pub mod kube_environment_workload;
+pub mod kube_environment_workload_label;
+pub mod kube_namespace;
+pub mod machine_type;
+pub mod oauth_connection;
+pub mod organization;
+pub mod organization_member;
+pub mod prebuild;
+pub mod prebuild_replica;
+pub mod project;
+pub mod quota;
+pub mod ssh_public_key;
+pub mod usage;
+pub mod user;
+pub mod user_invitation;
+pub mod workspace;
+pub mod workspace_host;
+pub mod workspace_port;
diff --git a/lapdev-db/src/entities/machine_type.rs b/crates/db/entities/src/machine_type.rs
similarity index 94%
rename from lapdev-db/src/entities/machine_type.rs
rename to crates/db/entities/src/machine_type.rs
index ecf77fb..1aeff86 100644
--- a/lapdev-db/src/entities/machine_type.rs
+++ b/crates/db/entities/src/machine_type.rs
@@ -1,4 +1,4 @@
-//! `SeaORM` Entity. Generated by sea-orm-codegen 0.12.4
+//! `SeaORM` Entity, @generated by sea-orm-codegen 1.1.14
 
 use sea_orm::entity::prelude::*;
 
diff --git a/crates/db/entities/src/main.rs b/crates/db/entities/src/main.rs
new file mode 100644
index 0000000..26496d6
--- /dev/null
+++ b/crates/db/entities/src/main.rs
@@ -0,0 +1,4 @@
+#[tokio::main]
+pub async fn main() {
+    sea_orm_cli::main().await
+}
diff --git a/lapdev-db/src/entities/oauth_connection.rs b/crates/db/entities/src/oauth_connection.rs
similarity index 88%
rename from lapdev-db/src/entities/oauth_connection.rs
rename to crates/db/entities/src/oauth_connection.rs
index 5df7e58..dbc0803 100644
--- a/lapdev-db/src/entities/oauth_connection.rs
+++ b/crates/db/entities/src/oauth_connection.rs
@@ -1,4 +1,4 @@
-//! `SeaORM` Entity. Generated by sea-orm-codegen 0.12.4
+//! `SeaORM` Entity, @generated by sea-orm-codegen 1.1.14
 
 use sea_orm::entity::prelude::*;
 
@@ -17,7 +17,7 @@ pub struct Model {
     pub avatar_url: Option<String>,
     pub email: Option<String>,
     pub name: Option<String>,
-    pub read_repo: bool,
+    pub read_repo: Option<bool>,
 }
 
 #[derive(Copy, Clone, Debug, EnumIter, DeriveRelation)]
diff --git a/lapdev-db/src/entities/organization.rs b/crates/db/entities/src/organization.rs
similarity index 92%
rename from lapdev-db/src/entities/organization.rs
rename to crates/db/entities/src/organization.rs
index 5801ddf..a5d265f 100644
--- a/lapdev-db/src/entities/organization.rs
+++ b/crates/db/entities/src/organization.rs
@@ -1,4 +1,4 @@
-//! `SeaORM` Entity. Generated by sea-orm-codegen 0.12.4
+//! `SeaORM` Entity, @generated by sea-orm-codegen 1.1.14
 
 use sea_orm::entity::prelude::*;
 
diff --git a/lapdev-db/src/entities/organization_member.rs b/crates/db/entities/src/organization_member.rs
similarity index 89%
rename from lapdev-db/src/entities/organization_member.rs
rename to crates/db/entities/src/organization_member.rs
index 3ee3ba7..5e88937 100644
--- a/lapdev-db/src/entities/organization_member.rs
+++ b/crates/db/entities/src/organization_member.rs
@@ -1,4 +1,4 @@
-//! `SeaORM` Entity. Generated by sea-orm-codegen 0.12.4
+//! `SeaORM` Entity, @generated by sea-orm-codegen 1.1.14
 
 use sea_orm::entity::prelude::*;
 
diff --git a/lapdev-db/src/entities/prebuild.rs b/crates/db/entities/src/prebuild.rs
similarity index 96%
rename from lapdev-db/src/entities/prebuild.rs
rename to crates/db/entities/src/prebuild.rs
index 2ccb4e1..f89f6ec 100644
--- a/lapdev-db/src/entities/prebuild.rs
+++ b/crates/db/entities/src/prebuild.rs
@@ -1,4 +1,4 @@
-//! `SeaORM` Entity. Generated by sea-orm-codegen 0.12.4
+//! `SeaORM` Entity, @generated by sea-orm-codegen 1.1.14
 
 use sea_orm::entity::prelude::*;
 
diff --git a/lapdev-db/src/entities/prebuild_replica.rs b/crates/db/entities/src/prebuild_replica.rs
similarity index 95%
rename from lapdev-db/src/entities/prebuild_replica.rs
rename to crates/db/entities/src/prebuild_replica.rs
index 6a51123..83c2133 100644
--- a/lapdev-db/src/entities/prebuild_replica.rs
+++ b/crates/db/entities/src/prebuild_replica.rs
@@ -1,4 +1,4 @@
-//! `SeaORM` Entity. Generated by sea-orm-codegen 0.12.4
+//! `SeaORM` Entity, @generated by sea-orm-codegen 1.1.14
 
 use sea_orm::entity::prelude::*;
 
diff --git a/crates/db/entities/src/prelude.rs b/crates/db/entities/src/prelude.rs
new file mode 100644
index 0000000..7afbd9f
--- /dev/null
+++ b/crates/db/entities/src/prelude.rs
@@ -0,0 +1,35 @@
+//! `SeaORM` Entity, @generated by sea-orm-codegen 1.1.14
+
+pub use super::audit_log::Entity as AuditLog;
+pub use super::config::Entity as Config;
+pub use super::kube_app_catalog::Entity as KubeAppCatalog;
+pub use super::kube_app_catalog_workload::Entity as KubeAppCatalogWorkload;
+pub use super::kube_app_catalog_workload_dependency::Entity as KubeAppCatalogWorkloadDependency;
+pub use super::kube_app_catalog_workload_label::Entity as KubeAppCatalogWorkloadLabel;
+pub use super::kube_cluster::Entity as KubeCluster;
+pub use super::kube_cluster_service::Entity as KubeClusterService;
+pub use super::kube_cluster_service_selector::Entity as KubeClusterServiceSelector;
+pub use super::kube_cluster_token::Entity as KubeClusterToken;
+pub use super::kube_devbox_session::Entity as KubeDevboxSession;
+pub use super::kube_devbox_workload_intercept::Entity as KubeDevboxWorkloadIntercept;
+pub use super::kube_environment::Entity as KubeEnvironment;
+pub use super::kube_environment_preview_url::Entity as KubeEnvironmentPreviewUrl;
+pub use super::kube_environment_service::Entity as KubeEnvironmentService;
+pub use super::kube_environment_workload::Entity as KubeEnvironmentWorkload;
+pub use super::kube_environment_workload_label::Entity as KubeEnvironmentWorkloadLabel;
+pub use super::kube_namespace::Entity as KubeNamespace;
+pub use super::machine_type::Entity as MachineType;
+pub use super::oauth_connection::Entity as OauthConnection;
+pub use super::organization::Entity as Organization;
+pub use super::organization_member::Entity as OrganizationMember;
+pub use super::prebuild::Entity as Prebuild;
+pub use super::prebuild_replica::Entity as PrebuildReplica;
+pub use super::project::Entity as Project;
+pub use super::quota::Entity as Quota;
+pub use super::ssh_public_key::Entity as SshPublicKey;
+pub use super::usage::Entity as Usage;
+pub use super::user::Entity as User;
+pub use super::user_invitation::Entity as UserInvitation;
+pub use super::workspace::Entity as Workspace;
+pub use super::workspace_host::Entity as WorkspaceHost;
+pub use super::workspace_port::Entity as WorkspacePort;
diff --git a/lapdev-db/src/entities/project.rs b/crates/db/entities/src/project.rs
similarity index 95%
rename from lapdev-db/src/entities/project.rs
rename to crates/db/entities/src/project.rs
index d61208f..0a2dbb6 100644
--- a/lapdev-db/src/entities/project.rs
+++ b/crates/db/entities/src/project.rs
@@ -1,4 +1,4 @@
-//! `SeaORM` Entity. Generated by sea-orm-codegen 0.12.4
+//! `SeaORM` Entity, @generated by sea-orm-codegen 1.1.14
 
 use sea_orm::entity::prelude::*;
 
@@ -16,9 +16,9 @@ pub struct Model {
     pub repo_url: String,
     pub repo_name: String,
     pub machine_type_id: Uuid,
-    pub osuser: String,
-    pub host_id: Uuid,
     pub env: Option<String>,
+    pub host_id: Uuid,
+    pub osuser: String,
 }
 
 #[derive(Copy, Clone, Debug, EnumIter, DeriveRelation)]
diff --git a/lapdev-db/src/entities/quota.rs b/crates/db/entities/src/quota.rs
similarity index 90%
rename from lapdev-db/src/entities/quota.rs
rename to crates/db/entities/src/quota.rs
index f7429d1..549fb59 100644
--- a/lapdev-db/src/entities/quota.rs
+++ b/crates/db/entities/src/quota.rs
@@ -1,4 +1,4 @@
-//! `SeaORM` Entity. Generated by sea-orm-codegen 0.12.4
+//! `SeaORM` Entity, @generated by sea-orm-codegen 1.1.14
 
 use sea_orm::entity::prelude::*;
 
diff --git a/lapdev-db/src/entities/ssh_public_key.rs b/crates/db/entities/src/ssh_public_key.rs
similarity index 90%
rename from lapdev-db/src/entities/ssh_public_key.rs
rename to crates/db/entities/src/ssh_public_key.rs
index b50f059..5c73b8d 100644
--- a/lapdev-db/src/entities/ssh_public_key.rs
+++ b/crates/db/entities/src/ssh_public_key.rs
@@ -1,4 +1,4 @@
-//! `SeaORM` Entity. Generated by sea-orm-codegen 0.12.4
+//! `SeaORM` Entity, @generated by sea-orm-codegen 1.1.14
 
 use sea_orm::entity::prelude::*;
 
diff --git a/lapdev-db/src/entities/usage.rs b/crates/db/entities/src/usage.rs
similarity index 95%
rename from lapdev-db/src/entities/usage.rs
rename to crates/db/entities/src/usage.rs
index c0eca29..316c26c 100644
--- a/lapdev-db/src/entities/usage.rs
+++ b/crates/db/entities/src/usage.rs
@@ -1,4 +1,4 @@
-//! `SeaORM` Entity. Generated by sea-orm-codegen 0.12.4
+//! `SeaORM` Entity, @generated by sea-orm-codegen 1.1.14
 
 use sea_orm::entity::prelude::*;
 
diff --git a/lapdev-db/src/entities/user.rs b/crates/db/entities/src/user.rs
similarity index 94%
rename from lapdev-db/src/entities/user.rs
rename to crates/db/entities/src/user.rs
index 5fc75a3..3f2ae79 100644
--- a/lapdev-db/src/entities/user.rs
+++ b/crates/db/entities/src/user.rs
@@ -1,4 +1,4 @@
-//! `SeaORM` Entity. Generated by sea-orm-codegen 0.12.4
+//! `SeaORM` Entity, @generated by sea-orm-codegen 1.1.14
 
 use sea_orm::entity::prelude::*;
 
diff --git a/lapdev-db/src/entities/user_invitation.rs b/crates/db/entities/src/user_invitation.rs
similarity index 89%
rename from lapdev-db/src/entities/user_invitation.rs
rename to crates/db/entities/src/user_invitation.rs
index d47c480..e7a9945 100644
--- a/lapdev-db/src/entities/user_invitation.rs
+++ b/crates/db/entities/src/user_invitation.rs
@@ -1,4 +1,4 @@
-//! `SeaORM` Entity. Generated by sea-orm-codegen 0.12.4
+//! `SeaORM` Entity, @generated by sea-orm-codegen 1.1.14
 
 use sea_orm::entity::prelude::*;
 
diff --git a/lapdev-db/src/entities/workspace.rs b/crates/db/entities/src/workspace.rs
similarity index 97%
rename from lapdev-db/src/entities/workspace.rs
rename to crates/db/entities/src/workspace.rs
index bd1269f..ef2711f 100644
--- a/lapdev-db/src/entities/workspace.rs
+++ b/crates/db/entities/src/workspace.rs
@@ -1,4 +1,4 @@
-//! `SeaORM` Entity. Generated by sea-orm-codegen 0.12.4
+//! `SeaORM` Entity, @generated by sea-orm-codegen 1.1.14
 
 use sea_orm::entity::prelude::*;
 
@@ -8,7 +8,6 @@ pub struct Model {
     #[sea_orm(primary_key, auto_increment = false)]
     pub id: Uuid,
     pub created_at: DateTimeWithTimeZone,
-    pub updated_at: Option<DateTimeWithTimeZone>,
     pub deleted_at: Option<DateTimeWithTimeZone>,
     pub organization_id: Uuid,
     pub user_id: Uuid,
@@ -37,6 +36,7 @@ pub struct Model {
     pub auto_stop: Option<i32>,
     pub is_compose: bool,
     pub compose_parent: Option<Uuid>,
+    pub updated_at: Option<DateTimeWithTimeZone>,
     pub pinned: bool,
 }
 
diff --git a/lapdev-db/src/entities/workspace_host.rs b/crates/db/entities/src/workspace_host.rs
similarity index 95%
rename from lapdev-db/src/entities/workspace_host.rs
rename to crates/db/entities/src/workspace_host.rs
index b10afa6..c7bcaa0 100644
--- a/lapdev-db/src/entities/workspace_host.rs
+++ b/crates/db/entities/src/workspace_host.rs
@@ -1,4 +1,4 @@
-//! `SeaORM` Entity. Generated by sea-orm-codegen 0.12.4
+//! `SeaORM` Entity, @generated by sea-orm-codegen 1.1.14
 
 use sea_orm::entity::prelude::*;
 
diff --git a/lapdev-db/src/entities/workspace_port.rs b/crates/db/entities/src/workspace_port.rs
similarity index 93%
rename from lapdev-db/src/entities/workspace_port.rs
rename to crates/db/entities/src/workspace_port.rs
index ad98c42..feff708 100644
--- a/lapdev-db/src/entities/workspace_port.rs
+++ b/crates/db/entities/src/workspace_port.rs
@@ -1,4 +1,4 @@
-//! `SeaORM` Entity. Generated by sea-orm-codegen 0.12.4
+//! `SeaORM` Entity, @generated by sea-orm-codegen 1.1.14
 
 use sea_orm::entity::prelude::*;
 
@@ -7,13 +7,13 @@ use sea_orm::entity::prelude::*;
 pub struct Model {
     #[sea_orm(primary_key, auto_increment = false)]
     pub id: Uuid,
-    pub deleted_at: Option<DateTimeWithTimeZone>,
     pub workspace_id: Uuid,
     pub port: i32,
     pub host_port: i32,
     pub shared: bool,
     pub public: bool,
     pub label: Option<String>,
+    pub deleted_at: Option<DateTimeWithTimeZone>,
 }
 
 #[derive(Copy, Clone, Debug, EnumIter, DeriveRelation)]
diff --git a/crates/db/generate_entities.sh b/crates/db/generate_entities.sh
new file mode 100755
index 0000000..d5ed7db
--- /dev/null
+++ b/crates/db/generate_entities.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd -P)"
+(cd "${SCRIPT_DIR}/entities/src" && cargo run -- generate entity -l)
\ No newline at end of file
diff --git a/crates/db/generate_migration.sh b/crates/db/generate_migration.sh
new file mode 100755
index 0000000..93ae169
--- /dev/null
+++ b/crates/db/generate_migration.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd -P)"
+(cd "${SCRIPT_DIR}/migration" && cargo run -- generate $1)
\ No newline at end of file
diff --git a/crates/db/migration/Cargo.toml b/crates/db/migration/Cargo.toml
new file mode 100644
index 0000000..be02f72
--- /dev/null
+++ b/crates/db/migration/Cargo.toml
@@ -0,0 +1,15 @@
+[package]
+name = "lapdev-db-migration"
+version.workspace = true
+authors.workspace = true
+edition.workspace = true
+
+# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
+
+[dependencies]
+tokio.workspace = true
+sea-orm-cli.workspace = true
+sea-orm-migration.workspace = true
+uuid.workspace = true
+lapdev-db-entities.workspace = true
+lapdev-common.workspace = true
diff --git a/crates/db/migration/src/lib.rs b/crates/db/migration/src/lib.rs
new file mode 100644
index 0000000..bb954bb
--- /dev/null
+++ b/crates/db/migration/src/lib.rs
@@ -0,0 +1,80 @@
+use sea_orm_migration::prelude::*;
+
+mod m20231105_152940_create_machine_type_table;
+mod m20231105_193627_create_workspace_host_table;
+mod m20231106_100019_create_user_table;
+mod m20231106_100804_create_workspace_table;
+mod m20231109_171859_create_project_table;
+mod m20231113_170211_create_ssh_public_key_table;
+mod m20231114_110943_create_config_table;
+mod m20231130_151650_create_organization_table;
+mod m20231130_151937_create_organization_member_table;
+mod m20231213_143210_create_prebuild_table;
+mod m20240125_135149_create_quota_table;
+mod m20240129_215530_create_usage_table;
+mod m20240205_113409_create_audit_log_table;
+mod m20240228_141013_create_user_invitation_table;
+mod m20240311_220708_create_prebuild_replica_table;
+mod m20240312_175753_create_table_update_trigger;
+mod m20240316_194115_create_workspace_port_table;
+mod m20240823_165223_create_oauth_table;
+mod m20250729_082625_create_kube_cluster;
+mod m20250729_091307_create_kube_cluster_token;
+mod m20250801_000000_create_kube_app_catalog;
+mod m20250801_000002_create_kube_app_catalog_workload;
+mod m20250808_000001_create_kube_namespace;
+mod m20250809_000001_create_kube_environment;
+mod m20250809_000002_create_kube_environment_workload;
+mod m20250809_000003_create_kube_environment_service;
+mod m20250815_000001_create_kube_environment_preview_url;
+mod m20250820_000001_create_kube_cluster_service;
+mod m20250825_000001_create_kube_app_catalog_workload_label;
+mod m20250825_000002_create_kube_cluster_service_selector;
+mod m20250825_000003_create_kube_app_catalog_workload_dependency;
+mod m20250901_000001_create_kube_environment_workload_label;
+mod m20251008_000001_create_kube_devbox_session;
+mod m20251008_000002_create_kube_devbox_workload_intercept;
+
+pub struct Migrator;
+
+#[async_trait::async_trait]
+impl MigratorTrait for Migrator {
+    fn migrations() -> Vec<Box<dyn MigrationTrait>> {
+        vec![
+            Box::new(m20231105_152940_create_machine_type_table::Migration),
+            Box::new(m20231105_193627_create_workspace_host_table::Migration),
+            Box::new(m20231106_100019_create_user_table::Migration),
+            Box::new(m20231106_100804_create_workspace_table::Migration),
+            Box::new(m20231109_171859_create_project_table::Migration),
+            Box::new(m20231113_170211_create_ssh_public_key_table::Migration),
+            Box::new(m20231114_110943_create_config_table::Migration),
+            Box::new(m20231130_151650_create_organization_table::Migration),
+            Box::new(m20231130_151937_create_organization_member_table::Migration),
+            Box::new(m20231213_143210_create_prebuild_table::Migration),
+            Box::new(m20240125_135149_create_quota_table::Migration),
+            Box::new(m20240129_215530_create_usage_table::Migration),
+            Box::new(m20240205_113409_create_audit_log_table::Migration),
+            Box::new(m20240228_141013_create_user_invitation_table::Migration),
+            Box::new(m20240311_220708_create_prebuild_replica_table::Migration),
+            Box::new(m20240312_175753_create_table_update_trigger::Migration),
+            Box::new(m20240316_194115_create_workspace_port_table::Migration),
+            Box::new(m20240823_165223_create_oauth_table::Migration),
+            Box::new(m20250729_082625_create_kube_cluster::Migration),
+            Box::new(m20250729_091307_create_kube_cluster_token::Migration),
+            Box::new(m20250801_000000_create_kube_app_catalog::Migration),
+            Box::new(m20250801_000002_create_kube_app_catalog_workload::Migration),
+            Box::new(m20250808_000001_create_kube_namespace::Migration),
+            Box::new(m20250809_000001_create_kube_environment::Migration),
+            Box::new(m20250809_000002_create_kube_environment_workload::Migration),
+            Box::new(m20250809_000003_create_kube_environment_service::Migration),
+            Box::new(m20250815_000001_create_kube_environment_preview_url::Migration),
+            Box::new(m20250820_000001_create_kube_cluster_service::Migration),
+            Box::new(m20250825_000001_create_kube_app_catalog_workload_label::Migration),
+            Box::new(m20250825_000002_create_kube_cluster_service_selector::Migration),
+            Box::new(m20250825_000003_create_kube_app_catalog_workload_dependency::Migration),
+            Box::new(m20250901_000001_create_kube_environment_workload_label::Migration),
+            Box::new(m20251008_000001_create_kube_devbox_session::Migration),
+            Box::new(m20251008_000002_create_kube_devbox_workload_intercept::Migration),
+        ]
+    }
+}
diff --git a/lapdev-db/src/migration/m20231105_152940_create_machine_type_table.rs b/crates/db/migration/src/m20231105_152940_create_machine_type_table.rs
similarity index 95%
rename from lapdev-db/src/migration/m20231105_152940_create_machine_type_table.rs
rename to crates/db/migration/src/m20231105_152940_create_machine_type_table.rs
index dd9b234..2f018c1 100644
--- a/lapdev-db/src/migration/m20231105_152940_create_machine_type_table.rs
+++ b/crates/db/migration/src/m20231105_152940_create_machine_type_table.rs
@@ -2,8 +2,6 @@ use sea_orm::{ActiveModelTrait, ActiveValue};
 use sea_orm_migration::prelude::*;
 use uuid::Uuid;
 
-use crate::entities;
-
 #[derive(DeriveMigrationName)]
 pub struct Migration;
 
@@ -37,7 +35,7 @@ impl MigrationTrait for Migration {
             .await?;
 
         let conn = manager.get_connection();
-        entities::machine_type::ActiveModel {
+        lapdev_db_entities::machine_type::ActiveModel {
             id: ActiveValue::Set(Uuid::new_v4()),
             name: ActiveValue::Set("Standard".to_string()),
             shared: ActiveValue::Set(false),
@@ -49,7 +47,7 @@ impl MigrationTrait for Migration {
         }
         .insert(conn)
         .await?;
-        entities::machine_type::ActiveModel {
+        lapdev_db_entities::machine_type::ActiveModel {
             id: ActiveValue::Set(Uuid::new_v4()),
             name: ActiveValue::Set("Large".to_string()),
             shared: ActiveValue::Set(false),
diff --git a/lapdev-db/src/migration/m20231105_193627_create_workspace_host_table.rs b/crates/db/migration/src/m20231105_193627_create_workspace_host_table.rs
similarity index 100%
rename from lapdev-db/src/migration/m20231105_193627_create_workspace_host_table.rs
rename to crates/db/migration/src/m20231105_193627_create_workspace_host_table.rs
diff --git a/lapdev-db/src/migration/m20231106_100019_create_user_table.rs b/crates/db/migration/src/m20231106_100019_create_user_table.rs
similarity index 100%
rename from lapdev-db/src/migration/m20231106_100019_create_user_table.rs
rename to crates/db/migration/src/m20231106_100019_create_user_table.rs
diff --git a/lapdev-db/src/migration/m20231106_100804_create_workspace_table.rs b/crates/db/migration/src/m20231106_100804_create_workspace_table.rs
similarity index 99%
rename from lapdev-db/src/migration/m20231106_100804_create_workspace_table.rs
rename to crates/db/migration/src/m20231106_100804_create_workspace_table.rs
index 7e03b68..38f55d1 100644
--- a/lapdev-db/src/migration/m20231106_100804_create_workspace_table.rs
+++ b/crates/db/migration/src/m20231106_100804_create_workspace_table.rs
@@ -1,6 +1,6 @@
 use sea_orm_migration::prelude::*;
 
-use crate::migration::{
+use crate::{
     m20231105_152940_create_machine_type_table::MachineType,
     m20231105_193627_create_workspace_host_table::WorkspaceHost,
 };
diff --git a/lapdev-db/src/migration/m20231109_171859_create_project_table.rs b/crates/db/migration/src/m20231109_171859_create_project_table.rs
similarity index 96%
rename from lapdev-db/src/migration/m20231109_171859_create_project_table.rs
rename to crates/db/migration/src/m20231109_171859_create_project_table.rs
index 29ccc16..b99bc2f 100644
--- a/lapdev-db/src/migration/m20231109_171859_create_project_table.rs
+++ b/crates/db/migration/src/m20231109_171859_create_project_table.rs
@@ -1,6 +1,6 @@
 use sea_orm_migration::prelude::*;
 
-use crate::migration::m20231105_152940_create_machine_type_table::MachineType;
+use crate::m20231105_152940_create_machine_type_table::MachineType;
 
 #[derive(DeriveMigrationName)]
 pub struct Migration;
diff --git a/lapdev-db/src/migration/m20231113_170211_create_ssh_public_key_table.rs b/crates/db/migration/src/m20231113_170211_create_ssh_public_key_table.rs
similarity index 100%
rename from lapdev-db/src/migration/m20231113_170211_create_ssh_public_key_table.rs
rename to crates/db/migration/src/m20231113_170211_create_ssh_public_key_table.rs
diff --git a/lapdev-db/src/migration/m20231114_110943_create_config_table.rs b/crates/db/migration/src/m20231114_110943_create_config_table.rs
similarity index 91%
rename from lapdev-db/src/migration/m20231114_110943_create_config_table.rs
rename to crates/db/migration/src/m20231114_110943_create_config_table.rs
index 91f684d..87ce566 100644
--- a/lapdev-db/src/migration/m20231114_110943_create_config_table.rs
+++ b/crates/db/migration/src/m20231114_110943_create_config_table.rs
@@ -1,8 +1,7 @@
+use lapdev_common::config::LAPDEV_CLUSTER_NOT_INITIATED;
 use sea_orm::{ActiveModelTrait, ActiveValue};
 use sea_orm_migration::prelude::*;
 
-use crate::{api::LAPDEV_CLUSTER_NOT_INITIATED, entities};
-
 #[derive(DeriveMigrationName)]
 pub struct Migration;
 
@@ -26,7 +25,7 @@ impl MigrationTrait for Migration {
             .await?;
 
         let conn = manager.get_connection();
-        entities::config::ActiveModel {
+        lapdev_db_entities::config::ActiveModel {
             name: ActiveValue::Set(LAPDEV_CLUSTER_NOT_INITIATED.to_string()),
             value: ActiveValue::Set("yes".to_string()),
         }
diff --git a/lapdev-db/src/migration/m20231130_151650_create_organization_table.rs b/crates/db/migration/src/m20231130_151650_create_organization_table.rs
similarity index 100%
rename from lapdev-db/src/migration/m20231130_151650_create_organization_table.rs
rename to crates/db/migration/src/m20231130_151650_create_organization_table.rs
diff --git a/lapdev-db/src/migration/m20231130_151937_create_organization_member_table.rs b/crates/db/migration/src/m20231130_151937_create_organization_member_table.rs
similarity index 100%
rename from lapdev-db/src/migration/m20231130_151937_create_organization_member_table.rs
rename to crates/db/migration/src/m20231130_151937_create_organization_member_table.rs
diff --git a/lapdev-db/src/migration/m20231213_143210_create_prebuild_table.rs b/crates/db/migration/src/m20231213_143210_create_prebuild_table.rs
similarity index 96%
rename from lapdev-db/src/migration/m20231213_143210_create_prebuild_table.rs
rename to crates/db/migration/src/m20231213_143210_create_prebuild_table.rs
index 92bb126..bf6d084 100644
--- a/lapdev-db/src/migration/m20231213_143210_create_prebuild_table.rs
+++ b/crates/db/migration/src/m20231213_143210_create_prebuild_table.rs
@@ -1,8 +1,8 @@
 use sea_orm_migration::prelude::*;
 
 use crate::{
-    migration::m20231105_193627_create_workspace_host_table::WorkspaceHost,
-    migration::m20231109_171859_create_project_table::Project,
+    m20231105_193627_create_workspace_host_table::WorkspaceHost,
+    m20231109_171859_create_project_table::Project,
 };
 
 #[derive(DeriveMigrationName)]
diff --git a/lapdev-db/src/migration/m20240125_135149_create_quota_table.rs b/crates/db/migration/src/m20240125_135149_create_quota_table.rs
similarity index 100%
rename from lapdev-db/src/migration/m20240125_135149_create_quota_table.rs
rename to crates/db/migration/src/m20240125_135149_create_quota_table.rs
diff --git a/lapdev-db/src/migration/m20240129_215530_create_usage_table.rs b/crates/db/migration/src/m20240129_215530_create_usage_table.rs
similarity index 100%
rename from lapdev-db/src/migration/m20240129_215530_create_usage_table.rs
rename to crates/db/migration/src/m20240129_215530_create_usage_table.rs
diff --git a/lapdev-db/src/migration/m20240205_113409_create_audit_log_table.rs b/crates/db/migration/src/m20240205_113409_create_audit_log_table.rs
similarity index 100%
rename from lapdev-db/src/migration/m20240205_113409_create_audit_log_table.rs
rename to crates/db/migration/src/m20240205_113409_create_audit_log_table.rs
diff --git a/lapdev-db/src/migration/m20240228_141013_create_user_invitation_table.rs b/crates/db/migration/src/m20240228_141013_create_user_invitation_table.rs
similarity index 100%
rename from lapdev-db/src/migration/m20240228_141013_create_user_invitation_table.rs
rename to crates/db/migration/src/m20240228_141013_create_user_invitation_table.rs
diff --git a/lapdev-db/src/migration/m20240311_220708_create_prebuild_replica_table.rs b/crates/db/migration/src/m20240311_220708_create_prebuild_replica_table.rs
similarity index 100%
rename from lapdev-db/src/migration/m20240311_220708_create_prebuild_replica_table.rs
rename to crates/db/migration/src/m20240311_220708_create_prebuild_replica_table.rs
diff --git a/lapdev-db/src/migration/m20240312_175753_create_table_update_trigger.rs b/crates/db/migration/src/m20240312_175753_create_table_update_trigger.rs
similarity index 100%
rename from lapdev-db/src/migration/m20240312_175753_create_table_update_trigger.rs
rename to crates/db/migration/src/m20240312_175753_create_table_update_trigger.rs
diff --git a/lapdev-db/src/migration/m20240316_194115_create_workspace_port_table.rs b/crates/db/migration/src/m20240316_194115_create_workspace_port_table.rs
similarity index 100%
rename from lapdev-db/src/migration/m20240316_194115_create_workspace_port_table.rs
rename to crates/db/migration/src/m20240316_194115_create_workspace_port_table.rs
diff --git a/lapdev-db/src/migration/m20240823_165223_create_oauth_table.rs b/crates/db/migration/src/m20240823_165223_create_oauth_table.rs
similarity index 99%
rename from lapdev-db/src/migration/m20240823_165223_create_oauth_table.rs
rename to crates/db/migration/src/m20240823_165223_create_oauth_table.rs
index 939bc3a..2796d3e 100644
--- a/lapdev-db/src/migration/m20240823_165223_create_oauth_table.rs
+++ b/crates/db/migration/src/m20240823_165223_create_oauth_table.rs
@@ -85,7 +85,7 @@ impl MigrationTrait for Migration {
 }
 
 #[derive(DeriveIden)]
-enum OauthConnection {
+pub enum OauthConnection {
     Table,
     Id,
     UserId,
diff --git a/crates/db/migration/src/m20250729_082625_create_kube_cluster.rs b/crates/db/migration/src/m20250729_082625_create_kube_cluster.rs
new file mode 100644
index 0000000..b9b485e
--- /dev/null
+++ b/crates/db/migration/src/m20250729_082625_create_kube_cluster.rs
@@ -0,0 +1,86 @@
+use sea_orm_migration::prelude::*;
+
+#[derive(DeriveMigrationName)]
+pub struct Migration;
+
+#[async_trait::async_trait]
+impl MigrationTrait for Migration {
+    async fn up(&self, manager: &SchemaManager) -> Result<(), DbErr> {
+        manager
+            .create_table(
+                Table::create()
+                    .table(KubeCluster::Table)
+                    .if_not_exists()
+                    .col(
+                        ColumnDef::new(KubeCluster::Id)
+                            .uuid()
+                            .not_null()
+                            .primary_key(),
+                    )
+                    .col(
+                        ColumnDef::new(KubeCluster::CreatedAt)
+                            .timestamp_with_time_zone()
+                            .not_null(),
+                    )
+                    .col(ColumnDef::new(KubeCluster::DeletedAt).timestamp_with_time_zone())
+                    .col(
+                        ColumnDef::new(KubeCluster::OrganizationId)
+                            .uuid()
+                            .not_null(),
+                    )
+                    .col(ColumnDef::new(KubeCluster::CreatedBy).uuid().not_null())
+                    .col(ColumnDef::new(KubeCluster::Name).string().not_null())
+                    .col(ColumnDef::new(KubeCluster::ClusterVersion).string())
+                    .col(ColumnDef::new(KubeCluster::Status).string().not_null())
+                    .col(ColumnDef::new(KubeCluster::Provider).string())
+                    .col(ColumnDef::new(KubeCluster::Region).string())
+                    .col(ColumnDef::new(KubeCluster::ManagerNamespace).string())
+                    .col(ColumnDef::new(KubeCluster::LastReportedAt).timestamp_with_time_zone())
+                    .col(
+                        ColumnDef::new(KubeCluster::CanDeployPersonal)
+                            .boolean()
+                            .not_null(),
+                    )
+                    .col(
+                        ColumnDef::new(KubeCluster::CanDeployShared)
+                            .boolean()
+                            .not_null(),
+                    )
+                    .to_owned(),
+            )
+            .await?;
+
+        // Create optimal composite index for get_all_kube_clusters query
+        // Covers: organization_id, deleted_at, created_at (for ordering)
+        manager
+            .create_index(
+                Index::create()
+                    .name("kube_cluster_org_deleted_created_idx")
+                    .table(KubeCluster::Table)
+                    .col(KubeCluster::OrganizationId)
+                    .col(KubeCluster::DeletedAt)
+                    .col(KubeCluster::CreatedAt)
+                    .to_owned(),
+            )
+            .await
+    }
+}
+
+#[derive(DeriveIden)]
+pub enum KubeCluster {
+    Table,
+    Id,
+    CreatedAt,
+    DeletedAt,
+    OrganizationId,
+    CreatedBy,
+    Name,
+    ClusterVersion,
+    Status,
+    Provider,
+    Region,
+    LastReportedAt,
+    CanDeployPersonal,
+    CanDeployShared,
+    ManagerNamespace,
+}
diff --git a/crates/db/migration/src/m20250729_091307_create_kube_cluster_token.rs b/crates/db/migration/src/m20250729_091307_create_kube_cluster_token.rs
new file mode 100644
index 0000000..f746346
--- /dev/null
+++ b/crates/db/migration/src/m20250729_091307_create_kube_cluster_token.rs
@@ -0,0 +1,71 @@
+use sea_orm_migration::prelude::*;
+
+#[derive(DeriveMigrationName)]
+pub struct Migration;
+
+#[async_trait::async_trait]
+impl MigrationTrait for Migration {
+    async fn up(&self, manager: &SchemaManager) -> Result<(), DbErr> {
+        manager
+            .create_table(
+                Table::create()
+                    .table(KubeClusterToken::Table)
+                    .if_not_exists()
+                    .col(
+                        ColumnDef::new(KubeClusterToken::Id)
+                            .uuid()
+                            .not_null()
+                            .primary_key(),
+                    )
+                    .col(
+                        ColumnDef::new(KubeClusterToken::CreatedAt)
+                            .timestamp_with_time_zone()
+                            .not_null(),
+                    )
+                    .col(ColumnDef::new(KubeClusterToken::DeletedAt).timestamp_with_time_zone())
+                    .col(ColumnDef::new(KubeClusterToken::LastUsedAt).timestamp_with_time_zone())
+                    .col(
+                        ColumnDef::new(KubeClusterToken::ClusterId)
+                            .uuid()
+                            .not_null(),
+                    )
+                    .col(
+                        ColumnDef::new(KubeClusterToken::CreatedBy)
+                            .uuid()
+                            .not_null(),
+                    )
+                    .col(ColumnDef::new(KubeClusterToken::Name).string().not_null())
+                    .col(ColumnDef::new(KubeClusterToken::Token).binary().not_null())
+                    .to_owned(),
+            )
+            .await?;
+
+        manager
+            .create_index(
+                Index::create()
+                    .name("kube_cluster_token_token_deleted_at_idx")
+                    .table(KubeClusterToken::Table)
+                    .unique()
+                    .nulls_not_distinct()
+                    .col(KubeClusterToken::Token)
+                    .col(KubeClusterToken::DeletedAt)
+                    .to_owned(),
+            )
+            .await?;
+
+        Ok(())
+    }
+}
+
+#[derive(DeriveIden)]
+enum KubeClusterToken {
+    Table,
+    Id,
+    CreatedAt,
+    DeletedAt,
+    LastUsedAt,
+    ClusterId,
+    CreatedBy,
+    Name,
+    Token,
+}
diff --git a/crates/db/migration/src/m20250801_000000_create_kube_app_catalog.rs b/crates/db/migration/src/m20250801_000000_create_kube_app_catalog.rs
new file mode 100644
index 0000000..a527302
--- /dev/null
+++ b/crates/db/migration/src/m20250801_000000_create_kube_app_catalog.rs
@@ -0,0 +1,128 @@
+use sea_orm_migration::prelude::*;
+
+use crate::{
+    m20231106_100019_create_user_table::User, m20250729_082625_create_kube_cluster::KubeCluster,
+};
+
+#[derive(DeriveMigrationName)]
+pub struct Migration;
+
+#[async_trait::async_trait]
+impl MigrationTrait for Migration {
+    async fn up(&self, manager: &SchemaManager) -> Result<(), DbErr> {
+        manager
+            .create_table(
+                Table::create()
+                    .table(KubeAppCatalog::Table)
+                    .if_not_exists()
+                    .col(
+                        ColumnDef::new(KubeAppCatalog::Id)
+                            .uuid()
+                            .not_null()
+                            .primary_key(),
+                    )
+                    .col(
+                        ColumnDef::new(KubeAppCatalog::CreatedAt)
+                            .timestamp_with_time_zone()
+                            .not_null(),
+                    )
+                    .col(ColumnDef::new(KubeAppCatalog::DeletedAt).timestamp_with_time_zone())
+                    .col(
+                        ColumnDef::new(KubeAppCatalog::OrganizationId)
+                            .uuid()
+                            .not_null(),
+                    )
+                    .col(ColumnDef::new(KubeAppCatalog::CreatedBy).uuid().not_null())
+                    .col(ColumnDef::new(KubeAppCatalog::Name).string().not_null())
+                    .col(ColumnDef::new(KubeAppCatalog::Description).text())
+                    .col(ColumnDef::new(KubeAppCatalog::Resources).text().not_null())
+                    .col(ColumnDef::new(KubeAppCatalog::ClusterId).uuid().not_null())
+                    .col(
+                        ColumnDef::new(KubeAppCatalog::SyncVersion)
+                            .big_integer()
+                            .not_null()
+                            .default(0),
+                    )
+                    .col(ColumnDef::new(KubeAppCatalog::LastSyncedAt).timestamp_with_time_zone())
+                    .col(ColumnDef::new(KubeAppCatalog::LastSyncActorId).uuid())
+                    .foreign_key(
+                        ForeignKey::create()
+                            .from(KubeAppCatalog::Table, KubeAppCatalog::ClusterId)
+                            .to(KubeCluster::Table, KubeCluster::Id),
+                    )
+                    .foreign_key(
+                        ForeignKey::create()
+                            .from(KubeAppCatalog::Table, KubeAppCatalog::LastSyncActorId)
+                            .to(User::Table, User::Id)
+                            .on_delete(ForeignKeyAction::SetNull)
+                            .on_update(ForeignKeyAction::Cascade),
+                    )
+                    .to_owned(),
+            )
+            .await?;
+
+        // Enable extensions for trigram text search and btree types in GIN
+        manager
+            .get_connection()
+            .execute_unprepared("CREATE EXTENSION IF NOT EXISTS pg_trgm;")
+            .await?;
+
+        manager
+            .get_connection()
+            .execute_unprepared("CREATE EXTENSION IF NOT EXISTS btree_gin;")
+            .await?;
+
+        // Create partial B-tree index for active catalog pagination without name search
+        manager
+            .get_connection()
+            .execute_unprepared(
+                "CREATE INDEX kube_app_catalog_org_deleted_created_idx ON kube_app_catalog \
+                 (organization_id, deleted_at DESC, created_at DESC) \
+                 WHERE deleted_at IS NULL;",
+            )
+            .await?;
+
+        // Create trigram GIN index for case-insensitive wildcard name searches.
+        // We rely on the B-tree indexes above for organization / deleted filters to avoid
+        // the unsupported gin_btree_ops operator class on some Postgres installations.
+        manager
+            .get_connection()
+            .execute_unprepared(
+                "CREATE INDEX kube_app_catalog_gin_search_idx ON kube_app_catalog \
+                 USING gin (LOWER(name) gin_trgm_ops) \
+                 WHERE deleted_at IS NULL;",
+            )
+            .await?;
+
+        // Create index for cluster dependency checks (used when deleting clusters)
+        manager
+            .create_index(
+                Index::create()
+                    .name("kube_app_catalog_cluster_deleted_idx")
+                    .table(KubeAppCatalog::Table)
+                    .col(KubeAppCatalog::ClusterId)
+                    .col(KubeAppCatalog::DeletedAt)
+                    .to_owned(),
+            )
+            .await?;
+
+        Ok(())
+    }
+}
+
+#[derive(DeriveIden)]
+pub enum KubeAppCatalog {
+    Table,
+    Id,
+    CreatedAt,
+    DeletedAt,
+    OrganizationId,
+    CreatedBy,
+    Name,
+    Description,
+    Resources,
+    ClusterId,
+    SyncVersion,
+    LastSyncedAt,
+    LastSyncActorId,
+}
diff --git a/crates/db/migration/src/m20250801_000002_create_kube_app_catalog_workload.rs b/crates/db/migration/src/m20250801_000002_create_kube_app_catalog_workload.rs
new file mode 100644
index 0000000..614c39e
--- /dev/null
+++ b/crates/db/migration/src/m20250801_000002_create_kube_app_catalog_workload.rs
@@ -0,0 +1,173 @@
+use sea_orm_migration::prelude::*;
+
+use crate::{
+    m20250729_082625_create_kube_cluster::KubeCluster,
+    m20250801_000000_create_kube_app_catalog::KubeAppCatalog,
+};
+
+#[derive(DeriveMigrationName)]
+pub struct Migration;
+
+#[async_trait::async_trait]
+impl MigrationTrait for Migration {
+    async fn up(&self, manager: &SchemaManager) -> Result<(), DbErr> {
+        manager
+            .create_table(
+                Table::create()
+                    .table(KubeAppCatalogWorkload::Table)
+                    .if_not_exists()
+                    .col(
+                        ColumnDef::new(KubeAppCatalogWorkload::Id)
+                            .uuid()
+                            .not_null()
+                            .primary_key(),
+                    )
+                    .col(
+                        ColumnDef::new(KubeAppCatalogWorkload::CreatedAt)
+                            .timestamp_with_time_zone()
+                            .not_null(),
+                    )
+                    .col(
+                        ColumnDef::new(KubeAppCatalogWorkload::DeletedAt)
+                            .timestamp_with_time_zone(),
+                    )
+                    .col(
+                        ColumnDef::new(KubeAppCatalogWorkload::AppCatalogId)
+                            .uuid()
+                            .not_null(),
+                    )
+                    .col(
+                        ColumnDef::new(KubeAppCatalogWorkload::ClusterId)
+                            .uuid()
+                            .not_null(),
+                    )
+                    .col(
+                        ColumnDef::new(KubeAppCatalogWorkload::Name)
+                            .string()
+                            .not_null(),
+                    )
+                    .col(
+                        ColumnDef::new(KubeAppCatalogWorkload::Namespace)
+                            .string()
+                            .not_null(),
+                    )
+                    .col(
+                        ColumnDef::new(KubeAppCatalogWorkload::Kind)
+                            .string()
+                            .not_null(),
+                    )
+                    .col(
+                        ColumnDef::new(KubeAppCatalogWorkload::Containers)
+                            .json()
+                            .not_null(),
+                    )
+                    .col(
+                        ColumnDef::new(KubeAppCatalogWorkload::Ports)
+                            .json()
+                            .not_null(),
+                    )
+                    .col(
+                        ColumnDef::new(KubeAppCatalogWorkload::WorkloadYaml)
+                            .text()
+                            .not_null()
+                            .default(""),
+                    )
+                    .col(
+                        ColumnDef::new(KubeAppCatalogWorkload::CatalogSyncVersion)
+                            .big_integer()
+                            .not_null()
+                            .default(0),
+                    )
+                    .foreign_key(
+                        ForeignKey::create()
+                            .from(
+                                KubeAppCatalogWorkload::Table,
+                                KubeAppCatalogWorkload::AppCatalogId,
+                            )
+                            .to(KubeAppCatalog::Table, KubeAppCatalog::Id),
+                    )
+                    .foreign_key(
+                        ForeignKey::create()
+                            .from(
+                                KubeAppCatalogWorkload::Table,
+                                KubeAppCatalogWorkload::ClusterId,
+                            )
+                            .to(KubeCluster::Table, KubeCluster::Id),
+                    )
+                    .to_owned(),
+            )
+            .await?;
+
+        // Create index for efficient lookups by app catalog
+        manager
+            .create_index(
+                Index::create()
+                    .name("kube_app_catalog_workload_app_catalog_deleted_idx")
+                    .table(KubeAppCatalogWorkload::Table)
+                    .col(KubeAppCatalogWorkload::AppCatalogId)
+                    .col(KubeAppCatalogWorkload::DeletedAt)
+                    .to_owned(),
+            )
+            .await?;
+
+        // Cluster scoped index to quickly find workloads by cluster/name/namespace
+        manager
+            .create_index(
+                Index::create()
+                    .name("kube_app_catalog_workload_cluster_lookup_idx")
+                    .table(KubeAppCatalogWorkload::Table)
+                    .col(KubeAppCatalogWorkload::ClusterId)
+                    .col(KubeAppCatalogWorkload::Name)
+                    .col(KubeAppCatalogWorkload::Namespace)
+                    .col(KubeAppCatalogWorkload::DeletedAt)
+                    .to_owned(),
+            )
+            .await?;
+
+        // Partial index to support namespace aggregation by cluster while skipping deleted rows
+        manager
+            .get_connection()
+            .execute_unprepared(
+                "CREATE INDEX kube_app_catalog_workload_cluster_namespace_active_idx \
+                 ON kube_app_catalog_workload (cluster_id, namespace) \
+                 WHERE deleted_at IS NULL;",
+            )
+            .await?;
+
+        // Create unique index to prevent duplicate workloads per app catalog
+        manager
+            .create_index(
+                Index::create()
+                    .name("kube_app_catalog_workload_unique_idx")
+                    .table(KubeAppCatalogWorkload::Table)
+                    .col(KubeAppCatalogWorkload::AppCatalogId)
+                    .col(KubeAppCatalogWorkload::Name)
+                    .col(KubeAppCatalogWorkload::Namespace)
+                    .col(KubeAppCatalogWorkload::Kind)
+                    .col(KubeAppCatalogWorkload::DeletedAt)
+                    .unique()
+                    .nulls_not_distinct()
+                    .to_owned(),
+            )
+            .await?;
+
+        Ok(())
+    }
+}
+
+#[derive(DeriveIden)]
+pub enum KubeAppCatalogWorkload {
+    Table,
+    Id,
+    CreatedAt,
+    DeletedAt,
+    AppCatalogId,
+    ClusterId,
+    Name,
+    Namespace,
+    Kind,
+    Containers,
+    Ports,
+    WorkloadYaml,
+    CatalogSyncVersion,
+}
diff --git a/crates/db/migration/src/m20250808_000001_create_kube_namespace.rs b/crates/db/migration/src/m20250808_000001_create_kube_namespace.rs
new file mode 100644
index 0000000..88d5c12
--- /dev/null
+++ b/crates/db/migration/src/m20250808_000001_create_kube_namespace.rs
@@ -0,0 +1,89 @@
+use sea_orm_migration::prelude::*;
+
+#[derive(DeriveMigrationName)]
+pub struct Migration;
+
+#[async_trait::async_trait]
+impl MigrationTrait for Migration {
+    async fn up(&self, manager: &SchemaManager) -> Result<(), DbErr> {
+        manager
+            .create_table(
+                Table::create()
+                    .table(KubeNamespace::Table)
+                    .if_not_exists()
+                    .col(
+                        ColumnDef::new(KubeNamespace::Id)
+                            .uuid()
+                            .not_null()
+                            .primary_key(),
+                    )
+                    .col(
+                        ColumnDef::new(KubeNamespace::CreatedAt)
+                            .timestamp_with_time_zone()
+                            .not_null(),
+                    )
+                    .col(ColumnDef::new(KubeNamespace::DeletedAt).timestamp_with_time_zone())
+                    .col(
+                        ColumnDef::new(KubeNamespace::OrganizationId)
+                            .uuid()
+                            .not_null(),
+                    )
+                    .col(ColumnDef::new(KubeNamespace::UserId).uuid().not_null())
+                    .col(ColumnDef::new(KubeNamespace::Name).string().not_null())
+                    .col(ColumnDef::new(KubeNamespace::Description).string())
+                    .col(
+                        ColumnDef::new(KubeNamespace::IsShared)
+                            .boolean()
+                            .not_null()
+                            .default(false),
+                    )
+                    .to_owned(),
+            )
+            .await?;
+
+        // Create unique index to prevent duplicate namespace names within organization
+        manager
+            .create_index(
+                Index::create()
+                    .name("kube_namespace_org_deleted_name_unique_idx")
+                    .table(KubeNamespace::Table)
+                    .col(KubeNamespace::OrganizationId)
+                    .col(KubeNamespace::DeletedAt)
+                    .col(KubeNamespace::Name)
+                    .unique()
+                    .nulls_not_distinct()
+                    .to_owned(),
+            )
+            .await?;
+
+        // Create optimal composite index for get_all_kube_namespaces query
+        // Covers: organization_id, is_shared, user_id, deleted_at
+        manager
+            .create_index(
+                Index::create()
+                    .name("kube_namespace_org_shared_user_deleted_idx")
+                    .table(KubeNamespace::Table)
+                    .col(KubeNamespace::OrganizationId)
+                    .col(KubeNamespace::IsShared)
+                    .col(KubeNamespace::UserId)
+                    .col(KubeNamespace::DeletedAt)
+                    .to_owned(),
+            )
+            .await?;
+
+        Ok(())
+    }
+}
+
+#[derive(DeriveIden)]
+pub enum KubeNamespace {
+    Table,
+    Id,
+    CreatedAt,
+    DeletedAt,
+    OrganizationId,
+    UserId,
+    Name,
+    Description,
+    IsShared,
+}
diff --git a/crates/db/migration/src/m20250809_000001_create_kube_environment.rs b/crates/db/migration/src/m20250809_000001_create_kube_environment.rs
new file mode 100644
index 0000000..a029d6b
--- /dev/null
+++ b/crates/db/migration/src/m20250809_000001_create_kube_environment.rs
@@ -0,0 +1,225 @@
+use sea_orm_migration::prelude::*;
+
+use crate::m20250729_082625_create_kube_cluster::KubeCluster;
+use crate::m20250801_000000_create_kube_app_catalog::KubeAppCatalog;
+
+#[derive(DeriveMigrationName)]
+pub struct Migration;
+
+#[async_trait::async_trait]
+impl MigrationTrait for Migration {
+    async fn up(&self, manager: &SchemaManager) -> Result<(), DbErr> {
+        manager
+            .create_table(
+                Table::create()
+                    .table(KubeEnvironment::Table)
+                    .if_not_exists()
+                    .col(
+                        ColumnDef::new(KubeEnvironment::Id)
+                            .uuid()
+                            .not_null()
+                            .primary_key(),
+                    )
+                    .col(
+                        ColumnDef::new(KubeEnvironment::CreatedAt)
+                            .timestamp_with_time_zone()
+                            .not_null(),
+                    )
+                    .col(ColumnDef::new(KubeEnvironment::DeletedAt).timestamp_with_time_zone())
+                    .col(
+                        ColumnDef::new(KubeEnvironment::OrganizationId)
+                            .uuid()
+                            .not_null(),
+                    )
+                    .col(ColumnDef::new(KubeEnvironment::UserId).uuid().not_null())
+                    .col(
+                        ColumnDef::new(KubeEnvironment::AppCatalogId)
+                            .uuid()
+                            .not_null(),
+                    )
+                    .col(ColumnDef::new(KubeEnvironment::ClusterId).uuid().not_null())
+                    .col(ColumnDef::new(KubeEnvironment::Name).string().not_null())
+                    .col(
+                        ColumnDef::new(KubeEnvironment::Namespace)
+                            .string()
+                            .not_null(),
+                    )
+                    .col(ColumnDef::new(KubeEnvironment::Status).string().not_null())
+                    .col(
+                        ColumnDef::new(KubeEnvironment::IsShared)
+                            .boolean()
+                            .not_null(),
+                    )
+                    .col(
+                        ColumnDef::new(KubeEnvironment::CatalogSyncVersion)
+                            .big_integer()
+                            .not_null()
+                            .default(0),
+                    )
+                    .col(
+                        ColumnDef::new(KubeEnvironment::LastCatalogSyncedAt)
+                            .timestamp_with_time_zone(),
+                    )
+                    .col(ColumnDef::new(KubeEnvironment::PausedAt).timestamp_with_time_zone())
+                    .col(ColumnDef::new(KubeEnvironment::ResumedAt).timestamp_with_time_zone())
+                    .col(
+                        ColumnDef::new(KubeEnvironment::SyncStatus)
+                            .string()
+                            .not_null()
+                            .default("idle"),
+                    )
+                    .col(ColumnDef::new(KubeEnvironment::BaseEnvironmentId).uuid())
+                    .col(
+                        ColumnDef::new(KubeEnvironment::AuthToken)
+                            .string()
+                            .not_null(),
+                    )
+                    .foreign_key(
+                        ForeignKey::create()
+                            .from(KubeEnvironment::Table, KubeEnvironment::AppCatalogId)
+                            .to(KubeAppCatalog::Table, KubeAppCatalog::Id),
+                    )
+                    .foreign_key(
+                        ForeignKey::create()
+                            .from(KubeEnvironment::Table, KubeEnvironment::ClusterId)
+                            .to(KubeCluster::Table, KubeCluster::Id),
+                    )
+                    .foreign_key(
+                        ForeignKey::create()
+                            .from(KubeEnvironment::Table, KubeEnvironment::BaseEnvironmentId)
+                            .to(KubeEnvironment::Table, KubeEnvironment::Id),
+                    )
+                    .to_owned(),
+            )
+            .await?;
+
+        // Enable extensions for trigram text search and btree types in GIN
+        manager
+            .get_connection()
+            .execute_unprepared("CREATE EXTENSION IF NOT EXISTS pg_trgm;")
+            .await?;
+
+        manager
+            .get_connection()
+            .execute_unprepared("CREATE EXTENSION IF NOT EXISTS btree_gin;")
+            .await?;
+
+        // Create optimal composite index for get_all_kube_environments query
+        // Covers: organization_id, is_shared, user_id, deleted_at
+        manager
+            .create_index(
+                Index::create()
+                    .name("kube_environment_org_shared_base_deleted_user_idx")
+                    .table(KubeEnvironment::Table)
+                    .col(KubeEnvironment::OrganizationId)
+                    .col(KubeEnvironment::IsShared)
+                    .col(KubeEnvironment::BaseEnvironmentId)
+                    .col(KubeEnvironment::DeletedAt)
+                    .col(KubeEnvironment::UserId)
+                    .col((KubeEnvironment::CreatedAt, IndexOrder::Desc))
+                    .to_owned(),
+            )
+            .await?;
+
+        // Create GIN index for case-insensitive wildcard name searches
+        manager
+            .get_connection()
+            .execute_unprepared(
+                "CREATE INDEX kube_environment_shared_gin_search_idx ON kube_environment 
+                 USING gin (LOWER(name) gin_trgm_ops)
+                 WHERE deleted_at IS NULL AND is_shared = true;",
+            )
+            .await?;
+
+        manager
+            .get_connection()
+            .execute_unprepared(
+                "CREATE INDEX kube_environment_personal_gin_search_idx ON kube_environment 
+                 USING gin (LOWER(name) gin_trgm_ops)
+                 WHERE deleted_at IS NULL AND is_shared = false;",
+            )
+            .await?;
+
+        // Create index for cluster dependency checks (used when deleting clusters)
+        manager
+            .create_index(
+                Index::create()
+                    .name("kube_environment_cluster_deleted_idx")
+                    .table(KubeEnvironment::Table)
+                    .col(KubeEnvironment::ClusterId)
+                    .col(KubeEnvironment::DeletedAt)
+                    .to_owned(),
+            )
+            .await?;
+
+        // Cover high-volume ready replica updates that probe by cluster + namespace
+        manager
+            .get_connection()
+            .execute_unprepared(
+                "CREATE INDEX kube_environment_cluster_namespace_active_idx
+                 ON kube_environment (cluster_id, namespace)
+                 WHERE deleted_at IS NULL;",
+            )
+            .await?;
+
+        // Create index for app catalog dependency checks (used when deleting app catalogs)
+        manager
+            .create_index(
+                Index::create()
+                    .name("kube_environment_app_catalog_deleted_idx")
+                    .table(KubeEnvironment::Table)
+                    .col(KubeEnvironment::AppCatalogId)
+                    .col(KubeEnvironment::DeletedAt)
+                    .to_owned(),
+            )
+            .await?;
+
+        // Create index for branch lookups (check_environment_has_branches / get_branch_environments)
+        manager
+            .create_index(
+                Index::create()
+                    .name("kube_environment_base_env_deleted_idx")
+                    .table(KubeEnvironment::Table)
+                    .col(KubeEnvironment::BaseEnvironmentId)
+                    .col(KubeEnvironment::DeletedAt)
+                    .to_owned(),
+            )
+            .await?;
+
+        // Create unique index to ensure same app catalog can only be deployed once per (cluster_id, namespace)
+        // for base environments (base_environment_id IS NULL), but allow multiple branch environments
+        manager
+            .get_connection()
+            .execute_unprepared(
+                "CREATE UNIQUE INDEX kube_environment_app_cluster_namespace_unique_idx
+                 ON kube_environment (app_catalog_id, cluster_id, namespace, deleted_at) NULLS NOT DISTINCT
+                 WHERE base_environment_id IS NULL",
+            )
+            .await?;
+
+        Ok(())
+    }
+}
+
+#[derive(DeriveIden)]
+pub enum KubeEnvironment {
+    Table,
+    Id,
+    CreatedAt,
+    DeletedAt,
+    OrganizationId,
+    UserId,
+    AppCatalogId,
+    ClusterId,
+    Name,
+    Namespace,
+    Status,
+    IsShared,
+    CatalogSyncVersion,
+    LastCatalogSyncedAt,
+    PausedAt,
+    ResumedAt,
+    SyncStatus,
+    BaseEnvironmentId,
+    AuthToken,
+}
diff --git a/crates/db/migration/src/m20250809_000002_create_kube_environment_workload.rs b/crates/db/migration/src/m20250809_000002_create_kube_environment_workload.rs
new file mode 100644
index 0000000..a064f05
--- /dev/null
+++ b/crates/db/migration/src/m20250809_000002_create_kube_environment_workload.rs
@@ -0,0 +1,156 @@
+use sea_orm_migration::prelude::*;
+
+use crate::m20250809_000001_create_kube_environment::KubeEnvironment;
+
+#[derive(DeriveMigrationName)]
+pub struct Migration;
+
+#[async_trait::async_trait]
+impl MigrationTrait for Migration {
+    async fn up(&self, manager: &SchemaManager) -> Result<(), DbErr> {
+        manager
+            .create_table(
+                Table::create()
+                    .table(KubeEnvironmentWorkload::Table)
+                    .if_not_exists()
+                    .col(
+                        ColumnDef::new(KubeEnvironmentWorkload::Id)
+                            .uuid()
+                            .not_null()
+                            .primary_key(),
+                    )
+                    .col(
+                        ColumnDef::new(KubeEnvironmentWorkload::CreatedAt)
+                            .timestamp_with_time_zone()
+                            .not_null(),
+                    )
+                    .col(
+                        ColumnDef::new(KubeEnvironmentWorkload::DeletedAt)
+                            .timestamp_with_time_zone(),
+                    )
+                    .col(
+                        ColumnDef::new(KubeEnvironmentWorkload::EnvironmentId)
+                            .uuid()
+                            .not_null(),
+                    )
+                    .col(ColumnDef::new(KubeEnvironmentWorkload::BaseWorkloadId).uuid())
+                    .col(
+                        ColumnDef::new(KubeEnvironmentWorkload::Name)
+                            .string()
+                            .not_null(),
+                    )
+                    .col(
+                        ColumnDef::new(KubeEnvironmentWorkload::Namespace)
+                            .string()
+                            .not_null(),
+                    )
+                    .col(
+                        ColumnDef::new(KubeEnvironmentWorkload::Kind)
+                            .string()
+                            .not_null(),
+                    )
+                    .col(
+                        ColumnDef::new(KubeEnvironmentWorkload::Containers)
+                            .json()
+                            .not_null(),
+                    )
+                    .col(
+                        ColumnDef::new(KubeEnvironmentWorkload::Ports)
+                            .json()
+                            .not_null(),
+                    )
+                    .col(
+                        ColumnDef::new(KubeEnvironmentWorkload::WorkloadYaml)
+                            .text()
+                            .not_null(),
+                    )
+                    .col(
+                        ColumnDef::new(KubeEnvironmentWorkload::CatalogSyncVersion)
+                            .big_integer()
+                            .not_null()
+                            .default(0),
+                    )
+                    .col(ColumnDef::new(KubeEnvironmentWorkload::ReadyReplicas).integer())
+                    .foreign_key(
+                        ForeignKey::create()
+                            .from(
+                                KubeEnvironmentWorkload::Table,
+                                KubeEnvironmentWorkload::EnvironmentId,
+                            )
+                            .to(KubeEnvironment::Table, KubeEnvironment::Id),
+                    )
+                    .to_owned(),
+            )
+            .await?;
+
+        // Create index for efficient lookups by environment
+        manager
+            .create_index(
+                Index::create()
+                    .name("kube_environment_workload_environment_deleted_idx")
+                    .table(KubeEnvironmentWorkload::Table)
+                    .col(KubeEnvironmentWorkload::EnvironmentId)
+                    .col(KubeEnvironmentWorkload::DeletedAt)
+                    .to_owned(),
+            )
+            .await?;
+
+        manager
+            .create_index(
+                Index::create()
+                    .name("kube_environment_workload_base_deleted_idx")
+                    .table(KubeEnvironmentWorkload::Table)
+                    .col(KubeEnvironmentWorkload::BaseWorkloadId)
+                    .col(KubeEnvironmentWorkload::DeletedAt)
+                    .to_owned(),
+            )
+            .await?;
+
+        // Accelerate ready-replica updates that probe by (environment_id, base_workload_id)
+        manager
+            .get_connection()
+            .execute_unprepared(
+                "CREATE INDEX kube_environment_workload_env_base_active_idx
+                 ON kube_environment_workload (environment_id, base_workload_id)
+                 WHERE deleted_at IS NULL;",
+            )
+            .await?;
+
+        // Create unique index to prevent duplicate workloads per environment
+        manager
+            .create_index(
+                Index::create()
+                    .name("kube_environment_workload_unique_idx")
+                    .table(KubeEnvironmentWorkload::Table)
+                    .col(KubeEnvironmentWorkload::EnvironmentId)
+                    .col(KubeEnvironmentWorkload::Name)
+                    .col(KubeEnvironmentWorkload::Namespace)
+                    .col(KubeEnvironmentWorkload::Kind)
+                    .col(KubeEnvironmentWorkload::DeletedAt)
+                    .unique()
+                    .nulls_not_distinct()
+                    .to_owned(),
+            )
+            .await?;
+
+        Ok(())
+    }
+}
+
+#[derive(DeriveIden)]
+pub enum KubeEnvironmentWorkload {
+    Table,
+    Id,
+    CreatedAt,
+    DeletedAt,
+    EnvironmentId,
+    BaseWorkloadId,
+    Name,
+    Namespace,
+    Kind,
+    Containers,
+    Ports,
+    WorkloadYaml,
+    CatalogSyncVersion,
+    ReadyReplicas,
+}
diff --git a/crates/db/migration/src/m20250809_000003_create_kube_environment_service.rs b/crates/db/migration/src/m20250809_000003_create_kube_environment_service.rs
new file mode 100644
index 0000000..4d1f35a
--- /dev/null
+++ b/crates/db/migration/src/m20250809_000003_create_kube_environment_service.rs
@@ -0,0 +1,127 @@
+use sea_orm_migration::prelude::*;
+
+use crate::m20250809_000001_create_kube_environment::KubeEnvironment;
+
+#[derive(DeriveMigrationName)]
+pub struct Migration;
+
+#[async_trait::async_trait]
+impl MigrationTrait for Migration {
+    async fn up(&self, manager: &SchemaManager) -> Result<(), DbErr> {
+        manager
+            .create_table(
+                Table::create()
+                    .table(KubeEnvironmentService::Table)
+                    .if_not_exists()
+                    .col(
+                        ColumnDef::new(KubeEnvironmentService::Id)
+                            .uuid()
+                            .not_null()
+                            .primary_key(),
+                    )
+                    .col(
+                        ColumnDef::new(KubeEnvironmentService::CreatedAt)
+                            .timestamp_with_time_zone()
+                            .not_null(),
+                    )
+                    .col(
+                        ColumnDef::new(KubeEnvironmentService::DeletedAt)
+                            .timestamp_with_time_zone(),
+                    )
+                    .col(
+                        ColumnDef::new(KubeEnvironmentService::EnvironmentId)
+                            .uuid()
+                            .not_null(),
+                    )
+                    .col(
+                        ColumnDef::new(KubeEnvironmentService::Name)
+                            .string()
+                            .not_null(),
+                    )
+                    .col(
+                        ColumnDef::new(KubeEnvironmentService::Namespace)
+                            .string()
+                            .not_null(),
+                    )
+                    .col(
+                        ColumnDef::new(KubeEnvironmentService::Yaml)
+                            .text()
+                            .not_null(),
+                    )
+                    .col(
+                        ColumnDef::new(KubeEnvironmentService::Ports)
+                            .json()
+                            .not_null(),
+                    )
+                    .col(
+                        ColumnDef::new(KubeEnvironmentService::Selector)
+                            .json()
+                            .not_null(),
+                    )
+                    .foreign_key(
+                        ForeignKey::create()
+                            .from(
+                                KubeEnvironmentService::Table,
+                                KubeEnvironmentService::EnvironmentId,
+                            )
+                            .to(KubeEnvironment::Table, KubeEnvironment::Id),
+                    )
+                    .to_owned(),
+            )
+            .await?;
+
+        // Create index for efficient lookups by environment
+        manager
+            .create_index(
+                Index::create()
+                    .name("kube_environment_service_environment_deleted_idx")
+                    .table(KubeEnvironmentService::Table)
+                    .col(KubeEnvironmentService::EnvironmentId)
+                    .col(KubeEnvironmentService::DeletedAt)
+                    .to_owned(),
+            )
+            .await?;
+
+        // Create unique index to prevent duplicate services per environment
+        manager
+            .create_index(
+                Index::create()
+                    .name("kube_environment_service_unique_idx")
+                    .table(KubeEnvironmentService::Table)
+                    .col(KubeEnvironmentService::EnvironmentId)
+                    .col(KubeEnvironmentService::Name)
+                    .col(KubeEnvironmentService::Namespace)
+                    .col(KubeEnvironmentService::DeletedAt)
+                    .unique()
+                    .nulls_not_distinct()
+                    .to_owned(),
+            )
+            .await?;
+
+        Ok(())
+    }
+
+    async fn down(&self, manager: &SchemaManager) -> Result<(), DbErr> {
+        manager
+            .drop_table(
+                Table::drop()
+                    .table(KubeEnvironmentService::Table)
+                    .to_owned(),
+            )
+            .await
+    }
+}
+
+#[derive(DeriveIden)]
+pub enum KubeEnvironmentService {
+    Table,
+    Id,
+    CreatedAt,
+    DeletedAt,
+    EnvironmentId,
+    Name,
+    Namespace,
+    Yaml,
+    Ports,
+    Selector,
+}
diff --git a/crates/db/migration/src/m20250815_000001_create_kube_environment_preview_url.rs b/crates/db/migration/src/m20250815_000001_create_kube_environment_preview_url.rs
new file mode 100644
index 0000000..4f32c34
--- /dev/null
+++ b/crates/db/migration/src/m20250815_000001_create_kube_environment_preview_url.rs
@@ -0,0 +1,174 @@
+use sea_orm_migration::prelude::*;
+
+use crate::m20250809_000001_create_kube_environment::KubeEnvironment;
+use crate::m20250809_000003_create_kube_environment_service::KubeEnvironmentService;
+
+#[derive(DeriveMigrationName)]
+pub struct Migration;
+
+#[async_trait::async_trait]
+impl MigrationTrait for Migration {
+    async fn up(&self, manager: &SchemaManager) -> Result<(), DbErr> {
+        manager
+            .create_table(
+                Table::create()
+                    .table(KubeEnvironmentPreviewUrl::Table)
+                    .if_not_exists()
+                    .col(
+                        ColumnDef::new(KubeEnvironmentPreviewUrl::Id)
+                            .uuid()
+                            .not_null()
+                            .primary_key(),
+                    )
+                    .col(
+                        ColumnDef::new(KubeEnvironmentPreviewUrl::CreatedAt)
+                            .timestamp_with_time_zone()
+                            .not_null(),
+                    )
+                    .col(
+                        ColumnDef::new(KubeEnvironmentPreviewUrl::UpdatedAt)
+                            .timestamp_with_time_zone()
+                            .not_null(),
+                    )
+                    .col(
+                        ColumnDef::new(KubeEnvironmentPreviewUrl::DeletedAt)
+                            .timestamp_with_time_zone(),
+                    )
+                    .col(
+                        ColumnDef::new(KubeEnvironmentPreviewUrl::EnvironmentId)
+                            .uuid()
+                            .not_null(),
+                    )
+                    .col(
+                        ColumnDef::new(KubeEnvironmentPreviewUrl::ServiceId)
+                            .uuid()
+                            .not_null(),
+                    )
+                    .col(
+                        ColumnDef::new(KubeEnvironmentPreviewUrl::Name)
+                            .string()
+                            .not_null(),
+                    )
+                    .col(ColumnDef::new(KubeEnvironmentPreviewUrl::Description).text())
+                    .col(
+                        ColumnDef::new(KubeEnvironmentPreviewUrl::Port)
+                            .integer()
+                            .not_null(),
+                    )
+                    .col(ColumnDef::new(KubeEnvironmentPreviewUrl::PortName).string())
+                    .col(
+                        ColumnDef::new(KubeEnvironmentPreviewUrl::Protocol)
+                            .string()
+                            .not_null()
+                            .default("HTTP"),
+                    )
+                    .col(
+                        ColumnDef::new(KubeEnvironmentPreviewUrl::AccessLevel)
+                            .string()
+                            .not_null(),
+                    )
+                    .col(
+                        ColumnDef::new(KubeEnvironmentPreviewUrl::CreatedBy)
+                            .uuid()
+                            .not_null(),
+                    )
+                    // Track last access time for analytics and cleanup
+                    .col(
+                        ColumnDef::new(KubeEnvironmentPreviewUrl::LastAccessedAt)
+                            .timestamp_with_time_zone(),
+                    )
+                    // Metadata for custom headers, rate limiting, etc.
+                    .col(
+                        ColumnDef::new(KubeEnvironmentPreviewUrl::Metadata)
+                            .json()
+                            .not_null()
+                            .default("{}"),
+                    )
+                    // Foreign key to environment (for ownership)
+                    .foreign_key(
+                        ForeignKey::create()
+                            .from(
+                                KubeEnvironmentPreviewUrl::Table,
+                                KubeEnvironmentPreviewUrl::EnvironmentId,
+                            )
+                            .to(KubeEnvironment::Table, KubeEnvironment::Id),
+                    )
+                    // Foreign key to service
+                    .foreign_key(
+                        ForeignKey::create()
+                            .from(
+                                KubeEnvironmentPreviewUrl::Table,
+                                KubeEnvironmentPreviewUrl::ServiceId,
+                            )
+                            .to(KubeEnvironmentService::Table, KubeEnvironmentService::Id),
+                    )
+                    .to_owned(),
+            )
+            .await?;
+
+        // Index for efficient lookups by environment and deleted status
+        manager
+            .create_index(
+                Index::create()
+                    .name("kube_environment_preview_url_environment_deleted_idx")
+                    .table(KubeEnvironmentPreviewUrl::Table)
+                    .col(KubeEnvironmentPreviewUrl::EnvironmentId)
+                    .col(KubeEnvironmentPreviewUrl::DeletedAt)
+                    .col((KubeEnvironmentPreviewUrl::CreatedAt, IndexOrder::Desc))
+                    .to_owned(),
+            )
+            .await?;
+
+        // Unique index to prevent duplicate names (globally unique)
+        manager
+            .create_index(
+                Index::create()
+                    .name("kube_environment_preview_url_name_unique_idx")
+                    .table(KubeEnvironmentPreviewUrl::Table)
+                    .col(KubeEnvironmentPreviewUrl::Name)
+                    .col(KubeEnvironmentPreviewUrl::DeletedAt)
+                    .unique()
+                    .nulls_not_distinct()
+                    .to_owned(),
+            )
+            .await?;
+
+        // Unique index for port within environment/service tuple
+        manager
+            .create_index(
+                Index::create()
+                    .name("kube_environment_preview_url_service_port_unique_idx")
+                    .table(KubeEnvironmentPreviewUrl::Table)
+                    .col(KubeEnvironmentPreviewUrl::EnvironmentId)
+                    .col(KubeEnvironmentPreviewUrl::ServiceId)
+                    .col(KubeEnvironmentPreviewUrl::Port)
+                    .col(KubeEnvironmentPreviewUrl::DeletedAt)
+                    .unique()
+                    .nulls_not_distinct()
+                    .to_owned(),
+            )
+            .await?;
+
+        Ok(())
+    }
+}
+
+#[derive(DeriveIden)]
+pub enum KubeEnvironmentPreviewUrl {
+    Table,
+    Id,
+    CreatedAt,
+    UpdatedAt,
+    DeletedAt,
+    EnvironmentId,
+    ServiceId,
+    Name,
+    Description,
+    Port,
+    PortName,
+    Protocol,
+    AccessLevel,
+    CreatedBy,
+    LastAccessedAt,
+    Metadata,
+}
diff --git a/crates/db/migration/src/m20250820_000001_create_kube_cluster_service.rs b/crates/db/migration/src/m20250820_000001_create_kube_cluster_service.rs
new file mode 100644
index 0000000..52f8a5a
--- /dev/null
+++ b/crates/db/migration/src/m20250820_000001_create_kube_cluster_service.rs
@@ -0,0 +1,141 @@
+use sea_orm_migration::prelude::*;
+
+use crate::m20250729_082625_create_kube_cluster::KubeCluster;
+
+#[derive(DeriveMigrationName)]
+pub struct Migration;
+
+#[async_trait::async_trait]
+impl MigrationTrait for Migration {
+    async fn up(&self, manager: &SchemaManager) -> Result<(), DbErr> {
+        manager
+            .create_table(
+                Table::create()
+                    .table(KubeClusterService::Table)
+                    .if_not_exists()
+                    .col(
+                        ColumnDef::new(KubeClusterService::Id)
+                            .uuid()
+                            .not_null()
+                            .primary_key(),
+                    )
+                    .col(
+                        ColumnDef::new(KubeClusterService::CreatedAt)
+                            .timestamp_with_time_zone()
+                            .not_null(),
+                    )
+                    .col(
+                        ColumnDef::new(KubeClusterService::UpdatedAt)
+                            .timestamp_with_time_zone()
+                            .not_null(),
+                    )
+                    .col(
+                        ColumnDef::new(KubeClusterService::DeletedAt)
+                            .timestamp_with_time_zone()
+                            .null(),
+                    )
+                    .col(
+                        ColumnDef::new(KubeClusterService::ClusterId)
+                            .uuid()
+                            .not_null(),
+                    )
+                    .col(
+                        ColumnDef::new(KubeClusterService::Namespace)
+                            .string()
+                            .not_null(),
+                    )
+                    .col(ColumnDef::new(KubeClusterService::Name).string().not_null())
+                    .col(
+                        ColumnDef::new(KubeClusterService::ResourceVersion)
+                            .string()
+                            .not_null(),
+                    )
+                    .col(
+                        ColumnDef::new(KubeClusterService::ServiceYaml)
+                            .text()
+                            .not_null(),
+                    )
+                    .col(
+                        ColumnDef::new(KubeClusterService::Selector)
+                            .json()
+                            .not_null()
+                            .default("{}"),
+                    )
+                    .col(
+                        ColumnDef::new(KubeClusterService::Ports)
+                            .json()
+                            .not_null()
+                            .default("[]"),
+                    )
+                    .col(
+                        ColumnDef::new(KubeClusterService::ServiceType)
+                            .string()
+                            .null(),
+                    )
+                    .col(
+                        ColumnDef::new(KubeClusterService::ClusterIp)
+                            .string()
+                            .null(),
+                    )
+                    .col(
+                        ColumnDef::new(KubeClusterService::LastObservedAt)
+                            .timestamp_with_time_zone()
+                            .not_null(),
+                    )
+                    .foreign_key(
+                        ForeignKey::create()
+                            .from(KubeClusterService::Table, KubeClusterService::ClusterId)
+                            .to(KubeCluster::Table, KubeCluster::Id)
+                            .on_delete(ForeignKeyAction::Cascade),
+                    )
+                    .to_owned(),
+            )
+            .await?;
+
+        manager
+            .create_index(
+                Index::create()
+                    .name("kube_cluster_service_cluster_namespace_name_idx")
+                    .table(KubeClusterService::Table)
+                    .col(KubeClusterService::ClusterId)
+                    .col(KubeClusterService::Namespace)
+                    .col(KubeClusterService::Name)
+                    .unique()
+                    .to_owned(),
+            )
+            .await?;
+
+        manager
+            .create_index(
+                Index::create()
+                    .name("kube_cluster_service_cluster_namespace_deleted_idx")
+                    .table(KubeClusterService::Table)
+                    .col(KubeClusterService::ClusterId)
+                    .col(KubeClusterService::Namespace)
+                    .col(KubeClusterService::DeletedAt)
+                    .to_owned(),
+            )
+            .await?;
+
+        Ok(())
+    }
+}
+
+#[derive(DeriveIden)]
+pub enum KubeClusterService {
+    Table,
+    Id,
+    CreatedAt,
+    UpdatedAt,
+    DeletedAt,
+    ClusterId,
+    Namespace,
+    Name,
+    ResourceVersion,
+    ServiceYaml,
+    Selector,
+    Ports,
+    ServiceType,
+    ClusterIp,
+    LastObservedAt,
+}
diff --git a/crates/db/migration/src/m20250825_000001_create_kube_app_catalog_workload_label.rs b/crates/db/migration/src/m20250825_000001_create_kube_app_catalog_workload_label.rs
new file mode 100644
index 0000000..3717f50
--- /dev/null
+++ b/crates/db/migration/src/m20250825_000001_create_kube_app_catalog_workload_label.rs
@@ -0,0 +1,144 @@
+use sea_orm_migration::prelude::*;
+
+use crate::{
+    m20250729_082625_create_kube_cluster::KubeCluster,
+    m20250801_000000_create_kube_app_catalog::KubeAppCatalog,
+    m20250801_000002_create_kube_app_catalog_workload::KubeAppCatalogWorkload,
+};
+
+#[derive(DeriveMigrationName)]
+pub struct Migration;
+
+#[async_trait::async_trait]
+impl MigrationTrait for Migration {
+    async fn up(&self, manager: &SchemaManager) -> Result<(), DbErr> {
+        manager
+            .create_table(
+                Table::create()
+                    .table(KubeAppCatalogWorkloadLabel::Table)
+                    .if_not_exists()
+                    .col(
+                        ColumnDef::new(KubeAppCatalogWorkloadLabel::Id)
+                            .uuid()
+                            .not_null()
+                            .primary_key(),
+                    )
+                    .col(
+                        ColumnDef::new(KubeAppCatalogWorkloadLabel::CreatedAt)
+                            .timestamp_with_time_zone()
+                            .not_null(),
+                    )
+                    .col(
+                        ColumnDef::new(KubeAppCatalogWorkloadLabel::DeletedAt)
+                            .timestamp_with_time_zone(),
+                    )
+                    .col(
+                        ColumnDef::new(KubeAppCatalogWorkloadLabel::AppCatalogId)
+                            .uuid()
+                            .not_null(),
+                    )
+                    .col(
+                        ColumnDef::new(KubeAppCatalogWorkloadLabel::WorkloadId)
+                            .uuid()
+                            .not_null(),
+                    )
+                    .col(
+                        ColumnDef::new(KubeAppCatalogWorkloadLabel::ClusterId)
+                            .uuid()
+                            .not_null(),
+                    )
+                    .col(
+                        ColumnDef::new(KubeAppCatalogWorkloadLabel::Namespace)
+                            .string()
+                            .not_null(),
+                    )
+                    .col(
+                        ColumnDef::new(KubeAppCatalogWorkloadLabel::LabelKey)
+                            .string_len(255)
+                            .not_null(),
+                    )
+                    .col(
+                        ColumnDef::new(KubeAppCatalogWorkloadLabel::LabelValue)
+                            .string_len(255)
+                            .not_null(),
+                    )
+                    .foreign_key(
+                        ForeignKey::create()
+                            .from(
+                                KubeAppCatalogWorkloadLabel::Table,
+                                KubeAppCatalogWorkloadLabel::AppCatalogId,
+                            )
+                            .to(KubeAppCatalog::Table, KubeAppCatalog::Id),
+                    )
+                    .foreign_key(
+                        ForeignKey::create()
+                            .from(
+                                KubeAppCatalogWorkloadLabel::Table,
+                                KubeAppCatalogWorkloadLabel::WorkloadId,
+                            )
+                            .to(KubeAppCatalogWorkload::Table, KubeAppCatalogWorkload::Id),
+                    )
+                    .foreign_key(
+                        ForeignKey::create()
+                            .from(
+                                KubeAppCatalogWorkloadLabel::Table,
+                                KubeAppCatalogWorkloadLabel::ClusterId,
+                            )
+                            .to(KubeCluster::Table, KubeCluster::Id),
+                    )
+                    .to_owned(),
+            )
+            .await?;
+
+        manager
+            .create_index(
+                Index::create()
+                    .name("kube_app_catalog_workload_label_workload_idx")
+                    .table(KubeAppCatalogWorkloadLabel::Table)
+                    .col(KubeAppCatalogWorkloadLabel::WorkloadId)
+                    .col(KubeAppCatalogWorkloadLabel::DeletedAt)
+                    .to_owned(),
+            )
+            .await?;
+
+        manager
+            .create_index(
+                Index::create()
+                    .name("kube_app_catalog_workload_label_selector_idx")
+                    .table(KubeAppCatalogWorkloadLabel::Table)
+                    .col(KubeAppCatalogWorkloadLabel::ClusterId)
+                    .col(KubeAppCatalogWorkloadLabel::Namespace)
+                    .col(KubeAppCatalogWorkloadLabel::LabelKey)
+                    .col(KubeAppCatalogWorkloadLabel::LabelValue)
+                    .col(KubeAppCatalogWorkloadLabel::DeletedAt)
+                    .to_owned(),
+            )
+            .await?;
+
+        Ok(())
+    }
+
+    async fn down(&self, manager: &SchemaManager) -> Result<(), DbErr> {
+        manager
+            .drop_table(
+                Table::drop()
+                    .table(KubeAppCatalogWorkloadLabel::Table)
+                    .to_owned(),
+            )
+            .await
+    }
+}
+
+#[derive(DeriveIden)]
+pub enum KubeAppCatalogWorkloadLabel {
+    Table,
+    Id,
+    CreatedAt,
+    DeletedAt,
+    AppCatalogId,
+    WorkloadId,
+    ClusterId,
+    Namespace,
+    LabelKey,
+    LabelValue,
+}
diff --git a/crates/db/migration/src/m20250825_000002_create_kube_cluster_service_selector.rs b/crates/db/migration/src/m20250825_000002_create_kube_cluster_service_selector.rs
new file mode 100644
index 0000000..009f538
--- /dev/null
+++ b/crates/db/migration/src/m20250825_000002_create_kube_cluster_service_selector.rs
@@ -0,0 +1,118 @@
+use sea_orm_migration::prelude::*;
+
+use crate::m20250820_000001_create_kube_cluster_service::KubeClusterService;
+
+#[derive(DeriveMigrationName)]
+pub struct Migration;
+
+#[async_trait::async_trait]
+impl MigrationTrait for Migration {
+    async fn up(&self, manager: &SchemaManager) -> Result<(), DbErr> {
+        manager
+            .create_table(
+                Table::create()
+                    .table(KubeClusterServiceSelector::Table)
+                    .if_not_exists()
+                    .col(
+                        ColumnDef::new(KubeClusterServiceSelector::Id)
+                            .uuid()
+                            .not_null()
+                            .primary_key(),
+                    )
+                    .col(
+                        ColumnDef::new(KubeClusterServiceSelector::CreatedAt)
+                            .timestamp_with_time_zone()
+                            .not_null(),
+                    )
+                    .col(
+                        ColumnDef::new(KubeClusterServiceSelector::DeletedAt)
+                            .timestamp_with_time_zone(),
+                    )
+                    .col(
+                        ColumnDef::new(KubeClusterServiceSelector::ClusterId)
+                            .uuid()
+                            .not_null(),
+                    )
+                    .col(
+                        ColumnDef::new(KubeClusterServiceSelector::Namespace)
+                            .string()
+                            .not_null(),
+                    )
+                    .col(
+                        ColumnDef::new(KubeClusterServiceSelector::ServiceId)
+                            .uuid()
+                            .not_null(),
+                    )
+                    .col(
+                        ColumnDef::new(KubeClusterServiceSelector::LabelKey)
+                            .string_len(255)
+                            .not_null(),
+                    )
+                    .col(
+                        ColumnDef::new(KubeClusterServiceSelector::LabelValue)
+                            .string_len(255)
+                            .not_null(),
+                    )
+                    .foreign_key(
+                        ForeignKey::create()
+                            .from(
+                                KubeClusterServiceSelector::Table,
+                                KubeClusterServiceSelector::ServiceId,
+                            )
+                            .to(KubeClusterService::Table, KubeClusterService::Id),
+                    )
+                    .to_owned(),
+            )
+            .await?;
+
+        manager
+            .create_index(
+                Index::create()
+                    .name("kube_cluster_service_selector_service_idx")
+                    .table(KubeClusterServiceSelector::Table)
+                    .col(KubeClusterServiceSelector::ServiceId)
+                    .col(KubeClusterServiceSelector::DeletedAt)
+                    .to_owned(),
+            )
+            .await?;
+
+        manager
+            .create_index(
+                Index::create()
+                    .name("kube_cluster_service_selector_lookup_idx")
+                    .table(KubeClusterServiceSelector::Table)
+                    .col(KubeClusterServiceSelector::ClusterId)
+                    .col(KubeClusterServiceSelector::Namespace)
+                    .col(KubeClusterServiceSelector::LabelKey)
+                    .col(KubeClusterServiceSelector::LabelValue)
+                    .col(KubeClusterServiceSelector::DeletedAt)
+                    .to_owned(),
+            )
+            .await?;
+
+        Ok(())
+    }
+
+    async fn down(&self, manager: &SchemaManager) -> Result<(), DbErr> {
+        manager
+            .drop_table(
+                Table::drop()
+                    .table(KubeClusterServiceSelector::Table)
+                    .to_owned(),
+            )
+            .await
+    }
+}
+
+#[derive(DeriveIden)]
+pub enum KubeClusterServiceSelector {
+    Table,
+    Id,
+    CreatedAt,
+    DeletedAt,
+    ClusterId,
+    Namespace,
+    ServiceId,
+    LabelKey,
+    LabelValue,
+}
diff --git a/crates/db/migration/src/m20250825_000003_create_kube_app_catalog_workload_dependency.rs b/crates/db/migration/src/m20250825_000003_create_kube_app_catalog_workload_dependency.rs
new file mode 100644
index 0000000..8ddcb04
--- /dev/null
+++ b/crates/db/migration/src/m20250825_000003_create_kube_app_catalog_workload_dependency.rs
@@ -0,0 +1,142 @@
+use sea_orm_migration::prelude::*;
+
+use crate::m20250729_082625_create_kube_cluster::KubeCluster;
+use crate::m20250801_000000_create_kube_app_catalog::KubeAppCatalog;
+use crate::m20250801_000002_create_kube_app_catalog_workload::KubeAppCatalogWorkload;
+
+#[derive(DeriveMigrationName)]
+pub struct Migration;
+
+#[async_trait::async_trait]
+impl MigrationTrait for Migration {
+    async fn up(&self, manager: &SchemaManager) -> Result<(), DbErr> {
+        manager
+            .create_table(
+                Table::create()
+                    .table(KubeAppCatalogWorkloadDependency::Table)
+                    .if_not_exists()
+                    .col(
+                        ColumnDef::new(KubeAppCatalogWorkloadDependency::Id)
+                            .uuid()
+                            .not_null()
+                            .primary_key(),
+                    )
+                    .col(
+                        ColumnDef::new(KubeAppCatalogWorkloadDependency::CreatedAt)
+                            .timestamp_with_time_zone()
+                            .not_null(),
+                    )
+                    .col(
+                        ColumnDef::new(KubeAppCatalogWorkloadDependency::DeletedAt)
+                            .timestamp_with_time_zone(),
+                    )
+                    .col(
+                        ColumnDef::new(KubeAppCatalogWorkloadDependency::AppCatalogId)
+                            .uuid()
+                            .not_null(),
+                    )
+                    .col(
+                        ColumnDef::new(KubeAppCatalogWorkloadDependency::WorkloadId)
+                            .uuid()
+                            .not_null(),
+                    )
+                    .col(
+                        ColumnDef::new(KubeAppCatalogWorkloadDependency::ClusterId)
+                            .uuid()
+                            .not_null(),
+                    )
+                    .col(
+                        ColumnDef::new(KubeAppCatalogWorkloadDependency::Namespace)
+                            .string()
+                            .not_null(),
+                    )
+                    .col(
+                        ColumnDef::new(KubeAppCatalogWorkloadDependency::ResourceName)
+                            .string()
+                            .not_null(),
+                    )
+                    .col(
+                        ColumnDef::new(KubeAppCatalogWorkloadDependency::ResourceType)
+                            .string_len(32)
+                            .not_null(),
+                    )
+                    .foreign_key(
+                        ForeignKey::create()
+                            .from(
+                                KubeAppCatalogWorkloadDependency::Table,
+                                KubeAppCatalogWorkloadDependency::AppCatalogId,
+                            )
+                            .to(KubeAppCatalog::Table, KubeAppCatalog::Id),
+                    )
+                    .foreign_key(
+                        ForeignKey::create()
+                            .from(
+                                KubeAppCatalogWorkloadDependency::Table,
+                                KubeAppCatalogWorkloadDependency::WorkloadId,
+                            )
+                            .to(KubeAppCatalogWorkload::Table, KubeAppCatalogWorkload::Id),
+                    )
+                    .foreign_key(
+                        ForeignKey::create()
+                            .from(
+                                KubeAppCatalogWorkloadDependency::Table,
+                                KubeAppCatalogWorkloadDependency::ClusterId,
+                            )
+                            .to(KubeCluster::Table, KubeCluster::Id),
+                    )
+                    .to_owned(),
+            )
+            .await?;
+
+        manager
+            .create_index(
+                Index::create()
+                    .name("kube_app_catalog_workload_dep_workload_idx")
+                    .table(KubeAppCatalogWorkloadDependency::Table)
+                    .col(KubeAppCatalogWorkloadDependency::WorkloadId)
+                    .col(KubeAppCatalogWorkloadDependency::DeletedAt)
+                    .to_owned(),
+            )
+            .await?;
+
+        manager
+            .create_index(
+                Index::create()
+                    .name("kube_app_catalog_workload_dep_lookup_idx")
+                    .table(KubeAppCatalogWorkloadDependency::Table)
+                    .col(KubeAppCatalogWorkloadDependency::ClusterId)
+                    .col(KubeAppCatalogWorkloadDependency::Namespace)
+                    .col(KubeAppCatalogWorkloadDependency::ResourceType)
+                    .col(KubeAppCatalogWorkloadDependency::ResourceName)
+                    .col(KubeAppCatalogWorkloadDependency::DeletedAt)
+                    .to_owned(),
+            )
+            .await?;
+
+        Ok(())
+    }
+
+    async fn down(&self, manager: &SchemaManager) -> Result<(), DbErr> {
+        manager
+            .drop_table(
+                Table::drop()
+                    .table(KubeAppCatalogWorkloadDependency::Table)
+                    .to_owned(),
+            )
+            .await
+    }
+}
+
+#[derive(DeriveIden)]
+pub enum KubeAppCatalogWorkloadDependency {
+    Table,
+    Id,
+    CreatedAt,
+    DeletedAt,
+    AppCatalogId,
+    WorkloadId,
+    ClusterId,
+    Namespace,
+    ResourceName,
+    ResourceType,
+}
diff --git a/crates/db/migration/src/m20250901_000001_create_kube_environment_workload_label.rs b/crates/db/migration/src/m20250901_000001_create_kube_environment_workload_label.rs
new file mode 100644
index 0000000..df914fa
--- /dev/null
+++ b/crates/db/migration/src/m20250901_000001_create_kube_environment_workload_label.rs
@@ -0,0 +1,111 @@
+use sea_orm_migration::prelude::*;
+
+use crate::m20250809_000001_create_kube_environment::KubeEnvironment;
+use crate::m20250809_000002_create_kube_environment_workload::KubeEnvironmentWorkload;
+
+#[derive(DeriveMigrationName)]
+pub struct Migration;
+
+#[async_trait::async_trait]
+impl MigrationTrait for Migration {
+    async fn up(&self, manager: &SchemaManager) -> Result<(), DbErr> {
+        manager
+            .create_table(
+                Table::create()
+                    .table(KubeEnvironmentWorkloadLabel::Table)
+                    .if_not_exists()
+                    .col(
+                        ColumnDef::new(KubeEnvironmentWorkloadLabel::Id)
+                            .uuid()
+                            .not_null()
+                            .primary_key(),
+                    )
+                    .col(
+                        ColumnDef::new(KubeEnvironmentWorkloadLabel::CreatedAt)
+                            .timestamp_with_time_zone()
+                            .not_null(),
+                    )
+                    .col(
+                        ColumnDef::new(KubeEnvironmentWorkloadLabel::DeletedAt)
+                            .timestamp_with_time_zone(),
+                    )
+                    .col(
+                        ColumnDef::new(KubeEnvironmentWorkloadLabel::EnvironmentId)
+                            .uuid()
+                            .not_null(),
+                    )
+                    .col(
+                        ColumnDef::new(KubeEnvironmentWorkloadLabel::WorkloadId)
+                            .uuid()
+                            .not_null(),
+                    )
+                    .col(
+                        ColumnDef::new(KubeEnvironmentWorkloadLabel::LabelKey)
+                            .string()
+                            .not_null(),
+                    )
+                    .col(
+                        ColumnDef::new(KubeEnvironmentWorkloadLabel::LabelValue)
+                            .string()
+                            .not_null(),
+                    )
+                    .foreign_key(
+                        ForeignKey::create()
+                            .from(
+                                KubeEnvironmentWorkloadLabel::Table,
+                                KubeEnvironmentWorkloadLabel::EnvironmentId,
+                            )
+                            .to(KubeEnvironment::Table, KubeEnvironment::Id),
+                    )
+                    .foreign_key(
+                        ForeignKey::create()
+                            .from(
+                                KubeEnvironmentWorkloadLabel::Table,
+                                KubeEnvironmentWorkloadLabel::WorkloadId,
+                            )
+                            .to(KubeEnvironmentWorkload::Table, KubeEnvironmentWorkload::Id),
+                    )
+                    .to_owned(),
+            )
+            .await?;
+
+        manager
+            .create_index(
+                Index::create()
+                    .name("kube_env_workload_label_workload_deleted_idx")
+                    .table(KubeEnvironmentWorkloadLabel::Table)
+                    .col(KubeEnvironmentWorkloadLabel::WorkloadId)
+                    .col(KubeEnvironmentWorkloadLabel::DeletedAt)
+                    .to_owned(),
+            )
+            .await?;
+
+        manager
+            .create_index(
+                Index::create()
+                    .name("kube_env_workload_label_unique_idx")
+                    .table(KubeEnvironmentWorkloadLabel::Table)
+                    .col(KubeEnvironmentWorkloadLabel::WorkloadId)
+                    .col(KubeEnvironmentWorkloadLabel::LabelKey)
+                    .col(KubeEnvironmentWorkloadLabel::DeletedAt)
+                    .unique()
+                    .nulls_not_distinct()
+                    .to_owned(),
+            )
+            .await?;
+
+        Ok(())
+    }
+}
+
+#[derive(DeriveIden)]
+pub enum KubeEnvironmentWorkloadLabel {
+    Table,
+    Id,
+    CreatedAt,
+    DeletedAt,
+    EnvironmentId,
+    WorkloadId,
+    LabelKey,
+    LabelValue,
+}
diff --git a/crates/db/migration/src/m20251008_000001_create_kube_devbox_session.rs b/crates/db/migration/src/m20251008_000001_create_kube_devbox_session.rs
new file mode 100644
index 0000000..308784a
--- /dev/null
+++ b/crates/db/migration/src/m20251008_000001_create_kube_devbox_session.rs
@@ -0,0 +1,115 @@
+use sea_orm_migration::prelude::*;
+
+use crate::m20231106_100019_create_user_table::User;
+use crate::m20250809_000001_create_kube_environment::KubeEnvironment;
+
+#[derive(DeriveMigrationName)]
+pub struct Migration;
+
+#[async_trait::async_trait]
+impl MigrationTrait for Migration {
+    async fn up(&self, manager: &SchemaManager) -> Result<(), DbErr> {
+        manager
+            .create_table(
+                Table::create()
+                    .table(KubeDevboxSession::Table)
+                    .if_not_exists()
+                    .col(
+                        ColumnDef::new(KubeDevboxSession::Id)
+                            .uuid()
+                            .not_null()
+                            .primary_key(),
+                    )
+                    .col(ColumnDef::new(KubeDevboxSession::UserId).uuid().not_null())
+                    .col(
+                        ColumnDef::new(KubeDevboxSession::SessionTokenHash)
+                            .string()
+                            .not_null(),
+                    )
+                    .col(
+                        ColumnDef::new(KubeDevboxSession::TokenPrefix)
+                            .string()
+                            .not_null(),
+                    )
+                    .col(
+                        ColumnDef::new(KubeDevboxSession::DeviceName)
+                            .string()
+                            .not_null(),
+                    )
+                    .col(ColumnDef::new(KubeDevboxSession::ActiveEnvironmentId).uuid())
+                    .col(
+                        ColumnDef::new(KubeDevboxSession::CreatedAt)
+                            .timestamp_with_time_zone()
+                            .not_null()
+                            .default(Expr::current_timestamp()),
+                    )
+                    .col(
+                        ColumnDef::new(KubeDevboxSession::ExpiresAt)
+                            .timestamp_with_time_zone()
+                            .not_null(),
+                    )
+                    .col(
+                        ColumnDef::new(KubeDevboxSession::LastUsedAt)
+                            .timestamp_with_time_zone()
+                            .not_null()
+                            .default(Expr::current_timestamp()),
+                    )
+                    .col(ColumnDef::new(KubeDevboxSession::RevokedAt).timestamp_with_time_zone())
+                    .foreign_key(
+                        ForeignKey::create()
+                            .from(KubeDevboxSession::Table, KubeDevboxSession::UserId)
+                            .to(User::Table, User::Id),
+                    )
+                    .foreign_key(
+                        ForeignKey::create()
+                            .from(
+                                KubeDevboxSession::Table,
+                                KubeDevboxSession::ActiveEnvironmentId,
+                            )
+                            .to(KubeEnvironment::Table, KubeEnvironment::Id),
+                    )
+                    .to_owned(),
+            )
+            .await?;
+
+        // Create unique index to ensure only one session row per user
+        manager
+            .create_index(
+                Index::create()
+                    .name("kube_devbox_session_user_unique_idx")
+                    .table(KubeDevboxSession::Table)
+                    .col(KubeDevboxSession::UserId)
+                    .unique()
+                    .to_owned(),
+            )
+            .await?;
+
+        // Create index for session token hash lookups (used during authentication)
+        manager
+            .create_index(
+                Index::create()
+                    .name("kube_devbox_session_token_hash_idx")
+                    .table(KubeDevboxSession::Table)
+                    .col(KubeDevboxSession::SessionTokenHash)
+                    .to_owned(),
+            )
+            .await?;
+
+        Ok(())
+    }
+}
+
+#[derive(DeriveIden)]
+pub enum KubeDevboxSession {
+    Table,
+    Id,
+    UserId,
+    SessionTokenHash,
+    TokenPrefix,
+    DeviceName,
+    ActiveEnvironmentId,
+    CreatedAt,
+    ExpiresAt,
+    LastUsedAt,
+    RevokedAt,
+}
diff --git a/crates/db/migration/src/m20251008_000002_create_kube_devbox_workload_intercept.rs b/crates/db/migration/src/m20251008_000002_create_kube_devbox_workload_intercept.rs
new file mode 100644
index 0000000..687b483
--- /dev/null
+++ b/crates/db/migration/src/m20251008_000002_create_kube_devbox_workload_intercept.rs
@@ -0,0 +1,153 @@
+use sea_orm_migration::prelude::*;
+
+use crate::m20231106_100019_create_user_table::User;
+use crate::m20250809_000001_create_kube_environment::KubeEnvironment;
+use crate::m20250809_000002_create_kube_environment_workload::KubeEnvironmentWorkload;
+
+#[derive(DeriveMigrationName)]
+pub struct Migration;
+
+#[async_trait::async_trait]
+impl MigrationTrait for Migration {
+    async fn up(&self, manager: &SchemaManager) -> Result<(), DbErr> {
+        manager
+            .create_table(
+                Table::create()
+                    .table(KubeDevboxWorkloadIntercept::Table)
+                    .if_not_exists()
+                    .col(
+                        ColumnDef::new(KubeDevboxWorkloadIntercept::Id)
+                            .uuid()
+                            .not_null()
+                            .primary_key(),
+                    )
+                    .col(
+                        ColumnDef::new(KubeDevboxWorkloadIntercept::UserId)
+                            .uuid()
+                            .not_null(),
+                    )
+                    .col(
+                        ColumnDef::new(KubeDevboxWorkloadIntercept::EnvironmentId)
+                            .uuid()
+                            .not_null(),
+                    )
+                    .col(
+                        ColumnDef::new(KubeDevboxWorkloadIntercept::WorkloadId)
+                            .uuid()
+                            .not_null(),
+                    )
+                    .col(
+                        ColumnDef::new(KubeDevboxWorkloadIntercept::PortMappings)
+                            .json_binary()
+                            .not_null(),
+                    )
+                    .col(
+                        ColumnDef::new(KubeDevboxWorkloadIntercept::CreatedAt)
+                            .timestamp_with_time_zone()
+                            .not_null()
+                            .default(Expr::current_timestamp()),
+                    )
+                    .col(
+                        ColumnDef::new(KubeDevboxWorkloadIntercept::StoppedAt)
+                            .timestamp_with_time_zone(),
+                    )
+                    .foreign_key(
+                        ForeignKey::create()
+                            .from(
+                                KubeDevboxWorkloadIntercept::Table,
+                                KubeDevboxWorkloadIntercept::UserId,
+                            )
+                            .to(User::Table, User::Id),
+                    )
+                    .foreign_key(
+                        ForeignKey::create()
+                            .from(
+                                KubeDevboxWorkloadIntercept::Table,
+                                KubeDevboxWorkloadIntercept::EnvironmentId,
+                            )
+                            .to(KubeEnvironment::Table, KubeEnvironment::Id),
+                    )
+                    .foreign_key(
+                        ForeignKey::create()
+                            .from(
+                                KubeDevboxWorkloadIntercept::Table,
+                                KubeDevboxWorkloadIntercept::WorkloadId,
+                            )
+                            .to(KubeEnvironmentWorkload::Table, KubeEnvironmentWorkload::Id),
+                    )
+                    .to_owned(),
+            )
+            .await?;
+
+        // Create partial unique index to prevent duplicate active intercepts per workload
+        manager
+            .get_connection()
+            .execute_unprepared(
+                "CREATE UNIQUE INDEX kube_devbox_workload_intercept_user_workload_unique_idx
+                 ON kube_devbox_workload_intercept (user_id, workload_id)
+                 WHERE stopped_at IS NULL",
+            )
+            .await?;
+
+        // Composite index to cover active + historical intercept lookups
+        manager
+            .create_index(
+                Index::create()
+                    .name("kube_devbox_workload_intercept_user_workload_stopped_idx")
+                    .table(KubeDevboxWorkloadIntercept::Table)
+                    .col(KubeDevboxWorkloadIntercept::UserId)
+                    .col(KubeDevboxWorkloadIntercept::WorkloadId)
+                    .col(KubeDevboxWorkloadIntercept::StoppedAt)
+                    .to_owned(),
+            )
+            .await?;
+
+        // Composite index for environment-scoped active intercept lookups
+        manager
+            .create_index(
+                Index::create()
+                    .name("kube_devbox_workload_intercept_environment_stopped_idx")
+                    .table(KubeDevboxWorkloadIntercept::Table)
+                    .col(KubeDevboxWorkloadIntercept::EnvironmentId)
+                    .col(KubeDevboxWorkloadIntercept::StoppedAt)
+                    .to_owned(),
+            )
+            .await?;
+
+        // Composite index for environment-scoped ordering by created_at
+        manager
+            .create_index(
+                Index::create()
+                    .name("kube_devbox_workload_intercept_environment_created_idx")
+                    .table(KubeDevboxWorkloadIntercept::Table)
+                    .col(KubeDevboxWorkloadIntercept::EnvironmentId)
+                    .col((KubeDevboxWorkloadIntercept::CreatedAt, IndexOrder::Desc))
+                    .to_owned(),
+            )
+            .await?;
+
+        Ok(())
+    }
+
+    async fn down(&self, manager: &SchemaManager) -> Result<(), DbErr> {
+        manager
+            .drop_table(
+                Table::drop()
+                    .table(KubeDevboxWorkloadIntercept::Table)
+                    .to_owned(),
+            )
+            .await
+    }
+}
+
+#[derive(DeriveIden)]
+pub enum KubeDevboxWorkloadIntercept {
+    Table,
+    Id,
+    UserId,
+    EnvironmentId,
+    WorkloadId,
+    PortMappings,
+    CreatedAt,
+    StoppedAt,
+}
diff --git a/crates/db/migration/src/main.rs b/crates/db/migration/src/main.rs
new file mode 100644
index 0000000..173bb4a
--- /dev/null
+++ b/crates/db/migration/src/main.rs
@@ -0,0 +1,6 @@
+use lapdev_db_migration::Migrator;
+
+#[tokio::main]
+pub async fn main() {
+    sea_orm_migration::cli::run_cli(Migrator).await
+}
diff --git a/crates/db/run_migration.sh b/crates/db/run_migration.sh
new file mode 100755
index 0000000..8ab0c71
--- /dev/null
+++ b/crates/db/run_migration.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd -P)"
+(cd "${SCRIPT_DIR}/migration" && cargo run -- up)
\ No newline at end of file
diff --git a/crates/db/src/api.rs b/crates/db/src/api.rs
new file mode 100644
index 0000000..9ba7416
--- /dev/null
+++ b/crates/db/src/api.rs
@@ -0,0 +1,4487 @@
+use anyhow::{anyhow, Result};
+use base64::{engine::general_purpose::STANDARD, Engine};
+use chrono::{DateTime, FixedOffset, Utc};
+use lapdev_common::{
+    config::LAPDEV_CLUSTER_NOT_INITIATED,
+    kube::{
+        AppCatalogStatusEvent, ClusterStatusEvent, EnvironmentWorkloadStatusEvent,
+        KubeAppCatalogWorkload, KubeClusterStatus, KubeContainerInfo, KubeEnvironment,
+        KubeEnvironmentDashboardSummary, KubeEnvironmentStatus, KubeEnvironmentStatusCount,
+        KubeEnvironmentSyncStatus, KubeEnvironmentWorkload, KubeServicePort, KubeWorkloadDetails,
+        KubeWorkloadKind, PagePaginationParams,
+    },
+    AuthProvider, ProviderUser, UserRole, WorkspaceStatus, LAPDEV_BASE_HOSTNAME,
+    LAPDEV_ISOLATE_CONTAINER,
+};
+use lapdev_db_entities::{
+    kube_app_catalog_workload, kube_app_catalog_workload_dependency,
+    kube_app_catalog_workload_label, kube_cluster_service, kube_cluster_service_selector,
+    kube_environment_workload_label,
+};
+use lapdev_db_migration::Migrator;
+use pasetors::{
+    keys::{Generate, SymmetricKey},
+    version4::V4,
+};
+use sea_orm::{
+    prelude::{DateTimeWithTimeZone, Json},
+    sea_query::{Alias, Condition, Expr, Func, OnConflict},
+    ActiveModelTrait, ActiveValue, ColumnTrait, ConnectionTrait, DatabaseConnection,
+    DatabaseTransaction, EntityTrait, FromQueryResult, JoinType, PaginatorTrait, QueryFilter,
+    QueryOrder, QuerySelect, RelationTrait, TransactionTrait,
+};
+use sea_orm_migration::MigratorTrait;
+use serde::Deserialize;
+use serde_json;
+use serde_yaml::Value;
+use sqlx::PgPool;
+use std::collections::{BTreeMap, BTreeSet, HashMap, HashSet};
+use std::convert::TryFrom;
+use std::str::FromStr;
+use tracing::{info, warn};
+use uuid::Uuid;
+
+#[derive(Clone, Debug)]
+pub struct NewEnvironmentWorkload {
+    pub id: Uuid,
+    pub details: KubeWorkloadDetails,
+}
+
+// Custom result structure for multi-table join
+#[derive(FromQueryResult)]
+struct KubeEnvironmentWithRelated {
+    // Environment fields
+    pub env_id: Uuid,
+    pub env_name: String,
+    pub env_namespace: String,
+    pub env_app_catalog_id: Uuid,
+    pub env_cluster_id: Uuid,
+    pub env_status: String,
+    pub env_created_at: DateTimeWithTimeZone,
+    pub env_is_shared: bool,
+    pub env_organization_id: Uuid,
+    pub env_user_id: Uuid,
+    pub env_deleted_at: Option<DateTimeWithTimeZone>,
+    pub env_base_environment_id: Option<Uuid>,
+    pub env_auth_token: String,
+    pub env_catalog_sync_version: i64,
+    pub env_last_catalog_synced_at: Option<DateTimeWithTimeZone>,
+    pub env_paused_at: Option<DateTimeWithTimeZone>,
+    pub env_resumed_at: Option<DateTimeWithTimeZone>,
+    pub env_sync_status: String,
+
+    // App catalog fields
+    pub catalog_name: Option<String>,
+    pub catalog_description: Option<String>,
+    pub catalog_sync_version: Option<i64>,
+    pub catalog_last_synced_at: Option<DateTimeWithTimeZone>,
+    pub catalog_last_sync_actor_id: Option<Uuid>,
+
+    // Cluster fields
+    pub cluster_name: Option<String>,
+
+    // Base environment fields
+    pub base_environment_name: Option<String>,
+    pub base_environment_catalog_sync_version: Option<i64>,
+    pub base_environment_last_synced_at: Option<DateTimeWithTimeZone>,
+}
+
+#[derive(FromQueryResult)]
+struct StatusCountRow {
+    pub status: String,
+    pub count: i64,
+}
+
+pub const LAPDEV_PIN_UNPIN_ERROR: &str = "lapdev-pin-unpin-error";
+pub const LAPDEV_MAX_CPU_ERROR: &str = "lapdev-max-cpu-error";
+const LAPDEV_API_AUTH_TOKEN_KEY: &str = "lapdev-api-auth-token-key";
+const LAPDEV_DEFAULT_USAGE_LIMIT: &str = "lapdev-default-org-usage-limit";
+const LAPDEV_DEFAULT_RUNNING_WORKSPACE_LIMIT: &str = "lapdev-default-org-running-workspace-limit";
+const LAPDEV_USER_CREATION_WEBHOOK: &str = "lapdev-user-creation-webhook";
+
+#[derive(Clone)]
+pub struct DbApi {
+    pub conn: DatabaseConnection,
+    pub pool: Option<PgPool>,
+}
+
+#[derive(Clone, Debug)]
+pub struct CachedClusterService {
+    pub name: String,
+    pub selector: BTreeMap<String, String>,
+    pub ports: Vec<KubeServicePort>,
+    pub service_yaml: String,
+}
+
+#[derive(Debug, Deserialize)]
+struct StoredServicePort {
+    pub name: Option<String>,
+    pub port: i32,
+    #[serde(default)]
+    pub target_port: Option<serde_json::Value>,
+    #[serde(default)]
+    pub protocol: Option<String>,
+    #[serde(default)]
+    pub node_port: Option<i32>,
+    #[serde(default)]
+    pub original_target_port: Option<i32>,
+}
+
+impl StoredServicePort {
+    fn into_service_port(self) -> Option<KubeServicePort> {
+        let target_port = self
+            .target_port
+            .and_then(|value| value.as_i64())
+            .and_then(|v| i32::try_from(v).ok());
+        let original_target_port = self.original_target_port.or(target_port);
+
+        Some(KubeServicePort {
+            name: self.name,
+            port: self.port,
+            target_port,
+            protocol: self.protocol,
+            node_port: self.node_port,
+            original_target_port,
+        })
+    }
+}
+
+async fn connect_db(conn_url: &str) -> Result<sqlx::PgPool> {
+    let redacted_url = redact_connection_url(conn_url);
+    info!(%redacted_url, "Connecting to PostgreSQL database");
+    let pool: sqlx::PgPool = sqlx::pool::PoolOptions::new()
+        .max_connections(100)
+        .connect(conn_url)
+        .await?;
+    Ok(pool)
+}
+
+fn redact_connection_url(conn_url: &str) -> String {
+    let (scheme, remainder) = conn_url.split_once("://").unwrap_or(("postgres", conn_url));
+
+    let target_host = remainder
+        .split_once('@')
+        .map(|(_, after)| after)
+        .unwrap_or(remainder);
+
+    let mut redacted = String::from(scheme);
+    redacted.push_str("://");
+
+    if target_host.is_empty() {
+        redacted.push_str("<unknown>");
+        return redacted;
+    }
+
+    let mut segments = target_host.splitn(2, '/');
+    let host_port = segments.next().unwrap_or("");
+
+    if host_port.is_empty() {
+        redacted.push_str("<unknown>");
+        return redacted;
+    }
+
+    redacted.push_str(host_port);
+
+    if let Some(path_and_query) = segments.next() {
+        if let Some(database) = path_and_query.split('?').next() {
+            if !database.is_empty() {
+                redacted.push('/');
+                redacted.push_str(database);
+            }
+        }
+    }
+
+    redacted
+}
+
+impl DbApi {
+    pub async fn new(conn_url: &str) -> Result<Self> {
+        let pool = connect_db(conn_url).await?;
+        let conn = sea_orm::SqlxPostgresConnector::from_sqlx_postgres_pool(pool.clone());
+        let db = DbApi {
+            conn,
+            pool: Some(pool),
+        };
+        Ok(db)
+    }
+
+    pub async fn migrate(&self) -> Result<()> {
+        Migrator::up(&self.conn, None).await?;
+        Ok(())
+    }
+
+    pub async fn is_cluster_initiated(&self, txn: &DatabaseTransaction) -> bool {
+        // before the cluster is initiated, the auth providers can be configured
+        // without any authentication,
+        // also the user created before cluster is intiated is a cluster admin,
+        // so the value is default to true even when we've got an error
+        if lapdev_db_entities::config::Entity::find()
+            .filter(lapdev_db_entities::config::Column::Name.eq(LAPDEV_CLUSTER_NOT_INITIATED))
+            .one(txn)
+            .await
+            .as_ref()
+            .map(|v| v.as_ref().map(|v| v.value.as_str()))
+            == Ok(Some("yes"))
+        {
+            return false;
+        }
+        true
+    }
+
+    async fn generate_api_auth_token_key(&self) -> SymmetricKey<V4> {
+        let key = SymmetricKey::generate().unwrap();
+        {
+            let key = STANDARD.encode(key.as_bytes());
+            let _ = lapdev_db_entities::config::ActiveModel {
+                name: ActiveValue::Set(LAPDEV_API_AUTH_TOKEN_KEY.to_string()),
+                value: ActiveValue::Set(key),
+            }
+            .insert(&self.conn)
+            .await;
+        }
+
+        key
+    }
+
+    pub async fn load_api_auth_token_key(&self) -> SymmetricKey<V4> {
+        if let Ok(key) = self.get_api_auth_token_key().await {
+            return key;
+        }
+
+        self.generate_api_auth_token_key().await
+    }
+
+    async fn get_api_auth_token_key(&self) -> Result<SymmetricKey<V4>> {
+        let key = self.get_config(LAPDEV_API_AUTH_TOKEN_KEY).await?;
+        let key = STANDARD.decode(key)?;
+        let key = SymmetricKey::from(&key)?;
+        Ok(key)
+    }
+
+    pub async fn update_config(
+        &self,
+        name: &str,
+        value: &str,
+    ) -> Result<lapdev_db_entities::config::Model> {
+        let model =
+            lapdev_db_entities::config::Entity::insert(lapdev_db_entities::config::ActiveModel {
+                name: ActiveValue::set(name.to_string()),
+                value: ActiveValue::set(value.to_string()),
+            })
+            .on_conflict(
+                OnConflict::column(lapdev_db_entities::config::Column::Name)
+                    .update_column(lapdev_db_entities::config::Column::Value)
+                    .to_owned(),
+            )
+            .exec_with_returning(&self.conn)
+            .await?;
+        Ok(model)
+    }
+
+    pub async fn get_config(&self, name: &str) -> Result<String> {
+        let model = lapdev_db_entities::config::Entity::find()
+            .filter(lapdev_db_entities::config::Column::Name.eq(name))
+            .one(&self.conn)
+            .await?
+            .ok_or_else(|| anyhow!("no config found"))?;
+        Ok(model.value)
+    }
+
+    async fn get_config_in_txn(&self, txn: &DatabaseTransaction, name: &str) -> Result<String> {
+        let model = lapdev_db_entities::config::Entity::find()
+            .filter(lapdev_db_entities::config::Column::Name.eq(name))
+            .one(txn)
+            .await?
+            .ok_or_else(|| anyhow!("no config found"))?;
+        Ok(model.value)
+    }
+
+    pub async fn get_base_hostname(&self) -> Result<String> {
+        self.get_config(LAPDEV_BASE_HOSTNAME).await
+    }
+
+    pub async fn get_user_creation_webhook(&self) -> Result<String> {
+        self.get_config(LAPDEV_USER_CREATION_WEBHOOK).await
+    }
+
+    pub async fn is_container_isolated(&self) -> Result<bool> {
+        Ok(lapdev_db_entities::config::Entity::find()
+            .filter(lapdev_db_entities::config::Column::Name.eq(LAPDEV_ISOLATE_CONTAINER))
+            .one(&self.conn)
+            .await?
+            .map(|v| v.value == "yes")
+            .unwrap_or(false))
+    }
+
+    pub async fn get_all_workspaces(
+        &self,
+        user_id: Uuid,
+        org_id: Uuid,
+    ) -> Result<
+        Vec<(
+            lapdev_db_entities::workspace::Model,
+            Option<lapdev_db_entities::workspace_host::Model>,
+        )>,
+    > {
+        let model = lapdev_db_entities::workspace::Entity::find()
+            .find_also_related(lapdev_db_entities::workspace_host::Entity)
+            .filter(lapdev_db_entities::workspace::Column::UserId.eq(user_id))
+            .filter(lapdev_db_entities::workspace::Column::OrganizationId.eq(org_id))
+            .filter(lapdev_db_entities::workspace::Column::DeletedAt.is_null())
+            .order_by_asc(lapdev_db_entities::workspace::Column::CreatedAt)
+            .all(&self.conn)
+            .await?;
+        Ok(model)
+    }
+
+    pub async fn get_workspace(&self, id: Uuid) -> Result<lapdev_db_entities::workspace::Model> {
+        let model = lapdev_db_entities::workspace::Entity::find_by_id(id)
+            .filter(lapdev_db_entities::workspace::Column::DeletedAt.is_null())
+            .one(&self.conn)
+            .await?
+            .ok_or_else(|| anyhow!("no workspace found"))?;
+        Ok(model)
+    }
+
+    pub async fn get_workspace_by_name(
+        &self,
+        name: &str,
+    ) -> Result<lapdev_db_entities::workspace::Model> {
+        let model = lapdev_db_entities::workspace::Entity::find()
+            .filter(lapdev_db_entities::workspace::Column::Name.eq(name))
+            .filter(lapdev_db_entities::workspace::Column::DeletedAt.is_null())
+            .one(&self.conn)
+            .await?
+            .ok_or_else(|| anyhow!("no workspace found"))?;
+        Ok(model)
+    }
+
+    pub async fn get_workspace_by_url(
+        &self,
+        org_id: Uuid,
+        user_id: Uuid,
+        url: &str,
+    ) -> Result<Option<lapdev_db_entities::workspace::Model>> {
+        let model = lapdev_db_entities::workspace::Entity::find()
+            .filter(lapdev_db_entities::workspace::Column::OrganizationId.eq(org_id))
+            .filter(lapdev_db_entities::workspace::Column::UserId.eq(user_id))
+            .filter(lapdev_db_entities::workspace::Column::DeletedAt.is_null())
+            .filter(lapdev_db_entities::workspace::Column::RepoUrl.eq(url))
+            .one(&self.conn)
+            .await?;
+        Ok(model)
+    }
+
+    pub async fn get_running_workspaces_on_host(
+        &self,
+        ws_host_id: Uuid,
+    ) -> Result<Vec<lapdev_db_entities::workspace::Model>> {
+        let model = lapdev_db_entities::workspace::Entity::find()
+            .filter(lapdev_db_entities::workspace::Column::HostId.eq(ws_host_id))
+            .filter(lapdev_db_entities::workspace::Column::DeletedAt.is_null())
+            .filter(
+                lapdev_db_entities::workspace::Column::Status
+                    .eq(WorkspaceStatus::Running.to_string()),
+            )
+            .all(&self.conn)
+            .await?;
+        Ok(model)
+    }
+
+    pub async fn get_inactive_workspaces_on_host(
+        &self,
+        ws_host_id: Uuid,
+        last_updated_at: DateTime<FixedOffset>,
+    ) -> Result<Vec<lapdev_db_entities::workspace::Model>> {
+        let model = lapdev_db_entities::workspace::Entity::find()
+            .filter(lapdev_db_entities::workspace::Column::HostId.eq(ws_host_id))
+            .filter(lapdev_db_entities::workspace::Column::DeletedAt.is_null())
+            .filter(
+                lapdev_db_entities::workspace::Column::Status
+                    .eq(WorkspaceStatus::Stopped.to_string()),
+            )
+            .filter(lapdev_db_entities::workspace::Column::Pinned.eq(false))
+            .filter(lapdev_db_entities::workspace::Column::UpdatedAt.lt(last_updated_at))
+            .all(&self.conn)
+            .await?;
+        Ok(model)
+    }
+
+    pub async fn get_org_running_workspace(
+        &self,
+        org_id: Uuid,
+    ) -> Result<Option<lapdev_db_entities::workspace::Model>> {
+        let model = lapdev_db_entities::workspace::Entity::find()
+            .filter(lapdev_db_entities::workspace::Column::OrganizationId.eq(org_id))
+            .filter(lapdev_db_entities::workspace::Column::DeletedAt.is_null())
+            .filter(
+                lapdev_db_entities::workspace::Column::Status
+                    .eq(WorkspaceStatus::Running.to_string()),
+            )
+            .one(&self.conn)
+            .await?;
+        Ok(model)
+    }
+
+    pub async fn get_org_running_workspaces(
+        &self,
+        org_id: Uuid,
+    ) -> Result<Vec<lapdev_db_entities::workspace::Model>> {
+        let model = lapdev_db_entities::workspace::Entity::find()
+            .filter(lapdev_db_entities::workspace::Column::OrganizationId.eq(org_id))
+            .filter(
+                lapdev_db_entities::workspace::Column::Status
+                    .eq(WorkspaceStatus::Running.to_string()),
+            )
+            .filter(lapdev_db_entities::workspace::Column::DeletedAt.is_null())
+            .all(&self.conn)
+            .await?;
+        Ok(model)
+    }
+
+    pub async fn validate_ssh_public_key(
+        &self,
+        user_id: Uuid,
+        public_key: &str,
+    ) -> Result<lapdev_db_entities::ssh_public_key::Model> {
+        let model = lapdev_db_entities::ssh_public_key::Entity::find()
+            .filter(lapdev_db_entities::ssh_public_key::Column::UserId.eq(user_id))
+            .filter(lapdev_db_entities::ssh_public_key::Column::ParsedKey.eq(public_key))
+            .filter(lapdev_db_entities::ssh_public_key::Column::DeletedAt.is_null())
+            .one(&self.conn)
+            .await?
+            .ok_or_else(|| anyhow!("no workspace found"))?;
+        Ok(model)
+    }
+
+    pub async fn get_organization(
+        &self,
+        id: Uuid,
+    ) -> Result<lapdev_db_entities::organization::Model> {
+        let model = lapdev_db_entities::organization::Entity::find_by_id(id)
+            .filter(lapdev_db_entities::organization::Column::DeletedAt.is_null())
+            .one(&self.conn)
+            .await?
+            .ok_or_else(|| anyhow!("no organization found"))?;
+        Ok(model)
+    }
+
+    pub async fn get_organization_member(
+        &self,
+        user_id: Uuid,
+        org_id: Uuid,
+    ) -> Result<lapdev_db_entities::organization_member::Model> {
+        let model = lapdev_db_entities::organization_member::Entity::find()
+            .filter(lapdev_db_entities::organization_member::Column::UserId.eq(user_id))
+            .filter(lapdev_db_entities::organization_member::Column::OrganizationId.eq(org_id))
+            .filter(lapdev_db_entities::organization_member::Column::DeletedAt.is_null())
+            .one(&self.conn)
+            .await?
+            .ok_or_else(|| anyhow!("no organization member found"))?;
+        Ok(model)
+    }
+
+    pub async fn get_all_organization_members(
+        &self,
+        org_id: Uuid,
+    ) -> Result<Vec<lapdev_db_entities::organization_member::Model>> {
+        let models = lapdev_db_entities::organization_member::Entity::find()
+            .filter(lapdev_db_entities::organization_member::Column::OrganizationId.eq(org_id))
+            .filter(lapdev_db_entities::organization_member::Column::DeletedAt.is_null())
+            .all(&self.conn)
+            .await?;
+        Ok(models)
+    }
+
+    pub async fn create_new_organization(
+        &self,
+        txn: &DatabaseTransaction,
+        name: String,
+    ) -> Result<lapdev_db_entities::organization::Model> {
+        let default_usage_limit = self
+            .get_config_in_txn(txn, LAPDEV_DEFAULT_USAGE_LIMIT)
+            .await
+            .ok()
+            .and_then(|v| v.parse::<i64>().ok())
+            .unwrap_or(0);
+        let default_running_workspace_limit = self
+            .get_config_in_txn(txn, LAPDEV_DEFAULT_RUNNING_WORKSPACE_LIMIT)
+            .await
+            .ok()
+            .and_then(|v| v.parse::<i32>().ok())
+            .unwrap_or(0);
+
+        let org = lapdev_db_entities::organization::ActiveModel {
+            id: ActiveValue::Set(Uuid::new_v4()),
+            deleted_at: ActiveValue::Set(None),
+            name: ActiveValue::Set(name.to_string()),
+            auto_start: ActiveValue::Set(true),
+            allow_workspace_change_auto_start: ActiveValue::Set(true),
+            auto_stop: ActiveValue::Set(Some(3600)),
+            allow_workspace_change_auto_stop: ActiveValue::Set(true),
+            last_auto_stop_check: ActiveValue::Set(None),
+            usage_limit: ActiveValue::Set(default_usage_limit),
+            running_workspace_limit: ActiveValue::Set(default_running_workspace_limit),
+            has_running_workspace: ActiveValue::Set(false),
+            max_cpu: ActiveValue::Set(4),
+        }
+        .insert(txn)
+        .await?;
+
+        Ok(org)
+    }
+
+    pub async fn create_new_user(
+        &self,
+        txn: &DatabaseTransaction,
+        provider: &AuthProvider,
+        provider_user: ProviderUser,
+        token: String,
+    ) -> Result<lapdev_db_entities::user::Model> {
+        let cluster_admin = if !self.is_cluster_initiated(txn).await {
+            lapdev_db_entities::config::ActiveModel {
+                name: ActiveValue::Set(LAPDEV_CLUSTER_NOT_INITIATED.to_string()),
+                value: ActiveValue::Set("no".to_string()),
+            }
+            .update(txn)
+            .await?;
+            true
+        } else {
+            false
+        };
+
+        let now = Utc::now();
+        let org = self
+            .create_new_organization(txn, "Personal".to_string())
+            .await?;
+
+        let user = lapdev_db_entities::user::ActiveModel {
+            id: ActiveValue::Set(Uuid::new_v4()),
+            created_at: ActiveValue::Set(now.into()),
+            deleted_at: ActiveValue::Set(None),
+            provider: ActiveValue::Set(provider.to_string()),
+            osuser: ActiveValue::Set(format!("{provider}_{}", provider_user.login)),
+            avatar_url: ActiveValue::Set(provider_user.avatar_url.clone()),
+            email: ActiveValue::Set(provider_user.email.clone()),
+            name: ActiveValue::Set(provider_user.name.clone()),
+            current_organization: ActiveValue::Set(org.id),
+            cluster_admin: ActiveValue::Set(cluster_admin),
+            disabled: ActiveValue::Set(false),
+        }
+        .insert(txn)
+        .await?;
+
+        lapdev_db_entities::oauth_connection::ActiveModel {
+            id: ActiveValue::Set(Uuid::new_v4()),
+            user_id: ActiveValue::Set(user.id),
+            created_at: ActiveValue::Set(now.into()),
+            deleted_at: ActiveValue::Set(None),
+            provider: ActiveValue::Set(provider.to_string()),
+            provider_id: ActiveValue::Set(provider_user.id),
+            provider_login: ActiveValue::Set(provider_user.login),
+            access_token: ActiveValue::Set(token),
+            avatar_url: ActiveValue::Set(provider_user.avatar_url),
+            email: ActiveValue::Set(provider_user.email),
+            name: ActiveValue::Set(provider_user.name),
+            read_repo: ActiveValue::Set(Some(false)),
+        }
+        .insert(txn)
+        .await?;
+
+        lapdev_db_entities::organization_member::ActiveModel {
+            created_at: ActiveValue::Set(now.into()),
+            user_id: ActiveValue::Set(user.id),
+            organization_id: ActiveValue::Set(org.id),
+            role: ActiveValue::Set(UserRole::Owner.to_string()),
+            ..Default::default()
+        }
+        .insert(txn)
+        .await?;
+
+        Ok(user)
+    }
+
+    pub async fn get_user(&self, user_id: Uuid) -> Result<Option<lapdev_db_entities::user::Model>> {
+        let model = lapdev_db_entities::user::Entity::find()
+            .filter(lapdev_db_entities::user::Column::Id.eq(user_id))
+            .filter(lapdev_db_entities::user::Column::DeletedAt.is_null())
+            .one(&self.conn)
+            .await?;
+        Ok(model)
+    }
+
+    pub async fn get_oauth(
+        &self,
+        id: Uuid,
+    ) -> Result<Option<lapdev_db_entities::oauth_connection::Model>> {
+        let model = lapdev_db_entities::oauth_connection::Entity::find()
+            .filter(lapdev_db_entities::oauth_connection::Column::Id.eq(id))
+            .filter(lapdev_db_entities::oauth_connection::Column::DeletedAt.is_null())
+            .one(&self.conn)
+            .await?;
+        Ok(model)
+    }
+
+    pub async fn get_kube_token(
+        &self,
+        token: &[u8],
+    ) -> Result<Option<lapdev_db_entities::kube_cluster_token::Model>> {
+        let model = lapdev_db_entities::kube_cluster_token::Entity::find()
+            .filter(lapdev_db_entities::kube_cluster_token::Column::Token.eq(token))
+            .filter(lapdev_db_entities::kube_cluster_token::Column::DeletedAt.is_null())
+            .one(&self.conn)
+            .await?;
+        Ok(model)
+    }
+
+    pub async fn update_kube_token_last_used(
+        &self,
+        id: Uuid,
+    ) -> Result<lapdev_db_entities::kube_cluster_token::Model> {
+        let model = lapdev_db_entities::kube_cluster_token::ActiveModel {
+            id: ActiveValue::Set(id),
+            last_used_at: ActiveValue::Set(Some(Utc::now().into())),
+            ..Default::default()
+        }
+        .update(&self.conn)
+        .await?;
+        Ok(model)
+    }
+
+    pub async fn get_kube_cluster(
+        &self,
+        id: Uuid,
+    ) -> Result<Option<lapdev_db_entities::kube_cluster::Model>> {
+        let model = lapdev_db_entities::kube_cluster::Entity::find()
+            .filter(lapdev_db_entities::kube_cluster::Column::Id.eq(id))
+            .filter(lapdev_db_entities::kube_cluster::Column::DeletedAt.is_null())
+            .one(&self.conn)
+            .await?;
+        Ok(model)
+    }
+
+    pub async fn update_kube_cluster_info(
+        &self,
+        id: Uuid,
+        cluster_version: Option<String>,
+        status: Option<String>,
+        provider: Option<String>,
+        region: Option<String>,
+        manager_namespace: Option<String>,
+    ) -> Result<lapdev_db_entities::kube_cluster::Model> {
+        use lapdev_db_entities::kube_cluster;
+        use sea_orm::ActiveValue;
+
+        let now = chrono::Utc::now().into();
+        let model = kube_cluster::ActiveModel {
+            id: ActiveValue::Set(id),
+            cluster_version: ActiveValue::Set(cluster_version),
+            status: status.map(ActiveValue::Set).unwrap_or(ActiveValue::NotSet),
+            provider: ActiveValue::Set(provider),
+            region: ActiveValue::Set(region),
+            manager_namespace: ActiveValue::Set(manager_namespace),
+            last_reported_at: ActiveValue::Set(Some(now)),
+            ..Default::default()
+        };
+        let updated = model.update(&self.conn).await?;
+        self.publish_cluster_status_event(&updated).await;
+        Ok(updated)
+    }
+
+    async fn publish_cluster_status_event(
+        &self,
+        cluster: &lapdev_db_entities::kube_cluster::Model,
+    ) {
+        let Some(pool) = self.pool.as_ref() else {
+            return;
+        };
+
+        let status =
+            KubeClusterStatus::from_str(&cluster.status).unwrap_or(KubeClusterStatus::NotReady);
+        let updated_at = cluster
+            .last_reported_at
+            .map(|ts| ts.with_timezone(&Utc))
+            .unwrap_or_else(Utc::now);
+
+        let event = ClusterStatusEvent {
+            organization_id: cluster.organization_id,
+            cluster_id: cluster.id,
+            status,
+            cluster_version: cluster.cluster_version.clone(),
+            region: cluster.region.clone(),
+            updated_at,
+        };
+
+        match serde_json::to_string(&event) {
+            Ok(payload) => {
+                if let Err(err) = sqlx::query("SELECT pg_notify('cluster_status', $1)")
+                    .bind(payload)
+                    .execute(pool)
+                    .await
+                {
+                    warn!(
+                        error = %err,
+                        "failed to publish cluster status event via NOTIFY"
+                    );
+                }
+            }
+            Err(err) => {
+                warn!(
+                    error = %err,
+                    "failed to serialize cluster status event"
+                );
+            }
+        }
+    }
+
+    async fn publish_app_catalog_status_event(
+        &self,
+        catalog: &lapdev_db_entities::kube_app_catalog::Model,
+    ) {
+        let Some(pool) = self.pool.as_ref() else {
+            return;
+        };
+
+        let event = AppCatalogStatusEvent {
+            organization_id: catalog.organization_id,
+            catalog_id: catalog.id,
+            cluster_id: catalog.cluster_id,
+            sync_version: catalog.sync_version,
+            last_synced_at: catalog.last_synced_at.map(|ts| ts.to_string()),
+            last_sync_actor_id: catalog.last_sync_actor_id,
+            updated_at: Utc::now(),
+        };
+
+        match serde_json::to_string(&event) {
+            Ok(payload) => {
+                if let Err(err) = sqlx::query("SELECT pg_notify('app_catalog_status', $1)")
+                    .bind(payload)
+                    .execute(pool)
+                    .await
+                {
+                    warn!(
+                        error = %err,
+                        "failed to publish app catalog status event via NOTIFY"
+                    );
+                }
+            }
+            Err(err) => {
+                warn!(
+                    error = %err,
+                    "failed to serialize app catalog status event"
+                );
+            }
+        }
+    }
+
+    pub async fn publish_environment_workload_status_event(
+        &self,
+        event: &EnvironmentWorkloadStatusEvent,
+    ) {
+        let Some(pool) = self.pool.as_ref() else {
+            return;
+        };
+
+        match serde_json::to_string(event) {
+            Ok(payload) => {
+                if let Err(err) = sqlx::query("SELECT pg_notify('environment_workload_status', $1)")
+                    .bind(payload)
+                    .execute(pool)
+                    .await
+                {
+                    warn!(
+                        error = %err,
+                        "failed to publish environment workload status event via NOTIFY"
+                    );
+                }
+            }
+            Err(err) => {
+                warn!(
+                    error = %err,
+                    "failed to serialize environment workload status event"
+                );
+            }
+        }
+    }
+
+    pub async fn get_user_all_oauth(
+        &self,
+        user_id: Uuid,
+    ) -> Result<Vec<lapdev_db_entities::oauth_connection::Model>> {
+        let model = lapdev_db_entities::oauth_connection::Entity::find()
+            .filter(lapdev_db_entities::oauth_connection::Column::UserId.eq(user_id))
+            .filter(lapdev_db_entities::oauth_connection::Column::DeletedAt.is_null())
+            .all(&self.conn)
+            .await?;
+        Ok(model)
+    }
+
+    pub async fn get_user_oauth(
+        &self,
+        user_id: Uuid,
+        provider_name: &str,
+    ) -> Result<Option<lapdev_db_entities::oauth_connection::Model>> {
+        let model = lapdev_db_entities::oauth_connection::Entity::find()
+            .filter(lapdev_db_entities::oauth_connection::Column::UserId.eq(user_id))
+            .filter(lapdev_db_entities::oauth_connection::Column::Provider.eq(provider_name))
+            .filter(lapdev_db_entities::oauth_connection::Column::DeletedAt.is_null())
+            .one(&self.conn)
+            .await?;
+        Ok(model)
+    }
+
+    pub async fn get_user_organizations(
+        &self,
+        user_id: Uuid,
+    ) -> Result<Vec<lapdev_db_entities::organization_member::Model>> {
+        let model = lapdev_db_entities::organization_member::Entity::find()
+            .filter(lapdev_db_entities::organization_member::Column::UserId.eq(user_id))
+            .filter(lapdev_db_entities::organization_member::Column::DeletedAt.is_null())
+            .order_by_asc(lapdev_db_entities::organization_member::Column::CreatedAt)
+            .all(&self.conn)
+            .await?;
+        Ok(model)
+    }
+
+    pub async fn get_all_ssh_keys(
+        &self,
+        user_id: Uuid,
+    ) -> Result<Vec<lapdev_db_entities::ssh_public_key::Model>> {
+        let model = lapdev_db_entities::ssh_public_key::Entity::find()
+            .filter(lapdev_db_entities::ssh_public_key::Column::UserId.eq(user_id))
+            .filter(lapdev_db_entities::ssh_public_key::Column::DeletedAt.is_null())
+            .order_by_asc(lapdev_db_entities::ssh_public_key::Column::CreatedAt)
+            .all(&self.conn)
+            .await?;
+        Ok(model)
+    }
+
+    pub async fn get_ssh_key(&self, id: Uuid) -> Result<lapdev_db_entities::ssh_public_key::Model> {
+        let model = lapdev_db_entities::ssh_public_key::Entity::find_by_id(id)
+            .filter(lapdev_db_entities::ssh_public_key::Column::DeletedAt.is_null())
+            .one(&self.conn)
+            .await?
+            .ok_or_else(|| anyhow!("no ssh key found"))?;
+        Ok(model)
+    }
+
+    pub async fn get_project(&self, id: Uuid) -> Result<lapdev_db_entities::project::Model> {
+        let model = lapdev_db_entities::project::Entity::find_by_id(id)
+            .filter(lapdev_db_entities::project::Column::DeletedAt.is_null())
+            .one(&self.conn)
+            .await?
+            .ok_or_else(|| anyhow!("no project found"))?;
+        Ok(model)
+    }
+
+    pub async fn get_project_by_repo(
+        &self,
+        org_id: Uuid,
+        repo: &str,
+    ) -> Result<Option<lapdev_db_entities::project::Model>> {
+        let model = lapdev_db_entities::project::Entity::find()
+            .filter(lapdev_db_entities::project::Column::OrganizationId.eq(org_id))
+            .filter(lapdev_db_entities::project::Column::DeletedAt.is_null())
+            .filter(
+                Expr::expr(Func::lower(
+                    lapdev_db_entities::project::Column::RepoUrl.into_expr(),
+                ))
+                .eq(repo.to_lowercase()),
+            )
+            .one(&self.conn)
+            .await?;
+        Ok(model)
+    }
+
+    pub async fn get_all_projects(
+        &self,
+        org_id: Uuid,
+    ) -> Result<Vec<lapdev_db_entities::project::Model>> {
+        let model = lapdev_db_entities::project::Entity::find()
+            .filter(lapdev_db_entities::project::Column::OrganizationId.eq(org_id))
+            .filter(lapdev_db_entities::project::Column::DeletedAt.is_null())
+            .order_by_asc(lapdev_db_entities::project::Column::CreatedAt)
+            .all(&self.conn)
+            .await?;
+        Ok(model)
+    }
+
+    pub async fn get_all_kube_clusters(
+        &self,
+        org_id: Uuid,
+    ) -> Result<Vec<lapdev_db_entities::kube_cluster::Model>> {
+        let model = lapdev_db_entities::kube_cluster::Entity::find()
+            .filter(lapdev_db_entities::kube_cluster::Column::OrganizationId.eq(org_id))
+            .filter(lapdev_db_entities::kube_cluster::Column::DeletedAt.is_null())
+            .order_by_asc(lapdev_db_entities::kube_cluster::Column::CreatedAt)
+            .all(&self.conn)
+            .await?;
+        Ok(model)
+    }
+
+    pub async fn get_prebuild(
+        &self,
+        id: Uuid,
+    ) -> Result<Option<lapdev_db_entities::prebuild::Model>> {
+        let model = lapdev_db_entities::prebuild::Entity::find_by_id(id)
+            .filter(lapdev_db_entities::prebuild::Column::DeletedAt.is_null())
+            .one(&self.conn)
+            .await?;
+        Ok(model)
+    }
+
+    pub async fn get_prebuild_by_branch_and_commit(
+        &self,
+        project_id: Uuid,
+        branch: &str,
+        commit: &str,
+    ) -> Result<Option<lapdev_db_entities::prebuild::Model>> {
+        let model = lapdev_db_entities::prebuild::Entity::find()
+            .filter(lapdev_db_entities::prebuild::Column::ProjectId.eq(project_id))
+            .filter(lapdev_db_entities::prebuild::Column::Branch.eq(branch))
+            .filter(lapdev_db_entities::prebuild::Column::Commit.eq(commit))
+            .filter(lapdev_db_entities::prebuild::Column::DeletedAt.is_null())
+            .one(&self.conn)
+            .await?;
+        Ok(model)
+    }
+
+    pub async fn get_prebuild_by_branch_and_commit_with_lock(
+        &self,
+        txn: &DatabaseTransaction,
+        project_id: Uuid,
+        branch: &str,
+        commit: &str,
+    ) -> Result<Option<lapdev_db_entities::prebuild::Model>> {
+        let model = lapdev_db_entities::prebuild::Entity::find()
+            .filter(lapdev_db_entities::prebuild::Column::ProjectId.eq(project_id))
+            .filter(lapdev_db_entities::prebuild::Column::Branch.eq(branch))
+            .filter(lapdev_db_entities::prebuild::Column::Commit.eq(commit))
+            .filter(lapdev_db_entities::prebuild::Column::DeletedAt.is_null())
+            .lock_exclusive()
+            .one(txn)
+            .await?;
+        Ok(model)
+    }
+
+    pub async fn get_prebuilds(
+        &self,
+        project_id: Uuid,
+    ) -> Result<Vec<lapdev_db_entities::prebuild::Model>> {
+        let model = lapdev_db_entities::prebuild::Entity::find()
+            .filter(lapdev_db_entities::prebuild::Column::ProjectId.eq(project_id))
+            .filter(lapdev_db_entities::prebuild::Column::DeletedAt.is_null())
+            .order_by_desc(lapdev_db_entities::prebuild::Column::CreatedAt)
+            .all(&self.conn)
+            .await?;
+        Ok(model)
+    }
+
+    pub async fn get_prebuild_replica(
+        &self,
+        prebuild_id: Uuid,
+        host_id: Uuid,
+    ) -> Result<Option<lapdev_db_entities::prebuild_replica::Model>> {
+        let replica = lapdev_db_entities::prebuild_replica::Entity::find()
+            .filter(lapdev_db_entities::prebuild_replica::Column::DeletedAt.is_null())
+            .filter(lapdev_db_entities::prebuild_replica::Column::PrebuildId.eq(prebuild_id))
+            .filter(lapdev_db_entities::prebuild_replica::Column::HostId.eq(host_id))
+            .one(&self.conn)
+            .await?;
+        Ok(replica)
+    }
+
+    pub async fn get_all_workspace_hosts(
+        &self,
+    ) -> Result<Vec<lapdev_db_entities::workspace_host::Model>> {
+        let model = lapdev_db_entities::workspace_host::Entity::find()
+            .filter(lapdev_db_entities::workspace_host::Column::DeletedAt.is_null())
+            .all(&self.conn)
+            .await?;
+        Ok(model)
+    }
+
+    pub async fn get_workspace_host(
+        &self,
+        id: Uuid,
+    ) -> Result<Option<lapdev_db_entities::workspace_host::Model>> {
+        let model = lapdev_db_entities::workspace_host::Entity::find()
+            .filter(lapdev_db_entities::workspace_host::Column::Id.eq(id))
+            .one(&self.conn)
+            .await?;
+        Ok(model)
+    }
+
+    pub async fn get_workspace_port(
+        &self,
+        ws_id: Uuid,
+        port: u16,
+    ) -> Result<Option<lapdev_db_entities::workspace_port::Model>> {
+        let model = lapdev_db_entities::workspace_port::Entity::find()
+            .filter(lapdev_db_entities::workspace_port::Column::WorkspaceId.eq(ws_id))
+            .filter(lapdev_db_entities::workspace_port::Column::Port.eq(port))
+            .filter(lapdev_db_entities::workspace_port::Column::DeletedAt.is_null())
+            .one(&self.conn)
+            .await?;
+        Ok(model)
+    }
+
+    pub async fn get_workspace_ports(
+        &self,
+        ws_id: Uuid,
+    ) -> Result<Vec<lapdev_db_entities::workspace_port::Model>> {
+        let model = lapdev_db_entities::workspace_port::Entity::find()
+            .filter(lapdev_db_entities::workspace_port::Column::WorkspaceId.eq(ws_id))
+            .filter(lapdev_db_entities::workspace_port::Column::DeletedAt.is_null())
+            .all(&self.conn)
+            .await?;
+        Ok(model)
+    }
+
+    pub async fn get_workspace_host_by_host(
+        &self,
+        host: &str,
+    ) -> Result<Option<lapdev_db_entities::workspace_host::Model>> {
+        let model = lapdev_db_entities::workspace_host::Entity::find()
+            .filter(lapdev_db_entities::workspace_host::Column::Host.eq(host))
+            .filter(lapdev_db_entities::workspace_host::Column::DeletedAt.is_null())
+            .one(&self.conn)
+            .await?;
+        Ok(model)
+    }
+
+    pub async fn get_workspace_host_with_lock(
+        &self,
+        txn: &DatabaseTransaction,
+        id: Uuid,
+    ) -> Result<Option<lapdev_db_entities::workspace_host::Model>> {
+        let model = lapdev_db_entities::workspace_host::Entity::find()
+            .filter(lapdev_db_entities::workspace_host::Column::Id.eq(id))
+            .filter(lapdev_db_entities::workspace_host::Column::DeletedAt.is_null())
+            .lock_exclusive()
+            .one(txn)
+            .await?;
+        Ok(model)
+    }
+
+    pub async fn get_machine_type(
+        &self,
+        id: Uuid,
+    ) -> Result<Option<lapdev_db_entities::machine_type::Model>> {
+        let model = lapdev_db_entities::machine_type::Entity::find_by_id(id)
+            .one(&self.conn)
+            .await?;
+        Ok(model)
+    }
+
+    pub async fn get_all_machine_types(
+        &self,
+    ) -> Result<Vec<lapdev_db_entities::machine_type::Model>> {
+        let models = lapdev_db_entities::machine_type::Entity::find()
+            .filter(lapdev_db_entities::machine_type::Column::DeletedAt.is_null())
+            .order_by_desc(lapdev_db_entities::machine_type::Column::Shared)
+            .order_by_asc(lapdev_db_entities::machine_type::Column::Cpu)
+            .all(&self.conn)
+            .await?;
+        Ok(models)
+    }
+
+    // Kubernetes cluster operations
+    pub async fn create_kube_cluster(
+        &self,
+        cluster_id: Uuid,
+        org_id: Uuid,
+        user_id: Uuid,
+        name: String,
+        status: String,
+    ) -> Result<lapdev_db_entities::kube_cluster::Model> {
+        let cluster = lapdev_db_entities::kube_cluster::ActiveModel {
+            id: ActiveValue::Set(cluster_id),
+            created_at: ActiveValue::Set(Utc::now().into()),
+            name: ActiveValue::Set(name),
+            cluster_version: ActiveValue::Set(None),
+            status: ActiveValue::Set(status),
+            provider: ActiveValue::Set(None),
+            region: ActiveValue::Set(None),
+            manager_namespace: ActiveValue::Set(None),
+            created_by: ActiveValue::Set(user_id),
+            organization_id: ActiveValue::Set(org_id),
+            deleted_at: ActiveValue::Set(None),
+            last_reported_at: ActiveValue::Set(None),
+            can_deploy_personal: ActiveValue::Set(true),
+            can_deploy_shared: ActiveValue::Set(true),
+        }
+        .insert(&self.conn)
+        .await?;
+        Ok(cluster)
+    }
+
+    pub async fn create_kube_cluster_token(
+        &self,
+        cluster_id: Uuid,
+        user_id: Uuid,
+        name: String,
+        token_hash: Vec<u8>,
+    ) -> Result<lapdev_db_entities::kube_cluster_token::Model> {
+        let token = lapdev_db_entities::kube_cluster_token::ActiveModel {
+            id: ActiveValue::Set(Uuid::new_v4()),
+            created_at: ActiveValue::Set(Utc::now().into()),
+            deleted_at: ActiveValue::Set(None),
+            last_used_at: ActiveValue::Set(None),
+            cluster_id: ActiveValue::Set(cluster_id),
+            created_by: ActiveValue::Set(user_id),
+            name: ActiveValue::Set(name),
+            token: ActiveValue::Set(token_hash),
+        }
+        .insert(&self.conn)
+        .await?;
+        Ok(token)
+    }
+
+    pub async fn delete_kube_cluster(&self, cluster_id: Uuid) -> Result<()> {
+        lapdev_db_entities::kube_cluster::ActiveModel {
+            id: ActiveValue::Set(cluster_id),
+            deleted_at: ActiveValue::Set(Some(Utc::now().into())),
+            ..Default::default()
+        }
+        .update(&self.conn)
+        .await?;
+        Ok(())
+    }
+
+    pub async fn check_kube_cluster_has_app_catalogs(&self, cluster_id: Uuid) -> Result<bool> {
+        let has_catalogs = lapdev_db_entities::kube_app_catalog::Entity::find()
+            .filter(lapdev_db_entities::kube_app_catalog::Column::ClusterId.eq(cluster_id))
+            .filter(lapdev_db_entities::kube_app_catalog::Column::DeletedAt.is_null())
+            .one(&self.conn)
+            .await?
+            .is_some();
+        Ok(has_catalogs)
+    }
+
+    pub async fn check_kube_cluster_has_environments(&self, cluster_id: Uuid) -> Result<bool> {
+        let has_environments = lapdev_db_entities::kube_environment::Entity::find()
+            .filter(lapdev_db_entities::kube_environment::Column::ClusterId.eq(cluster_id))
+            .filter(lapdev_db_entities::kube_environment::Column::DeletedAt.is_null())
+            .one(&self.conn)
+            .await?
+            .is_some();
+        Ok(has_environments)
+    }
+
+    pub async fn set_cluster_deployable(
+        &self,
+        cluster_id: Uuid,
+        can_deploy_personal: bool,
+        can_deploy_shared: bool,
+    ) -> Result<lapdev_db_entities::kube_cluster::Model> {
+        let active_model = lapdev_db_entities::kube_cluster::ActiveModel {
+            id: ActiveValue::Set(cluster_id),
+            can_deploy_personal: ActiveValue::Set(can_deploy_personal),
+            can_deploy_shared: ActiveValue::Set(can_deploy_shared),
+            ..Default::default()
+        };
+        let updated = active_model.update(&self.conn).await?;
+        Ok(updated)
+    }
+
+    pub async fn get_active_cluster_services(
+        &self,
+        cluster_id: Uuid,
+        namespace: &str,
+    ) -> Result<Vec<CachedClusterService>> {
+        let services = kube_cluster_service::Entity::find()
+            .filter(kube_cluster_service::Column::ClusterId.eq(cluster_id))
+            .filter(kube_cluster_service::Column::Namespace.eq(namespace))
+            .filter(kube_cluster_service::Column::DeletedAt.is_null())
+            .all(&self.conn)
+            .await?;
+
+        let mut results = Vec::with_capacity(services.len());
+        for svc in services {
+            let selector: BTreeMap<String, String> =
+                serde_json::from_value(svc.selector.clone()).unwrap_or_default();
+            let ports_raw: Vec<StoredServicePort> =
+                serde_json::from_value(svc.ports.clone()).unwrap_or_default();
+            let ports = ports_raw
+                .into_iter()
+                .filter_map(StoredServicePort::into_service_port)
+                .collect();
+
+            results.push(CachedClusterService {
+                name: svc.name,
+                selector,
+                ports,
+                service_yaml: svc.service_yaml,
+            });
+        }
+
+        Ok(results)
+    }
+
+    pub async fn upsert_cluster_service(
+        &self,
+        cluster_id: Uuid,
+        namespace: &str,
+        name: &str,
+        resource_version: &str,
+        service_yaml: String,
+        selector: serde_json::Value,
+        ports: serde_json::Value,
+        service_type: Option<String>,
+        cluster_ip: Option<String>,
+        observed_at: chrono::DateTime<chrono::Utc>,
+    ) -> Result<Uuid> {
+        let observed = observed_at.into();
+        let selector_map: BTreeMap<String, String> =
+            serde_json::from_value(selector.clone()).unwrap_or_default();
+        let selector_json = Json::from(selector);
+        let ports_json = Json::from(ports);
+
+        let existing = kube_cluster_service::Entity::find()
+            .filter(kube_cluster_service::Column::ClusterId.eq(cluster_id))
+            .filter(kube_cluster_service::Column::Namespace.eq(namespace))
+            .filter(kube_cluster_service::Column::Name.eq(name))
+            .one(&self.conn)
+            .await?;
+
+        if let Some(model) = existing {
+            let same_resource_version = model.resource_version == resource_version;
+            let mut active: kube_cluster_service::ActiveModel = model.into();
+            if !same_resource_version {
+                active.resource_version = ActiveValue::Set(resource_version.to_string());
+            }
+            active.service_yaml = ActiveValue::Set(service_yaml);
+            active.selector = ActiveValue::Set(selector_json);
+            active.ports = ActiveValue::Set(ports_json);
+            active.service_type = ActiveValue::Set(service_type);
+            active.cluster_ip = ActiveValue::Set(cluster_ip);
+            active.updated_at = ActiveValue::Set(observed);
+            active.last_observed_at = ActiveValue::Set(observed);
+            active.deleted_at = ActiveValue::Set(None);
+
+            let updated = active.update(&self.conn).await?;
+            self.replace_service_selectors(
+                updated.id,
+                cluster_id,
+                namespace,
+                &selector_map,
+                observed,
+            )
+            .await?;
+            Ok(updated.id)
+        } else {
+            let new_id = Uuid::new_v4();
+            let active = kube_cluster_service::ActiveModel {
+                id: ActiveValue::Set(new_id),
+                created_at: ActiveValue::Set(observed),
+                updated_at: ActiveValue::Set(observed),
+                deleted_at: ActiveValue::Set(None),
+                cluster_id: ActiveValue::Set(cluster_id),
+                namespace: ActiveValue::Set(namespace.to_string()),
+                name: ActiveValue::Set(name.to_string()),
+                resource_version: ActiveValue::Set(resource_version.to_string()),
+                service_yaml: ActiveValue::Set(service_yaml),
+                selector: ActiveValue::Set(selector_json),
+                ports: ActiveValue::Set(ports_json),
+                service_type: ActiveValue::Set(service_type),
+                cluster_ip: ActiveValue::Set(cluster_ip),
+                last_observed_at: ActiveValue::Set(observed),
+            };
+
+            active.insert(&self.conn).await?;
+            self.replace_service_selectors(new_id, cluster_id, namespace, &selector_map, observed)
+                .await?;
+            Ok(new_id)
+        }
+    }
+
+    pub async fn get_service_selector_map(
+        &self,
+        cluster_id: Uuid,
+        namespace: &str,
+        name: &str,
+    ) -> Result<Option<BTreeMap<String, String>>> {
+        let Some(model) = kube_cluster_service::Entity::find()
+            .filter(kube_cluster_service::Column::ClusterId.eq(cluster_id))
+            .filter(kube_cluster_service::Column::Namespace.eq(namespace))
+            .filter(kube_cluster_service::Column::Name.eq(name))
+            .one(&self.conn)
+            .await?
+        else {
+            return Ok(None);
+        };
+
+        let selector: BTreeMap<String, String> =
+            serde_json::from_value(model.selector.clone()).unwrap_or_default();
+
+        Ok(Some(selector))
+    }
+
+    pub async fn mark_cluster_service_deleted(
+        &self,
+        cluster_id: Uuid,
+        namespace: &str,
+        name: &str,
+        observed_at: chrono::DateTime<chrono::Utc>,
+    ) -> Result<()> {
+        let model = match kube_cluster_service::Entity::find()
+            .filter(kube_cluster_service::Column::ClusterId.eq(cluster_id))
+            .filter(kube_cluster_service::Column::Namespace.eq(namespace))
+            .filter(kube_cluster_service::Column::Name.eq(name))
+            .one(&self.conn)
+            .await?
+        {
+            Some(model) => model,
+            None => return Ok(()),
+        };
+
+        let observed = observed_at.into();
+        let service_id = model.id;
+        let mut active: kube_cluster_service::ActiveModel = model.into();
+        active.deleted_at = ActiveValue::Set(Some(observed));
+        active.updated_at = ActiveValue::Set(chrono::Utc::now().into());
+        active.last_observed_at = ActiveValue::Set(observed);
+        active.update(&self.conn).await?;
+        self.mark_service_selectors_deleted(service_id, observed)
+            .await?;
+        Ok(())
+    }
+
+    // App catalog operations
+    pub async fn create_app_catalog(
+        &self,
+        org_id: Uuid,
+        user_id: Uuid,
+        cluster_id: Uuid,
+        name: String,
+        description: Option<String>,
+        workloads: Vec<lapdev_common::kube::KubeAppCatalogWorkloadCreate>,
+    ) -> Result<Uuid> {
+        let txn = self.conn.begin().await?;
+
+        let catalog_id = Uuid::new_v4();
+        let now = Utc::now().into();
+
+        // Create the app catalog
+        lapdev_db_entities::kube_app_catalog::ActiveModel {
+            id: ActiveValue::Set(catalog_id),
+            created_at: ActiveValue::Set(now),
+            name: ActiveValue::Set(name),
+            description: ActiveValue::Set(description),
+            resources: ActiveValue::Set("".to_string()), // Keep empty for backward compatibility
+            cluster_id: ActiveValue::Set(cluster_id),
+            created_by: ActiveValue::Set(user_id),
+            organization_id: ActiveValue::Set(org_id),
+            deleted_at: ActiveValue::Set(None),
+            sync_version: ActiveValue::Set(0),
+            last_synced_at: ActiveValue::Set(None),
+            last_sync_actor_id: ActiveValue::Set(None),
+        }
+        .insert(&txn)
+        .await?;
+
+        // Insert individual workloads
+        self.insert_workloads_to_catalog(&txn, catalog_id, cluster_id, workloads, now)
+            .await?;
+
+        txn.commit().await?;
+        if let Ok(Some(catalog)) = self.get_app_catalog(catalog_id).await {
+            self.publish_app_catalog_status_event(&catalog).await;
+        }
+        Ok(catalog_id)
+    }
+
+    pub async fn create_app_catalog_with_enriched_workloads(
+        &self,
+        org_id: Uuid,
+        user_id: Uuid,
+        cluster_id: Uuid,
+        name: String,
+        description: Option<String>,
+        enriched_workloads: Vec<KubeWorkloadDetails>,
+    ) -> Result<Uuid> {
+        let txn = self.conn.begin().await?;
+
+        let catalog_id = Uuid::new_v4();
+        let now = Utc::now().into();
+
+        // Create the app catalog
+        lapdev_db_entities::kube_app_catalog::ActiveModel {
+            id: ActiveValue::Set(catalog_id),
+            created_at: ActiveValue::Set(now),
+            name: ActiveValue::Set(name),
+            description: ActiveValue::Set(description),
+            resources: ActiveValue::Set("".to_string()), // Keep empty for backward compatibility
+            cluster_id: ActiveValue::Set(cluster_id),
+            created_by: ActiveValue::Set(user_id),
+            organization_id: ActiveValue::Set(org_id),
+            deleted_at: ActiveValue::Set(None),
+            sync_version: ActiveValue::Set(0),
+            last_synced_at: ActiveValue::Set(None),
+            last_sync_actor_id: ActiveValue::Set(Some(user_id)),
+        }
+        .insert(&txn)
+        .await?;
+
+        // Insert enriched workloads
+        let _ = self
+            .insert_enriched_workloads_to_catalog(
+                &txn,
+                catalog_id,
+                cluster_id,
+                enriched_workloads,
+                now,
+            )
+            .await?;
+
+        txn.commit().await?;
+        if let Ok(Some(catalog)) = self.get_app_catalog(catalog_id).await {
+            self.publish_app_catalog_status_event(&catalog).await;
+        }
+        Ok(catalog_id)
+    }
+
+    pub async fn get_all_app_catalogs_paginated(
+        &self,
+        org_id: Uuid,
+        search: Option<String>,
+        pagination: Option<PagePaginationParams>,
+    ) -> Result<(
+        Vec<(
+            lapdev_db_entities::kube_app_catalog::Model,
+            Option<lapdev_db_entities::kube_cluster::Model>,
+        )>,
+        usize,
+    )> {
+        let pagination = pagination.unwrap_or_default();
+
+        // Build base query
+        let mut base_query = lapdev_db_entities::kube_app_catalog::Entity::find()
+            .filter(lapdev_db_entities::kube_app_catalog::Column::OrganizationId.eq(org_id))
+            .filter(lapdev_db_entities::kube_app_catalog::Column::DeletedAt.is_null());
+
+        if let Some(search_term) = search.as_ref().filter(|s| !s.trim().is_empty()) {
+            use sea_orm::sea_query::{extension::postgres::PgExpr, Expr, SimpleExpr};
+            let search_pattern = format!("%{}%", search_term.trim().to_lowercase());
+            base_query = base_query.filter(
+                SimpleExpr::FunctionCall(sea_orm::sea_query::Func::lower(Expr::col((
+                    lapdev_db_entities::kube_app_catalog::Entity,
+                    lapdev_db_entities::kube_app_catalog::Column::Name,
+                ))))
+                .ilike(&search_pattern),
+            );
+        }
+
+        // Get total count
+        let total_count = base_query.clone().count(&self.conn).await? as usize;
+
+        // Apply pagination
+        let offset = (pagination.page.saturating_sub(1)) * pagination.page_size;
+        let paginated_query = base_query
+            .limit(pagination.page_size as u64)
+            .offset(offset as u64)
+            .order_by_desc(lapdev_db_entities::kube_app_catalog::Column::OrganizationId)
+            .order_by_desc(lapdev_db_entities::kube_app_catalog::Column::DeletedAt)
+            .order_by_desc(lapdev_db_entities::kube_app_catalog::Column::CreatedAt);
+
+        let catalogs_with_clusters = paginated_query
+            .find_also_related(lapdev_db_entities::kube_cluster::Entity)
+            .all(&self.conn)
+            .await?;
+
+        Ok((catalogs_with_clusters, total_count))
+    }
+
+    pub async fn delete_app_catalog(&self, catalog_id: Uuid) -> Result<()> {
+        lapdev_db_entities::kube_app_catalog::ActiveModel {
+            id: ActiveValue::Set(catalog_id),
+            deleted_at: ActiveValue::Set(Some(Utc::now().into())),
+            ..Default::default()
+        }
+        .update(&self.conn)
+        .await?;
+        Ok(())
+    }
+
+    pub async fn get_app_catalog(
+        &self,
+        catalog_id: Uuid,
+    ) -> Result<Option<lapdev_db_entities::kube_app_catalog::Model>> {
+        let catalog = lapdev_db_entities::kube_app_catalog::Entity::find_by_id(catalog_id)
+            .filter(lapdev_db_entities::kube_app_catalog::Column::DeletedAt.is_null())
+            .one(&self.conn)
+            .await?;
+        Ok(catalog)
+    }
+
+    pub async fn get_app_catalog_workloads(
+        &self,
+        catalog_id: Uuid,
+    ) -> Result<Vec<KubeAppCatalogWorkload>> {
+        let workloads = lapdev_db_entities::kube_app_catalog_workload::Entity::find()
+            .filter(
+                lapdev_db_entities::kube_app_catalog_workload::Column::AppCatalogId.eq(catalog_id),
+            )
+            .filter(lapdev_db_entities::kube_app_catalog_workload::Column::DeletedAt.is_null())
+            .all(&self.conn)
+            .await?;
+
+        Ok(workloads
+            .into_iter()
+            .filter_map(|w| {
+                if w.workload_yaml.is_empty() {
+                    return None;
+                }
+
+                let containers = serde_json::from_value(w.containers.clone()).ok()?;
+                let ports: Vec<lapdev_common::kube::KubeServicePort> =
+                    serde_json::from_value(w.ports.clone()).unwrap_or_default();
+
+                Some(KubeAppCatalogWorkload {
+                    id: w.id,
+                    name: w.name,
+                    namespace: w.namespace,
+                    kind: w
+                        .kind
+                        .parse()
+                        .unwrap_or(lapdev_common::kube::KubeWorkloadKind::Deployment),
+                    containers,
+                    ports,
+                    workload_yaml: w.workload_yaml,
+                    catalog_sync_version: w.catalog_sync_version,
+                })
+            })
+            .collect())
+    }
+
+    pub async fn get_app_catalog_workload(
+        &self,
+        workload_id: Uuid,
+    ) -> Result<Option<lapdev_db_entities::kube_app_catalog_workload::Model>> {
+        let workload =
+            lapdev_db_entities::kube_app_catalog_workload::Entity::find_by_id(workload_id)
+                .filter(lapdev_db_entities::kube_app_catalog_workload::Column::DeletedAt.is_null())
+                .one(&self.conn)
+                .await?;
+        Ok(workload)
+    }
+
+    pub async fn get_cluster_catalog_namespaces(&self, cluster_id: Uuid) -> Result<Vec<String>> {
+        let namespaces = kube_app_catalog_workload::Entity::find()
+            .filter(kube_app_catalog_workload::Column::ClusterId.eq(cluster_id))
+            .filter(kube_app_catalog_workload::Column::DeletedAt.is_null())
+            .select_only()
+            .column(kube_app_catalog_workload::Column::Namespace)
+            .distinct()
+            .into_tuple::<String>()
+            .all(&self.conn)
+            .await?;
+
+        Ok(namespaces)
+    }
+
+    pub async fn get_cluster_environment_namespaces(
+        &self,
+        cluster_id: Uuid,
+    ) -> Result<Vec<String>> {
+        let namespaces = lapdev_db_entities::kube_environment::Entity::find()
+            .filter(lapdev_db_entities::kube_environment::Column::ClusterId.eq(cluster_id))
+            .filter(lapdev_db_entities::kube_environment::Column::DeletedAt.is_null())
+            .select_only()
+            .column(lapdev_db_entities::kube_environment::Column::Namespace)
+            .distinct()
+            .into_tuple::<String>()
+            .all(&self.conn)
+            .await?;
+
+        Ok(namespaces)
+    }
+
+    pub async fn get_cluster_watch_namespaces(&self, cluster_id: Uuid) -> Result<Vec<String>> {
+        let mut namespaces: BTreeSet<String> = BTreeSet::new();
+        namespaces.extend(self.get_cluster_catalog_namespaces(cluster_id).await?);
+        namespaces.extend(self.get_cluster_environment_namespaces(cluster_id).await?);
+        Ok(namespaces.into_iter().collect())
+    }
+
+    pub async fn delete_app_catalog_workload(&self, workload_id: Uuid) -> Result<()> {
+        lapdev_db_entities::kube_app_catalog_workload::ActiveModel {
+            id: ActiveValue::Set(workload_id),
+            deleted_at: ActiveValue::Set(Some(Utc::now().into())),
+            ..Default::default()
+        }
+        .update(&self.conn)
+        .await?;
+        Ok(())
+    }
+
+    pub async fn bump_app_catalog_sync_version(
+        &self,
+        catalog_id: Uuid,
+        synced_at: DateTimeWithTimeZone,
+    ) -> Result<i64> {
+        let updated = lapdev_db_entities::kube_app_catalog::Entity::update_many()
+            .filter(lapdev_db_entities::kube_app_catalog::Column::Id.eq(catalog_id))
+            .filter(lapdev_db_entities::kube_app_catalog::Column::DeletedAt.is_null())
+            .col_expr(
+                lapdev_db_entities::kube_app_catalog::Column::SyncVersion,
+                Expr::col(lapdev_db_entities::kube_app_catalog::Column::SyncVersion).add(1),
+            )
+            .col_expr(
+                lapdev_db_entities::kube_app_catalog::Column::LastSyncedAt,
+                Expr::value(synced_at),
+            )
+            .exec_with_returning(&self.conn)
+            .await?;
+
+        if let Some(model) = updated.into_iter().next() {
+            self.publish_app_catalog_status_event(&model).await;
+            Ok(model.sync_version)
+        } else {
+            Err(anyhow!(
+                "App catalog {} not found or already deleted",
+                catalog_id
+            ))
+        }
+    }
+
+    pub async fn update_app_catalog_workload(
+        &self,
+        workload_id: Uuid,
+        containers: Vec<lapdev_common::kube::KubeContainerInfo>,
+    ) -> Result<()> {
+        let containers_json = serde_json::to_value(containers)?;
+        lapdev_db_entities::kube_app_catalog_workload::ActiveModel {
+            id: ActiveValue::Set(workload_id),
+            containers: ActiveValue::Set(containers_json),
+            ..Default::default()
+        }
+        .update(&self.conn)
+        .await?;
+        Ok(())
+    }
+
+    pub async fn check_app_catalog_has_environments(&self, catalog_id: Uuid) -> Result<bool> {
+        let has_environments = lapdev_db_entities::kube_environment::Entity::find()
+            .filter(lapdev_db_entities::kube_environment::Column::AppCatalogId.eq(catalog_id))
+            .filter(lapdev_db_entities::kube_environment::Column::DeletedAt.is_null())
+            .one(&self.conn)
+            .await?
+            .is_some();
+        Ok(has_environments)
+    }
+
+    // Environment operations
+    pub async fn check_environment_has_branches(&self, environment_id: Uuid) -> Result<bool> {
+        let has_branches = lapdev_db_entities::kube_environment::Entity::find()
+            .filter(
+                lapdev_db_entities::kube_environment::Column::BaseEnvironmentId.eq(environment_id),
+            )
+            .filter(lapdev_db_entities::kube_environment::Column::DeletedAt.is_null())
+            .one(&self.conn)
+            .await?
+            .is_some();
+        Ok(has_branches)
+    }
+    pub async fn get_all_kube_environments_paginated(
+        &self,
+        org_id: Uuid,
+        user_id: Uuid,
+        search: Option<String>,
+        is_shared: bool,
+        is_branch: bool,
+        pagination: Option<PagePaginationParams>,
+    ) -> Result<(
+        Vec<(
+            lapdev_db_entities::kube_environment::Model,
+            Option<lapdev_db_entities::kube_app_catalog::Model>,
+            Option<lapdev_db_entities::kube_cluster::Model>,
+            Option<String>,               // base_environment_name
+            Option<i64>,                  // base_environment_catalog_sync_version
+            Option<DateTimeWithTimeZone>, // base_environment_last_synced_at
+        )>,
+        usize,
+    )> {
+        let pagination = pagination.unwrap_or_default();
+
+        // Build base query - filter by shared status and ownership
+        let mut base_query = lapdev_db_entities::kube_environment::Entity::find()
+            .filter(lapdev_db_entities::kube_environment::Column::OrganizationId.eq(org_id))
+            .filter(lapdev_db_entities::kube_environment::Column::IsShared.eq(is_shared))
+            .filter(lapdev_db_entities::kube_environment::Column::DeletedAt.is_null());
+
+        // Filter by branch environment
+        match is_branch {
+            true => {
+                // Return only branch environments
+                base_query = base_query.filter(
+                    lapdev_db_entities::kube_environment::Column::BaseEnvironmentId.is_not_null(),
+                );
+            }
+            false => {
+                // Return only regular environments
+                base_query = base_query.filter(
+                    lapdev_db_entities::kube_environment::Column::BaseEnvironmentId.is_null(),
+                );
+            }
+        }
+
+        // For personal environments, only show user's own environments
+        if !is_shared {
+            base_query =
+                base_query.filter(lapdev_db_entities::kube_environment::Column::UserId.eq(user_id));
+        }
+
+        if let Some(search_term) = search.as_ref().filter(|s| !s.trim().is_empty()) {
+            use sea_orm::sea_query::{extension::postgres::PgExpr, Expr, SimpleExpr};
+            let search_pattern = format!("%{}%", search_term.trim().to_lowercase());
+            base_query = base_query.filter(
+                SimpleExpr::FunctionCall(sea_orm::sea_query::Func::lower(Expr::col((
+                    lapdev_db_entities::kube_environment::Entity,
+                    lapdev_db_entities::kube_environment::Column::Name,
+                ))))
+                .ilike(&search_pattern),
+            );
+        }
+
+        // Get total count
+        let total_count = base_query.clone().count(&self.conn).await? as usize;
+
+        // Apply pagination
+        let offset = (pagination.page.saturating_sub(1)) * pagination.page_size;
+        let paginated_query = base_query
+            .limit(pagination.page_size as u64)
+            .offset(offset as u64)
+            .order_by_desc(lapdev_db_entities::kube_environment::Column::OrganizationId)
+            .order_by_desc(lapdev_db_entities::kube_environment::Column::UserId)
+            .order_by_desc(lapdev_db_entities::kube_environment::Column::DeletedAt)
+            .order_by_desc(lapdev_db_entities::kube_environment::Column::CreatedAt);
+
+        let environments_with_related: Vec<KubeEnvironmentWithRelated> = paginated_query
+            .select_only()
+            // Select environment columns with aliases
+            .column_as(lapdev_db_entities::kube_environment::Column::Id, "env_id")
+            .column_as(
+                lapdev_db_entities::kube_environment::Column::Name,
+                "env_name",
+            )
+            .column_as(
+                lapdev_db_entities::kube_environment::Column::Namespace,
+                "env_namespace",
+            )
+            .column_as(
+                lapdev_db_entities::kube_environment::Column::AppCatalogId,
+                "env_app_catalog_id",
+            )
+            .column_as(
+                lapdev_db_entities::kube_environment::Column::ClusterId,
+                "env_cluster_id",
+            )
+            .column_as(
+                lapdev_db_entities::kube_environment::Column::Status,
+                "env_status",
+            )
+            .column_as(
+                lapdev_db_entities::kube_environment::Column::CreatedAt,
+                "env_created_at",
+            )
+            .column_as(
+                lapdev_db_entities::kube_environment::Column::IsShared,
+                "env_is_shared",
+            )
+            .column_as(
+                lapdev_db_entities::kube_environment::Column::CatalogSyncVersion,
+                "env_catalog_sync_version",
+            )
+            .column_as(
+                lapdev_db_entities::kube_environment::Column::LastCatalogSyncedAt,
+                "env_last_catalog_synced_at",
+            )
+            .column_as(
+                lapdev_db_entities::kube_environment::Column::PausedAt,
+                "env_paused_at",
+            )
+            .column_as(
+                lapdev_db_entities::kube_environment::Column::ResumedAt,
+                "env_resumed_at",
+            )
+            .column_as(
+                lapdev_db_entities::kube_environment::Column::OrganizationId,
+                "env_organization_id",
+            )
+            .column_as(
+                lapdev_db_entities::kube_environment::Column::UserId,
+                "env_user_id",
+            )
+            .column_as(
+                lapdev_db_entities::kube_environment::Column::DeletedAt,
+                "env_deleted_at",
+            )
+            .column_as(
+                lapdev_db_entities::kube_environment::Column::BaseEnvironmentId,
+                "env_base_environment_id",
+            )
+            .column_as(
+                lapdev_db_entities::kube_environment::Column::AuthToken,
+                "env_auth_token",
+            )
+            .column_as(
+                lapdev_db_entities::kube_environment::Column::SyncStatus,
+                "env_sync_status",
+            )
+            // Join and select app catalog columns
+            .join(
+                JoinType::LeftJoin,
+                lapdev_db_entities::kube_environment::Relation::KubeAppCatalog.def(),
+            )
+            .column_as(
+                lapdev_db_entities::kube_app_catalog::Column::Name,
+                "catalog_name",
+            )
+            .column_as(
+                lapdev_db_entities::kube_app_catalog::Column::Description,
+                "catalog_description",
+            )
+            .column_as(
+                lapdev_db_entities::kube_app_catalog::Column::SyncVersion,
+                "catalog_sync_version",
+            )
+            .column_as(
+                lapdev_db_entities::kube_app_catalog::Column::LastSyncedAt,
+                "catalog_last_synced_at",
+            )
+            .column_as(
+                lapdev_db_entities::kube_app_catalog::Column::LastSyncActorId,
+                "catalog_last_sync_actor_id",
+            )
+            // Join and select cluster columns
+            .join(
+                JoinType::LeftJoin,
+                lapdev_db_entities::kube_environment::Relation::KubeCluster.def(),
+            )
+            .column_as(
+                lapdev_db_entities::kube_cluster::Column::Name,
+                "cluster_name",
+            )
+            // Join with base environment (self-referencing join)
+            .join_as(
+                JoinType::LeftJoin,
+                lapdev_db_entities::kube_environment::Relation::SelfRef.def(),
+                Alias::new("base_env"),
+            )
+            .expr_as(
+                Expr::col((
+                    Alias::new("base_env"),
+                    lapdev_db_entities::kube_environment::Column::Name,
+                )),
+                "base_environment_name",
+            )
+            .expr_as(
+                Expr::col((
+                    Alias::new("base_env"),
+                    lapdev_db_entities::kube_environment::Column::CatalogSyncVersion,
+                )),
+                "base_environment_catalog_sync_version",
+            )
+            .expr_as(
+                Expr::col((
+                    Alias::new("base_env"),
+                    lapdev_db_entities::kube_environment::Column::LastCatalogSyncedAt,
+                )),
+                "base_environment_last_synced_at",
+            )
+            .expr_as(
+                Expr::col((
+                    Alias::new("base_env"),
+                    lapdev_db_entities::kube_environment::Column::CatalogSyncVersion,
+                )),
+                "base_environment_catalog_sync_version",
+            )
+            .expr_as(
+                Expr::col((
+                    Alias::new("base_env"),
+                    lapdev_db_entities::kube_environment::Column::LastCatalogSyncedAt,
+                )),
+                "base_environment_last_synced_at",
+            )
+            .expr_as(
+                Expr::col((
+                    Alias::new("base_env"),
+                    lapdev_db_entities::kube_environment::Column::CatalogSyncVersion,
+                )),
+                "base_environment_catalog_sync_version",
+            )
+            .expr_as(
+                Expr::col((
+                    Alias::new("base_env"),
+                    lapdev_db_entities::kube_environment::Column::LastCatalogSyncedAt,
+                )),
+                "base_environment_last_synced_at",
+            )
+            .into_model::<KubeEnvironmentWithRelated>()
+            .all(&self.conn)
+            .await?;
+
+        // Transform the result to match the expected tuple structure
+        let environments_with_catalogs_and_clusters = environments_with_related
+            .into_iter()
+            .map(|related| {
+                let env = lapdev_db_entities::kube_environment::Model {
+                    id: related.env_id,
+                    created_at: related.env_created_at,
+                    deleted_at: related.env_deleted_at,
+                    organization_id: related.env_organization_id,
+                    user_id: related.env_user_id,
+                    app_catalog_id: related.env_app_catalog_id,
+                    cluster_id: related.env_cluster_id,
+                    name: related.env_name,
+                    namespace: related.env_namespace,
+                    status: related.env_status,
+                    is_shared: related.env_is_shared,
+                    catalog_sync_version: related.env_catalog_sync_version,
+                    last_catalog_synced_at: related.env_last_catalog_synced_at,
+                    paused_at: related.env_paused_at,
+                    resumed_at: related.env_resumed_at,
+                    sync_status: related.env_sync_status.clone(),
+                    base_environment_id: related.env_base_environment_id,
+                    auth_token: related.env_auth_token,
+                };
+
+                let catalog =
+                    related
+                        .catalog_name
+                        .map(|name| lapdev_db_entities::kube_app_catalog::Model {
+                            id: related.env_app_catalog_id,
+                            name,
+                            description: related.catalog_description,
+                            resources: String::new(),
+                            cluster_id: related.env_cluster_id,
+                            created_at: related.env_created_at,
+                            created_by: related.env_user_id,
+                            organization_id: related.env_organization_id,
+                            deleted_at: None,
+                            sync_version: related.catalog_sync_version.unwrap_or(0),
+                            last_synced_at: related.catalog_last_synced_at,
+                            last_sync_actor_id: related.catalog_last_sync_actor_id,
+                        });
+
+                let cluster =
+                    related
+                        .cluster_name
+                        .map(|name| lapdev_db_entities::kube_cluster::Model {
+                            id: related.env_cluster_id,
+                            name,
+                            cluster_version: None,
+                            status: "Not Ready".to_string(),
+                            provider: None,
+                            region: None,
+                            manager_namespace: None,
+                            created_at: related.env_created_at,
+                            created_by: related.env_user_id,
+                            organization_id: related.env_organization_id,
+                            deleted_at: None,
+                            last_reported_at: None,
+                            can_deploy_personal: true,
+                            can_deploy_shared: true,
+                        });
+
+                (
+                    env,
+                    catalog,
+                    cluster,
+                    related.base_environment_name,
+                    related.base_environment_catalog_sync_version,
+                    related.base_environment_last_synced_at,
+                )
+            })
+            .collect();
+
+        Ok((environments_with_catalogs_and_clusters, total_count))
+    }
+
+    pub async fn get_environment_dashboard_summary(
+        &self,
+        org_id: Uuid,
+        user_id: Uuid,
+        recent_limit: usize,
+    ) -> Result<KubeEnvironmentDashboardSummary> {
+        let limited_recent = recent_limit.max(1).min(25) as u64;
+
+        // Counts by environment type
+        let personal_count = lapdev_db_entities::kube_environment::Entity::find()
+            .filter(lapdev_db_entities::kube_environment::Column::OrganizationId.eq(org_id))
+            .filter(lapdev_db_entities::kube_environment::Column::DeletedAt.is_null())
+            .filter(lapdev_db_entities::kube_environment::Column::IsShared.eq(false))
+            .filter(lapdev_db_entities::kube_environment::Column::BaseEnvironmentId.is_null())
+            .filter(lapdev_db_entities::kube_environment::Column::UserId.eq(user_id))
+            .count(&self.conn)
+            .await? as usize;
+
+        let shared_count = lapdev_db_entities::kube_environment::Entity::find()
+            .filter(lapdev_db_entities::kube_environment::Column::OrganizationId.eq(org_id))
+            .filter(lapdev_db_entities::kube_environment::Column::DeletedAt.is_null())
+            .filter(lapdev_db_entities::kube_environment::Column::IsShared.eq(true))
+            .filter(lapdev_db_entities::kube_environment::Column::BaseEnvironmentId.is_null())
+            .count(&self.conn)
+            .await? as usize;
+
+        let branch_access = Condition::all()
+            .add(lapdev_db_entities::kube_environment::Column::OrganizationId.eq(org_id))
+            .add(lapdev_db_entities::kube_environment::Column::DeletedAt.is_null())
+            .add(lapdev_db_entities::kube_environment::Column::BaseEnvironmentId.is_not_null())
+            .add(
+                Condition::any()
+                    .add(lapdev_db_entities::kube_environment::Column::IsShared.eq(true))
+                    .add(lapdev_db_entities::kube_environment::Column::UserId.eq(user_id)),
+            );
+
+        let branch_count = lapdev_db_entities::kube_environment::Entity::find()
+            .filter(branch_access.clone())
+            .count(&self.conn)
+            .await? as usize;
+
+        // Accessible environments condition (used for status breakdown & recent list)
+        let accessible_condition = Condition::all()
+            .add(lapdev_db_entities::kube_environment::Column::OrganizationId.eq(org_id))
+            .add(lapdev_db_entities::kube_environment::Column::DeletedAt.is_null())
+            .add(
+                Condition::any()
+                    .add(
+                        Condition::all()
+                            .add(lapdev_db_entities::kube_environment::Column::IsShared.eq(false))
+                            .add(
+                                lapdev_db_entities::kube_environment::Column::BaseEnvironmentId
+                                    .is_null(),
+                            )
+                            .add(lapdev_db_entities::kube_environment::Column::UserId.eq(user_id)),
+                    )
+                    .add(lapdev_db_entities::kube_environment::Column::IsShared.eq(true))
+                    .add(
+                        Condition::all()
+                            .add(
+                                lapdev_db_entities::kube_environment::Column::BaseEnvironmentId
+                                    .is_not_null(),
+                            )
+                            .add(lapdev_db_entities::kube_environment::Column::UserId.eq(user_id)),
+                    ),
+            );
+
+        let status_counts_raw: Vec<StatusCountRow> =
+            lapdev_db_entities::kube_environment::Entity::find()
+                .select_only()
+                .column(lapdev_db_entities::kube_environment::Column::Status)
+                .column_as(
+                    Expr::col((
+                        lapdev_db_entities::kube_environment::Entity,
+                        lapdev_db_entities::kube_environment::Column::Id,
+                    ))
+                    .count(),
+                    "count",
+                )
+                .filter(accessible_condition.clone())
+                .group_by(lapdev_db_entities::kube_environment::Column::Status)
+                .into_model::<StatusCountRow>()
+                .all(&self.conn)
+                .await?;
+
+        let mut status_breakdown: Vec<KubeEnvironmentStatusCount> = status_counts_raw
+            .into_iter()
+            .filter_map(|row| {
+                KubeEnvironmentStatus::from_str(&row.status)
+                    .ok()
+                    .map(|status| KubeEnvironmentStatusCount {
+                        status,
+                        count: row.count as usize,
+                    })
+            })
+            .collect();
+        status_breakdown.sort_by(|a, b| b.count.cmp(&a.count));
+
+        let recent_query = lapdev_db_entities::kube_environment::Entity::find()
+            .filter(accessible_condition)
+            .order_by_desc(lapdev_db_entities::kube_environment::Column::ResumedAt)
+            .order_by_desc(lapdev_db_entities::kube_environment::Column::LastCatalogSyncedAt)
+            .order_by_desc(lapdev_db_entities::kube_environment::Column::PausedAt)
+            .order_by_desc(lapdev_db_entities::kube_environment::Column::CreatedAt)
+            .limit(limited_recent);
+
+        let recent_with_related: Vec<KubeEnvironmentWithRelated> = recent_query
+            .select_only()
+            .column_as(lapdev_db_entities::kube_environment::Column::Id, "env_id")
+            .column_as(
+                lapdev_db_entities::kube_environment::Column::Name,
+                "env_name",
+            )
+            .column_as(
+                lapdev_db_entities::kube_environment::Column::Namespace,
+                "env_namespace",
+            )
+            .column_as(
+                lapdev_db_entities::kube_environment::Column::AppCatalogId,
+                "env_app_catalog_id",
+            )
+            .column_as(
+                lapdev_db_entities::kube_environment::Column::ClusterId,
+                "env_cluster_id",
+            )
+            .column_as(
+                lapdev_db_entities::kube_environment::Column::Status,
+                "env_status",
+            )
+            .column_as(
+                lapdev_db_entities::kube_environment::Column::CreatedAt,
+                "env_created_at",
+            )
+            .column_as(
+                lapdev_db_entities::kube_environment::Column::IsShared,
+                "env_is_shared",
+            )
+            .column_as(
+                lapdev_db_entities::kube_environment::Column::OrganizationId,
+                "env_organization_id",
+            )
+            .column_as(
+                lapdev_db_entities::kube_environment::Column::UserId,
+                "env_user_id",
+            )
+            .column_as(
+                lapdev_db_entities::kube_environment::Column::DeletedAt,
+                "env_deleted_at",
+            )
+            .column_as(
+                lapdev_db_entities::kube_environment::Column::BaseEnvironmentId,
+                "env_base_environment_id",
+            )
+            .column_as(
+                lapdev_db_entities::kube_environment::Column::AuthToken,
+                "env_auth_token",
+            )
+            .column_as(
+                lapdev_db_entities::kube_environment::Column::CatalogSyncVersion,
+                "env_catalog_sync_version",
+            )
+            .column_as(
+                lapdev_db_entities::kube_environment::Column::LastCatalogSyncedAt,
+                "env_last_catalog_synced_at",
+            )
+            .column_as(
+                lapdev_db_entities::kube_environment::Column::PausedAt,
+                "env_paused_at",
+            )
+            .column_as(
+                lapdev_db_entities::kube_environment::Column::ResumedAt,
+                "env_resumed_at",
+            )
+            .column_as(
+                lapdev_db_entities::kube_environment::Column::SyncStatus,
+                "env_sync_status",
+            )
+            .join(
+                JoinType::LeftJoin,
+                lapdev_db_entities::kube_environment::Relation::KubeAppCatalog.def(),
+            )
+            .column_as(
+                lapdev_db_entities::kube_app_catalog::Column::Name,
+                "catalog_name",
+            )
+            .column_as(
+                lapdev_db_entities::kube_app_catalog::Column::Description,
+                "catalog_description",
+            )
+            .column_as(
+                lapdev_db_entities::kube_app_catalog::Column::SyncVersion,
+                "catalog_sync_version",
+            )
+            .column_as(
+                lapdev_db_entities::kube_app_catalog::Column::LastSyncedAt,
+                "catalog_last_synced_at",
+            )
+            .column_as(
+                lapdev_db_entities::kube_app_catalog::Column::LastSyncActorId,
+                "catalog_last_sync_actor_id",
+            )
+            .join(
+                JoinType::LeftJoin,
+                lapdev_db_entities::kube_environment::Relation::KubeCluster.def(),
+            )
+            .column_as(
+                lapdev_db_entities::kube_cluster::Column::Name,
+                "cluster_name",
+            )
+            .join_as(
+                JoinType::LeftJoin,
+                lapdev_db_entities::kube_environment::Relation::SelfRef.def(),
+                Alias::new("base_env"),
+            )
+            .expr_as(
+                Expr::col((
+                    Alias::new("base_env"),
+                    lapdev_db_entities::kube_environment::Column::Name,
+                )),
+                "base_environment_name",
+            )
+            .into_model::<KubeEnvironmentWithRelated>()
+            .all(&self.conn)
+            .await?;
+
+        let recent_environments = recent_with_related
+            .into_iter()
+            .filter_map(|related| {
+                let catalog_name = related.catalog_name?;
+                let cluster_name = related.cluster_name?;
+                let status = KubeEnvironmentStatus::from_str(&related.env_status)
+                    .unwrap_or(KubeEnvironmentStatus::Creating);
+                let sync_status = KubeEnvironmentSyncStatus::from_str(&related.env_sync_status)
+                    .unwrap_or(KubeEnvironmentSyncStatus::Idle);
+
+                let catalog_update_available = if related.env_base_environment_id.is_some() {
+                    related
+                        .base_environment_catalog_sync_version
+                        .map(|version| version > related.env_catalog_sync_version)
+                        .unwrap_or(false)
+                } else {
+                    related
+                        .catalog_sync_version
+                        .map(|catalog_version| catalog_version > related.env_catalog_sync_version)
+                        .unwrap_or(false)
+                };
+
+                Some(KubeEnvironment {
+                    id: related.env_id,
+                    user_id: related.env_user_id,
+                    name: related.env_name,
+                    namespace: related.env_namespace,
+                    app_catalog_id: related.env_app_catalog_id,
+                    app_catalog_name: catalog_name,
+                    cluster_id: related.env_cluster_id,
+                    cluster_name,
+                    status,
+                    created_at: related.env_created_at.to_string(),
+                    is_shared: related.env_is_shared,
+                    base_environment_id: related.env_base_environment_id,
+                    base_environment_name: related.base_environment_name.clone(),
+                    base_environment_catalog_sync_version: related
+                        .base_environment_catalog_sync_version,
+                    base_environment_last_catalog_synced_at: related
+                        .base_environment_last_synced_at
+                        .map(|dt| dt.to_string()),
+                    catalog_sync_version: related.env_catalog_sync_version,
+                    last_catalog_synced_at: related
+                        .env_last_catalog_synced_at
+                        .map(|dt| dt.to_string()),
+                    paused_at: related.env_paused_at.map(|dt| dt.to_string()),
+                    resumed_at: related.env_resumed_at.map(|dt| dt.to_string()),
+                    catalog_update_available,
+                    catalog_last_sync_actor_id: related.catalog_last_sync_actor_id,
+                    sync_status,
+                })
+            })
+            .collect::<Vec<_>>();
+
+        Ok(KubeEnvironmentDashboardSummary {
+            personal_count,
+            shared_count,
+            branch_count,
+            total_count: personal_count + shared_count + branch_count,
+            status_breakdown,
+            recent_environments,
+        })
+    }
+
+    pub async fn get_kube_environment(
+        &self,
+        environment_id: Uuid,
+    ) -> Result<Option<lapdev_db_entities::kube_environment::Model>, sea_orm::DbErr> {
+        lapdev_db_entities::kube_environment::Entity::find()
+            .filter(lapdev_db_entities::kube_environment::Column::Id.eq(environment_id))
+            .filter(lapdev_db_entities::kube_environment::Column::DeletedAt.is_null())
+            .one(&self.conn)
+            .await
+    }
+
+    pub async fn get_branch_environments(
+        &self,
+        base_environment_id: Uuid,
+    ) -> Result<Vec<lapdev_db_entities::kube_environment::Model>> {
+        let environments = lapdev_db_entities::kube_environment::Entity::find()
+            .filter(
+                lapdev_db_entities::kube_environment::Column::BaseEnvironmentId
+                    .eq(base_environment_id),
+            )
+            .filter(lapdev_db_entities::kube_environment::Column::DeletedAt.is_null())
+            .all(&self.conn)
+            .await?;
+        Ok(environments)
+    }
+
+    pub async fn delete_kube_environment(&self, environment_id: Uuid) -> Result<()> {
+        lapdev_db_entities::kube_environment::ActiveModel {
+            id: ActiveValue::Set(environment_id),
+            deleted_at: ActiveValue::Set(Some(Utc::now().into())),
+            ..Default::default()
+        }
+        .update(&self.conn)
+        .await?;
+        Ok(())
+    }
+
+    // Kube Namespace operations
+    pub async fn create_kube_namespace(
+        &self,
+        org_id: Uuid,
+        user_id: Uuid,
+        name: String,
+        description: Option<String>,
+        is_shared: bool,
+    ) -> Result<lapdev_db_entities::kube_namespace::Model> {
+        let namespace = lapdev_db_entities::kube_namespace::ActiveModel {
+            id: ActiveValue::Set(Uuid::new_v4()),
+            created_at: ActiveValue::Set(Utc::now().into()),
+            deleted_at: ActiveValue::Set(None),
+            organization_id: ActiveValue::Set(org_id),
+            user_id: ActiveValue::Set(user_id),
+            name: ActiveValue::Set(name),
+            description: ActiveValue::Set(description),
+            is_shared: ActiveValue::Set(is_shared),
+        }
+        .insert(&self.conn)
+        .await?;
+        Ok(namespace)
+    }
+
+    pub async fn get_all_kube_namespaces(
+        &self,
+        org_id: Uuid,
+        user_id: Uuid,
+        is_shared: bool,
+    ) -> Result<Vec<lapdev_db_entities::kube_namespace::Model>> {
+        let mut query = lapdev_db_entities::kube_namespace::Entity::find()
+            .filter(lapdev_db_entities::kube_namespace::Column::OrganizationId.eq(org_id))
+            .filter(lapdev_db_entities::kube_namespace::Column::IsShared.eq(is_shared))
+            .filter(lapdev_db_entities::kube_namespace::Column::DeletedAt.is_null());
+
+        // For personal namespaces, only show those created by the user
+        if !is_shared {
+            query = query.filter(lapdev_db_entities::kube_namespace::Column::UserId.eq(user_id));
+        }
+
+        let namespaces = query
+            .order_by_asc(lapdev_db_entities::kube_namespace::Column::Name)
+            .all(&self.conn)
+            .await?;
+        Ok(namespaces)
+    }
+
+    pub async fn get_kube_namespace(
+        &self,
+        namespace_id: Uuid,
+    ) -> Result<Option<lapdev_db_entities::kube_namespace::Model>> {
+        let namespace = lapdev_db_entities::kube_namespace::Entity::find_by_id(namespace_id)
+            .filter(lapdev_db_entities::kube_namespace::Column::DeletedAt.is_null())
+            .one(&self.conn)
+            .await?;
+        Ok(namespace)
+    }
+
+    pub async fn delete_kube_namespace(
+        &self,
+        namespace_id: Uuid,
+    ) -> Result<lapdev_db_entities::kube_namespace::Model> {
+        let namespace = lapdev_db_entities::kube_namespace::ActiveModel {
+            id: ActiveValue::Set(namespace_id),
+            deleted_at: ActiveValue::Set(Some(Utc::now().into())),
+            ..Default::default()
+        };
+        let updated = namespace.update(&self.conn).await?;
+        Ok(updated)
+    }
+
+    async fn insert_workloads_to_catalog(
+        &self,
+        txn: &sea_orm::DatabaseTransaction,
+        catalog_id: Uuid,
+        cluster_id: Uuid,
+        workloads: Vec<lapdev_common::kube::KubeAppCatalogWorkloadCreate>,
+        created_at: sea_orm::prelude::DateTimeWithTimeZone,
+    ) -> Result<(), sea_orm::DbErr> {
+        for workload in workloads {
+            lapdev_db_entities::kube_app_catalog_workload::ActiveModel {
+                id: ActiveValue::Set(Uuid::new_v4()),
+                created_at: ActiveValue::Set(created_at),
+                deleted_at: ActiveValue::Set(None),
+                app_catalog_id: ActiveValue::Set(catalog_id),
+                cluster_id: ActiveValue::Set(cluster_id),
+                name: ActiveValue::Set(workload.name.clone()),
+                namespace: ActiveValue::Set(workload.namespace.clone()),
+                kind: ActiveValue::Set(workload.kind.to_string()),
+                containers: ActiveValue::Set(Json::from(serde_json::json!([]))),
+                ports: ActiveValue::Set(Json::from(serde_json::json!([]))),
+                workload_yaml: ActiveValue::Set(String::new()),
+                catalog_sync_version: ActiveValue::Set(0),
+            }
+            .insert(txn)
+            .await?;
+        }
+        Ok(())
+    }
+
+    pub async fn insert_enriched_workloads_to_catalog(
+        &self,
+        txn: &sea_orm::DatabaseTransaction,
+        catalog_id: Uuid,
+        cluster_id: Uuid,
+        enriched_workloads: Vec<KubeWorkloadDetails>,
+        created_at: sea_orm::prelude::DateTimeWithTimeZone,
+    ) -> Result<Vec<Uuid>, sea_orm::DbErr> {
+        let mut inserted_ids = Vec::new();
+        for workload in enriched_workloads {
+            let KubeWorkloadDetails {
+                name,
+                namespace,
+                kind,
+                containers,
+                ports,
+                workload_yaml,
+                ..
+            } = workload;
+
+            let containers_json = serde_json::to_value(&containers)
+                .map(Json::from)
+                .unwrap_or_else(|_| Json::from(serde_json::json!([])));
+
+            let ports_json = serde_json::to_value(&ports)
+                .map(Json::from)
+                .unwrap_or_else(|_| Json::from(serde_json::json!([])));
+
+            let workload_id = Uuid::new_v4();
+            let labels = labels_from_workload_yaml(&kind, &workload_yaml);
+            let (configmap_refs, secret_refs) =
+                dependencies_from_workload_yaml(&kind, &workload_yaml);
+
+            lapdev_db_entities::kube_app_catalog_workload::ActiveModel {
+                id: ActiveValue::Set(workload_id),
+                created_at: ActiveValue::Set(created_at),
+                deleted_at: ActiveValue::Set(None),
+                app_catalog_id: ActiveValue::Set(catalog_id),
+                cluster_id: ActiveValue::Set(cluster_id),
+                name: ActiveValue::Set(name.clone()),
+                namespace: ActiveValue::Set(namespace.clone()),
+                kind: ActiveValue::Set(kind.to_string()),
+                containers: ActiveValue::Set(containers_json),
+                ports: ActiveValue::Set(ports_json),
+                workload_yaml: ActiveValue::Set(workload_yaml),
+                catalog_sync_version: ActiveValue::Set(0),
+            }
+            .insert(txn)
+            .await?;
+
+            self.replace_workload_labels_txn(
+                txn,
+                workload_id,
+                catalog_id,
+                cluster_id,
+                &namespace,
+                &labels,
+                created_at,
+            )
+            .await?;
+
+            self.replace_workload_dependencies_txn(
+                txn,
+                workload_id,
+                catalog_id,
+                cluster_id,
+                &namespace,
+                &configmap_refs,
+                &secret_refs,
+                created_at,
+            )
+            .await?;
+
+            inserted_ids.push(workload_id);
+        }
+        Ok(inserted_ids)
+    }
+
+    pub async fn replace_workload_labels_txn(
+        &self,
+        txn: &DatabaseTransaction,
+        workload_id: Uuid,
+        app_catalog_id: Uuid,
+        cluster_id: Uuid,
+        namespace: &str,
+        labels: &BTreeMap<String, String>,
+        timestamp: DateTimeWithTimeZone,
+    ) -> Result<(), sea_orm::DbErr> {
+        replace_workload_labels_with_conn(
+            txn,
+            workload_id,
+            app_catalog_id,
+            cluster_id,
+            namespace,
+            labels,
+            timestamp,
+        )
+        .await
+    }
+
+    pub async fn replace_workload_labels(
+        &self,
+        workload_id: Uuid,
+        app_catalog_id: Uuid,
+        cluster_id: Uuid,
+        namespace: &str,
+        labels: &BTreeMap<String, String>,
+        timestamp: DateTimeWithTimeZone,
+    ) -> Result<(), sea_orm::DbErr> {
+        replace_workload_labels_with_conn(
+            &self.conn,
+            workload_id,
+            app_catalog_id,
+            cluster_id,
+            namespace,
+            labels,
+            timestamp,
+        )
+        .await
+    }
+
+    pub async fn replace_workload_dependencies_txn(
+        &self,
+        txn: &DatabaseTransaction,
+        workload_id: Uuid,
+        app_catalog_id: Uuid,
+        cluster_id: Uuid,
+        namespace: &str,
+        configmaps: &BTreeSet<String>,
+        secrets: &BTreeSet<String>,
+        timestamp: DateTimeWithTimeZone,
+    ) -> Result<(), sea_orm::DbErr> {
+        replace_workload_dependencies_with_conn(
+            txn,
+            workload_id,
+            app_catalog_id,
+            cluster_id,
+            namespace,
+            configmaps,
+            secrets,
+            timestamp,
+        )
+        .await
+    }
+
+    pub async fn replace_workload_dependencies(
+        &self,
+        workload_id: Uuid,
+        app_catalog_id: Uuid,
+        cluster_id: Uuid,
+        namespace: &str,
+        configmaps: &BTreeSet<String>,
+        secrets: &BTreeSet<String>,
+        timestamp: DateTimeWithTimeZone,
+    ) -> Result<(), sea_orm::DbErr> {
+        replace_workload_dependencies_with_conn(
+            &self.conn,
+            workload_id,
+            app_catalog_id,
+            cluster_id,
+            namespace,
+            configmaps,
+            secrets,
+            timestamp,
+        )
+        .await
+    }
+
+    pub async fn find_workloads_matching_selector(
+        &self,
+        cluster_id: Uuid,
+        namespace: &str,
+        selector: &BTreeMap<String, String>,
+    ) -> Result<Vec<Uuid>> {
+        if selector.is_empty() {
+            return Ok(vec![]);
+        }
+
+        let mut condition = Condition::any();
+        for (key, value) in selector {
+            condition = condition.add(
+                Condition::all()
+                    .add(
+                        lapdev_db_entities::kube_app_catalog_workload_label::Column::LabelKey
+                            .eq(key.clone()),
+                    )
+                    .add(
+                        lapdev_db_entities::kube_app_catalog_workload_label::Column::LabelValue
+                            .eq(value.clone()),
+                    ),
+            );
+        }
+
+        let required_matches = selector.len() as i32;
+
+        let workloads = lapdev_db_entities::kube_app_catalog_workload_label::Entity::find()
+            .select_only()
+            .column(lapdev_db_entities::kube_app_catalog_workload_label::Column::WorkloadId)
+            .filter(
+                lapdev_db_entities::kube_app_catalog_workload_label::Column::ClusterId
+                    .eq(cluster_id),
+            )
+            .filter(
+                lapdev_db_entities::kube_app_catalog_workload_label::Column::Namespace
+                    .eq(namespace.to_string()),
+            )
+            .filter(
+                lapdev_db_entities::kube_app_catalog_workload_label::Column::DeletedAt.is_null(),
+            )
+            .filter(condition)
+            .group_by(lapdev_db_entities::kube_app_catalog_workload_label::Column::WorkloadId)
+            .having(
+                Expr::col(lapdev_db_entities::kube_app_catalog_workload_label::Column::WorkloadId)
+                    .count()
+                    .eq(required_matches),
+            )
+            .into_tuple::<Uuid>()
+            .all(&self.conn)
+            .await?;
+
+        Ok(workloads)
+    }
+
+    pub async fn get_matching_cluster_services(
+        &self,
+        cluster_id: Uuid,
+        namespace: &str,
+        labels: &BTreeMap<String, String>,
+    ) -> Result<Vec<CachedClusterService>> {
+        if labels.is_empty() {
+            return Ok(Vec::new());
+        }
+
+        let selector_rows = kube_cluster_service_selector::Entity::find()
+            .filter(kube_cluster_service_selector::Column::ClusterId.eq(cluster_id))
+            .filter(kube_cluster_service_selector::Column::Namespace.eq(namespace))
+            .filter(kube_cluster_service_selector::Column::DeletedAt.is_null())
+            .all(&self.conn)
+            .await?;
+
+        let mut grouped: HashMap<Uuid, Vec<(String, String)>> = HashMap::new();
+        for row in selector_rows {
+            grouped
+                .entry(row.service_id)
+                .or_default()
+                .push((row.label_key, row.label_value));
+        }
+
+        let matching_ids: Vec<Uuid> = grouped
+            .into_iter()
+            .filter_map(|(service_id, selectors)| {
+                if selectors.iter().all(|(key, value)| {
+                    labels
+                        .get(key)
+                        .map(|existing| existing == value)
+                        .unwrap_or(false)
+                }) {
+                    Some(service_id)
+                } else {
+                    None
+                }
+            })
+            .collect();
+
+        if matching_ids.is_empty() {
+            return Ok(Vec::new());
+        }
+
+        let services = kube_cluster_service::Entity::find()
+            .filter(kube_cluster_service::Column::Id.is_in(matching_ids))
+            .filter(kube_cluster_service::Column::DeletedAt.is_null())
+            .all(&self.conn)
+            .await?;
+
+        let mut results = Vec::with_capacity(services.len());
+        for svc in services {
+            let selector: BTreeMap<String, String> =
+                serde_json::from_value(svc.selector.clone()).unwrap_or_default();
+            let ports_raw: Vec<StoredServicePort> =
+                serde_json::from_value(svc.ports.clone()).unwrap_or_default();
+            let ports = ports_raw
+                .into_iter()
+                .filter_map(StoredServicePort::into_service_port)
+                .collect();
+
+            results.push(CachedClusterService {
+                name: svc.name,
+                selector,
+                ports,
+                service_yaml: svc.service_yaml,
+            });
+        }
+
+        Ok(results)
+    }
+
+    /// Get services that select the given catalog workloads based on their pod labels.
+    /// Uses the workload label table and service selector table for efficient matching.
+    /// Processes each workload individually and queries service selectors by namespace and label pairs.
+    pub async fn get_services_for_catalog_workloads(
+        &self,
+        cluster_id: Uuid,
+        workload_ids: &[Uuid],
+    ) -> Result<HashMap<Uuid, Vec<CachedClusterService>>> {
+        if workload_ids.is_empty() {
+            return Ok(HashMap::new());
+        }
+
+        let workload_ids_vec: Vec<Uuid> = workload_ids.to_vec();
+
+        let label_rows = kube_app_catalog_workload_label::Entity::find()
+            .filter(
+                kube_app_catalog_workload_label::Column::WorkloadId.is_in(workload_ids_vec.clone()),
+            )
+            .filter(kube_app_catalog_workload_label::Column::DeletedAt.is_null())
+            .all(&self.conn)
+            .await?;
+
+        if label_rows.is_empty() {
+            return Ok(HashMap::new());
+        }
+
+        let mut workload_labels: HashMap<Uuid, BTreeMap<String, String>> = HashMap::new();
+        let mut workload_namespaces: HashMap<Uuid, String> = HashMap::new();
+
+        for row in label_rows {
+            workload_labels
+                .entry(row.workload_id)
+                .or_default()
+                .insert(row.label_key.clone(), row.label_value.clone());
+            workload_namespaces
+                .entry(row.workload_id)
+                .or_insert(row.namespace);
+        }
+
+        let mut workloads_by_namespace: HashMap<String, Vec<Uuid>> = HashMap::new();
+        for workload_id in workload_ids_vec.iter().copied() {
+            if let (Some(labels), Some(namespace)) = (
+                workload_labels.get(&workload_id),
+                workload_namespaces.get(&workload_id),
+            ) {
+                if !labels.is_empty() {
+                    workloads_by_namespace
+                        .entry(namespace.clone())
+                        .or_default()
+                        .push(workload_id);
+                }
+            }
+        }
+
+        if workloads_by_namespace.is_empty() {
+            return Ok(HashMap::new());
+        }
+
+        let mut workload_service_ids: HashMap<Uuid, HashSet<Uuid>> = HashMap::new();
+
+        for (namespace, workloads_in_namespace) in workloads_by_namespace {
+            let mut label_pairs: BTreeSet<(String, String)> = BTreeSet::new();
+            for workload_id in &workloads_in_namespace {
+                if let Some(labels) = workload_labels.get(workload_id) {
+                    for (key, value) in labels {
+                        label_pairs.insert((key.clone(), value.clone()));
+                    }
+                }
+            }
+
+            if label_pairs.is_empty() {
+                continue;
+            }
+
+            let mut label_condition = Condition::any();
+            for (key, value) in &label_pairs {
+                label_condition = label_condition.add(
+                    Condition::all()
+                        .add(kube_cluster_service_selector::Column::LabelKey.eq(key.clone()))
+                        .add(kube_cluster_service_selector::Column::LabelValue.eq(value.clone())),
+                );
+            }
+
+            let selector_rows = kube_cluster_service_selector::Entity::find()
+                .filter(kube_cluster_service_selector::Column::ClusterId.eq(cluster_id))
+                .filter(kube_cluster_service_selector::Column::Namespace.eq(namespace.clone()))
+                .filter(kube_cluster_service_selector::Column::DeletedAt.is_null())
+                .filter(label_condition)
+                .all(&self.conn)
+                .await?;
+
+            if selector_rows.is_empty() {
+                continue;
+            }
+
+            let candidate_service_ids: HashSet<Uuid> =
+                selector_rows.iter().map(|row| row.service_id).collect();
+
+            if candidate_service_ids.is_empty() {
+                continue;
+            }
+
+            let selector_rows_full = kube_cluster_service_selector::Entity::find()
+                .filter(kube_cluster_service_selector::Column::ClusterId.eq(cluster_id))
+                .filter(kube_cluster_service_selector::Column::Namespace.eq(namespace.clone()))
+                .filter(kube_cluster_service_selector::Column::DeletedAt.is_null())
+                .filter(
+                    kube_cluster_service_selector::Column::ServiceId
+                        .is_in(candidate_service_ids.iter().copied().collect::<Vec<_>>()),
+                )
+                .all(&self.conn)
+                .await?;
+
+            if selector_rows_full.is_empty() {
+                continue;
+            }
+
+            let mut selectors_by_service: HashMap<Uuid, Vec<(String, String)>> = HashMap::new();
+            for row in selector_rows_full {
+                selectors_by_service
+                    .entry(row.service_id)
+                    .or_default()
+                    .push((row.label_key, row.label_value));
+            }
+
+            for workload_id in workloads_in_namespace {
+                if let Some(labels) = workload_labels.get(&workload_id) {
+                    for (service_id, selectors) in &selectors_by_service {
+                        if selectors.iter().all(|(key, value)| {
+                            labels
+                                .get(key)
+                                .map(|existing| existing == value)
+                                .unwrap_or(false)
+                        }) {
+                            workload_service_ids
+                                .entry(workload_id)
+                                .or_default()
+                                .insert(*service_id);
+                        }
+                    }
+                }
+            }
+        }
+
+        if workload_service_ids.is_empty() {
+            return Ok(HashMap::new());
+        }
+
+        let all_service_ids: HashSet<Uuid> = workload_service_ids
+            .values()
+            .flat_map(|set| set.iter().copied())
+            .collect();
+
+        let services = kube_cluster_service::Entity::find()
+            .filter(
+                kube_cluster_service::Column::Id
+                    .is_in(all_service_ids.iter().copied().collect::<Vec<_>>()),
+            )
+            .filter(kube_cluster_service::Column::DeletedAt.is_null())
+            .filter(
+                Condition::any()
+                    .add(kube_cluster_service::Column::ServiceType.eq("ClusterIP"))
+                    .add(kube_cluster_service::Column::ServiceType.is_null()),
+            )
+            .all(&self.conn)
+            .await?;
+
+        let mut service_by_id: HashMap<Uuid, CachedClusterService> = HashMap::new();
+        for svc in services {
+            let selector: BTreeMap<String, String> =
+                serde_json::from_value(svc.selector.clone()).unwrap_or_default();
+            let ports_raw: Vec<StoredServicePort> =
+                serde_json::from_value(svc.ports.clone()).unwrap_or_default();
+            let ports = ports_raw
+                .into_iter()
+                .filter_map(StoredServicePort::into_service_port)
+                .collect();
+
+            service_by_id.insert(
+                svc.id,
+                CachedClusterService {
+                    name: svc.name,
+                    selector,
+                    ports,
+                    service_yaml: svc.service_yaml,
+                },
+            );
+        }
+
+        let mut results: HashMap<Uuid, Vec<CachedClusterService>> = HashMap::new();
+        for (workload_id, service_ids) in workload_service_ids {
+            let services_for_workload = service_ids
+                .into_iter()
+                .filter_map(|service_id| service_by_id.get(&service_id).cloned())
+                .collect::<Vec<_>>();
+
+            if !services_for_workload.is_empty() {
+                results.insert(workload_id, services_for_workload);
+            }
+        }
+
+        Ok(results)
+    }
+
+    pub async fn find_workloads_by_dependency(
+        &self,
+        cluster_id: Uuid,
+        namespace: &str,
+        resource_type: &str,
+        resource_name: &str,
+    ) -> Result<Vec<(Uuid, Uuid)>> {
+        let rows = kube_app_catalog_workload_dependency::Entity::find()
+            .select_only()
+            .column(kube_app_catalog_workload_dependency::Column::WorkloadId)
+            .column(kube_app_catalog_workload_dependency::Column::AppCatalogId)
+            .filter(kube_app_catalog_workload_dependency::Column::ClusterId.eq(cluster_id))
+            .filter(kube_app_catalog_workload_dependency::Column::Namespace.eq(namespace))
+            .filter(kube_app_catalog_workload_dependency::Column::ResourceType.eq(resource_type))
+            .filter(kube_app_catalog_workload_dependency::Column::ResourceName.eq(resource_name))
+            .filter(kube_app_catalog_workload_dependency::Column::DeletedAt.is_null())
+            .into_tuple::<(Uuid, Uuid)>()
+            .all(&self.conn)
+            .await?;
+
+        Ok(rows)
+    }
+
+    pub async fn update_catalog_workload_versions(
+        &self,
+        workload_ids: &[Uuid],
+        version: i64,
+    ) -> Result<()> {
+        if workload_ids.is_empty() {
+            return Ok(());
+        }
+
+        lapdev_db_entities::kube_app_catalog_workload::Entity::update_many()
+            .filter(
+                lapdev_db_entities::kube_app_catalog_workload::Column::Id
+                    .is_in(workload_ids.iter().cloned().collect::<Vec<_>>()),
+            )
+            .col_expr(
+                lapdev_db_entities::kube_app_catalog_workload::Column::CatalogSyncVersion,
+                Expr::value(version),
+            )
+            .exec(&self.conn)
+            .await?;
+
+        Ok(())
+    }
+
+    pub async fn replace_service_selectors(
+        &self,
+        service_id: Uuid,
+        cluster_id: Uuid,
+        namespace: &str,
+        selectors: &BTreeMap<String, String>,
+        timestamp: DateTimeWithTimeZone,
+    ) -> Result<(), sea_orm::DbErr> {
+        replace_service_selectors_with_conn(
+            &self.conn, service_id, cluster_id, namespace, selectors, timestamp,
+        )
+        .await
+    }
+
+    pub async fn mark_service_selectors_deleted(
+        &self,
+        service_id: Uuid,
+        timestamp: DateTimeWithTimeZone,
+    ) -> Result<(), sea_orm::DbErr> {
+        mark_service_selectors_deleted_with_conn(&self.conn, service_id, timestamp).await
+    }
+
+    pub async fn get_environment_workloads(
+        &self,
+        environment_id: Uuid,
+    ) -> Result<Vec<KubeEnvironmentWorkload>> {
+        let workloads = lapdev_db_entities::kube_environment_workload::Entity::find()
+            .filter(
+                lapdev_db_entities::kube_environment_workload::Column::EnvironmentId
+                    .eq(environment_id),
+            )
+            .filter(lapdev_db_entities::kube_environment_workload::Column::DeletedAt.is_null())
+            .all(&self.conn)
+            .await?;
+
+        let mut result = Vec::new();
+        for workload in workloads {
+            let containers: Vec<KubeContainerInfo> =
+                if let Ok(containers) = serde_json::from_value(workload.containers.clone()) {
+                    containers
+                } else {
+                    vec![]
+                };
+
+            let ports: Vec<lapdev_common::kube::KubeServicePort> =
+                if let Ok(ports) = serde_json::from_value(workload.ports.clone()) {
+                    ports
+                } else {
+                    vec![]
+                };
+
+            result.push(KubeEnvironmentWorkload {
+                id: workload.id,
+                created_at: workload.created_at,
+                environment_id: workload.environment_id,
+                base_workload_id: workload.base_workload_id,
+                name: workload.name,
+                namespace: workload.namespace,
+                kind: workload.kind,
+                containers,
+                ports,
+                workload_yaml: workload.workload_yaml,
+                catalog_sync_version: workload.catalog_sync_version,
+                ready_replicas: workload.ready_replicas,
+            });
+        }
+        Ok(result)
+    }
+
+    pub async fn get_environment_workload(
+        &self,
+        workload_id: Uuid,
+    ) -> Result<Option<KubeEnvironmentWorkload>> {
+        let workload =
+            lapdev_db_entities::kube_environment_workload::Entity::find_by_id(workload_id)
+                .filter(lapdev_db_entities::kube_environment_workload::Column::DeletedAt.is_null())
+                .one(&self.conn)
+                .await?;
+
+        if let Some(workload) = workload {
+            let containers: Vec<KubeContainerInfo> =
+                if let Ok(containers) = serde_json::from_value(workload.containers.clone()) {
+                    containers
+                } else {
+                    vec![]
+                };
+
+            let ports: Vec<lapdev_common::kube::KubeServicePort> =
+                if let Ok(ports) = serde_json::from_value(workload.ports.clone()) {
+                    ports
+                } else {
+                    vec![]
+                };
+
+            Ok(Some(KubeEnvironmentWorkload {
+                id: workload.id,
+                created_at: workload.created_at,
+                environment_id: workload.environment_id,
+                base_workload_id: workload.base_workload_id,
+                name: workload.name,
+                namespace: workload.namespace,
+                kind: workload.kind,
+                containers,
+                ports,
+                workload_yaml: workload.workload_yaml,
+                catalog_sync_version: workload.catalog_sync_version,
+                ready_replicas: workload.ready_replicas,
+            }))
+        } else {
+            Ok(None)
+        }
+    }
+
+    pub async fn get_environment_workload_labels(
+        &self,
+        workload_id: Uuid,
+    ) -> Result<BTreeMap<String, String>> {
+        let rows = kube_environment_workload_label::Entity::find()
+            .filter(kube_environment_workload_label::Column::WorkloadId.eq(workload_id))
+            .filter(kube_environment_workload_label::Column::DeletedAt.is_null())
+            .all(&self.conn)
+            .await?;
+
+        let mut map: BTreeMap<String, String> = BTreeMap::new();
+
+        for row in rows {
+            map.insert(row.label_key, row.label_value);
+        }
+
+        Ok(map)
+    }
+
+    pub async fn get_workloads_by_base_workload_id(
+        &self,
+        base_workload_id: Uuid,
+    ) -> Result<Vec<KubeEnvironmentWorkload>> {
+        let workloads = lapdev_db_entities::kube_environment_workload::Entity::find()
+            .filter(
+                lapdev_db_entities::kube_environment_workload::Column::BaseWorkloadId
+                    .eq(base_workload_id),
+            )
+            .filter(lapdev_db_entities::kube_environment_workload::Column::DeletedAt.is_null())
+            .all(&self.conn)
+            .await?;
+
+        let mut result = Vec::new();
+
+        for workload in workloads {
+            let containers: Vec<KubeContainerInfo> =
+                if let Ok(containers) = serde_json::from_value(workload.containers.clone()) {
+                    containers
+                } else {
+                    vec![]
+                };
+
+            let ports: Vec<lapdev_common::kube::KubeServicePort> =
+                if let Ok(ports) = serde_json::from_value(workload.ports.clone()) {
+                    ports
+                } else {
+                    vec![]
+                };
+
+            result.push(KubeEnvironmentWorkload {
+                id: workload.id,
+                created_at: workload.created_at,
+                environment_id: workload.environment_id,
+                base_workload_id: workload.base_workload_id,
+                name: workload.name,
+                namespace: workload.namespace,
+                kind: workload.kind,
+                containers,
+                ports,
+                workload_yaml: workload.workload_yaml,
+                catalog_sync_version: workload.catalog_sync_version,
+                ready_replicas: workload.ready_replicas,
+            });
+        }
+
+        Ok(result)
+    }
+
+    pub async fn get_branch_workload_override(
+        &self,
+        base_workload_id: Uuid,
+        branch_environment_id: Uuid,
+    ) -> Result<Option<KubeEnvironmentWorkload>> {
+        let workload = lapdev_db_entities::kube_environment_workload::Entity::find()
+            .filter(
+                lapdev_db_entities::kube_environment_workload::Column::BaseWorkloadId
+                    .eq(base_workload_id),
+            )
+            .filter(
+                lapdev_db_entities::kube_environment_workload::Column::EnvironmentId
+                    .eq(branch_environment_id),
+            )
+            .filter(lapdev_db_entities::kube_environment_workload::Column::DeletedAt.is_null())
+            .one(&self.conn)
+            .await?;
+
+        if let Some(workload) = workload {
+            let containers: Vec<KubeContainerInfo> =
+                serde_json::from_value(workload.containers.clone()).unwrap_or_default();
+            let ports: Vec<lapdev_common::kube::KubeServicePort> =
+                serde_json::from_value(workload.ports.clone()).unwrap_or_default();
+
+            Ok(Some(KubeEnvironmentWorkload {
+                id: workload.id,
+                created_at: workload.created_at,
+                environment_id: workload.environment_id,
+                base_workload_id: workload.base_workload_id,
+                name: workload.name,
+                namespace: workload.namespace,
+                kind: workload.kind,
+                containers,
+                ports,
+                workload_yaml: workload.workload_yaml,
+                catalog_sync_version: workload.catalog_sync_version,
+                ready_replicas: workload.ready_replicas,
+            }))
+        } else {
+            Ok(None)
+        }
+    }
+
+    pub async fn delete_environment_workload(&self, workload_id: Uuid) -> Result<()> {
+        let timestamp = Utc::now().into();
+
+        lapdev_db_entities::kube_environment_workload::ActiveModel {
+            id: ActiveValue::Set(workload_id),
+            deleted_at: ActiveValue::Set(Some(timestamp)),
+            ..Default::default()
+        }
+        .update(&self.conn)
+        .await?;
+
+        kube_environment_workload_label::Entity::update_many()
+            .filter(kube_environment_workload_label::Column::WorkloadId.eq(workload_id))
+            .filter(kube_environment_workload_label::Column::DeletedAt.is_null())
+            .col_expr(
+                kube_environment_workload_label::Column::DeletedAt,
+                Expr::value(timestamp),
+            )
+            .exec(&self.conn)
+            .await?;
+
+        Ok(())
+    }
+
+    pub async fn update_environment_workload(
+        &self,
+        workload_id: Uuid,
+        containers: Vec<lapdev_common::kube::KubeContainerInfo>,
+        workload_yaml: String,
+    ) -> Result<lapdev_db_entities::kube_environment_workload::Model> {
+        let containers_json = serde_json::to_value(containers)?;
+        let updated_model = lapdev_db_entities::kube_environment_workload::ActiveModel {
+            id: ActiveValue::Set(workload_id),
+            containers: ActiveValue::Set(containers_json),
+            workload_yaml: ActiveValue::Set(workload_yaml),
+            ..Default::default()
+        }
+        .update(&self.conn)
+        .await?;
+
+        if let Ok(kind) = updated_model.kind.parse::<KubeWorkloadKind>() {
+            let labels = labels_from_workload_yaml(&kind, &updated_model.workload_yaml);
+            let timestamp = Utc::now().into();
+            replace_environment_workload_labels_with_conn(
+                &self.conn,
+                updated_model.id,
+                updated_model.environment_id,
+                &labels,
+                timestamp,
+            )
+            .await?;
+        }
+
+        Ok(updated_model)
+    }
+
+    pub async fn insert_environment_workload(
+        &self,
+        environment_id: Uuid,
+        workload: NewEnvironmentWorkload,
+        catalog_sync_version: i64,
+    ) -> Result<lapdev_db_entities::kube_environment_workload::Model, sea_orm::DbErr> {
+        let created_at = Utc::now().into();
+        let NewEnvironmentWorkload { id, details } = workload;
+        let KubeWorkloadDetails {
+            name,
+            namespace,
+            kind,
+            containers,
+            ports,
+            workload_yaml,
+            base_workload_id,
+        } = details;
+
+        let containers_json = serde_json::to_value(&containers)
+            .map(Json::from)
+            .unwrap_or_else(|_| Json::from(serde_json::json!([])));
+        let ports_json = serde_json::to_value(&ports)
+            .map(Json::from)
+            .unwrap_or_else(|_| Json::from(serde_json::json!([])));
+
+        let labels = labels_from_workload_yaml(&kind, &workload_yaml);
+
+        let model = lapdev_db_entities::kube_environment_workload::ActiveModel {
+            id: ActiveValue::Set(id),
+            created_at: ActiveValue::Set(created_at),
+            deleted_at: ActiveValue::Set(None),
+            environment_id: ActiveValue::Set(environment_id),
+            base_workload_id: ActiveValue::Set(base_workload_id.or(Some(id))),
+            name: ActiveValue::Set(name),
+            namespace: ActiveValue::Set(namespace),
+            kind: ActiveValue::Set(kind.to_string()),
+            containers: ActiveValue::Set(containers_json),
+            ports: ActiveValue::Set(ports_json),
+            workload_yaml: ActiveValue::Set(workload_yaml.clone()),
+            catalog_sync_version: ActiveValue::Set(catalog_sync_version),
+            ready_replicas: ActiveValue::Set(None),
+        }
+        .insert(&self.conn)
+        .await?;
+
+        replace_environment_workload_labels_with_conn(
+            &self.conn,
+            id,
+            environment_id,
+            &labels,
+            created_at,
+        )
+        .await?;
+
+        Ok(model)
+    }
+
+    pub async fn update_branch_workload_link(
+        &self,
+        workload_id: Uuid,
+        base_workload_id: Uuid,
+        catalog_sync_version: i64,
+    ) -> Result<()> {
+        lapdev_db_entities::kube_environment_workload::ActiveModel {
+            id: ActiveValue::Set(workload_id),
+            base_workload_id: ActiveValue::Set(Some(base_workload_id)),
+            catalog_sync_version: ActiveValue::Set(catalog_sync_version),
+            ..Default::default()
+        }
+        .update(&self.conn)
+        .await?;
+        Ok(())
+    }
+
+    pub async fn insert_environment_service(
+        &self,
+        environment_id: Uuid,
+        namespace: &str,
+        service: lapdev_common::kube::KubeServiceWithYaml,
+    ) -> Result<lapdev_db_entities::kube_environment_service::Model, sea_orm::DbErr> {
+        let created_at = Utc::now().into();
+        let ports_json = serde_json::to_value(&service.details.ports)
+            .map(Json::from)
+            .unwrap_or_else(|_| Json::from(serde_json::json!([])));
+        let selector_json = serde_json::to_value(&service.details.selector)
+            .map(Json::from)
+            .unwrap_or_else(|_| Json::from(serde_json::json!({})));
+
+        lapdev_db_entities::kube_environment_service::ActiveModel {
+            id: ActiveValue::Set(Uuid::new_v4()),
+            created_at: ActiveValue::Set(created_at),
+            deleted_at: ActiveValue::Set(None),
+            environment_id: ActiveValue::Set(environment_id),
+            name: ActiveValue::Set(service.details.name.clone()),
+            namespace: ActiveValue::Set(namespace.to_string()),
+            yaml: ActiveValue::Set(service.yaml),
+            ports: ActiveValue::Set(ports_json),
+            selector: ActiveValue::Set(selector_json),
+        }
+        .insert(&self.conn)
+        .await
+    }
+
+    pub async fn soft_delete_environment_service(
+        &self,
+        environment_id: Uuid,
+        service_name: &str,
+    ) -> Result<()> {
+        let now: DateTimeWithTimeZone = Utc::now().into();
+        lapdev_db_entities::kube_environment_service::Entity::update_many()
+            .filter(
+                lapdev_db_entities::kube_environment_service::Column::EnvironmentId
+                    .eq(environment_id),
+            )
+            .filter(
+                lapdev_db_entities::kube_environment_service::Column::Name
+                    .eq(service_name.to_string()),
+            )
+            .filter(lapdev_db_entities::kube_environment_service::Column::DeletedAt.is_null())
+            .col_expr(
+                lapdev_db_entities::kube_environment_service::Column::DeletedAt,
+                Expr::value(now),
+            )
+            .exec(&self.conn)
+            .await?;
+        Ok(())
+    }
+
+    /// Creates a kube environment and its associated workloads within a single database transaction.
+    /// This ensures atomicity - either both operations succeed or both are rolled back.
+    pub async fn create_kube_environment(
+        &self,
+        environment_id: Uuid,
+        org_id: Uuid,
+        user_id: Uuid,
+        app_catalog_id: Uuid,
+        cluster_id: Uuid,
+        name: String,
+        namespace: String,
+        status: String,
+        is_shared: bool,
+        catalog_sync_version: i64,
+        base_environment_id: Option<Uuid>,
+        workloads: Vec<NewEnvironmentWorkload>,
+        services: std::collections::HashMap<String, lapdev_common::kube::KubeServiceWithYaml>,
+        auth_token: String,
+    ) -> Result<lapdev_db_entities::kube_environment::Model, sea_orm::DbErr> {
+        let txn = self.conn.begin().await?;
+
+        let created_at = Utc::now().into();
+
+        // Create the environment
+        let environment = lapdev_db_entities::kube_environment::ActiveModel {
+            id: ActiveValue::Set(environment_id),
+            created_at: ActiveValue::Set(created_at),
+            deleted_at: ActiveValue::Set(None),
+            organization_id: ActiveValue::Set(org_id),
+            user_id: ActiveValue::Set(user_id),
+            app_catalog_id: ActiveValue::Set(app_catalog_id),
+            cluster_id: ActiveValue::Set(cluster_id),
+            name: ActiveValue::Set(name),
+            namespace: ActiveValue::Set(namespace.clone()),
+            status: ActiveValue::Set(status),
+            is_shared: ActiveValue::Set(is_shared),
+            catalog_sync_version: ActiveValue::Set(catalog_sync_version),
+            last_catalog_synced_at: ActiveValue::Set(Some(created_at)),
+            paused_at: ActiveValue::Set(None),
+            resumed_at: ActiveValue::Set(None),
+            sync_status: ActiveValue::Set("idle".to_string()),
+            base_environment_id: ActiveValue::Set(base_environment_id),
+            auth_token: ActiveValue::Set(auth_token),
+        }
+        .insert(&txn)
+        .await?;
+
+        // Create all associated workloads
+        for workload in workloads {
+            let NewEnvironmentWorkload {
+                id: new_workload_id,
+                details,
+            } = workload;
+            let KubeWorkloadDetails {
+                name,
+                namespace: workload_namespace,
+                kind,
+                containers,
+                ports,
+                workload_yaml,
+                base_workload_id,
+            } = details;
+            let effective_base_workload_id = base_workload_id.unwrap_or(new_workload_id);
+
+            // Serialize all containers
+            let containers_json = serde_json::to_value(&containers)
+                .map(Json::from)
+                .unwrap_or_else(|_| Json::from(serde_json::json!([])));
+
+            // Serialize ports
+            let ports_json = serde_json::to_value(&ports)
+                .map(Json::from)
+                .unwrap_or_else(|_| Json::from(serde_json::json!([])));
+
+            let labels = labels_from_workload_yaml(&kind, &workload_yaml);
+
+            lapdev_db_entities::kube_environment_workload::ActiveModel {
+                id: ActiveValue::Set(new_workload_id),
+                created_at: ActiveValue::Set(created_at),
+                deleted_at: ActiveValue::Set(None),
+                environment_id: ActiveValue::Set(environment_id),
+                base_workload_id: ActiveValue::Set(Some(effective_base_workload_id)),
+                name: ActiveValue::Set(name),
+                namespace: ActiveValue::Set(workload_namespace),
+                kind: ActiveValue::Set(kind.to_string()),
+                containers: ActiveValue::Set(containers_json),
+                ports: ActiveValue::Set(ports_json),
+                workload_yaml: ActiveValue::Set(workload_yaml.clone()),
+                catalog_sync_version: ActiveValue::Set(catalog_sync_version),
+                ready_replicas: ActiveValue::Set(None),
+            }
+            .insert(&txn)
+            .await?;
+
+            replace_environment_workload_labels_with_conn(
+                &txn,
+                new_workload_id,
+                environment_id,
+                &labels,
+                created_at,
+            )
+            .await?;
+        }
+
+        // Create all associated services
+        for (service_name, service_with_yaml) in services {
+            // Serialize ports
+            let ports_json = serde_json::to_value(&service_with_yaml.details.ports)
+                .map(Json::from)
+                .unwrap_or_else(|_| Json::from(serde_json::json!([])));
+
+            // Serialize selector
+            let selector_json = serde_json::to_value(&service_with_yaml.details.selector)
+                .map(Json::from)
+                .unwrap_or_else(|_| Json::from(serde_json::json!({})));
+
+            lapdev_db_entities::kube_environment_service::ActiveModel {
+                id: ActiveValue::Set(Uuid::new_v4()),
+                created_at: ActiveValue::Set(created_at),
+                deleted_at: ActiveValue::Set(None),
+                environment_id: ActiveValue::Set(environment_id),
+                name: ActiveValue::Set(service_name),
+                namespace: ActiveValue::Set(namespace.clone()),
+                yaml: ActiveValue::Set(service_with_yaml.yaml),
+                ports: ActiveValue::Set(ports_json),
+                selector: ActiveValue::Set(selector_json),
+            }
+            .insert(&txn)
+            .await?;
+        }
+
+        // Commit the transaction
+        txn.commit().await?;
+
+        Ok(environment)
+    }
+
+    pub async fn get_environment_services(
+        &self,
+        environment_id: Uuid,
+    ) -> Result<Vec<lapdev_common::kube::KubeEnvironmentService>> {
+        let services = lapdev_db_entities::kube_environment_service::Entity::find()
+            .filter(
+                lapdev_db_entities::kube_environment_service::Column::EnvironmentId
+                    .eq(environment_id),
+            )
+            .filter(lapdev_db_entities::kube_environment_service::Column::DeletedAt.is_null())
+            .all(&self.conn)
+            .await?;
+
+        let mut result = Vec::new();
+        for service in services {
+            let ports: Vec<lapdev_common::kube::KubeServicePort> =
+                if let Ok(ports) = serde_json::from_value(service.ports.clone()) {
+                    ports
+                } else {
+                    vec![]
+                };
+
+            let selector: std::collections::BTreeMap<String, String> =
+                if let Ok(selector) = serde_json::from_value(service.selector.clone()) {
+                    selector
+                } else {
+                    std::collections::BTreeMap::new()
+                };
+
+            result.push(lapdev_common::kube::KubeEnvironmentService {
+                id: service.id,
+                created_at: service.created_at,
+                environment_id: service.environment_id,
+                name: service.name,
+                namespace: service.namespace,
+                yaml: service.yaml,
+                ports,
+                selector,
+            });
+        }
+        Ok(result)
+    }
+
+    pub async fn get_kube_environment_service_by_id(
+        &self,
+        service_id: Uuid,
+    ) -> Result<Option<lapdev_common::kube::KubeEnvironmentService>> {
+        let service = lapdev_db_entities::kube_environment_service::Entity::find()
+            .filter(lapdev_db_entities::kube_environment_service::Column::Id.eq(service_id))
+            .filter(lapdev_db_entities::kube_environment_service::Column::DeletedAt.is_null())
+            .one(&self.conn)
+            .await?;
+
+        if let Some(service) = service {
+            let ports: Vec<lapdev_common::kube::KubeServicePort> =
+                if let Ok(ports) = serde_json::from_value(service.ports.clone()) {
+                    ports
+                } else {
+                    vec![]
+                };
+
+            let selector: std::collections::BTreeMap<String, String> =
+                serde_json::from_value(service.selector.clone()).unwrap_or_default();
+
+            Ok(Some(lapdev_common::kube::KubeEnvironmentService {
+                id: service.id,
+                created_at: service.created_at,
+                environment_id: service.environment_id,
+                name: service.name,
+                namespace: service.namespace,
+                yaml: service.yaml,
+                ports,
+                selector,
+            }))
+        } else {
+            Ok(None)
+        }
+    }
+
+    // Preview URL operations
+    pub async fn create_environment_preview_url(
+        &self,
+        environment_id: Uuid,
+        service_id: Uuid,
+        user_id: Uuid,
+        name: String,
+        description: Option<String>,
+        port: i32,
+        port_name: Option<String>,
+        protocol: String,
+        access_level: lapdev_common::kube::PreviewUrlAccessLevel,
+    ) -> Result<lapdev_db_entities::kube_environment_preview_url::Model, sea_orm::DbErr> {
+        let now = Utc::now();
+        let preview_url = lapdev_db_entities::kube_environment_preview_url::ActiveModel {
+            id: ActiveValue::Set(Uuid::new_v4()),
+            environment_id: ActiveValue::Set(environment_id),
+            service_id: ActiveValue::Set(service_id),
+            name: ActiveValue::Set(name),
+            description: ActiveValue::Set(description),
+            port: ActiveValue::Set(port),
+            port_name: ActiveValue::Set(port_name),
+            protocol: ActiveValue::Set(protocol),
+            access_level: ActiveValue::Set(access_level.to_string()),
+            created_by: ActiveValue::Set(user_id),
+            last_accessed_at: ActiveValue::Set(None),
+            metadata: ActiveValue::Set(serde_json::json!({})),
+            deleted_at: ActiveValue::Set(None),
+            created_at: ActiveValue::Set(now.into()),
+            updated_at: ActiveValue::Set(now.into()),
+        }
+        .insert(&self.conn)
+        .await?;
+        Ok(preview_url)
+    }
+
+    pub async fn get_environment_preview_urls(
+        &self,
+        environment_id: Uuid,
+    ) -> Result<Vec<lapdev_db_entities::kube_environment_preview_url::Model>, sea_orm::DbErr> {
+        lapdev_db_entities::kube_environment_preview_url::Entity::find()
+            .filter(
+                lapdev_db_entities::kube_environment_preview_url::Column::EnvironmentId
+                    .eq(environment_id),
+            )
+            .filter(lapdev_db_entities::kube_environment_preview_url::Column::DeletedAt.is_null())
+            .order_by_asc(lapdev_db_entities::kube_environment_preview_url::Column::CreatedAt)
+            .all(&self.conn)
+            .await
+    }
+
+    pub async fn get_environment_preview_url(
+        &self,
+        preview_url_id: Uuid,
+    ) -> Result<Option<lapdev_db_entities::kube_environment_preview_url::Model>, sea_orm::DbErr>
+    {
+        lapdev_db_entities::kube_environment_preview_url::Entity::find_by_id(preview_url_id)
+            .filter(lapdev_db_entities::kube_environment_preview_url::Column::DeletedAt.is_null())
+            .one(&self.conn)
+            .await
+    }
+
+    pub async fn update_environment_preview_url(
+        &self,
+        preview_url_id: Uuid,
+        description: Option<String>,
+        access_level: Option<lapdev_common::kube::PreviewUrlAccessLevel>,
+    ) -> Result<lapdev_db_entities::kube_environment_preview_url::Model, sea_orm::DbErr> {
+        let mut active_model = lapdev_db_entities::kube_environment_preview_url::ActiveModel {
+            id: ActiveValue::Set(preview_url_id),
+            ..Default::default()
+        };
+
+        if let Some(description) = description {
+            active_model.description = ActiveValue::Set(Some(description));
+        }
+        if let Some(access_level) = access_level {
+            active_model.access_level = ActiveValue::Set(access_level.to_string());
+        }
+
+        active_model.update(&self.conn).await
+    }
+
+    pub async fn delete_environment_preview_url(
+        &self,
+        preview_url_id: Uuid,
+    ) -> Result<(), sea_orm::DbErr> {
+        lapdev_db_entities::kube_environment_preview_url::ActiveModel {
+            id: ActiveValue::Set(preview_url_id),
+            deleted_at: ActiveValue::Set(Some(Utc::now().into())),
+            ..Default::default()
+        }
+        .update(&self.conn)
+        .await?;
+        Ok(())
+    }
+
+    pub async fn update_preview_url_last_accessed(
+        &self,
+        preview_url_id: Uuid,
+    ) -> Result<(), sea_orm::DbErr> {
+        lapdev_db_entities::kube_environment_preview_url::ActiveModel {
+            id: ActiveValue::Set(preview_url_id),
+            last_accessed_at: ActiveValue::Set(Some(Utc::now().into())),
+            ..Default::default()
+        }
+        .update(&self.conn)
+        .await?;
+        Ok(())
+    }
+
+    // Methods for preview URL resolution
+    pub async fn find_preview_url_by_name(
+        &self,
+        name: &str,
+    ) -> Result<Option<lapdev_db_entities::kube_environment_preview_url::Model>> {
+        let preview_url = lapdev_db_entities::kube_environment_preview_url::Entity::find()
+            .filter(lapdev_db_entities::kube_environment_preview_url::Column::Name.eq(name))
+            .filter(lapdev_db_entities::kube_environment_preview_url::Column::DeletedAt.is_null())
+            .one(&self.conn)
+            .await
+            .map_err(|e| anyhow::anyhow!("Database error: {}", e))?;
+        Ok(preview_url)
+    }
+
+    pub async fn find_environment_service(
+        &self,
+        env_id: Uuid,
+        service_name: &str,
+    ) -> Result<Option<lapdev_db_entities::kube_environment_service::Model>> {
+        let service = lapdev_db_entities::kube_environment_service::Entity::find()
+            .filter(lapdev_db_entities::kube_environment_service::Column::EnvironmentId.eq(env_id))
+            .filter(lapdev_db_entities::kube_environment_service::Column::Name.eq(service_name))
+            .filter(lapdev_db_entities::kube_environment_service::Column::DeletedAt.is_null())
+            .one(&self.conn)
+            .await
+            .map_err(|e| anyhow::anyhow!("Database error: {}", e))?;
+        Ok(service)
+    }
+
+    pub async fn update_preview_url_access(
+        &self,
+        preview_url_id: Uuid,
+    ) -> Result<(), sea_orm::DbErr> {
+        lapdev_db_entities::kube_environment_preview_url::ActiveModel {
+            id: ActiveValue::Set(preview_url_id),
+            last_accessed_at: ActiveValue::Set(Some(Utc::now().into())),
+            ..Default::default()
+        }
+        .update(&self.conn)
+        .await?;
+        Ok(())
+    }
+
+    // Devbox Session Methods
+
+    /// Create or update a devbox session. Revokes any existing active session for the user.
+    pub async fn create_or_update_devbox_session(
+        &self,
+        user_id: Uuid,
+        session_token: &str,
+        device_name: String,
+        expires_at: DateTimeWithTimeZone,
+    ) -> Result<lapdev_db_entities::kube_devbox_session::Model> {
+        use lapdev_common::token::HashedToken;
+
+        // Hash the token
+        let token_hash_bytes = HashedToken::hash(session_token);
+        let token_hash = hex::encode(&token_hash_bytes);
+
+        // Get first 12 characters (or fewer) as prefix for support tooling
+        let token_prefix = session_token.chars().take(12).collect::<String>();
+
+        // Start a transaction to handle the atomic operation
+        let txn = self.conn.begin().await?;
+
+        let now: DateTimeWithTimeZone = Utc::now().into();
+
+        let existing_session = lapdev_db_entities::kube_devbox_session::Entity::find()
+            .filter(lapdev_db_entities::kube_devbox_session::Column::UserId.eq(user_id))
+            .order_by_desc(lapdev_db_entities::kube_devbox_session::Column::CreatedAt)
+            .one(&txn)
+            .await?;
+
+        // Reuse the existing session row when present, otherwise create a new one.
+        let session = if let Some(existing) = existing_session {
+            lapdev_db_entities::kube_devbox_session::ActiveModel {
+                id: ActiveValue::Set(existing.id),
+                session_token_hash: ActiveValue::Set(token_hash.clone()),
+                token_prefix: ActiveValue::Set(token_prefix.clone()),
+                device_name: ActiveValue::Set(device_name.clone()),
+                expires_at: ActiveValue::Set(expires_at.clone()),
+                last_used_at: ActiveValue::Set(now.clone()),
+                revoked_at: ActiveValue::Set(None),
+                ..Default::default()
+            }
+            .update(&txn)
+            .await?
+        } else {
+            lapdev_db_entities::kube_devbox_session::ActiveModel {
+                id: ActiveValue::Set(Uuid::new_v4()),
+                user_id: ActiveValue::Set(user_id),
+                session_token_hash: ActiveValue::Set(token_hash),
+                token_prefix: ActiveValue::Set(token_prefix),
+                device_name: ActiveValue::Set(device_name),
+                active_environment_id: ActiveValue::Set(None),
+                created_at: ActiveValue::Set(now.clone()),
+                expires_at: ActiveValue::Set(expires_at),
+                last_used_at: ActiveValue::Set(now),
+                revoked_at: ActiveValue::Set(None),
+            }
+            .insert(&txn)
+            .await?
+        };
+
+        txn.commit().await?;
+
+        Ok(session)
+    }
+
+    /// Get a devbox session by token hash
+    pub async fn get_devbox_session_by_token_hash(
+        &self,
+        session_token: &str,
+    ) -> Result<Option<lapdev_db_entities::kube_devbox_session::Model>> {
+        use lapdev_common::token::HashedToken;
+
+        let token_hash_bytes = HashedToken::hash(session_token);
+        let token_hash = hex::encode(&token_hash_bytes);
+
+        let session = lapdev_db_entities::kube_devbox_session::Entity::find()
+            .filter(
+                lapdev_db_entities::kube_devbox_session::Column::SessionTokenHash.eq(token_hash),
+            )
+            .filter(lapdev_db_entities::kube_devbox_session::Column::RevokedAt.is_null())
+            .one(&self.conn)
+            .await?;
+
+        Ok(session)
+    }
+
+    /// Get the active devbox session for a user
+    pub async fn get_active_devbox_session(
+        &self,
+        user_id: Uuid,
+    ) -> Result<Option<lapdev_db_entities::kube_devbox_session::Model>> {
+        let session = lapdev_db_entities::kube_devbox_session::Entity::find()
+            .filter(lapdev_db_entities::kube_devbox_session::Column::UserId.eq(user_id))
+            .filter(lapdev_db_entities::kube_devbox_session::Column::RevokedAt.is_null())
+            .one(&self.conn)
+            .await?;
+
+        Ok(session)
+    }
+
+    /// Revoke the active devbox session for a user (if any)
+    pub async fn revoke_active_devbox_session(&self, user_id: Uuid) -> Result<()> {
+        if let Some(existing) = lapdev_db_entities::kube_devbox_session::Entity::find()
+            .filter(lapdev_db_entities::kube_devbox_session::Column::UserId.eq(user_id))
+            .filter(lapdev_db_entities::kube_devbox_session::Column::RevokedAt.is_null())
+            .one(&self.conn)
+            .await?
+        {
+            lapdev_db_entities::kube_devbox_session::ActiveModel {
+                id: ActiveValue::Set(existing.id),
+                revoked_at: ActiveValue::Set(Some(Utc::now().into())),
+                ..Default::default()
+            }
+            .update(&self.conn)
+            .await?;
+        }
+
+        Ok(())
+    }
+
+    /// Revoke a specific devbox session by primary key
+    pub async fn revoke_devbox_session_by_id(&self, id: Uuid) -> Result<()> {
+        if lapdev_db_entities::kube_devbox_session::Entity::find_by_id(id)
+            .one(&self.conn)
+            .await?
+            .is_some()
+        {
+            lapdev_db_entities::kube_devbox_session::ActiveModel {
+                id: ActiveValue::Set(id),
+                revoked_at: ActiveValue::Set(Some(Utc::now().into())),
+                ..Default::default()
+            }
+            .update(&self.conn)
+            .await?;
+        }
+        Ok(())
+    }
+
+    /// Update the last_used_at timestamp for the active devbox session
+    pub async fn update_devbox_session_last_used(&self, user_id: Uuid) -> Result<()> {
+        if let Some(existing) = lapdev_db_entities::kube_devbox_session::Entity::find()
+            .filter(lapdev_db_entities::kube_devbox_session::Column::UserId.eq(user_id))
+            .filter(lapdev_db_entities::kube_devbox_session::Column::RevokedAt.is_null())
+            .one(&self.conn)
+            .await?
+        {
+            lapdev_db_entities::kube_devbox_session::ActiveModel {
+                id: ActiveValue::Set(existing.id),
+                last_used_at: ActiveValue::Set(Utc::now().into()),
+                ..Default::default()
+            }
+            .update(&self.conn)
+            .await?;
+        }
+
+        Ok(())
+    }
+
+    /// Update the device name for a devbox session
+    pub async fn update_devbox_session_device_name(
+        &self,
+        user_id: Uuid,
+        device_name: String,
+    ) -> Result<()> {
+        if let Some(existing) = lapdev_db_entities::kube_devbox_session::Entity::find()
+            .filter(lapdev_db_entities::kube_devbox_session::Column::UserId.eq(user_id))
+            .filter(lapdev_db_entities::kube_devbox_session::Column::RevokedAt.is_null())
+            .one(&self.conn)
+            .await?
+        {
+            lapdev_db_entities::kube_devbox_session::ActiveModel {
+                id: ActiveValue::Set(existing.id),
+                device_name: ActiveValue::Set(device_name.into()),
+                ..Default::default()
+            }
+            .update(&self.conn)
+            .await?;
+        }
+
+        Ok(())
+    }
+
+    /// Update the active environment for a devbox session
+    pub async fn update_devbox_session_active_environment(
+        &self,
+        user_id: Uuid,
+        environment_id: Option<Uuid>,
+    ) -> Result<()> {
+        if let Some(existing) = lapdev_db_entities::kube_devbox_session::Entity::find()
+            .filter(lapdev_db_entities::kube_devbox_session::Column::UserId.eq(user_id))
+            .filter(lapdev_db_entities::kube_devbox_session::Column::RevokedAt.is_null())
+            .one(&self.conn)
+            .await?
+        {
+            lapdev_db_entities::kube_devbox_session::ActiveModel {
+                id: ActiveValue::Set(existing.id),
+                active_environment_id: ActiveValue::Set(environment_id),
+                ..Default::default()
+            }
+            .update(&self.conn)
+            .await?;
+        }
+
+        Ok(())
+    }
+
+    /// Get a devbox session by primary key (including revoked entries)
+    pub async fn get_devbox_session_by_id(
+        &self,
+        id: Uuid,
+    ) -> Result<Option<lapdev_db_entities::kube_devbox_session::Model>> {
+        let session = lapdev_db_entities::kube_devbox_session::Entity::find_by_id(id)
+            .one(&self.conn)
+            .await?;
+
+        Ok(session)
+    }
+
+    // Devbox Workload Intercept Methods
+
+    /// Create a new workload intercept
+    pub async fn create_workload_intercept(
+        &self,
+        user_id: Uuid,
+        environment_id: Uuid,
+        workload_id: Uuid,
+        port_mappings: serde_json::Value,
+    ) -> Result<lapdev_db_entities::kube_devbox_workload_intercept::Model> {
+        use lapdev_db_entities::kube_devbox_workload_intercept;
+
+        let txn = self.conn.begin().await?;
+
+        // Check if an active intercept already exists for this workload
+        let existing_active = kube_devbox_workload_intercept::Entity::find()
+            .filter(kube_devbox_workload_intercept::Column::UserId.eq(user_id))
+            .filter(kube_devbox_workload_intercept::Column::WorkloadId.eq(workload_id))
+            .filter(kube_devbox_workload_intercept::Column::StoppedAt.is_null())
+            .one(&txn)
+            .await?;
+
+        let intercept = if let Some(model) = existing_active {
+            let mut active = kube_devbox_workload_intercept::ActiveModel::from(model);
+            active.environment_id = ActiveValue::Set(environment_id);
+            active.port_mappings = ActiveValue::Set(port_mappings.clone().into());
+            active.stopped_at = ActiveValue::Set(None);
+            active.update(&txn).await?
+        } else {
+            let existing_stopped = kube_devbox_workload_intercept::Entity::find()
+                .filter(kube_devbox_workload_intercept::Column::UserId.eq(user_id))
+                .filter(kube_devbox_workload_intercept::Column::WorkloadId.eq(workload_id))
+                .filter(kube_devbox_workload_intercept::Column::StoppedAt.is_not_null())
+                .order_by_desc(kube_devbox_workload_intercept::Column::StoppedAt)
+                .one(&txn)
+                .await?;
+
+            if let Some(model) = existing_stopped {
+                let mut active = kube_devbox_workload_intercept::ActiveModel::from(model);
+                active.environment_id = ActiveValue::Set(environment_id);
+                active.port_mappings = ActiveValue::Set(port_mappings.clone().into());
+                active.stopped_at = ActiveValue::Set(None);
+                active.update(&txn).await?
+            } else {
+                kube_devbox_workload_intercept::ActiveModel {
+                    id: ActiveValue::Set(Uuid::new_v4()),
+                    user_id: ActiveValue::Set(user_id),
+                    environment_id: ActiveValue::Set(environment_id),
+                    workload_id: ActiveValue::Set(workload_id),
+                    port_mappings: ActiveValue::Set(port_mappings.into()),
+                    created_at: ActiveValue::Set(Utc::now().into()),
+                    stopped_at: ActiveValue::Set(None),
+                }
+                .insert(&txn)
+                .await?
+            }
+        };
+
+        txn.commit().await?;
+
+        Ok(intercept)
+    }
+
+    /// Stop a workload intercept
+    pub async fn stop_workload_intercept(
+        &self,
+        intercept_id: Uuid,
+    ) -> Result<lapdev_db_entities::kube_devbox_workload_intercept::Model> {
+        use lapdev_db_entities::kube_devbox_workload_intercept;
+
+        let intercept = kube_devbox_workload_intercept::ActiveModel {
+            id: ActiveValue::Set(intercept_id),
+            stopped_at: ActiveValue::Set(Some(Utc::now().into())),
+            ..Default::default()
+        }
+        .update(&self.conn)
+        .await?;
+
+        Ok(intercept)
+    }
+
+    /// Get a workload intercept by ID
+    pub async fn get_workload_intercept(
+        &self,
+        intercept_id: Uuid,
+    ) -> Result<Option<lapdev_db_entities::kube_devbox_workload_intercept::Model>> {
+        use lapdev_db_entities::kube_devbox_workload_intercept;
+
+        let intercept = kube_devbox_workload_intercept::Entity::find_by_id(intercept_id)
+            .one(&self.conn)
+            .await?;
+        Ok(intercept)
+    }
+
+    /// Get active workload intercepts for an environment
+    pub async fn get_active_intercepts_for_environment(
+        &self,
+        environment_id: Uuid,
+    ) -> Result<Vec<lapdev_db_entities::kube_devbox_workload_intercept::Model>> {
+        use lapdev_db_entities::kube_devbox_workload_intercept;
+
+        let intercepts = kube_devbox_workload_intercept::Entity::find()
+            .filter(kube_devbox_workload_intercept::Column::EnvironmentId.eq(environment_id))
+            .filter(kube_devbox_workload_intercept::Column::StoppedAt.is_null())
+            .all(&self.conn)
+            .await?;
+        Ok(intercepts)
+    }
+
+    /// List workload intercepts for an environment (active + historical)
+    pub async fn list_workload_intercepts_for_environment(
+        &self,
+        environment_id: Uuid,
+    ) -> Result<Vec<lapdev_db_entities::kube_devbox_workload_intercept::Model>> {
+        use lapdev_db_entities::kube_devbox_workload_intercept;
+
+        let intercepts = kube_devbox_workload_intercept::Entity::find()
+            .filter(kube_devbox_workload_intercept::Column::EnvironmentId.eq(environment_id))
+            .order_by_desc(kube_devbox_workload_intercept::Column::CreatedAt)
+            .all(&self.conn)
+            .await?;
+
+        Ok(intercepts)
+    }
+}
+
+fn labels_from_workload_yaml(
+    kind: &lapdev_common::kube::KubeWorkloadKind,
+    yaml: &str,
+) -> BTreeMap<String, String> {
+    let value: Value = match serde_yaml::from_str(yaml) {
+        Ok(v) => v,
+        Err(_) => return BTreeMap::new(),
+    };
+
+    let path: &[&str] = match kind {
+        lapdev_common::kube::KubeWorkloadKind::Deployment
+        | lapdev_common::kube::KubeWorkloadKind::StatefulSet
+        | lapdev_common::kube::KubeWorkloadKind::DaemonSet
+        | lapdev_common::kube::KubeWorkloadKind::ReplicaSet
+        | lapdev_common::kube::KubeWorkloadKind::Job => &["spec", "template", "metadata", "labels"],
+        lapdev_common::kube::KubeWorkloadKind::Pod => &["metadata", "labels"],
+        lapdev_common::kube::KubeWorkloadKind::CronJob => &[
+            "spec",
+            "jobTemplate",
+            "spec",
+            "template",
+            "metadata",
+            "labels",
+        ],
+    };
+
+    traverse_yaml(&value, path)
+        .map(mapping_to_labels)
+        .unwrap_or_default()
+}
+
+fn traverse_yaml<'a>(value: &'a Value, path: &[&str]) -> Option<&'a Value> {
+    let mut current = value;
+    for key in path {
+        let mapping = current.as_mapping()?;
+        current = mapping.get(&Value::String((*key).to_string()))?;
+    }
+    Some(current)
+}
+
+fn mapping_to_labels(node: &Value) -> BTreeMap<String, String> {
+    let mut labels = BTreeMap::new();
+    if let Some(mapping) = node.as_mapping() {
+        for (key, value) in mapping {
+            if let (Value::String(k), Value::String(v)) = (key, value) {
+                labels.insert(k.clone(), v.clone());
+            }
+        }
+    }
+    labels
+}
+
+fn dependencies_from_workload_yaml(
+    kind: &lapdev_common::kube::KubeWorkloadKind,
+    yaml: &str,
+) -> (BTreeSet<String>, BTreeSet<String>) {
+    let value: Value = match serde_yaml::from_str(yaml) {
+        Ok(v) => v,
+        Err(_) => return (BTreeSet::new(), BTreeSet::new()),
+    };
+
+    let pod_spec_path: &[&str] = match kind {
+        lapdev_common::kube::KubeWorkloadKind::Deployment
+        | lapdev_common::kube::KubeWorkloadKind::StatefulSet
+        | lapdev_common::kube::KubeWorkloadKind::DaemonSet
+        | lapdev_common::kube::KubeWorkloadKind::ReplicaSet
+        | lapdev_common::kube::KubeWorkloadKind::Job => &["spec", "template", "spec"],
+        lapdev_common::kube::KubeWorkloadKind::Pod => &["spec"],
+        lapdev_common::kube::KubeWorkloadKind::CronJob => {
+            &["spec", "jobTemplate", "spec", "template", "spec"]
+        }
+    };
+
+    let pod_spec = match traverse_yaml(&value, pod_spec_path) {
+        Some(spec) => spec,
+        None => return (BTreeSet::new(), BTreeSet::new()),
+    };
+
+    collect_dependencies_from_spec(pod_spec)
+}
+
+fn collect_dependencies_from_spec(spec: &Value) -> (BTreeSet<String>, BTreeSet<String>) {
+    let mut configmaps = BTreeSet::new();
+    let mut secrets = BTreeSet::new();
+
+    let collect_env =
+        |container: &Value, configmaps: &mut BTreeSet<String>, secrets: &mut BTreeSet<String>| {
+            if let Some(envs) = container.get("env").and_then(|v| v.as_sequence()) {
+                for env in envs {
+                    if let Some(value_from) = env.get("valueFrom") {
+                        if let Some(cfg) = value_from
+                            .get("configMapKeyRef")
+                            .and_then(|v| v.get("name"))
+                            .and_then(|v| v.as_str())
+                        {
+                            configmaps.insert(cfg.to_string());
+                        }
+                        if let Some(sec) = value_from
+                            .get("secretKeyRef")
+                            .and_then(|v| v.get("name"))
+                            .and_then(|v| v.as_str())
+                        {
+                            secrets.insert(sec.to_string());
+                        }
+                    }
+                }
+            }
+
+            if let Some(env_from) = container.get("envFrom").and_then(|v| v.as_sequence()) {
+                for source in env_from {
+                    if let Some(cfg) = source
+                        .get("configMapRef")
+                        .and_then(|v| v.get("name"))
+                        .and_then(|v| v.as_str())
+                    {
+                        configmaps.insert(cfg.to_string());
+                    }
+                    if let Some(sec) = source
+                        .get("secretRef")
+                        .and_then(|v| v.get("name"))
+                        .and_then(|v| v.as_str())
+                    {
+                        secrets.insert(sec.to_string());
+                    }
+                }
+            }
+        };
+
+    if let Some(containers) = spec.get("containers").and_then(|v| v.as_sequence()) {
+        for container in containers {
+            collect_env(container, &mut configmaps, &mut secrets);
+        }
+    }
+
+    if let Some(init_containers) = spec.get("initContainers").and_then(|v| v.as_sequence()) {
+        for container in init_containers {
+            collect_env(container, &mut configmaps, &mut secrets);
+        }
+    }
+
+    if let Some(ephemeral) = spec
+        .get("ephemeralContainers")
+        .and_then(|v| v.as_sequence())
+    {
+        for container in ephemeral {
+            collect_env(container, &mut configmaps, &mut secrets);
+        }
+    }
+
+    if let Some(volumes) = spec.get("volumes").and_then(|v| v.as_sequence()) {
+        for volume in volumes {
+            if let Some(cfg) = volume
+                .get("configMap")
+                .and_then(|v| v.get("name"))
+                .and_then(|v| v.as_str())
+            {
+                configmaps.insert(cfg.to_string());
+            }
+            if let Some(sec) = volume
+                .get("secret")
+                .and_then(|v| v.get("secretName"))
+                .and_then(|v| v.as_str())
+            {
+                secrets.insert(sec.to_string());
+            }
+            if let Some(projected_sources) = volume
+                .get("projected")
+                .and_then(|v| v.get("sources"))
+                .and_then(|v| v.as_sequence())
+            {
+                for source in projected_sources {
+                    if let Some(cfg) = source
+                        .get("configMap")
+                        .and_then(|v| v.get("name"))
+                        .and_then(|v| v.as_str())
+                    {
+                        configmaps.insert(cfg.to_string());
+                    }
+                    if let Some(sec) = source
+                        .get("secret")
+                        .and_then(|v| v.get("name"))
+                        .and_then(|v| v.as_str())
+                    {
+                        secrets.insert(sec.to_string());
+                    }
+                }
+            }
+        }
+    }
+
+    (configmaps, secrets)
+}
+
+async fn replace_workload_labels_with_conn<C>(
+    conn: &C,
+    workload_id: Uuid,
+    app_catalog_id: Uuid,
+    cluster_id: Uuid,
+    namespace: &str,
+    labels: &BTreeMap<String, String>,
+    timestamp: DateTimeWithTimeZone,
+) -> Result<(), sea_orm::DbErr>
+where
+    C: ConnectionTrait + Send + Sync,
+{
+    lapdev_db_entities::kube_app_catalog_workload_label::Entity::update_many()
+        .filter(
+            lapdev_db_entities::kube_app_catalog_workload_label::Column::WorkloadId.eq(workload_id),
+        )
+        .filter(lapdev_db_entities::kube_app_catalog_workload_label::Column::DeletedAt.is_null())
+        .col_expr(
+            lapdev_db_entities::kube_app_catalog_workload_label::Column::DeletedAt,
+            Expr::value(timestamp),
+        )
+        .exec(conn)
+        .await?;
+
+    for (key, value) in labels {
+        lapdev_db_entities::kube_app_catalog_workload_label::ActiveModel {
+            id: ActiveValue::Set(Uuid::new_v4()),
+            created_at: ActiveValue::Set(timestamp),
+            deleted_at: ActiveValue::Set(None),
+            app_catalog_id: ActiveValue::Set(app_catalog_id),
+            workload_id: ActiveValue::Set(workload_id),
+            cluster_id: ActiveValue::Set(cluster_id),
+            namespace: ActiveValue::Set(namespace.to_owned()),
+            label_key: ActiveValue::Set(key.clone()),
+            label_value: ActiveValue::Set(value.clone()),
+        }
+        .insert(conn)
+        .await?;
+    }
+
+    Ok(())
+}
+
+async fn replace_environment_workload_labels_with_conn<C>(
+    conn: &C,
+    workload_id: Uuid,
+    environment_id: Uuid,
+    labels: &BTreeMap<String, String>,
+    timestamp: DateTimeWithTimeZone,
+) -> Result<(), sea_orm::DbErr>
+where
+    C: ConnectionTrait + Send + Sync,
+{
+    kube_environment_workload_label::Entity::update_many()
+        .filter(kube_environment_workload_label::Column::WorkloadId.eq(workload_id))
+        .filter(kube_environment_workload_label::Column::DeletedAt.is_null())
+        .col_expr(
+            kube_environment_workload_label::Column::DeletedAt,
+            Expr::value(timestamp),
+        )
+        .exec(conn)
+        .await?;
+
+    for (key, value) in labels {
+        kube_environment_workload_label::ActiveModel {
+            id: ActiveValue::Set(Uuid::new_v4()),
+            created_at: ActiveValue::Set(timestamp),
+            deleted_at: ActiveValue::Set(None),
+            environment_id: ActiveValue::Set(environment_id),
+            workload_id: ActiveValue::Set(workload_id),
+            label_key: ActiveValue::Set(key.clone()),
+            label_value: ActiveValue::Set(value.clone()),
+        }
+        .insert(conn)
+        .await?;
+    }
+
+    Ok(())
+}
+
+async fn replace_workload_dependencies_with_conn<C>(
+    conn: &C,
+    workload_id: Uuid,
+    app_catalog_id: Uuid,
+    cluster_id: Uuid,
+    namespace: &str,
+    configmaps: &BTreeSet<String>,
+    secrets: &BTreeSet<String>,
+    timestamp: DateTimeWithTimeZone,
+) -> Result<(), sea_orm::DbErr>
+where
+    C: ConnectionTrait + Send + Sync,
+{
+    kube_app_catalog_workload_dependency::Entity::update_many()
+        .filter(kube_app_catalog_workload_dependency::Column::WorkloadId.eq(workload_id))
+        .filter(kube_app_catalog_workload_dependency::Column::DeletedAt.is_null())
+        .col_expr(
+            kube_app_catalog_workload_dependency::Column::DeletedAt,
+            Expr::value(timestamp),
+        )
+        .exec(conn)
+        .await?;
+
+    for name in configmaps {
+        kube_app_catalog_workload_dependency::ActiveModel {
+            id: ActiveValue::Set(Uuid::new_v4()),
+            created_at: ActiveValue::Set(timestamp),
+            deleted_at: ActiveValue::Set(None),
+            app_catalog_id: ActiveValue::Set(app_catalog_id),
+            workload_id: ActiveValue::Set(workload_id),
+            cluster_id: ActiveValue::Set(cluster_id),
+            namespace: ActiveValue::Set(namespace.to_owned()),
+            resource_name: ActiveValue::Set(name.clone()),
+            resource_type: ActiveValue::Set("configmap".to_string()),
+        }
+        .insert(conn)
+        .await?;
+    }
+
+    for name in secrets {
+        kube_app_catalog_workload_dependency::ActiveModel {
+            id: ActiveValue::Set(Uuid::new_v4()),
+            created_at: ActiveValue::Set(timestamp),
+            deleted_at: ActiveValue::Set(None),
+            app_catalog_id: ActiveValue::Set(app_catalog_id),
+            workload_id: ActiveValue::Set(workload_id),
+            cluster_id: ActiveValue::Set(cluster_id),
+            namespace: ActiveValue::Set(namespace.to_owned()),
+            resource_name: ActiveValue::Set(name.clone()),
+            resource_type: ActiveValue::Set("secret".to_string()),
+        }
+        .insert(conn)
+        .await?;
+    }
+
+    Ok(())
+}
+
+async fn replace_service_selectors_with_conn<C>(
+    conn: &C,
+    service_id: Uuid,
+    cluster_id: Uuid,
+    namespace: &str,
+    selectors: &BTreeMap<String, String>,
+    timestamp: DateTimeWithTimeZone,
+) -> Result<(), sea_orm::DbErr>
+where
+    C: ConnectionTrait + Send + Sync,
+{
+    kube_cluster_service_selector::Entity::update_many()
+        .filter(kube_cluster_service_selector::Column::ServiceId.eq(service_id))
+        .filter(kube_cluster_service_selector::Column::DeletedAt.is_null())
+        .col_expr(
+            kube_cluster_service_selector::Column::DeletedAt,
+            Expr::value(timestamp),
+        )
+        .exec(conn)
+        .await?;
+
+    for (key, value) in selectors {
+        kube_cluster_service_selector::ActiveModel {
+            id: ActiveValue::Set(Uuid::new_v4()),
+            created_at: ActiveValue::Set(timestamp),
+            deleted_at: ActiveValue::Set(None),
+            cluster_id: ActiveValue::Set(cluster_id),
+            namespace: ActiveValue::Set(namespace.to_owned()),
+            service_id: ActiveValue::Set(service_id),
+            label_key: ActiveValue::Set(key.clone()),
+            label_value: ActiveValue::Set(value.clone()),
+        }
+        .insert(conn)
+        .await?;
+    }
+
+    Ok(())
+}
+
+async fn mark_service_selectors_deleted_with_conn<C>(
+    conn: &C,
+    service_id: Uuid,
+    timestamp: DateTimeWithTimeZone,
+) -> Result<(), sea_orm::DbErr>
+where
+    C: ConnectionTrait + Send + Sync,
+{
+    kube_cluster_service_selector::Entity::update_many()
+        .filter(kube_cluster_service_selector::Column::ServiceId.eq(service_id))
+        .filter(kube_cluster_service_selector::Column::DeletedAt.is_null())
+        .col_expr(
+            kube_cluster_service_selector::Column::DeletedAt,
+            Expr::value(timestamp),
+        )
+        .exec(conn)
+        .await?;
+    Ok(())
+}
diff --git a/lapdev-db/src/lib.rs b/crates/db/src/lib.rs
similarity index 81%
rename from lapdev-db/src/lib.rs
rename to crates/db/src/lib.rs
index def59e5..990d414 100644
--- a/lapdev-db/src/lib.rs
+++ b/crates/db/src/lib.rs
@@ -1,15 +1,15 @@
 pub mod api;
-pub mod entities;
+// pub mod entities;
 pub mod links;
-pub mod migration;
 pub mod relations;
 
 pub mod tests {
     use anyhow::Result;
+    use lapdev_db_migration::Migrator;
     use sea_orm::Database;
     use sea_orm_migration::MigratorTrait;
 
-    use crate::{api::DbApi, migration::Migrator};
+    use crate::api::DbApi;
 
     pub async fn prepare_db() -> Result<DbApi> {
         let conn = Database::connect("sqlite::memory:").await?;
diff --git a/crates/db/src/links.rs b/crates/db/src/links.rs
new file mode 100644
index 0000000..41e7a72
--- /dev/null
+++ b/crates/db/src/links.rs
@@ -0,0 +1,15 @@
+use sea_orm::{Linked, RelationTrait};
+
+pub struct PrebuildToMachineType;
+
+impl Linked for PrebuildToMachineType {
+    type FromEntity = lapdev_db_entities::prebuild::Entity;
+    type ToEntity = lapdev_db_entities::machine_type::Entity;
+
+    fn link(&self) -> Vec<sea_orm::LinkDef> {
+        vec![
+            lapdev_db_entities::project::Relation::Prebuild.def().rev(),
+            lapdev_db_entities::project::Relation::MachineType.def(),
+        ]
+    }
+}
diff --git a/lapdev-db/src/relations.rs b/crates/db/src/relations.rs
similarity index 100%
rename from lapdev-db/src/relations.rs
rename to crates/db/src/relations.rs
diff --git a/crates/devbox-rpc/Cargo.toml b/crates/devbox-rpc/Cargo.toml
new file mode 100644
index 0000000..a3d578b
--- /dev/null
+++ b/crates/devbox-rpc/Cargo.toml
@@ -0,0 +1,13 @@
+[package]
+name = "lapdev-devbox-rpc"
+version.workspace = true
+authors.workspace = true
+edition.workspace = true
+license.workspace = true
+
+[dependencies]
+serde.workspace = true
+uuid.workspace = true
+tarpc.workspace = true
+chrono.workspace = true
+lapdev-common.workspace = true
diff --git a/crates/devbox-rpc/src/lib.rs b/crates/devbox-rpc/src/lib.rs
new file mode 100644
index 0000000..cefaa5d
--- /dev/null
+++ b/crates/devbox-rpc/src/lib.rs
@@ -0,0 +1,116 @@
+use lapdev_common::devbox::DirectTunnelConfig;
+use serde::{Deserialize, Serialize};
+use std::net::SocketAddr;
+use uuid::Uuid;
+
+// Devbox session RPC - Server to CLI
+// These are methods that the CLI can call on the server
+#[tarpc::service]
+pub trait DevboxSessionRpc {
+    async fn whoami() -> Result<DevboxSessionInfo, String>;
+
+    async fn get_active_environment() -> Result<Option<DevboxEnvironmentInfo>, String>;
+
+    async fn set_active_environment(environment_id: Uuid) -> Result<(), String>;
+
+    async fn heartbeat() -> Result<(), String>;
+
+    async fn list_workload_intercepts(
+        environment_id: Uuid,
+    ) -> Result<Vec<WorkloadInterceptInfo>, String>;
+
+    async fn list_services(environment_id: Uuid) -> Result<Vec<ServiceInfo>, String>;
+
+    async fn request_direct_client_config(
+        environment_id: Uuid,
+        stun_observed_addr: Option<SocketAddr>,
+    ) -> Result<Option<DirectTunnelConfig>, String>;
+
+    async fn update_device_name(device_name: String) -> Result<(), String>;
+}
+
+// Devbox client RPC - CLI to Server
+// These are methods that the server calls on the CLI
+#[tarpc::service]
+pub trait DevboxClientRpc {
+    async fn session_displaced(new_device_name: String);
+    async fn environment_changed(environment: Option<DevboxEnvironmentInfo>);
+    async fn ping() -> Result<(), String>;
+    async fn request_direct_config(
+        user_id: Uuid,
+        stun_observed_addr: Option<SocketAddr>,
+    ) -> Result<Option<DirectTunnelConfig>, String>;
+}
+
+// Devbox intercept control RPC - Dashboard/CLI to Server
+#[tarpc::service]
+pub trait DevboxInterceptRpc {
+    async fn start_workload_intercept(
+        workload_id: Uuid,
+        port_mappings: Vec<PortMappingOverride>,
+    ) -> Result<Uuid, String>;
+
+    async fn stop_workload_intercept(intercept_id: Uuid) -> Result<(), String>;
+}
+
+#[derive(Debug, Clone, Serialize, Deserialize)]
+pub struct DevboxSessionInfo {
+    pub user_id: Uuid,
+    pub email: String,
+    pub device_name: String,
+    pub created_at: chrono::DateTime<chrono::Utc>,
+    pub expires_at: chrono::DateTime<chrono::Utc>,
+    pub last_used_at: chrono::DateTime<chrono::Utc>,
+}
+
+#[derive(Debug, Clone, Serialize, Deserialize)]
+pub struct DevboxEnvironmentInfo {
+    pub environment_id: Uuid,
+    pub environment_name: String,
+    pub cluster_name: String,
+    pub namespace: String,
+}
+
+#[derive(Debug, Clone, Serialize, Deserialize)]
+pub struct WorkloadInterceptInfo {
+    pub intercept_id: Uuid,
+    pub workload_id: Uuid,
+    pub workload_name: String,
+    pub namespace: String,
+    pub port_mappings: Vec<PortMapping>,
+    pub created_at: chrono::DateTime<chrono::Utc>,
+    pub device_name: String,
+}
+
+#[derive(Debug, Clone, Serialize, Deserialize)]
+pub struct PortMapping {
+    pub workload_port: u16,
+    pub local_port: u16,
+    #[serde(default = "default_protocol")]
+    pub protocol: String,
+}
+
+fn default_protocol() -> String {
+    "TCP".to_string()
+}
+
+#[derive(Debug, Clone, Serialize, Deserialize)]
+pub struct PortMappingOverride {
+    pub workload_port: u16,
+    pub local_port: Option<u16>, // None means use same port as workload
+}
+
+#[derive(Debug, Clone, Serialize, Deserialize)]
+pub struct ServiceInfo {
+    pub name: String,
+    pub namespace: String,
+    pub ports: Vec<ServicePort>,
+}
+
+#[derive(Debug, Clone, Serialize, Deserialize)]
+pub struct ServicePort {
+    pub name: Option<String>,
+    pub port: u16,
+    #[serde(default = "default_protocol")]
+    pub protocol: String,
+}
diff --git a/lapdev-enterprise/Cargo.toml b/crates/enterprise/Cargo.toml
similarity index 93%
rename from lapdev-enterprise/Cargo.toml
rename to crates/enterprise/Cargo.toml
index 4e36c02..9b8dd0f 100644
--- a/lapdev-enterprise/Cargo.toml
+++ b/crates/enterprise/Cargo.toml
@@ -18,5 +18,6 @@ pasetors.workspace = true
 serde_json.workspace = true
 sea-orm.workspace = true
 lapdev-db.workspace = true
+lapdev-db-entities.workspace = true
 lapdev-rpc.workspace = true
 lapdev-common.workspace = true
diff --git a/lapdev-enterprise/LICENSE b/crates/enterprise/LICENSE
similarity index 100%
rename from lapdev-enterprise/LICENSE
rename to crates/enterprise/LICENSE
diff --git a/lapdev-enterprise/keys/public b/crates/enterprise/keys/public
similarity index 100%
rename from lapdev-enterprise/keys/public
rename to crates/enterprise/keys/public
diff --git a/crates/enterprise/src/auto_start_stop.rs b/crates/enterprise/src/auto_start_stop.rs
new file mode 100644
index 0000000..33a4644
--- /dev/null
+++ b/crates/enterprise/src/auto_start_stop.rs
@@ -0,0 +1,355 @@
+use std::{collections::HashMap, time::Duration};
+
+use anyhow::Result;
+use chrono::Utc;
+use lapdev_common::WorkspaceStatus;
+use lapdev_db::api::DbApi;
+use sea_orm::{
+    sea_query::{Expr, Query},
+    ColumnTrait, Condition, EntityTrait, QueryFilter,
+};
+
+pub struct AutoStartStop {
+    db: DbApi,
+}
+
+impl AutoStartStop {
+    pub fn new(db: DbApi) -> Self {
+        Self { db }
+    }
+
+    pub async fn get_organization_auto_stop(
+        &self,
+    ) -> Result<Vec<lapdev_db_entities::organization::Model>> {
+        let organizations: Vec<lapdev_db_entities::organization::Model> =
+            lapdev_db_entities::organization::Entity::update_many()
+                .col_expr(
+                    lapdev_db_entities::organization::Column::LastAutoStopCheck,
+                    Expr::value(Some(Utc::now())),
+                )
+                .filter(
+                    Condition::any().add(
+                        lapdev_db_entities::organization::Column::Id.in_subquery(
+                            Query::select()
+                                .column(lapdev_db_entities::organization::Column::Id)
+                                .from(lapdev_db_entities::organization::Entity)
+                                .and_where(lapdev_db_entities::organization::Column::DeletedAt.is_null())
+                                .and_where(
+                                    lapdev_db_entities::organization::Column::HasRunningWorkspace.eq(true),
+                                )
+                                .cond_where(
+                                    Condition::any()
+                                        .add(
+                                            lapdev_db_entities::organization::Column::LastAutoStopCheck
+                                                .lt(Utc::now() - Duration::from_secs(60)),
+                                        )
+                                        .add(
+                                            lapdev_db_entities::organization::Column::LastAutoStopCheck
+                                                .is_null(),
+                                        ),
+                                )
+                                .order_by(
+                                    lapdev_db_entities::organization::Column::LastAutoStopCheck,
+                                    sea_orm::Order::Asc,
+                                )
+                                .limit(1)
+                                .to_owned(),
+                        ),
+                    ),
+                )
+                .exec_with_returning(&self.db.conn)
+                .await?;
+        Ok(organizations)
+    }
+
+    pub async fn organization_auto_stop_workspaces(
+        &self,
+        org: &lapdev_db_entities::organization::Model,
+    ) -> Result<Vec<lapdev_db_entities::workspace::Model>> {
+        let workspaces = match (org.auto_stop, org.allow_workspace_change_auto_stop) {
+            (None, false) => {
+                // auto stop is not set and we don't allow workspace to set their own
+                return Ok(vec![]);
+            }
+            (Some(timeout), false) => {
+                lapdev_db_entities::workspace::Entity::find()
+                    .filter(
+                        lapdev_db_entities::workspace::Column::Status
+                            .eq(WorkspaceStatus::Running.to_string()),
+                    )
+                    .filter(lapdev_db_entities::workspace::Column::DeletedAt.is_null())
+                    .filter(
+                        lapdev_db_entities::workspace::Column::LastInactivity
+                            .lt(Utc::now() - Duration::from_secs(timeout as u64)),
+                    )
+                    .all(&self.db.conn)
+                    .await?
+            }
+            (_, true) => {
+                let mut workspaces = lapdev_db_entities::workspace::Entity::find()
+                    .filter(
+                        lapdev_db_entities::workspace::Column::Status
+                            .eq(WorkspaceStatus::Running.to_string()),
+                    )
+                    .filter(lapdev_db_entities::workspace::Column::DeletedAt.is_null())
+                    .filter(lapdev_db_entities::workspace::Column::LastInactivity.is_not_null())
+                    .filter(lapdev_db_entities::workspace::Column::AutoStop.is_not_null())
+                    .all(&self.db.conn)
+                    .await?;
+                workspaces.retain(|w| {
+                    let Some(last_inactivity) = w.last_inactivity else {
+                        return false;
+                    };
+
+                    let Some(auto_stop) = w.auto_stop else {
+                        return false;
+                    };
+
+                    (Utc::now() - last_inactivity.with_timezone(&Utc)).num_seconds()
+                        > auto_stop as i64
+                });
+                workspaces
+            }
+        };
+
+        let services = workspaces
+            .iter()
+            .filter_map(|ws| {
+                if ws.is_compose && ws.compose_parent.is_some() {
+                    Some((ws.id, ws.id))
+                } else {
+                    None
+                }
+            })
+            .collect::<HashMap<_, _>>();
+
+        let mut remaining = Vec::new();
+        for ws in workspaces {
+            if !ws.is_compose {
+                remaining.push(ws);
+            } else if ws.compose_parent.is_none() {
+                let children = lapdev_db_entities::workspace::Entity::find()
+                    .filter(lapdev_db_entities::workspace::Column::DeletedAt.is_null())
+                    .filter(lapdev_db_entities::workspace::Column::ComposeParent.eq(ws.id))
+                    .all(&self.db.conn)
+                    .await?;
+                if children.iter().all(|ws| services.contains_key(&ws.id)) {
+                    // only stop the workspace if all services had inactivity timeout
+                    remaining.push(ws);
+                }
+            }
+        }
+
+        Ok(remaining)
+    }
+
+    pub async fn can_workspace_auto_start(
+        &self,
+        ws: &lapdev_db_entities::workspace::Model,
+    ) -> Result<bool> {
+        let org = self.db.get_organization(ws.organization_id).await?;
+        let auto_start = if org.allow_workspace_change_auto_start {
+            ws.auto_start
+        } else {
+            org.auto_start
+        };
+        Ok(auto_start)
+    }
+}
+
+#[cfg(test)]
+pub mod tests {
+    use std::time::Duration;
+
+    use chrono::Utc;
+    use lapdev_common::{utils, WorkspaceHostStatus, WorkspaceStatus};
+    use sea_orm::{ActiveModelTrait, ActiveValue};
+    use uuid::Uuid;
+
+    use crate::tests::prepare_enterprise;
+
+    // #[tokio::test]
+    // async fn test_organization_auto_stop_workspaces() {
+    //     let enterprise = prepare_enterprise().await.unwrap();
+
+    //     let db = enterprise.auto_start_stop.db.clone();
+
+    //     let user_id = Uuid::new_v4();
+
+    //     let workspace_host = lapdev_db_entities::workspace_host::ActiveModel {
+    //         id: ActiveValue::Set(Uuid::new_v4()),
+    //         host: ActiveValue::Set("".to_string()),
+    //         port: ActiveValue::Set(6123),
+    //         inter_port: ActiveValue::Set(6122),
+    //         cpu: ActiveValue::Set(12),
+    //         memory: ActiveValue::Set(64),
+    //         disk: ActiveValue::Set(1000),
+    //         status: ActiveValue::Set(WorkspaceHostStatus::Active.to_string()),
+    //         available_shared_cpu: ActiveValue::Set(12),
+    //         available_dedicated_cpu: ActiveValue::Set(12),
+    //         available_memory: ActiveValue::Set(64),
+    //         available_disk: ActiveValue::Set(1000),
+    //         region: ActiveValue::Set("".to_string()),
+    //         zone: ActiveValue::Set("".to_string()),
+    //         ..Default::default()
+    //     }
+    //     .insert(&db.conn)
+    //     .await
+    //     .unwrap();
+    //     let machine_type = lapdev_db_entities::machine_type::ActiveModel {
+    //         id: ActiveValue::Set(Uuid::new_v4()),
+    //         name: ActiveValue::Set("".to_string()),
+    //         shared: ActiveValue::Set(true),
+    //         cpu: ActiveValue::Set(2),
+    //         memory: ActiveValue::Set(8),
+    //         disk: ActiveValue::Set(10),
+    //         cost_per_second: ActiveValue::Set(1),
+    //         ..Default::default()
+    //     }
+    //     .insert(&db.conn)
+    //     .await
+    //     .unwrap();
+
+    //     let org = lapdev_db_entities::organization::ActiveModel {
+    //         id: ActiveValue::Set(uuid::Uuid::new_v4()),
+    //         name: ActiveValue::Set("Personal".to_string()),
+    //         auto_start: ActiveValue::Set(true),
+    //         auto_stop: ActiveValue::Set(Some(3600)),
+    //         allow_workspace_change_auto_start: ActiveValue::Set(true),
+    //         allow_workspace_change_auto_stop: ActiveValue::Set(false),
+    //         usage_limit: ActiveValue::Set(108000),
+    //         running_workspace_limit: ActiveValue::Set(3),
+    //         has_running_workspace: ActiveValue::Set(false),
+    //         deleted_at: ActiveValue::Set(None),
+    //         last_auto_stop_check: ActiveValue::Set(None),
+    //         max_cpu: ActiveValue::Set(4),
+    //     }
+    //     .insert(&db.conn)
+    //     .await
+    //     .unwrap();
+
+    //     lapdev_db_entities::workspace::ActiveModel {
+    //         id: ActiveValue::Set(Uuid::new_v4()),
+    //         updated_at: ActiveValue::Set(None),
+    //         deleted_at: ActiveValue::Set(None),
+    //         name: ActiveValue::Set(utils::rand_string(10)),
+    //         created_at: ActiveValue::Set(Utc::now().into()),
+    //         status: ActiveValue::Set(WorkspaceStatus::Running.to_string()),
+    //         repo_url: ActiveValue::Set("".to_string()),
+    //         repo_name: ActiveValue::Set("".to_string()),
+    //         branch: ActiveValue::Set("".to_string()),
+    //         commit: ActiveValue::Set("".to_string()),
+    //         organization_id: ActiveValue::Set(org.id),
+    //         user_id: ActiveValue::Set(user_id),
+    //         project_id: ActiveValue::Set(None),
+    //         host_id: ActiveValue::Set(workspace_host.id),
+    //         osuser: ActiveValue::Set("".to_string()),
+    //         ssh_private_key: ActiveValue::Set("".to_string()),
+    //         ssh_public_key: ActiveValue::Set("".to_string()),
+    //         cores: ActiveValue::Set(serde_json::to_string(&[1, 2]).unwrap()),
+    //         ssh_port: ActiveValue::Set(None),
+    //         ide_port: ActiveValue::Set(None),
+    //         prebuild_id: ActiveValue::Set(None),
+    //         service: ActiveValue::Set(None),
+    //         usage_id: ActiveValue::Set(None),
+    //         machine_type_id: ActiveValue::Set(machine_type.id),
+    //         last_inactivity: ActiveValue::Set(None),
+    //         auto_stop: ActiveValue::Set(None),
+    //         auto_start: ActiveValue::Set(true),
+    //         env: ActiveValue::Set(None),
+    //         build_output: ActiveValue::Set(None),
+    //         is_compose: ActiveValue::Set(false),
+    //         compose_parent: ActiveValue::Set(None),
+    //         pinned: ActiveValue::Set(false),
+    //     }
+    //     .insert(&enterprise.auto_start_stop.db.conn)
+    //     .await
+    //     .unwrap();
+
+    //     let worksapces = enterprise
+    //         .auto_start_stop
+    //         .organization_auto_stop_workspaces(&org)
+    //         .await
+    //         .unwrap();
+    //     assert!(worksapces.is_empty());
+
+    //     let ws = lapdev_db_entities::workspace::ActiveModel {
+    //         id: ActiveValue::Set(Uuid::new_v4()),
+    //         updated_at: ActiveValue::Set(None),
+    //         deleted_at: ActiveValue::Set(None),
+    //         name: ActiveValue::Set(utils::rand_string(10)),
+    //         created_at: ActiveValue::Set(Utc::now().into()),
+    //         status: ActiveValue::Set(WorkspaceStatus::Running.to_string()),
+    //         repo_url: ActiveValue::Set("".to_string()),
+    //         repo_name: ActiveValue::Set("".to_string()),
+    //         branch: ActiveValue::Set("".to_string()),
+    //         commit: ActiveValue::Set("".to_string()),
+    //         organization_id: ActiveValue::Set(org.id),
+    //         user_id: ActiveValue::Set(user_id),
+    //         project_id: ActiveValue::Set(None),
+    //         host_id: ActiveValue::Set(workspace_host.id),
+    //         osuser: ActiveValue::Set("".to_string()),
+    //         ssh_private_key: ActiveValue::Set("".to_string()),
+    //         ssh_public_key: ActiveValue::Set("".to_string()),
+    //         cores: ActiveValue::Set(serde_json::to_string(&[1, 2]).unwrap()),
+    //         ssh_port: ActiveValue::Set(None),
+    //         ide_port: ActiveValue::Set(None),
+    //         prebuild_id: ActiveValue::Set(None),
+    //         service: ActiveValue::Set(None),
+    //         usage_id: ActiveValue::Set(None),
+    //         machine_type_id: ActiveValue::Set(machine_type.id),
+    //         last_inactivity: ActiveValue::Set(Some(
+    //             (Utc::now() - Duration::from_secs(3700)).into(),
+    //         )),
+    //         auto_stop: ActiveValue::Set(None),
+    //         auto_start: ActiveValue::Set(true),
+    //         env: ActiveValue::Set(None),
+    //         build_output: ActiveValue::Set(None),
+    //         is_compose: ActiveValue::Set(false),
+    //         compose_parent: ActiveValue::Set(None),
+    //         pinned: ActiveValue::Set(false),
+    //     }
+    //     .insert(&enterprise.auto_start_stop.db.conn)
+    //     .await
+    //     .unwrap();
+
+    //     let worksapces = enterprise
+    //         .auto_start_stop
+    //         .organization_auto_stop_workspaces(&org)
+    //         .await
+    //         .unwrap();
+    //     assert_eq!(worksapces.len(), 1);
+
+    //     let org = lapdev_db_entities::organization::ActiveModel {
+    //         id: ActiveValue::Set(org.id),
+    //         allow_workspace_change_auto_stop: ActiveValue::Set(true),
+    //         ..Default::default()
+    //     }
+    //     .update(&db.conn)
+    //     .await
+    //     .unwrap();
+
+    //     let worksapces = enterprise
+    //         .auto_start_stop
+    //         .organization_auto_stop_workspaces(&org)
+    //         .await
+    //         .unwrap();
+    //     assert_eq!(worksapces.len(), 0);
+
+    //     lapdev_db_entities::workspace::ActiveModel {
+    //         id: ActiveValue::Set(ws.id),
+    //         auto_stop: ActiveValue::Set(Some(3600)),
+    //         ..Default::default()
+    //     }
+    //     .update(&db.conn)
+    //     .await
+    //     .unwrap();
+
+    //     let worksapces = enterprise
+    //         .auto_start_stop
+    //         .organization_auto_stop_workspaces(&org)
+    //         .await
+    //         .unwrap();
+    //     assert_eq!(worksapces.len(), 1);
+    // }
+}
diff --git a/lapdev-enterprise/src/enterprise.rs b/crates/enterprise/src/enterprise.rs
similarity index 92%
rename from lapdev-enterprise/src/enterprise.rs
rename to crates/enterprise/src/enterprise.rs
index 6c5e297..fcc64b5 100644
--- a/lapdev-enterprise/src/enterprise.rs
+++ b/crates/enterprise/src/enterprise.rs
@@ -4,7 +4,7 @@ use anyhow::Result;
 use chrono::{DateTime, FixedOffset, Utc};
 use lapdev_common::{AuditLogRecord, LAPDEV_BASE_HOSTNAME};
 use lapdev_common::{AuditLogResult, QuotaKind, QuotaResult};
-use lapdev_db::{api::DbApi, entities};
+use lapdev_db::api::DbApi;
 use lapdev_rpc::error::ApiError;
 use sea_orm::{
     ActiveModelTrait, ActiveValue, ColumnTrait, DatabaseTransaction, EntityTrait, PaginatorTrait,
@@ -47,7 +47,7 @@ impl Enterprise {
 
     pub async fn check_organization_limit(
         &self,
-        organization: &entities::organization::Model,
+        organization: &lapdev_db_entities::organization::Model,
         user_id: Uuid,
     ) -> Result<(), ApiError> {
         if !self.license.has_valid().await {
@@ -262,12 +262,12 @@ impl Enterprise {
         page_size: u64,
         page: u64,
     ) -> Result<AuditLogResult> {
-        let result = entities::audit_log::Entity::find()
-            .find_also_related(entities::user::Entity)
-            .filter(entities::audit_log::Column::OrganizationId.eq(organization))
-            .filter(entities::audit_log::Column::Time.gte(start))
-            .filter(entities::audit_log::Column::Time.lte(end))
-            .order_by_desc(entities::audit_log::Column::Time)
+        let result = lapdev_db_entities::audit_log::Entity::find()
+            .find_also_related(lapdev_db_entities::user::Entity)
+            .filter(lapdev_db_entities::audit_log::Column::OrganizationId.eq(organization))
+            .filter(lapdev_db_entities::audit_log::Column::Time.gte(start))
+            .filter(lapdev_db_entities::audit_log::Column::Time.lte(end))
+            .order_by_desc(lapdev_db_entities::audit_log::Column::Time)
             .paginate(&self.db.conn, page_size);
 
         let items_and_pages = result.num_items_and_pages().await?;
@@ -308,8 +308,8 @@ impl Enterprise {
         action: String,
         ip: Option<String>,
         user_agent: Option<String>,
-    ) -> Result<entities::audit_log::Model> {
-        Ok(entities::audit_log::ActiveModel {
+    ) -> Result<lapdev_db_entities::audit_log::Model> {
+        Ok(lapdev_db_entities::audit_log::ActiveModel {
             time: ActiveValue::Set(time),
             user_id: ActiveValue::Set(user_id),
             organization_id: ActiveValue::Set(org_id),
@@ -326,10 +326,10 @@ impl Enterprise {
     }
 
     pub async fn get_hostnames(&self) -> Result<HashMap<String, String>> {
-        let regions: Vec<Option<String>> = entities::workspace_host::Entity::find()
-            .filter(entities::workspace_host::Column::DeletedAt.is_null())
+        let regions: Vec<Option<String>> = lapdev_db_entities::workspace_host::Entity::find()
+            .filter(lapdev_db_entities::workspace_host::Column::DeletedAt.is_null())
             .select_only()
-            .column_as(entities::workspace_host::Column::Region, "region")
+            .column_as(lapdev_db_entities::workspace_host::Column::Region, "region")
             .distinct()
             .into_tuple()
             .all(&self.db.conn)
diff --git a/lapdev-enterprise/src/lib.rs b/crates/enterprise/src/lib.rs
similarity index 100%
rename from lapdev-enterprise/src/lib.rs
rename to crates/enterprise/src/lib.rs
diff --git a/lapdev-enterprise/src/license.rs b/crates/enterprise/src/license.rs
similarity index 100%
rename from lapdev-enterprise/src/license.rs
rename to crates/enterprise/src/license.rs
diff --git a/crates/enterprise/src/quota.rs b/crates/enterprise/src/quota.rs
new file mode 100644
index 0000000..0ec499f
--- /dev/null
+++ b/crates/enterprise/src/quota.rs
@@ -0,0 +1,726 @@
+use anyhow::Result;
+use chrono::Utc;
+use lapdev_common::{
+    OrgQuota, OrgQuotaValue, QuotaKind, QuotaLevel, QuotaResult, QuotaValue, WorkspaceStatus,
+};
+use lapdev_db::api::DbApi;
+use sea_orm::{
+    sea_query::OnConflict, ActiveValue, ColumnTrait, Condition, DatabaseTransaction, EntityTrait,
+    PaginatorTrait, QueryFilter, QuerySelect,
+};
+use uuid::Uuid;
+
+use crate::usage::Usage;
+
+pub struct Quota {
+    usage: Usage,
+    db: DbApi,
+}
+
+impl Quota {
+    pub fn new(usage: Usage, db: DbApi) -> Self {
+        Self { usage, db }
+    }
+
+    async fn quota_value(
+        &self,
+        txn: &DatabaseTransaction,
+        kind: &QuotaKind,
+        organization: Uuid,
+        user: Uuid,
+    ) -> Result<QuotaValue> {
+        // lock on quota rows so that we don't calculate the existing
+        // resources at the same time
+        let default_user = Uuid::from_u128(0);
+        let quotas = lapdev_db_entities::quota::Entity::find()
+            .filter(lapdev_db_entities::quota::Column::DeletedAt.is_null())
+            .filter(lapdev_db_entities::quota::Column::Organization.eq(organization))
+            .filter(lapdev_db_entities::quota::Column::Kind.eq(kind.to_string()))
+            .filter(
+                Condition::any()
+                    .add(lapdev_db_entities::quota::Column::User.is_null())
+                    .add(lapdev_db_entities::quota::Column::User.eq(Some(user)))
+                    .add(lapdev_db_entities::quota::Column::User.eq(Some(default_user))),
+            )
+            .lock_exclusive()
+            .all(txn)
+            .await?;
+
+        let mut value = QuotaValue {
+            kind: kind.to_owned(),
+            user: 0,
+            organization: 0,
+        };
+
+        for quota in &quotas {
+            if quota.user.is_none() && quota.value > 0 {
+                value.organization = quota.value as usize;
+            } else if quota.user == Some(user) && quota.value > 0 {
+                value.user = quota.value as usize;
+            }
+        }
+
+        if value.user == 0 {
+            // we haven't got a user specific quota, so we do another pass to find
+            // default user quota
+            for quota in &quotas {
+                if quota.user == Some(default_user) && quota.value > 0 {
+                    value.user = quota.value as usize;
+                }
+            }
+        }
+
+        Ok(value)
+    }
+
+    async fn do_check(
+        &self,
+        quota: QuotaValue,
+        organization: Uuid,
+        user: Uuid,
+    ) -> Result<Option<QuotaResult>> {
+        if quota.user > 0 {
+            let n = self
+                .get_user_existing(&quota.kind, organization, user)
+                .await?;
+            if n >= quota.user {
+                return Ok(Some(QuotaResult {
+                    kind: quota.kind,
+                    level: QuotaLevel::User,
+                    existing: n,
+                    quota: quota.user,
+                }));
+            }
+        }
+
+        if quota.organization > 0 {
+            let n = self
+                .get_organization_existing(&quota.kind, organization)
+                .await?;
+            if n >= quota.organization {
+                return Ok(Some(QuotaResult {
+                    kind: quota.kind,
+                    level: QuotaLevel::Organization,
+                    existing: n,
+                    quota: quota.organization,
+                }));
+            }
+        }
+
+        Ok(None)
+    }
+
+    pub(crate) async fn check(
+        &self,
+        txn: &DatabaseTransaction,
+        kind: QuotaKind,
+        organization: Uuid,
+        user: Uuid,
+    ) -> Result<Option<QuotaResult>> {
+        let quota = self.quota_value(txn, &kind, organization, user).await?;
+        self.do_check(quota, organization, user).await
+    }
+
+    async fn update(
+        &self,
+        txn: &DatabaseTransaction,
+        organization: Uuid,
+        user: Option<Uuid>,
+        kind: &QuotaKind,
+        value: usize,
+    ) -> Result<lapdev_db_entities::quota::Model> {
+        let model = lapdev_db_entities::quota::ActiveModel {
+            id: ActiveValue::set(Uuid::new_v4()),
+            created_at: ActiveValue::Set(Utc::now().into()),
+            deleted_at: ActiveValue::Set(None),
+            kind: ActiveValue::Set(kind.to_string()),
+            value: ActiveValue::Set(value as i32),
+            organization: ActiveValue::Set(organization),
+            user: ActiveValue::Set(user),
+        };
+        let model = lapdev_db_entities::quota::Entity::insert(model)
+            .on_conflict(
+                OnConflict::columns([
+                    lapdev_db_entities::quota::Column::DeletedAt,
+                    lapdev_db_entities::quota::Column::Organization,
+                    lapdev_db_entities::quota::Column::User,
+                    lapdev_db_entities::quota::Column::Kind,
+                ])
+                .update_column(lapdev_db_entities::quota::Column::Value)
+                .to_owned(),
+            )
+            .exec_with_returning(txn)
+            .await?;
+        Ok(model)
+    }
+
+    pub async fn update_for_organization(
+        &self,
+        txn: &DatabaseTransaction,
+        organization: Uuid,
+        kind: QuotaKind,
+        value: usize,
+    ) -> Result<lapdev_db_entities::quota::Model> {
+        self.update(txn, organization, None, &kind, value).await
+    }
+
+    pub async fn update_for_default_user(
+        &self,
+        txn: &DatabaseTransaction,
+        organization: Uuid,
+        kind: QuotaKind,
+        value: usize,
+    ) -> Result<lapdev_db_entities::quota::Model> {
+        self.update(txn, organization, Some(Uuid::from_u128(0)), &kind, value)
+            .await
+    }
+
+    pub async fn update_for_user(
+        &self,
+        txn: &DatabaseTransaction,
+        organization: Uuid,
+        user: Uuid,
+        kind: QuotaKind,
+        value: usize,
+    ) -> Result<lapdev_db_entities::quota::Model> {
+        self.update(txn, organization, Some(user), &kind, value)
+            .await
+    }
+
+    async fn get_user_existing(
+        &self,
+        kind: &QuotaKind,
+        organization: Uuid,
+        user: Uuid,
+    ) -> Result<usize> {
+        let existing = match kind {
+            QuotaKind::Workspace => {
+                lapdev_db_entities::workspace::Entity::find()
+                    .filter(lapdev_db_entities::workspace::Column::DeletedAt.is_null())
+                    .filter(lapdev_db_entities::workspace::Column::OrganizationId.eq(organization))
+                    .filter(lapdev_db_entities::workspace::Column::UserId.eq(user))
+                    .count(&self.db.conn)
+                    .await? as usize
+            }
+            QuotaKind::RunningWorkspace => {
+                lapdev_db_entities::workspace::Entity::find()
+                    .filter(lapdev_db_entities::workspace::Column::DeletedAt.is_null())
+                    .filter(lapdev_db_entities::workspace::Column::OrganizationId.eq(organization))
+                    .filter(lapdev_db_entities::workspace::Column::UserId.eq(user))
+                    .filter(
+                        lapdev_db_entities::workspace::Column::Status
+                            .ne(WorkspaceStatus::Stopped.to_string()),
+                    )
+                    .filter(lapdev_db_entities::workspace::Column::ComposeParent.is_null())
+                    .count(&self.db.conn)
+                    .await? as usize
+            }
+            QuotaKind::Project => 0,
+            QuotaKind::DailyCost => {
+                self.usage
+                    .get_daily_cost(organization, Some(user), None, Utc::now().into(), None)
+                    .await?
+            }
+            QuotaKind::MonthlyCost => {
+                self.usage
+                    .get_monthly_cost(organization, Some(user), None, Utc::now().into(), None)
+                    .await?
+            }
+        };
+        Ok(existing)
+    }
+
+    pub async fn get_organization_existing(
+        &self,
+        kind: &QuotaKind,
+        organization: Uuid,
+    ) -> Result<usize> {
+        let existing = match kind {
+            QuotaKind::Workspace => {
+                lapdev_db_entities::workspace::Entity::find()
+                    .filter(lapdev_db_entities::workspace::Column::DeletedAt.is_null())
+                    .filter(lapdev_db_entities::workspace::Column::OrganizationId.eq(organization))
+                    .count(&self.db.conn)
+                    .await? as usize
+            }
+            QuotaKind::RunningWorkspace => {
+                lapdev_db_entities::workspace::Entity::find()
+                    .filter(lapdev_db_entities::workspace::Column::DeletedAt.is_null())
+                    .filter(lapdev_db_entities::workspace::Column::OrganizationId.eq(organization))
+                    .filter(
+                        lapdev_db_entities::workspace::Column::Status
+                            .ne(WorkspaceStatus::Stopped.to_string()),
+                    )
+                    .filter(lapdev_db_entities::workspace::Column::ComposeParent.is_null())
+                    .count(&self.db.conn)
+                    .await? as usize
+            }
+            QuotaKind::Project => {
+                lapdev_db_entities::project::Entity::find()
+                    .filter(lapdev_db_entities::project::Column::DeletedAt.is_null())
+                    .filter(lapdev_db_entities::project::Column::OrganizationId.eq(organization))
+                    .count(&self.db.conn)
+                    .await? as usize
+            }
+            QuotaKind::DailyCost => {
+                self.usage
+                    .get_daily_cost(organization, None, None, Utc::now().into(), None)
+                    .await?
+                    / 60
+                    / 60
+            }
+            QuotaKind::MonthlyCost => {
+                self.usage
+                    .get_monthly_cost(organization, None, None, Utc::now().into(), None)
+                    .await?
+                    / 60
+                    / 60
+            }
+        };
+        Ok(existing)
+    }
+
+    pub async fn get_org_quota(&self, organization: Uuid) -> Result<OrgQuota> {
+        let org_quota = OrgQuota {
+            workspace: self
+                .get_org_quota_value(organization, QuotaKind::Workspace)
+                .await?,
+            running_workspace: self
+                .get_org_quota_value(organization, QuotaKind::RunningWorkspace)
+                .await?,
+            project: self
+                .get_org_quota_value(organization, QuotaKind::Project)
+                .await?,
+            daily_cost: self
+                .get_org_quota_value(organization, QuotaKind::DailyCost)
+                .await?,
+            monthly_cost: self
+                .get_org_quota_value(organization, QuotaKind::MonthlyCost)
+                .await?,
+        };
+
+        Ok(org_quota)
+    }
+
+    async fn get_org_quota_value(
+        &self,
+        organization: Uuid,
+        quota_kind: QuotaKind,
+    ) -> Result<OrgQuotaValue> {
+        let existing = self
+            .get_organization_existing(&quota_kind, organization)
+            .await?;
+
+        let org_quota = lapdev_db_entities::quota::Entity::find()
+            .filter(lapdev_db_entities::quota::Column::DeletedAt.is_null())
+            .filter(lapdev_db_entities::quota::Column::Organization.eq(organization))
+            .filter(lapdev_db_entities::quota::Column::Kind.eq(quota_kind.to_string()))
+            .filter(lapdev_db_entities::quota::Column::User.is_null())
+            .one(&self.db.conn)
+            .await?
+            .map(|q| q.value as usize)
+            .unwrap_or(0);
+        let default_user = Uuid::from_u128(0);
+        let default_user_quota = lapdev_db_entities::quota::Entity::find()
+            .filter(lapdev_db_entities::quota::Column::DeletedAt.is_null())
+            .filter(lapdev_db_entities::quota::Column::Organization.eq(organization))
+            .filter(lapdev_db_entities::quota::Column::Kind.eq(quota_kind.to_string()))
+            .filter(lapdev_db_entities::quota::Column::User.eq(Some(default_user)))
+            .one(&self.db.conn)
+            .await?
+            .map(|q| q.value as usize)
+            .unwrap_or(0);
+        Ok(OrgQuotaValue {
+            existing,
+            org_quota,
+            default_user_quota,
+        })
+    }
+}
+
+#[cfg(test)]
+pub mod tests {
+    use anyhow::Result;
+    use chrono::Utc;
+    use lapdev_common::{
+        utils, AuthProvider, ProviderUser, QuotaKind, QuotaLevel, WorkspaceHostStatus,
+        WorkspaceStatus,
+    };
+    use lapdev_db::api::DbApi;
+    use sea_orm::{ActiveModelTrait, ActiveValue, TransactionTrait};
+    use uuid::Uuid;
+
+    use crate::tests::prepare_enterprise;
+
+    async fn insert_workspace_host(
+        db: &DbApi,
+    ) -> Result<lapdev_db_entities::workspace_host::Model> {
+        Ok(lapdev_db_entities::workspace_host::ActiveModel {
+            id: ActiveValue::Set(Uuid::new_v4()),
+            host: ActiveValue::Set("".to_string()),
+            port: ActiveValue::Set(6123),
+            inter_port: ActiveValue::Set(6122),
+            cpu: ActiveValue::Set(12),
+            memory: ActiveValue::Set(64),
+            disk: ActiveValue::Set(1000),
+            status: ActiveValue::Set(WorkspaceHostStatus::Active.to_string()),
+            available_shared_cpu: ActiveValue::Set(12),
+            available_dedicated_cpu: ActiveValue::Set(12),
+            available_memory: ActiveValue::Set(64),
+            available_disk: ActiveValue::Set(1000),
+            region: ActiveValue::Set("".to_string()),
+            zone: ActiveValue::Set("".to_string()),
+            ..Default::default()
+        }
+        .insert(&db.conn)
+        .await?)
+    }
+
+    async fn insert_machine_type(db: &DbApi) -> Result<lapdev_db_entities::machine_type::Model> {
+        Ok(lapdev_db_entities::machine_type::ActiveModel {
+            id: ActiveValue::Set(Uuid::new_v4()),
+            name: ActiveValue::Set("".to_string()),
+            shared: ActiveValue::Set(true),
+            cpu: ActiveValue::Set(2),
+            memory: ActiveValue::Set(8),
+            disk: ActiveValue::Set(10),
+            cost_per_second: ActiveValue::Set(1),
+            ..Default::default()
+        }
+        .insert(&db.conn)
+        .await?)
+    }
+
+    // async fn insert_workspace(
+    //     db: &DbApi,
+    //     organization: Uuid,
+    //     user: Uuid,
+    //     status: Option<WorkspaceStatus>,
+    //     workspace_host_id: Uuid,
+    //     machine_type_id: Uuid,
+    // ) -> Result<lapdev_db_entities::workspace::Model> {
+    //     let ws = lapdev_db_entities::workspace::ActiveModel {
+    //         id: ActiveValue::Set(Uuid::new_v4()),
+    //         updated_at: ActiveValue::Set(None),
+    //         deleted_at: ActiveValue::Set(None),
+    //         name: ActiveValue::Set(utils::rand_string(10)),
+    //         created_at: ActiveValue::Set(Utc::now().into()),
+    //         status: ActiveValue::Set(status.unwrap_or(WorkspaceStatus::New).to_string()),
+    //         repo_url: ActiveValue::Set("".to_string()),
+    //         repo_name: ActiveValue::Set("".to_string()),
+    //         branch: ActiveValue::Set("".to_string()),
+    //         commit: ActiveValue::Set("".to_string()),
+    //         organization_id: ActiveValue::Set(organization),
+    //         user_id: ActiveValue::Set(user),
+    //         project_id: ActiveValue::Set(None),
+    //         host_id: ActiveValue::Set(workspace_host_id),
+    //         osuser: ActiveValue::Set("".to_string()),
+    //         ssh_private_key: ActiveValue::Set("".to_string()),
+    //         ssh_public_key: ActiveValue::Set("".to_string()),
+    //         cores: ActiveValue::Set(serde_json::to_string(&[1, 2])?),
+    //         ssh_port: ActiveValue::Set(None),
+    //         ide_port: ActiveValue::Set(None),
+    //         prebuild_id: ActiveValue::Set(None),
+    //         service: ActiveValue::Set(None),
+    //         usage_id: ActiveValue::Set(None),
+    //         machine_type_id: ActiveValue::Set(machine_type_id),
+    //         last_inactivity: ActiveValue::Set(None),
+    //         auto_stop: ActiveValue::Set(None),
+    //         auto_start: ActiveValue::Set(true),
+    //         env: ActiveValue::Set(None),
+    //         build_output: ActiveValue::Set(None),
+    //         is_compose: ActiveValue::Set(false),
+    //         compose_parent: ActiveValue::Set(None),
+    //         pinned: ActiveValue::Set(false),
+    //     };
+    //     let ws = ws.insert(&db.conn).await?;
+    //     Ok(ws)
+    // }
+
+    // #[tokio::test]
+    // async fn test_insert_quota() {
+    //     let enterprise = prepare_enterprise().await.unwrap();
+    //     let user = uuid::Uuid::new_v4();
+    //     let organization = uuid::Uuid::new_v4();
+    //     let db = enterprise.quota.db.clone();
+    //     let txn = db.conn.begin().await.unwrap();
+    //     let quota = enterprise
+    //         .quota
+    //         .update_for_user(&txn, organization, user, QuotaKind::Workspace, 10)
+    //         .await
+    //         .unwrap();
+    //     assert_eq!(quota.user, Some(user));
+    //     assert_eq!(quota.organization, organization);
+    //     assert_eq!(quota.kind, QuotaKind::Workspace.to_string());
+    //     assert_eq!(quota.value, 10);
+    // }
+
+    // #[tokio::test]
+    // async fn test_update_quota() {
+    //     let enterprise = prepare_enterprise().await.unwrap();
+    //     let user = uuid::Uuid::new_v4();
+    //     let organization = uuid::Uuid::new_v4();
+    //     let db = enterprise.quota.db.clone();
+    //     let txn = db.conn.begin().await.unwrap();
+    //     let quota = enterprise
+    //         .quota
+    //         .update_for_user(&txn, organization, user, QuotaKind::Workspace, 10)
+    //         .await
+    //         .unwrap();
+    //     assert_eq!(quota.user, Some(user));
+    //     assert_eq!(quota.organization, organization);
+    //     assert_eq!(quota.kind, QuotaKind::Workspace.to_string());
+    //     assert_eq!(quota.value, 10);
+
+    //     let quota = enterprise
+    //         .quota
+    //         .update_for_user(&txn, organization, user, QuotaKind::Workspace, 20)
+    //         .await
+    //         .unwrap();
+    //     assert_eq!(quota.user, Some(user));
+    //     assert_eq!(quota.organization, organization);
+    //     assert_eq!(quota.kind, QuotaKind::Workspace.to_string());
+    //     assert_eq!(quota.value, 20);
+    // }
+
+    // #[tokio::test]
+    // async fn test_workspace_quota() {
+    //     let enterprise = prepare_enterprise().await.unwrap();
+    //     let db = enterprise.quota.db.clone();
+    //     let txn = db.conn.begin().await.unwrap();
+    //     let user = db
+    //         .create_new_user(
+    //             &txn,
+    //             &AuthProvider::Github,
+    //             ProviderUser {
+    //                 avatar_url: None,
+    //                 email: None,
+    //                 id: 0,
+    //                 login: "test".to_string(),
+    //                 name: None,
+    //             },
+    //             "".to_string(),
+    //         )
+    //         .await
+    //         .unwrap();
+    //     enterprise
+    //         .quota
+    //         .update_for_user(
+    //             &txn,
+    //             user.current_organization,
+    //             user.id,
+    //             QuotaKind::Workspace,
+    //             10,
+    //         )
+    //         .await
+    //         .unwrap();
+    //     txn.commit().await.unwrap();
+
+    //     let workspace_host = insert_workspace_host(&db).await.unwrap();
+    //     let machine_type = insert_machine_type(&db).await.unwrap();
+    //     for _ in 0..10 {
+    //         insert_workspace(
+    //             &db,
+    //             user.current_organization,
+    //             user.id,
+    //             None,
+    //             workspace_host.id,
+    //             machine_type.id,
+    //         )
+    //         .await
+    //         .unwrap();
+    //     }
+    //     let txn = db.conn.begin().await.unwrap();
+    //     let quota = enterprise
+    //         .quota
+    //         .quota_value(
+    //             &txn,
+    //             &QuotaKind::Workspace,
+    //             user.current_organization,
+    //             user.id,
+    //         )
+    //         .await
+    //         .unwrap();
+    //     txn.commit().await.unwrap();
+    //     let result = enterprise
+    //         .quota
+    //         .do_check(quota, user.current_organization, user.id)
+    //         .await
+    //         .unwrap()
+    //         .unwrap();
+    //     assert_eq!(result.existing, 10);
+    //     assert_eq!(result.quota, 10);
+    //     assert_eq!(result.level, QuotaLevel::User);
+    //     assert_eq!(result.kind, QuotaKind::Workspace);
+    // }
+
+    // #[tokio::test]
+    // async fn test_workspace_quota_organization_level() {
+    //     let enterprise = prepare_enterprise().await.unwrap();
+    //     let db = enterprise.quota.db.clone();
+    //     let txn = db.conn.begin().await.unwrap();
+    //     let user = db
+    //         .create_new_user(
+    //             &txn,
+    //             &AuthProvider::Github,
+    //             ProviderUser {
+    //                 avatar_url: None,
+    //                 email: None,
+    //                 id: 0,
+    //                 login: "test".to_string(),
+    //                 name: None,
+    //             },
+    //             "".to_string(),
+    //         )
+    //         .await
+    //         .unwrap();
+    //     enterprise
+    //         .quota
+    //         .update_for_user(
+    //             &txn,
+    //             user.current_organization,
+    //             user.id,
+    //             QuotaKind::Workspace,
+    //             10,
+    //         )
+    //         .await
+    //         .unwrap();
+    //     enterprise
+    //         .quota
+    //         .update_for_organization(&txn, user.current_organization, QuotaKind::Workspace, 5)
+    //         .await
+    //         .unwrap();
+    //     txn.commit().await.unwrap();
+
+    //     let workspace_host = insert_workspace_host(&db).await.unwrap();
+    //     let machine_type = insert_machine_type(&db).await.unwrap();
+    //     for _ in 0..6 {
+    //         insert_workspace(
+    //             &db,
+    //             user.current_organization,
+    //             user.id,
+    //             None,
+    //             workspace_host.id,
+    //             machine_type.id,
+    //         )
+    //         .await
+    //         .unwrap();
+    //     }
+    //     let txn = db.conn.begin().await.unwrap();
+    //     let quota = enterprise
+    //         .quota
+    //         .quota_value(
+    //             &txn,
+    //             &QuotaKind::Workspace,
+    //             user.current_organization,
+    //             user.id,
+    //         )
+    //         .await
+    //         .unwrap();
+    //     txn.commit().await.unwrap();
+    //     let result = enterprise
+    //         .quota
+    //         .do_check(quota, user.current_organization, user.id)
+    //         .await
+    //         .unwrap()
+    //         .unwrap();
+    //     assert_eq!(result.existing, 6);
+    //     assert_eq!(result.quota, 5);
+    //     assert_eq!(result.level, QuotaLevel::Organization);
+    //     assert_eq!(result.kind, QuotaKind::Workspace);
+    // }
+
+    // #[tokio::test]
+    // async fn test_running_workspace_quota() {
+    //     let enterprise = prepare_enterprise().await.unwrap();
+    //     let db = enterprise.quota.db.clone();
+    //     let txn = db.conn.begin().await.unwrap();
+    //     let user = db
+    //         .create_new_user(
+    //             &txn,
+    //             &AuthProvider::Github,
+    //             ProviderUser {
+    //                 avatar_url: None,
+    //                 email: None,
+    //                 id: 0,
+    //                 login: "test".to_string(),
+    //                 name: None,
+    //             },
+    //             "".to_string(),
+    //         )
+    //         .await
+    //         .unwrap();
+    //     enterprise
+    //         .quota
+    //         .update_for_user(
+    //             &txn,
+    //             user.current_organization,
+    //             user.id,
+    //             QuotaKind::RunningWorkspace,
+    //             5,
+    //         )
+    //         .await
+    //         .unwrap();
+    //     enterprise
+    //         .quota
+    //         .update_for_user(
+    //             &txn,
+    //             user.current_organization,
+    //             user.id,
+    //             QuotaKind::Workspace,
+    //             15,
+    //         )
+    //         .await
+    //         .unwrap();
+    //     txn.commit().await.unwrap();
+
+    //     let workspace_host = insert_workspace_host(&db).await.unwrap();
+    //     let machine_type = insert_machine_type(&db).await.unwrap();
+    //     for _ in 0..5 {
+    //         insert_workspace(
+    //             &db,
+    //             user.current_organization,
+    //             user.id,
+    //             Some(WorkspaceStatus::Running),
+    //             workspace_host.id,
+    //             machine_type.id,
+    //         )
+    //         .await
+    //         .unwrap();
+    //     }
+    //     for _ in 0..5 {
+    //         insert_workspace(
+    //             &db,
+    //             user.current_organization,
+    //             user.id,
+    //             Some(WorkspaceStatus::Stopped),
+    //             workspace_host.id,
+    //             machine_type.id,
+    //         )
+    //         .await
+    //         .unwrap();
+    //     }
+    //     let txn = db.conn.begin().await.unwrap();
+    //     let quota = enterprise
+    //         .quota
+    //         .quota_value(
+    //             &txn,
+    //             &QuotaKind::RunningWorkspace,
+    //             user.current_organization,
+    //             user.id,
+    //         )
+    //         .await
+    //         .unwrap();
+    //     txn.commit().await.unwrap();
+    //     let result = enterprise
+    //         .quota
+    //         .do_check(quota, user.current_organization, user.id)
+    //         .await
+    //         .unwrap()
+    //         .unwrap();
+    //     assert_eq!(result.existing, 5);
+    //     assert_eq!(result.quota, 5);
+    //     assert_eq!(result.level, QuotaLevel::User);
+    //     assert_eq!(result.kind, QuotaKind::RunningWorkspace);
+    // }
+}
diff --git a/lapdev-enterprise/src/usage.rs b/crates/enterprise/src/usage.rs
similarity index 50%
rename from lapdev-enterprise/src/usage.rs
rename to crates/enterprise/src/usage.rs
index b14f4fe..1961a55 100644
--- a/lapdev-enterprise/src/usage.rs
+++ b/crates/enterprise/src/usage.rs
@@ -3,7 +3,7 @@ use std::collections::HashMap;
 use anyhow::{anyhow, Result};
 use chrono::{DateTime, Datelike, FixedOffset, TimeZone, Utc};
 use lapdev_common::{UsageRecord, UsageResourceKind, UsageResult};
-use lapdev_db::{api::DbApi, entities};
+use lapdev_db::api::DbApi;
 use sea_orm::{
     ActiveModelTrait, ActiveValue, ColumnTrait, Condition, DatabaseTransaction, EntityTrait,
     PaginatorTrait, QueryFilter, QueryOrder, QuerySelect,
@@ -32,8 +32,8 @@ impl Usage {
         resource_name: String,
         machine_type_id: Uuid,
         cost_per_second: i32,
-    ) -> Result<entities::usage::Model> {
-        let usage = entities::usage::ActiveModel {
+    ) -> Result<lapdev_db_entities::usage::Model> {
+        let usage = lapdev_db_entities::usage::ActiveModel {
             start: ActiveValue::Set(start),
             organization_id: ActiveValue::Set(org_id),
             user_id: ActiveValue::Set(user_id),
@@ -55,8 +55,8 @@ impl Usage {
         txn: &DatabaseTransaction,
         id: i32,
         end: DateTime<FixedOffset>,
-    ) -> Result<entities::usage::Model> {
-        let usage = entities::usage::Entity::find_by_id(id)
+    ) -> Result<lapdev_db_entities::usage::Model> {
+        let usage = lapdev_db_entities::usage::Entity::find_by_id(id)
             .one(txn)
             .await?
             .ok_or_else(|| anyhow!("can't find usage"))?;
@@ -65,7 +65,7 @@ impl Usage {
         let duration = duration.num_seconds().max(0) as i32;
         let total_cost = usage.cost_per_second * duration;
 
-        let usage = entities::usage::ActiveModel {
+        let usage = lapdev_db_entities::usage::ActiveModel {
             id: ActiveValue::Set(id),
             end: ActiveValue::Set(Some(end)),
             duration: ActiveValue::Set(Some(duration)),
@@ -86,48 +86,48 @@ impl Usage {
         page_size: u64,
         page: u64,
     ) -> Result<UsageResult> {
-        let mut query = entities::usage::Entity::find()
-            .find_also_related(entities::user::Entity)
-            .filter(entities::usage::Column::OrganizationId.eq(organization));
+        let mut query = lapdev_db_entities::usage::Entity::find()
+            .find_also_related(lapdev_db_entities::user::Entity)
+            .filter(lapdev_db_entities::usage::Column::OrganizationId.eq(organization));
         if let Some(user) = user {
-            query = query.filter(entities::usage::Column::UserId.eq(user));
+            query = query.filter(lapdev_db_entities::usage::Column::UserId.eq(user));
         }
         query = query
             .filter(
                 Condition::any()
                     .add(
                         Condition::all()
-                            .add(entities::usage::Column::Start.gte(start))
-                            .add(entities::usage::Column::End.lte(end)),
+                            .add(lapdev_db_entities::usage::Column::Start.gte(start))
+                            .add(lapdev_db_entities::usage::Column::End.lte(end)),
                     )
                     .add(
                         Condition::all()
-                            .add(entities::usage::Column::Start.lt(end))
-                            .add(entities::usage::Column::End.is_null()),
+                            .add(lapdev_db_entities::usage::Column::Start.lt(end))
+                            .add(lapdev_db_entities::usage::Column::End.is_null()),
                     )
                     .add(
                         Condition::all()
-                            .add(entities::usage::Column::Start.lt(end))
-                            .add(entities::usage::Column::End.gt(end)),
+                            .add(lapdev_db_entities::usage::Column::Start.lt(end))
+                            .add(lapdev_db_entities::usage::Column::End.gt(end)),
                     )
                     .add(
                         Condition::all()
-                            .add(entities::usage::Column::Start.lt(start))
-                            .add(entities::usage::Column::End.gt(start)),
+                            .add(lapdev_db_entities::usage::Column::Start.lt(start))
+                            .add(lapdev_db_entities::usage::Column::End.gt(start)),
                     ),
             )
-            .order_by_desc(entities::usage::Column::Start);
+            .order_by_desc(lapdev_db_entities::usage::Column::Start);
 
         let result = query.paginate(&self.db.conn, page_size);
         let items_and_pages = result.num_items_and_pages().await?;
         let records = result.fetch_page(page).await?;
 
         let machine_types = {
-            let machine_types = entities::machine_type::Entity::find()
+            let machine_types = lapdev_db_entities::machine_type::Entity::find()
                 .all(&self.db.conn)
                 .await
                 .unwrap_or_default();
-            let machine_types: HashMap<Uuid, entities::machine_type::Model> =
+            let machine_types: HashMap<Uuid, lapdev_db_entities::machine_type::Model> =
                 machine_types.into_iter().map(|m| (m.id, m)).collect();
             machine_types
         };
@@ -192,50 +192,52 @@ impl Usage {
         now: DateTime<FixedOffset>,
     ) -> Result<usize> {
         let fixed_cost = {
-            let mut query = entities::usage::Entity::find()
-                .filter(entities::usage::Column::OrganizationId.eq(organization))
-                .filter(entities::usage::Column::End.lte(end))
-                .filter(entities::usage::Column::Start.gte(start));
+            let mut query = lapdev_db_entities::usage::Entity::find()
+                .filter(lapdev_db_entities::usage::Column::OrganizationId.eq(organization))
+                .filter(lapdev_db_entities::usage::Column::End.lte(end))
+                .filter(lapdev_db_entities::usage::Column::Start.gte(start));
             if let Some(user) = user {
-                query = query.filter(entities::usage::Column::UserId.eq(user));
+                query = query.filter(lapdev_db_entities::usage::Column::UserId.eq(user));
             }
             if let Some(cost_per_second) = cost_per_second {
-                query = query.filter(entities::usage::Column::CostPerSecond.eq(cost_per_second));
+                query = query
+                    .filter(lapdev_db_entities::usage::Column::CostPerSecond.eq(cost_per_second));
             }
             let fixed_cost: Vec<Option<i64>> = query
                 .select_only()
-                .column_as(entities::usage::Column::TotalCost.sum(), "cost")
+                .column_as(lapdev_db_entities::usage::Column::TotalCost.sum(), "cost")
                 .into_tuple()
                 .all(&self.db.conn)
                 .await?;
             fixed_cost.first().copied().flatten().unwrap_or(0).max(0) as usize
         };
 
-        let mut query = entities::usage::Entity::find()
-            .filter(entities::usage::Column::OrganizationId.eq(organization))
+        let mut query = lapdev_db_entities::usage::Entity::find()
+            .filter(lapdev_db_entities::usage::Column::OrganizationId.eq(organization))
             .filter(
                 Condition::any()
                     .add(
                         Condition::all()
-                            .add(entities::usage::Column::Start.lt(end))
-                            .add(entities::usage::Column::End.is_null()),
+                            .add(lapdev_db_entities::usage::Column::Start.lt(end))
+                            .add(lapdev_db_entities::usage::Column::End.is_null()),
                     )
                     .add(
                         Condition::all()
-                            .add(entities::usage::Column::Start.lt(end))
-                            .add(entities::usage::Column::End.gt(end)),
+                            .add(lapdev_db_entities::usage::Column::Start.lt(end))
+                            .add(lapdev_db_entities::usage::Column::End.gt(end)),
                     )
                     .add(
                         Condition::all()
-                            .add(entities::usage::Column::Start.lt(start))
-                            .add(entities::usage::Column::End.gt(start)),
+                            .add(lapdev_db_entities::usage::Column::Start.lt(start))
+                            .add(lapdev_db_entities::usage::Column::End.gt(start)),
                     ),
             );
         if let Some(user) = user {
-            query = query.filter(entities::usage::Column::UserId.eq(user));
+            query = query.filter(lapdev_db_entities::usage::Column::UserId.eq(user));
         }
         if let Some(cost_per_second) = cost_per_second {
-            query = query.filter(entities::usage::Column::CostPerSecond.eq(cost_per_second));
+            query =
+                query.filter(lapdev_db_entities::usage::Column::CostPerSecond.eq(cost_per_second));
         }
 
         let usages = query.all(&self.db.conn).await?;
@@ -330,15 +332,13 @@ impl Usage {
 pub mod tests {
     use anyhow::Result;
     use chrono::{DateTime, TimeZone, Utc};
-    use lapdev_common::{AuthProvider, ProviderUser, UsageResourceKind};
-    use lapdev_db::{api::DbApi, entities};
+    use lapdev_common::UsageResourceKind;
+    use lapdev_db::api::DbApi;
     use sea_orm::{ActiveModelTrait, ActiveValue, TransactionTrait};
     use uuid::Uuid;
 
-    use crate::tests::prepare_enterprise;
-
-    async fn insert_machine_type(db: &DbApi) -> Result<entities::machine_type::Model> {
-        Ok(entities::machine_type::ActiveModel {
+    async fn insert_machine_type(db: &DbApi) -> Result<lapdev_db_entities::machine_type::Model> {
+        Ok(lapdev_db_entities::machine_type::ActiveModel {
             id: ActiveValue::Set(Uuid::new_v4()),
             name: ActiveValue::Set("".to_string()),
             shared: ActiveValue::Set(true),
@@ -369,7 +369,7 @@ pub mod tests {
         };
 
         let machine_type = insert_machine_type(db).await.unwrap();
-        entities::usage::ActiveModel {
+        lapdev_db_entities::usage::ActiveModel {
             start: ActiveValue::Set(start.into()),
             end: ActiveValue::Set(end.map(|end| end.into())),
             organization_id: ActiveValue::Set(organization),
@@ -388,240 +388,240 @@ pub mod tests {
         Ok(())
     }
 
-    #[tokio::test]
-    async fn test_get_daily_cost() {
-        let enterprise = prepare_enterprise().await.unwrap();
-        let db = enterprise.usage.db.clone();
-        let organization = uuid::Uuid::new_v4();
-
-        let txn = db.conn.begin().await.unwrap();
-        let user = db
-            .create_new_user(
-                &txn,
-                &AuthProvider::Github,
-                ProviderUser {
-                    avatar_url: None,
-                    email: None,
-                    id: 0,
-                    login: "test".to_string(),
-                    name: None,
-                },
-                "".to_string(),
-            )
-            .await
-            .unwrap();
-        txn.commit().await.unwrap();
-
-        insert_usage_record(
-            &db,
-            organization,
-            Some(user.id),
-            Utc.with_ymd_and_hms(2024, 1, 29, 15, 0, 0).unwrap(),
-            Some(Utc.with_ymd_and_hms(2024, 1, 29, 16, 0, 0).unwrap()),
-        )
-        .await
-        .unwrap();
-
-        let cost = enterprise
-            .usage
-            .get_daily_cost(
-                organization,
-                Some(user.id),
-                None,
-                Utc.with_ymd_and_hms(2024, 1, 29, 1, 0, 0).unwrap().into(),
-                None,
-            )
-            .await
-            .unwrap();
-        assert_eq!(cost, 3600);
-
-        insert_usage_record(
-            &db,
-            organization,
-            Some(user.id),
-            Utc.with_ymd_and_hms(2024, 1, 29, 15, 0, 0).unwrap(),
-            Some(Utc.with_ymd_and_hms(2024, 1, 29, 16, 0, 0).unwrap()),
-        )
-        .await
-        .unwrap();
-
-        let cost = enterprise
-            .usage
-            .get_daily_cost(
-                organization,
-                Some(user.id),
-                None,
-                Utc.with_ymd_and_hms(2024, 1, 29, 1, 0, 0).unwrap().into(),
-                None,
-            )
-            .await
-            .unwrap();
-        assert_eq!(cost, 7200);
-
-        insert_usage_record(
-            &db,
-            organization,
-            Some(user.id),
-            Utc.with_ymd_and_hms(2024, 1, 29, 15, 0, 0).unwrap(),
-            None,
-        )
-        .await
-        .unwrap();
-
-        let cost = enterprise
-            .usage
-            .get_daily_cost(
-                organization,
-                Some(user.id),
-                None,
-                Utc.with_ymd_and_hms(2024, 1, 29, 1, 0, 0).unwrap().into(),
-                Some(Utc.with_ymd_and_hms(2024, 1, 29, 15, 1, 0).unwrap().into()),
-            )
-            .await
-            .unwrap();
-        assert_eq!(cost, 7260);
-
-        let cost = enterprise
-            .usage
-            .get_daily_cost(
-                organization,
-                Some(user.id),
-                None,
-                Utc.with_ymd_and_hms(2024, 1, 30, 1, 0, 0).unwrap().into(),
-                Some(Utc.with_ymd_and_hms(2024, 1, 30, 1, 0, 0).unwrap().into()),
-            )
-            .await
-            .unwrap();
-        assert_eq!(cost, 3600);
-
-        insert_usage_record(
-            &db,
-            organization,
-            Some(user.id),
-            Utc.with_ymd_and_hms(2024, 1, 29, 23, 0, 0).unwrap(),
-            Some(Utc.with_ymd_and_hms(2024, 1, 30, 1, 0, 0).unwrap()),
-        )
-        .await
-        .unwrap();
-
-        let cost = enterprise
-            .usage
-            .get_daily_cost(
-                organization,
-                Some(user.id),
-                None,
-                Utc.with_ymd_and_hms(2024, 1, 29, 1, 0, 0).unwrap().into(),
-                Some(Utc.with_ymd_and_hms(2024, 1, 29, 15, 1, 0).unwrap().into()),
-            )
-            .await
-            .unwrap();
-        assert_eq!(cost, 10860);
-
-        insert_usage_record(
-            &db,
-            organization,
-            Some(user.id),
-            Utc.with_ymd_and_hms(2024, 1, 28, 23, 0, 0).unwrap(),
-            Some(Utc.with_ymd_and_hms(2024, 1, 30, 1, 0, 0).unwrap()),
-        )
-        .await
-        .unwrap();
-
-        let cost = enterprise
-            .usage
-            .get_daily_cost(
-                organization,
-                Some(user.id),
-                None,
-                Utc.with_ymd_and_hms(2024, 1, 29, 1, 0, 0).unwrap().into(),
-                Some(Utc.with_ymd_and_hms(2024, 1, 29, 15, 1, 0).unwrap().into()),
-            )
-            .await
-            .unwrap();
-        assert_eq!(cost, 97260);
-    }
-
-    #[tokio::test]
-    async fn test_get_monthly_cost() {
-        let enterprise = prepare_enterprise().await.unwrap();
-        let db = enterprise.usage.db.clone();
-        let organization = uuid::Uuid::new_v4();
-
-        let txn = db.conn.begin().await.unwrap();
-        let user = db
-            .create_new_user(
-                &txn,
-                &AuthProvider::Github,
-                ProviderUser {
-                    avatar_url: None,
-                    email: None,
-                    id: 0,
-                    login: "test".to_string(),
-                    name: None,
-                },
-                "".to_string(),
-            )
-            .await
-            .unwrap();
-        txn.commit().await.unwrap();
-
-        insert_usage_record(
-            &db,
-            organization,
-            Some(user.id),
-            Utc.with_ymd_and_hms(2024, 1, 29, 15, 0, 0).unwrap(),
-            Some(Utc.with_ymd_and_hms(2024, 1, 29, 16, 0, 0).unwrap()),
-        )
-        .await
-        .unwrap();
-
-        let cost = enterprise
-            .usage
-            .get_monthly_cost(
-                organization,
-                Some(user.id),
-                None,
-                Utc.with_ymd_and_hms(2024, 1, 29, 1, 0, 0).unwrap().into(),
-                None,
-            )
-            .await
-            .unwrap();
-        assert_eq!(cost, 3600);
-
-        insert_usage_record(
-            &db,
-            organization,
-            Some(user.id),
-            Utc.with_ymd_and_hms(2023, 12, 31, 23, 0, 0).unwrap(),
-            Some(Utc.with_ymd_and_hms(2024, 1, 1, 1, 0, 0).unwrap()),
-        )
-        .await
-        .unwrap();
-
-        let cost = enterprise
-            .usage
-            .get_monthly_cost(
-                organization,
-                Some(user.id),
-                None,
-                Utc.with_ymd_and_hms(2024, 1, 29, 1, 0, 0).unwrap().into(),
-                None,
-            )
-            .await
-            .unwrap();
-        assert_eq!(cost, 7200);
-
-        let cost = enterprise
-            .usage
-            .get_monthly_cost(
-                organization,
-                Some(user.id),
-                None,
-                Utc.with_ymd_and_hms(2023, 12, 29, 1, 0, 0).unwrap().into(),
-                None,
-            )
-            .await
-            .unwrap();
-        assert_eq!(cost, 3600);
-    }
+    // #[tokio::test]
+    // async fn test_get_daily_cost() {
+    //     let enterprise = prepare_enterprise().await.unwrap();
+    //     let db = enterprise.usage.db.clone();
+    //     let organization = uuid::Uuid::new_v4();
+
+    //     let txn = db.conn.begin().await.unwrap();
+    //     let user = db
+    //         .create_new_user(
+    //             &txn,
+    //             &AuthProvider::Github,
+    //             ProviderUser {
+    //                 avatar_url: None,
+    //                 email: None,
+    //                 id: 0,
+    //                 login: "test".to_string(),
+    //                 name: None,
+    //             },
+    //             "".to_string(),
+    //         )
+    //         .await
+    //         .unwrap();
+    //     txn.commit().await.unwrap();
+
+    //     insert_usage_record(
+    //         &db,
+    //         organization,
+    //         Some(user.id),
+    //         Utc.with_ymd_and_hms(2024, 1, 29, 15, 0, 0).unwrap(),
+    //         Some(Utc.with_ymd_and_hms(2024, 1, 29, 16, 0, 0).unwrap()),
+    //     )
+    //     .await
+    //     .unwrap();
+
+    //     let cost = enterprise
+    //         .usage
+    //         .get_daily_cost(
+    //             organization,
+    //             Some(user.id),
+    //             None,
+    //             Utc.with_ymd_and_hms(2024, 1, 29, 1, 0, 0).unwrap().into(),
+    //             None,
+    //         )
+    //         .await
+    //         .unwrap();
+    //     assert_eq!(cost, 3600);
+
+    //     insert_usage_record(
+    //         &db,
+    //         organization,
+    //         Some(user.id),
+    //         Utc.with_ymd_and_hms(2024, 1, 29, 15, 0, 0).unwrap(),
+    //         Some(Utc.with_ymd_and_hms(2024, 1, 29, 16, 0, 0).unwrap()),
+    //     )
+    //     .await
+    //     .unwrap();
+
+    //     let cost = enterprise
+    //         .usage
+    //         .get_daily_cost(
+    //             organization,
+    //             Some(user.id),
+    //             None,
+    //             Utc.with_ymd_and_hms(2024, 1, 29, 1, 0, 0).unwrap().into(),
+    //             None,
+    //         )
+    //         .await
+    //         .unwrap();
+    //     assert_eq!(cost, 7200);
+
+    //     insert_usage_record(
+    //         &db,
+    //         organization,
+    //         Some(user.id),
+    //         Utc.with_ymd_and_hms(2024, 1, 29, 15, 0, 0).unwrap(),
+    //         None,
+    //     )
+    //     .await
+    //     .unwrap();
+
+    //     let cost = enterprise
+    //         .usage
+    //         .get_daily_cost(
+    //             organization,
+    //             Some(user.id),
+    //             None,
+    //             Utc.with_ymd_and_hms(2024, 1, 29, 1, 0, 0).unwrap().into(),
+    //             Some(Utc.with_ymd_and_hms(2024, 1, 29, 15, 1, 0).unwrap().into()),
+    //         )
+    //         .await
+    //         .unwrap();
+    //     assert_eq!(cost, 7260);
+
+    //     let cost = enterprise
+    //         .usage
+    //         .get_daily_cost(
+    //             organization,
+    //             Some(user.id),
+    //             None,
+    //             Utc.with_ymd_and_hms(2024, 1, 30, 1, 0, 0).unwrap().into(),
+    //             Some(Utc.with_ymd_and_hms(2024, 1, 30, 1, 0, 0).unwrap().into()),
+    //         )
+    //         .await
+    //         .unwrap();
+    //     assert_eq!(cost, 3600);
+
+    //     insert_usage_record(
+    //         &db,
+    //         organization,
+    //         Some(user.id),
+    //         Utc.with_ymd_and_hms(2024, 1, 29, 23, 0, 0).unwrap(),
+    //         Some(Utc.with_ymd_and_hms(2024, 1, 30, 1, 0, 0).unwrap()),
+    //     )
+    //     .await
+    //     .unwrap();
+
+    //     let cost = enterprise
+    //         .usage
+    //         .get_daily_cost(
+    //             organization,
+    //             Some(user.id),
+    //             None,
+    //             Utc.with_ymd_and_hms(2024, 1, 29, 1, 0, 0).unwrap().into(),
+    //             Some(Utc.with_ymd_and_hms(2024, 1, 29, 15, 1, 0).unwrap().into()),
+    //         )
+    //         .await
+    //         .unwrap();
+    //     assert_eq!(cost, 10860);
+
+    //     insert_usage_record(
+    //         &db,
+    //         organization,
+    //         Some(user.id),
+    //         Utc.with_ymd_and_hms(2024, 1, 28, 23, 0, 0).unwrap(),
+    //         Some(Utc.with_ymd_and_hms(2024, 1, 30, 1, 0, 0).unwrap()),
+    //     )
+    //     .await
+    //     .unwrap();
+
+    //     let cost = enterprise
+    //         .usage
+    //         .get_daily_cost(
+    //             organization,
+    //             Some(user.id),
+    //             None,
+    //             Utc.with_ymd_and_hms(2024, 1, 29, 1, 0, 0).unwrap().into(),
+    //             Some(Utc.with_ymd_and_hms(2024, 1, 29, 15, 1, 0).unwrap().into()),
+    //         )
+    //         .await
+    //         .unwrap();
+    //     assert_eq!(cost, 97260);
+    // }
+
+    // #[tokio::test]
+    // async fn test_get_monthly_cost() {
+    //     let enterprise = prepare_enterprise().await.unwrap();
+    //     let db = enterprise.usage.db.clone();
+    //     let organization = uuid::Uuid::new_v4();
+
+    //     let txn = db.conn.begin().await.unwrap();
+    //     let user = db
+    //         .create_new_user(
+    //             &txn,
+    //             &AuthProvider::Github,
+    //             ProviderUser {
+    //                 avatar_url: None,
+    //                 email: None,
+    //                 id: 0,
+    //                 login: "test".to_string(),
+    //                 name: None,
+    //             },
+    //             "".to_string(),
+    //         )
+    //         .await
+    //         .unwrap();
+    //     txn.commit().await.unwrap();
+
+    //     insert_usage_record(
+    //         &db,
+    //         organization,
+    //         Some(user.id),
+    //         Utc.with_ymd_and_hms(2024, 1, 29, 15, 0, 0).unwrap(),
+    //         Some(Utc.with_ymd_and_hms(2024, 1, 29, 16, 0, 0).unwrap()),
+    //     )
+    //     .await
+    //     .unwrap();
+
+    //     let cost = enterprise
+    //         .usage
+    //         .get_monthly_cost(
+    //             organization,
+    //             Some(user.id),
+    //             None,
+    //             Utc.with_ymd_and_hms(2024, 1, 29, 1, 0, 0).unwrap().into(),
+    //             None,
+    //         )
+    //         .await
+    //         .unwrap();
+    //     assert_eq!(cost, 3600);
+
+    //     insert_usage_record(
+    //         &db,
+    //         organization,
+    //         Some(user.id),
+    //         Utc.with_ymd_and_hms(2023, 12, 31, 23, 0, 0).unwrap(),
+    //         Some(Utc.with_ymd_and_hms(2024, 1, 1, 1, 0, 0).unwrap()),
+    //     )
+    //     .await
+    //     .unwrap();
+
+    //     let cost = enterprise
+    //         .usage
+    //         .get_monthly_cost(
+    //             organization,
+    //             Some(user.id),
+    //             None,
+    //             Utc.with_ymd_and_hms(2024, 1, 29, 1, 0, 0).unwrap().into(),
+    //             None,
+    //         )
+    //         .await
+    //         .unwrap();
+    //     assert_eq!(cost, 7200);
+
+    //     let cost = enterprise
+    //         .usage
+    //         .get_monthly_cost(
+    //             organization,
+    //             Some(user.id),
+    //             None,
+    //             Utc.with_ymd_and_hms(2023, 12, 29, 1, 0, 0).unwrap().into(),
+    //             None,
+    //         )
+    //         .await
+    //         .unwrap();
+    //     assert_eq!(cost, 3600);
+    // }
 }
diff --git a/lapdev-guest-agent/Cargo.toml b/crates/guest-agent/Cargo.toml
similarity index 86%
rename from lapdev-guest-agent/Cargo.toml
rename to crates/guest-agent/Cargo.toml
index 7de276c..ac21ae8 100644
--- a/lapdev-guest-agent/Cargo.toml
+++ b/crates/guest-agent/Cargo.toml
@@ -6,3 +6,4 @@ edition.workspace = true
 
 [dependencies]
 serde_json.workspace = true
+tracing.workspace = true
diff --git a/lapdev-guest-agent/src/lib.rs b/crates/guest-agent/src/lib.rs
similarity index 100%
rename from lapdev-guest-agent/src/lib.rs
rename to crates/guest-agent/src/lib.rs
diff --git a/lapdev-guest-agent/src/main.rs b/crates/guest-agent/src/main.rs
similarity index 100%
rename from lapdev-guest-agent/src/main.rs
rename to crates/guest-agent/src/main.rs
diff --git a/crates/hrpc-proc-macro/Cargo.toml b/crates/hrpc-proc-macro/Cargo.toml
new file mode 100644
index 0000000..9ef50a8
--- /dev/null
+++ b/crates/hrpc-proc-macro/Cargo.toml
@@ -0,0 +1,18 @@
+[package]
+name = "lapdev-hrpc-proc-macro"
+version.workspace = true
+authors.workspace = true
+edition.workspace = true
+
+[lib]
+proc-macro = true
+
+[dependencies]
+proc-macro2 = "1.0"
+quote = "1.0"
+syn = { version = "2.0", features = ["full", "extra-traits"] }
+
+[dev-dependencies]
+lapdev-hrpc = { path = "../hrpc" }
+
+
diff --git a/crates/hrpc-proc-macro/src/lib.rs b/crates/hrpc-proc-macro/src/lib.rs
new file mode 100644
index 0000000..8751802
--- /dev/null
+++ b/crates/hrpc-proc-macro/src/lib.rs
@@ -0,0 +1,416 @@
+extern crate proc_macro;
+
+use proc_macro::TokenStream;
+use proc_macro2::TokenStream as TokenStream2;
+use quote::{format_ident, quote, ToTokens};
+use syn::{
+    braced,
+    ext::IdentExt,
+    parenthesized,
+    parse::{Parse, ParseStream},
+    parse_macro_input, parse_quote,
+    spanned::Spanned,
+    token::Comma,
+    AttrStyle, Attribute, FnArg, Ident, Pat, PatType, ReturnType, Token, Type, Visibility,
+};
+
+/// Accumulates multiple errors into a result.
+/// Only use this for recoverable errors, i.e. non-parse errors. Fatal errors should early exit to
+/// avoid further complications.
+macro_rules! extend_errors {
+    ($errors: ident, $e: expr) => {
+        match $errors {
+            Ok(_) => $errors = Err($e),
+            Err(ref mut errors) => errors.extend($e),
+        }
+    };
+}
+
+struct RpcMethod {
+    attrs: Vec<Attribute>,
+    ident: Ident,
+    args: Vec<FnArg>,
+    output: ReturnType,
+}
+
+impl Parse for RpcMethod {
+    fn parse(input: ParseStream) -> syn::Result<Self> {
+        let attrs = input.call(Attribute::parse_outer)?;
+        input.parse::<Token![async]>()?;
+        input.parse::<Token![fn]>()?;
+        let ident = input.parse()?;
+        let content;
+        parenthesized!(content in input);
+        let mut args = Vec::new();
+        let mut errors = Ok(());
+        for arg in content.parse_terminated(FnArg::parse, Comma)? {
+            match &arg {
+                FnArg::Typed(captured) if matches!(&*captured.pat, Pat::Ident(_)) => {
+                    args.push(arg);
+                }
+                FnArg::Typed(captured) => {
+                    extend_errors!(
+                        errors,
+                        syn::Error::new(captured.pat.span(), "patterns aren't allowed in RPC args")
+                    );
+                }
+                FnArg::Receiver(_) => {
+                    // args.push(arg);
+                }
+            }
+        }
+        errors?;
+        let output = input.parse()?;
+        input.parse::<Token![;]>()?;
+
+        Ok(Self {
+            attrs,
+            ident,
+            args,
+            output,
+        })
+    }
+}
+
+struct Service {
+    vis: Visibility,
+    ident: Ident,
+    attrs: Vec<Attribute>,
+    rpcs: Vec<RpcMethod>,
+}
+
+impl Parse for Service {
+    fn parse(input: ParseStream) -> syn::Result<Self> {
+        let vis = input.parse()?;
+        input.parse::<Token![trait]>()?;
+        let ident: Ident = input.parse()?;
+        let attrs = input.call(Attribute::parse_outer)?;
+
+        let content;
+        braced!(content in input);
+        let mut rpcs = Vec::<RpcMethod>::new();
+        while !content.is_empty() {
+            rpcs.push(content.parse()?);
+        }
+
+        let mut ident_errors = Ok(());
+        for rpc in &rpcs {
+            if rpc.ident == "new" {
+                extend_errors!(
+                    ident_errors,
+                    syn::Error::new(
+                        rpc.ident.span(),
+                        format!(
+                            "method name conflicts with generated fn `{}Client::new`",
+                            ident.unraw()
+                        )
+                    )
+                );
+            }
+        }
+        ident_errors?;
+
+        Ok(Self {
+            vis,
+            ident,
+            attrs,
+            rpcs,
+        })
+    }
+}
+
+struct ServiceGenerator<'a> {
+    vis: &'a Visibility,
+    service_ident: &'a Ident,
+    rpcs: &'a [RpcMethod],
+    return_types: &'a [&'a Type],
+    attrs: &'a [Attribute],
+    client_ident: &'a Ident,
+    method_idents: &'a [&'a Ident],
+    arg_pats: &'a [Vec<&'a Pat>],
+    request_ident: &'a Ident,
+    response_ident: &'a Ident,
+    // derives: Option<&'a TokenStream2>,
+    camel_case_idents: &'a [Ident],
+    args: &'a [Vec<&'a PatType>],
+    // request_names: &'a [String],
+    method_cfgs: &'a [Vec<&'a Attribute>],
+}
+
+impl ToTokens for ServiceGenerator<'_> {
+    fn to_tokens(&self, output: &mut TokenStream2) {
+        output.extend(vec![
+            self.trait_service(),
+            self.enum_request(),
+            self.enum_response(),
+            self.struct_client(),
+            self.impl_client_new(),
+        ]);
+    }
+}
+
+impl ServiceGenerator<'_> {
+    fn trait_service(&self) -> TokenStream2 {
+        let &Self {
+            vis,
+            attrs,
+            service_ident,
+            request_ident,
+            response_ident,
+            rpcs,
+            return_types,
+            method_idents,
+            camel_case_idents,
+            arg_pats,
+            ..
+        } = self;
+
+        let rpc_fns = rpcs.iter().zip(return_types.iter()).map(
+            |(
+                RpcMethod {
+                    attrs, ident, args, ..
+                },
+                output,
+            )| {
+                quote! {
+                    #( #attrs )*
+                    async fn #ident(&self, headers: &::lapdev_hrpc::HeaderMap, #( #args ),*) -> #output;
+                }
+            },
+        );
+
+        quote! {
+            #( #attrs )*
+            #vis trait #service_ident: ::core::marker::Sized {
+                #( #rpc_fns )*
+
+                async fn handle_rpc(&self, headers: &::lapdev_hrpc::HeaderMap, body: &str) -> ::lapdev_hrpc::anyhow::Result<#response_ident> {
+                    let req: Result<#request_ident, ::lapdev_hrpc::serde_json::Error> = ::lapdev_hrpc::serde_json::from_str(body);
+                    let req = req?;
+
+                    match req {
+                        #(
+                            #request_ident::#camel_case_idents{ #( #arg_pats ),* } => {
+                                Ok(#response_ident::#camel_case_idents(self.#method_idents(headers, #( #arg_pats ),*).await))
+                            }
+                        )*
+                    }
+                }
+            }
+        }
+    }
+
+    fn struct_client(&self) -> TokenStream2 {
+        let &Self {
+            vis, client_ident, ..
+        } = self;
+
+        quote! {
+            #[allow(unused)]
+            #[derive(Clone, Debug)]
+            /// The client stub that makes RPC calls to the server. All request methods return
+            /// [Futures](::core::future::Future).
+            #vis struct #client_ident(String);
+        }
+    }
+
+    fn impl_client_new(&self) -> TokenStream2 {
+        let &Self {
+            client_ident,
+            method_idents,
+            vis,
+            request_ident,
+            arg_pats,
+            return_types,
+            args,
+            camel_case_idents,
+            response_ident,
+            ..
+        } = self;
+
+        quote! {
+            impl #client_ident
+            {
+                pub fn new(url: String) -> Self {
+                    Self(url)
+                }
+
+                #(
+                    #[allow(unused)]
+                    #vis async fn #method_idents(&self, #( #args ),*) -> ::lapdev_hrpc::anyhow::Result<#return_types> {
+                        let request = #request_ident::#camel_case_idents { #( #arg_pats ),* };
+                        // let resp = self.0.call(ctx, request);
+                        let resp: #response_ident = ::lapdev_hrpc::gloo_net::http::Request::post(&self.0).json(&request)?.send().await?.json().await?;
+                        match resp {
+                            #response_ident::#camel_case_idents(msg) => Ok(msg),
+                            _ => ::core::unreachable!(),
+                        }
+                    }
+                )*
+            }
+        }
+    }
+
+    fn enum_request(&self) -> TokenStream2 {
+        let &Self {
+            // derives,
+            vis,
+            request_ident,
+            camel_case_idents,
+            args,
+            method_cfgs,
+            ..
+        } = self;
+
+        quote! {
+            /// The request sent over the wire from the client to the server.
+            #[allow(missing_docs)]
+            #[derive(Debug, ::lapdev_hrpc::serde::Serialize, ::lapdev_hrpc::serde::Deserialize)]
+            #vis enum #request_ident {
+                #(
+                    #( #method_cfgs )*
+                    #camel_case_idents{ #( #args ),* }
+                ),*
+            }
+            // impl ::tarpc::RequestName for #request_ident {
+            //     fn name(&self) -> &str {
+            //         match self {
+            //             #(
+            //                 #( #method_cfgs )*
+            //                 #request_ident::#camel_case_idents{..} => {
+            //                     #request_names
+            //                 }
+            //             )*
+            //         }
+            //     }
+            // }
+        }
+    }
+
+    fn enum_response(&self) -> TokenStream2 {
+        let &Self {
+            vis,
+            response_ident,
+            camel_case_idents,
+            return_types,
+            ..
+        } = self;
+
+        quote! {
+            /// The response sent over the wire from the server to the client.
+            #[allow(missing_docs)]
+            #[derive(Debug, ::lapdev_hrpc::serde::Serialize, ::lapdev_hrpc::serde::Deserialize)]
+            #vis enum #response_ident {
+                #( #camel_case_idents(#return_types) ),*
+            }
+        }
+    }
+}
+
+#[proc_macro_attribute]
+pub fn service(_attr: TokenStream, input: TokenStream) -> TokenStream {
+    let unit_type: &Type = &parse_quote!(());
+    let Service {
+        ref vis,
+        ref ident,
+        ref attrs,
+        ref rpcs,
+    } = parse_macro_input!(input as Service);
+
+    let camel_case_fn_names: &Vec<_> = &rpcs
+        .iter()
+        .map(|rpc| snake_to_camel(&rpc.ident.unraw().to_string()))
+        .collect();
+
+    let methods = rpcs.iter().map(|rpc| &rpc.ident).collect::<Vec<_>>();
+    let args: &[Vec<&PatType>] = &rpcs
+        .iter()
+        .map(|rpc| {
+            rpc.args
+                .iter()
+                .filter_map(|a| {
+                    if let FnArg::Typed(p) = a {
+                        Some(p)
+                    } else {
+                        None
+                    }
+                })
+                .collect::<Vec<_>>()
+        })
+        .collect::<Vec<_>>();
+
+    // let request_names = methods
+    //     .iter()
+    //     .map(|m| format!("{ident}.{m}"))
+    //     .collect::<Vec<_>>();
+
+    ServiceGenerator {
+        vis,
+        service_ident: ident,
+        rpcs,
+        return_types: &rpcs
+            .iter()
+            .map(|rpc| match rpc.output {
+                ReturnType::Type(_, ref ty) => ty.as_ref(),
+                ReturnType::Default => unit_type,
+            })
+            .collect::<Vec<_>>(),
+        attrs,
+        request_ident: &format_ident!("{}Request", ident),
+        response_ident: &format_ident!("{}Response", ident),
+        client_ident: &format_ident!("{}Client", ident),
+        method_idents: &methods,
+        arg_pats: &args
+            .iter()
+            .map(|args| args.iter().map(|arg| &*arg.pat).collect())
+            .collect::<Vec<_>>(),
+        camel_case_idents: &rpcs
+            .iter()
+            .zip(camel_case_fn_names.iter())
+            .map(|(rpc, name)| Ident::new(name, rpc.ident.span()))
+            .collect::<Vec<_>>(),
+        args,
+        method_cfgs: &collect_cfg_attrs(rpcs),
+        // request_names: &request_names,
+    }
+    .into_token_stream()
+    .into()
+}
+
+fn snake_to_camel(ident_str: &str) -> String {
+    let mut camel_ty = String::with_capacity(ident_str.len());
+
+    let mut last_char_was_underscore = true;
+    for c in ident_str.chars() {
+        match c {
+            '_' => last_char_was_underscore = true,
+            c if last_char_was_underscore => {
+                camel_ty.extend(c.to_uppercase());
+                last_char_was_underscore = false;
+            }
+            c => camel_ty.extend(c.to_lowercase()),
+        }
+    }
+
+    camel_ty.shrink_to_fit();
+    camel_ty
+}
+
+fn collect_cfg_attrs(rpcs: &[RpcMethod]) -> Vec<Vec<&Attribute>> {
+    rpcs.iter()
+        .map(|rpc| {
+            rpc.attrs
+                .iter()
+                .filter(|att| {
+                    att.style == AttrStyle::Outer
+                        && match &att.meta {
+                            syn::Meta::List(syn::MetaList { path, .. }) => {
+                                path.get_ident() == Some(&Ident::new("cfg", rpc.ident.span()))
+                            }
+                            _ => false,
+                        }
+                })
+                .collect::<Vec<_>>()
+        })
+        .collect::<Vec<_>>()
+}
diff --git a/crates/hrpc/Cargo.toml b/crates/hrpc/Cargo.toml
new file mode 100644
index 0000000..1bd7724
--- /dev/null
+++ b/crates/hrpc/Cargo.toml
@@ -0,0 +1,14 @@
+[package]
+name = "lapdev-hrpc"
+version.workspace = true
+authors.workspace = true
+edition.workspace = true
+
+[dependencies]
+gloo-net = "0.6.0"
+http = "1.2"
+reqwest.workspace = true
+anyhow.workspace = true
+serde.workspace = true
+serde_json.workspace = true
+lapdev-hrpc-proc-macro.workspace = true
diff --git a/crates/hrpc/src/lib.rs b/crates/hrpc/src/lib.rs
new file mode 100644
index 0000000..fbccbdf
--- /dev/null
+++ b/crates/hrpc/src/lib.rs
@@ -0,0 +1,7 @@
+pub use anyhow;
+pub use gloo_net;
+pub use http::HeaderMap;
+pub use lapdev_hrpc_proc_macro::service;
+pub use reqwest;
+pub use serde;
+pub use serde_json;
diff --git a/crates/kube-manager/Cargo.toml b/crates/kube-manager/Cargo.toml
new file mode 100644
index 0000000..5dadc93
--- /dev/null
+++ b/crates/kube-manager/Cargo.toml
@@ -0,0 +1,29 @@
+[package]
+name = "lapdev-kube-manager"
+version.workspace = true
+authors.workspace = true
+edition.workspace = true
+
+[dependencies]
+uuid.workspace = true
+serde.workspace = true
+serde_yaml.workspace = true
+chrono.workspace = true
+reqwest.workspace = true
+tarpc.workspace = true
+anyhow.workspace = true
+bytes.workspace = true
+futures.workspace = true
+futures-util.workspace = true
+kube.workspace = true
+k8s-openapi.workspace = true
+tokio.workspace = true
+tokio-util.workspace = true
+tokio-tungstenite.workspace = true
+tracing.workspace = true
+tracing-subscriber.workspace = true
+tracing-journald = "0.3.0"
+lapdev-rpc.workspace = true
+lapdev-common.workspace = true
+lapdev-kube-rpc.workspace = true
+lapdev-tunnel.workspace = true
diff --git a/crates/kube-manager/src/devbox_proxy_manager.rs b/crates/kube-manager/src/devbox_proxy_manager.rs
new file mode 100644
index 0000000..d148996
--- /dev/null
+++ b/crates/kube-manager/src/devbox_proxy_manager.rs
@@ -0,0 +1,82 @@
+use anyhow::Result;
+use futures::StreamExt;
+use lapdev_kube_rpc::{DevboxProxyManagerRpc, DevboxProxyRpcClient};
+use lapdev_rpc::spawn_twoway;
+use std::{collections::HashMap, sync::Arc};
+use tarpc::server::{BaseChannel, Channel};
+use tokio::sync::RwLock;
+use tracing::{error, info};
+use uuid::Uuid;
+
+use crate::devbox_proxy_manager_rpc::DevboxProxyManagerRpcServer;
+
+pub const DEFAULT_DEVBOX_PROXY_MANAGER_PORT: u16 = 7771;
+pub const DEVBOX_PROXY_MANAGER_PORT_ENV_VAR: &str = "LAPDEV_DEVBOX_PROXY_MANAGER_PORT";
+
+#[derive(Debug, Clone)]
+pub struct DevboxProxyInfo {
+    pub environment_id: Uuid,
+    pub last_heartbeat: std::time::Instant,
+}
+
+#[derive(Clone)]
+pub struct DevboxProxyManager {
+    pub(crate) devbox_proxies: Arc<RwLock<HashMap<Uuid, DevboxProxyRpcClient>>>,
+}
+
+impl DevboxProxyManager {
+    pub(crate) async fn new() -> Result<Self> {
+        let port = std::env::var(DEVBOX_PROXY_MANAGER_PORT_ENV_VAR)
+            .ok()
+            .and_then(|p| p.parse::<u16>().ok())
+            .unwrap_or(DEFAULT_DEVBOX_PROXY_MANAGER_PORT);
+        let bind_addr = format!("0.0.0.0:{port}");
+        info!("Starting TCP server for devbox proxies on: {}", bind_addr);
+
+        let mut listener = tarpc::serde_transport::tcp::listen(
+            ("0.0.0.0", port),
+            tarpc::tokio_serde::formats::Bincode::default,
+        )
+        .await?;
+        info!("TCP server listening on: {}", bind_addr);
+
+        let m = Self {
+            devbox_proxies: Arc::new(RwLock::new(HashMap::new())),
+        };
+
+        {
+            let m = m.clone();
+            tokio::spawn(async move {
+                while let Some(conn) = listener.next().await {
+                    if let Ok(conn) = conn {
+                        let m = m.clone();
+                        tokio::spawn(async move {
+                            let (server_chan, client_chan, _) = spawn_twoway(conn);
+                            let rpc_client = DevboxProxyRpcClient::new(
+                                tarpc::client::Config::default(),
+                                client_chan,
+                            )
+                            .spawn();
+                            let rpc_server =
+                                DevboxProxyManagerRpcServer::new(m.clone(), rpc_client);
+                            BaseChannel::with_defaults(server_chan)
+                                .execute(rpc_server.serve())
+                                .for_each(|resp| async move {
+                                    tokio::spawn(resp);
+                                })
+                                .await;
+                        });
+                    }
+                }
+                error!("Devbox proxy manager TCP connection stopped");
+            });
+        }
+
+        Ok(m)
+    }
+
+    pub async fn get_proxy_client(&self, environment_id: Uuid) -> Option<DevboxProxyRpcClient> {
+        let proxies = self.devbox_proxies.read().await;
+        proxies.get(&environment_id).cloned()
+    }
+}
diff --git a/crates/kube-manager/src/devbox_proxy_manager_rpc.rs b/crates/kube-manager/src/devbox_proxy_manager_rpc.rs
new file mode 100644
index 0000000..8808556
--- /dev/null
+++ b/crates/kube-manager/src/devbox_proxy_manager_rpc.rs
@@ -0,0 +1,54 @@
+use lapdev_kube_rpc::{DevboxProxyManagerRpc, DevboxProxyRpcClient};
+use tracing::info;
+use uuid::Uuid;
+
+use crate::devbox_proxy_manager::DevboxProxyManager;
+
+#[derive(Clone)]
+pub struct DevboxProxyManagerRpcServer {
+    manager: DevboxProxyManager,
+    rpc_client: DevboxProxyRpcClient,
+}
+
+impl DevboxProxyManagerRpcServer {
+    pub(crate) fn new(manager: DevboxProxyManager, rpc_client: DevboxProxyRpcClient) -> Self {
+        Self {
+            manager,
+            rpc_client,
+        }
+    }
+}
+
+impl DevboxProxyManagerRpc for DevboxProxyManagerRpcServer {
+    async fn register_devbox_proxy(
+        self,
+        _context: ::tarpc::context::Context,
+        environment_id: Uuid,
+    ) -> Result<(), String> {
+        info!(
+            "Registering devbox-proxy for environment {}",
+            environment_id
+        );
+
+        self.manager
+            .devbox_proxies
+            .write()
+            .await
+            .insert(environment_id, self.rpc_client.clone());
+
+        Ok(())
+    }
+
+    async fn heartbeat(
+        self,
+        _context: ::tarpc::context::Context,
+        environment_id: Uuid,
+    ) -> Result<(), String> {
+        // TODO: Update last_heartbeat timestamp
+        tracing::debug!(
+            "Heartbeat from devbox-proxy for environment {}",
+            environment_id
+        );
+        Ok(())
+    }
+}
diff --git a/crates/kube-manager/src/lib.rs b/crates/kube-manager/src/lib.rs
new file mode 100644
index 0000000..9e329b5
--- /dev/null
+++ b/crates/kube-manager/src/lib.rs
@@ -0,0 +1,8 @@
+pub mod devbox_proxy_manager;
+pub mod devbox_proxy_manager_rpc;
+pub mod manager;
+pub mod manager_rpc;
+pub mod sidecar_proxy_manager;
+pub mod sidecar_proxy_manager_rpc;
+pub mod tunnel;
+pub mod watch_manager;
diff --git a/crates/kube-manager/src/main.rs b/crates/kube-manager/src/main.rs
new file mode 100644
index 0000000..4251795
--- /dev/null
+++ b/crates/kube-manager/src/main.rs
@@ -0,0 +1,28 @@
+use tracing_subscriber::prelude::*;
+
+#[tokio::main]
+pub async fn main() {
+    // Initialize tracing with journald
+    let var = std::env::var("RUST_LOG").unwrap_or_default();
+    let var = format!(
+        "error,tarpc=warn,tarpc::client=warn,lapdev_kube_manager=info,lapdev_kube=info,lapdev_rpc=info,lapdev_common=info,{var}"
+    );
+    let filter = tracing_subscriber::EnvFilter::builder().parse_lossy(var);
+
+    match tracing_journald::layer() {
+        Ok(journald_layer) => {
+            tracing_subscriber::registry()
+                .with(filter)
+                .with(journald_layer)
+                .init();
+        }
+        Err(_) => {
+            // Fallback to stdout if journald is not available
+            tracing_subscriber::fmt().with_env_filter(filter).init();
+        }
+    }
+
+    if let Err(e) = lapdev_kube_manager::manager::KubeManager::connect_cluster().await {
+        tracing::error!("error: {e:?}");
+    }
+}
diff --git a/crates/kube-manager/src/manager.rs b/crates/kube-manager/src/manager.rs
new file mode 100644
index 0000000..cf1455b
--- /dev/null
+++ b/crates/kube-manager/src/manager.rs
@@ -0,0 +1,2034 @@
+use std::{collections::HashMap, fs, net::SocketAddr, sync::Arc, time::Instant};
+
+use anyhow::{anyhow, Result};
+use chrono::Utc;
+use futures::StreamExt;
+use k8s_openapi::{
+    api::{
+        apps::v1::{DaemonSet, Deployment, ReplicaSet, StatefulSet},
+        batch::v1::{CronJob, Job},
+        core::v1::{ConfigMap, Namespace, Pod, Secret, Service},
+    },
+    NamespaceResourceScope,
+};
+use kube::{
+    api::{DeleteParams, ListParams},
+    Resource,
+};
+use lapdev_common::{
+    devbox::{DirectTunnelConfig, DirectTunnelCredential},
+    kube::{
+        KubeClusterInfo, KubeClusterStatus, KubeNamespaceInfo, KubeWorkload, KubeWorkloadKind,
+        KubeWorkloadList, PaginationCursor, PaginationParams, DEFAULT_KUBE_CLUSTER_TUNNEL_URL,
+        DEFAULT_KUBE_CLUSTER_URL, KUBE_CLUSTER_TOKEN_ENV_VAR, KUBE_CLUSTER_TOKEN_HEADER,
+        KUBE_CLUSTER_TUNNEL_URL_ENV_VAR, KUBE_CLUSTER_URL_ENV_VAR,
+    },
+};
+use lapdev_kube_rpc::{
+    DevboxRouteConfig, KubeClusterRpcClient, KubeManagerRpc, KubeWorkloadYamlOnly,
+    KubeWorkloadsWithResources, NamespacedResourceKind, NamespacedResourceRequest,
+    NamespacedResourceResponse, ProxyBranchRouteConfig,
+};
+use lapdev_rpc::spawn_twoway;
+use lapdev_tunnel::{direct::DirectEndpoint, websocket_serde_transport};
+use serde::de::DeserializeOwned;
+use tarpc::server::{BaseChannel, Channel};
+use tokio::{
+    task::JoinHandle,
+    time::{sleep, Duration, MissedTickBehavior},
+};
+use tokio_tungstenite::tungstenite::client::IntoClientRequest;
+use uuid::Uuid;
+
+use crate::manager_rpc::KubeManagerRpcServer;
+use crate::{
+    devbox_proxy_manager::DevboxProxyManager, sidecar_proxy_manager::SidecarProxyManager,
+    tunnel::TunnelManager, watch_manager::WatchManager,
+};
+
+const CLUSTER_HEARTBEAT_INTERVAL_SECS: u64 = 30;
+
+#[derive(Clone)]
+pub struct KubeManager {
+    pub(crate) kube_client: Arc<kube::Client>,
+    // rpc_client: KubeClusterRpcClient,
+    proxy_manager: Arc<SidecarProxyManager>,
+    pub(crate) devbox_proxy_manager: Arc<DevboxProxyManager>,
+    tunnel_manager: TunnelManager,
+    pub(crate) watch_manager: Arc<WatchManager>,
+    manager_namespace: Option<String>,
+    direct_endpoint: Arc<DirectEndpoint>,
+}
+
+impl KubeManager {
+    pub async fn connect_cluster() -> Result<()> {
+        let kube_client = Arc::new(Self::new_kube_client().await.map_err(|e| {
+            tracing::error!("Failed to create Kubernetes client: {}", e);
+            e
+        })?);
+
+        let proxy_manager = Arc::new(SidecarProxyManager::new().await?);
+        let devbox_proxy_manager = Arc::new(DevboxProxyManager::new().await?);
+        let watch_manager = Arc::new(WatchManager::new(kube_client.clone()));
+        let direct_endpoint = Arc::new(
+            DirectEndpoint::bind()
+                .await
+                .map_err(|e| anyhow::anyhow!("failed to initialize direct endpoint: {e}"))?,
+        );
+        {
+            let direct_endpoint = Arc::clone(&direct_endpoint);
+            tokio::spawn(async move {
+                direct_endpoint.start_tunnel_server().await;
+            });
+        }
+        let token = std::env::var(KUBE_CLUSTER_TOKEN_ENV_VAR)
+            .map_err(|_| anyhow::anyhow!("can't find env var {}", KUBE_CLUSTER_TOKEN_ENV_VAR))?;
+        let url = std::env::var(KUBE_CLUSTER_URL_ENV_VAR)
+            .unwrap_or_else(|_| DEFAULT_KUBE_CLUSTER_URL.to_string());
+        let tunnel_url = std::env::var(KUBE_CLUSTER_TUNNEL_URL_ENV_VAR)
+            .unwrap_or_else(|_| DEFAULT_KUBE_CLUSTER_TUNNEL_URL.to_string());
+
+        tracing::info!("Connecting to Lapdev cluster at: {}", url);
+
+        let mut request = url.into_client_request()?;
+        request
+            .headers_mut()
+            .insert(KUBE_CLUSTER_TOKEN_HEADER, token.parse()?);
+
+        let mut tunnel_request = tunnel_url.into_client_request()?;
+        tunnel_request
+            .headers_mut()
+            .insert(KUBE_CLUSTER_TOKEN_HEADER, token.parse()?);
+
+        let manager_namespace = Self::detect_manager_namespace();
+
+        let manager = KubeManager {
+            kube_client,
+            proxy_manager,
+            devbox_proxy_manager,
+            tunnel_manager: TunnelManager::new(tunnel_request, token.clone()),
+            watch_manager,
+            manager_namespace,
+            direct_endpoint,
+        };
+
+        // Start the tunnel manager connection cycle in the background
+        let tunnel_manager = manager.tunnel_manager.clone();
+        let tunnel_task = tokio::spawn(async move {
+            if let Err(e) = tunnel_manager.start_tunnel_cycle().await {
+                tracing::error!("Tunnel connection cycle failed: {}", e);
+            }
+        });
+
+        // Start the main RPC connection cycle
+        let main_task = tokio::spawn(async move {
+            loop {
+                match manager.handle_connection_cycle(request.clone()).await {
+                    Ok(_) => {
+                        tracing::warn!("Connection cycle completed, will retry in 5 second...");
+                    }
+                    Err(e) => {
+                        tracing::warn!("Connection cycle failed: {}, retrying in 5 seconds...", e);
+                    }
+                }
+                tokio::time::sleep(std::time::Duration::from_secs(5)).await;
+            }
+        });
+
+        // Wait for either task to complete (they should run forever)
+        tokio::select! {
+            result = tunnel_task => {
+                tracing::error!("Tunnel task completed unexpectedly: {:?}", result);
+                Err(anyhow!("Tunnel task completed unexpectedly"))
+            }
+            result = main_task => {
+                tracing::error!("Main task completed unexpectedly: {:?}", result);
+                Err(anyhow!("Main task completed unexpectedly"))
+            }
+        }
+    }
+
+    async fn handle_connection_cycle(
+        &self,
+        request: tokio_tungstenite::tungstenite::http::Request<()>,
+    ) -> Result<()> {
+        tracing::info!("Attempting to connect to cluster...");
+
+        let (stream, _) = tokio_tungstenite::connect_async(request.clone()).await?;
+
+        tracing::info!("WebSocket connection established");
+
+        let transport =
+            websocket_serde_transport(stream, tarpc::tokio_serde::formats::Bincode::default());
+        let (server_chan, client_chan, _) = spawn_twoway(transport);
+
+        let rpc_client =
+            KubeClusterRpcClient::new(tarpc::client::Config::default(), client_chan).spawn();
+
+        self.watch_manager.set_rpc_client(rpc_client.clone()).await;
+        self.proxy_manager
+            .set_cluster_rpc_client(rpc_client.clone())
+            .await;
+
+        let rpc_server = KubeManagerRpcServer::new(self.clone(), rpc_client.clone());
+
+        // Spawn the WebSocket RPC server mainloop in the background
+        let rpc_clone = rpc_server.clone();
+        let websocket_server_task = tokio::spawn(async move {
+            tracing::info!("Starting WebSocket RPC server...");
+            BaseChannel::with_defaults(server_chan)
+                .execute(rpc_clone.serve())
+                .for_each(|resp| async move {
+                    tokio::spawn(resp);
+                })
+                .await;
+            tracing::info!("WebSocket RPC server stopped");
+        });
+
+        // // Spawn the TCP server for sidecar proxies in the background
+        // let tcp_proxy_manager = proxy_manager.clone();
+        // let tcp_server_task = tokio::spawn(async move {
+        //     if let Err(e) = tcp_proxy_manager.start_tcp_server().await {
+        //         tracing::error!("TCP server failed: {}", e);
+        //     }
+        // });
+
+        // Report cluster info immediately after connection
+        if let Err(e) = rpc_server.report_cluster_info().await {
+            tracing::error!("Failed to report cluster info: {}", e);
+            // Don't fail the entire connection for this, just log and continue
+        } else {
+            tracing::info!("Successfully reported cluster info");
+        }
+
+        let heartbeat_task = Self::spawn_cluster_heartbeat_task(rpc_client.clone());
+
+        let websocket_result = websocket_server_task.await;
+
+        self.watch_manager.clear_rpc_client().await;
+        self.proxy_manager.clear_cluster_rpc_client().await;
+        heartbeat_task.abort();
+        let _ = heartbeat_task.await;
+
+        if let Err(e) = websocket_result {
+            return Err(anyhow!("WebSocket RPC server task failed: {}", e));
+        }
+
+        Ok(())
+    }
+
+    async fn new_kube_client() -> Result<kube::Client> {
+        let config = Self::retrieve_cluster_config().await?;
+        let client = kube::Client::try_from(config)?;
+        Ok(client)
+    }
+
+    async fn retrieve_cluster_config() -> Result<kube::Config> {
+        Ok(kube::Config::infer().await?)
+    }
+
+    fn detect_manager_namespace() -> Option<String> {
+        if let Ok(ns) = std::env::var("POD_NAMESPACE") {
+            let trimmed = ns.trim();
+            if !trimmed.is_empty() {
+                return Some(trimmed.to_string());
+            }
+        }
+
+        fs::read_to_string("/var/run/secrets/kubernetes.io/serviceaccount/namespace")
+            .ok()
+            .map(|contents| contents.trim().to_string())
+            .filter(|value| !value.is_empty())
+    }
+}
+
+impl KubeManager {
+    fn spawn_cluster_heartbeat_task(rpc_client: KubeClusterRpcClient) -> JoinHandle<()> {
+        tokio::spawn(async move {
+            let mut interval =
+                tokio::time::interval(Duration::from_secs(CLUSTER_HEARTBEAT_INTERVAL_SECS));
+            interval.set_missed_tick_behavior(MissedTickBehavior::Skip);
+
+            if !Self::send_cluster_heartbeat(&rpc_client).await {
+                return;
+            }
+
+            loop {
+                interval.tick().await;
+                if !Self::send_cluster_heartbeat(&rpc_client).await {
+                    break;
+                }
+            }
+        })
+    }
+
+    async fn send_cluster_heartbeat(rpc_client: &KubeClusterRpcClient) -> bool {
+        match rpc_client.heartbeat(tarpc::context::current()).await {
+            Ok(Ok(())) => true,
+            Ok(Err(err)) => {
+                tracing::warn!("Cluster heartbeat rejected by API: {}", err);
+                false
+            }
+            Err(err) => {
+                tracing::debug!("Cluster heartbeat stopped: {}", err);
+                false
+            }
+        }
+    }
+
+    pub(crate) async fn collect_cluster_info(&self) -> Result<KubeClusterInfo> {
+        let client = &self.kube_client;
+
+        // Get cluster version
+        let version = client.apiserver_version().await?;
+
+        // Get nodes and calculate cluster resources
+        let nodes = self.get_cluster_nodes(client).await?;
+        let (total_cpu_millicores, total_memory_bytes) = self.calculate_cluster_resources(&nodes);
+        let node_count = nodes.len() as u32;
+        let status = KubeClusterStatus::Ready;
+
+        // Detect provider and region from node labels
+        let (detected_provider, detected_region) = self.detect_provider_and_region(&nodes);
+
+        // Use detected values with environment variable fallbacks
+        let provider = detected_provider.or_else(|| std::env::var("CLUSTER_PROVIDER").ok());
+        let region = detected_region.or_else(|| std::env::var("CLUSTER_REGION").ok());
+
+        Ok(KubeClusterInfo {
+            cluster_version: format!("{}.{}", version.major, version.minor),
+            node_count,
+            available_cpu: format!("{}m", total_cpu_millicores),
+            available_memory: format!("{}bytes", total_memory_bytes),
+            provider,
+            region,
+            status,
+            manager_namespace: self.manager_namespace.clone(),
+        })
+    }
+
+    async fn get_cluster_nodes(
+        &self,
+        client: &kube::Client,
+    ) -> Result<Vec<k8s_openapi::api::core::v1::Node>> {
+        let nodes: kube::Api<k8s_openapi::api::core::v1::Node> = kube::Api::all(client.clone());
+        let node_list = nodes.list(&ListParams::default()).await?;
+        Ok(node_list.items)
+    }
+
+    fn calculate_cluster_resources(
+        &self,
+        nodes: &[k8s_openapi::api::core::v1::Node],
+    ) -> (i64, i64) {
+        let mut total_cpu_millicores = 0i64;
+        let mut total_memory_bytes = 0i64;
+
+        for node in nodes {
+            if let Some(status) = &node.status {
+                if let Some(allocatable) = &status.allocatable {
+                    total_cpu_millicores += Self::parse_cpu_resource(allocatable.get("cpu"));
+                    total_memory_bytes += Self::parse_memory_resource(allocatable.get("memory"));
+                }
+            }
+        }
+
+        (total_cpu_millicores, total_memory_bytes)
+    }
+
+    fn parse_cpu_resource(
+        cpu_quantity: Option<&k8s_openapi::apimachinery::pkg::api::resource::Quantity>,
+    ) -> i64 {
+        if let Some(cpu) = cpu_quantity {
+            let cpu_str = cpu.0.as_str();
+            if cpu_str.ends_with('m') {
+                cpu_str.trim_end_matches('m').parse::<i64>().unwrap_or(0)
+            } else {
+                cpu_str.parse::<i64>().unwrap_or(0) * 1000
+            }
+        } else {
+            0
+        }
+    }
+
+    pub(crate) async fn configure_namespace_watches(&self, namespaces: Vec<String>) -> Result<()> {
+        tracing::info!(
+            namespace_count = namespaces.len(),
+            "Configuring namespace watches"
+        );
+        self.watch_manager.configure_watches(namespaces).await
+    }
+
+    pub(crate) async fn add_namespace_watch(&self, namespace: String) -> Result<()> {
+        tracing::info!(namespace = namespace.as_str(), "Adding namespace watch");
+        self.watch_manager.add_namespace_watch(namespace).await
+    }
+
+    pub(crate) async fn remove_namespace_watch(&self, namespace: String) -> Result<()> {
+        tracing::info!(namespace = namespace.as_str(), "Removing namespace watch");
+        self.watch_manager.remove_namespace_watch(namespace).await
+    }
+
+    fn parse_memory_resource(
+        memory_quantity: Option<&k8s_openapi::apimachinery::pkg::api::resource::Quantity>,
+    ) -> i64 {
+        if let Some(memory) = memory_quantity {
+            let memory_str = memory.0.as_str();
+            if memory_str.ends_with("Ki") {
+                memory_str
+                    .trim_end_matches("Ki")
+                    .parse::<i64>()
+                    .unwrap_or(0)
+                    * 1024
+            } else if memory_str.ends_with("Mi") {
+                memory_str
+                    .trim_end_matches("Mi")
+                    .parse::<i64>()
+                    .unwrap_or(0)
+                    * 1024
+                    * 1024
+            } else if memory_str.ends_with("Gi") {
+                memory_str
+                    .trim_end_matches("Gi")
+                    .parse::<i64>()
+                    .unwrap_or(0)
+                    * 1024
+                    * 1024
+                    * 1024
+            } else {
+                0
+            }
+        } else {
+            0
+        }
+    }
+
+    fn detect_provider_and_region(
+        &self,
+        nodes: &[k8s_openapi::api::core::v1::Node],
+    ) -> (Option<String>, Option<String>) {
+        let mut detected_provider = nodes
+            .iter()
+            .filter_map(|node| {
+                node.spec
+                    .as_ref()
+                    .and_then(|spec| spec.provider_id.as_deref())
+                    .and_then(Self::detect_provider_from_provider_id)
+            })
+            .next();
+        let mut detected_region = None;
+
+        for node in nodes {
+            if let Some(labels) = &node.metadata.labels {
+                // Get region from topology labels
+                if detected_region.is_none() {
+                    detected_region = labels
+                        .get("topology.kubernetes.io/region")
+                        .or_else(|| labels.get("failure-domain.beta.kubernetes.io/region"))
+                        .cloned();
+                }
+
+                // Detect provider from instance type
+                if detected_provider.is_none() {
+                    detected_provider = Self::detect_provider_from_labels(labels).or_else(|| {
+                        labels
+                            .get("node.kubernetes.io/instance-type")
+                            .and_then(|value| Self::detect_provider_from_instance_type(value))
+                    });
+                }
+
+                // Break early if we have both
+                if detected_provider.is_some() && detected_region.is_some() {
+                    break;
+                }
+            }
+        }
+
+        (detected_provider, detected_region)
+    }
+
+    fn detect_provider_from_provider_id(provider_id: &str) -> Option<String> {
+        if provider_id.starts_with("aws:///") {
+            Some("AWS".to_string())
+        } else if provider_id.starts_with("gce://") {
+            Some("GCP".to_string())
+        } else if provider_id.starts_with("azure:///") {
+            Some("Azure".to_string())
+        } else {
+            None
+        }
+    }
+
+    fn detect_provider_from_instance_type(instance_type: &str) -> Option<String> {
+        if instance_type.starts_with('m')
+            || instance_type.starts_with('c')
+            || instance_type.starts_with('r')
+            || instance_type.starts_with('t')
+            || instance_type.starts_with('a')
+            || instance_type.starts_with('i')
+        {
+            Some("AWS".to_string())
+        } else if instance_type.starts_with('n')
+            || instance_type.starts_with('e')
+            || instance_type.contains("standard")
+        {
+            Some("GCP".to_string())
+        } else if instance_type.starts_with("Standard_") {
+            Some("Azure".to_string())
+        } else {
+            None
+        }
+    }
+
+    fn detect_provider_from_labels(
+        labels: &std::collections::BTreeMap<String, String>,
+    ) -> Option<String> {
+        if labels.contains_key("eks.amazonaws.com/nodegroup")
+            || labels.contains_key("alpha.eksctl.io/nodegroup-name")
+            || labels.contains_key("karpenter.sh/nodepool")
+        {
+            Some("AWS".to_string())
+        } else if labels.contains_key("cloud.google.com/gke-nodepool")
+            || labels.contains_key("cloud.google.com/machine-family")
+            || labels.contains_key("topology.gke.io/zone")
+        {
+            Some("GCP".to_string())
+        } else if labels.contains_key("kubernetes.azure.com/nodepool-name")
+            || labels.contains_key("agentpool")
+            || labels.contains_key("azure.microsoft.com/machine")
+        {
+            Some("Azure".to_string())
+        } else {
+            None
+        }
+    }
+
+    pub(crate) async fn collect_workloads(
+        &self,
+        namespace: Option<String>,
+        workload_kind_filter: Option<KubeWorkloadKind>,
+        include_system_workloads: bool,
+        pagination: Option<PaginationParams>,
+    ) -> Result<KubeWorkloadList> {
+        tracing::debug!("pagination is {pagination:?}");
+
+        let (cursor, limit) = if let Some(pagination) = pagination {
+            (pagination.cursor, pagination.limit.max(1))
+        } else {
+            (None, 50) // Default reasonable limit
+        };
+
+        tracing::debug!("cursor {cursor:?}");
+
+        // Collect workloads sequentially by resource type, starting from the cursor position
+        let mut all_workloads = Vec::new();
+        let all_resource_types = [
+            KubeWorkloadKind::Deployment,
+            KubeWorkloadKind::StatefulSet,
+            KubeWorkloadKind::DaemonSet,
+            KubeWorkloadKind::ReplicaSet,
+            KubeWorkloadKind::Pod,
+            KubeWorkloadKind::Job,
+            KubeWorkloadKind::CronJob,
+        ];
+
+        // Filter resource types based on workload_kind_filter
+        let resource_types: Vec<KubeWorkloadKind> = if let Some(filter_kind) = workload_kind_filter
+        {
+            vec![filter_kind]
+        } else {
+            all_resource_types.to_vec()
+        };
+
+        // Find starting resource type index
+        let start_index = if let Some(cursor) = &cursor {
+            resource_types
+                .iter()
+                .position(|rt| *rt == cursor.workload_kind)
+                .unwrap_or(0)
+        } else {
+            0
+        };
+
+        let mut resource_types_iter = resource_types.iter().skip(start_index).peekable();
+        while let Some(current_resource_type) = resource_types_iter.next() {
+            // Use cursor only for the first resource type we're collecting from
+            let current_cursor = if let Some(cursor) = &cursor {
+                if *current_resource_type == cursor.workload_kind {
+                    cursor.continue_token.clone()
+                } else {
+                    None
+                }
+            } else {
+                None
+            };
+            let collect_limit = limit.saturating_sub(all_workloads.len());
+
+            let (collected_workloads, resource_continue_token) = match *current_resource_type {
+                KubeWorkloadKind::Deployment => {
+                    self.collect_resources_with_cursor(
+                        namespace.as_deref(),
+                        current_cursor,
+                        collect_limit,
+                        include_system_workloads,
+                        Self::deployment_to_workload,
+                    )
+                    .await?
+                }
+                KubeWorkloadKind::StatefulSet => {
+                    self.collect_resources_with_cursor(
+                        namespace.as_deref(),
+                        current_cursor,
+                        collect_limit,
+                        include_system_workloads,
+                        Self::statefulset_to_workload,
+                    )
+                    .await?
+                }
+                KubeWorkloadKind::DaemonSet => {
+                    self.collect_resources_with_cursor(
+                        namespace.as_deref(),
+                        current_cursor,
+                        collect_limit,
+                        include_system_workloads,
+                        Self::daemonset_to_workload,
+                    )
+                    .await?
+                }
+                KubeWorkloadKind::ReplicaSet => {
+                    self.collect_resources_with_cursor(
+                        namespace.as_deref(),
+                        current_cursor,
+                        collect_limit,
+                        include_system_workloads,
+                        Self::replicaset_to_workload,
+                    )
+                    .await?
+                }
+                KubeWorkloadKind::Pod => {
+                    self.collect_resources_with_cursor(
+                        namespace.as_deref(),
+                        current_cursor,
+                        collect_limit,
+                        include_system_workloads,
+                        Self::pod_to_workload,
+                    )
+                    .await?
+                }
+                KubeWorkloadKind::Job => {
+                    self.collect_resources_with_cursor(
+                        namespace.as_deref(),
+                        current_cursor,
+                        collect_limit,
+                        include_system_workloads,
+                        Self::job_to_workload,
+                    )
+                    .await?
+                }
+                KubeWorkloadKind::CronJob => {
+                    self.collect_resources_with_cursor(
+                        namespace.as_deref(),
+                        current_cursor,
+                        collect_limit,
+                        include_system_workloads,
+                        Self::cronjob_to_workload,
+                    )
+                    .await?
+                }
+            };
+
+            all_workloads.extend(collected_workloads);
+            if all_workloads.len() >= limit {
+                let next_cursor = if let Some(continue_token) = resource_continue_token {
+                    // If we have a continue token for this resource type,
+                    // we know that we filled our limit,
+                    // so we are done for the collection
+                    // and we should use this token for the next request
+                    Some(PaginationCursor {
+                        workload_kind: current_resource_type.clone(),
+                        continue_token: Some(continue_token),
+                    })
+                } else {
+                    // if we don't have a continue token
+                    // we know that we had everything from this current resource type
+                    // so we need to set the cursor to the next workload kind
+                    resource_types_iter.peek().map(|next| PaginationCursor {
+                        workload_kind: (**next).clone(),
+                        continue_token: None,
+                    })
+                };
+                return Ok(KubeWorkloadList {
+                    workloads: all_workloads,
+                    next_cursor,
+                });
+            }
+        }
+
+        // at this point, we should already iter over all the resources we can find
+        // so we know there no more
+        Ok(KubeWorkloadList {
+            workloads: all_workloads,
+            next_cursor: None,
+        })
+    }
+
+    pub(crate) async fn collect_namespaces(&self) -> Result<Vec<KubeNamespaceInfo>> {
+        let client = &self.kube_client;
+        let namespaces: kube::Api<Namespace> = kube::Api::all((**client).clone());
+
+        let namespace_list = namespaces.list(&ListParams::default()).await?;
+
+        let mut kube_namespaces = Vec::new();
+        for namespace in namespace_list.items {
+            let name = namespace.metadata.name.unwrap_or_default();
+            let status = namespace
+                .status
+                .as_ref()
+                .and_then(|s| s.phase.as_ref())
+                .map(|p| p.clone())
+                .unwrap_or_else(|| "Unknown".to_string());
+            let created_at = namespace
+                .metadata
+                .creation_timestamp
+                .map(|t| format!("{t:?}"));
+
+            kube_namespaces.push(KubeNamespaceInfo {
+                name,
+                status,
+                created_at,
+            });
+        }
+
+        kube_namespaces.sort_by(|a, b| a.name.cmp(&b.name));
+
+        Ok(kube_namespaces)
+    }
+
+    // Generic helper method for collecting resources with cursor-based pagination
+    // Only includes top-level resources (those without owner references)
+    async fn collect_resources_with_cursor<T, F>(
+        &self,
+        namespace: Option<&str>,
+        cursor: Option<String>,
+        limit: usize,
+        include_system_workloads: bool,
+        converter: F,
+    ) -> Result<(Vec<KubeWorkload>, Option<String>)>
+    where
+        T: kube::Resource<Scope = NamespaceResourceScope>
+            + Clone
+            + serde::de::DeserializeOwned
+            + std::fmt::Debug,
+        T::DynamicType: Default,
+        F: Fn(T) -> KubeWorkload,
+    {
+        let client = &self.kube_client;
+        let api: kube::Api<T> = if let Some(ns) = namespace {
+            kube::Api::namespaced((**client).clone(), ns)
+        } else {
+            kube::Api::all((**client).clone())
+        };
+
+        let batch_size = 50;
+        let mut all_workloads = Vec::new();
+        let mut continue_token = cursor;
+
+        loop {
+            let list_params = ListParams {
+                limit: Some(batch_size),
+                continue_token: continue_token.clone(),
+                ..Default::default()
+            };
+
+            let list = api.list(&list_params).await?;
+            for item in list.items {
+                // Only include top-level resources (no owner references)
+                if !Self::has_owner_references(&item) {
+                    let is_system_workload = Self::is_system_workload(&item);
+
+                    // Include workload based on system workloads filter
+                    if include_system_workloads || !is_system_workload {
+                        let workload = converter(item);
+                        all_workloads.push(workload);
+                    }
+                }
+            }
+
+            continue_token = list.metadata.continue_;
+            if continue_token.is_none() || all_workloads.len() >= limit {
+                break;
+            }
+        }
+
+        Ok((all_workloads, continue_token))
+    }
+
+    fn deployment_to_workload(deployment: Deployment) -> KubeWorkload {
+        KubeWorkload {
+            name: deployment.metadata.name.unwrap_or_default(),
+            namespace: deployment.metadata.namespace.unwrap_or_default(),
+            kind: KubeWorkloadKind::Deployment,
+            replicas: deployment.spec.as_ref().and_then(|s| s.replicas),
+            ready_replicas: deployment.status.as_ref().and_then(|s| s.ready_replicas),
+            created_at: deployment
+                .metadata
+                .creation_timestamp
+                .map(|t| format!("{t:?}")),
+            labels: deployment
+                .metadata
+                .labels
+                .unwrap_or_default()
+                .into_iter()
+                .collect(),
+        }
+    }
+
+    fn statefulset_to_workload(statefulset: StatefulSet) -> KubeWorkload {
+        KubeWorkload {
+            name: statefulset.metadata.name.unwrap_or_default(),
+            namespace: statefulset.metadata.namespace.unwrap_or_default(),
+            kind: KubeWorkloadKind::StatefulSet,
+            replicas: statefulset.spec.as_ref().and_then(|s| s.replicas),
+            ready_replicas: statefulset.status.as_ref().and_then(|s| s.ready_replicas),
+            created_at: statefulset
+                .metadata
+                .creation_timestamp
+                .map(|t| format!("{t:?}")),
+            labels: statefulset
+                .metadata
+                .labels
+                .unwrap_or_default()
+                .into_iter()
+                .collect(),
+        }
+    }
+
+    fn daemonset_to_workload(daemonset: DaemonSet) -> KubeWorkload {
+        KubeWorkload {
+            name: daemonset.metadata.name.unwrap_or_default(),
+            namespace: daemonset.metadata.namespace.unwrap_or_default(),
+            kind: KubeWorkloadKind::DaemonSet,
+            replicas: daemonset
+                .status
+                .as_ref()
+                .map(|s| s.desired_number_scheduled),
+            ready_replicas: daemonset.status.as_ref().map(|s| s.number_ready),
+            created_at: daemonset
+                .metadata
+                .creation_timestamp
+                .map(|t| format!("{t:?}")),
+            labels: daemonset
+                .metadata
+                .labels
+                .unwrap_or_default()
+                .into_iter()
+                .collect(),
+        }
+    }
+
+    fn pod_to_workload(pod: Pod) -> KubeWorkload {
+        let ready_replicas = match pod.status.as_ref().and_then(|s| s.phase.as_deref()) {
+            Some("Running") | Some("Succeeded") => Some(1),
+            Some("Pending") | Some("Failed") => Some(0),
+            _ => None,
+        };
+
+        KubeWorkload {
+            name: pod.metadata.name.unwrap_or_default(),
+            namespace: pod.metadata.namespace.unwrap_or_default(),
+            kind: KubeWorkloadKind::Pod,
+            replicas: Some(1),
+            ready_replicas,
+            created_at: pod.metadata.creation_timestamp.map(|t| format!("{:?}", t)),
+            labels: pod
+                .metadata
+                .labels
+                .unwrap_or_default()
+                .into_iter()
+                .collect(),
+        }
+    }
+
+    // Generic helper function to check if a resource has owner references (not top-level)
+    fn has_owner_references<T>(resource: &T) -> bool
+    where
+        T: kube::Resource,
+    {
+        resource
+            .meta()
+            .owner_references
+            .as_ref()
+            .is_some_and(|refs| !refs.is_empty())
+    }
+
+    // Helper function to check if a workload is a system workload
+    fn is_system_workload<T>(resource: &T) -> bool
+    where
+        T: kube::Resource,
+    {
+        let meta = resource.meta();
+
+        // Check if in kube-system namespace
+        if let Some(namespace) = &meta.namespace {
+            return namespace == "kube-system";
+        }
+
+        false
+    }
+
+    fn job_to_workload(job: Job) -> KubeWorkload {
+        KubeWorkload {
+            name: job.metadata.name.unwrap_or_default(),
+            namespace: job.metadata.namespace.unwrap_or_default(),
+            kind: KubeWorkloadKind::Job,
+            replicas: job.spec.as_ref().and_then(|s| s.parallelism),
+            ready_replicas: job.status.as_ref().and_then(|s| s.succeeded),
+            created_at: job.metadata.creation_timestamp.map(|t| format!("{t:?}")),
+            labels: job
+                .metadata
+                .labels
+                .unwrap_or_default()
+                .into_iter()
+                .collect(),
+        }
+    }
+
+    fn replicaset_to_workload(replicaset: ReplicaSet) -> KubeWorkload {
+        KubeWorkload {
+            name: replicaset.metadata.name.unwrap_or_default(),
+            namespace: replicaset.metadata.namespace.unwrap_or_default(),
+            kind: KubeWorkloadKind::ReplicaSet,
+            replicas: replicaset.spec.as_ref().and_then(|s| s.replicas),
+            ready_replicas: replicaset.status.as_ref().and_then(|s| s.ready_replicas),
+            created_at: replicaset
+                .metadata
+                .creation_timestamp
+                .map(|t| format!("{t:?}")),
+            labels: replicaset
+                .metadata
+                .labels
+                .unwrap_or_default()
+                .into_iter()
+                .collect(),
+        }
+    }
+
+    fn cronjob_to_workload(cronjob: CronJob) -> KubeWorkload {
+        KubeWorkload {
+            name: cronjob.metadata.name.unwrap_or_default(),
+            namespace: cronjob.metadata.namespace.unwrap_or_default(),
+            kind: KubeWorkloadKind::CronJob,
+            replicas: Some(1), // CronJobs don't have replicas concept
+            ready_replicas: Some(1),
+            created_at: cronjob
+                .metadata
+                .creation_timestamp
+                .map(|t| format!("{t:?}")),
+            labels: cronjob
+                .metadata
+                .labels
+                .unwrap_or_default()
+                .into_iter()
+                .collect(),
+        }
+    }
+
+    pub(crate) async fn get_workload_by_name(
+        &self,
+        name: String,
+        namespace: String,
+    ) -> Result<Option<KubeWorkload>> {
+        let client = &self.kube_client;
+
+        // Try to find the workload by checking different resource types
+        // Check Deployment first
+        let deployments: kube::Api<Deployment> =
+            kube::Api::namespaced((**client).clone(), &namespace);
+        if let Ok(deployment) = deployments.get(&name).await {
+            return Ok(Some(Self::deployment_to_workload(deployment)));
+        }
+
+        // Check StatefulSet
+        let statefulsets: kube::Api<StatefulSet> =
+            kube::Api::namespaced((**client).clone(), &namespace);
+        if let Ok(statefulset) = statefulsets.get(&name).await {
+            return Ok(Some(Self::statefulset_to_workload(statefulset)));
+        }
+
+        // Check DaemonSet
+        let daemonsets: kube::Api<DaemonSet> =
+            kube::Api::namespaced((**client).clone(), &namespace);
+        if let Ok(daemonset) = daemonsets.get(&name).await {
+            return Ok(Some(Self::daemonset_to_workload(daemonset)));
+        }
+
+        // Check Pod
+        let pods: kube::Api<Pod> = kube::Api::namespaced((**client).clone(), &namespace);
+        if let Ok(pod) = pods.get(&name).await {
+            return Ok(Some(Self::pod_to_workload(pod)));
+        }
+
+        // Check Job
+        let jobs: kube::Api<Job> = kube::Api::namespaced((**client).clone(), &namespace);
+        if let Ok(job) = jobs.get(&name).await {
+            return Ok(Some(Self::job_to_workload(job)));
+        }
+
+        Ok(None)
+    }
+
+    pub(crate) async fn fetch_namespaced_resources(
+        &self,
+        requests: Vec<NamespacedResourceRequest>,
+    ) -> Result<Vec<NamespacedResourceResponse>> {
+        let client = &self.kube_client;
+        let mut results = Vec::with_capacity(requests.len());
+
+        for request in requests {
+            let namespace = request.namespace.clone();
+            let configmaps_api: kube::Api<ConfigMap> =
+                kube::Api::namespaced((**client).clone(), &namespace);
+            let secrets_api: kube::Api<Secret> =
+                kube::Api::namespaced((**client).clone(), &namespace);
+
+            let mut configmap_yamls = HashMap::new();
+            for name in request.configmaps {
+                match configmaps_api.get(&name).await {
+                    Ok(configmap) => {
+                        if let Ok(yaml) = serde_yaml::to_string(&configmap) {
+                            configmap_yamls.insert(name.clone(), yaml);
+                        }
+                    }
+                    Err(err) => {
+                        tracing::warn!("Could not fetch ConfigMap {}/{}: {}", namespace, name, err);
+                    }
+                }
+            }
+
+            let mut secret_yamls = HashMap::new();
+            for name in request.secrets {
+                match secrets_api.get(&name).await {
+                    Ok(secret) => {
+                        if let Ok(yaml) = serde_yaml::to_string(&secret) {
+                            secret_yamls.insert(name.clone(), yaml);
+                        }
+                    }
+                    Err(err) => {
+                        tracing::warn!("Could not fetch Secret {}/{}: {}", namespace, name, err);
+                    }
+                }
+            }
+
+            results.push(NamespacedResourceResponse {
+                namespace,
+                configmaps: configmap_yamls,
+                secrets: secret_yamls,
+            });
+        }
+
+        Ok(results)
+    }
+
+    pub(crate) async fn apply_workloads_with_resources(
+        &self,
+        namespace: String,
+        workloads_with_resources: KubeWorkloadsWithResources,
+        labels: std::collections::HashMap<String, String>,
+    ) -> Result<()> {
+        let client = &self.kube_client;
+
+        // Step 1: Ensure namespace exists
+        self.ensure_namespace_exists(&namespace).await?;
+
+        // Step 2: Apply shared resources first (configmaps, secrets, then services)
+        // Apply configmaps first as they might be referenced by workloads
+        for (name, configmap_yaml) in &workloads_with_resources.configmaps {
+            tracing::info!("Applying ConfigMap '{}' to namespace '{}'", name, namespace);
+            self.apply_single_configmap(client, &namespace, configmap_yaml, &labels)
+                .await?;
+        }
+
+        // Apply secrets next as they might be referenced by workloads
+        for (name, secret_yaml) in &workloads_with_resources.secrets {
+            tracing::info!("Applying Secret '{}' to namespace '{}'", name, namespace);
+            self.apply_single_secret(client, &namespace, secret_yaml, &labels)
+                .await?;
+        }
+
+        // Step 3: Apply all workloads
+        for workload in &workloads_with_resources.workloads {
+            tracing::info!("Applying workload to namespace '{}'", namespace);
+            self.apply_workload_only(client, &namespace, workload, &labels)
+                .await?;
+        }
+
+        // Step 4: Apply services last as they reference workloads
+        for (name, service_with_yaml) in &workloads_with_resources.services {
+            tracing::info!("Applying Service '{}' to namespace '{}'", name, namespace);
+            self.apply_single_service(client, &namespace, &service_with_yaml.yaml, &labels)
+                .await?;
+        }
+
+        tracing::info!(
+            "Successfully applied all workloads and resources to namespace '{}'",
+            namespace
+        );
+        Ok(())
+    }
+
+    async fn apply_single_configmap(
+        &self,
+        client: &kube::Client,
+        namespace: &str,
+        configmap_yaml: &str,
+        labels: &std::collections::HashMap<String, String>,
+    ) -> Result<()> {
+        let mut configmap: ConfigMap = serde_yaml::from_str(configmap_yaml)?;
+
+        // Add environment labels to configmap
+        self.add_labels_to_metadata(&mut configmap.metadata, labels);
+
+        // Force namespace
+        configmap.metadata.namespace = Some(namespace.to_string());
+
+        let configmaps_api: kube::Api<ConfigMap> =
+            kube::Api::namespaced((*client).clone(), namespace);
+
+        match configmaps_api
+            .get_opt(&configmap.metadata.name.as_ref().unwrap())
+            .await?
+        {
+            Some(_) => {
+                configmaps_api
+                    .replace(
+                        &configmap.metadata.name.as_ref().unwrap(),
+                        &Default::default(),
+                        &configmap,
+                    )
+                    .await?;
+                tracing::info!(
+                    "Updated configmap: {}",
+                    configmap.metadata.name.as_ref().unwrap()
+                );
+            }
+            None => {
+                configmaps_api
+                    .create(&Default::default(), &configmap)
+                    .await?;
+                tracing::info!(
+                    "Created configmap: {}",
+                    configmap.metadata.name.as_ref().unwrap()
+                );
+            }
+        }
+        Ok(())
+    }
+
+    async fn apply_single_secret(
+        &self,
+        client: &kube::Client,
+        namespace: &str,
+        secret_yaml: &str,
+        labels: &std::collections::HashMap<String, String>,
+    ) -> Result<()> {
+        let mut secret: Secret = serde_yaml::from_str(secret_yaml)?;
+
+        // Add environment labels to secret
+        self.add_labels_to_metadata(&mut secret.metadata, labels);
+
+        // Force namespace
+        secret.metadata.namespace = Some(namespace.to_string());
+
+        let secrets_api: kube::Api<Secret> = kube::Api::namespaced((*client).clone(), namespace);
+
+        match secrets_api
+            .get_opt(&secret.metadata.name.as_ref().unwrap())
+            .await?
+        {
+            Some(_) => {
+                secrets_api
+                    .replace(
+                        &secret.metadata.name.as_ref().unwrap(),
+                        &Default::default(),
+                        &secret,
+                    )
+                    .await?;
+                tracing::info!("Updated secret: {}", secret.metadata.name.as_ref().unwrap());
+            }
+            None => {
+                secrets_api.create(&Default::default(), &secret).await?;
+                tracing::info!("Created secret: {}", secret.metadata.name.as_ref().unwrap());
+            }
+        }
+        Ok(())
+    }
+
+    async fn apply_single_service(
+        &self,
+        client: &kube::Client,
+        namespace: &str,
+        service_yaml: &str,
+        labels: &std::collections::HashMap<String, String>,
+    ) -> Result<()> {
+        let mut service: Service = serde_yaml::from_str(service_yaml)?;
+
+        // Add environment labels to service
+        self.add_labels_to_metadata(&mut service.metadata, labels);
+
+        // Force namespace
+        service.metadata.namespace = Some(namespace.to_string());
+
+        let services_api: kube::Api<Service> = kube::Api::namespaced((*client).clone(), namespace);
+
+        match services_api
+            .get_opt(&service.metadata.name.as_ref().unwrap())
+            .await?
+        {
+            Some(_) => {
+                services_api
+                    .replace(
+                        &service.metadata.name.as_ref().unwrap(),
+                        &Default::default(),
+                        &service,
+                    )
+                    .await?;
+                tracing::info!(
+                    "Updated service: {}",
+                    service.metadata.name.as_ref().unwrap()
+                );
+            }
+            None => {
+                services_api.create(&Default::default(), &service).await?;
+                tracing::info!(
+                    "Created service: {}",
+                    service.metadata.name.as_ref().unwrap()
+                );
+            }
+        }
+        Ok(())
+    }
+
+    async fn apply_workload_only(
+        &self,
+        client: &kube::Client,
+        namespace: &str,
+        workload: &KubeWorkloadYamlOnly,
+        labels: &std::collections::HashMap<String, String>,
+    ) -> Result<()> {
+        match workload {
+            KubeWorkloadYamlOnly::Deployment(yaml) => {
+                self.apply_deployment(namespace, yaml, labels).await?;
+            }
+            KubeWorkloadYamlOnly::StatefulSet(yaml) => {
+                self.apply_statefulset(client, namespace, yaml, labels)
+                    .await?;
+            }
+            KubeWorkloadYamlOnly::DaemonSet(yaml) => {
+                self.apply_daemonset(client, namespace, yaml, labels)
+                    .await?;
+            }
+            KubeWorkloadYamlOnly::ReplicaSet(yaml) => {
+                self.apply_replicaset(client, namespace, yaml, labels)
+                    .await?;
+            }
+            KubeWorkloadYamlOnly::Pod(yaml) => {
+                self.apply_pod(client, namespace, yaml, labels).await?;
+            }
+            KubeWorkloadYamlOnly::Job(yaml) => {
+                self.apply_job(client, namespace, yaml, labels).await?;
+            }
+            KubeWorkloadYamlOnly::CronJob(yaml) => {
+                self.apply_cronjob(client, namespace, yaml, labels).await?;
+            }
+        }
+        Ok(())
+    }
+
+    async fn ensure_namespace_exists(&self, namespace: &str) -> Result<()> {
+        let client = &self.kube_client;
+
+        let namespaces: kube::Api<Namespace> = kube::Api::all((**client).clone());
+
+        // Check if namespace exists
+        if namespaces.get_opt(namespace).await?.is_some() {
+            return Ok(());
+        }
+
+        // Create namespace if it doesn't exist
+        let ns = Namespace {
+            metadata: k8s_openapi::apimachinery::pkg::apis::meta::v1::ObjectMeta {
+                name: Some(namespace.to_string()),
+                ..Default::default()
+            },
+            ..Default::default()
+        };
+
+        namespaces.create(&Default::default(), &ns).await?;
+        tracing::info!("Created namespace: {}", namespace);
+        Ok(())
+    }
+
+    pub(crate) async fn destroy_environment(
+        &self,
+        environment_id: Uuid,
+        namespace: &str,
+    ) -> Result<()> {
+        tracing::info!(
+            "Destroying environment {} and cleaning namespace '{}'",
+            environment_id,
+            namespace
+        );
+        self.delete_namespace(namespace).await
+    }
+
+    pub(crate) async fn delete_namespaced_resource(
+        &self,
+        kind: NamespacedResourceKind,
+        namespace: &str,
+        name: &str,
+    ) -> Result<()> {
+        match kind {
+            NamespacedResourceKind::Deployment => {
+                self.delete_single::<Deployment>(namespace, name).await
+            }
+            NamespacedResourceKind::StatefulSet => {
+                self.delete_single::<StatefulSet>(namespace, name).await
+            }
+            NamespacedResourceKind::DaemonSet => {
+                self.delete_single::<DaemonSet>(namespace, name).await
+            }
+            NamespacedResourceKind::ReplicaSet => {
+                self.delete_single::<ReplicaSet>(namespace, name).await
+            }
+            NamespacedResourceKind::Pod => self.delete_single::<Pod>(namespace, name).await,
+            NamespacedResourceKind::Job => self.delete_single::<Job>(namespace, name).await,
+            NamespacedResourceKind::CronJob => self.delete_single::<CronJob>(namespace, name).await,
+            NamespacedResourceKind::Service => self.delete_single::<Service>(namespace, name).await,
+            NamespacedResourceKind::ConfigMap => {
+                self.delete_single::<ConfigMap>(namespace, name).await
+            }
+            NamespacedResourceKind::Secret => self.delete_single::<Secret>(namespace, name).await,
+        }
+    }
+
+    async fn delete_single<T>(&self, namespace: &str, name: &str) -> Result<()>
+    where
+        T: Clone
+            + DeserializeOwned
+            + std::fmt::Debug
+            + Resource<DynamicType = (), Scope = NamespaceResourceScope>,
+    {
+        let api: kube::Api<T> = kube::Api::namespaced((*self.kube_client).clone(), namespace);
+        match api.delete(name, &DeleteParams::background()).await {
+            Ok(_) => Ok(()),
+            Err(err) => Err(anyhow!(
+                "failed to delete resource {name} in {namespace}: {err}"
+            )),
+        }
+    }
+
+    async fn delete_namespace(&self, namespace: &str) -> Result<()> {
+        let client = &self.kube_client;
+        let namespaces: kube::Api<Namespace> = kube::Api::all((**client).clone());
+
+        if namespaces.get_opt(namespace).await?.is_none() {
+            tracing::info!(
+                "Namespace '{}' not found during deletion, assuming already removed",
+                namespace
+            );
+            return Ok(());
+        }
+
+        match namespaces.delete(namespace, &DeleteParams::default()).await {
+            Ok(_) => {
+                let timeout = Duration::from_secs(60);
+                let start = Instant::now();
+                loop {
+                    if namespaces.get_opt(namespace).await?.is_none() {
+                        tracing::info!("Namespace '{}' deleted successfully", namespace);
+                        break;
+                    }
+
+                    if start.elapsed() >= timeout {
+                        return Err(anyhow!(
+                            "Timed out waiting for namespace '{}' deletion",
+                            namespace
+                        ));
+                    }
+
+                    sleep(Duration::from_secs(1)).await;
+                }
+            }
+            Err(kube::Error::Api(ae)) if ae.code == 404 => {
+                tracing::info!("Namespace '{}' already deleted", namespace);
+            }
+            Err(e) => {
+                return Err(anyhow!("Failed to delete namespace '{}': {}", namespace, e));
+            }
+        }
+
+        Ok(())
+    }
+
+    async fn apply_deployment(
+        &self,
+        namespace: &str,
+        yaml_manifest: &str,
+        labels: &std::collections::HashMap<String, String>,
+    ) -> Result<()> {
+        let mut deployment: Deployment = serde_yaml::from_str(yaml_manifest)?;
+
+        // Add environment labels to deployment
+        self.add_labels_to_metadata(&mut deployment.metadata, labels);
+
+        // Force namespace
+        deployment.metadata.namespace = Some(namespace.to_string());
+
+        let api: kube::Api<Deployment> =
+            kube::Api::namespaced((*self.kube_client).clone(), namespace);
+
+        // Try to create or update the deployment
+        match api
+            .get_opt(&deployment.metadata.name.as_ref().unwrap())
+            .await?
+        {
+            Some(_) => {
+                // Update existing deployment
+                api.replace(
+                    &deployment.metadata.name.as_ref().unwrap(),
+                    &Default::default(),
+                    &deployment,
+                )
+                .await?;
+                tracing::info!(
+                    "Updated deployment: {}",
+                    deployment.metadata.name.as_ref().unwrap()
+                );
+            }
+            None => {
+                // Create new deployment
+                api.create(&Default::default(), &deployment).await?;
+                tracing::info!(
+                    "Created deployment: {}",
+                    deployment.metadata.name.as_ref().unwrap()
+                );
+            }
+        }
+
+        Ok(())
+    }
+
+    async fn apply_statefulset(
+        &self,
+        client: &kube::Client,
+        namespace: &str,
+        yaml_manifest: &str,
+        labels: &std::collections::HashMap<String, String>,
+    ) -> Result<()> {
+        let mut statefulset: StatefulSet = serde_yaml::from_str(yaml_manifest)?;
+
+        self.add_labels_to_metadata(&mut statefulset.metadata, labels);
+        statefulset.metadata.namespace = Some(namespace.to_string());
+
+        let api: kube::Api<StatefulSet> = kube::Api::namespaced((*client).clone(), namespace);
+
+        match api
+            .get_opt(&statefulset.metadata.name.as_ref().unwrap())
+            .await?
+        {
+            Some(_) => {
+                api.replace(
+                    &statefulset.metadata.name.as_ref().unwrap(),
+                    &Default::default(),
+                    &statefulset,
+                )
+                .await?;
+                tracing::info!(
+                    "Updated statefulset: {}",
+                    statefulset.metadata.name.as_ref().unwrap()
+                );
+            }
+            None => {
+                api.create(&Default::default(), &statefulset).await?;
+                tracing::info!(
+                    "Created statefulset: {}",
+                    statefulset.metadata.name.as_ref().unwrap()
+                );
+            }
+        }
+
+        Ok(())
+    }
+
+    async fn apply_daemonset(
+        &self,
+        client: &kube::Client,
+        namespace: &str,
+        yaml_manifest: &str,
+        labels: &std::collections::HashMap<String, String>,
+    ) -> Result<()> {
+        let mut daemonset: DaemonSet = serde_yaml::from_str(yaml_manifest)?;
+
+        self.add_labels_to_metadata(&mut daemonset.metadata, labels);
+        daemonset.metadata.namespace = Some(namespace.to_string());
+
+        let api: kube::Api<DaemonSet> = kube::Api::namespaced((*client).clone(), namespace);
+
+        match api
+            .get_opt(&daemonset.metadata.name.as_ref().unwrap())
+            .await?
+        {
+            Some(_) => {
+                api.replace(
+                    &daemonset.metadata.name.as_ref().unwrap(),
+                    &Default::default(),
+                    &daemonset,
+                )
+                .await?;
+                tracing::info!(
+                    "Updated daemonset: {}",
+                    daemonset.metadata.name.as_ref().unwrap()
+                );
+            }
+            None => {
+                api.create(&Default::default(), &daemonset).await?;
+                tracing::info!(
+                    "Created daemonset: {}",
+                    daemonset.metadata.name.as_ref().unwrap()
+                );
+            }
+        }
+
+        Ok(())
+    }
+
+    async fn apply_pod(
+        &self,
+        client: &kube::Client,
+        namespace: &str,
+        yaml_manifest: &str,
+        labels: &std::collections::HashMap<String, String>,
+    ) -> Result<()> {
+        let mut pod: Pod = serde_yaml::from_str(yaml_manifest)?;
+
+        self.add_labels_to_metadata(&mut pod.metadata, labels);
+        pod.metadata.namespace = Some(namespace.to_string());
+
+        let api: kube::Api<Pod> = kube::Api::namespaced((*client).clone(), namespace);
+
+        match api.get_opt(&pod.metadata.name.as_ref().unwrap()).await? {
+            Some(_) => {
+                api.replace(
+                    &pod.metadata.name.as_ref().unwrap(),
+                    &Default::default(),
+                    &pod,
+                )
+                .await?;
+                tracing::info!("Updated pod: {}", pod.metadata.name.as_ref().unwrap());
+            }
+            None => {
+                api.create(&Default::default(), &pod).await?;
+                tracing::info!("Created pod: {}", pod.metadata.name.as_ref().unwrap());
+            }
+        }
+
+        Ok(())
+    }
+
+    async fn apply_job(
+        &self,
+        client: &kube::Client,
+        namespace: &str,
+        yaml_manifest: &str,
+        labels: &std::collections::HashMap<String, String>,
+    ) -> Result<()> {
+        let mut job: Job = serde_yaml::from_str(yaml_manifest)?;
+
+        self.add_labels_to_metadata(&mut job.metadata, labels);
+        job.metadata.namespace = Some(namespace.to_string());
+
+        let api: kube::Api<Job> = kube::Api::namespaced((*client).clone(), namespace);
+
+        match api.get_opt(&job.metadata.name.as_ref().unwrap()).await? {
+            Some(_) => {
+                api.replace(
+                    &job.metadata.name.as_ref().unwrap(),
+                    &Default::default(),
+                    &job,
+                )
+                .await?;
+                tracing::info!("Updated job: {}", job.metadata.name.as_ref().unwrap());
+            }
+            None => {
+                api.create(&Default::default(), &job).await?;
+                tracing::info!("Created job: {}", job.metadata.name.as_ref().unwrap());
+            }
+        }
+
+        Ok(())
+    }
+
+    async fn apply_cronjob(
+        &self,
+        client: &kube::Client,
+        namespace: &str,
+        yaml_manifest: &str,
+        labels: &std::collections::HashMap<String, String>,
+    ) -> Result<()> {
+        let mut cronjob: CronJob = serde_yaml::from_str(yaml_manifest)?;
+
+        self.add_labels_to_metadata(&mut cronjob.metadata, labels);
+        cronjob.metadata.namespace = Some(namespace.to_string());
+
+        let api: kube::Api<CronJob> = kube::Api::namespaced((*client).clone(), namespace);
+
+        match api
+            .get_opt(&cronjob.metadata.name.as_ref().unwrap())
+            .await?
+        {
+            Some(_) => {
+                api.replace(
+                    &cronjob.metadata.name.as_ref().unwrap(),
+                    &Default::default(),
+                    &cronjob,
+                )
+                .await?;
+                tracing::info!(
+                    "Updated cronjob: {}",
+                    cronjob.metadata.name.as_ref().unwrap()
+                );
+            }
+            None => {
+                api.create(&Default::default(), &cronjob).await?;
+                tracing::info!(
+                    "Created cronjob: {}",
+                    cronjob.metadata.name.as_ref().unwrap()
+                );
+            }
+        }
+
+        Ok(())
+    }
+
+    async fn apply_replicaset(
+        &self,
+        client: &kube::Client,
+        namespace: &str,
+        yaml_manifest: &str,
+        labels: &std::collections::HashMap<String, String>,
+    ) -> Result<()> {
+        let mut replicaset: ReplicaSet = serde_yaml::from_str(yaml_manifest)?;
+
+        self.add_labels_to_metadata(&mut replicaset.metadata, labels);
+        replicaset.metadata.namespace = Some(namespace.to_string());
+
+        let api: kube::Api<ReplicaSet> = kube::Api::namespaced((*client).clone(), namespace);
+
+        match api
+            .get_opt(&replicaset.metadata.name.as_ref().unwrap())
+            .await?
+        {
+            Some(_) => {
+                api.replace(
+                    &replicaset.metadata.name.as_ref().unwrap(),
+                    &Default::default(),
+                    &replicaset,
+                )
+                .await?;
+                tracing::info!(
+                    "Updated replicaset: {}",
+                    replicaset.metadata.name.as_ref().unwrap()
+                );
+            }
+            None => {
+                api.create(&Default::default(), &replicaset).await?;
+                tracing::info!(
+                    "Created replicaset: {}",
+                    replicaset.metadata.name.as_ref().unwrap()
+                );
+            }
+        }
+
+        Ok(())
+    }
+
+    fn add_labels_to_metadata(
+        &self,
+        metadata: &mut k8s_openapi::apimachinery::pkg::apis::meta::v1::ObjectMeta,
+        new_labels: &std::collections::HashMap<String, String>,
+    ) {
+        let labels = metadata.labels.get_or_insert_with(Default::default);
+        for (key, value) in new_labels {
+            labels.insert(key.clone(), value.clone());
+        }
+    }
+
+    pub(crate) async fn get_raw_workload_yaml(
+        &self,
+        name: &str,
+        namespace: &str,
+        kind: &KubeWorkloadKind,
+    ) -> Result<String> {
+        let client = &self.kube_client;
+        match kind {
+            KubeWorkloadKind::Deployment => {
+                let api: kube::Api<Deployment> =
+                    kube::Api::namespaced((**client).clone(), namespace);
+                let deployment = api.get(name).await?;
+                Ok(serde_yaml::to_string(&deployment)?)
+            }
+            KubeWorkloadKind::StatefulSet => {
+                let api: kube::Api<StatefulSet> =
+                    kube::Api::namespaced((**client).clone(), namespace);
+                let statefulset = api.get(name).await?;
+                Ok(serde_yaml::to_string(&statefulset)?)
+            }
+            KubeWorkloadKind::DaemonSet => {
+                let api: kube::Api<DaemonSet> =
+                    kube::Api::namespaced((**client).clone(), namespace);
+                let daemonset = api.get(name).await?;
+                Ok(serde_yaml::to_string(&daemonset)?)
+            }
+            KubeWorkloadKind::ReplicaSet => {
+                let api: kube::Api<ReplicaSet> =
+                    kube::Api::namespaced((**client).clone(), namespace);
+                let replicaset = api.get(name).await?;
+                Ok(serde_yaml::to_string(&replicaset)?)
+            }
+            KubeWorkloadKind::Pod => {
+                let api: kube::Api<Pod> = kube::Api::namespaced((**client).clone(), namespace);
+                let pod = api.get(name).await?;
+                Ok(serde_yaml::to_string(&pod)?)
+            }
+            KubeWorkloadKind::Job => {
+                let api: kube::Api<Job> = kube::Api::namespaced((**client).clone(), namespace);
+                let job = api.get(name).await?;
+                Ok(serde_yaml::to_string(&job)?)
+            }
+            KubeWorkloadKind::CronJob => {
+                let api: kube::Api<CronJob> = kube::Api::namespaced((**client).clone(), namespace);
+                let cronjob = api.get(name).await?;
+                Ok(serde_yaml::to_string(&cronjob)?)
+            }
+        }
+    }
+
+    pub async fn refresh_branch_service_routes(&self, environment_id: Uuid) -> Result<()> {
+        self.proxy_manager
+            .set_service_routes_if_registered(environment_id)
+            .await
+    }
+
+    pub async fn get_devbox_direct_config(
+        &self,
+        user_id: Uuid,
+        environment_id: Uuid,
+        namespace: String,
+        stun_observed_addr: Option<SocketAddr>,
+    ) -> Result<Option<DirectTunnelConfig>, String> {
+        let token = Uuid::new_v4().to_string();
+        let expires_at = Utc::now() + chrono::Duration::minutes(2);
+        self.direct_endpoint
+            .credential()
+            .insert(token.clone(), expires_at)
+            .await;
+
+        let server_observed_addr = self.direct_endpoint.observed_addr();
+
+        if let Some(addr) = stun_observed_addr {
+            let direct_endpoint = self.direct_endpoint.clone();
+            tokio::spawn(async move {
+                match direct_endpoint.send_probe(addr, false).await {
+                    Ok(()) => {
+                        tracing::debug!(
+                            %addr,
+                            "Sent hole-punch probe to devbox client before issuing config"
+                        )
+                    }
+                    Err(err) => {
+                        tracing::warn!(%addr, error = %err, "Failed to send probe to devbox client");
+                    }
+                }
+            });
+        }
+
+        Ok(Some(DirectTunnelConfig {
+            credential: DirectTunnelCredential { token, expires_at },
+            server_certificate: Some(self.direct_endpoint.server_certificate().to_vec()),
+            stun_observed_addr: server_observed_addr,
+        }))
+    }
+
+    pub async fn set_devbox_routes(
+        &self,
+        environment_id: Uuid,
+        routes: HashMap<Uuid, DevboxRouteConfig>,
+    ) -> Result<(), String> {
+        self.proxy_manager
+            .set_devbox_routes(environment_id, routes)
+            .await
+    }
+
+    pub async fn set_devbox_route(
+        &self,
+        environment_id: Uuid,
+        route: DevboxRouteConfig,
+    ) -> Result<(), String> {
+        self.proxy_manager
+            .set_devbox_route(environment_id, route)
+            .await
+    }
+
+    pub async fn remove_devbox_route(
+        &self,
+        environment_id: Uuid,
+        workload_id: Uuid,
+        branch_environment_id: Option<Uuid>,
+    ) -> Result<(), String> {
+        self.proxy_manager
+            .remove_devbox_route(environment_id, workload_id, branch_environment_id)
+            .await
+    }
+
+    pub async fn update_branch_service_route(
+        &self,
+        base_environment_id: Uuid,
+        workload_id: Uuid,
+        route: ProxyBranchRouteConfig,
+    ) -> Result<(), String> {
+        self.proxy_manager
+            .upsert_branch_service_route(base_environment_id, workload_id, route)
+            .await
+    }
+
+    pub async fn remove_branch_service_route(
+        &self,
+        base_environment_id: Uuid,
+        workload_id: Uuid,
+        branch_environment_id: Uuid,
+    ) -> Result<(), String> {
+        self.proxy_manager
+            .remove_branch_service_route(base_environment_id, workload_id, branch_environment_id)
+            .await
+    }
+
+    pub async fn clear_devbox_routes(
+        &self,
+        environment_id: Uuid,
+        branch_environment_id: Option<Uuid>,
+    ) -> Result<(), String> {
+        self.proxy_manager
+            .clear_devbox_routes(environment_id, branch_environment_id)
+            .await
+    }
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+    use k8s_openapi::apimachinery::pkg::api::resource::Quantity;
+
+    // Helper function to create Quantity objects for testing
+
+    fn create_quantity(value: &str) -> Quantity {
+        Quantity(value.to_string())
+    }
+
+    #[test]
+    fn test_parse_cpu_resource_millicores() {
+        // Test millicores format
+        let cpu_1000m = create_quantity("1000m");
+        assert_eq!(KubeManager::parse_cpu_resource(Some(&cpu_1000m)), 1000);
+
+        let cpu_500m = create_quantity("500m");
+        assert_eq!(KubeManager::parse_cpu_resource(Some(&cpu_500m)), 500);
+
+        let cpu_2500m = create_quantity("2500m");
+        assert_eq!(KubeManager::parse_cpu_resource(Some(&cpu_2500m)), 2500);
+    }
+
+    #[test]
+    fn test_parse_cpu_resource_cores() {
+        // Test cores format (should be converted to millicores)
+        let cpu_1 = create_quantity("1");
+        assert_eq!(KubeManager::parse_cpu_resource(Some(&cpu_1)), 1000);
+
+        let cpu_2 = create_quantity("2");
+        assert_eq!(KubeManager::parse_cpu_resource(Some(&cpu_2)), 2000);
+
+        let cpu_4 = create_quantity("4");
+        assert_eq!(KubeManager::parse_cpu_resource(Some(&cpu_4)), 4000);
+    }
+
+    #[test]
+    fn test_parse_cpu_resource_edge_cases() {
+        // Test None
+        assert_eq!(KubeManager::parse_cpu_resource(None), 0);
+
+        // Test invalid format
+        let invalid_cpu = create_quantity("invalid");
+        assert_eq!(KubeManager::parse_cpu_resource(Some(&invalid_cpu)), 0);
+
+        // Test empty string
+        let empty_cpu = create_quantity("");
+        assert_eq!(KubeManager::parse_cpu_resource(Some(&empty_cpu)), 0);
+
+        // Test zero values
+        let zero_cpu = create_quantity("0");
+        assert_eq!(KubeManager::parse_cpu_resource(Some(&zero_cpu)), 0);
+
+        let zero_cpu_m = create_quantity("0m");
+        assert_eq!(KubeManager::parse_cpu_resource(Some(&zero_cpu_m)), 0);
+    }
+
+    #[test]
+    fn test_parse_memory_resource_kibibytes() {
+        // Test Ki format
+        let mem_1024ki = create_quantity("1024Ki");
+        assert_eq!(
+            KubeManager::parse_memory_resource(Some(&mem_1024ki)),
+            1024 * 1024
+        );
+
+        let mem_2048ki = create_quantity("2048Ki");
+        assert_eq!(
+            KubeManager::parse_memory_resource(Some(&mem_2048ki)),
+            2048 * 1024
+        );
+
+        let mem_512ki = create_quantity("512Ki");
+        assert_eq!(
+            KubeManager::parse_memory_resource(Some(&mem_512ki)),
+            512 * 1024
+        );
+    }
+
+    #[test]
+    fn test_parse_memory_resource_mebibytes() {
+        // Test Mi format
+        let mem_1mi = create_quantity("1Mi");
+        assert_eq!(
+            KubeManager::parse_memory_resource(Some(&mem_1mi)),
+            1024 * 1024
+        );
+
+        let mem_256mi = create_quantity("256Mi");
+        assert_eq!(
+            KubeManager::parse_memory_resource(Some(&mem_256mi)),
+            256 * 1024 * 1024
+        );
+
+        let mem_512mi = create_quantity("512Mi");
+        assert_eq!(
+            KubeManager::parse_memory_resource(Some(&mem_512mi)),
+            512 * 1024 * 1024
+        );
+    }
+
+    #[test]
+    fn test_parse_memory_resource_gibibytes() {
+        // Test Gi format
+        let mem_1gi = create_quantity("1Gi");
+        assert_eq!(
+            KubeManager::parse_memory_resource(Some(&mem_1gi)),
+            1024 * 1024 * 1024
+        );
+
+        let mem_2gi = create_quantity("2Gi");
+        assert_eq!(
+            KubeManager::parse_memory_resource(Some(&mem_2gi)),
+            2 * 1024 * 1024 * 1024
+        );
+
+        let mem_8gi = create_quantity("8Gi");
+        assert_eq!(
+            KubeManager::parse_memory_resource(Some(&mem_8gi)),
+            8 * 1024 * 1024 * 1024
+        );
+    }
+
+    #[test]
+    fn test_parse_memory_resource_edge_cases() {
+        // Test None
+        assert_eq!(KubeManager::parse_memory_resource(None), 0);
+
+        // Test unsupported format (should return 0)
+        let unsupported_mem = create_quantity("100bytes");
+        assert_eq!(
+            KubeManager::parse_memory_resource(Some(&unsupported_mem)),
+            0
+        );
+
+        // Test invalid format
+        let invalid_mem = create_quantity("invalid");
+        assert_eq!(KubeManager::parse_memory_resource(Some(&invalid_mem)), 0);
+
+        // Test empty string
+        let empty_mem = create_quantity("");
+        assert_eq!(KubeManager::parse_memory_resource(Some(&empty_mem)), 0);
+
+        // Test zero values
+        let zero_mem_ki = create_quantity("0Ki");
+        assert_eq!(KubeManager::parse_memory_resource(Some(&zero_mem_ki)), 0);
+
+        let zero_mem_mi = create_quantity("0Mi");
+        assert_eq!(KubeManager::parse_memory_resource(Some(&zero_mem_mi)), 0);
+
+        let zero_mem_gi = create_quantity("0Gi");
+        assert_eq!(KubeManager::parse_memory_resource(Some(&zero_mem_gi)), 0);
+    }
+
+    #[test]
+    fn test_parse_memory_resource_large_values() {
+        // Test large realistic values
+        let mem_7922180ki = create_quantity("7922180Ki");
+        assert_eq!(
+            KubeManager::parse_memory_resource(Some(&mem_7922180ki)),
+            7922180 * 1024
+        );
+
+        let mem_16gi = create_quantity("16Gi");
+        assert_eq!(
+            KubeManager::parse_memory_resource(Some(&mem_16gi)),
+            16 * 1024 * 1024 * 1024
+        );
+
+        let mem_32768mi = create_quantity("32768Mi");
+        assert_eq!(
+            KubeManager::parse_memory_resource(Some(&mem_32768mi)),
+            32768 * 1024 * 1024
+        );
+    }
+
+    #[test]
+    fn test_parse_resources_real_world_examples() {
+        // Common GKE node CPU allocations
+        let gke_cpu_1 = create_quantity("940m");
+        assert_eq!(KubeManager::parse_cpu_resource(Some(&gke_cpu_1)), 940);
+
+        let gke_cpu_2 = create_quantity("1930m");
+        assert_eq!(KubeManager::parse_cpu_resource(Some(&gke_cpu_2)), 1930);
+
+        // Common GKE node memory allocations
+        let gke_mem_1 = create_quantity("2702988Ki");
+        assert_eq!(
+            KubeManager::parse_memory_resource(Some(&gke_mem_1)),
+            2702988 * 1024
+        );
+
+        let gke_mem_2 = create_quantity("6601900Ki");
+        assert_eq!(
+            KubeManager::parse_memory_resource(Some(&gke_mem_2)),
+            6601900 * 1024
+        );
+
+        // AWS EKS examples
+        let eks_cpu = create_quantity("1930m");
+        assert_eq!(KubeManager::parse_cpu_resource(Some(&eks_cpu)), 1930);
+
+        let eks_mem = create_quantity("3843684Ki");
+        assert_eq!(
+            KubeManager::parse_memory_resource(Some(&eks_mem)),
+            3843684 * 1024
+        );
+    }
+}
diff --git a/crates/kube-manager/src/manager_rpc.rs b/crates/kube-manager/src/manager_rpc.rs
new file mode 100644
index 0000000..11ca9b1
--- /dev/null
+++ b/crates/kube-manager/src/manager_rpc.rs
@@ -0,0 +1,453 @@
+use anyhow::{anyhow, Result};
+use lapdev_common::{
+    devbox::DirectTunnelConfig,
+    kube::{KubeNamespaceInfo, KubeWorkload, KubeWorkloadKind, KubeWorkloadList, PaginationParams},
+};
+use lapdev_kube_rpc::{
+    DevboxRouteConfig, KubeClusterRpcClient, KubeManagerRpc, KubeRawWorkloadYaml,
+    KubeWorkloadsWithResources, NamespacedResourceKind, NamespacedResourceRequest,
+    NamespacedResourceResponse, ProxyBranchRouteConfig, WorkloadIdentifier,
+};
+use std::{collections::HashMap, net::SocketAddr};
+use uuid::Uuid;
+
+use crate::manager::KubeManager;
+
+#[derive(Clone)]
+pub struct KubeManagerRpcServer {
+    manager: KubeManager,
+    rpc_client: KubeClusterRpcClient,
+}
+
+impl KubeManagerRpcServer {
+    pub(crate) fn new(manager: KubeManager, rpc_client: KubeClusterRpcClient) -> Self {
+        Self {
+            manager,
+            rpc_client,
+        }
+    }
+
+    pub(crate) async fn report_cluster_info(&self) -> Result<()> {
+        let cluster_info = self.manager.collect_cluster_info().await?;
+        tracing::info!("Reporting cluster info: {:?}", cluster_info);
+
+        let _ = self
+            .rpc_client
+            .report_cluster_info(tarpc::context::current(), cluster_info)
+            .await
+            .map_err(|e| {
+                tracing::error!("RPC call failed: {}", e);
+                anyhow!("report_cluster_info RPC failed: {e}")
+            })?;
+
+        tracing::info!("Successfully reported cluster info");
+
+        Ok(())
+    }
+}
+
+impl KubeManagerRpc for KubeManagerRpcServer {
+    async fn get_workloads(
+        self,
+        _context: ::tarpc::context::Context,
+        namespace: Option<String>,
+        workload_kind_filter: Option<KubeWorkloadKind>,
+        include_system_workloads: bool,
+        pagination: Option<PaginationParams>,
+    ) -> Result<KubeWorkloadList, String> {
+        match self
+            .manager
+            .collect_workloads(
+                namespace,
+                workload_kind_filter,
+                include_system_workloads,
+                pagination,
+            )
+            .await
+        {
+            Ok(workloads) => {
+                tracing::info!(
+                    "Successfully collected {} workloads",
+                    workloads.workloads.len()
+                );
+                Ok(workloads)
+            }
+            Err(e) => {
+                tracing::error!("Failed to collect workloads: {e}");
+                Err(format!("Failed to collect workloads: {e}"))
+            }
+        }
+    }
+
+    async fn get_workload_details(
+        self,
+        _context: ::tarpc::context::Context,
+        name: String,
+        namespace: String,
+    ) -> Result<Option<KubeWorkload>, String> {
+        match self
+            .manager
+            .get_workload_by_name(name.clone(), namespace.clone())
+            .await
+        {
+            Ok(workload) => {
+                if workload.is_some() {
+                    tracing::info!("Successfully found workload: {namespace}/{name}");
+                } else {
+                    tracing::warn!("Workload not found: {namespace}/{name}");
+                }
+                Ok(workload)
+            }
+            Err(e) => {
+                tracing::error!("Failed to get workload details for {namespace}/{name}: {e}");
+                Err(format!("Failed to get workload details: {e}"))
+            }
+        }
+    }
+
+    async fn get_namespaces(
+        self,
+        _context: ::tarpc::context::Context,
+    ) -> Result<Vec<KubeNamespaceInfo>, String> {
+        match self.manager.collect_namespaces().await {
+            Ok(namespaces) => {
+                tracing::info!("Successfully collected {} namespaces", namespaces.len());
+                Ok(namespaces)
+            }
+            Err(e) => {
+                tracing::error!("Failed to collect namespaces: {e}");
+                Err(format!("Failed to collect namespaces: {e}"))
+            }
+        }
+    }
+
+    async fn deploy_workload_yaml(
+        self,
+        _context: ::tarpc::context::Context,
+        namespace: String,
+        workloads_with_resources: KubeWorkloadsWithResources,
+        labels: std::collections::HashMap<String, String>,
+    ) -> Result<(), String> {
+        match self
+            .manager
+            .apply_workloads_with_resources(namespace.clone(), workloads_with_resources, labels)
+            .await
+        {
+            Ok(()) => {
+                tracing::info!("Successfully deployed workloads to namespace: {namespace}");
+                Ok(())
+            }
+            Err(e) => {
+                tracing::error!("Failed to deploy workloads to namespace {namespace}: {e}");
+                Err(format!("Failed to deploy workloads: {e}"))
+            }
+        }
+    }
+
+    async fn get_workloads_raw_yaml(
+        self,
+        _context: ::tarpc::context::Context,
+        workloads: Vec<WorkloadIdentifier>,
+    ) -> Result<Vec<KubeRawWorkloadYaml>, String> {
+        let mut result = Vec::with_capacity(workloads.len());
+
+        for workload in workloads {
+            match self
+                .manager
+                .get_raw_workload_yaml(&workload.name, &workload.namespace, &workload.kind)
+                .await
+            {
+                Ok(yaml) => {
+                    result.push(KubeRawWorkloadYaml {
+                        name: workload.name,
+                        namespace: workload.namespace,
+                        kind: workload.kind,
+                        workload_yaml: yaml,
+                    });
+                }
+                Err(e) => {
+                    let msg = format!(
+                        "Failed to fetch raw YAML for {}/{}: {e}",
+                        workload.namespace, workload.name
+                    );
+                    tracing::error!("{}", msg);
+                    return Err(msg);
+                }
+            }
+        }
+
+        Ok(result)
+    }
+
+    async fn get_namespaced_resources(
+        self,
+        _context: ::tarpc::context::Context,
+        requests: Vec<NamespacedResourceRequest>,
+    ) -> Result<Vec<NamespacedResourceResponse>, String> {
+        match self.manager.fetch_namespaced_resources(requests).await {
+            Ok(resources) => Ok(resources),
+            Err(e) => {
+                tracing::error!("Failed to fetch namespaced resources: {e}");
+                Err(format!("Failed to fetch namespaced resources: {e}"))
+            }
+        }
+    }
+
+    async fn set_devbox_routes(
+        self,
+        _context: ::tarpc::context::Context,
+        environment_id: Uuid,
+        routes: HashMap<Uuid, DevboxRouteConfig>,
+    ) -> Result<(), String> {
+        self.manager.set_devbox_routes(environment_id, routes).await
+    }
+
+    async fn set_devbox_route(
+        self,
+        _context: ::tarpc::context::Context,
+        environment_id: Uuid,
+        route: DevboxRouteConfig,
+    ) -> Result<(), String> {
+        self.manager.set_devbox_route(environment_id, route).await
+    }
+
+    async fn remove_devbox_route(
+        self,
+        _context: ::tarpc::context::Context,
+        environment_id: Uuid,
+        workload_id: Uuid,
+        branch_environment_id: Option<Uuid>,
+    ) -> Result<(), String> {
+        self.manager
+            .remove_devbox_route(environment_id, workload_id, branch_environment_id)
+            .await
+    }
+
+    async fn update_branch_service_route(
+        self,
+        _context: ::tarpc::context::Context,
+        base_environment_id: Uuid,
+        workload_id: Uuid,
+        route: ProxyBranchRouteConfig,
+    ) -> Result<(), String> {
+        self.manager
+            .update_branch_service_route(base_environment_id, workload_id, route)
+            .await
+    }
+
+    async fn remove_branch_service_route(
+        self,
+        _context: ::tarpc::context::Context,
+        base_environment_id: Uuid,
+        workload_id: Uuid,
+        branch_environment_id: Uuid,
+    ) -> Result<(), String> {
+        self.manager
+            .remove_branch_service_route(base_environment_id, workload_id, branch_environment_id)
+            .await
+    }
+
+    async fn clear_devbox_routes(
+        self,
+        _context: ::tarpc::context::Context,
+        environment_id: Uuid,
+        branch_environment_id: Option<Uuid>,
+    ) -> Result<(), String> {
+        self.manager
+            .clear_devbox_routes(environment_id, branch_environment_id)
+            .await
+    }
+
+    async fn get_devbox_direct_config(
+        self,
+        _context: ::tarpc::context::Context,
+        user_id: Uuid,
+        environment_id: Uuid,
+        namespace: String,
+        stun_observed_addr: Option<SocketAddr>,
+    ) -> Result<Option<DirectTunnelConfig>, String> {
+        self.manager
+            .get_devbox_direct_config(user_id, environment_id, namespace, stun_observed_addr)
+            .await
+    }
+
+    async fn refresh_branch_service_routes(
+        self,
+        _context: ::tarpc::context::Context,
+        environment_id: Uuid,
+    ) -> Result<(), String> {
+        match self
+            .manager
+            .refresh_branch_service_routes(environment_id)
+            .await
+        {
+            Ok(()) => Ok(()),
+            Err(e) => {
+                tracing::warn!(
+                    "Failed to refresh branch service routes for environment {}: {}",
+                    environment_id,
+                    e
+                );
+                Err(format!("Failed to refresh branch service routes: {}", e))
+            }
+        }
+    }
+
+    async fn destroy_environment(
+        self,
+        _context: ::tarpc::context::Context,
+        environment_id: Uuid,
+        namespace: String,
+    ) -> Result<(), String> {
+        tracing::info!(
+            "Received request to destroy environment {} in namespace {}",
+            environment_id,
+            namespace
+        );
+
+        match self
+            .manager
+            .destroy_environment(environment_id, &namespace)
+            .await
+        {
+            Ok(()) => Ok(()),
+            Err(e) => {
+                tracing::error!(
+                    "Failed to destroy environment {} in namespace {}: {}",
+                    environment_id,
+                    namespace,
+                    e
+                );
+                Err(format!("Failed to destroy environment: {}", e))
+            }
+        }
+    }
+
+    async fn delete_namespaced_resources(
+        self,
+        _context: ::tarpc::context::Context,
+        namespace: String,
+        resources: Vec<(NamespacedResourceKind, String)>,
+    ) -> Result<(), String> {
+        for (kind, name) in resources {
+            if let Err(err) = self
+                .manager
+                .delete_namespaced_resource(kind, &namespace, &name)
+                .await
+            {
+                tracing::warn!(
+                    namespace = %namespace,
+                    resource_kind = ?kind,
+                    resource = %name,
+                    error = ?err,
+                    "Failed to delete namespaced resource"
+                );
+            }
+        }
+        Ok(())
+    }
+
+    async fn configure_watches(
+        self,
+        _context: ::tarpc::context::Context,
+        namespaces: Vec<String>,
+    ) -> Result<(), String> {
+        self.manager
+            .configure_namespace_watches(namespaces)
+            .await
+            .map_err(|e| {
+                tracing::error!("Failed to configure namespace watches: {e}");
+                format!("Failed to configure namespace watches: {e}")
+            })
+    }
+
+    async fn add_namespace_watch(
+        self,
+        _context: ::tarpc::context::Context,
+        namespace: String,
+    ) -> Result<(), String> {
+        self.manager
+            .add_namespace_watch(namespace)
+            .await
+            .map_err(|e| {
+                tracing::error!("Failed to add namespace watch: {e}");
+                format!("Failed to add namespace watch: {e}")
+            })
+    }
+
+    async fn remove_namespace_watch(
+        self,
+        _context: ::tarpc::context::Context,
+        namespace: String,
+    ) -> Result<(), String> {
+        self.manager
+            .remove_namespace_watch(namespace)
+            .await
+            .map_err(|e| {
+                tracing::error!("Failed to remove namespace watch: {e}");
+                format!("Failed to remove namespace watch: {e}")
+            })
+    }
+
+    async fn add_branch_environment(
+        self,
+        _context: ::tarpc::context::Context,
+        base_environment_id: Uuid,
+        branch: lapdev_kube_rpc::BranchEnvironmentInfo,
+    ) -> Result<(), String> {
+        tracing::info!(
+            "Adding branch environment {} to devbox-proxy for base environment {}",
+            branch.environment_id,
+            base_environment_id
+        );
+
+        // Get the devbox-proxy RPC client for the base environment
+        let proxy_client = self
+            .manager
+            .devbox_proxy_manager
+            .get_proxy_client(base_environment_id)
+            .await
+            .ok_or_else(|| {
+                format!(
+                    "No devbox-proxy registered for base environment {}",
+                    base_environment_id
+                )
+            })?;
+
+        // Forward the request to the devbox-proxy
+        proxy_client
+            .add_branch_environment(tarpc::context::current(), branch)
+            .await
+            .map_err(|e| format!("RPC call to devbox-proxy failed: {}", e))?
+    }
+
+    async fn remove_branch_environment(
+        self,
+        _context: ::tarpc::context::Context,
+        base_environment_id: Uuid,
+        branch_environment_id: Uuid,
+    ) -> Result<(), String> {
+        tracing::info!(
+            "Removing branch environment {} from devbox-proxy for base environment {}",
+            branch_environment_id,
+            base_environment_id
+        );
+
+        // Get the devbox-proxy RPC client for the base environment
+        let Some(proxy_client) = self
+            .manager
+            .devbox_proxy_manager
+            .get_proxy_client(base_environment_id)
+            .await
+        else {
+            // if the devbox proxy doesn't connect, we don't need to do anything
+            return Ok(());
+        };
+
+        // Forward the request to the devbox-proxy
+        proxy_client
+            .remove_branch_environment(tarpc::context::current(), branch_environment_id)
+            .await
+            .map_err(|e| format!("RPC call to devbox-proxy failed: {}", e))?
+    }
+}
diff --git a/crates/kube-manager/src/sidecar_proxy_manager.rs b/crates/kube-manager/src/sidecar_proxy_manager.rs
new file mode 100644
index 0000000..f6dec10
--- /dev/null
+++ b/crates/kube-manager/src/sidecar_proxy_manager.rs
@@ -0,0 +1,603 @@
+use anyhow::Result;
+use futures::StreamExt;
+use lapdev_common::{
+    devbox::DirectTunnelConfig,
+    kube::{DEFAULT_SIDECAR_PROXY_MANAGER_PORT, SIDECAR_PROXY_MANAGER_PORT_ENV_VAR},
+};
+use lapdev_kube_rpc::{
+    DevboxRouteConfig, KubeClusterRpcClient, ProxyBranchRouteConfig, SidecarProxyManagerRpc,
+    SidecarProxyRpcClient,
+};
+use lapdev_rpc::spawn_twoway;
+use std::{
+    collections::{BTreeMap, HashMap},
+    net::SocketAddr,
+    sync::{
+        atomic::{AtomicU64, Ordering},
+        Arc,
+    },
+};
+use tarpc::server::{BaseChannel, Channel};
+use tokio::sync::RwLock;
+use tracing::{error, info, warn};
+use uuid::Uuid;
+
+use crate::sidecar_proxy_manager_rpc::SidecarProxyManagerRpcServer;
+
+#[derive(Clone)]
+pub struct SidecarProxyManager {
+    pub(crate) sidecar_proxies:
+        Arc<RwLock<HashMap<Uuid, HashMap<Uuid, BTreeMap<u64, SidecarProxyRpcClient>>>>>,
+    kube_cluster_rpc_client: Arc<RwLock<Option<KubeClusterRpcClient>>>,
+    generation_counter: Arc<AtomicU64>,
+    devbox_route_snapshots: Arc<RwLock<HashMap<Uuid, HashMap<Uuid, DevboxRouteConfig>>>>,
+}
+
+impl SidecarProxyManager {
+    pub(crate) async fn new() -> Result<Self> {
+        // Parse the URL to extract the port
+        let port = std::env::var(SIDECAR_PROXY_MANAGER_PORT_ENV_VAR)
+            .ok()
+            .and_then(|p| p.parse::<u16>().ok())
+            .unwrap_or(DEFAULT_SIDECAR_PROXY_MANAGER_PORT);
+        let bind_addr = format!("0.0.0.0:{port}");
+        info!("Starting TCP server for sidecar proxies on: {}", bind_addr);
+
+        let mut listener = tarpc::serde_transport::tcp::listen(
+            ("0.0.0.0", port),
+            tarpc::tokio_serde::formats::Bincode::default,
+        )
+        .await?;
+        info!("TCP server listening on: {}", bind_addr);
+
+        let m = Self {
+            sidecar_proxies: Arc::new(RwLock::new(HashMap::new())),
+            kube_cluster_rpc_client: Arc::new(RwLock::new(None)),
+            generation_counter: Arc::new(AtomicU64::new(1)),
+            devbox_route_snapshots: Arc::new(RwLock::new(HashMap::new())),
+        };
+
+        {
+            let manager = m.clone();
+            tokio::spawn(async move {
+                while let Some(conn) = listener.next().await {
+                    if let Ok(conn) = conn {
+                        let manager = manager.clone();
+                        tokio::spawn(async move {
+                            let peer_addr = conn.peer_addr().ok();
+                            let (server_chan, client_chan, _) = spawn_twoway(conn);
+                            let rpc_client = SidecarProxyRpcClient::new(
+                                tarpc::client::Config::default(),
+                                client_chan,
+                            )
+                            .spawn();
+                            let rpc_server = SidecarProxyManagerRpcServer::new(
+                                manager.clone(),
+                                rpc_client,
+                                peer_addr,
+                            );
+                            let server_clone = rpc_server.clone();
+                            BaseChannel::with_defaults(server_chan)
+                                .execute(server_clone.serve())
+                                .for_each(|resp| async move {
+                                    tokio::spawn(resp);
+                                })
+                                .await;
+                            rpc_server.handle_disconnect().await;
+                        });
+                    }
+                }
+                error!("TCP connection stopped");
+            });
+        }
+
+        Ok(m)
+    }
+
+    fn next_generation(&self) -> u64 {
+        self.generation_counter.fetch_add(1, Ordering::SeqCst)
+    }
+
+    pub async fn register_sidecar(
+        &self,
+        environment_id: Uuid,
+        workload_id: Uuid,
+        client: SidecarProxyRpcClient,
+    ) -> u64 {
+        let mut map = self.sidecar_proxies.write().await;
+        let generation = self.next_generation();
+        map.entry(environment_id)
+            .or_default()
+            .entry(workload_id)
+            .or_insert_with(BTreeMap::new)
+            .insert(generation, client);
+        generation
+    }
+
+    pub async fn remove_sidecar(&self, environment_id: Uuid, workload_id: Uuid, generation: u64) {
+        let mut map = self.sidecar_proxies.write().await;
+        if let Some(workloads) = map.get_mut(&environment_id) {
+            if let Some(entries) = workloads.get_mut(&workload_id) {
+                let removed = entries.remove(&generation).is_some();
+                if entries.is_empty() {
+                    workloads.remove(&workload_id);
+                }
+                if removed && workloads.is_empty() {
+                    map.remove(&environment_id);
+                }
+            }
+        }
+    }
+
+    pub async fn latest_clients_for_environment(
+        &self,
+        environment_id: Uuid,
+    ) -> Option<HashMap<Uuid, SidecarProxyRpcClient>> {
+        let map = self.sidecar_proxies.read().await;
+        map.get(&environment_id).map(|workloads| {
+            workloads
+                .iter()
+                .filter_map(|(workload_id, entries)| {
+                    entries
+                        .iter()
+                        .next_back()
+                        .map(|(_, client)| (*workload_id, client.clone()))
+                })
+                .collect()
+        })
+    }
+
+    pub async fn record_sidecar_heartbeat(&self, environment_id: Uuid, workload_id: Uuid) -> bool {
+        let map = self.sidecar_proxies.read().await;
+        map.get(&environment_id)
+            .and_then(|workloads| workloads.get(&workload_id))
+            .map(|entries| !entries.is_empty())
+            .unwrap_or(false)
+    }
+
+    pub async fn set_service_routes_if_registered(&self, environment_id: Uuid) -> Result<()> {
+        let Some(connections) = self.latest_clients_for_environment(environment_id).await else {
+            return Ok(());
+        };
+
+        let cluster_client = {
+            let guard = self.kube_cluster_rpc_client.read().await;
+            guard.clone()
+        };
+
+        let Some(cluster_client) = cluster_client else {
+            warn!(
+                "Cluster RPC client unavailable; skipping route sync for environment {}",
+                environment_id
+            );
+            return Ok(());
+        };
+
+        for (workload_id, client) in connections {
+            let routes = match cluster_client
+                .clone()
+                .list_branch_service_routes(tarpc::context::current(), environment_id, workload_id)
+                .await
+            {
+                Ok(Ok(routes)) => routes,
+                Ok(Err(err)) => {
+                    return Err(anyhow::anyhow!(
+                        "API rejected route request for environment {} workload {}: {}",
+                        environment_id,
+                        workload_id,
+                        err
+                    ));
+                }
+                Err(err) => {
+                    return Err(anyhow::anyhow!(
+                        "Failed to fetch routes for environment {} workload {}: {}",
+                        environment_id,
+                        workload_id,
+                        err
+                    ));
+                }
+            };
+
+            if let Err(e) = client
+                .set_service_routes(tarpc::context::current(), routes)
+                .await
+            {
+                return Err(anyhow::anyhow!(
+                    "Failed to push service routes to workload {}: {}",
+                    workload_id,
+                    e
+                ));
+            }
+        }
+
+        Ok(())
+    }
+
+    pub async fn set_devbox_routes(
+        &self,
+        environment_id: Uuid,
+        mut routes: HashMap<Uuid, DevboxRouteConfig>,
+    ) -> Result<(), String> {
+        let previous_routes = self
+            .snapshot_devbox_routes_for_environment(environment_id, routes.clone())
+            .await;
+
+        let Some(connections) = self.latest_clients_for_environment(environment_id).await else {
+            warn!(
+                "No sidecar proxy registered for environment {} when sending devbox routes",
+                environment_id
+            );
+            return Ok(());
+        };
+
+        for (workload_id, client) in connections {
+            let client = client.clone();
+            if let Some(route) = routes.remove(&workload_id) {
+                if let Err(e) = client
+                    .set_devbox_route(tarpc::context::current(), route)
+                    .await
+                {
+                    return Err(format!(
+                        "Failed to send devbox routes to sidecar (workload {}): {}",
+                        workload_id, e
+                    ));
+                }
+            } else {
+                let prior_branch = previous_routes
+                    .get(&workload_id)
+                    .and_then(|route| route.branch_environment_id);
+                if let Err(e) = client
+                    .stop_devbox(tarpc::context::current(), prior_branch)
+                    .await
+                {
+                    return Err(format!(
+                        "Failed to clear devbox routes for workload {}: {}",
+                        workload_id, e
+                    ));
+                }
+            }
+        }
+
+        for workload_id in routes.into_keys() {
+            warn!(
+                "No sidecar proxy registered for workload {} when sending devbox route",
+                workload_id
+            );
+        }
+
+        Ok(())
+    }
+
+    pub async fn set_devbox_route(
+        &self,
+        environment_id: Uuid,
+        route: DevboxRouteConfig,
+    ) -> Result<(), String> {
+        self.upsert_devbox_route_snapshot(environment_id, route.clone())
+            .await;
+
+        let Some(connections) = self.latest_clients_for_environment(environment_id).await else {
+            warn!(
+                "No sidecar proxy registered for environment {} when sending devbox route",
+                environment_id
+            );
+            return Ok(());
+        };
+
+        let Some(client) = connections.get(&route.workload_id) else {
+            warn!(
+                "No sidecar proxy registered for workload {} when sending devbox route",
+                route.workload_id
+            );
+            return Ok(());
+        };
+
+        let workload_id = route.workload_id;
+
+        if let Err(err) = client
+            .clone()
+            .set_devbox_route(tarpc::context::current(), route)
+            .await
+        {
+            return Err(format!(
+                "Failed to send devbox route to workload {}: {}",
+                workload_id, err
+            ));
+        }
+
+        Ok(())
+    }
+
+    pub async fn remove_devbox_route(
+        &self,
+        environment_id: Uuid,
+        workload_id: Uuid,
+        branch_environment_id: Option<Uuid>,
+    ) -> Result<(), String> {
+        let removed = self
+            .remove_devbox_route_snapshot(
+                environment_id,
+                workload_id,
+                branch_environment_id.clone(),
+            )
+            .await;
+
+        if !removed {
+            return Ok(());
+        }
+
+        let Some(connections) = self.latest_clients_for_environment(environment_id).await else {
+            return Ok(());
+        };
+
+        let Some(client) = connections.get(&workload_id) else {
+            return Ok(());
+        };
+
+        if let Err(err) = client
+            .clone()
+            .stop_devbox(tarpc::context::current(), branch_environment_id)
+            .await
+        {
+            return Err(format!(
+                "Failed to clear devbox route for workload {}: {}",
+                workload_id, err
+            ));
+        }
+
+        Ok(())
+    }
+
+    pub async fn upsert_branch_service_route(
+        &self,
+        base_environment_id: Uuid,
+        workload_id: Uuid,
+        route: ProxyBranchRouteConfig,
+    ) -> Result<(), String> {
+        let Some(connections) = self
+            .latest_clients_for_environment(base_environment_id)
+            .await
+        else {
+            warn!(
+                "No sidecar proxy registered for environment {} when updating branch service route",
+                base_environment_id
+            );
+            return Ok(());
+        };
+
+        let Some(client) = connections.get(&workload_id) else {
+            warn!(
+                "No sidecar proxy registered for workload {} in environment {} when updating branch service route",
+                workload_id, base_environment_id
+            );
+            return Ok(());
+        };
+
+        if let Err(err) = client
+            .upsert_branch_service_route(tarpc::context::current(), route)
+            .await
+        {
+            return Err(format!(
+                "Failed to update branch service route for workload {}: {}",
+                workload_id, err
+            ));
+        }
+
+        Ok(())
+    }
+
+    pub async fn remove_branch_service_route(
+        &self,
+        base_environment_id: Uuid,
+        workload_id: Uuid,
+        branch_environment_id: Uuid,
+    ) -> Result<(), String> {
+        let Some(connections) = self
+            .latest_clients_for_environment(base_environment_id)
+            .await
+        else {
+            return Ok(());
+        };
+
+        let Some(client) = connections.get(&workload_id) else {
+            return Ok(());
+        };
+
+        if let Err(err) = client
+            .remove_branch_service_route(tarpc::context::current(), branch_environment_id)
+            .await
+        {
+            return Err(format!(
+                "Failed to remove branch service route for workload {} branch {}: {}",
+                workload_id, branch_environment_id, err
+            ));
+        }
+
+        Ok(())
+    }
+
+    pub async fn clear_devbox_routes(
+        &self,
+        environment_id: Uuid,
+        branch_environment_id: Option<Uuid>,
+    ) -> Result<(), String> {
+        self.prune_devbox_route_snapshot(environment_id, branch_environment_id)
+            .await;
+
+        let Some(connections) = self.latest_clients_for_environment(environment_id).await else {
+            return Ok(());
+        };
+
+        for (workload_id, client) in connections {
+            if let Err(err) = client
+                .stop_devbox(tarpc::context::current(), branch_environment_id)
+                .await
+            {
+                return Err(format!(
+                    "Failed to clear devbox routes for workload {}: {}",
+                    workload_id, err
+                ));
+            }
+        }
+
+        Ok(())
+    }
+
+    pub async fn set_cluster_rpc_client(&self, client: KubeClusterRpcClient) {
+        let mut guard = self.kube_cluster_rpc_client.write().await;
+        *guard = Some(client);
+    }
+
+    pub async fn clear_cluster_rpc_client(&self) {
+        let mut guard = self.kube_cluster_rpc_client.write().await;
+        *guard = None;
+    }
+
+    pub async fn request_direct_config(
+        &self,
+        environment_id: Uuid,
+        stun_observed_addr: Option<SocketAddr>,
+    ) -> Result<Option<DirectTunnelConfig>, String> {
+        let cluster_client = {
+            let guard = self.kube_cluster_rpc_client.read().await;
+            guard.clone()
+        };
+
+        let Some(client) = cluster_client else {
+            return Err("Cluster RPC client unavailable; cannot request direct config".to_string());
+        };
+
+        match client
+            .request_direct_config(
+                tarpc::context::current(),
+                environment_id,
+                stun_observed_addr,
+            )
+            .await
+        {
+            Ok(Ok(config)) => Ok(config),
+            Ok(Err(err)) => Err(err),
+            Err(err) => Err(format!(
+                "Failed to request direct config from KubeCluster: {}",
+                err
+            )),
+        }
+    }
+
+    async fn snapshot_devbox_routes_for_environment(
+        &self,
+        environment_id: Uuid,
+        routes: HashMap<Uuid, DevboxRouteConfig>,
+    ) -> HashMap<Uuid, DevboxRouteConfig> {
+        let mut guard = self.devbox_route_snapshots.write().await;
+        guard.insert(environment_id, routes).unwrap_or_default()
+    }
+
+    async fn upsert_devbox_route_snapshot(&self, environment_id: Uuid, route: DevboxRouteConfig) {
+        let mut guard = self.devbox_route_snapshots.write().await;
+        guard
+            .entry(environment_id)
+            .or_default()
+            .insert(route.workload_id, route);
+    }
+
+    async fn remove_devbox_route_snapshot(
+        &self,
+        environment_id: Uuid,
+        workload_id: Uuid,
+        branch_environment_id: Option<Uuid>,
+    ) -> bool {
+        let mut guard = self.devbox_route_snapshots.write().await;
+        let Some(routes) = guard.get_mut(&environment_id) else {
+            return false;
+        };
+
+        let should_remove = routes
+            .get(&workload_id)
+            .map(|route| route.branch_environment_id == branch_environment_id)
+            .unwrap_or(false);
+
+        if should_remove {
+            routes.remove(&workload_id);
+        }
+
+        if routes.is_empty() {
+            guard.remove(&environment_id);
+        }
+
+        should_remove
+    }
+
+    async fn devbox_route_for_workload(
+        &self,
+        environment_id: Uuid,
+        workload_id: Uuid,
+    ) -> Option<DevboxRouteConfig> {
+        let guard = self.devbox_route_snapshots.read().await;
+        guard
+            .get(&environment_id)
+            .and_then(|routes| routes.get(&workload_id).cloned())
+    }
+
+    async fn prune_devbox_route_snapshot(
+        &self,
+        environment_id: Uuid,
+        branch_environment_id: Option<Uuid>,
+    ) {
+        let mut guard = self.devbox_route_snapshots.write().await;
+        let Some(routes) = guard.get_mut(&environment_id) else {
+            return;
+        };
+
+        match branch_environment_id {
+            Some(branch_id) => {
+                routes.retain(|_, route| route.branch_environment_id != Some(branch_id));
+            }
+            None => {
+                routes.retain(|_, route| route.branch_environment_id.is_some());
+            }
+        }
+
+        if routes.is_empty() {
+            guard.remove(&environment_id);
+        }
+    }
+
+    pub async fn replay_devbox_route(
+        &self,
+        environment_id: Uuid,
+        workload_id: Uuid,
+    ) -> Result<(), String> {
+        let Some(route) = self
+            .devbox_route_for_workload(environment_id, workload_id)
+            .await
+        else {
+            return Ok(());
+        };
+
+        let Some(connections) = self.latest_clients_for_environment(environment_id).await else {
+            return Ok(());
+        };
+
+        let Some(client) = connections.get(&workload_id) else {
+            return Ok(());
+        };
+
+        client
+            .clone()
+            .set_devbox_route(tarpc::context::current(), route)
+            .await
+            .map_err(|e| {
+                format!(
+                    "Failed to replay devbox route for workload {} (RPC error): {}",
+                    workload_id, e
+                )
+            })?
+            .map_err(|e| {
+                format!(
+                    "Failed to replay devbox route for workload {}: {}",
+                    workload_id, e
+                )
+            })
+    }
+}
diff --git a/crates/kube-manager/src/sidecar_proxy_manager_rpc.rs b/crates/kube-manager/src/sidecar_proxy_manager_rpc.rs
new file mode 100644
index 0000000..5c58aeb
--- /dev/null
+++ b/crates/kube-manager/src/sidecar_proxy_manager_rpc.rs
@@ -0,0 +1,143 @@
+use lapdev_common::devbox::DirectTunnelConfig;
+use lapdev_kube_rpc::{SidecarProxyManagerRpc, SidecarProxyRpcClient};
+use std::{net::SocketAddr, sync::Arc};
+use tarpc::context::Context;
+use tokio::sync::RwLock;
+use uuid::Uuid;
+
+use crate::sidecar_proxy_manager::SidecarProxyManager;
+
+#[derive(Clone)]
+pub struct SidecarProxyManagerRpcServer {
+    manager: SidecarProxyManager,
+    pub(crate) rpc_client: SidecarProxyRpcClient,
+    connection_generation: Arc<RwLock<Option<u64>>>,
+    environment: Arc<RwLock<Option<Uuid>>>,
+    workload: Arc<RwLock<Option<Uuid>>>,
+    peer_addr: Option<SocketAddr>,
+}
+
+impl SidecarProxyManagerRpcServer {
+    pub(crate) fn new(
+        manager: SidecarProxyManager,
+        rpc_client: SidecarProxyRpcClient,
+        peer_addr: Option<SocketAddr>,
+    ) -> Self {
+        Self {
+            manager,
+            rpc_client,
+            connection_generation: Arc::new(RwLock::new(None)),
+            environment: Arc::new(RwLock::new(None)),
+            workload: Arc::new(RwLock::new(None)),
+            peer_addr,
+        }
+    }
+
+    pub async fn handle_disconnect(&self) {
+        let env = self.environment.read().await.clone();
+        let workload = self.workload.read().await.clone();
+        let generation = self.connection_generation.read().await.clone();
+
+        if let (Some(environment_id), Some(workload_id), Some(gen)) = (env, workload, generation) {
+            self.manager
+                .remove_sidecar(environment_id, workload_id, gen)
+                .await;
+        }
+    }
+}
+
+impl SidecarProxyManagerRpc for SidecarProxyManagerRpcServer {
+    async fn heartbeat(
+        self,
+        _context: Context,
+        workload_id: Uuid,
+        environment_id: Uuid,
+    ) -> Result<(), String> {
+        if self
+            .manager
+            .record_sidecar_heartbeat(environment_id, workload_id)
+            .await
+        {
+            Ok(())
+        } else {
+            Err("sidecar proxy not registered".to_string())
+        }
+    }
+
+    async fn register_sidecar_proxy(
+        self,
+        _context: Context,
+        workload_id: Uuid,
+        environment_id: Uuid,
+        _namespace: String,
+    ) -> Result<(), String> {
+        {
+            *self.environment.write().await = Some(environment_id);
+            *self.workload.write().await = Some(workload_id);
+        }
+
+        let generation = self
+            .manager
+            .register_sidecar(environment_id, workload_id, self.rpc_client.clone())
+            .await;
+
+        {
+            let mut guard = self.connection_generation.write().await;
+            *guard = Some(generation);
+        }
+
+        self.manager
+            .set_service_routes_if_registered(environment_id)
+            .await
+            .map_err(|e| e.to_string())?;
+
+        if let Err(err) = self
+            .manager
+            .replay_devbox_route(environment_id, workload_id)
+            .await
+        {
+            tracing::warn!(
+                environment_id = %environment_id,
+                workload_id = %workload_id,
+                error = %err,
+                "Failed to replay devbox route after sidecar registration"
+            );
+        }
+
+        Ok(())
+    }
+
+    async fn report_routing_metrics(
+        self,
+        _context: Context,
+        _request_count: u64,
+        _byte_count: u64,
+        _active_connections: u32,
+    ) -> Result<(), String> {
+        Ok(())
+    }
+
+    async fn request_direct_config(
+        self,
+        _context: Context,
+        environment_id: Uuid,
+        stun_observed_addr: Option<SocketAddr>,
+    ) -> Result<Option<DirectTunnelConfig>, String> {
+        let bound_environment = { self.environment.read().await.clone() };
+        if bound_environment.is_none() {
+            return Err("sidecar proxy has not completed registration".to_string());
+        }
+        if bound_environment != Some(environment_id) {
+            tracing::warn!(
+                registered = ?bound_environment,
+                requested = %environment_id,
+                peer = ?self.peer_addr,
+                "Sidecar attempted to request direct config for unauthorized environment",
+            );
+            return Err("environment mismatch for sidecar proxy".to_string());
+        }
+        self.manager
+            .request_direct_config(environment_id, stun_observed_addr)
+            .await
+    }
+}
diff --git a/crates/kube-manager/src/tunnel.rs b/crates/kube-manager/src/tunnel.rs
new file mode 100644
index 0000000..5d83891
--- /dev/null
+++ b/crates/kube-manager/src/tunnel.rs
@@ -0,0 +1,54 @@
+use anyhow::Result;
+use lapdev_tunnel::{run_tunnel_server, RelayEndpoint};
+
+/// Manages the lifecycle of the background tunnel connection used for preview URLs.
+#[derive(Clone)]
+pub struct TunnelManager {
+    tunnel_request: tokio_tungstenite::tungstenite::http::Request<()>,
+    auth_token: String,
+}
+
+impl TunnelManager {
+    pub fn new(
+        tunnel_request: tokio_tungstenite::tungstenite::http::Request<()>,
+        auth_token: String,
+    ) -> Self {
+        Self {
+            tunnel_request,
+            auth_token,
+        }
+    }
+
+    /// Start the tunnel manager connection cycle
+    pub async fn start_tunnel_cycle(&self) -> Result<()> {
+        loop {
+            match self.handle_tunnel_connection_cycle().await {
+                Ok(_) => {
+                    tracing::warn!("Tunnel connection cycle completed, will retry in 5 seconds...");
+                }
+                Err(e) => {
+                    tracing::warn!(
+                        "Tunnel connection cycle failed: {}, retrying in 5 seconds...",
+                        e
+                    );
+                }
+            }
+            tokio::time::sleep(std::time::Duration::from_secs(5)).await;
+        }
+    }
+
+    /// Handle a single tunnel connection cycle
+    async fn handle_tunnel_connection_cycle(&self) -> Result<()> {
+        tracing::info!("Attempting to establish tunnel connection...");
+
+        let (stream, _) = tokio_tungstenite::connect_async(self.tunnel_request.clone()).await?;
+
+        tracing::info!("Tunnel WebSocket connection established");
+
+        let connection = RelayEndpoint::client_connection(stream).await?;
+        run_tunnel_server(connection).await?;
+
+        tracing::info!("Tunnel server session ended");
+        Ok(())
+    }
+}
diff --git a/crates/kube-manager/src/watch_manager.rs b/crates/kube-manager/src/watch_manager.rs
new file mode 100644
index 0000000..0cd9d39
--- /dev/null
+++ b/crates/kube-manager/src/watch_manager.rs
@@ -0,0 +1,651 @@
+use std::{
+    collections::{HashMap, HashSet},
+    sync::Arc,
+    time::Duration,
+};
+
+use anyhow::{anyhow, Result};
+use futures::{pin_mut, TryStreamExt};
+use k8s_openapi::NamespaceResourceScope;
+use kube::{
+    runtime::watcher::{self, watcher, Error as WatcherError, Event},
+    Api, Resource, ResourceExt,
+};
+use lapdev_kube_rpc::{
+    KubeClusterRpcClient, ResourceChangeEvent, ResourceChangeType, ResourceType,
+};
+use serde::de::DeserializeOwned;
+use tokio::{sync::RwLock, task::JoinHandle, time::sleep};
+use tracing::{debug, error, info, warn};
+
+const WATCHED_RESOURCE_TYPES: &[ResourceType] = &[
+    ResourceType::Deployment,
+    ResourceType::StatefulSet,
+    ResourceType::DaemonSet,
+    ResourceType::ReplicaSet,
+    ResourceType::Job,
+    ResourceType::CronJob,
+    ResourceType::ConfigMap,
+    ResourceType::Secret,
+    ResourceType::Service,
+];
+
+type WatchKey = (ResourceType, String);
+
+#[derive(Clone)]
+pub struct WatchManager {
+    kube_client: Arc<kube::Client>,
+    rpc_client: Arc<RwLock<Option<KubeClusterRpcClient>>>,
+    namespaces: Arc<RwLock<HashSet<String>>>,
+    tasks: Arc<RwLock<HashMap<WatchKey, JoinHandle<()>>>>,
+}
+
+impl WatchManager {
+    pub fn new(kube_client: Arc<kube::Client>) -> Self {
+        Self {
+            kube_client,
+            rpc_client: Arc::new(RwLock::new(None)),
+            namespaces: Arc::new(RwLock::new(HashSet::new())),
+            tasks: Arc::new(RwLock::new(HashMap::new())),
+        }
+    }
+
+    pub async fn set_rpc_client(&self, client: KubeClusterRpcClient) {
+        let mut guard = self.rpc_client.write().await;
+        *guard = Some(client);
+    }
+
+    pub async fn clear_rpc_client(&self) {
+        let mut guard = self.rpc_client.write().await;
+        *guard = None;
+    }
+
+    pub async fn configure_watches(&self, namespaces: Vec<String>) -> Result<()> {
+        let new_namespaces: HashSet<String> = namespaces
+            .into_iter()
+            .map(|ns| ns.trim().to_string())
+            .filter(|ns| !ns.is_empty())
+            .collect();
+
+        let (to_remove, to_add) = {
+            let current_namespaces = self.namespaces.read().await;
+            let to_remove: Vec<String> = current_namespaces
+                .iter()
+                .filter(|ns| !new_namespaces.contains(*ns))
+                .cloned()
+                .collect();
+            let to_add: Vec<String> = new_namespaces
+                .iter()
+                .filter(|ns| !current_namespaces.contains(*ns))
+                .cloned()
+                .collect();
+            (to_remove, to_add)
+        };
+
+        for namespace in &to_remove {
+            self.stop_namespace(namespace).await;
+        }
+
+        for namespace in &to_add {
+            self.start_namespace(namespace.clone()).await;
+        }
+
+        let mut current_namespaces = self.namespaces.write().await;
+        *current_namespaces = new_namespaces;
+
+        Ok(())
+    }
+
+    pub async fn add_namespace_watch(&self, namespace: String) -> Result<()> {
+        let namespace = namespace.trim().to_string();
+        if namespace.is_empty() {
+            return Ok(());
+        }
+
+        {
+            let namespaces = self.namespaces.read().await;
+            if namespaces.contains(&namespace) {
+                return Ok(());
+            }
+        }
+
+        self.start_namespace(namespace.clone()).await;
+
+        let mut namespaces = self.namespaces.write().await;
+        namespaces.insert(namespace);
+        Ok(())
+    }
+
+    pub async fn remove_namespace_watch(&self, namespace: String) -> Result<()> {
+        let namespace = namespace.trim().to_string();
+        if namespace.is_empty() {
+            return Ok(());
+        }
+
+        let removed = {
+            let mut namespaces = self.namespaces.write().await;
+            namespaces.remove(&namespace)
+        };
+
+        if removed {
+            self.stop_namespace(&namespace).await;
+        }
+
+        Ok(())
+    }
+
+    async fn stop_namespace(&self, namespace: &str) {
+        let mut tasks = self.tasks.write().await;
+        let keys: Vec<WatchKey> = tasks
+            .keys()
+            .filter(|(_, ns)| ns.as_str() == namespace)
+            .cloned()
+            .collect();
+
+        for key in keys {
+            if let Some(handle) = tasks.remove(&key) {
+                handle.abort();
+                debug!(
+                    namespace = namespace,
+                    resource_type = ?key.0,
+                    "Stopped watcher for namespace"
+                );
+            }
+        }
+    }
+
+    async fn start_namespace(&self, namespace: String) {
+        let mut tasks_guard = self.tasks.write().await;
+
+        for rt in WATCHED_RESOURCE_TYPES {
+            let resource_type = *rt;
+            let key = (resource_type, namespace.clone());
+
+            if tasks_guard.contains_key(&key) {
+                continue;
+            }
+
+            let kube_client = self.kube_client.clone();
+            let rpc_client = self.rpc_client.clone();
+            let namespace_clone = namespace.clone();
+
+            let handle = tokio::spawn(async move {
+                info!(
+                    namespace = namespace_clone.as_str(),
+                    resource_type = ?resource_type,
+                    "Starting watcher task"
+                );
+                let mut backoff = Duration::from_secs(1);
+                loop {
+                    let result = watch_resource(
+                        kube_client.clone(),
+                        rpc_client.clone(),
+                        namespace_clone.clone(),
+                        resource_type,
+                    )
+                    .await;
+
+                    match result {
+                        Ok(()) => {
+                            info!(
+                                namespace = namespace_clone.as_str(),
+                                resource_type = ?resource_type,
+                                "Watcher completed gracefully, restarting"
+                            );
+                            backoff = Duration::from_secs(1);
+                        }
+                        Err(err) => {
+                            warn!(
+                                namespace = namespace_clone.as_str(),
+                                resource_type = ?resource_type,
+                                error = ?err,
+                                "Watcher encountered error, restarting with backoff"
+                            );
+                            sleep(backoff).await;
+                            backoff = (backoff * 2).min(Duration::from_secs(30));
+                        }
+                    }
+                }
+            });
+
+            tasks_guard.insert(key, handle);
+        }
+    }
+}
+
+async fn watch_resource(
+    kube_client: Arc<kube::Client>,
+    rpc_client: Arc<RwLock<Option<KubeClusterRpcClient>>>,
+    namespace: String,
+    resource_type: ResourceType,
+) -> Result<()> {
+    match resource_type {
+        ResourceType::Deployment => {
+            watch_kind::<k8s_openapi::api::apps::v1::Deployment>(
+                kube_client,
+                rpc_client,
+                namespace,
+                resource_type,
+            )
+            .await
+        }
+        ResourceType::StatefulSet => {
+            watch_kind::<k8s_openapi::api::apps::v1::StatefulSet>(
+                kube_client,
+                rpc_client,
+                namespace,
+                resource_type,
+            )
+            .await
+        }
+        ResourceType::DaemonSet => {
+            watch_kind::<k8s_openapi::api::apps::v1::DaemonSet>(
+                kube_client,
+                rpc_client,
+                namespace,
+                resource_type,
+            )
+            .await
+        }
+        ResourceType::ReplicaSet => {
+            watch_kind::<k8s_openapi::api::apps::v1::ReplicaSet>(
+                kube_client,
+                rpc_client,
+                namespace,
+                resource_type,
+            )
+            .await
+        }
+        ResourceType::Job => {
+            watch_kind::<k8s_openapi::api::batch::v1::Job>(
+                kube_client,
+                rpc_client,
+                namespace,
+                resource_type,
+            )
+            .await
+        }
+        ResourceType::CronJob => {
+            watch_kind::<k8s_openapi::api::batch::v1::CronJob>(
+                kube_client,
+                rpc_client,
+                namespace,
+                resource_type,
+            )
+            .await
+        }
+        ResourceType::ConfigMap => {
+            watch_kind::<k8s_openapi::api::core::v1::ConfigMap>(
+                kube_client,
+                rpc_client,
+                namespace,
+                resource_type,
+            )
+            .await
+        }
+        ResourceType::Secret => {
+            watch_kind::<k8s_openapi::api::core::v1::Secret>(
+                kube_client,
+                rpc_client,
+                namespace,
+                resource_type,
+            )
+            .await
+        }
+        ResourceType::Service => {
+            watch_kind::<k8s_openapi::api::core::v1::Service>(
+                kube_client,
+                rpc_client,
+                namespace,
+                resource_type,
+            )
+            .await
+        }
+    }
+}
+
+async fn watch_kind<K>(
+    kube_client: Arc<kube::Client>,
+    rpc_client: Arc<RwLock<Option<KubeClusterRpcClient>>>,
+    namespace: String,
+    resource_type: ResourceType,
+) -> Result<()>
+where
+    K: Clone
+        + std::fmt::Debug
+        + DeserializeOwned
+        + Resource<Scope = NamespaceResourceScope>
+        + Send
+        + Sync
+        + 'static
+        + serde::Serialize,
+    <K as Resource>::DynamicType:
+        Default + Eq + std::hash::Hash + Clone + std::fmt::Debug + Send + Sync,
+{
+    let api: Api<K> = Api::namespaced(kube_client.as_ref().clone(), &namespace);
+    let watcher_stream = watcher(api, watcher::Config::default().timeout(60));
+    pin_mut!(watcher_stream);
+    let mut seen_versions: HashMap<String, String> = HashMap::new();
+
+    while let Some(event) = watcher_stream.try_next().await.map_err(map_watcher_error)? {
+        match event {
+            Event::Apply(obj) => {
+                if let Some(change_event) = build_event(
+                    &namespace,
+                    resource_type,
+                    ResourceChangeType::Created,
+                    &mut seen_versions,
+                    obj,
+                ) {
+                    send_event(rpc_client.clone(), change_event).await;
+                }
+            }
+            Event::Delete(obj) => {
+                if let Some(change_event) = build_event(
+                    &namespace,
+                    resource_type,
+                    ResourceChangeType::Deleted,
+                    &mut seen_versions,
+                    obj,
+                ) {
+                    send_event(rpc_client.clone(), change_event).await;
+                }
+            }
+            Event::Init => {
+                debug!(
+                    namespace = namespace.as_str(),
+                    resource_type = ?resource_type,
+                    "Watcher received init signal"
+                );
+            }
+            Event::InitApply(obj) => {
+                if let Some(change_event) = build_event(
+                    &namespace,
+                    resource_type,
+                    ResourceChangeType::Created,
+                    &mut seen_versions,
+                    obj,
+                ) {
+                    send_event(rpc_client.clone(), change_event).await;
+                }
+            }
+            Event::InitDone => {
+                debug!(
+                    namespace = namespace.as_str(),
+                    resource_type = ?resource_type,
+                    "Watcher initial sync completed"
+                );
+            }
+        }
+    }
+
+    Ok(())
+}
+
+fn map_watcher_error(err: WatcherError) -> anyhow::Error {
+    match err {
+        WatcherError::InitialListFailed(source) => anyhow!("initial list request failed: {source}"),
+        WatcherError::WatchStartFailed(source) => anyhow!("failed to start watcher: {source}"),
+        WatcherError::WatchError(source) => anyhow!("watch error from API server: {source}"),
+        WatcherError::WatchFailed(source) => anyhow!("watch stream failed: {source}"),
+        WatcherError::NoResourceVersion => {
+            anyhow!("watch event missing resourceVersion (resource may not support watch)")
+        }
+    }
+}
+fn build_event<K>(
+    namespace: &str,
+    resource_type: ResourceType,
+    initial_change_type: ResourceChangeType,
+    seen_versions: &mut HashMap<String, String>,
+    obj: K,
+) -> Option<ResourceChangeEvent>
+where
+    K: ResourceExt + serde::Serialize,
+{
+    let name = obj.name_any();
+    if name.is_empty() {
+        warn!(
+            namespace = namespace,
+            resource_type = ?resource_type,
+            "Skipping resource with empty name"
+        );
+        return None;
+    }
+
+    let resource_version = match obj.resource_version() {
+        Some(rv) => rv,
+        None => {
+            warn!(
+                namespace = namespace,
+                resource = name,
+                resource_type = ?resource_type,
+                "Skipping resource without resourceVersion"
+            );
+            return None;
+        }
+    };
+
+    let change_type = match initial_change_type {
+        ResourceChangeType::Created => {
+            if seen_versions.contains_key(&name) {
+                ResourceChangeType::Updated
+            } else {
+                ResourceChangeType::Created
+            }
+        }
+        ResourceChangeType::Updated => {
+            if seen_versions
+                .get(&name)
+                .map(|prev| prev == &resource_version)
+                == Some(true)
+            {
+                return None;
+            }
+            ResourceChangeType::Updated
+        }
+        ResourceChangeType::Deleted => ResourceChangeType::Deleted,
+    };
+
+    match change_type {
+        ResourceChangeType::Deleted => {
+            seen_versions.remove(&name);
+        }
+        _ => {
+            seen_versions.insert(name.clone(), resource_version.clone());
+        }
+    }
+
+    let resource_yaml = if should_include_yaml(resource_type) {
+        match serde_yaml::to_string(&obj) {
+            Ok(yaml) => Some(yaml),
+            Err(err) => {
+                warn!(
+                    namespace = namespace,
+                    resource = name,
+                    resource_type = ?resource_type,
+                    error = ?err,
+                    "Failed to serialize resource to YAML"
+                );
+                None
+            }
+        }
+    } else {
+        None
+    };
+
+    Some(ResourceChangeEvent {
+        namespace: namespace.to_string(),
+        resource_type,
+        resource_name: name,
+        change_type,
+        resource_version,
+        resource_yaml,
+        timestamp: chrono::Utc::now(),
+    })
+}
+
+fn should_include_yaml(resource_type: ResourceType) -> bool {
+    matches!(
+        resource_type,
+        ResourceType::Deployment
+            | ResourceType::StatefulSet
+            | ResourceType::DaemonSet
+            | ResourceType::ReplicaSet
+            | ResourceType::Job
+            | ResourceType::CronJob
+            | ResourceType::Service
+    )
+}
+
+async fn send_event(
+    rpc_client_store: Arc<RwLock<Option<KubeClusterRpcClient>>>,
+    event: ResourceChangeEvent,
+) {
+    let client = {
+        let guard = rpc_client_store.read().await;
+        guard.clone()
+    };
+
+    let Some(client) = client else {
+        debug!(
+            namespace = event.namespace.as_str(),
+            resource_type = ?event.resource_type,
+            resource_name = event.resource_name.as_str(),
+            "RPC client not available, skipping resource change event"
+        );
+        return;
+    };
+
+    match client
+        .report_resource_change(tarpc::context::current(), event.clone())
+        .await
+    {
+        Ok(_) => {
+            debug!(
+                namespace = event.namespace.as_str(),
+                resource_type = ?event.resource_type,
+                resource_name = event.resource_name.as_str(),
+                change_type = ?event.change_type,
+                "Sent resource change event"
+            );
+        }
+        Err(err) => {
+            error!(
+                namespace = event.namespace.as_str(),
+                resource_type = ?event.resource_type,
+                resource_name = event.resource_name.as_str(),
+                change_type = ?event.change_type,
+                error = ?err,
+                "Failed to send resource change event"
+            );
+        }
+    }
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+    use k8s_openapi::api::apps::v1::Deployment;
+    use serde_yaml::Value;
+    use std::collections::HashMap;
+
+    #[test]
+    fn build_event_preserves_status_ready_replicas_in_yaml() {
+        let deployment_yaml = r#"
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: web
+  namespace: default
+  resourceVersion: "123"
+spec:
+  selector:
+    matchLabels:
+      app: web
+  template:
+    metadata:
+      labels:
+        app: web
+    spec:
+      containers:
+        - name: web
+          image: nginx:1.27
+status:
+  readyReplicas: 1
+"#;
+        let deployment: Deployment = serde_yaml::from_str(deployment_yaml).unwrap();
+        let mut seen_versions = HashMap::new();
+
+        let event = build_event(
+            "default",
+            ResourceType::Deployment,
+            ResourceChangeType::Created,
+            &mut seen_versions,
+            deployment,
+        )
+        .expect("expected change event");
+
+        assert_eq!(event.resource_name, "web");
+        assert_eq!(event.change_type, ResourceChangeType::Created);
+
+        let yaml = event
+            .resource_yaml
+            .expect("expected serialized resource YAML in change event");
+        let parsed: Value = serde_yaml::from_str(&yaml).expect("YAML should parse");
+
+        let ready_replicas = parsed
+            .get("status")
+            .and_then(|status| status.get("readyReplicas"))
+            .and_then(Value::as_i64);
+
+        assert_eq!(
+            ready_replicas,
+            Some(1),
+            "readyReplicas should round-trip in YAML"
+        );
+    }
+
+    #[test]
+    fn build_event_provides_yaml_for_deleted_workloads() {
+        let deployment_yaml = r#"
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: web
+  namespace: default
+  resourceVersion: "123"
+  labels:
+    lapdev.io/branch-environment-id: "abc"
+spec:
+  selector:
+    matchLabels:
+      app: web
+  template:
+    metadata:
+      labels:
+        app: web
+    spec:
+      containers:
+        - name: web
+          image: nginx:1.27
+"#;
+        let deployment: Deployment = serde_yaml::from_str(deployment_yaml).unwrap();
+        let mut seen_versions = HashMap::new();
+
+        let event = build_event(
+            "default",
+            ResourceType::Deployment,
+            ResourceChangeType::Deleted,
+            &mut seen_versions,
+            deployment,
+        )
+        .expect("expected delete event");
+
+        assert_eq!(event.change_type, ResourceChangeType::Deleted);
+        assert!(
+            event.resource_yaml.is_some(),
+            "deleted events should still include serialized YAML"
+        );
+    }
+}
diff --git a/crates/kube-rpc/Cargo.toml b/crates/kube-rpc/Cargo.toml
new file mode 100644
index 0000000..f8c185c
--- /dev/null
+++ b/crates/kube-rpc/Cargo.toml
@@ -0,0 +1,17 @@
+[package]
+name = "lapdev-kube-rpc"
+version.workspace = true
+authors.workspace = true
+edition.workspace = true
+
+[dependencies]
+uuid.workspace = true
+tarpc.workspace = true
+serde.workspace = true
+serde_json.workspace = true
+chrono.workspace = true
+k8s-openapi.workspace = true
+lapdev-common.workspace = true
+tokio.workspace = true
+httparse = "1.8"
+tracing.workspace = true
diff --git a/crates/kube-rpc/src/http_parser.rs b/crates/kube-rpc/src/http_parser.rs
new file mode 100644
index 0000000..c74464b
--- /dev/null
+++ b/crates/kube-rpc/src/http_parser.rs
@@ -0,0 +1,710 @@
+use std::io;
+use tokio::{
+    io::{AsyncRead, AsyncReadExt},
+    time::{timeout, Instant},
+};
+use tracing::debug;
+
+/// Parsed HTTP request information
+#[derive(Debug, Clone)]
+pub struct ParsedHttpRequest {
+    pub method: String,
+    pub path: String,
+    pub headers: Vec<(String, String)>,
+}
+
+/// Result of parsing HTTP headers with body start position
+pub type HttpParseResult = (ParsedHttpRequest, usize);
+
+const MAX_HEADER_SIZE: usize = 8192;
+const READ_CHUNK_SIZE: usize = 1024;
+const HEADER_END_MARKER: &[u8] = b"\r\n\r\n";
+
+/// Outcome of attempting to read HTTP headers with an optional deadline.
+#[derive(Debug, Clone, Copy, PartialEq, Eq)]
+pub enum HeaderReadStatus {
+    Complete,
+    TimedOut,
+}
+
+/// Parse HTTP request from a buffer using httparse
+pub fn parse_http_request_from_buffer(buffer: &[u8]) -> io::Result<HttpParseResult> {
+    let mut headers = [httparse::EMPTY_HEADER; 64];
+    let mut req = httparse::Request::new(&mut headers);
+
+    let result = req.parse(buffer).map_err(|e| {
+        io::Error::new(
+            io::ErrorKind::InvalidData,
+            format!("HTTP parse error: {}", e),
+        )
+    })?;
+
+    let body_start = match result {
+        httparse::Status::Complete(headers_len) => headers_len,
+        httparse::Status::Partial => {
+            return Err(io::Error::new(
+                io::ErrorKind::InvalidData,
+                "Incomplete HTTP request",
+            ));
+        }
+    };
+
+    let method = req
+        .method
+        .ok_or_else(|| io::Error::new(io::ErrorKind::InvalidData, "Missing HTTP method"))?
+        .to_string();
+
+    let path = req
+        .path
+        .ok_or_else(|| io::Error::new(io::ErrorKind::InvalidData, "Missing HTTP path"))?
+        .to_string();
+
+    let headers = req
+        .headers
+        .iter()
+        .map(|h| {
+            let name = h.name.to_string();
+            let value = String::from_utf8_lossy(h.value).to_string();
+            (name, value)
+        })
+        .collect();
+
+    let parsed_request = ParsedHttpRequest {
+        method,
+        path,
+        headers,
+    };
+
+    debug!(
+        "Parsed HTTP request: {} {}",
+        parsed_request.method, parsed_request.path
+    );
+    Ok((parsed_request, body_start))
+}
+
+/// Read from the stream until complete HTTP headers are buffered.
+/// Returns Ok(()) once `buffer` contains the full header block (ending with CRLFCRLF).
+pub async fn read_http_headers<R>(stream: &mut R, buffer: &mut Vec<u8>) -> io::Result<()>
+where
+    R: AsyncRead + Unpin,
+{
+    let status = read_http_headers_with_deadline(stream, buffer, None).await?;
+    debug_assert!(matches!(status, HeaderReadStatus::Complete));
+    Ok(())
+}
+
+/// Read HTTP headers while honoring an optional deadline. Returns whether the read completed
+/// before the deadline expired.
+pub async fn read_http_headers_with_deadline<R>(
+    stream: &mut R,
+    buffer: &mut Vec<u8>,
+    deadline: Option<Instant>,
+) -> io::Result<HeaderReadStatus>
+where
+    R: AsyncRead + Unpin,
+{
+    if headers_complete(buffer, HEADER_END_MARKER) {
+        return Ok(HeaderReadStatus::Complete);
+    }
+
+    let mut status = HeaderReadStatus::Complete;
+
+    while buffer.len() < MAX_HEADER_SIZE {
+        let prev_len = buffer.len();
+        let remaining_capacity = MAX_HEADER_SIZE - prev_len;
+        let read_len = remaining_capacity.min(READ_CHUNK_SIZE);
+        let mut temp_buffer = vec![0u8; read_len];
+        let read_result = read_chunk_with_deadline(stream, &mut temp_buffer, deadline).await?;
+
+        let bytes_read = match read_result {
+            Some(n) => n,
+            None => {
+                status = HeaderReadStatus::TimedOut;
+                break;
+            }
+        };
+
+        if bytes_read == 0 {
+            return Err(io::Error::new(
+                io::ErrorKind::UnexpectedEof,
+                "Connection closed before complete HTTP headers received",
+            ));
+        }
+
+        buffer.extend_from_slice(&temp_buffer[..bytes_read]);
+
+        let search_start = if prev_len >= HEADER_END_MARKER.len() - 1 {
+            prev_len - (HEADER_END_MARKER.len() - 1)
+        } else {
+            0
+        };
+
+        if headers_complete(&buffer[search_start..], HEADER_END_MARKER) {
+            debug!(
+                "Successfully read HTTP headers after buffering {} bytes",
+                buffer.len()
+            );
+            return Ok(HeaderReadStatus::Complete);
+        }
+    }
+
+    if matches!(status, HeaderReadStatus::TimedOut) {
+        Ok(HeaderReadStatus::TimedOut)
+    } else {
+        Err(io::Error::new(
+            io::ErrorKind::InvalidData,
+            format!(
+                "HTTP headers exceed maximum size of {} bytes",
+                MAX_HEADER_SIZE
+            ),
+        ))
+    }
+}
+
+fn headers_complete(buffer: &[u8], marker: &[u8]) -> bool {
+    buffer.windows(marker.len()).any(|window| window == marker)
+}
+
+/// Extract Content-Length from parsed headers if present
+pub fn get_content_length(headers: &[(String, String)]) -> Option<usize> {
+    headers
+        .iter()
+        .find(|(name, _)| name.to_lowercase() == "content-length")
+        .and_then(|(_, value)| value.parse().ok())
+}
+
+/// Extract Host header from parsed headers
+pub fn get_host_header(headers: &[(String, String)]) -> Option<&String> {
+    headers
+        .iter()
+        .find(|(name, _)| name.to_lowercase() == "host")
+        .map(|(_, value)| value)
+}
+
+/// Extract a specific header value (case-insensitive)
+pub fn get_header_value<'a>(
+    headers: &'a [(String, String)],
+    header_name: &str,
+) -> Option<&'a String> {
+    let target_name = header_name.to_lowercase();
+    headers
+        .iter()
+        .find(|(name, _)| name.to_lowercase() == target_name)
+        .map(|(_, value)| value)
+}
+
+async fn read_chunk_with_deadline<R>(
+    reader: &mut R,
+    chunk: &mut [u8],
+    deadline: Option<Instant>,
+) -> io::Result<Option<usize>>
+where
+    R: AsyncRead + Unpin,
+{
+    if chunk.is_empty() {
+        return Ok(Some(0));
+    }
+
+    if let Some(deadline) = deadline {
+        match deadline.checked_duration_since(Instant::now()) {
+            Some(remaining) if !remaining.is_zero() => {
+                match timeout(remaining, reader.read(chunk)).await {
+                    Ok(result) => result.map(Some),
+                    Err(_) => Ok(None),
+                }
+            }
+            _ => Ok(None),
+        }
+    } else {
+        reader.read(chunk).await.map(Some)
+    }
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+    use std::{
+        io,
+        pin::Pin,
+        task::{Context, Poll},
+    };
+    use tokio::{
+        io::{AsyncRead, ReadBuf},
+        time::{Duration, Instant},
+    };
+
+    #[test]
+    fn test_parse_basic_get_request() {
+        let request_data =
+            b"GET /api/health HTTP/1.1\r\nHost: localhost:8080\r\nUser-Agent: test\r\n\r\n";
+
+        let (request, body_start) = parse_http_request_from_buffer(request_data).unwrap();
+
+        assert_eq!(request.method, "GET");
+        assert_eq!(request.path, "/api/health");
+        assert_eq!(body_start, request_data.len());
+
+        let host = get_host_header(&request.headers);
+        assert_eq!(host, Some(&"localhost:8080".to_string()));
+    }
+
+    #[test]
+    fn test_parse_post_with_body() {
+        let request_data = b"POST /api/data HTTP/1.1\r\nHost: localhost:8080\r\nContent-Type: application/json\r\nContent-Length: 13\r\n\r\n{\"test\": true}";
+
+        let (request, body_start) = parse_http_request_from_buffer(request_data).unwrap();
+
+        assert_eq!(request.method, "POST");
+        assert_eq!(request.path, "/api/data");
+
+        let body = &request_data[body_start..];
+        assert_eq!(body, b"{\"test\": true}");
+
+        let content_length = get_content_length(&request.headers);
+        assert_eq!(content_length, Some(13));
+    }
+
+    #[test]
+    fn test_get_header_value() {
+        let headers = vec![
+            ("Host".to_string(), "example.com".to_string()),
+            ("Content-Type".to_string(), "application/json".to_string()),
+            ("Authorization".to_string(), "Bearer token123".to_string()),
+        ];
+
+        assert_eq!(
+            get_header_value(&headers, "host"),
+            Some(&"example.com".to_string())
+        );
+        assert_eq!(
+            get_header_value(&headers, "HOST"),
+            Some(&"example.com".to_string())
+        );
+        assert_eq!(
+            get_header_value(&headers, "content-type"),
+            Some(&"application/json".to_string())
+        );
+        assert_eq!(
+            get_header_value(&headers, "authorization"),
+            Some(&"Bearer token123".to_string())
+        );
+        assert_eq!(get_header_value(&headers, "nonexistent"), None);
+    }
+
+    #[test]
+    fn test_incomplete_request() {
+        let incomplete_data = b"GET /api/health HTTP/1.1\r\nHost: localhost";
+        assert!(parse_http_request_from_buffer(incomplete_data).is_err());
+
+        let complete_data = b"GET /api/health HTTP/1.1\r\nHost: localhost\r\n\r\n";
+        assert!(parse_http_request_from_buffer(complete_data).is_ok());
+    }
+
+    #[test]
+    fn test_parse_request_with_multiple_headers() {
+        // Test parsing a request with various headers to ensure all functions work together
+        let request_data = b"POST /api/test HTTP/1.1\r\nHost: example.com\r\nUser-Agent: test-client\r\nContent-Type: application/json\r\nContent-Length: 26\r\nAuthorization: Bearer abc123\r\n\r\n{\"message\": \"hello world\"}";
+
+        let (parsed_request, body_start) = parse_http_request_from_buffer(request_data).unwrap();
+
+        // Test basic parsing
+        assert_eq!(parsed_request.method, "POST");
+        assert_eq!(parsed_request.path, "/api/test");
+
+        // Test all utility functions
+        assert_eq!(
+            get_host_header(&parsed_request.headers),
+            Some(&"example.com".to_string())
+        );
+        assert_eq!(get_content_length(&parsed_request.headers), Some(26));
+        assert_eq!(
+            get_header_value(&parsed_request.headers, "user-agent"),
+            Some(&"test-client".to_string())
+        );
+        assert_eq!(
+            get_header_value(&parsed_request.headers, "content-type"),
+            Some(&"application/json".to_string())
+        );
+        assert_eq!(
+            get_header_value(&parsed_request.headers, "authorization"),
+            Some(&"Bearer abc123".to_string())
+        );
+
+        // Test body extraction
+        let body = &request_data[body_start..];
+        assert_eq!(body, b"{\"message\": \"hello world\"}");
+        assert_eq!(body.len(), 26); // Should match content-length
+    }
+
+    #[test]
+    fn test_get_host_header() {
+        let headers = vec![
+            ("Content-Type".to_string(), "application/json".to_string()),
+            ("Host".to_string(), "api.example.com".to_string()),
+            ("Authorization".to_string(), "Bearer token".to_string()),
+        ];
+
+        assert_eq!(
+            get_host_header(&headers),
+            Some(&"api.example.com".to_string())
+        );
+
+        // Test case-insensitive
+        let headers_mixed_case = vec![("host".to_string(), "lowercase.example.com".to_string())];
+        assert_eq!(
+            get_host_header(&headers_mixed_case),
+            Some(&"lowercase.example.com".to_string())
+        );
+
+        // Test missing host header
+        let headers_no_host = vec![("Content-Type".to_string(), "application/json".to_string())];
+        assert_eq!(get_host_header(&headers_no_host), None);
+    }
+
+    #[test]
+    fn test_get_content_length() {
+        let headers = vec![
+            ("Host".to_string(), "example.com".to_string()),
+            ("Content-Length".to_string(), "42".to_string()),
+            ("Content-Type".to_string(), "application/json".to_string()),
+        ];
+
+        assert_eq!(get_content_length(&headers), Some(42));
+
+        // Test case-insensitive
+        let headers_mixed_case = vec![("content-length".to_string(), "1024".to_string())];
+        assert_eq!(get_content_length(&headers_mixed_case), Some(1024));
+
+        // Test invalid content-length
+        let headers_invalid = vec![("Content-Length".to_string(), "not-a-number".to_string())];
+        assert_eq!(get_content_length(&headers_invalid), None);
+
+        // Test missing content-length
+        let headers_no_cl = vec![("Host".to_string(), "example.com".to_string())];
+        assert_eq!(get_content_length(&headers_no_cl), None);
+    }
+
+    #[tokio::test]
+    async fn test_boundary_spanning_with_chunked_stream() {
+        use std::pin::Pin;
+        use std::task::{Context, Poll};
+        use tokio::io::{AsyncRead, ReadBuf};
+
+        // Mock stream that returns data in controlled chunks to test boundary scenarios
+        struct ChunkedMockStream {
+            chunks: Vec<Vec<u8>>,
+            current_chunk: usize,
+        }
+
+        impl ChunkedMockStream {
+            fn new(chunks: Vec<Vec<u8>>) -> Self {
+                Self {
+                    chunks,
+                    current_chunk: 0,
+                }
+            }
+        }
+
+        impl AsyncRead for ChunkedMockStream {
+            fn poll_read(
+                mut self: Pin<&mut Self>,
+                _cx: &mut Context<'_>,
+                buf: &mut ReadBuf<'_>,
+            ) -> Poll<std::io::Result<()>> {
+                if self.current_chunk >= self.chunks.len() {
+                    // No more data (EOF)
+                    return Poll::Ready(Ok(()));
+                }
+
+                let chunk = &self.chunks[self.current_chunk];
+                let to_copy = std::cmp::min(chunk.len(), buf.remaining());
+                buf.put_slice(&chunk[..to_copy]);
+
+                self.current_chunk += 1;
+                Poll::Ready(Ok(()))
+            }
+        }
+
+        // Test case 1: Header end marker \r\n\r\n spans across chunks (\r | \n\r\n)
+        let chunks = vec![
+            b"GET /test HTTP/1.1\r\nHost: example.com\r".to_vec(), // Ends with \r
+            b"\n\r\n".to_vec(), // Starts with \n, completes marker
+            b"Body data here".to_vec(),
+        ];
+
+        let mut mock_stream = ChunkedMockStream::new(chunks);
+        let mut buffer = Vec::new();
+
+        let read_result = read_http_headers(&mut mock_stream, &mut buffer).await;
+        assert!(
+            read_result.is_ok(),
+            "Should successfully read request with boundary-spanning marker"
+        );
+
+        let (parsed_request, _body_start) =
+            parse_http_request_from_buffer(&buffer).expect("Failed to parse request");
+        assert_eq!(parsed_request.method, "GET");
+        assert_eq!(parsed_request.path, "/test");
+        assert_eq!(
+            get_host_header(&parsed_request.headers),
+            Some(&"example.com".to_string())
+        );
+
+        // Test case 2: Different boundary split (\r\n | \r\n)
+        let chunks2 = vec![
+            b"POST /api HTTP/1.1\r\nContent-Type: application/json\r\n".to_vec(),
+            b"\r\n".to_vec(), // Complete header terminator in second chunk
+            b"{\"data\": \"test\"}".to_vec(),
+        ];
+
+        let mut mock_stream2 = ChunkedMockStream::new(chunks2);
+        let mut buffer2 = Vec::new();
+
+        let read_result2 = read_http_headers(&mut mock_stream2, &mut buffer2).await;
+        assert!(
+            read_result2.is_ok(),
+            "Should handle different boundary split"
+        );
+
+        let (parsed_request2, _) =
+            parse_http_request_from_buffer(&buffer2).expect("Failed to parse request");
+        assert_eq!(parsed_request2.method, "POST");
+        assert_eq!(parsed_request2.path, "/api");
+        assert_eq!(
+            get_header_value(&parsed_request2.headers, "content-type"),
+            Some(&"application/json".to_string())
+        );
+
+        // Test case 3: Very fragmented - each byte of \r\n\r\n in separate chunks
+        let chunks3 = vec![
+            b"PUT /upload HTTP/1.1\r\nHost: api.example.com".to_vec(),
+            b"\r".to_vec(), // Just \r
+            b"\n".to_vec(), // Just \n
+            b"\r".to_vec(), // Just \r
+            b"\n".to_vec(), // Just \n - completes header marker
+            b"Upload content".to_vec(),
+        ];
+
+        let mut mock_stream3 = ChunkedMockStream::new(chunks3);
+        let mut buffer3 = Vec::new();
+
+        let read_result3 = read_http_headers(&mut mock_stream3, &mut buffer3).await;
+        assert!(
+            read_result3.is_ok(),
+            "Should handle extremely fragmented boundary marker"
+        );
+
+        let (parsed_request3, _) =
+            parse_http_request_from_buffer(&buffer3).expect("Failed to parse request");
+        assert_eq!(parsed_request3.method, "PUT");
+        assert_eq!(parsed_request3.path, "/upload");
+        assert_eq!(
+            get_host_header(&parsed_request3.headers),
+            Some(&"api.example.com".to_string())
+        );
+    }
+
+    #[tokio::test]
+    async fn test_all_possible_boundary_splits() {
+        use std::pin::Pin;
+        use std::task::{Context, Poll};
+        use tokio::io::{AsyncRead, ReadBuf};
+
+        // Mock stream that returns data in controlled chunks
+        struct ChunkedMockStream {
+            chunks: Vec<Vec<u8>>,
+            current_chunk: usize,
+        }
+
+        impl ChunkedMockStream {
+            fn new(chunks: Vec<Vec<u8>>) -> Self {
+                Self {
+                    chunks,
+                    current_chunk: 0,
+                }
+            }
+        }
+
+        impl AsyncRead for ChunkedMockStream {
+            fn poll_read(
+                mut self: Pin<&mut Self>,
+                _cx: &mut Context<'_>,
+                buf: &mut ReadBuf<'_>,
+            ) -> Poll<std::io::Result<()>> {
+                if self.current_chunk >= self.chunks.len() {
+                    return Poll::Ready(Ok(()));
+                }
+
+                let chunk = &self.chunks[self.current_chunk];
+                let to_copy = std::cmp::min(chunk.len(), buf.remaining());
+                buf.put_slice(&chunk[..to_copy]);
+
+                self.current_chunk += 1;
+                Poll::Ready(Ok(()))
+            }
+        }
+
+        let base_request = b"HEAD /status HTTP/1.1\r\nHost: test.example.com";
+        let marker = b"\r\n\r\n";
+        let body = b"Optional body content";
+
+        // Test all possible ways to split \r\n\r\n across chunks
+        let test_cases = vec![
+            // Split position 1: \r | \n\r\n
+            (1, "\\r | \\n\\r\\n"),
+            // Split position 2: \r\n | \r\n
+            (2, "\\r\\n | \\r\\n"),
+            // Split position 3: \r\n\r | \n
+            (3, "\\r\\n\\r | \\n"),
+        ];
+
+        for (split_pos, description) in test_cases {
+            let first_part = [base_request, &marker[..split_pos]].concat();
+            let second_part = [&marker[split_pos..], body].concat();
+
+            let chunks = vec![first_part, second_part];
+            let mut mock_stream = ChunkedMockStream::new(chunks);
+            let mut buffer = Vec::new();
+
+            let read_result = read_http_headers(&mut mock_stream, &mut buffer).await;
+            assert!(
+                read_result.is_ok(),
+                "Should handle boundary split at position {} ({})",
+                split_pos,
+                description
+            );
+
+            let (parsed_request, _) =
+                parse_http_request_from_buffer(&buffer).expect("Failed to parse request");
+            assert_eq!(parsed_request.method, "HEAD");
+            assert_eq!(parsed_request.path, "/status");
+            assert_eq!(
+                get_host_header(&parsed_request.headers),
+                Some(&"test.example.com".to_string())
+            );
+        }
+
+        // Test additional complex splits
+        let complex_cases = vec![
+            // Three-way split: base | \r | \n\r\n + body
+            (
+                vec![
+                    base_request.to_vec(),
+                    b"\r".to_vec(),
+                    [&b"\n\r\n"[..], body].concat(),
+                ],
+                "three-way: base | \\r | \\n\\r\\n+body",
+            ),
+            // Four-way split: base | \r | \n | \r\n + body
+            (
+                vec![
+                    base_request.to_vec(),
+                    b"\r".to_vec(),
+                    b"\n".to_vec(),
+                    [&b"\r\n"[..], body].concat(),
+                ],
+                "four-way: base | \\r | \\n | \\r\\n+body",
+            ),
+            // Five-way split: base | \r | \n | \r | \n + body
+            (
+                vec![
+                    base_request.to_vec(),
+                    b"\r".to_vec(),
+                    b"\n".to_vec(),
+                    b"\r".to_vec(),
+                    [&b"\n"[..], body].concat(),
+                ],
+                "five-way: base | \\r | \\n | \\r | \\n+body",
+            ),
+            // Six-way split: completely separate
+            (
+                vec![
+                    base_request.to_vec(),
+                    b"\r".to_vec(),
+                    b"\n".to_vec(),
+                    b"\r".to_vec(),
+                    b"\n".to_vec(),
+                    body.to_vec(),
+                ],
+                "six-way: all separate",
+            ),
+        ];
+
+        for (chunks, description) in complex_cases {
+            let mut mock_stream = ChunkedMockStream::new(chunks);
+            let mut buffer = Vec::new();
+
+            let read_result = read_http_headers(&mut mock_stream, &mut buffer).await;
+            assert!(
+                read_result.is_ok(),
+                "Should handle complex boundary split: {}",
+                description
+            );
+
+            let (parsed_request, _) =
+                parse_http_request_from_buffer(&buffer).expect("Failed to parse request");
+            assert_eq!(parsed_request.method, "HEAD");
+            assert_eq!(parsed_request.path, "/status");
+            assert_eq!(
+                get_host_header(&parsed_request.headers),
+                Some(&"test.example.com".to_string())
+            );
+        }
+    }
+
+    #[tokio::test]
+    async fn test_read_http_headers_immediate_deadline_times_out() {
+        let mut stream = tokio::io::empty();
+        let mut buffer = Vec::new();
+
+        let status =
+            read_http_headers_with_deadline(&mut stream, &mut buffer, Some(Instant::now()))
+                .await
+                .expect("Immediate deadline should not error");
+
+        assert_eq!(status, HeaderReadStatus::TimedOut);
+        assert!(buffer.is_empty());
+    }
+
+    #[tokio::test]
+    async fn test_read_http_headers_deadline_succeeds_before_timeout() {
+        struct SingleChunkStream {
+            data: Vec<u8>,
+            sent: bool,
+        }
+
+        impl AsyncRead for SingleChunkStream {
+            fn poll_read(
+                mut self: Pin<&mut Self>,
+                _cx: &mut Context<'_>,
+                buf: &mut ReadBuf<'_>,
+            ) -> Poll<io::Result<()>> {
+                if self.sent {
+                    return Poll::Ready(Ok(()));
+                }
+
+                buf.put_slice(&self.data);
+                self.sent = true;
+                Poll::Ready(Ok(()))
+            }
+        }
+
+        let request = b"GET /ok HTTP/1.1\r\nHost: example.com\r\nUser-Agent: test\r\n\r\n".to_vec();
+        let mut stream = SingleChunkStream {
+            data: request.clone(),
+            sent: false,
+        };
+        let mut buffer = Vec::new();
+
+        let status = read_http_headers_with_deadline(
+            &mut stream,
+            &mut buffer,
+            Some(Instant::now() + Duration::from_secs(5)),
+        )
+        .await
+        .expect("Should finish before timeout");
+
+        assert_eq!(status, HeaderReadStatus::Complete);
+        assert_eq!(buffer, request);
+    }
+}
diff --git a/crates/kube-rpc/src/lib.rs b/crates/kube-rpc/src/lib.rs
new file mode 100644
index 0000000..a99dd14
--- /dev/null
+++ b/crates/kube-rpc/src/lib.rs
@@ -0,0 +1,652 @@
+use chrono::{DateTime, Utc};
+use lapdev_common::{
+    devbox::DirectTunnelConfig,
+    kube::{
+        KubeClusterInfo, KubeNamespaceInfo, KubeServiceWithYaml, KubeWorkloadKind,
+        KubeWorkloadList, PaginationParams,
+    },
+};
+use serde::{Deserialize, Serialize};
+use std::{collections::HashMap, net::SocketAddr};
+use uuid::Uuid;
+
+// HTTP parsing utilities
+pub mod http_parser;
+
+// TCP Tunneling Protocol Structures
+
+#[derive(Debug, Clone, Serialize, Deserialize)]
+pub struct TunnelEstablishmentResponse {
+    pub success: bool,
+    pub tunnel_id: String,
+    pub websocket_endpoint: String,
+    pub error_message: Option<String>,
+}
+
+#[derive(Debug, Clone, Serialize, Deserialize)]
+pub struct TunnelStatus {
+    pub tunnel_id: Option<String>,
+    pub is_connected: bool,
+    pub connected_at: Option<chrono::DateTime<chrono::Utc>>,
+    pub last_heartbeat: Option<chrono::DateTime<chrono::Utc>>,
+    pub active_connections: u32,
+    pub total_connections: u64,
+    pub bytes_transferred: u64,
+}
+
+#[derive(Debug, Clone, Serialize, Deserialize)]
+pub struct TunnelInfo {
+    pub tunnel_id: String,
+    pub websocket_endpoint: String,
+    pub supported_protocols: Vec<String>,
+    pub max_concurrent_connections: u32,
+}
+
+#[derive(Debug, Clone, Copy, Serialize, Deserialize, PartialEq, Eq, Hash)]
+pub enum ResourceType {
+    Deployment,
+    StatefulSet,
+    DaemonSet,
+    ReplicaSet,
+    Job,
+    CronJob,
+    ConfigMap,
+    Secret,
+    Service,
+}
+
+#[derive(Debug, Clone, Copy, Serialize, Deserialize, PartialEq, Eq)]
+pub enum ResourceChangeType {
+    Created,
+    Updated,
+    Deleted,
+}
+
+#[derive(Debug, Clone, Serialize, Deserialize)]
+pub struct ResourceChangeEvent {
+    pub namespace: String,
+    pub resource_type: ResourceType,
+    pub resource_name: String,
+    pub change_type: ResourceChangeType,
+    pub resource_version: String,
+    pub resource_yaml: Option<String>,
+    pub timestamp: DateTime<Utc>,
+}
+
+// Messages sent FROM KubeManager TO Server (Client -> Server)
+#[derive(Serialize, Deserialize, Debug, Clone)]
+#[serde(tag = "type")]
+pub enum ClientTunnelMessage {
+    // Connection responses (KubeManager responds to server requests)
+    ConnectionOpened {
+        tunnel_id: String,
+        local_addr: String,
+    },
+    ConnectionFailed {
+        tunnel_id: String,
+        error: String,
+        error_code: TunnelErrorCode,
+    },
+    ConnectionClosed {
+        tunnel_id: String,
+        bytes_transferred: u64,
+    },
+
+    // Connection lifecycle (KubeManager can also initiate close)
+    CloseConnection {
+        tunnel_id: String,
+        reason: CloseReason,
+    },
+
+    // Data transfer (bidirectional)
+    Data {
+        tunnel_id: String,
+        payload: Vec<u8>,
+        sequence_num: Option<u32>,
+    },
+
+    // Control messages
+    Pong {
+        timestamp: u64,
+    },
+
+    // Tunnel management
+    TunnelStats {
+        active_connections: u32,
+        total_connections: u64,
+        bytes_sent: u64,
+        bytes_received: u64,
+        connection_errors: u64,
+    },
+
+    // Authentication
+    Authenticate {
+        cluster_id: Uuid,
+        auth_token: String,
+        tunnel_capabilities: Vec<String>,
+    },
+}
+
+// Messages sent FROM Server TO KubeManager (Server -> Client)
+#[derive(Serialize, Deserialize, Debug, Clone)]
+#[serde(tag = "type")]
+pub enum ServerTunnelMessage {
+    // Connection lifecycle (server requests connections)
+    OpenConnection {
+        tunnel_id: String,
+        target_host: String,
+        target_port: u16,
+        protocol_hint: Option<String>,
+    },
+    CloseConnection {
+        tunnel_id: String,
+        reason: CloseReason,
+    },
+
+    // Data transfer (bidirectional)
+    Data {
+        tunnel_id: String,
+        payload: Vec<u8>,
+        sequence_num: Option<u32>,
+    },
+
+    // Control messages
+    Ping {
+        timestamp: u64,
+    },
+
+    // Authentication response
+    AuthenticationResult {
+        success: bool,
+        session_id: Option<String>,
+        error_message: Option<String>,
+    },
+}
+
+// Legacy enum for backward compatibility during transition
+#[derive(Serialize, Deserialize, Debug, Clone)]
+#[serde(tag = "type")]
+pub enum TunnelMessage {
+    // Connection lifecycle
+    OpenConnection {
+        tunnel_id: String,
+        target_host: String,
+        target_port: u16,
+        protocol_hint: Option<String>,
+    },
+    ConnectionOpened {
+        tunnel_id: String,
+        local_addr: String,
+    },
+    ConnectionFailed {
+        tunnel_id: String,
+        error: String,
+        error_code: TunnelErrorCode,
+    },
+    CloseConnection {
+        tunnel_id: String,
+        reason: CloseReason,
+    },
+    ConnectionClosed {
+        tunnel_id: String,
+        bytes_transferred: u64,
+    },
+
+    // Data transfer
+    Data {
+        tunnel_id: String,
+        payload: Vec<u8>,
+        sequence_num: Option<u32>,
+    },
+
+    // Control messages
+    Ping {
+        timestamp: u64,
+    },
+    Pong {
+        timestamp: u64,
+    },
+
+    // Tunnel management
+    TunnelStats {
+        active_connections: u32,
+        total_connections: u64,
+        bytes_sent: u64,
+        bytes_received: u64,
+        connection_errors: u64,
+    },
+
+    // Authentication
+    Authenticate {
+        cluster_id: Uuid,
+        auth_token: String,
+        tunnel_capabilities: Vec<String>,
+    },
+    AuthenticationResult {
+        success: bool,
+        session_id: Option<String>,
+        error_message: Option<String>,
+    },
+}
+
+#[derive(Serialize, Deserialize, Debug, Clone)]
+pub enum TunnelErrorCode {
+    ConnectionRefused,
+    Timeout,
+    NetworkUnreachable,
+    PermissionDenied,
+    InternalError,
+}
+
+#[derive(Serialize, Deserialize, Debug, Clone)]
+pub enum CloseReason {
+    ClientRequest,
+    ServerRequest,
+    Timeout,
+    Error,
+    Shutdown,
+}
+
+#[derive(Debug, Clone, Serialize, Deserialize)]
+pub struct ClientTunnelFrame {
+    pub message: ClientTunnelMessage,
+    pub timestamp: chrono::DateTime<chrono::Utc>,
+    pub message_id: Uuid,
+}
+
+impl ClientTunnelFrame {
+    pub fn serialize(&self) -> Result<Vec<u8>, serde_json::Error> {
+        serde_json::to_vec(self)
+    }
+
+    pub fn deserialize(data: &[u8]) -> Result<Self, serde_json::Error> {
+        serde_json::from_slice(data)
+    }
+}
+
+#[derive(Debug, Clone, Serialize, Deserialize)]
+pub struct ServerTunnelFrame {
+    pub message: ServerTunnelMessage,
+    pub timestamp: chrono::DateTime<chrono::Utc>,
+    pub message_id: Uuid,
+}
+
+impl ServerTunnelFrame {
+    pub fn serialize(&self) -> Result<Vec<u8>, serde_json::Error> {
+        serde_json::to_vec(self)
+    }
+
+    pub fn deserialize(data: &[u8]) -> Result<Self, serde_json::Error> {
+        serde_json::from_slice(data)
+    }
+}
+
+// Legacy frame for backward compatibility during transition
+#[derive(Debug, Clone, Serialize, Deserialize)]
+pub struct TunnelFrame {
+    pub message: TunnelMessage,
+    pub timestamp: chrono::DateTime<chrono::Utc>,
+    pub message_id: Uuid,
+}
+
+impl TunnelFrame {
+    pub fn serialize(&self) -> Result<Vec<u8>, serde_json::Error> {
+        serde_json::to_vec(self)
+    }
+
+    pub fn deserialize(data: &[u8]) -> Result<Self, serde_json::Error> {
+        serde_json::from_slice(data)
+    }
+}
+
+#[derive(Debug, Clone, Serialize, Deserialize)]
+pub struct KubeWorkloadWithServices {
+    pub workload_yaml: String,
+    pub services: Vec<String>,   // Names of matching services
+    pub configmaps: Vec<String>, // Names of referenced ConfigMaps
+    pub secrets: Vec<String>,    // Names of referenced Secrets
+}
+
+#[derive(Debug, Clone, Serialize, Deserialize)]
+pub struct WorkloadIdentifier {
+    pub name: String,
+    pub namespace: String,
+    pub kind: KubeWorkloadKind,
+}
+
+#[derive(Debug, Clone, Serialize, Deserialize)]
+pub enum KubeWorkloadYaml {
+    Deployment(KubeWorkloadWithServices),
+    StatefulSet(KubeWorkloadWithServices),
+    DaemonSet(KubeWorkloadWithServices),
+    ReplicaSet(KubeWorkloadWithServices),
+    Pod(KubeWorkloadWithServices),
+    Job(KubeWorkloadWithServices),
+    CronJob(KubeWorkloadWithServices),
+}
+
+#[derive(Debug, Clone, Serialize, Deserialize)]
+pub enum KubeWorkloadYamlOnly {
+    Deployment(String),
+    StatefulSet(String),
+    DaemonSet(String),
+    ReplicaSet(String),
+    Pod(String),
+    Job(String),
+    CronJob(String),
+}
+
+#[derive(Debug, Clone, Serialize, Deserialize)]
+pub struct KubeWorkloadWithResources {
+    pub workload: KubeWorkloadYamlOnly,
+    pub services: HashMap<String, KubeServiceWithYaml>, // name -> service with YAML and details
+    pub configmaps: HashMap<String, String>,            // name -> YAML content
+    pub secrets: HashMap<String, String>,               // name -> YAML content
+}
+
+#[derive(Debug, Clone, Serialize, Deserialize)]
+pub struct KubeWorkloadsWithResources {
+    pub workloads: Vec<KubeWorkloadYamlOnly>,
+    pub services: HashMap<String, KubeServiceWithYaml>, // name -> service with YAML and details
+    pub configmaps: HashMap<String, String>,            // name -> YAML content
+    pub secrets: HashMap<String, String>,               // name -> YAML content
+}
+
+#[derive(Debug, Clone, Serialize, Deserialize)]
+pub struct NamespacedResourceRequest {
+    pub namespace: String,
+    pub configmaps: Vec<String>,
+    pub secrets: Vec<String>,
+}
+
+#[derive(Debug, Clone, Serialize, Deserialize)]
+pub struct NamespacedResourceResponse {
+    pub namespace: String,
+    pub configmaps: HashMap<String, String>,
+    pub secrets: HashMap<String, String>,
+}
+
+#[derive(Debug, Clone, Serialize, Deserialize)]
+pub struct KubeRawWorkloadYaml {
+    pub name: String,
+    pub namespace: String,
+    pub kind: KubeWorkloadKind,
+    pub workload_yaml: String,
+}
+
+#[tarpc::service]
+pub trait KubeClusterRpc {
+    async fn report_cluster_info(cluster_info: KubeClusterInfo) -> Result<(), String>;
+    async fn heartbeat() -> Result<(), String>;
+
+    // Tunnel lifecycle management
+    async fn tunnel_heartbeat() -> Result<(), String>;
+
+    async fn report_tunnel_metrics(
+        active_connections: u32,
+        bytes_transferred: u64,
+        connection_count: u64,
+        connection_errors: u64,
+    ) -> Result<(), String>;
+
+    async fn report_resource_change(event: ResourceChangeEvent) -> Result<(), String>;
+
+    /// Retrieve route configuration for branch-aware service routing
+    async fn list_branch_service_routes(
+        environment_id: Uuid,
+        workload_id: Uuid,
+    ) -> Result<Vec<ProxyBranchRouteConfig>, String>;
+
+    async fn request_direct_config(
+        environment_id: Uuid,
+        stun_observed_addr: Option<SocketAddr>,
+    ) -> Result<Option<DirectTunnelConfig>, String>;
+}
+
+#[tarpc::service]
+pub trait KubeManagerRpc {
+    async fn get_workloads(
+        namespace: Option<String>,
+        workload_kind_filter: Option<KubeWorkloadKind>,
+        include_system_workloads: bool,
+        pagination: Option<PaginationParams>,
+    ) -> Result<KubeWorkloadList, String>;
+
+    async fn get_workload_details(
+        name: String,
+        namespace: String,
+    ) -> Result<Option<lapdev_common::kube::KubeWorkload>, String>;
+
+    async fn get_namespaces() -> Result<Vec<KubeNamespaceInfo>, String>;
+
+    async fn deploy_workload_yaml(
+        namespace: String,
+        workloads_with_resources: KubeWorkloadsWithResources,
+        labels: std::collections::HashMap<String, String>,
+    ) -> Result<(), String>;
+
+    async fn get_workloads_raw_yaml(
+        workloads: Vec<WorkloadIdentifier>,
+    ) -> Result<Vec<KubeRawWorkloadYaml>, String>;
+
+    async fn get_namespaced_resources(
+        requests: Vec<NamespacedResourceRequest>,
+    ) -> Result<Vec<NamespacedResourceResponse>, String>;
+
+    async fn set_devbox_routes(
+        environment_id: Uuid,
+        routes: HashMap<Uuid, DevboxRouteConfig>,
+    ) -> Result<(), String>;
+
+    async fn set_devbox_route(environment_id: Uuid, route: DevboxRouteConfig)
+        -> Result<(), String>;
+
+    async fn remove_devbox_route(
+        environment_id: Uuid,
+        workload_id: Uuid,
+        branch_environment_id: Option<Uuid>,
+    ) -> Result<(), String>;
+
+    async fn update_branch_service_route(
+        base_environment_id: Uuid,
+        workload_id: Uuid,
+        route: ProxyBranchRouteConfig,
+    ) -> Result<(), String>;
+
+    async fn remove_branch_service_route(
+        base_environment_id: Uuid,
+        workload_id: Uuid,
+        branch_environment_id: Uuid,
+    ) -> Result<(), String>;
+
+    async fn clear_devbox_routes(
+        environment_id: Uuid,
+        branch_environment_id: Option<Uuid>,
+    ) -> Result<(), String>;
+
+    async fn get_devbox_direct_config(
+        user_id: Uuid,
+        environment_id: Uuid,
+        namespace: String,
+        stun_observed_addr: Option<SocketAddr>,
+    ) -> Result<Option<DirectTunnelConfig>, String>;
+
+    async fn refresh_branch_service_routes(environment_id: Uuid) -> Result<(), String>;
+
+    async fn destroy_environment(environment_id: Uuid, namespace: String) -> Result<(), String>;
+
+    async fn delete_namespaced_resources(
+        namespace: String,
+        resources: Vec<(NamespacedResourceKind, String)>,
+    ) -> Result<(), String>;
+
+    async fn configure_watches(namespaces: Vec<String>) -> Result<(), String>;
+
+    async fn add_namespace_watch(namespace: String) -> Result<(), String>;
+
+    async fn remove_namespace_watch(namespace: String) -> Result<(), String>;
+
+    // Devbox-proxy management methods
+    async fn add_branch_environment(
+        base_environment_id: Uuid,
+        branch: BranchEnvironmentInfo,
+    ) -> Result<(), String>;
+
+    async fn remove_branch_environment(
+        base_environment_id: Uuid,
+        branch_environment_id: Uuid,
+    ) -> Result<(), String>;
+}
+
+#[tarpc::service]
+pub trait SidecarProxyManagerRpc {
+    async fn register_sidecar_proxy(
+        workload_id: Uuid,
+        environment_id: Uuid,
+        namespace: String,
+    ) -> Result<(), String>;
+
+    async fn heartbeat(workload_id: Uuid, environment_id: Uuid) -> Result<(), String>;
+
+    async fn report_routing_metrics(
+        request_count: u64,
+        byte_count: u64,
+        active_connections: u32,
+    ) -> Result<(), String>;
+
+    async fn request_direct_config(
+        environment_id: Uuid,
+        stun_observed_addr: Option<SocketAddr>,
+    ) -> Result<Option<DirectTunnelConfig>, String>;
+}
+
+/// Information returned when requesting a devbox tunnel
+/// Sidecar uses this to establish direct WebSocket connection to API
+#[derive(Debug, Clone, Serialize, Deserialize)]
+pub struct DevboxTunnelInfo {
+    /// Unique tunnel identifier
+    pub tunnel_id: String,
+    /// WebSocket URL to connect to (e.g., "wss://api.lapdev.io/kube/devbox/tunnel/{tunnel_id}")
+    pub websocket_url: String,
+    /// Authentication token for the tunnel
+    pub auth_token: String,
+    /// Session ID for tracking
+    pub session_id: Uuid,
+}
+
+#[derive(Debug, Clone, Serialize, Deserialize)]
+pub struct DevboxRouteConfig {
+    pub intercept_id: Uuid,
+    pub workload_id: Uuid,
+    pub auth_token: String,
+    pub websocket_url: String,
+    /// Path pattern for this route (e.g., "/*" for all traffic)
+    pub path_pattern: String,
+    pub branch_environment_id: Option<Uuid>,
+    pub created_at_epoch_seconds: Option<i64>,
+    pub expires_at_epoch_seconds: Option<i64>,
+    pub port_mappings: HashMap<u16, u16>,
+}
+
+#[derive(Debug, Clone, Serialize, Deserialize)]
+pub struct ProxyBranchRouteConfig {
+    pub branch_environment_id: Uuid,
+    pub service_names: HashMap<u16, String>,
+    pub headers: HashMap<String, String>,
+    pub requires_auth: bool,
+    pub access_level: ProxyRouteAccessLevel,
+    pub timeout_ms: Option<u64>,
+    pub devbox_route: Option<DevboxRouteConfig>,
+}
+
+#[derive(Debug, Clone, Copy, Serialize, Deserialize, PartialEq, Eq)]
+pub enum ProxyRouteAccessLevel {
+    Personal,
+    Shared,
+    Public,
+}
+
+impl Default for ProxyRouteAccessLevel {
+    fn default() -> Self {
+        ProxyRouteAccessLevel::Personal
+    }
+}
+
+#[tarpc::service]
+pub trait SidecarProxyRpc {
+    async fn heartbeat() -> Result<(), String>;
+
+    /// Replace the service routes with the provided configuration
+    async fn set_service_routes(routes: Vec<ProxyBranchRouteConfig>) -> Result<(), String>;
+
+    /// Set the DevboxTunnel route for this sidecar's workload
+    async fn set_devbox_route(route: DevboxRouteConfig) -> Result<(), String>;
+
+    /// Stop the active devbox route for either the default environment or a branch environment
+    async fn stop_devbox(branch_environment: Option<Uuid>) -> Result<(), String>;
+
+    /// Update (or insert) the branch service route for a specific branch environment
+    async fn upsert_branch_service_route(route: ProxyBranchRouteConfig) -> Result<(), String>;
+
+    /// Remove the branch service route for a specific branch environment
+    async fn remove_branch_service_route(branch_environment_id: Uuid) -> Result<(), String>;
+}
+
+/// Information about a branch environment that shares the devbox-proxy
+#[derive(Debug, Clone, Serialize, Deserialize)]
+pub struct BranchEnvironmentInfo {
+    pub environment_id: Uuid,
+    pub auth_token: String,
+    pub namespace: String,
+}
+
+#[derive(Debug, Clone, Copy, Serialize, Deserialize, PartialEq, Eq, Hash)]
+pub enum NamespacedResourceKind {
+    Deployment,
+    StatefulSet,
+    DaemonSet,
+    ReplicaSet,
+    Pod,
+    Job,
+    CronJob,
+    Service,
+    ConfigMap,
+    Secret,
+}
+
+#[tarpc::service]
+pub trait DevboxProxyRpc {
+    /// Heartbeat to keep the RPC connection alive
+    async fn heartbeat() -> Result<(), String>;
+
+    /// Add a new branch environment to the devbox-proxy (shared environments only)
+    /// Called when a branch environment is created
+    async fn add_branch_environment(branch: BranchEnvironmentInfo) -> Result<(), String>;
+
+    /// Remove a branch environment from the devbox-proxy (shared environments only)
+    /// Called when a branch environment is deleted
+    async fn remove_branch_environment(environment_id: Uuid) -> Result<(), String>;
+
+    /// Get list of all configured branch environments (shared environments only)
+    async fn list_branch_environments() -> Result<Vec<BranchEnvironmentInfo>, String>;
+
+    /// Start a tunnel
+    /// - Personal environment: pass None to start the base tunnel
+    /// - Shared environment: pass Some(branch_environment_id) to start a branch tunnel
+    async fn start_tunnel(environment_id: Option<Uuid>) -> Result<(), String>;
+
+    /// Stop a tunnel
+    /// - Personal environment: pass None to stop the base tunnel
+    /// - Shared environment: pass Some(branch_environment_id) to stop a branch tunnel
+    async fn stop_tunnel(environment_id: Option<Uuid>) -> Result<(), String>;
+}
+
+#[tarpc::service]
+pub trait DevboxProxyManagerRpc {
+    /// Register a devbox-proxy with the manager
+    /// Called when devbox-proxy starts up
+    async fn register_devbox_proxy(environment_id: Uuid) -> Result<(), String>;
+
+    /// Heartbeat from devbox-proxy to manager
+    async fn heartbeat(environment_id: Uuid) -> Result<(), String>;
+}
diff --git a/crates/kube-sidecar-proxy/Cargo.toml b/crates/kube-sidecar-proxy/Cargo.toml
new file mode 100644
index 0000000..a679e30
--- /dev/null
+++ b/crates/kube-sidecar-proxy/Cargo.toml
@@ -0,0 +1,75 @@
+[package]
+name = "lapdev-kube-sidecar-proxy"
+version.workspace = true
+authors.workspace = true
+edition.workspace = true
+
+[[bin]]
+name = "lapdev-kube-sidecar-proxy"
+path = "src/main.rs"
+
+[dependencies]
+# Kubernetes
+kube = { workspace = true, features = ["runtime", "derive"] }
+k8s-openapi.workspace = true
+
+# HTTP/Proxy
+axum.workspace = true
+hyper.workspace = true
+hyper-util.workspace = true
+http-body-util.workspace = true
+tower.workspace = true
+tower-http = { workspace = true, features = ["cors", "timeout", "trace"] }
+h2 = "0.4"
+
+# Async runtime
+tokio.workspace = true
+tokio-util.workspace = true
+
+# RPC
+tarpc.workspace = true
+
+# Async runtime utilities
+futures.workspace = true
+futures-util.workspace = true
+
+# WebSocket
+tokio-tungstenite.workspace = true
+
+# Serialization
+serde.workspace = true
+serde_json.workspace = true
+serde_yaml.workspace = true
+
+# Error handling
+anyhow.workspace = true
+thiserror.workspace = true
+
+# Logging and tracing
+tracing.workspace = true
+tracing-subscriber.workspace = true
+
+# Lapdev crates
+lapdev-common.workspace = true
+lapdev-hrpc.workspace = true
+lapdev-kube-rpc.workspace = true
+lapdev-rpc.workspace = true
+lapdev-tunnel.workspace = true
+
+# Utilities
+uuid.workspace = true
+chrono.workspace = true
+bytes.workspace = true
+url = "2.5"
+httparse = "1.8"
+http = "1.0"
+
+# Low-level networking support
+libc = "0.2"
+nix = { version = "0.29", features = ["socket", "net"] }
+
+# Additional networking support
+socket2 = "0.5"
+
+# CLI
+clap = { workspace = true, features = ["derive", "env"] }
diff --git a/crates/kube-sidecar-proxy/examples/configmap.yaml b/crates/kube-sidecar-proxy/examples/configmap.yaml
new file mode 100644
index 0000000..43482cb
--- /dev/null
+++ b/crates/kube-sidecar-proxy/examples/configmap.yaml
@@ -0,0 +1,39 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: lapdev-proxy-config
+  namespace: lapdev-environments
+  labels:
+    lapdev.io/proxy-config: "true"
+data:
+  proxy-config.yaml: |
+    listen_addr: "0.0.0.0:8080"
+    default_target: "127.0.0.1:3000"
+    namespace: "lapdev-environments"
+    routes:
+      - path: "/api/*"
+        target:
+          Service:
+            name: "backend-service"
+            namespace: "lapdev-environments"
+            port: 8000
+        headers:
+          X-Forwarded-Service: "backend"
+        timeout_ms: 10000
+        requires_auth: true
+        access_level: "Personal"
+      - path: "/public/*"
+        target:
+          Address: "127.0.0.1:3000"
+        headers:
+          Cache-Control: "no-cache"
+        requires_auth: false
+        access_level: "Public"
+    health_check:
+      path: "/health"
+      interval_seconds: 30
+      timeout_ms: 5000
+      failure_threshold: 3
+    metrics:
+      enabled: true
+      path: "/metrics"
\ No newline at end of file
diff --git a/crates/kube-sidecar-proxy/examples/deployment.yaml b/crates/kube-sidecar-proxy/examples/deployment.yaml
new file mode 100644
index 0000000..80225e4
--- /dev/null
+++ b/crates/kube-sidecar-proxy/examples/deployment.yaml
@@ -0,0 +1,104 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: lapdev-environment-example
+  namespace: lapdev-environments
+  labels:
+    app: lapdev-environment-example
+    lapdev.io/environment: "true"
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: lapdev-environment-example
+  template:
+    metadata:
+      labels:
+        app: lapdev-environment-example
+      annotations:
+        # Proxy configuration via annotations
+        lapdev.io/proxy-target-service: "127.0.0.1:3000"
+        lapdev.io/proxy-target-port: "3000"
+        lapdev.io/proxy-access-level: "personal"
+        lapdev.io/proxy-require-auth: "true"
+        lapdev.io/proxy-custom-headers: '{"X-Environment": "lapdev", "X-Proxy-Version": "1.0"}'
+        lapdev.io/proxy-timeout-ms: "30000"
+    spec:
+      serviceAccountName: lapdev-sidecar-proxy
+      containers:
+        # Main application container
+        - name: app
+          image: node:18-alpine
+          ports:
+            - containerPort: 3000
+              name: http
+          command: ["node", "-e", "require('http').createServer((req,res) => res.end('Hello from app')).listen(3000)"]
+          resources:
+            requests:
+              memory: "64Mi"
+              cpu: "50m"
+            limits:
+              memory: "128Mi"
+              cpu: "100m"
+          
+        # Sidecar proxy container
+        - name: sidecar-proxy
+          image: ghcr.io/lapdev/lapdev-kube-sidecar-proxy:0.1.0
+          ports:
+            - containerPort: 25001
+              name: proxy
+          env:
+            - name: KUBERNETES_NAMESPACE
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.namespace
+            - name: HOSTNAME
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.name
+            - name: LAPDEV_ENVIRONMENT_ID
+              value: "550e8400-e29b-41d4-a716-446655440000"
+            - name: LAPDEV_SIDECAR_PROXY_BIND_ADDR
+              value: "0.0.0.0"
+            - name: LAPDEV_SIDECAR_PROXY_PORT
+              value: "25001"
+          args:
+            - "--log-level=info"
+          resources:
+            requests:
+              memory: "32Mi"
+              cpu: "25m"
+            limits:
+              memory: "64Mi"
+              cpu: "50m"
+          livenessProbe:
+            httpGet:
+              path: /health
+              port: 25001
+            initialDelaySeconds: 10
+            periodSeconds: 30
+          readinessProbe:
+            httpGet:
+              path: /ready
+              port: 25001
+            initialDelaySeconds: 5
+            periodSeconds: 10
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: lapdev-environment-example
+  namespace: lapdev-environments
+  annotations:
+    # Service-level proxy configuration
+    lapdev.io/proxy-target-port: "8080"
+    lapdev.io/proxy-access-level: "shared"
+spec:
+  selector:
+    app: lapdev-environment-example
+  ports:
+    - name: http
+      port: 80
+      targetPort: 25001
+      protocol: TCP
+  type: ClusterIP
diff --git a/crates/kube-sidecar-proxy/examples/rbac.yaml b/crates/kube-sidecar-proxy/examples/rbac.yaml
new file mode 100644
index 0000000..cb9c1ab
--- /dev/null
+++ b/crates/kube-sidecar-proxy/examples/rbac.yaml
@@ -0,0 +1,41 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: lapdev-sidecar-proxy
+  namespace: lapdev-environments
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: lapdev-sidecar-proxy
+  namespace: lapdev-environments
+rules:
+  # Allow reading services and endpoints for service discovery
+  - apiGroups: [""]
+    resources: ["services", "endpoints"]
+    verbs: ["get", "list", "watch"]
+  
+  # Allow reading ConfigMaps for configuration
+  - apiGroups: [""]
+    resources: ["configmaps"]
+    verbs: ["get", "list", "watch"]
+    resourceNames: ["lapdev-proxy-config"]
+  
+  # Allow reading pods (for self-identification and annotations)
+  - apiGroups: [""]
+    resources: ["pods"]
+    verbs: ["get", "list", "watch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: lapdev-sidecar-proxy
+  namespace: lapdev-environments
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: lapdev-sidecar-proxy
+subjects:
+  - kind: ServiceAccount
+    name: lapdev-sidecar-proxy
+    namespace: lapdev-environments
\ No newline at end of file
diff --git a/crates/kube-sidecar-proxy/src/config.rs b/crates/kube-sidecar-proxy/src/config.rs
new file mode 100644
index 0000000..b47f788
--- /dev/null
+++ b/crates/kube-sidecar-proxy/src/config.rs
@@ -0,0 +1,624 @@
+use http::header::HeaderName;
+use lapdev_common::{
+    devbox::DirectTunnelConfig,
+    kube::{ProxyPortRoute, KUBE_ENVIRONMENT_TOKEN_HEADER_LOWER},
+};
+use lapdev_kube_rpc::SidecarProxyManagerRpcClient;
+use lapdev_tunnel::{
+    direct::DirectEndpoint, TunnelClient, TunnelError, TunnelMode, TunnelTcpStream,
+};
+use serde::{Deserialize, Serialize};
+use std::{collections::HashMap, io, net::SocketAddr, sync::Arc};
+use tarpc::context;
+use tokio::sync::{OnceCell, RwLock};
+use tokio_tungstenite::connect_async;
+use tokio_tungstenite::tungstenite::client::IntoClientRequest;
+use tracing::{debug, info, warn};
+use uuid::Uuid;
+
+/// Immutable settings for the sidecar proxy determined at boot time.
+#[derive(Debug, Clone, Serialize, Deserialize)]
+pub struct SidecarSettings {
+    /// Address the sidecar listens on for redirected service traffic.
+    pub listen_addr: SocketAddr,
+    /// Namespace the sidecar is running in.
+    pub namespace: Option<String>,
+    /// Pod name for identification/logging.
+    pub pod_name: Option<String>,
+    /// Lapdev environment identifier for this workload.
+    pub environment_id: Uuid,
+    /// Lapdev environment scoped auth token used for RPC calls.
+    pub environment_auth_token: String,
+    /// Health check configuration for readiness/liveness.
+    pub health_check: HealthCheckConfig,
+    /// Metrics export configuration.
+    pub metrics: MetricsConfig,
+}
+
+impl SidecarSettings {
+    pub fn new(
+        listen_addr: SocketAddr,
+        namespace: Option<String>,
+        pod_name: Option<String>,
+        environment_id: Uuid,
+        environment_auth_token: String,
+    ) -> Self {
+        Self {
+            listen_addr,
+            namespace,
+            pod_name,
+            environment_id,
+            environment_auth_token,
+            health_check: HealthCheckConfig::default(),
+            metrics: MetricsConfig::default(),
+        }
+    }
+}
+
+/// Mutable routing state shared between RPC handlers and the proxy loop.
+#[derive(Default)]
+pub struct RoutingTable {
+    pub branch_routes: HashMap<Uuid, BranchRoute>,
+    pub default_route: DefaultRoute,
+    pub port_routes: HashMap<u16, ProxyPortRoute>,
+}
+
+impl RoutingTable {
+    pub fn resolve_http(&self, port: u16, branch_id: Option<Uuid>) -> RouteDecision {
+        if let Some(branch_id) = branch_id {
+            if let Some(route) = self.branch_routes.get(&branch_id) {
+                match &route.mode {
+                    BranchMode::Devbox(connection) => {
+                        return RouteDecision::BranchDevbox {
+                            branch_id,
+                            connection: connection.clone(),
+                            target_port: connection.resolve_target_port(port),
+                        };
+                    }
+                    BranchMode::Service => {
+                        return RouteDecision::BranchService {
+                            service: route.service.clone(),
+                        };
+                    }
+                }
+            }
+        }
+
+        if let DefaultRoute::Devbox(connection) = &self.default_route {
+            return RouteDecision::DefaultDevbox {
+                connection: connection.clone(),
+                target_port: connection.resolve_target_port(port),
+            };
+        }
+
+        RouteDecision::DefaultLocal {
+            target_port: self.target_port_for_service(port),
+        }
+    }
+
+    pub fn resolve_tcp(&self, port: u16) -> RouteDecision {
+        if let DefaultRoute::Devbox(connection) = &self.default_route {
+            return RouteDecision::DefaultDevbox {
+                connection: connection.clone(),
+                target_port: connection.resolve_target_port(port),
+            };
+        }
+
+        RouteDecision::DefaultLocal {
+            target_port: self.target_port_for_service(port),
+        }
+    }
+
+    pub async fn replace_branch_routes(
+        &mut self,
+        routes: impl IntoIterator<Item = (Uuid, BranchServiceRoute)>,
+    ) {
+        let mut old_routes = std::mem::take(&mut self.branch_routes);
+        let mut new_routes = HashMap::new();
+
+        for (env_id, service_route) in routes.into_iter() {
+            if let Some(existing) = old_routes.remove(&env_id) {
+                let mode = existing.mode;
+                new_routes.insert(
+                    env_id,
+                    BranchRoute {
+                        service: service_route,
+                        mode,
+                    },
+                );
+            } else {
+                new_routes.insert(
+                    env_id,
+                    BranchRoute {
+                        service: service_route,
+                        mode: BranchMode::Service,
+                    },
+                );
+            }
+        }
+
+        self.branch_routes = new_routes;
+    }
+
+    pub fn set_branch_devbox(
+        &mut self,
+        branch_id: &Uuid,
+        connection: Arc<DevboxConnection>,
+    ) -> bool {
+        let Some(entry) = self.branch_routes.get_mut(branch_id) else {
+            return false;
+        };
+
+        entry.mode = BranchMode::Devbox(connection);
+        true
+    }
+
+    pub fn clear_branch_devboxes(&mut self) {
+        for route in self.branch_routes.values_mut() {
+            if matches!(route.mode, BranchMode::Devbox(_)) {
+                route.mode = BranchMode::Service;
+            }
+        }
+    }
+
+    pub fn remove_branch_devbox(&mut self, branch_id: &Uuid) -> bool {
+        let Some(route) = self.branch_routes.get_mut(branch_id) else {
+            return false;
+        };
+
+        if matches!(route.mode, BranchMode::Devbox(_)) {
+            route.mode = BranchMode::Service;
+            true
+        } else {
+            false
+        }
+    }
+
+    pub async fn upsert_branch_service_route(
+        &mut self,
+        branch_id: Uuid,
+        service_route: BranchServiceRoute,
+    ) {
+        if let Some(existing) = self.branch_routes.remove(&branch_id) {
+            let mode = existing.mode;
+            self.branch_routes.insert(
+                branch_id,
+                BranchRoute {
+                    service: service_route,
+                    mode,
+                },
+            );
+        } else {
+            self.branch_routes.insert(
+                branch_id,
+                BranchRoute {
+                    service: service_route,
+                    mode: BranchMode::Service,
+                },
+            );
+        }
+    }
+
+    pub async fn remove_branch_service_route(&mut self, branch_id: &Uuid) -> bool {
+        self.branch_routes.remove(branch_id).is_some()
+    }
+
+    pub fn remove_branch_devbox_by_intercept(&mut self, intercept_id: &Uuid) -> Option<Uuid> {
+        for (branch_id, route) in self.branch_routes.iter_mut() {
+            if let BranchMode::Devbox(connection) = &route.mode {
+                if connection.metadata().intercept_id == *intercept_id {
+                    route.mode = BranchMode::Service;
+                    return Some(*branch_id);
+                }
+            }
+        }
+        None
+    }
+
+    pub fn set_default_devbox(&mut self, connection: Arc<DevboxConnection>) {
+        self.default_route = DefaultRoute::Devbox(connection);
+    }
+
+    pub fn clear_default_devbox(&mut self) {
+        self.default_route = DefaultRoute::Local;
+    }
+
+    pub fn default_devbox(&self) -> Option<Arc<DevboxConnection>> {
+        match &self.default_route {
+            DefaultRoute::Devbox(connection) => Some(connection.clone()),
+            DefaultRoute::Local => None,
+        }
+    }
+
+    pub fn remove_default_devbox_by_intercept(&mut self, intercept_id: &Uuid) -> bool {
+        match &self.default_route {
+            DefaultRoute::Devbox(connection)
+                if connection.metadata().intercept_id == *intercept_id =>
+            {
+                self.default_route = DefaultRoute::Local;
+                true
+            }
+            _ => false,
+        }
+    }
+
+    pub fn set_port_routes(
+        &mut self,
+        routes: impl IntoIterator<Item = ProxyPortRoute>,
+    ) -> &mut Self {
+        self.port_routes.clear();
+        for route in routes {
+            self.port_routes.insert(route.proxy_port, route);
+        }
+        self
+    }
+
+    pub fn upsert_port_route(&mut self, route: ProxyPortRoute) -> Option<ProxyPortRoute> {
+        self.port_routes.insert(route.proxy_port, route)
+    }
+
+    pub fn remove_port_route(&mut self, proxy_port: u16) -> Option<ProxyPortRoute> {
+        self.port_routes.remove(&proxy_port)
+    }
+
+    pub fn port_route(&self, proxy_port: u16) -> Option<&ProxyPortRoute> {
+        self.port_routes.get(&proxy_port)
+    }
+
+    pub fn port_routes(&self) -> impl Iterator<Item = &ProxyPortRoute> {
+        self.port_routes.values()
+    }
+
+    pub fn service_port_for_proxy(&self, proxy_port: u16) -> u16 {
+        self.port_routes
+            .get(&proxy_port)
+            .map(|route| route.service_port)
+            .unwrap_or(proxy_port)
+    }
+
+    pub fn target_port_for_service(&self, service_port: u16) -> u16 {
+        self.port_routes
+            .values()
+            .find(|route| route.service_port == service_port)
+            .map(|route| route.target_port)
+            .unwrap_or(service_port)
+    }
+}
+
+#[derive(Clone)]
+pub struct BranchRoute {
+    pub service: BranchServiceRoute,
+    pub mode: BranchMode,
+}
+
+#[derive(Clone)]
+pub struct BranchServiceRoute {
+    pub service_names: HashMap<u16, String>,
+    pub headers: HashMap<String, String>,
+    pub requires_auth: bool,
+    pub access_level: AccessLevel,
+    pub timeout_ms: Option<u64>,
+}
+
+impl BranchServiceRoute {
+    pub fn new_service(port: u16, service_name: String) -> Self {
+        let mut service_names = HashMap::new();
+        service_names.insert(port, service_name);
+        Self {
+            service_names,
+            headers: HashMap::new(),
+            requires_auth: true,
+            access_level: AccessLevel::Personal,
+            timeout_ms: None,
+        }
+    }
+
+    pub fn service_name_for_port(&self, port: u16) -> Option<&str> {
+        self.service_names.get(&port).map(String::as_str)
+    }
+}
+
+#[derive(Clone)]
+pub enum BranchMode {
+    Service,
+    Devbox(Arc<DevboxConnection>),
+}
+
+pub enum DefaultRoute {
+    Local,
+    Devbox(Arc<DevboxConnection>),
+}
+
+impl Default for DefaultRoute {
+    fn default() -> Self {
+        DefaultRoute::Local
+    }
+}
+
+#[derive(Debug, Clone, Serialize, Deserialize)]
+pub struct DevboxRouteMetadata {
+    pub intercept_id: Uuid,
+    pub workload_id: Uuid,
+    pub auth_token: String,
+    pub websocket_url: String,
+    pub path_pattern: String,
+    pub port_mappings: HashMap<u16, u16>,
+    pub created_at_epoch_seconds: Option<i64>,
+    pub expires_at_epoch_seconds: Option<i64>,
+}
+
+impl DevboxRouteMetadata {
+    pub fn resolve_target_port(&self, original_port: u16) -> u16 {
+        self.port_mappings
+            .get(&original_port)
+            .copied()
+            .unwrap_or(original_port)
+    }
+}
+
+pub struct DevboxConnection {
+    metadata: DevboxRouteMetadata,
+    direct_endpoint: Arc<DirectEndpoint>,
+    rpc_client: SidecarProxyManagerRpcClient,
+    target_environment_id: Uuid,
+    client: RwLock<OnceCell<Arc<TunnelClient>>>,
+}
+
+impl DevboxConnection {
+    pub fn new(
+        metadata: DevboxRouteMetadata,
+        direct_endpoint: Arc<DirectEndpoint>,
+        rpc_client: SidecarProxyManagerRpcClient,
+        target_environment_id: Uuid,
+    ) -> Self {
+        Self {
+            metadata,
+            direct_endpoint,
+            rpc_client,
+            target_environment_id,
+            client: RwLock::new(OnceCell::new()),
+        }
+    }
+
+    pub fn metadata(&self) -> &DevboxRouteMetadata {
+        &self.metadata
+    }
+
+    pub fn resolve_target_port(&self, original_port: u16) -> u16 {
+        self.metadata.resolve_target_port(original_port)
+    }
+
+    pub async fn connect_tcp_stream(
+        &self,
+        target_host: &str,
+        target_port: u16,
+    ) -> io::Result<TunnelTcpStream> {
+        let client = self.ensure_client().await.map_err(io::Error::from)?;
+
+        match client
+            .connect_tcp(target_host.to_string(), target_port)
+            .await
+        {
+            Ok(stream) => Ok(stream),
+            Err(TunnelError::ConnectionClosed) => {
+                self.clear_client().await;
+                let client = self.ensure_client().await.map_err(io::Error::from)?;
+                client
+                    .connect_tcp(target_host.to_string(), target_port)
+                    .await
+                    .map_err(io::Error::from)
+            }
+            Err(err) => Err(io::Error::from(err)),
+        }
+    }
+
+    pub async fn clear_client(&self) {
+        self.client.write().await.take();
+    }
+
+    async fn ensure_client(&self) -> Result<Arc<TunnelClient>, TunnelError> {
+        if let Some(client) = self.client.read().await.get() {
+            return Ok(client.clone());
+        }
+
+        let client = self
+            .client
+            .read()
+            .await
+            .get_or_try_init(|| async {
+                let client = self.create_client().await?;
+                Ok::<Arc<TunnelClient>, TunnelError>(Arc::new(client))
+            })
+            .await?
+            .clone();
+
+        Ok(client.clone())
+    }
+
+    async fn create_client(&self) -> Result<TunnelClient, TunnelError> {
+        let intercept_id = self.metadata.intercept_id;
+        let workload_id = self.metadata.workload_id;
+        let websocket_url = self.metadata.websocket_url.clone();
+        let auth_token = self.metadata.auth_token.clone();
+        let direct_config = match self.fetch_direct_config().await {
+            Ok(config) => config,
+            Err(err) => {
+                warn!(
+                    intercept_id = %intercept_id,
+                    workload_id = %workload_id,
+                    target_environment_id = %self.target_environment_id,
+                    error = %err,
+                    "Failed to fetch direct Devbox config; continuing without direct candidates"
+                );
+                None
+            }
+        };
+
+        let direct = direct_config.as_ref();
+
+        let (client, mode) = TunnelClient::connect_with_direct_or_relay(
+            direct,
+            &self.direct_endpoint,
+            || {
+                let websocket_url = websocket_url.clone();
+                let auth_token = auth_token.clone();
+                async move {
+                    let mut request = websocket_url
+                        .into_client_request()
+                        .map_err(tunnel_transport_error)?;
+
+                    let env_header_value = auth_token.parse().map_err(tunnel_transport_error)?;
+                    request.headers_mut().insert(
+                        HeaderName::from_static(KUBE_ENVIRONMENT_TOKEN_HEADER_LOWER),
+                        env_header_value,
+                    );
+
+                    let (stream, _) = connect_async(request)
+                        .await
+                        .map_err(tunnel_transport_error)?;
+                    Ok(stream)
+                }
+            },
+            |err| {
+                debug!(
+                    intercept_id = %intercept_id,
+                    workload_id = %workload_id,
+                    error = %err,
+                    "Direct tunnel attempt failed; falling back to relay"
+                );
+            },
+        )
+        .await?;
+
+        match mode {
+            TunnelMode::Direct => info!(
+                intercept_id = %intercept_id,
+                workload_id = %workload_id,
+                "Established direct Devbox tunnel"
+            ),
+            TunnelMode::Relay => info!(
+                intercept_id = %intercept_id,
+                workload_id = %workload_id,
+                "Using relay Devbox tunnel"
+            ),
+        }
+
+        Ok(client)
+    }
+
+    async fn fetch_direct_config(&self) -> Result<Option<DirectTunnelConfig>, String> {
+        match self
+            .rpc_client
+            .request_direct_config(
+                context::current(),
+                self.target_environment_id,
+                self.direct_endpoint.observed_addr(),
+            )
+            .await
+        {
+            Ok(Ok(config)) => Ok(config),
+            Ok(Err(err)) => Err(err),
+            Err(err) => Err(format!(
+                "failed to request direct config from manager RPC: {}",
+                err
+            )),
+        }
+    }
+}
+
+#[derive(Debug, Clone, Serialize, Deserialize, PartialEq)]
+pub enum AccessLevel {
+    /// Only accessible by the owner with authentication
+    Personal,
+    /// Accessible by organization members with authentication
+    Shared,
+    /// Accessible by anyone without authentication
+    Public,
+}
+
+#[derive(Debug, Clone, Serialize, Deserialize)]
+pub struct HealthCheckConfig {
+    pub path: String,
+    pub interval_seconds: u64,
+    pub timeout_ms: u64,
+    pub failure_threshold: u32,
+}
+
+impl Default for HealthCheckConfig {
+    fn default() -> Self {
+        Self {
+            path: "/health".to_string(),
+            interval_seconds: 30,
+            timeout_ms: 5000,
+            failure_threshold: 3,
+        }
+    }
+}
+
+#[derive(Debug, Clone, Serialize, Deserialize)]
+pub struct MetricsConfig {
+    pub enabled: bool,
+    pub path: String,
+    pub port: Option<u16>,
+}
+
+impl Default for MetricsConfig {
+    fn default() -> Self {
+        Self {
+            enabled: true,
+            path: "/metrics".to_string(),
+            port: None,
+        }
+    }
+}
+
+pub enum RouteDecision {
+    BranchService {
+        service: BranchServiceRoute,
+    },
+    BranchDevbox {
+        branch_id: Uuid,
+        connection: Arc<DevboxConnection>,
+        target_port: u16,
+    },
+    DefaultDevbox {
+        connection: Arc<DevboxConnection>,
+        target_port: u16,
+    },
+    DefaultLocal {
+        target_port: u16,
+    },
+}
+
+/// Kubernetes annotations used for configuration
+pub struct ProxyAnnotations;
+
+impl ProxyAnnotations {
+    /// Annotation for specifying target service
+    pub const TARGET_SERVICE: &'static str = "lapdev.io/proxy-target-service";
+
+    /// Annotation for specifying target port
+    pub const TARGET_PORT: &'static str = "lapdev.io/proxy-target-port";
+
+    /// Annotation for routing rules (JSON)
+    pub const ROUTING_RULES: &'static str = "lapdev.io/proxy-routing-rules";
+
+    /// Annotation for access level
+    pub const ACCESS_LEVEL: &'static str = "lapdev.io/proxy-access-level";
+
+    /// Annotation for enabling/disabling authentication
+    pub const REQUIRE_AUTH: &'static str = "lapdev.io/proxy-require-auth";
+
+    /// Annotation for custom headers (JSON)
+    pub const CUSTOM_HEADERS: &'static str = "lapdev.io/proxy-custom-headers";
+
+    /// Annotation for timeout in milliseconds
+    pub const TIMEOUT_MS: &'static str = "lapdev.io/proxy-timeout-ms";
+}
+
+fn tunnel_transport_error<E>(err: E) -> TunnelError
+where
+    E: std::fmt::Display,
+{
+    TunnelError::Transport(io::Error::new(io::ErrorKind::Other, err.to_string()))
+}
diff --git a/crates/kube-sidecar-proxy/src/connection_registry.rs b/crates/kube-sidecar-proxy/src/connection_registry.rs
new file mode 100644
index 0000000..72df9f8
--- /dev/null
+++ b/crates/kube-sidecar-proxy/src/connection_registry.rs
@@ -0,0 +1,57 @@
+use std::{collections::HashMap, sync::Arc};
+
+use tokio::sync::{watch, RwLock};
+use uuid::Uuid;
+
+type BranchKey = Option<Uuid>;
+
+struct BranchChannel {
+    sender: watch::Sender<bool>,
+    receiver: watch::Receiver<bool>,
+}
+
+impl BranchChannel {
+    fn new() -> Self {
+        let (sender, receiver) = watch::channel(false);
+        Self { sender, receiver }
+    }
+}
+
+/// Tracks active proxy connections per branch (or shared/default bucket) and
+/// provides broadcast-style shutdown signals whenever routing changes.
+#[derive(Clone, Default)]
+pub struct ConnectionRegistry {
+    branches: Arc<RwLock<HashMap<BranchKey, BranchChannel>>>,
+}
+
+impl ConnectionRegistry {
+    /// Subscribe to shutdown notifications for the given branch bucket.
+    pub async fn subscribe(&self, branch: BranchKey) -> watch::Receiver<bool> {
+        let mut guard = self.branches.write().await;
+        guard
+            .entry(branch)
+            .or_insert_with(BranchChannel::new)
+            .receiver
+            .clone()
+    }
+
+    /// Broadcasts a shutdown signal to all connections registered under the
+    /// provided branch key. Future subscriptions for the same branch will
+    /// receive a fresh channel, ensuring they are not immediately cancelled.
+    pub async fn shutdown_branch(&self, branch: BranchKey) {
+        let mut guard = self.branches.write().await;
+        if let Some(channel) = guard.remove(&branch) {
+            let _ = channel.sender.send(true);
+        }
+    }
+
+    /// Convenience helper to broadcast shutdowns to several branches.
+    pub async fn shutdown_branches<I>(&self, branches: I)
+    where
+        I: IntoIterator<Item = BranchKey>,
+    {
+        for branch in branches {
+            self.shutdown_branch(branch).await;
+        }
+    }
+}
diff --git a/crates/kube-sidecar-proxy/src/error.rs b/crates/kube-sidecar-proxy/src/error.rs
new file mode 100644
index 0000000..7ca57e5
--- /dev/null
+++ b/crates/kube-sidecar-proxy/src/error.rs
@@ -0,0 +1,48 @@
+use thiserror::Error;
+
+#[derive(Error, Debug)]
+pub enum SidecarProxyError {
+    #[error("Configuration error: {0}")]
+    Config(String),
+
+    #[error("Kubernetes API error: {0}")]
+    Kubernetes(#[from] kube::Error),
+
+    #[error("HTTP proxy error: {0}")]
+    Http(#[from] hyper::Error),
+
+    #[error("HTTP error: {0}")]
+    HttpRequest(#[from] hyper::http::Error),
+
+    #[error("Kubernetes watcher error: {0}")]
+    Watcher(#[from] kube::runtime::watcher::Error),
+
+    #[error("Service discovery error: {0}")]
+    ServiceDiscovery(String),
+
+    #[error("Target service not found for port {port}")]
+    TargetNotFound { port: u16 },
+
+    #[error("Authorization error: {0}")]
+    Authorization(String),
+
+    #[error("IO error: {0}")]
+    Io(#[from] std::io::Error),
+
+    #[error("JSON error: {0}")]
+    Json(#[from] serde_json::Error),
+
+    #[error("YAML error: {0}")]
+    Yaml(#[from] serde_yaml::Error),
+
+    #[error("Connection error: {0}")]
+    Connection(String),
+
+    #[error("RPC error: {0}")]
+    Rpc(String),
+
+    #[error("Generic error: {0}")]
+    Generic(#[from] anyhow::Error),
+}
+
+pub type Result<T> = std::result::Result<T, SidecarProxyError>;
diff --git a/crates/kube-sidecar-proxy/src/http2_proxy.rs b/crates/kube-sidecar-proxy/src/http2_proxy.rs
new file mode 100644
index 0000000..890fb8a
--- /dev/null
+++ b/crates/kube-sidecar-proxy/src/http2_proxy.rs
@@ -0,0 +1,648 @@
+use std::{
+    io,
+    net::SocketAddr,
+    pin::Pin,
+    sync::Arc,
+    task::{Context, Poll},
+};
+
+use bytes::Bytes;
+use h2::{client, server, RecvStream, SendStream};
+use http::{
+    header::{HeaderName, HeaderValue},
+    HeaderMap, Request, Response,
+};
+use tokio::{
+    io::{AsyncRead, AsyncWrite, ReadBuf},
+    net::TcpStream,
+    sync::RwLock,
+};
+use tracing::{debug, info, warn};
+use uuid::Uuid;
+
+use crate::{
+    config::{DevboxConnection, RouteDecision, RoutingTable, SidecarSettings},
+    connection_registry::ConnectionRegistry,
+    otel_routing::{extract_routing_context, TRACESTATE_HEADER},
+};
+
+/// Connection-level routing plan derived from the first HTTP/2 stream.
+struct ConnectionRoutePlan {
+    upstream: UpstreamConnector,
+    service_port: u16,
+    branch_id: Option<Uuid>,
+    target_environment_id: Uuid,
+    description: String,
+}
+
+/// Represents how the sidecar should connect upstream for the lifetime of a
+/// single HTTP/2 connection from the workload.
+enum UpstreamConnector {
+    Local {
+        target: SocketAddr,
+    },
+    BranchService {
+        service_name: String,
+        port: u16,
+    },
+    Devbox {
+        connection: Arc<DevboxConnection>,
+        target_port: u16,
+        label: &'static str,
+    },
+}
+
+#[derive(Clone)]
+struct ConnectionContext {
+    client_addr: SocketAddr,
+    proxy_port: u16,
+    service_port: u16,
+    branch_id: Option<Uuid>,
+    description: Arc<str>,
+    target_environment_id: Uuid,
+}
+
+/// Handle an inbound HTTP/2 connection using connection-level routing. Once we
+/// inspect the first stream to determine the routing target, all subsequent
+/// streams on the same connection are forwarded to that same upstream.
+#[allow(clippy::too_many_arguments)]
+pub async fn handle_http2_proxy(
+    inbound_stream: TcpStream,
+    client_addr: SocketAddr,
+    proxy_port: u16,
+    initial_data: Vec<u8>,
+    settings: Arc<SidecarSettings>,
+    routing_table: Arc<RwLock<RoutingTable>>,
+    _rpc_client: Arc<RwLock<Option<lapdev_kube_rpc::SidecarProxyManagerRpcClient>>>,
+    connection_registry: Arc<ConnectionRegistry>,
+) -> io::Result<()> {
+    // Prepare the inbound HTTP/2 connection (server side).
+    let inbound_prefaced = PrefacedStream::new(inbound_stream, initial_data);
+    let mut inbound_connection = server::handshake(inbound_prefaced)
+        .await
+        .map_err(map_h2_err)?;
+
+    // We need the first stream to determine the routing decision for the whole
+    // connection. If the client closes the connection before sending a stream,
+    // we can exit early.
+    let first_stream = match inbound_connection.accept().await {
+        Some(Ok(stream)) => stream,
+        Some(Err(err)) => {
+            warn!(
+                "HTTP/2 accept error for {} on proxy port {}: {}",
+                client_addr, proxy_port, err
+            );
+            return Err(map_h2_err(err));
+        }
+        None => return Ok(()),
+    };
+
+    let route_plan = determine_connection_route(
+        &first_stream,
+        proxy_port,
+        Arc::clone(&routing_table),
+        settings.environment_id,
+    )
+    .await?;
+
+    debug!(
+        target = %route_plan.description,
+        service_port = route_plan.service_port,
+        branch = ?route_plan.branch_id,
+        "HTTP/2 connection from {} (proxy port {}) routed",
+        client_addr,
+        proxy_port
+    );
+
+    let (outbound_sender, _driver_task) = establish_upstream_connection(&route_plan).await?;
+
+    let connection_context = Arc::new(ConnectionContext {
+        client_addr,
+        proxy_port,
+        service_port: route_plan.service_port,
+        branch_id: route_plan.branch_id,
+        description: Arc::from(route_plan.description.into_boxed_str()),
+        target_environment_id: route_plan.target_environment_id,
+    });
+
+    // Process the first stream immediately using the newly established upstream.
+    let mut stream_sender = outbound_sender.clone();
+    let (first_request, mut first_respond) = first_stream;
+    let context_clone = Arc::clone(&connection_context);
+    tokio::spawn(async move {
+        if let Err(err) = proxy_http2_stream(
+            &mut stream_sender,
+            first_request,
+            &mut first_respond,
+            context_clone,
+        )
+        .await
+        {
+            warn!("HTTP/2 stream proxy failure: {}", err);
+        }
+    });
+
+    let mut shutdown_rx = connection_registry.subscribe(None).await;
+
+    // Forward the remaining streams (if any) to the same upstream target.
+    loop {
+        tokio::select! {
+            biased;
+            recv = shutdown_rx.changed() => {
+                if recv.is_ok() || recv.is_err() {
+                    info!(
+                        "HTTP/2 connection for {} on proxy port {} closing due to routing update",
+                        client_addr, proxy_port
+                    );
+                    break;
+                }
+            }
+            result = inbound_connection.accept() => {
+                let Some(result) = result else {
+                    break;
+                };
+
+                let (request, mut respond) = match result {
+                    Ok(stream) => stream,
+                    Err(err) => {
+                        warn!(
+                            "HTTP/2 accept error for {} on proxy port {}: {}",
+                            client_addr, proxy_port, err
+                        );
+                        break;
+                    }
+                };
+
+                let mut stream_sender = outbound_sender.clone();
+                let context_clone = Arc::clone(&connection_context);
+                tokio::spawn(async move {
+                    if let Err(err) = proxy_http2_stream(
+                        &mut stream_sender,
+                        request,
+                        &mut respond,
+                        context_clone,
+                    )
+                    .await
+                    {
+                        warn!("HTTP/2 stream proxy failure: {}", err);
+                    }
+                });
+            }
+        }
+    }
+
+    Ok(())
+}
+
+async fn determine_connection_route(
+    first_stream: &(Request<RecvStream>, server::SendResponse<Bytes>),
+    proxy_port: u16,
+    routing_table: Arc<RwLock<RoutingTable>>,
+    default_environment_id: Uuid,
+) -> io::Result<ConnectionRoutePlan> {
+    let (request, _) = first_stream;
+    let header_pairs = header_map_to_vec(request.headers());
+    let routing_context = extract_routing_context(&header_pairs);
+    let branch_id = routing_context.lapdev_environment_id;
+    let target_environment_id = branch_id.unwrap_or(default_environment_id);
+
+    let (service_port, decision) = {
+        let table = routing_table.read().await;
+        let service_port = table.service_port_for_proxy(proxy_port);
+        let decision = table.resolve_http(service_port, branch_id);
+        (service_port, decision)
+    };
+
+    let (upstream, description) = match decision {
+        RouteDecision::BranchService { service } => {
+            let Some(service_name) = service.service_name_for_port(service_port) else {
+                return Err(io::Error::new(
+                    io::ErrorKind::Other,
+                    format!(
+                        "missing branch service mapping for port {} (branch {:?})",
+                        service_port, branch_id
+                    ),
+                ));
+            };
+
+            let description = format!(
+                "branch service {}:{} (branch {:?})",
+                service_name, service_port, branch_id
+            );
+
+            (
+                UpstreamConnector::BranchService {
+                    service_name: service_name.to_string(),
+                    port: service_port,
+                },
+                description,
+            )
+        }
+        RouteDecision::BranchDevbox {
+            branch_id: branch_env_id,
+            connection,
+            target_port,
+        } => {
+            let metadata = connection.metadata().clone();
+            let description = format!(
+                "branch devbox intercept_id={} workload_id={} target_port={} (branch {:?})",
+                metadata.intercept_id, metadata.workload_id, target_port, branch_env_id
+            );
+            (
+                UpstreamConnector::Devbox {
+                    connection,
+                    target_port,
+                    label: "branch-devbox",
+                },
+                description,
+            )
+        }
+        RouteDecision::DefaultDevbox {
+            connection,
+            target_port,
+        } => {
+            let metadata = connection.metadata().clone();
+            let description = format!(
+                "shared devbox intercept_id={} workload_id={} target_port={}",
+                metadata.intercept_id, metadata.workload_id, target_port
+            );
+            (
+                UpstreamConnector::Devbox {
+                    connection,
+                    target_port,
+                    label: "shared-devbox",
+                },
+                description,
+            )
+        }
+        RouteDecision::DefaultLocal { target_port } => {
+            let target = SocketAddr::new("127.0.0.1".parse().unwrap(), target_port);
+            let description = format!("shared target {}", target);
+            (UpstreamConnector::Local { target }, description)
+        }
+    };
+
+    Ok(ConnectionRoutePlan {
+        upstream,
+        service_port,
+        branch_id,
+        target_environment_id,
+        description,
+    })
+}
+
+async fn establish_upstream_connection(
+    plan: &ConnectionRoutePlan,
+) -> io::Result<(client::SendRequest<Bytes>, tokio::task::JoinHandle<()>)> {
+    match &plan.upstream {
+        UpstreamConnector::Local { target } => {
+            let stream = TcpStream::connect(target).await?;
+            spawn_upstream_driver(client::handshake(stream).await.map_err(map_h2_err)?, plan)
+        }
+        UpstreamConnector::BranchService { service_name, port } => {
+            let stream = TcpStream::connect((service_name.as_str(), *port)).await?;
+            spawn_upstream_driver(client::handshake(stream).await.map_err(map_h2_err)?, plan)
+        }
+        UpstreamConnector::Devbox {
+            connection,
+            target_port,
+            label,
+        } => match connection
+            .connect_tcp_stream("127.0.0.1", *target_port)
+            .await
+        {
+            Ok(stream) => match client::handshake(stream).await {
+                Ok(res) => spawn_upstream_driver(res, plan),
+                Err(err) => {
+                    warn!("HTTP/2 handshake with {} failed: {}", label, err);
+                    Err(map_h2_err(err))
+                }
+            },
+            Err(err) => {
+                warn!(
+                    "Failed to connect to {} target_port={}: {}",
+                    label, target_port, err
+                );
+                Err(err)
+            }
+        },
+    }
+}
+
+fn spawn_upstream_driver<T>(
+    pair: (client::SendRequest<Bytes>, client::Connection<T, Bytes>),
+    plan: &ConnectionRoutePlan,
+) -> io::Result<(client::SendRequest<Bytes>, tokio::task::JoinHandle<()>)>
+where
+    T: AsyncRead + AsyncWrite + Unpin + Send + 'static,
+{
+    let (sender, connection) = pair;
+    let description = plan.description.clone();
+    let handle = tokio::spawn(async move {
+        if let Err(err) = connection.await {
+            warn!(target = %description, "Upstream HTTP/2 connection ended: {}", err);
+        }
+    });
+    Ok((sender, handle))
+}
+
+async fn proxy_http2_stream(
+    outbound_sender: &mut client::SendRequest<Bytes>,
+    request: Request<RecvStream>,
+    respond: &mut server::SendResponse<Bytes>,
+    context: Arc<ConnectionContext>,
+) -> io::Result<()> {
+    let (mut parts, body) = request.into_parts();
+    let method = parts.method.clone();
+    let path = parts.uri.path().to_string();
+    let authority = parts
+        .uri
+        .authority()
+        .map(|auth| auth.to_string())
+        .unwrap_or_default();
+
+    ensure_environment_tracestate(&mut parts.headers, context.target_environment_id)?;
+
+    info!(
+        target = %context.description,
+        branch = ?context.branch_id,
+        client = %context.client_addr,
+        proxy_port = context.proxy_port,
+        service_port = context.service_port,
+        "HTTP/2 {} {} (authority {}) forwarded",
+        method,
+        path,
+        authority
+    );
+
+    forward_http2_via_sender(outbound_sender, &parts, body, respond).await
+}
+
+async fn forward_http2_via_sender(
+    sender: &mut client::SendRequest<Bytes>,
+    parts: &http::request::Parts,
+    body: RecvStream,
+    respond: &mut server::SendResponse<Bytes>,
+) -> io::Result<()> {
+    let outbound_request = build_outbound_request(parts)?;
+    let end_of_stream = body.is_end_stream();
+
+    let mut ready_sender = sender.clone().ready().await.map_err(map_h2_err)?;
+
+    let (response_future, outbound_stream) = ready_sender
+        .send_request(outbound_request, end_of_stream)
+        .map_err(map_h2_err)?;
+    *sender = ready_sender;
+
+    let request_forward = async move {
+        if end_of_stream {
+            Ok(())
+        } else {
+            forward_request_body(body, outbound_stream).await
+        }
+    };
+
+    let response_forward = async move {
+        let response = response_future.await.map_err(map_h2_err)?;
+        let (response_parts, mut response_body) = response.into_parts();
+        let response_end_of_stream = response_body.is_end_stream();
+        let head = Response::from_parts(response_parts, ());
+        let mut inbound_stream = respond
+            .send_response(head, response_end_of_stream)
+            .map_err(map_h2_err)?;
+
+        if !response_end_of_stream {
+            forward_response_body(&mut response_body, &mut inbound_stream).await?;
+        }
+
+        Ok(())
+    };
+
+    tokio::try_join!(request_forward, response_forward)?;
+
+    Ok(())
+}
+
+fn build_outbound_request(parts: &http::request::Parts) -> io::Result<Request<()>> {
+    let mut builder = Request::builder()
+        .method(&parts.method)
+        .uri(&parts.uri)
+        .version(parts.version);
+
+    for (name, value) in parts.headers.iter() {
+        builder = builder.header(name, value);
+    }
+
+    builder
+        .body(())
+        .map_err(|err| io::Error::new(io::ErrorKind::Other, err))
+}
+
+async fn forward_response_body(
+    body: &mut RecvStream,
+    inbound_stream: &mut SendStream<Bytes>,
+) -> io::Result<()> {
+    while let Some(chunk) = body.data().await {
+        let data = chunk.map_err(map_h2_err)?;
+        let len = data.len();
+        inbound_stream.send_data(data, false).map_err(map_h2_err)?;
+        if let Err(err) = body.flow_control().release_capacity(len) {
+            warn!("Failed to release HTTP/2 response capacity: {}", err);
+        }
+    }
+
+    if let Some(trailers) = body.trailers().await.map_err(map_h2_err)? {
+        inbound_stream.send_trailers(trailers).map_err(map_h2_err)?;
+    } else {
+        inbound_stream
+            .send_data(Bytes::new(), true)
+            .map_err(map_h2_err)?;
+    }
+
+    Ok(())
+}
+
+async fn forward_request_body(
+    mut body: RecvStream,
+    mut outbound_stream: SendStream<Bytes>,
+) -> io::Result<()> {
+    while let Some(chunk_result) = body.data().await {
+        let data = chunk_result.map_err(map_h2_err)?;
+        let len = data.len();
+        outbound_stream.send_data(data, false).map_err(map_h2_err)?;
+        if let Err(err) = body.flow_control().release_capacity(len) {
+            warn!("Failed to release HTTP/2 request capacity: {}", err);
+        }
+    }
+
+    if let Some(trailers) = body.trailers().await.map_err(map_h2_err)? {
+        outbound_stream
+            .send_trailers(trailers)
+            .map_err(map_h2_err)?;
+    } else {
+        outbound_stream
+            .send_data(Bytes::new(), true)
+            .map_err(map_h2_err)?;
+    }
+
+    Ok(())
+}
+
+fn header_map_to_vec(headers: &HeaderMap) -> Vec<(String, String)> {
+    headers
+        .iter()
+        .map(|(name, value)| {
+            let value_str = value
+                .to_str()
+                .map(|s| s.to_string())
+                .unwrap_or_else(|_| String::from_utf8_lossy(value.as_bytes()).to_string());
+            (name.as_str().to_string(), value_str)
+        })
+        .collect()
+}
+
+fn ensure_environment_tracestate(headers: &mut HeaderMap, environment_id: Uuid) -> io::Result<()> {
+    let env_id_str = environment_id.to_string();
+    let target_entry = format!("lapdev-env-id={}", env_id_str);
+
+    let new_value = if let Some(existing_value) = headers.get(TRACESTATE_HEADER) {
+        let existing = existing_value
+            .to_str()
+            .map(|s| s.to_string())
+            .unwrap_or_else(|_| String::from_utf8_lossy(existing_value.as_bytes()).to_string());
+
+        let mut entries: Vec<String> = Vec::new();
+
+        for entry in existing.split(',') {
+            let trimmed = entry.trim();
+            if trimmed.is_empty() {
+                continue;
+            }
+
+            if let Some((key, _)) = trimmed.split_once('=') {
+                if key.trim().eq_ignore_ascii_case("lapdev-env-id") {
+                    continue;
+                }
+            }
+
+            entries.push(trimmed.to_string());
+        }
+
+        entries.push(target_entry);
+        entries.join(",")
+    } else {
+        target_entry
+    };
+
+    let header_value = HeaderValue::from_str(&new_value)
+        .map_err(|err| io::Error::new(io::ErrorKind::InvalidInput, err))?;
+    headers.insert(HeaderName::from_static(TRACESTATE_HEADER), header_value);
+
+    Ok(())
+}
+
+fn map_h2_err(err: h2::Error) -> io::Error {
+    io::Error::new(io::ErrorKind::Other, err)
+}
+
+struct PrefacedStream<T> {
+    buffer: Vec<u8>,
+    position: usize,
+    inner: T,
+}
+
+impl<T> PrefacedStream<T> {
+    fn new(inner: T, buffer: Vec<u8>) -> Self {
+        Self {
+            buffer,
+            position: 0,
+            inner,
+        }
+    }
+}
+
+impl<T> AsyncRead for PrefacedStream<T>
+where
+    T: AsyncRead + Unpin,
+{
+    fn poll_read(
+        mut self: Pin<&mut Self>,
+        cx: &mut Context<'_>,
+        buf: &mut ReadBuf<'_>,
+    ) -> Poll<io::Result<()>> {
+        if self.position < self.buffer.len() {
+            let remaining = self.buffer.len() - self.position;
+            let bytes_to_copy = remaining.min(buf.remaining());
+            buf.put_slice(&self.buffer[self.position..self.position + bytes_to_copy]);
+            self.position += bytes_to_copy;
+            Poll::Ready(Ok(()))
+        } else {
+            Pin::new(&mut self.inner).poll_read(cx, buf)
+        }
+    }
+}
+
+impl<T> AsyncWrite for PrefacedStream<T>
+where
+    T: AsyncWrite + Unpin,
+{
+    fn poll_write(
+        mut self: Pin<&mut Self>,
+        cx: &mut Context<'_>,
+        buf: &[u8],
+    ) -> Poll<io::Result<usize>> {
+        Pin::new(&mut self.inner).poll_write(cx, buf)
+    }
+
+    fn poll_flush(mut self: Pin<&mut Self>, cx: &mut Context<'_>) -> Poll<io::Result<()>> {
+        Pin::new(&mut self.inner).poll_flush(cx)
+    }
+
+    fn poll_shutdown(mut self: Pin<&mut Self>, cx: &mut Context<'_>) -> Poll<io::Result<()>> {
+        Pin::new(&mut self.inner).poll_shutdown(cx)
+    }
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    #[test]
+    fn ensure_tracestate_inserted_when_missing() {
+        let mut headers = HeaderMap::new();
+        let env_id = Uuid::parse_str("aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee").unwrap();
+
+        ensure_environment_tracestate(&mut headers, env_id).unwrap();
+
+        let expected = format!("lapdev-env-id={}", env_id);
+        assert_eq!(
+            headers
+                .get(TRACESTATE_HEADER)
+                .and_then(|value| value.to_str().ok())
+                .unwrap(),
+            expected
+        );
+    }
+
+    #[test]
+    fn ensure_tracestate_replaces_existing_entry() {
+        let mut headers = HeaderMap::new();
+        headers.insert(
+            HeaderName::from_static(TRACESTATE_HEADER),
+            HeaderValue::from_static("foo=bar, lapdev-env-id=old-env ,baz=qux"),
+        );
+
+        let env_id = Uuid::parse_str("11111111-2222-3333-4444-555555555555").unwrap();
+
+        ensure_environment_tracestate(&mut headers, env_id).unwrap();
+
+        let expected = format!("foo=bar,baz=qux,lapdev-env-id={}", env_id);
+        assert_eq!(
+            headers
+                .get(TRACESTATE_HEADER)
+                .and_then(|value| value.to_str().ok())
+                .unwrap(),
+            expected
+        );
+    }
+}
diff --git a/crates/kube-sidecar-proxy/src/lib.rs b/crates/kube-sidecar-proxy/src/lib.rs
new file mode 100644
index 0000000..fee0843
--- /dev/null
+++ b/crates/kube-sidecar-proxy/src/lib.rs
@@ -0,0 +1,10 @@
+pub mod config;
+pub mod connection_registry;
+pub mod error;
+pub mod http2_proxy;
+pub mod otel_routing;
+pub mod protocol_detector;
+pub mod rpc;
+pub mod server;
+
+pub use server::SidecarProxyServer;
diff --git a/crates/kube-sidecar-proxy/src/main.rs b/crates/kube-sidecar-proxy/src/main.rs
new file mode 100644
index 0000000..acba129
--- /dev/null
+++ b/crates/kube-sidecar-proxy/src/main.rs
@@ -0,0 +1,110 @@
+use anyhow::Result;
+use clap::Parser;
+use lapdev_common::kube::{
+    DEFAULT_SIDECAR_PROXY_BIND_ADDR, DEFAULT_SIDECAR_PROXY_PORT, SIDECAR_PROXY_BIND_ADDR_ENV_VAR,
+    SIDECAR_PROXY_PORT_ENV_VAR,
+};
+use lapdev_kube_sidecar_proxy::SidecarProxyServer;
+use std::net::{IpAddr, SocketAddr};
+use tracing::{info, level_filters::LevelFilter};
+use tracing_subscriber::{layer::SubscriberExt, util::SubscriberInitExt, EnvFilter};
+
+#[derive(Parser)]
+#[command(author, version, about, long_about = None)]
+struct Args {
+    /// Proxy bind address
+    #[arg(
+        long,
+        env = SIDECAR_PROXY_BIND_ADDR_ENV_VAR,
+        default_value = DEFAULT_SIDECAR_PROXY_BIND_ADDR
+    )]
+    bind_addr: String,
+
+    /// Proxy listening port
+    #[arg(
+        long,
+        env = SIDECAR_PROXY_PORT_ENV_VAR,
+        default_value_t = DEFAULT_SIDECAR_PROXY_PORT
+    )]
+    listen_port: u16,
+
+    /// Kubernetes namespace to watch for services
+    #[arg(long, env = "KUBERNETES_NAMESPACE")]
+    namespace: Option<String>,
+
+    /// Pod name (for self-identification)
+    #[arg(long, env = "HOSTNAME")]
+    pod_name: Option<String>,
+
+    /// Lapdev environment ID
+    #[arg(long, env = "LAPDEV_ENVIRONMENT_ID")]
+    environment_id: Option<String>,
+
+    /// Lapdev environment auth token
+    #[arg(long, env = "LAPDEV_ENVIRONMENT_AUTH_TOKEN")]
+    environment_auth_token: Option<String>,
+
+    /// Log level
+    #[arg(long, default_value = "info")]
+    log_level: String,
+}
+
+#[tokio::main]
+async fn main() -> Result<()> {
+    let args = Args::parse();
+
+    // Initialize tracing
+    let filter = EnvFilter::builder()
+        .with_default_directive(LevelFilter::INFO.into())
+        .from_env_lossy();
+
+    let filter = filter.add_directive("tarpc=warn".parse()?);
+    let filter = filter.add_directive("tarpc::client=warn".parse()?);
+    let filter =
+        filter.add_directive(format!("lapdev_kube_sidecar_proxy={}", args.log_level).parse()?);
+
+    tracing_subscriber::registry()
+        .with(tracing_subscriber::fmt::layer())
+        .with(filter)
+        .init();
+
+    info!("Starting Lapdev Kubernetes Sidecar Proxy");
+    info!("Listen address: {}:{}", args.bind_addr, args.listen_port);
+    info!("Namespace: {:?}", args.namespace);
+    info!("Pod name: {:?}", args.pod_name);
+
+    // Validate that environment ID and auth token are present
+    let environment_id = args
+        .environment_id
+        .ok_or_else(|| anyhow::anyhow!("LAPDEV_ENVIRONMENT_ID environment variable is required"))?;
+    let environment_auth_token = args.environment_auth_token.ok_or_else(|| {
+        anyhow::anyhow!("LAPDEV_ENVIRONMENT_AUTH_TOKEN environment variable is required")
+    })?;
+
+    info!("Environment ID: {}", environment_id);
+
+    let bind_ip: IpAddr = args.bind_addr.parse()?;
+    let listen_addr = SocketAddr::new(bind_ip, args.listen_port);
+
+    let server = SidecarProxyServer::new(
+        listen_addr,
+        args.namespace,
+        args.pod_name,
+        environment_id,
+        environment_auth_token,
+    )
+    .await?;
+
+    // Graceful shutdown handling
+    let shutdown_signal = async {
+        tokio::signal::ctrl_c()
+            .await
+            .expect("Failed to install CTRL+C signal handler");
+        info!("Received shutdown signal");
+    };
+
+    server.serve_with_graceful_shutdown(shutdown_signal).await?;
+
+    info!("Sidecar proxy shut down gracefully");
+    Ok(())
+}
diff --git a/crates/kube-sidecar-proxy/src/otel_routing.rs b/crates/kube-sidecar-proxy/src/otel_routing.rs
new file mode 100644
index 0000000..769b315
--- /dev/null
+++ b/crates/kube-sidecar-proxy/src/otel_routing.rs
@@ -0,0 +1,347 @@
+use std::collections::HashMap;
+use tracing::{debug, warn};
+use uuid::Uuid;
+
+/// OpenTelemetry header names
+pub const TRACEPARENT_HEADER: &str = "traceparent";
+pub const TRACESTATE_HEADER: &str = "tracestate";
+pub const BAGGAGE_HEADER: &str = "baggage";
+
+/// Custom routing headers that can influence routing decisions
+pub const X_ROUTING_KEY: &str = "x-routing-key";
+pub const X_SERVICE_VERSION: &str = "x-service-version";
+pub const X_CANARY_DEPLOYMENT: &str = "x-canary-deployment";
+
+/// OpenTelemetry trace context
+#[derive(Debug, Clone)]
+pub struct TraceContext {
+    pub trace_id: Option<String>,
+    pub span_id: Option<String>,
+    pub trace_flags: Option<String>,
+    pub trace_state: Option<String>,
+    pub baggage: HashMap<String, String>,
+}
+
+/// Routing decision based on headers
+#[derive(Debug, Clone)]
+pub struct RoutingContext {
+    pub trace_context: TraceContext,
+    pub lapdev_environment_id: Option<Uuid>,
+    pub routing_key: Option<String>,
+    pub service_version: Option<String>,
+    pub canary_deployment: Option<String>,
+    /// Additional custom headers that might influence routing
+    pub custom_headers: HashMap<String, String>,
+}
+
+/// Extract OpenTelemetry and routing context from parsed headers
+pub fn extract_routing_context(headers: &[(String, String)]) -> RoutingContext {
+    let trace_context = extract_trace_context(headers);
+    let lapdev_environment_id = extract_lapdev_environment_id(trace_context.trace_state.as_ref());
+
+    RoutingContext {
+        trace_context,
+        lapdev_environment_id,
+        routing_key: get_header_value(headers, X_ROUTING_KEY),
+        service_version: get_header_value(headers, X_SERVICE_VERSION),
+        canary_deployment: get_header_value(headers, X_CANARY_DEPLOYMENT),
+        custom_headers: extract_custom_headers(headers),
+    }
+}
+
+/// Extract OpenTelemetry trace context from headers
+fn extract_trace_context(headers: &[(String, String)]) -> TraceContext {
+    let mut trace_context = TraceContext {
+        trace_id: None,
+        span_id: None,
+        trace_flags: None,
+        trace_state: None,
+        baggage: HashMap::new(),
+    };
+
+    // Parse traceparent header (W3C Trace Context)
+    if let Some(traceparent) = get_header_value(headers, TRACEPARENT_HEADER) {
+        if let Some(parsed) = parse_traceparent(&traceparent) {
+            trace_context.trace_id = parsed.0;
+            trace_context.span_id = parsed.1;
+            trace_context.trace_flags = parsed.2;
+        }
+    }
+
+    // Parse tracestate header
+    if let Some(tracestate) = get_header_value(headers, TRACESTATE_HEADER) {
+        trace_context.trace_state = Some(tracestate);
+    }
+
+    // Parse baggage header
+    if let Some(baggage) = get_header_value(headers, BAGGAGE_HEADER) {
+        trace_context.baggage = parse_baggage(&baggage);
+    }
+
+    trace_context
+}
+
+/// Get header value as String from parsed headers
+fn get_header_value(headers: &[(String, String)], name: &str) -> Option<String> {
+    headers
+        .iter()
+        .find(|(h_name, _)| h_name.eq_ignore_ascii_case(name))
+        .map(|(_, value)| value.clone())
+}
+
+/// Parse W3C traceparent header
+/// Format: 00-4bf92f3577b34da6a3ce929d0e0e4736-00f067aa0ba902b7-01
+fn parse_traceparent(
+    traceparent: &str,
+) -> Option<(Option<String>, Option<String>, Option<String>)> {
+    let parts: Vec<&str> = traceparent.split('-').collect();
+
+    if parts.len() != 4 {
+        warn!("Invalid traceparent format: {}", traceparent);
+        return None;
+    }
+
+    Some((
+        Some(parts[1].to_string()), // trace-id
+        Some(parts[2].to_string()), // parent-id
+        Some(parts[3].to_string()), // trace-flags
+    ))
+}
+
+/// Parse baggage header into key-value pairs
+/// Format: key1=value1,key2=value2
+fn parse_baggage(baggage: &str) -> HashMap<String, String> {
+    let mut result = HashMap::new();
+
+    for item in baggage.split(',') {
+        let item = item.trim();
+        if let Some(eq_pos) = item.find('=') {
+            let key = item[..eq_pos].trim();
+            let value = item[eq_pos + 1..].trim();
+            result.insert(key.to_string(), value.to_string());
+        }
+    }
+
+    result
+}
+
+/// Extract custom routing headers (prefixed with x-routing-)
+fn extract_custom_headers(headers: &[(String, String)]) -> HashMap<String, String> {
+    let mut custom_headers = HashMap::new();
+
+    for (name, value) in headers {
+        if name.starts_with("x-routing-") {
+            custom_headers.insert(name.clone(), value.clone());
+        }
+    }
+
+    custom_headers
+}
+
+fn extract_lapdev_environment_id(tracestate: Option<&String>) -> Option<Uuid> {
+    let tracestate = tracestate?;
+
+    tracestate.split(',').find_map(|entry| {
+        let entry = entry.trim();
+        let (key, value) = entry.split_once('=')?;
+
+        if key.trim().eq_ignore_ascii_case("lapdev-env-id") {
+            Uuid::parse_str(value.trim()).ok()
+        } else {
+            None
+        }
+    })
+}
+
+/// Determine routing target based on context
+pub fn determine_routing_target(
+    routing_context: &RoutingContext,
+    original_port: u16,
+) -> RoutingTarget {
+    // Example routing logic based on headers
+
+    // Check for canary deployment
+    if let Some(canary) = &routing_context.canary_deployment {
+        if canary.to_lowercase() == "true" {
+            debug!("Routing to canary deployment");
+            return RoutingTarget::Canary {
+                port: original_port,
+                weight: 10, // 10% traffic to canary
+            };
+        }
+    }
+
+    // Check for specific service version
+    if let Some(version) = &routing_context.service_version {
+        debug!("Routing to service version: {}", version);
+        return RoutingTarget::Version {
+            port: original_port,
+            version: version.clone(),
+        };
+    }
+
+    // Check trace context for sampling or special routing
+    if let Some(trace_id) = &routing_context.trace_context.trace_id {
+        // Example: Route high-value traces to premium instances
+        if is_high_priority_trace(trace_id) {
+            debug!("Routing high-priority trace to premium instance");
+            return RoutingTarget::Premium {
+                port: original_port,
+            };
+        }
+    }
+
+    // Check custom routing headers
+    if let Some(routing_key) = &routing_context.routing_key {
+        debug!("Using custom routing key: {}", routing_key);
+        return RoutingTarget::Custom {
+            port: original_port,
+            key: routing_key.clone(),
+        };
+    }
+
+    // Default routing
+    RoutingTarget::Default {
+        port: original_port,
+    }
+}
+
+/// Routing target options
+#[derive(Debug, Clone)]
+pub enum RoutingTarget {
+    Default { port: u16 },
+    Canary { port: u16, weight: u8 },
+    Version { port: u16, version: String },
+    Premium { port: u16 },
+    Custom { port: u16, key: String },
+}
+
+impl RoutingTarget {
+    /// Get the target port for this routing decision
+    pub fn get_port(&self) -> u16 {
+        match self {
+            RoutingTarget::Default { port } => *port,
+            RoutingTarget::Canary { port, .. } => *port,
+            RoutingTarget::Version { port, .. } => *port,
+            RoutingTarget::Premium { port } => *port,
+            RoutingTarget::Custom { port, .. } => *port,
+        }
+    }
+
+    /// Get routing metadata for logging
+    pub fn get_metadata(&self) -> String {
+        match self {
+            RoutingTarget::Default { .. } => "default".to_string(),
+            RoutingTarget::Canary { weight, .. } => format!("canary({}%)", weight),
+            RoutingTarget::Version { version, .. } => format!("version({})", version),
+            RoutingTarget::Premium { .. } => "premium".to_string(),
+            RoutingTarget::Custom { key, .. } => format!("custom({})", key),
+        }
+    }
+}
+
+/// Example function to determine if a trace is high priority
+/// This could be based on trace sampling, customer tier, etc.
+fn is_high_priority_trace(trace_id: &str) -> bool {
+    // Example: Check if trace_id ends with specific patterns
+    // In practice, this might check against a database or rules engine
+    trace_id.ends_with("0001") || trace_id.ends_with("0002")
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    fn create_test_headers(headers: &[(&str, &str)]) -> Vec<(String, String)> {
+        headers
+            .iter()
+            .map(|(name, value)| (name.to_string(), value.to_string()))
+            .collect()
+    }
+
+    #[test]
+    fn test_extract_trace_context() {
+        let headers = create_test_headers(&[
+            (
+                "traceparent",
+                "00-4bf92f3577b34da6a3ce929d0e0e4736-00f067aa0ba902b7-01",
+            ),
+            ("baggage", "userId=alice,serverNode=DF28"),
+        ]);
+
+        let context = extract_routing_context(&headers);
+
+        assert_eq!(
+            context.trace_context.trace_id,
+            Some("4bf92f3577b34da6a3ce929d0e0e4736".to_string())
+        );
+        assert_eq!(
+            context.trace_context.span_id,
+            Some("00f067aa0ba902b7".to_string())
+        );
+        assert_eq!(
+            context.trace_context.baggage.get("userId"),
+            Some(&"alice".to_string())
+        );
+        assert!(context.lapdev_environment_id.is_none());
+    }
+
+    #[test]
+    fn test_custom_routing_headers() {
+        let headers = create_test_headers(&[
+            ("x-routing-key", "premium-customer"),
+            ("x-canary-deployment", "true"),
+        ]);
+
+        let context = extract_routing_context(&headers);
+
+        assert_eq!(context.routing_key, Some("premium-customer".to_string()));
+        assert_eq!(context.canary_deployment, Some("true".to_string()));
+    }
+
+    #[test]
+    fn test_routing_target_determination() {
+        let context = RoutingContext {
+            trace_context: TraceContext {
+                trace_id: None,
+                span_id: None,
+                trace_flags: None,
+                trace_state: None,
+                baggage: HashMap::new(),
+            },
+            lapdev_environment_id: None,
+            routing_key: None,
+            service_version: None,
+            canary_deployment: Some("true".to_string()),
+            custom_headers: HashMap::new(),
+        };
+
+        let target = determine_routing_target(&context, 8080);
+
+        match target {
+            RoutingTarget::Canary { port, weight } => {
+                assert_eq!(port, 8080);
+                assert_eq!(weight, 10);
+            }
+            _ => panic!("Expected canary routing"),
+        }
+    }
+
+    #[test]
+    fn test_extract_lapdev_environment_id() {
+        let headers = create_test_headers(&[(
+            "tracestate",
+            "vendor=value,lapdev-env-id=123e4567-e89b-12d3-a456-426614174000",
+        )]);
+
+        let context = extract_routing_context(&headers);
+
+        assert_eq!(
+            context.lapdev_environment_id,
+            Some(
+                Uuid::parse_str("123e4567-e89b-12d3-a456-426614174000")
+                    .expect("valid uuid literal")
+            )
+        );
+    }
+}
diff --git a/crates/kube-sidecar-proxy/src/protocol_detector.rs b/crates/kube-sidecar-proxy/src/protocol_detector.rs
new file mode 100644
index 0000000..9744974
--- /dev/null
+++ b/crates/kube-sidecar-proxy/src/protocol_detector.rs
@@ -0,0 +1,376 @@
+use lapdev_kube_rpc::http_parser::{self, HeaderReadStatus};
+use std::io;
+use tokio::{
+    io::{AsyncRead, AsyncReadExt},
+    time::{timeout, Duration, Instant},
+};
+use tracing::debug;
+
+/// Maximum bytes to read while attempting to detect HTTP.
+const MAX_DETECTION_BYTES: usize = 8192;
+const READ_CHUNK_SIZE: usize = 1024;
+
+/// HTTP/2 client preface sent at the start of cleartext connections.
+const HTTP2_PREFACE: &[u8] = b"PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n";
+
+/// Result of protocol detection
+#[derive(Debug, Clone)]
+pub enum ProtocolType {
+    Http { method: String, path: String },
+    Http2,
+    Tcp,
+}
+
+/// Result of protocol detection attempt.
+pub struct ProtocolDetectionResult {
+    pub protocol: ProtocolType,
+    pub buffer: Vec<u8>,
+    pub timed_out: bool,
+}
+
+/// Detect if incoming data looks like HTTP, with an optional timeout budget.
+pub async fn detect_protocol<R>(
+    reader: &mut R,
+    timeout_duration: Option<Duration>,
+) -> std::io::Result<ProtocolDetectionResult>
+where
+    R: AsyncRead + Unpin,
+{
+    let mut buffer = Vec::with_capacity(1024);
+    let mut timed_out = false;
+    let deadline = timeout_duration.map(|d| Instant::now() + d);
+
+    loop {
+        if buffer.len() >= MAX_DETECTION_BYTES {
+            break;
+        }
+
+        let remaining_capacity = MAX_DETECTION_BYTES - buffer.len();
+        if remaining_capacity == 0 {
+            break;
+        }
+
+        let mut chunk = [0u8; READ_CHUNK_SIZE];
+        let read_len = remaining_capacity.min(READ_CHUNK_SIZE);
+        let read_result =
+            read_chunk_with_deadline(reader, &mut chunk[..read_len], deadline, &mut timed_out)
+                .await?;
+
+        let bytes_read = match read_result {
+            Some(n) => n,
+            None => break,
+        };
+
+        if bytes_read == 0 {
+            break;
+        }
+
+        buffer.extend_from_slice(&chunk[..bytes_read]);
+
+        // Stop once we've seen the end of the first line.
+        if buffer.iter().any(|&b| b == b'\n') {
+            break;
+        }
+    }
+
+    if buffer.is_empty() {
+        return Ok(ProtocolDetectionResult {
+            protocol: ProtocolType::Tcp,
+            buffer,
+            timed_out,
+        });
+    }
+
+    // Check if it starts with the HTTP/2 client connection preface
+    if buffer.starts_with(HTTP2_PREFACE)
+        || (buffer.len() < HTTP2_PREFACE.len() && HTTP2_PREFACE.starts_with(&buffer))
+    // partial preface
+    {
+        debug!("Detected HTTP/2 protocol preface");
+        return Ok(ProtocolDetectionResult {
+            protocol: ProtocolType::Http2,
+            buffer,
+            timed_out,
+        });
+    }
+
+    // Check if it starts with an HTTP method (HTTP/1.x)
+    if let Some(protocol) = detect_http_in_buffer(&buffer) {
+        debug!("Detected HTTP protocol: {:?}", protocol);
+        match http_parser::read_http_headers_with_deadline(reader, &mut buffer, deadline).await {
+            Ok(HeaderReadStatus::TimedOut) => {
+                timed_out = true;
+            }
+            Ok(HeaderReadStatus::Complete) => {}
+            Err(err)
+                if matches!(
+                    err.kind(),
+                    io::ErrorKind::InvalidData | io::ErrorKind::UnexpectedEof
+                ) =>
+            {
+                debug!(
+                    "HTTP header read finished early while detecting protocol: {}",
+                    err
+                );
+            }
+            Err(err) => return Err(err),
+        }
+        Ok(ProtocolDetectionResult {
+            protocol,
+            buffer,
+            timed_out,
+        })
+    } else {
+        debug!("Detected TCP protocol (not HTTP)");
+        Ok(ProtocolDetectionResult {
+            protocol: ProtocolType::Tcp,
+            buffer,
+            timed_out,
+        })
+    }
+}
+
+/// Check if the buffer contains HTTP request data
+fn detect_http_in_buffer(buffer: &[u8]) -> Option<ProtocolType> {
+    if let Some(request_line) = get_request_line(buffer) {
+        if let Some((method, path)) = parse_request_line(&request_line) {
+            if method.chars().all(|c| c.is_ascii_uppercase()) {
+                return Some(ProtocolType::Http {
+                    method: method.to_string(),
+                    path: path.to_string(),
+                });
+            }
+        }
+    }
+
+    None
+}
+
+/// Extract the first line (request line) from HTTP request
+fn get_request_line(buffer: &[u8]) -> Option<String> {
+    // Find the first \r\n or \n
+    let line_end = buffer.iter().position(|&b| b == b'\r' || b == b'\n')?;
+
+    String::from_utf8(buffer[..line_end].to_vec()).ok()
+}
+
+/// Parse HTTP request line to extract method and path
+fn parse_request_line(line: &str) -> Option<(String, String)> {
+    let parts: Vec<&str> = line.split_whitespace().collect();
+
+    if parts.len() >= 2 {
+        Some((parts[0].to_string(), parts[1].to_string()))
+    } else {
+        None
+    }
+}
+
+async fn read_chunk_with_deadline<R>(
+    reader: &mut R,
+    chunk: &mut [u8],
+    deadline: Option<Instant>,
+    timed_out: &mut bool,
+) -> std::io::Result<Option<usize>>
+where
+    R: AsyncRead + Unpin,
+{
+    if chunk.is_empty() {
+        return Ok(Some(0));
+    }
+
+    if let Some(deadline) = deadline {
+        let now = Instant::now();
+        if now >= deadline {
+            *timed_out = true;
+            return Ok(None);
+        }
+
+        let remaining = deadline - now;
+        match timeout(remaining, reader.read(chunk)).await {
+            Ok(result) => result.map(Some),
+            Err(_) => {
+                *timed_out = true;
+                Ok(None)
+            }
+        }
+    } else {
+        reader.read(chunk).await.map(Some)
+    }
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+    use std::{
+        io,
+        pin::Pin,
+        task::{Context, Poll},
+    };
+    use tokio::io::{AsyncRead, ReadBuf};
+
+    #[test]
+    fn test_detect_http_get() {
+        let buffer = b"GET /api/health HTTP/1.1\r\nHost: localhost\r\n\r\n";
+        let result = detect_http_in_buffer(buffer);
+
+        match result {
+            Some(ProtocolType::Http { method, path }) => {
+                assert_eq!(method, "GET");
+                assert_eq!(path, "/api/health");
+            }
+            _ => panic!("Expected HTTP detection"),
+        }
+    }
+
+    #[test]
+    fn test_detect_http_post() {
+        let buffer =
+            b"POST /api/data HTTP/1.1\r\nContent-Type: application/json\r\n\r\n{\"test\": true}";
+        let result = detect_http_in_buffer(buffer);
+
+        match result {
+            Some(ProtocolType::Http { method, path }) => {
+                assert_eq!(method, "POST");
+                assert_eq!(path, "/api/data");
+            }
+            _ => panic!("Expected HTTP detection"),
+        }
+    }
+
+    #[test]
+    fn test_detect_non_http() {
+        let buffer = b"\x16\x03\x01\x00\xf4\x01\x00\x00\xf0\x03\x03"; // TLS handshake
+        let result = detect_http_in_buffer(buffer);
+
+        assert!(result.is_none());
+    }
+
+    #[test]
+    fn test_detect_binary() {
+        let buffer = b"\x00\x01\x02\x03\x04\x05"; // Binary data
+        let result = detect_http_in_buffer(buffer);
+
+        assert!(result.is_none());
+    }
+
+    #[tokio::test]
+    async fn test_detect_http2_preface() {
+        let buffer = super::HTTP2_PREFACE;
+        let detection = super::detect_protocol(&mut &buffer[..], None)
+            .await
+            .unwrap();
+
+        match detection.protocol {
+            ProtocolType::Http2 => {}
+            _ => panic!("Expected HTTP/2 detection"),
+        }
+    }
+
+    #[tokio::test]
+    async fn test_detect_http_uncommon_verb() {
+        let request = b"PROPFIND /calendar HTTP/1.1\r\nHost: example.com\r\n\r\n";
+        let detection = detect_protocol(&mut std::io::Cursor::new(request), None)
+            .await
+            .unwrap();
+
+        match detection.protocol {
+            ProtocolType::Http { method, path } => {
+                assert_eq!(method, "PROPFIND");
+                assert_eq!(path, "/calendar");
+            }
+            _ => panic!("Expected HTTP detection for PROPFIND"),
+        }
+    }
+
+    #[tokio::test]
+    async fn test_detect_http_reads_until_headers_complete() {
+        let headers = b"GET / HTTP/1.1\r\nHost: example.com\r\nUser-Agent: test\r\n\r\n";
+        let mut data = headers.to_vec();
+        data.extend_from_slice(b"body-should-remain");
+        let mut reader = ChunkedReader::new(data, headers.len());
+
+        let detection = detect_protocol(&mut reader, None).await.unwrap();
+        let ProtocolDetectionResult {
+            protocol, buffer, ..
+        } = detection;
+
+        match protocol {
+            ProtocolType::Http { .. } => {
+                assert_eq!(buffer.len(), headers.len());
+                assert_eq!(buffer, headers.to_vec());
+            }
+            _ => panic!("Expected HTTP detection"),
+        }
+    }
+
+    #[tokio::test]
+    async fn test_detect_http_gathers_headers_across_chunks() {
+        let headers =
+            b"POST /submit HTTP/1.1\r\nHost: example.com\r\nContent-Type: text/plain\r\n\r\n";
+        let mut reader = ChunkedReader::new(headers.to_vec(), 7);
+        let detection = detect_protocol(&mut reader, None).await.unwrap();
+        let ProtocolDetectionResult {
+            protocol, buffer, ..
+        } = detection;
+
+        match protocol {
+            ProtocolType::Http { .. } => {
+                assert!(buffer.ends_with(b"\r\n\r\n"));
+            }
+            _ => panic!("Expected HTTP detection"),
+        }
+    }
+
+    #[tokio::test]
+    async fn test_detect_http_long_first_line() {
+        let long_path = format!("/{}", "a".repeat(5000));
+        let request = format!(
+            "GET {} HTTP/1.1\r\nHost: example.com\r\nUser-Agent: test\r\n\r\n",
+            long_path
+        );
+        let mut reader = ChunkedReader::new(request.into_bytes(), 512);
+        let detection = detect_protocol(&mut reader, None).await.unwrap();
+
+        match detection.protocol {
+            ProtocolType::Http { method, path } => {
+                assert_eq!(method, "GET");
+                assert_eq!(path, long_path);
+            }
+            _ => panic!("Expected HTTP detection for long request line"),
+        }
+    }
+
+    struct ChunkedReader {
+        data: Vec<u8>,
+        position: usize,
+        chunk_size: usize,
+    }
+
+    impl ChunkedReader {
+        fn new(data: Vec<u8>, chunk_size: usize) -> Self {
+            Self {
+                data,
+                position: 0,
+                chunk_size,
+            }
+        }
+    }
+
+    impl AsyncRead for ChunkedReader {
+        fn poll_read(
+            mut self: Pin<&mut Self>,
+            _cx: &mut Context<'_>,
+            buf: &mut ReadBuf<'_>,
+        ) -> Poll<io::Result<()>> {
+            if self.position >= self.data.len() {
+                return Poll::Ready(Ok(()));
+            }
+
+            let end = (self.position + self.chunk_size).min(self.data.len());
+            let slice = &self.data[self.position..end];
+            buf.put_slice(slice);
+            self.position = end;
+            Poll::Ready(Ok(()))
+        }
+    }
+}
diff --git a/crates/kube-sidecar-proxy/src/rpc.rs b/crates/kube-sidecar-proxy/src/rpc.rs
new file mode 100644
index 0000000..b9a5d3e
--- /dev/null
+++ b/crates/kube-sidecar-proxy/src/rpc.rs
@@ -0,0 +1,346 @@
+use anyhow::Result;
+use lapdev_kube_rpc::{
+    DevboxRouteConfig, ProxyBranchRouteConfig, ProxyRouteAccessLevel, SidecarProxyManagerRpcClient,
+    SidecarProxyRpc,
+};
+use lapdev_tunnel::direct::DirectEndpoint;
+use std::{collections::HashSet, sync::Arc};
+use tokio::sync::RwLock;
+use tracing::{info, warn};
+use uuid::Uuid;
+
+use crate::{
+    config::{
+        AccessLevel, BranchServiceRoute, DevboxConnection, DevboxRouteMetadata, RoutingTable,
+    },
+    connection_registry::ConnectionRegistry,
+};
+
+#[derive(Clone)]
+pub(crate) struct SidecarProxyRpcServer {
+    workload_id: Uuid,
+    environment_id: Uuid,
+    namespace: String,
+    rpc_client: SidecarProxyManagerRpcClient,
+    routing_table: Arc<RwLock<RoutingTable>>,
+    connection_registry: Arc<ConnectionRegistry>,
+    direct_endpoint: Arc<DirectEndpoint>,
+}
+
+impl SidecarProxyRpcServer {
+    pub(crate) fn new(
+        workload_id: Uuid,
+        environment_id: Uuid,
+        namespace: String,
+        rpc_client: SidecarProxyManagerRpcClient,
+        routing_table: Arc<RwLock<RoutingTable>>,
+        connection_registry: Arc<ConnectionRegistry>,
+        direct_endpoint: Arc<DirectEndpoint>,
+    ) -> Self {
+        Self {
+            workload_id,
+            environment_id,
+            namespace,
+            rpc_client,
+            routing_table,
+            connection_registry,
+            direct_endpoint,
+        }
+    }
+
+    pub(crate) fn manager_client(&self) -> SidecarProxyManagerRpcClient {
+        self.rpc_client.clone()
+    }
+
+    pub(crate) async fn register_sidecar_proxy(&self) -> Result<()> {
+        let _ = self
+            .rpc_client
+            .register_sidecar_proxy(
+                tarpc::context::current(),
+                self.workload_id,
+                self.environment_id,
+                self.namespace.clone(),
+            )
+            .await?;
+        Ok(())
+    }
+}
+
+impl SidecarProxyRpc for SidecarProxyRpcServer {
+    async fn heartbeat(self, _context: ::tarpc::context::Context) -> Result<(), String> {
+        // TODO: Implement heartbeat logic
+        // - Report health status
+        // - Update last_seen timestamp
+        // - Return metrics
+        Ok(())
+    }
+
+    async fn set_service_routes(
+        self,
+        _context: ::tarpc::context::Context,
+        routes: Vec<ProxyBranchRouteConfig>,
+    ) -> Result<(), String> {
+        let mut routing_table = self.routing_table.write().await;
+        let previous_branches: HashSet<Uuid> =
+            routing_table.branch_routes.keys().copied().collect();
+        let mut updates: Vec<(Uuid, BranchServiceRoute)> = Vec::new();
+        let mut devbox_overrides: Vec<(Uuid, Arc<DevboxConnection>)> = Vec::new();
+
+        for route in &routes {
+            let branch_id = route.branch_environment_id;
+
+            if !route.service_names.is_empty() {
+                let service_route = BranchServiceRoute {
+                    service_names: route.service_names.clone(),
+                    headers: route.headers.clone(),
+                    requires_auth: route.requires_auth,
+                    access_level: access_level_from_proxy(route.access_level),
+                    timeout_ms: route.timeout_ms,
+                };
+                updates.push((branch_id, service_route));
+            }
+
+            if let Some(devbox) = route.devbox_route.clone() {
+                let connection = devbox_connection_from_config(
+                    devbox,
+                    Arc::clone(&self.direct_endpoint),
+                    self.rpc_client.clone(),
+                    branch_id,
+                );
+                devbox_overrides.push((branch_id, connection));
+            }
+        }
+
+        routing_table.replace_branch_routes(updates).await;
+
+        for (branch_id, devbox) in devbox_overrides {
+            if !routing_table.set_branch_devbox(&branch_id, devbox) {
+                warn!(
+                    "Received devbox override for unknown branch environment {}",
+                    branch_id
+                );
+            }
+        }
+
+        info!(
+            "Updated branch routes; total routes: {}",
+            routing_table.branch_routes.len()
+        );
+
+        let mut updated_branches: HashSet<Uuid> = routes
+            .iter()
+            .map(|route| route.branch_environment_id)
+            .collect();
+        for branch in previous_branches {
+            if !updated_branches.contains(&branch) {
+                updated_branches.insert(branch);
+            }
+        }
+        drop(routing_table);
+        self.connection_registry
+            .shutdown_branches(updated_branches.into_iter().map(Some))
+            .await;
+
+        Ok(())
+    }
+
+    async fn set_devbox_route(
+        self,
+        _context: ::tarpc::context::Context,
+        route: DevboxRouteConfig,
+    ) -> Result<(), String> {
+        if route.workload_id != self.workload_id {
+            warn!(
+                "Ignoring devbox route for workload {} on sidecar workload {}",
+                route.workload_id, self.workload_id
+            );
+            return Ok(());
+        }
+
+        let target_environment_id = route.branch_environment_id.unwrap_or(self.environment_id);
+        let devbox_connection = devbox_connection_from_config(
+            route.clone(),
+            Arc::clone(&self.direct_endpoint),
+            self.rpc_client.clone(),
+            target_environment_id,
+        );
+
+        let mut routing_table = self.routing_table.write().await;
+
+        match route.branch_environment_id {
+            Some(branch_id) => {
+                if routing_table.set_branch_devbox(&branch_id, devbox_connection.clone()) {
+                    info!(
+                        "Attached devbox route to branch {} (intercept_id={})",
+                        branch_id, route.intercept_id
+                    );
+                } else {
+                    warn!(
+                        "Received branch devbox route for unknown environment {}",
+                        branch_id
+                    );
+                }
+            }
+            None => {
+                routing_table.set_default_devbox(devbox_connection.clone());
+                info!(
+                    "Registered default devbox route (intercept_id={})",
+                    route.intercept_id
+                );
+            }
+        }
+
+        drop(routing_table);
+        let key = route.branch_environment_id;
+        self.connection_registry.shutdown_branch(key).await;
+
+        Ok(())
+    }
+
+    async fn stop_devbox(
+        self,
+        _context: ::tarpc::context::Context,
+        branch_environment: Option<Uuid>,
+    ) -> Result<(), String> {
+        let mut routing_table = self.routing_table.write().await;
+
+        match branch_environment {
+            Some(branch_id) => {
+                if routing_table.remove_branch_devbox(&branch_id) {
+                    info!(
+                        "Cleared devbox route for branch environment {} on workload {}",
+                        branch_id, self.workload_id
+                    );
+                } else {
+                    info!(
+                        "No devbox route to clear for branch environment {} on workload {}",
+                        branch_id, self.workload_id
+                    );
+                }
+            }
+            None => {
+                routing_table.clear_default_devbox();
+                info!(
+                    "Cleared default devbox route for workload {}",
+                    self.workload_id
+                );
+            }
+        }
+
+        drop(routing_table);
+        self.connection_registry
+            .shutdown_branch(branch_environment)
+            .await;
+
+        Ok(())
+    }
+
+    async fn upsert_branch_service_route(
+        self,
+        _context: ::tarpc::context::Context,
+        route: ProxyBranchRouteConfig,
+    ) -> Result<(), String> {
+        let branch_id = route.branch_environment_id;
+        if route.service_names.is_empty() {
+            return Err("Missing service_names for branch service route update".to_string());
+        }
+
+        let service_route = BranchServiceRoute {
+            service_names: route.service_names.clone(),
+            headers: route.headers.clone(),
+            requires_auth: route.requires_auth,
+            access_level: access_level_from_proxy(route.access_level),
+            timeout_ms: route.timeout_ms,
+        };
+
+        let devbox_override = route.devbox_route.map(|devbox| {
+            devbox_connection_from_config(
+                devbox,
+                Arc::clone(&self.direct_endpoint),
+                self.rpc_client.clone(),
+                branch_id,
+            )
+        });
+
+        let mut routing_table = self.routing_table.write().await;
+        routing_table
+            .upsert_branch_service_route(branch_id, service_route)
+            .await;
+
+        if let Some(connection) = devbox_override {
+            routing_table.set_branch_devbox(&branch_id, connection);
+        }
+
+        info!(
+            "Updated branch service route for branch {} on workload {}",
+            branch_id, self.workload_id
+        );
+
+        drop(routing_table);
+        self.connection_registry
+            .shutdown_branch(Some(branch_id))
+            .await;
+
+        Ok(())
+    }
+
+    async fn remove_branch_service_route(
+        self,
+        _context: ::tarpc::context::Context,
+        branch_environment_id: Uuid,
+    ) -> Result<(), String> {
+        let mut routing_table = self.routing_table.write().await;
+        if routing_table
+            .remove_branch_service_route(&branch_environment_id)
+            .await
+        {
+            info!(
+                "Removed branch service route for branch {} on workload {}",
+                branch_environment_id, self.workload_id
+            );
+        } else {
+            info!(
+                "No branch service route found for branch {} on workload {}",
+                branch_environment_id, self.workload_id
+            );
+        }
+
+        drop(routing_table);
+        self.connection_registry
+            .shutdown_branch(Some(branch_environment_id))
+            .await;
+
+        Ok(())
+    }
+}
+
+fn devbox_connection_from_config(
+    route: DevboxRouteConfig,
+    direct_endpoint: Arc<DirectEndpoint>,
+    rpc_client: SidecarProxyManagerRpcClient,
+    target_environment_id: Uuid,
+) -> Arc<DevboxConnection> {
+    Arc::new(DevboxConnection::new(
+        DevboxRouteMetadata {
+            intercept_id: route.intercept_id,
+            workload_id: route.workload_id,
+            auth_token: route.auth_token,
+            websocket_url: route.websocket_url,
+            path_pattern: route.path_pattern,
+            port_mappings: route.port_mappings,
+            created_at_epoch_seconds: route.created_at_epoch_seconds,
+            expires_at_epoch_seconds: route.expires_at_epoch_seconds,
+        },
+        direct_endpoint,
+        rpc_client,
+        target_environment_id,
+    ))
+}
+
+fn access_level_from_proxy(level: ProxyRouteAccessLevel) -> AccessLevel {
+    match level {
+        ProxyRouteAccessLevel::Personal => AccessLevel::Personal,
+        ProxyRouteAccessLevel::Shared => AccessLevel::Shared,
+        ProxyRouteAccessLevel::Public => AccessLevel::Public,
+    }
+}
diff --git a/crates/kube-sidecar-proxy/src/server.rs b/crates/kube-sidecar-proxy/src/server.rs
new file mode 100644
index 0000000..04c677c
--- /dev/null
+++ b/crates/kube-sidecar-proxy/src/server.rs
@@ -0,0 +1,1042 @@
+use crate::{
+    config::{DevboxConnection, RouteDecision, RoutingTable, SidecarSettings},
+    connection_registry::ConnectionRegistry,
+    error::Result,
+    http2_proxy::handle_http2_proxy,
+    otel_routing::{determine_routing_target, extract_routing_context},
+    protocol_detector::{detect_protocol, ProtocolDetectionResult, ProtocolType},
+    rpc::SidecarProxyRpcServer,
+};
+use anyhow::{anyhow, Context};
+use futures::StreamExt;
+use lapdev_common::kube::{
+    ProxyPortRoute, SIDECAR_PROXY_MANAGER_ADDR_ENV_VAR, SIDECAR_PROXY_PORT_ROUTES_ENV_VAR,
+    SIDECAR_PROXY_WORKLOAD_ENV_VAR,
+};
+use lapdev_kube_rpc::{http_parser, SidecarProxyManagerRpcClient, SidecarProxyRpc};
+use lapdev_rpc::spawn_twoway;
+use lapdev_tunnel::direct::DirectEndpoint;
+use std::{collections::HashSet, env, io, net::SocketAddr, str::FromStr, sync::Arc};
+use tarpc::server::{BaseChannel, Channel};
+use tokio::{
+    io::{copy_bidirectional, AsyncRead, AsyncWrite},
+    net::{TcpListener, TcpStream},
+    sync::{mpsc, watch, RwLock},
+    time::{sleep, Duration, MissedTickBehavior},
+};
+use tracing::{debug, error, info, warn};
+use uuid::Uuid;
+
+const SIDECAR_HEARTBEAT_INTERVAL_SECS: u64 = 30;
+
+/// Main sidecar proxy server
+#[derive(Clone)]
+pub struct SidecarProxyServer {
+    workload_id: Uuid,
+    sidecar_proxy_manager_addr: String,
+    settings: Arc<SidecarSettings>,
+    routing_table: Arc<RwLock<RoutingTable>>,
+    connection_registry: Arc<ConnectionRegistry>,
+    direct_endpoint: Arc<DirectEndpoint>,
+    /// RPC client to kube-manager (None until connection established)
+    rpc_client: Arc<RwLock<Option<SidecarProxyManagerRpcClient>>>,
+}
+
+impl SidecarProxyServer {
+    /// Create a new sidecar proxy server
+    pub async fn new(
+        listen_addr: SocketAddr,
+        namespace: Option<String>,
+        pod_name: Option<String>,
+        environment_id: String,
+        environment_auth_token: String,
+    ) -> Result<Self> {
+        let sidecar_proxy_manager_addr = std::env::var(SIDECAR_PROXY_MANAGER_ADDR_ENV_VAR)
+            .map_err(|_| {
+                anyhow!(format!(
+                    "can't find {SIDECAR_PROXY_MANAGER_ADDR_ENV_VAR} env var"
+                ))
+            })?;
+
+        let raw_workload_id =
+            env::var(SIDECAR_PROXY_WORKLOAD_ENV_VAR).map_err(|err| match err {
+                env::VarError::NotPresent => {
+                    anyhow!(format!(
+                        "{SIDECAR_PROXY_WORKLOAD_ENV_VAR} env var must be set"
+                    ))
+                }
+                env::VarError::NotUnicode(_) => anyhow!(format!(
+                    "{SIDECAR_PROXY_WORKLOAD_ENV_VAR} must be valid UTF-8"
+                )),
+            })?;
+
+        let workload_id = Uuid::from_str(&raw_workload_id).map_err(|_| {
+            anyhow!(format!(
+                "{SIDECAR_PROXY_WORKLOAD_ENV_VAR} isn't a valid uuid"
+            ))
+        })?;
+
+        info!(
+            workload_id = %workload_id,
+            namespace = namespace
+                .as_deref()
+                .unwrap_or("unknown"),
+            pod_name = pod_name
+                .as_deref()
+                .unwrap_or("unknown"),
+            "Starting sidecar proxy workload"
+        );
+
+        // Parse environment ID - now required
+        let env_id = Uuid::parse_str(&environment_id)
+            .map_err(|e| anyhow!("Failed to parse environment_id as UUID: {}", e))?;
+
+        let settings = SidecarSettings::new(
+            listen_addr,
+            namespace.clone(),
+            pod_name.clone(),
+            env_id,
+            environment_auth_token,
+        );
+
+        let mut routing_table = RoutingTable::default();
+
+        match env::var(SIDECAR_PROXY_PORT_ROUTES_ENV_VAR) {
+            Ok(raw_routes) => {
+                let routes: Vec<ProxyPortRoute> =
+                    serde_json::from_str(&raw_routes).with_context(|| {
+                        format!(
+                            "failed to parse {} as JSON array of proxy routes",
+                            SIDECAR_PROXY_PORT_ROUTES_ENV_VAR
+                        )
+                    })?;
+
+                if routes.is_empty() {
+                    warn!(
+                        "{} provided but contained no routes; sidecar will fall back to default port",
+                        SIDECAR_PROXY_PORT_ROUTES_ENV_VAR
+                    );
+                } else {
+                    info!(
+                        "Loaded {} proxy port routes from {}",
+                        routes.len(),
+                        SIDECAR_PROXY_PORT_ROUTES_ENV_VAR
+                    );
+                }
+
+                routing_table.set_port_routes(routes);
+            }
+            Err(env::VarError::NotPresent) => {
+                debug!(
+                    "{} not set; using default listener port {}",
+                    SIDECAR_PROXY_PORT_ROUTES_ENV_VAR,
+                    listen_addr.port()
+                );
+            }
+            Err(env::VarError::NotUnicode(_)) => {
+                return Err(
+                    anyhow!("{} must be valid UTF-8", SIDECAR_PROXY_PORT_ROUTES_ENV_VAR).into(),
+                );
+            }
+        }
+
+        let server = Self {
+            workload_id,
+            sidecar_proxy_manager_addr,
+            settings: Arc::new(settings),
+            routing_table: Arc::new(RwLock::new(routing_table)),
+            connection_registry: Arc::new(ConnectionRegistry::default()),
+            direct_endpoint: Arc::new(
+                DirectEndpoint::bind()
+                    .await
+                    .map_err(|e| anyhow!("failed to initialize direct endpoint: {}", e))?,
+            ),
+            rpc_client: Arc::new(RwLock::new(None)),
+        };
+
+        Ok(server)
+    }
+
+    /// Start the server with graceful shutdown support
+    pub async fn serve_with_graceful_shutdown<F>(self, shutdown_signal: F) -> Result<()>
+    where
+        F: std::future::Future<Output = ()> + Send + 'static,
+    {
+        // Start RPC connection to kube manager
+        {
+            let server = self.clone();
+            tokio::spawn(async move {
+                server.connect_rpc().await;
+            });
+        }
+
+        // Determine which ports we should listen on.
+        let listen_addr = self.settings.as_ref().listen_addr;
+        let listen_ip = listen_addr.ip();
+        let default_port = listen_addr.port();
+
+        let initial_ports: Vec<u16> = {
+            let table = self.routing_table.read().await;
+            let mut ports: HashSet<u16> = HashSet::new();
+            ports.insert(default_port);
+            ports.extend(table.port_routes().map(|route| route.proxy_port));
+            ports.into_iter().collect()
+        };
+
+        if initial_ports.is_empty() {
+            return Err(anyhow!("no listener ports configured for sidecar proxy").into());
+        }
+
+        let (listener_err_tx, mut listener_err_rx) =
+            mpsc::unbounded_channel::<(SocketAddr, String)>();
+        let mut listener_handles = Vec::new();
+
+        for port in initial_ports {
+            let addr = SocketAddr::new(listen_ip, port);
+            let listener = TcpListener::bind(addr).await?;
+            info!("Sidecar proxy listening on: {}", addr);
+
+            let routing_table = Arc::clone(&self.routing_table);
+            let rpc_client = Arc::clone(&self.rpc_client);
+            let settings = Arc::clone(&self.settings);
+            let connection_registry = Arc::clone(&self.connection_registry);
+            let err_tx = listener_err_tx.clone();
+
+            let handle = tokio::spawn(async move {
+                if let Err(err) = run_listener(
+                    listener,
+                    addr,
+                    settings,
+                    routing_table,
+                    rpc_client,
+                    connection_registry,
+                )
+                .await
+                {
+                    let _ = err_tx.send((addr, err.to_string()));
+                }
+            });
+
+            listener_handles.push(handle);
+        }
+
+        drop(listener_err_tx);
+
+        let mut server = Box::pin(async move {
+            if let Some((addr, err)) = listener_err_rx.recv().await {
+                error!("Listener {} failed: {}", addr, err);
+            }
+        });
+
+        tokio::select! {
+            _ = &mut server => {
+                info!("Server shut down gracefully");
+            }
+            _ = shutdown_signal => {
+                info!("Shutdown signal received");
+            }
+        }
+
+        for handle in listener_handles {
+            handle.abort();
+            let _ = handle.await;
+        }
+
+        Ok(())
+    }
+
+    async fn connect_rpc(&self) {
+        loop {
+            match self.handle_rpc_connection_cycle().await {
+                Ok(_) => {
+                    warn!("Connection to kube manager exited, retrying in 5 seconds...",);
+                }
+                Err(e) => {
+                    warn!(
+                        "Connection to kube manager failed: {}, retrying in 5 seconds...",
+                        e
+                    );
+                }
+            }
+            tokio::time::sleep(std::time::Duration::from_secs(5)).await;
+        }
+    }
+
+    async fn handle_rpc_connection_cycle(&self) -> Result<()> {
+        info!(
+            "Attempting to connect to sidecar proxy manager rpc at: {}",
+            self.sidecar_proxy_manager_addr,
+        );
+
+        // Connect via TCP
+        let conn = tarpc::serde_transport::tcp::connect(
+            &self.sidecar_proxy_manager_addr,
+            tarpc::tokio_serde::formats::Bincode::default,
+        )
+        .await?;
+
+        debug!(
+            "TCP connection established to {}",
+            self.sidecar_proxy_manager_addr
+        );
+
+        // Create length-delimited codec for message framing
+        let (server_chan, client_chan, _) = spawn_twoway(conn);
+
+        // Create RPC client
+        let rpc_client =
+            SidecarProxyManagerRpcClient::new(tarpc::client::Config::default(), client_chan)
+                .spawn();
+
+        // Store RPC client for use by connection handlers
+        {
+            let mut client_lock = self.rpc_client.write().await;
+            *client_lock = Some(rpc_client.clone());
+        }
+
+        let namespace = self
+            .settings
+            .as_ref()
+            .namespace
+            .clone()
+            .unwrap_or_else(|| "default".to_string());
+        let rpc_server = SidecarProxyRpcServer::new(
+            self.workload_id,
+            self.settings.as_ref().environment_id,
+            namespace,
+            rpc_client,
+            Arc::clone(&self.routing_table),
+            Arc::clone(&self.connection_registry),
+            Arc::clone(&self.direct_endpoint),
+        );
+        let rpc_server_clone = rpc_server.clone();
+        let rpc_server_task = tokio::spawn(async move {
+            BaseChannel::with_defaults(server_chan)
+                .execute(rpc_server_clone.serve())
+                .for_each(|resp| async move {
+                    tokio::spawn(resp);
+                })
+                .await;
+        });
+
+        let register_result = rpc_server.register_sidecar_proxy().await;
+        if let Err(err) = register_result {
+            rpc_server_task.abort();
+            let _ = rpc_server_task.await;
+            return Err(err.into());
+        }
+
+        info!("RPC client connected to kube manager");
+
+        let (hb_shutdown_tx, hb_shutdown_rx) = watch::channel(false);
+        let mut heartbeat_task = Box::pin(run_manager_heartbeat(
+            hb_shutdown_rx,
+            rpc_server.manager_client(),
+            self.workload_id,
+            self.settings.as_ref().environment_id,
+        ));
+
+        tokio::pin!(rpc_server_task);
+
+        tokio::select! {
+            res = &mut rpc_server_task => {
+                let _ = hb_shutdown_tx.send(true);
+                if let Err(join_err) = heartbeat_task.await {
+                    warn!("Heartbeat task ended: {}", join_err);
+                }
+                res.map_err(|e| anyhow!("sidecar RPC server task failed: {}", e))?;
+            }
+            res = &mut heartbeat_task => {
+                let _ = hb_shutdown_tx.send(true);
+                rpc_server_task.abort();
+                let _ = rpc_server_task.await;
+                match res {
+                    Ok(()) => return Err(anyhow!("Sidecar heartbeat stopped unexpectedly").into()),
+                    Err(err) => return Err(err.into()),
+                }
+            }
+        }
+
+        // Clear RPC client when connection ends
+        {
+            let mut client_lock = self.rpc_client.write().await;
+            *client_lock = None;
+        }
+
+        Ok(())
+    }
+
+    /// Start the server (blocking)
+    pub async fn serve(self) -> Result<()> {
+        // Use a never-completing future as the shutdown signal
+        let shutdown_signal = std::future::pending::<()>();
+        self.serve_with_graceful_shutdown(shutdown_signal).await
+    }
+}
+
+async fn run_listener(
+    listener: TcpListener,
+    listener_addr: SocketAddr,
+    settings: Arc<SidecarSettings>,
+    routing_table: Arc<RwLock<RoutingTable>>,
+    rpc_client: Arc<RwLock<Option<SidecarProxyManagerRpcClient>>>,
+    connection_registry: Arc<ConnectionRegistry>,
+) -> io::Result<()> {
+    loop {
+        match listener.accept().await {
+            Ok((inbound_stream, client_addr)) => {
+                debug!(
+                    "Accepted connection on {} from {}",
+                    listener_addr, client_addr
+                );
+                let routing_table = Arc::clone(&routing_table);
+                let rpc_client = Arc::clone(&rpc_client);
+                let settings = Arc::clone(&settings);
+                let connection_registry = Arc::clone(&connection_registry);
+
+                tokio::spawn(async move {
+                    if let Err(e) = handle_connection(
+                        inbound_stream,
+                        client_addr,
+                        settings,
+                        routing_table,
+                        rpc_client,
+                        connection_registry,
+                    )
+                    .await
+                    {
+                        if is_route_update_error(&e) {
+                            debug!(
+                                "Connection from {} closed due to routing update",
+                                client_addr
+                            );
+                        } else {
+                            error!("Error handling connection from {}: {}", client_addr, e);
+                        }
+                    }
+                });
+            }
+            Err(e) => match e.kind() {
+                io::ErrorKind::ConnectionAborted
+                | io::ErrorKind::ConnectionReset
+                | io::ErrorKind::Interrupted => {
+                    warn!(
+                        "Transient accept error on listener {}: {}",
+                        listener_addr, e
+                    );
+                    continue;
+                }
+                _ => {
+                    if let Some(raw_os_error) = e.raw_os_error() {
+                        const EMFILE: i32 = 24;
+                        const WSAEMFILE: i32 = 10024;
+
+                        if raw_os_error == EMFILE || raw_os_error == WSAEMFILE {
+                            error!(
+                                "File descriptor limit hit on listener {}: {} (errno={}), backing off before retrying",
+                                listener_addr, e, raw_os_error
+                            );
+                            sleep(Duration::from_millis(100)).await;
+                            continue;
+                        }
+                    }
+
+                    error!(
+                        "Failed to accept connection on listener {}: {}",
+                        listener_addr, e
+                    );
+                    return Err(e);
+                }
+            },
+        }
+    }
+}
+
+async fn run_manager_heartbeat(
+    mut shutdown_rx: watch::Receiver<bool>,
+    client: SidecarProxyManagerRpcClient,
+    workload_id: Uuid,
+    environment_id: Uuid,
+) -> anyhow::Result<()> {
+    let mut interval = tokio::time::interval(Duration::from_secs(SIDECAR_HEARTBEAT_INTERVAL_SECS));
+    interval.set_missed_tick_behavior(MissedTickBehavior::Skip);
+
+    loop {
+        tokio::select! {
+            _ = shutdown_rx.changed(), if *shutdown_rx.borrow() => {
+                return Ok(());
+            }
+            _ = interval.tick() => {
+                match client
+                    .heartbeat(tarpc::context::current(), workload_id, environment_id)
+                    .await
+                {
+                    Ok(Ok(())) => {}
+                    Ok(Err(err)) => return Err(anyhow!("Heartbeat rejected by kube-manager: {}", err)),
+                    Err(err) => return Err(anyhow!("Heartbeat RPC failed: {}", err)),
+                }
+            }
+        }
+    }
+}
+
+/// Handle a single TCP connection by extracting original destination and forwarding
+async fn handle_connection(
+    mut inbound_stream: TcpStream,
+    client_addr: SocketAddr,
+    settings: Arc<SidecarSettings>,
+    routing_table: Arc<RwLock<RoutingTable>>,
+    rpc_client: Arc<RwLock<Option<SidecarProxyManagerRpcClient>>>,
+    connection_registry: Arc<ConnectionRegistry>,
+) -> io::Result<()> {
+    let local_addr = inbound_stream.local_addr()?;
+    let proxy_port = local_addr.port();
+
+    debug!(
+        "Connection from {} accepted on proxy port {}",
+        client_addr, proxy_port
+    );
+
+    // Detect protocol by reading initial data with a bounded timeout
+    let detection = detect_protocol(&mut inbound_stream, Some(Duration::from_secs(10))).await;
+    let detection = match detection {
+        Ok(result) => result,
+        Err(e) => {
+            warn!("Failed to detect protocol for {}: {}", client_addr, e);
+            return Err(e);
+        }
+    };
+
+    let ProtocolDetectionResult {
+        protocol: protocol_type,
+        buffer: initial_data,
+        timed_out,
+    } = detection;
+
+    if timed_out {
+        debug!(
+            "Protocol detection for {} timed out after 10s; falling back to {:?}",
+            client_addr, protocol_type
+        );
+    }
+
+    match protocol_type {
+        ProtocolType::Http { .. } => {
+            handle_http_proxy(
+                inbound_stream,
+                client_addr,
+                proxy_port,
+                initial_data,
+                Arc::clone(&settings),
+                Arc::clone(&routing_table),
+                Arc::clone(&rpc_client),
+                Arc::clone(&connection_registry),
+            )
+            .await
+        }
+        ProtocolType::Http2 => {
+            handle_http2_proxy(
+                inbound_stream,
+                client_addr,
+                proxy_port,
+                initial_data,
+                settings,
+                Arc::clone(&routing_table),
+                Arc::clone(&rpc_client),
+                Arc::clone(&connection_registry),
+            )
+            .await
+        }
+        ProtocolType::Tcp => {
+            let (service_port, decision) = {
+                let table = routing_table.read().await;
+                let service_port = table.service_port_for_proxy(proxy_port);
+                let decision = table.resolve_tcp(service_port);
+                (service_port, decision)
+            };
+
+            match decision {
+                RouteDecision::BranchDevbox {
+                    branch_id: branch_env_id,
+                    connection,
+                    target_port,
+                } => {
+                    let shutdown_rx = connection_registry.subscribe(Some(branch_env_id)).await;
+                    let metadata = connection.metadata();
+                    info!(
+                        "TCP {} via proxy port {} (service {}) intercepted by Devbox (intercept_id={}, workload_id={}, target_port={})",
+                        client_addr,
+                        proxy_port,
+                        service_port,
+                        metadata.intercept_id,
+                        metadata.workload_id,
+                        target_port
+                    );
+                    handle_devbox_tunnel(
+                        inbound_stream,
+                        client_addr,
+                        service_port,
+                        initial_data,
+                        connection,
+                        target_port,
+                        shutdown_rx,
+                    )
+                    .await
+                }
+                RouteDecision::DefaultDevbox {
+                    connection,
+                    target_port,
+                } => {
+                    let shutdown_rx = connection_registry.subscribe(None).await;
+                    let metadata = connection.metadata();
+                    info!(
+                        "TCP {} via proxy port {} (service {}) intercepted by Devbox (intercept_id={}, workload_id={}, target_port={})",
+                        client_addr,
+                        proxy_port,
+                        service_port,
+                        metadata.intercept_id,
+                        metadata.workload_id,
+                        target_port
+                    );
+                    handle_devbox_tunnel(
+                        inbound_stream,
+                        client_addr,
+                        service_port,
+                        initial_data,
+                        connection,
+                        target_port,
+                        shutdown_rx,
+                    )
+                    .await
+                }
+                RouteDecision::DefaultLocal { target_port } => {
+                    let shutdown_rx = connection_registry.subscribe(None).await;
+                    let local_target = SocketAddr::new("127.0.0.1".parse().unwrap(), target_port);
+                    info!(
+                        "Proxying TCP from {} (proxy port {}, service {}) to {}",
+                        client_addr, proxy_port, service_port, local_target
+                    );
+                    handle_tcp_proxy(inbound_stream, local_target, initial_data, shutdown_rx).await
+                }
+                RouteDecision::BranchService { .. } => {
+                    let shutdown_rx = connection_registry.subscribe(None).await;
+                    let local_target = SocketAddr::new("127.0.0.1".parse().unwrap(), service_port);
+                    info!(
+                        "TCP connection from {} on proxy port {} matched branch service route unexpectedly; proxying to local {}",
+                        client_addr, proxy_port, local_target
+                    );
+                    handle_tcp_proxy(inbound_stream, local_target, initial_data, shutdown_rx).await
+                }
+            }
+        }
+    }
+}
+
+/// Handle HTTP proxying with OpenTelemetry header parsing and intelligent routing
+async fn handle_http_proxy(
+    mut inbound_stream: TcpStream,
+    client_addr: SocketAddr,
+    proxy_port: u16,
+    initial_data: Vec<u8>,
+    _settings: Arc<SidecarSettings>,
+    routing_table: Arc<RwLock<RoutingTable>>,
+    _rpc_client: Arc<RwLock<Option<SidecarProxyManagerRpcClient>>>,
+    connection_registry: Arc<ConnectionRegistry>,
+) -> io::Result<()> {
+    // Try to parse the HTTP request from the buffered data that protocol detection accumulated
+    let (http_request, _body_start) =
+        match http_parser::parse_http_request_from_buffer(&initial_data) {
+            Ok(parsed) => parsed,
+            Err(e) => {
+                warn!(
+                    "Failed to parse HTTP request: {}, falling back to TCP proxy",
+                    e
+                );
+                let fallback_port = {
+                    let table = routing_table.read().await;
+                    let service_port = table.service_port_for_proxy(proxy_port);
+                    table.target_port_for_service(service_port)
+                };
+                let fallback_target = SocketAddr::new("127.0.0.1".parse().unwrap(), fallback_port);
+                let shutdown_rx = connection_registry.subscribe(None).await;
+                return handle_tcp_proxy(
+                    inbound_stream,
+                    fallback_target,
+                    initial_data,
+                    shutdown_rx,
+                )
+                .await;
+            }
+        };
+
+    // Extract OpenTelemetry and routing context from headers
+    let routing_context = extract_routing_context(&http_request.headers);
+
+    let branch_id = routing_context.lapdev_environment_id;
+    let (service_port, decision) = {
+        let table = routing_table.read().await;
+        let service_port = table.service_port_for_proxy(proxy_port);
+        let decision = table.resolve_http(service_port, branch_id);
+        (service_port, decision)
+    };
+
+    let mut fallback_port = service_port;
+
+    match decision {
+        RouteDecision::BranchService { service } => {
+            if let Some(service_name) = service.service_name_for_port(service_port) {
+                info!(
+                    "HTTP {} {} routing to branch {:?} service {}:{}",
+                    http_request.method, http_request.path, branch_id, service_name, service_port
+                );
+
+                let shutdown_rx = connection_registry.subscribe(branch_id).await;
+                match proxy_branch_stream(
+                    &mut inbound_stream,
+                    service_name,
+                    service_port,
+                    &initial_data,
+                    shutdown_rx,
+                )
+                .await
+                {
+                    Ok(()) => return Ok(()),
+                    Err(err) => {
+                        if is_route_update_error(&err) {
+                            return Err(err);
+                        }
+                        warn!(
+                            "Branch route {} for env {:?} failed: {}; returning error",
+                            service_name, branch_id, err
+                        );
+                        return Err(err);
+                    }
+                }
+            } else {
+                warn!(
+                    "Missing branch service mapping for port {} in env {:?}",
+                    service_port, branch_id
+                );
+                return Err(io::Error::new(
+                    io::ErrorKind::Other,
+                    format!(
+                        "missing branch service mapping for port {} in env {:?}",
+                        service_port, branch_id
+                    ),
+                ));
+            }
+        }
+        RouteDecision::BranchDevbox {
+            branch_id: branch_env_id,
+            connection,
+            target_port,
+        } => {
+            let metadata = connection.metadata();
+            info!(
+                "HTTP {} {} intercepted by branch devbox (env {:?}, intercept_id={}, workload_id={}, target_port={})",
+                http_request.method,
+                http_request.path,
+                branch_env_id,
+                metadata.intercept_id,
+                metadata.workload_id,
+                target_port
+            );
+            let shutdown_rx = connection_registry.subscribe(Some(branch_env_id)).await;
+            return handle_devbox_tunnel(
+                inbound_stream,
+                client_addr,
+                service_port,
+                initial_data,
+                connection,
+                target_port,
+                shutdown_rx,
+            )
+            .await;
+        }
+        RouteDecision::DefaultDevbox {
+            connection,
+            target_port,
+        } => {
+            let metadata = connection.metadata();
+            info!(
+                "HTTP {} {} intercepted by shared devbox (proxy port {}, service port {}, intercept_id={}, workload_id={}, target_port={})",
+                http_request.method,
+                http_request.path,
+                proxy_port,
+                service_port,
+                metadata.intercept_id,
+                metadata.workload_id,
+                target_port
+            );
+            let shutdown_rx = connection_registry.subscribe(None).await;
+            return handle_devbox_tunnel(
+                inbound_stream,
+                client_addr,
+                service_port,
+                initial_data,
+                connection,
+                target_port,
+                shutdown_rx,
+            )
+            .await;
+        }
+        RouteDecision::DefaultLocal { target_port } => {
+            fallback_port = target_port;
+        }
+    }
+
+    let fallback_target = SocketAddr::new("127.0.0.1".parse().unwrap(), fallback_port);
+
+    // Determine routing target based on headers for fallback logging
+    let routing_target = determine_routing_target(&routing_context, service_port);
+    info!(
+        "HTTP {} {} -> {} (routing: {}, trace_id: {:?})",
+        http_request.method,
+        http_request.path,
+        fallback_target,
+        routing_target.get_metadata(),
+        routing_context.trace_context.trace_id
+    );
+
+    let shutdown_rx = connection_registry.subscribe(None).await;
+    proxy_stream(
+        &mut inbound_stream,
+        fallback_target,
+        &initial_data,
+        shutdown_rx,
+    )
+    .await
+}
+
+async fn proxy_stream(
+    inbound_stream: &mut TcpStream,
+    target: SocketAddr,
+    initial_data: &[u8],
+    shutdown_rx: watch::Receiver<bool>,
+) -> io::Result<()> {
+    let mut outbound_stream = TcpStream::connect(target).await?;
+
+    if !initial_data.is_empty() {
+        tokio::io::AsyncWriteExt::write_all(&mut outbound_stream, initial_data).await?;
+    }
+
+    match bidirectional_with_shutdown(inbound_stream, &mut outbound_stream, shutdown_rx).await {
+        Ok((bytes_tx, bytes_rx)) => {
+            debug!(
+                "HTTP connection completed via {}: {} bytes tx, {} bytes rx",
+                target, bytes_tx, bytes_rx
+            );
+        }
+        Err(err) if is_route_update_error(&err) => {
+            debug!(
+                "HTTP connection via {} closed due to routing update",
+                target
+            );
+            return Err(err);
+        }
+        Err(e) => {
+            debug!("HTTP connection via {} ended: {}", target, e);
+            return Err(e);
+        }
+    }
+
+    Ok(())
+}
+
+async fn proxy_branch_stream(
+    inbound_stream: &mut TcpStream,
+    service_name: &str,
+    port: u16,
+    initial_data: &[u8],
+    shutdown_rx: watch::Receiver<bool>,
+) -> io::Result<()> {
+    let mut outbound_stream = TcpStream::connect((service_name, port)).await?;
+
+    if !initial_data.is_empty() {
+        tokio::io::AsyncWriteExt::write_all(&mut outbound_stream, initial_data).await?;
+    }
+
+    match bidirectional_with_shutdown(inbound_stream, &mut outbound_stream, shutdown_rx).await {
+        Ok((bytes_tx, bytes_rx)) => {
+            debug!(
+                "HTTP connection completed via branch service {}:{}: {} bytes tx, {} bytes rx",
+                service_name, port, bytes_tx, bytes_rx
+            );
+        }
+        Err(err) if is_route_update_error(&err) => {
+            debug!(
+                "HTTP connection via branch service {}:{} closed due to routing update",
+                service_name, port
+            );
+            return Err(err);
+        }
+        Err(e) => {
+            debug!(
+                "HTTP connection via branch service {}:{} ended: {}",
+                service_name, port, e
+            );
+            return Err(e);
+        }
+    }
+
+    Ok(())
+}
+
+/// Handle TCP proxying (raw byte forwarding)
+async fn handle_tcp_proxy(
+    mut inbound_stream: TcpStream,
+    local_target: SocketAddr,
+    initial_data: Vec<u8>,
+    shutdown_rx: watch::Receiver<bool>,
+) -> io::Result<()> {
+    // Connect to the local service
+    let mut outbound_stream = TcpStream::connect(&local_target).await?;
+
+    // Send the initial data we read for protocol detection
+    if !initial_data.is_empty() {
+        tokio::io::AsyncWriteExt::write_all(&mut outbound_stream, &initial_data).await?;
+    }
+
+    // Start bidirectional copying for the rest of the connection
+    match bidirectional_with_shutdown(&mut inbound_stream, &mut outbound_stream, shutdown_rx).await
+    {
+        Ok((bytes_tx, bytes_rx)) => {
+            debug!(
+                "TCP connection completed: {} bytes tx, {} bytes rx",
+                bytes_tx, bytes_rx
+            );
+        }
+        Err(err) if is_route_update_error(&err) => {
+            debug!(
+                "TCP connection via {} closed due to routing update",
+                local_target
+            );
+            return Err(err);
+        }
+        Err(e) => {
+            debug!("TCP connection ended: {}", e);
+            return Err(e);
+        }
+    }
+
+    Ok(())
+}
+
+/// Handle a connection that should be routed through a devbox tunnel
+///
+/// Architecture:
+///   Sidecar opens a websocket directly to the Lapdev API using the intercept session token,
+///   then proxies data between the cluster workload and the developer's machine over that tunnel.
+async fn handle_devbox_tunnel(
+    mut inbound_stream: TcpStream,
+    client_addr: SocketAddr,
+    service_port: u16,
+    initial_data: Vec<u8>,
+    connection: Arc<DevboxConnection>,
+    target_port: u16,
+    shutdown_rx: watch::Receiver<bool>,
+) -> io::Result<()> {
+    let metadata = connection.metadata();
+
+    info!(
+        "Routing {} (service port {}) through devbox tunnel (intercept_id={}, workload_id={}, target_port={})",
+        client_addr, service_port, metadata.intercept_id, metadata.workload_id, target_port
+    );
+
+    info!(
+        "Connecting to devbox tunnel websocket for intercept_id={} at {}",
+        metadata.intercept_id, metadata.websocket_url
+    );
+
+    let mut devbox_stream = match connection
+        .connect_tcp_stream("127.0.0.1", target_port)
+        .await
+    {
+        Ok(stream) => stream,
+        Err(err) => {
+            error!(
+                "Failed to establish tunnel stream for intercept {}: {}",
+                metadata.intercept_id, err
+            );
+            return Err(io::Error::from(err));
+        }
+    };
+
+    if !initial_data.is_empty() {
+        tokio::io::AsyncWriteExt::write_all(&mut devbox_stream, &initial_data).await?;
+    }
+
+    match bidirectional_with_shutdown(&mut inbound_stream, &mut devbox_stream, shutdown_rx).await {
+        Ok((bytes_tx, bytes_rx)) => {
+            info!(
+                "Devbox tunnel completed: {} bytes sent, {} bytes received (intercept_id={})",
+                bytes_tx, bytes_rx, metadata.intercept_id
+            );
+        }
+        Err(err) if is_route_update_error(&err) => {
+            info!(
+                "Devbox tunnel for intercept_id={} closed due to routing update",
+                metadata.intercept_id
+            );
+            return Err(err);
+        }
+        Err(err) => {
+            warn!(
+                "Devbox tunnel error for intercept_id={}: {}",
+                metadata.intercept_id, err
+            );
+            return Err(io::Error::from(err));
+        }
+    }
+
+    if let Err(err) = tokio::io::AsyncWriteExt::shutdown(&mut devbox_stream).await {
+        debug!("Failed to shutdown tunnel stream cleanly: {}", err);
+    }
+
+    Ok(())
+}
+
+async fn bidirectional_with_shutdown<Inbound, Outbound>(
+    inbound_stream: &mut Inbound,
+    outbound_stream: &mut Outbound,
+    mut shutdown_rx: watch::Receiver<bool>,
+) -> io::Result<(u64, u64)>
+where
+    Inbound: AsyncRead + AsyncWrite + Unpin + ?Sized,
+    Outbound: AsyncRead + AsyncWrite + Unpin + ?Sized,
+{
+    let copy_future = copy_bidirectional(inbound_stream, outbound_stream);
+    tokio::pin!(copy_future);
+    tokio::select! {
+        res = &mut copy_future => res,
+        recv = shutdown_rx.changed() => {
+            match recv {
+                Ok(_) => Err(route_update_error()),
+                Err(_) => Err(route_update_error()),
+            }
+        }
+    }
+}
+
+fn route_update_error() -> io::Error {
+    io::Error::new(io::ErrorKind::ConnectionAborted, RouteUpdateError)
+}
+
+fn is_route_update_error(err: &io::Error) -> bool {
+    err.kind() == io::ErrorKind::ConnectionAborted
+        && err
+            .get_ref()
+            .and_then(|inner| inner.downcast_ref::<RouteUpdateError>())
+            .is_some()
+}
+
+#[derive(Debug)]
+struct RouteUpdateError;
+
+impl std::fmt::Display for RouteUpdateError {
+    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
+        write!(f, "connection closed due to routing update")
+    }
+}
+
+impl std::error::Error for RouteUpdateError {}
diff --git a/crates/kube/Cargo.toml b/crates/kube/Cargo.toml
new file mode 100644
index 0000000..74a9018
--- /dev/null
+++ b/crates/kube/Cargo.toml
@@ -0,0 +1,39 @@
+[package]
+name = "lapdev-kube"
+version.workspace = true
+authors.workspace = true
+edition.workspace = true
+
+[dependencies]
+pem = "3.0.5"
+yup-oauth2 = { version = "12.1.0", default-features = false, features = [
+    "hyper-rustls",
+    "service-account",
+    "ring",
+] }
+httparse = "1.8"
+uuid.workspace = true
+base64.workspace = true
+anyhow.workspace = true
+reqwest.workspace = true
+chrono.workspace = true
+thiserror.workspace = true
+sea-orm.workspace = true
+serde_json.workspace = true
+serde.workspace = true
+serde_yaml.workspace = true
+pasetors.workspace = true
+lapdev-rpc.workspace = true
+lapdev-kube-rpc.workspace = true
+lapdev-common.workspace = true
+lapdev-db.workspace = true
+lapdev-db-entities.workspace = true
+tracing.workspace = true
+kube.workspace = true
+k8s-openapi.workspace = true
+tarpc.workspace = true
+tokio.workspace = true
+futures.workspace = true
+axum.workspace = true
+tokio-tungstenite.workspace = true
+lapdev-tunnel.workspace = true
diff --git a/crates/kube/src/http_proxy.rs b/crates/kube/src/http_proxy.rs
new file mode 100644
index 0000000..e963bd4
--- /dev/null
+++ b/crates/kube/src/http_proxy.rs
@@ -0,0 +1,944 @@
+use anyhow::Result;
+use axum::{http::StatusCode, response::IntoResponse};
+use std::{io, sync::Arc};
+use tokio::{
+    io::{copy_bidirectional, AsyncReadExt, AsyncWriteExt},
+    net::{TcpListener, TcpStream},
+};
+use tracing::{debug, error, info, warn};
+use uuid::Uuid;
+
+use crate::{
+    preview_url::{PreviewUrlError, PreviewUrlResolver, PreviewUrlTarget},
+    tunnel::TunnelRegistry,
+};
+use chrono::Utc;
+use lapdev_common::{
+    devbox::DevboxPortMapping, error_page::render_error_page, kube::PreviewUrlAccessLevel,
+    LAPDEV_AUTH_TOKEN_COOKIE,
+};
+use lapdev_db::api::DbApi;
+use lapdev_kube_rpc::http_parser;
+use lapdev_tunnel::TunnelError;
+use pasetors::{
+    claims::ClaimsValidationRules, keys::SymmetricKey, local, token::UntrustedToken, version4::V4,
+};
+
+pub struct PreviewUrlProxy {
+    url_resolver: PreviewUrlResolver,
+    tunnel_registry: Arc<TunnelRegistry>,
+    db: DbApi,
+    auth_token_key: Arc<SymmetricKey<V4>>,
+}
+
+impl PreviewUrlProxy {
+    pub async fn new(db: DbApi, tunnel_registry: Arc<TunnelRegistry>) -> Self {
+        let auth_token_key = Arc::new(db.load_api_auth_token_key().await);
+        let url_resolver = PreviewUrlResolver::new(db.clone());
+
+        Self {
+            url_resolver,
+            tunnel_registry,
+            db,
+            auth_token_key,
+        }
+    }
+
+    /// Start the standalone TCP server for preview URL proxy
+    pub async fn start_tcp_server(self: Arc<Self>, bind_addr: &str) -> Result<(), ProxyError> {
+        let listener = TcpListener::bind(bind_addr)
+            .await
+            .map_err(|e| ProxyError::Internal(format!("Failed to bind to {}: {}", bind_addr, e)))?;
+
+        info!("PreviewUrlProxy TCP server listening on {}", bind_addr);
+
+        loop {
+            match listener.accept().await {
+                Ok((stream, client_addr)) => {
+                    debug!("New client connection from: {}", client_addr);
+                    let proxy = Arc::clone(&self);
+
+                    // Spawn a new task for each client connection
+                    tokio::spawn(async move {
+                        if let Err(e) = proxy.handle_client_connection(stream).await {
+                            error!(
+                                "Error handling client connection from {}: {}",
+                                client_addr, e
+                            );
+                        }
+                    });
+                }
+                Err(e) => {
+                    error!("Failed to accept client connection: {}", e);
+                    // Continue accepting other connections
+                    continue;
+                }
+            }
+        }
+    }
+
+    /// Handle a single client TCP connection with direct TCP stream proxying
+    async fn handle_client_connection(&self, mut stream: TcpStream) -> Result<(), ProxyError> {
+        // Use the shared HTTP parser that handles incremental reading
+        let mut buffer = Vec::new();
+
+        match http_parser::read_http_headers(&mut stream, &mut buffer).await {
+            Ok(()) => match http_parser::parse_http_request_from_buffer(&buffer) {
+                Ok((parsed_request, headers_len)) => {
+                    debug!(
+                        "Parsed request: {} {}",
+                        parsed_request.method, parsed_request.path
+                    );
+
+                    // Extract Host header using the shared utility
+                    let host =
+                        http_parser::get_host_header(&parsed_request.headers).ok_or_else(|| {
+                            ProxyError::InvalidUrl(
+                                "Lapdev didn’t receive a Host header for this preview request."
+                                    .to_string(),
+                            )
+                        })?;
+
+                    let subdomain = host
+                        .split('.')
+                        .next()
+                        .ok_or_else(|| {
+                            ProxyError::InvalidUrl(
+                                "The preview hostname is invalid. Double-check the URL."
+                                    .to_string(),
+                            )
+                        })?
+                        .to_string();
+
+                    debug!("Extracted subdomain: {} from host: {}", subdomain, host);
+
+                    // Resolve preview URL target
+                    let target = match self.resolve_preview_url_target(&subdomain).await {
+                        Ok(target) => target,
+                        Err(err) => {
+                            self.respond_with_proxy_error(&mut stream, err).await?;
+                            return Ok(());
+                        }
+                    };
+
+                    // Enforce access controls based on preview URL configuration
+                    if let Err(err) = self.authorize_request(&parsed_request, &target).await {
+                        self.respond_with_proxy_error(&mut stream, err).await?;
+                        return Ok(());
+                    }
+
+                    info!(
+                        "Resolved target: service={}:{} in cluster={}",
+                        target.service_name, target.service_port, target.cluster_id
+                    );
+
+                    // Modify the initial request data to add environment ID to tracestate header
+                    let initial_request_data = Self::add_environment_id_to_headers(
+                        &buffer,
+                        headers_len,
+                        target.environment_id,
+                    )?;
+
+                    // Start direct TCP proxying; on errors respond with a friendly page
+                    match self
+                        .start_tcp_proxy(&mut stream, target, initial_request_data)
+                        .await
+                    {
+                        Ok(()) => Ok(()),
+                        Err(proxy_err) => {
+                            self.respond_with_proxy_error(&mut stream, proxy_err).await
+                        }
+                    }
+                }
+                Err(e) => {
+                    debug!("Failed to parse buffered HTTP request: {}", e);
+                    let page = render_error_page(
+                        "Lapdev couldn’t understand the HTTP request for this preview. Refresh and try again.",
+                    );
+                    self.send_error_page(&mut stream, StatusCode::BAD_REQUEST, &page)
+                        .await
+                }
+            },
+            Err(e) => {
+                debug!("Failed to read complete HTTP headers from client: {}", e);
+                if e.kind() == io::ErrorKind::InvalidData
+                    && e.to_string().contains("exceed maximum size")
+                {
+                    let page = render_error_page(
+                        "The preview request headers exceeded Lapdev’s size limit. Reduce header size and try again.",
+                    );
+                    self.send_error_page(&mut stream, StatusCode::PAYLOAD_TOO_LARGE, &page)
+                        .await
+                } else {
+                    let page = render_error_page(
+                        "Lapdev couldn’t finish reading the HTTP request for this preview.",
+                    );
+                    self.send_error_page(&mut stream, StatusCode::BAD_REQUEST, &page)
+                        .await
+                }
+            }
+        }
+    }
+
+    /// Send error response to client
+    async fn send_error_page(
+        &self,
+        stream: &mut TcpStream,
+        status: StatusCode,
+        body: &str,
+    ) -> Result<(), ProxyError> {
+        let status_line = format!(
+            "HTTP/1.1 {} {}\r\n",
+            status.as_u16(),
+            status.canonical_reason().unwrap_or("Unknown")
+        );
+        stream
+            .write_all(status_line.as_bytes())
+            .await
+            .map_err(|e| ProxyError::Internal(format!("Failed to write status line: {e}")))?;
+
+        let headers = format!(
+            "Content-Type: text/html; charset=utf-8\r\nContent-Length: {}\r\nConnection: close\r\n\r\n",
+            body.len()
+        );
+
+        stream
+            .write_all(headers.as_bytes())
+            .await
+            .map_err(|e| ProxyError::Internal(format!("Failed to write headers: {e}")))?;
+
+        stream
+            .write_all(body.as_bytes())
+            .await
+            .map_err(|e| ProxyError::Internal(format!("Failed to write body: {e}")))?;
+
+        stream
+            .flush()
+            .await
+            .map_err(|e| ProxyError::Internal(format!("Failed to flush response: {e}")))?;
+
+        Ok(())
+    }
+
+    /// Resolve preview URL target from subdomain
+    async fn resolve_preview_url_target(
+        &self,
+        subdomain: &str,
+    ) -> Result<PreviewUrlTarget, ProxyError> {
+        // Parse subdomain
+        let url_info = PreviewUrlResolver::parse_preview_url(subdomain).map_err(|e| {
+            let message = match e {
+                PreviewUrlError::InvalidFormat => {
+                    "Preview links must follow the pattern <port>-<service>-<hash>.".to_string()
+                }
+                PreviewUrlError::InvalidPort => {
+                    "The preview link starts with an invalid port number.".to_string()
+                }
+                _ => format!("Lapdev couldn’t parse this preview link: {e}"),
+            };
+            ProxyError::InvalidUrl(message)
+        })?;
+
+        debug!("Parsed URL info: {:?}", url_info);
+
+        let service_name_for_error = url_info.service_name.clone();
+        let port_for_error = url_info.port;
+        let preview_summary = format!(
+            "service `{}` on port {} (preview link `{}`)",
+            service_name_for_error.as_str(),
+            port_for_error,
+            subdomain
+        );
+
+        // Resolve preview URL target
+        let target = self
+            .url_resolver
+            .resolve_preview_url(url_info)
+            .await
+            .map_err(|e| match e {
+                PreviewUrlError::EnvironmentNotFound => {
+                    ProxyError::NotFound(format!(
+                        "Lapdev couldn’t find any environment that matches {}.",
+                        preview_summary.clone()
+                    ))
+                }
+                PreviewUrlError::ServiceNotFound => {
+                    ProxyError::NotFound(format!(
+                        "The environment behind this preview doesn’t expose service `{}` on port {}.",
+                        service_name_for_error.as_str(),
+                        port_for_error
+                    ))
+                }
+                PreviewUrlError::PreviewUrlNotConfigured => {
+                    ProxyError::NotFound(format!(
+                        "This preview link hasn’t been configured yet for service `{}` on port {}. Recreate it from the Lapdev dashboard.",
+                        service_name_for_error.as_str(),
+                        port_for_error
+                    ))
+                }
+                PreviewUrlError::AccessDenied => ProxyError::Forbidden(format!(
+                    "You don’t have permission to view {}. Ask the environment owner to grant you access.",
+                    preview_summary.clone()
+                )),
+                _ => ProxyError::Internal(e.to_string()),
+            })?;
+
+        // Update access timestamp
+        if let Err(e) = self
+            .url_resolver
+            .update_preview_url_access(target.preview_url_id)
+            .await
+        {
+            warn!("Failed to update preview URL access timestamp: {}", e);
+        }
+
+        Ok(target)
+    }
+
+    async fn respond_with_proxy_error(
+        &self,
+        stream: &mut TcpStream,
+        error: ProxyError,
+    ) -> Result<(), ProxyError> {
+        let (status, reason) = match &error {
+            ProxyError::Forbidden(msg) => (StatusCode::FORBIDDEN, msg.clone()),
+            ProxyError::NotFound(msg) => (StatusCode::NOT_FOUND, msg.clone()),
+            ProxyError::TunnelNotAvailable(msg) => (
+                StatusCode::SERVICE_UNAVAILABLE,
+                if msg.is_empty() {
+                    "Lapdev couldn’t reach the preview environment right now. Please retry in a few seconds."
+                        .to_string()
+                } else {
+                    msg.clone()
+                },
+            ),
+            ProxyError::Timeout(msg) => (
+                StatusCode::GATEWAY_TIMEOUT,
+                if msg.is_empty() {
+                    "The preview environment took too long to answer. Refresh the page or restart the environment."
+                        .to_string()
+                } else {
+                    msg.clone()
+                },
+            ),
+            ProxyError::InvalidUrl(msg) => (
+                StatusCode::BAD_REQUEST,
+                if msg.is_empty() {
+                    "This preview link was malformed. Double-check the URL and try again.".to_string()
+                } else {
+                    msg.clone()
+                },
+            ),
+            ProxyError::NetworkError(msg) => (
+                StatusCode::BAD_GATEWAY,
+                if msg.is_empty() {
+                    "Lapdev couldn’t proxy the request to the environment. Try again shortly."
+                        .to_string()
+                } else {
+                    msg.clone()
+                },
+            ),
+            ProxyError::Internal(_) => (
+                StatusCode::INTERNAL_SERVER_ERROR,
+                "Lapdev hit an unexpected error while loading this preview. Please retry or recreate the Preview URL."
+                    .to_string(),
+            ),
+        };
+
+        warn!("Responding with error page: {:?} ({})", status, error);
+        let page = render_error_page(&reason);
+        self.send_error_page(stream, status, &page).await
+    }
+
+    /// Ensure the caller is authorized to access the resolved preview target
+    async fn authorize_request(
+        &self,
+        request: &http_parser::ParsedHttpRequest,
+        target: &PreviewUrlTarget,
+    ) -> Result<(), ProxyError> {
+        match target.access_level {
+            PreviewUrlAccessLevel::Public => Ok(()),
+            PreviewUrlAccessLevel::Organization => {
+                let token = self
+                    .extract_cookie_value(&request.headers, LAPDEV_AUTH_TOKEN_COOKIE)
+                    .ok_or_else(|| {
+                        ProxyError::Forbidden(
+                            "Sign in to Lapdev to view this Preview URL.".to_string(),
+                        )
+                    })?;
+
+                let user_id = self.user_id_from_token(&token)?;
+
+                self.ensure_org_membership(user_id, target.organization_id)
+                    .await?;
+
+                debug!(
+                    "Authorized organization member {} for preview {}",
+                    user_id, target.preview_url_id
+                );
+
+                Ok(())
+            }
+        }
+    }
+
+    fn extract_cookie_value(
+        &self,
+        headers: &[(String, String)],
+        cookie_name: &str,
+    ) -> Option<String> {
+        let prefix = format!("{cookie_name}=");
+
+        headers
+            .iter()
+            .filter(|(name, _)| name.eq_ignore_ascii_case("cookie"))
+            .flat_map(|(_, value)| value.split(';'))
+            .map(|cookie| cookie.trim())
+            .find_map(|cookie| cookie.strip_prefix(&prefix).map(|value| value.to_string()))
+    }
+
+    fn user_id_from_token(&self, token: &str) -> Result<Uuid, ProxyError> {
+        let invalid_token_msg =
+            "Your preview session expired. Please sign in again to refresh your access.";
+
+        let untrusted = UntrustedToken::try_from(token)
+            .map_err(|_| ProxyError::Forbidden(invalid_token_msg.to_string()))?;
+
+        let trusted = local::decrypt(
+            self.auth_token_key.as_ref(),
+            &untrusted,
+            &ClaimsValidationRules::new(),
+            None,
+            None,
+        )
+        .map_err(|_| ProxyError::Forbidden(invalid_token_msg.to_string()))?;
+
+        let claims = trusted
+            .payload_claims()
+            .ok_or_else(|| ProxyError::Forbidden(invalid_token_msg.to_string()))?;
+
+        let user_id_value = claims
+            .get_claim("user_id")
+            .ok_or_else(|| ProxyError::Forbidden(invalid_token_msg.to_string()))?;
+
+        let user_id: String = serde_json::from_value(user_id_value.clone())
+            .map_err(|_| ProxyError::Forbidden(invalid_token_msg.to_string()))?;
+
+        Uuid::parse_str(&user_id).map_err(|_| ProxyError::Forbidden(invalid_token_msg.to_string()))
+    }
+
+    async fn ensure_org_membership(
+        &self,
+        user_id: Uuid,
+        organization_id: Uuid,
+    ) -> Result<(), ProxyError> {
+        self.db
+            .get_organization_member(user_id, organization_id)
+            .await
+            .map(|_| ())
+            .map_err(|err| {
+                if err
+                    .to_string()
+                    .contains("no organization member found")
+                {
+                    ProxyError::Forbidden(
+                        "You need to be a member of the organization that owns this preview."
+                            .to_string(),
+                    )
+                } else {
+                    error!(
+                        "Failed to verify organization membership for user {} in organization {}: {}",
+                        user_id, organization_id, err
+                    );
+                    ProxyError::Internal(
+                        "Failed to verify organization membership".to_string(),
+                    )
+                }
+            })
+    }
+
+    /// Start direct TCP proxying between client and target service
+    async fn start_tcp_proxy(
+        &self,
+        client_stream: &mut TcpStream,
+        target: PreviewUrlTarget,
+        initial_request_data: Vec<u8>,
+    ) -> Result<(), ProxyError> {
+        info!(
+            "Starting TCP proxy to {}:{} in cluster {}",
+            target.service_name, target.service_port, target.cluster_id
+        );
+
+        let tunnel_client = self
+            .tunnel_registry
+            .get_client(target.cluster_id)
+            .await
+            .ok_or_else(|| {
+                ProxyError::TunnelNotAvailable(
+                    "Lapdev can’t reach the Kubernetes cluster that hosts this preview. Make sure the cluster agent is running."
+                        .to_string(),
+                )
+            })?;
+
+        if tunnel_client.is_closed() {
+            return Err(ProxyError::TunnelNotAvailable(
+                "Lapdev’s connection to the preview cluster closed unexpectedly. Refresh the page or restart the environment."
+                    .to_string(),
+            ));
+        }
+
+        // Build the target host for the service inside the cluster
+        let target_host = format!("{}.{}.svc", target.service_name, target.namespace);
+
+        debug!("Target: {}:{}", target_host, target.service_port);
+
+        let mut tunnel_stream = tunnel_client
+            .connect_tcp(target_host.clone(), target.service_port)
+            .await
+            .map_err(|err| {
+                warn!(
+                    service = %target.service_name,
+                    port = target.service_port,
+                    cluster = %target.cluster_id,
+                    "Failed to open tunnel connection: {err}"
+                );
+                Self::map_tunnel_connect_error(err)
+            })?;
+
+        if !initial_request_data.is_empty() {
+            tunnel_stream
+                .write_all(&initial_request_data)
+                .await
+                .map_err(|e| {
+                    ProxyError::NetworkError(format!(
+                        "Failed to send initial request through tunnel: {}",
+                        e
+                    ))
+                })?;
+        }
+
+        let mut downstream_bytes = 0u64;
+
+        let mut initial_buffer = vec![0u8; 8192];
+        match tunnel_stream
+            .read(&mut initial_buffer)
+            .await
+            .map_err(Self::map_tunnel_runtime_error)?
+        {
+            0 => {
+                warn!(
+                    "Tunnel to {}:{} closed before any downstream bytes were sent (cluster={})",
+                    target.service_name, target.service_port, target.cluster_id
+                );
+                if let Some(hint) = self.intercept_hint(&target).await {
+                    return Err(ProxyError::Timeout(hint));
+                }
+                return Err(ProxyError::Timeout(
+                    "Target service did not produce a response".to_string(),
+                ));
+            }
+            n => {
+                client_stream
+                    .write_all(&initial_buffer[..n])
+                    .await
+                    .map_err(|e| {
+                        ProxyError::NetworkError(format!(
+                            "Failed to send initial response chunk to client: {}",
+                            e
+                        ))
+                    })?;
+                downstream_bytes += n as u64;
+            }
+        }
+
+        let (bytes_tx, bytes_rx) = copy_bidirectional(client_stream, &mut tunnel_stream)
+            .await
+            .map_err(Self::map_tunnel_runtime_error)?;
+
+        downstream_bytes += bytes_rx;
+
+        info!(
+            "Tunnel proxied {} bytes upstream and {} bytes downstream (cluster={})",
+            bytes_tx, downstream_bytes, target.cluster_id
+        );
+
+        if let Err(err) = AsyncWriteExt::shutdown(&mut tunnel_stream).await {
+            debug!("Failed to shutdown tunnel stream cleanly: {}", err);
+        }
+
+        Ok(())
+    }
+
+    fn map_tunnel_connect_error(err: TunnelError) -> ProxyError {
+        match err {
+            TunnelError::Remote(reason) => {
+                ProxyError::Timeout(format!("Target reported connection error: {}", reason))
+            }
+            TunnelError::Transport(io_err) => {
+                let message = format!("Transport error while opening tunnel: {}", io_err);
+                match io_err.kind() {
+                    io::ErrorKind::ConnectionRefused
+                    | io::ErrorKind::ConnectionAborted
+                    | io::ErrorKind::ConnectionReset
+                    | io::ErrorKind::TimedOut
+                    | io::ErrorKind::NotConnected => ProxyError::Timeout(message),
+                    _ => ProxyError::NetworkError(message),
+                }
+            }
+            TunnelError::ConnectionClosed => ProxyError::NetworkError(
+                "Tunnel connection closed before target connection was established".to_string(),
+            ),
+        }
+    }
+
+    fn map_tunnel_runtime_error(err: io::Error) -> ProxyError {
+        if let Some(tunnel_error) = Self::tunnel_error_from_io(&err) {
+            return match tunnel_error {
+                TunnelError::Remote(reason) => {
+                    ProxyError::Timeout(format!("Tunnel closed remotely: {}", reason))
+                }
+                TunnelError::ConnectionClosed => ProxyError::TunnelNotAvailable(
+                    "Lapdev’s tunnel to the preview environment closed unexpectedly.".to_string(),
+                ),
+                TunnelError::Transport(inner) => {
+                    ProxyError::NetworkError(format!("Tunnel transport error: {}", inner))
+                }
+            };
+        }
+
+        ProxyError::NetworkError(format!("Tunnel proxying failed: {}", err))
+    }
+
+    fn tunnel_error_from_io(err: &io::Error) -> Option<&TunnelError> {
+        err.get_ref()
+            .and_then(|inner| inner.downcast_ref::<TunnelError>())
+    }
+
+    async fn intercept_hint(&self, target: &PreviewUrlTarget) -> Option<String> {
+        let intercepts = match self
+            .db
+            .get_active_intercepts_for_environment(target.environment_id)
+            .await
+        {
+            Ok(list) => list,
+            Err(err) => {
+                warn!(
+                    "Failed to load intercepts for environment {}: {}",
+                    target.environment_id, err
+                );
+                return None;
+            }
+        };
+
+        for intercept in intercepts {
+            let Ok(port_mappings) =
+                serde_json::from_value::<Vec<DevboxPortMapping>>(intercept.port_mappings.clone())
+            else {
+                continue;
+            };
+
+            if !port_mappings
+                .iter()
+                .any(|mapping| mapping.workload_port == target.service_port)
+            {
+                continue;
+            }
+
+            let workload_name = self
+                .db
+                .get_environment_workload(intercept.workload_id)
+                .await
+                .ok()
+                .flatten()
+                .map(|w| w.name)
+                .unwrap_or_else(|| "this workload".to_string());
+
+            let user_label = self
+                .db
+                .get_user(intercept.user_id)
+                .await
+                .ok()
+                .flatten()
+                .and_then(|u| {
+                    u.name
+                        .clone()
+                        .filter(|name| !name.is_empty())
+                        .or(u.email.clone())
+                })
+                .unwrap_or_else(|| format!("user {}", intercept.user_id));
+
+            let since = intercept
+                .created_at
+                .with_timezone(&Utc)
+                .format("%Y-%m-%d %H:%M:%S UTC");
+            let local_port = port_mappings
+                .iter()
+                .find(|mapping| mapping.workload_port == target.service_port)
+                .map(|mapping| mapping.local_port);
+
+            return Some(format!(
+                "Service `{}` port {} is intercepted by {} on workload `{}` (active since {}). Lapdev routed this preview through their local port {} but it didn’t respond.",
+                target.service_name,
+                target.service_port,
+                user_label,
+                workload_name,
+                since,
+                local_port
+                    .map(|p| p.to_string())
+                    .unwrap_or_else(|| "unknown".to_string())
+            ));
+        }
+
+        None
+    }
+
+    /// Add environment ID to the tracestate header in HTTP request using parsed header info
+    fn add_environment_id_to_headers(
+        request_data: &[u8],
+        headers_len: usize,
+        environment_id: Uuid,
+    ) -> Result<Vec<u8>, ProxyError> {
+        // Split headers and body based on headers_len from httparse
+        let headers_part = &request_data[..headers_len];
+        let body_part = &request_data[headers_len..];
+
+        // Convert headers to string for modification
+        let headers_str = std::str::from_utf8(headers_part)
+            .map_err(|e| ProxyError::Internal(format!("Invalid UTF-8 in headers: {}", e)))?;
+
+        let environment_tracestate = format!("lapdev-env-id={}", environment_id);
+        let mut modified_headers = String::new();
+        let mut tracestate_added = false;
+        let mut connection_header_written = false;
+        let mut is_upgrade_request = false;
+
+        for line in headers_str.lines() {
+            let lower = line.to_lowercase();
+
+            if lower.starts_with("tracestate:") {
+                // Existing tracestate header - append our environment ID
+                let existing_value = line[11..].trim(); // Skip "tracestate:"
+                if existing_value.is_empty() {
+                    modified_headers
+                        .push_str(&format!("tracestate: {}\r\n", environment_tracestate));
+                } else {
+                    modified_headers.push_str(&format!(
+                        "tracestate: {},{}\r\n",
+                        existing_value, environment_tracestate
+                    ));
+                }
+                tracestate_added = true;
+            } else if lower.starts_with("connection:") {
+                connection_header_written = true;
+                if lower.contains("upgrade") {
+                    is_upgrade_request = true;
+                    modified_headers.push_str(line);
+                    modified_headers.push_str("\r\n");
+                } else {
+                    // Force HTTP/1.1 keep-alive clients to close after the response
+                    modified_headers.push_str("connection: close\r\n");
+                }
+            } else if lower.starts_with("upgrade:") {
+                is_upgrade_request = true;
+                modified_headers.push_str(line);
+                modified_headers.push_str("\r\n");
+            } else if line.is_empty() {
+                if !tracestate_added {
+                    modified_headers
+                        .push_str(&format!("tracestate: {}\r\n", environment_tracestate));
+                    tracestate_added = true;
+                }
+                if !connection_header_written && !is_upgrade_request {
+                    modified_headers.push_str("connection: close\r\n");
+                    connection_header_written = true;
+                }
+                modified_headers.push_str("\r\n");
+            } else {
+                modified_headers.push_str(line);
+                modified_headers.push_str("\r\n");
+            }
+        }
+
+        // If we didn't add tracestate yet (no empty line found), add it at the end
+        if !tracestate_added {
+            modified_headers.push_str(&format!("tracestate: {}\r\n", environment_tracestate));
+        }
+        // Ensure keep-alive traffic doesn't get multiplexed across previews
+        if !connection_header_written && !is_upgrade_request {
+            modified_headers.push_str("connection: close\r\n");
+        }
+
+        // Reconstruct the complete request
+        let mut modified_request = Vec::new();
+        modified_request.extend_from_slice(modified_headers.as_bytes());
+        modified_request.extend_from_slice(body_part);
+
+        debug!(
+            "Added environment ID {} to tracestate header",
+            environment_id
+        );
+
+        Ok(modified_request)
+    }
+}
+
+#[derive(Debug, thiserror::Error)]
+pub enum ProxyError {
+    #[error("Invalid URL: {0}")]
+    InvalidUrl(String),
+    #[error("Not found: {0}")]
+    NotFound(String),
+    #[error("Forbidden: {0}")]
+    Forbidden(String),
+    #[error("Tunnel not available: {0}")]
+    TunnelNotAvailable(String),
+    #[error("Timeout: {0}")]
+    Timeout(String),
+    #[error("Network error: {0}")]
+    NetworkError(String),
+    #[error("Internal error: {0}")]
+    Internal(String),
+}
+
+impl IntoResponse for ProxyError {
+    fn into_response(self) -> axum::response::Response {
+        let (status_code, error_message) = match self {
+            ProxyError::InvalidUrl(msg) => (StatusCode::BAD_REQUEST, msg),
+            ProxyError::NotFound(msg) => (StatusCode::NOT_FOUND, msg),
+            ProxyError::Forbidden(msg) => (StatusCode::FORBIDDEN, msg),
+            ProxyError::TunnelNotAvailable(msg) => (StatusCode::SERVICE_UNAVAILABLE, msg),
+            ProxyError::Timeout(msg) => (StatusCode::GATEWAY_TIMEOUT, msg),
+            ProxyError::NetworkError(msg) => (StatusCode::BAD_GATEWAY, msg),
+            ProxyError::Internal(msg) => (StatusCode::INTERNAL_SERVER_ERROR, msg),
+        };
+
+        (status_code, error_message).into_response()
+    }
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+    use lapdev_tunnel::TunnelError;
+    use std::io;
+
+    // Mock test for basic URL parsing flow
+    #[tokio::test]
+    async fn test_preview_url_parsing() {
+        // This would require a proper database setup for full testing
+        // For now, we can test the URL parsing logic
+        use crate::preview_url::PreviewUrlResolver;
+
+        let result = PreviewUrlResolver::parse_preview_url("8080-webapp-abc123");
+        assert!(result.is_ok());
+
+        let info = result.unwrap();
+        assert_eq!(info.service_name, "webapp");
+        assert_eq!(info.port, 8080);
+        assert_eq!(info.environment_hash, "abc123");
+    }
+
+    #[test]
+    fn test_proxy_error_types() {
+        let invalid_url_error = ProxyError::InvalidUrl("test".to_string());
+        let not_found_error = ProxyError::NotFound("test".to_string());
+        let forbidden_error = ProxyError::Forbidden("test".to_string());
+        let tunnel_error = ProxyError::TunnelNotAvailable("test".to_string());
+        let timeout_error = ProxyError::Timeout("test".to_string());
+        let network_error = ProxyError::NetworkError("test".to_string());
+        let internal_error = ProxyError::Internal("test".to_string());
+
+        // Test that all error variants can be created and displayed
+        assert!(invalid_url_error.to_string().contains("Invalid URL"));
+        assert!(not_found_error.to_string().contains("Not found"));
+        assert!(forbidden_error.to_string().contains("Forbidden"));
+        assert!(tunnel_error.to_string().contains("Tunnel not available"));
+        assert!(timeout_error.to_string().contains("Timeout"));
+        assert!(network_error.to_string().contains("Network error"));
+        assert!(internal_error.to_string().contains("Internal error"));
+    }
+
+    #[test]
+    fn test_add_environment_headers_force_connection_close() {
+        let request = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n";
+        let env_id = Uuid::new_v4();
+        let modified =
+            PreviewUrlProxy::add_environment_id_to_headers(request, request.len(), env_id)
+                .expect("request rewrite should succeed");
+        let modified_str = String::from_utf8(modified).unwrap();
+        assert!(modified_str.contains(&format!("lapdev-env-id={env_id}")));
+        assert!(modified_str.to_lowercase().contains("connection: close"));
+    }
+
+    #[test]
+    fn test_add_environment_headers_respect_upgrades() {
+        let request = b"GET /chat HTTP/1.1\r\nHost: example.test\r\nConnection: Upgrade\r\nUpgrade: websocket\r\n\r\n";
+        let env_id = Uuid::new_v4();
+        let modified =
+            PreviewUrlProxy::add_environment_id_to_headers(request, request.len(), env_id)
+                .expect("request rewrite should succeed");
+        let modified_str = String::from_utf8(modified).unwrap();
+        assert!(modified_str.contains("Connection: Upgrade"));
+        assert!(modified_str.contains("Upgrade: websocket"));
+        assert!(!modified_str.to_lowercase().contains("connection: close"));
+    }
+
+    #[test]
+    fn test_shared_http_parser_integration() {
+        // Test shared HTTP parser to ensure it works as expected
+        let request_data = b"GET /path HTTP/1.1\r\nHost: webapp-8080-abc123.example.com\r\nContent-Length: 13\r\n\r\nHello, world!";
+
+        let (parsed_request, body_start) =
+            http_parser::parse_http_request_from_buffer(request_data).unwrap();
+
+        assert_eq!(parsed_request.method, "GET");
+        assert_eq!(parsed_request.path, "/path");
+
+        // Find Host header using shared utility
+        let host_header = http_parser::get_host_header(&parsed_request.headers);
+        assert!(host_header.is_some());
+        assert_eq!(host_header.unwrap(), "webapp-8080-abc123.example.com");
+
+        // Find Content-Length header using shared utility
+        let content_length = http_parser::get_content_length(&parsed_request.headers);
+        assert_eq!(content_length, Some(13));
+
+        // Verify body parsing
+        let body = &request_data[body_start..];
+        assert_eq!(body, b"Hello, world!");
+    }
+
+    #[test]
+    fn test_map_tunnel_connect_error_remote_maps_to_timeout() {
+        let err = TunnelError::Remote("connection refused".to_string());
+        match PreviewUrlProxy::map_tunnel_connect_error(err) {
+            ProxyError::Timeout(message) => {
+                assert!(message.contains("connection error"));
+            }
+            other => panic!("expected timeout error, got {other:?}"),
+        }
+    }
+
+    #[test]
+    fn test_map_tunnel_connect_error_transport_connection_refused() {
+        let err =
+            TunnelError::Transport(io::Error::new(io::ErrorKind::ConnectionRefused, "refused"));
+        match PreviewUrlProxy::map_tunnel_connect_error(err) {
+            ProxyError::Timeout(message) => {
+                assert!(message.contains("Transport error"));
+            }
+            other => panic!("expected timeout error, got {other:?}"),
+        }
+    }
+
+    #[test]
+    fn test_map_tunnel_runtime_error_remote_reason() {
+        let io_err = io::Error::from(TunnelError::Remote("devbox offline".into()));
+        match PreviewUrlProxy::map_tunnel_runtime_error(io_err) {
+            ProxyError::Timeout(message) => {
+                assert!(message.contains("devbox offline"));
+            }
+            other => panic!("expected timeout proxy error, got {other:?}"),
+        }
+    }
+}
diff --git a/crates/kube/src/lib.rs b/crates/kube/src/lib.rs
new file mode 100644
index 0000000..405435e
--- /dev/null
+++ b/crates/kube/src/lib.rs
@@ -0,0 +1,31 @@
+pub mod http_proxy;
+pub mod preview_url;
+pub mod server;
+pub mod tunnel;
+
+use crate::{http_proxy::PreviewUrlProxy, tunnel::TunnelRegistry};
+use anyhow::Result;
+use lapdev_db::api::DbApi;
+use std::sync::Arc;
+
+pub async fn run() -> Result<()> {
+    Ok(())
+}
+
+/// Start the standalone PreviewUrlProxy TCP server
+pub async fn start_preview_url_proxy_server(
+    db: DbApi,
+    tunnel_registry: Arc<TunnelRegistry>,
+    bind_addr: &str,
+) -> Result<()> {
+    let proxy = Arc::new(PreviewUrlProxy::new(db, tunnel_registry).await);
+
+    tracing::info!("Starting PreviewUrlProxy TCP server on {}", bind_addr);
+
+    proxy
+        .start_tcp_server(bind_addr)
+        .await
+        .map_err(|e| anyhow::anyhow!("Failed to start preview URL proxy server: {}", e))?;
+
+    Ok(())
+}
diff --git a/crates/kube/src/preview_url.rs b/crates/kube/src/preview_url.rs
new file mode 100644
index 0000000..31af343
--- /dev/null
+++ b/crates/kube/src/preview_url.rs
@@ -0,0 +1,193 @@
+use anyhow::Result;
+use lapdev_common::kube::PreviewUrlAccessLevel;
+use lapdev_db::api::DbApi;
+use serde::{Deserialize, Serialize};
+use uuid::Uuid;
+
+#[derive(Debug, Clone)]
+pub struct PreviewUrlInfo {
+    pub service_name: String,
+    pub port: u16,
+    pub environment_hash: String,
+}
+
+#[derive(Debug, Clone, Serialize, Deserialize)]
+pub struct PreviewUrlTarget {
+    pub cluster_id: Uuid,
+    pub namespace: String,
+    pub service_name: String,
+    pub service_port: u16,
+    pub access_level: PreviewUrlAccessLevel,
+    pub protocol: String,
+    pub environment_id: Uuid,
+    pub organization_id: Uuid,
+    pub preview_url_id: Uuid,
+}
+
+#[derive(Debug, thiserror::Error)]
+pub enum PreviewUrlError {
+    #[error("Invalid preview URL format")]
+    InvalidFormat,
+    #[error("Invalid port number")]
+    InvalidPort,
+    #[error("Environment not found")]
+    EnvironmentNotFound,
+    #[error("Service not found")]
+    ServiceNotFound,
+    #[error("Preview URL not configured")]
+    PreviewUrlNotConfigured,
+    #[error("Access denied")]
+    AccessDenied,
+    #[error("Database error: {0}")]
+    Database(#[from] anyhow::Error),
+    #[error("SeaORM error: {0}")]
+    SeaOrm(#[from] sea_orm::DbErr),
+}
+
+pub struct PreviewUrlResolver {
+    db: DbApi,
+}
+
+impl PreviewUrlResolver {
+    pub fn new(db: DbApi) -> Self {
+        Self { db }
+    }
+
+    /// Parse subdomain format: port-service-hash.app.lap.dev
+    pub fn parse_preview_url(subdomain: &str) -> Result<PreviewUrlInfo, PreviewUrlError> {
+        // Expected format: "8080-webapp-abc123"
+        let parts: Vec<&str> = subdomain.split('-').collect();
+        if parts.len() < 3 {
+            return Err(PreviewUrlError::InvalidFormat);
+        }
+
+        let port: u16 = parts[0].parse().map_err(|_| PreviewUrlError::InvalidPort)?;
+        let service_name = parts[1..parts.len() - 1].join("-"); // Handle multi-part service names
+        let env_hash = parts[parts.len() - 1];
+
+        Ok(PreviewUrlInfo {
+            service_name,
+            port,
+            environment_hash: env_hash.to_string(),
+        })
+    }
+
+    /// Resolve preview URL to target using existing database entities
+    pub async fn resolve_preview_url(
+        &self,
+        info: PreviewUrlInfo,
+    ) -> Result<PreviewUrlTarget, PreviewUrlError> {
+        // Reconstruct the preview slug (port-service-random)
+        let preview_name = format!(
+            "{}-{}-{}",
+            info.port, info.service_name, info.environment_hash
+        );
+
+        // 1. Load preview URL configuration by unique name
+        let preview_url = self
+            .db
+            .find_preview_url_by_name(&preview_name)
+            .await?
+            .ok_or(PreviewUrlError::PreviewUrlNotConfigured)?;
+
+        if preview_url.port != info.port as i32 {
+            return Err(PreviewUrlError::PreviewUrlNotConfigured);
+        }
+
+        // 2. Load environment referenced by the preview URL
+        let environment = self
+            .db
+            .get_kube_environment(preview_url.environment_id)
+            .await
+            .map_err(PreviewUrlError::SeaOrm)?
+            .ok_or(PreviewUrlError::EnvironmentNotFound)?;
+
+        // 3. Load the service referenced by the preview URL and validate the name matches
+        let service = self
+            .db
+            .get_kube_environment_service_by_id(preview_url.service_id)
+            .await?
+            .ok_or(PreviewUrlError::ServiceNotFound)?;
+
+        let expected_service_environment_id =
+            environment.base_environment_id.unwrap_or(environment.id);
+
+        if service.environment_id != expected_service_environment_id
+            || service.name != info.service_name
+        {
+            return Err(PreviewUrlError::ServiceNotFound);
+        }
+
+        // 4. Validate access level and permissions (basic validation)
+        let access_level = self.parse_access_level(&preview_url.access_level)?;
+
+        Ok(PreviewUrlTarget {
+            cluster_id: environment.cluster_id,
+            namespace: environment.namespace,
+            service_name: service.name,
+            service_port: info.port,
+            access_level,
+            protocol: preview_url.protocol,
+            environment_id: environment.id,
+            organization_id: environment.organization_id,
+            preview_url_id: preview_url.id,
+        })
+    }
+
+    fn parse_access_level(
+        &self,
+        access_level: &str,
+    ) -> Result<PreviewUrlAccessLevel, PreviewUrlError> {
+        access_level
+            .parse::<PreviewUrlAccessLevel>()
+            .map_err(|_| PreviewUrlError::AccessDenied)
+    }
+
+    /// Update last accessed timestamp for the preview URL
+    pub async fn update_preview_url_access(
+        &self,
+        preview_url_id: Uuid,
+    ) -> Result<(), PreviewUrlError> {
+        self.db
+            .update_preview_url_access(preview_url_id)
+            .await
+            .map_err(PreviewUrlError::SeaOrm)
+    }
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    #[test]
+    fn test_parse_preview_url_simple() {
+        let result = PreviewUrlResolver::parse_preview_url("8080-webapp-abc123");
+        assert!(result.is_ok());
+        let info = result.unwrap();
+        assert_eq!(info.service_name, "webapp");
+        assert_eq!(info.port, 8080);
+        assert_eq!(info.environment_hash, "abc123");
+    }
+
+    #[test]
+    fn test_parse_preview_url_multi_part_service() {
+        let result = PreviewUrlResolver::parse_preview_url("8080-my-web-app-abc123");
+        assert!(result.is_ok());
+        let info = result.unwrap();
+        assert_eq!(info.service_name, "my-web-app");
+        assert_eq!(info.port, 8080);
+        assert_eq!(info.environment_hash, "abc123");
+    }
+
+    #[test]
+    fn test_parse_preview_url_invalid_format() {
+        let result = PreviewUrlResolver::parse_preview_url("8080-webapp");
+        assert!(matches!(result, Err(PreviewUrlError::InvalidFormat)));
+    }
+
+    #[test]
+    fn test_parse_preview_url_invalid_port() {
+        let result = PreviewUrlResolver::parse_preview_url("abc-webapp-xyz123");
+        assert!(matches!(result, Err(PreviewUrlError::InvalidPort)));
+    }
+}
diff --git a/crates/kube/src/server.rs b/crates/kube/src/server.rs
new file mode 100644
index 0000000..04e75fe
--- /dev/null
+++ b/crates/kube/src/server.rs
@@ -0,0 +1,2046 @@
+use anyhow::{anyhow, Context as _, Result as AnyResult};
+use chrono::{DateTime, Utc};
+use futures::future::BoxFuture;
+use k8s_openapi::api::{
+    apps::v1::{DaemonSet, Deployment, ReplicaSet, StatefulSet},
+    batch::v1::{CronJob, Job},
+    core::v1::{PodSpec, Service},
+};
+use lapdev_common::{
+    devbox::DirectTunnelConfig,
+    kube::{
+        EnvironmentWorkloadStatusEvent, KubeClusterInfo, KubeContainerImage, KubeContainerInfo,
+        KubeContainerPort, KubeServicePort, KubeWorkloadKind,
+    },
+};
+use lapdev_db::api::{CachedClusterService, DbApi};
+use lapdev_db_entities::{
+    kube_app_catalog_workload::{self, Entity as CatalogWorkloadEntity},
+    kube_app_catalog_workload_dependency, kube_app_catalog_workload_label, kube_environment,
+    kube_environment_workload,
+};
+use lapdev_kube_rpc::{
+    DevboxRouteConfig, KubeClusterRpc, KubeManagerRpcClient, ProxyBranchRouteConfig,
+    ProxyRouteAccessLevel, ResourceChangeEvent, ResourceChangeType, ResourceType,
+};
+use lapdev_rpc::error::ApiError;
+use sea_orm::prelude::{DateTimeWithTimeZone, Json};
+use sea_orm::{ActiveModelTrait, ActiveValue, ColumnTrait, EntityTrait, QueryFilter};
+use serde::Serialize;
+use serde_json::json;
+use std::convert::TryFrom;
+use std::sync::{
+    atomic::{AtomicU64, Ordering},
+    Arc,
+};
+use std::{
+    collections::{BTreeMap, BTreeSet, HashMap, HashSet},
+    net::SocketAddr,
+    time::{Duration, Instant},
+};
+use tokio::sync::RwLock;
+use uuid::Uuid;
+
+use crate::tunnel::TunnelRegistry;
+
+pub trait DirectConfigProvider: Send + Sync {
+    fn request_direct_config(
+        &self,
+        user_id: Uuid,
+        stun_observed_addr: Option<SocketAddr>,
+    ) -> BoxFuture<'static, Result<Option<DirectTunnelConfig>, String>>;
+}
+
+/// KubeClusterServer is the central server where
+/// KubeManager and KubeCli connects to
+#[derive(Clone)]
+pub struct KubeClusterServer {
+    cluster_id: Uuid,
+    pub rpc_client: KubeManagerRpcClient,
+    db: DbApi,
+    kube_cluster_servers: Arc<RwLock<HashMap<Uuid, BTreeMap<u64, KubeClusterServer>>>>,
+    generation_counter: Arc<AtomicU64>,
+    connection_generation: Arc<RwLock<Option<u64>>>,
+    tunnel_registry: Arc<TunnelRegistry>,
+    direct_config_provider: Arc<dyn DirectConfigProvider>,
+}
+
+impl KubeClusterServer {
+    const RPC_TIMEOUT_SECS: u64 = 300;
+
+    fn rpc_context_with_timeout(timeout: Duration) -> tarpc::context::Context {
+        let mut ctx = tarpc::context::current();
+        ctx.deadline = Instant::now() + timeout;
+        ctx
+    }
+
+    fn rpc_context() -> tarpc::context::Context {
+        Self::rpc_context_with_timeout(Duration::from_secs(Self::RPC_TIMEOUT_SECS))
+    }
+
+    pub fn new(
+        cluster_id: Uuid,
+        client: KubeManagerRpcClient,
+        db: DbApi,
+        kube_cluster_servers: Arc<RwLock<HashMap<Uuid, BTreeMap<u64, KubeClusterServer>>>>,
+        generation_counter: Arc<AtomicU64>,
+        tunnel_registry: Arc<TunnelRegistry>,
+        direct_config_provider: Arc<dyn DirectConfigProvider>,
+    ) -> Self {
+        Self {
+            cluster_id,
+            rpc_client: client,
+            db,
+            kube_cluster_servers,
+            generation_counter,
+            connection_generation: Arc::new(RwLock::new(None)),
+            tunnel_registry,
+            direct_config_provider,
+        }
+    }
+
+    pub fn cluster_id(&self) -> Uuid {
+        self.cluster_id
+    }
+
+    pub async fn register(&self) {
+        let generation = self.generation_counter.fetch_add(1, Ordering::SeqCst);
+        {
+            let mut guard = self.connection_generation.write().await;
+            *guard = Some(generation);
+        }
+
+        {
+            let mut servers = self.kube_cluster_servers.write().await;
+            servers
+                .entry(self.cluster_id)
+                .or_insert_with(BTreeMap::new)
+                .insert(generation, self.clone());
+        }
+        tracing::info!(
+            "Registered KubeClusterServer for cluster {}",
+            self.cluster_id
+        );
+
+        if let Err(err) = self.sync_namespace_watches_from_db().await {
+            tracing::warn!(
+                cluster_id = %self.cluster_id,
+                error = ?err,
+                "Failed to send initial namespace watch configuration"
+            );
+        }
+    }
+
+    pub async fn unregister(&self) {
+        let generation = { *self.connection_generation.read().await };
+        let Some(generation) = generation else {
+            tracing::warn!(
+                cluster_id = %self.cluster_id,
+                "KubeClusterServer unregister called without recorded generation"
+            );
+            return;
+        };
+
+        let mut servers = self.kube_cluster_servers.write().await;
+        if let Some(cluster_servers) = servers.get_mut(&self.cluster_id) {
+            if cluster_servers.remove(&generation).is_some() {
+                tracing::info!(
+                    "Unregistered KubeClusterServer for cluster {} generation {}",
+                    self.cluster_id,
+                    generation
+                );
+            }
+
+            if cluster_servers.is_empty() {
+                servers.remove(&self.cluster_id);
+            }
+        }
+    }
+
+    pub async fn send_namespace_watch_configuration(
+        &self,
+        namespaces: Vec<String>,
+    ) -> AnyResult<()> {
+        let namespace_count = namespaces.len();
+        tracing::info!(
+            cluster_id = %self.cluster_id,
+            namespace_count,
+            "Sending namespace watch configuration to KubeManager"
+        );
+
+        match self
+            .rpc_client
+            .configure_watches(Self::rpc_context(), namespaces)
+            .await
+        {
+            Ok(Ok(())) => Ok(()),
+            Ok(Err(err)) => Err(anyhow!(
+                "KubeManager rejected namespace watch configuration: {}",
+                err
+            )),
+            Err(err) => Err(anyhow!(
+                "Failed to send namespace watch configuration RPC: {}",
+                err
+            )),
+        }
+    }
+
+    async fn fetch_cluster_namespaces(&self) -> AnyResult<Vec<String>> {
+        Ok(self
+            .db
+            .get_cluster_watch_namespaces(self.cluster_id)
+            .await?)
+    }
+
+    pub async fn sync_namespace_watches_from_db(&self) -> AnyResult<()> {
+        let namespaces = self.fetch_cluster_namespaces().await?;
+        self.send_namespace_watch_configuration(namespaces).await
+    }
+
+    pub async fn add_namespace_watch(&self, namespace: String) -> AnyResult<()> {
+        let namespace = namespace.trim().to_string();
+        if namespace.is_empty() {
+            return Ok(());
+        }
+        tracing::info!(
+            cluster_id = %self.cluster_id,
+            namespace = namespace.as_str(),
+            "Adding namespace watch via RPC"
+        );
+        match self
+            .rpc_client
+            .add_namespace_watch(Self::rpc_context(), namespace)
+            .await
+        {
+            Ok(Ok(())) => Ok(()),
+            Ok(Err(err)) => Err(anyhow!("KubeManager rejected namespace watch add: {err}")),
+            Err(err) => Err(anyhow!("Failed to add namespace watch RPC: {err}")),
+        }
+    }
+
+    pub async fn remove_namespace_watch(&self, namespace: String) -> AnyResult<()> {
+        let namespace = namespace.trim().to_string();
+        if namespace.is_empty() {
+            return Ok(());
+        }
+        tracing::info!(
+            cluster_id = %self.cluster_id,
+            namespace = namespace.as_str(),
+            "Removing namespace watch via RPC"
+        );
+        match self
+            .rpc_client
+            .remove_namespace_watch(Self::rpc_context(), namespace)
+            .await
+        {
+            Ok(Ok(())) => Ok(()),
+            Ok(Err(err)) => Err(anyhow!(
+                "KubeManager rejected namespace watch removal: {err}"
+            )),
+            Err(err) => Err(anyhow!("Failed to remove namespace watch RPC: {err}")),
+        }
+    }
+
+    pub async fn set_devbox_routes(
+        &self,
+        environment_id: Uuid,
+        routes: HashMap<Uuid, DevboxRouteConfig>,
+    ) -> Result<(), String> {
+        match self
+            .rpc_client
+            .set_devbox_routes(Self::rpc_context(), environment_id, routes)
+            .await
+        {
+            Ok(result) => result,
+            Err(err) => Err(format!(
+                "Failed to send set_devbox_routes RPC to kube-manager: {}",
+                err
+            )),
+        }
+    }
+
+    pub async fn set_devbox_route(
+        &self,
+        environment_id: Uuid,
+        route: DevboxRouteConfig,
+    ) -> Result<(), String> {
+        match self
+            .rpc_client
+            .set_devbox_route(Self::rpc_context(), environment_id, route)
+            .await
+        {
+            Ok(result) => result,
+            Err(err) => Err(format!(
+                "Failed to send set_devbox_route RPC to kube-manager: {}",
+                err
+            )),
+        }
+    }
+
+    pub async fn remove_devbox_route(
+        &self,
+        environment_id: Uuid,
+        workload_id: Uuid,
+        branch_environment_id: Option<Uuid>,
+    ) -> Result<(), String> {
+        match self
+            .rpc_client
+            .remove_devbox_route(
+                Self::rpc_context(),
+                environment_id,
+                workload_id,
+                branch_environment_id,
+            )
+            .await
+        {
+            Ok(result) => result,
+            Err(err) => Err(format!(
+                "Failed to send remove_devbox_route RPC to kube-manager: {}",
+                err
+            )),
+        }
+    }
+
+    pub async fn clear_devbox_routes(
+        &self,
+        environment_id: Uuid,
+        branch_environment_id: Option<Uuid>,
+    ) -> Result<(), String> {
+        match self
+            .rpc_client
+            .clear_devbox_routes(Self::rpc_context(), environment_id, branch_environment_id)
+            .await
+        {
+            Ok(result) => result,
+            Err(err) => Err(format!(
+                "Failed to send clear_devbox_routes RPC to kube-manager: {}",
+                err
+            )),
+        }
+    }
+
+    pub async fn get_devbox_direct_config(
+        &self,
+        user_id: Uuid,
+        environment_id: Uuid,
+        namespace: String,
+        stun_observed_addr: Option<SocketAddr>,
+    ) -> Result<Option<DirectTunnelConfig>, String> {
+        match self
+            .rpc_client
+            .get_devbox_direct_config(
+                Self::rpc_context(),
+                user_id,
+                environment_id,
+                namespace,
+                stun_observed_addr,
+            )
+            .await
+        {
+            Ok(result) => result,
+            Err(err) => Err(format!(
+                "Failed to send get_devbox_direct_config RPC to kube-manager: {}",
+                err
+            )),
+        }
+    }
+
+    pub async fn build_branch_service_route_config(
+        &self,
+        base_environment: &lapdev_db_entities::kube_environment::Model,
+        base_workload_id: Uuid,
+        branch_environment_id: Uuid,
+    ) -> Result<Option<ProxyBranchRouteConfig>, ApiError> {
+        let workload_labels = self
+            .db
+            .get_environment_workload_labels(base_workload_id)
+            .await
+            .map_err(ApiError::from)?;
+
+        let shared_services = self
+            .db
+            .get_matching_cluster_services(
+                base_environment.cluster_id,
+                &base_environment.namespace,
+                &workload_labels,
+            )
+            .await
+            .map_err(ApiError::from)?;
+
+        if shared_services.is_empty() {
+            return Ok(None);
+        }
+
+        Ok(Self::build_branch_service_route_config_from_services(
+            branch_environment_id,
+            &shared_services,
+        ))
+    }
+
+    fn build_branch_service_route_config_from_services(
+        branch_environment_id: Uuid,
+        shared_services: &[CachedClusterService],
+    ) -> Option<ProxyBranchRouteConfig> {
+        let mut service_names = HashMap::new();
+        let branch_suffix = format!("-{}", branch_environment_id);
+
+        for service in shared_services {
+            let branch_service_name = format!("{}{branch_suffix}", service.name);
+            for port in &service.ports {
+                match u16::try_from(port.port) {
+                    Ok(port_number) => {
+                        service_names.insert(port_number, branch_service_name.clone());
+                    }
+                    Err(_) => {
+                        tracing::warn!(
+                            "Skipping branch service mapping for {} in env {} due to unsupported port {}",
+                            branch_service_name,
+                            branch_environment_id,
+                            port.port
+                        );
+                    }
+                }
+            }
+        }
+
+        if service_names.is_empty() {
+            tracing::warn!(
+                "Found shared services for branch env {} but no valid ports; skipping branch route",
+                branch_environment_id
+            );
+            return None;
+        }
+
+        Some(ProxyBranchRouteConfig {
+            branch_environment_id,
+            service_names,
+            headers: HashMap::new(),
+            requires_auth: true,
+            access_level: ProxyRouteAccessLevel::Personal,
+            timeout_ms: None,
+            devbox_route: None,
+        })
+    }
+}
+
+impl KubeClusterRpc for KubeClusterServer {
+    async fn report_cluster_info(
+        self,
+        _context: ::tarpc::context::Context,
+        cluster_info: KubeClusterInfo,
+    ) -> Result<(), String> {
+        tracing::info!(
+            "Received cluster info for cluster {}: {:?}",
+            self.cluster_id,
+            cluster_info
+        );
+
+        // Verify cluster exists, error out if not found
+        let _cluster = self
+            .db
+            .get_kube_cluster(self.cluster_id)
+            .await
+            .map_err(|e| format!("Database error: {}", e))?
+            .ok_or_else(|| format!("Cluster {} not found", self.cluster_id))?;
+
+        // Update cluster info in database
+        let status_str = format!("{:?}", cluster_info.status);
+        self.db
+            .update_kube_cluster_info(
+                self.cluster_id,
+                Some(cluster_info.cluster_version),
+                Some(status_str),
+                cluster_info.provider,
+                cluster_info.region,
+                cluster_info.manager_namespace,
+            )
+            .await
+            .map_err(|e| format!("Failed to update cluster info: {}", e))?;
+
+        tracing::info!(
+            "Successfully updated cluster {} info in database",
+            self.cluster_id
+        );
+
+        Ok(())
+    }
+
+    async fn heartbeat(self, _context: ::tarpc::context::Context) -> Result<(), String> {
+        tracing::trace!("Received heartbeat from cluster {}", self.cluster_id);
+        Ok(())
+    }
+
+    async fn tunnel_heartbeat(self, _context: ::tarpc::context::Context) -> Result<(), String> {
+        tracing::debug!("Received heartbeat from cluster {}", self.cluster_id);
+
+        self.tunnel_registry.update_heartbeat(self.cluster_id).await
+    }
+
+    async fn report_tunnel_metrics(
+        self,
+        _context: ::tarpc::context::Context,
+        active_connections: u32,
+        bytes_transferred: u64,
+        connection_count: u64,
+        connection_errors: u64,
+    ) -> Result<(), String> {
+        tracing::debug!(
+            "Received tunnel metrics from cluster {}: connections={}, bytes={}, errors={}",
+            self.cluster_id,
+            active_connections,
+            bytes_transferred,
+            connection_errors
+        );
+
+        self.tunnel_registry
+            .update_metrics(
+                self.cluster_id,
+                active_connections,
+                bytes_transferred,
+                connection_count,
+                connection_errors,
+            )
+            .await
+    }
+
+    async fn report_resource_change(
+        self,
+        _context: ::tarpc::context::Context,
+        event: ResourceChangeEvent,
+    ) -> Result<(), String> {
+        tracing::debug!(
+            cluster_id = %self.cluster_id,
+            namespace = %event.namespace,
+            resource_name = %event.resource_name,
+            resource_type = ?event.resource_type,
+            change_type = ?event.change_type,
+            "Received resource change event"
+        );
+
+        let result = match event.resource_type {
+            ResourceType::Service => self.handle_service_change(&event).await,
+            ResourceType::ConfigMap => self.handle_dependency_change(&event, "configmap").await,
+            ResourceType::Secret => self.handle_dependency_change(&event, "secret").await,
+            _ => self.handle_workload_change(&event).await,
+        };
+
+        if let Err(err) = result {
+            tracing::error!(
+                cluster_id = %self.cluster_id,
+                namespace = %event.namespace,
+                resource_name = %event.resource_name,
+                error = ?err,
+                "Failed to process resource change event"
+            );
+            return Err(err.to_string());
+        }
+
+        Ok(())
+    }
+
+    async fn list_branch_service_routes(
+        self,
+        _context: ::tarpc::context::Context,
+        environment_id: Uuid,
+        workload_id: Uuid,
+    ) -> Result<Vec<ProxyBranchRouteConfig>, String> {
+        let environment = self
+            .db
+            .get_kube_environment(environment_id)
+            .await
+            .map_err(|e| format!("Failed to fetch environment {}: {}", environment_id, e))?
+            .ok_or_else(|| format!("Environment {} not found", environment_id))?;
+
+        if environment.cluster_id != self.cluster_id {
+            return Err(format!(
+                "Environment {} does not belong to cluster {}",
+                environment_id, self.cluster_id
+            ));
+        }
+
+        let _workload = self
+            .db
+            .get_environment_workload(workload_id)
+            .await
+            .map_err(|e| format!("Failed to fetch workload {}: {}", workload_id, e))?
+            .ok_or_else(|| format!("Workload {} not found", workload_id))?;
+
+        let workload_labels = self
+            .db
+            .get_environment_workload_labels(workload_id)
+            .await
+            .map_err(|e| format!("Failed to fetch labels for workload {}: {}", workload_id, e))?;
+
+        let shared_services = self
+            .db
+            .get_matching_cluster_services(
+                self.cluster_id,
+                &environment.namespace,
+                &workload_labels,
+            )
+            .await
+            .map_err(|e| {
+                format!(
+                    "Failed to resolve services for workload {} in namespace {}: {}",
+                    workload_id, environment.namespace, e
+                )
+            })?;
+
+        if shared_services.is_empty() {
+            return Ok(Vec::new());
+        }
+
+        let branch_workloads = self
+            .db
+            .get_workloads_by_base_workload_id(workload_id)
+            .await
+            .map_err(|e| {
+                format!(
+                    "Failed to fetch workloads for base workload {}: {}",
+                    workload_id, e
+                )
+            })?;
+
+        let mut routes = Vec::new();
+
+        for branch_workload in branch_workloads {
+            let branch_env_id = branch_workload.environment_id;
+
+            if branch_env_id == environment_id {
+                continue;
+            }
+
+            let Some(environment) = self
+                .db
+                .get_kube_environment(branch_env_id)
+                .await
+                .map_err(|e| format!("Failed to fetch environment {}: {}", branch_env_id, e))?
+            else {
+                continue;
+            };
+
+            if environment.cluster_id != self.cluster_id {
+                continue;
+            }
+
+            if let Some(route) = Self::build_branch_service_route_config_from_services(
+                branch_env_id,
+                &shared_services,
+            ) {
+                routes.push(route);
+            }
+        }
+
+        Ok(routes)
+    }
+
+    async fn request_direct_config(
+        self,
+        _context: ::tarpc::context::Context,
+        environment_id: Uuid,
+        stun_observed_addr: Option<SocketAddr>,
+    ) -> Result<Option<DirectTunnelConfig>, String> {
+        let environment = self
+            .db
+            .get_kube_environment(environment_id)
+            .await
+            .map_err(|e| format!("Failed to fetch environment {}: {}", environment_id, e))?
+            .ok_or_else(|| format!("Environment {} not found", environment_id))?;
+
+        if environment.cluster_id != self.cluster_id {
+            return Err(format!(
+                "Environment {} does not belong to cluster {}",
+                environment_id, self.cluster_id
+            ));
+        }
+
+        self.direct_config_provider
+            .request_direct_config(environment.user_id, stun_observed_addr)
+            .await
+    }
+}
+
+impl KubeClusterServer {
+    async fn handle_workload_change(&self, event: &ResourceChangeEvent) -> AnyResult<()> {
+        let Some(workload_kind) = workload_kind_for(event.resource_type) else {
+            // Ignore non-workload resources for now.
+            return Ok(());
+        };
+
+        if matches!(event.change_type, ResourceChangeType::Deleted) {
+            self.handle_workload_deleted(event).await?;
+            return Ok(());
+        }
+
+        let yaml = event
+            .resource_yaml
+            .as_ref()
+            .context("workload event missing resource YAML")?;
+
+        let ExtractedWorkload {
+            containers: new_containers,
+            pod_labels: workload_labels,
+            metadata_labels,
+            configmap_refs,
+            secret_refs,
+            ready_replicas,
+            spec_snapshot,
+        } = extract_workload_from_yaml(event.resource_type, yaml).with_context(|| {
+            format!(
+                "failed to parse workload YAML for {}/{} ({:?})",
+                event.namespace, event.resource_name, event.resource_type
+            )
+        })?;
+
+        if new_containers.is_empty() {
+            tracing::warn!(
+                namespace = %event.namespace,
+                resource_name = %event.resource_name,
+                "Parsed workload contains no containers; skipping update"
+            );
+            return Ok(());
+        }
+
+        self.sync_catalog_from_workload_event(
+            event,
+            workload_kind,
+            yaml,
+            spec_snapshot.as_ref(),
+            &workload_labels,
+            &new_containers,
+            &configmap_refs,
+            &secret_refs,
+        )
+        .await?;
+
+        self.update_environment_workload_ready_replicas(
+            &event.namespace,
+            &event.resource_name,
+            &metadata_labels,
+            ready_replicas,
+            event.timestamp,
+        )
+        .await
+        .with_context(|| {
+            format!(
+                "failed to update environment ready replicas for {}/{}",
+                event.namespace, event.resource_name
+            )
+        })?;
+
+        Ok(())
+    }
+
+    async fn handle_workload_deleted(&self, event: &ResourceChangeEvent) -> AnyResult<()> {
+        let metadata_labels = if let Some(yaml) = event.resource_yaml.as_ref() {
+            match extract_workload_from_yaml(event.resource_type, yaml)
+                .map(|extracted| extracted.metadata_labels)
+            {
+                Ok(labels) => labels,
+                Err(err) => {
+                    tracing::debug!(
+                        namespace = %event.namespace,
+                        resource_name = %event.resource_name,
+                        error = ?err,
+                        "Failed to parse workload YAML for delete event; will clear ready replicas using namespace lookup"
+                    );
+                    BTreeMap::new()
+                }
+            }
+        } else {
+            BTreeMap::new()
+        };
+
+        self.update_environment_workload_ready_replicas(
+            &event.namespace,
+            &event.resource_name,
+            &metadata_labels,
+            None,
+            event.timestamp,
+        )
+        .await
+        .with_context(|| {
+            format!(
+                "failed to clear environment ready replicas for deleted workload {}/{}",
+                event.namespace, event.resource_name
+            )
+        })?;
+
+        tracing::debug!(
+            namespace = %event.namespace,
+            resource_name = %event.resource_name,
+            "Cleared environment workload ready replicas after workload deletion"
+        );
+
+        Ok(())
+    }
+
+    async fn sync_catalog_from_workload_event(
+        &self,
+        event: &ResourceChangeEvent,
+        workload_kind: KubeWorkloadKind,
+        yaml: &str,
+        new_spec_snapshot: Option<&serde_json::Value>,
+        workload_labels: &BTreeMap<String, String>,
+        new_containers: &[KubeContainerInfo],
+        configmap_refs: &BTreeSet<String>,
+        secret_refs: &BTreeSet<String>,
+    ) -> AnyResult<()> {
+        let workloads = CatalogWorkloadEntity::find()
+            .filter(kube_app_catalog_workload::Column::Name.eq(event.resource_name.clone()))
+            .filter(kube_app_catalog_workload::Column::Namespace.eq(event.namespace.clone()))
+            .filter(kube_app_catalog_workload::Column::DeletedAt.is_null())
+            .filter(kube_app_catalog_workload::Column::ClusterId.eq(self.cluster_id))
+            .all(&self.db.conn)
+            .await
+            .with_context(|| {
+                format!(
+                    "failed querying catalog workloads for {}/{}",
+                    event.namespace, event.resource_name
+                )
+            })?;
+
+        if workloads.is_empty() {
+            tracing::trace!(
+                namespace = %event.namespace,
+                resource_name = %event.resource_name,
+                "Workload not tracked in any catalog; skipping catalog sync update"
+            );
+            return Ok(());
+        }
+
+        let matching_services = self
+            .db
+            .get_matching_cluster_services(self.cluster_id, &event.namespace, workload_labels)
+            .await?;
+        let service_ports = ports_from_cached_services(workload_labels, &matching_services);
+
+        let workload_ids: Vec<Uuid> = workloads.iter().map(|w| w.id).collect();
+        let existing_state = self.load_existing_catalog_state(&workload_ids).await?;
+
+        let mut workloads_by_catalog: HashMap<Uuid, Vec<Uuid>> = HashMap::new();
+
+        for workload in workloads {
+            if let Ok(stored_kind) = workload.kind.parse::<KubeWorkloadKind>() {
+                if stored_kind != workload_kind {
+                    tracing::warn!(
+                        namespace = %event.namespace,
+                        resource_name = %event.resource_name,
+                        stored_kind = %workload.kind,
+                        event_kind = ?workload_kind,
+                        "Catalog workload kind mismatch; skipping update"
+                    );
+                    continue;
+                }
+            }
+
+            let mut update = Self::compute_catalog_workload_update(
+                event,
+                &workload,
+                new_containers,
+                &service_ports,
+                yaml,
+                new_spec_snapshot,
+                workload_labels,
+                existing_state.labels.get(&workload.id),
+                configmap_refs,
+                secret_refs,
+                existing_state.dependencies.get(&workload.id),
+            )?;
+
+            let requires_bump = update.requires_catalog_bump();
+
+            if update.has_model_updates() {
+                let mut active_model = kube_app_catalog_workload::ActiveModel {
+                    id: ActiveValue::Set(workload.id),
+                    ..Default::default()
+                };
+
+                if let Some(containers_json) = update.containers.take() {
+                    active_model.containers = ActiveValue::Set(containers_json);
+                }
+                if let Some(ports_json) = update.ports.take() {
+                    active_model.ports = ActiveValue::Set(ports_json);
+                }
+                if let Some(updated_yaml) = update.workload_yaml.take() {
+                    active_model.workload_yaml = ActiveValue::Set(updated_yaml);
+                }
+
+                active_model
+                    .update(&self.db.conn)
+                    .await
+                    .with_context(|| format!("failed to update workload {}", workload.id))?;
+            }
+
+            if update.labels_changed {
+                self.db
+                    .replace_workload_labels(
+                        workload.id,
+                        workload.app_catalog_id,
+                        workload.cluster_id,
+                        &workload.namespace,
+                        workload_labels,
+                        event.timestamp.into(),
+                    )
+                    .await
+                    .with_context(|| {
+                        format!(
+                            "failed to update workload label mapping for {}",
+                            workload.id
+                        )
+                    })?;
+            }
+
+            if update.dependencies_changed {
+                self.db
+                    .replace_workload_dependencies(
+                        workload.id,
+                        workload.app_catalog_id,
+                        workload.cluster_id,
+                        &workload.namespace,
+                        configmap_refs,
+                        secret_refs,
+                        event.timestamp.into(),
+                    )
+                    .await
+                    .with_context(|| {
+                        format!(
+                            "failed to update workload dependency mapping for {}",
+                            workload.id
+                        )
+                    })?;
+            }
+
+            if requires_bump {
+                tracing::info!(
+                    workload_id = %workload.id,
+                    namespace = %event.namespace,
+                    resource_name = %event.resource_name,
+                    "Recorded catalog workload update from cluster event"
+                );
+
+                workloads_by_catalog
+                    .entry(workload.app_catalog_id)
+                    .or_default()
+                    .push(workload.id);
+            } else {
+                tracing::trace!(
+                    workload_id = %workload.id,
+                    namespace = %event.namespace,
+                    resource_name = %event.resource_name,
+                    "No substantive catalog workload change detected; skipping version bump"
+                );
+            }
+        }
+
+        if !workloads_by_catalog.is_empty() {
+            let synced_at: DateTimeWithTimeZone = event.timestamp.into();
+            for (catalog_id, workload_ids) in workloads_by_catalog {
+                let new_version = self
+                    .db
+                    .bump_app_catalog_sync_version(catalog_id, synced_at.clone())
+                    .await
+                    .with_context(|| {
+                        format!(
+                            "failed to bump sync version for catalog {} after workload update",
+                            catalog_id
+                        )
+                    })?;
+                self.db
+                    .update_catalog_workload_versions(&workload_ids, new_version)
+                    .await
+                    .with_context(|| {
+                        format!(
+                            "failed to update workload sync version for catalog {}",
+                            catalog_id
+                        )
+                    })?;
+            }
+        }
+
+        Ok(())
+    }
+
+    async fn load_existing_catalog_state(
+        &self,
+        workload_ids: &[Uuid],
+    ) -> AnyResult<ExistingCatalogState> {
+        let mut state = ExistingCatalogState::default();
+        if workload_ids.is_empty() {
+            return Ok(state);
+        }
+
+        let id_list: Vec<Uuid> = workload_ids.to_vec();
+
+        let label_rows = kube_app_catalog_workload_label::Entity::find()
+            .filter(kube_app_catalog_workload_label::Column::WorkloadId.is_in(id_list.clone()))
+            .filter(kube_app_catalog_workload_label::Column::DeletedAt.is_null())
+            .all(&self.db.conn)
+            .await?;
+
+        for row in label_rows {
+            state
+                .labels
+                .entry(row.workload_id)
+                .or_default()
+                .insert(row.label_key, row.label_value);
+        }
+
+        let dependency_rows = kube_app_catalog_workload_dependency::Entity::find()
+            .filter(kube_app_catalog_workload_dependency::Column::WorkloadId.is_in(id_list))
+            .filter(kube_app_catalog_workload_dependency::Column::DeletedAt.is_null())
+            .all(&self.db.conn)
+            .await?;
+
+        for row in dependency_rows {
+            let entry = state
+                .dependencies
+                .entry(row.workload_id)
+                .or_insert_with(|| (BTreeSet::new(), BTreeSet::new()));
+
+            match row.resource_type.to_ascii_lowercase().as_str() {
+                "configmap" => {
+                    entry.0.insert(row.resource_name);
+                }
+                "secret" => {
+                    entry.1.insert(row.resource_name);
+                }
+                _ => {}
+            }
+        }
+
+        Ok(state)
+    }
+
+    fn compute_catalog_workload_update(
+        event: &ResourceChangeEvent,
+        workload: &kube_app_catalog_workload::Model,
+        new_containers: &[KubeContainerInfo],
+        service_ports: &[KubeServicePort],
+        yaml: &str,
+        new_spec_snapshot: Option<&serde_json::Value>,
+        new_labels: &BTreeMap<String, String>,
+        existing_labels: Option<&BTreeMap<String, String>>,
+        new_configmaps: &BTreeSet<String>,
+        new_secrets: &BTreeSet<String>,
+        existing_dependencies: Option<&(BTreeSet<String>, BTreeSet<String>)>,
+    ) -> AnyResult<CatalogWorkloadUpdate> {
+        let merged_containers = merge_containers(&workload.containers, new_containers)
+            .with_context(|| {
+                format!(
+                    "failed to merge container definitions for workload {}",
+                    workload.id
+                )
+            })?;
+
+        let containers_json = Json::from(
+            serde_json::to_value(&merged_containers)
+                .context("failed to serialize merged container definition")?,
+        );
+        let containers_changed = containers_json != workload.containers;
+
+        let ports_json = Json::from(
+            serde_json::to_value(service_ports)
+                .context("failed to serialize workload ports definition")?,
+        );
+        let ports_changed = ports_json != workload.ports;
+
+        let (stored_spec_snapshot, stored_spec_failed) =
+            match spec_section_from_yaml(&workload.workload_yaml) {
+                Ok(snapshot) => (snapshot, false),
+                Err(err) => {
+                    tracing::debug!(
+                        workload_id = %workload.id,
+                        namespace = %event.namespace,
+                        resource_name = %event.resource_name,
+                        error = ?err,
+                        "Failed to extract stored spec from workload YAML"
+                    );
+                    (None, true)
+                }
+            };
+
+        let spec_changed = if stored_spec_failed {
+            true
+        } else {
+            match (new_spec_snapshot, stored_spec_snapshot.as_ref()) {
+                (Some(new_spec), Some(existing_spec)) => new_spec != existing_spec,
+                (None, None) => false,
+                _ => true,
+            }
+        };
+
+        let labels_changed = match existing_labels {
+            Some(current_labels) => current_labels != new_labels,
+            None => !new_labels.is_empty(),
+        };
+
+        let dependencies_changed = match existing_dependencies {
+            Some((existing_configmaps, existing_secrets)) => {
+                existing_configmaps != new_configmaps || existing_secrets != new_secrets
+            }
+            None => !(new_configmaps.is_empty() && new_secrets.is_empty()),
+        };
+
+        Ok(CatalogWorkloadUpdate {
+            containers: if containers_changed {
+                Some(containers_json)
+            } else {
+                None
+            },
+            ports: if ports_changed {
+                Some(ports_json)
+            } else {
+                None
+            },
+            workload_yaml: if spec_changed || labels_changed {
+                Some(yaml.to_owned())
+            } else {
+                None
+            },
+            containers_changed,
+            ports_changed,
+            spec_changed,
+            labels_changed,
+            dependencies_changed,
+        })
+    }
+
+    async fn update_environment_workload_ready_replicas(
+        &self,
+        namespace: &str,
+        resource_name: &str,
+        metadata_labels: &BTreeMap<String, String>,
+        ready_replicas: Option<i32>,
+        event_timestamp: DateTime<Utc>,
+    ) -> AnyResult<()> {
+        let branch_environment_id = metadata_labels
+            .get("lapdev.io/branch-environment-id")
+            .and_then(|value| Uuid::parse_str(value).ok());
+
+        let environment = if let Some(env_id) = branch_environment_id {
+            let environment = kube_environment::Entity::find_by_id(env_id)
+                .filter(kube_environment::Column::DeletedAt.is_null())
+                .one(&self.db.conn)
+                .await?;
+
+            match environment {
+                Some(env) if env.cluster_id == self.cluster_id => Some(env),
+                Some(env) => {
+                    tracing::debug!(
+                        environment_id = %env_id,
+                        event_cluster = %self.cluster_id,
+                        stored_cluster = %env.cluster_id,
+                        "Environment from workload labels belongs to different cluster; skipping ready replica update"
+                    );
+                    None
+                }
+                None => {
+                    tracing::debug!(
+                        environment_id = %env_id,
+                        namespace,
+                        "Environment referenced by workload labels not found; skipping ready replica update"
+                    );
+                    None
+                }
+            }
+        } else {
+            kube_environment::Entity::find()
+                .filter(kube_environment::Column::ClusterId.eq(self.cluster_id))
+                .filter(kube_environment::Column::Namespace.eq(namespace.to_string()))
+                .filter(kube_environment::Column::DeletedAt.is_null())
+                .one(&self.db.conn)
+                .await?
+        };
+
+        let Some(environment) = environment else {
+            return Ok(());
+        };
+
+        let mut workload = if let Some(base_workload_id) = metadata_labels
+            .get("lapdev.base-workload-id")
+            .and_then(|value| {
+                Uuid::parse_str(value)
+                    .map_err(|err| {
+                        tracing::debug!(
+                            label_value = value,
+                            error = ?err,
+                            "Invalid lapdev.base-workload-id label; ignoring"
+                        );
+                        err
+                    })
+                    .ok()
+            }) {
+            kube_environment_workload::Entity::find()
+                .filter(kube_environment_workload::Column::EnvironmentId.eq(environment.id))
+                .filter(
+                    kube_environment_workload::Column::BaseWorkloadId.eq(Some(base_workload_id)),
+                )
+                .filter(kube_environment_workload::Column::DeletedAt.is_null())
+                .one(&self.db.conn)
+                .await?
+        } else {
+            None
+        };
+
+        if workload.is_none() {
+            workload = kube_environment_workload::Entity::find()
+                .filter(kube_environment_workload::Column::EnvironmentId.eq(environment.id))
+                .filter(kube_environment_workload::Column::Name.eq(resource_name.to_string()))
+                .filter(kube_environment_workload::Column::DeletedAt.is_null())
+                .one(&self.db.conn)
+                .await?;
+        }
+
+        let Some(workload) = workload else {
+            tracing::trace!(
+                environment_id = %environment.id,
+                namespace,
+                resource_name,
+                "No matching environment workload found while updating ready replicas"
+            );
+            return Ok(());
+        };
+
+        if workload.ready_replicas == ready_replicas {
+            return Ok(());
+        }
+
+        let workload_id = workload.id;
+        let organization_id = environment.organization_id;
+        let environment_id = environment.id;
+        let mut active_model: kube_environment_workload::ActiveModel = workload.into();
+        active_model.ready_replicas = ActiveValue::Set(ready_replicas);
+        active_model.update(&self.db.conn).await?;
+
+        let status_event = EnvironmentWorkloadStatusEvent {
+            organization_id,
+            environment_id,
+            workload_id,
+            ready_replicas,
+            updated_at: event_timestamp,
+        };
+
+        self.db
+            .publish_environment_workload_status_event(&status_event)
+            .await;
+
+        tracing::debug!(
+            environment_id = %environment_id,
+            workload_id = %workload_id,
+            namespace,
+            resource_name,
+            ready_replicas = ?ready_replicas,
+            "Updated environment workload ready replicas"
+        );
+
+        Ok(())
+    }
+
+    async fn handle_service_change(&self, event: &ResourceChangeEvent) -> AnyResult<()> {
+        if matches!(event.change_type, ResourceChangeType::Deleted) {
+            let selector_map = self
+                .db
+                .get_service_selector_map(self.cluster_id, &event.namespace, &event.resource_name)
+                .await?;
+            self.db
+                .mark_cluster_service_deleted(
+                    self.cluster_id,
+                    &event.namespace,
+                    &event.resource_name,
+                    event.timestamp,
+                )
+                .await?;
+            if let Some(selector_map) = selector_map {
+                self.reconcile_workloads_for_selector(
+                    &event.namespace,
+                    &event.resource_name,
+                    &selector_map,
+                    event.timestamp,
+                )
+                .await?;
+            }
+            return Ok(());
+        }
+
+        let yaml = event
+            .resource_yaml
+            .as_ref()
+            .context("service event missing resource YAML")?;
+
+        let service: Service = serde_yaml::from_str(yaml)?;
+
+        let (selector_map, selector_json, ports_json, service_type, cluster_ip) = {
+            let spec = service.spec.as_ref();
+            let selector = spec
+                .and_then(|spec| spec.selector.clone())
+                .unwrap_or_default();
+            let selector_map: BTreeMap<String, String> = selector.into_iter().collect();
+            let selector_json = json!(selector_map);
+
+            let ports = spec
+                .and_then(|spec| spec.ports.clone())
+                .unwrap_or_default()
+                .into_iter()
+                .map(|port| {
+                    let target_port = port.target_port.map(|tp| match tp {
+                        k8s_openapi::apimachinery::pkg::util::intstr::IntOrString::Int(v) => {
+                            json!(v)
+                        }
+                        k8s_openapi::apimachinery::pkg::util::intstr::IntOrString::String(s) => {
+                            json!(s)
+                        }
+                    });
+
+                    json!({
+                        "name": port.name,
+                        "port": port.port,
+                        "target_port": target_port,
+                        "protocol": port.protocol,
+                        "app_protocol": port.app_protocol,
+                        "node_port": port.node_port,
+                    })
+                })
+                .collect::<Vec<_>>();
+            let ports_json = json!(ports);
+
+            let service_type = spec.and_then(|spec| spec.type_.clone());
+            let cluster_ip = spec.and_then(|spec| spec.cluster_ip.clone());
+
+            (
+                selector_map,
+                selector_json,
+                ports_json,
+                service_type,
+                cluster_ip,
+            )
+        };
+
+        self.db
+            .upsert_cluster_service(
+                self.cluster_id,
+                &event.namespace,
+                &event.resource_name,
+                &event.resource_version,
+                yaml.clone(),
+                selector_json,
+                ports_json,
+                service_type,
+                cluster_ip,
+                event.timestamp,
+            )
+            .await?;
+
+        self.reconcile_workloads_for_selector(
+            &event.namespace,
+            &event.resource_name,
+            &selector_map,
+            event.timestamp,
+        )
+        .await
+    }
+
+    async fn reconcile_workloads_for_selector(
+        &self,
+        namespace: &str,
+        resource_name: &str,
+        selector_map: &BTreeMap<String, String>,
+        observed_at: chrono::DateTime<chrono::Utc>,
+    ) -> AnyResult<()> {
+        if selector_map.is_empty() {
+            return Ok(());
+        }
+
+        let matching_workload_ids = self
+            .db
+            .find_workloads_matching_selector(self.cluster_id, namespace, selector_map)
+            .await
+            .with_context(|| {
+                format!(
+                    "failed to resolve workloads matching service selector for {}",
+                    resource_name
+                )
+            })?;
+
+        if matching_workload_ids.is_empty() {
+            return Ok(());
+        }
+
+        let workloads = CatalogWorkloadEntity::find()
+            .filter(kube_app_catalog_workload::Column::Id.is_in(matching_workload_ids.clone()))
+            .filter(kube_app_catalog_workload::Column::DeletedAt.is_null())
+            .all(&self.db.conn)
+            .await
+            .with_context(|| {
+                format!(
+                    "failed querying catalog workloads for service selector {}/{}",
+                    namespace, resource_name
+                )
+            })?;
+
+        if workloads.is_empty() {
+            return Ok(());
+        }
+
+        let label_rows = kube_app_catalog_workload_label::Entity::find()
+            .filter(
+                kube_app_catalog_workload_label::Column::WorkloadId.is_in(matching_workload_ids),
+            )
+            .filter(kube_app_catalog_workload_label::Column::DeletedAt.is_null())
+            .all(&self.db.conn)
+            .await?
+            .into_iter()
+            .fold(
+                HashMap::<Uuid, BTreeMap<String, String>>::new(),
+                |mut acc, row| {
+                    acc.entry(row.workload_id)
+                        .or_default()
+                        .insert(row.label_key, row.label_value);
+                    acc
+                },
+            );
+
+        let mut workloads_by_catalog: HashMap<Uuid, Vec<Uuid>> = HashMap::new();
+
+        for workload in workloads {
+            let labels = label_rows.get(&workload.id).cloned().unwrap_or_default();
+            let matching_services = self
+                .db
+                .get_matching_cluster_services(self.cluster_id, namespace, &labels)
+                .await?;
+            let service_ports = ports_from_cached_services(&labels, &matching_services);
+            let ports_json = Json::from(serde_json::to_value(&service_ports)?);
+
+            if ports_json != workload.ports {
+                let active_model = kube_app_catalog_workload::ActiveModel {
+                    id: ActiveValue::Set(workload.id),
+                    ports: ActiveValue::Set(ports_json),
+                    ..Default::default()
+                };
+
+                active_model.update(&self.db.conn).await.with_context(|| {
+                    format!("failed to update workload ports for {}", workload.id)
+                })?;
+
+                workloads_by_catalog
+                    .entry(workload.app_catalog_id)
+                    .or_default()
+                    .push(workload.id);
+            }
+        }
+
+        if !workloads_by_catalog.is_empty() {
+            let synced_at: DateTimeWithTimeZone = observed_at.into();
+            for (catalog_id, workload_ids) in workloads_by_catalog {
+                let new_version = self
+                    .db
+                    .bump_app_catalog_sync_version(catalog_id, synced_at.clone())
+                    .await
+                    .with_context(|| {
+                        format!(
+                            "failed to bump sync version for catalog {} after service update",
+                            catalog_id
+                        )
+                    })?;
+                self.db
+                    .update_catalog_workload_versions(&workload_ids, new_version)
+                    .await
+                    .with_context(|| {
+                        format!(
+                            "failed to update workload sync version for catalog {}",
+                            catalog_id
+                        )
+                    })?;
+            }
+        }
+
+        Ok(())
+    }
+
+    async fn handle_dependency_change(
+        &self,
+        event: &ResourceChangeEvent,
+        resource_type: &str,
+    ) -> AnyResult<()> {
+        let workloads = self
+            .db
+            .find_workloads_by_dependency(
+                self.cluster_id,
+                &event.namespace,
+                resource_type,
+                &event.resource_name,
+            )
+            .await?;
+
+        if workloads.is_empty() {
+            return Ok(());
+        }
+
+        let mut workloads_by_catalog: HashMap<Uuid, Vec<Uuid>> = HashMap::new();
+        for (workload_id, catalog_id) in workloads {
+            workloads_by_catalog
+                .entry(catalog_id)
+                .or_default()
+                .push(workload_id);
+        }
+
+        let synced_at: DateTimeWithTimeZone = event.timestamp.into();
+        for (catalog_id, workload_ids) in workloads_by_catalog {
+            let new_version = self
+                .db
+                .bump_app_catalog_sync_version(catalog_id, synced_at)
+                .await
+                .with_context(|| {
+                    format!(
+                        "failed to bump sync version for catalog {} after {} change",
+                        catalog_id, resource_type
+                    )
+                })?;
+
+            self.db
+                .update_catalog_workload_versions(&workload_ids, new_version)
+                .await
+                .with_context(|| {
+                    format!(
+                        "failed to update workload sync version for catalog {}",
+                        catalog_id
+                    )
+                })?;
+        }
+
+        Ok(())
+    }
+}
+
+#[derive(Default)]
+struct ExistingCatalogState {
+    labels: HashMap<Uuid, BTreeMap<String, String>>,
+    dependencies: HashMap<Uuid, (BTreeSet<String>, BTreeSet<String>)>,
+}
+
+struct CatalogWorkloadUpdate {
+    containers: Option<Json>,
+    ports: Option<Json>,
+    workload_yaml: Option<String>,
+    containers_changed: bool,
+    ports_changed: bool,
+    spec_changed: bool,
+    labels_changed: bool,
+    dependencies_changed: bool,
+}
+
+impl CatalogWorkloadUpdate {
+    fn has_model_updates(&self) -> bool {
+        self.containers.is_some() || self.ports.is_some() || self.workload_yaml.is_some()
+    }
+
+    fn requires_catalog_bump(&self) -> bool {
+        self.containers_changed
+            || self.ports_changed
+            || self.spec_changed
+            || self.labels_changed
+            || self.dependencies_changed
+    }
+}
+
+fn workload_kind_for(resource_type: ResourceType) -> Option<KubeWorkloadKind> {
+    match resource_type {
+        ResourceType::Deployment => Some(KubeWorkloadKind::Deployment),
+        ResourceType::StatefulSet => Some(KubeWorkloadKind::StatefulSet),
+        ResourceType::DaemonSet => Some(KubeWorkloadKind::DaemonSet),
+        ResourceType::ReplicaSet => Some(KubeWorkloadKind::ReplicaSet),
+        ResourceType::Job => Some(KubeWorkloadKind::Job),
+        ResourceType::CronJob => Some(KubeWorkloadKind::CronJob),
+        ResourceType::ConfigMap | ResourceType::Secret | ResourceType::Service => None,
+    }
+}
+
+struct ExtractedWorkload {
+    containers: Vec<KubeContainerInfo>,
+    pod_labels: BTreeMap<String, String>,
+    metadata_labels: BTreeMap<String, String>,
+    configmap_refs: BTreeSet<String>,
+    secret_refs: BTreeSet<String>,
+    ready_replicas: Option<i32>,
+    spec_snapshot: Option<serde_json::Value>,
+}
+
+fn extract_workload_from_yaml(
+    resource_type: ResourceType,
+    yaml: &str,
+) -> AnyResult<ExtractedWorkload> {
+    match resource_type {
+        ResourceType::Deployment => {
+            let deployment: Deployment = serde_yaml::from_str(yaml)?;
+            let pod_spec = deployment
+                .spec
+                .as_ref()
+                .and_then(|s| s.template.spec.as_ref())
+                .context("deployment missing pod spec")?;
+            let pod_labels = deployment
+                .spec
+                .as_ref()
+                .and_then(|s| s.template.metadata.as_ref())
+                .and_then(|m| m.labels.clone())
+                .unwrap_or_default();
+            let metadata_labels = deployment.metadata.labels.clone().unwrap_or_default();
+            let ready_replicas = deployment
+                .status
+                .as_ref()
+                .and_then(|status| status.ready_replicas);
+            let spec_snapshot = deployment
+                .spec
+                .as_ref()
+                .map(|spec| serialize_spec_for_catalog(spec))
+                .transpose()
+                .context("failed to serialize deployment spec")?;
+            let containers = extract_pod_spec_containers(pod_spec)?;
+            let (configmap_refs, secret_refs) = extract_pod_spec_dependencies(pod_spec);
+            Ok(ExtractedWorkload {
+                containers,
+                pod_labels,
+                metadata_labels,
+                configmap_refs,
+                secret_refs,
+                ready_replicas,
+                spec_snapshot,
+            })
+        }
+        ResourceType::StatefulSet => {
+            let statefulset: StatefulSet = serde_yaml::from_str(yaml)?;
+            let pod_spec = statefulset
+                .spec
+                .as_ref()
+                .and_then(|s| s.template.spec.as_ref())
+                .context("statefulset missing pod spec")?;
+            let pod_labels = statefulset
+                .spec
+                .as_ref()
+                .and_then(|s| s.template.metadata.as_ref())
+                .and_then(|m| m.labels.clone())
+                .unwrap_or_default();
+            let metadata_labels = statefulset.metadata.labels.clone().unwrap_or_default();
+            let ready_replicas = statefulset
+                .status
+                .as_ref()
+                .and_then(|status| status.ready_replicas);
+            let spec_snapshot = statefulset
+                .spec
+                .as_ref()
+                .map(|spec| serialize_spec_for_catalog(spec))
+                .transpose()
+                .context("failed to serialize statefulset spec")?;
+            let containers = extract_pod_spec_containers(pod_spec)?;
+            let (configmap_refs, secret_refs) = extract_pod_spec_dependencies(pod_spec);
+            Ok(ExtractedWorkload {
+                containers,
+                pod_labels,
+                metadata_labels,
+                configmap_refs,
+                secret_refs,
+                ready_replicas,
+                spec_snapshot,
+            })
+        }
+        ResourceType::DaemonSet => {
+            let daemonset: DaemonSet = serde_yaml::from_str(yaml)?;
+            let pod_spec = daemonset
+                .spec
+                .as_ref()
+                .and_then(|s| s.template.spec.as_ref())
+                .context("daemonset missing pod spec")?;
+            let pod_labels = daemonset
+                .spec
+                .as_ref()
+                .and_then(|s| s.template.metadata.as_ref())
+                .and_then(|m| m.labels.clone())
+                .unwrap_or_default();
+            let metadata_labels = daemonset.metadata.labels.clone().unwrap_or_default();
+            let ready_replicas = daemonset.status.as_ref().map(|status| status.number_ready);
+            let spec_snapshot = daemonset
+                .spec
+                .as_ref()
+                .map(|spec| serialize_spec_for_catalog(spec))
+                .transpose()
+                .context("failed to serialize daemonset spec")?;
+            let containers = extract_pod_spec_containers(pod_spec)?;
+            let (configmap_refs, secret_refs) = extract_pod_spec_dependencies(pod_spec);
+            Ok(ExtractedWorkload {
+                containers,
+                pod_labels,
+                metadata_labels,
+                configmap_refs,
+                secret_refs,
+                ready_replicas,
+                spec_snapshot,
+            })
+        }
+        ResourceType::ReplicaSet => {
+            let replicaset: ReplicaSet = serde_yaml::from_str(yaml)?;
+            let pod_spec = replicaset
+                .spec
+                .as_ref()
+                .and_then(|s| s.template.as_ref())
+                .and_then(|t| t.spec.as_ref())
+                .context("replicaset missing pod spec")?;
+            let pod_labels = replicaset
+                .spec
+                .as_ref()
+                .and_then(|s| s.template.as_ref())
+                .and_then(|t| t.metadata.as_ref())
+                .and_then(|m| m.labels.clone())
+                .unwrap_or_default();
+            let metadata_labels = replicaset.metadata.labels.clone().unwrap_or_default();
+            let ready_replicas = replicaset
+                .status
+                .as_ref()
+                .and_then(|status| status.ready_replicas);
+            let spec_snapshot = replicaset
+                .spec
+                .as_ref()
+                .map(|spec| serialize_spec_for_catalog(spec))
+                .transpose()
+                .context("failed to serialize replicaset spec")?;
+            let containers = extract_pod_spec_containers(pod_spec)?;
+            let (configmap_refs, secret_refs) = extract_pod_spec_dependencies(pod_spec);
+            Ok(ExtractedWorkload {
+                containers,
+                pod_labels,
+                metadata_labels,
+                configmap_refs,
+                secret_refs,
+                ready_replicas,
+                spec_snapshot,
+            })
+        }
+        ResourceType::Job => {
+            let job: Job = serde_yaml::from_str(yaml)?;
+            let pod_spec = job
+                .spec
+                .as_ref()
+                .and_then(|s| s.template.spec.as_ref())
+                .context("job missing pod spec")?;
+            let pod_labels = job
+                .spec
+                .as_ref()
+                .and_then(|s| s.template.metadata.as_ref())
+                .and_then(|m| m.labels.clone())
+                .unwrap_or_default();
+            let metadata_labels = job.metadata.labels.clone().unwrap_or_default();
+            let ready_replicas = job.status.as_ref().and_then(|status| status.succeeded);
+            let spec_snapshot = job
+                .spec
+                .as_ref()
+                .map(|spec| serialize_spec_for_catalog(spec))
+                .transpose()
+                .context("failed to serialize job spec")?;
+            let containers = extract_pod_spec_containers(pod_spec)?;
+            let (configmap_refs, secret_refs) = extract_pod_spec_dependencies(pod_spec);
+            Ok(ExtractedWorkload {
+                containers,
+                pod_labels,
+                metadata_labels,
+                configmap_refs,
+                secret_refs,
+                ready_replicas,
+                spec_snapshot,
+            })
+        }
+        ResourceType::CronJob => {
+            let cron_job: CronJob = serde_yaml::from_str(yaml)?;
+            let pod_spec = cron_job
+                .spec
+                .as_ref()
+                .and_then(|s| s.job_template.spec.as_ref())
+                .and_then(|s| s.template.spec.as_ref())
+                .context("cronjob missing pod spec")?;
+            let pod_labels = cron_job
+                .spec
+                .as_ref()
+                .and_then(|s| s.job_template.metadata.as_ref())
+                .and_then(|m| m.labels.clone())
+                .unwrap_or_default();
+            let metadata_labels = cron_job.metadata.labels.clone().unwrap_or_default();
+            let containers = extract_pod_spec_containers(pod_spec)?;
+            let (configmap_refs, secret_refs) = extract_pod_spec_dependencies(pod_spec);
+            let spec_snapshot = cron_job
+                .spec
+                .as_ref()
+                .map(|spec| serialize_spec_for_catalog(spec))
+                .transpose()
+                .context("failed to serialize cronjob spec")?;
+            Ok(ExtractedWorkload {
+                containers,
+                pod_labels,
+                metadata_labels,
+                configmap_refs,
+                secret_refs,
+                ready_replicas: Some(1),
+                spec_snapshot,
+            })
+        }
+        ResourceType::ConfigMap | ResourceType::Secret | ResourceType::Service => {
+            Ok(ExtractedWorkload {
+                containers: Vec::new(),
+                pod_labels: BTreeMap::new(),
+                metadata_labels: BTreeMap::new(),
+                configmap_refs: BTreeSet::new(),
+                secret_refs: BTreeSet::new(),
+                ready_replicas: None,
+                spec_snapshot: None,
+            })
+        }
+    }
+}
+
+fn extract_pod_spec_containers(pod_spec: &PodSpec) -> AnyResult<Vec<KubeContainerInfo>> {
+    pod_spec
+        .containers
+        .iter()
+        .map(|container| {
+            let mut cpu_request = None;
+            let mut cpu_limit = None;
+            let mut memory_request = None;
+            let mut memory_limit = None;
+
+            if let Some(resources) = &container.resources {
+                if let Some(requests) = &resources.requests {
+                    if let Some(cpu) = requests.get("cpu") {
+                        cpu_request = Some(cpu.0.clone());
+                    }
+                    if let Some(memory) = requests.get("memory") {
+                        memory_request = Some(memory.0.clone());
+                    }
+                }
+                if let Some(limits) = &resources.limits {
+                    if let Some(cpu) = limits.get("cpu") {
+                        cpu_limit = Some(cpu.0.clone());
+                    }
+                    if let Some(memory) = limits.get("memory") {
+                        memory_limit = Some(memory.0.clone());
+                    }
+                }
+            }
+
+            let image = container
+                .image
+                .clone()
+                .ok_or_else(|| anyhow!("container '{}' missing image", container.name))?;
+
+            let ports = container
+                .ports
+                .as_ref()
+                .map(|ports| {
+                    ports
+                        .iter()
+                        .map(|port| KubeContainerPort {
+                            name: port.name.clone(),
+                            container_port: port.container_port,
+                            protocol: port.protocol.clone(),
+                        })
+                        .collect::<Vec<_>>()
+                })
+                .unwrap_or_default();
+
+            Ok(KubeContainerInfo {
+                name: container.name.clone(),
+                original_image: image.clone(),
+                image: KubeContainerImage::FollowOriginal,
+                cpu_request,
+                cpu_limit,
+                memory_request,
+                memory_limit,
+                env_vars: Vec::new(),
+                original_env_vars: Vec::new(),
+                ports,
+            })
+        })
+        .collect()
+}
+
+fn extract_pod_spec_dependencies(pod_spec: &PodSpec) -> (BTreeSet<String>, BTreeSet<String>) {
+    let mut configmaps = BTreeSet::new();
+    let mut secrets = BTreeSet::new();
+
+    let insert_trimmed = |set: &mut BTreeSet<String>, raw: &str| {
+        let trimmed = raw.trim();
+        if !trimmed.is_empty() {
+            set.insert(trimmed.to_owned());
+        }
+    };
+
+    let mut process_env_sources =
+        |env: &Option<Vec<k8s_openapi::api::core::v1::EnvVar>>,
+         env_from: &Option<Vec<k8s_openapi::api::core::v1::EnvFromSource>>| {
+            if let Some(envs) = env {
+                for item in envs {
+                    if let Some(value_from) = &item.value_from {
+                        if let Some(cfg) = &value_from.config_map_key_ref {
+                            insert_trimmed(&mut configmaps, &cfg.name);
+                        }
+                        if let Some(sec) = &value_from.secret_key_ref {
+                            insert_trimmed(&mut secrets, &sec.name);
+                        }
+                    }
+                }
+            }
+
+            if let Some(env_from) = env_from {
+                for source in env_from {
+                    if let Some(cfg) = &source.config_map_ref {
+                        insert_trimmed(&mut configmaps, &cfg.name);
+                    }
+                    if let Some(sec) = &source.secret_ref {
+                        insert_trimmed(&mut secrets, &sec.name);
+                    }
+                }
+            }
+        };
+
+    for container in &pod_spec.containers {
+        process_env_sources(&container.env, &container.env_from);
+    }
+
+    if let Some(init_containers) = pod_spec.init_containers.as_ref() {
+        for container in init_containers {
+            process_env_sources(&container.env, &container.env_from);
+        }
+    }
+
+    if let Some(ephemeral) = pod_spec.ephemeral_containers.as_ref() {
+        for container in ephemeral {
+            process_env_sources(&container.env, &container.env_from);
+        }
+    }
+
+    if let Some(volumes) = pod_spec.volumes.as_ref() {
+        for volume in volumes {
+            if let Some(cfg) = &volume.config_map {
+                insert_trimmed(&mut configmaps, &cfg.name);
+            }
+            if let Some(secret) = &volume.secret {
+                if let Some(name) = secret.secret_name.as_ref() {
+                    insert_trimmed(&mut secrets, name);
+                }
+            }
+            if let Some(projected) = &volume.projected {
+                if let Some(sources) = projected.sources.as_ref() {
+                    for source in sources {
+                        if let Some(cfg) = &source.config_map {
+                            insert_trimmed(&mut configmaps, &cfg.name);
+                        }
+                        if let Some(secret) = &source.secret {
+                            insert_trimmed(&mut secrets, &secret.name);
+                        }
+                    }
+                }
+            }
+        }
+    }
+
+    (configmaps, secrets)
+}
+
+fn normalize_spec_for_catalog(spec: &mut serde_json::Value) {
+    if let Some(obj) = spec.as_object_mut() {
+        obj.remove("replicas");
+    }
+}
+
+fn serialize_spec_for_catalog<T>(spec: &T) -> AnyResult<serde_json::Value>
+where
+    T: Serialize + ?Sized,
+{
+    let mut value = serde_json::to_value(spec)?;
+    normalize_spec_for_catalog(&mut value);
+    Ok(value)
+}
+
+fn spec_section_from_yaml(yaml: &str) -> AnyResult<Option<serde_json::Value>> {
+    let document: serde_yaml::Value = serde_yaml::from_str(yaml)?;
+
+    match document.get("spec") {
+        Some(spec_value) => Ok(Some(serialize_spec_for_catalog(spec_value)?)),
+        None => Ok(None),
+    }
+}
+
+fn merge_containers(
+    existing: &Json,
+    new_containers: &[KubeContainerInfo],
+) -> AnyResult<Vec<KubeContainerInfo>> {
+    let existing_containers: Vec<KubeContainerInfo> =
+        serde_json::from_value(existing.clone()).unwrap_or_default();
+    let mut existing_map: HashMap<String, KubeContainerInfo> = existing_containers
+        .into_iter()
+        .map(|container| (container.name.clone(), container))
+        .collect();
+
+    let mut merged = Vec::new();
+    for new_container in new_containers {
+        if let Some(mut existing) = existing_map.remove(&new_container.name) {
+            existing.original_image = new_container.original_image.clone();
+            existing.cpu_request = new_container.cpu_request.clone();
+            existing.cpu_limit = new_container.cpu_limit.clone();
+            existing.memory_request = new_container.memory_request.clone();
+            existing.memory_limit = new_container.memory_limit.clone();
+            existing.ports = new_container.ports.clone();
+            // Preserve customized image choices; otherwise keep following original.
+            if let KubeContainerImage::FollowOriginal = existing.image {
+                existing.image = KubeContainerImage::FollowOriginal;
+            }
+            merged.push(existing);
+        } else {
+            merged.push(new_container.clone());
+        }
+    }
+
+    if !existing_map.is_empty() {
+        tracing::debug!(
+            removed_containers = ?existing_map.keys().collect::<Vec<_>>(),
+            "Dropping containers no longer present in source workload"
+        );
+    }
+
+    Ok(merged)
+}
+
+fn ports_from_cached_services(
+    workload_labels: &BTreeMap<String, String>,
+    services: &[CachedClusterService],
+) -> Vec<KubeServicePort> {
+    if services.is_empty() {
+        return Vec::new();
+    }
+
+    let mut ports = Vec::new();
+    let mut seen = HashSet::new();
+
+    for service in services {
+        if service.selector.is_empty() {
+            continue;
+        }
+
+        let matches = service
+            .selector
+            .iter()
+            .all(|(key, value)| workload_labels.get(key).map_or(false, |v| v == value));
+
+        if !matches {
+            continue;
+        }
+
+        for port in &service.ports {
+            let original_target = port.original_target_port.or(port.target_port);
+            let key = (port.port, original_target, port.protocol.clone());
+            if seen.insert(key) {
+                ports.push(port.clone());
+            }
+        }
+    }
+
+    ports
+}
+
+#[cfg(test)]
+mod tests;
diff --git a/crates/kube/src/server/tests.rs b/crates/kube/src/server/tests.rs
new file mode 100644
index 0000000..3c05b3e
--- /dev/null
+++ b/crates/kube/src/server/tests.rs
@@ -0,0 +1,644 @@
+use super::*;
+use chrono::Utc;
+use lapdev_common::kube::{
+    KubeContainerImage, KubeContainerInfo, KubeContainerPort, KubeServicePort, KubeWorkloadKind,
+};
+use lapdev_db_entities::kube_app_catalog_workload;
+use lapdev_kube_rpc::{ResourceChangeEvent, ResourceChangeType, ResourceType};
+use sea_orm::prelude::Json;
+use serde_json::json;
+use std::collections::{BTreeMap, BTreeSet};
+use uuid::Uuid;
+
+#[test]
+fn extract_workload_from_yaml_reads_ready_replicas_for_deployments() {
+    let deployment_yaml = r#"
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: web
+  namespace: default
+spec:
+  selector:
+    matchLabels:
+      app: web
+  template:
+    metadata:
+      labels:
+        app: web
+    spec:
+      containers:
+        - name: web
+          image: nginx:1.27
+status:
+  readyReplicas: 3
+"#;
+
+    let extracted = extract_workload_from_yaml(ResourceType::Deployment, deployment_yaml).unwrap();
+    assert_eq!(extracted.ready_replicas, Some(3));
+}
+
+#[test]
+fn extract_workload_from_yaml_reads_ready_replicas_for_jobs() {
+    let job_yaml = r#"
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: data-migrate
+  namespace: default
+spec:
+  template:
+    metadata:
+      labels:
+        job-name: data-migrate
+    spec:
+      containers:
+        - name: migrate
+          image: alpine:3
+          command: ["/bin/true"]
+      restartPolicy: Never
+status:
+  succeeded: 1
+"#;
+
+    let extracted = extract_workload_from_yaml(ResourceType::Job, job_yaml).unwrap();
+    assert_eq!(extracted.ready_replicas, Some(1));
+}
+
+#[test]
+fn extract_workload_from_yaml_returns_labels_even_without_status() {
+    let deployment_yaml = format!(
+        r#"
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: web
+  namespace: default
+  labels:
+    lapdev.io/branch-environment-id: "{env_id}"
+spec:
+  selector:
+    matchLabels:
+      app: web
+  template:
+    metadata:
+      labels:
+        app: web
+    spec:
+      containers:
+        - name: web
+          image: nginx:1.27
+"#,
+        env_id = Uuid::new_v4()
+    );
+
+    let extracted =
+        extract_workload_from_yaml(ResourceType::Deployment, deployment_yaml.as_str()).unwrap();
+    assert!(extracted.ready_replicas.is_none());
+    assert!(extracted
+        .metadata_labels
+        .contains_key("lapdev.io/branch-environment-id"));
+}
+
+#[test]
+fn spec_section_from_yaml_ignores_status_updates() {
+    let base_yaml = r#"
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: api
+  namespace: default
+  resourceVersion: "123"
+spec:
+  replicas: 2
+  selector:
+    matchLabels:
+      app: api
+  template:
+    metadata:
+      labels:
+        app: api
+    spec:
+      containers:
+        - name: api
+          image: nginx:1.27
+status:
+  readyReplicas: 1
+"#;
+
+    let status_only_yaml = r#"
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: api
+  namespace: default
+  resourceVersion: "456"
+spec:
+  replicas: 2
+  selector:
+    matchLabels:
+      app: api
+  template:
+    metadata:
+      labels:
+        app: api
+    spec:
+      containers:
+        - name: api
+          image: nginx:1.27
+status:
+  readyReplicas: 0
+"#;
+
+    let base_spec = spec_section_from_yaml(base_yaml)
+        .expect("base spec parsing should succeed")
+        .expect("base spec should be present");
+    let status_spec = spec_section_from_yaml(status_only_yaml)
+        .expect("status-only spec parsing should succeed")
+        .expect("status-only spec should be present");
+
+    assert_eq!(base_spec, status_spec);
+}
+
+#[test]
+fn spec_section_from_yaml_ignores_replica_changes() {
+    let base_yaml = r#"
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: api
+  namespace: default
+spec:
+  replicas: 2
+  selector:
+    matchLabels:
+      app: api
+  template:
+    metadata:
+      labels:
+        app: api
+    spec:
+      containers:
+        - name: api
+          image: nginx:1.27
+"#;
+
+    let scaled_yaml = r#"
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: api
+  namespace: default
+spec:
+  replicas: 3
+  selector:
+    matchLabels:
+      app: api
+  template:
+    metadata:
+      labels:
+        app: api
+    spec:
+      containers:
+        - name: api
+          image: nginx:1.27
+"#;
+
+    let base_spec = spec_section_from_yaml(base_yaml)
+        .expect("base spec parsing should succeed")
+        .expect("base spec should be present");
+    let scaled_spec = spec_section_from_yaml(scaled_yaml)
+        .expect("scaled spec parsing should succeed")
+        .expect("scaled spec should be present");
+
+    assert_eq!(base_spec, scaled_spec);
+}
+
+#[test]
+fn extract_workload_from_yaml_returns_spec_snapshot() {
+    let deployment_yaml = r#"
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: api
+  namespace: default
+spec:
+  replicas: 2
+  selector:
+    matchLabels:
+      app: api
+  template:
+    metadata:
+      labels:
+        app: api
+    spec:
+      containers:
+        - name: api
+          image: nginx:1.27
+"#;
+
+    let extracted = extract_workload_from_yaml(ResourceType::Deployment, deployment_yaml)
+        .expect("yaml should parse");
+    let spec_snapshot = extracted
+        .spec_snapshot
+        .expect("deployment should expose spec snapshot");
+
+    let spec_from_yaml = spec_section_from_yaml(deployment_yaml)
+        .expect("spec extraction should succeed")
+        .expect("spec should be present");
+
+    assert_eq!(spec_snapshot, spec_from_yaml);
+}
+
+struct WorkloadTestFixture {
+    event: ResourceChangeEvent,
+    workload: kube_app_catalog_workload::Model,
+    base_yaml: String,
+    base_containers: Vec<KubeContainerInfo>,
+    base_ports: Vec<KubeServicePort>,
+    base_spec_snapshot: serde_json::Value,
+    base_labels: BTreeMap<String, String>,
+    base_configmaps: BTreeSet<String>,
+    base_secrets: BTreeSet<String>,
+}
+
+impl WorkloadTestFixture {
+    fn new() -> Self {
+        let base_yaml = r#"
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: api
+  namespace: default
+spec:
+  replicas: 2
+  selector:
+    matchLabels:
+      app: api
+  template:
+    metadata:
+      labels:
+        app: api
+    spec:
+      containers:
+        - name: api
+          image: nginx:1.27
+          resources:
+            requests:
+              cpu: 100m
+              memory: 128Mi
+            limits:
+              cpu: 200m
+              memory: 256Mi
+"#
+        .trim()
+        .to_string();
+
+        let base_spec_snapshot = spec_section_from_yaml(&base_yaml)
+            .expect("spec snapshot extraction should succeed")
+            .expect("spec snapshot should be present");
+
+        let base_containers = vec![KubeContainerInfo {
+            name: "api".to_string(),
+            original_image: "nginx:1.27".to_string(),
+            image: KubeContainerImage::FollowOriginal,
+            cpu_request: Some("100m".to_string()),
+            cpu_limit: Some("200m".to_string()),
+            memory_request: Some("128Mi".to_string()),
+            memory_limit: Some("256Mi".to_string()),
+            env_vars: Vec::new(),
+            original_env_vars: Vec::new(),
+            ports: vec![KubeContainerPort {
+                name: Some("http".to_string()),
+                container_port: 8080,
+                protocol: Some("TCP".to_string()),
+            }],
+        }];
+
+        let base_ports = vec![KubeServicePort {
+            name: Some("http".to_string()),
+            port: 80,
+            target_port: Some(8080),
+            protocol: Some("TCP".to_string()),
+            node_port: None,
+            original_target_port: Some(8080),
+        }];
+
+        let mut base_configmaps = BTreeSet::new();
+        base_configmaps.insert("cfg-main".to_string());
+        let mut base_secrets = BTreeSet::new();
+        base_secrets.insert("sec-main".to_string());
+
+        let base_labels = BTreeMap::from([("app".to_string(), "api".to_string())]);
+
+        let workload = kube_app_catalog_workload::Model {
+            id: Uuid::new_v4(),
+            created_at: Utc::now().into(),
+            deleted_at: None,
+            app_catalog_id: Uuid::new_v4(),
+            cluster_id: Uuid::new_v4(),
+            name: "api".to_string(),
+            namespace: "default".to_string(),
+            kind: KubeWorkloadKind::Deployment.to_string(),
+            containers: Json::from(serde_json::to_value(&base_containers).unwrap()),
+            ports: Json::from(serde_json::to_value(&base_ports).unwrap()),
+            workload_yaml: base_yaml.clone(),
+            catalog_sync_version: 1,
+        };
+
+        let event = ResourceChangeEvent {
+            namespace: "default".to_string(),
+            resource_type: ResourceType::Deployment,
+            resource_name: "api".to_string(),
+            change_type: ResourceChangeType::Updated,
+            resource_version: "1".to_string(),
+            resource_yaml: Some(base_yaml.clone()),
+            timestamp: Utc::now(),
+        };
+
+        Self {
+            event,
+            workload,
+            base_yaml,
+            base_containers,
+            base_ports,
+            base_spec_snapshot,
+            base_labels,
+            base_configmaps,
+            base_secrets,
+        }
+    }
+}
+
+fn compute_update(
+    event: &ResourceChangeEvent,
+    workload: &kube_app_catalog_workload::Model,
+    new_containers: &[KubeContainerInfo],
+    service_ports: &[KubeServicePort],
+    yaml: &str,
+    new_spec_snapshot: Option<&serde_json::Value>,
+    new_labels: &BTreeMap<String, String>,
+    existing_labels: Option<&BTreeMap<String, String>>,
+    new_configmaps: &BTreeSet<String>,
+    new_secrets: &BTreeSet<String>,
+    existing_dependencies: Option<&(BTreeSet<String>, BTreeSet<String>)>,
+) -> CatalogWorkloadUpdate {
+    KubeClusterServer::compute_catalog_workload_update(
+        event,
+        workload,
+        new_containers,
+        service_ports,
+        yaml,
+        new_spec_snapshot,
+        new_labels,
+        existing_labels,
+        new_configmaps,
+        new_secrets,
+        existing_dependencies,
+    )
+    .expect("catalog workload update computation should succeed")
+}
+
+#[test]
+fn compute_catalog_workload_update_detects_no_changes() {
+    let fixture = WorkloadTestFixture::new();
+    let new_containers = fixture.base_containers.clone();
+    let service_ports = fixture.base_ports.clone();
+    let new_labels = fixture.base_labels.clone();
+    let existing_labels = fixture.base_labels.clone();
+    let new_configmaps = fixture.base_configmaps.clone();
+    let new_secrets = fixture.base_secrets.clone();
+    let existing_dependencies = (
+        fixture.base_configmaps.clone(),
+        fixture.base_secrets.clone(),
+    );
+    let spec_snapshot = fixture.base_spec_snapshot.clone();
+
+    let update = compute_update(
+        &fixture.event,
+        &fixture.workload,
+        &new_containers,
+        &service_ports,
+        &fixture.base_yaml,
+        Some(&spec_snapshot),
+        &new_labels,
+        Some(&existing_labels),
+        &new_configmaps,
+        &new_secrets,
+        Some(&existing_dependencies),
+    );
+
+    assert!(!update.requires_catalog_bump());
+    assert!(!update.containers_changed);
+    assert!(!update.ports_changed);
+    assert!(!update.spec_changed);
+    assert!(!update.labels_changed);
+    assert!(!update.dependencies_changed);
+    assert!(!update.has_model_updates());
+}
+
+#[test]
+fn compute_catalog_workload_update_detects_spec_change() {
+    let fixture = WorkloadTestFixture::new();
+    let new_containers = fixture.base_containers.clone();
+    let service_ports = fixture.base_ports.clone();
+    let new_labels = fixture.base_labels.clone();
+    let existing_labels = fixture.base_labels.clone();
+    let new_configmaps = fixture.base_configmaps.clone();
+    let new_secrets = fixture.base_secrets.clone();
+    let existing_dependencies = (
+        fixture.base_configmaps.clone(),
+        fixture.base_secrets.clone(),
+    );
+
+    let mut spec_snapshot = fixture.base_spec_snapshot.clone();
+    spec_snapshot["revisionHistoryLimit"] = json!(5);
+
+    let new_yaml = fixture
+        .base_yaml
+        .replace("replicas: 2", "replicas: 2\n  revisionHistoryLimit: 5")
+        .to_string();
+
+    let update = compute_update(
+        &fixture.event,
+        &fixture.workload,
+        &new_containers,
+        &service_ports,
+        &new_yaml,
+        Some(&spec_snapshot),
+        &new_labels,
+        Some(&existing_labels),
+        &new_configmaps,
+        &new_secrets,
+        Some(&existing_dependencies),
+    );
+
+    assert!(update.requires_catalog_bump());
+    assert!(update.spec_changed);
+    assert!(update.workload_yaml.is_some());
+    assert!(!update.containers_changed);
+    assert!(!update.ports_changed);
+    assert!(!update.labels_changed);
+    assert!(!update.dependencies_changed);
+}
+
+#[test]
+fn compute_catalog_workload_update_detects_container_change() {
+    let fixture = WorkloadTestFixture::new();
+    let mut new_containers = fixture.base_containers.clone();
+    new_containers[0].cpu_request = Some("250m".to_string());
+    new_containers[0].cpu_limit = Some("500m".to_string());
+
+    let service_ports = fixture.base_ports.clone();
+    let new_labels = fixture.base_labels.clone();
+    let existing_labels = fixture.base_labels.clone();
+    let new_configmaps = fixture.base_configmaps.clone();
+    let new_secrets = fixture.base_secrets.clone();
+    let existing_dependencies = (
+        fixture.base_configmaps.clone(),
+        fixture.base_secrets.clone(),
+    );
+    let spec_snapshot = fixture.base_spec_snapshot.clone();
+
+    let update = compute_update(
+        &fixture.event,
+        &fixture.workload,
+        &new_containers,
+        &service_ports,
+        &fixture.base_yaml,
+        Some(&spec_snapshot),
+        &new_labels,
+        Some(&existing_labels),
+        &new_configmaps,
+        &new_secrets,
+        Some(&existing_dependencies),
+    );
+
+    assert!(update.requires_catalog_bump());
+    assert!(update.containers_changed);
+    assert!(update.containers.is_some());
+    assert!(!update.ports_changed);
+    assert!(!update.spec_changed);
+    assert!(!update.labels_changed);
+    assert!(!update.dependencies_changed);
+}
+
+#[test]
+fn compute_catalog_workload_update_detects_port_change() {
+    let fixture = WorkloadTestFixture::new();
+    let new_containers = fixture.base_containers.clone();
+    let mut service_ports = fixture.base_ports.clone();
+    service_ports[0].port = 443;
+    service_ports[0].target_port = Some(8443);
+    service_ports[0].original_target_port = Some(8443);
+
+    let new_labels = fixture.base_labels.clone();
+    let existing_labels = fixture.base_labels.clone();
+    let new_configmaps = fixture.base_configmaps.clone();
+    let new_secrets = fixture.base_secrets.clone();
+    let existing_dependencies = (
+        fixture.base_configmaps.clone(),
+        fixture.base_secrets.clone(),
+    );
+    let spec_snapshot = fixture.base_spec_snapshot.clone();
+
+    let update = compute_update(
+        &fixture.event,
+        &fixture.workload,
+        &new_containers,
+        &service_ports,
+        &fixture.base_yaml,
+        Some(&spec_snapshot),
+        &new_labels,
+        Some(&existing_labels),
+        &new_configmaps,
+        &new_secrets,
+        Some(&existing_dependencies),
+    );
+
+    assert!(update.requires_catalog_bump());
+    assert!(update.ports_changed);
+    assert!(update.ports.is_some());
+    assert!(!update.containers_changed);
+    assert!(!update.spec_changed);
+    assert!(!update.labels_changed);
+    assert!(!update.dependencies_changed);
+}
+
+#[test]
+fn compute_catalog_workload_update_detects_label_change() {
+    let fixture = WorkloadTestFixture::new();
+    let new_containers = fixture.base_containers.clone();
+    let service_ports = fixture.base_ports.clone();
+    let mut new_labels = fixture.base_labels.clone();
+    new_labels.insert("version".to_string(), "v2".to_string());
+    let existing_labels = fixture.base_labels.clone();
+    let new_configmaps = fixture.base_configmaps.clone();
+    let new_secrets = fixture.base_secrets.clone();
+    let existing_dependencies = (
+        fixture.base_configmaps.clone(),
+        fixture.base_secrets.clone(),
+    );
+    let spec_snapshot = fixture.base_spec_snapshot.clone();
+
+    let update = compute_update(
+        &fixture.event,
+        &fixture.workload,
+        &new_containers,
+        &service_ports,
+        &fixture.base_yaml,
+        Some(&spec_snapshot),
+        &new_labels,
+        Some(&existing_labels),
+        &new_configmaps,
+        &new_secrets,
+        Some(&existing_dependencies),
+    );
+
+    assert!(update.requires_catalog_bump());
+    assert!(update.labels_changed);
+    assert!(!update.containers_changed);
+    assert!(!update.ports_changed);
+    assert!(!update.spec_changed);
+    assert!(!update.dependencies_changed);
+    assert!(update.workload_yaml.is_some());
+    assert!(update.has_model_updates());
+}
+
+#[test]
+fn compute_catalog_workload_update_detects_dependency_change() {
+    let fixture = WorkloadTestFixture::new();
+    let new_containers = fixture.base_containers.clone();
+    let service_ports = fixture.base_ports.clone();
+    let new_labels = fixture.base_labels.clone();
+    let existing_labels = fixture.base_labels.clone();
+    let mut new_configmaps = fixture.base_configmaps.clone();
+    new_configmaps.insert("cfg-extra".to_string());
+    let new_secrets = fixture.base_secrets.clone();
+    let existing_dependencies = (
+        fixture.base_configmaps.clone(),
+        fixture.base_secrets.clone(),
+    );
+    let spec_snapshot = fixture.base_spec_snapshot.clone();
+
+    let update = compute_update(
+        &fixture.event,
+        &fixture.workload,
+        &new_containers,
+        &service_ports,
+        &fixture.base_yaml,
+        Some(&spec_snapshot),
+        &new_labels,
+        Some(&existing_labels),
+        &new_configmaps,
+        &new_secrets,
+        Some(&existing_dependencies),
+    );
+
+    assert!(update.requires_catalog_bump());
+    assert!(update.dependencies_changed);
+    assert!(!update.containers_changed);
+    assert!(!update.ports_changed);
+    assert!(!update.spec_changed);
+    assert!(!update.labels_changed);
+}
diff --git a/crates/kube/src/tunnel.rs b/crates/kube/src/tunnel.rs
new file mode 100644
index 0000000..a29e185
--- /dev/null
+++ b/crates/kube/src/tunnel.rs
@@ -0,0 +1,146 @@
+use lapdev_tunnel::TunnelClient;
+use std::{
+    collections::{BTreeMap, HashMap},
+    sync::{
+        atomic::{AtomicU64, Ordering},
+        Arc,
+    },
+};
+use tokio::sync::RwLock;
+use uuid::Uuid;
+
+#[derive(Debug, Clone, Default)]
+pub struct TunnelMetrics {
+    pub active_connections: u32,
+    pub total_connections: u64,
+    pub bytes_transferred: u64,
+    pub connection_errors: u64,
+}
+
+pub struct TunnelRegistry {
+    metrics: Arc<RwLock<HashMap<Uuid, TunnelMetrics>>>,
+    clients: Arc<RwLock<HashMap<Uuid, BTreeMap<u64, Arc<TunnelClient>>>>>,
+    generation_counter: AtomicU64,
+}
+
+impl TunnelRegistry {
+    pub fn new() -> Self {
+        Self {
+            metrics: Arc::new(RwLock::new(HashMap::new())),
+            clients: Arc::new(RwLock::new(HashMap::new())),
+            generation_counter: AtomicU64::new(1),
+        }
+    }
+
+    pub async fn update_heartbeat(&self, _cluster_id: Uuid) -> Result<(), String> {
+        Ok(())
+    }
+
+    pub async fn update_metrics(
+        &self,
+        cluster_id: Uuid,
+        active_connections: u32,
+        bytes_transferred: u64,
+        connection_count: u64,
+        connection_errors: u64,
+    ) -> Result<(), String> {
+        let mut guard = self.metrics.write().await;
+        let entry = guard
+            .entry(cluster_id)
+            .or_insert_with(TunnelMetrics::default);
+        entry.active_connections = active_connections;
+        entry.bytes_transferred = entry.bytes_transferred.saturating_add(bytes_transferred);
+        entry.total_connections = entry.total_connections.saturating_add(connection_count);
+        entry.connection_errors = entry.connection_errors.saturating_add(connection_errors);
+        Ok(())
+    }
+
+    fn next_generation(&self) -> u64 {
+        self.generation_counter.fetch_add(1, Ordering::SeqCst)
+    }
+
+    pub async fn register_client(&self, cluster_id: Uuid, client: Arc<TunnelClient>) -> u64 {
+        let generation = self.next_generation();
+        {
+            let mut metrics = self.metrics.write().await;
+            metrics
+                .entry(cluster_id)
+                .or_insert_with(TunnelMetrics::default);
+        }
+
+        let mut clients = self.clients.write().await;
+        let cluster_clients = clients.entry(cluster_id).or_insert_with(BTreeMap::new);
+        let replaced = cluster_clients
+            .insert(generation, Arc::clone(&client))
+            .is_some();
+        if replaced {
+            tracing::warn!(
+                "Overwrote existing tunnel client entry for cluster {} at generation {}; this should be rare",
+                cluster_id,
+                generation
+            );
+        }
+        tracing::info!(
+            "Registered tunnel client for cluster {}; generation {}; active entries {}",
+            cluster_id,
+            generation,
+            cluster_clients.len()
+        );
+        generation
+    }
+
+    pub async fn remove_client(&self, cluster_id: Uuid, generation: u64) {
+        let mut removed = false;
+        let mut cluster_empty_after = false;
+        {
+            let mut clients = self.clients.write().await;
+            match clients.get_mut(&cluster_id) {
+                Some(cluster_clients) => {
+                    removed = cluster_clients.remove(&generation).is_some();
+                    if removed {
+                        tracing::info!(
+                            "Removed tunnel client for cluster {} with generation {}; remaining {}",
+                            cluster_id,
+                            generation,
+                            cluster_clients.len()
+                        );
+                        if cluster_clients.is_empty() {
+                            clients.remove(&cluster_id);
+                            cluster_empty_after = true;
+                        }
+                    } else {
+                        let latest_generation = cluster_clients.keys().next_back().copied();
+                        tracing::info!(
+                            "Skip removing tunnel client for cluster {} due to generation mismatch (requested {}, latest {:?})",
+                            cluster_id,
+                            generation,
+                            latest_generation
+                        );
+                    }
+                }
+                None => {
+                    tracing::info!(
+                        "No tunnel clients registered for cluster {}; requested removal generation {}",
+                        cluster_id,
+                        generation
+                    );
+                }
+            }
+        }
+        if removed && cluster_empty_after {
+            let mut metrics = self.metrics.write().await;
+            metrics.remove(&cluster_id);
+        }
+    }
+
+    pub async fn get_client(&self, cluster_id: Uuid) -> Option<Arc<TunnelClient>> {
+        let clients = self.clients.read().await;
+        clients.get(&cluster_id).and_then(|cluster_clients| {
+            cluster_clients
+                .values()
+                .rev()
+                .find(|client| !client.is_closed())
+                .cloned()
+        })
+    }
+}
diff --git a/lapdev-proxy-http/Cargo.toml b/crates/proxy-http/Cargo.toml
similarity index 83%
rename from lapdev-proxy-http/Cargo.toml
rename to crates/proxy-http/Cargo.toml
index b1942b6..2de47be 100644
--- a/lapdev-proxy-http/Cargo.toml
+++ b/crates/proxy-http/Cargo.toml
@@ -11,4 +11,6 @@ anyhow.workspace = true
 futures.workspace = true
 tokio.workspace = true
 tokio-tungstenite.workspace = true
+tracing.workspace = true
 lapdev-db.workspace = true
+lapdev-db-entities.workspace = true
diff --git a/lapdev-proxy-http/src/forward.rs b/crates/proxy-http/src/forward.rs
similarity index 83%
rename from lapdev-proxy-http/src/forward.rs
rename to crates/proxy-http/src/forward.rs
index 465b972..2bc6d12 100644
--- a/lapdev-proxy-http/src/forward.rs
+++ b/crates/proxy-http/src/forward.rs
@@ -32,13 +32,14 @@ pub async fn handler(
             vec![]
         };
         let uri = format!("ws://{host}:{port}{}", path_query);
+        let headers = headers.clone();
         let resp = websocket
             .protocols(protocols)
             .on_upgrade(move |socket| async move {
-                if let Err(e) = proxy_socket(socket, uri).await {
-                    println!("handle websocket error: {e}");
+                if let Err(e) = proxy_socket(socket, uri, headers).await {
+                    tracing::error!("handle websocket error: {e}");
                 } else {
-                    println!("handle websocket finished");
+                    tracing::debug!("handle websocket finished");
                 }
             });
         return Some(ProxyForward::Resp(resp));
@@ -49,7 +50,7 @@ pub async fn handler(
     Some(ProxyForward::Proxy(uri))
 }
 
-async fn proxy_socket(socket: WebSocket, req: String) -> Result<()> {
+async fn proxy_socket(socket: WebSocket, req: String, headers: HeaderMap) -> Result<()> {
     let protocol = socket.protocol();
     let mut req = req.into_client_request()?;
 
@@ -58,6 +59,12 @@ async fn proxy_socket(socket: WebSocket, req: String) -> Result<()> {
             .insert("Sec-Websocket-Protocol", protocol.to_owned());
     }
 
+    for (key, val) in headers {
+        if let Some(key) = key {
+            req.headers_mut().insert(key, val);
+        }
+    }
+
     let (ws_stream, _) = tokio_tungstenite::connect_async(req).await?;
     let (mut server_sender, mut server_receiver) = ws_stream.split();
 
@@ -95,16 +102,16 @@ fn msg_into_tungstenite(
 ) -> tokio_tungstenite::tungstenite::Message {
     match msg {
         axum::extract::ws::Message::Text(text) => {
-            tokio_tungstenite::tungstenite::Message::Text(text.into())
+            tokio_tungstenite::tungstenite::Message::Text(text.as_str().into())
         }
         axum::extract::ws::Message::Binary(binary) => {
-            tokio_tungstenite::tungstenite::Message::Binary(binary.into())
+            tokio_tungstenite::tungstenite::Message::Binary(binary)
         }
         axum::extract::ws::Message::Ping(ping) => {
-            tokio_tungstenite::tungstenite::Message::Ping(ping.into())
+            tokio_tungstenite::tungstenite::Message::Ping(ping)
         }
         axum::extract::ws::Message::Pong(pong) => {
-            tokio_tungstenite::tungstenite::Message::Pong(pong.into())
+            tokio_tungstenite::tungstenite::Message::Pong(pong)
         }
         axum::extract::ws::Message::Close(Some(close)) => {
             tokio_tungstenite::tungstenite::Message::Close(Some(
@@ -127,16 +134,16 @@ fn msg_from_tungstenite(
 ) -> Option<axum::extract::ws::Message> {
     match message {
         tokio_tungstenite::tungstenite::Message::Text(text) => {
-            Some(axum::extract::ws::Message::Text(text.to_string()))
+            Some(axum::extract::ws::Message::Text(text.as_str().into()))
         }
         tokio_tungstenite::tungstenite::Message::Binary(binary) => {
-            Some(axum::extract::ws::Message::Binary(binary.to_vec()))
+            Some(axum::extract::ws::Message::Binary(binary))
         }
         tokio_tungstenite::tungstenite::Message::Ping(ping) => {
-            Some(axum::extract::ws::Message::Ping(ping.to_vec()))
+            Some(axum::extract::ws::Message::Ping(ping))
         }
         tokio_tungstenite::tungstenite::Message::Pong(pong) => {
-            Some(axum::extract::ws::Message::Pong(pong.to_vec()))
+            Some(axum::extract::ws::Message::Pong(pong))
         }
         tokio_tungstenite::tungstenite::Message::Close(Some(close)) => Some(
             axum::extract::ws::Message::Close(Some(axum::extract::ws::CloseFrame {
diff --git a/lapdev-proxy-http/src/lib.rs b/crates/proxy-http/src/lib.rs
similarity index 100%
rename from lapdev-proxy-http/src/lib.rs
rename to crates/proxy-http/src/lib.rs
diff --git a/lapdev-proxy-http/src/port.rs b/crates/proxy-http/src/port.rs
similarity index 100%
rename from lapdev-proxy-http/src/port.rs
rename to crates/proxy-http/src/port.rs
diff --git a/lapdev-proxy-http/src/proxy.rs b/crates/proxy-http/src/proxy.rs
similarity index 92%
rename from lapdev-proxy-http/src/proxy.rs
rename to crates/proxy-http/src/proxy.rs
index fbb526d..f7b9f4c 100644
--- a/lapdev-proxy-http/src/proxy.rs
+++ b/crates/proxy-http/src/proxy.rs
@@ -1,7 +1,4 @@
-use lapdev_db::{
-    api::DbApi,
-    entities::{self},
-};
+use lapdev_db::api::DbApi;
 
 pub enum WorkspaceForwardError {
     WorkspaceNotFound,
@@ -13,11 +10,11 @@ pub enum WorkspaceForwardError {
 pub async fn forward_workspace(
     hostname: &str,
     db: &DbApi,
-    user: Option<&entities::user::Model>,
+    user: Option<&lapdev_db_entities::user::Model>,
 ) -> Result<
     (
-        entities::workspace::Model,
-        Option<entities::workspace_port::Model>,
+        lapdev_db_entities::workspace::Model,
+        Option<lapdev_db_entities::workspace_port::Model>,
     ),
     WorkspaceForwardError,
 > {
diff --git a/lapdev-proxy-ssh/Cargo.toml b/crates/proxy-ssh/Cargo.toml
similarity index 92%
rename from lapdev-proxy-ssh/Cargo.toml
rename to crates/proxy-ssh/Cargo.toml
index 1716c24..2df6e37 100644
--- a/lapdev-proxy-ssh/Cargo.toml
+++ b/crates/proxy-ssh/Cargo.toml
@@ -15,4 +15,5 @@ anyhow.workspace = true
 sea-orm.workspace = true
 lapdev-common.workspace = true
 lapdev-db.workspace = true
+lapdev-db-entities.workspace = true
 lapdev-conductor.workspace = true
diff --git a/lapdev-proxy-ssh/src/client.rs b/crates/proxy-ssh/src/client.rs
similarity index 100%
rename from lapdev-proxy-ssh/src/client.rs
rename to crates/proxy-ssh/src/client.rs
diff --git a/lapdev-proxy-ssh/src/key.rs b/crates/proxy-ssh/src/key.rs
similarity index 85%
rename from lapdev-proxy-ssh/src/key.rs
rename to crates/proxy-ssh/src/key.rs
index 3d2571b..ad9d8d9 100644
--- a/lapdev-proxy-ssh/src/key.rs
+++ b/crates/proxy-ssh/src/key.rs
@@ -1,12 +1,15 @@
 use anyhow::{anyhow, Result};
 use lapdev_conductor::server::encode_pkcs8_pem;
-use lapdev_db::{api::DbApi, entities};
+use lapdev_db::api::DbApi;
 use russh::keys::{decode_secret_key, ssh_key::rand_core::OsRng, Algorithm, HashAlg, PrivateKey};
 use sea_orm::{ActiveModelTrait, ActiveValue, EntityTrait, TransactionTrait};
 
 pub async fn load_key(kind: &str, db: &DbApi) -> Result<PrivateKey> {
     let txn = db.conn.begin().await?;
-    let key = if let Some(model) = entities::config::Entity::find_by_id(kind).one(&txn).await? {
+    let key = if let Some(model) = lapdev_db_entities::config::Entity::find_by_id(kind)
+        .one(&txn)
+        .await?
+    {
         decode_secret_key(&model.value, None)?
     } else {
         let algorithm = match kind {
@@ -18,7 +21,7 @@ pub async fn load_key(kind: &str, db: &DbApi) -> Result<PrivateKey> {
         };
         let key = PrivateKey::random(&mut OsRng, algorithm)?;
         let secret = encode_pkcs8_pem(&key)?;
-        entities::config::ActiveModel {
+        lapdev_db_entities::config::ActiveModel {
             name: ActiveValue::Set(kind.to_string()),
             value: ActiveValue::Set(secret),
         }
diff --git a/lapdev-proxy-ssh/src/lib.rs b/crates/proxy-ssh/src/lib.rs
similarity index 100%
rename from lapdev-proxy-ssh/src/lib.rs
rename to crates/proxy-ssh/src/lib.rs
diff --git a/lapdev-proxy-ssh/src/proxy.rs b/crates/proxy-ssh/src/proxy.rs
similarity index 98%
rename from lapdev-proxy-ssh/src/proxy.rs
rename to crates/proxy-ssh/src/proxy.rs
index 5219ddc..7a39427 100644
--- a/lapdev-proxy-ssh/src/proxy.rs
+++ b/crates/proxy-ssh/src/proxy.rs
@@ -53,6 +53,7 @@ impl russh::server::Handler for SshProxyHandler {
     async fn auth_none(&mut self, _user: &str) -> Result<Auth, Self::Error> {
         Ok(Auth::Reject {
             proceed_with_methods: None,
+            partial_success: false,
         })
     }
 
@@ -70,7 +71,7 @@ impl russh::server::Handler for SshProxyHandler {
         public_key: &russh::keys::PublicKey,
     ) -> Result<Auth, Self::Error> {
         let public_key = public_key.public_key_base64();
-        println!("auth public key");
+        tracing::debug!("auth public key");
         let ws = self.db.get_workspace_by_name(user).await?;
         let workspace_host = self
             .db
@@ -121,7 +122,7 @@ impl russh::server::Handler for SshProxyHandler {
     }
 
     async fn auth_succeeded(&mut self, _session: &mut Session) -> Result<(), Self::Error> {
-        println!("auth succedded");
+        tracing::info!("auth succeeded");
         let (addr, port) = self
             .ws_addr
             .as_ref()
@@ -136,7 +137,7 @@ impl russh::server::Handler for SshProxyHandler {
                 self.ws_session = Some(session);
             }
             Err(e) => {
-                println!("error connection: {e}");
+                tracing::error!("error connection: {e}");
             }
         }
         Ok(())
diff --git a/lapdev-proxy-ssh/src/server.rs b/crates/proxy-ssh/src/server.rs
similarity index 100%
rename from lapdev-proxy-ssh/src/server.rs
rename to crates/proxy-ssh/src/server.rs
diff --git a/lapdev-rpc/Cargo.toml b/crates/rpc/Cargo.toml
similarity index 87%
rename from lapdev-rpc/Cargo.toml
rename to crates/rpc/Cargo.toml
index 4d41610..732c0a6 100644
--- a/lapdev-rpc/Cargo.toml
+++ b/crates/rpc/Cargo.toml
@@ -16,3 +16,5 @@ anyhow.workspace = true
 tracing.workspace = true
 futures.workspace = true
 lapdev-common.workspace = true
+tokio-util.workspace = true
+pin-project.workspace = true
diff --git a/lapdev-rpc/src/error.rs b/crates/rpc/src/error.rs
similarity index 79%
rename from lapdev-rpc/src/error.rs
rename to crates/rpc/src/error.rs
index 2ddafcb..8d6b97d 100644
--- a/lapdev-rpc/src/error.rs
+++ b/crates/rpc/src/error.rs
@@ -1,11 +1,12 @@
 use axum::{http::StatusCode, response::IntoResponse, Json};
-use lapdev_common::{QuotaResult, RepobuildError};
+use lapdev_common::{hrpc::HrpcError, QuotaResult, RepobuildError};
 use serde::{Deserialize, Serialize};
 
 #[derive(Debug, Serialize, Deserialize)]
 pub enum ApiError {
     Unauthenticated,
     Unauthorized,
+    DetailedUnauthorized(String),
     EnterpriseInvalid,
     RepositoryBuildFailure(RepobuildError),
     RepositoryInvalid(String),
@@ -25,12 +26,26 @@ where
     }
 }
 
+impl From<ApiError> for HrpcError {
+    fn from(err: ApiError) -> Self {
+        if let ApiError::InternalError(e) = &err {
+            tracing::error!("internal server error: {e:#}");
+        }
+        HrpcError {
+            error: err.to_string(),
+        }
+    }
+}
+
 impl std::fmt::Display for ApiError {
     fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
         use ApiError::*;
         let err = match self {
             Unauthenticated => "Not authenticated",
             Unauthorized => "Not authorized",
+            DetailedUnauthorized(detail) => {
+                return f.write_str(&format!("Not authorized: {detail}"))
+            }
             EnterpriseInvalid => "Doesn't have enterprise license or enterprise license is invalid",
             InvalidRequest(s) => s,
             InternalError(_) => "Internal Server Error",
@@ -56,7 +71,7 @@ impl IntoResponse for ApiError {
         }
         let status = match self {
             Unauthenticated => StatusCode::FORBIDDEN,
-            Unauthorized | EnterpriseInvalid => StatusCode::UNAUTHORIZED,
+            Unauthorized | DetailedUnauthorized(_) | EnterpriseInvalid => StatusCode::UNAUTHORIZED,
             RepositoryInvalid(_)
             | InvalidRequest(_)
             | QuotaReached(_)
diff --git a/crates/rpc/src/lib.rs b/crates/rpc/src/lib.rs
new file mode 100644
index 0000000..823a76a
--- /dev/null
+++ b/crates/rpc/src/lib.rs
@@ -0,0 +1,412 @@
+pub mod error;
+
+use pin_project::pin_project;
+use std::{
+    fmt, io,
+    pin::Pin,
+    task::{Context, Poll},
+    time::{Duration, Instant},
+};
+
+use anyhow::{anyhow, Result};
+use chrono::{DateTime, FixedOffset};
+use error::ApiError;
+use futures::{
+    stream::{AbortHandle, Abortable},
+    Sink, SinkExt, Stream, StreamExt, TryFutureExt,
+};
+use lapdev_common::{
+    BuildTarget, ContainerInfo, CreateWorkspaceRequest, DeleteWorkspaceRequest, GitBranch,
+    HostWorkspace, PrebuildInfo, ProjectRequest, RepoBuildInfo, RepoBuildOutput, RepoBuildResult,
+    RepoContent, StartWorkspaceRequest, StopWorkspaceRequest,
+};
+use serde::{Deserialize, Serialize};
+use tokio::sync::mpsc;
+use tokio_util::sync::PollSender;
+use uuid::Uuid;
+
+/// A tarpc message that can be either a request or a response.
+#[derive(Debug, serde::Serialize, serde::Deserialize)]
+pub enum TwoWayMessage<Req, Resp> {
+    ClientMessage(tarpc::ClientMessage<Req>),
+    Response(tarpc::Response<Resp>),
+}
+
+/// Returns two transports that multiplex over the given transport.
+/// The first transport can be used by a server: it receives requests and sends back responses.
+/// The second transport can be used by a client: it sends requests and receives back responses.
+#[allow(clippy::complexity)]
+pub fn spawn_twoway<Req1, Resp1, Req2, Resp2, T>(
+    transport: T,
+) -> (
+    ChannelTransport<tarpc::ClientMessage<Req1>, tarpc::Response<Resp1>>,
+    ChannelTransport<tarpc::Response<Resp2>, tarpc::ClientMessage<Req2>>,
+    AbortHandle,
+)
+where
+    T: Stream<Item = Result<TwoWayMessage<Req1, Resp2>, io::Error>>,
+    T: Sink<TwoWayMessage<Req2, Resp1>, Error = io::Error>,
+    T: Unpin + Send + 'static,
+    Req1: Send + 'static,
+    Resp1: Send + 'static,
+    Req2: Send + 'static,
+    Resp2: Send + 'static,
+{
+    let (mut transport_sink, mut transport_stream) = transport.split();
+
+    let (abort_handle, abort_registration) = AbortHandle::new_pair();
+    let (server_in_tx, server_in_rx) =
+        mpsc::channel::<Result<tarpc::ClientMessage<Req1>, io::Error>>(RPC_CHANNEL_CAPACITY);
+    let (client_in_tx, client_in_rx) =
+        mpsc::channel::<Result<tarpc::Response<Resp2>, io::Error>>(RPC_CHANNEL_CAPACITY);
+    let (server_out_tx, mut server_out_rx) =
+        mpsc::channel::<tarpc::Response<Resp1>>(RPC_CHANNEL_CAPACITY);
+    let (client_out_tx, mut client_out_rx) =
+        mpsc::channel::<tarpc::ClientMessage<Req2>>(RPC_CHANNEL_CAPACITY);
+
+    let (server_transport, client_transport) = (
+        ChannelTransport::new(server_in_rx, PollSender::new(server_out_tx)),
+        ChannelTransport::new(client_in_rx, PollSender::new(client_out_tx)),
+    );
+
+    {
+        let abort_on_exit = abort_handle.clone();
+        let loop_abort = abort_handle.clone();
+        let server_in_tx = server_in_tx;
+        let client_in_tx = client_in_tx;
+        tokio::spawn(async move {
+            let e: Result<()> = async move {
+                while !loop_abort.is_aborted() {
+                    match transport_stream.next().await {
+                        Some(Ok(TwoWayMessage::ClientMessage(req))) => {
+                            if server_in_tx.send(Ok(req)).await.is_err() {
+                                break;
+                            }
+                        }
+                        Some(Ok(TwoWayMessage::Response(resp))) => {
+                            if client_in_tx.send(Ok(resp)).await.is_err() {
+                                break;
+                            }
+                        }
+                        Some(Err(err)) => {
+                            let cloned = clone_io_error(&err);
+                            let _ = server_in_tx.send(Err(err)).await;
+                            let _ = client_in_tx.send(Err(cloned)).await;
+                            break;
+                        }
+                        None => break,
+                    }
+                }
+                Ok(())
+            }
+            .await;
+
+            match e {
+                Ok(()) => tracing::debug!("transport_stream done"),
+                Err(e) => tracing::warn!("Error in inbound multiplexing: {}", e),
+            }
+
+            abort_on_exit.abort();
+        });
+    }
+
+    let outbound = async move {
+        loop {
+            tokio::select! {
+                Some(resp) = server_out_rx.recv() => {
+                    if let Err(e) = transport_sink.send(TwoWayMessage::Response(resp)).await.map_err(|e| anyhow!(e)) {
+                        return Err(e);
+                    }
+                }
+                Some(msg) = client_out_rx.recv() => {
+                    if let Err(e) = transport_sink.send(TwoWayMessage::ClientMessage(msg)).await.map_err(|e| anyhow!(e)) {
+                        return Err(e);
+                    }
+                }
+                else => break,
+            }
+        }
+
+        transport_sink.sink_map_err(|e| anyhow!(e)).close().await
+    };
+
+    tokio::spawn(
+        Abortable::new(outbound, abort_registration)
+            .inspect_ok(|_| tracing::debug!("transport_sink done"))
+            .inspect_err(|e| tracing::warn!("Error in outbound multiplexing: {}", e)),
+    );
+
+    (server_transport, client_transport, abort_handle)
+}
+
+const RPC_CHANNEL_CAPACITY: usize = 32;
+
+fn clone_io_error(err: &io::Error) -> io::Error {
+    io::Error::new(err.kind(), err.to_string())
+}
+
+#[derive(Debug)]
+pub enum TwoWayTransportError {
+    Closed,
+    Io(io::Error),
+}
+
+impl fmt::Display for TwoWayTransportError {
+    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
+        match self {
+            Self::Closed => write!(f, "transport closed"),
+            Self::Io(err) => err.fmt(f),
+        }
+    }
+}
+
+impl std::error::Error for TwoWayTransportError {}
+
+impl From<io::Error> for TwoWayTransportError {
+    fn from(err: io::Error) -> Self {
+        TwoWayTransportError::Io(err)
+    }
+}
+
+#[pin_project]
+pub struct ChannelTransport<In, Out> {
+    receiver: mpsc::Receiver<Result<In, io::Error>>,
+    #[pin]
+    sender: PollSender<Out>,
+}
+
+impl<In, Out> ChannelTransport<In, Out> {
+    fn new(receiver: mpsc::Receiver<Result<In, io::Error>>, sender: PollSender<Out>) -> Self {
+        Self { receiver, sender }
+    }
+}
+
+impl<In, Out> Stream for ChannelTransport<In, Out> {
+    type Item = Result<In, TwoWayTransportError>;
+
+    fn poll_next(self: Pin<&mut Self>, cx: &mut Context<'_>) -> Poll<Option<Self::Item>> {
+        let this = self.project();
+        match this.receiver.poll_recv(cx) {
+            Poll::Ready(Some(Ok(item))) => Poll::Ready(Some(Ok(item))),
+            Poll::Ready(Some(Err(err))) => Poll::Ready(Some(Err(TwoWayTransportError::Io(err)))),
+            Poll::Ready(None) => Poll::Ready(None),
+            Poll::Pending => Poll::Pending,
+        }
+    }
+}
+
+impl<In, Out> Sink<Out> for ChannelTransport<In, Out>
+where
+    Out: Send,
+{
+    type Error = TwoWayTransportError;
+
+    fn poll_ready(self: Pin<&mut Self>, cx: &mut Context<'_>) -> Poll<Result<(), Self::Error>> {
+        self.project()
+            .sender
+            .poll_ready(cx)
+            .map_err(|_| TwoWayTransportError::Closed)
+    }
+
+    fn start_send(self: Pin<&mut Self>, item: Out) -> Result<(), Self::Error> {
+        self.project()
+            .sender
+            .start_send(item)
+            .map_err(|_| TwoWayTransportError::Closed)
+    }
+
+    fn poll_flush(self: Pin<&mut Self>, cx: &mut Context<'_>) -> Poll<Result<(), Self::Error>> {
+        self.project()
+            .sender
+            .poll_flush(cx)
+            .map_err(|_| TwoWayTransportError::Closed)
+    }
+
+    fn poll_close(self: Pin<&mut Self>, cx: &mut Context<'_>) -> Poll<Result<(), Self::Error>> {
+        self.project()
+            .sender
+            .poll_close(cx)
+            .map_err(|_| TwoWayTransportError::Closed)
+    }
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+    use futures::{SinkExt, StreamExt};
+    use tarpc::{context, trace};
+    use tokio::io::duplex;
+    use tokio_util::codec::LengthDelimitedCodec;
+
+    #[tokio::test]
+    async fn spawn_twoway_moves_messages_between_halves() {
+        let (io_a, io_b) = duplex(1024);
+        let framed_a = LengthDelimitedCodec::builder().new_framed(io_a);
+        let framed_b = LengthDelimitedCodec::builder().new_framed(io_b);
+        let transport_a = tarpc::serde_transport::new::<
+            _,
+            TwoWayMessage<String, String>,
+            TwoWayMessage<String, String>,
+            _,
+        >(framed_a, tarpc::tokio_serde::formats::Bincode::default());
+        let transport_b = tarpc::serde_transport::new::<
+            _,
+            TwoWayMessage<String, String>,
+            TwoWayMessage<String, String>,
+            _,
+        >(framed_b, tarpc::tokio_serde::formats::Bincode::default());
+        let (mut server, mut client, abort_handle) =
+            spawn_twoway::<String, String, String, String, _>(transport_a);
+        let (mut transport_sink, mut transport_stream) = transport_b.split();
+
+        let cancel: tarpc::ClientMessage<String> = tarpc::ClientMessage::Cancel {
+            trace_context: trace::Context {
+                trace_id: trace::TraceId::from(1u128),
+                span_id: trace::SpanId::from(2u64),
+                sampling_decision: trace::SamplingDecision::Sampled,
+            },
+            request_id: 7,
+        };
+        transport_sink
+            .send(TwoWayMessage::ClientMessage(cancel))
+            .await
+            .unwrap();
+        match server.next().await.unwrap().unwrap() {
+            tarpc::ClientMessage::Cancel { request_id, .. } => assert_eq!(request_id, 7),
+            other => panic!("unexpected client message: {:?}", other),
+        }
+
+        let inbound_response = tarpc::Response {
+            request_id: 9,
+            message: Ok("pong".to_string()),
+        };
+        transport_sink
+            .send(TwoWayMessage::Response(inbound_response.clone()))
+            .await
+            .unwrap();
+        let received = client.next().await.unwrap().unwrap();
+        assert_eq!(received.request_id, 9);
+
+        let outbound_request = tarpc::ClientMessage::Request(tarpc::Request {
+            context: context::current(),
+            id: 11,
+            message: "ping".to_string(),
+        });
+        client.send(outbound_request).await.unwrap();
+        match transport_stream.next().await.unwrap().unwrap() {
+            TwoWayMessage::ClientMessage(tarpc::ClientMessage::Request(sent)) => {
+                assert_eq!(sent.id, 11);
+                assert_eq!(sent.message, "ping");
+            }
+            msg => panic!("unexpected outbound message: {:?}", msg),
+        }
+
+        let outbound_response = tarpc::Response {
+            request_id: 13,
+            message: Ok("ok".to_string()),
+        };
+        server.send(outbound_response).await.unwrap();
+        match transport_stream.next().await.unwrap().unwrap() {
+            TwoWayMessage::Response(sent) => assert_eq!(sent.request_id, 13),
+            msg => panic!("unexpected outbound response: {:?}", msg),
+        }
+
+        abort_handle.abort();
+    }
+}
+
+#[tarpc::service]
+pub trait ConductorService {
+    async fn update_workspace_last_inactivity(
+        workspace_id: Uuid,
+        last_inactivity: Option<DateTime<FixedOffset>>,
+    );
+
+    async fn update_build_repo_stdout(target: BuildTarget, line: String);
+
+    async fn update_build_repo_stderr(target: BuildTarget, line: String);
+
+    async fn running_workspaces_on_host() -> Result<Vec<HostWorkspace>, ApiError>;
+
+    async fn auto_delete_inactive_workspaces();
+}
+
+#[derive(Debug, Serialize, Deserialize)]
+pub struct Workspace {
+    pub image: String,
+}
+
+#[tarpc::service]
+pub trait WorkspaceService {
+    async fn ping() -> String;
+
+    async fn version() -> String;
+
+    async fn create_workspace(req: CreateWorkspaceRequest) -> Result<(), ApiError>;
+
+    async fn start_workspace(req: StartWorkspaceRequest) -> Result<ContainerInfo, ApiError>;
+
+    async fn delete_workspace(req: DeleteWorkspaceRequest) -> Result<(), ApiError>;
+
+    async fn stop_workspace(req: StopWorkspaceRequest) -> Result<(), ApiError>;
+
+    async fn create_project(req: ProjectRequest) -> Result<(), ApiError>;
+
+    async fn get_project_branches(req: ProjectRequest) -> Result<Vec<GitBranch>, ApiError>;
+
+    async fn transfer_repo(info: RepoBuildInfo, repo: RepoContent) -> Result<(), ApiError>;
+
+    async fn unarchive_repo(info: RepoBuildInfo) -> Result<(), ApiError>;
+
+    async fn build_repo(info: RepoBuildInfo) -> RepoBuildResult;
+
+    async fn rebuild_repo(info: RepoBuildInfo) -> RepoBuildResult;
+
+    async fn create_prebuild_archive(
+        output: RepoBuildOutput,
+        prebuild: PrebuildInfo,
+        repo_name: String,
+    ) -> Result<(), ApiError>;
+
+    async fn copy_prebuild_image(
+        prebuild: PrebuildInfo,
+        output: RepoBuildOutput,
+        dest_osuser: String,
+        target: BuildTarget,
+    ) -> Result<(), ApiError>;
+
+    async fn copy_prebuild_content(
+        prebuild: PrebuildInfo,
+        info: RepoBuildInfo,
+    ) -> Result<(), ApiError>;
+
+    async fn delete_prebuild(
+        prebuild: PrebuildInfo,
+        output: Option<RepoBuildOutput>,
+    ) -> Result<(), ApiError>;
+
+    async fn transfer_prebuild(
+        prebuild: PrebuildInfo,
+        output: RepoBuildOutput,
+        dst_host: String,
+        dst_port: u16,
+    ) -> Result<(), ApiError>;
+
+    async fn unarchive_prebuild(prebuild: PrebuildInfo, repo_name: String) -> Result<(), ApiError>;
+}
+
+#[tarpc::service]
+pub trait InterWorkspaceService {
+    async fn transfer_prebuild_archive(
+        archive: PrebuildInfo,
+        file: String,
+        content: Vec<u8>,
+        append: bool,
+    ) -> Result<(), ApiError>;
+}
+
+pub fn long_running_context() -> tarpc::context::Context {
+    let mut context = tarpc::context::current();
+    context.deadline = Instant::now() + Duration::from_secs(86400);
+    context
+}
diff --git a/crates/tunnel/Cargo.toml b/crates/tunnel/Cargo.toml
new file mode 100644
index 0000000..822342c
--- /dev/null
+++ b/crates/tunnel/Cargo.toml
@@ -0,0 +1,29 @@
+[package]
+name = "lapdev-tunnel"
+version.workspace = true
+edition.workspace = true
+authors.workspace = true
+license.workspace = true
+description.workspace = true
+
+[dependencies]
+tokio.workspace = true
+futures.workspace = true
+futures-util.workspace = true
+thiserror.workspace = true
+uuid.workspace = true
+bytes.workspace = true
+tracing.workspace = true
+tokio-util.workspace = true
+tokio-tungstenite.workspace = true
+lapdev-common.workspace = true
+quinn.workspace = true
+rcgen.workspace = true
+rand.workspace = true
+serde.workspace = true
+tokio-serde.workspace = true
+pin-project.workspace = true
+chrono.workspace = true
+
+[dev-dependencies]
+chrono.workspace = true
diff --git a/crates/tunnel/src/client.rs b/crates/tunnel/src/client.rs
new file mode 100644
index 0000000..c05afdd
--- /dev/null
+++ b/crates/tunnel/src/client.rs
@@ -0,0 +1,220 @@
+use std::{
+    fmt, io,
+    pin::Pin,
+    task::{Context, Poll},
+};
+
+use lapdev_common::devbox::DirectTunnelConfig;
+use quinn::{Connection, RecvStream, SendStream, WriteError};
+use tokio::io::{AsyncRead, AsyncWrite, ReadBuf};
+use tokio_tungstenite::WebSocketStream;
+
+use crate::{
+    direct::DirectEndpoint,
+    error::TunnelError,
+    message::{self, Protocol, TunnelTarget},
+    RelayEndpoint,
+};
+
+/// Client capable of opening TCP tunnels by mapping each request to a native QUIC stream.
+pub struct TunnelClient {
+    connection: Connection,
+    mode: TunnelMode,
+}
+
+impl fmt::Debug for TunnelClient {
+    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
+        f.debug_struct("TunnelClient")
+            .field("mode", &self.mode)
+            .finish()
+    }
+}
+
+impl TunnelClient {
+    pub fn new_direct(connection: Connection) -> Self {
+        Self {
+            connection,
+            mode: TunnelMode::Direct,
+        }
+    }
+
+    pub fn new_relay(connection: Connection) -> Self {
+        Self {
+            connection,
+            mode: TunnelMode::Relay,
+        }
+    }
+
+    pub async fn connect_tcp(
+        &self,
+        target_host: impl Into<String>,
+        target_port: u16,
+    ) -> Result<TunnelTcpStream, TunnelError> {
+        self.connect_with_protocol(Protocol::Tcp, TunnelTarget::new(target_host, target_port))
+            .await
+    }
+
+    pub async fn connect_udp(
+        &self,
+        target_host: impl Into<String>,
+        target_port: u16,
+    ) -> Result<TunnelTcpStream, TunnelError> {
+        self.connect_with_protocol(Protocol::Udp, TunnelTarget::new(target_host, target_port))
+            .await
+    }
+
+    pub async fn connect_with_direct_or_relay<S, F, Fut, G>(
+        direct: Option<&DirectTunnelConfig>,
+        direct_endpoint: &DirectEndpoint,
+        ws_connector: F,
+        on_direct_failure: G,
+    ) -> Result<(Self, TunnelMode), TunnelError>
+    where
+        S: AsyncRead + AsyncWrite + Unpin + Send + 'static,
+        F: FnOnce() -> Fut,
+        Fut: std::future::Future<Output = Result<WebSocketStream<S>, TunnelError>>,
+        G: FnOnce(&TunnelError),
+    {
+        if let Some(config) = direct {
+            let direct_result = direct_endpoint.connect_tunnel(config).await;
+
+            match direct_result {
+                Ok(client) => {
+                    tracing::info!("Established direct tunnel connection");
+                    return Ok((client, TunnelMode::Direct));
+                }
+                Err(err) => {
+                    on_direct_failure(&err);
+                    tracing::info!(
+                        error = %err,
+                        "Direct tunnel attempt failed; falling back to relay transport"
+                    );
+                }
+            }
+        }
+
+        let websocket = ws_connector().await?;
+        let connection = RelayEndpoint::client_connection(websocket).await?;
+        tracing::info!("Using relay tunnel connection over QUIC");
+        Ok((TunnelClient::new_relay(connection), TunnelMode::Relay))
+    }
+
+    pub fn mode(&self) -> TunnelMode {
+        self.mode
+    }
+
+    pub fn is_closed(&self) -> bool {
+        self.connection.close_reason().is_some()
+    }
+
+    pub async fn closed(&self) {
+        let _ = self.connection.clone().closed().await;
+    }
+
+    async fn connect_with_protocol(
+        &self,
+        protocol: Protocol,
+        target: TunnelTarget,
+    ) -> Result<TunnelTcpStream, TunnelError> {
+        let (mut send, mut recv) = self
+            .connection
+            .clone()
+            .open_bi()
+            .await
+            .map_err(to_transport_err)?;
+
+        message::write_stream_open_request(&mut send, protocol, &target).await?;
+        let response = message::read_stream_open_response(&mut recv).await?;
+        if !response.success {
+            let reason = response
+                .error
+                .unwrap_or_else(|| "remote open failed".to_string());
+            return Err(TunnelError::Remote(reason));
+        }
+
+        Ok(TunnelTcpStream::new(send, recv))
+    }
+}
+
+impl Drop for TunnelClient {
+    fn drop(&mut self) {
+        self.connection.close(0u32.into(), b"client dropped");
+    }
+}
+
+#[derive(Debug, Clone, Copy, PartialEq, Eq)]
+pub enum TunnelMode {
+    Direct,
+    Relay,
+}
+
+/// Convenience wrapper owning both the tunnel client and an established TCP tunnel.
+pub struct TunnelTcpConnection {
+    pub client: TunnelClient,
+    pub stream: TunnelTcpStream,
+}
+
+impl TunnelTcpConnection {
+    pub fn new(client: TunnelClient, stream: TunnelTcpStream) -> Self {
+        Self { client, stream }
+    }
+}
+
+pub struct TunnelTcpStream {
+    send: SendStream,
+    recv: RecvStream,
+}
+
+impl fmt::Debug for TunnelTcpStream {
+    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
+        f.debug_struct("TunnelTcpStream").finish()
+    }
+}
+
+impl Unpin for TunnelTcpStream {}
+
+impl TunnelTcpStream {
+    fn new(send: SendStream, recv: RecvStream) -> Self {
+        Self { send, recv }
+    }
+}
+
+impl AsyncRead for TunnelTcpStream {
+    fn poll_read(
+        mut self: Pin<&mut Self>,
+        cx: &mut Context<'_>,
+        buf: &mut ReadBuf<'_>,
+    ) -> Poll<io::Result<()>> {
+        Pin::new(&mut self.recv).poll_read(cx, buf)
+    }
+}
+
+impl AsyncWrite for TunnelTcpStream {
+    fn poll_write(
+        mut self: Pin<&mut Self>,
+        cx: &mut Context<'_>,
+        buf: &[u8],
+    ) -> Poll<io::Result<usize>> {
+        map_write_poll(Pin::new(&mut self.send).poll_write(cx, buf))
+    }
+
+    fn poll_flush(mut self: Pin<&mut Self>, cx: &mut Context<'_>) -> Poll<io::Result<()>> {
+        Pin::new(&mut self.send).poll_flush(cx)
+    }
+
+    fn poll_shutdown(mut self: Pin<&mut Self>, cx: &mut Context<'_>) -> Poll<io::Result<()>> {
+        Pin::new(&mut self.send).poll_shutdown(cx)
+    }
+}
+
+fn to_transport_err(err: impl Into<io::Error>) -> TunnelError {
+    TunnelError::Transport(err.into())
+}
+
+fn map_write_poll<T>(poll: Poll<Result<T, WriteError>>) -> Poll<io::Result<T>> {
+    match poll {
+        Poll::Ready(Ok(value)) => Poll::Ready(Ok(value)),
+        Poll::Ready(Err(err)) => Poll::Ready(Err(io::Error::other(err))),
+        Poll::Pending => Poll::Pending,
+    }
+}
diff --git a/crates/tunnel/src/direct/credential.rs b/crates/tunnel/src/direct/credential.rs
new file mode 100644
index 0000000..e87eb9b
--- /dev/null
+++ b/crates/tunnel/src/direct/credential.rs
@@ -0,0 +1,105 @@
+use std::{collections::HashMap, sync::Arc, time::Duration};
+
+use chrono::{DateTime, Utc};
+use tokio::{
+    sync::{oneshot, RwLock},
+    task::JoinHandle,
+    time::{self, MissedTickBehavior},
+};
+
+const CREDENTIAL_CLEANUP_INTERVAL: Duration = Duration::from_secs(60);
+
+#[derive(Default)]
+pub struct DirectCredentialStore {
+    tokens: RwLock<HashMap<String, DateTime<Utc>>>,
+}
+
+impl DirectCredentialStore {
+    pub fn new() -> Self {
+        Self {
+            tokens: RwLock::new(HashMap::new()),
+        }
+    }
+
+    pub async fn replace(&self, token: impl Into<String>, expires_at: DateTime<Utc>) {
+        let mut guard = self.tokens.write().await;
+        guard.clear();
+        guard.insert(token.into(), expires_at);
+        cleanup_expired(&mut guard);
+    }
+
+    pub async fn insert(&self, token: impl Into<String>, expires_at: DateTime<Utc>) {
+        let mut guard = self.tokens.write().await;
+        guard.insert(token.into(), expires_at);
+        cleanup_expired(&mut guard);
+    }
+
+    pub async fn remove(&self, token: &str) -> bool {
+        let mut guard = self.tokens.write().await;
+        cleanup_expired(&mut guard);
+        match guard.remove(token) {
+            Some(expiry) if expiry >= Utc::now() => true,
+            _ => false,
+        }
+    }
+
+    pub async fn contains(&self, token: &str) -> bool {
+        let guard = self.tokens.read().await;
+        guard
+            .get(token)
+            .map(|expiry| *expiry >= Utc::now())
+            .unwrap_or(false)
+    }
+
+    pub async fn cleanup_expired_now(&self) {
+        let mut guard = self.tokens.write().await;
+        cleanup_expired(&mut guard);
+    }
+}
+
+fn cleanup_expired(tokens: &mut HashMap<String, DateTime<Utc>>) {
+    if tokens.is_empty() {
+        return;
+    }
+    let now = Utc::now();
+    tokens.retain(|_, expires_at| *expires_at >= now);
+}
+
+pub(super) fn start_credential_cleanup(
+    credential: Arc<DirectCredentialStore>,
+) -> CredentialCleanupHandle {
+    let (shutdown_tx, mut shutdown_rx) = oneshot::channel();
+    let mut ticker = time::interval(CREDENTIAL_CLEANUP_INTERVAL);
+    ticker.set_missed_tick_behavior(MissedTickBehavior::Delay);
+    let task = tokio::spawn(async move {
+        loop {
+            tokio::select! {
+                _ = &mut shutdown_rx => {
+                    break;
+                }
+                _ = ticker.tick() => {
+                    credential.cleanup_expired_now().await;
+                }
+            }
+        }
+    });
+
+    CredentialCleanupHandle {
+        shutdown: Some(shutdown_tx),
+        task,
+    }
+}
+
+pub(super) struct CredentialCleanupHandle {
+    shutdown: Option<oneshot::Sender<()>>,
+    task: JoinHandle<()>,
+}
+
+impl CredentialCleanupHandle {
+    pub(super) fn stop(mut self) {
+        if let Some(tx) = self.shutdown.take() {
+            let _ = tx.send(());
+        }
+        self.task.abort();
+    }
+}
diff --git a/crates/tunnel/src/direct/endpoint.rs b/crates/tunnel/src/direct/endpoint.rs
new file mode 100644
index 0000000..a76a672
--- /dev/null
+++ b/crates/tunnel/src/direct/endpoint.rs
@@ -0,0 +1,408 @@
+use std::{
+    io,
+    net::SocketAddr,
+    sync::{Arc, Mutex},
+    time::Duration,
+};
+
+use lapdev_common::devbox::DirectTunnelConfig;
+use quinn::{self, AsyncUdpSocket, Connection, Endpoint, Incoming};
+use tokio::{net::UdpSocket as TokioUdpSocket, time::timeout};
+use tracing::{debug, info, warn};
+
+use crate::{client::TunnelClient, error::TunnelError, run_tunnel_server};
+
+use super::{
+    credential::{start_credential_cleanup, CredentialCleanupHandle, DirectCredentialStore},
+    handshake::{read_server_ack, read_token, write_server_ack, write_token},
+    probe,
+    stun::{default_stun_servers, run_stun_probes, start_stun_keepalive, StunKeepaliveHandle},
+    transport::{build_server_config, client_config_with_pinned_certificate},
+    udp::DirectUdpSocket,
+};
+
+const DIRECT_SERVER_NAME: &str = "lapdev.devbox";
+const DIRECT_CONNECT_TIMEOUT: Duration = Duration::from_secs(3);
+const DEFAULT_STUN_KEEPALIVE_INTERVAL: Duration = Duration::from_secs(20);
+const MAX_PROBES: usize = 6;
+const PROBE_INTERVAL_MS: u64 = 500;
+
+/// Options controlling direct QUIC server behavior.
+#[derive(Debug, Clone)]
+pub struct DirectEndpointOptions {
+    /// STUN servers that should be queried to discover the server's reflexive address.
+    pub stun_servers: Vec<SocketAddr>,
+    /// How long to wait for a STUN response.
+    pub stun_timeout: Duration,
+    /// How often to send STUN keepalive probes.
+    pub stun_keepalive_interval: Option<Duration>,
+}
+
+impl Default for DirectEndpointOptions {
+    fn default() -> Self {
+        Self {
+            stun_servers: Vec::new(),
+            stun_timeout: Duration::from_millis(750),
+            stun_keepalive_interval: Some(DEFAULT_STUN_KEEPALIVE_INTERVAL),
+        }
+    }
+}
+
+/// Wrapper that pairs a Quinn endpoint with NAT discovery metadata.
+#[derive(Clone)]
+pub struct DirectEndpoint {
+    endpoint: Endpoint,
+    observed_addr: Arc<Mutex<Option<SocketAddr>>>,
+    server_certificate: Arc<Vec<u8>>,
+    credential: Arc<DirectCredentialStore>,
+    hole_punch_socket: Arc<TokioUdpSocket>,
+    stun_keepalive: Arc<Mutex<Option<StunKeepaliveHandle>>>,
+    credential_cleanup: Arc<Mutex<Option<CredentialCleanupHandle>>>,
+}
+
+impl DirectEndpoint {
+    /// Bind a new endpoint on 0.0.0.0:0 using the default STUN servers.
+    pub async fn bind() -> Result<Self, TunnelError> {
+        Self::bind_on(([0, 0, 0, 0], 0).into()).await
+    }
+
+    /// Bind on the provided address using the default STUN servers.
+    pub async fn bind_on(bind_addr: SocketAddr) -> Result<Self, TunnelError> {
+        let options = DirectEndpointOptions {
+            stun_servers: default_stun_servers(),
+            ..Default::default()
+        };
+        Self::bind_with_options(bind_addr, options).await
+    }
+
+    /// Bind using custom STUN options with the default Quinn configuration.
+    pub async fn bind_with_options(
+        bind_addr: SocketAddr,
+        options: DirectEndpointOptions,
+    ) -> Result<Self, TunnelError> {
+        Self::bind_with_quinn_config(bind_addr, quinn::EndpointConfig::default(), None, options)
+            .await
+    }
+
+    /// Bind with custom Quinn configuration and STUN options.
+    pub async fn bind_with_quinn_config(
+        bind_addr: SocketAddr,
+        endpoint_config: quinn::EndpointConfig,
+        server_config: Option<(quinn::ServerConfig, Vec<u8>)>,
+        options: DirectEndpointOptions,
+    ) -> Result<Self, TunnelError> {
+        let socket = TokioUdpSocket::bind(bind_addr)
+            .await
+            .map_err(|err| TunnelError::Transport(io::Error::other(err)))?;
+        Self::from_bound_socket(socket, endpoint_config, server_config, options).await
+    }
+
+    /// Construct from an already-bound socket, applying the provided Quinn configuration.
+    pub async fn from_bound_socket(
+        socket: TokioUdpSocket,
+        endpoint_config: quinn::EndpointConfig,
+        server_config: Option<(quinn::ServerConfig, Vec<u8>)>,
+        options: DirectEndpointOptions,
+    ) -> Result<Self, TunnelError> {
+        let DirectEndpointOptions {
+            stun_servers,
+            stun_timeout,
+            stun_keepalive_interval,
+        } = options;
+
+        let keepalive_interval = stun_keepalive_interval;
+        let keepalive_servers = stun_servers.clone();
+
+        let direct_udp_socket = Arc::new(
+            DirectUdpSocket::new(socket)
+                .map_err(|err| TunnelError::Transport(io::Error::other(err)))?,
+        );
+        let hole_punch_socket = direct_udp_socket.io();
+
+        let (server_config, server_certificate) = match server_config {
+            Some((config, cert)) => (config, Arc::new(cert)),
+            None => {
+                let (config, cert) = build_server_config()?;
+                (config, Arc::new(cert))
+            }
+        };
+
+        let runtime = quinn::default_runtime()
+            .ok_or_else(|| TunnelError::Transport(io::Error::other("no async runtime found")))?;
+        let endpoint = Endpoint::new_with_abstract_socket(
+            endpoint_config,
+            Some(server_config),
+            Arc::clone(&direct_udp_socket) as Arc<dyn AsyncUdpSocket>,
+            runtime,
+        )
+        .map_err(|err| TunnelError::Transport(io::Error::other(err)))?;
+
+        let initial_observed_addr = if stun_servers.is_empty() {
+            None
+        } else {
+            match run_stun_probes(Arc::clone(&direct_udp_socket), &stun_servers, stun_timeout).await
+            {
+                Ok(addr) => addr,
+                Err(err) => {
+                    warn!(error = %err, "STUN probe failed");
+                    None
+                }
+            }
+        };
+        let observed_addr = Arc::new(Mutex::new(initial_observed_addr));
+
+        let stun_keepalive = match keepalive_interval {
+            Some(interval) if !keepalive_servers.is_empty() => Some(start_stun_keepalive(
+                Arc::clone(&direct_udp_socket),
+                keepalive_servers,
+                interval,
+                stun_timeout,
+                Arc::clone(&observed_addr),
+            )),
+            _ => None,
+        };
+
+        let credential = Arc::new(DirectCredentialStore::new());
+        let cleanup_handle = start_credential_cleanup(Arc::clone(&credential));
+
+        Ok(Self {
+            endpoint,
+            observed_addr,
+            server_certificate,
+            credential,
+            hole_punch_socket,
+            stun_keepalive: Arc::new(Mutex::new(stun_keepalive)),
+            credential_cleanup: Arc::new(Mutex::new(Some(cleanup_handle))),
+        })
+    }
+
+    pub fn endpoint(&self) -> Endpoint {
+        self.endpoint.clone()
+    }
+
+    pub fn observed_addr(&self) -> Option<SocketAddr> {
+        *self
+            .observed_addr
+            .lock()
+            .expect("observed addr mutex poisoned")
+    }
+
+    pub fn server_certificate(&self) -> &[u8] {
+        self.server_certificate.as_slice()
+    }
+
+    pub fn credential(&self) -> &DirectCredentialStore {
+        &self.credential
+    }
+
+    /// Send a STUN-like UDP probe to the provided address to prime NAT state.
+    pub async fn send_probe(&self, addr: SocketAddr, client: bool) -> Result<(), TunnelError> {
+        let mut probes_sent = 0usize;
+        let source_addr = self.observed_addr();
+        loop {
+            let payload = if client {
+                probe::build_request_probe_payload()
+            } else {
+                probe::build_response_probe_payload(addr)
+            };
+            self.hole_punch_socket
+                .send_to(&payload, addr)
+                .await
+                .map(|_| ())
+                .map_err(|err| TunnelError::Transport(io::Error::other(err)))?;
+            tracing::info!("Sending hole-punch probe from {source_addr:?} to {addr}");
+            probes_sent += 1;
+            if probes_sent >= MAX_PROBES {
+                break;
+            }
+            tokio::time::sleep(Duration::from_millis(PROBE_INTERVAL_MS)).await;
+        }
+
+        Ok(())
+    }
+
+    pub async fn connect_tunnel(
+        &self,
+        config: &DirectTunnelConfig,
+    ) -> Result<TunnelClient, TunnelError> {
+        match timeout(DIRECT_CONNECT_TIMEOUT, self.connect_tunnel_inner(config)).await {
+            Ok(result) => result,
+            Err(_) => Err(TunnelError::Transport(io::Error::new(
+                io::ErrorKind::TimedOut,
+                format!(
+                    "direct tunnel attempt exceeded {}s",
+                    DIRECT_CONNECT_TIMEOUT.as_secs()
+                ),
+            ))),
+        }
+    }
+
+    async fn connect_tunnel_inner(
+        &self,
+        config: &DirectTunnelConfig,
+    ) -> Result<TunnelClient, TunnelError> {
+        let server_cert = config
+            .server_certificate
+            .as_deref()
+            .ok_or_else(|| TunnelError::Remote("direct server certificate missing".into()))?;
+        let client_config = client_config_with_pinned_certificate(server_cert)?;
+        let target_addr = config
+            .stun_observed_addr
+            .ok_or_else(|| TunnelError::Remote("direct server STUN address unavailable".into()))?;
+
+        {
+            let endpoint = self.clone();
+            tokio::spawn(async move {
+                let _ = endpoint.send_probe(target_addr, true).await;
+            });
+        }
+
+        debug!(candidate = %target_addr, "Attempting direct QUIC connect via STUN address");
+        let connecting = self
+            .endpoint
+            .connect_with(client_config, target_addr, DIRECT_SERVER_NAME)
+            .map_err(|err| {
+                warn!(
+                    candidate = %target_addr,
+                    error = %err,
+                    "Unable to initiate direct QUIC connect"
+                );
+                TunnelError::Transport(std::io::Error::other(err))
+            })?;
+
+        match connecting.await {
+            Ok(connection) => {
+                match self
+                    .establish_client_connection(connection, &config.credential.token)
+                    .await
+                {
+                    Ok(connection) => {
+                        info!(peer = %target_addr, "Direct QUIC tunnel established");
+                        Ok(TunnelClient::new_direct(connection))
+                    }
+                    Err(err) => {
+                        warn!(
+                            candidate = %target_addr,
+                            error = %err,
+                            "Direct QUIC handshake failed"
+                        );
+                        Err(err)
+                    }
+                }
+            }
+            Err(err) => {
+                warn!(
+                    candidate = %target_addr,
+                    error = %err,
+                    "Direct QUIC connect failed"
+                );
+                Err(TunnelError::Transport(std::io::Error::other(err)))
+            }
+        }
+    }
+
+    async fn establish_client_connection(
+        &self,
+        connection: Connection,
+        token: &str,
+    ) -> Result<Connection, TunnelError> {
+        let (mut send, mut recv) = connection
+            .open_bi()
+            .await
+            .map_err(|err| TunnelError::Transport(std::io::Error::other(err)))?;
+        write_token(&mut send, token).await?;
+        read_server_ack(&mut recv).await?;
+        send.finish()
+            .map_err(|err| TunnelError::Transport(std::io::Error::other(err)))?;
+        Ok(connection)
+    }
+
+    pub fn local_addr(&self) -> Result<SocketAddr, TunnelError> {
+        self.endpoint
+            .local_addr()
+            .map_err(|err| TunnelError::Transport(std::io::Error::other(err)))
+    }
+
+    pub fn close(&self) {
+        self.endpoint
+            .close(0u32.into(), b"direct endpoint shutdown");
+        self.stop_stun_keepalive();
+        self.stop_credential_cleanup();
+    }
+
+    fn stop_stun_keepalive(&self) {
+        if let Some(handle) = self
+            .stun_keepalive
+            .lock()
+            .expect("stun keepalive mutex poisoned")
+            .take()
+        {
+            handle.stop();
+        }
+    }
+
+    fn stop_credential_cleanup(&self) {
+        if let Some(handle) = self
+            .credential_cleanup
+            .lock()
+            .expect("credential cleanup mutex poisoned")
+            .take()
+        {
+            handle.stop();
+        }
+    }
+
+    pub async fn start_tunnel_server(&self) {
+        let local_addr = self.endpoint.local_addr().ok();
+        let observed_addr = self.observed_addr();
+        info!(
+            ?local_addr,
+            ?observed_addr,
+            "Direct tunnel server listening for incoming peers"
+        );
+        while let Some(incoming) = self.endpoint.accept().await {
+            debug!("Direct endpoint received incoming QUIC connection");
+            let endpoint = self.clone();
+            tokio::spawn(async move {
+                if let Err(err) = endpoint.handle_incoming(incoming).await {
+                    warn!(error = %err, "Direct tunnel connection ended with error");
+                }
+            });
+        }
+        warn!("Direct endpoint stopped accepting incoming connections");
+    }
+
+    async fn handle_incoming(&self, incoming: Incoming) -> Result<(), TunnelError> {
+        let connecting = incoming
+            .accept()
+            .map_err(|err| TunnelError::Transport(std::io::Error::other(err)))?;
+
+        let connection = connecting
+            .await
+            .map_err(|err| TunnelError::Transport(std::io::Error::other(err)))?;
+        let remote_addr = connection.remote_address();
+        let (mut send, mut recv) = connection
+            .accept_bi()
+            .await
+            .map_err(|err| TunnelError::Transport(std::io::Error::other(err)))?;
+
+        let presented = read_token(&mut recv).await?;
+        if !self.credential.remove(&presented).await {
+            warn!(?remote_addr, "Direct endpoint rejected invalid credential");
+            return Err(TunnelError::Remote("invalid direct credential".into()));
+        }
+
+        debug!(
+            ?remote_addr,
+            "Direct endpoint authenticated peer credential"
+        );
+        write_server_ack(&mut send).await?;
+        send.finish()
+            .map_err(|err| TunnelError::Transport(std::io::Error::other(err)))?;
+
+        info!(?remote_addr, "Direct endpoint established tunnel session");
+        run_tunnel_server(connection).await?;
+
+        Ok(())
+    }
+}
diff --git a/crates/tunnel/src/direct/handshake.rs b/crates/tunnel/src/direct/handshake.rs
new file mode 100644
index 0000000..e15422c
--- /dev/null
+++ b/crates/tunnel/src/direct/handshake.rs
@@ -0,0 +1,62 @@
+use std::io;
+
+use quinn::{RecvStream, SendStream};
+use tokio::io::{AsyncReadExt, AsyncWriteExt};
+
+use crate::error::TunnelError;
+
+const HANDSHAKE_MAX_TOKEN_LEN: usize = u16::MAX as usize;
+
+pub(crate) async fn write_token(stream: &mut SendStream, token: &str) -> Result<(), TunnelError> {
+    let token_bytes = token.as_bytes();
+    if token_bytes.len() > HANDSHAKE_MAX_TOKEN_LEN {
+        return Err(TunnelError::Remote("direct credential too long".into()));
+    }
+    stream
+        .write_u16(token_bytes.len() as u16)
+        .await
+        .map_err(|err| TunnelError::Transport(io::Error::other(err)))?;
+    stream
+        .write_all(token_bytes)
+        .await
+        .map_err(|err| TunnelError::Transport(io::Error::other(err)))?;
+    stream
+        .flush()
+        .await
+        .map_err(|err| TunnelError::Transport(io::Error::other(err)))?;
+    Ok(())
+}
+
+pub(crate) async fn read_token(stream: &mut RecvStream) -> Result<String, TunnelError> {
+    let len = stream
+        .read_u16()
+        .await
+        .map_err(|err| TunnelError::Transport(io::Error::other(err)))?;
+    let mut buf = vec![0u8; len as usize];
+    stream
+        .read_exact(&mut buf)
+        .await
+        .map_err(|err| TunnelError::Transport(io::Error::other(err)))?;
+    String::from_utf8(buf).map_err(|_| TunnelError::Remote("invalid credential encoding".into()))
+}
+
+pub(crate) async fn read_server_ack(stream: &mut RecvStream) -> Result<(), TunnelError> {
+    let ack = stream
+        .read_u8()
+        .await
+        .map_err(|err| TunnelError::Transport(io::Error::other(err)))?;
+    if ack == 1 {
+        Ok(())
+    } else {
+        Err(TunnelError::Remote(
+            "direct server rejected credential".into(),
+        ))
+    }
+}
+
+pub(crate) async fn write_server_ack(stream: &mut SendStream) -> Result<(), TunnelError> {
+    stream
+        .write_all(&[1u8])
+        .await
+        .map_err(|err| TunnelError::Transport(io::Error::other(err)))
+}
diff --git a/crates/tunnel/src/direct/mod.rs b/crates/tunnel/src/direct/mod.rs
new file mode 100644
index 0000000..34f384f
--- /dev/null
+++ b/crates/tunnel/src/direct/mod.rs
@@ -0,0 +1,14 @@
+mod credential;
+mod endpoint;
+mod handshake;
+mod probe;
+mod stun;
+mod transport;
+mod udp;
+
+pub use credential::DirectCredentialStore;
+pub use endpoint::{DirectEndpoint, DirectEndpointOptions};
+pub(crate) use transport::{build_server_config, client_config};
+
+#[cfg(test)]
+mod tests;
diff --git a/crates/tunnel/src/direct/probe.rs b/crates/tunnel/src/direct/probe.rs
new file mode 100644
index 0000000..b468b80
--- /dev/null
+++ b/crates/tunnel/src/direct/probe.rs
@@ -0,0 +1,76 @@
+use std::net::{IpAddr, SocketAddr};
+
+use rand::{rng, RngCore};
+
+use super::stun::{
+    STUN_BINDING_REQUEST, STUN_BINDING_SUCCESS, STUN_HEADER_SIZE, STUN_MAGIC_COOKIE,
+};
+
+const STUN_ATTR_XOR_MAPPED_ADDRESS: u16 = 0x0020;
+
+/// Build a STUN Binding Success response carrying an XOR-MAPPED-ADDRESS payload.
+pub(super) fn build_response_probe_payload(target: SocketAddr) -> Vec<u8> {
+    let mut rng = rng();
+    let mut transaction_id = [0u8; 12];
+    rng.fill_bytes(&mut transaction_id);
+
+    let attr = encode_xor_mapped_address(target, &transaction_id);
+    let mut packet = vec![0u8; STUN_HEADER_SIZE + attr.len()];
+    packet[..2].copy_from_slice(&STUN_BINDING_SUCCESS.to_be_bytes());
+    packet[2..4].copy_from_slice(&(attr.len() as u16).to_be_bytes());
+    packet[4..8].copy_from_slice(&STUN_MAGIC_COOKIE.to_be_bytes());
+    packet[8..20].copy_from_slice(&transaction_id);
+    packet[STUN_HEADER_SIZE..].copy_from_slice(&attr);
+    packet
+}
+
+/// Build a STUN Binding Request payload.
+pub(super) fn build_request_probe_payload() -> Vec<u8> {
+    let mut rng = rng();
+    let mut transaction_id = [0u8; 12];
+    rng.fill_bytes(&mut transaction_id);
+
+    let mut packet = vec![0u8; STUN_HEADER_SIZE];
+    packet[..2].copy_from_slice(&STUN_BINDING_REQUEST.to_be_bytes());
+    // Message length remains zero
+    packet[4..8].copy_from_slice(&STUN_MAGIC_COOKIE.to_be_bytes());
+    packet[8..20].copy_from_slice(&transaction_id);
+    packet
+}
+
+fn encode_xor_mapped_address(addr: SocketAddr, transaction_id: &[u8; 12]) -> Vec<u8> {
+    let (family, raw_ip_bytes, port_bytes) = match addr.ip() {
+        IpAddr::V4(v4) => {
+            let port = addr.port() ^ (STUN_MAGIC_COOKIE >> 16) as u16;
+            let mut ip_bytes = v4.octets();
+            for (idx, byte) in STUN_MAGIC_COOKIE.to_be_bytes().iter().enumerate() {
+                ip_bytes[idx] ^= byte;
+            }
+            (0x01, ip_bytes.to_vec(), port.to_be_bytes())
+        }
+        IpAddr::V6(v6) => {
+            let port = addr.port() ^ (STUN_MAGIC_COOKIE >> 16) as u16;
+            let mut ip_bytes = v6.octets();
+            let cookie = STUN_MAGIC_COOKIE.to_be_bytes();
+            for idx in 0..16 {
+                let xor_byte = if idx < 4 {
+                    cookie[idx]
+                } else {
+                    transaction_id[idx - 4]
+                };
+                ip_bytes[idx] ^= xor_byte;
+            }
+            (0x02, ip_bytes.to_vec(), port.to_be_bytes())
+        }
+    };
+
+    let value_len = 4 + raw_ip_bytes.len();
+    let mut attr = vec![0u8; 4 + value_len];
+    attr[..2].copy_from_slice(&STUN_ATTR_XOR_MAPPED_ADDRESS.to_be_bytes());
+    attr[2..4].copy_from_slice(&(value_len as u16).to_be_bytes());
+    attr[4] = 0;
+    attr[5] = family;
+    attr[6..8].copy_from_slice(&port_bytes);
+    attr[8..8 + raw_ip_bytes.len()].copy_from_slice(&raw_ip_bytes);
+    attr
+}
diff --git a/crates/tunnel/src/direct/stun.rs b/crates/tunnel/src/direct/stun.rs
new file mode 100644
index 0000000..d0e1634
--- /dev/null
+++ b/crates/tunnel/src/direct/stun.rs
@@ -0,0 +1,327 @@
+use std::{
+    io,
+    net::{IpAddr, Ipv4Addr, Ipv6Addr, SocketAddr, ToSocketAddrs},
+    sync::{Arc, Mutex},
+    time::Duration,
+};
+
+use rand::random;
+use tokio::{
+    sync::oneshot,
+    task::JoinHandle,
+    time::{self, timeout, MissedTickBehavior},
+};
+use tracing::{debug, info, warn};
+
+use super::udp::DirectUdpSocket;
+
+const DEFAULT_STUN_ENDPOINTS: &[&str] = &[
+    "stun.l.google.com:19302",
+    "stun1.l.google.com:19302",
+    "stun2.l.google.com:19302",
+];
+pub(super) const STUN_MAGIC_COOKIE: u32 = 0x2112_A442;
+pub(super) const STUN_HEADER_SIZE: usize = 20;
+pub(super) const STUN_BINDING_REQUEST: u16 = 0x0001;
+pub(super) const STUN_BINDING_SUCCESS: u16 = 0x0101;
+const STUN_ATTR_MAPPED_ADDRESS: u16 = 0x0001;
+const STUN_ATTR_XOR_MAPPED_ADDRESS: u16 = 0x0020;
+
+pub(super) async fn run_stun_probes(
+    socket: Arc<DirectUdpSocket>,
+    servers: &[SocketAddr],
+    wait_timeout: Duration,
+) -> io::Result<Option<SocketAddr>> {
+    if servers.is_empty() {
+        return Ok(None);
+    }
+
+    let mut result = Ok(None);
+    for server in servers {
+        match send_async_stun_binding_request(Arc::clone(&socket), *server, wait_timeout).await {
+            Ok(Some(addr)) => {
+                debug!(?server, observed = %addr, "STUN reported public address");
+                result = Ok(Some(addr));
+                break;
+            }
+            Ok(None) => {
+                debug!(?server, "STUN response missing mapped address attribute");
+            }
+            Err(err)
+                if matches!(
+                    err.kind(),
+                    io::ErrorKind::WouldBlock | io::ErrorKind::TimedOut
+                ) =>
+            {
+                debug!(?server, "STUN probe timed out");
+            }
+            Err(err) => {
+                warn!(?server, error = %err, "STUN probe error");
+            }
+        }
+    }
+
+    result
+}
+
+async fn send_async_stun_binding_request(
+    socket: Arc<DirectUdpSocket>,
+    server: SocketAddr,
+    wait_timeout: Duration,
+) -> io::Result<Option<SocketAddr>> {
+    let transaction_id: [u8; 12] = random();
+
+    let mut request = [0u8; STUN_HEADER_SIZE];
+    request[0] = (STUN_BINDING_REQUEST >> 8) as u8;
+    request[1] = STUN_BINDING_REQUEST as u8;
+    request[2] = 0;
+    request[3] = 0;
+    request[4..8].copy_from_slice(&STUN_MAGIC_COOKIE.to_be_bytes());
+    request[8..20].copy_from_slice(&transaction_id);
+
+    let response = socket.register_stun_waiter(transaction_id);
+    if let Err(err) = socket.send_raw(&request, server).await {
+        socket.cancel_stun_waiter(&transaction_id);
+        return Err(err);
+    }
+
+    match timeout(wait_timeout, response).await {
+        Ok(Ok(datagram)) => parse_stun_response(&datagram.data, &transaction_id),
+        Ok(Err(_)) => Err(io::Error::new(
+            io::ErrorKind::ConnectionAborted,
+            "STUN waiter dropped",
+        )),
+        Err(_) => {
+            socket.cancel_stun_waiter(&transaction_id);
+            Err(io::Error::new(
+                io::ErrorKind::TimedOut,
+                "STUN keepalive timed out",
+            ))
+        }
+    }
+}
+
+fn parse_stun_response(data: &[u8], transaction_id: &[u8; 12]) -> io::Result<Option<SocketAddr>> {
+    if data.len() < STUN_HEADER_SIZE {
+        return Err(io::Error::new(
+            io::ErrorKind::InvalidData,
+            "STUN response too short",
+        ));
+    }
+
+    let message_type = u16::from_be_bytes([data[0], data[1]]);
+    if message_type != STUN_BINDING_SUCCESS {
+        return Err(io::Error::new(
+            io::ErrorKind::InvalidData,
+            "unexpected STUN response type",
+        ));
+    }
+
+    let message_len = u16::from_be_bytes([data[2], data[3]]) as usize;
+    if data.len() < STUN_HEADER_SIZE + message_len {
+        return Err(io::Error::new(
+            io::ErrorKind::InvalidData,
+            "STUN response truncated",
+        ));
+    }
+
+    if data[4..8] != STUN_MAGIC_COOKIE.to_be_bytes() {
+        return Err(io::Error::new(
+            io::ErrorKind::InvalidData,
+            "invalid STUN magic cookie",
+        ));
+    }
+
+    if data[8..20] != transaction_id[..] {
+        return Err(io::Error::new(
+            io::ErrorKind::InvalidData,
+            "mismatched STUN transaction id",
+        ));
+    }
+
+    let mut offset = STUN_HEADER_SIZE;
+    let end = STUN_HEADER_SIZE + message_len;
+    while offset + 4 <= end {
+        let attr_type = u16::from_be_bytes([data[offset], data[offset + 1]]);
+        let attr_len = u16::from_be_bytes([data[offset + 2], data[offset + 3]]) as usize;
+        let value_start = offset + 4;
+        let value_end = value_start + attr_len;
+        if value_end > data.len() {
+            return Err(io::Error::new(
+                io::ErrorKind::InvalidData,
+                "STUN attribute exceeds message length",
+            ));
+        }
+
+        let value = &data[value_start..value_end];
+        match attr_type {
+            STUN_ATTR_XOR_MAPPED_ADDRESS => {
+                if let Some(addr) = parse_xor_mapped_address(value, transaction_id) {
+                    return Ok(Some(addr));
+                }
+            }
+            STUN_ATTR_MAPPED_ADDRESS => {
+                if let Some(addr) = parse_mapped_address(value) {
+                    return Ok(Some(addr));
+                }
+            }
+            _ => {}
+        }
+
+        let padding = (4 - (attr_len % 4)) % 4;
+        offset = value_end + padding;
+    }
+
+    Ok(None)
+}
+
+fn parse_mapped_address(value: &[u8]) -> Option<SocketAddr> {
+    if value.len() < 4 {
+        return None;
+    }
+    let family = value[1];
+    let port = u16::from_be_bytes([value[2], value[3]]);
+    match family {
+        0x01 => {
+            if value.len() < 8 {
+                return None;
+            }
+            let addr = Ipv4Addr::new(value[4], value[5], value[6], value[7]);
+            Some(SocketAddr::new(IpAddr::V4(addr), port))
+        }
+        0x02 => {
+            if value.len() < 20 {
+                return None;
+            }
+            let mut bytes = [0u8; 16];
+            bytes.copy_from_slice(&value[4..20]);
+            Some(SocketAddr::new(IpAddr::V6(Ipv6Addr::from(bytes)), port))
+        }
+        _ => None,
+    }
+}
+
+fn parse_xor_mapped_address(value: &[u8], transaction_id: &[u8; 12]) -> Option<SocketAddr> {
+    if value.len() < 4 {
+        return None;
+    }
+    let family = value[1];
+    let mut port = u16::from_be_bytes([value[2], value[3]]);
+    port ^= (STUN_MAGIC_COOKIE >> 16) as u16;
+    match family {
+        0x01 => {
+            if value.len() < 8 {
+                return None;
+            }
+            let cookie = STUN_MAGIC_COOKIE.to_be_bytes();
+            let mut addr = [0u8; 4];
+            for i in 0..4 {
+                addr[i] = value[4 + i] ^ cookie[i];
+            }
+            Some(SocketAddr::new(
+                IpAddr::V4(Ipv4Addr::new(addr[0], addr[1], addr[2], addr[3])),
+                port,
+            ))
+        }
+        0x02 => {
+            if value.len() < 20 {
+                return None;
+            }
+            let cookie = STUN_MAGIC_COOKIE.to_be_bytes();
+            let mut addr = [0u8; 16];
+            for i in 0..16 {
+                let xor_byte = if i < 4 {
+                    cookie[i]
+                } else {
+                    transaction_id[i - 4]
+                };
+                addr[i] = value[4 + i] ^ xor_byte;
+            }
+            Some(SocketAddr::new(IpAddr::V6(Ipv6Addr::from(addr)), port))
+        }
+        _ => None,
+    }
+}
+
+pub(super) fn default_stun_servers() -> Vec<SocketAddr> {
+    DEFAULT_STUN_ENDPOINTS
+        .iter()
+        .filter_map(|endpoint| endpoint.to_socket_addrs().ok()?.find(|a| a.is_ipv4()))
+        .collect()
+}
+
+pub(super) fn start_stun_keepalive(
+    socket: Arc<DirectUdpSocket>,
+    servers: Vec<SocketAddr>,
+    interval: Duration,
+    timeout: Duration,
+    observed_addr: Arc<Mutex<Option<SocketAddr>>>,
+) -> StunKeepaliveHandle {
+    let (shutdown_tx, mut shutdown_rx) = oneshot::channel();
+    let mut ticker = time::interval(interval);
+    ticker.set_missed_tick_behavior(MissedTickBehavior::Delay);
+    let task = tokio::spawn({
+        let servers = servers.clone();
+        let socket = Arc::clone(&socket);
+        let observed_addr = Arc::clone(&observed_addr);
+        async move {
+            loop {
+                tokio::select! {
+                    _ = &mut shutdown_rx => {
+                        break;
+                    }
+                    _ = ticker.tick() => {
+                        for server in &servers {
+                            match send_async_stun_binding_request(Arc::clone(&socket), *server, timeout).await {
+                                Ok(Some(addr)) => {
+                                    if update_observed_addr(&observed_addr, addr) {
+                                        info!(?server, ?addr, "Updated STUN observed address");
+                                    }
+                                }
+                                Ok(None) => {
+                                    debug!(?server, "STUN keepalive response missing mapped address");
+                                }
+                                Err(err) => {
+                                    debug!(?server, error = %err, "STUN keepalive request failed");
+                                }
+                            }
+                        }
+                    }
+                }
+            }
+        }
+    });
+
+    StunKeepaliveHandle {
+        shutdown: Some(shutdown_tx),
+        task,
+    }
+}
+
+fn update_observed_addr(
+    observed_addr: &Arc<Mutex<Option<SocketAddr>>>,
+    new_addr: SocketAddr,
+) -> bool {
+    let mut guard = observed_addr.lock().expect("observed addr mutex poisoned");
+    if guard.map(|current| current != new_addr).unwrap_or(true) {
+        *guard = Some(new_addr);
+        true
+    } else {
+        false
+    }
+}
+
+pub(super) struct StunKeepaliveHandle {
+    shutdown: Option<oneshot::Sender<()>>,
+    task: JoinHandle<()>,
+}
+
+impl StunKeepaliveHandle {
+    pub(super) fn stop(mut self) {
+        info!("StunKeepaliveHandle stop");
+        if let Some(tx) = self.shutdown.take() {
+            let _ = tx.send(());
+        }
+        self.task.abort();
+    }
+}
diff --git a/crates/tunnel/src/direct/tests.rs b/crates/tunnel/src/direct/tests.rs
new file mode 100644
index 0000000..e2c11d3
--- /dev/null
+++ b/crates/tunnel/src/direct/tests.rs
@@ -0,0 +1,267 @@
+use super::{
+    handshake::{read_token, write_server_ack},
+    *,
+};
+use crate::{client::TunnelMode, TunnelError};
+use chrono::{Duration as ChronoDuration, Utc};
+use lapdev_common::devbox::{DirectTunnelConfig, DirectTunnelCredential};
+use rand::random;
+use std::{net::SocketAddr, sync::Arc, time::Duration};
+
+fn config_for_server(addr: SocketAddr, token: &str, certificate: &[u8]) -> DirectTunnelConfig {
+    DirectTunnelConfig {
+        credential: DirectTunnelCredential {
+            token: token.to_string(),
+            expires_at: Utc::now() + ChronoDuration::minutes(5),
+        },
+        server_certificate: Some(certificate.to_vec()),
+        stun_observed_addr: Some(addr),
+    }
+}
+
+async fn accept_direct_connection(endpoint: Arc<DirectEndpoint>) -> Result<String, TunnelError> {
+    let incoming = endpoint
+        .endpoint()
+        .accept()
+        .await
+        .ok_or(TunnelError::ConnectionClosed)?;
+
+    let connecting = incoming
+        .accept()
+        .map_err(|err| TunnelError::Transport(std::io::Error::other(err)))?;
+
+    let connection = connecting
+        .await
+        .map_err(|err| TunnelError::Transport(std::io::Error::other(err)))?;
+    let (mut send, mut recv) = connection
+        .accept_bi()
+        .await
+        .map_err(|err| TunnelError::Transport(std::io::Error::other(err)))?;
+
+    let presented = read_token(&mut recv).await?;
+    if !endpoint.credential().remove(&presented).await {
+        return Err(TunnelError::Remote("invalid direct credential".into()));
+    }
+
+    write_server_ack(&mut send).await?;
+    send.finish()
+        .map_err(|err| TunnelError::Transport(std::io::Error::other(err)))?;
+
+    Ok(presented)
+}
+
+#[tokio::test(flavor = "multi_thread", worker_threads = 2)]
+async fn direct_endpoint_can_bind_on_loopback() {
+    let endpoint = DirectEndpoint::bind_with_options(
+        "127.0.0.1:0".parse().unwrap(),
+        DirectEndpointOptions::default(),
+    )
+    .await
+    .expect("bind direct endpoint");
+    let addr = endpoint.local_addr().expect("local addr");
+    assert!(addr.ip().is_loopback());
+    endpoint.close();
+}
+
+#[tokio::test(flavor = "multi_thread", worker_threads = 2)]
+async fn direct_endpoint_tracks_server_certificate() {
+    let (server_config, certificate) = build_server_config().expect("server config");
+    let certificate_clone = certificate.clone();
+    let endpoint = DirectEndpoint::bind_with_quinn_config(
+        "127.0.0.1:0".parse().unwrap(),
+        quinn::EndpointConfig::default(),
+        Some((server_config, certificate)),
+        DirectEndpointOptions::default(),
+    )
+    .await
+    .expect("bind direct endpoint");
+    let stored = endpoint.server_certificate();
+    assert_eq!(stored, certificate_clone.as_slice());
+    endpoint.close();
+}
+
+#[tokio::test(flavor = "multi_thread", worker_threads = 2)]
+async fn direct_endpoint_can_send_probe() {
+    let endpoint = DirectEndpoint::bind_with_options(
+        "127.0.0.1:0".parse().unwrap(),
+        DirectEndpointOptions::default(),
+    )
+    .await
+    .expect("bind direct endpoint");
+
+    let listener = std::net::UdpSocket::bind("127.0.0.1:0").expect("bind listener");
+    listener
+        .set_read_timeout(Some(Duration::from_secs(1)))
+        .expect("set timeout");
+    let target_addr = listener.local_addr().expect("listener addr");
+    let recv_handle = tokio::task::spawn_blocking(move || {
+        let mut buf = [0u8; 512];
+        listener
+            .recv_from(&mut buf)
+            .map(|(len, addr)| (len, addr, buf))
+    });
+
+    let endpoint_addr = endpoint.local_addr().expect("endpoint addr");
+    endpoint
+        .send_probe(target_addr, false)
+        .await
+        .expect("send probe succeeds");
+
+    let (len, addr, buf) = recv_handle.await.expect("recv join").expect("recv result");
+    assert_eq!(addr.port(), endpoint_addr.port());
+    assert!(len >= super::stun::STUN_HEADER_SIZE);
+    assert_eq!(
+        u16::from_be_bytes([buf[0], buf[1]]),
+        super::stun::STUN_BINDING_SUCCESS
+    );
+    let declared_len = u16::from_be_bytes([buf[2], buf[3]]) as usize;
+    assert_eq!(declared_len, len - super::stun::STUN_HEADER_SIZE);
+    assert_eq!(
+        &buf[4..8],
+        &super::stun::STUN_MAGIC_COOKIE.to_be_bytes(),
+        "STUN magic cookie mismatch"
+    );
+    assert_eq!(
+        u16::from_be_bytes([buf[20], buf[21]]),
+        0x0020,
+        "Expected XOR-MAPPED-ADDRESS attribute"
+    );
+    assert!(buf[super::stun::STUN_HEADER_SIZE..len]
+        .iter()
+        .any(|byte| *byte != 0));
+
+    endpoint.close();
+}
+
+#[tokio::test(flavor = "multi_thread", worker_threads = 2)]
+async fn direct_endpoint_can_connect_tunnel() {
+    let server = Arc::new(
+        DirectEndpoint::bind_with_options(
+            "127.0.0.1:0".parse().unwrap(),
+            DirectEndpointOptions::default(),
+        )
+        .await
+        .expect("bind direct server"),
+    );
+    let client_endpoint = DirectEndpoint::bind_with_options(
+        "127.0.0.1:0".parse().unwrap(),
+        DirectEndpointOptions::default(),
+    )
+    .await
+    .expect("bind client endpoint");
+
+    let token = format!("test-token-{}", random::<u64>());
+    let expires_at = Utc::now() + ChronoDuration::minutes(5);
+    server.credential().insert(token.clone(), expires_at).await;
+
+    let server_addr = server.local_addr().expect("server address");
+    let config = config_for_server(server_addr, &token, server.server_certificate());
+
+    let accept_task = {
+        let server = Arc::clone(&server);
+        tokio::spawn(async move { accept_direct_connection(server).await })
+    };
+
+    let client = client_endpoint
+        .connect_tunnel(&config)
+        .await
+        .expect("connect tunnel");
+    assert_eq!(client.mode(), TunnelMode::Direct);
+
+    let accepted_token = accept_task
+        .await
+        .expect("accept task join")
+        .expect("direct accept");
+    assert_eq!(accepted_token, token);
+
+    client_endpoint.close();
+    server.close();
+}
+
+#[tokio::test(flavor = "multi_thread", worker_threads = 2)]
+async fn connect_direct_tunnel_can_bind_and_connect_on_loopback() {
+    let server = Arc::new(
+        DirectEndpoint::bind_with_options(
+            "127.0.0.1:0".parse().unwrap(),
+            DirectEndpointOptions::default(),
+        )
+        .await
+        .expect("bind direct server"),
+    );
+
+    let token = format!("test-token-{}", random::<u64>());
+    let expires_at = Utc::now() + ChronoDuration::minutes(5);
+    server.credential().insert(token.clone(), expires_at).await;
+
+    let server_addr = server.local_addr().expect("server address");
+    let config = config_for_server(server_addr, &token, server.server_certificate());
+
+    let accept_task = {
+        let server = Arc::clone(&server);
+        tokio::spawn(async move { accept_direct_connection(server).await })
+    };
+
+    let client = server
+        .connect_tunnel(&config)
+        .await
+        .expect("direct connect succeeded");
+    assert_eq!(client.mode(), TunnelMode::Direct);
+
+    let accepted_token = accept_task
+        .await
+        .expect("accept task join")
+        .expect("direct accept");
+    assert_eq!(accepted_token, token);
+
+    server.close();
+}
+
+#[tokio::test(flavor = "multi_thread", worker_threads = 2)]
+async fn direct_server_can_reuse_endpoint_for_outbound_connects() {
+    let listener = Arc::new(
+        DirectEndpoint::bind_with_options(
+            "127.0.0.1:0".parse().unwrap(),
+            DirectEndpointOptions::default(),
+        )
+        .await
+        .expect("bind listener"),
+    );
+    let dialer = Arc::new(
+        DirectEndpoint::bind_with_options(
+            "127.0.0.1:0".parse().unwrap(),
+            DirectEndpointOptions::default(),
+        )
+        .await
+        .expect("bind dialer"),
+    );
+
+    let token = format!("test-token-{}", random::<u64>());
+    let expires_at = Utc::now() + ChronoDuration::minutes(5);
+    listener
+        .credential()
+        .insert(token.clone(), expires_at)
+        .await;
+
+    let server_addr = listener.local_addr().expect("listener addr");
+    let config = config_for_server(server_addr, &token, listener.server_certificate());
+
+    let accept_task = {
+        let listener = Arc::clone(&listener);
+        tokio::spawn(async move { accept_direct_connection(listener).await })
+    };
+
+    let client = dialer
+        .connect_tunnel(&config)
+        .await
+        .expect("outbound connect");
+    assert_eq!(client.mode(), TunnelMode::Direct);
+
+    let accepted_token = accept_task
+        .await
+        .expect("accept task join")
+        .expect("listener accept");
+    assert_eq!(accepted_token, token);
+
+    listener.close();
+    dialer.close();
+}
diff --git a/crates/tunnel/src/direct/transport.rs b/crates/tunnel/src/direct/transport.rs
new file mode 100644
index 0000000..d527c87
--- /dev/null
+++ b/crates/tunnel/src/direct/transport.rs
@@ -0,0 +1,121 @@
+use std::{sync::Arc, time::Duration};
+
+use quinn::rustls::{
+    self,
+    client::danger::{HandshakeSignatureValid, ServerCertVerified, ServerCertVerifier},
+    pki_types::{CertificateDer, PrivatePkcs8KeyDer, ServerName, UnixTime},
+    DigitallySignedStruct, SignatureScheme,
+};
+use quinn::{self, IdleTimeout, TransportConfig};
+use rcgen::generate_simple_self_signed;
+
+use crate::error::TunnelError;
+
+const CERTIFICATE_ALT_NAMES: &[&str] = &["lapdev.devbox", "lapdev-direct", "lapdev-relay"];
+const QUIC_KEEP_ALIVE_INTERVAL_SECS: u64 = 15;
+const QUIC_IDLE_TIMEOUT_SECS: u64 = 60 * 60;
+
+pub(crate) fn build_server_config() -> Result<(quinn::ServerConfig, Vec<u8>), TunnelError> {
+    let names: Vec<String> = CERTIFICATE_ALT_NAMES
+        .iter()
+        .map(|name| name.to_string())
+        .collect();
+    let rcgen::CertifiedKey { cert, signing_key } = generate_simple_self_signed(names)
+        .map_err(|err| TunnelError::Transport(std::io::Error::other(err)))?;
+    let cert_der_bytes = cert.der().as_ref().to_vec();
+    let cert_chain = vec![CertificateDer::from(cert)];
+    let private_key = PrivatePkcs8KeyDer::from(signing_key.serialize_der());
+
+    let mut config = quinn::ServerConfig::with_single_cert(cert_chain, private_key.into())
+        .map_err(|err| TunnelError::Transport(std::io::Error::other(err)))?;
+    config.transport_config(tunnel_transport_config()?);
+    Ok((config, cert_der_bytes))
+}
+
+pub(super) fn client_config_with_pinned_certificate(
+    server_certificate: &[u8],
+) -> Result<quinn::ClientConfig, TunnelError> {
+    let mut roots = rustls::RootCertStore::empty();
+    roots
+        .add(CertificateDer::from(server_certificate.to_vec()))
+        .map_err(|err| TunnelError::Transport(std::io::Error::other(err)))?;
+
+    let mut crypto = rustls::ClientConfig::builder()
+        .with_root_certificates(Arc::new(roots))
+        .with_no_client_auth();
+    crypto.enable_early_data = true;
+
+    let quic_crypto = quinn::crypto::rustls::QuicClientConfig::try_from(Arc::new(crypto))
+        .expect("invalid QUIC client crypto config");
+    let mut client_config = quinn::ClientConfig::new(Arc::new(quic_crypto));
+    client_config.transport_config(tunnel_transport_config()?);
+    Ok(client_config)
+}
+
+pub(crate) fn client_config() -> Result<quinn::ClientConfig, TunnelError> {
+    let roots = Arc::new(rustls::RootCertStore::empty());
+    let mut crypto = rustls::ClientConfig::builder()
+        .with_root_certificates(roots)
+        .with_no_client_auth();
+    crypto
+        .dangerous()
+        .set_certificate_verifier(Arc::new(SkipServerVerification));
+    crypto.enable_early_data = true;
+
+    let quic_crypto = quinn::crypto::rustls::QuicClientConfig::try_from(Arc::new(crypto))
+        .expect("invalid QUIC client crypto config");
+    let mut client_config = quinn::ClientConfig::new(Arc::new(quic_crypto));
+    client_config.transport_config(tunnel_transport_config()?);
+    Ok(client_config)
+}
+
+fn tunnel_transport_config() -> Result<Arc<TransportConfig>, TunnelError> {
+    let mut transport = TransportConfig::default();
+    transport.keep_alive_interval(Some(Duration::from_secs(QUIC_KEEP_ALIVE_INTERVAL_SECS)));
+    transport.max_idle_timeout(Some(
+        IdleTimeout::try_from(Duration::from_secs(QUIC_IDLE_TIMEOUT_SECS))
+            .map_err(|err| TunnelError::Transport(std::io::Error::other(err)))?,
+    ));
+    Ok(Arc::new(transport))
+}
+
+#[derive(Debug)]
+struct SkipServerVerification;
+
+impl ServerCertVerifier for SkipServerVerification {
+    fn verify_server_cert(
+        &self,
+        _end_entity: &CertificateDer<'_>,
+        _intermediates: &[CertificateDer<'_>],
+        _server_name: &ServerName<'_>,
+        _ocsp_response: &[u8],
+        _now: UnixTime,
+    ) -> Result<ServerCertVerified, rustls::Error> {
+        Ok(ServerCertVerified::assertion())
+    }
+
+    fn verify_tls12_signature(
+        &self,
+        _message: &[u8],
+        _cert: &CertificateDer<'_>,
+        _dss: &DigitallySignedStruct,
+    ) -> Result<HandshakeSignatureValid, rustls::Error> {
+        Ok(HandshakeSignatureValid::assertion())
+    }
+
+    fn verify_tls13_signature(
+        &self,
+        _message: &[u8],
+        _cert: &CertificateDer<'_>,
+        _dss: &DigitallySignedStruct,
+    ) -> Result<HandshakeSignatureValid, rustls::Error> {
+        Ok(HandshakeSignatureValid::assertion())
+    }
+
+    fn supported_verify_schemes(&self) -> Vec<SignatureScheme> {
+        vec![
+            SignatureScheme::RSA_PKCS1_SHA256,
+            SignatureScheme::ECDSA_NISTP256_SHA256,
+        ]
+    }
+}
diff --git a/crates/tunnel/src/direct/udp.rs b/crates/tunnel/src/direct/udp.rs
new file mode 100644
index 0000000..5206723
--- /dev/null
+++ b/crates/tunnel/src/direct/udp.rs
@@ -0,0 +1,232 @@
+use std::{
+    collections::HashMap,
+    future::Future,
+    io,
+    net::SocketAddr,
+    pin::Pin,
+    sync::{Arc, Mutex},
+    task::{ready, Context, Poll},
+};
+
+use quinn::udp::{self, RecvMeta, Transmit};
+use quinn::{AsyncUdpSocket, UdpPoller};
+use tokio::{io::Interest, net::UdpSocket as TokioUdpSocket, sync::oneshot};
+use tracing::{debug, warn};
+
+use super::stun::{STUN_BINDING_SUCCESS, STUN_HEADER_SIZE, STUN_MAGIC_COOKIE};
+
+#[derive(Debug)]
+pub(super) struct DirectUdpSocket {
+    io: Arc<TokioUdpSocket>,
+    inner: udp::UdpSocketState,
+    stun_waiters: Mutex<HashMap<[u8; 12], oneshot::Sender<StunDatagram>>>,
+}
+
+#[derive(Debug)]
+pub(super) struct StunDatagram {
+    pub(super) data: Vec<u8>,
+}
+
+impl DirectUdpSocket {
+    pub(super) fn new(socket: TokioUdpSocket) -> io::Result<Self> {
+        let inner = udp::UdpSocketState::new((&socket).into())?;
+        Ok(Self {
+            io: Arc::new(socket),
+            inner,
+            stun_waiters: Mutex::new(HashMap::new()),
+        })
+    }
+
+    pub(super) fn io(&self) -> Arc<TokioUdpSocket> {
+        Arc::clone(&self.io)
+    }
+
+    pub(super) fn register_stun_waiter(
+        &self,
+        transaction_id: [u8; 12],
+    ) -> oneshot::Receiver<StunDatagram> {
+        let (tx, rx) = oneshot::channel();
+        let mut waiters = self.stun_waiters.lock().expect("stun waiters poisoned");
+        if waiters.insert(transaction_id, tx).is_some() {
+            warn!("STUN waiter already existed for transaction id; replacing");
+        }
+        rx
+    }
+
+    pub(super) fn cancel_stun_waiter(&self, transaction_id: &[u8; 12]) {
+        let mut waiters = self.stun_waiters.lock().expect("stun waiters poisoned");
+        waiters.remove(transaction_id);
+    }
+
+    pub(super) fn try_handle_stun(&self, packet: &[u8], addr: SocketAddr) -> bool {
+        if !Self::is_stun_packet(packet) {
+            return false;
+        }
+
+        let message_type = u16::from_be_bytes([packet[0], packet[1]]);
+        if message_type != STUN_BINDING_SUCCESS {
+            debug!(
+                ?addr,
+                message_type, "Dropping non-success STUN packet received on direct socket"
+            );
+            return true;
+        }
+
+        let mut transaction_id = [0u8; 12];
+        transaction_id.copy_from_slice(&packet[8..20]);
+
+        let sender = {
+            let mut waiters = self.stun_waiters.lock().expect("stun waiters poisoned");
+            waiters.remove(&transaction_id)
+        };
+
+        if let Some(sender) = sender {
+            let _ = sender.send(StunDatagram {
+                data: packet.to_vec(),
+            });
+        } else {
+            debug!(
+                ?addr,
+                transaction_id = ?transaction_id,
+                "Dropping STUN response with no active waiter"
+            );
+        }
+
+        true
+    }
+
+    pub(super) async fn send_raw(&self, payload: &[u8], target: SocketAddr) -> io::Result<usize> {
+        self.io.as_ref().send_to(payload, target).await
+    }
+}
+
+impl AsyncUdpSocket for DirectUdpSocket {
+    fn create_io_poller(self: Arc<Self>) -> Pin<Box<dyn UdpPoller>> {
+        Box::pin(DirectUdpPoller {
+            socket: Arc::clone(&self.io),
+            waiter: Mutex::new(None),
+        })
+    }
+
+    fn try_send(&self, transmit: &Transmit) -> io::Result<()> {
+        let io_ref = self.io.as_ref();
+        io_ref.try_io(Interest::WRITABLE, || {
+            self.inner.send(io_ref.into(), transmit)
+        })
+    }
+
+    fn poll_recv(
+        &self,
+        cx: &mut Context<'_>,
+        bufs: &mut [io::IoSliceMut<'_>],
+        meta: &mut [RecvMeta],
+    ) -> Poll<io::Result<usize>> {
+        let io_ref = self.io.as_ref();
+        loop {
+            ready!(io_ref.poll_recv_ready(cx))?;
+            if let Ok(res) = io_ref.try_io(Interest::READABLE, || {
+                self.inner.recv(io_ref.into(), bufs, meta)
+            }) {
+                let kept = self.filter_stun_packets(bufs, meta, res);
+                if kept == 0 {
+                    continue;
+                }
+                return Poll::Ready(Ok(kept));
+            }
+        }
+    }
+
+    fn local_addr(&self) -> io::Result<SocketAddr> {
+        self.io.local_addr()
+    }
+
+    fn max_transmit_segments(&self) -> usize {
+        self.inner.max_gso_segments()
+    }
+
+    fn max_receive_segments(&self) -> usize {
+        self.inner.gro_segments()
+    }
+
+    fn may_fragment(&self) -> bool {
+        self.inner.may_fragment()
+    }
+}
+
+impl DirectUdpSocket {
+    fn filter_stun_packets(
+        &self,
+        bufs: &mut [io::IoSliceMut<'_>],
+        meta: &mut [RecvMeta],
+        count: usize,
+    ) -> usize {
+        let mut kept = 0;
+        for idx in 0..count {
+            let len = meta[idx].len;
+            let packet = &(*bufs[idx])[..len];
+            if self.try_handle_stun(packet, meta[idx].addr) {
+                continue;
+            }
+
+            if kept != idx {
+                let packet_bytes = packet.to_vec();
+                let target_slice: &mut [u8] = &mut *bufs[kept];
+                target_slice[..len].copy_from_slice(&packet_bytes);
+                meta[kept] = meta[idx];
+            }
+            kept += 1;
+        }
+        kept
+    }
+
+    fn is_stun_packet(packet: &[u8]) -> bool {
+        if packet.len() < STUN_HEADER_SIZE {
+            return false;
+        }
+
+        if packet[0] & 0b1100_0000 != 0 {
+            return false;
+        }
+
+        let message_len = u16::from_be_bytes([packet[2], packet[3]]) as usize;
+        if STUN_HEADER_SIZE + message_len > packet.len() {
+            return false;
+        }
+
+        let cookie = STUN_MAGIC_COOKIE.to_be_bytes();
+        &packet[4..8] == cookie.as_ref()
+    }
+}
+
+struct DirectUdpPoller {
+    socket: Arc<TokioUdpSocket>,
+    waiter: Mutex<Option<Pin<Box<dyn Future<Output = io::Result<()>> + Send>>>>,
+}
+
+impl UdpPoller for DirectUdpPoller {
+    fn poll_writable(self: Pin<&mut Self>, cx: &mut Context<'_>) -> Poll<io::Result<()>> {
+        let mut guard = self.waiter.lock().expect("poller waiter poisoned");
+        if guard.is_none() {
+            let socket = Arc::clone(&self.socket);
+            *guard = Some(Box::pin(async move { socket.writable().await }));
+        }
+
+        if let Some(waiter) = guard.as_mut() {
+            match waiter.as_mut().poll(cx) {
+                Poll::Ready(result) => {
+                    *guard = None;
+                    Poll::Ready(result)
+                }
+                Poll::Pending => Poll::Pending,
+            }
+        } else {
+            Poll::Ready(Ok(()))
+        }
+    }
+}
+
+impl std::fmt::Debug for DirectUdpPoller {
+    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
+        f.debug_struct("DirectUdpPoller").finish()
+    }
+}
diff --git a/crates/tunnel/src/error.rs b/crates/tunnel/src/error.rs
new file mode 100644
index 0000000..8ff21f7
--- /dev/null
+++ b/crates/tunnel/src/error.rs
@@ -0,0 +1,23 @@
+use std::io;
+
+#[derive(thiserror::Error, Debug)]
+pub enum TunnelError {
+    #[error("transport error: {0}")]
+    Transport(#[from] io::Error),
+    #[error("connection closed")]
+    ConnectionClosed,
+    #[error("remote error: {0}")]
+    Remote(String),
+}
+
+impl From<TunnelError> for io::Error {
+    fn from(value: TunnelError) -> Self {
+        match value {
+            TunnelError::Transport(err) => err,
+            TunnelError::ConnectionClosed => {
+                io::Error::new(io::ErrorKind::BrokenPipe, TunnelError::ConnectionClosed)
+            }
+            TunnelError::Remote(reason) => io::Error::other(TunnelError::Remote(reason)),
+        }
+    }
+}
diff --git a/crates/tunnel/src/lib.rs b/crates/tunnel/src/lib.rs
new file mode 100644
index 0000000..fa306e0
--- /dev/null
+++ b/crates/tunnel/src/lib.rs
@@ -0,0 +1,19 @@
+mod client;
+pub mod direct;
+mod error;
+mod message;
+mod relay;
+mod server;
+mod websocket;
+
+pub use client::{TunnelClient, TunnelMode, TunnelTcpConnection, TunnelTcpStream};
+pub use error::TunnelError;
+pub use message::TunnelTarget;
+pub use relay::{relay_client_addr, relay_server_addr, RelayEndpoint, WebSocketUdpSocket};
+pub use server::{
+    run_tunnel_server, run_tunnel_server_with_connector, DynTunnelStream, TcpConnector,
+    TunnelConnector,
+};
+pub use websocket::{
+    websocket_serde_transport, websocket_serde_transport_from_socket, WebSocketTransport,
+};
diff --git a/crates/tunnel/src/message.rs b/crates/tunnel/src/message.rs
new file mode 100644
index 0000000..e033c85
--- /dev/null
+++ b/crates/tunnel/src/message.rs
@@ -0,0 +1,179 @@
+use std::io;
+
+use quinn::{ReadExactError, RecvStream, SendStream};
+use tokio::io::{AsyncReadExt, AsyncWriteExt};
+
+use crate::error::TunnelError;
+
+/// Abstraction representing the remote address a tunnel should connect to.
+#[derive(Debug, Clone)]
+pub struct TunnelTarget {
+    pub host: String,
+    pub port: u16,
+}
+
+impl TunnelTarget {
+    pub fn new(host: impl Into<String>, port: u16) -> Self {
+        Self {
+            host: host.into(),
+            port,
+        }
+    }
+}
+
+#[derive(Debug, Clone, Copy, PartialEq, Eq)]
+pub enum Protocol {
+    Tcp,
+    Udp,
+}
+
+impl Protocol {
+    pub fn as_u8(self) -> u8 {
+        match self {
+            Protocol::Tcp => 0,
+            Protocol::Udp => 1,
+        }
+    }
+}
+
+impl TryFrom<u8> for Protocol {
+    type Error = ();
+
+    fn try_from(value: u8) -> Result<Self, Self::Error> {
+        match value {
+            0 => Ok(Protocol::Tcp),
+            1 => Ok(Protocol::Udp),
+            _ => Err(()),
+        }
+    }
+}
+
+#[derive(Debug, Clone)]
+pub struct StreamOpenRequest {
+    pub protocol: Protocol,
+    pub target: TunnelTarget,
+}
+
+#[derive(Debug, Clone)]
+pub struct StreamOpenResponse {
+    pub success: bool,
+    pub error: Option<String>,
+}
+
+const MAX_HOST_LEN: usize = u16::MAX as usize;
+const MAX_ERROR_LEN: usize = u16::MAX as usize;
+
+pub async fn write_stream_open_request(
+    stream: &mut SendStream,
+    protocol: Protocol,
+    target: &TunnelTarget,
+) -> Result<(), TunnelError> {
+    let host_bytes = target.host.as_bytes();
+    if host_bytes.len() > MAX_HOST_LEN {
+        return Err(TunnelError::Remote("target host too long".into()));
+    }
+
+    stream
+        .write_u8(protocol.as_u8())
+        .await
+        .map_err(to_transport_err)?;
+    stream
+        .write_u16(host_bytes.len() as u16)
+        .await
+        .map_err(to_transport_err)?;
+    stream
+        .write_all(host_bytes)
+        .await
+        .map_err(to_transport_err)?;
+    stream
+        .write_u16(target.port)
+        .await
+        .map_err(to_transport_err)?;
+    stream.flush().await.map_err(to_transport_err)?;
+    Ok(())
+}
+
+pub async fn read_stream_open_request(
+    stream: &mut RecvStream,
+) -> Result<StreamOpenRequest, TunnelError> {
+    let protocol = Protocol::try_from(stream.read_u8().await.map_err(to_transport_err)?)
+        .map_err(|_| TunnelError::Remote("unsupported protocol".into()))?;
+    let host_len = stream.read_u16().await.map_err(to_transport_err)? as usize;
+    if host_len > MAX_HOST_LEN {
+        return Err(TunnelError::Remote("target host too large".into()));
+    }
+    let mut host_bytes = vec![0u8; host_len];
+    read_exact_into(stream, &mut host_bytes).await?;
+    let host = String::from_utf8(host_bytes)
+        .map_err(|_| TunnelError::Remote("invalid target host encoding".into()))?;
+    let port = stream.read_u16().await.map_err(to_transport_err)?;
+
+    Ok(StreamOpenRequest {
+        protocol,
+        target: TunnelTarget::new(host, port),
+    })
+}
+
+pub async fn write_stream_open_response(
+    stream: &mut SendStream,
+    success: bool,
+    error: Option<&str>,
+) -> Result<(), TunnelError> {
+    stream
+        .write_u8(u8::from(success))
+        .await
+        .map_err(to_transport_err)?;
+    if success {
+        stream.flush().await.map_err(to_transport_err)?;
+        return Ok(());
+    }
+
+    let message = error.unwrap_or("remote open failed");
+    let reason_bytes = message.as_bytes();
+    let len = reason_bytes.len().min(MAX_ERROR_LEN);
+    stream
+        .write_u16(len as u16)
+        .await
+        .map_err(to_transport_err)?;
+    stream
+        .write_all(&reason_bytes[..len])
+        .await
+        .map_err(to_transport_err)?;
+    stream.flush().await.map_err(to_transport_err)?;
+    Ok(())
+}
+
+pub async fn read_stream_open_response(
+    stream: &mut RecvStream,
+) -> Result<StreamOpenResponse, TunnelError> {
+    let success = stream.read_u8().await.map_err(to_transport_err)? != 0;
+    if success {
+        return Ok(StreamOpenResponse {
+            success: true,
+            error: None,
+        });
+    }
+
+    let len = stream.read_u16().await.map_err(to_transport_err)? as usize;
+    if len > MAX_ERROR_LEN {
+        return Err(TunnelError::Remote("error message too large".into()));
+    }
+    let mut buf = vec![0u8; len];
+    read_exact_into(stream, &mut buf).await?;
+    let message = String::from_utf8(buf).unwrap_or_else(|_| "remote open failed".to_string());
+    Ok(StreamOpenResponse {
+        success: false,
+        error: Some(message),
+    })
+}
+
+fn to_transport_err(err: impl Into<io::Error>) -> TunnelError {
+    TunnelError::Transport(err.into())
+}
+
+async fn read_exact_into(stream: &mut RecvStream, buf: &mut [u8]) -> Result<(), TunnelError> {
+    stream.read_exact(buf).await.map_err(|err| match err {
+        ReadExactError::FinishedEarly(_) => TunnelError::ConnectionClosed,
+        ReadExactError::ReadError(inner) => TunnelError::Transport(io::Error::other(inner)),
+    })
+}
diff --git a/crates/tunnel/src/relay.rs b/crates/tunnel/src/relay.rs
new file mode 100644
index 0000000..cf413d7
--- /dev/null
+++ b/crates/tunnel/src/relay.rs
@@ -0,0 +1,573 @@
+use std::{
+    collections::VecDeque,
+    fmt, io,
+    net::SocketAddr,
+    pin::Pin,
+    sync::{
+        atomic::{AtomicBool, Ordering},
+        Arc, Mutex,
+    },
+    task::{Context, Poll},
+    time::Duration,
+};
+
+use bytes::Bytes;
+use futures::{future, Sink, SinkExt, Stream, StreamExt};
+use futures_util::task::AtomicWaker;
+use quinn::{
+    udp::{RecvMeta, Transmit},
+    AsyncUdpSocket, Connection, UdpPoller,
+};
+use tokio::{
+    io::{AsyncRead, AsyncWrite},
+    pin,
+    sync::Notify,
+};
+use tokio_tungstenite::{tungstenite::Message, WebSocketStream};
+
+use crate::{
+    direct::{build_server_config, client_config},
+    error::TunnelError,
+};
+
+const DEFAULT_BUFFER_CAPACITY: usize = 256;
+const WEBSOCKET_KEEPALIVE_INTERVAL: Duration = Duration::from_secs(15);
+
+pub fn relay_client_addr() -> SocketAddr {
+    SocketAddr::from(([127, 0, 0, 1], 60000))
+}
+
+pub fn relay_server_addr() -> SocketAddr {
+    SocketAddr::from(([127, 0, 0, 1], 60001))
+}
+
+pub struct RelayEndpoint;
+
+impl RelayEndpoint {
+    pub async fn client_connection<S>(
+        websocket: WebSocketStream<S>,
+    ) -> Result<Connection, TunnelError>
+    where
+        S: AsyncRead + AsyncWrite + Unpin + Send + 'static,
+    {
+        let socket = WebSocketUdpSocket::from_tungstenite(
+            websocket,
+            relay_client_addr(),
+            relay_server_addr(),
+        );
+
+        let runtime = quinn::default_runtime()
+            .ok_or_else(|| TunnelError::Transport(io::Error::other("no async runtime found")))?;
+        let mut endpoint = quinn::Endpoint::new_with_abstract_socket(
+            quinn::EndpointConfig::default(),
+            None,
+            socket,
+            runtime,
+        )
+        .map_err(|err| TunnelError::Transport(io::Error::other(err)))?;
+        endpoint.set_default_client_config(client_config()?);
+        let connecting = endpoint
+            .connect(relay_server_addr(), "lapdev-relay")
+            .map_err(|err| TunnelError::Transport(io::Error::other(err)))?;
+        let connection = connecting
+            .await
+            .map_err(|err| TunnelError::Transport(std::io::Error::other(err)))?;
+
+        Ok(connection)
+    }
+
+    pub async fn server_connection<S>(
+        websocket: WebSocketStream<S>,
+    ) -> Result<Connection, TunnelError>
+    where
+        S: AsyncRead + AsyncWrite + Unpin + Send + 'static,
+    {
+        let socket = WebSocketUdpSocket::from_tungstenite(
+            websocket,
+            relay_server_addr(),
+            relay_client_addr(),
+        );
+        Self::udp_server_connection(socket).await
+    }
+
+    pub async fn udp_server_connection(
+        socket: Arc<WebSocketUdpSocket>,
+    ) -> Result<Connection, TunnelError> {
+        let runtime = quinn::default_runtime()
+            .ok_or_else(|| TunnelError::Transport(io::Error::other("no async runtime found")))?;
+        let (server_config, _) = build_server_config()?;
+        let endpoint = quinn::Endpoint::new_with_abstract_socket(
+            quinn::EndpointConfig::default(),
+            Some(server_config),
+            socket,
+            runtime,
+        )
+        .map_err(|err| TunnelError::Transport(io::Error::other(err)))?;
+
+        let incoming = endpoint
+            .accept()
+            .await
+            .ok_or(TunnelError::ConnectionClosed)?;
+
+        let connecting = incoming
+            .accept()
+            .map_err(|err| TunnelError::Transport(std::io::Error::other(err)))?;
+        let connection = connecting
+            .await
+            .map_err(|err| TunnelError::Transport(std::io::Error::other(err)))?;
+
+        Ok(connection)
+    }
+}
+
+/// Adapter that exposes a WebSocket as a virtual UDP socket suitable for Quinn.
+pub struct WebSocketUdpSocket {
+    send_buffer: Arc<SendBuffer>,
+    recv_buffer: Arc<RecvBuffer>,
+    local_addr: SocketAddr,
+    peer_addr: SocketAddr,
+}
+
+impl fmt::Debug for WebSocketUdpSocket {
+    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
+        f.debug_struct("WebSocketUdpSocket")
+            .field("local_addr", &self.local_addr)
+            .field("peer_addr", &self.peer_addr)
+            .finish()
+    }
+}
+
+impl WebSocketUdpSocket {
+    pub fn from_tungstenite<S>(
+        websocket: WebSocketStream<S>,
+        local_addr: SocketAddr,
+        peer_addr: SocketAddr,
+    ) -> Arc<Self>
+    where
+        S: AsyncRead + AsyncWrite + Unpin + Send + 'static,
+    {
+        Self::from_tungstenite_with_capacity(
+            websocket,
+            local_addr,
+            peer_addr,
+            DEFAULT_BUFFER_CAPACITY,
+        )
+    }
+
+    pub fn from_tungstenite_with_capacity<S>(
+        websocket: WebSocketStream<S>,
+        local_addr: SocketAddr,
+        peer_addr: SocketAddr,
+        capacity: usize,
+    ) -> Arc<Self>
+    where
+        S: AsyncRead + AsyncWrite + Unpin + Send + 'static,
+    {
+        let (sink, stream) = split_tungstenite(websocket);
+        Self::with_capacity_parts(sink, stream, local_addr, peer_addr, capacity)
+    }
+
+    pub fn from_parts<SinkT, StreamT>(
+        sink: SinkT,
+        stream: StreamT,
+        local_addr: SocketAddr,
+        peer_addr: SocketAddr,
+    ) -> Arc<Self>
+    where
+        SinkT: Sink<Message, Error = io::Error> + Send + 'static,
+        StreamT: Stream<Item = Result<Bytes, io::Error>> + Send + 'static,
+    {
+        Self::with_capacity_parts(sink, stream, local_addr, peer_addr, DEFAULT_BUFFER_CAPACITY)
+    }
+
+    pub fn with_capacity_parts<SinkT, StreamT>(
+        sink: SinkT,
+        stream: StreamT,
+        local_addr: SocketAddr,
+        peer_addr: SocketAddr,
+        capacity: usize,
+    ) -> Arc<Self>
+    where
+        SinkT: Sink<Message, Error = io::Error> + Send + 'static,
+        StreamT: Stream<Item = Result<Bytes, io::Error>> + Send + 'static,
+    {
+        let send_buffer = Arc::new(SendBuffer::new(capacity));
+        let recv_buffer = Arc::new(RecvBuffer::new(capacity));
+
+        tokio::spawn(run_sender_generic(
+            sink,
+            Arc::clone(&send_buffer),
+            Some(WEBSOCKET_KEEPALIVE_INTERVAL),
+        ));
+        tokio::spawn(run_receiver_generic(stream, Arc::clone(&recv_buffer)));
+
+        Arc::new(Self {
+            send_buffer,
+            recv_buffer,
+            local_addr,
+            peer_addr,
+        })
+    }
+}
+
+impl Drop for WebSocketUdpSocket {
+    fn drop(&mut self) {
+        self.send_buffer.close();
+        self.recv_buffer.close();
+    }
+}
+
+impl AsyncUdpSocket for WebSocketUdpSocket {
+    fn create_io_poller(self: Arc<Self>) -> Pin<Box<dyn UdpPoller>> {
+        Box::pin(WebSocketUdpPoller {
+            send_buffer: Arc::clone(&self.send_buffer),
+        })
+    }
+
+    fn try_send(&self, transmit: &Transmit) -> io::Result<()> {
+        if transmit.segment_size.is_some() {
+            return Err(io::Error::new(
+                io::ErrorKind::InvalidInput,
+                "segmented transmits are not supported",
+            ));
+        }
+
+        let bytes = Bytes::copy_from_slice(transmit.contents);
+        self.send_buffer.enqueue(bytes)
+    }
+
+    fn poll_recv(
+        &self,
+        cx: &mut Context<'_>,
+        bufs: &mut [io::IoSliceMut<'_>],
+        meta: &mut [RecvMeta],
+    ) -> Poll<io::Result<usize>> {
+        self.recv_buffer
+            .poll_recv(cx, bufs, meta, self.peer_addr, self.local_addr)
+    }
+
+    fn local_addr(&self) -> io::Result<SocketAddr> {
+        Ok(self.local_addr)
+    }
+
+    fn max_transmit_segments(&self) -> usize {
+        1
+    }
+
+    fn max_receive_segments(&self) -> usize {
+        1
+    }
+
+    fn may_fragment(&self) -> bool {
+        false
+    }
+}
+
+struct WebSocketUdpPoller {
+    send_buffer: Arc<SendBuffer>,
+}
+
+impl fmt::Debug for WebSocketUdpPoller {
+    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
+        f.debug_struct("WebSocketUdpPoller").finish()
+    }
+}
+
+impl UdpPoller for WebSocketUdpPoller {
+    fn poll_writable(self: Pin<&mut Self>, cx: &mut Context<'_>) -> Poll<io::Result<()>> {
+        if self.send_buffer.has_capacity() {
+            Poll::Ready(Ok(()))
+        } else {
+            self.send_buffer.register_waker(cx);
+            if self.send_buffer.has_capacity() {
+                Poll::Ready(Ok(()))
+            } else if self.send_buffer.is_closed() {
+                Poll::Ready(Err(io::Error::new(
+                    io::ErrorKind::ConnectionReset,
+                    "send buffer closed",
+                )))
+            } else {
+                Poll::Pending
+            }
+        }
+    }
+}
+
+async fn run_sender_generic<SinkT>(
+    sink: SinkT,
+    buffer: Arc<SendBuffer>,
+    keepalive_interval: Option<Duration>,
+) where
+    SinkT: Sink<Message, Error = io::Error> + Send + 'static,
+{
+    pin!(sink);
+
+    loop {
+        let next_datagram = if let Some(interval) = keepalive_interval {
+            match tokio::time::timeout(interval, buffer.next_datagram()).await {
+                Ok(result) => result,
+                Err(_) => {
+                    if SinkExt::send(&mut sink, Message::Ping(Bytes::new()))
+                        .await
+                        .is_err()
+                    {
+                        break;
+                    }
+                    continue;
+                }
+            }
+        } else {
+            buffer.next_datagram().await
+        };
+
+        match next_datagram {
+            Some(datagram) => {
+                if SinkExt::send(&mut sink, Message::Binary(datagram))
+                    .await
+                    .is_err()
+                {
+                    break;
+                }
+            }
+            None => break,
+        }
+    }
+
+    buffer.close();
+    let _ = SinkExt::close(&mut sink).await;
+}
+
+async fn run_receiver_generic<StreamT>(stream: StreamT, buffer: Arc<RecvBuffer>)
+where
+    StreamT: Stream<Item = Result<Bytes, io::Error>> + Send + 'static,
+{
+    pin!(stream);
+
+    while let Some(result) = StreamExt::next(&mut stream).await {
+        match result {
+            Ok(data) => {
+                if buffer.push(data).await.is_err() {
+                    break;
+                }
+            }
+            Err(_) => break,
+        }
+    }
+
+    buffer.close();
+}
+
+fn split_tungstenite<S>(
+    websocket: WebSocketStream<S>,
+) -> (
+    impl Sink<Message, Error = io::Error> + Send + 'static,
+    impl Stream<Item = Result<Bytes, io::Error>> + Send + 'static,
+)
+where
+    S: AsyncRead + AsyncWrite + Unpin + Send + 'static,
+{
+    let (sink, stream) = websocket.split();
+
+    let sink = sink.sink_map_err(io::Error::other);
+
+    let stream = stream.filter_map(|msg| {
+        future::ready(match msg {
+            Ok(Message::Binary(data)) => Some(Ok(data)),
+            Ok(Message::Close(_)) => None,
+            Ok(_) => None,
+            Err(err) => Some(Err(io::Error::other(err))),
+        })
+    });
+
+    (sink, stream)
+}
+
+struct SendBuffer {
+    queue: Mutex<VecDeque<Bytes>>,
+    capacity: usize,
+    data_ready: Notify,
+    space_waker: AtomicWaker,
+    closed: AtomicBool,
+}
+
+impl SendBuffer {
+    fn new(capacity: usize) -> Self {
+        Self {
+            queue: Mutex::new(VecDeque::with_capacity(capacity)),
+            capacity,
+            data_ready: Notify::new(),
+            space_waker: AtomicWaker::new(),
+            closed: AtomicBool::new(false),
+        }
+    }
+
+    fn enqueue(&self, bytes: Bytes) -> io::Result<()> {
+        if self.closed.load(Ordering::SeqCst) {
+            return Err(io::Error::new(
+                io::ErrorKind::ConnectionReset,
+                "send buffer closed",
+            ));
+        }
+
+        let mut queue = self.queue.lock().unwrap();
+        if queue.len() >= self.capacity {
+            return Err(io::Error::new(
+                io::ErrorKind::WouldBlock,
+                "send buffer full",
+            ));
+        }
+        queue.push_back(bytes);
+        drop(queue);
+        self.data_ready.notify_one();
+        Ok(())
+    }
+
+    async fn next_datagram(&self) -> Option<Bytes> {
+        loop {
+            if let Some(datagram) = self.dequeue() {
+                return Some(datagram);
+            }
+
+            if self.closed.load(Ordering::SeqCst) {
+                return None;
+            }
+
+            self.data_ready.notified().await;
+        }
+    }
+
+    fn dequeue(&self) -> Option<Bytes> {
+        let mut queue = self.queue.lock().unwrap();
+        let popped = queue.pop_front();
+        if popped.is_some() {
+            self.space_waker.wake();
+        }
+        popped
+    }
+
+    fn has_capacity(&self) -> bool {
+        let queue = self.queue.lock().unwrap();
+        queue.len() < self.capacity
+    }
+
+    fn register_waker(&self, cx: &mut Context<'_>) {
+        self.space_waker.register(cx.waker());
+    }
+
+    fn is_closed(&self) -> bool {
+        self.closed.load(Ordering::SeqCst)
+    }
+
+    fn close(&self) {
+        self.closed.store(true, Ordering::SeqCst);
+        self.data_ready.notify_waiters();
+        self.space_waker.wake();
+    }
+}
+
+struct RecvBuffer {
+    queue: Mutex<VecDeque<Bytes>>,
+    capacity: usize,
+    space_available: Notify,
+    data_waker: AtomicWaker,
+    closed: AtomicBool,
+}
+
+impl RecvBuffer {
+    fn new(capacity: usize) -> Self {
+        Self {
+            queue: Mutex::new(VecDeque::with_capacity(capacity)),
+            capacity,
+            space_available: Notify::new(),
+            data_waker: AtomicWaker::new(),
+            closed: AtomicBool::new(false),
+        }
+    }
+
+    async fn push(&self, bytes: Bytes) -> io::Result<()> {
+        let mut pending = Some(bytes);
+
+        loop {
+            if self.closed.load(Ordering::SeqCst) {
+                return Err(io::Error::new(
+                    io::ErrorKind::ConnectionReset,
+                    "receive buffer closed",
+                ));
+            }
+
+            if let Some(data) = pending.take() {
+                let mut queue = self.queue.lock().unwrap();
+                if queue.len() < self.capacity {
+                    queue.push_back(data);
+                    drop(queue);
+                    self.data_waker.wake();
+                    return Ok(());
+                }
+                pending = Some(data);
+                drop(queue);
+            }
+
+            self.space_available.notified().await;
+        }
+    }
+
+    fn poll_recv(
+        &self,
+        cx: &mut Context<'_>,
+        bufs: &mut [io::IoSliceMut<'_>],
+        meta: &mut [RecvMeta],
+        peer_addr: SocketAddr,
+        local_addr: SocketAddr,
+    ) -> Poll<io::Result<usize>> {
+        if bufs.is_empty() || meta.is_empty() {
+            return Poll::Ready(Err(io::Error::new(
+                io::ErrorKind::InvalidInput,
+                "no receive buffers provided",
+            )));
+        }
+
+        if let Some(bytes) = self.dequeue() {
+            let target = bufs[0].as_mut();
+            if target.len() < bytes.len() {
+                return Poll::Ready(Err(io::Error::new(
+                    io::ErrorKind::InvalidData,
+                    "buffer too small for datagram",
+                )));
+            }
+            target[..bytes.len()].copy_from_slice(&bytes);
+            meta[0] = RecvMeta {
+                addr: peer_addr,
+                len: bytes.len(),
+                stride: bytes.len(),
+                ecn: None,
+                dst_ip: Some(local_addr.ip()),
+            };
+            return Poll::Ready(Ok(1));
+        }
+
+        if self.closed.load(Ordering::SeqCst) {
+            return Poll::Ready(Err(io::Error::new(
+                io::ErrorKind::BrokenPipe,
+                "websocket closed",
+            )));
+        }
+
+        self.data_waker.register(cx.waker());
+        Poll::Pending
+    }
+
+    fn dequeue(&self) -> Option<Bytes> {
+        let mut queue = self.queue.lock().unwrap();
+        let popped = queue.pop_front();
+        if popped.is_some() {
+            self.space_available.notify_one();
+        }
+        popped
+    }
+
+    fn close(&self) {
+        self.closed.store(true, Ordering::SeqCst);
+        self.space_available.notify_waiters();
+        self.data_waker.wake();
+    }
+}
diff --git a/crates/tunnel/src/server.rs b/crates/tunnel/src/server.rs
new file mode 100644
index 0000000..179928d
--- /dev/null
+++ b/crates/tunnel/src/server.rs
@@ -0,0 +1,199 @@
+use std::{
+    future::Future,
+    io,
+    pin::Pin,
+    sync::Arc,
+    task::{Context, Poll},
+};
+
+use futures::future::BoxFuture;
+use quinn::{Connection, RecvStream, SendStream, WriteError};
+use tokio::{
+    io::{self as tokio_io, AsyncRead, AsyncWrite, ReadBuf},
+    net::TcpStream,
+};
+use tracing::{debug, warn};
+
+use crate::{
+    error::TunnelError,
+    message::{self, Protocol, TunnelTarget},
+};
+
+const UNSUPPORTED_PROTOCOL: &str = "protocol not supported";
+
+pub trait TunnelStream: AsyncRead + AsyncWrite + Unpin + Send {}
+
+impl<T> TunnelStream for T where T: AsyncRead + AsyncWrite + Unpin + Send {}
+
+pub type DynTunnelStream = Box<dyn TunnelStream>;
+
+pub trait TunnelConnector: Send + Sync + 'static {
+    fn connect(
+        &self,
+        target: TunnelTarget,
+    ) -> BoxFuture<'static, Result<DynTunnelStream, TunnelError>>;
+}
+
+impl<F, Fut> TunnelConnector for F
+where
+    F: Fn(TunnelTarget) -> Fut + Send + Sync + 'static,
+    Fut: Future<Output = Result<DynTunnelStream, TunnelError>> + Send + 'static,
+{
+    fn connect(
+        &self,
+        target: TunnelTarget,
+    ) -> BoxFuture<'static, Result<DynTunnelStream, TunnelError>> {
+        Box::pin((self)(target))
+    }
+}
+
+#[derive(Clone, Default)]
+pub struct TcpConnector;
+
+impl TunnelConnector for TcpConnector {
+    fn connect(
+        &self,
+        target: TunnelTarget,
+    ) -> BoxFuture<'static, Result<DynTunnelStream, TunnelError>> {
+        Box::pin(async move {
+            let address = format!("{}:{}", target.host, target.port);
+            let stream = TcpStream::connect(address).await?;
+            Ok(Box::new(stream) as DynTunnelStream)
+        })
+    }
+}
+
+pub async fn run_tunnel_server(connection: Connection) -> Result<(), TunnelError> {
+    run_tunnel_server_with_connector(connection, TcpConnector).await
+}
+
+pub async fn run_tunnel_server_with_connector<C>(
+    connection: Connection,
+    connector: C,
+) -> Result<(), TunnelError>
+where
+    C: TunnelConnector,
+{
+    run_tunnel_server_inner(connection, Arc::new(connector)).await
+}
+
+async fn run_tunnel_server_inner(
+    connection: Connection,
+    connector: Arc<dyn TunnelConnector>,
+) -> Result<(), TunnelError> {
+    loop {
+        match connection.accept_bi().await {
+            Ok((send, recv)) => {
+                let connector = connector.clone();
+                tokio::spawn(async move {
+                    if let Err(err) = handle_stream(connector, send, recv).await {
+                        debug!("tunnel stream ended: {}", err);
+                    }
+                });
+            }
+            Err(quinn::ConnectionError::ApplicationClosed(_))
+            | Err(quinn::ConnectionError::ConnectionClosed(_)) => {
+                return Ok(());
+            }
+            Err(err) => {
+                return Err(TunnelError::Transport(io::Error::other(err)));
+            }
+        }
+    }
+}
+
+async fn handle_stream(
+    connector: Arc<dyn TunnelConnector>,
+    mut send: SendStream,
+    mut recv: RecvStream,
+) -> Result<(), TunnelError> {
+    let request = match message::read_stream_open_request(&mut recv).await {
+        Ok(request) => request,
+        Err(err) => {
+            warn!("failed to parse stream request: {}", err);
+            let _ =
+                message::write_stream_open_response(&mut send, false, Some("bad request")).await;
+            return Err(err);
+        }
+    };
+
+    if request.protocol != Protocol::Tcp {
+        message::write_stream_open_response(&mut send, false, Some(UNSUPPORTED_PROTOCOL)).await?;
+        return Err(TunnelError::Remote(UNSUPPORTED_PROTOCOL.into()));
+    }
+
+    let target = request.target.clone();
+    let stream = match connector.connect(target.clone()).await {
+        Ok(stream) => stream,
+        Err(err) => {
+            let reason = err.to_string();
+            message::write_stream_open_response(&mut send, false, Some(&reason)).await?;
+            return Err(err);
+        }
+    };
+
+    message::write_stream_open_response(&mut send, true, None).await?;
+    pipe_streams(send, recv, stream).await
+}
+
+async fn pipe_streams(
+    send: SendStream,
+    recv: RecvStream,
+    mut target: DynTunnelStream,
+) -> Result<(), TunnelError> {
+    let mut quic_stream = QuicServerStream::new(send, recv);
+
+    tokio_io::copy_bidirectional(&mut quic_stream, &mut target)
+        .await
+        .map_err(TunnelError::Transport)?;
+    Ok(())
+}
+
+struct QuicServerStream {
+    send: SendStream,
+    recv: RecvStream,
+}
+
+impl QuicServerStream {
+    fn new(send: SendStream, recv: RecvStream) -> Self {
+        Self { send, recv }
+    }
+}
+
+impl Unpin for QuicServerStream {}
+
+impl AsyncRead for QuicServerStream {
+    fn poll_read(
+        mut self: Pin<&mut Self>,
+        cx: &mut Context<'_>,
+        buf: &mut ReadBuf<'_>,
+    ) -> Poll<io::Result<()>> {
+        Pin::new(&mut self.recv).poll_read(cx, buf)
+    }
+}
+
+impl AsyncWrite for QuicServerStream {
+    fn poll_write(
+        mut self: Pin<&mut Self>,
+        cx: &mut Context<'_>,
+        buf: &[u8],
+    ) -> Poll<io::Result<usize>> {
+        map_write_poll(Pin::new(&mut self.send).poll_write(cx, buf))
+    }
+
+    fn poll_flush(mut self: Pin<&mut Self>, cx: &mut Context<'_>) -> Poll<io::Result<()>> {
+        Pin::new(&mut self.send).poll_flush(cx)
+    }
+
+    fn poll_shutdown(mut self: Pin<&mut Self>, cx: &mut Context<'_>) -> Poll<io::Result<()>> {
+        Pin::new(&mut self.send).poll_shutdown(cx)
+    }
+}
+
+fn map_write_poll<T>(poll: Poll<Result<T, WriteError>>) -> Poll<io::Result<T>> {
+    match poll {
+        Poll::Ready(Ok(value)) => Poll::Ready(Ok(value)),
+        Poll::Ready(Err(err)) => Poll::Ready(Err(io::Error::other(err))),
+        Poll::Pending => Poll::Pending,
+    }
+}
diff --git a/crates/tunnel/src/websocket.rs b/crates/tunnel/src/websocket.rs
new file mode 100644
index 0000000..f13d40e
--- /dev/null
+++ b/crates/tunnel/src/websocket.rs
@@ -0,0 +1,177 @@
+use std::{
+    io,
+    marker::PhantomData,
+    pin::Pin,
+    task::{Context, Poll},
+};
+
+use bytes::{Bytes, BytesMut};
+use futures::{Sink, Stream};
+use futures_util::StreamExt;
+use pin_project::pin_project;
+use serde::{Deserialize, Serialize};
+use tokio::io::{AsyncRead, AsyncWrite};
+use tokio_serde::{Deserializer, Serializer};
+use tokio_tungstenite::{tungstenite::Message, WebSocketStream};
+
+/// Builds a serde transport directly on top of a WebSocket stream.
+pub fn websocket_serde_transport<S, Item, SinkItem, Codec>(
+    socket: WebSocketStream<S>,
+    codec: Codec,
+) -> WebSocketTransport<SocketStream<S>, Item, SinkItem, Codec>
+where
+    S: AsyncRead + AsyncWrite + Unpin,
+    Item: for<'de> Deserialize<'de>,
+    SinkItem: Serialize,
+    Codec: Serializer<SinkItem> + Deserializer<Item>,
+{
+    WebSocketTransport {
+        inner: SocketStream(socket),
+        codec,
+        _marker: PhantomData,
+    }
+}
+
+/// Builds a serde transport from any socket that transmits binary websocket frames.
+pub fn websocket_serde_transport_from_socket<Socket, Item, SinkItem, Codec>(
+    socket: Socket,
+    codec: Codec,
+) -> WebSocketTransport<Socket, Item, SinkItem, Codec>
+where
+    Socket: Stream<Item = Result<Bytes, io::Error>> + Sink<Bytes, Error = io::Error>,
+    Socket: Unpin,
+    Item: for<'de> Deserialize<'de>,
+    SinkItem: Serialize,
+    Codec: Serializer<SinkItem> + Deserializer<Item>,
+{
+    WebSocketTransport {
+        inner: socket,
+        codec,
+        _marker: PhantomData,
+    }
+}
+
+#[pin_project]
+pub struct WebSocketTransport<Socket, Item, SinkItem, Codec> {
+    #[pin]
+    inner: Socket,
+    #[pin]
+    codec: Codec,
+    _marker: PhantomData<(Item, SinkItem)>,
+}
+
+impl<Socket, Item, SinkItem, Codec, CodecError> Stream
+    for WebSocketTransport<Socket, Item, SinkItem, Codec>
+where
+    Socket: Stream<Item = Result<Bytes, io::Error>> + Sink<Bytes, Error = io::Error>,
+    Socket: Unpin,
+    Item: for<'de> Deserialize<'de>,
+    SinkItem: Serialize,
+    Codec: Deserializer<Item, Error = CodecError> + Serializer<SinkItem, Error = CodecError>,
+    CodecError: std::error::Error + Send + Sync + 'static,
+{
+    type Item = io::Result<Item>;
+
+    fn poll_next(self: Pin<&mut Self>, cx: &mut Context<'_>) -> Poll<Option<Self::Item>> {
+        let mut this = self.project();
+        match futures::ready!(this.inner.as_mut().poll_next(cx)) {
+            Some(Ok(bytes)) => {
+                let buf = BytesMut::from(bytes.as_ref());
+                match this.codec.as_mut().deserialize(&buf) {
+                    Ok(item) => Poll::Ready(Some(Ok(item))),
+                    Err(err) => Poll::Ready(Some(Err(io::Error::other(err)))),
+                }
+            }
+            Some(Err(err)) => Poll::Ready(Some(Err(err))),
+            None => Poll::Ready(None),
+        }
+    }
+}
+
+impl<Socket, Item, SinkItem, Codec, CodecError> Sink<SinkItem>
+    for WebSocketTransport<Socket, Item, SinkItem, Codec>
+where
+    Socket: Stream<Item = Result<Bytes, io::Error>> + Sink<Bytes, Error = io::Error>,
+    Socket: Unpin,
+    Item: for<'de> Deserialize<'de>,
+    SinkItem: Serialize,
+    Codec: Deserializer<Item, Error = CodecError> + Serializer<SinkItem, Error = CodecError>,
+    CodecError: std::error::Error + Send + Sync + 'static,
+{
+    type Error = io::Error;
+
+    fn poll_ready(self: Pin<&mut Self>, cx: &mut Context<'_>) -> Poll<io::Result<()>> {
+        self.project().inner.poll_ready(cx)
+    }
+
+    fn start_send(self: Pin<&mut Self>, item: SinkItem) -> io::Result<()> {
+        let mut this = self.project();
+        let bytes = this
+            .codec
+            .as_mut()
+            .serialize(&item)
+            .map_err(|err| io::Error::other(err))?;
+        this.inner.start_send(bytes)
+    }
+
+    fn poll_flush(self: Pin<&mut Self>, cx: &mut Context<'_>) -> Poll<io::Result<()>> {
+        self.project().inner.poll_flush(cx)
+    }
+
+    fn poll_close(self: Pin<&mut Self>, cx: &mut Context<'_>) -> Poll<io::Result<()>> {
+        self.project().inner.poll_close(cx)
+    }
+}
+
+#[pin_project]
+pub struct SocketStream<S>(#[pin] WebSocketStream<S>);
+
+impl<S> Stream for SocketStream<S>
+where
+    S: AsyncRead + AsyncWrite + Unpin,
+{
+    type Item = Result<Bytes, io::Error>;
+
+    fn poll_next(self: Pin<&mut Self>, cx: &mut Context<'_>) -> Poll<Option<Self::Item>> {
+        let mut inner = self.project();
+        loop {
+            match futures::ready!(inner.0.poll_next_unpin(cx)) {
+                Some(Ok(Message::Binary(data))) => {
+                    return Poll::Ready(Some(Ok(data)));
+                }
+                Some(Ok(Message::Close(_))) => return Poll::Ready(None),
+                Some(Ok(_)) => continue,
+                Some(Err(err)) => {
+                    return Poll::Ready(Some(Err(io::Error::other(err))));
+                }
+                None => return Poll::Ready(None),
+            }
+        }
+    }
+}
+
+impl<S> Sink<Bytes> for SocketStream<S>
+where
+    S: AsyncRead + AsyncWrite + Unpin,
+{
+    type Error = io::Error;
+
+    fn poll_ready(self: Pin<&mut Self>, cx: &mut Context<'_>) -> Poll<io::Result<()>> {
+        self.project().0.poll_ready(cx).map_err(io::Error::other)
+    }
+
+    fn start_send(self: Pin<&mut Self>, item: Bytes) -> io::Result<()> {
+        self.project()
+            .0
+            .start_send(Message::Binary(item))
+            .map_err(io::Error::other)
+    }
+
+    fn poll_flush(self: Pin<&mut Self>, cx: &mut Context<'_>) -> Poll<io::Result<()>> {
+        self.project().0.poll_flush(cx).map_err(io::Error::other)
+    }
+
+    fn poll_close(self: Pin<&mut Self>, cx: &mut Context<'_>) -> Poll<io::Result<()>> {
+        self.project().0.poll_close(cx).map_err(io::Error::other)
+    }
+}
diff --git a/lapdev-ws/Cargo.toml b/crates/ws/Cargo.toml
similarity index 97%
rename from lapdev-ws/Cargo.toml
rename to crates/ws/Cargo.toml
index 6943c40..3d25796 100644
--- a/lapdev-ws/Cargo.toml
+++ b/crates/ws/Cargo.toml
@@ -40,7 +40,7 @@ hyper.workspace = true
 hyper-util.workspace = true
 http-body-util.workspace = true
 bytes.workspace = true
-fs4 = { version = "0.10", features = ["tokio"] }
+fs4 = { version = "0.13", features = ["tokio"] }
 hyperlocal = { git = "https://github.com/softprops/hyperlocal", rev = "70c0b8e4007b96ed392be7561b21add719d1dbce" }
 
 [package.metadata.deb]
diff --git a/lapdev-ws/scripts/install_guest_agent.sh b/crates/ws/scripts/install_guest_agent.sh
similarity index 100%
rename from lapdev-ws/scripts/install_guest_agent.sh
rename to crates/ws/scripts/install_guest_agent.sh
diff --git a/lapdev-ws/src/lib.rs b/crates/ws/src/lib.rs
similarity index 100%
rename from lapdev-ws/src/lib.rs
rename to crates/ws/src/lib.rs
diff --git a/lapdev-ws/src/main.rs b/crates/ws/src/main.rs
similarity index 100%
rename from lapdev-ws/src/main.rs
rename to crates/ws/src/main.rs
diff --git a/lapdev-ws/src/server.rs b/crates/ws/src/server.rs
similarity index 99%
rename from lapdev-ws/src/server.rs
rename to crates/ws/src/server.rs
index eba1cdd..6b90910 100644
--- a/lapdev-ws/src/server.rs
+++ b/crates/ws/src/server.rs
@@ -50,7 +50,7 @@ use crate::{
 pub const LAPDEV_WS_VERSION: &str = env!("CARGO_PKG_VERSION");
 const INSTALL_SCRIPT: &[u8] = include_bytes!("../scripts/install_guest_agent.sh");
 const LAPDEV_GUEST_AGENT: &[u8] =
-    include_bytes!("../../target/x86_64-unknown-linux-musl/release/lapdev-guest-agent");
+    include_bytes!("../../../target/x86_64-unknown-linux-musl/release/lapdev-guest-agent");
 
 #[derive(Clone, Deserialize, Default)]
 #[serde(rename_all = "kebab-case")]
@@ -373,7 +373,7 @@ impl WorkspaceServer {
 
         let osuser_lock_path = self.osuser_lock_path(osuser);
         let mut f = File::open(&osuser_lock_path).await?;
-        f.lock_exclusive_async().await?;
+        // f.lock_exclusive().await?;
         let mut buffer = String::new();
         f.read_to_string(&mut buffer).await?;
         let last_activity = buffer.trim().parse::<u64>()?;
@@ -477,7 +477,7 @@ impl WorkspaceServer {
 
     pub async fn os_user_uid(&self, username: &str) -> Result<String, ApiError> {
         let mut f = File::create(self.osuser_lock_path(username)).await?;
-        f.lock_exclusive_async().await?;
+        // f.lock_exclusive_async().await?;
         let ts = utils::unix_timestamp()?.to_string();
         f.write_all(ts.as_bytes()).await?;
 
@@ -1607,7 +1607,7 @@ async fn setup_log(
         .build(folder)?;
     let (non_blocking, guard) = tracing_appender::non_blocking(file_appender);
     let var = std::env::var("RUST_LOG").unwrap_or_default();
-    let var = format!("error,lapdev_ws=info,lapdev_rpc=info,lapdev_common=info,{var}");
+    let var = format!("error,tarpc=warn,tarpc::client=warn,lapdev_ws=info,lapdev_rpc=info,lapdev_common=info,{var}");
     let filter = tracing_subscriber::EnvFilter::builder().parse_lossy(var);
     tracing_subscriber::fmt()
         .with_ansi(false)
diff --git a/lapdev-ws/src/service.rs b/crates/ws/src/service.rs
similarity index 100%
rename from lapdev-ws/src/service.rs
rename to crates/ws/src/service.rs
diff --git a/lapdev-ws/src/watcher.rs b/crates/ws/src/watcher.rs
similarity index 100%
rename from lapdev-ws/src/watcher.rs
rename to crates/ws/src/watcher.rs
diff --git a/docs/.gitbook/assets/Screenshot 2025-10-16 at 18.16.13.png b/docs/.gitbook/assets/Screenshot 2025-10-16 at 18.16.13.png
new file mode 100644
index 0000000..14bbd17
Binary files /dev/null and b/docs/.gitbook/assets/Screenshot 2025-10-16 at 18.16.13.png differ
diff --git a/docs/.gitbook/assets/Screenshot 2025-10-16 at 18.17.07.png b/docs/.gitbook/assets/Screenshot 2025-10-16 at 18.17.07.png
new file mode 100644
index 0000000..71eb72e
Binary files /dev/null and b/docs/.gitbook/assets/Screenshot 2025-10-16 at 18.17.07.png differ
diff --git a/docs/.gitbook/assets/Screenshot 2025-11-19 at 20-27-19 Lapdev Dashboard.png b/docs/.gitbook/assets/Screenshot 2025-11-19 at 20-27-19 Lapdev Dashboard.png
new file mode 100644
index 0000000..5d4bc48
Binary files /dev/null and b/docs/.gitbook/assets/Screenshot 2025-11-19 at 20-27-19 Lapdev Dashboard.png differ
diff --git a/docs/.gitbook/assets/Screenshot 2025-11-19 at 20-28-39 Lapdev Dashboard.png b/docs/.gitbook/assets/Screenshot 2025-11-19 at 20-28-39 Lapdev Dashboard.png
new file mode 100644
index 0000000..c3e13ad
Binary files /dev/null and b/docs/.gitbook/assets/Screenshot 2025-11-19 at 20-28-39 Lapdev Dashboard.png differ
diff --git a/docs/.gitbook/assets/Screenshot 2025-11-19 at 20-29-35 Lapdev Dashboard.png b/docs/.gitbook/assets/Screenshot 2025-11-19 at 20-29-35 Lapdev Dashboard.png
new file mode 100644
index 0000000..390bee0
Binary files /dev/null and b/docs/.gitbook/assets/Screenshot 2025-11-19 at 20-29-35 Lapdev Dashboard.png differ
diff --git a/docs/.gitbook/assets/Screenshot 2025-11-19 at 20-30-01 Lapdev Dashboard.png b/docs/.gitbook/assets/Screenshot 2025-11-19 at 20-30-01 Lapdev Dashboard.png
new file mode 100644
index 0000000..70c5b4e
Binary files /dev/null and b/docs/.gitbook/assets/Screenshot 2025-11-19 at 20-30-01 Lapdev Dashboard.png differ
diff --git a/docs/.gitbook/assets/Screenshot 2025-11-19 at 20-30-23 Lapdev Dashboard.png b/docs/.gitbook/assets/Screenshot 2025-11-19 at 20-30-23 Lapdev Dashboard.png
new file mode 100644
index 0000000..005fe9e
Binary files /dev/null and b/docs/.gitbook/assets/Screenshot 2025-11-19 at 20-30-23 Lapdev Dashboard.png differ
diff --git a/docs/.gitbook/assets/Screenshot 2025-11-19 at 20-31-07 Lapdev Dashboard.png b/docs/.gitbook/assets/Screenshot 2025-11-19 at 20-31-07 Lapdev Dashboard.png
new file mode 100644
index 0000000..6dbf098
Binary files /dev/null and b/docs/.gitbook/assets/Screenshot 2025-11-19 at 20-31-07 Lapdev Dashboard.png differ
diff --git a/docs/.gitbook/assets/file.excalidraw (1).svg b/docs/.gitbook/assets/file.excalidraw (1).svg
new file mode 100644
index 0000000..512a448
--- /dev/null
+++ b/docs/.gitbook/assets/file.excalidraw (1).svg	
@@ -0,0 +1,8 @@
+<svg version="1.1" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 1633.4806151945463 1358.8828750693292" width="3266.9612303890926" height="2717.7657501386584"><symbol id="image-9d2f28049a8a90ddebd6f916b59a887ae5df33f6"><image width="100%" height="100%" href="data:image/svg+xml;base64,PHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHdpZHRoPSIyNCIgaGVpZ2h0PSIyNCIgdmlld0JveD0iMCAwIDI0IDI0IiBmaWxsPSJub25lIiBzdHJva2U9ImN1cnJlbnRDb2xvciIgc3Ryb2tlLXdpZHRoPSIyIiBzdHJva2UtbGluZWNhcD0icm91bmQiIHN0cm9rZS1saW5lam9pbj0icm91bmQiIGNsYXNzPSJsdWNpZGUgbHVjaWRlLWdsb2JlLWljb24gbHVjaWRlLWdsb2JlIj48Y2lyY2xlIGN4PSIxMiIgY3k9IjEyIiByPSIxMCIvPjxwYXRoIGQ9Ik0xMiAyYTE0LjUgMTQuNSAwIDAgMCAwIDIwIDE0LjUgMTQuNSAwIDAgMCAwLTIwIi8+PHBhdGggZD0iTTIgMTJoMjAiLz48L3N2Zz4="/></symbol><symbol id="image-04f28670dff6fd1042c3404f1cdf3fc1d3e0ce96"><image width="100%" height="100%" href="data:image/svg+xml;base64,PHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIGNsYXNzPSJ3LTEwIGgtMTAgbXItNCIgZmlsbD0iY3VycmVudENvbG9yIiB2aWV3Qm94PSIwIDAgMTAyNCAxMDI0IiB3aWR0aD0iMTAyNCIgaGVpZ2h0PSIxMDI0Ij48cGF0aCBkPSJNNTEyIDBDMzkwLjc1OSAwIDI3OS40MjYgNDIuMjIyNyAxOTEuNzE5IDExMi42NTZMMTkxLjcxOSA2MTJMMzUxLjcxOSA2MTJMMzUxLjcxOSAzMzJMNDIyIDMzMkw0MzEuNzE5IDMzMkw0MzEuNzE5IDMzMi4zNDRDNDg4LjE2OSAzMzQuMTI3IDU0MS4yNDkgMzUxLjEzOCA1ODEuODc1IDM4MC42MjVDNjI3LjU5MSA0MTMuODA2IDY1NC44NzUgNDYwLjYzMyA2NTQuODc1IDUxMkM2NTQuODc1IDU2My4zNjcgNjI3LjU5MSA2MTAuMTk0IDU4MS44NzUgNjQzLjM3NUM1NDEuMjQ5IDY3Mi44NjIgNDg4LjE2OSA2ODkuODczIDQzMS43MTkgNjkxLjY1Nkw0MzEuNzE5IDEwMTcuNjlDNDU3Ljg4IDEwMjEuODEgNDg0LjY4IDEwMjQgNTEyIDEwMjRDNzk0Ljc3IDEwMjQgMTAyNCA3OTQuNzcgMTAyNCA1MTJDMTAyNCAyMjkuMjMgNzk0Ljc3IDAgNTEyIDBaTTExMS43MTkgMTkyLjkwNkM0MS44NTM5IDI4MC40MzIgMCAzOTEuMzAzIDAgNTEyQzAgNzM4Ljc2NiAxNDcuNDg3IDkzMC45NiAzNTEuNzE5IDk5OC4yNUwzNTEuNzE5IDY5MkwxNTEuNzE5IDY5MkwxNTEuNzE5IDY5MS44NDRMMTExLjcxOSA2OTEuODQ0TDExMS43MTkgMTkyLjkwNlpNNzM4LjIxOSAzNzJDNzQxLjU5NyAzNzIuMTA3IDc0NS4wNDIgMzczLjAyIDc0OC4zMTIgMzc0LjgxMkw5NDYuMjgxIDQ4My4zMTJDOTUyLjMxMSA0ODYuNjE2IDk1Ni42OTIgNDkyLjM5MyA5NTkuMTg4IDQ5OS4xNTZDOTU5LjgyMSA1MDAuODc0IDk2MC4zMTcgNTAyLjY0MSA5NjAuNjg4IDUwNC40NjlDOTYwLjc2NCA1MDQuODM0IDk2MC44NDEgNTA1LjE5NiA5NjAuOTA2IDUwNS41NjJDOTYxLjEyIDUwNi44MDcgOTYxLjIyNSA1MDguMDcxIDk2MS4zMTIgNTA5LjM0NEM5NjEuMzc4IDUxMC4yMzUgOTYxLjQ5OCA1MTEuMTEyIDk2MS41IDUxMkM5NjEuNDk4IDUxMi44ODggOTYxLjM3OCA1MTMuNzY1IDk2MS4zMTIgNTE0LjY1NkM5NjEuMjI2IDUxNS45MjkgOTYxLjEyIDUxNy4xOTMgOTYwLjkwNiA1MTguNDM4Qzk2MC44NDEgNTE4LjgwNCA5NjAuNzY0IDUxOS4xNjYgOTYwLjY4OCA1MTkuNTMxQzk2MC4zMTcgNTIxLjM1OSA5NTkuODIxIDUyMy4xMjYgOTU5LjE4OCA1MjQuODQ0Qzk1Ni42OTIgNTMxLjYwOCA5NTIuMzExIDUzNy4zODQgOTQ2LjI4MSA1NDAuNjg4TDc0OC4zMTIgNjQ5LjE4OEM3MzUuMjMyIDY1Ni4zNTUgNzE5LjgxOCA2NDkuMzY3IDcxMy44NzUgNjMzLjU5NEM3MDcuOTMyIDYxNy44MiA3MTMuNyA1OTkuMjMgNzI2Ljc4MSA1OTIuMDYyTDg3Mi44NzUgNTEyTDcyNi43ODEgNDMxLjkzOEM3MTMuNyA0MjQuNzcxIDcwNy45MzIgNDA2LjE4IDcxMy44NzUgMzkwLjQwNkM3MTguMzMyIDM3OC41NzYgNzI4LjA4NSAzNzEuNjc4IDczOC4yMTkgMzcyWk00MzEuNzE5IDQxMi4zNDRMNDMxLjcxOSA2MTEuNjU2QzUxMy41NiA2MDguMjA4IDU3NC44NzUgNTYxLjk4NSA1NzQuODc1IDUxMkM1NzQuODc1IDQ2Mi4wMTUgNTEzLjU2IDQxNS43OTIgNDMxLjcxOSA0MTIuMzQ0WiIvPjxwYXRoIGQ9Ik03NDIgNDAzLjY4OEM3NDAuMDYyIDQwMy40ODMgNzM4LjA5NyA0MDQuNDM4IDczNy4wOTQgNDA2LjI1QzczNS43NTYgNDA4LjY2NiA3MzYuNjE1IDQxMS42OTQgNzM5LjAzMSA0MTMuMDMxTDkyNS43MTkgNTE2LjM3NUM5MjguMTM1IDUxNy43MTIgOTMxLjE5NCA1MTYuODIyIDkzMi41MzEgNTE0LjQwNkM5MzMuODY5IDUxMS45OSA5MzIuOTc5IDUwOC45NjIgOTMwLjU2MiA1MDcuNjI1TDc0My44NzUgNDA0LjI4MUM3NDMuMjcxIDQwMy45NDcgNzQyLjY0NiA0MDMuNzU2IDc0MiA0MDMuNjg4WiIvPjxwYXRoIGQ9Ik05MjcuNSA1MDcuMDMxQzkyNi44NTYgNTA3LjExNSA5MjYuMjIxIDUwNy4zMzkgOTI1LjYyNSA1MDcuNjg4TDczOC45MzggNjE2LjkwNkM3MzYuNTU0IDYxOC4zMDEgNzM1Ljc2MiA2MjEuMzM1IDczNy4xNTYgNjIzLjcxOUM3MzguNTUxIDYyNi4xMDIgNzQxLjYxNiA2MjYuOTI2IDc0NCA2MjUuNTMxTDkzMC42ODggNTE2LjMxMkM5MzMuMDcxIDUxNC45MTggOTMzLjg2MyA1MTEuODUyIDkzMi40NjkgNTA5LjQ2OUM5MzEuNDIzIDUwNy42ODEgOTI5LjQzMiA1MDYuNzggOTI3LjUgNTA3LjAzMVoiLz48L3N2Zz4="/></symbol><symbol id="image-cd5a510c10be4b13edac83ff2c63d62659dd7515"><image width="100%" height="100%" href="data:image/svg+xml;base64,PHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHdpZHRoPSIyNCIgaGVpZ2h0PSIyNCIgdmlld0JveD0iMCAwIDI0IDI0IiBmaWxsPSJub25lIiBzdHJva2U9ImN1cnJlbnRDb2xvciIgc3Ryb2tlLXdpZHRoPSIwLjIiIHN0cm9rZS1saW5lY2FwPSJyb3VuZCIgc3Ryb2tlLWxpbmVqb2luPSJyb3VuZCIgY2xhc3M9Imljb24gaWNvbi10YWJsZXIgaWNvbnMtdGFibGVyLW91dGxpbmUgaWNvbi10YWJsZXItY2xvdWQiPjxwYXRoIHN0cm9rZT0ibm9uZSIgZD0iTTAgMGgyNHYyNEgweiIgZmlsbD0ibm9uZSIvPjxwYXRoIGQ9Ik02LjY1NyAxOGMtMi41NzIgMCAtNC42NTcgLTIuMDA3IC00LjY1NyAtNC40ODNjMCAtMi40NzUgMi4wODUgLTQuNDgyIDQuNjU3IC00LjQ4MmMuMzkzIC0xLjc2MiAxLjc5NCAtMy4yIDMuNjc1IC0zLjc3M2MxLjg4IC0uNTcyIDMuOTU2IC0uMTkzIDUuNDQ0IDFjMS40ODggMS4xOSAyLjE2MiAzLjAwNyAxLjc3IDQuNzY5aC45OWMxLjkxMyAwIDMuNDY0IDEuNTYgMy40NjQgMy40ODZjMCAxLjkyNyAtMS41NTEgMy40ODcgLTMuNDY1IDMuNDg3aC0xMS44NzgiLz48L3N2Zz4="/></symbol><symbol id="image-1fc42860614cb7357b66c1964aa081366cd82698"><image width="100%" height="100%" href="data:image/svg+xml;base64,PHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHdpZHRoPSIyNCIgaGVpZ2h0PSIyNCIgdmlld0JveD0iMCAwIDI0IDI0IiBmaWxsPSJub25lIiBzdHJva2U9ImN1cnJlbnRDb2xvciIgc3Ryb2tlLXdpZHRoPSIyIiBzdHJva2UtbGluZWNhcD0icm91bmQiIHN0cm9rZS1saW5lam9pbj0icm91bmQiIGNsYXNzPSJsdWNpZGUgbHVjaWRlLWNvbXB1dGVyLWljb24gbHVjaWRlLWNvbXB1dGVyIj48cmVjdCB3aWR0aD0iMTQiIGhlaWdodD0iOCIgeD0iNSIgeT0iMiIgcng9IjIiLz48cmVjdCB3aWR0aD0iMjAiIGhlaWdodD0iOCIgeD0iMiIgeT0iMTQiIHJ4PSIyIi8+PHBhdGggZD0iTTYgMThoMiIvPjxwYXRoIGQ9Ik0xMiAxOGg2Ii8+PC9zdmc+"/></symbol><symbol id="image-1eb35412189527b20624c29b9912c61108c16757"><image width="100%" height="100%" href="data:image/svg+xml;base64,PHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHdpZHRoPSIyNCIgaGVpZ2h0PSIyNCIgdmlld0JveD0iMCAwIDI0IDI0IiBmaWxsPSJub25lIiBzdHJva2U9ImN1cnJlbnRDb2xvciIgc3Ryb2tlLXdpZHRoPSIyIiBzdHJva2UtbGluZWNhcD0icm91bmQiIHN0cm9rZS1saW5lam9pbj0icm91bmQiIGNsYXNzPSJpY29uIGljb24tdGFibGVyIGljb25zLXRhYmxlci1vdXRsaW5lIGljb24tdGFibGVyLWJveCI+PHBhdGggc3Ryb2tlPSJub25lIiBkPSJNMCAwaDI0djI0SDB6IiBmaWxsPSJub25lIi8+PHBhdGggZD0iTTEyIDNsOCA0LjVsMCA5bC04IDQuNWwtOCAtNC41bDAgLTlsOCAtNC41Ii8+PHBhdGggZD0iTTEyIDEybDggLTQuNSIvPjxwYXRoIGQ9Ik0xMiAxMmwwIDkiLz48cGF0aCBkPSJNMTIgMTJsLTggLTQuNSIvPjwvc3ZnPg=="/></symbol><symbol id="image-60b076cb044084e59e74d2b41f84159dcede0ddd"><image width="100%" height="100%" href="data:image/svg+xml;base64,PHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHdpZHRoPSI4MDBweCIgaGVpZ2h0PSI4MDBweCIgdmlld0JveD0iMCAtMTAuNDQgNzIyLjg0NiA3MjIuODQ2Ij48cGF0aCBkPSJNMzU4Ljk4NiAxMC4wNmE0Ni43MjUgNDYuMzQyIDAgMDAtMTcuOTA2IDQuNTMxTDk2LjczNiAxMzEuMzQxYTQ2LjcyNSA0Ni4zNDIgMCAwMC0yNS4yOCAzMS40MzhsLTYwLjI4MiAyNjIuMjVhNDYuNzI1IDQ2LjM0MiAwIDAwNi4zNDQgMzUuNTMxIDQ2LjcyNSA0Ni4zNDIgMCAwMDIuNjU2IDMuNjg4bDE2OS4xMjUgMjEwLjI4YTQ2LjcyNSA0Ni4zNDIgMCAwMDM2LjUzMSAxNy40MzhsMjcxLjIxOS0uMDYyYTQ2LjcyNSA0Ni4zNDIgMCAwMDM2LjUzMS0xNy40MDZsMTY5LjA2My0yMTAuMzEzYTQ2LjcyNSA0Ni4zNDIgMCAwMDkuMDMtMzkuMjE5TDY1MS4zIDE2Mi43MTZhNDYuNzI1IDQ2LjM0MiAwIDAwLTI1LjI4MS0zMS40MzdMMzgxLjY0MyAxNC41OWE0Ni43MjUgNDYuMzQyIDAgMDAtMjIuNjU3LTQuNTN6IiBmaWxsPSIjMzI2Y2U1Ii8+PHBhdGggZD0iTTM2MS40MDggOTkuMzA3Yy04LjA3Ny4wMDEtMTQuNjI2IDcuMjc2LTE0LjYyNSAxNi4yNSAwIC4xMzguMDI4LjI3LjAzLjQwNi0uMDExIDEuMjItLjA3IDIuNjg5LS4wMyAzLjc1LjE5MiA1LjE3NiAxLjMyIDkuMTM4IDIgMTMuOTA3IDEuMjMgMTAuMjA2IDIuMjYgMTguNjY3IDEuNjI1IDI2LjUzMS0uNjIgMi45NjUtMi44MDMgNS42NzctNC43NSA3LjU2MmwtLjM0NCA2LjE4OGExOTAuMzM3IDE5MC4zMzcgMCAwMC0yNi40MzggNC4wNjJjLTM3Ljk3NCA4LjYyMy03MC42NyAyOC4xODQtOTUuNTYyIDU0LjU5NGEyNDUuMTY3IDI0NS4xNjcgMCAwMS01LjI4MS0zLjc1Yy0yLjYxMi4zNTMtNS4yNSAxLjE1OS04LjY4OC0uODQ0LTYuNTQ1LTQuNDA1LTEyLjUwNi0xMC40ODYtMTkuNzE5LTE3LjgxMi0zLjMwNS0zLjUwNC01LjY5OC02Ljg0MS05LjYyNS0xMC4yMTktLjg5MS0uNzY3LTIuMjUyLTEuODA0LTMuMjUtMi41OTQtMy4wNy0yLjQ0Ny02LjY5LTMuNzI0LTEwLjE4Ny0zLjg0My00LjQ5Ni0uMTU0LTguODI0IDEuNjA0LTExLjY1NiA1LjE1Ni01LjAzNiA2LjMxNS0zLjQyNCAxNS45NjggMy41OTMgMjEuNTYyLjA3MS4wNTcuMTQ3LjEwMS4yMTkuMTU3Ljk2NC43ODEgMi4xNDUgMS43ODMgMy4wMzEgMi40MzcgNC4xNjcgMy4wNzcgNy45NzMgNC42NTIgMTIuMTI1IDcuMDk0IDguNzQ3IDUuNDAyIDE1Ljk5OSA5Ljg4IDIxLjc1IDE1LjI4MSAyLjI0NiAyLjM5NCAyLjYzOSA2LjYxMyAyLjkzOCA4LjQzOGw0LjY4NyA0LjE4N2MtMjUuMDkzIDM3Ljc2NC0zNi43MDcgODQuNDEtMjkuODQzIDEzMS45MzhsLTYuMTI1IDEuNzgxYy0xLjYxNSAyLjA4NS0zLjg5NiA1LjM2NS02LjI4MiA2LjM0NC03LjUyNSAyLjM3LTE1Ljk5NCAzLjI0LTI2LjIxOCA0LjMxMi00LjguNC04Ljk0My4xNjEtMTQuMDMyIDEuMTI1LTEuMTIuMjEyLTIuNjguNjE5LTMuOTA2LjkwNmwtLjEyNS4wMzJjLS4wNjcuMDE1LS4xNTUuMDQ4LS4yMTkuMDYyLTguNjIgMi4wODMtMTQuMTU3IDEwLjAwNi0xMi4zNzUgMTcuODEzIDEuNzgzIDcuODA4IDEwLjIwMyAxMi41NTYgMTguODc1IDEwLjY4Ny4wNjMtLjAxNC4xNTQtLjAxNy4yMTktLjAzMS4wOTgtLjAyMi4xODQtLjA3LjI4MS0uMDk0IDEuMjEtLjI2NSAyLjcyNC0uNTYgMy43ODItLjg0MyA1LjAwMy0xLjM0IDguNjI2LTMuMzA4IDEzLjEyNS01LjAzMiA5LjY3Ni0zLjQ3IDE3LjY5MS02LjM3IDI1LjUtNy41IDMuMjYtLjI1NSA2LjY5NyAyLjAxMiA4LjQwNiAyLjk2OWw2LjM3NS0xLjA5NGMxNC42NyA0NS40ODMgNDUuNDE0IDgyLjI0NSA4NC4zNDQgMTA1LjMxM2wtMi42NTcgNi4zNzVjLjk1OCAyLjQ3NSAyLjAxNCA1LjgyNCAxLjMgOC4yNy0yLjgzOCA3LjM2LTcuNyAxNS4xMy0xMy4yMzcgMjMuNzkyLTIuNjgxIDQuMDAyLTUuNDI1IDcuMTA4LTcuODQ0IDExLjY4OC0uNTc5IDEuMDk2LTEuMzE2IDIuNzgtMS44NzUgMy45MzctMy43NTkgOC4wNDMtMS4wMDIgMTcuMzA1IDYuMjE5IDIwLjc4MiA3LjI2NiAzLjQ5NyAxNi4yODQtLjE5MiAyMC4xODctOC4yNS4wMDYtLjAxMi4wMjYtLjAyLjAzMS0uMDMyLjAwNC0uMDA5LS4wMDQtLjAyMiAwLS4wMy41NTYtMS4xNDMgMS4zNDQtMi42NDUgMS44MTMtMy43MiAyLjA3Mi00Ljc0NyAyLjc2Mi04LjgxNSA0LjIxOS0xMy40MDYgMy44Ny05LjcyIDUuOTk1LTE5LjkxOSAxMS4zMjItMjYuMjc0IDEuNDU5LTEuNzQgMy44MzctMi40MSA2LjMwMy0zLjA3bDMuMzEyLTZjMzMuOTM4IDEzLjAyNyA3MS45MjcgMTYuNTIzIDEwOS44NzUgNy45MDdhMTg5Ljc3IDE4OS43NyAwIDAwMjUuMDk0LTcuNTYzYy45MyAxLjY1MSAyLjY2MSA0LjgyNiAzLjEyNSA1LjYyNSAyLjUwNi44MTUgNS4yNCAxLjIzNiA3LjQ2OSA0LjUzMSAzLjk4NSA2LjgxIDYuNzEgMTQuODY1IDEwLjAzMSAyNC41OTQgMS40NTcgNC41OTEgMi4xNzggOC42NiA0LjI1IDEzLjQwNi40NzIgMS4wODIgMS4yNTYgMi42MDUgMS44MTIgMy43NSAzLjg5NSA4LjA4NSAxMi45NDMgMTEuNzg3IDIwLjIyIDguMjgyIDcuMjE5LTMuNDc4IDkuOTc5LTEyLjc0IDYuMjE4LTIwLjc4Mi0uNTU5LTEuMTU4LTEuMzI3LTIuODQxLTEuOTA2LTMuOTM3LTIuNDItNC41OC01LjE2My03LjY1NS03Ljg0NC0xMS42NTYtNS41MzctOC42NjItMTAuMTMtMTUuODU4LTEyLjk2OS0yMy4yMi0xLjE4Ny0zLjc5Ni4yLTYuMTU3IDEuMTI1LTguNjI0LS41NTQtLjYzNS0xLjczOS00LjIyLTIuNDM3LTUuOTA2IDQwLjQ1Ny0yMy44ODkgNzAuMjk4LTYyLjAyMiA4NC4zMTItMTA2LjA2MyAxLjg5My4yOTggNS4xODIuODggNi4yNSAxLjA5NCAyLjItMS40NSA0LjIyMi0zLjM0NCA4LjE4OC0zLjAzMSA3LjgwOCAxLjEyOSAxNS44MjMgNC4wMyAyNS41IDcuNSA0LjQ5OCAxLjcyMyA4LjEyMSAzLjcyMyAxMy4xMjUgNS4wNjIgMS4wNTcuMjgzIDIuNTcyLjU0NyAzLjc4MS44MTMuMDk3LjAyMy4xODMuMDcxLjI4MS4wOTMuMDY2LjAxNS4xNTYuMDE3LjIxOS4wMzIgOC42NzIgMS44NjYgMTcuMDk0LTIuODggMTguODc1LTEwLjY4OCAxLjc4LTcuODA3LTMuNzU0LTE1LjczMi0xMi4zNzUtMTcuODEyLTEuMjU0LS4yODYtMy4wMzItLjc3LTQuMjUtMS01LjA5LS45NjQtOS4yMzEtLjcyNy0xNC4wMzEtMS4xMjUtMTAuMjI1LTEuMDcyLTE4LjY5NC0xLjk0My0yNi4yMTktNC4zMTMtMy4wNjgtMS4xOS01LjI1MS00Ljg0MS02LjMxMy02LjM0NGwtNS45MDYtMS43MThjMy4wNjItMjIuMTU1IDIuMjM3LTQ1LjIxMi0zLjA2Mi02OC4yODItNS4zNDktMjMuMjg0LTE0LjgtNDQuNTgtMjcuNDA3LTYzLjM0MyAxLjUxNS0xLjM3OCA0LjM3Ny0zLjkxMSA1LjE4OC00LjY1Ny4yMzctMi42MjQuMDMzLTUuMzc1IDIuNzUtOC4yODEgNS43NTEtNS40IDEzLjAwMy05Ljg3OSAyMS43NS0xNS4yODEgNC4xNTItMi40NDMgNy45OS00LjAxNyAxMi4xNTYtNy4wOTQuOTQyLS42OTYgMi4yMy0xLjc5OCAzLjIxOS0yLjU5NCA3LjAxNS01LjU5NiA4LjYzLTE1LjI0OCAzLjU5NC0yMS41NjItNS4wMzctNi4zMTQtMTQuNzk3LTYuOTEtMjEuODEzLTEuMzEzLS45OTguNzkxLTIuMzUzIDEuODIzLTMuMjUgMi41OTQtMy45MjYgMy4zNzgtNi4zNTEgNi43MTQtOS42NTYgMTAuMjE5LTcuMjEzIDcuMzI2LTEzLjE3NCAxMy40MzgtMTkuNzE5IDE3Ljg0NC0yLjgzNiAxLjY1LTYuOTkgMS4wOC04Ljg3NS45NjhsLTUuNTYyIDMuOTY5Yy0zMS43Mi0zMy4yNi03NC45MDUtNTQuNTI1LTEyMS40MDYtNTguNjU2LS4xMy0xLjk0OS0uMy01LjQ3MS0uMzQ0LTYuNTMyLTEuOTA0LTEuODIxLTQuMjA0LTMuMzc2LTQuNzgxLTcuMzEyLS42MzctNy44NjQuNDI2LTE2LjMyNSAxLjY1Ni0yNi41MzEuNjc5LTQuNzY5IDEuODA3LTguNzMgMi0xMy45MDcuMDQ0LTEuMTc2LS4wMjctMi44ODQtLjAzMS00LjE1Ni0uMDAxLTguOTc0LTYuNTQ4LTE2LjI1LTE0LjYyNS0xNi4yNXptLTE4LjMxMyAxMTMuNDM4bC00LjM0NCA3Ni43MTgtLjMxMi4xNTdjLS4yOTIgNi44NjMtNS45NCAxMi4zNDMtMTIuODc1IDEyLjM0My0yLjg0MSAwLTUuNDYzLS45MTItNy41OTQtMi40NjhsLS4xMjUuMDYyLTYyLjkwNi00NC41OTRjMTkuMzMzLTE5LjAxIDQ0LjA2My0zMy4wNiA3Mi41NjItMzkuNTNhMTU0LjEyNSAxNTQuMTI1IDAgMDExNS41OTQtMi42ODh6bTM2LjY1NiAwYzMzLjI3NCA0LjA5MiA2NC4wNDUgMTkuMTU5IDg3LjYyNSA0Mi4yNWwtNjIuNSA0NC4zMTItLjIxOC0uMDkzYy01LjU0OCA0LjA1MS0xMy4zNjQgMy4wNDYtMTcuNjg4LTIuMzc1YTEyLjgwNyAxMi44MDcgMCAwMS0yLjgxMi03LjQ3bC0uMDYzLS4wM3pNMjMyLjEyNiAyODMuNjJsNTcuNDM4IDUxLjM3NS0uMDYzLjMxMmM1LjE4NSA0LjUwNyA1Ljk1IDEyLjMyOCAxLjYyNSAxNy43NWExMi44OTIgMTIuODkyIDAgMDEtNi42ODcgNC40MDZsLS4wNjMuMjUtNzMuNjI1IDIxLjI1Yy0zLjc0Ny0zNC4yNjUgNC4zMjktNjcuNTczIDIxLjM3NS05NS4zNDN6bTI1OC4xNTcuMDNjOC41MzQgMTMuODMzIDE0Ljk5NiAyOS4yODMgMTguODQzIDQ2LjAzMiAzLjgwMSAxNi41NDggNC43NTUgMzMuMDY3IDMuMTg4IDQ5LjAzMWwtNzQtMjEuMzEyLS4wNjMtLjMxM2MtNi42MjYtMS44MS0xMC42OTktOC41NTEtOS4xNTYtMTUuMzEyYTEyLjc4NiAxMi43ODYgMCAwMTQuMDk0LTYuODQ0bC0uMDMxLS4xNTYgNTcuMTI1LTUxLjEyNXptLTE0MC42NTcgNTUuMzEzaDIzLjUzMmwxNC42MjUgMTguMjgyLTUuMjUgMjIuODEyLTIxLjEyNSAxMC4xNTYtMjEuMTg4LTEwLjE4Ny01LjI1LTIyLjgxM3ptNzUuNDM4IDYyLjU2M2MxLS4wNSAxLjk5NS4wNCAyLjk2OS4yMTlsLjEyNS0uMTU3IDc2LjE1NiAxMi44NzVjLTExLjE0NiAzMS4zMTQtMzIuNDczIDU4LjQ0LTYwLjk2OSA3Ni41OTRsLTI5LjU2Mi03MS40MDYuMDkzLS4xMjVjLTIuNzE1LTYuMzEuMDAyLTEzLjcxIDYuMjUtMTYuNzE5IDEuNi0uNzcgMy4yNzEtMS4xOTcgNC45MzgtMS4yODF6bS0xMjcuOTA2LjMxMmM1LjgxMS4wODIgMTEuMDI0IDQuMTE2IDEyLjM3NSAxMC4wMzIuNjMyIDIuNzcuMzI0IDUuNTEzLS43MiA3LjkzN2wuMjIuMjgxLTI5LjI1IDcwLjY4OGMtMjcuMzQ4LTE3LjU0OS00OS4xMy00My44MjQtNjAuNzgyLTc2LjA2M2w3NS41LTEyLjgxMi4xMjUuMTU2Yy44NDUtLjE1NSAxLjcwMS0uMjMgMi41MzItLjIxOXptNjMuNzggMzAuOTdhMTIuNzY0IDEyLjc2NCAwIDAxNi4wMzIgMS4yOGMyLjU2IDEuMjMzIDQuNTM3IDMuMTc0IDUuNzgxIDUuNWguMjgybDM3LjIxOCA2Ny4yNWExNTQuMjU2IDE1NC4yNTYgMCAwMS0xNC44NzUgNC4xNTdjLTI4LjQ2NCA2LjQ2My01Ni44MzggNC41MDQtODIuNTMtNC4yNWwzNy4xMjQtNjcuMTI1aC4wNjNhMTIuOTEgMTIuOTEgMCAwMTEwLjkwNi02LjgxM3oiIHN0eWxlPSJ0ZXh0LWluZGVudDowO3RleHQtYWxpZ246c3RhcnQ7bGluZS1oZWlnaHQ6bm9ybWFsO3RleHQtdHJhbnNmb3JtOm5vbmU7YmxvY2stcHJvZ3Jlc3Npb246dGI7bWFya2VyOm5vbmU7LWlua3NjYXBlLWZvbnQtc3BlY2lmaWNhdGlvbjpTYW5zIiBmb250LXdlaWdodD0iNDAwIiBjb2xvcj0iIzAwMDAwMCIgZmlsbD0iI2ZmZmZmZiIgc3Ryb2tlPSIjZmZmZmZmIiBzdHJva2Utd2lkdGg9Ii4yNSIgb3ZlcmZsb3c9InZpc2libGUiIGZvbnQtZmFtaWx5PSJTYW5zIi8+PC9zdmc+"/></symbol>
+  <!-- svg-source:excalidraw -->
+  <!-- payload-type:application/vnd.excalidraw+json --><!-- payload-version:2 --><!-- payload-start -->eyJ2ZXJzaW9uIjoiMSIsImVuY29kaW5nIjoiYnN0cmluZyIsImNvbXByZXNzZWQiOnRydWUsImVuY29kZWQiOiJ4nO19a1dcIk2y7vf5XHUwMDE1vfp8nJGd98yas/ZcdTAwMDdcdTAwMTRE1Fx1MDAwMlFQ4ay9ekGByE1pQYHaa/77iYgsXHUwMDE1XHUwMDE0XHUwMDE0bbTtmdde76tcdTAwMTR1yUs8XHUwMDExT1xcMut///bt2/fxbNj6/s9v31vTqN7vNG/qk+//wON3rZtR5/pcbr5cdTAwMTL0eXR9e1x1MDAxM9GZl+PxcPTP//qv+nCYanfGjevrXiq6XHUwMDFl+Mta/dagdTVcdTAwMWXBif9cdTAwMGY+f/v2v/T/uVx1MDAwN3VcdTAwMDb1dotOpsOPzzHSPT1auL6iZ3JhlJNCu8czOqNcZjxr3GrC11x1MDAxN/X+qPX4XHJcdTAwMWX6ntalvcl4Vlx1MDAxYZ1yMZtWo5lVW9XHx150+v2T8axPTVx1MDAxYV1Dz1x1MDAxZr9cdTAwMWKNb657rbNOc3x53/2546uuurm+bV9etUbYdf5w9HpYjzrjXHUwMDE5XHUwMDFlY+zhaP2qTfd4PDKFT06oVMCNlJLpwFxi/nhcdTAwMTe8fos7nbLMMa2cUYGy9knDdq771zfYsPFN/Wo0rN/APDw2r1GPem1o41Xz5fMmSbeVSOmHg5etTvty/PToqEWjz3XgXHUwMDA0k0w99lx1MDAwNlx1MDAxZjTMN0lcbv7nccxv6oNWXHUwMDFlL7m67ffnXHUwMDA37qqZXGbcwlx1MDAxN1xy/FwiOydQj7e6XHUwMDFkNut+7rk1TCmrrVx1MDAxMuZxwPqdq97T2/Wvo95cdTAwMTJxXHUwMDE5jevjW7z992Hrqtm5ai9cYolv73fDXHUwMDFhzJqoXHUwMDAxj2JOtXTQsqopXHUwMDFhil84XHUwMDA1/W9GrWaLNZvzQlx1MDAwNHBqPaBcdTAwMDB/tlx1MDAxZZr37Vx1MDAxYk/++lx1MDAxZvr9r38sh8pNK1x1MDAxYXtRWVx1MDAwMlx1MDAxN6HESrhcdTAwMTgu4Fx1MDAxZltcdTAwMWYt21x1MDAxN7d3+/z253W8XHUwMDFiXHUwMDE0LN9y57sl81loYe9CXHUwMDBizHuK28BoK6TU2upFtFxixlJGaVx1MDAwNzNcdTAwMTZcdTAwMDSaa2VWweX/8Fx1MDAxNv57P1SMXHRSgVxuXHUwMDFj/Fx1MDAwNEow4Z7jRiqVglZaJWXAjHyOIcMt50LOTdm7MfS/XHUwMDBmUnYvSDI58q/PgdaLMj1uTcdLxdmxVeJsJGNcZlx1MDAxNKNaW5x3mk1pWal6XHUwMDE2XHUwMDE2alx1MDAwN4OoX779Ub7+2srfXHUwMDA2KmW1XHUwMDEyXHUwMDBlXHUwMDA23XBQ/0+Uv7QpXHUwMDBloqWZXHUwMDEzMFx1MDAxNGZO3DctzpxcdTAwMDUpXHSjzYxYYlx1MDAwMYR8Jrs84Epqp35ddH+D+r+4vlx1MDAxYZ90YpxcdTAwMTDBXHUwMDE2ju7WXHUwMDA3nf5sQVxiSHhh/KpAhr7t9G9H49bN94Vv0/1OXHUwMDFixfl7v3WxKOfjXHUwMDBlWISHr8fXw8dvI3havXPVunk+Otc3nXbnqt4vv/hk6G9r736GeIrruclcdTAwMWa18Fs8XHUwMDFlvN/YKKaeXHUwMDFlfTA2TmpcdTAwMTFY5daH5+z0quR0tnQyLPHdvZP0UEx1ZaPwbNZHl62N4pNrLVJOXHUwMDFipoGeXHUwMDA1zlx1MDAwNE/YmVAspVx1MDAwNJrdwIDdmeOym8Yn2LuUhCfwQFx1MDAwN1pcdTAwMDNcdTAwMTNcXEbTbCqY/3mGWYCMks7qx1x1MDAxMfxcXHvzcM3j1Vx1MDAwZuJxd9VcdTAwMWama9dH/Va3Nuhccm93+63C5cM4LFxibf3m5nry/eGbf93TqtWagjFcdTAwMTg4MY+cX7FmK51cdTAwMTnB5WrAOKdcdTAwMDPh1PqAuVx081x1MDAwNTVcZlx1MDAwNlf5o3a9sn15cNqPXHUwMDBmv7Y9XHUwMDAzm5By4KnQmEtp5FwiXFw0+DLCXHUwMDA1XHUwMDE22Fx1MDAxMOfAVNlKerZcdTAwMTFvRixcdTAwMDHJ3LF7VDhcdTAwMDX0TFx1MDAxObtcdTAwMWNcdTAwMTWPclx1MDAxZd/eXHUwMDFl9k5cdTAwMDe79ZPpj+NcdTAwMWa72Zutm95kTkK/X7LTgtg7dqYm+PmUXHUwMDFkXqmtrcb3Z9L5NU3iWlx1MDAxZVx1MDAxMW81pFag7lxcoIVtXGJgXHUwMDBiKlx1MDAxMkEjXGK4iFxmTmnEgaXYlzyiNztEK8mjXo02YVx1MDAwM6fnfNPXsFbc6Vx1MDAxZp2fnVx1MDAwNv0jvnWWj1x1MDAwZd1cdTAwMGXj3a+NNSd0XG5oIbNSiCVYg2+FcpqD5ntcdTAwMDVrv2ybXHUwMDA0UynwuZh1fD3yaCycajVbTlx1MDAxZf9TXHUwMDEw9y5cdTAwMTJ6WFx1MDAxZjZbd1tcdTAwMDe3jdZWWL9cdTAwMDJD9MlcXPTFXHUwMDA2fDgllWIl5lx1MDAxNXgk1pg5cvNcdTAwMWHoj+1wqlx1MDAxYdPbs8ObxmG0nzOivHv1xVx1MDAxOalccuRLXHUwMDE21vJUYOcs7Mdh3rhloUJcdTAwMDdH2dzPYydcdTAwMTPog6pcboCEykdttFx1MDAxY/qbQ/bGmeqwW1x1MDAxOVx1MDAwZstTzZtcdTAwMTelWq/erlx1MDAxN/Xe4aaY6mbjLi9jia1cdTAwMGW9M26dkUasXHUwMDFmTGTDSWurnblcdTAwMWRcdTAwMTeHpcmuLk9Kg+lm2epcdTAwMDe4d1xciZR0UnCltJOG2UU0aZtiwFx1MDAwZa1cdTAwMDG2I5nR/OPgXHUwMDA0juS8eyeXUFdtnoKJXHUwMDAzmVboz20gXGK/QZgsJW5zonJsXG6sXHUwMDEx7KvprTmubYlI5lx1MDAwNpd6XHUwMDBlJf9YfttP8Fx1MDAxMz8n6imZXlx0PIypWaesWVx1MDAxYnjLR/OrXHUwMDAzz7JcdTAwMTTgTihAXHUwMDFlXHUwMDE4Ma1cdTAwMTaBXHUwMDA3aNCfXHUwMDAzPO5kXG4mXlx1MDAxOL1m4NNYcFx1MDAxN5VY4S3+XHUwMDFic85v2au7zs311WBhXHUwMDFjXHUwMDE3KGdcdTAwMDRfzdPBZ6Rz0Gk2543RXCLvfM2GLKeiy9v18Uz0hUxcdTAwMWMmajXnbn3/s51tTFx1MDAwN/1cXPMmm1x1MDAxYl/cbO9ccq/HW8dfXHUwMDFlxGA9XHUwMDAzXHUwMDAxfigzQlx1MDAwMCZcdTAwMTZBLG0q4MwwbSxYNeE+LnfxPuNcdFqHS+BAvyv59j7beWVHXHUwMDA3/d1Sb1ZcdTAwMTn1d36Enf6u3DFf0caplY6aYDxcdTAwMTBKmzeEQpf3+qvDXHUwMDAznDFprbAw7k7Ap1x1MDAwNXholVKfXHUwMDAzjzebOK6MU5pcdTAwMDV2uZP2l437XHUwMDE1XHUwMDFi94qm/2xcdTAwMWK3XG6/3K7mqFx1MDAxY/xCrlxyW1x1MDAxZr/BXHUwMDA12zpvspPGeTjttiqDznntR+lrh1e5XHUwMDBleMpcdTAwMDaBZdI6p5V+WmrCLSbMrWRg/6yzX4iiKulcdTAwMDKsJvudXHUwMDE0VVx1MDAxOa3n9MeXge+HRkV/XHUwMDEzXHUwMDE1XHJU8PToPVadXHLAi2J6fSaaP+tcdTAwMGV+XHUwMDFlpK3oXHUwMDA0TV3esjnezO1/7aIw7lx1MDAwMCEuXHUwMDEwMjBcZriFY4tlNFxu7LCQzlpAqlx1MDAwM9KqnjRsc0hVKkhZXHUwMDAzysCg7Vx1MDAxMnJJTZhiJlx1MDAwNXTZXHUwMDE4XHUwMDBljFVo8awoTDAplFx1MDAwMmr6WjqyOZlMMuV9cb2nbPegV2pcZkb14teIkM4uZjw3mf1cdTAwMThcdTAwMGb2yplcbt9XO8d3w0U2++5cdTAwMTiNU1x1MDAxMlx1MDAwNkjOo+tX+Gur3+9cZkdLYeX0yvJcdTAwMTdcdTAwMGKGgWP8Ym1YXHUwMDFkiLNZq1XXp6Kof5THhu1eXHUwMDBmLr44rMCdSmFcdTAwMTZcdTAwMTX8WYuWblx1MDAxMVZaiJRVYGnAXG5cdTAwMDaK6Vx1MDAwZswvXHUwMDA2XCLFXHUwMDA0YFxuXHUwMDA2XVpll1x1MDAxOUFnXHUwMDE2Tnme5WfWSkyXLlx1MDAwZpV+XHUwMDBlrMTrsPo0wV9ZxFx1MDAxMrDVaXXFwXVbXHUwMDE43tfkfjo9LKmtvWj687zqhj/2r0rNg6OvzfxcdTAwMDRcdTAwMGKAcFx1MDAxOW2dXHUwMDExYFHmjCuJvVx1MDAxNSlcdTAwMWVYXHQ+nVx1MDAwNbmXq6T+XHUwMDEzK1isXHUwMDA1gGKB6CuifW2q/cagymX17GArrXI7dd44nlPL33uXTXmU7e5WXFz9IDva3U/fOlOZP2Fz4HgvsXw7XG7mJuhPq3CxbmWGzjlntDTuXHLZbnmzn7mYnmd3bzN3W6fd9CHfK3x1JLIgpXCdiWaodtxcdTAwMDJcdTAwMTKB1qaMXHUwMDE0XHUwMDA2PDTAY1x1MDAxMHycXHUwMDAxXHUwMDAyS5gy69dGXHUwMDFihZpBr1hcdTAwMWHz+Wh6iardhp2LXFyGbVx1MDAxZLS7zVxcObzUxVx1MDAxZrPcelTtXHUwMDFmL923fFx1MDAxYd+dqu1i1NnfXHUwMDBm73pcdTAwMTdcdTAwMDelK9P5bVx1MDAxNHAjzuVJp9mK6jffjm6up7Pf4l6uaMFHxoHcXHUwMDBiuUpcdTAwMDN+V2BcdTAwMDK7fpHATqW+Y3Kt9sicnF43XHUwMDA3YdgpnJ59dVx1MDAxZCRkijuD5d+OXHUwMDEy7lx1MDAwYkrIXHSTslx1MDAwMpST4k5cdTAwMTnHVvKBX1dCxqTWVkGCg85cdTAwMDSK8lqF3Vx1MDAxZm3Q31x1MDAwNeb0cPjt7Pqm17+uN79cdTAwMWRdNz9cdTAwMTfIq5++XHRcdTAwMTCv5vRqpStrLNc2sGZ9XCKRLZYyMrLZq/7JXa1VOCjtR5nZV1x1MDAwNzFYcCmdXHUwMDA2P1aAr2pcdTAwMTfL5iznKTDYQKGlXHUwMDBljOIrY7mfSOqhPVjbo5anJ1x1MDAxZlx1MDAxMXxcXPtxLjNnneisuPfjvGGP7GE1XiD1Ry7cu7g5XHUwMDFmpesn+Z+yeNqc7Fx1MDAxY/1cdTAwMGVS/0E05CPpwlx1MDAxZugyXHUwMDA0q713bjVcdTAwMGZcdTAwMTRcdTAwMTiytaHePuj2a63xrHfbz5ylzfWeOD+KvjrUXHUwMDE1gFlcdTAwMDTWOsmlUnLRfbdKpoRcdTAwMDXPSTL4XstcdTAwMGZM21xim3KGS7FuVTzXQopA8ldcdTAwMTei/GdcdTAwMWHtnXsr+/lcdTAwMTZ7yaM3Ya69JltcdTAwMDJiIecq3p6GnkGcmFx1MDAxNG/I6LysWzdSPHE9XHUwMDFlryqeeF/sXHUwMDE5+KtcdTAwMDWcXHUwMDAyUlx1MDAwM1x1MDAxOVxixviiwTYyWHD9V+6K8csoZuD4XHUwMDBioPVcdTAwMDHoXG54jllWW2RcdTAwMTg0VVx0+F7yQCqzpKBcdTAwMDLmzCihPo+Of0DwWc5cdTAwMDU03mZDb8bbXHUwMDFkbz5cdTAwMTdcdTAwMWGWbFx1MDAxYpNfIzxFKlwiXCJTvMVSjIF8gCFcdTAwMTOScVxc6GBcdTAwMWZcdTAwMDPSOLT1IVm71MJCXHUwMDA0rp71XHUwMDFmTPrr7XqZ7T5pl0MnXHUwMDEwmoQpV7C2+nmrRIpJJ1x1MDAxZLhn8M848TzT1q+PxjvXg0FcdTAwMDcxdXTduVx1MDAxYT9cdTAwMWRoXHUwMDFh0TQqj8tW/ZlcdTAwMTRAr+a/XHUwMDAz8e48yVx1MDAxY1x1MDAwZvGmi5L3+Ne3RyTSh4e//+dcdTAwMWZLz95ajVx1MDAxMPx5ho3H+63Fc1a6NNasXGZMWKFhXHUwMDEy3Fx1MDAxYlx1MDAxNi/s907SqlL80Tht2PbR/n5wutvZbGx08yqSq0CCiGt0WcC1XHUwMDExcjEwXHUwMDAxN+AprZRxQEvhLLVyLdBnrrXlhlnwwcxrodGwNNpmvdnRya3K9eq9zKQy4KVP9klu8lx1MDAxN5X88f7phbzryHqt1bvrTXqbWmlgXHUwMDAyXHUwMDE1zCUyN+6TXFxESjjcVERFXHIrtW1cdTAwMThcdTAwMTNx8G3rdVBSXHUwMDEyPjSdMIH7pDTG6l1eXHUwMDE4yqldP/iQXHUwMDExN1fji3qV5bcnovLzoDus2eDLI9WyXHUwMDE0V7hcdTAwMWNcdTAwMTdmnbsnOJU6pVx1MDAwMFx1MDAxNuCLMOHmjMbmtyxcdTAwMDKHZF1fRDDujFMrasg+XHUwMDFmqFx1MDAxZlx1MDAwMqV3+VwimdZd43r6uU7I02d+rPdh3Ervg1tcdTAwMDX2xM1vrPVcdTAwMWFiX85cdTAwMDR9UcRcdTAwMDaBSYGbZcElXHUwMDA3XHUwMDE1Ne/qkvtcdTAwMDHkUlx1MDAwN1xcXHUwMDAwy2BPirg2XGZZMNspcFx1MDAwNnFZg6Cio+fgZSnNnbTGXHUwMDA0lmv4Qz5fJlxi+JCg9j9mn7FPLmr5ML+CpVTAMGtiwa/goCjFXHUwMDEyp1x1MDAwMoNHQCyFMWBUpbXuWedcdTAwMTecisV+/GHEfqXs0eXPpO6NxH7lwpHVZFx1MDAwMamCs0q/YYtDXT/Iievb8sXRcFxcXGJ7XHUwMDE3P9vN0fnXXHUwMDBlYIJcdTAwMWIlUpzBeFuuoL/mXHUwMDExz5RwVCrFXHUwMDE0TotcdTAwMTSghkXwpGFcdTAwMWLUPVxcpbRef1dcdTAwMGZcdTAwMWUwqr9ccn7nslx1MDAxMZBHMydcdTAwMWafQ1x1MDAwNr51cE1I1Fx1MDAxYY6/wYheXFx0om9cdTAwMTc314Nv0e/YLO6NTfpYKmHdSi9cdTAwMWTosDRcXL+hhvblsuIvWUNLiUesS8VcdTAwMWRkXHUwMDE3Qlx1MDAxMlSZrmjv31x1MDAwMCDmwCdWXHUwMDFmuFx1MDAwNixcdTAwMTVoXHUwMDAzdEXhbqSgrJd465LpXHUwMDE0llxmgEJcdTAwMTe4glU941x1MDAxMYHDZWFmxd5cdTAwMWT/3jTi5WVcdTAwMTHfXHUwMDE2w4BcdTAwMWFcdTAwMWJcdTAwMDMjXHUwMDFkXHUwMDE4aVx1MDAwM9CIz3iEMCkpOFx1MDAxMFxyXHUwMDA21lx1MDAxM1S9si/ziFWt+vmjcTppjIZRpVYrXHUwMDE0xsFZrVvZXlx1MDAxOTTVuFx1MDAxNJFcdTAwMDdcdTAwMGVa5cBy8OfN4ikjjJBgYZ2Uzlx1MDAwNM9a9Vx1MDAwZVx1MDAwZbOEpzxhMlx1MDAwYtdvlsOslHv69rnIv5HEvHuFOFx1MDAwYlx1MDAxY/DLt+xcdTAwMDb401x1MDAxNIvbucl5u/5DuctcdTAwMWb100F9f7NVXHUwMDE3XHUwMDFmtb9cbthkcKWc42pR+21cdTAwMDHTScHIXHUwMDA31lx1MDAwMp9cdTAwMDahlE+b9ruXiFx1MDAwYqbBc3JqXHUwMDEzu9x+4lx1MDAxYfH84bhyMrkpzEr9bKG1//NoeFHd/0/aX+VcdTAwMDXggUvvmFx1MDAxMnL9+MXy0fzqwMP9VYRcdTAwMDbDXHUwMDAysFJCPNnYXGI3llx1MDAxNp+DvLevPndCglx1MDAxYs7FXHUwMDA2QPfX6vMnq89fsVwin72sdWV2b75s59n2XHUwMDExXHUwMDBld1Ngb9hcIml/e7dcdTAwMTWc/Ij76cl+rlip6lp4u/vFo1x1MDAwMFx1MDAxNpfXXHRupMDFd0+qmLaMS0lwy43kuL0nW73x9Ccm95TjUlx1MDAwM3F8bVx1MDAxOdLERlx1MDAxOVnbZudBIbNXS59cci46hs2T1oPB0WH+uDboXHUwMDFm51x1MDAxYeXTg6B0p8qN+Vx1MDAxM1x1MDAwNrPt7WJ+K7dcdTAwMTWYXHUwMDFmNdXgO0c3QJOfmZ9cdTAwMGZd3457L75rffufV1OoXtgo0MpcdTAwMDBcdTAwMWNcdTAwMGL7hlxm3u35VVadn5qRuUhvz8Tu5PKg/Wle/DvBaKRLYahcdTAwMDLfSOTAjX+yXHUwMDE3hJQpcJl0XHUwMDEwOFx1MDAwNe5cdTAwMWWQ+4+zpm9biYRbdVx1MDAwNIGwry5ccvyjXHUwMDEx9SsmN4mW/b41PctcdTAwMWLw8e92XHUwMDEw5unRe0xrXHUwMDFkIFx1MDAwMXvD7tlmIG5Zvlx1MDAxY/WP6/LYXHUwMDFjqvSdXHUwMDE53HxcdTAwMTak35nh04FLXHUwMDAxkDhuXFwtreJPdiBcZjD2bTQ3WjmAXHUwMDBm+7jQnHAshXtcdDChhNNGLVx1MDAwMTaolJQ0Vlx1MDAxYaeBqnPHl+5cdTAwMDQqwfq+VlezOZxvfNOIo1HvmP+4a970+pP0zajc6uRMbVOO55uVy4vIWlx1MDAxOe/mUqxcXGgjmGWaYVxyztq4etlcdTAwMTf/orhcdTAwMTJByvHAcaVcdTAwMWNi61x0rlx1MDAwNIZ8XGZcdTAwMWNHy1x1MDAwNPTVfNxcdTAwMTbVXFyqVKDxXHUwMDE1gqDOXHUwMDAyaebiw3PJc4EvXHUwMDA3XHUwMDEx0mA5XHUwMDFkOFx1MDAxNuqZXHLFOKhcdTAwMDLb//WS59Za8N3fS0LXiXq//M6eb0/iy8B9XHUwMDE0UCWOS5ekVM/T5zD5TFx1MDAxYUHjzIwzz3u/VtT75W1Cv82n9Fx1MDAwNcOcPqhYh8VVwWNcdTAwMTn5t7mKXFxcdTAwMGWyXHUwMDAxzouwgZZOPFx1MDAwZsX/cUHvlYJP1z9cdTAwMTf5xzuu5Ses9Nr1XFyc6dnWIUxw/qaNjbfP7jrFws9BkK01rlx1MDAwZUZHl+mbW/7FXHUwMDFkXHUwMDA1XHUwMDEwe3whXHUwMDE0JvWcml91Sek+4VJBoK2WXHUwMDAxpl/s6te5bcRrXHUwMDA3Slx1MDAwMb7C4497XHUwMDFj+sek3+pzXHUwMDFlYuBcdTAwMDbfLCledev3cnt3p/rMnlx1MDAxNS959ub6ojPY+jn5XFxcdTAwMTfCXG6sJ/0wpzxq6rrmLOKs0Vx1MDAwMu4kW8165OTFXHUwMDA1eOSyaYTRQbNpNZ/bfHtcdTAwMDNO+UqwObG6So9cdTAwMTlcdTAwMGJcdTAwMGWpZOtT+MlknC/OsuPerF+3jerOzDb2NryL+EfU1Vx1MDAwMqBcdTAwMDTWXHUwMDBmXHUwMDFidLvZYqVcZnBpNDfSgipkypiPXdUrecpYwbVWUoHzpOUytK0+54HHg2ZcdTAwMDCWuGJX4ke0NZhcdTAwMWR1J7tsNHHB7qS/JcTkqDRvXHUwMDAzv1x1MDAwMFx1MDAxY0HHyTmLsGk4MnUhnLGseXFhLpqcKVx1MDAxMUlcdTAwMDVcdTAwMDd51LyQXHUwMDE3XHUwMDExb8pcdTAwMTaLWoHZKFx1MDAxY1fFyLR8wfQ5ybHYfv2ytVomk96/Ytt8f1x1MDAxNmxcdTAwMWT3ypmrXHUwMDFm8c8vbvqUkSlcdTAwMWVcdTAwMDQgwFZap4Onm/VcdTAwMDQpXFxcZqtcdTAwMDJcdTAwMTZcdTAwMDBcdTAwMTdYXHLGX69y1yksK1x1MDAwMoQt3Sju+W6pNuBcdTAwMWOL3L6+fXs/oH4hRPY7omKfVJ7GRbC6PI1ZiW/1NOvb0Ja4XHUwMDBiXFy6lb85XHUwMDE3tfaoa88nI71Zd/0jbKhzKeOscYBcdTAwMTkt1WJkO7AmXHUwMDA1MMLVKVx1MDAxNt9W/YFbbMFzZOBsXHUwMDAwyiNQnC0pdFx1MDAxN9BSoKFOaVxyplx1MDAxZdyJZ9bTOSTV4mNeh/OLrjq0d27bxPe76k9Lwv9Nis1Xzj99+3zqXHUwMDFmb7iW2V6tXHUwMDAylFlcdTAwMTmxXHUwMDBiXHUwMDAysNxMvOFcdTAwMWTHLy9cdTAwMTn8olx1MDAxYVx1MDAwMDyWVMBwn3PhhFWLrykwLkhJMI641aDgbi6ct3lccmBgLkDLaEtLLJZcdTAwMTFoXHUwMDExmJTjXHUwMDBld7tcdTAwMDSeocWSpS6S4ZqdXHUwMDBmKdj6NVxy8EsrPtfTXHUwMDAwq1x1MDAwMmYvL2/+9lx1MDAxODDjKVx1MDAxOD3kXHUwMDE5QsJcdTAwMTizx6zut4dwmU6B54J5UFx1MDAwNX5cbnCnZ2Pyh2me1WKHP89cdTAwMDTujXpnpbvAV7pcdTAwMGJKci6YfoO3UN7v5kpunFx1MDAxYvHs1ex8VvtRVdOTL+4tXHUwMDAwJFLOKYSr44FcYlx1MDAxNlx1MDAxN9iBt5RigjH0XHUwMDE1wKebr1x1MDAwNdv8iyx5SnBcdTAwMTas6S1IXHUwMDE3QHvcip08PinMXHUwMDA1pHSuIOiT1rhE/Vx1MDAwZbTtYTXJ+Pq3Lm9ZozVcdTAwMWbrOii32uFcdTAwMGZAUzDH3vAq2peTn1+VODCbQnpkeSBxXHUwMDBiisVcIlNl4FuFO4RqzFx1MDAwN4lcdTAwMGbcXHUwMDE506mUXHUwMDExTFx1MDAwMpczxs57KY+vXcA1dVx1MDAxYVx1MDAxYsKEVMLZ58xcdTAwMDFj99yuKpX5vc6DUWojm++8nTq8XFza8W0+11x1MDAwNjrUXHTNZcC0lFbpJctnQas7QIZWXHUwMDAxZoDV81H508jDKsnDn63nQrcp9sBWhv7BXHUwMDA1ZsFbXq02m/Cf+41stdfdmXa6I7N9KydffIN+3Fx1MDAwMFxyPVx1MDAxNsdcdTAwMDJcdTAwMDeoXHUwMDE1i7WxTkmgqFx1MDAxMl/BojjX7lx1MDAwM1x1MDAxN5W8jTqAkFh8890m1s+9nzsw3PD1L+7wXHTcYWXmTr7whlxyjlx1MDAxNV5q/l1cdTAwMGWvXHUwMDAx2Fx1MDAwZdl0XHUwMDEyxfmb2unP/VxuXHUwMDFijYxcdTAwMWJsNubwXHUwMDAxe3RaTJMzXHUwMDExXHUwMDA0gVx1MDAxMe7JzlW0OsVZjuVcdMxcdTAwMDKA2crt/T6xulx1MDAxZPOpxln9Wlx1MDAxYZypLaOvXG4/wcptnYz6J/X0OVx1MDAwYuZccubhYTZ/zsuVQrjVzt7cRXb/Vp3OnzDq9C/6oja9ZFx1MDAwN/3A2IOrZu3ik1x1MDAxM1xyaLLcu5a//HnV7dytRiNcdTAwMTNgvZV+w4t8y93c8fH4xtxcdTAwMWRWXG6zzPVZKd6Zdb86XHUwMDFhhUw5XHUwMDAx1lxm/HBm3NOSPVx1MDAwZdZW4vtAXHUwMDAzjds72Fx1MDAwZqzYXHUwMDEzuFhegoVy65lU4FRKydez5X80pH55m/vPNbLLn/zxXHUwMDA17WplQTtcdTAwMGZcdTAwMTRuUCnfYFRzZ61psD+pp4Ojs+uTcfdytHv4aVx0+PfuWYVvXHUwMDFmdOCKW2Nwx9nFQP5cdTAwMTbHclx1MDAxOKHgXHUwMDBi7bRcZiT/OFx1MDAxY2+kpF1oa6GZr5a0b1x1MDAwZdvvKmnfJOTfRyfV6tJcdTAwMTNlhaXX9a4t+K47bEzAiW7m7i7dSJxcdTAwMGaua5nNvqdw84Eox3VcboZcdTAwMWP+MaOBLy7GobRcdTAwMTEpsFx1MDAxMVx1MDAxNuut1FdgksKBk86dfq3ghO+xfXZpf17c6Ou9rauLXHUwMDFm9fyw88lcdTAwMDWVyvFcdTAwMGbcpTRoilx1MDAwYtBcdTAwMTUqqLt6wJrNVqNpLsD3aWg44my9pZtcdTAwMTdSXnxOXHUwMDA111x1MDAwYiuisGhJKP6Gfccu62nd/5Frtlx1MDAwZlxcepoxP3u58HCztcubh5G1LFx1MDAxNejAWvhcdTAwMWaWVi6mZHRgUlx1MDAwMb5cdTAwMTM+gPlcblx1MDAwNP/ANY7cpFxmPmJdXHUwMDEyXGKultPavLpX6WdcdTAwMDHq4YlLVjm1RpXifr2TXHUwMDE5NO/22OmgP1x1MDAxOF6I202tcno/XFzfxTGPblp3ndbkW+X48HMp5tJcdTAwMDd/cLpHrK5cdTAwMTTDpU7gPL2h2vplKfia6sFcdTAwMDU2heubpZXMSMae1HdcdTAwMDKfw1x1MDAxN1or5Hz4suBcdTAwMGZTXHUwMDBmSumUXHUwMDA2XHUwMDBmUcKjmGZ62bIunsJCXCJneWCENYrbOW2VvKNRmFx1MDAwMOfsK67q+lx1MDAxNaO7zqqul43Tt/mcXHUwMDBlh1x1MDAwMaY339F7npeldOBcdTAwMWNcXGLlXHUwMDAyo5xcdTAwMTD6lSVdf3KN2mrBw5/nXCL3eL+1eMlLJWqrt0Q1UlpcdTAwMTh6sz41XHUwMDE5divjYXmqefOiVOvV2/Wi3jv84rpcdTAwMDfoiMLXNuH7JVx1MDAxOO7htchNcH91i6kgjtu8SfZxZapa2Vx1MDAxNO7MyowxXHUwMDFhtOHjsM+lmsFccmdcbveKMLj7wvNFXHUwMDFlUlx1MDAwNTzANStfT/c4hbZsXHUwMDAzuuftmeZjO5yqxvT27PCmcVx1MDAxOO3njCjvXi3XSlhTXHUwMDAwg+gw+lx1MDAwN36Umzsp0Uq0ep85xVxyUFnB+LNB+cN0z9ZKwaNvn8vcXHUwMDFilc/qOrXVW6npQHP2JtozrcW9ps3shTa05bI9XHUwMDFllk6i0kZVz8aD40BcdTAwMTJSjFx1MDAwYo57YGvL7GJsXHUwMDFjNH1KOHyfXHT4RcZcdTAwMDVcdTAwMWZcdTAwMThS08C+NF9/XHUwMDEzNYtv511cdTAwMTVcdTAwMTn/nOhcdTAwMDG+XHUwMDEw137eXsxzXsFvzzSv25aPfHWzWb1cdTAwMWFbMoVbnr4hr9WtzfbloNg4XHKzs8K1a+yfjO+aX1x1MDAxZLoqXHUwMDE1OFx1MDAxZSAjM4I/XVx1MDAxZFxu0GXCWMNcdTAwMDX4MuxcdTAwMGJBV+B2+mp+T8bfUCai+Xzk/S/ofnaJiFi5/6FccjRcdTAwMTBcdTAwMWEt1i/xau7l9lrn21lcdTAwMTVcdTAwMDXpwfl+9u7u4PbLv7BcdTAwMTngabCW0Fxi8D3V3I6ueFx1MDAwM9xwXHK5PjP4Miu1evvSz3y3mdVcdTAwMGXc5flcdTAwMWRvlochq/2jk0o9d9pcdTAwMTRcdTAwMWTh0oPqofm5u7Bpd+7ioDlMb3dHu2r7p1x1MDAwYn50xPXtQoXIzvFZtrA97DVr55fBQVxca19WbtVnp7NBXHUwMDAy/0P2P1x1MDAxNGwlXHUwMDE4ucF3sVxuXHUwMDFkrJ9avslt25/NW8fcUfOmfVx1MDAxOFWO+1x1MDAwN42vjkZcdTAwMDHGklx1MDAxYoEvVjQ2YIurRI1LMVxmeDCFXHUwMDFlmfvARaJvrVx1MDAwZlx1MDAwMdPPtTNqxYrQf1x1MDAxM0T9VSCyVoGIXVnnXHUwMDE14Csk5FuWer/84oUvWlx1MDAxZqI58GFcdTAwMTHQOlvczHRcdTAwMDHENiVBx1qwqVJrKfhcdTAwMDeuuNrIhocs4FxcWvNqXHUwMDE2fXPI3viOhy+/z2ZBst+x46E2Wr7ljSjvMo3WrVxcPY3LguhcdTAwMTXNa4Nq92rvKF1wR/10nIvMNLjY5XuVr21cdTAwMTlxu7uUxI2nwMxcdTAwMDBcdTAwMTd98oJcdTAwMWZtXHUwMDAxclwiME6iZeT640zjm1/WXHUwMDA1s2NNXHUwMDEw/E4v0ylwws273trz18u6XjeSf0v0w/f6cHhcdTAwMDKku/Wgw2CqO81k+Fx1MDAxZZv3XHUwMDFk3d7tl+Xub4mKIKr+qFx1MDAxNL9cdTAwMWLWXHUwMDAwjy1qwKwyp1o6aFnVXHUwMDE0XHLFL1x1MDAxY4h90IxazVx1MDAxNms2m3Nq9PugM2iV51x1MDAxZOH/XHUwMDFh3bX/Plx1MDAxZPRcdTAwMWb7m2wvvO7NXHUwMDFmrlx1MDAwMzmrY3HAP/2f/1xcuP3/xbEy6lx1MDAxZkd7XHUwMDA1UZttq8bZ9DaKWae+d8yizPXdoWzK5kzLcKbvokF0XHUwMDE3dtOTcCeIm4Ook99rXHUwMDBla3vH10cneVx1MDAxNWa2J62dfFx1MDAxYlxcuWFNXFyy+WPNQb/fZPt3rVxm64Q76XFYTt9cdTAwMTYypXYhzs9cdTAwMGW7bVbopGXYzd9cdTAwMTYzJZHvKlx1MDAxN+V2WX1nu3d0sl9cYuOKOuz2XHUwMDE0nDNccnfUpDDIwvlcbs6vtFx1MDAwYpnqbVx1MDAxOJdm+Uy6XHUwMDFkZvC+0W2xnFx1MDAxNvlM6bZQXHUwMDBlp+VMT1x1MDAxY3ajmK6Ns3jutFou4bFZ4SSN94lcdTAwMGKZfFx1MDAxYtpcdTAwMDR9YnBMzYo76Tg8USyML0eH5erksFx1MDAwYv3opGdcdTAwMDVoX9g9vcRnQrs5PFx1MDAwM+5cdTAwMTMy+G5cdTAwMDLPn/h7ldrQXnq2/37JczL520K3XHUwMDAybVxm4XdbNTJZUTxRU+xP2M3S81a2MVx1MDAxM8LxXG60Lz0tzHxcdTAwMWLDbjSFa6bFXHUwMDEzdlx1MDAxYmaqs9evZf7aTG1cdTAwMTSWq/qwm1x1MDAxNuGMzXBOYIzi1df34P7hOIzhdzery5kqh3GK89D+XHUwMDEw56NcXFs5NoflPKdxPGHJ2DbDMG5Du6ssnEFfdlx1MDAxNC+evTCvXVx1MDAxYTN5WMZ5LZh8Z3tQP5uOQMa6YZxcdTAwMTdVUeH5jvv70d72ZTPXbtdAzsrlUNCzMu12sVxmbY7TsjpjIEtpXHT9h/5kQV7gft08zEVcdTAwMDR9isRhOcugTdj3KbRcdTAwMDV/T/I7MDdxXHUwMDFi+p6Ha/NcdTAwMTKuj1x1MDAwZrslmG9cdTAwMWPvLMwzyFU3P8b75mlu2/rwXHUwMDA07j/D81wi6HdWwzjgb4lyXGLjXHUwMDAy/YL2lEOVx7Ethyiz0t8nbNM8dFGGUd6q8Llccves0vfQVlx1MDAxONv8/Tzi5zaMvYaxXHUwMDE5w2/AW9hcdTAwMDZcdTAwMTlcdTAwMTaFOFx1MDAxYcOYSmg/tLdcIsLBZIzzUdhJw7VZVcxlp0Wa71x1MDAxMO+rXHUwMDAxV3FcdTAwMThHjzjo4Fx1MDAxY7XbXHUwMDA1xFt3v3tYXHUwMDBl4T49XHTXK1x1MDAxY1x1MDAxZpBcdTAwMTdcdNeIwixccnhRU8DtuFhGua9C3yowhlx1MDAxNV3IZWeFTFx1MDAwNfqJbc8zaNe00E2eccJcdTAwMWXkXHUwMDAxx1xi5lx1MDAwNfRAdVx1MDAxYaK8lcMx4lx1MDAxMOdcdTAwMDDaykGu8ZmquMNQPzDAJDynxElcdTAwMTYyMK7lLFxcW8H5QP3AipkqzGtcdTAwMGbkMKvhO2h3XHUwMDFi7ovPXHQnXHUwMDA1elx1MDAxZZy7g8+varinQP1cdTAwMDPt0H7e6Vx1MDAxZYCFXHUwMDFljFdb01x1MDAxOMdVkDuci8pcZu5cdTAwMDdtSENcdTAwMWJC/Ixjzovl0jhcdTAwMDR5KlBcdTAwMWZKXGZ+XHUwMDBivDeeXHUwMDAzWIBzXHUwMDEx01lcdTAwMDXHY3rWjMH4lDTJT1x1MDAxOcZcbua3XGLj4+dcdTAwMTfvnUVcXPCCl1x1MDAxOfiNbU2jXHUwMDBlQ0xNfVx1MDAxZkozmFx1MDAwYvhcdTAwMWLnvt2G50M7QtRcdTAwMWY0XHUwMDA3KIsg+5NcdTAwMDLoQ5BxXHUwMDE4gyyMOfVcdTAwMGKfiXMpUD6KmSzKz1x1MDAxNOapXHLfw+dcdTAwMTDvNVx1MDAwMT2Ax1x1MDAxOcpcdTAwMDSc5+dccvuIn2fwzDjE46JQRvmFsSmjXFzCszI96Fx1MDAwN8hrXFyCOa/g/IA8ZKH9PV08ScNcdTAwMTi3UeanOOf+OMpAXHUwMDFh2ptHXHUwMDFiXHUwMDAwv0Nccv1CWYjhfEEyMcPPvbhIsleKi7lcdGJcdTAwMTTGXHUwMDEzxlxux1WATupW8Nmgi1BOI+hcdTAwMWKLSZdkonZcdTAwMTFtXHUwMDAxYr3bQ/lBfYU6SCf6PWk7jFx1MDAxYugjkENcdTAwMWN7XHUwMDE4V3xmWvmxbms/XHUwMDE3oYDPXCKxXHUwMDA3wuOJIb5m/nx4dtn3XHUwMDE1+lx1MDAxMGOfQG5cdTAwMDTp5lx1MDAxZGxriHJcYr9hfHZQpnsgXHUwMDBiOLZeXHUwMDBmXHUwMDAxdmekXHUwMDAzUFeW6Tfq2Vx1MDAxOcpeXHUwMDAxr+lmSabQvsG1YFx1MDAwN1x1MDAxMdNZtFkwX4BRnO8uzlx1MDAwMbRcdTAwMDGxVsYxKanD+3lcdTAwMDfbcEi6hHTGpIi6XHUwMDFjn1x1MDAwYvJcdTAwMDDPXHUwMDA1XHUwMDE5TXtcZiFcdTAwMDZjkFx1MDAwN7SlMFbJ2MQ4vyD7yp+bR/2G53KQN9JRxVxmzenEz1xytiVEnTgl+Vx1MDAwMYzQ37N7bJGNnVx1MDAxNMtt/HuGMog6XHUwMDA05TbRXHUwMDBiiSyhTszC8bzwY1xmdlx09Fx1MDAwMD1zhvKKelx1MDAxNzGF81x1MDAwM3qF5i/0Mlxi11x1MDAxME5janPsx8pjXHTmXHUwMDBm8Vx1MDAwZfqYsIT9l4jZkOZcdTAwMTd1XCLaq8pcdTAwMTjay9FOg1x1MDAxZcY28IKXSV0gmcT+k0xOvOz2RPFsQtejXHUwMDFlge9BXHUwMDA3htOC15Oo/1x1MDAxOOKrQLjIYlx1MDAxYr3cn4Cc7STcoUxyNlxyxVx1MDAwNHVcdTAwMGLgXHUwMDBi8EbzcdqF+/NcImGjJFx1MDAxM/mEe+P5bdJcdTAwMDVwXVx1MDAxYnTxzOuhNuJFosxcdTAwMWXCPFx1MDAxNmakK6Y4PiHOXHUwMDAx6vou6qfevXwhX4Exh/uiXHUwMDFlzyR4LkP/SFx1MDAwZUo4XHUwMDE303s9XGbt0jQ3yK9QVuMs2SuQkzHMq1wi+Zkhxlwi1I2yUO5h2yZcdTAwMDWUOZRXsntcdTAwMTHOXHI8p0p8XHUwMDAyrlx1MDAwN9mJXHUwMDEwW5Lmu0N2VlPbwVx1MDAxNnv5IFs6XHUwMDBiyeZEY+ov3a869vNcdTAwMDF/01xc0fjEXo7CXHUwMDE5yfZcdTAwMGX+nfa22cvaXGb5ibfVJMfYNtCFIepCnFx1MDAwZj9cdTAwMDdeNyqw09SXkOZcdTAwMWH0K2E5Yl5cdTAwMTZcIuBAiOk26lx1MDAwZZbwMVx1MDAxY2vgXHUwMDFmJKuo/zXKL+pF4COIcfjcg/Og3fA85Fx1MDAxMNB25CHeXHUwMDE2ZCpov1CX0vU0lqiTSVx1MDAwNkOU9Vx1MDAxONvRQPmMUU/UgFx1MDAwYqF+XGJcdTAwMTN5XHUwMDA3zjojO6BD1N9kN/OI50kxmSPU5WGmeVx0+MW2IVx1MDAwZVx1MDAxNHxcdTAwMDf8yPO2RK8ykqFyNa7i+bM02Sevt6vAsbC/IIM0X4gxlMlqolx1MDAxM9Eu49hV2mTTSU7zaMtgjkvAe/Fa4rMxcXzqXHUwMDFiylwi8kiwQaCfwJ4nelx1MDAwNedcdTAwMTP6tEM2XHUwMDE354RcdTAwMTE+6HNix4CzXHUwMDE0XHUwMDExb1x1MDAxZJpcdTAwMDPux1x1MDAwMfFcdOfG+TbpnFxm/Z6RXHUwMDBlgflcclx1MDAxZuY3TzqlQG1cdTAwMDGdf4LYRlx1MDAxYkBypUkuaD7a0stqfoZ6JoS+e/7o9XMhXHUwMDEzKeR3RcCI5yY4nyTjgKV7XHUwMDE5R1xm+fmFsVFcdTAwMWVDeeJcdTAwMTkg51PiXHUwMDE5qOdJ34d0XHUwMDFjMDmmvlx1MDAxMnfJXCJnl8RcdTAwMTNO8HdcdTAwMWJtXHUwMDExypFAOYax5igvNFx1MDAxNihXyPVQflx1MDAwMdvFXGY9z+urXHUwMDEz4P2oXHUwMDBmOqiv7jlKpFx1MDAxMW/eNlbko01cIp3KXHUwMDAwL9zr82rs9VxcXHUwMDA0tlx1MDAxYbGQ97pcdTAwMDRtMD7H+2HQ31x1MDAxMkedhDJcXMz0wOdDftuDNlx1MDAxME9BXGaS/oNnYDuF90dQToB/QdvARqDsXHUwMDAw3nFs2u2El3v9SvowPyZZ8LibJVxcj3mumkV9XHUwMDE1J7KD4zQpklxmZmeIu1x1MDAwMs57l7hcZtoz1CWk9/y9StqfXHUwMDFiQdvpXjMvp/RcdTAwMTmxTT5bgeyuly3iW120lXnUkSj/qFx1MDAxZmKac69DXHUwMDEwT5L6PcM+4Wfy35S3h/i5Kki3k1xyr6I9l16foJ3Pe/n2sqxcbuRcdTAwMWZEXHRG/fjc22LPO1FfU1x1MDAxZlx1MDAxMj1cdTAwMGVjQLxcdTAwMTR5J3KVKFx1MDAwZVx1MDAxZm3+OLH5xHOhbzjXM+LTxFx00dZG5INcdTAwMTH39bZcdTAwMTT1KXBQ4P/IM2K01Vx1MDAxMdqgKY0pfFx1MDAwZb1v62Wwm3CbTITPUGRLd1CGkFx1MDAwYpHfQfzAy0PoeXWXbFxu6lPki6B3iEOxxFajTfNcXCw3QbnXaFx1MDAwYpDLhuXLrr8+T/4jyDL3Plx1MDAxNcpnXHTvlfhcdTAwMDVp1N1cdTAwMDJtXHTyiVx1MDAwMun+3lx1MDAxOO0jzCXzPmF7XFygmFx1MDAwMrRcdTAwMDU4VoHGsUpy5mW1MvVYXGJlwvWkx1JcdTAwMGYwSTxcdTAwMWXlkFx1MDAxMV69/SXbXHUwMDEydon3xYhcdTAwMTc4xr1ccq2MfVuyKFtgO7PYJpbodNT7yKMlyO9cZvuJz6W4XHUwMDA1nk9cXCtPdlx1MDAwMvVcdTAwMTXqd49N5F6kx6akXHUwMDFmZihroFvLpVx1MDAxOcyfKHpdOPP8KUK5j1x1MDAxM1x1MDAxYjYjX464XHUwMDA0yiTOQVx1MDAwNfkwzl3sZSjP/Pl4XHUwMDFlwzZxXHUwMDFjc89LwVx1MDAwZu3gXFyWvK9cdTAwMWT3cNzgucjHs8QvXHUwMDEz/lx1MDAxMKNcdTAwMWNcdTAwMTVRx8S9KflbcYW4J8xJnPhb7Tl/S5NvPEO5bdMzYJzaxPnLJIvC89J0opdJP1x1MDAxM4fFeFx1MDAwMTwzJn98J+1tNPKWxGf0XFyQ9CnxKO+zV7lvd8/bXHUwMDEw4u9t6f0v9CPufV/U11Vccn5ETDJcYvKFOlxmeCY8XHUwMDBiZVx1MDAxMzglxTBcYlx1MDAwNzNcdTAwMWafgPkg3VpcdTAwMTGHXHRHQzxQPGeG412SxGPie983nCX2gXl/XHUwMDE0/CnCZOKXxlx1MDAxOMcokT9D/UZuXHUwMDAw40FzgTyki/5cdTAwMTCNXHUwMDAx4ibRpehvXHUwMDEy/jjGycCP0P5cdTAwMWVV7edcdTAwMDDlXHUwMDFk51x1MDAwNmxgh3hccvRcdTAwMDX1Tol5XHUwMDFiXHUwMDE2XHTiUV2Sa5Vw+dhjlXxY5F5T8nXL0b1cdTAwMGavfFx1MDAxYmgs2L3/Tfr9fDj2+lx1MDAwMfFccnNEdjVUXHLCXHUwMDEw6Xbp51x1MDAxYf2HMJHrZpf0XHUwMDE12HHkXHUwMDFj6H/Q/OykvX4jfyd/76fMPHZpjpFTTTzvrZJcdTAwMWOiLSrMXHUwMDEyWUMs4Vx1MDAxY3s9lvhRaLt66C8xzz+Ou+RjxYhl5HVp5NMsia3FpIcwxtnx2MBcdTAwMThaoVxcuCT/33Mm9JFcdTAwMTJfXHUwMDE0Y15ZxPT980Uxc2lcdTAwMWFljN9RXFxgUsXndPMov/hcZuTEgmI1yGW8j1x1MDAwZvPWllx0XHUwMDBmY4jtwlx1MDAxOehHjKNhXFwvsbfeNyVfXHUwMDBiuFx1MDAxZGGbef2VRj07JXx1S973p7hKRDFLj8+IV4lHtCeJblHobyfxnVlcdTAwMTJ3QZ4nXHUwMDFi9FxmXHUwMDFh20koh1x1MDAwNdCtM+o3cOlcIsVB90doO3GOgVx1MDAxZk9cdTAwMTNcdTAwMWbKX4PzO1xiSYd6u1xcweehn30/jzNv45K4XHUwMDFkcrizLLWnmMQngHckscQs6lxuXHUwMDE4T+KNXHUwMDE0XHUwMDAz9X6zj+eAfN/H2NAmY1xcKvZcdTAwMWOfxVx1MDAwNfQ10N7j2HXBRqFcdTAwMWQoR7E/l9qrve0owFxc5XmRdDFipNCFv1x1MDAwMVclXHUwMDFm61x1MDAwM31cdTAwMGbtZlx1MDAxNCfA/pPuXHUwMDBlXHUwMDEzu43xXHSMnZKPijx0XHUwMDEy+lgkL2QoXHUwMDFlXHUwMDA39lx1MDAwMOY4Jp4gyTctY0ylpOlcdTAwMWGc47hEujXBfeKHo09cdTAwMTlS39E/XCIu4mNdoPt7aG842pmi51x1MDAxY8RcdTAwMTPxej+/kY+9d9Dfrvr5pXhFj3CMvqGf33Dq41x1MDAwZdW2jzshrivEtVx1MDAxMjwzilx1MDAxOVwiZ/f3j+uo25H/XHUwMDBmJuQnk44ve05NNpFi4vmEk+Sn91hcdHeSdmI/yyiPXHUwMDBmMTbu9Uney59cdTAwMWPCeFRcdTAwMTK5QsxWXHUwMDA0jMOUxoX0Xk9cdTAwMTN/20n8d4qV9EdJrCDhv5HwOszLOPniXHUwMDE0o8N4NcUxvH2LkfuiPGC+gnT1xN+TdFx1MDAxNepcYrBcdTAwMTN5TW1cdTAwMDBcXCS6n7DndVx1MDAwYt5cdTAwMTftf5ZsXHLlK8hcdTAwMWZHW1x1MDAxNU29XHUwMDBmgTyqem+nblGvYkyObEzCtYreJ9Kh98VBtnZNXHUwMDAz57pcdTAwMWIlsaN7PLWnXHUwMDBm/lx1MDAxMHEyjEGiXHUwMDBlQl+ecCWTsZ5Q3yhuje0jXHUwMDFiyii+Vya7Lb3P3otcdTAwMGJicktcXKuLtlx1MDAwN/tKcVx1MDAwNM9DcyFxJ8CB8nHZXG7aOFb0No+Rj1x1MDAwYjyy0E2j7YJ+R95cdTAwMTdcdTAwMTBcdTAwMTO0s0mct026nvRwuVwiqmjPwKbS/NB8Rlx1MDAxM7KVXHUwMDE4Rydblug4kL9cdTAwMDLFO4BcdTAwMWaD/1Eso8+Lfaky31eMXHUwMDE5ks+LWCOeTWOXXHUwMDBiSWaS2Hyc5JVcdTAwMTLcRX5cZmL0V+H3mZfbXHUwMDA2xSAp5ieQ66EuKnjOjPfhpEfK1Xs9iXLvffGdxIaVMc9QXHUwMDEyPlZfQvvByYf28XiOsYtcIvlcdTAwMTfhmO51NolcdTAwMGLki5RIJyHu6lx1MDAxNLcvUFx1MDAxZsk3vv9N2EWskO1cdTAwMTJcdTAwMWUj1538XoG1zqb9o5N9Vju/ZIdn/dta7vS2mbmeXHUwMDE05XG/tVdcdTAwMWFXz6bDmlAmkseX0VXJNnJwzlx0v66d9a/qeyXTXHUwMDE4XHUwMDA0s8bZ7uj+/Obe/mXjqjBoyP1xcaDvXHUwMDFhg4qtXHUwMDBlpndVMVx1MDAxYUd7+3c1ud+PZGHYgHs2c3lcdTAwMGLXzuridHZ/LrahLsHDOd/uXHUwMDFmntXuXHUwMDFhV6VxJLf7VdFcdTAwMWbUz1xul81cXP+u0Vx1MDAxZJarZzrGfFBDaHZ43uzXz5rXzVxm61x1MDAwMEefwPFuQ0zvoi7r5GPMYWF+I9+uXHL6o1x1MDAwNpyTXHUwMDE3tVx1MDAwMf3r5NvQr1lDjPuYU0qOXHUwMDBl4PpcdTAwMTj6cVdcdTAwMTeVcVP0e81cXDvIk/+ZbzdkrVx1MDAxZlxyaqOGjIL8VW1cdTAwMTiJfqeRq3TyOd/W2mB3XFw/m2pcdTAwMTjTpI3u70c+b/r3ueT4TWu+XGJAOqONXHLmdjOuj8bHrfFNp3X3/Kz5XHUwMDFhlfVrRN+Tc357XHUwMDAx6mfknGeFxXwzfX6Sa57kSa/Bf1x1MDAwZjnD/VuQlf7c3Fx1MDAwNvlBgUdX+/3G1XGG5GVOXHUwMDFlQKZcdTAwMWWeNy9cdTAwMGYk/yCHXHUwMDExPCdcdTAwMWFcdTAwMDS8MShcdTAwMTGO4O9cdTAwMWLAxah+pvv1QTBsdOe+z1x1MDAxNUbV80JcZm1cdTAwMThWRXCbz/VBPtW4mdtcdTAwMDXZOZ35zzo+PD++XHUwMDA0rPSjXHUwMDBlv2ueXHUwMDFm072ennt4XHUwMDA2fdzJP+Q8XHUwMDFm5fehfz5/XHUwMDBlY1x1MDAwMHaWNcFPO8lsm+fj8DRvmlx1MDAwNT1fXHUwMDE4eVx1MDAxZXg6gus12HdFulx1MDAwZvhcdTAwMDVcdTAwMWOnOFRcdTAwMDP41CHYyvvPy++TXHUwMDA1fdhuky9xkr876k4n1fPj63yuXHUwMDE05HtcdTAwMTh3XHUwMDAw+zKYwFx1MDAxY/U6h/GTvD9xt32wmfPXT+5cIlm7Omr/93+/gCEqk3OvYciftYihi0hcdGeY4SpqWKltw5hcYt9RW68zLK03UdPhq6veh6F1b/5cdTAwMTeG1sTQqHlWXHUwMDE41nKVdmPvtFs/O1x1MDAwNjtRuGucb/Mm4YPwsvQ7qjFcdTAwMTmcdps721x1MDAxMr5jdexnXHUwMDE57335YD+KMFx1MDAwZdh/1PWtMnyP/blcdTAwMDL93817WX16fTe99Hq8jq7H++/tKz9cdTAwMDZPsYKxistrOHcpRoq5tljPflx1MDAwNFwiUPNbXHUwMDE2Lpf95KxcdTAwMDXZX/t1ju+R/be/K/LfUfYxZ/BMvqtid1x1MDAwMvecNeTpbW1n7jrgW43B6c+G6N/Of19cdTAwMTXTy0iG8Ewv33WU61x1MDAwZWfVs/1R7TzvP1+Fc3ZcIlx1MDAwMJnHe1WenjuGe901z0qdXHUwMDA3mbtvXHUwMDFiyCvwOeB3+UQ+wXfOtWeFPfCxs+1Jq/PIoZLznsqtj1XMUHZDqpOgmLW3XHUwMDE15Fx1MDAwM1JcZiGTlvmHuCh9x4rgL1ONXHUwMDE45WwqSa664m1AXHUwMDA2cy0lqlx1MDAwNfLXlVx1MDAxNPgy4FP04jzFkTFcdTAwMGZHflx1MDAwMMZ9ME4483VWXHUwMDExz1NcdTAwMWVcdTAwMDBGXHUwMDBl/T+sQ/B5zCRmXHUwMDA33Fx1MDAxY33YMtZcdTAwMTCgv4j5zt1uSDnbdtvHn9FHxFqnNMVhXHUwMDBiXHUwMDE098WcmY+TXHUwMDAx59bFM7x3XHUwMDBmY1ZcdTAwMTN6bqbqc3k+X82SWFxu3LOGfcRzMUc3ppgp8nP6XHUwMDBlx4au5f5cdTAwMWVtWfe5XHUwMDFk8Fx1MDAxM9qke1x1MDAwZSXIfaxW20BlrF3Y93ypXHUwMDFluD9rQVx1MDAwZqz9XHUwMDFlyffogbe/pPLj9MCjXHUwMDFkwbqNST6HMeB0u3GOebZH+a7K01x1MDAxOej622ZcdTAwMTawk1x1MDAwYtB+ifrZqSxcclx1MDAwMtTlXHUwMDEziiuV05TbXGa9npizKemnOsaf86TGsUBcXGk7XHUwMDAzcoz5QV48Ib0ji1x1MDAxOCPoVttcdTAwMDXKW+RnhCfKQZL/P/U1XHUwMDAytVx1MDAxMORcdTAwMTZlXHUwMDExZVRcdTAwMDBnXG7DuLLqc1x1MDAxY8b7IdxcdTAwMGblPlx1MDAwZXtcdTAwMTNG8V6635LPXHUwMDE0Nz3OgFxmYv5L+OspTon1PYzyqJle298/izVcdTAwMDe8SPFijLGGKqSYzikgXHUwMDFh6+YqXHUwMDFhc8U+XHUwMDA2hrnBKn/wfTNcdTAwMTgrqcaAXHUwMDFiUaCcL15fmYa9cP6z8PHIqD13P+Fzm1grUlH3tVx1MDAwN4CzmOJcdTAwMTeVkFx1MDAxN8h3L0F/qpLiN918e64/ooi5WorblHzMvtyD63s+Jr4wXHUwMDFl2YmPf/ZhPLCGqk21MElcdTAwMWVcdTAwMDPvSXVJ/lip7edcdTAwMTT/hvGLeyzJr9N3ibzIXCLF2KP7z1x1MDAxY+Yqk/w9w3olyk0+XFybTu65XVx1MDAwN249vW8r/Odj0b2QUf/LIdZS4Niz0OvcuEg5lnR8f49SXGa/41BR3Fx1MDAwM/RlXHUwMDAxc55cdTAwMTnMa/diuFx1MDAwZeOSmE9J+t3TVGdRmcxcdTAwMWSrapCV6YufsS2ZY5DN7IMsXHUwMDE2KV9RYuXMkvb3h1x1MDAwNd+mPMlpId6HcStNKa80w8+Yw8M6yYhRzFx1MDAwZeNWcUR1XHUwMDBleKzoY9p4jFFcXKM30VRH6mtbXHUwMDE0ylx1MDAwZY4v6PpcdTAwMTnFwEBcdTAwMTaLWGfQxXhXj1NcXFx1MDAxOHNcdTAwMDeZXHUwMDFl1aGBLOpcdTAwMDLF0n181cdGa3g95t8wXHUwMDE3zMF+oeyA7PVcdTAwMDTVUFJsk+pcIjCnoCmWRXKCNYeo//twPco6xZswloPx4PvrYbyyeD3VjMJcdTAwMWPQ9T6PXHUwMDBl11NeXHLbX6U4KFx1MDAxZEti7v5YnmovQqxJyGC8sCd8bDKP99SUN8mGcE+UhYji7FTrXGJ48ddTvptTLJDkjK6/xyFdXHUwMDA3Y+Ovo1x1MDAxY087uY5ynpxyNDHarPnnZr1tT65cdTAwMGap1rZCdYsg3+25vmDcfoo1jH58MD6F92xT7LZcdTAwMTTPj1x1MDAwZuaF2lx1MDAxOLP140sxvMqU5lx1MDAwN3Slv57y3pxyeuVwmlxcn8xcdTAwMGbF61HH0vxi/lxmrp/5fD5ej/Ob9dd3SySvcP2jfJTRxlexjlx1MDAwMK7HPFxi1lx1MDAwMFcwXHUwMDA2XHUwMDE3w7lwfUkkdY2ge/z8l+fkXHUwMDEzdJO/fzaUWCtcdTAwMWVSXFxcdTAwMTXzOpjDXHUwMDA03YV1qyCzXHUwMDE0P8Q64Vx1MDAxOOP80ZRqiEi3hT7XitdjTV6Zrsfxo9opmodcdTAwMTno4fK9/sBcdTAwMWHEiNpTJM5VnZVcdTAwMDHrPpZdIX1cdTAwMDDtw9yf9HqMOExM7fP3YjhcdTAwMGWgp6ZcdTAwMTjLpZqhXHUwMDE4ceJriefb5u1XXHR1kaQ4foxtQ/lA/lfFttzX1Fx1MDAwMJ4pz4jXx0Vfc4vYnZ312JzOLSW5u+PQt+vepmUpX1pcdTAwMDK7Q7VbXHUwMDFkOEa1OFjrV5FcdTAwMGZ2heSL6org+Vx1MDAwYnZl7nNJUN1YmcZcIvbx3lx1MDAxMsqo9Prg4bmMajLjXHUwMDEyO3vup0nURzAmMclcdTAwMWWMXHUwMDFkzj2ONdbAeF5cdTAwMTcmOjetaUypLjWk/if5+GRM87xcdTAwMDR6zef+0fZTrl1Q/jAmfcVpXFwob49rKEKd1LcwX19C61x1MDAxZbCWxdsyn+dFW1ximGtjXHUwMDFkXHUwMDEwT/AmUVx1MDAxZYskz1nt7Vx1MDAwZuZzkFx1MDAxYvRiXHUwMDFmP88mXHUwMDE4pjnVVF+WwZxwXHUwMDA1n081vZhcdTAwMWIoUj1gXHUwMDA1MIH5cLrnxOc5UFx1MDAxZkWUU0NcZjzIcIZqdVRYwXHC3Fx1MDAxYspcdTAwMTaNXHUwMDEz6GzAaFxcXCJcdTAwMWSKdVxcYYbqVbBGXHUwMDFm11x1MDAxM/jPgKklc6CpNuPEP1x1MDAxM8dcdTAwMDFwO6NcXDDlpDBHgXnVtPZ1doR7lGfgNKiL8vd1a0mbXHS3KJuaYu/drEjsrJ+Hclx1MDAwNeu6poRrxE2MOVx1MDAxNfI/hM+/4TjT3PqcWDdPeZxiXHUwMDA1r2/j9ZjTwfYhJ2x7W1x1MDAwNzim67HWgNYlUM0+5juS9Swx5ewwXHUwMDE36OeVdLPPXHUwMDA34lx1MDAxOFamlPspo25GPdHGWirS6eBD3c8r2KFeYlx1MDAxM0qiiHKBeMtgbSCNh0A9UKT8TSn2c1il3Fx0XHUwMDFjQ96VjCXI3On1ev6IXGZMYO3cztwr4lx1MDAxMv6sXHUwMDA1f2TtXZHf44+8fcvlf8e4xFx1MDAwN8fkmqOG2O8/j8f54+hcdTAwMGJVRX9WXHUwMDE10z7cR5GPXHUwMDA07azKXpBHbtDZntGxnaWxMcxRY01cdTAwMDDVitJ6XHUwMDFk9Mf8+Ex8nv35d1iH+TxcdTAwMDZH8eZrjOOtKdNcdTAwMTK3XHUwMDA24q/JtD/rYVx1MDAxMeK//vav/1x1MDAwZpfGmpsifQ==<!-- payload-end -->
+  <defs>
+    <style class="style-fonts">@font-face {font-family: "Virgil";src: url("data:application/font-woff;charset=utf-8;base64,d09GMk9UVE8AAO9AAAkAAAABO1AAAO73AAMAAAAAAAAAAAAAAAAAAAAAAAAAAAAADYTJHQZgAIluATYCJAOQWAQGBY9lByBbpzpxQ1QZOitEWvl1ExHg7NqqxsS6RlCwSkciyuhqMfv//89KOsZwUAeGmJXV32EeijNbRUcYuVUTmWNvG5FWRBfkAW4YWVueXU6tq9d0pZufMcACcUzc7AmXTyBwYmw0WojBScItqLq853lRPMu/i21F/1VrveHFeyj+LdHE3AfsFiWacmNotmSIhpJesVGSFIFWJDgsMxNmRIsQQzGF4rvOX33MPtY+LeOF490dgR0G/l0zmGbP8ku9beGBOf2+EcKFm8Md59ESM5GZKYtFok/F14jmMBPlbsKEWTmjIcDMVCgM0RQv1VD4IZddn+x6g2Ff91p6BriTOHYqRgBPP/Z8O3Pn/WXBXUTBKoZoSbZg6N3qwPP/937uvc+bD5huHSziTSgio5mQNpAsr235cGq9P8/r5vc1H/KatrSSHj8fGwzDhavuia24cMyBvutkjYQtKFtwTcS1wVWcODY7KMSFOM69OS/+4fm59f7vRf5FsY0aMXLQQgsGrRwggmTYYCJVEmVBm4V5Z0ThidFYPeyrtRKEoeme3dvtgT6iOeJnlC8MsAKKT0UoFD469oV+l7DD8pn6lvkVc++0kSEfkCM0Vauqh+RnHNszHtYIqREKELpb3S0eAhMvIXmB7+tkb9/wpNO+5fOjmT/aU+6YYwu6wVlib1xrbGxcwNgduqmiNNOESimjUWmogISEAOOOe086XjvNccGlpjQnb8gjOY3Gyr1sLlmavf8vKSIJwtUoBiEBfY1jpaqrq1ET/z2/7f+/4/hmD/yU4cZxDvyseBGJ7/W9rVwMSlAkJUsk6hzqQCsqJVbd9NbifX/4r6pJ4LDfsD5vl0a3Nl1TSqk09SUxpviFT9KCpj3jFmScMz4t9f8VWXkadd4bSR35QqxNH33Ai5BewBI5hQAbQsZFe2nQZ84A787uLKHXduwYMHUawjI9wuP+7R+jZdW/WpL3hdof92mkcoac8YBwj3gJB7CB3aayqzgrsSIikYrAZYK2u3l6AJfgdm+OybOvB8+JTFAi4hU026JOz7fHCxQujUCxVVutY8Wgje+dK4CA+afpvl+9Nyecky85rLBnngvwxHEpBa9ATSI+MxnxjMcbadI6LaWIPXHlOeusTrrDBkAFCAzMc6UTOFEFKTY1Nm4GuAPasdAah4+DcVmNg/pfU5Nao+e7QykouG0KYR4ewkKQVmtP1n91ike6Kvt60/WySWeBpeOKr7QCg0hoKAwgPPOvqrl+UPI78CqVirROp/RhKm2YMy0C6CJQdAHdBNBOBOmKyGuC5AZe6X1LKQUflBN+2M7DB2VHoBs/KOcRvCZQfn6i0lsdM5Ypw5otoyCn0UlftixbMiaTk2XKy5Q1Y17G2zJOB7nKUm0/PkgM7J3K/X5azIxlS8eShkmeIYrIIuvN47j+8Xk5xmbzq/fd0AYlB/aifvZu/3or31eH2eCosZNM23gKUvMyo25K7fx8x2ZRqLM4/xxLbOST4x/7aOuym35y8olHctP4b8V/TX/YCP2p/1mult99+Gj0u488j59Q7/DTaWN4EkPx7itzRBhgghZ7XPAiQJAIcTLMtFCJKku1WqHHWlvsst9xLnKDYR4xwicQZ7tG+knSE5NnLF69LLqrR0X89vtHVudoGtiw59gDkletTr9hov04IcNsWAhCFGnUMYNrWMA6cqigBQoCbHTgQRhxDOMAjuIkzuIyzuAybuEuHmMEbxC773VEWIigqlrWqT4NbHCjmtiM5nd+y1vXlq5ob9d1c/f3eC93qA/7pk6NEihFn0Rmmnk61thin7O8wilOc4krXGeGedbYJEaSKhN6GOUQD/IKz/ACr/IW7/ERn/Il3/ITf/B1//9y0DjoHH5x+M2hIRCCxhEpTKlFmUZcYipGDGMmFmBNbIBtYYfYXewxq9h9hvn6/vr3thQeZ+KUArHScmqorznNakXbKqkpSqIM+SLlVlB9GtJ+HdUZXdZZXdGQ7uuZ3uizfnlBkASHEFk57pwrbnvKU17wunOuGjNrxbYj2+1zj/u92yM+4fO+5gu+7jt+6Od+40+uMZH/QTH0f6P/F2WjGegMdD6aieagxWg5WoU2oG0oH5WhWgfrEB2GI+UoOOqOGcc5+Rat6/9k/8+mUCCeJiIC5sZapHx9QEX2IMLTPuIbQjZoyoY9XgDCc1CSUcEfzRVFJcPJ4YfarTTXnEEp9Fll4bmCyF6huXD0c2NkyBrUclqFDS0fCcldmnBxq5ZzUdjQ0hBhra3noZkdrY2QIXdtwDXbzuJpombNK3hcpdld/aaHaGW4yOQ0Uq2KuSpqqHgkIlXMSxG5hZWvipLO5Yja+dGe2Ec0Xl7hJVeLriry+vKRHMnapHSSWh3Na/r0xosnKF8vBiOnHHm02DmrmKh7JKa/6Kx4A1EGB5L5gPZja3EC36Px8gVmpEMfpVo7eKal3dCDQk3OQWrtEfywxsP7kXKdc+xllnS10CSorh6UNHRFJNThKpI3Uj12NefH5EBdrYWSRruZkfa+i7mL+aR7b+irdu+/Svdr602Xpz3AJtUl38juYpi/pk0HYWKZtRHy//WcNGHEROmgcepGC9vOyzGRY1+qfJxX8Ka4G2gxbNKvLqrqBjSlQRMYHTrDDGsYBjAs71XrIXW0LYetKxhHqGHoNTTSyi1NsvSW9pYPZAY4gkxWtrU0z9vbRMU08fOJQxc+Syy+gtk9G54gA+xj+zrZX5Y0rjZrdBmGy68X/sBnzCF5AdMtKp4mqPbyQez0lZGifaq47Tf7SIZExoiy9kkO2JjFGs8VnQMdK9nMR0/nKEUbGADCEcjocG6DUGjz+CoAhQFwBBIDEwuFxo4bN+++CUBhAAhHIDEwsVBobBxhCwAAwIcDAomBiYVCY+OISUAQBH0SBIEgCIIgCIKgcvQdCMIRSAy0MCC+M6Y5BcVI/gkYkMn8sRZzoj6jjymGesj9+I2a22/ocz8NNPA2C+fgZtOvbe7ZbLKKuW1NchzK6mJ1Pf/1IF9PGNzuWk+fWr5AJLsGbXx6WqXtz7Sw5sK/2TRigdQEnKWCSwHOJDBxwFWcy/MuPpBExwGTydS++B38ygHYhoswSGJKao0cwRU+cxa87AMKDql645JDKYO+5m4QVzcJ3y7stzuYTaZTHAbNHXHpPfKmuHugSHKiUk/ZPC/TXrC0xqt/dsGQ57sgXd3hs/6nDbLRY/DknG/yxVziZVz+ldwy0Iy6cNfv9o1UVPeO7SRI/Eej3M5tWU/0ydP7mv8W+vb7QPcr3ytNdXF9bro22Y7bj7Zf+/5e7C/73n67/xrB1Iy9URj6uDPOjzvj1fgeZsnDRCrKMR3LsR2VaAcbarhhDXcEIhLDcSROx6U4E5fjZgzHoxiJt3PJ9GZwpV151l4c+73B+fGXExniT6JM1AELXkAM6XgMP5YTZEIWvN+8x96yP86/HmkfeR30BDeCq6FruBPGwn1qRw26oBG6Ql8N9qqpBupSDaqaqtbOeqAPtE9H9a6ua4yag2bZtBiT0RqTSZtKYzeKbdmu2Fors26rtyFbtJX2mzudd3CO+7zBVdzBKraziKWsZzf7OcUPuIzfccG8beSYgWdMypiWsTBjeUZ2xraMHRl1GW0ZwgxVhjlDyrAzchn1jJlUWRX48WpiZWxuhR6qmw57kBDolGzsgvY89rhb7XvJzwQfY4+20SX4OtWreKpuSFaXlECpiOVamcv4JA4/x8nKhM2qKCxtMjn4oyulp5+2+DzPxYtYzPSoPf9Yvlvd4vcuYU3142xsRkmAfbwfK6ODt6039/4JpW8VEqlHIZIunBL+6JmzfHyE3o3mF33fTPtyd+kt8NrwT5yY3tXcECqX0RZRjsN416y3bBO8IjDJcPLMjeX3UFc4USotsEQLOQvWwDz+tuofrKKIxg39EBCg4K6oeW4pSCLqm7ih+kAy7/Fydux5Ldh5nZZU05IuqzLvripqXcA6pZ2RPKH/d7Vhy+50yl+yFh/UIyLAjn8fv/fx2Z7SNsWc2qzj/U7z+cFG30qoPh7Z5qC3Ze5YhCSBZYH04b4xhJmKKLbQSuzNojJnYgVKYcrTV4jLFCCbX7QrsD8wOFpEHcVC6m7/T4/rDbOCMYvv9JxgP8P+5bnnhxblt29k79MERhrZfpNruPWEn9zyaWm9D6Yhlysalgwi4BGLoGwXLltLytTuk/Fts6n1vh2+DbWgbnrIDLRawWQ8nikM/EuPyg9/viTjuTpg3B1Y+hDUoC9ieivGQlh0cicgzznLfcQVZ3dVKCuRSmjBAmXfyhNu9pTGGImlCL53o0K42CnEDXXqbCl182f/Bf89gv5vwu2e7vJ4iWYg3CGwkKTThtD0GoseIwAWO58TjMhWCDTwf4n/MWnupK2x/YCzIig48kILRHftWSKYgi+uRo3xYmrCurpHP+wg/v01/53uutoVJiUQVDulJgTOfnkrR0ZI1k1tENAMdR8iv1SLeO3Yf8I/i8/b9WdwvtwVMZlpeDIIzYdmpyAtzZMJSHtCcxcsWTFrteeNzqfiMmfScU8kIho1b78owsx+mq4uQutyR6w+9Yo3PmDBKfNIugWybM4TIVcd0CWURQ0Sc9kHMwiRyovyick6zb2ikU77TH+AKiu2Gf+Ahqq76ShpCk2KlUBjcPCK11f9dj+F7vSs8H0W2JSabHDxn24YNFev43yHqeq6XfE4R3rTOnZgFh8dEP9Q12qAHDk022XQ1pUSyjS/MSNipVuDYUYp0cM2GyEIDULG3HlLVE2Auyq87HOQvZquGjVgYq9KECHaIH0yk/2vr37SWfBV8B39wF8uFIxNfTsoDBvADTTNVVQ7OCrfY6L0G9yaU8aGZUKY7KcewrBtVffi6ub8GXxbdpI97b8hBoFQUgYJ00i0awM2XFgyVBGcFpXLAuR+2yS9JkI/gib26ZWf37eeNzxCOI7hrUwsKtpDVjRC3jQBB+N9CokJWXc0xw4tO43puOVMxB3S5XQnpNSwKH7otNIEjQiM4uWWjq3nF5hOi5K7xSdq3G9gYjUCzpPda9tRcOW32Y1gO7B4VKSrcYl2suSDeHI+STDgD5mdKorFl+SBLm5wuaWCyjmlZRMIsqBi5kErzkGOJ4nBBsasiHSBSPGEh2GWK1XRkbr0idAO/blDD3UvNXmqJJmxpciGbqkJFkRNIUlDf+tr0yuVBmbNePeTRpvLyLH+s3osJPvlgTLqh3bYTHbiV3M6AGRNwjDRIuSterpZLzTWgcuy62rHrJUFzGaxIq+ArjzfVthhOorC0AiCppSU1uIeWScjvuX2saqaGLe8Fh3SttzX2jZ4L/t29aumKWwl4SBuLsVe6wvvnzl7f2Fj60x2nQvYoDXgEEtrWEGMMhekBIg0R6qwt5tu7aJsxFY80wzcmiOQL9SbhS37pegG7yUM0NERxJnuG9BGqdPXDMtrch5+Nbp6qOhNVG7d8BXcqZcV5coyFjc48CSzVlnjgNh2I9tCF1i0cmNaz0tWcdOWmnZQokq6pKW7cjrIj6FvBr7l+gH1AYTeF4etWFaoxef12lP4cFlvw7p8amqeUgDZqPYsC1MlUuNK8Mrdazc29gBZsdmRjPBrIuC6r/YdOIIzHVFYFJYrS6tbwdJCTvZNziE5kR7IqdUadOyGS3ESUHqK7/9NM3cbbyjUVkSsAOtQcaUIuezfbaVYT2V/XL5KOV9TQ9fG3WezS8MLr2cJBkVOfn9tH754Wao4QR+eb7wYvd2+107VAeA12lEZIBOssvLIFFCpkDpjRTY7Ovv0+7XIpQne3FTbfpFkF4sx2A8e2b/y6YM3OW4SCexYtGl0iDncNe3uxpa942A1SXQP5Cf61mjfYINvow1RZVm/4BbL9Xyj+fTag1N1gDdXtRHSP7w5j1qrmZ5xB3ApbsCAIKQ4zRDLkDfbE3FVSPJxnsxGk+P9wytWacTijZsSdBKq2ytb/prJ+O2mCchsWw3g0mDn9m7b4DN2d5seOaA066UNdPbUzuH6nQfXAunVgqo2ekuBJiumUfT9cxcjX6hdfdEzvjRfml7aBmEgqFVDoUAjb8kGGy6WB4uKKOG8vup5eFWweTsT9ItV3gQCp1IF8dX6Ok5ox9gPGraY2+n1iq7ZkiVZ5Dm9YDs7FyRqz+xpVVUolMUgZ/h2DpOmplbsrFN3TFtxNEArmqxBPWcSCxlJGisugPhwyHi/GDsfHF06QQKjxAP8pKgompEleE9YZHz32WddH0hyGDqskcSu9dgEuaqpMCjrBRHiIZeQsMiKnimZr0syQ+0SvxE9AFhxhQTs/AE/sanpzViT/b1wMD7ZvX1rBxCO8WcNLUCqHPuaarv1pOIBIHGalH2hk4EPA4jG3RO5MbMxXOhX7kx99f2ds1Vs7czum7f7DmvB5YZGY71ArWtIxnOaBSRdxAprUkE9EkEqH4Y6kuSWwazEblObCGPKRPDEqNqV1ZqTdw0xlgornRgwgOezRgQpEMGwA4+rQo3NbYvbG1gBuLaPrA9GzVMv9HbRsnav4EhDT3mZOlKNK+/e+Fx1s1pz/M9+UXf4Ja1DUcdd6aYJ8L++VzqQssWypCkghOsGqraGxEuQ2mgxXrGzpnFHzPRhhCT4J3DIYv5KjPnM8J3hYgyJRUFRERCiihSmv6uN1bjpzcsbV/NL2xfqs00vXq6mMiCiD4gbnSqNoxUtBqPV1/g+LIxqtIXWiofbm1thsPl6Tpp+Np3aKwM27ZYdKGpYoyiRVXwlWj4WDsx7Sn4iIWHC0NlwyGTXXr6wn4uzjyhq6JJ29+I1ABL4ss3q49ZkuZsSPlHwQmoZbRecMh/egNGDZJQi3KCtimV30adH2/PUB1KNGxptAPUUU7ajIqzWOquk8wrlY3tfbHumeo8VEOyryY9PbkV+J1BKHY2KWtbXAMeel6CQTZtybf3V627dbiPd71q46Ddo1HO0RRCRHyo+zBQ6YTv23devSKVABnQx4MJ/5Tlb/kCNO2giJf1rDycrANLWTQHC9x/Z272Dh6XbUfmlokgarA96u5NbV5DMzZEIEqnHX51L1IoVK7ndbzlCfP0n1UX1AtgGWfbL81d6m/JpVqBUQQS48gdViQ3PSvZD+VA4KO8s3VKOzdv7/ejA1bbLR/zvRoPib+DjXfcMJQd2I+MnyDoe/DePZDoN1QCCWscaqmlTQKd1AtMAB7bbbXfVsTEmNmOQ5EIvYqiRay296XeXArEJZJYnNeiPqoaL4seQk549GuJ/GTLKLduXFx+/SCHfYgMfIXRFrLHzo25iixS8ZaBbAuc7Cett9j01p1gzBodStOCUNZCCwIubdyN/utMxWO14HRr2m54XGI7nOpR6FsVAzvk0gLiVrFY4QZKKQSnXCC1RAq4xJbwHvP8Nyy0kkV7GC9pOVkK5M6vCwqa0z74TqahlwTSNmZKWbEHNZ6K6hPrG5FaXGRswXApnlnYWSWn6diVOZ79nOvEtn+Ox0RQ6xrJqA1cxLbjQJHiEZXWqYnb54dX2zEoxAQcYyxtX5JSdZTobF3KdImDFfgmUvYKII2bqGld+gzJ1Sapw1KJKJmbE8qJDxZTF08osFb/EMhMWs+mPDlXMCwmssLjEqUIZM9Ut8a2YS5QME1arzFoJ5lck07VmWSrXpid4zLMi0ww0pN7udPnlN1/hvUYAl62L039i1+t4moKRhtpjPKdhhJMXOPL0MpLpz0T2r4vrH581ODlaJd/z5uxALVOmys4gc4g4tnkm0yt9Yk0AMSu0KvP62glaZpuc/2JzG9suZErr5XUgDRhB1PifHrq0pvMFWDgK+c4wj14B5Om3O0g/F3lco3RR/aQgWEeRUE/slB77cjCLjTzqvCmGSrPM1EwiJDTNyALmpLmIgGrQ2pXdTLbk7vLBQQvjmUcktrqu72KCXYVU0+t1lYKg/gArCHwpVrmaQL0yckjHi1APcQhyykKTXX9tS/qqYwCZr16RoNHrtq9ceWLl/S0rn7jmlkW/waImOdjpXOn4bKbQpUscuG9fGb+xzmZMxYR6klAHLRZ/qJA2mjDlf+3hX0OMsUSsPQVhOPHsYmjyqGpQD4YJCCSMPCQv2q5IGDmI31OLvrQ01dvWVIanBA+Njw15M/XUSGnW/6I+tzKLo9Fj1+xXGPPUprENKxNidYwuiSiZbFutTvZlMVs5l9sqMQaR8LGJZeJUV3OWPWBkUfftVXC87aB2G39YDFYflLVYi5pIQDDNFBxKBlE1ZOZrWzjmgpJnu0o0AaR6neXUqQkJ19loSiYKkfHMwYnKfhMEUXOx02VkOGu+xrm6x6OvNc+9DajfWqqbU5OzpSUNwPN1zKNjWoHzF6kuw+EcRTkak/k0VudILpcSJXaPdFg+zHgJuWznOoTERhyYB5y6SCPWjrpkd39NaLQajfWd/uHWHoASlSRGba2322QquVondGQV20ZoNwLfO7l751szicl4a26KyEdv7bSPATtgJwUb6GRJtSGKRl4JhcO8qCVFZmPBKUkck2FO76rN17PktdM99RuLxKbn5gs3J3FHSuk4aqAk1ZACcNFGkJFaYxvBhvVyQ90LPqguF7fHJZ1+zh76WuBJPmLUuJoaNjBbPhdW4Abx+f51GmgAZIOYVBBv8i7WgQIt4w0bU4yN8UMzmMxcimVAllVR70rk+mJb1x1wRcsWr6SuCegtXmcFbZXI4pazvJwVljqqZGiqagmkGOQkoc5QGbD5S1rE/m9oYZeVhKXYlyqQFwoul/d5Nrp6SiKVmlThv1KiIog52ffqXvnT3xxQlwGT9OGGu9bWtn0+Dyqyyk9G51mb7sw/akWV73//dJNdcvmSQDNd/m6qUZ9XHRhWK0kRVetydUlKiYgFYr/8kEnFR2xXNiI/QK9CACmZ/+YXnf3LiOjMsS8ZnEgG63G1TZsNvzeGc4oeqmGeBLxogCYm2XWeAfNvJLvNO5S/onTtM7bnt9NTY6Rds26C4bbw/urcKix4S9t5hWLznuKpgW+FhAY3TMCEqVDWsJqeaX7XIyBw19HqWn68/u5qx/PVytZMTO8CGZaKfXMnuNX8WinQ8dW260lAKBdV2DWmsePLDauxHGxbE4d0lFBYwuzTG/gjJBPBQ0io/Z12b2eodtoTARgDpdIxSo5+/4l7YUDGSCgX6ha4JVZg4upSBZBjXQOimGEU1DcuUqbPWXsd/MczAA48M4B+0gpp9TEqiOV2NFhVIct11HPA3pfGoCQu+SIU8A0mREVOuSKXZNJys9d6O5kBWbq07svP1xb5aq4qn/nEGlSDh+O2g28bS6CG2abuNYKw7PjKDbQPhnlDt3AYZMLk87dDwAMyto8/2B+x8bvNlNB3R4DT6MZHUtVtlAr3xh0mpQ7aKnJAJSshCpAgdz2uiiAG/rD99o/XUODaTWr5BKoOdiMZ1Y0vug2o1ShyFVF2MZQNMMf84E66z0huVdwVpZcJeHZLG3DV0RwtJ1H6bzdWnZ87BkUEktYTxVcdByuZp1u352nwaA64cpHGX1aA2Pm3jjxjy9gGCbqilSAW9cM8wslgTjApO7u5Dfenl6eYOWrGoMI2wYTCoLyj7iub/VcZdDk6C4sywsci7sbhk8hs18B+32UvzeL7EfPPThkDuoYxqaeNzWhT9pdGnXHObIsHEEhWEMWpZYT7RoYhiGVN4sKs3B466Q88G8K/PDkP9IkN7Iz1rzCAmf77F10WCEy+W1mHfweg8htltqr2EqKSSNuco1kxc6ksA19TpZGFKQrTCvpJwff+YqgZbvttM8tTT5c0rLFVibKgWXl9dQLDI5NSoWLG85xuYziabFhAzljEhIlcrewjQnPG2JIPdCPjGA09JQRnNgLtVExzqGGWC3q32rimghfAFmMmuxwCFtd6EhrP7n49Pikn+aZp86ouacvA1mn3IePGfB5gDn3vkOwjCdNwINloGRy2xsRY2mQHAoyRCV2DVxhW5eUmnJwyej6yx6xUC4AFeVUyJfzK1gSvclTCoA8QxHkuhm18w3WELQ26hn0kcLfuCMexDQkAqbLKQ0aa4sHhljGG4RerELEjFJ+H9wGSr0eBevkxnn9Yj+AAEBlFqaAH6TGe5BUJUrcxwkWEAT4uJRw6HLZjXYjFmShkWEliKEhru1wMFQCNOrbRFVcPSBt1Aqe/GuP0BfzzGz9cW3I+s3JH6d7zPNHtRqA9bJS4IkTpohqK7cI6qzTpkji3uiYyGhZTZXFVE3ukSre9cPlO7S0ip6Bh7JQaNYUOwXblfCEELP1CJYAPUlOVjV22Q3ttPSpzFb4McMBEtXLzVyjNsgKRczcssaTDEjBDutnTgaqiTweDrT8SZi+58DlOCJA4XNTg6pG3U/rroamj7WTT52noPBolRUWR0KhujBe20ZBi/F4jVCOhWJwwKeXeqiF7lu/lHJE1eS3Fgno3UW1k+1QXR85btD3d3fid4lJjHUo3/rYpFQj5gWawRvTge6osbDe2V7rAwld3NSiXRX4eSTWdOV7Ob2nz9QKO9coZJknLzPQ6e/Jt+VZ4Mt1paA0aQ+thM1FdlCP1gXeqa7C620j7KLPb3JG2iqcmK8GUhSfWUbuXEtFXMZXtSe1Z4xlrg/nFGcjYOAWV63RehdtXnTvwHDIGuUElACLra3wCP9kk8z6Kp+485PnsZb+/93UWFVKh32aqSlfTEFNvkIBF4hRgVPUdi4tcKSxQDROKmCafwvL+3tp9tB7gt9AuTstW7Sf33LtyyzO4hcy2GMQ4HlBH3PWx/GOYBBg6pAoCzzBh+wGv0xsrLcud0OmyRYgILA719aT4ChbQnzhreVORUK1hc2QgKVp5pL8dMgHUrY2l5sZyFTOYl0Ie3AKZEO/arV6ApISCJVZEp2ShrijMQSgQTlGz9Ugrm2pkBKqe0ibpmTOQh/rAHv43T2BXA3BtpQT20woXrkiKQLjapGZ7h4vfq1XxZVLDHWtO2+bnFdWc4i8PrmBwRK1beJqSkhdouYDTZVGSrLkdCcwjdqTN9Ne9LNbR39Pzd4rTalZ93HbVhLdXXCCRZVqCgaAr8Gj87tPL7j3n7G9njhWADt4REmjnqRoioDdkDTLdubxDL66vjczXBWQu5CDUuenOC8ThncfkIbtmnAze4Cknur452dvk7onBc28W1MBtfGGvALu64uQCktJsnRNQHztGC4oC8VS1egptGIEFYKWtUI0AhPxo1jBcxcFaEp+t5ZUtEbD9N1IWtncO9q4hTrnohxYZcT1vNB3L5gxTN9tEM7meAeUFsOfSEBcB1tYFzCW0oOLCSvJiuKrd7NS6xIm6O/wtfvYGmRkRmJ6hTbcPrV96dZKYc0uxRmqTod/YN1QnUYBQWZV30MiB71ndge0w0Xx02zV7k1tlVu8PnhVE2BQEaXppK1/ZeMwaq2H9yW2jO5kVAjeIOQT+/dMN+LKlBy5ITd6ND6GVkyUH1cn9l0p1t/C0VvcJqUhZXU5qo/0JIKKDVEucSEAUUmwEouWEXvoJNWkLHblbNbhmvkXKnKyVmaxl+irxlHkwL/5Ra5I9SgxJVTBQwMcrFwu1tfhmdkFyAQSgwNckiY0Rl64mycf2XBdaxDnwBMstw5oUfzL21uQzxDz3RzFe8C1Mzaaqzi4Zh7UjbSzv1cbSQZQhONLcDC/ev/rS5iHAw5nPly+VltPTfd2eU7+qmzN5wlkJo6boBQ0yCh8oXmKKtEACgJtluJp6ALTs2NRoia7QexrLVMRfjfgkEFUqJmHYye/+FBiF7+HvZiIxE+IYVmdEJUI2HdQDDFyz1g8Z3yjfb5NpU4wr89e8J0aYqZCzVD1CY204dedr+ZHwA3nr3NjNrgs3e42TyL+kKQnl7yaf1wD+jxs3TCvVV1rHrbdjPpCNr9wSoULmayuo1SpVxEr1WkYulKtpEAt0bw7Hu4mSZkGtVhIqiLGUikkCcBAAcijrypeONwGX9CUfWlmqmUhN1zXFvviwT8YbCvtLxD3UHczdsNP5nHTQVGI/JR2+t0U7JK0P5LTmTAONui5V9bSYqPqsW6fzUlGcxfUq4IQyFqaxDSNnZi9TJQNrFMQgLI3JJoR78LIpAFfQe8H8NgFSaHZPhjiWRkW09lBpfpXIt4Gx/BH8ouFFgpmqEdCqrzRly+h5gK5+fVQAX6JqVtWopemdzmFeg0jjeBvZice2UQGpMHlDy2mBM91p0soCroBx1/GyD4tOEsKoFHT7ndb0n3iHBclEgKorBFnGKUFWMEzGd9xpIFOV4sTu+q6vH108hVZa1xwrwxOfZBVqPOVBm28UF7/OGhEQq7OKAZhmjNNcE+hyQTGEZTdRdZT1hul0ZzWEX3bNlsk7GdfaTeiWevtnKtqfMOVk1tegShNkeVSCRADUxkJMZlILhLjULCWm7Xl5ycQdqVJylBWKGpQRQvWGHBQH0bA2BLh3lzx1iAGLGksqHCV0bDyP0tzXVOUs3izGtqJIkq1NU70al0hAq+uiATV/cRFplJfYqQkspiM7UPViNi3jWxLH3z/JBY9ZuzfnIJFlu4uzTHYuY9ulEtHp5wS9QlvNZykyhU3FUrzVSjCNuRKm4rDMre2zU93UGNwL6RmwiyHvdrRl+bFONeLAdUsNvRUnTtXp/6mdEZrhQk8ypNZtbJYfS+mJ7TmOLQTYE43poPYIKwi//Qino7vU69FW3xQKX6mieISp2kuwQ8hwKOuRoRcfYcbSFzpdnVdPiNe4JHOgdMFTsco7JUmeJr9GX4pwBzsT+VMH3cF7JZoApHN8GUTX8mlDdsXuUj/tTm9ctLy9XEoYrUnanfZ1OvSVh2GrhngG7h2b22A8MMjgOB7bvhyRiFOuALGSfH9Fd1+DySdEwIph4gg9j4yBh/gIzpdNp8S/QXy07fKAqQpu/dOuGm1hZdocSc5cThCbiapoAv6jjzFDot/8ocOukugMCyVJPDrJtAopaTE4eaC+igv68rTrlyDpI/UFnyK0oBbUpttnn9b/mMxvM5kUNSWAmYENQVUB0A5kArSLFgF+v1Iq0AuUARuBOiAbdB1YAxQDfUAnsBrYACwGHQCzgAqgA2gE5gHdwCpgAFgIbAU2BWwHtgDbgG+CHWCQ2XlgP7PnwEpwABxiDgYcZv4D1oOl4ARzNHASdDHtwHnmjOAiOAcuME3AJXCNuRy4FX49sA4YAsPMbcFd5g6gB7SCR8z9wGPQr/0E6Mbv1Ay6+wnqFd4CevABGsLbQG+/gCPm7wEd/gCngH71h9OAp0D/3n8oAqoVXhJQDlSZXAJUgnerTQdqAF+ABMxVeBZQCBSAOcw7wFv35gfkBN4ErADfPLAWfOcbRAcgUAhoMFjobQdeXB7mKJfzlL+39BHAl+uXXvl/so5N/2RJKH9Sj7U5/fmhxseQzubqP3GyV3+yNnYcHb818XdREE6URRU0WPiFd/AeFsudUi8d0iU9clrOeDmvwh/o5/j3I+uDlACCuSAn/MtJnGbQK5KQllx0mWyGALVe/0NHdV5P6S3mr2ab+WTKzRv7k31i7dbLI3zgMT0qi2XGJmM/4qcTH02OJJk8mxxv7pOxZi5nVO+uXE++5Fv+Yx5b48U9xfcOczlXcPvO4MKlT5b+tQ+tuuv31P/sfKK5o+ltzbT/2rZ2/tWxdnO9W72S/o/9N5O/Tm6fLE0+TSV+8sNbXT16oe9i+pq/1lSu2V0rvLzm8quXT1xJy36Q8+DUZC7kKtf+3wTt3+9u8Jn+3Y2/nf3vQ3mz6dxffR1zIOSnYSML3sXCxcriT27//tLS8v/Ie5LPW21f/bWCduFHC+8WLhedXv89qlOx70Z3YzzaWNKxZPPmNyX/714rdS/tVPpqx8mMNptWbsr+FKedkpVby/m5k3l2ZbvKPpXh+ZdVn6iaVRAKSSFYeJ1wi/OFmlY1FyqFlX+te6L6/1M718+snaSNq7fqUuOPmz7YdKn1VvOXrFNtmL0QE7C72H5sPKdJ6yLiibarbQvtR9v7tP9DZkmW9Mkf8ydSN6ljtID+GS7VVeYxeC15vXhDuC2O5Eyuw33H/wX/C4KHBFHwBYfwSsgV6/t90ZD8jPxnknsURvk36eelRWpDlbVPyWq0P5V/Ux7X/2ZRT0WvsW7cNd5R/F8JytnK5UqbmZhr1suWaF232tahdU9VUq2orhW9J//ZTd2+2cZKRJ1qsiurIt89p76Ke843onpSvvxW/hFv4V/zNaJGxERCpIkMkSV5sn04J5nLOXN/cN58M77FhFwvs/VRpThMfU28hHnkBZWKr54RT6h3tX8vLZNeN/8snzE+biwZP2h+2XzTes76Bf1LesLJGDONa+af3H+2Br2u98D+tX8nmA+3w990RuJ/m5qXWpDKia/Hf5w+mv6lx8n9X1ea6unfujvZd2XLLaXdbnfb/fawPW5POjc6XEfoSJ2d7i91Z3vfVXq6PFeBDctGh6O36k+vbU6+0Jzf3LP+S+uP1rsba6eg81dTxVsT7i+5X7j/5+nxaDxaD7WzsPslb937ZW/K96Ozl2aUfmHgSOB/ULBUH7pywo/8Yu2X80+iumggmr9Tv2uIfyauENNH7xEqkRJbxJ+RWEG+YFCwST5PJol/UVgvfEg8SFSTv02+k/rctavUakpIM9fv03/Oo6irWTH3H4s+5HZz+7n7+W/dXimyd36VXOX5yn+8/302NfeT6t99+Hn+9/N7Cx97Ip8WycyaeM32n5fm6OW6L8pJ77/t1m/ojXI4q7U/EMXqXibzWQOct33KO7p78qQWcK2sTGv+kkDXjNWp2M49I1Q6L/q2WHP2BWDFnVwzBqFVqTVW48phjWgW1QgAq2uyBhveX4cDCDiwzY8u4tMErObflbyTvAPyR09/8Vrtj228o58s7AB/nZZNdnyWpFfGOpHuAfL1l505dxgxrAWyDzLMOTeGYxpvdRXF6aVDVqrJGoBWyAWyvl7CNcAdbjReNhsNNjaI79ewimqdXvT1XIQQYG6A9LGwTo9MAmeLkxvgZkmGleW0z8L4QB4biCACM6Q6Nwwi7OqW2+6F7+lOABJYISyTmeKVOsaMDKH829PqIqiLLw7X2FLIcZsqmBjpU8aYsnaVU9rmU2b++BFIPTHEGGm6HegMNZ4tcybgY4uhCgmKaDXkzOC76dpWsK5sS4DmV3nIm/OcndbuBmHXfJJvsTD+sdRuKFZ2T222Pgk0olNlHwdc6GaACrecfCB0VwvmHD5TsaSkXlNAr3mngRIfgBxbDY9VVFEFpwHK7VYqVwELH0G33Wss5cPV1bCslXILKfg2kHP+5RrUnzUSh50HK+9mhw+RztN6hTnR/xx32e/84W71GRAWuNBih/zhvlsGCENv0CWHUFbKHqtMJRP0DHYmvU23MNgfPIPzSIB66UhwB4TY6wYiwMKof9r1UcqjlqO+UvNJebyXL9okq0QcOxkmOrHV0NzS7zgb3ckuv976+mx7Y3LTnPnCfrNBJCWLbgHtXWurUmpJdvGoMwoqk+sm+BEgOUqR8UW62ZzHXHreFSGOx14FDUX7mkCJV7Nn0dVPNN/mu3d7xD7XEzdse8+Wzfjc37VU5IZ4LMe7kiuCMRhfJ17Q5pJA4mriTy9/nV5OQLhf20HsYMeyAzf19y6ZmcJig9+S6m8UNlRAndgQN+DZ05p5gshG6UbPSKFmKoKGvl2rA/fIHzQtcaKNkkSgCpWwBEaRe4I9m0dz/naSkFW/pwPUTGHwvETmjRclZYYI5U3VYsUcT8Q9XNxziuUgIGikhWj8/AIafZRmBY0jM7GUnbmFLFBkP5r6QLWpAdb272zUNGoBTDNqR3eN4RaowxPBagWjUW1Rcch/v7zyUuNtMhs23/gIkMQfsdI4V+a80am/guRmhiA/+R1MghTO3rpSA4EMWng7xLo+Y0MGC68IMN/7WpLVtlIHgT7t98OjKDb2GhTI4MyGe0s91U8bi+EWAX2ShzuIgKc4roCd7Mz33B7K+3X3PWnvXZu1EDjwb7N8QIvLJtjNUItzFCpqGs5IBcCC9itFn9xmXf4/dIhriZBnqyUZ1pFzGkHh1yudZljbjoBWtUMkXOaEX7xdbErxhW9KFBMPjPEyJ7HziGbku9OpneY97bc2JDJDIapthguGa/1MpaP+4q+szFdH5Op3URYsmnPCFAns1NnkU3GkZ09orWn62jd3Lu72nlLxexunYJG1Ya8AuDOBmsAZlKb4/XkH5Xpla0DjDlGIHJYzgkgUrKTZ74x0Kd61xe7T0lZrdvkrD3U59jYXwxBxrFCQIKJg9OMIyYq8+ilkjKGQk6lgVrxzpGDX1Sha1RJdSeo6jiKtrTbBO9oz/FZp3VAju6YpQBpSqYoSuhJgX+8vamqDCxuq3Aa8TChmHDlW/Youh4ZKXDf1lZhMVid1UuHblWYO0EHxUEIfIzZGHMoGdK9ay//aOOlXV4sikKS6wvapZIvQAU9hCQ5I5NyQkSWnpIo0tlaMxK5ZFVdtk3bYIoC4fJFzmvdNv9gpmmwt+dG/EdyAIpAFWqNSks3wOXndgtrphouiZyv3FAuQx31ihYZwBAvZMDSRVFm17TQTH/P/WHSwKtenDHx1uxjtpw6rVmEZ6ZUpPz9TRfahB/1nKNgXb+5ijOxxmdQGTwFtqiLtw7QoiRoC9fzx5xkXvEwt3EY6bKk0J20cyD6NVWjQlzEbBqtIfp3gmBgtwwvvaHv2qzDjxPTH3ITZWDUBpKukCof8jlRCyaAuyiJx+Lys5+vxdq0EXOSEWfW68pSK9UefUzldBRweqbbr8wMxwoBsnE733ZEKZkBOWKuktOnFjh+pUS1Y9g2jotCE08QyTwDdhrM21PkrQwq6GzGrk5RQkMRXUxGAwkogvxpfw86oxs00akFFXmWXXMUfqHhMRO15Rr/TPzXHsDfA6bN+XMFHmvXa683j6P1xLxiLyb4os9qZ01fSVCpjTriaUQj1chJ8+gmzMxT8Dake7+S+C9EbQjILkBE/bDlakqLfbu2v7gABfwBPTy2Zaf83aFabWmtZmf4ddn6M79SPrpbdU1GqSYnovxh+/gRbAib0/300uO+LdzdhW6vvXEZWi6qiGYRRVhoB94lK9b90rkT99iZQHjZ2K3PW86SXaE7bG8cuMMdG+gAu7135ygfo+hZxZDprXeEzeeufat9iVH+48h2ZNdkXj9K5Ao/W7n+jnXz9f7CmxDivEBeENMmyWUkXMBvNOJILtTShNjKyTlsKARilp8Z7FwgJBwesZEEOMYW6TRjUoYW8KWFWoGs4YanKfPYmWrdl9UkKB5TYXunDiVO+ZSKIKaoMMbvKo6bxjAuoI37cXIKhmt5P6Q9qMWL6iyOoAawnxEN6nV06fP8mQKfuCwOYKGCSopywHvvJcBJSb+OxRA3427Z/+Lzp2kXNNRO7thsKgX707IBog2dnyO6M/8PfLged30mDZafp5iYwA1eHTejpTeIraIVX87JfEWS3DYKgSm5K3d2OomhGDMgL9mGtQazxO+u810A4e1eqzq9+qe4OXz8QevXVkSPmcoXE62UxX90GFjFqfrg0li9ve2NoZ2XBQn58TAj1+BARufLyUqCKgEBIBLFTjx17Sm+a+CP8wcC1mnI6IaaVWHd9cHwsvk7PPx+qHeZ3Xtrczo+pQLABWjPv2OK3TVk5kaP/sX576na9XV0v1SOVU6vWqmDskY6cGpmhU4fmAXQKihyg1qms+B4ChJwrDZrLX/M1maLaLYacT+p7w8rveoc1rzNPOYmHpdMLRbIqMxogW16Ka7B+5/71L6L92VKnqDGlPi/jwHUvh3NaW7PN/APqrOrYEmAZcGj5ch5qgD6eiyTW/fHLiiY1JQ2DibypqaxqOqnD0FOloD8BDbXjjFhJ7lGNgtTgYYyoyuqaEb/ypl5pUpLECwWPdLPrBM+p7Fwq8FMvfcG3spNUq5IC2B7egfTBC0kTdnX3hxcQaSzbjjsXf/+Gloz27t4e7eoxF67aDBFqyvKVKxN9bdUtK99p8tUR1xIey7oAoEJH15ne3/y4BvnZoTNW6finnjU7vVvRo0zoVv9ucpd8dSAK3pr03AdPdt1KK6X/RMa1PVu2sE5TfNPo+68rGiAr/sCE/7LYQby4OOHH0AVfjzOwLg8YaVxtzPlyLGBaEEoTTPe5tA7r64a7zyMNze6ZMIRJgb8MBPZ8AZLDFVUSl6fixvWZhMF0RwdcMZZimKmqaoruhl/Hv5v2K3Z1eOUw713+Sr3UpEvn0ltUS89vAb0HP7wKu1X1+X1O9drnwsBSugt3LDV+GBXImeTD0bJeQTm1oOB1UhbFWFmH3MWPELhx/wuz+btnP6uoW5fZhY3o3uzeY6ulYeA2PX2rAIWi2F9GrVLFbGdv/Fxxpr+7e2/Nf/vW5nBPPgpBPk8WEsSXoH1aIKiWJXzqcoUhuDMr8zIbISoDPrmA6+MZeRQNuuvakN8qPLaf/HuDq/K0RAX0lx+8uogs1MJJSgHRQu99uq3NOUD0ItbUPTcS1uX01BdzigMHVitX9XNYx41CgIXKutwetHzSEVtAwhs7DPterpkpywo9NZNN48AK1N0wMsKExpVg3gVyeK6LwSioPpcnMwlR6zekdvXki1JDBDyvKDw6Ro7xrKTI3BMyrBn2cHgo3tT5+3SoAjITSsnmPaPcNQ0SgqcIOdB+cM6vsXFPNc1zVfX0QJwURMdUo/wT+vdb+dZTnyOeelHft+pTaAZKQNiwdvXrMWILoRLAxdNuaxe1xnbXtGNwfVJqXo/EjRUvtjHNvP7Fbu5gR4bXwKlmWqEhBiTKOybd5Jal7FxeyRSK/KcX/oYBB0ZzMd4NraWkZ4WDsT8IHlUj+ps0AnlJUhEcKxK4xAz7fA9Mqy/323BF+srclLgurTazBKF1iy69k9ktv6qPxFvzlrv6xa2NdAVY6snzvaGbr+iIO5McTvoAJLEKU2q3NMcNza5KRBKUSq59Bau5JQ0QeTXv6UEGWDw3AWXhAXvCnmcM1Cl1e7akO7pGvp4Gp9h3MWh2VAaptFa93NcY7rA1WO4ntOTF9Pm9S7VV6cvD16/b/Oy+fdHVoywQdFlT2JYnSo7lN+OzF3Imtbp92BRA4Oz8VJj2uZVMtHwwdBv777xsWcialW07ua7gzzOyoOuLhTB9cXnDLOwDgu5v5Zz5DF8CE4nFoGOsyZi2NGXxjj3ALeCwOdOAFCkJNTTg95sYB3bSf4hOveq2qdFSnBgklFaYMmKu3rNs3fMdxRcHfPu6DcaAR2bnHYlE6S7RFOXjejSTfh39E3i5pETJNRHqKWndh5Ztsx8haUZJL8F6kSqhkUvfIAksaq3w/R2psvFN2+nsulEwABYMPm+fKDnAC0hhadW2mAMNbTBm06h2oypKYjNAgli9s/XCSWsasY/88S5JrN3RQDty4D3ZGjeM6+Hdl7UIMKYtWdDpMWIVGXEp4VoLb8+dKFg721ycae/rnII38MQkaunht94ECG2qbqr1/SZeA3SBi7K12RVDyq0+NWP5v+bMb2/ONfcyKubxPeVB+24nxUeskxZPufbbbZKoFfSf+RLfwidfXWhkfCUFpvMjbgRlgLhvqq65bkZOmn3KaERyPUTG7ik3QS8QpKJ0/9IG2vMcpchSjPJSUYD8ijBy2G47AurTP4wprJKeMUFAORXuz2u/IZthDXyQb9EJmpAtyrisf85FRLpk+PBxkBDqMmZH9MWzB4CA8x0JPYDPecUq4MJ8DH8LDuF2uMW4Fs7B7Kc/XGdmwqo4dB0xci1No7t7mvZnr4k1p/Q7ifxMcrqRCgPRq4TnLD1kiOl/8WMIPfF8DQ0DEJS0KkrB9MOTaJ8GdPLx0WH4Wh4pua4p4hOGX0sO9AY2QooRGGEBe4Bwr121diEct8KBF7mRhE0Ibc1VVasmA1EDBmO5jHHywdz0EEj6H70vx+zZ6tbVLtgc/ZObl2H9Dj/8ElpayMitIIpFNA+st60L6B2GfqYi2SgZM0xR5pxnn3V8RRFEXnx2boLlRUmWn7lYbnVmwR+IDz043+zTIA67coeX1+Am3vtp0ejsLo6qNiBwMR9l0h8xHmL3GjctLz+ZebzYllD87A9xt2B9SrXH6HVH2a2pMi01LF9x7dEiBop/cUeEBxrc6PNoE3uRm8cLwRW//VobKtzhUCmbMY+FhOxbt+3xJjBBqzOpPXYu06YP3NxliCEI6ymusPZElicujdA2syBrOTSTwe/94PpSAf1g5GDbqIqrpHq9hFs+d8NKQNkJZQszmdGl8mK85b/Ve5jcHg2dra/IrqIgMnYbMDNVqQpDqr27GAk2VdFZ5vAUb9Q1zERi2Vh2QNuFVMAz88F+39rd6a8lXacZ9GsAqpKE0RFx0hDqJbqpEx1AVE6+PNj1CErlXtZk1zOdb6p9xVQt0Ve6O8ACCNtqs4MteqrFyPqTAMjh76caeccfpvfuX9o2CxnIpYw30PGMXUBQDgs4Z01AmsM89OKOUkWVvT361G6SGif39qXOsNR1fmfF+k7gZv1OTAu1XXjqCAeCFgUPAnYq0ljrVNGwEOEqzuHTJ6WOqUx1o3warTj3lKiSoNvVlIYUFJbMDcW78kM+Qm/pk+xhbIjhaONP/evFxgaxVVgcv4DFjCB03I0Tl6/EyU8+8+XAQrZFmSBWIoq2dOZpa/fGJSavrtCABcHQjUreTqTrWs9XJkoXKDByBL8FvcaxDtXYKQUIylakwrXC9xNxV2++C3V+GkvdeQ9IWH5Hh56+KJlDK+jywkwIWLaOa2i3NgYYvi5BtiD+ehK7gli5BgM1x4xwzNdshJCjFrbfogdqHVVWJYfLKJwpWSTUvYiPQCN5YZ2EGlMkBmzb6/U5dJCfLzWM5zz3cvcf7zFVbdAaFzMukJf40bt47edOoDqUIm7ZnrsYDgFMYQwnh7THjrNz3Pq+FlN2b+w3G4vjM2CZo9nzlmgAnqJUQqfHm2WMCOV4AbMiabvp8rq9tbOes/TA8KyYWSBYO6Nsylv74AFl6k7wLpOf8x/uv7UZjv2wgNJgujR5whx3NxJ3JG4V2lhCCZH8yooflYoTvHg5n6afuTTTKuan8xdn8YvNK4Pzh7NHK9/NN/bbfDlZXSFr49/1kaAwrlaaqE7uGvQFrZKj1YoldILCCnD1RRY73+fFbPyR1X9m1FIC71PVSPfMnBLA3dj2/JF8y7gz9K9DW9+uHkm/Gw8pP4oCnvSNws9A1SJ15rJyqnurNtKGhjEEZf3mkII2Hr9YTkn/RvjtD5Vv6K+IXXjiWKrttggIAEmURBH5A3FPuA76h7TEZE0xqFsYpC1x3ItdiiorOgI6X0dsQOUpJ5NkFBe3poSZgMTJBtvP4ZYMm8uldjUJ1Ax4wPFoKmI8H0tAEhc5LhCxGBtSQHK0deSKe1YTHGwdsYYAUvNPoyMQk7wXtqJqkjsLLqcOUXUFo2rtqMdBt15z2D60skWACbwX9TSR5ao1sfP8VvZevT4RsyN2O+309tod/3Z4p/SGGCidIk1fn3fKoWC5vgGDoSjKoh6c5vRGGhYuJPGXz+FMOUNi9PNKvTi788JMa+K+/bw+BdRgU27Cs2dMYwfV9dH6RAbtN1+Ey6fcdXxEQ5KYzgf/Ickt7xmtJA1KrX4TWLlQjaFb4cUYLUaOVwf5NB+t3Mx6ZkUsewupOVLamm+qqmyUtUIkKbRIRDwwo42AFlR7dScUlpeIPiUCNl7ulOHuhlfeeBa5ft0UK2tyPp14fJL8xDwmneLmu76Lapw1GtsCaA0ND5ok3KvWohN54VucbbF7xRofQACjsOdJ58foyJrkG1ybhpkRMw0M5T50y9hwkbdCVM66tbPViscnoP7k2sBiTNeB4/k7O3vUX9lw3KyvE1EyyoodrU5wu5Oi60uKxy/RBUEr0so3Qu1cQTJZWmDbYSMHWDIrydDXP9jPov3IyT8YRq2zNJQtlfAFx6y69QuSDUTu5SdYxAKisPcTI6m7dl6Tr10APJzqVPS4Dqkx6Ux4tTEfz42X0nn6QVbDirHOcI06oRv6LoD1ZYMGpkA0BhpTfO/m7b4XSef2b2UCmjneNU1MbQtj2637FbfUwQRe8aTVciiAkX675rSunp8fceYtU8ROc17lX/Ue+kzYH2lN+bKpcTtzhDeUoqkAF/otmfz5B9fzKkrVKtj7gZOGrr/3aHqpShWSuXolbZNzvuAuoIp6uuoAA88PLBiLhV4ZBYJjInMNa9k4yUbT14hN7dJp0ajijLgaOHw5mM0/3/uN1S3jTkuw0Vs/mXx0HFjsSb1uiB0lj8MzNXV13zXPktUNOKq/OJz2Jf984eQLJ1U6F6/SdXcDlrtICH6IffTDx1+6SNWNOqTOt6X+ir8LHFBS436tbWx/cdQmNanO1dWytEWINZCE5AXXjrVN77Bt73bSwsiL9XGmRXFPfcPQSqns0NRteq6ndpaStkZjX8kpsjKShv1m9KGRwbBE7LnIVGiZDoSIDNpGW1ww18wFbSNfSNerFb3dzAs40MerlmyBUsTfvhuPha64LTQJ4EZO4eQjkHDSUcon63FqderCH1YC3uFVJjBaAZYPwKPN5R296Q0yrF+0ZQKcyOq+AYVSXbRRPac107KHd4b/9eI2YFPwl59t0I18dwou3bOAWVNlFdqB1NUQ8MuaYANiLfhl0ahf6zypwIxlOI5djuSuMpGbVibLGK8PascMxUdFa4P2rUe9rd2jJtNeJw7dCWlX0nIKChCW+IYUA+FjFwxepmkvyyH6VWFc8ks20CPZvgy7O7z4KqqjN6sFVazVqv51TpEMR/O11GjtAflsosO88vuyXVYVr4Bj7We4y/yV7MjKhdxa2myVwyQvBspl7tsTLRIjs1XnBnAtr3HwgmTXCjS1qRG3D6QkE1t6Q+X35eZLk/ZJY4OaUF1qQ+wLRW6PWqQbLMvjvMAIAPXpqkikotSOfGAmedtBi08c3Dk+iUgaxcq3jpEj2uPFyIUthB5xDq7Zn2zLxXh2ynrNh7ydLGvY7rb0Vx1bVmji4dz0ym/9ZPN/E8On5zuoYf5LtN+0C6CCOfRKqEKGkQQeRckSFxeUT/ttIuyKxL/x9f0MlzpXbv04Ryr8sSNpRTd1WhZ66Ywv0N6qDtnyhg1I1QlH7N+tYAn6hLgsN2F0Sv3f9/Ce0nyCF8qdslgCTCKvqCxvsx12RK6bHHR48Y57FiKuJudd6eCZT7Eb/iBPx7NsrokQe75t9VwcSF87Htv7JiYkKGVAdQomKGGkYkhCmC5LYoqos/f9QdjKYuqinOy3hPRmC3cI+zlnLXkmjRsT4U+EttZSvOP1/eKad+9hg+o4J5+1XRDXrpCAVaOW2Rh2ymTT8ZRUS8qx4Cx3QvOn35q6+NRRhxhbGWjQ5w/kHBrtLq8PClK5XCBV0KxMr0ABxgxFicXOdZWvFe9pDk+V3BKNATHwkpny049pZnNn5tgfOtBlLF181v4axl9ImuWmCdWODqK9pjZ6efqRo7UD42ZtrT23HXL3dFdqPg5oDI8te7jaamnT1I5DvWvvLLb8IK8YmDOjjFAmn+q03xRTQIaIcTNzXCYm8bS21dZ7ipcSe3XsW0CKl3fKsLdXNTB0d+yw+0Q6gUt5VVbBmcTuDiMJB5LPspXKmyIWL+fXON7AgVQr4YrYsMvA3qGFMU2WDaUpmHOKQ+FaxNhqI0lo0/O6diuZCLeNTaCCJLosyGBIQdeB663BvWRxq69Yh7je28Y5/VX4oBgOQpJe9nUYJ4yn9Gi7Ssslr2kBK6P9XkgANE2VotqzrfiZBAZkTcbwLyCpFmjMyv5OkKpNy2lGKSaqphmbx5lTMFXDxHFu3zdHgWoU+B2kblXXulum7mpxHIqpSmISSRHvP17t5Lb7u8Ixd3xzX2/IJkPBCC7xhkw22TreDnYzf4vECuV2VuM0siTZOwqnFQ2TlAVRCO+Wu2oMiAgdkR8Tw0DqSawYuNcRsXqgD0oT/wUglYrBbDU6/4a47qpgqbjdUVrXPaCRgL4YBnizDcJJS5q6pn3htSqFPPR62MCOqFpyYEQlb+to83XvAp+GqVY4jI1AagF1Yr4tOECq+9zeBlybYxXn0FLRVuP6PM6k6ycCUEQfiC2YiakkRSuB443DJmiXXHgqNhSkHftxLpenRAQLomQg6BYUig5uu3b1JXMH33LCNUBAI3z4sUtzcY6ONQv7uPjzuAHEliSDB4YD2T7rDaB26Tgmapm1VtiOxE7QVUBq0FVDhNA8I1p715TXm7RRC+TNqwKH/VJNkcLaBRxc/pzff7YMOKqm1GBA9syyDYafHoBJzoLwWWPzgJHMSG/qKZ4R5HtG2L+rzuiKYVqW3mnQAc+TicdMIr8cJbioXv1v0dv/elwmJ4Wm6fCaLmrZdGTvwtCfq5Sqy8rp3l7PrlOaOZOPO2oYNiXXb+Bx2KN71BBIgfgAxNX5POQyV5fOnPw92vK8Y8sZt0JUqlSYY5upmRnWHv88y508uMB/3KN7KuDyjZIPKzo1KEqUa2m5c/Fo50i/h6llp1cbE1k0U0mWgWuSfkJImbVOOJTdD6goYbHsSu2KKdl531VV6Wwm1cMqwAr9ehPmRawm/tGosz05vH/DU1hoYXLe6ziMizY0ioRkRXXKV16w15kStlArbC24Xkm0aN42vmrYjMdWPslQyvmxxIFTUlhc0YArL/Zh+K7xnLU7bDbC56/HldpPTe7QU5TXY13Z8Q3OJ55sGI7VTpvDdmfQ60y2A1UxCJW3b6yXdzhQjbf32jJIG57ZZGC+6tdczlrAFg1oTk/opx9NSFpdw+pbt0q67fmyhymWhV8WF+bW2lUtU24IQGIUCbIcrqODh6Wj9mZg5KMEA4GpahykOVkQUZQqlJMy2APT4SEeqbGcGp640qzKLCXbiiH4VkXMeTZwhSCPOWuyoPmCWlc0VOOmeE2tY1hRDkv9gWmGoeAJjed93QLO5l87mIEtckVo2AmuWgpt9YbeIDzuf3fJn8ZhGKkdhWTiY8VQcD5v3ZC9FjomOk1HY8NKw3G4UJIsnk2F2Ny0XrV95IH9WuyEg/jdZwVhtRglP/n8zPL5miW5PboIPAbdc9hM/CAa1gARc+X/i3H+rFG9JoGRuI6w/m0gwUhwz4aX1WyPUS/+tfa+GFGlSIhhqqxZCbLTui9EAAoqZoZKvMY5VTs7kbf8Lu63GsPbh73x4WA8frfX4zdWVcuMybVmTEE856aKL+68HNJtPXL7UXp48HuVuGN39sxR0NKDRq1ZcVcMXQP3q5/f+7B3c/HSDv1TVvO43qKIb3M1jrt50/UWa6KBabJD7O4Mqm0nY6qWbPON0oZLll+ZXcWLa8ClmqcHzxz5oqPUmfc+KPbyFcKJrYE6iIeG6YdDp2WNlbaWZiM7as8akLGwpL+3Iy7HGwlhoAQa8YSjDa8MeRuIvEAEOIa6SRWxQrWkxJWfM1cqVzvjmFMfaz9KpWMfd3rxiNM40HuE7OywYtbGNiwOc+oQ1VOtsNFZ73C3uPWlA+bAO5Rj3PDdN5RI7nYf8BmPd+tX13YasgYmzWpXTcvNUggS3sWUgniwl5ZRXK2YnKmM+mvOSDvi+rlb5L31bMaRUE6v6sDEsrsKRNHYLaGg75hsiqG1q3ve/uV+yd0i3ItEKFdNPi+6y9fKkXRNbN4q6DWQbzJLg5Ymq6IkcvFN0SFARZf78KlQqU6TCiLcyJfOy0QPpB/3sTP9c5Zg4a5svueCabLzqstW+lK3y9gadS5rSxkRiU70QGhtuLa90OxkNigzQcIp4T4TAWib1jxodlZq9qUEiS2GS0NLUBZkkFwZT2T/C2RXz9ufCVCx+/+0MbGP74od/O859pzCf9NDClLEe68zaUTOfsNUCv2TmToicctpAMmxWXfgo6ZFDfCYzzANJN/bP34nYjKdrUqR4ZqICen3MFcgLdJGZq/+ggnSZQmy7YNK0sBiogH14ANABw6v2ScEvLzTpqmwbaZVyCLzenewu8qyQFrEn/+YAw593NbBnmtAjWVADV5t6JVZXjEEDGsgNeOrFC0OjP1NS/0kXZA2a2Fmt/N33VyovqABLyJqhVFCgcTzhIcRQpQ4dJwTX4pI0Me/fHUAI9wx8ht29Pe7vnIPKR/cNyWt19ZL652ZBACqSilyhlVZ6yu9+UjxfJKvewoYuhmTBVS/Jjr+IgojSlVsS21gSbfkezvPM8zZmuAhOFTS4PzU6452MbQ19IfSBmWZ66zLQyUCMuQLuIsDUNLHXApno4fCtmrGmVLItQcJyEyFTRUBpWkywpCYrASWp3A6KehFp9bIpVl/u0avFuyo5uS1b2v7AJWo4grbR+PlVgHw4WIC0+BJUuVioVzK8JjcyzGugsf+YlvKMoOicsc80R3sEocACgJMMSTjF9wJLiwk8A+ghXSElxgO7k//AKawQtraGgKnbGMLURD0aqn+VswRfaiPABhbJzGsgnfytJpjX9sgTJJ1LtgIpMuawFNcY+kWdlQDNKopURYQLJCA+38WzYzJCkyIbWlb03HG0l1V0xw3IxlamzC8WfQo25LPwCYBiAlNZfiRKSmhqgwAj101MatYsa9nbFfll1JsJekhPlHGIgtwTR3HZmIaqlM5nB8LWMqTmz+5TZU/6TRADEpyIBU2CpOeX8R+ivLP1s0Tb8DuYLTrIxkhRw2hbPVPdzDG9KBYCGQJwEweYjX3OuwyKcUY9SLWBK/owhNjyRRJ13mZIfbXbikAsSRayPVGA+tLm4wlHap9gLUl5syr69HcKdHhPrlENYsLU/v1JST3f64FITEsRM9w8LJAKcPZq1uyCgziiuXAng534eNoZnvxyEbhgHtEgXLf0QfZcaAAUCEyY1lvfPNTbV3dihG3hbq5HUUW9Of2VO2CfqPY/TEm80E69vu1H9pAyLQjjeQLYUiQ6Zh5KhRCAVl/m8AIKKB26HftmgsFk0aW/tLsXIIuXzGnJ9lp4K+8WR1AO080F03DX79IJjtccXA9bFVBEOtFF6/fYGAsFukraLOXLOyVwB+2MvXJdTpy3AW7cV0HaDjYyUJWLLjROiAsSCm19eyMdYVDEMs9+LwF57C+OrJd+8Bdw3uyosgEZZgpQaR1hRkYuaMQmAJ62rFQDfK6FEu05E50P7Fprm2Ck6meFzOFAf2Ny6xyWdd7rubPSKa/YTBlX8SzBDgdKokYyhSoGkQu5aPT/uizSwSofZLk4H9i667CftfWg06+vdCBy+GGHwhABlXDjpwJSEPVM+xe/qkPdpfZlvLYSLoc7DGsKpkKBha0Jt202wVQTdYpLI8HE9MEVsnwbEblnCplveAAKnPlcmBlPG2lzSAAsQ0vMp1OXoCI7vgRZ6K/TduWapAQ38CvXZXRPd2av+ulvUVeL1qJUujc3Seo3312OERUF/0nAizQOuL5PjDohB5keU82LUzYkdl+ZR8j3uSA51UHf4Y2b9ItwNingP6kCMSDC45rlfaOCxaIvWeKEEEJK0sHH3hF1uAFUoOROO/zaJDmBYNtb9hNd19IbtTMFtUaAnU4l7wFp0Xe3IMvvcjyaY18XoAYcuN+JbFuwVMBRHh83fdZt2/U3WBkRtbb3P4PaRL5pu3WtndX2S6v4VMtQIDJAqntwUkCNwRtOcaCjtxf+RjJbpxo0RV0NpE6xQlHigD+jyf7qlGm8j4pBUvwEyTV6M/KZmBBMPXWTQzz8lQ1uxchHTaY8RpjwKT+FrTANQBzvEKRCbJm1G0w+UDjooXEgdDxvzQJeo2xCfYwYVahIWStBHoBFcs76C6Yuy3tsmN4KxRhA+glqVUcCqldtcKmw1OMadZ9aFuCQ7qH5HWJuCQx7TQagEMTtJ2wNZD+WJZA8t7Raa8Fp19ODpsIqBirqJKagqmhZqgmF9dP9lxFhSEItN3mzV9uolKMu/Eyfkni63UYApyP1eWnr3M47M5x13gHUoDctYO5jkEMEAeWmqgLam1h7NTxuSCor3+/9v0cQqsv8x1YGjfMNgKKQqBYbRoGeo1hqGkwKGmYi0Z0TEUr+ydlkBOc71AYri7CQYoRIuQ1GSIdKg0NNiJt4TQAEum/IkHApsgojjCoELEq//IeATu7QmMVs9KS1ygfzmCVBNRW2HfOiG6um50PdpquZrkd4tXeaF3dB61tt4OAlRF3AvtKD+g972w0I9WuXzwoQ7FMkMXvE/o+mo5cJHAMCa+RvRusSt5x8wzPTX6Nzzqs6qSrjI6TMxCF5dyEgoJ9Gu9cHmLBc/ws9ktTVr7m+BxlxFhcDC7HVuU0hp16iExN2zwOnKHyMGRNRktT5PAY/K3WEQ3abAej2bT9LOVh1lSunF4kBFxyUls19FbwOfAORkI4aLWdZONY+cELzkxrgoDL+DblQ8uf8LjZDdPQBYOQd3QepgrcvxzAJaewkzK+u9SNjhLMBZsBqrJCynppqAAWnMDf42TzCeGMZz0ZH4E7321Z1Z3pYVB84N3y9X2SztzWkgI/kzjnPTruSyi3JpPLY8XdTsHh9IcvQ+/WrSBFNdsbzMf8tY1tBm2odi/Ff34e7Utjv1qE3QTHY8Kj7tjP7A8iYjSK82MHv1FcOH++3lrYfe8mEFJ1MYT5RLhpoxWLVfc6G4SyG46dCeKb6fx756NLr7pB/AaDAdAfi3aynwE4TPXtCTxUH8nyu2ij3rZUhwC0/SQoMay8IpnsLpsxP1q7mITcZTkE7b0BT8W1w7kYngYJzdXVULolhJPbbyIooOtXfhM5RevEZMDsE+au5fdAc1f+jTqMRDwZDa/9XjZRseAZSeYl5uT2EUmyjI3AhZp+YW7rh35Y+GI58R6K1hrPe50hWTxw2DQonPxuToOAanmUdjoZoNoBxnfuZOzycGAxamZ8oJn7+7e/3bA+On/sQ5PHQavQibYMDRkAtPDKdQeDu+815nHy+fOqWtrs7wIOUIKvK8iBgN121eJgyNSCvxuPsn3GmA/EuHhuDuqCpFQwZbbJekisy451w0iutQDdAsnILENknnVK3Vcm6uouLbHdTkmEtgZTnnoolQ1z24ohJ2cUFeM6hro8BUHxD9StgU9kXCpsegzUqIspqENvecyMyb0s7BA6r1xHJb78s7UAjJFWUYIJUdeQAfXBqMHkyMEFF+kHfVHKrkBUX5m/AgXHa3s0q87wHkwDoOBooUxySpAprjOgNOsEgqQkIgLo1pIkhTJX7j7hGZb/PTt+igOrm4r+F2hp+NG0C+WzD9d58ID9j5RjZAT5TatjfuPNTgPLj52KkEz8RYHrFOpASSoYTmVVap+ANEyH1bsvQBxwwmotkQT52uU4vjF/5kGCAKmAm/keHObWYvS3yLz/UU6AjIMw69XEK4CBXO6SxLhzH4/2viJCeyC/5udpGqHpSzeSBDztVZ0FRo5OCbM7D3TPj1naVLj5l/sRX6TSBJL95j2MoWA2LW5JJqdGMCinBVG0ugXLwK0oKrzod2JkwWeeWs2+D72DCBJVdDY6M0UZFBUzDX7yjIX0gWi07eMMBjnjphGwboh49tMgDt2zgiKKCmxTjoowq04/UNuptuk/DyHrbBD1xazXPXH2zlNDxtsVA256IpMhWn4NiCaTra2MO9gdq85Xbx8bOXx46Fn9rmXNOON+rwlTOcuwRwAkMEEAtmIBZSJeEOnNURQaj69sWVZoZ5UxnitWOzDa2R9ICAhYJuxIZkwQZaLAiLrY7DIyrExoXbUBZBh8pX5e02O8aEYUZBuu3tZgADAYH0B3NQnFFw2sn7L9dJlN0ppUY8LouUhn49BsUaUgArS+zUlUwxhOhwFdLjVjMLuZGcMLYQOKqCP1x/FkGGemwlhBCyAvFHQeSyyZU/HFuCdiwT2RQjI3MklP0FA6FcCYd6Ry/05v6DGFxuna22LmrtHLFSismVIAp7V4DdVgK7e7T/UAM8YsHvgboNoP1JSqUw/bTQWp+s2bz0J/tF9eQm3uqsC2afRvV9losn6nYoOcXzqchwezOzeHckzhWgodhmarnrkjAlHbzpYlk+1Sj9Qp1EBhyOhBCdRAayM0xG+GGJLWcfERSjOvJ2jbVKspL7gxq4Ck1rQDRpf7tPh9rwcI4nmtD9sr1VLoX0c+cWYxNn8I8Gb8KEfNlp7qXx2UC9CgStSAgo5wcB5VVHR2cmhK97wo/9RCDkDzozuV5aFoRT29n6yL3cfaxDuOZ1re6sfOI0ZmPuChTiuLHDotTRSp/CuNEWd+yxXA+lrkbz+1ZYGYBtyzZbsCR193ldnXtff55VYg7uuLfZgPKGtrRZm9i568IrR8yCR1y4YEO9ppwRQjtD30vQ+GC0Kzx74f2EKys8+2zpzmTOhFqmLMmU601O61CMgUD3T0GsKkL2951hdOVRGzpb8go4vCaxKG3LQJLGCe5oQssggKd4lr1gZ+oZ7j5he+vPbuO9aTcSZKV8pFxnqJu0BIYMy+A9wcXNzdJzErIBb2XHussr5Ufhp61kExc+c1W/NtMMTOxuao7b9/izU7FRq/OT9CfQ/T6M7HBVxeWv7m7gMrgKY/W28yl+Z+D4PmEyL5YXgtnkH0q4VSaeYjH1HcgSLJkym3899Ce355DvFaU/UnKPGpbhsVYfT0r34ztoup35dCYHRFfWa/JUq2xgRaKnmIzdoy7O1UeAvl5WIJ6hMyZZMNbuCLjctXRoYDbACzB8tmnmNaN6+vgloCrwbHR76sHwSe9pRiObYuwD5p7B3cfa2+vOQHRJnt/Sxceaa+bjF7DrM3d7jnwZ+/EEJbPlE/TVvYFsFI/9bFngX8lZcrHXj7/qWwBwlqkhIVR+pmlrbF9iVSBt4eqtGGWQbTGnq8oH21HGLDls+bbV56mtT4RrOcZEGzfH+1DQtyHaN0xvLMbjBsTjoWkJM6NaCeqpVs9P0/lX2d7krm+6ZY8mnzJr8c38DeMbffwUblm90UYwBX1TANKT/DA9tcz/2X136bl9GAnvZ3fWn3DSNw/AbqsFzNl9nW3O+n0RNsp4fh8SmpCcNW2gmA3a7lk2XwWM9LItQj6cg3jkGz5h1VQXv++NlBtxuji2pTPW0yZkCibTC3Hp5PixpVk+GwFikRoBiziSY6PSd63BQVE9WDevhr1cA4aPsWpbiEyQnrfIKbAmlYTMUKWK/AGSKSx880ndMvq9SSs+89GwBHbkzGvQ39gdQDwK4hBKetCJWf9L98O4GAdfYSEi5i4Fq/EEmYqcxCOUtZPb8Nuf7XF+1IwiMOL8MIHxbKKAUhY8zRCLQ19lroe5LQERkspdTtCWOPJc4GBNoRUbKRnALaQ5VA7fmy+BhWz234u9edKeS51+OH/eKszKihl7mFTFSSiBXKngrtxx+k7NAp1XMuGhjYURyYAGrR72hIhrFqfXdVB9lAdpCFDYBtyYYwy10Sg+oXiAtB4qgTy+aneAW3MNPInKp2JCH32L63DfW0IluIMw1Fh46+YVS7IB29u8JeL9zku8nnaAGSVMcSCtZm5RdqF9IU+SJJdJ3pTznxCmuwxtU8dB3UsT8BJnljUkJURJbuRnN1SWaImZ3BE5dP+uLae32wtiD/n7UEHS663cd/D9KFB3Sn3Rt9OAuEUTfdQIIyiDCcBm2GHo5nZKgJxWYC4+BIK6IaXt7rP1r8ZWC7dpPg/oPjkO9vG8faZGLMN+LO0KRxufGXvQgl/HlTOGK0ZAeYguiV4JLUxSsXYjC27XoX3UYEPYlMuKY8yMUwMFMFD3M1JLLuto7kyeuJGGyZFxY3eiDitwbzyP25TiQOXWblmLQdsWsDJ8ZdCYxqt7IRPFv8zgTbhCvkl61V6P7Tat6Tzy+PwF80q1gW6k132/Os+/eucynPMQTHZwI8C5V6PH3wx7EtiAC7aTvdI2ALJTajlfXKbx8jzoMPghkJb3twW0L/ypTKdXYRgV2JWBr/4zakFOXAdnxt3h6BU8cfrEzg7LDYvtmXd2e/szIAgu0mga7+bwLkNjZiW6rHB38pPS8dLL/WNS74A08h8M+tOoRCdkGBpVRCFgx85exllrAbKRIPioaTa+4YWjmZ99Co0ckmiqSXrAz7vVKPtVDe8EriZWOCu3dKwU+4KdcfvRJ3qKGsq0CaITqH4uB5WiMF5uBw3Kixq/x3pmkyLVdyavF3wrvSHgH3lGTzouhczo/wPeyvAtejRZyPY5Ft+puesfuzxFWrW2iBqb4UIQUAz240GujF/cS8RCVkr6kTYKitcFjBl5Eo1iU4LI0Fw5wAh0J4wM8D5WoskR0hbpoU0mZOU5kvdhLQ/LEMMtQustuB1m/y7QjMvZcVTxA069hCLzl7QNKoU9iYbnMj92tJinK/iwHNyWpbxTY4tr/PYvAK14JZEGe3Y4SstOcz3xNErGxMdbE+Fkvg+BKTX72Nxg1Sd2CVc+8zavPhr6UcBn3RgIY2TbFJH5sIdLg/lpzYm4P93YKLPg7JI0s2AgqKBpcFJ/iN++SUJFFk4VNp8d7YA3cwzU9xPbYKRYWXKlV4Z6RPC1FGrGaEOM660sZFLQz5E8c9sWYEL738W6GEZ4SfkVihfvfUcYfpH0EW0rjE+5bRq7bjS9S/MaD+n/qt+D8IWCzbdhAMxRi35IHe00AffN7gcTr0f3L8Q9gUt4Dmvz7gIIqmmYIZifZyhwPWFsovnNxOiOQ/a0PvFU5gwmS4phDSpp94QaomtXA50sySQhHAAphEEiipKFNFyD813AF+4v0lE7NYcw5IaFAryoBrDYNODuTA4shv/fPxdSgFltk/fGpmBwhPGNrWjcD1fqLoP6JtIb5qzuauYXMGCBGJnUPNWTe9qQPb35eqEuDGdQoroM2eRWZ3Cdgy+1YYz9V693bf2jSwZv56CSx3/YgJCtU0aOd/voAO24LcfW982yHJ3eIjWBjx3Bg8GnePRRy3yH3/GqicvEma5UBj5mKqa8dEAsotmc59qBmai79hF24oagXt+frQ8t3WaVzwrzGZIW/0Kubgy4cSjEUCs4j23dtvwyvuPnCD57rddzs0gZzHMq5eG++EAYN1sdB6YxMT6H0THMhEKTvzA9fAjqXLoezft63rN7U/bUOm6S1pE66c0/xdhNDjR08ev7YHKiMIIW0WGlo15Bwcj8IQZYOTgUmBMBYRgvgieNL9GBftlVTOkwvBBBgQsknBjPi9uJ0r+tllTABGPBtrItwXTV1uHvDLl3RkbUBf4yHJXgTinxZmrxVQYjDATTgEj5VP6Vs+Gm6c++2zW//5lW27wbqH7+Pu63po4EHlzK4/Qt89fraoQXn8ZAt8DVzaxDM++NzaUeEP+0S3Fzdc4Nv1NjeGn3xXiMFaYnQCQomvDedpQczPVTUgWVhYSx7W03dSRb8ICg8L3G0v5xBGQaBfqZoEmcOiGthpf7UwVsCmLPhc226kneypiQGkdBdlBfiqh9pLVaIJQVcXFX2GDuA/O6A1XWwyMr9SBG9JgGMvmCOWqKopwAQ5rdnyGAUROZNrsWPRsd59jbXjA21pwrV1dv1Cpx5FtHK3MAYF6JAC1+gi3NlhclU07pNlHWYOeY6hXR8a+QuUVk9TwMsFEr8KGAh4rahAFk6T0Q01nek9fLzigx25BYnx+309hxzaancoptvAUqQO4FtvjI+zshJgGaqAHyxzJiK+MMz6VyefmvvDpJGPOpCJOAraPqfTvrJVfn+EHk8CPaGn0BpIRo6+4FeLclrxkm1pCc74rc3LhwyADDUIrJC+DOL3PeNZ0fgdFnFpS3Hg3wGW5XmUPX9n+qAIBSFfHqptUoKTapNDDyy8CMWjp5FFH3trqhDVxpdjAZbn374lopNNpFNsAqTSHst+CwyzjJ3/mihTgrziKpcK9EtODmDt/Q8jbTvahD0Yv8U3hk+UmRt2FjpNF9MfvnNs1H5rrKrHg5ofpkBBRzqrYkjNmYW2BozgF5mFGv6/oHAmWcBOaGaGuq8/XeTaI7+4J8sW+wmxEVKfvvZuGLSph/zbstHbWj7u7IEcbPrXGAuRtGVSgcMSm4rQhbd7ILI6Q1S6+kKuYcSK3Hwqj30g2oxj/EkmAlq+tiAjp5PikoID1/65T0z65/em0GPuCA2oZDXdQXoqjb1erzOTHZzidnBfMsomfGtjbPjBqHbYNvQ2yMNA3rYz+qZbt6pbIM1Zq00kEc0NdYg26G107yr7VuafOLLtOq979sxlFsEGqbCX+bTaq39q8D8iSReKOcATtZLjgnjWrwZQ1jHVkWsGnhZO9h8umI+ACvnKsk/U2LJILd9YzukjgGyDh/4bkzBeo3WDZ5vEBf8PxP6/YonaXADWFvzCDQ9zSG0dfhiMemz0PUZBvoYA9VQL/fXGAr7CZbEPg368ewE2NBhMG+WFKVs8dYoYYstsqSPDQ6z4PCpw9MlMUwhegEqSf6UgvK3OuD/2CTHREVunW8oW8MYFkYKaqklXYAGEiiIhXq7sKq5dBsADO2FQRacsTt8BzUiONMMZwtZ273T3YKvn8+dW8KliFWUdcyJHNIEDnjVrl6mY52w+DGYY1VD99J8/+DCMXt356LNvo16XHhRGMk5N9MySSMaJx0PI/IwlEBlDBb1X2Kzwj119zAYENV/02h2XI2Ua5LwjcSO+KE7K6ObzqzCDHI7CCYNWRlNXjZz94bTIUczxUbxsVeCp64IHm7OTtRJiapcTacSBpUsfe5zMu94hH0bxyVOaiJXGy2qSXjrBEwcn10/BPJxd80jMIH0v+lP5fbdffoMZBSqzGnXgAyA8NTd27g0Zha3TbRWqHFxUmVagN+wKNbQPCnoRJ+zq7imDPZUSLXjBGNzV+7zNNPXln520kZdzEFdJpATOHvPH28jUuodJD7SL7j5OPVdQvbWB5DSpR/At9QMqKmyb/+oyolrL3Dv2AiLoor6P5ipehR33ULaqaDVqL7zNrfk0LokNtjSyN+ncl8c108wjdgyRdz/T2HqVQVOg6kRmJLRf2ZoYzCbjq1uATS3uH/Wz+x0mmhL0sgqeQV87lBD1qL7adPWZUPCgn8nrujqlFBRVZTX915fE2qnV03+UTrpjB3GzrwSODIBYl1ivzhRUJ5KeLkTpswsXq3QI9oJosJmi3ZAZKKoOS8G+ruX5yAcop/X8lo4VgUVYdioaWzEkgVqOkaoxHvTAuWwvZnInG9uHFrBeC54/QkP+HVFUgcsq2OynH/AY6Ev2xBSqGXV9rqxkEnmtbmsmU/wnHl2vmvCN7ZHhj3xTw7auNUAWBrO2nVO33IZRWwcOb6ymiB3NDQyINZgEun+TfSP77x3gMZ3xcL4SkY5BmsT3QM4/Wei4wFt+WG3BK581ZlxIUOIQUxyow1VKSPh1RgOhfpYgYJbFlEfP5IxXax7Bw1xRJwT1ZdqUCKydVEGHfLfQhAFcsz0nZTpGw++kg5YBJFMnGtSTfNVCKEHVkA7yo+nneK3RY91Rya/oW/UGAUI2DDlxRadaMNzYNGo+GmIMq5mFEqoTy3PsHjjN3KUKQpNVuYeTDsJIzJdqTXh+Cm2lvVI5U7CigT+kF1vE/urX8bI+qasd98VwT2mbI3Of2xxwXXFME72XaAmxig3feMLa9Zvu1IaZSRhbTJQW7945VLzh3vjortfBLbWVd8JALlqm2DmMFGDKVqBZZKxs4GK5Rw3amwV5xp26XNzeLDINdwawfs2z0IhFgg/8MKSNUzIwlPPDhQFjaob5AOk+b7uzr2rEMxP1BzcZ+sCFfrNEe/qlIQ06xlaOkOy1fKJprgLBNrKE3RhpobkTpb+VBO2ChM44NkRu7bry1ko+XBV7vfUbhu1CG6sBdsuC76KHGp6fkW0E+2vlRRTOVHVQVvHmSHtKC7o/vX2i1rX6H77qh/fpvIOA9EA9NsTY7aoRMn97f5b/UkX0ddQMa+deNVgqw29eMIZxLR0abJCBeNs04h+eaxKZS4fMW7LAe71Pw5IdNsmi2XUjyA7NmIuCIlTB8f1H5MA6FG++Ihtg+5xN+g3oR+RXzo/zWeKbTdNNB7vZmcf8NTztPZjVqeGGrxF53b7FXHRKALJeseC7m+OuTa9u0DW01h0IFmdLX3erZuXfYdIYkpStDnQor9QxdMcG++bWP0c9dnRz4pr6/4s6NlT8Qk+FuKULNv6ngJ+2KD+e+Nrr/OJk/pxqFBx6jO/XWYUfv6KmW69k5KRCYSqp9tA0zApCZcD2nTuSv/wI2PF8R4MoiHWJAnrx11voSQ+XbXge2MaWj24ayjexJAQaNrBtvP01OX2PUgW3ZhU04AMRzKyTsVDBGsNfWrHABTvSls6ct3S/wV+B6B3WNnqe7Uhu3Ohmzp59+3wiMlxR03wjlb7Z5SHDyqKA+onii3K0/FJPes4AoZAiSJB5aTMcyYg7boagzamjEMFk2GyHFjeGJn/gNEWbp9aB1GRnx/okn5KDmrQqSbKjLxFbaviVf2LSZNpB7pGdTp2f8oXa3XYgAir061vBD68+aBtak3zQsb+i5ZyW2RwAxhBVwvAhwcynwI7lhgZUcnQCrdhk38j9GxRMUCEvAgvYJAMXHmj87+waq0ZexFL3vQ6CTweXti17SqR1Qt+JnDiK4u/+oZA10Rg90UbJtD1hQAixNj/xnb79Rta4eUq4+IBJ/4+4DjMqHZLNu3bDcWynZaWkIQQFXZAVvj3Ha06Y8kj+ejxxPChHDV02ygXD8Qp1o+GNixN5IiwaoqZrtqTiRxpgueesWRJt8Gk2L1WMiYj5vGwKFGa4KPB8omdqf5gH9vP7yADFg/5IFLnTcqLPj/ba1CTeNv6twXVjNRJnH6RjAILcSbs/QaXDv1PSPMAU6KCBpkRKnX0gXqlPswAHmKpokfbcwcS5osF3PwUbwLXBA3rjaw4Te5MrXa32mUflLnTzdDhElbO7Cisow0AnbjpfITV39PS4HkiqfhmfwHGlrVK2jW2GIbBgmu4KMVujtKOrEBNKr9wSgJ2gDeNtF6JCQbmFA9ewORf2/+PWZHJDN/3Tw5APfQ++8vYHPESXJ8I63LgiVrvokwPWH8VWNYAHvfn5qQbXkEPjc2cdO2HTM/Jcllfn1kJzeTTR4sklHkBX4T6OWV3+/bX4BrskLD1Z2TOfCwpMMOU47C3jHT8nfB/DD4G/BYKk1DWDqcGMEaQpm63KI6uzxN9mpGHN+rPVOyv7LFu4TN0RjZeKKVBUNpIXHefCTd3lJOD0boa06rWHWcR6lwBTeYfxHuil8jwJ6bgFSzpRS9mR1LUaXGRe0u8OA1Dfhh9uTrh2vfpBz9A7Wv6gZW/oK27FLIqSRKVZHIK8PLlq8Qbr5oakgPd7DNIEEG6sg07H35nt20ASf6Xag3fvt5wJBZCgpBFWSUDHWdoSm9cIDQS6CawJswwhNfTogPpa0cf6DZczmoL0Am7weL0Zl0Cbcj/f8f+zu9pp2zFbQa817JlAEpzo0EjxFRUc1HZQ00gH6ad4x/kWo6dywtmTAF0Hlk7PF/+kDXKbm8iNgj38HDzRqzRFNtrqWnXIIacUs44NpASndAiyUyVoSq7pngrI5KR2yQuMjGrKaw480aG0UNhFpSD6sQNzgXqNIqRzBIZJ8XgMEGUew9va9gog5TplDYZQ9eMYLSA6kV8vQpmdqXJFYMLO+RzERzblz5DvsmiM5kVIjrZyCQ2nuQpoNzv6RK2o7gduFaGNVL589mYna4jNUUxr9KpDnhIdUP162YTK47eGSMoaluGAT88au3fRrevJRd7VMTe9VR69+8BUqy6QYbiy1OIE0DvQ/dSnUA6TrLLzv1SbWLVz41tbnhyFHN/ocBkcttEtocWesZbDMUt6w7ctoiFukHsa4bCiFWggyhBPR3AEUIzviwgtQgbkx/IvoHEo7/vH65ocAOrVDiPy1DtbqVOKFwRgYmjbillD37qL4YSJKUu0ztFzRO5DvkYJR69JcAzoWttB7LO/SlUdoB/spVe5DuLF7s991Uhgxy0HdQycqnujZPBavN8wW8CCoZlzLwtIcOTJI/txntcxmfWuenAOdnnaL1zOh0VVMEEEuYwmpp51LsB6pHwjKBTNH05PqJl8HYrAhEwpU26P7Jfi1ZccxFtvz7y8CZrGf2D+GNYzmNio8eEmr7E7amRZzVWb9lTgWsT+6zd+TEn/iGoQ0vdbDjwZ+kpq90aTtidsYmASEpgsdP0g6HlhwShNucqqp0GGkQUBTQiKb5JiqHpF9GM1leNA1/ZW0kFhlOPLUJtJFIS69IWjGeX8my+924Xcs3ycyDHcvKRMTLGrLzkSSQLJ5MV/e+5y2rQkLwgBPTCR+DylWH2TzXRd2V0wxW6VUkTiin4HdgM6fImssz5RtzS29OCzNtq1caO5/kPOo1jcLGb9IGkOlylCKVdq5EVPmHFtn1PY1JeZDZ6gZt90GrjNXmPGLVBcsjAy+GHAszUSSkCyx5hux/oK3d28+b2gx2TkIkgQZ4ZJoxV+zvWvLEUnwPwW2Ej6+s5TeZN3GolBtKYFxi1lJYEPgFnLFQMeMATDagTd7kpyQ9wTXc/m3usnbIfZFoNtA6XlRaJcabYbmIy6/omHE40qqqScu5ezn515t9PFC3ABsJ9bKYdU/IgEQqto4dMHsFr4D6Pltr3imj3xPAVBFwMNdxmP2KBPH6q3ZPXNQfWx+5Oj+ov3Sn3UasyL/pf70CFeUZkX/vjWTVcmzp+98Cf9NNrcBoAmpOVViJiONz/yPWNUhDW2ZJhFM/Ag2disRfNvTAZPj8cvf5oe4xlekSH9MC1cRwRgKEmqof6QGxd5TnAibbMMpLU1LoDylrNPJzw6O3UL4sUf/ujvEB2j3+JK/JOTwbJ944MUdLLaQed+49uLxKqqIzUNIr7jB19bTq6hCmywRdMsGr773Go0A1egmsdP/jiUTOzyJ8g6GtxveG1tfJiMC3wizEQgw4pg396ltPVqCGWgvaMKYQNg1O6uYxNdqSWAHT3xwMps3bMIOkX8gojeUArgF1dunLahHqRXGm+lV8Vc/7WFIjmnoPs3eX3F0d1FASSNLvXT6U/s+zpgE2O20RSGZmTqYT2f5U3gfBV4zGgWmXu206Gu623fRONkJxMh2z4ZqFu/pDc+88oCK9CoqEqaeA5L5Kr5DqfsGGbbAKAT5vhNIlz59Zz/FX0A7mCgnstDV/8kMXTjS/nIKwY1NFWPzqKfGYgkTsg6RiLBmvV+vOJ2rw21h0h1MAF/3h9Aw+Lo7yfhcpHro0/Tjar51tLArSF49qhPuvNFZYzlvT9qn0j3mv6dML6nkPUOiI/B0uPj7iAK+Npx0F1rzwxG+d8N3O6KDb8ZSrmuz9s3HOzPtfsRacj0L7nmgwVvRn1jcSQskgwUtmycjqN5PuatpZloAIzvig0a91H3E/QC6LAS/5dvwQQwrhvo2V2x4HPfjOuKxDAYdGDSoOlfdS8Git78GZsExZKgbHxH4d/mzVXmrIQHhpnKUneKYneMPGkLGZp+I+M0PvhqdqiK/AYsia8So+4G1UMVHEh5n1SMvcy9hPXbFhs1mzh3QD9ZJjHbJnI32IPsr0AR5GZ9qlcIoqAoiRSAbwGMy7JkfGsD7ODTA0v9rj/o31vTzp+DOPLJ4Q7pzs/rfzuxpAmW2h1m3uKAtO01vKkkdruTQpPk8fb6hnBJiizJfoXApzEzdV3orejfGZ1BYaE8TOcNJQLR1UUMA2nK3fpDEBnOhkSmuOb3zkGMD/dRO2niw3IVEZzpTrQ90Nh3H6j8B7TZb1f6Cd6EkwH2hEqS3FjVUDLcTKotfCf3NV1USIW46AHICliEXp245KHCRq/KbQAdFNEy4xiARTsUggIKx/BlxvxX97qJGht3A1CYHR7q5PGz2baPuJcQJvRMEp6z6k5hTVgH7iu2U2o/EDlF4dFetxVkBXPMejFZQCRgaUnm0emwH5cFSTlGIZ+oKwrLcV88ezkLabXPuVAiHkXoaF6fAoZWJ7AYnH0xRkMjd5pQOGlKpsmsyV9TtRNle7WowpWNcrlU86/k4xLMJwLss3QncwC55J7NID5qh/roG499ld+15Pq3QQF/CQKaSo4d+WtiiiO5QVMqvZCZ9UVm4IOI+3ycRr5tl2lHdKsldISIdvyGHzXUlIsWI8XM1XECWBHLEPUnRufy4gF5/nNcCHFVAQdqYKEvxOSuWkC+eF1gQFuy8Ng/d2SrUYwtN6haGMPx+gfBNF+2yqD00i2ZvvdiLlp4YzIE6LUFD2YeYfi9BRUI8okA6XRXMRSktLVqIOtu6huqCNZ2xVYNtL7mrD3bzmjn3OR84XUX6uczQK3upbLDjgVv+M4BysMyWzZKJUt5n8vHK3AjELqFGHoBs6nkw8xKMZlDxA+eCBWX5q8Ua5udq+RGnAdloLysCGE5OGteHqbPHjkLXWhyc6LYAEqEtbeBTO38tgb9/RZwMJL+tw7X8eVgCjOp2Ll5IXfWgnqQiKyfSOfEXP/l5aLx9w+/IeCCci+A4kOS6EKMSocELWtOzIidI4FlsUikuQ8pw+45EaL53q/vJJ5h/VblrpnShqyzDqRpCoycWcZrRuEd9MtPb7Umbb+qwkH22B+cRBNtuqKx1xIIf04LwkTxCa9MfNbIjDXA4sUkMGRJwiwypirRGEh8qpUmY3Wsu2PLzFC2SiIHNWW7f5pYn33qxKWIfoIUOoUOOlpjwB4MQA34SRutuGmg88Uzd3eKaPvmmSTzYpH5AUSqBjUnMM8mYgyUWaRCV/KO2No8G+8JWuPmTKL3XxIhfvjcL+28IjO8frbAtdhd9OQfE5Jlk6UbKbRwhHljdTHKNfbQTlimfdy2oRmOng6WJO8IbegLadv9uL9FB9jU5RJ9U06IDV8ModzXCvcOR4E2CIeW3QuSL3s4fBJfjr/SQ3XqOA2tgkHmreWpaP4f/Oact3mJH43bs1IC1IoQMEUiOYRfX79ywoFCSK+kr5FeFnPjU7PFI+4dv83lggKyuySCZFGVATadHm8PHj2YhDHcEcITLampmm0v7186KyMiP+5AJj035t7PQsq/W6Ln+01csGo/Zt6xH0/vsNv2VRC35LPHv8J1x7DJvmxcwQIZq/iqoiG522v+YAm40prMf+6cjtGvjh6Gfq3P8a+T8QSPgO69S3asn94CcHATU9Y5OqWmhdBjZKHuVaFPNoiZs1VlQzPYcreFKRAS/UaRJdOu6EIjo+o2ElXXJxS0C+02zZ2itdJ/hEhrSH3x9kTwzjdjqOZUzUVmshn4zVFjJrfwekrBjwtTg/2AYdA3xDP5s5a5pi07ZaPQobNJNFwpF6J7kmf+HVut62v/3QG2qI2ms0Ic+KSz+t6Z4xTdkOz1Hz776Ywa+PoEnB5pN3f4BKpp3XCQnolTb9Ttz7hDUxCIetmEr2WFd399WDNsm1oPlGGw4DhPGxm/adcOQIa3cx0kFcsNzcqFoVJHDzwYL+WfIDJuU70XT7mdP55Zc+JyH70oTSJpGldHdfmk7ksJY2qZXMsltmCYeSNws4WOAZUiDWn03KxDJRuKya4FfBsfwWEgsorCocdpE1YMn/xIioAL+gXQfbE8XBHgOODJ7SjdE5mU37JRXMMGFz7HlkYIaSKerFd4ZtYV7y+tZFBHeQ0iwjHSJwii/JVJflLb1jYBGNlTDUhk1ui1UuNLJAzDPveEuVPYdJpNgOnXZVdK3oQUOKPKVWu1uUr8EvQArpuoSEL36VkxQHjCAQErxAlk94jJCmIAx0iSiEbDYVwVZPLEeuHGlSZnQREArUFDDV5/mAndr8ZoMCH6EcHZGzvBRLYWDcMwEQcp1ilb5WQlFWIfhKqvcm147au0J4AUQ9c0ojszIKdNrhNKZgqCBWRwwM9rrMHune415abSBDwcz7le3mXdlsOrgqwXDdvxKrWiYKxOBIM8m1CgQ3lUGMC5lJc2hh03GqkGoKFiDSqmyJuoLVN/eupqVsHX/J+o1YLCWmWzEmZjMfRBcPB+rQ0vfJLxeJCsu058x4o2nKOcLBQkqylM4DHNVuGMk04CGtD1hl1xvYqb90QXtxVNksyi6XhVjisJxspEJKTwKQs65fv5LgwVhVJkpxzLSERYC2Y5aMQqgLqGVSjrkmCg8qVQL+R6pLa1DsLVgnkwD+M43vzUcmxS6UgQGJlfWI3n4SrAd9QiOLJ8bl9DT1HHg8GHmLA4EEhJrO/jhZzbguZmU9rkmHC7Z4bQpo62wEa7na0OThMrujroHueCUuIp/Igx/4HsbQ22la8alTKu1a6W4gLcDSSxrkjIy3FMgnpHEEicEgEd0pIgJ6Yz24VkCdGAzYFIQ0PBIK7wso2RxvA/8qgjVWfVadKdgDPGwzUIzAEhMENpkm3fnxZz/RTMEnSIjKb+9lMq5Dvg98bfLLHb5Nu/+gRWVt6/8bU+Lvjj0V9IKAzEOy5d4mOFlwg5++kPPClinJFFIpGqWwmKJqjGlLdX4NYj40Rcr2yemwjxQjozH6GX1l8DSEFarnvKEi06VOsLuMOXMBSdBRrVZJTsGy3X/dTSievHTQ6wMtRO6aU+CttESmgW55URe20DwAWPL2bd61lIqaslP55bNZl9fH6yrERaUw0yTL/+FMGGBHHpArTd8EZWrBh0Mo7YiOg6PfxE1fyth+T113gvA00y2TkDgjElNkafcNan5YZ8RxetKkgiA/5XyDhfePg2aaz6bc4PmzC8LV1DoGlc+DCBR1YcOHxsBjBOQ7VXvQmytohT6POv8ILLjyBkBjFL5iF3sr9D9RHy5vFhl2ygIjNVA5nRLfsAKqbu+0w+1l1XEZ+aWAZTNTbIgF3JuKddWTDlFMOdaLTDbmpBHR9TuorC8GB/wQVhTaYySwEnx+RyBcfbSBMX3mQpCtfggeKrtZdiX82cKtsuRcHBCFdEN5w58Vj4AixCodCA+SCy/zaWTbjYYRVjSkkmNIGpkiQ7yFS+2Idnz+we9+bbDLJxx4048mfL4b+n2ZDgeg0voi7gXm22Lhy3VuqpomRN9Lw6ZtBlUoJ+SrgsegQEwpX+degNKFz1OnGAZof0PuplVHgfAarOccyAyAksG9/ojGLWzWlr0L0oRF5fgu7tpFlJaoho5xyorwUqkjGlIrl2nNjlcTj02/S4WnBAN62RuU9u7oIsMNNSq+rK5OJmquVTdcCIlhpd9CXQ/99pqZOzIMWLiI//zkaePvxK4r4ijIN0XysMOqPWTCEGHnUbeDtuS7su+47FuQs24S2oN9UtwW43cOaym5LsQIXyUoNECzZbN1b/Azp14uFoXAWw+G9UfwY4V9MekzDPH4tQoZTmfBQEvqL8+OwpE27KWXJ7hWbaSKsuxihPwiKuFqzmr1gX5HAAzUfHlRwyu9uNYLg2mCnGnRBU+WqrKPf1uXFTP9TDfD2mu6TPBwU7M2rg7OWoCFgCIitWamjeCmVkKfEZ76U97Tw/AF9rMsz5LFRvm2ez6gqhMigPhykZyFbiRcSXE0WVXIly+rxpa2Sntm9tA16vB1jvr9+Kt1tvLobCd2Z8yf1JEwXwqK5Bx2w71ZbVv94RTECDcVmqGsI3eu7dtrDpIF1mCyJrNzk2MBVZcux8fGdNjcNd/fBKc5wR8mJzlYQ4L9aH+5YLJuOI+avEs/7V/vq1Z7EtEaaSa3aahHrDBlbG6GuR7mWcbItGIYB6pKrBBfMo0IPwPfhRYh+k6tGO3rox0Lp6bOr3DoeTq+BydBN2ecueXI3OXd4hv2PRXLlE14yrFIORHgQYZsGxRKwAg1KtHOjopu69XA/scGGiob5Qx7Zbb16I7g261M24960MtsyYlqpis5u5qPd8BUAfe1dPjM4+e7g5t3kbz/r83W7U6TXcP/LAXqRe+CkOivQFcpDpTcZCPm9dU8xXTvePuLdR/VuJQJkFHOKBuRxvMxSLNd94w2S1H98qE9YsBhS2MiDUjahrhpKo2FmoXmP6t9o15HdQpyHQYm2jkXMXD8NbQ64VZUu5C/YA/ns44f3i+IyyxlHNVTZDd0Pan6bM8t4LFRTbuOZ3oO95Cuw5BWniCD14kLq9AC1y33swsSKksJzULMWIQtcoD/24olootnyYXVoFCUkQGT68yuyr/7e/rdcILXGutdbB2AjXS1gD1JW64g/ApjaLWgTbD7o58gbqgjJ8gmbOjIbJ3wSlfoL41NzhnvyypBJngDemQ+wwMYlYG8ypspJsgDvaUsipsZ3gINu4iLqAbExKkxn5YFY/7E68iaNlXhs+2Lq9aw9ngCx7WJf1jEnUcRXG4/Xda0hiZEVCMYGXLV0qTbx90eMkSc6Vkg7ggXHYGhpDnvYWOVKu/hdvlhSnIz/Bxv8mxtK2K9ZkucaXV1+e0NApb/pWzYd2zsAqQvTTvxTA0E5e90PMXI/vqglyRfOKDcXpLGh8uncMEV6FJbGi8k/2de2UXeqiyI8vDo0qRsY/soc/0ewonCIpFzn5Oq2kaSmXpKslSZN1FZqqvmFRKFzNRr1nJqWEIjM8O8UdpuBtZyIDSJJ4/AzFS8DFYq2SSWJT0ex1wYWpgk9V9C8386emSIL/tLT2ccilzklQ9AnhZsLKqFPt1U9zdIexZJDGl4AfTjeCNhoatKpesCO7aqDeYMvVk3tnfdvtNvDLucGF3paOVHEsz5eKUfdiLbhL030mj9M3WC+IshYeUDnaVxtoOCW6cOiXtZdkOox9ZTXjy+mCBzECsiDEYHNoC8++EIVHRESXsrVJwEjmDoLvbiCVCvsQ1H9eJd9aQgvKiB0mwAn63wenqz/a9pr9XgHBR15/1sDW902ehHtpDyQwxVIJgGvuT3wzpk4q4zo6CmEJ5PB4aERnpAEIbvJby6l1VEWaTKBArfBrK2iB2mPRryh4ML2MtlxdGx/ShBe2pLkt1Q3qXUtNhvquIoLtCXTbEycfoS+vztT4TM8jeMOvwLm+VI7h558k/dMogTiBRvnTt5eWP52e03f93X4ueMDaXV6EpJbKgGFhLm1p4lHkxK+0MYx71YVIHu9NzILfPA2+3rJ7pJDy49eibtQjVhY8kERJqDMUximGoQwyAjs1ljoqBLBkEC3Hraai1GoBASaraSfp9NdHu40tAORAqYmGWWvOQ5ZV5BoawhhMpKwp4BIJLPmQ+ZIkyzIL1Fqe001pRuWmwkm77EPJJJr+P6027VbQCNOo2d+aHDbW9WamYlSShV6RkzjkI5V5WbD1id5Wuso3wCU3et0EuR/5PT0A64hc3Xj1Ys6SV8F8q6GkXUGOYwIhMdWt9gaeA1Zbw3VErO68eiFn/fnY3ORSglXocI6pbeEbWLp9U1V6InM2G9hbn148a0rt2yv97FOnV5ab53509ua+bCO+OvpzmTDqS5iRcsXWaL2HvP/YZBdN1zGH+CP1dY0Uzg5CMaXZmAGaZEsWAHns6do4moGwj7lCKd1UzRV533S4HESr9Bsg7R33DlLjTKnWjo+AjnNWzQJvjPjcsTs1h52aDRCtYiPahWCkv7MXLqVqx9pnD+yT/ptcLkmZDrLl9JugCrl0Ra/IIAaeExWlWl4p5/LrwyVxYYu7N1QpzVpTsw1bN4EEhGJB6SH/+FvFMWxmsOqgTWfiXBLj33zEOU+An0ikFVQfqzSwMnh1LlNVKCZsaWyytgtz1I7IXS5r87YcglPe5Po8kvml3MPwyxhyVkkmVB0ANXMNiDZg4ts9KW9XV1Suy6RzbecaD1cC252sI/NRnSOKDMvxIbpQDLvn1Y0W0ZkNONYiD3p0o7b/iKA3v2/ESE7X1tDQTgMafGnlxklQqM70+FH6dauAljFBeRj6yk6LOa+5u0FtUeP+A3fHdi7ytu/AvVXjNbojjj9MQg8Rg0zLXn0yCJ+lQx2/+pNsO1H3F/HJ0Bh/xroOjk+HnSl9oQf9Ic0IUMjfTcL+Rm9mOPZPiCRP2YGvA+66AVP2DceG0QGDiDisd8+6rwa3fZtHQZ/RWuhHeoXCocyWjNSa6Ob++q3Zyeiaid+DDB0+/wiehK+uI2unG6DD4wd8St1D3b5WBOjnTs4+G5Z2XbHjo81wHRdWi1zQuRHBbJ6DMDUMTdBx6p/kHDR/Ioj2DLBBAWve0udYF9j2U31lVSi4TxqvOA/9L6V//tkx2qfvtnn/yr163PFDGRyLDMCWwWvK2+G1SXeKlZnxJ4LWbkmT4arzoN+Rm8vF433yY+X7tX173BHfEGUtcpkXiD8qIOXYa7oyNxKW3hDzofr0L6KnAf/M1G2fiPYgZmFsybb9cjAZm989i+7snft6UQDXeGbDMBbwvvvgE6bXiBFi/z5hP63oadAH0cdmkQLR7pLVedJXyqKDWC/1E+K1FkexgjJxAjOazCqcfW3Uqa+GuEZGFy3ahX9E1CH/gTWl9fHHFynN6TeW+8xoEuEQn8Ty+Pa74TdO/ytKBepKMJd1jyBTkX1cHNcJw/sK4ACaCbK2BMQ5N0jmO7kfqNPu5CKw28XG7mJPb7NR6UmPBC1l0qDmG7kQcBiF5bEAR2h+wUOVpXFRWASJhIAFVoxyhGsA+40qj0aINHXsgYVRqa3Hk/C+B1hZM7tSJ1OgioYJIxG3U0S7OYU/XzsT+42XpbWE5FED1clZrVesS03Aeq75IaRuH2PbCBPHGEIUOXTUb0cGHwszgJoCQh0Dc4BVhT0xJjOKPAUNTCx01d8zL+wGJnBK+22b9znjvFKZURRG9xJsuL1bYpY1pnZz+38vmfcn+hsGZR0FZTRxKG7/IHHscuBg9Z59sZ3J0WW9BNGonTpoP63X5kpX7Ak3ISmC75MsPmDDkinEo7/2R94uTGgpiCAt/W9vn2fLE6xUEWvCtYUJki1yqYi5DMOPNaa4IQd0RpZN8l5aiGfqxtfTI/+5kekRIR9OuPbM6ZlkVYpFMO7fnx05YHToteoAvv64HikXMQQdjYikuFsYL9OaWLuOqUDUgmF12KBPzDP3QEh5vdxL+VWPMeq88GLLZLGK5i2DZvvDfC93C5bx2a7VjLqdYT+53pRBDGj6u6TQIy/adrCeOMhLsV8Z3uZM1wbivkfVNkz2qGaILuw3D289EIbi9MAbX1ulmIhdo9T2DgbDE+0byfHJkP5GrY/3255gYLzyAmUIWLvRyeFuvgWLDCdtuWbL7zWGbSvJHujZfHzFRu0o2tHinj1z0lqpTwvVcgx2Uzk9PD2bhu2wg/tHuEEqDQHHS9V878ALGuOinJSfWINbk10kCQ1esA8p6GMYNsc7w3KE5CbSUpxx0dWI1zO+u3rRJNBgwMWgqUUCn9SSuJC8aLGR+PPREHSXEuc7oJu/g3N9sRzDzz5OBbxbmE6wUWYLqVsf/wfi9feuv3+cCx60dpcC0s3NJdGO8li37vn4mfq0Gk5jqHP/S/JZUMN1ERiGu97LjlME+Y3j3EyB6RYL0yPO9L5ELx3j/33VUMA/JcqodCi4ITDu2IhgMKtK2pENjGm36nvI7GgGynXHqdk4ev1GyZMH4kzGXvVXoFGvaJ/FfjmDsyRU+c3aWi0D7PolT3F4WbP/djOvIZtJmIPXbpQpIaDSDDN2FfVFWYKvq0oUtYxP6pN59sLqcbFcsUjeD7pTrmw8upC1ZDEDVkIxVrVKARmsZUBe2dJQd4qV7c8DVgg3sRTjVaogkkk8g3dl+z11pQPViLCjxDL1EaLOw+d1CEitgkgC5jfc99kWqoncsyUllbsB7c+Isz9T077xmv+7Y7z7QJHspsZODXfWNgbf8wwct3bw2ZHdkfbSsw/Zor8OBSxhn5fzs+UJZwBMp39fBEXbuBE/5aCdby6PW5GFrt62gWukPY9/U3UT9XBBFlnuKWtTut+5AgDZ75+UXxzgsQRQNK7A2nRvq7ELlIHk1gNPJDzABS7qapynr04x9ni2s6E3DMACdeKCDw39hQBWJPesiOZA7LAHXyMM2sPWTKK30Zux21214OORSee+TD/o6Xozgni5oOVblyregnuwETaRpNJht8Mg0OJhwNcXooSp5/sQeeMFrMUgustU4YLCdUGuS3fHe3rpm3FflRgHtYvYJL7iCgUHcwcjXZWoY7JkI4YWDALKsjIbnQY7BhMFQliIqUpsG88JWYN2fX/9QPhLv4zzqszI/hObgFykB4BiE7CyRBTaJ/XAxo2vZklfRwugpVZzKKgZet3dzdQfDPszibhrlC+JreqfcO+L9MOevZ4KhsglbAXW3Suhsq94HMRMVnYA6e0w8klqA9Zblbn+Fpr2p0U3HY3RM3mm0UvN9UkU2bN6YL6YRMPC0aijZ3aHhbqhRJ4O83iXEUNfdX33z+IrXyYdXC2PpgvmM/StXbFMJ+OjE4RPO1RGQDZN2jR/AAqtIIVAego/6o5hkHqvFyoz0Djrc+gbg6QUhLrXvmThUfRivwRujzRFrLaLu6N1KNpt443Y6t5PBw5mx7HdngXnGFcj8I4DdcHZRDI+41XcwLwpfMr4UwNYZfPhta3ge/T6ynC3Us7JpYqUKwUuwTB+5uNXqEJ73LnJ46d2DjYOAH7So+iKISuwfCUjDQoxOnJ/vDnLnUbmsTxIbWzYr1aMmqSPZHMX747Ga1V8Nr+wmF0D6IpbJhHBoCx6qGVSK4tnZEkRFNE6snsiB4BNKIXjEtCZ5i1EXPjkdOnMLOpUgOFua3JA3HUyhv0018Pmb1ryZ6Kdui8qIlPAmZI8DEKgv1TGRGD95mQ6G4C54M+RMZNcAyQosB2xjFsreJJ1ZdIBLQinAfQAFkq76IkanpqgkXIiXDRD9cnDGgxcjoSCcOpOn1VaJiE4wEfcMSfDOM8lh9rEuKU7gRV0EIclzMdADS4c/4O7ggtcprbdbQFwchPlvBL/lX4e1Wh+Gy3qMoIxTKz2Hs/n83lsDFbRhKsgw0qN0Glqi1vnswBENOzGYHXw87H5yVzCVyRKDfAcvKBcopyuoIUx4LP6q7/lG5XTQHZCf8Pc4RuXqjZulk7uPOmYbIdInuwumE5zoHuRPVdfinX4r5/bgiuxdjeuJlyETtxx1H0tVK9GwT5zRlboStDKGAXGDnv5G6fYdHZVam08b5vLobyxwnPCjap+/ZiW1MsjODwKOOZuNg819NsjpKALNqy0fTJ+YBLYiEqoiu76hsO3OfRXn6fqr+UyObduZZRS43PjabbSehkjxHF66cMIHG/+p3sZF3M7s8Ct0OU4buCBqHfttN4tNZyvCuv+ql6cMbVFw4YaNW9W0XCHWsMtdcadNVbAN2o0tIfZdeRcQHL8MIFKr9wRV7r0g4rURaVDYnt+BES+Qoqwbq3Ro1C+ab2wIR39jNOUFTvRb8ghG2hG2omYYtcIZ4VOefFo78ZybihWB7vebxr+38zv5LZokeQKrgx05U3bx5Cx4zX6Igvh0CvZyQMo3zRS+BdByrjgBKyAZ1d0jZwSlDqGkQL70nwOCPUC12BEIbkZsyfXCC8pMlEWEOKOZ8j7fTK0V3ZqRRm+yyb65rih8w0ByM2PPtJj0UNT/I+EyampWLt9Z+64PNv12H+J3aoP1n/Ux7159ghUJOmEJ/wx2s3CWgBe1Z57K1ahSyEN2ZXKyxffWtQywaJ6WVkENfrp1RLUZj+otKAzoBkTxNYtjXjhTQD6cAx8gZLq6DTIUKEtLRKa+YB9pJ5rTWkFGVVTUh04pg6tGkrxLdymwo3mZpIDLAjxoxjgDEIsBBQrT53QfSMT5EEls+UeX5LqBA1KezsKCgCLzcA4E1jFRtzbJd0JDrAR3p5Mb4OlbsywcfOKK8B6Hb8Qoj26zVwN4oUru321Tg2WjGmfKGOntwWLCbVVl5wFAMfxqeDRGoU0AfkpJTWQ3jNlLwX6fXtphNAJMpqmoFlQpYqcCgoLKEVpbdvP2gUA+tXGdx6YHPr3W7Fo5/kLH91f0/JqvP60kz7hmLm006Frda1lxFIzF/KPddW+tG6kUhcHFlQoA2VbKMqzMIP018GJssDNp1QFUPmqDTBHD/THCdtNxif/dJrYZev4tW2EQpYvnkTuhLs+S2HipwGtBMtR7hZnkLoliAz+bJEmaHSiRmqylydqPp/rap2y5a/FY+UNbbjdhmdOvPZsEgtPzOB8okWm8/BvXzCw6VKRFtYvweFr/EmMFGQ7wuh4Yc+ELCvLAvLFYoKnuXVlQ85oBtViG9DFRlmTy8sJ1lRkZ7SEa+KHTprLqOdNycR6t26VC2MuKkBHtcdKGK6bdy82g3HUO+WHnuCOlh+TTmarlhYjACIvD0mIxj2Wpn9LzC+3GuWmoLVz7e3aiIjeUh2NT/RNFjxJn43vZUI5K7LYQXAjYbZaZH95tlwMxQa6ztPgOuJHB/slJEOJUEKXWVVuEpOVq8rriszvN38/a+vtN71ev92ZqFs+kFIBiWBxUqg00EKsUU8K7enFq+6USD73TbxPRoi6JDE0vchXY3v5dNBxejSiPC2yrKRRy0imja2kwVuwwA3wkAB7NPZNJJ+9OWzj25PoIP0h9v/zqh9PU1Yx7bTJGlYTI5DinC+ceK/3h2I1QytTSrzYt4sGHdnWY0GTMTkv3yhGVeCisMQ/3RpzoOvOSbs9kW5Z8NOraO63ZxyWuyV2Rm5x3tsy03AXVStDfBOy0FmVOSGbXnTrFil25n5nf5Edp+wK53zNxWLfq5vKrpKdyMEcpqmvAjNrPHnXvddVKipSjNTkW7JMfWFzE+qbUWLkJee549q6caf++mRnD2qb0uiV4Er+iviSW6JcLcsYWHhRQzyNZzURpUYPJd8Kljiv8Z8AeBa0CYDacGjlhmvIqzlupw1YK4kqLIsA40wfIQ9cSjEoIAGmlgF1svijIy/J0gjUwv88Nf0fG1kkg86Nyw34CsN/ZlovmwgRZR9BiFauwNQHRND4MERV5HsKzClrFEvZO6q1IQITyI20rmAb6QCax7S9pZ2PA+caFiP/Jsqx8bsPXT/xWI6cUhWdmNCO8p6GkMFwxyjTZ0QuzZy7bjkfrQYe4I9RP0C1Pa5vBNidOefoIQ8I1Ju5MZwJmYMAcX00whGACaoyIDaVhGR0hKx96uWYyoY9jggsMNXrCgMMNSzAoEHbnbPkgbKz7EKGwyS2y5CfRE8VUhHWNXxZru8KtIb2Ia17a2sIsRBbjFkQVkE4YIdYXtiIQYRhiR/zXrQzDbggph9k+3Bi3OoYSCxzjZIzJB07ou+WGpNlPW7E4xFPu5hxV1IXqht3+2A2uZsg4Ux+42gXlD19mm1WWhdq4Te5208t9thNe/UnsaVKD7yAfR2/3DIkP8AT+C4CwOnk7Yv7ejCwrb12wbIs9GoiTN92R6tWuSMAHlSZ7qjNMNMk1PqghkbYZUMQI+QBfIGfU4BiEt1m6sGAYeu58FNaFUQpp3yNqSFkBTZpurLHpi1xSLK9TRjgaXbZcTDE5FMM9oacJkp7ct3ONbD9Nd2JbFK1mYgF3HduTla6RsdkvosW9G4fKbCqqI+f6GsgxTmU5jmpKgEin9cRwHSraJdE36319KcAbf/t6hGhbb3TR/1veiOSUJ9UPtpI72Uc39dmb9TZgCSEKSDk76uWSt0qVF/Xf6n90nZCTsu33nCKQhEgcrx+grdNN53PyhAOeBvVkbVKjulyrdz9Ue2UdlZmNUR+lymBOYzxe/W6F7H3FThYDuUWrHzOpatPpyxSUno1FF/kC25FGdmHQtsUyHG3WDN7tNF/WdCDgGe/MIKtgWYrRhFHTSdse77Wyk3xkGqVai9BrDVEHZPhpJAd9jTAvvK7csBeY5sUFiOSIGX8BULOP+sbVQOueYy8qfcX5+ClRnbhp6QfKsn6Eg9iI6CXFVZj2rrsAl7B4nRI04RyaKjdaKCyL1QbbijvULUCommHa8PEMxrXgK18st5fmmAIBZgR9kyvpTXagUk6t29n5o6dnPJK0rYrIJHI3ZfZkakpMJU4ttfycbM88p3TiZE2960LtNuJAUWx7ZnFFdltH0vD6TLj4PI5uSgQJqQ4WUDqBt1ULZDWOlYQRz07EA68h1/3IP+x+e1bFdYpvylZuClEDESVTakgEWkDcnDdiqgcrKkTQCzBvt/Aef//ji5GemouQxrRmZwxmUJqhMcLS3lqMC5sIXZoSjHCUIdXGKrDJZM/LsYEMlinyJ8XP+VVPe38SNdoumta88Sf9G/nHx0LgGnjNr6/Q89rMmwXyVcoYfWcek5V4GVyrYoHBHjOXBSJnQy6P6lhbzBT7R7NiqyxmFVBTxffRoUI/vOq1e5RbQlAOy1nIPqubwZsbnzzp1f0NedRef6W0r3nWpaNhMTfMR60p13drjDbYVsE3+1d6zy3U2+QaiJgl0S7pjUiKV6wXlEI9JOeLnYYPUBtv2EKJZ6Nv7Ss3ek/rNhVceglYtDogYb2/804onJFZ0AC3wSsitctB8TSTsmDJWeeSSavF6nJ4N4iWUzEse2tRiwnFRVG44kCm+PLALjTS0jkRb7xei3C72uEoLRLazYY4VJbgsINx37xVTDD0MU/g6rxWGTLStiRijgdWvs3k5oywsNtE/JOW4JtDvzAwh149UrOOEFnIhvbo03Q7lr+lOPoKfI6T9ohwyXCABN8vvHKtVVYpti9UUSsbN1vbRndSYJDIh6cNXir6mFfb6hKCCwuKBvswLRyQK8FNOMzRT5YAZH0GIMtdrbIlAb2JnU4Fq87UUujZV4a5ZQjAlyzpzcYWOaTnEudqG+1Qp6W0cbL14i1eArPE4XXYyw24GP5gUK8gr63n4/B4e7EH6Q8rrJt47G79BHwG5xqqMZW21aaOK5GOT92jH2vcTqmGQO14OU0/o1/2nkhPsgNlIergw10NiQ7E/rLrTAyNj8ClVVgPZPM9FzwxpbhtP4nPnHp+LefRWpJWTPYt+fuOD1swL+4zENhnBki/ABiGLUoXqM4gQHD/NTW3O/PX4CBBMNqgWwvoI8Z4+3mg+6zIAw+JurEsBasAeKjiMUa0hhacv/dF9NJho2C1cLak6FWKEmmCSEsTPzyJ26PHsnBKPglemnPOwNE+jnggX7ftqKnfLT+WN2NdMXSIhoiGw6lIXcO4uRErCXQIg6IEoHhMuTLx/0XEzi7a5VWH6KXyS4c2geSUzSXxEiW+2JrD/dC1ClALo1rnkivvgpH7/zttW024GC3sfTF6w6TIzlo8GEZOTVRplrv4juxnfG+BKLzvzQWCspyVAVRo801YKpHj2WU3zmmVcSpfeagDFfnCNw6WtBU2ZiDln5RVW5nkVRSmu8oosif/oagLDsFcd20S7DgNDrAhRzhm/+nHVV3kTYFq1T93RLafkh5FExg+uHj7i3IxloEFmf4iW4j6DGpBols83q147QljyXoBej/A+Yf/L4D8kY+HuXz8P6rNCA9Ixu8CyfHf8iAGmXnAXL2pLB5yG+DKeViA4NCka+U0bAmL2lLwlCH+5BEZ8t8xaOvFl9tbaksxIfWfdEOeclNdLEvtOZPkdTixwFLJ9O/0L6Y2TB4XcprMCBv4zowNr4PC5GRMq72W6EPeIAYNaeAvwdoTICaDcaT40H0lMB1C0itkwRVWFsULtA1aV7ZDK/JCadU5bkay++94OOD3TbBnF0iHPgPfTSEXU6tAa9T/zpFzmd/+WxvLorQrajjH+lbdd4rls3/5ILKgKUi5xv+Q8sJrsylLf+q95sIXZvSYaev2cRWXP1bZlOrUacXM20zKzMgbNQHdsfYbkGuHO0E6zgYqzZgRsyHPOCz36MUx0vSCZxxEZiCgW1D0aGIFGXWBxduLYHlZy/+GuiNbgDxjffZWsuyI0Juu8YmaLzzeRPvjGibD5xylj7uqJhqfxj5+aXt9XkWkaNiidMaH7Umx19RWk+YRBu+qfRBOKlD3LDf/sHvTgFypDmOFMWipMxtj4eAI+SsBY29o548OY1vyx7dHnkNdgEJXLWurboBfaGdgM/D0E8CTdgHFlRshyRiAeiJ6s5Gk+9fuOk4BQ71Dsm/RUqqp3RzQHAFR781fHHJAProluJ01L9GQjThFqjMRj0Gl8I5sriTNEEq5RoOdCNz52JUzbKepdc90c6CkDEKlZGdbv3QB6UxZwOB/pztGuCdy67SPGvO7+V2g2CW4GIgOEc6A8bgY4gOP0E69U/6dfTOL23BM/EHCwq09PPrkr28afKOjk9AkVmUWwUIBY5aQVlTTZCkf3j/9Mz1EFr4UAJY9w9QPlkiFlw3NTNPjfJ65M7babeTsOlQ0EghARXkqYAM5eN7MLdaaTQFp+h/1O8ikbwQpLaRy9T57/MucJPdsnSj2s/ZOMwX7j0sorNI7cPXZQtJp/669vJjdAq/ucdDjUaWK2ik9ejevU2hX0eLLgCPwczWmixb7chdrSRgb/HD4+cr2Ejuyxa18VuaYA1564Pzh1x0XVX+817aMSNt+bXs5fQp8o7X1R4Pv/ysqBawYk7FMoNlo2tWftYbPwCkeGllowlRkDmf33pi2xFqSeH2qId5LV5Yd7OqS1ruaEk8E/c4VQ+m3ZaloUn/r166+u38DTnu+34QEQDalqrD5Ri+AbuzVe7mEjtj5XLaFWgn1bSabGP3j/6bBfb8+cNbSc50PHRUKyzbqJWx71znB2oOyyQA4/Ab67mDrRYCg8oGuxJ4KwuyTnSC5JKu1KqthdFKOSIUSwTITEVmYDaP61RRhF6tujLowUp2CAoVuM4923Vt1s43jFQt2XL/Pn/JmlJFLMsxBTotd8oJNIO5VrXMPz69/SEDjWQW9KJm5XT9E5RamQIkupgfkbs3D9dCsbfXRPExf617BXtz8IEwgR99c/3xmy9vzGF3MSa3qUbSkHkBSAZATrbNkOUjqoEgJj8OoaPPPL1VmN1A8R9zA29dX0QXek6pa+nvhpPJSgE+b0Fv6Tb5t8gQ6RpQRyzoiAhrP2kDtvutvZksVg1VESoYBNzdVsoUbAMrZZcSj//5aCOuT5dsWA5Gna2bBvvE2B0GEafbru2/Pel8Yt3uw0KsdkVFTwqwlCHjP1T0Y5SFXMnzPVrwMllg+cG8k4v+Wf8rSlGA7LPhLWoNkZxThcFRa5MoKmVchS/IyNNO7xdedCSsGoIC2pLeUEpk46de5tXDc5cnWQNud8gWSC+OHJDPf2np3KLZK0pUP/IjiAAepl9HR7BToBZ1GtBU0PnAsD55/TU9fOt6nWHVjJYfSv1Bl3rxYPSd/J0eaFmheb8686qOXwi0rIf6Wlb36tIV7Wp81Qa/D42KCPkrrdNxMzuE3cscEWbHu9W1U/zMUXWGRUZgVNSCPke3Z1j2jsYttkYwfuzFtAkLfbEE/5xuYmeCF7Y8GtKHpzvVgyz0jV7n1Rjv634HmFT+ZmU+i+wOgYnohD6untiKE8RgwfPM3Rysr7MEAoWmPUlouQpKxoWam/0HWPPwUrO6k4ski2u2MgQ53BP/3nq4qtdO04x/2NKQc58fWelcigEuF0LgmXPzwcm8Hq9W+k4HluLF8wP0v0Bzsm4iS2fVwotK51J118StnXUbmHl5GrRFjcEP4G4Ps+4vZx6vzml1mbZk71gPGDcaSvhjNGm9FJBQrUnFKnpYMfMLdlvjJbmBXfb68eZc7O2Wpvz+7nPTV0pfX80FTshOT83H5/95TV8jZM7czg7VNVRiCBmMYT6+MezCVuAJWNA4L//ZrUVXAetTvjSjRmMFZQPFKZ39iCTj3K8GrMYfhwEceKmILNuxf/C3VlAhWSRPlHwjhIpXli1UOtxaW1906P89a1NxDqUYQ8Lsk12c4f3MlCv+waN9Zbb81RRlm7im3ACdZu/TNXj0kPojXYA75G5p+6BeuLmPwSLr88OTugvssrMcvZCHxB1/pKz2R+zxaaybGzk//tdomHXt+rdwmvv+P3+Vnb1aSdrYL+z5oWuP2cCrtlpNb5pk/OSp2IwHfFyHVlGxrR22aoAHWxF6lohgnXfrCasPu05K8298IKL4OfWIuwWy1KonQk88ICuoWVfaZnJA6P7y/gEbDJEYn/pd2VP08u8k25kNFpjlU0zgioUOC71dZbKPBpfrTyQX7ZGjebE+/bGvP4XM+WsjYrHI18k2zviWkPZtVcxU0y/nlUbPpH18gl3tVMWJxvBq0CmnFPca2oAqDTXk4pyP35LebIRcLSOSFVrx/m5SMXiU83mMw7Xy/VK7CmxH+rpz5oZxoqg+zmOwInwspBirGPdTbWjQhhaJccHlj603yWDFRVHFHAzEnCvnkofTFhfkG+W4Aq6zZ/MF3o4srH9xsw1t5AshS/mluN/Qh7rUxEklWfZqJ8Q7+bCtTUCqSjjoRX1VQIEnpkK2n90ojsrAblC5C1ndX/ozFFl5cuf03NiTBcu698dVpprhihgwesqXnsFGYWT89Toa1tyWD+6/WNFKdopwUaJVjAuNYnulA8YO+zsbzKS6Z/TYxcKGPtQ2tHW9ZY289RL5UVD2WyJGTgiVSqvMVLnabLn/ulJU7A+Lx5D06C8rxoafMpmQp9nIEGioV6wmujM4pqaJazHleMM85zLXEoQK8ZhiAEFScJ2J4Yt+9KtxOCNytILL5SekSw+3YyxhQNZmBAhS6xV/iBLiFFTrtPonF0aQ2B3xW5dRH7bxv5eMnPxnrL1uZYUCFrLY57kGNFSMKg0FskZNYmntbOJJifQNv81ehs1NsfcltJ+87MXznFO49MAHkUxTbEBngKgGWtTHxjoGXELGKTLPlQEbD7sS/SbuJm4bUfrZE02bC2unrTC2LMQJ4IhyPnRAvOhVosQQI2qhXG7o6PH7S8kpcyulmMzwtShfrZUwjhDWykH3uZfAtf+dBnIfPXvNjcgrTmv0z+svo/aCfgqv/mflVzLytHi0xcjZttqGhVGR81Atvqlv9UDTSrn9geOKzaEgy1akEoj2tH0cdnTt37yOcr4bQ1o03pF2R9JJLtnZC11h2nimjUXNHFm/RK+iSNkV40sKO9ymLLmz+F7qYB//YM+ASqmvKcS/fV4NqOJfBxO76T+6qSlXdjZMhr76PV/+QNC6jpIAEwqfVUD+uXULDvOGNdkdxLi3upkbVCVWVmp6bSTsJYe0MFssy+RWZEMDAFrxoYHHNXiKL1KHqMA7qo12XOzRXsP8jL3lVdZeQDgFWjwx1elLh4CoxRYiwgduhJ6KCaHCPwChQt3H79W3H3vttEuTn6iRB04Yowk1kMQ/whiufeWca8AuAcFk+APSJSh3ZklOVhc8G1y0dE9YotGEEdiieCaaCuUOLdiu3ViQcnkAe1cLyLGe0Q17Azq9shCiunZMhl/UC6JQYzRZ9PHCkZX5BtC6AFN/bKledOajOgSDBAfMer5s1/xaXE7NWPdt1RtPbm/0N4AC+cKKS/N8VV5VdIyiSYYB0MDOgPbQkRTD+q4fLorRHYHd3uSGzIzat0tcWH1cijVXU37RtTgfxdW5XVMprm02tlNdU03FBgJcPHVvynnn8OjB3ykIzO2XFIr0WBv/itvObahnSRcGHygbyhbIJR7sZpWR6f/2pUk8utNheU19MQdtRKyShBW2d6ffv3iuY2R2DjstVnIIy1PGgB2/AbGgeuVXmbf4uLmCVIEUUebtqfmjYv1ZnHOLuAurNUmH0ulwOVg8TZr+HkWwS1u92gF3XDE86kPszOmmNIKvvW6/9hKbu/au9a2YsUxeTkYYBsXV5Rp6ruqaeQ3e2TgYXkQC55hJVa1lKJGnTAltQBwSapXw9cGWoqUK6KFasr/XCJRDX+GV0web27g7XUjFG/EkxhjTLsVlUTxvgnxKG7BxsFaK0ZJ2VB4+6BTIN6rzvXmjsa5KVt3sGRdQHUN1mhdiNHa4osTzXQLM23TCa9ugvbHDUobBmJ53cCMdjK3QVCt4i7JVT1AFUBR+7X9fZzs/qpg41uGSS6uSyIpo11cyIcaaR6cZTTBFrd/veh1n7PfsUQKWp776Sh4b84QmRfZws794a/OqTGlUUF9Zaa1kb/xxMhRsWD1n01oDeXEx4eH+yGLGQnmU12s67mUObZ7dXNjaO2G4qMfozg7TELeeVpGH44vr2gYIKMe5LpwoRa0RCtslDkPQ3d+UqyzMQP7iU8uaVqcWy4Mz5uCUmXgMCAmMGZCaAhQKZuGRKVnWNaYwstZPg6+9dIxuLhf4hs0L9VUMxH0ucwHqHtb6SEPyb5mbej8T6OhbhTAg+tz8IbhWMpPqkbckOZx56ue/b08glmWyFYJolGUvP5gFmJFP4Mo5tni09XiWFGe/bh55ZVCXQbc4SvddgbCBWhdxpWF/qfNm8AeZmHXuCTTx7rpNOi/pSQv05IV0n02kIse113p7w9dNtC56ajV+/jkI8kjRC5KTRQ9+Yok1k7iOnifDlXmIdWsd55Nt7Mx3L+H2i+7O7IjHvRE7TNjVsJbQkToyJ/IYICLIQpEQN2oKBHkPe1dJ7K6psnPHroNrxxttU8vM+wo/Kjvlq1cumwwYCuevW7BaR9wI0SDnbsA9B2xMnuywP38HwkR5QSjU2uNC3xfmx1bQSe43zbWpGCFFlWJ9Wl0mUsYN2Qm2yfG2qwrhtPeZL5GgC+kY7hpB2w1cNh2Z4nKe6EE7qDdsBKLkABtmeHy7N/rhxyr1byNcDlylzfpVWoOzVG2welVFr0BEF1/6ZCPmOieAIOnev1wZvAEJfKiDTQlG5ETQe8J/xE7Z/Q8Wwm5j6Mp9kMFaDMulhOsibYq6Q14FuscUrcWUrEp6HnJs9A1UDE2BY1i8lqAMKctMHPY6MPezU36SZmp/Md+hMTZIGhjEMl41hW6/9859o4gte/kIyST8UdLcur9YrJcwYUpRTATkWMO69vWv3bP7eABKtXqCLxSgrqjUf8ttDFhkmAc55zngdPU1Ns0lBfObbxvN2iDXJTBgBSacZ2GDqlURYMQMnlbwnCI+k6pyRczJ1RsLL0DDfhCJsRTJwCIWiOVEykg8JtF6wLOsyKSQRXS0ORgSLX34rrwXskqXAg+DypZcp2roVnwGKrjbYchxfHUCk0+GxxsdxBquLXeXTw+5MEfkLX0jeMLr1HfPKy0gyy+5KsyxarygByDim094qFL2ekVU6xgTe64MWhBCFOg7IsZNMuuqWVUHMt+Hcx5cN3lb2ei4t795OABfTtHW+K68mc748oj09RSbfGHV1d2XrN7pF5fjiPDolJawXealsE4aKhOlg4/K2f/syLbOAL+dCD3xK2L7m/juw+5F5zdl2wu4eKLK06LeX6YoXiKDKsB7gftBZexTejoCdt+1Wn3CcqfxwS3GOH7stTfAxaLs5h42K92tzKbzyPk7652FwWnlajqAH2HaWCiryKDdodmr9kqyVF0B0G5kJlxMSldc8tb70BPlCUGqhezvTD3pSywUcjkA/JSFvUfUzQLJlGtYiMkLSfMT3mr2ArLtlIq5g8GneoiZtzv3wkUAArSmL5V1rj0ty1zYorv0P1Q9SzCTvU45PYgw380+euDRr7fwa/pMWgIdQXz3TqfTtlgw0guj4NG5Uklcc2r/W1aoAHpaGDYY8KmVNwtyUqeMMKiJ1wIJykWSHKNjleacvahOPwVTu3Wg6rPh9hqTzi0LOaoVGIzX4j/2FHCzyeIvms4Qv/YWo16pTQnXAP5j1WRx/cuQfXU6gsvXRfvvvhpvTP56berAAiTgVU/pwUPZ27lSHpAQTZOvAJbftlN+r2Rn3q+GRGsy/E2Cs/RYOErfzcdbxlcxu5i327BTETKNKCiF7GsN357iTir3VjEkSQam2fd2Sp85V6Z3sGnhnOHBxy3mzzhLsi3asvVLX58P5d1y0J2GnaTD0BfU9+SkFKCv8i6wJPGniB9b1mlwHTRY8GFLXK99mZ7OvYOt80y/08n6btB2fPfrRXNvpzfm/tnQUvs0sEBaBhZiQF2QyqOm+IRTiAD+Cu3NxsRHT959vkUn3c0FWP/i2X3MIco0nQAY45HShBWyL6y9gT3Y98pqG872626I7u5ZOTP9Q4wLUyP1ltdNv6M05TkY1u4ZFMa4HRQ59pjJIgVy2dRgufJzbSTKvMtBjpKpLhSW6gWVWDYoG2hxwYURo97WUcaUkCbL39HaessAyIVEHEsZE8FbL6qno4zfwIhlI5zBgJheJlhCX3lzC+Avah7pRJeQ/YVu0X+IMb70pMWkmAJj3dnaO197jw+M43hjkykoApog3ZbuBbkFJLawtpDfpMhD20CYqIw00S1kWyBBm/1eYQATQEIzlZPy9/eanv+qCuQ1zsH88FqmQZwlFEbAmFLKA36/1ELO2N3hXVKj4/YaEchNNtd3GPDqj6/nvhfQOWW3w3BfJNasuhTQd+0NoGZUy2TK/IEoIXtI69mAyI6Q2FcEQ6ZMwbGqSmlJBWSqHtimYth32fXb2HsI80rC6Zih3b5APidjVIzErw/ZcraQ7cwcoPVP1mCWoWoFWQ1CW13mn4mz6iHdZ+VEgDUWTpDJiJmBDlY9KED3x41nitnEwizO8rnAPdKtmDkhigzwTb07pXjr9i/di7fZzS0NTFbFLqyO2oeb6Lmh9yoNuPZy0XuMWvvCg+0bwIVHIsvoQsUKaKVx54rkLWPcB/DEFwwy9YnxMmKRqjQBZWnJF2AoqSzHAmjuWGmTsHFg/iczfWvkz37Hv59rsr7uYEWpAlQ/yHbgJfPuGGWeedHt7YNA5XdfiMJW2QzaqDHC/+/og/QjgA8HadYEv++vvpjJTlXPI5tnJ+v/ONuTdBQqgeNwJnF4o4cIHI956Av5qoQ+BO2oLaP41NE/bpMt1uLrwYz6m0iUOW53MzNprBzH8c9ufOUzszVZTCzdnchjJmnFp6BAKQkOekrN1ym4Uv6X1wfYpcHmaNQA1++JgFbqOi04je+ULmVsbW6NpoVsAG2bWLsICRCKndqPUNzUSZIWadaiA14yP+q6G9fQdfLsKaM9u7miWsyhJxHuSWXNKHk4g77SXmDuONv2AlYJJHtqn8YGw0/kGyZRCw5A05G1AE69l3pIagOBG8dNqNUrcgVVjsYb+wPwjT8pYY/ZsGIqY8/5pk5n/KLQk0WpNgMYVGSKVeqU2n/6RR07E7WGcvDgnrdPo8/9QTMzG69TmD48omvIuMmQ3fKnfqGRmx/5bSxZI+s9xP2tJ+b8W+zoKIHVmpeOMfeEmLsf/ROElQyy9GP6HfUR9vKu67ILa8f3O6jsWUw5qNcTojax25gywLBau5FDUiBaBUiS30X5seUhC+uq8ZqJOrqG+iQBlhGEDvy3XSTp4Z3EBTOrKY6AMHYWauCplufK8iF96EKKGIyrNyKR0hP2Akh0mfrPPeZKfx5WWVeXURYoi1z6PwHs1AclYFoOLr7qzuF/AJcyS8BSrN1aPnk57bYIG/2ILVzFLNQhXmeRyXHXstrWhRk3Tjrf9kXmRuB3HeA4P/LER/5hLkg73U5/pl/r+TEAIEdUwufgBmfpl8ja8rc7Q2uNSJu2wjrRpi83n3CiXouGZ6i9yrthJzgX+tZ3K/tK9INfwRVJbjuRQJYyCYgH2Yw0m1hsoAshASTOBxcjGH31B+2Z8jZ+hAHvCrC/+R+WUjsq6p3ffiA8QuKuUstWc3Fu7uLMyNCbm/890m8pc+i7u5cufXKd9YLcmqdXv7KGXyvZ/dQ3jrT/Zjr4Jzw69SoFqPw2wrVffRBXBF3Cgr3Sa0wIsEek9Q3GoEY4YsNBT3Kh4afERGeQ+OMXluk9oATrXvUY8IXVhIuY0teUq1rNKbCOztWuCiE8s2mkbpVGrkm+8in/3jP/aFlbOLegsSzubGobjfQwkXqg5Te5j0mXF6eD31gEv/ff/QHnoa9JrZsmV6wVH9DOY0ZuK5jST5e6NC/VgMuz0g2g+CAhy7GODuRfJl17olFbY4ADoUcDAI78QNiadb1+Ybn/dvhZ6TXI36M/BP+h73zjOUsRW+rBZz1M5SA4+t8GpfLXachaVDANamqE3Cq04Ti+pbDL2vLPibaCe8OY9z0AKlJ9lkYjs1wLy/+luOEYnGw+fB0Rs4Oi096XP7munwmq7juDtc7fAuPVB5HbPrVzsnN/LXDAfav3umNGgXKoWZqhb03WBsLtG99dOdwkglMtti2h9oEpi8qbFtxuOP951DmHXQxnYp066gKEjwAa7gIu5NzCHiiZrd4YuucELC2jwq5f3r4wBD57CzBD/jZugcXc3q37XUffpR9FK7kXvnff70LB3eMs6rIfCOnBD43LU8oXxUX0LKDXR7NyXmJ5RhH4jGqLG5gokzZh6o6U9Pv8cM9oFV47MIlvYnXkJ5TyAnSfNwhNsEKAwItYhEHUdhzECR+xgIkmDFQEnoo5jQGSpTg/QQY47++TnNigtmqHKhDUJzmjbBFDejIEb5nB8uIk6Bw1THM0mLHmxyv+e5okeKPcgq7JanoWXg8/KNaxL8ZutBkPGwkilCio0fugFGIyak96Li0W60jVQeHoJ3ckD61eVLHmYg8qLiYvT0mWRzWuiO6Tu/Lzpz9rfPA183vbuTB7pvH6Bqa13jr/s9jIfJYJYbpkTuGK7IROd+USN9A2/WFpX3wsqJWffTJc8F8dSzG+ZWrjVhzE7JuIpUIfTvcZl9rKtQ6UpOsD9XIRUnFavsZ+spNp5ytCTQAa3nBSb2gS+cIW0MDjrbflvdsgbXhppa+aDzvB0XS0WAHI5RUg0PYuN7A+RKduLm29hVFdgas/OTe/2kZUogNW4oHYf1AzYSo01kM0m5jcvQPJUSdvubr0qZFwfjGKjyn7ZbtHg9aIMUIcB1OFsm8ql20M9PGsDbpAwq3JvvN9UwP0rOWmjOzObkhV8LDp+WM7BrmjJmLpsaWPXn0aktGSpZx+QNaPQTvocIJDrf3K3R95A8GWC6zCSfWGRtvsTH9V2nrsRpu3DvY0Jk8mxM2Xsr56M0QAQn7Zddp5/gLMs52gey93Hc0WUzdEr3z+IHdDQ+S83s4nn8BDp/7TfGV7NWLyNLgXu9AxdxHVI0zM4ZoBIBa5RYOTaEw/lz3NfyXu7f0KKXE2EUjov7+1ENQqD64cWffaZeDAc30P9loq5Q76DULaROD0BERlfvetUg9euIXIa4fYYIe7MlCI310ODsCLpfsx+8ueiPDvRI+7WHl/Tt9DvLZQtQX/A/pyuo3xS1oaMzWxzb0ivViiRIyV/xtqphUBy0i93WM05O3U5XduN87CGZ8L4RKwRs3uSeT9gZdS/tnCN/kcxHU54P31HRPtqZO/osoIq1Qt/ZSos4adOfxZB5hgFPg8tkEoqA2fRmHkaagicYTrZyAxsQ7ht3I8KfV+RD1UjsGUjH/wcJ+cwpd3OUXyXC0HYKpWZYwFmT2i6f3CrideqREqBuS+W6UEru39QWUY3ZUBb8pZXu4ZvMsB38C78z6c7m+nO/M6o6HH/UzIBOc3LnTPFlGi3C192MnOuIafGnTeybfg6aGvTmrQ5lh6K3Y1+93arMZqYKdwpcIwbfH6zj7gDE1/RH5kJ9ARiM2/KQnVTsG8l23AjHMSBUbpSPpwBbNbdTxL7gjfpQ4Jpmqc3U/eY2t7om5rtZX2EAPYyRYz2uLJRzkpfhaWe+iXdZSznv7Gika0SXdSOgSWGpuXbdQChcEQybAlssh+53obzoWbMUa3EL+yd8Dsjb768i4Mzv0MkTtfxf5sXvoSxIL8UNHpPqzJXf6oFcg9f/F6BiY+xvfB2VzmgJfdeMtKhiw0bfUYGdBSLCTUYsjDyoHEz+XsmCshYoOWw8XL9lPxPYEhTVCW2mFAWnlQ6+sk9Wuod1Begtw/OO+kzAsQB8m/z4zCa02m6ciwyR7k8s9B+6FPvVPowC2VbtS6+Jb0dWm6F+wikjmIdsXvu3eBS7aTyCGH9y/xCQ683ITZZJpNS3UKGS6ee6Q2gyrGfydmR2VtNd9ozxV16pmgGxXjOqD20IWtL33YdLiO/8+sJv8kWqmMxGt2CJ7JOTjHM33RGzkxgfuxo/VjaIckLkBaXW41KSoeUhyFD5V/n4NmF4f5PFJbkmEtuYOrbjm7nwddnsMbW3DdP2gh+g4HQWv+HpgnHftj+ao4GwBzCkgG1Ft85Qamsi6ECpR0ahxKZusXlqZG5Nw5kG2yeXLBofm3Tjhba122sViC6ObbsOt4FM48p5aUi++9Hmvlv6UvW1i6KCUdnsgYtOffT81cAdGDdC4iba7nipcj6uNsIwRjlndCROxRmMQ4Tnz36ubP7/8u7HV8TmPjCkh5kyJ7/NwOvgoed2F2xoU+sklWEJE+HewIm3gbFJibgZzVYhsWkr+wrgy+LaoR7FdbHUaOLK8TAvhd33PPK1H+ilzIH7cZ6NCiq0KzzXb2zAPzCJGjXn/6J6tYzRq/9EJw7lkSIcc0h7xlNU+nFQ1vvJm+F8u+bF/Evjt4+uZX2fdI6hiFUIxTZhKXNchAFQpgHs/+FyhGX3KKeo6cxfc6/3hH4nyn1dlYX/IJVuVWVtJ7gBwlfWaDPBLnKzVunpMVN0UCTjF22sP/TnXkyufyK2PmQf8lI4spowOOLTL7n9OKIBfZRCZPaNWNghdLtl3ErJ/Cx4z3GLlyCbC2UNKu9OFG9tEQwNo/Aa2vf1dev4If6JU64WZuTo45q5lEbW4Pt2/vlIAlH5ZCWGO8mCg45R5MmzVv2h9Y8nXlUWlj4utqzFTVKTFHmzWElJgOXQX4z+2+dO4TkNw8U0QEjhYWJDAPP92yb+zsHD00ZcKzYavNShjlS3oXDr6NclqzFIWoVZ1QgRMkFTQ28sVESVnAho+SyQ7TtI+fYfFvK4aoyyj+un7hfNj5LOD7mD6C1I9b56B/ISQmeTmmYYTr/+jm3ZM2S4CptPnd65BL8a/nAn/Nt7QpSzn+o177Rf/nG1yi+fAxBUEx0n7ODH8ouVcaY1PXhKKRxryY02Lxg5ov+q0X4Gb9D22g2uFnH9jtz/75msL6NqbtbYsft0fGC9K37Ck9D2VV1KZJRKQjcnICTFUJDUZCPjt6BaGuw/pff/zRCF9CqAaDEJvKhaUR3opCQ4wXW/f+3pMRmla/+vid3fmb9dfc2v/aaVwnvRjeDGx8mWf6B4V1ZI3c1w/bgEl9pVavVhnyhuZF7UsvDlfGrVPak1PEfXf2vPnpPxN7gYWU1rnmDQ6wxlbWwYJKIEfuWXVq/e/5HyDwmJW9wP+tH4hntuG233wHRs1j7TaQC34vTZkZmVefC82SizCGqYEiQijDMvHgYAE5+R3+piYL5+6Yo49Nfu/+ToWF+2yhEZ37OmXIfePBMPy3SF1rH9jyRPiepHk1meL3Ec2i4Feavifkne9dYjJ6t24vfu2gopt22eVj+/dB+eoQWQgdArJi063ve6KrYk/06naIFo7cOXROADmzXzohWLyiThpxp7I5nSfKM5M0ZPFtedg8AfNm/dR/MFzO/Y54kvLtYUf2n5WVZ/SpONb4UPAAD89H/nmyDUXi0MqjlvNiXNkELf5Pn7qvS88hu6BRSMB9YhKrI0XdAaPlnS8F0+gVHIEB843gF3cO+fWVSqFam8F7J1xVJjxAhpKJbrCLp6aUM7j+yV/7Utkk1lvBO8igVAm5G1dLuzXWMgjYaGyz7/R+/S2AGj26D/Dzq/cTm75/ZWOphFIMXlw6pR+zHJ4+Pi6PpqDsl8uSzONftnnBRCjGT2Y1Q1kclMoggsbA7t7iREkBT9QJh5ru16t2mPTxuU8WVxdRVtb7r/U5L7ZxPU8JyVdybdjspqaBEHHYYiN03KIllk5l/q4fob2LKS2CffxYhFZjHSPxRJXkd9g3itNrJ8HjjGY5LtOP7N7tyFLRRXL6P+v5IF//xb4yqGM4TI66a2SdZWu/9NL0fJSCTiK8ciUzLSKsL3gb+6gPiH1AvX7jvTBzzLW5gWS46g9ADjA3OQ7+WBO+Z+oICNqbEkTGvP/rFch93we+h++d5sf+PNYaCGgTf3pbENX4RBi64RW3ILZqocwrrpFBUVtXhuyS4+2HtAh5seZ1vohDQqfbZ0XS1kSOLptnoBCQElGWFwwmQnpCx/UYkrHgR0AfrpYhFoklSkUfQYdxDzR8UmES3a7efM2lBKuH//3+SYo5GogQugatafm5Q1zE3RxufBhDhBAqyxdDpvUeeJcsu8ZPAhbBzxAH/cipEp/+i2J/Kpd5p6BuRJvPofhKkz15mXvezOXV00YTLy8z/NCFYwR6NKJ7LhfB7G5zuP9CLWigQDzYVvuA3KchfxYAaPPfyB3eQGLxw5qbglKG2wwC1L4tt2/5EJ1lxKNThZL1kWUw+3TtvYeIFP6l0L1BtphWpyS9vCBkEPAVr8I/lGvL8K8xlDqmD28DVBTLlsX1LSkPqHxrBkaxLkFi0deAZrbmOXuekCrQy+/Dkzp6aY+zzTWsHYGNhPPrDaYtX8vbzgl7vK+7/MoBDzpdH6yM4FLMHfKovV/D+Ai8C2clkpyFIBz14/dvyLP7qJ6gxcCpD+JHFlSFRJuTZU1BWioXttfgrOqfvzXKjgf8WgDvfrxaYDM4F8u1hX++BSrnGxHkUpM64q3LiOl8hRQTwIh1LKKSZ7LegEQTnVBevJZyEjD1HBArfDmJ66EsNld4QQDVdZOBr4brhw+WzMfdhupyQJVgUqNOVskmsCm1hcGMT5+5Ozgh1VMqbgxcDCOpxM40mswGps4ShyUr56Ttqyc9ULK8C/barhgqwg4UqAwcDu3vLdNrnOLnD0jY2e/bN1CZqRHex6VRK6Nh9IipOOAevpXKRSY8rMYBm7KTHTbBKN6lyhAB7eqfaLa4Balimb/zjAiOi1EhB21/WijZ8z87ysXvSlKcycrelsmUxXOkAjvaOofLCFMHesCAFzL7d/lIzC/W0YaykcpjMEtejBrQ7w3sZfT6bfHvsNfQrzkt8zBC63gVtQpRltCYPWj2d4CZprqJpE4Nt8l0+Q9Gls/dYepgsyvt1bfYT9GBMPiV57IzwJFnG+tUj00NlCEYqThF7nLw4SMwoKhptgV0WaPkwiKmkq4dTn21efBwaiYd5Ob/Y8NENiGrXF4iZbq1HXWvPQ06J0yrWwSgO635rF9dlTL1sgcWtnuKV4Av54O5x5d9eOd8ZHdc3NsS0QTn6hj78/9dWnLn8PEXKs+S3WwWklsbDZ5t+wODqu8Mk6c004U3C+dnYWnn8Pnm9+0gcD0d+WWrSjpIn3r1xVY2/kJ87vcLXMQe97/xCA/stWZu9lAWeSI28qnbuMNPG6y8WjyPLwCxmcoHSA8jyHHmPMRHO15iWZQlx0pqedmsjYutHBaI8vxEt7V10eu9wRM879fzm087XouoBbPY//ICZbfv60JcNAFjjLlvz6kBuKvrpBoRlv1o+uG32YQRwu4cx4rCU3L9QYQffMkiF+6OnBzkjfNiA6538FHbBpr/5oCDjY2ecRnVMUJ2hRoVPneMF1Sgljn6RagE89hUCfF0WPrwO3Pe/fRb16nyaK7zWVv56MFar8NOIuRouMyDyDTaGHjbcGgAjL0dTXd5RtSggdK7l0+x5KNyVwi/jHUurChydUV5Ckq/fLNJaBqea07SxXBAf6Gn8+/JMjSM5EXGtUY74oWvRJ2o9fedStGoTuT7jPMc/ttbp1qrO7BgOBp0t9z4Dag+VDy0vZ+MkhHC1bLqnbuMw8mcqbjVECv5lJjdn3b5qOfHZlj2ORdMGNHuwaiWYwmBB4GvwmjU0V71RhCO9y1C81De0gAKGZGPO+/CQB9P/l5bLfmFDQkVLk4TUlpFD3U4CdJXRB5f8UoSURWqTNMIKLwoCrwx2meTqz22h3PyXMpIc4hfgMaZ0nZmQiXGILW2pF/fo4mbWdrz1Xq0aNLK0Z3zYQIMOqgh2wnfbbs5AYn/KuO/me5v4BhalXgasNL7KwTWgD2peyoy8mvrhAEy9agGZBiZMJTPrQOextLFqnwRlqS6IqEgP8aLcl2BT11P8SJqz3KM+e86MM4J1So63rM1vkAip/ZVgk0W8R0dqbriovdNPXNnVp1ChaAHw4UjWHHkrG7t3Dz7sxqp/PRffqnM1B5ua6MwzrzKxzWkGriOVCMMiANEPpJU9rlH13eir4lBa2+0ZQdiWrCBSpdkF+4+1FqLZ9Zp7/LxyilLwvNA9+lYv9OiI2r21m6Nv5OPa2ozFRvAZqpaBY7FXC+PDm4085UiSAiiLLLx2JwiQy6wojWql1AkgmSIRSoD+X5tinJyIsWrVvY0GaULObDH/unIglJPXbpLAEk1BQx1kMn7DaTBgRel1cgKWuLaZz1kQsTK+ZVaiLRdjfNlpvFfdVKtNpYT1+UzdeAaI9XAFueh6OgL9k906t0OAylLwmwf8NH+tdImcI2sjVNOruXTigOw0OBbfhWw9sNNuea75lKcglbisSncOqVnH0MyOAHRzwvpvI0cBnykaOm8rC7+LradeGy72/epXj3tzbG04YguzI8HoYDAQD3gfFCE+tOtxcdMYAzsiPQbSxDe7pbkpizTlyG7WOMue6pPDXiB2ISsYDaWtQXnX3mq2SShXdKqO0sR2NTq2h7VWKl4i4wRGFCSrAogXVVrkOKr5V4Ne6sKzy4RvVy5VeU4g9LACsS4jMl2A/bgVSll7dDUamOAaFrZ/BEWhId+bPUQTpeoGaDm4GDHW0+Prh27h6Dlu/JeCTKMInMoJlx0DF2eWdSmrJI8fIPBlhPdbgStbVhBiNdtmC8rfar4FZqJhRor5ZswxHjaV9ig+cMLGuwWY19DNagqZSumoL8Kk+z5lgljEd8uTbdP/4nRuJpjagb58wc5RlGY+6BgOmxLrAwS+nA3YurQEbjeDXjpnS+zQ46TLIvl9usBTKecXn+pF4VI5FaoBwNk91nkGl9EDATj5xeM/8eBZh6Z/BI3lfjTBf1PU+LH/9iYrrbfmHlrL+nNW3UNu4BR8KmKfTj+/bujvOp/h5zgGb0m1riscpAxux16t19+Q0wxSct37a4Rxo2GGPEPjprLW5njc2bDfVC/Kb/0lJzQsc42X5giz8bWNm63tfuyNt8SLABJKAdtgpQqNbRnXzL7+Wo1XZfaSyAetmpTlRbuiPjwq5RjLdcsnnuKJ0hFL4OQeiS40MiqxESFJzePuiedrWSzu90cFPuD8fI6NhHGdF8aSJ8BFOsJ01UxTaJFIGOiYxUP1g43DlaAGgj5Bch/851LQl93sLDyYP2de93E/agJxpSBybGCpEl1JgPMIZsQZKiW35GqckWpKpWsoNQErqNkeBBmpnhRqSMGHGVtPpFqXIajFFxm/v2hKacSs6Hr1zMwv0+PqWJ7KBzN+WvzYyC5K15MnG2QeHzWidkBRYe7Oul1JGd0z3DB6uOz97mXfPeTYewpf7eziFRlc387vNOasSot2oLJoqwEqDpd61xrAhgt9GzoD8fxPGrFx1DwUNtDa/ac1yKVVzgw75wAKEHH4SclVzr9za65hxFhBrcFNtJvTgyQAULeCRKUKYpGcKTHqmNZQAYH0q99dhtOgdqpbyRlKF/s33UhlKey4j/fX0EP5u6uhLBeDmId0Z9zkdIHgB3L3b3BmPu7PdYL6sjpF0i0/VBPuqYDSRUMyixR7zES1iVXdRXieBKX0azforhLXpg/HejgcJECwaBtNSB7AB1Bqidr7SLAYcQYfCqEJ3KKkbSMrsE2Qu8OMO5kYX24EUq/7Z3YAW52EKBouryx4iwfXVq91gcTQl1W2JH9DqFx8SshIgF70C5zFRI6m8bQB9onM2NQlbepVAEEljjjamJj7rlrFHIj9c0uX1IpoI7cq9kwy3ALUeLDgildRTd5l1M5c23UkN48yJTOee9tYK06UPc7hzgdF3ZxCAnyafNO/iRuVbD+Faikd3VSYQFbBsgvKO77jhJdvZFIz6Dqc+cN2S5tbHXxLrq4WJl1el4nx6IUQgxLpUgArCqF9EkCO6Wdear/QHWEtKhePLJB8rVrqaquqX5ZaCFL06g0tZ2mfnS5MXXqN+okePFJpHyIv1RXYbWWmkM5y7kL+EuE07dmdC3VSDMmXU1cYsB1PAnGrPSlzKofe7KWz8mbg4n612uA7LCEp36WJtWns+kKYNVh3civQJLV022b/fiTRGFnt9pvrwiKo2toFBRmY0yQmvi2YYFFnr1KM14OLQ3dxYDho9geurtF0ubRlp7pHo4unQLkCw0Uiekw8wH9cnm74rOm2orSwQ7Xmz5aC253u7nejOocVmAYjs8Xwu655wF0sxeCoKJJqnrwFNweZ/9nxnnlfrO7NWPx2LIN176ajOooK4vkJdetVlmvoiJ4ZeHWVHe2oxiUX+34hbyiRmSZmdkDR9uT44dXqkDb+TqBsvqiYRLA8Een7vkY7kWxlsSZx224572LFzrcbwimLpOW+kqDLfOP9rJ2S+l/HFkQTVlhwnL9dXIJWgwpkYyzf+KX00fP/xLoGXFaCgsVipVIrYyrTpKUqXd6dSa0R8ltQq6imr3Bj82TJ7AZyIUh/347kBJ9vTE4TLUB0VInqftCIlPBlUhVu6laFEsLm8om4DQ50Jns8ZON9cHvXDs10mqtdzPmQNDMBuHgnMkLsZwZ5+Z+KnIVJXOso4FXaF7HSc4BHF2WKiilrIDeHbi+gWN7Xzm09slaxpZqjVXIYrVYRP6oS3GCeHnlyfhKUIc+xW1iO1PUJGDdActLkJGlAxKrfiaRb+l+oqqRrmLQbQd5IGhC+vB/gb7+T0zOBBfxn7V9PsKJOVYB5HsNfBCDCVMuzdCpyLCtOO3LgThZ2kwnlUfCApeURJlkuqknlODMeuH7uahBpPekYDr6Gu9f14rSxIPbeH8FCXGjJ6Hxwu4fxNVyJ9+3fF4zRG0O2ClalvpC4Yq+kp7ub/ZMZU/PzuQxWwiDpuAmDTps3Nc81OTpCvEAuSS2O6LWLrj0+6CECpz1wkOCVMPGreB2daPSr22qKwsO3CDbKz/9kErBi3YFKrmNsblubFN7zIGxu5+sx+PmHt4mt4w/Tu7nd4rR6NQ27HVMSNdsSQXj2Xm6yzS9X7i9DpsbXfUS+kj37pFBzmZtfnv5NgeYYxNxDKsT1BojoGp1Cqld0hS/Udq6+eILXhBBfteo00dEH6hUlVagP+o5RWSx8AGEw/3dVRTNc5POJv6b80cLUKF8EJCEQFJ+AYxzuyhPwGThl9avHNkKs+zqnyEDBOiNMGjU0LWDcHyq+XTB/WCH3NrgOyyPDIxWZ7ZYZ3ZmGxelM/L27FYT1CD2uOu51FMylx1iVScGcfFb3EEt0v4KT4FCMS4JAEBWVHCJAxxq71VR1DNVOvTlB1kolyVhDr1rXPLjhWmOf7+ft2uRKSE1qZRmeMYbO/Mb4RL21dOpe6rWV2d7gjFxJFDzjo7iwVYytgFU0kDpUFOTY3JOJv6HENPNY5/H71oHUIVzB5Qx/LQFKuHgrbz16g86I7XdjRSkm186qEClopMW0AZLYamBD5oZB3nHvcilFs78R2dH5p9trxJ7j6tflELcsFAEYtDvySjRc+kQg+Fw7K+g9fGlywdT3ouvNC3sKoinNfTHxZnj8QPsZ7PzWUlUJPZEe7uYjSgjVx9uO81u1LKBUAxpNFRQJzguCz4SpQ5e5hX4MoTz4yVgY8fZWA48QNS/Teamjqu4QbEPIemoYduuXrJ8T4z5jC1EZpzQXNj3xFOY/fPB1hvkxd67qwNEIwuqCg/VS5UM6otF/8Bt8wfSQiuLqOyfsrhkCUPPrgQesx7Bv85TopRjHWch25aa+6pa6gybgDhZjsbfT9ahRx3cbETeC9LX6AfUezCTTDBmebG22MuOxZkRz5q1Pphoa0F3xx2GE36v8JdTzsxXBZmriFz0zWh8cKdP29IdnD9WUDw8rtRqb3ZJTDrzetlcvKA5aVUu0TB1z60VKen0TB3/0OcIf9flj3fWGP/sx0cg0VrF4ABfjzc+iU+eCq5/X/U3uBVx5etTx211gFLA9nWOA22udo75ziMUfHTKOxkhZzbdvb/DUs14Z5blldgax3UO5Vesn1LQhJNW90D6N+KJYEM6JX2beuDrcXFMGgMaDKmUyuCdAR2oQ223daqdkqvb7kVeyG4mXf0nxTU5o+QBwwg1DmSsEOUBOVQ4GWyA6uReN2pe+PTZ9ojluqpaYyekdJmlpya/Ruz6t6+7c1Yx8JxWM3nAH8L1F6B2gQoI9mxs843K6xwlZr4+c9KgQ+QCjlH4y23wbbjB/P29BfjYEWtjgpyx5nCL+afK6BTbLzECLXTG8nX7Q7pnvQ+mLzoTB3jjcpoVr/GrMwJe7NhbQ3ZAIwmFd1LaUJv6sH0KdugVw71Z05frSdf4vFCVW0obMDwv1Bj0guyAKObXh12QmRr2kvb8C6t123IcQjmWkH0+hBUgq0qyft0BtSSGQxE+rd9VDmeKVLfeIIA1LcV9YRYVAhD3fa8LrmHs8IQiZY475Y/kd2C11PlGDMDm0+KpwMX7qVhRShHt/EiozS3cnxEz6oLyBL9NJunb+JNStTyih7ftT/6obxyQUXyq2UW5fwfYSxeQR8Twqc8D4gw0SIOcUBuS8bGB3hf9Dz2ioHnfdPQtdWS5lvP9kz/TmB0h4HybjbCnmuy0jKUn9tkp8vUJ1RbIwLyGYk2v8RwvwEGxIBM4CTNlBS+mDvKSVK8zfRvichXdGbjH8lNxCNmEN/GakcpjlZ5XmzJGn9AW/daJm8e8B7UkVU2UrwRtZ3jydrP0phUREyahzvJcw4swSTkv6CzhXdbkAAnb14iWEgIvwLrQmz9wAwlZqSuMHBAkIsLxmCzGKNNjYL7dwdrVgQHihberG7A+YyYFPPZG31G2lLEykHvynZunQUHvHsxO5lUTUiwlNsGZN2VnAxVgWagaVa5S42E/P0OqQjjMPI/wRlaUmNPE86nAi23j0GyV3d1Dsysd6uQ6pWWWPmFBu8GY0nNU86Dqo7rFE10PU7Vv/bP+f9eDESxA9OE/1ZS3kapRS/jouP241I963zy896dviI4VXVeFNzFI6lGYMmdqdI7FY+X5u+nPSOBFc1kxsaSre1873GdWjY+oKAtsdczwzql3niY5pveEXXld2piLCSzwIifUrq4+I+jaSF1lFXvLv0Ce68jlv56T823txp+bcOk4ykG/2hLkA9t1UaS9hs9BCh/V/wF92FVZoU9r+i0AT+3hPeiDoaxg8ZTT2Gs3RSwYiCkWqwXuZnZtAL4U4Ua4c1mZzho39TXZ0fY7VlzVWc4wHHi70bptfSHDMOSX7fMfh+qMlVqDHxu6Z7nci5AIwTkQTVpBXxBz8GnCqnxYbC7UjnzXlx4XkJ2xZQf//1/rK93mz7Wtgv/rT+8l8f+vPxub73/hxxXhoEjL2+C2sCuTZTnG6Hup0MlY5UGeHHUOF3pRpyCjD7Na0MaH9wiep69tr39fR85VxYkRr1t6/er33ggh9Kot93zc133RV33T9zziD/7uf0UkmxQVXZKlUGqlW2bKtbJQ1gpen6jTNWyV/Qt9si+O/8wkmAfHZ4GztsXJyWArZ2JmZ2N25+dQ8FurN3u8GfOm983uNye4037v/P2DBv9usLaB7/88a/CyAc3/wXnGeZJzT8qplFHnb/Rv6KfoW+vH6XfqSXwf/qH+pf4X7n+w4RDMwHZoBg2MgQXi8C+UQN0fowDjBkaxjB2cxm1YgS0oQj2OohS16EAfRjCDxfgCq/AdfoU/DVHZcGfkY5zsGoDMWUUPlnTapneCi81A69x5ay7SGgML8tOLzXaZWuXbAlFZibqXPgfmne2ALIPOhJYalhedfcXg6M98cO+SnxmfTwVqbkRpWmPSrWVqwMnHRlMFQKsTodidS1O12WsE4+gJfm2SYPRVMSDSnCXpgLado3Zva3ftex4Hbv0kor34hxe3eEcXsf6zWxtQqMI1ftgcjjUWTw1jHRFLTmOkT7Qtcofa1/Z200k6bO/SbfXI/cPMbnnbJNfD4j1Mm72i4RZgwUlKy4YUWM19u3cL7PcP9pdRbKA6eNQdbhxu3pYSeV10apukMNppg0bgxVsV2NnuyPPoTv/52XCWLNzeOqEBPWMgX705rZrrQMkS3cVPVzcKmaMXn/cDqVB1Ge4z2SNqCDSqQsvQ04TvFpEr3/mQM/XgaHWQ7zK+y0eruGws7UrEz8y3vUMFMdNMvIbcFoO07T3fcCtOzQK4zVDogfogyUojN2ad8SjL6vRqeH8MKVU6NgBTZf0rPag9MGeQdaSxe8g0LM0XrtoyFyIE0c+0Lnp7WJun27gfx0cA8VHT3yDwL6fQ8JOLPMBWNIVMFWlbmSx7pfN55bCuCTY9DMci4Mz3aAGkzx7Lx/D81RHxq/ete9uL7u+6wYWHndPcsN5m+z9+8mjzrbo782C6yj7CnpFhApRkN4dNUsIgzl5oFupGyGzRiNhg/GXagTqjysm8whk14/2XH7rGToH15sgksypbPo9/YnBMCizui1CpjL0Corn8NGSVlVrrho1rpYsy+W/mFt0p3pPPGx7OYhHrHOAZXEf8GyzYBb29eS7BJP3IZqkngM3lT81jc0AwN20DvqRPS8RwxH10WrpR+VYbDVnNl6Q8zRMgpmXHZQjc+unnxvU1Pmv0e04waf/LneTu+cnfbiR3x2TWsTyKuEXDwaDuwEZG7L933+dEXnpTo8K8KEn0bMhgSYugnpJF26g2r36ZTyt/rQ2JVU35JUBMd7qON/94onSudlKDliIOw3375YCL5fXCcNggA9louHE9EFNF5T2JVo2bpqW3u9h90gYGxtpP0XIzDutcifbePmM6frVh2b7bdXbSTCITx6vNeHQhZnGsZMZFLWd75x7admbVarpC1VutNM1QGnuBriQ313Hq7deP3QMyyQijw28/czpUztdiIZt3aI6vXeBHBhuXdVaWn6A3KC0TX7eaSaCnDjCz6oAmWvWba/nypIh7dFQgBq/4IlBK1s5q5rin0mJDjWzPjwI10QOzT9Sgu/16WbD3uZPp45X10qRwSLheTHwMFDWMqIaNeqwYxSHVETvb764UtgqANguDHSYNl565XExYNIO7UToEm9pgkZFEJZcvrFZLVEuub9JuUFFKpH5EPij66KNkfHVfgzStiDU0zOqX92XqUEGreuWHj0ktW+9juoyDelnhXr5AVIk6yymMTQDalxihAlSRyHWG8Dk1cvwoZ5E0ooH9pJqb1b8+M8Ep82z6JqfAs1e0VyZVhDh/YKf2tf0Z+5FjGx7u7N7uP+T7wPHGiWHI0Ws71YrhRQ4Asko4W4bM9Tyq48s4uw8GmUdUQbgF2HvKepTFeM2AbNFASNqiBRWDaCpSP/fQk3HuTdv5A7P4WndXs+PzkpxpaFUCGm/UVRnAkqrCkiGvCcnc2s6otp09Odr9tB4qmeF4as9DRou37VZdvk4mMpgHxGClHSST491Xzws91oa4beFijVFssb3UUlia0I2CBng0F+swGNq7Z5v3KUrlyHF7miTZWaZ6NqohtCt5iAytagGLi1PaCPwic7R9lrkJS2KiJtOQdYjzoNTykV6HHuhwkyzrRhfUMs90QgyXxZ2Y3k65ySfh4dYYTsuhn0RPzdZUT66xzIPqHxKrxZitc409VkxsbFpkdhouG5K6DotnhKYp06zAScq07/Z4KNPnWCAHPFUptiRb8m9xQS20r1qzrrMos16QNt+Ru/hdvpQomG684wxZ/0JlvbwSUdAtykq5vFDZzi8PWZnReCfUa3rVaNVnBFrZADPxjODJnpKEbTfc+Z0bWAFCqSjvIP/EO6UJbOaw6qKLzvRGAuPffMAxTVRsi7K0mis1WxXwxlymqnIBak2sjw9ggdoXq1cUmrNF+mQ/NRdYaIsnxwFiW9g6DU4D6u6St4osJm7NnamP66nYx4v4hbh9dhT3x7uTdeHnPB8TJ+WS/4/n085y/78RaReNMO/h0lyjXfSs+o8fM8OdqeS0QEi/Aa7/37dOiI4q6eMeQerrobOvvG56vHeLquSz3lpzLW13ZneCQHTqvtaLgnYw6LzfnM9UMfXE2iktPg+gMSExC0sUWwxINt4CfHfnxv3SAF+1L8S0kuE0pbTw5YDNnrbw0JoJRroRdf3S2unoUG3IR4Wv9eaDc6GaGKXIsqTUlGnOyQmktZFv2avsZfUyeRmIzEtyzI73HR1XLwCXtRynmJssksc1z2vlC2Ky04XadX86+8lG8ODZU4mJ+px/z4tCkVNB96UuGAa28wZbPtbWzQwM1peOMREfqAPhfnVlpcIeomPjUr87H3SISI1rMY3PeJMsueViVX3Pl4YS6NC+YSLyDj5pSTacLPf7KFY1A9IERbSHLTpGaAdRH6k7QjYUdRP9IPubjZGZrUdFqpaqFdPIMZ1WzGQxTwqQb8dtctW9LoqUksyr8Wa6kdnPHwvDoUmi9ePqwZAlGpwu8HoDTcOwkJidwUCIt81W+qAR3jhujLsPK1LzS2TL2vIxZ3HLBHnOln08spMobW09WE4200nL/b/jjxHSfwPwMSGqqre3M6JBNIyTce5uRWUl5bonlMtls9J86cz+azeu3t6aYMDQYN8ThkJD6SsBuJqWu4pJFaJxUcXONQxMy2bZvplmlxgpX1vBl0uraVq4lCSrC62yQYF5a51vG0TQuvLJyXkbnH/XH806ezGO5AiXsC1k7Hf6YApyuapRlUEc7Bd0pVXIWBU1u/sktXlWQfMzRq0GHMh6qrdixt8b/yli3XP7M/Df9dofo2myXGMiDRSmauLwnBHitBUZoXN2dMBR3/cdXkNN2bxZ0J6NrX3inrnZmJqKbYA0AZ91FRciqAaNz6RQ2tIk5BlZSiVNAhR8zmb2uKbOpi1rWP+itAfYWh4DwhPKvWVTUNaXQx+s+q2oysjS+ZKiAxrPhyYMR2zLw4cVhHdgnErbXvPQ04uyP8kLZ1tRP/kxhw4anFn9ljb09Ky51J8XN6Xxjo3/uXHHLM7DZmDMUzko9xyY/e8S/Th+GtEIfCU8o7QW5T8+2OBfnKA3/pGsivlOJyTXrEv8TLBgdaRL0oBh7w0hgovHTsei8tAkMa6namxlQ63vgzw4c3LQ7aPWgalnnMc/cZMdU0V/s0dG7Bx+NRkFzuhab8zIe19oERWwW/lUjRRtKNteXtaT3Qx1u1gCi5gebRIs6xODCp4u02swYPRArVYLfDl9ZzMNTtFMrTBrppoEtuwomeVFF5EXHZqKCnN77/iNRc9RUdulm7n6iaAxeSFJKBil5wKb2jTjab1ai8VKJcNoBAqq5INWr3KWKdJFJzV58mcfSHNLfSZ2QDxlCzZUvaqpI2e4McpOzHv+OEvoxqgRt+0ioF1M1mZ0s7aBd6T+wpYU+UMhph6tDbB7vb+wi6cg2fP8fhk2t4T2PFpZU685M4A5uEBkzO1/La/Sk2d2FlTvKMX4Qne4/mi9eSEEAl7ZqcCIVhYLaAuvjAlXAVATHzQRLVFSb9LcX496ZlBsyIfFdnllCbSrMRODZdLBfgHpXee2IhMQVcSBfYv7wYE0XLi917s9i6vvWzi1EhChg6cG0dvZ6sZ7Et+Q/MRaLgGU/TIm5xZSHb7b1DkKcpeiTdp/nx9E9Onodx4ZAntsm9d7KI38JjHKRNbBY52tXdaCRsGFdCSU2wzlazqyjcG8m8j5sVu9a2kKI1b/Y0OQOwZeleXthohhlZE64lKKZroHztCQ/mkwwzg1z2HZfp8Q2LjPy9YOrjhfmzqmhbN/3ZhVAPXhw8X8fX8NzOJnWmAuvBchdE57bpzl/fCjt5A9MDZ+nFARnEL1aDHZ5azQ7nARcePk7nATNPV2MGaB26JMxrt+w0Ba1AMXI2l1NYmE1RI2kG1bRD8GnMXnC1AodeR5YktX2g8FZj57/8ZNSyEfLS/nN/TKUE9HjbDaxc2KxbkF1VJW6jYGmp+Lz8NS8qrxospsHfe+UcKPP8cg+/d8ixw+5ilaOELT7ubxp0jkSGGeDpDDwovwPyLTZTcdsWmmVgiOQlGhW4GHDVMwoVGAhOq5ulYDivZRAK0wY9zfdb6m4G1KeqM23emKiHdDw9x7H7leTAAWMjY0CGIDl6HM8rxjjyFkLPJ0h0jvorxKjoVaEu8hmQquuLZN3yJ9iRlfmEyzGK9ZJtCmnWJN8PtdRUmfm04XEfWynpYeUubMZLtWTKWHLvECw9TD6U6yyRdYv7GrHJjT5GdSLbdwB6efZZFlYtpNw5UNidZMCS9SN7oZPyat8e0JPfHbQuRferR+iB9u2l7ba6pppqzwzeHedJsb+gAloo3k+QbNf5lMFy41BT+9EePOAITdab0NBeZePwc09WuKM31vP2ASbuEH0v7uLWZn044FxNPjKPvdfaCERad5I0MpyJwjYFqPKSGacMItIDhU3n7Qqn8XOL/jhK+ECFGa3sssuTrGPGMGXXEQ9Pnian+POTptoKlN7/S9wMKSczUSTJz/Jc+iNgN3UrLGcT+RJdAzTG9y8Bpesy6mzpbm6bPQgodPZIA2Pk0wAHxwMQAIkjo2AKCejh8AwGA7+O0ikH3wHQBM9CZyCpO0fIBvx5GC/yZsy1hJAQA4V/8oAD29XwBQgzFEtsPnQCqvKJohkPDoeTP0sX/eTzDM20YxAgoGDgEJDToMmLBgw4ELDz4UAoSIECNBigw5il9tGEExnCApmmE5XhAlWVE13TAt23E9PwijOEmzvCirumm7fhineVm3/XA8nS/X2/3xfL0/398fSI+qNYGafhKnzUar0+v2B6PheG19c2NrZ/tg//Do/gOAfFZJQfoEOuVq/k+cmgJl2gEwnViTNJGa1HAAQPsAyFJ4AAwYtEjyYve7INu8/ADAYsVawoRY0Pt8yJd8zafU2w2Af6MDoP9RYwdenpPP+RayRJUi1SrUqlOvRpNmADRaZrkO7/TLeHkZm4AEmpsJGRd/aGcAEMcHhgIAWBQZsNYmg3HpH0xF+QvLz+VO3/l0L1dmMlPZm+N5OH9CJhrGHIuscJdfcWRHuL7x/xmglqmVaiO1Rm2ndldvZsJQY4QTc/77t+N//58YxlHTZ431ttgbtwTn17mIsU/d7Za3GtXQ9g504wOhbDTimSZQTc/t5/nPYv1JLYwuxj8F5bVZt7pv3a6v6xDczd+1tbpW1tI+wnEOhd8nJHVsypGjYytG4dFrpB4+pkvn2+Uvyuh6J4ZvdFwnyhff+h7rFwVSVTqJAgUUKKJApc7sBQXG1c3dm8VHn1FQqJgRjmJQLDcnMwdOKrWG8/tWf0n7p9uKzJWrsmbz9RLWJn51K8qqbtputz8cr641noylfxqdwWSxOf/vH3+TUn9ESv//94jEkk/1aWhqaevo6ukbGBoZWzOxbsOmLdt27Nqz78ChI7ccO3H7Wemiu+6BEIygGE6QFM2wHC+Ikqyomm6xBnfsDqd5Bt3Pg2PD3KPyMI+Onyd5egyYCT3L84zkRV7mVV7nTd7mXRSwETAtn2Oh67fwiNieE/cjnNIMAQL4+Dhk889zj38AmRfi8neu9fzNePf5FPA37Z+NlqdQqxmG2RAgfT6UeyabsyZtz1LhFeEjCZgBfZVevMDL8WzGAEBOs51NrLvMP3SQkh50J+GGArKZ8gMBjasI5BubL3vXdnZyAIDvCb0NOBWjl82sddszGZN+i7skhnwCEwMD7+IhZVH7jMJr6GMq5ppwGppaGMEwAb9+4rz2+EJkZtQZEraApDTWReP2R/S9nFu3CGun6CiitaQloo/J7nWOXZiEXh2jopChgDsG++RbYne9+tkv2Kmxxn01Doq7VSh/EfsNOzdoxmQ+X61fsX1HyjCk42d2ZP9fECD45tN6nShLQt8SZ4TuVoFWYee04lyZxQC8kiCpI/AmDSwPwjz5W0/gB5yZgM9KHE9SDQvUH/p3SDqIvmm6rgbXf0lqx2g3drn4/YTaybMgLNdAzrWE4sDE9zupq6gM6I2blFThVoLRJUR3kGP7+ZA9WvXwYQGoJpnTNhk05gTxcLyHUQWxEMdgkkgkRyDXmGGCYQFet2jvGFo7XrZ7iAQzzcArDqepxGAFBVw3YzaHprhh7bDCvA+g53Mk5HbW4pSJUSd+BTDug+suxPBKg54u+RKaH4F/YBzE97HNMAEwv2OmcDNFDwJCjIQ8IWZCnK/8Kt0Ibo3i/OZs7w+M76vP7T2EAscLqWJfcCMSnv1LHG857uwv5DjN8Qors1X7bhuTz87wik2OQCpMdYNvxL5bquIwK+6TiVKPbBL3OH7h9Rb/3oqJagkQghHv0B7bLBjlHljo2I65fMtl7Dlvx0JotXkSr1/acoVwidDYcmaksjZSjgtwGWqQiM77iXGBPZuW3YzaXRHdGqZ2oqkE6ySn8sLG+yauHAeSeLqOAm6EBRWzmCiuxgFvbzht8SruT26xOwk3eCxb6v54fiHznH/yOhzYyaXxdScuTxcTpAcH467LwvxEK2M7+w/Ly8jYWDa5DMZrXwzelRoIUlfxb4CetniasVNW8J4pcrjWgEN7XGoUdhGZuoLrBBj+Cs8Lka7CPXChvy3H+zmI7Tc8d1KpmMUtqwkeU308ue8N4d3XYO4Aaf+62QPQKfQuE/oenB7O0BeYuzE9gmgDui24Lsb3P3WvT5FuIawKM2qnK0ZVSmrHyEsifbuPH2/0Gde/f69kOlu/AkVIuX9hOX4YMIrjhZbuDV/C3Y6b1gOKLDRcn8PSapQf9q0wVEYpPQE8ZBzpa+ojxc8DKyy2mSAABb/LhXGBNL1m3hHKydyX7hJFA3w/Eo529nz2LaXP9xHNB2SeZC/ajTXEqPXamyOmz7GiASgmwEKByENh5Omcx0Qg4u5HMA+VOgIJiqtns8d1B6F/sAcB5jXvwliy8CqRH4e2j0JLg/jZ0b8+Fwp7EeEZwDAkw+s85zrSAGQHcYi6lYFMxdFR/B63tdMod2Gu7ejTiO47ycPXKq+vQxlhEwTC4obFfvg/l1NnIs+2Bm/PhLVdMFUE3Vr4hgJW5+FxQiMfHnfcje0XXe0apeCGA1nWZHPo3Npf0fJi4jB4mnHKoGJ3InmPT/B8ddJ32xftb9UY4QHCwUcAoDT/N46ML7AvgmCVAhgMQShD0PKP5VgexcAwOCxlOAw6GYEj68pIhCDAoEU/MDq+wRgDmYEGM5rIWLRnwdZsZHEAArTRAAClZyEkdC66icGwO8kQou56DYpodBmGcrwlDtF4RpDZ2YzEcoYZDcsNY3RKH1vGwHHbIZkUfcZYWr6kD9m8svO/jVCv+dDs4tveUJ29kdsblexxWt/fbLTC/dG/XNZj8K/eadcz9tqJb4uUrT3t/yOpic9MnM3sAvRqUup243FfKT0MKOc+VMVHasvt2TUKIeqNECoWdF735WA8cqSRnZSgt74lse54Tu8shUjoPJmmQ81IjFGfIeZrjGFCidYcCQbl3RrJcRjhcYI1AYczHSLabJvWuq4PehMSXDI42U+xoLrGOgPh/ihbOMGFdQezf0tcfIqDAT5jmcBLvQAFFvT5VuZy7pIYaFzy7zqMUlT2QiIiTkhJf+BEUHOaNLchX9LGhTdILfMM8WGAjERslyaOObp19wMe3xvT5+e4L1yG94Vn1vtJ6E3BzqT0x/iQOGNgrggGEnmWJVLrza95BFYFdZr0pqn4xxnAz7ZPOrvxu9ln9GCHuHCq4qq2L77Vp8JuQPrgG8R7iwRQrDcvyLhL2T1n5FNGYDi1WhnLFfWeY4GC7lB0PGKUoMbrzuuEsy8uljTmTmNQAmvoaLLZQOmok1jKn+jxKpDVzuCgR3FYa2Y1qrBICINYO3L1m0h4Nbwz8Pagv0tjAAAA") format("woff2");} @font-face {font-family: "Cascadia";src: url("data:application/font-woff;charset=utf-8;base64,d09GRgABAAAAAVMcABEAAAADQeQHdzXDAAAAAAAAAAAAAAAAAAAAAAAAAABHREVGAAABgAAAATAAAAG8nuKcikdQT1MAAAKwAAAHlwAAFlLMTxXFR1NVQgAACkgAACXhAABRIFkPGxpPUy8yAAAwLAAAAF4AAABgbEt/gWNtYXAAADCMAAAKPgAADSZvLoOeY3Z0IAAAOswAAADjAAABFlZAOwxmcGdtAAA7sAAACBUAAA+DV4sPEGdhc3AAAEPIAAAAEAAAABAAOwAmZ2x5ZgAAQ9gAAMcWAAH9uFaLzNxoZWFkAAEK8AAAADYAAAA2EapGVWhoZWEAAQsoAAAAIQAAACQABASPaG10eAABC0wAAAUuAAAYLrBaWdJsb2NhAAEQfAAADBoAAAwaQSrAaW1heHAAARyYAAAAIAAAACAJshCbbmFtZQABHLgAAAfUAAAZ3FI4deJwb3N0AAEkjAAALIQAAHpUjVe9UXByZXAAAVEQAAACCgAAArOJYnqCeJwd0c9Hw3Ecx/H36/3Z99uatl1SikmZlNGtJDPrh5126Jj6L6JDt0liIh2SDunepVNGTDqMItEhSWmmS4cOnWaHRE99+Dx8Dm9eH6+3ydwy9n90xnvJZIvcZdvDul1iw96wrYRJsZKYUhqzGsWc5nFBK1jRJm5pG2uq4Y52cFe7WNc+HugQj3SMJzrFM5Klc11gQ1fYVBOvdYMttfBWd3ivB3zUE77oBV/F3/SuNnbUwS99Y1dd7KmHP/rBX3eTRx5h0lOY9gwO+TCO+hiO+wTmPY+TPolTPo0FL+CMz+Csz2HRi1jyEpa9jBWvYNWruOpruO4bpuCBxNAX6C0MBHoL2ZDFwUBuyAVyo+fo00LUjWUhDnECk3G/BVoXi0myl8DMhxkzZun/mZE/IhM7bnicvVh9bFRFEJ/Zd+9aa+m9d9doRT4qIQ0KNg1BQxpCEJpqtFRSiLmgNopVtBykQb0gElMbbcrZACEVEZv6RQgQbNAYCgQJKn5ElKAhiICkIYhGDRqjaBDQ2dl5r3dbyBX+4DY7v5nZ2dl9s7N7+x4gABRBIywBp6a2bg6UPvLM4hSUpR5+ahGMg9updSKo6Xc2lMPE2Q3TicIYcGfcMaccxsy8t45ofV0N0Vl19xBtuHcmUYD//gNFPRHUwocXL4CShQsWLoBS1gBTaoFo6WMQYamQajH1i+A6NYFaHPeQ+yOA+1cUIR51ohEYTdqpZHUH2c+AdsLl8D68CNvgKLwLxzEC32IUC+ECFuEwRIzhcHRxJE5GH6uxBm/FWlxM0tP4DD6KrVSasY3KAnyBSgqX40u4EFfgKmzBLlyDT+JafA3T2ENlKW7CXnwWt+EOfB53UXkRd+MebMe9VJbjZ/g5ZnAffoWdeAAP4ko8TKULj+BRfBm/x+P4CvZTeRV/wd9wHf5F5XX8m8ob+C+VN/G8UviWcpWLG1WhKsJNapgqwS3qOnU99qrhajRuVTepMbhNjVVjcbuqUBW4Q41TN+NONV6Nx12qUlXiB+o2dTvuVlPUFNyjpqqp+KGapqbhR6pW1eLHqk7V4V41SyXxEzVX3Y/7HeW4eMApcArxoFPsDMNDTsyJ4WGn1Lkev3NGOqPxe7gJILGUaivVdqqbqXZSXW3VHsG1zCOtkYpvl9oMDug+W4dQ14c8+j0yHvHqZGQs0X1QhP2JUQDxCr87xBWXiW2XifZ4+bDLQtHH5hGWDGCcdkR8OID/DdXDAxhTllwoWCKo+9yVhaW5sp+husrvDjBWLlghOOHyMPQzMVceMp4hPEfPSs8Vp2eJTRacKlhjMGy/26CJWxa2ZcsXWX97vZZd2fr5xWac2Kys8UoGMHafvyb2wNBx0HME2HEJ/SD015j5Ca4QbLtMtP1cZTR5T1XyPsCgXcv+caPXGHs8V9bxyMEOS24bbBcvz8IOSw4xT3yvVpy6bP0l8qFtqHlzhfb58nWZweB8GpynWfHX+qicf4sEjwg+ZclLLTnAU4KtltxuyQF2yn4Oxu235NWWvFawJ1efADN/75icB+tN/vqfUv2S5H8MekUGA70XkfbNoj/p/+z/noWj5DzdKrhNzsmxIn8uuMuSP7JkQf8WkfeLPCrXXzjeQatdMFFG+BDNO011mVkvfzHN/4hgv+Apg2H7rwb9OZIPgrE/DOqfP1fiMpfG/0fwgkGOE6FfbzCw53hqvfTzvNz2UH8d2dJt0xshOI5qZRZO8qrZ3xAxWO+EnP9+lSUvyZVDBP99yped3jGDiWbBRtFPs+TaXDlAv1dk8ZdosmR7nHx2dSKnh+bHazD7NszjJOHvJi5eo9kHGhNNgqL3p5h+XpNgs/gJ9C2WLHnmtXkd3or8mCj2n/NfoHyoMuh1CW4X3G0wtFuSK9v989l56wTfsPQbLHkLzfE9kwd6/+h84X20XXC36JcYDPLLp7cqP0XtewW/EDxgMGw/lCv7j+XK9vmk14XlE4I/yTqeFvmsrPOfsg5nB/YpacJ7VXgvvcR9LjjXIdgvee4t9j03+N/148ZHdj/Ok+A+HA3uBxe/nw3tfyv7f9TMJxxXznl/j0SgTNA+P+V8TUikQmwSLJZ+VUG77OdPc/8XwnW01i/YF6HddOB7fHjeyfkYzDMYL+wfnL9yLgbneSJtzUfyJzi/B+2PcD8E51puHO28uPQ9NSvuJfnzIuc+Zq3fQH4MjGfHwd+Y+5zZ68T20u6/ZduL3Guta5afi4036L0tWLes/Ob1DP7vrfcfOy72fThfXOg9+MOCKk2jB5mfTLSCNRVuJ9F0dL+mrEmzTZpt+ljfx/o+1vdpvVOseYxw3xT7b2W+ii1rog2aFhxl+gPZbyrYQHRjgX4vr3VPaL3bzZaNbNNM3sqi5cR3cGuKPaTcd6jX19z3APdNuaeJNhsb40HbkJ8HmNet03Urxgv023+G/WTYJsOtGbbM6L5Oif5C4JRovVN8gUbHIp5DjX4iPOseI/0eph/wHHbxHDayh3n8dWGEptjLEUjzWGluTfNYJ7U3PMetSbcJMFLJvVaypp5n1cP29fws9RyNB9nmQbHRfmbx885n//NZ84RodN8k6+9jTSbawn5aeCYt3EoUJ4BLfFyvkVPMK5Vh2mrizCOm2Nsi9lNvxmJ9mmmFoTyrThNhHRnVY+bJdD5H9V3mR+h4kh/yGXmI+1abKJl803ykW/ORyVBEmuE8bhlbztV8xGM+ya2tzGcMNfnMft5mfp6mTo+OdqTbrAvru9imi/k+5veZXGVaZTKW+dlmjYhGwQOkMUG+MCLUwGn5wniCvzACDOMvjDeQ1iUt7Vu33+2Ha9wz7hkocs+65+FasnAgBjeSH3qHAXpvAXpXAR0tPXq7VVcLdgq/fgh1bRbfw0hZYOLHdDzTuIki0xqm9Yby01ebVuI9etYxMA4qYRJUwzSohTpogCQ0QhM0Qwuk2U6v0XjOk2rOkHkmAzknk8K/w3wj8zqrk3ySJPn0SPL5kORTJVmQYj8t/wM5o4LrAHicnXwNfJRHtffM7LNLSDYfJJuQQliSTcjH7uZrs0k2JIQkTSmlKfJiLi9yESmkiEhTDBQpRhoRub2YxogVESlFSilSihQRMUXESGmkiBgxUqQRKSIiIiJWRKT3PzNnn90ky2vv+3t+Z/Z5zs7M+c+ZM2fOmf1gnDEWzVssrcxSP6mhkTnmP9WymKUufnRZM1vCVuHdlUzUPTg9nSV8eHpdOvMz9v77LB58zgSzMINZmY3FsjjwEtgIlsiSmCNCHfuQOi5mvb+2MZ3VP/KhhnS2cGpDfTprn9bwcDrbO/1Dj6Sz06qXuAG9/Hs5wz5AnagPUGf4B6gT/QHqxAypk/zoo4uXsbb5snxm/qNLH+Od8+c/voRvaGp+4nG+ZUHLo/P59sVPzF/M96hyvyq7VHlElcdUeUKVvc1PPt7CzzzR0tTM+5d+onkBv7R0aZGPX126tLiC31j65Lyl/NbSJ5cs5XdXPtbyhDCATiiEjK3GnU2NIoEls1SWxsZiVrJZHvOyIlbCylgFq2ITWR17gE1mD7MPsensP9hM9p/sY2wee4x9nH2CLWbSTpayJ9kKWMpnWRv7PFvL1rF21sHWs+fY19g32AtsG9vBvsVeZXvZPvZd9j32ffY6+wE7wrrZUfYm+wl7i/2U/Yz9nP2C/ZL9ip1l51g/O88usN+x37M/sKvsGrvO/sr+xv7O/sH+ye5yxgU3uI1H8Whu53E8gSfxZD6S38dH8zF8LM/gWTyb53I3z+eFvJj7eRkP8Eo+gU/ktbyeP8gf4g/zR/g0/mGpC94itcJn8I+op0+gtPBF/JN8sXpuUuVcVc5R5cdU+VFVzlblfFUuVP08wT+lnhaocqkqn1TlY6r8uCqX8eXimpFqaxuW6BEeMSxr2AH12hPVUtwTtXZ4Ufn44VOHn59YJq/h16Ln5MyNXhITlbc1b2tMSsxaj4jZaE/zCHuBfX9hXWGdvTt2cmFd7KzYW8U9cdFxO4t78HogvrG4J35BglHck5CSsL80MeHYiKbK7hHLEx3FPYnZiUdR9iUtK1mT1JF0tzTRkeBoQ7k+ubo0sTQxuSH5EMqTKXhKmZZyBGXvyLry8SMbRx4tH4/X3tS6yu7UxtSjOXNT++6bdF/TfbvvOz5qqkeMmjvq1Khro8tGN44+W9wz+mpaS1rnmJTK7jG5YzaOOeDMLh/vDDh3VnY7u8a6K7vHVo3djfJw+qLK7sru9BXpR9L7M6ZmLM44J0eeccU1y7XCdbmuJlNkttTV4LUt8/r9q+5flXk3q7m4J6st6/qDPQ/2ZN0d1zy5atwz425l23CNyl6cvTK7I/tSDsuZnjM3pznnWM75XF9uQ+6W3IN50XlpeeuhyT1u5h7l7nRvc9+E7hM8yzwdnhteu3eOd4X3uPdi/uT8WflH8/sL6gpmF+wvOFnoh6anFR4oPFU0uWhW0ZGi3uKs4uriLui6zzfd1+Q777tdsrxkTcn6kosld/3z/K2lBjSZXtpSuqa0r/R6WWNZc9mRsrPlXuhvcvmm8t3ldwOpgUWBNYFzgfcqJlfMq9hfcXK8f/zU8VvHd1XaK7Mr90Mnp6pcVVVVHVU7J7AJoya0TGif0D/hVvWU6qbqQ9V9E3OhpfqJGyburRE1aTXLajpqztdcqxW1jbXNtcdqz9f5oLOpdVvr9t1v3O+8fwk0t/7+O/Up9W31m+pvPGB/YM4Dix9oe6D3gfMP3Jy0ZNK6SRcm3Xlw6oMLH+yCVvsmF0yumjztodyHJj0066GrD12dUveI/xH/lKNT1oIuPex4uOHhxQ+3P7y1wYbL0VDf4GooQjm9oRPXzobrjySifusjnY90Ko/D4XsF/MIk/jQ7wL7H29hB+IK17FnWxZ/mT/KlfDlv45/mK7BGH+Yr+VP8R7yb/1gkC4swhFXYxDARJYaLaBEj7CJWxIl4kSBGiESRJByiRSwVy8STYrn4tFghnhIrxWeMdlu0cVxcsP7N+p7179Z/WG9b/2m9Y/2X9a71fRuzcZvNNhyoJoHS2Cw2lz0Kr7gG3msfPFQfewc+xQl/UsPr+BT+GF/Cn+Ff4c/zN/gx/iY/zk/yn/FT/Oe8l/+C/5K/zc/xC/xdfpFf4r/nN0Sr+KxYJZ4WbeJzYrX4vFgjviB2W0qNmcZb1j7rr6xnrGetv7aes75j7bf+xnre+lvruzarLQo7h9YUFykskzXA685hC1kLa4WmOtkmtp3tgd6OYoc8Cx95ld2CL0zkqUCaBY9Xz6fyRj6HdwLZJX6D3+J3RQK80ipbNLOKj4uF0FOrWMsM8Qno67Piv3C3CHpbJZ7B3Sehv6fFf+NuMfTYJtbh7nHo83Pii7hrhl5Xi3bcPQH9fl48i7sl0PMa0YG7T4nPYIRfgpRfiNPit+IiJA4Tb4uz4nfiz8aLxh48C/EblBZxXlzHqyF+JS6Jvyhkl8UfxN+MvfKef4a3ip+LG7i3iU7xR/EPcdt4U7bmnxVX0cefVE/XZGk8i9Iu3hDHRK/xReObxsvGLuMV49vGj4yfKAk3xT/FHVXzgHw2vmpsMA7iLlWcEb8W58QF8a74vfireE/83eg01hsbja8bm4xvGFuN7cZOo8t43eg23jJOosVY8ab4iTgu3hFXxC3jS8aXja8YzxlfMzYbzxtbjG3GS8YO41vGbuM147vG94zvG4eMHxg/NN4weowTNoH20eItcUL0iX7jBeNV47BxxPixGvlPjaPGMeOnCuPPVLkOZZToESfFKaPD2Gd8x9gv+dZbNgssI5PPFR8Vc8THxFzxqJgn5osm8ZhYIDaKTeIb4nnxgnhRvCReFt8Sr4hXxR7xmjhgGWbJsXgs+ZYCS4ml1viI0WR9G3s/AyVixx/PprEFsC/07qtXZPHV++prr8qdUFqjr4gZviJfUe2Z2jOKZ6mdLS/Ga49SNAEeE7WTarGWfDbw95hcXlvEePF1Joqv125UXEP3WnyWWYrPFp+tXa241pCPGNcNLXxJzn8kjLVViizFW+UVxFiby4zidn1pyTUH5QU5KwjjMImxZlvNNvDmaQJXrjhe047nBmBsQCm5w3WvNb2QUyYv6sHEWFzEMKvGfoVxGCK7XERL07FSVyHukT1uUGSZiBAKEgllzWpmVF+tvgo/3aF4YsLyqungNzNL9ZnqMzUrNfaJd+QFfhNhj5F1J16aeInx6t3gTzW5fOIp8DYwUb2hJqC4dpKVgj7bqttqXFTXxO5ADWA/RBqOgH7iGUWWsrSK7IrsIPqJR5lRFlWRKC+Nvupg5XPg72WW0puBu4G7hL5aXowHLhP6OIU+d2IueL2awI1XkhIZL93HROBQ4JBZV8qaiT43B3YEdhA3tINo9N8Geg5f8rx4zVIQ2VLK4xRZyuPkFRxF2W2M4ra+NN7qDnnhnUuEd4TEW72iegV4pzSBmyj7rIbVlHUxUdaFUnKTqNft0NZ2eSmuw8TLy9be/ZXCZ0Wk7UIONZnNVj2tVCSqV1a3BbFVLwSahdXN1c1kHTcn3AR3NuFKke0mnAenDjTZ5MmWBeipoNqveCND2nJOgZ2KsJnOZgE2BQiWYKdDb5WXFInKS5WXgigqTzNL5Wl5KQ6vhS1XYk3KCM2sgzmv3Fu5t3YNIZ0yYQq4WwjpfQopVk3lOk3gjaKWy9HTcpSSNzqkp8pZ2Ikj6Cl/ryKRv7fyQFB6/hZmyd9Sub1yO9nhiaoT6GE9SR8j21Vh7edjBitXmTzZsgk9NVUuUjxnSE/pF+BzOsN8ThYyoMlKTxKDV5HI91adNjFgPPmjqrqrtE54FWY+Hz3lR1XtJVRlVdBAVVAn6aoWVqP3Al7XmTy86z3JhPdkldZJRhiqg0D15UGopiAiaFH2fUCRKD9QbmqmHHZYvl1eGkNFSvkNcNej1vry9ZpXuQXzxMtXEa5MZQfAU75IE3hZ1NsMtJuBUvLGheaqfDyruQcmlyJR7hofZWJKAKaEivcq3tPyA6vL52Bd3MUqultxkTBFV2I9V5wiTDmyr/HvoVYfuIdMnlxpsMSy7oqdipcb0pVrhfTI4tcDLL0BuepyZKToraJZkSh7pqI5iKwCFla2vGJ2xWyNovxy2VFwsWbKmlAq7zD+RPnpMthgRRm401CqmuNnjZ8FXjrhdSu82P3KssG1mzy8G7iFdokoJc8TwpvRo3aQjffCGzisSAQOoyS8gd3MEtgtL8IbKIOnCWxCrU0oNd608qwyWXctuGtRajvYVbELvCWEN19pBOs6MFsTeAUkYzLaTQ5o71IYmvOAly+5J9ZERSKQWLHfxIrXAKvYVqF3P1HWXroQtnANqK9VdGqsFUvKVpQ2gnsW3LMVrWQfcifhFQsIa7GScAW15CxMN3nSsjaj3eaKasXzhUUQqUq3m++Ft3yeIlFYhTJopdOYpdBdPg2vCkXpOT88SHk1aqWiVHgDR0p7/Fjn5W5wDZQa79QA9uNyB+H1K7zjGS84C26IJ20X8WvBMZSSVxpmu5cU3q/fC2/ZPkUi0BhoNPexrcBTJy/C6/XL3aYDtYoCRYQ3oTS1BDtIGfaZQFogjaxmSznWf8BGeMuVRuT6v6EJvADJqELt/vJ+qmfizTyo8G65J16hSJRvLN8YxFt6HV5grbw0Cn9ryUxw+1FrWfkyjbd8rn9hCWLQ0uPgzi2fS5ZzrewakE0hvOOVBKnbMk3gVZKMdul5yl1Uz8Sbe1bhfeFeeEunKxLj96MM4q3BWtpWWoNXhaLkhA8+pxT77PhOlApv2d6Sgz5EQKWjwG1FqfFWl8EiSw3CO0HhdcM/QIr/usnDu/5zaFeNUvKqQ3j9ZxTerffC621VJPzb/GZs6V3ELP5OeRHetGL4HO9M1FrlX0V4WUlU8UVw68Fd5F9EltNRiujH30h4a5RGEJ34azSBV0sybGjn9XupXmifyla+99174fWcUCQ8J3wiiNfTxSyeruLryA0UCt/iYvgcz07U2lncr/GWTvPNLEZM43kO3OeKj5Pl9PthkcX7Ce/9UoL/OGph70JGEORJGdi/PDOQEUhefVgMKTPI36oIUiBzej5S3OE/r0iUVKMkzP6TzFLi9Z/Eq0bSCK1x/yFCMkm1g15KkAP5d5o82RIj8N1AKXkPhmmuWc30SxERzFEk/HN8h0wEDZjlBt8u3y6a5d4SRNO+jYTgIdmuBDuHH/uQb43Jky3hn/2JviWKNyWEYCx8krGTYowoxJO5WDkN2M9lhLhR9denSJT0oSQcJUehiaPyUhxeDI9SAg9Vsg+l4hQgByzZCs5WlIqTvQkc+KeSjhLKfkocJdi/SloJfYOSJntfqAm8R0heI2o3opS8qaFdqSTAWyPprsSlSJS4vE0mZsQhJQne6d7pZHEbfNgBvTUkfZps50M26sNe4/WaPJkBY/S+Pm+q4v2fsD08Drp7mXQ3CIFvqyLhueDbGkTg64DNn/J1+Gj8PocP4/cFx/9h1U7aLfZq30KTJ1ti/J4NPj3+xjD7aVf2sy0SAs9cRcLn9DnNVTcV2b1dXhpB8fri9Zi924RghppLRMzFlzSB93+ppQO1e4t7qV4IQbRa+8cjIXD3KxLu/uLNQQTuE8ziPlG8rngdIUgoTgjL0j8i2xUh93Uj8ytuMnmyJaJY9/riaYo3K8yCn1EI3oyIYLYi4Z7tnm0imAIEU+SlERR1FMH/uQOEQLUrgv9zZ2kC76PUMgE9JaCUvDkhK8y7yZIjSc/rVySKOos6g9LzMP6iVfIi6QlF6K9oMUmfK9sVYvxFMzWB9yi1xPiL6ovqqV4oejitxn8iEoKiOEWiyFHkCCJA75YiIS+NoLCjEOMvvE4I5isEGH/hOU3gNVFLxN6FPYU9VC80A/XKCo9FQlDYrkgUri80YwH0bilsK1xbSLFAob0QMXPhMkKwQPkP7F6FmOXCuSZPtqxB7UmFDcQbcCpgvGGL1qcC+qxLobHgnXQVf4mCHQWwqcI4krJQSYH1e2HnBbdNHlORm/D2Flwi3uCzh9fo7OFFKSdyxliwQZFw3nbeDo66ABm387K8TA5yJmefs6+AbKHAKDAYdwZP1RbJnvIRMTj3agLvk9QygL43OzdTvVC+v1HNxHcizUSBUCScCwrM0xD0bnE25t/Jv6MR5K/OhwfMv0IIHlcIkDk5C/DaZ/JkS2SezlH53cQbOBPfDZ8Jo2nwTOSn5aehhzUk5QklBesoHXFN/hKTJ6VMg4dZmD+beINn4nskZdiQmTAz0ny7IuFZ7lkeHLX3Nvxwk7z0qPOu5yJC8V5Greke2h28K7wr4PWqCeOnVNwFf+RxawKvhXrbjXYpnhSqF5qLJuwOr98re/cuUwTf6G0zcc2TvtHb7KXzn7yZuYh+vNCBu8tLOarnvAeRiXcy4VoWjK/c0pL9Jk/2Bo/tXuVNJ95g3f2AdOe5t+48pxQJ93jPKXMHOQyMuZ7DHp2Vitz9OZ3gQgfuFA/lpZ4qTxV4wahkueoLuXoe4njPGpMne1uCUZ716Dn/dAjjmFxlx4cj7mvjFYmsZzyTTFS5zJK13OP3+DUCd5e7C1wXIXhK7QVY/VnYPTxxJk/6dGSkWVXu28QbrKXdtNZfM7U0eIfZrUhk3s40V7p7E7NkXpYXofG6EU9k9hGaz6h2iCYyuzWB10otsV9n7sncQ/VMNGnXYUuvRI403G5FInOF220iSAWCBe5UvGpL2pWHmMIdzPlWqd0JPioT0WreDZPH9H6V6c3TOd/TYQh0pPpqxH1upyKRtzM3MYgAvVvyNuQinCQEuXmwgJxrhOBzqh2inzzMfc5ZkydbYr/Om51zTPFWhxCMhj0b3ZF1kJetSORlu5aZCBxA4HDNc80jS92RCwtwTSME6vwzF6smF1bpqjJ5eFfmi7lnXfp06QthCBYBwY/+X7Fy7hZFIndL7pYgjtx2Zsltl5fJwf6XuzJ3ZXaLycHOk7swd2HmapODWCx3Ru6M0eQLci7nXAa3ntD/l5SWcxqcIk3gPUMt0yA/DaXk/XcoSsFwvjrYE+esz4EGcoLx3xdVr4j/XDfxesnk4V3Mh3Cdz+kl3uB18n3yJjn3Wic5axQJz7QcMxbKgZfxVOesyqH9L8fIwf6XE4yFnlVZA/Y/D9ZKzkyTJ1ti//MYOfXEG4ymh1bty/dC47yhSDhvoCQ0zvPYC8/LS6PJXp69HNyThOZLCs08cLo0gddJLXegpx1O/VnFl0Mad6672xdR+jJFInuay4xKnfD92dWuKS6KSsfdGocIyBWMSr8i241D7p4NXbiyTJ5sCV+ZbbgSiDdIF/yzpIuXxLfEgUhoXE2KhKtp3JUgGtd0ZnFNH3dm3BlCs2gcooxxxwjNVxUaZAEu+LVx+0yebJmKnlLHbVG8DWFodJ4gYwjk3JFnJeOsIpFxFiUhyehhloweeWkkWeezsP9lHCAkatVlYf/L2KYJvK9TS+SaGR0oJW9TaFYyWlhVJOlj7ygSY++MvROUPvYKs4y9Ii+SPi8LFjD2DEnfrKQjHx17VBN4z1PLvehp71gdtW0JSR/7HH8iknRax8J10nXS9AFOzMIheWnpmRczYQGuXSR9q2yXiT3atUETeN+k9XERPa12raZ6oVxhlZqFv0dcoXsUiZw9KIMrFCPM2SwvQjAvE+PPWUcIXlQIMP6c5ZrA204t56GneTn6U9aXQuPPmYScNoL0zCpFIqkHJUnPdDNL0oFMdyadtLouujD+zFSS/rKyXow/CRFIpmHypBViv0xqdenTtp0DrVD8k05+DlBkOggJ9mJJAtQaRKJi8UXq0khmuWQGOpOQ7FJI5DdJ6okYe4VaYk5B2kPvDumBOcI+f+LMZmB/Vt80k4gMFod3C/RZnMr1NAXRICIE6ZNqnnESnBpCsodqFBAx9u0BMovDZfLXpEzjIxFk0jjSa0yZfkTiRelFJBOjT08nma9RjUTw4oiDfi1hJ9xS7+p7FNA7Is7SoRIzFpkUXPmzsH5noVQS07H7ZQTPgL9DNQKacL8/bH07efhqTxC/Giot/Y4mVh+Uln4VKP3MT9KQ/yIW1tIOUI3jeoyKI/U2c7B3M46r8ZXgnaES12lyXjMlrsSu0e/sJ4lRYXvNQaoBCc5DxBmoy7dMXZZEkOUkyjJlxWH2HOn6DICPRd6YHjyf7iJ/dRV0gzgDZZ0gWfmRZI3dpynVjH7HbmMi9UrqFZIFy089S7IOUY028HqIY8qy90HWT8LyJRfzsTo2XZ0+8DFVJpGcMV7kCV6USo5c62PSFAXfR9Y3xu46r993wguk3SEch3WNtCuacP/DkMWknWIPhD11Wz4+dNRpezQ5zU/E0xD1Ofc56fTTiRzFuY2k/YhqwK84O4kzeF+8ojzSi5b8yKNPq9bkMuPrtAJ4IVy0HjFzaU71GnwfM55xIU1n+nwMvEtGL+H5sa4xGjOecYQ4oRj3isLzx6Fjjss2iWTEpTARl4JSy4D/iwtmGG/oGrE3NeH+WEinsWeZO+zpBN9h+uF0eMoajBr9xR7QJFYG5cUizhKLhPYQfATsNBa7niAPkQYJIugheqgFIi0RIM5Aq26nXWB32C4QLj2gyZJgSkecZVG3SjpmPxaxmLhO0ifj/jxJP65b2N8D7yRxBkp/lqTvIekDNG0/pGmUaV12ZJij9o0i6xp9Du8FresE1YBvGdVJnIGy1gd9RURZ0zSNvmXKqoEVXB59mWQhPxsdjHdOUg1Y2uhjxBko6ytBXxFZqzEXNDlOBKXF9DLhOOQwP+GI6cbz7hj6VsUo2LVjM0k/RTUQzzjWEceUPhy2aHwxLDuUUidhh0Yv8Z2aYhYHpcS3MREzO8aMvuOX4LmBJajeuNitZCOeiSkj2b1UD7Mck0WcwWv4pJrRVyKPPH6Vpmjz9C8eGXX0megz5vMcPPcgWlMjvw/Rf/RBkn6aasD/Re8gzmDpp5T0VyPNcXA3TzSCsuRuPuLmiJskqx32fJFk9YV28xG9xJE62TNQovg5WfBLeCd8vHWsUfaZnGoSyUxGy+SoZP29EJHSmozdzXFLkUZhw33wO1hndBvHaU24fzvkMRxdbGLY027LkkgIHBs0jTSjOMdaJkYuHqmtQCTfdmBkDszySG0HPBU56sigB/k1tZkOXoA4g3V+Tmlgk8UzwGvXQ746w3Y4NKWan344DOyN7anthGCFoxHRK/xjqokx6QJqLErR2Q4fCftPnUWI3qEa8Nmpk4ljIrLsUIjeiaSJpHZNqeZ3cpIQ3468NVJrXjiuJ8FnJC2GPFr1IxH/jAyeV/2G2kDmyKPEMeVGrVdy+4daXfQuTSPNk5DoTZDaMbKDZKSAgt9C+i3VWAHeYuIMjq6eU55l2KA9sh5rXJ2UJ7ebFLQ4jDK5NZm+V+KITrwE3mJFkmNJuZ50KxHWlTxLkUKVgtgkeRKhepf68WvC/cWQ3SWP4k+EPdnFbyLjctzUlLLBtAJkZylrU+jTj6SWxKnaylOWE66ZSXMTsdYd3eDpM2qejPg3JXh2dYn6QRyXUk0cU1tilNLW85HRwLsrciww/T0yFMcMxwyNJvHiCNiXPR019OmqJfl4Yq/c7eyI7R0UH0uNOdIJzWXyy0DoiCPO4JVyQa2U54esFEIVs8uk4D4AW4nZFLOJUE0dgYghZp0ijcqfWDUC/iVmhSKFygHrjAl+Z/YK9TNdE+7/GJqtmAC7P+zJbXl8qP06+jUlzDDn7SQTCZMSJpG0GXgvuD/8iWogw0vIIs7AnfFF8pebyH4H7Q+OJZoSzezfMRfjPpxofvvLgawvcY9DZyw86QzqBr9b+GeqgYwvsZ04A6VvN/OFfPNbGlnYBaSvatIn9EnXTAp6iX5YZ38SZSgy3ko6qUg9x0mfcViRerbJ9/co0gjLQEGEf6EeyRPh/kZI/0kt/KmwpybyYgNmI2maJvt6Ex3iFPtquz4x5YmI7+wtJO0m1UCcYp9LHFMffCb08U2KFAbGQgWaEs3vwiLSEYl9iX0kowkUPAN7j+wLWWTifuIMtvqfqhl/jfKmwbHQEU3C/FZFzF7UPiaOaWnigI51xAHSP9a42EHSb1ELRBTiOeIMlt6jpUeKCGLqNSWa38eJkRHBjRE3SBb8/4gLJOs21ZARwSniDJb1ExppfoR94IxJwX2gR0Y60bTHjYgLi3TuUI0dZqTzr5BlRLeHf7M6epUlwslF9CJNI8w8MHoWRmYfob/xwBOg0YRgHvg+1cD+nnCFOKEdtVWN7K2hMhIOEplrM2EnPMOeBLL8BPjuBLJ8zqnGWlA7cQbvbEfV2iyIlF8nNGiKM08q0LuI88eRJ47HjMTRSQW3UI1R4CUSZ6Af2Ete6EU6gR0gK/68ptCpCHoPOxWJl9/HCMqyUo09jE5FuPwNBzeahoxunx5dJDtEDKwo2sxbVRR8IfoC+Rh4iWjKW/mwsCj4CHEGjm6P6WMjjU5oEqOCstC7ENEimmRhhjh9EsLpFyBx0C6/TJyBsg6QRx0WdpYdFnPFPafJfteUtgb+6ppde1cR0xqN+DcO+amd/CtyZ24/QfJjqI30eF3EGSi/y/ToEcaKnFyTy5Rug9UkxunzAx67CRz6LTCP1TViEdvEXifOQFk/NE+AIsiK3aXJZmaQ6F3YLtsoloyFR7VRBsnjqQZ2bdsx4gyUtYvmMPi7jvCdapH+ZUcwN48NmBKRm8fmxuaaz6l4To0J5e7oPTYqytSG/Rbm4lYw37MMU94f828nn8dHUL1TmnCbGPI89gN8fdjTTuQBQ/eS5zQNM8/S7Zj/YVuG6WiY2xG7DOsgaQ6qMQ+8VuIM1MpBmoGcSDNgz9UUf9OUhfHHX4zX367nMYhK4k+TLPrFSAx2q/hu4gyU9SbNwMuRZFkOagr5CMvOcB8RUxPmI1KpxlrTR8jv0HHxypD9409M55KvRJA4SVOYxLJwidEnwyTSr0wsDlPiKCXx1SESr5HEV4dKFKc12czzAXEUbRpsDSRxNt6rIolpVGMbeG7iDMyU/xz0SuKlCLIWaooyowCB+CTqWBRFAcOxIqPo0y7upBqIrKK2E2fwuP6qx0WR9gBZ/I6mkCb5gFPv4WvCNJlONcxTb3CkJp8fNLrrNLrnI42OrzMpKHElIrCVfCVJRM98EUl0UY2ZmnCbGVplvJo9EvZUZHksgrQ0TVbznIPbYc83DTrnkDoz6JyDj9M1kCdwo5c4g3V5lWzkWxHOVPZqsponV2wrE9bd1t0kC/7JSidXnH67whCtWdcRZ6AW/0JafCGSFoPnN1HppixEa1EJUdq/8WGIxGVqr3rOY+b5zbBrxJHz9tKQ0d2k0R3433/mNEx++lVDEj1s0GdO3BuaKebgHWFPNhUpcktthHV+TpPVPBu0nIBGD5GGuQ3xr9KulEC/VrFg37FuIs7g8Z1h+rPmCCvBskRTmE+ZG74SbGGf//AiqlFtroQipdHXhkjs1RLxztB1ftek4Dq/Jn/HLK6RRPmb736S6KMaJzQx+bVoU4diH6sMe9puaYkgrVOTxfzmr2jD7hFnoc8DpM4UEtl3KdWYA7pKnNBpwmw1sgifoalzZpDVjILZIczXHitFwVZ4KWswCi6nGpBrbSfO4Djxa7TDRcgh/p09qk/egvZYMcQeQ78FkfbYPMAe31X2mBMpQ+NnNDHzVzccmQtshnJwhv2dH1SrUaOoD7OaKmqxwbSaKmU1mwaOW/zO3B1eiHR2zRs1CfM3frwetXeoTFBiSADHj/c3qF45fJW07y414xpJtekLuWgmzmDL/b32PpHWijrp7g1fK6w7fK1YpoaNusb0hcFR1yhUGweN+qL564sX/vezrc5dg7NdN2S2w052EDs+GPZks3xSofn/kbkwTOYDQ2ROGiCzfoDMJ5TMb0T+ZM8W0MTM3ynYEMvC4kybs6VKm7Ol0nz7ta8Iap+fCtP+ZN3CesnU/mQl+8VB2v9bMAsULw/VhHWHptB8WzeEzzefEyZxCtVYZkqcotaThw22sPeYjikjWJjVr4mb392zZiFKaOJ09smuqjWgJTZQDWRymHvNGSzrFsmK4EmMHpNIliF/ZXvQOEiy2sDZSbKmUo0NmnD7odDMGq1sethTs2X+AGnq10DqO+qaglY1AyhnsBkkTeqMTpu5/GUJl/+QMci2wqTAtsItzWZpVPMb2sH9wH9U9SwjYBn7pqs+VD1LgSpLVJkfihNYaqgOewf4ZN9dTH7KdBqv8n+XXud2ZIWHeTwykyN8Nd/HjvEf8R+zv4sUUa5OiLgh4/A1JFn3lqIwjGYZbBwrZ6+jt1+yX7PfsBuR/sNC+RLtx/Ur4/8RNrN2ZuFL+UpDnqlZ2Dv8MUtJuCZYskTPQ1FhOq0wWSMbpPYATr9mAUbB0vTvh1WsKdgdleEb1netF62XrL8Hh1v7rHQOYdmviJl9KL1Z6DNYeaLIDK0zpZsupZs/Kt1cCxtDLhvB/sWj6R9pbt3zP2lGSDT0PzFv3+OfYuQ4pb2nhWU86uSZzzLxBTP8/5T/SWb9mw33kGBjsbbhkBP+rwppLEb+K4/6T54u/iRfrv6J5yn1nyMx6v9x5L/j7GN9fKT6T5wl1rfDWsdh9GvZs/Kfe6QO5b/oyH/NYYY5P06F1aHe/S7u5Z5hYL0LpXXB7md3zRHpLEewajU/aq/ijxJviupD/X6Nz1O2/80wKZLilB3Eq/6T4AUivq9WriHXIt4Pt6JpqvUbYWMrYsn0T0Qf4H+I0CaZ/ifoA/xLUJjkU2H/0CH317ywp/3Ktk2M7/9BjfvlMN56NtbUnsv0K3U0+4+r+p0m3038ZmnjokV8Rj+b/b+n+K3iC2q/0r1mqdZe1YNuvUTNG8eqDvabZr4j239ULFDPgs0dkKXCVvjTvE2SmgO5476OGqFZctCrYXwCa96pYgfOPhLWRxaL/zdrCOsR6+e3CKfetb7L7FgxVlh9FNZNXPhY78r/yuDGWwNsIFrp66P/AwwX9+UAAAB4nGNgYdnAOIGBlYGB1ZjlLAMDwywIzXSWwYipBkhzs3EyASkGloUMTP8ZGH78ZmBhAINgRy9HBgcGTu3TbAr/FBhnsu9kfJDAwDj//nUGBhYV1h6gEgUGVgA6XBKoAAB4nG1XBXQVyRK91VUVCE4CwcPkQRIguLsFd3dd3N0tuLt7cHd3WNx18QSS4O5O8jvAcnb3/J5T1dX9ZubM7ddz7x0ABgDbSGQz/eglroftvyAIbugLd2RBPgykQTSRptB8WkQb6SE9pSiTwuQweUxd09XsNcfNSRPCwnHYg1NwGk7HPXggj+FxPIkX8SreyCf5PF+T5JJG8kugNJapMlPmyhLZIjtkjxyU83JDIuSxvIxXxHu49wLvz05ix9txOX5OOierk8PJ7xR0CjslnM5OH2eQM9pZ5Cx11jubnW3Obme/j/p4+iTxcfn4+WT2aeQz3Wely7jcXPFdHq7EruSu1K70rgBXGVdTV4s0CdL4pNngO813oW+UXzK/on7F/Zr4NfNr6dfW39O/lX+HdFEBWQJOBJyOirJr4A4HWZEfwb+wB9MGekBP6ItJarL/wr7HHLPYrzPY7Rd2P+5usQ+z2CfwZF7Cq3kTn7LYISkkrRSQEjJJZsgcWSzrZbvs/oH9uoTLI3lhsQdZ7MGOp5PEcX5hz+7k+429u8Ue5AQ7S5zlziZnq7PT2fsDu9cv7PV9Jv3GntBiT+by/oW9iau5xe5Y7PCd7hv8D+wtfmFvnw4BHgFHA05FRbnZXWEy2RVA5GfqE3kI/2qRlyNnRa6228af4/ycMRfMCXPIHDANo4Ls78ttDI8cZvPI6Ar43tvGHPynffv2Pcvf9bvDQNhjIDw4ehTeM/xGhMe9rOGjwlvbo0K4V7hXmAl79O/rI+pH1LC5ULhnRMGwfPb6RWGFwnKGZbTVj+cKixcW9+6T6OquF3CnOxByHAjNHZogNH7Im5BXIS9DW4YE3n51K/D3LaPfgE+2S0Tzfk5wDa7FdbgeN+CW3P7XXOsfuSV35t7/fJ7oEQ/5UdnM42xMs3HMxivxk4ySWbJKdikohaPPie6lqBS3VXSUs/FFY/53jf5u8k4+yCeNqbE0jiaInvmZf1SxfldxokPj/T3/c/wz3LL/v/u63Y550z2Re3L7H0aZ+eawWcYxuJjUNUfMKrPaLGF/M9tsMrPMCjPHzOXMHMCZzEKpY1cqOVLAB77Ig7wojGKohCqohjqoiyaWN/pjAAZjNCZgERZjBVZik1lnVpr1nMts1yfYgyv4C7dwB2/wFp/xjdwpDsWnxORF3pSX8lMBKkKlqQI1pibUglpSJ7NGmpu1nINhFliuSWHfuNTSQurrI2lAg8wBzmk2S0N9I005mxllRutTLiz1zCJ9a0ZSkDloppjJZqoJRkLLeu5IgvhIjKTwRnb4Ib3lubIIREmUgguN0Q5N0Qy90YbToyemYSImYwpWoR+VxGnsxWFcxEmcxyVcxzPcRQQeEyOSQITblIrSU2ryodzkzxkoJ1WjilSZqlArykdt4Imzlm33Wa49h5S4itS4YZnmJlLhGtIgBGkRipx4AX+EWf55glx4iXQIRwF8sFz8DoXsHi2IjyiKryhimboixUR5ckMJRKECxUBpfEdxUlSm2KhKcSkeqlMC1CQP1KCEqEWeqE2JUI+SoAElR31KRknRkFKgO2XHH+SgG2VDH8pjWb8ggqgwBlEhDKGiGE6BGEbFMZSKYRyVw1gqizFUxvJjI8yn+phElbCQGmIe1cMCaoCl9AdWU2uswWbqjK3UFVuoC5VCBwrADKphmfU9elAOeOECkuEyelEujKASGE/lsYE66BW9rC/1sb7Sd/pan+l1vaG39I7e1RC9plc1TEP1pt52U7cYJrP5brKYrCabVaWcprrJZXJbfq5n6puqppapZmqa2qaGqWPy0BgaS5tpBK2mVbSW1tF6WkErLbNPoUk0j5bQEBpKw2g4jaLRNI7G0wTL/pMt+y+w/L/Q6t9iWkbLaSmtsUq4iY7QUTpGx+kUnaZzdJ4u0EW6THfoLoVTGEXQPauWj6xqPKc39JbO0Fl6RyfomVXQF/SSXtFjqyev6QpdolC6TyPpJG2h97SVPtA2+kjb6RPtoM+0k77QLvpKu+kb7aHvtI+iaL8BHTBEB43BcmqOJdQUy6gZEuAUPHAGsXAEcXAMcXEc8XACsXEUgv1W1Q8iBg4hJv6E4gCy4Sly4Dly4xUy4B4y4gEy4SEy4xECcB/lSFCGDNpSOrSnDGhOLrSktGhFvmhNfmhBadCRMqIzZUYXyoKulBWdKBOmUlVMp+qYSTUxm2pjDtXBXKqLWVQL66gd1lJbrKf22EgdzQ7rIfaZnWa/2W0VdZe0lNZmMcditY4iISfixJyUvTk5x2R3js+p2IvjcjxmTsnJrOp6chJOIG2kEZfiQC7BJbk0l+GC1oU4XIhzc1HOyC7OylnYl9NKUn4jvhwl3vxJUvNnScHvJSV/kCT8gO/ya/HiexxqGTutFJF8HGkdSyHJw98knZSXvBwmZfihZW4j/lJOcvMdKc33LZeTJBaRDBzBIZJJYvBLcYlKgNX7XJb3Y/JXqwBuVgPKSk4Ol1ISy2oBS3p+ZP1QFnG37sCDn4knP+dLfJWf8m2+yE/4Fl+Q4pKD/5Jikp2vSCUpyTekopTg6/yYb/J5qyDZ+LJUkEDrMOJIbIkr8SShJJD4kkwcSSWJ+C1/4Y/8wnovH37H37kal+PyXIErciWuzFW4qlW3ulbjalulq2n1rj634tbchqvzDJ7Js3g2z+V5PJ8X8EIOtm5uMU/laTyFp1tvN9k6u618gA9bj7OND/IR3sP7eDNv50N8lLfwDv6Tj/Fe3s+jeLT1Q/14IrfjvtyH+3Nb7sAduZNV0W7WMXXhrtY1DeIgHmy903AewSN5CA/lE9Y5nuLjPMA6qaW8jJfzCt7Ju3g3t+eV1lmu5jXWa/bkXtybz/FpPstreR2v5w18Ri7KJa0ml3WKemp1uaKbNYd2k3c6VRNpDflL/9RAHaqiSzStNpf7ukVzand5r9M0sdaUq3pKy+tYq6drNKO2l+e6Rwtqf/mu8zSVNpRQPawldJiqLlVfbSEPdKvm0h7yQaerl9aSa3pOK+tETaAbNKt2ltd6QItqkJIGq482lXA9rmV0lLrrSk2vbeSJ7tR82se6gNmaXOvJLT2tFXScxtW1mkk7yAvdq4V0gETqfPXWRnJHj2hJHa5uukz9tKU81G2aW3vKR52hSbS2XNcLWlUnq4du0uzaVd7qIS2uQ5R1sabRZnJPT2o5HaOxdbUGaDt5pru1gPaTbzpXU2oDCdGzWkknaHxdr1m0k7zS/VpEByl0oTraRML0mJbWkdaTrNB02loe6w7Nq73ls87SZFpXbup5raKTNKFu1GzaRd7oQS2mg9XoInXpHxKhJ7SsjrYuZZVm0LbyVHdpfu0rX3WOptD6clvPaEUdr/F0nWbWjvJS92lhHShRukBTa2O5q0e1lI7QGLpc/bWVPNLtmkd7WZc0U5NqHfs90V8GyQAJst8hY60bH89zpKMMlT4yWnrICBks7aSfdJBOMky6ynDpKb1kpLSXIdJbRkl36SxdpJsMlL7/A5avJe8AAHicNY49agIBEIU/2XULa8tUYpU6p0jtCbyDjeQEEuyEkCI/JKIoYqIrKuqaXSVs/hSM2UqClZXkACG4eVkJw8C8mXnfTHxFMn66TzNNEsLtf+6Owq+//l4zw8dRLGkqfBI44TdFVXOu1G2FP5rmeKAvVSCgxzlv0lM6VFlJ3zKKndCWcnlho5nPO3d05cyLVeaeAY8iBmLa0Xwp5zUNKYeJ+HXt9PF4lXOtOzbP+i3gU5weY0pcyPcUMaq67KpeiHFDTbtDpvrgkooo3eiLDzZGyjywPPPMOLSOrayV+QWU4mJ+AHicjVfdb9zGEV9S932n4GwErgGq6BJbEgEo562FrBoJodOd9dHaJ93ZIWW7IY8n2UqT2Elby2miVnXr2ti+t+5/sbRfpDzFD/lj8leov9nlnT7gBiWW5M7HzszOzszuhmv/efnvfz3/x7O//+3pXw/+8uf9b77+01dP9h7/8Q+///KLRw8//+zT332y++D+zvY4G6XJx7+9d/fOVhx9dPvWcLDRv3njN79eX1tdud5772ftRn3eypuNjuhsN67Ms7zRRLd5Zd5SlY6qaqS6GXAVbkTu+mbUXXZcN3aEq0JV8rr0pmOZTQgxRGAUxkLE+kCsb2xFvCsTTQRmeAYy9IUpregpuzOMVC8AdAq+ruEpuHKOvDohC65YX8pxzmY84EMnt3Sn3PlnjJnEQo0C4YpoG7x5jbXcYdJBrzXpWfw6JPLDNhvhzT4Sh1bR24oUT3biFXAz21O6DQ7ZL8QT008UzzhXFU+M+pF0lZUIp4A3I3jMSh3pCpfH8eHxmzniFi5k2WwpF9aLjTy0Xgy2oqM2Y/zFMHplW3YnWYrzn4MWHXHGQo21CUtIAjgBbN3Cyryya5rfOQoZO9DUkkZoOMMsNK42wVksO7QNrm0U+VpRyGxQSoYSTrhLwNUM7sBwv1dw10BpE+VbZluMaaJ54CWsTNgoh7WwHrbsWRtrQahXwHwL3rrFXresWcvJIXNTow+tg7weOkda0mbBeQBOwh1McbCc2E4Jgj4z8VsnM7i1Fb1uMcjXX3As0XNlvpvbNwJxEtYbEVavm1s3ggShTeCM1+UIaxUOIuJNHMQ8onv5yjxFF4/EtiPi/N135aNu3m531mUHgYxY0wGWpxU/CaQJOQo00V5EmM54q5noJWARSBu0VaCy2zxRoyRAl7d7skdRkRI3u5TbM15ulTzrA/YB/FZpqYbYXlJNsTSlfMg+NJQKUapiSVmXjNe7ossv78pMjBCBYT+67+zEKWSrUKSqJJacvMSWkC+XLUypm7MbAea2jhi8GfTvIEnJGVzKZZ6HJT/NUoKXXeS9LEhieTk+NaLLpQrTLAFHN9bMyEQguyLlY3gZ04XnBgLdrS0aM9yKZGssxgIeDkOZYtoOz2JHxpn2OMbDNHZlvnxSnYriZFPOe9kOPoecjRIxMgjKzvO4++cRO+A6jRNrpE7/Lf2Xa6I7Bge96VjNIOJcPo5NyLC+rhv/k8k6xcSxplq4bP9qAlkFBABNqvtnwQdTsEdvAq+9b2JFlXyKvMhVnzjq0ziYsqTqYMQlb4tFQR89+Dq9iSqjc5ClVJwqFHtArAHBoxFiGQJ7iZxEHIaV/Kkm9XlwRiRKqjWEatuj6aiDPk9iniTAIntch6sy/nwnpeCists38+mj9uOXygHGMkogR1WxA+yk28JFtVaUtMb7ZGMJ1rFBpJgjpZDKgoleD8wQ76uKv0o/tEeBSLexiKSPp9t6bA/mau+QNKcr3Bgstqd9CcehWozok0lEo7qHbCt7F+RFya9KVK17KLglP7udYFvgbd7jeqlTRDI5YZWgGIIMY90jRozXzVefBfm9qneC0e1hYJhrWios24xUf8JS1Q2dLwJl/2QBRJq8tYn6UdILRc4re6twb4iocmg0V/YwKpZHj1+loc5kwcwwYHTZpW3RndjbNPYapRXdWrrVPVXzsNCqBBsMuUrTOQkC9GG0GTOjzTUTQB+qeEHRE0kKoORt6zmZ7ZBT+cRBIRX0OofH3/VRIxNBbxyT+ppWRCO0aGkEk7sqRHybKwpNpjWpreopnEY3dKtqm4lmplQ+6/jCe0fH3zHjObd4KGZols+LrCzybttRD+JgbEZVigrOUVFRubMNfdq4g2wQbhV1DNNHVnE1CLCJ6Lk9N15dM9WBotLqCdZDDBUddokpJlYs+jCkllhRNsBpT7yymVUTC/Sri4Xctqqo9lSM2rMtFHqZJWOzUcPLbMG5Rkejil7oul7bx1SahlHZKcU6ZHy1FxRRbL6Pgyl9j3KyOvFkjWhySixrcXsmNvzi+ziovXWUrP1/ymrFaqq6plE18ms/rmrGLNCaWa4120heM3UCWD+Tkkpbfu8dytCWfwH4izDtKoy8WlgJ33wDU/qkuqYxGkS6Vckcs2xeE4Q2eN+Y0G6C2IY1bxzDhXZ0fMweBxNu4wTY3fBMnBfkYrSJzr0gRq9HbwKWHr1FJjWLLG2dq/qFeLOm9bNEMRVGG72YSiQot1o4A5ecMjT6vA13LWp/+jAVsFzMrapfMJSJwfYWpWxO6j+V/yMcQJk+XLJYnkeofawH1nr27ZTaeeysRherPDv9E7JIh0ZHNTt0fqG9qU4B8D7Wd//7oubo48Qpx2gUpeJp7GXyfXVSEh4Gk7ETv+3olC7GnsMOo31gyVPf006iLPzLvkuvQ67T2ijGHwbFQXefVvepFvc04HwX56yOhdMWNspd2qo4cdd8XeQkDjy7aarrkL7GXMZZapNOx7gBiDa3rrFr5jIkinsG9oCSF11zrsa4Vxwe/zAXm1JlY5PHO5Scty+AJPlFXDTUM+3egiY0Drt4xS+4aAbPkJyGj6xv2XJ9ACfQjayx4DTolje5YL0MfozMaTyqlPpYPHHJFeq2+AqHhY5QnN9FSQTy+lwsJbZTKegmdTsyXyJZ83N0MqBTTMHrzOGOdgK25ijc0sPj13N0XZpq+3qi7Utoo46cqFPZW7VRlFl3TKyhafPzXzJh9Jf8Qqm8K7dwP3TVT0lxYQfAd+ZiLQGWvCRL/gvbMGjtAAAAAAEAAwAJAAoAMgAP//8ACnicrH0JeBRVEnC/7p6e+75yJ5MbwhEyCUm4MiD3GRUh3Mgikl7A7HAICIjcQkRAVETQCCxmEVnUqIjsiK66WXRZxIioQfBCXVkXFQFJ5uV/R3dPz2Si/t//O06SYarfq1evql5VvXr1GJZZyTB8oaaW4Rgt4w6YgFYEbJDhRUYXZArQf4U9/HafPcdn963kDoezWV34uqb2xoIQb2MYlumKnl6NntYyRiY9YNMBXtCLgsCgNnjSQlGBvbx7gd1RjtoBPpDF+TiA3l3BTpAJdp6eAnVTQOVxsO04bhRMhPv5C+EytpFpa6Nta3PZXAYwDBA01xmGMb7EmgAAdeOYguIIzEAFpjUC80gUjG42hWFyMQzQ4tbAADRiC5dkBaDzuMgz0lNwcqRl9NSXSvsJAROXQIBZBw/AK22zGfpYh31d+62+yFPPRz8lMOQpbwOX5AHMkbZrL3fw3L6Y3iBjiPTGpMR/Sluo0OwGpZkthq6azro0peUblGZgGnMdY+Q0Y4yuIIyUp9RUK4yh2g2JaikEuCOqxfZ27bd7Q8/tUVH7BqUbeQ6P32lnmJK4T63WHYjpDVNtKH3KDEDP+E9pyxSq/YyeNb/MRdgxMn5NrQKFxs9YGqJGHIezr3XI2TUyDOYGGWZuFIzwjdJOW2w7WEJhFZFQL5PMdAp4E4DLkyh6sIDqLaJLX825XFRQ7X4k7fZylaxmCm6Xv6hUK2Rl5pYU9yyNll1OXLQgq7ujW5f5y6vGRMtxVWWV8YD+jkkTlngiIq2MaY6Cb1hFw4ERGpL58TB5ROIvcwLjJlRkGA/DvNJ2OJqKM5TWoEEZ/TZ59J0RzEg0eivjZAoCiRa7qNGJFo1Fw9gAjzWdSS+aJEVVUFDuKC/v3p3oPOBzI5VH3yU+LeD89s5gC7sNHgc8bAUBaIIfDALTvmvV1DbAYQ1wSMPVq/yF1le5QQgz0iuZ3wSqufIJZq7IvHBMHYKZRzBLYHxMVsCl0zuSRIeDAXaigZMVDexACrS8nOjhIo/bJWjdHvwri8uy+4t6lhTncghL8kcd2H/20nN7T1+8cPLgwaNrtu3Ih5dBGvqtqX312VWP203c0aePvsufhPfeMXXyjPDrsPuSuTX3IBSZ6W2X+OWaOkTpxIBFrzGJOg0XZOwioyc4FBUUFfbQZNhtDELBq83Nzcpk7TZfUalXYK+GRTAaFD70cdH2rptufv1b8PnWB7odcrHNYBJYPmXcQwOHw/+0MeHTfQ4PxLNLeiK0Saa0qca0AR4NALUyX1OYQgWmJR4MzMAYKzAXCe+DFPRrUEft3KDtJLXvq0yBuRrbF+IiPFer0FwJjBmvkYxeBDoySeo1ElHHZ0dTgn7XgSp2Y3jRli3giKY2nBsezZ9suQyusCkSR+K2DIjWaNZZl0nEIqhxihrUoFk9635Mdb89q0Rq3ekjrfuy7L66RYtoH8/B11AvcOgW0J+dGWJF3Bs7E07EvcGxaHwEd0IDH6XlScKLFrWukXBiBSYTLzrkGSw1eE13IIHRaBgqLWjkaq4k41bkpI47GE5hC8On2C81tSFYFYLjQoyEAZWGHDrjaYTCUdqOwgxUYFojMI9EwxQqMC0dthOBuUFhbDEwmqFktcmh+j+Nrm3LyWrDKqsNiFkB6pBuV9rGa1ua3ANa21i6tgEkv9FrG8ZoRrverv12b+i542RtUz2H1rbldG1j6doW76mRZG1T9waZfLq2sXRti/sUkQFKtZ/TsF5mQfTaFgt1NR79MY3I+kdhEI2Q5o6iShyOuNbhTNbIMAITgZkbBUPWP9pOW2w7mJfR+od5OYXpGkhW87LNLRpt1clGo8LUfrIExuHs2IWwRMXqkVWwd6nC9nQBvOuO4TMdLmUsMxQ8Yb6C5zYFT0nm9ExywBolc1TgYrFSUMCdpoTCTZIWX4G0eDLWLF6P6PUycXU5bStGn7uRPu9ZakernV0Q2ObwGjAcdH74QsnD3TZVnrgAQkXjc+Cn4ELn92XVftt2pNq/bQufNulAZSg8w9xd1qcriCSXUUmeRvUy0qer1Dp3BZEkCtMSgantCOYGhcmIXQNWkDWAwnw1n3BbKuG2DTK30ZbKFKirsb0hytUi6mcTjZeMLECDyHGMgGivk0yDIrtEfewLIY2MftY2srrGRuwMhR9hxRsL2JnhXXit6IdaCqKWnMjiKggkGDmvVrSwLm+1yyEiPW9AWt6mbrWgCP0h6/kSP7I2/G6/O4v0gSejdvRo3BP6Gb6OnS/uP6Ev0X+hVg/ukcvEdhXBntCqn8qiBzaNSg7qEYyOjBCv8AxAXMGTJUcXWeH9aO5Rl4TD6sEI+CI3Hb4ARiFfLxRquRyS/D3sLZqZRGRNJniMOtFrsYqspZplGZcRNaeRVwjCZbRdtHr5kQDZ0RB9dhsowWP1oTH63WwNnN34wU/HwYaW8OHDrOmJ58HiN4GLE0KtfWAZqwmxxlAo/DNZR8gIiNbor/IHgUmj0hoUZqAC0xqBeSQaplCBaUctBaZMgaHWPhvpLC7U1XgYIY2oIxqxv8ojiNWIsWO71uHYamQYySMgMHOjYIhG7K/yCFTtYE5AGhFzQiqTE/DYPaLJXg2QGZzCmHRBmSnIxBVhoziaK3ztVKGKT+ANtTKUuSZGF9JRzFAwpFY7wVDRhVhiMZfZsS7kecZiRCIUZLSyCsPKEOmvTLbE7/JgG5hoLRfPDv0PbHysdsNDsJbtA6ELaL57ZP+WNVxSqDX/o//JWuWPZO5HE6/vBtNAKeQxq9cMhON2IsOpAavJyjlEjtEjdWCRBddRLlnkfns/1oGwYLUgC02J1l7XuOmdNYGTD20CM36EXwe2ViL9wJg3fAh0tZ/A4P3hWWxqVhctLCdrZQbuBeFSSbVXPuEMN+GMBYQzVOuChrEH9AynWhEkfeSua8QGV0tRCLV5n7Ky3kI9dniQjk9Q+4R03cxAXghZbZAyQP+App3Xirx6tQFOPwdIH+yNoqaJrTdQT/w+sAyuaZks94hHQVf8W+goXGQUWtUo5BVQgdKyTzGPgCCGMwEW+XQBebS9pNGamdyABxh4La/T6TkW0R9zpVFUFsOCIr/di6bAZ9eWlCIUc9wahCbgT5xoBNvhHHYlW1j9SjW7N/zW+6+8D3NDqG050mVFVq3dwJureaPIMwKrUvOoXWpz+5x+J7bmkZOF3KyVoNse2x7Q7XjSniN7ktCMPsHOuLGA3xJuYEe21GCO2Y7aTiHa1Rsw6jldTKuUVwCeryyQZd/eCo64jrfCoS5ExUa+DLVV1kJiXqQdMn8TonSc2jKiMIUKTEscXbEdzUoKoTeF+YpqHbMuirckKOSJIIo4OTvG2mQU7aZqu+ITR2OPvE9tXmnPniUlkXEc3L3KsHj06N6R4bj2/t1iqneYZk6tIgMDbSulnly4J4tOYwKMaALVSOMYiLrBPdlJTxxqvkRFK9LnIsPiXQrNwMHdMKPe4Tim+VImXutK+M2f/26KUGeGMnJZv6ijAiORFpiJ7CQt4gXsz+lE3iTyyEjSy/4cto2wz5Uj/WarwldYE2sKXwG94NvwbReLTL9wSrjwCJvAdgk3hb/BfZN2yexNV0csbbzKZqEwAxWY1gjMqmiYQgVGitC5YtqRInTT40XovHY5ZqY8JT2H1iOl7XYRugwCzHqI9C6LeDEEo3a9Xfvt3tBzNEKnek4VofO6SYQuzlMziRej7i0SoUPd4QhdvKfIajw9KkKnkD8yfmIzTldH6NQjjjOT1zqcyRoZRo7QYZgJapgLwkIJRou08BZ5Lhnmgygo0ttcFd9wCVG9IbxpS3NVeHNp7fFWt3QtXksEpkaGkfAmMNF4Eymaq5IiArMievwRGv0Sn94Yilgk09UxygglsTwiiwTLYyLjY9ICDkOaaODcjCi4q4Uk0SLoJQVRgZckbHaUlmRTsdRYWDe2AJA9wsmSum3+8iAyHZGwwr/0mDGg2+Ccrg7/7VRsYdUdk3bmeruydUR6X7nLnltRltQP2SfsSEWQOWZA21KETyuyPxKYdKYwkGpn01ypbqNOJwDGak0UrfqgQS9MF7yiwGGVkWQ7iRBEPxx4TfLmlebi6Ji31Kv1oD8y8ziXF+RmZYAMe3Ee8Pxz/dp7WFN98Pb1i1aGrzy7IDEXnBg6D74NeoFeBbDnsHUjvm4Ak9kvR9aPOPkK3BYuHM2uenUplzqw5Rib8K/7Wj8bguhKcCTUX6TmmQyhHYfOUGgvRUhtyixKunAkor0H0d4fyEh02UWzTTSb9S5dMElvEvVsUEghw/Qq5leBtK1DooI4EujwF3n8qohpppBXVGqnUUIHq3v/22/f71nZDWxRoqc1WRO65adlda1ZutIFloDx4Haw2iUFUl1HBD7fA8/Ba20M/Ea2V6aTmJkT2ytmPcKPAaZ43nEG73Yxviy7Uw6O1oE9gAPJ8CsY/hj998ShQ2iR+up7eAMO5U+G63ds3L5H1YOJroVWo8hZRCtn5RilD7sSG0Z+i1/qxx3pp/FjwIIU+CWESj/NNy6ijpq5H3E/Dz9FOL2YcLoNc1bAqXWLWg6Zlai3as4uGjmZ1XE/iFsUPnfb/H4tkFic2wNHw8mEw2+5NMsFZ0rMXQyO6G5i1xLWXtBPB2EDW6NwNUu8xEVyxDng0Bkdlki82SAv+O2izciwzczy2YEcZK4F35z7YdlCkHMZtun08ALIwO+7167V1F44+dh7PcJ/Y1PCX/InoWlFcPl6yTtdRDh1OeXUs4QLE9U2DYUpVGBa4sEgG2IRsWkozFcGormTou3l+xA/5yAKZyELMsFtTxB1mQZjepolWce47IiLBSUOgmSVMnBeqcfjzygpzsvLxT6NXw6JIFfH4/V6PG4bm/djQ9K8f90OXKuubn388ifrTk6rrdw0YuF9w4eeemKfa/SJ7j3evrd3zYCjG4++O3ba5qH9/3D7oPGZM4Yf3QZXYKsc40QocJ/aqsu2q2SVwhQqMC3xYBAFcsjaRWEuvkZgOqtj3rHtSN5t/q+1QykJclRxExwTQS2tRZTMZPICibpk0WvUpQga3uISLfogn0YMJikYXIBpiXnG1hOpPT/AGxR8FiUsYZq8PKT/cgW3vfZnYIVvAPjNk8/C1kuLb0nqeke3ezctEP8KMiZM2P8ItweYfzgA5+Z9svfTK95XdYYNy6ZvziwCoSLwWH3rVJXtZkOS6gs4XRqRdbkYs040q4NcNHxO7DjkpPpYX6Y2r6efGHROn4NYcyzXLxNu2PtAyq7DbA2y69ISw1vdLvZYeu8UcCLvuW7EugPH4EBs31dK+kHLOAMGATskkcgJdkKofwyuoEXaht4nkedbpH7OiiXOoBVEC3rWyHGMVn6exvmVViKeNm7tXVBMW0S/32UrG8CJUAj2bAgfxrNI2iYzfb+aY3ScSmYq0UxPJzJDYS4eJjAWBNqjI5ivWgg36KPlCnNDNhmJ7WUjzyKbGTmPFQUVfkJkbKYjGSK/BXYsLGtcvh7wjZdcoJl7s7XP5i0gDf/+/nssx7glIg2b1dJgU+NNYQYqMFIcx2ZUxXEoTKECI3G6y9iunTIFRo7j2IzqOE4tInI2ocBmdYwmxiaMxftah3jXyDByjAZ3N1eJNSLL3SEsRL5QcsBmRFrfUm0k7BSJ0BZEExV5RH6bVk3Zvq8c/z6auIa01+Hnla2vf/+9hIfGQXB9RE1jjzVKn07GeCgw0qiT2406qqVr8VoiMDUyjDxqN6eKTFGYGUo7kl+GYbapqTdKReFf4s8WpjGxKDerY1yRecA0RhYl5tYMJjVgtyMbJgWZkynVbsEiEnOywE8lVzEnVQystirZXdianEe5GX7avaqc2pPUkPQkg9fU7A033mzNC/iJQRnhhjkKpmHVeAZGj4dQZrOaMjZOFRHrIu0aYv2j50lsmqqPIrxb7wN+8kLaquYMGOkAI8/AGmTmpPGf31iAnnahp3cR2U0JWHmtmTNpBAPe/JYjFBXEbvVzfqf04nxcFtdQd3qxa3Xjfa7Fp+vgO9WmatSki1vTuoy/dGMBN7V1D8aetE3mbE+UNKtXbgpTqMDIkqpvB1OmwCiSqlfPfWxvsgzqVXM/AMHUkFhMUsBi0AKe1+PAhl4Jx5CxAkD/zwJgAHgBjroIeoAeF+Eo8MJF+G/4b/Y19l/hC2xG2B/uz7rD36F2E1G7j5IdGm/ABHQajtXrglqWhi+kYJQ0EVh35zSDiQ4wsRnmgGvcw+Fe7Nutf4R6NAbSDhlDvZpiBlZFDQpTqMBIFLMI7WDKFBiZYgZBTbFEpNseJbqtXi3ltuj4cyxOEl0N7furkWFkKccwc6NgiGzWq2UzzthmKDASv2MYhd+RjuC7EVonBiwCz4k8GwQ4AEyZnkbpSgBeLIHP/Qi7JVzDrQlPZo8c5tPQ2vv5YdQPaYOM6bkoOvMqXChMoQLT0iFMmQJzNQ4Mzpcykr4Q9+HMFdgkxWMC6DOOWaQZSO5TkjNq5zUmQ0HgI9kHMzuI9wl8JN63uIOIkQRDPD2lnRjLUG4HW5gzO6CHDIPHulj2GDHO6/huTBKTy/QIpDrdLtHjNgQzhCxRh7jCYkYuO85fSWCMkjfjKLcTG4ea29TG9hKrsNTLe9x2r1uTlyUgnxEHFpHlneF2gVN/ff3nzxZPfPgh6DoDtG0N8KDBbTwoTrmnX9ld5UgRPPlQfUNiufgHXnuM4z85DQd7Dhj+s3TpgYFiWcCqeWKXTN11wmQ0mlfJzH1E/d88CwDPq/cZ1wk3KTDnLikw9VEw2q8oDJOLYdDcfsQYwP1kbssLAMgdF3lG3p2cHGlZibTh9nGkzU+A2a6xkbb4fZ1lEuW+iuP2hZ/S5cQ89Rnq8Tef0r4f89T5tquRcTG2+E+pqPoJpVhBLFXf0B5WWv6EUgzcBcbieGG3fBwvPPvyuMhTappNjqHZJxLNSglwRzSL7e0sWP5bvZHnLsc89xm44/c8p3PFPIfpdoLQDT0IyuI/pflcoduZ72m8TCFvhAJ8NwVKik92jbbKYufgbGJHnL1LgfmM6QBGE4G5cCkGBss7sqWwvHdhypjiQHo+kne3QShRCXsPpquYnCEmd6IS/24BDSQgoa8o8Hck8lohditR+5tKIGvyHZENxpG/qRCAMH443XwcOMWWzKrVg0KfqcrYP70UmY+VkfkgPLJAmetPFdlPYJIa+N5I8x9p2xnQj1M/qJqj4Ur7568qtN1FacsxbgTzKF/GdGIKmT7MTYE8T1JXMY+xO5OSGKdQKgpCFiaxs7Po1AaLmR5iVqqYJevVImzGOmh6dXdHuaM8rn71og8OHMjxYWe81CtgemNKg0z0b8W5oAjTm0Y7QMHarW8cHtJ7V+1U11Sg+WPlc9ue5DhY4nowWF6RlD+h07LnCxPd94OnBg/igW9Q+K3KqtIxYyePcNVt2/+Su+QPC3juJU7/3D/g1R8zh6at22Z+RmdYHKxZym3b+tRTW8MJS+YOd1VVDr8FUYeMnHDwaaqbSe4O19cp613EefUIplLTzFjQWpMecJicImMyBq1CosgLWmQPSPvU6EX3Qv14qDipJTPXaZdDD1kZ9U0u689N38BT8D8TDy3tOqXbEwfvXQh/1DSHNzTBixDCn+EnRnYKvIVn//His3iymA2o52FoXhKx/WEQzKIedcig/o3qfEhGnUAjEJ+hJyYwewC2wC+AF3CPn+u+t2vtrQ/tfam+cveIhPFHXCAVGAEPMuZX3zOs8sWnX3zNYjrqIDtXpE9CkQ8oRSpptqKgWoliYZqL4sAgfx7hrsBc/JpmzqijRLHtfELbSWvXF9FXFObDQqWvJ9S2gA7NkJ3mHJkMBsaLpkeHqOVhXKJVYlXyqqiIRIu9eLqIvAObP6MEB8kFVvjnuU9PhJNdTSFHgmEHbLgKTPDHhfe6ECE1iGg5TeziG9mGQ5OmsClwRwNgQOHbGIdFhEsuMalMPtMz4DN5rS7ebXZbHHbR4qg2W0SPGfG8yAjVTJo8gQUkYF+AkCDeAE4loIE/P5unycvJzSv1eHO8Wo/D7bYxeRn2YmmC2aHnfzpx9L4X0uzaGliYD+aITxR9/zDw5R+97WbY+iNI2Ljy3vtXuYDw/emLd90B+H3r/ypW9po5dMHYv/acD99/vRAzxhHg2rxz7T2P/hlrAERBzWyyF++kOWoMKzKMSWcxIPcsqEsWjTptkPeINj4i9UTg5f35DLLVoKKnj9KTn1HUNDHMwkrw/E8STbfBQ4hqLGyF0i7+UDaFLWxPVnlmg2hmE5ksplsgyWWwmxxGk1GwMEHBR8UhRfSoVJGjvByLYPQkIwNdymfqaLLhTjCrSRQ7mnIw9dCcOYda+sVMO0u4Mx9JqBtRzRdw6k2JosnECB4RY2ZV5hkTSpZVB1GEVA8SOeWoBmRD8Af40Y0vP/xOCBenvFk3YOWApKm7tt2zzcwmbVAEFrZeH1ax9n6r+ajDwG3bufnBxyQZySdydJ7KLJEjNjVWjvKJHUhhzrkUmCeiYSLtNLs6aicC8wmF8cXC/IdYQuepZeKidtej1KLJTpMtGuUpWWdMjrSt5LbiHrDd1ZUAs1mxdhfubWC73s6CP/9Wb+i57cTuUj/3GXjgdzyXT+wu9XPnmTTJ7kIPYrsr3lNEj1G6nfHQdV6ZgLhQHzrizBKmEtGsFIZmt0bRJc48ne3f0VzuUmA+y+8ARhOBuRDLE1gKkG2GpSAXeaB5Aa+pMxGCPCwESeliEqNIgu1dZZcsnixEIl5ZNCL2a7Lhv3MwjYLlzV8eTKjpUE5MeYPo5iqOlbkBFZrI6IcrIzufpoxMydGIkW9Ok4RTYm160Ybk29NOvrECL/WRdVib17OnH4+RRbZkqQ8p7eFnLgnsuxL20x7vA2wg98ZFhHf4IsJbcw3j63IcTrfDL5AtEIbnj+7cvHkntgMGIn94puYyzVthbU6Rs9kYrVnUgiBjkHce/Ur0vgSrYmwNZNjdJIS/DT4PRoOrQdFTMb0r/BI8D0ez6w49wua6jugEuKfuUHgpsbAzeR2xNrKYToFElxBMt/lEBxppmiFF1BrQWIHIWGXTQ7J4nHk5JBEHG3Sywi31I5NEwylq9iUDGPvUVodhx2Kqbr3248jeuXhU0rMw85hN9+e9syZNURTu8dZe8Ct4xcg1K8qWeCUIQ6LDflJ7ydk2lXRQmMkKTHMEpr4jGMl3zG8PU6zAfH5VaWdlFAyRVgrz4X9i8FEyXpsZB94ztgtW2Wg0kpkrknNeid2I9zrtWWSZt9uRvegAQv2RppkTbxAj8d2j4dHs83fMhafCB3HL/aSWk/CJqkSLV+QMWpE1GDRGizaoYYJOpYfI7o6S34vYIrY/UWwCs+DOSK/8G3jVg3uie25ra/sbyZ5cicb9C81fhEeZSmyVeWPz+0ZrrjBGukeG9zzt0+020S4EnSazaDJIQbQk20k5pQIbP8hJACXSLpSb3dZ3/Pi+/caNC58C22E92wUM5t8l/9Cv7/iW4kPs24dbNx6SsyVH89kkLmrWIk7FOaSCLB+qvGKcqyi3dYhtPISfl3IDRxOeCKvtXoMGgGPyfFOYmxSYc0UKzPPRMJF2JJvW0q4dwjcU5kyxFDOVG1JOMSD6IahWqucHEz2fYmp3ikHd39lpHeG9S4H5bHAMDMMzjTCD+4bMFj6jl4ft6JRUMcUadKCJMzHTMxOFYAKdsqSTUk6ues586vlD3MyRBD070QRgsjSL4Kg8nTOa3jU0PrW1qY2BFyMzGplZPrulGWYcc1ie3MtdJMog7FIoFxnJhaLYkbDkrAXluzxkySal4ZiAZ7rZ4xRNHgPZerdTLsQL0kkigJgFizriwfbZxnG4Ep5RZx3H4VF1AnJkToYrIznfRxnJfnkkB9Cc1JKREM8To+6a7nKKSDVjAaKqOJ78UNqTdGRB0LLXZXRXYJrDmWxNzffHIjj+MvaYw/rEXq7sUGuvv/13iRVJE+55MZImC85M1GmRK6VS/kTrR/XQoGoXz5q6NTRW1Bo/FvMoMBB98QnzEo3oOnXKvFEJXkA0pS/gsBg5Oz7/gDpGytIsq7JIXogfZ7z0LPWzWuDjhKwse11TrzUHbvc29/g7KIM3fh5yyxxNc+uCSSefgUt3h9vAXjucR6UqA/eCcDHRfeZLZCfC1T7feQEavwOfJzdaKC56ICiYkFMTvxsTPht2icYE9VFFLCvstSIaCxpRYIKMSTEpaAyFUlgOmbCXjuyDjawpY8qkW+9LuPlhV2Mz98ShltBYsSj3qAfLB2lTuwiNzkp3G/YQvewQVHqZwBBfz024Cnt6vEEvGpggbxN5lUlDfTuuPR44D/toNC6yLxeNEqZ4FaJ4PqE4xekroseAM/p8jEQNCUrLPgX6gC7kjALWd2yDPDMy1RKZzoFELWtIxLnZgBGBxm0V3cYgVvuMPAQ5P9tZkkNGgPOzXaoAVEnJIpCER4EmqlEeybgj+8A/XnmITT4U/vPeV/bC09JYGptPoP5rELECyEpKZwoCXq/bnSakiAazmcOruhB0JCZSBsGHuIrwT/yDcInXT137nkRI8bKblan8qjlmsZkO3DTBatdMGDtvZtMtsxvGzuKz1+wYObLfxEVrWt/gOs/b0nqd6zcR/ZStCoRFtFUhtLcqvLGr/HG7N7LAZx+X1vbps+HHZG2Xzm5gWfXQddBFJVVt7zMUBnGQB60TbrfBKeoMWqwhNEw1WnStvEHOICN42BEXOdvjMvibWiEKnQuEhTJi0YqDVfPVGKwwDOIzHfaLJBgp2zxGsiUopFF9AZfFKlqswUTBK9NPMhfkMycRnG2slHIeS8fzP880rFpWE6HmQfhVG+M1ESXILpCMJtDWS+o3GfdrMwQ9RpeoN2qDQpRmpTa1vHbGEgyr2mO4NzXVZvx7L1a59l1ooTyuMtWg4W/fLlbOuuCVRqLLeUn3AtVKI/s5ePXHuegmUXCQGIZKG1Hr3kE9mhIlFlXVfOVK87mffjq38N57F6K3C2QAAWhBOvwM/gJvwAuhYwefffXVZw8eU3ulIE0Vb2UT4kYqJJhzjALTPlIhwXxCYVJi2zmD4wIYBvvpDI1CrKb+fXqi7N+ndBCFkJ77UukBRyHyaRQiLV4UorBdb2fB1t/qDT23Ekchop77DCz5Hc+RKETUc+cZgxSFQA/iKES8p7DlKdHtDEujEAnRUQg5wiBBSbs/aR1EGCSos107mstdCsxnrvgwRzQVEoxW8wXS+6S/BAFXWhii7u8I6a9AHavPiI46T5baKlBhzuW2x1zdEsU8piUCs0uBoZjHgxmuwJw3KDDbOuLUjwdHKB7Zb1OiLBLUBSaGTqooSyrTiexDZIsmbTCRERMFIU10CDQGSiIsSkZRLltCZdbFalVJ6mrx3T1/efCND7AEP1LbaVIFDanMkWRZylR3gJSfZYn+F/y5yJY7QMpXv0WWbbQWbGhbivA7hLOjmSycr+5kMz0+r0mv0wJkcqeIdmPQaNBO1yaKWm37fHUNyVfH8QOasM5myRnrmYITY5wHPKBr9fiHrjQvnDhh/rTtP527e7KvEyjr3m/hvVcW3tsZvtVj3YhdW4APo9rpyf5/2QI/xfqnALRsnMAWJr8a/u7YwdoJ4VOplOJLpXkpVnNTtrYd9w5XZoXOL5mVbfLemQvBPEL0eibTmSkNZOhSRB1vtOK4l8BbrQyfJ/LaYIJDTGCyJOvOT+0rullm98snfYribZLlRXbI7Da0CNjAHFgPql4YdsszMbti3905FORKW2LvbdmyB+kGNvfYMfUu2KlT0h5YFzAbzIY74A68vwWL+Uo0Arx7khPwuE1e0WoyBl1oBZBXRYs66IPMKcmacZBZys3LsoMMtDr5itA6hRfG5PA75879c/GjRhewwB+B6eq9sFhz+XgT/AT+DFvgt1MmhbdoKuGpNqYBzH7pbRkHaQcnHg5MPBzsHeLQ5IqHgrYeb7V1iEMVwoGJ0MFkCRqFIN5H0kv7SBb1PpJ6TSQRryx71NYCgEqsq8kVd1Ph+A0bWxO1n0AzdVciHLwYAwtjsItaZFjRUIYb2wly0AS9SYUceorZ6XdgQyGLSjXyWSsvvQlqshMcwLFv++lBo9avBTyOdcDLIPvY6QWzvv4AXjwkZ++uJFLQWyUFIMGgkoJYmGYmDgyyblaSFaM30eFftY2j1lditPW1C0mLi0SKMwMeQ7bZ4suwp+oYV5Lo0pKjtbL3QffDctW52zgtPluKbEay4l0CKyx+ZkhC9VNDn9rqL7my+yFE3E7b1nluXtb7+boBA998+vEbLovtuM1WMaiwu7lf/qLFh3bhuGffQd062Qvz16185nE8AoIZGWUFpQT1x/NcqlHGwjSnxYFBlHARSlAYKTu+q3rfM7adT2g7Bb/WjpQdnx+dHT8QtVSrucyUM0UBH/aCgFBmCGZ5c52dbeau+kKDkOQTk4xBwS8KQCGt5Nw5S/xKyEAgiRAebxqLi/rIhMd074Y3JbE9iv7GzJVlH7jzvx8eeCW9u9eZ07+g4LayF/88ZlmPhGE1BSuGFeWP9hclppYMG1iztIldc/jGh9/t2T548k1Z2cPKe9zWPX/SXUO21dksx632mmHT8rJG/GHo4OpuXWYNK6sAq+9uaWTXqKLdNuzb4CR3rl2suyA20o2MY7AfPgFmgLOL53kG3NEdos6VAHdrF+xv9yG54zORbKUG7GbkcBsEXTU2v+0K2/nl3AXiLdIyF8p+Omf54UN4FRiawOcw7Z4HimqGJgxei7xCcPEQCMDjh2D2iqBRf9RkUvWVjiPpyS4xGXVgtonAZK7m8XEmrajRC4qnRrWJswSPSOqWvJSuiavaBxiU7tUojPjhQ3D50FmKxNlD4yQsGpunY6uBYEK8fazVvHbk6CM9YmCqLQZTtUEI8m7F5ZezkdU+fwwN2API8x8ahw4R9789ORA390HcjOiBuHkIlYpLdKdfLRWxMF+VqjTIBrUGWcdn45NiAacVB/IMQTMvBHE9JKdKQSsz6bdLp/P9coYfuPH0y02zpy5Y1LQNHrQ6E7e5/vEieyw8cNIfHnqW7dW6y3PAcGbOAklOSX4TGKn2hb1mVWx1l5y5J8Gcu6rAPB8NE2nnEwqT3K4dYplTmDPXaUxYaUjSCjgvK1uB+vJzVa0Rxb6N7e9sVkd471JgPjPEwEi0PqOpYNKYzoEkb2KCmGgIWjw4n8EiYJon46I1kkVTVCGF2WOIjjWHH5k07YgP8qeMbZ6zKN4UGLyrFj/yes+wJWomzpARjVXPRDqvHhGizRli+49V0yanPW3ULWHaIKh0B0C+xlPRULsUqM8MHUMNV6Akzxpjtb+juf+4T2Rej0XmVc6Ak6AuSFzEq2eDZMBlM/m45ok3RfTaMftnS/yfo54L/CJR4fYS0EHCm0omotPb4spHTEqbWlqmKmP49GpkpBujR0poNlJNM69CM/m8EhoprgVq4BmEnRyZKbJHnTQ4BVd+DjIdIOFzuJHPbt3C1bQ0o+eRi8WL6HlcY8Gm5c2cgTGQRkxK9FZKuYk9bBBa3FjpWP7GcsfE04/A1mWmZajVZfiwAbempZkb3voSGgFpnczodDUv2tQ7LrEwksS72sEQiZ8eJfH4GEFE4mNbkmQ50hsaLw7gDkbjpWcNgJacNRCCenm0ylkDp5OcNeBEcA9cexnCy3AlWHkZhn9hTWwCfADMD18OXwI1cAtutRTp40moVTvedab7DVoudjLK8colz4dFCpKVgnNwYjOYaAVcMzzZ5+F3NjcY9t/753KJmL1C3yywuUIu67LVeISkHzLCWZSexBsHDjWtYmE+sSoZ6tEwhJ4U5oyd0tMRtasmjUqC0mq+BBMoBzpMaLHsqL+zfTrCaZcC81lWBzCaCMwFircDtGtnuAJzPlGBUSQC70eYyO6mfBJBoCcRZH8g6iRCHVsdfpSrCj/Nzj3Mvnn4cLjPYWnHyUTGdJfa1jfwMTuFaphmpgMYQmcK8yFUYJ6XvWKcT8Yr+WQFgSSLg4Q5GV1MOplTydwiR7k7yiZDpij2fnlH0fGJ4WK4Cqw8m0Czye6D//381OkLv5FKxjM/IiovJDFrLYly4jxBwtMahBfPTHcge0wXu7+JtYJUfSZqP5M70BQCxehHuK96H5PEr+UYdtz9S5rxWCNnMwpcnOxKGq+tkeO1AhcbgVciEzVyZELg4sRRqZdRI3sQAhfHo6HzXSPPpdRO9HwvYY7xpfw+VuA6IW4Qrh1BE7xDU8v0ZiqYm5ghzAhmDPNU4JaunTrl5Ph8qamJ/kCgomLo0CFDRo509uzVi2UFwWCwWJx2seimm/r1GzFi8OAxYzxotvPysrLS05OTPQmi0+P02BLZYBlCiNfpTCabVA6WvqRz78rn6FdH/x55IelwIv0e9c4q8ZM3nePYt9+dRd4YlkNvn8/pA/Jv9O6ZBmenHU6DrfiH8te+F9Leu4B+Ax7/2NH+LxkAQa/Gz7FD0T/D1pae6g8XyS8coIl+HyD/x/4rfR8g/+O/WEf775Hg/aST5g3P163MeGYSM435A3Mn815A7FteXlLSo0dXOocDbr115Mg//GHy5EmTxo278860it69S0v9/u7SjKVliDdVVo4aNX36lClVVePHz5yZPHj4cHmWHQ6PJzlRTEtOS07wscGhynzaXK6EqDklM+f4tXn9/fP7W3P9++b898w9+ul0Rnigi8IDcf6K5oamX/srmi+6pLFrCA9cfUP1ATTgB7aRv68FO+CR38Mrv49nIrzDXjvSVsk1CWOZ7oyfGRPokp0nZm8MegsLtUksqxVEj99vcFqtBiMOVxl4u5kNdk1NZsRknp529OMpVM+08hvbqHFmRp4BX0kmjmEzPr82KxMnuvv9Xkz5X77sCltiKbzv+fT3zqdpXx9XPw/cCQYVunT/hW0A/Fdn+XkU4NNhy2Fk5MSQhpLAtReUfgr+Cj5qgGtgPdwNl2xj38AjB1cvSrZkd2ZioCvVb4nubhK3S/rL63U6LW7O1skuBLvI/G5gKiSGpBbYrzIsl0XMz8hbMUtjX+T7HU+YtsPWelM9bN1ueoL++HReY6VrZ/M+1yH0PtJ8xLWv+RB673RVNs6Dn6IH2IvhJPWbWGOm1ivt3sjUxd+jeQcpnIb7XINr4mTiiKTHlcSIzvSkaiFd1JmEarNJNNvl0+K0giSInPzABz88HrcbOR3SmZqSkqxMtwv8fGdw4713DPnrK8Y9Dc/+8RdNcuKk4qqq+qmc5o7Js/+kZedy/DYAHtzwi7lGmN+n74ZAdtHI4QgblmO5QwgbaZfSxIgOUzXeqOTkXUp1Fkz0LuXOY8d2Pv7qq48PGTduCHpz7JFHd7z88o5Hjzwy69axs2aNvRUbX8DHebhVqAe6r661ipyWC+IyYUAuR0giJCT+HbWPD3yHDWbN2CF3rz46fzHnYVfM7zvgnrvgdLB++Wa4sa1NvqOAFUi990itFwsaC65vbFPVWrXHr29cRMKdQlak0jay8WrA8FWv//GPr6/qBS8D24odO3Al1u1z3li96u9z2H0wad3ceWvllX4e6R9NLMKhAX0eIFf0i6rxKvfXwG0O90KttRTh5wk8PlsK1tLMEmqVCOoqtxhmnPCGdIeDRgRcdWx9ahxQsjewHzeGczW1oCc04QoVLJMGP+W3IWxsiNMQNQzA6hHNVka06oK6RFHHKrvjNPLfjytRSqA6XcjtQBRJm5xSkGrl8lY0hlOOm5Pyk1kbnIhrxXave+PNW9i8liKYATJRPw9Uho4/XcbbZKqMJFTJYZTPZJS0CkXHNYHLFJg4dYoRLZLbWviHNVvRSjswkF/RT6wYXmIwFvNpI0b4hoppPl/6cGwPD9cFOxeIndPxabZ06Qy3nxQ2ojmbdqI4EOm8JcSDR/56aQmOhOOMAKQuMQci515KQsLf+5HaxGFaXCPPjcWPfO/Gzj55Bu9T0O+zkr3OtNsGJSUNui3N6Z04rsrVa9uBbb2dE26bSL7IzqZf3DbB2Rt90ctVNU4TSssE+f2H8mwXVjM0APIz00JTZsOG0mz2zvBj2aVg5OwpCASeDQzVIBB+aH94FoFMvROMLM0OP8bemV0KG+6ciukTwPvlSNIKmLyAJysbny+zMKkuMZULIidTZBm9FMpTcr40GZHdgKysvJ6SdAvavH6sP4PWpCfha4G1wK9e2HJr7cxdz720/RHPj6cefjb3zpnZid5Zy8qA++pTR8SXa9b+7HrmgUG91y4K3nNMN1u8NWhx6I5ondbjjy9/srNJM/aJ4PJXZ7WvqSjojLogKXxAk8DkDDBANoDA9uMucKHpuAtmaGpbTvPdbizgu7WcjpyfHoi4htbk0EfOTyu1RJS6iyCqtkdU3dRaxFci4iucae8xW0Qz8CZwXURSIirTJ2ZGKigVlFPWkZijtBSRiTCHVouUSJYbZyMhBqHMQfZXEHfUNp6cMdyZ6+41a/zAwm7ZlhLPlCVFRSurPSWW7G6Fo8bP6uXOdYyuPqmpDT82ZuKROxYUhQrLPqgSU8SqD8oKQ0ULZx6ZUBkm+fUEUzKarVRj0NF0U2uMHKnisQ1n7WKB0CHqGkWBlRaVwh6lJUUk05DIOhL1nNmTPFxuI5zkHb0HhO4MreJyEZFPhp/c8tVT41CvK2l9TSTRVUSipZrK6HM/RjmjrqlDn6cTPSjXXMY6y8gjPFWakGZu0a5ruR2N9NIZ/iTViJIGRy0tZZRT9KTlZEbeN6Pf3096Qv3xO4jGx/VkjTqOlGEmg1ZKQWEvHk2VEk9555795bB3M5hmA/ZmuLf44f+GcrrzS1uD3OaW5o27+5N+cbuEsx6nnEVzYq16mbNILblLSPs3MGa0snkR57htGo+o09iBW0SKGjCCXHaSnJ8im9I4lIsrf+WU+N08Lv7ltOXYs4FNY+dZFgbA8QPgDdjvBrJB+fBMwELo2teFNbAp3fbt6xL+PPxzwT72Y7C4S+u7ncEs+HgBV9wV4SpVxUA0eTqK+lYmMWDWM6Jez5t1QRPPKpf20DWdxjCpymcHfnOqMbgCJDQ2sr4vwmATXLhjI/vsjQWsj9Rc+ZTfIFeYxoKqZTiRMVRHVZi205UIt1bbCGDjvEZcSBZPLF4jVFVacStmwQC0UTVvEXn8klxJr5WNrx54FTeSz5/F7xsL8OhWSrjQuksCxsaoJfiYqyNNFcgZgqpXltRilarNlnzYGSEnjTFbPUZGX63Dzeqk7ALVGH1kjKyuEe6QBnljAVoVM2UbZJ5Ubw5X4LXienNcVLW57kqF3/bWRyOokk2Pz0EaMT2gLnhy48aTQfZM+JuHlizdJmcLzotYOsi6ocZOVP0qh9wTLs7tV/qS69rduIGYTerszTdRV/zJUPu+OGXeDKS3rIDTyCDrzS5ytvbjkkxvoh3JVSaYXEDucWXjig379m0AB0PhyQMHjpw8GQ+u5d//bsEqQOmSZUrIbiWuXpuGLWStV0QzrLHj+tXWBNGqiLc/Ys2VkFrRkV6zcGKf0nHJ9CGs+e5Fmzcvgh+80mczu6Bv316DB4fmbuP+TRHgT7Zeffbtm1U4rJRwcODM/YCHs4taF7ZctaREj9WN0JBWhSJ1/UB71Niz1GM/2zhv6fbtS+GJs6CpuLjfyJG0wDxFAJd8l3tva5Nr3SGZvo/qOaoHSX0/p9WBOlfK/7uiyv+3q/4vaJHd6Yh3ocvzF71s1/DpXPBG7LUun70Xgl3wrS6oZzs5g1uHLFwc3TPiU2hum+jmgjyjxcWz1RaFOr2g1FdCDm2R6mzYywTN67+bsGXCphkvfGALn2S7Jl46tR31+3cQAMPg265xtz0wrPTaudCpz1HHcCN8Ev4FLpUjd0S79WeUSN5v1m+X6oyjp0YT+uHqQrmk7nd6wK51YH6Sar2ZlWmU/YIsUqfNrySJZtkvN3PFsOb0R39vnFlzGpeAgzu+CMOlYN2OjeEqxCuVUuU6B+LXroEUQ4qHI9ntWrNTNOuDODmLC6qsdkotr2znOBxyyg2LhDOnqCf9227zVIZ2G/c/c+TPfz7y7H79bvC/sSNGjEVvzDhgDOgOn4L3wLXwGdAFjAzv2gdBEsgBWvgL/ARehAivochawKNOZ/Kx3JqMPq/oc3mw/Hh0wUwXXhH+RQ1jYg0Sg7i0FHlh/pJuHHb6yDotUOsG14kkjt9QX14/Z3bG3GGusjV3j2xtBp82wquj+1j93vmbwAfAA/9z94MPakJ5Q1b9aUAilzLiwUXvnEPy7dD26/PulLnsBwAuX75kkzQrVWRWEG9FzQoOI6sLVdPsBGlmcCS7JKOkGM0MsNxAU7M5BN5EetzSGiKTsx8OgzeF2n4JI3egrVXyycx45oHeJPJ6PYNv4VCrSfV9PFKNvoYjR7CvBobCI+ywELs2BMtD4ZeJF4JWisPIWryNGRooMJQUG/m0UaN8w4kDMhLTtv/IQPVIXXBAP3FAHEekO84K8Kudkf9nT4T4Hx35IpmZsi9iLVhxYEUXi+yLdOmCv1gV0t42wdIFfVNg/b9zRrjOHHZGzmWmoQU+NZ4/Qu0GbFd3DSSp7GqyamT7xGwms1rR5NQl+X3WNRrk77OuR4duGZ34K8Y1zAHZtsXLqH2tsnSsmCPpwo3VvUmL2NEQwVXRFRGbR7k5ZGZonnx3CDV9yP0hbW1ylTGkk+qJTpKrjtnpmgpEi2BA/TE8ctD1krWG+vGWE+4EJf4SyYSVbhEB4CdVKbKrVxtBXsgh1yNzhOBHIA/XTFNGlB1wW3DNNIFUxjcZxKgb0iROVKqnUd8rpoJa382hQEwNtTYyRFpHTaaek5zbJ5anw1rtMIuOiP2pnIKJskApBSNWKCKi2g6VCOmLtW4V00ouAaeaF0V/43kBCaRl+A2amPNIdy8Em5DuvjXO+hLxZTYwiv+I656BqJqEJvWNb5Gq8yays+sw2ESDAbVLKqma1aVLVRXoQQbnY4FStZTUoIdfJrPzkuGXID0xvCVRqUXPt8Je4O2WY+A4DMjeCcHpcYqT5J1oVCeS5OiPkVrKJk5nMIoas9nAigZdkGMjljLe/Xfa8b2ANPiDbwJMuxt0B5mg+/LGcAqY9R9w8T846iMb8/BTgW35lCd2c+SeUGdAL/Cq60GV2wbRS7pZsBkedcCjxOG70JJBfCiRnydkSvW4kRy4takIP7RcekCKaGOmA0y6pH/h/It/Sf5TLk4QLUUelAcvmlrkQ7F59p6OHJfDaxdYcP3iqVMXQ1+/997XF+cvXz4/vDi4bFnwkfXJYDyYAGaA21PWr09G1sVu+DSsT1rP3QK0wJ7esj8V6MOt8Ho6PyEd/k+yIHC1JoFUB2KZpehzH6TLEpgszN3OdNHqdDI6fMNUNZOoPrVOco/RkEpsTE6OF5ecdEuBTZfqlIeNFf8H2wALksGfDPDY1qeHeNOPrG14+0rz3avXLlmzxQX6At8itLL3LKwIlSaMf2jBjLuWXL3wLWw7Urft/oc3roRHEf0w9/YhWRlx7hoktdrkw7od3jWIFrvouwbrWc/eF3Zs3P1s/Y4afMvg8FsmdIKNYDD6zWdvWzdzvsbJbVi69iFu1uWK8vIKWAO/GXbTTcMYAPrgGnMIGyX+qRz+IbmF+Nh8H/bH8Od8dqh1Z1sbhSc74/+gu+eDlfinnIdBYAZo8qX4p0Din5EjyKRdooVRy/0awyf5bMDDfq070Yzlwx/JLoOFnsnTsWaHaMSrkCEouEVBiIl/0oiIHP8UcPgz/47ibmx4RWN49JHcLshZ2gJ/BO/edvlJsKp1JyzGSdDcyzuvTGHr5d1jvgzxy3km+ozCO8yv1oogu/4UJk79ChzPabvKb+K7/VbU06CKegq/GfUsUWyNEsXWcKtsjRLF1nArtoZbiXqWqCwNzEQ5Bd7ssX1zc/uOzfYWDJs9195zQcOCnvZ5dw4r8OTQL3I8BcPunCd9MXe2IZSSvg7ZGVwSh+yMdRnJoUl3HCjNBq/CQdmlB+6YFErOWIdtjCRsY6xLT6Ffw0HgVfI1pst8RD0TqbCF/LPsHKtFtFqZNK+YppV8E2MwNtqpTn7OysrDZ0ypOJLKEkU8kQv0E5k/S78bO2voK8OXP/jUPzsbyzZu6LJ32aA54xKHr64+D4R1q0ERbHUVj95e3HlU4Nab92VUdOnXz6xvMNhWb755k93V9cPaA4xypjCbRBVMBh7odEbEfUCQQp2O2FhnfZMLPPlRkwvezme3Qo5taebYVhjJYMA5kadIREoXiWM+H53lMFmGkc7gEBglr6ke+QQ9+E5MZ1zhgNhkHi/XiSyjQjA9TUyPPhbcsT2GFEj7UGd90/6A3z4ofcCM0QUFObmWwQkThj9ZONiSm+MrGH3nkPRBdn9gP58NR+UVPDPq5tSQK3NfzzIuBdTsy3SFUm8e9UxBHhyFR4KxJCN5X50PVqDSDEwFGq2F6D5vwIwDnDg7S07n9xdIUYFInFMQKion5bKwCT445GCodM1Ctici7yz44OsfT2Tk+BRpLyVgNXFmA7GUhKBOSXCjFlK7K4SyD9oOguwTSXv27Unis/EVQqjdfHyFUOvZKB5Q3UCnbrbdDXT1TeBIUxMcyhOGb2nGUsGodQxJ8o20rIqzKqpRHWet56aT1vBwkWok5zrJ+RTUUpmirYYR7fUBaXki3nUiLctV0SPnOFVV0b+Hc7hW9J4VCtF25UwwAeddKXlYmGvPUa5tUfK5lLymrgi11ZpmtP53ZkqQp5CQbDEwGYIf2ad6q6DNYbqJiSkpbkS/Cnr6t8JPdrvbVR2LPrpCz47gE55U3gFO2CQZTwLIXrVw0eqnHa4TLsfTqxctXDXmDi36WzsTHFu1clC/vuFN/QatXHVTPxdgQArIA/oT7LzwthPwGvwIftnGVI0LH2JvGVfF7SBHXQ6EGhvgmtABkhXVgEct5Q4iKtzByJyF58mMbVYtg/xcDqkBAyeoI7IZdmTS2OR4bCGsbGoGfFMTWAYO3bjRxoAbiA+WUR+Frms0jopmHEc/9dPJ9CS9Gyca2wQONW1oRAplJ55+vHApZ66lVmgmJ43qSnuysfHTmqZXGl5togmhUlIobgXhso7IjC9gp63QaKw5gk9H0diapoYDLzVNbIy02boF9sMV7AHzLGqXk2UGt6pnpusU9PxJtndj47HP4lHC13BrG7lFLc1oqbZgu+0YGmclakm6YQRZ4yYOB7EUSYmOx1KTSLKEjjWBqoPHjh1MgW+CPpVVVUge61995plXWQs8XFVZWSVHYnH7Junkv1W0aPC2W5TMREVi5V7kyOD16+BdoHvp7bdfSrl0aeKMGUiaYrrhlNmiMdjUgM3GIevYBMhJi8gBdXt5QcfR15qmKU8cPPgEeKcpPKh/f9VwsGJgM+GGGRMnzkAjwnr1IdSXFH31avFtozj6KijRV1nF/r7oa8WYXqx/NO4b/ni0Vy27rE+fIaNGhfpPYN+lCHCLwt+uf6xCGS+L95kIDjT66hYACbhqXXZOtNuj586PGSyKv+JEX6uafjg+h2DQ9ANrnDgR9Y9GvxEsghuf2Y0ozeBwGQxVVQ6vlLP8iHasIPIr14wk9apsTkR5pXCkR1U4Uoq+Mu3Cr57IUY+Y8pFr9zrBc/AW74vb4xWRrF11aP0DtIokwmKNdJ4cn7J3Gk1o2nEgNo6xEz8OWyrFYVnLfSd7zy7aNXndPjscAw4mN+5dvMbxp60gEfSA37qGFNfllD249tCaje43lKpZSpWYK2iFaFV29X+73o5UbQVRUk8oySj1lZCex/WVjBZWi5ZErQW9GFWBJRJTj+yaRddY8qsP8J86daoJTIV7XLYrTxxqmlh5kV96qKHhEAzic/tvs73Iuf1sNL3zsJdO6jsoUVrCTiRKawzSI7Qq3yImStszanXJUSXCzHvrAdOuJ3GU9qldhgfAidFDhoxGb8RgA658Ki8an/wAh+77y6tvP//826/+BWGzAlk4WMPh2CyyXw16n1v0+VwOLF4uQ9CRKToEibHssv0aic+W0IMGJD5L9uu1FjYSoF3h69TVW5QxfphvZ/3p4+BM0z39B2ZaC7KHzb4NrMHbiuOnTdOEsjKHd++WumPTjqfRyjLbkZ1y86AJXdgCEBg3ZvjNeK5wdQU0V5mMP5Dq8Yoea5DOlc+SjuYNTxmeMUouh3q+ZF0XM2PKFYPxZu6NM/MMtZPHxszfp9e/spqOOXQrV7EDpImUcvO7kfUU127Tm0ROiukK7Wu3qWO6oM/p09j/JFdVPX0I/DsE/3cITkAtdkfrzWZkFY/FMd3+FWL/fmL/EdTNGjnSNwy7WSPS8dSM+H1u1m/5WR7MUqQeckd+Fglx4odysSmDppg4Wt0rnGnTB+XmDpqe5qwYNmeBsXxg3cBy44I5w1Rf7Do9foqxbBD9Akd0l/UfoqGO1jISz63Lzrdim9KWl11H4rnLqKulGdL/7sw0ZCAY9VMn1+XkWbH5iYHunEqqfFAadUbSkxjrOfjSRF+GtOaf9FPN/Lu8B3Uot2PvYUXj2Gn5v+Y8wHJg1I2ZQfwHBddsEsd1ynFcgcRxDSosY2xvOY5L7O91jdtkC5waTcQKxydpkO2MT9LosOWkswR5FmiRU8fKTh3Wv8BOw6jYRJ7xOfJbfJ/DGaiRj3hv62muW8u3ME/Vkg1jabEE9ZzA6YCOnEMQgWRu2x3lsuPuK6GtEqHKsn8IvJHGQQL8punQIbPcgfkQ3kAm0oJosYbQIjvg5rXAgk//IGzlCLBcV0YVAcZnWpzUI1Wfa7n2j8ZZUQdb4AFCGHy4Be/MU5qTeDa1cs226TajaIvYugXIcnO0s3el6K9s8yLKR6xeifbLFP9W04zWoF8iaxC2s/EaFBWD+SGyV0hOipxSVYAgsdtjsvcRqdLioHlyVi+OIwgmMaoutLK/GanYQupo5uZyeI31qGq2zFpmARcsy2ah3zDDsqxd7RZu89Z167aGC/HP6PMs5+KfZ8FZBQjLIrLDmItXf5M5OUlMZoRMkqapRlLK6sq149MeqjifFHjMKpGCH0j92tjNsPU/4M1/ntu27rGnm7//0/IVC2bP+MNccfpl1zeABR+BH/72zIqdLgsfOtjYHFp999K1oTm3j5sKT8DO5BIM5eR5AT55zmWmp+n0pkQd47GKHkS7nHYnz0uK+7GlpUrMBS9k+LY9ZAJoBHWR7drwT4Or5+SdLen70PODF4+ylM8fjOwia/mEGfnwemmPTdsn11Un3Pov1+4tt9UMzNb7zV2KBw4BmmMa7snHx8zslW4caAnkDeudmPxyeopSU5LwxU+MElFDK9t4ZmCgU/+A2H+UsWepgR+ROSJ9tJiZnu4ehVX9KEMwgw126Sp2wcpekE3e/8uIGlJxHHr9qq6XY2pKUC1+VM3Yc0CZJqQpG9DT2D6yhr9swF91EFtDKp+b3/qANT+7g+iapO6teTlSfG0M0k45aHa7qOJrqSSPMJWpTnWLqdqI4UvtE6DKJlSnE6qyCZV0wlR4/tnayu3VGx+btmvSXQnnXt/0ZNlTxYmemUtKgeHH/WtTqxvmLf0GFr+wfWj/BxZPXtLnNd2cOeOX2Yx/05p1/9y79dE0rV0z4cDylW/VyCcgicc9kok6QcziOJkg6K5GnRul/0rO/UkRMcQNncm999KShtc3UiZPHRJrVyvv/1dETNPc+vCvRcQQltOQLrtZisjgfRYB2f2Gdvss08BskAlmN8NLDniJBHwWt26QNSHxaDyEPlLFNfTZzdBzsNSPT2DY9gdcsXqOPdDaWNv+ECvW1Dr+zBySp1WDaI091gzkQ7o8hqDLjE/UJiQn2xm9mCq7K9KxhTinal04WEPPqmVlks5H/THY1L1bt+4NUyc3vWF0+NYvK7DZprue24v3yEaOHT2Z/TicUlfHftlyVti5b9+Y2xAWt6BxIZOByWYKAolJCWKSR0yScUlJT/dFDvjKmBR0jItMBwmf7ip81jSu+DWMJNJQrOjtBzPJipyEYxKCxyB6GIQRY5NVpnLjQ57sesRk37MrPvuJbXKkvXDfK+/Aiys2rr/n3k2u5hPsNuia/ad/H3vzzJFFc+6YN188S2IUUn925MHinZAEk5jA4OqIqEuHevGQ+yQJY/F6feqdZvY6eNeR9HjNX45c+mDe3Qv+KM5H/YKmULuOJY+LVJ9MQzokQc+LyE43J4pmbVDLBAWDeulSZxBhLajyuNSHDjht3W7DA2+99YBxN/a43pB8LRd2r5AUbfz5nOxwHVGcLeJt4d27B5Av0w2vn1ohuRNaP+1o8PZqpYRQZP3MzCanuHGZDrRi0U08pMq9aZzbxUSfgTgDW488dNe87FmPPVkGhhvgYwPmBkpv6zLh2c1j4fUPV96/fdHSzVtdVz586d0Ub+KYKV1nLexpY5FLw1m6+Lv3TDMl9L3zL2u/gfDIwfs27ahbf39d7LmG2HMG8rkB/BmfG0Cjk/dgOSUSzAYZjZwDa6f6Qc/65G3Y8LvwC3Yk/ELaiMU7uXHy9qWbutDn59pn/f7/3fX+KoWdlwK/AhkJ4S0J6l3vPuDNlmPgTdgnzk49xnc7+VxJPitUA2+Qz7FZy1LWOfo8geA/k45XOr2Kz4vwokYDdHpRpwsqx1Nk/J34GLD0nsl90xrkitH7G5xwFN6J3jtCodhMaDXNwKMKzkp+s+o2NNy/neO1IlqZyIVoeuVCNHwenJ5Exl37AL4VDbwCh3BrwpvAAVjB1h1mE1kNQqEl/PXh2Bzp2LwTnC9M85YRTrvp55j84ZFS5iPOynJYDQbeCHQiskYxYnKqp3zaDHvY5IpFmxf96EkvWbSDn+CExvONnzXC8aBPD/AV2yv8NjxbxG1vndMDdCKfknrAt5S+8FkotEpoXThPzpaQYOQ4nLguZ1jiqH+RXdrR8cs3J2vdfrevpCf94HXPvgq/x9x041M4rxlfmnzlqL0X+ImtD1dBodB19OgY8D9wGdpgUtVRNPto3HLeAs6QyAu4zQK+e1pvYnlWb8SXY8t5DAV+ZPBJ93KQdZbzcfgUcw76/TPoiQSq5+n+cEd/WDaxaR64sh5krMeCBSbC/bwNn1w+FS5jG5Gckj5HSjkZeQEvjlhoGDPeKDdbRTNOOVYOKfnlm0CUm7fRm5zjno2E40tyvjCl5QXUIz6bVBWC40K0M7mfbKkfRFe652QWWJZ2o4sMzK/0Etl9Ir2MbQSBxkZ4PPwF6QJnM91YgDOZonvRSb3gVQWLD+1Ar2ToFkn1f3y0ppYb6XU6ipqvv2Z3fPttyzXUPMI8FGq5LA8AzY2iWYyIC1MDDmlCbESzmFS3lav0Cm5VKufGHoNVoB7UtzyOZyR85syZiE7Jxn20bo/cnk3GsYPcSEjiSTrAI43AcUazaFRyBHGWpnwPJD4xCAiV2Afg35uPOt5shn9rPYC6YgG3iaRfLYBMNJ0oj6cy3QPJyaliMhukvG62UW7HyV8ysxNeJ4YInpcSb4TfSym/4xF6KRULL8HreKCXm+CBujNnjoRvR1gcBY7e4EeJ8d3g6Cs3g+8J5ydPfEXCSp1Hy6b9Sh6tchMl2ykKSnUTJa6kABdiTcwk49ogJi+XJHKMDqlPx3QyqKSTJDYu2839WEeJ38Vq8V3SJIqbxyHb2V7XuOmdNYGTm9cDX0ZCY0JGy02P3YYYjzFv+BDoas/CJffDQT3G9IKDwf7sfoVgSV6hDpbL99yvQ34K4hRsZZjwsSdD0CAEhWQ5Rm9T3WYTdbe9Fxd7k6voROrM/SjfV7QNHjQlxa80R2oaxd5dU4d8Juynu5lOTG7AY0sWbcag3pCVKWZl2TiPyLGk5l6F5EiQElUxnjqNLzuxg+6PdtrrFF+9MbjB5Lp8+YrissNizT3EXX/caeFfe6axedbU8BrhEHXVFc8dz1U2wnABP5LxYMvT4hQtFrvHErQLQb1WVQkMYNeNRU5MaRrr8Gbb/TYNvjA+TaPx9rpj9NJpq8bkacD+pvAGjQYWz/ju/g9A/okH+/510OP/gl803slxrYVTV1+YFrG86pAf0AXpIrdOm5gnJjJ21LPNAoKML3r/RMrSoEV0pDvbvVq5Nh11HaPsr0lbPlz03N5N937x7+aGWfc+s7B6cs3D781bfPbBxVsfWTb/ga2uu/657uk39J5u62ftee6Peyv7Duw1NL1TzWt1D3646MgzDyzd/uTqNXWYLvsRnkmIi9JwFpWGdzhxFpXeImKyJERFgWiExV6cU5JdgiSToOd2abT4Xjs5ghFE9n4RvARCIHl5/40vXwNPJWTAJdeW7Q2UVr7nAl1OdXYNPgHYXi+WLqu1vbh1Ra79NU8SwuIwzOB7kf0RXNHYiFkZGcoeUVBfFIKphTNC8+glaEyJDeAiZ26eITEUfKt927TGYTchS/gcGwy/zY2ED8NX3nvtgcdhRkOvBUVlwNIK3gOB5KNHv4ZrXnv6r48/AP9HPGHEG7QCdmrAbsBcYY1TxPn31sBuWcWvkG/WkOJs5JwxjrOxvx5Ku9KMg2nNV5Ys1YPr+qVLli7RQ51+iQtMBCvRC62scCV67edbP/juuw9ajp39/nucabGKxPJwPFWq/o7wNsav/i4VXW99bjdsYpkR945elDBqMy489+Xh8KIVQVJnXcqw2IAoYqG5daIOeS4GM0dj3iZlr6q7t1w5/4FL9XgBshJAfZPHOmYoeOQx+CqY9V8I3+GzW9fPa5wIwnfD2eEPwRpI9vNvwtVO0ZxjzvOkpyYnAY3BYxc9xqBBIxpAZD9KCs/myccqijxeIBU1xUqD03q03E3gxcTkm3slZyX4S1fu6gzY5Fv7kg+r6rq8mJSef4FPGzdthO6oqWZ76zLyx8Kd7BLd6mD4fhoHKCa61ItjIXrOKYhuu9MYlHSqEWilmqHS0XQ5dy62HBz2kJ27VPXgOh/eU+BEqkfgw4vmL9+4hx3dugEXIrtwIYwrAjACqU6F6ZwYsBiRrRLE06dVxo59GB/Xjc0r9Ti8Tnoj9p/ybp4/cenOvf7pJpD5OVwJ1q37d23mX8vhL41wjVS1ajOSp0JE2074/rXMLDHTihrGe1kexo4DWgy+60xmkKKIUsbyLWugUiJcWbzb5tNqebfLR0RMI0W32Fmw59HmkwdWroRN3IZP4Vh2nGU/DIDe05C4vTXitmnDbnKBsbuPZTisj21asDrBffSo9b/w5xCf8u0BLHc3N6SO71VUFie7ZyL6jO+LICe87AZc6lfweKJzcahV7JNsq6jahnj7m63nbW93H2NJdSbk9Ov+0OobOFMn/PGYITx/VKvZ/SxbSDIl5Wq1FiYB31yvd4tmvTHIW3GRXalGLL2XCJ9AyIgUhyXnDHzI6Kr/+Txo+vr9mlqDCzBL1wHTVdRipy+uh09FysI+uZWUhaU5LNJNhmhVQHrObnaJNhwTSBK10XqOVgYglM4jJ2JiLmX002Klr0ybMWfhhPM/Rd3LuGvLxFWb65HGS5lUeifX7nJG9vFNq16RqrQfJrGRVJxHphMSYsIikrVQ7PDj8pFxlqBbP/7hh4/ZKXB1/zt61/xzw7y77543fxkN+4eBO5RgEPfe/tC5paFjB/c+99zeg8cYSVN1I/kNpE+qqszRfVJd5Y7VVtxBOFalr86EQrBYUliA0ZCIPM7dQO06dAK5ZCRyZ56fcDanxKedUmTLxq6Ec0BRv0VP7L4XHD/e5AKHQGBURWj543Dz5cvsxvAieAvS4ePgUH4ikiZ64jUH2TfkxKsgarRBeuwVec1KvTxq+QMnPu/K+Tl83tXptOXZewLkLArgey+8GRzyNHnAIXiz99S334Zrv/0WDgX1ncF1cL0zqIdVnaEO6jrDKu4EuLlbmO0GboZ/7cbCbpiC5QiXanJnRE7Am25JA3YLb0hyi0nWoE0gmlMbUZsViHcBp9KbTqRBnGrdyY0DO/dkT+xPdOWah0uDQHMZVu3OmXwT+Zd1O8tnX4eT2dNgz5RRSGku2gw/Zj1hH/zj1JHo4z3bgSn8C9lrG8oPRhTC58wceiZo4YUgdZ+NiuakayimC/GbEWkkv9kJfrLC2Sfetx63vn8CzrYiYvylK7jCOsLfw7e6a4pvvNsd9CafTF3heNwbmu1eaLZ92O62WBiPB3WHrBYxOVK0Ezt4cSKayh/KnbHT7l5Bw5n4R9Oq5bPn2HX2oBLMnDQXXIGmuZPGjsSf9z6398UX92IPYZWc58wGSIaf5lOye4UmOFLtapWc50xhNGfeoF4EBorkikyNaUl7hmFsAT3HArcChytEauRKv+xI2iOtJ+FxqHokMKRHqfInS3vEQJEeMdRQVUtaj9xjkk7do5LLzQ5W9RhdGYzMBYGpVGOV6VFhNVLZfyijMLQifZpR1Q6xQwlMHwpDc+LT9VG3chTTPF+2H4Vpd58ItuUW8nci+fDgSAO2XISg26DlAM8zeBW3VkcyJRztrBen4prlqayY0C+ZyU0OzzH4lsqQmQv/1vnWPvAm8Ki/IuUyXIRtvQWSza9lrMgnRH6Gx8bwJuK861SmdHnEe8+RvXhVrRm2CqaAL8GX6KcF/gh/BB585VLF+PGKM39E9uLBqvEV+N6lCiwVB6TqEgYkFU4NL2LtyokCH9ThpcUkmS80muSza0pycILIATADX+jXBPoc5fkFJxa3dDuKqbgCtTWU+HOpaF00C6LBrAk6AI5b04ak6jX+kmympFi5otDuYjRosTgIhoFB/4e6Nw+MqsgWxm9V3d6y9po9IZ3O0pCwJYQY1jbsEBbZjICACJi+IEJAWVWEsEUWRYgMIIOAgMggKqJGjAiKeQwyChn0+RjGlXGUQccVk76Vr07de7tvZ0Hn/X7fHx/hdjq3qk6dOnXqnFPbOd/fdrRv1QD6KDpJv6X/xNM/OY7WX/hx8oh1dy+iYz+i819J4zU9yDl2t+AVMnzOhBSXFOPJiBWFxBQD9+EdHXRnoC3St+a3QznGHppMihjPeWVQYu8/3L/90Md16QlfX7jvntLnSqsmfb/1VP2+yideot84k+LetGUvm7toxYr0J++9/a7S0nXlU575w/I3PK6kN7bXQghnYXDQr04q97IgCSQy0hQVVWESlbM/nZU7ao4i8KUEbMQvqA0m754/gD48u3r1WdSHkMbAi2RXYNpRegr10c6zDWRQU2B/MSY+SnLGi/GiAOfrRF2blaNFQS/SBYroYtN0k8fBtCNRWyzi0Ze/v7Ri0bon6KU19891YiqfdfZc0PPKZRpw/s+79y3d8ShKL8Ff1NC9CbbrV79oUOML9zJsZtKaz/pSY5KkCCZGTWYJGubUYaD6blBv9cSLre2OWLH0HQ2gp9ABp7wadmZqzn5/5f6HVz24fD0c6zN0QU+ig67aZPnz+xZfvfBF4NUdG5aueqySXlNP467QPGYQwYAlA8MgSh2h4A2Un+RG6E10QP7ovGinCeJ5eg5937BAN94ShSyhq5DpizM6HSYxKU9KEqLTJcaxQrauLbnB3fjQHFu3/qCPZOEI2+r4h/zMH1Y/9s+L9V9tWrVtn/yPOYsWzbl38eJ7H9mw4RH2OD88venVdrFpex587o03nlu2p11s+iubTn9Ipt0zsXzu3PKJ98jjGZutXr1o7jJO+waOs0r7eJOTWZsmvjtkqAgO1NBJrvicTJvHqDrYLcgXbC6rQBRGAOxuOPESheY//P07JNK7hy2vol8tWrHOWJuMUxWC089pYxcq0dvxC49VIieQP1xawU2hNJ/dGeGIFAUxWhJt3Hhy6E8xaIKKR9FIR2yekIPiNFElx8SiT27dDWePUUwkzekXFFX4/Yem4sGnGk/ghHkT5df/2NSEzE3XyBK8AJvwakEI1LM34xk6k/Bs9mYNe3OFvend1EQm4AfZm7Xszd/Ym1FN35CReD57wyZsgYvsDdOWZBqW2JsqtdQoBlnCU9ibR9U8/dmbubzUevXNNFZqJS+1QS0FeWbhCvZmY7DUd6wUvNnE3lz4fxVnkkCWwJ4M4AwYkwwyybCR/b2G/92b/T2Bp/Mbn2gUyz+S/833T5CPpU+D/RHAlacnEon//Sj/uz/7ey7Pv57/PY3l5/tQgKWaPsvwR/b3RvXvNDX/Jti90/D733hgK9l4+PDGDc89t6Hn4ME9ew8eTBJe2rL5+cNbt7y0d+KQwePHDx4CJzm0FjONyHSxmdmNBPlFphMNRqydGi7gN4xtpsIikN5o/Lu1tTv3kowNqG/BrkLq3sCgqHRiI5bNLZBNkAw2f6RBiiTBuQUqzAQlGNRCJqYD0XjUfubQUSV5q0fev+FHFEMynipfdmenKrfn3jt2roxeD/ipFBcyYU6R1i46yiRIUSbwhGeP9kOUF6Kteyk3ppAxGEtBVX66SjU5hjvcOie3fbvbClY/7Iu4a/zcu0a48uf1XbpqdL9hE/9AElFM9GZjbN9uC0yehK6pW60xg/p1GxaTEFna587pgJPa64pnocgoSTBHSkQ0mlU/SvnFihUPGq9A0XguTyHy4eH7ilbtHDBgJ1kvov+hf0IL6Pr1kqS0kvMNxAL2uaJJhFGQIox+J5vYO/0xNikGhzbCi5U+L3DyJqqazqTZRRMefvTN0nFTb+m03II+oJ8YOnWZt2wjSZw5KX9gvxT0wPrymDvHlc9nnKVypuDk+/4OlyAluvyxiVKkOdYPSo6oa3oaj4FGYPNMl065QfUuJ75r7dbPG817N5tjJ5VMuWfDmunTy0ni8gdcbx6zbBAnTevQadodM+auGDF0+DBoqToClNtDIhb8oM+U5kHLHIxUNjfBHde+shO7j5IM9PedKEeuFog2VmDNQ8iBtYF0QcpM99uNCZlSSoI/KkWKUnlBWadRRkaRXoupSkxB3KE14PYVj0t33XHX2iVL17Jf0uMr+/UrKRk7dgxJvKus3+jIyNLeQ0aNGtK7NDJydL+yu9Djvr59ffTLsbfdNpbTMU1PRzaAzMhvcJmBnDGJUgzRlkhy1dUKnaKCI15BdNDmEA1XrNvyeWF5+XSStsFwxxSFgoyiJ15EU4YPGzEULKTJKF+cJMLMO+ZlhAXYPVCUoSMHxddMInsmofy1eNsK0GKjm5rEcj7GY4QMoafP40yS3E6/NdYtRUXGREdGG2PtFWFj3xoc+4qHKu3ktkMnB1g9rQ3q0Vw80GmAAjU3H+BBoUGNgF2guPmIZ9gye2eSim2q0NeXZYt3SY6keCk2OUnDN/n34JufW9wS4/BBqUdWrg8N0BCecoDjeSR8xBJhMscS5JJXKBIG+Drkde0sdezWVWpf2E3KykkotFc0l1ZOJq5cCTYNVUViKXv4Cq6/S3a10grU4ybijP7YvHE3lW80nrd3e3h7DYyHromL1V7JFjoJ3aHNuclSTq7f5S7IkToX+GM7B9nJ8Zvdo43SZv1Dfueg1XfcL22N3xbclv2bA5q1tJS3VOlZH5vfjBLG+AoGFEq3DvB37jn8VmnIcH/7IZI3JzsrJyuhveN3drOtWbt/V1+T/4AiKPsmTHDjpnS6OUNE/07SaZRbz3ezC4XewgBhuK9Ljw5S9x7+zC4l3aU+Jf60PlJqSnJSSlJMmqMiWmyh6Kw6RdeSZm3qvf+EddD41nQk/ezmJGqmQWns76bKZJUqcGLBI+QKBUJvX5Y3Qcr0+u1pXTKlvC7+qDwpMsJijjAbohwVBJu4UlRI0QoVVB35H7W5vaJP6Tc3HzCqtv3dwwWht5uu4WvIydoW9TIEzOYTIm0OqS3WqPGwnVoEbFZuMy3FZwXKJGnES3CRQNDCH6PNo75axBJflEeABczhhyKlRtklRiLGNUZTaxYwaa1aLdA5sWp/Bi4HMcEcE6WGWLBJYqKkmCD8zs3g85MdGlwaYJiGgDb24jg3NQndWY8vQU6cg7fRCtYI9hs8xDCrfpsQbJOB2TSsRtamCOIXIyTRUYGswTYRJSZUsN6fje9HTNaiuteR84F8mqlrw9t0Y7ANsL8Z5Ye+iPELISrlqwcIGEziKHDgMpUyucaTEeItGpEaxgNsNgeH89BxTArGM57N9sU7icEuxqYJ/oQ0KcFRERlrlqJiQzKOR31Ghd2KQotNmYpFYHS5whry47490ydNPu6rGojIk6c/vLI81KqpZ8pnrBs2ZvKITXcveuHpv20ac/9oXSMZTttpJb9TAOMox5eQHpUqxSYl2OIMTrfApkVO3mi1xfk2ZTlM324Hj9LZvbCwgCOmbYmJeLxKi2RA6O19e2ZM5BhSWUeY0hd3X9nIUGJYTq9SsWQztrdxPr7G5rQm6Fs8kHF2F7SLLCfXWU9EvGRm5qCgMhFg0F1ztYjLRq8eNWr1aP6Jdmnf4BOsuzkIi33EbXxVzYGiYnBkBDEbRAvTrYLfuJrPMjjJcxxZRQbGLFnxBoeJoAX7Zbp3KCpN+igJlQ6le+X9nyG8HonTz21BEq3ecm46DaxHxYxHj7PZcQPjwRz8FP2ecaUJPwWXohmVF6kresnMzi7ypSbBtmKKg8Sa2kVKdmM7wn6EGAuuSAieSlLu9ymxtwv4vm9BG/7lwcM/ePOnzTzJh7zxd1T97Ld0Gq/5zQf6TDemi6XG97n04HFOtGOY08lXxvSjRyFPeVOJONU4lOWJPAabT2uFvnAhAxWgcpJZH7hcazLfuBGWL+plnk+VYCwjWR+4XE8y1ZwooukWctU4Vokgb4uVTDa/ySKZqoJnCJT7vTrf+eQ4fZ3+Idw7vrMO/R29HPJ+v4c+dAzwPcug79egKzHjIEp8EHp8ESxtWQVwTqJUdJbBRIg2MZhd0EA0k26nNXXH0Ao0GZWhZcdoDr2NDqNuhrnQ1IF8YZzAtLLH58zKjoyQIiNdQmfJJfhdKZKrqtkJFj5a+EWNQsUNijJ+Q7urIRMldDWH9Nj7Er5tdvuce0fjl/b2HOFO8NyaMmiY8X6//37jsEEpt3oS3CMunX5+7L6yW/om7srwdZq0e+yzr0RaDhkME0bfvuv2u+/FGXjelIm7xky82ygeskQCVc4zzF/UMLdZc/Ok3Fy3YJLcgt/NZjEtMQ8tfocWMZuvgPO7N64Mo9oUtKjHyNawHQktGjM7p/3s2/BLlxiiovHuiWN2TZwyjyF6790M5dETDAaG6CvPjt09qZMvY1di31vK9o19/jTMdBcwzK8apyneiQSDBLwlSmhdkFu0k5sLcAUdjw5dMt1S29C/lnNCB9IrWFKJ8i5KhmDJ+ELuZcN2Fu2i03DFpVrDidobdUCtv7Gpyd+4rREHHpGwQQydzFUOKSK4J+hC+Hv5G+z6Bj7wG3b8htzPLvcDCBcZhIsaBCNiEIjJrvoEsymHTBQIF8Gx2zfwEQLA5Mp0XC6WkgxsJF5+gjj4N36Bn1wYyP6WSEZwtK1URhuMXXCLUV7Ddzy8LNfa1nN5xak8F4Ot5mKwj3HY05tGiaX8/LYy4s3KiFfEwlEmFQAfeTTkwSaSKwiNXzAJvpOWklKBMgn+BntTwfLU0lIxm9kmOezNx40VTDa+0ZTBU+rwx9zfbQ4+0ZTBpeYJ4WPezlqWks1T3oA3ShnACu3HH5Px/Cx51Mtsoo6tSlsQYrbOfhSzpxp/zA0HhHaynKWt5HS4WVo1SqLfq1kZ1utZ3l4s7yD8hviRIJxkUxU47ygMFXuRj/juWgdfIrIYY6INEdgcaY6MIqJkjuX+APyEycvc/AK4Y8O5Iov1qcvgMhjU32IvmoC+ovUoT76hfRuKlm9Ey69+ZP/oavAbq3EBq3G6WqPXlxDFGNUUG4FJZIzRbIDDvmbGvdEGvjgR3KPKKoQfxkTqb7wM5bE6vgpYld9DeTV0+Ua6XPsG/XtNGEr287pSfFZkNGA4jcvbw1gKmpQb1hqyXx6Ia2gHdEnB/fJn9s9AijMob2tQTJgYRUNojOmgaDhGoEu0A64ZCsUvAyaM+kkkilTz3n676Rbe228L53hvf0ai8Fm1D4EHtT5kOhr97PzKyZKXy8tZXwXKcTnZxnncJFhfEVjtyLBS0agKp8MJj0Uk/cb7rAzjeBgZ5JdXdaXAA0o0slgMgpmfsOajRI30EgKhgvkxnUShoSRdAcWAoV9eFeaSk4YEwcHPa9gki9Vvd1jMyhqWxSxZVqonrNS4c0WFfQg/8VTYieQw0hgPXFzS1/HT7Igtzn7LPthDauZ+N2hcng3lncjDMbnjh3wnf72E0SRQTs+SKC1OhcEkGVZVwFGllUHbVA19ivs3ZBou17Hcu2rI7htmXvb/O45L+9obUgxfaDheHTqhU3MccZAWJmb3dPKlGhISJdGW4BdYFchq8ScDoyQZIf4przC+ODcYGruoEMEP4+ZmVcPhGFJzo56T6cYVU0aQTGiSHU2AquWvvus/tpNDQafD7Qo6Squ3MWwssM5pNEjE6LcwgWDxm8xBykF7ocVZEIaO1e5CZFtgXmAKeYo8IT+Aq+Zi4SAWvqP77XSf1sJtvIU2aCGJiZbESDZFsJklU4TNj4zWWAM2gmnQooV8RLEfg76qgaQGqgmcC6xs+MCQSx5RKk1YguOUSr9DP59AP6sIsDbhTPIVuaCcX7ULUpzdb4iWDJaIOG7nWNULSeqcrhNm81bgXaay0zC/RFsAk7r3ey5ctLDnzMaPyYKSC8XzK+YXd+l2djPO7DWq16S0mm0lZSV33Z4/8Lk3YIT56Fl8gvEdEYohJl77DvyeaqJYICWK/sR0KbGqAqaeq/S3zPj6OuPFrP+VDYR+rAtkXPhKM4O+unDnY+6EvvPzFz2kGBYPLcqf3zeh24P0rOnGDfPUz84NWDNYNYaGVQ5450NuDC2ZM2jFINUYGrqi/8KVijFEAiXMLtjGbCGIAjdGKPMVDB04sEeXgoIeRdKQQYN6opKSnn2kUQmJI8WePdhP93597RX53a0V5lipvdnfPkNqXxU6PMetdi6PFYEREhwFDrdTO23+e4yp1sJ4aeG7WNeBndU9Tf4Xemlv22YWwiNbmQygrvApd8SeNPkty+gZmV7/bai8YEa350/f1Bor8ndvO+aWtzh1WkJPxh/ybMYfGzl/RMJNEtEigRQ1g6UVxhcqR2j22pm6hitklLwEr1a6cY4p5WhDfzbnIIG+vIemgb9SIUcY5st1xMbmREkZcTkoLS2L2avxWTnsJ7pdsr3CFm2tIEYpgkgRpqCZHz6fgv7QPGQ5FJuPP60RPBQj7U55IzpEx+MK9PdWaCr/Gb2YRrvgaepESz4F5qN8qm2CsZH0Ee7CtE6Ztr4QJfBQVEZ/dEiG6yb5WUzjyLO1ef0esRR30abx3bnlJu9uuoanIifTn9vAWRjTn9uaFoAd9euPTdfQJCXlRheWAjlGKTnoXHAR9Ms1NIdsE1P46kmy4hlWjLNKEXFxKDVFSkWgdSsBLet59TYaLE2wftNh6NZ9N7A0GmVY/+NXKsb4be0LM8bItJoaej5sHYn9PsWaQW54hUsMk2Owl8Xw6OxLMSc5pZikJEEkEmZ2EEPEBBupSMJrQhJbw0kTqllt4EW2NW4UKwL7yKSfMrUVrIPql0uo6iyqukx/ttOfZzdHjtF3EZvdZxt2c+od49T7Y5MVLOPARzrqwf0pa4QoRSDQa80Ix/qUNKOagVvSgV/rta79ngTC6cPoovWueAurfbvau9v1vaukqL27Xe3d7bx3jb9cE3Yz/K7x9T7o3VyhCM5nZ+flS+kpeX7o4UTBHiUZE+1+iJBdqd09YEirZ4Jv0s/AB4Y20m8sb63/Gxa0xhnk7eZEBzJE1dS04BTGsYGPgm2K5ZyS5Yt3JklWpx/IHm0U+Ehi40lpC5C/+YhqDffQCNsoTm3cLU4N9ksIuyoFq/0hbAjH5hTHBnAp9GXExtgdDJ8oJyDhiJbsDonhZDP6mbllt0r2NZoc1O2y65f0NPOnVdxqSLfAOXHyr4da4CbbL6MIO4q4TB84S316DD8J0gsw7OpLZ+jEMnRipRirpGDqYORySDY7XD7Qja2WsgipoywMuwUqMoarjXvEyYFzpNuvl1vBTzfI6HXd6FpLS/EizsU7Gn8GrsU71gelmrKmpvL9Uwrf36hjKWuVlF9EzvdPNU7nJbftBCtXbNpJAobvuJXrijYZJRtmsxosWYkpysSsPs4ZBdbz2slpg4PpAf4UgJNm/siBr+U04nsq4BF7fnP2G/xD4PmnyPXGY19PRxdqUI8aVE/zauiZGn5G+pexao3JcOIgMtofEcnUkFIpYfWbuGA/w5jxjBozstBdpD5KnSb1IY3ntjdcN9w3ryHd2Hver6NNkTvO7hAvNrw/z/B0A55nvO/Xbtuno/yaT9gP6kbP8S/0PKNK4DKnCkipPwZ8GjVafb+dvy9hUm228r5xvyrVxoNOCMSxlG18tTpVcAsdGVe77QbiFM1ewZ/hlTIcFeluKT01NUFKtYatXfdVRtvNF7BR9+5F6g1vPRfNab6UjfbEZ5hIZcBIGhp63WxZGx1pPzO3hqaz0Tk+xFeNAYRFUdzG2re3cSNv994zrN2/lMJ7w9tCNvwNqT9f4a3f2zgB5UE5poeuMz0ULEc67hLgfVOJmG0cqoN34AyMr/KmW8gF41jBK+Tx+KIdPelSvMcfnyjFV1V0yc21OKxWS5TUtUMHcw5CZoNkMVvMItgrgmhX6GZvPboov3HSWuRXu1CgWxZlX4hishi6FTHuzaZ7WovgOqcPKqW6hdMuAfpyXzo2jS7mtguJNtM/pqHlllYisMagjNDqKspAMYo5c2TiGLrtDqDBWHVFNGhL9+wmJfX0J7mlpKqKEQMGmEt4y4cPHKhSY3CH3DEiEMISTom27OibEOP3zSWUPYtClU75wIPEzaZFdGMrtMLDUZtrrj2ZeS0vDFItN3PGaIv8TBpeKt7m97akXXd/0U1XZU8/321GgULOh1KLvXRbYc8Ehas6kFNB23ekr1NykhSX7IcbVesqPDl+j4UZw4yQmenp5jSMfy9b5d6EkKH776r9a3O3zkn7lCVWeSNN1+iAqtEHdHjL5uM+sAqL+4TsXyZ5ylkDMV/veabxO8VeEeKEY5DCJA/mkl1JMeKn4hRqXCOnmETKF7oLJcJU3y0pnqwk0ds73V/UWypyVMR7pXhbRcfu3S25DoUunQoKzF1/P12CtOGiqzXyaEe1QIR5QqKNzar5rIFTTCfPWqXcS5H//HPdZb4pJk2d/wi9H9JUCoqpmoxrQcTjZw7vvPqYslvm3zRo+ANzKvm0AkgaqAjqepWy28Io+wxfURODKclBjmqfEhfn8VhSVYJlxcczVspMSvo9RAsnHPdOcZM4yFzWA31gbtAaXZQ/0Ah8o6GAEwO/gm+0pIMymSILjh6lu9hU6xrsTGHGG6PISdYy0FX9fJmu9PQIp9XKNHBCu3amRISY/o0wRZh4a5JFwc8blFvQBhv8RkRn3g66pc34zeK9DZE3j9Z8lMdmZn3VhekTkeuTA411mn5ivM7ek+18B83EZ9I2MCaMRpNkrOQT6bVBu1bZVkOgTdkT6MI34vCRCWRjY/4EcQHfaBPTFaNVEAy/LGeQtwUhxyqrgLHMQI2JsPtNrBpjhL6K4IKVVktBoVIT/P5leai2XaL150pWIfsdrFOple8/8BZdZ/VGwl1XgiMi2dwoEknQrjUVosVkkExrdTM6bhPzZUDkgWV9Vxd8IjBGfqee1bhNnHyJG7rzG5HJTA/TbmeBltNYDedUWjZwvj/QNBtsxV8+ZimHlZSmUm4rHvilQsnROAfWmHl08G3GT5QzlGRVhRFmbiqPQBQU7rHD9curhvV1hvVHjxo/+TX9KF9LhXJ8f0RZm7arO52MOIFyUxdlhwS9TaxwlkDZ0SaZ7I16QgIzO1eAE1K76UlxjvEck4BJfGx2YPZWamRUTqJbSktMFFJRgmQgCFd4hQzJNdWh7BODp4fc85yJYS9AjTfCMI3TOziAuyHg4SmrW46tu4F/yWbfuu9G06peefeFvReufnK+W9X27aj74cP0LPu9feOKRzYZ1iMffSP21V0rdtiiSM2BmnP0JPKJ5+nDpzdk0a1Z/6Kdr85eYqCd0WLYJZnK8H+Q4Z8gpAm5vvjo2FhjCniUNxlJhRUlS/HNYstoXsqRLZPZL1kcZ6a7c2z5/JKgyQZROo0YL5GvogSEq1a903nLmM0REY9v6HTwVZqP+lcfYfgU3Iq3oN7ogXYon140Thr1xDJrY22voyWY1ot2WjRGzMmgP8CtU/qiOMRQISQK6YBdjNVqSpOiIyLMJrhJmSolMOwiW8UuGxd2sxeF0OvO7QiGnjMu3mY04tGXr//rb1Wr3sjdO+SRIY8NSBi2azhdu3R+xTL6IuqTgBJ+/BYlx6E+9O3IuVOWLkyWi1BMZE1sNKZnyOytx1PwG66jjHem0uOMeseELGZnFwjDfV7s8aSjjAzBnc5sx/R4Kd1S4YyL6xqVLTlstiirxRJrnmriZ3Pzk87lB6UXv6DMPqzv5QclGcpxZEMEH0e8idE23hFPeEuIdhvTQ1iGHMSs7Lh4RzZyxjuMRrRu7eB//vuTbmvzYmKLu+Wv7bawcEtS5ktWK4QuPBkbW7S2cHAflOBOf+GWISeyaJf+j02fS48noG0voBdQNrq3AGUnBEwoOYF+3HnCEzlpASOCMINnE1BeVKL4X2LA3t4pZlvkrz9YSfJ7fQ+x84SVYrn4DfgfF3r4PPHJTmy0WqLNkYlsnhmXKPhTEqWMFH9khmSKjTVHxvgjhc5qe3P5b2XXrSinCM6j5BTFgyeLongT6Op4Uw5ckS/SHeU/seCV0mHHHz5+14NLprz88IvDR7y04M0pSx+868qkuXMnsWdl5ckZj22aWbvs/a6dzy97febmzTPfqPyoc9cN86dMmQ8PjPhHGM9nMZ5PZzh3ZFhne+LsCVJeqre92ZKUmOGOyopCLrtNirWTig7IJLUDAWHR7uvm5xZwE5cHY+erwvG2HOUGfIjdwGclGwiE8RrDGjH+K+yG06+/kHTPqUnDH9/x9stV814et/7huYW79tF1O2x7hyLc7mk2MPLQ8LN5XQl6z1NSU3XwXQfqQi+Yx43dWOGgxYlDazbTlzrR98T9ZrQifeeA2+nOGPqgZ9vDKidWGC7DqXnWqiJfRnaO5Mz2OyMqbJFRkj0y0hgrVBjdiqeXFClO5+lFWYRT9uFDcSJg76aAh1AzhXt9gZUwbFQ9v9DtaGa9JNXaE3TeX9aTaSEHMGjykdmzjzT2CfcB03iDCVgkjFTjdbaH0zXxlgRTGmpnQu0t7CcqJ0PKsVRYoxxSrDJgFK/tMMMoLtbt7BUA4zBl310oCPMmzwgfH4zp6UknIxdivLDSi2yXH6vvetC7dPCiA+noEk1CBH1BOw9BBWtXdNp/jCaNQt9UeXM9GVUNKHZ++cPDxx3ZW5Wa1jWvir7GxgJqgt3XPswoKzL8kUn8jr7kKHOMFGkmFYkpbMotMRvfiSSnEOcXuE4p5sucxYoudtuC591D7lpgX1L9wabIv/7z6vsL1hev6n2/f/6yebgLXYcc9F9oIc794v1LXw8t2XTnmqUVy8U1Nbtr9vDzASOoR5zDaAhefeJio+xSgsUouSwWIQbIFvQSAD6cC9QNVcW7OPSw1Z3PSZZu486SnUxElkXMfmA2XPJEP1dIcX2ndqRfoBfpiKlnd1PPiVjbzr3YXHUIZztfNTMz+VgVTXjj60UOhkea6rXLBmt6SuTIKIskRkngucuqc3UVvFWq8znOf3avWEEOyym4i/w+k7yn/lElJtfSlNrXq/4hcA4/KT7ENW2KkCF09iUlutIkW4Zks8Qhl6UiKdoSK0WZpxotinQFjcDqes9ezP0EKPpKN0LdNmNQWyEbm2ba8Fz5O+QMVK09m7/1jmo00/vWg7QX6lG9D73dZWwmG5z5PfEO1AstVLXWyC2PRMl/l6dF54pcbeUNE72Z9Ed6J90ZZUb87NpAxt8Sn/n09LVLNCSJqWkCbLHnGtjosOdmSrmWihh7JJc0eg4HT2rFqocrvnsNa03Nd5u4ZzeV08MnykWFA5FUJ5/H73jn3TPs2VHrJ99YVfc/W3+m6+twL/nWgauXTPl0btLk7x+68uPIkei9LYe39Bo0eebgWzeOv3PDI8vucrIXPQeOKsvvdDar/aMPF1UkOdWYBEdZ/yYxOzAuzpQoOUQkWU2CKApRrK9doSNwbIAWKKf4lVihIV9W4JjPg7gbq92qI6uVy9AUWoM6fE//4Xt8FO5ahT/QnFn9ha5ZVyX/Bad68kzgw0r1g2dMZ1K7qy8pKzkmXfKkpCQkCLaIqQ5LDKnI07MZaFgwsGzqObxCdw6zCpSYeKBleGg8mA5ac8C7uifDxH4ZbXAeyu0aj3LQugM1h2d7shMTZh86XrdtdkJitmf2rkUfb0YTapLaIes3KAKN6bGjUsQrNufRry8fPowsE+XvcCExMwYOLKOHDtH1NQzrexnWExkXdBCKfWkuW4KUGpUW6TFmRhoNUexHcNoIsw91mDeTcsrNaWbBMGJ2K4RhE75mwgePEz6NIPkqCwfa973yyitX3gZB12H5sNvvRWvYPHUNnWEfVIi/qxm2fmCVxVJedeDUBSbgho66t3x/VbnFUjVo/VAuURZxv3LrmX5kowzuWBvZQCZR6dFWCUdHRZsSUywVyqWofFsoZrtyVKOo0FQIoyzLZXDB44zTs2bhojr2D12hGfBkTJvap2rS2IqPHnp1H+PCjOMZWzLQm/Tu0VtGH2fPwrFSfkHx/oF96i5PCfO3mOqLiSZWyUiIiCNiYwWz0Jdh0LdYi4FhBbNUBNuZ96zRZitF71ahdy/8VPUTTsGds1Ey/TJb/kD+AqeguR0CQ8nxDvQx+QuQMhqXO/ieS09fWqTJFBdHYpKT7XaCpUTBZSFEsFgYx1uDHA/OAYrtxeFzapX3UYF20Rt5bA6PEsJsy5YtAWR49yT7RRvfdTo3oRnOTfiRKvyI/DA8Vcov8RZ6kQ5BHXV42fi6bkdfYqpVisLOFMlCnKnsRzA4wmL1Bo+hajEmbO58MZ7hYRQ9gIdL8yPlYiMR7fkJJcSOHp9Iv/n6448/xm7nwUfXHXTJn5AxVej5T89XvXOJDhbP/3vBg/LB+dLfGCpBfFLYvN3LxmNPn7tjstQxHmfnSU7SLluKNrWzGrOy2rUTLGmSRXdLuzPrpwIVt/z888EYGDocQbiFoerolsO4uzvKV/AFjP+MTF1n3YbImHndaOAdhjX6etzjonwFewg99sY46sSfVM2qQh13Pl7ldGWkV236AzThvvvo2fTUWXH0Z0lSoxLB+d44iC/iYwaIZMGJbLJuM04lLruEBVdoUDJpAmvkquJS0AW37ILbwwegQwuioyLI7ArGZlT+GB2mYxl+u44cebpqQy2Ja/zyOm3YUPW0eF4+uK1qyx7Wu6O4byslTn2B0MuX3S7f3SWzozEhO1fKNlUksJlOZIUpwhbNw/pYJV0o16CLPM3xFQ/sYzU5PCTDo3CcEteLGdL8ig3Yqorah9sQcfEs86gvnn5u64bTc80WADNq9Gj09f3jEio7TV07sBSZ7xwe1z9z9kDfFsP6T87TT2bLR3CK/IV4Rb62ZnHlY40xzreTJpVsHb59NMpwvhoz3TNz6LOrKfgZ26daBKAxEhPMFfHMjjYiv8tkZAapyR8LYdJxyNlLbrFyrFENxuPhB7ZcccAQ2MTUxj40+57lVvkpPNV7jm4hu+n1BzMX3+f4Fd36Hf07TqmdfHvVy7W1zviqKvrTCPksToH5Lffyyv2BxyqRrWMkg9kiRU2FKFlmhYTKdDzk3dOtxoNDS3ejNbWN3+Evd9PFJEreRZY0XhYzAz/iaYHVOrmeBjECYyPtUpzBKCUaDEJMJKlA4DFL452Q7aXJcVuYBLcFZfeQEaaXm0nuhaZRQ5jULq+dUYV6B0U2fbtqxsmZNcE28nN2cAouVjRXRMC2FQo657WeUfxSwQqQ6ixplGiVt9BJopU952trG/PV4HQoCC2exy8hRslKnDhesmGCzXFmZtOZwckob5dO+gP0rEJDYZYKX5X/jI5PozH0T+zhdanf/1SHxm3pcbzHlh7ortpa+lYP5Q86Em3SyZZ4db1zkC/TGhWVlGQ2E1tGhsuVlsYksSUhOiVdAA+40UzuOcNlcTG/SRiSxqpEJozwhDsmhR9lTZB4iMNUkIMKHB54jt06/+6RF/ptz6/r+od+F0bePf9W+udBowb5bZ1sTYKz92JsdnoX4QFVcMoXjaPPwe8q+XU8QH6dTN60SS5Bz9CJ6Bld3Op48KluiYwRDVIsEv0QucgRJ/jjoioiuV+Q/OBanY2vnIFZ7lZDWGuWsadwDxpNj7Dp1SwtkvUsFEMPo7H0cN2bVYerSDR3qPoD+/rmm7Bypd68wEa8R1D87pSI04xDYd8LK16dPxNLxYPqamKiLwa61SBKYIbww5NnYMuzpT/nBOUh12tq6BLlaWpqqkYHDEl4KTaKCfz0cX/qwTNNVvB47bMIRn9oGhKcfRTwycYImGzUh+YWxgu/jlDmE2izbOf+YKP4yp5FMsDhVqKt7CFbaOpiQ5tDcxXZbizXZie/boST0GiyWErWCGxYHodD5wK/YMXdtAGjQqM+QpNx+xr6OOQWahldzik0iVA2gU3E4FfOGRbw+/tZ6hlNHivpBp2NtpxEW+jsWvRcDXqW3l5Dx/ET2Mpp79bObbM6tdPdi4UTYpG4j9UH53gtkWZsICZzRIQo+I0iPymsro8gVITAYaIJ/boczaA7lqMpaMpyugPNWE6fPrEYLUFLltL1aMFSupquXozm8z5+krXl33y1OBnaE2eV4qKjJLgaxE8rnc/NPd/8jECznV1c1mPMmB49R4+RL5CvaJTyx2jy0ZgePUaP7tFjDH2MMUHn0fCyZ4/RII2mozms1hTNyzocIws7ThPiKZWfiHpehFNf0Rh8bZtJGb79D3v/JuKPgp1/c0hdcMvG4Qnu/Reoe/8bX/0M+Z5iDNjztbOvfU7ffApdkd9+Fc3h+/5zGb6w778ZaL9ZuCSO4meWWG0EG00MTROSmP5nY9UoSsbgaQ/dqnYhcm2GYA6k9lLozAZAm8qgpXFobp/zpqeeQuedxLRACallU94v9KeYuD9Y4R6xF4cWCec1MTEZ2QgVLP7mOPJT2iEcHcHj5G7XQ+BThdQG+pHXUI/LH9k/ukwPnpX/yigNZ9XvEfNV+B19KeD5SsE5IlISIvx6zIXOwRMl/PqWeqQcahDzNfwDA6ESVHYWlUFN9Da1P2sYL9QpsWcZ5iKCk+UmA4PfWaFEkXqOT1sJmA4jSR1QaEtNDSqqQXfTp2rof9XAjQVhJ4N3DeeQAkbyDMEEv+kVPsrZuCVnBRd4ZjTFSBEmv93lJ3YpgvgjVBoBdcCJMJhBEFQJwo/AydrpSByyefOQ6Wcvl27bVroI1eajsWlp+9Ly6WH41VyGEL9OhhSCqcAY+SR+r0b+EN0HnHCOdCOf8Xsj1leMYlAL50P3cMfoHnIOiSgGiZf32/eTbrhMPohepYO5XEZl4hKxE2sHnN1w+2wWp9EeJ0gZKXF+LyzNG9XrA3zupRu78doZVE9GDng/KdL2093a8imbxzDxsHXr0tsX5eUtuh2+7R837v7iEqu1pLj3sGHo/T5Dh/bhf6Kyd/c+e7psypSy08/ufff48YOzx0+YPWvi7bNm3T5x1uwJ42eDb0o2ViEiVDSMcpMA3tNN4VF1wQMQTMLA8e1a9D56//KPP+IR6GsaJ7/IfufRevlFVVtwSe+C85TmGMmsX7cKaQydwA+qjpDcD+kQ0kuT/4GPQZeARznFtzjThh3DYyDgRNWH6C2ixH20Q6zYiAgmcsygbjTrFNoTr3oPBcvwzGzRWlVPN9YZqmtrGyRDdYMEUQoYFCVKQarPClEKID4BNsOupVUd/dwGjA+LUXCa9iaV8jL0Gs3Hf6o7ih/C5bW1crVcyW/ujVcxswCVMYGrGeagkxC45QX2DOLA7CfO32tHBnSKXqZX6/AdlNmmDDke0UfxV8va24+3X/PoNQjfLb6o3phRpa8Wl57Zx/q49Dz2m2v6SeJlBnB1DcsDN3s3qv54YPW/QCjwuSHeVqcMydvJn+KVUhwVcCxxd8hVj03p0iR+zqiF7gkLYAKuHdpIQ3Ob+fNZzB1sNDT38pP0wuNPvHCk+vEX9pYNGnrHHUMHlcn388vcKZDwwhM8YUhZ2ZBBZWysprP2/CmsPX2FYUJvX3ZiQsLAHtLAbj4pKRka14k1rVuKv5ulooUPIt6ofDZAz6v7UDdpHWmrdW29n9CsfVuh1f5ZK1bMmvXII7OyO3bMzu7Uia5s9qJNKsgjquZVVFVVzKt6rGeXrj17du3Sk/Zp8Qr44g0mmH7glEn1xaAIg5mYiSHSXmHg3WlTF6v46jZhRjQIOBtq8uZ/hbbEofVX8r1iD3oeb5PLUX7jGQbPjxLF+8SRcHfZZwfNY4hgZgLIyanqvSPGIKDOuLUAF6PAJuZa7UOUKt+PH6Wf420okUE+wWqhs+MAy5NN18jPaowQNhmriEAmUWSWB2DJQCoLD0oMJQhOAN/ZyMFj6eyvOJwrdIETb6PnxR6NZ1C+4m95IMO0lGOaymAKUiRGJojbIolTmQYDNi4uPh/SiWCqG/AVuZzB+Rw/Kt+PUlEiWh+HtihVMIi3qm13CF5fXLRDkGIcUQhHikabFMHgWsSpRgAMAj6++LxyiBeAm1zuwhyu15nGdMWjH+gI9OJpPPA0OkH7n5ZrTocqUkhCF1yBr7z/GGV+4B6pvD5njMFiihWxKcqGsS3KJFowrJ/1jWed2LkzTOgUh5OoIL7A5jHx7szx2AqKGKlu46TS9atKtA4/k9KfcQf50s+BYz/Ll3iNA3mN8UK+L9lqirQYbaIlxiGKjhiLiCJxhYvfSVRManuzuuNh+tOidrerDi2hS1sisAL5a2pwXBgOX3PbWmAziKP0Nlg9szGhLR6V7agvfUtLaXpcn4Iflh/RUoQP9CnkzcCtWgq26VPEpkakpZBR+hRjn19PaSniY/oU00M3Vmgphvf1KebaX0q0FDZ30qVY6M8YUrAtPIX9rWJgeD88xfA+8tGTCjShWkspsFWrwJQUlBcqg/JC9bCUU7qUU/oUXBZKYYaLPuW6LuW6PoVUhlKYrtOliEk6rJO0FICrtQfxekI1Qa5QWgErFd4mltemx0+hkAJRSQlB1KiHbeGtCtFVrcugpIQwaUQsHev6ysRzJGIliwKgEXEwrcFhvXowCCcsHan1yAcVDhObFIqE+l7DX8WyGRaQquVoHNUMlTZbpNZjCYOlnDLSVmEEG1x2Dj2u4MP+w004d5HLhMq9dC6+4Q18Iq71No4Sj2pPIIlcDZSgcjxevoDKz+wyLPei8sAnXnyjcZRXXPvrSa941Kv/bHiRXPUGSvB4r3zhjHeXINhvgluOkCt0Zhq7SOjJtDacY2XYFhWQcIxbYt6sFQXNH9ai3d46pVFdvPJB3jJy0htIaNa8sGe0eKRxyW5o726SJkfshjbvRhvp9t1ndhkHe3fTuazt8kEv7sIJEEjwkpOcCg1rectv/vmieMTbuIQTh6R55QhOIbTRS7cDmbL+IyoNE0YKY4TbhYnCFOFu4R5hlnCfMF9YKCwVHhZWCmuER4VNwhMter7Nx8BoblLo3jqNb/a0Rv82+gQepQMyvY3HeH+QSd7AMt49eItX7s97C53z0ijeeUj00nrWk72809vos5s9vD97iUMbr/SCTu1FVgT294Ke7YVr5Dm9oHt7oe9p917Qx71QB0p7ndnVa1oPPJX1aeMxsJihiwPLvGQS73G5vxdv4QxAo7zoHOcHWu9FYp1393Rvr4ZrvKP/f/psjOMMIw71Nl5RuGaFN7BfYZ0arzxH4Z/vvbQ7ZyLUwUsp46Rp3h4guYYJr4kzxIuMj4SsFn5bdl1bufLaLv75mvYFPplMCpVLblkyPDSgDsquQ++9d+jZ8+fDoFWff1Z5zWM0CnOYdkuD1XyAmwnHvDIL8kW7y4nFHOV2arZHcWfBYL9Mv9+6FcW8/DKK2bqVfv/y2rNz555du+bPc+f+eY7+PeSrnvvnNcF0IawNcW22oSX6LXH/bVi2VkjRggz4OifCb8BCbk7ZMFjyN0rZMHg4mmH7e1rpbtlJsr1FFzHMOLfgMgbLrIOklVULgC5Ta4RctnBmek1MUrOFYZbUBmat0e3Qe3RdKyyEFragnrM16tla0A4tbEE5BozJVz1+7drikBybOy7OAYdNmqO5p4r2j3tn2KIdjua4Vr8TR/tX7UGnULZjx6LfronYgp7NDay2+LCaxlTtee8Qg4iy6ccMWnhLygCFasClmuHx2zXx45NuPsIMcKayGan2VKETDN6z59Gp5s3C0YDDCYbMTxyPsLqcrbaK1ZPD96htxhbdPIaTZphKqWb9U8YqlxOCyMB+daiuRH7ur5XeKlLOgMQh5ZhtlnpSNKzXcjIzc9iDdo0cNGikbIfP8M4z4s+MRjnNiBbes7uLvLnL7nvYbzynC+xjaDhEck9inZkWhvs2U5jWXci07SZY0QxN/ePbuJppautK5/+F97gso337DPacVH/TZPXLO+pv/A/1S+BJ9QuZpr3Z1jyPvEj9gp7W4AXUL2Jv/os9wS/as6/5i0+bv/ik+Ytnmr8IAg3juuTW+SCkm4rCaNGKnnp25tKlM9nTur6q5mns4XuaIb0F93h/U3cVtbEMdFOdtmbtvn1r4ek/enT/fmPG3FzHVSt51+6rHtNPKQAe+bqgx8hy8gnnUqGtxShctmrv3lWr9+xZXTJqVAl70GPKn6v2VvO/2aOTtXDDWihis40sHYxhbCr3g1JmL5P7jVc/1EDw8y4KvQi/9yoUKmXbpBDMp5opT+iEOWDBDWvdmGC2BD7D64hidfDZkEeDXqDAFY8O05XCZ2BWFup/zRrBZxQIhbYC5bRT90LFZ4bbaVTLD5MPPnue6eA5GhfJBz/lKhN0JsNCtbAcGh96FBpptQO++IyuZtUuYzVrdpka76FAU6Uc42rFLgNicM0LdWn6mdflUitRwbOKBD7XPKPpZyYLPYWAEfnLe4dAtJ7hUHdpWpxhAFq8MFi1Umm1UqFmEai5NDw1BBXc+Pw42NtClgUDmWFaOofPTQ/qrD4+w82yGLUczMavpMvoMjUnXYYqebg4fQkjlDCElwjL3zI3saFQfl1uYm4NtujWAw/c0AEXWubGbncQeCATIM7RigphfA+zN2irIacovnl7UeXRo0ebNfroUX6jKnh+w8Bm8w6fxWwUsLlC4DsGyiotggtBORaM/k7noU1foT/Qexag7vQsrWfccUbuIfc4jJNwknyV9wzaLh4l3/O1EYebHBKNh9B2rVeCaSYlNcvtcEOOwEn8l3FyVyVjNcoTEHvmkEq1h/lqE+teGJzN6+BrI23UADLAbXOzYldJZWBZCDyTWiH4JqUGyAm10D6w0cTrqiaVuhkNUSQSk0Jc+IRJK5MqrRgMls4mltdlO8/FjPBwy1SxWwrhOA8P9Og0erJgxw3iPbp54Lc4NGz+hg3zcRJ8yl/ilC6sF+Qv2OdrwbdX52+oLu4SShJ0ekrlBA0fh4KzglM1OqWhxVjjFO3zn1oZ7t/xva38/+n7tr6LSe3y8tqxJ3Cn+gVFN/8ir1O/kBnNM7d807J48IvYm/+6yUPr/zdvmj86i1Nbh+E9iIJ+awpDnKU9vCvx9WraB/4LbcHIKrB5kPpwGNVsDChPkBlUmIIQ0QKGfj1Iwamg0GNQn7a+N6uHDbtWv2stgH+sCbpfcFdOjwn4Trcp9ZNC5DEUekgBctkKclhN1XTQGfzwlwPPyAu//ZaDRIYz6LUvv2RNWneG9v62bVhw6bCwyOMoQIWkoFCh8MNn6KAvv5xxBp0OQsMP00H1DBw6DXUIQrQOnpFHuLYG6ZQhZAleZrMp8Is8hiIPKcoxGYpyDIUmpHwzhd4YCnIMvBVyds8H0F97PrD57rvvptd8PnzdJwfYdySzD0n38pWqAWhc1QCOGhnSs2dPeoOl+ny+5ct99P27lX/8i/Lu+QEDBoBERdtJpSI1kSpRNbmpS1NXhMOloV5ytin15B/QQrquNanXUj62ndMYzKmyezBba7lQK+K2TUmIgrVDk07Bp57/w2Uo9GmwpDIC1apovUIUrSxjWEaYm5RV64VSsFHSrDSHdtO6dXjD1ooec/gO2zK/rzzgGt5ygAgOKqEPqpEoJolrld5yqKWrYfuF2xEiqNBqZsUhXU6ej+VRUgHKp2gk+YvYOxzKp5q6QSNVLcSghHLyfCyPkqrYd1fFo+JnoNELERiYZVdJICDCXQNm7yxgehtDC9EiEpgDprxS5hArsx9SGF8oGyKHSICl9GJlblHKZCEk3hIQWTEAyq0trSYDryvLzasLjMf76BFeaTXuwz07a/UaoGYLYVUHtuM+8imOAD2CRqPRHJ6GhYHjgTRUGAFGy5MYQnIehBfEOqx4TsSMSAW1agYzhAO38UI42jQsbWFzTS23qlE0xOmQoIJpu62AWVhbW+azKTWg0cFcrCfQZHGB2AnyO3hPoMn4fboN6M1SblFSLFhpE5qMysEbmq6UgZczZGVxSqIfaLQCYMuWLUCdIAwDQCE2g0ocyAawqIi8W6DfV6KuYkdxBMcDoZXor+ynK0kNfM7STgv/Jp+IO1RuOU1S/00O0VylVB9WaiK3GaGLaC45hPqQVEh7n5X6l1IK+uVfgc9ZQYDL3oRqM/D6styEVylPQrv+otRbjXiE9lDdnGOgpQwBeTGaQp/maPzlL38ROEQNEwPHBTlUdFgOOg1wopEKxBBeGscYFOSqGcQgEvpVeGUsiDMar3KrNTylCIWM2WYpNtRmiltJ0UttjdeJTa2qWr7KssijcFLzXKxORbRDoioDW8Ji9TPeVGRWEofVVj4YX/p8vE7SVC3bDUlkJJeFzAoiykF2lybKJUMlzI/oMpnNgxhrL62vb3hS3Fof6Eveqm+cxeoBCKSaQTCABlGcrCpl8alAvSgoBVkt/vpfTyuFMEpSa9XKuIKHfpNEIVBfz2u0G3trlfF6hIsqpiYVT/Yw/BqWGSoBL1pWXy9AiyAf34fldh1SIPODkFACn6pHrAyqrJcPQkFxa6BvfT15q3EWB8DrIdVqeSFHK8c+JZJXz4RkZf3FeoP/19PoIC8FrdHVyC/uAw35Z1I9yZMPsgovGns3PFmPDvLaBIUCpDq0s6xcj2C4yQwvvunON95FpX9U2Da+bqRrD9Ed8Ay1qx4Izkmob13Dk5z4CjmJ0mscrtbvDI5DuaIB/Q5w6oOdrgAAlJQeJEoPhsqjYKt12ASEej0aCgC1P5HSMrw0yDUuOO/pYRxAWYfSZax2O8vLUWY1IgVjlt+icZmWWxTUvMAswJNIwS6YNwhZFBS4jBdVsDo8TCE82KTfznCwaxioteexXAatdshDqtV6BS0Ho0gQP6AF5GKdIfF8UCPPiyrVOg0afqiSVEN9HLNgDg2aRlVUKQFBeT4AVq9rAcsbGapZa4XCCPZg9foS+EvNhoUfdB3GA5ydEHMh9HXjX5V8+BTLFzw9AbkYS/M8DR1btFq94AO50HV0UFIyirkNHRk41qrrar06eDBA2NuLSo3h7fYEcZPQQQAK8AwXG//KM7doefBHq18rAiiohbBO4kUG5R3vdSZLAvUKERQ5x3g9xKv4FCuj9W0h54DrIBoVekBWJt+CbQzmVa6ZqO2E3FysKXDBkuwtAj2IvieYeZfHTdje0A/wMHlR2fQOyRPvDD+JgiqVHPivaC1dFPgOPhUacl7V5i8sF3AMY73Wez7E7WE9z2Doe0rjd7XnVR4Oy6Hy8EUNBuptUFonMEkF9FWaJChpnLO0NJIXlqbhSFQKsnRufrE8Ur3E5u9ZjHJVKuVCcl53K4k8+2njjk+HsZ8QHYP0FBk98xk9v9OXV2najLbaQ87CNh9d1PwTejzUTqTytNoYIpQwPO8N4hmkOeBKpqHIxr+iyFUoMhxF1myGXxnDr05frjXMyGw0ie6Tfw59Qs+gAyQvdKIJ8qMDWv8DrixNoS3/kZShAjgow0TtAw7DoOVTcvVWRrOgcZkCSRmpHmWcclkHtYHcZHX3VvVEkEuUypRhrIMTxq3KibQ2xzfjRQVpjWuD4zskkZpxOOTX8gLsoKQJy6fBtFA9PJ4vWssHl4518lUKx0IK6gvOE5pcVKUASAtFCkB+La9KI4tCay69XRIX3bJKcia5pdbooUp6LonqQ4B5gVbwKFSsM4UeymhlikHSj1dV9qo59bRGvSXQIbzXWuqcVntmq1ogXFpH63oTruDp5DW1S7oWSMFyTFYsFWKgHGwkeQoL8sU4u4sVXPXJOknajIRTc1imA+s+WVU/51STsFm+I6httHL27pkFBS6+CcXKzTmFhM2StPbTVVCOA6hnsKAc3LnDcEozBvQD33WCO3XYKHokKVgDOlC/6tO1+IB8x+YmVphLfrirp5RDGZnZmBeLi2O1ikd5JighoQO8bijJaq+H+XgTEo8a3CCFXHCBoQChAji15UEIXaQdV6GL6OIq2pF/0I5NR/A0PO2IvIt/yLvYn/IuHRQ20gwAwwXcuErMbTJUHGnYeCQ8B6uHVSHmrmr8a9MRnoFrowNiEtcbJs4BPKhDUBsdYFqL2cfoetM7+FRIE4EVyuyc6ywxTA0p9Of9pp4nZXlUNdSG1RWyQHRWF4cQsro0+0O1uoJ9HLKkNIvCr9k6yg1KrmmUGQM0RdD6WZdC8kIpQQ2EwrQ9SHYJBozAddABpoOW6nRIIZMM4NtHfXQ6iFOPU1BkFMxnFPwuXHcR3cOpCf/aVDoat6nUBSvmuoo+6JwDTOcsDeoOtSfBPZ1e56gogba53lTGMNJpmxa4tKJoFBzwqdCJYZZXVTTN9UOBag1LYAorxqvKB+qYMWlzEE3yMfS4waobjwYtD+Tg6SoPqDAMwXnIdQ7A4OflFT4MwzJ4rrlN2zlMoja3nTk0U6iEmlvNybXLdb120WCq8Jhy0UvnoEQEv1DqJXlFjkoh410K13CtyHSVP1WE25TpBTZd63QivQ1a2FqlReuYaFqOW4ohrdi6llNyS5rY16m5NvS+qw2933wWxGnpKdTppOuSVkzRj1K4VlK5J1LjLmW2pcyAwZbina/jRT5vtuhzq3m1nApXJqlwLSH+5ysCClDgzSDMVnSpq8UsJsSELUaN2xakZHDYtDYjbT4328qHkAYxaO8Vhuw9dZC1Ni9zhc/LtvLRptp8B8JsPpdq86kDsg07xtZ8xqo361parlBClRQhw7WV+WizWbgKVJm7whwkZOOqckUzcVubg9vC5uAXQ2NSmQPoZJAy2oNmrrZ+xfGPDMk6vobFW6EuY5G3An2VpSwEJTh+Fr4OpY5eSTmxUH8RhPJbbMrJ6lYhW7TVJ/hRpQ0uu2jsDWtAYXR36NcoCmz6tReV7YMLMEHm11ZMcHDtyKSXFJzOWvmgJORiFgdXi4LaRVlhLFDWiWB1sT4oFtuUzK3KgLBREWb56yxddDAkmlux/F3NLP/W11VsrcvD5lwaph1s4dpBm3y0oh9s4fqhhc2s9VhhUEe5QnoqiI9Sni9GcEYKW7/Q0bJQr7dU7NRSYdor1FsunQbTsNQqgH0Qs3hUvCGkCj4h15eckZYlRYtSdyG1R+eEaEuExR2b5nfExkn2WPWOdbzqO64TzulEuKdHe9BpiymNwAVVLXB1Jxw6oRnfByvfjCRgHbpj3ZqaJUPjj3VZfNeqL+94olt59pTOi/ov2C0NSA5ce+LkkPGFfdNu7TG8h3/y2JnZJo8rt3+PKRULPkC14+8bk5c7dvqaKd6HFucgT0nJY3kddnkGTXjkThpTOqCqfVb/vB49brt1SvnMsd0mOGOKJhbNm7z0tZmwYsPvZht2C3FCBkSHjY2XiDXWjxxWSXA6JKe5wpIqWdQ7q5ovBfA8og+erDoecehO7B1HfY7U/nj5bz/UHkH96Bt10+9/+OH72XO8dkfyt+98+M03H77zbfKO2uPHsXXz6gfXrHlw9WbAJrPpmrjZsEJIErLBo5g5zmizGd2SKyLGaBQgagWuEJIlwRKMXwneW4qVO6WGDIWw8SjHyGZUTAKAm1DEMMRhl2Mvnf/ii/MTh6LE5DuGrsX9j92ZRhvmfXH+nvvuu4c9TmS8/mVjIpoUX3pMPrG274JE+vxDn1+nDbV7tjz65JOPbtnDWEgYIPQSZzHRGCck+qJiBadkF6ZGgbMMoXNuQZL1PI9Uk5FdaBWKRMGmRNIFgeSBYMjTZqPEBiQgx+xpk/3ew95Ze7asRmZ0cEs1LaMNq7dIU+gHqPMUSVePV0j32d1CtuSyJBjjzEYh1p85NY3VBg6C1eiA6q5gfFhc6/jgVf8QApay2XPvLO3mnbEATv7dNy0nf9Cdc2fdMXk+w6Viz+Lp/oc7dc/YWn7gz38+MHNLRoH3Yf/0xYun0zdQv+mLNZzEa4JTiHk5MkaQTDEwBiD2XzZWWTtec6KOMS7b/W3l5kUzNlqjrBtnLNpc+W2vCciCincfPLd75crd5w7upmfoLwL3keQV+xmczKqNeRkRiOQoKIHF4JzfJGpD36J/ePED+AG5iuV+iPHtTO45weWLEDEWjMGIncWd4ewav+3OZp79z5xfaEenz8vfwz138aOGBc3Gd54vpXdaD8mWJLXvIKCsLkabyxnRhw1wJeRF+AB35PQhRSHfig5wFhxDTDFYDVUMZzL1PRCDXU7Vq92xY8kDpN0L+i/qPCW7vNuWsi9X3bW4y7H4oUtq1qzbMRSPWn9hwfzJPfvlujym7Jljp5SzgX5rWt/C8UNOotpedz4yYZBnV4e8x0pK6N9yFj/knbJm+tjcvDH3yT/OfG3p5HlsSMc4J3QbO7N8yq239eiR1z+rfdWAUtbS2WxEdYHoH0IBSDJnJyk+2ek3JEsGW0WMV4owu2P8gluNQA6O1vg4h6i8ECsXvDIUejRnkbxnC60e1fWrEr9Wf9R3j3wWZSAj2nk4yn7fmFVPPLFm+H1xUd+98l9vnx27zOvMXZM2avyIoaMnjHHiL1AZWkSt8pL6+xb/7b+ufLz4vjRUSj+lv9J/0n+kpxxLSUdfLb5v5cKFK+/j3qdvYe2oY+3IEPKErr60dHuFMVdye9MSjYbkWPYjRNqlSFsFGyJqU1TPdvHFocDqRVq3eDSM41H3wgKryeHOgfsKBflFKJt9O//K36sfXfrX08+9cWlo/4kzRpQgS9eT5ddow8ydtOTBe56cTv8dYXnD+e4zj77V4fmtb/5l/7ZbB8wtH/LoCFq39iT977fo1wvWogfG+e9EhZGRQ4C3Mxm3rmXcGgteIyJMMRISTNaKKEHxuW8vVjy+KmyjeI5gxsv+1/5L/gYvO1h3CFc63tp/4kJtY754vhHijA9oyhRnGdOF7kI/Jhmc8Qki6XlrWruC/IiI7DwpO8ImgSeTzoqfNxR0FO7Wx6bLyeL1xRdyhaR6zFCoYkjDBqeWj70TZz2xZ9bM7+jPi54blOB/enD1Wm8e3fXUE6+/P/+RghvIuXl13G3Lej61oWNXNHDOxoGB42Xbplav3bf+YDXes/4RnJK7cNZzO2KsJ63WvgO6dI6e03XT5tVrUXzOkLuHH9kJDjh6D+jktS/yjn/QP2xM+qTpD4yaDOdakoRYsdrwID+f2EXI9sVlZLrT0jI7JIgCeFKwVghRkuI6l3u0U1x3ZSlRnvlnVr690IqBX5324BnwoDtdlYOZ8XsdTsIgO/vJo/X0+lsXL77Fnp+ef7Pm8B0PJy/NG1s69p678m5vn9BtXiyajvqj0WgBXU+P0BN053bkbGACzUP/Rn9poNcuHt694099i+cNGV1aNjkmaqc9ClZW9C3JhLuVvhR3gidHSsyWEjyJiZ4E0mqLOnfurHhIaatROTY39+8a78nxuBweF9gXbbanJ8pb8NCyqtfn3L1+/fpJv9WQz/GSWdO253967hy6cWjcuOatyBDag7chd5aUmCkluBMT3Tdrw2+2gGns34f/QwvWr1ix4vdg/8Cs+5fvQzcu+P0gP1KJUVzI9UU8+FOIsVgcUfY4kVitZiz4jRDAyap5gwVH49wph0N15MIdQDgKYFgScFnx+i506ekP/meUedQHm2OGPjA2hhgxrqyUKV5Nv0EueQn6mP6MImg2UK0b937yR+73P1vIFwp9mUmJkjvJ39Et5XT0J+dIyY6KhHhJSPDbBSnK7jdGBd2ftBKdS8e+jHvRzZyfVO4+enz/nZUpnIHvuG3MHQkT6LFwByjFAwYU9xg4kHR+5sknnga2HT5o6OjMnV5Kwt2fHBw3YNC4cYMGjIO9fkwwOaL6P4FY2wxfQe+0pW1vJrhs+4kT23e8/vqO0okTS9lD8KtPbnvllW1Pvlo9c8zYmTPHjpkJs4lrJIpkthIPGEI2XstHxkVqQGCMrCznRzwn+FAyGQQ/Nli1eMA8niZ78G4oIx8NleSlEfoxGOtUqWeVWg/MJX6sUwJVQotD+ZRovKJEDH5dtEulCFGK1dWRmWRSYF/jdPhk0v8yw7Ke0wukP3cTx93zcHJxf48Q6phNYYgSlww1GennKIWcJCiD/s2IrPjYQQgCdlAuVT2RKha7G/wuJprNRgchRoPETOTodlI0gxoXGoDFnUMRT9wZmcw0LsxnehD0N+scwcSkPHLGq5cCMTn5F/ru7Xve3L4i5V///exrTcK/+/93lfxj3Isnhg1YsPylP6a86przIBqC/B+8+TV9Zezdc3D3u8aXfHvwnnn0hqBrqQM8P8diItlxjMkoRZow+7EIfovSZO5yVvMGiRzqKWel9TA5c6CfzPTvMJhRuumkCWXTD1F7+t9mZEVxu1CvXQhTuou+vYt+zcZXD0aPSu7NJZ6fVO7oS0mzSwlp/qgEKSvKn5klZdorxIhIbPIbscoampcyGOKKhxfuiaYtHzxMCPT4ar3zMHvw3Kr9+6vWPfPMusK+fQu7+3wNeDIZjPvTSrRMPoGW0Up5y3MbNj333KYNzx0c5YP7Tb5RdFlVFcQZB2/J4k7Wc6nca110khTt8EdHC0Y2+o1+waqzXTpzc9OgxP7KhzmEyW3jKqvAKJIME5tfZ+NplH6FEuhPKBpj2X3H2gdfyn6yI6W1a+9AR8Y4US6KZWJ0KP0z/UdOHxv9YNijD718Ruwzlu5ED5Rw/51zxKmGNOUMlw0h8CVxA5uxeQ4/Igxet/j5ymHoUXGGiPjK/s1udqNHR2ycMmXjCOVT0N3WiW15i63F7bQWN9DCb/vAvS7xaPAmSD0qIZdFiHEjWAgcyoGrLahEvdWDmBF6gRwSraFTfkfwPnQBzl8iFIEWkMFignJKkQyWT+E+aAE/xYnQYCQQv7g+CPc7xnM2Nlk7g87QHiy9nJXdr5QFkpVDUX5Yk9e5jBwiNQpc9heDiJbBQVHekoO8JaIgFBGEyNWr/GzrQXwKHaOlMsfrII4jZvIAX9fnV3mOHj2K4+CyDkJ/RJuJjTTyNOJw4LLXXnsNbUbdUCH9M5RNFV4jT7R1+z7YJyM2ht++R2gh+pIUkwPB3eqF6BT6kt8PCd0c025kubUOh6vX2iVt3rZaNps6r55NdCPEj1mrLFQLDCXfkG/c/Fx46CA3WtjGuXDU8sR36E6cWXcnTr0Mp92Da61e1KJeuKrdWr05PGN1+K2e0MiJ1MaOIcuWZQiOIPkGqqAb6UbdSHr4Ejp06RIdz1sXHFHJLcfUb/o8CB9n1ROHDp0IT/Pbb4W28FtQwZtNWDd6TMDncC9BG0P8epg2kNSbYrpRoc/Pxwb9dtq0adoA2cv+KeeNNW63qPyexYQ6UpleXocj9tIyWhbk/mr0Ayg4VlOIz00Kp5t4XYzbXxswoL/G8RXsH+AV4vrf9B2hGwNTFHpNbNN3hG5UaLci4JbLQjgyX12tjI/qakEMRDRdI58xfecWSoQhjCvu8OXnRzulzraeqSNNg6VsU3Fyn/QRg25FaFB6ssmQamM/JI+p6FIyQMogjgqfOgXMDzrztykTGZs+mB/MDpnmZlPyrOyWc1iHMoc1hJLTbS1SPTDDZSYjMxSUX5T2fvAc3YzS+k18/Vk+0y0Z2i1TTjw+6jDaCO9vvfP1Z1E5f989g70f+dxXPZc1PH7ikeGfHSQB/mvKfDQbDenjf33Y0y/AJPi2YUUPFNOKpc/RczX0OydPLD9+29Mv0FOQWLywO0+se43+cOc89EDdVHRX3xr+KSA5jp4l25iNxS0s0SSJKytgEShkYXmUlVv5Sl2doaZhIFhngalM2sr9WcmToYj1LmfnLlLnzllipJQl+rPSpKwqPSRdxHrwsf87w7XDdNilXCeGqH9RzMiLu3NZYULfBV1DYeq7Luib4H7szgtf4TGzc9rPvg1/xU3Ich52feXC/iuGqmHXB60YNGcJD7v+4TsDKod18mXsSux7y+A1A859xtpTER5hPdLIQ6iZpIjWI6yr98Tkijo0FneXzxJBjbB+1HDi6I0vIMbuGQaxB4OYI05vegiioonTGy+AIfnTYJ1lC3v3HXxJMbFR0aIl0sxrtUDsNhOr1sDrVWOyKIFf1RNqTPy5QAb+NLiOpNfhLwyfUNr4tRinYAEPyjPslrecnYPWBz5Ejwr417lqX0ONbp8DRcdKOHpVhTlSMovQ9YoH4Pe02NSeoNNXN1Qq96+rM4799TA8gTxupssTwFmvPIkb7OTXbaxVm4KtyvYlRESaLaLBJII7XDCV14RzhNIeYAe1LQ1T6+rwSH1Lfu0W1oYQv/LYfTrMdYBZC8Kx13hX418FbSZx5HubfibDDdUc4zSf3WgSDSIiDBSRgj6BVTwNKo7yvRp+EWGoCSQQQU+Sd4Jxq0p9XQhulw4THF+7dKndmgox+f809yzQUZTnzj/PfWXfm8dCQp4kmBDiJiEEMCwPQ6A8NYTwKAZ8sXNShQjKoVRtsUqpx0uFI2ipeBSVSz3qqY/SNKW0entyEa1SpNYG5HC93F71YK5WHslmuP//z+xmd2d2MzM7G9tm2YyZ+f/v/X/f93/zfyV8lbligtfHMsVFuWU2e8HYMVTXdXYPn9VhtZvFvji4URruYFVZCa9ijjaOdK0qwW2tYrtaAR+I7WTFkT2D9wSePig8uvPL1/wn31zys5//6c2dzL9d/Yv3hfmAHPu0eDTyBWF97rzfPi68VCOcBsVg4R9baXC6dFb3zsP/6QSThKNDzxwHrBn8eNyBG9uEn2cJm8sOPID6AQaJo9Qx+gRRTpWLvaOpctQ7GnX7g3/ZB/8yBveLQr0vrT6Xy5oVImjaYgr5SZJlrRbeul1sTlIbiUeGz4AvcxVJZYCR0oHa4QK1OeG3j8EffAAxNR39SOd6C8vEDz7fO/JB53zjrp1HqbdFaMM0hnai2OkaQiv27i6nKi+3ou6FVCXuYsjhTu+voztwr+YnFO74Be4FT4ZpcBcVTnmaduR09jAtKmb0OG2CgmO+B5/uISLdKJ34lHd8xjsaabs0SNw46HO51Xbo63bxQ5NwvDvEj8iDDdQxJpdwETXBfLuDt1tdnMlJW6MHeFqZEOLBQ9GzXlHmBU/RUI+Pt2+oL0d7e+g4S7b30mfm8IUz3wya/Seo7g19BbndD7of7PYW9g19thX1aYyZbazSbIw1OhmcY6TZBp9iFlw4M/BLmleYjYzixhF5qJsdk53D09keAlINmDu4PNLhpHJZkwc1qPd43LwnMi3UYHxmp1M8sTNyUDiQQ0DuGeqkuq/e23u1m6u6cObKO+x8DAnY4AZ3ISiG/pEAFYWh2oehyoIx+ORgEQc1mnDaQ4BlSNricvIuC23L4imLLYRM+0ORBqAiZKK5jRw5jt5ALvNBF7K+iKH2hZup7qFOcs/gnCt97EVwVGi6ms2Vgh0byNytZHaf8Lhb2EVmd4f7wnVCd19Mr3TcnR1lAdziGfkOirOq7c4+ePCzgT8x+35x9R129+fHP2e+M7D8F2zz1dWK3dmxBCDszdIp7WbIeTPgWXPkBPTt8ae0l4nEhxOF12Nq/5B6JbwwQmHB0hMjw3lYhiGXs5zZoTyrLZd2cmh8CwdCTo53bo9Q0uWO0LGhvomCXAXSLPXVFObri3/ZOsNz5X/D28UpOY939rYPnoWc7Z/ZOskHYwVLFIAq0lnV1twPeQutx0fQRhRjGzEx3Cx1U55MvA7XjvnELvIi8xTWXNx5leWQ9iY5//09CXsQc/770Hx6w+Au5uDAauYg+LTvkvtSn7Dn7FDw6NFYPfYRU4KFdjdcI9wOn9nipR00gxu1dMCFlXM4bLxDFPMTlVjGRf2SaIEpUYYlvAxRQ9SyK38WxoAdpnVXLl7eI2wB57kpkrYJF/su7HTv/LQP+pGSzkH+vgytfR/u0FIXHEdarBTNcibEZYioA2KaBVG1QVzt+ED+wPD/pd6RUW0Tv0nxeP4rh8Tvl/tAwA0CfcKi48Ki4d8lbRcly0UEguNcNpLKcrKs2YI63IoiBmkBp40IWUBq1iHOOyxokZkHvsDc38PkDnx6dbqo6jGCF5UBhLiSXhMOOw88Dp4jKZa2Oj2808qYLTxtNfPQcbMO6/WJGL2W5i4rq2eQ8S6D8Fw+Is4NSEj9o+zFy61gB1d6NTvGzHz8cV+4e8je19ctrlSnIQ9eR1J4bQNehyZeHi+uZXgdAnBNFmH1oO4GXiJk84ZIYLWhs5CtdMgq6WAj3pcrR/DYKbGCoIDKYZGVefaDbbO9zKcDYz0ztp56QbQv/c1tVU6yqqcK+Ca1zoQyuSt2Fg/B2zzJZylLmGVwfnQay55vOpNPI82DZL8E6b+7sIj3+AtDJU5XMe3nHJD7dqj/fo73J9d/NKMvCkGcFbh0BM8dhcbckmALRDj6Y2EbtgkxVMgjqoJjbNk+PsubzZvzCN4E8nhLbo6VRh0mMWwiVBELnwAVtvfQxm+/8r/xEHEe6ocoW74BXFKABVzqF15wCwehdboIrdN4bJ2qw49J1mkqtE70V+ckz4WSTktvDJYWE6GxxejQ9xyad+aEWMbhdObl8iaOd5hCjrztXUDai6nEbXoaI9EOVUuBBF4mdiG5Opl93xI+GEWA+jg8HqNE32Z66hIR6b3eS70XDgiHFJgO2J6eoYcjzdYhZq1Q4j/GEl89+E+xf/d+pAkHZZpQfXkOxvy5wZXYI3vt2iVy97BPz9AcSxPQoYdiI/PpQb2ZdAFy90Ahc26wmM4e/MxC8sfJzqHxwmZqggDdROrKLhjVjJVFNdAE8tC7EaOauPgwGqUBcXTQ2htuHZ5AjM9AVcI89NfnhOOgPT4mzLI57LQJBoRwYRFjQjp1TCjOGD6EQsIr6xMnVZgYUVSK42UUhdEqoigVzoVxzXswrkGd5KqJJcFaU2ElPz6ruMQ/xmK+bkLBRJuzCBRCucrLc5by2R6Pq8Pp6sLbNXAhRJt8w81V/O9Gnf533WINDQyqRNdHXZte8P5AC3VyaDx9TAxrtr5RdWjWRhztPC2FN8IxUEZ+/zjY9ZHwhVugwavDQc0HWXevfqArX5gbjXzoF8zg+/l7xRDn/tK9D0DLvx5ifAxijPZbJxGtwUYoPMWALyrmiyAP8sv4avN1ldk5LFNa4i+3WQvH5bu63C7e6eadDt75SJfPWsXbYUznifa+Rv+LhnViY5W4iE5OgoSYDq6agzViTDdAI/wZWgrrTl7dFRfWDQo356JWxDisG0s+JNFh6P/AW8N0ODW0MxrcLRf2i8Ed1jsxgovoHYrtFhCi5kWivgQ5gVEg1rw4j6gk0mPHZFHoVXP23cqETjXkReQFDe6iN4jeEOg8CzqRSzT0PnSHkM1dDe1ZFfYE8l0E7+oAVgtJc1l2PosLohP/uQ7OxIv+LaoF80fc/shShI0X50M9h33SYnTC7P9m8MwFc/jSZ72ryaqt5HX9hV7s2+cWEORX56RVyIM7TZaYPDneMblus8mX5ecJqP+A7fDRvC8r6IIhjtPakeUkZmAXzB/xxUT1bBB7Avhi+wSUMdAhKyti2N5v6F4Mi5WGTlh/M7DYHgSWa8TXndcI5JLlFvSJvn6hV3TJ6vbsce/ZA+mNaXIM0gTBNz1YOjJ8iDiqAczBXiPH9l59XQSQbYUA/vPSBVPuhTOXT59Z3Y+A64+QzVvYP3R6a92DkHoPxvDLByErZt0ujrYBAjprProDLY62YBa0aXazrcPm4G0RpsVCJvlwIAYudIY5YiBcM4WpV14VoeKWg7eELZfX/vaPpn0wLgLuGJiAs08QOt2dQhhK9gK4cvRKK8oXUh5gC14xgsRBKPMXsIcL/Q0rlCYbklwouA4ouXaWyaLNUHotpOTfxq7qDZLmMtK3O1wNtbOGfJ96GPdemkP2HAQ9x0FPn/C2W3i7L+Z3kYcRj2oMUR3MR07VGOhVAZ8/L5tkoWuVA6HJjTpXYt+JmIgxZlGOQCD0DDsSxVfOiq7FY5FIUsnlktwL7FVIciXqWh7RFCxzQ3XLc3V4gDU3x0J6TZLO+SBg2Qlahxk4HG4raV4USr8oVPOvvHPmAld1tbt3qCYCY6IuSgzF0a7kA+wTOXlta5wlqh68LeoNH4RURXUfxXkFvL2C95TwHnseRQUIvioAvVZLFfJaLXTIEuO14sK1WA8ZVQoXwE8TVSt25LSTJcXVJHr/j4t3nSet2ri0bXPH+rnz2qdNWTz7D7d2BB+eunTx+iVrNq/qbJt967qg3OOl8seWVpfmlpTkdu1qhr/Bn/x8UuRJKl+HqsUWV/REX4V4LiVagjUVC/kChg/M4SfO40sIvqGJbyiZGCioYJ1eD+/3htwuv9nh5M2OkN8ccZ0rRUdPxFsqIolBzyejQ8K31Dm4mhIpMx5TKDw9Hmc5jdruWnH7gpkdy757Q1vnqs1rVnS1rQg6qrPq8prz5y2/Ibh2ydz1HZvb5u1+uC64oq2LrIolTL+cgrE/DPeMx4dICn+fNg3+g+Xh2iy6gp0P16WyYLYJoJqIHUkcFLxHkeOJZGNqQc0jgz9B6y31HrnoVLjvKKgG/cfBnj7kWtzBVFy5gvhwbRb0F+ZDLW4IlnJ22kU7GN6xowvaXbMVeZ4ewHsoWxZJQ6vnNotmJKdRdAsqo0EyKBmel8KBcrhk6I1T2wZvwg4PS7af2kE/Jq7yewfOgGzSFIFkERMU/iy4UKe7cC44Qu2j7iD8KEozu3hzVjYRorNhnB5CqhvJx7gacVYR+fCIlfXoBT9Wkm6fL5y7+8fT7tty37Q76PHhR2edbLyn657GmjpwpPmXv5u+ZPrqgu59s9pnrV0eQB5iEEcbzxDXEzcQ84lg8DoiwFdPnEOEmubwuWNC43L5Ei8fnFUyjp7Q5Olip/DWLDY0IYuf4JICuKgE4obIIL7wFQojLobFzeBKIi3iJjdMJmojpbKxu46eQmpyg7NIqjO0RQtin+zZUJ5318J5u3fP23IC0AuffHLhxCl59eCGsFg6myeVyTqGhmbcMQfsE4tnQXa0UPa7fz589/dw4znUf27VnR8CINXSHo0UzQq5pL9gvhDAtbTIJ5oD7iJ76G4chRUF3ajfVk6HycF7Kd7kteWEbJJH5JdyvBBukRm1PmcR5oXPhyph4EBPLdv7+N5lh48Ljy17as+Tbb0nmC3kywHQVV5XfqIgIGyF30cKhGM4CxxeLfkuART5+X18mZUvdPKFZX4KTKrhJ0wKXR+YIPZTDE3g+Alx1sAtWUExlEYwRKweV46EhRL1H/rocXF1cN2ts6E6b7plyfrFS6c+HOy49Q+zF0+Z1j4PKvO9y5ZuXDUpIc4m8/NFnW3e1SVp7Nh8KibURtlFgPxRP4w8SoPZWWN5Vy5PlfFcEc9RrizaWxHyeVGteI7UuBFEpAMZ7GgjwSLJMEVkCI4aXHD/Q63TF06bdnNw0X3rGx89Lpy68ac/vXHqzYtuaW68/0cznsFdBquryxsbyysqcK/BiorJLZPR78hnqAJ3QYl/FJ/9Ni7ogYrOWVFXRrgUkgyM0cSGcpEIGvXdKvKIuXthzz73+T4QBPbn6O+HK6iPqHVg59AL5ABqfYn3BUyDfde+oFtw7ZpYvTiTWEisIG4nlgYDTTfwLU2h6TNmNXa08K0rO0KLZq3ka2d5ulxOnnCF3A7WNobgy4vGhCaidzhwdWC0f21jZWXcRXzNICpUBuUgsvsaexZ0kVIDtByQA9i4o0KTPTKULZU+Uo90PlkYXrWaumh/cTu8HrxFqoWkF0m/CDZ0K7+3iNq/Ojw260XqcelR+a3DrdPWrxxqu5/8+MEn0MWhZTe2tLW13Lgs8h2+Dt13+wry6S1DFQ/slVVXDldZAmL/tS/ppbjD6bigy2YlOCfPkV2si6ClF2CwgohvvtTXQafAVejyQrWorytzeVnw8GdCU4Cc+/vWduHiTtexPzjpKuHOd481rf3JrwrCd9+2Fc7QS28C/8S8jTvpFaxpam9vgh96E/6CH1TT0Uv+Xro74bRvSunZJtkYwneGR6OIXmCNjlaSfLyUY6eaQ1gwPBuNZqP+EZ1tUvx8RSrmpm6S5hp6b0QgUgLDyGCZpg6aZOfmJocMvJn4l1QwKsDKKsA6Nz1oi3RCHv0v2lAYlgGO6L3WJsPlZuOw0cuTdLmkoF6mJLjekhls0+apUVyW3zMKfFdnJVLgqsaAqGI70lcFXNOzLjqx04dUDDIZ4Vuye/RgplNWlWQ0A3xL2xrpZpz+FU47dzTxQmlVSIPy6a3NyTmgDQWjNMa4tTtN2VJn1TPAN23enibrndpqMwq4aPdPNUGvDegYYA2iu35N16nxSjJkCN11artmwo8Uw6iBOxo/qVmuUwYGI9t4zWvXyLApEE+V669CZtNaaTVArmDktfp4qqy8YV6+Htx08klBRTPAOY36kMLMa2TciNZGs+UZGXptQGuMJNLyKtTDrlGaFKTIEMrr1XjNpB/BzmuiriZaKljOESmn1YMcGbKUFjLt6Dcdj1cD7BrprEdmtXq0I0OfylikJDyNYI3J5aqUWFXQqQNKkzet1ScdETaV3FbgMi2DVV0e3EBdjyEdhTL8MdCo84WT+rypXFyEedxcKjPyGnM2anIYaeQr0sgCqiGSnFmGZYq0RzAyyHVmqzOR4UuGjUZpkWH2r5fh0x7xy7DTJ3mG5CuM2C1RA3Z4bxTYDGRW097t0IaCwXTPoJ2KIbveHVeNUqFyy1U/5YzIqI9mjk1VVGO0zGYoy5bUEzJGapNm2VJ5ZOnZYjVgxSiRIfnJDOyjKNkmnXQzUN9jrU9KT1ZHritVEK87M6syo6Axk6A/25HsHjWwacxrGpRpSpOradPayFxTMmunBn65XVGfa0qltaOwpxCrtYbk6TKxp6Bg8HRSzkidjyEdlWCBklfnpcocqMwYaMlajGhTZHOrzP/pzvhoshnJoRuVnM+INkEGXyqVS5bzicvdGV+HmRAV6Ml3pZ/bVtBgKgGWDOhMDOpkXL2rnurZBP8mub4bkamLmUxDJKc+WtIbJWnL1emLhgyrW9Gc9dHsJ2iB/VuoL9KKj26+/AtUGGn1UzThl1xRM1JjlFSPNcKvDWz9GRA18GqVrabEv4xSBiSpx5RZm6Wh0khVllFPLJ+xnKdxmTs5iMbk7fRZxOSQa6KyoVk77d6HCiuXkuzfVs5uGCgtVT6jmrNTAjFtuqWds1MkXGqfVkduKs13wozKLRlVaZOJ7EJma23S8f6My9oZU21jYFbMoHob7ZJrQNZOZ/5Fq3+Wbt4unfxLmlZHV9WNutydugyVUsJALe66KvhSWZPU67amvJ0mq5EcNlV0Si9rN6JNkEEnV7mUhMtUzk55XR7lnF1KlyVjOTtF1En0fnx0tuS+kcwHkrs86mvrVMZ5KYvr9ObsVMb3cslJZerSiH/Ve536qtOMzj3oq0NLs/4sQ7kH9ZGSrgqztKsv0smNZKL+QpWHaFTeJs0KjAzpvK4dCt32TsO+UubkJv0cwCjIjWFZAEPlJmkWIPkKrz23JJ924Hx0Mp35j7TznMMg6MBbt77EIC6e5aPs2aSOcxQP81GduUkdgcp5pqf6QJNHqMZtMDT6VeMhqIBuVKJf9e8dJn60VR9kOOenYZ3IZM5PawWCMXqTWIGQns7HVxxliHO6olDjOac/Dk2Hc8ni0Jh4X0/tSKztVx1Da803KSxrZNxcumQuBnQgnkBHfZ70vDry98N4ShU3+G4tVBseIzaG1bXGqfFLkq1x6VYUa/NnR6oo1nfWg8H+bCoghzllUD1xOnTVS2kF3U/rtIeM8iUDxz1kgncG1txoZJ3xteD6am5U1oIbRPsM1dxofd/S8LcgMmCzNGRs9VFYFT2VbKjumEa91ZTBpn8zWqPkjnLdjda6Q0Non3bljdo6AAPiSS21NyPEk7ppZ2j1jdrcvAGZjLR1XqECR/KY0869DTvS8mkj9i46V2Zyb6lAkGlcDCyjWGOoBkS5rYuD9duuMdSGgsF012npNJI9oqta5VWbnUsFlNzKaaebAVZOHYhp002jNqkkXGoLpyNvpJQrUI27Kjokn1suNKqikeRSo9mGjAybAoNUmQadlFOZa9QIVaTeRllqNNfbKE2qwdIYU2+TGoh4zJPpi/Z6mxFQV7krlareJp5r2s8AULWjlsTOpXs6q6Zd1JQJO+NPPNRXcZP5zMMoVNyMWubB0IobDXmHdN9jTzfTrKXi5lvLNOuouBkFnVddcaMjq6Xi/Yl066j1Sk76sX+aa4EBG/FGVPHrlJ6kvrH2PU1tO1zxb5XryX0YkO9U0mRdu9kadSdWVyVPR2lvMjWG8kBHfdZGJewp0zZa4rl0tD4TkbDhOp/BWDgNjdcQCyf37Y3I9sm1fdSzfSl0PYP6kqDpMdqpoQJCsQwhJezqx06Zv9AQi6aZPTE0Gk0amcrml0tssmg0JurXUz+S4J2pi6RTxvEKFFMQcTJuLl0yFwM6EOtoyIakVTfAKpP3dGL4dM+1io7dlHwOPVU3mmJN2dzG78GqqiXVBltG92C1wquRrqO6B6tKFrTB36QTak1v6I3oV8jgUweWljhMDTzqeC8zi4ZHYZrOAtar8wo7FBnIWhqYwdAfw6d8r/VfJfuj7oSU0c7+pH6XOmPRu2JF8mhH76nfYMpc9K5ci67Sp08Vvcf79Nr3JFXFIwbuSeqP39X0xNK+J2lw/K7OKzBgP1dT/J561dcVDamJ31OdFKwGd0Mi+NSrtq44WKPOKGg8joE05euGQ6NYfUewS2OlnXeRzyDnWnSuzORdUoEg49nIeKvkWUrEI9G7EsdSn8lhVRotJex6Mh8KsyTArixtqeN3ReAB2RM9xYJQpO3wegfnJnuS7cGnjBcUt+AJiuxRF7+nHDvVHBp2pJJWaqiZOwP7UWrgSRkHyWBLJw4ie/TQThXf1PFPtTdrTN5H/V5UBvM+ivnpBE4YrzNx+ek4DdWj7wpZTuP5picKMZxvI0QhGeJb0hhEzZuVqfKsMW9Wqo6gNGcdlM46IOMopUfmYt9nBeKKJX8rNPp83FuhoryPlNWXzZ30rVDt9XHJZS49H9wgeVftg4tc1FYVmVTeVXjgavY0UsXc8rfXMxBzK1l0Mo5SemQu1sYCUYLl+zHR5xP2Y9T4kqkiF/l5Ddr8YFU+vKIfLNJtJB9eRjdlHx6IEQHxI0Q3RsmPPhy9WaIavjcn/u7UmB2WYwFELOTzRp+OPnTtGthPfkwtYB4lWfJ3BAGvHxcWkMcJAV4/ia/j/k4A8CplozqYo5AzltcAxQNiUmXN9QDUUuBVYH/2CcpG/mpo0bVrxGH6HM0y+0mW+Qo+RwKCPk29ypzH+NnfcBMsbyOISYHKAHw6GbbXNSxe3DBl0SKhVPqFPo2/pkiX8BtCdJI+TZ7FI1teg8MSIkQx45DtsscRJkX0OfIAuxpjQoDIc1StB3xy9BQEH2wTHkL3fUifo26W3eeBGH94+NTRyH0k8Xd43zv4Pg5iyMBb6SiG8O4i+CGXP3H28FA3/Ed8DD8KgBs++TR8kiWcbzI0LU1S62rET3pKyjng7n+p/1RXl/jY+fNEwlMUw0hPBdyNGIucBjgdiZ451Y+eOn9exMYC+fACO5twEc5fZxE0T5jxYxE+1Nf6vNm1gcn4F0i5A6+8cvOChTe98gp9+tBTlZUr1q5dUVn51CHEUZ5+mWpm10C6ewhP0OKEHHWGCJs4XAILygP1dSXFPi/ZvvEHP9iIPh0dHfTLG++8cyP6bLrt9ttvQxrzOX2c+g92PpSRMUGnl+IJb8hkDTlMPOEIieOikT31dbWBnGwIJwazpHh8+Xg4uu/zkzfeOqUme/JLPeOWNyytmE8fXzJw/dicNdOX9OcVTFw/Hc0gyWU8Nz31Rb7D1Gr6XE8PotFtkLIcux9C4fy1yc4TplAO5iRCCqI0ub4OTseVTxaRs5M+H7g0ub547Lza2eM2zVyzsbS6lD5XWj+jrshfUHlf8QR+ec20ibXlZjT2F/QR8iu2TkGavlj5UoA+EpG6t6gHqEeZGUiW3gR0CBBY1dC95Q2T62udDPgmMP23J4XnqQeet4z7SnhoKnrqpLCaPHttPdYFluDZ5LogrI7VhQNCIXn82iZRq4mIViOoDiw8u1koBK3CS8iykEIhtY24Ho7vC1rhjQwImRjeBOd5V+R5PWJ0Qw4H54LW9NnW+wteEgqfaJnzZdmG0u0fwpn2C+2Umygk3IQ3aLETvNkeMrFmNzGjtnZYaBrqG3zFrM9bG2jgWPLRe37QHOzn791UMsk9UWi/fdX829zNZGH7knbrYTOyURHbwjKnsc2KWASW+Su+jmg6y3yEryMazTJ/Q9dRzWWZj/Hfo5rF/D3hug9fR3SIZc7g64gmsMxZPF5EilnmE3wdkTmWOYeuo1RkmQuijZVowjL/g2wlIbBV1MvcFE22siLRVrJVSraSrSLP4pFHspXDjyOt+RI+99/c+ASpLSvKAV8LYeDvY6sGBrCthJC/I7uvoYgBH/YBvxAW7yOJq2wVvRDfh2wlIJjQsK1sKOKK4Ifc/Qzw9w5tQv+ix+CDAFBw/F9zNYqWEtQCZCkpQL8E6LPbtrFVgBbCu3Yh+BFFfyU9l2grAbKVSLTD8KGzCEZA79olhBE+FWwxtYObQ2RBS0ATlhDBxVnLWtFW1iK6/ezAK3NuaJr9ygG2eN/OeUuXztu5D1tJ5n2qmevUbyWZ9zvXretEn00rV61aibD5K1tA/Y1bR+QhK5kNrWR2yJwVckJL7ky0ktkJZhLbyb+enLBi6rSmPGgoi9fMrGzxz2cLAgP5Xu+4NQWB/sIcR8H6AjQP4ubf2X/IbeWHFMtWSbaSuUrN5jYQXoid2WrK4i3QXGLiYiLV1zUge4nNZW0A4sixPtI7q7zwpo45s5f+8r8mz8xnrvqKJuYVOWsr7/vOc9MXj3e50biP0G9QS9jNov2DFgmZwHj795vA9HePCc/TbzxvKf5StH+XnyE2UMeYXGIp0RKsmWPlp/r4mgK+spSvz+NnOPkZ9ZU1U+ewYNFivmVRaMnSFg4OzYFQC8e3bO8iEN1c7sbGykp3TmOlRMaG+iaqob6aLCm2ww/6Zlnx204hkjYgAjeRtYECMv47Ozunvpoqrwc+9sW/bJ3hCa67dXZb56pNt7Tf07YiWPfjPfOW3duxfu6StcEbls8b2+yvs090BFe03dN+y6ZVnW03fHfZ2uCC21fcvWzu+o57ly3duGqSd/a2D56lujf0z2yd5ANVZH4+XGjgz7Rp8J/ckpJcu/8ZjhH/W/RnbD5VRTqr2pr7hz7bCun6CbRlWewGhfXnk5Wn7oKewi5hA7L0HEtTOVBjZPeRXMFXK1kaVAmnFGxp5JpkWYZA8eoO+jQdwF6RgxgDVw1LNm3hKcBTTpqYVCupEhw2mcsLjv/o1BPCQ5JVIu+IuHLYEbLITByU2iFonV+D1lmFzr52qKdl+Yrmnn+nT79xZMv37r73N68j2SOg1r+qTuufe+OtRXPnLnrrdaT17bNmtUOt/3/vLPotAAAAAQAAB3c1w/mIN9tfDzz1AAsIAAAAAADYz+FlAAAAANn85G7y4P0SBWgIsgAAAAYAAgAAAAAAAHicY2BkYGDf+U+BgYFlw6cHvzezZjAARZABGzcAod8GkwAAAHic7ZhdaFxFFMfnrmOVPmmJYuMHFhSCdLEPfpaotUYRu2goQYqIDbIPMRgJGmoqWBINmIcgJUgQWWgeQlkKwoJF+tCK0CJFRKQ2KG3F6IMvLRHa6jb0ruv/3PlP7tm79yZrTOlLAj/OzNwzZ87MnDkzG1sxI7Zi8teQB8g06M1gWul4uVpkjTkBnqQs09fyf0D77hlN1Ldat76fNFP37YVrxHbi696nAuesGc1ggvrdKSRt/B82g7YUxP+NLTCVIM+98es7yvasWFgNbiMSG+MZiN4e1SdLbyV0LeGb+IRYrx+zrZ2Zk4n6IYVu35XBoI3PibEN56a+dZk1Wk3a1NjiVzKGSxl0kc4UsvqsBPHhuRT6waMtkJbrLnLufo1L/LbXVqpHbOXSzU7+/YetBHeBHNhk3Znxdg4r7kmMcSfYZhvzmT/H91uX73zemFB+dds4Hn1u8v1GVD/RN6w/TDnKfrfaxvzbRrvPu3I9pH/ers8PeqwyffO5oZdzzFNP6u85vaAzxnTYxtiSub5j0++Gp+i334OyKr+i9i/PvfZzHySfg6Nch0Ha28W9FBtjtvFsit5bYB/LYvNBNa6Pdz9WmX11nPh4KnENZH4v2cZ4Fd3dlINsE7nTxmfd++Hj6bAqT9k4NrwPeRvfkUXbGDdT9NvvobrP6vVsItsbbXzfibyPfh0EFTXvD1h+hvNZBz5We6VzlejeCF4Gj3M9+9kuvMbvnnF+L3Bcvx9D3Dfx533r4lf2dA/Xc4hlyADnNcB4wRMAaxFso0R+Cl6n7Lp+etGcdxJf9m8O1IMTYDKW5hGWT3C9P2N9C2PnSzDMWOhzBOshv4WU+PoecsjVzS/gR+oKkjs7CNsCGeMr6+40yOCgawt8HIqtC26MoB38bithn8uRgpR9XcsQ6xEiHmtvQuJ8hj+jjDhbuAwd2LsCH2rDze1Sj5hD+7j7dgW+hRbfeyDPEdgOb7eVq8hp1YKTQjR2T+xXKlsc1RGWsV/VM7Hvi3thFD5P+3eKxKTPu5IH5K38onW5spdrbbiGA9yzQsKm4fmdoRywcS4y7oxG+97v9qou572LvhUVexP1Sfqwj/tXTPAdpX8XiV95nucpnt8Sz1jRxaS5F8j76A3wNef3NNuOpcxrBeSQw217XM7SSe2/g+iyIuqX0t6E4ZrvyLBPW4v2lppTd1wONifKrfhCRL/lPv6N/xuRMYcpOzPqRrV3KvkhOE75Q0p9GV8kXgXJG77s67otqxzVxxy6LWqfb26XNpPSJ6knd3ekI/rb0/WXs5GF2Fz0Ra+t93m+WbfBr3nl13zzPJezsaRv7SltWes7lj1Ow36NZej4+UuOkbfFswrJc/4thvvBPKZ02hV3g4f4Bpc76BZw2WHOsb9I+c3kf4frM3kauut4dyFfB32uHp1Beb8eABgjeFf1S4tlbfe0sxXZUP1DjFHDfVRDPq29Db6xlb+gt4D3ysKn/Dbg9ORu1PdlVOb9lmyv9qh7Ve7KF1J0jtDm/pgQ639xzt2FVdwv4Re4R9F+aY71OyD74u+R3f2uz6KNQsLuDOsz/M5vYkvKMvfwVd6xyFdXZW9KXLeTa6yxxvUidzRGtyW/L/VtpX2j3xOTlPLb8pAxgQGnwCYwi8pZyA1kPehH23kgukVwARxnnwPG5HKQJfebJzhlo//RBLOwfRZyA5G8L2/n8zb6PZmTe6QEm/84O+ZPjr0AeQPbOzj2T2CWY3+EPDcN+SvGvcmNE401Dp2azAVl/P0LwMzxwwAAAAAAHwBNAF8AcQCMAKcAwgDeAPkBCwEnAUIBXgF5AZQBpwG6AcwB3gHwAjYCSQJdAm8CqgK8AwMDOANKA1wDbgOAA5IDuAPwBAIECgQxBEMEVQRnBHkElQSwBMwE5wUCBRUFJwU6BUwFXgVwBbIFxAXmBigGOgZMBl4GcQaDBqgG4gb0BxcHVQdnB3kHiweeB7AHwwfVB+cH+Qg4CEoIdwiKCL0I0AjnCPoJIAkzCUcJdQmjCccJ2QnrCf4KMwpoCnoKpgq4CsoK3Ar4CxMLLwtKC2ULeAuLC50LrwvCC9QL5wv5DAsMHQwwDEIMigzcDO4NAA1SDYMNtw31DjEOQw5VDmgOsg7EDtYO6A76Dw0PWA+TD68P3Q/vEAEQFBA5EEsQXRBvEIIQlRCnELkQ6xD9ERARIhE0EUYRWRFrEa4RwRHTEfISIBIyEkQSVxJpEpUSuRLLEt0S8BMDExUTJxM5E0sTbRN/E5EToxO/E9ET4xP1FAcUGRRuFIAUkhStFMgU4xT+FRkVKxVHFWIVfhWaFbUVyBXbFe0V/xYRFn0WkBatFr8XPBdOF4sXxRfXF+kX+xgNGB8YYRjAGQwZXBmfGbEZwxnVGecaAxoeGjoaVhpxGoQalhqpGrsazRrfGzobTBuPG8IcExwlHDccSRxbHG0cmhzXHOodIR1BHVMdZR13HYodnR2vHcEeFB4mHnkeix7IHu8fAh81H0gfeh+kH7Yf7iABIBUgVSCYIMUg1yEQISIhNSFxIa4hwCH0IgYiGCIqIkYiYSJ9IpkitCLHItoi7CL+IxIjJCM3I0kjWyNtI4AjkiPiJDkkSyRdJL4lACVCJYQlvCXOJeAl9CZBJlMmZSZ3JokmnCcGJzInaCetJ/AoAigVKEsoXShvKIEolCinKLkoyykQKSIpNSlIKVspbSmAKZIp4in1KgcqJypWKmgqeiqNKp8qyir+KxArIis1K0grWitsK34rkCuyK8Qr1ivoLDEsdCyGLJgsqiy8LM4s1i2yLtAvTS/MMBMwRDBxMHkwsTC5MNEw4zEAMTwxRDFWMWkx+TJNMnEygzKVMuoy/DMlMy0zNTM9M1ozYjNqM3IznjOwM/Qz/DQlNEg0azSXNLs07jUkNV01nzXeNeY2IzZjNms2fjaGNrU3ATdRN4M3rDhBOJo4yDjQOQM5OTlrOZM5mzmjObU57Tn/OjM6UjqfOqc68js5O1E7YzuAO7c7vzvRO+Q8cDzCPOc8+T0LPV49cD2YPcQ96T3xPg4+Fj4ePjo+Qj5UPr0+xT7sPw8/Mj9eP4M/sz/mQBxAXkCdQKVA6EEnQS9BQkFKQYhBz0IgQm1ClkMoQ35DrEPRRAREOERpRHFEeUSBRJNE1ETmRTFFhUWNRiBGdkZ+RolGlEbnRwZHDkcWRz9HgkfNSAVIQUiGSN1I5UjtSPVJGEkgSShJMEloSXBJeEmASYhJkEm6ScJJyknSSfxKBEoMShRKHEpSSo9KyUr9SzBLXUuUS8RMD0wiTDVMdEy6TQtNQ02XTdpOGU5HTnlOok7UTxpPVk+CT9hP4FAVUE5Qk1DOUPpRKVFvUbpR8VIzUkVSWFJsUn5SkVKlUrdSyVLbUu1S/1M9U3xTolPXVCVUUFSRVNZU9VVPVZRV0FXZVeJV61X0Vf1WBlYPVhhWIVYqVjNWPFZFVk5WV1ZgVmlWclZ7VoRWjFaUVpxWpFasVrRWvFbEVsxW1FcFVyhXVVefV8hYAVg9WFpYpVjhWPdZTlmhWhlajlsrW7ZcJVxBXFVchlyvXL9c6F0RXVtdpV2uXdBeAV4OXmBecl6GXpteyl74X1Vfsl/PX+xgDWAtYDVgPWBQYGNga2B9YIZgj2CcYKlgtmDLYOFg7GElYVthfmGgYa1hwmHdYgNiN2JVYoli0GL6Yzpjc2PbZINkrGUYZUBlTWVeZaNl8GX9Zi9mPGZNZrdm/mdPZ59nq2e4Z8hoAWhDaE9oW2hoaMto12jnaPNo/2mBaipqmGqlarFrRWtSa79sG2wnbFRskGzBbM5s32z7bQ5tF20fbR9tH20fbX9tzm4ebp9u+W9jb75wGnBgcKRw1HEucZRx1nIxcoly1HMHc1Nzm3P+dEJ0rXTvdR11YXWIdcl2LHZrdnN2e3aidqp2zHbwdwd3LHc/d213qHfGd/14JHhLeHt4rnjWeON5EnkpeUd5nHnBefJ5+noCeiV6T3pyenp6hXqcewR7kXu5e+R8Dnw3fHF8qnztfPp9B30UfSF9Ln07fUh9VX1ifW99fH2JfZZ9o32wfb19yn3YfeZ9834Bfg5+Hn4yfkJ+U35hfnd+h37Vf2iAj4CrgNeBDYEzgVmBgIGmgbmBzYH4gh2CUoKHgr2C84M1g/iEM4SIhK6Ey4T9hR6FQIVbhXaFiYWcha+FwoXSheuGAoYZhjCGR4Zoho+GnYazhsGGzobjhviHBYcah0yHaIgsiE6IcIi1iNuJA4lciWqJgImViaqJvYnRie6KDIosikyKbIqBio+KpIqyir+KzIrZiueK+4sPiySLOYtdi3GLhIuRi5+Ls4vIi9aL44vxi/+MFIwojD2MUoxfjGyMeYyFjJiMq4y/jNKM840NjSeNO41bjXSNjo2ijc6N7o4PjieOPY5TjmaOd46Njp6OtI7NjuGO8o8JjxqPMY9Lj2WPe4+Rj6aPvI/Kj96P75AAkA6QHJAukE6QdJCCkJ6QvJDKkN6Q75ECkRORIZE7kU+RY5F+kZSRqZHCkdiR7pIIkiSSQJJckniSlJK3ksiS2JLrkwCTDpMhkzKTQ5NQk12TcJOMk6+TvJPVk/GT/5QSlCSUNJRElFKUa5R+lJGUrJTClNiU8ZUHlR2VN5VTlWqVf5WUla2VwJXWleaV/JYNlieWOpZQlmCWdpaHlqCWtJbJluyXBZcflziXTJdgl3qXjpeil8WX3Zf1mGqYsZkFmTmZg5mvmcaZ5Zpamr6bHZtFm7icHZyAnN6dG52EnbWdyp3pnf2eHJ5DnpGey58gn2iffJ+Zn7mfxp/Wn+Sf8qACoBCgHqAwoD6gTqBqoHigjKChoLagyqDdoPKhBaEloVGhZaF9oZWhsqHJofWiCaKvosyjNKNdo2qjpaPVpAekLqRVpMmk1qUgpS2lPqVPpW6lmKXPpgamUaaXptCm+qc/p0ynfKfAp/2oPaiCqJOoxqj6qUmpjqmbqfuqB6oYqkCqdKqwqsGrOqu3q8Sr1awDrD2sjazbrSStMa1vrbmuCa4arn2ujq8ir1Kvma/SsF+wm7D/sUuxerI3smiyaLJ/sqay3bMjs3mz37RVtNu1UbW3ti22lLbqt1C3xrgsuIK46Lk/uYa53LpDurm7H7t2u9y8M7x5vNC9Nr2MvdO+Kb5wvqa+7L9Cv6jAHsCEwNrBQMGWwd3CNMKbwvLDOMOOw9XEDMRTxKvFEsVpxbDGBsZNxoTGzMcjx2rHocfnyB7IRch7yMLJGcmAyffKXsq1yxzLdMu6zBDMdszMzRLNaM2vzefOLs6Gzu3PRM+Mz+PQK9Bh0KjQ/tFE0XvRwdH40h7SVdKc0vPTWtOx0/jUT9SW1M3VFNVr1bLV6NYu1mXWjNbD1wvXYtep1+HYKNhf2IbYvtkF2TzZY9mZ2cDZ19n+2jXafNrT2zrbsdwY3G/c1t0u3XXdzN4z3ore0d8o33Dfpt/s4ELgqOD+4UThmuHh4hjiX+K14vzjM+N547Dj1+QO5FXkrOUT5WrlseYI5k/mh+bP5yfnb+em5+3oJehL6ILoyekg6Wfpnenj6hrqQep56sDq9+se61Tre+uS67nr8Ow37I7s9e1M7ZPt6u4y7mnusO8H707vhe/M8ATwK/Bi8KnxAPFH8X7xxfH98iPyWfKf8tby/fM081vzcvOZ89D0F/Ru9LX07PUz9Wr1kfXI9g/2RvZt9qT2y/bi9wn3QPeH97735fgc+EP4WviB+Lj43/j1+Rv5Mfk5+UH5Sfld+WX5kvmu+cL51vnz+g76KfpO+nj6qfq7+un6/fsY+zT7SPtp+5P7m/uj+6v7s/u7+8P7y/vT+9v74/vr+/P7+/wo/ET8WPxs/Ij8pPzA/OH9C/0//VH9ff2Y/in+Pf5R/ln+Yf6a/rv+3P7c/twAAAABAAAGDACUACUAUQAGAAIAEAAvAJoAAALND4MAAwACeJytWMtyG1UQvU7CI+GxoigqxUKVYuFQsh2HRxVkpcjyg8hSkOyELEcjWZ5ElsTMKIo3LFjzI2z4Cj6ABR/AR7CgWNF9uu9jNJJjDOWydOfevv04fbrvHRlj3je/mOtm7cZNY0yf/mW8Zm7Tk4yvkcwPOr5udsxPOr5hPjW/6fgNUzF/6/hNs752W8dvmR/XHur4bfPx2q86vmk+WPtDx++Ye2t/6vjdYPzeh79f+0TH75svP/rL/ExW7pt7Ztt8RaNDk5jYpGZiMvo/MTnN1WmUmik+I5pJaDQ2m7RSMyP6q5gOzQ3NKa1leBrQ94CkX9JnnyTrtC8jvRE9JfQpOvu0yrJDMyMtEcmzD9v0t0kebZNPD0yXbHxD/w9KOqyGjQUdq21VFiSfwMdM46mUrP8fFhMgwnM50OPZM+x6QXOMMK+cQnYZ9kM8zwh9Kx3T9xk9R+RzAqQ3CaXIPIeVI3NOawMzR7Ze0GoN1iTCh7TCGeNM5ST3tdmiv0x356W9m2ptmWcZvJqStgRZrtA8W8nBjGfwuoJYz+l7BkZIrIKJlea5CeJKSYK9GJgqPfchNwXG55jhiNnOlCQT3RurloE+R9A9RWbPSCrHGu/qwQ+L9QgR8S7rl+zIgHNamjlxMVQvlbcpnvu0J6bnKvCSihC7VWdnMYIEmZoDp5g+l2M210hZOqZoZmBWfyn2vGeE0TrJ36Vv5mBPcVmmXXy4KrZeex+ahjSXgqk5Mhe7HrIsAmu97NeDgAMcicSSw57tTqxfYu3TzByRT1B3F3EvKrBqgLxM9FOikvEMVTPDTvbWZtPqOUV9TS/kqPTNsWbGa7cVkijKzB/2twekJbe3aOUW1bjgzFGMEN/c4VzkdRW5iTDuKxN8nrrmwDTpu42c8squw2WxPtZdz8hc14gR4xRdfxN9dETfjNuQ1tukrUkZksr1nSJzaJXzIdgIbyxHIpwwF9Wr5XnPoTJTlhTj3YPWfVrtKSOnqNkE/qTQceKqv8yVMgZD7D2FRtsrt1AbxX6whdMhPCM2IM0c2qK9nMMedkaoEo5ti9A7oJOkYVqUqQYhafP/2FVgFpxe4q2waaAVOURNjJU/VUTDq4PgNDlF1QyVLbYehJ9TPSHFAvuY01qCk0f4Fim/p8rnsC96NnUVhzlshZZ8T+W4uQdIr7c6q8jvIPDQdxdZmwDRE5VNsZK4XtNDtQ4K50emp2C4255hVoYZVF4VryyL/020GTjynJ7ioO/kF1SydI2wEph1woBtdL4W7U2CDvJ6Tyo0L/yOXAc6AXdy14vZIvc1Pruk9uyNg7VKD8sQk/TpNnAe4knkxcJhCb3ifSvT/IW1mwEHf6KIX5ytE8f++4j96lYvn7dF73raV0aOfavY5pm0pX75yOaaM5+DbAlfpP9LHvw5HcFPviXJzcBXnj1jpDqzIL6IvJrgJu7lU3dfF0bk7hyz/Pf9r9h5uUPL+ZOpxggs6OnZtXiWFxkqN4gMfrKdDeROeCU9/RV8OsFZMlCOcH89w44NvSP2EdUIu051RrJseeDvEAN3/qSIPkX/zV1+Y0TKHizTzr0n17kc3U6YxbnMgmxaezYC8aKn/LRni43KIiGxD90za5ooskU7RZwHkLc3nZeQnC+9i8303mmr5zPtHJNL1MpVKiW859s3rvBdMNTSoj2M7zpJ3NWeK/hkiPGV3hliYMxYp+7WOTbhTbR8DhZPvkVUYuRH7qRT12clE/UlNbKv1StISgWIneX32vDOvfruMzD2nngWcMSiM1Z0/L07VSx9VEVdNteZy/bnwNXeF8cLeBez+7q4/a7wrKmh451idrnei1iToafJWSx9yDJ85u6sEqNU7xlk7D1gjDt+qoyz51ofTEuRi8z1tPNL8L2qrItxMwzfDmJ6Gx7jdJbePyxw3PZefwKIvv+Gc9iJVyOdFk4UkU0we7X6scz5osCci+825XvSRN9oyncof2+YQoPvlf69dwKURfMM1WVZseqslZpI4NFI+9BY8Vx9loV3Qm+pyMNVFkP9/i7lT7pVp6Z0jO9pv3h7ZuzbtX3zsB3A9wqRixShy0Qmb7/Sb2w8tg+dB7weuzflGGes9SX8Laav1Wj74+vr2r+n7tN7C0u2qdcfQZLfCo/MU2JzB2sHNFehN5oOrTyhpx2a3aGZOyTR1fU7yNRTGrPGtjmGLtHRoU/W/cxUoLuCZ356RPIt0sV7G+Y72GiQti4kO9B9SLP8ltVQOd5Rp5ljeubxnuHfzMRei3bxdxP72Bfx9IjmvdWiVwewaD07pKcO6d/X1RrpPoA+9r8KpHjccn7uqqc1YMSaj/BOeEy7alh5TOMOfbbxjih+7Ki3LcSwS+sSSwMeSCbEozp9PybbLLFHfh3BC7Z0pJJVRMjx7GA/W32EWfGsrVnmsdeyqViKH4z/E2e5i/ib+OXBMqTsRwWZbsJqB1loKPaMWtPxqhNgXwcqnB32b4fG7O+ey8Giv1ZbMQfLOGAt7CGKBvBoQrpLfjdI/sDNCOsOwLa6Iig6hd2S+WaAYR254vx9S1YbypwaECpGIXXA/vsoBOeaftaxt40nn+OW5rDuMtoGl8qoPEXFNSBVQz66DoVdVOmhen4c8Mjm8VhZ2HaeFfG11WLlLtMhRJe1Xcwg41mDdvaw69B4vd7Nq/2e9Q9nNlrDeJx9PAd4HMXVs3unKSq2LMmy3A2hE4y0e2VESNGdTrZB2Ma2cEyKc5LW0qHTnbhiW07vgfRCAgkk9Bo6IaR3CBAIpFc66YH0QpI//+7Mmy2z59ifbvaVeW3evHm7V5CJxL//XowsdzCQ9g93ui9HoXsNEy/H/XgFHsAr0T14FV6N1+C1eB2axOvRjXiDsdToRlPGMnQTep/Rg45Gx6D/oP+iaaPX6EPHol8by41+dBxyjBXGAPomPgIfiZ+Hj8JHo/uMdfgYdD8+1jjCOBIfh45HJ6B/GEcZR+PjjWPRicZxxvHo+cYJ6FvGiegB9CB6Dp+Avo1PNDYaJxuD6CRjCG3Ez0cnG7aRwicZGfQEGkRDRtbgeKNxCj4Z7XP9esg4FT2MB/EQtrCNU2gGp9F3ccYYxVnM8TA+Bb/AOM04HZ+K3m+cgW5GtyAb/R6lUNrYamzDL0QZ40z0FPqXsQO/CL8YvwRljbOM3XgE5xBH3zPORt9HsziPfoBHjVfgAh7Dm/BmvMWYMqYNx9hnzKBhdIoxa5SMc4w59AJ0KvqtUUafw6cZFXw6HsdnoBcaNfQLo240jKax3zhgHDQW0SgqGYfwVrwNb8dn4h1oDu/Eu/AEPgvvRmX8UnQO3mO83XgHqhjnoXl0qXE+KqAx9H/uAlaNdxrvQpvQb4x3GwbajBaM9xjvRTV8Nn4Zfjl+BX4lqhsX4L3oXPwq40LjIlzEk2gLOg3907jYuARPGZ9ApxuXGpehcfRD1DCuQPvRATyNmtgxrjauMa41rkNn4H3GDWgrnjFuRNuMm4yb8axxK3oSbUdnGrcZtxt34JJxJz4HHUQ70KJxF3o1nsNlPI8ruIpegxfQIXyu8WVcw3XcwE2837jbuAcfQJcZ96LXolvRTvQM2oUmjPuM+/FBdJbxAHoa/dt4EC+i84yH0G7jYeM7+BB+NXopep3xffQG9Eb8GvR6/FrjR/h1+PX4DfiN+E3GI8ajxmPG48YTaA8623jSeMp42vgFehl6Ofqd8Uv0Wfxm49f4Lfit+G3oFcbv0S+NZ4xnjT8YfzT+ZPzZ+IvxV+Nv+O34HcY/jefQJejj+Dx8Pn4nfhd+N34Pfi9+H34//gD+IP4QvgB/GH8EX4gvwh/FH8MX40vwx/En8KX4Mnw5vgJfia/CV+Nr8LX4Onw9vgF/Et+Ib8I341vwrfg2fDu+A38K34k/je/Cn8GfxZ/Dn8dfwF/EX8Jfxl/BX8Vfw1/H38B343vwN/G9+D58P/4WfgA/iL+NH8IP4+/g7+Lv4e/jH+Af4h/hH+Of4J/in+Gf40fwo/gx/Dh+Aj+Jn8JP41/gX+Jf4V/j3+Df4t/h3+Nn8LP4D/iP+E/4z/gv+K/4b/jv+B/4n/g5/C/8b/wf/H/4vwQRg5gkQZKkjWBCCCWMtJMO0km6yBKylHSTZaSH9JI+spz0kxVkgKwkq8hqsoasNd9nvt/8AFlnftD8kHmB+WHzI+aF5kXmR82PmRebl5gfNz9hXmpeZl5uXmFeaV5F1ptXm9eY15rXmdebN5ifNG80byIbzFvMW83bzNvNO8xPmXeanzbvMj9jfpYcYX7O/Lz5BfQx84vkSPPL5lfMr5pfM79ufsO827zH/KZ5r3mfeb/5LfMB80Hz2+ZD5sPkeagX9aHlqB+tQANoJVqFVqM15nfJUeRocgw5lhxHjicnkBPJ88lJ5iPmo+Zj5uPmE+aT5lPm0+YvzF+avzJ/bf7G/K35O/P35jPms+YfzD+SjeRkMkiGiEVskiJpkiFZ9Hn0F/RX9Dfzn+Zz5r/Mf6NlaClai9ahG1ASXYGORJejr6G3oy7CESbDqAe9GHWgTvRK9Cr0IvQScgp5Aeomp6Lb0O3khSiXSKCvo2+gO9Cn0J3o04kkug5dj76IvoTaUHuCJGiCJdoTHYnORFdiSWJpojuxLNGT6E30JZYn+hMrEgOJlYlVidWJNYm1iXWJ9YkNiSMSRyaelzgqcXTimMSxieMSxydOSJyYeH7ipMTGxMmJwcRQwkrYiVQincgksgmeGE6cknhB4tTECxMvSryYvAglyIvJS8gIyaG3kDz6AiKJMTJKCuhq9HcyRjaRzWRL4gxyGjmdjCfOJGeQrWQb2U7ORG8lO8hOsgt9mEyQsxIvJ7sTr0zsJS9FS9Cz6A/oLrQBvRcdgdajC9CH0AfRNaiIrkQj6AOJIrqY7CFno4+ii9BV5GXowoSDKLqbvJy8gryS7CWvIkUySabINHHIPjJDZkmJnEPmSJnMkwqpkgVyLqmROmmQJtlPDpCDZJEcIq8mryGvJa8jrydvIG8kbyJvJm8hbyVvI28n7yDnkfPJO8m7yLvJe8h7yfvI+8kHyAfJh8gF5MPkI+RCchH5KPkYuZhcQj5OPkEuJZeRy8kV5EpyFbmaXIM+Q64l15HryQ3kk+RGchO5mdxCbiW3kdvJHeRT5E7yaXIX+Qz5LPkc+Tz5Avki+RL5MvkK+Sr5Gvk6+Qa5m9xDvknuJfeR+8m3yAPkQfJt8hB5mHyHfJd8j3yf/ID8kPyI/Jj8hPyU/Iz8nDxCHiWPkcfJE+RJ8hR5mvyC/JL8ivya/Ib8lvyO/J48Q54lfyB/JH8ifyZ/IX8lfyN/J/8g/yTPkX+Rf5P/kP8j/6WIGtSkCZqkbRRTQilltJ120E7aRZfQpbSbLqM9tJf20eW0n66gA3QlXUVX0zV0LV1H19MN9Ah6JH0ePYoeTY+hx9Lj6PH0BHoifT49iW6kJ9NBOkQtatMUTdMMzVJOh+kp9AX0VPpC+iL6YvoSOkJzNE9HaYGO0U10M91CT6On03F6Bt1Kt9Ht9Ey6g+6ku+gEPYvupi+le+jZ9GX05fQV9JV0L30VLdJJOkWnqUP30Rk6S0v0HDpHy3SeVmgVPQ8x9A70NvROdD5dQO+i56I3J1+TfC3ai36F3kRr6Ku0nnwDbdAm3U8P0IN0kR6ir6avoa+lr6Ovp2+gb6Rvom+mb6FvpW+jb6fvoOfR8+k76bvou+l76Hvp++j76QeSlyYvS16evCJ5ZfKq5NXJa5LXJq9LXp+8IfnJ5I3Jm5I3J29J3pq8LXl78o7kp5J3Jj+dvCv5meRnk59Lfj75heQXk19Kfjn5leRXk19Lfj35jeTdyXuS30zem7wveX/yW8kHkg8mv518KPlw8jvJ7ya/l/x+8gfJHyZ/lPxx8ifJnyZ/lvx58pHko8nHko8nn0g+mXwq+TT9IP0QvYB+mH6EXkgvoh+lH6MX00vox+kn6KX0Mno5vYJeSa+iV9Nr6LX0Ono9vYF+kt5Ib6I301vorfQ2eju9g36K3kk/Te+in6GfpZ+jn6dfoF+kX6Jfpl+hX6Vfo1+n36B303voN+m99D56P/0WfYA+SL9NH6IP0+/Q79Lv0e/TH9Af0h/RH9Of0J/Sn9Gf00foo/Qx+jh9gj5Jn6JP01/QX9Jf0V/T39Df0t/R39Nn6LP0D/SP9E/0z/Qv9K/0b/Tv9B/0n/Q5+i/6b/of+n/0vwwxg5kswZKsjWFGGGWMtbMO1sm62BK2lHWzZayH9bI+tpz1sxVsgK1kq9hqtoatZevYeraBHcGOZM9jR7Gj2THsWHYcO56dwE5kz2cnsY3sZDbIhpjFbJZiaZZhWcbZMDuFvYCdyl7IXsRezF7CRliO5dkoK7AxtoltZlvYaex0Ns7OYFvZNradncl2sJ1sF5tgZ7Hd7KVsDzubvYy9nL2CvZLtZa9iRTbJptg0c9g+NsNmWYmdw+ZYmc2zCquyBXYuq7E6a7Am288OsINskR1ir2avYa9lr2OvZ29gb2RvYm9mb2FvZW9jb2fvYOex89k72bvYu9l72HvZ+9j72QfYB9mH2AXsw+wj7EJ2Efto2zNtz7KPsYvZJezj7BNtf2WXtv2dXcYub3uOXcGuZFeh96CfoTx6N3oU/Qg9jn6Kfo5+jH6CHkGPsavZNRhhg13LrmPXsxvYJzFhN2LGbsIduBN34SV4Ke5mN7NbcC/uwyOTNWe/0yGH4lSz4SyR19PVxqRTrh4A0kytuN9ZKq9nq9W54mTVn9Yolaed7pGpUm2qOb+v7BwUcnpDCCUszCQk9oUQvtgwl5DNRpSA9hGfi4zMF6dq1QoZqc5UK85c+0itVJkRqslIQYwd+UBQe96VUZyacioNPDpVdCe6Q61abOCCcAIXBLK7oLtRaOFGQXej0MqNguZGe8E3gRV8jwqBRwXwqCA9wgUxDW8SlnVsCsR1bpqqzs8Xpaz2Tb7Y5ObJYq1jc8BobjkNbxH+sS2+xi2Bxi2gcQto3CI0dpwWUnV6SBUeFzHB48KizvEQKTnuysdbJX2rpG8N0ROFygzb6mkuO/saeJswqnubHu1tLaK9TY/2tlbR3qYnzTbf4W0+V5t7Wau0i1ehsEtchjlrFaFkibj0J0qKEOxOabqJVmvOl4vNBtkGIdwmQ9ixrV4u1mdlHHbAIMOxIxzJnTJDd4YivTOyqE5tvliZnizX23ZOzR4oJne5S4t3CUl015QzXSqXi527wiIn5EJP+N5MBH5PCL8nAr8nIn5PBH5PRP2eCPyeiPg9AX5PSL/bJrzthydkyu6W3u0OvGO7p0tOzamX6ni3UNSxJ0TcoyzBewSxfU+Qo3ukIrxHij5biG4/20/67i0Cs/e0jeXqVHnr+OiSvEAIcPv46Uu2RsFtUXBnFDw7AuKirI/FUH0sRutjMVQfi1p9LIbqY1FP9WKLVC/qqV5slepFPdWL/kIWg7gVYYGKUB+LQX0sSlc6pkL1cSqoj9OyPjqyMDqyMDq6/U4L+x3dfqeV/Y5eGJ2gMPqBbQ/iSBxwxYEyJUPaVvc2Bp6R5XEmtJNmwjtpJiiPs155nA0YacmllZ16HZfk3in52ku+drN0DimBASUwoCQMoOfA9I5zQsrnQso752ZqjlMpuzu5NIXLshyUZTkoh6tn2auecmt2VIoL1XqjVl2YdXBF8lbCldRxK2nFr6RVWUmr+vJUWyxPVV+eaqvlqerpVfWjUg0qSlVUlGpQUaqRilINKko1WlGqQUWpRipKFYJchUpaDVXSGgwyHLVw2avLqNVDS1AP0dvK1cpMPdnwymdDls+GKp+NsJymTIGm70IzcLYpnG0GzjYjzjYDZ5tRZ5uBs82Is01wtgnlsynKZ1PWuAPSpQOhCnnAL58HZPlcDBEX/fK5KMvnYrB3FqF8LkrRh2T5PORvina52zcWy43ukqyk5/iVdCpaHCtRsBoF61HwUARsP7hxvllulBbKi92V5vxe+NtYLs0U+0IIHzngAc3KtFPbu1CsuXvITXZBaD+w1/0vLpOV+ep0cuSkqcW2nOO9niVeN3mveNM53tC5adZpLjSatYpHGRX0Ld5r+xZZtAWi6k04e1YAZ0tUSfCU6u4CNuSlz3560WM/XchvK5TF67x49ZQkt3mX2yWxJl7r3usuD5OccF/YhJLaVtjnvW4WAvNCP95VF8POWQ9Jd85OiQsyekiQO3ZW9zXqpRlPU8fmYm0arskep9b05o0Ls/BWOYweEloLXiQKXn7X6s60h9ni6d3jOdl2msdCdtWl+1ua4lVYNOqH0KtHcx6w1I3StFN3M8ddGRdecnoxAhYqYbBzwp1YLM3Mes72+IAvbcnmyOyl+ahwsnNWON+xveim0eycjIhX9cWKyMz2Lre5u7smHGuf8LFdYrVFAuY27egSCxVA+0JQ0pPXNin8l0s8I6I3I/2fCafQtKCXRAqVghQqiRSSa9R2SKJECpWCFCoFKSRcwXMyhRyRQo5IIUekkCesbUESRQo5IoUaYjG9BWJNP4UckUIiTnhKplBDplBdplBdpdA0pFA9lEKzoRRahBQqy9ypyGFappCIhBNOIZE8i+JVcJIGpFBJpFBJWDTthzBIoUNaCs1FU8iJplAznELNeArNRlNoSkuhOqTQQiiF6iqFSkEKVYMUagYptD+SQjMRaDoMLZGx9YmHIpBIBQX1BCkRQqnU8OcIU33IiWTvQoSzETFELr4PyiRQYLdKBoXoDSWDjwslReBCMwxN+jp27si1jZQXZovJnNMotm0quicqKSzUS+65mzzbRSUKLnrXrHuV3OIeOm71XFgouneS85PTRfOMprm1ab605N5GlbyYm9tLiR2z1badpZn5YmJXsUkmpKjE9tlSIu/+ba+X2oW+RrVSrXeCJgFQV5O4YJ4iSQe5EpgIMbdvm3dmgMljV+frUmBSMDu9WNq5OD9ZLbcVhZuTnpsznptuLSg3isQBZw95znrEhnC25Dk7J5wtS2crTfNgyW1zhEWJ2my1ve65ua9UKZbbxGWi4XrcBI8XXG+n3D8XbKt6xrKS71YpZPGyMCDJzZCjS5tRh/o0WM6ohuLUXvVD014MQu2EQ+2oUM+p8LBDTq260Xvp9F5KlX1OrVStdbjtjX/dOODjuxqzbmusoM59Va8DUkBpfzCnXjroz6m75afiQ45XCPxJLt6fJG2ZrlTnqateXri6xUW7UCwumacVrlyVks/VJ/mEMnkpNElGT428EjrcLqUmdIgLT4d3ATq8S6lDXnk6BJ+nQ/BJHeJS6hCMQod3JSJZby4EMQoAV5gCvBipaxkjHxJS/UmeYAUw12pBne0U1srreocnGK47hSwFOAen3ESerjYnyw51W8ta2ZV2zLzbS7s9rdudLbhr2/DuMSszZffesTg15zS8hnne7TKPlWw1T9T/4mv3ytHsonvrU+lya2TpkJtvxbJbmrtEK+g29m6Nnix3ndusNvzDqGum6bbzzrzT8MxY4kNCW4+UtlcOom1cGUGFKauiFPfmreiqEaSlgHNtEXBvC57VUVyE1g00735RIJaHEAG2H7BF935G3mUKdI8XJ8dzzzdglUAJH72medINhVuyZUMNUY3wrwFkyxk9Iiemw7FQKDnIwEVQYcpAlOKc2yyWBWFFlOD72QeIc5tuY1CqSpXLYtO7p6puydkrXmV8QojDoWPTA0SPREQWVqJ8ywbqjlsLBc6/knPlBtgrBxmQCCockGWKEkQijAnh+1QIwtN7fWTIRx8XCVrAGsjsL9Zd90r1ub3qQqDXx9BR+nIfHQ5Qr48VN+TS8SB/tNuzMMVPWrk7NAokqNQcooU8DmFDUR8IoSOhWBUiaAkeVhDEKTwhKDDSa+FsND7dEheKcwgRzjKJjmx/iQoi2B9ChNDrAjO8natbtSpE1kisWHFrYtkpFbtUULyHT3OkMllfcNehyyvXdcddLffkriUni7ONpPcghIl4eyFITrtTkk7TPcG9l6mm2xBX3BZ6punOqZTIbG1xf6VUTMyVFpLlYq2ULJdqxQ7vZVezNuc2tW3zxUqx0VYpuii84Cpz2yB3qLbVvDPDfV1wnA7xusVtP4oV9w7FOdcpu/c1lRkHN5oztdJc4kC1smSy6VbwRtXdEJ6tXdOl/aW6648IU4cb59L+Ytk1zVkRnBGed85BV5LH2O6eMN69WXmy4V82FnrK1ZnSVLHsxmkHHB2dHtW9mPLCldg2O89Klama4x1FbaIjancb9VnvGU2x7DZmI7Va9UC7qKDikk1XD1TklZfK4mqJd7XDZ+loLowqpqXyerJYdwTcW64ecGrbKk5BHLE5t5+e61O4M92ou7YJZL9A7vKOaclaF+glAr25WN4nwOUCHHPP7zDTimAuiKyHZO70TvgwO9vnxl5Kby4shKT3CjBqbI/naxTVC6iw+cs9XMx6ETLw2b3S7e73J0XMFrJiVss1kQaIy6hRMlDjSt9SAe7wp0hPffKxPjhSmR5XM9V1MG11jC+gRWRMeNcyJUICBd9x/5svELi06RNDyv+X0BgtLrS97t09lz24Q1zKNo2J6+liba5jsuwW6nypNlV2Og7MlhoOXLv7fwauB7wVkWni8u4OmFaKlWhJCSWuRgklXZTSG1EjcX1RDRK5PBypgNUPdEjmGh/p5ti0W+QiRD9pWhDXBinUihqY0ILa49aehleIxtxGVaI6p6uNhjMtAbLPraXOokO9Mlh3L2Tkc6IodpUqonRJqAegkPTVfgS3xGl+3OO0Tn/eSG2q02f0gCBHa1NdodxyoSAM/ixg7BSpM1oqzrv3mp3CAwD6IisJyOXRpQRsr3sI6Lj+STdW1fkYq9C3pbI7pKlH4La7x5cbLLf614rzPcKSCGqZ4DoLFmWHexi07/NuIaa9Syb4vatl4irMJnfHTvfcr8EayeuVck7VO6Gn8+69jRtqSZHat1RywURYegn0BQealxwwKZwvwOceTXV3lzamZgPkerE0XnAbVbESIqQ6XSCBQdZdRV/jnsnipGslvFv6Ol/0EdLhABHdoGBndFUlcoOfT6OgUGM4Isiqw3BsUCHJlcThXZkZd8//3cESrBHWTejbO0wc17e3JK4NiJENHKZOxLa3pC6T9TNkB2BCpveHeYLo9YcZA7Rb9gVqV60k7pd7an5dU6hlXhMSxciTNYRxxQiFUTERlBATxZRVtVSYfk3M7lJjdrTaWNFcGA+vvSIPNBd2RNbflxx4sb0qWrBu32RALAssDLOEEX0QGxEuJXpFIDqC7/ejFEX7eiPoPnC0heg4vt+PXFx0Cyna8eTjw01JCN8f6l3C6FDPEs6PQLqPCgQHK6tk+hhfnMKsmqweHBUPe0T/Wpne7JemPp3kzVuuI4XGXh8bTB/wcRMLEbk9UYIntTeKEjKX+ThVjNfFMBG5A63InvSVrQhCxwZBOVCR1Ii0naUgPCEGT54krdZJQqKkrQPaZqe4fzEidtxjGtDInlBBWNWCMLEgSCs1ktAmKKtbUWDWBo02saCZoiwdhzYyIIspAxpZFACPsKoFwRXukVZqJFkcPMrqVhSYtUGjhS2NMMgIR0yVS7BKZxBnjyCt1kny1BG0NS5NKIC0dm8+A8mr4kSVQ50B6UBlZRiI2NarUTyj+jScsKZHIYO5vgqVxT7gCfImiZnrFUUcU80F3Ym1LenKjy5FFbL8aLgFIiZoVZyopLQr0sTCiuAyEollEbznRX8UI9fkQKUnghZmdSuU0rdWR0RUrWhB9RQOtMD7IZTp0nofrQV6hOan6+pWVJh5RCuaUh+RHdkVviGrW1FhzxzRiqZkCw7lF0yIWe6twDj09aEEXRFHi3l9Iby/ist1pGD1saq3y3vt5tE61u/ddlWDZqw1lzzbqn5Dt8bnOszG1Yjhjevn2sowENu4YYrauGGcv3EFMrpxBUptXB/wVPibbb2i/I+NG6eHN25QBPxoHG7jasTwxh2XOdUfXCozPT9XRNGR/RzgPed6Ihh/446H03KtjohtXJ2qNq6O90MY3TDRY3OtoodpkY0bo4Y2bowW27jBMRyS7W/cGDW0cWO02MYNb3Xdcu/cnlg4bN8yECUHXcvKKCHUs2wQFKVMuBFtFdZEGDTiqggxYmp/jOTH/nBlaUWc5rczsDwxGwX3mgiDRlwVIUYWqz9G8tcwQEfzbEWcJvByZQ7bpQxEyUGPsjJKCHUoR7kUlRyHXfF1rZiCdV/fihxa/SND9MMs8ZoWLP5qrm1BDNYtLP0wi7OmBYu/DmtbEIOIh+Nz2Liva8UURH99K3JoDTaot6F3eJ/OcKbHytWasLzWkM/o2vY7lWY9OV+s1ZfUF4rTjrzdbJYaXVPl5qQPLZkVcxTYPS2fYfkINjXrTM25YuYGaodRxRZci7yHh9N4qlhzqvvwfKnifXC27ky5oljZvRmt7SzNVHClOe/Uqsx7n2jeEyWf1m12DnrHar8E/DgVyuXSQh0eAY0HT35DCHhSJRBniCcZ8AhuXRjl7hB1e5l3Ko2aEyGH7z6BHBY4Xj3kvU+0PoSK3NTClDUh+sSCRuySDwRdwPNzWfBMC6wNYUBdX+ThIETCRy7Wg0c1y7XnkjJG/cETvVwoxH3+A9bQw6IB/7ZcI/SEH4PCQ2RAhbhWuCj/eUsILx++qrWVQGxt5VOv0FIKRGQpwyiITpd8mqriGTwSVNGLPDNV0VPIcPQGivNuJ1cvVqb3+lfy/XnvbdDQ5xJ6PTj47IN8d1fh1OcbBLZTYOHjDwMAiL/wO7M9Chl6S74V35IoT7dO752ulsv6nIVys77Xe5EsPhjglgkwPKlfvp2sf3RhBbzLrH+uoFt/97k/hAihB8LoSADiqFURVITUJ0nap1YkUn97vFcJCC3f6iguaomihT50oVChN+0jqKhxrSxerSEjH/jRaYGaNTop8na+8D8kaEUIEcYPhPFhCcvDBD+QSwU2cH+dgGHN49J7BDnyGYVVEVREZZcgqQ2xTEE+ZnkY0wIbD4BM+ZCjrfaAIPj53u+D0U/hSEf96C8P4BB2rY6NyFgRokayIoT3Iy3djxsafD7LB8MR7wuwoTwPkMEHnGAdIh/jWqMhI/rX60RtsgxR8FGRFQEcrR8hEeFcCUtuqM/7+KhQoTmMfasOb5pUKb+REq6jbh33vmOyF0ZZlb2PqZw036zLO9VysTJ3klu6vTfcuqarjfqQgpYIyFLgUgnaCu4GOKUQyxQirTA9PiajUL0BKqtwfSEcb8HI4/KycbZsCzYesy0TY8rEZWVayMrEZWVjTNk4E9fjldZZ0jGb0nGb0i1sSsdtSsdsSsdtSsdsyugsmZicTFxOJiYnq7NkYyxcy6eUxpDS45OKxScVj0+qRXxS8fikYvFJxeOTisUnpccnFYtPKh6fVCw+KT0+qVh8Unp80hpDWrclHbMlHbclHbMlrduSjtmS1m3JaAwZXUYmJiOjy8hqDFmdwYdl/bGjZFvLF1vPFzuWL3Y8X+wW+WLH88WO5Ysdzxc7li+2ni92LF/seL7YsXyx9XyxY/li6/lia/li6/lix/LFjueLHcsXW88XO5Yvtp4vtpYvtp4vdixfbD1fbC1fbD1fbC1fUlFySotHSo9HKhaPVDweqVg8Uno8UrF4pPR4pLR4pPR4pGLxSOnxSGnxSOnxSGnxSEfJac2GtG5DOmZDWrchrdmQ1m1IazZkouSMNj+jz89o87NRclYj+6DoX6wI0YrWD0urH5ZeP6xY/bDi9cNqUT+seP2wYvXDitcPK1Y/LL1+WLH6YcXrhxWrH5ZeP6xY/bD0+mFp9cPS64cVqx9WvH5Ysfph6fXDitUPS68fllY/LL1+WLH6Yen1w9Lqh6XXD0urH1a0flha/bD0+mHF6ocVrx9WrH5Yev2wYvXD0uuHpdUPS68fVqx+WHr9sLT6Yen1w9LqhxWtH5ZWPyy9flix+mHp9cPS6oel1w9Lqx9WtH5YWv2w9PphafXDitYPS6sfVrR+2BGiHc0HW8sHW88HO5YPdjwf7Fg+2Ho+2LF8sPV8sLV8sPV8sGP5YOv5YGv5YOv5YGv5YEfzwdbywdbzwY7lg63ng63lg63ng63lgx3NB1vLB1vPB1vLBzuaD7aWD3Y0H1IRYirqf0rzP6X7n4r5n9L9T2n+p3T/U5r/qaj/Kc3/lO5/SvM/FfU/pfmfivqfjhDTUd1pTXda153WdKejutOa7nRUdyZCzETnZrS5mejcbISYjRIDSLwRUyyfJL6rIz+qF0F1Bb8GM1+dXiJ+scT7LQJn2gW795Vq9UajWnGmZsW3ezrVt3pdvklPk/yRDw9i4hvm4kr8Mod31R3+TRIPsST4VRHBKX4bRFyJX0fxrqj3SyUCJZ7/eFft8gvzQqf/yyMe1Bcy10dS7zdRvAvvk8/iZ0s8YGnot1g8uAN+pEXIlz+S4l0uCzu4capYF0UumCZQS3xXJej7K8DlutMC2xv1XE703ZegHwMBdqlASKIfDQEuDUIirYzERc5XcRDQgHywFn/stiywHn5LpT/qj0K3yW9si1epIPoVb9/6k6YWl4UBwZwY37KJNCulwcHBYW8cKowU5JjLwDgIowVjCvjUmIcR+Ec4jCMwwvwRNR/k54E/D/Q80PMgNwdyciAnJ/QMDlmKD/B5LvF2BsacHFNpOQ6PSr5R0DMKckdBzijoG1X2gD95sHMU9BQUP9BHgV4YlHoKI3JMSzusIdAzXJB4PibHjAV0JRf0F0B/AeaNgb0FxQd6C6B3DOaNgT4b7BtT8R+DuGVhHILRhjENfGqEOI0A/4jKhxyMMH9EzQf5eeDPAz0P9DzIzYGcHMjJjUp708Ownoof6Plh8CcL66lGWP8U+JtV6wF6R0HPKMgbBf2jyj7wLw92j4K+guJXeQL0whCsK+RTOgvrBnZnbICVHNBXAH0FsGcM7CsoPtBTAD1jMG8M5Ntgz9hwnzuOZLMp9SffcNGQPsGbZQ1mZZalhgZhHILRglFanRqEcVjxpWBMAx3wg2p+BsYsjBzGYeAbBXgE4DzAORgVrPgKMIK9FuizQJ8F9lrKXuC3wE4L7LTAHgvss8AuS9ml5IN+C+yzwK5BxafsVv4rPWDvIMgfBH2DoGcQ5FjKPtA3CPYPqxHmD4OeEcCPwLwc+J8DfA74c8CfB/oo6C0AX0HBhaWwjurHWgDORWHLp8t5Nsi1Ie42yLUh7mmVJ4oOcbEhTmmYn1Z0sBt2bcoG+2yIcxriaYNfaVgXqNopW8GKD+JjQ1xToC8F+lJgb0rZC/wpsBNOgVQK7IHqkUqBXSlll5IP+lNgXwrsSis+ZbfyX+kBe6H6p6BauD00jCAnpewDfWmVHyrOMG8Y+EcAPwL8OfA7B/gc8OeAPw98o2BvAfgKCh5bCusczQvb1mAtj+yMBmc1mGvwcBROj2r0EQ3W8tQei8Ipzd6UZk9K05/S9KfyGqzpTxU0/UPqZ45E3Oxhuc62PBUHbYizDV2JLbuXQVueNtYgH4RxCEYLRhvGFIxpGDMwqvkcxmE5ZmXeD8rT1B0tGEFeFuRlQV4W5GVBXhbkZYcZ/KDLZFli5A6zspk8jDKTB2U/YA3CiWBnC4AHz6DSFuTOtAZz6S7xAYZ5t2dvFGuLyUKzVpUkNSUHQciBsUqFbAndcQTGPNDBiRwEMQf8I+BMDoIzouYBfgTkycWy4Mh2Rxkce2Ssy+2Dg58FENgheYRYFpR61yFS9L6u31xoF6P4hBETl943v+SV92UveTVZbcwymDBd6fSvJuuOkJuGVEhDKqTdVHCp3vexAU7DmIEx2wbUhRCXTESXOgZjAcZRUt4XlpaDcQTGYVJrhOWAtmHQJguPO3IYh2GE+cMgbzgP4yiMoH94jJQb4gvkbeKVTM/JUVDzY3hKfslZgAUwXvbk7gihGYXQyB7OHcE42FXpUXB+FIwfA3hMwcA/Bvx5MDIPRufBqXyhvbrgVOTvTbBSZX9wFTZzFHwfBd8LYG5BmQtiR0HNKMRiFNzLgzmyRbZysolyRwVzGJVZEPsc6IG8T48U4JvJNWeqAShQOTLGJGmyehAwahLEUp4grhJwZgRiNgIxg02WHoGYweZKw+ZJj6h5KgjAVwC+AvAVgK8AfGPgxBjYMwb2jMHajik+COIYeDRWII1aqTjTXIAgZCQ8XYEgqeCAnBzYk1NrDfoKILcA+ALIrTXkWN4H88COPMQDilM6pxYDFjUP9ucUH/idU4sN9hSAXgD+gsKrXIV5YzBvDOI2BvoysB5p8CsN89Lgdwbmp8GvNMxPg99Qx9MZ0JtR88CutJIPdBvoQ2CvBXoHwe8hsDMF8i2AhxQM9gyCPRbgUyAno+xX+kFPCvhTIC8L62CDXUMwDgJ9EOTCSZbOgn2DSj/Mz0I8BkHfINiRBT4b+IYUv/JH+Q16U0C31KjwINcC+22AbQWDfzbYkVKjWg+wOwP8GeU/rEMW+LIgJ6viCeuagvlwsqctwA/B/EGAB5U8iH9W4SF+g2AXdArpQeAbBBg6iXRW+QV0KFrpIcWv/AX5luJT9oI8C+y2AbYVDP7ZsD4pNYKcDOhLg7y0ooN/NtDh+E6rOjek8hfwKeCzVdwUH8izwA9oEtIZtf9g/dNqfwKcAf602h9q/yh7lH1At0DukFp30J8B/+Wdi5UZGsb7nPli2Ul6L23iqwNJ7xsDbeKLAgS+HyCYs7BJsmDsECTxECT/ENCH1MkDTuYgaXKwWDnYDDkwMgcnV06dXFAUcnBC5aBY5qA45KAI5CCoOVjsHDibyyv56jACOyCJcnmYN6ToIB+KSQ42W25I2a38AXsg2DlL6QG7hgod8JFD7+OHAsdhY3AoKBw2PIdCwaHgcPCNwwJyKBQcCjeHws8hATic+nwYRrCBwwbn0PTwERih8PE8jFzpBTsgUTlsdA5NDYcDj8MBwaE54tDBcVgrDjnB4cDmcMBzKMwc1pZz5XcO9MMIhZJDYeZwYHM4MDlsDA7dEYcOkcMacNgoHBoCDg0Eh8LKISc4V3phHeAA4FAIOTQMHA58DgcXhyaRD8MIucXh4ONw8HJogDgUYA4HNedq3dMwjoIdMEJB51AAOTQoHBoNDgcwh+6PQ0fMIVc5FHgODQiHlo3DwcehOeVc6QU74EDhUIA5NLccGg8OBymHJphDJ89h73I46Dk0IhwaPQ4HF4e9y7nyexj0wwiFmMOByaFh4dDwcCjAfBRGuFPgUAM4NCgcGkMOjSSHws6hCedc6YV9CAcBhwOPQ+PIoQvm0OBwuFngwzBCjeBQSDl05xwaYQ6NC4fGkHO17y0YMzAWwB4Y4YDi0GjwMRihIeRQsDl0/RzuhDjUPg4HPS/ACHelHA5wnoeRK71gBxyQHA5mDjc1PAcjNHAcbo443MFxqIkcGkhegBEafA4HMYfazrnyewT0wwiNC4dGikODyuHunEPDyeHuiMMdIofaz+Fg43BDwOEGgkMjxKHWc670wjpA48Sh8eFww8DhqQGHxpHDTSIfhhHONA4HMofGm8MNEIeDmUMDz7la9xSMebADRmhkODRMHG5QODyV4NCIcLj743BHzOFM5dCAc7gB4SMwQgPH4WaUc6UX7IAGi0PDxuHmlsMNCYcbAQ43wRyeBHA4wzk02hxuNDjc6HFopHgeRq785qAfRmikODTYHG5IONwIcWiA+CiM8KSAwxnMoVHjcGPI4UaSQ+PFoXfgXOmFcxhuQDg0wBxuHDncBXO48eHwsIAPwwhnPocbHA535xyeNnFoEDncMHL5SG7QzsKjPFlfBy14hGfBI1QL3oCy4RG/DY/8bXjUb8OjfRve4rDheZENbyHY8NaBDW+52PAWiA1vUdjwloVt8U7QI96JBSAbBnJhwAoD+TCQCQMjYSAVAoaktA7/PeCpxe7QtSD+PzXnEgl4nG2KaVOSYRSG3xcEyczMCnlluUFBhCcU4QkEocilRSpEfJAHbLOF9oX2/a2ZZvyi4ww/wy/Qp/oRfOgXnWAGm2qcM3Of61znztDXU4Qv6Sr0NOFzivApWcfHJOHDLOF9MoF3CcLbmTrezBBexwiv4rt4GSe8OEl4HkmjFtHxLEJ4GiU84YTH4RoehQkPwy08mCbcnyLcm2rh7mQd1UnCnUkdt0M6boUIN9t7I1TEjRBw/QThGiviKiNcYTWsBwiVIKEc1CEDUyhNENb8LRT9BOEjrI4TCr40Vrw68l7CsreInJfjsteNS2OEi6N1ZEcJSx7CBU8O5z0hnPO4cNZNWHRzLLgI86DML8xBxxknIeMgnHboSKeqSCWXMJusYSZWRzzGwaM5RCOLmA7nwAIcwYCOgNOurU/Yh+DXRrT18ZZP+Ext8GqEMe0YRj06PFaC22YFdl3CNUxwVh3C0XZ2rmkVW8q6URnp0HCHjmsL1rXyUT4kjvBBMSQH5SHeL0y8R/TLHnk4MSAO8j7Ry81C5YoYkH3SLBV5gFuEkRuERRrkoGLMZEzqT3VHWWXZH720km1YlisNdbPhK3Qyky83zJsNRZQrpaaqbstvW1uKcy7b2CmUvhuVNsqmwTCfLzV7jNtyTmEKY0zpDuvyXqp/Tfet7rU7xP7xXWJ/7v/UPnLfFrP9BvOls3wAAA==") format("woff2");}</style>
+    
+  </defs>
+  <rect x="0" y="0" width="1633.4806151945463" height="1358.8828750693292" fill="transparent"/><g transform="translate(94.73667582606367 84.71406710150609) rotate(0 21.25 21.25)"><use href="#image-60b076cb044084e59e74d2b41f84159dcede0ddd" width="43" height="43" opacity="1" transform="scale(-1, 1) translate(-43 0)"/></g><g stroke-linecap="round" transform="translate(30 69.77631746693834) rotate(0 334.9749444471014 172.1678716953175)"><path d="M32 0 C195.24 0, 358.48 0, 637.95 0 M32 0 C238.38 0, 444.77 0, 637.95 0 M637.95 0 C659.28 0, 669.95 10.67, 669.95 32 M637.95 0 C659.28 0, 669.95 10.67, 669.95 32 M669.95 32 C669.95 130.12, 669.95 228.25, 669.95 312.34 M669.95 32 C669.95 98.26, 669.95 164.51, 669.95 312.34 M669.95 312.34 C669.95 333.67, 659.28 344.34, 637.95 344.34 M669.95 312.34 C669.95 333.67, 659.28 344.34, 637.95 344.34 M637.95 344.34 C492.88 344.34, 347.81 344.34, 32 344.34 M637.95 344.34 C439.81 344.34, 241.68 344.34, 32 344.34 M32 344.34 C10.67 344.34, 0 333.67, 0 312.34 M32 344.34 C10.67 344.34, 0 333.67, 0 312.34 M0 312.34 C0 239.31, 0 166.28, 0 32 M0 312.34 C0 203.51, 0 94.69, 0 32 M0 32 C0 10.67, 10.67 0, 32 0 M0 32 C0 10.67, 10.67 0, 32 0" stroke="#1e1e1e" stroke-width="2" fill="none"/></g><g transform="translate(64.5746303726387 133.31927113728705) rotate(0 54.658203125 11.5)"><text x="0" y="0" font-family="Helvetica, Segoe UI Emoji" font-size="20px" fill="#1e1e1e" text-anchor="start" style="white-space: pre;" direction="ltr" dominant-baseline="text-before-edge">Your Cluster</text></g><g stroke-linecap="round" transform="translate(822.6763960763117 30) rotate(0 361.6726597977748 213.99999999999994)"><path d="M32 0 C272.29 -1.04, 511.14 0.18, 691.35 0 M691.35 0 C711.06 -0.11, 723.75 8.74, 723.35 32 M723.35 32 C725.54 128.12, 726.21 222.56, 723.35 396 M723.35 396 C724.23 417.82, 712.72 427.36, 691.35 428 M691.35 428 C441.96 430.16, 193.5 430.18, 32 428 M32 428 C11.83 427.23, 1.12 418.46, 0 396 M0 396 C-1.08 292.91, 0.53 188.53, 0 32 M0 32 C1.41 11.73, 9.07 -1.6, 32 0" stroke="#1e1e1e" stroke-width="2.5" fill="none" stroke-dasharray="8 10"/></g><g transform="translate(184.66894723677888 214.693142905343) rotate(0 12 12)"><use href="#image-1eb35412189527b20624c29b9912c61108c16757" width="24" height="24" opacity="1"/></g><g transform="translate(95.64941598677888 245.173611655343) rotate(0 102.2900390625 11.5)"><text x="0" y="0" font-family="Helvetica, Segoe UI Emoji" font-size="20px" fill="#1e1e1e" text-anchor="start" style="white-space: pre;" direction="ltr" dominant-baseline="text-before-edge">Lapdev-Kube-Manager</text></g><g stroke-linecap="round" transform="translate(63.66894723677888 198.443142905343) rotate(0 134.25 44.25000000000001)"><path d="M22.13 0 C87.53 3.55, 153.51 1.79, 246.38 0 M246.38 0 C261.86 0.99, 267.28 8.26, 268.5 22.13 M268.5 22.13 C270.05 37.67, 269.7 48.93, 268.5 66.38 M268.5 66.38 C269.96 79.63, 262.65 89.66, 246.38 88.5 M246.38 88.5 C187.47 89.95, 127.9 88.77, 22.13 88.5 M22.13 88.5 C9.35 90.12, 1.89 82.53, 0 66.38 M0 66.38 C1.61 49.92, 1.69 36.03, 0 22.13 M0 22.13 C-1.32 6.83, 7.38 -0.97, 22.13 0" stroke="#1e1e1e" stroke-width="2.5" fill="none" stroke-dasharray="8 10"/></g><g stroke-linecap="round" transform="translate(412.20355722480326 213.3377450141473) rotate(0 120.17265979777471 28)"><path d="M14 0 C56.51 -1.9, 101.11 -0.97, 226.35 0 M226.35 0 C234.46 0.89, 240.83 4.7, 240.35 14 M240.35 14 C241.75 19.6, 242.03 27.51, 240.35 42 M240.35 42 C241.87 52.5, 234.91 57.12, 226.35 56 M226.35 56 C149.56 55.57, 76.83 57.82, 14 56 M14 56 C6.56 57.41, 1.06 49.73, 0 42 M0 42 C1.16 36.73, -1.5 29.12, 0 14 M0 14 C0.01 3.7, 5.41 -1.89, 14 0" stroke="#1e1e1e" stroke-width="2.5" fill="none" stroke-dasharray="8 10"/></g><g transform="translate(440.652584210078 229.8377450141473) rotate(0 91.7236328125 11.5)"><text x="91.7236328125" y="0" font-family="Helvetica, Segoe UI Emoji" font-size="20px" fill="#1e1e1e" text-anchor="middle" style="white-space: pre;" direction="ltr" dominant-baseline="text-before-edge">Lapdev Environment</text></g><g stroke-linecap="round" transform="translate(412.74859338938495 308.33272763840665) rotate(0 120.17265979777471 28)"><path d="M14 0 C75.82 -0.14, 140.22 -0.89, 226.35 0 M226.35 0 C235.04 1.54, 241.53 5.86, 240.35 14 M240.35 14 C242.08 20.9, 239.78 26.59, 240.35 42 M240.35 42 C241.47 51.07, 236.1 54.69, 226.35 56 M226.35 56 C174.31 58.75, 119.87 56.11, 14 56 M14 56 C3.07 57.26, -0.84 52.67, 0 42 M0 42 C0.19 31.38, 0.93 20.81, 0 14 M0 14 C-1 4.16, 6.21 0.29, 14 0" stroke="#1e1e1e" stroke-width="2.5" fill="none" stroke-dasharray="8 10"/></g><g transform="translate(441.19762037465966 324.83272763840665) rotate(0 91.7236328125 11.5)"><text x="91.7236328125" y="0" font-family="Helvetica, Segoe UI Emoji" font-size="20px" fill="#1e1e1e" text-anchor="middle" style="white-space: pre;" direction="ltr" dominant-baseline="text-before-edge">Lapdev Environment</text></g><g transform="translate(861.620046554988 53.10539171566671) rotate(0 91.7236328125 11.5)"><text x="0" y="0" font-family="Helvetica, Segoe UI Emoji" font-size="20px" fill="#1e1e1e" text-anchor="start" style="white-space: pre;" direction="ltr" dominant-baseline="text-before-edge">Lapdev Environment</text></g><g stroke-linecap="round" transform="translate(1153.7127387684227 741.6608922245682) rotate(0 224.8839382130618 203.0313306726262)"><path d="M32 0 C122.39 0, 212.79 0, 417.77 0 M32 0 C127.32 0, 222.65 0, 417.77 0 M417.77 0 C439.1 0, 449.77 10.67, 449.77 32 M417.77 0 C439.1 0, 449.77 10.67, 449.77 32 M449.77 32 C449.77 119.46, 449.77 206.92, 449.77 374.06 M449.77 32 C449.77 168.67, 449.77 305.33, 449.77 374.06 M449.77 374.06 C449.77 395.4, 439.1 406.06, 417.77 406.06 M449.77 374.06 C449.77 395.4, 439.1 406.06, 417.77 406.06 M417.77 406.06 C278.2 406.06, 138.63 406.06, 32 406.06 M417.77 406.06 C317.63 406.06, 217.49 406.06, 32 406.06 M32 406.06 C10.67 406.06, 0 395.4, 0 374.06 M32 406.06 C10.67 406.06, 0 395.4, 0 374.06 M0 374.06 C0 264.69, 0 155.31, 0 32 M0 374.06 C0 281.41, 0 188.76, 0 32 M0 32 C0 10.67, 10.67 0, 32 0 M0 32 C0 10.67, 10.67 0, 32 0" stroke="#1e1e1e" stroke-width="2" fill="none"/></g><g stroke-linecap="round" transform="translate(1229.6743577381158 793.1710551358594) rotate(0 146.01321495687375 143.0132149568737)"><path d="M292.03 143.01 C292.03 146.75, 291.88 150.51, 291.58 154.23 C291.28 157.96, 290.83 161.69, 290.23 165.39 C289.63 169.08, 288.88 172.76, 287.99 176.4 C287.1 180.04, 286.06 183.65, 284.88 187.21 C283.7 190.76, 282.37 194.29, 280.91 197.74 C279.45 201.2, 277.85 204.61, 276.11 207.94 C274.38 211.27, 272.51 214.55, 270.51 217.74 C268.51 220.93, 266.38 224.05, 264.14 227.07 C261.9 230.1, 259.52 233.05, 257.04 235.89 C254.56 238.74, 251.96 241.49, 249.26 244.14 C246.56 246.78, 243.74 249.33, 240.84 251.76 C237.94 254.19, 234.93 256.51, 231.84 258.71 C228.75 260.91, 225.56 263, 222.3 264.95 C219.05 266.91, 215.7 268.74, 212.3 270.44 C208.9 272.14, 205.42 273.71, 201.89 275.14 C198.36 276.57, 194.77 277.87, 191.13 279.03 C187.5 280.18, 183.81 281.2, 180.1 282.07 C176.39 282.95, 172.63 283.68, 168.85 284.27 C165.08 284.85, 161.28 285.29, 157.47 285.59 C153.66 285.88, 149.83 286.03, 146.01 286.03 C142.19 286.03, 138.36 285.88, 134.56 285.59 C130.75 285.29, 126.94 284.85, 123.17 284.27 C119.4 283.68, 115.64 282.95, 111.93 282.07 C108.21 281.2, 104.52 280.18, 100.89 279.03 C97.26 277.87, 93.66 276.57, 90.14 275.14 C86.61 273.71, 83.13 272.14, 79.72 270.44 C76.32 268.74, 72.98 266.91, 69.72 264.95 C66.47 263, 63.28 260.91, 60.19 258.71 C57.1 256.51, 54.09 254.19, 51.19 251.76 C48.28 249.33, 45.47 246.78, 42.77 244.14 C40.07 241.49, 37.46 238.74, 34.98 235.89 C32.5 233.05, 30.13 230.1, 27.89 227.07 C25.64 224.05, 23.51 220.93, 21.52 217.74 C19.52 214.55, 17.65 211.27, 15.91 207.94 C14.18 204.61, 12.58 201.2, 11.11 197.74 C9.65 194.29, 8.33 190.76, 7.15 187.21 C5.97 183.65, 4.93 180.04, 4.03 176.4 C3.14 172.76, 2.4 169.08, 1.8 165.39 C1.2 161.69, 0.75 157.96, 0.45 154.23 C0.15 150.51, 0 146.75, 0 143.01 C0 139.27, 0.15 135.52, 0.45 131.79 C0.75 128.06, 1.2 124.34, 1.8 120.64 C2.4 116.95, 3.14 113.26, 4.03 109.63 C4.93 105.99, 5.97 102.38, 7.15 98.82 C8.33 95.26, 9.65 91.74, 11.11 88.28 C12.58 84.83, 14.18 81.42, 15.91 78.09 C17.65 74.75, 19.52 71.48, 21.52 68.29 C23.51 65.1, 25.64 61.98, 27.89 58.95 C30.13 55.93, 32.5 52.98, 34.98 50.13 C37.46 47.29, 40.07 44.53, 42.77 41.89 C45.47 39.24, 48.28 36.69, 51.19 34.27 C54.09 31.84, 57.1 29.51, 60.19 27.31 C63.28 25.11, 66.47 23.03, 69.72 21.07 C72.98 19.12, 76.32 17.29, 79.72 15.59 C83.13 13.89, 86.61 12.32, 90.14 10.89 C93.66 9.45, 97.26 8.16, 100.89 7 C104.52 5.84, 108.21 4.82, 111.93 3.95 C115.64 3.08, 119.4 2.35, 123.17 1.76 C126.94 1.18, 130.75 0.73, 134.56 0.44 C138.36 0.15, 142.19 0, 146.01 0 C149.83 0, 153.66 0.15, 157.47 0.44 C161.28 0.73, 165.08 1.18, 168.85 1.76 C172.63 2.35, 176.39 3.08, 180.1 3.95 C183.81 4.82, 187.5 5.84, 191.13 7 C194.77 8.16, 198.36 9.45, 201.89 10.89 C205.42 12.32, 208.9 13.89, 212.3 15.59 C215.7 17.29, 219.05 19.12, 222.3 21.07 C225.56 23.03, 228.75 25.11, 231.84 27.31 C234.93 29.51, 237.94 31.84, 240.84 34.27 C243.74 36.69, 246.56 39.24, 249.26 41.89 C251.96 44.53, 254.56 47.29, 257.04 50.13 C259.52 52.98, 261.9 55.93, 264.14 58.95 C266.38 61.98, 268.51 65.1, 270.51 68.29 C272.51 71.48, 274.38 74.75, 276.11 78.09 C277.85 81.42, 279.45 84.83, 280.91 88.28 C282.37 91.74, 283.7 95.26, 284.88 98.82 C286.06 102.38, 287.1 105.99, 287.99 109.63 C288.88 113.26, 289.63 116.95, 290.23 120.64 C290.83 124.34, 291.28 128.06, 291.58 131.79 C291.88 135.52, 292.03 139.27, 292.03 143.01" stroke="#1e1e1e" stroke-width="2" fill="none"/></g><g transform="translate(1363.2861290624915 842.6194828433968) rotate(0 12 12)"><use href="#image-1eb35412189527b20624c29b9912c61108c16757" width="24" height="24" opacity="1"/></g><g transform="translate(1279.3023777939206 876.0547923638534) rotate(0 97.83203125 11.5)"><text x="0" y="0" font-family="Helvetica, Segoe UI Emoji" font-size="20px" fill="#1e1e1e" text-anchor="start" style="white-space: pre;" direction="ltr" dominant-baseline="text-before-edge">Lapdev Sidecar Proxy</text></g><g transform="translate(1293.006441447732 1097.144866151134) rotate(0 83.203125 11.5)"><text x="0" y="0" font-family="Helvetica, Segoe UI Emoji" font-size="20px" fill="#1e1e1e" text-anchor="start" style="white-space: pre;" direction="ltr" dominant-baseline="text-before-edge">App Workload Pod</text></g><g transform="translate(1365.1589143904998 982.367413326095) rotate(0 12 12)"><use href="#image-1eb35412189527b20624c29b9912c61108c16757" width="24" height="24" opacity="1"/></g><g transform="translate(1311.7501210798864 1013.6974850496069) rotate(0 63.9306640625 11.5)"><text x="0" y="0" font-family="Helvetica, Segoe UI Emoji" font-size="20px" fill="#1e1e1e" text-anchor="start" style="white-space: pre;" direction="ltr" dominant-baseline="text-before-edge">App Container</text></g><g stroke-linecap="round"><g transform="translate(1377.0931021584438 910.0547923638535) rotate(0 -0.3314019576998817 30.137119965967315)"><path d="M0 0 C-0.11 10.05, -0.55 50.23, -0.66 60.27" stroke="#1e1e1e" stroke-width="2.5" fill="none" stroke-dasharray="1.5 8"/></g><g transform="translate(1377.0931021584438 910.0547923638535) rotate(0 -0.3314019576998817 30.137119965967315)"><path d="M-0.66 60.27 L-6.85 46.61 L5.83 46.75 L-0.66 60.27" stroke="none" stroke-width="0" fill="#1e1e1e" fill-rule="evenodd"/><path d="M-0.66 60.27 C-2.26 56.75, -3.86 53.23, -6.85 46.61 M-6.85 46.61 C-2.4 46.66, 2.06 46.71, 5.83 46.75 M5.83 46.75 C3.3 52.01, 0.78 57.26, -0.66 60.27 M-0.66 60.27 C-0.66 60.27, -0.66 60.27, -0.66 60.27" stroke="#1e1e1e" stroke-width="2.5" fill="none"/></g></g><mask/><g transform="translate(762.825702400266 1271.9668109169886) rotate(0 12 11.999999999999943)"><use href="#image-1fc42860614cb7357b66c1964aa081366cd82698" width="24" height="24" opacity="1"/></g><g transform="translate(739.9628287156224 1305.8828750693292) rotate(0 33.90625 11.5)"><text x="0" y="0" font-family="Helvetica, Segoe UI Emoji" font-size="20px" fill="#1e1e1e" text-anchor="start" style="white-space: pre;" direction="ltr" dominant-baseline="text-before-edge">Devbox</text></g><g stroke-linecap="round"><g transform="translate(1266.0240951265669 882.0133829717063) rotate(0 -174.17597771389956 0.2591883485791868)"><path d="M0 0 C-58.06 0.09, -290.29 0.43, -348.35 0.52" stroke="#1e1e1e" stroke-width="2.5" fill="none" stroke-dasharray="1.5 8"/></g><g transform="translate(1266.0240951265669 882.0133829717063) rotate(0 -174.17597771389956 0.2591883485791868)"><path d="M-348.35 0.52 L-334.77 -5.84 L-334.75 6.84 L-348.35 0.52" stroke="none" stroke-width="0" fill="#1e1e1e" fill-rule="evenodd"/><path d="M-348.35 0.52 C-344.56 -1.26, -340.77 -3.03, -334.77 -5.84 M-334.77 -5.84 C-334.76 -3.17, -334.76 -0.5, -334.75 6.84 M-334.75 6.84 C-338.6 5.05, -342.46 3.25, -348.35 0.52 M-348.35 0.52 C-348.35 0.52, -348.35 0.52, -348.35 0.52" stroke="#1e1e1e" stroke-width="2.5" fill="none"/></g></g><mask/><g transform="translate(801.9302599083192 1114.4673172919167) rotate(0 157.275390625 11.5)"><text x="0" y="0" font-family="Helvetica, Segoe UI Emoji" font-size="20px" fill="#1e1e1e" text-anchor="start" style="white-space: pre;" direction="ltr" dominant-baseline="text-before-edge">Devbox intercept traffic from cluster</text></g><g stroke-linecap="round"><g transform="translate(1365.0845836072704 715.3391001530583) rotate(0 -0.978305228718682 -152.78044856074723)"><path d="M0 0 C-0.33 -50.93, -1.63 -254.63, -1.96 -305.56 M0 0 C-0.33 -50.93, -1.63 -254.63, -1.96 -305.56" stroke="#1e1e1e" stroke-width="2" fill="none"/></g><g transform="translate(1365.0845836072704 715.3391001530583) rotate(0 -0.978305228718682 -152.78044856074723)"><path d="M0 0 L-6.43 -13.55 L6.25 -13.63 L0 0" stroke="none" stroke-width="0" fill="#1e1e1e" fill-rule="evenodd"/><path d="M0 0 C-1.71 -3.61, -3.42 -7.21, -6.43 -13.55 M0 0 C-1.32 -2.78, -2.64 -5.57, -6.43 -13.55 M-6.43 -13.55 C-1.99 -13.58, 2.45 -13.61, 6.25 -13.63 M-6.43 -13.55 C-2.86 -13.58, 0.71 -13.6, 6.25 -13.63 M6.25 -13.63 C4.97 -10.83, 3.68 -8.03, 0 0 M6.25 -13.63 C4.4 -9.59, 2.55 -5.55, 0 0 M0 0 C0 0, 0 0, 0 0 M0 0 C0 0, 0 0, 0 0" stroke="#1e1e1e" stroke-width="2" fill="none"/></g></g><mask/><g stroke-linecap="round" transform="translate(412.1972631545905 116.70914469981648) rotate(0 120.17265979777471 28)"><path d="M14 0 C85.08 2.92, 157.33 2.55, 226.35 0 M226.35 0 C233.85 -0.36, 239.63 3.66, 240.35 14 M240.35 14 C238.7 25.07, 239.35 35.24, 240.35 42 M240.35 42 C240.51 51.02, 235.58 57.46, 226.35 56 M226.35 56 C170.66 58.03, 113.23 57.11, 14 56 M14 56 C4.76 57.92, 1.25 52.71, 0 42 M0 42 C-0.86 34.47, -1.04 27.99, 0 14 M0 14 C-1.91 4.22, 3.47 -0.38, 14 0" stroke="#1e1e1e" stroke-width="2.5" fill="none" stroke-dasharray="8 10"/></g><g transform="translate(440.6462901398652 133.20914469981648) rotate(0 91.7236328125 11.5)"><text x="91.7236328125" y="0" font-family="Helvetica, Segoe UI Emoji" font-size="20px" fill="#1e1e1e" text-anchor="middle" style="white-space: pre;" direction="ltr" dominant-baseline="text-before-edge">Lapdev Environment</text></g><g transform="translate(992.5419757380816 202.10955883534342) rotate(0 12 12)"><use href="#image-1eb35412189527b20624c29b9912c61108c16757" width="24" height="24" opacity="1"/></g><g transform="translate(907.9725692545251 236.9135221174427) rotate(0 97.83203125 11.5)"><text x="0" y="0" font-family="Helvetica, Segoe UI Emoji" font-size="20px" fill="#1e1e1e" text-anchor="start" style="white-space: pre;" direction="ltr" dominant-baseline="text-before-edge">Lapdev Devbox Proxy</text></g><g stroke-linecap="round" transform="translate(868.4605007701839 175.86560541773775) rotate(0 140.09160121428226 55.18368428660908)"><path d="M27.59 0 C79.83 0, 132.06 0, 252.59 0 M27.59 0 C80.18 0, 132.76 0, 252.59 0 M252.59 0 C270.99 0, 280.18 9.2, 280.18 27.59 M252.59 0 C270.99 0, 280.18 9.2, 280.18 27.59 M280.18 27.59 C280.18 39.21, 280.18 50.84, 280.18 82.78 M280.18 27.59 C280.18 46.97, 280.18 66.35, 280.18 82.78 M280.18 82.78 C280.18 101.17, 270.99 110.37, 252.59 110.37 M280.18 82.78 C280.18 101.17, 270.99 110.37, 252.59 110.37 M252.59 110.37 C184.6 110.37, 116.62 110.37, 27.59 110.37 M252.59 110.37 C197.5 110.37, 142.4 110.37, 27.59 110.37 M27.59 110.37 C9.2 110.37, 0 101.17, 0 82.78 M27.59 110.37 C9.2 110.37, 0 101.17, 0 82.78 M0 82.78 C0 65.94, 0 49.1, 0 27.59 M0 82.78 C0 70.25, 0 57.71, 0 27.59 M0 27.59 C0 9.2, 9.2 0, 27.59 0 M0 27.59 C0 9.2, 9.2 0, 27.59 0" stroke="#1e1e1e" stroke-width="2" fill="none"/></g><g stroke-linecap="round"><g transform="translate(799.640157252243 246.70532180349062) rotate(0 -67.47741615196821 0.13501618074694122)"><path d="M0 0 C-22.49 0.05, -112.46 0.23, -134.95 0.27 M0 0 C-22.49 0.05, -112.46 0.23, -134.95 0.27" stroke="#1e1e1e" stroke-width="2" fill="none"/></g><g transform="translate(799.640157252243 246.70532180349062) rotate(0 -67.47741615196821 0.13501618074694122)"><path d="M0 0 L-13.58 6.37 L-13.61 -6.31 L0 0" stroke="none" stroke-width="0" fill="#1e1e1e" fill-rule="evenodd"/><path d="M0 0 C-4.7 2.2, -9.4 4.41, -13.58 6.37 M0 0 C-4.67 2.19, -9.33 4.38, -13.58 6.37 M-13.58 6.37 C-13.59 1.61, -13.6 -3.14, -13.61 -6.31 M-13.58 6.37 C-13.59 1.6, -13.6 -3.17, -13.61 -6.31 M-13.61 -6.31 C-9.12 -4.23, -4.63 -2.15, 0 0 M-13.61 -6.31 C-8.89 -4.13, -4.18 -1.94, 0 0 M0 0 C0 0, 0 0, 0 0 M0 0 C0 0, 0 0, 0 0" stroke="#1e1e1e" stroke-width="2" fill="none"/></g></g><mask/><g transform="translate(604.2432597513866 699.4178759126715) rotate(0 160.33333333333348 160.33333333333343)"><use href="#image-cd5a510c10be4b13edac83ff2c63d62659dd7515" width="321" height="321" opacity="1"/></g><g transform="translate(748.7405153675431 834.4584974469199) rotate(0 15.836077717177318 15.836077717177261)"><use href="#image-04f28670dff6fd1042c3404f1cdf3fc1d3e0ce96" width="32" height="32" opacity="1"/></g><g transform="translate(733.0195895043023 880.03537105786) rotate(0 32.8076171875 11.5)"><text x="0" y="0" font-family="Helvetica, Segoe UI Emoji" font-size="20px" fill="#1e1e1e" text-anchor="start" style="white-space: pre;" direction="ltr" dominant-baseline="text-before-edge">Lapdev</text></g><g stroke-linecap="round"><g transform="translate(758.5080242917875 1246.7977295380715) rotate(0 -0.6869939868970505 -144.11842275030108)"><path d="M0 0 C-0.23 -48.04, -1.14 -240.2, -1.37 -288.24" stroke="#1e1e1e" stroke-width="2.5" fill="none" stroke-dasharray="1.5 8"/></g><g transform="translate(758.5080242917875 1246.7977295380715) rotate(0 -0.6869939868970505 -144.11842275030108)"><path d="M-1.37 -288.24 L5.03 -274.67 L-7.65 -274.61 L-1.37 -288.24" stroke="none" stroke-width="0" fill="#1e1e1e" fill-rule="evenodd"/><path d="M-1.37 -288.24 C0.53 -284.2, 2.44 -280.17, 5.03 -274.67 M5.03 -274.67 C0.78 -274.65, -3.46 -274.63, -7.65 -274.61 M-7.65 -274.61 C-6.21 -277.75, -4.76 -280.88, -1.37 -288.24 M-1.37 -288.24 C-1.37 -288.24, -1.37 -288.24, -1.37 -288.24" stroke="#1e1e1e" stroke-width="2.5" fill="none"/></g></g><mask/><g stroke-linecap="round"><g transform="translate(785.7273800491835 959.8033587886342) rotate(0 0.8232080788914118 148.4094864623263)"><path d="M0 0 C0.27 49.47, 1.37 247.35, 1.65 296.82" stroke="#1e1e1e" stroke-width="2.5" fill="none" stroke-dasharray="1.5 8"/></g><g transform="translate(785.7273800491835 959.8033587886342) rotate(0 0.8232080788914118 148.4094864623263)"><path d="M1.65 296.82 L-4.77 283.26 L7.91 283.19 L1.65 296.82" stroke="none" stroke-width="0" fill="#1e1e1e" fill-rule="evenodd"/><path d="M1.65 296.82 C-0.31 292.69, -2.26 288.56, -4.77 283.26 M-4.77 283.26 C-0.06 283.23, 4.64 283.21, 7.91 283.19 M7.91 283.19 C5.57 288.28, 3.23 293.38, 1.65 296.82 M1.65 296.82 C1.65 296.82, 1.65 296.82, 1.65 296.82" stroke="#1e1e1e" stroke-width="2.5" fill="none"/></g></g><mask/><g transform="translate(874.7047733483719 539.442131109855) rotate(0 130.60546875 11.5)"><text x="0" y="0" font-family="Helvetica, Segoe UI Emoji" font-size="20px" fill="#1e1e1e" text-anchor="start" style="white-space: pre;" direction="ltr" dominant-baseline="text-before-edge">Devbox client traffic to cluster</text></g><g stroke-linecap="round"><g transform="translate(776.8488147027813 737.4705185123861) rotate(0 92.3101573333588 -216.07772951171438)"><path d="M0 0 C30.77 -72.03, 153.85 -360.13, 184.62 -432.16" stroke="#1e1e1e" stroke-width="2.5" fill="none" stroke-dasharray="1.5 8"/></g><g transform="translate(776.8488147027813 737.4705185123861) rotate(0 92.3101573333588 -216.07772951171438)"><path d="M184.62 -432.16 L185.11 -417.16 L173.45 -422.14 L184.62 -432.16" stroke="none" stroke-width="0" fill="#1e1e1e" fill-rule="evenodd"/><path d="M184.62 -432.16 C184.81 -426.49, 184.99 -420.82, 185.11 -417.16 M185.11 -417.16 C181.75 -418.6, 178.4 -420.03, 173.45 -422.14 M173.45 -422.14 C176.7 -425.05, 179.94 -427.96, 184.62 -432.16 M184.62 -432.16 C184.62 -432.16, 184.62 -432.16, 184.62 -432.16" stroke="#1e1e1e" stroke-width="2.5" fill="none"/></g></g><mask/><g transform="translate(473.72815257977163 1113.775764607612) rotate(0 130.60546875 11.5)"><text x="0" y="0" font-family="Helvetica, Segoe UI Emoji" font-size="20px" fill="#1e1e1e" text-anchor="start" style="white-space: pre;" direction="ltr" dominant-baseline="text-before-edge">Devbox client traffic to cluster</text></g><g transform="translate(1344.2406427292767 132.55097265887173) rotate(0 12 12)"><use href="#image-1eb35412189527b20624c29b9912c61108c16757" width="24" height="24" opacity="1"/></g><g transform="translate(1293.642962057123 167.07702246625598) rotate(0 62.6318359375 11.5)"><text x="0" y="0" font-family="Helvetica, Segoe UI Emoji" font-size="20px" fill="#1e1e1e" text-anchor="start" style="white-space: pre;" direction="ltr" dominant-baseline="text-before-edge">App Workload</text></g><g stroke-linecap="round" transform="translate(1219.6097104278547 106.39770938106062) rotate(0 140.09160121428226 55.18368428660908)"><path d="M27.59 0 C92.81 0, 158.03 0, 252.59 0 M27.59 0 C94.56 0, 161.52 0, 252.59 0 M252.59 0 C270.99 0, 280.18 9.2, 280.18 27.59 M252.59 0 C270.99 0, 280.18 9.2, 280.18 27.59 M280.18 27.59 C280.18 48.37, 280.18 69.15, 280.18 82.78 M280.18 27.59 C280.18 48.41, 280.18 69.23, 280.18 82.78 M280.18 82.78 C280.18 101.17, 270.99 110.37, 252.59 110.37 M280.18 82.78 C280.18 101.17, 270.99 110.37, 252.59 110.37 M252.59 110.37 C168.15 110.37, 83.71 110.37, 27.59 110.37 M252.59 110.37 C169.81 110.37, 87.04 110.37, 27.59 110.37 M27.59 110.37 C9.2 110.37, 0 101.17, 0 82.78 M27.59 110.37 C9.2 110.37, 0 101.17, 0 82.78 M0 82.78 C0 65.36, 0 47.94, 0 27.59 M0 82.78 C0 64.44, 0 46.11, 0 27.59 M0 27.59 C0 9.2, 9.2 0, 27.59 0 M0 27.59 C0 9.2, 9.2 0, 27.59 0" stroke="#1e1e1e" stroke-width="2" fill="none"/></g><g transform="translate(84.99710983202522 832.8538765011538) rotate(0 12 12)"><use href="#image-9d2f28049a8a90ddebd6f916b59a887ae5df33f6" width="24" height="24" opacity="1"/></g><g transform="translate(40.780122357920845 867.3318910163757) rotate(0 58.349609375 11.5)"><text x="0" y="0" font-family="Helvetica, Segoe UI Emoji" font-size="20px" fill="#1e1e1e" text-anchor="start" style="white-space: pre;" direction="ltr" dominant-baseline="text-before-edge">Preview URL</text></g><g stroke-linecap="round"><g transform="translate(167.66938007274337 880.8746622086211) rotate(0 222.78591701025272 0.8986935981382089)"><path d="M0 0 C74.26 0.3, 371.31 1.5, 445.57 1.8" stroke="#1e1e1e" stroke-width="2.5" fill="none" stroke-dasharray="1.5 8"/></g><g transform="translate(167.66938007274337 880.8746622086211) rotate(0 222.78591701025272 0.8986935981382089)"><path d="M445.57 1.8 L431.95 8.08 L432 -4.6 L445.57 1.8" stroke="none" stroke-width="0" fill="#1e1e1e" fill-rule="evenodd"/><path d="M445.57 1.8 C440.64 4.07, 435.71 6.35, 431.95 8.08 M431.95 8.08 C431.96 5.06, 431.98 2.03, 432 -4.6 M432 -4.6 C435.86 -2.78, 439.71 -0.96, 445.57 1.8 M445.57 1.8 C445.57 1.8, 445.57 1.8, 445.57 1.8" stroke="#1e1e1e" stroke-width="2.5" fill="none"/></g></g><mask/><g stroke-linecap="round"><g transform="translate(744.0963403684018 741.2034535407844) rotate(0 -273.9958533329249 -219.85211323314968)"><path d="M0 0 C-91.33 -73.28, -456.66 -366.42, -547.99 -439.7" stroke="#1e1e1e" stroke-width="2.5" fill="none" stroke-dasharray="1.5 8"/></g><g transform="translate(744.0963403684018 741.2034535407844) rotate(0 -273.9958533329249 -219.85211323314968)"><path d="M-547.99 -439.7 L-533.42 -436.14 L-541.36 -426.25 L-547.99 -439.7" stroke="none" stroke-width="0" fill="#1e1e1e" fill-rule="evenodd"/><path d="M-547.99 -439.7 C-544.4 -438.82, -540.8 -437.95, -533.42 -436.14 M-533.42 -436.14 C-535.65 -433.36, -537.89 -430.58, -541.36 -426.25 M-541.36 -426.25 C-543.13 -429.85, -544.9 -433.44, -547.99 -439.7 M-547.99 -439.7 C-547.99 -439.7, -547.99 -439.7, -547.99 -439.7" stroke="#1e1e1e" stroke-width="2.5" fill="none"/></g></g><mask/><g transform="translate(230.83249704214995 546.7037827361436) rotate(0 128.92578125 11.5)"><text x="0" y="0" font-family="Helvetica, Segoe UI Emoji" font-size="20px" fill="#1e1e1e" text-anchor="start" style="white-space: pre;" direction="ltr" dominant-baseline="text-before-edge">Preview URL traffic to cluster</text></g><g transform="translate(234.80226239265312 846.4488831672636) rotate(0 128.92578125 11.5)"><text x="0" y="0" font-family="Helvetica, Segoe UI Emoji" font-size="20px" fill="#1e1e1e" text-anchor="start" style="white-space: pre;" direction="ltr" dominant-baseline="text-before-edge">Preview URL traffic to cluster</text></g><g transform="translate(1346.4342490553868 303.9378626478181) rotate(0 12 12)"><use href="#image-1eb35412189527b20624c29b9912c61108c16757" width="24" height="24" opacity="1"/></g><g transform="translate(1295.836568383233 338.4639124552024) rotate(0 62.6318359375 11.5)"><text x="0" y="0" font-family="Helvetica, Segoe UI Emoji" font-size="20px" fill="#1e1e1e" text-anchor="start" style="white-space: pre;" direction="ltr" dominant-baseline="text-before-edge">App Workload</text></g><g stroke-linecap="round" transform="translate(1221.8033167539647 277.784599370007) rotate(0 140.09160121428226 55.18368428660908)"><path d="M27.59 0 C96.1 0, 164.6 0, 252.59 0 M27.59 0 C104.11 0, 180.62 0, 252.59 0 M252.59 0 C270.99 0, 280.18 9.2, 280.18 27.59 M252.59 0 C270.99 0, 280.18 9.2, 280.18 27.59 M280.18 27.59 C280.18 39.19, 280.18 50.79, 280.18 82.78 M280.18 27.59 C280.18 47.14, 280.18 66.69, 280.18 82.78 M280.18 82.78 C280.18 101.17, 270.99 110.37, 252.59 110.37 M280.18 82.78 C280.18 101.17, 270.99 110.37, 252.59 110.37 M252.59 110.37 C206.36 110.37, 160.13 110.37, 27.59 110.37 M252.59 110.37 C196.83 110.37, 141.06 110.37, 27.59 110.37 M27.59 110.37 C9.2 110.37, 0 101.17, 0 82.78 M27.59 110.37 C9.2 110.37, 0 101.17, 0 82.78 M0 82.78 C0 68.48, 0 54.18, 0 27.59 M0 82.78 C0 65.14, 0 47.5, 0 27.59 M0 27.59 C0 9.2, 9.2 0, 27.59 0 M0 27.59 C0 9.2, 9.2 0, 27.59 0" stroke="#1e1e1e" stroke-width="2" fill="none"/></g><g transform="translate(901.1976086345753 842.3518058538695) rotate(0 157.275390625 11.5)"><text x="0" y="0" font-family="Helvetica, Segoe UI Emoji" font-size="20px" fill="#1e1e1e" text-anchor="start" style="white-space: pre;" direction="ltr" dominant-baseline="text-before-edge">Devbox intercept traffic from cluster</text></g></svg>
\ No newline at end of file
diff --git a/docs/.gitbook/assets/file.excalidraw (2).svg b/docs/.gitbook/assets/file.excalidraw (2).svg
new file mode 100644
index 0000000..fe752e9
--- /dev/null
+++ b/docs/.gitbook/assets/file.excalidraw (2).svg	
@@ -0,0 +1,8 @@
+<svg version="1.1" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 1633.4806151945463 1358.8828750693292" width="3266.9612303890926" height="2717.7657501386584"><symbol id="image-9d2f28049a8a90ddebd6f916b59a887ae5df33f6"><image width="100%" height="100%" href="data:image/svg+xml;base64,PHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHdpZHRoPSIyNCIgaGVpZ2h0PSIyNCIgdmlld0JveD0iMCAwIDI0IDI0IiBmaWxsPSJub25lIiBzdHJva2U9ImN1cnJlbnRDb2xvciIgc3Ryb2tlLXdpZHRoPSIyIiBzdHJva2UtbGluZWNhcD0icm91bmQiIHN0cm9rZS1saW5lam9pbj0icm91bmQiIGNsYXNzPSJsdWNpZGUgbHVjaWRlLWdsb2JlLWljb24gbHVjaWRlLWdsb2JlIj48Y2lyY2xlIGN4PSIxMiIgY3k9IjEyIiByPSIxMCIvPjxwYXRoIGQ9Ik0xMiAyYTE0LjUgMTQuNSAwIDAgMCAwIDIwIDE0LjUgMTQuNSAwIDAgMCAwLTIwIi8+PHBhdGggZD0iTTIgMTJoMjAiLz48L3N2Zz4="/></symbol><symbol id="image-04f28670dff6fd1042c3404f1cdf3fc1d3e0ce96"><image width="100%" height="100%" href="data:image/svg+xml;base64,PHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIGNsYXNzPSJ3LTEwIGgtMTAgbXItNCIgZmlsbD0iY3VycmVudENvbG9yIiB2aWV3Qm94PSIwIDAgMTAyNCAxMDI0IiB3aWR0aD0iMTAyNCIgaGVpZ2h0PSIxMDI0Ij48cGF0aCBkPSJNNTEyIDBDMzkwLjc1OSAwIDI3OS40MjYgNDIuMjIyNyAxOTEuNzE5IDExMi42NTZMMTkxLjcxOSA2MTJMMzUxLjcxOSA2MTJMMzUxLjcxOSAzMzJMNDIyIDMzMkw0MzEuNzE5IDMzMkw0MzEuNzE5IDMzMi4zNDRDNDg4LjE2OSAzMzQuMTI3IDU0MS4yNDkgMzUxLjEzOCA1ODEuODc1IDM4MC42MjVDNjI3LjU5MSA0MTMuODA2IDY1NC44NzUgNDYwLjYzMyA2NTQuODc1IDUxMkM2NTQuODc1IDU2My4zNjcgNjI3LjU5MSA2MTAuMTk0IDU4MS44NzUgNjQzLjM3NUM1NDEuMjQ5IDY3Mi44NjIgNDg4LjE2OSA2ODkuODczIDQzMS43MTkgNjkxLjY1Nkw0MzEuNzE5IDEwMTcuNjlDNDU3Ljg4IDEwMjEuODEgNDg0LjY4IDEwMjQgNTEyIDEwMjRDNzk0Ljc3IDEwMjQgMTAyNCA3OTQuNzcgMTAyNCA1MTJDMTAyNCAyMjkuMjMgNzk0Ljc3IDAgNTEyIDBaTTExMS43MTkgMTkyLjkwNkM0MS44NTM5IDI4MC40MzIgMCAzOTEuMzAzIDAgNTEyQzAgNzM4Ljc2NiAxNDcuNDg3IDkzMC45NiAzNTEuNzE5IDk5OC4yNUwzNTEuNzE5IDY5MkwxNTEuNzE5IDY5MkwxNTEuNzE5IDY5MS44NDRMMTExLjcxOSA2OTEuODQ0TDExMS43MTkgMTkyLjkwNlpNNzM4LjIxOSAzNzJDNzQxLjU5NyAzNzIuMTA3IDc0NS4wNDIgMzczLjAyIDc0OC4zMTIgMzc0LjgxMkw5NDYuMjgxIDQ4My4zMTJDOTUyLjMxMSA0ODYuNjE2IDk1Ni42OTIgNDkyLjM5MyA5NTkuMTg4IDQ5OS4xNTZDOTU5LjgyMSA1MDAuODc0IDk2MC4zMTcgNTAyLjY0MSA5NjAuNjg4IDUwNC40NjlDOTYwLjc2NCA1MDQuODM0IDk2MC44NDEgNTA1LjE5NiA5NjAuOTA2IDUwNS41NjJDOTYxLjEyIDUwNi44MDcgOTYxLjIyNSA1MDguMDcxIDk2MS4zMTIgNTA5LjM0NEM5NjEuMzc4IDUxMC4yMzUgOTYxLjQ5OCA1MTEuMTEyIDk2MS41IDUxMkM5NjEuNDk4IDUxMi44ODggOTYxLjM3OCA1MTMuNzY1IDk2MS4zMTIgNTE0LjY1NkM5NjEuMjI2IDUxNS45MjkgOTYxLjEyIDUxNy4xOTMgOTYwLjkwNiA1MTguNDM4Qzk2MC44NDEgNTE4LjgwNCA5NjAuNzY0IDUxOS4xNjYgOTYwLjY4OCA1MTkuNTMxQzk2MC4zMTcgNTIxLjM1OSA5NTkuODIxIDUyMy4xMjYgOTU5LjE4OCA1MjQuODQ0Qzk1Ni42OTIgNTMxLjYwOCA5NTIuMzExIDUzNy4zODQgOTQ2LjI4MSA1NDAuNjg4TDc0OC4zMTIgNjQ5LjE4OEM3MzUuMjMyIDY1Ni4zNTUgNzE5LjgxOCA2NDkuMzY3IDcxMy44NzUgNjMzLjU5NEM3MDcuOTMyIDYxNy44MiA3MTMuNyA1OTkuMjMgNzI2Ljc4MSA1OTIuMDYyTDg3Mi44NzUgNTEyTDcyNi43ODEgNDMxLjkzOEM3MTMuNyA0MjQuNzcxIDcwNy45MzIgNDA2LjE4IDcxMy44NzUgMzkwLjQwNkM3MTguMzMyIDM3OC41NzYgNzI4LjA4NSAzNzEuNjc4IDczOC4yMTkgMzcyWk00MzEuNzE5IDQxMi4zNDRMNDMxLjcxOSA2MTEuNjU2QzUxMy41NiA2MDguMjA4IDU3NC44NzUgNTYxLjk4NSA1NzQuODc1IDUxMkM1NzQuODc1IDQ2Mi4wMTUgNTEzLjU2IDQxNS43OTIgNDMxLjcxOSA0MTIuMzQ0WiIvPjxwYXRoIGQ9Ik03NDIgNDAzLjY4OEM3NDAuMDYyIDQwMy40ODMgNzM4LjA5NyA0MDQuNDM4IDczNy4wOTQgNDA2LjI1QzczNS43NTYgNDA4LjY2NiA3MzYuNjE1IDQxMS42OTQgNzM5LjAzMSA0MTMuMDMxTDkyNS43MTkgNTE2LjM3NUM5MjguMTM1IDUxNy43MTIgOTMxLjE5NCA1MTYuODIyIDkzMi41MzEgNTE0LjQwNkM5MzMuODY5IDUxMS45OSA5MzIuOTc5IDUwOC45NjIgOTMwLjU2MiA1MDcuNjI1TDc0My44NzUgNDA0LjI4MUM3NDMuMjcxIDQwMy45NDcgNzQyLjY0NiA0MDMuNzU2IDc0MiA0MDMuNjg4WiIvPjxwYXRoIGQ9Ik05MjcuNSA1MDcuMDMxQzkyNi44NTYgNTA3LjExNSA5MjYuMjIxIDUwNy4zMzkgOTI1LjYyNSA1MDcuNjg4TDczOC45MzggNjE2LjkwNkM3MzYuNTU0IDYxOC4zMDEgNzM1Ljc2MiA2MjEuMzM1IDczNy4xNTYgNjIzLjcxOUM3MzguNTUxIDYyNi4xMDIgNzQxLjYxNiA2MjYuOTI2IDc0NCA2MjUuNTMxTDkzMC42ODggNTE2LjMxMkM5MzMuMDcxIDUxNC45MTggOTMzLjg2MyA1MTEuODUyIDkzMi40NjkgNTA5LjQ2OUM5MzEuNDIzIDUwNy42ODEgOTI5LjQzMiA1MDYuNzggOTI3LjUgNTA3LjAzMVoiLz48L3N2Zz4="/></symbol><symbol id="image-cd5a510c10be4b13edac83ff2c63d62659dd7515"><image width="100%" height="100%" href="data:image/svg+xml;base64,PHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHdpZHRoPSIyNCIgaGVpZ2h0PSIyNCIgdmlld0JveD0iMCAwIDI0IDI0IiBmaWxsPSJub25lIiBzdHJva2U9ImN1cnJlbnRDb2xvciIgc3Ryb2tlLXdpZHRoPSIwLjIiIHN0cm9rZS1saW5lY2FwPSJyb3VuZCIgc3Ryb2tlLWxpbmVqb2luPSJyb3VuZCIgY2xhc3M9Imljb24gaWNvbi10YWJsZXIgaWNvbnMtdGFibGVyLW91dGxpbmUgaWNvbi10YWJsZXItY2xvdWQiPjxwYXRoIHN0cm9rZT0ibm9uZSIgZD0iTTAgMGgyNHYyNEgweiIgZmlsbD0ibm9uZSIvPjxwYXRoIGQ9Ik02LjY1NyAxOGMtMi41NzIgMCAtNC42NTcgLTIuMDA3IC00LjY1NyAtNC40ODNjMCAtMi40NzUgMi4wODUgLTQuNDgyIDQuNjU3IC00LjQ4MmMuMzkzIC0xLjc2MiAxLjc5NCAtMy4yIDMuNjc1IC0zLjc3M2MxLjg4IC0uNTcyIDMuOTU2IC0uMTkzIDUuNDQ0IDFjMS40ODggMS4xOSAyLjE2MiAzLjAwNyAxLjc3IDQuNzY5aC45OWMxLjkxMyAwIDMuNDY0IDEuNTYgMy40NjQgMy40ODZjMCAxLjkyNyAtMS41NTEgMy40ODcgLTMuNDY1IDMuNDg3aC0xMS44NzgiLz48L3N2Zz4="/></symbol><symbol id="image-1fc42860614cb7357b66c1964aa081366cd82698"><image width="100%" height="100%" href="data:image/svg+xml;base64,PHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHdpZHRoPSIyNCIgaGVpZ2h0PSIyNCIgdmlld0JveD0iMCAwIDI0IDI0IiBmaWxsPSJub25lIiBzdHJva2U9ImN1cnJlbnRDb2xvciIgc3Ryb2tlLXdpZHRoPSIyIiBzdHJva2UtbGluZWNhcD0icm91bmQiIHN0cm9rZS1saW5lam9pbj0icm91bmQiIGNsYXNzPSJsdWNpZGUgbHVjaWRlLWNvbXB1dGVyLWljb24gbHVjaWRlLWNvbXB1dGVyIj48cmVjdCB3aWR0aD0iMTQiIGhlaWdodD0iOCIgeD0iNSIgeT0iMiIgcng9IjIiLz48cmVjdCB3aWR0aD0iMjAiIGhlaWdodD0iOCIgeD0iMiIgeT0iMTQiIHJ4PSIyIi8+PHBhdGggZD0iTTYgMThoMiIvPjxwYXRoIGQ9Ik0xMiAxOGg2Ii8+PC9zdmc+"/></symbol><symbol id="image-1eb35412189527b20624c29b9912c61108c16757"><image width="100%" height="100%" href="data:image/svg+xml;base64,PHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHdpZHRoPSIyNCIgaGVpZ2h0PSIyNCIgdmlld0JveD0iMCAwIDI0IDI0IiBmaWxsPSJub25lIiBzdHJva2U9ImN1cnJlbnRDb2xvciIgc3Ryb2tlLXdpZHRoPSIyIiBzdHJva2UtbGluZWNhcD0icm91bmQiIHN0cm9rZS1saW5lam9pbj0icm91bmQiIGNsYXNzPSJpY29uIGljb24tdGFibGVyIGljb25zLXRhYmxlci1vdXRsaW5lIGljb24tdGFibGVyLWJveCI+PHBhdGggc3Ryb2tlPSJub25lIiBkPSJNMCAwaDI0djI0SDB6IiBmaWxsPSJub25lIi8+PHBhdGggZD0iTTEyIDNsOCA0LjVsMCA5bC04IDQuNWwtOCAtNC41bDAgLTlsOCAtNC41Ii8+PHBhdGggZD0iTTEyIDEybDggLTQuNSIvPjxwYXRoIGQ9Ik0xMiAxMmwwIDkiLz48cGF0aCBkPSJNMTIgMTJsLTggLTQuNSIvPjwvc3ZnPg=="/></symbol><symbol id="image-60b076cb044084e59e74d2b41f84159dcede0ddd"><image width="100%" height="100%" href="data:image/svg+xml;base64,PHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHdpZHRoPSI4MDBweCIgaGVpZ2h0PSI4MDBweCIgdmlld0JveD0iMCAtMTAuNDQgNzIyLjg0NiA3MjIuODQ2Ij48cGF0aCBkPSJNMzU4Ljk4NiAxMC4wNmE0Ni43MjUgNDYuMzQyIDAgMDAtMTcuOTA2IDQuNTMxTDk2LjczNiAxMzEuMzQxYTQ2LjcyNSA0Ni4zNDIgMCAwMC0yNS4yOCAzMS40MzhsLTYwLjI4MiAyNjIuMjVhNDYuNzI1IDQ2LjM0MiAwIDAwNi4zNDQgMzUuNTMxIDQ2LjcyNSA0Ni4zNDIgMCAwMDIuNjU2IDMuNjg4bDE2OS4xMjUgMjEwLjI4YTQ2LjcyNSA0Ni4zNDIgMCAwMDM2LjUzMSAxNy40MzhsMjcxLjIxOS0uMDYyYTQ2LjcyNSA0Ni4zNDIgMCAwMDM2LjUzMS0xNy40MDZsMTY5LjA2My0yMTAuMzEzYTQ2LjcyNSA0Ni4zNDIgMCAwMDkuMDMtMzkuMjE5TDY1MS4zIDE2Mi43MTZhNDYuNzI1IDQ2LjM0MiAwIDAwLTI1LjI4MS0zMS40MzdMMzgxLjY0MyAxNC41OWE0Ni43MjUgNDYuMzQyIDAgMDAtMjIuNjU3LTQuNTN6IiBmaWxsPSIjMzI2Y2U1Ii8+PHBhdGggZD0iTTM2MS40MDggOTkuMzA3Yy04LjA3Ny4wMDEtMTQuNjI2IDcuMjc2LTE0LjYyNSAxNi4yNSAwIC4xMzguMDI4LjI3LjAzLjQwNi0uMDExIDEuMjItLjA3IDIuNjg5LS4wMyAzLjc1LjE5MiA1LjE3NiAxLjMyIDkuMTM4IDIgMTMuOTA3IDEuMjMgMTAuMjA2IDIuMjYgMTguNjY3IDEuNjI1IDI2LjUzMS0uNjIgMi45NjUtMi44MDMgNS42NzctNC43NSA3LjU2MmwtLjM0NCA2LjE4OGExOTAuMzM3IDE5MC4zMzcgMCAwMC0yNi40MzggNC4wNjJjLTM3Ljk3NCA4LjYyMy03MC42NyAyOC4xODQtOTUuNTYyIDU0LjU5NGEyNDUuMTY3IDI0NS4xNjcgMCAwMS01LjI4MS0zLjc1Yy0yLjYxMi4zNTMtNS4yNSAxLjE1OS04LjY4OC0uODQ0LTYuNTQ1LTQuNDA1LTEyLjUwNi0xMC40ODYtMTkuNzE5LTE3LjgxMi0zLjMwNS0zLjUwNC01LjY5OC02Ljg0MS05LjYyNS0xMC4yMTktLjg5MS0uNzY3LTIuMjUyLTEuODA0LTMuMjUtMi41OTQtMy4wNy0yLjQ0Ny02LjY5LTMuNzI0LTEwLjE4Ny0zLjg0My00LjQ5Ni0uMTU0LTguODI0IDEuNjA0LTExLjY1NiA1LjE1Ni01LjAzNiA2LjMxNS0zLjQyNCAxNS45NjggMy41OTMgMjEuNTYyLjA3MS4wNTcuMTQ3LjEwMS4yMTkuMTU3Ljk2NC43ODEgMi4xNDUgMS43ODMgMy4wMzEgMi40MzcgNC4xNjcgMy4wNzcgNy45NzMgNC42NTIgMTIuMTI1IDcuMDk0IDguNzQ3IDUuNDAyIDE1Ljk5OSA5Ljg4IDIxLjc1IDE1LjI4MSAyLjI0NiAyLjM5NCAyLjYzOSA2LjYxMyAyLjkzOCA4LjQzOGw0LjY4NyA0LjE4N2MtMjUuMDkzIDM3Ljc2NC0zNi43MDcgODQuNDEtMjkuODQzIDEzMS45MzhsLTYuMTI1IDEuNzgxYy0xLjYxNSAyLjA4NS0zLjg5NiA1LjM2NS02LjI4MiA2LjM0NC03LjUyNSAyLjM3LTE1Ljk5NCAzLjI0LTI2LjIxOCA0LjMxMi00LjguNC04Ljk0My4xNjEtMTQuMDMyIDEuMTI1LTEuMTIuMjEyLTIuNjguNjE5LTMuOTA2LjkwNmwtLjEyNS4wMzJjLS4wNjcuMDE1LS4xNTUuMDQ4LS4yMTkuMDYyLTguNjIgMi4wODMtMTQuMTU3IDEwLjAwNi0xMi4zNzUgMTcuODEzIDEuNzgzIDcuODA4IDEwLjIwMyAxMi41NTYgMTguODc1IDEwLjY4Ny4wNjMtLjAxNC4xNTQtLjAxNy4yMTktLjAzMS4wOTgtLjAyMi4xODQtLjA3LjI4MS0uMDk0IDEuMjEtLjI2NSAyLjcyNC0uNTYgMy43ODItLjg0MyA1LjAwMy0xLjM0IDguNjI2LTMuMzA4IDEzLjEyNS01LjAzMiA5LjY3Ni0zLjQ3IDE3LjY5MS02LjM3IDI1LjUtNy41IDMuMjYtLjI1NSA2LjY5NyAyLjAxMiA4LjQwNiAyLjk2OWw2LjM3NS0xLjA5NGMxNC42NyA0NS40ODMgNDUuNDE0IDgyLjI0NSA4NC4zNDQgMTA1LjMxM2wtMi42NTcgNi4zNzVjLjk1OCAyLjQ3NSAyLjAxNCA1LjgyNCAxLjMgOC4yNy0yLjgzOCA3LjM2LTcuNyAxNS4xMy0xMy4yMzcgMjMuNzkyLTIuNjgxIDQuMDAyLTUuNDI1IDcuMTA4LTcuODQ0IDExLjY4OC0uNTc5IDEuMDk2LTEuMzE2IDIuNzgtMS44NzUgMy45MzctMy43NTkgOC4wNDMtMS4wMDIgMTcuMzA1IDYuMjE5IDIwLjc4MiA3LjI2NiAzLjQ5NyAxNi4yODQtLjE5MiAyMC4xODctOC4yNS4wMDYtLjAxMi4wMjYtLjAyLjAzMS0uMDMyLjAwNC0uMDA5LS4wMDQtLjAyMiAwLS4wMy41NTYtMS4xNDMgMS4zNDQtMi42NDUgMS44MTMtMy43MiAyLjA3Mi00Ljc0NyAyLjc2Mi04LjgxNSA0LjIxOS0xMy40MDYgMy44Ny05LjcyIDUuOTk1LTE5LjkxOSAxMS4zMjItMjYuMjc0IDEuNDU5LTEuNzQgMy44MzctMi40MSA2LjMwMy0zLjA3bDMuMzEyLTZjMzMuOTM4IDEzLjAyNyA3MS45MjcgMTYuNTIzIDEwOS44NzUgNy45MDdhMTg5Ljc3IDE4OS43NyAwIDAwMjUuMDk0LTcuNTYzYy45MyAxLjY1MSAyLjY2MSA0LjgyNiAzLjEyNSA1LjYyNSAyLjUwNi44MTUgNS4yNCAxLjIzNiA3LjQ2OSA0LjUzMSAzLjk4NSA2LjgxIDYuNzEgMTQuODY1IDEwLjAzMSAyNC41OTQgMS40NTcgNC41OTEgMi4xNzggOC42NiA0LjI1IDEzLjQwNi40NzIgMS4wODIgMS4yNTYgMi42MDUgMS44MTIgMy43NSAzLjg5NSA4LjA4NSAxMi45NDMgMTEuNzg3IDIwLjIyIDguMjgyIDcuMjE5LTMuNDc4IDkuOTc5LTEyLjc0IDYuMjE4LTIwLjc4Mi0uNTU5LTEuMTU4LTEuMzI3LTIuODQxLTEuOTA2LTMuOTM3LTIuNDItNC41OC01LjE2My03LjY1NS03Ljg0NC0xMS42NTYtNS41MzctOC42NjItMTAuMTMtMTUuODU4LTEyLjk2OS0yMy4yMi0xLjE4Ny0zLjc5Ni4yLTYuMTU3IDEuMTI1LTguNjI0LS41NTQtLjYzNS0xLjczOS00LjIyLTIuNDM3LTUuOTA2IDQwLjQ1Ny0yMy44ODkgNzAuMjk4LTYyLjAyMiA4NC4zMTItMTA2LjA2MyAxLjg5My4yOTggNS4xODIuODggNi4yNSAxLjA5NCAyLjItMS40NSA0LjIyMi0zLjM0NCA4LjE4OC0zLjAzMSA3LjgwOCAxLjEyOSAxNS44MjMgNC4wMyAyNS41IDcuNSA0LjQ5OCAxLjcyMyA4LjEyMSAzLjcyMyAxMy4xMjUgNS4wNjIgMS4wNTcuMjgzIDIuNTcyLjU0NyAzLjc4MS44MTMuMDk3LjAyMy4xODMuMDcxLjI4MS4wOTMuMDY2LjAxNS4xNTYuMDE3LjIxOS4wMzIgOC42NzIgMS44NjYgMTcuMDk0LTIuODggMTguODc1LTEwLjY4OCAxLjc4LTcuODA3LTMuNzU0LTE1LjczMi0xMi4zNzUtMTcuODEyLTEuMjU0LS4yODYtMy4wMzItLjc3LTQuMjUtMS01LjA5LS45NjQtOS4yMzEtLjcyNy0xNC4wMzEtMS4xMjUtMTAuMjI1LTEuMDcyLTE4LjY5NC0xLjk0My0yNi4yMTktNC4zMTMtMy4wNjgtMS4xOS01LjI1MS00Ljg0MS02LjMxMy02LjM0NGwtNS45MDYtMS43MThjMy4wNjItMjIuMTU1IDIuMjM3LTQ1LjIxMi0zLjA2Mi02OC4yODItNS4zNDktMjMuMjg0LTE0LjgtNDQuNTgtMjcuNDA3LTYzLjM0MyAxLjUxNS0xLjM3OCA0LjM3Ny0zLjkxMSA1LjE4OC00LjY1Ny4yMzctMi42MjQuMDMzLTUuMzc1IDIuNzUtOC4yODEgNS43NTEtNS40IDEzLjAwMy05Ljg3OSAyMS43NS0xNS4yODEgNC4xNTItMi40NDMgNy45OS00LjAxNyAxMi4xNTYtNy4wOTQuOTQyLS42OTYgMi4yMy0xLjc5OCAzLjIxOS0yLjU5NCA3LjAxNS01LjU5NiA4LjYzLTE1LjI0OCAzLjU5NC0yMS41NjItNS4wMzctNi4zMTQtMTQuNzk3LTYuOTEtMjEuODEzLTEuMzEzLS45OTguNzkxLTIuMzUzIDEuODIzLTMuMjUgMi41OTQtMy45MjYgMy4zNzgtNi4zNTEgNi43MTQtOS42NTYgMTAuMjE5LTcuMjEzIDcuMzI2LTEzLjE3NCAxMy40MzgtMTkuNzE5IDE3Ljg0NC0yLjgzNiAxLjY1LTYuOTkgMS4wOC04Ljg3NS45NjhsLTUuNTYyIDMuOTY5Yy0zMS43Mi0zMy4yNi03NC45MDUtNTQuNTI1LTEyMS40MDYtNTguNjU2LS4xMy0xLjk0OS0uMy01LjQ3MS0uMzQ0LTYuNTMyLTEuOTA0LTEuODIxLTQuMjA0LTMuMzc2LTQuNzgxLTcuMzEyLS42MzctNy44NjQuNDI2LTE2LjMyNSAxLjY1Ni0yNi41MzEuNjc5LTQuNzY5IDEuODA3LTguNzMgMi0xMy45MDcuMDQ0LTEuMTc2LS4wMjctMi44ODQtLjAzMS00LjE1Ni0uMDAxLTguOTc0LTYuNTQ4LTE2LjI1LTE0LjYyNS0xNi4yNXptLTE4LjMxMyAxMTMuNDM4bC00LjM0NCA3Ni43MTgtLjMxMi4xNTdjLS4yOTIgNi44NjMtNS45NCAxMi4zNDMtMTIuODc1IDEyLjM0My0yLjg0MSAwLTUuNDYzLS45MTItNy41OTQtMi40NjhsLS4xMjUuMDYyLTYyLjkwNi00NC41OTRjMTkuMzMzLTE5LjAxIDQ0LjA2My0zMy4wNiA3Mi41NjItMzkuNTNhMTU0LjEyNSAxNTQuMTI1IDAgMDExNS41OTQtMi42ODh6bTM2LjY1NiAwYzMzLjI3NCA0LjA5MiA2NC4wNDUgMTkuMTU5IDg3LjYyNSA0Mi4yNWwtNjIuNSA0NC4zMTItLjIxOC0uMDkzYy01LjU0OCA0LjA1MS0xMy4zNjQgMy4wNDYtMTcuNjg4LTIuMzc1YTEyLjgwNyAxMi44MDcgMCAwMS0yLjgxMi03LjQ3bC0uMDYzLS4wM3pNMjMyLjEyNiAyODMuNjJsNTcuNDM4IDUxLjM3NS0uMDYzLjMxMmM1LjE4NSA0LjUwNyA1Ljk1IDEyLjMyOCAxLjYyNSAxNy43NWExMi44OTIgMTIuODkyIDAgMDEtNi42ODcgNC40MDZsLS4wNjMuMjUtNzMuNjI1IDIxLjI1Yy0zLjc0Ny0zNC4yNjUgNC4zMjktNjcuNTczIDIxLjM3NS05NS4zNDN6bTI1OC4xNTcuMDNjOC41MzQgMTMuODMzIDE0Ljk5NiAyOS4yODMgMTguODQzIDQ2LjAzMiAzLjgwMSAxNi41NDggNC43NTUgMzMuMDY3IDMuMTg4IDQ5LjAzMWwtNzQtMjEuMzEyLS4wNjMtLjMxM2MtNi42MjYtMS44MS0xMC42OTktOC41NTEtOS4xNTYtMTUuMzEyYTEyLjc4NiAxMi43ODYgMCAwMTQuMDk0LTYuODQ0bC0uMDMxLS4xNTYgNTcuMTI1LTUxLjEyNXptLTE0MC42NTcgNTUuMzEzaDIzLjUzMmwxNC42MjUgMTguMjgyLTUuMjUgMjIuODEyLTIxLjEyNSAxMC4xNTYtMjEuMTg4LTEwLjE4Ny01LjI1LTIyLjgxM3ptNzUuNDM4IDYyLjU2M2MxLS4wNSAxLjk5NS4wNCAyLjk2OS4yMTlsLjEyNS0uMTU3IDc2LjE1NiAxMi44NzVjLTExLjE0NiAzMS4zMTQtMzIuNDczIDU4LjQ0LTYwLjk2OSA3Ni41OTRsLTI5LjU2Mi03MS40MDYuMDkzLS4xMjVjLTIuNzE1LTYuMzEuMDAyLTEzLjcxIDYuMjUtMTYuNzE5IDEuNi0uNzcgMy4yNzEtMS4xOTcgNC45MzgtMS4yODF6bS0xMjcuOTA2LjMxMmM1LjgxMS4wODIgMTEuMDI0IDQuMTE2IDEyLjM3NSAxMC4wMzIuNjMyIDIuNzcuMzI0IDUuNTEzLS43MiA3LjkzN2wuMjIuMjgxLTI5LjI1IDcwLjY4OGMtMjcuMzQ4LTE3LjU0OS00OS4xMy00My44MjQtNjAuNzgyLTc2LjA2M2w3NS41LTEyLjgxMi4xMjUuMTU2Yy44NDUtLjE1NSAxLjcwMS0uMjMgMi41MzItLjIxOXptNjMuNzggMzAuOTdhMTIuNzY0IDEyLjc2NCAwIDAxNi4wMzIgMS4yOGMyLjU2IDEuMjMzIDQuNTM3IDMuMTc0IDUuNzgxIDUuNWguMjgybDM3LjIxOCA2Ny4yNWExNTQuMjU2IDE1NC4yNTYgMCAwMS0xNC44NzUgNC4xNTdjLTI4LjQ2NCA2LjQ2My01Ni44MzggNC41MDQtODIuNTMtNC4yNWwzNy4xMjQtNjcuMTI1aC4wNjNhMTIuOTEgMTIuOTEgMCAwMTEwLjkwNi02LjgxM3oiIHN0eWxlPSJ0ZXh0LWluZGVudDowO3RleHQtYWxpZ246c3RhcnQ7bGluZS1oZWlnaHQ6bm9ybWFsO3RleHQtdHJhbnNmb3JtOm5vbmU7YmxvY2stcHJvZ3Jlc3Npb246dGI7bWFya2VyOm5vbmU7LWlua3NjYXBlLWZvbnQtc3BlY2lmaWNhdGlvbjpTYW5zIiBmb250LXdlaWdodD0iNDAwIiBjb2xvcj0iIzAwMDAwMCIgZmlsbD0iI2ZmZmZmZiIgc3Ryb2tlPSIjZmZmZmZmIiBzdHJva2Utd2lkdGg9Ii4yNSIgb3ZlcmZsb3c9InZpc2libGUiIGZvbnQtZmFtaWx5PSJTYW5zIi8+PC9zdmc+"/></symbol>
+  <!-- svg-source:excalidraw -->
+  <!-- payload-type:application/vnd.excalidraw+json --><!-- payload-version:2 --><!-- payload-start -->eyJ2ZXJzaW9uIjoiMSIsImVuY29kaW5nIjoiYnN0cmluZyIsImNvbXByZXNzZWQiOnRydWUsImVuY29kZWQiOiJ4nO19a1dcIk2y7vf5XHUwMDE1vfp8nJGd96ycs/ZcdTAwMDdcdTAwMDRcdTAwMWGxLVx1MDAxMFx1MDAwNWk8a69eUCByXHUwMDEzW0Gg9pr/flwiXCJLXHUwMDAxXHUwMDA1RdtbvzP9rlx1MDAxOaSoS17iiXjikln/+7cvX76O55ftr//88rU9i1x1MDAxYYNu66ox/fpcdTAwMGY8ftO+uu6OLuAnQd+vR5OriM48XHUwMDFmjy+v//lf/9W4vEx1uuPmaNRPRaOhv6w9aFx1MDAwZttcdTAwMTfjazjx/8H3L1/+l/5/6UHdYaPTppPp8OI5RrH7R4ujXHUwMDBieiZcdTAwMGaccIJxXHUwMDFi3J3Rvc7Cs8btXHUwMDE2/HzWXHUwMDE4XFy3XHUwMDE3v+Chr7Y1uVx1MDAxY+Rcbmc3qsaOz1x1MDAwM9s6aZ12XHUwMDE2jz3rXHUwMDBlXHUwMDA2x+P5gJp0PYKeL367XHUwMDFlX4367Vq3NT6/7f7S8U1XXY0mnfOL9jV2nd9cdTAwMWRcdTAwMWRdNqLueI7H2KJ7jYtcdTAwMGXdY3FkXHUwMDA235RcYlLOXHUwMDE5aVx1MDAwMiFcdTAwMDLrmL77XHUwMDE1r99cdTAwMTFapKyw0jIlJdeBvtewzGgwusKGja9cdTAwMWFcdTAwMTfXl40rmIdF85qNqN+BNl60XHUwMDFlP2+adFuJ1OJcdTAwMDHn7W7nfHz/6HWbRp9LXHUwMDExXHUwMDE4q5VcXExcdTAwMGU+6LLQXCIp+J/FmF81hu1cdTAwMDJecjFcdTAwMTlcZpZcdTAwMDfuopVcZtzKXHUwMDBmTfwhtyRQi1tNLltccj/33Fx1MDAxYaZUoFx1MDAwMqaWRmTQvejfv91gXHUwMDE09deIy/W4MZ7g7b9eti9a3YtVIfHt/WpYk1lcdTAwMTM14VEsUG3t2la1RFPxs0Bx7VpRu9VmrdayXHUwMDEwXHUwMDAxnNp3KMB/O3dS8eVcdTAwMGJP/vpcdTAwMWb6/Nc/1kPlqlx1MDAxZI29qKyBi1BqI1xcLEyG1fJcdTAwMTlwXHUwMDE5Xn0rXFyyi2Bnr9pcdTAwMWGe8+Dgss3231x1MDAwYi7sRXCRRqWEdsZcdMWEXHUwMDE1JlD38GJsylx1MDAxOM1cdTAwMDVjxsLvwmxcdTAwMDLM/+Ft/O/lYDHGpZxyXHUwMDAx/HNKMFx1MDAxMTxEjlQqJaWGmZGOXHUwMDE5+Vx1MDAwMEWg3bTRlkv1+yj63zs5u1x1MDAxNSWZXHUwMDFj+df7gOtRqVx1MDAxZbdn47VcdTAwMDJcdTAwMWSIjVx1MDAwMs2cdUJcYse2XHUwMDE2aMfYzixbyZ/VMzNdmp1x0Tz98bn1v3RBKpBKXG5hXHUwMDAxvEbr+1x1MDAwMs1Uilx1MDAwYsGNkVx1MDAwZcyA1Vx1MDAxYi3Ab1x1MDAwYjRcZnhKcrDIRqyxXHUwMDAyQj6wXHUwMDAxWoFgv470foBccjhcdTAwMWJdjI+7cZtwuHL0W2PYXHUwMDFkzFfEgORcdTAwMTdcdTAwMDawXHUwMDBljOhLZjC5XHUwMDFlt6++rvyaXHUwMDFldDso0V9cdTAwMDfts1VRXHUwMDFmd8Es3P08XHUwMDFlXS5+jeBpje5F++rh6Iyuup3uRWNQefTJ0N/23u1cdTAwMTTxXHUwMDE010uzf93GX/G4e7nFXHUwMDAxadhcYlBQbFpwxrdcdTAwMDdozdXMXFxcXFx1MDAxY9tcdTAwMGL5LVx1MDAxN7mLwfWOTL8qQFuN6/P2q1wilIOOTjlpWFx1MDAxMCggaDK4R9EksymluJKAX2WMejuLY4VMSaUld9qBonBcdTAwMGLcLXE1XHUwMDBidHLp333QauugQ+5cdTAwMTVo24tcZs7dNYur74RjUDrcVTe783LYyt6UxHHjvFpejNaKyDaurkbTr3e//OuWWb2XOdvoz4glXHUwMDA03odcdTAwMGLMXHUwMDFhMPxli/dcdTAwMTRcXHY7vFx1MDAxMeSmw+5cXDUze2w/bs1U43PbM83Bn1x1MDAwMd9Agk/jNNN2XHUwMDE1LGDKUlZcdTAwMDXCKSOcXHUwMDA0s/am/oxYg5ClY7csXGZcZl9cdTAwMTBYqcRaUCzEfJD5se9cdTAwMGUnZ1dcdTAwMTOrxunvs0a4X3JLXHUwMDAy+jV98k2keflqXHUwMDE0XFzmXHUwMDA3de3mwc+Dg69cdTAwMGaE83Paw618XCLebkqtuFx1MDAwMOdcXFx1MDAwYttcdTAwMTTAXHUwMDE1VCRcXNM5LlwiwzlcdTAwMGJcIlx1MDAwZX6hfcwnerZLtJE86o1gXHUwMDBihOIu4Esq8imsXHUwMDE1psG3XFwnXHUwMDE47Vx1MDAwZlx1MDAwN0F08TM/alx1MDAwZlx1MDAwZYefXHUwMDFia0qAXHUwMDA3wlx1MDAxY1xmulxm1mDNiVx1MDAxNLhDgdCgdVx1MDAxZYPab9sl5Kg6YMxcdTAwMDZ8O+ZcdTAwMTjAzFxiJdm/Nd5exD9cdTAwMGZcdTAwMWGXrfbNzvdJs71cdTAwMTM2LsBcbr0zXHJ9tFx1MDAwMW/ORqXYzEZcclx1MDAwMMCAq71AwVOQ/8XKefYtV83HbWZtITrKTc3ruouvz0bBXHUwMDBifNS+SlxmJ25hX39cdTAwMWb0JlhcdTAwMTcsXGbgKFv6t+jlLVx1MDAwMVxyQFc5uzSR68H/eth+daKabY+/22FzZ6dcdTAwMTbt1ic71SAzulx1MDAxMttcdTAwMTHVfzx231attn/YKcSNLj+pXHUwMDFkXHUwMDBitXMhfl69XHUwMDA2XHUwMDAx5lx1MDAwMVx1MDAwYsBcbogl3+Q3XHTw4yjlXHUwMDFig/pWXHUwMDE5cKK03D5IeVx1MDAxMJSuyoN+/ftkf3iROZyE9evq69rl11x1MDAwNyn0MqWMXHUwMDE0ylx1MDAxOVx1MDAwMV7hXHUwMDEyXGJcdTAwMTJcdTAwMTKsUpxJ44RcdTAwMTZMcyv526FUsVx1MDAxNZdRrmHE2tzHKJfAnVx1MDAwMqM3MOKPQt9aPrgkKt9//TR75X2pr4P44rB+fSR+nDe3XHUwMDA131x1MDAxZuR9buLDktlNuFx1MDAxM8xcdFx1MDAwM1x1MDAwMue2XHUwMDA33vrR/OTAsypcdTAwMDWeiLDGcIFjflx1MDAwZnjMpsz7XHUwMDAwj1x1MDAwNzKlXHUwMDE0mDm9ZTTVXHUwMDA02ijH2Hq7+Fx1MDAxNyazX3JcdTAwMTc33avRxXBlXHUwMDFjV7hsXHUwMDA0Py3zzFx1MDAwN2x22G21lm3RKqF9yoas57jr2/X2XHUwMDE095FcdTAwMTRcdTAwMWbyPlx1MDAwZZP0jFxi0jBto1ncOc33vkXFvUb6+PtR9bODWNlcdTAwMTRjgVxitHWCc35cdTAwMGbE4PSCx2uZXHUwMDBiwLrCKW+XXHUwMDEweaHxxFx1MDAxOLFyXHUwMDFml9R7mfE8d+e/Lopn573RbvPXSbvfjLujwWc0cmpj0MdyXHUwMDAzZMvJ7fNcdTAwMTHrO/3J4WF1SmmwXcJaK4Gl3SeXYOKW4KHcm+Hj2TaOa1x1MDAwNlxyXHUwMDEzlv+ZVSOf28g9oerf28htwi+3XHUwMDFiSSqodcYkXHUwMDBinkFS9399T3f3jn5EezaY9E1mNP7Vv/7cUVtcdTAwMGXmJFx1MDAxNVhnMWhrLb9PUkWARSMgqlx1MDAxYXww52wg7zXtXHUwMDAzXHUwMDAxLJx4JFPy743fN1xyuH5cdTAwMTBcdTAwMTl1mt8/uijP1CxcYlx1MDAwMrnksDxcdTAwMTlvvdm5zFxcy72ofjLJsNFRfbhbO/3c9WaATptyVijJueVcdTAwMWM44FxuWFx1MDAxNVMpwZ3Sylx1MDAwMFTBs3wzqCrlUtbYwFx1MDAxYSXAt5Vrqs1cdTAwMTQzKWbAzVx1MDAwN+qpwcN9WLRcdTAwMTnoQMlA86dcdTAwMTIvwaDWY/FBz7D2vDLpmL0mu8h9jtjrfqum+pPuz/71ZTpdj9uz9vn37OdcZtO0XHUwMDA3g+7l9VpcXFx1MDAwNXpzXHUwMDFlw2omnOPB9rj6UVx1MDAxNFfXrU71wF5kTnfKhdNas3DyyXGljUyBQ8U041hdK1aNoNI6ZYUzOC9gL9VcdTAwMWLaQDBpKSZcdTAwMDBVMOZcdTAwMTJcXM91djAwK6c8qCBcdTAwMDBcdTAwMGbRYqB3vcf3PrhcdTAwMTJP4+rjy2OW69vvy700Mlx1MDAxMNY8g/xd/mrHv+z+/OJsYupR++TIXHUwMDFkXFypT07+jLMpXHLUTnBltOD3isk00yluYS7Aj1x1MDAwNZ4l7jfsQ8pjXHUwMDAwnFjf9lR1zNS4ecSiwXg2UzW3e1x1MDAxM+/0omXN/LXQXHUwMDE24uTn9bhYaX1vN6rpefP7JLd8wuvB4z/lM1+e9sSs25imXHUwMDAz4ZQmQCncXHUwMDFhjNdBMNhJp7+FY3VcdTAwMWVe/jLyVN5MPjtcdTAwMTi5TIHrwyzjzlx1MDAxOGVXk+laXHUwMDA2KThcdTAwMDMmLFx1MDAxMGCPg2BcdTAwMTNcdTAwMTh/31x1MDAwZlx1MDAwM4/QbF94bVx1MDAwMuYsNPrdrM3jcHqMrp1fVUrzm/J+e9wql3dNS4ZsLF8hVd5pld1RUG/J3sWvY53m15NcdTAwMWY/dj+MXHUwMDA2voqHedxttaPG1ZfDq9Fs/iE+5oZcdTAwMTa8ZTQo2JyyXHUwMDA05Fx1MDAwMYT1c1KWw9bOwbRcdTAwMTBWJvssPi1cZlx1MDAwZpqX48Fnj1x1MDAwNlx1MDAxOWFT5LOBY1x1MDAwNnZ/XHUwMDExrcXrrVx1MDAwNq+PSbDAhlx1MDAxYmXeMNfBjUltv/JDMumAXHUwMDE1PFnB90db9Fx1MDAxN4E5fXn5pTa66lx1MDAwZkaN1pfDUet9gbz56a9cdTAwMDHizbRebXZnpZXMXHUwMDAxzdk+Zzlvn8yPXHUwMDBmerX2oLq3XHUwMDFi7Dd6vW/fdz47ip1LKfDZmcFaW/BcdTAwMTVXYGyUSjmhncXVXHUwMDE3gJqN3uw70nqtmMNavKd81mwmf3iZb1x1MDAwN9PS0Fx1MDAxNPuXp7PJ5Egvs/Zql/dys3R9b79cXNurjFx1MDAwZXI/09+KXHUwMDFmQevfiIe8JV/4XHUwMDEznYbNXHUwMDFlvFLa8pU1t09BfSZcdTAwMDdB1Ds6qVx1MDAxY11l5sXzfXVZP1x0PjvUlUkx5lx1MDAwMi7BL1x1MDAwMLu96sFcdTAwMWJrUkKDWFjNlVPiXHKTN0BcdTAwMWOAXHUwMDE2SLFt1T1oJuBcdTAwMTj2XHUwMDFko79/ktHO3FrZ97fYa1x1MDAxZf1cdTAwMWHm2iuyNVx1MDAxOFx1MDAxNlLL+4dcdTAwMTf2WohcdTAwMDA84meEn1x1MDAxZtetr1JEMVx1MDAxYY83XHUwMDE1Ubww/mw5T0lQp05pUKGWrfJubcWK6/92NVx1MDAxNFxmXHUwMDFjf1x1MDAxMVx1MDAwMJ3mWjpnzbpcdTAwMWEjw1LCgipxTnInlVnDx3HhuFx1MDAxMlx1MDAxYnbjeFx1MDAwYmh/eFx1MDAwMHrZhl6Nd7vefK40LNmXprBFfIp0RESmeIeBelx1MDAxN5xcdTAwMDE/XHUwMDEyknGG4rFcYvnj0DYusd08tbLOgatcdTAwMDf9XHUwMDA3k/50u1x1MDAxZWe799pcdTAwMTXwQFx1MDAxOWhcdTAwMTKMmeZLe1x1MDAwMSxaJVJMXHUwMDA2MuBcZlgmM4F4mG5cdTAwMWI0rseZ0XDYRUxcdTAwMWSOulx1MDAxN+P7XHUwMDAzTSOaRu1x3m48kFx1MDAwMujV8m8g3t17+eNLvOmq5C3++rJAXCJ9ufv7f/6x9uydzVxiwX9cdTAwMGawsbjfVjxno09jzebIXHUwMDA07sZgnrUzUftcIpNcdTAwMWJcdTAwMDblulx1MDAxOLGzSdNcck5O641XXmr0+jqSOVx1MDAwYlwiXHUwMDA3o44lp87dy9HBaKe00ODfSVx1MDAxMLNlXHUwMDA348N8XHUwMDFhw2g/XG77lE9ja46dfVx1MDAxZk92j49+lLqdXHUwMDFkpXv61zt7JDzsjWf5w2/C3pwpd9BcdTAwMTmMw1xm+1M8krNcYkNSoFx1MDAxYVXUtFLbpjFcdTAwMTF3RjVcdTAwMWGgoiR8aVx1MDAwMTV2wft4JI9sIeOcYUyrZ3gkXHUwMDE13f1Wm4wnreF8dlCY/eKNXHUwMDFmh6+7J9JbXHUwMDAw1aqUXHUwMDEwQlO1tLxfpOJMsLJBhd2E1N/fXHUwMDEyXHQ8kmc4I1x1MDAxYXzFp7KK71x1MDAwNdXP44xk2zfN0ex9vZD7z3xb98NcdTAwMDSPVFx1MDAwMVx1MDAwMJNcdTAwMDJE24Vz/lx1MDAxNGJcdTAwMWZPXHUwMDA1PVx1MDAwM7H3LdhbXCJcdTAwMTbUUkpcdTAwMDTSXHUwMDA2Vlx1MDAwYifcarhcdTAwMTCofFxu/HQsK8ON//hmwIoz11bq5YCVKlx1MDAwMC+I4+pcdTAwMDZhrXOLUb+DLktp0CnWXHUwMDE4Z7mGP+TDXHUwMDA1XHUwMDBm1mhjhX2TPWVe7lVwx8G7U8tbXHUwMDE0fqBXwVK4uEvCQIFXwUFLijUuhVx1MDAwNC5cdTAwMWKA+21cZlx1MDAxOFVpbfCg8ysuxWo//jBav1H06PJcdTAwMDdC90xav3H1SLA58uFcdTAwMTjuv1x1MDAxOVx1MDAwNNtvIFDOnOf17rdiJmxcXJyWXHUwMDBmXHUwMDBlv5e67pPvN8qBnqWwrlxcg1x1MDAxOIKTu0Az5Vx1MDAxYi0wftowxGqLfOLtNFx1MDAwZlx1MDAwN1x1MDAxZKe33zJEcGBxTNjX2LnqRUxcdTAwMDDUXHS0XHUwMDE11Mlirt6HXHR86eK6kKh9Of5cdTAwMDIjenbWjb6cXY2GX6KP2IXumU16W1x1MDAxZWGDjS66tMB6MSizNZZcdTAwMWYvLP6cRbSYdZRcbvQn0Fx055xdpVx1MDAxMWBAUoFcdTAwMDMlKlxmKFMn347385TTxoA2wa1OQVmvcdYl0yltXHUwMDE4tIdcdTAwMGJMjKhcdTAwMDc0gqZcdTAwMGLXTn4uXHUwMDFh8S7BycdXRnxZXHJcdTAwMDJqKVx1MDAxNG4q61xmSDnjbuk0zyOESUlcdTAwMDHkRzCwniBcdTAwMTjKPs4jNrWqfbJ/fVx1MDAxMVaO8lrvTHaap4P6WbQxNMk0mHHQklx1MDAwMbQqUEbwh83iKVx1MDAxMEUhcd2IlIFxXHUwMDBmWvVcdTAwMDJcdTAwMGWzhqfcYzIr178uh9ko9/TrQ5F/Jol58Tpxy3Df3OBcdTAwMTlcdTAwMWJznp9cdTAwMGbNaU9cdTAwMWXmfl1cdTAwMWTu//qlLGveXHUwMDFjvm7Y4212WdFcdTAwMDZcdTAwMTikxuWwdjXqsSNcdTAwMDRLYVx0tVx1MDAwMz9cdTAwMGIhzDdcdTAwMTZTf9BCccellCwwf9YmK9ncdf1bL3OUrpfyhZtoXFzfPXeNf6dNVlx1MDAxZcGdY1x1MDAwZVx1MDAxYzdjtlx1MDAwZjeuXHUwMDFmzU+OO9xkhWlcdTAwMTdcYnDdtFx1MDAxM/dgh0vi3lx1MDAwN3bPX3+Or1DguID1g5yIz7x+9XfXnz9hQt57XetGt4E/tomgXHUwMDAyn1x1MDAxOFj1M/Yne1xcpX1Ov1x1MDAwMVxmXHUwMDBmeFx1MDAwNi5cdTAwMDBcblx01mp5yZXfOFx1MDAxNFxyp+FcdTAwMWOtKphV94ZcdTAwMGJcdTAwMWYkqFx1MDAxMq1cdTAwMDIpsKJcdTAwMThcYtRcdTAwMDKyS1x1MDAwMUhhXHUwMDE5gzNcZi6/XHJcdTAwMDKh1uwroVx1MDAwNWiaXHKVTX9t1+HxLdXvk3TwXHUwMDE3XHUwMDE0N1x1MDAxMmPLTi6Zslx1MDAwNUmXKSaBpOM4M1x1MDAwM+TkZa7D4zsufVmOi1xuhoFRXHUwMDExMOCrXCJcdTAwMDBS9KBNXFykOMhcdTAwMDbaXHUwMDEy2jtQPPRn/jjPYaPg0/VcdTAwMGZF/pmuw8ayXHUwMDA2Ldz9o7fKTzvnhHrGcovoV/W0fVrIdVx1MDAwZXfyO8BkJj+D7uvunvPq4U9cdTAwMTjNXHUwMDE0rq/WgmvQ9feKN2G8U87CZGBmhrFH1lu8SlGDXHUwMDE0WNuy+LdUc7eIm2w+Z/FcdTAwMTKZXHUwMDAwe1x1MDAxMjyVSu1HR43r42Zo2P5wwKuTq++7s8pcdTAwMDekUp+zXHTpMnyfrkuIWrqhOYs4a7ZVk8t2q1x1MDAxMVx1MDAwNfLsTERGtlxm8ETXalnN9ZJcdTAwMWP+fl3CRqhcdTAwMDVic65cdTAwMDFcdTAwMDZDm2e8XHTgtHtzwC+uRq3hJFcsXHUwMDE081x1MDAwN3HTxp++LFx1MDAwMfg5Y0wway1cdTAwMTOriytcdTAwMTXWXHUwMDE2cVx1MDAwYm5cdTAwMDTu11xi9vtt31x1MDAwNCB5yljAvFZSSVxyrvo6qG0+55ZnsFx1MDAwMLdcdTAwMDBQ+qlcdTAwMDKjRmt6XHUwMDE4nfys7VROWPA9fZG29ai5bP7++lhk6lxmX1x1MDAxMcdaZ2fmrFx1MDAwNVx1MDAwMi9cIqngII9aZ/Is4i3ZZlHbmXepXHUwMDEx0nKj1ePOciu04dvbPfatdJ7fuTrVvbk06XqmVylcdTAwMWZ/9lx1MDAwNUrMWCBcdTAwMTXglGOaXHUwMDEzXGbg6pbEXHUwMDFh3/HnJNXkYFx1MDAxNOvtVi1cdTAwMTidMlx1MDAxY1x1MDAxZYLVSFx1MDAwZiG4xmW3XHUwMDFjTlx1MDAxNtyt5/Z/XHUwMDExRP2GZ/+++b/7z3xbT124jbBcdTAwMDV/T2B0aftkPb9q/TpcdTAwMWT+XG6KP3O5bq90VctVjl6UrH/POiHmXHUwMDA0bvtkuTHgsnF1r7JcdTAwMGbf2KZccr4mlUl01zbC9oxcdTAwMDVcdTAwMTFjL4ctT0lcZlx1MDAwNOCuddYpztZcdTAwMTRcbokgSFx02jVCXHUwMDAzdWYr71x1MDAxZUjKc6GdwvLX2P3x1Vx1MDAwYoWAXHUwMDFjstdw0+/X1PxFqnU2zj/9+nDqXHUwMDE3N9zKbm9WXHUwMDAxakmo76tcdTAwMDBuXHUwMDE4Lp9fYOJJXHUwMDE18GjN9SdVXHUwMDAxnLtcdTAwMTSMPLNcdTAwMDJcdTAwMTSA42xVXHUwMDA1XHUwMDE4IVLgtjrBXHUwMDA1kFx1MDAxY+M270D3u1x1MDAxNTvAjpVRXHUwMDFjrLelXCK1dVx1MDAxNFo4k8JdKy2oJNzf6IFcbrBcdTAwMDFKXHUwMDBm27Dq+INrXHUwMDA1XHUwMDAz+WI+vJ1cbtiYaH90dciXRbSMp5hcdTAwMTbKwqRLXHUwMDE4Y1x1MDAxMImlc5JYmVx1MDAwNoughFx1MDAwMTZcIjRT9lWS7Fx1MDAxZql6NotcdTAwMWT+eyBwz1Q8m1x1MDAxY4bldXhcdTAwMGZKi7hcdTAwMDbP1iyoyZP7lJ38tOPeJJ++zOVcdTAwMGb33ayjOrXoc/tcdTAwMGKOw7hcdTAwMDcmXHUwMDAwd1gwKdxqnExwlULUWPCUXHUwMDE1kHOxubTod4mHMDyFL+jb0l3QXHUwMDAx7lx1MDAwMP4qRUS/USWIy1x1MDAwMd/NXHJISvKiQVx1MDAxN9p2V483XHUwMDFlfWiB4Fx1MDAxNq15W9fhXHUwMDExXHUwMDAwY0k4W651f1xuv4+/l+nT0lx1MDAwNo7vSdDMclx1MDAwNrQsWHX4XHUwMDE1YykmXHUwMDFjw53ErF1+a+lrXHUwMDAzWCuZslx1MDAwMpcxcCY0l2s8XHUwMDA3fI+hXHUwMDAy1OKroTBIq1x1MDAxZizsXHUwMDAzLWSlwjdcdTAwMTJ9Qt4gJVx1MDAwZtiyWL9cdTAwMWJvePxcdTAwMDV2X1aybMrhS05x11xubtak/UBYeCBBYDhmP7TWfzpv2NkoePTrQ5l7JeZcdTAwMDCka5PiwddTXHUwMDE4bZ+zwuD0/EcgZ7Vvolx1MDAxZv0s6PqsXHUwMDFknYv856ZcdTAwMGVcdTAwMDGz6K9cdTAwMDRKuVx1MDAwMNOJq9TBWpOS+L57dGjcyl66XHUwMDFmy1x1MDAxY1x1MDAwNHNcXFx1MDAwNSBcdTAwMGJcdTAwMWa1t72nXHUwMDBlglx1MDAwN4sh+Vx1MDAwZnV4O+qwMW0nXHUwMDFm2aPYSHwxkXvGa4W5dmdX0/Zl+/Dqm6rs6ur3TqP7uVx1MDAwMcyNpZd4Slx0Wlx1MDAxMyOL91x1MDAwYmuZSlx1MDAwNY6BV1x1MDAxNuCGZlwi2Mj+33M7M1AqXHUwMDBly57Xondh7ibVQWb8y7F847A8Pa43MtPvN/Vlk3k0XHUwMDFkd4aXP0psnJme1XLd01+9jFk+IexFl7NcdTAwMWa20epcdTAwMTVzXHUwMDA3R6Wfh1M+P/9TXHUwMDEyXHJ/3oZjfPNiYYcvwJXPKdZcdTAwMGJcdTAwMGZlbS/crc/UbnZ8MJlcdTAwMWPPjuajz45GXHUwMDAx9pRcdTAwMDFHUUpTyd4qXHUwMDFhuWUpLI7implArZSTv/6OYzoljDSWXHUwMDA3WybvnNSYl3gyX/5HY+q391x0fV8zu/7Jb/4qXHUwMDE5pTZcdTAwMDbyQZycdrjeeWsgd8+i4HJcXFPB0c4w2599r1x1MDAwN6Ve+r2A/NJXXmiZXG6MU0xcdTAwMDTAMVx1MDAwMn7frEqeYkpaXHUwMDExcHBcdTAwMTPYW5bdioClwNtcdTAwMTNcZvf210atXHUwMDAxM2h5UCtWmkBbXHSW4GE2j+NcdTAwMWLGsUzxqcz864H7RctcXF5cdTAwMTPzL2OUanP1SVx1MDAwMK6QMuJcdTAwMTlcdTAwMWLU6GJ8dnh+3odZaFx1MDAxY8zmmUlhnM588kowxVx1MDAxZG6KXHUwMDE5XHUwMDAwP5PKasFWbZhyOlx1MDAwNXRDyVx1MDAwMHfhXHUwMDBm3Oa31r8joYSZwVx1MDAxNykticeGupOri+txN51cdTAwMWblmLkwY/tzr2qHf4rp2opcdTAwMGW6ljjDlym7RtBwrNVqN1vmXGYmqanhSGBcdTAwMWJt3TqT8ux9KrmW31x1MDAxNPRw71x1MDAxOFx1MDAwYi6JXHUwMDEz25dV7k+buXJwflhcdTAwMWHOv513Tn5ccuS+fN03kr0+mKTVKbRcdTAwMGVcXMHsP3xphXDknFx1MDAwMe9cbnCTyzd8wzU3KeOc2JZcZlx1MDAwNrg11Vx1MDAxNlxc8L1cdTAwMDB198Q161x1MDAxNHfmUfFn+pT/yGWySk11pV/JL6qeVlx1MDAwNPWF61x1MDAxNN+PaVx1MDAxZV61b7rt6Zfq0cH7XHUwMDEyzbVcdTAwMGZ+26yP2ry6gZvAcm202T7v87hcdTAwMTR8zryPZjzlhMNqXHUwMDExq5Vl9+s8ZUpJKYRcdTAwMDJq57TZnPbBsthIvFxcO4CzintYIeRcdTAwMDVcdTAwMDM3fd3KLp6it6Ba7sDHNYrbpW12b1x1MDAxN2xqoTW3XHUwMDFiqj8/Nu/D+fKrpl9/ZdfjxunLcnZcdTAwMDecf81cXGCCXHUwMDAws1F6zdZScFx1MDAwZS6zXHUwMDAyhqVcdTAwMDLcKfBB1/8ytWqbJVx1MDAwZv89lLnF/bZcIiaPlaptzPxcYlx1MDAxY3miv1srn2x7/N1cdTAwMGWbOzu1aLc+2alcdTAwMDaZ0ZX45MqHM4ubeoHzKixwXHUwMDBmXHUwMDEx3OP5TKasXHUwMDExXGZ3vzOAnkdcdTAwMWPc39Q+oPlSXHUwMDBlMMqMMTpYXtO2SDpLfLWOwnd1XHUwMDE48GTdmtVcdTAwMWVcdTAwMTKkQ1utP6XyXHSE+5hitWcknaUzwEMx71xmtEcvmPtCLeEmYIZcdTAwMDWKXHUwMDFiXHUwMDA3xpvxXHUwMDA3g/KHKZ+djZJHvz5cdTAwMTS6Z2qfjVlnvjFKjq+3c5ptr3nO5iXVn0f5q5PTtrrozLtcdTAwMDe1dO9zXHUwMDA3yYHJpFx1MDAxOLpcIrjhY2DN6oJ2wVxcXG43XHUwMDFlUlx1MDAxYSRM2eBcclx1MDAxNY/QNlx1MDAxNcBkbLshhaJ9+1x1MDAxNf+oXHIpKOmMryR60SaZv+uPfHjKedu2vOUr8MxcdTAwMTKJfLhMVCCL19v7LHG28a1cdTAwMTVepc/DwlBMKia3Y1x1MDAwZj95rak2Llx1MDAwNXzAQUdxdf+qw1x1MDAwMtBlzOJqWSm0e+Q9XHUwMDFj71x1MDAwYlxcYzWjVTlcdTAwMWaKWyv5+1x1MDAxNYv8u+J2c6HIUi3jg0Wl2lrck+xcdTAwMTnvz22fy5vJd17YmYv8j3y5dnLFPv27K1x1MDAwM5YyTjqwX1x1MDAxYfcgWN1/ckfKXHUwMDE08Fx1MDAwZW1VXHUwMDAwnimWi2xC7zuG9Vx1MDAxZNB5o91cdTAwMDbgLvhpc193jsq6t1x1MDAxYt9cZm7Ci/KBUbXeMsu9PN7bb7R+jlx1MDAxOFx1MDAxN2eTUXNcdTAwMThcbibKyydk0pfGynP282TKfuVHKrwuqO5fKjHwqepEXHUwMDA034xGLmRcdTAwMDDEkG2fXHUwMDE4YMNRa/L9ui2Cg/26YSdnQ5F+Ucn3e6JRslx1MDAxNL5q04BcdTAwMTeunXariVx1MDAwMZ5iQiirnGBcdTAwMWF3N5GfqU5EY8RA8ye3MPmjMfWfOpGt6kTsRk82XHUwMDAwXHUwMDE0S/ucnVx1MDAxYVx1MDAxZd/B9rOWiVx1MDAxOKDDkjFcdTAwMDdsXHUwMDE0w1wiq0ZVu5TRXHUwMDA2X/FllNFWXHUwMDA3m1d8fo4yXHUwMDExzVx1MDAwMuNMsMHFfVx1MDAwYmy/4m6o2+xccr5cItvvkFx1MDAwZXyReXxkr3R0JFx1MDAwMqbd9lx1MDAxMaKjq4qoNUv6TGd/XHUwMDE0mo3+XptcdTAwMWR8/+TWUUidUiCkjDN8JfVSkYD3M1VcbtdWXHUwMDAzsDhYyOUt+z76zVx1MDAwN1ZpgJ+wr1x1MDAxMIX+jXVcdGY5WfifXHUwMDE3XHUwMDFmvMeLXHUwMDBmNteTLVx1MDAxMdn7a1x1MDAxYjXoW9Api+c9ucLoWOr2z/Jsp381KZy3v5v6eG4+OZaltCngXHTSXHUwMDE4w0RcdTAwMTDc34JcdTAwMTgrU1x1MDAwMo17a2uDr/K0XHUwMDFiw0bv6Hji4lwi45RZWl2y3lx1MDAwZfK41/5lWLP2PTZcdTAwMWTLLnaa0/7K3mHTczs+/jb9zkvdU1HYq+9UuvGKa1ooXpzXXHUwMDA2plx1MDAxNtaLubxcdTAwMWSNOuo4br1cdTAwMWZL5lx1MDAwMVxmvMO3XHUwMDE4/Zt4no+8gFx1MDAxMEiaxWWG229cdTAwMTbQOcm3roon+e+ucPazZFx1MDAwZq7y7WL1k+NRXHUwMDA0XHUwMDAwOGuBXHUwMDA0Osms1PcoayBS4N7ha4U0uIX2XHJ3XHUwMDE3e7bnKThKa7D88oD1qPyjMfVcdTAwMWbPc1x1MDAxYs9Tq81cdTAwMGL/OHeGXiaxNY7rXHUwMDFkvv8rPFBq3P2R39nLzkvR0fkndz1cdTAwMDVcdTAwMTcpXGaUSVx1MDAwNTRZXHUwMDE5u1o8tsNcdTAwMTXu52mouMaCX/h2b0V/pVx1MDAwNVxu1oGDtfy2ybfG9msuUHhcdTAwMTHkvfT/LWn218bl5THY0/Zd02BcdTAwMDS6rURcdTAwMTUsbvNcdTAwMTWTKbuPz9Hfkj6QXHUwMDE1XvT1KzBcdTAwMTVmTdSEkWaBamvXtqolmoqfXHUwMDA1imvXitqtNmu1Wkuj83XYXHUwMDFktivLLPe/rm86f59ccpc2j/Yg2vrmd9fBXHUwMDAwNrDg9J/+z3+u3P7/oqYw6lx1MDAxZod7RXE631XN2mxcdTAwMTLFrNvYO2JRdnRzIFuyNdcynOubaFx1MDAxON2EvfQ0zLi4NYy6hb3W5ene0ejwuKDC7O60nSl0XHUwMDFh+ZPLU3HOlo+1hoNBi+3ftLOsXHUwMDFiZtLjsJKeXHUwMDE0s+VOMS7MXHUwMDBmelx1MDAxZFbspmXYK0xK2bIo9FRcdTAwMTDlv7FGZrd/eLxfXGbjqjro9Vx1MDAxNZwzXHUwMDBiM2paXHUwMDFj5uB8XHUwMDA151c7xWx9XHUwMDEyxuV5IZvuhFm8bzQpVdKikC1PipVwVsn2xUEviunaOIfnzuqVMlx1MDAxZZtcdTAwMTeP03ifuJgtdKBN0CdcdTAwMDbH1LyUScfhsWJhfH59UKlPXHUwMDBmetCPbnpehPaFvZNzfCa0m8Mz4D4hg9+m8Pypv1e5XHUwMDAz7aVn+9/XPCdbmFx1MDAxNHtVaGNcYp9cdTAwMWTVzOZE6VjNsD9hL0fP29jGbFxix6vQvvSsOPdtXGZ70VxmrpmVjtkkzNbnT1/L/LXZ0+uwUtdcdTAwMDe9tFxi52yOc1x1MDAwMmNcdTAwMTRvvr5cdTAwMGb3XHUwMDBmx2FcZp+9nK5k61x1MDAxY8YpLkD7Q5yPyunGsTmoXHUwMDE0OI3jMUvGtlx1MDAxNYZxXHUwMDA32l1n4Vx1MDAxY/qSUbxUe2ReezRm8qCC81o0he7usFGbXYOM9cK4IOqiylx1MDAwYt3g74d7u+etfKdzXG5yVqmEgp6V7XRKXHUwMDE1aHOclvU5XHUwMDAzWUpL6D/0J1x1MDAwN/JcdTAwMDL361x1MDAxNWAuXCLoUyRcdTAwMGUqOVx1MDAwNm3Cvs+gLfg5LWRgbuJcdTAwMGX0vVx1MDAwMNdcdTAwMTYkXFxcdTAwMWZcdTAwMWb0yjDfON45mGeQq15hjPct0Nx29MEx3H+O50XQ75yGccBPiXJcYuNcdTAwMDL9gvZUQlXAsa2EKLPS3yfs0Dz0UIZR3urwvVx1MDAwM/es0+/QVlx1MDAxONvC7Tzi91x1MDAwZYy9hrFcdTAwMTnDJ+At7IBcZotiXHUwMDFjjWFMJbRcdTAwMWbaW1x1MDAxNeFwOsb5KGbScG1OlfK5WYnmO8T7asBVXHUwMDFjxtFcdTAwMDJcdTAwMDddnKNOp4h46+33XHUwMDBlKiHcpy/heoXjXHUwMDAz8lwi4Vx1MDAxYVGcp1x1MDAwMS9qXHUwMDA2uFx1MDAxZJcqKPd16FtcdTAwMTXGsKqL+dy8mK1CP7HtXHUwMDA1XHUwMDA27ZpcdTAwMTV7yTOO2Z084Fx1MDAxOMG8gFx1MDAxZajPQpS3SjhGXHUwMDFj4lx1MDAxY0BbOcg1PlOVMlxm9Vx1MDAwM1x1MDAwM0zCc8qcZCFcdTAwMGLjWsnBtVWcXHUwMDBm1Fx1MDAwZqyUrcO89kFcdTAwMGVzXHUwMDFhfoN2d+C++JxwWqTnwblcdTAwMTl8fl3DPVx1MDAwNepcdTAwMWZoh/bzTvdcdTAwMDAs9GG8OprGOK6D3OFcXFTncD9oQ1x1MDAxYdpcdTAwMTDid1x1MDAxY3NeqpTHIchTkfpQZvAp8N54XHUwMDBlYFx1MDAwMc5FTOdcdTAwMTRcdTAwMWOP6VlzXHUwMDA241PWJD9cdTAwMTVcdTAwMTgrmN9cdTAwMTKMj59fvHdcdTAwMGVxwYteZuBcdTAwMTPbmkZcdTAwMWSGmJr5PpTnMFx1MDAxN/A3zn2nXHUwMDAzz4d2hKg/aFx1MDAwZVBcdTAwMTZB9qdF0Icg4zBcdTAwMDY5XHUwMDE4c+pcdTAwMTc+XHUwMDEz51KgfJSyOZSfXHUwMDE5zFNcdTAwMDd+h+8h3mtcbnpcdTAwMDCPM5RcdDjPz1x1MDAxYvZcdTAwMTG/z+GZcYjHRbGC8lx1MDAwYmNTQbmEZ2X70Fx1MDAwZpDXuFxmc17F+Vx1MDAwMXnIQfv7unSchjHuoMzPcM79cZSBNLS3gDZcdTAwMDA+Q1xy/UJZiOF8QTIxx+/9uESyV45L+SliXHUwMDE0xlx1MDAxM8ZcbsdVgE7qVfHZoItQTiPoXHUwMDFii0mXZKNOXHRtXHUwMDAxYr3XR/lBfYU6SCf6PWk7jFx1MDAxYugjkENcdTAwMWN7XHUwMDE4V3xmWvmx7mg/XHUwMDE3oYDvXCKxXHUwMDA3wuOJIb7m/nx4dsX3XHUwMDE1+lx1MDAxMGOfQG5cdTAwMDTp5lxmtjVEOYRPXHUwMDE4n1xmynRcdTAwMWZkXHUwMDAxx9brIcDunHRcdTAwMDDqylxufaKenaPsXHUwMDE18ZpejmRcbu1cdTAwMWJcXFx1MDAwYnZcdTAwMTAxnUObXHUwMDA181x1MDAwNVx1MDAxOMX57uFcdTAwMWNAXHUwMDFiXHUwMDEwa1x1MDAxNVx1MDAxY5OyOridd7Bcclx1MDAwN6RLSGdMS6jL8bkgXHUwMDBm8FxckNG0x1x1MDAxMGIwXHUwMDA2eUBbXG5jlYxNjPNcdTAwMGKyr/y5XHUwMDA11G94Llx1MDAwN3kjXHUwMDFkVcrSnE793GBbQtSJM5JcdTAwMWbAXGL9Pb/FXHUwMDE22dhpqdLBv+cog6hDUG5cdTAwMTO9kMhcdTAwMTLqxFx1MDAxY1x1MDAxYy9cYj/GYJdAXHUwMDBm0DPnKK+od1x1MDAxMVM4P6BXaP5CL4NwXHLhNKY2x36sPJZg/lx1MDAxMO+gj1x0S9h/iZhccml+USeivaqOob1cdTAwMWPtNOhhbFx1MDAwMy96mdRFkknsP8nk1MtuX5RqU7pcdTAwMWX1XGL8XHUwMDBlOjCcXHUwMDE1vZ5E/cdcdTAwMTBfRcJFXHUwMDBl2+jl/lx1MDAxOOQsk3CHXG7J2SxcdTAwMTRT1C2AL8BcdTAwMWLNx0lcdTAwMGbuz0uEjbJM5Fx1MDAxM+6N53dIXHUwMDE3wHVcdTAwMWTQxXOvhzqIXHUwMDE3iTJ7XHUwMDAw81ick66Y4fiEOFx1MDAwN6jre6if+rfyhXxcdTAwMDXGXHUwMDFj7ot6PJvguVx1MDAwMv0jOSjjXFzMbvUwtEvT3CC/QlmNc2SvQE7GMK+K5GeOXHUwMDE4i1A3ymKlj22bXHUwMDE2UeZQXsnuRTg38Jw68Vx0uFx1MDAxZWQnQmxJmu8u2VlNbVx1MDAwN1vs5YNs6Twkm1x1MDAxM42pv3S/+tjPXHUwMDA3/E1zReNcdTAwMTN7OVxu5yTbXHUwMDE5/DvtbbOXtTnyXHUwMDEzb6tJjrFtoFx1MDAwYkPUhThcdTAwMWZ+XHUwMDBlvG5UYKepLyHNNehXwnLEvCxEwIFcdTAwMTDTXHUwMDFk1Fx1MDAxZCzhYzjWwD9IVlH/a5Rf1IvAR1x1MDAxMOPwvVx1MDAwZudBu+F5yCGg7chDvC3IVtF+oS6l62ksUSeTXGaGKOsxtqOJ8lx1MDAxOaOeOFx1MDAwNS6E+iFM5Fx1MDAxZDjrnOyAXHUwMDBlUX+T3SwgnqelZI5Ql4fZ1jngXHUwMDE324Y4UPBcdTAwMWLwI8/bXHUwMDEyvcpIhir1uI7nz9Nkn7zerlx1MDAwM8fC/oJcZtJ8IcZQJuuJTkS7jGNX7ZBNJzktoC2DOS5cdTAwMDPvxWuJz8bE8alvKIvII8FcdTAwMDaBflx1MDAwMnue6Fx1MDAxNZxP6FOGbC7OXHQjfND3xI5cdTAwMDFnKSHeujRcdTAwMDfcj1x1MDAwM+JcdTAwMTPOjVx1MDAwYlx1MDAxZNI5Wfqck1x1MDAwZYH5XHLv5rdAOqVIbVx1MDAwMZ1/jNhGXHUwMDFiQHKlSS5oPjrSy2phjnomhL57/uj1czFcdTAwMWIp5HclwIjnJjifJOOApVtcdTAwMTlHXGb5+YWxUVx1MDAxZUNcdTAwMDXiXHUwMDE5IOcz4lx1MDAxOajnSd+HdFx1MDAxYzA5pr5cdTAwMTJ3ySFnl8RcdTAwMTOO8bODtlxi5UigXHUwMDFjw1hzlFx1MDAxN1x1MDAxYVx1MDAwYpQr5Hoov4DtUpae5/XVMfB+1Fx1MDAwN13UV7dcdTAwMWMl0og3b1x1MDAxYqtyYZNIpzLAXHUwMDBi9/q8XHUwMDFlez1cdTAwMTeBrUYsXHUwMDE0vC5BXHUwMDFijM/xflx1MDAxOPS3zFEnoVxml7J98PmQ3/ahXHLEU1x1MDAxMIOk/+BcdTAwMTnYTuH9XHUwMDExlFx1MDAxM+Bf0DawXHUwMDExKDuAd1x1MDAxY5tOJ+HlXr+SPiyMSVx1MDAxNjzu5lx012Oeq+ZQX8WJ7OA4TUskg7k54q6I894jLoP2XGZ1XHTpPX+vsvbnRtB2utfcyyl9R2yTz1Yku+tli/hWXHUwMDBmbWVcdTAwMDF1JMo/6oeY5tzrXHUwMDEwxJOkfs+xT/id/Dfl7SF+r1x1MDAwYtLtZMPraM+l1ydo51x1MDAwYl6+vSyrXCL5XHUwMDA3UYJRPz63ttjzTtTX1IdEj8NcdTAwMThcdTAwMTAvRd6JXFwlisOFzVx1MDAxZic2n3gu9Fxy53pOfJo4IdraiHww4r7elqI+XHUwMDA1XHUwMDBlXG78XHUwMDFmeUaMtjpCXHUwMDFiNKMxhe+h9229XGb2XHUwMDEybpON8Fx1MDAxOYpsaVx1MDAwNmVcYrlcdTAwMTD5XHUwMDFkxFx1MDAwZrw8hJ5X98imoD5Fvlxieoc4XHUwMDE0S2w12jTPxfJTlHuNtlx1MDAwMLlsWDnv+etcdTAwMGLkP4Isc+9ToXyW8V6JX5BG3S3QliCfKJLu74/RPsJcXDLvXHUwMDEzdsZFiilAW4BjXHUwMDE1aVx1MDAxY+skZ15WqzOPhVAmXFxPeiz1XHUwMDAxk8TjUVx1MDAwZVx1MDAxOeHV21+yLWGPeF+MeIFj3NvQ6ti3JYeyXHUwMDA1tjOHbWKJTke9jzxagvzOsZ/4XFyKW+D5xLVcbmQnUF+hfvfYRO5FemxG+mGOslx1MDAwNrq1Up7D/ImS14Vzz59cIpT7OLFhc/LliEugTOJcdTAwMWNUkVx1MDAwZuPcxV6GXG7Mn4/nMWxcdTAwMTPHMfe8XHUwMDE0/NAuzmXZ+9pxXHUwMDFmx1xynot8PEf8MuFcdTAwMGYxylFcdHVM3J+Rv1x1MDAxNVeJe8KcxIm/1VnytzT5xnOU21x1MDAwZT1cdTAwMDPGqUOcv0KyKDwvTSd6mfQzcViMXHUwMDE3wDNj8sczaW+jkbckPqPngqRPiUd5n73Ofbv73oZcdTAwMTB/70jvf6FcdTAwMWZx6/uivq5r8CNikkGQL9RhwDPhWSibwCkphkE4mPv4XHUwMDA0zFx1MDAwN+nWqjhIOFx1MDAxYeKB4jlzXHUwMDFj77IkXHUwMDFlXHUwMDEz3/q+4TyxXHUwMDBmzPuj4E9cdTAwMTEmXHUwMDEzvzTGOEaZ/Fx1MDAxOeo3clx1MDAwM1x1MDAxOFx1MDAwZppcdTAwMGLkIT30h2hcZlx1MDAxMDeJLkV/k/DHMU5cdTAwMDZ+hPb3qGs/XHUwMDA3KO84N2BcdTAwMDO7xGugL6h3yszbsEhcdTAwMTCP6pFcXKuEy8dcdTAwMWWr5MNcIveaka9biW59eOXbQGPBbv1v0u8/LsdePyC+YY7IroaqSVx1MDAxOFwi3S79XFyj/1x1MDAxMCZy3eqRvlx1MDAwMjuOnFx1MDAwM/1cdTAwMGaan0za6zfyd1xut37K3GOX5lx1MDAxODnV1PPeOskh2qLiPJE1xFx1MDAxMs6x12OJXHUwMDFmhbarj/5cdTAwMTLz/OOoRz5WjFhGXpdGPs2S2FpMelxiY5xdj1xyjKFcdTAwMTUrxXPy/z1nQlx1MDAxZinxRTHmlUNM3z5flLLnplnB+Fx1MDAxZMVcdTAwMDWmdXxOr4Dyi89ATiwoVoNcXMb7+DBvXHUwMDFkmfAwhtgu1kA/Ylx1MDAxY1xy43qJvfW+KflawO1cYtvM66806tlcdTAwMTnhq1f2vj/FVVwiill6fEa8TjyiM010i0J/O4nvzJO4XHUwMDBi8jzZpGfQ2E5DeVlcdTAwMDTdOqd+XHUwMDAzly5RXHUwMDFjdP9cdTAwMWFtJ84x8ONZ4kP5a3B+hyHpUG+Xq/g89LNv53HubVxcXHUwMDEyt0NcdTAwMGVXy1F7Skl8XHUwMDAyeEdcdTAwMTJLzKGugPEk3kgxUO83+3hcdTAwMGXI922MXHJtMsalYs/xWVxcRF9cdTAwMDPtPY5dXHUwMDBmbFx1MDAxNNqBSlx1MDAxNPtzqb3a245cIsxVgZdIXHUwMDE3I0aKPfhcdTAwMWJwVfaxPtD30G5GcVx1MDAwMuw/6e4wsdtcdTAwMTifwNgp+ajIQ6ehj0XyYpbicWBcdTAwMGZgjmPiXHSSfNNcbsZUypquwTmOy6RbXHUwMDEz3Cd+OPqUIfVcdTAwMWT9I+JcIj7WXHUwMDA1ur+P9oajnSl5zkE8XHUwMDExr/fzXHUwMDFi+dh7XHUwMDE3/e26n1+KV/RcdMfoXHUwMDFi+vlccmc+7lDv+LhcdTAwMTPiukpcXCvBM6OYIXJ2f/+4gbpcdTAwMWT5/3BKfjLp+Irn1GRcdTAwMTMpJl5IOElhdouVMJO0XHUwMDEz+1lBebyLsXGvT1xuXv7kJYxHNZErxGxVwDjMaFxcSO/1NfG3TOK/U6xkcJ3EXG5cdTAwMTL+XHUwMDFiXHSvw7yMky9OMTqMV1NcdTAwMWPD27dcdTAwMTi5L8pcdTAwMDPmK0hXT/09SVehjlx1MDAwMDtR0NRcdTAwMDbARaL7XHR7XrfgfdH+58jWUL6C/HG0VdHM+1x1MDAxMMij6rd2aoJ6XHUwMDE1Y3JkY1x1MDAxMq5V8j6RXHUwMDBlvS9cdTAwMGWy9c00ca57UVx1MDAxMju6xVNndudcdTAwMGZcdTAwMTEnw1x1MDAxOCTqIPTlXHRXMlx1MDAxOesp9Y3i1tg+sqGM4ntcdTAwMTWy29L77P24KKZcdTAwMTPiWj20PdhXiiN4XHUwMDFlmlx1MDAwZok7XHUwMDAxXHUwMDBllI/LVtHGsZK3eYx8XFzgkcVeXHUwMDFhbVx1MDAxN/Q78r6AmKKdTeK8XHUwMDFk0vWkhytVUUd7XHUwMDA2NpXmh+YzmpKtxDg62bJEx4H8XHUwMDE1Kd5cdTAwMDH8XHUwMDE4/I9SXHUwMDA1fV7sS535vmLMkHxexFx1MDAxYfFsXHUwMDFhu3xIMpPE5uMkr5TgLvJjXHUwMDEwo79cbp81L7dNikFSzE8g10NdVPScXHUwMDE578NJj1Tqt3pcdTAwMTLl3vvimcSGVTDPUFx1MDAxNj5WX0b7wcmH9vF4jrGLXHUwMDEy+Vx1MDAxN+GY7lWbxkXyRcqkk1x1MDAxMHdccorbXHUwMDE3qY/kXHUwMDFi335cdTAwMTJ2XHUwMDExK2S7hMfIqFvYK7J2bTY4PN5npz/O2UFtMDnNn0xa2dG0JI9cdTAwMDbtvfK4XptdnlxuZVwieXRcdTAwMWVdlG0zXHUwMDBm51x1MDAxY/PRaW1w0dgrm+bQzZu1b9e357f29s+bXHUwMDE3xWFT7o9LQ33TXHUwMDFjVm19OLupi+txtLd/cyr3XHUwMDA3kSxeNuGerXzBwrXzhjiZ356LbWhI8HB+7Fx1MDAwZVx1MDAwZWqnN82L8jiSu4O6XHUwMDE4XGZcdTAwMWK14nkrP7hp9i4r9ZqOMVx1MDAxZtRcdTAwMTSaXHUwMDFk/Ghcclx1MDAxYbXWqJVlXeDoUzjea4rZTdRj3UKMOSzMb1x1MDAxNDqnw8F1XHUwMDEzzimI0yH91y10oF/zplx1MDAxOFx1MDAwZjCnlFx1MDAxY1x1MDAxZML1MfTjpiGq45ZcdTAwMTj0W/mOK5D/Weg05ekgXHUwMDFhnl43ZeRcblx1MDAxN6eXkVx1MDAxOHSb+Wq3kPdtPVx1MDAxZH5cdTAwMWI3ajNccmOatDH4+6HPm/59qVx1MDAwMuSqvVxc+SxcdTAwMDOjjV1a0olL/Y/a46tu++bhWctlXHUwMDFk25d/vSTn/PzasvfIOc+Lq/lm+n4v1zwtkF6D/93lXGb3JyArg6W5dYVhkUdcdTAwMTf7g+bFUZbkZUlcdTAwMWVApu6etyxcdTAwMGYk/yCHXHUwMDExPCdcdTAwMWE63lx1MDAxY5ZcdEfw91x1MDAxNeDiulHTg8bQXTZ7S7/ni9f1XHUwMDFmxVx1MDAxONpwWVx1MDAxN25SyFx1MDAwZkA+1biV/1x1MDAwNrJzMvffdXzw4+hcdTAwMWOwMoi6/Kb144judf/cg1x1MDAxYfQxU7jLeS7k965/Pn9cdTAwMGVjXHUwMDAwdpa1wE87zu6ah+NwP2+aXHUwMDAzPV+89jzw5Fx1MDAxYa7XYN9cdTAwMTXpPuBcdTAwMTdwnOJQTeBTXHUwMDA3YCtvv6+/T1x1MDAwZfRhp0O+xHHh5rA3m9Z/XHUwMDFjjVxu+bIr9DHuXHUwMDAw9mU4hTnqd1x1MDAwZuJ7eX/ibvtgM5evn95E8vTisPPf//1cYoao+iV4XG5D/qxVXGadRUpcdTAwMDSGXHUwMDE5rqKmldo2jYm4M6rRYFx1MDAwMZfwpVx1MDAxNVxi44KXYWjbm/9cdTAwMDdDW2LoulUrXp7mq53m3kmvUTtcdTAwMDI7Ubxp/tjlLcJcdTAwMDfhZe1vVGMyPOm1MrtcdTAwMTJ+Y1xy7GdcdTAwMDXvfX5nP0owXHUwMDBl2H/U9e1cbvyO/blcdTAwMDD93yt4Wb1/fS+99nq8jq7H++/tKz9cdTAwMDb3sYKxivNcdTAwMTGcu1x1MDAxNiOlfEdsZz+ccLh25lx02U/OWpH9rd9cdTAwMTP+XHUwMDEy2X/+S8j/irKPOYNcdTAwMDfyXVx1MDAxN9+mcM95U55MTjNL11x1MDAwMd9qXHUwMDBlT341xWCy/HtdzM4jXHUwMDE5wjO9fDdQrruc1Wv716c/XG7++0W4ZCdcdTAwMWPIPN6rev/cMdzrplUrd+9k7rZtIK/A54DfXHUwMDE1XHUwMDEy+Vx1MDAwNN8535lcdTAwMTf3wMfOdabt7oJDJefdl1tcdTAwMWarmKPshlQnQTFrbyvIXHUwMDA3pFx1MDAxOEI2LVx1MDAwYndxUfqNlcBfplx1MDAxYTHK2VSTXFx11duALOZaylRcdTAwMGLkrysr8GXAp+jHXHUwMDA1iiNjXHUwMDFljvxcdTAwMDCM+2CccO7rrFwiXqA8XHUwMDAwjFx1MDAxY/p/WIfg85hJzFx1MDAwZbg5+rBcdTAwMTWsIUB/XHUwMDEx853feiHlbDtcdTAwMWRcdTAwMWZ/Rlx1MDAxZlx1MDAxMWud0lx1MDAxNIctUtxcdTAwMTdzZj5OXHUwMDA2nFuXanjvPsaspvTcbN3n8ny+miWxXHUwMDE0uOcp9lx1MDAxMc/FXHUwMDFj3ZhipsjP6TdcdTAwMWNcdTAwMWK6lvt7dGTD53bAT+iQ7jmQIPex2mxcdTAwMDOVsVx1MDAxNizLXHUwMDEzeuD2rFx1MDAxNT2w9TvKX6JcdTAwMDee/1x1MDAwMvS301x1MDAwM1x1MDAwYjuCdVx1MDAxYtNCXHUwMDFlY8DpTvNcdTAwMDfm2Vx1MDAxNvJdlydz0PWTVlx1MDAwZbCTd2i/RKN2XCLLQ4e6fEpxpUqacpuh11x1MDAxM0s2JX1fx/hz7tU4XHUwMDE2iSvtZkGOMT/IS8ekd2RcdGNcdTAwMDS9eqdIeYvCnPBEOUjy/2e+RuA0XHUwMDA0uUVZRFx1MDAxOVx1MDAxNcCZwjCubvpcdTAwMWWH8X5cYvdDuY/D/pRRvJfut+Y7xU2PsiCDmP9cdTAwMTL+eopTYn1cdTAwMGajPGq23/H3z2HNXHUwMDAxL1G8XHUwMDE4Y6yhXG4ppnNcdTAwMDKIxrq5qsZcXLGPgWFusM7vfN8sxkrqMeBGXHUwMDE0KeeL11dnYT9cXP4ufDwy6izdT/jcJtaKVNVt7Vx1MDAwMeAspvhFNeRF8t3L0J+6pPhNr9BZ6o8oYa6W4jZlXHUwMDFms6/04fq+j4mvjEdu6uOfXHUwMDAzXHUwMDE4XHUwMDBmrKHqUC1MksfAe1Jdkj9W7vg5xb9h/OI+S/Lr9FtcIi+yRDH26PY7h7nKJn/PsV6JcpN316aTe+42gFvPbttcbv/zseh+yKj/lVx1MDAxMGspcOxZ6HVuXFyiXHUwMDFjSzq+vUc5hs84VFx1MDAxNPdcdTAwMDB9WcScZ1x1MDAxNvPa/Vx1MDAxOK7DuCTmU5J+9zXVWVSnS8fqXHUwMDFhZGX26HdsS/ZcYmQzdyeLJcpXlFklu6b9g8uib1OB5LRcdTAwMTjvw7iVZ5RXmuN3zOFhnWTEKGaHcas4ojpcdTAwMDc8VvIxbTzGKK7Rn2qqI/W1LVxuZVx1MDAwN8dcdTAwMTd0/ZxiYCCLJawz6GG8q88pLoy5g2yf6tBAXHUwMDE2dZFi6T6+6mOjp3g95t8wXHUwMDE3zMF+oeyA7PVcdTAwMDXVUFJsk+pcIjCnoCmWRXKCNYeo/1x1MDAwN3A9yjrFmzCWg/Hg2+thvHJ4PdWMwlx1MDAxY9D1Po9cdTAwMGXXU15ccttfpzgoXHUwMDFkS2Lu/liBai9CrEnIYrywL3xssoD31JQ3yYVwT5SFiOLsVOtcYnjx11O+m1MskOSMrr/FIV1cdTAwMDdj46+jXHUwMDFjTye5jnKenHI0Mdqs5efmvG1Prlx1MDAwZqnWtkp1iyDfnaW+YNx+hjWMfnwwPoX37FDstlx1MDAxYy+PXHUwMDBm5oU6XHUwMDE4s/XjSzG86ozmXHUwMDA3dKW/nvLenHJ6lXCWXFyfzFx1MDAwZsXrUcfS/GL+XGaun/t8Pl6P85vz1/fKJK9w/UI+Kmjj61hHXHUwMDAw12NcdTAwMWVcdTAwMDRrgKtcdTAwMTiDi+FcXLi+LJK6RtA9fv4rS/JcdLrJ3z9cdTAwMTdKrFx1MDAxNVx1MDAwZimuinlcdTAwMWTMYYLuwrpVkFmKXHUwMDFmYp1wjHH+aEY1RKTbQp9rxeuxJq9C1+P4Ue1cdTAwMTTNw1x1MDAxY/Rw5VZ/YFxyYkTtKVx1MDAxMeeqzyuAdVx1MDAxZsuukj6A9mHuT3o9Rlx1MDAxYyam9vl7MVx1MDAxY1x1MDAwN9BTM4zlUs1QjDjxtcTLbfP2q4y6SFJcdTAwMWM/xrahfCD/q2NbbmtqXHUwMDAwz5RnxOvjkq+5RezOa322pHPLSe7uKPTturVpOcqXlsHuUO1WXHUwMDE3jlEtXHUwMDBl1vpV5Z1dIfmiulwieP6KXVn6Xlx1MDAxNlQ3VqGxiH28t4wyKr0+uHsuo5rMuMxqXHUwMDBm/TSJ+lxixiQm2YOxw7nHscZcdTAwMWFcdTAwMTjP68JE56Y1jSnVpYbU/yRcdTAwMWafjGmBl0Gv+dw/2n7KtVx1MDAwYspcdTAwMWbGpK84jVx1MDAwYuXtcVxyRaiT+lx1MDAxNubrS2jdXHUwMDAz1rJ4W+bzvGhcdTAwMGJcdTAwMDFzXHUwMDFkrFx1MDAwM+JcdN4kymOJ5Dmnvf3BfFx1MDAwZXKDfuzj57lcdTAwMDTDNKea6suymFx1MDAxM67i86mmXHUwMDE3c1x1MDAwMyWqXHUwMDA3rFx1MDAwMiYwXHUwMDFmTvec+jxcdTAwMDfqo4hyaoiBO1x1MDAxOc5SrY5cbqs4Tph7Q9micVx1MDAwMp1cclx1MDAxOI3LpEOxjivMUr1cbtbo43pcdTAwMDL/XHUwMDFkMLVmXHUwMDBlNNVmXHUwMDFj+2fiOFx1MDAwMG7nlFx1MDAwYqacXHUwMDE05igwr5rWvs6OcI/yXGacXHUwMDA2dVHhtm4taTPhXHUwMDE2ZVNT7L2XXHUwMDEziZ3181CpYl3XjHCNuIkxp0L+h/D5N1x1MDAxY2eaW59cdTAwMTPrXHUwMDE1KI9TquL1XHUwMDFkvFx1MDAxZXM62D7khFx1MDAxZG/rXHUwMDAwx3Q91lx1MDAxYdC6XHUwMDA0qtnHfEeyniWmnFx1MDAxZOZcdTAwMDL9vJJu9vlAXHUwMDFjw+qMcj9cdTAwMTXUzagnOlhLRTpcdTAwMWR8qNt5XHUwMDA1O9RPbEJZlFAuXHUwMDEwb1msXHKk8Vx1MDAxMKhcdTAwMDdKlL8px35cdTAwMGXrlDuBY8i7krFcdTAwMDSZO1x1MDAxOW3nj0hnnLXSPlx1MDAxNZfwZ634I1u/aeMl/sjzX+PxV4xLvHFMrnXdXHUwMDE0+4OH8Th/XHUwMDFjfaG6XHUwMDE4zOtiNoD7KPKRoJ112XdcdTAwMDXkXHUwMDA23d05XHUwMDFky6yNjWGOXHUwMDFha1x1MDAwMqhWlNbroD/mx2fq8+xcdTAwMGZ/wzrMhzE4ijePMI63pUxLpezSetBccjLtz7pbhPivv/3r/1x1MDAwM3HOjYoifQ==<!-- payload-end -->
+  <defs>
+    <style class="style-fonts">@font-face {font-family: "Virgil";src: url("data:application/font-woff;charset=utf-8;base64,d09GMk9UVE8AAO9AAAkAAAABO1AAAO73AAMAAAAAAAAAAAAAAAAAAAAAAAAAAAAADYTJHQZgAIluATYCJAOQWAQGBY9lByBbpzpxQ1QZOitEWvl1ExHg7NqqxsS6RlCwSkciyuhqMfv//89KOsZwUAeGmJXV32EeijNbRUcYuVUTmWNvG5FWRBfkAW4YWVueXU6tq9d0pZufMcACcUzc7AmXTyBwYmw0WojBScItqLq853lRPMu/i21F/1VrveHFeyj+LdHE3AfsFiWacmNotmSIhpJesVGSFIFWJDgsMxNmRIsQQzGF4rvOX33MPtY+LeOF490dgR0G/l0zmGbP8ku9beGBOf2+EcKFm8Md59ESM5GZKYtFok/F14jmMBPlbsKEWTmjIcDMVCgM0RQv1VD4IZddn+x6g2Ff91p6BriTOHYqRgBPP/Z8O3Pn/WXBXUTBKoZoSbZg6N3qwPP/937uvc+bD5huHSziTSgio5mQNpAsr235cGq9P8/r5vc1H/KatrSSHj8fGwzDhavuia24cMyBvutkjYQtKFtwTcS1wVWcODY7KMSFOM69OS/+4fm59f7vRf5FsY0aMXLQQgsGrRwggmTYYCJVEmVBm4V5Z0ThidFYPeyrtRKEoeme3dvtgT6iOeJnlC8MsAKKT0UoFD469oV+l7DD8pn6lvkVc++0kSEfkCM0Vauqh+RnHNszHtYIqREKELpb3S0eAhMvIXmB7+tkb9/wpNO+5fOjmT/aU+6YYwu6wVlib1xrbGxcwNgduqmiNNOESimjUWmogISEAOOOe086XjvNccGlpjQnb8gjOY3Gyr1sLlmavf8vKSIJwtUoBiEBfY1jpaqrq1ET/z2/7f+/4/hmD/yU4cZxDvyseBGJ7/W9rVwMSlAkJUsk6hzqQCsqJVbd9NbifX/4r6pJ4LDfsD5vl0a3Nl1TSqk09SUxpviFT9KCpj3jFmScMz4t9f8VWXkadd4bSR35QqxNH33Ai5BewBI5hQAbQsZFe2nQZ84A787uLKHXduwYMHUawjI9wuP+7R+jZdW/WpL3hdof92mkcoac8YBwj3gJB7CB3aayqzgrsSIikYrAZYK2u3l6AJfgdm+OybOvB8+JTFAi4hU026JOz7fHCxQujUCxVVutY8Wgje+dK4CA+afpvl+9Nyecky85rLBnngvwxHEpBa9ATSI+MxnxjMcbadI6LaWIPXHlOeusTrrDBkAFCAzMc6UTOFEFKTY1Nm4GuAPasdAah4+DcVmNg/pfU5Nao+e7QykouG0KYR4ewkKQVmtP1n91ike6Kvt60/WySWeBpeOKr7QCg0hoKAwgPPOvqrl+UPI78CqVirROp/RhKm2YMy0C6CJQdAHdBNBOBOmKyGuC5AZe6X1LKQUflBN+2M7DB2VHoBs/KOcRvCZQfn6i0lsdM5Ypw5otoyCn0UlftixbMiaTk2XKy5Q1Y17G2zJOB7nKUm0/PkgM7J3K/X5azIxlS8eShkmeIYrIIuvN47j+8Xk5xmbzq/fd0AYlB/aifvZu/3or31eH2eCosZNM23gKUvMyo25K7fx8x2ZRqLM4/xxLbOST4x/7aOuym35y8olHctP4b8V/TX/YCP2p/1mult99+Gj0u488j59Q7/DTaWN4EkPx7itzRBhgghZ7XPAiQJAIcTLMtFCJKku1WqHHWlvsst9xLnKDYR4xwicQZ7tG+knSE5NnLF69LLqrR0X89vtHVudoGtiw59gDkletTr9hov04IcNsWAhCFGnUMYNrWMA6cqigBQoCbHTgQRhxDOMAjuIkzuIyzuAybuEuHmMEbxC773VEWIigqlrWqT4NbHCjmtiM5nd+y1vXlq5ob9d1c/f3eC93qA/7pk6NEihFn0Rmmnk61thin7O8wilOc4krXGeGedbYJEaSKhN6GOUQD/IKz/ACr/IW7/ERn/Il3/ITf/B1//9y0DjoHH5x+M2hIRCCxhEpTKlFmUZcYipGDGMmFmBNbIBtYYfYXewxq9h9hvn6/vr3thQeZ+KUArHScmqorznNakXbKqkpSqIM+SLlVlB9GtJ+HdUZXdZZXdGQ7uuZ3uizfnlBkASHEFk57pwrbnvKU17wunOuGjNrxbYj2+1zj/u92yM+4fO+5gu+7jt+6Od+40+uMZH/QTH0f6P/F2WjGegMdD6aieagxWg5WoU2oG0oH5WhWgfrEB2GI+UoOOqOGcc5+Rat6/9k/8+mUCCeJiIC5sZapHx9QEX2IMLTPuIbQjZoyoY9XgDCc1CSUcEfzRVFJcPJ4YfarTTXnEEp9Fll4bmCyF6huXD0c2NkyBrUclqFDS0fCcldmnBxq5ZzUdjQ0hBhra3noZkdrY2QIXdtwDXbzuJpombNK3hcpdld/aaHaGW4yOQ0Uq2KuSpqqHgkIlXMSxG5hZWvipLO5Yja+dGe2Ec0Xl7hJVeLriry+vKRHMnapHSSWh3Na/r0xosnKF8vBiOnHHm02DmrmKh7JKa/6Kx4A1EGB5L5gPZja3EC36Px8gVmpEMfpVo7eKal3dCDQk3OQWrtEfywxsP7kXKdc+xllnS10CSorh6UNHRFJNThKpI3Uj12NefH5EBdrYWSRruZkfa+i7mL+aR7b+irdu+/Svdr602Xpz3AJtUl38juYpi/pk0HYWKZtRHy//WcNGHEROmgcepGC9vOyzGRY1+qfJxX8Ka4G2gxbNKvLqrqBjSlQRMYHTrDDGsYBjAs71XrIXW0LYetKxhHqGHoNTTSyi1NsvSW9pYPZAY4gkxWtrU0z9vbRMU08fOJQxc+Syy+gtk9G54gA+xj+zrZX5Y0rjZrdBmGy68X/sBnzCF5AdMtKp4mqPbyQez0lZGifaq47Tf7SIZExoiy9kkO2JjFGs8VnQMdK9nMR0/nKEUbGADCEcjocG6DUGjz+CoAhQFwBBIDEwuFxo4bN+++CUBhAAhHIDEwsVBobBxhCwAAwIcDAomBiYVCY+OISUAQBH0SBIEgCIIgCIKgcvQdCMIRSAy0MCC+M6Y5BcVI/gkYkMn8sRZzoj6jjymGesj9+I2a22/ocz8NNPA2C+fgZtOvbe7ZbLKKuW1NchzK6mJ1Pf/1IF9PGNzuWk+fWr5AJLsGbXx6WqXtz7Sw5sK/2TRigdQEnKWCSwHOJDBxwFWcy/MuPpBExwGTydS++B38ygHYhoswSGJKao0cwRU+cxa87AMKDql645JDKYO+5m4QVzcJ3y7stzuYTaZTHAbNHXHpPfKmuHugSHKiUk/ZPC/TXrC0xqt/dsGQ57sgXd3hs/6nDbLRY/DknG/yxVziZVz+ldwy0Iy6cNfv9o1UVPeO7SRI/Eej3M5tWU/0ydP7mv8W+vb7QPcr3ytNdXF9bro22Y7bj7Zf+/5e7C/73n67/xrB1Iy9URj6uDPOjzvj1fgeZsnDRCrKMR3LsR2VaAcbarhhDXcEIhLDcSROx6U4E5fjZgzHoxiJt3PJ9GZwpV151l4c+73B+fGXExniT6JM1AELXkAM6XgMP5YTZEIWvN+8x96yP86/HmkfeR30BDeCq6FruBPGwn1qRw26oBG6Ql8N9qqpBupSDaqaqtbOeqAPtE9H9a6ua4yag2bZtBiT0RqTSZtKYzeKbdmu2Fors26rtyFbtJX2mzudd3CO+7zBVdzBKraziKWsZzf7OcUPuIzfccG8beSYgWdMypiWsTBjeUZ2xraMHRl1GW0ZwgxVhjlDyrAzchn1jJlUWRX48WpiZWxuhR6qmw57kBDolGzsgvY89rhb7XvJzwQfY4+20SX4OtWreKpuSFaXlECpiOVamcv4JA4/x8nKhM2qKCxtMjn4oyulp5+2+DzPxYtYzPSoPf9Yvlvd4vcuYU3142xsRkmAfbwfK6ODt6039/4JpW8VEqlHIZIunBL+6JmzfHyE3o3mF33fTPtyd+kt8NrwT5yY3tXcECqX0RZRjsN416y3bBO8IjDJcPLMjeX3UFc4USotsEQLOQvWwDz+tuofrKKIxg39EBCg4K6oeW4pSCLqm7ih+kAy7/Fydux5Ldh5nZZU05IuqzLvripqXcA6pZ2RPKH/d7Vhy+50yl+yFh/UIyLAjn8fv/fx2Z7SNsWc2qzj/U7z+cFG30qoPh7Z5qC3Ze5YhCSBZYH04b4xhJmKKLbQSuzNojJnYgVKYcrTV4jLFCCbX7QrsD8wOFpEHcVC6m7/T4/rDbOCMYvv9JxgP8P+5bnnhxblt29k79MERhrZfpNruPWEn9zyaWm9D6Yhlysalgwi4BGLoGwXLltLytTuk/Fts6n1vh2+DbWgbnrIDLRawWQ8nikM/EuPyg9/viTjuTpg3B1Y+hDUoC9ieivGQlh0cicgzznLfcQVZ3dVKCuRSmjBAmXfyhNu9pTGGImlCL53o0K42CnEDXXqbCl182f/Bf89gv5vwu2e7vJ4iWYg3CGwkKTThtD0GoseIwAWO58TjMhWCDTwf4n/MWnupK2x/YCzIig48kILRHftWSKYgi+uRo3xYmrCurpHP+wg/v01/53uutoVJiUQVDulJgTOfnkrR0ZI1k1tENAMdR8iv1SLeO3Yf8I/i8/b9WdwvtwVMZlpeDIIzYdmpyAtzZMJSHtCcxcsWTFrteeNzqfiMmfScU8kIho1b78owsx+mq4uQutyR6w+9Yo3PmDBKfNIugWybM4TIVcd0CWURQ0Sc9kHMwiRyovyick6zb2ikU77TH+AKiu2Gf+Ahqq76ShpCk2KlUBjcPCK11f9dj+F7vSs8H0W2JSabHDxn24YNFev43yHqeq6XfE4R3rTOnZgFh8dEP9Q12qAHDk022XQ1pUSyjS/MSNipVuDYUYp0cM2GyEIDULG3HlLVE2Auyq87HOQvZquGjVgYq9KECHaIH0yk/2vr37SWfBV8B39wF8uFIxNfTsoDBvADTTNVVQ7OCrfY6L0G9yaU8aGZUKY7KcewrBtVffi6ub8GXxbdpI97b8hBoFQUgYJ00i0awM2XFgyVBGcFpXLAuR+2yS9JkI/gib26ZWf37eeNzxCOI7hrUwsKtpDVjRC3jQBB+N9CokJWXc0xw4tO43puOVMxB3S5XQnpNSwKH7otNIEjQiM4uWWjq3nF5hOi5K7xSdq3G9gYjUCzpPda9tRcOW32Y1gO7B4VKSrcYl2suSDeHI+STDgD5mdKorFl+SBLm5wuaWCyjmlZRMIsqBi5kErzkGOJ4nBBsasiHSBSPGEh2GWK1XRkbr0idAO/blDD3UvNXmqJJmxpciGbqkJFkRNIUlDf+tr0yuVBmbNePeTRpvLyLH+s3osJPvlgTLqh3bYTHbiV3M6AGRNwjDRIuSterpZLzTWgcuy62rHrJUFzGaxIq+ArjzfVthhOorC0AiCppSU1uIeWScjvuX2saqaGLe8Fh3SttzX2jZ4L/t29aumKWwl4SBuLsVe6wvvnzl7f2Fj60x2nQvYoDXgEEtrWEGMMhekBIg0R6qwt5tu7aJsxFY80wzcmiOQL9SbhS37pegG7yUM0NERxJnuG9BGqdPXDMtrch5+Nbp6qOhNVG7d8BXcqZcV5coyFjc48CSzVlnjgNh2I9tCF1i0cmNaz0tWcdOWmnZQokq6pKW7cjrIj6FvBr7l+gH1AYTeF4etWFaoxef12lP4cFlvw7p8amqeUgDZqPYsC1MlUuNK8Mrdazc29gBZsdmRjPBrIuC6r/YdOIIzHVFYFJYrS6tbwdJCTvZNziE5kR7IqdUadOyGS3ESUHqK7/9NM3cbbyjUVkSsAOtQcaUIuezfbaVYT2V/XL5KOV9TQ9fG3WezS8MLr2cJBkVOfn9tH754Wao4QR+eb7wYvd2+107VAeA12lEZIBOssvLIFFCpkDpjRTY7Ovv0+7XIpQne3FTbfpFkF4sx2A8e2b/y6YM3OW4SCexYtGl0iDncNe3uxpa942A1SXQP5Cf61mjfYINvow1RZVm/4BbL9Xyj+fTag1N1gDdXtRHSP7w5j1qrmZ5xB3ApbsCAIKQ4zRDLkDfbE3FVSPJxnsxGk+P9wytWacTijZsSdBKq2ytb/prJ+O2mCchsWw3g0mDn9m7b4DN2d5seOaA066UNdPbUzuH6nQfXAunVgqo2ekuBJiumUfT9cxcjX6hdfdEzvjRfml7aBmEgqFVDoUAjb8kGGy6WB4uKKOG8vup5eFWweTsT9ItV3gQCp1IF8dX6Ok5ox9gPGraY2+n1iq7ZkiVZ5Dm9YDs7FyRqz+xpVVUolMUgZ/h2DpOmplbsrFN3TFtxNEArmqxBPWcSCxlJGisugPhwyHi/GDsfHF06QQKjxAP8pKgompEleE9YZHz32WddH0hyGDqskcSu9dgEuaqpMCjrBRHiIZeQsMiKnimZr0syQ+0SvxE9AFhxhQTs/AE/sanpzViT/b1wMD7ZvX1rBxCO8WcNLUCqHPuaarv1pOIBIHGalH2hk4EPA4jG3RO5MbMxXOhX7kx99f2ds1Vs7czum7f7DmvB5YZGY71ArWtIxnOaBSRdxAprUkE9EkEqH4Y6kuSWwazEblObCGPKRPDEqNqV1ZqTdw0xlgornRgwgOezRgQpEMGwA4+rQo3NbYvbG1gBuLaPrA9GzVMv9HbRsnav4EhDT3mZOlKNK+/e+Fx1s1pz/M9+UXf4Ja1DUcdd6aYJ8L++VzqQssWypCkghOsGqraGxEuQ2mgxXrGzpnFHzPRhhCT4J3DIYv5KjPnM8J3hYgyJRUFRERCiihSmv6uN1bjpzcsbV/NL2xfqs00vXq6mMiCiD4gbnSqNoxUtBqPV1/g+LIxqtIXWiofbm1thsPl6Tpp+Np3aKwM27ZYdKGpYoyiRVXwlWj4WDsx7Sn4iIWHC0NlwyGTXXr6wn4uzjyhq6JJ29+I1ABL4ss3q49ZkuZsSPlHwQmoZbRecMh/egNGDZJQi3KCtimV30adH2/PUB1KNGxptAPUUU7ajIqzWOquk8wrlY3tfbHumeo8VEOyryY9PbkV+J1BKHY2KWtbXAMeel6CQTZtybf3V627dbiPd71q46Ddo1HO0RRCRHyo+zBQ6YTv23devSKVABnQx4MJ/5Tlb/kCNO2giJf1rDycrANLWTQHC9x/Z272Dh6XbUfmlokgarA96u5NbV5DMzZEIEqnHX51L1IoVK7ndbzlCfP0n1UX1AtgGWfbL81d6m/JpVqBUQQS48gdViQ3PSvZD+VA4KO8s3VKOzdv7/ejA1bbLR/zvRoPib+DjXfcMJQd2I+MnyDoe/DePZDoN1QCCWscaqmlTQKd1AtMAB7bbbXfVsTEmNmOQ5EIvYqiRay296XeXArEJZJYnNeiPqoaL4seQk549GuJ/GTLKLduXFx+/SCHfYgMfIXRFrLHzo25iixS8ZaBbAuc7Cett9j01p1gzBodStOCUNZCCwIubdyN/utMxWO14HRr2m54XGI7nOpR6FsVAzvk0gLiVrFY4QZKKQSnXCC1RAq4xJbwHvP8Nyy0kkV7GC9pOVkK5M6vCwqa0z74TqahlwTSNmZKWbEHNZ6K6hPrG5FaXGRswXApnlnYWSWn6diVOZ79nOvEtn+Ox0RQ6xrJqA1cxLbjQJHiEZXWqYnb54dX2zEoxAQcYyxtX5JSdZTobF3KdImDFfgmUvYKII2bqGld+gzJ1Sapw1KJKJmbE8qJDxZTF08osFb/EMhMWs+mPDlXMCwmssLjEqUIZM9Ut8a2YS5QME1arzFoJ5lck07VmWSrXpid4zLMi0ww0pN7udPnlN1/hvUYAl62L039i1+t4moKRhtpjPKdhhJMXOPL0MpLpz0T2r4vrH581ODlaJd/z5uxALVOmys4gc4g4tnkm0yt9Yk0AMSu0KvP62glaZpuc/2JzG9suZErr5XUgDRhB1PifHrq0pvMFWDgK+c4wj14B5Om3O0g/F3lco3RR/aQgWEeRUE/slB77cjCLjTzqvCmGSrPM1EwiJDTNyALmpLmIgGrQ2pXdTLbk7vLBQQvjmUcktrqu72KCXYVU0+t1lYKg/gArCHwpVrmaQL0yckjHi1APcQhyykKTXX9tS/qqYwCZr16RoNHrtq9ceWLl/S0rn7jmlkW/waImOdjpXOn4bKbQpUscuG9fGb+xzmZMxYR6klAHLRZ/qJA2mjDlf+3hX0OMsUSsPQVhOPHsYmjyqGpQD4YJCCSMPCQv2q5IGDmI31OLvrQ01dvWVIanBA+Njw15M/XUSGnW/6I+tzKLo9Fj1+xXGPPUprENKxNidYwuiSiZbFutTvZlMVs5l9sqMQaR8LGJZeJUV3OWPWBkUfftVXC87aB2G39YDFYflLVYi5pIQDDNFBxKBlE1ZOZrWzjmgpJnu0o0AaR6neXUqQkJ19loSiYKkfHMwYnKfhMEUXOx02VkOGu+xrm6x6OvNc+9DajfWqqbU5OzpSUNwPN1zKNjWoHzF6kuw+EcRTkak/k0VudILpcSJXaPdFg+zHgJuWznOoTERhyYB5y6SCPWjrpkd39NaLQajfWd/uHWHoASlSRGba2322QquVondGQV20ZoNwLfO7l751szicl4a26KyEdv7bSPATtgJwUb6GRJtSGKRl4JhcO8qCVFZmPBKUkck2FO76rN17PktdM99RuLxKbn5gs3J3FHSuk4aqAk1ZACcNFGkJFaYxvBhvVyQ90LPqguF7fHJZ1+zh76WuBJPmLUuJoaNjBbPhdW4Abx+f51GmgAZIOYVBBv8i7WgQIt4w0bU4yN8UMzmMxcimVAllVR70rk+mJb1x1wRcsWr6SuCegtXmcFbZXI4pazvJwVljqqZGiqagmkGOQkoc5QGbD5S1rE/m9oYZeVhKXYlyqQFwoul/d5Nrp6SiKVmlThv1KiIog52ffqXvnT3xxQlwGT9OGGu9bWtn0+Dyqyyk9G51mb7sw/akWV73//dJNdcvmSQDNd/m6qUZ9XHRhWK0kRVetydUlKiYgFYr/8kEnFR2xXNiI/QK9CACmZ/+YXnf3LiOjMsS8ZnEgG63G1TZsNvzeGc4oeqmGeBLxogCYm2XWeAfNvJLvNO5S/onTtM7bnt9NTY6Rds26C4bbw/urcKix4S9t5hWLznuKpgW+FhAY3TMCEqVDWsJqeaX7XIyBw19HqWn68/u5qx/PVytZMTO8CGZaKfXMnuNX8WinQ8dW260lAKBdV2DWmsePLDauxHGxbE4d0lFBYwuzTG/gjJBPBQ0io/Z12b2eodtoTARgDpdIxSo5+/4l7YUDGSCgX6ha4JVZg4upSBZBjXQOimGEU1DcuUqbPWXsd/MczAA48M4B+0gpp9TEqiOV2NFhVIct11HPA3pfGoCQu+SIU8A0mREVOuSKXZNJys9d6O5kBWbq07svP1xb5aq4qn/nEGlSDh+O2g28bS6CG2abuNYKw7PjKDbQPhnlDt3AYZMLk87dDwAMyto8/2B+x8bvNlNB3R4DT6MZHUtVtlAr3xh0mpQ7aKnJAJSshCpAgdz2uiiAG/rD99o/XUODaTWr5BKoOdiMZ1Y0vug2o1ShyFVF2MZQNMMf84E66z0huVdwVpZcJeHZLG3DV0RwtJ1H6bzdWnZ87BkUEktYTxVcdByuZp1u352nwaA64cpHGX1aA2Pm3jjxjy9gGCbqilSAW9cM8wslgTjApO7u5Dfenl6eYOWrGoMI2wYTCoLyj7iub/VcZdDk6C4sywsci7sbhk8hs18B+32UvzeL7EfPPThkDuoYxqaeNzWhT9pdGnXHObIsHEEhWEMWpZYT7RoYhiGVN4sKs3B466Q88G8K/PDkP9IkN7Iz1rzCAmf77F10WCEy+W1mHfweg8htltqr2EqKSSNuco1kxc6ksA19TpZGFKQrTCvpJwff+YqgZbvttM8tTT5c0rLFVibKgWXl9dQLDI5NSoWLG85xuYziabFhAzljEhIlcrewjQnPG2JIPdCPjGA09JQRnNgLtVExzqGGWC3q32rimghfAFmMmuxwCFtd6EhrP7n49Pikn+aZp86ouacvA1mn3IePGfB5gDn3vkOwjCdNwINloGRy2xsRY2mQHAoyRCV2DVxhW5eUmnJwyej6yx6xUC4AFeVUyJfzK1gSvclTCoA8QxHkuhm18w3WELQ26hn0kcLfuCMexDQkAqbLKQ0aa4sHhljGG4RerELEjFJ+H9wGSr0eBevkxnn9Yj+AAEBlFqaAH6TGe5BUJUrcxwkWEAT4uJRw6HLZjXYjFmShkWEliKEhru1wMFQCNOrbRFVcPSBt1Aqe/GuP0BfzzGz9cW3I+s3JH6d7zPNHtRqA9bJS4IkTpohqK7cI6qzTpkji3uiYyGhZTZXFVE3ukSre9cPlO7S0ip6Bh7JQaNYUOwXblfCEELP1CJYAPUlOVjV22Q3ttPSpzFb4McMBEtXLzVyjNsgKRczcssaTDEjBDutnTgaqiTweDrT8SZi+58DlOCJA4XNTg6pG3U/rroamj7WTT52noPBolRUWR0KhujBe20ZBi/F4jVCOhWJwwKeXeqiF7lu/lHJE1eS3Fgno3UW1k+1QXR85btD3d3fid4lJjHUo3/rYpFQj5gWawRvTge6osbDe2V7rAwld3NSiXRX4eSTWdOV7Ob2nz9QKO9coZJknLzPQ6e/Jt+VZ4Mt1paA0aQ+thM1FdlCP1gXeqa7C620j7KLPb3JG2iqcmK8GUhSfWUbuXEtFXMZXtSe1Z4xlrg/nFGcjYOAWV63RehdtXnTvwHDIGuUElACLra3wCP9kk8z6Kp+485PnsZb+/93UWFVKh32aqSlfTEFNvkIBF4hRgVPUdi4tcKSxQDROKmCafwvL+3tp9tB7gt9AuTstW7Sf33LtyyzO4hcy2GMQ4HlBH3PWx/GOYBBg6pAoCzzBh+wGv0xsrLcud0OmyRYgILA719aT4ChbQnzhreVORUK1hc2QgKVp5pL8dMgHUrY2l5sZyFTOYl0Ie3AKZEO/arV6ApISCJVZEp2ShrijMQSgQTlGz9Ugrm2pkBKqe0ibpmTOQh/rAHv43T2BXA3BtpQT20woXrkiKQLjapGZ7h4vfq1XxZVLDHWtO2+bnFdWc4i8PrmBwRK1beJqSkhdouYDTZVGSrLkdCcwjdqTN9Ne9LNbR39Pzd4rTalZ93HbVhLdXXCCRZVqCgaAr8Gj87tPL7j3n7G9njhWADt4REmjnqRoioDdkDTLdubxDL66vjczXBWQu5CDUuenOC8ThncfkIbtmnAze4Cknur452dvk7onBc28W1MBtfGGvALu64uQCktJsnRNQHztGC4oC8VS1egptGIEFYKWtUI0AhPxo1jBcxcFaEp+t5ZUtEbD9N1IWtncO9q4hTrnohxYZcT1vNB3L5gxTN9tEM7meAeUFsOfSEBcB1tYFzCW0oOLCSvJiuKrd7NS6xIm6O/wtfvYGmRkRmJ6hTbcPrV96dZKYc0uxRmqTod/YN1QnUYBQWZV30MiB71ndge0w0Xx02zV7k1tlVu8PnhVE2BQEaXppK1/ZeMwaq2H9yW2jO5kVAjeIOQT+/dMN+LKlBy5ITd6ND6GVkyUH1cn9l0p1t/C0VvcJqUhZXU5qo/0JIKKDVEucSEAUUmwEouWEXvoJNWkLHblbNbhmvkXKnKyVmaxl+irxlHkwL/5Ra5I9SgxJVTBQwMcrFwu1tfhmdkFyAQSgwNckiY0Rl64mycf2XBdaxDnwBMstw5oUfzL21uQzxDz3RzFe8C1Mzaaqzi4Zh7UjbSzv1cbSQZQhONLcDC/ev/rS5iHAw5nPly+VltPTfd2eU7+qmzN5wlkJo6boBQ0yCh8oXmKKtEACgJtluJp6ALTs2NRoia7QexrLVMRfjfgkEFUqJmHYye/+FBiF7+HvZiIxE+IYVmdEJUI2HdQDDFyz1g8Z3yjfb5NpU4wr89e8J0aYqZCzVD1CY204dedr+ZHwA3nr3NjNrgs3e42TyL+kKQnl7yaf1wD+jxs3TCvVV1rHrbdjPpCNr9wSoULmayuo1SpVxEr1WkYulKtpEAt0bw7Hu4mSZkGtVhIqiLGUikkCcBAAcijrypeONwGX9CUfWlmqmUhN1zXFvviwT8YbCvtLxD3UHczdsNP5nHTQVGI/JR2+t0U7JK0P5LTmTAONui5V9bSYqPqsW6fzUlGcxfUq4IQyFqaxDSNnZi9TJQNrFMQgLI3JJoR78LIpAFfQe8H8NgFSaHZPhjiWRkW09lBpfpXIt4Gx/BH8ouFFgpmqEdCqrzRly+h5gK5+fVQAX6JqVtWopemdzmFeg0jjeBvZice2UQGpMHlDy2mBM91p0soCroBx1/GyD4tOEsKoFHT7ndb0n3iHBclEgKorBFnGKUFWMEzGd9xpIFOV4sTu+q6vH108hVZa1xwrwxOfZBVqPOVBm28UF7/OGhEQq7OKAZhmjNNcE+hyQTGEZTdRdZT1hul0ZzWEX3bNlsk7GdfaTeiWevtnKtqfMOVk1tegShNkeVSCRADUxkJMZlILhLjULCWm7Xl5ycQdqVJylBWKGpQRQvWGHBQH0bA2BLh3lzx1iAGLGksqHCV0bDyP0tzXVOUs3izGtqJIkq1NU70al0hAq+uiATV/cRFplJfYqQkspiM7UPViNi3jWxLH3z/JBY9ZuzfnIJFlu4uzTHYuY9ulEtHp5wS9QlvNZykyhU3FUrzVSjCNuRKm4rDMre2zU93UGNwL6RmwiyHvdrRl+bFONeLAdUsNvRUnTtXp/6mdEZrhQk8ypNZtbJYfS+mJ7TmOLQTYE43poPYIKwi//Qino7vU69FW3xQKX6mieISp2kuwQ8hwKOuRoRcfYcbSFzpdnVdPiNe4JHOgdMFTsco7JUmeJr9GX4pwBzsT+VMH3cF7JZoApHN8GUTX8mlDdsXuUj/tTm9ctLy9XEoYrUnanfZ1OvSVh2GrhngG7h2b22A8MMjgOB7bvhyRiFOuALGSfH9Fd1+DySdEwIph4gg9j4yBh/gIzpdNp8S/QXy07fKAqQpu/dOuGm1hZdocSc5cThCbiapoAv6jjzFDot/8ocOukugMCyVJPDrJtAopaTE4eaC+igv68rTrlyDpI/UFnyK0oBbUpttnn9b/mMxvM5kUNSWAmYENQVUB0A5kArSLFgF+v1Iq0AuUARuBOiAbdB1YAxQDfUAnsBrYACwGHQCzgAqgA2gE5gHdwCpgAFgIbAU2BWwHtgDbgG+CHWCQ2XlgP7PnwEpwABxiDgYcZv4D1oOl4ARzNHASdDHtwHnmjOAiOAcuME3AJXCNuRy4FX49sA4YAsPMbcFd5g6gB7SCR8z9wGPQr/0E6Mbv1Ay6+wnqFd4CevABGsLbQG+/gCPm7wEd/gCngH71h9OAp0D/3n8oAqoVXhJQDlSZXAJUgnerTQdqAF+ABMxVeBZQCBSAOcw7wFv35gfkBN4ErADfPLAWfOcbRAcgUAhoMFjobQdeXB7mKJfzlL+39BHAl+uXXvl/so5N/2RJKH9Sj7U5/fmhxseQzubqP3GyV3+yNnYcHb818XdREE6URRU0WPiFd/AeFsudUi8d0iU9clrOeDmvwh/o5/j3I+uDlACCuSAn/MtJnGbQK5KQllx0mWyGALVe/0NHdV5P6S3mr2ab+WTKzRv7k31i7dbLI3zgMT0qi2XGJmM/4qcTH02OJJk8mxxv7pOxZi5nVO+uXE++5Fv+Yx5b48U9xfcOczlXcPvO4MKlT5b+tQ+tuuv31P/sfKK5o+ltzbT/2rZ2/tWxdnO9W72S/o/9N5O/Tm6fLE0+TSV+8sNbXT16oe9i+pq/1lSu2V0rvLzm8quXT1xJy36Q8+DUZC7kKtf+3wTt3+9u8Jn+3Y2/nf3vQ3mz6dxffR1zIOSnYSML3sXCxcriT27//tLS8v/Ie5LPW21f/bWCduFHC+8WLhedXv89qlOx70Z3YzzaWNKxZPPmNyX/714rdS/tVPpqx8mMNptWbsr+FKedkpVby/m5k3l2ZbvKPpXh+ZdVn6iaVRAKSSFYeJ1wi/OFmlY1FyqFlX+te6L6/1M718+snaSNq7fqUuOPmz7YdKn1VvOXrFNtmL0QE7C72H5sPKdJ6yLiibarbQvtR9v7tP9DZkmW9Mkf8ydSN6ljtID+GS7VVeYxeC15vXhDuC2O5Eyuw33H/wX/C4KHBFHwBYfwSsgV6/t90ZD8jPxnknsURvk36eelRWpDlbVPyWq0P5V/Ux7X/2ZRT0WvsW7cNd5R/F8JytnK5UqbmZhr1suWaF232tahdU9VUq2orhW9J//ZTd2+2cZKRJ1qsiurIt89p76Ke843onpSvvxW/hFv4V/zNaJGxERCpIkMkSV5sn04J5nLOXN/cN58M77FhFwvs/VRpThMfU28hHnkBZWKr54RT6h3tX8vLZNeN/8snzE+biwZP2h+2XzTes76Bf1LesLJGDONa+af3H+2Br2u98D+tX8nmA+3w990RuJ/m5qXWpDKia/Hf5w+mv6lx8n9X1ea6unfujvZd2XLLaXdbnfb/fawPW5POjc6XEfoSJ2d7i91Z3vfVXq6PFeBDctGh6O36k+vbU6+0Jzf3LP+S+uP1rsba6eg81dTxVsT7i+5X7j/5+nxaDxaD7WzsPslb937ZW/K96Ozl2aUfmHgSOB/ULBUH7pywo/8Yu2X80+iumggmr9Tv2uIfyauENNH7xEqkRJbxJ+RWEG+YFCwST5PJol/UVgvfEg8SFSTv02+k/rctavUakpIM9fv03/Oo6irWTH3H4s+5HZz+7n7+W/dXimyd36VXOX5yn+8/302NfeT6t99+Hn+9/N7Cx97Ip8WycyaeM32n5fm6OW6L8pJ77/t1m/ojXI4q7U/EMXqXibzWQOct33KO7p78qQWcK2sTGv+kkDXjNWp2M49I1Q6L/q2WHP2BWDFnVwzBqFVqTVW48phjWgW1QgAq2uyBhveX4cDCDiwzY8u4tMErObflbyTvAPyR09/8Vrtj228o58s7AB/nZZNdnyWpFfGOpHuAfL1l505dxgxrAWyDzLMOTeGYxpvdRXF6aVDVqrJGoBWyAWyvl7CNcAdbjReNhsNNjaI79ewimqdXvT1XIQQYG6A9LGwTo9MAmeLkxvgZkmGleW0z8L4QB4biCACM6Q6Nwwi7OqW2+6F7+lOABJYISyTmeKVOsaMDKH829PqIqiLLw7X2FLIcZsqmBjpU8aYsnaVU9rmU2b++BFIPTHEGGm6HegMNZ4tcybgY4uhCgmKaDXkzOC76dpWsK5sS4DmV3nIm/OcndbuBmHXfJJvsTD+sdRuKFZ2T222Pgk0olNlHwdc6GaACrecfCB0VwvmHD5TsaSkXlNAr3mngRIfgBxbDY9VVFEFpwHK7VYqVwELH0G33Wss5cPV1bCslXILKfg2kHP+5RrUnzUSh50HK+9mhw+RztN6hTnR/xx32e/84W71GRAWuNBih/zhvlsGCENv0CWHUFbKHqtMJRP0DHYmvU23MNgfPIPzSIB66UhwB4TY6wYiwMKof9r1UcqjlqO+UvNJebyXL9okq0QcOxkmOrHV0NzS7zgb3ckuv976+mx7Y3LTnPnCfrNBJCWLbgHtXWurUmpJdvGoMwoqk+sm+BEgOUqR8UW62ZzHXHreFSGOx14FDUX7mkCJV7Nn0dVPNN/mu3d7xD7XEzdse8+Wzfjc37VU5IZ4LMe7kiuCMRhfJ17Q5pJA4mriTy9/nV5OQLhf20HsYMeyAzf19y6ZmcJig9+S6m8UNlRAndgQN+DZ05p5gshG6UbPSKFmKoKGvl2rA/fIHzQtcaKNkkSgCpWwBEaRe4I9m0dz/naSkFW/pwPUTGHwvETmjRclZYYI5U3VYsUcT8Q9XNxziuUgIGikhWj8/AIafZRmBY0jM7GUnbmFLFBkP5r6QLWpAdb272zUNGoBTDNqR3eN4RaowxPBagWjUW1Rcch/v7zyUuNtMhs23/gIkMQfsdI4V+a80am/guRmhiA/+R1MghTO3rpSA4EMWng7xLo+Y0MGC68IMN/7WpLVtlIHgT7t98OjKDb2GhTI4MyGe0s91U8bi+EWAX2ShzuIgKc4roCd7Mz33B7K+3X3PWnvXZu1EDjwb7N8QIvLJtjNUItzFCpqGs5IBcCC9itFn9xmXf4/dIhriZBnqyUZ1pFzGkHh1yudZljbjoBWtUMkXOaEX7xdbErxhW9KFBMPjPEyJ7HziGbku9OpneY97bc2JDJDIapthguGa/1MpaP+4q+szFdH5Op3URYsmnPCFAns1NnkU3GkZ09orWn62jd3Lu72nlLxexunYJG1Ya8AuDOBmsAZlKb4/XkH5Xpla0DjDlGIHJYzgkgUrKTZ74x0Kd61xe7T0lZrdvkrD3U59jYXwxBxrFCQIKJg9OMIyYq8+ilkjKGQk6lgVrxzpGDX1Sha1RJdSeo6jiKtrTbBO9oz/FZp3VAju6YpQBpSqYoSuhJgX+8vamqDCxuq3Aa8TChmHDlW/Youh4ZKXDf1lZhMVid1UuHblWYO0EHxUEIfIzZGHMoGdK9ay//aOOlXV4sikKS6wvapZIvQAU9hCQ5I5NyQkSWnpIo0tlaMxK5ZFVdtk3bYIoC4fJFzmvdNv9gpmmwt+dG/EdyAIpAFWqNSks3wOXndgtrphouiZyv3FAuQx31ihYZwBAvZMDSRVFm17TQTH/P/WHSwKtenDHx1uxjtpw6rVmEZ6ZUpPz9TRfahB/1nKNgXb+5ijOxxmdQGTwFtqiLtw7QoiRoC9fzx5xkXvEwt3EY6bKk0J20cyD6NVWjQlzEbBqtIfp3gmBgtwwvvaHv2qzDjxPTH3ITZWDUBpKukCof8jlRCyaAuyiJx+Lys5+vxdq0EXOSEWfW68pSK9UefUzldBRweqbbr8wMxwoBsnE733ZEKZkBOWKuktOnFjh+pUS1Y9g2jotCE08QyTwDdhrM21PkrQwq6GzGrk5RQkMRXUxGAwkogvxpfw86oxs00akFFXmWXXMUfqHhMRO15Rr/TPzXHsDfA6bN+XMFHmvXa683j6P1xLxiLyb4os9qZ01fSVCpjTriaUQj1chJ8+gmzMxT8Dake7+S+C9EbQjILkBE/bDlakqLfbu2v7gABfwBPTy2Zaf83aFabWmtZmf4ddn6M79SPrpbdU1GqSYnovxh+/gRbAib0/300uO+LdzdhW6vvXEZWi6qiGYRRVhoB94lK9b90rkT99iZQHjZ2K3PW86SXaE7bG8cuMMdG+gAu7135ygfo+hZxZDprXeEzeeufat9iVH+48h2ZNdkXj9K5Ao/W7n+jnXz9f7CmxDivEBeENMmyWUkXMBvNOJILtTShNjKyTlsKARilp8Z7FwgJBwesZEEOMYW6TRjUoYW8KWFWoGs4YanKfPYmWrdl9UkKB5TYXunDiVO+ZSKIKaoMMbvKo6bxjAuoI37cXIKhmt5P6Q9qMWL6iyOoAawnxEN6nV06fP8mQKfuCwOYKGCSopywHvvJcBJSb+OxRA3427Z/+Lzp2kXNNRO7thsKgX707IBog2dnyO6M/8PfLged30mDZafp5iYwA1eHTejpTeIraIVX87JfEWS3DYKgSm5K3d2OomhGDMgL9mGtQazxO+u810A4e1eqzq9+qe4OXz8QevXVkSPmcoXE62UxX90GFjFqfrg0li9ve2NoZ2XBQn58TAj1+BARufLyUqCKgEBIBLFTjx17Sm+a+CP8wcC1mnI6IaaVWHd9cHwsvk7PPx+qHeZ3Xtrczo+pQLABWjPv2OK3TVk5kaP/sX576na9XV0v1SOVU6vWqmDskY6cGpmhU4fmAXQKihyg1qms+B4ChJwrDZrLX/M1maLaLYacT+p7w8rveoc1rzNPOYmHpdMLRbIqMxogW16Ka7B+5/71L6L92VKnqDGlPi/jwHUvh3NaW7PN/APqrOrYEmAZcGj5ch5qgD6eiyTW/fHLiiY1JQ2DibypqaxqOqnD0FOloD8BDbXjjFhJ7lGNgtTgYYyoyuqaEb/ypl5pUpLECwWPdLPrBM+p7Fwq8FMvfcG3spNUq5IC2B7egfTBC0kTdnX3hxcQaSzbjjsXf/+Gloz27t4e7eoxF67aDBFqyvKVKxN9bdUtK99p8tUR1xIey7oAoEJH15ne3/y4BvnZoTNW6finnjU7vVvRo0zoVv9ucpd8dSAK3pr03AdPdt1KK6X/RMa1PVu2sE5TfNPo+68rGiAr/sCE/7LYQby4OOHH0AVfjzOwLg8YaVxtzPlyLGBaEEoTTPe5tA7r64a7zyMNze6ZMIRJgb8MBPZ8AZLDFVUSl6fixvWZhMF0RwdcMZZimKmqaoruhl/Hv5v2K3Z1eOUw713+Sr3UpEvn0ltUS89vAb0HP7wKu1X1+X1O9drnwsBSugt3LDV+GBXImeTD0bJeQTm1oOB1UhbFWFmH3MWPELhx/wuz+btnP6uoW5fZhY3o3uzeY6ulYeA2PX2rAIWi2F9GrVLFbGdv/Fxxpr+7e2/Nf/vW5nBPPgpBPk8WEsSXoH1aIKiWJXzqcoUhuDMr8zIbISoDPrmA6+MZeRQNuuvakN8qPLaf/HuDq/K0RAX0lx+8uogs1MJJSgHRQu99uq3NOUD0ItbUPTcS1uX01BdzigMHVitX9XNYx41CgIXKutwetHzSEVtAwhs7DPterpkpywo9NZNN48AK1N0wMsKExpVg3gVyeK6LwSioPpcnMwlR6zekdvXki1JDBDyvKDw6Ro7xrKTI3BMyrBn2cHgo3tT5+3SoAjITSsnmPaPcNQ0SgqcIOdB+cM6vsXFPNc1zVfX0QJwURMdUo/wT+vdb+dZTnyOeelHft+pTaAZKQNiwdvXrMWILoRLAxdNuaxe1xnbXtGNwfVJqXo/EjRUvtjHNvP7Fbu5gR4bXwKlmWqEhBiTKOybd5Jal7FxeyRSK/KcX/oYBB0ZzMd4NraWkZ4WDsT8IHlUj+ps0AnlJUhEcKxK4xAz7fA9Mqy/323BF+srclLgurTazBKF1iy69k9ktv6qPxFvzlrv6xa2NdAVY6snzvaGbr+iIO5McTvoAJLEKU2q3NMcNza5KRBKUSq59Bau5JQ0QeTXv6UEGWDw3AWXhAXvCnmcM1Cl1e7akO7pGvp4Gp9h3MWh2VAaptFa93NcY7rA1WO4ntOTF9Pm9S7VV6cvD16/b/Oy+fdHVoywQdFlT2JYnSo7lN+OzF3Imtbp92BRA4Oz8VJj2uZVMtHwwdBv777xsWcialW07ua7gzzOyoOuLhTB9cXnDLOwDgu5v5Zz5DF8CE4nFoGOsyZi2NGXxjj3ALeCwOdOAFCkJNTTg95sYB3bSf4hOveq2qdFSnBgklFaYMmKu3rNs3fMdxRcHfPu6DcaAR2bnHYlE6S7RFOXjejSTfh39E3i5pETJNRHqKWndh5Ztsx8haUZJL8F6kSqhkUvfIAksaq3w/R2psvFN2+nsulEwABYMPm+fKDnAC0hhadW2mAMNbTBm06h2oypKYjNAgli9s/XCSWsasY/88S5JrN3RQDty4D3ZGjeM6+Hdl7UIMKYtWdDpMWIVGXEp4VoLb8+dKFg721ycae/rnII38MQkaunht94ECG2qbqr1/SZeA3SBi7K12RVDyq0+NWP5v+bMb2/ONfcyKubxPeVB+24nxUeskxZPufbbbZKoFfSf+RLfwidfXWhkfCUFpvMjbgRlgLhvqq65bkZOmn3KaERyPUTG7ik3QS8QpKJ0/9IG2vMcpchSjPJSUYD8ijBy2G47AurTP4wprJKeMUFAORXuz2u/IZthDXyQb9EJmpAtyrisf85FRLpk+PBxkBDqMmZH9MWzB4CA8x0JPYDPecUq4MJ8DH8LDuF2uMW4Fs7B7Kc/XGdmwqo4dB0xci1No7t7mvZnr4k1p/Q7ifxMcrqRCgPRq4TnLD1kiOl/8WMIPfF8DQ0DEJS0KkrB9MOTaJ8GdPLx0WH4Wh4pua4p4hOGX0sO9AY2QooRGGEBe4Bwr121diEct8KBF7mRhE0Ibc1VVasmA1EDBmO5jHHywdz0EEj6H70vx+zZ6tbVLtgc/ZObl2H9Dj/8ElpayMitIIpFNA+st60L6B2GfqYi2SgZM0xR5pxnn3V8RRFEXnx2boLlRUmWn7lYbnVmwR+IDz043+zTIA67coeX1+Am3vtp0ejsLo6qNiBwMR9l0h8xHmL3GjctLz+ZebzYllD87A9xt2B9SrXH6HVH2a2pMi01LF9x7dEiBop/cUeEBxrc6PNoE3uRm8cLwRW//VobKtzhUCmbMY+FhOxbt+3xJjBBqzOpPXYu06YP3NxliCEI6ymusPZElicujdA2syBrOTSTwe/94PpSAf1g5GDbqIqrpHq9hFs+d8NKQNkJZQszmdGl8mK85b/Ve5jcHg2dra/IrqIgMnYbMDNVqQpDqr27GAk2VdFZ5vAUb9Q1zERi2Vh2QNuFVMAz88F+39rd6a8lXacZ9GsAqpKE0RFx0hDqJbqpEx1AVE6+PNj1CErlXtZk1zOdb6p9xVQt0Ve6O8ACCNtqs4MteqrFyPqTAMjh76caeccfpvfuX9o2CxnIpYw30PGMXUBQDgs4Z01AmsM89OKOUkWVvT361G6SGif39qXOsNR1fmfF+k7gZv1OTAu1XXjqCAeCFgUPAnYq0ljrVNGwEOEqzuHTJ6WOqUx1o3warTj3lKiSoNvVlIYUFJbMDcW78kM+Qm/pk+xhbIjhaONP/evFxgaxVVgcv4DFjCB03I0Tl6/EyU8+8+XAQrZFmSBWIoq2dOZpa/fGJSavrtCABcHQjUreTqTrWs9XJkoXKDByBL8FvcaxDtXYKQUIylakwrXC9xNxV2++C3V+GkvdeQ9IWH5Hh56+KJlDK+jywkwIWLaOa2i3NgYYvi5BtiD+ehK7gli5BgM1x4xwzNdshJCjFrbfogdqHVVWJYfLKJwpWSTUvYiPQCN5YZ2EGlMkBmzb6/U5dJCfLzWM5zz3cvcf7zFVbdAaFzMukJf40bt47edOoDqUIm7ZnrsYDgFMYQwnh7THjrNz3Pq+FlN2b+w3G4vjM2CZo9nzlmgAnqJUQqfHm2WMCOV4AbMiabvp8rq9tbOes/TA8KyYWSBYO6Nsylv74AFl6k7wLpOf8x/uv7UZjv2wgNJgujR5whx3NxJ3JG4V2lhCCZH8yooflYoTvHg5n6afuTTTKuan8xdn8YvNK4Pzh7NHK9/NN/bbfDlZXSFr49/1kaAwrlaaqE7uGvQFrZKj1YoldILCCnD1RRY73+fFbPyR1X9m1FIC71PVSPfMnBLA3dj2/JF8y7gz9K9DW9+uHkm/Gw8pP4oCnvSNws9A1SJ15rJyqnurNtKGhjEEZf3mkII2Hr9YTkn/RvjtD5Vv6K+IXXjiWKrttggIAEmURBH5A3FPuA76h7TEZE0xqFsYpC1x3ItdiiorOgI6X0dsQOUpJ5NkFBe3poSZgMTJBtvP4ZYMm8uldjUJ1Ax4wPFoKmI8H0tAEhc5LhCxGBtSQHK0deSKe1YTHGwdsYYAUvNPoyMQk7wXtqJqkjsLLqcOUXUFo2rtqMdBt15z2D60skWACbwX9TSR5ao1sfP8VvZevT4RsyN2O+309tod/3Z4p/SGGCidIk1fn3fKoWC5vgGDoSjKoh6c5vRGGhYuJPGXz+FMOUNi9PNKvTi788JMa+K+/bw+BdRgU27Cs2dMYwfV9dH6RAbtN1+Ey6fcdXxEQ5KYzgf/Ickt7xmtJA1KrX4TWLlQjaFb4cUYLUaOVwf5NB+t3Mx6ZkUsewupOVLamm+qqmyUtUIkKbRIRDwwo42AFlR7dScUlpeIPiUCNl7ulOHuhlfeeBa5ft0UK2tyPp14fJL8xDwmneLmu76Lapw1GtsCaA0ND5ok3KvWohN54VucbbF7xRofQACjsOdJ58foyJrkG1ybhpkRMw0M5T50y9hwkbdCVM66tbPViscnoP7k2sBiTNeB4/k7O3vUX9lw3KyvE1EyyoodrU5wu5Oi60uKxy/RBUEr0so3Qu1cQTJZWmDbYSMHWDIrydDXP9jPov3IyT8YRq2zNJQtlfAFx6y69QuSDUTu5SdYxAKisPcTI6m7dl6Tr10APJzqVPS4Dqkx6Ux4tTEfz42X0nn6QVbDirHOcI06oRv6LoD1ZYMGpkA0BhpTfO/m7b4XSef2b2UCmjneNU1MbQtj2637FbfUwQRe8aTVciiAkX675rSunp8fceYtU8ROc17lX/Ue+kzYH2lN+bKpcTtzhDeUoqkAF/otmfz5B9fzKkrVKtj7gZOGrr/3aHqpShWSuXolbZNzvuAuoIp6uuoAA88PLBiLhV4ZBYJjInMNa9k4yUbT14hN7dJp0ajijLgaOHw5mM0/3/uN1S3jTkuw0Vs/mXx0HFjsSb1uiB0lj8MzNXV13zXPktUNOKq/OJz2Jf984eQLJ1U6F6/SdXcDlrtICH6IffTDx1+6SNWNOqTOt6X+ir8LHFBS436tbWx/cdQmNanO1dWytEWINZCE5AXXjrVN77Bt73bSwsiL9XGmRXFPfcPQSqns0NRteq6ndpaStkZjX8kpsjKShv1m9KGRwbBE7LnIVGiZDoSIDNpGW1ww18wFbSNfSNerFb3dzAs40MerlmyBUsTfvhuPha64LTQJ4EZO4eQjkHDSUcon63FqderCH1YC3uFVJjBaAZYPwKPN5R296Q0yrF+0ZQKcyOq+AYVSXbRRPac107KHd4b/9eI2YFPwl59t0I18dwou3bOAWVNlFdqB1NUQ8MuaYANiLfhl0ahf6zypwIxlOI5djuSuMpGbVibLGK8PascMxUdFa4P2rUe9rd2jJtNeJw7dCWlX0nIKChCW+IYUA+FjFwxepmkvyyH6VWFc8ks20CPZvgy7O7z4KqqjN6sFVazVqv51TpEMR/O11GjtAflsosO88vuyXVYVr4Bj7We4y/yV7MjKhdxa2myVwyQvBspl7tsTLRIjs1XnBnAtr3HwgmTXCjS1qRG3D6QkE1t6Q+X35eZLk/ZJY4OaUF1qQ+wLRW6PWqQbLMvjvMAIAPXpqkikotSOfGAmedtBi08c3Dk+iUgaxcq3jpEj2uPFyIUthB5xDq7Zn2zLxXh2ynrNh7ydLGvY7rb0Vx1bVmji4dz0ym/9ZPN/E8On5zuoYf5LtN+0C6CCOfRKqEKGkQQeRckSFxeUT/ttIuyKxL/x9f0MlzpXbv04Ryr8sSNpRTd1WhZ66Ywv0N6qDtnyhg1I1QlH7N+tYAn6hLgsN2F0Sv3f9/Ce0nyCF8qdslgCTCKvqCxvsx12RK6bHHR48Y57FiKuJudd6eCZT7Eb/iBPx7NsrokQe75t9VwcSF87Htv7JiYkKGVAdQomKGGkYkhCmC5LYoqos/f9QdjKYuqinOy3hPRmC3cI+zlnLXkmjRsT4U+EttZSvOP1/eKad+9hg+o4J5+1XRDXrpCAVaOW2Rh2ymTT8ZRUS8qx4Cx3QvOn35q6+NRRhxhbGWjQ5w/kHBrtLq8PClK5XCBV0KxMr0ABxgxFicXOdZWvFe9pDk+V3BKNATHwkpny049pZnNn5tgfOtBlLF181v4axl9ImuWmCdWODqK9pjZ6efqRo7UD42ZtrT23HXL3dFdqPg5oDI8te7jaamnT1I5DvWvvLLb8IK8YmDOjjFAmn+q03xRTQIaIcTNzXCYm8bS21dZ7ipcSe3XsW0CKl3fKsLdXNTB0d+yw+0Q6gUt5VVbBmcTuDiMJB5LPspXKmyIWL+fXON7AgVQr4YrYsMvA3qGFMU2WDaUpmHOKQ+FaxNhqI0lo0/O6diuZCLeNTaCCJLosyGBIQdeB663BvWRxq69Yh7je28Y5/VX4oBgOQpJe9nUYJ4yn9Gi7Ssslr2kBK6P9XkgANE2VotqzrfiZBAZkTcbwLyCpFmjMyv5OkKpNy2lGKSaqphmbx5lTMFXDxHFu3zdHgWoU+B2kblXXulum7mpxHIqpSmISSRHvP17t5Lb7u8Ixd3xzX2/IJkPBCC7xhkw22TreDnYzf4vECuV2VuM0siTZOwqnFQ2TlAVRCO+Wu2oMiAgdkR8Tw0DqSawYuNcRsXqgD0oT/wUglYrBbDU6/4a47qpgqbjdUVrXPaCRgL4YBnizDcJJS5q6pn3htSqFPPR62MCOqFpyYEQlb+to83XvAp+GqVY4jI1AagF1Yr4tOECq+9zeBlybYxXn0FLRVuP6PM6k6ycCUEQfiC2YiakkRSuB443DJmiXXHgqNhSkHftxLpenRAQLomQg6BYUig5uu3b1JXMH33LCNUBAI3z4sUtzcY6ONQv7uPjzuAHEliSDB4YD2T7rDaB26Tgmapm1VtiOxE7QVUBq0FVDhNA8I1p715TXm7RRC+TNqwKH/VJNkcLaBRxc/pzff7YMOKqm1GBA9syyDYafHoBJzoLwWWPzgJHMSG/qKZ4R5HtG2L+rzuiKYVqW3mnQAc+TicdMIr8cJbioXv1v0dv/elwmJ4Wm6fCaLmrZdGTvwtCfq5Sqy8rp3l7PrlOaOZOPO2oYNiXXb+Bx2KN71BBIgfgAxNX5POQyV5fOnPw92vK8Y8sZt0JUqlSYY5upmRnWHv88y508uMB/3KN7KuDyjZIPKzo1KEqUa2m5c/Fo50i/h6llp1cbE1k0U0mWgWuSfkJImbVOOJTdD6goYbHsSu2KKdl531VV6Wwm1cMqwAr9ehPmRawm/tGosz05vH/DU1hoYXLe6ziMizY0ioRkRXXKV16w15kStlArbC24Xkm0aN42vmrYjMdWPslQyvmxxIFTUlhc0YArL/Zh+K7xnLU7bDbC56/HldpPTe7QU5TXY13Z8Q3OJ55sGI7VTpvDdmfQ60y2A1UxCJW3b6yXdzhQjbf32jJIG57ZZGC+6tdczlrAFg1oTk/opx9NSFpdw+pbt0q67fmyhymWhV8WF+bW2lUtU24IQGIUCbIcrqODh6Wj9mZg5KMEA4GpahykOVkQUZQqlJMy2APT4SEeqbGcGp640qzKLCXbiiH4VkXMeTZwhSCPOWuyoPmCWlc0VOOmeE2tY1hRDkv9gWmGoeAJjed93QLO5l87mIEtckVo2AmuWgpt9YbeIDzuf3fJn8ZhGKkdhWTiY8VQcD5v3ZC9FjomOk1HY8NKw3G4UJIsnk2F2Ny0XrV95IH9WuyEg/jdZwVhtRglP/n8zPL5miW5PboIPAbdc9hM/CAa1gARc+X/i3H+rFG9JoGRuI6w/m0gwUhwz4aX1WyPUS/+tfa+GFGlSIhhqqxZCbLTui9EAAoqZoZKvMY5VTs7kbf8Lu63GsPbh73x4WA8frfX4zdWVcuMybVmTEE856aKL+68HNJtPXL7UXp48HuVuGN39sxR0NKDRq1ZcVcMXQP3q5/f+7B3c/HSDv1TVvO43qKIb3M1jrt50/UWa6KBabJD7O4Mqm0nY6qWbPON0oZLll+ZXcWLa8ClmqcHzxz5oqPUmfc+KPbyFcKJrYE6iIeG6YdDp2WNlbaWZiM7as8akLGwpL+3Iy7HGwlhoAQa8YSjDa8MeRuIvEAEOIa6SRWxQrWkxJWfM1cqVzvjmFMfaz9KpWMfd3rxiNM40HuE7OywYtbGNiwOc+oQ1VOtsNFZ73C3uPWlA+bAO5Rj3PDdN5RI7nYf8BmPd+tX13YasgYmzWpXTcvNUggS3sWUgniwl5ZRXK2YnKmM+mvOSDvi+rlb5L31bMaRUE6v6sDEsrsKRNHYLaGg75hsiqG1q3ve/uV+yd0i3ItEKFdNPi+6y9fKkXRNbN4q6DWQbzJLg5Ymq6IkcvFN0SFARZf78KlQqU6TCiLcyJfOy0QPpB/3sTP9c5Zg4a5svueCabLzqstW+lK3y9gadS5rSxkRiU70QGhtuLa90OxkNigzQcIp4T4TAWib1jxodlZq9qUEiS2GS0NLUBZkkFwZT2T/C2RXz9ufCVCx+/+0MbGP74od/O859pzCf9NDClLEe68zaUTOfsNUCv2TmToicctpAMmxWXfgo6ZFDfCYzzANJN/bP34nYjKdrUqR4ZqICen3MFcgLdJGZq/+ggnSZQmy7YNK0sBiogH14ANABw6v2ScEvLzTpqmwbaZVyCLzenewu8qyQFrEn/+YAw593NbBnmtAjWVADV5t6JVZXjEEDGsgNeOrFC0OjP1NS/0kXZA2a2Fmt/N33VyovqABLyJqhVFCgcTzhIcRQpQ4dJwTX4pI0Me/fHUAI9wx8ht29Pe7vnIPKR/cNyWt19ZL652ZBACqSilyhlVZ6yu9+UjxfJKvewoYuhmTBVS/Jjr+IgojSlVsS21gSbfkezvPM8zZmuAhOFTS4PzU6452MbQ19IfSBmWZ66zLQyUCMuQLuIsDUNLHXApno4fCtmrGmVLItQcJyEyFTRUBpWkywpCYrASWp3A6KehFp9bIpVl/u0avFuyo5uS1b2v7AJWo4grbR+PlVgHw4WIC0+BJUuVioVzK8JjcyzGugsf+YlvKMoOicsc80R3sEocACgJMMSTjF9wJLiwk8A+ghXSElxgO7k//AKawQtraGgKnbGMLURD0aqn+VswRfaiPABhbJzGsgnfytJpjX9sgTJJ1LtgIpMuawFNcY+kWdlQDNKopURYQLJCA+38WzYzJCkyIbWlb03HG0l1V0xw3IxlamzC8WfQo25LPwCYBiAlNZfiRKSmhqgwAj101MatYsa9nbFfll1JsJekhPlHGIgtwTR3HZmIaqlM5nB8LWMqTmz+5TZU/6TRADEpyIBU2CpOeX8R+ivLP1s0Tb8DuYLTrIxkhRw2hbPVPdzDG9KBYCGQJwEweYjX3OuwyKcUY9SLWBK/owhNjyRRJ13mZIfbXbikAsSRayPVGA+tLm4wlHap9gLUl5syr69HcKdHhPrlENYsLU/v1JST3f64FITEsRM9w8LJAKcPZq1uyCgziiuXAng534eNoZnvxyEbhgHtEgXLf0QfZcaAAUCEyY1lvfPNTbV3dihG3hbq5HUUW9Of2VO2CfqPY/TEm80E69vu1H9pAyLQjjeQLYUiQ6Zh5KhRCAVl/m8AIKKB26HftmgsFk0aW/tLsXIIuXzGnJ9lp4K+8WR1AO080F03DX79IJjtccXA9bFVBEOtFF6/fYGAsFukraLOXLOyVwB+2MvXJdTpy3AW7cV0HaDjYyUJWLLjROiAsSCm19eyMdYVDEMs9+LwF57C+OrJd+8Bdw3uyosgEZZgpQaR1hRkYuaMQmAJ62rFQDfK6FEu05E50P7Fprm2Ck6meFzOFAf2Ny6xyWdd7rubPSKa/YTBlX8SzBDgdKokYyhSoGkQu5aPT/uizSwSofZLk4H9i667CftfWg06+vdCBy+GGHwhABlXDjpwJSEPVM+xe/qkPdpfZlvLYSLoc7DGsKpkKBha0Jt202wVQTdYpLI8HE9MEVsnwbEblnCplveAAKnPlcmBlPG2lzSAAsQ0vMp1OXoCI7vgRZ6K/TduWapAQ38CvXZXRPd2av+ulvUVeL1qJUujc3Seo3312OERUF/0nAizQOuL5PjDohB5keU82LUzYkdl+ZR8j3uSA51UHf4Y2b9ItwNingP6kCMSDC45rlfaOCxaIvWeKEEEJK0sHH3hF1uAFUoOROO/zaJDmBYNtb9hNd19IbtTMFtUaAnU4l7wFp0Xe3IMvvcjyaY18XoAYcuN+JbFuwVMBRHh83fdZt2/U3WBkRtbb3P4PaRL5pu3WtndX2S6v4VMtQIDJAqntwUkCNwRtOcaCjtxf+RjJbpxo0RV0NpE6xQlHigD+jyf7qlGm8j4pBUvwEyTV6M/KZmBBMPXWTQzz8lQ1uxchHTaY8RpjwKT+FrTANQBzvEKRCbJm1G0w+UDjooXEgdDxvzQJeo2xCfYwYVahIWStBHoBFcs76C6Yuy3tsmN4KxRhA+glqVUcCqldtcKmw1OMadZ9aFuCQ7qH5HWJuCQx7TQagEMTtJ2wNZD+WJZA8t7Raa8Fp19ODpsIqBirqJKagqmhZqgmF9dP9lxFhSEItN3mzV9uolKMu/Eyfkni63UYApyP1eWnr3M47M5x13gHUoDctYO5jkEMEAeWmqgLam1h7NTxuSCor3+/9v0cQqsv8x1YGjfMNgKKQqBYbRoGeo1hqGkwKGmYi0Z0TEUr+ydlkBOc71AYri7CQYoRIuQ1GSIdKg0NNiJt4TQAEum/IkHApsgojjCoELEq//IeATu7QmMVs9KS1ygfzmCVBNRW2HfOiG6um50PdpquZrkd4tXeaF3dB61tt4OAlRF3AvtKD+g972w0I9WuXzwoQ7FMkMXvE/o+mo5cJHAMCa+RvRusSt5x8wzPTX6Nzzqs6qSrjI6TMxCF5dyEgoJ9Gu9cHmLBc/ws9ktTVr7m+BxlxFhcDC7HVuU0hp16iExN2zwOnKHyMGRNRktT5PAY/K3WEQ3abAej2bT9LOVh1lSunF4kBFxyUls19FbwOfAORkI4aLWdZONY+cELzkxrgoDL+DblQ8uf8LjZDdPQBYOQd3QepgrcvxzAJaewkzK+u9SNjhLMBZsBqrJCynppqAAWnMDf42TzCeGMZz0ZH4E7321Z1Z3pYVB84N3y9X2SztzWkgI/kzjnPTruSyi3JpPLY8XdTsHh9IcvQ+/WrSBFNdsbzMf8tY1tBm2odi/Ff34e7Utjv1qE3QTHY8Kj7tjP7A8iYjSK82MHv1FcOH++3lrYfe8mEFJ1MYT5RLhpoxWLVfc6G4SyG46dCeKb6fx756NLr7pB/AaDAdAfi3aynwE4TPXtCTxUH8nyu2ij3rZUhwC0/SQoMay8IpnsLpsxP1q7mITcZTkE7b0BT8W1w7kYngYJzdXVULolhJPbbyIooOtXfhM5RevEZMDsE+au5fdAc1f+jTqMRDwZDa/9XjZRseAZSeYl5uT2EUmyjI3AhZp+YW7rh35Y+GI58R6K1hrPe50hWTxw2DQonPxuToOAanmUdjoZoNoBxnfuZOzycGAxamZ8oJn7+7e/3bA+On/sQ5PHQavQibYMDRkAtPDKdQeDu+815nHy+fOqWtrs7wIOUIKvK8iBgN121eJgyNSCvxuPsn3GmA/EuHhuDuqCpFQwZbbJekisy451w0iutQDdAsnILENknnVK3Vcm6uouLbHdTkmEtgZTnnoolQ1z24ohJ2cUFeM6hro8BUHxD9StgU9kXCpsegzUqIspqENvecyMyb0s7BA6r1xHJb78s7UAjJFWUYIJUdeQAfXBqMHkyMEFF+kHfVHKrkBUX5m/AgXHa3s0q87wHkwDoOBooUxySpAprjOgNOsEgqQkIgLo1pIkhTJX7j7hGZb/PTt+igOrm4r+F2hp+NG0C+WzD9d58ID9j5RjZAT5TatjfuPNTgPLj52KkEz8RYHrFOpASSoYTmVVap+ANEyH1bsvQBxwwmotkQT52uU4vjF/5kGCAKmAm/keHObWYvS3yLz/UU6AjIMw69XEK4CBXO6SxLhzH4/2viJCeyC/5udpGqHpSzeSBDztVZ0FRo5OCbM7D3TPj1naVLj5l/sRX6TSBJL95j2MoWA2LW5JJqdGMCinBVG0ugXLwK0oKrzod2JkwWeeWs2+D72DCBJVdDY6M0UZFBUzDX7yjIX0gWi07eMMBjnjphGwboh49tMgDt2zgiKKCmxTjoowq04/UNuptuk/DyHrbBD1xazXPXH2zlNDxtsVA256IpMhWn4NiCaTra2MO9gdq85Xbx8bOXx46Fn9rmXNOON+rwlTOcuwRwAkMEEAtmIBZSJeEOnNURQaj69sWVZoZ5UxnitWOzDa2R9ICAhYJuxIZkwQZaLAiLrY7DIyrExoXbUBZBh8pX5e02O8aEYUZBuu3tZgADAYH0B3NQnFFw2sn7L9dJlN0ppUY8LouUhn49BsUaUgArS+zUlUwxhOhwFdLjVjMLuZGcMLYQOKqCP1x/FkGGemwlhBCyAvFHQeSyyZU/HFuCdiwT2RQjI3MklP0FA6FcCYd6Ry/05v6DGFxuna22LmrtHLFSismVIAp7V4DdVgK7e7T/UAM8YsHvgboNoP1JSqUw/bTQWp+s2bz0J/tF9eQm3uqsC2afRvV9losn6nYoOcXzqchwezOzeHckzhWgodhmarnrkjAlHbzpYlk+1Sj9Qp1EBhyOhBCdRAayM0xG+GGJLWcfERSjOvJ2jbVKspL7gxq4Ck1rQDRpf7tPh9rwcI4nmtD9sr1VLoX0c+cWYxNn8I8Gb8KEfNlp7qXx2UC9CgStSAgo5wcB5VVHR2cmhK97wo/9RCDkDzozuV5aFoRT29n6yL3cfaxDuOZ1re6sfOI0ZmPuChTiuLHDotTRSp/CuNEWd+yxXA+lrkbz+1ZYGYBtyzZbsCR193ldnXtff55VYg7uuLfZgPKGtrRZm9i568IrR8yCR1y4YEO9ppwRQjtD30vQ+GC0Kzx74f2EKys8+2zpzmTOhFqmLMmU601O61CMgUD3T0GsKkL2951hdOVRGzpb8go4vCaxKG3LQJLGCe5oQssggKd4lr1gZ+oZ7j5he+vPbuO9aTcSZKV8pFxnqJu0BIYMy+A9wcXNzdJzErIBb2XHussr5Ufhp61kExc+c1W/NtMMTOxuao7b9/izU7FRq/OT9CfQ/T6M7HBVxeWv7m7gMrgKY/W28yl+Z+D4PmEyL5YXgtnkH0q4VSaeYjH1HcgSLJkym3899Ce355DvFaU/UnKPGpbhsVYfT0r34ztoup35dCYHRFfWa/JUq2xgRaKnmIzdoy7O1UeAvl5WIJ6hMyZZMNbuCLjctXRoYDbACzB8tmnmNaN6+vgloCrwbHR76sHwSe9pRiObYuwD5p7B3cfa2+vOQHRJnt/Sxceaa+bjF7DrM3d7jnwZ+/EEJbPlE/TVvYFsFI/9bFngX8lZcrHXj7/qWwBwlqkhIVR+pmlrbF9iVSBt4eqtGGWQbTGnq8oH21HGLDls+bbV56mtT4RrOcZEGzfH+1DQtyHaN0xvLMbjBsTjoWkJM6NaCeqpVs9P0/lX2d7krm+6ZY8mnzJr8c38DeMbffwUblm90UYwBX1TANKT/DA9tcz/2X136bl9GAnvZ3fWn3DSNw/AbqsFzNl9nW3O+n0RNsp4fh8SmpCcNW2gmA3a7lk2XwWM9LItQj6cg3jkGz5h1VQXv++NlBtxuji2pTPW0yZkCibTC3Hp5PixpVk+GwFikRoBiziSY6PSd63BQVE9WDevhr1cA4aPsWpbiEyQnrfIKbAmlYTMUKWK/AGSKSx880ndMvq9SSs+89GwBHbkzGvQ39gdQDwK4hBKetCJWf9L98O4GAdfYSEi5i4Fq/EEmYqcxCOUtZPb8Nuf7XF+1IwiMOL8MIHxbKKAUhY8zRCLQ19lroe5LQERkspdTtCWOPJc4GBNoRUbKRnALaQ5VA7fmy+BhWz234u9edKeS51+OH/eKszKihl7mFTFSSiBXKngrtxx+k7NAp1XMuGhjYURyYAGrR72hIhrFqfXdVB9lAdpCFDYBtyYYwy10Sg+oXiAtB4qgTy+aneAW3MNPInKp2JCH32L63DfW0IluIMw1Fh46+YVS7IB29u8JeL9zku8nnaAGSVMcSCtZm5RdqF9IU+SJJdJ3pTznxCmuwxtU8dB3UsT8BJnljUkJURJbuRnN1SWaImZ3BE5dP+uLae32wtiD/n7UEHS663cd/D9KFB3Sn3Rt9OAuEUTfdQIIyiDCcBm2GHo5nZKgJxWYC4+BIK6IaXt7rP1r8ZWC7dpPg/oPjkO9vG8faZGLMN+LO0KRxufGXvQgl/HlTOGK0ZAeYguiV4JLUxSsXYjC27XoX3UYEPYlMuKY8yMUwMFMFD3M1JLLuto7kyeuJGGyZFxY3eiDitwbzyP25TiQOXWblmLQdsWsDJ8ZdCYxqt7IRPFv8zgTbhCvkl61V6P7Tat6Tzy+PwF80q1gW6k132/Os+/eucynPMQTHZwI8C5V6PH3wx7EtiAC7aTvdI2ALJTajlfXKbx8jzoMPghkJb3twW0L/ypTKdXYRgV2JWBr/4zakFOXAdnxt3h6BU8cfrEzg7LDYvtmXd2e/szIAgu0mga7+bwLkNjZiW6rHB38pPS8dLL/WNS74A08h8M+tOoRCdkGBpVRCFgx85exllrAbKRIPioaTa+4YWjmZ99Co0ckmiqSXrAz7vVKPtVDe8EriZWOCu3dKwU+4KdcfvRJ3qKGsq0CaITqH4uB5WiMF5uBw3Kixq/x3pmkyLVdyavF3wrvSHgH3lGTzouhczo/wPeyvAtejRZyPY5Ft+puesfuzxFWrW2iBqb4UIQUAz240GujF/cS8RCVkr6kTYKitcFjBl5Eo1iU4LI0Fw5wAh0J4wM8D5WoskR0hbpoU0mZOU5kvdhLQ/LEMMtQustuB1m/y7QjMvZcVTxA069hCLzl7QNKoU9iYbnMj92tJinK/iwHNyWpbxTY4tr/PYvAK14JZEGe3Y4SstOcz3xNErGxMdbE+Fkvg+BKTX72Nxg1Sd2CVc+8zavPhr6UcBn3RgIY2TbFJH5sIdLg/lpzYm4P93YKLPg7JI0s2AgqKBpcFJ/iN++SUJFFk4VNp8d7YA3cwzU9xPbYKRYWXKlV4Z6RPC1FGrGaEOM660sZFLQz5E8c9sWYEL738W6GEZ4SfkVihfvfUcYfpH0EW0rjE+5bRq7bjS9S/MaD+n/qt+D8IWCzbdhAMxRi35IHe00AffN7gcTr0f3L8Q9gUt4Dmvz7gIIqmmYIZifZyhwPWFsovnNxOiOQ/a0PvFU5gwmS4phDSpp94QaomtXA50sySQhHAAphEEiipKFNFyD813AF+4v0lE7NYcw5IaFAryoBrDYNODuTA4shv/fPxdSgFltk/fGpmBwhPGNrWjcD1fqLoP6JtIb5qzuauYXMGCBGJnUPNWTe9qQPb35eqEuDGdQoroM2eRWZ3Cdgy+1YYz9V693bf2jSwZv56CSx3/YgJCtU0aOd/voAO24LcfW982yHJ3eIjWBjx3Bg8GnePRRy3yH3/GqicvEma5UBj5mKqa8dEAsotmc59qBmai79hF24oagXt+frQ8t3WaVzwrzGZIW/0Kubgy4cSjEUCs4j23dtvwyvuPnCD57rddzs0gZzHMq5eG++EAYN1sdB6YxMT6H0THMhEKTvzA9fAjqXLoezft63rN7U/bUOm6S1pE66c0/xdhNDjR08ev7YHKiMIIW0WGlo15Bwcj8IQZYOTgUmBMBYRgvgieNL9GBftlVTOkwvBBBgQsknBjPi9uJ0r+tllTABGPBtrItwXTV1uHvDLl3RkbUBf4yHJXgTinxZmrxVQYjDATTgEj5VP6Vs+Gm6c++2zW//5lW27wbqH7+Pu63po4EHlzK4/Qt89fraoQXn8ZAt8DVzaxDM++NzaUeEP+0S3Fzdc4Nv1NjeGn3xXiMFaYnQCQomvDedpQczPVTUgWVhYSx7W03dSRb8ICg8L3G0v5xBGQaBfqZoEmcOiGthpf7UwVsCmLPhc226kneypiQGkdBdlBfiqh9pLVaIJQVcXFX2GDuA/O6A1XWwyMr9SBG9JgGMvmCOWqKopwAQ5rdnyGAUROZNrsWPRsd59jbXjA21pwrV1dv1Cpx5FtHK3MAYF6JAC1+gi3NlhclU07pNlHWYOeY6hXR8a+QuUVk9TwMsFEr8KGAh4rahAFk6T0Q01nek9fLzigx25BYnx+309hxzaancoptvAUqQO4FtvjI+zshJgGaqAHyxzJiK+MMz6VyefmvvDpJGPOpCJOAraPqfTvrJVfn+EHk8CPaGn0BpIRo6+4FeLclrxkm1pCc74rc3LhwyADDUIrJC+DOL3PeNZ0fgdFnFpS3Hg3wGW5XmUPX9n+qAIBSFfHqptUoKTapNDDyy8CMWjp5FFH3trqhDVxpdjAZbn374lopNNpFNsAqTSHst+CwyzjJ3/mihTgrziKpcK9EtODmDt/Q8jbTvahD0Yv8U3hk+UmRt2FjpNF9MfvnNs1H5rrKrHg5ofpkBBRzqrYkjNmYW2BozgF5mFGv6/oHAmWcBOaGaGuq8/XeTaI7+4J8sW+wmxEVKfvvZuGLSph/zbstHbWj7u7IEcbPrXGAuRtGVSgcMSm4rQhbd7ILI6Q1S6+kKuYcSK3Hwqj30g2oxj/EkmAlq+tiAjp5PikoID1/65T0z65/em0GPuCA2oZDXdQXoqjb1erzOTHZzidnBfMsomfGtjbPjBqHbYNvQ2yMNA3rYz+qZbt6pbIM1Zq00kEc0NdYg26G107yr7VuafOLLtOq979sxlFsEGqbCX+bTaq39q8D8iSReKOcATtZLjgnjWrwZQ1jHVkWsGnhZO9h8umI+ACvnKsk/U2LJILd9YzukjgGyDh/4bkzBeo3WDZ5vEBf8PxP6/YonaXADWFvzCDQ9zSG0dfhiMemz0PUZBvoYA9VQL/fXGAr7CZbEPg368ewE2NBhMG+WFKVs8dYoYYstsqSPDQ6z4PCpw9MlMUwhegEqSf6UgvK3OuD/2CTHREVunW8oW8MYFkYKaqklXYAGEiiIhXq7sKq5dBsADO2FQRacsTt8BzUiONMMZwtZ273T3YKvn8+dW8KliFWUdcyJHNIEDnjVrl6mY52w+DGYY1VD99J8/+DCMXt356LNvo16XHhRGMk5N9MySSMaJx0PI/IwlEBlDBb1X2Kzwj119zAYENV/02h2XI2Ua5LwjcSO+KE7K6ObzqzCDHI7CCYNWRlNXjZz94bTIUczxUbxsVeCp64IHm7OTtRJiapcTacSBpUsfe5zMu94hH0bxyVOaiJXGy2qSXjrBEwcn10/BPJxd80jMIH0v+lP5fbdffoMZBSqzGnXgAyA8NTd27g0Zha3TbRWqHFxUmVagN+wKNbQPCnoRJ+zq7imDPZUSLXjBGNzV+7zNNPXln520kZdzEFdJpATOHvPH28jUuodJD7SL7j5OPVdQvbWB5DSpR/At9QMqKmyb/+oyolrL3Dv2AiLoor6P5ipehR33ULaqaDVqL7zNrfk0LokNtjSyN+ncl8c108wjdgyRdz/T2HqVQVOg6kRmJLRf2ZoYzCbjq1uATS3uH/Wz+x0mmhL0sgqeQV87lBD1qL7adPWZUPCgn8nrujqlFBRVZTX915fE2qnV03+UTrpjB3GzrwSODIBYl1ivzhRUJ5KeLkTpswsXq3QI9oJosJmi3ZAZKKoOS8G+ruX5yAcop/X8lo4VgUVYdioaWzEkgVqOkaoxHvTAuWwvZnInG9uHFrBeC54/QkP+HVFUgcsq2OynH/AY6Ev2xBSqGXV9rqxkEnmtbmsmU/wnHl2vmvCN7ZHhj3xTw7auNUAWBrO2nVO33IZRWwcOb6ymiB3NDQyINZgEun+TfSP77x3gMZ3xcL4SkY5BmsT3QM4/Wei4wFt+WG3BK581ZlxIUOIQUxyow1VKSPh1RgOhfpYgYJbFlEfP5IxXax7Bw1xRJwT1ZdqUCKydVEGHfLfQhAFcsz0nZTpGw++kg5YBJFMnGtSTfNVCKEHVkA7yo+nneK3RY91Rya/oW/UGAUI2DDlxRadaMNzYNGo+GmIMq5mFEqoTy3PsHjjN3KUKQpNVuYeTDsJIzJdqTXh+Cm2lvVI5U7CigT+kF1vE/urX8bI+qasd98VwT2mbI3Of2xxwXXFME72XaAmxig3feMLa9Zvu1IaZSRhbTJQW7945VLzh3vjortfBLbWVd8JALlqm2DmMFGDKVqBZZKxs4GK5Rw3amwV5xp26XNzeLDINdwawfs2z0IhFgg/8MKSNUzIwlPPDhQFjaob5AOk+b7uzr2rEMxP1BzcZ+sCFfrNEe/qlIQ06xlaOkOy1fKJprgLBNrKE3RhpobkTpb+VBO2ChM44NkRu7bry1ko+XBV7vfUbhu1CG6sBdsuC76KHGp6fkW0E+2vlRRTOVHVQVvHmSHtKC7o/vX2i1rX6H77qh/fpvIOA9EA9NsTY7aoRMn97f5b/UkX0ddQMa+deNVgqw29eMIZxLR0abJCBeNs04h+eaxKZS4fMW7LAe71Pw5IdNsmi2XUjyA7NmIuCIlTB8f1H5MA6FG++Ihtg+5xN+g3oR+RXzo/zWeKbTdNNB7vZmcf8NTztPZjVqeGGrxF53b7FXHRKALJeseC7m+OuTa9u0DW01h0IFmdLX3erZuXfYdIYkpStDnQor9QxdMcG++bWP0c9dnRz4pr6/4s6NlT8Qk+FuKULNv6ngJ+2KD+e+Nrr/OJk/pxqFBx6jO/XWYUfv6KmW69k5KRCYSqp9tA0zApCZcD2nTuSv/wI2PF8R4MoiHWJAnrx11voSQ+XbXge2MaWj24ayjexJAQaNrBtvP01OX2PUgW3ZhU04AMRzKyTsVDBGsNfWrHABTvSls6ct3S/wV+B6B3WNnqe7Uhu3Ohmzp59+3wiMlxR03wjlb7Z5SHDyqKA+onii3K0/FJPes4AoZAiSJB5aTMcyYg7boagzamjEMFk2GyHFjeGJn/gNEWbp9aB1GRnx/okn5KDmrQqSbKjLxFbaviVf2LSZNpB7pGdTp2f8oXa3XYgAir061vBD68+aBtak3zQsb+i5ZyW2RwAxhBVwvAhwcynwI7lhgZUcnQCrdhk38j9GxRMUCEvAgvYJAMXHmj87+waq0ZexFL3vQ6CTweXti17SqR1Qt+JnDiK4u/+oZA10Rg90UbJtD1hQAixNj/xnb79Rta4eUq4+IBJ/4+4DjMqHZLNu3bDcWynZaWkIQQFXZAVvj3Ha06Y8kj+ejxxPChHDV02ygXD8Qp1o+GNixN5IiwaoqZrtqTiRxpgueesWRJt8Gk2L1WMiYj5vGwKFGa4KPB8omdqf5gH9vP7yADFg/5IFLnTcqLPj/ba1CTeNv6twXVjNRJnH6RjAILcSbs/QaXDv1PSPMAU6KCBpkRKnX0gXqlPswAHmKpokfbcwcS5osF3PwUbwLXBA3rjaw4Te5MrXa32mUflLnTzdDhElbO7Cisow0AnbjpfITV39PS4HkiqfhmfwHGlrVK2jW2GIbBgmu4KMVujtKOrEBNKr9wSgJ2gDeNtF6JCQbmFA9ewORf2/+PWZHJDN/3Tw5APfQ++8vYHPESXJ8I63LgiVrvokwPWH8VWNYAHvfn5qQbXkEPjc2cdO2HTM/Jcllfn1kJzeTTR4sklHkBX4T6OWV3+/bX4BrskLD1Z2TOfCwpMMOU47C3jHT8nfB/DD4G/BYKk1DWDqcGMEaQpm63KI6uzxN9mpGHN+rPVOyv7LFu4TN0RjZeKKVBUNpIXHefCTd3lJOD0boa06rWHWcR6lwBTeYfxHuil8jwJ6bgFSzpRS9mR1LUaXGRe0u8OA1Dfhh9uTrh2vfpBz9A7Wv6gZW/oK27FLIqSRKVZHIK8PLlq8Qbr5oakgPd7DNIEEG6sg07H35nt20ASf6Xag3fvt5wJBZCgpBFWSUDHWdoSm9cIDQS6CawJswwhNfTogPpa0cf6DZczmoL0Am7weL0Zl0Cbcj/f8f+zu9pp2zFbQa817JlAEpzo0EjxFRUc1HZQ00gH6ad4x/kWo6dywtmTAF0Hlk7PF/+kDXKbm8iNgj38HDzRqzRFNtrqWnXIIacUs44NpASndAiyUyVoSq7pngrI5KR2yQuMjGrKaw480aG0UNhFpSD6sQNzgXqNIqRzBIZJ8XgMEGUew9va9gog5TplDYZQ9eMYLSA6kV8vQpmdqXJFYMLO+RzERzblz5DvsmiM5kVIjrZyCQ2nuQpoNzv6RK2o7gduFaGNVL589mYna4jNUUxr9KpDnhIdUP162YTK47eGSMoaluGAT88au3fRrevJRd7VMTe9VR69+8BUqy6QYbiy1OIE0DvQ/dSnUA6TrLLzv1SbWLVz41tbnhyFHN/ocBkcttEtocWesZbDMUt6w7ctoiFukHsa4bCiFWggyhBPR3AEUIzviwgtQgbkx/IvoHEo7/vH65ocAOrVDiPy1DtbqVOKFwRgYmjbillD37qL4YSJKUu0ztFzRO5DvkYJR69JcAzoWttB7LO/SlUdoB/spVe5DuLF7s991Uhgxy0HdQycqnujZPBavN8wW8CCoZlzLwtIcOTJI/txntcxmfWuenAOdnnaL1zOh0VVMEEEuYwmpp51LsB6pHwjKBTNH05PqJl8HYrAhEwpU26P7Jfi1ZccxFtvz7y8CZrGf2D+GNYzmNio8eEmr7E7amRZzVWb9lTgWsT+6zd+TEn/iGoQ0vdbDjwZ+kpq90aTtidsYmASEpgsdP0g6HlhwShNucqqp0GGkQUBTQiKb5JiqHpF9GM1leNA1/ZW0kFhlOPLUJtJFIS69IWjGeX8my+924Xcs3ycyDHcvKRMTLGrLzkSSQLJ5MV/e+5y2rQkLwgBPTCR+DylWH2TzXRd2V0wxW6VUkTiin4HdgM6fImssz5RtzS29OCzNtq1caO5/kPOo1jcLGb9IGkOlylCKVdq5EVPmHFtn1PY1JeZDZ6gZt90GrjNXmPGLVBcsjAy+GHAszUSSkCyx5hux/oK3d28+b2gx2TkIkgQZ4ZJoxV+zvWvLEUnwPwW2Ej6+s5TeZN3GolBtKYFxi1lJYEPgFnLFQMeMATDagTd7kpyQ9wTXc/m3usnbIfZFoNtA6XlRaJcabYbmIy6/omHE40qqqScu5ezn515t9PFC3ABsJ9bKYdU/IgEQqto4dMHsFr4D6Pltr3imj3xPAVBFwMNdxmP2KBPH6q3ZPXNQfWx+5Oj+ov3Sn3UasyL/pf70CFeUZkX/vjWTVcmzp+98Cf9NNrcBoAmpOVViJiONz/yPWNUhDW2ZJhFM/Ag2disRfNvTAZPj8cvf5oe4xlekSH9MC1cRwRgKEmqof6QGxd5TnAibbMMpLU1LoDylrNPJzw6O3UL4sUf/ujvEB2j3+JK/JOTwbJ944MUdLLaQed+49uLxKqqIzUNIr7jB19bTq6hCmywRdMsGr773Go0A1egmsdP/jiUTOzyJ8g6GtxveG1tfJiMC3wizEQgw4pg396ltPVqCGWgvaMKYQNg1O6uYxNdqSWAHT3xwMps3bMIOkX8gojeUArgF1dunLahHqRXGm+lV8Vc/7WFIjmnoPs3eX3F0d1FASSNLvXT6U/s+zpgE2O20RSGZmTqYT2f5U3gfBV4zGgWmXu206Gu623fRONkJxMh2z4ZqFu/pDc+88oCK9CoqEqaeA5L5Kr5DqfsGGbbAKAT5vhNIlz59Zz/FX0A7mCgnstDV/8kMXTjS/nIKwY1NFWPzqKfGYgkTsg6RiLBmvV+vOJ2rw21h0h1MAF/3h9Aw+Lo7yfhcpHro0/Tjar51tLArSF49qhPuvNFZYzlvT9qn0j3mv6dML6nkPUOiI/B0uPj7iAK+Npx0F1rzwxG+d8N3O6KDb8ZSrmuz9s3HOzPtfsRacj0L7nmgwVvRn1jcSQskgwUtmycjqN5PuatpZloAIzvig0a91H3E/QC6LAS/5dvwQQwrhvo2V2x4HPfjOuKxDAYdGDSoOlfdS8Git78GZsExZKgbHxH4d/mzVXmrIQHhpnKUneKYneMPGkLGZp+I+M0PvhqdqiK/AYsia8So+4G1UMVHEh5n1SMvcy9hPXbFhs1mzh3QD9ZJjHbJnI32IPsr0AR5GZ9qlcIoqAoiRSAbwGMy7JkfGsD7ODTA0v9rj/o31vTzp+DOPLJ4Q7pzs/rfzuxpAmW2h1m3uKAtO01vKkkdruTQpPk8fb6hnBJiizJfoXApzEzdV3orejfGZ1BYaE8TOcNJQLR1UUMA2nK3fpDEBnOhkSmuOb3zkGMD/dRO2niw3IVEZzpTrQ90Nh3H6j8B7TZb1f6Cd6EkwH2hEqS3FjVUDLcTKotfCf3NV1USIW46AHICliEXp245KHCRq/KbQAdFNEy4xiARTsUggIKx/BlxvxX97qJGht3A1CYHR7q5PGz2baPuJcQJvRMEp6z6k5hTVgH7iu2U2o/EDlF4dFetxVkBXPMejFZQCRgaUnm0emwH5cFSTlGIZ+oKwrLcV88ezkLabXPuVAiHkXoaF6fAoZWJ7AYnH0xRkMjd5pQOGlKpsmsyV9TtRNle7WowpWNcrlU86/k4xLMJwLss3QncwC55J7NID5qh/roG499ld+15Pq3QQF/CQKaSo4d+WtiiiO5QVMqvZCZ9UVm4IOI+3ycRr5tl2lHdKsldISIdvyGHzXUlIsWI8XM1XECWBHLEPUnRufy4gF5/nNcCHFVAQdqYKEvxOSuWkC+eF1gQFuy8Ng/d2SrUYwtN6haGMPx+gfBNF+2yqD00i2ZvvdiLlp4YzIE6LUFD2YeYfi9BRUI8okA6XRXMRSktLVqIOtu6huqCNZ2xVYNtL7mrD3bzmjn3OR84XUX6uczQK3upbLDjgVv+M4BysMyWzZKJUt5n8vHK3AjELqFGHoBs6nkw8xKMZlDxA+eCBWX5q8Ua5udq+RGnAdloLysCGE5OGteHqbPHjkLXWhyc6LYAEqEtbeBTO38tgb9/RZwMJL+tw7X8eVgCjOp2Ll5IXfWgnqQiKyfSOfEXP/l5aLx9w+/IeCCci+A4kOS6EKMSocELWtOzIidI4FlsUikuQ8pw+45EaL53q/vJJ5h/VblrpnShqyzDqRpCoycWcZrRuEd9MtPb7Umbb+qwkH22B+cRBNtuqKx1xIIf04LwkTxCa9MfNbIjDXA4sUkMGRJwiwypirRGEh8qpUmY3Wsu2PLzFC2SiIHNWW7f5pYn33qxKWIfoIUOoUOOlpjwB4MQA34SRutuGmg88Uzd3eKaPvmmSTzYpH5AUSqBjUnMM8mYgyUWaRCV/KO2No8G+8JWuPmTKL3XxIhfvjcL+28IjO8frbAtdhd9OQfE5Jlk6UbKbRwhHljdTHKNfbQTlimfdy2oRmOng6WJO8IbegLadv9uL9FB9jU5RJ9U06IDV8ModzXCvcOR4E2CIeW3QuSL3s4fBJfjr/SQ3XqOA2tgkHmreWpaP4f/Oact3mJH43bs1IC1IoQMEUiOYRfX79ywoFCSK+kr5FeFnPjU7PFI+4dv83lggKyuySCZFGVATadHm8PHj2YhDHcEcITLampmm0v7186KyMiP+5AJj035t7PQsq/W6Ln+01csGo/Zt6xH0/vsNv2VRC35LPHv8J1x7DJvmxcwQIZq/iqoiG522v+YAm40prMf+6cjtGvjh6Gfq3P8a+T8QSPgO69S3asn94CcHATU9Y5OqWmhdBjZKHuVaFPNoiZs1VlQzPYcreFKRAS/UaRJdOu6EIjo+o2ElXXJxS0C+02zZ2itdJ/hEhrSH3x9kTwzjdjqOZUzUVmshn4zVFjJrfwekrBjwtTg/2AYdA3xDP5s5a5pi07ZaPQobNJNFwpF6J7kmf+HVut62v/3QG2qI2ms0Ic+KSz+t6Z4xTdkOz1Hz776Ywa+PoEnB5pN3f4BKpp3XCQnolTb9Ttz7hDUxCIetmEr2WFd399WDNsm1oPlGGw4DhPGxm/adcOQIa3cx0kFcsNzcqFoVJHDzwYL+WfIDJuU70XT7mdP55Zc+JyH70oTSJpGldHdfmk7ksJY2qZXMsltmCYeSNws4WOAZUiDWn03KxDJRuKya4FfBsfwWEgsorCocdpE1YMn/xIioAL+gXQfbE8XBHgOODJ7SjdE5mU37JRXMMGFz7HlkYIaSKerFd4ZtYV7y+tZFBHeQ0iwjHSJwii/JVJflLb1jYBGNlTDUhk1ui1UuNLJAzDPveEuVPYdJpNgOnXZVdK3oQUOKPKVWu1uUr8EvQArpuoSEL36VkxQHjCAQErxAlk94jJCmIAx0iSiEbDYVwVZPLEeuHGlSZnQREArUFDDV5/mAndr8ZoMCH6EcHZGzvBRLYWDcMwEQcp1ilb5WQlFWIfhKqvcm147au0J4AUQ9c0ojszIKdNrhNKZgqCBWRwwM9rrMHune415abSBDwcz7le3mXdlsOrgqwXDdvxKrWiYKxOBIM8m1CgQ3lUGMC5lJc2hh03GqkGoKFiDSqmyJuoLVN/eupqVsHX/J+o1YLCWmWzEmZjMfRBcPB+rQ0vfJLxeJCsu058x4o2nKOcLBQkqylM4DHNVuGMk04CGtD1hl1xvYqb90QXtxVNksyi6XhVjisJxspEJKTwKQs65fv5LgwVhVJkpxzLSERYC2Y5aMQqgLqGVSjrkmCg8qVQL+R6pLa1DsLVgnkwD+M43vzUcmxS6UgQGJlfWI3n4SrAd9QiOLJ8bl9DT1HHg8GHmLA4EEhJrO/jhZzbguZmU9rkmHC7Z4bQpo62wEa7na0OThMrujroHueCUuIp/Igx/4HsbQ22la8alTKu1a6W4gLcDSSxrkjIy3FMgnpHEEicEgEd0pIgJ6Yz24VkCdGAzYFIQ0PBIK7wso2RxvA/8qgjVWfVadKdgDPGwzUIzAEhMENpkm3fnxZz/RTMEnSIjKb+9lMq5Dvg98bfLLHb5Nu/+gRWVt6/8bU+Lvjj0V9IKAzEOy5d4mOFlwg5++kPPClinJFFIpGqWwmKJqjGlLdX4NYj40Rcr2yemwjxQjozH6GX1l8DSEFarnvKEi06VOsLuMOXMBSdBRrVZJTsGy3X/dTSievHTQ6wMtRO6aU+CttESmgW55URe20DwAWPL2bd61lIqaslP55bNZl9fH6yrERaUw0yTL/+FMGGBHHpArTd8EZWrBh0Mo7YiOg6PfxE1fyth+T113gvA00y2TkDgjElNkafcNan5YZ8RxetKkgiA/5XyDhfePg2aaz6bc4PmzC8LV1DoGlc+DCBR1YcOHxsBjBOQ7VXvQmytohT6POv8ILLjyBkBjFL5iF3sr9D9RHy5vFhl2ygIjNVA5nRLfsAKqbu+0w+1l1XEZ+aWAZTNTbIgF3JuKddWTDlFMOdaLTDbmpBHR9TuorC8GB/wQVhTaYySwEnx+RyBcfbSBMX3mQpCtfggeKrtZdiX82cKtsuRcHBCFdEN5w58Vj4AixCodCA+SCy/zaWTbjYYRVjSkkmNIGpkiQ7yFS+2Idnz+we9+bbDLJxx4048mfL4b+n2ZDgeg0voi7gXm22Lhy3VuqpomRN9Lw6ZtBlUoJ+SrgsegQEwpX+degNKFz1OnGAZof0PuplVHgfAarOccyAyAksG9/ojGLWzWlr0L0oRF5fgu7tpFlJaoho5xyorwUqkjGlIrl2nNjlcTj02/S4WnBAN62RuU9u7oIsMNNSq+rK5OJmquVTdcCIlhpd9CXQ/99pqZOzIMWLiI//zkaePvxK4r4ijIN0XysMOqPWTCEGHnUbeDtuS7su+47FuQs24S2oN9UtwW43cOaym5LsQIXyUoNECzZbN1b/Azp14uFoXAWw+G9UfwY4V9MekzDPH4tQoZTmfBQEvqL8+OwpE27KWXJ7hWbaSKsuxihPwiKuFqzmr1gX5HAAzUfHlRwyu9uNYLg2mCnGnRBU+WqrKPf1uXFTP9TDfD2mu6TPBwU7M2rg7OWoCFgCIitWamjeCmVkKfEZ76U97Tw/AF9rMsz5LFRvm2ez6gqhMigPhykZyFbiRcSXE0WVXIly+rxpa2Sntm9tA16vB1jvr9+Kt1tvLobCd2Z8yf1JEwXwqK5Bx2w71ZbVv94RTECDcVmqGsI3eu7dtrDpIF1mCyJrNzk2MBVZcux8fGdNjcNd/fBKc5wR8mJzlYQ4L9aH+5YLJuOI+avEs/7V/vq1Z7EtEaaSa3aahHrDBlbG6GuR7mWcbItGIYB6pKrBBfMo0IPwPfhRYh+k6tGO3rox0Lp6bOr3DoeTq+BydBN2ecueXI3OXd4hv2PRXLlE14yrFIORHgQYZsGxRKwAg1KtHOjopu69XA/scGGiob5Qx7Zbb16I7g261M24960MtsyYlqpis5u5qPd8BUAfe1dPjM4+e7g5t3kbz/r83W7U6TXcP/LAXqRe+CkOivQFcpDpTcZCPm9dU8xXTvePuLdR/VuJQJkFHOKBuRxvMxSLNd94w2S1H98qE9YsBhS2MiDUjahrhpKo2FmoXmP6t9o15HdQpyHQYm2jkXMXD8NbQ64VZUu5C/YA/ns44f3i+IyyxlHNVTZDd0Pan6bM8t4LFRTbuOZ3oO95Cuw5BWniCD14kLq9AC1y33swsSKksJzULMWIQtcoD/24olootnyYXVoFCUkQGT68yuyr/7e/rdcILXGutdbB2AjXS1gD1JW64g/ApjaLWgTbD7o58gbqgjJ8gmbOjIbJ3wSlfoL41NzhnvyypBJngDemQ+wwMYlYG8ypspJsgDvaUsipsZ3gINu4iLqAbExKkxn5YFY/7E68iaNlXhs+2Lq9aw9ngCx7WJf1jEnUcRXG4/Xda0hiZEVCMYGXLV0qTbx90eMkSc6Vkg7ggXHYGhpDnvYWOVKu/hdvlhSnIz/Bxv8mxtK2K9ZkucaXV1+e0NApb/pWzYd2zsAqQvTTvxTA0E5e90PMXI/vqglyRfOKDcXpLGh8uncMEV6FJbGi8k/2de2UXeqiyI8vDo0qRsY/soc/0ewonCIpFzn5Oq2kaSmXpKslSZN1FZqqvmFRKFzNRr1nJqWEIjM8O8UdpuBtZyIDSJJ4/AzFS8DFYq2SSWJT0ex1wYWpgk9V9C8386emSIL/tLT2ccilzklQ9AnhZsLKqFPt1U9zdIexZJDGl4AfTjeCNhoatKpesCO7aqDeYMvVk3tnfdvtNvDLucGF3paOVHEsz5eKUfdiLbhL030mj9M3WC+IshYeUDnaVxtoOCW6cOiXtZdkOox9ZTXjy+mCBzECsiDEYHNoC8++EIVHRESXsrVJwEjmDoLvbiCVCvsQ1H9eJd9aQgvKiB0mwAn63wenqz/a9pr9XgHBR15/1sDW902ehHtpDyQwxVIJgGvuT3wzpk4q4zo6CmEJ5PB4aERnpAEIbvJby6l1VEWaTKBArfBrK2iB2mPRryh4ML2MtlxdGx/ShBe2pLkt1Q3qXUtNhvquIoLtCXTbEycfoS+vztT4TM8jeMOvwLm+VI7h558k/dMogTiBRvnTt5eWP52e03f93X4ueMDaXV6EpJbKgGFhLm1p4lHkxK+0MYx71YVIHu9NzILfPA2+3rJ7pJDy49eibtQjVhY8kERJqDMUximGoQwyAjs1ljoqBLBkEC3Hraai1GoBASaraSfp9NdHu40tAORAqYmGWWvOQ5ZV5BoawhhMpKwp4BIJLPmQ+ZIkyzIL1Fqe001pRuWmwkm77EPJJJr+P6027VbQCNOo2d+aHDbW9WamYlSShV6RkzjkI5V5WbD1id5Wuso3wCU3et0EuR/5PT0A64hc3Xj1Ys6SV8F8q6GkXUGOYwIhMdWt9gaeA1Zbw3VErO68eiFn/fnY3ORSglXocI6pbeEbWLp9U1V6InM2G9hbn148a0rt2yv97FOnV5ab53509ua+bCO+OvpzmTDqS5iRcsXWaL2HvP/YZBdN1zGH+CP1dY0Uzg5CMaXZmAGaZEsWAHns6do4moGwj7lCKd1UzRV533S4HESr9Bsg7R33DlLjTKnWjo+AjnNWzQJvjPjcsTs1h52aDRCtYiPahWCkv7MXLqVqx9pnD+yT/ptcLkmZDrLl9JugCrl0Ra/IIAaeExWlWl4p5/LrwyVxYYu7N1QpzVpTsw1bN4EEhGJB6SH/+FvFMWxmsOqgTWfiXBLj33zEOU+An0ikFVQfqzSwMnh1LlNVKCZsaWyytgtz1I7IXS5r87YcglPe5Po8kvml3MPwyxhyVkkmVB0ANXMNiDZg4ts9KW9XV1Suy6RzbecaD1cC252sI/NRnSOKDMvxIbpQDLvn1Y0W0ZkNONYiD3p0o7b/iKA3v2/ESE7X1tDQTgMafGnlxklQqM70+FH6dauAljFBeRj6yk6LOa+5u0FtUeP+A3fHdi7ytu/AvVXjNbojjj9MQg8Rg0zLXn0yCJ+lQx2/+pNsO1H3F/HJ0Bh/xroOjk+HnSl9oQf9Ic0IUMjfTcL+Rm9mOPZPiCRP2YGvA+66AVP2DceG0QGDiDisd8+6rwa3fZtHQZ/RWuhHeoXCocyWjNSa6Ob++q3Zyeiaid+DDB0+/wiehK+uI2unG6DD4wd8St1D3b5WBOjnTs4+G5Z2XbHjo81wHRdWi1zQuRHBbJ6DMDUMTdBx6p/kHDR/Ioj2DLBBAWve0udYF9j2U31lVSi4TxqvOA/9L6V//tkx2qfvtnn/yr163PFDGRyLDMCWwWvK2+G1SXeKlZnxJ4LWbkmT4arzoN+Rm8vF433yY+X7tX173BHfEGUtcpkXiD8qIOXYa7oyNxKW3hDzofr0L6KnAf/M1G2fiPYgZmFsybb9cjAZm989i+7snft6UQDXeGbDMBbwvvvgE6bXiBFi/z5hP63oadAH0cdmkQLR7pLVedJXyqKDWC/1E+K1FkexgjJxAjOazCqcfW3Uqa+GuEZGFy3ahX9E1CH/gTWl9fHHFynN6TeW+8xoEuEQn8Ty+Pa74TdO/ytKBepKMJd1jyBTkX1cHNcJw/sK4ACaCbK2BMQ5N0jmO7kfqNPu5CKw28XG7mJPb7NR6UmPBC1l0qDmG7kQcBiF5bEAR2h+wUOVpXFRWASJhIAFVoxyhGsA+40qj0aINHXsgYVRqa3Hk/C+B1hZM7tSJ1OgioYJIxG3U0S7OYU/XzsT+42XpbWE5FED1clZrVesS03Aeq75IaRuH2PbCBPHGEIUOXTUb0cGHwszgJoCQh0Dc4BVhT0xJjOKPAUNTCx01d8zL+wGJnBK+22b9znjvFKZURRG9xJsuL1bYpY1pnZz+38vmfcn+hsGZR0FZTRxKG7/IHHscuBg9Z59sZ3J0WW9BNGonTpoP63X5kpX7Ak3ISmC75MsPmDDkinEo7/2R94uTGgpiCAt/W9vn2fLE6xUEWvCtYUJki1yqYi5DMOPNaa4IQd0RpZN8l5aiGfqxtfTI/+5kekRIR9OuPbM6ZlkVYpFMO7fnx05YHToteoAvv64HikXMQQdjYikuFsYL9OaWLuOqUDUgmF12KBPzDP3QEh5vdxL+VWPMeq88GLLZLGK5i2DZvvDfC93C5bx2a7VjLqdYT+53pRBDGj6u6TQIy/adrCeOMhLsV8Z3uZM1wbivkfVNkz2qGaILuw3D289EIbi9MAbX1ulmIhdo9T2DgbDE+0byfHJkP5GrY/3255gYLzyAmUIWLvRyeFuvgWLDCdtuWbL7zWGbSvJHujZfHzFRu0o2tHinj1z0lqpTwvVcgx2Uzk9PD2bhu2wg/tHuEEqDQHHS9V878ALGuOinJSfWINbk10kCQ1esA8p6GMYNsc7w3KE5CbSUpxx0dWI1zO+u3rRJNBgwMWgqUUCn9SSuJC8aLGR+PPREHSXEuc7oJu/g3N9sRzDzz5OBbxbmE6wUWYLqVsf/wfi9feuv3+cCx60dpcC0s3NJdGO8li37vn4mfq0Gk5jqHP/S/JZUMN1ERiGu97LjlME+Y3j3EyB6RYL0yPO9L5ELx3j/33VUMA/JcqodCi4ITDu2IhgMKtK2pENjGm36nvI7GgGynXHqdk4ev1GyZMH4kzGXvVXoFGvaJ/FfjmDsyRU+c3aWi0D7PolT3F4WbP/djOvIZtJmIPXbpQpIaDSDDN2FfVFWYKvq0oUtYxP6pN59sLqcbFcsUjeD7pTrmw8upC1ZDEDVkIxVrVKARmsZUBe2dJQd4qV7c8DVgg3sRTjVaogkkk8g3dl+z11pQPViLCjxDL1EaLOw+d1CEitgkgC5jfc99kWqoncsyUllbsB7c+Isz9T077xmv+7Y7z7QJHspsZODXfWNgbf8wwct3bw2ZHdkfbSsw/Zor8OBSxhn5fzs+UJZwBMp39fBEXbuBE/5aCdby6PW5GFrt62gWukPY9/U3UT9XBBFlnuKWtTut+5AgDZ75+UXxzgsQRQNK7A2nRvq7ELlIHk1gNPJDzABS7qapynr04x9ni2s6E3DMACdeKCDw39hQBWJPesiOZA7LAHXyMM2sPWTKK30Zux21214OORSee+TD/o6Xozgni5oOVblyregnuwETaRpNJht8Mg0OJhwNcXooSp5/sQeeMFrMUgustU4YLCdUGuS3fHe3rpm3FflRgHtYvYJL7iCgUHcwcjXZWoY7JkI4YWDALKsjIbnQY7BhMFQliIqUpsG88JWYN2fX/9QPhLv4zzqszI/hObgFykB4BiE7CyRBTaJ/XAxo2vZklfRwugpVZzKKgZet3dzdQfDPszibhrlC+JreqfcO+L9MOevZ4KhsglbAXW3Suhsq94HMRMVnYA6e0w8klqA9Zblbn+Fpr2p0U3HY3RM3mm0UvN9UkU2bN6YL6YRMPC0aijZ3aHhbqhRJ4O83iXEUNfdX33z+IrXyYdXC2PpgvmM/StXbFMJ+OjE4RPO1RGQDZN2jR/AAqtIIVAego/6o5hkHqvFyoz0Djrc+gbg6QUhLrXvmThUfRivwRujzRFrLaLu6N1KNpt443Y6t5PBw5mx7HdngXnGFcj8I4DdcHZRDI+41XcwLwpfMr4UwNYZfPhta3ge/T6ynC3Us7JpYqUKwUuwTB+5uNXqEJ73LnJ46d2DjYOAH7So+iKISuwfCUjDQoxOnJ/vDnLnUbmsTxIbWzYr1aMmqSPZHMX747Ga1V8Nr+wmF0D6IpbJhHBoCx6qGVSK4tnZEkRFNE6snsiB4BNKIXjEtCZ5i1EXPjkdOnMLOpUgOFua3JA3HUyhv0018Pmb1ryZ6Kdui8qIlPAmZI8DEKgv1TGRGD95mQ6G4C54M+RMZNcAyQosB2xjFsreJJ1ZdIBLQinAfQAFkq76IkanpqgkXIiXDRD9cnDGgxcjoSCcOpOn1VaJiE4wEfcMSfDOM8lh9rEuKU7gRV0EIclzMdADS4c/4O7ggtcprbdbQFwchPlvBL/lX4e1Wh+Gy3qMoIxTKz2Hs/n83lsDFbRhKsgw0qN0Glqi1vnswBENOzGYHXw87H5yVzCVyRKDfAcvKBcopyuoIUx4LP6q7/lG5XTQHZCf8Pc4RuXqjZulk7uPOmYbIdInuwumE5zoHuRPVdfinX4r5/bgiuxdjeuJlyETtxx1H0tVK9GwT5zRlboStDKGAXGDnv5G6fYdHZVam08b5vLobyxwnPCjap+/ZiW1MsjODwKOOZuNg819NsjpKALNqy0fTJ+YBLYiEqoiu76hsO3OfRXn6fqr+UyObduZZRS43PjabbSehkjxHF66cMIHG/+p3sZF3M7s8Ct0OU4buCBqHfttN4tNZyvCuv+ql6cMbVFw4YaNW9W0XCHWsMtdcadNVbAN2o0tIfZdeRcQHL8MIFKr9wRV7r0g4rURaVDYnt+BES+Qoqwbq3Ro1C+ab2wIR39jNOUFTvRb8ghG2hG2omYYtcIZ4VOefFo78ZybihWB7vebxr+38zv5LZokeQKrgx05U3bx5Cx4zX6Igvh0CvZyQMo3zRS+BdByrjgBKyAZ1d0jZwSlDqGkQL70nwOCPUC12BEIbkZsyfXCC8pMlEWEOKOZ8j7fTK0V3ZqRRm+yyb65rih8w0ByM2PPtJj0UNT/I+EyampWLt9Z+64PNv12H+J3aoP1n/Ux7159ghUJOmEJ/wx2s3CWgBe1Z57K1ahSyEN2ZXKyxffWtQywaJ6WVkENfrp1RLUZj+otKAzoBkTxNYtjXjhTQD6cAx8gZLq6DTIUKEtLRKa+YB9pJ5rTWkFGVVTUh04pg6tGkrxLdymwo3mZpIDLAjxoxjgDEIsBBQrT53QfSMT5EEls+UeX5LqBA1KezsKCgCLzcA4E1jFRtzbJd0JDrAR3p5Mb4OlbsywcfOKK8B6Hb8Qoj26zVwN4oUru321Tg2WjGmfKGOntwWLCbVVl5wFAMfxqeDRGoU0AfkpJTWQ3jNlLwX6fXtphNAJMpqmoFlQpYqcCgoLKEVpbdvP2gUA+tXGdx6YHPr3W7Fo5/kLH91f0/JqvP60kz7hmLm006Frda1lxFIzF/KPddW+tG6kUhcHFlQoA2VbKMqzMIP018GJssDNp1QFUPmqDTBHD/THCdtNxif/dJrYZev4tW2EQpYvnkTuhLs+S2HipwGtBMtR7hZnkLoliAz+bJEmaHSiRmqylydqPp/rap2y5a/FY+UNbbjdhmdOvPZsEgtPzOB8okWm8/BvXzCw6VKRFtYvweFr/EmMFGQ7wuh4Yc+ELCvLAvLFYoKnuXVlQ85oBtViG9DFRlmTy8sJ1lRkZ7SEa+KHTprLqOdNycR6t26VC2MuKkBHtcdKGK6bdy82g3HUO+WHnuCOlh+TTmarlhYjACIvD0mIxj2Wpn9LzC+3GuWmoLVz7e3aiIjeUh2NT/RNFjxJn43vZUI5K7LYQXAjYbZaZH95tlwMxQa6ztPgOuJHB/slJEOJUEKXWVVuEpOVq8rriszvN38/a+vtN71ev92ZqFs+kFIBiWBxUqg00EKsUU8K7enFq+6USD73TbxPRoi6JDE0vchXY3v5dNBxejSiPC2yrKRRy0imja2kwVuwwA3wkAB7NPZNJJ+9OWzj25PoIP0h9v/zqh9PU1Yx7bTJGlYTI5DinC+ceK/3h2I1QytTSrzYt4sGHdnWY0GTMTkv3yhGVeCisMQ/3RpzoOvOSbs9kW5Z8NOraO63ZxyWuyV2Rm5x3tsy03AXVStDfBOy0FmVOSGbXnTrFil25n5nf5Edp+wK53zNxWLfq5vKrpKdyMEcpqmvAjNrPHnXvddVKipSjNTkW7JMfWFzE+qbUWLkJee549q6caf++mRnD2qb0uiV4Er+iviSW6JcLcsYWHhRQzyNZzURpUYPJd8Kljiv8Z8AeBa0CYDacGjlhmvIqzlupw1YK4kqLIsA40wfIQ9cSjEoIAGmlgF1svijIy/J0gjUwv88Nf0fG1kkg86Nyw34CsN/ZlovmwgRZR9BiFauwNQHRND4MERV5HsKzClrFEvZO6q1IQITyI20rmAb6QCax7S9pZ2PA+caFiP/Jsqx8bsPXT/xWI6cUhWdmNCO8p6GkMFwxyjTZ0QuzZy7bjkfrQYe4I9RP0C1Pa5vBNidOefoIQ8I1Ju5MZwJmYMAcX00whGACaoyIDaVhGR0hKx96uWYyoY9jggsMNXrCgMMNSzAoEHbnbPkgbKz7EKGwyS2y5CfRE8VUhHWNXxZru8KtIb2Ia17a2sIsRBbjFkQVkE4YIdYXtiIQYRhiR/zXrQzDbggph9k+3Bi3OoYSCxzjZIzJB07ou+WGpNlPW7E4xFPu5hxV1IXqht3+2A2uZsg4Ux+42gXlD19mm1WWhdq4Te5208t9thNe/UnsaVKD7yAfR2/3DIkP8AT+C4CwOnk7Yv7ejCwrb12wbIs9GoiTN92R6tWuSMAHlSZ7qjNMNMk1PqghkbYZUMQI+QBfIGfU4BiEt1m6sGAYeu58FNaFUQpp3yNqSFkBTZpurLHpi1xSLK9TRjgaXbZcTDE5FMM9oacJkp7ct3ONbD9Nd2JbFK1mYgF3HduTla6RsdkvosW9G4fKbCqqI+f6GsgxTmU5jmpKgEin9cRwHSraJdE36319KcAbf/t6hGhbb3TR/1veiOSUJ9UPtpI72Uc39dmb9TZgCSEKSDk76uWSt0qVF/Xf6n90nZCTsu33nCKQhEgcrx+grdNN53PyhAOeBvVkbVKjulyrdz9Ue2UdlZmNUR+lymBOYzxe/W6F7H3FThYDuUWrHzOpatPpyxSUno1FF/kC25FGdmHQtsUyHG3WDN7tNF/WdCDgGe/MIKtgWYrRhFHTSdse77Wyk3xkGqVai9BrDVEHZPhpJAd9jTAvvK7csBeY5sUFiOSIGX8BULOP+sbVQOueYy8qfcX5+ClRnbhp6QfKsn6Eg9iI6CXFVZj2rrsAl7B4nRI04RyaKjdaKCyL1QbbijvULUCommHa8PEMxrXgK18st5fmmAIBZgR9kyvpTXagUk6t29n5o6dnPJK0rYrIJHI3ZfZkakpMJU4ttfycbM88p3TiZE2960LtNuJAUWx7ZnFFdltH0vD6TLj4PI5uSgQJqQ4WUDqBt1ULZDWOlYQRz07EA68h1/3IP+x+e1bFdYpvylZuClEDESVTakgEWkDcnDdiqgcrKkTQCzBvt/Aef//ji5GemouQxrRmZwxmUJqhMcLS3lqMC5sIXZoSjHCUIdXGKrDJZM/LsYEMlinyJ8XP+VVPe38SNdoumta88Sf9G/nHx0LgGnjNr6/Q89rMmwXyVcoYfWcek5V4GVyrYoHBHjOXBSJnQy6P6lhbzBT7R7NiqyxmFVBTxffRoUI/vOq1e5RbQlAOy1nIPqubwZsbnzzp1f0NedRef6W0r3nWpaNhMTfMR60p13drjDbYVsE3+1d6zy3U2+QaiJgl0S7pjUiKV6wXlEI9JOeLnYYPUBtv2EKJZ6Nv7Ss3ek/rNhVceglYtDogYb2/804onJFZ0AC3wSsitctB8TSTsmDJWeeSSavF6nJ4N4iWUzEse2tRiwnFRVG44kCm+PLALjTS0jkRb7xei3C72uEoLRLazYY4VJbgsINx37xVTDD0MU/g6rxWGTLStiRijgdWvs3k5oywsNtE/JOW4JtDvzAwh149UrOOEFnIhvbo03Q7lr+lOPoKfI6T9ohwyXCABN8vvHKtVVYpti9UUSsbN1vbRndSYJDIh6cNXir6mFfb6hKCCwuKBvswLRyQK8FNOMzRT5YAZH0GIMtdrbIlAb2JnU4Fq87UUujZV4a5ZQjAlyzpzcYWOaTnEudqG+1Qp6W0cbL14i1eArPE4XXYyw24GP5gUK8gr63n4/B4e7EH6Q8rrJt47G79BHwG5xqqMZW21aaOK5GOT92jH2vcTqmGQO14OU0/o1/2nkhPsgNlIergw10NiQ7E/rLrTAyNj8ClVVgPZPM9FzwxpbhtP4nPnHp+LefRWpJWTPYt+fuOD1swL+4zENhnBki/ABiGLUoXqM4gQHD/NTW3O/PX4CBBMNqgWwvoI8Z4+3mg+6zIAw+JurEsBasAeKjiMUa0hhacv/dF9NJho2C1cLak6FWKEmmCSEsTPzyJ26PHsnBKPglemnPOwNE+jnggX7ftqKnfLT+WN2NdMXSIhoiGw6lIXcO4uRErCXQIg6IEoHhMuTLx/0XEzi7a5VWH6KXyS4c2geSUzSXxEiW+2JrD/dC1ClALo1rnkivvgpH7/zttW024GC3sfTF6w6TIzlo8GEZOTVRplrv4juxnfG+BKLzvzQWCspyVAVRo801YKpHj2WU3zmmVcSpfeagDFfnCNw6WtBU2ZiDln5RVW5nkVRSmu8oosif/oagLDsFcd20S7DgNDrAhRzhm/+nHVV3kTYFq1T93RLafkh5FExg+uHj7i3IxloEFmf4iW4j6DGpBols83q147QljyXoBej/A+Yf/L4D8kY+HuXz8P6rNCA9Ixu8CyfHf8iAGmXnAXL2pLB5yG+DKeViA4NCka+U0bAmL2lLwlCH+5BEZ8t8xaOvFl9tbaksxIfWfdEOeclNdLEvtOZPkdTixwFLJ9O/0L6Y2TB4XcprMCBv4zowNr4PC5GRMq72W6EPeIAYNaeAvwdoTICaDcaT40H0lMB1C0itkwRVWFsULtA1aV7ZDK/JCadU5bkay++94OOD3TbBnF0iHPgPfTSEXU6tAa9T/zpFzmd/+WxvLorQrajjH+lbdd4rls3/5ILKgKUi5xv+Q8sJrsylLf+q95sIXZvSYaev2cRWXP1bZlOrUacXM20zKzMgbNQHdsfYbkGuHO0E6zgYqzZgRsyHPOCz36MUx0vSCZxxEZiCgW1D0aGIFGXWBxduLYHlZy/+GuiNbgDxjffZWsuyI0Juu8YmaLzzeRPvjGibD5xylj7uqJhqfxj5+aXt9XkWkaNiidMaH7Umx19RWk+YRBu+qfRBOKlD3LDf/sHvTgFypDmOFMWipMxtj4eAI+SsBY29o548OY1vyx7dHnkNdgEJXLWurboBfaGdgM/D0E8CTdgHFlRshyRiAeiJ6s5Gk+9fuOk4BQ71Dsm/RUqqp3RzQHAFR781fHHJAProluJ01L9GQjThFqjMRj0Gl8I5sriTNEEq5RoOdCNz52JUzbKepdc90c6CkDEKlZGdbv3QB6UxZwOB/pztGuCdy67SPGvO7+V2g2CW4GIgOEc6A8bgY4gOP0E69U/6dfTOL23BM/EHCwq09PPrkr28afKOjk9AkVmUWwUIBY5aQVlTTZCkf3j/9Mz1EFr4UAJY9w9QPlkiFlw3NTNPjfJ65M7babeTsOlQ0EghARXkqYAM5eN7MLdaaTQFp+h/1O8ikbwQpLaRy9T57/MucJPdsnSj2s/ZOMwX7j0sorNI7cPXZQtJp/669vJjdAq/ucdDjUaWK2ik9ejevU2hX0eLLgCPwczWmixb7chdrSRgb/HD4+cr2Ejuyxa18VuaYA1564Pzh1x0XVX+817aMSNt+bXs5fQp8o7X1R4Pv/ysqBawYk7FMoNlo2tWftYbPwCkeGllowlRkDmf33pi2xFqSeH2qId5LV5Yd7OqS1ruaEk8E/c4VQ+m3ZaloUn/r166+u38DTnu+34QEQDalqrD5Ri+AbuzVe7mEjtj5XLaFWgn1bSabGP3j/6bBfb8+cNbSc50PHRUKyzbqJWx71znB2oOyyQA4/Ab67mDrRYCg8oGuxJ4KwuyTnSC5JKu1KqthdFKOSIUSwTITEVmYDaP61RRhF6tujLowUp2CAoVuM4923Vt1s43jFQt2XL/Pn/JmlJFLMsxBTotd8oJNIO5VrXMPz69/SEDjWQW9KJm5XT9E5RamQIkupgfkbs3D9dCsbfXRPExf617BXtz8IEwgR99c/3xmy9vzGF3MSa3qUbSkHkBSAZATrbNkOUjqoEgJj8OoaPPPL1VmN1A8R9zA29dX0QXek6pa+nvhpPJSgE+b0Fv6Tb5t8gQ6RpQRyzoiAhrP2kDtvutvZksVg1VESoYBNzdVsoUbAMrZZcSj//5aCOuT5dsWA5Gna2bBvvE2B0GEafbru2/Pel8Yt3uw0KsdkVFTwqwlCHjP1T0Y5SFXMnzPVrwMllg+cG8k4v+Wf8rSlGA7LPhLWoNkZxThcFRa5MoKmVchS/IyNNO7xdedCSsGoIC2pLeUEpk46de5tXDc5cnWQNud8gWSC+OHJDPf2np3KLZK0pUP/IjiAAepl9HR7BToBZ1GtBU0PnAsD55/TU9fOt6nWHVjJYfSv1Bl3rxYPSd/J0eaFmheb8686qOXwi0rIf6Wlb36tIV7Wp81Qa/D42KCPkrrdNxMzuE3cscEWbHu9W1U/zMUXWGRUZgVNSCPke3Z1j2jsYttkYwfuzFtAkLfbEE/5xuYmeCF7Y8GtKHpzvVgyz0jV7n1Rjv634HmFT+ZmU+i+wOgYnohD6untiKE8RgwfPM3Rysr7MEAoWmPUlouQpKxoWam/0HWPPwUrO6k4ski2u2MgQ53BP/3nq4qtdO04x/2NKQc58fWelcigEuF0LgmXPzwcm8Hq9W+k4HluLF8wP0v0Bzsm4iS2fVwotK51J118StnXUbmHl5GrRFjcEP4G4Ps+4vZx6vzml1mbZk71gPGDcaSvhjNGm9FJBQrUnFKnpYMfMLdlvjJbmBXfb68eZc7O2Wpvz+7nPTV0pfX80FTshOT83H5/95TV8jZM7czg7VNVRiCBmMYT6+MezCVuAJWNA4L//ZrUVXAetTvjSjRmMFZQPFKZ39iCTj3K8GrMYfhwEceKmILNuxf/C3VlAhWSRPlHwjhIpXli1UOtxaW1906P89a1NxDqUYQ8Lsk12c4f3MlCv+waN9Zbb81RRlm7im3ACdZu/TNXj0kPojXYA75G5p+6BeuLmPwSLr88OTugvssrMcvZCHxB1/pKz2R+zxaaybGzk//tdomHXt+rdwmvv+P3+Vnb1aSdrYL+z5oWuP2cCrtlpNb5pk/OSp2IwHfFyHVlGxrR22aoAHWxF6lohgnXfrCasPu05K8298IKL4OfWIuwWy1KonQk88ICuoWVfaZnJA6P7y/gEbDJEYn/pd2VP08u8k25kNFpjlU0zgioUOC71dZbKPBpfrTyQX7ZGjebE+/bGvP4XM+WsjYrHI18k2zviWkPZtVcxU0y/nlUbPpH18gl3tVMWJxvBq0CmnFPca2oAqDTXk4pyP35LebIRcLSOSFVrx/m5SMXiU83mMw7Xy/VK7CmxH+rpz5oZxoqg+zmOwInwspBirGPdTbWjQhhaJccHlj603yWDFRVHFHAzEnCvnkofTFhfkG+W4Aq6zZ/MF3o4srH9xsw1t5AshS/mluN/Qh7rUxEklWfZqJ8Q7+bCtTUCqSjjoRX1VQIEnpkK2n90ojsrAblC5C1ndX/ozFFl5cuf03NiTBcu698dVpprhihgwesqXnsFGYWT89Toa1tyWD+6/WNFKdopwUaJVjAuNYnulA8YO+zsbzKS6Z/TYxcKGPtQ2tHW9ZY289RL5UVD2WyJGTgiVSqvMVLnabLn/ulJU7A+Lx5D06C8rxoafMpmQp9nIEGioV6wmujM4pqaJazHleMM85zLXEoQK8ZhiAEFScJ2J4Yt+9KtxOCNytILL5SekSw+3YyxhQNZmBAhS6xV/iBLiFFTrtPonF0aQ2B3xW5dRH7bxv5eMnPxnrL1uZYUCFrLY57kGNFSMKg0FskZNYmntbOJJifQNv81ehs1NsfcltJ+87MXznFO49MAHkUxTbEBngKgGWtTHxjoGXELGKTLPlQEbD7sS/SbuJm4bUfrZE02bC2unrTC2LMQJ4IhyPnRAvOhVosQQI2qhXG7o6PH7S8kpcyulmMzwtShfrZUwjhDWykH3uZfAtf+dBnIfPXvNjcgrTmv0z+svo/aCfgqv/mflVzLytHi0xcjZttqGhVGR81Atvqlv9UDTSrn9geOKzaEgy1akEoj2tH0cdnTt37yOcr4bQ1o03pF2R9JJLtnZC11h2nimjUXNHFm/RK+iSNkV40sKO9ymLLmz+F7qYB//YM+ASqmvKcS/fV4NqOJfBxO76T+6qSlXdjZMhr76PV/+QNC6jpIAEwqfVUD+uXULDvOGNdkdxLi3upkbVCVWVmp6bSTsJYe0MFssy+RWZEMDAFrxoYHHNXiKL1KHqMA7qo12XOzRXsP8jL3lVdZeQDgFWjwx1elLh4CoxRYiwgduhJ6KCaHCPwChQt3H79W3H3vttEuTn6iRB04Yowk1kMQ/whiufeWca8AuAcFk+APSJSh3ZklOVhc8G1y0dE9YotGEEdiieCaaCuUOLdiu3ViQcnkAe1cLyLGe0Q17Azq9shCiunZMhl/UC6JQYzRZ9PHCkZX5BtC6AFN/bKledOajOgSDBAfMer5s1/xaXE7NWPdt1RtPbm/0N4AC+cKKS/N8VV5VdIyiSYYB0MDOgPbQkRTD+q4fLorRHYHd3uSGzIzat0tcWH1cijVXU37RtTgfxdW5XVMprm02tlNdU03FBgJcPHVvynnn8OjB3ykIzO2XFIr0WBv/itvObahnSRcGHygbyhbIJR7sZpWR6f/2pUk8utNheU19MQdtRKyShBW2d6ffv3iuY2R2DjstVnIIy1PGgB2/AbGgeuVXmbf4uLmCVIEUUebtqfmjYv1ZnHOLuAurNUmH0ulwOVg8TZr+HkWwS1u92gF3XDE86kPszOmmNIKvvW6/9hKbu/au9a2YsUxeTkYYBsXV5Rp6ruqaeQ3e2TgYXkQC55hJVa1lKJGnTAltQBwSapXw9cGWoqUK6KFasr/XCJRDX+GV0web27g7XUjFG/EkxhjTLsVlUTxvgnxKG7BxsFaK0ZJ2VB4+6BTIN6rzvXmjsa5KVt3sGRdQHUN1mhdiNHa4osTzXQLM23TCa9ugvbHDUobBmJ53cCMdjK3QVCt4i7JVT1AFUBR+7X9fZzs/qpg41uGSS6uSyIpo11cyIcaaR6cZTTBFrd/veh1n7PfsUQKWp776Sh4b84QmRfZws794a/OqTGlUUF9Zaa1kb/xxMhRsWD1n01oDeXEx4eH+yGLGQnmU12s67mUObZ7dXNjaO2G4qMfozg7TELeeVpGH44vr2gYIKMe5LpwoRa0RCtslDkPQ3d+UqyzMQP7iU8uaVqcWy4Mz5uCUmXgMCAmMGZCaAhQKZuGRKVnWNaYwstZPg6+9dIxuLhf4hs0L9VUMxH0ucwHqHtb6SEPyb5mbej8T6OhbhTAg+tz8IbhWMpPqkbckOZx56ue/b08glmWyFYJolGUvP5gFmJFP4Mo5tni09XiWFGe/bh55ZVCXQbc4SvddgbCBWhdxpWF/qfNm8AeZmHXuCTTx7rpNOi/pSQv05IV0n02kIse113p7w9dNtC56ajV+/jkI8kjRC5KTRQ9+Yok1k7iOnifDlXmIdWsd55Nt7Mx3L+H2i+7O7IjHvRE7TNjVsJbQkToyJ/IYICLIQpEQN2oKBHkPe1dJ7K6psnPHroNrxxttU8vM+wo/Kjvlq1cumwwYCuevW7BaR9wI0SDnbsA9B2xMnuywP38HwkR5QSjU2uNC3xfmx1bQSe43zbWpGCFFlWJ9Wl0mUsYN2Qm2yfG2qwrhtPeZL5GgC+kY7hpB2w1cNh2Z4nKe6EE7qDdsBKLkABtmeHy7N/rhxyr1byNcDlylzfpVWoOzVG2welVFr0BEF1/6ZCPmOieAIOnev1wZvAEJfKiDTQlG5ETQe8J/xE7Z/Q8Wwm5j6Mp9kMFaDMulhOsibYq6Q14FuscUrcWUrEp6HnJs9A1UDE2BY1i8lqAMKctMHPY6MPezU36SZmp/Md+hMTZIGhjEMl41hW6/9859o4gte/kIyST8UdLcur9YrJcwYUpRTATkWMO69vWv3bP7eABKtXqCLxSgrqjUf8ttDFhkmAc55zngdPU1Ns0lBfObbxvN2iDXJTBgBSacZ2GDqlURYMQMnlbwnCI+k6pyRczJ1RsLL0DDfhCJsRTJwCIWiOVEykg8JtF6wLOsyKSQRXS0ORgSLX34rrwXskqXAg+DypZcp2roVnwGKrjbYchxfHUCk0+GxxsdxBquLXeXTw+5MEfkLX0jeMLr1HfPKy0gyy+5KsyxarygByDim094qFL2ekVU6xgTe64MWhBCFOg7IsZNMuuqWVUHMt+Hcx5cN3lb2ei4t795OABfTtHW+K68mc748oj09RSbfGHV1d2XrN7pF5fjiPDolJawXealsE4aKhOlg4/K2f/syLbOAL+dCD3xK2L7m/juw+5F5zdl2wu4eKLK06LeX6YoXiKDKsB7gftBZexTejoCdt+1Wn3CcqfxwS3GOH7stTfAxaLs5h42K92tzKbzyPk7652FwWnlajqAH2HaWCiryKDdodmr9kqyVF0B0G5kJlxMSldc8tb70BPlCUGqhezvTD3pSywUcjkA/JSFvUfUzQLJlGtYiMkLSfMT3mr2ArLtlIq5g8GneoiZtzv3wkUAArSmL5V1rj0ty1zYorv0P1Q9SzCTvU45PYgw380+euDRr7fwa/pMWgIdQXz3TqfTtlgw0guj4NG5Uklcc2r/W1aoAHpaGDYY8KmVNwtyUqeMMKiJ1wIJykWSHKNjleacvahOPwVTu3Wg6rPh9hqTzi0LOaoVGIzX4j/2FHCzyeIvms4Qv/YWo16pTQnXAP5j1WRx/cuQfXU6gsvXRfvvvhpvTP56berAAiTgVU/pwUPZ27lSHpAQTZOvAJbftlN+r2Rn3q+GRGsy/E2Cs/RYOErfzcdbxlcxu5i327BTETKNKCiF7GsN357iTir3VjEkSQam2fd2Sp85V6Z3sGnhnOHBxy3mzzhLsi3asvVLX58P5d1y0J2GnaTD0BfU9+SkFKCv8i6wJPGniB9b1mlwHTRY8GFLXK99mZ7OvYOt80y/08n6btB2fPfrRXNvpzfm/tnQUvs0sEBaBhZiQF2QyqOm+IRTiAD+Cu3NxsRHT959vkUn3c0FWP/i2X3MIco0nQAY45HShBWyL6y9gT3Y98pqG872626I7u5ZOTP9Q4wLUyP1ltdNv6M05TkY1u4ZFMa4HRQ59pjJIgVy2dRgufJzbSTKvMtBjpKpLhSW6gWVWDYoG2hxwYURo97WUcaUkCbL39HaessAyIVEHEsZE8FbL6qno4zfwIhlI5zBgJheJlhCX3lzC+Avah7pRJeQ/YVu0X+IMb70pMWkmAJj3dnaO197jw+M43hjkykoApog3ZbuBbkFJLawtpDfpMhD20CYqIw00S1kWyBBm/1eYQATQEIzlZPy9/eanv+qCuQ1zsH88FqmQZwlFEbAmFLKA36/1ELO2N3hXVKj4/YaEchNNtd3GPDqj6/nvhfQOWW3w3BfJNasuhTQd+0NoGZUy2TK/IEoIXtI69mAyI6Q2FcEQ6ZMwbGqSmlJBWSqHtimYth32fXb2HsI80rC6Zih3b5APidjVIzErw/ZcraQ7cwcoPVP1mCWoWoFWQ1CW13mn4mz6iHdZ+VEgDUWTpDJiJmBDlY9KED3x41nitnEwizO8rnAPdKtmDkhigzwTb07pXjr9i/di7fZzS0NTFbFLqyO2oeb6Lmh9yoNuPZy0XuMWvvCg+0bwIVHIsvoQsUKaKVx54rkLWPcB/DEFwwy9YnxMmKRqjQBZWnJF2AoqSzHAmjuWGmTsHFg/iczfWvkz37Hv59rsr7uYEWpAlQ/yHbgJfPuGGWeedHt7YNA5XdfiMJW2QzaqDHC/+/og/QjgA8HadYEv++vvpjJTlXPI5tnJ+v/ONuTdBQqgeNwJnF4o4cIHI956Av5qoQ+BO2oLaP41NE/bpMt1uLrwYz6m0iUOW53MzNprBzH8c9ufOUzszVZTCzdnchjJmnFp6BAKQkOekrN1ym4Uv6X1wfYpcHmaNQA1++JgFbqOi04je+ULmVsbW6NpoVsAG2bWLsICRCKndqPUNzUSZIWadaiA14yP+q6G9fQdfLsKaM9u7miWsyhJxHuSWXNKHk4g77SXmDuONv2AlYJJHtqn8YGw0/kGyZRCw5A05G1AE69l3pIagOBG8dNqNUrcgVVjsYb+wPwjT8pYY/ZsGIqY8/5pk5n/KLQk0WpNgMYVGSKVeqU2n/6RR07E7WGcvDgnrdPo8/9QTMzG69TmD48omvIuMmQ3fKnfqGRmx/5bSxZI+s9xP2tJ+b8W+zoKIHVmpeOMfeEmLsf/ROElQyy9GP6HfUR9vKu67ILa8f3O6jsWUw5qNcTojax25gywLBau5FDUiBaBUiS30X5seUhC+uq8ZqJOrqG+iQBlhGEDvy3XSTp4Z3EBTOrKY6AMHYWauCplufK8iF96EKKGIyrNyKR0hP2Akh0mfrPPeZKfx5WWVeXURYoi1z6PwHs1AclYFoOLr7qzuF/AJcyS8BSrN1aPnk57bYIG/2ILVzFLNQhXmeRyXHXstrWhRk3Tjrf9kXmRuB3HeA4P/LER/5hLkg73U5/pl/r+TEAIEdUwufgBmfpl8ja8rc7Q2uNSJu2wjrRpi83n3CiXouGZ6i9yrthJzgX+tZ3K/tK9INfwRVJbjuRQJYyCYgH2Yw0m1hsoAshASTOBxcjGH31B+2Z8jZ+hAHvCrC/+R+WUjsq6p3ffiA8QuKuUstWc3Fu7uLMyNCbm/890m8pc+i7u5cufXKd9YLcmqdXv7KGXyvZ/dQ3jrT/Zjr4Jzw69SoFqPw2wrVffRBXBF3Cgr3Sa0wIsEek9Q3GoEY4YsNBT3Kh4afERGeQ+OMXluk9oATrXvUY8IXVhIuY0teUq1rNKbCOztWuCiE8s2mkbpVGrkm+8in/3jP/aFlbOLegsSzubGobjfQwkXqg5Te5j0mXF6eD31gEv/ff/QHnoa9JrZsmV6wVH9DOY0ZuK5jST5e6NC/VgMuz0g2g+CAhy7GODuRfJl17olFbY4ADoUcDAI78QNiadb1+Ybn/dvhZ6TXI36M/BP+h73zjOUsRW+rBZz1M5SA4+t8GpfLXachaVDANamqE3Cq04Ti+pbDL2vLPibaCe8OY9z0AKlJ9lkYjs1wLy/+luOEYnGw+fB0Rs4Oi096XP7munwmq7juDtc7fAuPVB5HbPrVzsnN/LXDAfav3umNGgXKoWZqhb03WBsLtG99dOdwkglMtti2h9oEpi8qbFtxuOP951DmHXQxnYp066gKEjwAa7gIu5NzCHiiZrd4YuucELC2jwq5f3r4wBD57CzBD/jZugcXc3q37XUffpR9FK7kXvnff70LB3eMs6rIfCOnBD43LU8oXxUX0LKDXR7NyXmJ5RhH4jGqLG5gokzZh6o6U9Pv8cM9oFV47MIlvYnXkJ5TyAnSfNwhNsEKAwItYhEHUdhzECR+xgIkmDFQEnoo5jQGSpTg/QQY47++TnNigtmqHKhDUJzmjbBFDejIEb5nB8uIk6Bw1THM0mLHmxyv+e5okeKPcgq7JanoWXg8/KNaxL8ZutBkPGwkilCio0fugFGIyak96Li0W60jVQeHoJ3ckD61eVLHmYg8qLiYvT0mWRzWuiO6Tu/Lzpz9rfPA183vbuTB7pvH6Bqa13jr/s9jIfJYJYbpkTuGK7IROd+USN9A2/WFpX3wsqJWffTJc8F8dSzG+ZWrjVhzE7JuIpUIfTvcZl9rKtQ6UpOsD9XIRUnFavsZ+spNp5ytCTQAa3nBSb2gS+cIW0MDjrbflvdsgbXhppa+aDzvB0XS0WAHI5RUg0PYuN7A+RKduLm29hVFdgas/OTe/2kZUogNW4oHYf1AzYSo01kM0m5jcvQPJUSdvubr0qZFwfjGKjyn7ZbtHg9aIMUIcB1OFsm8ql20M9PGsDbpAwq3JvvN9UwP0rOWmjOzObkhV8LDp+WM7BrmjJmLpsaWPXn0aktGSpZx+QNaPQTvocIJDrf3K3R95A8GWC6zCSfWGRtvsTH9V2nrsRpu3DvY0Jk8mxM2Xsr56M0QAQn7Zddp5/gLMs52gey93Hc0WUzdEr3z+IHdDQ+S83s4nn8BDp/7TfGV7NWLyNLgXu9AxdxHVI0zM4ZoBIBa5RYOTaEw/lz3NfyXu7f0KKXE2EUjov7+1ENQqD64cWffaZeDAc30P9loq5Q76DULaROD0BERlfvetUg9euIXIa4fYYIe7MlCI310ODsCLpfsx+8ueiPDvRI+7WHl/Tt9DvLZQtQX/A/pyuo3xS1oaMzWxzb0ivViiRIyV/xtqphUBy0i93WM05O3U5XduN87CGZ8L4RKwRs3uSeT9gZdS/tnCN/kcxHU54P31HRPtqZO/osoIq1Qt/ZSos4adOfxZB5hgFPg8tkEoqA2fRmHkaagicYTrZyAxsQ7ht3I8KfV+RD1UjsGUjH/wcJ+cwpd3OUXyXC0HYKpWZYwFmT2i6f3CrideqREqBuS+W6UEru39QWUY3ZUBb8pZXu4ZvMsB38C78z6c7m+nO/M6o6HH/UzIBOc3LnTPFlGi3C192MnOuIafGnTeybfg6aGvTmrQ5lh6K3Y1+93arMZqYKdwpcIwbfH6zj7gDE1/RH5kJ9ARiM2/KQnVTsG8l23AjHMSBUbpSPpwBbNbdTxL7gjfpQ4Jpmqc3U/eY2t7om5rtZX2EAPYyRYz2uLJRzkpfhaWe+iXdZSznv7Gika0SXdSOgSWGpuXbdQChcEQybAlssh+53obzoWbMUa3EL+yd8Dsjb768i4Mzv0MkTtfxf5sXvoSxIL8UNHpPqzJXf6oFcg9f/F6BiY+xvfB2VzmgJfdeMtKhiw0bfUYGdBSLCTUYsjDyoHEz+XsmCshYoOWw8XL9lPxPYEhTVCW2mFAWnlQ6+sk9Wuod1Begtw/OO+kzAsQB8m/z4zCa02m6ciwyR7k8s9B+6FPvVPowC2VbtS6+Jb0dWm6F+wikjmIdsXvu3eBS7aTyCGH9y/xCQ683ITZZJpNS3UKGS6ee6Q2gyrGfydmR2VtNd9ozxV16pmgGxXjOqD20IWtL33YdLiO/8+sJv8kWqmMxGt2CJ7JOTjHM33RGzkxgfuxo/VjaIckLkBaXW41KSoeUhyFD5V/n4NmF4f5PFJbkmEtuYOrbjm7nwddnsMbW3DdP2gh+g4HQWv+HpgnHftj+ao4GwBzCkgG1Ft85Qamsi6ECpR0ahxKZusXlqZG5Nw5kG2yeXLBofm3Tjhba122sViC6ObbsOt4FM48p5aUi++9Hmvlv6UvW1i6KCUdnsgYtOffT81cAdGDdC4iba7nipcj6uNsIwRjlndCROxRmMQ4Tnz36ubP7/8u7HV8TmPjCkh5kyJ7/NwOvgoed2F2xoU+sklWEJE+HewIm3gbFJibgZzVYhsWkr+wrgy+LaoR7FdbHUaOLK8TAvhd33PPK1H+ilzIH7cZ6NCiq0KzzXb2zAPzCJGjXn/6J6tYzRq/9EJw7lkSIcc0h7xlNU+nFQ1vvJm+F8u+bF/Evjt4+uZX2fdI6hiFUIxTZhKXNchAFQpgHs/+FyhGX3KKeo6cxfc6/3hH4nyn1dlYX/IJVuVWVtJ7gBwlfWaDPBLnKzVunpMVN0UCTjF22sP/TnXkyufyK2PmQf8lI4spowOOLTL7n9OKIBfZRCZPaNWNghdLtl3ErJ/Cx4z3GLlyCbC2UNKu9OFG9tEQwNo/Aa2vf1dev4If6JU64WZuTo45q5lEbW4Pt2/vlIAlH5ZCWGO8mCg45R5MmzVv2h9Y8nXlUWlj4utqzFTVKTFHmzWElJgOXQX4z+2+dO4TkNw8U0QEjhYWJDAPP92yb+zsHD00ZcKzYavNShjlS3oXDr6NclqzFIWoVZ1QgRMkFTQ28sVESVnAho+SyQ7TtI+fYfFvK4aoyyj+un7hfNj5LOD7mD6C1I9b56B/ISQmeTmmYYTr/+jm3ZM2S4CptPnd65BL8a/nAn/Nt7QpSzn+o177Rf/nG1yi+fAxBUEx0n7ODH8ouVcaY1PXhKKRxryY02Lxg5ov+q0X4Gb9D22g2uFnH9jtz/75msL6NqbtbYsft0fGC9K37Ck9D2VV1KZJRKQjcnICTFUJDUZCPjt6BaGuw/pff/zRCF9CqAaDEJvKhaUR3opCQ4wXW/f+3pMRmla/+vid3fmb9dfc2v/aaVwnvRjeDGx8mWf6B4V1ZI3c1w/bgEl9pVavVhnyhuZF7UsvDlfGrVPak1PEfXf2vPnpPxN7gYWU1rnmDQ6wxlbWwYJKIEfuWXVq/e/5HyDwmJW9wP+tH4hntuG233wHRs1j7TaQC34vTZkZmVefC82SizCGqYEiQijDMvHgYAE5+R3+piYL5+6Yo49Nfu/+ToWF+2yhEZ37OmXIfePBMPy3SF1rH9jyRPiepHk1meL3Ec2i4Feavifkne9dYjJ6t24vfu2gopt22eVj+/dB+eoQWQgdArJi063ve6KrYk/06naIFo7cOXROADmzXzohWLyiThpxp7I5nSfKM5M0ZPFtedg8AfNm/dR/MFzO/Y54kvLtYUf2n5WVZ/SpONb4UPAAD89H/nmyDUXi0MqjlvNiXNkELf5Pn7qvS88hu6BRSMB9YhKrI0XdAaPlnS8F0+gVHIEB843gF3cO+fWVSqFam8F7J1xVJjxAhpKJbrCLp6aUM7j+yV/7Utkk1lvBO8igVAm5G1dLuzXWMgjYaGyz7/R+/S2AGj26D/Dzq/cTm75/ZWOphFIMXlw6pR+zHJ4+Pi6PpqDsl8uSzONftnnBRCjGT2Y1Q1kclMoggsbA7t7iREkBT9QJh5ru16t2mPTxuU8WVxdRVtb7r/U5L7ZxPU8JyVdybdjspqaBEHHYYiN03KIllk5l/q4fob2LKS2CffxYhFZjHSPxRJXkd9g3itNrJ8HjjGY5LtOP7N7tyFLRRXL6P+v5IF//xb4yqGM4TI66a2SdZWu/9NL0fJSCTiK8ciUzLSKsL3gb+6gPiH1AvX7jvTBzzLW5gWS46g9ADjA3OQ7+WBO+Z+oICNqbEkTGvP/rFch93we+h++d5sf+PNYaCGgTf3pbENX4RBi64RW3ILZqocwrrpFBUVtXhuyS4+2HtAh5seZ1vohDQqfbZ0XS1kSOLptnoBCQElGWFwwmQnpCx/UYkrHgR0AfrpYhFoklSkUfQYdxDzR8UmES3a7efM2lBKuH//3+SYo5GogQugatafm5Q1zE3RxufBhDhBAqyxdDpvUeeJcsu8ZPAhbBzxAH/cipEp/+i2J/Kpd5p6BuRJvPofhKkz15mXvezOXV00YTLy8z/NCFYwR6NKJ7LhfB7G5zuP9CLWigQDzYVvuA3KchfxYAaPPfyB3eQGLxw5qbglKG2wwC1L4tt2/5EJ1lxKNThZL1kWUw+3TtvYeIFP6l0L1BtphWpyS9vCBkEPAVr8I/lGvL8K8xlDqmD28DVBTLlsX1LSkPqHxrBkaxLkFi0deAZrbmOXuekCrQy+/Dkzp6aY+zzTWsHYGNhPPrDaYtX8vbzgl7vK+7/MoBDzpdH6yM4FLMHfKovV/D+Ai8C2clkpyFIBz14/dvyLP7qJ6gxcCpD+JHFlSFRJuTZU1BWioXttfgrOqfvzXKjgf8WgDvfrxaYDM4F8u1hX++BSrnGxHkUpM64q3LiOl8hRQTwIh1LKKSZ7LegEQTnVBevJZyEjD1HBArfDmJ66EsNld4QQDVdZOBr4brhw+WzMfdhupyQJVgUqNOVskmsCm1hcGMT5+5Ozgh1VMqbgxcDCOpxM40mswGps4ShyUr56Ttqyc9ULK8C/barhgqwg4UqAwcDu3vLdNrnOLnD0jY2e/bN1CZqRHex6VRK6Nh9IipOOAevpXKRSY8rMYBm7KTHTbBKN6lyhAB7eqfaLa4Balimb/zjAiOi1EhB21/WijZ8z87ysXvSlKcycrelsmUxXOkAjvaOofLCFMHesCAFzL7d/lIzC/W0YaykcpjMEtejBrQ7w3sZfT6bfHvsNfQrzkt8zBC63gVtQpRltCYPWj2d4CZprqJpE4Nt8l0+Q9Gls/dYepgsyvt1bfYT9GBMPiV57IzwJFnG+tUj00NlCEYqThF7nLw4SMwoKhptgV0WaPkwiKmkq4dTn21efBwaiYd5Ob/Y8NENiGrXF4iZbq1HXWvPQ06J0yrWwSgO635rF9dlTL1sgcWtnuKV4Av54O5x5d9eOd8ZHdc3NsS0QTn6hj78/9dWnLn8PEXKs+S3WwWklsbDZ5t+wODqu8Mk6c004U3C+dnYWnn8Pnm9+0gcD0d+WWrSjpIn3r1xVY2/kJ87vcLXMQe97/xCA/stWZu9lAWeSI28qnbuMNPG6y8WjyPLwCxmcoHSA8jyHHmPMRHO15iWZQlx0pqedmsjYutHBaI8vxEt7V10eu9wRM879fzm087XouoBbPY//ICZbfv60JcNAFjjLlvz6kBuKvrpBoRlv1o+uG32YQRwu4cx4rCU3L9QYQffMkiF+6OnBzkjfNiA6538FHbBpr/5oCDjY2ecRnVMUJ2hRoVPneMF1Sgljn6RagE89hUCfF0WPrwO3Pe/fRb16nyaK7zWVv56MFar8NOIuRouMyDyDTaGHjbcGgAjL0dTXd5RtSggdK7l0+x5KNyVwi/jHUurChydUV5Ckq/fLNJaBqea07SxXBAf6Gn8+/JMjSM5EXGtUY74oWvRJ2o9fedStGoTuT7jPMc/ttbp1qrO7BgOBp0t9z4Dag+VDy0vZ+MkhHC1bLqnbuMw8mcqbjVECv5lJjdn3b5qOfHZlj2ORdMGNHuwaiWYwmBB4GvwmjU0V71RhCO9y1C81De0gAKGZGPO+/CQB9P/l5bLfmFDQkVLk4TUlpFD3U4CdJXRB5f8UoSURWqTNMIKLwoCrwx2meTqz22h3PyXMpIc4hfgMaZ0nZmQiXGILW2pF/fo4mbWdrz1Xq0aNLK0Z3zYQIMOqgh2wnfbbs5AYn/KuO/me5v4BhalXgasNL7KwTWgD2peyoy8mvrhAEy9agGZBiZMJTPrQOextLFqnwRlqS6IqEgP8aLcl2BT11P8SJqz3KM+e86MM4J1So63rM1vkAip/ZVgk0W8R0dqbriovdNPXNnVp1ChaAHw4UjWHHkrG7t3Dz7sxqp/PRffqnM1B5ua6MwzrzKxzWkGriOVCMMiANEPpJU9rlH13eir4lBa2+0ZQdiWrCBSpdkF+4+1FqLZ9Zp7/LxyilLwvNA9+lYv9OiI2r21m6Nv5OPa2ozFRvAZqpaBY7FXC+PDm4085UiSAiiLLLx2JwiQy6wojWql1AkgmSIRSoD+X5tinJyIsWrVvY0GaULObDH/unIglJPXbpLAEk1BQx1kMn7DaTBgRel1cgKWuLaZz1kQsTK+ZVaiLRdjfNlpvFfdVKtNpYT1+UzdeAaI9XAFueh6OgL9k906t0OAylLwmwf8NH+tdImcI2sjVNOruXTigOw0OBbfhWw9sNNuea75lKcglbisSncOqVnH0MyOAHRzwvpvI0cBnykaOm8rC7+LradeGy72/epXj3tzbG04YguzI8HoYDAQD3gfFCE+tOtxcdMYAzsiPQbSxDe7pbkpizTlyG7WOMue6pPDXiB2ISsYDaWtQXnX3mq2SShXdKqO0sR2NTq2h7VWKl4i4wRGFCSrAogXVVrkOKr5V4Ne6sKzy4RvVy5VeU4g9LACsS4jMl2A/bgVSll7dDUamOAaFrZ/BEWhId+bPUQTpeoGaDm4GDHW0+Prh27h6Dlu/JeCTKMInMoJlx0DF2eWdSmrJI8fIPBlhPdbgStbVhBiNdtmC8rfar4FZqJhRor5ZswxHjaV9ig+cMLGuwWY19DNagqZSumoL8Kk+z5lgljEd8uTbdP/4nRuJpjagb58wc5RlGY+6BgOmxLrAwS+nA3YurQEbjeDXjpnS+zQ46TLIvl9usBTKecXn+pF4VI5FaoBwNk91nkGl9EDATj5xeM/8eBZh6Z/BI3lfjTBf1PU+LH/9iYrrbfmHlrL+nNW3UNu4BR8KmKfTj+/bujvOp/h5zgGb0m1riscpAxux16t19+Q0wxSct37a4Rxo2GGPEPjprLW5njc2bDfVC/Kb/0lJzQsc42X5giz8bWNm63tfuyNt8SLABJKAdtgpQqNbRnXzL7+Wo1XZfaSyAetmpTlRbuiPjwq5RjLdcsnnuKJ0hFL4OQeiS40MiqxESFJzePuiedrWSzu90cFPuD8fI6NhHGdF8aSJ8BFOsJ01UxTaJFIGOiYxUP1g43DlaAGgj5Bch/851LQl93sLDyYP2de93E/agJxpSBybGCpEl1JgPMIZsQZKiW35GqckWpKpWsoNQErqNkeBBmpnhRqSMGHGVtPpFqXIajFFxm/v2hKacSs6Hr1zMwv0+PqWJ7KBzN+WvzYyC5K15MnG2QeHzWidkBRYe7Oul1JGd0z3DB6uOz97mXfPeTYewpf7eziFRlc387vNOasSot2oLJoqwEqDpd61xrAhgt9GzoD8fxPGrFx1DwUNtDa/ac1yKVVzgw75wAKEHH4SclVzr9za65hxFhBrcFNtJvTgyQAULeCRKUKYpGcKTHqmNZQAYH0q99dhtOgdqpbyRlKF/s33UhlKey4j/fX0EP5u6uhLBeDmId0Z9zkdIHgB3L3b3BmPu7PdYL6sjpF0i0/VBPuqYDSRUMyixR7zES1iVXdRXieBKX0azforhLXpg/HejgcJECwaBtNSB7AB1Bqidr7SLAYcQYfCqEJ3KKkbSMrsE2Qu8OMO5kYX24EUq/7Z3YAW52EKBouryx4iwfXVq91gcTQl1W2JH9DqFx8SshIgF70C5zFRI6m8bQB9onM2NQlbepVAEEljjjamJj7rlrFHIj9c0uX1IpoI7cq9kwy3ALUeLDgildRTd5l1M5c23UkN48yJTOee9tYK06UPc7hzgdF3ZxCAnyafNO/iRuVbD+Faikd3VSYQFbBsgvKO77jhJdvZFIz6Dqc+cN2S5tbHXxLrq4WJl1el4nx6IUQgxLpUgArCqF9EkCO6Wdear/QHWEtKhePLJB8rVrqaquqX5ZaCFL06g0tZ2mfnS5MXXqN+okePFJpHyIv1RXYbWWmkM5y7kL+EuE07dmdC3VSDMmXU1cYsB1PAnGrPSlzKofe7KWz8mbg4n612uA7LCEp36WJtWns+kKYNVh3civQJLV022b/fiTRGFnt9pvrwiKo2toFBRmY0yQmvi2YYFFnr1KM14OLQ3dxYDho9geurtF0ubRlp7pHo4unQLkCw0Uiekw8wH9cnm74rOm2orSwQ7Xmz5aC253u7nejOocVmAYjs8Xwu655wF0sxeCoKJJqnrwFNweZ/9nxnnlfrO7NWPx2LIN176ajOooK4vkJdetVlmvoiJ4ZeHWVHe2oxiUX+34hbyiRmSZmdkDR9uT44dXqkDb+TqBsvqiYRLA8Een7vkY7kWxlsSZx224572LFzrcbwimLpOW+kqDLfOP9rJ2S+l/HFkQTVlhwnL9dXIJWgwpkYyzf+KX00fP/xLoGXFaCgsVipVIrYyrTpKUqXd6dSa0R8ltQq6imr3Bj82TJ7AZyIUh/347kBJ9vTE4TLUB0VInqftCIlPBlUhVu6laFEsLm8om4DQ50Jns8ZON9cHvXDs10mqtdzPmQNDMBuHgnMkLsZwZ5+Z+KnIVJXOso4FXaF7HSc4BHF2WKiilrIDeHbi+gWN7Xzm09slaxpZqjVXIYrVYRP6oS3GCeHnlyfhKUIc+xW1iO1PUJGDdActLkJGlAxKrfiaRb+l+oqqRrmLQbQd5IGhC+vB/gb7+T0zOBBfxn7V9PsKJOVYB5HsNfBCDCVMuzdCpyLCtOO3LgThZ2kwnlUfCApeURJlkuqknlODMeuH7uahBpPekYDr6Gu9f14rSxIPbeH8FCXGjJ6Hxwu4fxNVyJ9+3fF4zRG0O2ClalvpC4Yq+kp7ub/ZMZU/PzuQxWwiDpuAmDTps3Nc81OTpCvEAuSS2O6LWLrj0+6CECpz1wkOCVMPGreB2daPSr22qKwsO3CDbKz/9kErBi3YFKrmNsblubFN7zIGxu5+sx+PmHt4mt4w/Tu7nd4rR6NQ27HVMSNdsSQXj2Xm6yzS9X7i9DpsbXfUS+kj37pFBzmZtfnv5NgeYYxNxDKsT1BojoGp1Cqld0hS/Udq6+eILXhBBfteo00dEH6hUlVagP+o5RWSx8AGEw/3dVRTNc5POJv6b80cLUKF8EJCEQFJ+AYxzuyhPwGThl9avHNkKs+zqnyEDBOiNMGjU0LWDcHyq+XTB/WCH3NrgOyyPDIxWZ7ZYZ3ZmGxelM/L27FYT1CD2uOu51FMylx1iVScGcfFb3EEt0v4KT4FCMS4JAEBWVHCJAxxq71VR1DNVOvTlB1kolyVhDr1rXPLjhWmOf7+ft2uRKSE1qZRmeMYbO/Mb4RL21dOpe6rWV2d7gjFxJFDzjo7iwVYytgFU0kDpUFOTY3JOJv6HENPNY5/H71oHUIVzB5Qx/LQFKuHgrbz16g86I7XdjRSkm186qEClopMW0AZLYamBD5oZB3nHvcilFs78R2dH5p9trxJ7j6tflELcsFAEYtDvySjRc+kQg+Fw7K+g9fGlywdT3ouvNC3sKoinNfTHxZnj8QPsZ7PzWUlUJPZEe7uYjSgjVx9uO81u1LKBUAxpNFRQJzguCz4SpQ5e5hX4MoTz4yVgY8fZWA48QNS/Teamjqu4QbEPIemoYduuXrJ8T4z5jC1EZpzQXNj3xFOY/fPB1hvkxd67qwNEIwuqCg/VS5UM6otF/8Bt8wfSQiuLqOyfsrhkCUPPrgQesx7Bv85TopRjHWch25aa+6pa6gybgDhZjsbfT9ahRx3cbETeC9LX6AfUezCTTDBmebG22MuOxZkRz5q1Pphoa0F3xx2GE36v8JdTzsxXBZmriFz0zWh8cKdP29IdnD9WUDw8rtRqb3ZJTDrzetlcvKA5aVUu0TB1z60VKen0TB3/0OcIf9flj3fWGP/sx0cg0VrF4ABfjzc+iU+eCq5/X/U3uBVx5etTx211gFLA9nWOA22udo75ziMUfHTKOxkhZzbdvb/DUs14Z5blldgax3UO5Vesn1LQhJNW90D6N+KJYEM6JX2beuDrcXFMGgMaDKmUyuCdAR2oQ223daqdkqvb7kVeyG4mXf0nxTU5o+QBwwg1DmSsEOUBOVQ4GWyA6uReN2pe+PTZ9ojluqpaYyekdJmlpya/Ruz6t6+7c1Yx8JxWM3nAH8L1F6B2gQoI9mxs843K6xwlZr4+c9KgQ+QCjlH4y23wbbjB/P29BfjYEWtjgpyx5nCL+afK6BTbLzECLXTG8nX7Q7pnvQ+mLzoTB3jjcpoVr/GrMwJe7NhbQ3ZAIwmFd1LaUJv6sH0KdugVw71Z05frSdf4vFCVW0obMDwv1Bj0guyAKObXh12QmRr2kvb8C6t123IcQjmWkH0+hBUgq0qyft0BtSSGQxE+rd9VDmeKVLfeIIA1LcV9YRYVAhD3fa8LrmHs8IQiZY475Y/kd2C11PlGDMDm0+KpwMX7qVhRShHt/EiozS3cnxEz6oLyBL9NJunb+JNStTyih7ftT/6obxyQUXyq2UW5fwfYSxeQR8Twqc8D4gw0SIOcUBuS8bGB3hf9Dz2ioHnfdPQtdWS5lvP9kz/TmB0h4HybjbCnmuy0jKUn9tkp8vUJ1RbIwLyGYk2v8RwvwEGxIBM4CTNlBS+mDvKSVK8zfRvichXdGbjH8lNxCNmEN/GakcpjlZ5XmzJGn9AW/daJm8e8B7UkVU2UrwRtZ3jydrP0phUREyahzvJcw4swSTkv6CzhXdbkAAnb14iWEgIvwLrQmz9wAwlZqSuMHBAkIsLxmCzGKNNjYL7dwdrVgQHihberG7A+YyYFPPZG31G2lLEykHvynZunQUHvHsxO5lUTUiwlNsGZN2VnAxVgWagaVa5S42E/P0OqQjjMPI/wRlaUmNPE86nAi23j0GyV3d1Dsysd6uQ6pWWWPmFBu8GY0nNU86Dqo7rFE10PU7Vv/bP+f9eDESxA9OE/1ZS3kapRS/jouP241I963zy896dviI4VXVeFNzFI6lGYMmdqdI7FY+X5u+nPSOBFc1kxsaSre1873GdWjY+oKAtsdczwzql3niY5pveEXXld2piLCSzwIifUrq4+I+jaSF1lFXvLv0Ce68jlv56T823txp+bcOk4ykG/2hLkA9t1UaS9hs9BCh/V/wF92FVZoU9r+i0AT+3hPeiDoaxg8ZTT2Gs3RSwYiCkWqwXuZnZtAL4U4Ua4c1mZzho39TXZ0fY7VlzVWc4wHHi70bptfSHDMOSX7fMfh+qMlVqDHxu6Z7nci5AIwTkQTVpBXxBz8GnCqnxYbC7UjnzXlx4XkJ2xZQf//1/rK93mz7Wtgv/rT+8l8f+vPxub73/hxxXhoEjL2+C2sCuTZTnG6Hup0MlY5UGeHHUOF3pRpyCjD7Na0MaH9wiep69tr39fR85VxYkRr1t6/er33ggh9Kot93zc133RV33T9zziD/7uf0UkmxQVXZKlUGqlW2bKtbJQ1gpen6jTNWyV/Qt9si+O/8wkmAfHZ4GztsXJyWArZ2JmZ2N25+dQ8FurN3u8GfOm983uNye4037v/P2DBv9usLaB7/88a/CyAc3/wXnGeZJzT8qplFHnb/Rv6KfoW+vH6XfqSXwf/qH+pf4X7n+w4RDMwHZoBg2MgQXi8C+UQN0fowDjBkaxjB2cxm1YgS0oQj2OohS16EAfRjCDxfgCq/AdfoU/DVHZcGfkY5zsGoDMWUUPlnTapneCi81A69x5ay7SGgML8tOLzXaZWuXbAlFZibqXPgfmne2ALIPOhJYalhedfcXg6M98cO+SnxmfTwVqbkRpWmPSrWVqwMnHRlMFQKsTodidS1O12WsE4+gJfm2SYPRVMSDSnCXpgLado3Zva3ftex4Hbv0kor34hxe3eEcXsf6zWxtQqMI1ftgcjjUWTw1jHRFLTmOkT7Qtcofa1/Z200k6bO/SbfXI/cPMbnnbJNfD4j1Mm72i4RZgwUlKy4YUWM19u3cL7PcP9pdRbKA6eNQdbhxu3pYSeV10apukMNppg0bgxVsV2NnuyPPoTv/52XCWLNzeOqEBPWMgX705rZrrQMkS3cVPVzcKmaMXn/cDqVB1Ge4z2SNqCDSqQsvQ04TvFpEr3/mQM/XgaHWQ7zK+y0eruGws7UrEz8y3vUMFMdNMvIbcFoO07T3fcCtOzQK4zVDogfogyUojN2ad8SjL6vRqeH8MKVU6NgBTZf0rPag9MGeQdaSxe8g0LM0XrtoyFyIE0c+0Lnp7WJun27gfx0cA8VHT3yDwL6fQ8JOLPMBWNIVMFWlbmSx7pfN55bCuCTY9DMci4Mz3aAGkzx7Lx/D81RHxq/ete9uL7u+6wYWHndPcsN5m+z9+8mjzrbo782C6yj7CnpFhApRkN4dNUsIgzl5oFupGyGzRiNhg/GXagTqjysm8whk14/2XH7rGToH15sgksypbPo9/YnBMCizui1CpjL0Corn8NGSVlVrrho1rpYsy+W/mFt0p3pPPGx7OYhHrHOAZXEf8GyzYBb29eS7BJP3IZqkngM3lT81jc0AwN20DvqRPS8RwxH10WrpR+VYbDVnNl6Q8zRMgpmXHZQjc+unnxvU1Pmv0e04waf/LneTu+cnfbiR3x2TWsTyKuEXDwaDuwEZG7L933+dEXnpTo8K8KEn0bMhgSYugnpJF26g2r36ZTyt/rQ2JVU35JUBMd7qON/94onSudlKDliIOw3375YCL5fXCcNggA9louHE9EFNF5T2JVo2bpqW3u9h90gYGxtpP0XIzDutcifbePmM6frVh2b7bdXbSTCITx6vNeHQhZnGsZMZFLWd75x7admbVarpC1VutNM1QGnuBriQ313Hq7deP3QMyyQijw28/czpUztdiIZt3aI6vXeBHBhuXdVaWn6A3KC0TX7eaSaCnDjCz6oAmWvWba/nypIh7dFQgBq/4IlBK1s5q5rin0mJDjWzPjwI10QOzT9Sgu/16WbD3uZPp45X10qRwSLheTHwMFDWMqIaNeqwYxSHVETvb764UtgqANguDHSYNl565XExYNIO7UToEm9pgkZFEJZcvrFZLVEuub9JuUFFKpH5EPij66KNkfHVfgzStiDU0zOqX92XqUEGreuWHj0ktW+9juoyDelnhXr5AVIk6yymMTQDalxihAlSRyHWG8Dk1cvwoZ5E0ooH9pJqb1b8+M8Ep82z6JqfAs1e0VyZVhDh/YKf2tf0Z+5FjGx7u7N7uP+T7wPHGiWHI0Ws71YrhRQ4Asko4W4bM9Tyq48s4uw8GmUdUQbgF2HvKepTFeM2AbNFASNqiBRWDaCpSP/fQk3HuTdv5A7P4WndXs+PzkpxpaFUCGm/UVRnAkqrCkiGvCcnc2s6otp09Odr9tB4qmeF4as9DRou37VZdvk4mMpgHxGClHSST491Xzws91oa4beFijVFssb3UUlia0I2CBng0F+swGNq7Z5v3KUrlyHF7miTZWaZ6NqohtCt5iAytagGLi1PaCPwic7R9lrkJS2KiJtOQdYjzoNTykV6HHuhwkyzrRhfUMs90QgyXxZ2Y3k65ySfh4dYYTsuhn0RPzdZUT66xzIPqHxKrxZitc409VkxsbFpkdhouG5K6DotnhKYp06zAScq07/Z4KNPnWCAHPFUptiRb8m9xQS20r1qzrrMos16QNt+Ru/hdvpQomG684wxZ/0JlvbwSUdAtykq5vFDZzi8PWZnReCfUa3rVaNVnBFrZADPxjODJnpKEbTfc+Z0bWAFCqSjvIP/EO6UJbOaw6qKLzvRGAuPffMAxTVRsi7K0mis1WxXwxlymqnIBak2sjw9ggdoXq1cUmrNF+mQ/NRdYaIsnxwFiW9g6DU4D6u6St4osJm7NnamP66nYx4v4hbh9dhT3x7uTdeHnPB8TJ+WS/4/n085y/78RaReNMO/h0lyjXfSs+o8fM8OdqeS0QEi/Aa7/37dOiI4q6eMeQerrobOvvG56vHeLquSz3lpzLW13ZneCQHTqvtaLgnYw6LzfnM9UMfXE2iktPg+gMSExC0sUWwxINt4CfHfnxv3SAF+1L8S0kuE0pbTw5YDNnrbw0JoJRroRdf3S2unoUG3IR4Wv9eaDc6GaGKXIsqTUlGnOyQmktZFv2avsZfUyeRmIzEtyzI73HR1XLwCXtRynmJssksc1z2vlC2Ky04XadX86+8lG8ODZU4mJ+px/z4tCkVNB96UuGAa28wZbPtbWzQwM1peOMREfqAPhfnVlpcIeomPjUr87H3SISI1rMY3PeJMsueViVX3Pl4YS6NC+YSLyDj5pSTacLPf7KFY1A9IERbSHLTpGaAdRH6k7QjYUdRP9IPubjZGZrUdFqpaqFdPIMZ1WzGQxTwqQb8dtctW9LoqUksyr8Wa6kdnPHwvDoUmi9ePqwZAlGpwu8HoDTcOwkJidwUCIt81W+qAR3jhujLsPK1LzS2TL2vIxZ3HLBHnOln08spMobW09WE4200nL/b/jjxHSfwPwMSGqqre3M6JBNIyTce5uRWUl5bonlMtls9J86cz+azeu3t6aYMDQYN8ThkJD6SsBuJqWu4pJFaJxUcXONQxMy2bZvplmlxgpX1vBl0uraVq4lCSrC62yQYF5a51vG0TQuvLJyXkbnH/XH806ezGO5AiXsC1k7Hf6YApyuapRlUEc7Bd0pVXIWBU1u/sktXlWQfMzRq0GHMh6qrdixt8b/yli3XP7M/Df9dofo2myXGMiDRSmauLwnBHitBUZoXN2dMBR3/cdXkNN2bxZ0J6NrX3inrnZmJqKbYA0AZ91FRciqAaNz6RQ2tIk5BlZSiVNAhR8zmb2uKbOpi1rWP+itAfYWh4DwhPKvWVTUNaXQx+s+q2oysjS+ZKiAxrPhyYMR2zLw4cVhHdgnErbXvPQ04uyP8kLZ1tRP/kxhw4anFn9ljb09Ky51J8XN6Xxjo3/uXHHLM7DZmDMUzko9xyY/e8S/Th+GtEIfCU8o7QW5T8+2OBfnKA3/pGsivlOJyTXrEv8TLBgdaRL0oBh7w0hgovHTsei8tAkMa6namxlQ63vgzw4c3LQ7aPWgalnnMc/cZMdU0V/s0dG7Bx+NRkFzuhab8zIe19oERWwW/lUjRRtKNteXtaT3Qx1u1gCi5gebRIs6xODCp4u02swYPRArVYLfDl9ZzMNTtFMrTBrppoEtuwomeVFF5EXHZqKCnN77/iNRc9RUdulm7n6iaAxeSFJKBil5wKb2jTjab1ai8VKJcNoBAqq5INWr3KWKdJFJzV58mcfSHNLfSZ2QDxlCzZUvaqpI2e4McpOzHv+OEvoxqgRt+0ioF1M1mZ0s7aBd6T+wpYU+UMhph6tDbB7vb+wi6cg2fP8fhk2t4T2PFpZU685M4A5uEBkzO1/La/Sk2d2FlTvKMX4Qne4/mi9eSEEAl7ZqcCIVhYLaAuvjAlXAVATHzQRLVFSb9LcX496ZlBsyIfFdnllCbSrMRODZdLBfgHpXee2IhMQVcSBfYv7wYE0XLi917s9i6vvWzi1EhChg6cG0dvZ6sZ7Et+Q/MRaLgGU/TIm5xZSHb7b1DkKcpeiTdp/nx9E9Onodx4ZAntsm9d7KI38JjHKRNbBY52tXdaCRsGFdCSU2wzlazqyjcG8m8j5sVu9a2kKI1b/Y0OQOwZeleXthohhlZE64lKKZroHztCQ/mkwwzg1z2HZfp8Q2LjPy9YOrjhfmzqmhbN/3ZhVAPXhw8X8fX8NzOJnWmAuvBchdE57bpzl/fCjt5A9MDZ+nFARnEL1aDHZ5azQ7nARcePk7nATNPV2MGaB26JMxrt+w0Ba1AMXI2l1NYmE1RI2kG1bRD8GnMXnC1AodeR5YktX2g8FZj57/8ZNSyEfLS/nN/TKUE9HjbDaxc2KxbkF1VJW6jYGmp+Lz8NS8qrxospsHfe+UcKPP8cg+/d8ixw+5ilaOELT7ubxp0jkSGGeDpDDwovwPyLTZTcdsWmmVgiOQlGhW4GHDVMwoVGAhOq5ulYDivZRAK0wY9zfdb6m4G1KeqM23emKiHdDw9x7H7leTAAWMjY0CGIDl6HM8rxjjyFkLPJ0h0jvorxKjoVaEu8hmQquuLZN3yJ9iRlfmEyzGK9ZJtCmnWJN8PtdRUmfm04XEfWynpYeUubMZLtWTKWHLvECw9TD6U6yyRdYv7GrHJjT5GdSLbdwB6efZZFlYtpNw5UNidZMCS9SN7oZPyat8e0JPfHbQuRferR+iB9u2l7ba6pppqzwzeHedJsb+gAloo3k+QbNf5lMFy41BT+9EePOAITdab0NBeZePwc09WuKM31vP2ASbuEH0v7uLWZn044FxNPjKPvdfaCERad5I0MpyJwjYFqPKSGacMItIDhU3n7Qqn8XOL/jhK+ECFGa3sssuTrGPGMGXXEQ9Pnian+POTptoKlN7/S9wMKSczUSTJz/Jc+iNgN3UrLGcT+RJdAzTG9y8Bpesy6mzpbm6bPQgodPZIA2Pk0wAHxwMQAIkjo2AKCejh8AwGA7+O0ikH3wHQBM9CZyCpO0fIBvx5GC/yZsy1hJAQA4V/8oAD29XwBQgzFEtsPnQCqvKJohkPDoeTP0sX/eTzDM20YxAgoGDgEJDToMmLBgw4ELDz4UAoSIECNBigw5il9tGEExnCApmmE5XhAlWVE13TAt23E9PwijOEmzvCirumm7fhineVm3/XA8nS/X2/3xfL0/398fSI+qNYGafhKnzUar0+v2B6PheG19c2NrZ/tg//Do/gOAfFZJQfoEOuVq/k+cmgJl2gEwnViTNJGa1HAAQPsAyFJ4AAwYtEjyYve7INu8/ADAYsVawoRY0Pt8yJd8zafU2w2Af6MDoP9RYwdenpPP+RayRJUi1SrUqlOvRpNmADRaZrkO7/TLeHkZm4AEmpsJGRd/aGcAEMcHhgIAWBQZsNYmg3HpH0xF+QvLz+VO3/l0L1dmMlPZm+N5OH9CJhrGHIuscJdfcWRHuL7x/xmglqmVaiO1Rm2ndldvZsJQY4QTc/77t+N//58YxlHTZ431ttgbtwTn17mIsU/d7Za3GtXQ9g504wOhbDTimSZQTc/t5/nPYv1JLYwuxj8F5bVZt7pv3a6v6xDczd+1tbpW1tI+wnEOhd8nJHVsypGjYytG4dFrpB4+pkvn2+Uvyuh6J4ZvdFwnyhff+h7rFwVSVTqJAgUUKKJApc7sBQXG1c3dm8VHn1FQqJgRjmJQLDcnMwdOKrWG8/tWf0n7p9uKzJWrsmbz9RLWJn51K8qqbtputz8cr641noylfxqdwWSxOf/vH3+TUn9ESv//94jEkk/1aWhqaevo6ukbGBoZWzOxbsOmLdt27Nqz78ChI7ccO3H7Wemiu+6BEIygGE6QFM2wHC+Ikqyomm6xBnfsDqd5Bt3Pg2PD3KPyMI+Onyd5egyYCT3L84zkRV7mVV7nTd7mXRSwETAtn2Oh67fwiNieE/cjnNIMAQL4+Dhk889zj38AmRfi8neu9fzNePf5FPA37Z+NlqdQqxmG2RAgfT6UeyabsyZtz1LhFeEjCZgBfZVevMDL8WzGAEBOs51NrLvMP3SQkh50J+GGArKZ8gMBjasI5BubL3vXdnZyAIDvCb0NOBWjl82sddszGZN+i7skhnwCEwMD7+IhZVH7jMJr6GMq5ppwGppaGMEwAb9+4rz2+EJkZtQZEraApDTWReP2R/S9nFu3CGun6CiitaQloo/J7nWOXZiEXh2jopChgDsG++RbYne9+tkv2Kmxxn01Doq7VSh/EfsNOzdoxmQ+X61fsX1HyjCk42d2ZP9fECD45tN6nShLQt8SZ4TuVoFWYee04lyZxQC8kiCpI/AmDSwPwjz5W0/gB5yZgM9KHE9SDQvUH/p3SDqIvmm6rgbXf0lqx2g3drn4/YTaybMgLNdAzrWE4sDE9zupq6gM6I2blFThVoLRJUR3kGP7+ZA9WvXwYQGoJpnTNhk05gTxcLyHUQWxEMdgkkgkRyDXmGGCYQFet2jvGFo7XrZ7iAQzzcArDqepxGAFBVw3YzaHprhh7bDCvA+g53Mk5HbW4pSJUSd+BTDug+suxPBKg54u+RKaH4F/YBzE97HNMAEwv2OmcDNFDwJCjIQ8IWZCnK/8Kt0Ibo3i/OZs7w+M76vP7T2EAscLqWJfcCMSnv1LHG857uwv5DjN8Qors1X7bhuTz87wik2OQCpMdYNvxL5bquIwK+6TiVKPbBL3OH7h9Rb/3oqJagkQghHv0B7bLBjlHljo2I65fMtl7Dlvx0JotXkSr1/acoVwidDYcmaksjZSjgtwGWqQiM77iXGBPZuW3YzaXRHdGqZ2oqkE6ySn8sLG+yauHAeSeLqOAm6EBRWzmCiuxgFvbzht8SruT26xOwk3eCxb6v54fiHznH/yOhzYyaXxdScuTxcTpAcH467LwvxEK2M7+w/Ly8jYWDa5DMZrXwzelRoIUlfxb4CetniasVNW8J4pcrjWgEN7XGoUdhGZuoLrBBj+Cs8Lka7CPXChvy3H+zmI7Tc8d1KpmMUtqwkeU308ue8N4d3XYO4Aaf+62QPQKfQuE/oenB7O0BeYuzE9gmgDui24Lsb3P3WvT5FuIawKM2qnK0ZVSmrHyEsifbuPH2/0Gde/f69kOlu/AkVIuX9hOX4YMIrjhZbuDV/C3Y6b1gOKLDRcn8PSapQf9q0wVEYpPQE8ZBzpa+ojxc8DKyy2mSAABb/LhXGBNL1m3hHKydyX7hJFA3w/Eo529nz2LaXP9xHNB2SeZC/ajTXEqPXamyOmz7GiASgmwEKByENh5Omcx0Qg4u5HMA+VOgIJiqtns8d1B6F/sAcB5jXvwliy8CqRH4e2j0JLg/jZ0b8+Fwp7EeEZwDAkw+s85zrSAGQHcYi6lYFMxdFR/B63tdMod2Gu7ejTiO47ycPXKq+vQxlhEwTC4obFfvg/l1NnIs+2Bm/PhLVdMFUE3Vr4hgJW5+FxQiMfHnfcje0XXe0apeCGA1nWZHPo3Npf0fJi4jB4mnHKoGJ3InmPT/B8ddJ32xftb9UY4QHCwUcAoDT/N46ML7AvgmCVAhgMQShD0PKP5VgexcAwOCxlOAw6GYEj68pIhCDAoEU/MDq+wRgDmYEGM5rIWLRnwdZsZHEAArTRAAClZyEkdC66icGwO8kQou56DYpodBmGcrwlDtF4RpDZ2YzEcoYZDcsNY3RKH1vGwHHbIZkUfcZYWr6kD9m8svO/jVCv+dDs4tveUJ29kdsblexxWt/fbLTC/dG/XNZj8K/eadcz9tqJb4uUrT3t/yOpic9MnM3sAvRqUup243FfKT0MKOc+VMVHasvt2TUKIeqNECoWdF735WA8cqSRnZSgt74lse54Tu8shUjoPJmmQ81IjFGfIeZrjGFCidYcCQbl3RrJcRjhcYI1AYczHSLabJvWuq4PehMSXDI42U+xoLrGOgPh/ihbOMGFdQezf0tcfIqDAT5jmcBLvQAFFvT5VuZy7pIYaFzy7zqMUlT2QiIiTkhJf+BEUHOaNLchX9LGhTdILfMM8WGAjERslyaOObp19wMe3xvT5+e4L1yG94Vn1vtJ6E3BzqT0x/iQOGNgrggGEnmWJVLrza95BFYFdZr0pqn4xxnAz7ZPOrvxu9ln9GCHuHCq4qq2L77Vp8JuQPrgG8R7iwRQrDcvyLhL2T1n5FNGYDi1WhnLFfWeY4GC7lB0PGKUoMbrzuuEsy8uljTmTmNQAmvoaLLZQOmok1jKn+jxKpDVzuCgR3FYa2Y1qrBICINYO3L1m0h4Nbwz8Pagv0tjAAAA") format("woff2");} @font-face {font-family: "Cascadia";src: url("data:application/font-woff;charset=utf-8;base64,d09GRgABAAAAAVMcABEAAAADQeQHdzXDAAAAAAAAAAAAAAAAAAAAAAAAAABHREVGAAABgAAAATAAAAG8nuKcikdQT1MAAAKwAAAHlwAAFlLMTxXFR1NVQgAACkgAACXhAABRIFkPGxpPUy8yAAAwLAAAAF4AAABgbEt/gWNtYXAAADCMAAAKPgAADSZvLoOeY3Z0IAAAOswAAADjAAABFlZAOwxmcGdtAAA7sAAACBUAAA+DV4sPEGdhc3AAAEPIAAAAEAAAABAAOwAmZ2x5ZgAAQ9gAAMcWAAH9uFaLzNxoZWFkAAEK8AAAADYAAAA2EapGVWhoZWEAAQsoAAAAIQAAACQABASPaG10eAABC0wAAAUuAAAYLrBaWdJsb2NhAAEQfAAADBoAAAwaQSrAaW1heHAAARyYAAAAIAAAACAJshCbbmFtZQABHLgAAAfUAAAZ3FI4deJwb3N0AAEkjAAALIQAAHpUjVe9UXByZXAAAVEQAAACCgAAArOJYnqCeJwd0c9Hw3Ecx/H36/3Z99uatl1SikmZlNGtJDPrh5126Jj6L6JDt0liIh2SDunepVNGTDqMItEhSWmmS4cOnWaHRE99+Dx8Dm9eH6+3ydwy9n90xnvJZIvcZdvDul1iw96wrYRJsZKYUhqzGsWc5nFBK1jRJm5pG2uq4Y52cFe7WNc+HugQj3SMJzrFM5Klc11gQ1fYVBOvdYMttfBWd3ivB3zUE77oBV/F3/SuNnbUwS99Y1dd7KmHP/rBX3eTRx5h0lOY9gwO+TCO+hiO+wTmPY+TPolTPo0FL+CMz+Csz2HRi1jyEpa9jBWvYNWruOpruO4bpuCBxNAX6C0MBHoL2ZDFwUBuyAVyo+fo00LUjWUhDnECk3G/BVoXi0myl8DMhxkzZun/mZE/IhM7bnicvVh9bFRFEJ/Zd+9aa+m9d9doRT4qIQ0KNg1BQxpCEJpqtFRSiLmgNopVtBykQb0gElMbbcrZACEVEZv6RQgQbNAYCgQJKn5ElKAhiICkIYhGDRqjaBDQ2dl5r3dbyBX+4DY7v5nZ2dl9s7N7+x4gABRBIywBp6a2bg6UPvLM4hSUpR5+ahGMg9updSKo6Xc2lMPE2Q3TicIYcGfcMaccxsy8t45ofV0N0Vl19xBtuHcmUYD//gNFPRHUwocXL4CShQsWLoBS1gBTaoFo6WMQYamQajH1i+A6NYFaHPeQ+yOA+1cUIR51ohEYTdqpZHUH2c+AdsLl8D68CNvgKLwLxzEC32IUC+ECFuEwRIzhcHRxJE5GH6uxBm/FWlxM0tP4DD6KrVSasY3KAnyBSgqX40u4EFfgKmzBLlyDT+JafA3T2ENlKW7CXnwWt+EOfB53UXkRd+MebMe9VJbjZ/g5ZnAffoWdeAAP4ko8TKULj+BRfBm/x+P4CvZTeRV/wd9wHf5F5XX8m8ob+C+VN/G8UviWcpWLG1WhKsJNapgqwS3qOnU99qrhajRuVTepMbhNjVVjcbuqUBW4Q41TN+NONV6Nx12qUlXiB+o2dTvuVlPUFNyjpqqp+KGapqbhR6pW1eLHqk7V4V41SyXxEzVX3Y/7HeW4eMApcArxoFPsDMNDTsyJ4WGn1Lkev3NGOqPxe7gJILGUaivVdqqbqXZSXW3VHsG1zCOtkYpvl9oMDug+W4dQ14c8+j0yHvHqZGQs0X1QhP2JUQDxCr87xBWXiW2XifZ4+bDLQtHH5hGWDGCcdkR8OID/DdXDAxhTllwoWCKo+9yVhaW5sp+husrvDjBWLlghOOHyMPQzMVceMp4hPEfPSs8Vp2eJTRacKlhjMGy/26CJWxa2ZcsXWX97vZZd2fr5xWac2Kys8UoGMHafvyb2wNBx0HME2HEJ/SD015j5Ca4QbLtMtP1cZTR5T1XyPsCgXcv+caPXGHs8V9bxyMEOS24bbBcvz8IOSw4xT3yvVpy6bP0l8qFtqHlzhfb58nWZweB8GpynWfHX+qicf4sEjwg+ZclLLTnAU4KtltxuyQF2yn4Oxu235NWWvFawJ1efADN/75icB+tN/vqfUv2S5H8MekUGA70XkfbNoj/p/+z/noWj5DzdKrhNzsmxIn8uuMuSP7JkQf8WkfeLPCrXXzjeQatdMFFG+BDNO011mVkvfzHN/4hgv+Apg2H7rwb9OZIPgrE/DOqfP1fiMpfG/0fwgkGOE6FfbzCw53hqvfTzvNz2UH8d2dJt0xshOI5qZRZO8qrZ3xAxWO+EnP9+lSUvyZVDBP99yped3jGDiWbBRtFPs+TaXDlAv1dk8ZdosmR7nHx2dSKnh+bHazD7NszjJOHvJi5eo9kHGhNNgqL3p5h+XpNgs/gJ9C2WLHnmtXkd3or8mCj2n/NfoHyoMuh1CW4X3G0wtFuSK9v989l56wTfsPQbLHkLzfE9kwd6/+h84X20XXC36JcYDPLLp7cqP0XtewW/EDxgMGw/lCv7j+XK9vmk14XlE4I/yTqeFvmsrPOfsg5nB/YpacJ7VXgvvcR9LjjXIdgvee4t9j03+N/148ZHdj/Ok+A+HA3uBxe/nw3tfyv7f9TMJxxXznl/j0SgTNA+P+V8TUikQmwSLJZ+VUG77OdPc/8XwnW01i/YF6HddOB7fHjeyfkYzDMYL+wfnL9yLgbneSJtzUfyJzi/B+2PcD8E51puHO28uPQ9NSvuJfnzIuc+Zq3fQH4MjGfHwd+Y+5zZ68T20u6/ZduL3Guta5afi4036L0tWLes/Ob1DP7vrfcfOy72fThfXOg9+MOCKk2jB5mfTLSCNRVuJ9F0dL+mrEmzTZpt+ljfx/o+1vdpvVOseYxw3xT7b2W+ii1rog2aFhxl+gPZbyrYQHRjgX4vr3VPaL3bzZaNbNNM3sqi5cR3cGuKPaTcd6jX19z3APdNuaeJNhsb40HbkJ8HmNet03Urxgv023+G/WTYJsOtGbbM6L5Oif5C4JRovVN8gUbHIp5DjX4iPOseI/0eph/wHHbxHDayh3n8dWGEptjLEUjzWGluTfNYJ7U3PMetSbcJMFLJvVaypp5n1cP29fws9RyNB9nmQbHRfmbx885n//NZ84RodN8k6+9jTSbawn5aeCYt3EoUJ4BLfFyvkVPMK5Vh2mrizCOm2Nsi9lNvxmJ9mmmFoTyrThNhHRnVY+bJdD5H9V3mR+h4kh/yGXmI+1abKJl803ykW/ORyVBEmuE8bhlbztV8xGM+ya2tzGcMNfnMft5mfp6mTo+OdqTbrAvru9imi/k+5veZXGVaZTKW+dlmjYhGwQOkMUG+MCLUwGn5wniCvzACDOMvjDeQ1iUt7Vu33+2Ha9wz7hkocs+65+FasnAgBjeSH3qHAXpvAXpXAR0tPXq7VVcLdgq/fgh1bRbfw0hZYOLHdDzTuIki0xqm9Yby01ebVuI9etYxMA4qYRJUwzSohTpogCQ0QhM0Qwuk2U6v0XjOk2rOkHkmAzknk8K/w3wj8zqrk3ySJPn0SPL5kORTJVmQYj8t/wM5o4LrAHicnXwNfJRHtffM7LNLSDYfJJuQQliSTcjH7uZrs0k2JIQkTSmlKfJiLi9yESmkiEhTDBQpRhoRub2YxogVESlFSilSihQRMUXESGmkiBgxUqQRKSIiIiJWRKT3PzNnn90ky2vv+3t+Z/Z5zs7M+c+ZM2fOmf1gnDEWzVssrcxSP6mhkTnmP9WymKUufnRZM1vCVuHdlUzUPTg9nSV8eHpdOvMz9v77LB58zgSzMINZmY3FsjjwEtgIlsiSmCNCHfuQOi5mvb+2MZ3VP/KhhnS2cGpDfTprn9bwcDrbO/1Dj6Sz06qXuAG9/Hs5wz5AnagPUGf4B6gT/QHqxAypk/zoo4uXsbb5snxm/qNLH+Od8+c/voRvaGp+4nG+ZUHLo/P59sVPzF/M96hyvyq7VHlElcdUeUKVvc1PPt7CzzzR0tTM+5d+onkBv7R0aZGPX126tLiC31j65Lyl/NbSJ5cs5XdXPtbyhDCATiiEjK3GnU2NIoEls1SWxsZiVrJZHvOyIlbCylgFq2ITWR17gE1mD7MPsensP9hM9p/sY2wee4x9nH2CLWbSTpayJ9kKWMpnWRv7PFvL1rF21sHWs+fY19g32AtsG9vBvsVeZXvZPvZd9j32ffY6+wE7wrrZUfYm+wl7i/2U/Yz9nP2C/ZL9ip1l51g/O88usN+x37M/sKvsGrvO/sr+xv7O/sH+ye5yxgU3uI1H8Whu53E8gSfxZD6S38dH8zF8LM/gWTyb53I3z+eFvJj7eRkP8Eo+gU/ktbyeP8gf4g/zR/g0/mGpC94itcJn8I+op0+gtPBF/JN8sXpuUuVcVc5R5cdU+VFVzlblfFUuVP08wT+lnhaocqkqn1TlY6r8uCqX8eXimpFqaxuW6BEeMSxr2AH12hPVUtwTtXZ4Ufn44VOHn59YJq/h16Ln5MyNXhITlbc1b2tMSsxaj4jZaE/zCHuBfX9hXWGdvTt2cmFd7KzYW8U9cdFxO4t78HogvrG4J35BglHck5CSsL80MeHYiKbK7hHLEx3FPYnZiUdR9iUtK1mT1JF0tzTRkeBoQ7k+ubo0sTQxuSH5EMqTKXhKmZZyBGXvyLry8SMbRx4tH4/X3tS6yu7UxtSjOXNT++6bdF/TfbvvOz5qqkeMmjvq1Khro8tGN44+W9wz+mpaS1rnmJTK7jG5YzaOOeDMLh/vDDh3VnY7u8a6K7vHVo3djfJw+qLK7sru9BXpR9L7M6ZmLM44J0eeccU1y7XCdbmuJlNkttTV4LUt8/r9q+5flXk3q7m4J6st6/qDPQ/2ZN0d1zy5atwz425l23CNyl6cvTK7I/tSDsuZnjM3pznnWM75XF9uQ+6W3IN50XlpeeuhyT1u5h7l7nRvc9+E7hM8yzwdnhteu3eOd4X3uPdi/uT8WflH8/sL6gpmF+wvOFnoh6anFR4oPFU0uWhW0ZGi3uKs4uriLui6zzfd1+Q777tdsrxkTcn6kosld/3z/K2lBjSZXtpSuqa0r/R6WWNZc9mRsrPlXuhvcvmm8t3ldwOpgUWBNYFzgfcqJlfMq9hfcXK8f/zU8VvHd1XaK7Mr90Mnp6pcVVVVHVU7J7AJoya0TGif0D/hVvWU6qbqQ9V9E3OhpfqJGyburRE1aTXLajpqztdcqxW1jbXNtcdqz9f5oLOpdVvr9t1v3O+8fwk0t/7+O/Up9W31m+pvPGB/YM4Dix9oe6D3gfMP3Jy0ZNK6SRcm3Xlw6oMLH+yCVvsmF0yumjztodyHJj0066GrD12dUveI/xH/lKNT1oIuPex4uOHhxQ+3P7y1wYbL0VDf4GooQjm9oRPXzobrjySifusjnY90Ko/D4XsF/MIk/jQ7wL7H29hB+IK17FnWxZ/mT/KlfDlv45/mK7BGH+Yr+VP8R7yb/1gkC4swhFXYxDARJYaLaBEj7CJWxIl4kSBGiESRJByiRSwVy8STYrn4tFghnhIrxWeMdlu0cVxcsP7N+p7179Z/WG9b/2m9Y/2X9a71fRuzcZvNNhyoJoHS2Cw2lz0Kr7gG3msfPFQfewc+xQl/UsPr+BT+GF/Cn+Ff4c/zN/gx/iY/zk/yn/FT/Oe8l/+C/5K/zc/xC/xdfpFf4r/nN0Sr+KxYJZ4WbeJzYrX4vFgjviB2W0qNmcZb1j7rr6xnrGetv7aes75j7bf+xnre+lvruzarLQo7h9YUFykskzXA685hC1kLa4WmOtkmtp3tgd6OYoc8Cx95ld2CL0zkqUCaBY9Xz6fyRj6HdwLZJX6D3+J3RQK80ipbNLOKj4uF0FOrWMsM8Qno67Piv3C3CHpbJZ7B3Sehv6fFf+NuMfTYJtbh7nHo83Pii7hrhl5Xi3bcPQH9fl48i7sl0PMa0YG7T4nPYIRfgpRfiNPit+IiJA4Tb4uz4nfiz8aLxh48C/EblBZxXlzHqyF+JS6Jvyhkl8UfxN+MvfKef4a3ip+LG7i3iU7xR/EPcdt4U7bmnxVX0cefVE/XZGk8i9Iu3hDHRK/xReObxsvGLuMV49vGj4yfKAk3xT/FHVXzgHw2vmpsMA7iLlWcEb8W58QF8a74vfireE/83eg01hsbja8bm4xvGFuN7cZOo8t43eg23jJOosVY8ab4iTgu3hFXxC3jS8aXja8YzxlfMzYbzxtbjG3GS8YO41vGbuM147vG94zvG4eMHxg/NN4weowTNoH20eItcUL0iX7jBeNV47BxxPixGvlPjaPGMeOnCuPPVLkOZZToESfFKaPD2Gd8x9gv+dZbNgssI5PPFR8Vc8THxFzxqJgn5osm8ZhYIDaKTeIb4nnxgnhRvCReFt8Sr4hXxR7xmjhgGWbJsXgs+ZYCS4ml1viI0WR9G3s/AyVixx/PprEFsC/07qtXZPHV++prr8qdUFqjr4gZviJfUe2Z2jOKZ6mdLS/Ga49SNAEeE7WTarGWfDbw95hcXlvEePF1Joqv125UXEP3WnyWWYrPFp+tXa241pCPGNcNLXxJzn8kjLVViizFW+UVxFiby4zidn1pyTUH5QU5KwjjMImxZlvNNvDmaQJXrjhe047nBmBsQCm5w3WvNb2QUyYv6sHEWFzEMKvGfoVxGCK7XERL07FSVyHukT1uUGSZiBAKEgllzWpmVF+tvgo/3aF4YsLyqungNzNL9ZnqMzUrNfaJd+QFfhNhj5F1J16aeInx6t3gTzW5fOIp8DYwUb2hJqC4dpKVgj7bqttqXFTXxO5ADWA/RBqOgH7iGUWWsrSK7IrsIPqJR5lRFlWRKC+Nvupg5XPg72WW0puBu4G7hL5aXowHLhP6OIU+d2IueL2awI1XkhIZL93HROBQ4JBZV8qaiT43B3YEdhA3tINo9N8Geg5f8rx4zVIQ2VLK4xRZyuPkFRxF2W2M4ra+NN7qDnnhnUuEd4TEW72iegV4pzSBmyj7rIbVlHUxUdaFUnKTqNft0NZ2eSmuw8TLy9be/ZXCZ0Wk7UIONZnNVj2tVCSqV1a3BbFVLwSahdXN1c1kHTcn3AR3NuFKke0mnAenDjTZ5MmWBeipoNqveCND2nJOgZ2KsJnOZgE2BQiWYKdDb5WXFInKS5WXgigqTzNL5Wl5KQ6vhS1XYk3KCM2sgzmv3Fu5t3YNIZ0yYQq4WwjpfQopVk3lOk3gjaKWy9HTcpSSNzqkp8pZ2Ikj6Cl/ryKRv7fyQFB6/hZmyd9Sub1yO9nhiaoT6GE9SR8j21Vh7edjBitXmTzZsgk9NVUuUjxnSE/pF+BzOsN8ThYyoMlKTxKDV5HI91adNjFgPPmjqrqrtE54FWY+Hz3lR1XtJVRlVdBAVVAn6aoWVqP3Al7XmTy86z3JhPdkldZJRhiqg0D15UGopiAiaFH2fUCRKD9QbmqmHHZYvl1eGkNFSvkNcNej1vry9ZpXuQXzxMtXEa5MZQfAU75IE3hZ1NsMtJuBUvLGheaqfDyruQcmlyJR7hofZWJKAKaEivcq3tPyA6vL52Bd3MUqultxkTBFV2I9V5wiTDmyr/HvoVYfuIdMnlxpsMSy7oqdipcb0pVrhfTI4tcDLL0BuepyZKToraJZkSh7pqI5iKwCFla2vGJ2xWyNovxy2VFwsWbKmlAq7zD+RPnpMthgRRm401CqmuNnjZ8FXjrhdSu82P3KssG1mzy8G7iFdokoJc8TwpvRo3aQjffCGzisSAQOoyS8gd3MEtgtL8IbKIOnCWxCrU0oNd608qwyWXctuGtRajvYVbELvCWEN19pBOs6MFsTeAUkYzLaTQ5o71IYmvOAly+5J9ZERSKQWLHfxIrXAKvYVqF3P1HWXroQtnANqK9VdGqsFUvKVpQ2gnsW3LMVrWQfcifhFQsIa7GScAW15CxMN3nSsjaj3eaKasXzhUUQqUq3m++Ft3yeIlFYhTJopdOYpdBdPg2vCkXpOT88SHk1aqWiVHgDR0p7/Fjn5W5wDZQa79QA9uNyB+H1K7zjGS84C26IJ20X8WvBMZSSVxpmu5cU3q/fC2/ZPkUi0BhoNPexrcBTJy/C6/XL3aYDtYoCRYQ3oTS1BDtIGfaZQFogjaxmSznWf8BGeMuVRuT6v6EJvADJqELt/vJ+qmfizTyo8G65J16hSJRvLN8YxFt6HV5grbw0Cn9ryUxw+1FrWfkyjbd8rn9hCWLQ0uPgzi2fS5ZzrewakE0hvOOVBKnbMk3gVZKMdul5yl1Uz8Sbe1bhfeFeeEunKxLj96MM4q3BWtpWWoNXhaLkhA8+pxT77PhOlApv2d6Sgz5EQKWjwG1FqfFWl8EiSw3CO0HhdcM/QIr/usnDu/5zaFeNUvKqQ3j9ZxTerffC621VJPzb/GZs6V3ELP5OeRHetGL4HO9M1FrlX0V4WUlU8UVw68Fd5F9EltNRiujH30h4a5RGEJ34azSBV0sybGjn9XupXmifyla+99174fWcUCQ8J3wiiNfTxSyeruLryA0UCt/iYvgcz07U2lncr/GWTvPNLEZM43kO3OeKj5Pl9PthkcX7Ce/9UoL/OGph70JGEORJGdi/PDOQEUhefVgMKTPI36oIUiBzej5S3OE/r0iUVKMkzP6TzFLi9Z/Eq0bSCK1x/yFCMkm1g15KkAP5d5o82RIj8N1AKXkPhmmuWc30SxERzFEk/HN8h0wEDZjlBt8u3y6a5d4SRNO+jYTgIdmuBDuHH/uQb43Jky3hn/2JviWKNyWEYCx8krGTYowoxJO5WDkN2M9lhLhR9denSJT0oSQcJUehiaPyUhxeDI9SAg9Vsg+l4hQgByzZCs5WlIqTvQkc+KeSjhLKfkocJdi/SloJfYOSJntfqAm8R0heI2o3opS8qaFdqSTAWyPprsSlSJS4vE0mZsQhJQne6d7pZHEbfNgBvTUkfZps50M26sNe4/WaPJkBY/S+Pm+q4v2fsD08Drp7mXQ3CIFvqyLhueDbGkTg64DNn/J1+Gj8PocP4/cFx/9h1U7aLfZq30KTJ1ti/J4NPj3+xjD7aVf2sy0SAs9cRcLn9DnNVTcV2b1dXhpB8fri9Zi924RghppLRMzFlzSB93+ppQO1e4t7qV4IQbRa+8cjIXD3KxLu/uLNQQTuE8ziPlG8rngdIUgoTgjL0j8i2xUh93Uj8ytuMnmyJaJY9/riaYo3K8yCn1EI3oyIYLYi4Z7tnm0imAIEU+SlERR1FMH/uQOEQLUrgv9zZ2kC76PUMgE9JaCUvDkhK8y7yZIjSc/rVySKOos6g9LzMP6iVfIi6QlF6K9oMUmfK9sVYvxFMzWB9yi1xPiL6ovqqV4oejitxn8iEoKiOEWiyFHkCCJA75YiIS+NoLCjEOMvvE4I5isEGH/hOU3gNVFLxN6FPYU9VC80A/XKCo9FQlDYrkgUri80YwH0bilsK1xbSLFAob0QMXPhMkKwQPkP7F6FmOXCuSZPtqxB7UmFDcQbcCpgvGGL1qcC+qxLobHgnXQVf4mCHQWwqcI4krJQSYH1e2HnBbdNHlORm/D2Flwi3uCzh9fo7OFFKSdyxliwQZFw3nbeDo66ABm387K8TA5yJmefs6+AbKHAKDAYdwZP1RbJnvIRMTj3agLvk9QygL43OzdTvVC+v1HNxHcizUSBUCScCwrM0xD0bnE25t/Jv6MR5K/OhwfMv0IIHlcIkDk5C/DaZ/JkS2SezlH53cQbOBPfDZ8Jo2nwTOSn5aehhzUk5QklBesoHXFN/hKTJ6VMg4dZmD+beINn4nskZdiQmTAz0ny7IuFZ7lkeHLX3Nvxwk7z0qPOu5yJC8V5Greke2h28K7wr4PWqCeOnVNwFf+RxawKvhXrbjXYpnhSqF5qLJuwOr98re/cuUwTf6G0zcc2TvtHb7KXzn7yZuYh+vNCBu8tLOarnvAeRiXcy4VoWjK/c0pL9Jk/2Bo/tXuVNJ95g3f2AdOe5t+48pxQJ93jPKXMHOQyMuZ7DHp2Vitz9OZ3gQgfuFA/lpZ4qTxV4wahkueoLuXoe4njPGpMne1uCUZ716Dn/dAjjmFxlx4cj7mvjFYmsZzyTTFS5zJK13OP3+DUCd5e7C1wXIXhK7QVY/VnYPTxxJk/6dGSkWVXu28QbrKXdtNZfM7U0eIfZrUhk3s40V7p7E7NkXpYXofG6EU9k9hGaz6h2iCYyuzWB10otsV9n7sncQ/VMNGnXYUuvRI403G5FInOF220iSAWCBe5UvGpL2pWHmMIdzPlWqd0JPioT0WreDZPH9H6V6c3TOd/TYQh0pPpqxH1upyKRtzM3MYgAvVvyNuQinCQEuXmwgJxrhOBzqh2inzzMfc5ZkydbYr/Om51zTPFWhxCMhj0b3ZF1kJetSORlu5aZCBxA4HDNc80jS92RCwtwTSME6vwzF6smF1bpqjJ5eFfmi7lnXfp06QthCBYBwY/+X7Fy7hZFIndL7pYgjtx2Zsltl5fJwf6XuzJ3ZXaLycHOk7swd2HmapODWCx3Ru6M0eQLci7nXAa3ntD/l5SWcxqcIk3gPUMt0yA/DaXk/XcoSsFwvjrYE+esz4EGcoLx3xdVr4j/XDfxesnk4V3Mh3Cdz+kl3uB18n3yJjn3Wic5axQJz7QcMxbKgZfxVOesyqH9L8fIwf6XE4yFnlVZA/Y/D9ZKzkyTJ1ti//MYOfXEG4ymh1bty/dC47yhSDhvoCQ0zvPYC8/LS6PJXp69HNyThOZLCs08cLo0gddJLXegpx1O/VnFl0Mad6672xdR+jJFInuay4xKnfD92dWuKS6KSsfdGocIyBWMSr8i241D7p4NXbiyTJ5sCV+ZbbgSiDdIF/yzpIuXxLfEgUhoXE2KhKtp3JUgGtd0ZnFNH3dm3BlCs2gcooxxxwjNVxUaZAEu+LVx+0yebJmKnlLHbVG8DWFodJ4gYwjk3JFnJeOsIpFxFiUhyehhloweeWkkWeezsP9lHCAkatVlYf/L2KYJvK9TS+SaGR0oJW9TaFYyWlhVJOlj7ygSY++MvROUPvYKs4y9Ii+SPi8LFjD2DEnfrKQjHx17VBN4z1PLvehp71gdtW0JSR/7HH8iknRax8J10nXS9AFOzMIheWnpmRczYQGuXSR9q2yXiT3atUETeN+k9XERPa12raZ6oVxhlZqFv0dcoXsUiZw9KIMrFCPM2SwvQjAvE+PPWUcIXlQIMP6c5ZrA204t56GneTn6U9aXQuPPmYScNoL0zCpFIqkHJUnPdDNL0oFMdyadtLouujD+zFSS/rKyXow/CRFIpmHypBViv0xqdenTtp0DrVD8k05+DlBkOggJ9mJJAtQaRKJi8UXq0khmuWQGOpOQ7FJI5DdJ6okYe4VaYk5B2kPvDumBOcI+f+LMZmB/Vt80k4gMFod3C/RZnMr1NAXRICIE6ZNqnnESnBpCsodqFBAx9u0BMovDZfLXpEzjIxFk0jjSa0yZfkTiRelFJBOjT08nma9RjUTw4oiDfi1hJ9xS7+p7FNA7Is7SoRIzFpkUXPmzsH5noVQS07H7ZQTPgL9DNQKacL8/bH07efhqTxC/Giot/Y4mVh+Uln4VKP3MT9KQ/yIW1tIOUI3jeoyKI/U2c7B3M46r8ZXgnaES12lyXjMlrsSu0e/sJ4lRYXvNQaoBCc5DxBmoy7dMXZZEkOUkyjJlxWH2HOn6DICPRd6YHjyf7iJ/dRV0gzgDZZ0gWfmRZI3dpynVjH7HbmMi9UrqFZIFy089S7IOUY028HqIY8qy90HWT8LyJRfzsTo2XZ0+8DFVJpGcMV7kCV6USo5c62PSFAXfR9Y3xu46r993wguk3SEch3WNtCuacP/DkMWknWIPhD11Wz4+dNRpezQ5zU/E0xD1Ofc56fTTiRzFuY2k/YhqwK84O4kzeF+8ojzSi5b8yKNPq9bkMuPrtAJ4IVy0HjFzaU71GnwfM55xIU1n+nwMvEtGL+H5sa4xGjOecYQ4oRj3isLzx6Fjjss2iWTEpTARl4JSy4D/iwtmGG/oGrE3NeH+WEinsWeZO+zpBN9h+uF0eMoajBr9xR7QJFYG5cUizhKLhPYQfATsNBa7niAPkQYJIugheqgFIi0RIM5Aq26nXWB32C4QLj2gyZJgSkecZVG3SjpmPxaxmLhO0ifj/jxJP65b2N8D7yRxBkp/lqTvIekDNG0/pGmUaV12ZJij9o0i6xp9Du8FresE1YBvGdVJnIGy1gd9RURZ0zSNvmXKqoEVXB59mWQhPxsdjHdOUg1Y2uhjxBko6ytBXxFZqzEXNDlOBKXF9DLhOOQwP+GI6cbz7hj6VsUo2LVjM0k/RTUQzzjWEceUPhy2aHwxLDuUUidhh0Yv8Z2aYhYHpcS3MREzO8aMvuOX4LmBJajeuNitZCOeiSkj2b1UD7Mck0WcwWv4pJrRVyKPPH6Vpmjz9C8eGXX0megz5vMcPPcgWlMjvw/Rf/RBkn6aasD/Re8gzmDpp5T0VyPNcXA3TzSCsuRuPuLmiJskqx32fJFk9YV28xG9xJE62TNQovg5WfBLeCd8vHWsUfaZnGoSyUxGy+SoZP29EJHSmozdzXFLkUZhw33wO1hndBvHaU24fzvkMRxdbGLY027LkkgIHBs0jTSjOMdaJkYuHqmtQCTfdmBkDszySG0HPBU56sigB/k1tZkOXoA4g3V+Tmlgk8UzwGvXQ746w3Y4NKWan344DOyN7anthGCFoxHRK/xjqokx6QJqLErR2Q4fCftPnUWI3qEa8Nmpk4ljIrLsUIjeiaSJpHZNqeZ3cpIQ3468NVJrXjiuJ8FnJC2GPFr1IxH/jAyeV/2G2kDmyKPEMeVGrVdy+4daXfQuTSPNk5DoTZDaMbKDZKSAgt9C+i3VWAHeYuIMjq6eU55l2KA9sh5rXJ2UJ7ebFLQ4jDK5NZm+V+KITrwE3mJFkmNJuZ50KxHWlTxLkUKVgtgkeRKhepf68WvC/cWQ3SWP4k+EPdnFbyLjctzUlLLBtAJkZylrU+jTj6SWxKnaylOWE66ZSXMTsdYd3eDpM2qejPg3JXh2dYn6QRyXUk0cU1tilNLW85HRwLsrciww/T0yFMcMxwyNJvHiCNiXPR019OmqJfl4Yq/c7eyI7R0UH0uNOdIJzWXyy0DoiCPO4JVyQa2U54esFEIVs8uk4D4AW4nZFLOJUE0dgYghZp0ijcqfWDUC/iVmhSKFygHrjAl+Z/YK9TNdE+7/GJqtmAC7P+zJbXl8qP06+jUlzDDn7SQTCZMSJpG0GXgvuD/8iWogw0vIIs7AnfFF8pebyH4H7Q+OJZoSzezfMRfjPpxofvvLgawvcY9DZyw86QzqBr9b+GeqgYwvsZ04A6VvN/OFfPNbGlnYBaSvatIn9EnXTAp6iX5YZ38SZSgy3ko6qUg9x0mfcViRerbJ9/co0gjLQEGEf6EeyRPh/kZI/0kt/KmwpybyYgNmI2maJvt6Ex3iFPtquz4x5YmI7+wtJO0m1UCcYp9LHFMffCb08U2KFAbGQgWaEs3vwiLSEYl9iX0kowkUPAN7j+wLWWTifuIMtvqfqhl/jfKmwbHQEU3C/FZFzF7UPiaOaWnigI51xAHSP9a42EHSb1ELRBTiOeIMlt6jpUeKCGLqNSWa38eJkRHBjRE3SBb8/4gLJOs21ZARwSniDJb1ExppfoR94IxJwX2gR0Y60bTHjYgLi3TuUI0dZqTzr5BlRLeHf7M6epUlwslF9CJNI8w8MHoWRmYfob/xwBOg0YRgHvg+1cD+nnCFOKEdtVWN7K2hMhIOEplrM2EnPMOeBLL8BPjuBLJ8zqnGWlA7cQbvbEfV2iyIlF8nNGiKM08q0LuI88eRJ47HjMTRSQW3UI1R4CUSZ6Af2Ete6EU6gR0gK/68ptCpCHoPOxWJl9/HCMqyUo09jE5FuPwNBzeahoxunx5dJDtEDKwo2sxbVRR8IfoC+Rh4iWjKW/mwsCj4CHEGjm6P6WMjjU5oEqOCstC7ENEimmRhhjh9EsLpFyBx0C6/TJyBsg6QRx0WdpYdFnPFPafJfteUtgb+6ppde1cR0xqN+DcO+amd/CtyZ24/QfJjqI30eF3EGSi/y/ToEcaKnFyTy5Rug9UkxunzAx67CRz6LTCP1TViEdvEXifOQFk/NE+AIsiK3aXJZmaQ6F3YLtsoloyFR7VRBsnjqQZ2bdsx4gyUtYvmMPi7jvCdapH+ZUcwN48NmBKRm8fmxuaaz6l4To0J5e7oPTYqytSG/Rbm4lYw37MMU94f828nn8dHUL1TmnCbGPI89gN8fdjTTuQBQ/eS5zQNM8/S7Zj/YVuG6WiY2xG7DOsgaQ6qMQ+8VuIM1MpBmoGcSDNgz9UUf9OUhfHHX4zX367nMYhK4k+TLPrFSAx2q/hu4gyU9SbNwMuRZFkOagr5CMvOcB8RUxPmI1KpxlrTR8jv0HHxypD9409M55KvRJA4SVOYxLJwidEnwyTSr0wsDlPiKCXx1SESr5HEV4dKFKc12czzAXEUbRpsDSRxNt6rIolpVGMbeG7iDMyU/xz0SuKlCLIWaooyowCB+CTqWBRFAcOxIqPo0y7upBqIrKK2E2fwuP6qx0WR9gBZ/I6mkCb5gFPv4WvCNJlONcxTb3CkJp8fNLrrNLrnI42OrzMpKHElIrCVfCVJRM98EUl0UY2ZmnCbGVplvJo9EvZUZHksgrQ0TVbznIPbYc83DTrnkDoz6JyDj9M1kCdwo5c4g3V5lWzkWxHOVPZqsponV2wrE9bd1t0kC/7JSidXnH67whCtWdcRZ6AW/0JafCGSFoPnN1HppixEa1EJUdq/8WGIxGVqr3rOY+b5zbBrxJHz9tKQ0d2k0R3433/mNEx++lVDEj1s0GdO3BuaKebgHWFPNhUpcktthHV+TpPVPBu0nIBGD5GGuQ3xr9KulEC/VrFg37FuIs7g8Z1h+rPmCCvBskRTmE+ZG74SbGGf//AiqlFtroQipdHXhkjs1RLxztB1ftek4Dq/Jn/HLK6RRPmb736S6KMaJzQx+bVoU4diH6sMe9puaYkgrVOTxfzmr2jD7hFnoc8DpM4UEtl3KdWYA7pKnNBpwmw1sgifoalzZpDVjILZIczXHitFwVZ4KWswCi6nGpBrbSfO4Djxa7TDRcgh/p09qk/egvZYMcQeQ78FkfbYPMAe31X2mBMpQ+NnNDHzVzccmQtshnJwhv2dH1SrUaOoD7OaKmqxwbSaKmU1mwaOW/zO3B1eiHR2zRs1CfM3frwetXeoTFBiSADHj/c3qF45fJW07y414xpJtekLuWgmzmDL/b32PpHWijrp7g1fK6w7fK1YpoaNusb0hcFR1yhUGweN+qL564sX/vezrc5dg7NdN2S2w052EDs+GPZks3xSofn/kbkwTOYDQ2ROGiCzfoDMJ5TMb0T+ZM8W0MTM3ynYEMvC4kybs6VKm7Ol0nz7ta8Iap+fCtP+ZN3CesnU/mQl+8VB2v9bMAsULw/VhHWHptB8WzeEzzefEyZxCtVYZkqcotaThw22sPeYjikjWJjVr4mb392zZiFKaOJ09smuqjWgJTZQDWRymHvNGSzrFsmK4EmMHpNIliF/ZXvQOEiy2sDZSbKmUo0NmnD7odDMGq1sethTs2X+AGnq10DqO+qaglY1AyhnsBkkTeqMTpu5/GUJl/+QMci2wqTAtsItzWZpVPMb2sH9wH9U9SwjYBn7pqs+VD1LgSpLVJkfihNYaqgOewf4ZN9dTH7KdBqv8n+XXud2ZIWHeTwykyN8Nd/HjvEf8R+zv4sUUa5OiLgh4/A1JFn3lqIwjGYZbBwrZ6+jt1+yX7PfsBuR/sNC+RLtx/Ur4/8RNrN2ZuFL+UpDnqlZ2Dv8MUtJuCZYskTPQ1FhOq0wWSMbpPYATr9mAUbB0vTvh1WsKdgdleEb1netF62XrL8Hh1v7rHQOYdmviJl9KL1Z6DNYeaLIDK0zpZsupZs/Kt1cCxtDLhvB/sWj6R9pbt3zP2lGSDT0PzFv3+OfYuQ4pb2nhWU86uSZzzLxBTP8/5T/SWb9mw33kGBjsbbhkBP+rwppLEb+K4/6T54u/iRfrv6J5yn1nyMx6v9x5L/j7GN9fKT6T5wl1rfDWsdh9GvZs/Kfe6QO5b/oyH/NYYY5P06F1aHe/S7u5Z5hYL0LpXXB7md3zRHpLEewajU/aq/ijxJviupD/X6Nz1O2/80wKZLilB3Eq/6T4AUivq9WriHXIt4Pt6JpqvUbYWMrYsn0T0Qf4H+I0CaZ/ifoA/xLUJjkU2H/0CH317ywp/3Ktk2M7/9BjfvlMN56NtbUnsv0K3U0+4+r+p0m3038ZmnjokV8Rj+b/b+n+K3iC2q/0r1mqdZe1YNuvUTNG8eqDvabZr4j239ULFDPgs0dkKXCVvjTvE2SmgO5476OGqFZctCrYXwCa96pYgfOPhLWRxaL/zdrCOsR6+e3CKfetb7L7FgxVlh9FNZNXPhY78r/yuDGWwNsIFrp66P/AwwX9+UAAAB4nGNgYdnAOIGBlYGB1ZjlLAMDwywIzXSWwYipBkhzs3EyASkGloUMTP8ZGH78ZmBhAINgRy9HBgcGTu3TbAr/FBhnsu9kfJDAwDj//nUGBhYV1h6gEgUGVgA6XBKoAAB4nG1XBXQVyRK91VUVCE4CwcPkQRIguLsFd3dd3N0tuLt7cHd3WNx18QSS4O5O8jvAcnb3/J5T1dX9ZubM7ddz7x0ABgDbSGQz/eglroftvyAIbugLd2RBPgykQTSRptB8WkQb6SE9pSiTwuQweUxd09XsNcfNSRPCwnHYg1NwGk7HPXggj+FxPIkX8SreyCf5PF+T5JJG8kugNJapMlPmyhLZIjtkjxyU83JDIuSxvIxXxHu49wLvz05ix9txOX5OOierk8PJ7xR0CjslnM5OH2eQM9pZ5Cx11jubnW3Obme/j/p4+iTxcfn4+WT2aeQz3Wely7jcXPFdHq7EruSu1K70rgBXGVdTV4s0CdL4pNngO813oW+UXzK/on7F/Zr4NfNr6dfW39O/lX+HdFEBWQJOBJyOirJr4A4HWZEfwb+wB9MGekBP6ItJarL/wr7HHLPYrzPY7Rd2P+5usQ+z2CfwZF7Cq3kTn7LYISkkrRSQEjJJZsgcWSzrZbvs/oH9uoTLI3lhsQdZ7MGOp5PEcX5hz+7k+429u8Ue5AQ7S5zlziZnq7PT2fsDu9cv7PV9Jv3GntBiT+by/oW9iau5xe5Y7PCd7hv8D+wtfmFvnw4BHgFHA05FRbnZXWEy2RVA5GfqE3kI/2qRlyNnRa6228af4/ycMRfMCXPIHDANo4Ls78ttDI8cZvPI6Ar43tvGHPynffv2Pcvf9bvDQNhjIDw4ehTeM/xGhMe9rOGjwlvbo0K4V7hXmAl79O/rI+pH1LC5ULhnRMGwfPb6RWGFwnKGZbTVj+cKixcW9+6T6OquF3CnOxByHAjNHZogNH7Im5BXIS9DW4YE3n51K/D3LaPfgE+2S0Tzfk5wDa7FdbgeN+CW3P7XXOsfuSV35t7/fJ7oEQ/5UdnM42xMs3HMxivxk4ySWbJKdikohaPPie6lqBS3VXSUs/FFY/53jf5u8k4+yCeNqbE0jiaInvmZf1SxfldxokPj/T3/c/wz3LL/v/u63Y550z2Re3L7H0aZ+eawWcYxuJjUNUfMKrPaLGF/M9tsMrPMCjPHzOXMHMCZzEKpY1cqOVLAB77Ig7wojGKohCqohjqoiyaWN/pjAAZjNCZgERZjBVZik1lnVpr1nMts1yfYgyv4C7dwB2/wFp/xjdwpDsWnxORF3pSX8lMBKkKlqQI1pibUglpSJ7NGmpu1nINhFliuSWHfuNTSQurrI2lAg8wBzmk2S0N9I005mxllRutTLiz1zCJ9a0ZSkDloppjJZqoJRkLLeu5IgvhIjKTwRnb4Ib3lubIIREmUgguN0Q5N0Qy90YbToyemYSImYwpWoR+VxGnsxWFcxEmcxyVcxzPcRQQeEyOSQITblIrSU2ryodzkzxkoJ1WjilSZqlArykdt4Imzlm33Wa49h5S4itS4YZnmJlLhGtIgBGkRipx4AX+EWf55glx4iXQIRwF8sFz8DoXsHi2IjyiKryhimboixUR5ckMJRKECxUBpfEdxUlSm2KhKcSkeqlMC1CQP1KCEqEWeqE2JUI+SoAElR31KRknRkFKgO2XHH+SgG2VDH8pjWb8ggqgwBlEhDKGiGE6BGEbFMZSKYRyVw1gqizFUxvJjI8yn+phElbCQGmIe1cMCaoCl9AdWU2uswWbqjK3UFVuoC5VCBwrADKphmfU9elAOeOECkuEyelEujKASGE/lsYE66BW9rC/1sb7Sd/pan+l1vaG39I7e1RC9plc1TEP1pt52U7cYJrP5brKYrCabVaWcprrJZXJbfq5n6puqppapZmqa2qaGqWPy0BgaS5tpBK2mVbSW1tF6WkErLbNPoUk0j5bQEBpKw2g4jaLRNI7G0wTL/pMt+y+w/L/Q6t9iWkbLaSmtsUq4iY7QUTpGx+kUnaZzdJ4u0EW6THfoLoVTGEXQPauWj6xqPKc39JbO0Fl6RyfomVXQF/SSXtFjqyev6QpdolC6TyPpJG2h97SVPtA2+kjb6RPtoM+0k77QLvpKu+kb7aHvtI+iaL8BHTBEB43BcmqOJdQUy6gZEuAUPHAGsXAEcXAMcXEc8XACsXEUgv1W1Q8iBg4hJv6E4gCy4Sly4Dly4xUy4B4y4gEy4SEy4xECcB/lSFCGDNpSOrSnDGhOLrSktGhFvmhNfmhBadCRMqIzZUYXyoKulBWdKBOmUlVMp+qYSTUxm2pjDtXBXKqLWVQL66gd1lJbrKf22EgdzQ7rIfaZnWa/2W0VdZe0lNZmMcditY4iISfixJyUvTk5x2R3js+p2IvjcjxmTsnJrOp6chJOIG2kEZfiQC7BJbk0l+GC1oU4XIhzc1HOyC7OylnYl9NKUn4jvhwl3vxJUvNnScHvJSV/kCT8gO/ya/HiexxqGTutFJF8HGkdSyHJw98knZSXvBwmZfihZW4j/lJOcvMdKc33LZeTJBaRDBzBIZJJYvBLcYlKgNX7XJb3Y/JXqwBuVgPKSk4Ol1ISy2oBS3p+ZP1QFnG37sCDn4knP+dLfJWf8m2+yE/4Fl+Q4pKD/5Jikp2vSCUpyTekopTg6/yYb/J5qyDZ+LJUkEDrMOJIbIkr8SShJJD4kkwcSSWJ+C1/4Y/8wnovH37H37kal+PyXIErciWuzFW4qlW3ulbjalulq2n1rj634tbchqvzDJ7Js3g2z+V5PJ8X8EIOtm5uMU/laTyFp1tvN9k6u618gA9bj7OND/IR3sP7eDNv50N8lLfwDv6Tj/Fe3s+jeLT1Q/14IrfjvtyH+3Nb7sAduZNV0W7WMXXhrtY1DeIgHmy903AewSN5CA/lE9Y5nuLjPMA6qaW8jJfzCt7Ju3g3t+eV1lmu5jXWa/bkXtybz/FpPstreR2v5w18Ri7KJa0ml3WKemp1uaKbNYd2k3c6VRNpDflL/9RAHaqiSzStNpf7ukVzand5r9M0sdaUq3pKy+tYq6drNKO2l+e6Rwtqf/mu8zSVNpRQPawldJiqLlVfbSEPdKvm0h7yQaerl9aSa3pOK+tETaAbNKt2ltd6QItqkJIGq482lXA9rmV0lLrrSk2vbeSJ7tR82se6gNmaXOvJLT2tFXScxtW1mkk7yAvdq4V0gETqfPXWRnJHj2hJHa5uukz9tKU81G2aW3vKR52hSbS2XNcLWlUnq4du0uzaVd7qIS2uQ5R1sabRZnJPT2o5HaOxdbUGaDt5pru1gPaTbzpXU2oDCdGzWkknaHxdr1m0k7zS/VpEByl0oTraRML0mJbWkdaTrNB02loe6w7Nq73ls87SZFpXbup5raKTNKFu1GzaRd7oQS2mg9XoInXpHxKhJ7SsjrYuZZVm0LbyVHdpfu0rX3WOptD6clvPaEUdr/F0nWbWjvJS92lhHShRukBTa2O5q0e1lI7QGLpc/bWVPNLtmkd7WZc0U5NqHfs90V8GyQAJst8hY60bH89zpKMMlT4yWnrICBks7aSfdJBOMky6ynDpKb1kpLSXIdJbRkl36SxdpJsMlL7/A5avJe8AAHicNY49agIBEIU/2XULa8tUYpU6p0jtCbyDjeQEEuyEkCI/JKIoYqIrKuqaXSVs/hSM2UqClZXkACG4eVkJw8C8mXnfTHxFMn66TzNNEsLtf+6Owq+//l4zw8dRLGkqfBI44TdFVXOu1G2FP5rmeKAvVSCgxzlv0lM6VFlJ3zKKndCWcnlho5nPO3d05cyLVeaeAY8iBmLa0Xwp5zUNKYeJ+HXt9PF4lXOtOzbP+i3gU5weY0pcyPcUMaq67KpeiHFDTbtDpvrgkooo3eiLDzZGyjywPPPMOLSOrayV+QWU4mJ+AHicjVfdb9zGEV9S932n4GwErgGq6BJbEgEo562FrBoJodOd9dHaJ93ZIWW7IY8n2UqT2Elby2miVnXr2ti+t+5/sbRfpDzFD/lj8leov9nlnT7gBiWW5M7HzszOzszuhmv/efnvfz3/x7O//+3pXw/+8uf9b77+01dP9h7/8Q+///KLRw8//+zT332y++D+zvY4G6XJx7+9d/fOVhx9dPvWcLDRv3njN79eX1tdud5772ftRn3eypuNjuhsN67Ms7zRRLd5Zd5SlY6qaqS6GXAVbkTu+mbUXXZcN3aEq0JV8rr0pmOZTQgxRGAUxkLE+kCsb2xFvCsTTQRmeAYy9IUpregpuzOMVC8AdAq+ruEpuHKOvDohC65YX8pxzmY84EMnt3Sn3PlnjJnEQo0C4YpoG7x5jbXcYdJBrzXpWfw6JPLDNhvhzT4Sh1bR24oUT3biFXAz21O6DQ7ZL8QT008UzzhXFU+M+pF0lZUIp4A3I3jMSh3pCpfH8eHxmzniFi5k2WwpF9aLjTy0Xgy2oqM2Y/zFMHplW3YnWYrzn4MWHXHGQo21CUtIAjgBbN3Cyryya5rfOQoZO9DUkkZoOMMsNK42wVksO7QNrm0U+VpRyGxQSoYSTrhLwNUM7sBwv1dw10BpE+VbZluMaaJ54CWsTNgoh7WwHrbsWRtrQahXwHwL3rrFXresWcvJIXNTow+tg7weOkda0mbBeQBOwh1McbCc2E4Jgj4z8VsnM7i1Fb1uMcjXX3As0XNlvpvbNwJxEtYbEVavm1s3ggShTeCM1+UIaxUOIuJNHMQ8onv5yjxFF4/EtiPi/N135aNu3m531mUHgYxY0wGWpxU/CaQJOQo00V5EmM54q5noJWARSBu0VaCy2zxRoyRAl7d7skdRkRI3u5TbM15ulTzrA/YB/FZpqYbYXlJNsTSlfMg+NJQKUapiSVmXjNe7ossv78pMjBCBYT+67+zEKWSrUKSqJJacvMSWkC+XLUypm7MbAea2jhi8GfTvIEnJGVzKZZ6HJT/NUoKXXeS9LEhieTk+NaLLpQrTLAFHN9bMyEQguyLlY3gZ04XnBgLdrS0aM9yKZGssxgIeDkOZYtoOz2JHxpn2OMbDNHZlvnxSnYriZFPOe9kOPoecjRIxMgjKzvO4++cRO+A6jRNrpE7/Lf2Xa6I7Bge96VjNIOJcPo5NyLC+rhv/k8k6xcSxplq4bP9qAlkFBABNqvtnwQdTsEdvAq+9b2JFlXyKvMhVnzjq0ziYsqTqYMQlb4tFQR89+Dq9iSqjc5ClVJwqFHtArAHBoxFiGQJ7iZxEHIaV/Kkm9XlwRiRKqjWEatuj6aiDPk9iniTAIntch6sy/nwnpeCists38+mj9uOXygHGMkogR1WxA+yk28JFtVaUtMb7ZGMJ1rFBpJgjpZDKgoleD8wQ76uKv0o/tEeBSLexiKSPp9t6bA/mau+QNKcr3Bgstqd9CcehWozok0lEo7qHbCt7F+RFya9KVK17KLglP7udYFvgbd7jeqlTRDI5YZWgGIIMY90jRozXzVefBfm9qneC0e1hYJhrWios24xUf8JS1Q2dLwJl/2QBRJq8tYn6UdILRc4re6twb4iocmg0V/YwKpZHj1+loc5kwcwwYHTZpW3RndjbNPYapRXdWrrVPVXzsNCqBBsMuUrTOQkC9GG0GTOjzTUTQB+qeEHRE0kKoORt6zmZ7ZBT+cRBIRX0OofH3/VRIxNBbxyT+ppWRCO0aGkEk7sqRHybKwpNpjWpreopnEY3dKtqm4lmplQ+6/jCe0fH3zHjObd4KGZols+LrCzybttRD+JgbEZVigrOUVFRubMNfdq4g2wQbhV1DNNHVnE1CLCJ6Lk9N15dM9WBotLqCdZDDBUddokpJlYs+jCkllhRNsBpT7yymVUTC/Sri4Xctqqo9lSM2rMtFHqZJWOzUcPLbMG5Rkejil7oul7bx1SahlHZKcU6ZHy1FxRRbL6Pgyl9j3KyOvFkjWhySixrcXsmNvzi+ziovXWUrP1/ymrFaqq6plE18ms/rmrGLNCaWa4120heM3UCWD+Tkkpbfu8dytCWfwH4izDtKoy8WlgJ33wDU/qkuqYxGkS6Vckcs2xeE4Q2eN+Y0G6C2IY1bxzDhXZ0fMweBxNu4wTY3fBMnBfkYrSJzr0gRq9HbwKWHr1FJjWLLG2dq/qFeLOm9bNEMRVGG72YSiQot1o4A5ecMjT6vA13LWp/+jAVsFzMrapfMJSJwfYWpWxO6j+V/yMcQJk+XLJYnkeofawH1nr27ZTaeeysRherPDv9E7JIh0ZHNTt0fqG9qU4B8D7Wd//7oubo48Qpx2gUpeJp7GXyfXVSEh4Gk7ETv+3olC7GnsMOo31gyVPf006iLPzLvkuvQ67T2ijGHwbFQXefVvepFvc04HwX56yOhdMWNspd2qo4cdd8XeQkDjy7aarrkL7GXMZZapNOx7gBiDa3rrFr5jIkinsG9oCSF11zrsa4Vxwe/zAXm1JlY5PHO5Scty+AJPlFXDTUM+3egiY0Drt4xS+4aAbPkJyGj6xv2XJ9ACfQjayx4DTolje5YL0MfozMaTyqlPpYPHHJFeq2+AqHhY5QnN9FSQTy+lwsJbZTKegmdTsyXyJZ83N0MqBTTMHrzOGOdgK25ijc0sPj13N0XZpq+3qi7Utoo46cqFPZW7VRlFl3TKyhafPzXzJh9Jf8Qqm8K7dwP3TVT0lxYQfAd+ZiLQGWvCRL/gvbMGjtAAAAAAEAAwAJAAoAMgAP//8ACnicrH0JeBRVEnC/7p6e+75yJ5MbwhEyCUm4MiD3GRUh3Mgikl7A7HAICIjcQkRAVETQCCxmEVnUqIjsiK66WXRZxIioQfBCXVkXFQFJ5uV/R3dPz2Si/t//O06SYarfq1evql5VvXr1GJZZyTB8oaaW4Rgt4w6YgFYEbJDhRUYXZArQf4U9/HafPcdn963kDoezWV34uqb2xoIQb2MYlumKnl6NntYyRiY9YNMBXtCLgsCgNnjSQlGBvbx7gd1RjtoBPpDF+TiA3l3BTpAJdp6eAnVTQOVxsO04bhRMhPv5C+EytpFpa6Nta3PZXAYwDBA01xmGMb7EmgAAdeOYguIIzEAFpjUC80gUjG42hWFyMQzQ4tbAADRiC5dkBaDzuMgz0lNwcqRl9NSXSvsJAROXQIBZBw/AK22zGfpYh31d+62+yFPPRz8lMOQpbwOX5AHMkbZrL3fw3L6Y3iBjiPTGpMR/Sluo0OwGpZkthq6azro0peUblGZgGnMdY+Q0Y4yuIIyUp9RUK4yh2g2JaikEuCOqxfZ27bd7Q8/tUVH7BqUbeQ6P32lnmJK4T63WHYjpDVNtKH3KDEDP+E9pyxSq/YyeNb/MRdgxMn5NrQKFxs9YGqJGHIezr3XI2TUyDOYGGWZuFIzwjdJOW2w7WEJhFZFQL5PMdAp4E4DLkyh6sIDqLaJLX825XFRQ7X4k7fZylaxmCm6Xv6hUK2Rl5pYU9yyNll1OXLQgq7ujW5f5y6vGRMtxVWWV8YD+jkkTlngiIq2MaY6Cb1hFw4ERGpL58TB5ROIvcwLjJlRkGA/DvNJ2OJqKM5TWoEEZ/TZ59J0RzEg0eivjZAoCiRa7qNGJFo1Fw9gAjzWdSS+aJEVVUFDuKC/v3p3oPOBzI5VH3yU+LeD89s5gC7sNHgc8bAUBaIIfDALTvmvV1DbAYQ1wSMPVq/yF1le5QQgz0iuZ3wSqufIJZq7IvHBMHYKZRzBLYHxMVsCl0zuSRIeDAXaigZMVDexACrS8nOjhIo/bJWjdHvwri8uy+4t6lhTncghL8kcd2H/20nN7T1+8cPLgwaNrtu3Ih5dBGvqtqX312VWP203c0aePvsufhPfeMXXyjPDrsPuSuTX3IBSZ6W2X+OWaOkTpxIBFrzGJOg0XZOwioyc4FBUUFfbQZNhtDELBq83Nzcpk7TZfUalXYK+GRTAaFD70cdH2rptufv1b8PnWB7odcrHNYBJYPmXcQwOHw/+0MeHTfQ4PxLNLeiK0Saa0qca0AR4NALUyX1OYQgWmJR4MzMAYKzAXCe+DFPRrUEft3KDtJLXvq0yBuRrbF+IiPFer0FwJjBmvkYxeBDoySeo1ElHHZ0dTgn7XgSp2Y3jRli3giKY2nBsezZ9suQyusCkSR+K2DIjWaNZZl0nEIqhxihrUoFk9635Mdb89q0Rq3ekjrfuy7L66RYtoH8/B11AvcOgW0J+dGWJF3Bs7E07EvcGxaHwEd0IDH6XlScKLFrWukXBiBSYTLzrkGSw1eE13IIHRaBgqLWjkaq4k41bkpI47GE5hC8On2C81tSFYFYLjQoyEAZWGHDrjaYTCUdqOwgxUYFojMI9EwxQqMC0dthOBuUFhbDEwmqFktcmh+j+Nrm3LyWrDKqsNiFkB6pBuV9rGa1ua3ANa21i6tgEkv9FrG8ZoRrverv12b+i542RtUz2H1rbldG1j6doW76mRZG1T9waZfLq2sXRti/sUkQFKtZ/TsF5mQfTaFgt1NR79MY3I+kdhEI2Q5o6iShyOuNbhTNbIMAITgZkbBUPWP9pOW2w7mJfR+od5OYXpGkhW87LNLRpt1clGo8LUfrIExuHs2IWwRMXqkVWwd6nC9nQBvOuO4TMdLmUsMxQ8Yb6C5zYFT0nm9ExywBolc1TgYrFSUMCdpoTCTZIWX4G0eDLWLF6P6PUycXU5bStGn7uRPu9ZakernV0Q2ObwGjAcdH74QsnD3TZVnrgAQkXjc+Cn4ELn92XVftt2pNq/bQufNulAZSg8w9xd1qcriCSXUUmeRvUy0qer1Dp3BZEkCtMSgantCOYGhcmIXQNWkDWAwnw1n3BbKuG2DTK30ZbKFKirsb0hytUi6mcTjZeMLECDyHGMgGivk0yDIrtEfewLIY2MftY2srrGRuwMhR9hxRsL2JnhXXit6IdaCqKWnMjiKggkGDmvVrSwLm+1yyEiPW9AWt6mbrWgCP0h6/kSP7I2/G6/O4v0gSejdvRo3BP6Gb6OnS/uP6Ev0X+hVg/ukcvEdhXBntCqn8qiBzaNSg7qEYyOjBCv8AxAXMGTJUcXWeH9aO5Rl4TD6sEI+CI3Hb4ARiFfLxRquRyS/D3sLZqZRGRNJniMOtFrsYqspZplGZcRNaeRVwjCZbRdtHr5kQDZ0RB9dhsowWP1oTH63WwNnN34wU/HwYaW8OHDrOmJ58HiN4GLE0KtfWAZqwmxxlAo/DNZR8gIiNbor/IHgUmj0hoUZqAC0xqBeSQaplCBaUctBaZMgaHWPhvpLC7U1XgYIY2oIxqxv8ojiNWIsWO71uHYamQYySMgMHOjYIhG7K/yCFTtYE5AGhFzQiqTE/DYPaLJXg2QGZzCmHRBmSnIxBVhoziaK3ztVKGKT+ANtTKUuSZGF9JRzFAwpFY7wVDRhVhiMZfZsS7kecZiRCIUZLSyCsPKEOmvTLbE7/JgG5hoLRfPDv0PbHysdsNDsJbtA6ELaL57ZP+WNVxSqDX/o//JWuWPZO5HE6/vBtNAKeQxq9cMhON2IsOpAavJyjlEjtEjdWCRBddRLlnkfns/1oGwYLUgC02J1l7XuOmdNYGTD20CM36EXwe2ViL9wJg3fAh0tZ/A4P3hWWxqVhctLCdrZQbuBeFSSbVXPuEMN+GMBYQzVOuChrEH9AynWhEkfeSua8QGV0tRCLV5n7Ky3kI9dniQjk9Q+4R03cxAXghZbZAyQP+App3Xirx6tQFOPwdIH+yNoqaJrTdQT/w+sAyuaZks94hHQVf8W+goXGQUWtUo5BVQgdKyTzGPgCCGMwEW+XQBebS9pNGamdyABxh4La/T6TkW0R9zpVFUFsOCIr/di6bAZ9eWlCIUc9wahCbgT5xoBNvhHHYlW1j9SjW7N/zW+6+8D3NDqG050mVFVq3dwJureaPIMwKrUvOoXWpz+5x+J7bmkZOF3KyVoNse2x7Q7XjSniN7ktCMPsHOuLGA3xJuYEe21GCO2Y7aTiHa1Rsw6jldTKuUVwCeryyQZd/eCo64jrfCoS5ExUa+DLVV1kJiXqQdMn8TonSc2jKiMIUKTEscXbEdzUoKoTeF+YpqHbMuirckKOSJIIo4OTvG2mQU7aZqu+ITR2OPvE9tXmnPniUlkXEc3L3KsHj06N6R4bj2/t1iqneYZk6tIgMDbSulnly4J4tOYwKMaALVSOMYiLrBPdlJTxxqvkRFK9LnIsPiXQrNwMHdMKPe4Tim+VImXutK+M2f/26KUGeGMnJZv6ijAiORFpiJ7CQt4gXsz+lE3iTyyEjSy/4cto2wz5Uj/WarwldYE2sKXwG94NvwbReLTL9wSrjwCJvAdgk3hb/BfZN2yexNV0csbbzKZqEwAxWY1gjMqmiYQgVGitC5YtqRInTT40XovHY5ZqY8JT2H1iOl7XYRugwCzHqI9C6LeDEEo3a9Xfvt3tBzNEKnek4VofO6SYQuzlMziRej7i0SoUPd4QhdvKfIajw9KkKnkD8yfmIzTldH6NQjjjOT1zqcyRoZRo7QYZgJapgLwkIJRou08BZ5Lhnmgygo0ttcFd9wCVG9IbxpS3NVeHNp7fFWt3QtXksEpkaGkfAmMNF4Eymaq5IiArMievwRGv0Sn94Yilgk09UxygglsTwiiwTLYyLjY9ICDkOaaODcjCi4q4Uk0SLoJQVRgZckbHaUlmRTsdRYWDe2AJA9wsmSum3+8iAyHZGwwr/0mDGg2+Ccrg7/7VRsYdUdk3bmeruydUR6X7nLnltRltQP2SfsSEWQOWZA21KETyuyPxKYdKYwkGpn01ypbqNOJwDGak0UrfqgQS9MF7yiwGGVkWQ7iRBEPxx4TfLmlebi6Ji31Kv1oD8y8ziXF+RmZYAMe3Ee8Pxz/dp7WFN98Pb1i1aGrzy7IDEXnBg6D74NeoFeBbDnsHUjvm4Ak9kvR9aPOPkK3BYuHM2uenUplzqw5Rib8K/7Wj8bguhKcCTUX6TmmQyhHYfOUGgvRUhtyixKunAkor0H0d4fyEh02UWzTTSb9S5dMElvEvVsUEghw/Qq5leBtK1DooI4EujwF3n8qohpppBXVGqnUUIHq3v/22/f71nZDWxRoqc1WRO65adlda1ZutIFloDx4Haw2iUFUl1HBD7fA8/Ba20M/Ea2V6aTmJkT2ytmPcKPAaZ43nEG73Yxviy7Uw6O1oE9gAPJ8CsY/hj998ShQ2iR+up7eAMO5U+G63ds3L5H1YOJroVWo8hZRCtn5RilD7sSG0Z+i1/qxx3pp/FjwIIU+CWESj/NNy6ijpq5H3E/Dz9FOL2YcLoNc1bAqXWLWg6Zlai3as4uGjmZ1XE/iFsUPnfb/H4tkFic2wNHw8mEw2+5NMsFZ0rMXQyO6G5i1xLWXtBPB2EDW6NwNUu8xEVyxDng0Bkdlki82SAv+O2izciwzczy2YEcZK4F35z7YdlCkHMZtun08ALIwO+7167V1F44+dh7PcJ/Y1PCX/InoWlFcPl6yTtdRDh1OeXUs4QLE9U2DYUpVGBa4sEgG2IRsWkozFcGormTou3l+xA/5yAKZyELMsFtTxB1mQZjepolWce47IiLBSUOgmSVMnBeqcfjzygpzsvLxT6NXw6JIFfH4/V6PG4bm/djQ9K8f90OXKuubn388ifrTk6rrdw0YuF9w4eeemKfa/SJ7j3evrd3zYCjG4++O3ba5qH9/3D7oPGZM4Yf3QZXYKsc40QocJ/aqsu2q2SVwhQqMC3xYBAFcsjaRWEuvkZgOqtj3rHtSN5t/q+1QykJclRxExwTQS2tRZTMZPICibpk0WvUpQga3uISLfogn0YMJikYXIBpiXnG1hOpPT/AGxR8FiUsYZq8PKT/cgW3vfZnYIVvAPjNk8/C1kuLb0nqeke3ezctEP8KMiZM2P8ItweYfzgA5+Z9svfTK95XdYYNy6ZvziwCoSLwWH3rVJXtZkOS6gs4XRqRdbkYs040q4NcNHxO7DjkpPpYX6Y2r6efGHROn4NYcyzXLxNu2PtAyq7DbA2y69ISw1vdLvZYeu8UcCLvuW7EugPH4EBs31dK+kHLOAMGATskkcgJdkKofwyuoEXaht4nkedbpH7OiiXOoBVEC3rWyHGMVn6exvmVViKeNm7tXVBMW0S/32UrG8CJUAj2bAgfxrNI2iYzfb+aY3ScSmYq0UxPJzJDYS4eJjAWBNqjI5ivWgg36KPlCnNDNhmJ7WUjzyKbGTmPFQUVfkJkbKYjGSK/BXYsLGtcvh7wjZdcoJl7s7XP5i0gDf/+/nssx7glIg2b1dJgU+NNYQYqMFIcx2ZUxXEoTKECI3G6y9iunTIFRo7j2IzqOE4tInI2ocBmdYwmxiaMxftah3jXyDByjAZ3N1eJNSLL3SEsRL5QcsBmRFrfUm0k7BSJ0BZEExV5RH6bVk3Zvq8c/z6auIa01+Hnla2vf/+9hIfGQXB9RE1jjzVKn07GeCgw0qiT2406qqVr8VoiMDUyjDxqN6eKTFGYGUo7kl+GYbapqTdKReFf4s8WpjGxKDerY1yRecA0RhYl5tYMJjVgtyMbJgWZkynVbsEiEnOywE8lVzEnVQystirZXdianEe5GX7avaqc2pPUkPQkg9fU7A033mzNC/iJQRnhhjkKpmHVeAZGj4dQZrOaMjZOFRHrIu0aYv2j50lsmqqPIrxb7wN+8kLaquYMGOkAI8/AGmTmpPGf31iAnnahp3cR2U0JWHmtmTNpBAPe/JYjFBXEbvVzfqf04nxcFtdQd3qxa3Xjfa7Fp+vgO9WmatSki1vTuoy/dGMBN7V1D8aetE3mbE+UNKtXbgpTqMDIkqpvB1OmwCiSqlfPfWxvsgzqVXM/AMHUkFhMUsBi0AKe1+PAhl4Jx5CxAkD/zwJgAHgBjroIeoAeF+Eo8MJF+G/4b/Y19l/hC2xG2B/uz7rD36F2E1G7j5IdGm/ABHQajtXrglqWhi+kYJQ0EVh35zSDiQ4wsRnmgGvcw+Fe7Nutf4R6NAbSDhlDvZpiBlZFDQpTqMBIFLMI7WDKFBiZYgZBTbFEpNseJbqtXi3ltuj4cyxOEl0N7furkWFkKccwc6NgiGzWq2UzzthmKDASv2MYhd+RjuC7EVonBiwCz4k8GwQ4AEyZnkbpSgBeLIHP/Qi7JVzDrQlPZo8c5tPQ2vv5YdQPaYOM6bkoOvMqXChMoQLT0iFMmQJzNQ4Mzpcykr4Q9+HMFdgkxWMC6DOOWaQZSO5TkjNq5zUmQ0HgI9kHMzuI9wl8JN63uIOIkQRDPD2lnRjLUG4HW5gzO6CHDIPHulj2GDHO6/huTBKTy/QIpDrdLtHjNgQzhCxRh7jCYkYuO85fSWCMkjfjKLcTG4ea29TG9hKrsNTLe9x2r1uTlyUgnxEHFpHlneF2gVN/ff3nzxZPfPgh6DoDtG0N8KDBbTwoTrmnX9ld5UgRPPlQfUNiufgHXnuM4z85DQd7Dhj+s3TpgYFiWcCqeWKXTN11wmQ0mlfJzH1E/d88CwDPq/cZ1wk3KTDnLikw9VEw2q8oDJOLYdDcfsQYwP1kbssLAMgdF3lG3p2cHGlZibTh9nGkzU+A2a6xkbb4fZ1lEuW+iuP2hZ/S5cQ89Rnq8Tef0r4f89T5tquRcTG2+E+pqPoJpVhBLFXf0B5WWv6EUgzcBcbieGG3fBwvPPvyuMhTappNjqHZJxLNSglwRzSL7e0sWP5bvZHnLsc89xm44/c8p3PFPIfpdoLQDT0IyuI/pflcoduZ72m8TCFvhAJ8NwVKik92jbbKYufgbGJHnL1LgfmM6QBGE4G5cCkGBss7sqWwvHdhypjiQHo+kne3QShRCXsPpquYnCEmd6IS/24BDSQgoa8o8Hck8lohditR+5tKIGvyHZENxpG/qRCAMH443XwcOMWWzKrVg0KfqcrYP70UmY+VkfkgPLJAmetPFdlPYJIa+N5I8x9p2xnQj1M/qJqj4Ur7568qtN1FacsxbgTzKF/GdGIKmT7MTYE8T1JXMY+xO5OSGKdQKgpCFiaxs7Po1AaLmR5iVqqYJevVImzGOmh6dXdHuaM8rn71og8OHMjxYWe81CtgemNKg0z0b8W5oAjTm0Y7QMHarW8cHtJ7V+1U11Sg+WPlc9ue5DhY4nowWF6RlD+h07LnCxPd94OnBg/igW9Q+K3KqtIxYyePcNVt2/+Su+QPC3juJU7/3D/g1R8zh6at22Z+RmdYHKxZym3b+tRTW8MJS+YOd1VVDr8FUYeMnHDwaaqbSe4O19cp613EefUIplLTzFjQWpMecJicImMyBq1CosgLWmQPSPvU6EX3Qv14qDipJTPXaZdDD1kZ9U0u689N38BT8D8TDy3tOqXbEwfvXQh/1DSHNzTBixDCn+EnRnYKvIVn//His3iymA2o52FoXhKx/WEQzKIedcig/o3qfEhGnUAjEJ+hJyYwewC2wC+AF3CPn+u+t2vtrQ/tfam+cveIhPFHXCAVGAEPMuZX3zOs8sWnX3zNYjrqIDtXpE9CkQ8oRSpptqKgWoliYZqL4sAgfx7hrsBc/JpmzqijRLHtfELbSWvXF9FXFObDQqWvJ9S2gA7NkJ3mHJkMBsaLpkeHqOVhXKJVYlXyqqiIRIu9eLqIvAObP6MEB8kFVvjnuU9PhJNdTSFHgmEHbLgKTPDHhfe6ECE1iGg5TeziG9mGQ5OmsClwRwNgQOHbGIdFhEsuMalMPtMz4DN5rS7ebXZbHHbR4qg2W0SPGfG8yAjVTJo8gQUkYF+AkCDeAE4loIE/P5unycvJzSv1eHO8Wo/D7bYxeRn2YmmC2aHnfzpx9L4X0uzaGliYD+aITxR9/zDw5R+97WbY+iNI2Ljy3vtXuYDw/emLd90B+H3r/ypW9po5dMHYv/acD99/vRAzxhHg2rxz7T2P/hlrAERBzWyyF++kOWoMKzKMSWcxIPcsqEsWjTptkPeINj4i9UTg5f35DLLVoKKnj9KTn1HUNDHMwkrw/E8STbfBQ4hqLGyF0i7+UDaFLWxPVnlmg2hmE5ksplsgyWWwmxxGk1GwMEHBR8UhRfSoVJGjvByLYPQkIwNdymfqaLLhTjCrSRQ7mnIw9dCcOYda+sVMO0u4Mx9JqBtRzRdw6k2JosnECB4RY2ZV5hkTSpZVB1GEVA8SOeWoBmRD8Af40Y0vP/xOCBenvFk3YOWApKm7tt2zzcwmbVAEFrZeH1ax9n6r+ajDwG3bufnBxyQZySdydJ7KLJEjNjVWjvKJHUhhzrkUmCeiYSLtNLs6aicC8wmF8cXC/IdYQuepZeKidtej1KLJTpMtGuUpWWdMjrSt5LbiHrDd1ZUAs1mxdhfubWC73s6CP/9Wb+i57cTuUj/3GXjgdzyXT+wu9XPnmTTJ7kIPYrsr3lNEj1G6nfHQdV6ZgLhQHzrizBKmEtGsFIZmt0bRJc48ne3f0VzuUmA+y+8ARhOBuRDLE1gKkG2GpSAXeaB5Aa+pMxGCPCwESeliEqNIgu1dZZcsnixEIl5ZNCL2a7Lhv3MwjYLlzV8eTKjpUE5MeYPo5iqOlbkBFZrI6IcrIzufpoxMydGIkW9Ok4RTYm160Ybk29NOvrECL/WRdVib17OnH4+RRbZkqQ8p7eFnLgnsuxL20x7vA2wg98ZFhHf4IsJbcw3j63IcTrfDL5AtEIbnj+7cvHkntgMGIn94puYyzVthbU6Rs9kYrVnUgiBjkHce/Ur0vgSrYmwNZNjdJIS/DT4PRoOrQdFTMb0r/BI8D0ez6w49wua6jugEuKfuUHgpsbAzeR2xNrKYToFElxBMt/lEBxppmiFF1BrQWIHIWGXTQ7J4nHk5JBEHG3Sywi31I5NEwylq9iUDGPvUVodhx2Kqbr3248jeuXhU0rMw85hN9+e9syZNURTu8dZe8Ct4xcg1K8qWeCUIQ6LDflJ7ydk2lXRQmMkKTHMEpr4jGMl3zG8PU6zAfH5VaWdlFAyRVgrz4X9i8FEyXpsZB94ztgtW2Wg0kpkrknNeid2I9zrtWWSZt9uRvegAQv2RppkTbxAj8d2j4dHs83fMhafCB3HL/aSWk/CJqkSLV+QMWpE1GDRGizaoYYJOpYfI7o6S34vYIrY/UWwCs+DOSK/8G3jVg3uie25ra/sbyZ5cicb9C81fhEeZSmyVeWPz+0ZrrjBGukeG9zzt0+020S4EnSazaDJIQbQk20k5pQIbP8hJACXSLpSb3dZ3/Pi+/caNC58C22E92wUM5t8l/9Cv7/iW4kPs24dbNx6SsyVH89kkLmrWIk7FOaSCLB+qvGKcqyi3dYhtPISfl3IDRxOeCKvtXoMGgGPyfFOYmxSYc0UKzPPRMJF2JJvW0q4dwjcU5kyxFDOVG1JOMSD6IahWqucHEz2fYmp3ikHd39lpHeG9S4H5bHAMDMMzjTCD+4bMFj6jl4ft6JRUMcUadKCJMzHTMxOFYAKdsqSTUk6ues586vlD3MyRBD070QRgsjSL4Kg8nTOa3jU0PrW1qY2BFyMzGplZPrulGWYcc1ie3MtdJMog7FIoFxnJhaLYkbDkrAXluzxkySal4ZiAZ7rZ4xRNHgPZerdTLsQL0kkigJgFizriwfbZxnG4Ep5RZx3H4VF1AnJkToYrIznfRxnJfnkkB9Cc1JKREM8To+6a7nKKSDVjAaKqOJ78UNqTdGRB0LLXZXRXYJrDmWxNzffHIjj+MvaYw/rEXq7sUGuvv/13iRVJE+55MZImC85M1GmRK6VS/kTrR/XQoGoXz5q6NTRW1Bo/FvMoMBB98QnzEo3oOnXKvFEJXkA0pS/gsBg5Oz7/gDpGytIsq7JIXogfZ7z0LPWzWuDjhKwse11TrzUHbvc29/g7KIM3fh5yyxxNc+uCSSefgUt3h9vAXjucR6UqA/eCcDHRfeZLZCfC1T7feQEavwOfJzdaKC56ICiYkFMTvxsTPht2icYE9VFFLCvstSIaCxpRYIKMSTEpaAyFUlgOmbCXjuyDjawpY8qkW+9LuPlhV2Mz98ShltBYsSj3qAfLB2lTuwiNzkp3G/YQvewQVHqZwBBfz024Cnt6vEEvGpggbxN5lUlDfTuuPR44D/toNC6yLxeNEqZ4FaJ4PqE4xekroseAM/p8jEQNCUrLPgX6gC7kjALWd2yDPDMy1RKZzoFELWtIxLnZgBGBxm0V3cYgVvuMPAQ5P9tZkkNGgPOzXaoAVEnJIpCER4EmqlEeybgj+8A/XnmITT4U/vPeV/bC09JYGptPoP5rELECyEpKZwoCXq/bnSakiAazmcOruhB0JCZSBsGHuIrwT/yDcInXT137nkRI8bKblan8qjlmsZkO3DTBatdMGDtvZtMtsxvGzuKz1+wYObLfxEVrWt/gOs/b0nqd6zcR/ZStCoRFtFUhtLcqvLGr/HG7N7LAZx+X1vbps+HHZG2Xzm5gWfXQddBFJVVt7zMUBnGQB60TbrfBKeoMWqwhNEw1WnStvEHOICN42BEXOdvjMvibWiEKnQuEhTJi0YqDVfPVGKwwDOIzHfaLJBgp2zxGsiUopFF9AZfFKlqswUTBK9NPMhfkMycRnG2slHIeS8fzP880rFpWE6HmQfhVG+M1ESXILpCMJtDWS+o3GfdrMwQ9RpeoN2qDQpRmpTa1vHbGEgyr2mO4NzXVZvx7L1a59l1ooTyuMtWg4W/fLlbOuuCVRqLLeUn3AtVKI/s5ePXHuegmUXCQGIZKG1Hr3kE9mhIlFlXVfOVK87mffjq38N57F6K3C2QAAWhBOvwM/gJvwAuhYwefffXVZw8eU3ulIE0Vb2UT4kYqJJhzjALTPlIhwXxCYVJi2zmD4wIYBvvpDI1CrKb+fXqi7N+ndBCFkJ77UukBRyHyaRQiLV4UorBdb2fB1t/qDT23Ekchop77DCz5Hc+RKETUc+cZgxSFQA/iKES8p7DlKdHtDEujEAnRUQg5wiBBSbs/aR1EGCSos107mstdCsxnrvgwRzQVEoxW8wXS+6S/BAFXWhii7u8I6a9AHavPiI46T5baKlBhzuW2x1zdEsU8piUCs0uBoZjHgxmuwJw3KDDbOuLUjwdHKB7Zb1OiLBLUBSaGTqooSyrTiexDZIsmbTCRERMFIU10CDQGSiIsSkZRLltCZdbFalVJ6mrx3T1/efCND7AEP1LbaVIFDanMkWRZylR3gJSfZYn+F/y5yJY7QMpXv0WWbbQWbGhbivA7hLOjmSycr+5kMz0+r0mv0wJkcqeIdmPQaNBO1yaKWm37fHUNyVfH8QOasM5myRnrmYITY5wHPKBr9fiHrjQvnDhh/rTtP527e7KvEyjr3m/hvVcW3tsZvtVj3YhdW4APo9rpyf5/2QI/xfqnALRsnMAWJr8a/u7YwdoJ4VOplOJLpXkpVnNTtrYd9w5XZoXOL5mVbfLemQvBPEL0eibTmSkNZOhSRB1vtOK4l8BbrQyfJ/LaYIJDTGCyJOvOT+0rullm98snfYribZLlRXbI7Da0CNjAHFgPql4YdsszMbti3905FORKW2LvbdmyB+kGNvfYMfUu2KlT0h5YFzAbzIY74A68vwWL+Uo0Arx7khPwuE1e0WoyBl1oBZBXRYs66IPMKcmacZBZys3LsoMMtDr5itA6hRfG5PA75879c/GjRhewwB+B6eq9sFhz+XgT/AT+DFvgt1MmhbdoKuGpNqYBzH7pbRkHaQcnHg5MPBzsHeLQ5IqHgrYeb7V1iEMVwoGJ0MFkCRqFIN5H0kv7SBb1PpJ6TSQRryx71NYCgEqsq8kVd1Ph+A0bWxO1n0AzdVciHLwYAwtjsItaZFjRUIYb2wly0AS9SYUceorZ6XdgQyGLSjXyWSsvvQlqshMcwLFv++lBo9avBTyOdcDLIPvY6QWzvv4AXjwkZ++uJFLQWyUFIMGgkoJYmGYmDgyyblaSFaM30eFftY2j1lditPW1C0mLi0SKMwMeQ7bZ4suwp+oYV5Lo0pKjtbL3QffDctW52zgtPluKbEay4l0CKyx+ZkhC9VNDn9rqL7my+yFE3E7b1nluXtb7+boBA998+vEbLovtuM1WMaiwu7lf/qLFh3bhuGffQd062Qvz16185nE8AoIZGWUFpQT1x/NcqlHGwjSnxYFBlHARSlAYKTu+q3rfM7adT2g7Bb/WjpQdnx+dHT8QtVSrucyUM0UBH/aCgFBmCGZ5c52dbeau+kKDkOQTk4xBwS8KQCGt5Nw5S/xKyEAgiRAebxqLi/rIhMd074Y3JbE9iv7GzJVlH7jzvx8eeCW9u9eZ07+g4LayF/88ZlmPhGE1BSuGFeWP9hclppYMG1iztIldc/jGh9/t2T548k1Z2cPKe9zWPX/SXUO21dksx632mmHT8rJG/GHo4OpuXWYNK6sAq+9uaWTXqKLdNuzb4CR3rl2suyA20o2MY7AfPgFmgLOL53kG3NEdos6VAHdrF+xv9yG54zORbKUG7GbkcBsEXTU2v+0K2/nl3AXiLdIyF8p+Omf54UN4FRiawOcw7Z4HimqGJgxei7xCcPEQCMDjh2D2iqBRf9RkUvWVjiPpyS4xGXVgtonAZK7m8XEmrajRC4qnRrWJswSPSOqWvJSuiavaBxiU7tUojPjhQ3D50FmKxNlD4yQsGpunY6uBYEK8fazVvHbk6CM9YmCqLQZTtUEI8m7F5ZezkdU+fwwN2API8x8ahw4R9789ORA390HcjOiBuHkIlYpLdKdfLRWxMF+VqjTIBrUGWcdn45NiAacVB/IMQTMvBHE9JKdKQSsz6bdLp/P9coYfuPH0y02zpy5Y1LQNHrQ6E7e5/vEieyw8cNIfHnqW7dW6y3PAcGbOAklOSX4TGKn2hb1mVWx1l5y5J8Gcu6rAPB8NE2nnEwqT3K4dYplTmDPXaUxYaUjSCjgvK1uB+vJzVa0Rxb6N7e9sVkd471JgPjPEwEi0PqOpYNKYzoEkb2KCmGgIWjw4n8EiYJon46I1kkVTVCGF2WOIjjWHH5k07YgP8qeMbZ6zKN4UGLyrFj/yes+wJWomzpARjVXPRDqvHhGizRli+49V0yanPW3ULWHaIKh0B0C+xlPRULsUqM8MHUMNV6Akzxpjtb+juf+4T2Rej0XmVc6Ak6AuSFzEq2eDZMBlM/m45ok3RfTaMftnS/yfo54L/CJR4fYS0EHCm0omotPb4spHTEqbWlqmKmP49GpkpBujR0poNlJNM69CM/m8EhoprgVq4BmEnRyZKbJHnTQ4BVd+DjIdIOFzuJHPbt3C1bQ0o+eRi8WL6HlcY8Gm5c2cgTGQRkxK9FZKuYk9bBBa3FjpWP7GcsfE04/A1mWmZajVZfiwAbempZkb3voSGgFpnczodDUv2tQ7LrEwksS72sEQiZ8eJfH4GEFE4mNbkmQ50hsaLw7gDkbjpWcNgJacNRCCenm0ylkDp5OcNeBEcA9cexnCy3AlWHkZhn9hTWwCfADMD18OXwI1cAtutRTp40moVTvedab7DVoudjLK8colz4dFCpKVgnNwYjOYaAVcMzzZ5+F3NjcY9t/753KJmL1C3yywuUIu67LVeISkHzLCWZSexBsHDjWtYmE+sSoZ6tEwhJ4U5oyd0tMRtasmjUqC0mq+BBMoBzpMaLHsqL+zfTrCaZcC81lWBzCaCMwFircDtGtnuAJzPlGBUSQC70eYyO6mfBJBoCcRZH8g6iRCHVsdfpSrCj/Nzj3Mvnn4cLjPYWnHyUTGdJfa1jfwMTuFaphmpgMYQmcK8yFUYJ6XvWKcT8Yr+WQFgSSLg4Q5GV1MOplTydwiR7k7yiZDpij2fnlH0fGJ4WK4Cqw8m0Czye6D//381OkLv5FKxjM/IiovJDFrLYly4jxBwtMahBfPTHcge0wXu7+JtYJUfSZqP5M70BQCxehHuK96H5PEr+UYdtz9S5rxWCNnMwpcnOxKGq+tkeO1AhcbgVciEzVyZELg4sRRqZdRI3sQAhfHo6HzXSPPpdRO9HwvYY7xpfw+VuA6IW4Qrh1BE7xDU8v0ZiqYm5ghzAhmDPNU4JaunTrl5Ph8qamJ/kCgomLo0CFDRo509uzVi2UFwWCwWJx2seimm/r1GzFi8OAxYzxotvPysrLS05OTPQmi0+P02BLZYBlCiNfpTCabVA6WvqRz78rn6FdH/x55IelwIv0e9c4q8ZM3nePYt9+dRd4YlkNvn8/pA/Jv9O6ZBmenHU6DrfiH8te+F9Leu4B+Ax7/2NH+LxkAQa/Gz7FD0T/D1pae6g8XyS8coIl+HyD/x/4rfR8g/+O/WEf775Hg/aST5g3P163MeGYSM435A3Mn815A7FteXlLSo0dXOocDbr115Mg//GHy5EmTxo278860it69S0v9/u7SjKVliDdVVo4aNX36lClVVePHz5yZPHj4cHmWHQ6PJzlRTEtOS07wscGhynzaXK6EqDklM+f4tXn9/fP7W3P9++b898w9+ul0Rnigi8IDcf6K5oamX/srmi+6pLFrCA9cfUP1ATTgB7aRv68FO+CR38Mrv49nIrzDXjvSVsk1CWOZ7oyfGRPokp0nZm8MegsLtUksqxVEj99vcFqtBiMOVxl4u5kNdk1NZsRknp529OMpVM+08hvbqHFmRp4BX0kmjmEzPr82KxMnuvv9Xkz5X77sCltiKbzv+fT3zqdpXx9XPw/cCQYVunT/hW0A/Fdn+XkU4NNhy2Fk5MSQhpLAtReUfgr+Cj5qgGtgPdwNl2xj38AjB1cvSrZkd2ZioCvVb4nubhK3S/rL63U6LW7O1skuBLvI/G5gKiSGpBbYrzIsl0XMz8hbMUtjX+T7HU+YtsPWelM9bN1ueoL++HReY6VrZ/M+1yH0PtJ8xLWv+RB673RVNs6Dn6IH2IvhJPWbWGOm1ivt3sjUxd+jeQcpnIb7XINr4mTiiKTHlcSIzvSkaiFd1JmEarNJNNvl0+K0giSInPzABz88HrcbOR3SmZqSkqxMtwv8fGdw4713DPnrK8Y9Dc/+8RdNcuKk4qqq+qmc5o7Js/+kZedy/DYAHtzwi7lGmN+n74ZAdtHI4QgblmO5QwgbaZfSxIgOUzXeqOTkXUp1Fkz0LuXOY8d2Pv7qq48PGTduCHpz7JFHd7z88o5Hjzwy69axs2aNvRUbX8DHebhVqAe6r661ipyWC+IyYUAuR0giJCT+HbWPD3yHDWbN2CF3rz46fzHnYVfM7zvgnrvgdLB++Wa4sa1NvqOAFUi990itFwsaC65vbFPVWrXHr29cRMKdQlak0jay8WrA8FWv//GPr6/qBS8D24odO3Al1u1z3li96u9z2H0wad3ceWvllX4e6R9NLMKhAX0eIFf0i6rxKvfXwG0O90KttRTh5wk8PlsK1tLMEmqVCOoqtxhmnPCGdIeDRgRcdWx9ahxQsjewHzeGczW1oCc04QoVLJMGP+W3IWxsiNMQNQzA6hHNVka06oK6RFHHKrvjNPLfjytRSqA6XcjtQBRJm5xSkGrl8lY0hlOOm5Pyk1kbnIhrxXave+PNW9i8liKYATJRPw9Uho4/XcbbZKqMJFTJYZTPZJS0CkXHNYHLFJg4dYoRLZLbWviHNVvRSjswkF/RT6wYXmIwFvNpI0b4hoppPl/6cGwPD9cFOxeIndPxabZ06Qy3nxQ2ojmbdqI4EOm8JcSDR/56aQmOhOOMAKQuMQci515KQsLf+5HaxGFaXCPPjcWPfO/Gzj55Bu9T0O+zkr3OtNsGJSUNui3N6Z04rsrVa9uBbb2dE26bSL7IzqZf3DbB2Rt90ctVNU4TSssE+f2H8mwXVjM0APIz00JTZsOG0mz2zvBj2aVg5OwpCASeDQzVIBB+aH94FoFMvROMLM0OP8bemV0KG+6ciukTwPvlSNIKmLyAJysbny+zMKkuMZULIidTZBm9FMpTcr40GZHdgKysvJ6SdAvavH6sP4PWpCfha4G1wK9e2HJr7cxdz720/RHPj6cefjb3zpnZid5Zy8qA++pTR8SXa9b+7HrmgUG91y4K3nNMN1u8NWhx6I5ondbjjy9/srNJM/aJ4PJXZ7WvqSjojLogKXxAk8DkDDBANoDA9uMucKHpuAtmaGpbTvPdbizgu7WcjpyfHoi4htbk0EfOTyu1RJS6iyCqtkdU3dRaxFci4iucae8xW0Qz8CZwXURSIirTJ2ZGKigVlFPWkZijtBSRiTCHVouUSJYbZyMhBqHMQfZXEHfUNp6cMdyZ6+41a/zAwm7ZlhLPlCVFRSurPSWW7G6Fo8bP6uXOdYyuPqmpDT82ZuKROxYUhQrLPqgSU8SqD8oKQ0ULZx6ZUBkm+fUEUzKarVRj0NF0U2uMHKnisQ1n7WKB0CHqGkWBlRaVwh6lJUUk05DIOhL1nNmTPFxuI5zkHb0HhO4MreJyEZFPhp/c8tVT41CvK2l9TSTRVUSipZrK6HM/RjmjrqlDn6cTPSjXXMY6y8gjPFWakGZu0a5ruR2N9NIZ/iTViJIGRy0tZZRT9KTlZEbeN6Pf3096Qv3xO4jGx/VkjTqOlGEmg1ZKQWEvHk2VEk9555795bB3M5hmA/ZmuLf44f+GcrrzS1uD3OaW5o27+5N+cbuEsx6nnEVzYq16mbNILblLSPs3MGa0snkR57htGo+o09iBW0SKGjCCXHaSnJ8im9I4lIsrf+WU+N08Lv7ltOXYs4FNY+dZFgbA8QPgDdjvBrJB+fBMwELo2teFNbAp3fbt6xL+PPxzwT72Y7C4S+u7ncEs+HgBV9wV4SpVxUA0eTqK+lYmMWDWM6Jez5t1QRPPKpf20DWdxjCpymcHfnOqMbgCJDQ2sr4vwmATXLhjI/vsjQWsj9Rc+ZTfIFeYxoKqZTiRMVRHVZi205UIt1bbCGDjvEZcSBZPLF4jVFVacStmwQC0UTVvEXn8klxJr5WNrx54FTeSz5/F7xsL8OhWSrjQuksCxsaoJfiYqyNNFcgZgqpXltRilarNlnzYGSEnjTFbPUZGX63Dzeqk7ALVGH1kjKyuEe6QBnljAVoVM2UbZJ5Ubw5X4LXienNcVLW57kqF3/bWRyOokk2Pz0EaMT2gLnhy48aTQfZM+JuHlizdJmcLzotYOsi6ocZOVP0qh9wTLs7tV/qS69rduIGYTerszTdRV/zJUPu+OGXeDKS3rIDTyCDrzS5ytvbjkkxvoh3JVSaYXEDucWXjig379m0AB0PhyQMHjpw8GQ+u5d//bsEqQOmSZUrIbiWuXpuGLWStV0QzrLHj+tXWBNGqiLc/Ys2VkFrRkV6zcGKf0nHJ9CGs+e5Fmzcvgh+80mczu6Bv316DB4fmbuP+TRHgT7Zeffbtm1U4rJRwcODM/YCHs4taF7ZctaREj9WN0JBWhSJ1/UB71Niz1GM/2zhv6fbtS+GJs6CpuLjfyJG0wDxFAJd8l3tva5Nr3SGZvo/qOaoHSX0/p9WBOlfK/7uiyv+3q/4vaJHd6Yh3ocvzF71s1/DpXPBG7LUun70Xgl3wrS6oZzs5g1uHLFwc3TPiU2hum+jmgjyjxcWz1RaFOr2g1FdCDm2R6mzYywTN67+bsGXCphkvfGALn2S7Jl46tR31+3cQAMPg265xtz0wrPTaudCpz1HHcCN8Ev4FLpUjd0S79WeUSN5v1m+X6oyjp0YT+uHqQrmk7nd6wK51YH6Sar2ZlWmU/YIsUqfNrySJZtkvN3PFsOb0R39vnFlzGpeAgzu+CMOlYN2OjeEqxCuVUuU6B+LXroEUQ4qHI9ntWrNTNOuDODmLC6qsdkotr2znOBxyyg2LhDOnqCf9227zVIZ2G/c/c+TPfz7y7H79bvC/sSNGjEVvzDhgDOgOn4L3wLXwGdAFjAzv2gdBEsgBWvgL/ARehAivochawKNOZ/Kx3JqMPq/oc3mw/Hh0wUwXXhH+RQ1jYg0Sg7i0FHlh/pJuHHb6yDotUOsG14kkjt9QX14/Z3bG3GGusjV3j2xtBp82wquj+1j93vmbwAfAA/9z94MPakJ5Q1b9aUAilzLiwUXvnEPy7dD26/PulLnsBwAuX75kkzQrVWRWEG9FzQoOI6sLVdPsBGlmcCS7JKOkGM0MsNxAU7M5BN5EetzSGiKTsx8OgzeF2n4JI3egrVXyycx45oHeJPJ6PYNv4VCrSfV9PFKNvoYjR7CvBobCI+ywELs2BMtD4ZeJF4JWisPIWryNGRooMJQUG/m0UaN8w4kDMhLTtv/IQPVIXXBAP3FAHEekO84K8Kudkf9nT4T4Hx35IpmZsi9iLVhxYEUXi+yLdOmCv1gV0t42wdIFfVNg/b9zRrjOHHZGzmWmoQU+NZ4/Qu0GbFd3DSSp7GqyamT7xGwms1rR5NQl+X3WNRrk77OuR4duGZ34K8Y1zAHZtsXLqH2tsnSsmCPpwo3VvUmL2NEQwVXRFRGbR7k5ZGZonnx3CDV9yP0hbW1ylTGkk+qJTpKrjtnpmgpEi2BA/TE8ctD1krWG+vGWE+4EJf4SyYSVbhEB4CdVKbKrVxtBXsgh1yNzhOBHIA/XTFNGlB1wW3DNNIFUxjcZxKgb0iROVKqnUd8rpoJa382hQEwNtTYyRFpHTaaek5zbJ5anw1rtMIuOiP2pnIKJskApBSNWKCKi2g6VCOmLtW4V00ouAaeaF0V/43kBCaRl+A2amPNIdy8Em5DuvjXO+hLxZTYwiv+I656BqJqEJvWNb5Gq8yays+sw2ESDAbVLKqma1aVLVRXoQQbnY4FStZTUoIdfJrPzkuGXID0xvCVRqUXPt8Je4O2WY+A4DMjeCcHpcYqT5J1oVCeS5OiPkVrKJk5nMIoas9nAigZdkGMjljLe/Xfa8b2ANPiDbwJMuxt0B5mg+/LGcAqY9R9w8T846iMb8/BTgW35lCd2c+SeUGdAL/Cq60GV2wbRS7pZsBkedcCjxOG70JJBfCiRnydkSvW4kRy4takIP7RcekCKaGOmA0y6pH/h/It/Sf5TLk4QLUUelAcvmlrkQ7F59p6OHJfDaxdYcP3iqVMXQ1+/997XF+cvXz4/vDi4bFnwkfXJYDyYAGaA21PWr09G1sVu+DSsT1rP3QK0wJ7esj8V6MOt8Ho6PyEd/k+yIHC1JoFUB2KZpehzH6TLEpgszN3OdNHqdDI6fMNUNZOoPrVOco/RkEpsTE6OF5ecdEuBTZfqlIeNFf8H2wALksGfDPDY1qeHeNOPrG14+0rz3avXLlmzxQX6At8itLL3LKwIlSaMf2jBjLuWXL3wLWw7Urft/oc3roRHEf0w9/YhWRlx7hoktdrkw7od3jWIFrvouwbrWc/eF3Zs3P1s/Y4afMvg8FsmdIKNYDD6zWdvWzdzvsbJbVi69iFu1uWK8vIKWAO/GXbTTcMYAPrgGnMIGyX+qRz+IbmF+Nh8H/bH8Od8dqh1Z1sbhSc74/+gu+eDlfinnIdBYAZo8qX4p0Din5EjyKRdooVRy/0awyf5bMDDfq070Yzlwx/JLoOFnsnTsWaHaMSrkCEouEVBiIl/0oiIHP8UcPgz/47ibmx4RWN49JHcLshZ2gJ/BO/edvlJsKp1JyzGSdDcyzuvTGHr5d1jvgzxy3km+ozCO8yv1oogu/4UJk79ChzPabvKb+K7/VbU06CKegq/GfUsUWyNEsXWcKtsjRLF1nArtoZbiXqWqCwNzEQ5Bd7ssX1zc/uOzfYWDJs9195zQcOCnvZ5dw4r8OTQL3I8BcPunCd9MXe2IZSSvg7ZGVwSh+yMdRnJoUl3HCjNBq/CQdmlB+6YFErOWIdtjCRsY6xLT6Ffw0HgVfI1pst8RD0TqbCF/LPsHKtFtFqZNK+YppV8E2MwNtqpTn7OysrDZ0ypOJLKEkU8kQv0E5k/S78bO2voK8OXP/jUPzsbyzZu6LJ32aA54xKHr64+D4R1q0ERbHUVj95e3HlU4Nab92VUdOnXz6xvMNhWb755k93V9cPaA4xypjCbRBVMBh7odEbEfUCQQp2O2FhnfZMLPPlRkwvezme3Qo5taebYVhjJYMA5kadIREoXiWM+H53lMFmGkc7gEBglr6ke+QQ9+E5MZ1zhgNhkHi/XiSyjQjA9TUyPPhbcsT2GFEj7UGd90/6A3z4ofcCM0QUFObmWwQkThj9ZONiSm+MrGH3nkPRBdn9gP58NR+UVPDPq5tSQK3NfzzIuBdTsy3SFUm8e9UxBHhyFR4KxJCN5X50PVqDSDEwFGq2F6D5vwIwDnDg7S07n9xdIUYFInFMQKion5bKwCT445GCodM1Ctici7yz44OsfT2Tk+BRpLyVgNXFmA7GUhKBOSXCjFlK7K4SyD9oOguwTSXv27Unis/EVQqjdfHyFUOvZKB5Q3UCnbrbdDXT1TeBIUxMcyhOGb2nGUsGodQxJ8o20rIqzKqpRHWet56aT1vBwkWok5zrJ+RTUUpmirYYR7fUBaXki3nUiLctV0SPnOFVV0b+Hc7hW9J4VCtF25UwwAeddKXlYmGvPUa5tUfK5lLymrgi11ZpmtP53ZkqQp5CQbDEwGYIf2ad6q6DNYbqJiSkpbkS/Cnr6t8JPdrvbVR2LPrpCz47gE55U3gFO2CQZTwLIXrVw0eqnHa4TLsfTqxctXDXmDi36WzsTHFu1clC/vuFN/QatXHVTPxdgQArIA/oT7LzwthPwGvwIftnGVI0LH2JvGVfF7SBHXQ6EGhvgmtABkhXVgEct5Q4iKtzByJyF58mMbVYtg/xcDqkBAyeoI7IZdmTS2OR4bCGsbGoGfFMTWAYO3bjRxoAbiA+WUR+Frms0jopmHEc/9dPJ9CS9Gyca2wQONW1oRAplJ55+vHApZ66lVmgmJ43qSnuysfHTmqZXGl5togmhUlIobgXhso7IjC9gp63QaKw5gk9H0diapoYDLzVNbIy02boF9sMV7AHzLGqXk2UGt6pnpusU9PxJtndj47HP4lHC13BrG7lFLc1oqbZgu+0YGmclakm6YQRZ4yYOB7EUSYmOx1KTSLKEjjWBqoPHjh1MgW+CPpVVVUge61995plXWQs8XFVZWSVHYnH7Junkv1W0aPC2W5TMREVi5V7kyOD16+BdoHvp7bdfSrl0aeKMGUiaYrrhlNmiMdjUgM3GIevYBMhJi8gBdXt5QcfR15qmKU8cPPgEeKcpPKh/f9VwsGJgM+GGGRMnzkAjwnr1IdSXFH31avFtozj6KijRV1nF/r7oa8WYXqx/NO4b/ni0Vy27rE+fIaNGhfpPYN+lCHCLwt+uf6xCGS+L95kIDjT66hYACbhqXXZOtNuj586PGSyKv+JEX6uafjg+h2DQ9ANrnDgR9Y9GvxEsghuf2Y0ozeBwGQxVVQ6vlLP8iHasIPIr14wk9apsTkR5pXCkR1U4Uoq+Mu3Cr57IUY+Y8pFr9zrBc/AW74vb4xWRrF11aP0DtIokwmKNdJ4cn7J3Gk1o2nEgNo6xEz8OWyrFYVnLfSd7zy7aNXndPjscAw4mN+5dvMbxp60gEfSA37qGFNfllD249tCaje43lKpZSpWYK2iFaFV29X+73o5UbQVRUk8oySj1lZCex/WVjBZWi5ZErQW9GFWBJRJTj+yaRddY8qsP8J86daoJTIV7XLYrTxxqmlh5kV96qKHhEAzic/tvs73Iuf1sNL3zsJdO6jsoUVrCTiRKawzSI7Qq3yImStszanXJUSXCzHvrAdOuJ3GU9qldhgfAidFDhoxGb8RgA658Ki8an/wAh+77y6tvP//826/+BWGzAlk4WMPh2CyyXw16n1v0+VwOLF4uQ9CRKToEibHssv0aic+W0IMGJD5L9uu1FjYSoF3h69TVW5QxfphvZ/3p4+BM0z39B2ZaC7KHzb4NrMHbiuOnTdOEsjKHd++WumPTjqfRyjLbkZ1y86AJXdgCEBg3ZvjNeK5wdQU0V5mMP5Dq8Yoea5DOlc+SjuYNTxmeMUouh3q+ZF0XM2PKFYPxZu6NM/MMtZPHxszfp9e/spqOOXQrV7EDpImUcvO7kfUU127Tm0ROiukK7Wu3qWO6oM/p09j/JFdVPX0I/DsE/3cITkAtdkfrzWZkFY/FMd3+FWL/fmL/EdTNGjnSNwy7WSPS8dSM+H1u1m/5WR7MUqQeckd+Fglx4odysSmDppg4Wt0rnGnTB+XmDpqe5qwYNmeBsXxg3cBy44I5w1Rf7Do9foqxbBD9Akd0l/UfoqGO1jISz63Lzrdim9KWl11H4rnLqKulGdL/7sw0ZCAY9VMn1+XkWbH5iYHunEqqfFAadUbSkxjrOfjSRF+GtOaf9FPN/Lu8B3Uot2PvYUXj2Gn5v+Y8wHJg1I2ZQfwHBddsEsd1ynFcgcRxDSosY2xvOY5L7O91jdtkC5waTcQKxydpkO2MT9LosOWkswR5FmiRU8fKTh3Wv8BOw6jYRJ7xOfJbfJ/DGaiRj3hv62muW8u3ME/Vkg1jabEE9ZzA6YCOnEMQgWRu2x3lsuPuK6GtEqHKsn8IvJHGQQL8punQIbPcgfkQ3kAm0oJosYbQIjvg5rXAgk//IGzlCLBcV0YVAcZnWpzUI1Wfa7n2j8ZZUQdb4AFCGHy4Be/MU5qTeDa1cs226TajaIvYugXIcnO0s3el6K9s8yLKR6xeifbLFP9W04zWoF8iaxC2s/EaFBWD+SGyV0hOipxSVYAgsdtjsvcRqdLioHlyVi+OIwgmMaoutLK/GanYQupo5uZyeI31qGq2zFpmARcsy2ah3zDDsqxd7RZu89Z167aGC/HP6PMs5+KfZ8FZBQjLIrLDmItXf5M5OUlMZoRMkqapRlLK6sq149MeqjifFHjMKpGCH0j92tjNsPU/4M1/ntu27rGnm7//0/IVC2bP+MNccfpl1zeABR+BH/72zIqdLgsfOtjYHFp999K1oTm3j5sKT8DO5BIM5eR5AT55zmWmp+n0pkQd47GKHkS7nHYnz0uK+7GlpUrMBS9k+LY9ZAJoBHWR7drwT4Or5+SdLen70PODF4+ylM8fjOwia/mEGfnwemmPTdsn11Un3Pov1+4tt9UMzNb7zV2KBw4BmmMa7snHx8zslW4caAnkDeudmPxyeopSU5LwxU+MElFDK9t4ZmCgU/+A2H+UsWepgR+ROSJ9tJiZnu4ehVX9KEMwgw126Sp2wcpekE3e/8uIGlJxHHr9qq6XY2pKUC1+VM3Yc0CZJqQpG9DT2D6yhr9swF91EFtDKp+b3/qANT+7g+iapO6teTlSfG0M0k45aHa7qOJrqSSPMJWpTnWLqdqI4UvtE6DKJlSnE6qyCZV0wlR4/tnayu3VGx+btmvSXQnnXt/0ZNlTxYmemUtKgeHH/WtTqxvmLf0GFr+wfWj/BxZPXtLnNd2cOeOX2Yx/05p1/9y79dE0rV0z4cDylW/VyCcgicc9kok6QcziOJkg6K5GnRul/0rO/UkRMcQNncm999KShtc3UiZPHRJrVyvv/1dETNPc+vCvRcQQltOQLrtZisjgfRYB2f2Gdvss08BskAlmN8NLDniJBHwWt26QNSHxaDyEPlLFNfTZzdBzsNSPT2DY9gdcsXqOPdDaWNv+ECvW1Dr+zBySp1WDaI091gzkQ7o8hqDLjE/UJiQn2xm9mCq7K9KxhTinal04WEPPqmVlks5H/THY1L1bt+4NUyc3vWF0+NYvK7DZprue24v3yEaOHT2Z/TicUlfHftlyVti5b9+Y2xAWt6BxIZOByWYKAolJCWKSR0yScUlJT/dFDvjKmBR0jItMBwmf7ip81jSu+DWMJNJQrOjtBzPJipyEYxKCxyB6GIQRY5NVpnLjQ57sesRk37MrPvuJbXKkvXDfK+/Aiys2rr/n3k2u5hPsNuia/ad/H3vzzJFFc+6YN188S2IUUn925MHinZAEk5jA4OqIqEuHevGQ+yQJY/F6feqdZvY6eNeR9HjNX45c+mDe3Qv+KM5H/YKmULuOJY+LVJ9MQzokQc+LyE43J4pmbVDLBAWDeulSZxBhLajyuNSHDjht3W7DA2+99YBxN/a43pB8LRd2r5AUbfz5nOxwHVGcLeJt4d27B5Av0w2vn1ohuRNaP+1o8PZqpYRQZP3MzCanuHGZDrRi0U08pMq9aZzbxUSfgTgDW488dNe87FmPPVkGhhvgYwPmBkpv6zLh2c1j4fUPV96/fdHSzVtdVz586d0Ub+KYKV1nLexpY5FLw1m6+Lv3TDMl9L3zL2u/gfDIwfs27ahbf39d7LmG2HMG8rkB/BmfG0Cjk/dgOSUSzAYZjZwDa6f6Qc/65G3Y8LvwC3Yk/ELaiMU7uXHy9qWbutDn59pn/f7/3fX+KoWdlwK/AhkJ4S0J6l3vPuDNlmPgTdgnzk49xnc7+VxJPitUA2+Qz7FZy1LWOfo8geA/k45XOr2Kz4vwokYDdHpRpwsqx1Nk/J34GLD0nsl90xrkitH7G5xwFN6J3jtCodhMaDXNwKMKzkp+s+o2NNy/neO1IlqZyIVoeuVCNHwenJ5Exl37AL4VDbwCh3BrwpvAAVjB1h1mE1kNQqEl/PXh2Bzp2LwTnC9M85YRTrvp55j84ZFS5iPOynJYDQbeCHQiskYxYnKqp3zaDHvY5IpFmxf96EkvWbSDn+CExvONnzXC8aBPD/AV2yv8NjxbxG1vndMDdCKfknrAt5S+8FkotEpoXThPzpaQYOQ4nLguZ1jiqH+RXdrR8cs3J2vdfrevpCf94HXPvgq/x9x041M4rxlfmnzlqL0X+ImtD1dBodB19OgY8D9wGdpgUtVRNPto3HLeAs6QyAu4zQK+e1pvYnlWb8SXY8t5DAV+ZPBJ93KQdZbzcfgUcw76/TPoiQSq5+n+cEd/WDaxaR64sh5krMeCBSbC/bwNn1w+FS5jG5Gckj5HSjkZeQEvjlhoGDPeKDdbRTNOOVYOKfnlm0CUm7fRm5zjno2E40tyvjCl5QXUIz6bVBWC40K0M7mfbKkfRFe652QWWJZ2o4sMzK/0Etl9Ir2MbQSBxkZ4PPwF6QJnM91YgDOZonvRSb3gVQWLD+1Ar2ToFkn1f3y0ppYb6XU6ipqvv2Z3fPttyzXUPMI8FGq5LA8AzY2iWYyIC1MDDmlCbESzmFS3lav0Cm5VKufGHoNVoB7UtzyOZyR85syZiE7Jxn20bo/cnk3GsYPcSEjiSTrAI43AcUazaFRyBHGWpnwPJD4xCAiV2Afg35uPOt5shn9rPYC6YgG3iaRfLYBMNJ0oj6cy3QPJyaliMhukvG62UW7HyV8ysxNeJ4YInpcSb4TfSym/4xF6KRULL8HreKCXm+CBujNnjoRvR1gcBY7e4EeJ8d3g6Cs3g+8J5ydPfEXCSp1Hy6b9Sh6tchMl2ykKSnUTJa6kABdiTcwk49ogJi+XJHKMDqlPx3QyqKSTJDYu2839WEeJ38Vq8V3SJIqbxyHb2V7XuOmdNYGTm9cDX0ZCY0JGy02P3YYYjzFv+BDoas/CJffDQT3G9IKDwf7sfoVgSV6hDpbL99yvQ34K4hRsZZjwsSdD0CAEhWQ5Rm9T3WYTdbe9Fxd7k6voROrM/SjfV7QNHjQlxa80R2oaxd5dU4d8Juynu5lOTG7AY0sWbcag3pCVKWZl2TiPyLGk5l6F5EiQElUxnjqNLzuxg+6PdtrrFF+9MbjB5Lp8+YrissNizT3EXX/caeFfe6axedbU8BrhEHXVFc8dz1U2wnABP5LxYMvT4hQtFrvHErQLQb1WVQkMYNeNRU5MaRrr8Gbb/TYNvjA+TaPx9rpj9NJpq8bkacD+pvAGjQYWz/ju/g9A/okH+/510OP/gl803slxrYVTV1+YFrG86pAf0AXpIrdOm5gnJjJ21LPNAoKML3r/RMrSoEV0pDvbvVq5Nh11HaPsr0lbPlz03N5N937x7+aGWfc+s7B6cs3D781bfPbBxVsfWTb/ga2uu/657uk39J5u62ftee6Peyv7Duw1NL1TzWt1D3646MgzDyzd/uTqNXWYLvsRnkmIi9JwFpWGdzhxFpXeImKyJERFgWiExV6cU5JdgiSToOd2abT4Xjs5ghFE9n4RvARCIHl5/40vXwNPJWTAJdeW7Q2UVr7nAl1OdXYNPgHYXi+WLqu1vbh1Ra79NU8SwuIwzOB7kf0RXNHYiFkZGcoeUVBfFIKphTNC8+glaEyJDeAiZ26eITEUfKt927TGYTchS/gcGwy/zY2ED8NX3nvtgcdhRkOvBUVlwNIK3gOB5KNHv4ZrXnv6r48/AP9HPGHEG7QCdmrAbsBcYY1TxPn31sBuWcWvkG/WkOJs5JwxjrOxvx5Ku9KMg2nNV5Ys1YPr+qVLli7RQ51+iQtMBCvRC62scCV67edbP/juuw9ajp39/nucabGKxPJwPFWq/o7wNsav/i4VXW99bjdsYpkR945elDBqMy489+Xh8KIVQVJnXcqw2IAoYqG5daIOeS4GM0dj3iZlr6q7t1w5/4FL9XgBshJAfZPHOmYoeOQx+CqY9V8I3+GzW9fPa5wIwnfD2eEPwRpI9vNvwtVO0ZxjzvOkpyYnAY3BYxc9xqBBIxpAZD9KCs/myccqijxeIBU1xUqD03q03E3gxcTkm3slZyX4S1fu6gzY5Fv7kg+r6rq8mJSef4FPGzdthO6oqWZ76zLyx8Kd7BLd6mD4fhoHKCa61ItjIXrOKYhuu9MYlHSqEWilmqHS0XQ5dy62HBz2kJ27VPXgOh/eU+BEqkfgw4vmL9+4hx3dugEXIrtwIYwrAjACqU6F6ZwYsBiRrRLE06dVxo59GB/Xjc0r9Ti8Tnoj9p/ybp4/cenOvf7pJpD5OVwJ1q37d23mX8vhL41wjVS1ajOSp0JE2074/rXMLDHTihrGe1kexo4DWgy+60xmkKKIUsbyLWugUiJcWbzb5tNqebfLR0RMI0W32Fmw59HmkwdWroRN3IZP4Vh2nGU/DIDe05C4vTXitmnDbnKBsbuPZTisj21asDrBffSo9b/w5xCf8u0BLHc3N6SO71VUFie7ZyL6jO+LICe87AZc6lfweKJzcahV7JNsq6jahnj7m63nbW93H2NJdSbk9Ov+0OobOFMn/PGYITx/VKvZ/SxbSDIl5Wq1FiYB31yvd4tmvTHIW3GRXalGLL2XCJ9AyIgUhyXnDHzI6Kr/+Txo+vr9mlqDCzBL1wHTVdRipy+uh09FysI+uZWUhaU5LNJNhmhVQHrObnaJNhwTSBK10XqOVgYglM4jJ2JiLmX002Klr0ybMWfhhPM/Rd3LuGvLxFWb65HGS5lUeifX7nJG9vFNq16RqrQfJrGRVJxHphMSYsIikrVQ7PDj8pFxlqBbP/7hh4/ZKXB1/zt61/xzw7y77543fxkN+4eBO5RgEPfe/tC5paFjB/c+99zeg8cYSVN1I/kNpE+qqszRfVJd5Y7VVtxBOFalr86EQrBYUliA0ZCIPM7dQO06dAK5ZCRyZ56fcDanxKedUmTLxq6Ec0BRv0VP7L4XHD/e5AKHQGBURWj543Dz5cvsxvAieAvS4ePgUH4ikiZ64jUH2TfkxKsgarRBeuwVec1KvTxq+QMnPu/K+Tl83tXptOXZewLkLArgey+8GRzyNHnAIXiz99S334Zrv/0WDgX1ncF1cL0zqIdVnaEO6jrDKu4EuLlbmO0GboZ/7cbCbpiC5QiXanJnRE7Am25JA3YLb0hyi0nWoE0gmlMbUZsViHcBp9KbTqRBnGrdyY0DO/dkT+xPdOWah0uDQHMZVu3OmXwT+Zd1O8tnX4eT2dNgz5RRSGku2gw/Zj1hH/zj1JHo4z3bgSn8C9lrG8oPRhTC58wceiZo4YUgdZ+NiuakayimC/GbEWkkv9kJfrLC2Sfetx63vn8CzrYiYvylK7jCOsLfw7e6a4pvvNsd9CafTF3heNwbmu1eaLZ92O62WBiPB3WHrBYxOVK0Ezt4cSKayh/KnbHT7l5Bw5n4R9Oq5bPn2HX2oBLMnDQXXIGmuZPGjsSf9z6398UX92IPYZWc58wGSIaf5lOye4UmOFLtapWc50xhNGfeoF4EBorkikyNaUl7hmFsAT3HArcChytEauRKv+xI2iOtJ+FxqHokMKRHqfInS3vEQJEeMdRQVUtaj9xjkk7do5LLzQ5W9RhdGYzMBYGpVGOV6VFhNVLZfyijMLQifZpR1Q6xQwlMHwpDc+LT9VG3chTTPF+2H4Vpd58ItuUW8nci+fDgSAO2XISg26DlAM8zeBW3VkcyJRztrBen4prlqayY0C+ZyU0OzzH4lsqQmQv/1vnWPvAm8Ki/IuUyXIRtvQWSza9lrMgnRH6Gx8bwJuK861SmdHnEe8+RvXhVrRm2CqaAL8GX6KcF/gh/BB585VLF+PGKM39E9uLBqvEV+N6lCiwVB6TqEgYkFU4NL2LtyokCH9ThpcUkmS80muSza0pycILIATADX+jXBPoc5fkFJxa3dDuKqbgCtTWU+HOpaF00C6LBrAk6AI5b04ak6jX+kmympFi5otDuYjRosTgIhoFB/4e6Nw+MqsgWxm9V3d6y9po9IZ3O0pCwJYQY1jbsEBbZjICACJi+IEJAWVWEsEUWRYgMIIOAgMggKqJGjAiKeQwyChn0+RjGlXGUQccVk76Vr07de7tvZ0Hn/X7fHx/hdjq3qk6dOnXqnFPbOd/fdrRv1QD6KDpJv6X/xNM/OY7WX/hx8oh1dy+iYz+i819J4zU9yDl2t+AVMnzOhBSXFOPJiBWFxBQD9+EdHXRnoC3St+a3QznGHppMihjPeWVQYu8/3L/90Md16QlfX7jvntLnSqsmfb/1VP2+yideot84k+LetGUvm7toxYr0J++9/a7S0nXlU575w/I3PK6kN7bXQghnYXDQr04q97IgCSQy0hQVVWESlbM/nZU7ao4i8KUEbMQvqA0m754/gD48u3r1WdSHkMbAi2RXYNpRegr10c6zDWRQU2B/MSY+SnLGi/GiAOfrRF2blaNFQS/SBYroYtN0k8fBtCNRWyzi0Ze/v7Ri0bon6KU19891YiqfdfZc0PPKZRpw/s+79y3d8ShKL8Ff1NC9CbbrV79oUOML9zJsZtKaz/pSY5KkCCZGTWYJGubUYaD6blBv9cSLre2OWLH0HQ2gp9ABp7wadmZqzn5/5f6HVz24fD0c6zN0QU+ig67aZPnz+xZfvfBF4NUdG5aueqySXlNP467QPGYQwYAlA8MgSh2h4A2Un+RG6E10QP7ovGinCeJ5eg5937BAN94ShSyhq5DpizM6HSYxKU9KEqLTJcaxQrauLbnB3fjQHFu3/qCPZOEI2+r4h/zMH1Y/9s+L9V9tWrVtn/yPOYsWzbl38eJ7H9mw4RH2OD88venVdrFpex587o03nlu2p11s+iubTn9Ipt0zsXzu3PKJ98jjGZutXr1o7jJO+waOs0r7eJOTWZsmvjtkqAgO1NBJrvicTJvHqDrYLcgXbC6rQBRGAOxuOPESheY//P07JNK7hy2vol8tWrHOWJuMUxWC089pYxcq0dvxC49VIieQP1xawU2hNJ/dGeGIFAUxWhJt3Hhy6E8xaIKKR9FIR2yekIPiNFElx8SiT27dDWePUUwkzekXFFX4/Yem4sGnGk/ghHkT5df/2NSEzE3XyBK8AJvwakEI1LM34xk6k/Bs9mYNe3OFvend1EQm4AfZm7Xszd/Ym1FN35CReD57wyZsgYvsDdOWZBqW2JsqtdQoBlnCU9ibR9U8/dmbubzUevXNNFZqJS+1QS0FeWbhCvZmY7DUd6wUvNnE3lz4fxVnkkCWwJ4M4AwYkwwyybCR/b2G/92b/T2Bp/Mbn2gUyz+S/833T5CPpU+D/RHAlacnEon//Sj/uz/7ey7Pv57/PY3l5/tQgKWaPsvwR/b3RvXvNDX/Jti90/D733hgK9l4+PDGDc89t6Hn4ME9ew8eTBJe2rL5+cNbt7y0d+KQwePHDx4CJzm0FjONyHSxmdmNBPlFphMNRqydGi7gN4xtpsIikN5o/Lu1tTv3kowNqG/BrkLq3sCgqHRiI5bNLZBNkAw2f6RBiiTBuQUqzAQlGNRCJqYD0XjUfubQUSV5q0fev+FHFEMynipfdmenKrfn3jt2roxeD/ipFBcyYU6R1i46yiRIUSbwhGeP9kOUF6Kteyk3ppAxGEtBVX66SjU5hjvcOie3fbvbClY/7Iu4a/zcu0a48uf1XbpqdL9hE/9AElFM9GZjbN9uC0yehK6pW60xg/p1GxaTEFna587pgJPa64pnocgoSTBHSkQ0mlU/SvnFihUPGq9A0XguTyHy4eH7ilbtHDBgJ1kvov+hf0IL6Pr1kqS0kvMNxAL2uaJJhFGQIox+J5vYO/0xNikGhzbCi5U+L3DyJqqazqTZRRMefvTN0nFTb+m03II+oJ8YOnWZt2wjSZw5KX9gvxT0wPrymDvHlc9nnKVypuDk+/4OlyAluvyxiVKkOdYPSo6oa3oaj4FGYPNMl065QfUuJ75r7dbPG817N5tjJ5VMuWfDmunTy0ni8gdcbx6zbBAnTevQadodM+auGDF0+DBoqToClNtDIhb8oM+U5kHLHIxUNjfBHde+shO7j5IM9PedKEeuFog2VmDNQ8iBtYF0QcpM99uNCZlSSoI/KkWKUnlBWadRRkaRXoupSkxB3KE14PYVj0t33XHX2iVL17Jf0uMr+/UrKRk7dgxJvKus3+jIyNLeQ0aNGtK7NDJydL+yu9Djvr59ffTLsbfdNpbTMU1PRzaAzMhvcJmBnDGJUgzRlkhy1dUKnaKCI15BdNDmEA1XrNvyeWF5+XSStsFwxxSFgoyiJ15EU4YPGzEULKTJKF+cJMLMO+ZlhAXYPVCUoSMHxddMInsmofy1eNsK0GKjm5rEcj7GY4QMoafP40yS3E6/NdYtRUXGREdGG2PtFWFj3xoc+4qHKu3ktkMnB1g9rQ3q0Vw80GmAAjU3H+BBoUGNgF2guPmIZ9gye2eSim2q0NeXZYt3SY6keCk2OUnDN/n34JufW9wS4/BBqUdWrg8N0BCecoDjeSR8xBJhMscS5JJXKBIG+Drkde0sdezWVWpf2E3KykkotFc0l1ZOJq5cCTYNVUViKXv4Cq6/S3a10grU4ybijP7YvHE3lW80nrd3e3h7DYyHromL1V7JFjoJ3aHNuclSTq7f5S7IkToX+GM7B9nJ8Zvdo43SZv1Dfueg1XfcL22N3xbclv2bA5q1tJS3VOlZH5vfjBLG+AoGFEq3DvB37jn8VmnIcH/7IZI3JzsrJyuhveN3drOtWbt/V1+T/4AiKPsmTHDjpnS6OUNE/07SaZRbz3ezC4XewgBhuK9Ljw5S9x7+zC4l3aU+Jf60PlJqSnJSSlJMmqMiWmyh6Kw6RdeSZm3qvf+EddD41nQk/ezmJGqmQWns76bKZJUqcGLBI+QKBUJvX5Y3Qcr0+u1pXTKlvC7+qDwpMsJijjAbohwVBJu4UlRI0QoVVB35H7W5vaJP6Tc3HzCqtv3dwwWht5uu4WvIydoW9TIEzOYTIm0OqS3WqPGwnVoEbFZuMy3FZwXKJGnES3CRQNDCH6PNo75axBJflEeABczhhyKlRtklRiLGNUZTaxYwaa1aLdA5sWp/Bi4HMcEcE6WGWLBJYqKkmCD8zs3g85MdGlwaYJiGgDb24jg3NQndWY8vQU6cg7fRCtYI9hs8xDCrfpsQbJOB2TSsRtamCOIXIyTRUYGswTYRJSZUsN6fje9HTNaiuteR84F8mqlrw9t0Y7ANsL8Z5Ye+iPELISrlqwcIGEziKHDgMpUyucaTEeItGpEaxgNsNgeH89BxTArGM57N9sU7icEuxqYJ/oQ0KcFRERlrlqJiQzKOR31Ghd2KQotNmYpFYHS5whry47490ydNPu6rGojIk6c/vLI81KqpZ8pnrBs2ZvKITXcveuHpv20ac/9oXSMZTttpJb9TAOMox5eQHpUqxSYl2OIMTrfApkVO3mi1xfk2ZTlM324Hj9LZvbCwgCOmbYmJeLxKi2RA6O19e2ZM5BhSWUeY0hd3X9nIUGJYTq9SsWQztrdxPr7G5rQm6Fs8kHF2F7SLLCfXWU9EvGRm5qCgMhFg0F1ztYjLRq8eNWr1aP6Jdmnf4BOsuzkIi33EbXxVzYGiYnBkBDEbRAvTrYLfuJrPMjjJcxxZRQbGLFnxBoeJoAX7Zbp3KCpN+igJlQ6le+X9nyG8HonTz21BEq3ecm46DaxHxYxHj7PZcQPjwRz8FP2ecaUJPwWXohmVF6kresnMzi7ypSbBtmKKg8Sa2kVKdmM7wn6EGAuuSAieSlLu9ymxtwv4vm9BG/7lwcM/ePOnzTzJh7zxd1T97Ld0Gq/5zQf6TDemi6XG97n04HFOtGOY08lXxvSjRyFPeVOJONU4lOWJPAabT2uFvnAhAxWgcpJZH7hcazLfuBGWL+plnk+VYCwjWR+4XE8y1ZwooukWctU4Vokgb4uVTDa/ySKZqoJnCJT7vTrf+eQ4fZ3+Idw7vrMO/R29HPJ+v4c+dAzwPcug79egKzHjIEp8EHp8ESxtWQVwTqJUdJbBRIg2MZhd0EA0k26nNXXH0Ao0GZWhZcdoDr2NDqNuhrnQ1IF8YZzAtLLH58zKjoyQIiNdQmfJJfhdKZKrqtkJFj5a+EWNQsUNijJ+Q7urIRMldDWH9Nj7Er5tdvuce0fjl/b2HOFO8NyaMmiY8X6//37jsEEpt3oS3CMunX5+7L6yW/om7srwdZq0e+yzr0RaDhkME0bfvuv2u+/FGXjelIm7xky82ygeskQCVc4zzF/UMLdZc/Ok3Fy3YJLcgt/NZjEtMQ8tfocWMZuvgPO7N64Mo9oUtKjHyNawHQktGjM7p/3s2/BLlxiiovHuiWN2TZwyjyF6790M5dETDAaG6CvPjt09qZMvY1di31vK9o19/jTMdBcwzK8apyneiQSDBLwlSmhdkFu0k5sLcAUdjw5dMt1S29C/lnNCB9IrWFKJ8i5KhmDJ+ELuZcN2Fu2i03DFpVrDidobdUCtv7Gpyd+4rREHHpGwQQydzFUOKSK4J+hC+Hv5G+z6Bj7wG3b8htzPLvcDCBcZhIsaBCNiEIjJrvoEsymHTBQIF8Gx2zfwEQLA5Mp0XC6WkgxsJF5+gjj4N36Bn1wYyP6WSEZwtK1URhuMXXCLUV7Ddzy8LNfa1nN5xak8F4Ot5mKwj3HY05tGiaX8/LYy4s3KiFfEwlEmFQAfeTTkwSaSKwiNXzAJvpOWklKBMgn+BntTwfLU0lIxm9kmOezNx40VTDa+0ZTBU+rwx9zfbQ4+0ZTBpeYJ4WPezlqWks1T3oA3ShnACu3HH5Px/Cx51Mtsoo6tSlsQYrbOfhSzpxp/zA0HhHaynKWt5HS4WVo1SqLfq1kZ1utZ3l4s7yD8hviRIJxkUxU47ygMFXuRj/juWgdfIrIYY6INEdgcaY6MIqJkjuX+APyEycvc/AK4Y8O5Iov1qcvgMhjU32IvmoC+ovUoT76hfRuKlm9Ey69+ZP/oavAbq3EBq3G6WqPXlxDFGNUUG4FJZIzRbIDDvmbGvdEGvjgR3KPKKoQfxkTqb7wM5bE6vgpYld9DeTV0+Ua6XPsG/XtNGEr287pSfFZkNGA4jcvbw1gKmpQb1hqyXx6Ia2gHdEnB/fJn9s9AijMob2tQTJgYRUNojOmgaDhGoEu0A64ZCsUvAyaM+kkkilTz3n676Rbe228L53hvf0ai8Fm1D4EHtT5kOhr97PzKyZKXy8tZXwXKcTnZxnncJFhfEVjtyLBS0agKp8MJj0Uk/cb7rAzjeBgZ5JdXdaXAA0o0slgMgpmfsOajRI30EgKhgvkxnUShoSRdAcWAoV9eFeaSk4YEwcHPa9gki9Vvd1jMyhqWxSxZVqonrNS4c0WFfQg/8VTYieQw0hgPXFzS1/HT7Igtzn7LPthDauZ+N2hcng3lncjDMbnjh3wnf72E0SRQTs+SKC1OhcEkGVZVwFGllUHbVA19ivs3ZBou17Hcu2rI7htmXvb/O45L+9obUgxfaDheHTqhU3MccZAWJmb3dPKlGhISJdGW4BdYFchq8ScDoyQZIf4przC+ODcYGruoEMEP4+ZmVcPhGFJzo56T6cYVU0aQTGiSHU2AquWvvus/tpNDQafD7Qo6Squ3MWwssM5pNEjE6LcwgWDxm8xBykF7ocVZEIaO1e5CZFtgXmAKeYo8IT+Aq+Zi4SAWvqP77XSf1sJtvIU2aCGJiZbESDZFsJklU4TNj4zWWAM2gmnQooV8RLEfg76qgaQGqgmcC6xs+MCQSx5RKk1YguOUSr9DP59AP6sIsDbhTPIVuaCcX7ULUpzdb4iWDJaIOG7nWNULSeqcrhNm81bgXaay0zC/RFsAk7r3ey5ctLDnzMaPyYKSC8XzK+YXd+l2djPO7DWq16S0mm0lZSV33Z4/8Lk3YIT56Fl8gvEdEYohJl77DvyeaqJYICWK/sR0KbGqAqaeq/S3zPj6OuPFrP+VDYR+rAtkXPhKM4O+unDnY+6EvvPzFz2kGBYPLcqf3zeh24P0rOnGDfPUz84NWDNYNYaGVQ5450NuDC2ZM2jFINUYGrqi/8KVijFEAiXMLtjGbCGIAjdGKPMVDB04sEeXgoIeRdKQQYN6opKSnn2kUQmJI8WePdhP93597RX53a0V5lipvdnfPkNqXxU6PMetdi6PFYEREhwFDrdTO23+e4yp1sJ4aeG7WNeBndU9Tf4Xemlv22YWwiNbmQygrvApd8SeNPkty+gZmV7/bai8YEa350/f1Bor8ndvO+aWtzh1WkJPxh/ybMYfGzl/RMJNEtEigRQ1g6UVxhcqR2j22pm6hitklLwEr1a6cY4p5WhDfzbnIIG+vIemgb9SIUcY5st1xMbmREkZcTkoLS2L2avxWTnsJ7pdsr3CFm2tIEYpgkgRpqCZHz6fgv7QPGQ5FJuPP60RPBQj7U55IzpEx+MK9PdWaCr/Gb2YRrvgaepESz4F5qN8qm2CsZH0Ee7CtE6Ztr4QJfBQVEZ/dEiG6yb5WUzjyLO1ef0esRR30abx3bnlJu9uuoanIifTn9vAWRjTn9uaFoAd9euPTdfQJCXlRheWAjlGKTnoXHAR9Ms1NIdsE1P46kmy4hlWjLNKEXFxKDVFSkWgdSsBLet59TYaLE2wftNh6NZ9N7A0GmVY/+NXKsb4be0LM8bItJoaej5sHYn9PsWaQW54hUsMk2Owl8Xw6OxLMSc5pZikJEEkEmZ2EEPEBBupSMJrQhJbw0kTqllt4EW2NW4UKwL7yKSfMrUVrIPql0uo6iyqukx/ttOfZzdHjtF3EZvdZxt2c+od49T7Y5MVLOPARzrqwf0pa4QoRSDQa80Ix/qUNKOagVvSgV/rta79ngTC6cPoovWueAurfbvau9v1vaukqL27Xe3d7bx3jb9cE3Yz/K7x9T7o3VyhCM5nZ+flS+kpeX7o4UTBHiUZE+1+iJBdqd09YEirZ4Jv0s/AB4Y20m8sb63/Gxa0xhnk7eZEBzJE1dS04BTGsYGPgm2K5ZyS5Yt3JklWpx/IHm0U+Ehi40lpC5C/+YhqDffQCNsoTm3cLU4N9ksIuyoFq/0hbAjH5hTHBnAp9GXExtgdDJ8oJyDhiJbsDonhZDP6mbllt0r2NZoc1O2y65f0NPOnVdxqSLfAOXHyr4da4CbbL6MIO4q4TB84S316DD8J0gsw7OpLZ+jEMnRipRirpGDqYORySDY7XD7Qja2WsgipoywMuwUqMoarjXvEyYFzpNuvl1vBTzfI6HXd6FpLS/EizsU7Gn8GrsU71gelmrKmpvL9Uwrf36hjKWuVlF9EzvdPNU7nJbftBCtXbNpJAobvuJXrijYZJRtmsxosWYkpysSsPs4ZBdbz2slpg4PpAf4UgJNm/siBr+U04nsq4BF7fnP2G/xD4PmnyPXGY19PRxdqUI8aVE/zauiZGn5G+pexao3JcOIgMtofEcnUkFIpYfWbuGA/w5jxjBozstBdpD5KnSb1IY3ntjdcN9w3ryHd2Hver6NNkTvO7hAvNrw/z/B0A55nvO/Xbtuno/yaT9gP6kbP8S/0PKNK4DKnCkipPwZ8GjVafb+dvy9hUm228r5xvyrVxoNOCMSxlG18tTpVcAsdGVe77QbiFM1ewZ/hlTIcFeluKT01NUFKtYatXfdVRtvNF7BR9+5F6g1vPRfNab6UjfbEZ5hIZcBIGhp63WxZGx1pPzO3hqaz0Tk+xFeNAYRFUdzG2re3cSNv994zrN2/lMJ7w9tCNvwNqT9f4a3f2zgB5UE5poeuMz0ULEc67hLgfVOJmG0cqoN34AyMr/KmW8gF41jBK+Tx+KIdPelSvMcfnyjFV1V0yc21OKxWS5TUtUMHcw5CZoNkMVvMItgrgmhX6GZvPboov3HSWuRXu1CgWxZlX4hishi6FTHuzaZ7WovgOqcPKqW6hdMuAfpyXzo2jS7mtguJNtM/pqHlllYisMagjNDqKspAMYo5c2TiGLrtDqDBWHVFNGhL9+wmJfX0J7mlpKqKEQMGmEt4y4cPHKhSY3CH3DEiEMISTom27OibEOP3zSWUPYtClU75wIPEzaZFdGMrtMLDUZtrrj2ZeS0vDFItN3PGaIv8TBpeKt7m97akXXd/0U1XZU8/321GgULOh1KLvXRbYc8Ehas6kFNB23ekr1NykhSX7IcbVesqPDl+j4UZw4yQmenp5jSMfy9b5d6EkKH776r9a3O3zkn7lCVWeSNN1+iAqtEHdHjL5uM+sAqL+4TsXyZ5ylkDMV/veabxO8VeEeKEY5DCJA/mkl1JMeKn4hRqXCOnmETKF7oLJcJU3y0pnqwk0ds73V/UWypyVMR7pXhbRcfu3S25DoUunQoKzF1/P12CtOGiqzXyaEe1QIR5QqKNzar5rIFTTCfPWqXcS5H//HPdZb4pJk2d/wi9H9JUCoqpmoxrQcTjZw7vvPqYslvm3zRo+ANzKvm0AkgaqAjqepWy28Io+wxfURODKclBjmqfEhfn8VhSVYJlxcczVspMSvo9RAsnHPdOcZM4yFzWA31gbtAaXZQ/0Ah8o6GAEwO/gm+0pIMymSILjh6lu9hU6xrsTGHGG6PISdYy0FX9fJmu9PQIp9XKNHBCu3amRISY/o0wRZh4a5JFwc8blFvQBhv8RkRn3g66pc34zeK9DZE3j9Z8lMdmZn3VhekTkeuTA411mn5ivM7ek+18B83EZ9I2MCaMRpNkrOQT6bVBu1bZVkOgTdkT6MI34vCRCWRjY/4EcQHfaBPTFaNVEAy/LGeQtwUhxyqrgLHMQI2JsPtNrBpjhL6K4IKVVktBoVIT/P5leai2XaL150pWIfsdrFOple8/8BZdZ/VGwl1XgiMi2dwoEknQrjUVosVkkExrdTM6bhPzZUDkgWV9Vxd8IjBGfqee1bhNnHyJG7rzG5HJTA/TbmeBltNYDedUWjZwvj/QNBtsxV8+ZimHlZSmUm4rHvilQsnROAfWmHl08G3GT5QzlGRVhRFmbiqPQBQU7rHD9curhvV1hvVHjxo/+TX9KF9LhXJ8f0RZm7arO52MOIFyUxdlhwS9TaxwlkDZ0SaZ7I16QgIzO1eAE1K76UlxjvEck4BJfGx2YPZWamRUTqJbSktMFFJRgmQgCFd4hQzJNdWh7BODp4fc85yJYS9AjTfCMI3TOziAuyHg4SmrW46tu4F/yWbfuu9G06peefeFvReufnK+W9X27aj74cP0LPu9feOKRzYZ1iMffSP21V0rdtiiSM2BmnP0JPKJ5+nDpzdk0a1Z/6Kdr85eYqCd0WLYJZnK8H+Q4Z8gpAm5vvjo2FhjCniUNxlJhRUlS/HNYstoXsqRLZPZL1kcZ6a7c2z5/JKgyQZROo0YL5GvogSEq1a903nLmM0REY9v6HTwVZqP+lcfYfgU3Iq3oN7ogXYon140Thr1xDJrY22voyWY1ot2WjRGzMmgP8CtU/qiOMRQISQK6YBdjNVqSpOiIyLMJrhJmSolMOwiW8UuGxd2sxeF0OvO7QiGnjMu3mY04tGXr//rb1Wr3sjdO+SRIY8NSBi2azhdu3R+xTL6IuqTgBJ+/BYlx6E+9O3IuVOWLkyWi1BMZE1sNKZnyOytx1PwG66jjHem0uOMeseELGZnFwjDfV7s8aSjjAzBnc5sx/R4Kd1S4YyL6xqVLTlstiirxRJrnmriZ3Pzk87lB6UXv6DMPqzv5QclGcpxZEMEH0e8idE23hFPeEuIdhvTQ1iGHMSs7Lh4RzZyxjuMRrRu7eB//vuTbmvzYmKLu+Wv7bawcEtS5ktWK4QuPBkbW7S2cHAflOBOf+GWISeyaJf+j02fS48noG0voBdQNrq3AGUnBEwoOYF+3HnCEzlpASOCMINnE1BeVKL4X2LA3t4pZlvkrz9YSfJ7fQ+x84SVYrn4DfgfF3r4PPHJTmy0WqLNkYlsnhmXKPhTEqWMFH9khmSKjTVHxvgjhc5qe3P5b2XXrSinCM6j5BTFgyeLongT6Op4Uw5ckS/SHeU/seCV0mHHHz5+14NLprz88IvDR7y04M0pSx+868qkuXMnsWdl5ckZj22aWbvs/a6dzy97febmzTPfqPyoc9cN86dMmQ8PjPhHGM9nMZ5PZzh3ZFhne+LsCVJeqre92ZKUmOGOyopCLrtNirWTig7IJLUDAWHR7uvm5xZwE5cHY+erwvG2HOUGfIjdwGclGwiE8RrDGjH+K+yG06+/kHTPqUnDH9/x9stV814et/7huYW79tF1O2x7hyLc7mk2MPLQ8LN5XQl6z1NSU3XwXQfqQi+Yx43dWOGgxYlDazbTlzrR98T9ZrQifeeA2+nOGPqgZ9vDKidWGC7DqXnWqiJfRnaO5Mz2OyMqbJFRkj0y0hgrVBjdiqeXFClO5+lFWYRT9uFDcSJg76aAh1AzhXt9gZUwbFQ9v9DtaGa9JNXaE3TeX9aTaSEHMGjykdmzjzT2CfcB03iDCVgkjFTjdbaH0zXxlgRTGmpnQu0t7CcqJ0PKsVRYoxxSrDJgFK/tMMMoLtbt7BUA4zBl310oCPMmzwgfH4zp6UknIxdivLDSi2yXH6vvetC7dPCiA+noEk1CBH1BOw9BBWtXdNp/jCaNQt9UeXM9GVUNKHZ++cPDxx3ZW5Wa1jWvir7GxgJqgt3XPswoKzL8kUn8jr7kKHOMFGkmFYkpbMotMRvfiSSnEOcXuE4p5sucxYoudtuC591D7lpgX1L9wabIv/7z6vsL1hev6n2/f/6yebgLXYcc9F9oIc794v1LXw8t2XTnmqUVy8U1Nbtr9vDzASOoR5zDaAhefeJio+xSgsUouSwWIQbIFvQSAD6cC9QNVcW7OPSw1Z3PSZZu486SnUxElkXMfmA2XPJEP1dIcX2ndqRfoBfpiKlnd1PPiVjbzr3YXHUIZztfNTMz+VgVTXjj60UOhkea6rXLBmt6SuTIKIskRkngucuqc3UVvFWq8znOf3avWEEOyym4i/w+k7yn/lElJtfSlNrXq/4hcA4/KT7ENW2KkCF09iUlutIkW4Zks8Qhl6UiKdoSK0WZpxotinQFjcDqes9ezP0EKPpKN0LdNmNQWyEbm2ba8Fz5O+QMVK09m7/1jmo00/vWg7QX6lG9D73dZWwmG5z5PfEO1AstVLXWyC2PRMl/l6dF54pcbeUNE72Z9Ed6J90ZZUb87NpAxt8Sn/n09LVLNCSJqWkCbLHnGtjosOdmSrmWihh7JJc0eg4HT2rFqocrvnsNa03Nd5u4ZzeV08MnykWFA5FUJ5/H73jn3TPs2VHrJ99YVfc/W3+m6+twL/nWgauXTPl0btLk7x+68uPIkei9LYe39Bo0eebgWzeOv3PDI8vucrIXPQeOKsvvdDar/aMPF1UkOdWYBEdZ/yYxOzAuzpQoOUQkWU2CKApRrK9doSNwbIAWKKf4lVihIV9W4JjPg7gbq92qI6uVy9AUWoM6fE//4Xt8FO5ahT/QnFn9ha5ZVyX/Bad68kzgw0r1g2dMZ1K7qy8pKzkmXfKkpCQkCLaIqQ5LDKnI07MZaFgwsGzqObxCdw6zCpSYeKBleGg8mA5ac8C7uifDxH4ZbXAeyu0aj3LQugM1h2d7shMTZh86XrdtdkJitmf2rkUfb0YTapLaIes3KAKN6bGjUsQrNufRry8fPowsE+XvcCExMwYOLKOHDtH1NQzrexnWExkXdBCKfWkuW4KUGpUW6TFmRhoNUexHcNoIsw91mDeTcsrNaWbBMGJ2K4RhE75mwgePEz6NIPkqCwfa973yyitX3gZB12H5sNvvRWvYPHUNnWEfVIi/qxm2fmCVxVJedeDUBSbgho66t3x/VbnFUjVo/VAuURZxv3LrmX5kowzuWBvZQCZR6dFWCUdHRZsSUywVyqWofFsoZrtyVKOo0FQIoyzLZXDB44zTs2bhojr2D12hGfBkTJvap2rS2IqPHnp1H+PCjOMZWzLQm/Tu0VtGH2fPwrFSfkHx/oF96i5PCfO3mOqLiSZWyUiIiCNiYwWz0Jdh0LdYi4FhBbNUBNuZ96zRZitF71ahdy/8VPUTTsGds1Ey/TJb/kD+AqeguR0CQ8nxDvQx+QuQMhqXO/ieS09fWqTJFBdHYpKT7XaCpUTBZSFEsFgYx1uDHA/OAYrtxeFzapX3UYF20Rt5bA6PEsJsy5YtAWR49yT7RRvfdTo3oRnOTfiRKvyI/DA8Vcov8RZ6kQ5BHXV42fi6bkdfYqpVisLOFMlCnKnsRzA4wmL1Bo+hajEmbO58MZ7hYRQ9gIdL8yPlYiMR7fkJJcSOHp9Iv/n6448/xm7nwUfXHXTJn5AxVej5T89XvXOJDhbP/3vBg/LB+dLfGCpBfFLYvN3LxmNPn7tjstQxHmfnSU7SLluKNrWzGrOy2rUTLGmSRXdLuzPrpwIVt/z888EYGDocQbiFoerolsO4uzvKV/AFjP+MTF1n3YbImHndaOAdhjX6etzjonwFewg99sY46sSfVM2qQh13Pl7ldGWkV236AzThvvvo2fTUWXH0Z0lSoxLB+d44iC/iYwaIZMGJbLJuM04lLruEBVdoUDJpAmvkquJS0AW37ILbwwegQwuioyLI7ArGZlT+GB2mYxl+u44cebpqQy2Ja/zyOm3YUPW0eF4+uK1qyx7Wu6O4byslTn2B0MuX3S7f3SWzozEhO1fKNlUksJlOZIUpwhbNw/pYJV0o16CLPM3xFQ/sYzU5PCTDo3CcEteLGdL8ig3Yqorah9sQcfEs86gvnn5u64bTc80WADNq9Gj09f3jEio7TV07sBSZ7xwe1z9z9kDfFsP6T87TT2bLR3CK/IV4Rb62ZnHlY40xzreTJpVsHb59NMpwvhoz3TNz6LOrKfgZ26daBKAxEhPMFfHMjjYiv8tkZAapyR8LYdJxyNlLbrFyrFENxuPhB7ZcccAQ2MTUxj40+57lVvkpPNV7jm4hu+n1BzMX3+f4Fd36Hf07TqmdfHvVy7W1zviqKvrTCPksToH5Lffyyv2BxyqRrWMkg9kiRU2FKFlmhYTKdDzk3dOtxoNDS3ejNbWN3+Evd9PFJEreRZY0XhYzAz/iaYHVOrmeBjECYyPtUpzBKCUaDEJMJKlA4DFL452Q7aXJcVuYBLcFZfeQEaaXm0nuhaZRQ5jULq+dUYV6B0U2fbtqxsmZNcE28nN2cAouVjRXRMC2FQo657WeUfxSwQqQ6ixplGiVt9BJopU952trG/PV4HQoCC2exy8hRslKnDhesmGCzXFmZtOZwckob5dO+gP0rEJDYZYKX5X/jI5PozH0T+zhdanf/1SHxm3pcbzHlh7ortpa+lYP5Q86Em3SyZZ4db1zkC/TGhWVlGQ2E1tGhsuVlsYksSUhOiVdAA+40UzuOcNlcTG/SRiSxqpEJozwhDsmhR9lTZB4iMNUkIMKHB54jt06/+6RF/ptz6/r+od+F0bePf9W+udBowb5bZ1sTYKz92JsdnoX4QFVcMoXjaPPwe8q+XU8QH6dTN60SS5Bz9CJ6Bld3Op48KluiYwRDVIsEv0QucgRJ/jjoioiuV+Q/OBanY2vnIFZ7lZDWGuWsadwDxpNj7Dp1SwtkvUsFEMPo7H0cN2bVYerSDR3qPoD+/rmm7Bypd68wEa8R1D87pSI04xDYd8LK16dPxNLxYPqamKiLwa61SBKYIbww5NnYMuzpT/nBOUh12tq6BLlaWpqqkYHDEl4KTaKCfz0cX/qwTNNVvB47bMIRn9oGhKcfRTwycYImGzUh+YWxgu/jlDmE2izbOf+YKP4yp5FMsDhVqKt7CFbaOpiQ5tDcxXZbizXZie/boST0GiyWErWCGxYHodD5wK/YMXdtAGjQqM+QpNx+xr6OOQWahldzik0iVA2gU3E4FfOGRbw+/tZ6hlNHivpBp2NtpxEW+jsWvRcDXqW3l5Dx/ET2Mpp79bObbM6tdPdi4UTYpG4j9UH53gtkWZsICZzRIQo+I0iPymsro8gVITAYaIJ/boczaA7lqMpaMpyugPNWE6fPrEYLUFLltL1aMFSupquXozm8z5+krXl33y1OBnaE2eV4qKjJLgaxE8rnc/NPd/8jECznV1c1mPMmB49R4+RL5CvaJTyx2jy0ZgePUaP7tFjDH2MMUHn0fCyZ4/RII2mozms1hTNyzocIws7ThPiKZWfiHpehFNf0Rh8bZtJGb79D3v/JuKPgp1/c0hdcMvG4Qnu/Reoe/8bX/0M+Z5iDNjztbOvfU7ffApdkd9+Fc3h+/5zGb6w778ZaL9ZuCSO4meWWG0EG00MTROSmP5nY9UoSsbgaQ/dqnYhcm2GYA6k9lLozAZAm8qgpXFobp/zpqeeQuedxLRACallU94v9KeYuD9Y4R6xF4cWCec1MTEZ2QgVLP7mOPJT2iEcHcHj5G7XQ+BThdQG+pHXUI/LH9k/ukwPnpX/yigNZ9XvEfNV+B19KeD5SsE5IlISIvx6zIXOwRMl/PqWeqQcahDzNfwDA6ESVHYWlUFN9Da1P2sYL9QpsWcZ5iKCk+UmA4PfWaFEkXqOT1sJmA4jSR1QaEtNDSqqQXfTp2rof9XAjQVhJ4N3DeeQAkbyDMEEv+kVPsrZuCVnBRd4ZjTFSBEmv93lJ3YpgvgjVBoBdcCJMJhBEFQJwo/AydrpSByyefOQ6Wcvl27bVroI1eajsWlp+9Ly6WH41VyGEL9OhhSCqcAY+SR+r0b+EN0HnHCOdCOf8Xsj1leMYlAL50P3cMfoHnIOiSgGiZf32/eTbrhMPohepYO5XEZl4hKxE2sHnN1w+2wWp9EeJ0gZKXF+LyzNG9XrA3zupRu78doZVE9GDng/KdL2093a8imbxzDxsHXr0tsX5eUtuh2+7R837v7iEqu1pLj3sGHo/T5Dh/bhf6Kyd/c+e7psypSy08/ufff48YOzx0+YPWvi7bNm3T5x1uwJ42eDb0o2ViEiVDSMcpMA3tNN4VF1wQMQTMLA8e1a9D56//KPP+IR6GsaJ7/IfufRevlFVVtwSe+C85TmGMmsX7cKaQydwA+qjpDcD+kQ0kuT/4GPQZeARznFtzjThh3DYyDgRNWH6C2ixH20Q6zYiAgmcsygbjTrFNoTr3oPBcvwzGzRWlVPN9YZqmtrGyRDdYMEUQoYFCVKQarPClEKID4BNsOupVUd/dwGjA+LUXCa9iaV8jL0Gs3Hf6o7ih/C5bW1crVcyW/ujVcxswCVMYGrGeagkxC45QX2DOLA7CfO32tHBnSKXqZX6/AdlNmmDDke0UfxV8va24+3X/PoNQjfLb6o3phRpa8Wl57Zx/q49Dz2m2v6SeJlBnB1DcsDN3s3qv54YPW/QCjwuSHeVqcMydvJn+KVUhwVcCxxd8hVj03p0iR+zqiF7gkLYAKuHdpIQ3Ob+fNZzB1sNDT38pP0wuNPvHCk+vEX9pYNGnrHHUMHlcn388vcKZDwwhM8YUhZ2ZBBZWysprP2/CmsPX2FYUJvX3ZiQsLAHtLAbj4pKRka14k1rVuKv5ulooUPIt6ofDZAz6v7UDdpHWmrdW29n9CsfVuh1f5ZK1bMmvXII7OyO3bMzu7Uia5s9qJNKsgjquZVVFVVzKt6rGeXrj17du3Sk/Zp8Qr44g0mmH7glEn1xaAIg5mYiSHSXmHg3WlTF6v46jZhRjQIOBtq8uZ/hbbEofVX8r1iD3oeb5PLUX7jGQbPjxLF+8SRcHfZZwfNY4hgZgLIyanqvSPGIKDOuLUAF6PAJuZa7UOUKt+PH6Wf420okUE+wWqhs+MAy5NN18jPaowQNhmriEAmUWSWB2DJQCoLD0oMJQhOAN/ZyMFj6eyvOJwrdIETb6PnxR6NZ1C+4m95IMO0lGOaymAKUiRGJojbIolTmQYDNi4uPh/SiWCqG/AVuZzB+Rw/Kt+PUlEiWh+HtihVMIi3qm13CF5fXLRDkGIcUQhHikabFMHgWsSpRgAMAj6++LxyiBeAm1zuwhyu15nGdMWjH+gI9OJpPPA0OkH7n5ZrTocqUkhCF1yBr7z/GGV+4B6pvD5njMFiihWxKcqGsS3KJFowrJ/1jWed2LkzTOgUh5OoIL7A5jHx7szx2AqKGKlu46TS9atKtA4/k9KfcQf50s+BYz/Ll3iNA3mN8UK+L9lqirQYbaIlxiGKjhiLiCJxhYvfSVRManuzuuNh+tOidrerDi2hS1sisAL5a2pwXBgOX3PbWmAziKP0Nlg9szGhLR6V7agvfUtLaXpcn4Iflh/RUoQP9CnkzcCtWgq26VPEpkakpZBR+hRjn19PaSniY/oU00M3Vmgphvf1KebaX0q0FDZ30qVY6M8YUrAtPIX9rWJgeD88xfA+8tGTCjShWkspsFWrwJQUlBcqg/JC9bCUU7qUU/oUXBZKYYaLPuW6LuW6PoVUhlKYrtOliEk6rJO0FICrtQfxekI1Qa5QWgErFd4mltemx0+hkAJRSQlB1KiHbeGtCtFVrcugpIQwaUQsHev6ysRzJGIliwKgEXEwrcFhvXowCCcsHan1yAcVDhObFIqE+l7DX8WyGRaQquVoHNUMlTZbpNZjCYOlnDLSVmEEG1x2Dj2u4MP+w004d5HLhMq9dC6+4Q18Iq71No4Sj2pPIIlcDZSgcjxevoDKz+wyLPei8sAnXnyjcZRXXPvrSa941Kv/bHiRXPUGSvB4r3zhjHeXINhvgluOkCt0Zhq7SOjJtDacY2XYFhWQcIxbYt6sFQXNH9ai3d46pVFdvPJB3jJy0htIaNa8sGe0eKRxyW5o726SJkfshjbvRhvp9t1ndhkHe3fTuazt8kEv7sIJEEjwkpOcCg1rectv/vmieMTbuIQTh6R55QhOIbTRS7cDmbL+IyoNE0YKY4TbhYnCFOFu4R5hlnCfMF9YKCwVHhZWCmuER4VNwhMter7Nx8BoblLo3jqNb/a0Rv82+gQepQMyvY3HeH+QSd7AMt49eItX7s97C53z0ijeeUj00nrWk72809vos5s9vD97iUMbr/SCTu1FVgT294Ke7YVr5Dm9oHt7oe9p917Qx71QB0p7ndnVa1oPPJX1aeMxsJihiwPLvGQS73G5vxdv4QxAo7zoHOcHWu9FYp1393Rvr4ZrvKP/f/psjOMMIw71Nl5RuGaFN7BfYZ0arzxH4Z/vvbQ7ZyLUwUsp46Rp3h4guYYJr4kzxIuMj4SsFn5bdl1bufLaLv75mvYFPplMCpVLblkyPDSgDsquQ++9d+jZ8+fDoFWff1Z5zWM0CnOYdkuD1XyAmwnHvDIL8kW7y4nFHOV2arZHcWfBYL9Mv9+6FcW8/DKK2bqVfv/y2rNz555du+bPc+f+eY7+PeSrnvvnNcF0IawNcW22oSX6LXH/bVi2VkjRggz4OifCb8BCbk7ZMFjyN0rZMHg4mmH7e1rpbtlJsr1FFzHMOLfgMgbLrIOklVULgC5Ta4RctnBmek1MUrOFYZbUBmat0e3Qe3RdKyyEFragnrM16tla0A4tbEE5BozJVz1+7drikBybOy7OAYdNmqO5p4r2j3tn2KIdjua4Vr8TR/tX7UGnULZjx6LfronYgp7NDay2+LCaxlTtee8Qg4iy6ccMWnhLygCFasClmuHx2zXx45NuPsIMcKayGan2VKETDN6z59Gp5s3C0YDDCYbMTxyPsLqcrbaK1ZPD96htxhbdPIaTZphKqWb9U8YqlxOCyMB+daiuRH7ur5XeKlLOgMQh5ZhtlnpSNKzXcjIzc9iDdo0cNGikbIfP8M4z4s+MRjnNiBbes7uLvLnL7nvYbzynC+xjaDhEck9inZkWhvs2U5jWXci07SZY0QxN/ePbuJppautK5/+F97gso337DPacVH/TZPXLO+pv/A/1S+BJ9QuZpr3Z1jyPvEj9gp7W4AXUL2Jv/os9wS/as6/5i0+bv/ik+Ytnmr8IAg3juuTW+SCkm4rCaNGKnnp25tKlM9nTur6q5mns4XuaIb0F93h/U3cVtbEMdFOdtmbtvn1r4ek/enT/fmPG3FzHVSt51+6rHtNPKQAe+bqgx8hy8gnnUqGtxShctmrv3lWr9+xZXTJqVAl70GPKn6v2VvO/2aOTtXDDWihis40sHYxhbCr3g1JmL5P7jVc/1EDw8y4KvQi/9yoUKmXbpBDMp5opT+iEOWDBDWvdmGC2BD7D64hidfDZkEeDXqDAFY8O05XCZ2BWFup/zRrBZxQIhbYC5bRT90LFZ4bbaVTLD5MPPnue6eA5GhfJBz/lKhN0JsNCtbAcGh96FBpptQO++IyuZtUuYzVrdpka76FAU6Uc42rFLgNicM0LdWn6mdflUitRwbOKBD7XPKPpZyYLPYWAEfnLe4dAtJ7hUHdpWpxhAFq8MFi1Umm1UqFmEai5NDw1BBXc+Pw42NtClgUDmWFaOofPTQ/qrD4+w82yGLUczMavpMvoMjUnXYYqebg4fQkjlDCElwjL3zI3saFQfl1uYm4NtujWAw/c0AEXWubGbncQeCATIM7RigphfA+zN2irIacovnl7UeXRo0ebNfroUX6jKnh+w8Bm8w6fxWwUsLlC4DsGyiotggtBORaM/k7noU1foT/Qexag7vQsrWfccUbuIfc4jJNwknyV9wzaLh4l3/O1EYebHBKNh9B2rVeCaSYlNcvtcEOOwEn8l3FyVyVjNcoTEHvmkEq1h/lqE+teGJzN6+BrI23UADLAbXOzYldJZWBZCDyTWiH4JqUGyAm10D6w0cTrqiaVuhkNUSQSk0Jc+IRJK5MqrRgMls4mltdlO8/FjPBwy1SxWwrhOA8P9Og0erJgxw3iPbp54Lc4NGz+hg3zcRJ8yl/ilC6sF+Qv2OdrwbdX52+oLu4SShJ0ekrlBA0fh4KzglM1OqWhxVjjFO3zn1oZ7t/xva38/+n7tr6LSe3y8tqxJ3Cn+gVFN/8ir1O/kBnNM7d807J48IvYm/+6yUPr/zdvmj86i1Nbh+E9iIJ+awpDnKU9vCvx9WraB/4LbcHIKrB5kPpwGNVsDChPkBlUmIIQ0QKGfj1Iwamg0GNQn7a+N6uHDbtWv2stgH+sCbpfcFdOjwn4Trcp9ZNC5DEUekgBctkKclhN1XTQGfzwlwPPyAu//ZaDRIYz6LUvv2RNWneG9v62bVhw6bCwyOMoQIWkoFCh8MNn6KAvv5xxBp0OQsMP00H1DBw6DXUIQrQOnpFHuLYG6ZQhZAleZrMp8Is8hiIPKcoxGYpyDIUmpHwzhd4YCnIMvBVyds8H0F97PrD57rvvptd8PnzdJwfYdySzD0n38pWqAWhc1QCOGhnSs2dPeoOl+ny+5ct99P27lX/8i/Lu+QEDBoBERdtJpSI1kSpRNbmpS1NXhMOloV5ytin15B/QQrquNanXUj62ndMYzKmyezBba7lQK+K2TUmIgrVDk07Bp57/w2Uo9GmwpDIC1apovUIUrSxjWEaYm5RV64VSsFHSrDSHdtO6dXjD1ooec/gO2zK/rzzgGt5ygAgOKqEPqpEoJolrld5yqKWrYfuF2xEiqNBqZsUhXU6ej+VRUgHKp2gk+YvYOxzKp5q6QSNVLcSghHLyfCyPkqrYd1fFo+JnoNELERiYZVdJICDCXQNm7yxgehtDC9EiEpgDprxS5hArsx9SGF8oGyKHSICl9GJlblHKZCEk3hIQWTEAyq0trSYDryvLzasLjMf76BFeaTXuwz07a/UaoGYLYVUHtuM+8imOAD2CRqPRHJ6GhYHjgTRUGAFGy5MYQnIehBfEOqx4TsSMSAW1agYzhAO38UI42jQsbWFzTS23qlE0xOmQoIJpu62AWVhbW+azKTWg0cFcrCfQZHGB2AnyO3hPoMn4fboN6M1SblFSLFhpE5qMysEbmq6UgZczZGVxSqIfaLQCYMuWLUCdIAwDQCE2g0ocyAawqIi8W6DfV6KuYkdxBMcDoZXor+ynK0kNfM7STgv/Jp+IO1RuOU1S/00O0VylVB9WaiK3GaGLaC45hPqQVEh7n5X6l1IK+uVfgc9ZQYDL3oRqM/D6styEVylPQrv+otRbjXiE9lDdnGOgpQwBeTGaQp/maPzlL38ROEQNEwPHBTlUdFgOOg1wopEKxBBeGscYFOSqGcQgEvpVeGUsiDMar3KrNTylCIWM2WYpNtRmiltJ0UttjdeJTa2qWr7KssijcFLzXKxORbRDoioDW8Ji9TPeVGRWEofVVj4YX/p8vE7SVC3bDUlkJJeFzAoiykF2lybKJUMlzI/oMpnNgxhrL62vb3hS3Fof6Eveqm+cxeoBCKSaQTCABlGcrCpl8alAvSgoBVkt/vpfTyuFMEpSa9XKuIKHfpNEIVBfz2u0G3trlfF6hIsqpiYVT/Yw/BqWGSoBL1pWXy9AiyAf34fldh1SIPODkFACn6pHrAyqrJcPQkFxa6BvfT15q3EWB8DrIdVqeSFHK8c+JZJXz4RkZf3FeoP/19PoIC8FrdHVyC/uAw35Z1I9yZMPsgovGns3PFmPDvLaBIUCpDq0s6xcj2C4yQwvvunON95FpX9U2Da+bqRrD9Ed8Ay1qx4Izkmob13Dk5z4CjmJ0mscrtbvDI5DuaIB/Q5w6oOdrgAAlJQeJEoPhsqjYKt12ASEej0aCgC1P5HSMrw0yDUuOO/pYRxAWYfSZax2O8vLUWY1IgVjlt+icZmWWxTUvMAswJNIwS6YNwhZFBS4jBdVsDo8TCE82KTfznCwaxioteexXAatdshDqtV6BS0Ho0gQP6AF5GKdIfF8UCPPiyrVOg0afqiSVEN9HLNgDg2aRlVUKQFBeT4AVq9rAcsbGapZa4XCCPZg9foS+EvNhoUfdB3GA5ydEHMh9HXjX5V8+BTLFzw9AbkYS/M8DR1btFq94AO50HV0UFIyirkNHRk41qrrar06eDBA2NuLSo3h7fYEcZPQQQAK8AwXG//KM7doefBHq18rAiiohbBO4kUG5R3vdSZLAvUKERQ5x3g9xKv4FCuj9W0h54DrIBoVekBWJt+CbQzmVa6ZqO2E3FysKXDBkuwtAj2IvieYeZfHTdje0A/wMHlR2fQOyRPvDD+JgiqVHPivaC1dFPgOPhUacl7V5i8sF3AMY73Wez7E7WE9z2Doe0rjd7XnVR4Oy6Hy8EUNBuptUFonMEkF9FWaJChpnLO0NJIXlqbhSFQKsnRufrE8Ur3E5u9ZjHJVKuVCcl53K4k8+2njjk+HsZ8QHYP0FBk98xk9v9OXV2najLbaQ87CNh9d1PwTejzUTqTytNoYIpQwPO8N4hmkOeBKpqHIxr+iyFUoMhxF1myGXxnDr05frjXMyGw0ie6Tfw59Qs+gAyQvdKIJ8qMDWv8DrixNoS3/kZShAjgow0TtAw7DoOVTcvVWRrOgcZkCSRmpHmWcclkHtYHcZHX3VvVEkEuUypRhrIMTxq3KibQ2xzfjRQVpjWuD4zskkZpxOOTX8gLsoKQJy6fBtFA9PJ4vWssHl4518lUKx0IK6gvOE5pcVKUASAtFCkB+La9KI4tCay69XRIX3bJKcia5pdbooUp6LonqQ4B5gVbwKFSsM4UeymhlikHSj1dV9qo59bRGvSXQIbzXWuqcVntmq1ogXFpH63oTruDp5DW1S7oWSMFyTFYsFWKgHGwkeQoL8sU4u4sVXPXJOknajIRTc1imA+s+WVU/51STsFm+I6httHL27pkFBS6+CcXKzTmFhM2StPbTVVCOA6hnsKAc3LnDcEozBvQD33WCO3XYKHokKVgDOlC/6tO1+IB8x+YmVphLfrirp5RDGZnZmBeLi2O1ikd5JighoQO8bijJaq+H+XgTEo8a3CCFXHCBoQChAji15UEIXaQdV6GL6OIq2pF/0I5NR/A0PO2IvIt/yLvYn/IuHRQ20gwAwwXcuErMbTJUHGnYeCQ8B6uHVSHmrmr8a9MRnoFrowNiEtcbJs4BPKhDUBsdYFqL2cfoetM7+FRIE4EVyuyc6ywxTA0p9Of9pp4nZXlUNdSG1RWyQHRWF4cQsro0+0O1uoJ9HLKkNIvCr9k6yg1KrmmUGQM0RdD6WZdC8kIpQQ2EwrQ9SHYJBozAddABpoOW6nRIIZMM4NtHfXQ6iFOPU1BkFMxnFPwuXHcR3cOpCf/aVDoat6nUBSvmuoo+6JwDTOcsDeoOtSfBPZ1e56gogba53lTGMNJpmxa4tKJoFBzwqdCJYZZXVTTN9UOBag1LYAorxqvKB+qYMWlzEE3yMfS4waobjwYtD+Tg6SoPqDAMwXnIdQ7A4OflFT4MwzJ4rrlN2zlMoja3nTk0U6iEmlvNybXLdb120WCq8Jhy0UvnoEQEv1DqJXlFjkoh410K13CtyHSVP1WE25TpBTZd63QivQ1a2FqlReuYaFqOW4ohrdi6llNyS5rY16m5NvS+qw2933wWxGnpKdTppOuSVkzRj1K4VlK5J1LjLmW2pcyAwZbina/jRT5vtuhzq3m1nApXJqlwLSH+5ysCClDgzSDMVnSpq8UsJsSELUaN2xakZHDYtDYjbT4328qHkAYxaO8Vhuw9dZC1Ni9zhc/LtvLRptp8B8JsPpdq86kDsg07xtZ8xqo361parlBClRQhw7WV+WizWbgKVJm7whwkZOOqckUzcVubg9vC5uAXQ2NSmQPoZJAy2oNmrrZ+xfGPDMk6vobFW6EuY5G3An2VpSwEJTh+Fr4OpY5eSTmxUH8RhPJbbMrJ6lYhW7TVJ/hRpQ0uu2jsDWtAYXR36NcoCmz6tReV7YMLMEHm11ZMcHDtyKSXFJzOWvmgJORiFgdXi4LaRVlhLFDWiWB1sT4oFtuUzK3KgLBREWb56yxddDAkmlux/F3NLP/W11VsrcvD5lwaph1s4dpBm3y0oh9s4fqhhc2s9VhhUEe5QnoqiI9Sni9GcEYKW7/Q0bJQr7dU7NRSYdor1FsunQbTsNQqgH0Qs3hUvCGkCj4h15eckZYlRYtSdyG1R+eEaEuExR2b5nfExkn2WPWOdbzqO64TzulEuKdHe9BpiymNwAVVLXB1Jxw6oRnfByvfjCRgHbpj3ZqaJUPjj3VZfNeqL+94olt59pTOi/ov2C0NSA5ce+LkkPGFfdNu7TG8h3/y2JnZJo8rt3+PKRULPkC14+8bk5c7dvqaKd6HFucgT0nJY3kddnkGTXjkThpTOqCqfVb/vB49brt1SvnMsd0mOGOKJhbNm7z0tZmwYsPvZht2C3FCBkSHjY2XiDXWjxxWSXA6JKe5wpIqWdQ7q5ovBfA8og+erDoecehO7B1HfY7U/nj5bz/UHkH96Bt10+9/+OH72XO8dkfyt+98+M03H77zbfKO2uPHsXXz6gfXrHlw9WbAJrPpmrjZsEJIErLBo5g5zmizGd2SKyLGaBQgagWuEJIlwRKMXwneW4qVO6WGDIWw8SjHyGZUTAKAm1DEMMRhl2Mvnf/ii/MTh6LE5DuGrsX9j92ZRhvmfXH+nvvuu4c9TmS8/mVjIpoUX3pMPrG274JE+vxDn1+nDbV7tjz65JOPbtnDWEgYIPQSZzHRGCck+qJiBadkF6ZGgbMMoXNuQZL1PI9Uk5FdaBWKRMGmRNIFgeSBYMjTZqPEBiQgx+xpk/3ew95Ze7asRmZ0cEs1LaMNq7dIU+gHqPMUSVePV0j32d1CtuSyJBjjzEYh1p85NY3VBg6C1eiA6q5gfFhc6/jgVf8QApay2XPvLO3mnbEATv7dNy0nf9Cdc2fdMXk+w6Viz+Lp/oc7dc/YWn7gz38+MHNLRoH3Yf/0xYun0zdQv+mLNZzEa4JTiHk5MkaQTDEwBiD2XzZWWTtec6KOMS7b/W3l5kUzNlqjrBtnLNpc+W2vCciCincfPLd75crd5w7upmfoLwL3keQV+xmczKqNeRkRiOQoKIHF4JzfJGpD36J/ePED+AG5iuV+iPHtTO45weWLEDEWjMGIncWd4ewav+3OZp79z5xfaEenz8vfwz138aOGBc3Gd54vpXdaD8mWJLXvIKCsLkabyxnRhw1wJeRF+AB35PQhRSHfig5wFhxDTDFYDVUMZzL1PRCDXU7Vq92xY8kDpN0L+i/qPCW7vNuWsi9X3bW4y7H4oUtq1qzbMRSPWn9hwfzJPfvlujym7Jljp5SzgX5rWt/C8UNOotpedz4yYZBnV4e8x0pK6N9yFj/knbJm+tjcvDH3yT/OfG3p5HlsSMc4J3QbO7N8yq239eiR1z+rfdWAUtbS2WxEdYHoH0IBSDJnJyk+2ek3JEsGW0WMV4owu2P8gluNQA6O1vg4h6i8ECsXvDIUejRnkbxnC60e1fWrEr9Wf9R3j3wWZSAj2nk4yn7fmFVPPLFm+H1xUd+98l9vnx27zOvMXZM2avyIoaMnjHHiL1AZWkSt8pL6+xb/7b+ufLz4vjRUSj+lv9J/0n+kpxxLSUdfLb5v5cKFK+/j3qdvYe2oY+3IEPKErr60dHuFMVdye9MSjYbkWPYjRNqlSFsFGyJqU1TPdvHFocDqRVq3eDSM41H3wgKryeHOgfsKBflFKJt9O//K36sfXfrX08+9cWlo/4kzRpQgS9eT5ddow8ydtOTBe56cTv8dYXnD+e4zj77V4fmtb/5l/7ZbB8wtH/LoCFq39iT977fo1wvWogfG+e9EhZGRQ4C3Mxm3rmXcGgteIyJMMRISTNaKKEHxuW8vVjy+KmyjeI5gxsv+1/5L/gYvO1h3CFc63tp/4kJtY754vhHijA9oyhRnGdOF7kI/Jhmc8Qki6XlrWruC/IiI7DwpO8ImgSeTzoqfNxR0FO7Wx6bLyeL1xRdyhaR6zFCoYkjDBqeWj70TZz2xZ9bM7+jPi54blOB/enD1Wm8e3fXUE6+/P/+RghvIuXl13G3Lej61oWNXNHDOxoGB42Xbplav3bf+YDXes/4RnJK7cNZzO2KsJ63WvgO6dI6e03XT5tVrUXzOkLuHH9kJDjh6D+jktS/yjn/QP2xM+qTpD4yaDOdakoRYsdrwID+f2EXI9sVlZLrT0jI7JIgCeFKwVghRkuI6l3u0U1x3ZSlRnvlnVr690IqBX5324BnwoDtdlYOZ8XsdTsIgO/vJo/X0+lsXL77Fnp+ef7Pm8B0PJy/NG1s69p678m5vn9BtXiyajvqj0WgBXU+P0BN053bkbGACzUP/Rn9poNcuHt694099i+cNGV1aNjkmaqc9ClZW9C3JhLuVvhR3gidHSsyWEjyJiZ4E0mqLOnfurHhIaatROTY39+8a78nxuBweF9gXbbanJ8pb8NCyqtfn3L1+/fpJv9WQz/GSWdO253967hy6cWjcuOatyBDag7chd5aUmCkluBMT3Tdrw2+2gGns34f/QwvWr1ix4vdg/8Cs+5fvQzcu+P0gP1KJUVzI9UU8+FOIsVgcUfY4kVitZiz4jRDAyap5gwVH49wph0N15MIdQDgKYFgScFnx+i506ekP/meUedQHm2OGPjA2hhgxrqyUKV5Nv0EueQn6mP6MImg2UK0b937yR+73P1vIFwp9mUmJkjvJ39Et5XT0J+dIyY6KhHhJSPDbBSnK7jdGBd2ftBKdS8e+jHvRzZyfVO4+enz/nZUpnIHvuG3MHQkT6LFwByjFAwYU9xg4kHR+5sknnga2HT5o6OjMnV5Kwt2fHBw3YNC4cYMGjIO9fkwwOaL6P4FY2wxfQe+0pW1vJrhs+4kT23e8/vqO0okTS9lD8KtPbnvllW1Pvlo9c8zYmTPHjpkJs4lrJIpkthIPGEI2XstHxkVqQGCMrCznRzwn+FAyGQQ/Nli1eMA8niZ78G4oIx8NleSlEfoxGOtUqWeVWg/MJX6sUwJVQotD+ZRovKJEDH5dtEulCFGK1dWRmWRSYF/jdPhk0v8yw7Ke0wukP3cTx93zcHJxf48Q6phNYYgSlww1GennKIWcJCiD/s2IrPjYQQgCdlAuVT2RKha7G/wuJprNRgchRoPETOTodlI0gxoXGoDFnUMRT9wZmcw0LsxnehD0N+scwcSkPHLGq5cCMTn5F/ru7Xve3L4i5V///exrTcK/+/93lfxj3Isnhg1YsPylP6a86przIBqC/B+8+TV9Zezdc3D3u8aXfHvwnnn0hqBrqQM8P8diItlxjMkoRZow+7EIfovSZO5yVvMGiRzqKWel9TA5c6CfzPTvMJhRuumkCWXTD1F7+t9mZEVxu1CvXQhTuou+vYt+zcZXD0aPSu7NJZ6fVO7oS0mzSwlp/qgEKSvKn5klZdorxIhIbPIbscoampcyGOKKhxfuiaYtHzxMCPT4ar3zMHvw3Kr9+6vWPfPMusK+fQu7+3wNeDIZjPvTSrRMPoGW0Up5y3MbNj333KYNzx0c5YP7Tb5RdFlVFcQZB2/J4k7Wc6nca110khTt8EdHC0Y2+o1+waqzXTpzc9OgxP7KhzmEyW3jKqvAKJIME5tfZ+NplH6FEuhPKBpj2X3H2gdfyn6yI6W1a+9AR8Y4US6KZWJ0KP0z/UdOHxv9YNijD718Ruwzlu5ED5Rw/51zxKmGNOUMlw0h8CVxA5uxeQ4/Igxet/j5ymHoUXGGiPjK/s1udqNHR2ycMmXjCOVT0N3WiW15i63F7bQWN9DCb/vAvS7xaPAmSD0qIZdFiHEjWAgcyoGrLahEvdWDmBF6gRwSraFTfkfwPnQBzl8iFIEWkMFignJKkQyWT+E+aAE/xYnQYCQQv7g+CPc7xnM2Nlk7g87QHiy9nJXdr5QFkpVDUX5Yk9e5jBwiNQpc9heDiJbBQVHekoO8JaIgFBGEyNWr/GzrQXwKHaOlMsfrII4jZvIAX9fnV3mOHj2K4+CyDkJ/RJuJjTTyNOJw4LLXXnsNbUbdUCH9M5RNFV4jT7R1+z7YJyM2ht++R2gh+pIUkwPB3eqF6BT6kt8PCd0c025kubUOh6vX2iVt3rZaNps6r55NdCPEj1mrLFQLDCXfkG/c/Fx46CA3WtjGuXDU8sR36E6cWXcnTr0Mp92Da61e1KJeuKrdWr05PGN1+K2e0MiJ1MaOIcuWZQiOIPkGqqAb6UbdSHr4Ejp06RIdz1sXHFHJLcfUb/o8CB9n1ROHDp0IT/Pbb4W28FtQwZtNWDd6TMDncC9BG0P8epg2kNSbYrpRoc/Pxwb9dtq0adoA2cv+KeeNNW63qPyexYQ6UpleXocj9tIyWhbk/mr0Ayg4VlOIz00Kp5t4XYzbXxswoL/G8RXsH+AV4vrf9B2hGwNTFHpNbNN3hG5UaLci4JbLQjgyX12tjI/qakEMRDRdI58xfecWSoQhjCvu8OXnRzulzraeqSNNg6VsU3Fyn/QRg25FaFB6ssmQamM/JI+p6FIyQMogjgqfOgXMDzrztykTGZs+mB/MDpnmZlPyrOyWc1iHMoc1hJLTbS1SPTDDZSYjMxSUX5T2fvAc3YzS+k18/Vk+0y0Z2i1TTjw+6jDaCO9vvfP1Z1E5f989g70f+dxXPZc1PH7ikeGfHSQB/mvKfDQbDenjf33Y0y/AJPi2YUUPFNOKpc/RczX0OydPLD9+29Mv0FOQWLywO0+se43+cOc89EDdVHRX3xr+KSA5jp4l25iNxS0s0SSJKytgEShkYXmUlVv5Sl2doaZhIFhngalM2sr9WcmToYj1LmfnLlLnzllipJQl+rPSpKwqPSRdxHrwsf87w7XDdNilXCeGqH9RzMiLu3NZYULfBV1DYeq7Luib4H7szgtf4TGzc9rPvg1/xU3Ich52feXC/iuGqmHXB60YNGcJD7v+4TsDKod18mXsSux7y+A1A859xtpTER5hPdLIQ6iZpIjWI6yr98Tkijo0FneXzxJBjbB+1HDi6I0vIMbuGQaxB4OYI05vegiioonTGy+AIfnTYJ1lC3v3HXxJMbFR0aIl0sxrtUDsNhOr1sDrVWOyKIFf1RNqTPy5QAb+NLiOpNfhLwyfUNr4tRinYAEPyjPslrecnYPWBz5Ejwr417lqX0ONbp8DRcdKOHpVhTlSMovQ9YoH4Pe02NSeoNNXN1Qq96+rM4799TA8gTxupssTwFmvPIkb7OTXbaxVm4KtyvYlRESaLaLBJII7XDCV14RzhNIeYAe1LQ1T6+rwSH1Lfu0W1oYQv/LYfTrMdYBZC8Kx13hX418FbSZx5HubfibDDdUc4zSf3WgSDSIiDBSRgj6BVTwNKo7yvRp+EWGoCSQQQU+Sd4Jxq0p9XQhulw4THF+7dKndmgox+f809yzQUZTnzj/PfWXfm8dCQp4kmBDiJiEEMCwPQ6A8NYTwKAZ8sXNShQjKoVRtsUqpx0uFI2ipeBSVSz3qqY/SNKW0entyEa1SpNYG5HC93F71YK5WHslmuP//z+xmd2d2MzM7G9tm2YyZ+f/v/X/f93/zfyV8lbligtfHMsVFuWU2e8HYMVTXdXYPn9VhtZvFvji4URruYFVZCa9ijjaOdK0qwW2tYrtaAR+I7WTFkT2D9wSePig8uvPL1/wn31zys5//6c2dzL9d/Yv3hfmAHPu0eDTyBWF97rzfPi68VCOcBsVg4R9baXC6dFb3zsP/6QSThKNDzxwHrBn8eNyBG9uEn2cJm8sOPID6AQaJo9Qx+gRRTpWLvaOpctQ7GnX7g3/ZB/8yBveLQr0vrT6Xy5oVImjaYgr5SZJlrRbeul1sTlIbiUeGz4AvcxVJZYCR0oHa4QK1OeG3j8EffAAxNR39SOd6C8vEDz7fO/JB53zjrp1HqbdFaMM0hnai2OkaQiv27i6nKi+3ou6FVCXuYsjhTu+voztwr+YnFO74Be4FT4ZpcBcVTnmaduR09jAtKmb0OG2CgmO+B5/uISLdKJ34lHd8xjsaabs0SNw46HO51Xbo63bxQ5NwvDvEj8iDDdQxJpdwETXBfLuDt1tdnMlJW6MHeFqZEOLBQ9GzXlHmBU/RUI+Pt2+oL0d7e+g4S7b30mfm8IUz3wya/Seo7g19BbndD7of7PYW9g19thX1aYyZbazSbIw1OhmcY6TZBp9iFlw4M/BLmleYjYzixhF5qJsdk53D09keAlINmDu4PNLhpHJZkwc1qPd43LwnMi3UYHxmp1M8sTNyUDiQQ0DuGeqkuq/e23u1m6u6cObKO+x8DAnY4AZ3ISiG/pEAFYWh2oehyoIx+ORgEQc1mnDaQ4BlSNricvIuC23L4imLLYRM+0ORBqAiZKK5jRw5jt5ALvNBF7K+iKH2hZup7qFOcs/gnCt97EVwVGi6ms2Vgh0byNytZHaf8Lhb2EVmd4f7wnVCd19Mr3TcnR1lAdziGfkOirOq7c4+ePCzgT8x+35x9R129+fHP2e+M7D8F2zz1dWK3dmxBCDszdIp7WbIeTPgWXPkBPTt8ae0l4nEhxOF12Nq/5B6JbwwQmHB0hMjw3lYhiGXs5zZoTyrLZd2cmh8CwdCTo53bo9Q0uWO0LGhvomCXAXSLPXVFObri3/ZOsNz5X/D28UpOY939rYPnoWc7Z/ZOskHYwVLFIAq0lnV1twPeQutx0fQRhRjGzEx3Cx1U55MvA7XjvnELvIi8xTWXNx5leWQ9iY5//09CXsQc/770Hx6w+Au5uDAauYg+LTvkvtSn7Dn7FDw6NFYPfYRU4KFdjdcI9wOn9nipR00gxu1dMCFlXM4bLxDFPMTlVjGRf2SaIEpUYYlvAxRQ9SyK38WxoAdpnVXLl7eI2wB57kpkrYJF/su7HTv/LQP+pGSzkH+vgytfR/u0FIXHEdarBTNcibEZYioA2KaBVG1QVzt+ED+wPD/pd6RUW0Tv0nxeP4rh8Tvl/tAwA0CfcKi48Ki4d8lbRcly0UEguNcNpLKcrKs2YI63IoiBmkBp40IWUBq1iHOOyxokZkHvsDc38PkDnx6dbqo6jGCF5UBhLiSXhMOOw88Dp4jKZa2Oj2808qYLTxtNfPQcbMO6/WJGL2W5i4rq2eQ8S6D8Fw+Is4NSEj9o+zFy61gB1d6NTvGzHz8cV+4e8je19ctrlSnIQ9eR1J4bQNehyZeHi+uZXgdAnBNFmH1oO4GXiJk84ZIYLWhs5CtdMgq6WAj3pcrR/DYKbGCoIDKYZGVefaDbbO9zKcDYz0ztp56QbQv/c1tVU6yqqcK+Ca1zoQyuSt2Fg/B2zzJZylLmGVwfnQay55vOpNPI82DZL8E6b+7sIj3+AtDJU5XMe3nHJD7dqj/fo73J9d/NKMvCkGcFbh0BM8dhcbckmALRDj6Y2EbtgkxVMgjqoJjbNk+PsubzZvzCN4E8nhLbo6VRh0mMWwiVBELnwAVtvfQxm+/8r/xEHEe6ocoW74BXFKABVzqF15wCwehdboIrdN4bJ2qw49J1mkqtE70V+ckz4WSTktvDJYWE6GxxejQ9xyad+aEWMbhdObl8iaOd5hCjrztXUDai6nEbXoaI9EOVUuBBF4mdiG5Opl93xI+GEWA+jg8HqNE32Z66hIR6b3eS70XDgiHFJgO2J6eoYcjzdYhZq1Q4j/GEl89+E+xf/d+pAkHZZpQfXkOxvy5wZXYI3vt2iVy97BPz9AcSxPQoYdiI/PpQb2ZdAFy90Ahc26wmM4e/MxC8sfJzqHxwmZqggDdROrKLhjVjJVFNdAE8tC7EaOauPgwGqUBcXTQ2htuHZ5AjM9AVcI89NfnhOOgPT4mzLI57LQJBoRwYRFjQjp1TCjOGD6EQsIr6xMnVZgYUVSK42UUhdEqoigVzoVxzXswrkGd5KqJJcFaU2ElPz6ruMQ/xmK+bkLBRJuzCBRCucrLc5by2R6Pq8Pp6sLbNXAhRJt8w81V/O9Gnf533WINDQyqRNdHXZte8P5AC3VyaDx9TAxrtr5RdWjWRhztPC2FN8IxUEZ+/zjY9ZHwhVugwavDQc0HWXevfqArX5gbjXzoF8zg+/l7xRDn/tK9D0DLvx5ifAxijPZbJxGtwUYoPMWALyrmiyAP8sv4avN1ldk5LFNa4i+3WQvH5bu63C7e6eadDt75SJfPWsXbYUznifa+Rv+LhnViY5W4iE5OgoSYDq6agzViTDdAI/wZWgrrTl7dFRfWDQo356JWxDisG0s+JNFh6P/AW8N0ODW0MxrcLRf2i8Ed1jsxgovoHYrtFhCi5kWivgQ5gVEg1rw4j6gk0mPHZFHoVXP23cqETjXkReQFDe6iN4jeEOg8CzqRSzT0PnSHkM1dDe1ZFfYE8l0E7+oAVgtJc1l2PosLohP/uQ7OxIv+LaoF80fc/shShI0X50M9h33SYnTC7P9m8MwFc/jSZ72ryaqt5HX9hV7s2+cWEORX56RVyIM7TZaYPDneMblus8mX5ecJqP+A7fDRvC8r6IIhjtPakeUkZmAXzB/xxUT1bBB7Avhi+wSUMdAhKyti2N5v6F4Mi5WGTlh/M7DYHgSWa8TXndcI5JLlFvSJvn6hV3TJ6vbsce/ZA+mNaXIM0gTBNz1YOjJ8iDiqAczBXiPH9l59XQSQbYUA/vPSBVPuhTOXT59Z3Y+A64+QzVvYP3R6a92DkHoPxvDLByErZt0ujrYBAjprProDLY62YBa0aXazrcPm4G0RpsVCJvlwIAYudIY5YiBcM4WpV14VoeKWg7eELZfX/vaPpn0wLgLuGJiAs08QOt2dQhhK9gK4cvRKK8oXUh5gC14xgsRBKPMXsIcL/Q0rlCYbklwouA4ouXaWyaLNUHotpOTfxq7qDZLmMtK3O1wNtbOGfJ96GPdemkP2HAQ9x0FPn/C2W3i7L+Z3kYcRj2oMUR3MR07VGOhVAZ8/L5tkoWuVA6HJjTpXYt+JmIgxZlGOQCD0DDsSxVfOiq7FY5FIUsnlktwL7FVIciXqWh7RFCxzQ3XLc3V4gDU3x0J6TZLO+SBg2Qlahxk4HG4raV4USr8oVPOvvHPmAld1tbt3qCYCY6IuSgzF0a7kA+wTOXlta5wlqh68LeoNH4RURXUfxXkFvL2C95TwHnseRQUIvioAvVZLFfJaLXTIEuO14sK1WA8ZVQoXwE8TVSt25LSTJcXVJHr/j4t3nSet2ri0bXPH+rnz2qdNWTz7D7d2BB+eunTx+iVrNq/qbJt967qg3OOl8seWVpfmlpTkdu1qhr/Bn/x8UuRJKl+HqsUWV/REX4V4LiVagjUVC/kChg/M4SfO40sIvqGJbyiZGCioYJ1eD+/3htwuv9nh5M2OkN8ccZ0rRUdPxFsqIolBzyejQ8K31Dm4mhIpMx5TKDw9Hmc5jdruWnH7gpkdy757Q1vnqs1rVnS1rQg6qrPq8prz5y2/Ibh2ydz1HZvb5u1+uC64oq2LrIolTL+cgrE/DPeMx4dICn+fNg3+g+Xh2iy6gp0P16WyYLYJoJqIHUkcFLxHkeOJZGNqQc0jgz9B6y31HrnoVLjvKKgG/cfBnj7kWtzBVFy5gvhwbRb0F+ZDLW4IlnJ22kU7GN6xowvaXbMVeZ4ewHsoWxZJQ6vnNotmJKdRdAsqo0EyKBmel8KBcrhk6I1T2wZvwg4PS7af2kE/Jq7yewfOgGzSFIFkERMU/iy4UKe7cC44Qu2j7iD8KEozu3hzVjYRorNhnB5CqhvJx7gacVYR+fCIlfXoBT9Wkm6fL5y7+8fT7tty37Q76PHhR2edbLyn657GmjpwpPmXv5u+ZPrqgu59s9pnrV0eQB5iEEcbzxDXEzcQ84lg8DoiwFdPnEOEmubwuWNC43L5Ei8fnFUyjp7Q5Olip/DWLDY0IYuf4JICuKgE4obIIL7wFQojLobFzeBKIi3iJjdMJmojpbKxu46eQmpyg7NIqjO0RQtin+zZUJ5318J5u3fP23IC0AuffHLhxCl59eCGsFg6myeVyTqGhmbcMQfsE4tnQXa0UPa7fz589/dw4znUf27VnR8CINXSHo0UzQq5pL9gvhDAtbTIJ5oD7iJ76G4chRUF3ajfVk6HycF7Kd7kteWEbJJH5JdyvBBukRm1PmcR5oXPhyph4EBPLdv7+N5lh48Ljy17as+Tbb0nmC3kywHQVV5XfqIgIGyF30cKhGM4CxxeLfkuART5+X18mZUvdPKFZX4KTKrhJ0wKXR+YIPZTDE3g+Alx1sAtWUExlEYwRKweV46EhRL1H/rocXF1cN2ts6E6b7plyfrFS6c+HOy49Q+zF0+Z1j4PKvO9y5ZuXDUpIc4m8/NFnW3e1SVp7Nh8KibURtlFgPxRP4w8SoPZWWN5Vy5PlfFcEc9RrizaWxHyeVGteI7UuBFEpAMZ7GgjwSLJMEVkCI4aXHD/Q63TF06bdnNw0X3rGx89Lpy68ac/vXHqzYtuaW68/0cznsFdBquryxsbyysqcK/BiorJLZPR78hnqAJ3QYl/FJ/9Ni7ogYrOWVFXRrgUkgyM0cSGcpEIGvXdKvKIuXthzz73+T4QBPbn6O+HK6iPqHVg59AL5ABqfYn3BUyDfde+oFtw7ZpYvTiTWEisIG4nlgYDTTfwLU2h6TNmNXa08K0rO0KLZq3ka2d5ulxOnnCF3A7WNobgy4vGhCaidzhwdWC0f21jZWXcRXzNICpUBuUgsvsaexZ0kVIDtByQA9i4o0KTPTKULZU+Uo90PlkYXrWaumh/cTu8HrxFqoWkF0m/CDZ0K7+3iNq/Ojw260XqcelR+a3DrdPWrxxqu5/8+MEn0MWhZTe2tLW13Lgs8h2+Dt13+wry6S1DFQ/slVVXDldZAmL/tS/ppbjD6bigy2YlOCfPkV2si6ClF2CwgohvvtTXQafAVejyQrWorytzeVnw8GdCU4Cc+/vWduHiTtexPzjpKuHOd481rf3JrwrCd9+2Fc7QS28C/8S8jTvpFaxpam9vgh96E/6CH1TT0Uv+Xro74bRvSunZJtkYwneGR6OIXmCNjlaSfLyUY6eaQ1gwPBuNZqP+EZ1tUvx8RSrmpm6S5hp6b0QgUgLDyGCZpg6aZOfmJocMvJn4l1QwKsDKKsA6Nz1oi3RCHv0v2lAYlgGO6L3WJsPlZuOw0cuTdLmkoF6mJLjekhls0+apUVyW3zMKfFdnJVLgqsaAqGI70lcFXNOzLjqx04dUDDIZ4Vuye/RgplNWlWQ0A3xL2xrpZpz+FU47dzTxQmlVSIPy6a3NyTmgDQWjNMa4tTtN2VJn1TPAN23enibrndpqMwq4aPdPNUGvDegYYA2iu35N16nxSjJkCN11artmwo8Uw6iBOxo/qVmuUwYGI9t4zWvXyLApEE+V669CZtNaaTVArmDktfp4qqy8YV6+Htx08klBRTPAOY36kMLMa2TciNZGs+UZGXptQGuMJNLyKtTDrlGaFKTIEMrr1XjNpB/BzmuiriZaKljOESmn1YMcGbKUFjLt6Dcdj1cD7BrprEdmtXq0I0OfylikJDyNYI3J5aqUWFXQqQNKkzet1ScdETaV3FbgMi2DVV0e3EBdjyEdhTL8MdCo84WT+rypXFyEedxcKjPyGnM2anIYaeQr0sgCqiGSnFmGZYq0RzAyyHVmqzOR4UuGjUZpkWH2r5fh0x7xy7DTJ3mG5CuM2C1RA3Z4bxTYDGRW097t0IaCwXTPoJ2KIbveHVeNUqFyy1U/5YzIqI9mjk1VVGO0zGYoy5bUEzJGapNm2VJ5ZOnZYjVgxSiRIfnJDOyjKNkmnXQzUN9jrU9KT1ZHritVEK87M6syo6Axk6A/25HsHjWwacxrGpRpSpOradPayFxTMmunBn65XVGfa0qltaOwpxCrtYbk6TKxp6Bg8HRSzkidjyEdlWCBklfnpcocqMwYaMlajGhTZHOrzP/pzvhoshnJoRuVnM+INkEGXyqVS5bzicvdGV+HmRAV6Ml3pZ/bVtBgKgGWDOhMDOpkXL2rnurZBP8mub4bkamLmUxDJKc+WtIbJWnL1emLhgyrW9Gc9dHsJ2iB/VuoL9KKj26+/AtUGGn1UzThl1xRM1JjlFSPNcKvDWz9GRA18GqVrabEv4xSBiSpx5RZm6Wh0khVllFPLJ+xnKdxmTs5iMbk7fRZxOSQa6KyoVk77d6HCiuXkuzfVs5uGCgtVT6jmrNTAjFtuqWds1MkXGqfVkduKs13wozKLRlVaZOJ7EJma23S8f6My9oZU21jYFbMoHob7ZJrQNZOZ/5Fq3+Wbt4unfxLmlZHV9WNutydugyVUsJALe66KvhSWZPU67amvJ0mq5EcNlV0Si9rN6JNkEEnV7mUhMtUzk55XR7lnF1KlyVjOTtF1En0fnx0tuS+kcwHkrs86mvrVMZ5KYvr9ObsVMb3cslJZerSiH/Ve536qtOMzj3oq0NLs/4sQ7kH9ZGSrgqztKsv0smNZKL+QpWHaFTeJs0KjAzpvK4dCt32TsO+UubkJv0cwCjIjWFZAEPlJmkWIPkKrz23JJ924Hx0Mp35j7TznMMg6MBbt77EIC6e5aPs2aSOcxQP81GduUkdgcp5pqf6QJNHqMZtMDT6VeMhqIBuVKJf9e8dJn60VR9kOOenYZ3IZM5PawWCMXqTWIGQns7HVxxliHO6olDjOac/Dk2Hc8ni0Jh4X0/tSKztVx1Da803KSxrZNxcumQuBnQgnkBHfZ70vDry98N4ShU3+G4tVBseIzaG1bXGqfFLkq1x6VYUa/NnR6oo1nfWg8H+bCoghzllUD1xOnTVS2kF3U/rtIeM8iUDxz1kgncG1txoZJ3xteD6am5U1oIbRPsM1dxofd/S8LcgMmCzNGRs9VFYFT2VbKjumEa91ZTBpn8zWqPkjnLdjda6Q0Non3bljdo6AAPiSS21NyPEk7ppZ2j1jdrcvAGZjLR1XqECR/KY0869DTvS8mkj9i46V2Zyb6lAkGlcDCyjWGOoBkS5rYuD9duuMdSGgsF012npNJI9oqta5VWbnUsFlNzKaaebAVZOHYhp002jNqkkXGoLpyNvpJQrUI27Kjokn1suNKqikeRSo9mGjAybAoNUmQadlFOZa9QIVaTeRllqNNfbKE2qwdIYU2+TGoh4zJPpi/Z6mxFQV7krlareJp5r2s8AULWjlsTOpXs6q6Zd1JQJO+NPPNRXcZP5zMMoVNyMWubB0IobDXmHdN9jTzfTrKXi5lvLNOuouBkFnVddcaMjq6Xi/Yl066j1Sk76sX+aa4EBG/FGVPHrlJ6kvrH2PU1tO1zxb5XryX0YkO9U0mRdu9kadSdWVyVPR2lvMjWG8kBHfdZGJewp0zZa4rl0tD4TkbDhOp/BWDgNjdcQCyf37Y3I9sm1fdSzfSl0PYP6kqDpMdqpoQJCsQwhJezqx06Zv9AQi6aZPTE0Gk0amcrml0tssmg0JurXUz+S4J2pi6RTxvEKFFMQcTJuLl0yFwM6EOtoyIakVTfAKpP3dGL4dM+1io7dlHwOPVU3mmJN2dzG78GqqiXVBltG92C1wquRrqO6B6tKFrTB36QTak1v6I3oV8jgUweWljhMDTzqeC8zi4ZHYZrOAtar8wo7FBnIWhqYwdAfw6d8r/VfJfuj7oSU0c7+pH6XOmPRu2JF8mhH76nfYMpc9K5ci67Sp08Vvcf79Nr3JFXFIwbuSeqP39X0xNK+J2lw/K7OKzBgP1dT/J561dcVDamJ31OdFKwGd0Mi+NSrtq44WKPOKGg8joE05euGQ6NYfUewS2OlnXeRzyDnWnSuzORdUoEg49nIeKvkWUrEI9G7EsdSn8lhVRotJex6Mh8KsyTArixtqeN3ReAB2RM9xYJQpO3wegfnJnuS7cGnjBcUt+AJiuxRF7+nHDvVHBp2pJJWaqiZOwP7UWrgSRkHyWBLJw4ie/TQThXf1PFPtTdrTN5H/V5UBvM+ivnpBE4YrzNx+ek4DdWj7wpZTuP5picKMZxvI0QhGeJb0hhEzZuVqfKsMW9Wqo6gNGcdlM46IOMopUfmYt9nBeKKJX8rNPp83FuhoryPlNWXzZ30rVDt9XHJZS49H9wgeVftg4tc1FYVmVTeVXjgavY0UsXc8rfXMxBzK1l0Mo5SemQu1sYCUYLl+zHR5xP2Y9T4kqkiF/l5Ddr8YFU+vKIfLNJtJB9eRjdlHx6IEQHxI0Q3RsmPPhy9WaIavjcn/u7UmB2WYwFELOTzRp+OPnTtGthPfkwtYB4lWfJ3BAGvHxcWkMcJAV4/ia/j/k4A8CplozqYo5AzltcAxQNiUmXN9QDUUuBVYH/2CcpG/mpo0bVrxGH6HM0y+0mW+Qo+RwKCPk29ypzH+NnfcBMsbyOISYHKAHw6GbbXNSxe3DBl0SKhVPqFPo2/pkiX8BtCdJI+TZ7FI1teg8MSIkQx45DtsscRJkX0OfIAuxpjQoDIc1StB3xy9BQEH2wTHkL3fUifo26W3eeBGH94+NTRyH0k8Xd43zv4Pg5iyMBb6SiG8O4i+CGXP3H28FA3/Ed8DD8KgBs++TR8kiWcbzI0LU1S62rET3pKyjng7n+p/1RXl/jY+fNEwlMUw0hPBdyNGIucBjgdiZ451Y+eOn9exMYC+fACO5twEc5fZxE0T5jxYxE+1Nf6vNm1gcn4F0i5A6+8cvOChTe98gp9+tBTlZUr1q5dUVn51CHEUZ5+mWpm10C6ewhP0OKEHHWGCJs4XAILygP1dSXFPi/ZvvEHP9iIPh0dHfTLG++8cyP6bLrt9ttvQxrzOX2c+g92PpSRMUGnl+IJb8hkDTlMPOEIieOikT31dbWBnGwIJwazpHh8+Xg4uu/zkzfeOqUme/JLPeOWNyytmE8fXzJw/dicNdOX9OcVTFw/Hc0gyWU8Nz31Rb7D1Gr6XE8PotFtkLIcux9C4fy1yc4TplAO5iRCCqI0ub4OTseVTxaRs5M+H7g0ub547Lza2eM2zVyzsbS6lD5XWj+jrshfUHlf8QR+ec20ibXlZjT2F/QR8iu2TkGavlj5UoA+EpG6t6gHqEeZGUiW3gR0CBBY1dC95Q2T62udDPgmMP23J4XnqQeet4z7SnhoKnrqpLCaPHttPdYFluDZ5LogrI7VhQNCIXn82iZRq4mIViOoDiw8u1koBK3CS8iykEIhtY24Ho7vC1rhjQwImRjeBOd5V+R5PWJ0Qw4H54LW9NnW+wteEgqfaJnzZdmG0u0fwpn2C+2Umygk3IQ3aLETvNkeMrFmNzGjtnZYaBrqG3zFrM9bG2jgWPLRe37QHOzn791UMsk9UWi/fdX829zNZGH7knbrYTOyURHbwjKnsc2KWASW+Su+jmg6y3yEryMazTJ/Q9dRzWWZj/Hfo5rF/D3hug9fR3SIZc7g64gmsMxZPF5EilnmE3wdkTmWOYeuo1RkmQuijZVowjL/g2wlIbBV1MvcFE22siLRVrJVSraSrSLP4pFHspXDjyOt+RI+99/c+ASpLSvKAV8LYeDvY6sGBrCthJC/I7uvoYgBH/YBvxAW7yOJq2wVvRDfh2wlIJjQsK1sKOKK4Ifc/Qzw9w5tQv+ix+CDAFBw/F9zNYqWEtQCZCkpQL8E6LPbtrFVgBbCu3Yh+BFFfyU9l2grAbKVSLTD8KGzCEZA79olhBE+FWwxtYObQ2RBS0ATlhDBxVnLWtFW1iK6/ezAK3NuaJr9ygG2eN/OeUuXztu5D1tJ5n2qmevUbyWZ9zvXretEn00rV61aibD5K1tA/Y1bR+QhK5kNrWR2yJwVckJL7ky0ktkJZhLbyb+enLBi6rSmPGgoi9fMrGzxz2cLAgP5Xu+4NQWB/sIcR8H6AjQP4ubf2X/IbeWHFMtWSbaSuUrN5jYQXoid2WrK4i3QXGLiYiLV1zUge4nNZW0A4sixPtI7q7zwpo45s5f+8r8mz8xnrvqKJuYVOWsr7/vOc9MXj3e50biP0G9QS9jNov2DFgmZwHj795vA9HePCc/TbzxvKf5StH+XnyE2UMeYXGIp0RKsmWPlp/r4mgK+spSvz+NnOPkZ9ZU1U+ewYNFivmVRaMnSFg4OzYFQC8e3bO8iEN1c7sbGykp3TmOlRMaG+iaqob6aLCm2ww/6Zlnx204hkjYgAjeRtYECMv47Ozunvpoqrwc+9sW/bJ3hCa67dXZb56pNt7Tf07YiWPfjPfOW3duxfu6StcEbls8b2+yvs090BFe03dN+y6ZVnW03fHfZ2uCC21fcvWzu+o57ly3duGqSd/a2D56lujf0z2yd5ANVZH4+XGjgz7Rp8J/ckpJcu/8ZjhH/W/RnbD5VRTqr2pr7hz7bCun6CbRlWewGhfXnk5Wn7oKewi5hA7L0HEtTOVBjZPeRXMFXK1kaVAmnFGxp5JpkWYZA8eoO+jQdwF6RgxgDVw1LNm3hKcBTTpqYVCupEhw2mcsLjv/o1BPCQ5JVIu+IuHLYEbLITByU2iFonV+D1lmFzr52qKdl+Yrmnn+nT79xZMv37r73N68j2SOg1r+qTuufe+OtRXPnLnrrdaT17bNmtUOt/3/vLPotAAAAAQAAB3c1w/mIN9tfDzz1AAsIAAAAAADYz+FlAAAAANn85G7y4P0SBWgIsgAAAAYAAgAAAAAAAHicY2BkYGDf+U+BgYFlw6cHvzezZjAARZABGzcAod8GkwAAAHic7ZhdaFxFFMfnrmOVPmmJYuMHFhSCdLEPfpaotUYRu2goQYqIDbIPMRgJGmoqWBINmIcgJUgQWWgeQlkKwoJF+tCK0CJFRKQ2KG3F6IMvLRHa6jb0ruv/3PlP7tm79yZrTOlLAj/OzNwzZ87MnDkzG1sxI7Zi8teQB8g06M1gWul4uVpkjTkBnqQs09fyf0D77hlN1Ldat76fNFP37YVrxHbi696nAuesGc1ggvrdKSRt/B82g7YUxP+NLTCVIM+98es7yvasWFgNbiMSG+MZiN4e1SdLbyV0LeGb+IRYrx+zrZ2Zk4n6IYVu35XBoI3PibEN56a+dZk1Wk3a1NjiVzKGSxl0kc4UsvqsBPHhuRT6waMtkJbrLnLufo1L/LbXVqpHbOXSzU7+/YetBHeBHNhk3Znxdg4r7kmMcSfYZhvzmT/H91uX73zemFB+dds4Hn1u8v1GVD/RN6w/TDnKfrfaxvzbRrvPu3I9pH/ers8PeqwyffO5oZdzzFNP6u85vaAzxnTYxtiSub5j0++Gp+i334OyKr+i9i/PvfZzHySfg6Nch0Ha28W9FBtjtvFsit5bYB/LYvNBNa6Pdz9WmX11nPh4KnENZH4v2cZ4Fd3dlINsE7nTxmfd++Hj6bAqT9k4NrwPeRvfkUXbGDdT9NvvobrP6vVsItsbbXzfibyPfh0EFTXvD1h+hvNZBz5We6VzlejeCF4Gj3M9+9kuvMbvnnF+L3Bcvx9D3Dfx533r4lf2dA/Xc4hlyADnNcB4wRMAaxFso0R+Cl6n7Lp+etGcdxJf9m8O1IMTYDKW5hGWT3C9P2N9C2PnSzDMWOhzBOshv4WU+PoecsjVzS/gR+oKkjs7CNsCGeMr6+40yOCgawt8HIqtC26MoB38bithn8uRgpR9XcsQ6xEiHmtvQuJ8hj+jjDhbuAwd2LsCH2rDze1Sj5hD+7j7dgW+hRbfeyDPEdgOb7eVq8hp1YKTQjR2T+xXKlsc1RGWsV/VM7Hvi3thFD5P+3eKxKTPu5IH5K38onW5spdrbbiGA9yzQsKm4fmdoRywcS4y7oxG+97v9qou572LvhUVexP1Sfqwj/tXTPAdpX8XiV95nucpnt8Sz1jRxaS5F8j76A3wNef3NNuOpcxrBeSQw217XM7SSe2/g+iyIuqX0t6E4ZrvyLBPW4v2lppTd1wONifKrfhCRL/lPv6N/xuRMYcpOzPqRrV3KvkhOE75Q0p9GV8kXgXJG77s67otqxzVxxy6LWqfb26XNpPSJ6knd3ekI/rb0/WXs5GF2Fz0Ra+t93m+WbfBr3nl13zzPJezsaRv7SltWes7lj1Ow36NZej4+UuOkbfFswrJc/4thvvBPKZ02hV3g4f4Bpc76BZw2WHOsb9I+c3kf4frM3kauut4dyFfB32uHp1Beb8eABgjeFf1S4tlbfe0sxXZUP1DjFHDfVRDPq29Db6xlb+gt4D3ysKn/Dbg9ORu1PdlVOb9lmyv9qh7Ve7KF1J0jtDm/pgQ639xzt2FVdwv4Re4R9F+aY71OyD74u+R3f2uz6KNQsLuDOsz/M5vYkvKMvfwVd6xyFdXZW9KXLeTa6yxxvUidzRGtyW/L/VtpX2j3xOTlPLb8pAxgQGnwCYwi8pZyA1kPehH23kgukVwARxnnwPG5HKQJfebJzhlo//RBLOwfRZyA5G8L2/n8zb6PZmTe6QEm/84O+ZPjr0AeQPbOzj2T2CWY3+EPDcN+SvGvcmNE401Dp2azAVl/P0LwMzxwwAAAAAAHwBNAF8AcQCMAKcAwgDeAPkBCwEnAUIBXgF5AZQBpwG6AcwB3gHwAjYCSQJdAm8CqgK8AwMDOANKA1wDbgOAA5IDuAPwBAIECgQxBEMEVQRnBHkElQSwBMwE5wUCBRUFJwU6BUwFXgVwBbIFxAXmBigGOgZMBl4GcQaDBqgG4gb0BxcHVQdnB3kHiweeB7AHwwfVB+cH+Qg4CEoIdwiKCL0I0AjnCPoJIAkzCUcJdQmjCccJ2QnrCf4KMwpoCnoKpgq4CsoK3Ar4CxMLLwtKC2ULeAuLC50LrwvCC9QL5wv5DAsMHQwwDEIMigzcDO4NAA1SDYMNtw31DjEOQw5VDmgOsg7EDtYO6A76Dw0PWA+TD68P3Q/vEAEQFBA5EEsQXRBvEIIQlRCnELkQ6xD9ERARIhE0EUYRWRFrEa4RwRHTEfISIBIyEkQSVxJpEpUSuRLLEt0S8BMDExUTJxM5E0sTbRN/E5EToxO/E9ET4xP1FAcUGRRuFIAUkhStFMgU4xT+FRkVKxVHFWIVfhWaFbUVyBXbFe0V/xYRFn0WkBatFr8XPBdOF4sXxRfXF+kX+xgNGB8YYRjAGQwZXBmfGbEZwxnVGecaAxoeGjoaVhpxGoQalhqpGrsazRrfGzobTBuPG8IcExwlHDccSRxbHG0cmhzXHOodIR1BHVMdZR13HYodnR2vHcEeFB4mHnkeix7IHu8fAh81H0gfeh+kH7Yf7iABIBUgVSCYIMUg1yEQISIhNSFxIa4hwCH0IgYiGCIqIkYiYSJ9IpkitCLHItoi7CL+IxIjJCM3I0kjWyNtI4AjkiPiJDkkSyRdJL4lACVCJYQlvCXOJeAl9CZBJlMmZSZ3JokmnCcGJzInaCetJ/AoAigVKEsoXShvKIEolCinKLkoyykQKSIpNSlIKVspbSmAKZIp4in1KgcqJypWKmgqeiqNKp8qyir+KxArIis1K0grWitsK34rkCuyK8Qr1ivoLDEsdCyGLJgsqiy8LM4s1i2yLtAvTS/MMBMwRDBxMHkwsTC5MNEw4zEAMTwxRDFWMWkx+TJNMnEygzKVMuoy/DMlMy0zNTM9M1ozYjNqM3IznjOwM/Qz/DQlNEg0azSXNLs07jUkNV01nzXeNeY2IzZjNms2fjaGNrU3ATdRN4M3rDhBOJo4yDjQOQM5OTlrOZM5mzmjObU57Tn/OjM6UjqfOqc68js5O1E7YzuAO7c7vzvRO+Q8cDzCPOc8+T0LPV49cD2YPcQ96T3xPg4+Fj4ePjo+Qj5UPr0+xT7sPw8/Mj9eP4M/sz/mQBxAXkCdQKVA6EEnQS9BQkFKQYhBz0IgQm1ClkMoQ35DrEPRRAREOERpRHFEeUSBRJNE1ETmRTFFhUWNRiBGdkZ+RolGlEbnRwZHDkcWRz9HgkfNSAVIQUiGSN1I5UjtSPVJGEkgSShJMEloSXBJeEmASYhJkEm6ScJJyknSSfxKBEoMShRKHEpSSo9KyUr9SzBLXUuUS8RMD0wiTDVMdEy6TQtNQ02XTdpOGU5HTnlOok7UTxpPVk+CT9hP4FAVUE5Qk1DOUPpRKVFvUbpR8VIzUkVSWFJsUn5SkVKlUrdSyVLbUu1S/1M9U3xTolPXVCVUUFSRVNZU9VVPVZRV0FXZVeJV61X0Vf1WBlYPVhhWIVYqVjNWPFZFVk5WV1ZgVmlWclZ7VoRWjFaUVpxWpFasVrRWvFbEVsxW1FcFVyhXVVefV8hYAVg9WFpYpVjhWPdZTlmhWhlajlsrW7ZcJVxBXFVchlyvXL9c6F0RXVtdpV2uXdBeAV4OXmBecl6GXpteyl74X1Vfsl/PX+xgDWAtYDVgPWBQYGNga2B9YIZgj2CcYKlgtmDLYOFg7GElYVthfmGgYa1hwmHdYgNiN2JVYoli0GL6Yzpjc2PbZINkrGUYZUBlTWVeZaNl8GX9Zi9mPGZNZrdm/mdPZ59nq2e4Z8hoAWhDaE9oW2hoaMto12jnaPNo/2mBaipqmGqlarFrRWtSa79sG2wnbFRskGzBbM5s32z7bQ5tF20fbR9tH20fbX9tzm4ebp9u+W9jb75wGnBgcKRw1HEucZRx1nIxcoly1HMHc1Nzm3P+dEJ0rXTvdR11YXWIdcl2LHZrdnN2e3aidqp2zHbwdwd3LHc/d213qHfGd/14JHhLeHt4rnjWeON5EnkpeUd5nHnBefJ5+noCeiV6T3pyenp6hXqcewR7kXu5e+R8Dnw3fHF8qnztfPp9B30UfSF9Ln07fUh9VX1ifW99fH2JfZZ9o32wfb19yn3YfeZ9834Bfg5+Hn4yfkJ+U35hfnd+h37Vf2iAj4CrgNeBDYEzgVmBgIGmgbmBzYH4gh2CUoKHgr2C84M1g/iEM4SIhK6Ey4T9hR6FQIVbhXaFiYWcha+FwoXSheuGAoYZhjCGR4Zoho+GnYazhsGGzobjhviHBYcah0yHaIgsiE6IcIi1iNuJA4lciWqJgImViaqJvYnRie6KDIosikyKbIqBio+KpIqyir+KzIrZiueK+4sPiySLOYtdi3GLhIuRi5+Ls4vIi9aL44vxi/+MFIwojD2MUoxfjGyMeYyFjJiMq4y/jNKM840NjSeNO41bjXSNjo2ijc6N7o4PjieOPY5TjmaOd46Njp6OtI7NjuGO8o8JjxqPMY9Lj2WPe4+Rj6aPvI/Kj96P75AAkA6QHJAukE6QdJCCkJ6QvJDKkN6Q75ECkRORIZE7kU+RY5F+kZSRqZHCkdiR7pIIkiSSQJJckniSlJK3ksiS2JLrkwCTDpMhkzKTQ5NQk12TcJOMk6+TvJPVk/GT/5QSlCSUNJRElFKUa5R+lJGUrJTClNiU8ZUHlR2VN5VTlWqVf5WUla2VwJXWleaV/JYNlieWOpZQlmCWdpaHlqCWtJbJluyXBZcflziXTJdgl3qXjpeil8WX3Zf1mGqYsZkFmTmZg5mvmcaZ5Zpamr6bHZtFm7icHZyAnN6dG52EnbWdyp3pnf2eHJ5DnpGey58gn2iffJ+Zn7mfxp/Wn+Sf8qACoBCgHqAwoD6gTqBqoHigjKChoLagyqDdoPKhBaEloVGhZaF9oZWhsqHJofWiCaKvosyjNKNdo2qjpaPVpAekLqRVpMmk1qUgpS2lPqVPpW6lmKXPpgamUaaXptCm+qc/p0ynfKfAp/2oPaiCqJOoxqj6qUmpjqmbqfuqB6oYqkCqdKqwqsGrOqu3q8Sr1awDrD2sjazbrSStMa1vrbmuCa4arn2ujq8ir1Kvma/SsF+wm7D/sUuxerI3smiyaLJ/sqay3bMjs3mz37RVtNu1UbW3ti22lLbqt1C3xrgsuIK46Lk/uYa53LpDurm7H7t2u9y8M7x5vNC9Nr2MvdO+Kb5wvqa+7L9Cv6jAHsCEwNrBQMGWwd3CNMKbwvLDOMOOw9XEDMRTxKvFEsVpxbDGBsZNxoTGzMcjx2rHocfnyB7IRch7yMLJGcmAyffKXsq1yxzLdMu6zBDMdszMzRLNaM2vzefOLs6Gzu3PRM+Mz+PQK9Bh0KjQ/tFE0XvRwdH40h7SVdKc0vPTWtOx0/jUT9SW1M3VFNVr1bLV6NYu1mXWjNbD1wvXYtep1+HYKNhf2IbYvtkF2TzZY9mZ2cDZ19n+2jXafNrT2zrbsdwY3G/c1t0u3XXdzN4z3ore0d8o33Dfpt/s4ELgqOD+4UThmuHh4hjiX+K14vzjM+N547Dj1+QO5FXkrOUT5WrlseYI5k/mh+bP5yfnb+em5+3oJehL6ILoyekg6Wfpnenj6hrqQep56sDq9+se61Tre+uS67nr8Ow37I7s9e1M7ZPt6u4y7mnusO8H707vhe/M8ATwK/Bi8KnxAPFH8X7xxfH98iPyWfKf8tby/fM081vzcvOZ89D0F/Ru9LX07PUz9Wr1kfXI9g/2RvZt9qT2y/bi9wn3QPeH97735fgc+EP4WviB+Lj43/j1+Rv5Mfk5+UH5Sfld+WX5kvmu+cL51vnz+g76KfpO+nj6qfq7+un6/fsY+zT7SPtp+5P7m/uj+6v7s/u7+8P7y/vT+9v74/vr+/P7+/wo/ET8WPxs/Ij8pPzA/OH9C/0//VH9ff2Y/in+Pf5R/ln+Yf6a/rv+3P7c/twAAAABAAAGDACUACUAUQAGAAIAEAAvAJoAAALND4MAAwACeJytWMtyG1UQvU7CI+GxoigqxUKVYuFQsh2HRxVkpcjyg8hSkOyELEcjWZ5ElsTMKIo3LFjzI2z4Cj6ABR/AR7CgWNF9uu9jNJJjDOWydOfevv04fbrvHRlj3je/mOtm7cZNY0yf/mW8Zm7Tk4yvkcwPOr5udsxPOr5hPjW/6fgNUzF/6/hNs752W8dvmR/XHur4bfPx2q86vmk+WPtDx++Ye2t/6vjdYPzeh79f+0TH75svP/rL/ExW7pt7Ztt8RaNDk5jYpGZiMvo/MTnN1WmUmik+I5pJaDQ2m7RSMyP6q5gOzQ3NKa1leBrQ94CkX9JnnyTrtC8jvRE9JfQpOvu0yrJDMyMtEcmzD9v0t0kebZNPD0yXbHxD/w9KOqyGjQUdq21VFiSfwMdM46mUrP8fFhMgwnM50OPZM+x6QXOMMK+cQnYZ9kM8zwh9Kx3T9xk9R+RzAqQ3CaXIPIeVI3NOawMzR7Ze0GoN1iTCh7TCGeNM5ST3tdmiv0x356W9m2ptmWcZvJqStgRZrtA8W8nBjGfwuoJYz+l7BkZIrIKJlea5CeJKSYK9GJgqPfchNwXG55jhiNnOlCQT3RurloE+R9A9RWbPSCrHGu/qwQ+L9QgR8S7rl+zIgHNamjlxMVQvlbcpnvu0J6bnKvCSihC7VWdnMYIEmZoDp5g+l2M210hZOqZoZmBWfyn2vGeE0TrJ36Vv5mBPcVmmXXy4KrZeex+ahjSXgqk5Mhe7HrIsAmu97NeDgAMcicSSw57tTqxfYu3TzByRT1B3F3EvKrBqgLxM9FOikvEMVTPDTvbWZtPqOUV9TS/kqPTNsWbGa7cVkijKzB/2twekJbe3aOUW1bjgzFGMEN/c4VzkdRW5iTDuKxN8nrrmwDTpu42c8squw2WxPtZdz8hc14gR4xRdfxN9dETfjNuQ1tukrUkZksr1nSJzaJXzIdgIbyxHIpwwF9Wr5XnPoTJTlhTj3YPWfVrtKSOnqNkE/qTQceKqv8yVMgZD7D2FRtsrt1AbxX6whdMhPCM2IM0c2qK9nMMedkaoEo5ti9A7oJOkYVqUqQYhafP/2FVgFpxe4q2waaAVOURNjJU/VUTDq4PgNDlF1QyVLbYehJ9TPSHFAvuY01qCk0f4Fim/p8rnsC96NnUVhzlshZZ8T+W4uQdIr7c6q8jvIPDQdxdZmwDRE5VNsZK4XtNDtQ4K50emp2C4255hVoYZVF4VryyL/020GTjynJ7ioO/kF1SydI2wEph1woBtdL4W7U2CDvJ6Tyo0L/yOXAc6AXdy14vZIvc1Pruk9uyNg7VKD8sQk/TpNnAe4knkxcJhCb3ifSvT/IW1mwEHf6KIX5ytE8f++4j96lYvn7dF73raV0aOfavY5pm0pX75yOaaM5+DbAlfpP9LHvw5HcFPviXJzcBXnj1jpDqzIL6IvJrgJu7lU3dfF0bk7hyz/Pf9r9h5uUPL+ZOpxggs6OnZtXiWFxkqN4gMfrKdDeROeCU9/RV8OsFZMlCOcH89w44NvSP2EdUIu051RrJseeDvEAN3/qSIPkX/zV1+Y0TKHizTzr0n17kc3U6YxbnMgmxaezYC8aKn/LRni43KIiGxD90za5ooskU7RZwHkLc3nZeQnC+9i8303mmr5zPtHJNL1MpVKiW859s3rvBdMNTSoj2M7zpJ3NWeK/hkiPGV3hliYMxYp+7WOTbhTbR8DhZPvkVUYuRH7qRT12clE/UlNbKv1StISgWIneX32vDOvfruMzD2nngWcMSiM1Z0/L07VSx9VEVdNteZy/bnwNXeF8cLeBez+7q4/a7wrKmh451idrnei1iToafJWSx9yDJ85u6sEqNU7xlk7D1gjDt+qoyz51ofTEuRi8z1tPNL8L2qrItxMwzfDmJ6Gx7jdJbePyxw3PZefwKIvv+Gc9iJVyOdFk4UkU0we7X6scz5osCci+825XvSRN9oyncof2+YQoPvlf69dwKURfMM1WVZseqslZpI4NFI+9BY8Vx9loV3Qm+pyMNVFkP9/i7lT7pVp6Z0jO9pv3h7ZuzbtX3zsB3A9wqRixShy0Qmb7/Sb2w8tg+dB7weuzflGGes9SX8Laav1Wj74+vr2r+n7tN7C0u2qdcfQZLfCo/MU2JzB2sHNFehN5oOrTyhpx2a3aGZOyTR1fU7yNRTGrPGtjmGLtHRoU/W/cxUoLuCZ356RPIt0sV7G+Y72GiQti4kO9B9SLP8ltVQOd5Rp5ljeubxnuHfzMRei3bxdxP72Bfx9IjmvdWiVwewaD07pKcO6d/X1RrpPoA+9r8KpHjccn7uqqc1YMSaj/BOeEy7alh5TOMOfbbxjih+7Ki3LcSwS+sSSwMeSCbEozp9PybbLLFHfh3BC7Z0pJJVRMjx7GA/W32EWfGsrVnmsdeyqViKH4z/E2e5i/ib+OXBMqTsRwWZbsJqB1loKPaMWtPxqhNgXwcqnB32b4fG7O+ey8Giv1ZbMQfLOGAt7CGKBvBoQrpLfjdI/sDNCOsOwLa6Iig6hd2S+WaAYR254vx9S1YbypwaECpGIXXA/vsoBOeaftaxt40nn+OW5rDuMtoGl8qoPEXFNSBVQz66DoVdVOmhen4c8Mjm8VhZ2HaeFfG11WLlLtMhRJe1Xcwg41mDdvaw69B4vd7Nq/2e9Q9nNlrDeJx9PAd4HMXVs3unKSq2LMmy3A2hE4y0e2VESNGdTrZB2Ma2cEyKc5LW0qHTnbhiW07vgfRCAgkk9Bo6IaR3CBAIpFc66YH0QpI//+7Mmy2z59ifbvaVeW3evHm7V5CJxL//XowsdzCQ9g93ui9HoXsNEy/H/XgFHsAr0T14FV6N1+C1eB2axOvRjXiDsdToRlPGMnQTep/Rg45Gx6D/oP+iaaPX6EPHol8by41+dBxyjBXGAPomPgIfiZ+Hj8JHo/uMdfgYdD8+1jjCOBIfh45HJ6B/GEcZR+PjjWPRicZxxvHo+cYJ6FvGiegB9CB6Dp+Avo1PNDYaJxuD6CRjCG3Ez0cnG7aRwicZGfQEGkRDRtbgeKNxCj4Z7XP9esg4FT2MB/EQtrCNU2gGp9F3ccYYxVnM8TA+Bb/AOM04HZ+K3m+cgW5GtyAb/R6lUNrYamzDL0QZ40z0FPqXsQO/CL8YvwRljbOM3XgE5xBH3zPORt9HsziPfoBHjVfgAh7Dm/BmvMWYMqYNx9hnzKBhdIoxa5SMc4w59AJ0KvqtUUafw6cZFXw6HsdnoBcaNfQLo240jKax3zhgHDQW0SgqGYfwVrwNb8dn4h1oDu/Eu/AEPgvvRmX8UnQO3mO83XgHqhjnoXl0qXE+KqAx9H/uAlaNdxrvQpvQb4x3GwbajBaM9xjvRTV8Nn4Zfjl+BX4lqhsX4L3oXPwq40LjIlzEk2gLOg3907jYuARPGZ9ApxuXGpehcfRD1DCuQPvRATyNmtgxrjauMa41rkNn4H3GDWgrnjFuRNuMm4yb8axxK3oSbUdnGrcZtxt34JJxJz4HHUQ70KJxF3o1nsNlPI8ruIpegxfQIXyu8WVcw3XcwE2837jbuAcfQJcZ96LXolvRTvQM2oUmjPuM+/FBdJbxAHoa/dt4EC+i84yH0G7jYeM7+BB+NXopep3xffQG9Eb8GvR6/FrjR/h1+PX4DfiN+E3GI8ajxmPG48YTaA8623jSeMp42vgFehl6Ofqd8Uv0Wfxm49f4Lfit+G3oFcbv0S+NZ4xnjT8YfzT+ZPzZ+IvxV+Nv+O34HcY/jefQJejj+Dx8Pn4nfhd+N34Pfi9+H34//gD+IP4QvgB/GH8EX4gvwh/FH8MX40vwx/En8KX4Mnw5vgJfia/CV+Nr8LX4Onw9vgF/Et+Ib8I341vwrfg2fDu+A38K34k/je/Cn8GfxZ/Dn8dfwF/EX8Jfxl/BX8Vfw1/H38B343vwN/G9+D58P/4WfgA/iL+NH8IP4+/g7+Lv4e/jH+Af4h/hH+Of4J/in+Gf40fwo/gx/Dh+Aj+Jn8JP41/gX+Jf4V/j3+Df4t/h3+Nn8LP4D/iP+E/4z/gv+K/4b/jv+B/4n/g5/C/8b/wf/H/4vwQRg5gkQZKkjWBCCCWMtJMO0km6yBKylHSTZaSH9JI+spz0kxVkgKwkq8hqsoasNd9nvt/8AFlnftD8kHmB+WHzI+aF5kXmR82PmRebl5gfNz9hXmpeZl5uXmFeaV5F1ptXm9eY15rXmdebN5ifNG80byIbzFvMW83bzNvNO8xPmXeanzbvMj9jfpYcYX7O/Lz5BfQx84vkSPPL5lfMr5pfM79ufsO827zH/KZ5r3mfeb/5LfMB80Hz2+ZD5sPkeagX9aHlqB+tQANoJVqFVqM15nfJUeRocgw5lhxHjicnkBPJ88lJ5iPmo+Zj5uPmE+aT5lPm0+YvzF+avzJ/bf7G/K35O/P35jPms+YfzD+SjeRkMkiGiEVskiJpkiFZ9Hn0F/RX9Dfzn+Zz5r/Mf6NlaClai9ahG1ASXYGORJejr6G3oy7CESbDqAe9GHWgTvRK9Cr0IvQScgp5Aeomp6Lb0O3khSiXSKCvo2+gO9Cn0J3o04kkug5dj76IvoTaUHuCJGiCJdoTHYnORFdiSWJpojuxLNGT6E30JZYn+hMrEgOJlYlVidWJNYm1iXWJ9YkNiSMSRyaelzgqcXTimMSxieMSxydOSJyYeH7ipMTGxMmJwcRQwkrYiVQincgksgmeGE6cknhB4tTECxMvSryYvAglyIvJS8gIyaG3kDz6AiKJMTJKCuhq9HcyRjaRzWRL4gxyGjmdjCfOJGeQrWQb2U7ORG8lO8hOsgt9mEyQsxIvJ7sTr0zsJS9FS9Cz6A/oLrQBvRcdgdajC9CH0AfRNaiIrkQj6AOJIrqY7CFno4+ii9BV5GXowoSDKLqbvJy8gryS7CWvIkUySabINHHIPjJDZkmJnEPmSJnMkwqpkgVyLqmROmmQJtlPDpCDZJEcIq8mryGvJa8jrydvIG8kbyJvJm8hbyVvI28n7yDnkfPJO8m7yLvJe8h7yfvI+8kHyAfJh8gF5MPkI+RCchH5KPkYuZhcQj5OPkEuJZeRy8kV5EpyFbmaXIM+Q64l15HryQ3kk+RGchO5mdxCbiW3kdvJHeRT5E7yaXIX+Qz5LPkc+Tz5Avki+RL5MvkK+Sr5Gvk6+Qa5m9xDvknuJfeR+8m3yAPkQfJt8hB5mHyHfJd8j3yf/ID8kPyI/Jj8hPyU/Iz8nDxCHiWPkcfJE+RJ8hR5mvyC/JL8ivya/Ib8lvyO/J48Q54lfyB/JH8ifyZ/IX8lfyN/J/8g/yTPkX+Rf5P/kP8j/6WIGtSkCZqkbRRTQilltJ120E7aRZfQpbSbLqM9tJf20eW0n66gA3QlXUVX0zV0LV1H19MN9Ah6JH0ePYoeTY+hx9Lj6PH0BHoifT49iW6kJ9NBOkQtatMUTdMMzVJOh+kp9AX0VPpC+iL6YvoSOkJzNE9HaYGO0U10M91CT6On03F6Bt1Kt9Ht9Ey6g+6ku+gEPYvupi+le+jZ9GX05fQV9JV0L30VLdJJOkWnqUP30Rk6S0v0HDpHy3SeVmgVPQ8x9A70NvROdD5dQO+i56I3J1+TfC3ai36F3kRr6Ku0nnwDbdAm3U8P0IN0kR6ir6avoa+lr6Ovp2+gb6Rvom+mb6FvpW+jb6fvoOfR8+k76bvou+l76Hvp++j76QeSlyYvS16evCJ5ZfKq5NXJa5LXJq9LXp+8IfnJ5I3Jm5I3J29J3pq8LXl78o7kp5J3Jj+dvCv5meRnk59Lfj75heQXk19Kfjn5leRXk19Lfj35jeTdyXuS30zem7wveX/yW8kHkg8mv518KPlw8jvJ7ya/l/x+8gfJHyZ/lPxx8ifJnyZ/lvx58pHko8nHko8nn0g+mXwq+TT9IP0QvYB+mH6EXkgvoh+lH6MX00vox+kn6KX0Mno5vYJeSa+iV9Nr6LX0Ono9vYF+kt5Ib6I301vorfQ2eju9g36K3kk/Te+in6GfpZ+jn6dfoF+kX6Jfpl+hX6Vfo1+n36B303voN+m99D56P/0WfYA+SL9NH6IP0+/Q79Lv0e/TH9Af0h/RH9Of0J/Sn9Gf00foo/Qx+jh9gj5Jn6JP01/QX9Jf0V/T39Df0t/R39Nn6LP0D/SP9E/0z/Qv9K/0b/Tv9B/0n/Q5+i/6b/of+n/0vwwxg5kswZKsjWFGGGWMtbMO1sm62BK2lHWzZayH9bI+tpz1sxVsgK1kq9hqtoatZevYeraBHcGOZM9jR7Gj2THsWHYcO56dwE5kz2cnsY3sZDbIhpjFbJZiaZZhWcbZMDuFvYCdyl7IXsRezF7CRliO5dkoK7AxtoltZlvYaex0Ns7OYFvZNradncl2sJ1sF5tgZ7Hd7KVsDzubvYy9nL2CvZLtZa9iRTbJptg0c9g+NsNmWYmdw+ZYmc2zCquyBXYuq7E6a7Am288OsINskR1ir2avYa9lr2OvZ29gb2RvYm9mb2FvZW9jb2fvYOex89k72bvYu9l72HvZ+9j72QfYB9mH2AXsw+wj7EJ2Efto2zNtz7KPsYvZJezj7BNtf2WXtv2dXcYub3uOXcGuZFeh96CfoTx6N3oU/Qg9jn6Kfo5+jH6CHkGPsavZNRhhg13LrmPXsxvYJzFhN2LGbsIduBN34SV4Ke5mN7NbcC/uwyOTNWe/0yGH4lSz4SyR19PVxqRTrh4A0kytuN9ZKq9nq9W54mTVn9Yolaed7pGpUm2qOb+v7BwUcnpDCCUszCQk9oUQvtgwl5DNRpSA9hGfi4zMF6dq1QoZqc5UK85c+0itVJkRqslIQYwd+UBQe96VUZyacioNPDpVdCe6Q61abOCCcAIXBLK7oLtRaOFGQXej0MqNguZGe8E3gRV8jwqBRwXwqCA9wgUxDW8SlnVsCsR1bpqqzs8Xpaz2Tb7Y5ObJYq1jc8BobjkNbxH+sS2+xi2Bxi2gcQto3CI0dpwWUnV6SBUeFzHB48KizvEQKTnuysdbJX2rpG8N0ROFygzb6mkuO/saeJswqnubHu1tLaK9TY/2tlbR3qYnzTbf4W0+V5t7Wau0i1ehsEtchjlrFaFkibj0J0qKEOxOabqJVmvOl4vNBtkGIdwmQ9ixrV4u1mdlHHbAIMOxIxzJnTJDd4YivTOyqE5tvliZnizX23ZOzR4oJne5S4t3CUl015QzXSqXi527wiIn5EJP+N5MBH5PCL8nAr8nIn5PBH5PRP2eCPyeiPg9AX5PSL/bJrzthydkyu6W3u0OvGO7p0tOzamX6ni3UNSxJ0TcoyzBewSxfU+Qo3ukIrxHij5biG4/20/67i0Cs/e0jeXqVHnr+OiSvEAIcPv46Uu2RsFtUXBnFDw7AuKirI/FUH0sRutjMVQfi1p9LIbqY1FP9WKLVC/qqV5slepFPdWL/kIWg7gVYYGKUB+LQX0sSlc6pkL1cSqoj9OyPjqyMDqyMDq6/U4L+x3dfqeV/Y5eGJ2gMPqBbQ/iSBxwxYEyJUPaVvc2Bp6R5XEmtJNmwjtpJiiPs155nA0YacmllZ16HZfk3in52ku+drN0DimBASUwoCQMoOfA9I5zQsrnQso752ZqjlMpuzu5NIXLshyUZTkoh6tn2auecmt2VIoL1XqjVl2YdXBF8lbCldRxK2nFr6RVWUmr+vJUWyxPVV+eaqvlqerpVfWjUg0qSlVUlGpQUaqRilINKko1WlGqQUWpRipKFYJchUpaDVXSGgwyHLVw2avLqNVDS1AP0dvK1cpMPdnwymdDls+GKp+NsJymTIGm70IzcLYpnG0GzjYjzjYDZ5tRZ5uBs82Is01wtgnlsynKZ1PWuAPSpQOhCnnAL58HZPlcDBEX/fK5KMvnYrB3FqF8LkrRh2T5PORvina52zcWy43ukqyk5/iVdCpaHCtRsBoF61HwUARsP7hxvllulBbKi92V5vxe+NtYLs0U+0IIHzngAc3KtFPbu1CsuXvITXZBaD+w1/0vLpOV+ep0cuSkqcW2nOO9niVeN3mveNM53tC5adZpLjSatYpHGRX0Ld5r+xZZtAWi6k04e1YAZ0tUSfCU6u4CNuSlz3560WM/XchvK5TF67x49ZQkt3mX2yWxJl7r3usuD5OccF/YhJLaVtjnvW4WAvNCP95VF8POWQ9Jd85OiQsyekiQO3ZW9zXqpRlPU8fmYm0arskep9b05o0Ls/BWOYweEloLXiQKXn7X6s60h9ni6d3jOdl2msdCdtWl+1ua4lVYNOqH0KtHcx6w1I3StFN3M8ddGRdecnoxAhYqYbBzwp1YLM3Mes72+IAvbcnmyOyl+ahwsnNWON+xveim0eycjIhX9cWKyMz2Lre5u7smHGuf8LFdYrVFAuY27egSCxVA+0JQ0pPXNin8l0s8I6I3I/2fCafQtKCXRAqVghQqiRSSa9R2SKJECpWCFCoFKSRcwXMyhRyRQo5IIUekkCesbUESRQo5IoUaYjG9BWJNP4UckUIiTnhKplBDplBdplBdpdA0pFA9lEKzoRRahBQqy9ypyGFappCIhBNOIZE8i+JVcJIGpFBJpFBJWDTthzBIoUNaCs1FU8iJplAznELNeArNRlNoSkuhOqTQQiiF6iqFSkEKVYMUagYptD+SQjMRaDoMLZGx9YmHIpBIBQX1BCkRQqnU8OcIU33IiWTvQoSzETFELr4PyiRQYLdKBoXoDSWDjwslReBCMwxN+jp27si1jZQXZovJnNMotm0quicqKSzUS+65mzzbRSUKLnrXrHuV3OIeOm71XFgouneS85PTRfOMprm1ab605N5GlbyYm9tLiR2z1badpZn5YmJXsUkmpKjE9tlSIu/+ba+X2oW+RrVSrXeCJgFQV5O4YJ4iSQe5EpgIMbdvm3dmgMljV+frUmBSMDu9WNq5OD9ZLbcVhZuTnpsznptuLSg3isQBZw95znrEhnC25Dk7J5wtS2crTfNgyW1zhEWJ2my1ve65ua9UKZbbxGWi4XrcBI8XXG+n3D8XbKt6xrKS71YpZPGyMCDJzZCjS5tRh/o0WM6ohuLUXvVD014MQu2EQ+2oUM+p8LBDTq260Xvp9F5KlX1OrVStdbjtjX/dOODjuxqzbmusoM59Va8DUkBpfzCnXjroz6m75afiQ45XCPxJLt6fJG2ZrlTnqateXri6xUW7UCwumacVrlyVks/VJ/mEMnkpNElGT428EjrcLqUmdIgLT4d3ATq8S6lDXnk6BJ+nQ/BJHeJS6hCMQod3JSJZby4EMQoAV5gCvBipaxkjHxJS/UmeYAUw12pBne0U1srreocnGK47hSwFOAen3ESerjYnyw51W8ta2ZV2zLzbS7s9rdudLbhr2/DuMSszZffesTg15zS8hnne7TKPlWw1T9T/4mv3ytHsonvrU+lya2TpkJtvxbJbmrtEK+g29m6Nnix3ndusNvzDqGum6bbzzrzT8MxY4kNCW4+UtlcOom1cGUGFKauiFPfmreiqEaSlgHNtEXBvC57VUVyE1g00735RIJaHEAG2H7BF935G3mUKdI8XJ8dzzzdglUAJH72medINhVuyZUMNUY3wrwFkyxk9Iiemw7FQKDnIwEVQYcpAlOKc2yyWBWFFlOD72QeIc5tuY1CqSpXLYtO7p6puydkrXmV8QojDoWPTA0SPREQWVqJ8ywbqjlsLBc6/knPlBtgrBxmQCCockGWKEkQijAnh+1QIwtN7fWTIRx8XCVrAGsjsL9Zd90r1ub3qQqDXx9BR+nIfHQ5Qr48VN+TS8SB/tNuzMMVPWrk7NAokqNQcooU8DmFDUR8IoSOhWBUiaAkeVhDEKTwhKDDSa+FsND7dEheKcwgRzjKJjmx/iQoi2B9ChNDrAjO8natbtSpE1kisWHFrYtkpFbtUULyHT3OkMllfcNehyyvXdcddLffkriUni7ONpPcghIl4eyFITrtTkk7TPcG9l6mm2xBX3BZ6punOqZTIbG1xf6VUTMyVFpLlYq2ULJdqxQ7vZVezNuc2tW3zxUqx0VYpuii84Cpz2yB3qLbVvDPDfV1wnA7xusVtP4oV9w7FOdcpu/c1lRkHN5oztdJc4kC1smSy6VbwRtXdEJ6tXdOl/aW6648IU4cb59L+Ytk1zVkRnBGed85BV5LH2O6eMN69WXmy4V82FnrK1ZnSVLHsxmkHHB2dHtW9mPLCldg2O89Klama4x1FbaIjancb9VnvGU2x7DZmI7Va9UC7qKDikk1XD1TklZfK4mqJd7XDZ+loLowqpqXyerJYdwTcW64ecGrbKk5BHLE5t5+e61O4M92ou7YJZL9A7vKOaclaF+glAr25WN4nwOUCHHPP7zDTimAuiKyHZO70TvgwO9vnxl5Kby4shKT3CjBqbI/naxTVC6iw+cs9XMx6ETLw2b3S7e73J0XMFrJiVss1kQaIy6hRMlDjSt9SAe7wp0hPffKxPjhSmR5XM9V1MG11jC+gRWRMeNcyJUICBd9x/5svELi06RNDyv+X0BgtLrS97t09lz24Q1zKNo2J6+liba5jsuwW6nypNlV2Og7MlhoOXLv7fwauB7wVkWni8u4OmFaKlWhJCSWuRgklXZTSG1EjcX1RDRK5PBypgNUPdEjmGh/p5ti0W+QiRD9pWhDXBinUihqY0ILa49aehleIxtxGVaI6p6uNhjMtAbLPraXOokO9Mlh3L2Tkc6IodpUqonRJqAegkPTVfgS3xGl+3OO0Tn/eSG2q02f0gCBHa1NdodxyoSAM/ixg7BSpM1oqzrv3mp3CAwD6IisJyOXRpQRsr3sI6Lj+STdW1fkYq9C3pbI7pKlH4La7x5cbLLf614rzPcKSCGqZ4DoLFmWHexi07/NuIaa9Syb4vatl4irMJnfHTvfcr8EayeuVck7VO6Gn8+69jRtqSZHat1RywURYegn0BQealxwwKZwvwOceTXV3lzamZgPkerE0XnAbVbESIqQ6XSCBQdZdRV/jnsnipGslvFv6Ol/0EdLhABHdoGBndFUlcoOfT6OgUGM4Isiqw3BsUCHJlcThXZkZd8//3cESrBHWTejbO0wc17e3JK4NiJENHKZOxLa3pC6T9TNkB2BCpveHeYLo9YcZA7Rb9gVqV60k7pd7an5dU6hlXhMSxciTNYRxxQiFUTERlBATxZRVtVSYfk3M7lJjdrTaWNFcGA+vvSIPNBd2RNbflxx4sb0qWrBu32RALAssDLOEEX0QGxEuJXpFIDqC7/ejFEX7eiPoPnC0heg4vt+PXFx0Cyna8eTjw01JCN8f6l3C6FDPEs6PQLqPCgQHK6tk+hhfnMKsmqweHBUPe0T/Wpne7JemPp3kzVuuI4XGXh8bTB/wcRMLEbk9UYIntTeKEjKX+ThVjNfFMBG5A63InvSVrQhCxwZBOVCR1Ii0naUgPCEGT54krdZJQqKkrQPaZqe4fzEidtxjGtDInlBBWNWCMLEgSCs1ktAmKKtbUWDWBo02saCZoiwdhzYyIIspAxpZFACPsKoFwRXukVZqJFkcPMrqVhSYtUGjhS2NMMgIR0yVS7BKZxBnjyCt1kny1BG0NS5NKIC0dm8+A8mr4kSVQ50B6UBlZRiI2NarUTyj+jScsKZHIYO5vgqVxT7gCfImiZnrFUUcU80F3Ym1LenKjy5FFbL8aLgFIiZoVZyopLQr0sTCiuAyEollEbznRX8UI9fkQKUnghZmdSuU0rdWR0RUrWhB9RQOtMD7IZTp0nofrQV6hOan6+pWVJh5RCuaUh+RHdkVviGrW1FhzxzRiqZkCw7lF0yIWe6twDj09aEEXRFHi3l9Iby/ist1pGD1saq3y3vt5tE61u/ddlWDZqw1lzzbqn5Dt8bnOszG1Yjhjevn2sowENu4YYrauGGcv3EFMrpxBUptXB/wVPibbb2i/I+NG6eHN25QBPxoHG7jasTwxh2XOdUfXCozPT9XRNGR/RzgPed6Ihh/446H03KtjohtXJ2qNq6O90MY3TDRY3OtoodpkY0bo4Y2bowW27jBMRyS7W/cGDW0cWO02MYNb3Xdcu/cnlg4bN8yECUHXcvKKCHUs2wQFKVMuBFtFdZEGDTiqggxYmp/jOTH/nBlaUWc5rczsDwxGwX3mgiDRlwVIUYWqz9G8tcwQEfzbEWcJvByZQ7bpQxEyUGPsjJKCHUoR7kUlRyHXfF1rZiCdV/fihxa/SND9MMs8ZoWLP5qrm1BDNYtLP0wi7OmBYu/DmtbEIOIh+Nz2Liva8UURH99K3JoDTaot6F3eJ/OcKbHytWasLzWkM/o2vY7lWY9OV+s1ZfUF4rTjrzdbJYaXVPl5qQPLZkVcxTYPS2fYfkINjXrTM25YuYGaodRxRZci7yHh9N4qlhzqvvwfKnifXC27ky5oljZvRmt7SzNVHClOe/Uqsx7n2jeEyWf1m12DnrHar8E/DgVyuXSQh0eAY0HT35DCHhSJRBniCcZ8AhuXRjl7hB1e5l3Ko2aEyGH7z6BHBY4Xj3kvU+0PoSK3NTClDUh+sSCRuySDwRdwPNzWfBMC6wNYUBdX+ThIETCRy7Wg0c1y7XnkjJG/cETvVwoxH3+A9bQw6IB/7ZcI/SEH4PCQ2RAhbhWuCj/eUsILx++qrWVQGxt5VOv0FIKRGQpwyiITpd8mqriGTwSVNGLPDNV0VPIcPQGivNuJ1cvVqb3+lfy/XnvbdDQ5xJ6PTj47IN8d1fh1OcbBLZTYOHjDwMAiL/wO7M9Chl6S74V35IoT7dO752ulsv6nIVys77Xe5EsPhjglgkwPKlfvp2sf3RhBbzLrH+uoFt/97k/hAihB8LoSADiqFURVITUJ0nap1YkUn97vFcJCC3f6iguaomihT50oVChN+0jqKhxrSxerSEjH/jRaYGaNTop8na+8D8kaEUIEcYPhPFhCcvDBD+QSwU2cH+dgGHN49J7BDnyGYVVEVREZZcgqQ2xTEE+ZnkY0wIbD4BM+ZCjrfaAIPj53u+D0U/hSEf96C8P4BB2rY6NyFgRokayIoT3Iy3djxsafD7LB8MR7wuwoTwPkMEHnGAdIh/jWqMhI/rX60RtsgxR8FGRFQEcrR8hEeFcCUtuqM/7+KhQoTmMfasOb5pUKb+REq6jbh33vmOyF0ZZlb2PqZw036zLO9VysTJ3klu6vTfcuqarjfqQgpYIyFLgUgnaCu4GOKUQyxQirTA9PiajUL0BKqtwfSEcb8HI4/KycbZsCzYesy0TY8rEZWVayMrEZWVjTNk4E9fjldZZ0jGb0nGb0i1sSsdtSsdsSsdtSsdsyugsmZicTFxOJiYnq7NkYyxcy6eUxpDS45OKxScVj0+qRXxS8fikYvFJxeOTisUnpccnFYtPKh6fVCw+KT0+qVh8Unp80hpDWrclHbMlHbclHbMlrduSjtmS1m3JaAwZXUYmJiOjy8hqDFmdwYdl/bGjZFvLF1vPFzuWL3Y8X+wW+WLH88WO5Ysdzxc7li+2ni92LF/seL7YsXyx9XyxY/li6/lia/li6/lix/LFjueLHcsXW88XO5Yvtp4vtpYvtp4vdixfbD1fbC1fbD1fbC1fUlFySotHSo9HKhaPVDweqVg8Uno8UrF4pPR4pLR4pPR4pGLxSOnxSGnxSOnxSGnxSEfJac2GtG5DOmZDWrchrdmQ1m1IazZkouSMNj+jz89o87NRclYj+6DoX6wI0YrWD0urH5ZeP6xY/bDi9cNqUT+seP2wYvXDitcPK1Y/LL1+WLH6YcXrhxWrH5ZeP6xY/bD0+mFp9cPS64cVqx9WvH5Ysfph6fXDitUPS68fllY/LL1+WLH6Yen1w9Lqh6XXD0urH1a0flha/bD0+mHF6ocVrx9WrH5Yev2wYvXD0uuHpdUPS68fVqx+WHr9sLT6Yen1w9LqhxWtH5ZWPyy9flix+mHp9cPS6oel1w9Lqx9WtH5YWv2w9PphafXDitYPS6sfVrR+2BGiHc0HW8sHW88HO5YPdjwf7Fg+2Ho+2LF8sPV8sLV8sPV8sGP5YOv5YGv5YOv5YGv5YEfzwdbywdbzwY7lg63ng63lg63ng63lgx3NB1vLB1vPB1vLBzuaD7aWD3Y0H1IRYirqf0rzP6X7n4r5n9L9T2n+p3T/U5r/qaj/Kc3/lO5/SvM/FfU/pfmfivqfjhDTUd1pTXda153WdKejutOa7nRUdyZCzETnZrS5mejcbISYjRIDSLwRUyyfJL6rIz+qF0F1Bb8GM1+dXiJ+scT7LQJn2gW795Vq9UajWnGmZsW3ezrVt3pdvklPk/yRDw9i4hvm4kr8Mod31R3+TRIPsST4VRHBKX4bRFyJX0fxrqj3SyUCJZ7/eFft8gvzQqf/yyMe1Bcy10dS7zdRvAvvk8/iZ0s8YGnot1g8uAN+pEXIlz+S4l0uCzu4capYF0UumCZQS3xXJej7K8DlutMC2xv1XE703ZegHwMBdqlASKIfDQEuDUIirYzERc5XcRDQgHywFn/stiywHn5LpT/qj0K3yW9si1epIPoVb9/6k6YWl4UBwZwY37KJNCulwcHBYW8cKowU5JjLwDgIowVjCvjUmIcR+Ec4jCMwwvwRNR/k54E/D/Q80PMgNwdyciAnJ/QMDlmKD/B5LvF2BsacHFNpOQ6PSr5R0DMKckdBzijoG1X2gD95sHMU9BQUP9BHgV4YlHoKI3JMSzusIdAzXJB4PibHjAV0JRf0F0B/AeaNgb0FxQd6C6B3DOaNgT4b7BtT8R+DuGVhHILRhjENfGqEOI0A/4jKhxyMMH9EzQf5eeDPAz0P9DzIzYGcHMjJjUp708Ownoof6Plh8CcL66lGWP8U+JtV6wF6R0HPKMgbBf2jyj7wLw92j4K+guJXeQL0whCsK+RTOgvrBnZnbICVHNBXAH0FsGcM7CsoPtBTAD1jMG8M5Ntgz9hwnzuOZLMp9SffcNGQPsGbZQ1mZZalhgZhHILRglFanRqEcVjxpWBMAx3wg2p+BsYsjBzGYeAbBXgE4DzAORgVrPgKMIK9FuizQJ8F9lrKXuC3wE4L7LTAHgvss8AuS9ml5IN+C+yzwK5BxafsVv4rPWDvIMgfBH2DoGcQ5FjKPtA3CPYPqxHmD4OeEcCPwLwc+J8DfA74c8CfB/oo6C0AX0HBhaWwjurHWgDORWHLp8t5Nsi1Ie42yLUh7mmVJ4oOcbEhTmmYn1Z0sBt2bcoG+2yIcxriaYNfaVgXqNopW8GKD+JjQ1xToC8F+lJgb0rZC/wpsBNOgVQK7IHqkUqBXSlll5IP+lNgXwrsSis+ZbfyX+kBe6H6p6BauD00jCAnpewDfWmVHyrOMG8Y+EcAPwL8OfA7B/gc8OeAPw98o2BvAfgKCh5bCusczQvb1mAtj+yMBmc1mGvwcBROj2r0EQ3W8tQei8Ipzd6UZk9K05/S9KfyGqzpTxU0/UPqZ45E3Oxhuc62PBUHbYizDV2JLbuXQVueNtYgH4RxCEYLRhvGFIxpGDMwqvkcxmE5ZmXeD8rT1B0tGEFeFuRlQV4W5GVBXhbkZYcZ/KDLZFli5A6zspk8jDKTB2U/YA3CiWBnC4AHz6DSFuTOtAZz6S7xAYZ5t2dvFGuLyUKzVpUkNSUHQciBsUqFbAndcQTGPNDBiRwEMQf8I+BMDoIzouYBfgTkycWy4Mh2Rxkce2Ssy+2Dg58FENgheYRYFpR61yFS9L6u31xoF6P4hBETl943v+SV92UveTVZbcwymDBd6fSvJuuOkJuGVEhDKqTdVHCp3vexAU7DmIEx2wbUhRCXTESXOgZjAcZRUt4XlpaDcQTGYVJrhOWAtmHQJguPO3IYh2GE+cMgbzgP4yiMoH94jJQb4gvkbeKVTM/JUVDzY3hKfslZgAUwXvbk7gihGYXQyB7OHcE42FXpUXB+FIwfA3hMwcA/Bvx5MDIPRufBqXyhvbrgVOTvTbBSZX9wFTZzFHwfBd8LYG5BmQtiR0HNKMRiFNzLgzmyRbZysolyRwVzGJVZEPsc6IG8T48U4JvJNWeqAShQOTLGJGmyehAwahLEUp4grhJwZgRiNgIxg02WHoGYweZKw+ZJj6h5KgjAVwC+AvAVgK8AfGPgxBjYMwb2jMHajik+COIYeDRWII1aqTjTXIAgZCQ8XYEgqeCAnBzYk1NrDfoKILcA+ALIrTXkWN4H88COPMQDilM6pxYDFjUP9ucUH/idU4sN9hSAXgD+gsKrXIV5YzBvDOI2BvoysB5p8CsN89Lgdwbmp8GvNMxPg99Qx9MZ0JtR88CutJIPdBvoQ2CvBXoHwe8hsDMF8i2AhxQM9gyCPRbgUyAno+xX+kFPCvhTIC8L62CDXUMwDgJ9EOTCSZbOgn2DSj/Mz0I8BkHfINiRBT4b+IYUv/JH+Q16U0C31KjwINcC+22AbQWDfzbYkVKjWg+wOwP8GeU/rEMW+LIgJ6viCeuagvlwsqctwA/B/EGAB5U8iH9W4SF+g2AXdArpQeAbBBg6iXRW+QV0KFrpIcWv/AX5luJT9oI8C+y2AbYVDP7ZsD4pNYKcDOhLg7y0ooN/NtDh+E6rOjek8hfwKeCzVdwUH8izwA9oEtIZtf9g/dNqfwKcAf602h9q/yh7lH1At0DukFp30J8B/+Wdi5UZGsb7nPli2Ul6L23iqwNJ7xsDbeKLAgS+HyCYs7BJsmDsECTxECT/ENCH1MkDTuYgaXKwWDnYDDkwMgcnV06dXFAUcnBC5aBY5qA45KAI5CCoOVjsHDibyyv56jACOyCJcnmYN6ToIB+KSQ42W25I2a38AXsg2DlL6QG7hgod8JFD7+OHAsdhY3AoKBw2PIdCwaHgcPCNwwJyKBQcCjeHws8hATic+nwYRrCBwwbn0PTwERih8PE8jFzpBTsgUTlsdA5NDYcDj8MBwaE54tDBcVgrDjnB4cDmcMBzKMwc1pZz5XcO9MMIhZJDYeZwYHM4MDlsDA7dEYcOkcMacNgoHBoCDg0Eh8LKISc4V3phHeAA4FAIOTQMHA58DgcXhyaRD8MIucXh4ONw8HJogDgUYA4HNedq3dMwjoIdMEJB51AAOTQoHBoNDgcwh+6PQ0fMIVc5FHgODQiHlo3DwcehOeVc6QU74EDhUIA5NLccGg8OBymHJphDJ89h73I46Dk0IhwaPQ4HF4e9y7nyexj0wwiFmMOByaFh4dDwcCjAfBRGuFPgUAM4NCgcGkMOjSSHws6hCedc6YV9CAcBhwOPQ+PIoQvm0OBwuFngwzBCjeBQSDl05xwaYQ6NC4fGkHO17y0YMzAWwB4Y4YDi0GjwMRihIeRQsDl0/RzuhDjUPg4HPS/ACHelHA5wnoeRK71gBxyQHA5mDjc1PAcjNHAcbo443MFxqIkcGkhegBEafA4HMYfazrnyewT0wwiNC4dGikODyuHunEPDyeHuiMMdIofaz+Fg43BDwOEGgkMjxKHWc670wjpA48Sh8eFww8DhqQGHxpHDTSIfhhHONA4HMofGm8MNEIeDmUMDz7la9xSMebADRmhkODRMHG5QODyV4NCIcLj743BHzOFM5dCAc7gB4SMwQgPH4WaUc6UX7IAGi0PDxuHmlsMNCYcbAQ43wRyeBHA4wzk02hxuNDjc6HFopHgeRq785qAfRmikODTYHG5IONwIcWiA+CiM8KSAwxnMoVHjcGPI4UaSQ+PFoXfgXOmFcxhuQDg0wBxuHDncBXO48eHwsIAPwwhnPocbHA535xyeNnFoEDncMHL5SG7QzsKjPFlfBy14hGfBI1QL3oCy4RG/DY/8bXjUb8OjfRve4rDheZENbyHY8NaBDW+52PAWiA1vUdjwloVt8U7QI96JBSAbBnJhwAoD+TCQCQMjYSAVAoaktA7/PeCpxe7QtSD+PzXnEgl4nG2KaVOSYRSG3xcEyczMCnlluUFBhCcU4QkEocilRSpEfJAHbLOF9oX2/a2ZZvyi4ww/wy/Qp/oRfOgXnWAGm2qcM3Of61znztDXU4Qv6Sr0NOFzivApWcfHJOHDLOF9MoF3CcLbmTrezBBexwiv4rt4GSe8OEl4HkmjFtHxLEJ4GiU84YTH4RoehQkPwy08mCbcnyLcm2rh7mQd1UnCnUkdt0M6boUIN9t7I1TEjRBw/QThGiviKiNcYTWsBwiVIKEc1CEDUyhNENb8LRT9BOEjrI4TCr40Vrw68l7CsreInJfjsteNS2OEi6N1ZEcJSx7CBU8O5z0hnPO4cNZNWHRzLLgI86DML8xBxxknIeMgnHboSKeqSCWXMJusYSZWRzzGwaM5RCOLmA7nwAIcwYCOgNOurU/Yh+DXRrT18ZZP+Ext8GqEMe0YRj06PFaC22YFdl3CNUxwVh3C0XZ2rmkVW8q6URnp0HCHjmsL1rXyUT4kjvBBMSQH5SHeL0y8R/TLHnk4MSAO8j7Ry81C5YoYkH3SLBV5gFuEkRuERRrkoGLMZEzqT3VHWWXZH720km1YlisNdbPhK3Qyky83zJsNRZQrpaaqbstvW1uKcy7b2CmUvhuVNsqmwTCfLzV7jNtyTmEKY0zpDuvyXqp/Tfet7rU7xP7xXWJ/7v/UPnLfFrP9BvOls3wAAA==") format("woff2");}</style>
+    
+  </defs>
+  <rect x="0" y="0" width="1633.4806151945463" height="1358.8828750693292" fill="transparent"/><g transform="translate(94.73667582606367 84.71406710150609) rotate(0 21.25 21.25)"><use href="#image-60b076cb044084e59e74d2b41f84159dcede0ddd" width="43" height="43" opacity="1" transform="scale(-1, 1) translate(-43 0)"/></g><g stroke-linecap="round" transform="translate(30 69.77631746693834) rotate(0 334.9749444471014 172.1678716953175)"><path d="M32 0 C251.6 0, 471.21 0, 637.95 0 M32 0 C158.17 0, 284.33 0, 637.95 0 M637.95 0 C659.28 0, 669.95 10.67, 669.95 32 M637.95 0 C659.28 0, 669.95 10.67, 669.95 32 M669.95 32 C669.95 136.39, 669.95 240.78, 669.95 312.34 M669.95 32 C669.95 122.11, 669.95 212.22, 669.95 312.34 M669.95 312.34 C669.95 333.67, 659.28 344.34, 637.95 344.34 M669.95 312.34 C669.95 333.67, 659.28 344.34, 637.95 344.34 M637.95 344.34 C481.79 344.34, 325.63 344.34, 32 344.34 M637.95 344.34 C405.74 344.34, 173.53 344.34, 32 344.34 M32 344.34 C10.67 344.34, 0 333.67, 0 312.34 M32 344.34 C10.67 344.34, 0 333.67, 0 312.34 M0 312.34 C0 237.13, 0 161.93, 0 32 M0 312.34 C0 201.66, 0 90.99, 0 32 M0 32 C0 10.67, 10.67 0, 32 0 M0 32 C0 10.67, 10.67 0, 32 0" stroke="#1e1e1e" stroke-width="2" fill="none"/></g><g transform="translate(64.5746303726387 133.31927113728705) rotate(0 54.658203125 11.5)"><text x="0" y="0" font-family="Helvetica, Segoe UI Emoji" font-size="20px" fill="#1e1e1e" text-anchor="start" style="white-space: pre;" direction="ltr" dominant-baseline="text-before-edge">Your Cluster</text></g><g stroke-linecap="round" transform="translate(822.6763960763117 30) rotate(0 361.6726597977747 213.99999999999994)"><path d="M32 0 C259.82 -2.36, 488.75 -2.02, 691.35 0 M691.35 0 C713.28 -0.61, 722.62 12.56, 723.35 32 M723.35 32 C723.38 168.43, 723.8 307.6, 723.35 396 M723.35 396 C724.79 415.93, 713.94 426.45, 691.35 428 M691.35 428 C475.9 429.15, 259.71 429.18, 32 428 M32 428 C10.14 428.69, 0.54 417.8, 0 396 M0 396 C0.88 301.7, 0.73 210.74, 0 32 M0 32 C-0.85 10.16, 9.37 -0.3, 32 0" stroke="#1e1e1e" stroke-width="2.5" fill="none" stroke-dasharray="8 10"/></g><g transform="translate(184.66894723677888 214.693142905343) rotate(0 12 12)"><use href="#image-1eb35412189527b20624c29b9912c61108c16757" width="24" height="24" opacity="1"/></g><g transform="translate(95.64941598677888 245.173611655343) rotate(0 102.2900390625 11.5)"><text x="0" y="0" font-family="Helvetica, Segoe UI Emoji" font-size="20px" fill="#1e1e1e" text-anchor="start" style="white-space: pre;" direction="ltr" dominant-baseline="text-before-edge">Lapdev-Kube-Manager</text></g><g stroke-linecap="round" transform="translate(63.66894723677888 198.443142905343) rotate(0 134.25 44.25000000000001)"><path d="M22.13 0 C93.22 2.22, 166.89 0.93, 246.38 0 M246.38 0 C261.93 -0.67, 267.05 7.39, 268.5 22.13 M268.5 22.13 C270.08 37.09, 269.36 53.27, 268.5 66.38 M268.5 66.38 C269.23 81.55, 261.6 87.51, 246.38 88.5 M246.38 88.5 C173.32 89.57, 98.57 89.32, 22.13 88.5 M22.13 88.5 C6.85 90.22, -1.67 82.6, 0 66.38 M0 66.38 C-1.11 48.4, 1.36 31.47, 0 22.13 M0 22.13 C1.56 9.04, 9.1 -1.52, 22.13 0" stroke="#1e1e1e" stroke-width="2.5" fill="none" stroke-dasharray="8 10"/></g><g stroke-linecap="round" transform="translate(412.20355722480326 213.3377450141473) rotate(0 120.17265979777466 28)"><path d="M14 0 C72.59 -1.42, 129.17 -2.36, 226.35 0 M226.35 0 C234.22 0.01, 241.81 6.11, 240.35 14 M240.35 14 C241.06 18.56, 241.25 27.3, 240.35 42 M240.35 42 C240.82 50.34, 236.24 55.48, 226.35 56 M226.35 56 C154.52 56.58, 83.77 57.94, 14 56 M14 56 C3 57.47, 1.99 50.49, 0 42 M0 42 C1.35 34.76, 1.74 28.29, 0 14 M0 14 C1.73 3.15, 3.93 -1.63, 14 0" stroke="#1e1e1e" stroke-width="2.5" fill="none" stroke-dasharray="8 10"/></g><g transform="translate(440.652584210078 229.8377450141473) rotate(0 91.7236328125 11.5)"><text x="91.7236328125" y="0" font-family="Helvetica, Segoe UI Emoji" font-size="20px" fill="#1e1e1e" text-anchor="middle" style="white-space: pre;" direction="ltr" dominant-baseline="text-before-edge">Lapdev Environment</text></g><g stroke-linecap="round" transform="translate(412.74859338938495 308.33272763840665) rotate(0 120.17265979777466 28)"><path d="M14 0 C80.63 0.63, 151.1 1.89, 226.35 0 M226.35 0 C234.27 1.26, 238.8 5.21, 240.35 14 M240.35 14 C240.93 18.79, 241 25.03, 240.35 42 M240.35 42 C241.04 51.88, 236.14 55.12, 226.35 56 M226.35 56 C159.34 58.9, 97.03 56.86, 14 56 M14 56 C4.16 54.71, -0.3 52.5, 0 42 M0 42 C1.51 31.45, -0.96 22.31, 0 14 M0 14 C0.35 2.96, 5.29 1.76, 14 0" stroke="#1e1e1e" stroke-width="2.5" fill="none" stroke-dasharray="8 10"/></g><g transform="translate(441.19762037465966 324.83272763840665) rotate(0 91.7236328125 11.5)"><text x="91.7236328125" y="0" font-family="Helvetica, Segoe UI Emoji" font-size="20px" fill="#1e1e1e" text-anchor="middle" style="white-space: pre;" direction="ltr" dominant-baseline="text-before-edge">Lapdev Environment</text></g><g transform="translate(861.620046554988 53.10539171566677) rotate(0 91.7236328125 11.5)"><text x="0" y="0" font-family="Helvetica, Segoe UI Emoji" font-size="20px" fill="#1e1e1e" text-anchor="start" style="white-space: pre;" direction="ltr" dominant-baseline="text-before-edge">Lapdev Environment</text></g><g stroke-linecap="round" transform="translate(1153.7127387684225 741.6608922245682) rotate(0 224.88393821306192 203.03133067262627)"><path d="M32 0 C175.65 0, 319.3 0, 417.77 0 M32 0 C156 0, 280 0, 417.77 0 M417.77 0 C439.1 0, 449.77 10.67, 449.77 32 M417.77 0 C439.1 0, 449.77 10.67, 449.77 32 M449.77 32 C449.77 120.15, 449.77 208.31, 449.77 374.06 M449.77 32 C449.77 163.08, 449.77 294.17, 449.77 374.06 M449.77 374.06 C449.77 395.4, 439.1 406.06, 417.77 406.06 M449.77 374.06 C449.77 395.4, 439.1 406.06, 417.77 406.06 M417.77 406.06 C314.28 406.06, 210.8 406.06, 32 406.06 M417.77 406.06 C265.47 406.06, 113.18 406.06, 32 406.06 M32 406.06 C10.67 406.06, 0 395.4, 0 374.06 M32 406.06 C10.67 406.06, 0 395.4, 0 374.06 M0 374.06 C0 239.6, 0 105.14, 0 32 M0 374.06 C0 257.76, 0 141.46, 0 32 M0 32 C0 10.67, 10.67 0, 32 0 M0 32 C0 10.67, 10.67 0, 32 0" stroke="#1e1e1e" stroke-width="2" fill="none"/></g><g stroke-linecap="round" transform="translate(1229.674357738116 793.1710551358594) rotate(0 146.01321495687375 143.0132149568737)"><path d="M292.03 143.01 C292.03 146.75, 291.88 150.51, 291.58 154.23 C291.28 157.96, 290.83 161.69, 290.23 165.39 C289.63 169.08, 288.88 172.76, 287.99 176.4 C287.1 180.04, 286.06 183.65, 284.88 187.21 C283.7 190.76, 282.37 194.29, 280.91 197.74 C279.45 201.2, 277.85 204.61, 276.11 207.94 C274.38 211.27, 272.51 214.55, 270.51 217.74 C268.51 220.93, 266.38 224.05, 264.14 227.07 C261.9 230.1, 259.52 233.05, 257.04 235.89 C254.56 238.74, 251.96 241.49, 249.26 244.14 C246.56 246.78, 243.74 249.33, 240.84 251.76 C237.94 254.19, 234.93 256.51, 231.84 258.71 C228.75 260.91, 225.56 263, 222.3 264.95 C219.05 266.91, 215.7 268.74, 212.3 270.44 C208.9 272.14, 205.42 273.71, 201.89 275.14 C198.36 276.57, 194.77 277.87, 191.13 279.03 C187.5 280.18, 183.81 281.2, 180.1 282.07 C176.39 282.95, 172.63 283.68, 168.85 284.27 C165.08 284.85, 161.28 285.29, 157.47 285.59 C153.66 285.88, 149.83 286.03, 146.01 286.03 C142.19 286.03, 138.36 285.88, 134.56 285.59 C130.75 285.29, 126.94 284.85, 123.17 284.27 C119.4 283.68, 115.64 282.95, 111.93 282.07 C108.21 281.2, 104.52 280.18, 100.89 279.03 C97.26 277.87, 93.66 276.57, 90.14 275.14 C86.61 273.71, 83.13 272.14, 79.72 270.44 C76.32 268.74, 72.98 266.91, 69.72 264.95 C66.47 263, 63.28 260.91, 60.19 258.71 C57.1 256.51, 54.09 254.19, 51.19 251.76 C48.28 249.33, 45.47 246.78, 42.77 244.14 C40.07 241.49, 37.46 238.74, 34.98 235.89 C32.5 233.05, 30.13 230.1, 27.89 227.07 C25.64 224.05, 23.51 220.93, 21.52 217.74 C19.52 214.55, 17.65 211.27, 15.91 207.94 C14.18 204.61, 12.58 201.2, 11.11 197.74 C9.65 194.29, 8.33 190.76, 7.15 187.21 C5.97 183.65, 4.93 180.04, 4.03 176.4 C3.14 172.76, 2.4 169.08, 1.8 165.39 C1.2 161.69, 0.75 157.96, 0.45 154.23 C0.15 150.51, 0 146.75, 0 143.01 C0 139.27, 0.15 135.52, 0.45 131.79 C0.75 128.06, 1.2 124.34, 1.8 120.64 C2.4 116.95, 3.14 113.26, 4.03 109.63 C4.93 105.99, 5.97 102.38, 7.15 98.82 C8.33 95.26, 9.65 91.74, 11.11 88.28 C12.58 84.83, 14.18 81.42, 15.91 78.09 C17.65 74.75, 19.52 71.48, 21.52 68.29 C23.51 65.1, 25.64 61.98, 27.89 58.95 C30.13 55.93, 32.5 52.98, 34.98 50.13 C37.46 47.29, 40.07 44.53, 42.77 41.89 C45.47 39.24, 48.28 36.69, 51.19 34.27 C54.09 31.84, 57.1 29.51, 60.19 27.31 C63.28 25.11, 66.47 23.03, 69.72 21.07 C72.98 19.12, 76.32 17.29, 79.72 15.59 C83.13 13.89, 86.61 12.32, 90.14 10.89 C93.66 9.45, 97.26 8.16, 100.89 7 C104.52 5.84, 108.21 4.82, 111.93 3.95 C115.64 3.08, 119.4 2.35, 123.17 1.76 C126.94 1.18, 130.75 0.73, 134.56 0.44 C138.36 0.15, 142.19 0, 146.01 0 C149.83 0, 153.66 0.15, 157.47 0.44 C161.28 0.73, 165.08 1.18, 168.85 1.76 C172.63 2.35, 176.39 3.08, 180.1 3.95 C183.81 4.82, 187.5 5.84, 191.13 7 C194.77 8.16, 198.36 9.45, 201.89 10.89 C205.42 12.32, 208.9 13.89, 212.3 15.59 C215.7 17.29, 219.05 19.12, 222.3 21.07 C225.56 23.03, 228.75 25.11, 231.84 27.31 C234.93 29.51, 237.94 31.84, 240.84 34.27 C243.74 36.69, 246.56 39.24, 249.26 41.89 C251.96 44.53, 254.56 47.29, 257.04 50.13 C259.52 52.98, 261.9 55.93, 264.14 58.95 C266.38 61.98, 268.51 65.1, 270.51 68.29 C272.51 71.48, 274.38 74.75, 276.11 78.09 C277.85 81.42, 279.45 84.83, 280.91 88.28 C282.37 91.74, 283.7 95.26, 284.88 98.82 C286.06 102.38, 287.1 105.99, 287.99 109.63 C288.88 113.26, 289.63 116.95, 290.23 120.64 C290.83 124.34, 291.28 128.06, 291.58 131.79 C291.88 135.52, 292.03 139.27, 292.03 143.01" stroke="#1e1e1e" stroke-width="2" fill="none"/></g><g transform="translate(1363.2861290624917 842.6194828433968) rotate(0 12 12)"><use href="#image-1eb35412189527b20624c29b9912c61108c16757" width="24" height="24" opacity="1"/></g><g transform="translate(1279.3023777939209 876.0547923638534) rotate(0 97.83203125 11.5)"><text x="0" y="0" font-family="Helvetica, Segoe UI Emoji" font-size="20px" fill="#1e1e1e" text-anchor="start" style="white-space: pre;" direction="ltr" dominant-baseline="text-before-edge">Lapdev Sidecar Proxy</text></g><g transform="translate(1293.0064414477322 1097.144866151134) rotate(0 83.203125 11.5)"><text x="0" y="0" font-family="Helvetica, Segoe UI Emoji" font-size="20px" fill="#1e1e1e" text-anchor="start" style="white-space: pre;" direction="ltr" dominant-baseline="text-before-edge">App Workload Pod</text></g><g transform="translate(1365.1589143904996 982.367413326095) rotate(0 12 12)"><use href="#image-1eb35412189527b20624c29b9912c61108c16757" width="24" height="24" opacity="1"/></g><g transform="translate(1311.7501210798866 1013.6974850496069) rotate(0 63.9306640625 11.5)"><text x="0" y="0" font-family="Helvetica, Segoe UI Emoji" font-size="20px" fill="#1e1e1e" text-anchor="start" style="white-space: pre;" direction="ltr" dominant-baseline="text-before-edge">App Container</text></g><g stroke-linecap="round"><g transform="translate(1377.093102158444 910.0547923638535) rotate(0 -0.3314019576998817 30.137119965967315)"><path d="M0 0 C-0.11 10.05, -0.55 50.23, -0.66 60.27" stroke="#1e1e1e" stroke-width="2.5" fill="none" stroke-dasharray="1.5 8"/></g><g transform="translate(1377.093102158444 910.0547923638535) rotate(0 -0.3314019576998817 30.137119965967315)"><path d="M-0.66 60.27 L-6.85 46.61 L5.83 46.75 L-0.66 60.27" stroke="none" stroke-width="0" fill="#1e1e1e" fill-rule="evenodd"/><path d="M-0.66 60.27 C-2.66 55.86, -4.66 51.44, -6.85 46.61 M-6.85 46.61 C-1.79 46.67, 3.28 46.72, 5.83 46.75 M5.83 46.75 C3.37 51.86, 0.92 56.97, -0.66 60.27 M-0.66 60.27 C-0.66 60.27, -0.66 60.27, -0.66 60.27" stroke="#1e1e1e" stroke-width="2.5" fill="none"/></g></g><mask/><g transform="translate(762.825702400266 1271.9668109169886) rotate(0 12 12)"><use href="#image-1fc42860614cb7357b66c1964aa081366cd82698" width="24" height="24" opacity="1"/></g><g transform="translate(739.9628287156224 1305.8828750693292) rotate(0 33.90625 11.5)"><text x="0" y="0" font-family="Helvetica, Segoe UI Emoji" font-size="20px" fill="#1e1e1e" text-anchor="start" style="white-space: pre;" direction="ltr" dominant-baseline="text-before-edge">Devbox</text></g><g stroke-linecap="round"><g transform="translate(1266.024095126567 882.0133829717063) rotate(0 -174.17597771389956 0.2591883485791868)"><path d="M0 0 C-58.06 0.09, -290.29 0.43, -348.35 0.52" stroke="#2f9e44" stroke-width="4.5" fill="none" stroke-dasharray="1.5 10"/></g><g transform="translate(1266.024095126567 882.0133829717063) rotate(0 -174.17597771389956 0.2591883485791868)"><path d="M-348.35 0.52 L-334.77 -5.84 L-334.75 6.84 L-348.35 0.52" stroke="none" stroke-width="0" fill="#2f9e44" fill-rule="evenodd"/><path d="M-348.35 0.52 C-343.28 -1.86, -338.2 -4.23, -334.77 -5.84 M-334.77 -5.84 C-334.76 -1.75, -334.75 2.34, -334.75 6.84 M-334.75 6.84 C-339.06 4.83, -343.38 2.83, -348.35 0.52 M-348.35 0.52 C-348.35 0.52, -348.35 0.52, -348.35 0.52" stroke="#2f9e44" stroke-width="4.5" fill="none"/></g></g><mask/><g transform="translate(801.9302599083192 1114.4673172919167) rotate(0 157.275390625 11.5)"><text x="0" y="0" font-family="Helvetica, Segoe UI Emoji" font-size="20px" fill="#2f9e44" text-anchor="start" style="white-space: pre;" direction="ltr" dominant-baseline="text-before-edge">Devbox intercept traffic from cluster</text></g><g stroke-linecap="round"><g transform="translate(1365.0845836072706 715.3391001530583) rotate(0 -0.978305228718682 -152.78044856074723)"><path d="M0 0 C-0.33 -50.93, -1.63 -254.63, -1.96 -305.56 M0 0 C-0.33 -50.93, -1.63 -254.63, -1.96 -305.56" stroke="#1e1e1e" stroke-width="2" fill="none"/></g><g transform="translate(1365.0845836072706 715.3391001530583) rotate(0 -0.978305228718682 -152.78044856074723)"><path d="M0 0 L-6.43 -13.55 L6.25 -13.63 L0 0" stroke="none" stroke-width="0" fill="#1e1e1e" fill-rule="evenodd"/><path d="M0 0 C-1.51 -3.19, -3.02 -6.38, -6.43 -13.55 M0 0 C-1.44 -3.04, -2.88 -6.07, -6.43 -13.55 M-6.43 -13.55 C-3.82 -13.57, -1.21 -13.59, 6.25 -13.63 M-6.43 -13.55 C-2.96 -13.58, 0.51 -13.6, 6.25 -13.63 M6.25 -13.63 C4.55 -9.92, 2.85 -6.21, 0 0 M6.25 -13.63 C4.52 -9.85, 2.78 -6.06, 0 0 M0 0 C0 0, 0 0, 0 0 M0 0 C0 0, 0 0, 0 0" stroke="#1e1e1e" stroke-width="2" fill="none"/></g></g><mask/><g stroke-linecap="round" transform="translate(412.1972631545905 116.70914469981648) rotate(0 120.17265979777466 28)"><path d="M14 0 C91.6 0.06, 164.93 -2.1, 226.35 0 M226.35 0 C234.05 0.35, 238.63 5.29, 240.35 14 M240.35 14 C238.1 26.05, 241.75 35.01, 240.35 42 M240.35 42 C239.71 50.8, 234.92 55.09, 226.35 56 M226.35 56 C162.65 56.06, 94.73 57.45, 14 56 M14 56 C6.27 55.85, 1.03 52.83, 0 42 M0 42 C0.5 34.74, 0.35 26.9, 0 14 M0 14 C1.86 5.38, 4.03 -0.74, 14 0" stroke="#1e1e1e" stroke-width="2.5" fill="none" stroke-dasharray="8 10"/></g><g transform="translate(440.6462901398652 133.20914469981648) rotate(0 91.7236328125 11.5)"><text x="91.7236328125" y="0" font-family="Helvetica, Segoe UI Emoji" font-size="20px" fill="#1e1e1e" text-anchor="middle" style="white-space: pre;" direction="ltr" dominant-baseline="text-before-edge">Lapdev Environment</text></g><g stroke-linecap="round"><g transform="translate(799.640157252243 246.70532180349062) rotate(0 -67.47741615196821 0.13501618074694477)"><path d="M0 0 C-22.49 0.05, -112.46 0.23, -134.95 0.27 M0 0 C-22.49 0.05, -112.46 0.23, -134.95 0.27" stroke="#1e1e1e" stroke-width="2" fill="none"/></g><g transform="translate(799.640157252243 246.70532180349062) rotate(0 -67.47741615196821 0.13501618074694477)"><path d="M0 0 L-13.58 6.37 L-13.61 -6.31 L0 0" stroke="none" stroke-width="0" fill="#1e1e1e" fill-rule="evenodd"/><path d="M0 0 C-4.5 2.11, -9 4.22, -13.58 6.37 M0 0 C-3.59 1.68, -7.18 3.37, -13.58 6.37 M-13.58 6.37 C-13.59 2.19, -13.6 -1.98, -13.61 -6.31 M-13.58 6.37 C-13.59 1.91, -13.6 -2.55, -13.61 -6.31 M-13.61 -6.31 C-9.33 -4.33, -5.05 -2.34, 0 0 M-13.61 -6.31 C-9.68 -4.49, -5.74 -2.66, 0 0 M0 0 C0 0, 0 0, 0 0 M0 0 C0 0, 0 0, 0 0" stroke="#1e1e1e" stroke-width="2" fill="none"/></g></g><mask/><g transform="translate(604.2432597513866 699.4178759126715) rotate(0 160.33333333333337 160.33333333333343)"><use href="#image-cd5a510c10be4b13edac83ff2c63d62659dd7515" width="321" height="321" opacity="1"/></g><g transform="translate(748.7405153675431 834.4584974469199) rotate(0 15.836077717177318 15.836077717177261)"><use href="#image-04f28670dff6fd1042c3404f1cdf3fc1d3e0ce96" width="32" height="32" opacity="1"/></g><g transform="translate(733.0195895043023 880.03537105786) rotate(0 32.8076171875 11.5)"><text x="0" y="0" font-family="Helvetica, Segoe UI Emoji" font-size="20px" fill="#1e1e1e" text-anchor="start" style="white-space: pre;" direction="ltr" dominant-baseline="text-before-edge">Lapdev</text></g><g stroke-linecap="round"><g transform="translate(758.5080242917875 1246.7977295380715) rotate(0 -0.6869939868970505 -144.11842275030108)"><path d="M0 0 C-0.23 -48.04, -1.14 -240.2, -1.37 -288.24" stroke="#f08c00" stroke-width="4.5" fill="none" stroke-dasharray="1.5 10"/></g><g transform="translate(758.5080242917875 1246.7977295380715) rotate(0 -0.6869939868970505 -144.11842275030108)"><path d="M-1.37 -288.24 L5.03 -274.67 L-7.65 -274.61 L-1.37 -288.24" stroke="none" stroke-width="0" fill="#f08c00" fill-rule="evenodd"/><path d="M-1.37 -288.24 C0.34 -284.6, 2.06 -280.96, 5.03 -274.67 M5.03 -274.67 C0.02 -274.65, -4.98 -274.62, -7.65 -274.61 M-7.65 -274.61 C-5.3 -279.72, -2.94 -284.83, -1.37 -288.24 M-1.37 -288.24 C-1.37 -288.24, -1.37 -288.24, -1.37 -288.24" stroke="#f08c00" stroke-width="4.5" fill="none"/></g></g><mask/><g stroke-linecap="round"><g transform="translate(785.7273800491835 959.8033587886342) rotate(0 0.8232080788914118 148.4094864623263)"><path d="M0 0 C0.27 49.47, 1.37 247.35, 1.65 296.82" stroke="#2f9e44" stroke-width="4.5" fill="none" stroke-dasharray="1.5 10"/></g><g transform="translate(785.7273800491835 959.8033587886342) rotate(0 0.8232080788914118 148.4094864623263)"><path d="M1.65 296.82 L-4.77 283.26 L7.91 283.19 L1.65 296.82" stroke="none" stroke-width="0" fill="#2f9e44" fill-rule="evenodd"/><path d="M1.65 296.82 C-0.03 293.27, -1.71 289.72, -4.77 283.26 M-4.77 283.26 C-1.6 283.24, 1.56 283.22, 7.91 283.19 M7.91 283.19 C6.17 286.97, 4.43 290.76, 1.65 296.82 M1.65 296.82 C1.65 296.82, 1.65 296.82, 1.65 296.82" stroke="#2f9e44" stroke-width="4.5" fill="none"/></g></g><mask/><g transform="translate(577.4271291176027 551.6176118790859) rotate(0 130.60546874999994 11.5)"><text x="0" y="0" font-family="Helvetica, Segoe UI Emoji" font-size="20px" fill="#f08c00" text-anchor="start" style="white-space: pre;" direction="ltr" dominant-baseline="text-before-edge">Devbox client traffic to cluster</text></g><g stroke-linecap="round"><g transform="translate(776.8488147027813 737.4705185123861) rotate(0 -271.86352055125656 -214.70453239632977)"><path d="M0 0 C-90.62 -71.57, -453.11 -357.84, -543.73 -429.41" stroke="#f08c00" stroke-width="4.5" fill="none" stroke-dasharray="1.5 10"/></g><g transform="translate(776.8488147027813 737.4705185123861) rotate(0 -271.86352055125656 -214.70453239632977)"><path d="M-543.73 -429.41 L-529.13 -425.96 L-536.99 -416.01 L-543.73 -429.41" stroke="none" stroke-width="0" fill="#f08c00" fill-rule="evenodd"/><path d="M-543.73 -429.41 C-538.92 -428.27, -534.12 -427.14, -529.13 -425.96 M-529.13 -425.96 C-531.89 -422.46, -534.66 -418.96, -536.99 -416.01 M-536.99 -416.01 C-539.11 -420.22, -541.23 -424.44, -543.73 -429.41 M-543.73 -429.41 C-543.73 -429.41, -543.73 -429.41, -543.73 -429.41" stroke="#f08c00" stroke-width="4.5" fill="none"/></g></g><mask/><g transform="translate(473.72815257977163 1113.775764607612) rotate(0 130.60546875 11.5)"><text x="0" y="0" font-family="Helvetica, Segoe UI Emoji" font-size="20px" fill="#f08c00" text-anchor="start" style="white-space: pre;" direction="ltr" dominant-baseline="text-before-edge">Devbox client traffic to cluster</text></g><g transform="translate(1344.2406427292765 132.55097265887173) rotate(0 12 12)"><use href="#image-1eb35412189527b20624c29b9912c61108c16757" width="24" height="24" opacity="1"/></g><g transform="translate(1293.6429620571228 167.07702246625598) rotate(0 62.6318359375 11.5)"><text x="0" y="0" font-family="Helvetica, Segoe UI Emoji" font-size="20px" fill="#1e1e1e" text-anchor="start" style="white-space: pre;" direction="ltr" dominant-baseline="text-before-edge">App Workload</text></g><g stroke-linecap="round" transform="translate(1219.6097104278545 106.39770938106062) rotate(0 140.09160121428226 55.18368428660908)"><path d="M27.59 0 C111.98 0, 196.36 0, 252.59 0 M27.59 0 C100.21 0, 172.83 0, 252.59 0 M252.59 0 C270.99 0, 280.18 9.2, 280.18 27.59 M252.59 0 C270.99 0, 280.18 9.2, 280.18 27.59 M280.18 27.59 C280.18 47.19, 280.18 66.78, 280.18 82.78 M280.18 27.59 C280.18 38.95, 280.18 50.3, 280.18 82.78 M280.18 82.78 C280.18 101.17, 270.99 110.37, 252.59 110.37 M280.18 82.78 C280.18 101.17, 270.99 110.37, 252.59 110.37 M252.59 110.37 C185.24 110.37, 117.88 110.37, 27.59 110.37 M252.59 110.37 C176.12 110.37, 99.64 110.37, 27.59 110.37 M27.59 110.37 C9.2 110.37, 0 101.17, 0 82.78 M27.59 110.37 C9.2 110.37, 0 101.17, 0 82.78 M0 82.78 C0 63.82, 0 44.86, 0 27.59 M0 82.78 C0 68.13, 0 53.48, 0 27.59 M0 27.59 C0 9.2, 9.2 0, 27.59 0 M0 27.59 C0 9.2, 9.2 0, 27.59 0" stroke="#1e1e1e" stroke-width="2" fill="none"/></g><g transform="translate(84.99710983202522 832.8538765011538) rotate(0 12 12)"><use href="#image-9d2f28049a8a90ddebd6f916b59a887ae5df33f6" width="24" height="24" opacity="1"/></g><g transform="translate(40.780122357920845 867.3318910163757) rotate(0 58.349609375 11.5)"><text x="0" y="0" font-family="Helvetica, Segoe UI Emoji" font-size="20px" fill="#1e1e1e" text-anchor="start" style="white-space: pre;" direction="ltr" dominant-baseline="text-before-edge">Preview URL</text></g><g stroke-linecap="round"><g transform="translate(167.66938007274325 880.8746622086211) rotate(0 222.78591701025272 0.8986935981382089)"><path d="M0 0 C74.26 0.3, 371.31 1.5, 445.57 1.8" stroke="#1971c2" stroke-width="4.5" fill="none" stroke-dasharray="1.5 10"/></g><g transform="translate(167.66938007274325 880.8746622086211) rotate(0 222.78591701025272 0.8986935981382089)"><path d="M445.57 1.8 L431.95 8.08 L432 -4.6 L445.57 1.8" stroke="none" stroke-width="0" fill="#1971c2" fill-rule="evenodd"/><path d="M445.57 1.8 C441.29 3.77, 437 5.75, 431.95 8.08 M431.95 8.08 C431.97 4.42, 431.98 0.75, 432 -4.6 M432 -4.6 C436.59 -2.44, 441.17 -0.28, 445.57 1.8 M445.57 1.8 C445.57 1.8, 445.57 1.8, 445.57 1.8" stroke="#1971c2" stroke-width="4.5" fill="none"/></g></g><mask/><g stroke-linecap="round"><g transform="translate(744.0963403684018 741.2034535407844) rotate(0 -273.9958533329249 -219.85211323314968)"><path d="M0 0 C-91.33 -73.28, -456.66 -366.42, -547.99 -439.7" stroke="#1971c2" stroke-width="4.5" fill="none" stroke-dasharray="1.5 10"/></g><g transform="translate(744.0963403684018 741.2034535407844) rotate(0 -273.9958533329249 -219.85211323314968)"><path d="M-547.99 -439.7 L-533.42 -436.14 L-541.36 -426.25 L-547.99 -439.7" stroke="none" stroke-width="0" fill="#1971c2" fill-rule="evenodd"/><path d="M-547.99 -439.7 C-542.26 -438.3, -536.54 -436.9, -533.42 -436.14 M-533.42 -436.14 C-536.12 -432.78, -538.82 -429.42, -541.36 -426.25 M-541.36 -426.25 C-543.71 -431.03, -546.07 -435.81, -547.99 -439.7 M-547.99 -439.7 C-547.99 -439.7, -547.99 -439.7, -547.99 -439.7" stroke="#1971c2" stroke-width="4.5" fill="none"/></g></g><mask/><g transform="translate(230.83249704214995 546.7037827361436) rotate(0 128.92578125 11.5)"><text x="0" y="0" font-family="Helvetica, Segoe UI Emoji" font-size="20px" fill="#1971c2" text-anchor="start" style="white-space: pre;" direction="ltr" dominant-baseline="text-before-edge">Preview URL traffic to cluster</text></g><g transform="translate(234.80226239265312 846.4488831672636) rotate(0 128.92578125 11.5)"><text x="0" y="0" font-family="Helvetica, Segoe UI Emoji" font-size="20px" fill="#1971c2" text-anchor="start" style="white-space: pre;" direction="ltr" dominant-baseline="text-before-edge">Preview URL traffic to cluster</text></g><g transform="translate(1346.4342490553865 303.9378626478181) rotate(0 12 12)"><use href="#image-1eb35412189527b20624c29b9912c61108c16757" width="24" height="24" opacity="1"/></g><g transform="translate(1295.8365683832328 338.4639124552024) rotate(0 62.6318359375 11.5)"><text x="0" y="0" font-family="Helvetica, Segoe UI Emoji" font-size="20px" fill="#1e1e1e" text-anchor="start" style="white-space: pre;" direction="ltr" dominant-baseline="text-before-edge">App Workload</text></g><g stroke-linecap="round" transform="translate(1221.8033167539645 277.784599370007) rotate(0 140.09160121428226 55.18368428660908)"><path d="M27.59 0 C90.16 0, 152.73 0, 252.59 0 M27.59 0 C75.94 0, 124.29 0, 252.59 0 M252.59 0 C270.99 0, 280.18 9.2, 280.18 27.59 M252.59 0 C270.99 0, 280.18 9.2, 280.18 27.59 M280.18 27.59 C280.18 47.76, 280.18 67.92, 280.18 82.78 M280.18 27.59 C280.18 39.56, 280.18 51.54, 280.18 82.78 M280.18 82.78 C280.18 101.17, 270.99 110.37, 252.59 110.37 M280.18 82.78 C280.18 101.17, 270.99 110.37, 252.59 110.37 M252.59 110.37 C172.08 110.37, 91.57 110.37, 27.59 110.37 M252.59 110.37 C166.34 110.37, 80.09 110.37, 27.59 110.37 M27.59 110.37 C9.2 110.37, 0 101.17, 0 82.78 M27.59 110.37 C9.2 110.37, 0 101.17, 0 82.78 M0 82.78 C0 71.68, 0 60.59, 0 27.59 M0 82.78 C0 64.29, 0 45.81, 0 27.59 M0 27.59 C0 9.2, 9.2 0, 27.59 0 M0 27.59 C0 9.2, 9.2 0, 27.59 0" stroke="#1e1e1e" stroke-width="2" fill="none"/></g><g transform="translate(901.1976086345753 842.3518058538695) rotate(0 157.275390625 11.5)"><text x="0" y="0" font-family="Helvetica, Segoe UI Emoji" font-size="20px" fill="#2f9e44" text-anchor="start" style="white-space: pre;" direction="ltr" dominant-baseline="text-before-edge">Devbox intercept traffic from cluster</text></g><g transform="translate(1003.2156742001623 220.5881289746428) rotate(0 12 12)"><use href="#image-1eb35412189527b20624c29b9912c61108c16757" width="24" height="24" opacity="1"/></g><g transform="translate(952.6179935280086 255.11417878202707) rotate(0 62.6318359375 11.5)"><text x="0" y="0" font-family="Helvetica, Segoe UI Emoji" font-size="20px" fill="#1e1e1e" text-anchor="start" style="white-space: pre;" direction="ltr" dominant-baseline="text-before-edge">App Workload</text></g><g stroke-linecap="round" transform="translate(878.5847418987403 194.4348656968317) rotate(0 140.09160121428226 55.18368428660908)"><path d="M27.59 0 C93.25 0, 158.9 0, 252.59 0 M27.59 0 C93.81 0, 160.02 0, 252.59 0 M252.59 0 C270.99 0, 280.18 9.2, 280.18 27.59 M252.59 0 C270.99 0, 280.18 9.2, 280.18 27.59 M280.18 27.59 C280.18 48.71, 280.18 69.83, 280.18 82.78 M280.18 27.59 C280.18 44.85, 280.18 62.1, 280.18 82.78 M280.18 82.78 C280.18 101.17, 270.99 110.37, 252.59 110.37 M280.18 82.78 C280.18 101.17, 270.99 110.37, 252.59 110.37 M252.59 110.37 C171.07 110.37, 89.55 110.37, 27.59 110.37 M252.59 110.37 C163 110.37, 73.4 110.37, 27.59 110.37 M27.59 110.37 C9.2 110.37, 0 101.17, 0 82.78 M27.59 110.37 C9.2 110.37, 0 101.17, 0 82.78 M0 82.78 C0 68.99, 0 55.2, 0 27.59 M0 82.78 C0 66, 0 49.23, 0 27.59 M0 27.59 C0 9.2, 9.2 0, 27.59 0 M0 27.59 C0 9.2, 9.2 0, 27.59 0" stroke="#1e1e1e" stroke-width="2" fill="none"/></g></svg>
\ No newline at end of file
diff --git a/docs/.gitbook/assets/file.excalidraw (3).svg b/docs/.gitbook/assets/file.excalidraw (3).svg
new file mode 100644
index 0000000..7a20d0b
--- /dev/null
+++ b/docs/.gitbook/assets/file.excalidraw (3).svg	
@@ -0,0 +1,8 @@
+<svg version="1.1" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 2430.55893694676 1628.9926813033908" width="4861.11787389352" height="3257.9853626067816"><symbol id="image-9d2f28049a8a90ddebd6f916b59a887ae5df33f6"><image width="100%" height="100%" href="data:image/svg+xml;base64,PHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHdpZHRoPSIyNCIgaGVpZ2h0PSIyNCIgdmlld0JveD0iMCAwIDI0IDI0IiBmaWxsPSJub25lIiBzdHJva2U9ImN1cnJlbnRDb2xvciIgc3Ryb2tlLXdpZHRoPSIyIiBzdHJva2UtbGluZWNhcD0icm91bmQiIHN0cm9rZS1saW5lam9pbj0icm91bmQiIGNsYXNzPSJsdWNpZGUgbHVjaWRlLWdsb2JlLWljb24gbHVjaWRlLWdsb2JlIj48Y2lyY2xlIGN4PSIxMiIgY3k9IjEyIiByPSIxMCIvPjxwYXRoIGQ9Ik0xMiAyYTE0LjUgMTQuNSAwIDAgMCAwIDIwIDE0LjUgMTQuNSAwIDAgMCAwLTIwIi8+PHBhdGggZD0iTTIgMTJoMjAiLz48L3N2Zz4="/></symbol><symbol id="image-1eb35412189527b20624c29b9912c61108c16757"><image width="100%" height="100%" href="data:image/svg+xml;base64,PHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHdpZHRoPSIyNCIgaGVpZ2h0PSIyNCIgdmlld0JveD0iMCAwIDI0IDI0IiBmaWxsPSJub25lIiBzdHJva2U9ImN1cnJlbnRDb2xvciIgc3Ryb2tlLXdpZHRoPSIyIiBzdHJva2UtbGluZWNhcD0icm91bmQiIHN0cm9rZS1saW5lam9pbj0icm91bmQiIGNsYXNzPSJpY29uIGljb24tdGFibGVyIGljb25zLXRhYmxlci1vdXRsaW5lIGljb24tdGFibGVyLWJveCI+PHBhdGggc3Ryb2tlPSJub25lIiBkPSJNMCAwaDI0djI0SDB6IiBmaWxsPSJub25lIi8+PHBhdGggZD0iTTEyIDNsOCA0LjVsMCA5bC04IDQuNWwtOCAtNC41bDAgLTlsOCAtNC41Ii8+PHBhdGggZD0iTTEyIDEybDggLTQuNSIvPjxwYXRoIGQ9Ik0xMiAxMmwwIDkiLz48cGF0aCBkPSJNMTIgMTJsLTggLTQuNSIvPjwvc3ZnPg=="/></symbol>
+  <!-- svg-source:excalidraw -->
+  <!-- payload-type:application/vnd.excalidraw+json --><!-- payload-version:2 --><!-- payload-start -->eyJ2ZXJzaW9uIjoiMSIsImVuY29kaW5nIjoiYnN0cmluZyIsImNvbXByZXNzZWQiOnRydWUsImVuY29kZWQiOiJ4nO1dWXPi2JJ+71/hqPswXHUwMDBm06jPvvTEfVx1MDAwMIxZjbHBYDwx4Vx1MDAxMCBA7Gaz4Ub/98mDXUYsYrHBhbvtiqoykpCOpPNl5peZJ/M/v52d/Vx1MDAxOE56zo8/z344z2W75Vb69tOP3832sdNcdTAwMWa43Vx1MDAwZexcIrPPg+6oX55cdTAwMWRZXHUwMDFmXHUwMDBle4M///jD7vWsmjssdbtNq9xtv3zNaTltpzNcdTAwMWPAgf9cdTAwMGKfz87+M/vXcyG3bdec2cGzzfPrUCmXt6a7ndk1MSaKcaQ1ezvCXHUwMDFknMO1hk5cdTAwMDV2V+3WwJnvMZt+JItcdTAwMTPe7lx0XkjE4plqtlx1MDAxMlx1MDAwZVxiqeeXrbqtVnY4ac2GNOjCnc/3XHKG/W7TKbiVYf3n7Xu2+32r31x1MDAxZNXqXHUwMDFkZ2BuXHUwMDFkv23t9uyyO5yYbVxivW21O7XZOeZbns1cdTAwMDOggllSM6W4ZkyR+c2a71x1MDAwNzAnXHUwMDE24ohcdTAwMTFMpZBcdTAwMTJ5XHUwMDFl18vIwt1Wt29GNuzbnUHP7sOLmI+vZJebNVx1MDAxOGSnsvm4p5/3Pb983XFr9eHitoEze/SYYKaxIHK+x1xcpFx1MDAxN6/Mp8Bsa6aSl2rKa5GsvlwiXHKWeGjV9PTtqnBA5V46aTdcdTAwMWKapsdPXHUwMDAx0miz3OOT9Fx1MDAxZVCIxc9DoWcyLvSr7rB23blRrdGP1/3/N3+zfbvtxM3YOqNWy/t6OpXX17Owo2R2RDzTdn6qUa9iv8wwLFx1MDAwNWJcdTAwMWMrXHUwMDBlj52/7W+5neby6VrdcnPNpFx1MDAxY1xm7eHInP5Hz+lU3E5tYSq+jPdcdTAwMDd2SpQzeKRKc1wiS1x1MDAwNFx0wspEl7TGpCwwRqqMheTSM1VcdTAwMDG0zsKDxvMnhn8+m9n/f/2+XHUwMDFlj0PnebhcdTAwMGWOhPvCkVOOtVZ8dzRW25nLavM2cu1e3dfiLVx1MDAxNFf6snfqaMTMwlpcdTAwMTJcdTAwMDTvglxiuVx1MDAwNEYsLU5cdTAwMTiVmFx1MDAwYk2V4MtcdTAwMDN7XHUwMDAz2b+wY/68XHUwMDFmiJhwi1xiKiRWnrk3xyRdwSSjXFxcdTAwMTMhXHUwMDE42YLJL42oarczzLpT8+JcYlrYemG33dZkYbLMJjk86GCvd1bo9putru2ZLGZvsOXWzLT/0XKqi3hcdTAwMTi6XHUwMDAwsrfdw65n3pbharbbcfqrT6fbd2tux27lNl5cdTAwMTnu14n9fJPYwtwzS1x1MDAwNo7Za7brjVx1MDAwMO475eHLXHUwMDE0XoNiTsjy1p8oJogwTVx1MDAxOabzp7dccsZcdTAwMTfDy0Ag6pZ7XHUwMDA0lYuT26brkuHos2A8XHUwMDFm5l4wJlxmWVhQzUG7UobmV37BsVRcdTAwMTZBVCgmOONcbit1NFx1MDAxY1x1MDAxM1x1MDAwNVx1MDAwM1HUPHaiuGBrsFxmXCLeXHUwMDAyoMNwuKSgXHUwMDA2sFjGtqaEaDCHPlx1MDAwZtr/mZ/0dcbR1y1/+SP+7Tvzb79NXCJE75BcdTAwMTTRrLioT+g0mku1XHUwMDExXHR5XHUwMDE0vWdq2/1+9+nH256/Vsa/Kk9cdTAwMDQmlHnxtUWevFx1MDAxZlpcdTAwMDIrP2hhxYyJRvawV+8mbm7E0+GLXHUwMDEyqvdtfp1cdTAwMWLZpfjJQ0tblIG2YaBcIlx1MDAxOV+EXHUwMDE2kTCXXHRjkihCKVwiUnxcdTAwMDRZ/6rOfo6EKqBcdTAwMTaYK+p5oetR9dDLlGuDq+6AhcLdfDTauGv3h6eBqlBcdNf0yIlcdTAwMGbjd5e9WPx5Oqlcbnk4VCnkkYxcdTAwMWZElS9cdTAwMDNkwtfk1Fx1MDAxOFx1MDAxOWWld9dVVylcdTAwMTGhvandu0km71x1MDAxZVx1MDAxM53idadwfuomp6SWlpzA8yZKSbaEKC0sJiVMZIwwxmB1fpRcdTAwMDD6o2o38lx1MDAwN6Ypw6BW0Vx1MDAxNtxcdTAwMTREeFx1MDAxMJJXJZqYPlxyrq5cdTAwMDJcdTAwMTk6yEW93K7IgrF0MKCeXFxdXHUwMDEy43at1HdlznvA4ZD3Tf7OtpM/KrVcdTAwMWZcdTAwMTLpTFZ6XGaQbUDU7vVznTV1aXhzX+hMJs2nJ1k6cSBcdTAwMDL6LFx0XG5eXHUwMDBippXWSCxcdTAwMDBcdTAwMTGooYVcdTAwMTCVimuk4IBcdTAwMGZxP39cZmJuSYmZXHUwMDAylrlcdTAwMWLvXHUwMDEzUlBseOKnqbEvw/tabtn5r8FZXGJcdTAwMDRjuf6rKOC2QVx1MDAxY51cclxuTpe3vpmsMJ1cdTAwMTVcdTAwMDMqtLuGvVbV24dHVCy4uVKh/lAodVx1MDAxZmrlUzdZubZcdTAwMTRcdTAwMDXRXG6qiyCFXHUwMDE3faxScotcdTAwMDBcdTAwMTMkmDGBxCmbrMauXHUwMDA2XHUwMDE1sY1cdTAwMDeWQ/r6uflcdTAwMWO7cVx1MDAxMyrUrDxG7lG+d1x1MDAxYVx1MDAxNmtcdTAwMTlcdTAwMDdcdTAwMWXoQIupk7+8LT+VnmvBQvhgXHUwMDE2q8RaXHUwMDFl32LlyNe9ojWTYLHuricjgXrxJjaM8e5cdTAwMDNcdTAwMWI9JqvJULnLT1xcT1LFLLDasaScU44oX4CTQtiiXHUwMDFh3lx1MDAwM0xWquSvt1cpkVx1MDAxODO5zVxcPa+GnrtP/btWPaJcdTAwMWHNXHUwMDE2iXJZaXut0ekli4T7JTWJZOrXV1x1MDAwZuI5MMzeeFx1MDAwZjhcdTAwMWPsvs3VXHUwMDFkzFVcdTAwMTiHr17TVCl4XHUwMDEwu3tiXCJu6LZRdMSt21x1MDAxZmV0YPQ8rSh04jgkWluEg1xup4SAdltEIeWWJlxcUcYpJoL6gfBjOlxyKTCJpVx1MDAwMrW6i6nKOVx1MDAxY8s+U319XHUwMDE1SzXULf1qO3XLXHUwMDEwjm6lYq+vaSVoQYWAXHUwMDE5Lnc3U9PjJ1x1MDAxMFW39WAvqKJ5p8fzXHUwMDA1enviZiqwSlx1MDAwYlx1MDAxNJVcdTAwMDC4YiSRmlx1MDAwM2hcdTAwMTa1oFxmXHUwMDE5T5CYuYqAo+KlkVx1MDAxZC5owWAgcFx1MDAxZCVcdTAwMDUjxrU+fzFv6GZIWCD9hcAgYcCqns+HV7BcdTAwMGJKkdJoq9qN8F7yMlx1MDAxYdDlW5vYsUkjI3v3ydOwVY9cdTAwMWOz4FRcdTAwMWbMVnVaLbc3WFx1MDAwYiytfdWkXHUwMDExyNgknexcZqv6OH9dfVx1MDAxZVx1MDAxNvrRSHzUian+eMq6J1x1MDAwZStQg1x1MDAxNkaawDxVaCVcdTAwMTZonD5cdTAwMWEwXHUwMDA101xcclx1MDAwMfzKN8Hm47FATSxEXHUwMDAwU2AuUcnW+neUWDhk1ZqVUnHQoVx1MDAxZbP683FFtuPqkLp148z3ZWlcdTAwMTh5JOSKfahcdTAwMDRcdTAwMTbwutXOM//88mGcT1RcdTAwMDO97m2k7Vxc1d1mzv20mf8+XHUwMDAzkSGuLEkwwlx1MDAwMlx1MDAxZbyUUixNfaotjo03U1xihYHM+bo0PzO3XGYoJZNU0W3+TDdcdTAwMTZpNKv3vZDM3YtuXtVv407DS8fy133avM92xldcdTAwMGZaZmr9+FMwmPJcdTAwMWVwOIh887Wz7XxNU38/pGaUXHRcZtbGzngss0BOP1x1MDAwZW9cYn6spVL1biBQKTycNlx1MDAxZamWzJJUXHUwMDEyUP1gzaLl9DJibCpFJSgjk0lwxKxcdTAwMTSsuSVcdTAwMDTYcDtcdTAwMTI3YaikpNvSPT9cdTAwMGJQm4y2Ok1cdTAwMTJZRm5gUIteJHmYpzRu7ma0/b7pvLe5ZFx1MDAwNTc7VT68XGK6w+ywfz5cdTAwMTlGXHUwMDBlcN5Sml1FnWyn9lhcdTAwMGWRi3Y1XHUwMDExdm/0wYzMz6WxKbtXccZnWbfilO3+WabffZ58LovdPIJDkFhf6cZ8pVx1MDAxYqVcdTAwMTRzsbto07a8XHUwMDAyWT29v8+qXHUwMDFlLtdcdTAwMWXwQ7N56qJccsxoxjAlJnCKPMHI2fe5hUDWgNFFtUBY0+PZ2GDqWDvLNUxcdTAwMTFcdTAwMDWtpD+Po35cdTAwMTWHlDdx9SzT/YVps4tXP1x1MDAwNII3MFx1MDAwNrXBo4xcdTAwMTihhNHdXcrP+PYpl0q0rnP1J+nag6xqXGZcbqdccmNAXHUwMDBlsrimyoCUXHUwMDAw01xcXGbtXHUwMDA0tDbJXHRcdTAwMThMSiChVHpcIj+/jjBw4PZcdTAwMTJLvo0vlCuNfCDci1x1MDAwZd1IduJMXHUwMDFmU5Ve2atof+CLUDpcdTAwMTjuJeOPeKzHdV5+qFZcdTAwMTO/gi9cdTAwMWPJvDmmufBcdTAwMTXZiK93gFx1MDAxOZ/nXt7meHVwLsrtfDVcdTAwMTNgqam6uiU3sftThzqSXHUwMDE2vHGElCBcdTAwMDRLslx1MDAwNHUx0+cgXHUwMDEx4WmA9U8/lFx1MDAxNbFlqYu0lDCmw45xJCyYXHUwMDEyQmO0LZD0z9Tb4Z+K9vOV9ppLXHUwMDFmQmO/SLI1ICaS+aYsYtBPXGIjukdcdTAwMTB4s3A9XHUwMDA0jCvdobn8Wlx1MDAxY7/Pvc2QJFx1MDAxNohTrbRcdTAwMDRIU7S8gFx1MDAxNHZ/jlNcdTAwMDFZQlx1MDAxMFx1MDAwNVx1MDAxNjXmJv9D0DXqXHUwMDFizFx1MDAwYnhnXHUwMDA09lOwMJhYxTZXlFCQXHUwMDA0/yD/tleL9och90WBLlxm7HWFdXxcdTAwMDfX10xIlGfKOICAd1x1MDAxMYxcdTAwMTjSxGBcdTAwMDF0rOCe42p2z1xmXHUwMDFir9wu6PDtw9hs3y5cckNhXHUwMDA1isRk1yHGXGLXq6OAaWq8voBY+CNcdTAwMTRZXHLetezBMNxtt12DoUzX7Vxml5/r7Fx1MDAwMVx1MDAwNo20qDv2ykuHu/Lug9nsLoWje+aki1x1MDAxM23+29lcdTAwMWN5s1x1MDAwZm+//9/va49cdTAwMGX4XHUwMDAzwvysQGF+vp1cZpst0XThL1x1MDAxODWiVHKud1x1MDAwZn6oXHUwMDFjvsw4xYtudnxcdTAwMTcrPjbbncHFpzlb31x1MDAxYk1cdTAwMTfUXHUwMDAy4Vxiz1x1MDAxZcOMY0tUXHUwMDA2M9grXHUwMDEw11opXHUwMDAxXFxcdTAwMDb7UpmTiKZcdTAwMDO94TDQbUIxXHUwMDFhqVx1MDAxN4ah2C07x73M85RcdTAwMGLMw+5pXHUwMDA00z/g5/x903m/0Fx1MDAxMqhNQXrp6z1UkjDGvHmU29DauKSBhlx1MDAxM5Ky0MCPQ5ZcdTAwMWR0hq3AiaNVU21RoaQkXHUwMDE4m1x1MDAwZotg1cxcdTAwMDLrRlx1MDAwMifTUlF2RP/hIWL0XHUwMDA0yFx1MDAxNMicrSsyjonWXHUwMDFkTJhNqPpAtGNcdTAwMDdUXHUwMDFkNFx1MDAwMcCX4HPkXHUwMDA3KVO6RFx1MDAxM5hru2NqOs2LiEt7T7GaimUvy+lJOjv5LEy9O9woLEk1kFx1MDAwMq6Qt7KH+T7TytKMcVx0Jlx1MDAxN1x1MDAwNZ6vj6dcdTAwMDBcdFx1MDAxN5bGu0dcdTAwMWLhSM5cdTAwMTne5pU/XHUwMDFjfL5cZrtfv5boXHUwMDE3OOh3XHUwMDE5yHF99Vx1MDAxOPkvXHUwMDFillLgvUpcXKjidS1cdTAwMWO96ndI91wi6fTu8XnSO+FPXHUwMDEx3WDaMktxSlx0XHUwMDE4loJcdTAwMTKymNxDNIa9XG5AoU2Gtj/t/0RPvcJcdTAwMWF4KN6aupbE0mb44lZcdTAwMTdKsUugmIFqqVjzKJ9cdTAwMWb5c11y8zlcdTAwMTeHxqNErZhcZif004X3gC8tXHUwMDFhvqAvXWxQtcCxzFqMPcjmTadcdTAwMTiIXHUwMDA2h9XMOHeTTGh7pO1PK4rxXlUrhCUowFAxQ/SXyKZZOqxcdTAwMTioQYyoklx1MDAwMNkj2q9gRyO8R90ooL5gyFx1MDAxMv6tbVe0rXFoj1x1MDAwNsNu21x1MDAxZDiVX+pW3ziKT1iasWGlXHUwMDE1XCKIclx1MDAxM4zZXHUwMDE53/Hc+ajX719FrvNN/swj9/lg4NPKwr3bmaQswSnSglx1MDAxYuNULeJcdTAwMWKUrMVcdTAwMDFFXHUwMDAyISy4VHppYKflS8JcZlx1MDAwNJCh2evT+b7XXHUwMDA3XHUwMDFmwJ2D/auaXG4yc3Lz3Vx1MDAwMaOdWqjhpEYq1a3108WaXHUwMDFhTmufllx1MDAwZvZef1x1MDAwZWNcdTAwMTZcdTAwMTjhXHUwMDEyc7OgaalKXHUwMDE0aCdcdTAwMGIxkCpcdTAwMDRYuJLoeCuZXHUwMDBl4c7heFac9Thw+aCf5rSyR99lPCr/9UkmLVxcUlONZWesVIQ9ucj0nMegPK9cXLl1XHUwMDFkvWTBUzdcdTAwMWVcdTAwMTW2tOKgOzRbdtNoyY09Z7JcdTAwMTSZXHRkXHUwMDFjL1xyw9R1w1x1MDAxY1G9c/YkV2Doan5cYmB8XHUwMDE1m3DtKtnP97/sMIwjZ0py3+wp4EKMXCK8R9G2op2utSah89Zd+zxcdTAwMThmKCbP3Vx1MDAxM893ZkghXHUwMDBiXHUwMDAxb1x1MDAwMkNcblx1MDAxNFxiXUItmGiWNj5mU1rHpFD5ofZTXHUwMDE3Vlx1MDAxOU9cdTAwMTCRW5me/XBdXHUwMDBlJp/Veeqc3Fx1MDAwZuUk8eTUkl7vXG5NZVx1MDAxYn2Cp7qQkDlRXHUwMDFhZZu1VParUMEv6F3xpPSsLIxHQPil2oN90Uk4WpqOXHUwMDFl5UX4MqPT7eT1VbV92mCDO8SWUoRIeO9aM73Ivlx1MDAxNFx1MDAwMrBhrIHSXGIgRscjX3v7VjRcdTAwMTdcdTAwMWPsSp/U5FNHyrfT5L1piVx1MDAxNPlDXHUwMDE2XHUwMDBiTjFcdTAwMTi1ezhEN1x1MDAwN2NPNC1cdTAwMTFLacFcdTAwMDTEpvo28K6VXG7cwoKNmDBlKlt7q1x1MDAxN1x1MDAxZT76yE2xb1x1MDAwMlxmTjIhtGeB/1x1MDAxYnQ5XHUwMDA2ZCsuKFx1MDAxNWBws1XlqbHCkqCtIf3qbU3eXHUwMDA1r57rxZtcdTAwMDFcdTAwMGI/3vbzyVj8Oyvx5abn6YBSXHUwMDAzXHUwMDA2XHUwMDE42InGIe5pKXH2M1x1MDAxYlDCKzOl7rDZa8pcdTAwMWSs3PtOKYqbM2E8Y0KWhlfPMDarSVx1MDAwNFx1MDAxMCC6MiQsLJM5x1x1MDAwNVx1MDAwNj3EudJsZUxfLEHRXHUwMDFmXHUwMDE5L3vhPcFeTZRiXG70q9h2PqHB6EVKaimZd3Wz+VlB2PxkO1x1MDAxOUf+slx1MDAxNuNN5lx1MDAxMYhaJtHueVx1MDAxZZtcdTAwMWQqpylrzaJKXHUwMDBirPuZZjGLtpaWcoBcdTAwMTVrMiFcdTAwMTVFTFDgLOyI4ScgPmb5jKRKMLDF5ibRvMolwqBvMVx1MDAxOK2cIElBsK5cYltlloLIrXXC3Pp1pH4x7NBmhd83XHUwMDAygXo5W1Dfwvblpl9cdTAwMDWbcbQyrVx1MDAwMXqSIeP9XpW1puNccsBcdTAwMWbYjnHoYMb4+4TtZje1V1x1MDAwMcCgQNpgXHUwMDEws1x1MDAxODRcdTAwMDGieDVcdTAwMWScmD5cdTAwMDJ0tp7BxDK4XHUwMDEyK4P6YtI24ItccvPDZlx1MDAxNIdcdTAwMDM2wVx1MDAxOFx1MDAxMnDA1tNR0EdYmCYnIG0l01x1MDAwYuJ2XHUwMDE1ZHvK2839ZTyVZFaaYHAhqamlu7PIXHJe0cc+zTnxXFw6XHUwMDFieujEY4/T4dNhRa49qPuJ3HdSUqRMXHUwMDBiXHUwMDE5rrnJI4S5vCRymaGKZrFcdTAwMDPlWlx1MDAxMKI+VH9x8+o5xsHQXHUwMDA2hFx1MDAwM5A0oJfM+e9cXORyoSxcdTAwMTD8pspcdTAwMGYy69091vZryircXHUwMDBmV0j7JN1cdTAwMWQ/JvjLw1x1MDAxMN5cdTAwMDYyy3OaUM5cdTAwMDSXe8zpafS+XHUwMDEzyOUj6UYte627MXtK1ODEvSxmSVx1MDAwNGhcYkFMeyiBl6pkXHUwMDA3qMaW6UNk1oUz05HwiFx0o4JboP5cdTAwMDXfNVx1MDAxMmFcdTAwMTLLgFH7LFx1MDAxYftbOlpeK51EOmO33+2YXHUwMDAxnoV+ei5cdTAwMTZcdTAwMGX+pJIrm1x1MDAwN3LUaIQk/j2ZuElx5nyPslxyj+WHZ0xSOPaQKjVv49dcdTAwMTFSbchcdTAwMTNnXHUwMDAwxpCyyEtccjcw4/BcXFx1MDAwMrxcdTAwMTSWwsowM2J2XHUwMDAyXHUwMDAzk/41XHUwMDBlPzVcdTAwMWVcdTAwMDHmXHUwMDBiMjGSLWa+nVx1MDAxMeXMZVx1MDAwMmh5XCJso9R9p1x1MDAxNcClv1W4QVdI1dSm1LayNapUnFJFVDVcdTAwMTYlXHUwMDBlW5S0XHUwMDFkXqlSWlx1MDAxNZ9cdTAwMTJukFx1MDAxYnJXlFBcdTAwMTTDXHUwMDAz2SPc8Ky7LqPjQSHabDixaULUk8lTR1x1MDAxM5NcdTAwMTSsN0aFNPkgSCxcdTAwMTXixab+PSOESmlaMlx0j6Y8uHWHhTHuyK5cdTAwMTFcdTAwMDeCzUJfRbaWNPosUL1dcU3ySqxcdTAwMWXu3+FGI1VNP+VZu1bKXrHOL0te+Zg6zvSdses8nd3epD5X/a698HGLLmyMblDT/2Kf6P/mWXCiXHUwMDEygptKSCawIVxyufOKzNfwXHUwMDA2skyFJOBTpl1cdTAwMGLzL5T08YxQYJomXHUwMDE2zVx1MDAxOTJcZoWvXHUwMDExXHUwMDEz2FJSmXg2o0rO/O6ruti0tJLellefm+P2K31pm1XUmTdIgLl524RcdTAwMGKuqSlU4TnoxW2lLdN5wiy5M6nCdDVEsOBJW7yJr+XO8p135md1xs1P9yHjRFx1MDAxM1/Pk8JcXFx1MDAwMe7k7pZ+MpjPJtJXyWK0XHUwMDExl11ZXHUwMDFm39PBifcnJ0Igi4JNXHUwMDAyT1x1MDAxN/5IseR3XCLILFxuM6m11GSzXHUwMDEyfry4KiXaQlx1MDAxYUstdu1QzimSciGb82/P0uvDYW/w51x1MDAxZn9cdTAwMTi1XHUwMDFicOZcdTAwMTTZsns9q2X3LKDOn2sv7Deio/J2xf0zf5VcdTAwMDbxuleB9qSsodzVoClYNFN6jFdGN+OcOHk7glBg5kqbNlqCkSXejjFcdTAwMDWwc4KENl1+8PLIflx0bZfUdKGlW9NcYlx1MDAwM7nMdVx1MDAxNEUnj6PHok2b91x1MDAxMZy+el8z8m/avoNmVP7dXHUwMDBlNMfcJJbvjqXutJhcdTAwMWSG29fXpNnJhZ/PXHUwMDFkt0jxqWOJSbDJMdZMckEoXmbtUllKS6xcdDB3gfRcdTAwMTEz6fcl7ViaOjPc60f4tZB6u+K6XHUwMDA1WrlOe1x1MDAxMmjfXthVwvOVPO7WSodrivNN2o9F2lx09yftnGJu8md3N503z4JcdTAwMTNcdTAwMTVcdTAwMTBcdTAwMDJcdFx1MDAwYvRcdTAwMTbwXHUwMDE1xEy10UX5ILhcdTAwMDWkjTIuiVx1MDAwNM5cIo7n1DtcZmUnSlx1MDAxMI6Yj9D4e1P2zfrpzJ+yc+lJk1jH2Zlak2nyTdo/ZJpgpH1cdTAwMDN0ylx1MDAxNPuCd7O76Fx0tNN32baY3IqrZMRcdTAwMWU7j0O7kjio6DlcdTAwMDJrJyahXHUwMDE1I1x1MDAwMvOMXGK17C1EyII3Y/JhXHUwMDE15/A0jkjaNbOE2J2zXHUwMDAzXHUwMDAzXHUwMDAzYYnYPyiw/pMg26bGUaA0W2N3WtR9v5FcdTAwMWQ39L6pY1x1MDAwMtWm+izfnXaUMmWOxrRcdTAwMWNoJKuXwfxziU9cdTAwMWZcdTAwMGbbMeEooXfT3YSb3lx1MDAxMJxgqZfBrSysYLvUs5ryXHUwMDEynULPXHUwMDA0IEIwWLq1OWc8V1xyXFxFXHUwMDFlSIhQXHUwMDFlL1TSI5fF899cdTAwMWP+aKF36d+xUDBuXCJKe5RcdTAwMDE9TydcdTAwMDKo4FxckUIrnlx1MDAxOF1lq8Ewj506mphEllSKmlqgyvviZ99cdTAwMTeWWU1HwV7AYDKgI6ag7cvhhUQwJuHj2/58RL1dcVxyhVx1MDAwZqTGiUm7fkeGcXnR5kF6XHUwMDE3Tp9/U/j9lPEvoPBcdTAwMTj7ilx1MDAwNyU1R0qx3aXD5klwotKBa2kxXCJcdTAwMThcdTAwMTOU66VOXHUwMDA3RFsgN4RcdTAwMDJmXHUwMDBmLI4rX2f5ifB32MtcdTAwMDXFPulvf2/+vlk1nW1cYrlTXHUwMDBmZf3m75/F3zd0boXhXHUwMDEwIJR7dFnJ1p9cdTAwMWFXwcdGI1x1MDAxMEneR+8v0DVvsJMn8NpcIjDBTG5cdTAwMWRBaLG9YUBYkmiw8MG+XHUwMDE3mHhbjFx1MDAxZpy/K2GZTnQ7XHUwMDEzeFBcdTAwMWGmL8w/qUbPW4S7WzpJ+r7PuI7ZsVx1MDAxNCOyIY9cdTAwMGZmPGV6XHUwMDBm8s7jZZSoq8ZFK1NcbofLgVxibaCTb5CuTOlcdTAwMTBccvZcdTAwMDRiwmiXRVxcY65Mk1x1MDAxMFPhXHUwMDEyTFx1MDAwYi7k8WKG+2fTSM20Vv+o4lwi39k0XHUwMDFi0Iy1b96+WY4vNdqj3UHCxp3ufSRcdTAwMTm6xVx1MDAxN4VYvtkrdlx1MDAxYadcdTAwMGVmQLElzHpijiRTdNF1IFx1MDAwMeiGN3BkymBcdHJEXHUwMDE1vaeLXSswKkx/rn9cdTAwMWWOv13sO+Ca+GfbK1OyxLTL2F1JMyRvM9fJzmXoSpeHUVxce6g0Tlx1MDAxYteUamVcdTAwMDHbUaZWXHUwMDEwx8vrUoHoW4xI08VUI47p8WrJ7m17m0rQ3Fx1MDAxNO785yH72/bepq09837Z9p51XG6g+1x1MDAxNPUrt1x1MDAxM0/2+VVm3Of5aaJyz4vd6/Fpw1x1MDAxYSg1tjQngoOqXHUwMDE03m7ML6a34Fx1MDAxNmxcdTAwMDWwSYK16fh7NFxcwzUsU6tzd9PbOFi4YD7t+P6WwIYnWHZMRM3586w1W/FtXHUwMDAwXHUwMDE0cCv/npm+3rnxXHUwMDE5eN5jOMeFsedcdTAwMTWsRuyUlHJcdTAwMGaXfO28oGoqkVx1MDAxMaFKtJ9sZmOqcHHiXYhcdTAwMDDFyFwiSpiCaFh7M9RfXHUwMDFjY8wyJb+QwGCdU+S/7vzjytlUK6OE7bFSllxuJJhPXHUwMDFh+z9cZsNv5i7oxdOBst+ojmtuM19fN6Gm2M8+a1KawWjx4nGUuU3i+sMwXHUwMDEzXHUwMDBmVSrTw65+P1x1MDAwNqJNaU4wXU3XJi5cdTAwMTdcdTAwMTFNsUWFKSjGmSSUY33EVDVGrL28YUIgfYhs2K9cdTAwMGbnVyv3pMC8fkxHXHKYYyH865RR0/5cdTAwMTOTPVx1MDAxMk9cdTAwMTG9Q1JEs+KiPqHTaC7VRuSwOe9H6FtEXHUwMDAxRNpoZ0Ayk3ixSWBcdTAwMDBjZSlcIik1nnAq9Fx1MDAxMYPmREmLSlx1MDAwNFxmXHUwMDFlgXBBal2ZMlx1MDAwYlx1MDAwNmJcdTAwMWFcdTAwMWEybFxc4Xy1TNmsXHUwMDA2L1xmmp9i0rswXd7fg/5cdTAwMWSD5unxU4ny23qwXHUwMDE3VNG80+P5XHUwMDAyvV1cdTAwMTc0XHUwMDBmIFNqVXJT8Z9jbFx1MDAxNlx0rFx1MDAxNlg05Ww5WEBSUkVMUdaVm9+p6OPF8DJcdTAwMTCIuuVcdTAwMWVB5eLktum6ZDjyieRjXCJcdTAwMTlcdTAwMTbY9DJcdTAwMDFSx1Yz8Vx0t8whplx1MDAwNiVcdTAwMTFaUL1aOO5cdTAwMWRcdTAwMDH7NUH5pbD9wvdcdTAwMGZcXPTRb9qbn9VcdD8/32/e//dcdTAwMTd9kmxIJVx1MDAxNEJcdI3o7nbM5ibrpyr6lImoIWQ8/oospuVSMHI0PHYjXHUwMDEyXHUwMDE1XCJYXHUwMDFjL5PwMIJPXHUwMDAzoFx1MDAxNdU+vVN/seCDu9qnq9q+gk/l8GXGKV50s+O7WPGx2e5cZi7WXHUwMDE2u1x1MDAwNVx1MDAxOYOwSVx1MDAxN0JcbjFcdTAwMDHGIFst41xyMoaCXHUwMDEw4sRcdTAwMTSFw6aB7vtcdTAwMDTf3cTNjXg6fFFC9b7Nr3Mju1x1MDAxNF8/KCRMfW0k5Ys4lmuq3YLpXHUwMDAz7FlcdTAwMTMuJUKYq9U38i34znZcdTAwMTN81N/mw0BdmPJcdTAwMDb/tjpWN7YjPFHBx7RlwpxUwEziYpHAXHUwMDE5g9BsXHUwMDE1iCt26uZcdTAwMWUxVjr8nORcdTAwMWHHfXtJ7iv1NrdJXTL3QJOZbouEKVNcdTAwMDFH8tUsSaytmbZDTCOthcArd7+T2LtW1duHR1QsuLlSof5QKHVcdTAwMWZqZT+xZ+rQSbhcdTAwMThcdTAwMDExS/TqmFxiMSWsXHTDZsUtUOdvqfcq9X57vcJcdTAwMGa718tcdTAwMWE2/fZGXHUwMDAwXHUwMDAwbuXVVTC/j1x1MDAxZiZcdTAwMTU9tFx1MDAxOaK/vT7X2eKXOVwidu91NZ9cdTAwMTQ/2m7byXnXhv0xXHUwMDE41/77ud2aP/NcdTAwMTf5uX8jLYCZbXLq/3z59c+F0/+P8VxuXGL2eyaWJveTXHUwMDEwK1x1MDAxNZ5H5Sly7dhcciqfd8cpWqGVXHSnl1x1MDAxMz4ut8vjy0bw6TKsp5V22Y3HKr372E03k41P0uF4zY7me/ekjn5+rrRbrVxuSoydc+RehoNP8fM4mv11Q2278DzIZFx1MDAxM6NcdTAwMTLhLfg8rcRcdTAwMTJjm9zqeDuNy51Eq9S5OS+R5zFcXKVWpjeTXHUwMDEyXHUwMDE5tlJ38+t5vjMsRVuj+0K6XobrlNtcdTAwMWGX2tcwtjSC3/v3WTywXHUwMDBivGW3da/U8OyPplx1MDAwN8W79Fx1MDAxNMbQK1x1MDAxMj2KR1uNXHUwMDEyYcNK9MItRfOTl898mrq7qVx1MDAxN9vPrbKLx5W7m9m5lo9NXHUwMDE14Fx1MDAxZcPx/87EQvVKtPY2Xs/9NeH3tHlcdTAwMDY23H+lXHUwMDExR9nzkFh9XHUwMDBl6u1cdTAwMWP3cC+5XFxkXHUwMDEyP09cdTAwMGauwkGUauRcdTAwMDfwfV5cbiNcdTAwMTY/v1x1MDAxZaVcdTAwMGJPQ9g+TIdcdTAwMTkunVx1MDAwN2upXFxr8PPz+vNEJqXzXHUwMDFhXHUwMDFjXHUwMDA3383Gx5nG81Px7qZcdTAwMWKPXut4XHUwMDEzPV+6wefL9lx1MDAxM7yjppuaMlWOXiA7/DruXFy8dplLXGZSOe/3n8Zlet/J1P79b49fq+94ZbrpRCOpp5awXHUwMDExPjdcdTAwMGWIXHUwMDEzZ7x6lNc82X1cdTAwMTXZezC0/1x1MDAxMrVvXGZtxtCgUkj37qO3tVIs37BcdTAwMGI3rVShMiiRXHUwMDA0/D/Dysr2eIOpXCJpTYrkXHUwMDE58JRmMFx1MDAxZZiD8VqRNnW8XHUwMDExMWObzLaF187VSTFcdTAwMTdcdTAwMDFM3MK8NPPRPJdg7fX5wN/1+1I52LeCjdnc7sI7mc37XHUwMDE0hXc4ZVx1MDAxYua0pox5l1x1MDAxNa6f069HvSmfv3776/9cdTAwMDHCLc1UIn0=<!-- payload-end -->
+  <defs>
+    <style class="style-fonts">@font-face {font-family: "Virgil";src: url("data:application/font-woff;charset=utf-8;base64,d09GMk9UVE8AAO9AAAkAAAABO1AAAO73AAMAAAAAAAAAAAAAAAAAAAAAAAAAAAAADYTJHQZgAIluATYCJAOQWAQGBY9lByBbpzpxQ1QZOitEWvl1ExHg7NqqxsS6RlCwSkciyuhqMfv//89KOsZwUAeGmJXV32EeijNbRUcYuVUTmWNvG5FWRBfkAW4YWVueXU6tq9d0pZufMcACcUzc7AmXTyBwYmw0WojBScItqLq853lRPMu/i21F/1VrveHFeyj+LdHE3AfsFiWacmNotmSIhpJesVGSFIFWJDgsMxNmRIsQQzGF4rvOX33MPtY+LeOF490dgR0G/l0zmGbP8ku9beGBOf2+EcKFm8Md59ESM5GZKYtFok/F14jmMBPlbsKEWTmjIcDMVCgM0RQv1VD4IZddn+x6g2Ff91p6BriTOHYqRgBPP/Z8O3Pn/WXBXUTBKoZoSbZg6N3qwPP/937uvc+bD5huHSziTSgio5mQNpAsr235cGq9P8/r5vc1H/KatrSSHj8fGwzDhavuia24cMyBvutkjYQtKFtwTcS1wVWcODY7KMSFOM69OS/+4fm59f7vRf5FsY0aMXLQQgsGrRwggmTYYCJVEmVBm4V5Z0ThidFYPeyrtRKEoeme3dvtgT6iOeJnlC8MsAKKT0UoFD469oV+l7DD8pn6lvkVc++0kSEfkCM0Vauqh+RnHNszHtYIqREKELpb3S0eAhMvIXmB7+tkb9/wpNO+5fOjmT/aU+6YYwu6wVlib1xrbGxcwNgduqmiNNOESimjUWmogISEAOOOe086XjvNccGlpjQnb8gjOY3Gyr1sLlmavf8vKSIJwtUoBiEBfY1jpaqrq1ET/z2/7f+/4/hmD/yU4cZxDvyseBGJ7/W9rVwMSlAkJUsk6hzqQCsqJVbd9NbifX/4r6pJ4LDfsD5vl0a3Nl1TSqk09SUxpviFT9KCpj3jFmScMz4t9f8VWXkadd4bSR35QqxNH33Ai5BewBI5hQAbQsZFe2nQZ84A787uLKHXduwYMHUawjI9wuP+7R+jZdW/WpL3hdof92mkcoac8YBwj3gJB7CB3aayqzgrsSIikYrAZYK2u3l6AJfgdm+OybOvB8+JTFAi4hU026JOz7fHCxQujUCxVVutY8Wgje+dK4CA+afpvl+9Nyecky85rLBnngvwxHEpBa9ATSI+MxnxjMcbadI6LaWIPXHlOeusTrrDBkAFCAzMc6UTOFEFKTY1Nm4GuAPasdAah4+DcVmNg/pfU5Nao+e7QykouG0KYR4ewkKQVmtP1n91ike6Kvt60/WySWeBpeOKr7QCg0hoKAwgPPOvqrl+UPI78CqVirROp/RhKm2YMy0C6CJQdAHdBNBOBOmKyGuC5AZe6X1LKQUflBN+2M7DB2VHoBs/KOcRvCZQfn6i0lsdM5Ypw5otoyCn0UlftixbMiaTk2XKy5Q1Y17G2zJOB7nKUm0/PkgM7J3K/X5azIxlS8eShkmeIYrIIuvN47j+8Xk5xmbzq/fd0AYlB/aifvZu/3or31eH2eCosZNM23gKUvMyo25K7fx8x2ZRqLM4/xxLbOST4x/7aOuym35y8olHctP4b8V/TX/YCP2p/1mult99+Gj0u488j59Q7/DTaWN4EkPx7itzRBhgghZ7XPAiQJAIcTLMtFCJKku1WqHHWlvsst9xLnKDYR4xwicQZ7tG+knSE5NnLF69LLqrR0X89vtHVudoGtiw59gDkletTr9hov04IcNsWAhCFGnUMYNrWMA6cqigBQoCbHTgQRhxDOMAjuIkzuIyzuAybuEuHmMEbxC773VEWIigqlrWqT4NbHCjmtiM5nd+y1vXlq5ob9d1c/f3eC93qA/7pk6NEihFn0Rmmnk61thin7O8wilOc4krXGeGedbYJEaSKhN6GOUQD/IKz/ACr/IW7/ERn/Il3/ITf/B1//9y0DjoHH5x+M2hIRCCxhEpTKlFmUZcYipGDGMmFmBNbIBtYYfYXewxq9h9hvn6/vr3thQeZ+KUArHScmqorznNakXbKqkpSqIM+SLlVlB9GtJ+HdUZXdZZXdGQ7uuZ3uizfnlBkASHEFk57pwrbnvKU17wunOuGjNrxbYj2+1zj/u92yM+4fO+5gu+7jt+6Od+40+uMZH/QTH0f6P/F2WjGegMdD6aieagxWg5WoU2oG0oH5WhWgfrEB2GI+UoOOqOGcc5+Rat6/9k/8+mUCCeJiIC5sZapHx9QEX2IMLTPuIbQjZoyoY9XgDCc1CSUcEfzRVFJcPJ4YfarTTXnEEp9Fll4bmCyF6huXD0c2NkyBrUclqFDS0fCcldmnBxq5ZzUdjQ0hBhra3noZkdrY2QIXdtwDXbzuJpombNK3hcpdld/aaHaGW4yOQ0Uq2KuSpqqHgkIlXMSxG5hZWvipLO5Yja+dGe2Ec0Xl7hJVeLriry+vKRHMnapHSSWh3Na/r0xosnKF8vBiOnHHm02DmrmKh7JKa/6Kx4A1EGB5L5gPZja3EC36Px8gVmpEMfpVo7eKal3dCDQk3OQWrtEfywxsP7kXKdc+xllnS10CSorh6UNHRFJNThKpI3Uj12NefH5EBdrYWSRruZkfa+i7mL+aR7b+irdu+/Svdr602Xpz3AJtUl38juYpi/pk0HYWKZtRHy//WcNGHEROmgcepGC9vOyzGRY1+qfJxX8Ka4G2gxbNKvLqrqBjSlQRMYHTrDDGsYBjAs71XrIXW0LYetKxhHqGHoNTTSyi1NsvSW9pYPZAY4gkxWtrU0z9vbRMU08fOJQxc+Syy+gtk9G54gA+xj+zrZX5Y0rjZrdBmGy68X/sBnzCF5AdMtKp4mqPbyQez0lZGifaq47Tf7SIZExoiy9kkO2JjFGs8VnQMdK9nMR0/nKEUbGADCEcjocG6DUGjz+CoAhQFwBBIDEwuFxo4bN+++CUBhAAhHIDEwsVBobBxhCwAAwIcDAomBiYVCY+OISUAQBH0SBIEgCIIgCIKgcvQdCMIRSAy0MCC+M6Y5BcVI/gkYkMn8sRZzoj6jjymGesj9+I2a22/ocz8NNPA2C+fgZtOvbe7ZbLKKuW1NchzK6mJ1Pf/1IF9PGNzuWk+fWr5AJLsGbXx6WqXtz7Sw5sK/2TRigdQEnKWCSwHOJDBxwFWcy/MuPpBExwGTydS++B38ygHYhoswSGJKao0cwRU+cxa87AMKDql645JDKYO+5m4QVzcJ3y7stzuYTaZTHAbNHXHpPfKmuHugSHKiUk/ZPC/TXrC0xqt/dsGQ57sgXd3hs/6nDbLRY/DknG/yxVziZVz+ldwy0Iy6cNfv9o1UVPeO7SRI/Eej3M5tWU/0ydP7mv8W+vb7QPcr3ytNdXF9bro22Y7bj7Zf+/5e7C/73n67/xrB1Iy9URj6uDPOjzvj1fgeZsnDRCrKMR3LsR2VaAcbarhhDXcEIhLDcSROx6U4E5fjZgzHoxiJt3PJ9GZwpV151l4c+73B+fGXExniT6JM1AELXkAM6XgMP5YTZEIWvN+8x96yP86/HmkfeR30BDeCq6FruBPGwn1qRw26oBG6Ql8N9qqpBupSDaqaqtbOeqAPtE9H9a6ua4yag2bZtBiT0RqTSZtKYzeKbdmu2Fors26rtyFbtJX2mzudd3CO+7zBVdzBKraziKWsZzf7OcUPuIzfccG8beSYgWdMypiWsTBjeUZ2xraMHRl1GW0ZwgxVhjlDyrAzchn1jJlUWRX48WpiZWxuhR6qmw57kBDolGzsgvY89rhb7XvJzwQfY4+20SX4OtWreKpuSFaXlECpiOVamcv4JA4/x8nKhM2qKCxtMjn4oyulp5+2+DzPxYtYzPSoPf9Yvlvd4vcuYU3142xsRkmAfbwfK6ODt6039/4JpW8VEqlHIZIunBL+6JmzfHyE3o3mF33fTPtyd+kt8NrwT5yY3tXcECqX0RZRjsN416y3bBO8IjDJcPLMjeX3UFc4USotsEQLOQvWwDz+tuofrKKIxg39EBCg4K6oeW4pSCLqm7ih+kAy7/Fydux5Ldh5nZZU05IuqzLvripqXcA6pZ2RPKH/d7Vhy+50yl+yFh/UIyLAjn8fv/fx2Z7SNsWc2qzj/U7z+cFG30qoPh7Z5qC3Ze5YhCSBZYH04b4xhJmKKLbQSuzNojJnYgVKYcrTV4jLFCCbX7QrsD8wOFpEHcVC6m7/T4/rDbOCMYvv9JxgP8P+5bnnhxblt29k79MERhrZfpNruPWEn9zyaWm9D6Yhlysalgwi4BGLoGwXLltLytTuk/Fts6n1vh2+DbWgbnrIDLRawWQ8nikM/EuPyg9/viTjuTpg3B1Y+hDUoC9ieivGQlh0cicgzznLfcQVZ3dVKCuRSmjBAmXfyhNu9pTGGImlCL53o0K42CnEDXXqbCl182f/Bf89gv5vwu2e7vJ4iWYg3CGwkKTThtD0GoseIwAWO58TjMhWCDTwf4n/MWnupK2x/YCzIig48kILRHftWSKYgi+uRo3xYmrCurpHP+wg/v01/53uutoVJiUQVDulJgTOfnkrR0ZI1k1tENAMdR8iv1SLeO3Yf8I/i8/b9WdwvtwVMZlpeDIIzYdmpyAtzZMJSHtCcxcsWTFrteeNzqfiMmfScU8kIho1b78owsx+mq4uQutyR6w+9Yo3PmDBKfNIugWybM4TIVcd0CWURQ0Sc9kHMwiRyovyick6zb2ikU77TH+AKiu2Gf+Ahqq76ShpCk2KlUBjcPCK11f9dj+F7vSs8H0W2JSabHDxn24YNFev43yHqeq6XfE4R3rTOnZgFh8dEP9Q12qAHDk022XQ1pUSyjS/MSNipVuDYUYp0cM2GyEIDULG3HlLVE2Auyq87HOQvZquGjVgYq9KECHaIH0yk/2vr37SWfBV8B39wF8uFIxNfTsoDBvADTTNVVQ7OCrfY6L0G9yaU8aGZUKY7KcewrBtVffi6ub8GXxbdpI97b8hBoFQUgYJ00i0awM2XFgyVBGcFpXLAuR+2yS9JkI/gib26ZWf37eeNzxCOI7hrUwsKtpDVjRC3jQBB+N9CokJWXc0xw4tO43puOVMxB3S5XQnpNSwKH7otNIEjQiM4uWWjq3nF5hOi5K7xSdq3G9gYjUCzpPda9tRcOW32Y1gO7B4VKSrcYl2suSDeHI+STDgD5mdKorFl+SBLm5wuaWCyjmlZRMIsqBi5kErzkGOJ4nBBsasiHSBSPGEh2GWK1XRkbr0idAO/blDD3UvNXmqJJmxpciGbqkJFkRNIUlDf+tr0yuVBmbNePeTRpvLyLH+s3osJPvlgTLqh3bYTHbiV3M6AGRNwjDRIuSterpZLzTWgcuy62rHrJUFzGaxIq+ArjzfVthhOorC0AiCppSU1uIeWScjvuX2saqaGLe8Fh3SttzX2jZ4L/t29aumKWwl4SBuLsVe6wvvnzl7f2Fj60x2nQvYoDXgEEtrWEGMMhekBIg0R6qwt5tu7aJsxFY80wzcmiOQL9SbhS37pegG7yUM0NERxJnuG9BGqdPXDMtrch5+Nbp6qOhNVG7d8BXcqZcV5coyFjc48CSzVlnjgNh2I9tCF1i0cmNaz0tWcdOWmnZQokq6pKW7cjrIj6FvBr7l+gH1AYTeF4etWFaoxef12lP4cFlvw7p8amqeUgDZqPYsC1MlUuNK8Mrdazc29gBZsdmRjPBrIuC6r/YdOIIzHVFYFJYrS6tbwdJCTvZNziE5kR7IqdUadOyGS3ESUHqK7/9NM3cbbyjUVkSsAOtQcaUIuezfbaVYT2V/XL5KOV9TQ9fG3WezS8MLr2cJBkVOfn9tH754Wao4QR+eb7wYvd2+107VAeA12lEZIBOssvLIFFCpkDpjRTY7Ovv0+7XIpQne3FTbfpFkF4sx2A8e2b/y6YM3OW4SCexYtGl0iDncNe3uxpa942A1SXQP5Cf61mjfYINvow1RZVm/4BbL9Xyj+fTag1N1gDdXtRHSP7w5j1qrmZ5xB3ApbsCAIKQ4zRDLkDfbE3FVSPJxnsxGk+P9wytWacTijZsSdBKq2ytb/prJ+O2mCchsWw3g0mDn9m7b4DN2d5seOaA066UNdPbUzuH6nQfXAunVgqo2ekuBJiumUfT9cxcjX6hdfdEzvjRfml7aBmEgqFVDoUAjb8kGGy6WB4uKKOG8vup5eFWweTsT9ItV3gQCp1IF8dX6Ok5ox9gPGraY2+n1iq7ZkiVZ5Dm9YDs7FyRqz+xpVVUolMUgZ/h2DpOmplbsrFN3TFtxNEArmqxBPWcSCxlJGisugPhwyHi/GDsfHF06QQKjxAP8pKgompEleE9YZHz32WddH0hyGDqskcSu9dgEuaqpMCjrBRHiIZeQsMiKnimZr0syQ+0SvxE9AFhxhQTs/AE/sanpzViT/b1wMD7ZvX1rBxCO8WcNLUCqHPuaarv1pOIBIHGalH2hk4EPA4jG3RO5MbMxXOhX7kx99f2ds1Vs7czum7f7DmvB5YZGY71ArWtIxnOaBSRdxAprUkE9EkEqH4Y6kuSWwazEblObCGPKRPDEqNqV1ZqTdw0xlgornRgwgOezRgQpEMGwA4+rQo3NbYvbG1gBuLaPrA9GzVMv9HbRsnav4EhDT3mZOlKNK+/e+Fx1s1pz/M9+UXf4Ja1DUcdd6aYJ8L++VzqQssWypCkghOsGqraGxEuQ2mgxXrGzpnFHzPRhhCT4J3DIYv5KjPnM8J3hYgyJRUFRERCiihSmv6uN1bjpzcsbV/NL2xfqs00vXq6mMiCiD4gbnSqNoxUtBqPV1/g+LIxqtIXWiofbm1thsPl6Tpp+Np3aKwM27ZYdKGpYoyiRVXwlWj4WDsx7Sn4iIWHC0NlwyGTXXr6wn4uzjyhq6JJ29+I1ABL4ss3q49ZkuZsSPlHwQmoZbRecMh/egNGDZJQi3KCtimV30adH2/PUB1KNGxptAPUUU7ajIqzWOquk8wrlY3tfbHumeo8VEOyryY9PbkV+J1BKHY2KWtbXAMeel6CQTZtybf3V627dbiPd71q46Ddo1HO0RRCRHyo+zBQ6YTv23devSKVABnQx4MJ/5Tlb/kCNO2giJf1rDycrANLWTQHC9x/Z272Dh6XbUfmlokgarA96u5NbV5DMzZEIEqnHX51L1IoVK7ndbzlCfP0n1UX1AtgGWfbL81d6m/JpVqBUQQS48gdViQ3PSvZD+VA4KO8s3VKOzdv7/ejA1bbLR/zvRoPib+DjXfcMJQd2I+MnyDoe/DePZDoN1QCCWscaqmlTQKd1AtMAB7bbbXfVsTEmNmOQ5EIvYqiRay296XeXArEJZJYnNeiPqoaL4seQk549GuJ/GTLKLduXFx+/SCHfYgMfIXRFrLHzo25iixS8ZaBbAuc7Cett9j01p1gzBodStOCUNZCCwIubdyN/utMxWO14HRr2m54XGI7nOpR6FsVAzvk0gLiVrFY4QZKKQSnXCC1RAq4xJbwHvP8Nyy0kkV7GC9pOVkK5M6vCwqa0z74TqahlwTSNmZKWbEHNZ6K6hPrG5FaXGRswXApnlnYWSWn6diVOZ79nOvEtn+Ox0RQ6xrJqA1cxLbjQJHiEZXWqYnb54dX2zEoxAQcYyxtX5JSdZTobF3KdImDFfgmUvYKII2bqGld+gzJ1Sapw1KJKJmbE8qJDxZTF08osFb/EMhMWs+mPDlXMCwmssLjEqUIZM9Ut8a2YS5QME1arzFoJ5lck07VmWSrXpid4zLMi0ww0pN7udPnlN1/hvUYAl62L039i1+t4moKRhtpjPKdhhJMXOPL0MpLpz0T2r4vrH581ODlaJd/z5uxALVOmys4gc4g4tnkm0yt9Yk0AMSu0KvP62glaZpuc/2JzG9suZErr5XUgDRhB1PifHrq0pvMFWDgK+c4wj14B5Om3O0g/F3lco3RR/aQgWEeRUE/slB77cjCLjTzqvCmGSrPM1EwiJDTNyALmpLmIgGrQ2pXdTLbk7vLBQQvjmUcktrqu72KCXYVU0+t1lYKg/gArCHwpVrmaQL0yckjHi1APcQhyykKTXX9tS/qqYwCZr16RoNHrtq9ceWLl/S0rn7jmlkW/waImOdjpXOn4bKbQpUscuG9fGb+xzmZMxYR6klAHLRZ/qJA2mjDlf+3hX0OMsUSsPQVhOPHsYmjyqGpQD4YJCCSMPCQv2q5IGDmI31OLvrQ01dvWVIanBA+Njw15M/XUSGnW/6I+tzKLo9Fj1+xXGPPUprENKxNidYwuiSiZbFutTvZlMVs5l9sqMQaR8LGJZeJUV3OWPWBkUfftVXC87aB2G39YDFYflLVYi5pIQDDNFBxKBlE1ZOZrWzjmgpJnu0o0AaR6neXUqQkJ19loSiYKkfHMwYnKfhMEUXOx02VkOGu+xrm6x6OvNc+9DajfWqqbU5OzpSUNwPN1zKNjWoHzF6kuw+EcRTkak/k0VudILpcSJXaPdFg+zHgJuWznOoTERhyYB5y6SCPWjrpkd39NaLQajfWd/uHWHoASlSRGba2322QquVondGQV20ZoNwLfO7l751szicl4a26KyEdv7bSPATtgJwUb6GRJtSGKRl4JhcO8qCVFZmPBKUkck2FO76rN17PktdM99RuLxKbn5gs3J3FHSuk4aqAk1ZACcNFGkJFaYxvBhvVyQ90LPqguF7fHJZ1+zh76WuBJPmLUuJoaNjBbPhdW4Abx+f51GmgAZIOYVBBv8i7WgQIt4w0bU4yN8UMzmMxcimVAllVR70rk+mJb1x1wRcsWr6SuCegtXmcFbZXI4pazvJwVljqqZGiqagmkGOQkoc5QGbD5S1rE/m9oYZeVhKXYlyqQFwoul/d5Nrp6SiKVmlThv1KiIog52ffqXvnT3xxQlwGT9OGGu9bWtn0+Dyqyyk9G51mb7sw/akWV73//dJNdcvmSQDNd/m6qUZ9XHRhWK0kRVetydUlKiYgFYr/8kEnFR2xXNiI/QK9CACmZ/+YXnf3LiOjMsS8ZnEgG63G1TZsNvzeGc4oeqmGeBLxogCYm2XWeAfNvJLvNO5S/onTtM7bnt9NTY6Rds26C4bbw/urcKix4S9t5hWLznuKpgW+FhAY3TMCEqVDWsJqeaX7XIyBw19HqWn68/u5qx/PVytZMTO8CGZaKfXMnuNX8WinQ8dW260lAKBdV2DWmsePLDauxHGxbE4d0lFBYwuzTG/gjJBPBQ0io/Z12b2eodtoTARgDpdIxSo5+/4l7YUDGSCgX6ha4JVZg4upSBZBjXQOimGEU1DcuUqbPWXsd/MczAA48M4B+0gpp9TEqiOV2NFhVIct11HPA3pfGoCQu+SIU8A0mREVOuSKXZNJys9d6O5kBWbq07svP1xb5aq4qn/nEGlSDh+O2g28bS6CG2abuNYKw7PjKDbQPhnlDt3AYZMLk87dDwAMyto8/2B+x8bvNlNB3R4DT6MZHUtVtlAr3xh0mpQ7aKnJAJSshCpAgdz2uiiAG/rD99o/XUODaTWr5BKoOdiMZ1Y0vug2o1ShyFVF2MZQNMMf84E66z0huVdwVpZcJeHZLG3DV0RwtJ1H6bzdWnZ87BkUEktYTxVcdByuZp1u352nwaA64cpHGX1aA2Pm3jjxjy9gGCbqilSAW9cM8wslgTjApO7u5Dfenl6eYOWrGoMI2wYTCoLyj7iub/VcZdDk6C4sywsci7sbhk8hs18B+32UvzeL7EfPPThkDuoYxqaeNzWhT9pdGnXHObIsHEEhWEMWpZYT7RoYhiGVN4sKs3B466Q88G8K/PDkP9IkN7Iz1rzCAmf77F10WCEy+W1mHfweg8htltqr2EqKSSNuco1kxc6ksA19TpZGFKQrTCvpJwff+YqgZbvttM8tTT5c0rLFVibKgWXl9dQLDI5NSoWLG85xuYziabFhAzljEhIlcrewjQnPG2JIPdCPjGA09JQRnNgLtVExzqGGWC3q32rimghfAFmMmuxwCFtd6EhrP7n49Pikn+aZp86ouacvA1mn3IePGfB5gDn3vkOwjCdNwINloGRy2xsRY2mQHAoyRCV2DVxhW5eUmnJwyej6yx6xUC4AFeVUyJfzK1gSvclTCoA8QxHkuhm18w3WELQ26hn0kcLfuCMexDQkAqbLKQ0aa4sHhljGG4RerELEjFJ+H9wGSr0eBevkxnn9Yj+AAEBlFqaAH6TGe5BUJUrcxwkWEAT4uJRw6HLZjXYjFmShkWEliKEhru1wMFQCNOrbRFVcPSBt1Aqe/GuP0BfzzGz9cW3I+s3JH6d7zPNHtRqA9bJS4IkTpohqK7cI6qzTpkji3uiYyGhZTZXFVE3ukSre9cPlO7S0ip6Bh7JQaNYUOwXblfCEELP1CJYAPUlOVjV22Q3ttPSpzFb4McMBEtXLzVyjNsgKRczcssaTDEjBDutnTgaqiTweDrT8SZi+58DlOCJA4XNTg6pG3U/rroamj7WTT52noPBolRUWR0KhujBe20ZBi/F4jVCOhWJwwKeXeqiF7lu/lHJE1eS3Fgno3UW1k+1QXR85btD3d3fid4lJjHUo3/rYpFQj5gWawRvTge6osbDe2V7rAwld3NSiXRX4eSTWdOV7Ob2nz9QKO9coZJknLzPQ6e/Jt+VZ4Mt1paA0aQ+thM1FdlCP1gXeqa7C620j7KLPb3JG2iqcmK8GUhSfWUbuXEtFXMZXtSe1Z4xlrg/nFGcjYOAWV63RehdtXnTvwHDIGuUElACLra3wCP9kk8z6Kp+485PnsZb+/93UWFVKh32aqSlfTEFNvkIBF4hRgVPUdi4tcKSxQDROKmCafwvL+3tp9tB7gt9AuTstW7Sf33LtyyzO4hcy2GMQ4HlBH3PWx/GOYBBg6pAoCzzBh+wGv0xsrLcud0OmyRYgILA719aT4ChbQnzhreVORUK1hc2QgKVp5pL8dMgHUrY2l5sZyFTOYl0Ie3AKZEO/arV6ApISCJVZEp2ShrijMQSgQTlGz9Ugrm2pkBKqe0ibpmTOQh/rAHv43T2BXA3BtpQT20woXrkiKQLjapGZ7h4vfq1XxZVLDHWtO2+bnFdWc4i8PrmBwRK1beJqSkhdouYDTZVGSrLkdCcwjdqTN9Ne9LNbR39Pzd4rTalZ93HbVhLdXXCCRZVqCgaAr8Gj87tPL7j3n7G9njhWADt4REmjnqRoioDdkDTLdubxDL66vjczXBWQu5CDUuenOC8ThncfkIbtmnAze4Cknur452dvk7onBc28W1MBtfGGvALu64uQCktJsnRNQHztGC4oC8VS1egptGIEFYKWtUI0AhPxo1jBcxcFaEp+t5ZUtEbD9N1IWtncO9q4hTrnohxYZcT1vNB3L5gxTN9tEM7meAeUFsOfSEBcB1tYFzCW0oOLCSvJiuKrd7NS6xIm6O/wtfvYGmRkRmJ6hTbcPrV96dZKYc0uxRmqTod/YN1QnUYBQWZV30MiB71ndge0w0Xx02zV7k1tlVu8PnhVE2BQEaXppK1/ZeMwaq2H9yW2jO5kVAjeIOQT+/dMN+LKlBy5ITd6ND6GVkyUH1cn9l0p1t/C0VvcJqUhZXU5qo/0JIKKDVEucSEAUUmwEouWEXvoJNWkLHblbNbhmvkXKnKyVmaxl+irxlHkwL/5Ra5I9SgxJVTBQwMcrFwu1tfhmdkFyAQSgwNckiY0Rl64mycf2XBdaxDnwBMstw5oUfzL21uQzxDz3RzFe8C1Mzaaqzi4Zh7UjbSzv1cbSQZQhONLcDC/ev/rS5iHAw5nPly+VltPTfd2eU7+qmzN5wlkJo6boBQ0yCh8oXmKKtEACgJtluJp6ALTs2NRoia7QexrLVMRfjfgkEFUqJmHYye/+FBiF7+HvZiIxE+IYVmdEJUI2HdQDDFyz1g8Z3yjfb5NpU4wr89e8J0aYqZCzVD1CY204dedr+ZHwA3nr3NjNrgs3e42TyL+kKQnl7yaf1wD+jxs3TCvVV1rHrbdjPpCNr9wSoULmayuo1SpVxEr1WkYulKtpEAt0bw7Hu4mSZkGtVhIqiLGUikkCcBAAcijrypeONwGX9CUfWlmqmUhN1zXFvviwT8YbCvtLxD3UHczdsNP5nHTQVGI/JR2+t0U7JK0P5LTmTAONui5V9bSYqPqsW6fzUlGcxfUq4IQyFqaxDSNnZi9TJQNrFMQgLI3JJoR78LIpAFfQe8H8NgFSaHZPhjiWRkW09lBpfpXIt4Gx/BH8ouFFgpmqEdCqrzRly+h5gK5+fVQAX6JqVtWopemdzmFeg0jjeBvZice2UQGpMHlDy2mBM91p0soCroBx1/GyD4tOEsKoFHT7ndb0n3iHBclEgKorBFnGKUFWMEzGd9xpIFOV4sTu+q6vH108hVZa1xwrwxOfZBVqPOVBm28UF7/OGhEQq7OKAZhmjNNcE+hyQTGEZTdRdZT1hul0ZzWEX3bNlsk7GdfaTeiWevtnKtqfMOVk1tegShNkeVSCRADUxkJMZlILhLjULCWm7Xl5ycQdqVJylBWKGpQRQvWGHBQH0bA2BLh3lzx1iAGLGksqHCV0bDyP0tzXVOUs3izGtqJIkq1NU70al0hAq+uiATV/cRFplJfYqQkspiM7UPViNi3jWxLH3z/JBY9ZuzfnIJFlu4uzTHYuY9ulEtHp5wS9QlvNZykyhU3FUrzVSjCNuRKm4rDMre2zU93UGNwL6RmwiyHvdrRl+bFONeLAdUsNvRUnTtXp/6mdEZrhQk8ypNZtbJYfS+mJ7TmOLQTYE43poPYIKwi//Qino7vU69FW3xQKX6mieISp2kuwQ8hwKOuRoRcfYcbSFzpdnVdPiNe4JHOgdMFTsco7JUmeJr9GX4pwBzsT+VMH3cF7JZoApHN8GUTX8mlDdsXuUj/tTm9ctLy9XEoYrUnanfZ1OvSVh2GrhngG7h2b22A8MMjgOB7bvhyRiFOuALGSfH9Fd1+DySdEwIph4gg9j4yBh/gIzpdNp8S/QXy07fKAqQpu/dOuGm1hZdocSc5cThCbiapoAv6jjzFDot/8ocOukugMCyVJPDrJtAopaTE4eaC+igv68rTrlyDpI/UFnyK0oBbUpttnn9b/mMxvM5kUNSWAmYENQVUB0A5kArSLFgF+v1Iq0AuUARuBOiAbdB1YAxQDfUAnsBrYACwGHQCzgAqgA2gE5gHdwCpgAFgIbAU2BWwHtgDbgG+CHWCQ2XlgP7PnwEpwABxiDgYcZv4D1oOl4ARzNHASdDHtwHnmjOAiOAcuME3AJXCNuRy4FX49sA4YAsPMbcFd5g6gB7SCR8z9wGPQr/0E6Mbv1Ay6+wnqFd4CevABGsLbQG+/gCPm7wEd/gCngH71h9OAp0D/3n8oAqoVXhJQDlSZXAJUgnerTQdqAF+ABMxVeBZQCBSAOcw7wFv35gfkBN4ErADfPLAWfOcbRAcgUAhoMFjobQdeXB7mKJfzlL+39BHAl+uXXvl/so5N/2RJKH9Sj7U5/fmhxseQzubqP3GyV3+yNnYcHb818XdREE6URRU0WPiFd/AeFsudUi8d0iU9clrOeDmvwh/o5/j3I+uDlACCuSAn/MtJnGbQK5KQllx0mWyGALVe/0NHdV5P6S3mr2ab+WTKzRv7k31i7dbLI3zgMT0qi2XGJmM/4qcTH02OJJk8mxxv7pOxZi5nVO+uXE++5Fv+Yx5b48U9xfcOczlXcPvO4MKlT5b+tQ+tuuv31P/sfKK5o+ltzbT/2rZ2/tWxdnO9W72S/o/9N5O/Tm6fLE0+TSV+8sNbXT16oe9i+pq/1lSu2V0rvLzm8quXT1xJy36Q8+DUZC7kKtf+3wTt3+9u8Jn+3Y2/nf3vQ3mz6dxffR1zIOSnYSML3sXCxcriT27//tLS8v/Ie5LPW21f/bWCduFHC+8WLhedXv89qlOx70Z3YzzaWNKxZPPmNyX/714rdS/tVPpqx8mMNptWbsr+FKedkpVby/m5k3l2ZbvKPpXh+ZdVn6iaVRAKSSFYeJ1wi/OFmlY1FyqFlX+te6L6/1M718+snaSNq7fqUuOPmz7YdKn1VvOXrFNtmL0QE7C72H5sPKdJ6yLiibarbQvtR9v7tP9DZkmW9Mkf8ydSN6ljtID+GS7VVeYxeC15vXhDuC2O5Eyuw33H/wX/C4KHBFHwBYfwSsgV6/t90ZD8jPxnknsURvk36eelRWpDlbVPyWq0P5V/Ux7X/2ZRT0WvsW7cNd5R/F8JytnK5UqbmZhr1suWaF232tahdU9VUq2orhW9J//ZTd2+2cZKRJ1qsiurIt89p76Ke843onpSvvxW/hFv4V/zNaJGxERCpIkMkSV5sn04J5nLOXN/cN58M77FhFwvs/VRpThMfU28hHnkBZWKr54RT6h3tX8vLZNeN/8snzE+biwZP2h+2XzTes76Bf1LesLJGDONa+af3H+2Br2u98D+tX8nmA+3w990RuJ/m5qXWpDKia/Hf5w+mv6lx8n9X1ea6unfujvZd2XLLaXdbnfb/fawPW5POjc6XEfoSJ2d7i91Z3vfVXq6PFeBDctGh6O36k+vbU6+0Jzf3LP+S+uP1rsba6eg81dTxVsT7i+5X7j/5+nxaDxaD7WzsPslb937ZW/K96Ozl2aUfmHgSOB/ULBUH7pywo/8Yu2X80+iumggmr9Tv2uIfyauENNH7xEqkRJbxJ+RWEG+YFCwST5PJol/UVgvfEg8SFSTv02+k/rctavUakpIM9fv03/Oo6irWTH3H4s+5HZz+7n7+W/dXimyd36VXOX5yn+8/302NfeT6t99+Hn+9/N7Cx97Ip8WycyaeM32n5fm6OW6L8pJ77/t1m/ojXI4q7U/EMXqXibzWQOct33KO7p78qQWcK2sTGv+kkDXjNWp2M49I1Q6L/q2WHP2BWDFnVwzBqFVqTVW48phjWgW1QgAq2uyBhveX4cDCDiwzY8u4tMErObflbyTvAPyR09/8Vrtj228o58s7AB/nZZNdnyWpFfGOpHuAfL1l505dxgxrAWyDzLMOTeGYxpvdRXF6aVDVqrJGoBWyAWyvl7CNcAdbjReNhsNNjaI79ewimqdXvT1XIQQYG6A9LGwTo9MAmeLkxvgZkmGleW0z8L4QB4biCACM6Q6Nwwi7OqW2+6F7+lOABJYISyTmeKVOsaMDKH829PqIqiLLw7X2FLIcZsqmBjpU8aYsnaVU9rmU2b++BFIPTHEGGm6HegMNZ4tcybgY4uhCgmKaDXkzOC76dpWsK5sS4DmV3nIm/OcndbuBmHXfJJvsTD+sdRuKFZ2T222Pgk0olNlHwdc6GaACrecfCB0VwvmHD5TsaSkXlNAr3mngRIfgBxbDY9VVFEFpwHK7VYqVwELH0G33Wss5cPV1bCslXILKfg2kHP+5RrUnzUSh50HK+9mhw+RztN6hTnR/xx32e/84W71GRAWuNBih/zhvlsGCENv0CWHUFbKHqtMJRP0DHYmvU23MNgfPIPzSIB66UhwB4TY6wYiwMKof9r1UcqjlqO+UvNJebyXL9okq0QcOxkmOrHV0NzS7zgb3ckuv976+mx7Y3LTnPnCfrNBJCWLbgHtXWurUmpJdvGoMwoqk+sm+BEgOUqR8UW62ZzHXHreFSGOx14FDUX7mkCJV7Nn0dVPNN/mu3d7xD7XEzdse8+Wzfjc37VU5IZ4LMe7kiuCMRhfJ17Q5pJA4mriTy9/nV5OQLhf20HsYMeyAzf19y6ZmcJig9+S6m8UNlRAndgQN+DZ05p5gshG6UbPSKFmKoKGvl2rA/fIHzQtcaKNkkSgCpWwBEaRe4I9m0dz/naSkFW/pwPUTGHwvETmjRclZYYI5U3VYsUcT8Q9XNxziuUgIGikhWj8/AIafZRmBY0jM7GUnbmFLFBkP5r6QLWpAdb272zUNGoBTDNqR3eN4RaowxPBagWjUW1Rcch/v7zyUuNtMhs23/gIkMQfsdI4V+a80am/guRmhiA/+R1MghTO3rpSA4EMWng7xLo+Y0MGC68IMN/7WpLVtlIHgT7t98OjKDb2GhTI4MyGe0s91U8bi+EWAX2ShzuIgKc4roCd7Mz33B7K+3X3PWnvXZu1EDjwb7N8QIvLJtjNUItzFCpqGs5IBcCC9itFn9xmXf4/dIhriZBnqyUZ1pFzGkHh1yudZljbjoBWtUMkXOaEX7xdbErxhW9KFBMPjPEyJ7HziGbku9OpneY97bc2JDJDIapthguGa/1MpaP+4q+szFdH5Op3URYsmnPCFAns1NnkU3GkZ09orWn62jd3Lu72nlLxexunYJG1Ya8AuDOBmsAZlKb4/XkH5Xpla0DjDlGIHJYzgkgUrKTZ74x0Kd61xe7T0lZrdvkrD3U59jYXwxBxrFCQIKJg9OMIyYq8+ilkjKGQk6lgVrxzpGDX1Sha1RJdSeo6jiKtrTbBO9oz/FZp3VAju6YpQBpSqYoSuhJgX+8vamqDCxuq3Aa8TChmHDlW/Youh4ZKXDf1lZhMVid1UuHblWYO0EHxUEIfIzZGHMoGdK9ay//aOOlXV4sikKS6wvapZIvQAU9hCQ5I5NyQkSWnpIo0tlaMxK5ZFVdtk3bYIoC4fJFzmvdNv9gpmmwt+dG/EdyAIpAFWqNSks3wOXndgtrphouiZyv3FAuQx31ihYZwBAvZMDSRVFm17TQTH/P/WHSwKtenDHx1uxjtpw6rVmEZ6ZUpPz9TRfahB/1nKNgXb+5ijOxxmdQGTwFtqiLtw7QoiRoC9fzx5xkXvEwt3EY6bKk0J20cyD6NVWjQlzEbBqtIfp3gmBgtwwvvaHv2qzDjxPTH3ITZWDUBpKukCof8jlRCyaAuyiJx+Lys5+vxdq0EXOSEWfW68pSK9UefUzldBRweqbbr8wMxwoBsnE733ZEKZkBOWKuktOnFjh+pUS1Y9g2jotCE08QyTwDdhrM21PkrQwq6GzGrk5RQkMRXUxGAwkogvxpfw86oxs00akFFXmWXXMUfqHhMRO15Rr/TPzXHsDfA6bN+XMFHmvXa683j6P1xLxiLyb4os9qZ01fSVCpjTriaUQj1chJ8+gmzMxT8Dake7+S+C9EbQjILkBE/bDlakqLfbu2v7gABfwBPTy2Zaf83aFabWmtZmf4ddn6M79SPrpbdU1GqSYnovxh+/gRbAib0/300uO+LdzdhW6vvXEZWi6qiGYRRVhoB94lK9b90rkT99iZQHjZ2K3PW86SXaE7bG8cuMMdG+gAu7135ygfo+hZxZDprXeEzeeufat9iVH+48h2ZNdkXj9K5Ao/W7n+jnXz9f7CmxDivEBeENMmyWUkXMBvNOJILtTShNjKyTlsKARilp8Z7FwgJBwesZEEOMYW6TRjUoYW8KWFWoGs4YanKfPYmWrdl9UkKB5TYXunDiVO+ZSKIKaoMMbvKo6bxjAuoI37cXIKhmt5P6Q9qMWL6iyOoAawnxEN6nV06fP8mQKfuCwOYKGCSopywHvvJcBJSb+OxRA3427Z/+Lzp2kXNNRO7thsKgX707IBog2dnyO6M/8PfLged30mDZafp5iYwA1eHTejpTeIraIVX87JfEWS3DYKgSm5K3d2OomhGDMgL9mGtQazxO+u810A4e1eqzq9+qe4OXz8QevXVkSPmcoXE62UxX90GFjFqfrg0li9ve2NoZ2XBQn58TAj1+BARufLyUqCKgEBIBLFTjx17Sm+a+CP8wcC1mnI6IaaVWHd9cHwsvk7PPx+qHeZ3Xtrczo+pQLABWjPv2OK3TVk5kaP/sX576na9XV0v1SOVU6vWqmDskY6cGpmhU4fmAXQKihyg1qms+B4ChJwrDZrLX/M1maLaLYacT+p7w8rveoc1rzNPOYmHpdMLRbIqMxogW16Ka7B+5/71L6L92VKnqDGlPi/jwHUvh3NaW7PN/APqrOrYEmAZcGj5ch5qgD6eiyTW/fHLiiY1JQ2DibypqaxqOqnD0FOloD8BDbXjjFhJ7lGNgtTgYYyoyuqaEb/ypl5pUpLECwWPdLPrBM+p7Fwq8FMvfcG3spNUq5IC2B7egfTBC0kTdnX3hxcQaSzbjjsXf/+Gloz27t4e7eoxF67aDBFqyvKVKxN9bdUtK99p8tUR1xIey7oAoEJH15ne3/y4BvnZoTNW6finnjU7vVvRo0zoVv9ucpd8dSAK3pr03AdPdt1KK6X/RMa1PVu2sE5TfNPo+68rGiAr/sCE/7LYQby4OOHH0AVfjzOwLg8YaVxtzPlyLGBaEEoTTPe5tA7r64a7zyMNze6ZMIRJgb8MBPZ8AZLDFVUSl6fixvWZhMF0RwdcMZZimKmqaoruhl/Hv5v2K3Z1eOUw713+Sr3UpEvn0ltUS89vAb0HP7wKu1X1+X1O9drnwsBSugt3LDV+GBXImeTD0bJeQTm1oOB1UhbFWFmH3MWPELhx/wuz+btnP6uoW5fZhY3o3uzeY6ulYeA2PX2rAIWi2F9GrVLFbGdv/Fxxpr+7e2/Nf/vW5nBPPgpBPk8WEsSXoH1aIKiWJXzqcoUhuDMr8zIbISoDPrmA6+MZeRQNuuvakN8qPLaf/HuDq/K0RAX0lx+8uogs1MJJSgHRQu99uq3NOUD0ItbUPTcS1uX01BdzigMHVitX9XNYx41CgIXKutwetHzSEVtAwhs7DPterpkpywo9NZNN48AK1N0wMsKExpVg3gVyeK6LwSioPpcnMwlR6zekdvXki1JDBDyvKDw6Ro7xrKTI3BMyrBn2cHgo3tT5+3SoAjITSsnmPaPcNQ0SgqcIOdB+cM6vsXFPNc1zVfX0QJwURMdUo/wT+vdb+dZTnyOeelHft+pTaAZKQNiwdvXrMWILoRLAxdNuaxe1xnbXtGNwfVJqXo/EjRUvtjHNvP7Fbu5gR4bXwKlmWqEhBiTKOybd5Jal7FxeyRSK/KcX/oYBB0ZzMd4NraWkZ4WDsT8IHlUj+ps0AnlJUhEcKxK4xAz7fA9Mqy/323BF+srclLgurTazBKF1iy69k9ktv6qPxFvzlrv6xa2NdAVY6snzvaGbr+iIO5McTvoAJLEKU2q3NMcNza5KRBKUSq59Bau5JQ0QeTXv6UEGWDw3AWXhAXvCnmcM1Cl1e7akO7pGvp4Gp9h3MWh2VAaptFa93NcY7rA1WO4ntOTF9Pm9S7VV6cvD16/b/Oy+fdHVoywQdFlT2JYnSo7lN+OzF3Imtbp92BRA4Oz8VJj2uZVMtHwwdBv777xsWcialW07ua7gzzOyoOuLhTB9cXnDLOwDgu5v5Zz5DF8CE4nFoGOsyZi2NGXxjj3ALeCwOdOAFCkJNTTg95sYB3bSf4hOveq2qdFSnBgklFaYMmKu3rNs3fMdxRcHfPu6DcaAR2bnHYlE6S7RFOXjejSTfh39E3i5pETJNRHqKWndh5Ztsx8haUZJL8F6kSqhkUvfIAksaq3w/R2psvFN2+nsulEwABYMPm+fKDnAC0hhadW2mAMNbTBm06h2oypKYjNAgli9s/XCSWsasY/88S5JrN3RQDty4D3ZGjeM6+Hdl7UIMKYtWdDpMWIVGXEp4VoLb8+dKFg721ycae/rnII38MQkaunht94ECG2qbqr1/SZeA3SBi7K12RVDyq0+NWP5v+bMb2/ONfcyKubxPeVB+24nxUeskxZPufbbbZKoFfSf+RLfwidfXWhkfCUFpvMjbgRlgLhvqq65bkZOmn3KaERyPUTG7ik3QS8QpKJ0/9IG2vMcpchSjPJSUYD8ijBy2G47AurTP4wprJKeMUFAORXuz2u/IZthDXyQb9EJmpAtyrisf85FRLpk+PBxkBDqMmZH9MWzB4CA8x0JPYDPecUq4MJ8DH8LDuF2uMW4Fs7B7Kc/XGdmwqo4dB0xci1No7t7mvZnr4k1p/Q7ifxMcrqRCgPRq4TnLD1kiOl/8WMIPfF8DQ0DEJS0KkrB9MOTaJ8GdPLx0WH4Wh4pua4p4hOGX0sO9AY2QooRGGEBe4Bwr121diEct8KBF7mRhE0Ibc1VVasmA1EDBmO5jHHywdz0EEj6H70vx+zZ6tbVLtgc/ZObl2H9Dj/8ElpayMitIIpFNA+st60L6B2GfqYi2SgZM0xR5pxnn3V8RRFEXnx2boLlRUmWn7lYbnVmwR+IDz043+zTIA67coeX1+Am3vtp0ejsLo6qNiBwMR9l0h8xHmL3GjctLz+ZebzYllD87A9xt2B9SrXH6HVH2a2pMi01LF9x7dEiBop/cUeEBxrc6PNoE3uRm8cLwRW//VobKtzhUCmbMY+FhOxbt+3xJjBBqzOpPXYu06YP3NxliCEI6ymusPZElicujdA2syBrOTSTwe/94PpSAf1g5GDbqIqrpHq9hFs+d8NKQNkJZQszmdGl8mK85b/Ve5jcHg2dra/IrqIgMnYbMDNVqQpDqr27GAk2VdFZ5vAUb9Q1zERi2Vh2QNuFVMAz88F+39rd6a8lXacZ9GsAqpKE0RFx0hDqJbqpEx1AVE6+PNj1CErlXtZk1zOdb6p9xVQt0Ve6O8ACCNtqs4MteqrFyPqTAMjh76caeccfpvfuX9o2CxnIpYw30PGMXUBQDgs4Z01AmsM89OKOUkWVvT361G6SGif39qXOsNR1fmfF+k7gZv1OTAu1XXjqCAeCFgUPAnYq0ljrVNGwEOEqzuHTJ6WOqUx1o3warTj3lKiSoNvVlIYUFJbMDcW78kM+Qm/pk+xhbIjhaONP/evFxgaxVVgcv4DFjCB03I0Tl6/EyU8+8+XAQrZFmSBWIoq2dOZpa/fGJSavrtCABcHQjUreTqTrWs9XJkoXKDByBL8FvcaxDtXYKQUIylakwrXC9xNxV2++C3V+GkvdeQ9IWH5Hh56+KJlDK+jywkwIWLaOa2i3NgYYvi5BtiD+ehK7gli5BgM1x4xwzNdshJCjFrbfogdqHVVWJYfLKJwpWSTUvYiPQCN5YZ2EGlMkBmzb6/U5dJCfLzWM5zz3cvcf7zFVbdAaFzMukJf40bt47edOoDqUIm7ZnrsYDgFMYQwnh7THjrNz3Pq+FlN2b+w3G4vjM2CZo9nzlmgAnqJUQqfHm2WMCOV4AbMiabvp8rq9tbOes/TA8KyYWSBYO6Nsylv74AFl6k7wLpOf8x/uv7UZjv2wgNJgujR5whx3NxJ3JG4V2lhCCZH8yooflYoTvHg5n6afuTTTKuan8xdn8YvNK4Pzh7NHK9/NN/bbfDlZXSFr49/1kaAwrlaaqE7uGvQFrZKj1YoldILCCnD1RRY73+fFbPyR1X9m1FIC71PVSPfMnBLA3dj2/JF8y7gz9K9DW9+uHkm/Gw8pP4oCnvSNws9A1SJ15rJyqnurNtKGhjEEZf3mkII2Hr9YTkn/RvjtD5Vv6K+IXXjiWKrttggIAEmURBH5A3FPuA76h7TEZE0xqFsYpC1x3ItdiiorOgI6X0dsQOUpJ5NkFBe3poSZgMTJBtvP4ZYMm8uldjUJ1Ax4wPFoKmI8H0tAEhc5LhCxGBtSQHK0deSKe1YTHGwdsYYAUvNPoyMQk7wXtqJqkjsLLqcOUXUFo2rtqMdBt15z2D60skWACbwX9TSR5ao1sfP8VvZevT4RsyN2O+309tod/3Z4p/SGGCidIk1fn3fKoWC5vgGDoSjKoh6c5vRGGhYuJPGXz+FMOUNi9PNKvTi788JMa+K+/bw+BdRgU27Cs2dMYwfV9dH6RAbtN1+Ey6fcdXxEQ5KYzgf/Ickt7xmtJA1KrX4TWLlQjaFb4cUYLUaOVwf5NB+t3Mx6ZkUsewupOVLamm+qqmyUtUIkKbRIRDwwo42AFlR7dScUlpeIPiUCNl7ulOHuhlfeeBa5ft0UK2tyPp14fJL8xDwmneLmu76Lapw1GtsCaA0ND5ok3KvWohN54VucbbF7xRofQACjsOdJ58foyJrkG1ybhpkRMw0M5T50y9hwkbdCVM66tbPViscnoP7k2sBiTNeB4/k7O3vUX9lw3KyvE1EyyoodrU5wu5Oi60uKxy/RBUEr0so3Qu1cQTJZWmDbYSMHWDIrydDXP9jPov3IyT8YRq2zNJQtlfAFx6y69QuSDUTu5SdYxAKisPcTI6m7dl6Tr10APJzqVPS4Dqkx6Ux4tTEfz42X0nn6QVbDirHOcI06oRv6LoD1ZYMGpkA0BhpTfO/m7b4XSef2b2UCmjneNU1MbQtj2637FbfUwQRe8aTVciiAkX675rSunp8fceYtU8ROc17lX/Ue+kzYH2lN+bKpcTtzhDeUoqkAF/otmfz5B9fzKkrVKtj7gZOGrr/3aHqpShWSuXolbZNzvuAuoIp6uuoAA88PLBiLhV4ZBYJjInMNa9k4yUbT14hN7dJp0ajijLgaOHw5mM0/3/uN1S3jTkuw0Vs/mXx0HFjsSb1uiB0lj8MzNXV13zXPktUNOKq/OJz2Jf984eQLJ1U6F6/SdXcDlrtICH6IffTDx1+6SNWNOqTOt6X+ir8LHFBS436tbWx/cdQmNanO1dWytEWINZCE5AXXjrVN77Bt73bSwsiL9XGmRXFPfcPQSqns0NRteq6ndpaStkZjX8kpsjKShv1m9KGRwbBE7LnIVGiZDoSIDNpGW1ww18wFbSNfSNerFb3dzAs40MerlmyBUsTfvhuPha64LTQJ4EZO4eQjkHDSUcon63FqderCH1YC3uFVJjBaAZYPwKPN5R296Q0yrF+0ZQKcyOq+AYVSXbRRPac107KHd4b/9eI2YFPwl59t0I18dwou3bOAWVNlFdqB1NUQ8MuaYANiLfhl0ahf6zypwIxlOI5djuSuMpGbVibLGK8PascMxUdFa4P2rUe9rd2jJtNeJw7dCWlX0nIKChCW+IYUA+FjFwxepmkvyyH6VWFc8ks20CPZvgy7O7z4KqqjN6sFVazVqv51TpEMR/O11GjtAflsosO88vuyXVYVr4Bj7We4y/yV7MjKhdxa2myVwyQvBspl7tsTLRIjs1XnBnAtr3HwgmTXCjS1qRG3D6QkE1t6Q+X35eZLk/ZJY4OaUF1qQ+wLRW6PWqQbLMvjvMAIAPXpqkikotSOfGAmedtBi08c3Dk+iUgaxcq3jpEj2uPFyIUthB5xDq7Zn2zLxXh2ynrNh7ydLGvY7rb0Vx1bVmji4dz0ym/9ZPN/E8On5zuoYf5LtN+0C6CCOfRKqEKGkQQeRckSFxeUT/ttIuyKxL/x9f0MlzpXbv04Ryr8sSNpRTd1WhZ66Ywv0N6qDtnyhg1I1QlH7N+tYAn6hLgsN2F0Sv3f9/Ce0nyCF8qdslgCTCKvqCxvsx12RK6bHHR48Y57FiKuJudd6eCZT7Eb/iBPx7NsrokQe75t9VwcSF87Htv7JiYkKGVAdQomKGGkYkhCmC5LYoqos/f9QdjKYuqinOy3hPRmC3cI+zlnLXkmjRsT4U+EttZSvOP1/eKad+9hg+o4J5+1XRDXrpCAVaOW2Rh2ymTT8ZRUS8qx4Cx3QvOn35q6+NRRhxhbGWjQ5w/kHBrtLq8PClK5XCBV0KxMr0ABxgxFicXOdZWvFe9pDk+V3BKNATHwkpny049pZnNn5tgfOtBlLF181v4axl9ImuWmCdWODqK9pjZ6efqRo7UD42ZtrT23HXL3dFdqPg5oDI8te7jaamnT1I5DvWvvLLb8IK8YmDOjjFAmn+q03xRTQIaIcTNzXCYm8bS21dZ7ipcSe3XsW0CKl3fKsLdXNTB0d+yw+0Q6gUt5VVbBmcTuDiMJB5LPspXKmyIWL+fXON7AgVQr4YrYsMvA3qGFMU2WDaUpmHOKQ+FaxNhqI0lo0/O6diuZCLeNTaCCJLosyGBIQdeB663BvWRxq69Yh7je28Y5/VX4oBgOQpJe9nUYJ4yn9Gi7Ssslr2kBK6P9XkgANE2VotqzrfiZBAZkTcbwLyCpFmjMyv5OkKpNy2lGKSaqphmbx5lTMFXDxHFu3zdHgWoU+B2kblXXulum7mpxHIqpSmISSRHvP17t5Lb7u8Ixd3xzX2/IJkPBCC7xhkw22TreDnYzf4vECuV2VuM0siTZOwqnFQ2TlAVRCO+Wu2oMiAgdkR8Tw0DqSawYuNcRsXqgD0oT/wUglYrBbDU6/4a47qpgqbjdUVrXPaCRgL4YBnizDcJJS5q6pn3htSqFPPR62MCOqFpyYEQlb+to83XvAp+GqVY4jI1AagF1Yr4tOECq+9zeBlybYxXn0FLRVuP6PM6k6ycCUEQfiC2YiakkRSuB443DJmiXXHgqNhSkHftxLpenRAQLomQg6BYUig5uu3b1JXMH33LCNUBAI3z4sUtzcY6ONQv7uPjzuAHEliSDB4YD2T7rDaB26Tgmapm1VtiOxE7QVUBq0FVDhNA8I1p715TXm7RRC+TNqwKH/VJNkcLaBRxc/pzff7YMOKqm1GBA9syyDYafHoBJzoLwWWPzgJHMSG/qKZ4R5HtG2L+rzuiKYVqW3mnQAc+TicdMIr8cJbioXv1v0dv/elwmJ4Wm6fCaLmrZdGTvwtCfq5Sqy8rp3l7PrlOaOZOPO2oYNiXXb+Bx2KN71BBIgfgAxNX5POQyV5fOnPw92vK8Y8sZt0JUqlSYY5upmRnWHv88y508uMB/3KN7KuDyjZIPKzo1KEqUa2m5c/Fo50i/h6llp1cbE1k0U0mWgWuSfkJImbVOOJTdD6goYbHsSu2KKdl531VV6Wwm1cMqwAr9ehPmRawm/tGosz05vH/DU1hoYXLe6ziMizY0ioRkRXXKV16w15kStlArbC24Xkm0aN42vmrYjMdWPslQyvmxxIFTUlhc0YArL/Zh+K7xnLU7bDbC56/HldpPTe7QU5TXY13Z8Q3OJ55sGI7VTpvDdmfQ60y2A1UxCJW3b6yXdzhQjbf32jJIG57ZZGC+6tdczlrAFg1oTk/opx9NSFpdw+pbt0q67fmyhymWhV8WF+bW2lUtU24IQGIUCbIcrqODh6Wj9mZg5KMEA4GpahykOVkQUZQqlJMy2APT4SEeqbGcGp640qzKLCXbiiH4VkXMeTZwhSCPOWuyoPmCWlc0VOOmeE2tY1hRDkv9gWmGoeAJjed93QLO5l87mIEtckVo2AmuWgpt9YbeIDzuf3fJn8ZhGKkdhWTiY8VQcD5v3ZC9FjomOk1HY8NKw3G4UJIsnk2F2Ny0XrV95IH9WuyEg/jdZwVhtRglP/n8zPL5miW5PboIPAbdc9hM/CAa1gARc+X/i3H+rFG9JoGRuI6w/m0gwUhwz4aX1WyPUS/+tfa+GFGlSIhhqqxZCbLTui9EAAoqZoZKvMY5VTs7kbf8Lu63GsPbh73x4WA8frfX4zdWVcuMybVmTEE856aKL+68HNJtPXL7UXp48HuVuGN39sxR0NKDRq1ZcVcMXQP3q5/f+7B3c/HSDv1TVvO43qKIb3M1jrt50/UWa6KBabJD7O4Mqm0nY6qWbPON0oZLll+ZXcWLa8ClmqcHzxz5oqPUmfc+KPbyFcKJrYE6iIeG6YdDp2WNlbaWZiM7as8akLGwpL+3Iy7HGwlhoAQa8YSjDa8MeRuIvEAEOIa6SRWxQrWkxJWfM1cqVzvjmFMfaz9KpWMfd3rxiNM40HuE7OywYtbGNiwOc+oQ1VOtsNFZ73C3uPWlA+bAO5Rj3PDdN5RI7nYf8BmPd+tX13YasgYmzWpXTcvNUggS3sWUgniwl5ZRXK2YnKmM+mvOSDvi+rlb5L31bMaRUE6v6sDEsrsKRNHYLaGg75hsiqG1q3ve/uV+yd0i3ItEKFdNPi+6y9fKkXRNbN4q6DWQbzJLg5Ymq6IkcvFN0SFARZf78KlQqU6TCiLcyJfOy0QPpB/3sTP9c5Zg4a5svueCabLzqstW+lK3y9gadS5rSxkRiU70QGhtuLa90OxkNigzQcIp4T4TAWib1jxodlZq9qUEiS2GS0NLUBZkkFwZT2T/C2RXz9ufCVCx+/+0MbGP74od/O859pzCf9NDClLEe68zaUTOfsNUCv2TmToicctpAMmxWXfgo6ZFDfCYzzANJN/bP34nYjKdrUqR4ZqICen3MFcgLdJGZq/+ggnSZQmy7YNK0sBiogH14ANABw6v2ScEvLzTpqmwbaZVyCLzenewu8qyQFrEn/+YAw593NbBnmtAjWVADV5t6JVZXjEEDGsgNeOrFC0OjP1NS/0kXZA2a2Fmt/N33VyovqABLyJqhVFCgcTzhIcRQpQ4dJwTX4pI0Me/fHUAI9wx8ht29Pe7vnIPKR/cNyWt19ZL652ZBACqSilyhlVZ6yu9+UjxfJKvewoYuhmTBVS/Jjr+IgojSlVsS21gSbfkezvPM8zZmuAhOFTS4PzU6452MbQ19IfSBmWZ66zLQyUCMuQLuIsDUNLHXApno4fCtmrGmVLItQcJyEyFTRUBpWkywpCYrASWp3A6KehFp9bIpVl/u0avFuyo5uS1b2v7AJWo4grbR+PlVgHw4WIC0+BJUuVioVzK8JjcyzGugsf+YlvKMoOicsc80R3sEocACgJMMSTjF9wJLiwk8A+ghXSElxgO7k//AKawQtraGgKnbGMLURD0aqn+VswRfaiPABhbJzGsgnfytJpjX9sgTJJ1LtgIpMuawFNcY+kWdlQDNKopURYQLJCA+38WzYzJCkyIbWlb03HG0l1V0xw3IxlamzC8WfQo25LPwCYBiAlNZfiRKSmhqgwAj101MatYsa9nbFfll1JsJekhPlHGIgtwTR3HZmIaqlM5nB8LWMqTmz+5TZU/6TRADEpyIBU2CpOeX8R+ivLP1s0Tb8DuYLTrIxkhRw2hbPVPdzDG9KBYCGQJwEweYjX3OuwyKcUY9SLWBK/owhNjyRRJ13mZIfbXbikAsSRayPVGA+tLm4wlHap9gLUl5syr69HcKdHhPrlENYsLU/v1JST3f64FITEsRM9w8LJAKcPZq1uyCgziiuXAng534eNoZnvxyEbhgHtEgXLf0QfZcaAAUCEyY1lvfPNTbV3dihG3hbq5HUUW9Of2VO2CfqPY/TEm80E69vu1H9pAyLQjjeQLYUiQ6Zh5KhRCAVl/m8AIKKB26HftmgsFk0aW/tLsXIIuXzGnJ9lp4K+8WR1AO080F03DX79IJjtccXA9bFVBEOtFF6/fYGAsFukraLOXLOyVwB+2MvXJdTpy3AW7cV0HaDjYyUJWLLjROiAsSCm19eyMdYVDEMs9+LwF57C+OrJd+8Bdw3uyosgEZZgpQaR1hRkYuaMQmAJ62rFQDfK6FEu05E50P7Fprm2Ck6meFzOFAf2Ny6xyWdd7rubPSKa/YTBlX8SzBDgdKokYyhSoGkQu5aPT/uizSwSofZLk4H9i667CftfWg06+vdCBy+GGHwhABlXDjpwJSEPVM+xe/qkPdpfZlvLYSLoc7DGsKpkKBha0Jt202wVQTdYpLI8HE9MEVsnwbEblnCplveAAKnPlcmBlPG2lzSAAsQ0vMp1OXoCI7vgRZ6K/TduWapAQ38CvXZXRPd2av+ulvUVeL1qJUujc3Seo3312OERUF/0nAizQOuL5PjDohB5keU82LUzYkdl+ZR8j3uSA51UHf4Y2b9ItwNingP6kCMSDC45rlfaOCxaIvWeKEEEJK0sHH3hF1uAFUoOROO/zaJDmBYNtb9hNd19IbtTMFtUaAnU4l7wFp0Xe3IMvvcjyaY18XoAYcuN+JbFuwVMBRHh83fdZt2/U3WBkRtbb3P4PaRL5pu3WtndX2S6v4VMtQIDJAqntwUkCNwRtOcaCjtxf+RjJbpxo0RV0NpE6xQlHigD+jyf7qlGm8j4pBUvwEyTV6M/KZmBBMPXWTQzz8lQ1uxchHTaY8RpjwKT+FrTANQBzvEKRCbJm1G0w+UDjooXEgdDxvzQJeo2xCfYwYVahIWStBHoBFcs76C6Yuy3tsmN4KxRhA+glqVUcCqldtcKmw1OMadZ9aFuCQ7qH5HWJuCQx7TQagEMTtJ2wNZD+WJZA8t7Raa8Fp19ODpsIqBirqJKagqmhZqgmF9dP9lxFhSEItN3mzV9uolKMu/Eyfkni63UYApyP1eWnr3M47M5x13gHUoDctYO5jkEMEAeWmqgLam1h7NTxuSCor3+/9v0cQqsv8x1YGjfMNgKKQqBYbRoGeo1hqGkwKGmYi0Z0TEUr+ydlkBOc71AYri7CQYoRIuQ1GSIdKg0NNiJt4TQAEum/IkHApsgojjCoELEq//IeATu7QmMVs9KS1ygfzmCVBNRW2HfOiG6um50PdpquZrkd4tXeaF3dB61tt4OAlRF3AvtKD+g972w0I9WuXzwoQ7FMkMXvE/o+mo5cJHAMCa+RvRusSt5x8wzPTX6Nzzqs6qSrjI6TMxCF5dyEgoJ9Gu9cHmLBc/ws9ktTVr7m+BxlxFhcDC7HVuU0hp16iExN2zwOnKHyMGRNRktT5PAY/K3WEQ3abAej2bT9LOVh1lSunF4kBFxyUls19FbwOfAORkI4aLWdZONY+cELzkxrgoDL+DblQ8uf8LjZDdPQBYOQd3QepgrcvxzAJaewkzK+u9SNjhLMBZsBqrJCynppqAAWnMDf42TzCeGMZz0ZH4E7321Z1Z3pYVB84N3y9X2SztzWkgI/kzjnPTruSyi3JpPLY8XdTsHh9IcvQ+/WrSBFNdsbzMf8tY1tBm2odi/Ff34e7Utjv1qE3QTHY8Kj7tjP7A8iYjSK82MHv1FcOH++3lrYfe8mEFJ1MYT5RLhpoxWLVfc6G4SyG46dCeKb6fx756NLr7pB/AaDAdAfi3aynwE4TPXtCTxUH8nyu2ij3rZUhwC0/SQoMay8IpnsLpsxP1q7mITcZTkE7b0BT8W1w7kYngYJzdXVULolhJPbbyIooOtXfhM5RevEZMDsE+au5fdAc1f+jTqMRDwZDa/9XjZRseAZSeYl5uT2EUmyjI3AhZp+YW7rh35Y+GI58R6K1hrPe50hWTxw2DQonPxuToOAanmUdjoZoNoBxnfuZOzycGAxamZ8oJn7+7e/3bA+On/sQ5PHQavQibYMDRkAtPDKdQeDu+815nHy+fOqWtrs7wIOUIKvK8iBgN121eJgyNSCvxuPsn3GmA/EuHhuDuqCpFQwZbbJekisy451w0iutQDdAsnILENknnVK3Vcm6uouLbHdTkmEtgZTnnoolQ1z24ohJ2cUFeM6hro8BUHxD9StgU9kXCpsegzUqIspqENvecyMyb0s7BA6r1xHJb78s7UAjJFWUYIJUdeQAfXBqMHkyMEFF+kHfVHKrkBUX5m/AgXHa3s0q87wHkwDoOBooUxySpAprjOgNOsEgqQkIgLo1pIkhTJX7j7hGZb/PTt+igOrm4r+F2hp+NG0C+WzD9d58ID9j5RjZAT5TatjfuPNTgPLj52KkEz8RYHrFOpASSoYTmVVap+ANEyH1bsvQBxwwmotkQT52uU4vjF/5kGCAKmAm/keHObWYvS3yLz/UU6AjIMw69XEK4CBXO6SxLhzH4/2viJCeyC/5udpGqHpSzeSBDztVZ0FRo5OCbM7D3TPj1naVLj5l/sRX6TSBJL95j2MoWA2LW5JJqdGMCinBVG0ugXLwK0oKrzod2JkwWeeWs2+D72DCBJVdDY6M0UZFBUzDX7yjIX0gWi07eMMBjnjphGwboh49tMgDt2zgiKKCmxTjoowq04/UNuptuk/DyHrbBD1xazXPXH2zlNDxtsVA256IpMhWn4NiCaTra2MO9gdq85Xbx8bOXx46Fn9rmXNOON+rwlTOcuwRwAkMEEAtmIBZSJeEOnNURQaj69sWVZoZ5UxnitWOzDa2R9ICAhYJuxIZkwQZaLAiLrY7DIyrExoXbUBZBh8pX5e02O8aEYUZBuu3tZgADAYH0B3NQnFFw2sn7L9dJlN0ppUY8LouUhn49BsUaUgArS+zUlUwxhOhwFdLjVjMLuZGcMLYQOKqCP1x/FkGGemwlhBCyAvFHQeSyyZU/HFuCdiwT2RQjI3MklP0FA6FcCYd6Ry/05v6DGFxuna22LmrtHLFSismVIAp7V4DdVgK7e7T/UAM8YsHvgboNoP1JSqUw/bTQWp+s2bz0J/tF9eQm3uqsC2afRvV9losn6nYoOcXzqchwezOzeHckzhWgodhmarnrkjAlHbzpYlk+1Sj9Qp1EBhyOhBCdRAayM0xG+GGJLWcfERSjOvJ2jbVKspL7gxq4Ck1rQDRpf7tPh9rwcI4nmtD9sr1VLoX0c+cWYxNn8I8Gb8KEfNlp7qXx2UC9CgStSAgo5wcB5VVHR2cmhK97wo/9RCDkDzozuV5aFoRT29n6yL3cfaxDuOZ1re6sfOI0ZmPuChTiuLHDotTRSp/CuNEWd+yxXA+lrkbz+1ZYGYBtyzZbsCR193ldnXtff55VYg7uuLfZgPKGtrRZm9i568IrR8yCR1y4YEO9ppwRQjtD30vQ+GC0Kzx74f2EKys8+2zpzmTOhFqmLMmU601O61CMgUD3T0GsKkL2951hdOVRGzpb8go4vCaxKG3LQJLGCe5oQssggKd4lr1gZ+oZ7j5he+vPbuO9aTcSZKV8pFxnqJu0BIYMy+A9wcXNzdJzErIBb2XHussr5Ufhp61kExc+c1W/NtMMTOxuao7b9/izU7FRq/OT9CfQ/T6M7HBVxeWv7m7gMrgKY/W28yl+Z+D4PmEyL5YXgtnkH0q4VSaeYjH1HcgSLJkym3899Ce355DvFaU/UnKPGpbhsVYfT0r34ztoup35dCYHRFfWa/JUq2xgRaKnmIzdoy7O1UeAvl5WIJ6hMyZZMNbuCLjctXRoYDbACzB8tmnmNaN6+vgloCrwbHR76sHwSe9pRiObYuwD5p7B3cfa2+vOQHRJnt/Sxceaa+bjF7DrM3d7jnwZ+/EEJbPlE/TVvYFsFI/9bFngX8lZcrHXj7/qWwBwlqkhIVR+pmlrbF9iVSBt4eqtGGWQbTGnq8oH21HGLDls+bbV56mtT4RrOcZEGzfH+1DQtyHaN0xvLMbjBsTjoWkJM6NaCeqpVs9P0/lX2d7krm+6ZY8mnzJr8c38DeMbffwUblm90UYwBX1TANKT/DA9tcz/2X136bl9GAnvZ3fWn3DSNw/AbqsFzNl9nW3O+n0RNsp4fh8SmpCcNW2gmA3a7lk2XwWM9LItQj6cg3jkGz5h1VQXv++NlBtxuji2pTPW0yZkCibTC3Hp5PixpVk+GwFikRoBiziSY6PSd63BQVE9WDevhr1cA4aPsWpbiEyQnrfIKbAmlYTMUKWK/AGSKSx880ndMvq9SSs+89GwBHbkzGvQ39gdQDwK4hBKetCJWf9L98O4GAdfYSEi5i4Fq/EEmYqcxCOUtZPb8Nuf7XF+1IwiMOL8MIHxbKKAUhY8zRCLQ19lroe5LQERkspdTtCWOPJc4GBNoRUbKRnALaQ5VA7fmy+BhWz234u9edKeS51+OH/eKszKihl7mFTFSSiBXKngrtxx+k7NAp1XMuGhjYURyYAGrR72hIhrFqfXdVB9lAdpCFDYBtyYYwy10Sg+oXiAtB4qgTy+aneAW3MNPInKp2JCH32L63DfW0IluIMw1Fh46+YVS7IB29u8JeL9zku8nnaAGSVMcSCtZm5RdqF9IU+SJJdJ3pTznxCmuwxtU8dB3UsT8BJnljUkJURJbuRnN1SWaImZ3BE5dP+uLae32wtiD/n7UEHS663cd/D9KFB3Sn3Rt9OAuEUTfdQIIyiDCcBm2GHo5nZKgJxWYC4+BIK6IaXt7rP1r8ZWC7dpPg/oPjkO9vG8faZGLMN+LO0KRxufGXvQgl/HlTOGK0ZAeYguiV4JLUxSsXYjC27XoX3UYEPYlMuKY8yMUwMFMFD3M1JLLuto7kyeuJGGyZFxY3eiDitwbzyP25TiQOXWblmLQdsWsDJ8ZdCYxqt7IRPFv8zgTbhCvkl61V6P7Tat6Tzy+PwF80q1gW6k132/Os+/eucynPMQTHZwI8C5V6PH3wx7EtiAC7aTvdI2ALJTajlfXKbx8jzoMPghkJb3twW0L/ypTKdXYRgV2JWBr/4zakFOXAdnxt3h6BU8cfrEzg7LDYvtmXd2e/szIAgu0mga7+bwLkNjZiW6rHB38pPS8dLL/WNS74A08h8M+tOoRCdkGBpVRCFgx85exllrAbKRIPioaTa+4YWjmZ99Co0ckmiqSXrAz7vVKPtVDe8EriZWOCu3dKwU+4KdcfvRJ3qKGsq0CaITqH4uB5WiMF5uBw3Kixq/x3pmkyLVdyavF3wrvSHgH3lGTzouhczo/wPeyvAtejRZyPY5Ft+puesfuzxFWrW2iBqb4UIQUAz240GujF/cS8RCVkr6kTYKitcFjBl5Eo1iU4LI0Fw5wAh0J4wM8D5WoskR0hbpoU0mZOU5kvdhLQ/LEMMtQustuB1m/y7QjMvZcVTxA069hCLzl7QNKoU9iYbnMj92tJinK/iwHNyWpbxTY4tr/PYvAK14JZEGe3Y4SstOcz3xNErGxMdbE+Fkvg+BKTX72Nxg1Sd2CVc+8zavPhr6UcBn3RgIY2TbFJH5sIdLg/lpzYm4P93YKLPg7JI0s2AgqKBpcFJ/iN++SUJFFk4VNp8d7YA3cwzU9xPbYKRYWXKlV4Z6RPC1FGrGaEOM660sZFLQz5E8c9sWYEL738W6GEZ4SfkVihfvfUcYfpH0EW0rjE+5bRq7bjS9S/MaD+n/qt+D8IWCzbdhAMxRi35IHe00AffN7gcTr0f3L8Q9gUt4Dmvz7gIIqmmYIZifZyhwPWFsovnNxOiOQ/a0PvFU5gwmS4phDSpp94QaomtXA50sySQhHAAphEEiipKFNFyD813AF+4v0lE7NYcw5IaFAryoBrDYNODuTA4shv/fPxdSgFltk/fGpmBwhPGNrWjcD1fqLoP6JtIb5qzuauYXMGCBGJnUPNWTe9qQPb35eqEuDGdQoroM2eRWZ3Cdgy+1YYz9V693bf2jSwZv56CSx3/YgJCtU0aOd/voAO24LcfW982yHJ3eIjWBjx3Bg8GnePRRy3yH3/GqicvEma5UBj5mKqa8dEAsotmc59qBmai79hF24oagXt+frQ8t3WaVzwrzGZIW/0Kubgy4cSjEUCs4j23dtvwyvuPnCD57rddzs0gZzHMq5eG++EAYN1sdB6YxMT6H0THMhEKTvzA9fAjqXLoezft63rN7U/bUOm6S1pE66c0/xdhNDjR08ev7YHKiMIIW0WGlo15Bwcj8IQZYOTgUmBMBYRgvgieNL9GBftlVTOkwvBBBgQsknBjPi9uJ0r+tllTABGPBtrItwXTV1uHvDLl3RkbUBf4yHJXgTinxZmrxVQYjDATTgEj5VP6Vs+Gm6c++2zW//5lW27wbqH7+Pu63po4EHlzK4/Qt89fraoQXn8ZAt8DVzaxDM++NzaUeEP+0S3Fzdc4Nv1NjeGn3xXiMFaYnQCQomvDedpQczPVTUgWVhYSx7W03dSRb8ICg8L3G0v5xBGQaBfqZoEmcOiGthpf7UwVsCmLPhc226kneypiQGkdBdlBfiqh9pLVaIJQVcXFX2GDuA/O6A1XWwyMr9SBG9JgGMvmCOWqKopwAQ5rdnyGAUROZNrsWPRsd59jbXjA21pwrV1dv1Cpx5FtHK3MAYF6JAC1+gi3NlhclU07pNlHWYOeY6hXR8a+QuUVk9TwMsFEr8KGAh4rahAFk6T0Q01nek9fLzigx25BYnx+309hxzaancoptvAUqQO4FtvjI+zshJgGaqAHyxzJiK+MMz6VyefmvvDpJGPOpCJOAraPqfTvrJVfn+EHk8CPaGn0BpIRo6+4FeLclrxkm1pCc74rc3LhwyADDUIrJC+DOL3PeNZ0fgdFnFpS3Hg3wGW5XmUPX9n+qAIBSFfHqptUoKTapNDDyy8CMWjp5FFH3trqhDVxpdjAZbn374lopNNpFNsAqTSHst+CwyzjJ3/mihTgrziKpcK9EtODmDt/Q8jbTvahD0Yv8U3hk+UmRt2FjpNF9MfvnNs1H5rrKrHg5ofpkBBRzqrYkjNmYW2BozgF5mFGv6/oHAmWcBOaGaGuq8/XeTaI7+4J8sW+wmxEVKfvvZuGLSph/zbstHbWj7u7IEcbPrXGAuRtGVSgcMSm4rQhbd7ILI6Q1S6+kKuYcSK3Hwqj30g2oxj/EkmAlq+tiAjp5PikoID1/65T0z65/em0GPuCA2oZDXdQXoqjb1erzOTHZzidnBfMsomfGtjbPjBqHbYNvQ2yMNA3rYz+qZbt6pbIM1Zq00kEc0NdYg26G107yr7VuafOLLtOq979sxlFsEGqbCX+bTaq39q8D8iSReKOcATtZLjgnjWrwZQ1jHVkWsGnhZO9h8umI+ACvnKsk/U2LJILd9YzukjgGyDh/4bkzBeo3WDZ5vEBf8PxP6/YonaXADWFvzCDQ9zSG0dfhiMemz0PUZBvoYA9VQL/fXGAr7CZbEPg368ewE2NBhMG+WFKVs8dYoYYstsqSPDQ6z4PCpw9MlMUwhegEqSf6UgvK3OuD/2CTHREVunW8oW8MYFkYKaqklXYAGEiiIhXq7sKq5dBsADO2FQRacsTt8BzUiONMMZwtZ273T3YKvn8+dW8KliFWUdcyJHNIEDnjVrl6mY52w+DGYY1VD99J8/+DCMXt356LNvo16XHhRGMk5N9MySSMaJx0PI/IwlEBlDBb1X2Kzwj119zAYENV/02h2XI2Ua5LwjcSO+KE7K6ObzqzCDHI7CCYNWRlNXjZz94bTIUczxUbxsVeCp64IHm7OTtRJiapcTacSBpUsfe5zMu94hH0bxyVOaiJXGy2qSXjrBEwcn10/BPJxd80jMIH0v+lP5fbdffoMZBSqzGnXgAyA8NTd27g0Zha3TbRWqHFxUmVagN+wKNbQPCnoRJ+zq7imDPZUSLXjBGNzV+7zNNPXln520kZdzEFdJpATOHvPH28jUuodJD7SL7j5OPVdQvbWB5DSpR/At9QMqKmyb/+oyolrL3Dv2AiLoor6P5ipehR33ULaqaDVqL7zNrfk0LokNtjSyN+ncl8c108wjdgyRdz/T2HqVQVOg6kRmJLRf2ZoYzCbjq1uATS3uH/Wz+x0mmhL0sgqeQV87lBD1qL7adPWZUPCgn8nrujqlFBRVZTX915fE2qnV03+UTrpjB3GzrwSODIBYl1ivzhRUJ5KeLkTpswsXq3QI9oJosJmi3ZAZKKoOS8G+ruX5yAcop/X8lo4VgUVYdioaWzEkgVqOkaoxHvTAuWwvZnInG9uHFrBeC54/QkP+HVFUgcsq2OynH/AY6Ev2xBSqGXV9rqxkEnmtbmsmU/wnHl2vmvCN7ZHhj3xTw7auNUAWBrO2nVO33IZRWwcOb6ymiB3NDQyINZgEun+TfSP77x3gMZ3xcL4SkY5BmsT3QM4/Wei4wFt+WG3BK581ZlxIUOIQUxyow1VKSPh1RgOhfpYgYJbFlEfP5IxXax7Bw1xRJwT1ZdqUCKydVEGHfLfQhAFcsz0nZTpGw++kg5YBJFMnGtSTfNVCKEHVkA7yo+nneK3RY91Rya/oW/UGAUI2DDlxRadaMNzYNGo+GmIMq5mFEqoTy3PsHjjN3KUKQpNVuYeTDsJIzJdqTXh+Cm2lvVI5U7CigT+kF1vE/urX8bI+qasd98VwT2mbI3Of2xxwXXFME72XaAmxig3feMLa9Zvu1IaZSRhbTJQW7945VLzh3vjortfBLbWVd8JALlqm2DmMFGDKVqBZZKxs4GK5Rw3amwV5xp26XNzeLDINdwawfs2z0IhFgg/8MKSNUzIwlPPDhQFjaob5AOk+b7uzr2rEMxP1BzcZ+sCFfrNEe/qlIQ06xlaOkOy1fKJprgLBNrKE3RhpobkTpb+VBO2ChM44NkRu7bry1ko+XBV7vfUbhu1CG6sBdsuC76KHGp6fkW0E+2vlRRTOVHVQVvHmSHtKC7o/vX2i1rX6H77qh/fpvIOA9EA9NsTY7aoRMn97f5b/UkX0ddQMa+deNVgqw29eMIZxLR0abJCBeNs04h+eaxKZS4fMW7LAe71Pw5IdNsmi2XUjyA7NmIuCIlTB8f1H5MA6FG++Ihtg+5xN+g3oR+RXzo/zWeKbTdNNB7vZmcf8NTztPZjVqeGGrxF53b7FXHRKALJeseC7m+OuTa9u0DW01h0IFmdLX3erZuXfYdIYkpStDnQor9QxdMcG++bWP0c9dnRz4pr6/4s6NlT8Qk+FuKULNv6ngJ+2KD+e+Nrr/OJk/pxqFBx6jO/XWYUfv6KmW69k5KRCYSqp9tA0zApCZcD2nTuSv/wI2PF8R4MoiHWJAnrx11voSQ+XbXge2MaWj24ayjexJAQaNrBtvP01OX2PUgW3ZhU04AMRzKyTsVDBGsNfWrHABTvSls6ct3S/wV+B6B3WNnqe7Uhu3Ohmzp59+3wiMlxR03wjlb7Z5SHDyqKA+onii3K0/FJPes4AoZAiSJB5aTMcyYg7boagzamjEMFk2GyHFjeGJn/gNEWbp9aB1GRnx/okn5KDmrQqSbKjLxFbaviVf2LSZNpB7pGdTp2f8oXa3XYgAir061vBD68+aBtak3zQsb+i5ZyW2RwAxhBVwvAhwcynwI7lhgZUcnQCrdhk38j9GxRMUCEvAgvYJAMXHmj87+waq0ZexFL3vQ6CTweXti17SqR1Qt+JnDiK4u/+oZA10Rg90UbJtD1hQAixNj/xnb79Rta4eUq4+IBJ/4+4DjMqHZLNu3bDcWynZaWkIQQFXZAVvj3Ha06Y8kj+ejxxPChHDV02ygXD8Qp1o+GNixN5IiwaoqZrtqTiRxpgueesWRJt8Gk2L1WMiYj5vGwKFGa4KPB8omdqf5gH9vP7yADFg/5IFLnTcqLPj/ba1CTeNv6twXVjNRJnH6RjAILcSbs/QaXDv1PSPMAU6KCBpkRKnX0gXqlPswAHmKpokfbcwcS5osF3PwUbwLXBA3rjaw4Te5MrXa32mUflLnTzdDhElbO7Cisow0AnbjpfITV39PS4HkiqfhmfwHGlrVK2jW2GIbBgmu4KMVujtKOrEBNKr9wSgJ2gDeNtF6JCQbmFA9ewORf2/+PWZHJDN/3Tw5APfQ++8vYHPESXJ8I63LgiVrvokwPWH8VWNYAHvfn5qQbXkEPjc2cdO2HTM/Jcllfn1kJzeTTR4sklHkBX4T6OWV3+/bX4BrskLD1Z2TOfCwpMMOU47C3jHT8nfB/DD4G/BYKk1DWDqcGMEaQpm63KI6uzxN9mpGHN+rPVOyv7LFu4TN0RjZeKKVBUNpIXHefCTd3lJOD0boa06rWHWcR6lwBTeYfxHuil8jwJ6bgFSzpRS9mR1LUaXGRe0u8OA1Dfhh9uTrh2vfpBz9A7Wv6gZW/oK27FLIqSRKVZHIK8PLlq8Qbr5oakgPd7DNIEEG6sg07H35nt20ASf6Xag3fvt5wJBZCgpBFWSUDHWdoSm9cIDQS6CawJswwhNfTogPpa0cf6DZczmoL0Am7weL0Zl0Cbcj/f8f+zu9pp2zFbQa817JlAEpzo0EjxFRUc1HZQ00gH6ad4x/kWo6dywtmTAF0Hlk7PF/+kDXKbm8iNgj38HDzRqzRFNtrqWnXIIacUs44NpASndAiyUyVoSq7pngrI5KR2yQuMjGrKaw480aG0UNhFpSD6sQNzgXqNIqRzBIZJ8XgMEGUew9va9gog5TplDYZQ9eMYLSA6kV8vQpmdqXJFYMLO+RzERzblz5DvsmiM5kVIjrZyCQ2nuQpoNzv6RK2o7gduFaGNVL589mYna4jNUUxr9KpDnhIdUP162YTK47eGSMoaluGAT88au3fRrevJRd7VMTe9VR69+8BUqy6QYbiy1OIE0DvQ/dSnUA6TrLLzv1SbWLVz41tbnhyFHN/ocBkcttEtocWesZbDMUt6w7ctoiFukHsa4bCiFWggyhBPR3AEUIzviwgtQgbkx/IvoHEo7/vH65ocAOrVDiPy1DtbqVOKFwRgYmjbillD37qL4YSJKUu0ztFzRO5DvkYJR69JcAzoWttB7LO/SlUdoB/spVe5DuLF7s991Uhgxy0HdQycqnujZPBavN8wW8CCoZlzLwtIcOTJI/txntcxmfWuenAOdnnaL1zOh0VVMEEEuYwmpp51LsB6pHwjKBTNH05PqJl8HYrAhEwpU26P7Jfi1ZccxFtvz7y8CZrGf2D+GNYzmNio8eEmr7E7amRZzVWb9lTgWsT+6zd+TEn/iGoQ0vdbDjwZ+kpq90aTtidsYmASEpgsdP0g6HlhwShNucqqp0GGkQUBTQiKb5JiqHpF9GM1leNA1/ZW0kFhlOPLUJtJFIS69IWjGeX8my+924Xcs3ycyDHcvKRMTLGrLzkSSQLJ5MV/e+5y2rQkLwgBPTCR+DylWH2TzXRd2V0wxW6VUkTiin4HdgM6fImssz5RtzS29OCzNtq1caO5/kPOo1jcLGb9IGkOlylCKVdq5EVPmHFtn1PY1JeZDZ6gZt90GrjNXmPGLVBcsjAy+GHAszUSSkCyx5hux/oK3d28+b2gx2TkIkgQZ4ZJoxV+zvWvLEUnwPwW2Ej6+s5TeZN3GolBtKYFxi1lJYEPgFnLFQMeMATDagTd7kpyQ9wTXc/m3usnbIfZFoNtA6XlRaJcabYbmIy6/omHE40qqqScu5ezn515t9PFC3ABsJ9bKYdU/IgEQqto4dMHsFr4D6Pltr3imj3xPAVBFwMNdxmP2KBPH6q3ZPXNQfWx+5Oj+ov3Sn3UasyL/pf70CFeUZkX/vjWTVcmzp+98Cf9NNrcBoAmpOVViJiONz/yPWNUhDW2ZJhFM/Ag2disRfNvTAZPj8cvf5oe4xlekSH9MC1cRwRgKEmqof6QGxd5TnAibbMMpLU1LoDylrNPJzw6O3UL4sUf/ujvEB2j3+JK/JOTwbJ944MUdLLaQed+49uLxKqqIzUNIr7jB19bTq6hCmywRdMsGr773Go0A1egmsdP/jiUTOzyJ8g6GtxveG1tfJiMC3wizEQgw4pg396ltPVqCGWgvaMKYQNg1O6uYxNdqSWAHT3xwMps3bMIOkX8gojeUArgF1dunLahHqRXGm+lV8Vc/7WFIjmnoPs3eX3F0d1FASSNLvXT6U/s+zpgE2O20RSGZmTqYT2f5U3gfBV4zGgWmXu206Gu623fRONkJxMh2z4ZqFu/pDc+88oCK9CoqEqaeA5L5Kr5DqfsGGbbAKAT5vhNIlz59Zz/FX0A7mCgnstDV/8kMXTjS/nIKwY1NFWPzqKfGYgkTsg6RiLBmvV+vOJ2rw21h0h1MAF/3h9Aw+Lo7yfhcpHro0/Tjar51tLArSF49qhPuvNFZYzlvT9qn0j3mv6dML6nkPUOiI/B0uPj7iAK+Npx0F1rzwxG+d8N3O6KDb8ZSrmuz9s3HOzPtfsRacj0L7nmgwVvRn1jcSQskgwUtmycjqN5PuatpZloAIzvig0a91H3E/QC6LAS/5dvwQQwrhvo2V2x4HPfjOuKxDAYdGDSoOlfdS8Git78GZsExZKgbHxH4d/mzVXmrIQHhpnKUneKYneMPGkLGZp+I+M0PvhqdqiK/AYsia8So+4G1UMVHEh5n1SMvcy9hPXbFhs1mzh3QD9ZJjHbJnI32IPsr0AR5GZ9qlcIoqAoiRSAbwGMy7JkfGsD7ODTA0v9rj/o31vTzp+DOPLJ4Q7pzs/rfzuxpAmW2h1m3uKAtO01vKkkdruTQpPk8fb6hnBJiizJfoXApzEzdV3orejfGZ1BYaE8TOcNJQLR1UUMA2nK3fpDEBnOhkSmuOb3zkGMD/dRO2niw3IVEZzpTrQ90Nh3H6j8B7TZb1f6Cd6EkwH2hEqS3FjVUDLcTKotfCf3NV1USIW46AHICliEXp245KHCRq/KbQAdFNEy4xiARTsUggIKx/BlxvxX97qJGht3A1CYHR7q5PGz2baPuJcQJvRMEp6z6k5hTVgH7iu2U2o/EDlF4dFetxVkBXPMejFZQCRgaUnm0emwH5cFSTlGIZ+oKwrLcV88ezkLabXPuVAiHkXoaF6fAoZWJ7AYnH0xRkMjd5pQOGlKpsmsyV9TtRNle7WowpWNcrlU86/k4xLMJwLss3QncwC55J7NID5qh/roG499ld+15Pq3QQF/CQKaSo4d+WtiiiO5QVMqvZCZ9UVm4IOI+3ycRr5tl2lHdKsldISIdvyGHzXUlIsWI8XM1XECWBHLEPUnRufy4gF5/nNcCHFVAQdqYKEvxOSuWkC+eF1gQFuy8Ng/d2SrUYwtN6haGMPx+gfBNF+2yqD00i2ZvvdiLlp4YzIE6LUFD2YeYfi9BRUI8okA6XRXMRSktLVqIOtu6huqCNZ2xVYNtL7mrD3bzmjn3OR84XUX6uczQK3upbLDjgVv+M4BysMyWzZKJUt5n8vHK3AjELqFGHoBs6nkw8xKMZlDxA+eCBWX5q8Ua5udq+RGnAdloLysCGE5OGteHqbPHjkLXWhyc6LYAEqEtbeBTO38tgb9/RZwMJL+tw7X8eVgCjOp2Ll5IXfWgnqQiKyfSOfEXP/l5aLx9w+/IeCCci+A4kOS6EKMSocELWtOzIidI4FlsUikuQ8pw+45EaL53q/vJJ5h/VblrpnShqyzDqRpCoycWcZrRuEd9MtPb7Umbb+qwkH22B+cRBNtuqKx1xIIf04LwkTxCa9MfNbIjDXA4sUkMGRJwiwypirRGEh8qpUmY3Wsu2PLzFC2SiIHNWW7f5pYn33qxKWIfoIUOoUOOlpjwB4MQA34SRutuGmg88Uzd3eKaPvmmSTzYpH5AUSqBjUnMM8mYgyUWaRCV/KO2No8G+8JWuPmTKL3XxIhfvjcL+28IjO8frbAtdhd9OQfE5Jlk6UbKbRwhHljdTHKNfbQTlimfdy2oRmOng6WJO8IbegLadv9uL9FB9jU5RJ9U06IDV8ModzXCvcOR4E2CIeW3QuSL3s4fBJfjr/SQ3XqOA2tgkHmreWpaP4f/Oact3mJH43bs1IC1IoQMEUiOYRfX79ywoFCSK+kr5FeFnPjU7PFI+4dv83lggKyuySCZFGVATadHm8PHj2YhDHcEcITLampmm0v7186KyMiP+5AJj035t7PQsq/W6Ln+01csGo/Zt6xH0/vsNv2VRC35LPHv8J1x7DJvmxcwQIZq/iqoiG522v+YAm40prMf+6cjtGvjh6Gfq3P8a+T8QSPgO69S3asn94CcHATU9Y5OqWmhdBjZKHuVaFPNoiZs1VlQzPYcreFKRAS/UaRJdOu6EIjo+o2ElXXJxS0C+02zZ2itdJ/hEhrSH3x9kTwzjdjqOZUzUVmshn4zVFjJrfwekrBjwtTg/2AYdA3xDP5s5a5pi07ZaPQobNJNFwpF6J7kmf+HVut62v/3QG2qI2ms0Ic+KSz+t6Z4xTdkOz1Hz776Ywa+PoEnB5pN3f4BKpp3XCQnolTb9Ttz7hDUxCIetmEr2WFd399WDNsm1oPlGGw4DhPGxm/adcOQIa3cx0kFcsNzcqFoVJHDzwYL+WfIDJuU70XT7mdP55Zc+JyH70oTSJpGldHdfmk7ksJY2qZXMsltmCYeSNws4WOAZUiDWn03KxDJRuKya4FfBsfwWEgsorCocdpE1YMn/xIioAL+gXQfbE8XBHgOODJ7SjdE5mU37JRXMMGFz7HlkYIaSKerFd4ZtYV7y+tZFBHeQ0iwjHSJwii/JVJflLb1jYBGNlTDUhk1ui1UuNLJAzDPveEuVPYdJpNgOnXZVdK3oQUOKPKVWu1uUr8EvQArpuoSEL36VkxQHjCAQErxAlk94jJCmIAx0iSiEbDYVwVZPLEeuHGlSZnQREArUFDDV5/mAndr8ZoMCH6EcHZGzvBRLYWDcMwEQcp1ilb5WQlFWIfhKqvcm147au0J4AUQ9c0ojszIKdNrhNKZgqCBWRwwM9rrMHune415abSBDwcz7le3mXdlsOrgqwXDdvxKrWiYKxOBIM8m1CgQ3lUGMC5lJc2hh03GqkGoKFiDSqmyJuoLVN/eupqVsHX/J+o1YLCWmWzEmZjMfRBcPB+rQ0vfJLxeJCsu058x4o2nKOcLBQkqylM4DHNVuGMk04CGtD1hl1xvYqb90QXtxVNksyi6XhVjisJxspEJKTwKQs65fv5LgwVhVJkpxzLSERYC2Y5aMQqgLqGVSjrkmCg8qVQL+R6pLa1DsLVgnkwD+M43vzUcmxS6UgQGJlfWI3n4SrAd9QiOLJ8bl9DT1HHg8GHmLA4EEhJrO/jhZzbguZmU9rkmHC7Z4bQpo62wEa7na0OThMrujroHueCUuIp/Igx/4HsbQ22la8alTKu1a6W4gLcDSSxrkjIy3FMgnpHEEicEgEd0pIgJ6Yz24VkCdGAzYFIQ0PBIK7wso2RxvA/8qgjVWfVadKdgDPGwzUIzAEhMENpkm3fnxZz/RTMEnSIjKb+9lMq5Dvg98bfLLHb5Nu/+gRWVt6/8bU+Lvjj0V9IKAzEOy5d4mOFlwg5++kPPClinJFFIpGqWwmKJqjGlLdX4NYj40Rcr2yemwjxQjozH6GX1l8DSEFarnvKEi06VOsLuMOXMBSdBRrVZJTsGy3X/dTSievHTQ6wMtRO6aU+CttESmgW55URe20DwAWPL2bd61lIqaslP55bNZl9fH6yrERaUw0yTL/+FMGGBHHpArTd8EZWrBh0Mo7YiOg6PfxE1fyth+T113gvA00y2TkDgjElNkafcNan5YZ8RxetKkgiA/5XyDhfePg2aaz6bc4PmzC8LV1DoGlc+DCBR1YcOHxsBjBOQ7VXvQmytohT6POv8ILLjyBkBjFL5iF3sr9D9RHy5vFhl2ygIjNVA5nRLfsAKqbu+0w+1l1XEZ+aWAZTNTbIgF3JuKddWTDlFMOdaLTDbmpBHR9TuorC8GB/wQVhTaYySwEnx+RyBcfbSBMX3mQpCtfggeKrtZdiX82cKtsuRcHBCFdEN5w58Vj4AixCodCA+SCy/zaWTbjYYRVjSkkmNIGpkiQ7yFS+2Idnz+we9+bbDLJxx4048mfL4b+n2ZDgeg0voi7gXm22Lhy3VuqpomRN9Lw6ZtBlUoJ+SrgsegQEwpX+degNKFz1OnGAZof0PuplVHgfAarOccyAyAksG9/ojGLWzWlr0L0oRF5fgu7tpFlJaoho5xyorwUqkjGlIrl2nNjlcTj02/S4WnBAN62RuU9u7oIsMNNSq+rK5OJmquVTdcCIlhpd9CXQ/99pqZOzIMWLiI//zkaePvxK4r4ijIN0XysMOqPWTCEGHnUbeDtuS7su+47FuQs24S2oN9UtwW43cOaym5LsQIXyUoNECzZbN1b/Azp14uFoXAWw+G9UfwY4V9MekzDPH4tQoZTmfBQEvqL8+OwpE27KWXJ7hWbaSKsuxihPwiKuFqzmr1gX5HAAzUfHlRwyu9uNYLg2mCnGnRBU+WqrKPf1uXFTP9TDfD2mu6TPBwU7M2rg7OWoCFgCIitWamjeCmVkKfEZ76U97Tw/AF9rMsz5LFRvm2ez6gqhMigPhykZyFbiRcSXE0WVXIly+rxpa2Sntm9tA16vB1jvr9+Kt1tvLobCd2Z8yf1JEwXwqK5Bx2w71ZbVv94RTECDcVmqGsI3eu7dtrDpIF1mCyJrNzk2MBVZcux8fGdNjcNd/fBKc5wR8mJzlYQ4L9aH+5YLJuOI+avEs/7V/vq1Z7EtEaaSa3aahHrDBlbG6GuR7mWcbItGIYB6pKrBBfMo0IPwPfhRYh+k6tGO3rox0Lp6bOr3DoeTq+BydBN2ecueXI3OXd4hv2PRXLlE14yrFIORHgQYZsGxRKwAg1KtHOjopu69XA/scGGiob5Qx7Zbb16I7g261M24960MtsyYlqpis5u5qPd8BUAfe1dPjM4+e7g5t3kbz/r83W7U6TXcP/LAXqRe+CkOivQFcpDpTcZCPm9dU8xXTvePuLdR/VuJQJkFHOKBuRxvMxSLNd94w2S1H98qE9YsBhS2MiDUjahrhpKo2FmoXmP6t9o15HdQpyHQYm2jkXMXD8NbQ64VZUu5C/YA/ns44f3i+IyyxlHNVTZDd0Pan6bM8t4LFRTbuOZ3oO95Cuw5BWniCD14kLq9AC1y33swsSKksJzULMWIQtcoD/24olootnyYXVoFCUkQGT68yuyr/7e/rdcILXGutdbB2AjXS1gD1JW64g/ApjaLWgTbD7o58gbqgjJ8gmbOjIbJ3wSlfoL41NzhnvyypBJngDemQ+wwMYlYG8ypspJsgDvaUsipsZ3gINu4iLqAbExKkxn5YFY/7E68iaNlXhs+2Lq9aw9ngCx7WJf1jEnUcRXG4/Xda0hiZEVCMYGXLV0qTbx90eMkSc6Vkg7ggXHYGhpDnvYWOVKu/hdvlhSnIz/Bxv8mxtK2K9ZkucaXV1+e0NApb/pWzYd2zsAqQvTTvxTA0E5e90PMXI/vqglyRfOKDcXpLGh8uncMEV6FJbGi8k/2de2UXeqiyI8vDo0qRsY/soc/0ewonCIpFzn5Oq2kaSmXpKslSZN1FZqqvmFRKFzNRr1nJqWEIjM8O8UdpuBtZyIDSJJ4/AzFS8DFYq2SSWJT0ex1wYWpgk9V9C8386emSIL/tLT2ccilzklQ9AnhZsLKqFPt1U9zdIexZJDGl4AfTjeCNhoatKpesCO7aqDeYMvVk3tnfdvtNvDLucGF3paOVHEsz5eKUfdiLbhL030mj9M3WC+IshYeUDnaVxtoOCW6cOiXtZdkOox9ZTXjy+mCBzECsiDEYHNoC8++EIVHRESXsrVJwEjmDoLvbiCVCvsQ1H9eJd9aQgvKiB0mwAn63wenqz/a9pr9XgHBR15/1sDW902ehHtpDyQwxVIJgGvuT3wzpk4q4zo6CmEJ5PB4aERnpAEIbvJby6l1VEWaTKBArfBrK2iB2mPRryh4ML2MtlxdGx/ShBe2pLkt1Q3qXUtNhvquIoLtCXTbEycfoS+vztT4TM8jeMOvwLm+VI7h558k/dMogTiBRvnTt5eWP52e03f93X4ueMDaXV6EpJbKgGFhLm1p4lHkxK+0MYx71YVIHu9NzILfPA2+3rJ7pJDy49eibtQjVhY8kERJqDMUximGoQwyAjs1ljoqBLBkEC3Hraai1GoBASaraSfp9NdHu40tAORAqYmGWWvOQ5ZV5BoawhhMpKwp4BIJLPmQ+ZIkyzIL1Fqe001pRuWmwkm77EPJJJr+P6027VbQCNOo2d+aHDbW9WamYlSShV6RkzjkI5V5WbD1id5Wuso3wCU3et0EuR/5PT0A64hc3Xj1Ys6SV8F8q6GkXUGOYwIhMdWt9gaeA1Zbw3VErO68eiFn/fnY3ORSglXocI6pbeEbWLp9U1V6InM2G9hbn148a0rt2yv97FOnV5ab53509ua+bCO+OvpzmTDqS5iRcsXWaL2HvP/YZBdN1zGH+CP1dY0Uzg5CMaXZmAGaZEsWAHns6do4moGwj7lCKd1UzRV533S4HESr9Bsg7R33DlLjTKnWjo+AjnNWzQJvjPjcsTs1h52aDRCtYiPahWCkv7MXLqVqx9pnD+yT/ptcLkmZDrLl9JugCrl0Ra/IIAaeExWlWl4p5/LrwyVxYYu7N1QpzVpTsw1bN4EEhGJB6SH/+FvFMWxmsOqgTWfiXBLj33zEOU+An0ikFVQfqzSwMnh1LlNVKCZsaWyytgtz1I7IXS5r87YcglPe5Po8kvml3MPwyxhyVkkmVB0ANXMNiDZg4ts9KW9XV1Suy6RzbecaD1cC252sI/NRnSOKDMvxIbpQDLvn1Y0W0ZkNONYiD3p0o7b/iKA3v2/ESE7X1tDQTgMafGnlxklQqM70+FH6dauAljFBeRj6yk6LOa+5u0FtUeP+A3fHdi7ytu/AvVXjNbojjj9MQg8Rg0zLXn0yCJ+lQx2/+pNsO1H3F/HJ0Bh/xroOjk+HnSl9oQf9Ic0IUMjfTcL+Rm9mOPZPiCRP2YGvA+66AVP2DceG0QGDiDisd8+6rwa3fZtHQZ/RWuhHeoXCocyWjNSa6Ob++q3Zyeiaid+DDB0+/wiehK+uI2unG6DD4wd8St1D3b5WBOjnTs4+G5Z2XbHjo81wHRdWi1zQuRHBbJ6DMDUMTdBx6p/kHDR/Ioj2DLBBAWve0udYF9j2U31lVSi4TxqvOA/9L6V//tkx2qfvtnn/yr163PFDGRyLDMCWwWvK2+G1SXeKlZnxJ4LWbkmT4arzoN+Rm8vF433yY+X7tX173BHfEGUtcpkXiD8qIOXYa7oyNxKW3hDzofr0L6KnAf/M1G2fiPYgZmFsybb9cjAZm989i+7snft6UQDXeGbDMBbwvvvgE6bXiBFi/z5hP63oadAH0cdmkQLR7pLVedJXyqKDWC/1E+K1FkexgjJxAjOazCqcfW3Uqa+GuEZGFy3ahX9E1CH/gTWl9fHHFynN6TeW+8xoEuEQn8Ty+Pa74TdO/ytKBepKMJd1jyBTkX1cHNcJw/sK4ACaCbK2BMQ5N0jmO7kfqNPu5CKw28XG7mJPb7NR6UmPBC1l0qDmG7kQcBiF5bEAR2h+wUOVpXFRWASJhIAFVoxyhGsA+40qj0aINHXsgYVRqa3Hk/C+B1hZM7tSJ1OgioYJIxG3U0S7OYU/XzsT+42XpbWE5FED1clZrVesS03Aeq75IaRuH2PbCBPHGEIUOXTUb0cGHwszgJoCQh0Dc4BVhT0xJjOKPAUNTCx01d8zL+wGJnBK+22b9znjvFKZURRG9xJsuL1bYpY1pnZz+38vmfcn+hsGZR0FZTRxKG7/IHHscuBg9Z59sZ3J0WW9BNGonTpoP63X5kpX7Ak3ISmC75MsPmDDkinEo7/2R94uTGgpiCAt/W9vn2fLE6xUEWvCtYUJki1yqYi5DMOPNaa4IQd0RpZN8l5aiGfqxtfTI/+5kekRIR9OuPbM6ZlkVYpFMO7fnx05YHToteoAvv64HikXMQQdjYikuFsYL9OaWLuOqUDUgmF12KBPzDP3QEh5vdxL+VWPMeq88GLLZLGK5i2DZvvDfC93C5bx2a7VjLqdYT+53pRBDGj6u6TQIy/adrCeOMhLsV8Z3uZM1wbivkfVNkz2qGaILuw3D289EIbi9MAbX1ulmIhdo9T2DgbDE+0byfHJkP5GrY/3255gYLzyAmUIWLvRyeFuvgWLDCdtuWbL7zWGbSvJHujZfHzFRu0o2tHinj1z0lqpTwvVcgx2Uzk9PD2bhu2wg/tHuEEqDQHHS9V878ALGuOinJSfWINbk10kCQ1esA8p6GMYNsc7w3KE5CbSUpxx0dWI1zO+u3rRJNBgwMWgqUUCn9SSuJC8aLGR+PPREHSXEuc7oJu/g3N9sRzDzz5OBbxbmE6wUWYLqVsf/wfi9feuv3+cCx60dpcC0s3NJdGO8li37vn4mfq0Gk5jqHP/S/JZUMN1ERiGu97LjlME+Y3j3EyB6RYL0yPO9L5ELx3j/33VUMA/JcqodCi4ITDu2IhgMKtK2pENjGm36nvI7GgGynXHqdk4ev1GyZMH4kzGXvVXoFGvaJ/FfjmDsyRU+c3aWi0D7PolT3F4WbP/djOvIZtJmIPXbpQpIaDSDDN2FfVFWYKvq0oUtYxP6pN59sLqcbFcsUjeD7pTrmw8upC1ZDEDVkIxVrVKARmsZUBe2dJQd4qV7c8DVgg3sRTjVaogkkk8g3dl+z11pQPViLCjxDL1EaLOw+d1CEitgkgC5jfc99kWqoncsyUllbsB7c+Isz9T077xmv+7Y7z7QJHspsZODXfWNgbf8wwct3bw2ZHdkfbSsw/Zor8OBSxhn5fzs+UJZwBMp39fBEXbuBE/5aCdby6PW5GFrt62gWukPY9/U3UT9XBBFlnuKWtTut+5AgDZ75+UXxzgsQRQNK7A2nRvq7ELlIHk1gNPJDzABS7qapynr04x9ni2s6E3DMACdeKCDw39hQBWJPesiOZA7LAHXyMM2sPWTKK30Zux21214OORSee+TD/o6Xozgni5oOVblyregnuwETaRpNJht8Mg0OJhwNcXooSp5/sQeeMFrMUgustU4YLCdUGuS3fHe3rpm3FflRgHtYvYJL7iCgUHcwcjXZWoY7JkI4YWDALKsjIbnQY7BhMFQliIqUpsG88JWYN2fX/9QPhLv4zzqszI/hObgFykB4BiE7CyRBTaJ/XAxo2vZklfRwugpVZzKKgZet3dzdQfDPszibhrlC+JreqfcO+L9MOevZ4KhsglbAXW3Suhsq94HMRMVnYA6e0w8klqA9Zblbn+Fpr2p0U3HY3RM3mm0UvN9UkU2bN6YL6YRMPC0aijZ3aHhbqhRJ4O83iXEUNfdX33z+IrXyYdXC2PpgvmM/StXbFMJ+OjE4RPO1RGQDZN2jR/AAqtIIVAego/6o5hkHqvFyoz0Djrc+gbg6QUhLrXvmThUfRivwRujzRFrLaLu6N1KNpt443Y6t5PBw5mx7HdngXnGFcj8I4DdcHZRDI+41XcwLwpfMr4UwNYZfPhta3ge/T6ynC3Us7JpYqUKwUuwTB+5uNXqEJ73LnJ46d2DjYOAH7So+iKISuwfCUjDQoxOnJ/vDnLnUbmsTxIbWzYr1aMmqSPZHMX747Ga1V8Nr+wmF0D6IpbJhHBoCx6qGVSK4tnZEkRFNE6snsiB4BNKIXjEtCZ5i1EXPjkdOnMLOpUgOFua3JA3HUyhv0018Pmb1ryZ6Kdui8qIlPAmZI8DEKgv1TGRGD95mQ6G4C54M+RMZNcAyQosB2xjFsreJJ1ZdIBLQinAfQAFkq76IkanpqgkXIiXDRD9cnDGgxcjoSCcOpOn1VaJiE4wEfcMSfDOM8lh9rEuKU7gRV0EIclzMdADS4c/4O7ggtcprbdbQFwchPlvBL/lX4e1Wh+Gy3qMoIxTKz2Hs/n83lsDFbRhKsgw0qN0Glqi1vnswBENOzGYHXw87H5yVzCVyRKDfAcvKBcopyuoIUx4LP6q7/lG5XTQHZCf8Pc4RuXqjZulk7uPOmYbIdInuwumE5zoHuRPVdfinX4r5/bgiuxdjeuJlyETtxx1H0tVK9GwT5zRlboStDKGAXGDnv5G6fYdHZVam08b5vLobyxwnPCjap+/ZiW1MsjODwKOOZuNg819NsjpKALNqy0fTJ+YBLYiEqoiu76hsO3OfRXn6fqr+UyObduZZRS43PjabbSehkjxHF66cMIHG/+p3sZF3M7s8Ct0OU4buCBqHfttN4tNZyvCuv+ql6cMbVFw4YaNW9W0XCHWsMtdcadNVbAN2o0tIfZdeRcQHL8MIFKr9wRV7r0g4rURaVDYnt+BES+Qoqwbq3Ro1C+ab2wIR39jNOUFTvRb8ghG2hG2omYYtcIZ4VOefFo78ZybihWB7vebxr+38zv5LZokeQKrgx05U3bx5Cx4zX6Igvh0CvZyQMo3zRS+BdByrjgBKyAZ1d0jZwSlDqGkQL70nwOCPUC12BEIbkZsyfXCC8pMlEWEOKOZ8j7fTK0V3ZqRRm+yyb65rih8w0ByM2PPtJj0UNT/I+EyampWLt9Z+64PNv12H+J3aoP1n/Ux7159ghUJOmEJ/wx2s3CWgBe1Z57K1ahSyEN2ZXKyxffWtQywaJ6WVkENfrp1RLUZj+otKAzoBkTxNYtjXjhTQD6cAx8gZLq6DTIUKEtLRKa+YB9pJ5rTWkFGVVTUh04pg6tGkrxLdymwo3mZpIDLAjxoxjgDEIsBBQrT53QfSMT5EEls+UeX5LqBA1KezsKCgCLzcA4E1jFRtzbJd0JDrAR3p5Mb4OlbsywcfOKK8B6Hb8Qoj26zVwN4oUru321Tg2WjGmfKGOntwWLCbVVl5wFAMfxqeDRGoU0AfkpJTWQ3jNlLwX6fXtphNAJMpqmoFlQpYqcCgoLKEVpbdvP2gUA+tXGdx6YHPr3W7Fo5/kLH91f0/JqvP60kz7hmLm006Frda1lxFIzF/KPddW+tG6kUhcHFlQoA2VbKMqzMIP018GJssDNp1QFUPmqDTBHD/THCdtNxif/dJrYZev4tW2EQpYvnkTuhLs+S2HipwGtBMtR7hZnkLoliAz+bJEmaHSiRmqylydqPp/rap2y5a/FY+UNbbjdhmdOvPZsEgtPzOB8okWm8/BvXzCw6VKRFtYvweFr/EmMFGQ7wuh4Yc+ELCvLAvLFYoKnuXVlQ85oBtViG9DFRlmTy8sJ1lRkZ7SEa+KHTprLqOdNycR6t26VC2MuKkBHtcdKGK6bdy82g3HUO+WHnuCOlh+TTmarlhYjACIvD0mIxj2Wpn9LzC+3GuWmoLVz7e3aiIjeUh2NT/RNFjxJn43vZUI5K7LYQXAjYbZaZH95tlwMxQa6ztPgOuJHB/slJEOJUEKXWVVuEpOVq8rriszvN38/a+vtN71ev92ZqFs+kFIBiWBxUqg00EKsUU8K7enFq+6USD73TbxPRoi6JDE0vchXY3v5dNBxejSiPC2yrKRRy0imja2kwVuwwA3wkAB7NPZNJJ+9OWzj25PoIP0h9v/zqh9PU1Yx7bTJGlYTI5DinC+ceK/3h2I1QytTSrzYt4sGHdnWY0GTMTkv3yhGVeCisMQ/3RpzoOvOSbs9kW5Z8NOraO63ZxyWuyV2Rm5x3tsy03AXVStDfBOy0FmVOSGbXnTrFil25n5nf5Edp+wK53zNxWLfq5vKrpKdyMEcpqmvAjNrPHnXvddVKipSjNTkW7JMfWFzE+qbUWLkJee549q6caf++mRnD2qb0uiV4Er+iviSW6JcLcsYWHhRQzyNZzURpUYPJd8Kljiv8Z8AeBa0CYDacGjlhmvIqzlupw1YK4kqLIsA40wfIQ9cSjEoIAGmlgF1svijIy/J0gjUwv88Nf0fG1kkg86Nyw34CsN/ZlovmwgRZR9BiFauwNQHRND4MERV5HsKzClrFEvZO6q1IQITyI20rmAb6QCax7S9pZ2PA+caFiP/Jsqx8bsPXT/xWI6cUhWdmNCO8p6GkMFwxyjTZ0QuzZy7bjkfrQYe4I9RP0C1Pa5vBNidOefoIQ8I1Ju5MZwJmYMAcX00whGACaoyIDaVhGR0hKx96uWYyoY9jggsMNXrCgMMNSzAoEHbnbPkgbKz7EKGwyS2y5CfRE8VUhHWNXxZru8KtIb2Ia17a2sIsRBbjFkQVkE4YIdYXtiIQYRhiR/zXrQzDbggph9k+3Bi3OoYSCxzjZIzJB07ou+WGpNlPW7E4xFPu5hxV1IXqht3+2A2uZsg4Ux+42gXlD19mm1WWhdq4Te5208t9thNe/UnsaVKD7yAfR2/3DIkP8AT+C4CwOnk7Yv7ejCwrb12wbIs9GoiTN92R6tWuSMAHlSZ7qjNMNMk1PqghkbYZUMQI+QBfIGfU4BiEt1m6sGAYeu58FNaFUQpp3yNqSFkBTZpurLHpi1xSLK9TRjgaXbZcTDE5FMM9oacJkp7ct3ONbD9Nd2JbFK1mYgF3HduTla6RsdkvosW9G4fKbCqqI+f6GsgxTmU5jmpKgEin9cRwHSraJdE36319KcAbf/t6hGhbb3TR/1veiOSUJ9UPtpI72Uc39dmb9TZgCSEKSDk76uWSt0qVF/Xf6n90nZCTsu33nCKQhEgcrx+grdNN53PyhAOeBvVkbVKjulyrdz9Ue2UdlZmNUR+lymBOYzxe/W6F7H3FThYDuUWrHzOpatPpyxSUno1FF/kC25FGdmHQtsUyHG3WDN7tNF/WdCDgGe/MIKtgWYrRhFHTSdse77Wyk3xkGqVai9BrDVEHZPhpJAd9jTAvvK7csBeY5sUFiOSIGX8BULOP+sbVQOueYy8qfcX5+ClRnbhp6QfKsn6Eg9iI6CXFVZj2rrsAl7B4nRI04RyaKjdaKCyL1QbbijvULUCommHa8PEMxrXgK18st5fmmAIBZgR9kyvpTXagUk6t29n5o6dnPJK0rYrIJHI3ZfZkakpMJU4ttfycbM88p3TiZE2960LtNuJAUWx7ZnFFdltH0vD6TLj4PI5uSgQJqQ4WUDqBt1ULZDWOlYQRz07EA68h1/3IP+x+e1bFdYpvylZuClEDESVTakgEWkDcnDdiqgcrKkTQCzBvt/Aef//ji5GemouQxrRmZwxmUJqhMcLS3lqMC5sIXZoSjHCUIdXGKrDJZM/LsYEMlinyJ8XP+VVPe38SNdoumta88Sf9G/nHx0LgGnjNr6/Q89rMmwXyVcoYfWcek5V4GVyrYoHBHjOXBSJnQy6P6lhbzBT7R7NiqyxmFVBTxffRoUI/vOq1e5RbQlAOy1nIPqubwZsbnzzp1f0NedRef6W0r3nWpaNhMTfMR60p13drjDbYVsE3+1d6zy3U2+QaiJgl0S7pjUiKV6wXlEI9JOeLnYYPUBtv2EKJZ6Nv7Ss3ek/rNhVceglYtDogYb2/804onJFZ0AC3wSsitctB8TSTsmDJWeeSSavF6nJ4N4iWUzEse2tRiwnFRVG44kCm+PLALjTS0jkRb7xei3C72uEoLRLazYY4VJbgsINx37xVTDD0MU/g6rxWGTLStiRijgdWvs3k5oywsNtE/JOW4JtDvzAwh149UrOOEFnIhvbo03Q7lr+lOPoKfI6T9ohwyXCABN8vvHKtVVYpti9UUSsbN1vbRndSYJDIh6cNXir6mFfb6hKCCwuKBvswLRyQK8FNOMzRT5YAZH0GIMtdrbIlAb2JnU4Fq87UUujZV4a5ZQjAlyzpzcYWOaTnEudqG+1Qp6W0cbL14i1eArPE4XXYyw24GP5gUK8gr63n4/B4e7EH6Q8rrJt47G79BHwG5xqqMZW21aaOK5GOT92jH2vcTqmGQO14OU0/o1/2nkhPsgNlIergw10NiQ7E/rLrTAyNj8ClVVgPZPM9FzwxpbhtP4nPnHp+LefRWpJWTPYt+fuOD1swL+4zENhnBki/ABiGLUoXqM4gQHD/NTW3O/PX4CBBMNqgWwvoI8Z4+3mg+6zIAw+JurEsBasAeKjiMUa0hhacv/dF9NJho2C1cLak6FWKEmmCSEsTPzyJ26PHsnBKPglemnPOwNE+jnggX7ftqKnfLT+WN2NdMXSIhoiGw6lIXcO4uRErCXQIg6IEoHhMuTLx/0XEzi7a5VWH6KXyS4c2geSUzSXxEiW+2JrD/dC1ClALo1rnkivvgpH7/zttW024GC3sfTF6w6TIzlo8GEZOTVRplrv4juxnfG+BKLzvzQWCspyVAVRo801YKpHj2WU3zmmVcSpfeagDFfnCNw6WtBU2ZiDln5RVW5nkVRSmu8oosif/oagLDsFcd20S7DgNDrAhRzhm/+nHVV3kTYFq1T93RLafkh5FExg+uHj7i3IxloEFmf4iW4j6DGpBols83q147QljyXoBej/A+Yf/L4D8kY+HuXz8P6rNCA9Ixu8CyfHf8iAGmXnAXL2pLB5yG+DKeViA4NCka+U0bAmL2lLwlCH+5BEZ8t8xaOvFl9tbaksxIfWfdEOeclNdLEvtOZPkdTixwFLJ9O/0L6Y2TB4XcprMCBv4zowNr4PC5GRMq72W6EPeIAYNaeAvwdoTICaDcaT40H0lMB1C0itkwRVWFsULtA1aV7ZDK/JCadU5bkay++94OOD3TbBnF0iHPgPfTSEXU6tAa9T/zpFzmd/+WxvLorQrajjH+lbdd4rls3/5ILKgKUi5xv+Q8sJrsylLf+q95sIXZvSYaev2cRWXP1bZlOrUacXM20zKzMgbNQHdsfYbkGuHO0E6zgYqzZgRsyHPOCz36MUx0vSCZxxEZiCgW1D0aGIFGXWBxduLYHlZy/+GuiNbgDxjffZWsuyI0Juu8YmaLzzeRPvjGibD5xylj7uqJhqfxj5+aXt9XkWkaNiidMaH7Umx19RWk+YRBu+qfRBOKlD3LDf/sHvTgFypDmOFMWipMxtj4eAI+SsBY29o548OY1vyx7dHnkNdgEJXLWurboBfaGdgM/D0E8CTdgHFlRshyRiAeiJ6s5Gk+9fuOk4BQ71Dsm/RUqqp3RzQHAFR781fHHJAProluJ01L9GQjThFqjMRj0Gl8I5sriTNEEq5RoOdCNz52JUzbKepdc90c6CkDEKlZGdbv3QB6UxZwOB/pztGuCdy67SPGvO7+V2g2CW4GIgOEc6A8bgY4gOP0E69U/6dfTOL23BM/EHCwq09PPrkr28afKOjk9AkVmUWwUIBY5aQVlTTZCkf3j/9Mz1EFr4UAJY9w9QPlkiFlw3NTNPjfJ65M7babeTsOlQ0EghARXkqYAM5eN7MLdaaTQFp+h/1O8ikbwQpLaRy9T57/MucJPdsnSj2s/ZOMwX7j0sorNI7cPXZQtJp/669vJjdAq/ucdDjUaWK2ik9ejevU2hX0eLLgCPwczWmixb7chdrSRgb/HD4+cr2Ejuyxa18VuaYA1564Pzh1x0XVX+817aMSNt+bXs5fQp8o7X1R4Pv/ysqBawYk7FMoNlo2tWftYbPwCkeGllowlRkDmf33pi2xFqSeH2qId5LV5Yd7OqS1ruaEk8E/c4VQ+m3ZaloUn/r166+u38DTnu+34QEQDalqrD5Ri+AbuzVe7mEjtj5XLaFWgn1bSabGP3j/6bBfb8+cNbSc50PHRUKyzbqJWx71znB2oOyyQA4/Ab67mDrRYCg8oGuxJ4KwuyTnSC5JKu1KqthdFKOSIUSwTITEVmYDaP61RRhF6tujLowUp2CAoVuM4923Vt1s43jFQt2XL/Pn/JmlJFLMsxBTotd8oJNIO5VrXMPz69/SEDjWQW9KJm5XT9E5RamQIkupgfkbs3D9dCsbfXRPExf617BXtz8IEwgR99c/3xmy9vzGF3MSa3qUbSkHkBSAZATrbNkOUjqoEgJj8OoaPPPL1VmN1A8R9zA29dX0QXek6pa+nvhpPJSgE+b0Fv6Tb5t8gQ6RpQRyzoiAhrP2kDtvutvZksVg1VESoYBNzdVsoUbAMrZZcSj//5aCOuT5dsWA5Gna2bBvvE2B0GEafbru2/Pel8Yt3uw0KsdkVFTwqwlCHjP1T0Y5SFXMnzPVrwMllg+cG8k4v+Wf8rSlGA7LPhLWoNkZxThcFRa5MoKmVchS/IyNNO7xdedCSsGoIC2pLeUEpk46de5tXDc5cnWQNud8gWSC+OHJDPf2np3KLZK0pUP/IjiAAepl9HR7BToBZ1GtBU0PnAsD55/TU9fOt6nWHVjJYfSv1Bl3rxYPSd/J0eaFmheb8686qOXwi0rIf6Wlb36tIV7Wp81Qa/D42KCPkrrdNxMzuE3cscEWbHu9W1U/zMUXWGRUZgVNSCPke3Z1j2jsYttkYwfuzFtAkLfbEE/5xuYmeCF7Y8GtKHpzvVgyz0jV7n1Rjv634HmFT+ZmU+i+wOgYnohD6untiKE8RgwfPM3Rysr7MEAoWmPUlouQpKxoWam/0HWPPwUrO6k4ski2u2MgQ53BP/3nq4qtdO04x/2NKQc58fWelcigEuF0LgmXPzwcm8Hq9W+k4HluLF8wP0v0Bzsm4iS2fVwotK51J118StnXUbmHl5GrRFjcEP4G4Ps+4vZx6vzml1mbZk71gPGDcaSvhjNGm9FJBQrUnFKnpYMfMLdlvjJbmBXfb68eZc7O2Wpvz+7nPTV0pfX80FTshOT83H5/95TV8jZM7czg7VNVRiCBmMYT6+MezCVuAJWNA4L//ZrUVXAetTvjSjRmMFZQPFKZ39iCTj3K8GrMYfhwEceKmILNuxf/C3VlAhWSRPlHwjhIpXli1UOtxaW1906P89a1NxDqUYQ8Lsk12c4f3MlCv+waN9Zbb81RRlm7im3ACdZu/TNXj0kPojXYA75G5p+6BeuLmPwSLr88OTugvssrMcvZCHxB1/pKz2R+zxaaybGzk//tdomHXt+rdwmvv+P3+Vnb1aSdrYL+z5oWuP2cCrtlpNb5pk/OSp2IwHfFyHVlGxrR22aoAHWxF6lohgnXfrCasPu05K8298IKL4OfWIuwWy1KonQk88ICuoWVfaZnJA6P7y/gEbDJEYn/pd2VP08u8k25kNFpjlU0zgioUOC71dZbKPBpfrTyQX7ZGjebE+/bGvP4XM+WsjYrHI18k2zviWkPZtVcxU0y/nlUbPpH18gl3tVMWJxvBq0CmnFPca2oAqDTXk4pyP35LebIRcLSOSFVrx/m5SMXiU83mMw7Xy/VK7CmxH+rpz5oZxoqg+zmOwInwspBirGPdTbWjQhhaJccHlj603yWDFRVHFHAzEnCvnkofTFhfkG+W4Aq6zZ/MF3o4srH9xsw1t5AshS/mluN/Qh7rUxEklWfZqJ8Q7+bCtTUCqSjjoRX1VQIEnpkK2n90ojsrAblC5C1ndX/ozFFl5cuf03NiTBcu698dVpprhihgwesqXnsFGYWT89Toa1tyWD+6/WNFKdopwUaJVjAuNYnulA8YO+zsbzKS6Z/TYxcKGPtQ2tHW9ZY289RL5UVD2WyJGTgiVSqvMVLnabLn/ulJU7A+Lx5D06C8rxoafMpmQp9nIEGioV6wmujM4pqaJazHleMM85zLXEoQK8ZhiAEFScJ2J4Yt+9KtxOCNytILL5SekSw+3YyxhQNZmBAhS6xV/iBLiFFTrtPonF0aQ2B3xW5dRH7bxv5eMnPxnrL1uZYUCFrLY57kGNFSMKg0FskZNYmntbOJJifQNv81ehs1NsfcltJ+87MXznFO49MAHkUxTbEBngKgGWtTHxjoGXELGKTLPlQEbD7sS/SbuJm4bUfrZE02bC2unrTC2LMQJ4IhyPnRAvOhVosQQI2qhXG7o6PH7S8kpcyulmMzwtShfrZUwjhDWykH3uZfAtf+dBnIfPXvNjcgrTmv0z+svo/aCfgqv/mflVzLytHi0xcjZttqGhVGR81Atvqlv9UDTSrn9geOKzaEgy1akEoj2tH0cdnTt37yOcr4bQ1o03pF2R9JJLtnZC11h2nimjUXNHFm/RK+iSNkV40sKO9ymLLmz+F7qYB//YM+ASqmvKcS/fV4NqOJfBxO76T+6qSlXdjZMhr76PV/+QNC6jpIAEwqfVUD+uXULDvOGNdkdxLi3upkbVCVWVmp6bSTsJYe0MFssy+RWZEMDAFrxoYHHNXiKL1KHqMA7qo12XOzRXsP8jL3lVdZeQDgFWjwx1elLh4CoxRYiwgduhJ6KCaHCPwChQt3H79W3H3vttEuTn6iRB04Yowk1kMQ/whiufeWca8AuAcFk+APSJSh3ZklOVhc8G1y0dE9YotGEEdiieCaaCuUOLdiu3ViQcnkAe1cLyLGe0Q17Azq9shCiunZMhl/UC6JQYzRZ9PHCkZX5BtC6AFN/bKledOajOgSDBAfMer5s1/xaXE7NWPdt1RtPbm/0N4AC+cKKS/N8VV5VdIyiSYYB0MDOgPbQkRTD+q4fLorRHYHd3uSGzIzat0tcWH1cijVXU37RtTgfxdW5XVMprm02tlNdU03FBgJcPHVvynnn8OjB3ykIzO2XFIr0WBv/itvObahnSRcGHygbyhbIJR7sZpWR6f/2pUk8utNheU19MQdtRKyShBW2d6ffv3iuY2R2DjstVnIIy1PGgB2/AbGgeuVXmbf4uLmCVIEUUebtqfmjYv1ZnHOLuAurNUmH0ulwOVg8TZr+HkWwS1u92gF3XDE86kPszOmmNIKvvW6/9hKbu/au9a2YsUxeTkYYBsXV5Rp6ruqaeQ3e2TgYXkQC55hJVa1lKJGnTAltQBwSapXw9cGWoqUK6KFasr/XCJRDX+GV0web27g7XUjFG/EkxhjTLsVlUTxvgnxKG7BxsFaK0ZJ2VB4+6BTIN6rzvXmjsa5KVt3sGRdQHUN1mhdiNHa4osTzXQLM23TCa9ugvbHDUobBmJ53cCMdjK3QVCt4i7JVT1AFUBR+7X9fZzs/qpg41uGSS6uSyIpo11cyIcaaR6cZTTBFrd/veh1n7PfsUQKWp776Sh4b84QmRfZws794a/OqTGlUUF9Zaa1kb/xxMhRsWD1n01oDeXEx4eH+yGLGQnmU12s67mUObZ7dXNjaO2G4qMfozg7TELeeVpGH44vr2gYIKMe5LpwoRa0RCtslDkPQ3d+UqyzMQP7iU8uaVqcWy4Mz5uCUmXgMCAmMGZCaAhQKZuGRKVnWNaYwstZPg6+9dIxuLhf4hs0L9VUMxH0ucwHqHtb6SEPyb5mbej8T6OhbhTAg+tz8IbhWMpPqkbckOZx56ue/b08glmWyFYJolGUvP5gFmJFP4Mo5tni09XiWFGe/bh55ZVCXQbc4SvddgbCBWhdxpWF/qfNm8AeZmHXuCTTx7rpNOi/pSQv05IV0n02kIse113p7w9dNtC56ajV+/jkI8kjRC5KTRQ9+Yok1k7iOnifDlXmIdWsd55Nt7Mx3L+H2i+7O7IjHvRE7TNjVsJbQkToyJ/IYICLIQpEQN2oKBHkPe1dJ7K6psnPHroNrxxttU8vM+wo/Kjvlq1cumwwYCuevW7BaR9wI0SDnbsA9B2xMnuywP38HwkR5QSjU2uNC3xfmx1bQSe43zbWpGCFFlWJ9Wl0mUsYN2Qm2yfG2qwrhtPeZL5GgC+kY7hpB2w1cNh2Z4nKe6EE7qDdsBKLkABtmeHy7N/rhxyr1byNcDlylzfpVWoOzVG2welVFr0BEF1/6ZCPmOieAIOnev1wZvAEJfKiDTQlG5ETQe8J/xE7Z/Q8Wwm5j6Mp9kMFaDMulhOsibYq6Q14FuscUrcWUrEp6HnJs9A1UDE2BY1i8lqAMKctMHPY6MPezU36SZmp/Md+hMTZIGhjEMl41hW6/9859o4gte/kIyST8UdLcur9YrJcwYUpRTATkWMO69vWv3bP7eABKtXqCLxSgrqjUf8ttDFhkmAc55zngdPU1Ns0lBfObbxvN2iDXJTBgBSacZ2GDqlURYMQMnlbwnCI+k6pyRczJ1RsLL0DDfhCJsRTJwCIWiOVEykg8JtF6wLOsyKSQRXS0ORgSLX34rrwXskqXAg+DypZcp2roVnwGKrjbYchxfHUCk0+GxxsdxBquLXeXTw+5MEfkLX0jeMLr1HfPKy0gyy+5KsyxarygByDim094qFL2ekVU6xgTe64MWhBCFOg7IsZNMuuqWVUHMt+Hcx5cN3lb2ei4t795OABfTtHW+K68mc748oj09RSbfGHV1d2XrN7pF5fjiPDolJawXealsE4aKhOlg4/K2f/syLbOAL+dCD3xK2L7m/juw+5F5zdl2wu4eKLK06LeX6YoXiKDKsB7gftBZexTejoCdt+1Wn3CcqfxwS3GOH7stTfAxaLs5h42K92tzKbzyPk7652FwWnlajqAH2HaWCiryKDdodmr9kqyVF0B0G5kJlxMSldc8tb70BPlCUGqhezvTD3pSywUcjkA/JSFvUfUzQLJlGtYiMkLSfMT3mr2ArLtlIq5g8GneoiZtzv3wkUAArSmL5V1rj0ty1zYorv0P1Q9SzCTvU45PYgw380+euDRr7fwa/pMWgIdQXz3TqfTtlgw0guj4NG5Uklcc2r/W1aoAHpaGDYY8KmVNwtyUqeMMKiJ1wIJykWSHKNjleacvahOPwVTu3Wg6rPh9hqTzi0LOaoVGIzX4j/2FHCzyeIvms4Qv/YWo16pTQnXAP5j1WRx/cuQfXU6gsvXRfvvvhpvTP56berAAiTgVU/pwUPZ27lSHpAQTZOvAJbftlN+r2Rn3q+GRGsy/E2Cs/RYOErfzcdbxlcxu5i327BTETKNKCiF7GsN357iTir3VjEkSQam2fd2Sp85V6Z3sGnhnOHBxy3mzzhLsi3asvVLX58P5d1y0J2GnaTD0BfU9+SkFKCv8i6wJPGniB9b1mlwHTRY8GFLXK99mZ7OvYOt80y/08n6btB2fPfrRXNvpzfm/tnQUvs0sEBaBhZiQF2QyqOm+IRTiAD+Cu3NxsRHT959vkUn3c0FWP/i2X3MIco0nQAY45HShBWyL6y9gT3Y98pqG872626I7u5ZOTP9Q4wLUyP1ltdNv6M05TkY1u4ZFMa4HRQ59pjJIgVy2dRgufJzbSTKvMtBjpKpLhSW6gWVWDYoG2hxwYURo97WUcaUkCbL39HaessAyIVEHEsZE8FbL6qno4zfwIhlI5zBgJheJlhCX3lzC+Avah7pRJeQ/YVu0X+IMb70pMWkmAJj3dnaO197jw+M43hjkykoApog3ZbuBbkFJLawtpDfpMhD20CYqIw00S1kWyBBm/1eYQATQEIzlZPy9/eanv+qCuQ1zsH88FqmQZwlFEbAmFLKA36/1ELO2N3hXVKj4/YaEchNNtd3GPDqj6/nvhfQOWW3w3BfJNasuhTQd+0NoGZUy2TK/IEoIXtI69mAyI6Q2FcEQ6ZMwbGqSmlJBWSqHtimYth32fXb2HsI80rC6Zih3b5APidjVIzErw/ZcraQ7cwcoPVP1mCWoWoFWQ1CW13mn4mz6iHdZ+VEgDUWTpDJiJmBDlY9KED3x41nitnEwizO8rnAPdKtmDkhigzwTb07pXjr9i/di7fZzS0NTFbFLqyO2oeb6Lmh9yoNuPZy0XuMWvvCg+0bwIVHIsvoQsUKaKVx54rkLWPcB/DEFwwy9YnxMmKRqjQBZWnJF2AoqSzHAmjuWGmTsHFg/iczfWvkz37Hv59rsr7uYEWpAlQ/yHbgJfPuGGWeedHt7YNA5XdfiMJW2QzaqDHC/+/og/QjgA8HadYEv++vvpjJTlXPI5tnJ+v/ONuTdBQqgeNwJnF4o4cIHI956Av5qoQ+BO2oLaP41NE/bpMt1uLrwYz6m0iUOW53MzNprBzH8c9ufOUzszVZTCzdnchjJmnFp6BAKQkOekrN1ym4Uv6X1wfYpcHmaNQA1++JgFbqOi04je+ULmVsbW6NpoVsAG2bWLsICRCKndqPUNzUSZIWadaiA14yP+q6G9fQdfLsKaM9u7miWsyhJxHuSWXNKHk4g77SXmDuONv2AlYJJHtqn8YGw0/kGyZRCw5A05G1AE69l3pIagOBG8dNqNUrcgVVjsYb+wPwjT8pYY/ZsGIqY8/5pk5n/KLQk0WpNgMYVGSKVeqU2n/6RR07E7WGcvDgnrdPo8/9QTMzG69TmD48omvIuMmQ3fKnfqGRmx/5bSxZI+s9xP2tJ+b8W+zoKIHVmpeOMfeEmLsf/ROElQyy9GP6HfUR9vKu67ILa8f3O6jsWUw5qNcTojax25gywLBau5FDUiBaBUiS30X5seUhC+uq8ZqJOrqG+iQBlhGEDvy3XSTp4Z3EBTOrKY6AMHYWauCplufK8iF96EKKGIyrNyKR0hP2Akh0mfrPPeZKfx5WWVeXURYoi1z6PwHs1AclYFoOLr7qzuF/AJcyS8BSrN1aPnk57bYIG/2ILVzFLNQhXmeRyXHXstrWhRk3Tjrf9kXmRuB3HeA4P/LER/5hLkg73U5/pl/r+TEAIEdUwufgBmfpl8ja8rc7Q2uNSJu2wjrRpi83n3CiXouGZ6i9yrthJzgX+tZ3K/tK9INfwRVJbjuRQJYyCYgH2Yw0m1hsoAshASTOBxcjGH31B+2Z8jZ+hAHvCrC/+R+WUjsq6p3ffiA8QuKuUstWc3Fu7uLMyNCbm/890m8pc+i7u5cufXKd9YLcmqdXv7KGXyvZ/dQ3jrT/Zjr4Jzw69SoFqPw2wrVffRBXBF3Cgr3Sa0wIsEek9Q3GoEY4YsNBT3Kh4afERGeQ+OMXluk9oATrXvUY8IXVhIuY0teUq1rNKbCOztWuCiE8s2mkbpVGrkm+8in/3jP/aFlbOLegsSzubGobjfQwkXqg5Te5j0mXF6eD31gEv/ff/QHnoa9JrZsmV6wVH9DOY0ZuK5jST5e6NC/VgMuz0g2g+CAhy7GODuRfJl17olFbY4ADoUcDAI78QNiadb1+Ybn/dvhZ6TXI36M/BP+h73zjOUsRW+rBZz1M5SA4+t8GpfLXachaVDANamqE3Cq04Ti+pbDL2vLPibaCe8OY9z0AKlJ9lkYjs1wLy/+luOEYnGw+fB0Rs4Oi096XP7munwmq7juDtc7fAuPVB5HbPrVzsnN/LXDAfav3umNGgXKoWZqhb03WBsLtG99dOdwkglMtti2h9oEpi8qbFtxuOP951DmHXQxnYp066gKEjwAa7gIu5NzCHiiZrd4YuucELC2jwq5f3r4wBD57CzBD/jZugcXc3q37XUffpR9FK7kXvnff70LB3eMs6rIfCOnBD43LU8oXxUX0LKDXR7NyXmJ5RhH4jGqLG5gokzZh6o6U9Pv8cM9oFV47MIlvYnXkJ5TyAnSfNwhNsEKAwItYhEHUdhzECR+xgIkmDFQEnoo5jQGSpTg/QQY47++TnNigtmqHKhDUJzmjbBFDejIEb5nB8uIk6Bw1THM0mLHmxyv+e5okeKPcgq7JanoWXg8/KNaxL8ZutBkPGwkilCio0fugFGIyak96Li0W60jVQeHoJ3ckD61eVLHmYg8qLiYvT0mWRzWuiO6Tu/Lzpz9rfPA183vbuTB7pvH6Bqa13jr/s9jIfJYJYbpkTuGK7IROd+USN9A2/WFpX3wsqJWffTJc8F8dSzG+ZWrjVhzE7JuIpUIfTvcZl9rKtQ6UpOsD9XIRUnFavsZ+spNp5ytCTQAa3nBSb2gS+cIW0MDjrbflvdsgbXhppa+aDzvB0XS0WAHI5RUg0PYuN7A+RKduLm29hVFdgas/OTe/2kZUogNW4oHYf1AzYSo01kM0m5jcvQPJUSdvubr0qZFwfjGKjyn7ZbtHg9aIMUIcB1OFsm8ql20M9PGsDbpAwq3JvvN9UwP0rOWmjOzObkhV8LDp+WM7BrmjJmLpsaWPXn0aktGSpZx+QNaPQTvocIJDrf3K3R95A8GWC6zCSfWGRtvsTH9V2nrsRpu3DvY0Jk8mxM2Xsr56M0QAQn7Zddp5/gLMs52gey93Hc0WUzdEr3z+IHdDQ+S83s4nn8BDp/7TfGV7NWLyNLgXu9AxdxHVI0zM4ZoBIBa5RYOTaEw/lz3NfyXu7f0KKXE2EUjov7+1ENQqD64cWffaZeDAc30P9loq5Q76DULaROD0BERlfvetUg9euIXIa4fYYIe7MlCI310ODsCLpfsx+8ueiPDvRI+7WHl/Tt9DvLZQtQX/A/pyuo3xS1oaMzWxzb0ivViiRIyV/xtqphUBy0i93WM05O3U5XduN87CGZ8L4RKwRs3uSeT9gZdS/tnCN/kcxHU54P31HRPtqZO/osoIq1Qt/ZSos4adOfxZB5hgFPg8tkEoqA2fRmHkaagicYTrZyAxsQ7ht3I8KfV+RD1UjsGUjH/wcJ+cwpd3OUXyXC0HYKpWZYwFmT2i6f3CrideqREqBuS+W6UEru39QWUY3ZUBb8pZXu4ZvMsB38C78z6c7m+nO/M6o6HH/UzIBOc3LnTPFlGi3C192MnOuIafGnTeybfg6aGvTmrQ5lh6K3Y1+93arMZqYKdwpcIwbfH6zj7gDE1/RH5kJ9ARiM2/KQnVTsG8l23AjHMSBUbpSPpwBbNbdTxL7gjfpQ4Jpmqc3U/eY2t7om5rtZX2EAPYyRYz2uLJRzkpfhaWe+iXdZSznv7Gika0SXdSOgSWGpuXbdQChcEQybAlssh+53obzoWbMUa3EL+yd8Dsjb768i4Mzv0MkTtfxf5sXvoSxIL8UNHpPqzJXf6oFcg9f/F6BiY+xvfB2VzmgJfdeMtKhiw0bfUYGdBSLCTUYsjDyoHEz+XsmCshYoOWw8XL9lPxPYEhTVCW2mFAWnlQ6+sk9Wuod1Begtw/OO+kzAsQB8m/z4zCa02m6ciwyR7k8s9B+6FPvVPowC2VbtS6+Jb0dWm6F+wikjmIdsXvu3eBS7aTyCGH9y/xCQ683ITZZJpNS3UKGS6ee6Q2gyrGfydmR2VtNd9ozxV16pmgGxXjOqD20IWtL33YdLiO/8+sJv8kWqmMxGt2CJ7JOTjHM33RGzkxgfuxo/VjaIckLkBaXW41KSoeUhyFD5V/n4NmF4f5PFJbkmEtuYOrbjm7nwddnsMbW3DdP2gh+g4HQWv+HpgnHftj+ao4GwBzCkgG1Ft85Qamsi6ECpR0ahxKZusXlqZG5Nw5kG2yeXLBofm3Tjhba122sViC6ObbsOt4FM48p5aUi++9Hmvlv6UvW1i6KCUdnsgYtOffT81cAdGDdC4iba7nipcj6uNsIwRjlndCROxRmMQ4Tnz36ubP7/8u7HV8TmPjCkh5kyJ7/NwOvgoed2F2xoU+sklWEJE+HewIm3gbFJibgZzVYhsWkr+wrgy+LaoR7FdbHUaOLK8TAvhd33PPK1H+ilzIH7cZ6NCiq0KzzXb2zAPzCJGjXn/6J6tYzRq/9EJw7lkSIcc0h7xlNU+nFQ1vvJm+F8u+bF/Evjt4+uZX2fdI6hiFUIxTZhKXNchAFQpgHs/+FyhGX3KKeo6cxfc6/3hH4nyn1dlYX/IJVuVWVtJ7gBwlfWaDPBLnKzVunpMVN0UCTjF22sP/TnXkyufyK2PmQf8lI4spowOOLTL7n9OKIBfZRCZPaNWNghdLtl3ErJ/Cx4z3GLlyCbC2UNKu9OFG9tEQwNo/Aa2vf1dev4If6JU64WZuTo45q5lEbW4Pt2/vlIAlH5ZCWGO8mCg45R5MmzVv2h9Y8nXlUWlj4utqzFTVKTFHmzWElJgOXQX4z+2+dO4TkNw8U0QEjhYWJDAPP92yb+zsHD00ZcKzYavNShjlS3oXDr6NclqzFIWoVZ1QgRMkFTQ28sVESVnAho+SyQ7TtI+fYfFvK4aoyyj+un7hfNj5LOD7mD6C1I9b56B/ISQmeTmmYYTr/+jm3ZM2S4CptPnd65BL8a/nAn/Nt7QpSzn+o177Rf/nG1yi+fAxBUEx0n7ODH8ouVcaY1PXhKKRxryY02Lxg5ov+q0X4Gb9D22g2uFnH9jtz/75msL6NqbtbYsft0fGC9K37Ck9D2VV1KZJRKQjcnICTFUJDUZCPjt6BaGuw/pff/zRCF9CqAaDEJvKhaUR3opCQ4wXW/f+3pMRmla/+vid3fmb9dfc2v/aaVwnvRjeDGx8mWf6B4V1ZI3c1w/bgEl9pVavVhnyhuZF7UsvDlfGrVPak1PEfXf2vPnpPxN7gYWU1rnmDQ6wxlbWwYJKIEfuWXVq/e/5HyDwmJW9wP+tH4hntuG233wHRs1j7TaQC34vTZkZmVefC82SizCGqYEiQijDMvHgYAE5+R3+piYL5+6Yo49Nfu/+ToWF+2yhEZ37OmXIfePBMPy3SF1rH9jyRPiepHk1meL3Ec2i4Feavifkne9dYjJ6t24vfu2gopt22eVj+/dB+eoQWQgdArJi063ve6KrYk/06naIFo7cOXROADmzXzohWLyiThpxp7I5nSfKM5M0ZPFtedg8AfNm/dR/MFzO/Y54kvLtYUf2n5WVZ/SpONb4UPAAD89H/nmyDUXi0MqjlvNiXNkELf5Pn7qvS88hu6BRSMB9YhKrI0XdAaPlnS8F0+gVHIEB843gF3cO+fWVSqFam8F7J1xVJjxAhpKJbrCLp6aUM7j+yV/7Utkk1lvBO8igVAm5G1dLuzXWMgjYaGyz7/R+/S2AGj26D/Dzq/cTm75/ZWOphFIMXlw6pR+zHJ4+Pi6PpqDsl8uSzONftnnBRCjGT2Y1Q1kclMoggsbA7t7iREkBT9QJh5ru16t2mPTxuU8WVxdRVtb7r/U5L7ZxPU8JyVdybdjspqaBEHHYYiN03KIllk5l/q4fob2LKS2CffxYhFZjHSPxRJXkd9g3itNrJ8HjjGY5LtOP7N7tyFLRRXL6P+v5IF//xb4yqGM4TI66a2SdZWu/9NL0fJSCTiK8ciUzLSKsL3gb+6gPiH1AvX7jvTBzzLW5gWS46g9ADjA3OQ7+WBO+Z+oICNqbEkTGvP/rFch93we+h++d5sf+PNYaCGgTf3pbENX4RBi64RW3ILZqocwrrpFBUVtXhuyS4+2HtAh5seZ1vohDQqfbZ0XS1kSOLptnoBCQElGWFwwmQnpCx/UYkrHgR0AfrpYhFoklSkUfQYdxDzR8UmES3a7efM2lBKuH//3+SYo5GogQugatafm5Q1zE3RxufBhDhBAqyxdDpvUeeJcsu8ZPAhbBzxAH/cipEp/+i2J/Kpd5p6BuRJvPofhKkz15mXvezOXV00YTLy8z/NCFYwR6NKJ7LhfB7G5zuP9CLWigQDzYVvuA3KchfxYAaPPfyB3eQGLxw5qbglKG2wwC1L4tt2/5EJ1lxKNThZL1kWUw+3TtvYeIFP6l0L1BtphWpyS9vCBkEPAVr8I/lGvL8K8xlDqmD28DVBTLlsX1LSkPqHxrBkaxLkFi0deAZrbmOXuekCrQy+/Dkzp6aY+zzTWsHYGNhPPrDaYtX8vbzgl7vK+7/MoBDzpdH6yM4FLMHfKovV/D+Ai8C2clkpyFIBz14/dvyLP7qJ6gxcCpD+JHFlSFRJuTZU1BWioXttfgrOqfvzXKjgf8WgDvfrxaYDM4F8u1hX++BSrnGxHkUpM64q3LiOl8hRQTwIh1LKKSZ7LegEQTnVBevJZyEjD1HBArfDmJ66EsNld4QQDVdZOBr4brhw+WzMfdhupyQJVgUqNOVskmsCm1hcGMT5+5Ozgh1VMqbgxcDCOpxM40mswGps4ShyUr56Ttqyc9ULK8C/barhgqwg4UqAwcDu3vLdNrnOLnD0jY2e/bN1CZqRHex6VRK6Nh9IipOOAevpXKRSY8rMYBm7KTHTbBKN6lyhAB7eqfaLa4Balimb/zjAiOi1EhB21/WijZ8z87ysXvSlKcycrelsmUxXOkAjvaOofLCFMHesCAFzL7d/lIzC/W0YaykcpjMEtejBrQ7w3sZfT6bfHvsNfQrzkt8zBC63gVtQpRltCYPWj2d4CZprqJpE4Nt8l0+Q9Gls/dYepgsyvt1bfYT9GBMPiV57IzwJFnG+tUj00NlCEYqThF7nLw4SMwoKhptgV0WaPkwiKmkq4dTn21efBwaiYd5Ob/Y8NENiGrXF4iZbq1HXWvPQ06J0yrWwSgO635rF9dlTL1sgcWtnuKV4Av54O5x5d9eOd8ZHdc3NsS0QTn6hj78/9dWnLn8PEXKs+S3WwWklsbDZ5t+wODqu8Mk6c004U3C+dnYWnn8Pnm9+0gcD0d+WWrSjpIn3r1xVY2/kJ87vcLXMQe97/xCA/stWZu9lAWeSI28qnbuMNPG6y8WjyPLwCxmcoHSA8jyHHmPMRHO15iWZQlx0pqedmsjYutHBaI8vxEt7V10eu9wRM879fzm087XouoBbPY//ICZbfv60JcNAFjjLlvz6kBuKvrpBoRlv1o+uG32YQRwu4cx4rCU3L9QYQffMkiF+6OnBzkjfNiA6538FHbBpr/5oCDjY2ecRnVMUJ2hRoVPneMF1Sgljn6RagE89hUCfF0WPrwO3Pe/fRb16nyaK7zWVv56MFar8NOIuRouMyDyDTaGHjbcGgAjL0dTXd5RtSggdK7l0+x5KNyVwi/jHUurChydUV5Ckq/fLNJaBqea07SxXBAf6Gn8+/JMjSM5EXGtUY74oWvRJ2o9fedStGoTuT7jPMc/ttbp1qrO7BgOBp0t9z4Dag+VDy0vZ+MkhHC1bLqnbuMw8mcqbjVECv5lJjdn3b5qOfHZlj2ORdMGNHuwaiWYwmBB4GvwmjU0V71RhCO9y1C81De0gAKGZGPO+/CQB9P/l5bLfmFDQkVLk4TUlpFD3U4CdJXRB5f8UoSURWqTNMIKLwoCrwx2meTqz22h3PyXMpIc4hfgMaZ0nZmQiXGILW2pF/fo4mbWdrz1Xq0aNLK0Z3zYQIMOqgh2wnfbbs5AYn/KuO/me5v4BhalXgasNL7KwTWgD2peyoy8mvrhAEy9agGZBiZMJTPrQOextLFqnwRlqS6IqEgP8aLcl2BT11P8SJqz3KM+e86MM4J1So63rM1vkAip/ZVgk0W8R0dqbriovdNPXNnVp1ChaAHw4UjWHHkrG7t3Dz7sxqp/PRffqnM1B5ua6MwzrzKxzWkGriOVCMMiANEPpJU9rlH13eir4lBa2+0ZQdiWrCBSpdkF+4+1FqLZ9Zp7/LxyilLwvNA9+lYv9OiI2r21m6Nv5OPa2ozFRvAZqpaBY7FXC+PDm4085UiSAiiLLLx2JwiQy6wojWql1AkgmSIRSoD+X5tinJyIsWrVvY0GaULObDH/unIglJPXbpLAEk1BQx1kMn7DaTBgRel1cgKWuLaZz1kQsTK+ZVaiLRdjfNlpvFfdVKtNpYT1+UzdeAaI9XAFueh6OgL9k906t0OAylLwmwf8NH+tdImcI2sjVNOruXTigOw0OBbfhWw9sNNuea75lKcglbisSncOqVnH0MyOAHRzwvpvI0cBnykaOm8rC7+LradeGy72/epXj3tzbG04YguzI8HoYDAQD3gfFCE+tOtxcdMYAzsiPQbSxDe7pbkpizTlyG7WOMue6pPDXiB2ISsYDaWtQXnX3mq2SShXdKqO0sR2NTq2h7VWKl4i4wRGFCSrAogXVVrkOKr5V4Ne6sKzy4RvVy5VeU4g9LACsS4jMl2A/bgVSll7dDUamOAaFrZ/BEWhId+bPUQTpeoGaDm4GDHW0+Prh27h6Dlu/JeCTKMInMoJlx0DF2eWdSmrJI8fIPBlhPdbgStbVhBiNdtmC8rfar4FZqJhRor5ZswxHjaV9ig+cMLGuwWY19DNagqZSumoL8Kk+z5lgljEd8uTbdP/4nRuJpjagb58wc5RlGY+6BgOmxLrAwS+nA3YurQEbjeDXjpnS+zQ46TLIvl9usBTKecXn+pF4VI5FaoBwNk91nkGl9EDATj5xeM/8eBZh6Z/BI3lfjTBf1PU+LH/9iYrrbfmHlrL+nNW3UNu4BR8KmKfTj+/bujvOp/h5zgGb0m1riscpAxux16t19+Q0wxSct37a4Rxo2GGPEPjprLW5njc2bDfVC/Kb/0lJzQsc42X5giz8bWNm63tfuyNt8SLABJKAdtgpQqNbRnXzL7+Wo1XZfaSyAetmpTlRbuiPjwq5RjLdcsnnuKJ0hFL4OQeiS40MiqxESFJzePuiedrWSzu90cFPuD8fI6NhHGdF8aSJ8BFOsJ01UxTaJFIGOiYxUP1g43DlaAGgj5Bch/851LQl93sLDyYP2de93E/agJxpSBybGCpEl1JgPMIZsQZKiW35GqckWpKpWsoNQErqNkeBBmpnhRqSMGHGVtPpFqXIajFFxm/v2hKacSs6Hr1zMwv0+PqWJ7KBzN+WvzYyC5K15MnG2QeHzWidkBRYe7Oul1JGd0z3DB6uOz97mXfPeTYewpf7eziFRlc387vNOasSot2oLJoqwEqDpd61xrAhgt9GzoD8fxPGrFx1DwUNtDa/ac1yKVVzgw75wAKEHH4SclVzr9za65hxFhBrcFNtJvTgyQAULeCRKUKYpGcKTHqmNZQAYH0q99dhtOgdqpbyRlKF/s33UhlKey4j/fX0EP5u6uhLBeDmId0Z9zkdIHgB3L3b3BmPu7PdYL6sjpF0i0/VBPuqYDSRUMyixR7zES1iVXdRXieBKX0azforhLXpg/HejgcJECwaBtNSB7AB1Bqidr7SLAYcQYfCqEJ3KKkbSMrsE2Qu8OMO5kYX24EUq/7Z3YAW52EKBouryx4iwfXVq91gcTQl1W2JH9DqFx8SshIgF70C5zFRI6m8bQB9onM2NQlbepVAEEljjjamJj7rlrFHIj9c0uX1IpoI7cq9kwy3ALUeLDgildRTd5l1M5c23UkN48yJTOee9tYK06UPc7hzgdF3ZxCAnyafNO/iRuVbD+Faikd3VSYQFbBsgvKO77jhJdvZFIz6Dqc+cN2S5tbHXxLrq4WJl1el4nx6IUQgxLpUgArCqF9EkCO6Wdear/QHWEtKhePLJB8rVrqaquqX5ZaCFL06g0tZ2mfnS5MXXqN+okePFJpHyIv1RXYbWWmkM5y7kL+EuE07dmdC3VSDMmXU1cYsB1PAnGrPSlzKofe7KWz8mbg4n612uA7LCEp36WJtWns+kKYNVh3civQJLV022b/fiTRGFnt9pvrwiKo2toFBRmY0yQmvi2YYFFnr1KM14OLQ3dxYDho9geurtF0ubRlp7pHo4unQLkCw0Uiekw8wH9cnm74rOm2orSwQ7Xmz5aC253u7nejOocVmAYjs8Xwu655wF0sxeCoKJJqnrwFNweZ/9nxnnlfrO7NWPx2LIN176ajOooK4vkJdetVlmvoiJ4ZeHWVHe2oxiUX+34hbyiRmSZmdkDR9uT44dXqkDb+TqBsvqiYRLA8Een7vkY7kWxlsSZx224572LFzrcbwimLpOW+kqDLfOP9rJ2S+l/HFkQTVlhwnL9dXIJWgwpkYyzf+KX00fP/xLoGXFaCgsVipVIrYyrTpKUqXd6dSa0R8ltQq6imr3Bj82TJ7AZyIUh/347kBJ9vTE4TLUB0VInqftCIlPBlUhVu6laFEsLm8om4DQ50Jns8ZON9cHvXDs10mqtdzPmQNDMBuHgnMkLsZwZ5+Z+KnIVJXOso4FXaF7HSc4BHF2WKiilrIDeHbi+gWN7Xzm09slaxpZqjVXIYrVYRP6oS3GCeHnlyfhKUIc+xW1iO1PUJGDdActLkJGlAxKrfiaRb+l+oqqRrmLQbQd5IGhC+vB/gb7+T0zOBBfxn7V9PsKJOVYB5HsNfBCDCVMuzdCpyLCtOO3LgThZ2kwnlUfCApeURJlkuqknlODMeuH7uahBpPekYDr6Gu9f14rSxIPbeH8FCXGjJ6Hxwu4fxNVyJ9+3fF4zRG0O2ClalvpC4Yq+kp7ub/ZMZU/PzuQxWwiDpuAmDTps3Nc81OTpCvEAuSS2O6LWLrj0+6CECpz1wkOCVMPGreB2daPSr22qKwsO3CDbKz/9kErBi3YFKrmNsblubFN7zIGxu5+sx+PmHt4mt4w/Tu7nd4rR6NQ27HVMSNdsSQXj2Xm6yzS9X7i9DpsbXfUS+kj37pFBzmZtfnv5NgeYYxNxDKsT1BojoGp1Cqld0hS/Udq6+eILXhBBfteo00dEH6hUlVagP+o5RWSx8AGEw/3dVRTNc5POJv6b80cLUKF8EJCEQFJ+AYxzuyhPwGThl9avHNkKs+zqnyEDBOiNMGjU0LWDcHyq+XTB/WCH3NrgOyyPDIxWZ7ZYZ3ZmGxelM/L27FYT1CD2uOu51FMylx1iVScGcfFb3EEt0v4KT4FCMS4JAEBWVHCJAxxq71VR1DNVOvTlB1kolyVhDr1rXPLjhWmOf7+ft2uRKSE1qZRmeMYbO/Mb4RL21dOpe6rWV2d7gjFxJFDzjo7iwVYytgFU0kDpUFOTY3JOJv6HENPNY5/H71oHUIVzB5Qx/LQFKuHgrbz16g86I7XdjRSkm186qEClopMW0AZLYamBD5oZB3nHvcilFs78R2dH5p9trxJ7j6tflELcsFAEYtDvySjRc+kQg+Fw7K+g9fGlywdT3ouvNC3sKoinNfTHxZnj8QPsZ7PzWUlUJPZEe7uYjSgjVx9uO81u1LKBUAxpNFRQJzguCz4SpQ5e5hX4MoTz4yVgY8fZWA48QNS/Teamjqu4QbEPIemoYduuXrJ8T4z5jC1EZpzQXNj3xFOY/fPB1hvkxd67qwNEIwuqCg/VS5UM6otF/8Bt8wfSQiuLqOyfsrhkCUPPrgQesx7Bv85TopRjHWch25aa+6pa6gybgDhZjsbfT9ahRx3cbETeC9LX6AfUezCTTDBmebG22MuOxZkRz5q1Pphoa0F3xx2GE36v8JdTzsxXBZmriFz0zWh8cKdP29IdnD9WUDw8rtRqb3ZJTDrzetlcvKA5aVUu0TB1z60VKen0TB3/0OcIf9flj3fWGP/sx0cg0VrF4ABfjzc+iU+eCq5/X/U3uBVx5etTx211gFLA9nWOA22udo75ziMUfHTKOxkhZzbdvb/DUs14Z5blldgax3UO5Vesn1LQhJNW90D6N+KJYEM6JX2beuDrcXFMGgMaDKmUyuCdAR2oQ223daqdkqvb7kVeyG4mXf0nxTU5o+QBwwg1DmSsEOUBOVQ4GWyA6uReN2pe+PTZ9ojluqpaYyekdJmlpya/Ruz6t6+7c1Yx8JxWM3nAH8L1F6B2gQoI9mxs843K6xwlZr4+c9KgQ+QCjlH4y23wbbjB/P29BfjYEWtjgpyx5nCL+afK6BTbLzECLXTG8nX7Q7pnvQ+mLzoTB3jjcpoVr/GrMwJe7NhbQ3ZAIwmFd1LaUJv6sH0KdugVw71Z05frSdf4vFCVW0obMDwv1Bj0guyAKObXh12QmRr2kvb8C6t123IcQjmWkH0+hBUgq0qyft0BtSSGQxE+rd9VDmeKVLfeIIA1LcV9YRYVAhD3fa8LrmHs8IQiZY475Y/kd2C11PlGDMDm0+KpwMX7qVhRShHt/EiozS3cnxEz6oLyBL9NJunb+JNStTyih7ftT/6obxyQUXyq2UW5fwfYSxeQR8Twqc8D4gw0SIOcUBuS8bGB3hf9Dz2ioHnfdPQtdWS5lvP9kz/TmB0h4HybjbCnmuy0jKUn9tkp8vUJ1RbIwLyGYk2v8RwvwEGxIBM4CTNlBS+mDvKSVK8zfRvichXdGbjH8lNxCNmEN/GakcpjlZ5XmzJGn9AW/daJm8e8B7UkVU2UrwRtZ3jydrP0phUREyahzvJcw4swSTkv6CzhXdbkAAnb14iWEgIvwLrQmz9wAwlZqSuMHBAkIsLxmCzGKNNjYL7dwdrVgQHihberG7A+YyYFPPZG31G2lLEykHvynZunQUHvHsxO5lUTUiwlNsGZN2VnAxVgWagaVa5S42E/P0OqQjjMPI/wRlaUmNPE86nAi23j0GyV3d1Dsysd6uQ6pWWWPmFBu8GY0nNU86Dqo7rFE10PU7Vv/bP+f9eDESxA9OE/1ZS3kapRS/jouP241I963zy896dviI4VXVeFNzFI6lGYMmdqdI7FY+X5u+nPSOBFc1kxsaSre1873GdWjY+oKAtsdczwzql3niY5pveEXXld2piLCSzwIifUrq4+I+jaSF1lFXvLv0Ce68jlv56T823txp+bcOk4ykG/2hLkA9t1UaS9hs9BCh/V/wF92FVZoU9r+i0AT+3hPeiDoaxg8ZTT2Gs3RSwYiCkWqwXuZnZtAL4U4Ua4c1mZzho39TXZ0fY7VlzVWc4wHHi70bptfSHDMOSX7fMfh+qMlVqDHxu6Z7nci5AIwTkQTVpBXxBz8GnCqnxYbC7UjnzXlx4XkJ2xZQf//1/rK93mz7Wtgv/rT+8l8f+vPxub73/hxxXhoEjL2+C2sCuTZTnG6Hup0MlY5UGeHHUOF3pRpyCjD7Na0MaH9wiep69tr39fR85VxYkRr1t6/er33ggh9Kot93zc133RV33T9zziD/7uf0UkmxQVXZKlUGqlW2bKtbJQ1gpen6jTNWyV/Qt9si+O/8wkmAfHZ4GztsXJyWArZ2JmZ2N25+dQ8FurN3u8GfOm983uNye4037v/P2DBv9usLaB7/88a/CyAc3/wXnGeZJzT8qplFHnb/Rv6KfoW+vH6XfqSXwf/qH+pf4X7n+w4RDMwHZoBg2MgQXi8C+UQN0fowDjBkaxjB2cxm1YgS0oQj2OohS16EAfRjCDxfgCq/AdfoU/DVHZcGfkY5zsGoDMWUUPlnTapneCi81A69x5ay7SGgML8tOLzXaZWuXbAlFZibqXPgfmne2ALIPOhJYalhedfcXg6M98cO+SnxmfTwVqbkRpWmPSrWVqwMnHRlMFQKsTodidS1O12WsE4+gJfm2SYPRVMSDSnCXpgLado3Zva3ftex4Hbv0kor34hxe3eEcXsf6zWxtQqMI1ftgcjjUWTw1jHRFLTmOkT7Qtcofa1/Z200k6bO/SbfXI/cPMbnnbJNfD4j1Mm72i4RZgwUlKy4YUWM19u3cL7PcP9pdRbKA6eNQdbhxu3pYSeV10apukMNppg0bgxVsV2NnuyPPoTv/52XCWLNzeOqEBPWMgX705rZrrQMkS3cVPVzcKmaMXn/cDqVB1Ge4z2SNqCDSqQsvQ04TvFpEr3/mQM/XgaHWQ7zK+y0eruGws7UrEz8y3vUMFMdNMvIbcFoO07T3fcCtOzQK4zVDogfogyUojN2ad8SjL6vRqeH8MKVU6NgBTZf0rPag9MGeQdaSxe8g0LM0XrtoyFyIE0c+0Lnp7WJun27gfx0cA8VHT3yDwL6fQ8JOLPMBWNIVMFWlbmSx7pfN55bCuCTY9DMci4Mz3aAGkzx7Lx/D81RHxq/ete9uL7u+6wYWHndPcsN5m+z9+8mjzrbo782C6yj7CnpFhApRkN4dNUsIgzl5oFupGyGzRiNhg/GXagTqjysm8whk14/2XH7rGToH15sgksypbPo9/YnBMCizui1CpjL0Corn8NGSVlVrrho1rpYsy+W/mFt0p3pPPGx7OYhHrHOAZXEf8GyzYBb29eS7BJP3IZqkngM3lT81jc0AwN20DvqRPS8RwxH10WrpR+VYbDVnNl6Q8zRMgpmXHZQjc+unnxvU1Pmv0e04waf/LneTu+cnfbiR3x2TWsTyKuEXDwaDuwEZG7L933+dEXnpTo8K8KEn0bMhgSYugnpJF26g2r36ZTyt/rQ2JVU35JUBMd7qON/94onSudlKDliIOw3375YCL5fXCcNggA9louHE9EFNF5T2JVo2bpqW3u9h90gYGxtpP0XIzDutcifbePmM6frVh2b7bdXbSTCITx6vNeHQhZnGsZMZFLWd75x7admbVarpC1VutNM1QGnuBriQ313Hq7deP3QMyyQijw28/czpUztdiIZt3aI6vXeBHBhuXdVaWn6A3KC0TX7eaSaCnDjCz6oAmWvWba/nypIh7dFQgBq/4IlBK1s5q5rin0mJDjWzPjwI10QOzT9Sgu/16WbD3uZPp45X10qRwSLheTHwMFDWMqIaNeqwYxSHVETvb764UtgqANguDHSYNl565XExYNIO7UToEm9pgkZFEJZcvrFZLVEuub9JuUFFKpH5EPij66KNkfHVfgzStiDU0zOqX92XqUEGreuWHj0ktW+9juoyDelnhXr5AVIk6yymMTQDalxihAlSRyHWG8Dk1cvwoZ5E0ooH9pJqb1b8+M8Ep82z6JqfAs1e0VyZVhDh/YKf2tf0Z+5FjGx7u7N7uP+T7wPHGiWHI0Ws71YrhRQ4Asko4W4bM9Tyq48s4uw8GmUdUQbgF2HvKepTFeM2AbNFASNqiBRWDaCpSP/fQk3HuTdv5A7P4WndXs+PzkpxpaFUCGm/UVRnAkqrCkiGvCcnc2s6otp09Odr9tB4qmeF4as9DRou37VZdvk4mMpgHxGClHSST491Xzws91oa4beFijVFssb3UUlia0I2CBng0F+swGNq7Z5v3KUrlyHF7miTZWaZ6NqohtCt5iAytagGLi1PaCPwic7R9lrkJS2KiJtOQdYjzoNTykV6HHuhwkyzrRhfUMs90QgyXxZ2Y3k65ySfh4dYYTsuhn0RPzdZUT66xzIPqHxKrxZitc409VkxsbFpkdhouG5K6DotnhKYp06zAScq07/Z4KNPnWCAHPFUptiRb8m9xQS20r1qzrrMos16QNt+Ru/hdvpQomG684wxZ/0JlvbwSUdAtykq5vFDZzi8PWZnReCfUa3rVaNVnBFrZADPxjODJnpKEbTfc+Z0bWAFCqSjvIP/EO6UJbOaw6qKLzvRGAuPffMAxTVRsi7K0mis1WxXwxlymqnIBak2sjw9ggdoXq1cUmrNF+mQ/NRdYaIsnxwFiW9g6DU4D6u6St4osJm7NnamP66nYx4v4hbh9dhT3x7uTdeHnPB8TJ+WS/4/n085y/78RaReNMO/h0lyjXfSs+o8fM8OdqeS0QEi/Aa7/37dOiI4q6eMeQerrobOvvG56vHeLquSz3lpzLW13ZneCQHTqvtaLgnYw6LzfnM9UMfXE2iktPg+gMSExC0sUWwxINt4CfHfnxv3SAF+1L8S0kuE0pbTw5YDNnrbw0JoJRroRdf3S2unoUG3IR4Wv9eaDc6GaGKXIsqTUlGnOyQmktZFv2avsZfUyeRmIzEtyzI73HR1XLwCXtRynmJssksc1z2vlC2Ky04XadX86+8lG8ODZU4mJ+px/z4tCkVNB96UuGAa28wZbPtbWzQwM1peOMREfqAPhfnVlpcIeomPjUr87H3SISI1rMY3PeJMsueViVX3Pl4YS6NC+YSLyDj5pSTacLPf7KFY1A9IERbSHLTpGaAdRH6k7QjYUdRP9IPubjZGZrUdFqpaqFdPIMZ1WzGQxTwqQb8dtctW9LoqUksyr8Wa6kdnPHwvDoUmi9ePqwZAlGpwu8HoDTcOwkJidwUCIt81W+qAR3jhujLsPK1LzS2TL2vIxZ3HLBHnOln08spMobW09WE4200nL/b/jjxHSfwPwMSGqqre3M6JBNIyTce5uRWUl5bonlMtls9J86cz+azeu3t6aYMDQYN8ThkJD6SsBuJqWu4pJFaJxUcXONQxMy2bZvplmlxgpX1vBl0uraVq4lCSrC62yQYF5a51vG0TQuvLJyXkbnH/XH806ezGO5AiXsC1k7Hf6YApyuapRlUEc7Bd0pVXIWBU1u/sktXlWQfMzRq0GHMh6qrdixt8b/yli3XP7M/Df9dofo2myXGMiDRSmauLwnBHitBUZoXN2dMBR3/cdXkNN2bxZ0J6NrX3inrnZmJqKbYA0AZ91FRciqAaNz6RQ2tIk5BlZSiVNAhR8zmb2uKbOpi1rWP+itAfYWh4DwhPKvWVTUNaXQx+s+q2oysjS+ZKiAxrPhyYMR2zLw4cVhHdgnErbXvPQ04uyP8kLZ1tRP/kxhw4anFn9ljb09Ky51J8XN6Xxjo3/uXHHLM7DZmDMUzko9xyY/e8S/Th+GtEIfCU8o7QW5T8+2OBfnKA3/pGsivlOJyTXrEv8TLBgdaRL0oBh7w0hgovHTsei8tAkMa6namxlQ63vgzw4c3LQ7aPWgalnnMc/cZMdU0V/s0dG7Bx+NRkFzuhab8zIe19oERWwW/lUjRRtKNteXtaT3Qx1u1gCi5gebRIs6xODCp4u02swYPRArVYLfDl9ZzMNTtFMrTBrppoEtuwomeVFF5EXHZqKCnN77/iNRc9RUdulm7n6iaAxeSFJKBil5wKb2jTjab1ai8VKJcNoBAqq5INWr3KWKdJFJzV58mcfSHNLfSZ2QDxlCzZUvaqpI2e4McpOzHv+OEvoxqgRt+0ioF1M1mZ0s7aBd6T+wpYU+UMhph6tDbB7vb+wi6cg2fP8fhk2t4T2PFpZU685M4A5uEBkzO1/La/Sk2d2FlTvKMX4Qne4/mi9eSEEAl7ZqcCIVhYLaAuvjAlXAVATHzQRLVFSb9LcX496ZlBsyIfFdnllCbSrMRODZdLBfgHpXee2IhMQVcSBfYv7wYE0XLi917s9i6vvWzi1EhChg6cG0dvZ6sZ7Et+Q/MRaLgGU/TIm5xZSHb7b1DkKcpeiTdp/nx9E9Onodx4ZAntsm9d7KI38JjHKRNbBY52tXdaCRsGFdCSU2wzlazqyjcG8m8j5sVu9a2kKI1b/Y0OQOwZeleXthohhlZE64lKKZroHztCQ/mkwwzg1z2HZfp8Q2LjPy9YOrjhfmzqmhbN/3ZhVAPXhw8X8fX8NzOJnWmAuvBchdE57bpzl/fCjt5A9MDZ+nFARnEL1aDHZ5azQ7nARcePk7nATNPV2MGaB26JMxrt+w0Ba1AMXI2l1NYmE1RI2kG1bRD8GnMXnC1AodeR5YktX2g8FZj57/8ZNSyEfLS/nN/TKUE9HjbDaxc2KxbkF1VJW6jYGmp+Lz8NS8qrxospsHfe+UcKPP8cg+/d8ixw+5ilaOELT7ubxp0jkSGGeDpDDwovwPyLTZTcdsWmmVgiOQlGhW4GHDVMwoVGAhOq5ulYDivZRAK0wY9zfdb6m4G1KeqM23emKiHdDw9x7H7leTAAWMjY0CGIDl6HM8rxjjyFkLPJ0h0jvorxKjoVaEu8hmQquuLZN3yJ9iRlfmEyzGK9ZJtCmnWJN8PtdRUmfm04XEfWynpYeUubMZLtWTKWHLvECw9TD6U6yyRdYv7GrHJjT5GdSLbdwB6efZZFlYtpNw5UNidZMCS9SN7oZPyat8e0JPfHbQuRferR+iB9u2l7ba6pppqzwzeHedJsb+gAloo3k+QbNf5lMFy41BT+9EePOAITdab0NBeZePwc09WuKM31vP2ASbuEH0v7uLWZn044FxNPjKPvdfaCERad5I0MpyJwjYFqPKSGacMItIDhU3n7Qqn8XOL/jhK+ECFGa3sssuTrGPGMGXXEQ9Pnian+POTptoKlN7/S9wMKSczUSTJz/Jc+iNgN3UrLGcT+RJdAzTG9y8Bpesy6mzpbm6bPQgodPZIA2Pk0wAHxwMQAIkjo2AKCejh8AwGA7+O0ikH3wHQBM9CZyCpO0fIBvx5GC/yZsy1hJAQA4V/8oAD29XwBQgzFEtsPnQCqvKJohkPDoeTP0sX/eTzDM20YxAgoGDgEJDToMmLBgw4ELDz4UAoSIECNBigw5il9tGEExnCApmmE5XhAlWVE13TAt23E9PwijOEmzvCirumm7fhineVm3/XA8nS/X2/3xfL0/398fSI+qNYGafhKnzUar0+v2B6PheG19c2NrZ/tg//Do/gOAfFZJQfoEOuVq/k+cmgJl2gEwnViTNJGa1HAAQPsAyFJ4AAwYtEjyYve7INu8/ADAYsVawoRY0Pt8yJd8zafU2w2Af6MDoP9RYwdenpPP+RayRJUi1SrUqlOvRpNmADRaZrkO7/TLeHkZm4AEmpsJGRd/aGcAEMcHhgIAWBQZsNYmg3HpH0xF+QvLz+VO3/l0L1dmMlPZm+N5OH9CJhrGHIuscJdfcWRHuL7x/xmglqmVaiO1Rm2ndldvZsJQY4QTc/77t+N//58YxlHTZ431ttgbtwTn17mIsU/d7Za3GtXQ9g504wOhbDTimSZQTc/t5/nPYv1JLYwuxj8F5bVZt7pv3a6v6xDczd+1tbpW1tI+wnEOhd8nJHVsypGjYytG4dFrpB4+pkvn2+Uvyuh6J4ZvdFwnyhff+h7rFwVSVTqJAgUUKKJApc7sBQXG1c3dm8VHn1FQqJgRjmJQLDcnMwdOKrWG8/tWf0n7p9uKzJWrsmbz9RLWJn51K8qqbtputz8cr641noylfxqdwWSxOf/vH3+TUn9ESv//94jEkk/1aWhqaevo6ukbGBoZWzOxbsOmLdt27Nqz78ChI7ccO3H7Wemiu+6BEIygGE6QFM2wHC+Ikqyomm6xBnfsDqd5Bt3Pg2PD3KPyMI+Onyd5egyYCT3L84zkRV7mVV7nTd7mXRSwETAtn2Oh67fwiNieE/cjnNIMAQL4+Dhk889zj38AmRfi8neu9fzNePf5FPA37Z+NlqdQqxmG2RAgfT6UeyabsyZtz1LhFeEjCZgBfZVevMDL8WzGAEBOs51NrLvMP3SQkh50J+GGArKZ8gMBjasI5BubL3vXdnZyAIDvCb0NOBWjl82sddszGZN+i7skhnwCEwMD7+IhZVH7jMJr6GMq5ppwGppaGMEwAb9+4rz2+EJkZtQZEraApDTWReP2R/S9nFu3CGun6CiitaQloo/J7nWOXZiEXh2jopChgDsG++RbYne9+tkv2Kmxxn01Doq7VSh/EfsNOzdoxmQ+X61fsX1HyjCk42d2ZP9fECD45tN6nShLQt8SZ4TuVoFWYee04lyZxQC8kiCpI/AmDSwPwjz5W0/gB5yZgM9KHE9SDQvUH/p3SDqIvmm6rgbXf0lqx2g3drn4/YTaybMgLNdAzrWE4sDE9zupq6gM6I2blFThVoLRJUR3kGP7+ZA9WvXwYQGoJpnTNhk05gTxcLyHUQWxEMdgkkgkRyDXmGGCYQFet2jvGFo7XrZ7iAQzzcArDqepxGAFBVw3YzaHprhh7bDCvA+g53Mk5HbW4pSJUSd+BTDug+suxPBKg54u+RKaH4F/YBzE97HNMAEwv2OmcDNFDwJCjIQ8IWZCnK/8Kt0Ibo3i/OZs7w+M76vP7T2EAscLqWJfcCMSnv1LHG857uwv5DjN8Qors1X7bhuTz87wik2OQCpMdYNvxL5bquIwK+6TiVKPbBL3OH7h9Rb/3oqJagkQghHv0B7bLBjlHljo2I65fMtl7Dlvx0JotXkSr1/acoVwidDYcmaksjZSjgtwGWqQiM77iXGBPZuW3YzaXRHdGqZ2oqkE6ySn8sLG+yauHAeSeLqOAm6EBRWzmCiuxgFvbzht8SruT26xOwk3eCxb6v54fiHznH/yOhzYyaXxdScuTxcTpAcH467LwvxEK2M7+w/Ly8jYWDa5DMZrXwzelRoIUlfxb4CetniasVNW8J4pcrjWgEN7XGoUdhGZuoLrBBj+Cs8Lka7CPXChvy3H+zmI7Tc8d1KpmMUtqwkeU308ue8N4d3XYO4Aaf+62QPQKfQuE/oenB7O0BeYuzE9gmgDui24Lsb3P3WvT5FuIawKM2qnK0ZVSmrHyEsifbuPH2/0Gde/f69kOlu/AkVIuX9hOX4YMIrjhZbuDV/C3Y6b1gOKLDRcn8PSapQf9q0wVEYpPQE8ZBzpa+ojxc8DKyy2mSAABb/LhXGBNL1m3hHKydyX7hJFA3w/Eo529nz2LaXP9xHNB2SeZC/ajTXEqPXamyOmz7GiASgmwEKByENh5Omcx0Qg4u5HMA+VOgIJiqtns8d1B6F/sAcB5jXvwliy8CqRH4e2j0JLg/jZ0b8+Fwp7EeEZwDAkw+s85zrSAGQHcYi6lYFMxdFR/B63tdMod2Gu7ejTiO47ycPXKq+vQxlhEwTC4obFfvg/l1NnIs+2Bm/PhLVdMFUE3Vr4hgJW5+FxQiMfHnfcje0XXe0apeCGA1nWZHPo3Npf0fJi4jB4mnHKoGJ3InmPT/B8ddJ32xftb9UY4QHCwUcAoDT/N46ML7AvgmCVAhgMQShD0PKP5VgexcAwOCxlOAw6GYEj68pIhCDAoEU/MDq+wRgDmYEGM5rIWLRnwdZsZHEAArTRAAClZyEkdC66icGwO8kQou56DYpodBmGcrwlDtF4RpDZ2YzEcoYZDcsNY3RKH1vGwHHbIZkUfcZYWr6kD9m8svO/jVCv+dDs4tveUJ29kdsblexxWt/fbLTC/dG/XNZj8K/eadcz9tqJb4uUrT3t/yOpic9MnM3sAvRqUup243FfKT0MKOc+VMVHasvt2TUKIeqNECoWdF735WA8cqSRnZSgt74lse54Tu8shUjoPJmmQ81IjFGfIeZrjGFCidYcCQbl3RrJcRjhcYI1AYczHSLabJvWuq4PehMSXDI42U+xoLrGOgPh/ihbOMGFdQezf0tcfIqDAT5jmcBLvQAFFvT5VuZy7pIYaFzy7zqMUlT2QiIiTkhJf+BEUHOaNLchX9LGhTdILfMM8WGAjERslyaOObp19wMe3xvT5+e4L1yG94Vn1vtJ6E3BzqT0x/iQOGNgrggGEnmWJVLrza95BFYFdZr0pqn4xxnAz7ZPOrvxu9ln9GCHuHCq4qq2L77Vp8JuQPrgG8R7iwRQrDcvyLhL2T1n5FNGYDi1WhnLFfWeY4GC7lB0PGKUoMbrzuuEsy8uljTmTmNQAmvoaLLZQOmok1jKn+jxKpDVzuCgR3FYa2Y1qrBICINYO3L1m0h4Nbwz8Pagv0tjAAAA") format("woff2");} @font-face {font-family: "Cascadia";src: url("data:application/font-woff;charset=utf-8;base64,d09GRgABAAAAAVMcABEAAAADQeQHdzXDAAAAAAAAAAAAAAAAAAAAAAAAAABHREVGAAABgAAAATAAAAG8nuKcikdQT1MAAAKwAAAHlwAAFlLMTxXFR1NVQgAACkgAACXhAABRIFkPGxpPUy8yAAAwLAAAAF4AAABgbEt/gWNtYXAAADCMAAAKPgAADSZvLoOeY3Z0IAAAOswAAADjAAABFlZAOwxmcGdtAAA7sAAACBUAAA+DV4sPEGdhc3AAAEPIAAAAEAAAABAAOwAmZ2x5ZgAAQ9gAAMcWAAH9uFaLzNxoZWFkAAEK8AAAADYAAAA2EapGVWhoZWEAAQsoAAAAIQAAACQABASPaG10eAABC0wAAAUuAAAYLrBaWdJsb2NhAAEQfAAADBoAAAwaQSrAaW1heHAAARyYAAAAIAAAACAJshCbbmFtZQABHLgAAAfUAAAZ3FI4deJwb3N0AAEkjAAALIQAAHpUjVe9UXByZXAAAVEQAAACCgAAArOJYnqCeJwd0c9Hw3Ecx/H36/3Z99uatl1SikmZlNGtJDPrh5126Jj6L6JDt0liIh2SDunepVNGTDqMItEhSWmmS4cOnWaHRE99+Dx8Dm9eH6+3ydwy9n90xnvJZIvcZdvDul1iw96wrYRJsZKYUhqzGsWc5nFBK1jRJm5pG2uq4Y52cFe7WNc+HugQj3SMJzrFM5Klc11gQ1fYVBOvdYMttfBWd3ivB3zUE77oBV/F3/SuNnbUwS99Y1dd7KmHP/rBX3eTRx5h0lOY9gwO+TCO+hiO+wTmPY+TPolTPo0FL+CMz+Csz2HRi1jyEpa9jBWvYNWruOpruO4bpuCBxNAX6C0MBHoL2ZDFwUBuyAVyo+fo00LUjWUhDnECk3G/BVoXi0myl8DMhxkzZun/mZE/IhM7bnicvVh9bFRFEJ/Zd+9aa+m9d9doRT4qIQ0KNg1BQxpCEJpqtFRSiLmgNopVtBykQb0gElMbbcrZACEVEZv6RQgQbNAYCgQJKn5ElKAhiICkIYhGDRqjaBDQ2dl5r3dbyBX+4DY7v5nZ2dl9s7N7+x4gABRBIywBp6a2bg6UPvLM4hSUpR5+ahGMg9updSKo6Xc2lMPE2Q3TicIYcGfcMaccxsy8t45ofV0N0Vl19xBtuHcmUYD//gNFPRHUwocXL4CShQsWLoBS1gBTaoFo6WMQYamQajH1i+A6NYFaHPeQ+yOA+1cUIR51ohEYTdqpZHUH2c+AdsLl8D68CNvgKLwLxzEC32IUC+ECFuEwRIzhcHRxJE5GH6uxBm/FWlxM0tP4DD6KrVSasY3KAnyBSgqX40u4EFfgKmzBLlyDT+JafA3T2ENlKW7CXnwWt+EOfB53UXkRd+MebMe9VJbjZ/g5ZnAffoWdeAAP4ko8TKULj+BRfBm/x+P4CvZTeRV/wd9wHf5F5XX8m8ob+C+VN/G8UviWcpWLG1WhKsJNapgqwS3qOnU99qrhajRuVTepMbhNjVVjcbuqUBW4Q41TN+NONV6Nx12qUlXiB+o2dTvuVlPUFNyjpqqp+KGapqbhR6pW1eLHqk7V4V41SyXxEzVX3Y/7HeW4eMApcArxoFPsDMNDTsyJ4WGn1Lkev3NGOqPxe7gJILGUaivVdqqbqXZSXW3VHsG1zCOtkYpvl9oMDug+W4dQ14c8+j0yHvHqZGQs0X1QhP2JUQDxCr87xBWXiW2XifZ4+bDLQtHH5hGWDGCcdkR8OID/DdXDAxhTllwoWCKo+9yVhaW5sp+husrvDjBWLlghOOHyMPQzMVceMp4hPEfPSs8Vp2eJTRacKlhjMGy/26CJWxa2ZcsXWX97vZZd2fr5xWac2Kys8UoGMHafvyb2wNBx0HME2HEJ/SD015j5Ca4QbLtMtP1cZTR5T1XyPsCgXcv+caPXGHs8V9bxyMEOS24bbBcvz8IOSw4xT3yvVpy6bP0l8qFtqHlzhfb58nWZweB8GpynWfHX+qicf4sEjwg+ZclLLTnAU4KtltxuyQF2yn4Oxu235NWWvFawJ1efADN/75icB+tN/vqfUv2S5H8MekUGA70XkfbNoj/p/+z/noWj5DzdKrhNzsmxIn8uuMuSP7JkQf8WkfeLPCrXXzjeQatdMFFG+BDNO011mVkvfzHN/4hgv+Apg2H7rwb9OZIPgrE/DOqfP1fiMpfG/0fwgkGOE6FfbzCw53hqvfTzvNz2UH8d2dJt0xshOI5qZRZO8qrZ3xAxWO+EnP9+lSUvyZVDBP99yped3jGDiWbBRtFPs+TaXDlAv1dk8ZdosmR7nHx2dSKnh+bHazD7NszjJOHvJi5eo9kHGhNNgqL3p5h+XpNgs/gJ9C2WLHnmtXkd3or8mCj2n/NfoHyoMuh1CW4X3G0wtFuSK9v989l56wTfsPQbLHkLzfE9kwd6/+h84X20XXC36JcYDPLLp7cqP0XtewW/EDxgMGw/lCv7j+XK9vmk14XlE4I/yTqeFvmsrPOfsg5nB/YpacJ7VXgvvcR9LjjXIdgvee4t9j03+N/148ZHdj/Ok+A+HA3uBxe/nw3tfyv7f9TMJxxXznl/j0SgTNA+P+V8TUikQmwSLJZ+VUG77OdPc/8XwnW01i/YF6HddOB7fHjeyfkYzDMYL+wfnL9yLgbneSJtzUfyJzi/B+2PcD8E51puHO28uPQ9NSvuJfnzIuc+Zq3fQH4MjGfHwd+Y+5zZ68T20u6/ZduL3Guta5afi4036L0tWLes/Ob1DP7vrfcfOy72fThfXOg9+MOCKk2jB5mfTLSCNRVuJ9F0dL+mrEmzTZpt+ljfx/o+1vdpvVOseYxw3xT7b2W+ii1rog2aFhxl+gPZbyrYQHRjgX4vr3VPaL3bzZaNbNNM3sqi5cR3cGuKPaTcd6jX19z3APdNuaeJNhsb40HbkJ8HmNet03Urxgv023+G/WTYJsOtGbbM6L5Oif5C4JRovVN8gUbHIp5DjX4iPOseI/0eph/wHHbxHDayh3n8dWGEptjLEUjzWGluTfNYJ7U3PMetSbcJMFLJvVaypp5n1cP29fws9RyNB9nmQbHRfmbx885n//NZ84RodN8k6+9jTSbawn5aeCYt3EoUJ4BLfFyvkVPMK5Vh2mrizCOm2Nsi9lNvxmJ9mmmFoTyrThNhHRnVY+bJdD5H9V3mR+h4kh/yGXmI+1abKJl803ykW/ORyVBEmuE8bhlbztV8xGM+ya2tzGcMNfnMft5mfp6mTo+OdqTbrAvru9imi/k+5veZXGVaZTKW+dlmjYhGwQOkMUG+MCLUwGn5wniCvzACDOMvjDeQ1iUt7Vu33+2Ha9wz7hkocs+65+FasnAgBjeSH3qHAXpvAXpXAR0tPXq7VVcLdgq/fgh1bRbfw0hZYOLHdDzTuIki0xqm9Yby01ebVuI9etYxMA4qYRJUwzSohTpogCQ0QhM0Qwuk2U6v0XjOk2rOkHkmAzknk8K/w3wj8zqrk3ySJPn0SPL5kORTJVmQYj8t/wM5o4LrAHicnXwNfJRHtffM7LNLSDYfJJuQQliSTcjH7uZrs0k2JIQkTSmlKfJiLi9yESmkiEhTDBQpRhoRub2YxogVESlFSilSihQRMUXESGmkiBgxUqQRKSIiIiJWRKT3PzNnn90ky2vv+3t+Z/Z5zs7M+c+ZM2fOmf1gnDEWzVssrcxSP6mhkTnmP9WymKUufnRZM1vCVuHdlUzUPTg9nSV8eHpdOvMz9v77LB58zgSzMINZmY3FsjjwEtgIlsiSmCNCHfuQOi5mvb+2MZ3VP/KhhnS2cGpDfTprn9bwcDrbO/1Dj6Sz06qXuAG9/Hs5wz5AnagPUGf4B6gT/QHqxAypk/zoo4uXsbb5snxm/qNLH+Od8+c/voRvaGp+4nG+ZUHLo/P59sVPzF/M96hyvyq7VHlElcdUeUKVvc1PPt7CzzzR0tTM+5d+onkBv7R0aZGPX126tLiC31j65Lyl/NbSJ5cs5XdXPtbyhDCATiiEjK3GnU2NIoEls1SWxsZiVrJZHvOyIlbCylgFq2ITWR17gE1mD7MPsensP9hM9p/sY2wee4x9nH2CLWbSTpayJ9kKWMpnWRv7PFvL1rF21sHWs+fY19g32AtsG9vBvsVeZXvZPvZd9j32ffY6+wE7wrrZUfYm+wl7i/2U/Yz9nP2C/ZL9ip1l51g/O88usN+x37M/sKvsGrvO/sr+xv7O/sH+ye5yxgU3uI1H8Whu53E8gSfxZD6S38dH8zF8LM/gWTyb53I3z+eFvJj7eRkP8Eo+gU/ktbyeP8gf4g/zR/g0/mGpC94itcJn8I+op0+gtPBF/JN8sXpuUuVcVc5R5cdU+VFVzlblfFUuVP08wT+lnhaocqkqn1TlY6r8uCqX8eXimpFqaxuW6BEeMSxr2AH12hPVUtwTtXZ4Ufn44VOHn59YJq/h16Ln5MyNXhITlbc1b2tMSsxaj4jZaE/zCHuBfX9hXWGdvTt2cmFd7KzYW8U9cdFxO4t78HogvrG4J35BglHck5CSsL80MeHYiKbK7hHLEx3FPYnZiUdR9iUtK1mT1JF0tzTRkeBoQ7k+ubo0sTQxuSH5EMqTKXhKmZZyBGXvyLry8SMbRx4tH4/X3tS6yu7UxtSjOXNT++6bdF/TfbvvOz5qqkeMmjvq1Khro8tGN44+W9wz+mpaS1rnmJTK7jG5YzaOOeDMLh/vDDh3VnY7u8a6K7vHVo3djfJw+qLK7sru9BXpR9L7M6ZmLM44J0eeccU1y7XCdbmuJlNkttTV4LUt8/r9q+5flXk3q7m4J6st6/qDPQ/2ZN0d1zy5atwz425l23CNyl6cvTK7I/tSDsuZnjM3pznnWM75XF9uQ+6W3IN50XlpeeuhyT1u5h7l7nRvc9+E7hM8yzwdnhteu3eOd4X3uPdi/uT8WflH8/sL6gpmF+wvOFnoh6anFR4oPFU0uWhW0ZGi3uKs4uriLui6zzfd1+Q777tdsrxkTcn6kosld/3z/K2lBjSZXtpSuqa0r/R6WWNZc9mRsrPlXuhvcvmm8t3ldwOpgUWBNYFzgfcqJlfMq9hfcXK8f/zU8VvHd1XaK7Mr90Mnp6pcVVVVHVU7J7AJoya0TGif0D/hVvWU6qbqQ9V9E3OhpfqJGyburRE1aTXLajpqztdcqxW1jbXNtcdqz9f5oLOpdVvr9t1v3O+8fwk0t/7+O/Up9W31m+pvPGB/YM4Dix9oe6D3gfMP3Jy0ZNK6SRcm3Xlw6oMLH+yCVvsmF0yumjztodyHJj0066GrD12dUveI/xH/lKNT1oIuPex4uOHhxQ+3P7y1wYbL0VDf4GooQjm9oRPXzobrjySifusjnY90Ko/D4XsF/MIk/jQ7wL7H29hB+IK17FnWxZ/mT/KlfDlv45/mK7BGH+Yr+VP8R7yb/1gkC4swhFXYxDARJYaLaBEj7CJWxIl4kSBGiESRJByiRSwVy8STYrn4tFghnhIrxWeMdlu0cVxcsP7N+p7179Z/WG9b/2m9Y/2X9a71fRuzcZvNNhyoJoHS2Cw2lz0Kr7gG3msfPFQfewc+xQl/UsPr+BT+GF/Cn+Ff4c/zN/gx/iY/zk/yn/FT/Oe8l/+C/5K/zc/xC/xdfpFf4r/nN0Sr+KxYJZ4WbeJzYrX4vFgjviB2W0qNmcZb1j7rr6xnrGetv7aes75j7bf+xnre+lvruzarLQo7h9YUFykskzXA685hC1kLa4WmOtkmtp3tgd6OYoc8Cx95ld2CL0zkqUCaBY9Xz6fyRj6HdwLZJX6D3+J3RQK80ipbNLOKj4uF0FOrWMsM8Qno67Piv3C3CHpbJZ7B3Sehv6fFf+NuMfTYJtbh7nHo83Pii7hrhl5Xi3bcPQH9fl48i7sl0PMa0YG7T4nPYIRfgpRfiNPit+IiJA4Tb4uz4nfiz8aLxh48C/EblBZxXlzHqyF+JS6Jvyhkl8UfxN+MvfKef4a3ip+LG7i3iU7xR/EPcdt4U7bmnxVX0cefVE/XZGk8i9Iu3hDHRK/xReObxsvGLuMV49vGj4yfKAk3xT/FHVXzgHw2vmpsMA7iLlWcEb8W58QF8a74vfireE/83eg01hsbja8bm4xvGFuN7cZOo8t43eg23jJOosVY8ab4iTgu3hFXxC3jS8aXja8YzxlfMzYbzxtbjG3GS8YO41vGbuM147vG94zvG4eMHxg/NN4weowTNoH20eItcUL0iX7jBeNV47BxxPixGvlPjaPGMeOnCuPPVLkOZZToESfFKaPD2Gd8x9gv+dZbNgssI5PPFR8Vc8THxFzxqJgn5osm8ZhYIDaKTeIb4nnxgnhRvCReFt8Sr4hXxR7xmjhgGWbJsXgs+ZYCS4ml1viI0WR9G3s/AyVixx/PprEFsC/07qtXZPHV++prr8qdUFqjr4gZviJfUe2Z2jOKZ6mdLS/Ga49SNAEeE7WTarGWfDbw95hcXlvEePF1Joqv125UXEP3WnyWWYrPFp+tXa241pCPGNcNLXxJzn8kjLVViizFW+UVxFiby4zidn1pyTUH5QU5KwjjMImxZlvNNvDmaQJXrjhe047nBmBsQCm5w3WvNb2QUyYv6sHEWFzEMKvGfoVxGCK7XERL07FSVyHukT1uUGSZiBAKEgllzWpmVF+tvgo/3aF4YsLyqungNzNL9ZnqMzUrNfaJd+QFfhNhj5F1J16aeInx6t3gTzW5fOIp8DYwUb2hJqC4dpKVgj7bqttqXFTXxO5ADWA/RBqOgH7iGUWWsrSK7IrsIPqJR5lRFlWRKC+Nvupg5XPg72WW0puBu4G7hL5aXowHLhP6OIU+d2IueL2awI1XkhIZL93HROBQ4JBZV8qaiT43B3YEdhA3tINo9N8Geg5f8rx4zVIQ2VLK4xRZyuPkFRxF2W2M4ra+NN7qDnnhnUuEd4TEW72iegV4pzSBmyj7rIbVlHUxUdaFUnKTqNft0NZ2eSmuw8TLy9be/ZXCZ0Wk7UIONZnNVj2tVCSqV1a3BbFVLwSahdXN1c1kHTcn3AR3NuFKke0mnAenDjTZ5MmWBeipoNqveCND2nJOgZ2KsJnOZgE2BQiWYKdDb5WXFInKS5WXgigqTzNL5Wl5KQ6vhS1XYk3KCM2sgzmv3Fu5t3YNIZ0yYQq4WwjpfQopVk3lOk3gjaKWy9HTcpSSNzqkp8pZ2Ikj6Cl/ryKRv7fyQFB6/hZmyd9Sub1yO9nhiaoT6GE9SR8j21Vh7edjBitXmTzZsgk9NVUuUjxnSE/pF+BzOsN8ThYyoMlKTxKDV5HI91adNjFgPPmjqrqrtE54FWY+Hz3lR1XtJVRlVdBAVVAn6aoWVqP3Al7XmTy86z3JhPdkldZJRhiqg0D15UGopiAiaFH2fUCRKD9QbmqmHHZYvl1eGkNFSvkNcNej1vry9ZpXuQXzxMtXEa5MZQfAU75IE3hZ1NsMtJuBUvLGheaqfDyruQcmlyJR7hofZWJKAKaEivcq3tPyA6vL52Bd3MUqultxkTBFV2I9V5wiTDmyr/HvoVYfuIdMnlxpsMSy7oqdipcb0pVrhfTI4tcDLL0BuepyZKToraJZkSh7pqI5iKwCFla2vGJ2xWyNovxy2VFwsWbKmlAq7zD+RPnpMthgRRm401CqmuNnjZ8FXjrhdSu82P3KssG1mzy8G7iFdokoJc8TwpvRo3aQjffCGzisSAQOoyS8gd3MEtgtL8IbKIOnCWxCrU0oNd608qwyWXctuGtRajvYVbELvCWEN19pBOs6MFsTeAUkYzLaTQ5o71IYmvOAly+5J9ZERSKQWLHfxIrXAKvYVqF3P1HWXroQtnANqK9VdGqsFUvKVpQ2gnsW3LMVrWQfcifhFQsIa7GScAW15CxMN3nSsjaj3eaKasXzhUUQqUq3m++Ft3yeIlFYhTJopdOYpdBdPg2vCkXpOT88SHk1aqWiVHgDR0p7/Fjn5W5wDZQa79QA9uNyB+H1K7zjGS84C26IJ20X8WvBMZSSVxpmu5cU3q/fC2/ZPkUi0BhoNPexrcBTJy/C6/XL3aYDtYoCRYQ3oTS1BDtIGfaZQFogjaxmSznWf8BGeMuVRuT6v6EJvADJqELt/vJ+qmfizTyo8G65J16hSJRvLN8YxFt6HV5grbw0Cn9ryUxw+1FrWfkyjbd8rn9hCWLQ0uPgzi2fS5ZzrewakE0hvOOVBKnbMk3gVZKMdul5yl1Uz8Sbe1bhfeFeeEunKxLj96MM4q3BWtpWWoNXhaLkhA8+pxT77PhOlApv2d6Sgz5EQKWjwG1FqfFWl8EiSw3CO0HhdcM/QIr/usnDu/5zaFeNUvKqQ3j9ZxTerffC621VJPzb/GZs6V3ELP5OeRHetGL4HO9M1FrlX0V4WUlU8UVw68Fd5F9EltNRiujH30h4a5RGEJ34azSBV0sybGjn9XupXmifyla+99174fWcUCQ8J3wiiNfTxSyeruLryA0UCt/iYvgcz07U2lncr/GWTvPNLEZM43kO3OeKj5Pl9PthkcX7Ce/9UoL/OGph70JGEORJGdi/PDOQEUhefVgMKTPI36oIUiBzej5S3OE/r0iUVKMkzP6TzFLi9Z/Eq0bSCK1x/yFCMkm1g15KkAP5d5o82RIj8N1AKXkPhmmuWc30SxERzFEk/HN8h0wEDZjlBt8u3y6a5d4SRNO+jYTgIdmuBDuHH/uQb43Jky3hn/2JviWKNyWEYCx8krGTYowoxJO5WDkN2M9lhLhR9denSJT0oSQcJUehiaPyUhxeDI9SAg9Vsg+l4hQgByzZCs5WlIqTvQkc+KeSjhLKfkocJdi/SloJfYOSJntfqAm8R0heI2o3opS8qaFdqSTAWyPprsSlSJS4vE0mZsQhJQne6d7pZHEbfNgBvTUkfZps50M26sNe4/WaPJkBY/S+Pm+q4v2fsD08Drp7mXQ3CIFvqyLhueDbGkTg64DNn/J1+Gj8PocP4/cFx/9h1U7aLfZq30KTJ1ti/J4NPj3+xjD7aVf2sy0SAs9cRcLn9DnNVTcV2b1dXhpB8fri9Zi924RghppLRMzFlzSB93+ppQO1e4t7qV4IQbRa+8cjIXD3KxLu/uLNQQTuE8ziPlG8rngdIUgoTgjL0j8i2xUh93Uj8ytuMnmyJaJY9/riaYo3K8yCn1EI3oyIYLYi4Z7tnm0imAIEU+SlERR1FMH/uQOEQLUrgv9zZ2kC76PUMgE9JaCUvDkhK8y7yZIjSc/rVySKOos6g9LzMP6iVfIi6QlF6K9oMUmfK9sVYvxFMzWB9yi1xPiL6ovqqV4oejitxn8iEoKiOEWiyFHkCCJA75YiIS+NoLCjEOMvvE4I5isEGH/hOU3gNVFLxN6FPYU9VC80A/XKCo9FQlDYrkgUri80YwH0bilsK1xbSLFAob0QMXPhMkKwQPkP7F6FmOXCuSZPtqxB7UmFDcQbcCpgvGGL1qcC+qxLobHgnXQVf4mCHQWwqcI4krJQSYH1e2HnBbdNHlORm/D2Flwi3uCzh9fo7OFFKSdyxliwQZFw3nbeDo66ABm387K8TA5yJmefs6+AbKHAKDAYdwZP1RbJnvIRMTj3agLvk9QygL43OzdTvVC+v1HNxHcizUSBUCScCwrM0xD0bnE25t/Jv6MR5K/OhwfMv0IIHlcIkDk5C/DaZ/JkS2SezlH53cQbOBPfDZ8Jo2nwTOSn5aehhzUk5QklBesoHXFN/hKTJ6VMg4dZmD+beINn4nskZdiQmTAz0ny7IuFZ7lkeHLX3Nvxwk7z0qPOu5yJC8V5Greke2h28K7wr4PWqCeOnVNwFf+RxawKvhXrbjXYpnhSqF5qLJuwOr98re/cuUwTf6G0zcc2TvtHb7KXzn7yZuYh+vNCBu8tLOarnvAeRiXcy4VoWjK/c0pL9Jk/2Bo/tXuVNJ95g3f2AdOe5t+48pxQJ93jPKXMHOQyMuZ7DHp2Vitz9OZ3gQgfuFA/lpZ4qTxV4wahkueoLuXoe4njPGpMne1uCUZ716Dn/dAjjmFxlx4cj7mvjFYmsZzyTTFS5zJK13OP3+DUCd5e7C1wXIXhK7QVY/VnYPTxxJk/6dGSkWVXu28QbrKXdtNZfM7U0eIfZrUhk3s40V7p7E7NkXpYXofG6EU9k9hGaz6h2iCYyuzWB10otsV9n7sncQ/VMNGnXYUuvRI403G5FInOF220iSAWCBe5UvGpL2pWHmMIdzPlWqd0JPioT0WreDZPH9H6V6c3TOd/TYQh0pPpqxH1upyKRtzM3MYgAvVvyNuQinCQEuXmwgJxrhOBzqh2inzzMfc5ZkydbYr/Om51zTPFWhxCMhj0b3ZF1kJetSORlu5aZCBxA4HDNc80jS92RCwtwTSME6vwzF6smF1bpqjJ5eFfmi7lnXfp06QthCBYBwY/+X7Fy7hZFIndL7pYgjtx2Zsltl5fJwf6XuzJ3ZXaLycHOk7swd2HmapODWCx3Ru6M0eQLci7nXAa3ntD/l5SWcxqcIk3gPUMt0yA/DaXk/XcoSsFwvjrYE+esz4EGcoLx3xdVr4j/XDfxesnk4V3Mh3Cdz+kl3uB18n3yJjn3Wic5axQJz7QcMxbKgZfxVOesyqH9L8fIwf6XE4yFnlVZA/Y/D9ZKzkyTJ1ti//MYOfXEG4ymh1bty/dC47yhSDhvoCQ0zvPYC8/LS6PJXp69HNyThOZLCs08cLo0gddJLXegpx1O/VnFl0Mad6672xdR+jJFInuay4xKnfD92dWuKS6KSsfdGocIyBWMSr8i241D7p4NXbiyTJ5sCV+ZbbgSiDdIF/yzpIuXxLfEgUhoXE2KhKtp3JUgGtd0ZnFNH3dm3BlCs2gcooxxxwjNVxUaZAEu+LVx+0yebJmKnlLHbVG8DWFodJ4gYwjk3JFnJeOsIpFxFiUhyehhloweeWkkWeezsP9lHCAkatVlYf/L2KYJvK9TS+SaGR0oJW9TaFYyWlhVJOlj7ygSY++MvROUPvYKs4y9Ii+SPi8LFjD2DEnfrKQjHx17VBN4z1PLvehp71gdtW0JSR/7HH8iknRax8J10nXS9AFOzMIheWnpmRczYQGuXSR9q2yXiT3atUETeN+k9XERPa12raZ6oVxhlZqFv0dcoXsUiZw9KIMrFCPM2SwvQjAvE+PPWUcIXlQIMP6c5ZrA204t56GneTn6U9aXQuPPmYScNoL0zCpFIqkHJUnPdDNL0oFMdyadtLouujD+zFSS/rKyXow/CRFIpmHypBViv0xqdenTtp0DrVD8k05+DlBkOggJ9mJJAtQaRKJi8UXq0khmuWQGOpOQ7FJI5DdJ6okYe4VaYk5B2kPvDumBOcI+f+LMZmB/Vt80k4gMFod3C/RZnMr1NAXRICIE6ZNqnnESnBpCsodqFBAx9u0BMovDZfLXpEzjIxFk0jjSa0yZfkTiRelFJBOjT08nma9RjUTw4oiDfi1hJ9xS7+p7FNA7Is7SoRIzFpkUXPmzsH5noVQS07H7ZQTPgL9DNQKacL8/bH07efhqTxC/Giot/Y4mVh+Uln4VKP3MT9KQ/yIW1tIOUI3jeoyKI/U2c7B3M46r8ZXgnaES12lyXjMlrsSu0e/sJ4lRYXvNQaoBCc5DxBmoy7dMXZZEkOUkyjJlxWH2HOn6DICPRd6YHjyf7iJ/dRV0gzgDZZ0gWfmRZI3dpynVjH7HbmMi9UrqFZIFy089S7IOUY028HqIY8qy90HWT8LyJRfzsTo2XZ0+8DFVJpGcMV7kCV6USo5c62PSFAXfR9Y3xu46r993wguk3SEch3WNtCuacP/DkMWknWIPhD11Wz4+dNRpezQ5zU/E0xD1Ofc56fTTiRzFuY2k/YhqwK84O4kzeF+8ojzSi5b8yKNPq9bkMuPrtAJ4IVy0HjFzaU71GnwfM55xIU1n+nwMvEtGL+H5sa4xGjOecYQ4oRj3isLzx6Fjjss2iWTEpTARl4JSy4D/iwtmGG/oGrE3NeH+WEinsWeZO+zpBN9h+uF0eMoajBr9xR7QJFYG5cUizhKLhPYQfATsNBa7niAPkQYJIugheqgFIi0RIM5Aq26nXWB32C4QLj2gyZJgSkecZVG3SjpmPxaxmLhO0ifj/jxJP65b2N8D7yRxBkp/lqTvIekDNG0/pGmUaV12ZJij9o0i6xp9Du8FresE1YBvGdVJnIGy1gd9RURZ0zSNvmXKqoEVXB59mWQhPxsdjHdOUg1Y2uhjxBko6ytBXxFZqzEXNDlOBKXF9DLhOOQwP+GI6cbz7hj6VsUo2LVjM0k/RTUQzzjWEceUPhy2aHwxLDuUUidhh0Yv8Z2aYhYHpcS3MREzO8aMvuOX4LmBJajeuNitZCOeiSkj2b1UD7Mck0WcwWv4pJrRVyKPPH6Vpmjz9C8eGXX0megz5vMcPPcgWlMjvw/Rf/RBkn6aasD/Re8gzmDpp5T0VyPNcXA3TzSCsuRuPuLmiJskqx32fJFk9YV28xG9xJE62TNQovg5WfBLeCd8vHWsUfaZnGoSyUxGy+SoZP29EJHSmozdzXFLkUZhw33wO1hndBvHaU24fzvkMRxdbGLY027LkkgIHBs0jTSjOMdaJkYuHqmtQCTfdmBkDszySG0HPBU56sigB/k1tZkOXoA4g3V+Tmlgk8UzwGvXQ746w3Y4NKWan344DOyN7anthGCFoxHRK/xjqokx6QJqLErR2Q4fCftPnUWI3qEa8Nmpk4ljIrLsUIjeiaSJpHZNqeZ3cpIQ3468NVJrXjiuJ8FnJC2GPFr1IxH/jAyeV/2G2kDmyKPEMeVGrVdy+4daXfQuTSPNk5DoTZDaMbKDZKSAgt9C+i3VWAHeYuIMjq6eU55l2KA9sh5rXJ2UJ7ebFLQ4jDK5NZm+V+KITrwE3mJFkmNJuZ50KxHWlTxLkUKVgtgkeRKhepf68WvC/cWQ3SWP4k+EPdnFbyLjctzUlLLBtAJkZylrU+jTj6SWxKnaylOWE66ZSXMTsdYd3eDpM2qejPg3JXh2dYn6QRyXUk0cU1tilNLW85HRwLsrciww/T0yFMcMxwyNJvHiCNiXPR019OmqJfl4Yq/c7eyI7R0UH0uNOdIJzWXyy0DoiCPO4JVyQa2U54esFEIVs8uk4D4AW4nZFLOJUE0dgYghZp0ijcqfWDUC/iVmhSKFygHrjAl+Z/YK9TNdE+7/GJqtmAC7P+zJbXl8qP06+jUlzDDn7SQTCZMSJpG0GXgvuD/8iWogw0vIIs7AnfFF8pebyH4H7Q+OJZoSzezfMRfjPpxofvvLgawvcY9DZyw86QzqBr9b+GeqgYwvsZ04A6VvN/OFfPNbGlnYBaSvatIn9EnXTAp6iX5YZ38SZSgy3ko6qUg9x0mfcViRerbJ9/co0gjLQEGEf6EeyRPh/kZI/0kt/KmwpybyYgNmI2maJvt6Ex3iFPtquz4x5YmI7+wtJO0m1UCcYp9LHFMffCb08U2KFAbGQgWaEs3vwiLSEYl9iX0kowkUPAN7j+wLWWTifuIMtvqfqhl/jfKmwbHQEU3C/FZFzF7UPiaOaWnigI51xAHSP9a42EHSb1ELRBTiOeIMlt6jpUeKCGLqNSWa38eJkRHBjRE3SBb8/4gLJOs21ZARwSniDJb1ExppfoR94IxJwX2gR0Y60bTHjYgLi3TuUI0dZqTzr5BlRLeHf7M6epUlwslF9CJNI8w8MHoWRmYfob/xwBOg0YRgHvg+1cD+nnCFOKEdtVWN7K2hMhIOEplrM2EnPMOeBLL8BPjuBLJ8zqnGWlA7cQbvbEfV2iyIlF8nNGiKM08q0LuI88eRJ47HjMTRSQW3UI1R4CUSZ6Af2Ete6EU6gR0gK/68ptCpCHoPOxWJl9/HCMqyUo09jE5FuPwNBzeahoxunx5dJDtEDKwo2sxbVRR8IfoC+Rh4iWjKW/mwsCj4CHEGjm6P6WMjjU5oEqOCstC7ENEimmRhhjh9EsLpFyBx0C6/TJyBsg6QRx0WdpYdFnPFPafJfteUtgb+6ppde1cR0xqN+DcO+amd/CtyZ24/QfJjqI30eF3EGSi/y/ToEcaKnFyTy5Rug9UkxunzAx67CRz6LTCP1TViEdvEXifOQFk/NE+AIsiK3aXJZmaQ6F3YLtsoloyFR7VRBsnjqQZ2bdsx4gyUtYvmMPi7jvCdapH+ZUcwN48NmBKRm8fmxuaaz6l4To0J5e7oPTYqytSG/Rbm4lYw37MMU94f828nn8dHUL1TmnCbGPI89gN8fdjTTuQBQ/eS5zQNM8/S7Zj/YVuG6WiY2xG7DOsgaQ6qMQ+8VuIM1MpBmoGcSDNgz9UUf9OUhfHHX4zX367nMYhK4k+TLPrFSAx2q/hu4gyU9SbNwMuRZFkOagr5CMvOcB8RUxPmI1KpxlrTR8jv0HHxypD9409M55KvRJA4SVOYxLJwidEnwyTSr0wsDlPiKCXx1SESr5HEV4dKFKc12czzAXEUbRpsDSRxNt6rIolpVGMbeG7iDMyU/xz0SuKlCLIWaooyowCB+CTqWBRFAcOxIqPo0y7upBqIrKK2E2fwuP6qx0WR9gBZ/I6mkCb5gFPv4WvCNJlONcxTb3CkJp8fNLrrNLrnI42OrzMpKHElIrCVfCVJRM98EUl0UY2ZmnCbGVplvJo9EvZUZHksgrQ0TVbznIPbYc83DTrnkDoz6JyDj9M1kCdwo5c4g3V5lWzkWxHOVPZqsponV2wrE9bd1t0kC/7JSidXnH67whCtWdcRZ6AW/0JafCGSFoPnN1HppixEa1EJUdq/8WGIxGVqr3rOY+b5zbBrxJHz9tKQ0d2k0R3433/mNEx++lVDEj1s0GdO3BuaKebgHWFPNhUpcktthHV+TpPVPBu0nIBGD5GGuQ3xr9KulEC/VrFg37FuIs7g8Z1h+rPmCCvBskRTmE+ZG74SbGGf//AiqlFtroQipdHXhkjs1RLxztB1ftek4Dq/Jn/HLK6RRPmb736S6KMaJzQx+bVoU4diH6sMe9puaYkgrVOTxfzmr2jD7hFnoc8DpM4UEtl3KdWYA7pKnNBpwmw1sgifoalzZpDVjILZIczXHitFwVZ4KWswCi6nGpBrbSfO4Djxa7TDRcgh/p09qk/egvZYMcQeQ78FkfbYPMAe31X2mBMpQ+NnNDHzVzccmQtshnJwhv2dH1SrUaOoD7OaKmqxwbSaKmU1mwaOW/zO3B1eiHR2zRs1CfM3frwetXeoTFBiSADHj/c3qF45fJW07y414xpJtekLuWgmzmDL/b32PpHWijrp7g1fK6w7fK1YpoaNusb0hcFR1yhUGweN+qL564sX/vezrc5dg7NdN2S2w052EDs+GPZks3xSofn/kbkwTOYDQ2ROGiCzfoDMJ5TMb0T+ZM8W0MTM3ynYEMvC4kybs6VKm7Ol0nz7ta8Iap+fCtP+ZN3CesnU/mQl+8VB2v9bMAsULw/VhHWHptB8WzeEzzefEyZxCtVYZkqcotaThw22sPeYjikjWJjVr4mb392zZiFKaOJ09smuqjWgJTZQDWRymHvNGSzrFsmK4EmMHpNIliF/ZXvQOEiy2sDZSbKmUo0NmnD7odDMGq1sethTs2X+AGnq10DqO+qaglY1AyhnsBkkTeqMTpu5/GUJl/+QMci2wqTAtsItzWZpVPMb2sH9wH9U9SwjYBn7pqs+VD1LgSpLVJkfihNYaqgOewf4ZN9dTH7KdBqv8n+XXud2ZIWHeTwykyN8Nd/HjvEf8R+zv4sUUa5OiLgh4/A1JFn3lqIwjGYZbBwrZ6+jt1+yX7PfsBuR/sNC+RLtx/Ur4/8RNrN2ZuFL+UpDnqlZ2Dv8MUtJuCZYskTPQ1FhOq0wWSMbpPYATr9mAUbB0vTvh1WsKdgdleEb1netF62XrL8Hh1v7rHQOYdmviJl9KL1Z6DNYeaLIDK0zpZsupZs/Kt1cCxtDLhvB/sWj6R9pbt3zP2lGSDT0PzFv3+OfYuQ4pb2nhWU86uSZzzLxBTP8/5T/SWb9mw33kGBjsbbhkBP+rwppLEb+K4/6T54u/iRfrv6J5yn1nyMx6v9x5L/j7GN9fKT6T5wl1rfDWsdh9GvZs/Kfe6QO5b/oyH/NYYY5P06F1aHe/S7u5Z5hYL0LpXXB7md3zRHpLEewajU/aq/ijxJviupD/X6Nz1O2/80wKZLilB3Eq/6T4AUivq9WriHXIt4Pt6JpqvUbYWMrYsn0T0Qf4H+I0CaZ/ifoA/xLUJjkU2H/0CH317ywp/3Ktk2M7/9BjfvlMN56NtbUnsv0K3U0+4+r+p0m3038ZmnjokV8Rj+b/b+n+K3iC2q/0r1mqdZe1YNuvUTNG8eqDvabZr4j239ULFDPgs0dkKXCVvjTvE2SmgO5476OGqFZctCrYXwCa96pYgfOPhLWRxaL/zdrCOsR6+e3CKfetb7L7FgxVlh9FNZNXPhY78r/yuDGWwNsIFrp66P/AwwX9+UAAAB4nGNgYdnAOIGBlYGB1ZjlLAMDwywIzXSWwYipBkhzs3EyASkGloUMTP8ZGH78ZmBhAINgRy9HBgcGTu3TbAr/FBhnsu9kfJDAwDj//nUGBhYV1h6gEgUGVgA6XBKoAAB4nG1XBXQVyRK91VUVCE4CwcPkQRIguLsFd3dd3N0tuLt7cHd3WNx18QSS4O5O8jvAcnb3/J5T1dX9ZubM7ddz7x0ABgDbSGQz/eglroftvyAIbugLd2RBPgykQTSRptB8WkQb6SE9pSiTwuQweUxd09XsNcfNSRPCwnHYg1NwGk7HPXggj+FxPIkX8SreyCf5PF+T5JJG8kugNJapMlPmyhLZIjtkjxyU83JDIuSxvIxXxHu49wLvz05ix9txOX5OOierk8PJ7xR0CjslnM5OH2eQM9pZ5Cx11jubnW3Obme/j/p4+iTxcfn4+WT2aeQz3Wely7jcXPFdHq7EruSu1K70rgBXGVdTV4s0CdL4pNngO813oW+UXzK/on7F/Zr4NfNr6dfW39O/lX+HdFEBWQJOBJyOirJr4A4HWZEfwb+wB9MGekBP6ItJarL/wr7HHLPYrzPY7Rd2P+5usQ+z2CfwZF7Cq3kTn7LYISkkrRSQEjJJZsgcWSzrZbvs/oH9uoTLI3lhsQdZ7MGOp5PEcX5hz+7k+429u8Ue5AQ7S5zlziZnq7PT2fsDu9cv7PV9Jv3GntBiT+by/oW9iau5xe5Y7PCd7hv8D+wtfmFvnw4BHgFHA05FRbnZXWEy2RVA5GfqE3kI/2qRlyNnRa6228af4/ycMRfMCXPIHDANo4Ls78ttDI8cZvPI6Ar43tvGHPynffv2Pcvf9bvDQNhjIDw4ehTeM/xGhMe9rOGjwlvbo0K4V7hXmAl79O/rI+pH1LC5ULhnRMGwfPb6RWGFwnKGZbTVj+cKixcW9+6T6OquF3CnOxByHAjNHZogNH7Im5BXIS9DW4YE3n51K/D3LaPfgE+2S0Tzfk5wDa7FdbgeN+CW3P7XXOsfuSV35t7/fJ7oEQ/5UdnM42xMs3HMxivxk4ySWbJKdikohaPPie6lqBS3VXSUs/FFY/53jf5u8k4+yCeNqbE0jiaInvmZf1SxfldxokPj/T3/c/wz3LL/v/u63Y550z2Re3L7H0aZ+eawWcYxuJjUNUfMKrPaLGF/M9tsMrPMCjPHzOXMHMCZzEKpY1cqOVLAB77Ig7wojGKohCqohjqoiyaWN/pjAAZjNCZgERZjBVZik1lnVpr1nMts1yfYgyv4C7dwB2/wFp/xjdwpDsWnxORF3pSX8lMBKkKlqQI1pibUglpSJ7NGmpu1nINhFliuSWHfuNTSQurrI2lAg8wBzmk2S0N9I005mxllRutTLiz1zCJ9a0ZSkDloppjJZqoJRkLLeu5IgvhIjKTwRnb4Ib3lubIIREmUgguN0Q5N0Qy90YbToyemYSImYwpWoR+VxGnsxWFcxEmcxyVcxzPcRQQeEyOSQITblIrSU2ryodzkzxkoJ1WjilSZqlArykdt4Imzlm33Wa49h5S4itS4YZnmJlLhGtIgBGkRipx4AX+EWf55glx4iXQIRwF8sFz8DoXsHi2IjyiKryhimboixUR5ckMJRKECxUBpfEdxUlSm2KhKcSkeqlMC1CQP1KCEqEWeqE2JUI+SoAElR31KRknRkFKgO2XHH+SgG2VDH8pjWb8ggqgwBlEhDKGiGE6BGEbFMZSKYRyVw1gqizFUxvJjI8yn+phElbCQGmIe1cMCaoCl9AdWU2uswWbqjK3UFVuoC5VCBwrADKphmfU9elAOeOECkuEyelEujKASGE/lsYE66BW9rC/1sb7Sd/pan+l1vaG39I7e1RC9plc1TEP1pt52U7cYJrP5brKYrCabVaWcprrJZXJbfq5n6puqppapZmqa2qaGqWPy0BgaS5tpBK2mVbSW1tF6WkErLbNPoUk0j5bQEBpKw2g4jaLRNI7G0wTL/pMt+y+w/L/Q6t9iWkbLaSmtsUq4iY7QUTpGx+kUnaZzdJ4u0EW6THfoLoVTGEXQPauWj6xqPKc39JbO0Fl6RyfomVXQF/SSXtFjqyev6QpdolC6TyPpJG2h97SVPtA2+kjb6RPtoM+0k77QLvpKu+kb7aHvtI+iaL8BHTBEB43BcmqOJdQUy6gZEuAUPHAGsXAEcXAMcXEc8XACsXEUgv1W1Q8iBg4hJv6E4gCy4Sly4Dly4xUy4B4y4gEy4SEy4xECcB/lSFCGDNpSOrSnDGhOLrSktGhFvmhNfmhBadCRMqIzZUYXyoKulBWdKBOmUlVMp+qYSTUxm2pjDtXBXKqLWVQL66gd1lJbrKf22EgdzQ7rIfaZnWa/2W0VdZe0lNZmMcditY4iISfixJyUvTk5x2R3js+p2IvjcjxmTsnJrOp6chJOIG2kEZfiQC7BJbk0l+GC1oU4XIhzc1HOyC7OylnYl9NKUn4jvhwl3vxJUvNnScHvJSV/kCT8gO/ya/HiexxqGTutFJF8HGkdSyHJw98knZSXvBwmZfihZW4j/lJOcvMdKc33LZeTJBaRDBzBIZJJYvBLcYlKgNX7XJb3Y/JXqwBuVgPKSk4Ol1ISy2oBS3p+ZP1QFnG37sCDn4knP+dLfJWf8m2+yE/4Fl+Q4pKD/5Jikp2vSCUpyTekopTg6/yYb/J5qyDZ+LJUkEDrMOJIbIkr8SShJJD4kkwcSSWJ+C1/4Y/8wnovH37H37kal+PyXIErciWuzFW4qlW3ulbjalulq2n1rj634tbchqvzDJ7Js3g2z+V5PJ8X8EIOtm5uMU/laTyFp1tvN9k6u618gA9bj7OND/IR3sP7eDNv50N8lLfwDv6Tj/Fe3s+jeLT1Q/14IrfjvtyH+3Nb7sAduZNV0W7WMXXhrtY1DeIgHmy903AewSN5CA/lE9Y5nuLjPMA6qaW8jJfzCt7Ju3g3t+eV1lmu5jXWa/bkXtybz/FpPstreR2v5w18Ri7KJa0ml3WKemp1uaKbNYd2k3c6VRNpDflL/9RAHaqiSzStNpf7ukVzand5r9M0sdaUq3pKy+tYq6drNKO2l+e6Rwtqf/mu8zSVNpRQPawldJiqLlVfbSEPdKvm0h7yQaerl9aSa3pOK+tETaAbNKt2ltd6QItqkJIGq482lXA9rmV0lLrrSk2vbeSJ7tR82se6gNmaXOvJLT2tFXScxtW1mkk7yAvdq4V0gETqfPXWRnJHj2hJHa5uukz9tKU81G2aW3vKR52hSbS2XNcLWlUnq4du0uzaVd7qIS2uQ5R1sabRZnJPT2o5HaOxdbUGaDt5pru1gPaTbzpXU2oDCdGzWkknaHxdr1m0k7zS/VpEByl0oTraRML0mJbWkdaTrNB02loe6w7Nq73ls87SZFpXbup5raKTNKFu1GzaRd7oQS2mg9XoInXpHxKhJ7SsjrYuZZVm0LbyVHdpfu0rX3WOptD6clvPaEUdr/F0nWbWjvJS92lhHShRukBTa2O5q0e1lI7QGLpc/bWVPNLtmkd7WZc0U5NqHfs90V8GyQAJst8hY60bH89zpKMMlT4yWnrICBks7aSfdJBOMky6ynDpKb1kpLSXIdJbRkl36SxdpJsMlL7/A5avJe8AAHicNY49agIBEIU/2XULa8tUYpU6p0jtCbyDjeQEEuyEkCI/JKIoYqIrKuqaXSVs/hSM2UqClZXkACG4eVkJw8C8mXnfTHxFMn66TzNNEsLtf+6Owq+//l4zw8dRLGkqfBI44TdFVXOu1G2FP5rmeKAvVSCgxzlv0lM6VFlJ3zKKndCWcnlho5nPO3d05cyLVeaeAY8iBmLa0Xwp5zUNKYeJ+HXt9PF4lXOtOzbP+i3gU5weY0pcyPcUMaq67KpeiHFDTbtDpvrgkooo3eiLDzZGyjywPPPMOLSOrayV+QWU4mJ+AHicjVfdb9zGEV9S932n4GwErgGq6BJbEgEo562FrBoJodOd9dHaJ93ZIWW7IY8n2UqT2Elby2miVnXr2ti+t+5/sbRfpDzFD/lj8leov9nlnT7gBiWW5M7HzszOzszuhmv/efnvfz3/x7O//+3pXw/+8uf9b77+01dP9h7/8Q+///KLRw8//+zT332y++D+zvY4G6XJx7+9d/fOVhx9dPvWcLDRv3njN79eX1tdud5772ftRn3eypuNjuhsN67Ms7zRRLd5Zd5SlY6qaqS6GXAVbkTu+mbUXXZcN3aEq0JV8rr0pmOZTQgxRGAUxkLE+kCsb2xFvCsTTQRmeAYy9IUpregpuzOMVC8AdAq+ruEpuHKOvDohC65YX8pxzmY84EMnt3Sn3PlnjJnEQo0C4YpoG7x5jbXcYdJBrzXpWfw6JPLDNhvhzT4Sh1bR24oUT3biFXAz21O6DQ7ZL8QT008UzzhXFU+M+pF0lZUIp4A3I3jMSh3pCpfH8eHxmzniFi5k2WwpF9aLjTy0Xgy2oqM2Y/zFMHplW3YnWYrzn4MWHXHGQo21CUtIAjgBbN3Cyryya5rfOQoZO9DUkkZoOMMsNK42wVksO7QNrm0U+VpRyGxQSoYSTrhLwNUM7sBwv1dw10BpE+VbZluMaaJ54CWsTNgoh7WwHrbsWRtrQahXwHwL3rrFXresWcvJIXNTow+tg7weOkda0mbBeQBOwh1McbCc2E4Jgj4z8VsnM7i1Fb1uMcjXX3As0XNlvpvbNwJxEtYbEVavm1s3ggShTeCM1+UIaxUOIuJNHMQ8onv5yjxFF4/EtiPi/N135aNu3m531mUHgYxY0wGWpxU/CaQJOQo00V5EmM54q5noJWARSBu0VaCy2zxRoyRAl7d7skdRkRI3u5TbM15ulTzrA/YB/FZpqYbYXlJNsTSlfMg+NJQKUapiSVmXjNe7ossv78pMjBCBYT+67+zEKWSrUKSqJJacvMSWkC+XLUypm7MbAea2jhi8GfTvIEnJGVzKZZ6HJT/NUoKXXeS9LEhieTk+NaLLpQrTLAFHN9bMyEQguyLlY3gZ04XnBgLdrS0aM9yKZGssxgIeDkOZYtoOz2JHxpn2OMbDNHZlvnxSnYriZFPOe9kOPoecjRIxMgjKzvO4++cRO+A6jRNrpE7/Lf2Xa6I7Bge96VjNIOJcPo5NyLC+rhv/k8k6xcSxplq4bP9qAlkFBABNqvtnwQdTsEdvAq+9b2JFlXyKvMhVnzjq0ziYsqTqYMQlb4tFQR89+Dq9iSqjc5ClVJwqFHtArAHBoxFiGQJ7iZxEHIaV/Kkm9XlwRiRKqjWEatuj6aiDPk9iniTAIntch6sy/nwnpeCists38+mj9uOXygHGMkogR1WxA+yk28JFtVaUtMb7ZGMJ1rFBpJgjpZDKgoleD8wQ76uKv0o/tEeBSLexiKSPp9t6bA/mau+QNKcr3Bgstqd9CcehWozok0lEo7qHbCt7F+RFya9KVK17KLglP7udYFvgbd7jeqlTRDI5YZWgGIIMY90jRozXzVefBfm9qneC0e1hYJhrWios24xUf8JS1Q2dLwJl/2QBRJq8tYn6UdILRc4re6twb4iocmg0V/YwKpZHj1+loc5kwcwwYHTZpW3RndjbNPYapRXdWrrVPVXzsNCqBBsMuUrTOQkC9GG0GTOjzTUTQB+qeEHRE0kKoORt6zmZ7ZBT+cRBIRX0OofH3/VRIxNBbxyT+ppWRCO0aGkEk7sqRHybKwpNpjWpreopnEY3dKtqm4lmplQ+6/jCe0fH3zHjObd4KGZols+LrCzybttRD+JgbEZVigrOUVFRubMNfdq4g2wQbhV1DNNHVnE1CLCJ6Lk9N15dM9WBotLqCdZDDBUddokpJlYs+jCkllhRNsBpT7yymVUTC/Sri4Xctqqo9lSM2rMtFHqZJWOzUcPLbMG5Rkejil7oul7bx1SahlHZKcU6ZHy1FxRRbL6Pgyl9j3KyOvFkjWhySixrcXsmNvzi+ziovXWUrP1/ymrFaqq6plE18ms/rmrGLNCaWa4120heM3UCWD+Tkkpbfu8dytCWfwH4izDtKoy8WlgJ33wDU/qkuqYxGkS6Vckcs2xeE4Q2eN+Y0G6C2IY1bxzDhXZ0fMweBxNu4wTY3fBMnBfkYrSJzr0gRq9HbwKWHr1FJjWLLG2dq/qFeLOm9bNEMRVGG72YSiQot1o4A5ecMjT6vA13LWp/+jAVsFzMrapfMJSJwfYWpWxO6j+V/yMcQJk+XLJYnkeofawH1nr27ZTaeeysRherPDv9E7JIh0ZHNTt0fqG9qU4B8D7Wd//7oubo48Qpx2gUpeJp7GXyfXVSEh4Gk7ETv+3olC7GnsMOo31gyVPf006iLPzLvkuvQ67T2ijGHwbFQXefVvepFvc04HwX56yOhdMWNspd2qo4cdd8XeQkDjy7aarrkL7GXMZZapNOx7gBiDa3rrFr5jIkinsG9oCSF11zrsa4Vxwe/zAXm1JlY5PHO5Scty+AJPlFXDTUM+3egiY0Drt4xS+4aAbPkJyGj6xv2XJ9ACfQjayx4DTolje5YL0MfozMaTyqlPpYPHHJFeq2+AqHhY5QnN9FSQTy+lwsJbZTKegmdTsyXyJZ83N0MqBTTMHrzOGOdgK25ijc0sPj13N0XZpq+3qi7Utoo46cqFPZW7VRlFl3TKyhafPzXzJh9Jf8Qqm8K7dwP3TVT0lxYQfAd+ZiLQGWvCRL/gvbMGjtAAAAAAEAAwAJAAoAMgAP//8ACnicrH0JeBRVEnC/7p6e+75yJ5MbwhEyCUm4MiD3GRUh3Mgikl7A7HAICIjcQkRAVETQCCxmEVnUqIjsiK66WXRZxIioQfBCXVkXFQFJ5uV/R3dPz2Si/t//O06SYarfq1evql5VvXr1GJZZyTB8oaaW4Rgt4w6YgFYEbJDhRUYXZArQf4U9/HafPcdn963kDoezWV34uqb2xoIQb2MYlumKnl6NntYyRiY9YNMBXtCLgsCgNnjSQlGBvbx7gd1RjtoBPpDF+TiA3l3BTpAJdp6eAnVTQOVxsO04bhRMhPv5C+EytpFpa6Nta3PZXAYwDBA01xmGMb7EmgAAdeOYguIIzEAFpjUC80gUjG42hWFyMQzQ4tbAADRiC5dkBaDzuMgz0lNwcqRl9NSXSvsJAROXQIBZBw/AK22zGfpYh31d+62+yFPPRz8lMOQpbwOX5AHMkbZrL3fw3L6Y3iBjiPTGpMR/Sluo0OwGpZkthq6azro0peUblGZgGnMdY+Q0Y4yuIIyUp9RUK4yh2g2JaikEuCOqxfZ27bd7Q8/tUVH7BqUbeQ6P32lnmJK4T63WHYjpDVNtKH3KDEDP+E9pyxSq/YyeNb/MRdgxMn5NrQKFxs9YGqJGHIezr3XI2TUyDOYGGWZuFIzwjdJOW2w7WEJhFZFQL5PMdAp4E4DLkyh6sIDqLaJLX825XFRQ7X4k7fZylaxmCm6Xv6hUK2Rl5pYU9yyNll1OXLQgq7ujW5f5y6vGRMtxVWWV8YD+jkkTlngiIq2MaY6Cb1hFw4ERGpL58TB5ROIvcwLjJlRkGA/DvNJ2OJqKM5TWoEEZ/TZ59J0RzEg0eivjZAoCiRa7qNGJFo1Fw9gAjzWdSS+aJEVVUFDuKC/v3p3oPOBzI5VH3yU+LeD89s5gC7sNHgc8bAUBaIIfDALTvmvV1DbAYQ1wSMPVq/yF1le5QQgz0iuZ3wSqufIJZq7IvHBMHYKZRzBLYHxMVsCl0zuSRIeDAXaigZMVDexACrS8nOjhIo/bJWjdHvwri8uy+4t6lhTncghL8kcd2H/20nN7T1+8cPLgwaNrtu3Ih5dBGvqtqX312VWP203c0aePvsufhPfeMXXyjPDrsPuSuTX3IBSZ6W2X+OWaOkTpxIBFrzGJOg0XZOwioyc4FBUUFfbQZNhtDELBq83Nzcpk7TZfUalXYK+GRTAaFD70cdH2rptufv1b8PnWB7odcrHNYBJYPmXcQwOHw/+0MeHTfQ4PxLNLeiK0Saa0qca0AR4NALUyX1OYQgWmJR4MzMAYKzAXCe+DFPRrUEft3KDtJLXvq0yBuRrbF+IiPFer0FwJjBmvkYxeBDoySeo1ElHHZ0dTgn7XgSp2Y3jRli3giKY2nBsezZ9suQyusCkSR+K2DIjWaNZZl0nEIqhxihrUoFk9635Mdb89q0Rq3ekjrfuy7L66RYtoH8/B11AvcOgW0J+dGWJF3Bs7E07EvcGxaHwEd0IDH6XlScKLFrWukXBiBSYTLzrkGSw1eE13IIHRaBgqLWjkaq4k41bkpI47GE5hC8On2C81tSFYFYLjQoyEAZWGHDrjaYTCUdqOwgxUYFojMI9EwxQqMC0dthOBuUFhbDEwmqFktcmh+j+Nrm3LyWrDKqsNiFkB6pBuV9rGa1ua3ANa21i6tgEkv9FrG8ZoRrverv12b+i542RtUz2H1rbldG1j6doW76mRZG1T9waZfLq2sXRti/sUkQFKtZ/TsF5mQfTaFgt1NR79MY3I+kdhEI2Q5o6iShyOuNbhTNbIMAITgZkbBUPWP9pOW2w7mJfR+od5OYXpGkhW87LNLRpt1clGo8LUfrIExuHs2IWwRMXqkVWwd6nC9nQBvOuO4TMdLmUsMxQ8Yb6C5zYFT0nm9ExywBolc1TgYrFSUMCdpoTCTZIWX4G0eDLWLF6P6PUycXU5bStGn7uRPu9ZakernV0Q2ObwGjAcdH74QsnD3TZVnrgAQkXjc+Cn4ELn92XVftt2pNq/bQufNulAZSg8w9xd1qcriCSXUUmeRvUy0qer1Dp3BZEkCtMSgantCOYGhcmIXQNWkDWAwnw1n3BbKuG2DTK30ZbKFKirsb0hytUi6mcTjZeMLECDyHGMgGivk0yDIrtEfewLIY2MftY2srrGRuwMhR9hxRsL2JnhXXit6IdaCqKWnMjiKggkGDmvVrSwLm+1yyEiPW9AWt6mbrWgCP0h6/kSP7I2/G6/O4v0gSejdvRo3BP6Gb6OnS/uP6Ev0X+hVg/ukcvEdhXBntCqn8qiBzaNSg7qEYyOjBCv8AxAXMGTJUcXWeH9aO5Rl4TD6sEI+CI3Hb4ARiFfLxRquRyS/D3sLZqZRGRNJniMOtFrsYqspZplGZcRNaeRVwjCZbRdtHr5kQDZ0RB9dhsowWP1oTH63WwNnN34wU/HwYaW8OHDrOmJ58HiN4GLE0KtfWAZqwmxxlAo/DNZR8gIiNbor/IHgUmj0hoUZqAC0xqBeSQaplCBaUctBaZMgaHWPhvpLC7U1XgYIY2oIxqxv8ojiNWIsWO71uHYamQYySMgMHOjYIhG7K/yCFTtYE5AGhFzQiqTE/DYPaLJXg2QGZzCmHRBmSnIxBVhoziaK3ztVKGKT+ANtTKUuSZGF9JRzFAwpFY7wVDRhVhiMZfZsS7kecZiRCIUZLSyCsPKEOmvTLbE7/JgG5hoLRfPDv0PbHysdsNDsJbtA6ELaL57ZP+WNVxSqDX/o//JWuWPZO5HE6/vBtNAKeQxq9cMhON2IsOpAavJyjlEjtEjdWCRBddRLlnkfns/1oGwYLUgC02J1l7XuOmdNYGTD20CM36EXwe2ViL9wJg3fAh0tZ/A4P3hWWxqVhctLCdrZQbuBeFSSbVXPuEMN+GMBYQzVOuChrEH9AynWhEkfeSua8QGV0tRCLV5n7Ky3kI9dniQjk9Q+4R03cxAXghZbZAyQP+App3Xirx6tQFOPwdIH+yNoqaJrTdQT/w+sAyuaZks94hHQVf8W+goXGQUWtUo5BVQgdKyTzGPgCCGMwEW+XQBebS9pNGamdyABxh4La/T6TkW0R9zpVFUFsOCIr/di6bAZ9eWlCIUc9wahCbgT5xoBNvhHHYlW1j9SjW7N/zW+6+8D3NDqG050mVFVq3dwJureaPIMwKrUvOoXWpz+5x+J7bmkZOF3KyVoNse2x7Q7XjSniN7ktCMPsHOuLGA3xJuYEe21GCO2Y7aTiHa1Rsw6jldTKuUVwCeryyQZd/eCo64jrfCoS5ExUa+DLVV1kJiXqQdMn8TonSc2jKiMIUKTEscXbEdzUoKoTeF+YpqHbMuirckKOSJIIo4OTvG2mQU7aZqu+ITR2OPvE9tXmnPniUlkXEc3L3KsHj06N6R4bj2/t1iqneYZk6tIgMDbSulnly4J4tOYwKMaALVSOMYiLrBPdlJTxxqvkRFK9LnIsPiXQrNwMHdMKPe4Tim+VImXutK+M2f/26KUGeGMnJZv6ijAiORFpiJ7CQt4gXsz+lE3iTyyEjSy/4cto2wz5Uj/WarwldYE2sKXwG94NvwbReLTL9wSrjwCJvAdgk3hb/BfZN2yexNV0csbbzKZqEwAxWY1gjMqmiYQgVGitC5YtqRInTT40XovHY5ZqY8JT2H1iOl7XYRugwCzHqI9C6LeDEEo3a9Xfvt3tBzNEKnek4VofO6SYQuzlMziRej7i0SoUPd4QhdvKfIajw9KkKnkD8yfmIzTldH6NQjjjOT1zqcyRoZRo7QYZgJapgLwkIJRou08BZ5Lhnmgygo0ttcFd9wCVG9IbxpS3NVeHNp7fFWt3QtXksEpkaGkfAmMNF4Eymaq5IiArMievwRGv0Sn94Yilgk09UxygglsTwiiwTLYyLjY9ICDkOaaODcjCi4q4Uk0SLoJQVRgZckbHaUlmRTsdRYWDe2AJA9wsmSum3+8iAyHZGwwr/0mDGg2+Ccrg7/7VRsYdUdk3bmeruydUR6X7nLnltRltQP2SfsSEWQOWZA21KETyuyPxKYdKYwkGpn01ypbqNOJwDGak0UrfqgQS9MF7yiwGGVkWQ7iRBEPxx4TfLmlebi6Ji31Kv1oD8y8ziXF+RmZYAMe3Ee8Pxz/dp7WFN98Pb1i1aGrzy7IDEXnBg6D74NeoFeBbDnsHUjvm4Ak9kvR9aPOPkK3BYuHM2uenUplzqw5Rib8K/7Wj8bguhKcCTUX6TmmQyhHYfOUGgvRUhtyixKunAkor0H0d4fyEh02UWzTTSb9S5dMElvEvVsUEghw/Qq5leBtK1DooI4EujwF3n8qohpppBXVGqnUUIHq3v/22/f71nZDWxRoqc1WRO65adlda1ZutIFloDx4Haw2iUFUl1HBD7fA8/Ba20M/Ea2V6aTmJkT2ytmPcKPAaZ43nEG73Yxviy7Uw6O1oE9gAPJ8CsY/hj998ShQ2iR+up7eAMO5U+G63ds3L5H1YOJroVWo8hZRCtn5RilD7sSG0Z+i1/qxx3pp/FjwIIU+CWESj/NNy6ijpq5H3E/Dz9FOL2YcLoNc1bAqXWLWg6Zlai3as4uGjmZ1XE/iFsUPnfb/H4tkFic2wNHw8mEw2+5NMsFZ0rMXQyO6G5i1xLWXtBPB2EDW6NwNUu8xEVyxDng0Bkdlki82SAv+O2izciwzczy2YEcZK4F35z7YdlCkHMZtun08ALIwO+7167V1F44+dh7PcJ/Y1PCX/InoWlFcPl6yTtdRDh1OeXUs4QLE9U2DYUpVGBa4sEgG2IRsWkozFcGormTou3l+xA/5yAKZyELMsFtTxB1mQZjepolWce47IiLBSUOgmSVMnBeqcfjzygpzsvLxT6NXw6JIFfH4/V6PG4bm/djQ9K8f90OXKuubn388ifrTk6rrdw0YuF9w4eeemKfa/SJ7j3evrd3zYCjG4++O3ba5qH9/3D7oPGZM4Yf3QZXYKsc40QocJ/aqsu2q2SVwhQqMC3xYBAFcsjaRWEuvkZgOqtj3rHtSN5t/q+1QykJclRxExwTQS2tRZTMZPICibpk0WvUpQga3uISLfogn0YMJikYXIBpiXnG1hOpPT/AGxR8FiUsYZq8PKT/cgW3vfZnYIVvAPjNk8/C1kuLb0nqeke3ezctEP8KMiZM2P8ItweYfzgA5+Z9svfTK95XdYYNy6ZvziwCoSLwWH3rVJXtZkOS6gs4XRqRdbkYs040q4NcNHxO7DjkpPpYX6Y2r6efGHROn4NYcyzXLxNu2PtAyq7DbA2y69ISw1vdLvZYeu8UcCLvuW7EugPH4EBs31dK+kHLOAMGATskkcgJdkKofwyuoEXaht4nkedbpH7OiiXOoBVEC3rWyHGMVn6exvmVViKeNm7tXVBMW0S/32UrG8CJUAj2bAgfxrNI2iYzfb+aY3ScSmYq0UxPJzJDYS4eJjAWBNqjI5ivWgg36KPlCnNDNhmJ7WUjzyKbGTmPFQUVfkJkbKYjGSK/BXYsLGtcvh7wjZdcoJl7s7XP5i0gDf/+/nssx7glIg2b1dJgU+NNYQYqMFIcx2ZUxXEoTKECI3G6y9iunTIFRo7j2IzqOE4tInI2ocBmdYwmxiaMxftah3jXyDByjAZ3N1eJNSLL3SEsRL5QcsBmRFrfUm0k7BSJ0BZEExV5RH6bVk3Zvq8c/z6auIa01+Hnla2vf/+9hIfGQXB9RE1jjzVKn07GeCgw0qiT2406qqVr8VoiMDUyjDxqN6eKTFGYGUo7kl+GYbapqTdKReFf4s8WpjGxKDerY1yRecA0RhYl5tYMJjVgtyMbJgWZkynVbsEiEnOywE8lVzEnVQystirZXdianEe5GX7avaqc2pPUkPQkg9fU7A033mzNC/iJQRnhhjkKpmHVeAZGj4dQZrOaMjZOFRHrIu0aYv2j50lsmqqPIrxb7wN+8kLaquYMGOkAI8/AGmTmpPGf31iAnnahp3cR2U0JWHmtmTNpBAPe/JYjFBXEbvVzfqf04nxcFtdQd3qxa3Xjfa7Fp+vgO9WmatSki1vTuoy/dGMBN7V1D8aetE3mbE+UNKtXbgpTqMDIkqpvB1OmwCiSqlfPfWxvsgzqVXM/AMHUkFhMUsBi0AKe1+PAhl4Jx5CxAkD/zwJgAHgBjroIeoAeF+Eo8MJF+G/4b/Y19l/hC2xG2B/uz7rD36F2E1G7j5IdGm/ABHQajtXrglqWhi+kYJQ0EVh35zSDiQ4wsRnmgGvcw+Fe7Nutf4R6NAbSDhlDvZpiBlZFDQpTqMBIFLMI7WDKFBiZYgZBTbFEpNseJbqtXi3ltuj4cyxOEl0N7furkWFkKccwc6NgiGzWq2UzzthmKDASv2MYhd+RjuC7EVonBiwCz4k8GwQ4AEyZnkbpSgBeLIHP/Qi7JVzDrQlPZo8c5tPQ2vv5YdQPaYOM6bkoOvMqXChMoQLT0iFMmQJzNQ4Mzpcykr4Q9+HMFdgkxWMC6DOOWaQZSO5TkjNq5zUmQ0HgI9kHMzuI9wl8JN63uIOIkQRDPD2lnRjLUG4HW5gzO6CHDIPHulj2GDHO6/huTBKTy/QIpDrdLtHjNgQzhCxRh7jCYkYuO85fSWCMkjfjKLcTG4ea29TG9hKrsNTLe9x2r1uTlyUgnxEHFpHlneF2gVN/ff3nzxZPfPgh6DoDtG0N8KDBbTwoTrmnX9ld5UgRPPlQfUNiufgHXnuM4z85DQd7Dhj+s3TpgYFiWcCqeWKXTN11wmQ0mlfJzH1E/d88CwDPq/cZ1wk3KTDnLikw9VEw2q8oDJOLYdDcfsQYwP1kbssLAMgdF3lG3p2cHGlZibTh9nGkzU+A2a6xkbb4fZ1lEuW+iuP2hZ/S5cQ89Rnq8Tef0r4f89T5tquRcTG2+E+pqPoJpVhBLFXf0B5WWv6EUgzcBcbieGG3fBwvPPvyuMhTappNjqHZJxLNSglwRzSL7e0sWP5bvZHnLsc89xm44/c8p3PFPIfpdoLQDT0IyuI/pflcoduZ72m8TCFvhAJ8NwVKik92jbbKYufgbGJHnL1LgfmM6QBGE4G5cCkGBss7sqWwvHdhypjiQHo+kne3QShRCXsPpquYnCEmd6IS/24BDSQgoa8o8Hck8lohditR+5tKIGvyHZENxpG/qRCAMH443XwcOMWWzKrVg0KfqcrYP70UmY+VkfkgPLJAmetPFdlPYJIa+N5I8x9p2xnQj1M/qJqj4Ur7568qtN1FacsxbgTzKF/GdGIKmT7MTYE8T1JXMY+xO5OSGKdQKgpCFiaxs7Po1AaLmR5iVqqYJevVImzGOmh6dXdHuaM8rn71og8OHMjxYWe81CtgemNKg0z0b8W5oAjTm0Y7QMHarW8cHtJ7V+1U11Sg+WPlc9ue5DhY4nowWF6RlD+h07LnCxPd94OnBg/igW9Q+K3KqtIxYyePcNVt2/+Su+QPC3juJU7/3D/g1R8zh6at22Z+RmdYHKxZym3b+tRTW8MJS+YOd1VVDr8FUYeMnHDwaaqbSe4O19cp613EefUIplLTzFjQWpMecJicImMyBq1CosgLWmQPSPvU6EX3Qv14qDipJTPXaZdDD1kZ9U0u689N38BT8D8TDy3tOqXbEwfvXQh/1DSHNzTBixDCn+EnRnYKvIVn//His3iymA2o52FoXhKx/WEQzKIedcig/o3qfEhGnUAjEJ+hJyYwewC2wC+AF3CPn+u+t2vtrQ/tfam+cveIhPFHXCAVGAEPMuZX3zOs8sWnX3zNYjrqIDtXpE9CkQ8oRSpptqKgWoliYZqL4sAgfx7hrsBc/JpmzqijRLHtfELbSWvXF9FXFObDQqWvJ9S2gA7NkJ3mHJkMBsaLpkeHqOVhXKJVYlXyqqiIRIu9eLqIvAObP6MEB8kFVvjnuU9PhJNdTSFHgmEHbLgKTPDHhfe6ECE1iGg5TeziG9mGQ5OmsClwRwNgQOHbGIdFhEsuMalMPtMz4DN5rS7ebXZbHHbR4qg2W0SPGfG8yAjVTJo8gQUkYF+AkCDeAE4loIE/P5unycvJzSv1eHO8Wo/D7bYxeRn2YmmC2aHnfzpx9L4X0uzaGliYD+aITxR9/zDw5R+97WbY+iNI2Ljy3vtXuYDw/emLd90B+H3r/ypW9po5dMHYv/acD99/vRAzxhHg2rxz7T2P/hlrAERBzWyyF++kOWoMKzKMSWcxIPcsqEsWjTptkPeINj4i9UTg5f35DLLVoKKnj9KTn1HUNDHMwkrw/E8STbfBQ4hqLGyF0i7+UDaFLWxPVnlmg2hmE5ksplsgyWWwmxxGk1GwMEHBR8UhRfSoVJGjvByLYPQkIwNdymfqaLLhTjCrSRQ7mnIw9dCcOYda+sVMO0u4Mx9JqBtRzRdw6k2JosnECB4RY2ZV5hkTSpZVB1GEVA8SOeWoBmRD8Af40Y0vP/xOCBenvFk3YOWApKm7tt2zzcwmbVAEFrZeH1ax9n6r+ajDwG3bufnBxyQZySdydJ7KLJEjNjVWjvKJHUhhzrkUmCeiYSLtNLs6aicC8wmF8cXC/IdYQuepZeKidtej1KLJTpMtGuUpWWdMjrSt5LbiHrDd1ZUAs1mxdhfubWC73s6CP/9Wb+i57cTuUj/3GXjgdzyXT+wu9XPnmTTJ7kIPYrsr3lNEj1G6nfHQdV6ZgLhQHzrizBKmEtGsFIZmt0bRJc48ne3f0VzuUmA+y+8ARhOBuRDLE1gKkG2GpSAXeaB5Aa+pMxGCPCwESeliEqNIgu1dZZcsnixEIl5ZNCL2a7Lhv3MwjYLlzV8eTKjpUE5MeYPo5iqOlbkBFZrI6IcrIzufpoxMydGIkW9Ok4RTYm160Ybk29NOvrECL/WRdVib17OnH4+RRbZkqQ8p7eFnLgnsuxL20x7vA2wg98ZFhHf4IsJbcw3j63IcTrfDL5AtEIbnj+7cvHkntgMGIn94puYyzVthbU6Rs9kYrVnUgiBjkHce/Ur0vgSrYmwNZNjdJIS/DT4PRoOrQdFTMb0r/BI8D0ez6w49wua6jugEuKfuUHgpsbAzeR2xNrKYToFElxBMt/lEBxppmiFF1BrQWIHIWGXTQ7J4nHk5JBEHG3Sywi31I5NEwylq9iUDGPvUVodhx2Kqbr3248jeuXhU0rMw85hN9+e9syZNURTu8dZe8Ct4xcg1K8qWeCUIQ6LDflJ7ydk2lXRQmMkKTHMEpr4jGMl3zG8PU6zAfH5VaWdlFAyRVgrz4X9i8FEyXpsZB94ztgtW2Wg0kpkrknNeid2I9zrtWWSZt9uRvegAQv2RppkTbxAj8d2j4dHs83fMhafCB3HL/aSWk/CJqkSLV+QMWpE1GDRGizaoYYJOpYfI7o6S34vYIrY/UWwCs+DOSK/8G3jVg3uie25ra/sbyZ5cicb9C81fhEeZSmyVeWPz+0ZrrjBGukeG9zzt0+020S4EnSazaDJIQbQk20k5pQIbP8hJACXSLpSb3dZ3/Pi+/caNC58C22E92wUM5t8l/9Cv7/iW4kPs24dbNx6SsyVH89kkLmrWIk7FOaSCLB+qvGKcqyi3dYhtPISfl3IDRxOeCKvtXoMGgGPyfFOYmxSYc0UKzPPRMJF2JJvW0q4dwjcU5kyxFDOVG1JOMSD6IahWqucHEz2fYmp3ikHd39lpHeG9S4H5bHAMDMMzjTCD+4bMFj6jl4ft6JRUMcUadKCJMzHTMxOFYAKdsqSTUk6ues586vlD3MyRBD070QRgsjSL4Kg8nTOa3jU0PrW1qY2BFyMzGplZPrulGWYcc1ie3MtdJMog7FIoFxnJhaLYkbDkrAXluzxkySal4ZiAZ7rZ4xRNHgPZerdTLsQL0kkigJgFizriwfbZxnG4Ep5RZx3H4VF1AnJkToYrIznfRxnJfnkkB9Cc1JKREM8To+6a7nKKSDVjAaKqOJ78UNqTdGRB0LLXZXRXYJrDmWxNzffHIjj+MvaYw/rEXq7sUGuvv/13iRVJE+55MZImC85M1GmRK6VS/kTrR/XQoGoXz5q6NTRW1Bo/FvMoMBB98QnzEo3oOnXKvFEJXkA0pS/gsBg5Oz7/gDpGytIsq7JIXogfZ7z0LPWzWuDjhKwse11TrzUHbvc29/g7KIM3fh5yyxxNc+uCSSefgUt3h9vAXjucR6UqA/eCcDHRfeZLZCfC1T7feQEavwOfJzdaKC56ICiYkFMTvxsTPht2icYE9VFFLCvstSIaCxpRYIKMSTEpaAyFUlgOmbCXjuyDjawpY8qkW+9LuPlhV2Mz98ShltBYsSj3qAfLB2lTuwiNzkp3G/YQvewQVHqZwBBfz024Cnt6vEEvGpggbxN5lUlDfTuuPR44D/toNC6yLxeNEqZ4FaJ4PqE4xekroseAM/p8jEQNCUrLPgX6gC7kjALWd2yDPDMy1RKZzoFELWtIxLnZgBGBxm0V3cYgVvuMPAQ5P9tZkkNGgPOzXaoAVEnJIpCER4EmqlEeybgj+8A/XnmITT4U/vPeV/bC09JYGptPoP5rELECyEpKZwoCXq/bnSakiAazmcOruhB0JCZSBsGHuIrwT/yDcInXT137nkRI8bKblan8qjlmsZkO3DTBatdMGDtvZtMtsxvGzuKz1+wYObLfxEVrWt/gOs/b0nqd6zcR/ZStCoRFtFUhtLcqvLGr/HG7N7LAZx+X1vbps+HHZG2Xzm5gWfXQddBFJVVt7zMUBnGQB60TbrfBKeoMWqwhNEw1WnStvEHOICN42BEXOdvjMvibWiEKnQuEhTJi0YqDVfPVGKwwDOIzHfaLJBgp2zxGsiUopFF9AZfFKlqswUTBK9NPMhfkMycRnG2slHIeS8fzP880rFpWE6HmQfhVG+M1ESXILpCMJtDWS+o3GfdrMwQ9RpeoN2qDQpRmpTa1vHbGEgyr2mO4NzXVZvx7L1a59l1ooTyuMtWg4W/fLlbOuuCVRqLLeUn3AtVKI/s5ePXHuegmUXCQGIZKG1Hr3kE9mhIlFlXVfOVK87mffjq38N57F6K3C2QAAWhBOvwM/gJvwAuhYwefffXVZw8eU3ulIE0Vb2UT4kYqJJhzjALTPlIhwXxCYVJi2zmD4wIYBvvpDI1CrKb+fXqi7N+ndBCFkJ77UukBRyHyaRQiLV4UorBdb2fB1t/qDT23Ekchop77DCz5Hc+RKETUc+cZgxSFQA/iKES8p7DlKdHtDEujEAnRUQg5wiBBSbs/aR1EGCSos107mstdCsxnrvgwRzQVEoxW8wXS+6S/BAFXWhii7u8I6a9AHavPiI46T5baKlBhzuW2x1zdEsU8piUCs0uBoZjHgxmuwJw3KDDbOuLUjwdHKB7Zb1OiLBLUBSaGTqooSyrTiexDZIsmbTCRERMFIU10CDQGSiIsSkZRLltCZdbFalVJ6mrx3T1/efCND7AEP1LbaVIFDanMkWRZylR3gJSfZYn+F/y5yJY7QMpXv0WWbbQWbGhbivA7hLOjmSycr+5kMz0+r0mv0wJkcqeIdmPQaNBO1yaKWm37fHUNyVfH8QOasM5myRnrmYITY5wHPKBr9fiHrjQvnDhh/rTtP527e7KvEyjr3m/hvVcW3tsZvtVj3YhdW4APo9rpyf5/2QI/xfqnALRsnMAWJr8a/u7YwdoJ4VOplOJLpXkpVnNTtrYd9w5XZoXOL5mVbfLemQvBPEL0eibTmSkNZOhSRB1vtOK4l8BbrQyfJ/LaYIJDTGCyJOvOT+0rullm98snfYribZLlRXbI7Da0CNjAHFgPql4YdsszMbti3905FORKW2LvbdmyB+kGNvfYMfUu2KlT0h5YFzAbzIY74A68vwWL+Uo0Arx7khPwuE1e0WoyBl1oBZBXRYs66IPMKcmacZBZys3LsoMMtDr5itA6hRfG5PA75879c/GjRhewwB+B6eq9sFhz+XgT/AT+DFvgt1MmhbdoKuGpNqYBzH7pbRkHaQcnHg5MPBzsHeLQ5IqHgrYeb7V1iEMVwoGJ0MFkCRqFIN5H0kv7SBb1PpJ6TSQRryx71NYCgEqsq8kVd1Ph+A0bWxO1n0AzdVciHLwYAwtjsItaZFjRUIYb2wly0AS9SYUceorZ6XdgQyGLSjXyWSsvvQlqshMcwLFv++lBo9avBTyOdcDLIPvY6QWzvv4AXjwkZ++uJFLQWyUFIMGgkoJYmGYmDgyyblaSFaM30eFftY2j1lditPW1C0mLi0SKMwMeQ7bZ4suwp+oYV5Lo0pKjtbL3QffDctW52zgtPluKbEay4l0CKyx+ZkhC9VNDn9rqL7my+yFE3E7b1nluXtb7+boBA998+vEbLovtuM1WMaiwu7lf/qLFh3bhuGffQd062Qvz16185nE8AoIZGWUFpQT1x/NcqlHGwjSnxYFBlHARSlAYKTu+q3rfM7adT2g7Bb/WjpQdnx+dHT8QtVSrucyUM0UBH/aCgFBmCGZ5c52dbeau+kKDkOQTk4xBwS8KQCGt5Nw5S/xKyEAgiRAebxqLi/rIhMd074Y3JbE9iv7GzJVlH7jzvx8eeCW9u9eZ07+g4LayF/88ZlmPhGE1BSuGFeWP9hclppYMG1iztIldc/jGh9/t2T548k1Z2cPKe9zWPX/SXUO21dksx632mmHT8rJG/GHo4OpuXWYNK6sAq+9uaWTXqKLdNuzb4CR3rl2suyA20o2MY7AfPgFmgLOL53kG3NEdos6VAHdrF+xv9yG54zORbKUG7GbkcBsEXTU2v+0K2/nl3AXiLdIyF8p+Omf54UN4FRiawOcw7Z4HimqGJgxei7xCcPEQCMDjh2D2iqBRf9RkUvWVjiPpyS4xGXVgtonAZK7m8XEmrajRC4qnRrWJswSPSOqWvJSuiavaBxiU7tUojPjhQ3D50FmKxNlD4yQsGpunY6uBYEK8fazVvHbk6CM9YmCqLQZTtUEI8m7F5ZezkdU+fwwN2API8x8ahw4R9789ORA390HcjOiBuHkIlYpLdKdfLRWxMF+VqjTIBrUGWcdn45NiAacVB/IMQTMvBHE9JKdKQSsz6bdLp/P9coYfuPH0y02zpy5Y1LQNHrQ6E7e5/vEieyw8cNIfHnqW7dW6y3PAcGbOAklOSX4TGKn2hb1mVWx1l5y5J8Gcu6rAPB8NE2nnEwqT3K4dYplTmDPXaUxYaUjSCjgvK1uB+vJzVa0Rxb6N7e9sVkd471JgPjPEwEi0PqOpYNKYzoEkb2KCmGgIWjw4n8EiYJon46I1kkVTVCGF2WOIjjWHH5k07YgP8qeMbZ6zKN4UGLyrFj/yes+wJWomzpARjVXPRDqvHhGizRli+49V0yanPW3ULWHaIKh0B0C+xlPRULsUqM8MHUMNV6Akzxpjtb+juf+4T2Rej0XmVc6Ak6AuSFzEq2eDZMBlM/m45ok3RfTaMftnS/yfo54L/CJR4fYS0EHCm0omotPb4spHTEqbWlqmKmP49GpkpBujR0poNlJNM69CM/m8EhoprgVq4BmEnRyZKbJHnTQ4BVd+DjIdIOFzuJHPbt3C1bQ0o+eRi8WL6HlcY8Gm5c2cgTGQRkxK9FZKuYk9bBBa3FjpWP7GcsfE04/A1mWmZajVZfiwAbempZkb3voSGgFpnczodDUv2tQ7LrEwksS72sEQiZ8eJfH4GEFE4mNbkmQ50hsaLw7gDkbjpWcNgJacNRCCenm0ylkDp5OcNeBEcA9cexnCy3AlWHkZhn9hTWwCfADMD18OXwI1cAtutRTp40moVTvedab7DVoudjLK8colz4dFCpKVgnNwYjOYaAVcMzzZ5+F3NjcY9t/753KJmL1C3yywuUIu67LVeISkHzLCWZSexBsHDjWtYmE+sSoZ6tEwhJ4U5oyd0tMRtasmjUqC0mq+BBMoBzpMaLHsqL+zfTrCaZcC81lWBzCaCMwFircDtGtnuAJzPlGBUSQC70eYyO6mfBJBoCcRZH8g6iRCHVsdfpSrCj/Nzj3Mvnn4cLjPYWnHyUTGdJfa1jfwMTuFaphmpgMYQmcK8yFUYJ6XvWKcT8Yr+WQFgSSLg4Q5GV1MOplTydwiR7k7yiZDpij2fnlH0fGJ4WK4Cqw8m0Czye6D//381OkLv5FKxjM/IiovJDFrLYly4jxBwtMahBfPTHcge0wXu7+JtYJUfSZqP5M70BQCxehHuK96H5PEr+UYdtz9S5rxWCNnMwpcnOxKGq+tkeO1AhcbgVciEzVyZELg4sRRqZdRI3sQAhfHo6HzXSPPpdRO9HwvYY7xpfw+VuA6IW4Qrh1BE7xDU8v0ZiqYm5ghzAhmDPNU4JaunTrl5Ph8qamJ/kCgomLo0CFDRo509uzVi2UFwWCwWJx2seimm/r1GzFi8OAxYzxotvPysrLS05OTPQmi0+P02BLZYBlCiNfpTCabVA6WvqRz78rn6FdH/x55IelwIv0e9c4q8ZM3nePYt9+dRd4YlkNvn8/pA/Jv9O6ZBmenHU6DrfiH8te+F9Leu4B+Ax7/2NH+LxkAQa/Gz7FD0T/D1pae6g8XyS8coIl+HyD/x/4rfR8g/+O/WEf775Hg/aST5g3P163MeGYSM435A3Mn815A7FteXlLSo0dXOocDbr115Mg//GHy5EmTxo278860it69S0v9/u7SjKVliDdVVo4aNX36lClVVePHz5yZPHj4cHmWHQ6PJzlRTEtOS07wscGhynzaXK6EqDklM+f4tXn9/fP7W3P9++b898w9+ul0Rnigi8IDcf6K5oamX/srmi+6pLFrCA9cfUP1ATTgB7aRv68FO+CR38Mrv49nIrzDXjvSVsk1CWOZ7oyfGRPokp0nZm8MegsLtUksqxVEj99vcFqtBiMOVxl4u5kNdk1NZsRknp529OMpVM+08hvbqHFmRp4BX0kmjmEzPr82KxMnuvv9Xkz5X77sCltiKbzv+fT3zqdpXx9XPw/cCQYVunT/hW0A/Fdn+XkU4NNhy2Fk5MSQhpLAtReUfgr+Cj5qgGtgPdwNl2xj38AjB1cvSrZkd2ZioCvVb4nubhK3S/rL63U6LW7O1skuBLvI/G5gKiSGpBbYrzIsl0XMz8hbMUtjX+T7HU+YtsPWelM9bN1ueoL++HReY6VrZ/M+1yH0PtJ8xLWv+RB673RVNs6Dn6IH2IvhJPWbWGOm1ivt3sjUxd+jeQcpnIb7XINr4mTiiKTHlcSIzvSkaiFd1JmEarNJNNvl0+K0giSInPzABz88HrcbOR3SmZqSkqxMtwv8fGdw4713DPnrK8Y9Dc/+8RdNcuKk4qqq+qmc5o7Js/+kZedy/DYAHtzwi7lGmN+n74ZAdtHI4QgblmO5QwgbaZfSxIgOUzXeqOTkXUp1Fkz0LuXOY8d2Pv7qq48PGTduCHpz7JFHd7z88o5Hjzwy69axs2aNvRUbX8DHebhVqAe6r661ipyWC+IyYUAuR0giJCT+HbWPD3yHDWbN2CF3rz46fzHnYVfM7zvgnrvgdLB++Wa4sa1NvqOAFUi990itFwsaC65vbFPVWrXHr29cRMKdQlak0jay8WrA8FWv//GPr6/qBS8D24odO3Al1u1z3li96u9z2H0wad3ceWvllX4e6R9NLMKhAX0eIFf0i6rxKvfXwG0O90KttRTh5wk8PlsK1tLMEmqVCOoqtxhmnPCGdIeDRgRcdWx9ahxQsjewHzeGczW1oCc04QoVLJMGP+W3IWxsiNMQNQzA6hHNVka06oK6RFHHKrvjNPLfjytRSqA6XcjtQBRJm5xSkGrl8lY0hlOOm5Pyk1kbnIhrxXave+PNW9i8liKYATJRPw9Uho4/XcbbZKqMJFTJYZTPZJS0CkXHNYHLFJg4dYoRLZLbWviHNVvRSjswkF/RT6wYXmIwFvNpI0b4hoppPl/6cGwPD9cFOxeIndPxabZ06Qy3nxQ2ojmbdqI4EOm8JcSDR/56aQmOhOOMAKQuMQci515KQsLf+5HaxGFaXCPPjcWPfO/Gzj55Bu9T0O+zkr3OtNsGJSUNui3N6Z04rsrVa9uBbb2dE26bSL7IzqZf3DbB2Rt90ctVNU4TSssE+f2H8mwXVjM0APIz00JTZsOG0mz2zvBj2aVg5OwpCASeDQzVIBB+aH94FoFMvROMLM0OP8bemV0KG+6ciukTwPvlSNIKmLyAJysbny+zMKkuMZULIidTZBm9FMpTcr40GZHdgKysvJ6SdAvavH6sP4PWpCfha4G1wK9e2HJr7cxdz720/RHPj6cefjb3zpnZid5Zy8qA++pTR8SXa9b+7HrmgUG91y4K3nNMN1u8NWhx6I5ondbjjy9/srNJM/aJ4PJXZ7WvqSjojLogKXxAk8DkDDBANoDA9uMucKHpuAtmaGpbTvPdbizgu7WcjpyfHoi4htbk0EfOTyu1RJS6iyCqtkdU3dRaxFci4iucae8xW0Qz8CZwXURSIirTJ2ZGKigVlFPWkZijtBSRiTCHVouUSJYbZyMhBqHMQfZXEHfUNp6cMdyZ6+41a/zAwm7ZlhLPlCVFRSurPSWW7G6Fo8bP6uXOdYyuPqmpDT82ZuKROxYUhQrLPqgSU8SqD8oKQ0ULZx6ZUBkm+fUEUzKarVRj0NF0U2uMHKnisQ1n7WKB0CHqGkWBlRaVwh6lJUUk05DIOhL1nNmTPFxuI5zkHb0HhO4MreJyEZFPhp/c8tVT41CvK2l9TSTRVUSipZrK6HM/RjmjrqlDn6cTPSjXXMY6y8gjPFWakGZu0a5ruR2N9NIZ/iTViJIGRy0tZZRT9KTlZEbeN6Pf3096Qv3xO4jGx/VkjTqOlGEmg1ZKQWEvHk2VEk9555795bB3M5hmA/ZmuLf44f+GcrrzS1uD3OaW5o27+5N+cbuEsx6nnEVzYq16mbNILblLSPs3MGa0snkR57htGo+o09iBW0SKGjCCXHaSnJ8im9I4lIsrf+WU+N08Lv7ltOXYs4FNY+dZFgbA8QPgDdjvBrJB+fBMwELo2teFNbAp3fbt6xL+PPxzwT72Y7C4S+u7ncEs+HgBV9wV4SpVxUA0eTqK+lYmMWDWM6Jez5t1QRPPKpf20DWdxjCpymcHfnOqMbgCJDQ2sr4vwmATXLhjI/vsjQWsj9Rc+ZTfIFeYxoKqZTiRMVRHVZi205UIt1bbCGDjvEZcSBZPLF4jVFVacStmwQC0UTVvEXn8klxJr5WNrx54FTeSz5/F7xsL8OhWSrjQuksCxsaoJfiYqyNNFcgZgqpXltRilarNlnzYGSEnjTFbPUZGX63Dzeqk7ALVGH1kjKyuEe6QBnljAVoVM2UbZJ5Ubw5X4LXienNcVLW57kqF3/bWRyOokk2Pz0EaMT2gLnhy48aTQfZM+JuHlizdJmcLzotYOsi6ocZOVP0qh9wTLs7tV/qS69rduIGYTerszTdRV/zJUPu+OGXeDKS3rIDTyCDrzS5ytvbjkkxvoh3JVSaYXEDucWXjig379m0AB0PhyQMHjpw8GQ+u5d//bsEqQOmSZUrIbiWuXpuGLWStV0QzrLHj+tXWBNGqiLc/Ys2VkFrRkV6zcGKf0nHJ9CGs+e5Fmzcvgh+80mczu6Bv316DB4fmbuP+TRHgT7Zeffbtm1U4rJRwcODM/YCHs4taF7ZctaREj9WN0JBWhSJ1/UB71Niz1GM/2zhv6fbtS+GJs6CpuLjfyJG0wDxFAJd8l3tva5Nr3SGZvo/qOaoHSX0/p9WBOlfK/7uiyv+3q/4vaJHd6Yh3ocvzF71s1/DpXPBG7LUun70Xgl3wrS6oZzs5g1uHLFwc3TPiU2hum+jmgjyjxcWz1RaFOr2g1FdCDm2R6mzYywTN67+bsGXCphkvfGALn2S7Jl46tR31+3cQAMPg265xtz0wrPTaudCpz1HHcCN8Ev4FLpUjd0S79WeUSN5v1m+X6oyjp0YT+uHqQrmk7nd6wK51YH6Sar2ZlWmU/YIsUqfNrySJZtkvN3PFsOb0R39vnFlzGpeAgzu+CMOlYN2OjeEqxCuVUuU6B+LXroEUQ4qHI9ntWrNTNOuDODmLC6qsdkotr2znOBxyyg2LhDOnqCf9227zVIZ2G/c/c+TPfz7y7H79bvC/sSNGjEVvzDhgDOgOn4L3wLXwGdAFjAzv2gdBEsgBWvgL/ARehAivochawKNOZ/Kx3JqMPq/oc3mw/Hh0wUwXXhH+RQ1jYg0Sg7i0FHlh/pJuHHb6yDotUOsG14kkjt9QX14/Z3bG3GGusjV3j2xtBp82wquj+1j93vmbwAfAA/9z94MPakJ5Q1b9aUAilzLiwUXvnEPy7dD26/PulLnsBwAuX75kkzQrVWRWEG9FzQoOI6sLVdPsBGlmcCS7JKOkGM0MsNxAU7M5BN5EetzSGiKTsx8OgzeF2n4JI3egrVXyycx45oHeJPJ6PYNv4VCrSfV9PFKNvoYjR7CvBobCI+ywELs2BMtD4ZeJF4JWisPIWryNGRooMJQUG/m0UaN8w4kDMhLTtv/IQPVIXXBAP3FAHEekO84K8Kudkf9nT4T4Hx35IpmZsi9iLVhxYEUXi+yLdOmCv1gV0t42wdIFfVNg/b9zRrjOHHZGzmWmoQU+NZ4/Qu0GbFd3DSSp7GqyamT7xGwms1rR5NQl+X3WNRrk77OuR4duGZ34K8Y1zAHZtsXLqH2tsnSsmCPpwo3VvUmL2NEQwVXRFRGbR7k5ZGZonnx3CDV9yP0hbW1ylTGkk+qJTpKrjtnpmgpEi2BA/TE8ctD1krWG+vGWE+4EJf4SyYSVbhEB4CdVKbKrVxtBXsgh1yNzhOBHIA/XTFNGlB1wW3DNNIFUxjcZxKgb0iROVKqnUd8rpoJa382hQEwNtTYyRFpHTaaek5zbJ5anw1rtMIuOiP2pnIKJskApBSNWKCKi2g6VCOmLtW4V00ouAaeaF0V/43kBCaRl+A2amPNIdy8Em5DuvjXO+hLxZTYwiv+I656BqJqEJvWNb5Gq8yays+sw2ESDAbVLKqma1aVLVRXoQQbnY4FStZTUoIdfJrPzkuGXID0xvCVRqUXPt8Je4O2WY+A4DMjeCcHpcYqT5J1oVCeS5OiPkVrKJk5nMIoas9nAigZdkGMjljLe/Xfa8b2ANPiDbwJMuxt0B5mg+/LGcAqY9R9w8T846iMb8/BTgW35lCd2c+SeUGdAL/Cq60GV2wbRS7pZsBkedcCjxOG70JJBfCiRnydkSvW4kRy4takIP7RcekCKaGOmA0y6pH/h/It/Sf5TLk4QLUUelAcvmlrkQ7F59p6OHJfDaxdYcP3iqVMXQ1+/997XF+cvXz4/vDi4bFnwkfXJYDyYAGaA21PWr09G1sVu+DSsT1rP3QK0wJ7esj8V6MOt8Ho6PyEd/k+yIHC1JoFUB2KZpehzH6TLEpgszN3OdNHqdDI6fMNUNZOoPrVOco/RkEpsTE6OF5ecdEuBTZfqlIeNFf8H2wALksGfDPDY1qeHeNOPrG14+0rz3avXLlmzxQX6At8itLL3LKwIlSaMf2jBjLuWXL3wLWw7Urft/oc3roRHEf0w9/YhWRlx7hoktdrkw7od3jWIFrvouwbrWc/eF3Zs3P1s/Y4afMvg8FsmdIKNYDD6zWdvWzdzvsbJbVi69iFu1uWK8vIKWAO/GXbTTcMYAPrgGnMIGyX+qRz+IbmF+Nh8H/bH8Od8dqh1Z1sbhSc74/+gu+eDlfinnIdBYAZo8qX4p0Din5EjyKRdooVRy/0awyf5bMDDfq070Yzlwx/JLoOFnsnTsWaHaMSrkCEouEVBiIl/0oiIHP8UcPgz/47ibmx4RWN49JHcLshZ2gJ/BO/edvlJsKp1JyzGSdDcyzuvTGHr5d1jvgzxy3km+ozCO8yv1oogu/4UJk79ChzPabvKb+K7/VbU06CKegq/GfUsUWyNEsXWcKtsjRLF1nArtoZbiXqWqCwNzEQ5Bd7ssX1zc/uOzfYWDJs9195zQcOCnvZ5dw4r8OTQL3I8BcPunCd9MXe2IZSSvg7ZGVwSh+yMdRnJoUl3HCjNBq/CQdmlB+6YFErOWIdtjCRsY6xLT6Ffw0HgVfI1pst8RD0TqbCF/LPsHKtFtFqZNK+YppV8E2MwNtqpTn7OysrDZ0ypOJLKEkU8kQv0E5k/S78bO2voK8OXP/jUPzsbyzZu6LJ32aA54xKHr64+D4R1q0ERbHUVj95e3HlU4Nab92VUdOnXz6xvMNhWb755k93V9cPaA4xypjCbRBVMBh7odEbEfUCQQp2O2FhnfZMLPPlRkwvezme3Qo5taebYVhjJYMA5kadIREoXiWM+H53lMFmGkc7gEBglr6ke+QQ9+E5MZ1zhgNhkHi/XiSyjQjA9TUyPPhbcsT2GFEj7UGd90/6A3z4ofcCM0QUFObmWwQkThj9ZONiSm+MrGH3nkPRBdn9gP58NR+UVPDPq5tSQK3NfzzIuBdTsy3SFUm8e9UxBHhyFR4KxJCN5X50PVqDSDEwFGq2F6D5vwIwDnDg7S07n9xdIUYFInFMQKion5bKwCT445GCodM1Ctici7yz44OsfT2Tk+BRpLyVgNXFmA7GUhKBOSXCjFlK7K4SyD9oOguwTSXv27Unis/EVQqjdfHyFUOvZKB5Q3UCnbrbdDXT1TeBIUxMcyhOGb2nGUsGodQxJ8o20rIqzKqpRHWet56aT1vBwkWok5zrJ+RTUUpmirYYR7fUBaXki3nUiLctV0SPnOFVV0b+Hc7hW9J4VCtF25UwwAeddKXlYmGvPUa5tUfK5lLymrgi11ZpmtP53ZkqQp5CQbDEwGYIf2ad6q6DNYbqJiSkpbkS/Cnr6t8JPdrvbVR2LPrpCz47gE55U3gFO2CQZTwLIXrVw0eqnHa4TLsfTqxctXDXmDi36WzsTHFu1clC/vuFN/QatXHVTPxdgQArIA/oT7LzwthPwGvwIftnGVI0LH2JvGVfF7SBHXQ6EGhvgmtABkhXVgEct5Q4iKtzByJyF58mMbVYtg/xcDqkBAyeoI7IZdmTS2OR4bCGsbGoGfFMTWAYO3bjRxoAbiA+WUR+Frms0jopmHEc/9dPJ9CS9Gyca2wQONW1oRAplJ55+vHApZ66lVmgmJ43qSnuysfHTmqZXGl5togmhUlIobgXhso7IjC9gp63QaKw5gk9H0diapoYDLzVNbIy02boF9sMV7AHzLGqXk2UGt6pnpusU9PxJtndj47HP4lHC13BrG7lFLc1oqbZgu+0YGmclakm6YQRZ4yYOB7EUSYmOx1KTSLKEjjWBqoPHjh1MgW+CPpVVVUge61995plXWQs8XFVZWSVHYnH7Junkv1W0aPC2W5TMREVi5V7kyOD16+BdoHvp7bdfSrl0aeKMGUiaYrrhlNmiMdjUgM3GIevYBMhJi8gBdXt5QcfR15qmKU8cPPgEeKcpPKh/f9VwsGJgM+GGGRMnzkAjwnr1IdSXFH31avFtozj6KijRV1nF/r7oa8WYXqx/NO4b/ni0Vy27rE+fIaNGhfpPYN+lCHCLwt+uf6xCGS+L95kIDjT66hYACbhqXXZOtNuj586PGSyKv+JEX6uafjg+h2DQ9ANrnDgR9Y9GvxEsghuf2Y0ozeBwGQxVVQ6vlLP8iHasIPIr14wk9apsTkR5pXCkR1U4Uoq+Mu3Cr57IUY+Y8pFr9zrBc/AW74vb4xWRrF11aP0DtIokwmKNdJ4cn7J3Gk1o2nEgNo6xEz8OWyrFYVnLfSd7zy7aNXndPjscAw4mN+5dvMbxp60gEfSA37qGFNfllD249tCaje43lKpZSpWYK2iFaFV29X+73o5UbQVRUk8oySj1lZCex/WVjBZWi5ZErQW9GFWBJRJTj+yaRddY8qsP8J86daoJTIV7XLYrTxxqmlh5kV96qKHhEAzic/tvs73Iuf1sNL3zsJdO6jsoUVrCTiRKawzSI7Qq3yImStszanXJUSXCzHvrAdOuJ3GU9qldhgfAidFDhoxGb8RgA658Ki8an/wAh+77y6tvP//826/+BWGzAlk4WMPh2CyyXw16n1v0+VwOLF4uQ9CRKToEibHssv0aic+W0IMGJD5L9uu1FjYSoF3h69TVW5QxfphvZ/3p4+BM0z39B2ZaC7KHzb4NrMHbiuOnTdOEsjKHd++WumPTjqfRyjLbkZ1y86AJXdgCEBg3ZvjNeK5wdQU0V5mMP5Dq8Yoea5DOlc+SjuYNTxmeMUouh3q+ZF0XM2PKFYPxZu6NM/MMtZPHxszfp9e/spqOOXQrV7EDpImUcvO7kfUU127Tm0ROiukK7Wu3qWO6oM/p09j/JFdVPX0I/DsE/3cITkAtdkfrzWZkFY/FMd3+FWL/fmL/EdTNGjnSNwy7WSPS8dSM+H1u1m/5WR7MUqQeckd+Fglx4odysSmDppg4Wt0rnGnTB+XmDpqe5qwYNmeBsXxg3cBy44I5w1Rf7Do9foqxbBD9Akd0l/UfoqGO1jISz63Lzrdim9KWl11H4rnLqKulGdL/7sw0ZCAY9VMn1+XkWbH5iYHunEqqfFAadUbSkxjrOfjSRF+GtOaf9FPN/Lu8B3Uot2PvYUXj2Gn5v+Y8wHJg1I2ZQfwHBddsEsd1ynFcgcRxDSosY2xvOY5L7O91jdtkC5waTcQKxydpkO2MT9LosOWkswR5FmiRU8fKTh3Wv8BOw6jYRJ7xOfJbfJ/DGaiRj3hv62muW8u3ME/Vkg1jabEE9ZzA6YCOnEMQgWRu2x3lsuPuK6GtEqHKsn8IvJHGQQL8punQIbPcgfkQ3kAm0oJosYbQIjvg5rXAgk//IGzlCLBcV0YVAcZnWpzUI1Wfa7n2j8ZZUQdb4AFCGHy4Be/MU5qTeDa1cs226TajaIvYugXIcnO0s3el6K9s8yLKR6xeifbLFP9W04zWoF8iaxC2s/EaFBWD+SGyV0hOipxSVYAgsdtjsvcRqdLioHlyVi+OIwgmMaoutLK/GanYQupo5uZyeI31qGq2zFpmARcsy2ah3zDDsqxd7RZu89Z167aGC/HP6PMs5+KfZ8FZBQjLIrLDmItXf5M5OUlMZoRMkqapRlLK6sq149MeqjifFHjMKpGCH0j92tjNsPU/4M1/ntu27rGnm7//0/IVC2bP+MNccfpl1zeABR+BH/72zIqdLgsfOtjYHFp999K1oTm3j5sKT8DO5BIM5eR5AT55zmWmp+n0pkQd47GKHkS7nHYnz0uK+7GlpUrMBS9k+LY9ZAJoBHWR7drwT4Or5+SdLen70PODF4+ylM8fjOwia/mEGfnwemmPTdsn11Un3Pov1+4tt9UMzNb7zV2KBw4BmmMa7snHx8zslW4caAnkDeudmPxyeopSU5LwxU+MElFDK9t4ZmCgU/+A2H+UsWepgR+ROSJ9tJiZnu4ehVX9KEMwgw126Sp2wcpekE3e/8uIGlJxHHr9qq6XY2pKUC1+VM3Yc0CZJqQpG9DT2D6yhr9swF91EFtDKp+b3/qANT+7g+iapO6teTlSfG0M0k45aHa7qOJrqSSPMJWpTnWLqdqI4UvtE6DKJlSnE6qyCZV0wlR4/tnayu3VGx+btmvSXQnnXt/0ZNlTxYmemUtKgeHH/WtTqxvmLf0GFr+wfWj/BxZPXtLnNd2cOeOX2Yx/05p1/9y79dE0rV0z4cDylW/VyCcgicc9kok6QcziOJkg6K5GnRul/0rO/UkRMcQNncm999KShtc3UiZPHRJrVyvv/1dETNPc+vCvRcQQltOQLrtZisjgfRYB2f2Gdvss08BskAlmN8NLDniJBHwWt26QNSHxaDyEPlLFNfTZzdBzsNSPT2DY9gdcsXqOPdDaWNv+ECvW1Dr+zBySp1WDaI091gzkQ7o8hqDLjE/UJiQn2xm9mCq7K9KxhTinal04WEPPqmVlks5H/THY1L1bt+4NUyc3vWF0+NYvK7DZprue24v3yEaOHT2Z/TicUlfHftlyVti5b9+Y2xAWt6BxIZOByWYKAolJCWKSR0yScUlJT/dFDvjKmBR0jItMBwmf7ip81jSu+DWMJNJQrOjtBzPJipyEYxKCxyB6GIQRY5NVpnLjQ57sesRk37MrPvuJbXKkvXDfK+/Aiys2rr/n3k2u5hPsNuia/ad/H3vzzJFFc+6YN188S2IUUn925MHinZAEk5jA4OqIqEuHevGQ+yQJY/F6feqdZvY6eNeR9HjNX45c+mDe3Qv+KM5H/YKmULuOJY+LVJ9MQzokQc+LyE43J4pmbVDLBAWDeulSZxBhLajyuNSHDjht3W7DA2+99YBxN/a43pB8LRd2r5AUbfz5nOxwHVGcLeJt4d27B5Av0w2vn1ohuRNaP+1o8PZqpYRQZP3MzCanuHGZDrRi0U08pMq9aZzbxUSfgTgDW488dNe87FmPPVkGhhvgYwPmBkpv6zLh2c1j4fUPV96/fdHSzVtdVz586d0Ub+KYKV1nLexpY5FLw1m6+Lv3TDMl9L3zL2u/gfDIwfs27ahbf39d7LmG2HMG8rkB/BmfG0Cjk/dgOSUSzAYZjZwDa6f6Qc/65G3Y8LvwC3Yk/ELaiMU7uXHy9qWbutDn59pn/f7/3fX+KoWdlwK/AhkJ4S0J6l3vPuDNlmPgTdgnzk49xnc7+VxJPitUA2+Qz7FZy1LWOfo8geA/k45XOr2Kz4vwokYDdHpRpwsqx1Nk/J34GLD0nsl90xrkitH7G5xwFN6J3jtCodhMaDXNwKMKzkp+s+o2NNy/neO1IlqZyIVoeuVCNHwenJ5Exl37AL4VDbwCh3BrwpvAAVjB1h1mE1kNQqEl/PXh2Bzp2LwTnC9M85YRTrvp55j84ZFS5iPOynJYDQbeCHQiskYxYnKqp3zaDHvY5IpFmxf96EkvWbSDn+CExvONnzXC8aBPD/AV2yv8NjxbxG1vndMDdCKfknrAt5S+8FkotEpoXThPzpaQYOQ4nLguZ1jiqH+RXdrR8cs3J2vdfrevpCf94HXPvgq/x9x041M4rxlfmnzlqL0X+ImtD1dBodB19OgY8D9wGdpgUtVRNPto3HLeAs6QyAu4zQK+e1pvYnlWb8SXY8t5DAV+ZPBJ93KQdZbzcfgUcw76/TPoiQSq5+n+cEd/WDaxaR64sh5krMeCBSbC/bwNn1w+FS5jG5Gckj5HSjkZeQEvjlhoGDPeKDdbRTNOOVYOKfnlm0CUm7fRm5zjno2E40tyvjCl5QXUIz6bVBWC40K0M7mfbKkfRFe652QWWJZ2o4sMzK/0Etl9Ir2MbQSBxkZ4PPwF6QJnM91YgDOZonvRSb3gVQWLD+1Ar2ToFkn1f3y0ppYb6XU6ipqvv2Z3fPttyzXUPMI8FGq5LA8AzY2iWYyIC1MDDmlCbESzmFS3lav0Cm5VKufGHoNVoB7UtzyOZyR85syZiE7Jxn20bo/cnk3GsYPcSEjiSTrAI43AcUazaFRyBHGWpnwPJD4xCAiV2Afg35uPOt5shn9rPYC6YgG3iaRfLYBMNJ0oj6cy3QPJyaliMhukvG62UW7HyV8ysxNeJ4YInpcSb4TfSym/4xF6KRULL8HreKCXm+CBujNnjoRvR1gcBY7e4EeJ8d3g6Cs3g+8J5ydPfEXCSp1Hy6b9Sh6tchMl2ykKSnUTJa6kABdiTcwk49ogJi+XJHKMDqlPx3QyqKSTJDYu2839WEeJ38Vq8V3SJIqbxyHb2V7XuOmdNYGTm9cDX0ZCY0JGy02P3YYYjzFv+BDoas/CJffDQT3G9IKDwf7sfoVgSV6hDpbL99yvQ34K4hRsZZjwsSdD0CAEhWQ5Rm9T3WYTdbe9Fxd7k6voROrM/SjfV7QNHjQlxa80R2oaxd5dU4d8Juynu5lOTG7AY0sWbcag3pCVKWZl2TiPyLGk5l6F5EiQElUxnjqNLzuxg+6PdtrrFF+9MbjB5Lp8+YrissNizT3EXX/caeFfe6axedbU8BrhEHXVFc8dz1U2wnABP5LxYMvT4hQtFrvHErQLQb1WVQkMYNeNRU5MaRrr8Gbb/TYNvjA+TaPx9rpj9NJpq8bkacD+pvAGjQYWz/ju/g9A/okH+/510OP/gl803slxrYVTV1+YFrG86pAf0AXpIrdOm5gnJjJ21LPNAoKML3r/RMrSoEV0pDvbvVq5Nh11HaPsr0lbPlz03N5N937x7+aGWfc+s7B6cs3D781bfPbBxVsfWTb/ga2uu/657uk39J5u62ftee6Peyv7Duw1NL1TzWt1D3646MgzDyzd/uTqNXWYLvsRnkmIi9JwFpWGdzhxFpXeImKyJERFgWiExV6cU5JdgiSToOd2abT4Xjs5ghFE9n4RvARCIHl5/40vXwNPJWTAJdeW7Q2UVr7nAl1OdXYNPgHYXi+WLqu1vbh1Ra79NU8SwuIwzOB7kf0RXNHYiFkZGcoeUVBfFIKphTNC8+glaEyJDeAiZ26eITEUfKt927TGYTchS/gcGwy/zY2ED8NX3nvtgcdhRkOvBUVlwNIK3gOB5KNHv4ZrXnv6r48/AP9HPGHEG7QCdmrAbsBcYY1TxPn31sBuWcWvkG/WkOJs5JwxjrOxvx5Ku9KMg2nNV5Ys1YPr+qVLli7RQ51+iQtMBCvRC62scCV67edbP/juuw9ajp39/nucabGKxPJwPFWq/o7wNsav/i4VXW99bjdsYpkR945elDBqMy489+Xh8KIVQVJnXcqw2IAoYqG5daIOeS4GM0dj3iZlr6q7t1w5/4FL9XgBshJAfZPHOmYoeOQx+CqY9V8I3+GzW9fPa5wIwnfD2eEPwRpI9vNvwtVO0ZxjzvOkpyYnAY3BYxc9xqBBIxpAZD9KCs/myccqijxeIBU1xUqD03q03E3gxcTkm3slZyX4S1fu6gzY5Fv7kg+r6rq8mJSef4FPGzdthO6oqWZ76zLyx8Kd7BLd6mD4fhoHKCa61ItjIXrOKYhuu9MYlHSqEWilmqHS0XQ5dy62HBz2kJ27VPXgOh/eU+BEqkfgw4vmL9+4hx3dugEXIrtwIYwrAjACqU6F6ZwYsBiRrRLE06dVxo59GB/Xjc0r9Ti8Tnoj9p/ybp4/cenOvf7pJpD5OVwJ1q37d23mX8vhL41wjVS1ajOSp0JE2074/rXMLDHTihrGe1kexo4DWgy+60xmkKKIUsbyLWugUiJcWbzb5tNqebfLR0RMI0W32Fmw59HmkwdWroRN3IZP4Vh2nGU/DIDe05C4vTXitmnDbnKBsbuPZTisj21asDrBffSo9b/w5xCf8u0BLHc3N6SO71VUFie7ZyL6jO+LICe87AZc6lfweKJzcahV7JNsq6jahnj7m63nbW93H2NJdSbk9Ov+0OobOFMn/PGYITx/VKvZ/SxbSDIl5Wq1FiYB31yvd4tmvTHIW3GRXalGLL2XCJ9AyIgUhyXnDHzI6Kr/+Txo+vr9mlqDCzBL1wHTVdRipy+uh09FysI+uZWUhaU5LNJNhmhVQHrObnaJNhwTSBK10XqOVgYglM4jJ2JiLmX002Klr0ybMWfhhPM/Rd3LuGvLxFWb65HGS5lUeifX7nJG9vFNq16RqrQfJrGRVJxHphMSYsIikrVQ7PDj8pFxlqBbP/7hh4/ZKXB1/zt61/xzw7y77543fxkN+4eBO5RgEPfe/tC5paFjB/c+99zeg8cYSVN1I/kNpE+qqszRfVJd5Y7VVtxBOFalr86EQrBYUliA0ZCIPM7dQO06dAK5ZCRyZ56fcDanxKedUmTLxq6Ec0BRv0VP7L4XHD/e5AKHQGBURWj543Dz5cvsxvAieAvS4ePgUH4ikiZ64jUH2TfkxKsgarRBeuwVec1KvTxq+QMnPu/K+Tl83tXptOXZewLkLArgey+8GRzyNHnAIXiz99S334Zrv/0WDgX1ncF1cL0zqIdVnaEO6jrDKu4EuLlbmO0GboZ/7cbCbpiC5QiXanJnRE7Am25JA3YLb0hyi0nWoE0gmlMbUZsViHcBp9KbTqRBnGrdyY0DO/dkT+xPdOWah0uDQHMZVu3OmXwT+Zd1O8tnX4eT2dNgz5RRSGku2gw/Zj1hH/zj1JHo4z3bgSn8C9lrG8oPRhTC58wceiZo4YUgdZ+NiuakayimC/GbEWkkv9kJfrLC2Sfetx63vn8CzrYiYvylK7jCOsLfw7e6a4pvvNsd9CafTF3heNwbmu1eaLZ92O62WBiPB3WHrBYxOVK0Ezt4cSKayh/KnbHT7l5Bw5n4R9Oq5bPn2HX2oBLMnDQXXIGmuZPGjsSf9z6398UX92IPYZWc58wGSIaf5lOye4UmOFLtapWc50xhNGfeoF4EBorkikyNaUl7hmFsAT3HArcChytEauRKv+xI2iOtJ+FxqHokMKRHqfInS3vEQJEeMdRQVUtaj9xjkk7do5LLzQ5W9RhdGYzMBYGpVGOV6VFhNVLZfyijMLQifZpR1Q6xQwlMHwpDc+LT9VG3chTTPF+2H4Vpd58ItuUW8nci+fDgSAO2XISg26DlAM8zeBW3VkcyJRztrBen4prlqayY0C+ZyU0OzzH4lsqQmQv/1vnWPvAm8Ki/IuUyXIRtvQWSza9lrMgnRH6Gx8bwJuK861SmdHnEe8+RvXhVrRm2CqaAL8GX6KcF/gh/BB585VLF+PGKM39E9uLBqvEV+N6lCiwVB6TqEgYkFU4NL2LtyokCH9ThpcUkmS80muSza0pycILIATADX+jXBPoc5fkFJxa3dDuKqbgCtTWU+HOpaF00C6LBrAk6AI5b04ak6jX+kmympFi5otDuYjRosTgIhoFB/4e6Nw+MqsgWxm9V3d6y9po9IZ3O0pCwJYQY1jbsEBbZjICACJi+IEJAWVWEsEUWRYgMIIOAgMggKqJGjAiKeQwyChn0+RjGlXGUQccVk76Vr07de7tvZ0Hn/X7fHx/hdjq3qk6dOnXqnFPbOd/fdrRv1QD6KDpJv6X/xNM/OY7WX/hx8oh1dy+iYz+i819J4zU9yDl2t+AVMnzOhBSXFOPJiBWFxBQD9+EdHXRnoC3St+a3QznGHppMihjPeWVQYu8/3L/90Md16QlfX7jvntLnSqsmfb/1VP2+yideot84k+LetGUvm7toxYr0J++9/a7S0nXlU575w/I3PK6kN7bXQghnYXDQr04q97IgCSQy0hQVVWESlbM/nZU7ao4i8KUEbMQvqA0m754/gD48u3r1WdSHkMbAi2RXYNpRegr10c6zDWRQU2B/MSY+SnLGi/GiAOfrRF2blaNFQS/SBYroYtN0k8fBtCNRWyzi0Ze/v7Ri0bon6KU19891YiqfdfZc0PPKZRpw/s+79y3d8ShKL8Ff1NC9CbbrV79oUOML9zJsZtKaz/pSY5KkCCZGTWYJGubUYaD6blBv9cSLre2OWLH0HQ2gp9ABp7wadmZqzn5/5f6HVz24fD0c6zN0QU+ig67aZPnz+xZfvfBF4NUdG5aueqySXlNP467QPGYQwYAlA8MgSh2h4A2Un+RG6E10QP7ovGinCeJ5eg5937BAN94ShSyhq5DpizM6HSYxKU9KEqLTJcaxQrauLbnB3fjQHFu3/qCPZOEI2+r4h/zMH1Y/9s+L9V9tWrVtn/yPOYsWzbl38eJ7H9mw4RH2OD88venVdrFpex587o03nlu2p11s+iubTn9Ipt0zsXzu3PKJ98jjGZutXr1o7jJO+waOs0r7eJOTWZsmvjtkqAgO1NBJrvicTJvHqDrYLcgXbC6rQBRGAOxuOPESheY//P07JNK7hy2vol8tWrHOWJuMUxWC089pYxcq0dvxC49VIieQP1xawU2hNJ/dGeGIFAUxWhJt3Hhy6E8xaIKKR9FIR2yekIPiNFElx8SiT27dDWePUUwkzekXFFX4/Yem4sGnGk/ghHkT5df/2NSEzE3XyBK8AJvwakEI1LM34xk6k/Bs9mYNe3OFvend1EQm4AfZm7Xszd/Ym1FN35CReD57wyZsgYvsDdOWZBqW2JsqtdQoBlnCU9ibR9U8/dmbubzUevXNNFZqJS+1QS0FeWbhCvZmY7DUd6wUvNnE3lz4fxVnkkCWwJ4M4AwYkwwyybCR/b2G/92b/T2Bp/Mbn2gUyz+S/833T5CPpU+D/RHAlacnEon//Sj/uz/7ey7Pv57/PY3l5/tQgKWaPsvwR/b3RvXvNDX/Jti90/D733hgK9l4+PDGDc89t6Hn4ME9ew8eTBJe2rL5+cNbt7y0d+KQwePHDx4CJzm0FjONyHSxmdmNBPlFphMNRqydGi7gN4xtpsIikN5o/Lu1tTv3kowNqG/BrkLq3sCgqHRiI5bNLZBNkAw2f6RBiiTBuQUqzAQlGNRCJqYD0XjUfubQUSV5q0fev+FHFEMynipfdmenKrfn3jt2roxeD/ipFBcyYU6R1i46yiRIUSbwhGeP9kOUF6Kteyk3ppAxGEtBVX66SjU5hjvcOie3fbvbClY/7Iu4a/zcu0a48uf1XbpqdL9hE/9AElFM9GZjbN9uC0yehK6pW60xg/p1GxaTEFna587pgJPa64pnocgoSTBHSkQ0mlU/SvnFihUPGq9A0XguTyHy4eH7ilbtHDBgJ1kvov+hf0IL6Pr1kqS0kvMNxAL2uaJJhFGQIox+J5vYO/0xNikGhzbCi5U+L3DyJqqazqTZRRMefvTN0nFTb+m03II+oJ8YOnWZt2wjSZw5KX9gvxT0wPrymDvHlc9nnKVypuDk+/4OlyAluvyxiVKkOdYPSo6oa3oaj4FGYPNMl065QfUuJ75r7dbPG817N5tjJ5VMuWfDmunTy0ni8gdcbx6zbBAnTevQadodM+auGDF0+DBoqToClNtDIhb8oM+U5kHLHIxUNjfBHde+shO7j5IM9PedKEeuFog2VmDNQ8iBtYF0QcpM99uNCZlSSoI/KkWKUnlBWadRRkaRXoupSkxB3KE14PYVj0t33XHX2iVL17Jf0uMr+/UrKRk7dgxJvKus3+jIyNLeQ0aNGtK7NDJydL+yu9Djvr59ffTLsbfdNpbTMU1PRzaAzMhvcJmBnDGJUgzRlkhy1dUKnaKCI15BdNDmEA1XrNvyeWF5+XSStsFwxxSFgoyiJ15EU4YPGzEULKTJKF+cJMLMO+ZlhAXYPVCUoSMHxddMInsmofy1eNsK0GKjm5rEcj7GY4QMoafP40yS3E6/NdYtRUXGREdGG2PtFWFj3xoc+4qHKu3ktkMnB1g9rQ3q0Vw80GmAAjU3H+BBoUGNgF2guPmIZ9gye2eSim2q0NeXZYt3SY6keCk2OUnDN/n34JufW9wS4/BBqUdWrg8N0BCecoDjeSR8xBJhMscS5JJXKBIG+Drkde0sdezWVWpf2E3KykkotFc0l1ZOJq5cCTYNVUViKXv4Cq6/S3a10grU4ybijP7YvHE3lW80nrd3e3h7DYyHromL1V7JFjoJ3aHNuclSTq7f5S7IkToX+GM7B9nJ8Zvdo43SZv1Dfueg1XfcL22N3xbclv2bA5q1tJS3VOlZH5vfjBLG+AoGFEq3DvB37jn8VmnIcH/7IZI3JzsrJyuhveN3drOtWbt/V1+T/4AiKPsmTHDjpnS6OUNE/07SaZRbz3ezC4XewgBhuK9Ljw5S9x7+zC4l3aU+Jf60PlJqSnJSSlJMmqMiWmyh6Kw6RdeSZm3qvf+EddD41nQk/ezmJGqmQWns76bKZJUqcGLBI+QKBUJvX5Y3Qcr0+u1pXTKlvC7+qDwpMsJijjAbohwVBJu4UlRI0QoVVB35H7W5vaJP6Tc3HzCqtv3dwwWht5uu4WvIydoW9TIEzOYTIm0OqS3WqPGwnVoEbFZuMy3FZwXKJGnES3CRQNDCH6PNo75axBJflEeABczhhyKlRtklRiLGNUZTaxYwaa1aLdA5sWp/Bi4HMcEcE6WGWLBJYqKkmCD8zs3g85MdGlwaYJiGgDb24jg3NQndWY8vQU6cg7fRCtYI9hs8xDCrfpsQbJOB2TSsRtamCOIXIyTRUYGswTYRJSZUsN6fje9HTNaiuteR84F8mqlrw9t0Y7ANsL8Z5Ye+iPELISrlqwcIGEziKHDgMpUyucaTEeItGpEaxgNsNgeH89BxTArGM57N9sU7icEuxqYJ/oQ0KcFRERlrlqJiQzKOR31Ghd2KQotNmYpFYHS5whry47490ydNPu6rGojIk6c/vLI81KqpZ8pnrBs2ZvKITXcveuHpv20ac/9oXSMZTttpJb9TAOMox5eQHpUqxSYl2OIMTrfApkVO3mi1xfk2ZTlM324Hj9LZvbCwgCOmbYmJeLxKi2RA6O19e2ZM5BhSWUeY0hd3X9nIUGJYTq9SsWQztrdxPr7G5rQm6Fs8kHF2F7SLLCfXWU9EvGRm5qCgMhFg0F1ztYjLRq8eNWr1aP6Jdmnf4BOsuzkIi33EbXxVzYGiYnBkBDEbRAvTrYLfuJrPMjjJcxxZRQbGLFnxBoeJoAX7Zbp3KCpN+igJlQ6le+X9nyG8HonTz21BEq3ecm46DaxHxYxHj7PZcQPjwRz8FP2ecaUJPwWXohmVF6kresnMzi7ypSbBtmKKg8Sa2kVKdmM7wn6EGAuuSAieSlLu9ymxtwv4vm9BG/7lwcM/ePOnzTzJh7zxd1T97Ld0Gq/5zQf6TDemi6XG97n04HFOtGOY08lXxvSjRyFPeVOJONU4lOWJPAabT2uFvnAhAxWgcpJZH7hcazLfuBGWL+plnk+VYCwjWR+4XE8y1ZwooukWctU4Vokgb4uVTDa/ySKZqoJnCJT7vTrf+eQ4fZ3+Idw7vrMO/R29HPJ+v4c+dAzwPcug79egKzHjIEp8EHp8ESxtWQVwTqJUdJbBRIg2MZhd0EA0k26nNXXH0Ao0GZWhZcdoDr2NDqNuhrnQ1IF8YZzAtLLH58zKjoyQIiNdQmfJJfhdKZKrqtkJFj5a+EWNQsUNijJ+Q7urIRMldDWH9Nj7Er5tdvuce0fjl/b2HOFO8NyaMmiY8X6//37jsEEpt3oS3CMunX5+7L6yW/om7srwdZq0e+yzr0RaDhkME0bfvuv2u+/FGXjelIm7xky82ygeskQCVc4zzF/UMLdZc/Ok3Fy3YJLcgt/NZjEtMQ8tfocWMZuvgPO7N64Mo9oUtKjHyNawHQktGjM7p/3s2/BLlxiiovHuiWN2TZwyjyF6790M5dETDAaG6CvPjt09qZMvY1di31vK9o19/jTMdBcwzK8apyneiQSDBLwlSmhdkFu0k5sLcAUdjw5dMt1S29C/lnNCB9IrWFKJ8i5KhmDJ+ELuZcN2Fu2i03DFpVrDidobdUCtv7Gpyd+4rREHHpGwQQydzFUOKSK4J+hC+Hv5G+z6Bj7wG3b8htzPLvcDCBcZhIsaBCNiEIjJrvoEsymHTBQIF8Gx2zfwEQLA5Mp0XC6WkgxsJF5+gjj4N36Bn1wYyP6WSEZwtK1URhuMXXCLUV7Ddzy8LNfa1nN5xak8F4Ot5mKwj3HY05tGiaX8/LYy4s3KiFfEwlEmFQAfeTTkwSaSKwiNXzAJvpOWklKBMgn+BntTwfLU0lIxm9kmOezNx40VTDa+0ZTBU+rwx9zfbQ4+0ZTBpeYJ4WPezlqWks1T3oA3ShnACu3HH5Px/Cx51Mtsoo6tSlsQYrbOfhSzpxp/zA0HhHaynKWt5HS4WVo1SqLfq1kZ1utZ3l4s7yD8hviRIJxkUxU47ygMFXuRj/juWgdfIrIYY6INEdgcaY6MIqJkjuX+APyEycvc/AK4Y8O5Iov1qcvgMhjU32IvmoC+ovUoT76hfRuKlm9Ey69+ZP/oavAbq3EBq3G6WqPXlxDFGNUUG4FJZIzRbIDDvmbGvdEGvjgR3KPKKoQfxkTqb7wM5bE6vgpYld9DeTV0+Ua6XPsG/XtNGEr287pSfFZkNGA4jcvbw1gKmpQb1hqyXx6Ia2gHdEnB/fJn9s9AijMob2tQTJgYRUNojOmgaDhGoEu0A64ZCsUvAyaM+kkkilTz3n676Rbe228L53hvf0ai8Fm1D4EHtT5kOhr97PzKyZKXy8tZXwXKcTnZxnncJFhfEVjtyLBS0agKp8MJj0Uk/cb7rAzjeBgZ5JdXdaXAA0o0slgMgpmfsOajRI30EgKhgvkxnUShoSRdAcWAoV9eFeaSk4YEwcHPa9gki9Vvd1jMyhqWxSxZVqonrNS4c0WFfQg/8VTYieQw0hgPXFzS1/HT7Igtzn7LPthDauZ+N2hcng3lncjDMbnjh3wnf72E0SRQTs+SKC1OhcEkGVZVwFGllUHbVA19ivs3ZBou17Hcu2rI7htmXvb/O45L+9obUgxfaDheHTqhU3MccZAWJmb3dPKlGhISJdGW4BdYFchq8ScDoyQZIf4przC+ODcYGruoEMEP4+ZmVcPhGFJzo56T6cYVU0aQTGiSHU2AquWvvus/tpNDQafD7Qo6Squ3MWwssM5pNEjE6LcwgWDxm8xBykF7ocVZEIaO1e5CZFtgXmAKeYo8IT+Aq+Zi4SAWvqP77XSf1sJtvIU2aCGJiZbESDZFsJklU4TNj4zWWAM2gmnQooV8RLEfg76qgaQGqgmcC6xs+MCQSx5RKk1YguOUSr9DP59AP6sIsDbhTPIVuaCcX7ULUpzdb4iWDJaIOG7nWNULSeqcrhNm81bgXaay0zC/RFsAk7r3ey5ctLDnzMaPyYKSC8XzK+YXd+l2djPO7DWq16S0mm0lZSV33Z4/8Lk3YIT56Fl8gvEdEYohJl77DvyeaqJYICWK/sR0KbGqAqaeq/S3zPj6OuPFrP+VDYR+rAtkXPhKM4O+unDnY+6EvvPzFz2kGBYPLcqf3zeh24P0rOnGDfPUz84NWDNYNYaGVQ5450NuDC2ZM2jFINUYGrqi/8KVijFEAiXMLtjGbCGIAjdGKPMVDB04sEeXgoIeRdKQQYN6opKSnn2kUQmJI8WePdhP93597RX53a0V5lipvdnfPkNqXxU6PMetdi6PFYEREhwFDrdTO23+e4yp1sJ4aeG7WNeBndU9Tf4Xemlv22YWwiNbmQygrvApd8SeNPkty+gZmV7/bai8YEa350/f1Bor8ndvO+aWtzh1WkJPxh/ybMYfGzl/RMJNEtEigRQ1g6UVxhcqR2j22pm6hitklLwEr1a6cY4p5WhDfzbnIIG+vIemgb9SIUcY5st1xMbmREkZcTkoLS2L2avxWTnsJ7pdsr3CFm2tIEYpgkgRpqCZHz6fgv7QPGQ5FJuPP60RPBQj7U55IzpEx+MK9PdWaCr/Gb2YRrvgaepESz4F5qN8qm2CsZH0Ee7CtE6Ztr4QJfBQVEZ/dEiG6yb5WUzjyLO1ef0esRR30abx3bnlJu9uuoanIifTn9vAWRjTn9uaFoAd9euPTdfQJCXlRheWAjlGKTnoXHAR9Ms1NIdsE1P46kmy4hlWjLNKEXFxKDVFSkWgdSsBLet59TYaLE2wftNh6NZ9N7A0GmVY/+NXKsb4be0LM8bItJoaej5sHYn9PsWaQW54hUsMk2Owl8Xw6OxLMSc5pZikJEEkEmZ2EEPEBBupSMJrQhJbw0kTqllt4EW2NW4UKwL7yKSfMrUVrIPql0uo6iyqukx/ttOfZzdHjtF3EZvdZxt2c+od49T7Y5MVLOPARzrqwf0pa4QoRSDQa80Ix/qUNKOagVvSgV/rta79ngTC6cPoovWueAurfbvau9v1vaukqL27Xe3d7bx3jb9cE3Yz/K7x9T7o3VyhCM5nZ+flS+kpeX7o4UTBHiUZE+1+iJBdqd09YEirZ4Jv0s/AB4Y20m8sb63/Gxa0xhnk7eZEBzJE1dS04BTGsYGPgm2K5ZyS5Yt3JklWpx/IHm0U+Ehi40lpC5C/+YhqDffQCNsoTm3cLU4N9ksIuyoFq/0hbAjH5hTHBnAp9GXExtgdDJ8oJyDhiJbsDonhZDP6mbllt0r2NZoc1O2y65f0NPOnVdxqSLfAOXHyr4da4CbbL6MIO4q4TB84S316DD8J0gsw7OpLZ+jEMnRipRirpGDqYORySDY7XD7Qja2WsgipoywMuwUqMoarjXvEyYFzpNuvl1vBTzfI6HXd6FpLS/EizsU7Gn8GrsU71gelmrKmpvL9Uwrf36hjKWuVlF9EzvdPNU7nJbftBCtXbNpJAobvuJXrijYZJRtmsxosWYkpysSsPs4ZBdbz2slpg4PpAf4UgJNm/siBr+U04nsq4BF7fnP2G/xD4PmnyPXGY19PRxdqUI8aVE/zauiZGn5G+pexao3JcOIgMtofEcnUkFIpYfWbuGA/w5jxjBozstBdpD5KnSb1IY3ntjdcN9w3ryHd2Hver6NNkTvO7hAvNrw/z/B0A55nvO/Xbtuno/yaT9gP6kbP8S/0PKNK4DKnCkipPwZ8GjVafb+dvy9hUm228r5xvyrVxoNOCMSxlG18tTpVcAsdGVe77QbiFM1ewZ/hlTIcFeluKT01NUFKtYatXfdVRtvNF7BR9+5F6g1vPRfNab6UjfbEZ5hIZcBIGhp63WxZGx1pPzO3hqaz0Tk+xFeNAYRFUdzG2re3cSNv994zrN2/lMJ7w9tCNvwNqT9f4a3f2zgB5UE5poeuMz0ULEc67hLgfVOJmG0cqoN34AyMr/KmW8gF41jBK+Tx+KIdPelSvMcfnyjFV1V0yc21OKxWS5TUtUMHcw5CZoNkMVvMItgrgmhX6GZvPboov3HSWuRXu1CgWxZlX4hishi6FTHuzaZ7WovgOqcPKqW6hdMuAfpyXzo2jS7mtguJNtM/pqHlllYisMagjNDqKspAMYo5c2TiGLrtDqDBWHVFNGhL9+wmJfX0J7mlpKqKEQMGmEt4y4cPHKhSY3CH3DEiEMISTom27OibEOP3zSWUPYtClU75wIPEzaZFdGMrtMLDUZtrrj2ZeS0vDFItN3PGaIv8TBpeKt7m97akXXd/0U1XZU8/321GgULOh1KLvXRbYc8Ehas6kFNB23ekr1NykhSX7IcbVesqPDl+j4UZw4yQmenp5jSMfy9b5d6EkKH776r9a3O3zkn7lCVWeSNN1+iAqtEHdHjL5uM+sAqL+4TsXyZ5ylkDMV/veabxO8VeEeKEY5DCJA/mkl1JMeKn4hRqXCOnmETKF7oLJcJU3y0pnqwk0ds73V/UWypyVMR7pXhbRcfu3S25DoUunQoKzF1/P12CtOGiqzXyaEe1QIR5QqKNzar5rIFTTCfPWqXcS5H//HPdZb4pJk2d/wi9H9JUCoqpmoxrQcTjZw7vvPqYslvm3zRo+ANzKvm0AkgaqAjqepWy28Io+wxfURODKclBjmqfEhfn8VhSVYJlxcczVspMSvo9RAsnHPdOcZM4yFzWA31gbtAaXZQ/0Ah8o6GAEwO/gm+0pIMymSILjh6lu9hU6xrsTGHGG6PISdYy0FX9fJmu9PQIp9XKNHBCu3amRISY/o0wRZh4a5JFwc8blFvQBhv8RkRn3g66pc34zeK9DZE3j9Z8lMdmZn3VhekTkeuTA411mn5ivM7ek+18B83EZ9I2MCaMRpNkrOQT6bVBu1bZVkOgTdkT6MI34vCRCWRjY/4EcQHfaBPTFaNVEAy/LGeQtwUhxyqrgLHMQI2JsPtNrBpjhL6K4IKVVktBoVIT/P5leai2XaL150pWIfsdrFOple8/8BZdZ/VGwl1XgiMi2dwoEknQrjUVosVkkExrdTM6bhPzZUDkgWV9Vxd8IjBGfqee1bhNnHyJG7rzG5HJTA/TbmeBltNYDedUWjZwvj/QNBtsxV8+ZimHlZSmUm4rHvilQsnROAfWmHl08G3GT5QzlGRVhRFmbiqPQBQU7rHD9curhvV1hvVHjxo/+TX9KF9LhXJ8f0RZm7arO52MOIFyUxdlhwS9TaxwlkDZ0SaZ7I16QgIzO1eAE1K76UlxjvEck4BJfGx2YPZWamRUTqJbSktMFFJRgmQgCFd4hQzJNdWh7BODp4fc85yJYS9AjTfCMI3TOziAuyHg4SmrW46tu4F/yWbfuu9G06peefeFvReufnK+W9X27aj74cP0LPu9feOKRzYZ1iMffSP21V0rdtiiSM2BmnP0JPKJ5+nDpzdk0a1Z/6Kdr85eYqCd0WLYJZnK8H+Q4Z8gpAm5vvjo2FhjCniUNxlJhRUlS/HNYstoXsqRLZPZL1kcZ6a7c2z5/JKgyQZROo0YL5GvogSEq1a903nLmM0REY9v6HTwVZqP+lcfYfgU3Iq3oN7ogXYon140Thr1xDJrY22voyWY1ot2WjRGzMmgP8CtU/qiOMRQISQK6YBdjNVqSpOiIyLMJrhJmSolMOwiW8UuGxd2sxeF0OvO7QiGnjMu3mY04tGXr//rb1Wr3sjdO+SRIY8NSBi2azhdu3R+xTL6IuqTgBJ+/BYlx6E+9O3IuVOWLkyWi1BMZE1sNKZnyOytx1PwG66jjHem0uOMeseELGZnFwjDfV7s8aSjjAzBnc5sx/R4Kd1S4YyL6xqVLTlstiirxRJrnmriZ3Pzk87lB6UXv6DMPqzv5QclGcpxZEMEH0e8idE23hFPeEuIdhvTQ1iGHMSs7Lh4RzZyxjuMRrRu7eB//vuTbmvzYmKLu+Wv7bawcEtS5ktWK4QuPBkbW7S2cHAflOBOf+GWISeyaJf+j02fS48noG0voBdQNrq3AGUnBEwoOYF+3HnCEzlpASOCMINnE1BeVKL4X2LA3t4pZlvkrz9YSfJ7fQ+x84SVYrn4DfgfF3r4PPHJTmy0WqLNkYlsnhmXKPhTEqWMFH9khmSKjTVHxvgjhc5qe3P5b2XXrSinCM6j5BTFgyeLongT6Op4Uw5ckS/SHeU/seCV0mHHHz5+14NLprz88IvDR7y04M0pSx+868qkuXMnsWdl5ckZj22aWbvs/a6dzy97febmzTPfqPyoc9cN86dMmQ8PjPhHGM9nMZ5PZzh3ZFhne+LsCVJeqre92ZKUmOGOyopCLrtNirWTig7IJLUDAWHR7uvm5xZwE5cHY+erwvG2HOUGfIjdwGclGwiE8RrDGjH+K+yG06+/kHTPqUnDH9/x9stV814et/7huYW79tF1O2x7hyLc7mk2MPLQ8LN5XQl6z1NSU3XwXQfqQi+Yx43dWOGgxYlDazbTlzrR98T9ZrQifeeA2+nOGPqgZ9vDKidWGC7DqXnWqiJfRnaO5Mz2OyMqbJFRkj0y0hgrVBjdiqeXFClO5+lFWYRT9uFDcSJg76aAh1AzhXt9gZUwbFQ9v9DtaGa9JNXaE3TeX9aTaSEHMGjykdmzjzT2CfcB03iDCVgkjFTjdbaH0zXxlgRTGmpnQu0t7CcqJ0PKsVRYoxxSrDJgFK/tMMMoLtbt7BUA4zBl310oCPMmzwgfH4zp6UknIxdivLDSi2yXH6vvetC7dPCiA+noEk1CBH1BOw9BBWtXdNp/jCaNQt9UeXM9GVUNKHZ++cPDxx3ZW5Wa1jWvir7GxgJqgt3XPswoKzL8kUn8jr7kKHOMFGkmFYkpbMotMRvfiSSnEOcXuE4p5sucxYoudtuC591D7lpgX1L9wabIv/7z6vsL1hev6n2/f/6yebgLXYcc9F9oIc794v1LXw8t2XTnmqUVy8U1Nbtr9vDzASOoR5zDaAhefeJio+xSgsUouSwWIQbIFvQSAD6cC9QNVcW7OPSw1Z3PSZZu486SnUxElkXMfmA2XPJEP1dIcX2ndqRfoBfpiKlnd1PPiVjbzr3YXHUIZztfNTMz+VgVTXjj60UOhkea6rXLBmt6SuTIKIskRkngucuqc3UVvFWq8znOf3avWEEOyym4i/w+k7yn/lElJtfSlNrXq/4hcA4/KT7ENW2KkCF09iUlutIkW4Zks8Qhl6UiKdoSK0WZpxotinQFjcDqes9ezP0EKPpKN0LdNmNQWyEbm2ba8Fz5O+QMVK09m7/1jmo00/vWg7QX6lG9D73dZWwmG5z5PfEO1AstVLXWyC2PRMl/l6dF54pcbeUNE72Z9Ed6J90ZZUb87NpAxt8Sn/n09LVLNCSJqWkCbLHnGtjosOdmSrmWihh7JJc0eg4HT2rFqocrvnsNa03Nd5u4ZzeV08MnykWFA5FUJ5/H73jn3TPs2VHrJ99YVfc/W3+m6+twL/nWgauXTPl0btLk7x+68uPIkei9LYe39Bo0eebgWzeOv3PDI8vucrIXPQeOKsvvdDar/aMPF1UkOdWYBEdZ/yYxOzAuzpQoOUQkWU2CKApRrK9doSNwbIAWKKf4lVihIV9W4JjPg7gbq92qI6uVy9AUWoM6fE//4Xt8FO5ahT/QnFn9ha5ZVyX/Bad68kzgw0r1g2dMZ1K7qy8pKzkmXfKkpCQkCLaIqQ5LDKnI07MZaFgwsGzqObxCdw6zCpSYeKBleGg8mA5ac8C7uifDxH4ZbXAeyu0aj3LQugM1h2d7shMTZh86XrdtdkJitmf2rkUfb0YTapLaIes3KAKN6bGjUsQrNufRry8fPowsE+XvcCExMwYOLKOHDtH1NQzrexnWExkXdBCKfWkuW4KUGpUW6TFmRhoNUexHcNoIsw91mDeTcsrNaWbBMGJ2K4RhE75mwgePEz6NIPkqCwfa973yyitX3gZB12H5sNvvRWvYPHUNnWEfVIi/qxm2fmCVxVJedeDUBSbgho66t3x/VbnFUjVo/VAuURZxv3LrmX5kowzuWBvZQCZR6dFWCUdHRZsSUywVyqWofFsoZrtyVKOo0FQIoyzLZXDB44zTs2bhojr2D12hGfBkTJvap2rS2IqPHnp1H+PCjOMZWzLQm/Tu0VtGH2fPwrFSfkHx/oF96i5PCfO3mOqLiSZWyUiIiCNiYwWz0Jdh0LdYi4FhBbNUBNuZ96zRZitF71ahdy/8VPUTTsGds1Ey/TJb/kD+AqeguR0CQ8nxDvQx+QuQMhqXO/ieS09fWqTJFBdHYpKT7XaCpUTBZSFEsFgYx1uDHA/OAYrtxeFzapX3UYF20Rt5bA6PEsJsy5YtAWR49yT7RRvfdTo3oRnOTfiRKvyI/DA8Vcov8RZ6kQ5BHXV42fi6bkdfYqpVisLOFMlCnKnsRzA4wmL1Bo+hajEmbO58MZ7hYRQ9gIdL8yPlYiMR7fkJJcSOHp9Iv/n6448/xm7nwUfXHXTJn5AxVej5T89XvXOJDhbP/3vBg/LB+dLfGCpBfFLYvN3LxmNPn7tjstQxHmfnSU7SLluKNrWzGrOy2rUTLGmSRXdLuzPrpwIVt/z888EYGDocQbiFoerolsO4uzvKV/AFjP+MTF1n3YbImHndaOAdhjX6etzjonwFewg99sY46sSfVM2qQh13Pl7ldGWkV236AzThvvvo2fTUWXH0Z0lSoxLB+d44iC/iYwaIZMGJbLJuM04lLruEBVdoUDJpAmvkquJS0AW37ILbwwegQwuioyLI7ArGZlT+GB2mYxl+u44cebpqQy2Ja/zyOm3YUPW0eF4+uK1qyx7Wu6O4byslTn2B0MuX3S7f3SWzozEhO1fKNlUksJlOZIUpwhbNw/pYJV0o16CLPM3xFQ/sYzU5PCTDo3CcEteLGdL8ig3Yqorah9sQcfEs86gvnn5u64bTc80WADNq9Gj09f3jEio7TV07sBSZ7xwe1z9z9kDfFsP6T87TT2bLR3CK/IV4Rb62ZnHlY40xzreTJpVsHb59NMpwvhoz3TNz6LOrKfgZ26daBKAxEhPMFfHMjjYiv8tkZAapyR8LYdJxyNlLbrFyrFENxuPhB7ZcccAQ2MTUxj40+57lVvkpPNV7jm4hu+n1BzMX3+f4Fd36Hf07TqmdfHvVy7W1zviqKvrTCPksToH5Lffyyv2BxyqRrWMkg9kiRU2FKFlmhYTKdDzk3dOtxoNDS3ejNbWN3+Evd9PFJEreRZY0XhYzAz/iaYHVOrmeBjECYyPtUpzBKCUaDEJMJKlA4DFL452Q7aXJcVuYBLcFZfeQEaaXm0nuhaZRQ5jULq+dUYV6B0U2fbtqxsmZNcE28nN2cAouVjRXRMC2FQo657WeUfxSwQqQ6ixplGiVt9BJopU952trG/PV4HQoCC2exy8hRslKnDhesmGCzXFmZtOZwckob5dO+gP0rEJDYZYKX5X/jI5PozH0T+zhdanf/1SHxm3pcbzHlh7ortpa+lYP5Q86Em3SyZZ4db1zkC/TGhWVlGQ2E1tGhsuVlsYksSUhOiVdAA+40UzuOcNlcTG/SRiSxqpEJozwhDsmhR9lTZB4iMNUkIMKHB54jt06/+6RF/ptz6/r+od+F0bePf9W+udBowb5bZ1sTYKz92JsdnoX4QFVcMoXjaPPwe8q+XU8QH6dTN60SS5Bz9CJ6Bld3Op48KluiYwRDVIsEv0QucgRJ/jjoioiuV+Q/OBanY2vnIFZ7lZDWGuWsadwDxpNj7Dp1SwtkvUsFEMPo7H0cN2bVYerSDR3qPoD+/rmm7Bypd68wEa8R1D87pSI04xDYd8LK16dPxNLxYPqamKiLwa61SBKYIbww5NnYMuzpT/nBOUh12tq6BLlaWpqqkYHDEl4KTaKCfz0cX/qwTNNVvB47bMIRn9oGhKcfRTwycYImGzUh+YWxgu/jlDmE2izbOf+YKP4yp5FMsDhVqKt7CFbaOpiQ5tDcxXZbizXZie/boST0GiyWErWCGxYHodD5wK/YMXdtAGjQqM+QpNx+xr6OOQWahldzik0iVA2gU3E4FfOGRbw+/tZ6hlNHivpBp2NtpxEW+jsWvRcDXqW3l5Dx/ET2Mpp79bObbM6tdPdi4UTYpG4j9UH53gtkWZsICZzRIQo+I0iPymsro8gVITAYaIJ/boczaA7lqMpaMpyugPNWE6fPrEYLUFLltL1aMFSupquXozm8z5+krXl33y1OBnaE2eV4qKjJLgaxE8rnc/NPd/8jECznV1c1mPMmB49R4+RL5CvaJTyx2jy0ZgePUaP7tFjDH2MMUHn0fCyZ4/RII2mozms1hTNyzocIws7ThPiKZWfiHpehFNf0Rh8bZtJGb79D3v/JuKPgp1/c0hdcMvG4Qnu/Reoe/8bX/0M+Z5iDNjztbOvfU7ffApdkd9+Fc3h+/5zGb6w778ZaL9ZuCSO4meWWG0EG00MTROSmP5nY9UoSsbgaQ/dqnYhcm2GYA6k9lLozAZAm8qgpXFobp/zpqeeQuedxLRACallU94v9KeYuD9Y4R6xF4cWCec1MTEZ2QgVLP7mOPJT2iEcHcHj5G7XQ+BThdQG+pHXUI/LH9k/ukwPnpX/yigNZ9XvEfNV+B19KeD5SsE5IlISIvx6zIXOwRMl/PqWeqQcahDzNfwDA6ESVHYWlUFN9Da1P2sYL9QpsWcZ5iKCk+UmA4PfWaFEkXqOT1sJmA4jSR1QaEtNDSqqQXfTp2rof9XAjQVhJ4N3DeeQAkbyDMEEv+kVPsrZuCVnBRd4ZjTFSBEmv93lJ3YpgvgjVBoBdcCJMJhBEFQJwo/AydrpSByyefOQ6Wcvl27bVroI1eajsWlp+9Ly6WH41VyGEL9OhhSCqcAY+SR+r0b+EN0HnHCOdCOf8Xsj1leMYlAL50P3cMfoHnIOiSgGiZf32/eTbrhMPohepYO5XEZl4hKxE2sHnN1w+2wWp9EeJ0gZKXF+LyzNG9XrA3zupRu78doZVE9GDng/KdL2093a8imbxzDxsHXr0tsX5eUtuh2+7R837v7iEqu1pLj3sGHo/T5Dh/bhf6Kyd/c+e7psypSy08/ufff48YOzx0+YPWvi7bNm3T5x1uwJ42eDb0o2ViEiVDSMcpMA3tNN4VF1wQMQTMLA8e1a9D56//KPP+IR6GsaJ7/IfufRevlFVVtwSe+C85TmGMmsX7cKaQydwA+qjpDcD+kQ0kuT/4GPQZeARznFtzjThh3DYyDgRNWH6C2ixH20Q6zYiAgmcsygbjTrFNoTr3oPBcvwzGzRWlVPN9YZqmtrGyRDdYMEUQoYFCVKQarPClEKID4BNsOupVUd/dwGjA+LUXCa9iaV8jL0Gs3Hf6o7ih/C5bW1crVcyW/ujVcxswCVMYGrGeagkxC45QX2DOLA7CfO32tHBnSKXqZX6/AdlNmmDDke0UfxV8va24+3X/PoNQjfLb6o3phRpa8Wl57Zx/q49Dz2m2v6SeJlBnB1DcsDN3s3qv54YPW/QCjwuSHeVqcMydvJn+KVUhwVcCxxd8hVj03p0iR+zqiF7gkLYAKuHdpIQ3Ob+fNZzB1sNDT38pP0wuNPvHCk+vEX9pYNGnrHHUMHlcn388vcKZDwwhM8YUhZ2ZBBZWysprP2/CmsPX2FYUJvX3ZiQsLAHtLAbj4pKRka14k1rVuKv5ulooUPIt6ofDZAz6v7UDdpHWmrdW29n9CsfVuh1f5ZK1bMmvXII7OyO3bMzu7Uia5s9qJNKsgjquZVVFVVzKt6rGeXrj17du3Sk/Zp8Qr44g0mmH7glEn1xaAIg5mYiSHSXmHg3WlTF6v46jZhRjQIOBtq8uZ/hbbEofVX8r1iD3oeb5PLUX7jGQbPjxLF+8SRcHfZZwfNY4hgZgLIyanqvSPGIKDOuLUAF6PAJuZa7UOUKt+PH6Wf420okUE+wWqhs+MAy5NN18jPaowQNhmriEAmUWSWB2DJQCoLD0oMJQhOAN/ZyMFj6eyvOJwrdIETb6PnxR6NZ1C+4m95IMO0lGOaymAKUiRGJojbIolTmQYDNi4uPh/SiWCqG/AVuZzB+Rw/Kt+PUlEiWh+HtihVMIi3qm13CF5fXLRDkGIcUQhHikabFMHgWsSpRgAMAj6++LxyiBeAm1zuwhyu15nGdMWjH+gI9OJpPPA0OkH7n5ZrTocqUkhCF1yBr7z/GGV+4B6pvD5njMFiihWxKcqGsS3KJFowrJ/1jWed2LkzTOgUh5OoIL7A5jHx7szx2AqKGKlu46TS9atKtA4/k9KfcQf50s+BYz/Ll3iNA3mN8UK+L9lqirQYbaIlxiGKjhiLiCJxhYvfSVRManuzuuNh+tOidrerDi2hS1sisAL5a2pwXBgOX3PbWmAziKP0Nlg9szGhLR6V7agvfUtLaXpcn4Iflh/RUoQP9CnkzcCtWgq26VPEpkakpZBR+hRjn19PaSniY/oU00M3Vmgphvf1KebaX0q0FDZ30qVY6M8YUrAtPIX9rWJgeD88xfA+8tGTCjShWkspsFWrwJQUlBcqg/JC9bCUU7qUU/oUXBZKYYaLPuW6LuW6PoVUhlKYrtOliEk6rJO0FICrtQfxekI1Qa5QWgErFd4mltemx0+hkAJRSQlB1KiHbeGtCtFVrcugpIQwaUQsHev6ysRzJGIliwKgEXEwrcFhvXowCCcsHan1yAcVDhObFIqE+l7DX8WyGRaQquVoHNUMlTZbpNZjCYOlnDLSVmEEG1x2Dj2u4MP+w004d5HLhMq9dC6+4Q18Iq71No4Sj2pPIIlcDZSgcjxevoDKz+wyLPei8sAnXnyjcZRXXPvrSa941Kv/bHiRXPUGSvB4r3zhjHeXINhvgluOkCt0Zhq7SOjJtDacY2XYFhWQcIxbYt6sFQXNH9ai3d46pVFdvPJB3jJy0htIaNa8sGe0eKRxyW5o726SJkfshjbvRhvp9t1ndhkHe3fTuazt8kEv7sIJEEjwkpOcCg1rectv/vmieMTbuIQTh6R55QhOIbTRS7cDmbL+IyoNE0YKY4TbhYnCFOFu4R5hlnCfMF9YKCwVHhZWCmuER4VNwhMter7Nx8BoblLo3jqNb/a0Rv82+gQepQMyvY3HeH+QSd7AMt49eItX7s97C53z0ijeeUj00nrWk72809vos5s9vD97iUMbr/SCTu1FVgT294Ke7YVr5Dm9oHt7oe9p917Qx71QB0p7ndnVa1oPPJX1aeMxsJihiwPLvGQS73G5vxdv4QxAo7zoHOcHWu9FYp1393Rvr4ZrvKP/f/psjOMMIw71Nl5RuGaFN7BfYZ0arzxH4Z/vvbQ7ZyLUwUsp46Rp3h4guYYJr4kzxIuMj4SsFn5bdl1bufLaLv75mvYFPplMCpVLblkyPDSgDsquQ++9d+jZ8+fDoFWff1Z5zWM0CnOYdkuD1XyAmwnHvDIL8kW7y4nFHOV2arZHcWfBYL9Mv9+6FcW8/DKK2bqVfv/y2rNz555du+bPc+f+eY7+PeSrnvvnNcF0IawNcW22oSX6LXH/bVi2VkjRggz4OifCb8BCbk7ZMFjyN0rZMHg4mmH7e1rpbtlJsr1FFzHMOLfgMgbLrIOklVULgC5Ta4RctnBmek1MUrOFYZbUBmat0e3Qe3RdKyyEFragnrM16tla0A4tbEE5BozJVz1+7drikBybOy7OAYdNmqO5p4r2j3tn2KIdjua4Vr8TR/tX7UGnULZjx6LfronYgp7NDay2+LCaxlTtee8Qg4iy6ccMWnhLygCFasClmuHx2zXx45NuPsIMcKayGan2VKETDN6z59Gp5s3C0YDDCYbMTxyPsLqcrbaK1ZPD96htxhbdPIaTZphKqWb9U8YqlxOCyMB+daiuRH7ur5XeKlLOgMQh5ZhtlnpSNKzXcjIzc9iDdo0cNGikbIfP8M4z4s+MRjnNiBbes7uLvLnL7nvYbzynC+xjaDhEck9inZkWhvs2U5jWXci07SZY0QxN/ePbuJppautK5/+F97gso337DPacVH/TZPXLO+pv/A/1S+BJ9QuZpr3Z1jyPvEj9gp7W4AXUL2Jv/os9wS/as6/5i0+bv/ik+Ytnmr8IAg3juuTW+SCkm4rCaNGKnnp25tKlM9nTur6q5mns4XuaIb0F93h/U3cVtbEMdFOdtmbtvn1r4ek/enT/fmPG3FzHVSt51+6rHtNPKQAe+bqgx8hy8gnnUqGtxShctmrv3lWr9+xZXTJqVAl70GPKn6v2VvO/2aOTtXDDWihis40sHYxhbCr3g1JmL5P7jVc/1EDw8y4KvQi/9yoUKmXbpBDMp5opT+iEOWDBDWvdmGC2BD7D64hidfDZkEeDXqDAFY8O05XCZ2BWFup/zRrBZxQIhbYC5bRT90LFZ4bbaVTLD5MPPnue6eA5GhfJBz/lKhN0JsNCtbAcGh96FBpptQO++IyuZtUuYzVrdpka76FAU6Uc42rFLgNicM0LdWn6mdflUitRwbOKBD7XPKPpZyYLPYWAEfnLe4dAtJ7hUHdpWpxhAFq8MFi1Umm1UqFmEai5NDw1BBXc+Pw42NtClgUDmWFaOofPTQ/qrD4+w82yGLUczMavpMvoMjUnXYYqebg4fQkjlDCElwjL3zI3saFQfl1uYm4NtujWAw/c0AEXWubGbncQeCATIM7RigphfA+zN2irIacovnl7UeXRo0ebNfroUX6jKnh+w8Bm8w6fxWwUsLlC4DsGyiotggtBORaM/k7noU1foT/Qexag7vQsrWfccUbuIfc4jJNwknyV9wzaLh4l3/O1EYebHBKNh9B2rVeCaSYlNcvtcEOOwEn8l3FyVyVjNcoTEHvmkEq1h/lqE+teGJzN6+BrI23UADLAbXOzYldJZWBZCDyTWiH4JqUGyAm10D6w0cTrqiaVuhkNUSQSk0Jc+IRJK5MqrRgMls4mltdlO8/FjPBwy1SxWwrhOA8P9Og0erJgxw3iPbp54Lc4NGz+hg3zcRJ8yl/ilC6sF+Qv2OdrwbdX52+oLu4SShJ0ekrlBA0fh4KzglM1OqWhxVjjFO3zn1oZ7t/xva38/+n7tr6LSe3y8tqxJ3Cn+gVFN/8ir1O/kBnNM7d807J48IvYm/+6yUPr/zdvmj86i1Nbh+E9iIJ+awpDnKU9vCvx9WraB/4LbcHIKrB5kPpwGNVsDChPkBlUmIIQ0QKGfj1Iwamg0GNQn7a+N6uHDbtWv2stgH+sCbpfcFdOjwn4Trcp9ZNC5DEUekgBctkKclhN1XTQGfzwlwPPyAu//ZaDRIYz6LUvv2RNWneG9v62bVhw6bCwyOMoQIWkoFCh8MNn6KAvv5xxBp0OQsMP00H1DBw6DXUIQrQOnpFHuLYG6ZQhZAleZrMp8Is8hiIPKcoxGYpyDIUmpHwzhd4YCnIMvBVyds8H0F97PrD57rvvptd8PnzdJwfYdySzD0n38pWqAWhc1QCOGhnSs2dPeoOl+ny+5ct99P27lX/8i/Lu+QEDBoBERdtJpSI1kSpRNbmpS1NXhMOloV5ytin15B/QQrquNanXUj62ndMYzKmyezBba7lQK+K2TUmIgrVDk07Bp57/w2Uo9GmwpDIC1apovUIUrSxjWEaYm5RV64VSsFHSrDSHdtO6dXjD1ooec/gO2zK/rzzgGt5ygAgOKqEPqpEoJolrld5yqKWrYfuF2xEiqNBqZsUhXU6ej+VRUgHKp2gk+YvYOxzKp5q6QSNVLcSghHLyfCyPkqrYd1fFo+JnoNELERiYZVdJICDCXQNm7yxgehtDC9EiEpgDprxS5hArsx9SGF8oGyKHSICl9GJlblHKZCEk3hIQWTEAyq0trSYDryvLzasLjMf76BFeaTXuwz07a/UaoGYLYVUHtuM+8imOAD2CRqPRHJ6GhYHjgTRUGAFGy5MYQnIehBfEOqx4TsSMSAW1agYzhAO38UI42jQsbWFzTS23qlE0xOmQoIJpu62AWVhbW+azKTWg0cFcrCfQZHGB2AnyO3hPoMn4fboN6M1SblFSLFhpE5qMysEbmq6UgZczZGVxSqIfaLQCYMuWLUCdIAwDQCE2g0ocyAawqIi8W6DfV6KuYkdxBMcDoZXor+ynK0kNfM7STgv/Jp+IO1RuOU1S/00O0VylVB9WaiK3GaGLaC45hPqQVEh7n5X6l1IK+uVfgc9ZQYDL3oRqM/D6styEVylPQrv+otRbjXiE9lDdnGOgpQwBeTGaQp/maPzlL38ROEQNEwPHBTlUdFgOOg1wopEKxBBeGscYFOSqGcQgEvpVeGUsiDMar3KrNTylCIWM2WYpNtRmiltJ0UttjdeJTa2qWr7KssijcFLzXKxORbRDoioDW8Ji9TPeVGRWEofVVj4YX/p8vE7SVC3bDUlkJJeFzAoiykF2lybKJUMlzI/oMpnNgxhrL62vb3hS3Fof6Eveqm+cxeoBCKSaQTCABlGcrCpl8alAvSgoBVkt/vpfTyuFMEpSa9XKuIKHfpNEIVBfz2u0G3trlfF6hIsqpiYVT/Yw/BqWGSoBL1pWXy9AiyAf34fldh1SIPODkFACn6pHrAyqrJcPQkFxa6BvfT15q3EWB8DrIdVqeSFHK8c+JZJXz4RkZf3FeoP/19PoIC8FrdHVyC/uAw35Z1I9yZMPsgovGns3PFmPDvLaBIUCpDq0s6xcj2C4yQwvvunON95FpX9U2Da+bqRrD9Ed8Ay1qx4Izkmob13Dk5z4CjmJ0mscrtbvDI5DuaIB/Q5w6oOdrgAAlJQeJEoPhsqjYKt12ASEej0aCgC1P5HSMrw0yDUuOO/pYRxAWYfSZax2O8vLUWY1IgVjlt+icZmWWxTUvMAswJNIwS6YNwhZFBS4jBdVsDo8TCE82KTfznCwaxioteexXAatdshDqtV6BS0Ho0gQP6AF5GKdIfF8UCPPiyrVOg0afqiSVEN9HLNgDg2aRlVUKQFBeT4AVq9rAcsbGapZa4XCCPZg9foS+EvNhoUfdB3GA5ydEHMh9HXjX5V8+BTLFzw9AbkYS/M8DR1btFq94AO50HV0UFIyirkNHRk41qrrar06eDBA2NuLSo3h7fYEcZPQQQAK8AwXG//KM7doefBHq18rAiiohbBO4kUG5R3vdSZLAvUKERQ5x3g9xKv4FCuj9W0h54DrIBoVekBWJt+CbQzmVa6ZqO2E3FysKXDBkuwtAj2IvieYeZfHTdje0A/wMHlR2fQOyRPvDD+JgiqVHPivaC1dFPgOPhUacl7V5i8sF3AMY73Wez7E7WE9z2Doe0rjd7XnVR4Oy6Hy8EUNBuptUFonMEkF9FWaJChpnLO0NJIXlqbhSFQKsnRufrE8Ur3E5u9ZjHJVKuVCcl53K4k8+2njjk+HsZ8QHYP0FBk98xk9v9OXV2najLbaQ87CNh9d1PwTejzUTqTytNoYIpQwPO8N4hmkOeBKpqHIxr+iyFUoMhxF1myGXxnDr05frjXMyGw0ie6Tfw59Qs+gAyQvdKIJ8qMDWv8DrixNoS3/kZShAjgow0TtAw7DoOVTcvVWRrOgcZkCSRmpHmWcclkHtYHcZHX3VvVEkEuUypRhrIMTxq3KibQ2xzfjRQVpjWuD4zskkZpxOOTX8gLsoKQJy6fBtFA9PJ4vWssHl4518lUKx0IK6gvOE5pcVKUASAtFCkB+La9KI4tCay69XRIX3bJKcia5pdbooUp6LonqQ4B5gVbwKFSsM4UeymhlikHSj1dV9qo59bRGvSXQIbzXWuqcVntmq1ogXFpH63oTruDp5DW1S7oWSMFyTFYsFWKgHGwkeQoL8sU4u4sVXPXJOknajIRTc1imA+s+WVU/51STsFm+I6httHL27pkFBS6+CcXKzTmFhM2StPbTVVCOA6hnsKAc3LnDcEozBvQD33WCO3XYKHokKVgDOlC/6tO1+IB8x+YmVphLfrirp5RDGZnZmBeLi2O1ikd5JighoQO8bijJaq+H+XgTEo8a3CCFXHCBoQChAji15UEIXaQdV6GL6OIq2pF/0I5NR/A0PO2IvIt/yLvYn/IuHRQ20gwAwwXcuErMbTJUHGnYeCQ8B6uHVSHmrmr8a9MRnoFrowNiEtcbJs4BPKhDUBsdYFqL2cfoetM7+FRIE4EVyuyc6ywxTA0p9Of9pp4nZXlUNdSG1RWyQHRWF4cQsro0+0O1uoJ9HLKkNIvCr9k6yg1KrmmUGQM0RdD6WZdC8kIpQQ2EwrQ9SHYJBozAddABpoOW6nRIIZMM4NtHfXQ6iFOPU1BkFMxnFPwuXHcR3cOpCf/aVDoat6nUBSvmuoo+6JwDTOcsDeoOtSfBPZ1e56gogba53lTGMNJpmxa4tKJoFBzwqdCJYZZXVTTN9UOBag1LYAorxqvKB+qYMWlzEE3yMfS4waobjwYtD+Tg6SoPqDAMwXnIdQ7A4OflFT4MwzJ4rrlN2zlMoja3nTk0U6iEmlvNybXLdb120WCq8Jhy0UvnoEQEv1DqJXlFjkoh410K13CtyHSVP1WE25TpBTZd63QivQ1a2FqlReuYaFqOW4ohrdi6llNyS5rY16m5NvS+qw2933wWxGnpKdTppOuSVkzRj1K4VlK5J1LjLmW2pcyAwZbina/jRT5vtuhzq3m1nApXJqlwLSH+5ysCClDgzSDMVnSpq8UsJsSELUaN2xakZHDYtDYjbT4328qHkAYxaO8Vhuw9dZC1Ni9zhc/LtvLRptp8B8JsPpdq86kDsg07xtZ8xqo361parlBClRQhw7WV+WizWbgKVJm7whwkZOOqckUzcVubg9vC5uAXQ2NSmQPoZJAy2oNmrrZ+xfGPDMk6vobFW6EuY5G3An2VpSwEJTh+Fr4OpY5eSTmxUH8RhPJbbMrJ6lYhW7TVJ/hRpQ0uu2jsDWtAYXR36NcoCmz6tReV7YMLMEHm11ZMcHDtyKSXFJzOWvmgJORiFgdXi4LaRVlhLFDWiWB1sT4oFtuUzK3KgLBREWb56yxddDAkmlux/F3NLP/W11VsrcvD5lwaph1s4dpBm3y0oh9s4fqhhc2s9VhhUEe5QnoqiI9Sni9GcEYKW7/Q0bJQr7dU7NRSYdor1FsunQbTsNQqgH0Qs3hUvCGkCj4h15eckZYlRYtSdyG1R+eEaEuExR2b5nfExkn2WPWOdbzqO64TzulEuKdHe9BpiymNwAVVLXB1Jxw6oRnfByvfjCRgHbpj3ZqaJUPjj3VZfNeqL+94olt59pTOi/ov2C0NSA5ce+LkkPGFfdNu7TG8h3/y2JnZJo8rt3+PKRULPkC14+8bk5c7dvqaKd6HFucgT0nJY3kddnkGTXjkThpTOqCqfVb/vB49brt1SvnMsd0mOGOKJhbNm7z0tZmwYsPvZht2C3FCBkSHjY2XiDXWjxxWSXA6JKe5wpIqWdQ7q5ovBfA8og+erDoecehO7B1HfY7U/nj5bz/UHkH96Bt10+9/+OH72XO8dkfyt+98+M03H77zbfKO2uPHsXXz6gfXrHlw9WbAJrPpmrjZsEJIErLBo5g5zmizGd2SKyLGaBQgagWuEJIlwRKMXwneW4qVO6WGDIWw8SjHyGZUTAKAm1DEMMRhl2Mvnf/ii/MTh6LE5DuGrsX9j92ZRhvmfXH+nvvuu4c9TmS8/mVjIpoUX3pMPrG274JE+vxDn1+nDbV7tjz65JOPbtnDWEgYIPQSZzHRGCck+qJiBadkF6ZGgbMMoXNuQZL1PI9Uk5FdaBWKRMGmRNIFgeSBYMjTZqPEBiQgx+xpk/3ew95Ze7asRmZ0cEs1LaMNq7dIU+gHqPMUSVePV0j32d1CtuSyJBjjzEYh1p85NY3VBg6C1eiA6q5gfFhc6/jgVf8QApay2XPvLO3mnbEATv7dNy0nf9Cdc2fdMXk+w6Viz+Lp/oc7dc/YWn7gz38+MHNLRoH3Yf/0xYun0zdQv+mLNZzEa4JTiHk5MkaQTDEwBiD2XzZWWTtec6KOMS7b/W3l5kUzNlqjrBtnLNpc+W2vCciCincfPLd75crd5w7upmfoLwL3keQV+xmczKqNeRkRiOQoKIHF4JzfJGpD36J/ePED+AG5iuV+iPHtTO45weWLEDEWjMGIncWd4ewav+3OZp79z5xfaEenz8vfwz138aOGBc3Gd54vpXdaD8mWJLXvIKCsLkabyxnRhw1wJeRF+AB35PQhRSHfig5wFhxDTDFYDVUMZzL1PRCDXU7Vq92xY8kDpN0L+i/qPCW7vNuWsi9X3bW4y7H4oUtq1qzbMRSPWn9hwfzJPfvlujym7Jljp5SzgX5rWt/C8UNOotpedz4yYZBnV4e8x0pK6N9yFj/knbJm+tjcvDH3yT/OfG3p5HlsSMc4J3QbO7N8yq239eiR1z+rfdWAUtbS2WxEdYHoH0IBSDJnJyk+2ek3JEsGW0WMV4owu2P8gluNQA6O1vg4h6i8ECsXvDIUejRnkbxnC60e1fWrEr9Wf9R3j3wWZSAj2nk4yn7fmFVPPLFm+H1xUd+98l9vnx27zOvMXZM2avyIoaMnjHHiL1AZWkSt8pL6+xb/7b+ufLz4vjRUSj+lv9J/0n+kpxxLSUdfLb5v5cKFK+/j3qdvYe2oY+3IEPKErr60dHuFMVdye9MSjYbkWPYjRNqlSFsFGyJqU1TPdvHFocDqRVq3eDSM41H3wgKryeHOgfsKBflFKJt9O//K36sfXfrX08+9cWlo/4kzRpQgS9eT5ddow8ydtOTBe56cTv8dYXnD+e4zj77V4fmtb/5l/7ZbB8wtH/LoCFq39iT977fo1wvWogfG+e9EhZGRQ4C3Mxm3rmXcGgteIyJMMRISTNaKKEHxuW8vVjy+KmyjeI5gxsv+1/5L/gYvO1h3CFc63tp/4kJtY754vhHijA9oyhRnGdOF7kI/Jhmc8Qki6XlrWruC/IiI7DwpO8ImgSeTzoqfNxR0FO7Wx6bLyeL1xRdyhaR6zFCoYkjDBqeWj70TZz2xZ9bM7+jPi54blOB/enD1Wm8e3fXUE6+/P/+RghvIuXl13G3Lej61oWNXNHDOxoGB42Xbplav3bf+YDXes/4RnJK7cNZzO2KsJ63WvgO6dI6e03XT5tVrUXzOkLuHH9kJDjh6D+jktS/yjn/QP2xM+qTpD4yaDOdakoRYsdrwID+f2EXI9sVlZLrT0jI7JIgCeFKwVghRkuI6l3u0U1x3ZSlRnvlnVr690IqBX5324BnwoDtdlYOZ8XsdTsIgO/vJo/X0+lsXL77Fnp+ef7Pm8B0PJy/NG1s69p678m5vn9BtXiyajvqj0WgBXU+P0BN053bkbGACzUP/Rn9poNcuHt694099i+cNGV1aNjkmaqc9ClZW9C3JhLuVvhR3gidHSsyWEjyJiZ4E0mqLOnfurHhIaatROTY39+8a78nxuBweF9gXbbanJ8pb8NCyqtfn3L1+/fpJv9WQz/GSWdO253967hy6cWjcuOatyBDag7chd5aUmCkluBMT3Tdrw2+2gGns34f/QwvWr1ix4vdg/8Cs+5fvQzcu+P0gP1KJUVzI9UU8+FOIsVgcUfY4kVitZiz4jRDAyap5gwVH49wph0N15MIdQDgKYFgScFnx+i506ekP/meUedQHm2OGPjA2hhgxrqyUKV5Nv0EueQn6mP6MImg2UK0b937yR+73P1vIFwp9mUmJkjvJ39Et5XT0J+dIyY6KhHhJSPDbBSnK7jdGBd2ftBKdS8e+jHvRzZyfVO4+enz/nZUpnIHvuG3MHQkT6LFwByjFAwYU9xg4kHR+5sknnga2HT5o6OjMnV5Kwt2fHBw3YNC4cYMGjIO9fkwwOaL6P4FY2wxfQe+0pW1vJrhs+4kT23e8/vqO0okTS9lD8KtPbnvllW1Pvlo9c8zYmTPHjpkJs4lrJIpkthIPGEI2XstHxkVqQGCMrCznRzwn+FAyGQQ/Nli1eMA8niZ78G4oIx8NleSlEfoxGOtUqWeVWg/MJX6sUwJVQotD+ZRovKJEDH5dtEulCFGK1dWRmWRSYF/jdPhk0v8yw7Ke0wukP3cTx93zcHJxf48Q6phNYYgSlww1GennKIWcJCiD/s2IrPjYQQgCdlAuVT2RKha7G/wuJprNRgchRoPETOTodlI0gxoXGoDFnUMRT9wZmcw0LsxnehD0N+scwcSkPHLGq5cCMTn5F/ru7Xve3L4i5V///exrTcK/+/93lfxj3Isnhg1YsPylP6a86przIBqC/B+8+TV9Zezdc3D3u8aXfHvwnnn0hqBrqQM8P8diItlxjMkoRZow+7EIfovSZO5yVvMGiRzqKWel9TA5c6CfzPTvMJhRuumkCWXTD1F7+t9mZEVxu1CvXQhTuou+vYt+zcZXD0aPSu7NJZ6fVO7oS0mzSwlp/qgEKSvKn5klZdorxIhIbPIbscoampcyGOKKhxfuiaYtHzxMCPT4ar3zMHvw3Kr9+6vWPfPMusK+fQu7+3wNeDIZjPvTSrRMPoGW0Up5y3MbNj333KYNzx0c5YP7Tb5RdFlVFcQZB2/J4k7Wc6nca110khTt8EdHC0Y2+o1+waqzXTpzc9OgxP7KhzmEyW3jKqvAKJIME5tfZ+NplH6FEuhPKBpj2X3H2gdfyn6yI6W1a+9AR8Y4US6KZWJ0KP0z/UdOHxv9YNijD718Ruwzlu5ED5Rw/51zxKmGNOUMlw0h8CVxA5uxeQ4/Igxet/j5ymHoUXGGiPjK/s1udqNHR2ycMmXjCOVT0N3WiW15i63F7bQWN9DCb/vAvS7xaPAmSD0qIZdFiHEjWAgcyoGrLahEvdWDmBF6gRwSraFTfkfwPnQBzl8iFIEWkMFignJKkQyWT+E+aAE/xYnQYCQQv7g+CPc7xnM2Nlk7g87QHiy9nJXdr5QFkpVDUX5Yk9e5jBwiNQpc9heDiJbBQVHekoO8JaIgFBGEyNWr/GzrQXwKHaOlMsfrII4jZvIAX9fnV3mOHj2K4+CyDkJ/RJuJjTTyNOJw4LLXXnsNbUbdUCH9M5RNFV4jT7R1+z7YJyM2ht++R2gh+pIUkwPB3eqF6BT6kt8PCd0c025kubUOh6vX2iVt3rZaNps6r55NdCPEj1mrLFQLDCXfkG/c/Fx46CA3WtjGuXDU8sR36E6cWXcnTr0Mp92Da61e1KJeuKrdWr05PGN1+K2e0MiJ1MaOIcuWZQiOIPkGqqAb6UbdSHr4Ejp06RIdz1sXHFHJLcfUb/o8CB9n1ROHDp0IT/Pbb4W28FtQwZtNWDd6TMDncC9BG0P8epg2kNSbYrpRoc/Pxwb9dtq0adoA2cv+KeeNNW63qPyexYQ6UpleXocj9tIyWhbk/mr0Ayg4VlOIz00Kp5t4XYzbXxswoL/G8RXsH+AV4vrf9B2hGwNTFHpNbNN3hG5UaLci4JbLQjgyX12tjI/qakEMRDRdI58xfecWSoQhjCvu8OXnRzulzraeqSNNg6VsU3Fyn/QRg25FaFB6ssmQamM/JI+p6FIyQMogjgqfOgXMDzrztykTGZs+mB/MDpnmZlPyrOyWc1iHMoc1hJLTbS1SPTDDZSYjMxSUX5T2fvAc3YzS+k18/Vk+0y0Z2i1TTjw+6jDaCO9vvfP1Z1E5f989g70f+dxXPZc1PH7ikeGfHSQB/mvKfDQbDenjf33Y0y/AJPi2YUUPFNOKpc/RczX0OydPLD9+29Mv0FOQWLywO0+se43+cOc89EDdVHRX3xr+KSA5jp4l25iNxS0s0SSJKytgEShkYXmUlVv5Sl2doaZhIFhngalM2sr9WcmToYj1LmfnLlLnzllipJQl+rPSpKwqPSRdxHrwsf87w7XDdNilXCeGqH9RzMiLu3NZYULfBV1DYeq7Luib4H7szgtf4TGzc9rPvg1/xU3Ich52feXC/iuGqmHXB60YNGcJD7v+4TsDKod18mXsSux7y+A1A859xtpTER5hPdLIQ6iZpIjWI6yr98Tkijo0FneXzxJBjbB+1HDi6I0vIMbuGQaxB4OYI05vegiioonTGy+AIfnTYJ1lC3v3HXxJMbFR0aIl0sxrtUDsNhOr1sDrVWOyKIFf1RNqTPy5QAb+NLiOpNfhLwyfUNr4tRinYAEPyjPslrecnYPWBz5Ejwr417lqX0ONbp8DRcdKOHpVhTlSMovQ9YoH4Pe02NSeoNNXN1Qq96+rM4799TA8gTxupssTwFmvPIkb7OTXbaxVm4KtyvYlRESaLaLBJII7XDCV14RzhNIeYAe1LQ1T6+rwSH1Lfu0W1oYQv/LYfTrMdYBZC8Kx13hX418FbSZx5HubfibDDdUc4zSf3WgSDSIiDBSRgj6BVTwNKo7yvRp+EWGoCSQQQU+Sd4Jxq0p9XQhulw4THF+7dKndmgox+f809yzQUZTnzj/PfWXfm8dCQp4kmBDiJiEEMCwPQ6A8NYTwKAZ8sXNShQjKoVRtsUqpx0uFI2ipeBSVSz3qqY/SNKW0entyEa1SpNYG5HC93F71YK5WHslmuP//z+xmd2d2MzM7G9tm2YyZ+f/v/X/f93/zfyV8lbligtfHMsVFuWU2e8HYMVTXdXYPn9VhtZvFvji4URruYFVZCa9ijjaOdK0qwW2tYrtaAR+I7WTFkT2D9wSePig8uvPL1/wn31zys5//6c2dzL9d/Yv3hfmAHPu0eDTyBWF97rzfPi68VCOcBsVg4R9baXC6dFb3zsP/6QSThKNDzxwHrBn8eNyBG9uEn2cJm8sOPID6AQaJo9Qx+gRRTpWLvaOpctQ7GnX7g3/ZB/8yBveLQr0vrT6Xy5oVImjaYgr5SZJlrRbeul1sTlIbiUeGz4AvcxVJZYCR0oHa4QK1OeG3j8EffAAxNR39SOd6C8vEDz7fO/JB53zjrp1HqbdFaMM0hnai2OkaQiv27i6nKi+3ou6FVCXuYsjhTu+voztwr+YnFO74Be4FT4ZpcBcVTnmaduR09jAtKmb0OG2CgmO+B5/uISLdKJ34lHd8xjsaabs0SNw46HO51Xbo63bxQ5NwvDvEj8iDDdQxJpdwETXBfLuDt1tdnMlJW6MHeFqZEOLBQ9GzXlHmBU/RUI+Pt2+oL0d7e+g4S7b30mfm8IUz3wya/Seo7g19BbndD7of7PYW9g19thX1aYyZbazSbIw1OhmcY6TZBp9iFlw4M/BLmleYjYzixhF5qJsdk53D09keAlINmDu4PNLhpHJZkwc1qPd43LwnMi3UYHxmp1M8sTNyUDiQQ0DuGeqkuq/e23u1m6u6cObKO+x8DAnY4AZ3ISiG/pEAFYWh2oehyoIx+ORgEQc1mnDaQ4BlSNricvIuC23L4imLLYRM+0ORBqAiZKK5jRw5jt5ALvNBF7K+iKH2hZup7qFOcs/gnCt97EVwVGi6ms2Vgh0byNytZHaf8Lhb2EVmd4f7wnVCd19Mr3TcnR1lAdziGfkOirOq7c4+ePCzgT8x+35x9R129+fHP2e+M7D8F2zz1dWK3dmxBCDszdIp7WbIeTPgWXPkBPTt8ae0l4nEhxOF12Nq/5B6JbwwQmHB0hMjw3lYhiGXs5zZoTyrLZd2cmh8CwdCTo53bo9Q0uWO0LGhvomCXAXSLPXVFObri3/ZOsNz5X/D28UpOY939rYPnoWc7Z/ZOskHYwVLFIAq0lnV1twPeQutx0fQRhRjGzEx3Cx1U55MvA7XjvnELvIi8xTWXNx5leWQ9iY5//09CXsQc/770Hx6w+Au5uDAauYg+LTvkvtSn7Dn7FDw6NFYPfYRU4KFdjdcI9wOn9nipR00gxu1dMCFlXM4bLxDFPMTlVjGRf2SaIEpUYYlvAxRQ9SyK38WxoAdpnVXLl7eI2wB57kpkrYJF/su7HTv/LQP+pGSzkH+vgytfR/u0FIXHEdarBTNcibEZYioA2KaBVG1QVzt+ED+wPD/pd6RUW0Tv0nxeP4rh8Tvl/tAwA0CfcKi48Ki4d8lbRcly0UEguNcNpLKcrKs2YI63IoiBmkBp40IWUBq1iHOOyxokZkHvsDc38PkDnx6dbqo6jGCF5UBhLiSXhMOOw88Dp4jKZa2Oj2808qYLTxtNfPQcbMO6/WJGL2W5i4rq2eQ8S6D8Fw+Is4NSEj9o+zFy61gB1d6NTvGzHz8cV+4e8je19ctrlSnIQ9eR1J4bQNehyZeHi+uZXgdAnBNFmH1oO4GXiJk84ZIYLWhs5CtdMgq6WAj3pcrR/DYKbGCoIDKYZGVefaDbbO9zKcDYz0ztp56QbQv/c1tVU6yqqcK+Ca1zoQyuSt2Fg/B2zzJZylLmGVwfnQay55vOpNPI82DZL8E6b+7sIj3+AtDJU5XMe3nHJD7dqj/fo73J9d/NKMvCkGcFbh0BM8dhcbckmALRDj6Y2EbtgkxVMgjqoJjbNk+PsubzZvzCN4E8nhLbo6VRh0mMWwiVBELnwAVtvfQxm+/8r/xEHEe6ocoW74BXFKABVzqF15wCwehdboIrdN4bJ2qw49J1mkqtE70V+ckz4WSTktvDJYWE6GxxejQ9xyad+aEWMbhdObl8iaOd5hCjrztXUDai6nEbXoaI9EOVUuBBF4mdiG5Opl93xI+GEWA+jg8HqNE32Z66hIR6b3eS70XDgiHFJgO2J6eoYcjzdYhZq1Q4j/GEl89+E+xf/d+pAkHZZpQfXkOxvy5wZXYI3vt2iVy97BPz9AcSxPQoYdiI/PpQb2ZdAFy90Ahc26wmM4e/MxC8sfJzqHxwmZqggDdROrKLhjVjJVFNdAE8tC7EaOauPgwGqUBcXTQ2htuHZ5AjM9AVcI89NfnhOOgPT4mzLI57LQJBoRwYRFjQjp1TCjOGD6EQsIr6xMnVZgYUVSK42UUhdEqoigVzoVxzXswrkGd5KqJJcFaU2ElPz6ruMQ/xmK+bkLBRJuzCBRCucrLc5by2R6Pq8Pp6sLbNXAhRJt8w81V/O9Gnf533WINDQyqRNdHXZte8P5AC3VyaDx9TAxrtr5RdWjWRhztPC2FN8IxUEZ+/zjY9ZHwhVugwavDQc0HWXevfqArX5gbjXzoF8zg+/l7xRDn/tK9D0DLvx5ifAxijPZbJxGtwUYoPMWALyrmiyAP8sv4avN1ldk5LFNa4i+3WQvH5bu63C7e6eadDt75SJfPWsXbYUznifa+Rv+LhnViY5W4iE5OgoSYDq6agzViTDdAI/wZWgrrTl7dFRfWDQo356JWxDisG0s+JNFh6P/AW8N0ODW0MxrcLRf2i8Ed1jsxgovoHYrtFhCi5kWivgQ5gVEg1rw4j6gk0mPHZFHoVXP23cqETjXkReQFDe6iN4jeEOg8CzqRSzT0PnSHkM1dDe1ZFfYE8l0E7+oAVgtJc1l2PosLohP/uQ7OxIv+LaoF80fc/shShI0X50M9h33SYnTC7P9m8MwFc/jSZ72ryaqt5HX9hV7s2+cWEORX56RVyIM7TZaYPDneMblus8mX5ecJqP+A7fDRvC8r6IIhjtPakeUkZmAXzB/xxUT1bBB7Avhi+wSUMdAhKyti2N5v6F4Mi5WGTlh/M7DYHgSWa8TXndcI5JLlFvSJvn6hV3TJ6vbsce/ZA+mNaXIM0gTBNz1YOjJ8iDiqAczBXiPH9l59XQSQbYUA/vPSBVPuhTOXT59Z3Y+A64+QzVvYP3R6a92DkHoPxvDLByErZt0ujrYBAjprProDLY62YBa0aXazrcPm4G0RpsVCJvlwIAYudIY5YiBcM4WpV14VoeKWg7eELZfX/vaPpn0wLgLuGJiAs08QOt2dQhhK9gK4cvRKK8oXUh5gC14xgsRBKPMXsIcL/Q0rlCYbklwouA4ouXaWyaLNUHotpOTfxq7qDZLmMtK3O1wNtbOGfJ96GPdemkP2HAQ9x0FPn/C2W3i7L+Z3kYcRj2oMUR3MR07VGOhVAZ8/L5tkoWuVA6HJjTpXYt+JmIgxZlGOQCD0DDsSxVfOiq7FY5FIUsnlktwL7FVIciXqWh7RFCxzQ3XLc3V4gDU3x0J6TZLO+SBg2Qlahxk4HG4raV4USr8oVPOvvHPmAld1tbt3qCYCY6IuSgzF0a7kA+wTOXlta5wlqh68LeoNH4RURXUfxXkFvL2C95TwHnseRQUIvioAvVZLFfJaLXTIEuO14sK1WA8ZVQoXwE8TVSt25LSTJcXVJHr/j4t3nSet2ri0bXPH+rnz2qdNWTz7D7d2BB+eunTx+iVrNq/qbJt967qg3OOl8seWVpfmlpTkdu1qhr/Bn/x8UuRJKl+HqsUWV/REX4V4LiVagjUVC/kChg/M4SfO40sIvqGJbyiZGCioYJ1eD+/3htwuv9nh5M2OkN8ccZ0rRUdPxFsqIolBzyejQ8K31Dm4mhIpMx5TKDw9Hmc5jdruWnH7gpkdy757Q1vnqs1rVnS1rQg6qrPq8prz5y2/Ibh2ydz1HZvb5u1+uC64oq2LrIolTL+cgrE/DPeMx4dICn+fNg3+g+Xh2iy6gp0P16WyYLYJoJqIHUkcFLxHkeOJZGNqQc0jgz9B6y31HrnoVLjvKKgG/cfBnj7kWtzBVFy5gvhwbRb0F+ZDLW4IlnJ22kU7GN6xowvaXbMVeZ4ewHsoWxZJQ6vnNotmJKdRdAsqo0EyKBmel8KBcrhk6I1T2wZvwg4PS7af2kE/Jq7yewfOgGzSFIFkERMU/iy4UKe7cC44Qu2j7iD8KEozu3hzVjYRorNhnB5CqhvJx7gacVYR+fCIlfXoBT9Wkm6fL5y7+8fT7tty37Q76PHhR2edbLyn657GmjpwpPmXv5u+ZPrqgu59s9pnrV0eQB5iEEcbzxDXEzcQ84lg8DoiwFdPnEOEmubwuWNC43L5Ei8fnFUyjp7Q5Olip/DWLDY0IYuf4JICuKgE4obIIL7wFQojLobFzeBKIi3iJjdMJmojpbKxu46eQmpyg7NIqjO0RQtin+zZUJ5318J5u3fP23IC0AuffHLhxCl59eCGsFg6myeVyTqGhmbcMQfsE4tnQXa0UPa7fz589/dw4znUf27VnR8CINXSHo0UzQq5pL9gvhDAtbTIJ5oD7iJ76G4chRUF3ajfVk6HycF7Kd7kteWEbJJH5JdyvBBukRm1PmcR5oXPhyph4EBPLdv7+N5lh48Ljy17as+Tbb0nmC3kywHQVV5XfqIgIGyF30cKhGM4CxxeLfkuART5+X18mZUvdPKFZX4KTKrhJ0wKXR+YIPZTDE3g+Alx1sAtWUExlEYwRKweV46EhRL1H/rocXF1cN2ts6E6b7plyfrFS6c+HOy49Q+zF0+Z1j4PKvO9y5ZuXDUpIc4m8/NFnW3e1SVp7Nh8KibURtlFgPxRP4w8SoPZWWN5Vy5PlfFcEc9RrizaWxHyeVGteI7UuBFEpAMZ7GgjwSLJMEVkCI4aXHD/Q63TF06bdnNw0X3rGx89Lpy68ac/vXHqzYtuaW68/0cznsFdBquryxsbyysqcK/BiorJLZPR78hnqAJ3QYl/FJ/9Ni7ogYrOWVFXRrgUkgyM0cSGcpEIGvXdKvKIuXthzz73+T4QBPbn6O+HK6iPqHVg59AL5ABqfYn3BUyDfde+oFtw7ZpYvTiTWEisIG4nlgYDTTfwLU2h6TNmNXa08K0rO0KLZq3ka2d5ulxOnnCF3A7WNobgy4vGhCaidzhwdWC0f21jZWXcRXzNICpUBuUgsvsaexZ0kVIDtByQA9i4o0KTPTKULZU+Uo90PlkYXrWaumh/cTu8HrxFqoWkF0m/CDZ0K7+3iNq/Ojw260XqcelR+a3DrdPWrxxqu5/8+MEn0MWhZTe2tLW13Lgs8h2+Dt13+wry6S1DFQ/slVVXDldZAmL/tS/ppbjD6bigy2YlOCfPkV2si6ClF2CwgohvvtTXQafAVejyQrWorytzeVnw8GdCU4Cc+/vWduHiTtexPzjpKuHOd481rf3JrwrCd9+2Fc7QS28C/8S8jTvpFaxpam9vgh96E/6CH1TT0Uv+Xro74bRvSunZJtkYwneGR6OIXmCNjlaSfLyUY6eaQ1gwPBuNZqP+EZ1tUvx8RSrmpm6S5hp6b0QgUgLDyGCZpg6aZOfmJocMvJn4l1QwKsDKKsA6Nz1oi3RCHv0v2lAYlgGO6L3WJsPlZuOw0cuTdLmkoF6mJLjekhls0+apUVyW3zMKfFdnJVLgqsaAqGI70lcFXNOzLjqx04dUDDIZ4Vuye/RgplNWlWQ0A3xL2xrpZpz+FU47dzTxQmlVSIPy6a3NyTmgDQWjNMa4tTtN2VJn1TPAN23enibrndpqMwq4aPdPNUGvDegYYA2iu35N16nxSjJkCN11artmwo8Uw6iBOxo/qVmuUwYGI9t4zWvXyLApEE+V669CZtNaaTVArmDktfp4qqy8YV6+Htx08klBRTPAOY36kMLMa2TciNZGs+UZGXptQGuMJNLyKtTDrlGaFKTIEMrr1XjNpB/BzmuiriZaKljOESmn1YMcGbKUFjLt6Dcdj1cD7BrprEdmtXq0I0OfylikJDyNYI3J5aqUWFXQqQNKkzet1ScdETaV3FbgMi2DVV0e3EBdjyEdhTL8MdCo84WT+rypXFyEedxcKjPyGnM2anIYaeQr0sgCqiGSnFmGZYq0RzAyyHVmqzOR4UuGjUZpkWH2r5fh0x7xy7DTJ3mG5CuM2C1RA3Z4bxTYDGRW097t0IaCwXTPoJ2KIbveHVeNUqFyy1U/5YzIqI9mjk1VVGO0zGYoy5bUEzJGapNm2VJ5ZOnZYjVgxSiRIfnJDOyjKNkmnXQzUN9jrU9KT1ZHritVEK87M6syo6Axk6A/25HsHjWwacxrGpRpSpOradPayFxTMmunBn65XVGfa0qltaOwpxCrtYbk6TKxp6Bg8HRSzkidjyEdlWCBklfnpcocqMwYaMlajGhTZHOrzP/pzvhoshnJoRuVnM+INkEGXyqVS5bzicvdGV+HmRAV6Ml3pZ/bVtBgKgGWDOhMDOpkXL2rnurZBP8mub4bkamLmUxDJKc+WtIbJWnL1emLhgyrW9Gc9dHsJ2iB/VuoL9KKj26+/AtUGGn1UzThl1xRM1JjlFSPNcKvDWz9GRA18GqVrabEv4xSBiSpx5RZm6Wh0khVllFPLJ+xnKdxmTs5iMbk7fRZxOSQa6KyoVk77d6HCiuXkuzfVs5uGCgtVT6jmrNTAjFtuqWds1MkXGqfVkduKs13wozKLRlVaZOJ7EJma23S8f6My9oZU21jYFbMoHob7ZJrQNZOZ/5Fq3+Wbt4unfxLmlZHV9WNutydugyVUsJALe66KvhSWZPU67amvJ0mq5EcNlV0Si9rN6JNkEEnV7mUhMtUzk55XR7lnF1KlyVjOTtF1En0fnx0tuS+kcwHkrs86mvrVMZ5KYvr9ObsVMb3cslJZerSiH/Ve536qtOMzj3oq0NLs/4sQ7kH9ZGSrgqztKsv0smNZKL+QpWHaFTeJs0KjAzpvK4dCt32TsO+UubkJv0cwCjIjWFZAEPlJmkWIPkKrz23JJ924Hx0Mp35j7TznMMg6MBbt77EIC6e5aPs2aSOcxQP81GduUkdgcp5pqf6QJNHqMZtMDT6VeMhqIBuVKJf9e8dJn60VR9kOOenYZ3IZM5PawWCMXqTWIGQns7HVxxliHO6olDjOac/Dk2Hc8ni0Jh4X0/tSKztVx1Da803KSxrZNxcumQuBnQgnkBHfZ70vDry98N4ShU3+G4tVBseIzaG1bXGqfFLkq1x6VYUa/NnR6oo1nfWg8H+bCoghzllUD1xOnTVS2kF3U/rtIeM8iUDxz1kgncG1txoZJ3xteD6am5U1oIbRPsM1dxofd/S8LcgMmCzNGRs9VFYFT2VbKjumEa91ZTBpn8zWqPkjnLdjda6Q0Non3bljdo6AAPiSS21NyPEk7ppZ2j1jdrcvAGZjLR1XqECR/KY0869DTvS8mkj9i46V2Zyb6lAkGlcDCyjWGOoBkS5rYuD9duuMdSGgsF012npNJI9oqta5VWbnUsFlNzKaaebAVZOHYhp002jNqkkXGoLpyNvpJQrUI27Kjokn1suNKqikeRSo9mGjAybAoNUmQadlFOZa9QIVaTeRllqNNfbKE2qwdIYU2+TGoh4zJPpi/Z6mxFQV7krlareJp5r2s8AULWjlsTOpXs6q6Zd1JQJO+NPPNRXcZP5zMMoVNyMWubB0IobDXmHdN9jTzfTrKXi5lvLNOuouBkFnVddcaMjq6Xi/Yl066j1Sk76sX+aa4EBG/FGVPHrlJ6kvrH2PU1tO1zxb5XryX0YkO9U0mRdu9kadSdWVyVPR2lvMjWG8kBHfdZGJewp0zZa4rl0tD4TkbDhOp/BWDgNjdcQCyf37Y3I9sm1fdSzfSl0PYP6kqDpMdqpoQJCsQwhJezqx06Zv9AQi6aZPTE0Gk0amcrml0tssmg0JurXUz+S4J2pi6RTxvEKFFMQcTJuLl0yFwM6EOtoyIakVTfAKpP3dGL4dM+1io7dlHwOPVU3mmJN2dzG78GqqiXVBltG92C1wquRrqO6B6tKFrTB36QTak1v6I3oV8jgUweWljhMDTzqeC8zi4ZHYZrOAtar8wo7FBnIWhqYwdAfw6d8r/VfJfuj7oSU0c7+pH6XOmPRu2JF8mhH76nfYMpc9K5ci67Sp08Vvcf79Nr3JFXFIwbuSeqP39X0xNK+J2lw/K7OKzBgP1dT/J561dcVDamJ31OdFKwGd0Mi+NSrtq44WKPOKGg8joE05euGQ6NYfUewS2OlnXeRzyDnWnSuzORdUoEg49nIeKvkWUrEI9G7EsdSn8lhVRotJex6Mh8KsyTArixtqeN3ReAB2RM9xYJQpO3wegfnJnuS7cGnjBcUt+AJiuxRF7+nHDvVHBp2pJJWaqiZOwP7UWrgSRkHyWBLJw4ie/TQThXf1PFPtTdrTN5H/V5UBvM+ivnpBE4YrzNx+ek4DdWj7wpZTuP5picKMZxvI0QhGeJb0hhEzZuVqfKsMW9Wqo6gNGcdlM46IOMopUfmYt9nBeKKJX8rNPp83FuhoryPlNWXzZ30rVDt9XHJZS49H9wgeVftg4tc1FYVmVTeVXjgavY0UsXc8rfXMxBzK1l0Mo5SemQu1sYCUYLl+zHR5xP2Y9T4kqkiF/l5Ddr8YFU+vKIfLNJtJB9eRjdlHx6IEQHxI0Q3RsmPPhy9WaIavjcn/u7UmB2WYwFELOTzRp+OPnTtGthPfkwtYB4lWfJ3BAGvHxcWkMcJAV4/ia/j/k4A8CplozqYo5AzltcAxQNiUmXN9QDUUuBVYH/2CcpG/mpo0bVrxGH6HM0y+0mW+Qo+RwKCPk29ypzH+NnfcBMsbyOISYHKAHw6GbbXNSxe3DBl0SKhVPqFPo2/pkiX8BtCdJI+TZ7FI1teg8MSIkQx45DtsscRJkX0OfIAuxpjQoDIc1StB3xy9BQEH2wTHkL3fUifo26W3eeBGH94+NTRyH0k8Xd43zv4Pg5iyMBb6SiG8O4i+CGXP3H28FA3/Ed8DD8KgBs++TR8kiWcbzI0LU1S62rET3pKyjng7n+p/1RXl/jY+fNEwlMUw0hPBdyNGIucBjgdiZ451Y+eOn9exMYC+fACO5twEc5fZxE0T5jxYxE+1Nf6vNm1gcn4F0i5A6+8cvOChTe98gp9+tBTlZUr1q5dUVn51CHEUZ5+mWpm10C6ewhP0OKEHHWGCJs4XAILygP1dSXFPi/ZvvEHP9iIPh0dHfTLG++8cyP6bLrt9ttvQxrzOX2c+g92PpSRMUGnl+IJb8hkDTlMPOEIieOikT31dbWBnGwIJwazpHh8+Xg4uu/zkzfeOqUme/JLPeOWNyytmE8fXzJw/dicNdOX9OcVTFw/Hc0gyWU8Nz31Rb7D1Gr6XE8PotFtkLIcux9C4fy1yc4TplAO5iRCCqI0ub4OTseVTxaRs5M+H7g0ub547Lza2eM2zVyzsbS6lD5XWj+jrshfUHlf8QR+ec20ibXlZjT2F/QR8iu2TkGavlj5UoA+EpG6t6gHqEeZGUiW3gR0CBBY1dC95Q2T62udDPgmMP23J4XnqQeet4z7SnhoKnrqpLCaPHttPdYFluDZ5LogrI7VhQNCIXn82iZRq4mIViOoDiw8u1koBK3CS8iykEIhtY24Ho7vC1rhjQwImRjeBOd5V+R5PWJ0Qw4H54LW9NnW+wteEgqfaJnzZdmG0u0fwpn2C+2Umygk3IQ3aLETvNkeMrFmNzGjtnZYaBrqG3zFrM9bG2jgWPLRe37QHOzn791UMsk9UWi/fdX829zNZGH7knbrYTOyURHbwjKnsc2KWASW+Su+jmg6y3yEryMazTJ/Q9dRzWWZj/Hfo5rF/D3hug9fR3SIZc7g64gmsMxZPF5EilnmE3wdkTmWOYeuo1RkmQuijZVowjL/g2wlIbBV1MvcFE22siLRVrJVSraSrSLP4pFHspXDjyOt+RI+99/c+ASpLSvKAV8LYeDvY6sGBrCthJC/I7uvoYgBH/YBvxAW7yOJq2wVvRDfh2wlIJjQsK1sKOKK4Ifc/Qzw9w5tQv+ix+CDAFBw/F9zNYqWEtQCZCkpQL8E6LPbtrFVgBbCu3Yh+BFFfyU9l2grAbKVSLTD8KGzCEZA79olhBE+FWwxtYObQ2RBS0ATlhDBxVnLWtFW1iK6/ezAK3NuaJr9ygG2eN/OeUuXztu5D1tJ5n2qmevUbyWZ9zvXretEn00rV61aibD5K1tA/Y1bR+QhK5kNrWR2yJwVckJL7ky0ktkJZhLbyb+enLBi6rSmPGgoi9fMrGzxz2cLAgP5Xu+4NQWB/sIcR8H6AjQP4ubf2X/IbeWHFMtWSbaSuUrN5jYQXoid2WrK4i3QXGLiYiLV1zUge4nNZW0A4sixPtI7q7zwpo45s5f+8r8mz8xnrvqKJuYVOWsr7/vOc9MXj3e50biP0G9QS9jNov2DFgmZwHj795vA9HePCc/TbzxvKf5StH+XnyE2UMeYXGIp0RKsmWPlp/r4mgK+spSvz+NnOPkZ9ZU1U+ewYNFivmVRaMnSFg4OzYFQC8e3bO8iEN1c7sbGykp3TmOlRMaG+iaqob6aLCm2ww/6Zlnx204hkjYgAjeRtYECMv47Ozunvpoqrwc+9sW/bJ3hCa67dXZb56pNt7Tf07YiWPfjPfOW3duxfu6StcEbls8b2+yvs090BFe03dN+y6ZVnW03fHfZ2uCC21fcvWzu+o57ly3duGqSd/a2D56lujf0z2yd5ANVZH4+XGjgz7Rp8J/ckpJcu/8ZjhH/W/RnbD5VRTqr2pr7hz7bCun6CbRlWewGhfXnk5Wn7oKewi5hA7L0HEtTOVBjZPeRXMFXK1kaVAmnFGxp5JpkWYZA8eoO+jQdwF6RgxgDVw1LNm3hKcBTTpqYVCupEhw2mcsLjv/o1BPCQ5JVIu+IuHLYEbLITByU2iFonV+D1lmFzr52qKdl+Yrmnn+nT79xZMv37r73N68j2SOg1r+qTuufe+OtRXPnLnrrdaT17bNmtUOt/3/vLPotAAAAAQAAB3c1w/mIN9tfDzz1AAsIAAAAAADYz+FlAAAAANn85G7y4P0SBWgIsgAAAAYAAgAAAAAAAHicY2BkYGDf+U+BgYFlw6cHvzezZjAARZABGzcAod8GkwAAAHic7ZhdaFxFFMfnrmOVPmmJYuMHFhSCdLEPfpaotUYRu2goQYqIDbIPMRgJGmoqWBINmIcgJUgQWWgeQlkKwoJF+tCK0CJFRKQ2KG3F6IMvLRHa6jb0ruv/3PlP7tm79yZrTOlLAj/OzNwzZ87MnDkzG1sxI7Zi8teQB8g06M1gWul4uVpkjTkBnqQs09fyf0D77hlN1Ldat76fNFP37YVrxHbi696nAuesGc1ggvrdKSRt/B82g7YUxP+NLTCVIM+98es7yvasWFgNbiMSG+MZiN4e1SdLbyV0LeGb+IRYrx+zrZ2Zk4n6IYVu35XBoI3PibEN56a+dZk1Wk3a1NjiVzKGSxl0kc4UsvqsBPHhuRT6waMtkJbrLnLufo1L/LbXVqpHbOXSzU7+/YetBHeBHNhk3Znxdg4r7kmMcSfYZhvzmT/H91uX73zemFB+dds4Hn1u8v1GVD/RN6w/TDnKfrfaxvzbRrvPu3I9pH/ers8PeqwyffO5oZdzzFNP6u85vaAzxnTYxtiSub5j0++Gp+i334OyKr+i9i/PvfZzHySfg6Nch0Ha28W9FBtjtvFsit5bYB/LYvNBNa6Pdz9WmX11nPh4KnENZH4v2cZ4Fd3dlINsE7nTxmfd++Hj6bAqT9k4NrwPeRvfkUXbGDdT9NvvobrP6vVsItsbbXzfibyPfh0EFTXvD1h+hvNZBz5We6VzlejeCF4Gj3M9+9kuvMbvnnF+L3Bcvx9D3Dfx533r4lf2dA/Xc4hlyADnNcB4wRMAaxFso0R+Cl6n7Lp+etGcdxJf9m8O1IMTYDKW5hGWT3C9P2N9C2PnSzDMWOhzBOshv4WU+PoecsjVzS/gR+oKkjs7CNsCGeMr6+40yOCgawt8HIqtC26MoB38bithn8uRgpR9XcsQ6xEiHmtvQuJ8hj+jjDhbuAwd2LsCH2rDze1Sj5hD+7j7dgW+hRbfeyDPEdgOb7eVq8hp1YKTQjR2T+xXKlsc1RGWsV/VM7Hvi3thFD5P+3eKxKTPu5IH5K38onW5spdrbbiGA9yzQsKm4fmdoRywcS4y7oxG+97v9qou572LvhUVexP1Sfqwj/tXTPAdpX8XiV95nucpnt8Sz1jRxaS5F8j76A3wNef3NNuOpcxrBeSQw217XM7SSe2/g+iyIuqX0t6E4ZrvyLBPW4v2lppTd1wONifKrfhCRL/lPv6N/xuRMYcpOzPqRrV3KvkhOE75Q0p9GV8kXgXJG77s67otqxzVxxy6LWqfb26XNpPSJ6knd3ekI/rb0/WXs5GF2Fz0Ra+t93m+WbfBr3nl13zzPJezsaRv7SltWes7lj1Ow36NZej4+UuOkbfFswrJc/4thvvBPKZ02hV3g4f4Bpc76BZw2WHOsb9I+c3kf4frM3kauut4dyFfB32uHp1Beb8eABgjeFf1S4tlbfe0sxXZUP1DjFHDfVRDPq29Db6xlb+gt4D3ysKn/Dbg9ORu1PdlVOb9lmyv9qh7Ve7KF1J0jtDm/pgQ639xzt2FVdwv4Re4R9F+aY71OyD74u+R3f2uz6KNQsLuDOsz/M5vYkvKMvfwVd6xyFdXZW9KXLeTa6yxxvUidzRGtyW/L/VtpX2j3xOTlPLb8pAxgQGnwCYwi8pZyA1kPehH23kgukVwARxnnwPG5HKQJfebJzhlo//RBLOwfRZyA5G8L2/n8zb6PZmTe6QEm/84O+ZPjr0AeQPbOzj2T2CWY3+EPDcN+SvGvcmNE401Dp2azAVl/P0LwMzxwwAAAAAAHwBNAF8AcQCMAKcAwgDeAPkBCwEnAUIBXgF5AZQBpwG6AcwB3gHwAjYCSQJdAm8CqgK8AwMDOANKA1wDbgOAA5IDuAPwBAIECgQxBEMEVQRnBHkElQSwBMwE5wUCBRUFJwU6BUwFXgVwBbIFxAXmBigGOgZMBl4GcQaDBqgG4gb0BxcHVQdnB3kHiweeB7AHwwfVB+cH+Qg4CEoIdwiKCL0I0AjnCPoJIAkzCUcJdQmjCccJ2QnrCf4KMwpoCnoKpgq4CsoK3Ar4CxMLLwtKC2ULeAuLC50LrwvCC9QL5wv5DAsMHQwwDEIMigzcDO4NAA1SDYMNtw31DjEOQw5VDmgOsg7EDtYO6A76Dw0PWA+TD68P3Q/vEAEQFBA5EEsQXRBvEIIQlRCnELkQ6xD9ERARIhE0EUYRWRFrEa4RwRHTEfISIBIyEkQSVxJpEpUSuRLLEt0S8BMDExUTJxM5E0sTbRN/E5EToxO/E9ET4xP1FAcUGRRuFIAUkhStFMgU4xT+FRkVKxVHFWIVfhWaFbUVyBXbFe0V/xYRFn0WkBatFr8XPBdOF4sXxRfXF+kX+xgNGB8YYRjAGQwZXBmfGbEZwxnVGecaAxoeGjoaVhpxGoQalhqpGrsazRrfGzobTBuPG8IcExwlHDccSRxbHG0cmhzXHOodIR1BHVMdZR13HYodnR2vHcEeFB4mHnkeix7IHu8fAh81H0gfeh+kH7Yf7iABIBUgVSCYIMUg1yEQISIhNSFxIa4hwCH0IgYiGCIqIkYiYSJ9IpkitCLHItoi7CL+IxIjJCM3I0kjWyNtI4AjkiPiJDkkSyRdJL4lACVCJYQlvCXOJeAl9CZBJlMmZSZ3JokmnCcGJzInaCetJ/AoAigVKEsoXShvKIEolCinKLkoyykQKSIpNSlIKVspbSmAKZIp4in1KgcqJypWKmgqeiqNKp8qyir+KxArIis1K0grWitsK34rkCuyK8Qr1ivoLDEsdCyGLJgsqiy8LM4s1i2yLtAvTS/MMBMwRDBxMHkwsTC5MNEw4zEAMTwxRDFWMWkx+TJNMnEygzKVMuoy/DMlMy0zNTM9M1ozYjNqM3IznjOwM/Qz/DQlNEg0azSXNLs07jUkNV01nzXeNeY2IzZjNms2fjaGNrU3ATdRN4M3rDhBOJo4yDjQOQM5OTlrOZM5mzmjObU57Tn/OjM6UjqfOqc68js5O1E7YzuAO7c7vzvRO+Q8cDzCPOc8+T0LPV49cD2YPcQ96T3xPg4+Fj4ePjo+Qj5UPr0+xT7sPw8/Mj9eP4M/sz/mQBxAXkCdQKVA6EEnQS9BQkFKQYhBz0IgQm1ClkMoQ35DrEPRRAREOERpRHFEeUSBRJNE1ETmRTFFhUWNRiBGdkZ+RolGlEbnRwZHDkcWRz9HgkfNSAVIQUiGSN1I5UjtSPVJGEkgSShJMEloSXBJeEmASYhJkEm6ScJJyknSSfxKBEoMShRKHEpSSo9KyUr9SzBLXUuUS8RMD0wiTDVMdEy6TQtNQ02XTdpOGU5HTnlOok7UTxpPVk+CT9hP4FAVUE5Qk1DOUPpRKVFvUbpR8VIzUkVSWFJsUn5SkVKlUrdSyVLbUu1S/1M9U3xTolPXVCVUUFSRVNZU9VVPVZRV0FXZVeJV61X0Vf1WBlYPVhhWIVYqVjNWPFZFVk5WV1ZgVmlWclZ7VoRWjFaUVpxWpFasVrRWvFbEVsxW1FcFVyhXVVefV8hYAVg9WFpYpVjhWPdZTlmhWhlajlsrW7ZcJVxBXFVchlyvXL9c6F0RXVtdpV2uXdBeAV4OXmBecl6GXpteyl74X1Vfsl/PX+xgDWAtYDVgPWBQYGNga2B9YIZgj2CcYKlgtmDLYOFg7GElYVthfmGgYa1hwmHdYgNiN2JVYoli0GL6Yzpjc2PbZINkrGUYZUBlTWVeZaNl8GX9Zi9mPGZNZrdm/mdPZ59nq2e4Z8hoAWhDaE9oW2hoaMto12jnaPNo/2mBaipqmGqlarFrRWtSa79sG2wnbFRskGzBbM5s32z7bQ5tF20fbR9tH20fbX9tzm4ebp9u+W9jb75wGnBgcKRw1HEucZRx1nIxcoly1HMHc1Nzm3P+dEJ0rXTvdR11YXWIdcl2LHZrdnN2e3aidqp2zHbwdwd3LHc/d213qHfGd/14JHhLeHt4rnjWeON5EnkpeUd5nHnBefJ5+noCeiV6T3pyenp6hXqcewR7kXu5e+R8Dnw3fHF8qnztfPp9B30UfSF9Ln07fUh9VX1ifW99fH2JfZZ9o32wfb19yn3YfeZ9834Bfg5+Hn4yfkJ+U35hfnd+h37Vf2iAj4CrgNeBDYEzgVmBgIGmgbmBzYH4gh2CUoKHgr2C84M1g/iEM4SIhK6Ey4T9hR6FQIVbhXaFiYWcha+FwoXSheuGAoYZhjCGR4Zoho+GnYazhsGGzobjhviHBYcah0yHaIgsiE6IcIi1iNuJA4lciWqJgImViaqJvYnRie6KDIosikyKbIqBio+KpIqyir+KzIrZiueK+4sPiySLOYtdi3GLhIuRi5+Ls4vIi9aL44vxi/+MFIwojD2MUoxfjGyMeYyFjJiMq4y/jNKM840NjSeNO41bjXSNjo2ijc6N7o4PjieOPY5TjmaOd46Njp6OtI7NjuGO8o8JjxqPMY9Lj2WPe4+Rj6aPvI/Kj96P75AAkA6QHJAukE6QdJCCkJ6QvJDKkN6Q75ECkRORIZE7kU+RY5F+kZSRqZHCkdiR7pIIkiSSQJJckniSlJK3ksiS2JLrkwCTDpMhkzKTQ5NQk12TcJOMk6+TvJPVk/GT/5QSlCSUNJRElFKUa5R+lJGUrJTClNiU8ZUHlR2VN5VTlWqVf5WUla2VwJXWleaV/JYNlieWOpZQlmCWdpaHlqCWtJbJluyXBZcflziXTJdgl3qXjpeil8WX3Zf1mGqYsZkFmTmZg5mvmcaZ5Zpamr6bHZtFm7icHZyAnN6dG52EnbWdyp3pnf2eHJ5DnpGey58gn2iffJ+Zn7mfxp/Wn+Sf8qACoBCgHqAwoD6gTqBqoHigjKChoLagyqDdoPKhBaEloVGhZaF9oZWhsqHJofWiCaKvosyjNKNdo2qjpaPVpAekLqRVpMmk1qUgpS2lPqVPpW6lmKXPpgamUaaXptCm+qc/p0ynfKfAp/2oPaiCqJOoxqj6qUmpjqmbqfuqB6oYqkCqdKqwqsGrOqu3q8Sr1awDrD2sjazbrSStMa1vrbmuCa4arn2ujq8ir1Kvma/SsF+wm7D/sUuxerI3smiyaLJ/sqay3bMjs3mz37RVtNu1UbW3ti22lLbqt1C3xrgsuIK46Lk/uYa53LpDurm7H7t2u9y8M7x5vNC9Nr2MvdO+Kb5wvqa+7L9Cv6jAHsCEwNrBQMGWwd3CNMKbwvLDOMOOw9XEDMRTxKvFEsVpxbDGBsZNxoTGzMcjx2rHocfnyB7IRch7yMLJGcmAyffKXsq1yxzLdMu6zBDMdszMzRLNaM2vzefOLs6Gzu3PRM+Mz+PQK9Bh0KjQ/tFE0XvRwdH40h7SVdKc0vPTWtOx0/jUT9SW1M3VFNVr1bLV6NYu1mXWjNbD1wvXYtep1+HYKNhf2IbYvtkF2TzZY9mZ2cDZ19n+2jXafNrT2zrbsdwY3G/c1t0u3XXdzN4z3ore0d8o33Dfpt/s4ELgqOD+4UThmuHh4hjiX+K14vzjM+N547Dj1+QO5FXkrOUT5WrlseYI5k/mh+bP5yfnb+em5+3oJehL6ILoyekg6Wfpnenj6hrqQep56sDq9+se61Tre+uS67nr8Ow37I7s9e1M7ZPt6u4y7mnusO8H707vhe/M8ATwK/Bi8KnxAPFH8X7xxfH98iPyWfKf8tby/fM081vzcvOZ89D0F/Ru9LX07PUz9Wr1kfXI9g/2RvZt9qT2y/bi9wn3QPeH97735fgc+EP4WviB+Lj43/j1+Rv5Mfk5+UH5Sfld+WX5kvmu+cL51vnz+g76KfpO+nj6qfq7+un6/fsY+zT7SPtp+5P7m/uj+6v7s/u7+8P7y/vT+9v74/vr+/P7+/wo/ET8WPxs/Ij8pPzA/OH9C/0//VH9ff2Y/in+Pf5R/ln+Yf6a/rv+3P7c/twAAAABAAAGDACUACUAUQAGAAIAEAAvAJoAAALND4MAAwACeJytWMtyG1UQvU7CI+GxoigqxUKVYuFQsh2HRxVkpcjyg8hSkOyELEcjWZ5ElsTMKIo3LFjzI2z4Cj6ABR/AR7CgWNF9uu9jNJJjDOWydOfevv04fbrvHRlj3je/mOtm7cZNY0yf/mW8Zm7Tk4yvkcwPOr5udsxPOr5hPjW/6fgNUzF/6/hNs752W8dvmR/XHur4bfPx2q86vmk+WPtDx++Ye2t/6vjdYPzeh79f+0TH75svP/rL/ExW7pt7Ztt8RaNDk5jYpGZiMvo/MTnN1WmUmik+I5pJaDQ2m7RSMyP6q5gOzQ3NKa1leBrQ94CkX9JnnyTrtC8jvRE9JfQpOvu0yrJDMyMtEcmzD9v0t0kebZNPD0yXbHxD/w9KOqyGjQUdq21VFiSfwMdM46mUrP8fFhMgwnM50OPZM+x6QXOMMK+cQnYZ9kM8zwh9Kx3T9xk9R+RzAqQ3CaXIPIeVI3NOawMzR7Ze0GoN1iTCh7TCGeNM5ST3tdmiv0x356W9m2ptmWcZvJqStgRZrtA8W8nBjGfwuoJYz+l7BkZIrIKJlea5CeJKSYK9GJgqPfchNwXG55jhiNnOlCQT3RurloE+R9A9RWbPSCrHGu/qwQ+L9QgR8S7rl+zIgHNamjlxMVQvlbcpnvu0J6bnKvCSihC7VWdnMYIEmZoDp5g+l2M210hZOqZoZmBWfyn2vGeE0TrJ36Vv5mBPcVmmXXy4KrZeex+ahjSXgqk5Mhe7HrIsAmu97NeDgAMcicSSw57tTqxfYu3TzByRT1B3F3EvKrBqgLxM9FOikvEMVTPDTvbWZtPqOUV9TS/kqPTNsWbGa7cVkijKzB/2twekJbe3aOUW1bjgzFGMEN/c4VzkdRW5iTDuKxN8nrrmwDTpu42c8squw2WxPtZdz8hc14gR4xRdfxN9dETfjNuQ1tukrUkZksr1nSJzaJXzIdgIbyxHIpwwF9Wr5XnPoTJTlhTj3YPWfVrtKSOnqNkE/qTQceKqv8yVMgZD7D2FRtsrt1AbxX6whdMhPCM2IM0c2qK9nMMedkaoEo5ti9A7oJOkYVqUqQYhafP/2FVgFpxe4q2waaAVOURNjJU/VUTDq4PgNDlF1QyVLbYehJ9TPSHFAvuY01qCk0f4Fim/p8rnsC96NnUVhzlshZZ8T+W4uQdIr7c6q8jvIPDQdxdZmwDRE5VNsZK4XtNDtQ4K50emp2C4255hVoYZVF4VryyL/020GTjynJ7ioO/kF1SydI2wEph1woBtdL4W7U2CDvJ6Tyo0L/yOXAc6AXdy14vZIvc1Pruk9uyNg7VKD8sQk/TpNnAe4knkxcJhCb3ifSvT/IW1mwEHf6KIX5ytE8f++4j96lYvn7dF73raV0aOfavY5pm0pX75yOaaM5+DbAlfpP9LHvw5HcFPviXJzcBXnj1jpDqzIL6IvJrgJu7lU3dfF0bk7hyz/Pf9r9h5uUPL+ZOpxggs6OnZtXiWFxkqN4gMfrKdDeROeCU9/RV8OsFZMlCOcH89w44NvSP2EdUIu051RrJseeDvEAN3/qSIPkX/zV1+Y0TKHizTzr0n17kc3U6YxbnMgmxaezYC8aKn/LRni43KIiGxD90za5ooskU7RZwHkLc3nZeQnC+9i8303mmr5zPtHJNL1MpVKiW859s3rvBdMNTSoj2M7zpJ3NWeK/hkiPGV3hliYMxYp+7WOTbhTbR8DhZPvkVUYuRH7qRT12clE/UlNbKv1StISgWIneX32vDOvfruMzD2nngWcMSiM1Z0/L07VSx9VEVdNteZy/bnwNXeF8cLeBez+7q4/a7wrKmh451idrnei1iToafJWSx9yDJ85u6sEqNU7xlk7D1gjDt+qoyz51ofTEuRi8z1tPNL8L2qrItxMwzfDmJ6Gx7jdJbePyxw3PZefwKIvv+Gc9iJVyOdFk4UkU0we7X6scz5osCci+825XvSRN9oyncof2+YQoPvlf69dwKURfMM1WVZseqslZpI4NFI+9BY8Vx9loV3Qm+pyMNVFkP9/i7lT7pVp6Z0jO9pv3h7ZuzbtX3zsB3A9wqRixShy0Qmb7/Sb2w8tg+dB7weuzflGGes9SX8Laav1Wj74+vr2r+n7tN7C0u2qdcfQZLfCo/MU2JzB2sHNFehN5oOrTyhpx2a3aGZOyTR1fU7yNRTGrPGtjmGLtHRoU/W/cxUoLuCZ356RPIt0sV7G+Y72GiQti4kO9B9SLP8ltVQOd5Rp5ljeubxnuHfzMRei3bxdxP72Bfx9IjmvdWiVwewaD07pKcO6d/X1RrpPoA+9r8KpHjccn7uqqc1YMSaj/BOeEy7alh5TOMOfbbxjih+7Ki3LcSwS+sSSwMeSCbEozp9PybbLLFHfh3BC7Z0pJJVRMjx7GA/W32EWfGsrVnmsdeyqViKH4z/E2e5i/ib+OXBMqTsRwWZbsJqB1loKPaMWtPxqhNgXwcqnB32b4fG7O+ey8Giv1ZbMQfLOGAt7CGKBvBoQrpLfjdI/sDNCOsOwLa6Iig6hd2S+WaAYR254vx9S1YbypwaECpGIXXA/vsoBOeaftaxt40nn+OW5rDuMtoGl8qoPEXFNSBVQz66DoVdVOmhen4c8Mjm8VhZ2HaeFfG11WLlLtMhRJe1Xcwg41mDdvaw69B4vd7Nq/2e9Q9nNlrDeJx9PAd4HMXVs3unKSq2LMmy3A2hE4y0e2VESNGdTrZB2Ma2cEyKc5LW0qHTnbhiW07vgfRCAgkk9Bo6IaR3CBAIpFc66YH0QpI//+7Mmy2z59ifbvaVeW3evHm7V5CJxL//XowsdzCQ9g93ui9HoXsNEy/H/XgFHsAr0T14FV6N1+C1eB2axOvRjXiDsdToRlPGMnQTep/Rg45Gx6D/oP+iaaPX6EPHol8by41+dBxyjBXGAPomPgIfiZ+Hj8JHo/uMdfgYdD8+1jjCOBIfh45HJ6B/GEcZR+PjjWPRicZxxvHo+cYJ6FvGiegB9CB6Dp+Avo1PNDYaJxuD6CRjCG3Ez0cnG7aRwicZGfQEGkRDRtbgeKNxCj4Z7XP9esg4FT2MB/EQtrCNU2gGp9F3ccYYxVnM8TA+Bb/AOM04HZ+K3m+cgW5GtyAb/R6lUNrYamzDL0QZ40z0FPqXsQO/CL8YvwRljbOM3XgE5xBH3zPORt9HsziPfoBHjVfgAh7Dm/BmvMWYMqYNx9hnzKBhdIoxa5SMc4w59AJ0KvqtUUafw6cZFXw6HsdnoBcaNfQLo240jKax3zhgHDQW0SgqGYfwVrwNb8dn4h1oDu/Eu/AEPgvvRmX8UnQO3mO83XgHqhjnoXl0qXE+KqAx9H/uAlaNdxrvQpvQb4x3GwbajBaM9xjvRTV8Nn4Zfjl+BX4lqhsX4L3oXPwq40LjIlzEk2gLOg3907jYuARPGZ9ApxuXGpehcfRD1DCuQPvRATyNmtgxrjauMa41rkNn4H3GDWgrnjFuRNuMm4yb8axxK3oSbUdnGrcZtxt34JJxJz4HHUQ70KJxF3o1nsNlPI8ruIpegxfQIXyu8WVcw3XcwE2837jbuAcfQJcZ96LXolvRTvQM2oUmjPuM+/FBdJbxAHoa/dt4EC+i84yH0G7jYeM7+BB+NXopep3xffQG9Eb8GvR6/FrjR/h1+PX4DfiN+E3GI8ajxmPG48YTaA8623jSeMp42vgFehl6Ofqd8Uv0Wfxm49f4Lfit+G3oFcbv0S+NZ4xnjT8YfzT+ZPzZ+IvxV+Nv+O34HcY/jefQJejj+Dx8Pn4nfhd+N34Pfi9+H34//gD+IP4QvgB/GH8EX4gvwh/FH8MX40vwx/En8KX4Mnw5vgJfia/CV+Nr8LX4Onw9vgF/Et+Ib8I341vwrfg2fDu+A38K34k/je/Cn8GfxZ/Dn8dfwF/EX8Jfxl/BX8Vfw1/H38B343vwN/G9+D58P/4WfgA/iL+NH8IP4+/g7+Lv4e/jH+Af4h/hH+Of4J/in+Gf40fwo/gx/Dh+Aj+Jn8JP41/gX+Jf4V/j3+Df4t/h3+Nn8LP4D/iP+E/4z/gv+K/4b/jv+B/4n/g5/C/8b/wf/H/4vwQRg5gkQZKkjWBCCCWMtJMO0km6yBKylHSTZaSH9JI+spz0kxVkgKwkq8hqsoasNd9nvt/8AFlnftD8kHmB+WHzI+aF5kXmR82PmRebl5gfNz9hXmpeZl5uXmFeaV5F1ptXm9eY15rXmdebN5ifNG80byIbzFvMW83bzNvNO8xPmXeanzbvMj9jfpYcYX7O/Lz5BfQx84vkSPPL5lfMr5pfM79ufsO827zH/KZ5r3mfeb/5LfMB80Hz2+ZD5sPkeagX9aHlqB+tQANoJVqFVqM15nfJUeRocgw5lhxHjicnkBPJ88lJ5iPmo+Zj5uPmE+aT5lPm0+YvzF+avzJ/bf7G/K35O/P35jPms+YfzD+SjeRkMkiGiEVskiJpkiFZ9Hn0F/RX9Dfzn+Zz5r/Mf6NlaClai9ahG1ASXYGORJejr6G3oy7CESbDqAe9GHWgTvRK9Cr0IvQScgp5Aeomp6Lb0O3khSiXSKCvo2+gO9Cn0J3o04kkug5dj76IvoTaUHuCJGiCJdoTHYnORFdiSWJpojuxLNGT6E30JZYn+hMrEgOJlYlVidWJNYm1iXWJ9YkNiSMSRyaelzgqcXTimMSxieMSxydOSJyYeH7ipMTGxMmJwcRQwkrYiVQincgksgmeGE6cknhB4tTECxMvSryYvAglyIvJS8gIyaG3kDz6AiKJMTJKCuhq9HcyRjaRzWRL4gxyGjmdjCfOJGeQrWQb2U7ORG8lO8hOsgt9mEyQsxIvJ7sTr0zsJS9FS9Cz6A/oLrQBvRcdgdajC9CH0AfRNaiIrkQj6AOJIrqY7CFno4+ii9BV5GXowoSDKLqbvJy8gryS7CWvIkUySabINHHIPjJDZkmJnEPmSJnMkwqpkgVyLqmROmmQJtlPDpCDZJEcIq8mryGvJa8jrydvIG8kbyJvJm8hbyVvI28n7yDnkfPJO8m7yLvJe8h7yfvI+8kHyAfJh8gF5MPkI+RCchH5KPkYuZhcQj5OPkEuJZeRy8kV5EpyFbmaXIM+Q64l15HryQ3kk+RGchO5mdxCbiW3kdvJHeRT5E7yaXIX+Qz5LPkc+Tz5Avki+RL5MvkK+Sr5Gvk6+Qa5m9xDvknuJfeR+8m3yAPkQfJt8hB5mHyHfJd8j3yf/ID8kPyI/Jj8hPyU/Iz8nDxCHiWPkcfJE+RJ8hR5mvyC/JL8ivya/Ib8lvyO/J48Q54lfyB/JH8ifyZ/IX8lfyN/J/8g/yTPkX+Rf5P/kP8j/6WIGtSkCZqkbRRTQilltJ120E7aRZfQpbSbLqM9tJf20eW0n66gA3QlXUVX0zV0LV1H19MN9Ah6JH0ePYoeTY+hx9Lj6PH0BHoifT49iW6kJ9NBOkQtatMUTdMMzVJOh+kp9AX0VPpC+iL6YvoSOkJzNE9HaYGO0U10M91CT6On03F6Bt1Kt9Ht9Ey6g+6ku+gEPYvupi+le+jZ9GX05fQV9JV0L30VLdJJOkWnqUP30Rk6S0v0HDpHy3SeVmgVPQ8x9A70NvROdD5dQO+i56I3J1+TfC3ai36F3kRr6Ku0nnwDbdAm3U8P0IN0kR6ir6avoa+lr6Ovp2+gb6Rvom+mb6FvpW+jb6fvoOfR8+k76bvou+l76Hvp++j76QeSlyYvS16evCJ5ZfKq5NXJa5LXJq9LXp+8IfnJ5I3Jm5I3J29J3pq8LXl78o7kp5J3Jj+dvCv5meRnk59Lfj75heQXk19Kfjn5leRXk19Lfj35jeTdyXuS30zem7wveX/yW8kHkg8mv518KPlw8jvJ7ya/l/x+8gfJHyZ/lPxx8ifJnyZ/lvx58pHko8nHko8nn0g+mXwq+TT9IP0QvYB+mH6EXkgvoh+lH6MX00vox+kn6KX0Mno5vYJeSa+iV9Nr6LX0Ono9vYF+kt5Ib6I301vorfQ2eju9g36K3kk/Te+in6GfpZ+jn6dfoF+kX6Jfpl+hX6Vfo1+n36B303voN+m99D56P/0WfYA+SL9NH6IP0+/Q79Lv0e/TH9Af0h/RH9Of0J/Sn9Gf00foo/Qx+jh9gj5Jn6JP01/QX9Jf0V/T39Df0t/R39Nn6LP0D/SP9E/0z/Qv9K/0b/Tv9B/0n/Q5+i/6b/of+n/0vwwxg5kswZKsjWFGGGWMtbMO1sm62BK2lHWzZayH9bI+tpz1sxVsgK1kq9hqtoatZevYeraBHcGOZM9jR7Gj2THsWHYcO56dwE5kz2cnsY3sZDbIhpjFbJZiaZZhWcbZMDuFvYCdyl7IXsRezF7CRliO5dkoK7AxtoltZlvYaex0Ns7OYFvZNradncl2sJ1sF5tgZ7Hd7KVsDzubvYy9nL2CvZLtZa9iRTbJptg0c9g+NsNmWYmdw+ZYmc2zCquyBXYuq7E6a7Am288OsINskR1ir2avYa9lr2OvZ29gb2RvYm9mb2FvZW9jb2fvYOex89k72bvYu9l72HvZ+9j72QfYB9mH2AXsw+wj7EJ2Efto2zNtz7KPsYvZJezj7BNtf2WXtv2dXcYub3uOXcGuZFeh96CfoTx6N3oU/Qg9jn6Kfo5+jH6CHkGPsavZNRhhg13LrmPXsxvYJzFhN2LGbsIduBN34SV4Ke5mN7NbcC/uwyOTNWe/0yGH4lSz4SyR19PVxqRTrh4A0kytuN9ZKq9nq9W54mTVn9Yolaed7pGpUm2qOb+v7BwUcnpDCCUszCQk9oUQvtgwl5DNRpSA9hGfi4zMF6dq1QoZqc5UK85c+0itVJkRqslIQYwd+UBQe96VUZyacioNPDpVdCe6Q61abOCCcAIXBLK7oLtRaOFGQXej0MqNguZGe8E3gRV8jwqBRwXwqCA9wgUxDW8SlnVsCsR1bpqqzs8Xpaz2Tb7Y5ObJYq1jc8BobjkNbxH+sS2+xi2Bxi2gcQto3CI0dpwWUnV6SBUeFzHB48KizvEQKTnuysdbJX2rpG8N0ROFygzb6mkuO/saeJswqnubHu1tLaK9TY/2tlbR3qYnzTbf4W0+V5t7Wau0i1ehsEtchjlrFaFkibj0J0qKEOxOabqJVmvOl4vNBtkGIdwmQ9ixrV4u1mdlHHbAIMOxIxzJnTJDd4YivTOyqE5tvliZnizX23ZOzR4oJne5S4t3CUl015QzXSqXi527wiIn5EJP+N5MBH5PCL8nAr8nIn5PBH5PRP2eCPyeiPg9AX5PSL/bJrzthydkyu6W3u0OvGO7p0tOzamX6ni3UNSxJ0TcoyzBewSxfU+Qo3ukIrxHij5biG4/20/67i0Cs/e0jeXqVHnr+OiSvEAIcPv46Uu2RsFtUXBnFDw7AuKirI/FUH0sRutjMVQfi1p9LIbqY1FP9WKLVC/qqV5slepFPdWL/kIWg7gVYYGKUB+LQX0sSlc6pkL1cSqoj9OyPjqyMDqyMDq6/U4L+x3dfqeV/Y5eGJ2gMPqBbQ/iSBxwxYEyJUPaVvc2Bp6R5XEmtJNmwjtpJiiPs155nA0YacmllZ16HZfk3in52ku+drN0DimBASUwoCQMoOfA9I5zQsrnQso752ZqjlMpuzu5NIXLshyUZTkoh6tn2auecmt2VIoL1XqjVl2YdXBF8lbCldRxK2nFr6RVWUmr+vJUWyxPVV+eaqvlqerpVfWjUg0qSlVUlGpQUaqRilINKko1WlGqQUWpRipKFYJchUpaDVXSGgwyHLVw2avLqNVDS1AP0dvK1cpMPdnwymdDls+GKp+NsJymTIGm70IzcLYpnG0GzjYjzjYDZ5tRZ5uBs82Is01wtgnlsynKZ1PWuAPSpQOhCnnAL58HZPlcDBEX/fK5KMvnYrB3FqF8LkrRh2T5PORvina52zcWy43ukqyk5/iVdCpaHCtRsBoF61HwUARsP7hxvllulBbKi92V5vxe+NtYLs0U+0IIHzngAc3KtFPbu1CsuXvITXZBaD+w1/0vLpOV+ep0cuSkqcW2nOO9niVeN3mveNM53tC5adZpLjSatYpHGRX0Ld5r+xZZtAWi6k04e1YAZ0tUSfCU6u4CNuSlz3560WM/XchvK5TF67x49ZQkt3mX2yWxJl7r3usuD5OccF/YhJLaVtjnvW4WAvNCP95VF8POWQ9Jd85OiQsyekiQO3ZW9zXqpRlPU8fmYm0arskep9b05o0Ls/BWOYweEloLXiQKXn7X6s60h9ni6d3jOdl2msdCdtWl+1ua4lVYNOqH0KtHcx6w1I3StFN3M8ddGRdecnoxAhYqYbBzwp1YLM3Mes72+IAvbcnmyOyl+ahwsnNWON+xveim0eycjIhX9cWKyMz2Lre5u7smHGuf8LFdYrVFAuY27egSCxVA+0JQ0pPXNin8l0s8I6I3I/2fCafQtKCXRAqVghQqiRSSa9R2SKJECpWCFCoFKSRcwXMyhRyRQo5IIUekkCesbUESRQo5IoUaYjG9BWJNP4UckUIiTnhKplBDplBdplBdpdA0pFA9lEKzoRRahBQqy9ypyGFappCIhBNOIZE8i+JVcJIGpFBJpFBJWDTthzBIoUNaCs1FU8iJplAznELNeArNRlNoSkuhOqTQQiiF6iqFSkEKVYMUagYptD+SQjMRaDoMLZGx9YmHIpBIBQX1BCkRQqnU8OcIU33IiWTvQoSzETFELr4PyiRQYLdKBoXoDSWDjwslReBCMwxN+jp27si1jZQXZovJnNMotm0quicqKSzUS+65mzzbRSUKLnrXrHuV3OIeOm71XFgouneS85PTRfOMprm1ab605N5GlbyYm9tLiR2z1badpZn5YmJXsUkmpKjE9tlSIu/+ba+X2oW+RrVSrXeCJgFQV5O4YJ4iSQe5EpgIMbdvm3dmgMljV+frUmBSMDu9WNq5OD9ZLbcVhZuTnpsznptuLSg3isQBZw95znrEhnC25Dk7J5wtS2crTfNgyW1zhEWJ2my1ve65ua9UKZbbxGWi4XrcBI8XXG+n3D8XbKt6xrKS71YpZPGyMCDJzZCjS5tRh/o0WM6ohuLUXvVD014MQu2EQ+2oUM+p8LBDTq260Xvp9F5KlX1OrVStdbjtjX/dOODjuxqzbmusoM59Va8DUkBpfzCnXjroz6m75afiQ45XCPxJLt6fJG2ZrlTnqateXri6xUW7UCwumacVrlyVks/VJ/mEMnkpNElGT428EjrcLqUmdIgLT4d3ATq8S6lDXnk6BJ+nQ/BJHeJS6hCMQod3JSJZby4EMQoAV5gCvBipaxkjHxJS/UmeYAUw12pBne0U1srreocnGK47hSwFOAen3ESerjYnyw51W8ta2ZV2zLzbS7s9rdudLbhr2/DuMSszZffesTg15zS8hnne7TKPlWw1T9T/4mv3ytHsonvrU+lya2TpkJtvxbJbmrtEK+g29m6Nnix3ndusNvzDqGum6bbzzrzT8MxY4kNCW4+UtlcOom1cGUGFKauiFPfmreiqEaSlgHNtEXBvC57VUVyE1g00735RIJaHEAG2H7BF935G3mUKdI8XJ8dzzzdglUAJH72medINhVuyZUMNUY3wrwFkyxk9Iiemw7FQKDnIwEVQYcpAlOKc2yyWBWFFlOD72QeIc5tuY1CqSpXLYtO7p6puydkrXmV8QojDoWPTA0SPREQWVqJ8ywbqjlsLBc6/knPlBtgrBxmQCCockGWKEkQijAnh+1QIwtN7fWTIRx8XCVrAGsjsL9Zd90r1ub3qQqDXx9BR+nIfHQ5Qr48VN+TS8SB/tNuzMMVPWrk7NAokqNQcooU8DmFDUR8IoSOhWBUiaAkeVhDEKTwhKDDSa+FsND7dEheKcwgRzjKJjmx/iQoi2B9ChNDrAjO8natbtSpE1kisWHFrYtkpFbtUULyHT3OkMllfcNehyyvXdcddLffkriUni7ONpPcghIl4eyFITrtTkk7TPcG9l6mm2xBX3BZ6punOqZTIbG1xf6VUTMyVFpLlYq2ULJdqxQ7vZVezNuc2tW3zxUqx0VYpuii84Cpz2yB3qLbVvDPDfV1wnA7xusVtP4oV9w7FOdcpu/c1lRkHN5oztdJc4kC1smSy6VbwRtXdEJ6tXdOl/aW6648IU4cb59L+Ytk1zVkRnBGed85BV5LH2O6eMN69WXmy4V82FnrK1ZnSVLHsxmkHHB2dHtW9mPLCldg2O89Klama4x1FbaIjancb9VnvGU2x7DZmI7Va9UC7qKDikk1XD1TklZfK4mqJd7XDZ+loLowqpqXyerJYdwTcW64ecGrbKk5BHLE5t5+e61O4M92ou7YJZL9A7vKOaclaF+glAr25WN4nwOUCHHPP7zDTimAuiKyHZO70TvgwO9vnxl5Kby4shKT3CjBqbI/naxTVC6iw+cs9XMx6ETLw2b3S7e73J0XMFrJiVss1kQaIy6hRMlDjSt9SAe7wp0hPffKxPjhSmR5XM9V1MG11jC+gRWRMeNcyJUICBd9x/5svELi06RNDyv+X0BgtLrS97t09lz24Q1zKNo2J6+liba5jsuwW6nypNlV2Og7MlhoOXLv7fwauB7wVkWni8u4OmFaKlWhJCSWuRgklXZTSG1EjcX1RDRK5PBypgNUPdEjmGh/p5ti0W+QiRD9pWhDXBinUihqY0ILa49aehleIxtxGVaI6p6uNhjMtAbLPraXOokO9Mlh3L2Tkc6IodpUqonRJqAegkPTVfgS3xGl+3OO0Tn/eSG2q02f0gCBHa1NdodxyoSAM/ixg7BSpM1oqzrv3mp3CAwD6IisJyOXRpQRsr3sI6Lj+STdW1fkYq9C3pbI7pKlH4La7x5cbLLf614rzPcKSCGqZ4DoLFmWHexi07/NuIaa9Syb4vatl4irMJnfHTvfcr8EayeuVck7VO6Gn8+69jRtqSZHat1RywURYegn0BQealxwwKZwvwOceTXV3lzamZgPkerE0XnAbVbESIqQ6XSCBQdZdRV/jnsnipGslvFv6Ol/0EdLhABHdoGBndFUlcoOfT6OgUGM4Isiqw3BsUCHJlcThXZkZd8//3cESrBHWTejbO0wc17e3JK4NiJENHKZOxLa3pC6T9TNkB2BCpveHeYLo9YcZA7Rb9gVqV60k7pd7an5dU6hlXhMSxciTNYRxxQiFUTERlBATxZRVtVSYfk3M7lJjdrTaWNFcGA+vvSIPNBd2RNbflxx4sb0qWrBu32RALAssDLOEEX0QGxEuJXpFIDqC7/ejFEX7eiPoPnC0heg4vt+PXFx0Cyna8eTjw01JCN8f6l3C6FDPEs6PQLqPCgQHK6tk+hhfnMKsmqweHBUPe0T/Wpne7JemPp3kzVuuI4XGXh8bTB/wcRMLEbk9UYIntTeKEjKX+ThVjNfFMBG5A63InvSVrQhCxwZBOVCR1Ii0naUgPCEGT54krdZJQqKkrQPaZqe4fzEidtxjGtDInlBBWNWCMLEgSCs1ktAmKKtbUWDWBo02saCZoiwdhzYyIIspAxpZFACPsKoFwRXukVZqJFkcPMrqVhSYtUGjhS2NMMgIR0yVS7BKZxBnjyCt1kny1BG0NS5NKIC0dm8+A8mr4kSVQ50B6UBlZRiI2NarUTyj+jScsKZHIYO5vgqVxT7gCfImiZnrFUUcU80F3Ym1LenKjy5FFbL8aLgFIiZoVZyopLQr0sTCiuAyEollEbznRX8UI9fkQKUnghZmdSuU0rdWR0RUrWhB9RQOtMD7IZTp0nofrQV6hOan6+pWVJh5RCuaUh+RHdkVviGrW1FhzxzRiqZkCw7lF0yIWe6twDj09aEEXRFHi3l9Iby/ist1pGD1saq3y3vt5tE61u/ddlWDZqw1lzzbqn5Dt8bnOszG1Yjhjevn2sowENu4YYrauGGcv3EFMrpxBUptXB/wVPibbb2i/I+NG6eHN25QBPxoHG7jasTwxh2XOdUfXCozPT9XRNGR/RzgPed6Ihh/446H03KtjohtXJ2qNq6O90MY3TDRY3OtoodpkY0bo4Y2bowW27jBMRyS7W/cGDW0cWO02MYNb3Xdcu/cnlg4bN8yECUHXcvKKCHUs2wQFKVMuBFtFdZEGDTiqggxYmp/jOTH/nBlaUWc5rczsDwxGwX3mgiDRlwVIUYWqz9G8tcwQEfzbEWcJvByZQ7bpQxEyUGPsjJKCHUoR7kUlRyHXfF1rZiCdV/fihxa/SND9MMs8ZoWLP5qrm1BDNYtLP0wi7OmBYu/DmtbEIOIh+Nz2Liva8UURH99K3JoDTaot6F3eJ/OcKbHytWasLzWkM/o2vY7lWY9OV+s1ZfUF4rTjrzdbJYaXVPl5qQPLZkVcxTYPS2fYfkINjXrTM25YuYGaodRxRZci7yHh9N4qlhzqvvwfKnifXC27ky5oljZvRmt7SzNVHClOe/Uqsx7n2jeEyWf1m12DnrHar8E/DgVyuXSQh0eAY0HT35DCHhSJRBniCcZ8AhuXRjl7hB1e5l3Ko2aEyGH7z6BHBY4Xj3kvU+0PoSK3NTClDUh+sSCRuySDwRdwPNzWfBMC6wNYUBdX+ThIETCRy7Wg0c1y7XnkjJG/cETvVwoxH3+A9bQw6IB/7ZcI/SEH4PCQ2RAhbhWuCj/eUsILx++qrWVQGxt5VOv0FIKRGQpwyiITpd8mqriGTwSVNGLPDNV0VPIcPQGivNuJ1cvVqb3+lfy/XnvbdDQ5xJ6PTj47IN8d1fh1OcbBLZTYOHjDwMAiL/wO7M9Chl6S74V35IoT7dO752ulsv6nIVys77Xe5EsPhjglgkwPKlfvp2sf3RhBbzLrH+uoFt/97k/hAihB8LoSADiqFURVITUJ0nap1YkUn97vFcJCC3f6iguaomihT50oVChN+0jqKhxrSxerSEjH/jRaYGaNTop8na+8D8kaEUIEcYPhPFhCcvDBD+QSwU2cH+dgGHN49J7BDnyGYVVEVREZZcgqQ2xTEE+ZnkY0wIbD4BM+ZCjrfaAIPj53u+D0U/hSEf96C8P4BB2rY6NyFgRokayIoT3Iy3djxsafD7LB8MR7wuwoTwPkMEHnGAdIh/jWqMhI/rX60RtsgxR8FGRFQEcrR8hEeFcCUtuqM/7+KhQoTmMfasOb5pUKb+REq6jbh33vmOyF0ZZlb2PqZw036zLO9VysTJ3klu6vTfcuqarjfqQgpYIyFLgUgnaCu4GOKUQyxQirTA9PiajUL0BKqtwfSEcb8HI4/KycbZsCzYesy0TY8rEZWVayMrEZWVjTNk4E9fjldZZ0jGb0nGb0i1sSsdtSsdsSsdtSsdsyugsmZicTFxOJiYnq7NkYyxcy6eUxpDS45OKxScVj0+qRXxS8fikYvFJxeOTisUnpccnFYtPKh6fVCw+KT0+qVh8Unp80hpDWrclHbMlHbclHbMlrduSjtmS1m3JaAwZXUYmJiOjy8hqDFmdwYdl/bGjZFvLF1vPFzuWL3Y8X+wW+WLH88WO5Ysdzxc7li+2ni92LF/seL7YsXyx9XyxY/li6/lia/li6/lix/LFjueLHcsXW88XO5Yvtp4vtpYvtp4vdixfbD1fbC1fbD1fbC1fUlFySotHSo9HKhaPVDweqVg8Uno8UrF4pPR4pLR4pPR4pGLxSOnxSGnxSOnxSGnxSEfJac2GtG5DOmZDWrchrdmQ1m1IazZkouSMNj+jz89o87NRclYj+6DoX6wI0YrWD0urH5ZeP6xY/bDi9cNqUT+seP2wYvXDitcPK1Y/LL1+WLH6YcXrhxWrH5ZeP6xY/bD0+mFp9cPS64cVqx9WvH5Ysfph6fXDitUPS68fllY/LL1+WLH6Yen1w9Lqh6XXD0urH1a0flha/bD0+mHF6ocVrx9WrH5Yev2wYvXD0uuHpdUPS68fVqx+WHr9sLT6Yen1w9LqhxWtH5ZWPyy9flix+mHp9cPS6oel1w9Lqx9WtH5YWv2w9PphafXDitYPS6sfVrR+2BGiHc0HW8sHW88HO5YPdjwf7Fg+2Ho+2LF8sPV8sLV8sPV8sGP5YOv5YGv5YOv5YGv5YEfzwdbywdbzwY7lg63ng63lg63ng63lgx3NB1vLB1vPB1vLBzuaD7aWD3Y0H1IRYirqf0rzP6X7n4r5n9L9T2n+p3T/U5r/qaj/Kc3/lO5/SvM/FfU/pfmfivqfjhDTUd1pTXda153WdKejutOa7nRUdyZCzETnZrS5mejcbISYjRIDSLwRUyyfJL6rIz+qF0F1Bb8GM1+dXiJ+scT7LQJn2gW795Vq9UajWnGmZsW3ezrVt3pdvklPk/yRDw9i4hvm4kr8Mod31R3+TRIPsST4VRHBKX4bRFyJX0fxrqj3SyUCJZ7/eFft8gvzQqf/yyMe1Bcy10dS7zdRvAvvk8/iZ0s8YGnot1g8uAN+pEXIlz+S4l0uCzu4capYF0UumCZQS3xXJej7K8DlutMC2xv1XE703ZegHwMBdqlASKIfDQEuDUIirYzERc5XcRDQgHywFn/stiywHn5LpT/qj0K3yW9si1epIPoVb9/6k6YWl4UBwZwY37KJNCulwcHBYW8cKowU5JjLwDgIowVjCvjUmIcR+Ec4jCMwwvwRNR/k54E/D/Q80PMgNwdyciAnJ/QMDlmKD/B5LvF2BsacHFNpOQ6PSr5R0DMKckdBzijoG1X2gD95sHMU9BQUP9BHgV4YlHoKI3JMSzusIdAzXJB4PibHjAV0JRf0F0B/AeaNgb0FxQd6C6B3DOaNgT4b7BtT8R+DuGVhHILRhjENfGqEOI0A/4jKhxyMMH9EzQf5eeDPAz0P9DzIzYGcHMjJjUp708Ownoof6Plh8CcL66lGWP8U+JtV6wF6R0HPKMgbBf2jyj7wLw92j4K+guJXeQL0whCsK+RTOgvrBnZnbICVHNBXAH0FsGcM7CsoPtBTAD1jMG8M5Ntgz9hwnzuOZLMp9SffcNGQPsGbZQ1mZZalhgZhHILRglFanRqEcVjxpWBMAx3wg2p+BsYsjBzGYeAbBXgE4DzAORgVrPgKMIK9FuizQJ8F9lrKXuC3wE4L7LTAHgvss8AuS9ml5IN+C+yzwK5BxafsVv4rPWDvIMgfBH2DoGcQ5FjKPtA3CPYPqxHmD4OeEcCPwLwc+J8DfA74c8CfB/oo6C0AX0HBhaWwjurHWgDORWHLp8t5Nsi1Ie42yLUh7mmVJ4oOcbEhTmmYn1Z0sBt2bcoG+2yIcxriaYNfaVgXqNopW8GKD+JjQ1xToC8F+lJgb0rZC/wpsBNOgVQK7IHqkUqBXSlll5IP+lNgXwrsSis+ZbfyX+kBe6H6p6BauD00jCAnpewDfWmVHyrOMG8Y+EcAPwL8OfA7B/gc8OeAPw98o2BvAfgKCh5bCusczQvb1mAtj+yMBmc1mGvwcBROj2r0EQ3W8tQei8Ipzd6UZk9K05/S9KfyGqzpTxU0/UPqZ45E3Oxhuc62PBUHbYizDV2JLbuXQVueNtYgH4RxCEYLRhvGFIxpGDMwqvkcxmE5ZmXeD8rT1B0tGEFeFuRlQV4W5GVBXhbkZYcZ/KDLZFli5A6zspk8jDKTB2U/YA3CiWBnC4AHz6DSFuTOtAZz6S7xAYZ5t2dvFGuLyUKzVpUkNSUHQciBsUqFbAndcQTGPNDBiRwEMQf8I+BMDoIzouYBfgTkycWy4Mh2Rxkce2Ssy+2Dg58FENgheYRYFpR61yFS9L6u31xoF6P4hBETl943v+SV92UveTVZbcwymDBd6fSvJuuOkJuGVEhDKqTdVHCp3vexAU7DmIEx2wbUhRCXTESXOgZjAcZRUt4XlpaDcQTGYVJrhOWAtmHQJguPO3IYh2GE+cMgbzgP4yiMoH94jJQb4gvkbeKVTM/JUVDzY3hKfslZgAUwXvbk7gihGYXQyB7OHcE42FXpUXB+FIwfA3hMwcA/Bvx5MDIPRufBqXyhvbrgVOTvTbBSZX9wFTZzFHwfBd8LYG5BmQtiR0HNKMRiFNzLgzmyRbZysolyRwVzGJVZEPsc6IG8T48U4JvJNWeqAShQOTLGJGmyehAwahLEUp4grhJwZgRiNgIxg02WHoGYweZKw+ZJj6h5KgjAVwC+AvAVgK8AfGPgxBjYMwb2jMHajik+COIYeDRWII1aqTjTXIAgZCQ8XYEgqeCAnBzYk1NrDfoKILcA+ALIrTXkWN4H88COPMQDilM6pxYDFjUP9ucUH/idU4sN9hSAXgD+gsKrXIV5YzBvDOI2BvoysB5p8CsN89Lgdwbmp8GvNMxPg99Qx9MZ0JtR88CutJIPdBvoQ2CvBXoHwe8hsDMF8i2AhxQM9gyCPRbgUyAno+xX+kFPCvhTIC8L62CDXUMwDgJ9EOTCSZbOgn2DSj/Mz0I8BkHfINiRBT4b+IYUv/JH+Q16U0C31KjwINcC+22AbQWDfzbYkVKjWg+wOwP8GeU/rEMW+LIgJ6viCeuagvlwsqctwA/B/EGAB5U8iH9W4SF+g2AXdArpQeAbBBg6iXRW+QV0KFrpIcWv/AX5luJT9oI8C+y2AbYVDP7ZsD4pNYKcDOhLg7y0ooN/NtDh+E6rOjek8hfwKeCzVdwUH8izwA9oEtIZtf9g/dNqfwKcAf602h9q/yh7lH1At0DukFp30J8B/+Wdi5UZGsb7nPli2Ul6L23iqwNJ7xsDbeKLAgS+HyCYs7BJsmDsECTxECT/ENCH1MkDTuYgaXKwWDnYDDkwMgcnV06dXFAUcnBC5aBY5qA45KAI5CCoOVjsHDibyyv56jACOyCJcnmYN6ToIB+KSQ42W25I2a38AXsg2DlL6QG7hgod8JFD7+OHAsdhY3AoKBw2PIdCwaHgcPCNwwJyKBQcCjeHws8hATic+nwYRrCBwwbn0PTwERih8PE8jFzpBTsgUTlsdA5NDYcDj8MBwaE54tDBcVgrDjnB4cDmcMBzKMwc1pZz5XcO9MMIhZJDYeZwYHM4MDlsDA7dEYcOkcMacNgoHBoCDg0Eh8LKISc4V3phHeAA4FAIOTQMHA58DgcXhyaRD8MIucXh4ONw8HJogDgUYA4HNedq3dMwjoIdMEJB51AAOTQoHBoNDgcwh+6PQ0fMIVc5FHgODQiHlo3DwcehOeVc6QU74EDhUIA5NLccGg8OBymHJphDJ89h73I46Dk0IhwaPQ4HF4e9y7nyexj0wwiFmMOByaFh4dDwcCjAfBRGuFPgUAM4NCgcGkMOjSSHws6hCedc6YV9CAcBhwOPQ+PIoQvm0OBwuFngwzBCjeBQSDl05xwaYQ6NC4fGkHO17y0YMzAWwB4Y4YDi0GjwMRihIeRQsDl0/RzuhDjUPg4HPS/ACHelHA5wnoeRK71gBxyQHA5mDjc1PAcjNHAcbo443MFxqIkcGkhegBEafA4HMYfazrnyewT0wwiNC4dGikODyuHunEPDyeHuiMMdIofaz+Fg43BDwOEGgkMjxKHWc670wjpA48Sh8eFww8DhqQGHxpHDTSIfhhHONA4HMofGm8MNEIeDmUMDz7la9xSMebADRmhkODRMHG5QODyV4NCIcLj743BHzOFM5dCAc7gB4SMwQgPH4WaUc6UX7IAGi0PDxuHmlsMNCYcbAQ43wRyeBHA4wzk02hxuNDjc6HFopHgeRq785qAfRmikODTYHG5IONwIcWiA+CiM8KSAwxnMoVHjcGPI4UaSQ+PFoXfgXOmFcxhuQDg0wBxuHDncBXO48eHwsIAPwwhnPocbHA535xyeNnFoEDncMHL5SG7QzsKjPFlfBy14hGfBI1QL3oCy4RG/DY/8bXjUb8OjfRve4rDheZENbyHY8NaBDW+52PAWiA1vUdjwloVt8U7QI96JBSAbBnJhwAoD+TCQCQMjYSAVAoaktA7/PeCpxe7QtSD+PzXnEgl4nG2KaVOSYRSG3xcEyczMCnlluUFBhCcU4QkEocilRSpEfJAHbLOF9oX2/a2ZZvyi4ww/wy/Qp/oRfOgXnWAGm2qcM3Of61znztDXU4Qv6Sr0NOFzivApWcfHJOHDLOF9MoF3CcLbmTrezBBexwiv4rt4GSe8OEl4HkmjFtHxLEJ4GiU84YTH4RoehQkPwy08mCbcnyLcm2rh7mQd1UnCnUkdt0M6boUIN9t7I1TEjRBw/QThGiviKiNcYTWsBwiVIKEc1CEDUyhNENb8LRT9BOEjrI4TCr40Vrw68l7CsreInJfjsteNS2OEi6N1ZEcJSx7CBU8O5z0hnPO4cNZNWHRzLLgI86DML8xBxxknIeMgnHboSKeqSCWXMJusYSZWRzzGwaM5RCOLmA7nwAIcwYCOgNOurU/Yh+DXRrT18ZZP+Ext8GqEMe0YRj06PFaC22YFdl3CNUxwVh3C0XZ2rmkVW8q6URnp0HCHjmsL1rXyUT4kjvBBMSQH5SHeL0y8R/TLHnk4MSAO8j7Ry81C5YoYkH3SLBV5gFuEkRuERRrkoGLMZEzqT3VHWWXZH720km1YlisNdbPhK3Qyky83zJsNRZQrpaaqbstvW1uKcy7b2CmUvhuVNsqmwTCfLzV7jNtyTmEKY0zpDuvyXqp/Tfet7rU7xP7xXWJ/7v/UPnLfFrP9BvOls3wAAA==") format("woff2");}</style>
+    
+  </defs>
+  <rect x="0" y="0" width="2430.55893694676" height="1628.9926813033908" fill="transparent"/><g transform="translate(924.0065490667489 317.01718221945754) rotate(0 12 12)"><use href="#image-1eb35412189527b20624c29b9912c61108c16757" width="24" height="24" opacity="1"/></g><g transform="translate(873.4088683945952 351.5432320268418) rotate(0 62.6318359375 11.5)"><text x="0" y="0" font-family="Helvetica, Segoe UI Emoji" font-size="20px" fill="#1e1e1e" text-anchor="start" style="white-space: pre;" direction="ltr" dominant-baseline="text-before-edge">App Workload</text></g><g stroke-linecap="round" transform="translate(799.3756167653269 290.86391894164643) rotate(0 140.09160121428226 55.18368428660908)"><path d="M27.59 0 C116.7 0, 205.81 0, 252.59 0 M27.59 0 C92.45 0, 157.31 0, 252.59 0 M252.59 0 C270.99 0, 280.18 9.2, 280.18 27.59 M252.59 0 C270.99 0, 280.18 9.2, 280.18 27.59 M280.18 27.59 C280.18 48.89, 280.18 70.2, 280.18 82.78 M280.18 27.59 C280.18 47.71, 280.18 67.83, 280.18 82.78 M280.18 82.78 C280.18 101.17, 270.99 110.37, 252.59 110.37 M280.18 82.78 C280.18 101.17, 270.99 110.37, 252.59 110.37 M252.59 110.37 C185.66 110.37, 118.72 110.37, 27.59 110.37 M252.59 110.37 C196.68 110.37, 140.76 110.37, 27.59 110.37 M27.59 110.37 C9.2 110.37, 0 101.17, 0 82.78 M27.59 110.37 C9.2 110.37, 0 101.17, 0 82.78 M0 82.78 C0 62.09, 0 41.41, 0 27.59 M0 82.78 C0 65.57, 0 48.35, 0 27.59 M0 27.59 C0 9.2, 9.2 0, 27.59 0 M0 27.59 C0 9.2, 9.2 0, 27.59 0" stroke="#1e1e1e" stroke-width="2" fill="none"/></g><g stroke-linecap="round" transform="translate(808.5560176493773 739.3920764195311) rotate(0 140.09160121428226 55.183684286609065)"><path d="M27.59 0 C78.82 0, 130.05 0, 252.59 0 C270.99 0, 280.18 9.2, 280.18 27.59 C280.18 41.94, 280.18 56.28, 280.18 82.78 C280.18 101.17, 270.99 110.37, 252.59 110.37 C194.24 110.37, 135.89 110.37, 27.59 110.37 C9.2 110.37, 0 101.17, 0 82.78 C0 67.8, 0 52.83, 0 27.59 C0 9.2, 9.2 0, 27.59 0" stroke="none" stroke-width="0" fill="#ffffff"/><path d="M27.59 0 C109.86 0, 192.12 0, 252.59 0 M27.59 0 C85.39 0, 143.2 0, 252.59 0 M252.59 0 C270.99 0, 280.18 9.2, 280.18 27.59 M252.59 0 C270.99 0, 280.18 9.2, 280.18 27.59 M280.18 27.59 C280.18 40.9, 280.18 54.21, 280.18 82.78 M280.18 27.59 C280.18 46.89, 280.18 66.18, 280.18 82.78 M280.18 82.78 C280.18 101.17, 270.99 110.37, 252.59 110.37 M280.18 82.78 C280.18 101.17, 270.99 110.37, 252.59 110.37 M252.59 110.37 C168.92 110.37, 85.25 110.37, 27.59 110.37 M252.59 110.37 C195.3 110.37, 138.02 110.37, 27.59 110.37 M27.59 110.37 C9.2 110.37, 0 101.17, 0 82.78 M27.59 110.37 C9.2 110.37, 0 101.17, 0 82.78 M0 82.78 C0 62.14, 0 41.51, 0 27.59 M0 82.78 C0 63.79, 0 44.8, 0 27.59 M0 27.59 C0 9.2, 9.2 0, 27.59 0 M0 27.59 C0 9.2, 9.2 0, 27.59 0" stroke="#1e1e1e" stroke-width="2" fill="none"/></g><g transform="translate(933.1869499507993 765.5453396973421) rotate(0 12 12)"><use href="#image-1eb35412189527b20624c29b9912c61108c16757" width="24" height="24" opacity="1"/></g><g transform="translate(847.9735596209157 800.0713895047265) rotate(0 107.8857421875 11.5)"><text x="0" y="0" font-family="Helvetica, Segoe UI Emoji" font-size="20px" fill="#1e1e1e" text-anchor="start" style="white-space: pre;" direction="ltr" dominant-baseline="text-before-edge">Alice's Branch Workload</text></g><g stroke-linecap="round" transform="translate(819.0479043740065 1244.314125042296) rotate(0 140.09160121428226 55.18368428660909)"><path d="M27.59 0 C92.08 0, 156.57 0, 252.59 0 C270.99 0, 280.18 9.2, 280.18 27.59 C280.18 45.45, 280.18 63.3, 280.18 82.78 C280.18 101.17, 270.99 110.37, 252.59 110.37 C174.98 110.37, 97.37 110.37, 27.59 110.37 C9.2 110.37, 0 101.17, 0 82.78 C0 61.06, 0 39.35, 0 27.59 C0 9.2, 9.2 0, 27.59 0" stroke="none" stroke-width="0" fill="#ffffff"/><path d="M27.59 0 C107.28 0, 186.96 0, 252.59 0 M27.59 0 C72.65 0, 117.71 0, 252.59 0 M252.59 0 C270.99 0, 280.18 9.2, 280.18 27.59 M252.59 0 C270.99 0, 280.18 9.2, 280.18 27.59 M280.18 27.59 C280.18 45.73, 280.18 63.87, 280.18 82.78 M280.18 27.59 C280.18 44.72, 280.18 61.85, 280.18 82.78 M280.18 82.78 C280.18 101.17, 270.99 110.37, 252.59 110.37 M280.18 82.78 C280.18 101.17, 270.99 110.37, 252.59 110.37 M252.59 110.37 C199.26 110.37, 145.92 110.37, 27.59 110.37 M252.59 110.37 C192.95 110.37, 133.31 110.37, 27.59 110.37 M27.59 110.37 C9.2 110.37, 0 101.17, 0 82.78 M27.59 110.37 C9.2 110.37, 0 101.17, 0 82.78 M0 82.78 C0 64.29, 0 45.8, 0 27.59 M0 82.78 C0 71.04, 0 59.31, 0 27.59 M0 27.59 C0 9.2, 9.2 0, 27.59 0 M0 27.59 C0 9.2, 9.2 0, 27.59 0" stroke="#1e1e1e" stroke-width="2" fill="none"/></g><g transform="translate(943.6788366754286 1270.467388320107) rotate(0 12 12)"><use href="#image-1eb35412189527b20624c29b9912c61108c16757" width="24" height="24" opacity="1"/></g><g transform="translate(858.4654463455449 1304.9934381274913) rotate(0 104.00390625 11.5)"><text x="0" y="0" font-family="Helvetica, Segoe UI Emoji" font-size="20px" fill="#1e1e1e" text-anchor="start" style="white-space: pre;" direction="ltr" dominant-baseline="text-before-edge">Bob's Branch Workload</text></g><g stroke-linecap="round" transform="translate(1408.3592894326334 128.58992830926422) rotate(0 224.88393821306204 203.03133067262624)"><path d="M32 0 C150.48 0, 268.95 0, 417.77 0 M32 0 C113.84 0, 195.68 0, 417.77 0 M417.77 0 C439.1 0, 449.77 10.67, 449.77 32 M417.77 0 C439.1 0, 449.77 10.67, 449.77 32 M449.77 32 C449.77 108.54, 449.77 185.08, 449.77 374.06 M449.77 32 C449.77 161.08, 449.77 290.15, 449.77 374.06 M449.77 374.06 C449.77 395.4, 439.1 406.06, 417.77 406.06 M449.77 374.06 C449.77 395.4, 439.1 406.06, 417.77 406.06 M417.77 406.06 C275.11 406.06, 132.46 406.06, 32 406.06 M417.77 406.06 C299.26 406.06, 180.74 406.06, 32 406.06 M32 406.06 C10.67 406.06, 0 395.4, 0 374.06 M32 406.06 C10.67 406.06, 0 395.4, 0 374.06 M0 374.06 C0 239.33, 0 104.6, 0 32 M0 374.06 C0 263.62, 0 153.17, 0 32 M0 32 C0 10.67, 10.67 0, 32 0 M0 32 C0 10.67, 10.67 0, 32 0" stroke="#1e1e1e" stroke-width="2" fill="none"/></g><g stroke-linecap="round" transform="translate(1484.320908402327 180.10009122055544) rotate(0 146.01321495687375 143.0132149568737)"><path d="M292.03 143.01 C292.03 146.75, 291.88 150.51, 291.58 154.23 C291.28 157.96, 290.83 161.69, 290.23 165.39 C289.63 169.08, 288.88 172.76, 287.99 176.4 C287.1 180.04, 286.06 183.65, 284.88 187.21 C283.7 190.76, 282.37 194.29, 280.91 197.74 C279.45 201.2, 277.85 204.61, 276.11 207.94 C274.38 211.27, 272.51 214.55, 270.51 217.74 C268.51 220.93, 266.38 224.05, 264.14 227.07 C261.9 230.1, 259.52 233.05, 257.04 235.89 C254.56 238.74, 251.96 241.49, 249.26 244.14 C246.56 246.78, 243.74 249.33, 240.84 251.76 C237.94 254.19, 234.93 256.51, 231.84 258.71 C228.75 260.91, 225.56 263, 222.3 264.95 C219.05 266.91, 215.7 268.74, 212.3 270.44 C208.9 272.14, 205.42 273.71, 201.89 275.14 C198.36 276.57, 194.77 277.87, 191.13 279.03 C187.5 280.18, 183.81 281.2, 180.1 282.07 C176.39 282.95, 172.63 283.68, 168.85 284.27 C165.08 284.85, 161.28 285.29, 157.47 285.59 C153.66 285.88, 149.83 286.03, 146.01 286.03 C142.19 286.03, 138.36 285.88, 134.56 285.59 C130.75 285.29, 126.94 284.85, 123.17 284.27 C119.4 283.68, 115.64 282.95, 111.93 282.07 C108.21 281.2, 104.52 280.18, 100.89 279.03 C97.26 277.87, 93.66 276.57, 90.14 275.14 C86.61 273.71, 83.13 272.14, 79.72 270.44 C76.32 268.74, 72.98 266.91, 69.72 264.95 C66.47 263, 63.28 260.91, 60.19 258.71 C57.1 256.51, 54.09 254.19, 51.19 251.76 C48.28 249.33, 45.47 246.78, 42.77 244.14 C40.07 241.49, 37.46 238.74, 34.98 235.89 C32.5 233.05, 30.13 230.1, 27.89 227.07 C25.64 224.05, 23.51 220.93, 21.52 217.74 C19.52 214.55, 17.65 211.27, 15.91 207.94 C14.18 204.61, 12.58 201.2, 11.11 197.74 C9.65 194.29, 8.33 190.76, 7.15 187.21 C5.97 183.65, 4.93 180.04, 4.03 176.4 C3.14 172.76, 2.4 169.08, 1.8 165.39 C1.2 161.69, 0.75 157.96, 0.45 154.23 C0.15 150.51, 0 146.75, 0 143.01 C0 139.27, 0.15 135.52, 0.45 131.79 C0.75 128.06, 1.2 124.34, 1.8 120.64 C2.4 116.95, 3.14 113.26, 4.03 109.63 C4.93 105.99, 5.97 102.38, 7.15 98.82 C8.33 95.26, 9.65 91.74, 11.11 88.28 C12.58 84.83, 14.18 81.42, 15.91 78.09 C17.65 74.75, 19.52 71.48, 21.52 68.29 C23.51 65.1, 25.64 61.98, 27.89 58.95 C30.13 55.93, 32.5 52.98, 34.98 50.13 C37.46 47.29, 40.07 44.53, 42.77 41.89 C45.47 39.24, 48.28 36.69, 51.19 34.27 C54.09 31.84, 57.1 29.51, 60.19 27.31 C63.28 25.11, 66.47 23.03, 69.72 21.07 C72.98 19.12, 76.32 17.29, 79.72 15.59 C83.13 13.89, 86.61 12.32, 90.14 10.89 C93.66 9.45, 97.26 8.16, 100.89 7 C104.52 5.84, 108.21 4.82, 111.93 3.95 C115.64 3.08, 119.4 2.35, 123.17 1.76 C126.94 1.18, 130.75 0.73, 134.56 0.44 C138.36 0.15, 142.19 0, 146.01 0 C149.83 0, 153.66 0.15, 157.47 0.44 C161.28 0.73, 165.08 1.18, 168.85 1.76 C172.63 2.35, 176.39 3.08, 180.1 3.95 C183.81 4.82, 187.5 5.84, 191.13 7 C194.77 8.16, 198.36 9.45, 201.89 10.89 C205.42 12.32, 208.9 13.89, 212.3 15.59 C215.7 17.29, 219.05 19.12, 222.3 21.07 C225.56 23.03, 228.75 25.11, 231.84 27.31 C234.93 29.51, 237.94 31.84, 240.84 34.27 C243.74 36.69, 246.56 39.24, 249.26 41.89 C251.96 44.53, 254.56 47.29, 257.04 50.13 C259.52 52.98, 261.9 55.93, 264.14 58.95 C266.38 61.98, 268.51 65.1, 270.51 68.29 C272.51 71.48, 274.38 74.75, 276.11 78.09 C277.85 81.42, 279.45 84.83, 280.91 88.28 C282.37 91.74, 283.7 95.26, 284.88 98.82 C286.06 102.38, 287.1 105.99, 287.99 109.63 C288.88 113.26, 289.63 116.95, 290.23 120.64 C290.83 124.34, 291.28 128.06, 291.58 131.79 C291.88 135.52, 292.03 139.27, 292.03 143.01" stroke="#1e1e1e" stroke-width="2" fill="none"/></g><g transform="translate(1617.9326797267026 229.5485189280928) rotate(0 12 12)"><use href="#image-1eb35412189527b20624c29b9912c61108c16757" width="24" height="24" opacity="1"/></g><g transform="translate(1533.9489284581318 262.9838284485495) rotate(0 97.83203125000023 11.5)"><text x="0" y="0" font-family="Helvetica, Segoe UI Emoji" font-size="20px" fill="#1e1e1e" text-anchor="start" style="white-space: pre;" direction="ltr" dominant-baseline="text-before-edge">Lapdev Sidecar Proxy</text></g><g transform="translate(1547.6529921119431 484.07390223583025) rotate(0 83.20312500000023 11.5)"><text x="0" y="0" font-family="Helvetica, Segoe UI Emoji" font-size="20px" fill="#1e1e1e" text-anchor="start" style="white-space: pre;" direction="ltr" dominant-baseline="text-before-edge">App Workload Pod</text></g><g transform="translate(1619.8054650547106 369.29644941079096) rotate(0 12 12)"><use href="#image-1eb35412189527b20624c29b9912c61108c16757" width="24" height="24" opacity="1"/></g><g transform="translate(1566.3966717440976 400.62652113430295) rotate(0 63.93066406250023 11.5)"><text x="0" y="0" font-family="Helvetica, Segoe UI Emoji" font-size="20px" fill="#1e1e1e" text-anchor="start" style="white-space: pre;" direction="ltr" dominant-baseline="text-before-edge">App Container</text></g><g stroke-linecap="round"><g transform="translate(1631.7396528226554 296.9838284485495) rotate(0 -0.3314019576998817 30.137119965967315)"><path d="M0 0 C-0.11 10.05, -0.55 50.23, -0.66 60.27" stroke="#1e1e1e" stroke-width="2.5" fill="none" stroke-dasharray="1.5 8"/></g><g transform="translate(1631.7396528226554 296.9838284485495) rotate(0 -0.3314019576998817 30.137119965967315)"><path d="M-0.66 60.27 L-6.85 46.61 L5.83 46.75 L-0.66 60.27" stroke="none" stroke-width="0" fill="#1e1e1e" fill-rule="evenodd"/><path d="M-0.66 60.27 C-3.05 55.01, -5.43 49.75, -6.85 46.61 M-6.85 46.61 C-2.86 46.65, 1.13 46.7, 5.83 46.75 M5.83 46.75 C3.68 51.23, 1.53 55.71, -0.66 60.27 M-0.66 60.27 C-0.66 60.27, -0.66 60.27, -0.66 60.27" stroke="#1e1e1e" stroke-width="2.5" fill="none"/></g></g><mask/><g stroke-linecap="round" transform="translate(1422.6188162661706 612.5282034827715) rotate(0 224.88393821306204 203.03133067262627)"><path d="M32 0 C120.78 0, 209.57 0, 417.77 0 M32 0 C124.65 0, 217.3 0, 417.77 0 M417.77 0 C439.1 0, 449.77 10.67, 449.77 32 M417.77 0 C439.1 0, 449.77 10.67, 449.77 32 M449.77 32 C449.77 137.68, 449.77 243.36, 449.77 374.06 M449.77 32 C449.77 154.09, 449.77 276.18, 449.77 374.06 M449.77 374.06 C449.77 395.4, 439.1 406.06, 417.77 406.06 M449.77 374.06 C449.77 395.4, 439.1 406.06, 417.77 406.06 M417.77 406.06 C304.18 406.06, 190.6 406.06, 32 406.06 M417.77 406.06 C290.64 406.06, 163.51 406.06, 32 406.06 M32 406.06 C10.67 406.06, 0 395.4, 0 374.06 M32 406.06 C10.67 406.06, 0 395.4, 0 374.06 M0 374.06 C0 238.26, 0 102.45, 0 32 M0 374.06 C0 303.09, 0 232.12, 0 32 M0 32 C0 10.67, 10.67 0, 32 0 M0 32 C0 10.67, 10.67 0, 32 0" stroke="#1e1e1e" stroke-width="2" fill="none"/></g><g stroke-linecap="round" transform="translate(1498.5804352358641 664.0383663940627) rotate(0 146.01321495687375 143.0132149568737)"><path d="M292.03 143.01 C292.03 146.75, 291.88 150.51, 291.58 154.23 C291.28 157.96, 290.83 161.69, 290.23 165.39 C289.63 169.08, 288.88 172.76, 287.99 176.4 C287.1 180.04, 286.06 183.65, 284.88 187.21 C283.7 190.76, 282.37 194.29, 280.91 197.74 C279.45 201.2, 277.85 204.61, 276.11 207.94 C274.38 211.27, 272.51 214.55, 270.51 217.74 C268.51 220.93, 266.38 224.05, 264.14 227.07 C261.9 230.1, 259.52 233.05, 257.04 235.89 C254.56 238.74, 251.96 241.49, 249.26 244.14 C246.56 246.78, 243.74 249.33, 240.84 251.76 C237.94 254.19, 234.93 256.51, 231.84 258.71 C228.75 260.91, 225.56 263, 222.3 264.95 C219.05 266.91, 215.7 268.74, 212.3 270.44 C208.9 272.14, 205.42 273.71, 201.89 275.14 C198.36 276.57, 194.77 277.87, 191.13 279.03 C187.5 280.18, 183.81 281.2, 180.1 282.07 C176.39 282.95, 172.63 283.68, 168.85 284.27 C165.08 284.85, 161.28 285.29, 157.47 285.59 C153.66 285.88, 149.83 286.03, 146.01 286.03 C142.19 286.03, 138.36 285.88, 134.56 285.59 C130.75 285.29, 126.94 284.85, 123.17 284.27 C119.4 283.68, 115.64 282.95, 111.93 282.07 C108.21 281.2, 104.52 280.18, 100.89 279.03 C97.26 277.87, 93.66 276.57, 90.14 275.14 C86.61 273.71, 83.13 272.14, 79.72 270.44 C76.32 268.74, 72.98 266.91, 69.72 264.95 C66.47 263, 63.28 260.91, 60.19 258.71 C57.1 256.51, 54.09 254.19, 51.19 251.76 C48.28 249.33, 45.47 246.78, 42.77 244.14 C40.07 241.49, 37.46 238.74, 34.98 235.89 C32.5 233.05, 30.13 230.1, 27.89 227.07 C25.64 224.05, 23.51 220.93, 21.52 217.74 C19.52 214.55, 17.65 211.27, 15.91 207.94 C14.18 204.61, 12.58 201.2, 11.11 197.74 C9.65 194.29, 8.33 190.76, 7.15 187.21 C5.97 183.65, 4.93 180.04, 4.03 176.4 C3.14 172.76, 2.4 169.08, 1.8 165.39 C1.2 161.69, 0.75 157.96, 0.45 154.23 C0.15 150.51, 0 146.75, 0 143.01 C0 139.27, 0.15 135.52, 0.45 131.79 C0.75 128.06, 1.2 124.34, 1.8 120.64 C2.4 116.95, 3.14 113.26, 4.03 109.63 C4.93 105.99, 5.97 102.38, 7.15 98.82 C8.33 95.26, 9.65 91.74, 11.11 88.28 C12.58 84.83, 14.18 81.42, 15.91 78.09 C17.65 74.75, 19.52 71.48, 21.52 68.29 C23.51 65.1, 25.64 61.98, 27.89 58.95 C30.13 55.93, 32.5 52.98, 34.98 50.13 C37.46 47.29, 40.07 44.53, 42.77 41.89 C45.47 39.24, 48.28 36.69, 51.19 34.27 C54.09 31.84, 57.1 29.51, 60.19 27.31 C63.28 25.11, 66.47 23.03, 69.72 21.07 C72.98 19.12, 76.32 17.29, 79.72 15.59 C83.13 13.89, 86.61 12.32, 90.14 10.89 C93.66 9.45, 97.26 8.16, 100.89 7 C104.52 5.84, 108.21 4.82, 111.93 3.95 C115.64 3.08, 119.4 2.35, 123.17 1.76 C126.94 1.18, 130.75 0.73, 134.56 0.44 C138.36 0.15, 142.19 0, 146.01 0 C149.83 0, 153.66 0.15, 157.47 0.44 C161.28 0.73, 165.08 1.18, 168.85 1.76 C172.63 2.35, 176.39 3.08, 180.1 3.95 C183.81 4.82, 187.5 5.84, 191.13 7 C194.77 8.16, 198.36 9.45, 201.89 10.89 C205.42 12.32, 208.9 13.89, 212.3 15.59 C215.7 17.29, 219.05 19.12, 222.3 21.07 C225.56 23.03, 228.75 25.11, 231.84 27.31 C234.93 29.51, 237.94 31.84, 240.84 34.27 C243.74 36.69, 246.56 39.24, 249.26 41.89 C251.96 44.53, 254.56 47.29, 257.04 50.13 C259.52 52.98, 261.9 55.93, 264.14 58.95 C266.38 61.98, 268.51 65.1, 270.51 68.29 C272.51 71.48, 274.38 74.75, 276.11 78.09 C277.85 81.42, 279.45 84.83, 280.91 88.28 C282.37 91.74, 283.7 95.26, 284.88 98.82 C286.06 102.38, 287.1 105.99, 287.99 109.63 C288.88 113.26, 289.63 116.95, 290.23 120.64 C290.83 124.34, 291.28 128.06, 291.58 131.79 C291.88 135.52, 292.03 139.27, 292.03 143.01" stroke="#1e1e1e" stroke-width="2" fill="none"/></g><g transform="translate(1535.950736702182 968.0121774093373) rotate(0 128.45703124999977 11.5)"><text x="0" y="0" font-family="Helvetica, Segoe UI Emoji" font-size="20px" fill="#1e1e1e" text-anchor="start" style="white-space: pre;" direction="ltr" dominant-baseline="text-before-edge">Alice's Branch Workload Pod</text></g><g transform="translate(1634.0649918882477 760.9261654970171) rotate(0 12.000000000000227 12)"><use href="#image-1eb35412189527b20624c29b9912c61108c16757" width="24" height="24" opacity="1"/></g><g transform="translate(1525.8479916195606 800.9101646349616) rotate(0 119.50683593750023 11.5)"><text x="0" y="0" font-family="Helvetica, Segoe UI Emoji" font-size="20px" fill="#1e1e1e" text-anchor="start" style="white-space: pre;" direction="ltr" dominant-baseline="text-before-edge">App Customised Container</text></g><g stroke-linecap="round" transform="translate(1427.8647596284836 1088.5975636128073) rotate(0 224.8839382130618 203.0313306726262)"><path d="M32 0 C156.52 0, 281.04 0, 417.77 0 M32 0 C143.52 0, 255.04 0, 417.77 0 M417.77 0 C439.1 0, 449.77 10.67, 449.77 32 M417.77 0 C439.1 0, 449.77 10.67, 449.77 32 M449.77 32 C449.77 149.01, 449.77 266.02, 449.77 374.06 M449.77 32 C449.77 111.88, 449.77 191.75, 449.77 374.06 M449.77 374.06 C449.77 395.4, 439.1 406.06, 417.77 406.06 M449.77 374.06 C449.77 395.4, 439.1 406.06, 417.77 406.06 M417.77 406.06 C302.53 406.06, 187.29 406.06, 32 406.06 M417.77 406.06 C333.78 406.06, 249.79 406.06, 32 406.06 M32 406.06 C10.67 406.06, 0 395.4, 0 374.06 M32 406.06 C10.67 406.06, 0 395.4, 0 374.06 M0 374.06 C0 285, 0 195.94, 0 32 M0 374.06 C0 240.39, 0 106.72, 0 32 M0 32 C0 10.67, 10.67 0, 32 0 M0 32 C0 10.67, 10.67 0, 32 0" stroke="#1e1e1e" stroke-width="2" fill="none"/></g><g stroke-linecap="round" transform="translate(1503.8263785981771 1140.1077265240983) rotate(0 146.01321495687398 143.0132149568737)"><path d="M292.03 143.01 C292.03 146.75, 291.88 150.51, 291.58 154.23 C291.28 157.96, 290.83 161.69, 290.23 165.39 C289.63 169.08, 288.88 172.76, 287.99 176.4 C287.1 180.04, 286.06 183.65, 284.88 187.21 C283.7 190.76, 282.37 194.29, 280.91 197.74 C279.45 201.2, 277.85 204.61, 276.11 207.94 C274.38 211.27, 272.51 214.55, 270.51 217.74 C268.51 220.93, 266.38 224.05, 264.14 227.07 C261.9 230.1, 259.52 233.05, 257.04 235.89 C254.56 238.74, 251.96 241.49, 249.26 244.14 C246.56 246.78, 243.74 249.33, 240.84 251.76 C237.94 254.19, 234.93 256.51, 231.84 258.71 C228.75 260.91, 225.56 263, 222.3 264.95 C219.05 266.91, 215.7 268.74, 212.3 270.44 C208.9 272.14, 205.42 273.71, 201.89 275.14 C198.36 276.57, 194.77 277.87, 191.13 279.03 C187.5 280.18, 183.81 281.2, 180.1 282.07 C176.39 282.95, 172.63 283.68, 168.85 284.27 C165.08 284.85, 161.28 285.29, 157.47 285.59 C153.66 285.88, 149.83 286.03, 146.01 286.03 C142.19 286.03, 138.36 285.88, 134.56 285.59 C130.75 285.29, 126.94 284.85, 123.17 284.27 C119.4 283.68, 115.64 282.95, 111.93 282.07 C108.21 281.2, 104.52 280.18, 100.89 279.03 C97.26 277.87, 93.66 276.57, 90.14 275.14 C86.61 273.71, 83.13 272.14, 79.72 270.44 C76.32 268.74, 72.98 266.91, 69.72 264.95 C66.47 263, 63.28 260.91, 60.19 258.71 C57.1 256.51, 54.09 254.19, 51.19 251.76 C48.28 249.33, 45.47 246.78, 42.77 244.14 C40.07 241.49, 37.46 238.74, 34.98 235.89 C32.5 233.05, 30.13 230.1, 27.89 227.07 C25.64 224.05, 23.51 220.93, 21.52 217.74 C19.52 214.55, 17.65 211.27, 15.91 207.94 C14.18 204.61, 12.58 201.2, 11.11 197.74 C9.65 194.29, 8.33 190.76, 7.15 187.21 C5.97 183.65, 4.93 180.04, 4.03 176.4 C3.14 172.76, 2.4 169.08, 1.8 165.39 C1.2 161.69, 0.75 157.96, 0.45 154.23 C0.15 150.51, 0 146.75, 0 143.01 C0 139.27, 0.15 135.52, 0.45 131.79 C0.75 128.06, 1.2 124.34, 1.8 120.64 C2.4 116.95, 3.14 113.26, 4.03 109.63 C4.93 105.99, 5.97 102.38, 7.15 98.82 C8.33 95.26, 9.65 91.74, 11.11 88.28 C12.58 84.83, 14.18 81.42, 15.91 78.09 C17.65 74.75, 19.52 71.48, 21.52 68.29 C23.51 65.1, 25.64 61.98, 27.89 58.95 C30.13 55.93, 32.5 52.98, 34.98 50.13 C37.46 47.29, 40.07 44.53, 42.77 41.89 C45.47 39.24, 48.28 36.69, 51.19 34.27 C54.09 31.84, 57.1 29.51, 60.19 27.31 C63.28 25.11, 66.47 23.03, 69.72 21.07 C72.98 19.12, 76.32 17.29, 79.72 15.59 C83.13 13.89, 86.61 12.32, 90.14 10.89 C93.66 9.45, 97.26 8.16, 100.89 7 C104.52 5.84, 108.21 4.82, 111.93 3.95 C115.64 3.08, 119.4 2.35, 123.17 1.76 C126.94 1.18, 130.75 0.73, 134.56 0.44 C138.36 0.15, 142.19 0, 146.01 0 C149.83 0, 153.66 0.15, 157.47 0.44 C161.28 0.73, 165.08 1.18, 168.85 1.76 C172.63 2.35, 176.39 3.08, 180.1 3.95 C183.81 4.82, 187.5 5.84, 191.13 7 C194.77 8.16, 198.36 9.45, 201.89 10.89 C205.42 12.32, 208.9 13.89, 212.3 15.59 C215.7 17.29, 219.05 19.12, 222.3 21.07 C225.56 23.03, 228.75 25.11, 231.84 27.31 C234.93 29.51, 237.94 31.84, 240.84 34.27 C243.74 36.69, 246.56 39.24, 249.26 41.89 C251.96 44.53, 254.56 47.29, 257.04 50.13 C259.52 52.98, 261.9 55.93, 264.14 58.95 C266.38 61.98, 268.51 65.1, 270.51 68.29 C272.51 71.48, 274.38 74.75, 276.11 78.09 C277.85 81.42, 279.45 84.83, 280.91 88.28 C282.37 91.74, 283.7 95.26, 284.88 98.82 C286.06 102.38, 287.1 105.99, 287.99 109.63 C288.88 113.26, 289.63 116.95, 290.23 120.64 C290.83 124.34, 291.28 128.06, 291.58 131.79 C291.88 135.52, 292.03 139.27, 292.03 143.01" stroke="#1e1e1e" stroke-width="2" fill="none"/></g><g transform="translate(1541.196680064495 1444.081537539373) rotate(0 124.5751953125 11.5)"><text x="0" y="0" font-family="Helvetica, Segoe UI Emoji" font-size="20px" fill="#1e1e1e" text-anchor="start" style="white-space: pre;" direction="ltr" dominant-baseline="text-before-edge">Bob's Branch Workload Pod</text></g><g transform="translate(1639.3109352505608 1236.9955256270528) rotate(0 12 12)"><use href="#image-1eb35412189527b20624c29b9912c61108c16757" width="24" height="24" opacity="1"/></g><g transform="translate(1531.0939349818746 1276.9795247649972) rotate(0 119.5068359375 11.5)"><text x="0" y="0" font-family="Helvetica, Segoe UI Emoji" font-size="20px" fill="#1e1e1e" text-anchor="start" style="white-space: pre;" direction="ltr" dominant-baseline="text-before-edge">App Customised Container</text></g><g stroke-linecap="round"><g transform="translate(1736.8157971466771 292.31547876711113) rotate(0 127.60162968733493 259.5428168487712)"><path d="M0 0 C42.53 41.78, 243.55 164.19, 255.2 250.7 C266.86 337.22, 100.8 474.36, 69.92 519.09" stroke="#1e1e1e" stroke-width="2.5" fill="none" stroke-dasharray="1.5 8"/></g><g transform="translate(1736.8157971466771 292.31547876711113) rotate(0 127.60162968733493 259.5428168487712)"><path d="M69.92 519.09 L74.38 504.77 L83.76 513.3 L69.92 519.09" stroke="none" stroke-width="0" fill="#1e1e1e" fill-rule="evenodd"/><path d="M69.92 519.09 C71.36 514.47, 72.8 509.85, 74.38 504.77 M74.38 504.77 C77.32 507.44, 80.25 510.11, 83.76 513.3 M83.76 513.3 C79.85 514.94, 75.94 516.57, 69.92 519.09 M69.92 519.09 C69.92 519.09, 69.92 519.09, 69.92 519.09" stroke="#1e1e1e" stroke-width="2.5" fill="none"/></g></g><mask/><g stroke-linecap="round"><g transform="translate(1519.8023162997806 279.65977313223584) rotate(0 -133.73063693238464 505.55890760365907)"><path d="M0 0 C-44.58 78.65, -261.44 303.37, -267.46 471.89 C-273.48 640.4, -74.67 921.25, -36.12 1011.12" stroke="#1e1e1e" stroke-width="2.5" fill="none" stroke-dasharray="1.5 8"/></g><g transform="translate(1519.8023162997806 279.65977313223584) rotate(0 -133.73063693238464 505.55890760365907)"><path d="M-36.12 1011.12 L-48.21 1002.24 L-37.09 996.15 L-36.12 1011.12" stroke="none" stroke-width="0" fill="#1e1e1e" fill-rule="evenodd"/><path d="M-36.12 1011.12 C-39.99 1008.28, -43.86 1005.43, -48.21 1002.24 M-48.21 1002.24 C-45.29 1000.65, -42.38 999.05, -37.09 996.15 M-37.09 996.15 C-36.88 999.38, -36.67 1002.62, -36.12 1011.12 M-36.12 1011.12 C-36.12 1011.12, -36.12 1011.12, -36.12 1011.12" stroke="#1e1e1e" stroke-width="2.5" fill="none"/></g></g><mask/><g stroke-linecap="round" transform="translate(647.4176223999066 30) rotate(0 728.8495465475712 784.4963406516954)"><path d="M32 0 C586.84 -1.66, 1140.97 -2.34, 1425.7 0 M1425.7 0 C1447.41 0.32, 1457.83 9.36, 1457.7 32 M1457.7 32 C1462.31 496.81, 1460.93 960.24, 1457.7 1536.99 M1457.7 1536.99 C1458.47 1558.2, 1446.11 1570.69, 1425.7 1568.99 M1425.7 1568.99 C1094.65 1566.35, 765.01 1566.52, 32 1568.99 M32 1568.99 C9.87 1569.63, -0.04 1558.31, 0 1536.99 M0 1536.99 C5.28 971.47, 4.11 406.96, 0 32 M0 32 C-0.85 9.94, 12.12 -1.39, 32 0" stroke="#1e1e1e" stroke-width="2.5" fill="none" stroke-dasharray="8 10"/></g><g transform="translate(702.4092865355365 77.74467081172406) rotate(0 132.861328125 11.5)"><text x="0" y="0" font-family="Helvetica, Segoe UI Emoji" font-size="20px" fill="#1e1e1e" text-anchor="start" style="white-space: pre;" direction="ltr" dominant-baseline="text-before-edge">Lapdev Environment Baseline</text></g><g transform="translate(76.49301834343623 250.14735137989044) rotate(0 12 12)"><use href="#image-9d2f28049a8a90ddebd6f916b59a887ae5df33f6" width="24" height="24" opacity="1"/></g><g transform="translate(32.27603086933141 284.62536589511217) rotate(0 58.349609375 11.5)"><text x="0" y="0" font-family="Helvetica, Segoe UI Emoji" font-size="20px" fill="#1e1e1e" text-anchor="start" style="white-space: pre;" direction="ltr" dominant-baseline="text-before-edge">Preview URL</text></g><g stroke-linecap="round"><g transform="translate(158.91414035029675 298.213212590004) rotate(0 219.58377702857274 0.9391770719358732)"><path d="M0 0 C73.19 0.31, 365.97 1.57, 439.17 1.88" stroke="#1e1e1e" stroke-width="2.5" fill="none" stroke-dasharray="1.5 8"/></g><g transform="translate(158.91414035029675 298.213212590004) rotate(0 219.58377702857274 0.9391770719358732)"><path d="M439.17 1.88 L425.55 8.16 L425.6 -4.52 L439.17 1.88" stroke="none" stroke-width="0" fill="#1e1e1e" fill-rule="evenodd"/><path d="M439.17 1.88 C433.94 4.29, 428.71 6.7, 425.55 8.16 M425.55 8.16 C425.56 4.75, 425.58 1.34, 425.6 -4.52 M425.6 -4.52 C428.6 -3.1, 431.61 -1.69, 439.17 1.88 M439.17 1.88 C439.17 1.88, 439.17 1.88, 439.17 1.88" stroke="#1e1e1e" stroke-width="2.5" fill="none"/></g></g><mask/><g transform="translate(219.58574665730157 264.21359120485573) rotate(0 164.5458984375 11.5)"><text x="0" y="0" font-family="Helvetica, Segoe UI Emoji" font-size="20px" fill="#1e1e1e" text-anchor="start" style="white-space: pre;" direction="ltr" dominant-baseline="text-before-edge">https://base-environment.app.lap.dev</text></g><g transform="translate(83.14059815834617 355.6923966583971) rotate(0 12 12)"><use href="#image-9d2f28049a8a90ddebd6f916b59a887ae5df33f6" width="24" height="24" opacity="1"/></g><g transform="translate(38.92361068424134 390.17041117361885) rotate(0 58.349609375 11.5)"><text x="0" y="0" font-family="Helvetica, Segoe UI Emoji" font-size="20px" fill="#1e1e1e" text-anchor="start" style="white-space: pre;" direction="ltr" dominant-baseline="text-before-edge">Preview URL</text></g><g stroke-linecap="round"><g transform="translate(165.56172016520622 403.75825786851067) rotate(0 219.58377702857274 0.9391770719358732)"><path d="M0 0 C73.19 0.31, 365.97 1.57, 439.17 1.88" stroke="#1e1e1e" stroke-width="2.5" fill="none" stroke-dasharray="1.5 8"/></g><g transform="translate(165.56172016520622 403.75825786851067) rotate(0 219.58377702857274 0.9391770719358732)"><path d="M439.17 1.88 L425.55 8.16 L425.6 -4.52 L439.17 1.88" stroke="none" stroke-width="0" fill="#1e1e1e" fill-rule="evenodd"/><path d="M439.17 1.88 C435.75 3.45, 432.33 5.03, 425.55 8.16 M425.55 8.16 C425.56 5.3, 425.57 2.45, 425.6 -4.52 M425.6 -4.52 C429.37 -2.74, 433.15 -0.96, 439.17 1.88 M439.17 1.88 C439.17 1.88, 439.17 1.88, 439.17 1.88" stroke="#1e1e1e" stroke-width="2.5" fill="none"/></g></g><mask/><g transform="translate(186.41269201461228 368.62813921063173) rotate(0 197.333984375 11.5)"><text x="0" y="0" font-family="Helvetica, Segoe UI Emoji" font-size="20px" fill="#1e1e1e" text-anchor="start" style="white-space: pre;" direction="ltr" dominant-baseline="text-before-edge">https://alice-branch-environment.app.lap.dev</text></g><g transform="translate(74.21698747410483 450.8854256726006) rotate(0 12 12)"><use href="#image-9d2f28049a8a90ddebd6f916b59a887ae5df33f6" width="24" height="24" opacity="1"/></g><g transform="translate(30 485.36344018782233) rotate(0 58.349609375 11.5)"><text x="0" y="0" font-family="Helvetica, Segoe UI Emoji" font-size="20px" fill="#1e1e1e" text-anchor="start" style="white-space: pre;" direction="ltr" dominant-baseline="text-before-edge">Preview URL</text></g><g stroke-linecap="round"><g transform="translate(156.63810948096489 498.95128688271416) rotate(0 219.58377702857274 0.9391770719358732)"><path d="M0 0 C73.19 0.31, 365.97 1.57, 439.17 1.88" stroke="#1e1e1e" stroke-width="2.5" fill="none" stroke-dasharray="1.5 8"/></g><g transform="translate(156.63810948096489 498.95128688271416) rotate(0 219.58377702857274 0.9391770719358732)"><path d="M439.17 1.88 L425.55 8.16 L425.6 -4.52 L439.17 1.88" stroke="none" stroke-width="0" fill="#1e1e1e" fill-rule="evenodd"/><path d="M439.17 1.88 C434.31 4.12, 429.45 6.36, 425.55 8.16 M425.55 8.16 C425.57 3.66, 425.58 -0.84, 425.6 -4.52 M425.6 -4.52 C430.45 -2.23, 435.3 0.05, 439.17 1.88 M439.17 1.88 C439.17 1.88, 439.17 1.88, 439.17 1.88" stroke="#1e1e1e" stroke-width="2.5" fill="none"/></g></g><mask/><g transform="translate(188.48466494393324 462.3378239686159) rotate(0 193.4521484375 11.5)"><text x="0" y="0" font-family="Helvetica, Segoe UI Emoji" font-size="20px" fill="#1e1e1e" text-anchor="start" style="white-space: pre;" direction="ltr" dominant-baseline="text-before-edge">https://bob-branch-environment.app.lap.dev</text></g><g transform="translate(1647.1311091685084 310.60740000787155) rotate(0 164.5458984375 11.5)"><text x="0" y="0" font-family="Helvetica, Segoe UI Emoji" font-size="20px" fill="#1e1e1e" text-anchor="start" style="white-space: pre;" direction="ltr" dominant-baseline="text-before-edge">https://base-environment.app.lap.dev</text></g><g transform="translate(2005.8909681967598 547.0320686552345) rotate(0 197.333984375 11.5)"><text x="0" y="0" font-family="Helvetica, Segoe UI Emoji" font-size="20px" fill="#1e1e1e" text-anchor="start" style="white-space: pre;" direction="ltr" dominant-baseline="text-before-edge">https://alice-branch-environment.app.lap.dev</text></g><g transform="translate(957.7834879470365 1051.4946898867415) rotate(0 193.4521484375 11.5)"><text x="0" y="0" font-family="Helvetica, Segoe UI Emoji" font-size="20px" fill="#1e1e1e" text-anchor="start" style="white-space: pre;" direction="ltr" dominant-baseline="text-before-edge">https://bob-branch-environment.app.lap.dev</text></g><g transform="translate(181.164321088856 303.37430687431186) rotate(0 148.1396484375 11.5)"><text x="0" y="0" font-family="Helvetica, Segoe UI Emoji" font-size="20px" fill="#1e1e1e" text-anchor="start" style="white-space: pre;" direction="ltr" dominant-baseline="text-before-edge">tracestate: lapdev-env-id=base-id</text></g><g transform="translate(179.49781894123726 404.50429745179747) rotate(0 175.3662109375 11.5)"><text x="0" y="0" font-family="Helvetica, Segoe UI Emoji" font-size="20px" fill="#1e1e1e" text-anchor="start" style="white-space: pre;" direction="ltr" dominant-baseline="text-before-edge">tracestate: lapdev-env-id=alice-brach-id</text></g><g transform="translate(185.9695619294971 500.4321031434635) rotate(0 171.484375 11.5)"><text x="0" y="0" font-family="Helvetica, Segoe UI Emoji" font-size="20px" fill="#1e1e1e" text-anchor="start" style="white-space: pre;" direction="ltr" dominant-baseline="text-before-edge">tracestate: lapdev-env-id=bob-brach-id</text></g><g stroke-linecap="round"><g transform="translate(1392.2032216943967 350.2402695088585) rotate(0 -143.68512552890456 0.6671664205458754)"><path d="M0 0 C-47.9 0.22, -239.48 1.11, -287.37 1.33 M0 0 C-47.9 0.22, -239.48 1.11, -287.37 1.33" stroke="#1e1e1e" stroke-width="2" fill="none"/></g><g transform="translate(1392.2032216943967 350.2402695088585) rotate(0 -143.68512552890456 0.6671664205458754)"><path d="M0 0 L-13.57 6.4 L-13.62 -6.28 L0 0" stroke="none" stroke-width="0" fill="#1e1e1e" fill-rule="evenodd"/><path d="M0 0 C-4.24 2, -8.49 4.01, -13.57 6.4 M0 0 C-4.1 1.94, -8.21 3.87, -13.57 6.4 M-13.57 6.4 C-13.59 2.03, -13.61 -2.35, -13.62 -6.28 M-13.57 6.4 C-13.59 1.78, -13.61 -2.85, -13.62 -6.28 M-13.62 -6.28 C-9.74 -4.48, -5.85 -2.69, 0 0 M-13.62 -6.28 C-9.62 -4.43, -5.62 -2.59, 0 0 M0 0 C0 0, 0 0, 0 0 M0 0 C0 0, 0 0, 0 0" stroke="#1e1e1e" stroke-width="2" fill="none"/></g></g><mask/><g stroke-linecap="round"><g transform="translate(1397.3026637127523 796.05175076425) rotate(0 -143.68512552890434 0.6671664205458683)"><path d="M0 0 C-47.9 0.22, -239.48 1.11, -287.37 1.33 M0 0 C-47.9 0.22, -239.48 1.11, -287.37 1.33" stroke="#1e1e1e" stroke-width="2" fill="none"/></g><g transform="translate(1397.3026637127523 796.05175076425) rotate(0 -143.68512552890434 0.6671664205458683)"><path d="M0 0 L-13.57 6.4 L-13.62 -6.28 L0 0" stroke="none" stroke-width="0" fill="#1e1e1e" fill-rule="evenodd"/><path d="M0 0 C-3.6 1.7, -7.19 3.39, -13.57 6.4 M0 0 C-3.91 1.84, -7.81 3.69, -13.57 6.4 M-13.57 6.4 C-13.58 3.46, -13.59 0.52, -13.62 -6.28 M-13.57 6.4 C-13.59 1.67, -13.61 -3.05, -13.62 -6.28 M-13.62 -6.28 C-8.6 -3.96, -3.57 -1.65, 0 0 M-13.62 -6.28 C-10.32 -4.75, -7.01 -3.23, 0 0 M0 0 C0 0, 0 0, 0 0 M0 0 C0 0, 0 0, 0 0" stroke="#1e1e1e" stroke-width="2" fill="none"/></g></g><mask/><g stroke-linecap="round"><g transform="translate(1408.717599137487 1301.2232641810483) rotate(0 -143.68512552890434 0.6671664205458683)"><path d="M0 0 C-47.9 0.22, -239.48 1.11, -287.37 1.33 M0 0 C-47.9 0.22, -239.48 1.11, -287.37 1.33" stroke="#1e1e1e" stroke-width="2" fill="none"/></g><g transform="translate(1408.717599137487 1301.2232641810483) rotate(0 -143.68512552890434 0.6671664205458683)"><path d="M0 0 L-13.57 6.4 L-13.62 -6.28 L0 0" stroke="none" stroke-width="0" fill="#1e1e1e" fill-rule="evenodd"/><path d="M0 0 C-4.97 2.34, -9.93 4.69, -13.57 6.4 M0 0 C-5.07 2.39, -10.14 4.78, -13.57 6.4 M-13.57 6.4 C-13.58 2.42, -13.6 -1.57, -13.62 -6.28 M-13.57 6.4 C-13.58 2.83, -13.6 -0.75, -13.62 -6.28 M-13.62 -6.28 C-8.35 -3.85, -3.08 -1.42, 0 0 M-13.62 -6.28 C-10.25 -4.72, -6.87 -3.16, 0 0 M0 0 C0 0, 0 0, 0 0 M0 0 C0 0, 0 0, 0 0" stroke="#1e1e1e" stroke-width="2" fill="none"/></g></g><mask/></svg>
\ No newline at end of file
diff --git a/docs/README.md b/docs/README.md
new file mode 100644
index 0000000..d40a040
--- /dev/null
+++ b/docs/README.md
@@ -0,0 +1,68 @@
+# Introduction
+
+Kubernetes makes deploying apps easy, well, sort of. But that 100 microservices app makes the development flow hard. You can't fit the whole app on your workstation, without pain. The most sensible way is probably running the development flow in Kubernetes itself. Have a pipeline to build and deploy your code changes. But the feedback is slow.
+
+Tools like Skaffold can sync your code changes to pods directly, and tools like Telepresence can intercept traffic to your local machine which enables you to do local debugging. That makes things feel like good old local development again. But,
+
+**How do you manage all the Kubernetes resources?** The deployments, ConfigMaps, services, secrets - who maintains them? Do developers share the same resources, or does everyone get separate environments? If they're separate, how do you keep them in sync? How do you ensure changes to the app propagate to all dev environments? And what about domains, DNS, and HTTPS for developers to actually access their work?
+
+## Why Lapdev
+
+Lapdev Kubernetes Environment solves all these pains so that you don't have to.
+
+### **Seamless Environment Management:**
+
+Lapdev reads your **production Kubernetes manifests directly from your cluster**. Just tell Lapdev which workloads your app needs, and it automatically replicates:
+
+* The workloads (Deployments, StatefulSets, DaemonSets, etc.)
+* Associated ConfigMaps and Secrets
+* Services and networking configuration
+
+**Your production manifests become the single source of truth** - no duplicate YAML files to maintain, no config drift between prod and dev.
+
+### Stay in Sync with Production
+
+* Lapdev continuously monitors your production manifests for changes
+* App Catalogs automatically update when their source workloads change
+* Environments **notify you when updates are available** - sync with one click when you're ready
+* No surprise interruptions during development - you control when to pull in changes
+
+### Flexible Environment Models
+
+**Personal Environments:** Each developer gets a complete, independent copy of all workloads. Perfect for testing breaking changes or complex multi-service interactions with full isolation.
+
+**Branch Environments (Cost-Effective):** A shared baseline environment runs all services once. Developers create lightweight "branch environments" for only the services they're actively modifying. Lapdev automatically routes your traffic to your version while everything else uses the shared baseline.
+
+### Local Development with Devbox
+
+Lapdev includes **Devbox**, a CLI tool that integrates seamlessly with your environments:
+
+* Intercept cluster traffic to your local machine for real-time debugging
+* Use your local IDE, set breakpoints, and see live logs
+* Transparently access in-cluster services (databases, caches, internal APIs) as if you're running inside the pod
+* No complex VPN or tunneling setup required
+
+### Preview URLs with Zero Configuration
+
+Create Preview URLs for any service in your environment:
+
+* Unique HTTPS URLs automatically generated for each service
+* Automatic TLS certificates and DNS configuration
+* Traffic proxied directly to your in-cluster services
+* Optional access control - configure URLs to be accessible only to Lapdev logged-in users
+* No firewall changes, no manual Ingress configuration, no cert-manager setup
+
+Share your work with teammates, PMs, or QA instantly - they can test your changes without any cluster access or VPN.
+
+### Easy Installation in Your Cluster
+
+Lapdev requires just one deployment `lapdev-kube-manager` installed in your cluster. That's it.
+
+## Getting Started
+
+1. [Connect Your Kubernetes Cluster](how-to-guides/connect-your-kubernetes-cluster.md)
+2. [Create an App Catalog](how-to-guides/create-an-app-catalog.md)
+3. [Create Your First Environment](how-to-guides/create-lapdev-environment.md)
+4. [Start Local Development with Devbox](how-to-guides/local-development-with-devbox.md)
+
+Learn more about [Core Concepts](core-concepts/architecture/README.md).
diff --git a/docs/SUMMARY.md b/docs/SUMMARY.md
new file mode 100644
index 0000000..da4c2f8
--- /dev/null
+++ b/docs/SUMMARY.md
@@ -0,0 +1,22 @@
+# Table of contents
+
+* [Introduction](README.md)
+
+## How to guides
+
+* [Connect Your Kubernetes Cluster](how-to-guides/connect-your-kubernetes-cluster.md)
+* [Create an App Catalog](how-to-guides/create-an-app-catalog.md)
+* [Create Lapdev Environment](how-to-guides/create-lapdev-environment.md)
+* [Local Development With Devbox](how-to-guides/local-development-with-devbox.md)
+* [Use Preview URLs](how-to-guides/use-preview-urls.md)
+
+## Core Concepts
+
+* [Architecture](core-concepts/architecture/README.md)
+  * [Traffic Routing Architecture](core-concepts/architecture/traffic-routing-architecture.md)
+  * [Branch Environment Architecture](core-concepts/architecture/branch-environment-architecture.md)
+* [Cluster](core-concepts/cluster.md)
+* [App Catalog](core-concepts/app-catalog.md)
+* [Environment](core-concepts/environment.md)
+* [Devbox](core-concepts/devbox.md)
+* [Preview URL](core-concepts/preview-url.md)
diff --git a/docs/core-concepts/app-catalog.md b/docs/core-concepts/app-catalog.md
new file mode 100644
index 0000000..1866b0a
--- /dev/null
+++ b/docs/core-concepts/app-catalog.md
@@ -0,0 +1,79 @@
+# App Catalog
+
+The **App Catalog** is the foundation of how Lapdev understands and manages your application in Kubernetes.
+
+It defines **which workloads belong to your app** — such as deployments, statefulsets, and their associated configuration — and acts as the **blueprint** Lapdev uses to create consistent and production-aligned development environments.
+
+### Why App Catalogs
+
+In most Kubernetes setups, application configuration is scattered across multiple manifests or Helm charts.\
+Developers often need to manually manage which workloads belong to which app, and this can easily lead to configuration drift between environments.
+
+The App Catalog solves this by:
+
+* **Defining your app once** — directly from your production workloads.
+* **Reusing that definition** to create any number of environments (personal, shared, or branch).
+* **Keeping everything in sync** with your production manifests — no duplicate YAML or manual updates.
+
+### How It Works
+
+1. Lapdev connects to your **source cluster** and reads all workloads running in it.
+2. You select the workloads that make up your application (for example, `frontend`, `api`, and `database`).
+3. Lapdev groups those workloads — along with their related **ConfigMaps**, **Secrets**, and **Services** — into an **App Catalog**.
+4. The catalog is stored in Lapdev and can be reused to create environments on any connected cluster.
+
+> 💡 The **source cluster** is typically your staging or production cluster.\
+> You can also use a dedicated cluster that mirrors production manifests.\
+> Learn more about cluster roles in [**Cluster**](cluster.md).
+
+### Relationship Between App Catalogs and Environments
+
+| Concept         | Purpose                                                                       | Example                                                                  |
+| --------------- | ----------------------------------------------------------------------------- | ------------------------------------------------------------------------ |
+| **App Catalog** | Defines what your app is — a collection of workloads and their configuration. | `checkout-service` (includes `checkout-api`, `payment-api`, `frontend`)  |
+| **Environment** | A running instance of that app in a specific cluster.                         | `mia-checkout-feature` (personal env) or `staging-checkout` (shared env) |
+
+You can think of an **App Catalog** as a _template_ and an **Environment** as a _live deployment_ of that template.
+
+### Editing an App Catalog
+
+After creating an App Catalog, you can modify it anytime:
+
+* Add or remove workloads
+* Update its description
+* Sync it with your source cluster to reflect production changes
+
+Lapdev automatically tracks these updates and keeps associated environments consistent with the latest configuration.
+
+### Typical Usage Pattern
+
+App Catalogs fit into your workflow like this:
+
+```
+Source Cluster (Production/Staging)
+        ↓
+   App Catalog (Blueprint)
+        ↓
+Multiple Environments (Personal/Shared/Branch)
+```
+
+Once created, catalogs can be synced when production manifests change, keeping all environments up to date.
+
+> For step-by-step instructions, see [**Create an App Catalog**](../how-to-guides/create-an-app-catalog.md).
+
+### Benefits of App Catalogs
+
+✅ **No config drift:** Use production manifests as the single source of truth.\
+✅ **Reusable blueprint:** Create multiple environments from the same catalog.\
+✅ **Simplified management:** Centralize workloads and configuration in one place.\
+✅ **Scalable:** Works across clusters and environment models.
+
+### When to Use Multiple App Catalogs
+
+You can create more than one App Catalog if:
+
+* Your organization manages multiple independent apps (e.g. `checkout`, `search`, `analytics`).
+* You want to separate internal tools from core services.
+* Different teams own different parts of your system.
+
+Each App Catalog can have its own lifecycle and permissions.
diff --git a/docs/core-concepts/app-catalog.mdx b/docs/core-concepts/app-catalog.mdx
new file mode 100644
index 0000000..b961bdd
--- /dev/null
+++ b/docs/core-concepts/app-catalog.mdx
@@ -0,0 +1 @@
+export { default } from "./app-catalog.md";
diff --git a/docs/core-concepts/architecture/README.md b/docs/core-concepts/architecture/README.md
new file mode 100644
index 0000000..af86a7e
--- /dev/null
+++ b/docs/core-concepts/architecture/README.md
@@ -0,0 +1,90 @@
+# Architecture
+
+This document explains how Lapdev works and how its components interact to provide seamless Kubernetes development environments.
+
+### Overview
+
+Lapdev consists of three main components:
+
+1. **Lapdev API Server** (SaaS) - Manages users, authentication, and orchestrates environment creation
+2. **Lapdev-Kube-Manager** (In your cluster) - Reads production manifests, manages dev environments, and pushes routing/intercept state to sidecars
+3. [**Devbox**](../devbox.md) **CLI** (Developer's machine) - Enables local debugging with cluster connectivity
+   - Plus an auto-injected **Sidecar Proxy** per pod that enforces routing and intercepts at runtime
+
+### Architecture Diagram
+
+<img src="../../images/architecture.svg" alt="" class="gitbook-drawing">
+
+### Component Details
+
+#### Lapdev API Server (SaaS)
+
+The Lapdev cloud service handles:
+
+* **User authentication and authorization** - GitHub/GitLab OAuth, team management
+* **Environment orchestration** - Receives environment creation requests from users
+* **Secure tunnel management** - Establishes websocket tunnels between your cluster and Lapdev
+* [**Preview URL**](../preview-url.md) **routing** - Routes traffic from automatically generated HTTPS URLs to your cluster
+
+**Security:**
+
+* Communicates with your cluster via secure websocket tunnels (TLS encrypted)
+* No direct access to your cluster's API server
+* Receives workload manifests (Deployments, StatefulSets, ConfigMaps, Secrets) from lapdev-kube-manager to build App Catalogs
+* You control which workloads Lapdev can access through App Catalog selection
+* No access to runtime application data (databases, logs, persistent volumes)
+
+#### Lapdev-Kube-Manager (In Your Cluster)
+
+Deployed as a single Kubernetes deployment in your cluster, `lapdev-kube-manager`:
+
+* **Reads production manifests** - Discovers Deployments, StatefulSets, ConfigMaps, Secrets, and Services from your production namespace to build [App Catalogs](../app-catalog.md)
+* **Creates dev** [**environments**](../environment.md) - Replicates selected workloads into isolated or shared namespaces
+* **Manages sync** - Monitors production manifests for changes and updates dev environments
+* **Publishes traffic routing** - For [branch environments](branch-environment-architecture.md), computes routing tables and distributes them to sidecars (sidecars enforce routing; see [Traffic Routing Architecture](traffic-routing-architecture.md))
+* **Establishes secure tunnel** - Maintains websocket connection to Lapdev API Server for orchestration
+
+**Permissions:**
+
+* Read access to production namespace (to read manifests)
+* Full access to Lapdev-managed namespaces (to create/update environments)
+* No access to other cluster resources
+
+#### Devbox CLI (Developer Machine)
+
+The `lapdev devbox` command-line tool enables local development:
+
+* **Traffic interception** - Routes requests for specific services to `localhost` (controlled via Lapdev dashboard)
+* **Cluster connectivity** - Provides transparent access to in-cluster services (databases, APIs, caches)
+* **Secure tunnel** - Establishes encrypted connection to Lapdev API Server, which proxies to your cluster
+
+**How it works:**
+
+1. Developer runs `lapdev devbox connect` and sets their active environment in the dashboard
+2. Devbox establishes secure tunnel: `Developer → Lapdev API`
+   - Lapdev-Kube-Manager stays in the control plane, pushing intercept metadata and (optional) direct-connect hints to sidecars, but is not on the data path.
+3. Sidecar receives intercept config, opens its own tunnel to Lapdev API for that workload, and forwards intercepted pod traffic over the tunnel to the Devbox CLI
+4. Developer's code processes requests on localhost; responses flow back through the same tunnel to the pod
+5. Non-intercepted traffic continues to the in-cluster service transparently
+
+Learn more: [Devbox Concept](../devbox.md) | [Local Development with Devbox](../../how-to-guides/local-development-with-devbox.md)
+
+### Learn More
+
+**Specialized Architecture Documentation:**
+
+* [Traffic Routing Architecture](traffic-routing-architecture.md) - How Lapdev routes traffic between components
+* [Branch Environment Architecture](branch-environment-architecture.md) - Cost-effective environment model details
+
+**Core Concepts:**
+
+* [Cluster](../cluster.md) - How clusters connect to Lapdev
+* [App Catalog](../app-catalog.md) - Blueprint for your application
+* [Environment](../environment.md) - Running instances of your app
+* [Preview URL](../preview-url.md) - HTTPS access to your services
+
+**Getting Started:**
+
+* [Connect Your Kubernetes Cluster](../../how-to-guides/connect-your-kubernetes-cluster.md)
+* [Create an App Catalog](../../how-to-guides/create-an-app-catalog.md)
+* [Create Lapdev Environment](../../how-to-guides/create-lapdev-environment.md)
diff --git a/docs/core-concepts/architecture/branch-environment-architecture.md b/docs/core-concepts/architecture/branch-environment-architecture.md
new file mode 100644
index 0000000..7f818ff
--- /dev/null
+++ b/docs/core-concepts/architecture/branch-environment-architecture.md
@@ -0,0 +1,184 @@
+# Branch Environment Architecture
+
+Branch environments are a cost-effective way to run development environments in Kubernetes. Instead of duplicating all services for each developer, branch environments build on a [shared environment](../environment.md) and only run the services you're actively modifying.
+
+### Architecture Diagram
+
+<img src="../../.gitbook/assets/file.excalidraw (3).svg" alt="" class="gitbook-drawing" />
+
+### Concept
+
+Without Branch Environments:
+
+```
+10 developers × 100 services each = 1000 pods total
+Every developer runs a complete copy of all services
+```
+
+With Branch Environments:
+
+```
+Shared environment: 100 services (shared by everyone)
++ 10 developers × 2 modified services each = 20 branched services
+Total: 120 pods
+```
+
+**Example:** Alice modifies `api`, Bob modifies `worker` - they only run their modified services while sharing the rest.
+
+**Savings: 88% reduction in infrastructure costs**
+
+### Prerequisites
+
+Branch environments require:
+
+* **HTTP/HTTPS communication only** - Non-HTTP components (databases, message queues, gRPC) remain shared across all branches
+* **Header propagation** - Your application must forward OpenTelemetry `tracestate` headers in service-to-service calls
+
+**Important:** While Lapdev automatically injects the tracestate header for incoming requests, your application code must forward headers in service-to-service HTTP calls for routing to work correctly.
+
+### How It Works
+
+#### The Shared Environment
+
+One shared environment runs all your services:
+
+* Contains a complete copy of all workloads
+* Shared by all developers
+* Acts as the foundation for all branch environments
+
+#### Your Branch Environment
+
+When you create a branch, you specify which service(s) you're modifying:
+
+* Only those services run as branched workloads alongside the shared copies in the same namespace
+* Everything else routes to the shared environment
+
+#### Traffic Routing Overview
+
+When someone accesses your branch [preview URL](../preview-url.md), Lapdev routes traffic intelligently:
+
+* Requests to services you've modified → route to your branch version
+* Requests to all other services → route to the shared environment
+
+**Example:** If Alice's branch modifies only the `api` service, then requests for `api` go to her branch while `web`, `worker`, and all other services use the shared environment.
+
+#### Routing Mechanism
+
+**1. Header Injection**
+
+When a request enters through a [preview URL](../preview-url.md), Lapdev automatically injects an OpenTelemetry `tracestate` header that identifies which branch the request belongs to.
+
+**2. Header Propagation (Your Responsibility)**
+
+Your application must forward the `tracestate` header in all HTTP service-to-service calls.
+
+**How to implement:**
+
+Most HTTP clients automatically forward headers when you pass them explicitly. For example:
+
+```javascript
+// Forward all incoming headers to downstream services
+const response = await axios.get('http://other-service:8080/api', {
+  headers: request.headers  // This includes the tracestate header
+});
+```
+
+**Framework-specific approaches:**
+
+✅ **Automatic with these frameworks:**
+- Spring Cloud Sleuth (auto-propagates OpenTelemetry headers)
+- OpenTelemetry-instrumented applications (SDK handles propagation)
+
+⚠️ **Manual forwarding required:**
+- Express.js, Fastify, Koa (pass `request.headers` to HTTP client)
+- Go HTTP clients (copy headers from incoming request)
+- Any custom HTTP client implementation
+
+**3. Routing Decision**
+
+The Lapdev Sidecar Proxy (automatically injected by Lapdev into each pod in managed environments) sits in front of your workload traffic:
+
+1. Intercepts incoming requests headed to your service
+2. Reads the `tracestate` header to identify the branch
+3. Checks if the target service has a branch override for this branch
+4. If a Devbox intercept is active for this branch/service, routes to the developer’s local process; otherwise routes to the branched service if present
+5. Falls back to the shared environment if no branch-specific target exists
+6. The header continues downstream, so the next hop can repeat the decision
+
+> **Note:** The sidecar proxy is automatically added when Lapdev creates your environment. No manual configuration needed. For more details, see [Traffic Routing Architecture](traffic-routing-architecture.md).
+
+### Key Benefits
+
+* **Cost-effective:** Only run what you're changing (up to 88% infrastructure reduction)
+* **Instant creation:** Branch environments are created instantly - branched workloads are only deployed when you modify them
+* **Realistic testing:** Test your changes against real production-like services, not mocks
+* **No conflicts:** Multiple developers can work on different services simultaneously
+
+### Limitations
+
+#### 1. Header Propagation Required
+
+Your application must forward the `tracestate` header in service-to-service HTTP calls, otherwise routing will break mid-request chain. See the **Routing Mechanism** section above for implementation guidance.
+
+#### 2. HTTP/HTTPS Traffic Only
+
+Branch routing works exclusively for HTTP/HTTPS communication. Other protocols are always shared:
+
+* **Shared across all branches:** Databases, message queues, gRPC services, TCP connections
+* **Implication:** Be careful with database schema changes or queue message format changes
+
+#### 3. Stateful Services Considerations
+
+Services with persistent state (databases, caches) are shared across branches:
+
+* Database writes from one branch affect all other branches
+* Redis/Memcached entries are visible to all branches
+* File uploads or background jobs may interfere between branches
+
+**Best Practice:** Use branch-specific prefixes for cache keys and database records when testing data modifications.
+
+### Troubleshooting
+
+#### Traffic not routing correctly to my branch
+
+**Symptoms:**
+- Changes aren't visible when accessing your branch preview URL
+- Some requests use your branch version, others use the shared version (inconsistent routing)
+
+**Possible causes:**
+
+1. **Headers not propagated:** Your services aren't forwarding the `tracestate` header in HTTP calls
+2. **Service not branched:** The service is not actually deployed in your branch environment
+3. **Wrong preview URL:** You're accessing the shared environment URL instead of your branch URL
+
+**Debug steps:**
+
+* Verify your HTTP clients forward incoming headers to downstream services (see example above)
+* Check the Lapdev dashboard to confirm which services are branched in your environment
+* Check sidecar proxy logs to see routing decisions
+* Look for the `tracestate` header in your service logs - if it's missing after the first hop, headers aren't being propagated
+
+#### Database changes from my branch affect other developers
+
+This is **expected behavior**. Branch environments share databases and other stateful services.
+
+**Solutions:**
+
+* Use branch-specific database prefixes or namespaces
+* Test with read-only database operations
+* Use separate test databases per branch (requires manual configuration)
+
+### Learn More
+
+**Related Architecture Documentation:**
+* [Traffic Routing Architecture](traffic-routing-architecture.md) - Detailed explanation of how routing works across all environment types
+* [Architecture Overview](README.md) - Overall system design and component interactions
+
+**Core Concepts:**
+* [Environment](../environment.md) - Understanding Personal, Shared, and Branch environments
+* [Preview URL](../preview-url.md) - HTTPS access to your services
+* [App Catalog](../app-catalog.md) - Blueprint for your application
+
+**How-To Guides:**
+* [Create Lapdev Environment](../../how-to-guides/create-lapdev-environment.md) - How to create branch environments
+* [Use Preview URLs](../../how-to-guides/use-preview-urls.md) - Access and share your branch environment
diff --git a/docs/core-concepts/architecture/branch-environment-architecture.mdx b/docs/core-concepts/architecture/branch-environment-architecture.mdx
new file mode 100644
index 0000000..5515baa
--- /dev/null
+++ b/docs/core-concepts/architecture/branch-environment-architecture.mdx
@@ -0,0 +1 @@
+export { default } from "./branch-environment-architecture.md";
diff --git a/docs/core-concepts/architecture/index.mdx b/docs/core-concepts/architecture/index.mdx
new file mode 100644
index 0000000..72567f1
--- /dev/null
+++ b/docs/core-concepts/architecture/index.mdx
@@ -0,0 +1 @@
+export { default } from "./README.md";
diff --git a/docs/core-concepts/architecture/traffic-routing-architecture.md b/docs/core-concepts/architecture/traffic-routing-architecture.md
new file mode 100644
index 0000000..d77e133
--- /dev/null
+++ b/docs/core-concepts/architecture/traffic-routing-architecture.md
@@ -0,0 +1,133 @@
+# Traffic Routing Architecture
+
+This document explains how traffic flows through Lapdev for both preview URLs and local development with Devbox.
+
+### Overview
+
+Lapdev handles two main traffic patterns:
+
+1. **[Preview URL](../preview-url.md) Traffic** - External users accessing your development environment via browser
+2. **[Devbox](../devbox.md) Traffic** - Developers debugging locally while accessing cluster services
+
+Both patterns use secure tunnels through the Lapdev cloud service, eliminating the need for VPNs or firewall changes.
+
+### Architecture Diagram
+
+<img src="../../.gitbook/assets/file.excalidraw (2).svg" alt="" class="gitbook-drawing" />
+
+### Components
+
+#### In Your Cluster
+
+**Lapdev-Kube-Manager**
+
+* Orchestrates environment creation and management
+* Maintains control-plane connection to Lapdev cloud service (route updates, heartbeats)
+* Pushes branch/service routing tables and Devbox intercept metadata to sidecars
+
+**Lapdev [Environment](../environment.md) (Namespace)**
+
+* Contains your replicated workloads
+* Each environment is isolated in its own namespace
+* Multiple environments can coexist in the same cluster
+
+**App Workload Pod**
+
+* Your application container(s)
+* Runs unmodified in Personal and Shared environments
+* [Branch environments](branch-environment-architecture.md) may require header propagation (see Branch Environment Routing below)
+
+**Lapdev Sidecar Proxy**
+
+* Automatically injected into each pod in Lapdev environments
+* Routes traffic for branch environments based on tracestate headers
+* Handles Devbox intercepts directly (opens tunnels to Lapdev cloud and shuttles pod traffic over them)
+* Falls back to in-cluster service when no intercept is active
+
+#### External Components
+
+**Lapdev Cloud Service**
+
+* Routes preview URL traffic to your cluster
+* Manages secure websocket tunnels
+* Handles authentication for preview URLs
+
+**Devbox (Developer Machine)**
+
+* CLI tool running on developer's laptop
+* Establishes secure tunnel to cluster
+* Intercepts traffic for specific services
+* Provides transparent access to in-cluster services
+
+### Traffic Flows
+
+#### Preview URL Traffic
+
+When a user accesses a Preview URL:
+
+1. **Browser** → Request to automatically generated HTTPS URL
+2. **Lapdev Cloud Service** → Authenticates request (if access control enabled)
+3. **Lapdev Cloud Service** → Routes through WebSocket tunnel to kube-manager
+4. **Kube-Manager** → Forwards to appropriate environment namespace
+5. **Sidecar Proxy** → Routes to target service based on environment type:
+   - **Personal/Shared:** Routes directly to service
+   - **Branch:** Checks tracestate header and routes to branched or shared version
+6. **Service** → Processes request and returns response
+
+The response flows back through the same path to the user's browser.
+
+#### Devbox Intercept Traffic
+
+When a developer intercepts a service with Devbox:
+
+1. **Developer runs** `lapdev devbox connect` and enables intercept in dashboard
+2. **Devbox CLI** → Establishes secure tunnel: `Local machine → Lapdev Cloud → Sidecar Proxy`
+   - Kube-Manager stays on the control plane (publishing intercept metadata and optional direct-connect hints) but is **not** on the data path.
+3. **Sidecar Proxy** for the intercepted pod:
+   - Receives routing rules from Kube-Manager
+   - Opens the tunnel to Lapdev Cloud using the intercept token
+   - Forwards intercepted traffic to the developer’s local machine
+4. **Local service** → Developer's code running on localhost processes the request
+5. **Response** flows back through the same tunnel to the pod
+
+When no intercept is active, traffic routes normally to the in-cluster service.
+
+#### Branch Environment Routing
+
+Branch environments use intelligent routing based on tracestate headers:
+
+1. **Request enters** through Preview URL with branch-specific tracestate header (auto-injected by Lapdev)
+2. **Sidecar Proxy** reads tracestate header to identify the branch
+3. **Routing decision:**
+   - Service modified in branch? → Route to branch version
+   - Service not modified? → Route to shared environment version
+4. **Header propagation:** Application must forward headers to downstream services
+5. **Next hop:** Process repeats at each service
+
+This enables multiple developers to test different modifications simultaneously without conflicts.
+
+> **Important:** Branch environment routing requires your application to propagate the tracestate header in HTTP calls. See [Branch Environment Architecture](branch-environment-architecture.md) for implementation details.
+
+### Component Roles Summary
+
+| Component | Purpose | When Used |
+|-----------|---------|-----------|
+| **Sidecar Proxy** | Routes traffic based on environment type and headers | All environments |
+| **Kube-Manager** | Orchestrates environments and pushes routing/intercept state to sidecars | Always running |
+| **Lapdev Cloud** | Routes external traffic and manages authentication | Preview URLs and Devbox |
+
+### Learn More
+
+**Specialized Routing Documentation:**
+* [Branch Environment Architecture](branch-environment-architecture.md) - Tracestate header propagation, routing mechanism, and troubleshooting
+* [Architecture Overview](README.md) - Overall system design and component interactions
+
+**Core Concepts:**
+* [Environment](../environment.md) - Personal, Shared, and Branch environment types
+* [Devbox](../devbox.md) - Local development with cluster connectivity
+* [Preview URL](../preview-url.md) - HTTPS access to your services
+
+**How-To Guides:**
+* [Use Preview URLs](../../how-to-guides/use-preview-urls.md) - Create and manage preview URLs
+* [Local Development with Devbox](../../how-to-guides/local-development-with-devbox.md) - Set up traffic interception and cluster access
+* [Create Lapdev Environment](../../how-to-guides/create-lapdev-environment.md) - Set up different environment types
diff --git a/docs/core-concepts/architecture/traffic-routing-architecture.mdx b/docs/core-concepts/architecture/traffic-routing-architecture.mdx
new file mode 100644
index 0000000..cb8b9a0
--- /dev/null
+++ b/docs/core-concepts/architecture/traffic-routing-architecture.mdx
@@ -0,0 +1 @@
+export { default } from "./traffic-routing-architecture.md";
diff --git a/docs/core-concepts/cluster.md b/docs/core-concepts/cluster.md
new file mode 100644
index 0000000..9a0c80f
--- /dev/null
+++ b/docs/core-concepts/cluster.md
@@ -0,0 +1,166 @@
+# Cluster
+
+A **Cluster** in Lapdev refers to a Kubernetes cluster you've connected to Lapdev for managing development environments.
+
+Clusters can serve two roles:
+- **Source Cluster** - Provides production manifests for creating App Catalogs
+- **Target Cluster** - Hosts development environments
+
+The same cluster can serve both roles, which is the most common setup.
+
+### Why Connect Clusters
+
+Connecting your Kubernetes cluster to Lapdev enables:
+
+* **App Catalog Creation** - Read production manifests to define your app
+* **Environment Deployment** - Run development environments in the cluster
+* **Production Parity** - Ensure dev environments match production exactly
+* **Centralized Management** - Manage multiple clusters from one dashboard
+
+### How It Works
+
+#### Lapdev Kube Manager
+
+When you connect a cluster, Lapdev deploys a lightweight controller called **lapdev-kube-manager** inside your cluster.
+
+The kube-manager:
+
+* **Establishes secure connection** - Opens a WebSocket tunnel to Lapdev API Server (TLS encrypted)
+* **Reads production manifests** - Discovers Deployments, StatefulSets, ConfigMaps, Secrets, and Services
+* **Creates dev environments** - Replicates selected workloads into isolated or shared namespaces
+* **Handles traffic routing** - For branch environments, routes traffic to the correct version of services
+* **Manages synchronization** - Keeps environments updated with production changes
+
+**Security Model:**
+
+* Connection is **outbound-only** from your cluster (no inbound firewall rules needed)
+* Lapdev API Server **never** accesses your cluster's API server directly
+* Kube-manager has **read access** to production namespaces
+* Kube-manager has **full access** to Lapdev-managed namespaces only
+* Cannot access other cluster resources or namespaces
+
+#### Token-Based Authentication
+
+Each cluster is authenticated using a unique token:
+
+* Generated when you create the cluster in Lapdev dashboard
+* Used by kube-manager to establish the secure tunnel
+* Stored as a Kubernetes Secret in your cluster
+
+### Cluster Roles
+
+#### Source Cluster
+
+A **source cluster** is where Lapdev reads production manifests to create App Catalogs.
+
+* Typically your **staging** or **production** cluster
+* Contains the workloads you want to replicate in dev environments
+* Kube-manager reads manifests but doesn't modify them
+* You can designate any cluster as a source
+
+**Common setups:**
+* Use production cluster as source (safest, always up-to-date)
+* Use staging cluster as source (if staging mirrors production)
+* Use dedicated "template" cluster (for controlled rollout)
+
+#### Target Cluster
+
+A **target cluster** is where Lapdev deploys development environments.
+
+* Can be the same as your source cluster or different
+* Hosts all Personal, Shared, and Branch environments
+* Kube-manager creates and manages namespaces here
+* Choose based on resource availability and cost
+
+**Common setups:**
+* Same cluster as source (simplest, most common)
+* Dedicated dev cluster (isolates dev from production)
+* Multiple dev clusters (for different teams or regions)
+
+### Cluster Permissions
+
+Cluster permissions control **which types of environments** can be deployed to a cluster.
+
+#### Personal Environments Permission
+
+When enabled, developers can create **Personal Environments** in this cluster.
+
+* Each developer gets fully isolated namespaces
+* Higher resource usage (every dev runs complete app)
+* Best for: staging/dev clusters with sufficient resources
+
+**Enable when:**
+* Developers need full isolation for testing
+* Cluster has resources for multiple complete environments
+* You want individual developers to experiment freely
+
+#### Shared Environments Permission
+
+When enabled, admins can create **Shared Environments** and developers can create **Branch Environments** in this cluster.
+
+* Shared environments are team-wide baselines
+* Branch environments are lightweight personal modifications
+* Lower resource usage (shared baseline + modifications only)
+* Best for: cost-efficient development at scale
+
+**Enable when:**
+* Team uses branch environment workflow
+* You want cost-efficient development environments
+* Multiple developers work on the same application
+
+#### Permission Use Cases
+
+| Cluster Type | Personal | Shared | Use Case |
+|-------------|----------|---------|-----------|
+| Dev Cluster | ✅ | ✅ | Full flexibility for developers |
+| Staging Cluster | ❌ | ✅ | Team-wide testing baseline only |
+| Testing Cluster | ✅ | ❌ | Isolated testing environments |
+| Production | ❌ | ❌ | Source only, no dev environments |
+
+> You can change these permissions at any time in the cluster settings.
+
+### Relationship to Other Components
+
+Clusters are foundational to Lapdev's workflow:
+
+```
+Source Cluster
+    ↓ (provides manifests)
+App Catalog
+    ↓ (blueprint)
+Target Cluster
+    ↓ (deploys to)
+Environments (Personal/Shared/Branch)
+```
+
+| Component | Role with Clusters |
+|-----------|-------------------|
+| **Cluster** | Provides infrastructure and manifests |
+| **App Catalog** | Created by reading manifests from source cluster |
+| **Environment** | Deployed into target cluster using App Catalog |
+| **Kube Manager** | Runs inside cluster, bridges to Lapdev API |
+
+### Multiple Clusters
+
+You can connect multiple clusters to Lapdev for different purposes:
+
+**Common multi-cluster setups:**
+
+* **Source + Multiple Targets:**
+  - Production cluster (source only)
+  - Dev cluster A (target for team A)
+  - Dev cluster B (target for team B)
+
+* **Regional Separation:**
+  - US cluster (source + target)
+  - EU cluster (target only, for EU developers)
+
+* **Environment Segregation:**
+  - Staging cluster (source + shared environments)
+  - Dev cluster (personal environments only)
+
+Each cluster appears in your Lapdev dashboard with its own status, permissions, and environments.
+
+### Next Steps
+
+Ready to connect your cluster? See [**Connect Your Kubernetes Cluster**](../how-to-guides/connect-your-kubernetes-cluster.md) for step-by-step instructions.
diff --git a/docs/core-concepts/cluster.mdx b/docs/core-concepts/cluster.mdx
new file mode 100644
index 0000000..b3d24ff
--- /dev/null
+++ b/docs/core-concepts/cluster.mdx
@@ -0,0 +1 @@
+export { default } from "./cluster.md";
diff --git a/docs/core-concepts/devbox.md b/docs/core-concepts/devbox.md
new file mode 100644
index 0000000..c8dd0b7
--- /dev/null
+++ b/docs/core-concepts/devbox.md
@@ -0,0 +1,54 @@
+# Devbox
+
+**Devbox** is Lapdev’s local development companion — a CLI tool that connects your local machine directly to your Lapdev Kubernetes environment.
+
+It bridges the gap between _local iteration speed_ and _production realism_.
+
+### Why Devbox
+
+Developing in Kubernetes usually means slow feedback loops: rebuild, redeploy, and wait for pods to restart just to test a single change.\
+Devbox changes that by letting you **run your code locally while still connected to your real cluster environment**.
+
+This means:
+
+* You can test your app against live in-cluster services (databases, APIs, caches).
+* Cluster traffic can be routed to your local process for real-time debugging.
+* You no longer need complex port-forwarding, VPNs, or separate mock setups.
+
+### How It Works
+
+When you start Devbox inside a Lapdev environment:
+
+1. It authenticates with Lapdev and connects to your active environment’s namespace.
+2. It synchronizes local and cluster networking rules.
+3. It can optionally intercept service traffic and forward it to your local process.
+4. It provides seamless access to other workloads and in-cluster dependencies.
+
+> 💡 Devbox doesn't replace Kubernetes — it _extends_ it for developers.\
+> You keep your production topology and cluster configuration, but develop with local speed.
+
+### Core Capabilities
+
+* **Intercept Service Traffic:** Redirect in-cluster service requests to your local code.
+* **In-Cluster Connectivity:** Access internal APIs and databases as if you were inside the pod.
+* **Seamless IDE Debugging:** Run locally, attach debuggers, and see live logs.
+* **Compatible with All Environment Types:** Works with personal, shared, and branch environments.
+
+### How It Fits in the Lapdev Model
+
+| Concept         | Role                                                                   |
+| --------------- | ---------------------------------------------------------------------- |
+| **App Catalog** | Defines what your app consists of (the workloads).                     |
+| **Environment** | A running instance of that app in Kubernetes.                          |
+| **Devbox**      | Bridges your local machine with that environment for live development. |
+
+### When to Use Devbox
+
+* When you need fast feedback without redeploying to Kubernetes.
+* When debugging complex issues that depend on real cluster state.
+* When integrating or testing locally while keeping the rest of the system in-cluster.
+
+### Next Steps
+
+Ready to use Devbox? See [**Local Development with Devbox**](../how-to-guides/local-development-with-devbox.md) for setup instructions.
+
diff --git a/docs/core-concepts/devbox.mdx b/docs/core-concepts/devbox.mdx
new file mode 100644
index 0000000..415c022
--- /dev/null
+++ b/docs/core-concepts/devbox.mdx
@@ -0,0 +1 @@
+export { default } from "./devbox.md";
diff --git a/docs/core-concepts/environment.md b/docs/core-concepts/environment.md
new file mode 100644
index 0000000..a9b1608
--- /dev/null
+++ b/docs/core-concepts/environment.md
@@ -0,0 +1,140 @@
+# Environment
+
+The **Lapdev Kubernetes Environment** is the foundation of Lapdev’s platform. It’s where you **develop**, **test**, and **demo** your applications — all directly within Kubernetes.
+
+Lapdev’s unique strength is that it manages the **entire environment lifecycle** — from creation to synchronisation — in a seamless, automated way. You don’t need to manually manage YAML files, sync resources, or worry about configuration drift.
+
+### How It Works
+
+Environments are created from **App Catalogs**, which serve as blueprints for your application.
+
+When you create an environment:
+
+1. Select an existing App Catalog that defines your app's workloads
+2. Choose an environment type (Personal, Shared, or Branch)
+3. Lapdev deploys the workloads:
+   - Personal/Shared: into a dedicated namespace
+   - Branch: into the shared base environment's namespace
+4. ConfigMaps, Secrets, and Services are automatically included
+
+The result: a fully functional copy of your app that mirrors production exactly, with zero manual YAML management.
+
+> App Catalogs are created by reading production manifests directly from your cluster. Learn more about [**App Catalogs**](app-catalog.md).
+
+### Environment Types
+
+Lapdev supports three environment types, depending on your workflow and cost requirements:
+
+* **Personal Environments** — fully isolated, ideal for independent development
+* **Shared Environments** — team-wide baseline, ideal for integration testing
+* **Branch Environments** — lightweight personal modifications on shared foundation, ideal for large teams
+
+All types support **Devbox** for local development and debugging.
+
+#### 1. Personal Environments
+
+A **Personal Environment** is a completely isolated workspace for a single developer.
+
+Each personal environment runs in its **own Kubernetes namespace**, so:
+
+* One developer’s work never affects another’s.
+* Multiple environments can be created per developer (e.g., one per feature or bug fix).
+* You can switch between environments freely.
+
+Because every personal environment contains a **full set of workloads**, it guarantees total isolation — but that comes with higher resource usage.
+
+Lapdev helps mitigate this cost by allowing you to **pause and resume environments on demand**, automatically scaling down resources when you’re not using them.
+
+**Best for:**\
+Developers who need full isolation or want to test complex changes safely.
+
+#### 2. Shared Environments
+
+A **Shared Environment** is a team-wide baseline that runs a complete version of your app.
+
+* Created and managed by admins
+* Accessible by all team members
+* Acts as the foundation for branch environments
+* Ideal for integration testing or staging setups
+
+**Best for:**\
+Teams who need a stable, shared environment for testing or as a baseline for branch environments.
+
+#### 3. Branch Environments
+
+**Branch Environments** provide a cost-effective way to test changes by building on top of a shared environment.
+
+When you create a branch environment:
+
+* Initially, it references all workloads from the shared environment
+* Only when you modify a service does Lapdev create a branched copy
+* The branched copy runs alongside the shared version inside the shared environment's namespace, and Lapdev handles routing between them
+* Unmodified services continue using the shared environment
+* Multiple developers can work simultaneously without conflicts
+
+This Git-like branching model means:
+
+* **Near-instant creation** - no waiting for full environment deployment
+* **Minimal cost** - only run what you're changing (up to 88% infrastructure reduction)
+* **Realistic testing** - test against real production-like services, not mocks
+
+**How it works:**
+
+Lapdev uses intelligent traffic routing to direct requests to your branched services while everything else uses the shared baseline. This enables multiple developers to safely test changes in parallel.
+
+**Requirements:**
+
+* Services must communicate via HTTP/HTTPS
+* Your application must forward `tracestate` headers in service calls
+* Non-HTTP components (databases, message queues) remain shared
+
+**Best for:**\
+Large teams doing frequent feature development with cost efficiency in mind.
+
+> For technical details on routing, sidecar proxies, and header propagation, see [**Branch Environment Architecture**](architecture/branch-environment-architecture.md).
+
+### Local Development with Devbox
+
+All environment types support **Devbox**, Lapdev's CLI tool for local development.
+
+Devbox allows you to:
+
+* **Intercept cluster traffic** to your local machine for real-time debugging
+* Use your **local IDE** to edit, build, and debug as if running in the cluster
+* **Access in-cluster resources** (databases, caches, internal APIs) transparently
+
+When connected via Devbox, your local process integrates seamlessly with your environment. Other services automatically route traffic to your local instance, combining fast local iteration with accurate cluster integration.
+
+> Learn more about [**Devbox**](devbox.md) and how to use it.
+
+### Preview URLs
+
+Every Lapdev environment can expose one or more **Preview URLs** — public HTTPS endpoints for accessing or sharing your running services.
+
+Preview URLs are created **per service**. You choose which service to expose, and Lapdev automatically handles DNS, certificates, routing, and security.
+
+When requests come in through a Preview URL in a branch environment, Lapdev automatically manages the **`tracestate` header** to route traffic to the correct branch environment.
+
+> Learn more about [**Preview URLs**](preview-url.md).
+
+### Comparison
+
+| Feature         | Personal Environment                  | Shared Environment                   | Branch Environment              |
+| --------------- | ------------------------------------- | ------------------------------------ | ------------------------------- |
+| **Isolation**   | Fully isolated (per namespace)        | Shared by all team members           | Shared base, routed isolation   |
+| **Cost**        | Highest                               | Medium                               | Lowest                          |
+| **Ideal For**   | Deep testing, multi-service debugging | Integration testing, team staging    | Large teams, frequent branching |
+| **Performance** | Slower to start, full workloads       | Full workloads, shared infrastructure| Instant setup, minimal overhead |
+| **Access**      | Single developer                      | Entire team                          | Single developer (with shared base) |
+
+### Summary
+
+Lapdev Kubernetes Environments let you:
+
+* Reproduce production exactly, without manual setup
+* Stay notified when production changes - sync with one click when you're ready
+* Choose between **full isolation**, **team-wide sharing**, or **cost-efficient branching**
+* Use **Devbox** for fast, local-style development in Kubernetes
+* Collaborate efficiently with consistent, shareable environments
+
+Whether you're developing alone, testing as a team, or scaling across a large organization, Lapdev ensures every environment stays consistent, efficient, and production-accurate.
diff --git a/docs/core-concepts/environment.mdx b/docs/core-concepts/environment.mdx
new file mode 100644
index 0000000..78fdf5a
--- /dev/null
+++ b/docs/core-concepts/environment.mdx
@@ -0,0 +1 @@
+export { default } from "./environment.md";
diff --git a/docs/core-concepts/preview-url.md b/docs/core-concepts/preview-url.md
new file mode 100644
index 0000000..ac8f2e3
--- /dev/null
+++ b/docs/core-concepts/preview-url.md
@@ -0,0 +1,68 @@
+# Preview URL
+
+A **Preview URL** is a unique, automatically generated HTTPS endpoint that lets you access services in your Lapdev environment directly from the web — without any manual DNS or Ingress configuration.
+
+You can create Preview URLs for any environment type (**personal**, **shared**, or **branch**), exposing specific services for access and sharing.\
+This makes it easy to preview changes, share work with teammates, and test production-like behavior in real time.
+
+### Why Preview URLs
+
+In traditional Kubernetes setups, exposing your app for testing often means:
+
+* Creating or editing Ingress rules
+* Configuring DNS records
+* Managing TLS certificates
+* Waiting for ops to approve changes
+
+That’s slow, error-prone, and not scalable for dozens of developers or short-lived environments.
+
+Lapdev solves this with **automatic Preview URLs** — secure, per-environment endpoints that “just work.”
+
+### How It Works
+
+When you create a Preview URL for a service in your environment, Lapdev:
+
+1. Detects the service you want to expose (e.g. `frontend`, `api`, `gateway`)
+2. Automatically generates a unique HTTPS domain for that service
+3. Configures TLS certificates automatically — no `cert-manager`, DNS setup, or manual YAML needed
+4. Routes traffic through Lapdev's managed proxy layer directly to your service inside the cluster
+
+All routing and TLS termination are handled by Lapdev's control plane, so your cluster stays secure and simple.
+
+Each Preview URL is unique and automatically managed by Lapdev, making it safe to share with your team.
+
+### Access Control
+
+Preview URLs default to **Organization** access, but you can configure per Preview URL:
+
+* **Organization (default):** Only members of your Lapdev organization can access (after login)
+* **Public:** Anyone with the link can access without authentication
+
+Access settings are managed per Preview URL in the Lapdev dashboard.
+
+### Benefits
+
+✅ **Instant access:** No waiting for ops or configuring ingress.\
+✅ **Secure by default:** Auto-managed HTTPS and certificates.\
+✅ **Shareable:** Send links to PMs, QA, or teammates easily.\
+✅ **Isolated:** Each environment’s URL maps only to its own workloads.\
+✅ **Consistent:** Same domain and routing system across all environments.
+
+### How It Relates to Other Lapdev Components
+
+| Component       | Role                                                                        |
+| --------------- | --------------------------------------------------------------------------- |
+| **App Catalog** | Defines which workloads are part of the app.                                |
+| **Environment** | A running instance of the app in Kubernetes.                                |
+| **Preview URL** | Provides web access to that environment — with automatic routing and HTTPS. |
+
+### Usage Pattern
+
+Preview URLs make collaboration effortless:
+
+* Create an environment and expose the services you want to share
+* Lapdev generates secure HTTPS URLs automatically
+* Share URLs with teammates, QA, or stakeholders instantly
+* No infrastructure changes, ingress configuration, or firewall rules needed
+
+> For step-by-step instructions, see [**Use Preview URLs**](../how-to-guides/use-preview-urls.md).
diff --git a/docs/core-concepts/preview-url.mdx b/docs/core-concepts/preview-url.mdx
new file mode 100644
index 0000000..5bb3d59
--- /dev/null
+++ b/docs/core-concepts/preview-url.mdx
@@ -0,0 +1 @@
+export { default } from "./preview-url.md";
diff --git a/docs/docs.json b/docs/docs.json
new file mode 100644
index 0000000..49e93b9
--- /dev/null
+++ b/docs/docs.json
@@ -0,0 +1,44 @@
+{
+  "$schema": "https://mintlify.com/docs.json",
+  "name": "Lapdev Docs",
+  "description": "Guides, how-tos, and core concepts for operating Lapdev developer environments on Kubernetes.",
+  "theme": "maple",
+  "colors": {
+    "primary": "#3B82F6",
+    "light": "#F8FAFC",
+    "dark": "#0F172A"
+  },
+  "navigation": {
+    "groups": [
+      {
+        "group": "Introduction",
+        "pages": [
+          "index"
+        ]
+      },
+      {
+        "group": "How-to guides",
+        "pages": [
+          "how-to-guides/connect-your-kubernetes-cluster",
+          "how-to-guides/create-an-app-catalog",
+          "how-to-guides/create-lapdev-environment",
+          "how-to-guides/local-development-with-devbox",
+          "how-to-guides/use-preview-urls"
+        ]
+      },
+      {
+        "group": "Core concepts",
+        "pages": [
+          "core-concepts/architecture/index",
+          "core-concepts/architecture/traffic-routing-architecture",
+          "core-concepts/architecture/branch-environment-architecture",
+          "core-concepts/cluster",
+          "core-concepts/app-catalog",
+          "core-concepts/environment",
+          "core-concepts/devbox",
+          "core-concepts/preview-url"
+        ]
+      }
+    ]
+  }
+}
\ No newline at end of file
diff --git a/docs/how-to-guides/connect-your-kubernetes-cluster.md b/docs/how-to-guides/connect-your-kubernetes-cluster.md
new file mode 100644
index 0000000..9f49bb6
--- /dev/null
+++ b/docs/how-to-guides/connect-your-kubernetes-cluster.md
@@ -0,0 +1,66 @@
+# Connect Your Kubernetes Cluster
+
+This guide walks you through connecting your Kubernetes cluster to **Lapdev**, so Lapdev can manage development environments inside your cluster.
+
+> Read [**Cluster**](../core-concepts/cluster.md) to understand cluster roles, permissions, and how kube-manager works.
+
+### Create a Cluster in the Lapdev Dashboard
+
+1. Go to the Lapdev dashboard: [https://app.lap.dev](https://app.lap.dev)
+2. Navigate to **Clusters** → click **Create New Cluster**.
+3. Enter a **name** to identify your cluster (e.g. `staging-cluster` or `dev-cluster`).
+4. After creating it, you’ll see an **authentication token** and **installation instructions** for your cluster.
+
+Keep this token handy — it’s used to securely register your cluster with Lapdev.
+
+<figure><img src="../.gitbook/assets/Screenshot 2025-11-19 at 20-29-35 Lapdev Dashboard.png" alt=""><figcaption></figcaption></figure>
+
+### Install the Lapdev Kube Manager
+
+Run the install command shown in the dashboard, or apply the manifest manually:
+
+```bash
+kubectl apply -f "https://get.lap.dev/install/lapdev-kube-manager.yaml?token=<your-cluster-token>"
+```
+
+Replace `<your-cluster-token>` with the token generated when you created the cluster. The manifest creates the `lapdev` namespace (if needed), configures the required RBAC, and deploys the `lapdev-kube-manager` controller that securely connects your cluster to Lapdev.
+
+### Configure Cluster Permissions
+
+After the cluster is connected, configure which environment types can be deployed to this cluster:
+
+1. Go to the cluster details page in the dashboard
+2. Find the **Permissions** section
+3. Toggle permissions based on your needs:
+   * **Personal Environments** - Allow developers to create isolated environments
+   * **Shared Environments** - Allow team-wide baseline and branch environments
+
+You can change these settings at any time.
+
+> Learn more about cluster permissions and use cases in [**Cluster**](../core-concepts/cluster.md).
+
+### Verify Connection
+
+Once the installation is complete:
+
+* Go back to the **Clusters** page in the Lapdev dashboard.
+* Your cluster should appear in the list with a status of **Active**.
+
+If the status doesn’t update after a minute, double-check that:
+
+*   The `lapdev-kube-manager` pod is running:
+
+    ```bash
+    kubectl get pods -n lapdev
+    ```
+* Your network allows outbound HTTPS connections to `api.lap.dev`.
+
+### Next Steps
+
+Your cluster is now connected to Lapdev! 🎉
+
+You can start:
+
+* Creating an [App Catalog](create-an-app-catalog.md) from your cluster's workloads
+* Creating [Environments](create-lapdev-environment.md) from your App Catalog
+* Learn more about [Cluster concepts](../core-concepts/cluster.md) and architecture
diff --git a/docs/how-to-guides/connect-your-kubernetes-cluster.mdx b/docs/how-to-guides/connect-your-kubernetes-cluster.mdx
new file mode 100644
index 0000000..70a755c
--- /dev/null
+++ b/docs/how-to-guides/connect-your-kubernetes-cluster.mdx
@@ -0,0 +1 @@
+export { default } from "./connect-your-kubernetes-cluster.md";
diff --git a/docs/how-to-guides/create-an-app-catalog.md b/docs/how-to-guides/create-an-app-catalog.md
new file mode 100644
index 0000000..14e091b
--- /dev/null
+++ b/docs/how-to-guides/create-an-app-catalog.md
@@ -0,0 +1,74 @@
+# Create an App Catalog
+
+An **App Catalog** defines which workloads make up your application — it's the blueprint Lapdev uses to create development environments.
+
+This guide walks you through creating an App Catalog from your connected cluster.
+
+> To understand why App Catalogs exist and how they fit into Lapdev, read [**App Catalog**](../core-concepts/app-catalog.md) first.
+
+### Prerequisites
+
+Before creating an App Catalog, make sure:
+
+* You've connected at least one **Kubernetes cluster** to Lapdev.
+* The cluster you'll read workloads from shows as **Active** in the Lapdev dashboard.
+* The cluster contains the workloads you want to include (e.g. your production or staging workloads).
+
+> Don't have a cluster connected yet? See [**Connect Your Kubernetes Cluster**](connect-your-kubernetes-cluster.md).
+
+> 💡 The same cluster can be used later for both reading workloads **and** deploying environments.
+
+### Open the Cluster in the Dashboard
+
+1. Go to [https://app.lap.dev](https://app.lap.dev).
+2. Navigate to the **Clusters** tab.
+3. Click the cluster you want to use as the **source**.
+
+### Select Workloads
+
+Once inside the cluster details page:
+
+1. Lapdev lists all **workloads** (Deployments, StatefulSets, DaemonSets, etc.) discovered in the cluster.
+2. You can:
+   * Filter workloads by **Namespace** or **Workload Type**.
+   * Optionally check **Show System Workloads** to include system components.
+3. Select the workloads that make up your app.
+
+<figure><img src="../.gitbook/assets/Screenshot 2025-11-19 at 20-27-19 Lapdev Dashboard.png" alt=""><figcaption></figcaption></figure>
+
+
+
+### Create the App Catalog
+
+1. After selecting workloads, click **Create App Catalog**.
+2. In the dialog:
+   * Enter a **Name** for the catalog (e.g. `checkout-service`, `internal-tools`).
+   * Optionally add a **Description**.
+   * Review the list of selected workloads.
+3. Click **Create**.
+
+<figure><img src="../.gitbook/assets/Screenshot 2025-11-19 at 20-30-01 Lapdev Dashboard.png" alt=""><figcaption></figcaption></figure>
+
+Lapdev will create the catalog and register it in the **App Catalogs** section of your dashboard.
+
+> 💡 Don’t worry if you missed something — you can edit the catalog later to add or remove workloads.
+
+### Verify Your App Catalog
+
+1. Go to the **App Catalogs** tab in the dashboard.
+2. You’ll see your newly created catalog listed with:
+   * The **name** and **description**
+   * The **number of workloads** included
+   * The **source cluster**
+
+Click a catalog name to view its details.
+
+_Example screenshot:_
+
+### Next Steps
+
+Once your App Catalog is ready, you can:
+
+* Create a [Lapdev Environment](create-lapdev-environment.md) from it
+* Learn about [Environment types](../core-concepts/environment.md)
+* Understand [Cluster roles](../core-concepts/cluster.md) for multi-cluster setups
diff --git a/docs/how-to-guides/create-an-app-catalog.mdx b/docs/how-to-guides/create-an-app-catalog.mdx
new file mode 100644
index 0000000..2bd5ece
--- /dev/null
+++ b/docs/how-to-guides/create-an-app-catalog.mdx
@@ -0,0 +1 @@
+export { default } from "./create-an-app-catalog.md";
diff --git a/docs/how-to-guides/create-lapdev-environment.md b/docs/how-to-guides/create-lapdev-environment.md
new file mode 100644
index 0000000..2a0e731
--- /dev/null
+++ b/docs/how-to-guides/create-lapdev-environment.md
@@ -0,0 +1,76 @@
+# Create Lapdev Environment
+
+A **Lapdev Environment** is a running instance of your app inside a Kubernetes cluster.
+
+It's created from an existing **App Catalog**, which defines which workloads make up your application.
+
+This guide shows how to create **personal** and **shared** environments from an App Catalog, and how to create **branch** environments from a shared environment.
+
+> Read [**Environment**](../core-concepts/environment.md) to understand environment types and how they work.
+
+### Prerequisites
+
+Before creating an environment:
+
+* You must have at least one **connected Kubernetes cluster** (Active in the Lapdev dashboard).
+*   You must have an existing **App Catalog** that defines your app's workloads.
+
+    > If you haven't created one yet, see [**Create an App Catalog**](create-an-app-catalog.md).
+
+### Start from an App Catalog (Personal or Shared)
+
+1. Go to the **App Catalogs** tab in the Lapdev dashboard.
+2. Select the catalog you want to use as the base for your environment.
+3. Click **Create Environment**.
+
+<figure><img src="../.gitbook/assets/Screenshot 2025-11-19 at 20-28-39 Lapdev Dashboard.png" alt=""><figcaption></figcaption></figure>
+
+### Select Environment Type (Personal or Shared)
+
+Lapdev supports three environment types depending on your workflow and cost needs. When you create an environment from an App Catalog you can choose between:
+
+#### **Personal Environment**
+
+* A fully isolated copy of your app, deployed into a per-developer namespace.
+* Ideal for local testing, debugging, or experimentation without affecting others.
+
+#### **Shared Environment**
+
+* A single shared version of your app that multiple developers can access.
+* Useful for integration testing or a team staging setup.
+
+Branch environments are created from an existing shared environment. See the next section for that workflow.
+
+### Create a Branch Environment
+
+Branch environments reuse an existing shared environment as their baseline.
+
+1. Go to the **Environments** tab in the Lapdev dashboard.
+2. Open the shared environment you want to branch from.
+3. Click **Create Branch Environment**.
+4. Select the services you plan to modify and provide a name/description for the branch.
+5. Click **Create**.
+
+Only the services you modify are duplicated alongside the shared workloads in the same namespace; everything else continues to run on the shared versions.
+
+> 🧠 Use **branch environments** for feature work — they're lightweight, fast to spin up, and cost-efficient.
+
+### Verify and Access Your Environment
+
+After creation:
+
+* The environment will appear in the **Environments** list.
+* Lapdev automatically provisions:
+  * All workloads from the App Catalog
+  * Associated ConfigMaps, Secrets, and Services
+  * Kubernetes namespace and networking
+
+You can monitor status, logs, and sync state directly from the dashboard.
+
+### Next Steps
+
+Your environment is ready! You can now:
+
+* Create [Preview URLs](use-preview-urls.md) for HTTPS access to your services
+* Use [Devbox](local-development-with-devbox.md) to connect locally for live debugging
+* Learn more about [Environments](../core-concepts/environment.md)
diff --git a/docs/how-to-guides/create-lapdev-environment.mdx b/docs/how-to-guides/create-lapdev-environment.mdx
new file mode 100644
index 0000000..873ac0a
--- /dev/null
+++ b/docs/how-to-guides/create-lapdev-environment.mdx
@@ -0,0 +1 @@
+export { default } from "./create-lapdev-environment.md";
diff --git a/docs/how-to-guides/local-development-with-devbox.md b/docs/how-to-guides/local-development-with-devbox.md
new file mode 100644
index 0000000..9996bd0
--- /dev/null
+++ b/docs/how-to-guides/local-development-with-devbox.md
@@ -0,0 +1,87 @@
+# Local Development With Devbox
+
+This guide shows how to set up and use **Devbox** for local development with your Lapdev environments.
+
+> Read [**Devbox**](../core-concepts/devbox.md) to understand what it does and when to use it.
+
+### Prerequisites
+
+Before using Devbox, you need:
+
+* **Lapdev CLI installed** - Devbox is built into the `lapdev` command
+* **An active Lapdev environment** - Personal, shared, or branch environment
+
+### Install the Lapdev CLI
+
+Run one of the following commands based on your operating system.
+
+#### Linux or macOS
+
+```bash
+curl -fsSL https://get.lap.dev/lapdev-cli.sh | bash
+```
+
+This script detects your architecture, downloads the latest release, and places the `lapdev` binary in `/usr/local/bin` (or `~/.local/bin` if needed). Re-run it at any time to upgrade or pass `--version <x.y.z>` to pin a specific build.
+
+#### Windows PowerShell
+
+```powershell
+irm https://get.lap.dev/lapdev-cli.ps1 | iex
+```
+
+Run the command in an elevated PowerShell window if your execution policy requires it. The installer copies `lapdev.exe` into `%LOCALAPPDATA%\Lapdev\bin` and appends that directory to your user `PATH`. Restart your shell (or VS Code terminal) after installation so the new path is picked up.
+
+After installing, verify everything is ready with:
+
+```bash
+lapdev --version
+```
+
+### Connect to Lapdev
+
+First, connect your Devbox CLI to Lapdev:
+
+```bash
+lapdev devbox connect
+```
+
+This establishes a secure connection between your local machine and Lapdev.
+
+### Set Active Environment
+
+After connecting, set which environment you want to work with in the Lapdev dashboard:
+
+1. Go to the **Environments** tab
+2. Select the environment you want to use
+3. Click **Set as Active Environment**
+
+Once set, all traffic interception and service access will route through this active environment.
+
+### Intercept a Service
+
+Once connected, you can intercept traffic for a specific workload through the Lapdev dashboard:
+
+1. Open your environment in the Lapdev dashboard
+2. Stay on (or switch to) the **Workloads** tab
+3. Locate the workload that owns the service you want to intercept (e.g., `checkout-service`)
+4. Click **Start Intercept** inside that workload’s row
+
+Lapdev automatically mirrors each container port, reusing any overrides from your most recent intercept. If you need custom local ports after starting the intercept, use the **Edit Ports** button on the intercept card and update the mappings there.
+
+<figure><img src="../.gitbook/assets/Screenshot 2025-11-19 at 20-31-07 Lapdev Dashboard.png" alt=""><figcaption></figcaption></figure>
+
+After enabling interception:
+
+* All cluster traffic for that service routes to your local machine
+* You can make edits, hot-reload, or debug directly in your IDE
+* Other services in the cluster remain unaffected
+
+### Access In-Cluster Services
+
+While connected via Devbox, you can access any service in your environment using their cluster DNS names (e.g., `postgres-service:5432`, `redis-service:6379`) directly from your local code. Devbox handles the tunneling automatically — no port forwarding or VPN needed.
+
+### Next Steps
+
+* Learn more about [Devbox architecture](../core-concepts/devbox.md)
+* Understand [traffic routing](../core-concepts/architecture/traffic-routing-architecture.md)
+* Create [preview URLs](use-preview-urls.md) to share your work
diff --git a/docs/how-to-guides/local-development-with-devbox.mdx b/docs/how-to-guides/local-development-with-devbox.mdx
new file mode 100644
index 0000000..c259579
--- /dev/null
+++ b/docs/how-to-guides/local-development-with-devbox.mdx
@@ -0,0 +1 @@
+export { default } from "./local-development-with-devbox.md";
diff --git a/docs/how-to-guides/use-preview-urls.md b/docs/how-to-guides/use-preview-urls.md
new file mode 100644
index 0000000..25fe832
--- /dev/null
+++ b/docs/how-to-guides/use-preview-urls.md
@@ -0,0 +1,102 @@
+# Use Preview URLs
+
+Lapdev lets you create **Preview URLs** for your environments so you can securely access and share running services — without setting up DNS, ingress, or TLS certificates manually.
+
+Each Preview URL points to a specific **service** inside your environment (for example, your `frontend`, `api-gateway`, or `admin` service).\
+You can create multiple Preview URLs per environment, each targeting a different service.
+
+> Read [**Preview URL**](../core-concepts/preview-url.md) to understand what they are and why they're useful.
+
+### Prerequisites
+
+Before you begin:
+
+* You must have at least one **active environment** in Lapdev (personal, shared, or branch).
+* The environment must show a status of **Active** in the Lapdev dashboard.
+* Your app must expose at least one **Service** in Kubernetes.
+
+### Create a Preview URL
+
+1. Open the Lapdev dashboard: [https://app.lap.dev](https://app.lap.dev)
+2. Go to the **Environments** tab.
+3. Select the environment you want to create a preview for.
+4. In the environment details page, scroll to the **Preview URLs** section.
+5.  Click **Create Preview URL**.
+
+    _Example screenshot:_\\
+6. In the **Create Preview URL** dialog:
+   * Choose the **Service** you want this URL to point to (for example, `frontend`, `api-gateway`, or `admin`).
+   * Optionally, enter a **Description** (e.g., “Frontend QA demo”).
+   * Select the **Access Level** (`Organization` by default, or `Public`).
+7. Click **Create**.
+
+<figure><img src="../.gitbook/assets/Screenshot 2025-11-19 at 20-30-23 Lapdev Dashboard.png" alt=""><figcaption></figcaption></figure>
+
+Lapdev will:
+
+* Automatically generate a unique HTTPS domain for the selected service
+* Handle routing, DNS, and TLS certificates for that URL
+* Route traffic directly to the selected service inside your environment
+
+### View and Open Preview URLs
+
+Once created:
+
+* All Preview URLs for the environment appear in the **Preview URLs** section.
+* Each entry lists:
+  * The **Service name** it targets
+  * The **URL** itself
+  * The **Access level** (`Organization` or `Public`)
+
+Click the URL to open it in your browser.
+
+### Share the Preview URL
+
+You can safely share a Preview URL with:
+
+* Teammates or QA engineers for quick testing
+* PMs or designers for feature reviews
+* Automated test systems for integration runs
+
+Just copy and share the link — no VPN, firewall, or cluster access needed.
+
+> 💡 Tip: You can create multiple Preview URLs in the same environment if your app exposes multiple services (e.g., `frontend`, `admin`, `gateway`).
+
+### Manage Access Control
+
+Each Preview URL has its own access policy.
+
+To update it:
+
+1. In the **Preview URLs** section, click the settings icon next to a URL.
+2. Choose who can access it:
+   * **Organization (recommended, default):** Only authenticated Lapdev users can view.
+   * **Public:** Anyone with the link can view.
+   * _(Coming soon)_ **Custom rules** for organization-level access.
+3. Click **Save**.
+
+> 🔒 Use organization access for internal branches or unreleased features.
+
+### Delete a Preview URL
+
+To remove a Preview URL:
+
+1. Go to the **Preview URLs** section of your environment.
+2. Click the **Delete** icon next to the URL.
+3. Confirm deletion.
+
+Deleting a Preview URL does **not** affect the environment or its workloads — it only removes that specific public endpoint.
+
+### Troubleshooting
+
+| Issue                    | Possible Cause                            | Solution                                                 |
+| ------------------------ | ----------------------------------------- | -------------------------------------------------------- |
+| Service not listed       | The service has no exposed port           | Check that the Kubernetes Service defines a valid `port` |
+| Preview URL doesn’t open | Service not ready or endpoint unreachable | Verify pods and services are running                     |
+| HTTPS warning            | Certificate still propagating             | Wait 30–60 seconds; Lapdev handles TLS automatically     |
+
+### Next Steps
+
+* Learn more about [Preview URLs](../core-concepts/preview-url.md) and how they work internally
+* Use [Devbox](local-development-with-devbox.md) for real-time debugging connected to your environment
+* Explore [App Catalogs](create-an-app-catalog.md) to define which workloads appear in your environments
diff --git a/docs/how-to-guides/use-preview-urls.mdx b/docs/how-to-guides/use-preview-urls.mdx
new file mode 100644
index 0000000..b1a21f3
--- /dev/null
+++ b/docs/how-to-guides/use-preview-urls.mdx
@@ -0,0 +1 @@
+export { default } from "./use-preview-urls.md";
diff --git a/docs/images/architecture.svg b/docs/images/architecture.svg
new file mode 100644
index 0000000..331d63b
--- /dev/null
+++ b/docs/images/architecture.svg
@@ -0,0 +1,8 @@
+<svg version="1.1" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 1321.5272813140255 649.2932293019985" width="2643.054562628051" height="1298.586458603997"><symbol id="image-04f28670dff6fd1042c3404f1cdf3fc1d3e0ce96"><image width="100%" height="100%" href="data:image/svg+xml;base64,PHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIGNsYXNzPSJ3LTEwIGgtMTAgbXItNCIgZmlsbD0iY3VycmVudENvbG9yIiB2aWV3Qm94PSIwIDAgMTAyNCAxMDI0IiB3aWR0aD0iMTAyNCIgaGVpZ2h0PSIxMDI0Ij48cGF0aCBkPSJNNTEyIDBDMzkwLjc1OSAwIDI3OS40MjYgNDIuMjIyNyAxOTEuNzE5IDExMi42NTZMMTkxLjcxOSA2MTJMMzUxLjcxOSA2MTJMMzUxLjcxOSAzMzJMNDIyIDMzMkw0MzEuNzE5IDMzMkw0MzEuNzE5IDMzMi4zNDRDNDg4LjE2OSAzMzQuMTI3IDU0MS4yNDkgMzUxLjEzOCA1ODEuODc1IDM4MC42MjVDNjI3LjU5MSA0MTMuODA2IDY1NC44NzUgNDYwLjYzMyA2NTQuODc1IDUxMkM2NTQuODc1IDU2My4zNjcgNjI3LjU5MSA2MTAuMTk0IDU4MS44NzUgNjQzLjM3NUM1NDEuMjQ5IDY3Mi44NjIgNDg4LjE2OSA2ODkuODczIDQzMS43MTkgNjkxLjY1Nkw0MzEuNzE5IDEwMTcuNjlDNDU3Ljg4IDEwMjEuODEgNDg0LjY4IDEwMjQgNTEyIDEwMjRDNzk0Ljc3IDEwMjQgMTAyNCA3OTQuNzcgMTAyNCA1MTJDMTAyNCAyMjkuMjMgNzk0Ljc3IDAgNTEyIDBaTTExMS43MTkgMTkyLjkwNkM0MS44NTM5IDI4MC40MzIgMCAzOTEuMzAzIDAgNTEyQzAgNzM4Ljc2NiAxNDcuNDg3IDkzMC45NiAzNTEuNzE5IDk5OC4yNUwzNTEuNzE5IDY5MkwxNTEuNzE5IDY5MkwxNTEuNzE5IDY5MS44NDRMMTExLjcxOSA2OTEuODQ0TDExMS43MTkgMTkyLjkwNlpNNzM4LjIxOSAzNzJDNzQxLjU5NyAzNzIuMTA3IDc0NS4wNDIgMzczLjAyIDc0OC4zMTIgMzc0LjgxMkw5NDYuMjgxIDQ4My4zMTJDOTUyLjMxMSA0ODYuNjE2IDk1Ni42OTIgNDkyLjM5MyA5NTkuMTg4IDQ5OS4xNTZDOTU5LjgyMSA1MDAuODc0IDk2MC4zMTcgNTAyLjY0MSA5NjAuNjg4IDUwNC40NjlDOTYwLjc2NCA1MDQuODM0IDk2MC44NDEgNTA1LjE5NiA5NjAuOTA2IDUwNS41NjJDOTYxLjEyIDUwNi44MDcgOTYxLjIyNSA1MDguMDcxIDk2MS4zMTIgNTA5LjM0NEM5NjEuMzc4IDUxMC4yMzUgOTYxLjQ5OCA1MTEuMTEyIDk2MS41IDUxMkM5NjEuNDk4IDUxMi44ODggOTYxLjM3OCA1MTMuNzY1IDk2MS4zMTIgNTE0LjY1NkM5NjEuMjI2IDUxNS45MjkgOTYxLjEyIDUxNy4xOTMgOTYwLjkwNiA1MTguNDM4Qzk2MC44NDEgNTE4LjgwNCA5NjAuNzY0IDUxOS4xNjYgOTYwLjY4OCA1MTkuNTMxQzk2MC4zMTcgNTIxLjM1OSA5NTkuODIxIDUyMy4xMjYgOTU5LjE4OCA1MjQuODQ0Qzk1Ni42OTIgNTMxLjYwOCA5NTIuMzExIDUzNy4zODQgOTQ2LjI4MSA1NDAuNjg4TDc0OC4zMTIgNjQ5LjE4OEM3MzUuMjMyIDY1Ni4zNTUgNzE5LjgxOCA2NDkuMzY3IDcxMy44NzUgNjMzLjU5NEM3MDcuOTMyIDYxNy44MiA3MTMuNyA1OTkuMjMgNzI2Ljc4MSA1OTIuMDYyTDg3Mi44NzUgNTEyTDcyNi43ODEgNDMxLjkzOEM3MTMuNyA0MjQuNzcxIDcwNy45MzIgNDA2LjE4IDcxMy44NzUgMzkwLjQwNkM3MTguMzMyIDM3OC41NzYgNzI4LjA4NSAzNzEuNjc4IDczOC4yMTkgMzcyWk00MzEuNzE5IDQxMi4zNDRMNDMxLjcxOSA2MTEuNjU2QzUxMy41NiA2MDguMjA4IDU3NC44NzUgNTYxLjk4NSA1NzQuODc1IDUxMkM1NzQuODc1IDQ2Mi4wMTUgNTEzLjU2IDQxNS43OTIgNDMxLjcxOSA0MTIuMzQ0WiIvPjxwYXRoIGQ9Ik03NDIgNDAzLjY4OEM3NDAuMDYyIDQwMy40ODMgNzM4LjA5NyA0MDQuNDM4IDczNy4wOTQgNDA2LjI1QzczNS43NTYgNDA4LjY2NiA3MzYuNjE1IDQxMS42OTQgNzM5LjAzMSA0MTMuMDMxTDkyNS43MTkgNTE2LjM3NUM5MjguMTM1IDUxNy43MTIgOTMxLjE5NCA1MTYuODIyIDkzMi41MzEgNTE0LjQwNkM5MzMuODY5IDUxMS45OSA5MzIuOTc5IDUwOC45NjIgOTMwLjU2MiA1MDcuNjI1TDc0My44NzUgNDA0LjI4MUM3NDMuMjcxIDQwMy45NDcgNzQyLjY0NiA0MDMuNzU2IDc0MiA0MDMuNjg4WiIvPjxwYXRoIGQ9Ik05MjcuNSA1MDcuMDMxQzkyNi44NTYgNTA3LjExNSA5MjYuMjIxIDUwNy4zMzkgOTI1LjYyNSA1MDcuNjg4TDczOC45MzggNjE2LjkwNkM3MzYuNTU0IDYxOC4zMDEgNzM1Ljc2MiA2MjEuMzM1IDczNy4xNTYgNjIzLjcxOUM3MzguNTUxIDYyNi4xMDIgNzQxLjYxNiA2MjYuOTI2IDc0NCA2MjUuNTMxTDkzMC42ODggNTE2LjMxMkM5MzMuMDcxIDUxNC45MTggOTMzLjg2MyA1MTEuODUyIDkzMi40NjkgNTA5LjQ2OUM5MzEuNDIzIDUwNy42ODEgOTI5LjQzMiA1MDYuNzggOTI3LjUgNTA3LjAzMVoiLz48L3N2Zz4="/></symbol><symbol id="image-2b10442303d643dca388433f79fbdc5627ede668"><image width="100%" height="100%" href="data:image/svg+xml;base64,PHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHdpZHRoPSIyNCIgaGVpZ2h0PSIyNCIgdmlld0JveD0iMCAwIDI0IDI0IiBmaWxsPSJub25lIiBzdHJva2U9ImN1cnJlbnRDb2xvciIgc3Ryb2tlLXdpZHRoPSIyIiBzdHJva2UtbGluZWNhcD0icm91bmQiIHN0cm9rZS1saW5lam9pbj0icm91bmQiIGNsYXNzPSJsdWNpZGUgbHVjaWRlLWNoZXZyb25zLWxlZnQtcmlnaHQtZWxsaXBzaXMtaWNvbiBsdWNpZGUtY2hldnJvbnMtbGVmdC1yaWdodC1lbGxpcHNpcyI+PHBhdGggZD0iTTEyIDEyaC4wMSIvPjxwYXRoIGQ9Ik0xNiAxMmguMDEiLz48cGF0aCBkPSJtMTcgNyA1IDUtNSA1Ii8+PHBhdGggZD0ibTcgNy01IDUgNSA1Ii8+PHBhdGggZD0iTTggMTJoLjAxIi8+PC9zdmc+"/></symbol><symbol id="image-16a008902a4fc9df48f908e5018bd01b47a4a0c9"><image width="100%" height="100%" href="data:image/svg+xml;base64,PHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHdpZHRoPSIyNCIgaGVpZ2h0PSIyNCIgdmlld0JveD0iMCAwIDI0IDI0IiBmaWxsPSJub25lIiBzdHJva2U9ImN1cnJlbnRDb2xvciIgc3Ryb2tlLXdpZHRoPSIwLjEiIHN0cm9rZS1saW5lY2FwPSJyb3VuZCIgc3Ryb2tlLWxpbmVqb2luPSJyb3VuZCIgY2xhc3M9Imljb24gaWNvbi10YWJsZXIgaWNvbnMtdGFibGVyLW91dGxpbmUgaWNvbi10YWJsZXItY2xvdWQiPjxwYXRoIHN0cm9rZT0ibm9uZSIgZD0iTTAgMGgyNHYyNEgweiIgZmlsbD0ibm9uZSIvPjxwYXRoIGQ9Ik02LjY1NyAxOGMtMi41NzIgMCAtNC42NTcgLTIuMDA3IC00LjY1NyAtNC40ODNjMCAtMi40NzUgMi4wODUgLTQuNDgyIDQuNjU3IC00LjQ4MmMuMzkzIC0xLjc2MiAxLjc5NCAtMy4yIDMuNjc1IC0zLjc3M2MxLjg4IC0uNTcyIDMuOTU2IC0uMTkzIDUuNDQ0IDFjMS40ODggMS4xOSAyLjE2MiAzLjAwNyAxLjc3IDQuNzY5aC45OWMxLjkxMyAwIDMuNDY0IDEuNTYgMy40NjQgMy40ODZjMCAxLjkyNyAtMS41NTEgMy40ODcgLTMuNDY1IDMuNDg3aC0xMS44NzgiLz48L3N2Zz4="/></symbol><symbol id="image-9d2f28049a8a90ddebd6f916b59a887ae5df33f6"><image width="100%" height="100%" href="data:image/svg+xml;base64,PHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHdpZHRoPSIyNCIgaGVpZ2h0PSIyNCIgdmlld0JveD0iMCAwIDI0IDI0IiBmaWxsPSJub25lIiBzdHJva2U9ImN1cnJlbnRDb2xvciIgc3Ryb2tlLXdpZHRoPSIyIiBzdHJva2UtbGluZWNhcD0icm91bmQiIHN0cm9rZS1saW5lam9pbj0icm91bmQiIGNsYXNzPSJsdWNpZGUgbHVjaWRlLWdsb2JlLWljb24gbHVjaWRlLWdsb2JlIj48Y2lyY2xlIGN4PSIxMiIgY3k9IjEyIiByPSIxMCIvPjxwYXRoIGQ9Ik0xMiAyYTE0LjUgMTQuNSAwIDAgMCAwIDIwIDE0LjUgMTQuNSAwIDAgMCAwLTIwIi8+PHBhdGggZD0iTTIgMTJoMjAiLz48L3N2Zz4="/></symbol><symbol id="image-1fc42860614cb7357b66c1964aa081366cd82698"><image width="100%" height="100%" href="data:image/svg+xml;base64,PHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHdpZHRoPSIyNCIgaGVpZ2h0PSIyNCIgdmlld0JveD0iMCAwIDI0IDI0IiBmaWxsPSJub25lIiBzdHJva2U9ImN1cnJlbnRDb2xvciIgc3Ryb2tlLXdpZHRoPSIyIiBzdHJva2UtbGluZWNhcD0icm91bmQiIHN0cm9rZS1saW5lam9pbj0icm91bmQiIGNsYXNzPSJsdWNpZGUgbHVjaWRlLWNvbXB1dGVyLWljb24gbHVjaWRlLWNvbXB1dGVyIj48cmVjdCB3aWR0aD0iMTQiIGhlaWdodD0iOCIgeD0iNSIgeT0iMiIgcng9IjIiLz48cmVjdCB3aWR0aD0iMjAiIGhlaWdodD0iOCIgeD0iMiIgeT0iMTQiIHJ4PSIyIi8+PHBhdGggZD0iTTYgMThoMiIvPjxwYXRoIGQ9Ik0xMiAxOGg2Ii8+PC9zdmc+"/></symbol><symbol id="image-92a881e3924c72134888938407657fee82e47e5c"><image width="100%" height="100%" href="data:image/svg+xml;base64,PHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHdpZHRoPSIyNCIgaGVpZ2h0PSIyNCIgdmlld0JveD0iMCAwIDI0IDI0IiBmaWxsPSJub25lIiBzdHJva2U9ImN1cnJlbnRDb2xvciIgc3Ryb2tlLXdpZHRoPSIyIiBzdHJva2UtbGluZWNhcD0icm91bmQiIHN0cm9rZS1saW5lam9pbj0icm91bmQiIGNsYXNzPSJsdWNpZGUgbHVjaWRlLXNoaWVsZC1jaGVjay1pY29uIGx1Y2lkZS1zaGllbGQtY2hlY2siPjxwYXRoIGQ9Ik0yMCAxM2MwIDUtMy41IDcuNS03LjY2IDguOTVhMSAxIDAgMCAxLS42Ny0uMDFDNy41IDIwLjUgNCAxOCA0IDEzVjZhMSAxIDAgMCAxIDEtMWMyIDAgNC41LTEuMiA2LjI0LTIuNzJhMS4xNyAxLjE3IDAgMCAxIDEuNTIgMEMxNC41MSAzLjgxIDE3IDUgMTkgNWExIDEgMCAwIDEgMSAxeiIvPjxwYXRoIGQ9Im05IDEyIDIgMiA0LTQiLz48L3N2Zz4="/></symbol><symbol id="image-1eb35412189527b20624c29b9912c61108c16757"><image width="100%" height="100%" href="data:image/svg+xml;base64,PHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHdpZHRoPSIyNCIgaGVpZ2h0PSIyNCIgdmlld0JveD0iMCAwIDI0IDI0IiBmaWxsPSJub25lIiBzdHJva2U9ImN1cnJlbnRDb2xvciIgc3Ryb2tlLXdpZHRoPSIyIiBzdHJva2UtbGluZWNhcD0icm91bmQiIHN0cm9rZS1saW5lam9pbj0icm91bmQiIGNsYXNzPSJpY29uIGljb24tdGFibGVyIGljb25zLXRhYmxlci1vdXRsaW5lIGljb24tdGFibGVyLWJveCI+PHBhdGggc3Ryb2tlPSJub25lIiBkPSJNMCAwaDI0djI0SDB6IiBmaWxsPSJub25lIi8+PHBhdGggZD0iTTEyIDNsOCA0LjVsMCA5bC04IDQuNWwtOCAtNC41bDAgLTlsOCAtNC41Ii8+PHBhdGggZD0iTTEyIDEybDggLTQuNSIvPjxwYXRoIGQ9Ik0xMiAxMmwwIDkiLz48cGF0aCBkPSJNMTIgMTJsLTggLTQuNSIvPjwvc3ZnPg=="/></symbol><symbol id="image-60b076cb044084e59e74d2b41f84159dcede0ddd"><image width="100%" height="100%" href="data:image/svg+xml;base64,PHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHdpZHRoPSI4MDBweCIgaGVpZ2h0PSI4MDBweCIgdmlld0JveD0iMCAtMTAuNDQgNzIyLjg0NiA3MjIuODQ2Ij48cGF0aCBkPSJNMzU4Ljk4NiAxMC4wNmE0Ni43MjUgNDYuMzQyIDAgMDAtMTcuOTA2IDQuNTMxTDk2LjczNiAxMzEuMzQxYTQ2LjcyNSA0Ni4zNDIgMCAwMC0yNS4yOCAzMS40MzhsLTYwLjI4MiAyNjIuMjVhNDYuNzI1IDQ2LjM0MiAwIDAwNi4zNDQgMzUuNTMxIDQ2LjcyNSA0Ni4zNDIgMCAwMDIuNjU2IDMuNjg4bDE2OS4xMjUgMjEwLjI4YTQ2LjcyNSA0Ni4zNDIgMCAwMDM2LjUzMSAxNy40MzhsMjcxLjIxOS0uMDYyYTQ2LjcyNSA0Ni4zNDIgMCAwMDM2LjUzMS0xNy40MDZsMTY5LjA2My0yMTAuMzEzYTQ2LjcyNSA0Ni4zNDIgMCAwMDkuMDMtMzkuMjE5TDY1MS4zIDE2Mi43MTZhNDYuNzI1IDQ2LjM0MiAwIDAwLTI1LjI4MS0zMS40MzdMMzgxLjY0MyAxNC41OWE0Ni43MjUgNDYuMzQyIDAgMDAtMjIuNjU3LTQuNTN6IiBmaWxsPSIjMzI2Y2U1Ii8+PHBhdGggZD0iTTM2MS40MDggOTkuMzA3Yy04LjA3Ny4wMDEtMTQuNjI2IDcuMjc2LTE0LjYyNSAxNi4yNSAwIC4xMzguMDI4LjI3LjAzLjQwNi0uMDExIDEuMjItLjA3IDIuNjg5LS4wMyAzLjc1LjE5MiA1LjE3NiAxLjMyIDkuMTM4IDIgMTMuOTA3IDEuMjMgMTAuMjA2IDIuMjYgMTguNjY3IDEuNjI1IDI2LjUzMS0uNjIgMi45NjUtMi44MDMgNS42NzctNC43NSA3LjU2MmwtLjM0NCA2LjE4OGExOTAuMzM3IDE5MC4zMzcgMCAwMC0yNi40MzggNC4wNjJjLTM3Ljk3NCA4LjYyMy03MC42NyAyOC4xODQtOTUuNTYyIDU0LjU5NGEyNDUuMTY3IDI0NS4xNjcgMCAwMS01LjI4MS0zLjc1Yy0yLjYxMi4zNTMtNS4yNSAxLjE1OS04LjY4OC0uODQ0LTYuNTQ1LTQuNDA1LTEyLjUwNi0xMC40ODYtMTkuNzE5LTE3LjgxMi0zLjMwNS0zLjUwNC01LjY5OC02Ljg0MS05LjYyNS0xMC4yMTktLjg5MS0uNzY3LTIuMjUyLTEuODA0LTMuMjUtMi41OTQtMy4wNy0yLjQ0Ny02LjY5LTMuNzI0LTEwLjE4Ny0zLjg0My00LjQ5Ni0uMTU0LTguODI0IDEuNjA0LTExLjY1NiA1LjE1Ni01LjAzNiA2LjMxNS0zLjQyNCAxNS45NjggMy41OTMgMjEuNTYyLjA3MS4wNTcuMTQ3LjEwMS4yMTkuMTU3Ljk2NC43ODEgMi4xNDUgMS43ODMgMy4wMzEgMi40MzcgNC4xNjcgMy4wNzcgNy45NzMgNC42NTIgMTIuMTI1IDcuMDk0IDguNzQ3IDUuNDAyIDE1Ljk5OSA5Ljg4IDIxLjc1IDE1LjI4MSAyLjI0NiAyLjM5NCAyLjYzOSA2LjYxMyAyLjkzOCA4LjQzOGw0LjY4NyA0LjE4N2MtMjUuMDkzIDM3Ljc2NC0zNi43MDcgODQuNDEtMjkuODQzIDEzMS45MzhsLTYuMTI1IDEuNzgxYy0xLjYxNSAyLjA4NS0zLjg5NiA1LjM2NS02LjI4MiA2LjM0NC03LjUyNSAyLjM3LTE1Ljk5NCAzLjI0LTI2LjIxOCA0LjMxMi00LjguNC04Ljk0My4xNjEtMTQuMDMyIDEuMTI1LTEuMTIuMjEyLTIuNjguNjE5LTMuOTA2LjkwNmwtLjEyNS4wMzJjLS4wNjcuMDE1LS4xNTUuMDQ4LS4yMTkuMDYyLTguNjIgMi4wODMtMTQuMTU3IDEwLjAwNi0xMi4zNzUgMTcuODEzIDEuNzgzIDcuODA4IDEwLjIwMyAxMi41NTYgMTguODc1IDEwLjY4Ny4wNjMtLjAxNC4xNTQtLjAxNy4yMTktLjAzMS4wOTgtLjAyMi4xODQtLjA3LjI4MS0uMDk0IDEuMjEtLjI2NSAyLjcyNC0uNTYgMy43ODItLjg0MyA1LjAwMy0xLjM0IDguNjI2LTMuMzA4IDEzLjEyNS01LjAzMiA5LjY3Ni0zLjQ3IDE3LjY5MS02LjM3IDI1LjUtNy41IDMuMjYtLjI1NSA2LjY5NyAyLjAxMiA4LjQwNiAyLjk2OWw2LjM3NS0xLjA5NGMxNC42NyA0NS40ODMgNDUuNDE0IDgyLjI0NSA4NC4zNDQgMTA1LjMxM2wtMi42NTcgNi4zNzVjLjk1OCAyLjQ3NSAyLjAxNCA1LjgyNCAxLjMgOC4yNy0yLjgzOCA3LjM2LTcuNyAxNS4xMy0xMy4yMzcgMjMuNzkyLTIuNjgxIDQuMDAyLTUuNDI1IDcuMTA4LTcuODQ0IDExLjY4OC0uNTc5IDEuMDk2LTEuMzE2IDIuNzgtMS44NzUgMy45MzctMy43NTkgOC4wNDMtMS4wMDIgMTcuMzA1IDYuMjE5IDIwLjc4MiA3LjI2NiAzLjQ5NyAxNi4yODQtLjE5MiAyMC4xODctOC4yNS4wMDYtLjAxMi4wMjYtLjAyLjAzMS0uMDMyLjAwNC0uMDA5LS4wMDQtLjAyMiAwLS4wMy41NTYtMS4xNDMgMS4zNDQtMi42NDUgMS44MTMtMy43MiAyLjA3Mi00Ljc0NyAyLjc2Mi04LjgxNSA0LjIxOS0xMy40MDYgMy44Ny05LjcyIDUuOTk1LTE5LjkxOSAxMS4zMjItMjYuMjc0IDEuNDU5LTEuNzQgMy44MzctMi40MSA2LjMwMy0zLjA3bDMuMzEyLTZjMzMuOTM4IDEzLjAyNyA3MS45MjcgMTYuNTIzIDEwOS44NzUgNy45MDdhMTg5Ljc3IDE4OS43NyAwIDAwMjUuMDk0LTcuNTYzYy45MyAxLjY1MSAyLjY2MSA0LjgyNiAzLjEyNSA1LjYyNSAyLjUwNi44MTUgNS4yNCAxLjIzNiA3LjQ2OSA0LjUzMSAzLjk4NSA2LjgxIDYuNzEgMTQuODY1IDEwLjAzMSAyNC41OTQgMS40NTcgNC41OTEgMi4xNzggOC42NiA0LjI1IDEzLjQwNi40NzIgMS4wODIgMS4yNTYgMi42MDUgMS44MTIgMy43NSAzLjg5NSA4LjA4NSAxMi45NDMgMTEuNzg3IDIwLjIyIDguMjgyIDcuMjE5LTMuNDc4IDkuOTc5LTEyLjc0IDYuMjE4LTIwLjc4Mi0uNTU5LTEuMTU4LTEuMzI3LTIuODQxLTEuOTA2LTMuOTM3LTIuNDItNC41OC01LjE2My03LjY1NS03Ljg0NC0xMS42NTYtNS41MzctOC42NjItMTAuMTMtMTUuODU4LTEyLjk2OS0yMy4yMi0xLjE4Ny0zLjc5Ni4yLTYuMTU3IDEuMTI1LTguNjI0LS41NTQtLjYzNS0xLjczOS00LjIyLTIuNDM3LTUuOTA2IDQwLjQ1Ny0yMy44ODkgNzAuMjk4LTYyLjAyMiA4NC4zMTItMTA2LjA2MyAxLjg5My4yOTggNS4xODIuODggNi4yNSAxLjA5NCAyLjItMS40NSA0LjIyMi0zLjM0NCA4LjE4OC0zLjAzMSA3LjgwOCAxLjEyOSAxNS44MjMgNC4wMyAyNS41IDcuNSA0LjQ5OCAxLjcyMyA4LjEyMSAzLjcyMyAxMy4xMjUgNS4wNjIgMS4wNTcuMjgzIDIuNTcyLjU0NyAzLjc4MS44MTMuMDk3LjAyMy4xODMuMDcxLjI4MS4wOTMuMDY2LjAxNS4xNTYuMDE3LjIxOS4wMzIgOC42NzIgMS44NjYgMTcuMDk0LTIuODggMTguODc1LTEwLjY4OCAxLjc4LTcuODA3LTMuNzU0LTE1LjczMi0xMi4zNzUtMTcuODEyLTEuMjU0LS4yODYtMy4wMzItLjc3LTQuMjUtMS01LjA5LS45NjQtOS4yMzEtLjcyNy0xNC4wMzEtMS4xMjUtMTAuMjI1LTEuMDcyLTE4LjY5NC0xLjk0My0yNi4yMTktNC4zMTMtMy4wNjgtMS4xOS01LjI1MS00Ljg0MS02LjMxMy02LjM0NGwtNS45MDYtMS43MThjMy4wNjItMjIuMTU1IDIuMjM3LTQ1LjIxMi0zLjA2Mi02OC4yODItNS4zNDktMjMuMjg0LTE0LjgtNDQuNTgtMjcuNDA3LTYzLjM0MyAxLjUxNS0xLjM3OCA0LjM3Ny0zLjkxMSA1LjE4OC00LjY1Ny4yMzctMi42MjQuMDMzLTUuMzc1IDIuNzUtOC4yODEgNS43NTEtNS40IDEzLjAwMy05Ljg3OSAyMS43NS0xNS4yODEgNC4xNTItMi40NDMgNy45OS00LjAxNyAxMi4xNTYtNy4wOTQuOTQyLS42OTYgMi4yMy0xLjc5OCAzLjIxOS0yLjU5NCA3LjAxNS01LjU5NiA4LjYzLTE1LjI0OCAzLjU5NC0yMS41NjItNS4wMzctNi4zMTQtMTQuNzk3LTYuOTEtMjEuODEzLTEuMzEzLS45OTguNzkxLTIuMzUzIDEuODIzLTMuMjUgMi41OTQtMy45MjYgMy4zNzgtNi4zNTEgNi43MTQtOS42NTYgMTAuMjE5LTcuMjEzIDcuMzI2LTEzLjE3NCAxMy40MzgtMTkuNzE5IDE3Ljg0NC0yLjgzNiAxLjY1LTYuOTkgMS4wOC04Ljg3NS45NjhsLTUuNTYyIDMuOTY5Yy0zMS43Mi0zMy4yNi03NC45MDUtNTQuNTI1LTEyMS40MDYtNTguNjU2LS4xMy0xLjk0OS0uMy01LjQ3MS0uMzQ0LTYuNTMyLTEuOTA0LTEuODIxLTQuMjA0LTMuMzc2LTQuNzgxLTcuMzEyLS42MzctNy44NjQuNDI2LTE2LjMyNSAxLjY1Ni0yNi41MzEuNjc5LTQuNzY5IDEuODA3LTguNzMgMi0xMy45MDcuMDQ0LTEuMTc2LS4wMjctMi44ODQtLjAzMS00LjE1Ni0uMDAxLTguOTc0LTYuNTQ4LTE2LjI1LTE0LjYyNS0xNi4yNXptLTE4LjMxMyAxMTMuNDM4bC00LjM0NCA3Ni43MTgtLjMxMi4xNTdjLS4yOTIgNi44NjMtNS45NCAxMi4zNDMtMTIuODc1IDEyLjM0My0yLjg0MSAwLTUuNDYzLS45MTItNy41OTQtMi40NjhsLS4xMjUuMDYyLTYyLjkwNi00NC41OTRjMTkuMzMzLTE5LjAxIDQ0LjA2My0zMy4wNiA3Mi41NjItMzkuNTNhMTU0LjEyNSAxNTQuMTI1IDAgMDExNS41OTQtMi42ODh6bTM2LjY1NiAwYzMzLjI3NCA0LjA5MiA2NC4wNDUgMTkuMTU5IDg3LjYyNSA0Mi4yNWwtNjIuNSA0NC4zMTItLjIxOC0uMDkzYy01LjU0OCA0LjA1MS0xMy4zNjQgMy4wNDYtMTcuNjg4LTIuMzc1YTEyLjgwNyAxMi44MDcgMCAwMS0yLjgxMi03LjQ3bC0uMDYzLS4wM3pNMjMyLjEyNiAyODMuNjJsNTcuNDM4IDUxLjM3NS0uMDYzLjMxMmM1LjE4NSA0LjUwNyA1Ljk1IDEyLjMyOCAxLjYyNSAxNy43NWExMi44OTIgMTIuODkyIDAgMDEtNi42ODcgNC40MDZsLS4wNjMuMjUtNzMuNjI1IDIxLjI1Yy0zLjc0Ny0zNC4yNjUgNC4zMjktNjcuNTczIDIxLjM3NS05NS4zNDN6bTI1OC4xNTcuMDNjOC41MzQgMTMuODMzIDE0Ljk5NiAyOS4yODMgMTguODQzIDQ2LjAzMiAzLjgwMSAxNi41NDggNC43NTUgMzMuMDY3IDMuMTg4IDQ5LjAzMWwtNzQtMjEuMzEyLS4wNjMtLjMxM2MtNi42MjYtMS44MS0xMC42OTktOC41NTEtOS4xNTYtMTUuMzEyYTEyLjc4NiAxMi43ODYgMCAwMTQuMDk0LTYuODQ0bC0uMDMxLS4xNTYgNTcuMTI1LTUxLjEyNXptLTE0MC42NTcgNTUuMzEzaDIzLjUzMmwxNC42MjUgMTguMjgyLTUuMjUgMjIuODEyLTIxLjEyNSAxMC4xNTYtMjEuMTg4LTEwLjE4Ny01LjI1LTIyLjgxM3ptNzUuNDM4IDYyLjU2M2MxLS4wNSAxLjk5NS4wNCAyLjk2OS4yMTlsLjEyNS0uMTU3IDc2LjE1NiAxMi44NzVjLTExLjE0NiAzMS4zMTQtMzIuNDczIDU4LjQ0LTYwLjk2OSA3Ni41OTRsLTI5LjU2Mi03MS40MDYuMDkzLS4xMjVjLTIuNzE1LTYuMzEuMDAyLTEzLjcxIDYuMjUtMTYuNzE5IDEuNi0uNzcgMy4yNzEtMS4xOTcgNC45MzgtMS4yODF6bS0xMjcuOTA2LjMxMmM1LjgxMS4wODIgMTEuMDI0IDQuMTE2IDEyLjM3NSAxMC4wMzIuNjMyIDIuNzcuMzI0IDUuNTEzLS43MiA3LjkzN2wuMjIuMjgxLTI5LjI1IDcwLjY4OGMtMjcuMzQ4LTE3LjU0OS00OS4xMy00My44MjQtNjAuNzgyLTc2LjA2M2w3NS41LTEyLjgxMi4xMjUuMTU2Yy44NDUtLjE1NSAxLjcwMS0uMjMgMi41MzItLjIxOXptNjMuNzggMzAuOTdhMTIuNzY0IDEyLjc2NCAwIDAxNi4wMzIgMS4yOGMyLjU2IDEuMjMzIDQuNTM3IDMuMTc0IDUuNzgxIDUuNWguMjgybDM3LjIxOCA2Ny4yNWExNTQuMjU2IDE1NC4yNTYgMCAwMS0xNC44NzUgNC4xNTdjLTI4LjQ2NCA2LjQ2My01Ni44MzggNC41MDQtODIuNTMtNC4yNWwzNy4xMjQtNjcuMTI1aC4wNjNhMTIuOTEgMTIuOTEgMCAwMTEwLjkwNi02LjgxM3oiIHN0eWxlPSJ0ZXh0LWluZGVudDowO3RleHQtYWxpZ246c3RhcnQ7bGluZS1oZWlnaHQ6bm9ybWFsO3RleHQtdHJhbnNmb3JtOm5vbmU7YmxvY2stcHJvZ3Jlc3Npb246dGI7bWFya2VyOm5vbmU7LWlua3NjYXBlLWZvbnQtc3BlY2lmaWNhdGlvbjpTYW5zIiBmb250LXdlaWdodD0iNDAwIiBjb2xvcj0iIzAwMDAwMCIgZmlsbD0iI2ZmZmZmZiIgc3Ryb2tlPSIjZmZmZmZmIiBzdHJva2Utd2lkdGg9Ii4yNSIgb3ZlcmZsb3c9InZpc2libGUiIGZvbnQtZmFtaWx5PSJTYW5zIi8+PC9zdmc+"/></symbol>
+  <!-- svg-source:excalidraw -->
+  <!-- payload-type:application/vnd.excalidraw+json --><!-- payload-version:2 --><!-- payload-start -->eyJ2ZXJzaW9uIjoiMSIsImVuY29kaW5nIjoiYnN0cmluZyIsImNvbXByZXNzZWQiOnRydWUsImVuY29kZWQiOiJ4nO1921LjWLbte39FRu7H7vReN936xH4w2Fx0XCKRnFx1MDAwNlx1MDAxYjAnOjJs2Vxi3ylssKVcdTAwMWT972eOuVx1MDAwNDYkJoFcdTAwMDSK7tNVUWVb0rrPMeZlzSX+9y+fPn2eZ1x1MDAxN73Pf//0ubdM2qN+97K9+Pw3XFy/7l3O+tNcdN1S/Hs2vbpM+Mnz+fxi9vf//u/2xUUp7c870+mwlEzHtlhv1Fx1MDAxYvcm81x1MDAxOT34f+n3p0//y/9fa6g/bqc9fpgvr9pxlLl/NZ5OuE3pO4F0fOm5t0/0Z1x1MDAxNWpr3uvS7bP2aNZb3cGlz9W41SnLpHvZaF5e1HeHnerXRWPV7Fl/NDqcZyPu0mxKI1/dm80vp8Pecb87P79cdTAwMTn+2vVNpS6nV+n5pDfD0OXt1elFO+nPM1xcXHUwMDEz4vZqe5JyXHUwMDFkqytLPCFdUXJV4CvluDJwhXd7XHUwMDFiXHUwMDE1eFqUXHUwMDAy41x1MDAxODdQwtPa9+91bHs6ml6iY/PL9mR20b6kdVh1r9NOhin1cdJ9/LlFMWyjSs7txfNePz2f37866/Hs+472XFzfMavVQztcdTAwMTdhl4XgXHUwMDFmqym/bI97IUpMrkaj9XmbdIt5u3Ojg1x1MDAxYtU1eVpVdXXRbdulJ5FcdTAwMTBGXHUwMDA3nudcdTAwMDTOaqVG/cnwfnWjaTJ8QFpm8/b8XG7Vf77oTbr9SXpHRmx/P7uiIzw36VxiY4Rvek7Q80xXdYw88410gm7S6/ZEt7suQ4Sm3i1cYvDPl1uh+PRJXHUwMDE23/7Bn//828NIuewlcyspXHUwMDBmoEW6ciNagiCQytfCfzJawt1j9eV67+zotJxcdTAwMWTNK4E8/tGS74VcdTAwMTbxMrSIQJaMJ1XgXHUwMDEyNVxiXHUwMDEzmDtoMZ4pKS/wffpPe56437FbXHUwMDE0/Jfs4d+XI8V1XHUwMDAzwiW15PuBUUL5P8NGXHUwMDFiU9La8YzWgXD1T1x1MDAxMFxuXGI/Qiklflx1MDAxZkL/eytkN3Kkiyv/fFx1MDAwMbKMp5XytHxcdTAwMDayXHUwMDFlXHUwMDE16XlvOX9YmvUmaVbad6TWUj1ZmFx1MDAwN85g+cd0/r2uXHUwMDE3c+2Yqdjd82ZcdTAwMWad+oncjevRP1JcdTAwMTChundkmditRIAmveC6jvLU28kygaqkpWuEq1x1MDAxZWB/pe9cdTAwMGKu9Fx1MDAxY1x1MDAwN332/zXJ/2w6mVx1MDAxZvZzXHUwMDE2M3Hn6tf2uD/K7shcdTAwMDDLLk1giyyhT9ujq9m8d/n5zt3yqJ9Cmj+Pemd3xXzeJ31we3s+vVjdTai1dn/Su/x5dqaX/bQ/aY9cdTAwMWGPtkzj7e3eLJEsSWdt9Wc93GWd8HJVo9bI81x1MDAxZTh911x1MDAxM1x1MDAxZSnF1eT9XG6c41x1MDAxZvPUnU6Xrpr90c6c5VkjXHLMq4Kz256d915cdTAwMTedRIMl7flkhbpkfml/hYOMXHJXt+RcdTAwMDa+o0TgOtKR5l7PXlx1MDAwZp7KiJI2jpZcdTAwMDFJvGNcdTAwMDK9aupcdTAwMTakzoo7XG6QKmKXQChvXHIj76tebsusSm/SXHRrklL5Y28m00p4eP3Hl8Ghic5GX5yjz7fP/fPGhnpFYniZ7lxu3E3wIGkh1pZrjs2v4PHwoD84PFx1MDAxYyFLvlwifLgumVx1MDAwYvJcdTAwMWU6jC7Jd0GH9HWJLFx1MDAxNuU6T9ReOvBdstnMK5hdL1ReRCyOXHUwMDE0UjxDRn9Pee23L7q960/VyXX/cjpcdTAwMTnfmcc7KiyhW+ta5iclNu53u+v64q5cdTAwMWX7XHUwMDE1z99XbY/16zVcdTAwMTTcxqiD1JuVm9FGudI8XHUwMDFkvcGXi6P2WM8rsalO27ODpOx/vf7glqcybklcdTAwMWGh4JtcdTAwMThf+avZRVx1MDAwNa5cZlxiva4naSqU9EywXHS9r1x1MDAxMnRQXHUwMDBm6LO1azf6zCNcdTAwMWTsiDX3dlx1MDAxZLYrXHUwMDA15Z5cdTAwMWRcdTAwMWNcdTAwMGac9ld3q7NcdTAwMTVMx9/PJ9HB1zVN83m4uChvl0W/VWv+aGxccvZcdTAwMDb9Tv/kRsN8dNv1SYFcdTAwMGLZ65BcdTAwMDcklfSpXHUwMDE1r6PIrjeJXG46XGJcdTAwMTAkriRfI5Gu53iPXHUwMDA1Lp5cdTAwMWS32KgovY1Qk+Q2XHUwMDEzXHUwMDFiK/N0QzLxut/Sy9p5a8/Zalx1MDAxZXcvv+59XHTiXHUwMDBmjjXpeOTIXHSPXHUwMDE2xDyANVx1MDAxM5RcXDhTXHUwMDA0tEex9vt2pDAlx1x1MDAxN8Lz5dM0pZHGNZ5r/v+G3G9o3C/frjq9L1F7Qmronb3GRzvw9s6j2Vx1MDAxOKd0vMBox/eeXHUwMDFl2SlcdTAwMDcnf/xIx071u5+fqeOLef9q4X5065gg9piCXHUwMDE1qlx1MDAxNJgnKNjfXHUwMDA3ves/XHUwMDE00vfpqlj7ZzXKm1x1MDAxOI/rONS9YIP7+Fx1MDAxNth+RS/TXG7OzunZt+ZwtPyRnGyVvcnRwfeeXHUwMDE2d53OXHUwMDFiaW5fXk5cdTAwMTd/opu50VJ118B5X32Sh++Ss/lcZij1T+PyMD+efPtcdTAwMTF/6ybLxTxRV95cdTAwMDeHXHUwMDEyuWol3oFcdEyglXPXz3SlKFx1MDAxOWWU8KVPXCK7tj3y51mqUpD15Srqz5/mYWoy9Vx1MDAxYyPMM8TzeSZmoNq+L3s6IMuSzFx1MDAxNm2wXHUwMDBmon0jPNfxzno9X/WM13OSVzUxLUhcdTAwMWayMcUjKDE+mV3SPMPIfJw3Xlx1MDAwNSXT+XxcdTAwMTNKXrYxRkZdyVx1MDAxMKUjLENcdTAwMDb/fZhcdTAwMTin5GtidEVcdTAwMWHJl3LjLvJv61x1MDAxYq3IdTRKKk3emu9cdTAwMWHzgPJcdTAwMTEll1x1MDAxMOtcdTAwMTJkXHUwMDFkJV3hXHUwMDA33k9cdTAwMTByfENcdTAwMTax0W9cdTAwMTK8VL9WK48hS/u+cF6IrMv5Vt+C6k7Hilx1MDAwNFxui62rpNlo/Jh6leQ6XsT+8lvli9Hr5vTZNGGAflx1MDAxMSXhXHUwMDA1Tlx1MDAxMHiavFx1MDAwYlc5a1x1MDAxYp6YsfZcdTAwMDXos+RcdTAwMTFcdTAwMTP4nvDId9ZGOj9ccp5Q/utOPW6ErXWK+iRcdTAwMDJXa8dcdTAwMTVk+viG+OCnPklyREhcZoUxxvVcdTAwMDPf1z8r+lF7Nt+ejsd9XHUwMDAw5fu0P5nfn2SezTIo4bzX7lrB7N+zSGlov3jiXHUwMDAyVd+1JFbfPq1Axj9uv//jb1x1MDAwZj69Wfi5+E9iv6rvSfy3ycU2cmNcdTAwMGVccklGQGTwjGhW5H6b++Xj6kQ5h2F7vj9cdTAwMWbV5CubXGKvTn6+0SXf08ZcdTAwMGJI4khcdTAwMDOtzGkmP4dM8UBIXyuaXHLfde917Fx1MDAxNY1trUvkMD81XHUwMDEy7VxirYSW7sP+9b+lX3zYS64ue5+Oe51cdTAwMTlqnX9qXFxNJr3R+/rGv+zEm8aeld7oXHUwMDFiI0CkXHUwMDAystuensNzcprLSznJrvy037vezkeLy2T3g8PVI/7XJvCFNkJcdTAwMGLh3M178Fx1MDAxZFNyiUVJtZF3TGblRzDpXHUwMDE1kaiCXHUwMDFl/YU3PFx1MDAxZY1GX05221dX/rR+Xjs72W90zt4g0nXb4lx1MDAwM26vd3SuZo1cdTAwMWZcdTAwMTdcdTAwMTdbjezs4nQ+PCt/n7yW2+t7Snkv2rl6Wuj6LKE1d1x1MDAwNVx0QNLxtON1XFw3kYFr2m1y8cjdTbq+clx1MDAwM/9dQtdkf270KsjM1sJcdTAwMDTBM1x1MDAxMpRazajd9p3R13Nv1PrWb81cdTAwMWHb3z84Ul1k2/luoFx1MDAwMo/Up7vmNzBSXHUwMDExRdJCkVdBWlVcdTAwMDVvXHUwMDE3xXK90lOD1tLBZrSU4uHkpPeH6q/A9Jw0u99TvpXedWe6fF9de7/NN1at/v2rq/RY0IpWT49cdTAwMDJsJb1l7WrPXHUwMDFj1b5cXH+b7M+2+m2388Hx6lx0t+SRoyc0kmDJJbyDV61USWlPXHUwMDE45ZFfpjcnZbynZvWNY9RGT39cdTAwMDXXva1JPdBnw1rim/P5nin3+u0v71xyVz9w3jCm1lVnXG45zW2/XHUwMDFkiG631+m6Z4F0O1x1MDAwZV3xvXbP6Z5pfea+j+5TXHUwMDFi85tcdTAwMWPjXHTPo54+XHUwMDE5SmN9OTtcdTAwMTTdtL1/rPZcdTAwMDZuzzvo6VdO/3t91eeqkkPaTbpaXHUwMDE5T8q7Rqp2XGJoZFx1MDAwNDhcdTAwMWWpPZ9swzdMcJJINFxmlPS9pylA0n5cIkCG/Fx1MDAwN0HUY7bqodfUP755XHUwMDE3rYOGl87yvis6w8rr2aovxeuL1Ov3y951v7f41DzYf19cdTAwMWT7YMNvv8e7mSE8zyezcH1cdTAwMDPkV1xmkXeal4vysTtcdTAwMWN/c7e3u1tqclx1MDAxY77uwa03Slx1MDAxMHY9Q/DX2OFVd09uuZKMVkNgXHUwMDA0i1x1MDAwNN5cdTAwMWJu8b4oP9hR9KznrrH4v0J6cG1aPYv2w17/MOiGf/T3q2l53P6A6cFKPeI6XHUwMDFh43r0v6fHZFx1MDAxZlx1MDAxZfVcdTAwMDdHhyNUSSpslmiXnDfv7kktVyNcdTAwMDb0XHUwMDBl6Hh2frBSvkc4eo28+d/IXHUwMDBmNka4z1x1MDAxMNLf01xc75ZcdTAwMWb8XHUwMDBimn/v/ODH9ZuzcU/Z+K5RbvCMg8nzo8VhO/le1Zfellue7e1VnbODj45g4/klj0xb4brG97x7XGKGrymIyJTCPoZa2+j9XHUwMDE4XG4ukIboZ1NcdTAwMWPooyq4y2y3fT5uXHUwMDFlbu+eXsz6Xn9a+yNxnq/g9DpO3kTBbUaH73NcdTAwMWWI+/RNjIdcdTAwMDf9wdHhXGKvJH1ptCZdJlx1MDAxY3U31uIpclx1MDAxZt9cdTAwMDVcdTAwMWTPVnAyQHSUjL8/V8O5UnrPkNJ/XHUwMDExXHL3XHUwMDBiov8wJ2B8f2NaviekJmF6xvHOQfI1Md5hbTasd3dcdTAwMWHLP4am+fWDv3bDXHUwMDA0QclcdTAwMGZ0ILSnccTau5uga6QoeY7rKq209lx1MDAxY+9+x175tVx1MDAxYo4sXHUwMDE5TXYn0UggXeE+9Fx1MDAxMo7Nz9zi2vGEoVtcdTAwMGbCeqXC5Ner7SP/7Mf+Wbef6+Z5XtGmup7K04xcdTAwMGbi/GRvf3LcX5x+nYzNNFx1MDAwZWvvXHUwMDFjajXIXHUwMDFjelx0PTxtm9FtXHUwMDBi4Vx1MDAwN0K1zVlcdTAwMTJ0z4x/XHUwMDE2XGK/51xi6Xe6QnaM1zZtkVx1MDAwNK9cdTAwMWFq3Zzj+8hpNEfh9KTzdEtz2qt9/5IsrnVleFo/d5ZcdTAwMTezk/aPj41FT6qSMJ6RUipXeuruLqNcdTAwMTP4JSPoMl6kodaNvz/xMJpcdMj89X95MuZcXIyHji/TndnhdPd01tqbtGe1dah9XHUwMDE4LD5srb5HkFa5Jni7hFx1MDAwMtVBmqHSQnddo7tJW5N1qvWZXHUwMDE3nHW6XHSZTF6v2yNb9V02VdzNSldcbuqW8vTTgf54muiHXHUwMDA0uuuZUlx1MDAxMLieXGLIXHUwMDA2XHL8e+lcdTAwMDSuxpFcdTAwMTlHaun5nv92WXrBM/dTNJn3nr8pnf/fXHLsv3Fo5m+P1fu2WUkuKcn3S6Qof1x1MDAwZj9cdTAwMWT2Lq/f+1DfQ+2+hpewka/kZr5y8HK+Z53jW+xVTs7Sy+Nv4lp9OT/Ls9F85n9swnJ8UVwi4PsyUIp0yF1cdTAwMTffJcNcdTAwMDRv7fNcdTAwMDLX90Fpb8ZYrlNypaO00U+jLENcdTAwMTRKvf1VXHUwMDA21Ifho9eMZv1cdTAwMWWyrT/+vqi+3+bbpki5XHUwMDFid22lXHUwMDE2UrqBI56+MaV6mfnj+2T03feS/PtVbVx1MDAxMv043fvgiVx1MDAxZE5gSlxup1x1MDAwMXyhfc+T9/alXFxd8oVcdTAwMTEqIFx1MDAxMLmPnJR6XHUwMDE1b0PLkuuRh+dcdTAwMTjCtmPWX1x1MDAwMbd6jeDmZ25cdTAwMWR/XHUwMDFjMd544PDfXHUwMDA0z08y94U5U3g9WffszD3rkumvXHUwMDEyst7MmUy6Z/oskV3dXHUwMDEzSS943Vx1MDAxY6rN51x1MDAxMlx1MDAxZH/zNjD5uVx1MDAwMXUweLrF/7hcdTAwMWb2MdGGODiCzb52nUCsv1aHfXvfK5FcdTAwMGbmKrKxSWGtZVC8tlxuxVt0/UAr31x1MDAxMFikUsFcdTAwMDOKVFx1MDAwNk7JJ3WuXHUwMDEx1veIIH5cdTAwMGWxKcd3XHUwMDA0Xn37INL+1HOJnO30ludcdTAwMTJcdTAwMWaPLH26cy5RekL5yiFPziXfKVj5vZ9uz1x1MDAwMJJlpVx1MDAwMVx1MDAwMIG31NFDP1xy/knnXHUwMDEyXHUwMDFmTy282ykhpPak52hpXHUwMDAyRdy+ylxyW/VKllx1MDAwMj9w8VpcdTAwMDasvyN/XpN/yZOJXzbLP9/+WfRXNf4mXHUwMDA3up53//LteSdiXHUwMDA3Xzwn6PG4XHUwMDE3+VEp0JSMI1x1MDAxZG1cdTAwMWOPmHDNT+VDXHUwMDE0XHUwMDFhL199XHUwMDFmXG6Uvlx1MDAxN1xiXHUwMDAxWDpG+c5aNGrFgZ4o6ZUgmPVXKN+83sAzhlx1MDAxMPtcdTAwMWEv0Ht9XHUwMDBlfOmBiidy4OPH7e5xoENL6uFduYHx3MDz11x1MDAxZSvYximRze34hnxpMsy1eOHh7GedXHUwMDE4R8Y92b1cdTAwMDFRIdmVwVx1MDAwM71cImZcdTAwMTakSlx1MDAwMs9cYk1cdTAwMDSu5U+9+lflwI1cdTAwMDDg+z/L/jNJ8JFcdTAwMWSeR97i4irPv5OT+CtcdTAwMTJMlyr/4ndcdTAwMGbSw52vW9uTLT1zg1c+mfLq6Vx1MDAxMlx1MDAxZd6H5CDtXHUwMDEx71x1MDAxNNL339uuSeZgXCJ65OJcdTAwMTBcdTAwMGXcjelcdTAwMTLveTRFu4FyRPBcdTAwMWHG3ss3QslcdTAwMWZ/yzMnf8Z7XFxcdTAwMWWBycbzW47ruo5cdTAwMTTPeItLP1x1MDAxY1//cTCvXHUwMDFkbNdcdTAwMDbmYHE2zKvZ/MOjxC25XHUwMDFiUUJ2WUmvoWSjqfCeIMF741x1MDAxZLyH6k9cdTAwMDRcdHlcdTAwMTDqxa9k+bNB8pdCYX1uX1xcXHUwMDFjUnd6t4qeZrLfLUKYq8F8xlmPrcdcdTAwMTfzL1x1MDAwNfh4XHUwMDEwK0Pr6X/SZGVrfFx1MDAxZffHvcY6cv97dp3+dTlee1+CXHUwMDA13PP/XlxuLWNcdTAwMWKHVv5uv/79TvX/XHUwMDA30U5cdTAwMTKr77uxOs22TOd4eZXkot/ePVx1MDAxMEller2vu7qbOTrKnOtknFxcR4PyXCLaXHUwMDBl8u446Ye73YvT3YPp98PQRJWtRW87TNs7R1x1MDAxN6fqXFysX+uOR6Ou2LvuVUQ/2i7Po0b5Kq7U0zhcdTAwMGaz/UEq4n5ZR4Pwqlapq3Bg/GTnq2hvb1xyv1x1MDAxZu7FUd40+4OhoWeW0bZZxOMqPW/o+WZcdTAwMWFXWldRXs/CSjmNKqg3uao1yiqs1K/iRrRsVIZqf5DkXFw2r+LZZatRx7UsPiyjnjyuhCn1icYk6JrJatvlPDo0XCLKz2f7jdZif0Dj6JezmPpcdTAwMTdcco7O0Sb1W1JcdTAwMWJUTyTo3oLaX9i66in1l9u291x1MDAxZminXHUwMDEyXsWDJvUxos/UdCpVVTs0S4wnXHUwMDFhVLm9jX2sRHS9Sf0rL+PM9jFcdTAwMWEkSyqzrFx1MDAxZIqrqNLKfl1W2LKV01nUaDn7g7KKMpFhTWiO8s3lh1R/NI9y+lx1MDAxY1SdRqUlaZ7ykPpcdTAwMWZhPVx1MDAxYadcdTAwMWLnZr9cdTAwMTFKnsdDUcxtN4rylPrdXHUwMDEyUUZj2TaydvzIulx1MDAwZXjO9H5cdTAwMDPrXHUwMDFhu2F/a9w+Xs5Ixlx1MDAwNlFcdTAwMWWqlmrKsO//9fvu1nl3J01PSc5cdTAwMWGNSHFblTStNajPeVm3MkGyVNY0flx1MDAxYU+V5IXqXHUwMDFihLRcdTAwMTZcdI0pUfuNqqA+YexL6lx1MDAwYj5cdTAwMTfhNq1NntLYQypcdTAwMWJqKp/vXHUwMDBm6rTemO8qrTPJ1SCco96Q1zZ19lx1MDAwZqn+XGbPJTTuqkPzgE9ccjmkeaFxUX9cdTAwMWGRXHQxt41cYjKrbT1RyuswgFxmQ95a9DulOlt8n/pKc1x1MDAxYt6sI36nNPdcdTAwMGXNzZw+XHRvUUoyrOI8mdOcauo/9bepovFijvWIt8tUtmpqO9Vljdc7Qr1cdTAwMGXhKo/yZIWDPtYoTWPgbbA32G9EVM9QU3mD+SF50VRGxVmZ8GKWhNt5rVx1MDAwMblv0diaNIdNJ96pZnGlSeNE30NB/VrGg6KNQ3ErXHUwMDBmmCNaXHUwMDE34oHWMoK8NaI5cIg1oL5Kkmu0aWrbXHUwMDAy/CBcYpPUTl2yLFRoXlx1MDAxYlUq28R6gFx1MDAxZkSt0qJ1XHUwMDFkklx1MDAxY1ZcdTAwMWS6R/1OqV60XHUwMDEzLWJuj57dRvsth+pU4Fx1MDAxZuqHY9ed6yAsXGZpvlKH5zhvkdxhLZpcdTAwMTnVR30oU1x1MDAxZlwi/Macy1qjPo9InmJcdTAwMWVDXdCnQt14hrBAz1x1MDAwMtNVQ9dzbitcdTAwMTM0P3WH5adBc0XrW6P5seuLuqvAhYytzNAn+lpcdTAwMDaHXHUwMDAxU0s7hnpGa0HfsfZpSu1TP1wi8Fx1MDAwN69cdTAwMDFkkWR/XHUwMDExXHUwMDEzXHUwMDFmkozTXHUwMDFjVGnOeVxcaFx1MDAxM2upIFx1MDAxZrVKXHUwMDE18rOkdUrpPv2OUNeCeFx1MDAwMNdcdTAwMDVkgp6z64Yx4ndGbeZcdTAwMTGuq7hcdTAwMDH5pblpQC6prcqQxkHymtdpzZtYXHUwMDFmkocq9X/o1Fx1MDAwZcs0xylkfok1t9chXHUwMDAzZepvXGJcdTAwMWRAn5FD44Is5PS8YpnI8HuY11j26nltZ1x1MDAwMYzSfNJcXGFeXHUwMDE1cdKgibaJiyCnXHSNTeTMJZUkrUFcdTAwMTdcdTAwMDDrgyHkXHUwMDA3fFx1MDAwNVx1MDAwZXJcbn4v+k7zRnxEcoi5p3lFm2Vj5zp17FpEin6rQlx1MDAxZiiLJ1x1MDAwMXxl9nlqu2HHSmPIMSaSXHUwMDFixdy8jb5GkEP6pPnZhkxcdTAwMGZJXHUwMDE2MLeWh1xiu1x1MDAxOXNcdTAwMDC4ssGf4NlcZrJcdTAwMTejzKDKMlx1MDAwNf1GZUlcdTAwMGZcdTAwMDLTVegsWi/CKNZ7gDWgPlx1MDAwMGtccsxJ3ezfrDvphn3mXHUwMDEy5oxFXHJcXI52SVx1MDAxZahdktGyxVx1MDAxMDCYkzxAl9JcXFx1MDAxNXOTY31J9o19Nlx1MDAwNL/hWUnyxlx1MDAxY1Wr8Jou7NqgL1x1MDAxMThxyfJDXHUwMDE44e/ZXHK2WMcuao1cdTAwMTTfM8ggOFx1MDAwNHJb8EIhS+DEKl1cdTAwMGaVnWPSS8RcdTAwMDPcZlx1MDAwNnlcdTAwMDXvXHUwMDAyU1hcdTAwMWbiXHUwMDE1Xr/IyiCVYZzm3OfczpXFXHUwMDEyrVx1MDAxZvBOfMxYwvg1MFx1MDAxYvH6glx1MDAxM6GvmnPqr4SeJlx1MDAxZUZcdTAwMWZkbGXSiVkmMX6WyYWV3aGqXHUwMDFkL7g8eITuXHUwMDEzXHUwMDA3RsvY8iT4T1x1MDAwMF8x46KKPlq5PyQ52y5sh1x1MDAwNsvZMlJcdTAwMGJwXHUwMDBi4YvwxutxNKD6ZY2xUdeFfFLdeD5lLqByKXFxZnkoXHUwMDA1XjRkdp/WMc6YK5aYn1xia1x1MDAwMK5cdTAwMWaAn4Y38lx1MDAwNXuF5pzqXHUwMDA1j1dcbjw3aHwsXHUwMDA3dazF8oaHqV9cdTAwMGWvXHLsK8hqXmV9RXIyp3U1LD9cdTAwMTkwloBcdTAwMWJ13Fx1MDAxOKJvi1x1MDAxODJcdTAwMDd5Zb2XYG2onVx1MDAxNttcdTAwMTNUnmQnXHUwMDAxtjSvd5/1rMN9J11s5YN1aVx1MDAxNrHOSeY8Xq6vNbfrQd95rXh+citHUcayvY3vZaubraxlsE+srmY5Rt+IXHUwMDBiI3Ah1sOugeVGQ3qax1x1MDAxMvFaXHUwMDEzvzKWXHUwMDEzYWUhIVx1MDAxYlximE7BXHUwMDFkorDHMNdkf7Csgv9cdTAwMWTIL3iR7Fx1MDAxMWCcflx1MDAwZuk56je1XHUwMDA3XHUwMDFigvpcdTAwMGU7xOqCSlx1MDAxM/pcdTAwMGJcXMrleS7BySyDXHUwMDExZD1HPzqQz1x1MDAxYzxxSrZcdTAwMTD4ISrknWzWjPWAXHUwMDEzgb9Zb4bA86JWrFx1MDAxMbg8qnTPXHS/6Fx1MDAxYnBg6Fx1MDAxZdlH1m4reFWwXGY1WnlcdTAwMGLPZ2XWT5a3W2RjYbwkg7xewFx1MDAxOGSyVXBcIvQy5q6Zsk5nOVxyoctojetk96Is27M52/g8NshcIuxI0kHET6TPXHUwMDBiXsF60pi2WediTVx1MDAwNOODf1x1MDAxN3qMbJZcdTAwMWHw1uc1kHZcdTAwMWWAT3o2XHUwMDBmU+acXG5/ZswhtL7R7fqGzCkx94U4/1x1MDAxMNiGXHUwMDBlYLlyWC54PVJtZTXMwDNcdTAwMTGN3dqPlp/jSmJg39VcYiPWNsF6soxcdTAwMTOWbmRcdTAwMWNcdTAwMTiy60tzYyyGQrYzSM6XbGeA55nvI75OmJzzWNl2qcJm12wnXHUwMDFj4jOFLoJcdTAwMWMpyDHNtYS88FxcQK5g60F+XHTbtVxut2f56pDsfvBBXHUwMDFmfHVjoyRcdTAwMGXwZnVjU690XHUwMDEyc6ogvEjL563c8lxcQrpcdTAwMWFYXGItl0BcdTAwMDejXHUwMDFk64fReOtcdTAwMTKcXHUwMDA0XHUwMDE5rlWG5PPBvlx1MDAxZFJcdTAwMWbYTlx1MDAwMVx1MDAwNpn/qFxy9FNZf1x1MDAwNHJC9lx1MDAxN/WNdFx1MDAwNGSH8I65SdPCLrf8ynxcdTAwMTjOWVx1MDAxNizussLWXHUwMDEz1latgq/yQnYwT4tcdTAwMWHLYDVcdTAwMDPuYqz7gG1cdTAwMTnoM3BcdPOeravu2GdcdTAwMTPqO9eVWTnl38A2+2wx610rW2xvXHKgK0NwJORcdTAwMWb8kPOaW1x1MDAwZVx1MDAwMZ40jzvDmPCb/Tdj9SF+t1x1MDAxNHM76/BcdTAwMTb0ubZ8XHUwMDAyPVx1MDAxZlr5trJsYvZcdTAwMGaSXHUwMDAyo3Z+bnSxtTvB1zyGgsdpXHUwMDBl2C6F3Vx0WyXJo5XOn1x1MDAxNzqf7VxcXHUwMDFhXHUwMDFi1jpje5ptQujahH0wtn2tLlx1MDAwNZ+SXHJK9j/sjFx1MDAxY7o6gVx1MDAwZVrynNLvyPq2Vlx1MDAwNlx1MDAwN4VtU0nQhmFdulxyXHUwMDE5gi3Eflx1MDAwN9tcdTAwMDdWXHUwMDFlXCJrV1x1MDAwZlingE9hL1x1MDAxMu+wXHIlXG5dXHKdZm2xnVx1MDAwNeTegS6ALVx1MDAxYjXOXHUwMDA3tnzI/iPJsrQ+XHUwMDE15LOOulxuv6BcZu5W0CWwJ2Lm/uFcdTAwMWP6kdZSWJ8wncdcdTAwMWNToL6QjVx1MDAxNfM8tljOrKw2l1x1MDAxNlx1MDAwYpEubD1tsTQkTLJcdTAwMWRcdTAwMGY5XHUwMDE0jFerf1m3RFx1MDAwM7b7cuCFrkmrQ5tz25cqZIt0Z1x1MDAxNX1cdTAwMTJcdTAwMDWng/dhR2uS31xm40S7XHUwMDFjt8DzbGuFrCfAV+B3i03YXsxjS+aHXGayRtzaqGe0fqpmuTCz9lNcdTAwMDK5z1x1MDAwYlx1MDAxZJaxL8e2XHUwMDA0ZFx1MDAxMmvQhD2MtcutXGaFwj6P51x1MDAwNPokMefWLiU/tI+1rFtfO1x1MDAxZmLeqF3Y41W2L1x1MDAwYvshh1x1MDAxY9XAMflwyf5W3mTbk9YkL/ytdM3fctg3ziC3KbdB85Syzd9gWVTWLi1cdTAwMTe8zPzMNiziXHUwMDA11GbO/vh22epo2C2Fz2htQeZTtqOsz96Stt9Dq0PYfk+19b/gR9z4vuDrlkN+RM4ySPJcdTAwMDVcdTAwMGUjO5PagmySTckxXGbGQWbjXHUwMDEztFx1MDAxZcytTbVf2GjAXHUwMDAzx3MyzHdds1x1MDAxZJPf+L5RVuhcdTAwMDdh/VHyp1x1MDAxOJOFX5ojjlFnf4bHXHLbgOaD11x1MDAwMnbIXHUwMDAw/lx1MDAxMM9cdTAwMDFwU3Ap/E3Gn0ScjPxcYsfW0XLsXHUwMDFhQN6xNqRcdTAwMDP7bNfQWMA7dWF1WKLYjlx1MDAxYbBcXJvCls8tVtmHhe21ZF+3kdz48Mb2gedC3PjfzO8nXHUwMDE3c8tcdTAwMGbAN61cdTAwMTHr1ch0XHUwMDE4Q8zt2q41/IeokOvugPmK9DhsXHUwMDBl+Fx1MDAxZrw+22XLb+zvhDd+Smaxy2tcZptqYe3eXHUwMDE2yyF0UZxcdTAwMTWyXHUwMDA2LGGNLY9cdTAwMTV+XHUwMDE0dNdcdTAwMTD+krD2x8GAfaxcdTAwMWNYhl1Xhj0tithazjyEXHUwMDE4Z99iXHUwMDAzMbS4XHUwMDExn7P/b20m+EiFL4qYV1x1MDAxNZi+aV/VKudup4H4XHUwMDFkx1x1MDAwNVx1MDAxNi20M1xiIb9oXHUwMDAzNrHiWFxybFx1MDAxOevj07qlurDDXHUwMDA0sFx1MDAxZFx1MDAxZlx1MDAxMz9cIo6GuF6hb61vyr5cdTAwMTbZdoxtYfmrXGaeXTK+XHUwMDA2dev7c1xcJeGYpcVnXCJbbEeki4JbXGb87VwivpNcdTAwMTVxXHUwMDE32Hm6w23w3C5cIn1cdTAwMTFcdTAwMTO3ZjxusqVrXHUwMDFjXHUwMDA33ZtBd2KNyT5eXHUwMDE2PpQtg/VcdTAwMWRHzKFWLzfRXHUwMDFl/OybdcysjividrDhjqvcn1pcdTAwMTGfILujiCVWwVx1MDAxNTSfbDdyXGbU+s02nkPyfVx1MDAxM2ODTkZcXCq3Nr7IY/hcdTAwMWHQ95i7XHUwMDAx6SjogUaS22e5v47VXHUwMDFkMa1VKGvMxcBIPKDvhKu6jfVcdTAwMTHfU79cdTAwMDXHXHQwfubuqNDbiE8gdso+KuzQRWRjkTKucDyO9Fx1MDAwMa1xznaCZt+0gZhK3eEyWOO8ztxa4L7ww+FTRjx2+Edsi9hYXHUwMDE3cf9cdTAwMTD6RkLP1KzNwXZcIsrb9U1s7L1cdTAwMGZ/u2XXl+NcdTAwMTVDxjF8Q7u+0dLGXHUwMDFkWqmNO1x1MDAwMddNtrVcbjxcdTAwMGKOXHUwMDE5wma39edtcDvs//GC/WTm+Ia1qVknckw8LGyScHmDlWi76CfG2YA83sbYpOWT0MqfvqD5aFx1MDAxNnJcdTAwMDXMNlx1MDAxNc3DkueFeW/osP22XfjvXHUwMDFjK1x1MDAxOc2KWEFh/ybKcpiVcfbFOUaHeDXHMax+y2H7Qlx1MDAxZbBfwVxcvbB1MleBI0hPhFx1MDAwZfeBcFFwP2PPclx1MDAwYuqF/q+yruH9XG72x6GrkqX1IWBHtW701Fx1MDAxNXhcdTAwMTUxOdYxha1Vsz6RXHUwMDEzWV+cZOur28FaXHUwMDBmklwidnSDp3R561x1MDAwZrFNhlx1MDAxOCQ4XGK+PONKXHUwMDE3c73gsXHcXHUwMDFh/WNcdTAwMWQqOL7XYL2trc8+zGO1uGJba1x1MDAwMN2DsXJcdTAwMWPB2qE7XHUwMDEx206EXHUwMDAzY+OyTeg4UbM6T7CPS3ZkPChDd9G4XHUwMDEz61x1MDAwYqhcdTAwMDX0bFx1MDAxMedNmeuZh1x1MDAxYk3Vgj4jncrrw+uZLFhXXCKOzrqs4DiSv5jjXHUwMDFkZFx1MDAxZpP/UWvA58VYWsKOXHUwMDE1MUP2eYE1trN57nZcIpaZXCI2n1x1MDAxN/tKXHUwMDA17lx1MDAxMjtcdTAwMDc5/FX6PLZy2+FcdTAwMTgkx/xcdTAwMTRsPXBRbG1m1COZR1x1MDAxYa1cdTAwMWKehNxbX3y70GFccuwz1JWN1dehPyT70DZcdTAwMWUvXHUwMDExu6ixf1x1MDAxMc25ruNFXHUwMDFlsy9SZ05cdTAwMDLu2lx1MDAxY7ePeYzsXHUwMDFi33wydoFcdTAwMTXWXcpiZNpcdTAwMGZ3Y9E7Xo6+XHUwMDFm7onTk3Oxfzy6Ot05uupWpouaPlx1MDAxOPV26/PW8fLiVFx1MDAxOTfRXHUwMDA358mk7nV26JlDOT09XHUwMDFlTdq7dbczXHUwMDBlss7x19nN893dvfPOJFx1MDAxZXf03rw2dq4746bXXHUwMDFhL69bajZPdveuT/XeKNHxRYfq7O6EXHUwMDFllc3a6ii7eVx1MDAxNn1oa/JwTrZG+8en151JfZ7orVFLjcbt4/i8uzO67lxmLlx1MDAxYa1jJ8d+UEc5Yv+kO2pcdTAwMWZ3p92K6JONvqDrg45aXidcdTAwMDPRXHUwMDBmc+xhYX8jTE/Ho1mHnlx01emY/+2HKY0r66j5XGJ7SsXVMZXPaVx1MDAxY9dt1Zx31WjY3UmDkP3PMO3o01EyPp11dFx1MDAxMoST04tEjfqdnWY/3LF9PVx1MDAxZH+dt4+XXHUwMDBlzWnRR/+v3+2+6V/Xzq9cXPbu7LH7ruN6a294Rlx1MDAwNthBb37Z713//NR69sfT/1x1MDAxYeVL9pyf/6cu32PPOYvv7jfz73t7zYuQeY3+u90z3LtcIllcdTAwMTmtrW1cdTAwMTCOY5lM9kadyUGF5WVNXHUwMDFlSKZu21uXXHUwMDA3ln+Sw4TaScaB7IzrjCP6fkm4mLWPnVF7XHUwMDFjXFx0XHUwMDA2a/d34lnrJM6pXHUwMDBmXHUwMDE3LVx1MDAxNVxchTsjkk8z7+58Jdk5yuxvJ98/OTgnrIySvrzunlx1MDAxY3Bd95/dP6Yxboe3e54r+b1cdTAwMWSf3T+nOSA9K7rkp1x1MDAxZFa23J/n4f6+aZV4Pp5ZO/BoRuVcdTAwMWTS74a5j+xcdTAwMGK6znGoXHUwMDBl2VP7pCtvfj9cXE+V+DBN2Zc4XGavv1x1MDAwZpaL1snBNNypXHUwMDA34Vx1MDAxMHFcdTAwMDfSL+NcdTAwMDWt0bC/n9/b92fbbY905nr5xXWiTyff0//5n0cw5DueXnu7wVx1MDAwNlxm2afuYOjJXHUwMDE5KC/B0PPTW/6DoccxNOtcdTAwMWXHXHUwMDE3pzvNtLN7NGhcdTAwMWZcdTAwMWZQO/G0fXw0O92WXHUwMDAzXHUwMDFh06CdyVx1MDAwMmdLSXpjSHXm7Z3RqLND+kydky6Z9e/JZFx1MDAxNsFfVFx1MDAxMY25iThDXHUwMDExXHUwMDBm5FirQry31jg6h03O/lx1MDAwNPxcdTAwMGXEXHUwMDFhMti/Xyt2v1xiMV7o8zLv+yFuczQ4vVMmxH7kccQ+XHSwwz407ynyniHZXHUwMDE0e+e8XHUwMDE3wbGlql4rd8V7rlXeV5I2XHUwMDFlXHT7XHUwMDAzz7Dvl8LeXGIrVtfzJ7Xb69/D3ljAfsw4/1x1MDAwMLHyRp3xt69JlnLzXGK2XHUwMDAy4Vx1MDAwNZ73K2xcdTAwMTVP3dVPT/2TXHUwMDEzL9JPz/57XHUwMDE2/8HWc7F1XHUwMDFjX3dOtmSXdVx1MDAwZuuiXHUwMDA373H+1vho0N3e0nRPtDHOXHUwMDA26j6/tc1qNFx1MDAwZlx1MDAxOD/sqF6D7mM8XHUwMDEzsq1cdTAwMDah1Vx1MDAwM/fLXHUwMDBmylx1MDAwZpZHOS6P+nf3jJ2D+3pcYnHA82l0XHUwMDFmXHUwMDAzhf6p7aTqabZZoFx1MDAwMuOv/7HHh2XfPnVXrzz1lfMv0ivPfp/9f2T/2bLfnXXU3uhnubfXIfOkX7KWWpKdXHUwMDE2Q1x1MDAwZZeQzZZcdTAwMWWSTFfRt4yvbT8og4izIK7F+52cc2b5XHUwMDFl87OwsaKf72Ev8WdZZ5tpXG68PJHPtTHe+lGeh2XaPnWXz5/6bq9cdTAwMTfx+bNfXHUwMDFj9u8o04hp/SS3LfV1QXVmXHUwMDFkfXR1ur1Wjvzzzvjoj45cdTAwMWFdrd8nmTxPdERtWtltg6v7UrSO92anJ6H9PYnW/IqAeFx1MDAxY3U17z9LNtPyuntcXF/ZTDd9I1x1MDAwZSb//+qU+NzKIcnoTprFu60srqZcdTAwMGKyP2597uK5+ziwse1cZnxcdTAwMWNxXlx1MDAxZO9xWt+CY4ZcdTAwMWNzrpR1eLuPxvdErVx1MDAxMlx1MDAwZjinmPf4m0VuU9P6XGZcdTAwMTXszdc5d9SWq5tojD2SYVx1MDAxZfK+I/I2OG6EfVx1MDAwMth7mc3LTWTI+8Y0c4hcdTAwMTdcIm/N5r1cdTAwMTR7PE2F32Rv5TbPXHL5MV9cdTAwMDdcdTAwMTHn+KSp3a9ETFx1MDAxMbmxZd63s7ZcdTAwMWNyLOy+SnvbOLVj1D3EXHUwMDFlx4LbrbRs7ofNb1x1MDAxMkXsneo8XHUwMDFksK05XHUwMDE4XCKnY857bIjn8D3MXHKXlbaOVLdtLoCJ8/SJPOBcdTAwMWKP/KFf6bbiqTs88OQ3f72EXHUwMDA3nv9asX9HXHUwMDFleGu7bnp6cppx3OF4OTpFnG3MMb35KfW7fbKVt0+iueWCrZvy7D91J3vMXHUwMDFkxFx1MDAxYuPutszYPtuW5F8tL5Ld+ILQ8mBMXHUwMDAw8cnogXhcdTAwMDDH2MfIta7ej1x1MDAwN2DvKcW+XHUwMDBm/DLkXHUwMDE43dd9XHUwMDFkvi9wP33ofqORsm7kvbmnxeKU4zrrR/1cdTAwMWbGhH3qXHUwMDBlJp78eoyXYOL57954O0ys5Fxuua+LcFx1MDAwN/vo5bRzglxcpVx1MDAxNee39FFGNv1Vt0oytFx1MDAxM0CeXHUwMDE1+em6Plx1MDAwZWArWZumUeb8sMhiZs13KN/Hm33m3jmRmGVrq0Lcjlx1MDAxYytZY1sp1DXss1xmWmnMuVx1MDAxZmHGOobzuHhcdTAwMGZlafMsTyPicvAzeFuRnERR3tz0O4/yvYjqgy7Io+FC8J451/fAb957PqhcdTAwMTAvI4dI2fK811x1MDAwYp9dcC5aZZja+qvI25Q13nPHPnVkXCLeXHUwMDE3O1wiLYezXHUwMDA3TVx1MDAwN/l2dlx1MDAxZlx1MDAxMflVLXm7f1DBflMrJ12iYs6bQ/nmMlx1MDAxYUbrv5Xd0yWsrOpTNj9cZvm2TXOTv0m6J+c9oGYkY97/qNN4Wpr3wFx1MDAwNmG6Nlx1MDAxZVVDvlx1MDAxYu991W3eXHUwMDAz4lx1MDAxMIOhzSu4M1x1MDAxZtWF3UNcdTAwMWXRfCBcdTAwMGY95XziXCJcdTAwMTdcdTAwMDR1cm63vVZP7ZriO81fPlx1MDAxNEWOXCLfK+RF1zhPIbn5LWmtKsX3XGY535zfdVu2XFzUudUmLlre9JX+s/v5w0jw+Fx1MDAxYlx1MDAxMfJRMfdcIrJ2SF7jPJVyflNHPafPPDK8d0S8XHUwMDE1I05UQW7gMKdy2NtFTkox7qHDuarNxdq1lkOysnz0N/pSOSDZrN7KYo1zPuqiUXmg/6OL2PYpZDmN8z2at/qSc3My/EZcdTAwMWVcdTAwMTTOmiSC9z1cdTAwMTH/yVx1MDAxM85cdTAwMTXFtZrNXHUwMDBiwDXBe0PDhcNncWx+sIHsYH7J/sl4XHUwMDFmkWSxhlxczVx1MDAwMfZcZoeS99aRf1FcdTAwMTlyLj/Jolx1MDAxM3M+gt2jtvvLpyiPXHUwMDFjJuTTSbLpIDske0PF51B4f5hzS5GX4fB+IMtcdM5twCZcdTAwMWFRecg679lhP1xme+o35Wm+qijP525oXHK4vM1FpPKcm4T+t3gvma9cdTAwMTV5XHUwMDBi9lrI+atcdTAwMTHyOivYc1x1MDAxZCq7v1x1MDAxYqJOh3NPqlx1MDAxMdVcdFlIOFeBz4tcdTAwMTBebHnOXHUwMDE5lLyfynLG5W9wyOVobmw5zpNJi3KcNyY5zyWHXHUwMDFkt95u1dq7RfmIzys1+excdTAwMDfJd7o2XHUwMDE25D4scVx1MDAwZcTOXHUwMDBm9vhQZ8r73/V8fX6QW5Ni39vOL++DNpe8PsSVtjznXHUwMDBlSs6LakTLonyxPpzzXHUwMDAwjuX1RVx1MDAwZVx1MDAxMpXPbE4kymN9q7b8oM7ySuVX8tGA3dtCLiaVRy5cdGKWTexj5vQsla+r4mxcYnGPXf/GmnxcdTAwMTI32fqrkcZ5u4j3ppFcdTAwMWKDPDDiLpz9IZnlPVictcqRK5EsOVx1MDAwZpu5LbL5aiiPc1xyXHIuj/nj/HNeXHUwMDA3sjX43Fx1MDAxOPNcdTAwMDfOcSTcn1x1MDAxYfshraxBWLf5XHUwMDAwTeZcdTAwMDPqXHUwMDFm8qe05TG263Pun61LYFx1MDAxZYinlthcdTAwMGbnvOtcdTAwMWM4seex1vtm9VdcdTAwMWRcXKQ5XHUwMDE3XCJH3yBcdTAwMWbwiVroy01eMuGZc7VQPq/Zc0vAbnY8XHUwMDE0a5xbL/KfXHUwMDBlXCLbr1x1MDAxYp1W5ZyzOulcdTAwMWTOf+/TNc5nxnmJpr7VKyxfnJtN7d/RK2u/64pz71x1MDAxYjxcdTAwMTe53TOvQ0a15YPbdlx1MDAwNZ9ryevi+Od4nFx1MDAwNlx1MDAxZtGc5Cx7NHdYe8w18oitr1x1MDAxM1x1MDAxNZxbdnhO+WxPxOMvclx1MDAxYYs5XHJlnXjN5k9C93O+ouJcdTAwMWOsnPlK8rxw7iPOoUZOkSMsbI4un1x1MDAxZEU+sNVlNldcdTAwMGW6kDCXXCKXWlx1MDAxNnjTkMdcdTAwMWHLc9Wx+lx1MDAwNzkxsFxyhrnNQahcdTAwMTZcdTAwMTjmNXU4R7+CvLom2udzUcivqPGZiiZhXHUwMDAyOYVcXOfC5oqAj1x1MDAxMs5LXHUwMDAyXHUwMDA2bmW4wvnOJmpinpC/XHUwMDA02eJ5XCLOJozmdeZQ5MJHXHUwMDE1zvnFOUecybS/XHRTXHUwMDBmrIHD+a2Htk3MXHUwMDAz4TbjfDrO60GeXHUwMDA3ctPKjj2rwLiHPJNNXHUwMDAzLlxub3L/iz4zbiGbXHUwMDBl5y9cZqqq0LN2XHUwMDFkXHUwMDFhTeTGL1x1MDAxOdfATY68XHUwMDE09smVzWHCPPPa2ryiQci5MLUmyqcoj7xcdTAwMTj0XHUwMDBmNmFqdV1rybI8QL4mn+3kc4/IXHUwMDE5Kc5cdTAwMDTnnPeEfCq7rszNNqdcbnPYXFxy/kxcdTAwMDPcXGaeSJGPzpxeI44r1pX00LDQXHR1VYNcXFx1MDAwMG9cdTAwMTWcr+D5UOCBXHUwMDFh58DUc7uGLc4/oWua94d4LknmjqZPjdW5gedp71exOvvU7aH3f/7ln/9cdTAwMGbX67+/In0=<!-- payload-end -->
+  <defs>
+    <style class="style-fonts">@font-face {font-family: "Virgil";src: url("data:application/font-woff;charset=utf-8;base64,d09GMk9UVE8AAO9AAAkAAAABO1AAAO73AAMAAAAAAAAAAAAAAAAAAAAAAAAAAAAADYTJHQZgAIluATYCJAOQWAQGBY9lByBbpzpxQ1QZOitEWvl1ExHg7NqqxsS6RlCwSkciyuhqMfv//89KOsZwUAeGmJXV32EeijNbRUcYuVUTmWNvG5FWRBfkAW4YWVueXU6tq9d0pZufMcACcUzc7AmXTyBwYmw0WojBScItqLq853lRPMu/i21F/1VrveHFeyj+LdHE3AfsFiWacmNotmSIhpJesVGSFIFWJDgsMxNmRIsQQzGF4rvOX33MPtY+LeOF490dgR0G/l0zmGbP8ku9beGBOf2+EcKFm8Md59ESM5GZKYtFok/F14jmMBPlbsKEWTmjIcDMVCgM0RQv1VD4IZddn+x6g2Ff91p6BriTOHYqRgBPP/Z8O3Pn/WXBXUTBKoZoSbZg6N3qwPP/937uvc+bD5huHSziTSgio5mQNpAsr235cGq9P8/r5vc1H/KatrSSHj8fGwzDhavuia24cMyBvutkjYQtKFtwTcS1wVWcODY7KMSFOM69OS/+4fm59f7vRf5FsY0aMXLQQgsGrRwggmTYYCJVEmVBm4V5Z0ThidFYPeyrtRKEoeme3dvtgT6iOeJnlC8MsAKKT0UoFD469oV+l7DD8pn6lvkVc++0kSEfkCM0Vauqh+RnHNszHtYIqREKELpb3S0eAhMvIXmB7+tkb9/wpNO+5fOjmT/aU+6YYwu6wVlib1xrbGxcwNgduqmiNNOESimjUWmogISEAOOOe086XjvNccGlpjQnb8gjOY3Gyr1sLlmavf8vKSIJwtUoBiEBfY1jpaqrq1ET/z2/7f+/4/hmD/yU4cZxDvyseBGJ7/W9rVwMSlAkJUsk6hzqQCsqJVbd9NbifX/4r6pJ4LDfsD5vl0a3Nl1TSqk09SUxpviFT9KCpj3jFmScMz4t9f8VWXkadd4bSR35QqxNH33Ai5BewBI5hQAbQsZFe2nQZ84A787uLKHXduwYMHUawjI9wuP+7R+jZdW/WpL3hdof92mkcoac8YBwj3gJB7CB3aayqzgrsSIikYrAZYK2u3l6AJfgdm+OybOvB8+JTFAi4hU026JOz7fHCxQujUCxVVutY8Wgje+dK4CA+afpvl+9Nyecky85rLBnngvwxHEpBa9ATSI+MxnxjMcbadI6LaWIPXHlOeusTrrDBkAFCAzMc6UTOFEFKTY1Nm4GuAPasdAah4+DcVmNg/pfU5Nao+e7QykouG0KYR4ewkKQVmtP1n91ike6Kvt60/WySWeBpeOKr7QCg0hoKAwgPPOvqrl+UPI78CqVirROp/RhKm2YMy0C6CJQdAHdBNBOBOmKyGuC5AZe6X1LKQUflBN+2M7DB2VHoBs/KOcRvCZQfn6i0lsdM5Ypw5otoyCn0UlftixbMiaTk2XKy5Q1Y17G2zJOB7nKUm0/PkgM7J3K/X5azIxlS8eShkmeIYrIIuvN47j+8Xk5xmbzq/fd0AYlB/aifvZu/3or31eH2eCosZNM23gKUvMyo25K7fx8x2ZRqLM4/xxLbOST4x/7aOuym35y8olHctP4b8V/TX/YCP2p/1mult99+Gj0u488j59Q7/DTaWN4EkPx7itzRBhgghZ7XPAiQJAIcTLMtFCJKku1WqHHWlvsst9xLnKDYR4xwicQZ7tG+knSE5NnLF69LLqrR0X89vtHVudoGtiw59gDkletTr9hov04IcNsWAhCFGnUMYNrWMA6cqigBQoCbHTgQRhxDOMAjuIkzuIyzuAybuEuHmMEbxC773VEWIigqlrWqT4NbHCjmtiM5nd+y1vXlq5ob9d1c/f3eC93qA/7pk6NEihFn0Rmmnk61thin7O8wilOc4krXGeGedbYJEaSKhN6GOUQD/IKz/ACr/IW7/ERn/Il3/ITf/B1//9y0DjoHH5x+M2hIRCCxhEpTKlFmUZcYipGDGMmFmBNbIBtYYfYXewxq9h9hvn6/vr3thQeZ+KUArHScmqorznNakXbKqkpSqIM+SLlVlB9GtJ+HdUZXdZZXdGQ7uuZ3uizfnlBkASHEFk57pwrbnvKU17wunOuGjNrxbYj2+1zj/u92yM+4fO+5gu+7jt+6Od+40+uMZH/QTH0f6P/F2WjGegMdD6aieagxWg5WoU2oG0oH5WhWgfrEB2GI+UoOOqOGcc5+Rat6/9k/8+mUCCeJiIC5sZapHx9QEX2IMLTPuIbQjZoyoY9XgDCc1CSUcEfzRVFJcPJ4YfarTTXnEEp9Fll4bmCyF6huXD0c2NkyBrUclqFDS0fCcldmnBxq5ZzUdjQ0hBhra3noZkdrY2QIXdtwDXbzuJpombNK3hcpdld/aaHaGW4yOQ0Uq2KuSpqqHgkIlXMSxG5hZWvipLO5Yja+dGe2Ec0Xl7hJVeLriry+vKRHMnapHSSWh3Na/r0xosnKF8vBiOnHHm02DmrmKh7JKa/6Kx4A1EGB5L5gPZja3EC36Px8gVmpEMfpVo7eKal3dCDQk3OQWrtEfywxsP7kXKdc+xllnS10CSorh6UNHRFJNThKpI3Uj12NefH5EBdrYWSRruZkfa+i7mL+aR7b+irdu+/Svdr602Xpz3AJtUl38juYpi/pk0HYWKZtRHy//WcNGHEROmgcepGC9vOyzGRY1+qfJxX8Ka4G2gxbNKvLqrqBjSlQRMYHTrDDGsYBjAs71XrIXW0LYetKxhHqGHoNTTSyi1NsvSW9pYPZAY4gkxWtrU0z9vbRMU08fOJQxc+Syy+gtk9G54gA+xj+zrZX5Y0rjZrdBmGy68X/sBnzCF5AdMtKp4mqPbyQez0lZGifaq47Tf7SIZExoiy9kkO2JjFGs8VnQMdK9nMR0/nKEUbGADCEcjocG6DUGjz+CoAhQFwBBIDEwuFxo4bN+++CUBhAAhHIDEwsVBobBxhCwAAwIcDAomBiYVCY+OISUAQBH0SBIEgCIIgCIKgcvQdCMIRSAy0MCC+M6Y5BcVI/gkYkMn8sRZzoj6jjymGesj9+I2a22/ocz8NNPA2C+fgZtOvbe7ZbLKKuW1NchzK6mJ1Pf/1IF9PGNzuWk+fWr5AJLsGbXx6WqXtz7Sw5sK/2TRigdQEnKWCSwHOJDBxwFWcy/MuPpBExwGTydS++B38ygHYhoswSGJKao0cwRU+cxa87AMKDql645JDKYO+5m4QVzcJ3y7stzuYTaZTHAbNHXHpPfKmuHugSHKiUk/ZPC/TXrC0xqt/dsGQ57sgXd3hs/6nDbLRY/DknG/yxVziZVz+ldwy0Iy6cNfv9o1UVPeO7SRI/Eej3M5tWU/0ydP7mv8W+vb7QPcr3ytNdXF9bro22Y7bj7Zf+/5e7C/73n67/xrB1Iy9URj6uDPOjzvj1fgeZsnDRCrKMR3LsR2VaAcbarhhDXcEIhLDcSROx6U4E5fjZgzHoxiJt3PJ9GZwpV151l4c+73B+fGXExniT6JM1AELXkAM6XgMP5YTZEIWvN+8x96yP86/HmkfeR30BDeCq6FruBPGwn1qRw26oBG6Ql8N9qqpBupSDaqaqtbOeqAPtE9H9a6ua4yag2bZtBiT0RqTSZtKYzeKbdmu2Fors26rtyFbtJX2mzudd3CO+7zBVdzBKraziKWsZzf7OcUPuIzfccG8beSYgWdMypiWsTBjeUZ2xraMHRl1GW0ZwgxVhjlDyrAzchn1jJlUWRX48WpiZWxuhR6qmw57kBDolGzsgvY89rhb7XvJzwQfY4+20SX4OtWreKpuSFaXlECpiOVamcv4JA4/x8nKhM2qKCxtMjn4oyulp5+2+DzPxYtYzPSoPf9Yvlvd4vcuYU3142xsRkmAfbwfK6ODt6039/4JpW8VEqlHIZIunBL+6JmzfHyE3o3mF33fTPtyd+kt8NrwT5yY3tXcECqX0RZRjsN416y3bBO8IjDJcPLMjeX3UFc4USotsEQLOQvWwDz+tuofrKKIxg39EBCg4K6oeW4pSCLqm7ih+kAy7/Fydux5Ldh5nZZU05IuqzLvripqXcA6pZ2RPKH/d7Vhy+50yl+yFh/UIyLAjn8fv/fx2Z7SNsWc2qzj/U7z+cFG30qoPh7Z5qC3Ze5YhCSBZYH04b4xhJmKKLbQSuzNojJnYgVKYcrTV4jLFCCbX7QrsD8wOFpEHcVC6m7/T4/rDbOCMYvv9JxgP8P+5bnnhxblt29k79MERhrZfpNruPWEn9zyaWm9D6Yhlysalgwi4BGLoGwXLltLytTuk/Fts6n1vh2+DbWgbnrIDLRawWQ8nikM/EuPyg9/viTjuTpg3B1Y+hDUoC9ieivGQlh0cicgzznLfcQVZ3dVKCuRSmjBAmXfyhNu9pTGGImlCL53o0K42CnEDXXqbCl182f/Bf89gv5vwu2e7vJ4iWYg3CGwkKTThtD0GoseIwAWO58TjMhWCDTwf4n/MWnupK2x/YCzIig48kILRHftWSKYgi+uRo3xYmrCurpHP+wg/v01/53uutoVJiUQVDulJgTOfnkrR0ZI1k1tENAMdR8iv1SLeO3Yf8I/i8/b9WdwvtwVMZlpeDIIzYdmpyAtzZMJSHtCcxcsWTFrteeNzqfiMmfScU8kIho1b78owsx+mq4uQutyR6w+9Yo3PmDBKfNIugWybM4TIVcd0CWURQ0Sc9kHMwiRyovyick6zb2ikU77TH+AKiu2Gf+Ahqq76ShpCk2KlUBjcPCK11f9dj+F7vSs8H0W2JSabHDxn24YNFev43yHqeq6XfE4R3rTOnZgFh8dEP9Q12qAHDk022XQ1pUSyjS/MSNipVuDYUYp0cM2GyEIDULG3HlLVE2Auyq87HOQvZquGjVgYq9KECHaIH0yk/2vr37SWfBV8B39wF8uFIxNfTsoDBvADTTNVVQ7OCrfY6L0G9yaU8aGZUKY7KcewrBtVffi6ub8GXxbdpI97b8hBoFQUgYJ00i0awM2XFgyVBGcFpXLAuR+2yS9JkI/gib26ZWf37eeNzxCOI7hrUwsKtpDVjRC3jQBB+N9CokJWXc0xw4tO43puOVMxB3S5XQnpNSwKH7otNIEjQiM4uWWjq3nF5hOi5K7xSdq3G9gYjUCzpPda9tRcOW32Y1gO7B4VKSrcYl2suSDeHI+STDgD5mdKorFl+SBLm5wuaWCyjmlZRMIsqBi5kErzkGOJ4nBBsasiHSBSPGEh2GWK1XRkbr0idAO/blDD3UvNXmqJJmxpciGbqkJFkRNIUlDf+tr0yuVBmbNePeTRpvLyLH+s3osJPvlgTLqh3bYTHbiV3M6AGRNwjDRIuSterpZLzTWgcuy62rHrJUFzGaxIq+ArjzfVthhOorC0AiCppSU1uIeWScjvuX2saqaGLe8Fh3SttzX2jZ4L/t29aumKWwl4SBuLsVe6wvvnzl7f2Fj60x2nQvYoDXgEEtrWEGMMhekBIg0R6qwt5tu7aJsxFY80wzcmiOQL9SbhS37pegG7yUM0NERxJnuG9BGqdPXDMtrch5+Nbp6qOhNVG7d8BXcqZcV5coyFjc48CSzVlnjgNh2I9tCF1i0cmNaz0tWcdOWmnZQokq6pKW7cjrIj6FvBr7l+gH1AYTeF4etWFaoxef12lP4cFlvw7p8amqeUgDZqPYsC1MlUuNK8Mrdazc29gBZsdmRjPBrIuC6r/YdOIIzHVFYFJYrS6tbwdJCTvZNziE5kR7IqdUadOyGS3ESUHqK7/9NM3cbbyjUVkSsAOtQcaUIuezfbaVYT2V/XL5KOV9TQ9fG3WezS8MLr2cJBkVOfn9tH754Wao4QR+eb7wYvd2+107VAeA12lEZIBOssvLIFFCpkDpjRTY7Ovv0+7XIpQne3FTbfpFkF4sx2A8e2b/y6YM3OW4SCexYtGl0iDncNe3uxpa942A1SXQP5Cf61mjfYINvow1RZVm/4BbL9Xyj+fTag1N1gDdXtRHSP7w5j1qrmZ5xB3ApbsCAIKQ4zRDLkDfbE3FVSPJxnsxGk+P9wytWacTijZsSdBKq2ytb/prJ+O2mCchsWw3g0mDn9m7b4DN2d5seOaA066UNdPbUzuH6nQfXAunVgqo2ekuBJiumUfT9cxcjX6hdfdEzvjRfml7aBmEgqFVDoUAjb8kGGy6WB4uKKOG8vup5eFWweTsT9ItV3gQCp1IF8dX6Ok5ox9gPGraY2+n1iq7ZkiVZ5Dm9YDs7FyRqz+xpVVUolMUgZ/h2DpOmplbsrFN3TFtxNEArmqxBPWcSCxlJGisugPhwyHi/GDsfHF06QQKjxAP8pKgompEleE9YZHz32WddH0hyGDqskcSu9dgEuaqpMCjrBRHiIZeQsMiKnimZr0syQ+0SvxE9AFhxhQTs/AE/sanpzViT/b1wMD7ZvX1rBxCO8WcNLUCqHPuaarv1pOIBIHGalH2hk4EPA4jG3RO5MbMxXOhX7kx99f2ds1Vs7czum7f7DmvB5YZGY71ArWtIxnOaBSRdxAprUkE9EkEqH4Y6kuSWwazEblObCGPKRPDEqNqV1ZqTdw0xlgornRgwgOezRgQpEMGwA4+rQo3NbYvbG1gBuLaPrA9GzVMv9HbRsnav4EhDT3mZOlKNK+/e+Fx1s1pz/M9+UXf4Ja1DUcdd6aYJ8L++VzqQssWypCkghOsGqraGxEuQ2mgxXrGzpnFHzPRhhCT4J3DIYv5KjPnM8J3hYgyJRUFRERCiihSmv6uN1bjpzcsbV/NL2xfqs00vXq6mMiCiD4gbnSqNoxUtBqPV1/g+LIxqtIXWiofbm1thsPl6Tpp+Np3aKwM27ZYdKGpYoyiRVXwlWj4WDsx7Sn4iIWHC0NlwyGTXXr6wn4uzjyhq6JJ29+I1ABL4ss3q49ZkuZsSPlHwQmoZbRecMh/egNGDZJQi3KCtimV30adH2/PUB1KNGxptAPUUU7ajIqzWOquk8wrlY3tfbHumeo8VEOyryY9PbkV+J1BKHY2KWtbXAMeel6CQTZtybf3V627dbiPd71q46Ddo1HO0RRCRHyo+zBQ6YTv23devSKVABnQx4MJ/5Tlb/kCNO2giJf1rDycrANLWTQHC9x/Z272Dh6XbUfmlokgarA96u5NbV5DMzZEIEqnHX51L1IoVK7ndbzlCfP0n1UX1AtgGWfbL81d6m/JpVqBUQQS48gdViQ3PSvZD+VA4KO8s3VKOzdv7/ejA1bbLR/zvRoPib+DjXfcMJQd2I+MnyDoe/DePZDoN1QCCWscaqmlTQKd1AtMAB7bbbXfVsTEmNmOQ5EIvYqiRay296XeXArEJZJYnNeiPqoaL4seQk549GuJ/GTLKLduXFx+/SCHfYgMfIXRFrLHzo25iixS8ZaBbAuc7Cett9j01p1gzBodStOCUNZCCwIubdyN/utMxWO14HRr2m54XGI7nOpR6FsVAzvk0gLiVrFY4QZKKQSnXCC1RAq4xJbwHvP8Nyy0kkV7GC9pOVkK5M6vCwqa0z74TqahlwTSNmZKWbEHNZ6K6hPrG5FaXGRswXApnlnYWSWn6diVOZ79nOvEtn+Ox0RQ6xrJqA1cxLbjQJHiEZXWqYnb54dX2zEoxAQcYyxtX5JSdZTobF3KdImDFfgmUvYKII2bqGld+gzJ1Sapw1KJKJmbE8qJDxZTF08osFb/EMhMWs+mPDlXMCwmssLjEqUIZM9Ut8a2YS5QME1arzFoJ5lck07VmWSrXpid4zLMi0ww0pN7udPnlN1/hvUYAl62L039i1+t4moKRhtpjPKdhhJMXOPL0MpLpz0T2r4vrH581ODlaJd/z5uxALVOmys4gc4g4tnkm0yt9Yk0AMSu0KvP62glaZpuc/2JzG9suZErr5XUgDRhB1PifHrq0pvMFWDgK+c4wj14B5Om3O0g/F3lco3RR/aQgWEeRUE/slB77cjCLjTzqvCmGSrPM1EwiJDTNyALmpLmIgGrQ2pXdTLbk7vLBQQvjmUcktrqu72KCXYVU0+t1lYKg/gArCHwpVrmaQL0yckjHi1APcQhyykKTXX9tS/qqYwCZr16RoNHrtq9ceWLl/S0rn7jmlkW/waImOdjpXOn4bKbQpUscuG9fGb+xzmZMxYR6klAHLRZ/qJA2mjDlf+3hX0OMsUSsPQVhOPHsYmjyqGpQD4YJCCSMPCQv2q5IGDmI31OLvrQ01dvWVIanBA+Njw15M/XUSGnW/6I+tzKLo9Fj1+xXGPPUprENKxNidYwuiSiZbFutTvZlMVs5l9sqMQaR8LGJZeJUV3OWPWBkUfftVXC87aB2G39YDFYflLVYi5pIQDDNFBxKBlE1ZOZrWzjmgpJnu0o0AaR6neXUqQkJ19loSiYKkfHMwYnKfhMEUXOx02VkOGu+xrm6x6OvNc+9DajfWqqbU5OzpSUNwPN1zKNjWoHzF6kuw+EcRTkak/k0VudILpcSJXaPdFg+zHgJuWznOoTERhyYB5y6SCPWjrpkd39NaLQajfWd/uHWHoASlSRGba2322QquVondGQV20ZoNwLfO7l751szicl4a26KyEdv7bSPATtgJwUb6GRJtSGKRl4JhcO8qCVFZmPBKUkck2FO76rN17PktdM99RuLxKbn5gs3J3FHSuk4aqAk1ZACcNFGkJFaYxvBhvVyQ90LPqguF7fHJZ1+zh76WuBJPmLUuJoaNjBbPhdW4Abx+f51GmgAZIOYVBBv8i7WgQIt4w0bU4yN8UMzmMxcimVAllVR70rk+mJb1x1wRcsWr6SuCegtXmcFbZXI4pazvJwVljqqZGiqagmkGOQkoc5QGbD5S1rE/m9oYZeVhKXYlyqQFwoul/d5Nrp6SiKVmlThv1KiIog52ffqXvnT3xxQlwGT9OGGu9bWtn0+Dyqyyk9G51mb7sw/akWV73//dJNdcvmSQDNd/m6qUZ9XHRhWK0kRVetydUlKiYgFYr/8kEnFR2xXNiI/QK9CACmZ/+YXnf3LiOjMsS8ZnEgG63G1TZsNvzeGc4oeqmGeBLxogCYm2XWeAfNvJLvNO5S/onTtM7bnt9NTY6Rds26C4bbw/urcKix4S9t5hWLznuKpgW+FhAY3TMCEqVDWsJqeaX7XIyBw19HqWn68/u5qx/PVytZMTO8CGZaKfXMnuNX8WinQ8dW260lAKBdV2DWmsePLDauxHGxbE4d0lFBYwuzTG/gjJBPBQ0io/Z12b2eodtoTARgDpdIxSo5+/4l7YUDGSCgX6ha4JVZg4upSBZBjXQOimGEU1DcuUqbPWXsd/MczAA48M4B+0gpp9TEqiOV2NFhVIct11HPA3pfGoCQu+SIU8A0mREVOuSKXZNJys9d6O5kBWbq07svP1xb5aq4qn/nEGlSDh+O2g28bS6CG2abuNYKw7PjKDbQPhnlDt3AYZMLk87dDwAMyto8/2B+x8bvNlNB3R4DT6MZHUtVtlAr3xh0mpQ7aKnJAJSshCpAgdz2uiiAG/rD99o/XUODaTWr5BKoOdiMZ1Y0vug2o1ShyFVF2MZQNMMf84E66z0huVdwVpZcJeHZLG3DV0RwtJ1H6bzdWnZ87BkUEktYTxVcdByuZp1u352nwaA64cpHGX1aA2Pm3jjxjy9gGCbqilSAW9cM8wslgTjApO7u5Dfenl6eYOWrGoMI2wYTCoLyj7iub/VcZdDk6C4sywsci7sbhk8hs18B+32UvzeL7EfPPThkDuoYxqaeNzWhT9pdGnXHObIsHEEhWEMWpZYT7RoYhiGVN4sKs3B466Q88G8K/PDkP9IkN7Iz1rzCAmf77F10WCEy+W1mHfweg8htltqr2EqKSSNuco1kxc6ksA19TpZGFKQrTCvpJwff+YqgZbvttM8tTT5c0rLFVibKgWXl9dQLDI5NSoWLG85xuYziabFhAzljEhIlcrewjQnPG2JIPdCPjGA09JQRnNgLtVExzqGGWC3q32rimghfAFmMmuxwCFtd6EhrP7n49Pikn+aZp86ouacvA1mn3IePGfB5gDn3vkOwjCdNwINloGRy2xsRY2mQHAoyRCV2DVxhW5eUmnJwyej6yx6xUC4AFeVUyJfzK1gSvclTCoA8QxHkuhm18w3WELQ26hn0kcLfuCMexDQkAqbLKQ0aa4sHhljGG4RerELEjFJ+H9wGSr0eBevkxnn9Yj+AAEBlFqaAH6TGe5BUJUrcxwkWEAT4uJRw6HLZjXYjFmShkWEliKEhru1wMFQCNOrbRFVcPSBt1Aqe/GuP0BfzzGz9cW3I+s3JH6d7zPNHtRqA9bJS4IkTpohqK7cI6qzTpkji3uiYyGhZTZXFVE3ukSre9cPlO7S0ip6Bh7JQaNYUOwXblfCEELP1CJYAPUlOVjV22Q3ttPSpzFb4McMBEtXLzVyjNsgKRczcssaTDEjBDutnTgaqiTweDrT8SZi+58DlOCJA4XNTg6pG3U/rroamj7WTT52noPBolRUWR0KhujBe20ZBi/F4jVCOhWJwwKeXeqiF7lu/lHJE1eS3Fgno3UW1k+1QXR85btD3d3fid4lJjHUo3/rYpFQj5gWawRvTge6osbDe2V7rAwld3NSiXRX4eSTWdOV7Ob2nz9QKO9coZJknLzPQ6e/Jt+VZ4Mt1paA0aQ+thM1FdlCP1gXeqa7C620j7KLPb3JG2iqcmK8GUhSfWUbuXEtFXMZXtSe1Z4xlrg/nFGcjYOAWV63RehdtXnTvwHDIGuUElACLra3wCP9kk8z6Kp+485PnsZb+/93UWFVKh32aqSlfTEFNvkIBF4hRgVPUdi4tcKSxQDROKmCafwvL+3tp9tB7gt9AuTstW7Sf33LtyyzO4hcy2GMQ4HlBH3PWx/GOYBBg6pAoCzzBh+wGv0xsrLcud0OmyRYgILA719aT4ChbQnzhreVORUK1hc2QgKVp5pL8dMgHUrY2l5sZyFTOYl0Ie3AKZEO/arV6ApISCJVZEp2ShrijMQSgQTlGz9Ugrm2pkBKqe0ibpmTOQh/rAHv43T2BXA3BtpQT20woXrkiKQLjapGZ7h4vfq1XxZVLDHWtO2+bnFdWc4i8PrmBwRK1beJqSkhdouYDTZVGSrLkdCcwjdqTN9Ne9LNbR39Pzd4rTalZ93HbVhLdXXCCRZVqCgaAr8Gj87tPL7j3n7G9njhWADt4REmjnqRoioDdkDTLdubxDL66vjczXBWQu5CDUuenOC8ThncfkIbtmnAze4Cknur452dvk7onBc28W1MBtfGGvALu64uQCktJsnRNQHztGC4oC8VS1egptGIEFYKWtUI0AhPxo1jBcxcFaEp+t5ZUtEbD9N1IWtncO9q4hTrnohxYZcT1vNB3L5gxTN9tEM7meAeUFsOfSEBcB1tYFzCW0oOLCSvJiuKrd7NS6xIm6O/wtfvYGmRkRmJ6hTbcPrV96dZKYc0uxRmqTod/YN1QnUYBQWZV30MiB71ndge0w0Xx02zV7k1tlVu8PnhVE2BQEaXppK1/ZeMwaq2H9yW2jO5kVAjeIOQT+/dMN+LKlBy5ITd6ND6GVkyUH1cn9l0p1t/C0VvcJqUhZXU5qo/0JIKKDVEucSEAUUmwEouWEXvoJNWkLHblbNbhmvkXKnKyVmaxl+irxlHkwL/5Ra5I9SgxJVTBQwMcrFwu1tfhmdkFyAQSgwNckiY0Rl64mycf2XBdaxDnwBMstw5oUfzL21uQzxDz3RzFe8C1Mzaaqzi4Zh7UjbSzv1cbSQZQhONLcDC/ev/rS5iHAw5nPly+VltPTfd2eU7+qmzN5wlkJo6boBQ0yCh8oXmKKtEACgJtluJp6ALTs2NRoia7QexrLVMRfjfgkEFUqJmHYye/+FBiF7+HvZiIxE+IYVmdEJUI2HdQDDFyz1g8Z3yjfb5NpU4wr89e8J0aYqZCzVD1CY204dedr+ZHwA3nr3NjNrgs3e42TyL+kKQnl7yaf1wD+jxs3TCvVV1rHrbdjPpCNr9wSoULmayuo1SpVxEr1WkYulKtpEAt0bw7Hu4mSZkGtVhIqiLGUikkCcBAAcijrypeONwGX9CUfWlmqmUhN1zXFvviwT8YbCvtLxD3UHczdsNP5nHTQVGI/JR2+t0U7JK0P5LTmTAONui5V9bSYqPqsW6fzUlGcxfUq4IQyFqaxDSNnZi9TJQNrFMQgLI3JJoR78LIpAFfQe8H8NgFSaHZPhjiWRkW09lBpfpXIt4Gx/BH8ouFFgpmqEdCqrzRly+h5gK5+fVQAX6JqVtWopemdzmFeg0jjeBvZice2UQGpMHlDy2mBM91p0soCroBx1/GyD4tOEsKoFHT7ndb0n3iHBclEgKorBFnGKUFWMEzGd9xpIFOV4sTu+q6vH108hVZa1xwrwxOfZBVqPOVBm28UF7/OGhEQq7OKAZhmjNNcE+hyQTGEZTdRdZT1hul0ZzWEX3bNlsk7GdfaTeiWevtnKtqfMOVk1tegShNkeVSCRADUxkJMZlILhLjULCWm7Xl5ycQdqVJylBWKGpQRQvWGHBQH0bA2BLh3lzx1iAGLGksqHCV0bDyP0tzXVOUs3izGtqJIkq1NU70al0hAq+uiATV/cRFplJfYqQkspiM7UPViNi3jWxLH3z/JBY9ZuzfnIJFlu4uzTHYuY9ulEtHp5wS9QlvNZykyhU3FUrzVSjCNuRKm4rDMre2zU93UGNwL6RmwiyHvdrRl+bFONeLAdUsNvRUnTtXp/6mdEZrhQk8ypNZtbJYfS+mJ7TmOLQTYE43poPYIKwi//Qino7vU69FW3xQKX6mieISp2kuwQ8hwKOuRoRcfYcbSFzpdnVdPiNe4JHOgdMFTsco7JUmeJr9GX4pwBzsT+VMH3cF7JZoApHN8GUTX8mlDdsXuUj/tTm9ctLy9XEoYrUnanfZ1OvSVh2GrhngG7h2b22A8MMjgOB7bvhyRiFOuALGSfH9Fd1+DySdEwIph4gg9j4yBh/gIzpdNp8S/QXy07fKAqQpu/dOuGm1hZdocSc5cThCbiapoAv6jjzFDot/8ocOukugMCyVJPDrJtAopaTE4eaC+igv68rTrlyDpI/UFnyK0oBbUpttnn9b/mMxvM5kUNSWAmYENQVUB0A5kArSLFgF+v1Iq0AuUARuBOiAbdB1YAxQDfUAnsBrYACwGHQCzgAqgA2gE5gHdwCpgAFgIbAU2BWwHtgDbgG+CHWCQ2XlgP7PnwEpwABxiDgYcZv4D1oOl4ARzNHASdDHtwHnmjOAiOAcuME3AJXCNuRy4FX49sA4YAsPMbcFd5g6gB7SCR8z9wGPQr/0E6Mbv1Ay6+wnqFd4CevABGsLbQG+/gCPm7wEd/gCngH71h9OAp0D/3n8oAqoVXhJQDlSZXAJUgnerTQdqAF+ABMxVeBZQCBSAOcw7wFv35gfkBN4ErADfPLAWfOcbRAcgUAhoMFjobQdeXB7mKJfzlL+39BHAl+uXXvl/so5N/2RJKH9Sj7U5/fmhxseQzubqP3GyV3+yNnYcHb818XdREE6URRU0WPiFd/AeFsudUi8d0iU9clrOeDmvwh/o5/j3I+uDlACCuSAn/MtJnGbQK5KQllx0mWyGALVe/0NHdV5P6S3mr2ab+WTKzRv7k31i7dbLI3zgMT0qi2XGJmM/4qcTH02OJJk8mxxv7pOxZi5nVO+uXE++5Fv+Yx5b48U9xfcOczlXcPvO4MKlT5b+tQ+tuuv31P/sfKK5o+ltzbT/2rZ2/tWxdnO9W72S/o/9N5O/Tm6fLE0+TSV+8sNbXT16oe9i+pq/1lSu2V0rvLzm8quXT1xJy36Q8+DUZC7kKtf+3wTt3+9u8Jn+3Y2/nf3vQ3mz6dxffR1zIOSnYSML3sXCxcriT27//tLS8v/Ie5LPW21f/bWCduFHC+8WLhedXv89qlOx70Z3YzzaWNKxZPPmNyX/714rdS/tVPpqx8mMNptWbsr+FKedkpVby/m5k3l2ZbvKPpXh+ZdVn6iaVRAKSSFYeJ1wi/OFmlY1FyqFlX+te6L6/1M718+snaSNq7fqUuOPmz7YdKn1VvOXrFNtmL0QE7C72H5sPKdJ6yLiibarbQvtR9v7tP9DZkmW9Mkf8ydSN6ljtID+GS7VVeYxeC15vXhDuC2O5Eyuw33H/wX/C4KHBFHwBYfwSsgV6/t90ZD8jPxnknsURvk36eelRWpDlbVPyWq0P5V/Ux7X/2ZRT0WvsW7cNd5R/F8JytnK5UqbmZhr1suWaF232tahdU9VUq2orhW9J//ZTd2+2cZKRJ1qsiurIt89p76Ke843onpSvvxW/hFv4V/zNaJGxERCpIkMkSV5sn04J5nLOXN/cN58M77FhFwvs/VRpThMfU28hHnkBZWKr54RT6h3tX8vLZNeN/8snzE+biwZP2h+2XzTes76Bf1LesLJGDONa+af3H+2Br2u98D+tX8nmA+3w990RuJ/m5qXWpDKia/Hf5w+mv6lx8n9X1ea6unfujvZd2XLLaXdbnfb/fawPW5POjc6XEfoSJ2d7i91Z3vfVXq6PFeBDctGh6O36k+vbU6+0Jzf3LP+S+uP1rsba6eg81dTxVsT7i+5X7j/5+nxaDxaD7WzsPslb937ZW/K96Ozl2aUfmHgSOB/ULBUH7pywo/8Yu2X80+iumggmr9Tv2uIfyauENNH7xEqkRJbxJ+RWEG+YFCwST5PJol/UVgvfEg8SFSTv02+k/rctavUakpIM9fv03/Oo6irWTH3H4s+5HZz+7n7+W/dXimyd36VXOX5yn+8/302NfeT6t99+Hn+9/N7Cx97Ip8WycyaeM32n5fm6OW6L8pJ77/t1m/ojXI4q7U/EMXqXibzWQOct33KO7p78qQWcK2sTGv+kkDXjNWp2M49I1Q6L/q2WHP2BWDFnVwzBqFVqTVW48phjWgW1QgAq2uyBhveX4cDCDiwzY8u4tMErObflbyTvAPyR09/8Vrtj228o58s7AB/nZZNdnyWpFfGOpHuAfL1l505dxgxrAWyDzLMOTeGYxpvdRXF6aVDVqrJGoBWyAWyvl7CNcAdbjReNhsNNjaI79ewimqdXvT1XIQQYG6A9LGwTo9MAmeLkxvgZkmGleW0z8L4QB4biCACM6Q6Nwwi7OqW2+6F7+lOABJYISyTmeKVOsaMDKH829PqIqiLLw7X2FLIcZsqmBjpU8aYsnaVU9rmU2b++BFIPTHEGGm6HegMNZ4tcybgY4uhCgmKaDXkzOC76dpWsK5sS4DmV3nIm/OcndbuBmHXfJJvsTD+sdRuKFZ2T222Pgk0olNlHwdc6GaACrecfCB0VwvmHD5TsaSkXlNAr3mngRIfgBxbDY9VVFEFpwHK7VYqVwELH0G33Wss5cPV1bCslXILKfg2kHP+5RrUnzUSh50HK+9mhw+RztN6hTnR/xx32e/84W71GRAWuNBih/zhvlsGCENv0CWHUFbKHqtMJRP0DHYmvU23MNgfPIPzSIB66UhwB4TY6wYiwMKof9r1UcqjlqO+UvNJebyXL9okq0QcOxkmOrHV0NzS7zgb3ckuv976+mx7Y3LTnPnCfrNBJCWLbgHtXWurUmpJdvGoMwoqk+sm+BEgOUqR8UW62ZzHXHreFSGOx14FDUX7mkCJV7Nn0dVPNN/mu3d7xD7XEzdse8+Wzfjc37VU5IZ4LMe7kiuCMRhfJ17Q5pJA4mriTy9/nV5OQLhf20HsYMeyAzf19y6ZmcJig9+S6m8UNlRAndgQN+DZ05p5gshG6UbPSKFmKoKGvl2rA/fIHzQtcaKNkkSgCpWwBEaRe4I9m0dz/naSkFW/pwPUTGHwvETmjRclZYYI5U3VYsUcT8Q9XNxziuUgIGikhWj8/AIafZRmBY0jM7GUnbmFLFBkP5r6QLWpAdb272zUNGoBTDNqR3eN4RaowxPBagWjUW1Rcch/v7zyUuNtMhs23/gIkMQfsdI4V+a80am/guRmhiA/+R1MghTO3rpSA4EMWng7xLo+Y0MGC68IMN/7WpLVtlIHgT7t98OjKDb2GhTI4MyGe0s91U8bi+EWAX2ShzuIgKc4roCd7Mz33B7K+3X3PWnvXZu1EDjwb7N8QIvLJtjNUItzFCpqGs5IBcCC9itFn9xmXf4/dIhriZBnqyUZ1pFzGkHh1yudZljbjoBWtUMkXOaEX7xdbErxhW9KFBMPjPEyJ7HziGbku9OpneY97bc2JDJDIapthguGa/1MpaP+4q+szFdH5Op3URYsmnPCFAns1NnkU3GkZ09orWn62jd3Lu72nlLxexunYJG1Ya8AuDOBmsAZlKb4/XkH5Xpla0DjDlGIHJYzgkgUrKTZ74x0Kd61xe7T0lZrdvkrD3U59jYXwxBxrFCQIKJg9OMIyYq8+ilkjKGQk6lgVrxzpGDX1Sha1RJdSeo6jiKtrTbBO9oz/FZp3VAju6YpQBpSqYoSuhJgX+8vamqDCxuq3Aa8TChmHDlW/Youh4ZKXDf1lZhMVid1UuHblWYO0EHxUEIfIzZGHMoGdK9ay//aOOlXV4sikKS6wvapZIvQAU9hCQ5I5NyQkSWnpIo0tlaMxK5ZFVdtk3bYIoC4fJFzmvdNv9gpmmwt+dG/EdyAIpAFWqNSks3wOXndgtrphouiZyv3FAuQx31ihYZwBAvZMDSRVFm17TQTH/P/WHSwKtenDHx1uxjtpw6rVmEZ6ZUpPz9TRfahB/1nKNgXb+5ijOxxmdQGTwFtqiLtw7QoiRoC9fzx5xkXvEwt3EY6bKk0J20cyD6NVWjQlzEbBqtIfp3gmBgtwwvvaHv2qzDjxPTH3ITZWDUBpKukCof8jlRCyaAuyiJx+Lys5+vxdq0EXOSEWfW68pSK9UefUzldBRweqbbr8wMxwoBsnE733ZEKZkBOWKuktOnFjh+pUS1Y9g2jotCE08QyTwDdhrM21PkrQwq6GzGrk5RQkMRXUxGAwkogvxpfw86oxs00akFFXmWXXMUfqHhMRO15Rr/TPzXHsDfA6bN+XMFHmvXa683j6P1xLxiLyb4os9qZ01fSVCpjTriaUQj1chJ8+gmzMxT8Dake7+S+C9EbQjILkBE/bDlakqLfbu2v7gABfwBPTy2Zaf83aFabWmtZmf4ddn6M79SPrpbdU1GqSYnovxh+/gRbAib0/300uO+LdzdhW6vvXEZWi6qiGYRRVhoB94lK9b90rkT99iZQHjZ2K3PW86SXaE7bG8cuMMdG+gAu7135ygfo+hZxZDprXeEzeeufat9iVH+48h2ZNdkXj9K5Ao/W7n+jnXz9f7CmxDivEBeENMmyWUkXMBvNOJILtTShNjKyTlsKARilp8Z7FwgJBwesZEEOMYW6TRjUoYW8KWFWoGs4YanKfPYmWrdl9UkKB5TYXunDiVO+ZSKIKaoMMbvKo6bxjAuoI37cXIKhmt5P6Q9qMWL6iyOoAawnxEN6nV06fP8mQKfuCwOYKGCSopywHvvJcBJSb+OxRA3427Z/+Lzp2kXNNRO7thsKgX707IBog2dnyO6M/8PfLged30mDZafp5iYwA1eHTejpTeIraIVX87JfEWS3DYKgSm5K3d2OomhGDMgL9mGtQazxO+u810A4e1eqzq9+qe4OXz8QevXVkSPmcoXE62UxX90GFjFqfrg0li9ve2NoZ2XBQn58TAj1+BARufLyUqCKgEBIBLFTjx17Sm+a+CP8wcC1mnI6IaaVWHd9cHwsvk7PPx+qHeZ3Xtrczo+pQLABWjPv2OK3TVk5kaP/sX576na9XV0v1SOVU6vWqmDskY6cGpmhU4fmAXQKihyg1qms+B4ChJwrDZrLX/M1maLaLYacT+p7w8rveoc1rzNPOYmHpdMLRbIqMxogW16Ka7B+5/71L6L92VKnqDGlPi/jwHUvh3NaW7PN/APqrOrYEmAZcGj5ch5qgD6eiyTW/fHLiiY1JQ2DibypqaxqOqnD0FOloD8BDbXjjFhJ7lGNgtTgYYyoyuqaEb/ypl5pUpLECwWPdLPrBM+p7Fwq8FMvfcG3spNUq5IC2B7egfTBC0kTdnX3hxcQaSzbjjsXf/+Gloz27t4e7eoxF67aDBFqyvKVKxN9bdUtK99p8tUR1xIey7oAoEJH15ne3/y4BvnZoTNW6finnjU7vVvRo0zoVv9ucpd8dSAK3pr03AdPdt1KK6X/RMa1PVu2sE5TfNPo+68rGiAr/sCE/7LYQby4OOHH0AVfjzOwLg8YaVxtzPlyLGBaEEoTTPe5tA7r64a7zyMNze6ZMIRJgb8MBPZ8AZLDFVUSl6fixvWZhMF0RwdcMZZimKmqaoruhl/Hv5v2K3Z1eOUw713+Sr3UpEvn0ltUS89vAb0HP7wKu1X1+X1O9drnwsBSugt3LDV+GBXImeTD0bJeQTm1oOB1UhbFWFmH3MWPELhx/wuz+btnP6uoW5fZhY3o3uzeY6ulYeA2PX2rAIWi2F9GrVLFbGdv/Fxxpr+7e2/Nf/vW5nBPPgpBPk8WEsSXoH1aIKiWJXzqcoUhuDMr8zIbISoDPrmA6+MZeRQNuuvakN8qPLaf/HuDq/K0RAX0lx+8uogs1MJJSgHRQu99uq3NOUD0ItbUPTcS1uX01BdzigMHVitX9XNYx41CgIXKutwetHzSEVtAwhs7DPterpkpywo9NZNN48AK1N0wMsKExpVg3gVyeK6LwSioPpcnMwlR6zekdvXki1JDBDyvKDw6Ro7xrKTI3BMyrBn2cHgo3tT5+3SoAjITSsnmPaPcNQ0SgqcIOdB+cM6vsXFPNc1zVfX0QJwURMdUo/wT+vdb+dZTnyOeelHft+pTaAZKQNiwdvXrMWILoRLAxdNuaxe1xnbXtGNwfVJqXo/EjRUvtjHNvP7Fbu5gR4bXwKlmWqEhBiTKOybd5Jal7FxeyRSK/KcX/oYBB0ZzMd4NraWkZ4WDsT8IHlUj+ps0AnlJUhEcKxK4xAz7fA9Mqy/323BF+srclLgurTazBKF1iy69k9ktv6qPxFvzlrv6xa2NdAVY6snzvaGbr+iIO5McTvoAJLEKU2q3NMcNza5KRBKUSq59Bau5JQ0QeTXv6UEGWDw3AWXhAXvCnmcM1Cl1e7akO7pGvp4Gp9h3MWh2VAaptFa93NcY7rA1WO4ntOTF9Pm9S7VV6cvD16/b/Oy+fdHVoywQdFlT2JYnSo7lN+OzF3Imtbp92BRA4Oz8VJj2uZVMtHwwdBv777xsWcialW07ua7gzzOyoOuLhTB9cXnDLOwDgu5v5Zz5DF8CE4nFoGOsyZi2NGXxjj3ALeCwOdOAFCkJNTTg95sYB3bSf4hOveq2qdFSnBgklFaYMmKu3rNs3fMdxRcHfPu6DcaAR2bnHYlE6S7RFOXjejSTfh39E3i5pETJNRHqKWndh5Ztsx8haUZJL8F6kSqhkUvfIAksaq3w/R2psvFN2+nsulEwABYMPm+fKDnAC0hhadW2mAMNbTBm06h2oypKYjNAgli9s/XCSWsasY/88S5JrN3RQDty4D3ZGjeM6+Hdl7UIMKYtWdDpMWIVGXEp4VoLb8+dKFg721ycae/rnII38MQkaunht94ECG2qbqr1/SZeA3SBi7K12RVDyq0+NWP5v+bMb2/ONfcyKubxPeVB+24nxUeskxZPufbbbZKoFfSf+RLfwidfXWhkfCUFpvMjbgRlgLhvqq65bkZOmn3KaERyPUTG7ik3QS8QpKJ0/9IG2vMcpchSjPJSUYD8ijBy2G47AurTP4wprJKeMUFAORXuz2u/IZthDXyQb9EJmpAtyrisf85FRLpk+PBxkBDqMmZH9MWzB4CA8x0JPYDPecUq4MJ8DH8LDuF2uMW4Fs7B7Kc/XGdmwqo4dB0xci1No7t7mvZnr4k1p/Q7ifxMcrqRCgPRq4TnLD1kiOl/8WMIPfF8DQ0DEJS0KkrB9MOTaJ8GdPLx0WH4Wh4pua4p4hOGX0sO9AY2QooRGGEBe4Bwr121diEct8KBF7mRhE0Ibc1VVasmA1EDBmO5jHHywdz0EEj6H70vx+zZ6tbVLtgc/ZObl2H9Dj/8ElpayMitIIpFNA+st60L6B2GfqYi2SgZM0xR5pxnn3V8RRFEXnx2boLlRUmWn7lYbnVmwR+IDz043+zTIA67coeX1+Am3vtp0ejsLo6qNiBwMR9l0h8xHmL3GjctLz+ZebzYllD87A9xt2B9SrXH6HVH2a2pMi01LF9x7dEiBop/cUeEBxrc6PNoE3uRm8cLwRW//VobKtzhUCmbMY+FhOxbt+3xJjBBqzOpPXYu06YP3NxliCEI6ymusPZElicujdA2syBrOTSTwe/94PpSAf1g5GDbqIqrpHq9hFs+d8NKQNkJZQszmdGl8mK85b/Ve5jcHg2dra/IrqIgMnYbMDNVqQpDqr27GAk2VdFZ5vAUb9Q1zERi2Vh2QNuFVMAz88F+39rd6a8lXacZ9GsAqpKE0RFx0hDqJbqpEx1AVE6+PNj1CErlXtZk1zOdb6p9xVQt0Ve6O8ACCNtqs4MteqrFyPqTAMjh76caeccfpvfuX9o2CxnIpYw30PGMXUBQDgs4Z01AmsM89OKOUkWVvT361G6SGif39qXOsNR1fmfF+k7gZv1OTAu1XXjqCAeCFgUPAnYq0ljrVNGwEOEqzuHTJ6WOqUx1o3warTj3lKiSoNvVlIYUFJbMDcW78kM+Qm/pk+xhbIjhaONP/evFxgaxVVgcv4DFjCB03I0Tl6/EyU8+8+XAQrZFmSBWIoq2dOZpa/fGJSavrtCABcHQjUreTqTrWs9XJkoXKDByBL8FvcaxDtXYKQUIylakwrXC9xNxV2++C3V+GkvdeQ9IWH5Hh56+KJlDK+jywkwIWLaOa2i3NgYYvi5BtiD+ehK7gli5BgM1x4xwzNdshJCjFrbfogdqHVVWJYfLKJwpWSTUvYiPQCN5YZ2EGlMkBmzb6/U5dJCfLzWM5zz3cvcf7zFVbdAaFzMukJf40bt47edOoDqUIm7ZnrsYDgFMYQwnh7THjrNz3Pq+FlN2b+w3G4vjM2CZo9nzlmgAnqJUQqfHm2WMCOV4AbMiabvp8rq9tbOes/TA8KyYWSBYO6Nsylv74AFl6k7wLpOf8x/uv7UZjv2wgNJgujR5whx3NxJ3JG4V2lhCCZH8yooflYoTvHg5n6afuTTTKuan8xdn8YvNK4Pzh7NHK9/NN/bbfDlZXSFr49/1kaAwrlaaqE7uGvQFrZKj1YoldILCCnD1RRY73+fFbPyR1X9m1FIC71PVSPfMnBLA3dj2/JF8y7gz9K9DW9+uHkm/Gw8pP4oCnvSNws9A1SJ15rJyqnurNtKGhjEEZf3mkII2Hr9YTkn/RvjtD5Vv6K+IXXjiWKrttggIAEmURBH5A3FPuA76h7TEZE0xqFsYpC1x3ItdiiorOgI6X0dsQOUpJ5NkFBe3poSZgMTJBtvP4ZYMm8uldjUJ1Ax4wPFoKmI8H0tAEhc5LhCxGBtSQHK0deSKe1YTHGwdsYYAUvNPoyMQk7wXtqJqkjsLLqcOUXUFo2rtqMdBt15z2D60skWACbwX9TSR5ao1sfP8VvZevT4RsyN2O+309tod/3Z4p/SGGCidIk1fn3fKoWC5vgGDoSjKoh6c5vRGGhYuJPGXz+FMOUNi9PNKvTi788JMa+K+/bw+BdRgU27Cs2dMYwfV9dH6RAbtN1+Ey6fcdXxEQ5KYzgf/Ickt7xmtJA1KrX4TWLlQjaFb4cUYLUaOVwf5NB+t3Mx6ZkUsewupOVLamm+qqmyUtUIkKbRIRDwwo42AFlR7dScUlpeIPiUCNl7ulOHuhlfeeBa5ft0UK2tyPp14fJL8xDwmneLmu76Lapw1GtsCaA0ND5ok3KvWohN54VucbbF7xRofQACjsOdJ58foyJrkG1ybhpkRMw0M5T50y9hwkbdCVM66tbPViscnoP7k2sBiTNeB4/k7O3vUX9lw3KyvE1EyyoodrU5wu5Oi60uKxy/RBUEr0so3Qu1cQTJZWmDbYSMHWDIrydDXP9jPov3IyT8YRq2zNJQtlfAFx6y69QuSDUTu5SdYxAKisPcTI6m7dl6Tr10APJzqVPS4Dqkx6Ux4tTEfz42X0nn6QVbDirHOcI06oRv6LoD1ZYMGpkA0BhpTfO/m7b4XSef2b2UCmjneNU1MbQtj2637FbfUwQRe8aTVciiAkX675rSunp8fceYtU8ROc17lX/Ue+kzYH2lN+bKpcTtzhDeUoqkAF/otmfz5B9fzKkrVKtj7gZOGrr/3aHqpShWSuXolbZNzvuAuoIp6uuoAA88PLBiLhV4ZBYJjInMNa9k4yUbT14hN7dJp0ajijLgaOHw5mM0/3/uN1S3jTkuw0Vs/mXx0HFjsSb1uiB0lj8MzNXV13zXPktUNOKq/OJz2Jf984eQLJ1U6F6/SdXcDlrtICH6IffTDx1+6SNWNOqTOt6X+ir8LHFBS436tbWx/cdQmNanO1dWytEWINZCE5AXXjrVN77Bt73bSwsiL9XGmRXFPfcPQSqns0NRteq6ndpaStkZjX8kpsjKShv1m9KGRwbBE7LnIVGiZDoSIDNpGW1ww18wFbSNfSNerFb3dzAs40MerlmyBUsTfvhuPha64LTQJ4EZO4eQjkHDSUcon63FqderCH1YC3uFVJjBaAZYPwKPN5R296Q0yrF+0ZQKcyOq+AYVSXbRRPac107KHd4b/9eI2YFPwl59t0I18dwou3bOAWVNlFdqB1NUQ8MuaYANiLfhl0ahf6zypwIxlOI5djuSuMpGbVibLGK8PascMxUdFa4P2rUe9rd2jJtNeJw7dCWlX0nIKChCW+IYUA+FjFwxepmkvyyH6VWFc8ks20CPZvgy7O7z4KqqjN6sFVazVqv51TpEMR/O11GjtAflsosO88vuyXVYVr4Bj7We4y/yV7MjKhdxa2myVwyQvBspl7tsTLRIjs1XnBnAtr3HwgmTXCjS1qRG3D6QkE1t6Q+X35eZLk/ZJY4OaUF1qQ+wLRW6PWqQbLMvjvMAIAPXpqkikotSOfGAmedtBi08c3Dk+iUgaxcq3jpEj2uPFyIUthB5xDq7Zn2zLxXh2ynrNh7ydLGvY7rb0Vx1bVmji4dz0ym/9ZPN/E8On5zuoYf5LtN+0C6CCOfRKqEKGkQQeRckSFxeUT/ttIuyKxL/x9f0MlzpXbv04Ryr8sSNpRTd1WhZ66Ywv0N6qDtnyhg1I1QlH7N+tYAn6hLgsN2F0Sv3f9/Ce0nyCF8qdslgCTCKvqCxvsx12RK6bHHR48Y57FiKuJudd6eCZT7Eb/iBPx7NsrokQe75t9VwcSF87Htv7JiYkKGVAdQomKGGkYkhCmC5LYoqos/f9QdjKYuqinOy3hPRmC3cI+zlnLXkmjRsT4U+EttZSvOP1/eKad+9hg+o4J5+1XRDXrpCAVaOW2Rh2ymTT8ZRUS8qx4Cx3QvOn35q6+NRRhxhbGWjQ5w/kHBrtLq8PClK5XCBV0KxMr0ABxgxFicXOdZWvFe9pDk+V3BKNATHwkpny049pZnNn5tgfOtBlLF181v4axl9ImuWmCdWODqK9pjZ6efqRo7UD42ZtrT23HXL3dFdqPg5oDI8te7jaamnT1I5DvWvvLLb8IK8YmDOjjFAmn+q03xRTQIaIcTNzXCYm8bS21dZ7ipcSe3XsW0CKl3fKsLdXNTB0d+yw+0Q6gUt5VVbBmcTuDiMJB5LPspXKmyIWL+fXON7AgVQr4YrYsMvA3qGFMU2WDaUpmHOKQ+FaxNhqI0lo0/O6diuZCLeNTaCCJLosyGBIQdeB663BvWRxq69Yh7je28Y5/VX4oBgOQpJe9nUYJ4yn9Gi7Ssslr2kBK6P9XkgANE2VotqzrfiZBAZkTcbwLyCpFmjMyv5OkKpNy2lGKSaqphmbx5lTMFXDxHFu3zdHgWoU+B2kblXXulum7mpxHIqpSmISSRHvP17t5Lb7u8Ixd3xzX2/IJkPBCC7xhkw22TreDnYzf4vECuV2VuM0siTZOwqnFQ2TlAVRCO+Wu2oMiAgdkR8Tw0DqSawYuNcRsXqgD0oT/wUglYrBbDU6/4a47qpgqbjdUVrXPaCRgL4YBnizDcJJS5q6pn3htSqFPPR62MCOqFpyYEQlb+to83XvAp+GqVY4jI1AagF1Yr4tOECq+9zeBlybYxXn0FLRVuP6PM6k6ycCUEQfiC2YiakkRSuB443DJmiXXHgqNhSkHftxLpenRAQLomQg6BYUig5uu3b1JXMH33LCNUBAI3z4sUtzcY6ONQv7uPjzuAHEliSDB4YD2T7rDaB26Tgmapm1VtiOxE7QVUBq0FVDhNA8I1p715TXm7RRC+TNqwKH/VJNkcLaBRxc/pzff7YMOKqm1GBA9syyDYafHoBJzoLwWWPzgJHMSG/qKZ4R5HtG2L+rzuiKYVqW3mnQAc+TicdMIr8cJbioXv1v0dv/elwmJ4Wm6fCaLmrZdGTvwtCfq5Sqy8rp3l7PrlOaOZOPO2oYNiXXb+Bx2KN71BBIgfgAxNX5POQyV5fOnPw92vK8Y8sZt0JUqlSYY5upmRnWHv88y508uMB/3KN7KuDyjZIPKzo1KEqUa2m5c/Fo50i/h6llp1cbE1k0U0mWgWuSfkJImbVOOJTdD6goYbHsSu2KKdl531VV6Wwm1cMqwAr9ehPmRawm/tGosz05vH/DU1hoYXLe6ziMizY0ioRkRXXKV16w15kStlArbC24Xkm0aN42vmrYjMdWPslQyvmxxIFTUlhc0YArL/Zh+K7xnLU7bDbC56/HldpPTe7QU5TXY13Z8Q3OJ55sGI7VTpvDdmfQ60y2A1UxCJW3b6yXdzhQjbf32jJIG57ZZGC+6tdczlrAFg1oTk/opx9NSFpdw+pbt0q67fmyhymWhV8WF+bW2lUtU24IQGIUCbIcrqODh6Wj9mZg5KMEA4GpahykOVkQUZQqlJMy2APT4SEeqbGcGp640qzKLCXbiiH4VkXMeTZwhSCPOWuyoPmCWlc0VOOmeE2tY1hRDkv9gWmGoeAJjed93QLO5l87mIEtckVo2AmuWgpt9YbeIDzuf3fJn8ZhGKkdhWTiY8VQcD5v3ZC9FjomOk1HY8NKw3G4UJIsnk2F2Ny0XrV95IH9WuyEg/jdZwVhtRglP/n8zPL5miW5PboIPAbdc9hM/CAa1gARc+X/i3H+rFG9JoGRuI6w/m0gwUhwz4aX1WyPUS/+tfa+GFGlSIhhqqxZCbLTui9EAAoqZoZKvMY5VTs7kbf8Lu63GsPbh73x4WA8frfX4zdWVcuMybVmTEE856aKL+68HNJtPXL7UXp48HuVuGN39sxR0NKDRq1ZcVcMXQP3q5/f+7B3c/HSDv1TVvO43qKIb3M1jrt50/UWa6KBabJD7O4Mqm0nY6qWbPON0oZLll+ZXcWLa8ClmqcHzxz5oqPUmfc+KPbyFcKJrYE6iIeG6YdDp2WNlbaWZiM7as8akLGwpL+3Iy7HGwlhoAQa8YSjDa8MeRuIvEAEOIa6SRWxQrWkxJWfM1cqVzvjmFMfaz9KpWMfd3rxiNM40HuE7OywYtbGNiwOc+oQ1VOtsNFZ73C3uPWlA+bAO5Rj3PDdN5RI7nYf8BmPd+tX13YasgYmzWpXTcvNUggS3sWUgniwl5ZRXK2YnKmM+mvOSDvi+rlb5L31bMaRUE6v6sDEsrsKRNHYLaGg75hsiqG1q3ve/uV+yd0i3ItEKFdNPi+6y9fKkXRNbN4q6DWQbzJLg5Ymq6IkcvFN0SFARZf78KlQqU6TCiLcyJfOy0QPpB/3sTP9c5Zg4a5svueCabLzqstW+lK3y9gadS5rSxkRiU70QGhtuLa90OxkNigzQcIp4T4TAWib1jxodlZq9qUEiS2GS0NLUBZkkFwZT2T/C2RXz9ufCVCx+/+0MbGP74od/O859pzCf9NDClLEe68zaUTOfsNUCv2TmToicctpAMmxWXfgo6ZFDfCYzzANJN/bP34nYjKdrUqR4ZqICen3MFcgLdJGZq/+ggnSZQmy7YNK0sBiogH14ANABw6v2ScEvLzTpqmwbaZVyCLzenewu8qyQFrEn/+YAw593NbBnmtAjWVADV5t6JVZXjEEDGsgNeOrFC0OjP1NS/0kXZA2a2Fmt/N33VyovqABLyJqhVFCgcTzhIcRQpQ4dJwTX4pI0Me/fHUAI9wx8ht29Pe7vnIPKR/cNyWt19ZL652ZBACqSilyhlVZ6yu9+UjxfJKvewoYuhmTBVS/Jjr+IgojSlVsS21gSbfkezvPM8zZmuAhOFTS4PzU6452MbQ19IfSBmWZ66zLQyUCMuQLuIsDUNLHXApno4fCtmrGmVLItQcJyEyFTRUBpWkywpCYrASWp3A6KehFp9bIpVl/u0avFuyo5uS1b2v7AJWo4grbR+PlVgHw4WIC0+BJUuVioVzK8JjcyzGugsf+YlvKMoOicsc80R3sEocACgJMMSTjF9wJLiwk8A+ghXSElxgO7k//AKawQtraGgKnbGMLURD0aqn+VswRfaiPABhbJzGsgnfytJpjX9sgTJJ1LtgIpMuawFNcY+kWdlQDNKopURYQLJCA+38WzYzJCkyIbWlb03HG0l1V0xw3IxlamzC8WfQo25LPwCYBiAlNZfiRKSmhqgwAj101MatYsa9nbFfll1JsJekhPlHGIgtwTR3HZmIaqlM5nB8LWMqTmz+5TZU/6TRADEpyIBU2CpOeX8R+ivLP1s0Tb8DuYLTrIxkhRw2hbPVPdzDG9KBYCGQJwEweYjX3OuwyKcUY9SLWBK/owhNjyRRJ13mZIfbXbikAsSRayPVGA+tLm4wlHap9gLUl5syr69HcKdHhPrlENYsLU/v1JST3f64FITEsRM9w8LJAKcPZq1uyCgziiuXAng534eNoZnvxyEbhgHtEgXLf0QfZcaAAUCEyY1lvfPNTbV3dihG3hbq5HUUW9Of2VO2CfqPY/TEm80E69vu1H9pAyLQjjeQLYUiQ6Zh5KhRCAVl/m8AIKKB26HftmgsFk0aW/tLsXIIuXzGnJ9lp4K+8WR1AO080F03DX79IJjtccXA9bFVBEOtFF6/fYGAsFukraLOXLOyVwB+2MvXJdTpy3AW7cV0HaDjYyUJWLLjROiAsSCm19eyMdYVDEMs9+LwF57C+OrJd+8Bdw3uyosgEZZgpQaR1hRkYuaMQmAJ62rFQDfK6FEu05E50P7Fprm2Ck6meFzOFAf2Ny6xyWdd7rubPSKa/YTBlX8SzBDgdKokYyhSoGkQu5aPT/uizSwSofZLk4H9i667CftfWg06+vdCBy+GGHwhABlXDjpwJSEPVM+xe/qkPdpfZlvLYSLoc7DGsKpkKBha0Jt202wVQTdYpLI8HE9MEVsnwbEblnCplveAAKnPlcmBlPG2lzSAAsQ0vMp1OXoCI7vgRZ6K/TduWapAQ38CvXZXRPd2av+ulvUVeL1qJUujc3Seo3312OERUF/0nAizQOuL5PjDohB5keU82LUzYkdl+ZR8j3uSA51UHf4Y2b9ItwNingP6kCMSDC45rlfaOCxaIvWeKEEEJK0sHH3hF1uAFUoOROO/zaJDmBYNtb9hNd19IbtTMFtUaAnU4l7wFp0Xe3IMvvcjyaY18XoAYcuN+JbFuwVMBRHh83fdZt2/U3WBkRtbb3P4PaRL5pu3WtndX2S6v4VMtQIDJAqntwUkCNwRtOcaCjtxf+RjJbpxo0RV0NpE6xQlHigD+jyf7qlGm8j4pBUvwEyTV6M/KZmBBMPXWTQzz8lQ1uxchHTaY8RpjwKT+FrTANQBzvEKRCbJm1G0w+UDjooXEgdDxvzQJeo2xCfYwYVahIWStBHoBFcs76C6Yuy3tsmN4KxRhA+glqVUcCqldtcKmw1OMadZ9aFuCQ7qH5HWJuCQx7TQagEMTtJ2wNZD+WJZA8t7Raa8Fp19ODpsIqBirqJKagqmhZqgmF9dP9lxFhSEItN3mzV9uolKMu/Eyfkni63UYApyP1eWnr3M47M5x13gHUoDctYO5jkEMEAeWmqgLam1h7NTxuSCor3+/9v0cQqsv8x1YGjfMNgKKQqBYbRoGeo1hqGkwKGmYi0Z0TEUr+ydlkBOc71AYri7CQYoRIuQ1GSIdKg0NNiJt4TQAEum/IkHApsgojjCoELEq//IeATu7QmMVs9KS1ygfzmCVBNRW2HfOiG6um50PdpquZrkd4tXeaF3dB61tt4OAlRF3AvtKD+g972w0I9WuXzwoQ7FMkMXvE/o+mo5cJHAMCa+RvRusSt5x8wzPTX6Nzzqs6qSrjI6TMxCF5dyEgoJ9Gu9cHmLBc/ws9ktTVr7m+BxlxFhcDC7HVuU0hp16iExN2zwOnKHyMGRNRktT5PAY/K3WEQ3abAej2bT9LOVh1lSunF4kBFxyUls19FbwOfAORkI4aLWdZONY+cELzkxrgoDL+DblQ8uf8LjZDdPQBYOQd3QepgrcvxzAJaewkzK+u9SNjhLMBZsBqrJCynppqAAWnMDf42TzCeGMZz0ZH4E7321Z1Z3pYVB84N3y9X2SztzWkgI/kzjnPTruSyi3JpPLY8XdTsHh9IcvQ+/WrSBFNdsbzMf8tY1tBm2odi/Ff34e7Utjv1qE3QTHY8Kj7tjP7A8iYjSK82MHv1FcOH++3lrYfe8mEFJ1MYT5RLhpoxWLVfc6G4SyG46dCeKb6fx756NLr7pB/AaDAdAfi3aynwE4TPXtCTxUH8nyu2ij3rZUhwC0/SQoMay8IpnsLpsxP1q7mITcZTkE7b0BT8W1w7kYngYJzdXVULolhJPbbyIooOtXfhM5RevEZMDsE+au5fdAc1f+jTqMRDwZDa/9XjZRseAZSeYl5uT2EUmyjI3AhZp+YW7rh35Y+GI58R6K1hrPe50hWTxw2DQonPxuToOAanmUdjoZoNoBxnfuZOzycGAxamZ8oJn7+7e/3bA+On/sQ5PHQavQibYMDRkAtPDKdQeDu+815nHy+fOqWtrs7wIOUIKvK8iBgN121eJgyNSCvxuPsn3GmA/EuHhuDuqCpFQwZbbJekisy451w0iutQDdAsnILENknnVK3Vcm6uouLbHdTkmEtgZTnnoolQ1z24ohJ2cUFeM6hro8BUHxD9StgU9kXCpsegzUqIspqENvecyMyb0s7BA6r1xHJb78s7UAjJFWUYIJUdeQAfXBqMHkyMEFF+kHfVHKrkBUX5m/AgXHa3s0q87wHkwDoOBooUxySpAprjOgNOsEgqQkIgLo1pIkhTJX7j7hGZb/PTt+igOrm4r+F2hp+NG0C+WzD9d58ID9j5RjZAT5TatjfuPNTgPLj52KkEz8RYHrFOpASSoYTmVVap+ANEyH1bsvQBxwwmotkQT52uU4vjF/5kGCAKmAm/keHObWYvS3yLz/UU6AjIMw69XEK4CBXO6SxLhzH4/2viJCeyC/5udpGqHpSzeSBDztVZ0FRo5OCbM7D3TPj1naVLj5l/sRX6TSBJL95j2MoWA2LW5JJqdGMCinBVG0ugXLwK0oKrzod2JkwWeeWs2+D72DCBJVdDY6M0UZFBUzDX7yjIX0gWi07eMMBjnjphGwboh49tMgDt2zgiKKCmxTjoowq04/UNuptuk/DyHrbBD1xazXPXH2zlNDxtsVA256IpMhWn4NiCaTra2MO9gdq85Xbx8bOXx46Fn9rmXNOON+rwlTOcuwRwAkMEEAtmIBZSJeEOnNURQaj69sWVZoZ5UxnitWOzDa2R9ICAhYJuxIZkwQZaLAiLrY7DIyrExoXbUBZBh8pX5e02O8aEYUZBuu3tZgADAYH0B3NQnFFw2sn7L9dJlN0ppUY8LouUhn49BsUaUgArS+zUlUwxhOhwFdLjVjMLuZGcMLYQOKqCP1x/FkGGemwlhBCyAvFHQeSyyZU/HFuCdiwT2RQjI3MklP0FA6FcCYd6Ry/05v6DGFxuna22LmrtHLFSismVIAp7V4DdVgK7e7T/UAM8YsHvgboNoP1JSqUw/bTQWp+s2bz0J/tF9eQm3uqsC2afRvV9losn6nYoOcXzqchwezOzeHckzhWgodhmarnrkjAlHbzpYlk+1Sj9Qp1EBhyOhBCdRAayM0xG+GGJLWcfERSjOvJ2jbVKspL7gxq4Ck1rQDRpf7tPh9rwcI4nmtD9sr1VLoX0c+cWYxNn8I8Gb8KEfNlp7qXx2UC9CgStSAgo5wcB5VVHR2cmhK97wo/9RCDkDzozuV5aFoRT29n6yL3cfaxDuOZ1re6sfOI0ZmPuChTiuLHDotTRSp/CuNEWd+yxXA+lrkbz+1ZYGYBtyzZbsCR193ldnXtff55VYg7uuLfZgPKGtrRZm9i568IrR8yCR1y4YEO9ppwRQjtD30vQ+GC0Kzx74f2EKys8+2zpzmTOhFqmLMmU601O61CMgUD3T0GsKkL2951hdOVRGzpb8go4vCaxKG3LQJLGCe5oQssggKd4lr1gZ+oZ7j5he+vPbuO9aTcSZKV8pFxnqJu0BIYMy+A9wcXNzdJzErIBb2XHussr5Ufhp61kExc+c1W/NtMMTOxuao7b9/izU7FRq/OT9CfQ/T6M7HBVxeWv7m7gMrgKY/W28yl+Z+D4PmEyL5YXgtnkH0q4VSaeYjH1HcgSLJkym3899Ce355DvFaU/UnKPGpbhsVYfT0r34ztoup35dCYHRFfWa/JUq2xgRaKnmIzdoy7O1UeAvl5WIJ6hMyZZMNbuCLjctXRoYDbACzB8tmnmNaN6+vgloCrwbHR76sHwSe9pRiObYuwD5p7B3cfa2+vOQHRJnt/Sxceaa+bjF7DrM3d7jnwZ+/EEJbPlE/TVvYFsFI/9bFngX8lZcrHXj7/qWwBwlqkhIVR+pmlrbF9iVSBt4eqtGGWQbTGnq8oH21HGLDls+bbV56mtT4RrOcZEGzfH+1DQtyHaN0xvLMbjBsTjoWkJM6NaCeqpVs9P0/lX2d7krm+6ZY8mnzJr8c38DeMbffwUblm90UYwBX1TANKT/DA9tcz/2X136bl9GAnvZ3fWn3DSNw/AbqsFzNl9nW3O+n0RNsp4fh8SmpCcNW2gmA3a7lk2XwWM9LItQj6cg3jkGz5h1VQXv++NlBtxuji2pTPW0yZkCibTC3Hp5PixpVk+GwFikRoBiziSY6PSd63BQVE9WDevhr1cA4aPsWpbiEyQnrfIKbAmlYTMUKWK/AGSKSx880ndMvq9SSs+89GwBHbkzGvQ39gdQDwK4hBKetCJWf9L98O4GAdfYSEi5i4Fq/EEmYqcxCOUtZPb8Nuf7XF+1IwiMOL8MIHxbKKAUhY8zRCLQ19lroe5LQERkspdTtCWOPJc4GBNoRUbKRnALaQ5VA7fmy+BhWz234u9edKeS51+OH/eKszKihl7mFTFSSiBXKngrtxx+k7NAp1XMuGhjYURyYAGrR72hIhrFqfXdVB9lAdpCFDYBtyYYwy10Sg+oXiAtB4qgTy+aneAW3MNPInKp2JCH32L63DfW0IluIMw1Fh46+YVS7IB29u8JeL9zku8nnaAGSVMcSCtZm5RdqF9IU+SJJdJ3pTznxCmuwxtU8dB3UsT8BJnljUkJURJbuRnN1SWaImZ3BE5dP+uLae32wtiD/n7UEHS663cd/D9KFB3Sn3Rt9OAuEUTfdQIIyiDCcBm2GHo5nZKgJxWYC4+BIK6IaXt7rP1r8ZWC7dpPg/oPjkO9vG8faZGLMN+LO0KRxufGXvQgl/HlTOGK0ZAeYguiV4JLUxSsXYjC27XoX3UYEPYlMuKY8yMUwMFMFD3M1JLLuto7kyeuJGGyZFxY3eiDitwbzyP25TiQOXWblmLQdsWsDJ8ZdCYxqt7IRPFv8zgTbhCvkl61V6P7Tat6Tzy+PwF80q1gW6k132/Os+/eucynPMQTHZwI8C5V6PH3wx7EtiAC7aTvdI2ALJTajlfXKbx8jzoMPghkJb3twW0L/ypTKdXYRgV2JWBr/4zakFOXAdnxt3h6BU8cfrEzg7LDYvtmXd2e/szIAgu0mga7+bwLkNjZiW6rHB38pPS8dLL/WNS74A08h8M+tOoRCdkGBpVRCFgx85exllrAbKRIPioaTa+4YWjmZ99Co0ckmiqSXrAz7vVKPtVDe8EriZWOCu3dKwU+4KdcfvRJ3qKGsq0CaITqH4uB5WiMF5uBw3Kixq/x3pmkyLVdyavF3wrvSHgH3lGTzouhczo/wPeyvAtejRZyPY5Ft+puesfuzxFWrW2iBqb4UIQUAz240GujF/cS8RCVkr6kTYKitcFjBl5Eo1iU4LI0Fw5wAh0J4wM8D5WoskR0hbpoU0mZOU5kvdhLQ/LEMMtQustuB1m/y7QjMvZcVTxA069hCLzl7QNKoU9iYbnMj92tJinK/iwHNyWpbxTY4tr/PYvAK14JZEGe3Y4SstOcz3xNErGxMdbE+Fkvg+BKTX72Nxg1Sd2CVc+8zavPhr6UcBn3RgIY2TbFJH5sIdLg/lpzYm4P93YKLPg7JI0s2AgqKBpcFJ/iN++SUJFFk4VNp8d7YA3cwzU9xPbYKRYWXKlV4Z6RPC1FGrGaEOM660sZFLQz5E8c9sWYEL738W6GEZ4SfkVihfvfUcYfpH0EW0rjE+5bRq7bjS9S/MaD+n/qt+D8IWCzbdhAMxRi35IHe00AffN7gcTr0f3L8Q9gUt4Dmvz7gIIqmmYIZifZyhwPWFsovnNxOiOQ/a0PvFU5gwmS4phDSpp94QaomtXA50sySQhHAAphEEiipKFNFyD813AF+4v0lE7NYcw5IaFAryoBrDYNODuTA4shv/fPxdSgFltk/fGpmBwhPGNrWjcD1fqLoP6JtIb5qzuauYXMGCBGJnUPNWTe9qQPb35eqEuDGdQoroM2eRWZ3Cdgy+1YYz9V693bf2jSwZv56CSx3/YgJCtU0aOd/voAO24LcfW982yHJ3eIjWBjx3Bg8GnePRRy3yH3/GqicvEma5UBj5mKqa8dEAsotmc59qBmai79hF24oagXt+frQ8t3WaVzwrzGZIW/0Kubgy4cSjEUCs4j23dtvwyvuPnCD57rddzs0gZzHMq5eG++EAYN1sdB6YxMT6H0THMhEKTvzA9fAjqXLoezft63rN7U/bUOm6S1pE66c0/xdhNDjR08ev7YHKiMIIW0WGlo15Bwcj8IQZYOTgUmBMBYRgvgieNL9GBftlVTOkwvBBBgQsknBjPi9uJ0r+tllTABGPBtrItwXTV1uHvDLl3RkbUBf4yHJXgTinxZmrxVQYjDATTgEj5VP6Vs+Gm6c++2zW//5lW27wbqH7+Pu63po4EHlzK4/Qt89fraoQXn8ZAt8DVzaxDM++NzaUeEP+0S3Fzdc4Nv1NjeGn3xXiMFaYnQCQomvDedpQczPVTUgWVhYSx7W03dSRb8ICg8L3G0v5xBGQaBfqZoEmcOiGthpf7UwVsCmLPhc226kneypiQGkdBdlBfiqh9pLVaIJQVcXFX2GDuA/O6A1XWwyMr9SBG9JgGMvmCOWqKopwAQ5rdnyGAUROZNrsWPRsd59jbXjA21pwrV1dv1Cpx5FtHK3MAYF6JAC1+gi3NlhclU07pNlHWYOeY6hXR8a+QuUVk9TwMsFEr8KGAh4rahAFk6T0Q01nek9fLzigx25BYnx+309hxzaancoptvAUqQO4FtvjI+zshJgGaqAHyxzJiK+MMz6VyefmvvDpJGPOpCJOAraPqfTvrJVfn+EHk8CPaGn0BpIRo6+4FeLclrxkm1pCc74rc3LhwyADDUIrJC+DOL3PeNZ0fgdFnFpS3Hg3wGW5XmUPX9n+qAIBSFfHqptUoKTapNDDyy8CMWjp5FFH3trqhDVxpdjAZbn374lopNNpFNsAqTSHst+CwyzjJ3/mihTgrziKpcK9EtODmDt/Q8jbTvahD0Yv8U3hk+UmRt2FjpNF9MfvnNs1H5rrKrHg5ofpkBBRzqrYkjNmYW2BozgF5mFGv6/oHAmWcBOaGaGuq8/XeTaI7+4J8sW+wmxEVKfvvZuGLSph/zbstHbWj7u7IEcbPrXGAuRtGVSgcMSm4rQhbd7ILI6Q1S6+kKuYcSK3Hwqj30g2oxj/EkmAlq+tiAjp5PikoID1/65T0z65/em0GPuCA2oZDXdQXoqjb1erzOTHZzidnBfMsomfGtjbPjBqHbYNvQ2yMNA3rYz+qZbt6pbIM1Zq00kEc0NdYg26G107yr7VuafOLLtOq979sxlFsEGqbCX+bTaq39q8D8iSReKOcATtZLjgnjWrwZQ1jHVkWsGnhZO9h8umI+ACvnKsk/U2LJILd9YzukjgGyDh/4bkzBeo3WDZ5vEBf8PxP6/YonaXADWFvzCDQ9zSG0dfhiMemz0PUZBvoYA9VQL/fXGAr7CZbEPg368ewE2NBhMG+WFKVs8dYoYYstsqSPDQ6z4PCpw9MlMUwhegEqSf6UgvK3OuD/2CTHREVunW8oW8MYFkYKaqklXYAGEiiIhXq7sKq5dBsADO2FQRacsTt8BzUiONMMZwtZ273T3YKvn8+dW8KliFWUdcyJHNIEDnjVrl6mY52w+DGYY1VD99J8/+DCMXt356LNvo16XHhRGMk5N9MySSMaJx0PI/IwlEBlDBb1X2Kzwj119zAYENV/02h2XI2Ua5LwjcSO+KE7K6ObzqzCDHI7CCYNWRlNXjZz94bTIUczxUbxsVeCp64IHm7OTtRJiapcTacSBpUsfe5zMu94hH0bxyVOaiJXGy2qSXjrBEwcn10/BPJxd80jMIH0v+lP5fbdffoMZBSqzGnXgAyA8NTd27g0Zha3TbRWqHFxUmVagN+wKNbQPCnoRJ+zq7imDPZUSLXjBGNzV+7zNNPXln520kZdzEFdJpATOHvPH28jUuodJD7SL7j5OPVdQvbWB5DSpR/At9QMqKmyb/+oyolrL3Dv2AiLoor6P5ipehR33ULaqaDVqL7zNrfk0LokNtjSyN+ncl8c108wjdgyRdz/T2HqVQVOg6kRmJLRf2ZoYzCbjq1uATS3uH/Wz+x0mmhL0sgqeQV87lBD1qL7adPWZUPCgn8nrujqlFBRVZTX915fE2qnV03+UTrpjB3GzrwSODIBYl1ivzhRUJ5KeLkTpswsXq3QI9oJosJmi3ZAZKKoOS8G+ruX5yAcop/X8lo4VgUVYdioaWzEkgVqOkaoxHvTAuWwvZnInG9uHFrBeC54/QkP+HVFUgcsq2OynH/AY6Ev2xBSqGXV9rqxkEnmtbmsmU/wnHl2vmvCN7ZHhj3xTw7auNUAWBrO2nVO33IZRWwcOb6ymiB3NDQyINZgEun+TfSP77x3gMZ3xcL4SkY5BmsT3QM4/Wei4wFt+WG3BK581ZlxIUOIQUxyow1VKSPh1RgOhfpYgYJbFlEfP5IxXax7Bw1xRJwT1ZdqUCKydVEGHfLfQhAFcsz0nZTpGw++kg5YBJFMnGtSTfNVCKEHVkA7yo+nneK3RY91Rya/oW/UGAUI2DDlxRadaMNzYNGo+GmIMq5mFEqoTy3PsHjjN3KUKQpNVuYeTDsJIzJdqTXh+Cm2lvVI5U7CigT+kF1vE/urX8bI+qasd98VwT2mbI3Of2xxwXXFME72XaAmxig3feMLa9Zvu1IaZSRhbTJQW7945VLzh3vjortfBLbWVd8JALlqm2DmMFGDKVqBZZKxs4GK5Rw3amwV5xp26XNzeLDINdwawfs2z0IhFgg/8MKSNUzIwlPPDhQFjaob5AOk+b7uzr2rEMxP1BzcZ+sCFfrNEe/qlIQ06xlaOkOy1fKJprgLBNrKE3RhpobkTpb+VBO2ChM44NkRu7bry1ko+XBV7vfUbhu1CG6sBdsuC76KHGp6fkW0E+2vlRRTOVHVQVvHmSHtKC7o/vX2i1rX6H77qh/fpvIOA9EA9NsTY7aoRMn97f5b/UkX0ddQMa+deNVgqw29eMIZxLR0abJCBeNs04h+eaxKZS4fMW7LAe71Pw5IdNsmi2XUjyA7NmIuCIlTB8f1H5MA6FG++Ihtg+5xN+g3oR+RXzo/zWeKbTdNNB7vZmcf8NTztPZjVqeGGrxF53b7FXHRKALJeseC7m+OuTa9u0DW01h0IFmdLX3erZuXfYdIYkpStDnQor9QxdMcG++bWP0c9dnRz4pr6/4s6NlT8Qk+FuKULNv6ngJ+2KD+e+Nrr/OJk/pxqFBx6jO/XWYUfv6KmW69k5KRCYSqp9tA0zApCZcD2nTuSv/wI2PF8R4MoiHWJAnrx11voSQ+XbXge2MaWj24ayjexJAQaNrBtvP01OX2PUgW3ZhU04AMRzKyTsVDBGsNfWrHABTvSls6ct3S/wV+B6B3WNnqe7Uhu3Ohmzp59+3wiMlxR03wjlb7Z5SHDyqKA+onii3K0/FJPes4AoZAiSJB5aTMcyYg7boagzamjEMFk2GyHFjeGJn/gNEWbp9aB1GRnx/okn5KDmrQqSbKjLxFbaviVf2LSZNpB7pGdTp2f8oXa3XYgAir061vBD68+aBtak3zQsb+i5ZyW2RwAxhBVwvAhwcynwI7lhgZUcnQCrdhk38j9GxRMUCEvAgvYJAMXHmj87+waq0ZexFL3vQ6CTweXti17SqR1Qt+JnDiK4u/+oZA10Rg90UbJtD1hQAixNj/xnb79Rta4eUq4+IBJ/4+4DjMqHZLNu3bDcWynZaWkIQQFXZAVvj3Ha06Y8kj+ejxxPChHDV02ygXD8Qp1o+GNixN5IiwaoqZrtqTiRxpgueesWRJt8Gk2L1WMiYj5vGwKFGa4KPB8omdqf5gH9vP7yADFg/5IFLnTcqLPj/ba1CTeNv6twXVjNRJnH6RjAILcSbs/QaXDv1PSPMAU6KCBpkRKnX0gXqlPswAHmKpokfbcwcS5osF3PwUbwLXBA3rjaw4Te5MrXa32mUflLnTzdDhElbO7Cisow0AnbjpfITV39PS4HkiqfhmfwHGlrVK2jW2GIbBgmu4KMVujtKOrEBNKr9wSgJ2gDeNtF6JCQbmFA9ewORf2/+PWZHJDN/3Tw5APfQ++8vYHPESXJ8I63LgiVrvokwPWH8VWNYAHvfn5qQbXkEPjc2cdO2HTM/Jcllfn1kJzeTTR4sklHkBX4T6OWV3+/bX4BrskLD1Z2TOfCwpMMOU47C3jHT8nfB/DD4G/BYKk1DWDqcGMEaQpm63KI6uzxN9mpGHN+rPVOyv7LFu4TN0RjZeKKVBUNpIXHefCTd3lJOD0boa06rWHWcR6lwBTeYfxHuil8jwJ6bgFSzpRS9mR1LUaXGRe0u8OA1Dfhh9uTrh2vfpBz9A7Wv6gZW/oK27FLIqSRKVZHIK8PLlq8Qbr5oakgPd7DNIEEG6sg07H35nt20ASf6Xag3fvt5wJBZCgpBFWSUDHWdoSm9cIDQS6CawJswwhNfTogPpa0cf6DZczmoL0Am7weL0Zl0Cbcj/f8f+zu9pp2zFbQa817JlAEpzo0EjxFRUc1HZQ00gH6ad4x/kWo6dywtmTAF0Hlk7PF/+kDXKbm8iNgj38HDzRqzRFNtrqWnXIIacUs44NpASndAiyUyVoSq7pngrI5KR2yQuMjGrKaw480aG0UNhFpSD6sQNzgXqNIqRzBIZJ8XgMEGUew9va9gog5TplDYZQ9eMYLSA6kV8vQpmdqXJFYMLO+RzERzblz5DvsmiM5kVIjrZyCQ2nuQpoNzv6RK2o7gduFaGNVL589mYna4jNUUxr9KpDnhIdUP162YTK47eGSMoaluGAT88au3fRrevJRd7VMTe9VR69+8BUqy6QYbiy1OIE0DvQ/dSnUA6TrLLzv1SbWLVz41tbnhyFHN/ocBkcttEtocWesZbDMUt6w7ctoiFukHsa4bCiFWggyhBPR3AEUIzviwgtQgbkx/IvoHEo7/vH65ocAOrVDiPy1DtbqVOKFwRgYmjbillD37qL4YSJKUu0ztFzRO5DvkYJR69JcAzoWttB7LO/SlUdoB/spVe5DuLF7s991Uhgxy0HdQycqnujZPBavN8wW8CCoZlzLwtIcOTJI/txntcxmfWuenAOdnnaL1zOh0VVMEEEuYwmpp51LsB6pHwjKBTNH05PqJl8HYrAhEwpU26P7Jfi1ZccxFtvz7y8CZrGf2D+GNYzmNio8eEmr7E7amRZzVWb9lTgWsT+6zd+TEn/iGoQ0vdbDjwZ+kpq90aTtidsYmASEpgsdP0g6HlhwShNucqqp0GGkQUBTQiKb5JiqHpF9GM1leNA1/ZW0kFhlOPLUJtJFIS69IWjGeX8my+924Xcs3ycyDHcvKRMTLGrLzkSSQLJ5MV/e+5y2rQkLwgBPTCR+DylWH2TzXRd2V0wxW6VUkTiin4HdgM6fImssz5RtzS29OCzNtq1caO5/kPOo1jcLGb9IGkOlylCKVdq5EVPmHFtn1PY1JeZDZ6gZt90GrjNXmPGLVBcsjAy+GHAszUSSkCyx5hux/oK3d28+b2gx2TkIkgQZ4ZJoxV+zvWvLEUnwPwW2Ej6+s5TeZN3GolBtKYFxi1lJYEPgFnLFQMeMATDagTd7kpyQ9wTXc/m3usnbIfZFoNtA6XlRaJcabYbmIy6/omHE40qqqScu5ezn515t9PFC3ABsJ9bKYdU/IgEQqto4dMHsFr4D6Pltr3imj3xPAVBFwMNdxmP2KBPH6q3ZPXNQfWx+5Oj+ov3Sn3UasyL/pf70CFeUZkX/vjWTVcmzp+98Cf9NNrcBoAmpOVViJiONz/yPWNUhDW2ZJhFM/Ag2disRfNvTAZPj8cvf5oe4xlekSH9MC1cRwRgKEmqof6QGxd5TnAibbMMpLU1LoDylrNPJzw6O3UL4sUf/ujvEB2j3+JK/JOTwbJ944MUdLLaQed+49uLxKqqIzUNIr7jB19bTq6hCmywRdMsGr773Go0A1egmsdP/jiUTOzyJ8g6GtxveG1tfJiMC3wizEQgw4pg396ltPVqCGWgvaMKYQNg1O6uYxNdqSWAHT3xwMps3bMIOkX8gojeUArgF1dunLahHqRXGm+lV8Vc/7WFIjmnoPs3eX3F0d1FASSNLvXT6U/s+zpgE2O20RSGZmTqYT2f5U3gfBV4zGgWmXu206Gu623fRONkJxMh2z4ZqFu/pDc+88oCK9CoqEqaeA5L5Kr5DqfsGGbbAKAT5vhNIlz59Zz/FX0A7mCgnstDV/8kMXTjS/nIKwY1NFWPzqKfGYgkTsg6RiLBmvV+vOJ2rw21h0h1MAF/3h9Aw+Lo7yfhcpHro0/Tjar51tLArSF49qhPuvNFZYzlvT9qn0j3mv6dML6nkPUOiI/B0uPj7iAK+Npx0F1rzwxG+d8N3O6KDb8ZSrmuz9s3HOzPtfsRacj0L7nmgwVvRn1jcSQskgwUtmycjqN5PuatpZloAIzvig0a91H3E/QC6LAS/5dvwQQwrhvo2V2x4HPfjOuKxDAYdGDSoOlfdS8Git78GZsExZKgbHxH4d/mzVXmrIQHhpnKUneKYneMPGkLGZp+I+M0PvhqdqiK/AYsia8So+4G1UMVHEh5n1SMvcy9hPXbFhs1mzh3QD9ZJjHbJnI32IPsr0AR5GZ9qlcIoqAoiRSAbwGMy7JkfGsD7ODTA0v9rj/o31vTzp+DOPLJ4Q7pzs/rfzuxpAmW2h1m3uKAtO01vKkkdruTQpPk8fb6hnBJiizJfoXApzEzdV3orejfGZ1BYaE8TOcNJQLR1UUMA2nK3fpDEBnOhkSmuOb3zkGMD/dRO2niw3IVEZzpTrQ90Nh3H6j8B7TZb1f6Cd6EkwH2hEqS3FjVUDLcTKotfCf3NV1USIW46AHICliEXp245KHCRq/KbQAdFNEy4xiARTsUggIKx/BlxvxX97qJGht3A1CYHR7q5PGz2baPuJcQJvRMEp6z6k5hTVgH7iu2U2o/EDlF4dFetxVkBXPMejFZQCRgaUnm0emwH5cFSTlGIZ+oKwrLcV88ezkLabXPuVAiHkXoaF6fAoZWJ7AYnH0xRkMjd5pQOGlKpsmsyV9TtRNle7WowpWNcrlU86/k4xLMJwLss3QncwC55J7NID5qh/roG499ld+15Pq3QQF/CQKaSo4d+WtiiiO5QVMqvZCZ9UVm4IOI+3ycRr5tl2lHdKsldISIdvyGHzXUlIsWI8XM1XECWBHLEPUnRufy4gF5/nNcCHFVAQdqYKEvxOSuWkC+eF1gQFuy8Ng/d2SrUYwtN6haGMPx+gfBNF+2yqD00i2ZvvdiLlp4YzIE6LUFD2YeYfi9BRUI8okA6XRXMRSktLVqIOtu6huqCNZ2xVYNtL7mrD3bzmjn3OR84XUX6uczQK3upbLDjgVv+M4BysMyWzZKJUt5n8vHK3AjELqFGHoBs6nkw8xKMZlDxA+eCBWX5q8Ua5udq+RGnAdloLysCGE5OGteHqbPHjkLXWhyc6LYAEqEtbeBTO38tgb9/RZwMJL+tw7X8eVgCjOp2Ll5IXfWgnqQiKyfSOfEXP/l5aLx9w+/IeCCci+A4kOS6EKMSocELWtOzIidI4FlsUikuQ8pw+45EaL53q/vJJ5h/VblrpnShqyzDqRpCoycWcZrRuEd9MtPb7Umbb+qwkH22B+cRBNtuqKx1xIIf04LwkTxCa9MfNbIjDXA4sUkMGRJwiwypirRGEh8qpUmY3Wsu2PLzFC2SiIHNWW7f5pYn33qxKWIfoIUOoUOOlpjwB4MQA34SRutuGmg88Uzd3eKaPvmmSTzYpH5AUSqBjUnMM8mYgyUWaRCV/KO2No8G+8JWuPmTKL3XxIhfvjcL+28IjO8frbAtdhd9OQfE5Jlk6UbKbRwhHljdTHKNfbQTlimfdy2oRmOng6WJO8IbegLadv9uL9FB9jU5RJ9U06IDV8ModzXCvcOR4E2CIeW3QuSL3s4fBJfjr/SQ3XqOA2tgkHmreWpaP4f/Oact3mJH43bs1IC1IoQMEUiOYRfX79ywoFCSK+kr5FeFnPjU7PFI+4dv83lggKyuySCZFGVATadHm8PHj2YhDHcEcITLampmm0v7186KyMiP+5AJj035t7PQsq/W6Ln+01csGo/Zt6xH0/vsNv2VRC35LPHv8J1x7DJvmxcwQIZq/iqoiG522v+YAm40prMf+6cjtGvjh6Gfq3P8a+T8QSPgO69S3asn94CcHATU9Y5OqWmhdBjZKHuVaFPNoiZs1VlQzPYcreFKRAS/UaRJdOu6EIjo+o2ElXXJxS0C+02zZ2itdJ/hEhrSH3x9kTwzjdjqOZUzUVmshn4zVFjJrfwekrBjwtTg/2AYdA3xDP5s5a5pi07ZaPQobNJNFwpF6J7kmf+HVut62v/3QG2qI2ms0Ic+KSz+t6Z4xTdkOz1Hz776Ywa+PoEnB5pN3f4BKpp3XCQnolTb9Ttz7hDUxCIetmEr2WFd399WDNsm1oPlGGw4DhPGxm/adcOQIa3cx0kFcsNzcqFoVJHDzwYL+WfIDJuU70XT7mdP55Zc+JyH70oTSJpGldHdfmk7ksJY2qZXMsltmCYeSNws4WOAZUiDWn03KxDJRuKya4FfBsfwWEgsorCocdpE1YMn/xIioAL+gXQfbE8XBHgOODJ7SjdE5mU37JRXMMGFz7HlkYIaSKerFd4ZtYV7y+tZFBHeQ0iwjHSJwii/JVJflLb1jYBGNlTDUhk1ui1UuNLJAzDPveEuVPYdJpNgOnXZVdK3oQUOKPKVWu1uUr8EvQArpuoSEL36VkxQHjCAQErxAlk94jJCmIAx0iSiEbDYVwVZPLEeuHGlSZnQREArUFDDV5/mAndr8ZoMCH6EcHZGzvBRLYWDcMwEQcp1ilb5WQlFWIfhKqvcm147au0J4AUQ9c0ojszIKdNrhNKZgqCBWRwwM9rrMHune415abSBDwcz7le3mXdlsOrgqwXDdvxKrWiYKxOBIM8m1CgQ3lUGMC5lJc2hh03GqkGoKFiDSqmyJuoLVN/eupqVsHX/J+o1YLCWmWzEmZjMfRBcPB+rQ0vfJLxeJCsu058x4o2nKOcLBQkqylM4DHNVuGMk04CGtD1hl1xvYqb90QXtxVNksyi6XhVjisJxspEJKTwKQs65fv5LgwVhVJkpxzLSERYC2Y5aMQqgLqGVSjrkmCg8qVQL+R6pLa1DsLVgnkwD+M43vzUcmxS6UgQGJlfWI3n4SrAd9QiOLJ8bl9DT1HHg8GHmLA4EEhJrO/jhZzbguZmU9rkmHC7Z4bQpo62wEa7na0OThMrujroHueCUuIp/Igx/4HsbQ22la8alTKu1a6W4gLcDSSxrkjIy3FMgnpHEEicEgEd0pIgJ6Yz24VkCdGAzYFIQ0PBIK7wso2RxvA/8qgjVWfVadKdgDPGwzUIzAEhMENpkm3fnxZz/RTMEnSIjKb+9lMq5Dvg98bfLLHb5Nu/+gRWVt6/8bU+Lvjj0V9IKAzEOy5d4mOFlwg5++kPPClinJFFIpGqWwmKJqjGlLdX4NYj40Rcr2yemwjxQjozH6GX1l8DSEFarnvKEi06VOsLuMOXMBSdBRrVZJTsGy3X/dTSievHTQ6wMtRO6aU+CttESmgW55URe20DwAWPL2bd61lIqaslP55bNZl9fH6yrERaUw0yTL/+FMGGBHHpArTd8EZWrBh0Mo7YiOg6PfxE1fyth+T113gvA00y2TkDgjElNkafcNan5YZ8RxetKkgiA/5XyDhfePg2aaz6bc4PmzC8LV1DoGlc+DCBR1YcOHxsBjBOQ7VXvQmytohT6POv8ILLjyBkBjFL5iF3sr9D9RHy5vFhl2ygIjNVA5nRLfsAKqbu+0w+1l1XEZ+aWAZTNTbIgF3JuKddWTDlFMOdaLTDbmpBHR9TuorC8GB/wQVhTaYySwEnx+RyBcfbSBMX3mQpCtfggeKrtZdiX82cKtsuRcHBCFdEN5w58Vj4AixCodCA+SCy/zaWTbjYYRVjSkkmNIGpkiQ7yFS+2Idnz+we9+bbDLJxx4048mfL4b+n2ZDgeg0voi7gXm22Lhy3VuqpomRN9Lw6ZtBlUoJ+SrgsegQEwpX+degNKFz1OnGAZof0PuplVHgfAarOccyAyAksG9/ojGLWzWlr0L0oRF5fgu7tpFlJaoho5xyorwUqkjGlIrl2nNjlcTj02/S4WnBAN62RuU9u7oIsMNNSq+rK5OJmquVTdcCIlhpd9CXQ/99pqZOzIMWLiI//zkaePvxK4r4ijIN0XysMOqPWTCEGHnUbeDtuS7su+47FuQs24S2oN9UtwW43cOaym5LsQIXyUoNECzZbN1b/Azp14uFoXAWw+G9UfwY4V9MekzDPH4tQoZTmfBQEvqL8+OwpE27KWXJ7hWbaSKsuxihPwiKuFqzmr1gX5HAAzUfHlRwyu9uNYLg2mCnGnRBU+WqrKPf1uXFTP9TDfD2mu6TPBwU7M2rg7OWoCFgCIitWamjeCmVkKfEZ76U97Tw/AF9rMsz5LFRvm2ez6gqhMigPhykZyFbiRcSXE0WVXIly+rxpa2Sntm9tA16vB1jvr9+Kt1tvLobCd2Z8yf1JEwXwqK5Bx2w71ZbVv94RTECDcVmqGsI3eu7dtrDpIF1mCyJrNzk2MBVZcux8fGdNjcNd/fBKc5wR8mJzlYQ4L9aH+5YLJuOI+avEs/7V/vq1Z7EtEaaSa3aahHrDBlbG6GuR7mWcbItGIYB6pKrBBfMo0IPwPfhRYh+k6tGO3rox0Lp6bOr3DoeTq+BydBN2ecueXI3OXd4hv2PRXLlE14yrFIORHgQYZsGxRKwAg1KtHOjopu69XA/scGGiob5Qx7Zbb16I7g261M24960MtsyYlqpis5u5qPd8BUAfe1dPjM4+e7g5t3kbz/r83W7U6TXcP/LAXqRe+CkOivQFcpDpTcZCPm9dU8xXTvePuLdR/VuJQJkFHOKBuRxvMxSLNd94w2S1H98qE9YsBhS2MiDUjahrhpKo2FmoXmP6t9o15HdQpyHQYm2jkXMXD8NbQ64VZUu5C/YA/ns44f3i+IyyxlHNVTZDd0Pan6bM8t4LFRTbuOZ3oO95Cuw5BWniCD14kLq9AC1y33swsSKksJzULMWIQtcoD/24olootnyYXVoFCUkQGT68yuyr/7e/rdcILXGutdbB2AjXS1gD1JW64g/ApjaLWgTbD7o58gbqgjJ8gmbOjIbJ3wSlfoL41NzhnvyypBJngDemQ+wwMYlYG8ypspJsgDvaUsipsZ3gINu4iLqAbExKkxn5YFY/7E68iaNlXhs+2Lq9aw9ngCx7WJf1jEnUcRXG4/Xda0hiZEVCMYGXLV0qTbx90eMkSc6Vkg7ggXHYGhpDnvYWOVKu/hdvlhSnIz/Bxv8mxtK2K9ZkucaXV1+e0NApb/pWzYd2zsAqQvTTvxTA0E5e90PMXI/vqglyRfOKDcXpLGh8uncMEV6FJbGi8k/2de2UXeqiyI8vDo0qRsY/soc/0ewonCIpFzn5Oq2kaSmXpKslSZN1FZqqvmFRKFzNRr1nJqWEIjM8O8UdpuBtZyIDSJJ4/AzFS8DFYq2SSWJT0ex1wYWpgk9V9C8386emSIL/tLT2ccilzklQ9AnhZsLKqFPt1U9zdIexZJDGl4AfTjeCNhoatKpesCO7aqDeYMvVk3tnfdvtNvDLucGF3paOVHEsz5eKUfdiLbhL030mj9M3WC+IshYeUDnaVxtoOCW6cOiXtZdkOox9ZTXjy+mCBzECsiDEYHNoC8++EIVHRESXsrVJwEjmDoLvbiCVCvsQ1H9eJd9aQgvKiB0mwAn63wenqz/a9pr9XgHBR15/1sDW902ehHtpDyQwxVIJgGvuT3wzpk4q4zo6CmEJ5PB4aERnpAEIbvJby6l1VEWaTKBArfBrK2iB2mPRryh4ML2MtlxdGx/ShBe2pLkt1Q3qXUtNhvquIoLtCXTbEycfoS+vztT4TM8jeMOvwLm+VI7h558k/dMogTiBRvnTt5eWP52e03f93X4ueMDaXV6EpJbKgGFhLm1p4lHkxK+0MYx71YVIHu9NzILfPA2+3rJ7pJDy49eibtQjVhY8kERJqDMUximGoQwyAjs1ljoqBLBkEC3Hraai1GoBASaraSfp9NdHu40tAORAqYmGWWvOQ5ZV5BoawhhMpKwp4BIJLPmQ+ZIkyzIL1Fqe001pRuWmwkm77EPJJJr+P6027VbQCNOo2d+aHDbW9WamYlSShV6RkzjkI5V5WbD1id5Wuso3wCU3et0EuR/5PT0A64hc3Xj1Ys6SV8F8q6GkXUGOYwIhMdWt9gaeA1Zbw3VErO68eiFn/fnY3ORSglXocI6pbeEbWLp9U1V6InM2G9hbn148a0rt2yv97FOnV5ab53509ua+bCO+OvpzmTDqS5iRcsXWaL2HvP/YZBdN1zGH+CP1dY0Uzg5CMaXZmAGaZEsWAHns6do4moGwj7lCKd1UzRV533S4HESr9Bsg7R33DlLjTKnWjo+AjnNWzQJvjPjcsTs1h52aDRCtYiPahWCkv7MXLqVqx9pnD+yT/ptcLkmZDrLl9JugCrl0Ra/IIAaeExWlWl4p5/LrwyVxYYu7N1QpzVpTsw1bN4EEhGJB6SH/+FvFMWxmsOqgTWfiXBLj33zEOU+An0ikFVQfqzSwMnh1LlNVKCZsaWyytgtz1I7IXS5r87YcglPe5Po8kvml3MPwyxhyVkkmVB0ANXMNiDZg4ts9KW9XV1Suy6RzbecaD1cC252sI/NRnSOKDMvxIbpQDLvn1Y0W0ZkNONYiD3p0o7b/iKA3v2/ESE7X1tDQTgMafGnlxklQqM70+FH6dauAljFBeRj6yk6LOa+5u0FtUeP+A3fHdi7ytu/AvVXjNbojjj9MQg8Rg0zLXn0yCJ+lQx2/+pNsO1H3F/HJ0Bh/xroOjk+HnSl9oQf9Ic0IUMjfTcL+Rm9mOPZPiCRP2YGvA+66AVP2DceG0QGDiDisd8+6rwa3fZtHQZ/RWuhHeoXCocyWjNSa6Ob++q3Zyeiaid+DDB0+/wiehK+uI2unG6DD4wd8St1D3b5WBOjnTs4+G5Z2XbHjo81wHRdWi1zQuRHBbJ6DMDUMTdBx6p/kHDR/Ioj2DLBBAWve0udYF9j2U31lVSi4TxqvOA/9L6V//tkx2qfvtnn/yr163PFDGRyLDMCWwWvK2+G1SXeKlZnxJ4LWbkmT4arzoN+Rm8vF433yY+X7tX173BHfEGUtcpkXiD8qIOXYa7oyNxKW3hDzofr0L6KnAf/M1G2fiPYgZmFsybb9cjAZm989i+7snft6UQDXeGbDMBbwvvvgE6bXiBFi/z5hP63oadAH0cdmkQLR7pLVedJXyqKDWC/1E+K1FkexgjJxAjOazCqcfW3Uqa+GuEZGFy3ahX9E1CH/gTWl9fHHFynN6TeW+8xoEuEQn8Ty+Pa74TdO/ytKBepKMJd1jyBTkX1cHNcJw/sK4ACaCbK2BMQ5N0jmO7kfqNPu5CKw28XG7mJPb7NR6UmPBC1l0qDmG7kQcBiF5bEAR2h+wUOVpXFRWASJhIAFVoxyhGsA+40qj0aINHXsgYVRqa3Hk/C+B1hZM7tSJ1OgioYJIxG3U0S7OYU/XzsT+42XpbWE5FED1clZrVesS03Aeq75IaRuH2PbCBPHGEIUOXTUb0cGHwszgJoCQh0Dc4BVhT0xJjOKPAUNTCx01d8zL+wGJnBK+22b9znjvFKZURRG9xJsuL1bYpY1pnZz+38vmfcn+hsGZR0FZTRxKG7/IHHscuBg9Z59sZ3J0WW9BNGonTpoP63X5kpX7Ak3ISmC75MsPmDDkinEo7/2R94uTGgpiCAt/W9vn2fLE6xUEWvCtYUJki1yqYi5DMOPNaa4IQd0RpZN8l5aiGfqxtfTI/+5kekRIR9OuPbM6ZlkVYpFMO7fnx05YHToteoAvv64HikXMQQdjYikuFsYL9OaWLuOqUDUgmF12KBPzDP3QEh5vdxL+VWPMeq88GLLZLGK5i2DZvvDfC93C5bx2a7VjLqdYT+53pRBDGj6u6TQIy/adrCeOMhLsV8Z3uZM1wbivkfVNkz2qGaILuw3D289EIbi9MAbX1ulmIhdo9T2DgbDE+0byfHJkP5GrY/3255gYLzyAmUIWLvRyeFuvgWLDCdtuWbL7zWGbSvJHujZfHzFRu0o2tHinj1z0lqpTwvVcgx2Uzk9PD2bhu2wg/tHuEEqDQHHS9V878ALGuOinJSfWINbk10kCQ1esA8p6GMYNsc7w3KE5CbSUpxx0dWI1zO+u3rRJNBgwMWgqUUCn9SSuJC8aLGR+PPREHSXEuc7oJu/g3N9sRzDzz5OBbxbmE6wUWYLqVsf/wfi9feuv3+cCx60dpcC0s3NJdGO8li37vn4mfq0Gk5jqHP/S/JZUMN1ERiGu97LjlME+Y3j3EyB6RYL0yPO9L5ELx3j/33VUMA/JcqodCi4ITDu2IhgMKtK2pENjGm36nvI7GgGynXHqdk4ev1GyZMH4kzGXvVXoFGvaJ/FfjmDsyRU+c3aWi0D7PolT3F4WbP/djOvIZtJmIPXbpQpIaDSDDN2FfVFWYKvq0oUtYxP6pN59sLqcbFcsUjeD7pTrmw8upC1ZDEDVkIxVrVKARmsZUBe2dJQd4qV7c8DVgg3sRTjVaogkkk8g3dl+z11pQPViLCjxDL1EaLOw+d1CEitgkgC5jfc99kWqoncsyUllbsB7c+Isz9T077xmv+7Y7z7QJHspsZODXfWNgbf8wwct3bw2ZHdkfbSsw/Zor8OBSxhn5fzs+UJZwBMp39fBEXbuBE/5aCdby6PW5GFrt62gWukPY9/U3UT9XBBFlnuKWtTut+5AgDZ75+UXxzgsQRQNK7A2nRvq7ELlIHk1gNPJDzABS7qapynr04x9ni2s6E3DMACdeKCDw39hQBWJPesiOZA7LAHXyMM2sPWTKK30Zux21214OORSee+TD/o6Xozgni5oOVblyregnuwETaRpNJht8Mg0OJhwNcXooSp5/sQeeMFrMUgustU4YLCdUGuS3fHe3rpm3FflRgHtYvYJL7iCgUHcwcjXZWoY7JkI4YWDALKsjIbnQY7BhMFQliIqUpsG88JWYN2fX/9QPhLv4zzqszI/hObgFykB4BiE7CyRBTaJ/XAxo2vZklfRwugpVZzKKgZet3dzdQfDPszibhrlC+JreqfcO+L9MOevZ4KhsglbAXW3Suhsq94HMRMVnYA6e0w8klqA9Zblbn+Fpr2p0U3HY3RM3mm0UvN9UkU2bN6YL6YRMPC0aijZ3aHhbqhRJ4O83iXEUNfdX33z+IrXyYdXC2PpgvmM/StXbFMJ+OjE4RPO1RGQDZN2jR/AAqtIIVAego/6o5hkHqvFyoz0Djrc+gbg6QUhLrXvmThUfRivwRujzRFrLaLu6N1KNpt443Y6t5PBw5mx7HdngXnGFcj8I4DdcHZRDI+41XcwLwpfMr4UwNYZfPhta3ge/T6ynC3Us7JpYqUKwUuwTB+5uNXqEJ73LnJ46d2DjYOAH7So+iKISuwfCUjDQoxOnJ/vDnLnUbmsTxIbWzYr1aMmqSPZHMX747Ga1V8Nr+wmF0D6IpbJhHBoCx6qGVSK4tnZEkRFNE6snsiB4BNKIXjEtCZ5i1EXPjkdOnMLOpUgOFua3JA3HUyhv0018Pmb1ryZ6Kdui8qIlPAmZI8DEKgv1TGRGD95mQ6G4C54M+RMZNcAyQosB2xjFsreJJ1ZdIBLQinAfQAFkq76IkanpqgkXIiXDRD9cnDGgxcjoSCcOpOn1VaJiE4wEfcMSfDOM8lh9rEuKU7gRV0EIclzMdADS4c/4O7ggtcprbdbQFwchPlvBL/lX4e1Wh+Gy3qMoIxTKz2Hs/n83lsDFbRhKsgw0qN0Glqi1vnswBENOzGYHXw87H5yVzCVyRKDfAcvKBcopyuoIUx4LP6q7/lG5XTQHZCf8Pc4RuXqjZulk7uPOmYbIdInuwumE5zoHuRPVdfinX4r5/bgiuxdjeuJlyETtxx1H0tVK9GwT5zRlboStDKGAXGDnv5G6fYdHZVam08b5vLobyxwnPCjap+/ZiW1MsjODwKOOZuNg819NsjpKALNqy0fTJ+YBLYiEqoiu76hsO3OfRXn6fqr+UyObduZZRS43PjabbSehkjxHF66cMIHG/+p3sZF3M7s8Ct0OU4buCBqHfttN4tNZyvCuv+ql6cMbVFw4YaNW9W0XCHWsMtdcadNVbAN2o0tIfZdeRcQHL8MIFKr9wRV7r0g4rURaVDYnt+BES+Qoqwbq3Ro1C+ab2wIR39jNOUFTvRb8ghG2hG2omYYtcIZ4VOefFo78ZybihWB7vebxr+38zv5LZokeQKrgx05U3bx5Cx4zX6Igvh0CvZyQMo3zRS+BdByrjgBKyAZ1d0jZwSlDqGkQL70nwOCPUC12BEIbkZsyfXCC8pMlEWEOKOZ8j7fTK0V3ZqRRm+yyb65rih8w0ByM2PPtJj0UNT/I+EyampWLt9Z+64PNv12H+J3aoP1n/Ux7159ghUJOmEJ/wx2s3CWgBe1Z57K1ahSyEN2ZXKyxffWtQywaJ6WVkENfrp1RLUZj+otKAzoBkTxNYtjXjhTQD6cAx8gZLq6DTIUKEtLRKa+YB9pJ5rTWkFGVVTUh04pg6tGkrxLdymwo3mZpIDLAjxoxjgDEIsBBQrT53QfSMT5EEls+UeX5LqBA1KezsKCgCLzcA4E1jFRtzbJd0JDrAR3p5Mb4OlbsywcfOKK8B6Hb8Qoj26zVwN4oUru321Tg2WjGmfKGOntwWLCbVVl5wFAMfxqeDRGoU0AfkpJTWQ3jNlLwX6fXtphNAJMpqmoFlQpYqcCgoLKEVpbdvP2gUA+tXGdx6YHPr3W7Fo5/kLH91f0/JqvP60kz7hmLm006Frda1lxFIzF/KPddW+tG6kUhcHFlQoA2VbKMqzMIP018GJssDNp1QFUPmqDTBHD/THCdtNxif/dJrYZev4tW2EQpYvnkTuhLs+S2HipwGtBMtR7hZnkLoliAz+bJEmaHSiRmqylydqPp/rap2y5a/FY+UNbbjdhmdOvPZsEgtPzOB8okWm8/BvXzCw6VKRFtYvweFr/EmMFGQ7wuh4Yc+ELCvLAvLFYoKnuXVlQ85oBtViG9DFRlmTy8sJ1lRkZ7SEa+KHTprLqOdNycR6t26VC2MuKkBHtcdKGK6bdy82g3HUO+WHnuCOlh+TTmarlhYjACIvD0mIxj2Wpn9LzC+3GuWmoLVz7e3aiIjeUh2NT/RNFjxJn43vZUI5K7LYQXAjYbZaZH95tlwMxQa6ztPgOuJHB/slJEOJUEKXWVVuEpOVq8rriszvN38/a+vtN71ev92ZqFs+kFIBiWBxUqg00EKsUU8K7enFq+6USD73TbxPRoi6JDE0vchXY3v5dNBxejSiPC2yrKRRy0imja2kwVuwwA3wkAB7NPZNJJ+9OWzj25PoIP0h9v/zqh9PU1Yx7bTJGlYTI5DinC+ceK/3h2I1QytTSrzYt4sGHdnWY0GTMTkv3yhGVeCisMQ/3RpzoOvOSbs9kW5Z8NOraO63ZxyWuyV2Rm5x3tsy03AXVStDfBOy0FmVOSGbXnTrFil25n5nf5Edp+wK53zNxWLfq5vKrpKdyMEcpqmvAjNrPHnXvddVKipSjNTkW7JMfWFzE+qbUWLkJee549q6caf++mRnD2qb0uiV4Er+iviSW6JcLcsYWHhRQzyNZzURpUYPJd8Kljiv8Z8AeBa0CYDacGjlhmvIqzlupw1YK4kqLIsA40wfIQ9cSjEoIAGmlgF1svijIy/J0gjUwv88Nf0fG1kkg86Nyw34CsN/ZlovmwgRZR9BiFauwNQHRND4MERV5HsKzClrFEvZO6q1IQITyI20rmAb6QCax7S9pZ2PA+caFiP/Jsqx8bsPXT/xWI6cUhWdmNCO8p6GkMFwxyjTZ0QuzZy7bjkfrQYe4I9RP0C1Pa5vBNidOefoIQ8I1Ju5MZwJmYMAcX00whGACaoyIDaVhGR0hKx96uWYyoY9jggsMNXrCgMMNSzAoEHbnbPkgbKz7EKGwyS2y5CfRE8VUhHWNXxZru8KtIb2Ia17a2sIsRBbjFkQVkE4YIdYXtiIQYRhiR/zXrQzDbggph9k+3Bi3OoYSCxzjZIzJB07ou+WGpNlPW7E4xFPu5hxV1IXqht3+2A2uZsg4Ux+42gXlD19mm1WWhdq4Te5208t9thNe/UnsaVKD7yAfR2/3DIkP8AT+C4CwOnk7Yv7ejCwrb12wbIs9GoiTN92R6tWuSMAHlSZ7qjNMNMk1PqghkbYZUMQI+QBfIGfU4BiEt1m6sGAYeu58FNaFUQpp3yNqSFkBTZpurLHpi1xSLK9TRjgaXbZcTDE5FMM9oacJkp7ct3ONbD9Nd2JbFK1mYgF3HduTla6RsdkvosW9G4fKbCqqI+f6GsgxTmU5jmpKgEin9cRwHSraJdE36319KcAbf/t6hGhbb3TR/1veiOSUJ9UPtpI72Uc39dmb9TZgCSEKSDk76uWSt0qVF/Xf6n90nZCTsu33nCKQhEgcrx+grdNN53PyhAOeBvVkbVKjulyrdz9Ue2UdlZmNUR+lymBOYzxe/W6F7H3FThYDuUWrHzOpatPpyxSUno1FF/kC25FGdmHQtsUyHG3WDN7tNF/WdCDgGe/MIKtgWYrRhFHTSdse77Wyk3xkGqVai9BrDVEHZPhpJAd9jTAvvK7csBeY5sUFiOSIGX8BULOP+sbVQOueYy8qfcX5+ClRnbhp6QfKsn6Eg9iI6CXFVZj2rrsAl7B4nRI04RyaKjdaKCyL1QbbijvULUCommHa8PEMxrXgK18st5fmmAIBZgR9kyvpTXagUk6t29n5o6dnPJK0rYrIJHI3ZfZkakpMJU4ttfycbM88p3TiZE2960LtNuJAUWx7ZnFFdltH0vD6TLj4PI5uSgQJqQ4WUDqBt1ULZDWOlYQRz07EA68h1/3IP+x+e1bFdYpvylZuClEDESVTakgEWkDcnDdiqgcrKkTQCzBvt/Aef//ji5GemouQxrRmZwxmUJqhMcLS3lqMC5sIXZoSjHCUIdXGKrDJZM/LsYEMlinyJ8XP+VVPe38SNdoumta88Sf9G/nHx0LgGnjNr6/Q89rMmwXyVcoYfWcek5V4GVyrYoHBHjOXBSJnQy6P6lhbzBT7R7NiqyxmFVBTxffRoUI/vOq1e5RbQlAOy1nIPqubwZsbnzzp1f0NedRef6W0r3nWpaNhMTfMR60p13drjDbYVsE3+1d6zy3U2+QaiJgl0S7pjUiKV6wXlEI9JOeLnYYPUBtv2EKJZ6Nv7Ss3ek/rNhVceglYtDogYb2/804onJFZ0AC3wSsitctB8TSTsmDJWeeSSavF6nJ4N4iWUzEse2tRiwnFRVG44kCm+PLALjTS0jkRb7xei3C72uEoLRLazYY4VJbgsINx37xVTDD0MU/g6rxWGTLStiRijgdWvs3k5oywsNtE/JOW4JtDvzAwh149UrOOEFnIhvbo03Q7lr+lOPoKfI6T9ohwyXCABN8vvHKtVVYpti9UUSsbN1vbRndSYJDIh6cNXir6mFfb6hKCCwuKBvswLRyQK8FNOMzRT5YAZH0GIMtdrbIlAb2JnU4Fq87UUujZV4a5ZQjAlyzpzcYWOaTnEudqG+1Qp6W0cbL14i1eArPE4XXYyw24GP5gUK8gr63n4/B4e7EH6Q8rrJt47G79BHwG5xqqMZW21aaOK5GOT92jH2vcTqmGQO14OU0/o1/2nkhPsgNlIergw10NiQ7E/rLrTAyNj8ClVVgPZPM9FzwxpbhtP4nPnHp+LefRWpJWTPYt+fuOD1swL+4zENhnBki/ABiGLUoXqM4gQHD/NTW3O/PX4CBBMNqgWwvoI8Z4+3mg+6zIAw+JurEsBasAeKjiMUa0hhacv/dF9NJho2C1cLak6FWKEmmCSEsTPzyJ26PHsnBKPglemnPOwNE+jnggX7ftqKnfLT+WN2NdMXSIhoiGw6lIXcO4uRErCXQIg6IEoHhMuTLx/0XEzi7a5VWH6KXyS4c2geSUzSXxEiW+2JrD/dC1ClALo1rnkivvgpH7/zttW024GC3sfTF6w6TIzlo8GEZOTVRplrv4juxnfG+BKLzvzQWCspyVAVRo801YKpHj2WU3zmmVcSpfeagDFfnCNw6WtBU2ZiDln5RVW5nkVRSmu8oosif/oagLDsFcd20S7DgNDrAhRzhm/+nHVV3kTYFq1T93RLafkh5FExg+uHj7i3IxloEFmf4iW4j6DGpBols83q147QljyXoBej/A+Yf/L4D8kY+HuXz8P6rNCA9Ixu8CyfHf8iAGmXnAXL2pLB5yG+DKeViA4NCka+U0bAmL2lLwlCH+5BEZ8t8xaOvFl9tbaksxIfWfdEOeclNdLEvtOZPkdTixwFLJ9O/0L6Y2TB4XcprMCBv4zowNr4PC5GRMq72W6EPeIAYNaeAvwdoTICaDcaT40H0lMB1C0itkwRVWFsULtA1aV7ZDK/JCadU5bkay++94OOD3TbBnF0iHPgPfTSEXU6tAa9T/zpFzmd/+WxvLorQrajjH+lbdd4rls3/5ILKgKUi5xv+Q8sJrsylLf+q95sIXZvSYaev2cRWXP1bZlOrUacXM20zKzMgbNQHdsfYbkGuHO0E6zgYqzZgRsyHPOCz36MUx0vSCZxxEZiCgW1D0aGIFGXWBxduLYHlZy/+GuiNbgDxjffZWsuyI0Juu8YmaLzzeRPvjGibD5xylj7uqJhqfxj5+aXt9XkWkaNiidMaH7Umx19RWk+YRBu+qfRBOKlD3LDf/sHvTgFypDmOFMWipMxtj4eAI+SsBY29o548OY1vyx7dHnkNdgEJXLWurboBfaGdgM/D0E8CTdgHFlRshyRiAeiJ6s5Gk+9fuOk4BQ71Dsm/RUqqp3RzQHAFR781fHHJAProluJ01L9GQjThFqjMRj0Gl8I5sriTNEEq5RoOdCNz52JUzbKepdc90c6CkDEKlZGdbv3QB6UxZwOB/pztGuCdy67SPGvO7+V2g2CW4GIgOEc6A8bgY4gOP0E69U/6dfTOL23BM/EHCwq09PPrkr28afKOjk9AkVmUWwUIBY5aQVlTTZCkf3j/9Mz1EFr4UAJY9w9QPlkiFlw3NTNPjfJ65M7babeTsOlQ0EghARXkqYAM5eN7MLdaaTQFp+h/1O8ikbwQpLaRy9T57/MucJPdsnSj2s/ZOMwX7j0sorNI7cPXZQtJp/669vJjdAq/ucdDjUaWK2ik9ejevU2hX0eLLgCPwczWmixb7chdrSRgb/HD4+cr2Ejuyxa18VuaYA1564Pzh1x0XVX+817aMSNt+bXs5fQp8o7X1R4Pv/ysqBawYk7FMoNlo2tWftYbPwCkeGllowlRkDmf33pi2xFqSeH2qId5LV5Yd7OqS1ruaEk8E/c4VQ+m3ZaloUn/r166+u38DTnu+34QEQDalqrD5Ri+AbuzVe7mEjtj5XLaFWgn1bSabGP3j/6bBfb8+cNbSc50PHRUKyzbqJWx71znB2oOyyQA4/Ab67mDrRYCg8oGuxJ4KwuyTnSC5JKu1KqthdFKOSIUSwTITEVmYDaP61RRhF6tujLowUp2CAoVuM4923Vt1s43jFQt2XL/Pn/JmlJFLMsxBTotd8oJNIO5VrXMPz69/SEDjWQW9KJm5XT9E5RamQIkupgfkbs3D9dCsbfXRPExf617BXtz8IEwgR99c/3xmy9vzGF3MSa3qUbSkHkBSAZATrbNkOUjqoEgJj8OoaPPPL1VmN1A8R9zA29dX0QXek6pa+nvhpPJSgE+b0Fv6Tb5t8gQ6RpQRyzoiAhrP2kDtvutvZksVg1VESoYBNzdVsoUbAMrZZcSj//5aCOuT5dsWA5Gna2bBvvE2B0GEafbru2/Pel8Yt3uw0KsdkVFTwqwlCHjP1T0Y5SFXMnzPVrwMllg+cG8k4v+Wf8rSlGA7LPhLWoNkZxThcFRa5MoKmVchS/IyNNO7xdedCSsGoIC2pLeUEpk46de5tXDc5cnWQNud8gWSC+OHJDPf2np3KLZK0pUP/IjiAAepl9HR7BToBZ1GtBU0PnAsD55/TU9fOt6nWHVjJYfSv1Bl3rxYPSd/J0eaFmheb8686qOXwi0rIf6Wlb36tIV7Wp81Qa/D42KCPkrrdNxMzuE3cscEWbHu9W1U/zMUXWGRUZgVNSCPke3Z1j2jsYttkYwfuzFtAkLfbEE/5xuYmeCF7Y8GtKHpzvVgyz0jV7n1Rjv634HmFT+ZmU+i+wOgYnohD6untiKE8RgwfPM3Rysr7MEAoWmPUlouQpKxoWam/0HWPPwUrO6k4ski2u2MgQ53BP/3nq4qtdO04x/2NKQc58fWelcigEuF0LgmXPzwcm8Hq9W+k4HluLF8wP0v0Bzsm4iS2fVwotK51J118StnXUbmHl5GrRFjcEP4G4Ps+4vZx6vzml1mbZk71gPGDcaSvhjNGm9FJBQrUnFKnpYMfMLdlvjJbmBXfb68eZc7O2Wpvz+7nPTV0pfX80FTshOT83H5/95TV8jZM7czg7VNVRiCBmMYT6+MezCVuAJWNA4L//ZrUVXAetTvjSjRmMFZQPFKZ39iCTj3K8GrMYfhwEceKmILNuxf/C3VlAhWSRPlHwjhIpXli1UOtxaW1906P89a1NxDqUYQ8Lsk12c4f3MlCv+waN9Zbb81RRlm7im3ACdZu/TNXj0kPojXYA75G5p+6BeuLmPwSLr88OTugvssrMcvZCHxB1/pKz2R+zxaaybGzk//tdomHXt+rdwmvv+P3+Vnb1aSdrYL+z5oWuP2cCrtlpNb5pk/OSp2IwHfFyHVlGxrR22aoAHWxF6lohgnXfrCasPu05K8298IKL4OfWIuwWy1KonQk88ICuoWVfaZnJA6P7y/gEbDJEYn/pd2VP08u8k25kNFpjlU0zgioUOC71dZbKPBpfrTyQX7ZGjebE+/bGvP4XM+WsjYrHI18k2zviWkPZtVcxU0y/nlUbPpH18gl3tVMWJxvBq0CmnFPca2oAqDTXk4pyP35LebIRcLSOSFVrx/m5SMXiU83mMw7Xy/VK7CmxH+rpz5oZxoqg+zmOwInwspBirGPdTbWjQhhaJccHlj603yWDFRVHFHAzEnCvnkofTFhfkG+W4Aq6zZ/MF3o4srH9xsw1t5AshS/mluN/Qh7rUxEklWfZqJ8Q7+bCtTUCqSjjoRX1VQIEnpkK2n90ojsrAblC5C1ndX/ozFFl5cuf03NiTBcu698dVpprhihgwesqXnsFGYWT89Toa1tyWD+6/WNFKdopwUaJVjAuNYnulA8YO+zsbzKS6Z/TYxcKGPtQ2tHW9ZY289RL5UVD2WyJGTgiVSqvMVLnabLn/ulJU7A+Lx5D06C8rxoafMpmQp9nIEGioV6wmujM4pqaJazHleMM85zLXEoQK8ZhiAEFScJ2J4Yt+9KtxOCNytILL5SekSw+3YyxhQNZmBAhS6xV/iBLiFFTrtPonF0aQ2B3xW5dRH7bxv5eMnPxnrL1uZYUCFrLY57kGNFSMKg0FskZNYmntbOJJifQNv81ehs1NsfcltJ+87MXznFO49MAHkUxTbEBngKgGWtTHxjoGXELGKTLPlQEbD7sS/SbuJm4bUfrZE02bC2unrTC2LMQJ4IhyPnRAvOhVosQQI2qhXG7o6PH7S8kpcyulmMzwtShfrZUwjhDWykH3uZfAtf+dBnIfPXvNjcgrTmv0z+svo/aCfgqv/mflVzLytHi0xcjZttqGhVGR81Atvqlv9UDTSrn9geOKzaEgy1akEoj2tH0cdnTt37yOcr4bQ1o03pF2R9JJLtnZC11h2nimjUXNHFm/RK+iSNkV40sKO9ymLLmz+F7qYB//YM+ASqmvKcS/fV4NqOJfBxO76T+6qSlXdjZMhr76PV/+QNC6jpIAEwqfVUD+uXULDvOGNdkdxLi3upkbVCVWVmp6bSTsJYe0MFssy+RWZEMDAFrxoYHHNXiKL1KHqMA7qo12XOzRXsP8jL3lVdZeQDgFWjwx1elLh4CoxRYiwgduhJ6KCaHCPwChQt3H79W3H3vttEuTn6iRB04Yowk1kMQ/whiufeWca8AuAcFk+APSJSh3ZklOVhc8G1y0dE9YotGEEdiieCaaCuUOLdiu3ViQcnkAe1cLyLGe0Q17Azq9shCiunZMhl/UC6JQYzRZ9PHCkZX5BtC6AFN/bKledOajOgSDBAfMer5s1/xaXE7NWPdt1RtPbm/0N4AC+cKKS/N8VV5VdIyiSYYB0MDOgPbQkRTD+q4fLorRHYHd3uSGzIzat0tcWH1cijVXU37RtTgfxdW5XVMprm02tlNdU03FBgJcPHVvynnn8OjB3ykIzO2XFIr0WBv/itvObahnSRcGHygbyhbIJR7sZpWR6f/2pUk8utNheU19MQdtRKyShBW2d6ffv3iuY2R2DjstVnIIy1PGgB2/AbGgeuVXmbf4uLmCVIEUUebtqfmjYv1ZnHOLuAurNUmH0ulwOVg8TZr+HkWwS1u92gF3XDE86kPszOmmNIKvvW6/9hKbu/au9a2YsUxeTkYYBsXV5Rp6ruqaeQ3e2TgYXkQC55hJVa1lKJGnTAltQBwSapXw9cGWoqUK6KFasr/XCJRDX+GV0web27g7XUjFG/EkxhjTLsVlUTxvgnxKG7BxsFaK0ZJ2VB4+6BTIN6rzvXmjsa5KVt3sGRdQHUN1mhdiNHa4osTzXQLM23TCa9ugvbHDUobBmJ53cCMdjK3QVCt4i7JVT1AFUBR+7X9fZzs/qpg41uGSS6uSyIpo11cyIcaaR6cZTTBFrd/veh1n7PfsUQKWp776Sh4b84QmRfZws794a/OqTGlUUF9Zaa1kb/xxMhRsWD1n01oDeXEx4eH+yGLGQnmU12s67mUObZ7dXNjaO2G4qMfozg7TELeeVpGH44vr2gYIKMe5LpwoRa0RCtslDkPQ3d+UqyzMQP7iU8uaVqcWy4Mz5uCUmXgMCAmMGZCaAhQKZuGRKVnWNaYwstZPg6+9dIxuLhf4hs0L9VUMxH0ucwHqHtb6SEPyb5mbej8T6OhbhTAg+tz8IbhWMpPqkbckOZx56ue/b08glmWyFYJolGUvP5gFmJFP4Mo5tni09XiWFGe/bh55ZVCXQbc4SvddgbCBWhdxpWF/qfNm8AeZmHXuCTTx7rpNOi/pSQv05IV0n02kIse113p7w9dNtC56ajV+/jkI8kjRC5KTRQ9+Yok1k7iOnifDlXmIdWsd55Nt7Mx3L+H2i+7O7IjHvRE7TNjVsJbQkToyJ/IYICLIQpEQN2oKBHkPe1dJ7K6psnPHroNrxxttU8vM+wo/Kjvlq1cumwwYCuevW7BaR9wI0SDnbsA9B2xMnuywP38HwkR5QSjU2uNC3xfmx1bQSe43zbWpGCFFlWJ9Wl0mUsYN2Qm2yfG2qwrhtPeZL5GgC+kY7hpB2w1cNh2Z4nKe6EE7qDdsBKLkABtmeHy7N/rhxyr1byNcDlylzfpVWoOzVG2welVFr0BEF1/6ZCPmOieAIOnev1wZvAEJfKiDTQlG5ETQe8J/xE7Z/Q8Wwm5j6Mp9kMFaDMulhOsibYq6Q14FuscUrcWUrEp6HnJs9A1UDE2BY1i8lqAMKctMHPY6MPezU36SZmp/Md+hMTZIGhjEMl41hW6/9859o4gte/kIyST8UdLcur9YrJcwYUpRTATkWMO69vWv3bP7eABKtXqCLxSgrqjUf8ttDFhkmAc55zngdPU1Ns0lBfObbxvN2iDXJTBgBSacZ2GDqlURYMQMnlbwnCI+k6pyRczJ1RsLL0DDfhCJsRTJwCIWiOVEykg8JtF6wLOsyKSQRXS0ORgSLX34rrwXskqXAg+DypZcp2roVnwGKrjbYchxfHUCk0+GxxsdxBquLXeXTw+5MEfkLX0jeMLr1HfPKy0gyy+5KsyxarygByDim094qFL2ekVU6xgTe64MWhBCFOg7IsZNMuuqWVUHMt+Hcx5cN3lb2ei4t795OABfTtHW+K68mc748oj09RSbfGHV1d2XrN7pF5fjiPDolJawXealsE4aKhOlg4/K2f/syLbOAL+dCD3xK2L7m/juw+5F5zdl2wu4eKLK06LeX6YoXiKDKsB7gftBZexTejoCdt+1Wn3CcqfxwS3GOH7stTfAxaLs5h42K92tzKbzyPk7652FwWnlajqAH2HaWCiryKDdodmr9kqyVF0B0G5kJlxMSldc8tb70BPlCUGqhezvTD3pSywUcjkA/JSFvUfUzQLJlGtYiMkLSfMT3mr2ArLtlIq5g8GneoiZtzv3wkUAArSmL5V1rj0ty1zYorv0P1Q9SzCTvU45PYgw380+euDRr7fwa/pMWgIdQXz3TqfTtlgw0guj4NG5Uklcc2r/W1aoAHpaGDYY8KmVNwtyUqeMMKiJ1wIJykWSHKNjleacvahOPwVTu3Wg6rPh9hqTzi0LOaoVGIzX4j/2FHCzyeIvms4Qv/YWo16pTQnXAP5j1WRx/cuQfXU6gsvXRfvvvhpvTP56berAAiTgVU/pwUPZ27lSHpAQTZOvAJbftlN+r2Rn3q+GRGsy/E2Cs/RYOErfzcdbxlcxu5i327BTETKNKCiF7GsN357iTir3VjEkSQam2fd2Sp85V6Z3sGnhnOHBxy3mzzhLsi3asvVLX58P5d1y0J2GnaTD0BfU9+SkFKCv8i6wJPGniB9b1mlwHTRY8GFLXK99mZ7OvYOt80y/08n6btB2fPfrRXNvpzfm/tnQUvs0sEBaBhZiQF2QyqOm+IRTiAD+Cu3NxsRHT959vkUn3c0FWP/i2X3MIco0nQAY45HShBWyL6y9gT3Y98pqG872626I7u5ZOTP9Q4wLUyP1ltdNv6M05TkY1u4ZFMa4HRQ59pjJIgVy2dRgufJzbSTKvMtBjpKpLhSW6gWVWDYoG2hxwYURo97WUcaUkCbL39HaessAyIVEHEsZE8FbL6qno4zfwIhlI5zBgJheJlhCX3lzC+Avah7pRJeQ/YVu0X+IMb70pMWkmAJj3dnaO197jw+M43hjkykoApog3ZbuBbkFJLawtpDfpMhD20CYqIw00S1kWyBBm/1eYQATQEIzlZPy9/eanv+qCuQ1zsH88FqmQZwlFEbAmFLKA36/1ELO2N3hXVKj4/YaEchNNtd3GPDqj6/nvhfQOWW3w3BfJNasuhTQd+0NoGZUy2TK/IEoIXtI69mAyI6Q2FcEQ6ZMwbGqSmlJBWSqHtimYth32fXb2HsI80rC6Zih3b5APidjVIzErw/ZcraQ7cwcoPVP1mCWoWoFWQ1CW13mn4mz6iHdZ+VEgDUWTpDJiJmBDlY9KED3x41nitnEwizO8rnAPdKtmDkhigzwTb07pXjr9i/di7fZzS0NTFbFLqyO2oeb6Lmh9yoNuPZy0XuMWvvCg+0bwIVHIsvoQsUKaKVx54rkLWPcB/DEFwwy9YnxMmKRqjQBZWnJF2AoqSzHAmjuWGmTsHFg/iczfWvkz37Hv59rsr7uYEWpAlQ/yHbgJfPuGGWeedHt7YNA5XdfiMJW2QzaqDHC/+/og/QjgA8HadYEv++vvpjJTlXPI5tnJ+v/ONuTdBQqgeNwJnF4o4cIHI956Av5qoQ+BO2oLaP41NE/bpMt1uLrwYz6m0iUOW53MzNprBzH8c9ufOUzszVZTCzdnchjJmnFp6BAKQkOekrN1ym4Uv6X1wfYpcHmaNQA1++JgFbqOi04je+ULmVsbW6NpoVsAG2bWLsICRCKndqPUNzUSZIWadaiA14yP+q6G9fQdfLsKaM9u7miWsyhJxHuSWXNKHk4g77SXmDuONv2AlYJJHtqn8YGw0/kGyZRCw5A05G1AE69l3pIagOBG8dNqNUrcgVVjsYb+wPwjT8pYY/ZsGIqY8/5pk5n/KLQk0WpNgMYVGSKVeqU2n/6RR07E7WGcvDgnrdPo8/9QTMzG69TmD48omvIuMmQ3fKnfqGRmx/5bSxZI+s9xP2tJ+b8W+zoKIHVmpeOMfeEmLsf/ROElQyy9GP6HfUR9vKu67ILa8f3O6jsWUw5qNcTojax25gywLBau5FDUiBaBUiS30X5seUhC+uq8ZqJOrqG+iQBlhGEDvy3XSTp4Z3EBTOrKY6AMHYWauCplufK8iF96EKKGIyrNyKR0hP2Akh0mfrPPeZKfx5WWVeXURYoi1z6PwHs1AclYFoOLr7qzuF/AJcyS8BSrN1aPnk57bYIG/2ILVzFLNQhXmeRyXHXstrWhRk3Tjrf9kXmRuB3HeA4P/LER/5hLkg73U5/pl/r+TEAIEdUwufgBmfpl8ja8rc7Q2uNSJu2wjrRpi83n3CiXouGZ6i9yrthJzgX+tZ3K/tK9INfwRVJbjuRQJYyCYgH2Yw0m1hsoAshASTOBxcjGH31B+2Z8jZ+hAHvCrC/+R+WUjsq6p3ffiA8QuKuUstWc3Fu7uLMyNCbm/890m8pc+i7u5cufXKd9YLcmqdXv7KGXyvZ/dQ3jrT/Zjr4Jzw69SoFqPw2wrVffRBXBF3Cgr3Sa0wIsEek9Q3GoEY4YsNBT3Kh4afERGeQ+OMXluk9oATrXvUY8IXVhIuY0teUq1rNKbCOztWuCiE8s2mkbpVGrkm+8in/3jP/aFlbOLegsSzubGobjfQwkXqg5Te5j0mXF6eD31gEv/ff/QHnoa9JrZsmV6wVH9DOY0ZuK5jST5e6NC/VgMuz0g2g+CAhy7GODuRfJl17olFbY4ADoUcDAI78QNiadb1+Ybn/dvhZ6TXI36M/BP+h73zjOUsRW+rBZz1M5SA4+t8GpfLXachaVDANamqE3Cq04Ti+pbDL2vLPibaCe8OY9z0AKlJ9lkYjs1wLy/+luOEYnGw+fB0Rs4Oi096XP7munwmq7juDtc7fAuPVB5HbPrVzsnN/LXDAfav3umNGgXKoWZqhb03WBsLtG99dOdwkglMtti2h9oEpi8qbFtxuOP951DmHXQxnYp066gKEjwAa7gIu5NzCHiiZrd4YuucELC2jwq5f3r4wBD57CzBD/jZugcXc3q37XUffpR9FK7kXvnff70LB3eMs6rIfCOnBD43LU8oXxUX0LKDXR7NyXmJ5RhH4jGqLG5gokzZh6o6U9Pv8cM9oFV47MIlvYnXkJ5TyAnSfNwhNsEKAwItYhEHUdhzECR+xgIkmDFQEnoo5jQGSpTg/QQY47++TnNigtmqHKhDUJzmjbBFDejIEb5nB8uIk6Bw1THM0mLHmxyv+e5okeKPcgq7JanoWXg8/KNaxL8ZutBkPGwkilCio0fugFGIyak96Li0W60jVQeHoJ3ckD61eVLHmYg8qLiYvT0mWRzWuiO6Tu/Lzpz9rfPA183vbuTB7pvH6Bqa13jr/s9jIfJYJYbpkTuGK7IROd+USN9A2/WFpX3wsqJWffTJc8F8dSzG+ZWrjVhzE7JuIpUIfTvcZl9rKtQ6UpOsD9XIRUnFavsZ+spNp5ytCTQAa3nBSb2gS+cIW0MDjrbflvdsgbXhppa+aDzvB0XS0WAHI5RUg0PYuN7A+RKduLm29hVFdgas/OTe/2kZUogNW4oHYf1AzYSo01kM0m5jcvQPJUSdvubr0qZFwfjGKjyn7ZbtHg9aIMUIcB1OFsm8ql20M9PGsDbpAwq3JvvN9UwP0rOWmjOzObkhV8LDp+WM7BrmjJmLpsaWPXn0aktGSpZx+QNaPQTvocIJDrf3K3R95A8GWC6zCSfWGRtvsTH9V2nrsRpu3DvY0Jk8mxM2Xsr56M0QAQn7Zddp5/gLMs52gey93Hc0WUzdEr3z+IHdDQ+S83s4nn8BDp/7TfGV7NWLyNLgXu9AxdxHVI0zM4ZoBIBa5RYOTaEw/lz3NfyXu7f0KKXE2EUjov7+1ENQqD64cWffaZeDAc30P9loq5Q76DULaROD0BERlfvetUg9euIXIa4fYYIe7MlCI310ODsCLpfsx+8ueiPDvRI+7WHl/Tt9DvLZQtQX/A/pyuo3xS1oaMzWxzb0ivViiRIyV/xtqphUBy0i93WM05O3U5XduN87CGZ8L4RKwRs3uSeT9gZdS/tnCN/kcxHU54P31HRPtqZO/osoIq1Qt/ZSos4adOfxZB5hgFPg8tkEoqA2fRmHkaagicYTrZyAxsQ7ht3I8KfV+RD1UjsGUjH/wcJ+cwpd3OUXyXC0HYKpWZYwFmT2i6f3CrideqREqBuS+W6UEru39QWUY3ZUBb8pZXu4ZvMsB38C78z6c7m+nO/M6o6HH/UzIBOc3LnTPFlGi3C192MnOuIafGnTeybfg6aGvTmrQ5lh6K3Y1+93arMZqYKdwpcIwbfH6zj7gDE1/RH5kJ9ARiM2/KQnVTsG8l23AjHMSBUbpSPpwBbNbdTxL7gjfpQ4Jpmqc3U/eY2t7om5rtZX2EAPYyRYz2uLJRzkpfhaWe+iXdZSznv7Gika0SXdSOgSWGpuXbdQChcEQybAlssh+53obzoWbMUa3EL+yd8Dsjb768i4Mzv0MkTtfxf5sXvoSxIL8UNHpPqzJXf6oFcg9f/F6BiY+xvfB2VzmgJfdeMtKhiw0bfUYGdBSLCTUYsjDyoHEz+XsmCshYoOWw8XL9lPxPYEhTVCW2mFAWnlQ6+sk9Wuod1Begtw/OO+kzAsQB8m/z4zCa02m6ciwyR7k8s9B+6FPvVPowC2VbtS6+Jb0dWm6F+wikjmIdsXvu3eBS7aTyCGH9y/xCQ683ITZZJpNS3UKGS6ee6Q2gyrGfydmR2VtNd9ozxV16pmgGxXjOqD20IWtL33YdLiO/8+sJv8kWqmMxGt2CJ7JOTjHM33RGzkxgfuxo/VjaIckLkBaXW41KSoeUhyFD5V/n4NmF4f5PFJbkmEtuYOrbjm7nwddnsMbW3DdP2gh+g4HQWv+HpgnHftj+ao4GwBzCkgG1Ft85Qamsi6ECpR0ahxKZusXlqZG5Nw5kG2yeXLBofm3Tjhba122sViC6ObbsOt4FM48p5aUi++9Hmvlv6UvW1i6KCUdnsgYtOffT81cAdGDdC4iba7nipcj6uNsIwRjlndCROxRmMQ4Tnz36ubP7/8u7HV8TmPjCkh5kyJ7/NwOvgoed2F2xoU+sklWEJE+HewIm3gbFJibgZzVYhsWkr+wrgy+LaoR7FdbHUaOLK8TAvhd33PPK1H+ilzIH7cZ6NCiq0KzzXb2zAPzCJGjXn/6J6tYzRq/9EJw7lkSIcc0h7xlNU+nFQ1vvJm+F8u+bF/Evjt4+uZX2fdI6hiFUIxTZhKXNchAFQpgHs/+FyhGX3KKeo6cxfc6/3hH4nyn1dlYX/IJVuVWVtJ7gBwlfWaDPBLnKzVunpMVN0UCTjF22sP/TnXkyufyK2PmQf8lI4spowOOLTL7n9OKIBfZRCZPaNWNghdLtl3ErJ/Cx4z3GLlyCbC2UNKu9OFG9tEQwNo/Aa2vf1dev4If6JU64WZuTo45q5lEbW4Pt2/vlIAlH5ZCWGO8mCg45R5MmzVv2h9Y8nXlUWlj4utqzFTVKTFHmzWElJgOXQX4z+2+dO4TkNw8U0QEjhYWJDAPP92yb+zsHD00ZcKzYavNShjlS3oXDr6NclqzFIWoVZ1QgRMkFTQ28sVESVnAho+SyQ7TtI+fYfFvK4aoyyj+un7hfNj5LOD7mD6C1I9b56B/ISQmeTmmYYTr/+jm3ZM2S4CptPnd65BL8a/nAn/Nt7QpSzn+o177Rf/nG1yi+fAxBUEx0n7ODH8ouVcaY1PXhKKRxryY02Lxg5ov+q0X4Gb9D22g2uFnH9jtz/75msL6NqbtbYsft0fGC9K37Ck9D2VV1KZJRKQjcnICTFUJDUZCPjt6BaGuw/pff/zRCF9CqAaDEJvKhaUR3opCQ4wXW/f+3pMRmla/+vid3fmb9dfc2v/aaVwnvRjeDGx8mWf6B4V1ZI3c1w/bgEl9pVavVhnyhuZF7UsvDlfGrVPak1PEfXf2vPnpPxN7gYWU1rnmDQ6wxlbWwYJKIEfuWXVq/e/5HyDwmJW9wP+tH4hntuG233wHRs1j7TaQC34vTZkZmVefC82SizCGqYEiQijDMvHgYAE5+R3+piYL5+6Yo49Nfu/+ToWF+2yhEZ37OmXIfePBMPy3SF1rH9jyRPiepHk1meL3Ec2i4Feavifkne9dYjJ6t24vfu2gopt22eVj+/dB+eoQWQgdArJi063ve6KrYk/06naIFo7cOXROADmzXzohWLyiThpxp7I5nSfKM5M0ZPFtedg8AfNm/dR/MFzO/Y54kvLtYUf2n5WVZ/SpONb4UPAAD89H/nmyDUXi0MqjlvNiXNkELf5Pn7qvS88hu6BRSMB9YhKrI0XdAaPlnS8F0+gVHIEB843gF3cO+fWVSqFam8F7J1xVJjxAhpKJbrCLp6aUM7j+yV/7Utkk1lvBO8igVAm5G1dLuzXWMgjYaGyz7/R+/S2AGj26D/Dzq/cTm75/ZWOphFIMXlw6pR+zHJ4+Pi6PpqDsl8uSzONftnnBRCjGT2Y1Q1kclMoggsbA7t7iREkBT9QJh5ru16t2mPTxuU8WVxdRVtb7r/U5L7ZxPU8JyVdybdjspqaBEHHYYiN03KIllk5l/q4fob2LKS2CffxYhFZjHSPxRJXkd9g3itNrJ8HjjGY5LtOP7N7tyFLRRXL6P+v5IF//xb4yqGM4TI66a2SdZWu/9NL0fJSCTiK8ciUzLSKsL3gb+6gPiH1AvX7jvTBzzLW5gWS46g9ADjA3OQ7+WBO+Z+oICNqbEkTGvP/rFch93we+h++d5sf+PNYaCGgTf3pbENX4RBi64RW3ILZqocwrrpFBUVtXhuyS4+2HtAh5seZ1vohDQqfbZ0XS1kSOLptnoBCQElGWFwwmQnpCx/UYkrHgR0AfrpYhFoklSkUfQYdxDzR8UmES3a7efM2lBKuH//3+SYo5GogQugatafm5Q1zE3RxufBhDhBAqyxdDpvUeeJcsu8ZPAhbBzxAH/cipEp/+i2J/Kpd5p6BuRJvPofhKkz15mXvezOXV00YTLy8z/NCFYwR6NKJ7LhfB7G5zuP9CLWigQDzYVvuA3KchfxYAaPPfyB3eQGLxw5qbglKG2wwC1L4tt2/5EJ1lxKNThZL1kWUw+3TtvYeIFP6l0L1BtphWpyS9vCBkEPAVr8I/lGvL8K8xlDqmD28DVBTLlsX1LSkPqHxrBkaxLkFi0deAZrbmOXuekCrQy+/Dkzp6aY+zzTWsHYGNhPPrDaYtX8vbzgl7vK+7/MoBDzpdH6yM4FLMHfKovV/D+Ai8C2clkpyFIBz14/dvyLP7qJ6gxcCpD+JHFlSFRJuTZU1BWioXttfgrOqfvzXKjgf8WgDvfrxaYDM4F8u1hX++BSrnGxHkUpM64q3LiOl8hRQTwIh1LKKSZ7LegEQTnVBevJZyEjD1HBArfDmJ66EsNld4QQDVdZOBr4brhw+WzMfdhupyQJVgUqNOVskmsCm1hcGMT5+5Ozgh1VMqbgxcDCOpxM40mswGps4ShyUr56Ttqyc9ULK8C/barhgqwg4UqAwcDu3vLdNrnOLnD0jY2e/bN1CZqRHex6VRK6Nh9IipOOAevpXKRSY8rMYBm7KTHTbBKN6lyhAB7eqfaLa4Balimb/zjAiOi1EhB21/WijZ8z87ysXvSlKcycrelsmUxXOkAjvaOofLCFMHesCAFzL7d/lIzC/W0YaykcpjMEtejBrQ7w3sZfT6bfHvsNfQrzkt8zBC63gVtQpRltCYPWj2d4CZprqJpE4Nt8l0+Q9Gls/dYepgsyvt1bfYT9GBMPiV57IzwJFnG+tUj00NlCEYqThF7nLw4SMwoKhptgV0WaPkwiKmkq4dTn21efBwaiYd5Ob/Y8NENiGrXF4iZbq1HXWvPQ06J0yrWwSgO635rF9dlTL1sgcWtnuKV4Av54O5x5d9eOd8ZHdc3NsS0QTn6hj78/9dWnLn8PEXKs+S3WwWklsbDZ5t+wODqu8Mk6c004U3C+dnYWnn8Pnm9+0gcD0d+WWrSjpIn3r1xVY2/kJ87vcLXMQe97/xCA/stWZu9lAWeSI28qnbuMNPG6y8WjyPLwCxmcoHSA8jyHHmPMRHO15iWZQlx0pqedmsjYutHBaI8vxEt7V10eu9wRM879fzm087XouoBbPY//ICZbfv60JcNAFjjLlvz6kBuKvrpBoRlv1o+uG32YQRwu4cx4rCU3L9QYQffMkiF+6OnBzkjfNiA6538FHbBpr/5oCDjY2ecRnVMUJ2hRoVPneMF1Sgljn6RagE89hUCfF0WPrwO3Pe/fRb16nyaK7zWVv56MFar8NOIuRouMyDyDTaGHjbcGgAjL0dTXd5RtSggdK7l0+x5KNyVwi/jHUurChydUV5Ckq/fLNJaBqea07SxXBAf6Gn8+/JMjSM5EXGtUY74oWvRJ2o9fedStGoTuT7jPMc/ttbp1qrO7BgOBp0t9z4Dag+VDy0vZ+MkhHC1bLqnbuMw8mcqbjVECv5lJjdn3b5qOfHZlj2ORdMGNHuwaiWYwmBB4GvwmjU0V71RhCO9y1C81De0gAKGZGPO+/CQB9P/l5bLfmFDQkVLk4TUlpFD3U4CdJXRB5f8UoSURWqTNMIKLwoCrwx2meTqz22h3PyXMpIc4hfgMaZ0nZmQiXGILW2pF/fo4mbWdrz1Xq0aNLK0Z3zYQIMOqgh2wnfbbs5AYn/KuO/me5v4BhalXgasNL7KwTWgD2peyoy8mvrhAEy9agGZBiZMJTPrQOextLFqnwRlqS6IqEgP8aLcl2BT11P8SJqz3KM+e86MM4J1So63rM1vkAip/ZVgk0W8R0dqbriovdNPXNnVp1ChaAHw4UjWHHkrG7t3Dz7sxqp/PRffqnM1B5ua6MwzrzKxzWkGriOVCMMiANEPpJU9rlH13eir4lBa2+0ZQdiWrCBSpdkF+4+1FqLZ9Zp7/LxyilLwvNA9+lYv9OiI2r21m6Nv5OPa2ozFRvAZqpaBY7FXC+PDm4085UiSAiiLLLx2JwiQy6wojWql1AkgmSIRSoD+X5tinJyIsWrVvY0GaULObDH/unIglJPXbpLAEk1BQx1kMn7DaTBgRel1cgKWuLaZz1kQsTK+ZVaiLRdjfNlpvFfdVKtNpYT1+UzdeAaI9XAFueh6OgL9k906t0OAylLwmwf8NH+tdImcI2sjVNOruXTigOw0OBbfhWw9sNNuea75lKcglbisSncOqVnH0MyOAHRzwvpvI0cBnykaOm8rC7+LradeGy72/epXj3tzbG04YguzI8HoYDAQD3gfFCE+tOtxcdMYAzsiPQbSxDe7pbkpizTlyG7WOMue6pPDXiB2ISsYDaWtQXnX3mq2SShXdKqO0sR2NTq2h7VWKl4i4wRGFCSrAogXVVrkOKr5V4Ne6sKzy4RvVy5VeU4g9LACsS4jMl2A/bgVSll7dDUamOAaFrZ/BEWhId+bPUQTpeoGaDm4GDHW0+Prh27h6Dlu/JeCTKMInMoJlx0DF2eWdSmrJI8fIPBlhPdbgStbVhBiNdtmC8rfar4FZqJhRor5ZswxHjaV9ig+cMLGuwWY19DNagqZSumoL8Kk+z5lgljEd8uTbdP/4nRuJpjagb58wc5RlGY+6BgOmxLrAwS+nA3YurQEbjeDXjpnS+zQ46TLIvl9usBTKecXn+pF4VI5FaoBwNk91nkGl9EDATj5xeM/8eBZh6Z/BI3lfjTBf1PU+LH/9iYrrbfmHlrL+nNW3UNu4BR8KmKfTj+/bujvOp/h5zgGb0m1riscpAxux16t19+Q0wxSct37a4Rxo2GGPEPjprLW5njc2bDfVC/Kb/0lJzQsc42X5giz8bWNm63tfuyNt8SLABJKAdtgpQqNbRnXzL7+Wo1XZfaSyAetmpTlRbuiPjwq5RjLdcsnnuKJ0hFL4OQeiS40MiqxESFJzePuiedrWSzu90cFPuD8fI6NhHGdF8aSJ8BFOsJ01UxTaJFIGOiYxUP1g43DlaAGgj5Bch/851LQl93sLDyYP2de93E/agJxpSBybGCpEl1JgPMIZsQZKiW35GqckWpKpWsoNQErqNkeBBmpnhRqSMGHGVtPpFqXIajFFxm/v2hKacSs6Hr1zMwv0+PqWJ7KBzN+WvzYyC5K15MnG2QeHzWidkBRYe7Oul1JGd0z3DB6uOz97mXfPeTYewpf7eziFRlc387vNOasSot2oLJoqwEqDpd61xrAhgt9GzoD8fxPGrFx1DwUNtDa/ac1yKVVzgw75wAKEHH4SclVzr9za65hxFhBrcFNtJvTgyQAULeCRKUKYpGcKTHqmNZQAYH0q99dhtOgdqpbyRlKF/s33UhlKey4j/fX0EP5u6uhLBeDmId0Z9zkdIHgB3L3b3BmPu7PdYL6sjpF0i0/VBPuqYDSRUMyixR7zES1iVXdRXieBKX0azforhLXpg/HejgcJECwaBtNSB7AB1Bqidr7SLAYcQYfCqEJ3KKkbSMrsE2Qu8OMO5kYX24EUq/7Z3YAW52EKBouryx4iwfXVq91gcTQl1W2JH9DqFx8SshIgF70C5zFRI6m8bQB9onM2NQlbepVAEEljjjamJj7rlrFHIj9c0uX1IpoI7cq9kwy3ALUeLDgildRTd5l1M5c23UkN48yJTOee9tYK06UPc7hzgdF3ZxCAnyafNO/iRuVbD+Faikd3VSYQFbBsgvKO77jhJdvZFIz6Dqc+cN2S5tbHXxLrq4WJl1el4nx6IUQgxLpUgArCqF9EkCO6Wdear/QHWEtKhePLJB8rVrqaquqX5ZaCFL06g0tZ2mfnS5MXXqN+okePFJpHyIv1RXYbWWmkM5y7kL+EuE07dmdC3VSDMmXU1cYsB1PAnGrPSlzKofe7KWz8mbg4n612uA7LCEp36WJtWns+kKYNVh3civQJLV022b/fiTRGFnt9pvrwiKo2toFBRmY0yQmvi2YYFFnr1KM14OLQ3dxYDho9geurtF0ubRlp7pHo4unQLkCw0Uiekw8wH9cnm74rOm2orSwQ7Xmz5aC253u7nejOocVmAYjs8Xwu655wF0sxeCoKJJqnrwFNweZ/9nxnnlfrO7NWPx2LIN176ajOooK4vkJdetVlmvoiJ4ZeHWVHe2oxiUX+34hbyiRmSZmdkDR9uT44dXqkDb+TqBsvqiYRLA8Een7vkY7kWxlsSZx224572LFzrcbwimLpOW+kqDLfOP9rJ2S+l/HFkQTVlhwnL9dXIJWgwpkYyzf+KX00fP/xLoGXFaCgsVipVIrYyrTpKUqXd6dSa0R8ltQq6imr3Bj82TJ7AZyIUh/347kBJ9vTE4TLUB0VInqftCIlPBlUhVu6laFEsLm8om4DQ50Jns8ZON9cHvXDs10mqtdzPmQNDMBuHgnMkLsZwZ5+Z+KnIVJXOso4FXaF7HSc4BHF2WKiilrIDeHbi+gWN7Xzm09slaxpZqjVXIYrVYRP6oS3GCeHnlyfhKUIc+xW1iO1PUJGDdActLkJGlAxKrfiaRb+l+oqqRrmLQbQd5IGhC+vB/gb7+T0zOBBfxn7V9PsKJOVYB5HsNfBCDCVMuzdCpyLCtOO3LgThZ2kwnlUfCApeURJlkuqknlODMeuH7uahBpPekYDr6Gu9f14rSxIPbeH8FCXGjJ6Hxwu4fxNVyJ9+3fF4zRG0O2ClalvpC4Yq+kp7ub/ZMZU/PzuQxWwiDpuAmDTps3Nc81OTpCvEAuSS2O6LWLrj0+6CECpz1wkOCVMPGreB2daPSr22qKwsO3CDbKz/9kErBi3YFKrmNsblubFN7zIGxu5+sx+PmHt4mt4w/Tu7nd4rR6NQ27HVMSNdsSQXj2Xm6yzS9X7i9DpsbXfUS+kj37pFBzmZtfnv5NgeYYxNxDKsT1BojoGp1Cqld0hS/Udq6+eILXhBBfteo00dEH6hUlVagP+o5RWSx8AGEw/3dVRTNc5POJv6b80cLUKF8EJCEQFJ+AYxzuyhPwGThl9avHNkKs+zqnyEDBOiNMGjU0LWDcHyq+XTB/WCH3NrgOyyPDIxWZ7ZYZ3ZmGxelM/L27FYT1CD2uOu51FMylx1iVScGcfFb3EEt0v4KT4FCMS4JAEBWVHCJAxxq71VR1DNVOvTlB1kolyVhDr1rXPLjhWmOf7+ft2uRKSE1qZRmeMYbO/Mb4RL21dOpe6rWV2d7gjFxJFDzjo7iwVYytgFU0kDpUFOTY3JOJv6HENPNY5/H71oHUIVzB5Qx/LQFKuHgrbz16g86I7XdjRSkm186qEClopMW0AZLYamBD5oZB3nHvcilFs78R2dH5p9trxJ7j6tflELcsFAEYtDvySjRc+kQg+Fw7K+g9fGlywdT3ouvNC3sKoinNfTHxZnj8QPsZ7PzWUlUJPZEe7uYjSgjVx9uO81u1LKBUAxpNFRQJzguCz4SpQ5e5hX4MoTz4yVgY8fZWA48QNS/Teamjqu4QbEPIemoYduuXrJ8T4z5jC1EZpzQXNj3xFOY/fPB1hvkxd67qwNEIwuqCg/VS5UM6otF/8Bt8wfSQiuLqOyfsrhkCUPPrgQesx7Bv85TopRjHWch25aa+6pa6gybgDhZjsbfT9ahRx3cbETeC9LX6AfUezCTTDBmebG22MuOxZkRz5q1Pphoa0F3xx2GE36v8JdTzsxXBZmriFz0zWh8cKdP29IdnD9WUDw8rtRqb3ZJTDrzetlcvKA5aVUu0TB1z60VKen0TB3/0OcIf9flj3fWGP/sx0cg0VrF4ABfjzc+iU+eCq5/X/U3uBVx5etTx211gFLA9nWOA22udo75ziMUfHTKOxkhZzbdvb/DUs14Z5blldgax3UO5Vesn1LQhJNW90D6N+KJYEM6JX2beuDrcXFMGgMaDKmUyuCdAR2oQ223daqdkqvb7kVeyG4mXf0nxTU5o+QBwwg1DmSsEOUBOVQ4GWyA6uReN2pe+PTZ9ojluqpaYyekdJmlpya/Ruz6t6+7c1Yx8JxWM3nAH8L1F6B2gQoI9mxs843K6xwlZr4+c9KgQ+QCjlH4y23wbbjB/P29BfjYEWtjgpyx5nCL+afK6BTbLzECLXTG8nX7Q7pnvQ+mLzoTB3jjcpoVr/GrMwJe7NhbQ3ZAIwmFd1LaUJv6sH0KdugVw71Z05frSdf4vFCVW0obMDwv1Bj0guyAKObXh12QmRr2kvb8C6t123IcQjmWkH0+hBUgq0qyft0BtSSGQxE+rd9VDmeKVLfeIIA1LcV9YRYVAhD3fa8LrmHs8IQiZY475Y/kd2C11PlGDMDm0+KpwMX7qVhRShHt/EiozS3cnxEz6oLyBL9NJunb+JNStTyih7ftT/6obxyQUXyq2UW5fwfYSxeQR8Twqc8D4gw0SIOcUBuS8bGB3hf9Dz2ioHnfdPQtdWS5lvP9kz/TmB0h4HybjbCnmuy0jKUn9tkp8vUJ1RbIwLyGYk2v8RwvwEGxIBM4CTNlBS+mDvKSVK8zfRvichXdGbjH8lNxCNmEN/GakcpjlZ5XmzJGn9AW/daJm8e8B7UkVU2UrwRtZ3jydrP0phUREyahzvJcw4swSTkv6CzhXdbkAAnb14iWEgIvwLrQmz9wAwlZqSuMHBAkIsLxmCzGKNNjYL7dwdrVgQHihberG7A+YyYFPPZG31G2lLEykHvynZunQUHvHsxO5lUTUiwlNsGZN2VnAxVgWagaVa5S42E/P0OqQjjMPI/wRlaUmNPE86nAi23j0GyV3d1Dsysd6uQ6pWWWPmFBu8GY0nNU86Dqo7rFE10PU7Vv/bP+f9eDESxA9OE/1ZS3kapRS/jouP241I963zy896dviI4VXVeFNzFI6lGYMmdqdI7FY+X5u+nPSOBFc1kxsaSre1873GdWjY+oKAtsdczwzql3niY5pveEXXld2piLCSzwIifUrq4+I+jaSF1lFXvLv0Ce68jlv56T823txp+bcOk4ykG/2hLkA9t1UaS9hs9BCh/V/wF92FVZoU9r+i0AT+3hPeiDoaxg8ZTT2Gs3RSwYiCkWqwXuZnZtAL4U4Ua4c1mZzho39TXZ0fY7VlzVWc4wHHi70bptfSHDMOSX7fMfh+qMlVqDHxu6Z7nci5AIwTkQTVpBXxBz8GnCqnxYbC7UjnzXlx4XkJ2xZQf//1/rK93mz7Wtgv/rT+8l8f+vPxub73/hxxXhoEjL2+C2sCuTZTnG6Hup0MlY5UGeHHUOF3pRpyCjD7Na0MaH9wiep69tr39fR85VxYkRr1t6/er33ggh9Kot93zc133RV33T9zziD/7uf0UkmxQVXZKlUGqlW2bKtbJQ1gpen6jTNWyV/Qt9si+O/8wkmAfHZ4GztsXJyWArZ2JmZ2N25+dQ8FurN3u8GfOm983uNye4037v/P2DBv9usLaB7/88a/CyAc3/wXnGeZJzT8qplFHnb/Rv6KfoW+vH6XfqSXwf/qH+pf4X7n+w4RDMwHZoBg2MgQXi8C+UQN0fowDjBkaxjB2cxm1YgS0oQj2OohS16EAfRjCDxfgCq/AdfoU/DVHZcGfkY5zsGoDMWUUPlnTapneCi81A69x5ay7SGgML8tOLzXaZWuXbAlFZibqXPgfmne2ALIPOhJYalhedfcXg6M98cO+SnxmfTwVqbkRpWmPSrWVqwMnHRlMFQKsTodidS1O12WsE4+gJfm2SYPRVMSDSnCXpgLado3Zva3ftex4Hbv0kor34hxe3eEcXsf6zWxtQqMI1ftgcjjUWTw1jHRFLTmOkT7Qtcofa1/Z200k6bO/SbfXI/cPMbnnbJNfD4j1Mm72i4RZgwUlKy4YUWM19u3cL7PcP9pdRbKA6eNQdbhxu3pYSeV10apukMNppg0bgxVsV2NnuyPPoTv/52XCWLNzeOqEBPWMgX705rZrrQMkS3cVPVzcKmaMXn/cDqVB1Ge4z2SNqCDSqQsvQ04TvFpEr3/mQM/XgaHWQ7zK+y0eruGws7UrEz8y3vUMFMdNMvIbcFoO07T3fcCtOzQK4zVDogfogyUojN2ad8SjL6vRqeH8MKVU6NgBTZf0rPag9MGeQdaSxe8g0LM0XrtoyFyIE0c+0Lnp7WJun27gfx0cA8VHT3yDwL6fQ8JOLPMBWNIVMFWlbmSx7pfN55bCuCTY9DMci4Mz3aAGkzx7Lx/D81RHxq/ete9uL7u+6wYWHndPcsN5m+z9+8mjzrbo782C6yj7CnpFhApRkN4dNUsIgzl5oFupGyGzRiNhg/GXagTqjysm8whk14/2XH7rGToH15sgksypbPo9/YnBMCizui1CpjL0Corn8NGSVlVrrho1rpYsy+W/mFt0p3pPPGx7OYhHrHOAZXEf8GyzYBb29eS7BJP3IZqkngM3lT81jc0AwN20DvqRPS8RwxH10WrpR+VYbDVnNl6Q8zRMgpmXHZQjc+unnxvU1Pmv0e04waf/LneTu+cnfbiR3x2TWsTyKuEXDwaDuwEZG7L933+dEXnpTo8K8KEn0bMhgSYugnpJF26g2r36ZTyt/rQ2JVU35JUBMd7qON/94onSudlKDliIOw3375YCL5fXCcNggA9louHE9EFNF5T2JVo2bpqW3u9h90gYGxtpP0XIzDutcifbePmM6frVh2b7bdXbSTCITx6vNeHQhZnGsZMZFLWd75x7admbVarpC1VutNM1QGnuBriQ313Hq7deP3QMyyQijw28/czpUztdiIZt3aI6vXeBHBhuXdVaWn6A3KC0TX7eaSaCnDjCz6oAmWvWba/nypIh7dFQgBq/4IlBK1s5q5rin0mJDjWzPjwI10QOzT9Sgu/16WbD3uZPp45X10qRwSLheTHwMFDWMqIaNeqwYxSHVETvb764UtgqANguDHSYNl565XExYNIO7UToEm9pgkZFEJZcvrFZLVEuub9JuUFFKpH5EPij66KNkfHVfgzStiDU0zOqX92XqUEGreuWHj0ktW+9juoyDelnhXr5AVIk6yymMTQDalxihAlSRyHWG8Dk1cvwoZ5E0ooH9pJqb1b8+M8Ep82z6JqfAs1e0VyZVhDh/YKf2tf0Z+5FjGx7u7N7uP+T7wPHGiWHI0Ws71YrhRQ4Asko4W4bM9Tyq48s4uw8GmUdUQbgF2HvKepTFeM2AbNFASNqiBRWDaCpSP/fQk3HuTdv5A7P4WndXs+PzkpxpaFUCGm/UVRnAkqrCkiGvCcnc2s6otp09Odr9tB4qmeF4as9DRou37VZdvk4mMpgHxGClHSST491Xzws91oa4beFijVFssb3UUlia0I2CBng0F+swGNq7Z5v3KUrlyHF7miTZWaZ6NqohtCt5iAytagGLi1PaCPwic7R9lrkJS2KiJtOQdYjzoNTykV6HHuhwkyzrRhfUMs90QgyXxZ2Y3k65ySfh4dYYTsuhn0RPzdZUT66xzIPqHxKrxZitc409VkxsbFpkdhouG5K6DotnhKYp06zAScq07/Z4KNPnWCAHPFUptiRb8m9xQS20r1qzrrMos16QNt+Ru/hdvpQomG684wxZ/0JlvbwSUdAtykq5vFDZzi8PWZnReCfUa3rVaNVnBFrZADPxjODJnpKEbTfc+Z0bWAFCqSjvIP/EO6UJbOaw6qKLzvRGAuPffMAxTVRsi7K0mis1WxXwxlymqnIBak2sjw9ggdoXq1cUmrNF+mQ/NRdYaIsnxwFiW9g6DU4D6u6St4osJm7NnamP66nYx4v4hbh9dhT3x7uTdeHnPB8TJ+WS/4/n085y/78RaReNMO/h0lyjXfSs+o8fM8OdqeS0QEi/Aa7/37dOiI4q6eMeQerrobOvvG56vHeLquSz3lpzLW13ZneCQHTqvtaLgnYw6LzfnM9UMfXE2iktPg+gMSExC0sUWwxINt4CfHfnxv3SAF+1L8S0kuE0pbTw5YDNnrbw0JoJRroRdf3S2unoUG3IR4Wv9eaDc6GaGKXIsqTUlGnOyQmktZFv2avsZfUyeRmIzEtyzI73HR1XLwCXtRynmJssksc1z2vlC2Ky04XadX86+8lG8ODZU4mJ+px/z4tCkVNB96UuGAa28wZbPtbWzQwM1peOMREfqAPhfnVlpcIeomPjUr87H3SISI1rMY3PeJMsueViVX3Pl4YS6NC+YSLyDj5pSTacLPf7KFY1A9IERbSHLTpGaAdRH6k7QjYUdRP9IPubjZGZrUdFqpaqFdPIMZ1WzGQxTwqQb8dtctW9LoqUksyr8Wa6kdnPHwvDoUmi9ePqwZAlGpwu8HoDTcOwkJidwUCIt81W+qAR3jhujLsPK1LzS2TL2vIxZ3HLBHnOln08spMobW09WE4200nL/b/jjxHSfwPwMSGqqre3M6JBNIyTce5uRWUl5bonlMtls9J86cz+azeu3t6aYMDQYN8ThkJD6SsBuJqWu4pJFaJxUcXONQxMy2bZvplmlxgpX1vBl0uraVq4lCSrC62yQYF5a51vG0TQuvLJyXkbnH/XH806ezGO5AiXsC1k7Hf6YApyuapRlUEc7Bd0pVXIWBU1u/sktXlWQfMzRq0GHMh6qrdixt8b/yli3XP7M/Df9dofo2myXGMiDRSmauLwnBHitBUZoXN2dMBR3/cdXkNN2bxZ0J6NrX3inrnZmJqKbYA0AZ91FRciqAaNz6RQ2tIk5BlZSiVNAhR8zmb2uKbOpi1rWP+itAfYWh4DwhPKvWVTUNaXQx+s+q2oysjS+ZKiAxrPhyYMR2zLw4cVhHdgnErbXvPQ04uyP8kLZ1tRP/kxhw4anFn9ljb09Ky51J8XN6Xxjo3/uXHHLM7DZmDMUzko9xyY/e8S/Th+GtEIfCU8o7QW5T8+2OBfnKA3/pGsivlOJyTXrEv8TLBgdaRL0oBh7w0hgovHTsei8tAkMa6namxlQ63vgzw4c3LQ7aPWgalnnMc/cZMdU0V/s0dG7Bx+NRkFzuhab8zIe19oERWwW/lUjRRtKNteXtaT3Qx1u1gCi5gebRIs6xODCp4u02swYPRArVYLfDl9ZzMNTtFMrTBrppoEtuwomeVFF5EXHZqKCnN77/iNRc9RUdulm7n6iaAxeSFJKBil5wKb2jTjab1ai8VKJcNoBAqq5INWr3KWKdJFJzV58mcfSHNLfSZ2QDxlCzZUvaqpI2e4McpOzHv+OEvoxqgRt+0ioF1M1mZ0s7aBd6T+wpYU+UMhph6tDbB7vb+wi6cg2fP8fhk2t4T2PFpZU685M4A5uEBkzO1/La/Sk2d2FlTvKMX4Qne4/mi9eSEEAl7ZqcCIVhYLaAuvjAlXAVATHzQRLVFSb9LcX496ZlBsyIfFdnllCbSrMRODZdLBfgHpXee2IhMQVcSBfYv7wYE0XLi917s9i6vvWzi1EhChg6cG0dvZ6sZ7Et+Q/MRaLgGU/TIm5xZSHb7b1DkKcpeiTdp/nx9E9Onodx4ZAntsm9d7KI38JjHKRNbBY52tXdaCRsGFdCSU2wzlazqyjcG8m8j5sVu9a2kKI1b/Y0OQOwZeleXthohhlZE64lKKZroHztCQ/mkwwzg1z2HZfp8Q2LjPy9YOrjhfmzqmhbN/3ZhVAPXhw8X8fX8NzOJnWmAuvBchdE57bpzl/fCjt5A9MDZ+nFARnEL1aDHZ5azQ7nARcePk7nATNPV2MGaB26JMxrt+w0Ba1AMXI2l1NYmE1RI2kG1bRD8GnMXnC1AodeR5YktX2g8FZj57/8ZNSyEfLS/nN/TKUE9HjbDaxc2KxbkF1VJW6jYGmp+Lz8NS8qrxospsHfe+UcKPP8cg+/d8ixw+5ilaOELT7ubxp0jkSGGeDpDDwovwPyLTZTcdsWmmVgiOQlGhW4GHDVMwoVGAhOq5ulYDivZRAK0wY9zfdb6m4G1KeqM23emKiHdDw9x7H7leTAAWMjY0CGIDl6HM8rxjjyFkLPJ0h0jvorxKjoVaEu8hmQquuLZN3yJ9iRlfmEyzGK9ZJtCmnWJN8PtdRUmfm04XEfWynpYeUubMZLtWTKWHLvECw9TD6U6yyRdYv7GrHJjT5GdSLbdwB6efZZFlYtpNw5UNidZMCS9SN7oZPyat8e0JPfHbQuRferR+iB9u2l7ba6pppqzwzeHedJsb+gAloo3k+QbNf5lMFy41BT+9EePOAITdab0NBeZePwc09WuKM31vP2ASbuEH0v7uLWZn044FxNPjKPvdfaCERad5I0MpyJwjYFqPKSGacMItIDhU3n7Qqn8XOL/jhK+ECFGa3sssuTrGPGMGXXEQ9Pnian+POTptoKlN7/S9wMKSczUSTJz/Jc+iNgN3UrLGcT+RJdAzTG9y8Bpesy6mzpbm6bPQgodPZIA2Pk0wAHxwMQAIkjo2AKCejh8AwGA7+O0ikH3wHQBM9CZyCpO0fIBvx5GC/yZsy1hJAQA4V/8oAD29XwBQgzFEtsPnQCqvKJohkPDoeTP0sX/eTzDM20YxAgoGDgEJDToMmLBgw4ELDz4UAoSIECNBigw5il9tGEExnCApmmE5XhAlWVE13TAt23E9PwijOEmzvCirumm7fhineVm3/XA8nS/X2/3xfL0/398fSI+qNYGafhKnzUar0+v2B6PheG19c2NrZ/tg//Do/gOAfFZJQfoEOuVq/k+cmgJl2gEwnViTNJGa1HAAQPsAyFJ4AAwYtEjyYve7INu8/ADAYsVawoRY0Pt8yJd8zafU2w2Af6MDoP9RYwdenpPP+RayRJUi1SrUqlOvRpNmADRaZrkO7/TLeHkZm4AEmpsJGRd/aGcAEMcHhgIAWBQZsNYmg3HpH0xF+QvLz+VO3/l0L1dmMlPZm+N5OH9CJhrGHIuscJdfcWRHuL7x/xmglqmVaiO1Rm2ndldvZsJQY4QTc/77t+N//58YxlHTZ431ttgbtwTn17mIsU/d7Za3GtXQ9g504wOhbDTimSZQTc/t5/nPYv1JLYwuxj8F5bVZt7pv3a6v6xDczd+1tbpW1tI+wnEOhd8nJHVsypGjYytG4dFrpB4+pkvn2+Uvyuh6J4ZvdFwnyhff+h7rFwVSVTqJAgUUKKJApc7sBQXG1c3dm8VHn1FQqJgRjmJQLDcnMwdOKrWG8/tWf0n7p9uKzJWrsmbz9RLWJn51K8qqbtputz8cr641noylfxqdwWSxOf/vH3+TUn9ESv//94jEkk/1aWhqaevo6ukbGBoZWzOxbsOmLdt27Nqz78ChI7ccO3H7Wemiu+6BEIygGE6QFM2wHC+Ikqyomm6xBnfsDqd5Bt3Pg2PD3KPyMI+Onyd5egyYCT3L84zkRV7mVV7nTd7mXRSwETAtn2Oh67fwiNieE/cjnNIMAQL4+Dhk889zj38AmRfi8neu9fzNePf5FPA37Z+NlqdQqxmG2RAgfT6UeyabsyZtz1LhFeEjCZgBfZVevMDL8WzGAEBOs51NrLvMP3SQkh50J+GGArKZ8gMBjasI5BubL3vXdnZyAIDvCb0NOBWjl82sddszGZN+i7skhnwCEwMD7+IhZVH7jMJr6GMq5ppwGppaGMEwAb9+4rz2+EJkZtQZEraApDTWReP2R/S9nFu3CGun6CiitaQloo/J7nWOXZiEXh2jopChgDsG++RbYne9+tkv2Kmxxn01Doq7VSh/EfsNOzdoxmQ+X61fsX1HyjCk42d2ZP9fECD45tN6nShLQt8SZ4TuVoFWYee04lyZxQC8kiCpI/AmDSwPwjz5W0/gB5yZgM9KHE9SDQvUH/p3SDqIvmm6rgbXf0lqx2g3drn4/YTaybMgLNdAzrWE4sDE9zupq6gM6I2blFThVoLRJUR3kGP7+ZA9WvXwYQGoJpnTNhk05gTxcLyHUQWxEMdgkkgkRyDXmGGCYQFet2jvGFo7XrZ7iAQzzcArDqepxGAFBVw3YzaHprhh7bDCvA+g53Mk5HbW4pSJUSd+BTDug+suxPBKg54u+RKaH4F/YBzE97HNMAEwv2OmcDNFDwJCjIQ8IWZCnK/8Kt0Ibo3i/OZs7w+M76vP7T2EAscLqWJfcCMSnv1LHG857uwv5DjN8Qors1X7bhuTz87wik2OQCpMdYNvxL5bquIwK+6TiVKPbBL3OH7h9Rb/3oqJagkQghHv0B7bLBjlHljo2I65fMtl7Dlvx0JotXkSr1/acoVwidDYcmaksjZSjgtwGWqQiM77iXGBPZuW3YzaXRHdGqZ2oqkE6ySn8sLG+yauHAeSeLqOAm6EBRWzmCiuxgFvbzht8SruT26xOwk3eCxb6v54fiHznH/yOhzYyaXxdScuTxcTpAcH467LwvxEK2M7+w/Ly8jYWDa5DMZrXwzelRoIUlfxb4CetniasVNW8J4pcrjWgEN7XGoUdhGZuoLrBBj+Cs8Lka7CPXChvy3H+zmI7Tc8d1KpmMUtqwkeU308ue8N4d3XYO4Aaf+62QPQKfQuE/oenB7O0BeYuzE9gmgDui24Lsb3P3WvT5FuIawKM2qnK0ZVSmrHyEsifbuPH2/0Gde/f69kOlu/AkVIuX9hOX4YMIrjhZbuDV/C3Y6b1gOKLDRcn8PSapQf9q0wVEYpPQE8ZBzpa+ojxc8DKyy2mSAABb/LhXGBNL1m3hHKydyX7hJFA3w/Eo529nz2LaXP9xHNB2SeZC/ajTXEqPXamyOmz7GiASgmwEKByENh5Omcx0Qg4u5HMA+VOgIJiqtns8d1B6F/sAcB5jXvwliy8CqRH4e2j0JLg/jZ0b8+Fwp7EeEZwDAkw+s85zrSAGQHcYi6lYFMxdFR/B63tdMod2Gu7ejTiO47ycPXKq+vQxlhEwTC4obFfvg/l1NnIs+2Bm/PhLVdMFUE3Vr4hgJW5+FxQiMfHnfcje0XXe0apeCGA1nWZHPo3Npf0fJi4jB4mnHKoGJ3InmPT/B8ddJ32xftb9UY4QHCwUcAoDT/N46ML7AvgmCVAhgMQShD0PKP5VgexcAwOCxlOAw6GYEj68pIhCDAoEU/MDq+wRgDmYEGM5rIWLRnwdZsZHEAArTRAAClZyEkdC66icGwO8kQou56DYpodBmGcrwlDtF4RpDZ2YzEcoYZDcsNY3RKH1vGwHHbIZkUfcZYWr6kD9m8svO/jVCv+dDs4tveUJ29kdsblexxWt/fbLTC/dG/XNZj8K/eadcz9tqJb4uUrT3t/yOpic9MnM3sAvRqUup243FfKT0MKOc+VMVHasvt2TUKIeqNECoWdF735WA8cqSRnZSgt74lse54Tu8shUjoPJmmQ81IjFGfIeZrjGFCidYcCQbl3RrJcRjhcYI1AYczHSLabJvWuq4PehMSXDI42U+xoLrGOgPh/ihbOMGFdQezf0tcfIqDAT5jmcBLvQAFFvT5VuZy7pIYaFzy7zqMUlT2QiIiTkhJf+BEUHOaNLchX9LGhTdILfMM8WGAjERslyaOObp19wMe3xvT5+e4L1yG94Vn1vtJ6E3BzqT0x/iQOGNgrggGEnmWJVLrza95BFYFdZr0pqn4xxnAz7ZPOrvxu9ln9GCHuHCq4qq2L77Vp8JuQPrgG8R7iwRQrDcvyLhL2T1n5FNGYDi1WhnLFfWeY4GC7lB0PGKUoMbrzuuEsy8uljTmTmNQAmvoaLLZQOmok1jKn+jxKpDVzuCgR3FYa2Y1qrBICINYO3L1m0h4Nbwz8Pagv0tjAAAA") format("woff2");} @font-face {font-family: "Cascadia";src: url("data:application/font-woff;charset=utf-8;base64,d09GRgABAAAAAVMcABEAAAADQeQHdzXDAAAAAAAAAAAAAAAAAAAAAAAAAABHREVGAAABgAAAATAAAAG8nuKcikdQT1MAAAKwAAAHlwAAFlLMTxXFR1NVQgAACkgAACXhAABRIFkPGxpPUy8yAAAwLAAAAF4AAABgbEt/gWNtYXAAADCMAAAKPgAADSZvLoOeY3Z0IAAAOswAAADjAAABFlZAOwxmcGdtAAA7sAAACBUAAA+DV4sPEGdhc3AAAEPIAAAAEAAAABAAOwAmZ2x5ZgAAQ9gAAMcWAAH9uFaLzNxoZWFkAAEK8AAAADYAAAA2EapGVWhoZWEAAQsoAAAAIQAAACQABASPaG10eAABC0wAAAUuAAAYLrBaWdJsb2NhAAEQfAAADBoAAAwaQSrAaW1heHAAARyYAAAAIAAAACAJshCbbmFtZQABHLgAAAfUAAAZ3FI4deJwb3N0AAEkjAAALIQAAHpUjVe9UXByZXAAAVEQAAACCgAAArOJYnqCeJwd0c9Hw3Ecx/H36/3Z99uatl1SikmZlNGtJDPrh5126Jj6L6JDt0liIh2SDunepVNGTDqMItEhSWmmS4cOnWaHRE99+Dx8Dm9eH6+3ydwy9n90xnvJZIvcZdvDul1iw96wrYRJsZKYUhqzGsWc5nFBK1jRJm5pG2uq4Y52cFe7WNc+HugQj3SMJzrFM5Klc11gQ1fYVBOvdYMttfBWd3ivB3zUE77oBV/F3/SuNnbUwS99Y1dd7KmHP/rBX3eTRx5h0lOY9gwO+TCO+hiO+wTmPY+TPolTPo0FL+CMz+Csz2HRi1jyEpa9jBWvYNWruOpruO4bpuCBxNAX6C0MBHoL2ZDFwUBuyAVyo+fo00LUjWUhDnECk3G/BVoXi0myl8DMhxkzZun/mZE/IhM7bnicvVh9bFRFEJ/Zd+9aa+m9d9doRT4qIQ0KNg1BQxpCEJpqtFRSiLmgNopVtBykQb0gElMbbcrZACEVEZv6RQgQbNAYCgQJKn5ElKAhiICkIYhGDRqjaBDQ2dl5r3dbyBX+4DY7v5nZ2dl9s7N7+x4gABRBIywBp6a2bg6UPvLM4hSUpR5+ahGMg9updSKo6Xc2lMPE2Q3TicIYcGfcMaccxsy8t45ofV0N0Vl19xBtuHcmUYD//gNFPRHUwocXL4CShQsWLoBS1gBTaoFo6WMQYamQajH1i+A6NYFaHPeQ+yOA+1cUIR51ohEYTdqpZHUH2c+AdsLl8D68CNvgKLwLxzEC32IUC+ECFuEwRIzhcHRxJE5GH6uxBm/FWlxM0tP4DD6KrVSasY3KAnyBSgqX40u4EFfgKmzBLlyDT+JafA3T2ENlKW7CXnwWt+EOfB53UXkRd+MebMe9VJbjZ/g5ZnAffoWdeAAP4ko8TKULj+BRfBm/x+P4CvZTeRV/wd9wHf5F5XX8m8ob+C+VN/G8UviWcpWLG1WhKsJNapgqwS3qOnU99qrhajRuVTepMbhNjVVjcbuqUBW4Q41TN+NONV6Nx12qUlXiB+o2dTvuVlPUFNyjpqqp+KGapqbhR6pW1eLHqk7V4V41SyXxEzVX3Y/7HeW4eMApcArxoFPsDMNDTsyJ4WGn1Lkev3NGOqPxe7gJILGUaivVdqqbqXZSXW3VHsG1zCOtkYpvl9oMDug+W4dQ14c8+j0yHvHqZGQs0X1QhP2JUQDxCr87xBWXiW2XifZ4+bDLQtHH5hGWDGCcdkR8OID/DdXDAxhTllwoWCKo+9yVhaW5sp+husrvDjBWLlghOOHyMPQzMVceMp4hPEfPSs8Vp2eJTRacKlhjMGy/26CJWxa2ZcsXWX97vZZd2fr5xWac2Kys8UoGMHafvyb2wNBx0HME2HEJ/SD015j5Ca4QbLtMtP1cZTR5T1XyPsCgXcv+caPXGHs8V9bxyMEOS24bbBcvz8IOSw4xT3yvVpy6bP0l8qFtqHlzhfb58nWZweB8GpynWfHX+qicf4sEjwg+ZclLLTnAU4KtltxuyQF2yn4Oxu235NWWvFawJ1efADN/75icB+tN/vqfUv2S5H8MekUGA70XkfbNoj/p/+z/noWj5DzdKrhNzsmxIn8uuMuSP7JkQf8WkfeLPCrXXzjeQatdMFFG+BDNO011mVkvfzHN/4hgv+Apg2H7rwb9OZIPgrE/DOqfP1fiMpfG/0fwgkGOE6FfbzCw53hqvfTzvNz2UH8d2dJt0xshOI5qZRZO8qrZ3xAxWO+EnP9+lSUvyZVDBP99yped3jGDiWbBRtFPs+TaXDlAv1dk8ZdosmR7nHx2dSKnh+bHazD7NszjJOHvJi5eo9kHGhNNgqL3p5h+XpNgs/gJ9C2WLHnmtXkd3or8mCj2n/NfoHyoMuh1CW4X3G0wtFuSK9v989l56wTfsPQbLHkLzfE9kwd6/+h84X20XXC36JcYDPLLp7cqP0XtewW/EDxgMGw/lCv7j+XK9vmk14XlE4I/yTqeFvmsrPOfsg5nB/YpacJ7VXgvvcR9LjjXIdgvee4t9j03+N/148ZHdj/Ok+A+HA3uBxe/nw3tfyv7f9TMJxxXznl/j0SgTNA+P+V8TUikQmwSLJZ+VUG77OdPc/8XwnW01i/YF6HddOB7fHjeyfkYzDMYL+wfnL9yLgbneSJtzUfyJzi/B+2PcD8E51puHO28uPQ9NSvuJfnzIuc+Zq3fQH4MjGfHwd+Y+5zZ68T20u6/ZduL3Guta5afi4036L0tWLes/Ob1DP7vrfcfOy72fThfXOg9+MOCKk2jB5mfTLSCNRVuJ9F0dL+mrEmzTZpt+ljfx/o+1vdpvVOseYxw3xT7b2W+ii1rog2aFhxl+gPZbyrYQHRjgX4vr3VPaL3bzZaNbNNM3sqi5cR3cGuKPaTcd6jX19z3APdNuaeJNhsb40HbkJ8HmNet03Urxgv023+G/WTYJsOtGbbM6L5Oif5C4JRovVN8gUbHIp5DjX4iPOseI/0eph/wHHbxHDayh3n8dWGEptjLEUjzWGluTfNYJ7U3PMetSbcJMFLJvVaypp5n1cP29fws9RyNB9nmQbHRfmbx885n//NZ84RodN8k6+9jTSbawn5aeCYt3EoUJ4BLfFyvkVPMK5Vh2mrizCOm2Nsi9lNvxmJ9mmmFoTyrThNhHRnVY+bJdD5H9V3mR+h4kh/yGXmI+1abKJl803ykW/ORyVBEmuE8bhlbztV8xGM+ya2tzGcMNfnMft5mfp6mTo+OdqTbrAvru9imi/k+5veZXGVaZTKW+dlmjYhGwQOkMUG+MCLUwGn5wniCvzACDOMvjDeQ1iUt7Vu33+2Ha9wz7hkocs+65+FasnAgBjeSH3qHAXpvAXpXAR0tPXq7VVcLdgq/fgh1bRbfw0hZYOLHdDzTuIki0xqm9Yby01ebVuI9etYxMA4qYRJUwzSohTpogCQ0QhM0Qwuk2U6v0XjOk2rOkHkmAzknk8K/w3wj8zqrk3ySJPn0SPL5kORTJVmQYj8t/wM5o4LrAHicnXwNfJRHtffM7LNLSDYfJJuQQliSTcjH7uZrs0k2JIQkTSmlKfJiLi9yESmkiEhTDBQpRhoRub2YxogVESlFSilSihQRMUXESGmkiBgxUqQRKSIiIiJWRKT3PzNnn90ky2vv+3t+Z/Z5zs7M+c+ZM2fOmf1gnDEWzVssrcxSP6mhkTnmP9WymKUufnRZM1vCVuHdlUzUPTg9nSV8eHpdOvMz9v77LB58zgSzMINZmY3FsjjwEtgIlsiSmCNCHfuQOi5mvb+2MZ3VP/KhhnS2cGpDfTprn9bwcDrbO/1Dj6Sz06qXuAG9/Hs5wz5AnagPUGf4B6gT/QHqxAypk/zoo4uXsbb5snxm/qNLH+Od8+c/voRvaGp+4nG+ZUHLo/P59sVPzF/M96hyvyq7VHlElcdUeUKVvc1PPt7CzzzR0tTM+5d+onkBv7R0aZGPX126tLiC31j65Lyl/NbSJ5cs5XdXPtbyhDCATiiEjK3GnU2NIoEls1SWxsZiVrJZHvOyIlbCylgFq2ITWR17gE1mD7MPsensP9hM9p/sY2wee4x9nH2CLWbSTpayJ9kKWMpnWRv7PFvL1rF21sHWs+fY19g32AtsG9vBvsVeZXvZPvZd9j32ffY6+wE7wrrZUfYm+wl7i/2U/Yz9nP2C/ZL9ip1l51g/O88usN+x37M/sKvsGrvO/sr+xv7O/sH+ye5yxgU3uI1H8Whu53E8gSfxZD6S38dH8zF8LM/gWTyb53I3z+eFvJj7eRkP8Eo+gU/ktbyeP8gf4g/zR/g0/mGpC94itcJn8I+op0+gtPBF/JN8sXpuUuVcVc5R5cdU+VFVzlblfFUuVP08wT+lnhaocqkqn1TlY6r8uCqX8eXimpFqaxuW6BEeMSxr2AH12hPVUtwTtXZ4Ufn44VOHn59YJq/h16Ln5MyNXhITlbc1b2tMSsxaj4jZaE/zCHuBfX9hXWGdvTt2cmFd7KzYW8U9cdFxO4t78HogvrG4J35BglHck5CSsL80MeHYiKbK7hHLEx3FPYnZiUdR9iUtK1mT1JF0tzTRkeBoQ7k+ubo0sTQxuSH5EMqTKXhKmZZyBGXvyLry8SMbRx4tH4/X3tS6yu7UxtSjOXNT++6bdF/TfbvvOz5qqkeMmjvq1Khro8tGN44+W9wz+mpaS1rnmJTK7jG5YzaOOeDMLh/vDDh3VnY7u8a6K7vHVo3djfJw+qLK7sru9BXpR9L7M6ZmLM44J0eeccU1y7XCdbmuJlNkttTV4LUt8/r9q+5flXk3q7m4J6st6/qDPQ/2ZN0d1zy5atwz425l23CNyl6cvTK7I/tSDsuZnjM3pznnWM75XF9uQ+6W3IN50XlpeeuhyT1u5h7l7nRvc9+E7hM8yzwdnhteu3eOd4X3uPdi/uT8WflH8/sL6gpmF+wvOFnoh6anFR4oPFU0uWhW0ZGi3uKs4uriLui6zzfd1+Q777tdsrxkTcn6kosld/3z/K2lBjSZXtpSuqa0r/R6WWNZc9mRsrPlXuhvcvmm8t3ldwOpgUWBNYFzgfcqJlfMq9hfcXK8f/zU8VvHd1XaK7Mr90Mnp6pcVVVVHVU7J7AJoya0TGif0D/hVvWU6qbqQ9V9E3OhpfqJGyburRE1aTXLajpqztdcqxW1jbXNtcdqz9f5oLOpdVvr9t1v3O+8fwk0t/7+O/Up9W31m+pvPGB/YM4Dix9oe6D3gfMP3Jy0ZNK6SRcm3Xlw6oMLH+yCVvsmF0yumjztodyHJj0066GrD12dUveI/xH/lKNT1oIuPex4uOHhxQ+3P7y1wYbL0VDf4GooQjm9oRPXzobrjySifusjnY90Ko/D4XsF/MIk/jQ7wL7H29hB+IK17FnWxZ/mT/KlfDlv45/mK7BGH+Yr+VP8R7yb/1gkC4swhFXYxDARJYaLaBEj7CJWxIl4kSBGiESRJByiRSwVy8STYrn4tFghnhIrxWeMdlu0cVxcsP7N+p7179Z/WG9b/2m9Y/2X9a71fRuzcZvNNhyoJoHS2Cw2lz0Kr7gG3msfPFQfewc+xQl/UsPr+BT+GF/Cn+Ff4c/zN/gx/iY/zk/yn/FT/Oe8l/+C/5K/zc/xC/xdfpFf4r/nN0Sr+KxYJZ4WbeJzYrX4vFgjviB2W0qNmcZb1j7rr6xnrGetv7aes75j7bf+xnre+lvruzarLQo7h9YUFykskzXA685hC1kLa4WmOtkmtp3tgd6OYoc8Cx95ld2CL0zkqUCaBY9Xz6fyRj6HdwLZJX6D3+J3RQK80ipbNLOKj4uF0FOrWMsM8Qno67Piv3C3CHpbJZ7B3Sehv6fFf+NuMfTYJtbh7nHo83Pii7hrhl5Xi3bcPQH9fl48i7sl0PMa0YG7T4nPYIRfgpRfiNPit+IiJA4Tb4uz4nfiz8aLxh48C/EblBZxXlzHqyF+JS6Jvyhkl8UfxN+MvfKef4a3ip+LG7i3iU7xR/EPcdt4U7bmnxVX0cefVE/XZGk8i9Iu3hDHRK/xReObxsvGLuMV49vGj4yfKAk3xT/FHVXzgHw2vmpsMA7iLlWcEb8W58QF8a74vfireE/83eg01hsbja8bm4xvGFuN7cZOo8t43eg23jJOosVY8ab4iTgu3hFXxC3jS8aXja8YzxlfMzYbzxtbjG3GS8YO41vGbuM147vG94zvG4eMHxg/NN4weowTNoH20eItcUL0iX7jBeNV47BxxPixGvlPjaPGMeOnCuPPVLkOZZToESfFKaPD2Gd8x9gv+dZbNgssI5PPFR8Vc8THxFzxqJgn5osm8ZhYIDaKTeIb4nnxgnhRvCReFt8Sr4hXxR7xmjhgGWbJsXgs+ZYCS4ml1viI0WR9G3s/AyVixx/PprEFsC/07qtXZPHV++prr8qdUFqjr4gZviJfUe2Z2jOKZ6mdLS/Ga49SNAEeE7WTarGWfDbw95hcXlvEePF1Joqv125UXEP3WnyWWYrPFp+tXa241pCPGNcNLXxJzn8kjLVViizFW+UVxFiby4zidn1pyTUH5QU5KwjjMImxZlvNNvDmaQJXrjhe047nBmBsQCm5w3WvNb2QUyYv6sHEWFzEMKvGfoVxGCK7XERL07FSVyHukT1uUGSZiBAKEgllzWpmVF+tvgo/3aF4YsLyqungNzNL9ZnqMzUrNfaJd+QFfhNhj5F1J16aeInx6t3gTzW5fOIp8DYwUb2hJqC4dpKVgj7bqttqXFTXxO5ADWA/RBqOgH7iGUWWsrSK7IrsIPqJR5lRFlWRKC+Nvupg5XPg72WW0puBu4G7hL5aXowHLhP6OIU+d2IueL2awI1XkhIZL93HROBQ4JBZV8qaiT43B3YEdhA3tINo9N8Geg5f8rx4zVIQ2VLK4xRZyuPkFRxF2W2M4ra+NN7qDnnhnUuEd4TEW72iegV4pzSBmyj7rIbVlHUxUdaFUnKTqNft0NZ2eSmuw8TLy9be/ZXCZ0Wk7UIONZnNVj2tVCSqV1a3BbFVLwSahdXN1c1kHTcn3AR3NuFKke0mnAenDjTZ5MmWBeipoNqveCND2nJOgZ2KsJnOZgE2BQiWYKdDb5WXFInKS5WXgigqTzNL5Wl5KQ6vhS1XYk3KCM2sgzmv3Fu5t3YNIZ0yYQq4WwjpfQopVk3lOk3gjaKWy9HTcpSSNzqkp8pZ2Ikj6Cl/ryKRv7fyQFB6/hZmyd9Sub1yO9nhiaoT6GE9SR8j21Vh7edjBitXmTzZsgk9NVUuUjxnSE/pF+BzOsN8ThYyoMlKTxKDV5HI91adNjFgPPmjqrqrtE54FWY+Hz3lR1XtJVRlVdBAVVAn6aoWVqP3Al7XmTy86z3JhPdkldZJRhiqg0D15UGopiAiaFH2fUCRKD9QbmqmHHZYvl1eGkNFSvkNcNej1vry9ZpXuQXzxMtXEa5MZQfAU75IE3hZ1NsMtJuBUvLGheaqfDyruQcmlyJR7hofZWJKAKaEivcq3tPyA6vL52Bd3MUqultxkTBFV2I9V5wiTDmyr/HvoVYfuIdMnlxpsMSy7oqdipcb0pVrhfTI4tcDLL0BuepyZKToraJZkSh7pqI5iKwCFla2vGJ2xWyNovxy2VFwsWbKmlAq7zD+RPnpMthgRRm401CqmuNnjZ8FXjrhdSu82P3KssG1mzy8G7iFdokoJc8TwpvRo3aQjffCGzisSAQOoyS8gd3MEtgtL8IbKIOnCWxCrU0oNd608qwyWXctuGtRajvYVbELvCWEN19pBOs6MFsTeAUkYzLaTQ5o71IYmvOAly+5J9ZERSKQWLHfxIrXAKvYVqF3P1HWXroQtnANqK9VdGqsFUvKVpQ2gnsW3LMVrWQfcifhFQsIa7GScAW15CxMN3nSsjaj3eaKasXzhUUQqUq3m++Ft3yeIlFYhTJopdOYpdBdPg2vCkXpOT88SHk1aqWiVHgDR0p7/Fjn5W5wDZQa79QA9uNyB+H1K7zjGS84C26IJ20X8WvBMZSSVxpmu5cU3q/fC2/ZPkUi0BhoNPexrcBTJy/C6/XL3aYDtYoCRYQ3oTS1BDtIGfaZQFogjaxmSznWf8BGeMuVRuT6v6EJvADJqELt/vJ+qmfizTyo8G65J16hSJRvLN8YxFt6HV5grbw0Cn9ryUxw+1FrWfkyjbd8rn9hCWLQ0uPgzi2fS5ZzrewakE0hvOOVBKnbMk3gVZKMdul5yl1Uz8Sbe1bhfeFeeEunKxLj96MM4q3BWtpWWoNXhaLkhA8+pxT77PhOlApv2d6Sgz5EQKWjwG1FqfFWl8EiSw3CO0HhdcM/QIr/usnDu/5zaFeNUvKqQ3j9ZxTerffC621VJPzb/GZs6V3ELP5OeRHetGL4HO9M1FrlX0V4WUlU8UVw68Fd5F9EltNRiujH30h4a5RGEJ34azSBV0sybGjn9XupXmifyla+99174fWcUCQ8J3wiiNfTxSyeruLryA0UCt/iYvgcz07U2lncr/GWTvPNLEZM43kO3OeKj5Pl9PthkcX7Ce/9UoL/OGph70JGEORJGdi/PDOQEUhefVgMKTPI36oIUiBzej5S3OE/r0iUVKMkzP6TzFLi9Z/Eq0bSCK1x/yFCMkm1g15KkAP5d5o82RIj8N1AKXkPhmmuWc30SxERzFEk/HN8h0wEDZjlBt8u3y6a5d4SRNO+jYTgIdmuBDuHH/uQb43Jky3hn/2JviWKNyWEYCx8krGTYowoxJO5WDkN2M9lhLhR9denSJT0oSQcJUehiaPyUhxeDI9SAg9Vsg+l4hQgByzZCs5WlIqTvQkc+KeSjhLKfkocJdi/SloJfYOSJntfqAm8R0heI2o3opS8qaFdqSTAWyPprsSlSJS4vE0mZsQhJQne6d7pZHEbfNgBvTUkfZps50M26sNe4/WaPJkBY/S+Pm+q4v2fsD08Drp7mXQ3CIFvqyLhueDbGkTg64DNn/J1+Gj8PocP4/cFx/9h1U7aLfZq30KTJ1ti/J4NPj3+xjD7aVf2sy0SAs9cRcLn9DnNVTcV2b1dXhpB8fri9Zi924RghppLRMzFlzSB93+ppQO1e4t7qV4IQbRa+8cjIXD3KxLu/uLNQQTuE8ziPlG8rngdIUgoTgjL0j8i2xUh93Uj8ytuMnmyJaJY9/riaYo3K8yCn1EI3oyIYLYi4Z7tnm0imAIEU+SlERR1FMH/uQOEQLUrgv9zZ2kC76PUMgE9JaCUvDkhK8y7yZIjSc/rVySKOos6g9LzMP6iVfIi6QlF6K9oMUmfK9sVYvxFMzWB9yi1xPiL6ovqqV4oejitxn8iEoKiOEWiyFHkCCJA75YiIS+NoLCjEOMvvE4I5isEGH/hOU3gNVFLxN6FPYU9VC80A/XKCo9FQlDYrkgUri80YwH0bilsK1xbSLFAob0QMXPhMkKwQPkP7F6FmOXCuSZPtqxB7UmFDcQbcCpgvGGL1qcC+qxLobHgnXQVf4mCHQWwqcI4krJQSYH1e2HnBbdNHlORm/D2Flwi3uCzh9fo7OFFKSdyxliwQZFw3nbeDo66ABm387K8TA5yJmefs6+AbKHAKDAYdwZP1RbJnvIRMTj3agLvk9QygL43OzdTvVC+v1HNxHcizUSBUCScCwrM0xD0bnE25t/Jv6MR5K/OhwfMv0IIHlcIkDk5C/DaZ/JkS2SezlH53cQbOBPfDZ8Jo2nwTOSn5aehhzUk5QklBesoHXFN/hKTJ6VMg4dZmD+beINn4nskZdiQmTAz0ny7IuFZ7lkeHLX3Nvxwk7z0qPOu5yJC8V5Greke2h28K7wr4PWqCeOnVNwFf+RxawKvhXrbjXYpnhSqF5qLJuwOr98re/cuUwTf6G0zcc2TvtHb7KXzn7yZuYh+vNCBu8tLOarnvAeRiXcy4VoWjK/c0pL9Jk/2Bo/tXuVNJ95g3f2AdOe5t+48pxQJ93jPKXMHOQyMuZ7DHp2Vitz9OZ3gQgfuFA/lpZ4qTxV4wahkueoLuXoe4njPGpMne1uCUZ716Dn/dAjjmFxlx4cj7mvjFYmsZzyTTFS5zJK13OP3+DUCd5e7C1wXIXhK7QVY/VnYPTxxJk/6dGSkWVXu28QbrKXdtNZfM7U0eIfZrUhk3s40V7p7E7NkXpYXofG6EU9k9hGaz6h2iCYyuzWB10otsV9n7sncQ/VMNGnXYUuvRI403G5FInOF220iSAWCBe5UvGpL2pWHmMIdzPlWqd0JPioT0WreDZPH9H6V6c3TOd/TYQh0pPpqxH1upyKRtzM3MYgAvVvyNuQinCQEuXmwgJxrhOBzqh2inzzMfc5ZkydbYr/Om51zTPFWhxCMhj0b3ZF1kJetSORlu5aZCBxA4HDNc80jS92RCwtwTSME6vwzF6smF1bpqjJ5eFfmi7lnXfp06QthCBYBwY/+X7Fy7hZFIndL7pYgjtx2Zsltl5fJwf6XuzJ3ZXaLycHOk7swd2HmapODWCx3Ru6M0eQLci7nXAa3ntD/l5SWcxqcIk3gPUMt0yA/DaXk/XcoSsFwvjrYE+esz4EGcoLx3xdVr4j/XDfxesnk4V3Mh3Cdz+kl3uB18n3yJjn3Wic5axQJz7QcMxbKgZfxVOesyqH9L8fIwf6XE4yFnlVZA/Y/D9ZKzkyTJ1ti//MYOfXEG4ymh1bty/dC47yhSDhvoCQ0zvPYC8/LS6PJXp69HNyThOZLCs08cLo0gddJLXegpx1O/VnFl0Mad6672xdR+jJFInuay4xKnfD92dWuKS6KSsfdGocIyBWMSr8i241D7p4NXbiyTJ5sCV+ZbbgSiDdIF/yzpIuXxLfEgUhoXE2KhKtp3JUgGtd0ZnFNH3dm3BlCs2gcooxxxwjNVxUaZAEu+LVx+0yebJmKnlLHbVG8DWFodJ4gYwjk3JFnJeOsIpFxFiUhyehhloweeWkkWeezsP9lHCAkatVlYf/L2KYJvK9TS+SaGR0oJW9TaFYyWlhVJOlj7ygSY++MvROUPvYKs4y9Ii+SPi8LFjD2DEnfrKQjHx17VBN4z1PLvehp71gdtW0JSR/7HH8iknRax8J10nXS9AFOzMIheWnpmRczYQGuXSR9q2yXiT3atUETeN+k9XERPa12raZ6oVxhlZqFv0dcoXsUiZw9KIMrFCPM2SwvQjAvE+PPWUcIXlQIMP6c5ZrA204t56GneTn6U9aXQuPPmYScNoL0zCpFIqkHJUnPdDNL0oFMdyadtLouujD+zFSS/rKyXow/CRFIpmHypBViv0xqdenTtp0DrVD8k05+DlBkOggJ9mJJAtQaRKJi8UXq0khmuWQGOpOQ7FJI5DdJ6okYe4VaYk5B2kPvDumBOcI+f+LMZmB/Vt80k4gMFod3C/RZnMr1NAXRICIE6ZNqnnESnBpCsodqFBAx9u0BMovDZfLXpEzjIxFk0jjSa0yZfkTiRelFJBOjT08nma9RjUTw4oiDfi1hJ9xS7+p7FNA7Is7SoRIzFpkUXPmzsH5noVQS07H7ZQTPgL9DNQKacL8/bH07efhqTxC/Giot/Y4mVh+Uln4VKP3MT9KQ/yIW1tIOUI3jeoyKI/U2c7B3M46r8ZXgnaES12lyXjMlrsSu0e/sJ4lRYXvNQaoBCc5DxBmoy7dMXZZEkOUkyjJlxWH2HOn6DICPRd6YHjyf7iJ/dRV0gzgDZZ0gWfmRZI3dpynVjH7HbmMi9UrqFZIFy089S7IOUY028HqIY8qy90HWT8LyJRfzsTo2XZ0+8DFVJpGcMV7kCV6USo5c62PSFAXfR9Y3xu46r993wguk3SEch3WNtCuacP/DkMWknWIPhD11Wz4+dNRpezQ5zU/E0xD1Ofc56fTTiRzFuY2k/YhqwK84O4kzeF+8ojzSi5b8yKNPq9bkMuPrtAJ4IVy0HjFzaU71GnwfM55xIU1n+nwMvEtGL+H5sa4xGjOecYQ4oRj3isLzx6Fjjss2iWTEpTARl4JSy4D/iwtmGG/oGrE3NeH+WEinsWeZO+zpBN9h+uF0eMoajBr9xR7QJFYG5cUizhKLhPYQfATsNBa7niAPkQYJIugheqgFIi0RIM5Aq26nXWB32C4QLj2gyZJgSkecZVG3SjpmPxaxmLhO0ifj/jxJP65b2N8D7yRxBkp/lqTvIekDNG0/pGmUaV12ZJij9o0i6xp9Du8FresE1YBvGdVJnIGy1gd9RURZ0zSNvmXKqoEVXB59mWQhPxsdjHdOUg1Y2uhjxBko6ytBXxFZqzEXNDlOBKXF9DLhOOQwP+GI6cbz7hj6VsUo2LVjM0k/RTUQzzjWEceUPhy2aHwxLDuUUidhh0Yv8Z2aYhYHpcS3MREzO8aMvuOX4LmBJajeuNitZCOeiSkj2b1UD7Mck0WcwWv4pJrRVyKPPH6Vpmjz9C8eGXX0megz5vMcPPcgWlMjvw/Rf/RBkn6aasD/Re8gzmDpp5T0VyPNcXA3TzSCsuRuPuLmiJskqx32fJFk9YV28xG9xJE62TNQovg5WfBLeCd8vHWsUfaZnGoSyUxGy+SoZP29EJHSmozdzXFLkUZhw33wO1hndBvHaU24fzvkMRxdbGLY027LkkgIHBs0jTSjOMdaJkYuHqmtQCTfdmBkDszySG0HPBU56sigB/k1tZkOXoA4g3V+Tmlgk8UzwGvXQ746w3Y4NKWan344DOyN7anthGCFoxHRK/xjqokx6QJqLErR2Q4fCftPnUWI3qEa8Nmpk4ljIrLsUIjeiaSJpHZNqeZ3cpIQ3468NVJrXjiuJ8FnJC2GPFr1IxH/jAyeV/2G2kDmyKPEMeVGrVdy+4daXfQuTSPNk5DoTZDaMbKDZKSAgt9C+i3VWAHeYuIMjq6eU55l2KA9sh5rXJ2UJ7ebFLQ4jDK5NZm+V+KITrwE3mJFkmNJuZ50KxHWlTxLkUKVgtgkeRKhepf68WvC/cWQ3SWP4k+EPdnFbyLjctzUlLLBtAJkZylrU+jTj6SWxKnaylOWE66ZSXMTsdYd3eDpM2qejPg3JXh2dYn6QRyXUk0cU1tilNLW85HRwLsrciww/T0yFMcMxwyNJvHiCNiXPR019OmqJfl4Yq/c7eyI7R0UH0uNOdIJzWXyy0DoiCPO4JVyQa2U54esFEIVs8uk4D4AW4nZFLOJUE0dgYghZp0ijcqfWDUC/iVmhSKFygHrjAl+Z/YK9TNdE+7/GJqtmAC7P+zJbXl8qP06+jUlzDDn7SQTCZMSJpG0GXgvuD/8iWogw0vIIs7AnfFF8pebyH4H7Q+OJZoSzezfMRfjPpxofvvLgawvcY9DZyw86QzqBr9b+GeqgYwvsZ04A6VvN/OFfPNbGlnYBaSvatIn9EnXTAp6iX5YZ38SZSgy3ko6qUg9x0mfcViRerbJ9/co0gjLQEGEf6EeyRPh/kZI/0kt/KmwpybyYgNmI2maJvt6Ex3iFPtquz4x5YmI7+wtJO0m1UCcYp9LHFMffCb08U2KFAbGQgWaEs3vwiLSEYl9iX0kowkUPAN7j+wLWWTifuIMtvqfqhl/jfKmwbHQEU3C/FZFzF7UPiaOaWnigI51xAHSP9a42EHSb1ELRBTiOeIMlt6jpUeKCGLqNSWa38eJkRHBjRE3SBb8/4gLJOs21ZARwSniDJb1ExppfoR94IxJwX2gR0Y60bTHjYgLi3TuUI0dZqTzr5BlRLeHf7M6epUlwslF9CJNI8w8MHoWRmYfob/xwBOg0YRgHvg+1cD+nnCFOKEdtVWN7K2hMhIOEplrM2EnPMOeBLL8BPjuBLJ8zqnGWlA7cQbvbEfV2iyIlF8nNGiKM08q0LuI88eRJ47HjMTRSQW3UI1R4CUSZ6Af2Ete6EU6gR0gK/68ptCpCHoPOxWJl9/HCMqyUo09jE5FuPwNBzeahoxunx5dJDtEDKwo2sxbVRR8IfoC+Rh4iWjKW/mwsCj4CHEGjm6P6WMjjU5oEqOCstC7ENEimmRhhjh9EsLpFyBx0C6/TJyBsg6QRx0WdpYdFnPFPafJfteUtgb+6ppde1cR0xqN+DcO+amd/CtyZ24/QfJjqI30eF3EGSi/y/ToEcaKnFyTy5Rug9UkxunzAx67CRz6LTCP1TViEdvEXifOQFk/NE+AIsiK3aXJZmaQ6F3YLtsoloyFR7VRBsnjqQZ2bdsx4gyUtYvmMPi7jvCdapH+ZUcwN48NmBKRm8fmxuaaz6l4To0J5e7oPTYqytSG/Rbm4lYw37MMU94f828nn8dHUL1TmnCbGPI89gN8fdjTTuQBQ/eS5zQNM8/S7Zj/YVuG6WiY2xG7DOsgaQ6qMQ+8VuIM1MpBmoGcSDNgz9UUf9OUhfHHX4zX367nMYhK4k+TLPrFSAx2q/hu4gyU9SbNwMuRZFkOagr5CMvOcB8RUxPmI1KpxlrTR8jv0HHxypD9409M55KvRJA4SVOYxLJwidEnwyTSr0wsDlPiKCXx1SESr5HEV4dKFKc12czzAXEUbRpsDSRxNt6rIolpVGMbeG7iDMyU/xz0SuKlCLIWaooyowCB+CTqWBRFAcOxIqPo0y7upBqIrKK2E2fwuP6qx0WR9gBZ/I6mkCb5gFPv4WvCNJlONcxTb3CkJp8fNLrrNLrnI42OrzMpKHElIrCVfCVJRM98EUl0UY2ZmnCbGVplvJo9EvZUZHksgrQ0TVbznIPbYc83DTrnkDoz6JyDj9M1kCdwo5c4g3V5lWzkWxHOVPZqsponV2wrE9bd1t0kC/7JSidXnH67whCtWdcRZ6AW/0JafCGSFoPnN1HppixEa1EJUdq/8WGIxGVqr3rOY+b5zbBrxJHz9tKQ0d2k0R3433/mNEx++lVDEj1s0GdO3BuaKebgHWFPNhUpcktthHV+TpPVPBu0nIBGD5GGuQ3xr9KulEC/VrFg37FuIs7g8Z1h+rPmCCvBskRTmE+ZG74SbGGf//AiqlFtroQipdHXhkjs1RLxztB1ftek4Dq/Jn/HLK6RRPmb736S6KMaJzQx+bVoU4diH6sMe9puaYkgrVOTxfzmr2jD7hFnoc8DpM4UEtl3KdWYA7pKnNBpwmw1sgifoalzZpDVjILZIczXHitFwVZ4KWswCi6nGpBrbSfO4Djxa7TDRcgh/p09qk/egvZYMcQeQ78FkfbYPMAe31X2mBMpQ+NnNDHzVzccmQtshnJwhv2dH1SrUaOoD7OaKmqxwbSaKmU1mwaOW/zO3B1eiHR2zRs1CfM3frwetXeoTFBiSADHj/c3qF45fJW07y414xpJtekLuWgmzmDL/b32PpHWijrp7g1fK6w7fK1YpoaNusb0hcFR1yhUGweN+qL564sX/vezrc5dg7NdN2S2w052EDs+GPZks3xSofn/kbkwTOYDQ2ROGiCzfoDMJ5TMb0T+ZM8W0MTM3ynYEMvC4kybs6VKm7Ol0nz7ta8Iap+fCtP+ZN3CesnU/mQl+8VB2v9bMAsULw/VhHWHptB8WzeEzzefEyZxCtVYZkqcotaThw22sPeYjikjWJjVr4mb392zZiFKaOJ09smuqjWgJTZQDWRymHvNGSzrFsmK4EmMHpNIliF/ZXvQOEiy2sDZSbKmUo0NmnD7odDMGq1sethTs2X+AGnq10DqO+qaglY1AyhnsBkkTeqMTpu5/GUJl/+QMci2wqTAtsItzWZpVPMb2sH9wH9U9SwjYBn7pqs+VD1LgSpLVJkfihNYaqgOewf4ZN9dTH7KdBqv8n+XXud2ZIWHeTwykyN8Nd/HjvEf8R+zv4sUUa5OiLgh4/A1JFn3lqIwjGYZbBwrZ6+jt1+yX7PfsBuR/sNC+RLtx/Ur4/8RNrN2ZuFL+UpDnqlZ2Dv8MUtJuCZYskTPQ1FhOq0wWSMbpPYATr9mAUbB0vTvh1WsKdgdleEb1netF62XrL8Hh1v7rHQOYdmviJl9KL1Z6DNYeaLIDK0zpZsupZs/Kt1cCxtDLhvB/sWj6R9pbt3zP2lGSDT0PzFv3+OfYuQ4pb2nhWU86uSZzzLxBTP8/5T/SWb9mw33kGBjsbbhkBP+rwppLEb+K4/6T54u/iRfrv6J5yn1nyMx6v9x5L/j7GN9fKT6T5wl1rfDWsdh9GvZs/Kfe6QO5b/oyH/NYYY5P06F1aHe/S7u5Z5hYL0LpXXB7md3zRHpLEewajU/aq/ijxJviupD/X6Nz1O2/80wKZLilB3Eq/6T4AUivq9WriHXIt4Pt6JpqvUbYWMrYsn0T0Qf4H+I0CaZ/ifoA/xLUJjkU2H/0CH317ywp/3Ktk2M7/9BjfvlMN56NtbUnsv0K3U0+4+r+p0m3038ZmnjokV8Rj+b/b+n+K3iC2q/0r1mqdZe1YNuvUTNG8eqDvabZr4j239ULFDPgs0dkKXCVvjTvE2SmgO5476OGqFZctCrYXwCa96pYgfOPhLWRxaL/zdrCOsR6+e3CKfetb7L7FgxVlh9FNZNXPhY78r/yuDGWwNsIFrp66P/AwwX9+UAAAB4nGNgYdnAOIGBlYGB1ZjlLAMDwywIzXSWwYipBkhzs3EyASkGloUMTP8ZGH78ZmBhAINgRy9HBgcGTu3TbAr/FBhnsu9kfJDAwDj//nUGBhYV1h6gEgUGVgA6XBKoAAB4nG1XBXQVyRK91VUVCE4CwcPkQRIguLsFd3dd3N0tuLt7cHd3WNx18QSS4O5O8jvAcnb3/J5T1dX9ZubM7ddz7x0ABgDbSGQz/eglroftvyAIbugLd2RBPgykQTSRptB8WkQb6SE9pSiTwuQweUxd09XsNcfNSRPCwnHYg1NwGk7HPXggj+FxPIkX8SreyCf5PF+T5JJG8kugNJapMlPmyhLZIjtkjxyU83JDIuSxvIxXxHu49wLvz05ix9txOX5OOierk8PJ7xR0CjslnM5OH2eQM9pZ5Cx11jubnW3Obme/j/p4+iTxcfn4+WT2aeQz3Wely7jcXPFdHq7EruSu1K70rgBXGVdTV4s0CdL4pNngO813oW+UXzK/on7F/Zr4NfNr6dfW39O/lX+HdFEBWQJOBJyOirJr4A4HWZEfwb+wB9MGekBP6ItJarL/wr7HHLPYrzPY7Rd2P+5usQ+z2CfwZF7Cq3kTn7LYISkkrRSQEjJJZsgcWSzrZbvs/oH9uoTLI3lhsQdZ7MGOp5PEcX5hz+7k+429u8Ue5AQ7S5zlziZnq7PT2fsDu9cv7PV9Jv3GntBiT+by/oW9iau5xe5Y7PCd7hv8D+wtfmFvnw4BHgFHA05FRbnZXWEy2RVA5GfqE3kI/2qRlyNnRa6228af4/ycMRfMCXPIHDANo4Ls78ttDI8cZvPI6Ar43tvGHPynffv2Pcvf9bvDQNhjIDw4ehTeM/xGhMe9rOGjwlvbo0K4V7hXmAl79O/rI+pH1LC5ULhnRMGwfPb6RWGFwnKGZbTVj+cKixcW9+6T6OquF3CnOxByHAjNHZogNH7Im5BXIS9DW4YE3n51K/D3LaPfgE+2S0Tzfk5wDa7FdbgeN+CW3P7XXOsfuSV35t7/fJ7oEQ/5UdnM42xMs3HMxivxk4ySWbJKdikohaPPie6lqBS3VXSUs/FFY/53jf5u8k4+yCeNqbE0jiaInvmZf1SxfldxokPj/T3/c/wz3LL/v/u63Y550z2Re3L7H0aZ+eawWcYxuJjUNUfMKrPaLGF/M9tsMrPMCjPHzOXMHMCZzEKpY1cqOVLAB77Ig7wojGKohCqohjqoiyaWN/pjAAZjNCZgERZjBVZik1lnVpr1nMts1yfYgyv4C7dwB2/wFp/xjdwpDsWnxORF3pSX8lMBKkKlqQI1pibUglpSJ7NGmpu1nINhFliuSWHfuNTSQurrI2lAg8wBzmk2S0N9I005mxllRutTLiz1zCJ9a0ZSkDloppjJZqoJRkLLeu5IgvhIjKTwRnb4Ib3lubIIREmUgguN0Q5N0Qy90YbToyemYSImYwpWoR+VxGnsxWFcxEmcxyVcxzPcRQQeEyOSQITblIrSU2ryodzkzxkoJ1WjilSZqlArykdt4Imzlm33Wa49h5S4itS4YZnmJlLhGtIgBGkRipx4AX+EWf55glx4iXQIRwF8sFz8DoXsHi2IjyiKryhimboixUR5ckMJRKECxUBpfEdxUlSm2KhKcSkeqlMC1CQP1KCEqEWeqE2JUI+SoAElR31KRknRkFKgO2XHH+SgG2VDH8pjWb8ggqgwBlEhDKGiGE6BGEbFMZSKYRyVw1gqizFUxvJjI8yn+phElbCQGmIe1cMCaoCl9AdWU2uswWbqjK3UFVuoC5VCBwrADKphmfU9elAOeOECkuEyelEujKASGE/lsYE66BW9rC/1sb7Sd/pan+l1vaG39I7e1RC9plc1TEP1pt52U7cYJrP5brKYrCabVaWcprrJZXJbfq5n6puqppapZmqa2qaGqWPy0BgaS5tpBK2mVbSW1tF6WkErLbNPoUk0j5bQEBpKw2g4jaLRNI7G0wTL/pMt+y+w/L/Q6t9iWkbLaSmtsUq4iY7QUTpGx+kUnaZzdJ4u0EW6THfoLoVTGEXQPauWj6xqPKc39JbO0Fl6RyfomVXQF/SSXtFjqyev6QpdolC6TyPpJG2h97SVPtA2+kjb6RPtoM+0k77QLvpKu+kb7aHvtI+iaL8BHTBEB43BcmqOJdQUy6gZEuAUPHAGsXAEcXAMcXEc8XACsXEUgv1W1Q8iBg4hJv6E4gCy4Sly4Dly4xUy4B4y4gEy4SEy4xECcB/lSFCGDNpSOrSnDGhOLrSktGhFvmhNfmhBadCRMqIzZUYXyoKulBWdKBOmUlVMp+qYSTUxm2pjDtXBXKqLWVQL66gd1lJbrKf22EgdzQ7rIfaZnWa/2W0VdZe0lNZmMcditY4iISfixJyUvTk5x2R3js+p2IvjcjxmTsnJrOp6chJOIG2kEZfiQC7BJbk0l+GC1oU4XIhzc1HOyC7OylnYl9NKUn4jvhwl3vxJUvNnScHvJSV/kCT8gO/ya/HiexxqGTutFJF8HGkdSyHJw98knZSXvBwmZfihZW4j/lJOcvMdKc33LZeTJBaRDBzBIZJJYvBLcYlKgNX7XJb3Y/JXqwBuVgPKSk4Ol1ISy2oBS3p+ZP1QFnG37sCDn4knP+dLfJWf8m2+yE/4Fl+Q4pKD/5Jikp2vSCUpyTekopTg6/yYb/J5qyDZ+LJUkEDrMOJIbIkr8SShJJD4kkwcSSWJ+C1/4Y/8wnovH37H37kal+PyXIErciWuzFW4qlW3ulbjalulq2n1rj634tbchqvzDJ7Js3g2z+V5PJ8X8EIOtm5uMU/laTyFp1tvN9k6u618gA9bj7OND/IR3sP7eDNv50N8lLfwDv6Tj/Fe3s+jeLT1Q/14IrfjvtyH+3Nb7sAduZNV0W7WMXXhrtY1DeIgHmy903AewSN5CA/lE9Y5nuLjPMA6qaW8jJfzCt7Ju3g3t+eV1lmu5jXWa/bkXtybz/FpPstreR2v5w18Ri7KJa0ml3WKemp1uaKbNYd2k3c6VRNpDflL/9RAHaqiSzStNpf7ukVzand5r9M0sdaUq3pKy+tYq6drNKO2l+e6Rwtqf/mu8zSVNpRQPawldJiqLlVfbSEPdKvm0h7yQaerl9aSa3pOK+tETaAbNKt2ltd6QItqkJIGq482lXA9rmV0lLrrSk2vbeSJ7tR82se6gNmaXOvJLT2tFXScxtW1mkk7yAvdq4V0gETqfPXWRnJHj2hJHa5uukz9tKU81G2aW3vKR52hSbS2XNcLWlUnq4du0uzaVd7qIS2uQ5R1sabRZnJPT2o5HaOxdbUGaDt5pru1gPaTbzpXU2oDCdGzWkknaHxdr1m0k7zS/VpEByl0oTraRML0mJbWkdaTrNB02loe6w7Nq73ls87SZFpXbup5raKTNKFu1GzaRd7oQS2mg9XoInXpHxKhJ7SsjrYuZZVm0LbyVHdpfu0rX3WOptD6clvPaEUdr/F0nWbWjvJS92lhHShRukBTa2O5q0e1lI7QGLpc/bWVPNLtmkd7WZc0U5NqHfs90V8GyQAJst8hY60bH89zpKMMlT4yWnrICBks7aSfdJBOMky6ynDpKb1kpLSXIdJbRkl36SxdpJsMlL7/A5avJe8AAHicNY49agIBEIU/2XULa8tUYpU6p0jtCbyDjeQEEuyEkCI/JKIoYqIrKuqaXSVs/hSM2UqClZXkACG4eVkJw8C8mXnfTHxFMn66TzNNEsLtf+6Owq+//l4zw8dRLGkqfBI44TdFVXOu1G2FP5rmeKAvVSCgxzlv0lM6VFlJ3zKKndCWcnlho5nPO3d05cyLVeaeAY8iBmLa0Xwp5zUNKYeJ+HXt9PF4lXOtOzbP+i3gU5weY0pcyPcUMaq67KpeiHFDTbtDpvrgkooo3eiLDzZGyjywPPPMOLSOrayV+QWU4mJ+AHicjVfdb9zGEV9S932n4GwErgGq6BJbEgEo562FrBoJodOd9dHaJ93ZIWW7IY8n2UqT2Elby2miVnXr2ti+t+5/sbRfpDzFD/lj8leov9nlnT7gBiWW5M7HzszOzszuhmv/efnvfz3/x7O//+3pXw/+8uf9b77+01dP9h7/8Q+///KLRw8//+zT332y++D+zvY4G6XJx7+9d/fOVhx9dPvWcLDRv3njN79eX1tdud5772ftRn3eypuNjuhsN67Ms7zRRLd5Zd5SlY6qaqS6GXAVbkTu+mbUXXZcN3aEq0JV8rr0pmOZTQgxRGAUxkLE+kCsb2xFvCsTTQRmeAYy9IUpregpuzOMVC8AdAq+ruEpuHKOvDohC65YX8pxzmY84EMnt3Sn3PlnjJnEQo0C4YpoG7x5jbXcYdJBrzXpWfw6JPLDNhvhzT4Sh1bR24oUT3biFXAz21O6DQ7ZL8QT008UzzhXFU+M+pF0lZUIp4A3I3jMSh3pCpfH8eHxmzniFi5k2WwpF9aLjTy0Xgy2oqM2Y/zFMHplW3YnWYrzn4MWHXHGQo21CUtIAjgBbN3Cyryya5rfOQoZO9DUkkZoOMMsNK42wVksO7QNrm0U+VpRyGxQSoYSTrhLwNUM7sBwv1dw10BpE+VbZluMaaJ54CWsTNgoh7WwHrbsWRtrQahXwHwL3rrFXresWcvJIXNTow+tg7weOkda0mbBeQBOwh1McbCc2E4Jgj4z8VsnM7i1Fb1uMcjXX3As0XNlvpvbNwJxEtYbEVavm1s3ggShTeCM1+UIaxUOIuJNHMQ8onv5yjxFF4/EtiPi/N135aNu3m531mUHgYxY0wGWpxU/CaQJOQo00V5EmM54q5noJWARSBu0VaCy2zxRoyRAl7d7skdRkRI3u5TbM15ulTzrA/YB/FZpqYbYXlJNsTSlfMg+NJQKUapiSVmXjNe7ossv78pMjBCBYT+67+zEKWSrUKSqJJacvMSWkC+XLUypm7MbAea2jhi8GfTvIEnJGVzKZZ6HJT/NUoKXXeS9LEhieTk+NaLLpQrTLAFHN9bMyEQguyLlY3gZ04XnBgLdrS0aM9yKZGssxgIeDkOZYtoOz2JHxpn2OMbDNHZlvnxSnYriZFPOe9kOPoecjRIxMgjKzvO4++cRO+A6jRNrpE7/Lf2Xa6I7Bge96VjNIOJcPo5NyLC+rhv/k8k6xcSxplq4bP9qAlkFBABNqvtnwQdTsEdvAq+9b2JFlXyKvMhVnzjq0ziYsqTqYMQlb4tFQR89+Dq9iSqjc5ClVJwqFHtArAHBoxFiGQJ7iZxEHIaV/Kkm9XlwRiRKqjWEatuj6aiDPk9iniTAIntch6sy/nwnpeCists38+mj9uOXygHGMkogR1WxA+yk28JFtVaUtMb7ZGMJ1rFBpJgjpZDKgoleD8wQ76uKv0o/tEeBSLexiKSPp9t6bA/mau+QNKcr3Bgstqd9CcehWozok0lEo7qHbCt7F+RFya9KVK17KLglP7udYFvgbd7jeqlTRDI5YZWgGIIMY90jRozXzVefBfm9qneC0e1hYJhrWios24xUf8JS1Q2dLwJl/2QBRJq8tYn6UdILRc4re6twb4iocmg0V/YwKpZHj1+loc5kwcwwYHTZpW3RndjbNPYapRXdWrrVPVXzsNCqBBsMuUrTOQkC9GG0GTOjzTUTQB+qeEHRE0kKoORt6zmZ7ZBT+cRBIRX0OofH3/VRIxNBbxyT+ppWRCO0aGkEk7sqRHybKwpNpjWpreopnEY3dKtqm4lmplQ+6/jCe0fH3zHjObd4KGZols+LrCzybttRD+JgbEZVigrOUVFRubMNfdq4g2wQbhV1DNNHVnE1CLCJ6Lk9N15dM9WBotLqCdZDDBUddokpJlYs+jCkllhRNsBpT7yymVUTC/Sri4Xctqqo9lSM2rMtFHqZJWOzUcPLbMG5Rkejil7oul7bx1SahlHZKcU6ZHy1FxRRbL6Pgyl9j3KyOvFkjWhySixrcXsmNvzi+ziovXWUrP1/ymrFaqq6plE18ms/rmrGLNCaWa4120heM3UCWD+Tkkpbfu8dytCWfwH4izDtKoy8WlgJ33wDU/qkuqYxGkS6Vckcs2xeE4Q2eN+Y0G6C2IY1bxzDhXZ0fMweBxNu4wTY3fBMnBfkYrSJzr0gRq9HbwKWHr1FJjWLLG2dq/qFeLOm9bNEMRVGG72YSiQot1o4A5ecMjT6vA13LWp/+jAVsFzMrapfMJSJwfYWpWxO6j+V/yMcQJk+XLJYnkeofawH1nr27ZTaeeysRherPDv9E7JIh0ZHNTt0fqG9qU4B8D7Wd//7oubo48Qpx2gUpeJp7GXyfXVSEh4Gk7ETv+3olC7GnsMOo31gyVPf006iLPzLvkuvQ67T2ijGHwbFQXefVvepFvc04HwX56yOhdMWNspd2qo4cdd8XeQkDjy7aarrkL7GXMZZapNOx7gBiDa3rrFr5jIkinsG9oCSF11zrsa4Vxwe/zAXm1JlY5PHO5Scty+AJPlFXDTUM+3egiY0Drt4xS+4aAbPkJyGj6xv2XJ9ACfQjayx4DTolje5YL0MfozMaTyqlPpYPHHJFeq2+AqHhY5QnN9FSQTy+lwsJbZTKegmdTsyXyJZ83N0MqBTTMHrzOGOdgK25ijc0sPj13N0XZpq+3qi7Utoo46cqFPZW7VRlFl3TKyhafPzXzJh9Jf8Qqm8K7dwP3TVT0lxYQfAd+ZiLQGWvCRL/gvbMGjtAAAAAAEAAwAJAAoAMgAP//8ACnicrH0JeBRVEnC/7p6e+75yJ5MbwhEyCUm4MiD3GRUh3Mgikl7A7HAICIjcQkRAVETQCCxmEVnUqIjsiK66WXRZxIioQfBCXVkXFQFJ5uV/R3dPz2Si/t//O06SYarfq1evql5VvXr1GJZZyTB8oaaW4Rgt4w6YgFYEbJDhRUYXZArQf4U9/HafPcdn963kDoezWV34uqb2xoIQb2MYlumKnl6NntYyRiY9YNMBXtCLgsCgNnjSQlGBvbx7gd1RjtoBPpDF+TiA3l3BTpAJdp6eAnVTQOVxsO04bhRMhPv5C+EytpFpa6Nta3PZXAYwDBA01xmGMb7EmgAAdeOYguIIzEAFpjUC80gUjG42hWFyMQzQ4tbAADRiC5dkBaDzuMgz0lNwcqRl9NSXSvsJAROXQIBZBw/AK22zGfpYh31d+62+yFPPRz8lMOQpbwOX5AHMkbZrL3fw3L6Y3iBjiPTGpMR/Sluo0OwGpZkthq6azro0peUblGZgGnMdY+Q0Y4yuIIyUp9RUK4yh2g2JaikEuCOqxfZ27bd7Q8/tUVH7BqUbeQ6P32lnmJK4T63WHYjpDVNtKH3KDEDP+E9pyxSq/YyeNb/MRdgxMn5NrQKFxs9YGqJGHIezr3XI2TUyDOYGGWZuFIzwjdJOW2w7WEJhFZFQL5PMdAp4E4DLkyh6sIDqLaJLX825XFRQ7X4k7fZylaxmCm6Xv6hUK2Rl5pYU9yyNll1OXLQgq7ujW5f5y6vGRMtxVWWV8YD+jkkTlngiIq2MaY6Cb1hFw4ERGpL58TB5ROIvcwLjJlRkGA/DvNJ2OJqKM5TWoEEZ/TZ59J0RzEg0eivjZAoCiRa7qNGJFo1Fw9gAjzWdSS+aJEVVUFDuKC/v3p3oPOBzI5VH3yU+LeD89s5gC7sNHgc8bAUBaIIfDALTvmvV1DbAYQ1wSMPVq/yF1le5QQgz0iuZ3wSqufIJZq7IvHBMHYKZRzBLYHxMVsCl0zuSRIeDAXaigZMVDexACrS8nOjhIo/bJWjdHvwri8uy+4t6lhTncghL8kcd2H/20nN7T1+8cPLgwaNrtu3Ih5dBGvqtqX312VWP203c0aePvsufhPfeMXXyjPDrsPuSuTX3IBSZ6W2X+OWaOkTpxIBFrzGJOg0XZOwioyc4FBUUFfbQZNhtDELBq83Nzcpk7TZfUalXYK+GRTAaFD70cdH2rptufv1b8PnWB7odcrHNYBJYPmXcQwOHw/+0MeHTfQ4PxLNLeiK0Saa0qca0AR4NALUyX1OYQgWmJR4MzMAYKzAXCe+DFPRrUEft3KDtJLXvq0yBuRrbF+IiPFer0FwJjBmvkYxeBDoySeo1ElHHZ0dTgn7XgSp2Y3jRli3giKY2nBsezZ9suQyusCkSR+K2DIjWaNZZl0nEIqhxihrUoFk9635Mdb89q0Rq3ekjrfuy7L66RYtoH8/B11AvcOgW0J+dGWJF3Bs7E07EvcGxaHwEd0IDH6XlScKLFrWukXBiBSYTLzrkGSw1eE13IIHRaBgqLWjkaq4k41bkpI47GE5hC8On2C81tSFYFYLjQoyEAZWGHDrjaYTCUdqOwgxUYFojMI9EwxQqMC0dthOBuUFhbDEwmqFktcmh+j+Nrm3LyWrDKqsNiFkB6pBuV9rGa1ua3ANa21i6tgEkv9FrG8ZoRrverv12b+i542RtUz2H1rbldG1j6doW76mRZG1T9waZfLq2sXRti/sUkQFKtZ/TsF5mQfTaFgt1NR79MY3I+kdhEI2Q5o6iShyOuNbhTNbIMAITgZkbBUPWP9pOW2w7mJfR+od5OYXpGkhW87LNLRpt1clGo8LUfrIExuHs2IWwRMXqkVWwd6nC9nQBvOuO4TMdLmUsMxQ8Yb6C5zYFT0nm9ExywBolc1TgYrFSUMCdpoTCTZIWX4G0eDLWLF6P6PUycXU5bStGn7uRPu9ZakernV0Q2ObwGjAcdH74QsnD3TZVnrgAQkXjc+Cn4ELn92XVftt2pNq/bQufNulAZSg8w9xd1qcriCSXUUmeRvUy0qer1Dp3BZEkCtMSgantCOYGhcmIXQNWkDWAwnw1n3BbKuG2DTK30ZbKFKirsb0hytUi6mcTjZeMLECDyHGMgGivk0yDIrtEfewLIY2MftY2srrGRuwMhR9hxRsL2JnhXXit6IdaCqKWnMjiKggkGDmvVrSwLm+1yyEiPW9AWt6mbrWgCP0h6/kSP7I2/G6/O4v0gSejdvRo3BP6Gb6OnS/uP6Ev0X+hVg/ukcvEdhXBntCqn8qiBzaNSg7qEYyOjBCv8AxAXMGTJUcXWeH9aO5Rl4TD6sEI+CI3Hb4ARiFfLxRquRyS/D3sLZqZRGRNJniMOtFrsYqspZplGZcRNaeRVwjCZbRdtHr5kQDZ0RB9dhsowWP1oTH63WwNnN34wU/HwYaW8OHDrOmJ58HiN4GLE0KtfWAZqwmxxlAo/DNZR8gIiNbor/IHgUmj0hoUZqAC0xqBeSQaplCBaUctBaZMgaHWPhvpLC7U1XgYIY2oIxqxv8ojiNWIsWO71uHYamQYySMgMHOjYIhG7K/yCFTtYE5AGhFzQiqTE/DYPaLJXg2QGZzCmHRBmSnIxBVhoziaK3ztVKGKT+ANtTKUuSZGF9JRzFAwpFY7wVDRhVhiMZfZsS7kecZiRCIUZLSyCsPKEOmvTLbE7/JgG5hoLRfPDv0PbHysdsNDsJbtA6ELaL57ZP+WNVxSqDX/o//JWuWPZO5HE6/vBtNAKeQxq9cMhON2IsOpAavJyjlEjtEjdWCRBddRLlnkfns/1oGwYLUgC02J1l7XuOmdNYGTD20CM36EXwe2ViL9wJg3fAh0tZ/A4P3hWWxqVhctLCdrZQbuBeFSSbVXPuEMN+GMBYQzVOuChrEH9AynWhEkfeSua8QGV0tRCLV5n7Ky3kI9dniQjk9Q+4R03cxAXghZbZAyQP+App3Xirx6tQFOPwdIH+yNoqaJrTdQT/w+sAyuaZks94hHQVf8W+goXGQUWtUo5BVQgdKyTzGPgCCGMwEW+XQBebS9pNGamdyABxh4La/T6TkW0R9zpVFUFsOCIr/di6bAZ9eWlCIUc9wahCbgT5xoBNvhHHYlW1j9SjW7N/zW+6+8D3NDqG050mVFVq3dwJureaPIMwKrUvOoXWpz+5x+J7bmkZOF3KyVoNse2x7Q7XjSniN7ktCMPsHOuLGA3xJuYEe21GCO2Y7aTiHa1Rsw6jldTKuUVwCeryyQZd/eCo64jrfCoS5ExUa+DLVV1kJiXqQdMn8TonSc2jKiMIUKTEscXbEdzUoKoTeF+YpqHbMuirckKOSJIIo4OTvG2mQU7aZqu+ITR2OPvE9tXmnPniUlkXEc3L3KsHj06N6R4bj2/t1iqneYZk6tIgMDbSulnly4J4tOYwKMaALVSOMYiLrBPdlJTxxqvkRFK9LnIsPiXQrNwMHdMKPe4Tim+VImXutK+M2f/26KUGeGMnJZv6ijAiORFpiJ7CQt4gXsz+lE3iTyyEjSy/4cto2wz5Uj/WarwldYE2sKXwG94NvwbReLTL9wSrjwCJvAdgk3hb/BfZN2yexNV0csbbzKZqEwAxWY1gjMqmiYQgVGitC5YtqRInTT40XovHY5ZqY8JT2H1iOl7XYRugwCzHqI9C6LeDEEo3a9Xfvt3tBzNEKnek4VofO6SYQuzlMziRej7i0SoUPd4QhdvKfIajw9KkKnkD8yfmIzTldH6NQjjjOT1zqcyRoZRo7QYZgJapgLwkIJRou08BZ5Lhnmgygo0ttcFd9wCVG9IbxpS3NVeHNp7fFWt3QtXksEpkaGkfAmMNF4Eymaq5IiArMievwRGv0Sn94Yilgk09UxygglsTwiiwTLYyLjY9ICDkOaaODcjCi4q4Uk0SLoJQVRgZckbHaUlmRTsdRYWDe2AJA9wsmSum3+8iAyHZGwwr/0mDGg2+Ccrg7/7VRsYdUdk3bmeruydUR6X7nLnltRltQP2SfsSEWQOWZA21KETyuyPxKYdKYwkGpn01ypbqNOJwDGak0UrfqgQS9MF7yiwGGVkWQ7iRBEPxx4TfLmlebi6Ji31Kv1oD8y8ziXF+RmZYAMe3Ee8Pxz/dp7WFN98Pb1i1aGrzy7IDEXnBg6D74NeoFeBbDnsHUjvm4Ak9kvR9aPOPkK3BYuHM2uenUplzqw5Rib8K/7Wj8bguhKcCTUX6TmmQyhHYfOUGgvRUhtyixKunAkor0H0d4fyEh02UWzTTSb9S5dMElvEvVsUEghw/Qq5leBtK1DooI4EujwF3n8qohpppBXVGqnUUIHq3v/22/f71nZDWxRoqc1WRO65adlda1ZutIFloDx4Haw2iUFUl1HBD7fA8/Ba20M/Ea2V6aTmJkT2ytmPcKPAaZ43nEG73Yxviy7Uw6O1oE9gAPJ8CsY/hj998ShQ2iR+up7eAMO5U+G63ds3L5H1YOJroVWo8hZRCtn5RilD7sSG0Z+i1/qxx3pp/FjwIIU+CWESj/NNy6ijpq5H3E/Dz9FOL2YcLoNc1bAqXWLWg6Zlai3as4uGjmZ1XE/iFsUPnfb/H4tkFic2wNHw8mEw2+5NMsFZ0rMXQyO6G5i1xLWXtBPB2EDW6NwNUu8xEVyxDng0Bkdlki82SAv+O2izciwzczy2YEcZK4F35z7YdlCkHMZtun08ALIwO+7167V1F44+dh7PcJ/Y1PCX/InoWlFcPl6yTtdRDh1OeXUs4QLE9U2DYUpVGBa4sEgG2IRsWkozFcGormTou3l+xA/5yAKZyELMsFtTxB1mQZjepolWce47IiLBSUOgmSVMnBeqcfjzygpzsvLxT6NXw6JIFfH4/V6PG4bm/djQ9K8f90OXKuubn388ifrTk6rrdw0YuF9w4eeemKfa/SJ7j3evrd3zYCjG4++O3ba5qH9/3D7oPGZM4Yf3QZXYKsc40QocJ/aqsu2q2SVwhQqMC3xYBAFcsjaRWEuvkZgOqtj3rHtSN5t/q+1QykJclRxExwTQS2tRZTMZPICibpk0WvUpQga3uISLfogn0YMJikYXIBpiXnG1hOpPT/AGxR8FiUsYZq8PKT/cgW3vfZnYIVvAPjNk8/C1kuLb0nqeke3ezctEP8KMiZM2P8ItweYfzgA5+Z9svfTK95XdYYNy6ZvziwCoSLwWH3rVJXtZkOS6gs4XRqRdbkYs040q4NcNHxO7DjkpPpYX6Y2r6efGHROn4NYcyzXLxNu2PtAyq7DbA2y69ISw1vdLvZYeu8UcCLvuW7EugPH4EBs31dK+kHLOAMGATskkcgJdkKofwyuoEXaht4nkedbpH7OiiXOoBVEC3rWyHGMVn6exvmVViKeNm7tXVBMW0S/32UrG8CJUAj2bAgfxrNI2iYzfb+aY3ScSmYq0UxPJzJDYS4eJjAWBNqjI5ivWgg36KPlCnNDNhmJ7WUjzyKbGTmPFQUVfkJkbKYjGSK/BXYsLGtcvh7wjZdcoJl7s7XP5i0gDf/+/nssx7glIg2b1dJgU+NNYQYqMFIcx2ZUxXEoTKECI3G6y9iunTIFRo7j2IzqOE4tInI2ocBmdYwmxiaMxftah3jXyDByjAZ3N1eJNSLL3SEsRL5QcsBmRFrfUm0k7BSJ0BZEExV5RH6bVk3Zvq8c/z6auIa01+Hnla2vf/+9hIfGQXB9RE1jjzVKn07GeCgw0qiT2406qqVr8VoiMDUyjDxqN6eKTFGYGUo7kl+GYbapqTdKReFf4s8WpjGxKDerY1yRecA0RhYl5tYMJjVgtyMbJgWZkynVbsEiEnOywE8lVzEnVQystirZXdianEe5GX7avaqc2pPUkPQkg9fU7A033mzNC/iJQRnhhjkKpmHVeAZGj4dQZrOaMjZOFRHrIu0aYv2j50lsmqqPIrxb7wN+8kLaquYMGOkAI8/AGmTmpPGf31iAnnahp3cR2U0JWHmtmTNpBAPe/JYjFBXEbvVzfqf04nxcFtdQd3qxa3Xjfa7Fp+vgO9WmatSki1vTuoy/dGMBN7V1D8aetE3mbE+UNKtXbgpTqMDIkqpvB1OmwCiSqlfPfWxvsgzqVXM/AMHUkFhMUsBi0AKe1+PAhl4Jx5CxAkD/zwJgAHgBjroIeoAeF+Eo8MJF+G/4b/Y19l/hC2xG2B/uz7rD36F2E1G7j5IdGm/ABHQajtXrglqWhi+kYJQ0EVh35zSDiQ4wsRnmgGvcw+Fe7Nutf4R6NAbSDhlDvZpiBlZFDQpTqMBIFLMI7WDKFBiZYgZBTbFEpNseJbqtXi3ltuj4cyxOEl0N7furkWFkKccwc6NgiGzWq2UzzthmKDASv2MYhd+RjuC7EVonBiwCz4k8GwQ4AEyZnkbpSgBeLIHP/Qi7JVzDrQlPZo8c5tPQ2vv5YdQPaYOM6bkoOvMqXChMoQLT0iFMmQJzNQ4Mzpcykr4Q9+HMFdgkxWMC6DOOWaQZSO5TkjNq5zUmQ0HgI9kHMzuI9wl8JN63uIOIkQRDPD2lnRjLUG4HW5gzO6CHDIPHulj2GDHO6/huTBKTy/QIpDrdLtHjNgQzhCxRh7jCYkYuO85fSWCMkjfjKLcTG4ea29TG9hKrsNTLe9x2r1uTlyUgnxEHFpHlneF2gVN/ff3nzxZPfPgh6DoDtG0N8KDBbTwoTrmnX9ld5UgRPPlQfUNiufgHXnuM4z85DQd7Dhj+s3TpgYFiWcCqeWKXTN11wmQ0mlfJzH1E/d88CwDPq/cZ1wk3KTDnLikw9VEw2q8oDJOLYdDcfsQYwP1kbssLAMgdF3lG3p2cHGlZibTh9nGkzU+A2a6xkbb4fZ1lEuW+iuP2hZ/S5cQ89Rnq8Tef0r4f89T5tquRcTG2+E+pqPoJpVhBLFXf0B5WWv6EUgzcBcbieGG3fBwvPPvyuMhTappNjqHZJxLNSglwRzSL7e0sWP5bvZHnLsc89xm44/c8p3PFPIfpdoLQDT0IyuI/pflcoduZ72m8TCFvhAJ8NwVKik92jbbKYufgbGJHnL1LgfmM6QBGE4G5cCkGBss7sqWwvHdhypjiQHo+kne3QShRCXsPpquYnCEmd6IS/24BDSQgoa8o8Hck8lohditR+5tKIGvyHZENxpG/qRCAMH443XwcOMWWzKrVg0KfqcrYP70UmY+VkfkgPLJAmetPFdlPYJIa+N5I8x9p2xnQj1M/qJqj4Ur7568qtN1FacsxbgTzKF/GdGIKmT7MTYE8T1JXMY+xO5OSGKdQKgpCFiaxs7Po1AaLmR5iVqqYJevVImzGOmh6dXdHuaM8rn71og8OHMjxYWe81CtgemNKg0z0b8W5oAjTm0Y7QMHarW8cHtJ7V+1U11Sg+WPlc9ue5DhY4nowWF6RlD+h07LnCxPd94OnBg/igW9Q+K3KqtIxYyePcNVt2/+Su+QPC3juJU7/3D/g1R8zh6at22Z+RmdYHKxZym3b+tRTW8MJS+YOd1VVDr8FUYeMnHDwaaqbSe4O19cp613EefUIplLTzFjQWpMecJicImMyBq1CosgLWmQPSPvU6EX3Qv14qDipJTPXaZdDD1kZ9U0u689N38BT8D8TDy3tOqXbEwfvXQh/1DSHNzTBixDCn+EnRnYKvIVn//His3iymA2o52FoXhKx/WEQzKIedcig/o3qfEhGnUAjEJ+hJyYwewC2wC+AF3CPn+u+t2vtrQ/tfam+cveIhPFHXCAVGAEPMuZX3zOs8sWnX3zNYjrqIDtXpE9CkQ8oRSpptqKgWoliYZqL4sAgfx7hrsBc/JpmzqijRLHtfELbSWvXF9FXFObDQqWvJ9S2gA7NkJ3mHJkMBsaLpkeHqOVhXKJVYlXyqqiIRIu9eLqIvAObP6MEB8kFVvjnuU9PhJNdTSFHgmEHbLgKTPDHhfe6ECE1iGg5TeziG9mGQ5OmsClwRwNgQOHbGIdFhEsuMalMPtMz4DN5rS7ebXZbHHbR4qg2W0SPGfG8yAjVTJo8gQUkYF+AkCDeAE4loIE/P5unycvJzSv1eHO8Wo/D7bYxeRn2YmmC2aHnfzpx9L4X0uzaGliYD+aITxR9/zDw5R+97WbY+iNI2Ljy3vtXuYDw/emLd90B+H3r/ypW9po5dMHYv/acD99/vRAzxhHg2rxz7T2P/hlrAERBzWyyF++kOWoMKzKMSWcxIPcsqEsWjTptkPeINj4i9UTg5f35DLLVoKKnj9KTn1HUNDHMwkrw/E8STbfBQ4hqLGyF0i7+UDaFLWxPVnlmg2hmE5ksplsgyWWwmxxGk1GwMEHBR8UhRfSoVJGjvByLYPQkIwNdymfqaLLhTjCrSRQ7mnIw9dCcOYda+sVMO0u4Mx9JqBtRzRdw6k2JosnECB4RY2ZV5hkTSpZVB1GEVA8SOeWoBmRD8Af40Y0vP/xOCBenvFk3YOWApKm7tt2zzcwmbVAEFrZeH1ax9n6r+ajDwG3bufnBxyQZySdydJ7KLJEjNjVWjvKJHUhhzrkUmCeiYSLtNLs6aicC8wmF8cXC/IdYQuepZeKidtej1KLJTpMtGuUpWWdMjrSt5LbiHrDd1ZUAs1mxdhfubWC73s6CP/9Wb+i57cTuUj/3GXjgdzyXT+wu9XPnmTTJ7kIPYrsr3lNEj1G6nfHQdV6ZgLhQHzrizBKmEtGsFIZmt0bRJc48ne3f0VzuUmA+y+8ARhOBuRDLE1gKkG2GpSAXeaB5Aa+pMxGCPCwESeliEqNIgu1dZZcsnixEIl5ZNCL2a7Lhv3MwjYLlzV8eTKjpUE5MeYPo5iqOlbkBFZrI6IcrIzufpoxMydGIkW9Ok4RTYm160Ybk29NOvrECL/WRdVib17OnH4+RRbZkqQ8p7eFnLgnsuxL20x7vA2wg98ZFhHf4IsJbcw3j63IcTrfDL5AtEIbnj+7cvHkntgMGIn94puYyzVthbU6Rs9kYrVnUgiBjkHce/Ur0vgSrYmwNZNjdJIS/DT4PRoOrQdFTMb0r/BI8D0ez6w49wua6jugEuKfuUHgpsbAzeR2xNrKYToFElxBMt/lEBxppmiFF1BrQWIHIWGXTQ7J4nHk5JBEHG3Sywi31I5NEwylq9iUDGPvUVodhx2Kqbr3248jeuXhU0rMw85hN9+e9syZNURTu8dZe8Ct4xcg1K8qWeCUIQ6LDflJ7ydk2lXRQmMkKTHMEpr4jGMl3zG8PU6zAfH5VaWdlFAyRVgrz4X9i8FEyXpsZB94ztgtW2Wg0kpkrknNeid2I9zrtWWSZt9uRvegAQv2RppkTbxAj8d2j4dHs83fMhafCB3HL/aSWk/CJqkSLV+QMWpE1GDRGizaoYYJOpYfI7o6S34vYIrY/UWwCs+DOSK/8G3jVg3uie25ra/sbyZ5cicb9C81fhEeZSmyVeWPz+0ZrrjBGukeG9zzt0+020S4EnSazaDJIQbQk20k5pQIbP8hJACXSLpSb3dZ3/Pi+/caNC58C22E92wUM5t8l/9Cv7/iW4kPs24dbNx6SsyVH89kkLmrWIk7FOaSCLB+qvGKcqyi3dYhtPISfl3IDRxOeCKvtXoMGgGPyfFOYmxSYc0UKzPPRMJF2JJvW0q4dwjcU5kyxFDOVG1JOMSD6IahWqucHEz2fYmp3ikHd39lpHeG9S4H5bHAMDMMzjTCD+4bMFj6jl4ft6JRUMcUadKCJMzHTMxOFYAKdsqSTUk6ues586vlD3MyRBD070QRgsjSL4Kg8nTOa3jU0PrW1qY2BFyMzGplZPrulGWYcc1ie3MtdJMog7FIoFxnJhaLYkbDkrAXluzxkySal4ZiAZ7rZ4xRNHgPZerdTLsQL0kkigJgFizriwfbZxnG4Ep5RZx3H4VF1AnJkToYrIznfRxnJfnkkB9Cc1JKREM8To+6a7nKKSDVjAaKqOJ78UNqTdGRB0LLXZXRXYJrDmWxNzffHIjj+MvaYw/rEXq7sUGuvv/13iRVJE+55MZImC85M1GmRK6VS/kTrR/XQoGoXz5q6NTRW1Bo/FvMoMBB98QnzEo3oOnXKvFEJXkA0pS/gsBg5Oz7/gDpGytIsq7JIXogfZ7z0LPWzWuDjhKwse11TrzUHbvc29/g7KIM3fh5yyxxNc+uCSSefgUt3h9vAXjucR6UqA/eCcDHRfeZLZCfC1T7feQEavwOfJzdaKC56ICiYkFMTvxsTPht2icYE9VFFLCvstSIaCxpRYIKMSTEpaAyFUlgOmbCXjuyDjawpY8qkW+9LuPlhV2Mz98ShltBYsSj3qAfLB2lTuwiNzkp3G/YQvewQVHqZwBBfz024Cnt6vEEvGpggbxN5lUlDfTuuPR44D/toNC6yLxeNEqZ4FaJ4PqE4xekroseAM/p8jEQNCUrLPgX6gC7kjALWd2yDPDMy1RKZzoFELWtIxLnZgBGBxm0V3cYgVvuMPAQ5P9tZkkNGgPOzXaoAVEnJIpCER4EmqlEeybgj+8A/XnmITT4U/vPeV/bC09JYGptPoP5rELECyEpKZwoCXq/bnSakiAazmcOruhB0JCZSBsGHuIrwT/yDcInXT137nkRI8bKblan8qjlmsZkO3DTBatdMGDtvZtMtsxvGzuKz1+wYObLfxEVrWt/gOs/b0nqd6zcR/ZStCoRFtFUhtLcqvLGr/HG7N7LAZx+X1vbps+HHZG2Xzm5gWfXQddBFJVVt7zMUBnGQB60TbrfBKeoMWqwhNEw1WnStvEHOICN42BEXOdvjMvibWiEKnQuEhTJi0YqDVfPVGKwwDOIzHfaLJBgp2zxGsiUopFF9AZfFKlqswUTBK9NPMhfkMycRnG2slHIeS8fzP880rFpWE6HmQfhVG+M1ESXILpCMJtDWS+o3GfdrMwQ9RpeoN2qDQpRmpTa1vHbGEgyr2mO4NzXVZvx7L1a59l1ooTyuMtWg4W/fLlbOuuCVRqLLeUn3AtVKI/s5ePXHuegmUXCQGIZKG1Hr3kE9mhIlFlXVfOVK87mffjq38N57F6K3C2QAAWhBOvwM/gJvwAuhYwefffXVZw8eU3ulIE0Vb2UT4kYqJJhzjALTPlIhwXxCYVJi2zmD4wIYBvvpDI1CrKb+fXqi7N+ndBCFkJ77UukBRyHyaRQiLV4UorBdb2fB1t/qDT23Ekchop77DCz5Hc+RKETUc+cZgxSFQA/iKES8p7DlKdHtDEujEAnRUQg5wiBBSbs/aR1EGCSos107mstdCsxnrvgwRzQVEoxW8wXS+6S/BAFXWhii7u8I6a9AHavPiI46T5baKlBhzuW2x1zdEsU8piUCs0uBoZjHgxmuwJw3KDDbOuLUjwdHKB7Zb1OiLBLUBSaGTqooSyrTiexDZIsmbTCRERMFIU10CDQGSiIsSkZRLltCZdbFalVJ6mrx3T1/efCND7AEP1LbaVIFDanMkWRZylR3gJSfZYn+F/y5yJY7QMpXv0WWbbQWbGhbivA7hLOjmSycr+5kMz0+r0mv0wJkcqeIdmPQaNBO1yaKWm37fHUNyVfH8QOasM5myRnrmYITY5wHPKBr9fiHrjQvnDhh/rTtP527e7KvEyjr3m/hvVcW3tsZvtVj3YhdW4APo9rpyf5/2QI/xfqnALRsnMAWJr8a/u7YwdoJ4VOplOJLpXkpVnNTtrYd9w5XZoXOL5mVbfLemQvBPEL0eibTmSkNZOhSRB1vtOK4l8BbrQyfJ/LaYIJDTGCyJOvOT+0rullm98snfYribZLlRXbI7Da0CNjAHFgPql4YdsszMbti3905FORKW2LvbdmyB+kGNvfYMfUu2KlT0h5YFzAbzIY74A68vwWL+Uo0Arx7khPwuE1e0WoyBl1oBZBXRYs66IPMKcmacZBZys3LsoMMtDr5itA6hRfG5PA75879c/GjRhewwB+B6eq9sFhz+XgT/AT+DFvgt1MmhbdoKuGpNqYBzH7pbRkHaQcnHg5MPBzsHeLQ5IqHgrYeb7V1iEMVwoGJ0MFkCRqFIN5H0kv7SBb1PpJ6TSQRryx71NYCgEqsq8kVd1Ph+A0bWxO1n0AzdVciHLwYAwtjsItaZFjRUIYb2wly0AS9SYUceorZ6XdgQyGLSjXyWSsvvQlqshMcwLFv++lBo9avBTyOdcDLIPvY6QWzvv4AXjwkZ++uJFLQWyUFIMGgkoJYmGYmDgyyblaSFaM30eFftY2j1lditPW1C0mLi0SKMwMeQ7bZ4suwp+oYV5Lo0pKjtbL3QffDctW52zgtPluKbEay4l0CKyx+ZkhC9VNDn9rqL7my+yFE3E7b1nluXtb7+boBA998+vEbLovtuM1WMaiwu7lf/qLFh3bhuGffQd062Qvz16185nE8AoIZGWUFpQT1x/NcqlHGwjSnxYFBlHARSlAYKTu+q3rfM7adT2g7Bb/WjpQdnx+dHT8QtVSrucyUM0UBH/aCgFBmCGZ5c52dbeau+kKDkOQTk4xBwS8KQCGt5Nw5S/xKyEAgiRAebxqLi/rIhMd074Y3JbE9iv7GzJVlH7jzvx8eeCW9u9eZ07+g4LayF/88ZlmPhGE1BSuGFeWP9hclppYMG1iztIldc/jGh9/t2T548k1Z2cPKe9zWPX/SXUO21dksx632mmHT8rJG/GHo4OpuXWYNK6sAq+9uaWTXqKLdNuzb4CR3rl2suyA20o2MY7AfPgFmgLOL53kG3NEdos6VAHdrF+xv9yG54zORbKUG7GbkcBsEXTU2v+0K2/nl3AXiLdIyF8p+Omf54UN4FRiawOcw7Z4HimqGJgxei7xCcPEQCMDjh2D2iqBRf9RkUvWVjiPpyS4xGXVgtonAZK7m8XEmrajRC4qnRrWJswSPSOqWvJSuiavaBxiU7tUojPjhQ3D50FmKxNlD4yQsGpunY6uBYEK8fazVvHbk6CM9YmCqLQZTtUEI8m7F5ZezkdU+fwwN2API8x8ahw4R9789ORA390HcjOiBuHkIlYpLdKdfLRWxMF+VqjTIBrUGWcdn45NiAacVB/IMQTMvBHE9JKdKQSsz6bdLp/P9coYfuPH0y02zpy5Y1LQNHrQ6E7e5/vEieyw8cNIfHnqW7dW6y3PAcGbOAklOSX4TGKn2hb1mVWx1l5y5J8Gcu6rAPB8NE2nnEwqT3K4dYplTmDPXaUxYaUjSCjgvK1uB+vJzVa0Rxb6N7e9sVkd471JgPjPEwEi0PqOpYNKYzoEkb2KCmGgIWjw4n8EiYJon46I1kkVTVCGF2WOIjjWHH5k07YgP8qeMbZ6zKN4UGLyrFj/yes+wJWomzpARjVXPRDqvHhGizRli+49V0yanPW3ULWHaIKh0B0C+xlPRULsUqM8MHUMNV6Akzxpjtb+juf+4T2Rej0XmVc6Ak6AuSFzEq2eDZMBlM/m45ok3RfTaMftnS/yfo54L/CJR4fYS0EHCm0omotPb4spHTEqbWlqmKmP49GpkpBujR0poNlJNM69CM/m8EhoprgVq4BmEnRyZKbJHnTQ4BVd+DjIdIOFzuJHPbt3C1bQ0o+eRi8WL6HlcY8Gm5c2cgTGQRkxK9FZKuYk9bBBa3FjpWP7GcsfE04/A1mWmZajVZfiwAbempZkb3voSGgFpnczodDUv2tQ7LrEwksS72sEQiZ8eJfH4GEFE4mNbkmQ50hsaLw7gDkbjpWcNgJacNRCCenm0ylkDp5OcNeBEcA9cexnCy3AlWHkZhn9hTWwCfADMD18OXwI1cAtutRTp40moVTvedab7DVoudjLK8colz4dFCpKVgnNwYjOYaAVcMzzZ5+F3NjcY9t/753KJmL1C3yywuUIu67LVeISkHzLCWZSexBsHDjWtYmE+sSoZ6tEwhJ4U5oyd0tMRtasmjUqC0mq+BBMoBzpMaLHsqL+zfTrCaZcC81lWBzCaCMwFircDtGtnuAJzPlGBUSQC70eYyO6mfBJBoCcRZH8g6iRCHVsdfpSrCj/Nzj3Mvnn4cLjPYWnHyUTGdJfa1jfwMTuFaphmpgMYQmcK8yFUYJ6XvWKcT8Yr+WQFgSSLg4Q5GV1MOplTydwiR7k7yiZDpij2fnlH0fGJ4WK4Cqw8m0Czye6D//381OkLv5FKxjM/IiovJDFrLYly4jxBwtMahBfPTHcge0wXu7+JtYJUfSZqP5M70BQCxehHuK96H5PEr+UYdtz9S5rxWCNnMwpcnOxKGq+tkeO1AhcbgVciEzVyZELg4sRRqZdRI3sQAhfHo6HzXSPPpdRO9HwvYY7xpfw+VuA6IW4Qrh1BE7xDU8v0ZiqYm5ghzAhmDPNU4JaunTrl5Ph8qamJ/kCgomLo0CFDRo509uzVi2UFwWCwWJx2seimm/r1GzFi8OAxYzxotvPysrLS05OTPQmi0+P02BLZYBlCiNfpTCabVA6WvqRz78rn6FdH/x55IelwIv0e9c4q8ZM3nePYt9+dRd4YlkNvn8/pA/Jv9O6ZBmenHU6DrfiH8te+F9Leu4B+Ax7/2NH+LxkAQa/Gz7FD0T/D1pae6g8XyS8coIl+HyD/x/4rfR8g/+O/WEf775Hg/aST5g3P163MeGYSM435A3Mn815A7FteXlLSo0dXOocDbr115Mg//GHy5EmTxo278860it69S0v9/u7SjKVliDdVVo4aNX36lClVVePHz5yZPHj4cHmWHQ6PJzlRTEtOS07wscGhynzaXK6EqDklM+f4tXn9/fP7W3P9++b898w9+ul0Rnigi8IDcf6K5oamX/srmi+6pLFrCA9cfUP1ATTgB7aRv68FO+CR38Mrv49nIrzDXjvSVsk1CWOZ7oyfGRPokp0nZm8MegsLtUksqxVEj99vcFqtBiMOVxl4u5kNdk1NZsRknp529OMpVM+08hvbqHFmRp4BX0kmjmEzPr82KxMnuvv9Xkz5X77sCltiKbzv+fT3zqdpXx9XPw/cCQYVunT/hW0A/Fdn+XkU4NNhy2Fk5MSQhpLAtReUfgr+Cj5qgGtgPdwNl2xj38AjB1cvSrZkd2ZioCvVb4nubhK3S/rL63U6LW7O1skuBLvI/G5gKiSGpBbYrzIsl0XMz8hbMUtjX+T7HU+YtsPWelM9bN1ueoL++HReY6VrZ/M+1yH0PtJ8xLWv+RB673RVNs6Dn6IH2IvhJPWbWGOm1ivt3sjUxd+jeQcpnIb7XINr4mTiiKTHlcSIzvSkaiFd1JmEarNJNNvl0+K0giSInPzABz88HrcbOR3SmZqSkqxMtwv8fGdw4713DPnrK8Y9Dc/+8RdNcuKk4qqq+qmc5o7Js/+kZedy/DYAHtzwi7lGmN+n74ZAdtHI4QgblmO5QwgbaZfSxIgOUzXeqOTkXUp1Fkz0LuXOY8d2Pv7qq48PGTduCHpz7JFHd7z88o5Hjzwy69axs2aNvRUbX8DHebhVqAe6r661ipyWC+IyYUAuR0giJCT+HbWPD3yHDWbN2CF3rz46fzHnYVfM7zvgnrvgdLB++Wa4sa1NvqOAFUi990itFwsaC65vbFPVWrXHr29cRMKdQlak0jay8WrA8FWv//GPr6/qBS8D24odO3Al1u1z3li96u9z2H0wad3ceWvllX4e6R9NLMKhAX0eIFf0i6rxKvfXwG0O90KttRTh5wk8PlsK1tLMEmqVCOoqtxhmnPCGdIeDRgRcdWx9ahxQsjewHzeGczW1oCc04QoVLJMGP+W3IWxsiNMQNQzA6hHNVka06oK6RFHHKrvjNPLfjytRSqA6XcjtQBRJm5xSkGrl8lY0hlOOm5Pyk1kbnIhrxXave+PNW9i8liKYATJRPw9Uho4/XcbbZKqMJFTJYZTPZJS0CkXHNYHLFJg4dYoRLZLbWviHNVvRSjswkF/RT6wYXmIwFvNpI0b4hoppPl/6cGwPD9cFOxeIndPxabZ06Qy3nxQ2ojmbdqI4EOm8JcSDR/56aQmOhOOMAKQuMQci515KQsLf+5HaxGFaXCPPjcWPfO/Gzj55Bu9T0O+zkr3OtNsGJSUNui3N6Z04rsrVa9uBbb2dE26bSL7IzqZf3DbB2Rt90ctVNU4TSssE+f2H8mwXVjM0APIz00JTZsOG0mz2zvBj2aVg5OwpCASeDQzVIBB+aH94FoFMvROMLM0OP8bemV0KG+6ciukTwPvlSNIKmLyAJysbny+zMKkuMZULIidTZBm9FMpTcr40GZHdgKysvJ6SdAvavH6sP4PWpCfha4G1wK9e2HJr7cxdz720/RHPj6cefjb3zpnZid5Zy8qA++pTR8SXa9b+7HrmgUG91y4K3nNMN1u8NWhx6I5ondbjjy9/srNJM/aJ4PJXZ7WvqSjojLogKXxAk8DkDDBANoDA9uMucKHpuAtmaGpbTvPdbizgu7WcjpyfHoi4htbk0EfOTyu1RJS6iyCqtkdU3dRaxFci4iucae8xW0Qz8CZwXURSIirTJ2ZGKigVlFPWkZijtBSRiTCHVouUSJYbZyMhBqHMQfZXEHfUNp6cMdyZ6+41a/zAwm7ZlhLPlCVFRSurPSWW7G6Fo8bP6uXOdYyuPqmpDT82ZuKROxYUhQrLPqgSU8SqD8oKQ0ULZx6ZUBkm+fUEUzKarVRj0NF0U2uMHKnisQ1n7WKB0CHqGkWBlRaVwh6lJUUk05DIOhL1nNmTPFxuI5zkHb0HhO4MreJyEZFPhp/c8tVT41CvK2l9TSTRVUSipZrK6HM/RjmjrqlDn6cTPSjXXMY6y8gjPFWakGZu0a5ruR2N9NIZ/iTViJIGRy0tZZRT9KTlZEbeN6Pf3096Qv3xO4jGx/VkjTqOlGEmg1ZKQWEvHk2VEk9555795bB3M5hmA/ZmuLf44f+GcrrzS1uD3OaW5o27+5N+cbuEsx6nnEVzYq16mbNILblLSPs3MGa0snkR57htGo+o09iBW0SKGjCCXHaSnJ8im9I4lIsrf+WU+N08Lv7ltOXYs4FNY+dZFgbA8QPgDdjvBrJB+fBMwELo2teFNbAp3fbt6xL+PPxzwT72Y7C4S+u7ncEs+HgBV9wV4SpVxUA0eTqK+lYmMWDWM6Jez5t1QRPPKpf20DWdxjCpymcHfnOqMbgCJDQ2sr4vwmATXLhjI/vsjQWsj9Rc+ZTfIFeYxoKqZTiRMVRHVZi205UIt1bbCGDjvEZcSBZPLF4jVFVacStmwQC0UTVvEXn8klxJr5WNrx54FTeSz5/F7xsL8OhWSrjQuksCxsaoJfiYqyNNFcgZgqpXltRilarNlnzYGSEnjTFbPUZGX63Dzeqk7ALVGH1kjKyuEe6QBnljAVoVM2UbZJ5Ubw5X4LXienNcVLW57kqF3/bWRyOokk2Pz0EaMT2gLnhy48aTQfZM+JuHlizdJmcLzotYOsi6ocZOVP0qh9wTLs7tV/qS69rduIGYTerszTdRV/zJUPu+OGXeDKS3rIDTyCDrzS5ytvbjkkxvoh3JVSaYXEDucWXjig379m0AB0PhyQMHjpw8GQ+u5d//bsEqQOmSZUrIbiWuXpuGLWStV0QzrLHj+tXWBNGqiLc/Ys2VkFrRkV6zcGKf0nHJ9CGs+e5Fmzcvgh+80mczu6Bv316DB4fmbuP+TRHgT7Zeffbtm1U4rJRwcODM/YCHs4taF7ZctaREj9WN0JBWhSJ1/UB71Niz1GM/2zhv6fbtS+GJs6CpuLjfyJG0wDxFAJd8l3tva5Nr3SGZvo/qOaoHSX0/p9WBOlfK/7uiyv+3q/4vaJHd6Yh3ocvzF71s1/DpXPBG7LUun70Xgl3wrS6oZzs5g1uHLFwc3TPiU2hum+jmgjyjxcWz1RaFOr2g1FdCDm2R6mzYywTN67+bsGXCphkvfGALn2S7Jl46tR31+3cQAMPg265xtz0wrPTaudCpz1HHcCN8Ev4FLpUjd0S79WeUSN5v1m+X6oyjp0YT+uHqQrmk7nd6wK51YH6Sar2ZlWmU/YIsUqfNrySJZtkvN3PFsOb0R39vnFlzGpeAgzu+CMOlYN2OjeEqxCuVUuU6B+LXroEUQ4qHI9ntWrNTNOuDODmLC6qsdkotr2znOBxyyg2LhDOnqCf9227zVIZ2G/c/c+TPfz7y7H79bvC/sSNGjEVvzDhgDOgOn4L3wLXwGdAFjAzv2gdBEsgBWvgL/ARehAivochawKNOZ/Kx3JqMPq/oc3mw/Hh0wUwXXhH+RQ1jYg0Sg7i0FHlh/pJuHHb6yDotUOsG14kkjt9QX14/Z3bG3GGusjV3j2xtBp82wquj+1j93vmbwAfAA/9z94MPakJ5Q1b9aUAilzLiwUXvnEPy7dD26/PulLnsBwAuX75kkzQrVWRWEG9FzQoOI6sLVdPsBGlmcCS7JKOkGM0MsNxAU7M5BN5EetzSGiKTsx8OgzeF2n4JI3egrVXyycx45oHeJPJ6PYNv4VCrSfV9PFKNvoYjR7CvBobCI+ywELs2BMtD4ZeJF4JWisPIWryNGRooMJQUG/m0UaN8w4kDMhLTtv/IQPVIXXBAP3FAHEekO84K8Kudkf9nT4T4Hx35IpmZsi9iLVhxYEUXi+yLdOmCv1gV0t42wdIFfVNg/b9zRrjOHHZGzmWmoQU+NZ4/Qu0GbFd3DSSp7GqyamT7xGwms1rR5NQl+X3WNRrk77OuR4duGZ34K8Y1zAHZtsXLqH2tsnSsmCPpwo3VvUmL2NEQwVXRFRGbR7k5ZGZonnx3CDV9yP0hbW1ylTGkk+qJTpKrjtnpmgpEi2BA/TE8ctD1krWG+vGWE+4EJf4SyYSVbhEB4CdVKbKrVxtBXsgh1yNzhOBHIA/XTFNGlB1wW3DNNIFUxjcZxKgb0iROVKqnUd8rpoJa382hQEwNtTYyRFpHTaaek5zbJ5anw1rtMIuOiP2pnIKJskApBSNWKCKi2g6VCOmLtW4V00ouAaeaF0V/43kBCaRl+A2amPNIdy8Em5DuvjXO+hLxZTYwiv+I656BqJqEJvWNb5Gq8yays+sw2ESDAbVLKqma1aVLVRXoQQbnY4FStZTUoIdfJrPzkuGXID0xvCVRqUXPt8Je4O2WY+A4DMjeCcHpcYqT5J1oVCeS5OiPkVrKJk5nMIoas9nAigZdkGMjljLe/Xfa8b2ANPiDbwJMuxt0B5mg+/LGcAqY9R9w8T846iMb8/BTgW35lCd2c+SeUGdAL/Cq60GV2wbRS7pZsBkedcCjxOG70JJBfCiRnydkSvW4kRy4takIP7RcekCKaGOmA0y6pH/h/It/Sf5TLk4QLUUelAcvmlrkQ7F59p6OHJfDaxdYcP3iqVMXQ1+/997XF+cvXz4/vDi4bFnwkfXJYDyYAGaA21PWr09G1sVu+DSsT1rP3QK0wJ7esj8V6MOt8Ho6PyEd/k+yIHC1JoFUB2KZpehzH6TLEpgszN3OdNHqdDI6fMNUNZOoPrVOco/RkEpsTE6OF5ecdEuBTZfqlIeNFf8H2wALksGfDPDY1qeHeNOPrG14+0rz3avXLlmzxQX6At8itLL3LKwIlSaMf2jBjLuWXL3wLWw7Urft/oc3roRHEf0w9/YhWRlx7hoktdrkw7od3jWIFrvouwbrWc/eF3Zs3P1s/Y4afMvg8FsmdIKNYDD6zWdvWzdzvsbJbVi69iFu1uWK8vIKWAO/GXbTTcMYAPrgGnMIGyX+qRz+IbmF+Nh8H/bH8Od8dqh1Z1sbhSc74/+gu+eDlfinnIdBYAZo8qX4p0Din5EjyKRdooVRy/0awyf5bMDDfq070Yzlwx/JLoOFnsnTsWaHaMSrkCEouEVBiIl/0oiIHP8UcPgz/47ibmx4RWN49JHcLshZ2gJ/BO/edvlJsKp1JyzGSdDcyzuvTGHr5d1jvgzxy3km+ozCO8yv1oogu/4UJk79ChzPabvKb+K7/VbU06CKegq/GfUsUWyNEsXWcKtsjRLF1nArtoZbiXqWqCwNzEQ5Bd7ssX1zc/uOzfYWDJs9195zQcOCnvZ5dw4r8OTQL3I8BcPunCd9MXe2IZSSvg7ZGVwSh+yMdRnJoUl3HCjNBq/CQdmlB+6YFErOWIdtjCRsY6xLT6Ffw0HgVfI1pst8RD0TqbCF/LPsHKtFtFqZNK+YppV8E2MwNtqpTn7OysrDZ0ypOJLKEkU8kQv0E5k/S78bO2voK8OXP/jUPzsbyzZu6LJ32aA54xKHr64+D4R1q0ERbHUVj95e3HlU4Nab92VUdOnXz6xvMNhWb755k93V9cPaA4xypjCbRBVMBh7odEbEfUCQQp2O2FhnfZMLPPlRkwvezme3Qo5taebYVhjJYMA5kadIREoXiWM+H53lMFmGkc7gEBglr6ke+QQ9+E5MZ1zhgNhkHi/XiSyjQjA9TUyPPhbcsT2GFEj7UGd90/6A3z4ofcCM0QUFObmWwQkThj9ZONiSm+MrGH3nkPRBdn9gP58NR+UVPDPq5tSQK3NfzzIuBdTsy3SFUm8e9UxBHhyFR4KxJCN5X50PVqDSDEwFGq2F6D5vwIwDnDg7S07n9xdIUYFInFMQKion5bKwCT445GCodM1Ctici7yz44OsfT2Tk+BRpLyVgNXFmA7GUhKBOSXCjFlK7K4SyD9oOguwTSXv27Unis/EVQqjdfHyFUOvZKB5Q3UCnbrbdDXT1TeBIUxMcyhOGb2nGUsGodQxJ8o20rIqzKqpRHWet56aT1vBwkWok5zrJ+RTUUpmirYYR7fUBaXki3nUiLctV0SPnOFVV0b+Hc7hW9J4VCtF25UwwAeddKXlYmGvPUa5tUfK5lLymrgi11ZpmtP53ZkqQp5CQbDEwGYIf2ad6q6DNYbqJiSkpbkS/Cnr6t8JPdrvbVR2LPrpCz47gE55U3gFO2CQZTwLIXrVw0eqnHa4TLsfTqxctXDXmDi36WzsTHFu1clC/vuFN/QatXHVTPxdgQArIA/oT7LzwthPwGvwIftnGVI0LH2JvGVfF7SBHXQ6EGhvgmtABkhXVgEct5Q4iKtzByJyF58mMbVYtg/xcDqkBAyeoI7IZdmTS2OR4bCGsbGoGfFMTWAYO3bjRxoAbiA+WUR+Frms0jopmHEc/9dPJ9CS9Gyca2wQONW1oRAplJ55+vHApZ66lVmgmJ43qSnuysfHTmqZXGl5togmhUlIobgXhso7IjC9gp63QaKw5gk9H0diapoYDLzVNbIy02boF9sMV7AHzLGqXk2UGt6pnpusU9PxJtndj47HP4lHC13BrG7lFLc1oqbZgu+0YGmclakm6YQRZ4yYOB7EUSYmOx1KTSLKEjjWBqoPHjh1MgW+CPpVVVUge61995plXWQs8XFVZWSVHYnH7Junkv1W0aPC2W5TMREVi5V7kyOD16+BdoHvp7bdfSrl0aeKMGUiaYrrhlNmiMdjUgM3GIevYBMhJi8gBdXt5QcfR15qmKU8cPPgEeKcpPKh/f9VwsGJgM+GGGRMnzkAjwnr1IdSXFH31avFtozj6KijRV1nF/r7oa8WYXqx/NO4b/ni0Vy27rE+fIaNGhfpPYN+lCHCLwt+uf6xCGS+L95kIDjT66hYACbhqXXZOtNuj586PGSyKv+JEX6uafjg+h2DQ9ANrnDgR9Y9GvxEsghuf2Y0ozeBwGQxVVQ6vlLP8iHasIPIr14wk9apsTkR5pXCkR1U4Uoq+Mu3Cr57IUY+Y8pFr9zrBc/AW74vb4xWRrF11aP0DtIokwmKNdJ4cn7J3Gk1o2nEgNo6xEz8OWyrFYVnLfSd7zy7aNXndPjscAw4mN+5dvMbxp60gEfSA37qGFNfllD249tCaje43lKpZSpWYK2iFaFV29X+73o5UbQVRUk8oySj1lZCex/WVjBZWi5ZErQW9GFWBJRJTj+yaRddY8qsP8J86daoJTIV7XLYrTxxqmlh5kV96qKHhEAzic/tvs73Iuf1sNL3zsJdO6jsoUVrCTiRKawzSI7Qq3yImStszanXJUSXCzHvrAdOuJ3GU9qldhgfAidFDhoxGb8RgA658Ki8an/wAh+77y6tvP//826/+BWGzAlk4WMPh2CyyXw16n1v0+VwOLF4uQ9CRKToEibHssv0aic+W0IMGJD5L9uu1FjYSoF3h69TVW5QxfphvZ/3p4+BM0z39B2ZaC7KHzb4NrMHbiuOnTdOEsjKHd++WumPTjqfRyjLbkZ1y86AJXdgCEBg3ZvjNeK5wdQU0V5mMP5Dq8Yoea5DOlc+SjuYNTxmeMUouh3q+ZF0XM2PKFYPxZu6NM/MMtZPHxszfp9e/spqOOXQrV7EDpImUcvO7kfUU127Tm0ROiukK7Wu3qWO6oM/p09j/JFdVPX0I/DsE/3cITkAtdkfrzWZkFY/FMd3+FWL/fmL/EdTNGjnSNwy7WSPS8dSM+H1u1m/5WR7MUqQeckd+Fglx4odysSmDppg4Wt0rnGnTB+XmDpqe5qwYNmeBsXxg3cBy44I5w1Rf7Do9foqxbBD9Akd0l/UfoqGO1jISz63Lzrdim9KWl11H4rnLqKulGdL/7sw0ZCAY9VMn1+XkWbH5iYHunEqqfFAadUbSkxjrOfjSRF+GtOaf9FPN/Lu8B3Uot2PvYUXj2Gn5v+Y8wHJg1I2ZQfwHBddsEsd1ynFcgcRxDSosY2xvOY5L7O91jdtkC5waTcQKxydpkO2MT9LosOWkswR5FmiRU8fKTh3Wv8BOw6jYRJ7xOfJbfJ/DGaiRj3hv62muW8u3ME/Vkg1jabEE9ZzA6YCOnEMQgWRu2x3lsuPuK6GtEqHKsn8IvJHGQQL8punQIbPcgfkQ3kAm0oJosYbQIjvg5rXAgk//IGzlCLBcV0YVAcZnWpzUI1Wfa7n2j8ZZUQdb4AFCGHy4Be/MU5qTeDa1cs226TajaIvYugXIcnO0s3el6K9s8yLKR6xeifbLFP9W04zWoF8iaxC2s/EaFBWD+SGyV0hOipxSVYAgsdtjsvcRqdLioHlyVi+OIwgmMaoutLK/GanYQupo5uZyeI31qGq2zFpmARcsy2ah3zDDsqxd7RZu89Z167aGC/HP6PMs5+KfZ8FZBQjLIrLDmItXf5M5OUlMZoRMkqapRlLK6sq149MeqjifFHjMKpGCH0j92tjNsPU/4M1/ntu27rGnm7//0/IVC2bP+MNccfpl1zeABR+BH/72zIqdLgsfOtjYHFp999K1oTm3j5sKT8DO5BIM5eR5AT55zmWmp+n0pkQd47GKHkS7nHYnz0uK+7GlpUrMBS9k+LY9ZAJoBHWR7drwT4Or5+SdLen70PODF4+ylM8fjOwia/mEGfnwemmPTdsn11Un3Pov1+4tt9UMzNb7zV2KBw4BmmMa7snHx8zslW4caAnkDeudmPxyeopSU5LwxU+MElFDK9t4ZmCgU/+A2H+UsWepgR+ROSJ9tJiZnu4ehVX9KEMwgw126Sp2wcpekE3e/8uIGlJxHHr9qq6XY2pKUC1+VM3Yc0CZJqQpG9DT2D6yhr9swF91EFtDKp+b3/qANT+7g+iapO6teTlSfG0M0k45aHa7qOJrqSSPMJWpTnWLqdqI4UvtE6DKJlSnE6qyCZV0wlR4/tnayu3VGx+btmvSXQnnXt/0ZNlTxYmemUtKgeHH/WtTqxvmLf0GFr+wfWj/BxZPXtLnNd2cOeOX2Yx/05p1/9y79dE0rV0z4cDylW/VyCcgicc9kok6QcziOJkg6K5GnRul/0rO/UkRMcQNncm999KShtc3UiZPHRJrVyvv/1dETNPc+vCvRcQQltOQLrtZisjgfRYB2f2Gdvss08BskAlmN8NLDniJBHwWt26QNSHxaDyEPlLFNfTZzdBzsNSPT2DY9gdcsXqOPdDaWNv+ECvW1Dr+zBySp1WDaI091gzkQ7o8hqDLjE/UJiQn2xm9mCq7K9KxhTinal04WEPPqmVlks5H/THY1L1bt+4NUyc3vWF0+NYvK7DZprue24v3yEaOHT2Z/TicUlfHftlyVti5b9+Y2xAWt6BxIZOByWYKAolJCWKSR0yScUlJT/dFDvjKmBR0jItMBwmf7ip81jSu+DWMJNJQrOjtBzPJipyEYxKCxyB6GIQRY5NVpnLjQ57sesRk37MrPvuJbXKkvXDfK+/Aiys2rr/n3k2u5hPsNuia/ad/H3vzzJFFc+6YN188S2IUUn925MHinZAEk5jA4OqIqEuHevGQ+yQJY/F6feqdZvY6eNeR9HjNX45c+mDe3Qv+KM5H/YKmULuOJY+LVJ9MQzokQc+LyE43J4pmbVDLBAWDeulSZxBhLajyuNSHDjht3W7DA2+99YBxN/a43pB8LRd2r5AUbfz5nOxwHVGcLeJt4d27B5Av0w2vn1ohuRNaP+1o8PZqpYRQZP3MzCanuHGZDrRi0U08pMq9aZzbxUSfgTgDW488dNe87FmPPVkGhhvgYwPmBkpv6zLh2c1j4fUPV96/fdHSzVtdVz586d0Ub+KYKV1nLexpY5FLw1m6+Lv3TDMl9L3zL2u/gfDIwfs27ahbf39d7LmG2HMG8rkB/BmfG0Cjk/dgOSUSzAYZjZwDa6f6Qc/65G3Y8LvwC3Yk/ELaiMU7uXHy9qWbutDn59pn/f7/3fX+KoWdlwK/AhkJ4S0J6l3vPuDNlmPgTdgnzk49xnc7+VxJPitUA2+Qz7FZy1LWOfo8geA/k45XOr2Kz4vwokYDdHpRpwsqx1Nk/J34GLD0nsl90xrkitH7G5xwFN6J3jtCodhMaDXNwKMKzkp+s+o2NNy/neO1IlqZyIVoeuVCNHwenJ5Exl37AL4VDbwCh3BrwpvAAVjB1h1mE1kNQqEl/PXh2Bzp2LwTnC9M85YRTrvp55j84ZFS5iPOynJYDQbeCHQiskYxYnKqp3zaDHvY5IpFmxf96EkvWbSDn+CExvONnzXC8aBPD/AV2yv8NjxbxG1vndMDdCKfknrAt5S+8FkotEpoXThPzpaQYOQ4nLguZ1jiqH+RXdrR8cs3J2vdfrevpCf94HXPvgq/x9x041M4rxlfmnzlqL0X+ImtD1dBodB19OgY8D9wGdpgUtVRNPto3HLeAs6QyAu4zQK+e1pvYnlWb8SXY8t5DAV+ZPBJ93KQdZbzcfgUcw76/TPoiQSq5+n+cEd/WDaxaR64sh5krMeCBSbC/bwNn1w+FS5jG5Gckj5HSjkZeQEvjlhoGDPeKDdbRTNOOVYOKfnlm0CUm7fRm5zjno2E40tyvjCl5QXUIz6bVBWC40K0M7mfbKkfRFe652QWWJZ2o4sMzK/0Etl9Ir2MbQSBxkZ4PPwF6QJnM91YgDOZonvRSb3gVQWLD+1Ar2ToFkn1f3y0ppYb6XU6ipqvv2Z3fPttyzXUPMI8FGq5LA8AzY2iWYyIC1MDDmlCbESzmFS3lav0Cm5VKufGHoNVoB7UtzyOZyR85syZiE7Jxn20bo/cnk3GsYPcSEjiSTrAI43AcUazaFRyBHGWpnwPJD4xCAiV2Afg35uPOt5shn9rPYC6YgG3iaRfLYBMNJ0oj6cy3QPJyaliMhukvG62UW7HyV8ysxNeJ4YInpcSb4TfSym/4xF6KRULL8HreKCXm+CBujNnjoRvR1gcBY7e4EeJ8d3g6Cs3g+8J5ydPfEXCSp1Hy6b9Sh6tchMl2ykKSnUTJa6kABdiTcwk49ogJi+XJHKMDqlPx3QyqKSTJDYu2839WEeJ38Vq8V3SJIqbxyHb2V7XuOmdNYGTm9cDX0ZCY0JGy02P3YYYjzFv+BDoas/CJffDQT3G9IKDwf7sfoVgSV6hDpbL99yvQ34K4hRsZZjwsSdD0CAEhWQ5Rm9T3WYTdbe9Fxd7k6voROrM/SjfV7QNHjQlxa80R2oaxd5dU4d8Juynu5lOTG7AY0sWbcag3pCVKWZl2TiPyLGk5l6F5EiQElUxnjqNLzuxg+6PdtrrFF+9MbjB5Lp8+YrissNizT3EXX/caeFfe6axedbU8BrhEHXVFc8dz1U2wnABP5LxYMvT4hQtFrvHErQLQb1WVQkMYNeNRU5MaRrr8Gbb/TYNvjA+TaPx9rpj9NJpq8bkacD+pvAGjQYWz/ju/g9A/okH+/510OP/gl803slxrYVTV1+YFrG86pAf0AXpIrdOm5gnJjJ21LPNAoKML3r/RMrSoEV0pDvbvVq5Nh11HaPsr0lbPlz03N5N937x7+aGWfc+s7B6cs3D781bfPbBxVsfWTb/ga2uu/657uk39J5u62ftee6Peyv7Duw1NL1TzWt1D3646MgzDyzd/uTqNXWYLvsRnkmIi9JwFpWGdzhxFpXeImKyJERFgWiExV6cU5JdgiSToOd2abT4Xjs5ghFE9n4RvARCIHl5/40vXwNPJWTAJdeW7Q2UVr7nAl1OdXYNPgHYXi+WLqu1vbh1Ra79NU8SwuIwzOB7kf0RXNHYiFkZGcoeUVBfFIKphTNC8+glaEyJDeAiZ26eITEUfKt927TGYTchS/gcGwy/zY2ED8NX3nvtgcdhRkOvBUVlwNIK3gOB5KNHv4ZrXnv6r48/AP9HPGHEG7QCdmrAbsBcYY1TxPn31sBuWcWvkG/WkOJs5JwxjrOxvx5Ku9KMg2nNV5Ys1YPr+qVLli7RQ51+iQtMBCvRC62scCV67edbP/juuw9ajp39/nucabGKxPJwPFWq/o7wNsav/i4VXW99bjdsYpkR945elDBqMy489+Xh8KIVQVJnXcqw2IAoYqG5daIOeS4GM0dj3iZlr6q7t1w5/4FL9XgBshJAfZPHOmYoeOQx+CqY9V8I3+GzW9fPa5wIwnfD2eEPwRpI9vNvwtVO0ZxjzvOkpyYnAY3BYxc9xqBBIxpAZD9KCs/myccqijxeIBU1xUqD03q03E3gxcTkm3slZyX4S1fu6gzY5Fv7kg+r6rq8mJSef4FPGzdthO6oqWZ76zLyx8Kd7BLd6mD4fhoHKCa61ItjIXrOKYhuu9MYlHSqEWilmqHS0XQ5dy62HBz2kJ27VPXgOh/eU+BEqkfgw4vmL9+4hx3dugEXIrtwIYwrAjACqU6F6ZwYsBiRrRLE06dVxo59GB/Xjc0r9Ti8Tnoj9p/ybp4/cenOvf7pJpD5OVwJ1q37d23mX8vhL41wjVS1ajOSp0JE2074/rXMLDHTihrGe1kexo4DWgy+60xmkKKIUsbyLWugUiJcWbzb5tNqebfLR0RMI0W32Fmw59HmkwdWroRN3IZP4Vh2nGU/DIDe05C4vTXitmnDbnKBsbuPZTisj21asDrBffSo9b/w5xCf8u0BLHc3N6SO71VUFie7ZyL6jO+LICe87AZc6lfweKJzcahV7JNsq6jahnj7m63nbW93H2NJdSbk9Ov+0OobOFMn/PGYITx/VKvZ/SxbSDIl5Wq1FiYB31yvd4tmvTHIW3GRXalGLL2XCJ9AyIgUhyXnDHzI6Kr/+Txo+vr9mlqDCzBL1wHTVdRipy+uh09FysI+uZWUhaU5LNJNhmhVQHrObnaJNhwTSBK10XqOVgYglM4jJ2JiLmX002Klr0ybMWfhhPM/Rd3LuGvLxFWb65HGS5lUeifX7nJG9vFNq16RqrQfJrGRVJxHphMSYsIikrVQ7PDj8pFxlqBbP/7hh4/ZKXB1/zt61/xzw7y77543fxkN+4eBO5RgEPfe/tC5paFjB/c+99zeg8cYSVN1I/kNpE+qqszRfVJd5Y7VVtxBOFalr86EQrBYUliA0ZCIPM7dQO06dAK5ZCRyZ56fcDanxKedUmTLxq6Ec0BRv0VP7L4XHD/e5AKHQGBURWj543Dz5cvsxvAieAvS4ePgUH4ikiZ64jUH2TfkxKsgarRBeuwVec1KvTxq+QMnPu/K+Tl83tXptOXZewLkLArgey+8GRzyNHnAIXiz99S334Zrv/0WDgX1ncF1cL0zqIdVnaEO6jrDKu4EuLlbmO0GboZ/7cbCbpiC5QiXanJnRE7Am25JA3YLb0hyi0nWoE0gmlMbUZsViHcBp9KbTqRBnGrdyY0DO/dkT+xPdOWah0uDQHMZVu3OmXwT+Zd1O8tnX4eT2dNgz5RRSGku2gw/Zj1hH/zj1JHo4z3bgSn8C9lrG8oPRhTC58wceiZo4YUgdZ+NiuakayimC/GbEWkkv9kJfrLC2Sfetx63vn8CzrYiYvylK7jCOsLfw7e6a4pvvNsd9CafTF3heNwbmu1eaLZ92O62WBiPB3WHrBYxOVK0Ezt4cSKayh/KnbHT7l5Bw5n4R9Oq5bPn2HX2oBLMnDQXXIGmuZPGjsSf9z6398UX92IPYZWc58wGSIaf5lOye4UmOFLtapWc50xhNGfeoF4EBorkikyNaUl7hmFsAT3HArcChytEauRKv+xI2iOtJ+FxqHokMKRHqfInS3vEQJEeMdRQVUtaj9xjkk7do5LLzQ5W9RhdGYzMBYGpVGOV6VFhNVLZfyijMLQifZpR1Q6xQwlMHwpDc+LT9VG3chTTPF+2H4Vpd58ItuUW8nci+fDgSAO2XISg26DlAM8zeBW3VkcyJRztrBen4prlqayY0C+ZyU0OzzH4lsqQmQv/1vnWPvAm8Ki/IuUyXIRtvQWSza9lrMgnRH6Gx8bwJuK861SmdHnEe8+RvXhVrRm2CqaAL8GX6KcF/gh/BB585VLF+PGKM39E9uLBqvEV+N6lCiwVB6TqEgYkFU4NL2LtyokCH9ThpcUkmS80muSza0pycILIATADX+jXBPoc5fkFJxa3dDuKqbgCtTWU+HOpaF00C6LBrAk6AI5b04ak6jX+kmympFi5otDuYjRosTgIhoFB/4e6Nw+MqsgWxm9V3d6y9po9IZ3O0pCwJYQY1jbsEBbZjICACJi+IEJAWVWEsEUWRYgMIIOAgMggKqJGjAiKeQwyChn0+RjGlXGUQccVk76Vr07de7tvZ0Hn/X7fHx/hdjq3qk6dOnXqnFPbOd/fdrRv1QD6KDpJv6X/xNM/OY7WX/hx8oh1dy+iYz+i819J4zU9yDl2t+AVMnzOhBSXFOPJiBWFxBQD9+EdHXRnoC3St+a3QznGHppMihjPeWVQYu8/3L/90Md16QlfX7jvntLnSqsmfb/1VP2+yideot84k+LetGUvm7toxYr0J++9/a7S0nXlU575w/I3PK6kN7bXQghnYXDQr04q97IgCSQy0hQVVWESlbM/nZU7ao4i8KUEbMQvqA0m754/gD48u3r1WdSHkMbAi2RXYNpRegr10c6zDWRQU2B/MSY+SnLGi/GiAOfrRF2blaNFQS/SBYroYtN0k8fBtCNRWyzi0Ze/v7Ri0bon6KU19891YiqfdfZc0PPKZRpw/s+79y3d8ShKL8Ff1NC9CbbrV79oUOML9zJsZtKaz/pSY5KkCCZGTWYJGubUYaD6blBv9cSLre2OWLH0HQ2gp9ABp7wadmZqzn5/5f6HVz24fD0c6zN0QU+ig67aZPnz+xZfvfBF4NUdG5aueqySXlNP467QPGYQwYAlA8MgSh2h4A2Un+RG6E10QP7ovGinCeJ5eg5937BAN94ShSyhq5DpizM6HSYxKU9KEqLTJcaxQrauLbnB3fjQHFu3/qCPZOEI2+r4h/zMH1Y/9s+L9V9tWrVtn/yPOYsWzbl38eJ7H9mw4RH2OD88venVdrFpex587o03nlu2p11s+iubTn9Ipt0zsXzu3PKJ98jjGZutXr1o7jJO+waOs0r7eJOTWZsmvjtkqAgO1NBJrvicTJvHqDrYLcgXbC6rQBRGAOxuOPESheY//P07JNK7hy2vol8tWrHOWJuMUxWC089pYxcq0dvxC49VIieQP1xawU2hNJ/dGeGIFAUxWhJt3Hhy6E8xaIKKR9FIR2yekIPiNFElx8SiT27dDWePUUwkzekXFFX4/Yem4sGnGk/ghHkT5df/2NSEzE3XyBK8AJvwakEI1LM34xk6k/Bs9mYNe3OFvend1EQm4AfZm7Xszd/Ym1FN35CReD57wyZsgYvsDdOWZBqW2JsqtdQoBlnCU9ibR9U8/dmbubzUevXNNFZqJS+1QS0FeWbhCvZmY7DUd6wUvNnE3lz4fxVnkkCWwJ4M4AwYkwwyybCR/b2G/92b/T2Bp/Mbn2gUyz+S/833T5CPpU+D/RHAlacnEon//Sj/uz/7ey7Pv57/PY3l5/tQgKWaPsvwR/b3RvXvNDX/Jti90/D733hgK9l4+PDGDc89t6Hn4ME9ew8eTBJe2rL5+cNbt7y0d+KQwePHDx4CJzm0FjONyHSxmdmNBPlFphMNRqydGi7gN4xtpsIikN5o/Lu1tTv3kowNqG/BrkLq3sCgqHRiI5bNLZBNkAw2f6RBiiTBuQUqzAQlGNRCJqYD0XjUfubQUSV5q0fev+FHFEMynipfdmenKrfn3jt2roxeD/ipFBcyYU6R1i46yiRIUSbwhGeP9kOUF6Kteyk3ppAxGEtBVX66SjU5hjvcOie3fbvbClY/7Iu4a/zcu0a48uf1XbpqdL9hE/9AElFM9GZjbN9uC0yehK6pW60xg/p1GxaTEFna587pgJPa64pnocgoSTBHSkQ0mlU/SvnFihUPGq9A0XguTyHy4eH7ilbtHDBgJ1kvov+hf0IL6Pr1kqS0kvMNxAL2uaJJhFGQIox+J5vYO/0xNikGhzbCi5U+L3DyJqqazqTZRRMefvTN0nFTb+m03II+oJ8YOnWZt2wjSZw5KX9gvxT0wPrymDvHlc9nnKVypuDk+/4OlyAluvyxiVKkOdYPSo6oa3oaj4FGYPNMl065QfUuJ75r7dbPG817N5tjJ5VMuWfDmunTy0ni8gdcbx6zbBAnTevQadodM+auGDF0+DBoqToClNtDIhb8oM+U5kHLHIxUNjfBHde+shO7j5IM9PedKEeuFog2VmDNQ8iBtYF0QcpM99uNCZlSSoI/KkWKUnlBWadRRkaRXoupSkxB3KE14PYVj0t33XHX2iVL17Jf0uMr+/UrKRk7dgxJvKus3+jIyNLeQ0aNGtK7NDJydL+yu9Djvr59ffTLsbfdNpbTMU1PRzaAzMhvcJmBnDGJUgzRlkhy1dUKnaKCI15BdNDmEA1XrNvyeWF5+XSStsFwxxSFgoyiJ15EU4YPGzEULKTJKF+cJMLMO+ZlhAXYPVCUoSMHxddMInsmofy1eNsK0GKjm5rEcj7GY4QMoafP40yS3E6/NdYtRUXGREdGG2PtFWFj3xoc+4qHKu3ktkMnB1g9rQ3q0Vw80GmAAjU3H+BBoUGNgF2guPmIZ9gye2eSim2q0NeXZYt3SY6keCk2OUnDN/n34JufW9wS4/BBqUdWrg8N0BCecoDjeSR8xBJhMscS5JJXKBIG+Drkde0sdezWVWpf2E3KykkotFc0l1ZOJq5cCTYNVUViKXv4Cq6/S3a10grU4ybijP7YvHE3lW80nrd3e3h7DYyHromL1V7JFjoJ3aHNuclSTq7f5S7IkToX+GM7B9nJ8Zvdo43SZv1Dfueg1XfcL22N3xbclv2bA5q1tJS3VOlZH5vfjBLG+AoGFEq3DvB37jn8VmnIcH/7IZI3JzsrJyuhveN3drOtWbt/V1+T/4AiKPsmTHDjpnS6OUNE/07SaZRbz3ezC4XewgBhuK9Ljw5S9x7+zC4l3aU+Jf60PlJqSnJSSlJMmqMiWmyh6Kw6RdeSZm3qvf+EddD41nQk/ezmJGqmQWns76bKZJUqcGLBI+QKBUJvX5Y3Qcr0+u1pXTKlvC7+qDwpMsJijjAbohwVBJu4UlRI0QoVVB35H7W5vaJP6Tc3HzCqtv3dwwWht5uu4WvIydoW9TIEzOYTIm0OqS3WqPGwnVoEbFZuMy3FZwXKJGnES3CRQNDCH6PNo75axBJflEeABczhhyKlRtklRiLGNUZTaxYwaa1aLdA5sWp/Bi4HMcEcE6WGWLBJYqKkmCD8zs3g85MdGlwaYJiGgDb24jg3NQndWY8vQU6cg7fRCtYI9hs8xDCrfpsQbJOB2TSsRtamCOIXIyTRUYGswTYRJSZUsN6fje9HTNaiuteR84F8mqlrw9t0Y7ANsL8Z5Ye+iPELISrlqwcIGEziKHDgMpUyucaTEeItGpEaxgNsNgeH89BxTArGM57N9sU7icEuxqYJ/oQ0KcFRERlrlqJiQzKOR31Ghd2KQotNmYpFYHS5whry47490ydNPu6rGojIk6c/vLI81KqpZ8pnrBs2ZvKITXcveuHpv20ac/9oXSMZTttpJb9TAOMox5eQHpUqxSYl2OIMTrfApkVO3mi1xfk2ZTlM324Hj9LZvbCwgCOmbYmJeLxKi2RA6O19e2ZM5BhSWUeY0hd3X9nIUGJYTq9SsWQztrdxPr7G5rQm6Fs8kHF2F7SLLCfXWU9EvGRm5qCgMhFg0F1ztYjLRq8eNWr1aP6Jdmnf4BOsuzkIi33EbXxVzYGiYnBkBDEbRAvTrYLfuJrPMjjJcxxZRQbGLFnxBoeJoAX7Zbp3KCpN+igJlQ6le+X9nyG8HonTz21BEq3ecm46DaxHxYxHj7PZcQPjwRz8FP2ecaUJPwWXohmVF6kresnMzi7ypSbBtmKKg8Sa2kVKdmM7wn6EGAuuSAieSlLu9ymxtwv4vm9BG/7lwcM/ePOnzTzJh7zxd1T97Ld0Gq/5zQf6TDemi6XG97n04HFOtGOY08lXxvSjRyFPeVOJONU4lOWJPAabT2uFvnAhAxWgcpJZH7hcazLfuBGWL+plnk+VYCwjWR+4XE8y1ZwooukWctU4Vokgb4uVTDa/ySKZqoJnCJT7vTrf+eQ4fZ3+Idw7vrMO/R29HPJ+v4c+dAzwPcug79egKzHjIEp8EHp8ESxtWQVwTqJUdJbBRIg2MZhd0EA0k26nNXXH0Ao0GZWhZcdoDr2NDqNuhrnQ1IF8YZzAtLLH58zKjoyQIiNdQmfJJfhdKZKrqtkJFj5a+EWNQsUNijJ+Q7urIRMldDWH9Nj7Er5tdvuce0fjl/b2HOFO8NyaMmiY8X6//37jsEEpt3oS3CMunX5+7L6yW/om7srwdZq0e+yzr0RaDhkME0bfvuv2u+/FGXjelIm7xky82ygeskQCVc4zzF/UMLdZc/Ok3Fy3YJLcgt/NZjEtMQ8tfocWMZuvgPO7N64Mo9oUtKjHyNawHQktGjM7p/3s2/BLlxiiovHuiWN2TZwyjyF6790M5dETDAaG6CvPjt09qZMvY1di31vK9o19/jTMdBcwzK8apyneiQSDBLwlSmhdkFu0k5sLcAUdjw5dMt1S29C/lnNCB9IrWFKJ8i5KhmDJ+ELuZcN2Fu2i03DFpVrDidobdUCtv7Gpyd+4rREHHpGwQQydzFUOKSK4J+hC+Hv5G+z6Bj7wG3b8htzPLvcDCBcZhIsaBCNiEIjJrvoEsymHTBQIF8Gx2zfwEQLA5Mp0XC6WkgxsJF5+gjj4N36Bn1wYyP6WSEZwtK1URhuMXXCLUV7Ddzy8LNfa1nN5xak8F4Ot5mKwj3HY05tGiaX8/LYy4s3KiFfEwlEmFQAfeTTkwSaSKwiNXzAJvpOWklKBMgn+BntTwfLU0lIxm9kmOezNx40VTDa+0ZTBU+rwx9zfbQ4+0ZTBpeYJ4WPezlqWks1T3oA3ShnACu3HH5Px/Cx51Mtsoo6tSlsQYrbOfhSzpxp/zA0HhHaynKWt5HS4WVo1SqLfq1kZ1utZ3l4s7yD8hviRIJxkUxU47ygMFXuRj/juWgdfIrIYY6INEdgcaY6MIqJkjuX+APyEycvc/AK4Y8O5Iov1qcvgMhjU32IvmoC+ovUoT76hfRuKlm9Ey69+ZP/oavAbq3EBq3G6WqPXlxDFGNUUG4FJZIzRbIDDvmbGvdEGvjgR3KPKKoQfxkTqb7wM5bE6vgpYld9DeTV0+Ua6XPsG/XtNGEr287pSfFZkNGA4jcvbw1gKmpQb1hqyXx6Ia2gHdEnB/fJn9s9AijMob2tQTJgYRUNojOmgaDhGoEu0A64ZCsUvAyaM+kkkilTz3n676Rbe228L53hvf0ai8Fm1D4EHtT5kOhr97PzKyZKXy8tZXwXKcTnZxnncJFhfEVjtyLBS0agKp8MJj0Uk/cb7rAzjeBgZ5JdXdaXAA0o0slgMgpmfsOajRI30EgKhgvkxnUShoSRdAcWAoV9eFeaSk4YEwcHPa9gki9Vvd1jMyhqWxSxZVqonrNS4c0WFfQg/8VTYieQw0hgPXFzS1/HT7Igtzn7LPthDauZ+N2hcng3lncjDMbnjh3wnf72E0SRQTs+SKC1OhcEkGVZVwFGllUHbVA19ivs3ZBou17Hcu2rI7htmXvb/O45L+9obUgxfaDheHTqhU3MccZAWJmb3dPKlGhISJdGW4BdYFchq8ScDoyQZIf4przC+ODcYGruoEMEP4+ZmVcPhGFJzo56T6cYVU0aQTGiSHU2AquWvvus/tpNDQafD7Qo6Squ3MWwssM5pNEjE6LcwgWDxm8xBykF7ocVZEIaO1e5CZFtgXmAKeYo8IT+Aq+Zi4SAWvqP77XSf1sJtvIU2aCGJiZbESDZFsJklU4TNj4zWWAM2gmnQooV8RLEfg76qgaQGqgmcC6xs+MCQSx5RKk1YguOUSr9DP59AP6sIsDbhTPIVuaCcX7ULUpzdb4iWDJaIOG7nWNULSeqcrhNm81bgXaay0zC/RFsAk7r3ey5ctLDnzMaPyYKSC8XzK+YXd+l2djPO7DWq16S0mm0lZSV33Z4/8Lk3YIT56Fl8gvEdEYohJl77DvyeaqJYICWK/sR0KbGqAqaeq/S3zPj6OuPFrP+VDYR+rAtkXPhKM4O+unDnY+6EvvPzFz2kGBYPLcqf3zeh24P0rOnGDfPUz84NWDNYNYaGVQ5450NuDC2ZM2jFINUYGrqi/8KVijFEAiXMLtjGbCGIAjdGKPMVDB04sEeXgoIeRdKQQYN6opKSnn2kUQmJI8WePdhP93597RX53a0V5lipvdnfPkNqXxU6PMetdi6PFYEREhwFDrdTO23+e4yp1sJ4aeG7WNeBndU9Tf4Xemlv22YWwiNbmQygrvApd8SeNPkty+gZmV7/bai8YEa350/f1Bor8ndvO+aWtzh1WkJPxh/ybMYfGzl/RMJNEtEigRQ1g6UVxhcqR2j22pm6hitklLwEr1a6cY4p5WhDfzbnIIG+vIemgb9SIUcY5st1xMbmREkZcTkoLS2L2avxWTnsJ7pdsr3CFm2tIEYpgkgRpqCZHz6fgv7QPGQ5FJuPP60RPBQj7U55IzpEx+MK9PdWaCr/Gb2YRrvgaepESz4F5qN8qm2CsZH0Ee7CtE6Ztr4QJfBQVEZ/dEiG6yb5WUzjyLO1ef0esRR30abx3bnlJu9uuoanIifTn9vAWRjTn9uaFoAd9euPTdfQJCXlRheWAjlGKTnoXHAR9Ms1NIdsE1P46kmy4hlWjLNKEXFxKDVFSkWgdSsBLet59TYaLE2wftNh6NZ9N7A0GmVY/+NXKsb4be0LM8bItJoaej5sHYn9PsWaQW54hUsMk2Owl8Xw6OxLMSc5pZikJEEkEmZ2EEPEBBupSMJrQhJbw0kTqllt4EW2NW4UKwL7yKSfMrUVrIPql0uo6iyqukx/ttOfZzdHjtF3EZvdZxt2c+od49T7Y5MVLOPARzrqwf0pa4QoRSDQa80Ix/qUNKOagVvSgV/rta79ngTC6cPoovWueAurfbvau9v1vaukqL27Xe3d7bx3jb9cE3Yz/K7x9T7o3VyhCM5nZ+flS+kpeX7o4UTBHiUZE+1+iJBdqd09YEirZ4Jv0s/AB4Y20m8sb63/Gxa0xhnk7eZEBzJE1dS04BTGsYGPgm2K5ZyS5Yt3JklWpx/IHm0U+Ehi40lpC5C/+YhqDffQCNsoTm3cLU4N9ksIuyoFq/0hbAjH5hTHBnAp9GXExtgdDJ8oJyDhiJbsDonhZDP6mbllt0r2NZoc1O2y65f0NPOnVdxqSLfAOXHyr4da4CbbL6MIO4q4TB84S316DD8J0gsw7OpLZ+jEMnRipRirpGDqYORySDY7XD7Qja2WsgipoywMuwUqMoarjXvEyYFzpNuvl1vBTzfI6HXd6FpLS/EizsU7Gn8GrsU71gelmrKmpvL9Uwrf36hjKWuVlF9EzvdPNU7nJbftBCtXbNpJAobvuJXrijYZJRtmsxosWYkpysSsPs4ZBdbz2slpg4PpAf4UgJNm/siBr+U04nsq4BF7fnP2G/xD4PmnyPXGY19PRxdqUI8aVE/zauiZGn5G+pexao3JcOIgMtofEcnUkFIpYfWbuGA/w5jxjBozstBdpD5KnSb1IY3ntjdcN9w3ryHd2Hver6NNkTvO7hAvNrw/z/B0A55nvO/Xbtuno/yaT9gP6kbP8S/0PKNK4DKnCkipPwZ8GjVafb+dvy9hUm228r5xvyrVxoNOCMSxlG18tTpVcAsdGVe77QbiFM1ewZ/hlTIcFeluKT01NUFKtYatXfdVRtvNF7BR9+5F6g1vPRfNab6UjfbEZ5hIZcBIGhp63WxZGx1pPzO3hqaz0Tk+xFeNAYRFUdzG2re3cSNv994zrN2/lMJ7w9tCNvwNqT9f4a3f2zgB5UE5poeuMz0ULEc67hLgfVOJmG0cqoN34AyMr/KmW8gF41jBK+Tx+KIdPelSvMcfnyjFV1V0yc21OKxWS5TUtUMHcw5CZoNkMVvMItgrgmhX6GZvPboov3HSWuRXu1CgWxZlX4hishi6FTHuzaZ7WovgOqcPKqW6hdMuAfpyXzo2jS7mtguJNtM/pqHlllYisMagjNDqKspAMYo5c2TiGLrtDqDBWHVFNGhL9+wmJfX0J7mlpKqKEQMGmEt4y4cPHKhSY3CH3DEiEMISTom27OibEOP3zSWUPYtClU75wIPEzaZFdGMrtMLDUZtrrj2ZeS0vDFItN3PGaIv8TBpeKt7m97akXXd/0U1XZU8/321GgULOh1KLvXRbYc8Ehas6kFNB23ekr1NykhSX7IcbVesqPDl+j4UZw4yQmenp5jSMfy9b5d6EkKH776r9a3O3zkn7lCVWeSNN1+iAqtEHdHjL5uM+sAqL+4TsXyZ5ylkDMV/veabxO8VeEeKEY5DCJA/mkl1JMeKn4hRqXCOnmETKF7oLJcJU3y0pnqwk0ds73V/UWypyVMR7pXhbRcfu3S25DoUunQoKzF1/P12CtOGiqzXyaEe1QIR5QqKNzar5rIFTTCfPWqXcS5H//HPdZb4pJk2d/wi9H9JUCoqpmoxrQcTjZw7vvPqYslvm3zRo+ANzKvm0AkgaqAjqepWy28Io+wxfURODKclBjmqfEhfn8VhSVYJlxcczVspMSvo9RAsnHPdOcZM4yFzWA31gbtAaXZQ/0Ah8o6GAEwO/gm+0pIMymSILjh6lu9hU6xrsTGHGG6PISdYy0FX9fJmu9PQIp9XKNHBCu3amRISY/o0wRZh4a5JFwc8blFvQBhv8RkRn3g66pc34zeK9DZE3j9Z8lMdmZn3VhekTkeuTA411mn5ivM7ek+18B83EZ9I2MCaMRpNkrOQT6bVBu1bZVkOgTdkT6MI34vCRCWRjY/4EcQHfaBPTFaNVEAy/LGeQtwUhxyqrgLHMQI2JsPtNrBpjhL6K4IKVVktBoVIT/P5leai2XaL150pWIfsdrFOple8/8BZdZ/VGwl1XgiMi2dwoEknQrjUVosVkkExrdTM6bhPzZUDkgWV9Vxd8IjBGfqee1bhNnHyJG7rzG5HJTA/TbmeBltNYDedUWjZwvj/QNBtsxV8+ZimHlZSmUm4rHvilQsnROAfWmHl08G3GT5QzlGRVhRFmbiqPQBQU7rHD9curhvV1hvVHjxo/+TX9KF9LhXJ8f0RZm7arO52MOIFyUxdlhwS9TaxwlkDZ0SaZ7I16QgIzO1eAE1K76UlxjvEck4BJfGx2YPZWamRUTqJbSktMFFJRgmQgCFd4hQzJNdWh7BODp4fc85yJYS9AjTfCMI3TOziAuyHg4SmrW46tu4F/yWbfuu9G06peefeFvReufnK+W9X27aj74cP0LPu9feOKRzYZ1iMffSP21V0rdtiiSM2BmnP0JPKJ5+nDpzdk0a1Z/6Kdr85eYqCd0WLYJZnK8H+Q4Z8gpAm5vvjo2FhjCniUNxlJhRUlS/HNYstoXsqRLZPZL1kcZ6a7c2z5/JKgyQZROo0YL5GvogSEq1a903nLmM0REY9v6HTwVZqP+lcfYfgU3Iq3oN7ogXYon140Thr1xDJrY22voyWY1ot2WjRGzMmgP8CtU/qiOMRQISQK6YBdjNVqSpOiIyLMJrhJmSolMOwiW8UuGxd2sxeF0OvO7QiGnjMu3mY04tGXr//rb1Wr3sjdO+SRIY8NSBi2azhdu3R+xTL6IuqTgBJ+/BYlx6E+9O3IuVOWLkyWi1BMZE1sNKZnyOytx1PwG66jjHem0uOMeseELGZnFwjDfV7s8aSjjAzBnc5sx/R4Kd1S4YyL6xqVLTlstiirxRJrnmriZ3Pzk87lB6UXv6DMPqzv5QclGcpxZEMEH0e8idE23hFPeEuIdhvTQ1iGHMSs7Lh4RzZyxjuMRrRu7eB//vuTbmvzYmKLu+Wv7bawcEtS5ktWK4QuPBkbW7S2cHAflOBOf+GWISeyaJf+j02fS48noG0voBdQNrq3AGUnBEwoOYF+3HnCEzlpASOCMINnE1BeVKL4X2LA3t4pZlvkrz9YSfJ7fQ+x84SVYrn4DfgfF3r4PPHJTmy0WqLNkYlsnhmXKPhTEqWMFH9khmSKjTVHxvgjhc5qe3P5b2XXrSinCM6j5BTFgyeLongT6Op4Uw5ckS/SHeU/seCV0mHHHz5+14NLprz88IvDR7y04M0pSx+868qkuXMnsWdl5ckZj22aWbvs/a6dzy97febmzTPfqPyoc9cN86dMmQ8PjPhHGM9nMZ5PZzh3ZFhne+LsCVJeqre92ZKUmOGOyopCLrtNirWTig7IJLUDAWHR7uvm5xZwE5cHY+erwvG2HOUGfIjdwGclGwiE8RrDGjH+K+yG06+/kHTPqUnDH9/x9stV814et/7huYW79tF1O2x7hyLc7mk2MPLQ8LN5XQl6z1NSU3XwXQfqQi+Yx43dWOGgxYlDazbTlzrR98T9ZrQifeeA2+nOGPqgZ9vDKidWGC7DqXnWqiJfRnaO5Mz2OyMqbJFRkj0y0hgrVBjdiqeXFClO5+lFWYRT9uFDcSJg76aAh1AzhXt9gZUwbFQ9v9DtaGa9JNXaE3TeX9aTaSEHMGjykdmzjzT2CfcB03iDCVgkjFTjdbaH0zXxlgRTGmpnQu0t7CcqJ0PKsVRYoxxSrDJgFK/tMMMoLtbt7BUA4zBl310oCPMmzwgfH4zp6UknIxdivLDSi2yXH6vvetC7dPCiA+noEk1CBH1BOw9BBWtXdNp/jCaNQt9UeXM9GVUNKHZ++cPDxx3ZW5Wa1jWvir7GxgJqgt3XPswoKzL8kUn8jr7kKHOMFGkmFYkpbMotMRvfiSSnEOcXuE4p5sucxYoudtuC591D7lpgX1L9wabIv/7z6vsL1hev6n2/f/6yebgLXYcc9F9oIc794v1LXw8t2XTnmqUVy8U1Nbtr9vDzASOoR5zDaAhefeJio+xSgsUouSwWIQbIFvQSAD6cC9QNVcW7OPSw1Z3PSZZu486SnUxElkXMfmA2XPJEP1dIcX2ndqRfoBfpiKlnd1PPiVjbzr3YXHUIZztfNTMz+VgVTXjj60UOhkea6rXLBmt6SuTIKIskRkngucuqc3UVvFWq8znOf3avWEEOyym4i/w+k7yn/lElJtfSlNrXq/4hcA4/KT7ENW2KkCF09iUlutIkW4Zks8Qhl6UiKdoSK0WZpxotinQFjcDqes9ezP0EKPpKN0LdNmNQWyEbm2ba8Fz5O+QMVK09m7/1jmo00/vWg7QX6lG9D73dZWwmG5z5PfEO1AstVLXWyC2PRMl/l6dF54pcbeUNE72Z9Ed6J90ZZUb87NpAxt8Sn/n09LVLNCSJqWkCbLHnGtjosOdmSrmWihh7JJc0eg4HT2rFqocrvnsNa03Nd5u4ZzeV08MnykWFA5FUJ5/H73jn3TPs2VHrJ99YVfc/W3+m6+twL/nWgauXTPl0btLk7x+68uPIkei9LYe39Bo0eebgWzeOv3PDI8vucrIXPQeOKsvvdDar/aMPF1UkOdWYBEdZ/yYxOzAuzpQoOUQkWU2CKApRrK9doSNwbIAWKKf4lVihIV9W4JjPg7gbq92qI6uVy9AUWoM6fE//4Xt8FO5ahT/QnFn9ha5ZVyX/Bad68kzgw0r1g2dMZ1K7qy8pKzkmXfKkpCQkCLaIqQ5LDKnI07MZaFgwsGzqObxCdw6zCpSYeKBleGg8mA5ac8C7uifDxH4ZbXAeyu0aj3LQugM1h2d7shMTZh86XrdtdkJitmf2rkUfb0YTapLaIes3KAKN6bGjUsQrNufRry8fPowsE+XvcCExMwYOLKOHDtH1NQzrexnWExkXdBCKfWkuW4KUGpUW6TFmRhoNUexHcNoIsw91mDeTcsrNaWbBMGJ2K4RhE75mwgePEz6NIPkqCwfa973yyitX3gZB12H5sNvvRWvYPHUNnWEfVIi/qxm2fmCVxVJedeDUBSbgho66t3x/VbnFUjVo/VAuURZxv3LrmX5kowzuWBvZQCZR6dFWCUdHRZsSUywVyqWofFsoZrtyVKOo0FQIoyzLZXDB44zTs2bhojr2D12hGfBkTJvap2rS2IqPHnp1H+PCjOMZWzLQm/Tu0VtGH2fPwrFSfkHx/oF96i5PCfO3mOqLiSZWyUiIiCNiYwWz0Jdh0LdYi4FhBbNUBNuZ96zRZitF71ahdy/8VPUTTsGds1Ey/TJb/kD+AqeguR0CQ8nxDvQx+QuQMhqXO/ieS09fWqTJFBdHYpKT7XaCpUTBZSFEsFgYx1uDHA/OAYrtxeFzapX3UYF20Rt5bA6PEsJsy5YtAWR49yT7RRvfdTo3oRnOTfiRKvyI/DA8Vcov8RZ6kQ5BHXV42fi6bkdfYqpVisLOFMlCnKnsRzA4wmL1Bo+hajEmbO58MZ7hYRQ9gIdL8yPlYiMR7fkJJcSOHp9Iv/n6448/xm7nwUfXHXTJn5AxVej5T89XvXOJDhbP/3vBg/LB+dLfGCpBfFLYvN3LxmNPn7tjstQxHmfnSU7SLluKNrWzGrOy2rUTLGmSRXdLuzPrpwIVt/z888EYGDocQbiFoerolsO4uzvKV/AFjP+MTF1n3YbImHndaOAdhjX6etzjonwFewg99sY46sSfVM2qQh13Pl7ldGWkV236AzThvvvo2fTUWXH0Z0lSoxLB+d44iC/iYwaIZMGJbLJuM04lLruEBVdoUDJpAmvkquJS0AW37ILbwwegQwuioyLI7ArGZlT+GB2mYxl+u44cebpqQy2Ja/zyOm3YUPW0eF4+uK1qyx7Wu6O4byslTn2B0MuX3S7f3SWzozEhO1fKNlUksJlOZIUpwhbNw/pYJV0o16CLPM3xFQ/sYzU5PCTDo3CcEteLGdL8ig3Yqorah9sQcfEs86gvnn5u64bTc80WADNq9Gj09f3jEio7TV07sBSZ7xwe1z9z9kDfFsP6T87TT2bLR3CK/IV4Rb62ZnHlY40xzreTJpVsHb59NMpwvhoz3TNz6LOrKfgZ26daBKAxEhPMFfHMjjYiv8tkZAapyR8LYdJxyNlLbrFyrFENxuPhB7ZcccAQ2MTUxj40+57lVvkpPNV7jm4hu+n1BzMX3+f4Fd36Hf07TqmdfHvVy7W1zviqKvrTCPksToH5Lffyyv2BxyqRrWMkg9kiRU2FKFlmhYTKdDzk3dOtxoNDS3ejNbWN3+Evd9PFJEreRZY0XhYzAz/iaYHVOrmeBjECYyPtUpzBKCUaDEJMJKlA4DFL452Q7aXJcVuYBLcFZfeQEaaXm0nuhaZRQ5jULq+dUYV6B0U2fbtqxsmZNcE28nN2cAouVjRXRMC2FQo657WeUfxSwQqQ6ixplGiVt9BJopU952trG/PV4HQoCC2exy8hRslKnDhesmGCzXFmZtOZwckob5dO+gP0rEJDYZYKX5X/jI5PozH0T+zhdanf/1SHxm3pcbzHlh7ortpa+lYP5Q86Em3SyZZ4db1zkC/TGhWVlGQ2E1tGhsuVlsYksSUhOiVdAA+40UzuOcNlcTG/SRiSxqpEJozwhDsmhR9lTZB4iMNUkIMKHB54jt06/+6RF/ptz6/r+od+F0bePf9W+udBowb5bZ1sTYKz92JsdnoX4QFVcMoXjaPPwe8q+XU8QH6dTN60SS5Bz9CJ6Bld3Op48KluiYwRDVIsEv0QucgRJ/jjoioiuV+Q/OBanY2vnIFZ7lZDWGuWsadwDxpNj7Dp1SwtkvUsFEMPo7H0cN2bVYerSDR3qPoD+/rmm7Bypd68wEa8R1D87pSI04xDYd8LK16dPxNLxYPqamKiLwa61SBKYIbww5NnYMuzpT/nBOUh12tq6BLlaWpqqkYHDEl4KTaKCfz0cX/qwTNNVvB47bMIRn9oGhKcfRTwycYImGzUh+YWxgu/jlDmE2izbOf+YKP4yp5FMsDhVqKt7CFbaOpiQ5tDcxXZbizXZie/boST0GiyWErWCGxYHodD5wK/YMXdtAGjQqM+QpNx+xr6OOQWahldzik0iVA2gU3E4FfOGRbw+/tZ6hlNHivpBp2NtpxEW+jsWvRcDXqW3l5Dx/ET2Mpp79bObbM6tdPdi4UTYpG4j9UH53gtkWZsICZzRIQo+I0iPymsro8gVITAYaIJ/boczaA7lqMpaMpyugPNWE6fPrEYLUFLltL1aMFSupquXozm8z5+krXl33y1OBnaE2eV4qKjJLgaxE8rnc/NPd/8jECznV1c1mPMmB49R4+RL5CvaJTyx2jy0ZgePUaP7tFjDH2MMUHn0fCyZ4/RII2mozms1hTNyzocIws7ThPiKZWfiHpehFNf0Rh8bZtJGb79D3v/JuKPgp1/c0hdcMvG4Qnu/Reoe/8bX/0M+Z5iDNjztbOvfU7ffApdkd9+Fc3h+/5zGb6w778ZaL9ZuCSO4meWWG0EG00MTROSmP5nY9UoSsbgaQ/dqnYhcm2GYA6k9lLozAZAm8qgpXFobp/zpqeeQuedxLRACallU94v9KeYuD9Y4R6xF4cWCec1MTEZ2QgVLP7mOPJT2iEcHcHj5G7XQ+BThdQG+pHXUI/LH9k/ukwPnpX/yigNZ9XvEfNV+B19KeD5SsE5IlISIvx6zIXOwRMl/PqWeqQcahDzNfwDA6ESVHYWlUFN9Da1P2sYL9QpsWcZ5iKCk+UmA4PfWaFEkXqOT1sJmA4jSR1QaEtNDSqqQXfTp2rof9XAjQVhJ4N3DeeQAkbyDMEEv+kVPsrZuCVnBRd4ZjTFSBEmv93lJ3YpgvgjVBoBdcCJMJhBEFQJwo/AydrpSByyefOQ6Wcvl27bVroI1eajsWlp+9Ly6WH41VyGEL9OhhSCqcAY+SR+r0b+EN0HnHCOdCOf8Xsj1leMYlAL50P3cMfoHnIOiSgGiZf32/eTbrhMPohepYO5XEZl4hKxE2sHnN1w+2wWp9EeJ0gZKXF+LyzNG9XrA3zupRu78doZVE9GDng/KdL2093a8imbxzDxsHXr0tsX5eUtuh2+7R837v7iEqu1pLj3sGHo/T5Dh/bhf6Kyd/c+e7psypSy08/ufff48YOzx0+YPWvi7bNm3T5x1uwJ42eDb0o2ViEiVDSMcpMA3tNN4VF1wQMQTMLA8e1a9D56//KPP+IR6GsaJ7/IfufRevlFVVtwSe+C85TmGMmsX7cKaQydwA+qjpDcD+kQ0kuT/4GPQZeARznFtzjThh3DYyDgRNWH6C2ixH20Q6zYiAgmcsygbjTrFNoTr3oPBcvwzGzRWlVPN9YZqmtrGyRDdYMEUQoYFCVKQarPClEKID4BNsOupVUd/dwGjA+LUXCa9iaV8jL0Gs3Hf6o7ih/C5bW1crVcyW/ujVcxswCVMYGrGeagkxC45QX2DOLA7CfO32tHBnSKXqZX6/AdlNmmDDke0UfxV8va24+3X/PoNQjfLb6o3phRpa8Wl57Zx/q49Dz2m2v6SeJlBnB1DcsDN3s3qv54YPW/QCjwuSHeVqcMydvJn+KVUhwVcCxxd8hVj03p0iR+zqiF7gkLYAKuHdpIQ3Ob+fNZzB1sNDT38pP0wuNPvHCk+vEX9pYNGnrHHUMHlcn388vcKZDwwhM8YUhZ2ZBBZWysprP2/CmsPX2FYUJvX3ZiQsLAHtLAbj4pKRka14k1rVuKv5ulooUPIt6ofDZAz6v7UDdpHWmrdW29n9CsfVuh1f5ZK1bMmvXII7OyO3bMzu7Uia5s9qJNKsgjquZVVFVVzKt6rGeXrj17du3Sk/Zp8Qr44g0mmH7glEn1xaAIg5mYiSHSXmHg3WlTF6v46jZhRjQIOBtq8uZ/hbbEofVX8r1iD3oeb5PLUX7jGQbPjxLF+8SRcHfZZwfNY4hgZgLIyanqvSPGIKDOuLUAF6PAJuZa7UOUKt+PH6Wf420okUE+wWqhs+MAy5NN18jPaowQNhmriEAmUWSWB2DJQCoLD0oMJQhOAN/ZyMFj6eyvOJwrdIETb6PnxR6NZ1C+4m95IMO0lGOaymAKUiRGJojbIolTmQYDNi4uPh/SiWCqG/AVuZzB+Rw/Kt+PUlEiWh+HtihVMIi3qm13CF5fXLRDkGIcUQhHikabFMHgWsSpRgAMAj6++LxyiBeAm1zuwhyu15nGdMWjH+gI9OJpPPA0OkH7n5ZrTocqUkhCF1yBr7z/GGV+4B6pvD5njMFiihWxKcqGsS3KJFowrJ/1jWed2LkzTOgUh5OoIL7A5jHx7szx2AqKGKlu46TS9atKtA4/k9KfcQf50s+BYz/Ll3iNA3mN8UK+L9lqirQYbaIlxiGKjhiLiCJxhYvfSVRManuzuuNh+tOidrerDi2hS1sisAL5a2pwXBgOX3PbWmAziKP0Nlg9szGhLR6V7agvfUtLaXpcn4Iflh/RUoQP9CnkzcCtWgq26VPEpkakpZBR+hRjn19PaSniY/oU00M3Vmgphvf1KebaX0q0FDZ30qVY6M8YUrAtPIX9rWJgeD88xfA+8tGTCjShWkspsFWrwJQUlBcqg/JC9bCUU7qUU/oUXBZKYYaLPuW6LuW6PoVUhlKYrtOliEk6rJO0FICrtQfxekI1Qa5QWgErFd4mltemx0+hkAJRSQlB1KiHbeGtCtFVrcugpIQwaUQsHev6ysRzJGIliwKgEXEwrcFhvXowCCcsHan1yAcVDhObFIqE+l7DX8WyGRaQquVoHNUMlTZbpNZjCYOlnDLSVmEEG1x2Dj2u4MP+w004d5HLhMq9dC6+4Q18Iq71No4Sj2pPIIlcDZSgcjxevoDKz+wyLPei8sAnXnyjcZRXXPvrSa941Kv/bHiRXPUGSvB4r3zhjHeXINhvgluOkCt0Zhq7SOjJtDacY2XYFhWQcIxbYt6sFQXNH9ai3d46pVFdvPJB3jJy0htIaNa8sGe0eKRxyW5o726SJkfshjbvRhvp9t1ndhkHe3fTuazt8kEv7sIJEEjwkpOcCg1rectv/vmieMTbuIQTh6R55QhOIbTRS7cDmbL+IyoNE0YKY4TbhYnCFOFu4R5hlnCfMF9YKCwVHhZWCmuER4VNwhMter7Nx8BoblLo3jqNb/a0Rv82+gQepQMyvY3HeH+QSd7AMt49eItX7s97C53z0ijeeUj00nrWk72809vos5s9vD97iUMbr/SCTu1FVgT294Ke7YVr5Dm9oHt7oe9p917Qx71QB0p7ndnVa1oPPJX1aeMxsJihiwPLvGQS73G5vxdv4QxAo7zoHOcHWu9FYp1393Rvr4ZrvKP/f/psjOMMIw71Nl5RuGaFN7BfYZ0arzxH4Z/vvbQ7ZyLUwUsp46Rp3h4guYYJr4kzxIuMj4SsFn5bdl1bufLaLv75mvYFPplMCpVLblkyPDSgDsquQ++9d+jZ8+fDoFWff1Z5zWM0CnOYdkuD1XyAmwnHvDIL8kW7y4nFHOV2arZHcWfBYL9Mv9+6FcW8/DKK2bqVfv/y2rNz555du+bPc+f+eY7+PeSrnvvnNcF0IawNcW22oSX6LXH/bVi2VkjRggz4OifCb8BCbk7ZMFjyN0rZMHg4mmH7e1rpbtlJsr1FFzHMOLfgMgbLrIOklVULgC5Ta4RctnBmek1MUrOFYZbUBmat0e3Qe3RdKyyEFragnrM16tla0A4tbEE5BozJVz1+7drikBybOy7OAYdNmqO5p4r2j3tn2KIdjua4Vr8TR/tX7UGnULZjx6LfronYgp7NDay2+LCaxlTtee8Qg4iy6ccMWnhLygCFasClmuHx2zXx45NuPsIMcKayGan2VKETDN6z59Gp5s3C0YDDCYbMTxyPsLqcrbaK1ZPD96htxhbdPIaTZphKqWb9U8YqlxOCyMB+daiuRH7ur5XeKlLOgMQh5ZhtlnpSNKzXcjIzc9iDdo0cNGikbIfP8M4z4s+MRjnNiBbes7uLvLnL7nvYbzynC+xjaDhEck9inZkWhvs2U5jWXci07SZY0QxN/ePbuJppautK5/+F97gso337DPacVH/TZPXLO+pv/A/1S+BJ9QuZpr3Z1jyPvEj9gp7W4AXUL2Jv/os9wS/as6/5i0+bv/ik+Ytnmr8IAg3juuTW+SCkm4rCaNGKnnp25tKlM9nTur6q5mns4XuaIb0F93h/U3cVtbEMdFOdtmbtvn1r4ek/enT/fmPG3FzHVSt51+6rHtNPKQAe+bqgx8hy8gnnUqGtxShctmrv3lWr9+xZXTJqVAl70GPKn6v2VvO/2aOTtXDDWihis40sHYxhbCr3g1JmL5P7jVc/1EDw8y4KvQi/9yoUKmXbpBDMp5opT+iEOWDBDWvdmGC2BD7D64hidfDZkEeDXqDAFY8O05XCZ2BWFup/zRrBZxQIhbYC5bRT90LFZ4bbaVTLD5MPPnue6eA5GhfJBz/lKhN0JsNCtbAcGh96FBpptQO++IyuZtUuYzVrdpka76FAU6Uc42rFLgNicM0LdWn6mdflUitRwbOKBD7XPKPpZyYLPYWAEfnLe4dAtJ7hUHdpWpxhAFq8MFi1Umm1UqFmEai5NDw1BBXc+Pw42NtClgUDmWFaOofPTQ/qrD4+w82yGLUczMavpMvoMjUnXYYqebg4fQkjlDCElwjL3zI3saFQfl1uYm4NtujWAw/c0AEXWubGbncQeCATIM7RigphfA+zN2irIacovnl7UeXRo0ebNfroUX6jKnh+w8Bm8w6fxWwUsLlC4DsGyiotggtBORaM/k7noU1foT/Qexag7vQsrWfccUbuIfc4jJNwknyV9wzaLh4l3/O1EYebHBKNh9B2rVeCaSYlNcvtcEOOwEn8l3FyVyVjNcoTEHvmkEq1h/lqE+teGJzN6+BrI23UADLAbXOzYldJZWBZCDyTWiH4JqUGyAm10D6w0cTrqiaVuhkNUSQSk0Jc+IRJK5MqrRgMls4mltdlO8/FjPBwy1SxWwrhOA8P9Og0erJgxw3iPbp54Lc4NGz+hg3zcRJ8yl/ilC6sF+Qv2OdrwbdX52+oLu4SShJ0ekrlBA0fh4KzglM1OqWhxVjjFO3zn1oZ7t/xva38/+n7tr6LSe3y8tqxJ3Cn+gVFN/8ir1O/kBnNM7d807J48IvYm/+6yUPr/zdvmj86i1Nbh+E9iIJ+awpDnKU9vCvx9WraB/4LbcHIKrB5kPpwGNVsDChPkBlUmIIQ0QKGfj1Iwamg0GNQn7a+N6uHDbtWv2stgH+sCbpfcFdOjwn4Trcp9ZNC5DEUekgBctkKclhN1XTQGfzwlwPPyAu//ZaDRIYz6LUvv2RNWneG9v62bVhw6bCwyOMoQIWkoFCh8MNn6KAvv5xxBp0OQsMP00H1DBw6DXUIQrQOnpFHuLYG6ZQhZAleZrMp8Is8hiIPKcoxGYpyDIUmpHwzhd4YCnIMvBVyds8H0F97PrD57rvvptd8PnzdJwfYdySzD0n38pWqAWhc1QCOGhnSs2dPeoOl+ny+5ct99P27lX/8i/Lu+QEDBoBERdtJpSI1kSpRNbmpS1NXhMOloV5ytin15B/QQrquNanXUj62ndMYzKmyezBba7lQK+K2TUmIgrVDk07Bp57/w2Uo9GmwpDIC1apovUIUrSxjWEaYm5RV64VSsFHSrDSHdtO6dXjD1ooec/gO2zK/rzzgGt5ygAgOKqEPqpEoJolrld5yqKWrYfuF2xEiqNBqZsUhXU6ej+VRUgHKp2gk+YvYOxzKp5q6QSNVLcSghHLyfCyPkqrYd1fFo+JnoNELERiYZVdJICDCXQNm7yxgehtDC9EiEpgDprxS5hArsx9SGF8oGyKHSICl9GJlblHKZCEk3hIQWTEAyq0trSYDryvLzasLjMf76BFeaTXuwz07a/UaoGYLYVUHtuM+8imOAD2CRqPRHJ6GhYHjgTRUGAFGy5MYQnIehBfEOqx4TsSMSAW1agYzhAO38UI42jQsbWFzTS23qlE0xOmQoIJpu62AWVhbW+azKTWg0cFcrCfQZHGB2AnyO3hPoMn4fboN6M1SblFSLFhpE5qMysEbmq6UgZczZGVxSqIfaLQCYMuWLUCdIAwDQCE2g0ocyAawqIi8W6DfV6KuYkdxBMcDoZXor+ynK0kNfM7STgv/Jp+IO1RuOU1S/00O0VylVB9WaiK3GaGLaC45hPqQVEh7n5X6l1IK+uVfgc9ZQYDL3oRqM/D6styEVylPQrv+otRbjXiE9lDdnGOgpQwBeTGaQp/maPzlL38ROEQNEwPHBTlUdFgOOg1wopEKxBBeGscYFOSqGcQgEvpVeGUsiDMar3KrNTylCIWM2WYpNtRmiltJ0UttjdeJTa2qWr7KssijcFLzXKxORbRDoioDW8Ji9TPeVGRWEofVVj4YX/p8vE7SVC3bDUlkJJeFzAoiykF2lybKJUMlzI/oMpnNgxhrL62vb3hS3Fof6Eveqm+cxeoBCKSaQTCABlGcrCpl8alAvSgoBVkt/vpfTyuFMEpSa9XKuIKHfpNEIVBfz2u0G3trlfF6hIsqpiYVT/Yw/BqWGSoBL1pWXy9AiyAf34fldh1SIPODkFACn6pHrAyqrJcPQkFxa6BvfT15q3EWB8DrIdVqeSFHK8c+JZJXz4RkZf3FeoP/19PoIC8FrdHVyC/uAw35Z1I9yZMPsgovGns3PFmPDvLaBIUCpDq0s6xcj2C4yQwvvunON95FpX9U2Da+bqRrD9Ed8Ay1qx4Izkmob13Dk5z4CjmJ0mscrtbvDI5DuaIB/Q5w6oOdrgAAlJQeJEoPhsqjYKt12ASEej0aCgC1P5HSMrw0yDUuOO/pYRxAWYfSZax2O8vLUWY1IgVjlt+icZmWWxTUvMAswJNIwS6YNwhZFBS4jBdVsDo8TCE82KTfznCwaxioteexXAatdshDqtV6BS0Ho0gQP6AF5GKdIfF8UCPPiyrVOg0afqiSVEN9HLNgDg2aRlVUKQFBeT4AVq9rAcsbGapZa4XCCPZg9foS+EvNhoUfdB3GA5ydEHMh9HXjX5V8+BTLFzw9AbkYS/M8DR1btFq94AO50HV0UFIyirkNHRk41qrrar06eDBA2NuLSo3h7fYEcZPQQQAK8AwXG//KM7doefBHq18rAiiohbBO4kUG5R3vdSZLAvUKERQ5x3g9xKv4FCuj9W0h54DrIBoVekBWJt+CbQzmVa6ZqO2E3FysKXDBkuwtAj2IvieYeZfHTdje0A/wMHlR2fQOyRPvDD+JgiqVHPivaC1dFPgOPhUacl7V5i8sF3AMY73Wez7E7WE9z2Doe0rjd7XnVR4Oy6Hy8EUNBuptUFonMEkF9FWaJChpnLO0NJIXlqbhSFQKsnRufrE8Ur3E5u9ZjHJVKuVCcl53K4k8+2njjk+HsZ8QHYP0FBk98xk9v9OXV2najLbaQ87CNh9d1PwTejzUTqTytNoYIpQwPO8N4hmkOeBKpqHIxr+iyFUoMhxF1myGXxnDr05frjXMyGw0ie6Tfw59Qs+gAyQvdKIJ8qMDWv8DrixNoS3/kZShAjgow0TtAw7DoOVTcvVWRrOgcZkCSRmpHmWcclkHtYHcZHX3VvVEkEuUypRhrIMTxq3KibQ2xzfjRQVpjWuD4zskkZpxOOTX8gLsoKQJy6fBtFA9PJ4vWssHl4518lUKx0IK6gvOE5pcVKUASAtFCkB+La9KI4tCay69XRIX3bJKcia5pdbooUp6LonqQ4B5gVbwKFSsM4UeymhlikHSj1dV9qo59bRGvSXQIbzXWuqcVntmq1ogXFpH63oTruDp5DW1S7oWSMFyTFYsFWKgHGwkeQoL8sU4u4sVXPXJOknajIRTc1imA+s+WVU/51STsFm+I6httHL27pkFBS6+CcXKzTmFhM2StPbTVVCOA6hnsKAc3LnDcEozBvQD33WCO3XYKHokKVgDOlC/6tO1+IB8x+YmVphLfrirp5RDGZnZmBeLi2O1ikd5JighoQO8bijJaq+H+XgTEo8a3CCFXHCBoQChAji15UEIXaQdV6GL6OIq2pF/0I5NR/A0PO2IvIt/yLvYn/IuHRQ20gwAwwXcuErMbTJUHGnYeCQ8B6uHVSHmrmr8a9MRnoFrowNiEtcbJs4BPKhDUBsdYFqL2cfoetM7+FRIE4EVyuyc6ywxTA0p9Of9pp4nZXlUNdSG1RWyQHRWF4cQsro0+0O1uoJ9HLKkNIvCr9k6yg1KrmmUGQM0RdD6WZdC8kIpQQ2EwrQ9SHYJBozAddABpoOW6nRIIZMM4NtHfXQ6iFOPU1BkFMxnFPwuXHcR3cOpCf/aVDoat6nUBSvmuoo+6JwDTOcsDeoOtSfBPZ1e56gogba53lTGMNJpmxa4tKJoFBzwqdCJYZZXVTTN9UOBag1LYAorxqvKB+qYMWlzEE3yMfS4waobjwYtD+Tg6SoPqDAMwXnIdQ7A4OflFT4MwzJ4rrlN2zlMoja3nTk0U6iEmlvNybXLdb120WCq8Jhy0UvnoEQEv1DqJXlFjkoh410K13CtyHSVP1WE25TpBTZd63QivQ1a2FqlReuYaFqOW4ohrdi6llNyS5rY16m5NvS+qw2933wWxGnpKdTppOuSVkzRj1K4VlK5J1LjLmW2pcyAwZbina/jRT5vtuhzq3m1nApXJqlwLSH+5ysCClDgzSDMVnSpq8UsJsSELUaN2xakZHDYtDYjbT4328qHkAYxaO8Vhuw9dZC1Ni9zhc/LtvLRptp8B8JsPpdq86kDsg07xtZ8xqo361parlBClRQhw7WV+WizWbgKVJm7whwkZOOqckUzcVubg9vC5uAXQ2NSmQPoZJAy2oNmrrZ+xfGPDMk6vobFW6EuY5G3An2VpSwEJTh+Fr4OpY5eSTmxUH8RhPJbbMrJ6lYhW7TVJ/hRpQ0uu2jsDWtAYXR36NcoCmz6tReV7YMLMEHm11ZMcHDtyKSXFJzOWvmgJORiFgdXi4LaRVlhLFDWiWB1sT4oFtuUzK3KgLBREWb56yxddDAkmlux/F3NLP/W11VsrcvD5lwaph1s4dpBm3y0oh9s4fqhhc2s9VhhUEe5QnoqiI9Sni9GcEYKW7/Q0bJQr7dU7NRSYdor1FsunQbTsNQqgH0Qs3hUvCGkCj4h15eckZYlRYtSdyG1R+eEaEuExR2b5nfExkn2WPWOdbzqO64TzulEuKdHe9BpiymNwAVVLXB1Jxw6oRnfByvfjCRgHbpj3ZqaJUPjj3VZfNeqL+94olt59pTOi/ov2C0NSA5ce+LkkPGFfdNu7TG8h3/y2JnZJo8rt3+PKRULPkC14+8bk5c7dvqaKd6HFucgT0nJY3kddnkGTXjkThpTOqCqfVb/vB49brt1SvnMsd0mOGOKJhbNm7z0tZmwYsPvZht2C3FCBkSHjY2XiDXWjxxWSXA6JKe5wpIqWdQ7q5ovBfA8og+erDoecehO7B1HfY7U/nj5bz/UHkH96Bt10+9/+OH72XO8dkfyt+98+M03H77zbfKO2uPHsXXz6gfXrHlw9WbAJrPpmrjZsEJIErLBo5g5zmizGd2SKyLGaBQgagWuEJIlwRKMXwneW4qVO6WGDIWw8SjHyGZUTAKAm1DEMMRhl2Mvnf/ii/MTh6LE5DuGrsX9j92ZRhvmfXH+nvvuu4c9TmS8/mVjIpoUX3pMPrG274JE+vxDn1+nDbV7tjz65JOPbtnDWEgYIPQSZzHRGCck+qJiBadkF6ZGgbMMoXNuQZL1PI9Uk5FdaBWKRMGmRNIFgeSBYMjTZqPEBiQgx+xpk/3ew95Ze7asRmZ0cEs1LaMNq7dIU+gHqPMUSVePV0j32d1CtuSyJBjjzEYh1p85NY3VBg6C1eiA6q5gfFhc6/jgVf8QApay2XPvLO3mnbEATv7dNy0nf9Cdc2fdMXk+w6Viz+Lp/oc7dc/YWn7gz38+MHNLRoH3Yf/0xYun0zdQv+mLNZzEa4JTiHk5MkaQTDEwBiD2XzZWWTtec6KOMS7b/W3l5kUzNlqjrBtnLNpc+W2vCciCincfPLd75crd5w7upmfoLwL3keQV+xmczKqNeRkRiOQoKIHF4JzfJGpD36J/ePED+AG5iuV+iPHtTO45weWLEDEWjMGIncWd4ewav+3OZp79z5xfaEenz8vfwz138aOGBc3Gd54vpXdaD8mWJLXvIKCsLkabyxnRhw1wJeRF+AB35PQhRSHfig5wFhxDTDFYDVUMZzL1PRCDXU7Vq92xY8kDpN0L+i/qPCW7vNuWsi9X3bW4y7H4oUtq1qzbMRSPWn9hwfzJPfvlujym7Jljp5SzgX5rWt/C8UNOotpedz4yYZBnV4e8x0pK6N9yFj/knbJm+tjcvDH3yT/OfG3p5HlsSMc4J3QbO7N8yq239eiR1z+rfdWAUtbS2WxEdYHoH0IBSDJnJyk+2ek3JEsGW0WMV4owu2P8gluNQA6O1vg4h6i8ECsXvDIUejRnkbxnC60e1fWrEr9Wf9R3j3wWZSAj2nk4yn7fmFVPPLFm+H1xUd+98l9vnx27zOvMXZM2avyIoaMnjHHiL1AZWkSt8pL6+xb/7b+ufLz4vjRUSj+lv9J/0n+kpxxLSUdfLb5v5cKFK+/j3qdvYe2oY+3IEPKErr60dHuFMVdye9MSjYbkWPYjRNqlSFsFGyJqU1TPdvHFocDqRVq3eDSM41H3wgKryeHOgfsKBflFKJt9O//K36sfXfrX08+9cWlo/4kzRpQgS9eT5ddow8ydtOTBe56cTv8dYXnD+e4zj77V4fmtb/5l/7ZbB8wtH/LoCFq39iT977fo1wvWogfG+e9EhZGRQ4C3Mxm3rmXcGgteIyJMMRISTNaKKEHxuW8vVjy+KmyjeI5gxsv+1/5L/gYvO1h3CFc63tp/4kJtY754vhHijA9oyhRnGdOF7kI/Jhmc8Qki6XlrWruC/IiI7DwpO8ImgSeTzoqfNxR0FO7Wx6bLyeL1xRdyhaR6zFCoYkjDBqeWj70TZz2xZ9bM7+jPi54blOB/enD1Wm8e3fXUE6+/P/+RghvIuXl13G3Lej61oWNXNHDOxoGB42Xbplav3bf+YDXes/4RnJK7cNZzO2KsJ63WvgO6dI6e03XT5tVrUXzOkLuHH9kJDjh6D+jktS/yjn/QP2xM+qTpD4yaDOdakoRYsdrwID+f2EXI9sVlZLrT0jI7JIgCeFKwVghRkuI6l3u0U1x3ZSlRnvlnVr690IqBX5324BnwoDtdlYOZ8XsdTsIgO/vJo/X0+lsXL77Fnp+ef7Pm8B0PJy/NG1s69p678m5vn9BtXiyajvqj0WgBXU+P0BN053bkbGACzUP/Rn9poNcuHt694099i+cNGV1aNjkmaqc9ClZW9C3JhLuVvhR3gidHSsyWEjyJiZ4E0mqLOnfurHhIaatROTY39+8a78nxuBweF9gXbbanJ8pb8NCyqtfn3L1+/fpJv9WQz/GSWdO253967hy6cWjcuOatyBDag7chd5aUmCkluBMT3Tdrw2+2gGns34f/QwvWr1ix4vdg/8Cs+5fvQzcu+P0gP1KJUVzI9UU8+FOIsVgcUfY4kVitZiz4jRDAyap5gwVH49wph0N15MIdQDgKYFgScFnx+i506ekP/meUedQHm2OGPjA2hhgxrqyUKV5Nv0EueQn6mP6MImg2UK0b937yR+73P1vIFwp9mUmJkjvJ39Et5XT0J+dIyY6KhHhJSPDbBSnK7jdGBd2ftBKdS8e+jHvRzZyfVO4+enz/nZUpnIHvuG3MHQkT6LFwByjFAwYU9xg4kHR+5sknnga2HT5o6OjMnV5Kwt2fHBw3YNC4cYMGjIO9fkwwOaL6P4FY2wxfQe+0pW1vJrhs+4kT23e8/vqO0okTS9lD8KtPbnvllW1Pvlo9c8zYmTPHjpkJs4lrJIpkthIPGEI2XstHxkVqQGCMrCznRzwn+FAyGQQ/Nli1eMA8niZ78G4oIx8NleSlEfoxGOtUqWeVWg/MJX6sUwJVQotD+ZRovKJEDH5dtEulCFGK1dWRmWRSYF/jdPhk0v8yw7Ke0wukP3cTx93zcHJxf48Q6phNYYgSlww1GennKIWcJCiD/s2IrPjYQQgCdlAuVT2RKha7G/wuJprNRgchRoPETOTodlI0gxoXGoDFnUMRT9wZmcw0LsxnehD0N+scwcSkPHLGq5cCMTn5F/ru7Xve3L4i5V///exrTcK/+/93lfxj3Isnhg1YsPylP6a86przIBqC/B+8+TV9Zezdc3D3u8aXfHvwnnn0hqBrqQM8P8diItlxjMkoRZow+7EIfovSZO5yVvMGiRzqKWel9TA5c6CfzPTvMJhRuumkCWXTD1F7+t9mZEVxu1CvXQhTuou+vYt+zcZXD0aPSu7NJZ6fVO7oS0mzSwlp/qgEKSvKn5klZdorxIhIbPIbscoampcyGOKKhxfuiaYtHzxMCPT4ar3zMHvw3Kr9+6vWPfPMusK+fQu7+3wNeDIZjPvTSrRMPoGW0Up5y3MbNj333KYNzx0c5YP7Tb5RdFlVFcQZB2/J4k7Wc6nca110khTt8EdHC0Y2+o1+waqzXTpzc9OgxP7KhzmEyW3jKqvAKJIME5tfZ+NplH6FEuhPKBpj2X3H2gdfyn6yI6W1a+9AR8Y4US6KZWJ0KP0z/UdOHxv9YNijD718Ruwzlu5ED5Rw/51zxKmGNOUMlw0h8CVxA5uxeQ4/Igxet/j5ymHoUXGGiPjK/s1udqNHR2ycMmXjCOVT0N3WiW15i63F7bQWN9DCb/vAvS7xaPAmSD0qIZdFiHEjWAgcyoGrLahEvdWDmBF6gRwSraFTfkfwPnQBzl8iFIEWkMFignJKkQyWT+E+aAE/xYnQYCQQv7g+CPc7xnM2Nlk7g87QHiy9nJXdr5QFkpVDUX5Yk9e5jBwiNQpc9heDiJbBQVHekoO8JaIgFBGEyNWr/GzrQXwKHaOlMsfrII4jZvIAX9fnV3mOHj2K4+CyDkJ/RJuJjTTyNOJw4LLXXnsNbUbdUCH9M5RNFV4jT7R1+z7YJyM2ht++R2gh+pIUkwPB3eqF6BT6kt8PCd0c025kubUOh6vX2iVt3rZaNps6r55NdCPEj1mrLFQLDCXfkG/c/Fx46CA3WtjGuXDU8sR36E6cWXcnTr0Mp92Da61e1KJeuKrdWr05PGN1+K2e0MiJ1MaOIcuWZQiOIPkGqqAb6UbdSHr4Ejp06RIdz1sXHFHJLcfUb/o8CB9n1ROHDp0IT/Pbb4W28FtQwZtNWDd6TMDncC9BG0P8epg2kNSbYrpRoc/Pxwb9dtq0adoA2cv+KeeNNW63qPyexYQ6UpleXocj9tIyWhbk/mr0Ayg4VlOIz00Kp5t4XYzbXxswoL/G8RXsH+AV4vrf9B2hGwNTFHpNbNN3hG5UaLci4JbLQjgyX12tjI/qakEMRDRdI58xfecWSoQhjCvu8OXnRzulzraeqSNNg6VsU3Fyn/QRg25FaFB6ssmQamM/JI+p6FIyQMogjgqfOgXMDzrztykTGZs+mB/MDpnmZlPyrOyWc1iHMoc1hJLTbS1SPTDDZSYjMxSUX5T2fvAc3YzS+k18/Vk+0y0Z2i1TTjw+6jDaCO9vvfP1Z1E5f989g70f+dxXPZc1PH7ikeGfHSQB/mvKfDQbDenjf33Y0y/AJPi2YUUPFNOKpc/RczX0OydPLD9+29Mv0FOQWLywO0+se43+cOc89EDdVHRX3xr+KSA5jp4l25iNxS0s0SSJKytgEShkYXmUlVv5Sl2doaZhIFhngalM2sr9WcmToYj1LmfnLlLnzllipJQl+rPSpKwqPSRdxHrwsf87w7XDdNilXCeGqH9RzMiLu3NZYULfBV1DYeq7Luib4H7szgtf4TGzc9rPvg1/xU3Ich52feXC/iuGqmHXB60YNGcJD7v+4TsDKod18mXsSux7y+A1A859xtpTER5hPdLIQ6iZpIjWI6yr98Tkijo0FneXzxJBjbB+1HDi6I0vIMbuGQaxB4OYI05vegiioonTGy+AIfnTYJ1lC3v3HXxJMbFR0aIl0sxrtUDsNhOr1sDrVWOyKIFf1RNqTPy5QAb+NLiOpNfhLwyfUNr4tRinYAEPyjPslrecnYPWBz5Ejwr417lqX0ONbp8DRcdKOHpVhTlSMovQ9YoH4Pe02NSeoNNXN1Qq96+rM4799TA8gTxupssTwFmvPIkb7OTXbaxVm4KtyvYlRESaLaLBJII7XDCV14RzhNIeYAe1LQ1T6+rwSH1Lfu0W1oYQv/LYfTrMdYBZC8Kx13hX418FbSZx5HubfibDDdUc4zSf3WgSDSIiDBSRgj6BVTwNKo7yvRp+EWGoCSQQQU+Sd4Jxq0p9XQhulw4THF+7dKndmgox+f809yzQUZTnzj/PfWXfm8dCQp4kmBDiJiEEMCwPQ6A8NYTwKAZ8sXNShQjKoVRtsUqpx0uFI2ipeBSVSz3qqY/SNKW0entyEa1SpNYG5HC93F71YK5WHslmuP//z+xmd2d2MzM7G9tm2YyZ+f/v/X/f93/zfyV8lbligtfHMsVFuWU2e8HYMVTXdXYPn9VhtZvFvji4URruYFVZCa9ijjaOdK0qwW2tYrtaAR+I7WTFkT2D9wSePig8uvPL1/wn31zys5//6c2dzL9d/Yv3hfmAHPu0eDTyBWF97rzfPi68VCOcBsVg4R9baXC6dFb3zsP/6QSThKNDzxwHrBn8eNyBG9uEn2cJm8sOPID6AQaJo9Qx+gRRTpWLvaOpctQ7GnX7g3/ZB/8yBveLQr0vrT6Xy5oVImjaYgr5SZJlrRbeul1sTlIbiUeGz4AvcxVJZYCR0oHa4QK1OeG3j8EffAAxNR39SOd6C8vEDz7fO/JB53zjrp1HqbdFaMM0hnai2OkaQiv27i6nKi+3ou6FVCXuYsjhTu+voztwr+YnFO74Be4FT4ZpcBcVTnmaduR09jAtKmb0OG2CgmO+B5/uISLdKJ34lHd8xjsaabs0SNw46HO51Xbo63bxQ5NwvDvEj8iDDdQxJpdwETXBfLuDt1tdnMlJW6MHeFqZEOLBQ9GzXlHmBU/RUI+Pt2+oL0d7e+g4S7b30mfm8IUz3wya/Seo7g19BbndD7of7PYW9g19thX1aYyZbazSbIw1OhmcY6TZBp9iFlw4M/BLmleYjYzixhF5qJsdk53D09keAlINmDu4PNLhpHJZkwc1qPd43LwnMi3UYHxmp1M8sTNyUDiQQ0DuGeqkuq/e23u1m6u6cObKO+x8DAnY4AZ3ISiG/pEAFYWh2oehyoIx+ORgEQc1mnDaQ4BlSNricvIuC23L4imLLYRM+0ORBqAiZKK5jRw5jt5ALvNBF7K+iKH2hZup7qFOcs/gnCt97EVwVGi6ms2Vgh0byNytZHaf8Lhb2EVmd4f7wnVCd19Mr3TcnR1lAdziGfkOirOq7c4+ePCzgT8x+35x9R129+fHP2e+M7D8F2zz1dWK3dmxBCDszdIp7WbIeTPgWXPkBPTt8ae0l4nEhxOF12Nq/5B6JbwwQmHB0hMjw3lYhiGXs5zZoTyrLZd2cmh8CwdCTo53bo9Q0uWO0LGhvomCXAXSLPXVFObri3/ZOsNz5X/D28UpOY939rYPnoWc7Z/ZOskHYwVLFIAq0lnV1twPeQutx0fQRhRjGzEx3Cx1U55MvA7XjvnELvIi8xTWXNx5leWQ9iY5//09CXsQc/770Hx6w+Au5uDAauYg+LTvkvtSn7Dn7FDw6NFYPfYRU4KFdjdcI9wOn9nipR00gxu1dMCFlXM4bLxDFPMTlVjGRf2SaIEpUYYlvAxRQ9SyK38WxoAdpnVXLl7eI2wB57kpkrYJF/su7HTv/LQP+pGSzkH+vgytfR/u0FIXHEdarBTNcibEZYioA2KaBVG1QVzt+ED+wPD/pd6RUW0Tv0nxeP4rh8Tvl/tAwA0CfcKi48Ki4d8lbRcly0UEguNcNpLKcrKs2YI63IoiBmkBp40IWUBq1iHOOyxokZkHvsDc38PkDnx6dbqo6jGCF5UBhLiSXhMOOw88Dp4jKZa2Oj2808qYLTxtNfPQcbMO6/WJGL2W5i4rq2eQ8S6D8Fw+Is4NSEj9o+zFy61gB1d6NTvGzHz8cV+4e8je19ctrlSnIQ9eR1J4bQNehyZeHi+uZXgdAnBNFmH1oO4GXiJk84ZIYLWhs5CtdMgq6WAj3pcrR/DYKbGCoIDKYZGVefaDbbO9zKcDYz0ztp56QbQv/c1tVU6yqqcK+Ca1zoQyuSt2Fg/B2zzJZylLmGVwfnQay55vOpNPI82DZL8E6b+7sIj3+AtDJU5XMe3nHJD7dqj/fo73J9d/NKMvCkGcFbh0BM8dhcbckmALRDj6Y2EbtgkxVMgjqoJjbNk+PsubzZvzCN4E8nhLbo6VRh0mMWwiVBELnwAVtvfQxm+/8r/xEHEe6ocoW74BXFKABVzqF15wCwehdboIrdN4bJ2qw49J1mkqtE70V+ckz4WSTktvDJYWE6GxxejQ9xyad+aEWMbhdObl8iaOd5hCjrztXUDai6nEbXoaI9EOVUuBBF4mdiG5Opl93xI+GEWA+jg8HqNE32Z66hIR6b3eS70XDgiHFJgO2J6eoYcjzdYhZq1Q4j/GEl89+E+xf/d+pAkHZZpQfXkOxvy5wZXYI3vt2iVy97BPz9AcSxPQoYdiI/PpQb2ZdAFy90Ahc26wmM4e/MxC8sfJzqHxwmZqggDdROrKLhjVjJVFNdAE8tC7EaOauPgwGqUBcXTQ2htuHZ5AjM9AVcI89NfnhOOgPT4mzLI57LQJBoRwYRFjQjp1TCjOGD6EQsIr6xMnVZgYUVSK42UUhdEqoigVzoVxzXswrkGd5KqJJcFaU2ElPz6ruMQ/xmK+bkLBRJuzCBRCucrLc5by2R6Pq8Pp6sLbNXAhRJt8w81V/O9Gnf533WINDQyqRNdHXZte8P5AC3VyaDx9TAxrtr5RdWjWRhztPC2FN8IxUEZ+/zjY9ZHwhVugwavDQc0HWXevfqArX5gbjXzoF8zg+/l7xRDn/tK9D0DLvx5ifAxijPZbJxGtwUYoPMWALyrmiyAP8sv4avN1ldk5LFNa4i+3WQvH5bu63C7e6eadDt75SJfPWsXbYUznifa+Rv+LhnViY5W4iE5OgoSYDq6agzViTDdAI/wZWgrrTl7dFRfWDQo356JWxDisG0s+JNFh6P/AW8N0ODW0MxrcLRf2i8Ed1jsxgovoHYrtFhCi5kWivgQ5gVEg1rw4j6gk0mPHZFHoVXP23cqETjXkReQFDe6iN4jeEOg8CzqRSzT0PnSHkM1dDe1ZFfYE8l0E7+oAVgtJc1l2PosLohP/uQ7OxIv+LaoF80fc/shShI0X50M9h33SYnTC7P9m8MwFc/jSZ72ryaqt5HX9hV7s2+cWEORX56RVyIM7TZaYPDneMblus8mX5ecJqP+A7fDRvC8r6IIhjtPakeUkZmAXzB/xxUT1bBB7Avhi+wSUMdAhKyti2N5v6F4Mi5WGTlh/M7DYHgSWa8TXndcI5JLlFvSJvn6hV3TJ6vbsce/ZA+mNaXIM0gTBNz1YOjJ8iDiqAczBXiPH9l59XQSQbYUA/vPSBVPuhTOXT59Z3Y+A64+QzVvYP3R6a92DkHoPxvDLByErZt0ujrYBAjprProDLY62YBa0aXazrcPm4G0RpsVCJvlwIAYudIY5YiBcM4WpV14VoeKWg7eELZfX/vaPpn0wLgLuGJiAs08QOt2dQhhK9gK4cvRKK8oXUh5gC14xgsRBKPMXsIcL/Q0rlCYbklwouA4ouXaWyaLNUHotpOTfxq7qDZLmMtK3O1wNtbOGfJ96GPdemkP2HAQ9x0FPn/C2W3i7L+Z3kYcRj2oMUR3MR07VGOhVAZ8/L5tkoWuVA6HJjTpXYt+JmIgxZlGOQCD0DDsSxVfOiq7FY5FIUsnlktwL7FVIciXqWh7RFCxzQ3XLc3V4gDU3x0J6TZLO+SBg2Qlahxk4HG4raV4USr8oVPOvvHPmAld1tbt3qCYCY6IuSgzF0a7kA+wTOXlta5wlqh68LeoNH4RURXUfxXkFvL2C95TwHnseRQUIvioAvVZLFfJaLXTIEuO14sK1WA8ZVQoXwE8TVSt25LSTJcXVJHr/j4t3nSet2ri0bXPH+rnz2qdNWTz7D7d2BB+eunTx+iVrNq/qbJt967qg3OOl8seWVpfmlpTkdu1qhr/Bn/x8UuRJKl+HqsUWV/REX4V4LiVagjUVC/kChg/M4SfO40sIvqGJbyiZGCioYJ1eD+/3htwuv9nh5M2OkN8ccZ0rRUdPxFsqIolBzyejQ8K31Dm4mhIpMx5TKDw9Hmc5jdruWnH7gpkdy757Q1vnqs1rVnS1rQg6qrPq8prz5y2/Ibh2ydz1HZvb5u1+uC64oq2LrIolTL+cgrE/DPeMx4dICn+fNg3+g+Xh2iy6gp0P16WyYLYJoJqIHUkcFLxHkeOJZGNqQc0jgz9B6y31HrnoVLjvKKgG/cfBnj7kWtzBVFy5gvhwbRb0F+ZDLW4IlnJ22kU7GN6xowvaXbMVeZ4ewHsoWxZJQ6vnNotmJKdRdAsqo0EyKBmel8KBcrhk6I1T2wZvwg4PS7af2kE/Jq7yewfOgGzSFIFkERMU/iy4UKe7cC44Qu2j7iD8KEozu3hzVjYRorNhnB5CqhvJx7gacVYR+fCIlfXoBT9Wkm6fL5y7+8fT7tty37Q76PHhR2edbLyn657GmjpwpPmXv5u+ZPrqgu59s9pnrV0eQB5iEEcbzxDXEzcQ84lg8DoiwFdPnEOEmubwuWNC43L5Ei8fnFUyjp7Q5Olip/DWLDY0IYuf4JICuKgE4obIIL7wFQojLobFzeBKIi3iJjdMJmojpbKxu46eQmpyg7NIqjO0RQtin+zZUJ5318J5u3fP23IC0AuffHLhxCl59eCGsFg6myeVyTqGhmbcMQfsE4tnQXa0UPa7fz589/dw4znUf27VnR8CINXSHo0UzQq5pL9gvhDAtbTIJ5oD7iJ76G4chRUF3ajfVk6HycF7Kd7kteWEbJJH5JdyvBBukRm1PmcR5oXPhyph4EBPLdv7+N5lh48Ljy17as+Tbb0nmC3kywHQVV5XfqIgIGyF30cKhGM4CxxeLfkuART5+X18mZUvdPKFZX4KTKrhJ0wKXR+YIPZTDE3g+Alx1sAtWUExlEYwRKweV46EhRL1H/rocXF1cN2ts6E6b7plyfrFS6c+HOy49Q+zF0+Z1j4PKvO9y5ZuXDUpIc4m8/NFnW3e1SVp7Nh8KibURtlFgPxRP4w8SoPZWWN5Vy5PlfFcEc9RrizaWxHyeVGteI7UuBFEpAMZ7GgjwSLJMEVkCI4aXHD/Q63TF06bdnNw0X3rGx89Lpy68ac/vXHqzYtuaW68/0cznsFdBquryxsbyysqcK/BiorJLZPR78hnqAJ3QYl/FJ/9Ni7ogYrOWVFXRrgUkgyM0cSGcpEIGvXdKvKIuXthzz73+T4QBPbn6O+HK6iPqHVg59AL5ABqfYn3BUyDfde+oFtw7ZpYvTiTWEisIG4nlgYDTTfwLU2h6TNmNXa08K0rO0KLZq3ka2d5ulxOnnCF3A7WNobgy4vGhCaidzhwdWC0f21jZWXcRXzNICpUBuUgsvsaexZ0kVIDtByQA9i4o0KTPTKULZU+Uo90PlkYXrWaumh/cTu8HrxFqoWkF0m/CDZ0K7+3iNq/Ojw260XqcelR+a3DrdPWrxxqu5/8+MEn0MWhZTe2tLW13Lgs8h2+Dt13+wry6S1DFQ/slVVXDldZAmL/tS/ppbjD6bigy2YlOCfPkV2si6ClF2CwgohvvtTXQafAVejyQrWorytzeVnw8GdCU4Cc+/vWduHiTtexPzjpKuHOd481rf3JrwrCd9+2Fc7QS28C/8S8jTvpFaxpam9vgh96E/6CH1TT0Uv+Xro74bRvSunZJtkYwneGR6OIXmCNjlaSfLyUY6eaQ1gwPBuNZqP+EZ1tUvx8RSrmpm6S5hp6b0QgUgLDyGCZpg6aZOfmJocMvJn4l1QwKsDKKsA6Nz1oi3RCHv0v2lAYlgGO6L3WJsPlZuOw0cuTdLmkoF6mJLjekhls0+apUVyW3zMKfFdnJVLgqsaAqGI70lcFXNOzLjqx04dUDDIZ4Vuye/RgplNWlWQ0A3xL2xrpZpz+FU47dzTxQmlVSIPy6a3NyTmgDQWjNMa4tTtN2VJn1TPAN23enibrndpqMwq4aPdPNUGvDegYYA2iu35N16nxSjJkCN11artmwo8Uw6iBOxo/qVmuUwYGI9t4zWvXyLApEE+V669CZtNaaTVArmDktfp4qqy8YV6+Htx08klBRTPAOY36kMLMa2TciNZGs+UZGXptQGuMJNLyKtTDrlGaFKTIEMrr1XjNpB/BzmuiriZaKljOESmn1YMcGbKUFjLt6Dcdj1cD7BrprEdmtXq0I0OfylikJDyNYI3J5aqUWFXQqQNKkzet1ScdETaV3FbgMi2DVV0e3EBdjyEdhTL8MdCo84WT+rypXFyEedxcKjPyGnM2anIYaeQr0sgCqiGSnFmGZYq0RzAyyHVmqzOR4UuGjUZpkWH2r5fh0x7xy7DTJ3mG5CuM2C1RA3Z4bxTYDGRW097t0IaCwXTPoJ2KIbveHVeNUqFyy1U/5YzIqI9mjk1VVGO0zGYoy5bUEzJGapNm2VJ5ZOnZYjVgxSiRIfnJDOyjKNkmnXQzUN9jrU9KT1ZHritVEK87M6syo6Axk6A/25HsHjWwacxrGpRpSpOradPayFxTMmunBn65XVGfa0qltaOwpxCrtYbk6TKxp6Bg8HRSzkidjyEdlWCBklfnpcocqMwYaMlajGhTZHOrzP/pzvhoshnJoRuVnM+INkEGXyqVS5bzicvdGV+HmRAV6Ml3pZ/bVtBgKgGWDOhMDOpkXL2rnurZBP8mub4bkamLmUxDJKc+WtIbJWnL1emLhgyrW9Gc9dHsJ2iB/VuoL9KKj26+/AtUGGn1UzThl1xRM1JjlFSPNcKvDWz9GRA18GqVrabEv4xSBiSpx5RZm6Wh0khVllFPLJ+xnKdxmTs5iMbk7fRZxOSQa6KyoVk77d6HCiuXkuzfVs5uGCgtVT6jmrNTAjFtuqWds1MkXGqfVkduKs13wozKLRlVaZOJ7EJma23S8f6My9oZU21jYFbMoHob7ZJrQNZOZ/5Fq3+Wbt4unfxLmlZHV9WNutydugyVUsJALe66KvhSWZPU67amvJ0mq5EcNlV0Si9rN6JNkEEnV7mUhMtUzk55XR7lnF1KlyVjOTtF1En0fnx0tuS+kcwHkrs86mvrVMZ5KYvr9ObsVMb3cslJZerSiH/Ve536qtOMzj3oq0NLs/4sQ7kH9ZGSrgqztKsv0smNZKL+QpWHaFTeJs0KjAzpvK4dCt32TsO+UubkJv0cwCjIjWFZAEPlJmkWIPkKrz23JJ924Hx0Mp35j7TznMMg6MBbt77EIC6e5aPs2aSOcxQP81GduUkdgcp5pqf6QJNHqMZtMDT6VeMhqIBuVKJf9e8dJn60VR9kOOenYZ3IZM5PawWCMXqTWIGQns7HVxxliHO6olDjOac/Dk2Hc8ni0Jh4X0/tSKztVx1Da803KSxrZNxcumQuBnQgnkBHfZ70vDry98N4ShU3+G4tVBseIzaG1bXGqfFLkq1x6VYUa/NnR6oo1nfWg8H+bCoghzllUD1xOnTVS2kF3U/rtIeM8iUDxz1kgncG1txoZJ3xteD6am5U1oIbRPsM1dxofd/S8LcgMmCzNGRs9VFYFT2VbKjumEa91ZTBpn8zWqPkjnLdjda6Q0Non3bljdo6AAPiSS21NyPEk7ppZ2j1jdrcvAGZjLR1XqECR/KY0869DTvS8mkj9i46V2Zyb6lAkGlcDCyjWGOoBkS5rYuD9duuMdSGgsF012npNJI9oqta5VWbnUsFlNzKaaebAVZOHYhp002jNqkkXGoLpyNvpJQrUI27Kjokn1suNKqikeRSo9mGjAybAoNUmQadlFOZa9QIVaTeRllqNNfbKE2qwdIYU2+TGoh4zJPpi/Z6mxFQV7krlareJp5r2s8AULWjlsTOpXs6q6Zd1JQJO+NPPNRXcZP5zMMoVNyMWubB0IobDXmHdN9jTzfTrKXi5lvLNOuouBkFnVddcaMjq6Xi/Yl066j1Sk76sX+aa4EBG/FGVPHrlJ6kvrH2PU1tO1zxb5XryX0YkO9U0mRdu9kadSdWVyVPR2lvMjWG8kBHfdZGJewp0zZa4rl0tD4TkbDhOp/BWDgNjdcQCyf37Y3I9sm1fdSzfSl0PYP6kqDpMdqpoQJCsQwhJezqx06Zv9AQi6aZPTE0Gk0amcrml0tssmg0JurXUz+S4J2pi6RTxvEKFFMQcTJuLl0yFwM6EOtoyIakVTfAKpP3dGL4dM+1io7dlHwOPVU3mmJN2dzG78GqqiXVBltG92C1wquRrqO6B6tKFrTB36QTak1v6I3oV8jgUweWljhMDTzqeC8zi4ZHYZrOAtar8wo7FBnIWhqYwdAfw6d8r/VfJfuj7oSU0c7+pH6XOmPRu2JF8mhH76nfYMpc9K5ci67Sp08Vvcf79Nr3JFXFIwbuSeqP39X0xNK+J2lw/K7OKzBgP1dT/J561dcVDamJ31OdFKwGd0Mi+NSrtq44WKPOKGg8joE05euGQ6NYfUewS2OlnXeRzyDnWnSuzORdUoEg49nIeKvkWUrEI9G7EsdSn8lhVRotJex6Mh8KsyTArixtqeN3ReAB2RM9xYJQpO3wegfnJnuS7cGnjBcUt+AJiuxRF7+nHDvVHBp2pJJWaqiZOwP7UWrgSRkHyWBLJw4ie/TQThXf1PFPtTdrTN5H/V5UBvM+ivnpBE4YrzNx+ek4DdWj7wpZTuP5picKMZxvI0QhGeJb0hhEzZuVqfKsMW9Wqo6gNGcdlM46IOMopUfmYt9nBeKKJX8rNPp83FuhoryPlNWXzZ30rVDt9XHJZS49H9wgeVftg4tc1FYVmVTeVXjgavY0UsXc8rfXMxBzK1l0Mo5SemQu1sYCUYLl+zHR5xP2Y9T4kqkiF/l5Ddr8YFU+vKIfLNJtJB9eRjdlHx6IEQHxI0Q3RsmPPhy9WaIavjcn/u7UmB2WYwFELOTzRp+OPnTtGthPfkwtYB4lWfJ3BAGvHxcWkMcJAV4/ia/j/k4A8CplozqYo5AzltcAxQNiUmXN9QDUUuBVYH/2CcpG/mpo0bVrxGH6HM0y+0mW+Qo+RwKCPk29ypzH+NnfcBMsbyOISYHKAHw6GbbXNSxe3DBl0SKhVPqFPo2/pkiX8BtCdJI+TZ7FI1teg8MSIkQx45DtsscRJkX0OfIAuxpjQoDIc1StB3xy9BQEH2wTHkL3fUifo26W3eeBGH94+NTRyH0k8Xd43zv4Pg5iyMBb6SiG8O4i+CGXP3H28FA3/Ed8DD8KgBs++TR8kiWcbzI0LU1S62rET3pKyjng7n+p/1RXl/jY+fNEwlMUw0hPBdyNGIucBjgdiZ451Y+eOn9exMYC+fACO5twEc5fZxE0T5jxYxE+1Nf6vNm1gcn4F0i5A6+8cvOChTe98gp9+tBTlZUr1q5dUVn51CHEUZ5+mWpm10C6ewhP0OKEHHWGCJs4XAILygP1dSXFPi/ZvvEHP9iIPh0dHfTLG++8cyP6bLrt9ttvQxrzOX2c+g92PpSRMUGnl+IJb8hkDTlMPOEIieOikT31dbWBnGwIJwazpHh8+Xg4uu/zkzfeOqUme/JLPeOWNyytmE8fXzJw/dicNdOX9OcVTFw/Hc0gyWU8Nz31Rb7D1Gr6XE8PotFtkLIcux9C4fy1yc4TplAO5iRCCqI0ub4OTseVTxaRs5M+H7g0ub547Lza2eM2zVyzsbS6lD5XWj+jrshfUHlf8QR+ec20ibXlZjT2F/QR8iu2TkGavlj5UoA+EpG6t6gHqEeZGUiW3gR0CBBY1dC95Q2T62udDPgmMP23J4XnqQeet4z7SnhoKnrqpLCaPHttPdYFluDZ5LogrI7VhQNCIXn82iZRq4mIViOoDiw8u1koBK3CS8iykEIhtY24Ho7vC1rhjQwImRjeBOd5V+R5PWJ0Qw4H54LW9NnW+wteEgqfaJnzZdmG0u0fwpn2C+2Umygk3IQ3aLETvNkeMrFmNzGjtnZYaBrqG3zFrM9bG2jgWPLRe37QHOzn791UMsk9UWi/fdX829zNZGH7knbrYTOyURHbwjKnsc2KWASW+Su+jmg6y3yEryMazTJ/Q9dRzWWZj/Hfo5rF/D3hug9fR3SIZc7g64gmsMxZPF5EilnmE3wdkTmWOYeuo1RkmQuijZVowjL/g2wlIbBV1MvcFE22siLRVrJVSraSrSLP4pFHspXDjyOt+RI+99/c+ASpLSvKAV8LYeDvY6sGBrCthJC/I7uvoYgBH/YBvxAW7yOJq2wVvRDfh2wlIJjQsK1sKOKK4Ifc/Qzw9w5tQv+ix+CDAFBw/F9zNYqWEtQCZCkpQL8E6LPbtrFVgBbCu3Yh+BFFfyU9l2grAbKVSLTD8KGzCEZA79olhBE+FWwxtYObQ2RBS0ATlhDBxVnLWtFW1iK6/ezAK3NuaJr9ygG2eN/OeUuXztu5D1tJ5n2qmevUbyWZ9zvXretEn00rV61aibD5K1tA/Y1bR+QhK5kNrWR2yJwVckJL7ky0ktkJZhLbyb+enLBi6rSmPGgoi9fMrGzxz2cLAgP5Xu+4NQWB/sIcR8H6AjQP4ubf2X/IbeWHFMtWSbaSuUrN5jYQXoid2WrK4i3QXGLiYiLV1zUge4nNZW0A4sixPtI7q7zwpo45s5f+8r8mz8xnrvqKJuYVOWsr7/vOc9MXj3e50biP0G9QS9jNov2DFgmZwHj795vA9HePCc/TbzxvKf5StH+XnyE2UMeYXGIp0RKsmWPlp/r4mgK+spSvz+NnOPkZ9ZU1U+ewYNFivmVRaMnSFg4OzYFQC8e3bO8iEN1c7sbGykp3TmOlRMaG+iaqob6aLCm2ww/6Zlnx204hkjYgAjeRtYECMv47Ozunvpoqrwc+9sW/bJ3hCa67dXZb56pNt7Tf07YiWPfjPfOW3duxfu6StcEbls8b2+yvs090BFe03dN+y6ZVnW03fHfZ2uCC21fcvWzu+o57ly3duGqSd/a2D56lujf0z2yd5ANVZH4+XGjgz7Rp8J/ckpJcu/8ZjhH/W/RnbD5VRTqr2pr7hz7bCun6CbRlWewGhfXnk5Wn7oKewi5hA7L0HEtTOVBjZPeRXMFXK1kaVAmnFGxp5JpkWYZA8eoO+jQdwF6RgxgDVw1LNm3hKcBTTpqYVCupEhw2mcsLjv/o1BPCQ5JVIu+IuHLYEbLITByU2iFonV+D1lmFzr52qKdl+Yrmnn+nT79xZMv37r73N68j2SOg1r+qTuufe+OtRXPnLnrrdaT17bNmtUOt/3/vLPotAAAAAQAAB3c1w/mIN9tfDzz1AAsIAAAAAADYz+FlAAAAANn85G7y4P0SBWgIsgAAAAYAAgAAAAAAAHicY2BkYGDf+U+BgYFlw6cHvzezZjAARZABGzcAod8GkwAAAHic7ZhdaFxFFMfnrmOVPmmJYuMHFhSCdLEPfpaotUYRu2goQYqIDbIPMRgJGmoqWBINmIcgJUgQWWgeQlkKwoJF+tCK0CJFRKQ2KG3F6IMvLRHa6jb0ruv/3PlP7tm79yZrTOlLAj/OzNwzZ87MnDkzG1sxI7Zi8teQB8g06M1gWul4uVpkjTkBnqQs09fyf0D77hlN1Ldat76fNFP37YVrxHbi696nAuesGc1ggvrdKSRt/B82g7YUxP+NLTCVIM+98es7yvasWFgNbiMSG+MZiN4e1SdLbyV0LeGb+IRYrx+zrZ2Zk4n6IYVu35XBoI3PibEN56a+dZk1Wk3a1NjiVzKGSxl0kc4UsvqsBPHhuRT6waMtkJbrLnLufo1L/LbXVqpHbOXSzU7+/YetBHeBHNhk3Znxdg4r7kmMcSfYZhvzmT/H91uX73zemFB+dds4Hn1u8v1GVD/RN6w/TDnKfrfaxvzbRrvPu3I9pH/ers8PeqwyffO5oZdzzFNP6u85vaAzxnTYxtiSub5j0++Gp+i334OyKr+i9i/PvfZzHySfg6Nch0Ha28W9FBtjtvFsit5bYB/LYvNBNa6Pdz9WmX11nPh4KnENZH4v2cZ4Fd3dlINsE7nTxmfd++Hj6bAqT9k4NrwPeRvfkUXbGDdT9NvvobrP6vVsItsbbXzfibyPfh0EFTXvD1h+hvNZBz5We6VzlejeCF4Gj3M9+9kuvMbvnnF+L3Bcvx9D3Dfx533r4lf2dA/Xc4hlyADnNcB4wRMAaxFso0R+Cl6n7Lp+etGcdxJf9m8O1IMTYDKW5hGWT3C9P2N9C2PnSzDMWOhzBOshv4WU+PoecsjVzS/gR+oKkjs7CNsCGeMr6+40yOCgawt8HIqtC26MoB38bithn8uRgpR9XcsQ6xEiHmtvQuJ8hj+jjDhbuAwd2LsCH2rDze1Sj5hD+7j7dgW+hRbfeyDPEdgOb7eVq8hp1YKTQjR2T+xXKlsc1RGWsV/VM7Hvi3thFD5P+3eKxKTPu5IH5K38onW5spdrbbiGA9yzQsKm4fmdoRywcS4y7oxG+97v9qou572LvhUVexP1Sfqwj/tXTPAdpX8XiV95nucpnt8Sz1jRxaS5F8j76A3wNef3NNuOpcxrBeSQw217XM7SSe2/g+iyIuqX0t6E4ZrvyLBPW4v2lppTd1wONifKrfhCRL/lPv6N/xuRMYcpOzPqRrV3KvkhOE75Q0p9GV8kXgXJG77s67otqxzVxxy6LWqfb26XNpPSJ6knd3ekI/rb0/WXs5GF2Fz0Ra+t93m+WbfBr3nl13zzPJezsaRv7SltWes7lj1Ow36NZej4+UuOkbfFswrJc/4thvvBPKZ02hV3g4f4Bpc76BZw2WHOsb9I+c3kf4frM3kauut4dyFfB32uHp1Beb8eABgjeFf1S4tlbfe0sxXZUP1DjFHDfVRDPq29Db6xlb+gt4D3ysKn/Dbg9ORu1PdlVOb9lmyv9qh7Ve7KF1J0jtDm/pgQ639xzt2FVdwv4Re4R9F+aY71OyD74u+R3f2uz6KNQsLuDOsz/M5vYkvKMvfwVd6xyFdXZW9KXLeTa6yxxvUidzRGtyW/L/VtpX2j3xOTlPLb8pAxgQGnwCYwi8pZyA1kPehH23kgukVwARxnnwPG5HKQJfebJzhlo//RBLOwfRZyA5G8L2/n8zb6PZmTe6QEm/84O+ZPjr0AeQPbOzj2T2CWY3+EPDcN+SvGvcmNE401Dp2azAVl/P0LwMzxwwAAAAAAHwBNAF8AcQCMAKcAwgDeAPkBCwEnAUIBXgF5AZQBpwG6AcwB3gHwAjYCSQJdAm8CqgK8AwMDOANKA1wDbgOAA5IDuAPwBAIECgQxBEMEVQRnBHkElQSwBMwE5wUCBRUFJwU6BUwFXgVwBbIFxAXmBigGOgZMBl4GcQaDBqgG4gb0BxcHVQdnB3kHiweeB7AHwwfVB+cH+Qg4CEoIdwiKCL0I0AjnCPoJIAkzCUcJdQmjCccJ2QnrCf4KMwpoCnoKpgq4CsoK3Ar4CxMLLwtKC2ULeAuLC50LrwvCC9QL5wv5DAsMHQwwDEIMigzcDO4NAA1SDYMNtw31DjEOQw5VDmgOsg7EDtYO6A76Dw0PWA+TD68P3Q/vEAEQFBA5EEsQXRBvEIIQlRCnELkQ6xD9ERARIhE0EUYRWRFrEa4RwRHTEfISIBIyEkQSVxJpEpUSuRLLEt0S8BMDExUTJxM5E0sTbRN/E5EToxO/E9ET4xP1FAcUGRRuFIAUkhStFMgU4xT+FRkVKxVHFWIVfhWaFbUVyBXbFe0V/xYRFn0WkBatFr8XPBdOF4sXxRfXF+kX+xgNGB8YYRjAGQwZXBmfGbEZwxnVGecaAxoeGjoaVhpxGoQalhqpGrsazRrfGzobTBuPG8IcExwlHDccSRxbHG0cmhzXHOodIR1BHVMdZR13HYodnR2vHcEeFB4mHnkeix7IHu8fAh81H0gfeh+kH7Yf7iABIBUgVSCYIMUg1yEQISIhNSFxIa4hwCH0IgYiGCIqIkYiYSJ9IpkitCLHItoi7CL+IxIjJCM3I0kjWyNtI4AjkiPiJDkkSyRdJL4lACVCJYQlvCXOJeAl9CZBJlMmZSZ3JokmnCcGJzInaCetJ/AoAigVKEsoXShvKIEolCinKLkoyykQKSIpNSlIKVspbSmAKZIp4in1KgcqJypWKmgqeiqNKp8qyir+KxArIis1K0grWitsK34rkCuyK8Qr1ivoLDEsdCyGLJgsqiy8LM4s1i2yLtAvTS/MMBMwRDBxMHkwsTC5MNEw4zEAMTwxRDFWMWkx+TJNMnEygzKVMuoy/DMlMy0zNTM9M1ozYjNqM3IznjOwM/Qz/DQlNEg0azSXNLs07jUkNV01nzXeNeY2IzZjNms2fjaGNrU3ATdRN4M3rDhBOJo4yDjQOQM5OTlrOZM5mzmjObU57Tn/OjM6UjqfOqc68js5O1E7YzuAO7c7vzvRO+Q8cDzCPOc8+T0LPV49cD2YPcQ96T3xPg4+Fj4ePjo+Qj5UPr0+xT7sPw8/Mj9eP4M/sz/mQBxAXkCdQKVA6EEnQS9BQkFKQYhBz0IgQm1ClkMoQ35DrEPRRAREOERpRHFEeUSBRJNE1ETmRTFFhUWNRiBGdkZ+RolGlEbnRwZHDkcWRz9HgkfNSAVIQUiGSN1I5UjtSPVJGEkgSShJMEloSXBJeEmASYhJkEm6ScJJyknSSfxKBEoMShRKHEpSSo9KyUr9SzBLXUuUS8RMD0wiTDVMdEy6TQtNQ02XTdpOGU5HTnlOok7UTxpPVk+CT9hP4FAVUE5Qk1DOUPpRKVFvUbpR8VIzUkVSWFJsUn5SkVKlUrdSyVLbUu1S/1M9U3xTolPXVCVUUFSRVNZU9VVPVZRV0FXZVeJV61X0Vf1WBlYPVhhWIVYqVjNWPFZFVk5WV1ZgVmlWclZ7VoRWjFaUVpxWpFasVrRWvFbEVsxW1FcFVyhXVVefV8hYAVg9WFpYpVjhWPdZTlmhWhlajlsrW7ZcJVxBXFVchlyvXL9c6F0RXVtdpV2uXdBeAV4OXmBecl6GXpteyl74X1Vfsl/PX+xgDWAtYDVgPWBQYGNga2B9YIZgj2CcYKlgtmDLYOFg7GElYVthfmGgYa1hwmHdYgNiN2JVYoli0GL6Yzpjc2PbZINkrGUYZUBlTWVeZaNl8GX9Zi9mPGZNZrdm/mdPZ59nq2e4Z8hoAWhDaE9oW2hoaMto12jnaPNo/2mBaipqmGqlarFrRWtSa79sG2wnbFRskGzBbM5s32z7bQ5tF20fbR9tH20fbX9tzm4ebp9u+W9jb75wGnBgcKRw1HEucZRx1nIxcoly1HMHc1Nzm3P+dEJ0rXTvdR11YXWIdcl2LHZrdnN2e3aidqp2zHbwdwd3LHc/d213qHfGd/14JHhLeHt4rnjWeON5EnkpeUd5nHnBefJ5+noCeiV6T3pyenp6hXqcewR7kXu5e+R8Dnw3fHF8qnztfPp9B30UfSF9Ln07fUh9VX1ifW99fH2JfZZ9o32wfb19yn3YfeZ9834Bfg5+Hn4yfkJ+U35hfnd+h37Vf2iAj4CrgNeBDYEzgVmBgIGmgbmBzYH4gh2CUoKHgr2C84M1g/iEM4SIhK6Ey4T9hR6FQIVbhXaFiYWcha+FwoXSheuGAoYZhjCGR4Zoho+GnYazhsGGzobjhviHBYcah0yHaIgsiE6IcIi1iNuJA4lciWqJgImViaqJvYnRie6KDIosikyKbIqBio+KpIqyir+KzIrZiueK+4sPiySLOYtdi3GLhIuRi5+Ls4vIi9aL44vxi/+MFIwojD2MUoxfjGyMeYyFjJiMq4y/jNKM840NjSeNO41bjXSNjo2ijc6N7o4PjieOPY5TjmaOd46Njp6OtI7NjuGO8o8JjxqPMY9Lj2WPe4+Rj6aPvI/Kj96P75AAkA6QHJAukE6QdJCCkJ6QvJDKkN6Q75ECkRORIZE7kU+RY5F+kZSRqZHCkdiR7pIIkiSSQJJckniSlJK3ksiS2JLrkwCTDpMhkzKTQ5NQk12TcJOMk6+TvJPVk/GT/5QSlCSUNJRElFKUa5R+lJGUrJTClNiU8ZUHlR2VN5VTlWqVf5WUla2VwJXWleaV/JYNlieWOpZQlmCWdpaHlqCWtJbJluyXBZcflziXTJdgl3qXjpeil8WX3Zf1mGqYsZkFmTmZg5mvmcaZ5Zpamr6bHZtFm7icHZyAnN6dG52EnbWdyp3pnf2eHJ5DnpGey58gn2iffJ+Zn7mfxp/Wn+Sf8qACoBCgHqAwoD6gTqBqoHigjKChoLagyqDdoPKhBaEloVGhZaF9oZWhsqHJofWiCaKvosyjNKNdo2qjpaPVpAekLqRVpMmk1qUgpS2lPqVPpW6lmKXPpgamUaaXptCm+qc/p0ynfKfAp/2oPaiCqJOoxqj6qUmpjqmbqfuqB6oYqkCqdKqwqsGrOqu3q8Sr1awDrD2sjazbrSStMa1vrbmuCa4arn2ujq8ir1Kvma/SsF+wm7D/sUuxerI3smiyaLJ/sqay3bMjs3mz37RVtNu1UbW3ti22lLbqt1C3xrgsuIK46Lk/uYa53LpDurm7H7t2u9y8M7x5vNC9Nr2MvdO+Kb5wvqa+7L9Cv6jAHsCEwNrBQMGWwd3CNMKbwvLDOMOOw9XEDMRTxKvFEsVpxbDGBsZNxoTGzMcjx2rHocfnyB7IRch7yMLJGcmAyffKXsq1yxzLdMu6zBDMdszMzRLNaM2vzefOLs6Gzu3PRM+Mz+PQK9Bh0KjQ/tFE0XvRwdH40h7SVdKc0vPTWtOx0/jUT9SW1M3VFNVr1bLV6NYu1mXWjNbD1wvXYtep1+HYKNhf2IbYvtkF2TzZY9mZ2cDZ19n+2jXafNrT2zrbsdwY3G/c1t0u3XXdzN4z3ore0d8o33Dfpt/s4ELgqOD+4UThmuHh4hjiX+K14vzjM+N547Dj1+QO5FXkrOUT5WrlseYI5k/mh+bP5yfnb+em5+3oJehL6ILoyekg6Wfpnenj6hrqQep56sDq9+se61Tre+uS67nr8Ow37I7s9e1M7ZPt6u4y7mnusO8H707vhe/M8ATwK/Bi8KnxAPFH8X7xxfH98iPyWfKf8tby/fM081vzcvOZ89D0F/Ru9LX07PUz9Wr1kfXI9g/2RvZt9qT2y/bi9wn3QPeH97735fgc+EP4WviB+Lj43/j1+Rv5Mfk5+UH5Sfld+WX5kvmu+cL51vnz+g76KfpO+nj6qfq7+un6/fsY+zT7SPtp+5P7m/uj+6v7s/u7+8P7y/vT+9v74/vr+/P7+/wo/ET8WPxs/Ij8pPzA/OH9C/0//VH9ff2Y/in+Pf5R/ln+Yf6a/rv+3P7c/twAAAABAAAGDACUACUAUQAGAAIAEAAvAJoAAALND4MAAwACeJytWMtyG1UQvU7CI+GxoigqxUKVYuFQsh2HRxVkpcjyg8hSkOyELEcjWZ5ElsTMKIo3LFjzI2z4Cj6ABR/AR7CgWNF9uu9jNJJjDOWydOfevv04fbrvHRlj3je/mOtm7cZNY0yf/mW8Zm7Tk4yvkcwPOr5udsxPOr5hPjW/6fgNUzF/6/hNs752W8dvmR/XHur4bfPx2q86vmk+WPtDx++Ye2t/6vjdYPzeh79f+0TH75svP/rL/ExW7pt7Ztt8RaNDk5jYpGZiMvo/MTnN1WmUmik+I5pJaDQ2m7RSMyP6q5gOzQ3NKa1leBrQ94CkX9JnnyTrtC8jvRE9JfQpOvu0yrJDMyMtEcmzD9v0t0kebZNPD0yXbHxD/w9KOqyGjQUdq21VFiSfwMdM46mUrP8fFhMgwnM50OPZM+x6QXOMMK+cQnYZ9kM8zwh9Kx3T9xk9R+RzAqQ3CaXIPIeVI3NOawMzR7Ze0GoN1iTCh7TCGeNM5ST3tdmiv0x356W9m2ptmWcZvJqStgRZrtA8W8nBjGfwuoJYz+l7BkZIrIKJlea5CeJKSYK9GJgqPfchNwXG55jhiNnOlCQT3RurloE+R9A9RWbPSCrHGu/qwQ+L9QgR8S7rl+zIgHNamjlxMVQvlbcpnvu0J6bnKvCSihC7VWdnMYIEmZoDp5g+l2M210hZOqZoZmBWfyn2vGeE0TrJ36Vv5mBPcVmmXXy4KrZeex+ahjSXgqk5Mhe7HrIsAmu97NeDgAMcicSSw57tTqxfYu3TzByRT1B3F3EvKrBqgLxM9FOikvEMVTPDTvbWZtPqOUV9TS/kqPTNsWbGa7cVkijKzB/2twekJbe3aOUW1bjgzFGMEN/c4VzkdRW5iTDuKxN8nrrmwDTpu42c8squw2WxPtZdz8hc14gR4xRdfxN9dETfjNuQ1tukrUkZksr1nSJzaJXzIdgIbyxHIpwwF9Wr5XnPoTJTlhTj3YPWfVrtKSOnqNkE/qTQceKqv8yVMgZD7D2FRtsrt1AbxX6whdMhPCM2IM0c2qK9nMMedkaoEo5ti9A7oJOkYVqUqQYhafP/2FVgFpxe4q2waaAVOURNjJU/VUTDq4PgNDlF1QyVLbYehJ9TPSHFAvuY01qCk0f4Fim/p8rnsC96NnUVhzlshZZ8T+W4uQdIr7c6q8jvIPDQdxdZmwDRE5VNsZK4XtNDtQ4K50emp2C4255hVoYZVF4VryyL/020GTjynJ7ioO/kF1SydI2wEph1woBtdL4W7U2CDvJ6Tyo0L/yOXAc6AXdy14vZIvc1Pruk9uyNg7VKD8sQk/TpNnAe4knkxcJhCb3ifSvT/IW1mwEHf6KIX5ytE8f++4j96lYvn7dF73raV0aOfavY5pm0pX75yOaaM5+DbAlfpP9LHvw5HcFPviXJzcBXnj1jpDqzIL6IvJrgJu7lU3dfF0bk7hyz/Pf9r9h5uUPL+ZOpxggs6OnZtXiWFxkqN4gMfrKdDeROeCU9/RV8OsFZMlCOcH89w44NvSP2EdUIu051RrJseeDvEAN3/qSIPkX/zV1+Y0TKHizTzr0n17kc3U6YxbnMgmxaezYC8aKn/LRni43KIiGxD90za5ooskU7RZwHkLc3nZeQnC+9i8303mmr5zPtHJNL1MpVKiW859s3rvBdMNTSoj2M7zpJ3NWeK/hkiPGV3hliYMxYp+7WOTbhTbR8DhZPvkVUYuRH7qRT12clE/UlNbKv1StISgWIneX32vDOvfruMzD2nngWcMSiM1Z0/L07VSx9VEVdNteZy/bnwNXeF8cLeBez+7q4/a7wrKmh451idrnei1iToafJWSx9yDJ85u6sEqNU7xlk7D1gjDt+qoyz51ofTEuRi8z1tPNL8L2qrItxMwzfDmJ6Gx7jdJbePyxw3PZefwKIvv+Gc9iJVyOdFk4UkU0we7X6scz5osCci+825XvSRN9oyncof2+YQoPvlf69dwKURfMM1WVZseqslZpI4NFI+9BY8Vx9loV3Qm+pyMNVFkP9/i7lT7pVp6Z0jO9pv3h7ZuzbtX3zsB3A9wqRixShy0Qmb7/Sb2w8tg+dB7weuzflGGes9SX8Laav1Wj74+vr2r+n7tN7C0u2qdcfQZLfCo/MU2JzB2sHNFehN5oOrTyhpx2a3aGZOyTR1fU7yNRTGrPGtjmGLtHRoU/W/cxUoLuCZ356RPIt0sV7G+Y72GiQti4kO9B9SLP8ltVQOd5Rp5ljeubxnuHfzMRei3bxdxP72Bfx9IjmvdWiVwewaD07pKcO6d/X1RrpPoA+9r8KpHjccn7uqqc1YMSaj/BOeEy7alh5TOMOfbbxjih+7Ki3LcSwS+sSSwMeSCbEozp9PybbLLFHfh3BC7Z0pJJVRMjx7GA/W32EWfGsrVnmsdeyqViKH4z/E2e5i/ib+OXBMqTsRwWZbsJqB1loKPaMWtPxqhNgXwcqnB32b4fG7O+ey8Giv1ZbMQfLOGAt7CGKBvBoQrpLfjdI/sDNCOsOwLa6Iig6hd2S+WaAYR254vx9S1YbypwaECpGIXXA/vsoBOeaftaxt40nn+OW5rDuMtoGl8qoPEXFNSBVQz66DoVdVOmhen4c8Mjm8VhZ2HaeFfG11WLlLtMhRJe1Xcwg41mDdvaw69B4vd7Nq/2e9Q9nNlrDeJx9PAd4HMXVs3unKSq2LMmy3A2hE4y0e2VESNGdTrZB2Ma2cEyKc5LW0qHTnbhiW07vgfRCAgkk9Bo6IaR3CBAIpFc66YH0QpI//+7Mmy2z59ifbvaVeW3evHm7V5CJxL//XowsdzCQ9g93ui9HoXsNEy/H/XgFHsAr0T14FV6N1+C1eB2axOvRjXiDsdToRlPGMnQTep/Rg45Gx6D/oP+iaaPX6EPHol8by41+dBxyjBXGAPomPgIfiZ+Hj8JHo/uMdfgYdD8+1jjCOBIfh45HJ6B/GEcZR+PjjWPRicZxxvHo+cYJ6FvGiegB9CB6Dp+Avo1PNDYaJxuD6CRjCG3Ez0cnG7aRwicZGfQEGkRDRtbgeKNxCj4Z7XP9esg4FT2MB/EQtrCNU2gGp9F3ccYYxVnM8TA+Bb/AOM04HZ+K3m+cgW5GtyAb/R6lUNrYamzDL0QZ40z0FPqXsQO/CL8YvwRljbOM3XgE5xBH3zPORt9HsziPfoBHjVfgAh7Dm/BmvMWYMqYNx9hnzKBhdIoxa5SMc4w59AJ0KvqtUUafw6cZFXw6HsdnoBcaNfQLo240jKax3zhgHDQW0SgqGYfwVrwNb8dn4h1oDu/Eu/AEPgvvRmX8UnQO3mO83XgHqhjnoXl0qXE+KqAx9H/uAlaNdxrvQpvQb4x3GwbajBaM9xjvRTV8Nn4Zfjl+BX4lqhsX4L3oXPwq40LjIlzEk2gLOg3907jYuARPGZ9ApxuXGpehcfRD1DCuQPvRATyNmtgxrjauMa41rkNn4H3GDWgrnjFuRNuMm4yb8axxK3oSbUdnGrcZtxt34JJxJz4HHUQ70KJxF3o1nsNlPI8ruIpegxfQIXyu8WVcw3XcwE2837jbuAcfQJcZ96LXolvRTvQM2oUmjPuM+/FBdJbxAHoa/dt4EC+i84yH0G7jYeM7+BB+NXopep3xffQG9Eb8GvR6/FrjR/h1+PX4DfiN+E3GI8ajxmPG48YTaA8623jSeMp42vgFehl6Ofqd8Uv0Wfxm49f4Lfit+G3oFcbv0S+NZ4xnjT8YfzT+ZPzZ+IvxV+Nv+O34HcY/jefQJejj+Dx8Pn4nfhd+N34Pfi9+H34//gD+IP4QvgB/GH8EX4gvwh/FH8MX40vwx/En8KX4Mnw5vgJfia/CV+Nr8LX4Onw9vgF/Et+Ib8I341vwrfg2fDu+A38K34k/je/Cn8GfxZ/Dn8dfwF/EX8Jfxl/BX8Vfw1/H38B343vwN/G9+D58P/4WfgA/iL+NH8IP4+/g7+Lv4e/jH+Af4h/hH+Of4J/in+Gf40fwo/gx/Dh+Aj+Jn8JP41/gX+Jf4V/j3+Df4t/h3+Nn8LP4D/iP+E/4z/gv+K/4b/jv+B/4n/g5/C/8b/wf/H/4vwQRg5gkQZKkjWBCCCWMtJMO0km6yBKylHSTZaSH9JI+spz0kxVkgKwkq8hqsoasNd9nvt/8AFlnftD8kHmB+WHzI+aF5kXmR82PmRebl5gfNz9hXmpeZl5uXmFeaV5F1ptXm9eY15rXmdebN5ifNG80byIbzFvMW83bzNvNO8xPmXeanzbvMj9jfpYcYX7O/Lz5BfQx84vkSPPL5lfMr5pfM79ufsO827zH/KZ5r3mfeb/5LfMB80Hz2+ZD5sPkeagX9aHlqB+tQANoJVqFVqM15nfJUeRocgw5lhxHjicnkBPJ88lJ5iPmo+Zj5uPmE+aT5lPm0+YvzF+avzJ/bf7G/K35O/P35jPms+YfzD+SjeRkMkiGiEVskiJpkiFZ9Hn0F/RX9Dfzn+Zz5r/Mf6NlaClai9ahG1ASXYGORJejr6G3oy7CESbDqAe9GHWgTvRK9Cr0IvQScgp5Aeomp6Lb0O3khSiXSKCvo2+gO9Cn0J3o04kkug5dj76IvoTaUHuCJGiCJdoTHYnORFdiSWJpojuxLNGT6E30JZYn+hMrEgOJlYlVidWJNYm1iXWJ9YkNiSMSRyaelzgqcXTimMSxieMSxydOSJyYeH7ipMTGxMmJwcRQwkrYiVQincgksgmeGE6cknhB4tTECxMvSryYvAglyIvJS8gIyaG3kDz6AiKJMTJKCuhq9HcyRjaRzWRL4gxyGjmdjCfOJGeQrWQb2U7ORG8lO8hOsgt9mEyQsxIvJ7sTr0zsJS9FS9Cz6A/oLrQBvRcdgdajC9CH0AfRNaiIrkQj6AOJIrqY7CFno4+ii9BV5GXowoSDKLqbvJy8gryS7CWvIkUySabINHHIPjJDZkmJnEPmSJnMkwqpkgVyLqmROmmQJtlPDpCDZJEcIq8mryGvJa8jrydvIG8kbyJvJm8hbyVvI28n7yDnkfPJO8m7yLvJe8h7yfvI+8kHyAfJh8gF5MPkI+RCchH5KPkYuZhcQj5OPkEuJZeRy8kV5EpyFbmaXIM+Q64l15HryQ3kk+RGchO5mdxCbiW3kdvJHeRT5E7yaXIX+Qz5LPkc+Tz5Avki+RL5MvkK+Sr5Gvk6+Qa5m9xDvknuJfeR+8m3yAPkQfJt8hB5mHyHfJd8j3yf/ID8kPyI/Jj8hPyU/Iz8nDxCHiWPkcfJE+RJ8hR5mvyC/JL8ivya/Ib8lvyO/J48Q54lfyB/JH8ifyZ/IX8lfyN/J/8g/yTPkX+Rf5P/kP8j/6WIGtSkCZqkbRRTQilltJ120E7aRZfQpbSbLqM9tJf20eW0n66gA3QlXUVX0zV0LV1H19MN9Ah6JH0ePYoeTY+hx9Lj6PH0BHoifT49iW6kJ9NBOkQtatMUTdMMzVJOh+kp9AX0VPpC+iL6YvoSOkJzNE9HaYGO0U10M91CT6On03F6Bt1Kt9Ht9Ey6g+6ku+gEPYvupi+le+jZ9GX05fQV9JV0L30VLdJJOkWnqUP30Rk6S0v0HDpHy3SeVmgVPQ8x9A70NvROdD5dQO+i56I3J1+TfC3ai36F3kRr6Ku0nnwDbdAm3U8P0IN0kR6ir6avoa+lr6Ovp2+gb6Rvom+mb6FvpW+jb6fvoOfR8+k76bvou+l76Hvp++j76QeSlyYvS16evCJ5ZfKq5NXJa5LXJq9LXp+8IfnJ5I3Jm5I3J29J3pq8LXl78o7kp5J3Jj+dvCv5meRnk59Lfj75heQXk19Kfjn5leRXk19Lfj35jeTdyXuS30zem7wveX/yW8kHkg8mv518KPlw8jvJ7ya/l/x+8gfJHyZ/lPxx8ifJnyZ/lvx58pHko8nHko8nn0g+mXwq+TT9IP0QvYB+mH6EXkgvoh+lH6MX00vox+kn6KX0Mno5vYJeSa+iV9Nr6LX0Ono9vYF+kt5Ib6I301vorfQ2eju9g36K3kk/Te+in6GfpZ+jn6dfoF+kX6Jfpl+hX6Vfo1+n36B303voN+m99D56P/0WfYA+SL9NH6IP0+/Q79Lv0e/TH9Af0h/RH9Of0J/Sn9Gf00foo/Qx+jh9gj5Jn6JP01/QX9Jf0V/T39Df0t/R39Nn6LP0D/SP9E/0z/Qv9K/0b/Tv9B/0n/Q5+i/6b/of+n/0vwwxg5kswZKsjWFGGGWMtbMO1sm62BK2lHWzZayH9bI+tpz1sxVsgK1kq9hqtoatZevYeraBHcGOZM9jR7Gj2THsWHYcO56dwE5kz2cnsY3sZDbIhpjFbJZiaZZhWcbZMDuFvYCdyl7IXsRezF7CRliO5dkoK7AxtoltZlvYaex0Ns7OYFvZNradncl2sJ1sF5tgZ7Hd7KVsDzubvYy9nL2CvZLtZa9iRTbJptg0c9g+NsNmWYmdw+ZYmc2zCquyBXYuq7E6a7Am288OsINskR1ir2avYa9lr2OvZ29gb2RvYm9mb2FvZW9jb2fvYOex89k72bvYu9l72HvZ+9j72QfYB9mH2AXsw+wj7EJ2Efto2zNtz7KPsYvZJezj7BNtf2WXtv2dXcYub3uOXcGuZFeh96CfoTx6N3oU/Qg9jn6Kfo5+jH6CHkGPsavZNRhhg13LrmPXsxvYJzFhN2LGbsIduBN34SV4Ke5mN7NbcC/uwyOTNWe/0yGH4lSz4SyR19PVxqRTrh4A0kytuN9ZKq9nq9W54mTVn9Yolaed7pGpUm2qOb+v7BwUcnpDCCUszCQk9oUQvtgwl5DNRpSA9hGfi4zMF6dq1QoZqc5UK85c+0itVJkRqslIQYwd+UBQe96VUZyacioNPDpVdCe6Q61abOCCcAIXBLK7oLtRaOFGQXej0MqNguZGe8E3gRV8jwqBRwXwqCA9wgUxDW8SlnVsCsR1bpqqzs8Xpaz2Tb7Y5ObJYq1jc8BobjkNbxH+sS2+xi2Bxi2gcQto3CI0dpwWUnV6SBUeFzHB48KizvEQKTnuysdbJX2rpG8N0ROFygzb6mkuO/saeJswqnubHu1tLaK9TY/2tlbR3qYnzTbf4W0+V5t7Wau0i1ehsEtchjlrFaFkibj0J0qKEOxOabqJVmvOl4vNBtkGIdwmQ9ixrV4u1mdlHHbAIMOxIxzJnTJDd4YivTOyqE5tvliZnizX23ZOzR4oJne5S4t3CUl015QzXSqXi527wiIn5EJP+N5MBH5PCL8nAr8nIn5PBH5PRP2eCPyeiPg9AX5PSL/bJrzthydkyu6W3u0OvGO7p0tOzamX6ni3UNSxJ0TcoyzBewSxfU+Qo3ukIrxHij5biG4/20/67i0Cs/e0jeXqVHnr+OiSvEAIcPv46Uu2RsFtUXBnFDw7AuKirI/FUH0sRutjMVQfi1p9LIbqY1FP9WKLVC/qqV5slepFPdWL/kIWg7gVYYGKUB+LQX0sSlc6pkL1cSqoj9OyPjqyMDqyMDq6/U4L+x3dfqeV/Y5eGJ2gMPqBbQ/iSBxwxYEyJUPaVvc2Bp6R5XEmtJNmwjtpJiiPs155nA0YacmllZ16HZfk3in52ku+drN0DimBASUwoCQMoOfA9I5zQsrnQso752ZqjlMpuzu5NIXLshyUZTkoh6tn2auecmt2VIoL1XqjVl2YdXBF8lbCldRxK2nFr6RVWUmr+vJUWyxPVV+eaqvlqerpVfWjUg0qSlVUlGpQUaqRilINKko1WlGqQUWpRipKFYJchUpaDVXSGgwyHLVw2avLqNVDS1AP0dvK1cpMPdnwymdDls+GKp+NsJymTIGm70IzcLYpnG0GzjYjzjYDZ5tRZ5uBs82Is01wtgnlsynKZ1PWuAPSpQOhCnnAL58HZPlcDBEX/fK5KMvnYrB3FqF8LkrRh2T5PORvina52zcWy43ukqyk5/iVdCpaHCtRsBoF61HwUARsP7hxvllulBbKi92V5vxe+NtYLs0U+0IIHzngAc3KtFPbu1CsuXvITXZBaD+w1/0vLpOV+ep0cuSkqcW2nOO9niVeN3mveNM53tC5adZpLjSatYpHGRX0Ld5r+xZZtAWi6k04e1YAZ0tUSfCU6u4CNuSlz3560WM/XchvK5TF67x49ZQkt3mX2yWxJl7r3usuD5OccF/YhJLaVtjnvW4WAvNCP95VF8POWQ9Jd85OiQsyekiQO3ZW9zXqpRlPU8fmYm0arskep9b05o0Ls/BWOYweEloLXiQKXn7X6s60h9ni6d3jOdl2msdCdtWl+1ua4lVYNOqH0KtHcx6w1I3StFN3M8ddGRdecnoxAhYqYbBzwp1YLM3Mes72+IAvbcnmyOyl+ahwsnNWON+xveim0eycjIhX9cWKyMz2Lre5u7smHGuf8LFdYrVFAuY27egSCxVA+0JQ0pPXNin8l0s8I6I3I/2fCafQtKCXRAqVghQqiRSSa9R2SKJECpWCFCoFKSRcwXMyhRyRQo5IIUekkCesbUESRQo5IoUaYjG9BWJNP4UckUIiTnhKplBDplBdplBdpdA0pFA9lEKzoRRahBQqy9ypyGFappCIhBNOIZE8i+JVcJIGpFBJpFBJWDTthzBIoUNaCs1FU8iJplAznELNeArNRlNoSkuhOqTQQiiF6iqFSkEKVYMUagYptD+SQjMRaDoMLZGx9YmHIpBIBQX1BCkRQqnU8OcIU33IiWTvQoSzETFELr4PyiRQYLdKBoXoDSWDjwslReBCMwxN+jp27si1jZQXZovJnNMotm0quicqKSzUS+65mzzbRSUKLnrXrHuV3OIeOm71XFgouneS85PTRfOMprm1ab605N5GlbyYm9tLiR2z1badpZn5YmJXsUkmpKjE9tlSIu/+ba+X2oW+RrVSrXeCJgFQV5O4YJ4iSQe5EpgIMbdvm3dmgMljV+frUmBSMDu9WNq5OD9ZLbcVhZuTnpsznptuLSg3isQBZw95znrEhnC25Dk7J5wtS2crTfNgyW1zhEWJ2my1ve65ua9UKZbbxGWi4XrcBI8XXG+n3D8XbKt6xrKS71YpZPGyMCDJzZCjS5tRh/o0WM6ohuLUXvVD014MQu2EQ+2oUM+p8LBDTq260Xvp9F5KlX1OrVStdbjtjX/dOODjuxqzbmusoM59Va8DUkBpfzCnXjroz6m75afiQ45XCPxJLt6fJG2ZrlTnqateXri6xUW7UCwumacVrlyVks/VJ/mEMnkpNElGT428EjrcLqUmdIgLT4d3ATq8S6lDXnk6BJ+nQ/BJHeJS6hCMQod3JSJZby4EMQoAV5gCvBipaxkjHxJS/UmeYAUw12pBne0U1srreocnGK47hSwFOAen3ESerjYnyw51W8ta2ZV2zLzbS7s9rdudLbhr2/DuMSszZffesTg15zS8hnne7TKPlWw1T9T/4mv3ytHsonvrU+lya2TpkJtvxbJbmrtEK+g29m6Nnix3ndusNvzDqGum6bbzzrzT8MxY4kNCW4+UtlcOom1cGUGFKauiFPfmreiqEaSlgHNtEXBvC57VUVyE1g00735RIJaHEAG2H7BF935G3mUKdI8XJ8dzzzdglUAJH72medINhVuyZUMNUY3wrwFkyxk9Iiemw7FQKDnIwEVQYcpAlOKc2yyWBWFFlOD72QeIc5tuY1CqSpXLYtO7p6puydkrXmV8QojDoWPTA0SPREQWVqJ8ywbqjlsLBc6/knPlBtgrBxmQCCockGWKEkQijAnh+1QIwtN7fWTIRx8XCVrAGsjsL9Zd90r1ub3qQqDXx9BR+nIfHQ5Qr48VN+TS8SB/tNuzMMVPWrk7NAokqNQcooU8DmFDUR8IoSOhWBUiaAkeVhDEKTwhKDDSa+FsND7dEheKcwgRzjKJjmx/iQoi2B9ChNDrAjO8natbtSpE1kisWHFrYtkpFbtUULyHT3OkMllfcNehyyvXdcddLffkriUni7ONpPcghIl4eyFITrtTkk7TPcG9l6mm2xBX3BZ6punOqZTIbG1xf6VUTMyVFpLlYq2ULJdqxQ7vZVezNuc2tW3zxUqx0VYpuii84Cpz2yB3qLbVvDPDfV1wnA7xusVtP4oV9w7FOdcpu/c1lRkHN5oztdJc4kC1smSy6VbwRtXdEJ6tXdOl/aW6648IU4cb59L+Ytk1zVkRnBGed85BV5LH2O6eMN69WXmy4V82FnrK1ZnSVLHsxmkHHB2dHtW9mPLCldg2O89Klama4x1FbaIjancb9VnvGU2x7DZmI7Va9UC7qKDikk1XD1TklZfK4mqJd7XDZ+loLowqpqXyerJYdwTcW64ecGrbKk5BHLE5t5+e61O4M92ou7YJZL9A7vKOaclaF+glAr25WN4nwOUCHHPP7zDTimAuiKyHZO70TvgwO9vnxl5Kby4shKT3CjBqbI/naxTVC6iw+cs9XMx6ETLw2b3S7e73J0XMFrJiVss1kQaIy6hRMlDjSt9SAe7wp0hPffKxPjhSmR5XM9V1MG11jC+gRWRMeNcyJUICBd9x/5svELi06RNDyv+X0BgtLrS97t09lz24Q1zKNo2J6+liba5jsuwW6nypNlV2Og7MlhoOXLv7fwauB7wVkWni8u4OmFaKlWhJCSWuRgklXZTSG1EjcX1RDRK5PBypgNUPdEjmGh/p5ti0W+QiRD9pWhDXBinUihqY0ILa49aehleIxtxGVaI6p6uNhjMtAbLPraXOokO9Mlh3L2Tkc6IodpUqonRJqAegkPTVfgS3xGl+3OO0Tn/eSG2q02f0gCBHa1NdodxyoSAM/ixg7BSpM1oqzrv3mp3CAwD6IisJyOXRpQRsr3sI6Lj+STdW1fkYq9C3pbI7pKlH4La7x5cbLLf614rzPcKSCGqZ4DoLFmWHexi07/NuIaa9Syb4vatl4irMJnfHTvfcr8EayeuVck7VO6Gn8+69jRtqSZHat1RywURYegn0BQealxwwKZwvwOceTXV3lzamZgPkerE0XnAbVbESIqQ6XSCBQdZdRV/jnsnipGslvFv6Ol/0EdLhABHdoGBndFUlcoOfT6OgUGM4Isiqw3BsUCHJlcThXZkZd8//3cESrBHWTejbO0wc17e3JK4NiJENHKZOxLa3pC6T9TNkB2BCpveHeYLo9YcZA7Rb9gVqV60k7pd7an5dU6hlXhMSxciTNYRxxQiFUTERlBATxZRVtVSYfk3M7lJjdrTaWNFcGA+vvSIPNBd2RNbflxx4sb0qWrBu32RALAssDLOEEX0QGxEuJXpFIDqC7/ejFEX7eiPoPnC0heg4vt+PXFx0Cyna8eTjw01JCN8f6l3C6FDPEs6PQLqPCgQHK6tk+hhfnMKsmqweHBUPe0T/Wpne7JemPp3kzVuuI4XGXh8bTB/wcRMLEbk9UYIntTeKEjKX+ThVjNfFMBG5A63InvSVrQhCxwZBOVCR1Ii0naUgPCEGT54krdZJQqKkrQPaZqe4fzEidtxjGtDInlBBWNWCMLEgSCs1ktAmKKtbUWDWBo02saCZoiwdhzYyIIspAxpZFACPsKoFwRXukVZqJFkcPMrqVhSYtUGjhS2NMMgIR0yVS7BKZxBnjyCt1kny1BG0NS5NKIC0dm8+A8mr4kSVQ50B6UBlZRiI2NarUTyj+jScsKZHIYO5vgqVxT7gCfImiZnrFUUcU80F3Ym1LenKjy5FFbL8aLgFIiZoVZyopLQr0sTCiuAyEollEbznRX8UI9fkQKUnghZmdSuU0rdWR0RUrWhB9RQOtMD7IZTp0nofrQV6hOan6+pWVJh5RCuaUh+RHdkVviGrW1FhzxzRiqZkCw7lF0yIWe6twDj09aEEXRFHi3l9Iby/ist1pGD1saq3y3vt5tE61u/ddlWDZqw1lzzbqn5Dt8bnOszG1Yjhjevn2sowENu4YYrauGGcv3EFMrpxBUptXB/wVPibbb2i/I+NG6eHN25QBPxoHG7jasTwxh2XOdUfXCozPT9XRNGR/RzgPed6Ihh/446H03KtjohtXJ2qNq6O90MY3TDRY3OtoodpkY0bo4Y2bowW27jBMRyS7W/cGDW0cWO02MYNb3Xdcu/cnlg4bN8yECUHXcvKKCHUs2wQFKVMuBFtFdZEGDTiqggxYmp/jOTH/nBlaUWc5rczsDwxGwX3mgiDRlwVIUYWqz9G8tcwQEfzbEWcJvByZQ7bpQxEyUGPsjJKCHUoR7kUlRyHXfF1rZiCdV/fihxa/SND9MMs8ZoWLP5qrm1BDNYtLP0wi7OmBYu/DmtbEIOIh+Nz2Liva8UURH99K3JoDTaot6F3eJ/OcKbHytWasLzWkM/o2vY7lWY9OV+s1ZfUF4rTjrzdbJYaXVPl5qQPLZkVcxTYPS2fYfkINjXrTM25YuYGaodRxRZci7yHh9N4qlhzqvvwfKnifXC27ky5oljZvRmt7SzNVHClOe/Uqsx7n2jeEyWf1m12DnrHar8E/DgVyuXSQh0eAY0HT35DCHhSJRBniCcZ8AhuXRjl7hB1e5l3Ko2aEyGH7z6BHBY4Xj3kvU+0PoSK3NTClDUh+sSCRuySDwRdwPNzWfBMC6wNYUBdX+ThIETCRy7Wg0c1y7XnkjJG/cETvVwoxH3+A9bQw6IB/7ZcI/SEH4PCQ2RAhbhWuCj/eUsILx++qrWVQGxt5VOv0FIKRGQpwyiITpd8mqriGTwSVNGLPDNV0VPIcPQGivNuJ1cvVqb3+lfy/XnvbdDQ5xJ6PTj47IN8d1fh1OcbBLZTYOHjDwMAiL/wO7M9Chl6S74V35IoT7dO752ulsv6nIVys77Xe5EsPhjglgkwPKlfvp2sf3RhBbzLrH+uoFt/97k/hAihB8LoSADiqFURVITUJ0nap1YkUn97vFcJCC3f6iguaomihT50oVChN+0jqKhxrSxerSEjH/jRaYGaNTop8na+8D8kaEUIEcYPhPFhCcvDBD+QSwU2cH+dgGHN49J7BDnyGYVVEVREZZcgqQ2xTEE+ZnkY0wIbD4BM+ZCjrfaAIPj53u+D0U/hSEf96C8P4BB2rY6NyFgRokayIoT3Iy3djxsafD7LB8MR7wuwoTwPkMEHnGAdIh/jWqMhI/rX60RtsgxR8FGRFQEcrR8hEeFcCUtuqM/7+KhQoTmMfasOb5pUKb+REq6jbh33vmOyF0ZZlb2PqZw036zLO9VysTJ3klu6vTfcuqarjfqQgpYIyFLgUgnaCu4GOKUQyxQirTA9PiajUL0BKqtwfSEcb8HI4/KycbZsCzYesy0TY8rEZWVayMrEZWVjTNk4E9fjldZZ0jGb0nGb0i1sSsdtSsdsSsdtSsdsyugsmZicTFxOJiYnq7NkYyxcy6eUxpDS45OKxScVj0+qRXxS8fikYvFJxeOTisUnpccnFYtPKh6fVCw+KT0+qVh8Unp80hpDWrclHbMlHbclHbMlrduSjtmS1m3JaAwZXUYmJiOjy8hqDFmdwYdl/bGjZFvLF1vPFzuWL3Y8X+wW+WLH88WO5Ysdzxc7li+2ni92LF/seL7YsXyx9XyxY/li6/lia/li6/lix/LFjueLHcsXW88XO5Yvtp4vtpYvtp4vdixfbD1fbC1fbD1fbC1fUlFySotHSo9HKhaPVDweqVg8Uno8UrF4pPR4pLR4pPR4pGLxSOnxSGnxSOnxSGnxSEfJac2GtG5DOmZDWrchrdmQ1m1IazZkouSMNj+jz89o87NRclYj+6DoX6wI0YrWD0urH5ZeP6xY/bDi9cNqUT+seP2wYvXDitcPK1Y/LL1+WLH6YcXrhxWrH5ZeP6xY/bD0+mFp9cPS64cVqx9WvH5Ysfph6fXDitUPS68fllY/LL1+WLH6Yen1w9Lqh6XXD0urH1a0flha/bD0+mHF6ocVrx9WrH5Yev2wYvXD0uuHpdUPS68fVqx+WHr9sLT6Yen1w9LqhxWtH5ZWPyy9flix+mHp9cPS6oel1w9Lqx9WtH5YWv2w9PphafXDitYPS6sfVrR+2BGiHc0HW8sHW88HO5YPdjwf7Fg+2Ho+2LF8sPV8sLV8sPV8sGP5YOv5YGv5YOv5YGv5YEfzwdbywdbzwY7lg63ng63lg63ng63lgx3NB1vLB1vPB1vLBzuaD7aWD3Y0H1IRYirqf0rzP6X7n4r5n9L9T2n+p3T/U5r/qaj/Kc3/lO5/SvM/FfU/pfmfivqfjhDTUd1pTXda153WdKejutOa7nRUdyZCzETnZrS5mejcbISYjRIDSLwRUyyfJL6rIz+qF0F1Bb8GM1+dXiJ+scT7LQJn2gW795Vq9UajWnGmZsW3ezrVt3pdvklPk/yRDw9i4hvm4kr8Mod31R3+TRIPsST4VRHBKX4bRFyJX0fxrqj3SyUCJZ7/eFft8gvzQqf/yyMe1Bcy10dS7zdRvAvvk8/iZ0s8YGnot1g8uAN+pEXIlz+S4l0uCzu4capYF0UumCZQS3xXJej7K8DlutMC2xv1XE703ZegHwMBdqlASKIfDQEuDUIirYzERc5XcRDQgHywFn/stiywHn5LpT/qj0K3yW9si1epIPoVb9/6k6YWl4UBwZwY37KJNCulwcHBYW8cKowU5JjLwDgIowVjCvjUmIcR+Ec4jCMwwvwRNR/k54E/D/Q80PMgNwdyciAnJ/QMDlmKD/B5LvF2BsacHFNpOQ6PSr5R0DMKckdBzijoG1X2gD95sHMU9BQUP9BHgV4YlHoKI3JMSzusIdAzXJB4PibHjAV0JRf0F0B/AeaNgb0FxQd6C6B3DOaNgT4b7BtT8R+DuGVhHILRhjENfGqEOI0A/4jKhxyMMH9EzQf5eeDPAz0P9DzIzYGcHMjJjUp708Ownoof6Plh8CcL66lGWP8U+JtV6wF6R0HPKMgbBf2jyj7wLw92j4K+guJXeQL0whCsK+RTOgvrBnZnbICVHNBXAH0FsGcM7CsoPtBTAD1jMG8M5Ntgz9hwnzuOZLMp9SffcNGQPsGbZQ1mZZalhgZhHILRglFanRqEcVjxpWBMAx3wg2p+BsYsjBzGYeAbBXgE4DzAORgVrPgKMIK9FuizQJ8F9lrKXuC3wE4L7LTAHgvss8AuS9ml5IN+C+yzwK5BxafsVv4rPWDvIMgfBH2DoGcQ5FjKPtA3CPYPqxHmD4OeEcCPwLwc+J8DfA74c8CfB/oo6C0AX0HBhaWwjurHWgDORWHLp8t5Nsi1Ie42yLUh7mmVJ4oOcbEhTmmYn1Z0sBt2bcoG+2yIcxriaYNfaVgXqNopW8GKD+JjQ1xToC8F+lJgb0rZC/wpsBNOgVQK7IHqkUqBXSlll5IP+lNgXwrsSis+ZbfyX+kBe6H6p6BauD00jCAnpewDfWmVHyrOMG8Y+EcAPwL8OfA7B/gc8OeAPw98o2BvAfgKCh5bCusczQvb1mAtj+yMBmc1mGvwcBROj2r0EQ3W8tQei8Ipzd6UZk9K05/S9KfyGqzpTxU0/UPqZ45E3Oxhuc62PBUHbYizDV2JLbuXQVueNtYgH4RxCEYLRhvGFIxpGDMwqvkcxmE5ZmXeD8rT1B0tGEFeFuRlQV4W5GVBXhbkZYcZ/KDLZFli5A6zspk8jDKTB2U/YA3CiWBnC4AHz6DSFuTOtAZz6S7xAYZ5t2dvFGuLyUKzVpUkNSUHQciBsUqFbAndcQTGPNDBiRwEMQf8I+BMDoIzouYBfgTkycWy4Mh2Rxkce2Ssy+2Dg58FENgheYRYFpR61yFS9L6u31xoF6P4hBETl943v+SV92UveTVZbcwymDBd6fSvJuuOkJuGVEhDKqTdVHCp3vexAU7DmIEx2wbUhRCXTESXOgZjAcZRUt4XlpaDcQTGYVJrhOWAtmHQJguPO3IYh2GE+cMgbzgP4yiMoH94jJQb4gvkbeKVTM/JUVDzY3hKfslZgAUwXvbk7gihGYXQyB7OHcE42FXpUXB+FIwfA3hMwcA/Bvx5MDIPRufBqXyhvbrgVOTvTbBSZX9wFTZzFHwfBd8LYG5BmQtiR0HNKMRiFNzLgzmyRbZysolyRwVzGJVZEPsc6IG8T48U4JvJNWeqAShQOTLGJGmyehAwahLEUp4grhJwZgRiNgIxg02WHoGYweZKw+ZJj6h5KgjAVwC+AvAVgK8AfGPgxBjYMwb2jMHajik+COIYeDRWII1aqTjTXIAgZCQ8XYEgqeCAnBzYk1NrDfoKILcA+ALIrTXkWN4H88COPMQDilM6pxYDFjUP9ucUH/idU4sN9hSAXgD+gsKrXIV5YzBvDOI2BvoysB5p8CsN89Lgdwbmp8GvNMxPg99Qx9MZ0JtR88CutJIPdBvoQ2CvBXoHwe8hsDMF8i2AhxQM9gyCPRbgUyAno+xX+kFPCvhTIC8L62CDXUMwDgJ9EOTCSZbOgn2DSj/Mz0I8BkHfINiRBT4b+IYUv/JH+Q16U0C31KjwINcC+22AbQWDfzbYkVKjWg+wOwP8GeU/rEMW+LIgJ6viCeuagvlwsqctwA/B/EGAB5U8iH9W4SF+g2AXdArpQeAbBBg6iXRW+QV0KFrpIcWv/AX5luJT9oI8C+y2AbYVDP7ZsD4pNYKcDOhLg7y0ooN/NtDh+E6rOjek8hfwKeCzVdwUH8izwA9oEtIZtf9g/dNqfwKcAf602h9q/yh7lH1At0DukFp30J8B/+Wdi5UZGsb7nPli2Ul6L23iqwNJ7xsDbeKLAgS+HyCYs7BJsmDsECTxECT/ENCH1MkDTuYgaXKwWDnYDDkwMgcnV06dXFAUcnBC5aBY5qA45KAI5CCoOVjsHDibyyv56jACOyCJcnmYN6ToIB+KSQ42W25I2a38AXsg2DlL6QG7hgod8JFD7+OHAsdhY3AoKBw2PIdCwaHgcPCNwwJyKBQcCjeHws8hATic+nwYRrCBwwbn0PTwERih8PE8jFzpBTsgUTlsdA5NDYcDj8MBwaE54tDBcVgrDjnB4cDmcMBzKMwc1pZz5XcO9MMIhZJDYeZwYHM4MDlsDA7dEYcOkcMacNgoHBoCDg0Eh8LKISc4V3phHeAA4FAIOTQMHA58DgcXhyaRD8MIucXh4ONw8HJogDgUYA4HNedq3dMwjoIdMEJB51AAOTQoHBoNDgcwh+6PQ0fMIVc5FHgODQiHlo3DwcehOeVc6QU74EDhUIA5NLccGg8OBymHJphDJ89h73I46Dk0IhwaPQ4HF4e9y7nyexj0wwiFmMOByaFh4dDwcCjAfBRGuFPgUAM4NCgcGkMOjSSHws6hCedc6YV9CAcBhwOPQ+PIoQvm0OBwuFngwzBCjeBQSDl05xwaYQ6NC4fGkHO17y0YMzAWwB4Y4YDi0GjwMRihIeRQsDl0/RzuhDjUPg4HPS/ACHelHA5wnoeRK71gBxyQHA5mDjc1PAcjNHAcbo443MFxqIkcGkhegBEafA4HMYfazrnyewT0wwiNC4dGikODyuHunEPDyeHuiMMdIofaz+Fg43BDwOEGgkMjxKHWc670wjpA48Sh8eFww8DhqQGHxpHDTSIfhhHONA4HMofGm8MNEIeDmUMDz7la9xSMebADRmhkODRMHG5QODyV4NCIcLj743BHzOFM5dCAc7gB4SMwQgPH4WaUc6UX7IAGi0PDxuHmlsMNCYcbAQ43wRyeBHA4wzk02hxuNDjc6HFopHgeRq785qAfRmikODTYHG5IONwIcWiA+CiM8KSAwxnMoVHjcGPI4UaSQ+PFoXfgXOmFcxhuQDg0wBxuHDncBXO48eHwsIAPwwhnPocbHA535xyeNnFoEDncMHL5SG7QzsKjPFlfBy14hGfBI1QL3oCy4RG/DY/8bXjUb8OjfRve4rDheZENbyHY8NaBDW+52PAWiA1vUdjwloVt8U7QI96JBSAbBnJhwAoD+TCQCQMjYSAVAoaktA7/PeCpxe7QtSD+PzXnEgl4nG2KaVOSYRSG3xcEyczMCnlluUFBhCcU4QkEocilRSpEfJAHbLOF9oX2/a2ZZvyi4ww/wy/Qp/oRfOgXnWAGm2qcM3Of61znztDXU4Qv6Sr0NOFzivApWcfHJOHDLOF9MoF3CcLbmTrezBBexwiv4rt4GSe8OEl4HkmjFtHxLEJ4GiU84YTH4RoehQkPwy08mCbcnyLcm2rh7mQd1UnCnUkdt0M6boUIN9t7I1TEjRBw/QThGiviKiNcYTWsBwiVIKEc1CEDUyhNENb8LRT9BOEjrI4TCr40Vrw68l7CsreInJfjsteNS2OEi6N1ZEcJSx7CBU8O5z0hnPO4cNZNWHRzLLgI86DML8xBxxknIeMgnHboSKeqSCWXMJusYSZWRzzGwaM5RCOLmA7nwAIcwYCOgNOurU/Yh+DXRrT18ZZP+Ext8GqEMe0YRj06PFaC22YFdl3CNUxwVh3C0XZ2rmkVW8q6URnp0HCHjmsL1rXyUT4kjvBBMSQH5SHeL0y8R/TLHnk4MSAO8j7Ry81C5YoYkH3SLBV5gFuEkRuERRrkoGLMZEzqT3VHWWXZH720km1YlisNdbPhK3Qyky83zJsNRZQrpaaqbstvW1uKcy7b2CmUvhuVNsqmwTCfLzV7jNtyTmEKY0zpDuvyXqp/Tfet7rU7xP7xXWJ/7v/UPnLfFrP9BvOls3wAAA==") format("woff2");}</style>
+    
+  </defs>
+  <rect x="0" y="0" width="1321.5272813140255" height="649.2932293019985" fill="transparent"/><g transform="translate(690.735918823734 438.70842642270736) rotate(0 21.25 21.25)"><use href="#image-60b076cb044084e59e74d2b41f84159dcede0ddd" width="43" height="43" opacity="1" transform="scale(-1, 1) translate(-43 0)"/></g><g stroke-linecap="round" transform="translate(621.5773924198227 182.0428451991388) rotate(0 334.9749444471014 172.1678716953175)"><path d="M32 0 C266.01 0, 500.02 0, 637.95 0 M32 0 C162.01 0, 292.01 0, 637.95 0 M637.95 0 C659.28 0, 669.95 10.67, 669.95 32 M637.95 0 C659.28 0, 669.95 10.67, 669.95 32 M669.95 32 C669.95 120.3, 669.95 208.61, 669.95 312.34 M669.95 32 C669.95 89.13, 669.95 146.26, 669.95 312.34 M669.95 312.34 C669.95 333.67, 659.28 344.34, 637.95 344.34 M669.95 312.34 C669.95 333.67, 659.28 344.34, 637.95 344.34 M637.95 344.34 C468.4 344.34, 298.86 344.34, 32 344.34 M637.95 344.34 C404.23 344.34, 170.51 344.34, 32 344.34 M32 344.34 C10.67 344.34, 0 333.67, 0 312.34 M32 344.34 C10.67 344.34, 0 333.67, 0 312.34 M0 312.34 C0 232.6, 0 152.87, 0 32 M0 312.34 C0 205.88, 0 99.42, 0 32 M0 32 C0 10.67, 10.67 0, 32 0 M0 32 C0 10.67, 10.67 0, 32 0" stroke="#1e1e1e" stroke-width="2" fill="none"/></g><g transform="translate(660.5738733703092 482.8917798806408) rotate(0 54.658203125 11.5)"><text x="0" y="0" font-family="Helvetica, Segoe UI Emoji" font-size="20px" fill="#1e1e1e" text-anchor="start" style="white-space: pre;" direction="ltr" dominant-baseline="text-before-edge">Your Cluster</text></g><g stroke-linecap="round" transform="translate(1003.4849559087115 234.46147818051998) rotate(0 120.17265979777471 28)"><path d="M14 0 C63.12 -0.09, 115.12 -0.02, 226.35 0 M226.35 0 C236.73 0.15, 241.97 4.96, 240.35 14 M240.35 14 C239.94 24.79, 242.03 33.52, 240.35 42 M240.35 42 C238.83 49.42, 234.79 54.9, 226.35 56 M226.35 56 C169.09 56.08, 111.25 55.59, 14 56 M14 56 C6.38 56.95, -1.52 51, 0 42 M0 42 C1.34 34.31, 0.55 25.03, 0 14 M0 14 C1.3 3, 4.55 -1.62, 14 0" stroke="#1e1e1e" stroke-width="2.5" fill="none" stroke-dasharray="8 10"/></g><g transform="translate(1031.9339828939862 250.96147818051998) rotate(0 91.7236328125 11.5)"><text x="91.7236328125" y="0" font-family="Helvetica, Segoe UI Emoji" font-size="20px" fill="#1e1e1e" text-anchor="middle" style="white-space: pre;" direction="ltr" dominant-baseline="text-before-edge">Lapdev Environment</text></g><g transform="translate(776.2463396566018 326.95967063754347) rotate(0 12 12)"><use href="#image-1eb35412189527b20624c29b9912c61108c16757" width="24" height="24" opacity="1"/></g><g transform="translate(687.2268084066018 357.44013938754347) rotate(0 102.2900390625 11.5)"><text x="0" y="0" font-family="Helvetica, Segoe UI Emoji" font-size="20px" fill="#1e1e1e" text-anchor="start" style="white-space: pre;" direction="ltr" dominant-baseline="text-before-edge">Lapdev-Kube-Manager</text></g><g stroke-linecap="round" transform="translate(655.2463396566018 310.70967063754347) rotate(0 134.25 44.25)"><path d="M22.13 0 C69.22 2.6, 113.62 2.95, 246.38 0 M246.38 0 C263.04 -1.33, 269.48 6.61, 268.5 22.13 M268.5 22.13 C268.53 31.61, 268.01 41.8, 268.5 66.38 M268.5 66.38 C269.52 80.63, 260.01 88.13, 246.38 88.5 M246.38 88.5 C167.66 88.61, 91.14 89.38, 22.13 88.5 M22.13 88.5 C5.55 90.26, -0.38 79.4, 0 66.38 M0 66.38 C0.19 56.16, -1.47 45.2, 0 22.13 M0 22.13 C-1.77 8, 7.43 1.42, 22.13 0" stroke="#1e1e1e" stroke-width="2.5" fill="none" stroke-dasharray="8 10"/></g><g transform="translate(474.5469457550263 318.1871653970247) rotate(0 12 12)"><use href="#image-92a881e3924c72134888938407657fee82e47e5c" width="24" height="24" opacity="1"/></g><g stroke-linecap="round"><g transform="translate(311.5561112738385 353.59852924018037) rotate(0 164.57106196793222 0.32103409260804483)"><path d="M0 0 C54.86 0.11, 274.29 0.54, 329.14 0.64" stroke="#1e1e1e" stroke-width="2.5" fill="none" stroke-dasharray="1.5 8"/></g><g transform="translate(311.5561112738385 353.59852924018037) rotate(0 164.57106196793222 0.32103409260804483)"><path d="M0 0 L13.61 -6.31 L13.58 6.37 L0 0" stroke="none" stroke-width="0" fill="#1e1e1e" fill-rule="evenodd"/><path d="M0 0 C3.13 -1.45, 6.27 -2.91, 13.61 -6.31 M13.61 -6.31 C13.6 -2.42, 13.59 1.48, 13.58 6.37 M13.58 6.37 C10.15 4.76, 6.71 3.14, 0 0 M0 0 C0 0, 0 0, 0 0" stroke="#1e1e1e" stroke-width="2.5" fill="none"/></g><g transform="translate(311.5561112738385 353.59852924018037) rotate(0 164.57106196793222 0.32103409260804483)"><path d="M329.14 0.64 L315.54 6.95 L315.56 -5.72 L329.14 0.64" stroke="none" stroke-width="0" fill="#1e1e1e" fill-rule="evenodd"/><path d="M329.14 0.64 C326.01 2.1, 322.88 3.55, 315.54 6.95 M315.54 6.95 C315.54 3.06, 315.55 -0.84, 315.56 -5.72 M315.56 -5.72 C319 -4.11, 322.43 -2.5, 329.14 0.64 M329.14 0.64 C329.14 0.64, 329.14 0.64, 329.14 0.64" stroke="#1e1e1e" stroke-width="2.5" fill="none"/></g></g><mask/><g transform="translate(373.9795756605391 362.9531404463552) rotate(0 116.73828125000006 11.5)"><text x="0" y="0" font-family="Helvetica, Segoe UI Emoji" font-size="20px" fill="#1e1e1e" text-anchor="start" style="white-space: pre;" direction="ltr" dominant-baseline="text-before-edge">Secure Websocket Tunnel</text></g><g transform="translate(244.45589966477883 562.3771651496575) rotate(0 12 12)"><use href="#image-1fc42860614cb7357b66c1964aa081366cd82698" width="24" height="24" opacity="1"/></g><g transform="translate(221.59302598013505 596.2932293019985) rotate(0 33.90625 11.5)"><text x="0" y="0" font-family="Helvetica, Segoe UI Emoji" font-size="20px" fill="#1e1e1e" text-anchor="start" style="white-space: pre;" direction="ltr" dominant-baseline="text-before-edge">Devbox</text></g><g transform="translate(236.87610006058947 30) rotate(0 12 12)"><use href="#image-9d2f28049a8a90ddebd6f916b59a887ae5df33f6" width="24" height="24" opacity="1"/></g><g transform="translate(192.65911258648487 64.47801451522184) rotate(0 58.349609375 11.5)"><text x="0" y="0" font-family="Helvetica, Segoe UI Emoji" font-size="20px" fill="#1e1e1e" text-anchor="start" style="white-space: pre;" direction="ltr" dominant-baseline="text-before-edge">Preview URL</text></g><g stroke-linecap="round" transform="translate(1003.7809496446259 325.60427274634765) rotate(0 120.17265979777471 28)"><path d="M14 0 C64.44 -2.65, 119.75 -2.22, 226.35 0 M226.35 0 C237.06 0.43, 239.75 3.75, 240.35 14 M240.35 14 C238.65 20.43, 239.13 26.18, 240.35 42 M240.35 42 C240.62 53.27, 234.06 57.43, 226.35 56 M226.35 56 C168.21 56.15, 111.07 53.62, 14 56 M14 56 C5.13 55.13, 0.17 51.96, 0 42 M0 42 C1.51 33.12, 1.87 28.18, 0 14 M0 14 C1.31 5.68, 3.82 0.22, 14 0" stroke="#1e1e1e" stroke-width="2.5" fill="none" stroke-dasharray="8 10"/></g><g transform="translate(1032.2299766299006 342.10427274634765) rotate(0 91.7236328125 11.5)"><text x="91.7236328125" y="0" font-family="Helvetica, Segoe UI Emoji" font-size="20px" fill="#1e1e1e" text-anchor="middle" style="white-space: pre;" direction="ltr" dominant-baseline="text-before-edge">Lapdev Environment</text></g><g stroke-linecap="round" transform="translate(1008.8385029105507 413.8304797185931) rotate(0 120.17265979777471 28)"><path d="M14 0 C83.54 0.27, 150.02 0.87, 226.35 0 M226.35 0 C236.55 -1.02, 239.62 5.96, 240.35 14 M240.35 14 C242.08 22.55, 239.46 29.25, 240.35 42 M240.35 42 C238.97 51.43, 237.15 55.8, 226.35 56 M226.35 56 C147.38 55.23, 70.52 53.82, 14 56 M14 56 C4.53 56.52, -0.63 49.34, 0 42 M0 42 C-2.17 34.08, 0.39 28.98, 0 14 M0 14 C-0.64 5.77, 5.89 -0.2, 14 0" stroke="#1e1e1e" stroke-width="2.5" fill="none" stroke-dasharray="8 10"/></g><g transform="translate(1037.2875298958254 430.3304797185931) rotate(0 91.7236328125 11.5)"><text x="91.7236328125" y="0" font-family="Helvetica, Segoe UI Emoji" font-size="20px" fill="#1e1e1e" text-anchor="middle" style="white-space: pre;" direction="ltr" dominant-baseline="text-before-edge">Lapdev Environment</text></g><g transform="translate(30 118.51958044912578) rotate(0 225.71643526458035 225.71643526458035)"><use href="#image-16a008902a4fc9df48f908e5018bd01b47a4a0c9" width="451" height="451" opacity="1"/></g><g transform="translate(242.1535073879461 306.16468464866205) rotate(0 12 12)"><use href="#image-2b10442303d643dca388433f79fbdc5627ede668" width="24" height="24" opacity="1"/></g><g transform="translate(205.10280545375508 342.9080890032286) rotate(0 48.349609375 11.5)"><text x="0" y="0" font-family="Helvetica, Segoe UI Emoji" font-size="20px" fill="#1e1e1e" text-anchor="start" style="white-space: pre;" direction="ltr" dominant-baseline="text-before-edge">API Server</text></g><g transform="translate(110.92291548407525 406.5855369034605) rotate(0 32.8076171875 11.5)"><text x="0" y="0" font-family="Helvetica, Segoe UI Emoji" font-size="20px" fill="#1e1e1e" text-anchor="start" style="white-space: pre;" direction="ltr" dominant-baseline="text-before-edge">Lapdev</text></g><g transform="translate(124.30793430054462 371.56698664698035) rotate(0 15.836077717177261 15.836077717177261)"><use href="#image-04f28670dff6fd1042c3404f1cdf3fc1d3e0ce96" width="32" height="32" opacity="1"/></g><g stroke-linecap="round"><g transform="translate(252.15157992078764 295.32558055839127) rotate(0 -0.47446642497061475 -97.92896590739193)"><path d="M0 0 C-0.16 -32.64, -0.79 -163.21, -0.95 -195.86" stroke="#1e1e1e" stroke-width="2.5" fill="none" stroke-dasharray="1.5 8"/></g><g transform="translate(252.15157992078764 295.32558055839127) rotate(0 -0.47446642497061475 -97.92896590739193)"><path d="M0 0 L-6.41 -13.56 L6.27 -13.63 L0 0" stroke="none" stroke-width="0" fill="#1e1e1e" fill-rule="evenodd"/><path d="M0 0 C-2.05 -4.35, -4.11 -8.7, -6.41 -13.56 M-6.41 -13.56 C-3.05 -13.58, 0.31 -13.6, 6.27 -13.63 M6.27 -13.63 C4.09 -8.88, 1.9 -4.14, 0 0 M0 0 C0 0, 0 0, 0 0" stroke="#1e1e1e" stroke-width="2.5" fill="none"/></g><g transform="translate(252.15157992078764 295.32558055839127) rotate(0 -0.47446642497061475 -97.92896590739193)"><path d="M-0.95 -195.86 L5.46 -182.29 L-7.22 -182.23 L-0.95 -195.86" stroke="none" stroke-width="0" fill="#1e1e1e" fill-rule="evenodd"/><path d="M-0.95 -195.86 C1.1 -191.51, 3.16 -187.16, 5.46 -182.29 M5.46 -182.29 C2.1 -182.28, -1.26 -182.26, -7.22 -182.23 M-7.22 -182.23 C-5.04 -186.98, -2.85 -191.72, -0.95 -195.86 M-0.95 -195.86 C-0.95 -195.86, -0.95 -195.86, -0.95 -195.86" stroke="#1e1e1e" stroke-width="2.5" fill="none"/></g></g><mask/><g stroke-linecap="round"><g transform="translate(254.55763083631734 547.0755805583913) rotate(0 -0.09395012587714291 -85.17896590739201)"><path d="M0 0 C-0.03 -28.39, -0.16 -141.96, -0.19 -170.36" stroke="#1e1e1e" stroke-width="2.5" fill="none" stroke-dasharray="1.5 8"/></g><g transform="translate(254.55763083631734 547.0755805583913) rotate(0 -0.09395012587714291 -85.17896590739201)"><path d="M0 0 L-6.35 -13.59 L6.32 -13.6 L0 0" stroke="none" stroke-width="0" fill="#1e1e1e" fill-rule="evenodd"/><path d="M0 0 C-2.42 -5.17, -4.83 -10.34, -6.35 -13.59 M-6.35 -13.59 C-3.63 -13.59, -0.91 -13.59, 6.32 -13.6 M6.32 -13.6 C4.44 -9.55, 2.56 -5.5, 0 0 M0 0 C0 0, 0 0, 0 0" stroke="#1e1e1e" stroke-width="2.5" fill="none"/></g><g transform="translate(254.55763083631734 547.0755805583913) rotate(0 -0.09395012587714291 -85.17896590739201)"><path d="M-0.19 -170.36 L6.17 -156.77 L-6.51 -156.76 L-0.19 -170.36" stroke="none" stroke-width="0" fill="#1e1e1e" fill-rule="evenodd"/><path d="M-0.19 -170.36 C2.23 -165.19, 4.65 -160.02, 6.17 -156.77 M6.17 -156.77 C3.45 -156.77, 0.72 -156.76, -6.51 -156.76 M-6.51 -156.76 C-4.63 -160.81, -2.75 -164.86, -0.19 -170.36 M-0.19 -170.36 C-0.19 -170.36, -0.19 -170.36, -0.19 -170.36" stroke="#1e1e1e" stroke-width="2.5" fill="none"/></g></g><mask/><g transform="translate(255.26364065701262 138.64661465099925) rotate(0 12 12)"><use href="#image-92a881e3924c72134888938407657fee82e47e5c" width="24" height="24" opacity="1"/></g><g transform="translate(256.7636406570126 491.14661465099925) rotate(0 12 12)"><use href="#image-92a881e3924c72134888938407657fee82e47e5c" width="24" height="24" opacity="1"/></g></svg>
\ No newline at end of file
diff --git a/docs/index.mdx b/docs/index.mdx
new file mode 100644
index 0000000..c1f5866
--- /dev/null
+++ b/docs/index.mdx
@@ -0,0 +1 @@
+sdfsdfdsf
\ No newline at end of file
diff --git a/lapdev-api/pages/main.css b/lapdev-api/pages/main.css
deleted file mode 100644
index 85e5c9a..0000000
--- a/lapdev-api/pages/main.css
+++ /dev/null
@@ -1,1042 +0,0 @@
-/*
-! tailwindcss v3.4.1 | MIT License | https://tailwindcss.com
-*/
-
-/*
-1. Prevent padding and border from affecting element width. (https://github.com/mozdevs/cssremedy/issues/4)
-2. Allow adding a border to an element by just adding a border-width. (https://github.com/tailwindcss/tailwindcss/pull/116)
-*/
-
-*,
-::before,
-::after {
-  box-sizing: border-box;
-  /* 1 */
-  border-width: 0;
-  /* 2 */
-  border-style: solid;
-  /* 2 */
-  border-color: #E5E7EB;
-  /* 2 */
-}
-
-::before,
-::after {
-  --tw-content: '';
-}
-
-/*
-1. Use a consistent sensible line-height in all browsers.
-2. Prevent adjustments of font size after orientation changes in iOS.
-3. Use a more readable tab size.
-4. Use the user's configured `sans` font-family by default.
-5. Use the user's configured `sans` font-feature-settings by default.
-6. Use the user's configured `sans` font-variation-settings by default.
-7. Disable tap highlights on iOS
-*/
-
-html,
-:host {
-  line-height: 1.5;
-  /* 1 */
-  -webkit-text-size-adjust: 100%;
-  /* 2 */
-  -moz-tab-size: 4;
-  /* 3 */
-  -o-tab-size: 4;
-     tab-size: 4;
-  /* 3 */
-  font-family: ui-sans-serif, system-ui, sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol", "Noto Color Emoji";
-  /* 4 */
-  font-feature-settings: normal;
-  /* 5 */
-  font-variation-settings: normal;
-  /* 6 */
-  -webkit-tap-highlight-color: transparent;
-  /* 7 */
-}
-
-/*
-1. Remove the margin in all browsers.
-2. Inherit line-height from `html` so users can set them as a class directly on the `html` element.
-*/
-
-body {
-  margin: 0;
-  /* 1 */
-  line-height: inherit;
-  /* 2 */
-}
-
-/*
-1. Add the correct height in Firefox.
-2. Correct the inheritance of border color in Firefox. (https://bugzilla.mozilla.org/show_bug.cgi?id=190655)
-3. Ensure horizontal rules are visible by default.
-*/
-
-hr {
-  height: 0;
-  /* 1 */
-  color: inherit;
-  /* 2 */
-  border-top-width: 1px;
-  /* 3 */
-}
-
-/*
-Add the correct text decoration in Chrome, Edge, and Safari.
-*/
-
-abbr:where([title]) {
-  -webkit-text-decoration: underline dotted;
-          text-decoration: underline dotted;
-}
-
-/*
-Remove the default font size and weight for headings.
-*/
-
-h1,
-h2,
-h3,
-h4,
-h5,
-h6 {
-  font-size: inherit;
-  font-weight: inherit;
-}
-
-/*
-Reset links to optimize for opt-in styling instead of opt-out.
-*/
-
-a {
-  color: inherit;
-  text-decoration: inherit;
-}
-
-/*
-Add the correct font weight in Edge and Safari.
-*/
-
-b,
-strong {
-  font-weight: bolder;
-}
-
-/*
-1. Use the user's configured `mono` font-family by default.
-2. Use the user's configured `mono` font-feature-settings by default.
-3. Use the user's configured `mono` font-variation-settings by default.
-4. Correct the odd `em` font sizing in all browsers.
-*/
-
-code,
-kbd,
-samp,
-pre {
-  font-family: ui-monospace, SFMono-Regular, Menlo, Monaco, Consolas, "Liberation Mono", "Courier New", monospace;
-  /* 1 */
-  font-feature-settings: normal;
-  /* 2 */
-  font-variation-settings: normal;
-  /* 3 */
-  font-size: 1em;
-  /* 4 */
-}
-
-/*
-Add the correct font size in all browsers.
-*/
-
-small {
-  font-size: 80%;
-}
-
-/*
-Prevent `sub` and `sup` elements from affecting the line height in all browsers.
-*/
-
-sub,
-sup {
-  font-size: 75%;
-  line-height: 0;
-  position: relative;
-  vertical-align: baseline;
-}
-
-sub {
-  bottom: -0.25em;
-}
-
-sup {
-  top: -0.5em;
-}
-
-/*
-1. Remove text indentation from table contents in Chrome and Safari. (https://bugs.chromium.org/p/chromium/issues/detail?id=999088, https://bugs.webkit.org/show_bug.cgi?id=201297)
-2. Correct table border color inheritance in all Chrome and Safari. (https://bugs.chromium.org/p/chromium/issues/detail?id=935729, https://bugs.webkit.org/show_bug.cgi?id=195016)
-3. Remove gaps between table borders by default.
-*/
-
-table {
-  text-indent: 0;
-  /* 1 */
-  border-color: inherit;
-  /* 2 */
-  border-collapse: collapse;
-  /* 3 */
-}
-
-/*
-1. Change the font styles in all browsers.
-2. Remove the margin in Firefox and Safari.
-3. Remove default padding in all browsers.
-*/
-
-button,
-input,
-optgroup,
-select,
-textarea {
-  font-family: inherit;
-  /* 1 */
-  font-feature-settings: inherit;
-  /* 1 */
-  font-variation-settings: inherit;
-  /* 1 */
-  font-size: 100%;
-  /* 1 */
-  font-weight: inherit;
-  /* 1 */
-  line-height: inherit;
-  /* 1 */
-  color: inherit;
-  /* 1 */
-  margin: 0;
-  /* 2 */
-  padding: 0;
-  /* 3 */
-}
-
-/*
-Remove the inheritance of text transform in Edge and Firefox.
-*/
-
-button,
-select {
-  text-transform: none;
-}
-
-/*
-1. Correct the inability to style clickable types in iOS and Safari.
-2. Remove default button styles.
-*/
-
-button,
-[type='button'],
-[type='reset'],
-[type='submit'] {
-  -webkit-appearance: button;
-  /* 1 */
-  background-color: transparent;
-  /* 2 */
-  background-image: none;
-  /* 2 */
-}
-
-/*
-Use the modern Firefox focus style for all focusable elements.
-*/
-
-:-moz-focusring {
-  outline: auto;
-}
-
-/*
-Remove the additional `:invalid` styles in Firefox. (https://github.com/mozilla/gecko-dev/blob/2f9eacd9d3d995c937b4251a5557d95d494c9be1/layout/style/res/forms.css#L728-L737)
-*/
-
-:-moz-ui-invalid {
-  box-shadow: none;
-}
-
-/*
-Add the correct vertical alignment in Chrome and Firefox.
-*/
-
-progress {
-  vertical-align: baseline;
-}
-
-/*
-Correct the cursor style of increment and decrement buttons in Safari.
-*/
-
-::-webkit-inner-spin-button,
-::-webkit-outer-spin-button {
-  height: auto;
-}
-
-/*
-1. Correct the odd appearance in Chrome and Safari.
-2. Correct the outline style in Safari.
-*/
-
-[type='search'] {
-  -webkit-appearance: textfield;
-  /* 1 */
-  outline-offset: -2px;
-  /* 2 */
-}
-
-/*
-Remove the inner padding in Chrome and Safari on macOS.
-*/
-
-::-webkit-search-decoration {
-  -webkit-appearance: none;
-}
-
-/*
-1. Correct the inability to style clickable types in iOS and Safari.
-2. Change font properties to `inherit` in Safari.
-*/
-
-::-webkit-file-upload-button {
-  -webkit-appearance: button;
-  /* 1 */
-  font: inherit;
-  /* 2 */
-}
-
-/*
-Add the correct display in Chrome and Safari.
-*/
-
-summary {
-  display: list-item;
-}
-
-/*
-Removes the default spacing and border for appropriate elements.
-*/
-
-blockquote,
-dl,
-dd,
-h1,
-h2,
-h3,
-h4,
-h5,
-h6,
-hr,
-figure,
-p,
-pre {
-  margin: 0;
-}
-
-fieldset {
-  margin: 0;
-  padding: 0;
-}
-
-legend {
-  padding: 0;
-}
-
-ol,
-ul,
-menu {
-  list-style: none;
-  margin: 0;
-  padding: 0;
-}
-
-/*
-Reset default styling for dialogs.
-*/
-
-dialog {
-  padding: 0;
-}
-
-/*
-Prevent resizing textareas horizontally by default.
-*/
-
-textarea {
-  resize: vertical;
-}
-
-/*
-1. Reset the default placeholder opacity in Firefox. (https://github.com/tailwindlabs/tailwindcss/issues/3300)
-2. Set the default placeholder color to the user's configured gray 400 color.
-*/
-
-input::-moz-placeholder, textarea::-moz-placeholder {
-  opacity: 1;
-  /* 1 */
-  color: #9CA3AF;
-  /* 2 */
-}
-
-input::placeholder,
-textarea::placeholder {
-  opacity: 1;
-  /* 1 */
-  color: #9CA3AF;
-  /* 2 */
-}
-
-/*
-Set the default cursor for buttons.
-*/
-
-button,
-[role="button"] {
-  cursor: pointer;
-}
-
-/*
-Make sure disabled buttons don't get the pointer cursor.
-*/
-
-:disabled {
-  cursor: default;
-}
-
-/*
-1. Make replaced elements `display: block` by default. (https://github.com/mozdevs/cssremedy/issues/14)
-2. Add `vertical-align: middle` to align replaced elements more sensibly by default. (https://github.com/jensimmons/cssremedy/issues/14#issuecomment-634934210)
-   This can trigger a poorly considered lint error in some tools but is included by design.
-*/
-
-img,
-svg,
-video,
-canvas,
-audio,
-iframe,
-embed,
-object {
-  display: block;
-  /* 1 */
-  vertical-align: middle;
-  /* 2 */
-}
-
-/*
-Constrain images and videos to the parent width and preserve their intrinsic aspect ratio. (https://github.com/mozdevs/cssremedy/issues/14)
-*/
-
-img,
-video {
-  max-width: 100%;
-  height: auto;
-}
-
-/* Make elements with the HTML hidden attribute stay hidden by default */
-
-[hidden] {
-  display: none;
-}
-
-[data-popper-arrow],[data-popper-arrow]:before {
-  position: absolute;
-  width: 8px;
-  height: 8px;
-  background: inherit;
-}
-
-[data-popper-arrow] {
-  visibility: hidden;
-}
-
-[data-popper-arrow]:before {
-  content: "";
-  visibility: visible;
-  transform: rotate(45deg);
-}
-
-[data-popper-arrow]:after {
-  content: "";
-  visibility: visible;
-  transform: rotate(45deg);
-  position: absolute;
-  width: 9px;
-  height: 9px;
-  background: inherit;
-}
-
-[role="tooltip"] > [data-popper-arrow]:before {
-  border-style: solid;
-  border-color: #e5e7eb;
-}
-
-[role="tooltip"] > [data-popper-arrow]:after {
-  border-style: solid;
-  border-color: #e5e7eb;
-}
-
-[data-popover][role="tooltip"][data-popper-placement^='top'] > [data-popper-arrow]:before {
-  border-bottom-width: 1px;
-  border-right-width: 1px;
-}
-
-[data-popover][role="tooltip"][data-popper-placement^='top'] > [data-popper-arrow]:after {
-  border-bottom-width: 1px;
-  border-right-width: 1px;
-}
-
-[data-popover][role="tooltip"][data-popper-placement^='right'] > [data-popper-arrow]:before {
-  border-bottom-width: 1px;
-  border-left-width: 1px;
-}
-
-[data-popover][role="tooltip"][data-popper-placement^='right'] > [data-popper-arrow]:after {
-  border-bottom-width: 1px;
-  border-left-width: 1px;
-}
-
-[data-popover][role="tooltip"][data-popper-placement^='bottom'] > [data-popper-arrow]:before {
-  border-top-width: 1px;
-  border-left-width: 1px;
-}
-
-[data-popover][role="tooltip"][data-popper-placement^='bottom'] > [data-popper-arrow]:after {
-  border-top-width: 1px;
-  border-left-width: 1px;
-}
-
-[data-popover][role="tooltip"][data-popper-placement^='left'] > [data-popper-arrow]:before {
-  border-top-width: 1px;
-  border-right-width: 1px;
-}
-
-[data-popover][role="tooltip"][data-popper-placement^='left'] > [data-popper-arrow]:after {
-  border-top-width: 1px;
-  border-right-width: 1px;
-}
-
-[data-popover][role="tooltip"][data-popper-placement^='top'] > [data-popper-arrow] {
-  bottom: -5px;
-}
-
-[data-popover][role="tooltip"][data-popper-placement^='bottom'] > [data-popper-arrow] {
-  top: -5px;
-}
-
-[data-popover][role="tooltip"][data-popper-placement^='left'] > [data-popper-arrow] {
-  right: -5px;
-}
-
-[data-popover][role="tooltip"][data-popper-placement^='right'] > [data-popper-arrow] {
-  left: -5px;
-}
-
-[type='text'],[type='email'],[type='url'],[type='password'],[type='number'],[type='date'],[type='datetime-local'],[type='month'],[type='search'],[type='tel'],[type='time'],[type='week'],[multiple],textarea,select {
-  -webkit-appearance: none;
-     -moz-appearance: none;
-          appearance: none;
-  background-color: #fff;
-  border-color: #6B7280;
-  border-width: 1px;
-  border-radius: 0px;
-  padding-top: 0.5rem;
-  padding-right: 0.75rem;
-  padding-bottom: 0.5rem;
-  padding-left: 0.75rem;
-  font-size: 1rem;
-  line-height: 1.5rem;
-  --tw-shadow: 0 0 #0000;
-}
-
-[type='text']:focus, [type='email']:focus, [type='url']:focus, [type='password']:focus, [type='number']:focus, [type='date']:focus, [type='datetime-local']:focus, [type='month']:focus, [type='search']:focus, [type='tel']:focus, [type='time']:focus, [type='week']:focus, [multiple]:focus, textarea:focus, select:focus {
-  outline: 2px solid transparent;
-  outline-offset: 2px;
-  --tw-ring-inset: var(--tw-empty,/*!*/ /*!*/);
-  --tw-ring-offset-width: 0px;
-  --tw-ring-offset-color: #fff;
-  --tw-ring-color: #1C64F2;
-  --tw-ring-offset-shadow: var(--tw-ring-inset) 0 0 0 var(--tw-ring-offset-width) var(--tw-ring-offset-color);
-  --tw-ring-shadow: var(--tw-ring-inset) 0 0 0 calc(1px + var(--tw-ring-offset-width)) var(--tw-ring-color);
-  box-shadow: var(--tw-ring-offset-shadow), var(--tw-ring-shadow), var(--tw-shadow);
-  border-color: #1C64F2;
-}
-
-input::-moz-placeholder, textarea::-moz-placeholder {
-  color: #6B7280;
-  opacity: 1;
-}
-
-input::placeholder,textarea::placeholder {
-  color: #6B7280;
-  opacity: 1;
-}
-
-::-webkit-datetime-edit-fields-wrapper {
-  padding: 0;
-}
-
-::-webkit-date-and-time-value {
-  min-height: 1.5em;
-}
-
-select:not([size]) {
-  background-image: url("data:image/svg+xml,%3csvg aria-hidden='true' xmlns='http://www.w3.org/2000/svg' fill='none' viewBox='0 0 10 6'%3e %3cpath stroke='%236B7280' stroke-linecap='round' stroke-linejoin='round' stroke-width='2' d='m1 1 4 4 4-4'/%3e %3c/svg%3e");
-  background-position: right 0.75rem center;
-  background-repeat: no-repeat;
-  background-size: 0.75em 0.75em;
-  padding-right: 2.5rem;
-  -webkit-print-color-adjust: exact;
-          print-color-adjust: exact;
-}
-
-:is([dir=rtl]) select:not([size]) {
-  background-position: left 0.75rem center;
-  padding-right: 0.75rem;
-  padding-left: 0;
-}
-
-[multiple] {
-  background-image: initial;
-  background-position: initial;
-  background-repeat: unset;
-  background-size: initial;
-  padding-right: 0.75rem;
-  -webkit-print-color-adjust: unset;
-          print-color-adjust: unset;
-}
-
-[type='checkbox'],[type='radio'] {
-  -webkit-appearance: none;
-     -moz-appearance: none;
-          appearance: none;
-  padding: 0;
-  -webkit-print-color-adjust: exact;
-          print-color-adjust: exact;
-  display: inline-block;
-  vertical-align: middle;
-  background-origin: border-box;
-  -webkit-user-select: none;
-     -moz-user-select: none;
-          user-select: none;
-  flex-shrink: 0;
-  height: 1rem;
-  width: 1rem;
-  color: #1C64F2;
-  background-color: #fff;
-  border-color: #6B7280;
-  border-width: 1px;
-  --tw-shadow: 0 0 #0000;
-}
-
-[type='checkbox'] {
-  border-radius: 0px;
-}
-
-[type='radio'] {
-  border-radius: 100%;
-}
-
-[type='checkbox']:focus,[type='radio']:focus {
-  outline: 2px solid transparent;
-  outline-offset: 2px;
-  --tw-ring-inset: var(--tw-empty,/*!*/ /*!*/);
-  --tw-ring-offset-width: 2px;
-  --tw-ring-offset-color: #fff;
-  --tw-ring-color: #1C64F2;
-  --tw-ring-offset-shadow: var(--tw-ring-inset) 0 0 0 var(--tw-ring-offset-width) var(--tw-ring-offset-color);
-  --tw-ring-shadow: var(--tw-ring-inset) 0 0 0 calc(2px + var(--tw-ring-offset-width)) var(--tw-ring-color);
-  box-shadow: var(--tw-ring-offset-shadow), var(--tw-ring-shadow), var(--tw-shadow);
-}
-
-[type='checkbox']:checked,[type='radio']:checked,.dark [type='checkbox']:checked,.dark [type='radio']:checked {
-  border-color: transparent;
-  background-color: currentColor;
-  background-size: 0.55em 0.55em;
-  background-position: center;
-  background-repeat: no-repeat;
-}
-
-[type='checkbox']:checked {
-  background-image: url("data:image/svg+xml,%3csvg aria-hidden='true' xmlns='http://www.w3.org/2000/svg' fill='none' viewBox='0 0 16 12'%3e %3cpath stroke='white' stroke-linecap='round' stroke-linejoin='round' stroke-width='3' d='M1 5.917 5.724 10.5 15 1.5'/%3e %3c/svg%3e");
-  background-repeat: no-repeat;
-  background-size: 0.55em 0.55em;
-  -webkit-print-color-adjust: exact;
-          print-color-adjust: exact;
-}
-
-[type='radio']:checked {
-  background-image: url("data:image/svg+xml,%3csvg viewBox='0 0 16 16' fill='white' xmlns='http://www.w3.org/2000/svg'%3e%3ccircle cx='8' cy='8' r='3'/%3e%3c/svg%3e");
-  background-size: 1em 1em;
-}
-
-[type='checkbox']:indeterminate {
-  background-image: url("data:image/svg+xml,%3csvg aria-hidden='true' xmlns='http://www.w3.org/2000/svg' fill='none' viewBox='0 0 16 12'%3e %3cpath stroke='white' stroke-linecap='round' stroke-linejoin='round' stroke-width='3' d='M1 5.917 5.724 10.5 15 1.5'/%3e %3c/svg%3e");
-  background-color: currentColor;
-  border-color: transparent;
-  background-position: center;
-  background-repeat: no-repeat;
-  background-size: 0.55em 0.55em;
-  -webkit-print-color-adjust: exact;
-          print-color-adjust: exact;
-}
-
-[type='checkbox']:indeterminate:hover,[type='checkbox']:indeterminate:focus {
-  border-color: transparent;
-  background-color: currentColor;
-}
-
-[type='file'] {
-  background: unset;
-  border-color: inherit;
-  border-width: 0;
-  border-radius: 0;
-  padding: 0;
-  font-size: unset;
-  line-height: inherit;
-}
-
-[type='file']:focus {
-  outline: 1px auto inherit;
-}
-
-input[type=file]::file-selector-button {
-  color: white;
-  background: #1F2937;
-  border: 0;
-  font-weight: 500;
-  font-size: 0.875rem;
-  cursor: pointer;
-  padding-top: 0.625rem;
-  padding-bottom: 0.625rem;
-  padding-left: 2rem;
-  padding-right: 1rem;
-  margin-inline-start: -1rem;
-  margin-inline-end: 1rem;
-}
-
-input[type=file]::file-selector-button:hover {
-  background: #374151;
-}
-
-:is([dir=rtl]) input[type=file]::file-selector-button {
-  padding-right: 2rem;
-  padding-left: 1rem;
-}
-
-input[type="range"]::-webkit-slider-thumb {
-  height: 1.25rem;
-  width: 1.25rem;
-  background: #1C64F2;
-  border-radius: 9999px;
-  border: 0;
-  appearance: none;
-  -moz-appearance: none;
-  -webkit-appearance: none;
-  cursor: pointer;
-}
-
-input[type="range"]:disabled::-webkit-slider-thumb {
-  background: #9CA3AF;
-}
-
-input[type="range"]:focus::-webkit-slider-thumb {
-  outline: 2px solid transparent;
-  outline-offset: 2px;
-  --tw-ring-offset-shadow: var(--tw-ring-inset) 0 0 0 var(--tw-ring-offset-width) var(--tw-ring-offset-color);
-  --tw-ring-shadow: var(--tw-ring-inset) 0 0 0 calc(4px + var(--tw-ring-offset-width)) var(--tw-ring-color);
-  box-shadow: var(--tw-ring-offset-shadow), var(--tw-ring-shadow), var(--tw-shadow, 0 0 #0000);
-  --tw-ring-opacity: 1px;
-  --tw-ring-color: rgb(164 202 254 / var(--tw-ring-opacity));
-}
-
-input[type="range"]::-moz-range-thumb {
-  height: 1.25rem;
-  width: 1.25rem;
-  background: #1C64F2;
-  border-radius: 9999px;
-  border: 0;
-  appearance: none;
-  -moz-appearance: none;
-  -webkit-appearance: none;
-  cursor: pointer;
-}
-
-input[type="range"]:disabled::-moz-range-thumb {
-  background: #9CA3AF;
-}
-
-input[type="range"]::-moz-range-progress {
-  background: #3F83F8;
-}
-
-input[type="range"]::-ms-fill-lower {
-  background: #3F83F8;
-}
-
-*, ::before, ::after {
-  --tw-border-spacing-x: 0;
-  --tw-border-spacing-y: 0;
-  --tw-translate-x: 0;
-  --tw-translate-y: 0;
-  --tw-rotate: 0;
-  --tw-skew-x: 0;
-  --tw-skew-y: 0;
-  --tw-scale-x: 1;
-  --tw-scale-y: 1;
-  --tw-pan-x:  ;
-  --tw-pan-y:  ;
-  --tw-pinch-zoom:  ;
-  --tw-scroll-snap-strictness: proximity;
-  --tw-gradient-from-position:  ;
-  --tw-gradient-via-position:  ;
-  --tw-gradient-to-position:  ;
-  --tw-ordinal:  ;
-  --tw-slashed-zero:  ;
-  --tw-numeric-figure:  ;
-  --tw-numeric-spacing:  ;
-  --tw-numeric-fraction:  ;
-  --tw-ring-inset:  ;
-  --tw-ring-offset-width: 0px;
-  --tw-ring-offset-color: #fff;
-  --tw-ring-color: rgb(63 131 248 / 0.5);
-  --tw-ring-offset-shadow: 0 0 #0000;
-  --tw-ring-shadow: 0 0 #0000;
-  --tw-shadow: 0 0 #0000;
-  --tw-shadow-colored: 0 0 #0000;
-  --tw-blur:  ;
-  --tw-brightness:  ;
-  --tw-contrast:  ;
-  --tw-grayscale:  ;
-  --tw-hue-rotate:  ;
-  --tw-invert:  ;
-  --tw-saturate:  ;
-  --tw-sepia:  ;
-  --tw-drop-shadow:  ;
-  --tw-backdrop-blur:  ;
-  --tw-backdrop-brightness:  ;
-  --tw-backdrop-contrast:  ;
-  --tw-backdrop-grayscale:  ;
-  --tw-backdrop-hue-rotate:  ;
-  --tw-backdrop-invert:  ;
-  --tw-backdrop-opacity:  ;
-  --tw-backdrop-saturate:  ;
-  --tw-backdrop-sepia:  ;
-}
-
-::backdrop {
-  --tw-border-spacing-x: 0;
-  --tw-border-spacing-y: 0;
-  --tw-translate-x: 0;
-  --tw-translate-y: 0;
-  --tw-rotate: 0;
-  --tw-skew-x: 0;
-  --tw-skew-y: 0;
-  --tw-scale-x: 1;
-  --tw-scale-y: 1;
-  --tw-pan-x:  ;
-  --tw-pan-y:  ;
-  --tw-pinch-zoom:  ;
-  --tw-scroll-snap-strictness: proximity;
-  --tw-gradient-from-position:  ;
-  --tw-gradient-via-position:  ;
-  --tw-gradient-to-position:  ;
-  --tw-ordinal:  ;
-  --tw-slashed-zero:  ;
-  --tw-numeric-figure:  ;
-  --tw-numeric-spacing:  ;
-  --tw-numeric-fraction:  ;
-  --tw-ring-inset:  ;
-  --tw-ring-offset-width: 0px;
-  --tw-ring-offset-color: #fff;
-  --tw-ring-color: rgb(63 131 248 / 0.5);
-  --tw-ring-offset-shadow: 0 0 #0000;
-  --tw-ring-shadow: 0 0 #0000;
-  --tw-shadow: 0 0 #0000;
-  --tw-shadow-colored: 0 0 #0000;
-  --tw-blur:  ;
-  --tw-brightness:  ;
-  --tw-contrast:  ;
-  --tw-grayscale:  ;
-  --tw-hue-rotate:  ;
-  --tw-invert:  ;
-  --tw-saturate:  ;
-  --tw-sepia:  ;
-  --tw-drop-shadow:  ;
-  --tw-backdrop-blur:  ;
-  --tw-backdrop-brightness:  ;
-  --tw-backdrop-contrast:  ;
-  --tw-backdrop-grayscale:  ;
-  --tw-backdrop-hue-rotate:  ;
-  --tw-backdrop-invert:  ;
-  --tw-backdrop-opacity:  ;
-  --tw-backdrop-saturate:  ;
-  --tw-backdrop-sepia:  ;
-}
-
-.mx-auto {
-  margin-left: auto;
-  margin-right: auto;
-}
-
-.mb-6 {
-  margin-bottom: 1.5rem;
-}
-
-.mr-4 {
-  margin-right: 1rem;
-}
-
-.flex {
-  display: flex;
-}
-
-.h-10 {
-  height: 2.5rem;
-}
-
-.h-6 {
-  height: 1.5rem;
-}
-
-.h-9 {
-  height: 2.25rem;
-}
-
-.w-1\/2 {
-  width: 50%;
-}
-
-.w-10 {
-  width: 2.5rem;
-}
-
-.w-64 {
-  width: 16rem;
-}
-
-.grid-cols-4 {
-  grid-template-columns: repeat(4, minmax(0, 1fr));
-}
-
-.grid-cols-7 {
-  grid-template-columns: repeat(7, minmax(0, 1fr));
-}
-
-.flex-col {
-  flex-direction: column;
-}
-
-.items-center {
-  align-items: center;
-}
-
-.justify-center {
-  justify-content: center;
-}
-
-.rounded-e-lg {
-  border-start-end-radius: 0.5rem;
-  border-end-end-radius: 0.5rem;
-}
-
-.rounded-l-lg {
-  border-top-left-radius: 0.5rem;
-  border-bottom-left-radius: 0.5rem;
-}
-
-.rounded-r-lg {
-  border-top-right-radius: 0.5rem;
-  border-bottom-right-radius: 0.5rem;
-}
-
-.rounded-s-lg {
-  border-start-start-radius: 0.5rem;
-  border-end-start-radius: 0.5rem;
-}
-
-.bg-gray-200 {
-  --tw-bg-opacity: 1;
-  background-color: rgb(229 231 235 / var(--tw-bg-opacity));
-}
-
-.bg-gray-50 {
-  --tw-bg-opacity: 1;
-  background-color: rgb(249 250 251 / var(--tw-bg-opacity));
-}
-
-.px-6 {
-  padding-left: 1.5rem;
-  padding-right: 1.5rem;
-}
-
-.py-8 {
-  padding-top: 2rem;
-  padding-bottom: 2rem;
-}
-
-.text-2xl {
-  font-size: 1.5rem;
-  line-height: 2rem;
-}
-
-.text-lg {
-  font-size: 1.125rem;
-  line-height: 1.75rem;
-}
-
-.font-semibold {
-  font-weight: 600;
-}
-
-.leading-6 {
-  line-height: 1.5rem;
-}
-
-.leading-9 {
-  line-height: 2.25rem;
-}
-
-.text-gray-900 {
-  --tw-text-opacity: 1;
-  color: rgb(17 24 39 / var(--tw-text-opacity));
-}
-
-.text-red-600 {
-  --tw-text-opacity: 1;
-  color: rgb(224 36 36 / var(--tw-text-opacity));
-}
-
-.shadow-lg {
-  --tw-shadow: 0 10px 15px -3px rgb(0 0 0 / 0.1), 0 4px 6px -4px rgb(0 0 0 / 0.1);
-  --tw-shadow-colored: 0 10px 15px -3px var(--tw-shadow-color), 0 4px 6px -4px var(--tw-shadow-color);
-  box-shadow: var(--tw-ring-offset-shadow, 0 0 #0000), var(--tw-ring-shadow, 0 0 #0000), var(--tw-shadow);
-}
-
-:is(.dark .dark\:bg-gray-900) {
-  --tw-bg-opacity: 1;
-  background-color: rgb(17 24 39 / var(--tw-bg-opacity));
-}
-
-:is(.dark .dark\:text-white) {
-  --tw-text-opacity: 1;
-  color: rgb(255 255 255 / var(--tw-text-opacity));
-}
-
-@media (min-width: 768px) {
-  .md\:h-screen {
-    height: 100vh;
-  }
-}
-
-@media (min-width: 1024px) {
-  .lg\:py-0 {
-    padding-top: 0px;
-    padding-bottom: 0px;
-  }
-}
\ No newline at end of file
diff --git a/lapdev-api/pages/not_authorised.html b/lapdev-api/pages/not_authorised.html
deleted file mode 100644
index fe03705..0000000
--- a/lapdev-api/pages/not_authorised.html
+++ /dev/null
@@ -1,22 +0,0 @@
-<!DOCTYPE html>
-<html>
-  <head>
-    <title>Lapdev Dashboard</title>
-    <link rel="stylesheet" href="/error-page/lapdev-main.css">
-  </head>
-  <body>
-    <section class="bg-gray-50">
-        <div class="flex flex-col items-center justify-center px-6 py-8 mx-auto md:h-screen lg:py-0">
-            <a href="#" class="flex items-center mb-6 text-2xl font-semibold text-gray-900">
-                <svg class="w-10 h-10 mr-4" xmlns="http://www.w3.org/2000/svg" fill="currentColor" viewBox="0 0 1024 1024">
-                    <path d="M512 0C390.759 0 279.426 42.2227 191.719 112.656L191.719 612L351.719 612L351.719 332L422 332L431.719 332L431.719 332.344C488.169 334.127 541.249 351.138 581.875 380.625C627.591 413.806 654.875 460.633 654.875 512C654.875 563.367 627.591 610.194 581.875 643.375C541.249 672.862 488.169 689.873 431.719 691.656L431.719 1017.69C457.88 1021.81 484.68 1024 512 1024C794.77 1024 1024 794.77 1024 512C1024 229.23 794.77 0 512 0ZM111.719 192.906C41.8539 280.432 0 391.303 0 512C0 738.766 147.487 930.96 351.719 998.25L351.719 692L151.719 692L151.719 691.844L111.719 691.844L111.719 192.906ZM738.219 372C741.597 372.107 745.042 373.02 748.312 374.812L946.281 483.312C952.311 486.616 956.692 492.393 959.188 499.156C959.821 500.874 960.317 502.641 960.688 504.469C960.764 504.834 960.841 505.196 960.906 505.562C961.12 506.807 961.225 508.071 961.312 509.344C961.378 510.235 961.498 511.112 961.5 512C961.498 512.888 961.378 513.765 961.312 514.656C961.226 515.929 961.12 517.193 960.906 518.438C960.841 518.804 960.764 519.166 960.688 519.531C960.317 521.359 959.821 523.126 959.188 524.844C956.692 531.608 952.311 537.384 946.281 540.688L748.312 649.188C735.232 656.355 719.818 649.367 713.875 633.594C707.932 617.82 713.7 599.23 726.781 592.062L872.875 512L726.781 431.938C713.7 424.771 707.932 406.18 713.875 390.406C718.332 378.576 728.085 371.678 738.219 372ZM431.719 412.344L431.719 611.656C513.56 608.208 574.875 561.985 574.875 512C574.875 462.015 513.56 415.792 431.719 412.344Z" />
-                    <path d="M742 403.688C740.062 403.483 738.097 404.438 737.094 406.25C735.756 408.666 736.615 411.694 739.031 413.031L925.719 516.375C928.135 517.712 931.194 516.822 932.531 514.406C933.869 511.99 932.979 508.962 930.562 507.625L743.875 404.281C743.271 403.947 742.646 403.756 742 403.688Z" />
-                    <path d="M927.5 507.031C926.856 507.115 926.221 507.339 925.625 507.688L738.938 616.906C736.554 618.301 735.762 621.335 737.156 623.719C738.551 626.102 741.616 626.926 744 625.531L930.688 516.312C933.071 514.918 933.863 511.852 932.469 509.469C931.423 507.681 929.432 506.78 927.5 507.031Z" />
-                </svg>
-                Lapdev
-            </a>
-            <p class="text-red-600 text-lg">Not authorised</p>
-        </div>
-    </section>
-  </body>
-</html>
diff --git a/lapdev-api/pages/not_forwarded.html b/lapdev-api/pages/not_forwarded.html
deleted file mode 100644
index 9e94084..0000000
--- a/lapdev-api/pages/not_forwarded.html
+++ /dev/null
@@ -1,22 +0,0 @@
-<!DOCTYPE html>
-<html>
-  <head>
-    <title>Lapdev Dashboard</title>
-    <link rel="stylesheet" href="/error-page/lapdev-main.css">
-  </head>
-  <body>
-    <section class="bg-gray-50">
-        <div class="flex flex-col items-center justify-center px-6 py-8 mx-auto md:h-screen lg:py-0">
-            <a href="#" class="flex items-center mb-6 text-2xl font-semibold text-gray-900">
-                <svg class="w-10 h-10 mr-4" xmlns="http://www.w3.org/2000/svg" fill="currentColor" viewBox="0 0 1024 1024">
-                    <path d="M512 0C390.759 0 279.426 42.2227 191.719 112.656L191.719 612L351.719 612L351.719 332L422 332L431.719 332L431.719 332.344C488.169 334.127 541.249 351.138 581.875 380.625C627.591 413.806 654.875 460.633 654.875 512C654.875 563.367 627.591 610.194 581.875 643.375C541.249 672.862 488.169 689.873 431.719 691.656L431.719 1017.69C457.88 1021.81 484.68 1024 512 1024C794.77 1024 1024 794.77 1024 512C1024 229.23 794.77 0 512 0ZM111.719 192.906C41.8539 280.432 0 391.303 0 512C0 738.766 147.487 930.96 351.719 998.25L351.719 692L151.719 692L151.719 691.844L111.719 691.844L111.719 192.906ZM738.219 372C741.597 372.107 745.042 373.02 748.312 374.812L946.281 483.312C952.311 486.616 956.692 492.393 959.188 499.156C959.821 500.874 960.317 502.641 960.688 504.469C960.764 504.834 960.841 505.196 960.906 505.562C961.12 506.807 961.225 508.071 961.312 509.344C961.378 510.235 961.498 511.112 961.5 512C961.498 512.888 961.378 513.765 961.312 514.656C961.226 515.929 961.12 517.193 960.906 518.438C960.841 518.804 960.764 519.166 960.688 519.531C960.317 521.359 959.821 523.126 959.188 524.844C956.692 531.608 952.311 537.384 946.281 540.688L748.312 649.188C735.232 656.355 719.818 649.367 713.875 633.594C707.932 617.82 713.7 599.23 726.781 592.062L872.875 512L726.781 431.938C713.7 424.771 707.932 406.18 713.875 390.406C718.332 378.576 728.085 371.678 738.219 372ZM431.719 412.344L431.719 611.656C513.56 608.208 574.875 561.985 574.875 512C574.875 462.015 513.56 415.792 431.719 412.344Z" />
-                    <path d="M742 403.688C740.062 403.483 738.097 404.438 737.094 406.25C735.756 408.666 736.615 411.694 739.031 413.031L925.719 516.375C928.135 517.712 931.194 516.822 932.531 514.406C933.869 511.99 932.979 508.962 930.562 507.625L743.875 404.281C743.271 403.947 742.646 403.756 742 403.688Z" />
-                    <path d="M927.5 507.031C926.856 507.115 926.221 507.339 925.625 507.688L738.938 616.906C736.554 618.301 735.762 621.335 737.156 623.719C738.551 626.102 741.616 626.926 744 625.531L930.688 516.312C933.071 514.918 933.863 511.852 932.469 509.469C931.423 507.681 929.432 506.78 927.5 507.031Z" />
-                </svg>
-                Lapdev
-            </a>
-            <p class="text-red-600 text-lg">Workspace port not forwarded</p>
-        </div>
-    </section>
-  </body>
-</html>
diff --git a/lapdev-api/pages/not_found.html b/lapdev-api/pages/not_found.html
deleted file mode 100644
index cc58110..0000000
--- a/lapdev-api/pages/not_found.html
+++ /dev/null
@@ -1,22 +0,0 @@
-<!DOCTYPE html>
-<html>
-  <head>
-    <title>Lapdev Dashboard</title>
-    <link rel="stylesheet" href="/error-page/lapdev-main.css">
-  </head>
-  <body>
-    <section class="bg-gray-50">
-        <div class="flex flex-col items-center justify-center px-6 py-8 mx-auto md:h-screen lg:py-0">
-            <a href="#" class="flex items-center mb-6 text-2xl font-semibold text-gray-900">
-                <svg class="w-10 h-10 mr-4" xmlns="http://www.w3.org/2000/svg" fill="currentColor" viewBox="0 0 1024 1024">
-                    <path d="M512 0C390.759 0 279.426 42.2227 191.719 112.656L191.719 612L351.719 612L351.719 332L422 332L431.719 332L431.719 332.344C488.169 334.127 541.249 351.138 581.875 380.625C627.591 413.806 654.875 460.633 654.875 512C654.875 563.367 627.591 610.194 581.875 643.375C541.249 672.862 488.169 689.873 431.719 691.656L431.719 1017.69C457.88 1021.81 484.68 1024 512 1024C794.77 1024 1024 794.77 1024 512C1024 229.23 794.77 0 512 0ZM111.719 192.906C41.8539 280.432 0 391.303 0 512C0 738.766 147.487 930.96 351.719 998.25L351.719 692L151.719 692L151.719 691.844L111.719 691.844L111.719 192.906ZM738.219 372C741.597 372.107 745.042 373.02 748.312 374.812L946.281 483.312C952.311 486.616 956.692 492.393 959.188 499.156C959.821 500.874 960.317 502.641 960.688 504.469C960.764 504.834 960.841 505.196 960.906 505.562C961.12 506.807 961.225 508.071 961.312 509.344C961.378 510.235 961.498 511.112 961.5 512C961.498 512.888 961.378 513.765 961.312 514.656C961.226 515.929 961.12 517.193 960.906 518.438C960.841 518.804 960.764 519.166 960.688 519.531C960.317 521.359 959.821 523.126 959.188 524.844C956.692 531.608 952.311 537.384 946.281 540.688L748.312 649.188C735.232 656.355 719.818 649.367 713.875 633.594C707.932 617.82 713.7 599.23 726.781 592.062L872.875 512L726.781 431.938C713.7 424.771 707.932 406.18 713.875 390.406C718.332 378.576 728.085 371.678 738.219 372ZM431.719 412.344L431.719 611.656C513.56 608.208 574.875 561.985 574.875 512C574.875 462.015 513.56 415.792 431.719 412.344Z" />
-                    <path d="M742 403.688C740.062 403.483 738.097 404.438 737.094 406.25C735.756 408.666 736.615 411.694 739.031 413.031L925.719 516.375C928.135 517.712 931.194 516.822 932.531 514.406C933.869 511.99 932.979 508.962 930.562 507.625L743.875 404.281C743.271 403.947 742.646 403.756 742 403.688Z" />
-                    <path d="M927.5 507.031C926.856 507.115 926.221 507.339 925.625 507.688L738.938 616.906C736.554 618.301 735.762 621.335 737.156 623.719C738.551 626.102 741.616 626.926 744 625.531L930.688 516.312C933.071 514.918 933.863 511.852 932.469 509.469C931.423 507.681 929.432 506.78 927.5 507.031Z" />
-                </svg>
-                Lapdev
-            </a>
-            <p class="text-red-600 text-lg">Workspace not found</p>
-        </div>
-    </section>
-  </body>
-</html>
diff --git a/lapdev-api/pages/not_running.html b/lapdev-api/pages/not_running.html
deleted file mode 100644
index 5757809..0000000
--- a/lapdev-api/pages/not_running.html
+++ /dev/null
@@ -1,22 +0,0 @@
-<!DOCTYPE html>
-<html>
-  <head>
-    <title>Lapdev Dashboard</title>
-    <link rel="stylesheet" href="/error-page/lapdev-main.css">
-  </head>
-  <body>
-    <section class="bg-gray-50">
-        <div class="flex flex-col items-center justify-center px-6 py-8 mx-auto md:h-screen lg:py-0">
-            <a href="#" class="flex items-center mb-6 text-2xl font-semibold text-gray-900">
-                <svg class="w-10 h-10 mr-4" xmlns="http://www.w3.org/2000/svg" fill="currentColor" viewBox="0 0 1024 1024">
-                    <path d="M512 0C390.759 0 279.426 42.2227 191.719 112.656L191.719 612L351.719 612L351.719 332L422 332L431.719 332L431.719 332.344C488.169 334.127 541.249 351.138 581.875 380.625C627.591 413.806 654.875 460.633 654.875 512C654.875 563.367 627.591 610.194 581.875 643.375C541.249 672.862 488.169 689.873 431.719 691.656L431.719 1017.69C457.88 1021.81 484.68 1024 512 1024C794.77 1024 1024 794.77 1024 512C1024 229.23 794.77 0 512 0ZM111.719 192.906C41.8539 280.432 0 391.303 0 512C0 738.766 147.487 930.96 351.719 998.25L351.719 692L151.719 692L151.719 691.844L111.719 691.844L111.719 192.906ZM738.219 372C741.597 372.107 745.042 373.02 748.312 374.812L946.281 483.312C952.311 486.616 956.692 492.393 959.188 499.156C959.821 500.874 960.317 502.641 960.688 504.469C960.764 504.834 960.841 505.196 960.906 505.562C961.12 506.807 961.225 508.071 961.312 509.344C961.378 510.235 961.498 511.112 961.5 512C961.498 512.888 961.378 513.765 961.312 514.656C961.226 515.929 961.12 517.193 960.906 518.438C960.841 518.804 960.764 519.166 960.688 519.531C960.317 521.359 959.821 523.126 959.188 524.844C956.692 531.608 952.311 537.384 946.281 540.688L748.312 649.188C735.232 656.355 719.818 649.367 713.875 633.594C707.932 617.82 713.7 599.23 726.781 592.062L872.875 512L726.781 431.938C713.7 424.771 707.932 406.18 713.875 390.406C718.332 378.576 728.085 371.678 738.219 372ZM431.719 412.344L431.719 611.656C513.56 608.208 574.875 561.985 574.875 512C574.875 462.015 513.56 415.792 431.719 412.344Z" />
-                    <path d="M742 403.688C740.062 403.483 738.097 404.438 737.094 406.25C735.756 408.666 736.615 411.694 739.031 413.031L925.719 516.375C928.135 517.712 931.194 516.822 932.531 514.406C933.869 511.99 932.979 508.962 930.562 507.625L743.875 404.281C743.271 403.947 742.646 403.756 742 403.688Z" />
-                    <path d="M927.5 507.031C926.856 507.115 926.221 507.339 925.625 507.688L738.938 616.906C736.554 618.301 735.762 621.335 737.156 623.719C738.551 626.102 741.616 626.926 744 625.531L930.688 516.312C933.071 514.918 933.863 511.852 932.469 509.469C931.423 507.681 929.432 506.78 927.5 507.031Z" />
-                </svg>
-                Lapdev
-            </a>
-            <p class="text-red-600 text-lg">Workspace not running</p>
-        </div>
-    </section>
-  </body>
-</html>
diff --git a/lapdev-api/src/router.rs b/lapdev-api/src/router.rs
deleted file mode 100644
index 0203b9a..0000000
--- a/lapdev-api/src/router.rs
+++ /dev/null
@@ -1,470 +0,0 @@
-use axum::{
-    body::Body,
-    extract::{Host, State, WebSocketUpgrade},
-    http::Request,
-    middleware::{self, Next},
-    response::{IntoResponse, Response},
-    routing::{any, delete, get, post, put},
-    Router,
-};
-use axum_client_ip::SecureClientIpSource;
-use axum_extra::{headers, TypedHeader};
-use hyper::StatusCode;
-use lapdev_common::WorkspaceStatus;
-use lapdev_proxy_http::{forward::ProxyForward, proxy::WorkspaceForwardError};
-use lapdev_rpc::error::ApiError;
-
-use crate::{
-    account, admin, machine_type, organization, project,
-    session::{logout, new_session, session_authorize},
-    state::CoreState,
-    websocket::handle_websocket,
-    workspace,
-};
-
-static STATIC_DIR: include_dir::Dir =
-    include_dir::include_dir!("$CARGO_MANIFEST_DIR/../lapdev-dashboard/dist");
-const PAGE_NOT_FOUND: &[u8] = include_bytes!("../pages/not_found.html");
-const PAGE_NOT_AUTHORISED: &[u8] = include_bytes!("../pages/not_authorised.html");
-const PAGE_NOT_RUNNING: &[u8] = include_bytes!("../pages/not_running.html");
-const PAGE_NOT_FORWARDED: &[u8] = include_bytes!("../pages/not_forwarded.html");
-const PAGE_CSS: &[u8] = include_bytes!("../pages/main.css");
-
-fn private_routes() -> Router<CoreState> {
-    Router::new()
-        .route("/session", get(new_session))
-        .route("/session", delete(logout))
-        .route("/session/authorize", get(session_authorize))
-        .route("/me", get(account::me))
-        .route(
-            "/me/organization/:org_id",
-            put(account::set_current_organization),
-        )
-}
-
-async fn not_found() -> impl IntoResponse {
-    StatusCode::NOT_FOUND
-}
-
-fn v1_api_routes(additional_router: Option<Router<CoreState>>) -> Router<CoreState> {
-    let router = Router::new()
-        .route("/", any(not_found))
-        .route("/*0", any(not_found))
-        .route("/cluster_info", get(admin::get_cluster_info))
-        .route("/auth_providers", get(admin::get_auth_providers))
-        .route("/hostnames", get(admin::get_hostnames))
-        .route("/machine_types", get(machine_type::all_machine_types))
-        .route("/join/:invitation_id", put(organization::join_organization))
-        .route("/organizations", post(organization::create_organization))
-        .route(
-            "/organizations/:org_id",
-            delete(organization::delete_organization),
-        )
-        .route(
-            "/organizations/:org_id/name",
-            put(organization::update_org_name),
-        )
-        .route(
-            "/organizations/:org_id/auto_start_stop",
-            put(organization::update_org_auto_start_stop),
-        )
-        .route(
-            "/organizations/:org_id/members",
-            get(organization::get_organization_members),
-        )
-        .route(
-            "/organizations/:org_id/members/:user_id",
-            put(organization::update_organization_member),
-        )
-        .route(
-            "/organizations/:org_id/members/:user_id",
-            delete(organization::delete_organization_member),
-        )
-        .route(
-            "/organizations/:org_id/invitations",
-            post(organization::create_user_invitation),
-        )
-        .route(
-            "/organizations/:org_id/usage",
-            get(organization::get_organization_usage),
-        )
-        .route(
-            "/organizations/:org_id/audit_logs",
-            get(organization::get_organization_audit_log),
-        )
-        .route(
-            "/organizations/:org_id/quota",
-            get(organization::get_organization_quota),
-        )
-        .route(
-            "/organizations/:org_id/quota",
-            put(organization::update_organization_quota),
-        )
-        .route(
-            "/organizations/:org_id/projects",
-            post(project::create_project),
-        )
-        .route(
-            "/organizations/:org_id/projects",
-            get(project::all_projects),
-        )
-        .route(
-            "/organizations/:org_id/projects/:project_id",
-            get(project::get_project),
-        )
-        .route(
-            "/organizations/:org_id/projects/:project_id",
-            delete(project::delete_project),
-        )
-        .route(
-            "/organizations/:org_id/projects/:project_id/branches",
-            get(project::get_project_branches),
-        )
-        .route(
-            "/organizations/:org_id/projects/:project_id/prebuilds",
-            get(project::get_project_prebuilds),
-        )
-        .route(
-            "/organizations/:org_id/projects/:project_id/prebuilds",
-            post(project::create_project_prebuild),
-        )
-        .route(
-            "/organizations/:org_id/projects/:project_id/prebuilds/:prebuild_id",
-            delete(project::delete_project_prebuild),
-        )
-        .route(
-            "/organizations/:org_id/projects/:project_id/machine_type/:machine_type_id",
-            put(project::update_project_machine_type),
-        )
-        .route(
-            "/organizations/:org_id/projects/:project_id/env",
-            get(project::get_project_env),
-        )
-        .route(
-            "/organizations/:org_id/projects/:project_id/env",
-            put(project::update_project_env),
-        )
-        .route(
-            "/organizations/:org_id/workspaces",
-            post(workspace::create_workspace),
-        )
-        .route(
-            "/organizations/:org_id/workspaces",
-            get(workspace::all_workspaces),
-        )
-        .route(
-            "/organizations/:org_id/workspaces/:workspace_name",
-            get(workspace::get_workspace),
-        )
-        .route(
-            "/organizations/:org_id/workspaces/:workspace_name",
-            delete(workspace::delete_workspace),
-        )
-        .route(
-            "/organizations/:org_id/workspaces/:workspace_name/start",
-            post(workspace::start_workspace),
-        )
-        .route(
-            "/organizations/:org_id/workspaces/:workspace_name/stop",
-            post(workspace::stop_workspace),
-        )
-        .route(
-            "/organizations/:org_id/workspaces/:workspace_name/pin",
-            post(workspace::pin_workspace),
-        )
-        .route(
-            "/organizations/:org_id/workspaces/:workspace_name/unpin",
-            post(workspace::unpin_workspace),
-        )
-        .route(
-            "/organizations/:org_id/workspaces/:workspace_name/rebuild",
-            post(workspace::rebuild_workspace),
-        )
-        .route(
-            "/organizations/:org_id/workspaces/:workspace_name/ports",
-            get(workspace::workspace_ports),
-        )
-        .route(
-            "/organizations/:org_id/workspaces/:workspace_name/ports/:port",
-            put(workspace::update_workspace_port),
-        )
-        .route("/account/ssh_keys", post(account::create_ssh_key))
-        .route("/account/ssh_keys", get(account::all_ssh_keys))
-        .route("/account/ssh_keys/:key_id", delete(account::delete_ssh_key))
-        .route("/account/git_providers", get(account::get_git_providers))
-        .route(
-            "/account/git_providers/connect",
-            put(account::connect_git_provider),
-        )
-        .route(
-            "/account/git_providers/disconnect",
-            put(account::disconnect_git_provider),
-        )
-        .route(
-            "/account/git_providers/update_scope",
-            put(account::update_scope),
-        )
-        .route("/admin/workspace_hosts", get(admin::get_workspace_hosts))
-        .route("/admin/workspace_hosts", post(admin::create_workspace_host))
-        .route(
-            "/admin/workspace_hosts/:workspace_host_id",
-            put(admin::update_workspace_host),
-        )
-        .route(
-            "/admin/workspace_hosts/:workspace_host_id",
-            delete(admin::delete_workspace_host),
-        )
-        .route("/admin/license", get(admin::get_license))
-        .route("/admin/license", put(admin::update_license))
-        .route("/admin/new_license", post(admin::new_license))
-        .route("/admin/oauth", get(admin::get_oauth))
-        .route("/admin/oauth", put(admin::update_oauth))
-        .route("/admin/certs", get(admin::get_certs))
-        .route("/admin/certs", put(admin::update_certs))
-        .route("/admin/hostnames", put(admin::update_hostnames))
-        .route("/admin/cpu_overcommit", get(admin::get_cpu_overcommit))
-        .route(
-            "/admin/cpu_overcommit/:value",
-            put(admin::update_cpu_overcommit),
-        )
-        .route(
-            "/admin/machine_types",
-            post(machine_type::create_machine_type),
-        )
-        .route(
-            "/admin/machine_types/:machine_type_id",
-            put(machine_type::update_machine_type),
-        )
-        .route(
-            "/admin/machine_types/:machine_type_id",
-            delete(machine_type::delete_machine_type),
-        )
-        .route("/admin/users", get(admin::get_cluster_users))
-        .route("/admin/users/:user_id", put(admin::update_cluster_user))
-        .route(
-            "/admin/organizations/:org_id/clear",
-            put(organization::clear_organization),
-        );
-    if let Some(additional) = additional_router {
-        router.merge(additional)
-    } else {
-        router
-    }
-}
-
-fn main_routes(additional_router: Option<Router<CoreState>>) -> Router<CoreState> {
-    Router::new()
-        .nest("/v1", v1_api_routes(additional_router))
-        .nest("/private", private_routes())
-}
-
-pub async fn build_router(
-    state: CoreState,
-    additional_router: Option<Router<CoreState>>,
-) -> Router<()> {
-    Router::new()
-        .route("/", any(handle_catch_all))
-        .route("/*0", any(handle_catch_all))
-        .route("/health-check", get(health_check))
-        .nest("/api", main_routes(additional_router))
-        .route_layer(middleware::from_fn_with_state(
-            state.clone(),
-            forward_middleware,
-        ))
-        .with_state(state)
-        .layer(SecureClientIpSource::ConnectInfo.into_extension())
-}
-
-async fn health_check() {}
-
-async fn handle_catch_all(
-    websocket: Option<WebSocketUpgrade>,
-    State(state): State<CoreState>,
-    TypedHeader(cookie): TypedHeader<headers::Cookie>,
-    req: Request<Body>,
-) -> Result<Response, ApiError> {
-    let path = req.uri().path();
-
-    if let Some(websocket) = websocket {
-        let uri = req.uri();
-        let path = uri.path();
-        let query = uri.query();
-        let resp = handle_websocket(path, query, websocket, cookie, state).await?;
-        return Ok(resp);
-    }
-
-    if let Some(f) = path.strip_prefix("/static/") {
-        let accept_gzip = req
-            .headers()
-            .get("Accept-Encoding")
-            .and_then(|h| h.to_str().ok())
-            .map(|s| s.contains("gzip"))
-            .unwrap_or(false);
-        if let Some(file) = if let Some(d) = state.static_dir.as_ref() {
-            d.get_file(f)
-        } else {
-            STATIC_DIR.get_file(f)
-        } {
-            let content_type = if f.ends_with(".css") {
-                Some("text/css")
-            } else if f.ends_with(".js") {
-                Some("text/javascript")
-            } else if f.ends_with(".wasm") {
-                Some("application/wasm")
-            } else if f.ends_with(".ico") {
-                Some("image/vnd.microsoft.icon")
-            } else {
-                None
-            };
-            if let Some(content_type) = content_type {
-                if accept_gzip {
-                    if let Some(file) = if let Some(d) = state.static_dir.as_ref() {
-                        d.get_file(format!("{f}.gz"))
-                    } else {
-                        STATIC_DIR.get_file(format!("{f}.gz"))
-                    } {
-                        return Ok((
-                            [
-                                (axum::http::header::CONTENT_TYPE, content_type),
-                                (
-                                    axum::http::header::CACHE_CONTROL,
-                                    "public, max-age=31536000",
-                                ),
-                                (axum::http::header::CONTENT_ENCODING, "gzip"),
-                            ],
-                            file.contents(),
-                        )
-                            .into_response());
-                    }
-                }
-                return Ok((
-                    [
-                        (axum::http::header::CONTENT_TYPE, content_type),
-                        (
-                            axum::http::header::CACHE_CONTROL,
-                            "public, max-age=31536000",
-                        ),
-                    ],
-                    file.contents(),
-                )
-                    .into_response());
-            }
-        }
-    }
-
-    if let Some(file) = if let Some(d) = state.static_dir.as_ref() {
-        d.get_file("index.html")
-    } else {
-        STATIC_DIR.get_file("index.html")
-    } {
-        return Ok(axum::response::Html::from(file.contents()).into_response());
-    }
-
-    Err(ApiError::InvalidRequest("Invalid Request".to_string()))
-}
-
-async fn forward_middleware(
-    Host(hostname): Host,
-    websocket: Option<WebSocketUpgrade>,
-    State(state): State<CoreState>,
-    TypedHeader(cookie): TypedHeader<headers::Cookie>,
-    req: axum::extract::Request,
-    next: Next,
-) -> Result<Response, ApiError> {
-    let path = req.uri().path();
-    let path_query = req
-        .uri()
-        .path_and_query()
-        .map(|v| v.as_str())
-        .unwrap_or(path);
-    let hostname = hostname
-        .split(":")
-        .next()
-        .ok_or_else(|| ApiError::InternalError("can't split : from hostname".to_string()))?;
-    let is_forward = state
-        .conductor
-        .hostnames
-        .read()
-        .await
-        .values()
-        .any(|v| v != hostname && hostname.ends_with(v));
-    if !is_forward {
-        if let Some(websocket) = websocket {
-            let uri = req.uri();
-            let path = uri.path();
-            let query = uri.query();
-            let resp = handle_websocket(path, query, websocket, cookie, state).await?;
-            return Ok(resp);
-        }
-
-        return Ok(next.run(req).await);
-    }
-
-    if path.starts_with("/error-page/lapdev-main.css") {
-        return Ok((
-            [
-                (axum::http::header::CONTENT_TYPE, "text/css"),
-                (
-                    axum::http::header::CACHE_CONTROL,
-                    "public, max-age=31536000",
-                ),
-            ],
-            PAGE_CSS,
-        )
-            .into_response());
-    }
-
-    let user = state.authenticate(&cookie).await.ok();
-    match lapdev_proxy_http::proxy::forward_workspace(hostname, &state.db, user.as_ref()).await {
-        Ok((ws, port)) => {
-            if ws.status != WorkspaceStatus::Running.to_string() {
-                return Ok(axum::response::Html::from(PAGE_NOT_RUNNING).into_response());
-            }
-
-            let Some(workspace_host) = state.db.get_workspace_host(ws.host_id).await.ok().flatten()
-            else {
-                return Ok(axum::response::Html::from(PAGE_NOT_RUNNING).into_response());
-            };
-
-            let port = port
-                .map(|p| p.host_port as u16)
-                .or_else(|| ws.ide_port.map(|p| p as u16));
-            if let Some(forward) = lapdev_proxy_http::forward::handler(
-                &workspace_host.host,
-                path_query,
-                websocket,
-                req.headers(),
-                port,
-            )
-            .await
-            {
-                match forward {
-                    ProxyForward::Resp(resp) => Ok(resp),
-                    ProxyForward::Proxy(uri) => {
-                        // *req.uri_mut() = uri;
-                        let headers = req.headers().clone();
-                        let mut new_req = Request::builder()
-                            .method(req.method())
-                            .uri(uri)
-                            .body(req.into_body())
-                            .unwrap();
-                        *new_req.headers_mut() = headers;
-                        let resp = state.hyper_client.request(new_req).await?;
-                        Ok(resp.into_response())
-                    }
-                }
-            } else {
-                Ok(axum::response::Html::from(PAGE_NOT_FOUND).into_response())
-            }
-        }
-        Err(e) => {
-            let b = match e {
-                WorkspaceForwardError::WorkspaceNotFound => PAGE_NOT_FOUND,
-                WorkspaceForwardError::PortNotForwarded => PAGE_NOT_FORWARDED,
-                WorkspaceForwardError::InvalidHostname => PAGE_NOT_RUNNING,
-                WorkspaceForwardError::Unauthorised => PAGE_NOT_AUTHORISED,
-            };
-            Ok(axum::response::Html::from(b).into_response())
-        }
-    }
-}
diff --git a/lapdev-api/src/server.rs b/lapdev-api/src/server.rs
deleted file mode 100644
index d94349b..0000000
--- a/lapdev-api/src/server.rs
+++ /dev/null
@@ -1,226 +0,0 @@
-use std::{
-    path::{Path, PathBuf},
-    sync::Arc,
-};
-
-use anyhow::{anyhow, Context, Result};
-use axum::{extract::Request, Router};
-use clap::Parser;
-use futures_util::pin_mut;
-use hyper::body::Incoming;
-use hyper_util::rt::{TokioExecutor, TokioIo};
-use lapdev_conductor::Conductor;
-use lapdev_db::api::DbApi;
-use serde::Deserialize;
-use tokio::net::TcpListener;
-use tokio_rustls::TlsAcceptor;
-use tower::Service;
-use tracing::error;
-
-use crate::{cert::tls_config, router, state::CoreState};
-
-pub const LAPDEV_VERSION: &str = env!("CARGO_PKG_VERSION");
-
-#[derive(Clone, Deserialize, Default)]
-#[serde(rename_all = "kebab-case")]
-struct LapdevConfig {
-    db: Option<String>,
-    bind: Option<String>,
-    http_port: Option<u16>,
-    https_port: Option<u16>,
-    ssh_proxy_port: Option<u16>,
-    ssh_proxy_display_port: Option<u16>,
-    force_osuser: Option<String>,
-}
-
-#[derive(Parser)]
-#[clap(name = "lapdev")]
-#[clap(version = env!("CARGO_PKG_VERSION"))]
-struct Cli {
-    /// The config file path
-    #[clap(short, long, action, value_hint = clap::ValueHint::AnyPath)]
-    config_file: Option<PathBuf>,
-    /// The folder for putting logs
-    #[clap(short, long, action, value_hint = clap::ValueHint::AnyPath)]
-    logs_folder: Option<PathBuf>,
-    /// The folder for putting data
-    #[clap(short, long, action, value_hint = clap::ValueHint::AnyPath)]
-    data_folder: Option<PathBuf>,
-    /// Don't run db migration on startup
-    #[clap(short, long, action)]
-    no_migration: bool,
-}
-
-pub async fn start(
-    additional_router: Option<Router<CoreState>>,
-    static_dir: Option<include_dir::Dir<'static>>,
-) {
-    let cli = Cli::parse();
-    let data_folder = cli
-        .data_folder
-        .clone()
-        .unwrap_or_else(|| PathBuf::from("/var/lib/lapdev"));
-
-    let _result = setup_log(&cli, &data_folder).await;
-
-    if let Err(e) = run(&cli, additional_router, data_folder, static_dir).await {
-        tracing::error!("lapdev api start server error: {e:#}");
-    }
-}
-
-async fn run(
-    cli: &Cli,
-    additional_router: Option<Router<CoreState>>,
-    data_folder: PathBuf,
-    static_dir: Option<include_dir::Dir<'static>>,
-) -> Result<()> {
-    let config_file = cli
-        .config_file
-        .clone()
-        .unwrap_or_else(|| PathBuf::from("/etc/lapdev.conf"));
-    let config_content = tokio::fs::read_to_string(&config_file)
-        .await
-        .with_context(|| format!("can't read config file {}", config_file.to_string_lossy()))?;
-    let config: LapdevConfig =
-        toml::from_str(&config_content).with_context(|| "wrong config file format")?;
-    let db_url = config
-        .db
-        .ok_or_else(|| anyhow!("can't find database url in your config file"))?;
-
-    let db = DbApi::new(&db_url, cli.no_migration).await?;
-    let conductor =
-        Conductor::new(LAPDEV_VERSION, db.clone(), data_folder, config.force_osuser).await?;
-
-    let ssh_proxy_port = config.ssh_proxy_port.unwrap_or(2222);
-    let ssh_proxy_display_port = config.ssh_proxy_display_port.unwrap_or(2222);
-    {
-        let conductor = conductor.clone();
-        let bind = config.bind.clone();
-        tokio::spawn(async move {
-            if let Err(e) = lapdev_proxy_ssh::server::run(
-                conductor,
-                bind.as_deref().unwrap_or("0.0.0.0"),
-                ssh_proxy_port,
-            )
-            .await
-            {
-                error!("ssh proxy error: {e:?}");
-            }
-        });
-    }
-
-    {
-        tokio::spawn(async move {
-            if let Err(e) = lapdev_kube::run().await {
-                error!("kube run error {e:?}");
-            }
-        });
-    }
-
-    let state = CoreState::new(
-        conductor,
-        ssh_proxy_port,
-        ssh_proxy_display_port,
-        static_dir,
-    )
-    .await;
-    let app = router::build_router(state.clone(), additional_router).await;
-    let certs = state.certs.clone();
-
-    {
-        // start http server
-        let bind = format!(
-            "{}:{}",
-            config.bind.clone().unwrap_or_else(|| "0.0.0.0".to_string()),
-            config.http_port.unwrap_or(80)
-        );
-        let tcp_listener = TcpListener::bind(&bind)
-            .await
-            .with_context(|| format!("bind to {bind}"))?;
-        let app = app.clone();
-        tokio::spawn(async move {
-            if let Err(err) = axum::serve(tcp_listener, app.into_make_service()).await {
-                tracing::error!("http server stopped error: {err}");
-            }
-        });
-    }
-
-    let bind = format!(
-        "{}:{}",
-        config.bind.unwrap_or_else(|| "0.0.0.0".to_string()),
-        config.https_port.unwrap_or(443)
-    );
-    let tcp_listener = TcpListener::bind(&bind)
-        .await
-        .with_context(|| format!("bind to {bind}"))?;
-    let tls_acceptor = TlsAcceptor::from(Arc::new(tls_config(certs)?));
-
-    pin_mut!(tcp_listener);
-    loop {
-        let tower_service = app.clone();
-        let tls_acceptor = tls_acceptor.clone();
-
-        // Wait for new tcp connection
-        let (cnx, addr) = tcp_listener.accept().await?;
-
-        tokio::spawn(async move {
-            // Wait for tls handshake to happen
-            let stream = match tls_acceptor.accept(cnx).await {
-                Err(_) => {
-                    return;
-                }
-                Ok(stream) => stream,
-            };
-
-            // Hyper has its own `AsyncRead` and `AsyncWrite` traits and doesn't use tokio.
-            // `TokioIo` converts between them.
-            let stream = TokioIo::new(stream);
-
-            // Hyper also has its own `Service` trait and doesn't use tower. We can use
-            // `hyper::service::service_fn` to create a hyper `Service` that calls our app through
-            // `tower::Service::call`.
-            let hyper_service = hyper::service::service_fn(move |request: Request<Incoming>| {
-                // We have to clone `tower_service` because hyper's `Service` uses `&self` whereas
-                // tower's `Service` requires `&mut self`.
-                //
-                // We don't need to call `poll_ready` since `Router` is always ready.
-                tower_service.clone().call(request)
-            });
-
-            let ret = hyper_util::server::conn::auto::Builder::new(TokioExecutor::new())
-                .serve_connection_with_upgrades(stream, hyper_service)
-                .await;
-
-            if let Err(err) = ret {
-                tracing::warn!("error serving connection from {}: {}", addr, err);
-            }
-        });
-    }
-}
-
-async fn setup_log(
-    cli: &Cli,
-    data_folder: &Path,
-) -> Result<tracing_appender::non_blocking::WorkerGuard, anyhow::Error> {
-    let folder = cli
-        .logs_folder
-        .clone()
-        .unwrap_or_else(|| data_folder.join("logs"));
-    tokio::fs::create_dir_all(&folder).await?;
-    let file_appender = tracing_appender::rolling::Builder::new()
-        .max_log_files(30)
-        .rotation(tracing_appender::rolling::Rotation::DAILY)
-        .filename_prefix("lapdev.log")
-        .build(folder)?;
-    let (non_blocking, guard) = tracing_appender::non_blocking(file_appender);
-    let var = std::env::var("RUST_LOG").unwrap_or_default();
-    let var =
-        format!("error,lapdev=info,lapdev_api=info,lapdev_conductor=info,lapdev_rpc=info,lapdev_common=info,lapdev_db=info,lapdev_enterprise=info,lapdev_proxy_ssh=info,lapdev_proxy_http=info,{var}");
-    let filter = tracing_subscriber::EnvFilter::builder().parse_lossy(var);
-    tracing_subscriber::fmt()
-        .with_ansi(false)
-        .with_env_filter(filter)
-        .with_writer(non_blocking)
-        .init();
-    Ok(guard)
-}
diff --git a/lapdev-api/src/state.rs b/lapdev-api/src/state.rs
deleted file mode 100644
index 8a5f6b7..0000000
--- a/lapdev-api/src/state.rs
+++ /dev/null
@@ -1,267 +0,0 @@
-use std::{collections::HashMap, sync::Arc};
-
-use anyhow::{anyhow, Context, Result};
-use axum::{
-    async_trait, body::Body, extract::FromRequestParts, http::request::Parts, RequestPartsExt,
-};
-use axum_client_ip::InsecureClientIp;
-use axum_extra::{
-    headers::{self, UserAgent},
-    TypedHeader,
-};
-use hyper_util::{client::legacy::connect::HttpConnector, rt::TokioExecutor};
-use lapdev_common::LAPDEV_BASE_HOSTNAME;
-use lapdev_conductor::{scheduler::LAPDEV_CPU_OVERCOMMIT, Conductor};
-use lapdev_db::{api::DbApi, entities};
-use lapdev_enterprise::license::LAPDEV_ENTERPRISE_LICENSE;
-use lapdev_rpc::error::ApiError;
-use pasetors::{
-    claims::ClaimsValidationRules,
-    keys::SymmetricKey,
-    token::{TrustedToken, UntrustedToken},
-    version4::V4,
-};
-use sea_orm::{ColumnTrait, EntityTrait, QueryFilter};
-use serde::Deserialize;
-use sqlx::postgres::PgNotification;
-use tokio_rustls::rustls::sign::CertifiedKey;
-use uuid::Uuid;
-
-use crate::{
-    auth::{Auth, AuthConfig},
-    cert::{load_cert, CertStore},
-    github::GithubClient,
-    session::OAUTH_STATE_COOKIE,
-};
-
-pub const TOKEN_COOKIE_NAME: &str = "token";
-pub const LAPDEV_CERTS: &str = "lapdev-certs";
-
-pub type HyperClient = hyper_util::client::legacy::Client<HttpConnector, Body>;
-
-pub struct RequestInfo {
-    pub ip: Option<String>,
-    pub user_agent: Option<String>,
-}
-
-#[derive(Debug, Deserialize)]
-struct ConfigUpdatePayload {
-    name: String,
-    value: String,
-}
-
-#[async_trait]
-impl<S: Send + Sync> FromRequestParts<S> for RequestInfo {
-    type Rejection = ApiError;
-
-    async fn from_request_parts(parts: &mut Parts, _state: &S) -> Result<Self, Self::Rejection> {
-        let ip = InsecureClientIp::from(&parts.headers, &parts.extensions)
-            .ok()
-            .map(|ip| ip.0.to_string());
-        let user_agent = parts.extract::<TypedHeader<UserAgent>>().await.ok();
-        let user_agent = user_agent.map(|u| u.to_string());
-        Ok(Self { user_agent, ip })
-    }
-}
-
-#[derive(Clone)]
-pub struct CoreState {
-    pub conductor: Conductor,
-    pub github_client: GithubClient,
-    pub hyper_client: Arc<HyperClient>,
-    pub db: DbApi,
-    pub auth: Arc<Auth>,
-    pub auth_token_key: Arc<SymmetricKey<V4>>,
-    pub certs: CertStore,
-    // actuall ssh proxy port
-    pub ssh_proxy_port: u16,
-    // ssh proxy port to display in front end
-    pub ssh_proxy_display_port: u16,
-    pub static_dir: Arc<Option<include_dir::Dir<'static>>>,
-}
-
-impl CoreState {
-    pub async fn new(
-        conductor: Conductor,
-        ssh_proxy_port: u16,
-        ssh_proxy_display_port: u16,
-        static_dir: Option<include_dir::Dir<'static>>,
-    ) -> Self {
-        let github_client = GithubClient::new();
-        let key = conductor.db.load_api_auth_token_key().await;
-        let auth = Auth::new(&conductor.db).await;
-        let certs = load_certs(&conductor.db).await.unwrap_or_default();
-
-        let hyper_client: HyperClient =
-            hyper_util::client::legacy::Client::<(), ()>::builder(TokioExecutor::new())
-                .build(HttpConnector::new());
-
-        let state = Self {
-            db: conductor.db.clone(),
-            conductor,
-            github_client,
-            auth: Arc::new(auth),
-            auth_token_key: Arc::new(key),
-            certs: Arc::new(std::sync::RwLock::new(Arc::new(certs))),
-            ssh_proxy_port,
-            ssh_proxy_display_port,
-            hyper_client: Arc::new(hyper_client),
-            static_dir: Arc::new(static_dir),
-        };
-
-        {
-            let state = state.clone();
-            tokio::spawn(async move {
-                if let Err(e) = state.monitor_config_updates().await {
-                    tracing::error!("api monitor config updates error: {e}");
-                }
-            });
-        }
-
-        state
-    }
-
-    async fn monitor_config_updates(&self) -> Result<()> {
-        let pool = self
-            .db
-            .pool
-            .clone()
-            .ok_or_else(|| anyhow!("db doesn't have pg pool"))?;
-        let mut listener = sqlx::postgres::PgListener::connect_with(&pool).await?;
-        listener.listen("config_update").await?;
-        loop {
-            let notification = listener.recv().await?;
-            if let Err(e) = self.handle_config_update_notification(notification).await {
-                tracing::error!("handle config update notification error: {e:#}");
-            }
-        }
-    }
-
-    async fn handle_config_update_notification(&self, notification: PgNotification) -> Result<()> {
-        let payload: ConfigUpdatePayload = serde_json::from_str(notification.payload())
-            .with_context(|| format!("trying to deserialize payload {}", notification.payload()))?;
-        if payload.name == AuthConfig::GITHUB.client_id
-            || payload.name == AuthConfig::GITHUB.client_secret
-            || payload.name == AuthConfig::GITLAB.client_id
-            || payload.name == AuthConfig::GITLAB.client_secret
-        {
-            self.auth.resync(&self.db).await;
-        } else if payload.name == LAPDEV_ENTERPRISE_LICENSE {
-            self.conductor.enterprise.license.resync_license().await;
-        } else if payload.name == LAPDEV_CPU_OVERCOMMIT {
-            if let Ok(v) = payload.value.parse::<usize>() {
-                *self.conductor.cpu_overcommit.write().await = v.max(1);
-            }
-        } else if payload.name == LAPDEV_BASE_HOSTNAME {
-            *self.conductor.hostnames.write().await = self
-                .conductor
-                .enterprise
-                .get_hostnames()
-                .await
-                .unwrap_or_default();
-        } else if payload.name == LAPDEV_CERTS {
-            if let Ok(certs) = load_certs(&self.db).await {
-                if let Ok(mut current) = self.certs.write() {
-                    *current = Arc::new(certs);
-                }
-            }
-        }
-        Ok(())
-    }
-
-    fn cookie_token(&self, cookie: &headers::Cookie, name: &str) -> Result<TrustedToken, ApiError> {
-        let token = cookie.get(name).ok_or(ApiError::Unauthenticated)?;
-        let untrusted_token =
-            UntrustedToken::try_from(token).map_err(|_| ApiError::Unauthenticated)?;
-        let token = pasetors::local::decrypt(
-            &self.auth_token_key,
-            &untrusted_token,
-            &ClaimsValidationRules::new(),
-            None,
-            None,
-        )
-        .map_err(|_| ApiError::Unauthenticated)?;
-        Ok(token)
-    }
-
-    pub fn auth_state_token(&self, cookie: &headers::Cookie) -> Result<TrustedToken, ApiError> {
-        self.cookie_token(cookie, OAUTH_STATE_COOKIE)
-    }
-
-    pub fn token(&self, cookie: &headers::Cookie) -> Result<TrustedToken, ApiError> {
-        self.cookie_token(cookie, TOKEN_COOKIE_NAME)
-    }
-
-    pub async fn require_enterprise(&self) -> Result<(), ApiError> {
-        if self.conductor.enterprise.has_valid_license().await {
-            return Ok(());
-        }
-        Err(ApiError::EnterpriseInvalid)
-    }
-
-    pub async fn authenticate(
-        &self,
-        cookie: &headers::Cookie,
-    ) -> Result<entities::user::Model, ApiError> {
-        let token = self.token(cookie)?;
-        let user_id: Uuid = token
-            .payload_claims()
-            .and_then(|c| c.get_claim("user_id"))
-            .and_then(|v| serde_json::from_value(v.to_owned()).ok())
-            .ok_or(ApiError::Unauthenticated)?;
-        let user = entities::user::Entity::find_by_id(user_id)
-            .filter(entities::user::Column::DeletedAt.is_null())
-            .one(&self.db.conn)
-            .await?
-            .ok_or(ApiError::Unauthenticated)?;
-        Ok(user)
-    }
-
-    pub async fn authenticate_cluster_admin(
-        &self,
-        cookie: &headers::Cookie,
-    ) -> Result<entities::user::Model, ApiError> {
-        let user = self.authenticate(cookie).await?;
-        if !user.cluster_admin {
-            return Err(ApiError::Unauthorized);
-        }
-        Ok(user)
-    }
-
-    pub async fn get_project(
-        &self,
-        cookie: &headers::Cookie,
-        org_id: Uuid,
-        project_id: Uuid,
-    ) -> Result<(entities::user::Model, entities::project::Model), ApiError> {
-        let user = self.authenticate(cookie).await?;
-        self.db
-            .get_organization_member(user.id, org_id)
-            .await
-            .map_err(|_| ApiError::Unauthorized)?;
-        let project = self
-            .db
-            .get_project(project_id)
-            .await
-            .map_err(|_| ApiError::InvalidRequest("project doesn't exist".to_string()))?;
-        if project.organization_id != org_id {
-            return Err(ApiError::Unauthorized);
-        }
-        Ok((user, project))
-    }
-}
-
-async fn load_certs(db: &DbApi) -> Result<HashMap<String, Arc<CertifiedKey>>> {
-    let certs = db.get_config(LAPDEV_CERTS).await?;
-    let certs: Vec<(String, String)> = serde_json::from_str(&certs)?;
-
-    let mut final_certs = HashMap::new();
-    for (cert, key) in certs {
-        if let Ok((dns_names, cert)) = load_cert(&cert, &key) {
-            for dns_name in dns_names {
-                final_certs.insert(dns_name, Arc::new(cert.clone()));
-            }
-        }
-    }
-    Ok(final_certs)
-}
diff --git a/lapdev-common/src/utils.rs b/lapdev-common/src/utils.rs
deleted file mode 100644
index 534ab07..0000000
--- a/lapdev-common/src/utils.rs
+++ /dev/null
@@ -1,37 +0,0 @@
-use std::time::{SystemTime, UNIX_EPOCH};
-
-use rand::{distributions::Alphanumeric, Rng};
-use sha2::{Digest, Sha256};
-
-pub fn rand_string(n: usize) -> String {
-    rand::thread_rng()
-        .sample_iter(&Alphanumeric)
-        .take(n)
-        .map(|i| i as char)
-        .collect::<String>()
-        .to_lowercase()
-}
-
-pub fn sha256(input: &str) -> String {
-    let hash = Sha256::digest(input.as_bytes());
-    base16ct::lower::encode_string(&hash)
-}
-
-pub fn format_repo_url(repo: &str) -> String {
-    let repo = repo.trim().to_lowercase();
-    let repo = if !repo.starts_with("http://")
-        && !repo.starts_with("https://")
-        && !repo.starts_with("ssh://")
-    {
-        format!("https://{repo}")
-    } else {
-        repo.to_string()
-    };
-    repo.strip_suffix('/')
-        .map(|r| r.to_string())
-        .unwrap_or(repo)
-}
-
-pub fn unix_timestamp() -> anyhow::Result<u64> {
-    Ok(SystemTime::now().duration_since(UNIX_EPOCH)?.as_secs())
-}
diff --git a/lapdev-dashboard/Cargo.toml b/lapdev-dashboard/Cargo.toml
deleted file mode 100644
index f63f612..0000000
--- a/lapdev-dashboard/Cargo.toml
+++ /dev/null
@@ -1,21 +0,0 @@
-[package]
-name = "lapdev-dashboard"
-version.workspace = true
-authors.workspace = true
-edition.workspace = true
-
-[dependencies]
-gloo-net = "0.5.0"
-wasm-bindgen = "0.2.88"
-web-sys = "0.3.65"
-urlencoding = "2.1.3"
-leptos = { version = "0.6.5", features = ["csr"] }
-leptos_router = { version = "0.6.5", features = ["csr"] }
-rust_decimal.workspace = true
-chrono.workspace = true
-uuid.workspace = true
-serde.workspace = true
-serde_json.workspace = true
-anyhow.workspace = true
-futures.workspace = true
-lapdev-common.workspace = true
diff --git a/lapdev-dashboard/src/account.rs b/lapdev-dashboard/src/account.rs
deleted file mode 100644
index 22f05cd..0000000
--- a/lapdev-dashboard/src/account.rs
+++ /dev/null
@@ -1,238 +0,0 @@
-use anyhow::Result;
-use gloo_net::http::Request;
-use lapdev_common::{
-    console::{MeUser, NewSessionResponse},
-    AuthProvider, ClusterInfo,
-};
-use leptos::{
-    component, create_action, create_local_resource, expect_context, use_context, view, window,
-    IntoView, Resource, RwSignal, Signal, SignalGet, SignalGetUntracked, SignalSet, SignalWith,
-};
-use leptos_router::use_params_map;
-
-use crate::{cluster::OauthSettings, modal::ErrorResponse};
-
-pub async fn get_login() -> Result<MeUser> {
-    let resp: MeUser = Request::get("/api/private/me").send().await?.json().await?;
-    Ok(resp)
-}
-
-async fn now_login(provider: AuthProvider) -> Result<()> {
-    let location = window().window().location();
-    let next = location.href().unwrap_or_default();
-    let next = urlencoding::encode(&next).to_string();
-    let resp = Request::get("/api/private/session")
-        .query([
-            ("provider", &provider.to_string()),
-            ("next", &next),
-            ("host", &location.origin().unwrap_or_default()),
-        ])
-        .send()
-        .await?;
-    let resp: NewSessionResponse = resp.json().await?;
-    let _ = window().location().set_href(&resp.url);
-
-    Ok(())
-}
-
-async fn now_logout() {
-    let _ = Request::delete("/api/private/session").send().await;
-    let _ = window().location().set_href("/");
-}
-
-#[component]
-pub fn Login() -> impl IntoView {
-    let cluster_info = expect_context::<Signal<Option<ClusterInfo>>>();
-
-    view! {
-        <section class="bg-gray-50">
-            <div class="flex flex-col items-center justify-center px-6 py-8 mx-auto h-screen lg:py-0">
-                <a href="#" class="flex items-center mb-6 text-2xl font-semibold text-gray-900">
-                    <svg class="w-10 h-10 mr-4" xmlns="http://www.w3.org/2000/svg" fill="currentColor" viewBox="0 0 1024 1024">
-                        <path d="M512 0C390.759 0 279.426 42.2227 191.719 112.656L191.719 612L351.719 612L351.719 332L422 332L431.719 332L431.719 332.344C488.169 334.127 541.249 351.138 581.875 380.625C627.591 413.806 654.875 460.633 654.875 512C654.875 563.367 627.591 610.194 581.875 643.375C541.249 672.862 488.169 689.873 431.719 691.656L431.719 1017.69C457.88 1021.81 484.68 1024 512 1024C794.77 1024 1024 794.77 1024 512C1024 229.23 794.77 0 512 0ZM111.719 192.906C41.8539 280.432 0 391.303 0 512C0 738.766 147.487 930.96 351.719 998.25L351.719 692L151.719 692L151.719 691.844L111.719 691.844L111.719 192.906ZM738.219 372C741.597 372.107 745.042 373.02 748.312 374.812L946.281 483.312C952.311 486.616 956.692 492.393 959.188 499.156C959.821 500.874 960.317 502.641 960.688 504.469C960.764 504.834 960.841 505.196 960.906 505.562C961.12 506.807 961.225 508.071 961.312 509.344C961.378 510.235 961.498 511.112 961.5 512C961.498 512.888 961.378 513.765 961.312 514.656C961.226 515.929 961.12 517.193 960.906 518.438C960.841 518.804 960.764 519.166 960.688 519.531C960.317 521.359 959.821 523.126 959.188 524.844C956.692 531.608 952.311 537.384 946.281 540.688L748.312 649.188C735.232 656.355 719.818 649.367 713.875 633.594C707.932 617.82 713.7 599.23 726.781 592.062L872.875 512L726.781 431.938C713.7 424.771 707.932 406.18 713.875 390.406C718.332 378.576 728.085 371.678 738.219 372ZM431.719 412.344L431.719 611.656C513.56 608.208 574.875 561.985 574.875 512C574.875 462.015 513.56 415.792 431.719 412.344Z" />
-                        <path d="M742 403.688C740.062 403.483 738.097 404.438 737.094 406.25C735.756 408.666 736.615 411.694 739.031 413.031L925.719 516.375C928.135 517.712 931.194 516.822 932.531 514.406C933.869 511.99 932.979 508.962 930.562 507.625L743.875 404.281C743.271 403.947 742.646 403.756 742 403.688Z" />
-                        <path d="M927.5 507.031C926.856 507.115 926.221 507.339 925.625 507.688L738.938 616.906C736.554 618.301 735.762 621.335 737.156 623.719C738.551 626.102 741.616 626.926 744 625.531L930.688 516.312C933.071 514.918 933.863 511.852 932.469 509.469C931.423 507.681 929.432 506.78 927.5 507.031Z" />
-                    </svg>
-                    Lapdev
-                </a>
-                {
-                    move || if let Some(auth_providers) = cluster_info.with(|i| i.as_ref().map(|i| i.auth_providers.clone())) {
-                        if !auth_providers.is_empty() {
-                            view! {
-                                <LoginWithView auth_providers />
-                            }.into_view()
-                        } else {
-                            view! {
-                                <div class="w-96 bg-white rounded-lg shadow p-6">
-                                    <InitAuthProvidersView />
-                                </div>
-                            }.into_view()
-                        }
-                    } else {
-                        view! {
-
-                        }.into_view()
-                    }
-                }
-            </div>
-        </section>
-    }
-}
-
-#[component]
-pub fn LoginWithView(auth_providers: Vec<AuthProvider>) -> impl IntoView {
-    let login = use_context::<Resource<i32, Option<MeUser>>>().unwrap();
-    view! {
-        <div
-            class="max-w-96 w-full"
-            class:hidden=move || login.with(|l| l.is_none())
-        >
-            <h1 class="mb-4 text-center text-2xl font-bold leading-tight tracking-tight text-gray-900">
-                Sign in to your account
-            </h1>
-            <div
-                class="w-full bg-white rounded-lg shadow md:mt-0 sm:max-w-md xl:p-0"
-            >
-                <div class="p-6 flex flex-col space-y-3">
-                    <button type="button"
-                        class="w-full text-gray-900 bg-white hover:bg-gray-100 border border-gray-200 focus:ring-4 focus:outline-none focus:ring-gray-100 font-medium rounded-lg text-sm px-5 py-2.5 text-center inline-flex items-center"
-                        class:hidden={ let auth_providers = auth_providers.clone(); move || !auth_providers.contains(&AuthProvider::Github) }
-                        on:click=move |_| { create_action(move |_| {now_login(AuthProvider::Github)}).dispatch(()) }
-                    >
-                        <svg class="w-4 h-4 me-2" aria-hidden="true" xmlns="http://www.w3.org/2000/svg" fill="currentColor" viewBox="0 0 20 20">
-                        <path fill-rule="evenodd" d="M10 .333A9.911 9.911 0 0 0 6.866 19.65c.5.092.678-.215.678-.477 0-.237-.01-1.017-.014-1.845-2.757.6-3.338-1.169-3.338-1.169a2.627 2.627 0 0 0-1.1-1.451c-.9-.615.07-.6.07-.6a2.084 2.084 0 0 1 1.518 1.021 2.11 2.11 0 0 0 2.884.823c.044-.503.268-.973.63-1.325-2.2-.25-4.516-1.1-4.516-4.9A3.832 3.832 0 0 1 4.7 7.068a3.56 3.56 0 0 1 .095-2.623s.832-.266 2.726 1.016a9.409 9.409 0 0 1 4.962 0c1.89-1.282 2.717-1.016 2.717-1.016.366.83.402 1.768.1 2.623a3.827 3.827 0 0 1 1.02 2.659c0 3.807-2.319 4.644-4.525 4.889a2.366 2.366 0 0 1 .673 1.834c0 1.326-.012 2.394-.012 2.72 0 .263.18.572.681.475A9.911 9.911 0 0 0 10 .333Z" clip-rule="evenodd"/>
-                        </svg>
-                        Sign in with GitHub
-                    </button>
-
-                    <button type="button"
-                        class="w-full text-gray-900 bg-white hover:bg-gray-100 border border-gray-200 focus:ring-4 focus:outline-none focus:ring-gray-100 font-medium rounded-lg text-sm px-5 py-2.5 text-center inline-flex items-center"
-                        class:hidden=move || !auth_providers.contains(&AuthProvider::Gitlab)
-                        on:click=move |_| { create_action(move |_| {now_login(AuthProvider::Gitlab)}).dispatch(()) }
-                    >
-                        <svg class="w-4 h-4 me-2" viewBox="0 0 25 24" xmlns="http://www.w3.org/2000/svg"><path d="M24.507 9.5l-.034-.09L21.082.562a.896.896 0 00-1.694.091l-2.29 7.01H7.825L5.535.653a.898.898 0 00-1.694-.09L.451 9.411.416 9.5a6.297 6.297 0 002.09 7.278l.012.01.03.022 5.16 3.867 2.56 1.935 1.554 1.176a1.051 1.051 0 001.268 0l1.555-1.176 2.56-1.935 5.197-3.89.014-.01A6.297 6.297 0 0024.507 9.5z" fill="#E24329"/><path d="M24.507 9.5l-.034-.09a11.44 11.44 0 00-4.56 2.051l-7.447 5.632 4.742 3.584 5.197-3.89.014-.01A6.297 6.297 0 0024.507 9.5z" fill="#FC6D26"/><path d="M7.707 20.677l2.56 1.935 1.555 1.176a1.051 1.051 0 001.268 0l1.555-1.176 2.56-1.935-4.743-3.584-4.755 3.584z" fill="#FCA326"/><path d="M5.01 11.461a11.43 11.43 0 00-4.56-2.05L.416 9.5a6.297 6.297 0 002.09 7.278l.012.01.03.022 5.16 3.867 4.745-3.584-7.444-5.632z" fill="#FC6D26"/></svg>
-                        Sign in with GitLab
-                    </button>
-                </div>
-            </div>
-        </div>
-    }
-}
-
-#[component]
-pub fn InitAuthProvidersView() -> impl IntoView {
-    view! {
-        <OauthSettings reload=true />
-    }
-}
-
-#[component]
-pub fn NavUserControl(user_control_hidden: RwSignal<bool>) -> impl IntoView {
-    let login = use_context::<Resource<i32, Option<MeUser>>>().unwrap();
-
-    let logout = move |_| {
-        user_control_hidden.set(true);
-        create_action(move |_| now_logout()).dispatch(());
-    };
-
-    view! {
-      <div
-        class="absolute z-50 my-2 right-0 w-56 text-base list-none bg-white rounded divide-y divide-gray-100 shadow border rounded-xl"
-        class:hidden=move || user_control_hidden.get()
-      >
-        <div class="py-3 px-4">
-          <span class="block text-sm font-semibold text-gray-900">
-            { move || login.get().flatten().and_then(|l| l.name).unwrap_or("".to_string()) }
-          </span>
-          <span class="block text-sm text-gray-900 truncate">
-            { move || login.get().flatten().and_then(|l| l.email).unwrap_or("".to_string()) }
-          </span>
-        </div>
-        <ul
-          class="py-1 text-gray-700"
-          aria-labelledby="dropdown"
-        >
-          <li>
-            <a
-              href="/account"
-              class="block py-2 px-4 text-sm hover:bg-gray-100"
-              >User settings</a
-            >
-          </li>
-        </ul>
-        <ul
-          class="py-1 text-gray-700"
-          aria-labelledby="dropdown"
-        >
-          <li>
-            <a
-              href="#"
-              class="block py-2 px-4 text-sm hover:bg-gray-100"
-              on:click=logout
-              >Sign out</a
-            >
-          </li>
-        </ul>
-      </div>
-    }
-}
-
-#[component]
-pub fn AccountSettings() -> impl IntoView {
-    view! {
-        <div class="border-b pb-4">
-            <h5 class="mr-3 text-2xl font-semibold">
-                User Settings
-            </h5>
-            <p class="text-gray-700">{"Manage your account settings"}</p>
-        </div>
-    }
-}
-
-async fn join_org(invitation_id: String) -> Result<Option<ErrorResponse>> {
-    let resp = Request::put(&format!("/api/v1/join/{invitation_id}"))
-        .send()
-        .await?;
-    if resp.status() != 204 {
-        let error = resp
-            .json::<ErrorResponse>()
-            .await
-            .unwrap_or_else(|_| ErrorResponse {
-                error: "Internal Server Error".to_string(),
-            });
-        return Ok(Some(error));
-    }
-    let _ = window().location().set_href("/");
-    Ok(None)
-}
-
-#[component]
-pub fn JoinView() -> impl IntoView {
-    let params = use_params_map();
-    let id = Signal::derive(move || {
-        params
-            .with(|params| params.get("id").cloned())
-            .unwrap_or_default()
-    });
-
-    let result = {
-        create_local_resource(
-            || (),
-            move |_| async move { join_org(id.get_untracked()).await },
-        )
-    };
-
-    view! {
-        {
-            move || if let Some(error) = result.with(|r| r.as_ref().and_then(|r| r.as_ref().ok().cloned())).flatten() {
-                view! {
-                    <div class="my-2 p-4 rounded-lg bg-red-50">
-                        <span class="text-sm font-medium text-red-800">{ error.error }</span>
-                    </div>
-                }.into_view()
-            } else {
-                view! {}.into_view()
-            }
-        }
-    }
-}
diff --git a/lapdev-dashboard/src/app.rs b/lapdev-dashboard/src/app.rs
deleted file mode 100644
index b270a4c..0000000
--- a/lapdev-dashboard/src/app.rs
+++ /dev/null
@@ -1,157 +0,0 @@
-use anyhow::Result;
-use gloo_net::http::Request;
-use lapdev_common::{console::MeUser, ClusterInfo};
-use leptos::{
-    component, create_local_resource, create_rw_signal, provide_context, use_context, view, window,
-    IntoView, Resource, Show, Signal, SignalGet,
-};
-use leptos_router::{Route, Router, Routes};
-
-use crate::{
-    account::{get_login, AccountSettings, JoinView, Login},
-    audit_log::AuditLogView,
-    cluster::{ClusterSettings, ClusterUsersView, MachineTypeView, WorkspaceHostView},
-    git_provider::GitProviderView,
-    license::{LicenseView, SignLicenseView},
-    nav::{AdminSideNav, NavExpanded, SideNav, TopNav},
-    organization::{NewOrgModal, OrgMembers, OrgSettings},
-    project::{ProjectDetails, Projects},
-    quota::QuotaView,
-    ssh_key::SshKeys,
-    usage::UsageView,
-    workspace::{WorkspaceDetails, Workspaces},
-};
-
-#[derive(Clone)]
-pub struct AppConfig {
-    pub show_lapdev_website: bool,
-}
-
-#[component]
-fn Root() -> impl IntoView {
-    view! {
-        <Workspaces />
-    }
-}
-
-async fn get_cluster_info() -> Result<ClusterInfo> {
-    let resp = Request::get("/api/v1/cluster_info").send().await?;
-    let info: ClusterInfo = resp.json().await?;
-    Ok(info)
-}
-
-pub fn set_context() {
-    let login_counter = create_rw_signal(0);
-    provide_context(login_counter);
-
-    let login = create_local_resource(
-        move || login_counter.get(),
-        |_| async move { get_login().await.ok() },
-    );
-    provide_context(login);
-
-    let cluster_info =
-        create_local_resource(move || (), |_| async move { get_cluster_info().await.ok() });
-    let cluster_info = Signal::derive(move || cluster_info.get().flatten());
-    provide_context(cluster_info);
-
-    let current_org = Signal::derive(move || {
-        let login = login.get().flatten();
-        login.map(|u| u.organization)
-    });
-    provide_context(current_org);
-
-    let pathname = window().location().pathname().unwrap_or_default();
-    let nav_expanded = NavExpanded {
-        orgnization: create_rw_signal(pathname.starts_with("/organization")),
-        account: create_rw_signal(pathname.starts_with("/account")),
-    };
-    provide_context(nav_expanded);
-
-    provide_context(create_rw_signal(AppConfig {
-        show_lapdev_website: false,
-    }));
-}
-
-#[component]
-pub fn App() -> impl IntoView {
-    set_context();
-    view! {
-        <Router>
-            <Routes>
-                <Route path="/" view=move || view! { <WrappedView element=Root /> } />
-                <Route path="/projects" view=move || view! { <WrappedView element=Projects /> } />
-                <Route path="/projects/:id" view=move || view! { <WrappedView element=ProjectDetails /> } />
-                <Route path="/workspaces" view=move || view! { <WrappedView element=Workspaces /> } />
-                <Route path="/workspaces/:name" view=move || view! { <WrappedView element=WorkspaceDetails /> } />
-                <Route path="/organization/usage" view=move || view! { <WrappedView element=UsageView /> } />
-                <Route path="/organization/members" view=move || view! { <WrappedView element=OrgMembers /> } />
-                <Route path="/organization/quota" view=move || view! { <WrappedView element=QuotaView /> } />
-                <Route path="/organization/audit_log" view=move || view! { <WrappedView element=AuditLogView /> } />
-                <Route path="/organization/settings" view=move || view! { <WrappedView element=OrgSettings /> } />
-                <Route path="/account" view=move || view! { <WrappedView element=AccountSettings /> } />
-                <Route path="/join/:id" view=move || view! { <WrappedView element=JoinView /> } />
-                <Route path="/account/ssh-keys" view=move || view! { <WrappedView element=SshKeys /> } />
-                <Route path="/account/git-providers" view=move || view! { <WrappedView element=GitProviderView /> } />
-                <Route path="/admin" view=move || view! { <AdminWrappedView element=WorkspaceHostView /> } />
-                <Route path="/admin/workspace_hosts" view=move || view! { <AdminWrappedView element=WorkspaceHostView /> } />
-                <Route path="/admin/machine_types" view=move || view! { <AdminWrappedView element=MachineTypeView /> } />
-                <Route path="/admin/users" view=move || view! { <AdminWrappedView element=ClusterUsersView /> } />
-                <Route path="/admin/settings" view=move || view! { <AdminWrappedView element=ClusterSettings /> } />
-                <Route path="/admin/license" view=move || view! { <AdminWrappedView element=LicenseView /> } />
-                <Route path="/admin/sign_license" view=move || view! { <AdminWrappedView element=SignLicenseView /> } />
-            </Routes>
-        </Router>
-
-    }
-}
-
-#[component]
-pub fn WrappedView<T>(element: T) -> impl IntoView
-where
-    T: IntoView + Copy + 'static,
-{
-    let login = use_context::<Resource<i32, Option<MeUser>>>().unwrap();
-    let new_org_modal_hidden = create_rw_signal(true);
-    view! {
-        <Show
-            when=move || { login.get().flatten().is_some() }
-            fallback=move || view! { <Login /> }
-        >
-            <div class="flex flex-col h-screen">
-                <TopNav />
-                <div class="container mx-auto flex flex-row basis-0 grow">
-                    <SideNav new_org_modal_hidden />
-                    <div class="p-8 w-[calc(100%-16rem)] h-full">
-                        {element}
-                    </div>
-                </div>
-                <NewOrgModal modal_hidden=new_org_modal_hidden />
-            </div>
-        </Show>
-    }
-}
-
-#[component]
-pub fn AdminWrappedView<T>(element: T) -> impl IntoView
-where
-    T: IntoView + Copy + 'static,
-{
-    let login = use_context::<Resource<i32, Option<MeUser>>>().unwrap();
-    view! {
-        <Show
-            when=move || { login.get().flatten().is_some() }
-            fallback=move || view! { <Login /> }
-        >
-            <div class="flex flex-col h-screen">
-                <TopNav />
-                <div class="container mx-auto flex flex-row basis-0 grow">
-                    <AdminSideNav />
-                    <div class="px-8 pt-8 w-[calc(100%-16rem)] h-full">
-                        {element}
-                    </div>
-                </div>
-            </div>
-        </Show>
-    }
-}
diff --git a/lapdev-dashboard/src/lib.rs b/lapdev-dashboard/src/lib.rs
deleted file mode 100644
index e63534c..0000000
--- a/lapdev-dashboard/src/lib.rs
+++ /dev/null
@@ -1,15 +0,0 @@
-pub mod account;
-pub mod app;
-pub mod audit_log;
-pub mod cluster;
-pub mod datepicker;
-pub mod git_provider;
-pub mod license;
-pub mod modal;
-pub mod nav;
-pub mod organization;
-pub mod project;
-pub mod quota;
-pub mod ssh_key;
-pub mod usage;
-pub mod workspace;
diff --git a/lapdev-dashboard/src/main.rs b/lapdev-dashboard/src/main.rs
deleted file mode 100644
index 275c129..0000000
--- a/lapdev-dashboard/src/main.rs
+++ /dev/null
@@ -1,11 +0,0 @@
-use lapdev_dashboard::app::App;
-use leptos::{mount_to_body, view};
-
-pub fn main() {
-    leptos::document().body().unwrap().set_inner_html("");
-    mount_to_body(move || {
-        view! {
-            <App />
-        }
-    })
-}
diff --git a/lapdev-dashboard/src/modal.rs b/lapdev-dashboard/src/modal.rs
deleted file mode 100644
index 772a182..0000000
--- a/lapdev-dashboard/src/modal.rs
+++ /dev/null
@@ -1,399 +0,0 @@
-use anyhow::Result;
-use chrono::{DateTime, FixedOffset};
-use leptos::{
-    component, create_effect, create_rw_signal, event_target_value, view, Action, IntoView,
-    RwSignal, SignalGet, SignalSet, SignalUpdate, SignalWith, View,
-};
-use serde::Deserialize;
-
-#[derive(Debug, Deserialize, Clone)]
-pub struct ErrorResponse {
-    pub error: String,
-}
-
-impl<E> From<E> for ErrorResponse
-where
-    E: Into<anyhow::Error>,
-{
-    fn from(err: E) -> Self {
-        let err: anyhow::Error = err.into();
-        Self {
-            error: err.to_string(),
-        }
-    }
-}
-
-#[component]
-pub fn CreationInput(label: String, value: RwSignal<String>, placeholder: String) -> impl IntoView {
-    view! {
-        <div>
-            <label class="block mb-2 text-sm font-medium text-gray-900">{ label }</label>
-            <input
-                prop:value={move || value.get()}
-                on:input=move |ev| { value.set(event_target_value(&ev)); }
-                class="bg-gray-50 border border-gray-300 text-gray-900 text-sm rounded-lg focus:ring-blue-500 focus:border-blue-500 block w-full p-2.5"
-                placeholder={placeholder}
-            />
-        </div>
-    }
-}
-
-#[component]
-pub fn CreationModal<T>(
-    title: String,
-    modal_hidden: RwSignal<bool>,
-    action: Action<(), Result<(), ErrorResponse>>,
-    body: T,
-    update_text: Option<String>,
-    updating_text: Option<String>,
-    create_button_hidden: Box<dyn Fn() -> bool + 'static>,
-    width_class: Option<String>,
-) -> impl IntoView
-where
-    T: IntoView + 'static,
-{
-    let error = create_rw_signal(None);
-    let handle_create = move |_| {
-        error.set(None);
-        action.dispatch(());
-    };
-    let create_pending = action.pending();
-    create_effect(move |_| {
-        modal_hidden.track();
-        error.set(None);
-    });
-    create_effect(move |_| {
-        action.value().with(|result| {
-            if let Some(result) = result {
-                match result {
-                    Ok(_) => {}
-                    Err(e) => {
-                        error.set(Some(e.error.clone()));
-                    }
-                }
-            }
-        })
-    });
-
-    let width_class = if let Some(width_class) = width_class {
-        width_class
-    } else {
-        "max-w-2xl".to_string()
-    };
-    view! {
-        <div
-            tabindex="-1"
-            class="bg-gray-900/50 flex overflow-y-auto overflow-x-hidden fixed top-0 right-0 left-0 z-50 justify-center items-center w-full h-full"
-            class:hidden=move || modal_hidden.get()
-            on:click=move |_| modal_hidden.set(true)
-        >
-            <div
-                class=format!("relative p-4 w-full {width_class} max-h-full")
-                on:click=move |e| e.stop_propagation()
-            >
-                <div class="relative bg-white rounded-lg shadow">
-                    <div class="flex items-center justify-between p-4 md:p-5 border-b rounded-t">
-                        <h3 class="text-xl font-semibold text-gray-900">
-                            { title }
-                        </h3>
-                        <button
-                            type="button"
-                            class="text-gray-400 bg-transparent hover:bg-gray-200 hover:text-gray-900 rounded-lg text-sm w-8 h-8 ms-auto inline-flex justify-center items-center" data-modal-hide="default-modal"
-                            on:click=move |_| modal_hidden.set(true)
-                        >
-                            <svg class="w-3 h-3" aria-hidden="true" xmlns="http://www.w3.org/2000/svg" fill="none" viewBox="0 0 14 14">
-                                <path stroke="currentColor" stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="m1 1 6 6m0 0 6 6M7 7l6-6M7 7l-6 6"/>
-                            </svg>
-                            <span class="sr-only">Close modal</span>
-                        </button>
-                    </div>
-                    { move || if let Some(error) = error.get() {
-                            view! {
-                                <div class="p-4">
-                                    <div class="p-4 rounded-lg bg-red-50">
-                                        <span class="text-sm font-medium text-red-800">{ error }</span>
-                                    </div>
-                                </div>
-                            }.into_view()
-                        } else {
-                            view! {}.into_view()
-                        }
-                    }
-                    <div class="p-4 md:p-5 space-y-4">
-                        {body}
-                    </div>
-                    <div class="flex items-center p-4 border-t border-gray-200 rounded-b">
-                        <button
-                            type="button"
-                            class="mr-3 flex flex-row items-center text-white bg-blue-700 hover:bg-blue-800 focus:ring-4 focus:outline-none focus:ring-blue-300 font-medium rounded-lg text-sm px-5 py-2.5 text-center"
-                            disabled=move || create_pending.get()
-                            class:hidden=move || create_button_hidden()
-                            on:click=handle_create
-                        >
-                            <svg aria-hidden="true" role="status"
-                                class="inline w-4 h-4 me-3 text-white animate-spin" viewBox="0 0 100 101" fill="none" xmlns="http://www.w3.org/2000/svg"
-                                class:hidden=move || !create_pending.get()
-                            >
-                            <path d="M100 50.5908C100 78.2051 77.6142 100.591 50 100.591C22.3858 100.591 0 78.2051 0 50.5908C0 22.9766 22.3858 0.59082 50 0.59082C77.6142 0.59082 100 22.9766 100 50.5908ZM9.08144 50.5908C9.08144 73.1895 27.4013 91.5094 50 91.5094C72.5987 91.5094 90.9186 73.1895 90.9186 50.5908C90.9186 27.9921 72.5987 9.67226 50 9.67226C27.4013 9.67226 9.08144 27.9921 9.08144 50.5908Z" fill="#E5E7EB"/>
-                            <path d="M93.9676 39.0409C96.393 38.4038 97.8624 35.9116 97.0079 33.5539C95.2932 28.8227 92.871 24.3692 89.8167 20.348C85.8452 15.1192 80.8826 10.7238 75.2124 7.41289C69.5422 4.10194 63.2754 1.94025 56.7698 1.05124C51.7666 0.367541 46.6976 0.446843 41.7345 1.27873C39.2613 1.69328 37.813 4.19778 38.4501 6.62326C39.0873 9.04874 41.5694 10.4717 44.0505 10.1071C47.8511 9.54855 51.7191 9.52689 55.5402 10.0491C60.8642 10.7766 65.9928 12.5457 70.6331 15.2552C75.2735 17.9648 79.3347 21.5619 82.5849 25.841C84.9175 28.9121 86.7997 32.2913 88.1811 35.8758C89.083 38.2158 91.5421 39.6781 93.9676 39.0409Z" fill="currentColor"/>
-                            </svg>
-                            { move || if create_pending.get() { updating_text.clone().unwrap_or_else(|| "Updating".to_string()) } else  { update_text.clone().unwrap_or_else(|| "Update".to_string()) } }
-                        </button>
-                        <button
-                            type="button"
-                            class="text-gray-500 bg-white hover:bg-gray-100 focus:ring-4 focus:outline-none focus:ring-blue-300 rounded-lg border border-gray-200 text-sm font-medium px-5 py-2.5 hover:text-gray-900 focus:z-10"
-                            disabled=move || create_pending.get()
-                            on:click=move |_| modal_hidden.set(true)
-                        >Cancel</button>
-                    </div>
-                </div>
-            </div>
-        </div>
-    }
-}
-
-#[component]
-pub fn DeletionModal(
-    resource: String,
-    modal_hidden: RwSignal<bool>,
-    delete_action: Action<(), Result<(), ErrorResponse>>,
-) -> impl IntoView {
-    let error = create_rw_signal(None);
-    let handle_delete = move |_| {
-        delete_action.dispatch(());
-    };
-    let delete_pending = delete_action.pending();
-    create_effect(move |_| {
-        delete_action.value().with(|result| {
-            if let Some(result) = result {
-                match result {
-                    Ok(_) => {}
-                    Err(e) => {
-                        error.set(Some(e.error.clone()));
-                    }
-                }
-            }
-        })
-    });
-
-    create_effect(move |_| {
-        if modal_hidden.get() {
-            error.set(None);
-        }
-    });
-
-    view! {
-        <div tabindex="-1"
-            class="bg-gray-900/50 flex overflow-y-auto overflow-x-hidden fixed top-0 right-0 left-0 z-50 justify-center items-center w-full h-full"
-            class:hidden=move || modal_hidden.get()
-            on:click=move |_| modal_hidden.set(true)
-        >
-            <div
-                class="relative p-4 w-full max-w-md max-h-full"
-                on:click=move |e| e.stop_propagation()
-            >
-                <div class="relative bg-white rounded-lg shadow">
-                    <button type="button"
-                        class="absolute top-3 end-2.5 text-gray-400 bg-transparent hover:bg-gray-200 hover:text-gray-900 rounded-lg text-sm w-8 h-8 ms-auto inline-flex justify-center items-center"
-                        on:click=move |_| modal_hidden.set(true)
-                    >
-                        <svg class="w-3 h-3" aria-hidden="true" xmlns="http://www.w3.org/2000/svg" fill="none" viewBox="0 0 14 14">
-                            <path stroke="currentColor" stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="m1 1 6 6m0 0 6 6M7 7l6-6M7 7l-6 6"/>
-                        </svg>
-                        <span class="sr-only">Close modal</span>
-                    </button>
-                    <div class="p-4 md:p-5 text-center">
-                        <svg class="mx-auto mb-4 text-gray-400 w-12 h-12" aria-hidden="true" xmlns="http://www.w3.org/2000/svg" fill="none" viewBox="0 0 20 20">
-                            <path stroke="currentColor" stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M10 11V6m0 8h.01M19 10a9 9 0 1 1-18 0 9 9 0 0 1 18 0Z"/>
-                        </svg>
-                        <h3 class="mb-5 text-lg font-normal text-gray-500 flex flex-col items-center">
-                            <span>Are you sure you want to delete</span>
-                            <span class="text-semibold">{ resource }</span>
-                        </h3>
-                        { move || if let Some(error) = error.get() {
-                                view! {
-                                    <div class="text-left p-4 mb-4 rounded-lg bg-red-50">
-                                        <span class="text-sm font-medium text-red-800">{ error }</span>
-                                    </div>
-                                }.into_view()
-                            } else {
-                                view! {}.into_view()
-                            }
-                        }
-                        <button
-                            type="button"
-                            class="text-white bg-red-600 hover:bg-red-800 focus:ring-4 focus:outline-none focus:ring-red-300 font-medium rounded-lg text-sm inline-flex items-center px-5 py-2.5 text-center me-2"
-                            disabled=move || delete_pending.get()
-                            on:click=handle_delete
-                        >
-                            <svg aria-hidden="true" role="status"
-                                class="inline w-3 h-3 me-3 text-white animate-spin" viewBox="0 0 100 101" fill="none" xmlns="http://www.w3.org/2000/svg"
-                                class:hidden=move || !delete_pending.get()
-                            >
-                            <path d="M100 50.5908C100 78.2051 77.6142 100.591 50 100.591C22.3858 100.591 0 78.2051 0 50.5908C0 22.9766 22.3858 0.59082 50 0.59082C77.6142 0.59082 100 22.9766 100 50.5908ZM9.08144 50.5908C9.08144 73.1895 27.4013 91.5094 50 91.5094C72.5987 91.5094 90.9186 73.1895 90.9186 50.5908C90.9186 27.9921 72.5987 9.67226 50 9.67226C27.4013 9.67226 9.08144 27.9921 9.08144 50.5908Z" fill="#E5E7EB"/>
-                            <path d="M93.9676 39.0409C96.393 38.4038 97.8624 35.9116 97.0079 33.5539C95.2932 28.8227 92.871 24.3692 89.8167 20.348C85.8452 15.1192 80.8826 10.7238 75.2124 7.41289C69.5422 4.10194 63.2754 1.94025 56.7698 1.05124C51.7666 0.367541 46.6976 0.446843 41.7345 1.27873C39.2613 1.69328 37.813 4.19778 38.4501 6.62326C39.0873 9.04874 41.5694 10.4717 44.0505 10.1071C47.8511 9.54855 51.7191 9.52689 55.5402 10.0491C60.8642 10.7766 65.9928 12.5457 70.6331 15.2552C75.2735 17.9648 79.3347 21.5619 82.5849 25.841C84.9175 28.9121 86.7997 32.2913 88.1811 35.8758C89.083 38.2158 91.5421 39.6781 93.9676 39.0409Z" fill="currentColor"/>
-                            </svg>
-                            { move || if delete_pending.get() { "Deleting" } else { "Yes, I'm sure" } }
-                        </button>
-                        <button
-                            type="button"
-                            class="text-gray-500 bg-white hover:bg-gray-100 focus:ring-4 focus:outline-none focus:ring-gray-200 rounded-lg border border-gray-200 text-sm font-medium px-5 py-2.5 hover:text-gray-900 focus:z-10"
-                            disabled=move || delete_pending.get()
-                            on:click=move |_| modal_hidden.set(true)
-                        >No, cancel</button>
-                    </div>
-                </div>
-            </div>
-        </div>
-    }
-}
-
-#[component]
-pub fn DatetimeModal(time: DateTime<FixedOffset>) -> impl IntoView {
-    let offset = web_sys::js_sys::Date::new_0().get_timezone_offset();
-    let time = if let Some(offset) = FixedOffset::east_opt((offset * 60.0) as i32) {
-        time.with_timezone(&offset)
-    } else {
-        time
-    };
-
-    let hidden = create_rw_signal(true);
-    let duration = chrono::Utc::now() - time.with_timezone(&chrono::Utc);
-    let days = duration.num_days();
-    let formatted = move || {
-        if days > 365 {
-            let unit = days / 365;
-            format!("{} year{} ago", unit, if unit > 1 { "s" } else { "" })
-        } else if days > 30 {
-            let unit = days / 30;
-            format!("{} month{} ago", unit, if unit > 1 { "s" } else { "" })
-        } else if days > 7 {
-            let unit = days / 7;
-            format!("{} week{} ago", unit, if unit > 1 { "s" } else { "" })
-        } else if days > 0 {
-            let unit = days;
-            format!("{} day{} ago", unit, if unit > 1 { "s" } else { "" })
-        } else {
-            let hours = duration.num_hours();
-            if hours > 0 {
-                format!("{hours} hour{} ago", if hours > 1 { "s" } else { "" })
-            } else {
-                let minutes = duration.num_minutes();
-                if minutes > 0 {
-                    format!("{minutes} minute{} ago", if minutes > 1 { "s" } else { "" })
-                } else {
-                    format!("{} seconds ago", duration.num_seconds())
-                }
-            }
-        }
-    };
-    view! {
-        <div
-            class="relative"
-            on:mouseenter=move |_| hidden.set(false)
-            on:mouseleave=move |_| hidden.set(true)
-        >
-            <div
-                class="absolute bottom-6 -left-3 z-10"
-                class:hidden=move || hidden.get()
-            >
-                <div class="text-nowrap px-3 py-2 text-sm font-medium text-gray-900 bg-white border border-gray-200 rounded-lg shadow-sm">
-                    { format!("{}", time.format("%Y-%m-%d %H:%M:%S")) }
-                </div>
-            </div>
-            <span>{ formatted }</span>
-        </div>
-    }
-}
-
-#[component]
-pub fn SettingView<T>(
-    title: String,
-    action: Action<(), Result<(), ErrorResponse>>,
-    body: T,
-    update_counter: RwSignal<i32>,
-    extra: Option<View>,
-) -> impl IntoView
-where
-    T: IntoView + 'static,
-{
-    let success = create_rw_signal(None);
-    let error = create_rw_signal(None);
-    let handle_save = move |_| {
-        success.set(None);
-        error.set(None);
-        action.dispatch(());
-    };
-    let save_pending = action.pending();
-
-    create_effect(move |_| {
-        action.value().with(|result| {
-            if let Some(result) = result {
-                match result {
-                    Ok(_) => {
-                        update_counter.update(|c| *c += 1);
-                        success.set(Some("Saved successfully"));
-                    }
-                    Err(e) => {
-                        error.set(Some(e.error.clone()));
-                    }
-                }
-            }
-        })
-    });
-
-    view! {
-        {
-            if title.is_empty() {
-                view!{}.into_view()
-            } else {
-                view!{ <h5 class="text-lg font-semibold">{title}</h5> }.into_view()
-            }
-        }
-        { body }
-        <div class="mt-4 flex flex-row items-center">
-            <button
-                type="button"
-                class="flex flex-row items-center text-white bg-blue-700 hover:bg-blue-800 focus:ring-4 focus:outline-none focus:ring-blue-300 font-medium rounded-lg text-sm px-5 py-2.5 text-center"
-                disabled=move || save_pending.get()
-                on:click=handle_save
-            >
-                <svg aria-hidden="true" role="status"
-                    class="inline w-4 h-4 me-3 text-white animate-spin" viewBox="0 0 100 101" fill="none" xmlns="http://www.w3.org/2000/svg"
-                    class:hidden=move || !save_pending.get()
-                >
-                <path d="M100 50.5908C100 78.2051 77.6142 100.591 50 100.591C22.3858 100.591 0 78.2051 0 50.5908C0 22.9766 22.3858 0.59082 50 0.59082C77.6142 0.59082 100 22.9766 100 50.5908ZM9.08144 50.5908C9.08144 73.1895 27.4013 91.5094 50 91.5094C72.5987 91.5094 90.9186 73.1895 90.9186 50.5908C90.9186 27.9921 72.5987 9.67226 50 9.67226C27.4013 9.67226 9.08144 27.9921 9.08144 50.5908Z" fill="#E5E7EB"/>
-                <path d="M93.9676 39.0409C96.393 38.4038 97.8624 35.9116 97.0079 33.5539C95.2932 28.8227 92.871 24.3692 89.8167 20.348C85.8452 15.1192 80.8826 10.7238 75.2124 7.41289C69.5422 4.10194 63.2754 1.94025 56.7698 1.05124C51.7666 0.367541 46.6976 0.446843 41.7345 1.27873C39.2613 1.69328 37.813 4.19778 38.4501 6.62326C39.0873 9.04874 41.5694 10.4717 44.0505 10.1071C47.8511 9.54855 51.7191 9.52689 55.5402 10.0491C60.8642 10.7766 65.9928 12.5457 70.6331 15.2552C75.2735 17.9648 79.3347 21.5619 82.5849 25.841C84.9175 28.9121 86.7997 32.2913 88.1811 35.8758C89.083 38.2158 91.5421 39.6781 93.9676 39.0409Z" fill="currentColor"/>
-                </svg>
-                { move || if save_pending.get() { "Saving" } else { "Save" } }
-            </button>
-            {
-                if let Some(extra) = extra {
-                    extra.into_view()
-                } else {
-                    view!{}.into_view()
-                }
-            }
-            { move || if let Some(error) = error.get() {
-                    view! {
-                        <div class="ml-4 py-2 px-4 rounded-lg bg-red-50">
-                            <span class="text-sm font-medium text-red-800">{ error }</span>
-                        </div>
-                    }.into_view()
-                } else {
-                    view! {}.into_view()
-                }
-            }
-            { move || if let Some(success) = success.get() {
-                    view! {
-                        <div class="ml-4 py-2 px-4 rounded-lg bg-green-50">
-                            <span class="text-sm font-medium text-green-800">{ success }</span>
-                        </div>
-                    }.into_view()
-                } else {
-                    view! {}.into_view()
-                }
-            }
-        </div>
-    }
-}
diff --git a/lapdev-dashboard/src/organization.rs b/lapdev-dashboard/src/organization.rs
deleted file mode 100644
index 24c59ed..0000000
--- a/lapdev-dashboard/src/organization.rs
+++ /dev/null
@@ -1,1038 +0,0 @@
-use std::{str::FromStr, time::Duration};
-
-use anyhow::{anyhow, Result};
-use gloo_net::http::Request;
-use lapdev_common::{
-    console::{MeUser, Organization, OrganizationMember},
-    ClusterInfo, NewOrganization, UpdateOrganizationAutoStartStop, UpdateOrganizationMember,
-    UpdateOrganizationName, UserRole,
-};
-use leptos::{
-    component, create_action, create_effect, create_local_resource, create_rw_signal, document,
-    event_target_checked, event_target_value, expect_context, leptos_dom::logging::console_log,
-    set_timeout, use_context, view, window, Action, For, IntoView, Resource, RwSignal, Signal,
-    SignalGet, SignalGetUntracked, SignalSet, SignalUpdate, SignalWith,
-};
-use uuid::Uuid;
-use wasm_bindgen::{JsCast, UnwrapThrowExt};
-use web_sys::FocusEvent;
-
-use crate::modal::{CreationModal, DatetimeModal, DeletionModal, ErrorResponse, SettingView};
-
-async fn create_org(name: RwSignal<String>) -> Result<()> {
-    let org_name = name.get_untracked();
-    let resp = Request::post("/api/v1/organizations")
-        .json(&NewOrganization { name: org_name })?
-        .send()
-        .await?;
-    if resp.status() != 200 {
-        return Err(anyhow!("can't create organization"));
-    }
-    let _resp: Organization = resp.json().await?;
-
-    let _ = window().location().set_href("/");
-
-    Ok(())
-}
-
-async fn switch_org(org_id: String) -> Result<()> {
-    let _ = Request::put(&format!("/api/private/me/organization/{org_id}"))
-        .send()
-        .await;
-    let _ = window().location().set_href("/");
-    Ok(())
-}
-
-#[component]
-pub fn OrgSelector(new_org_modal_hidden: RwSignal<bool>) -> impl IntoView {
-    let login = use_context::<Resource<i32, Option<MeUser>>>().unwrap();
-    let hidden = create_rw_signal(true);
-    let toggle_dropdown = move |_| {
-        if hidden.get_untracked() {
-            hidden.set(false);
-        } else {
-            hidden.set(true);
-        }
-    };
-
-    let on_focusout = move |e: FocusEvent| {
-        let node = e
-            .current_target()
-            .unwrap_throw()
-            .unchecked_into::<web_sys::HtmlElement>();
-
-        set_timeout(
-            move || {
-                let has_focus = if let Some(active) = document().active_element() {
-                    let active: web_sys::Node = active.into();
-                    node.contains(Some(&active))
-                } else {
-                    false
-                };
-                if !has_focus && !hidden.get_untracked() {
-                    hidden.set(true);
-                }
-            },
-            Duration::from_secs(0),
-        );
-    };
-
-    view! {
-        <div
-            class="w-full mb-5"
-            on:focusout=on_focusout
-        >
-        <button
-            class="flex items-center justify-between w-full border rounded-xl px-5"
-            type="button"
-            on:click=toggle_dropdown
-        >
-            <div class="flex items-center grow basis-0 min-w-0">
-                <div class="rounded-full flex items-center justify-center flex-shrink-0 w-10 h-10 bg-gradient-to-tr from-sky-500 to-indigo-500 from-30% to-70% mr-2">
-                    <span class="text-white font-semibold text-xl">{ move || login.get().flatten().and_then(|l| l.organization.name.chars().next()).unwrap_or('P') }</span>
-                </div>
-                <span class="py-4 truncate">{ move || login.get().flatten().map(|l| l.organization.name).unwrap_or_else(|| "Personal".to_string()) }</span>
-            </div>
-            <svg class="w-5 h-5" fill="currentColor" viewBox="0 0 20 20" xmlns="http://www.w3.org/2000/svg"><path fill-rule="evenodd" d="M10 3a1 1 0 01.707.293l3 3a1 1 0 01-1.414 1.414L10 5.414 7.707 7.707a1 1 0 01-1.414-1.414l3-3A1 1 0 0110 3zm-3.707 9.293a1 1 0 011.414 0L10 14.586l2.293-2.293a1 1 0 011.414 1.414l-3 3a1 1 0 01-1.414 0l-3-3a1 1 0 010-1.414z" clip-rule="evenodd"></path></svg>
-        </button>
-        <div
-            class="relative"
-            class:hidden=move || hidden.get()
-        >
-        <div
-            class="absolute w-full mr-4 mt-2 z-10 bg-white divide-y divide-gray-100 rounded-xl border shadow w-full"
-        >
-            <ul class="py-2 text-sm text-gray-700">
-                <For
-                    each=move || login.get().flatten().map(|l| {
-                        let mut orgs = l.all_organizations;
-                        orgs.retain(|o| o.id != l.organization.id);
-                        orgs
-                    }).unwrap_or_default()
-                    key=|o| o.id
-                    children=move |org| {
-                        view! {
-                            <li>
-                                <a href="#"
-                                    class="flex items-center px-5 hover:bg-gray-100"
-                                    on:click=move |_| {
-                                        hidden.set(true);
-                                        create_action(move |org_id: &String| switch_org(org_id.clone())).dispatch(org.id.to_string());
-                                    }
-                                >
-                                    <div class="rounded-full flex items-center justify-center flex-shrink-0 w-10 h-10 bg-gradient-to-tr from-sky-500 to-indigo-500 from-30% to-70% mr-2">
-                                        <span class="text-white font-semibold text-xl">{ org.name.chars().next().unwrap_or('O') }</span>
-                                    </div>
-                                    <span class="py-4 truncate">{org.name}</span>
-                                </a>
-                            </li>
-                        }
-                    }
-                />
-                <li>
-                    <a href="#"
-                        class="flex items-center justify-between px-5 py-4 hover:bg-gray-100"
-                        on:click=move |_| { new_org_modal_hidden.set(false); hidden.set(true); }
-                    >
-                        Create New Organization
-                        <svg xmlns="http://www.w3.org/2000/svg" fill="none" viewBox="0 0 14 14" class="w-3.5">
-                            <path fill="currentColor" fill-rule="evenodd" d="M7 0a1 1 0 011 1v5h5a1 1 0 110 2H8v5a1 1 0 11-2 0V8H1a1 1 0 010-2h5V1a1 1 0 011-1z" clip-rule="evenodd" />
-                        </svg>
-                    </a>
-                </li>
-            </ul>
-        </div>
-        </div>
-        </div>
-    }
-}
-
-#[component]
-pub fn NewOrgModal(modal_hidden: RwSignal<bool>) -> impl IntoView {
-    let org_name = create_rw_signal("".to_string());
-    let action = create_action(move |_| create_org(org_name));
-    let handle_create_org = move |_| {
-        action.dispatch(());
-    };
-    let create_pending = action.pending();
-    view! {
-        <div
-            id="default-modal"
-            tabindex="-1"
-            aria-hidden="true"
-            class="bg-gray-900/50 flex overflow-y-auto overflow-x-hidden fixed top-0 right-0 left-0 z-50 justify-center items-center w-full h-full"
-            class:hidden=move || modal_hidden.get()
-            on:click=move |_| modal_hidden.set(true)
-        >
-            <div
-                class="relative p-4 w-full max-w-2xl max-h-full"
-                on:click=move |e| e.stop_propagation()
-            >
-                <div class="relative bg-white rounded-lg shadow">
-                    <div class="flex items-center justify-between p-4 md:p-5 border-b rounded-t">
-                        <h3 class="text-xl font-semibold text-gray-900">
-                            Create New Organization
-                        </h3>
-                        <button
-                            type="button"
-                            class="text-gray-400 bg-transparent hover:bg-gray-200 hover:text-gray-900 rounded-lg text-sm w-8 h-8 ms-auto inline-flex justify-center items-center" data-modal-hide="default-modal"
-                            on:click=move |_| modal_hidden.set(true)
-                        >
-                            <svg class="w-3 h-3" aria-hidden="true" xmlns="http://www.w3.org/2000/svg" fill="none" viewBox="0 0 14 14">
-                                <path stroke="currentColor" stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="m1 1 6 6m0 0 6 6M7 7l6-6M7 7l-6 6"/>
-                            </svg>
-                            <span class="sr-only">Close modal</span>
-                        </button>
-                    </div>
-                    <div class="p-4 md:p-5 space-y-4">
-                        <div>
-                            <label class="block mb-2 text-sm font-medium text-gray-900">Your Organization Name</label>
-                            <input
-                                prop:value={move || org_name.get()}
-                                on:input=move |ev| { org_name.set(event_target_value(&ev)); }
-                                class="bg-gray-50 border border-gray-300 text-gray-900 text-sm rounded-lg focus:ring-blue-500 focus:border-blue-500 block w-full p-2.5"
-                                required
-                            />
-                        </div>
-                    </div>
-                    <div class="flex items-center p-4 md:p-5 border-t border-gray-200 rounded-b">
-                        <button
-                            type="button"
-                            class="flex flex-row items-center text-white bg-blue-700 hover:bg-blue-800 focus:ring-4 focus:outline-none focus:ring-blue-300 font-medium rounded-lg text-sm px-5 py-2.5 text-center"
-                            disabled=move || create_pending.get()
-                            on:click=handle_create_org
-                        >
-                            <svg aria-hidden="true" role="status"
-                                class="inline w-4 h-4 me-3 text-white animate-spin" viewBox="0 0 100 101" fill="none" xmlns="http://www.w3.org/2000/svg"
-                                class:hidden=move || !create_pending.get()
-                            >
-                            <path d="M100 50.5908C100 78.2051 77.6142 100.591 50 100.591C22.3858 100.591 0 78.2051 0 50.5908C0 22.9766 22.3858 0.59082 50 0.59082C77.6142 0.59082 100 22.9766 100 50.5908ZM9.08144 50.5908C9.08144 73.1895 27.4013 91.5094 50 91.5094C72.5987 91.5094 90.9186 73.1895 90.9186 50.5908C90.9186 27.9921 72.5987 9.67226 50 9.67226C27.4013 9.67226 9.08144 27.9921 9.08144 50.5908Z" fill="#E5E7EB"/>
-                            <path d="M93.9676 39.0409C96.393 38.4038 97.8624 35.9116 97.0079 33.5539C95.2932 28.8227 92.871 24.3692 89.8167 20.348C85.8452 15.1192 80.8826 10.7238 75.2124 7.41289C69.5422 4.10194 63.2754 1.94025 56.7698 1.05124C51.7666 0.367541 46.6976 0.446843 41.7345 1.27873C39.2613 1.69328 37.813 4.19778 38.4501 6.62326C39.0873 9.04874 41.5694 10.4717 44.0505 10.1071C47.8511 9.54855 51.7191 9.52689 55.5402 10.0491C60.8642 10.7766 65.9928 12.5457 70.6331 15.2552C75.2735 17.9648 79.3347 21.5619 82.5849 25.841C84.9175 28.9121 86.7997 32.2913 88.1811 35.8758C89.083 38.2158 91.5421 39.6781 93.9676 39.0409Z" fill="currentColor"/>
-                            </svg>
-                            { move || if create_pending.get() { "Creating" } else { "Create" } }
-                        </button>
-                        <button
-                            type="button"
-                            class="ms-3 text-gray-500 bg-white hover:bg-gray-100 focus:ring-4 focus:outline-none focus:ring-blue-300 rounded-lg border border-gray-200 text-sm font-medium px-5 py-2.5 hover:text-gray-900 focus:z-10"
-                            disabled=move || create_pending.get()
-                            on:click=move |_| modal_hidden.set(true)
-                        >Cancel</button>
-                    </div>
-                </div>
-            </div>
-        </div>
-    }
-}
-
-async fn delete_org() -> Result<Option<ErrorResponse>> {
-    let org =
-        use_context::<Signal<Option<Organization>>>().ok_or_else(|| anyhow!("can't get org"))?;
-    let org = org
-        .get_untracked()
-        .ok_or_else(|| anyhow!("can't get org"))?;
-    let resp = Request::delete(&format!("/api/v1/organizations/{}", org.id))
-        .send()
-        .await?;
-    if resp.status() == 200 {
-        let _ = window().location().set_href("/");
-    } else {
-        let error = resp
-            .json::<ErrorResponse>()
-            .await
-            .unwrap_or_else(|_| ErrorResponse {
-                error: "Internal Server Error".to_string(),
-            });
-        return Ok(Some(error));
-    }
-    Ok(None)
-}
-
-#[component]
-pub fn OrgSettings() -> impl IntoView {
-    let modal_hidden = create_rw_signal(true);
-    let delete_action = create_action(|()| delete_org());
-    let login = use_context::<Resource<i32, Option<MeUser>>>().unwrap();
-    let cluster_info = expect_context::<Signal<Option<ClusterInfo>>>();
-    view! {
-        <div class="border-b pb-4 mb-8">
-            <h5 class="mr-3 text-2xl font-semibold">
-                Organization Settings
-            </h5>
-            <p class="text-gray-700">{"Manage your organization's settings"}</p>
-        </div>
-        <div class="mb-8">
-            <div class="w-full p-8 border rounded-xl shadow">
-                <UpdateNameView />
-            </div>
-            <div
-                class="mt-8 w-full p-8 border rounded-xl shadow"
-                class:hidden=move || !cluster_info.with(|i| i.as_ref().map(|i| i.has_enterprise)).unwrap_or(false)
-            >
-                <AutoStartStopView />
-            </div>
-
-            <div
-                class="mt-8 w-full p-8 border rounded-xl shadow"
-                class:hidden=move || !login.with(|l| { l.as_ref() .and_then(|l| l.as_ref().map(|l| l.organization.role == UserRole::Owner)) .unwrap_or(false) })
-            >
-                <h5 class="text-lg font-semibold">
-                    Delete Organization
-                </h5>
-                <button
-                    type="button"
-                    class="flex items-center justify-center mt-2 px-5 py-2.5 text-sm font-medium text-white rounded-lg bg-red-600 hover:bg-red-800 focus:ring-4 focus:ring-red-300 focus:outline-none"
-                    on:click=move |_| modal_hidden.set(false)
-                >
-                    Delete
-                </button>
-            </div>
-        </div>
-        <DeleteOrgModal modal_hidden delete_action />
-    }
-}
-
-#[component]
-pub fn DeleteOrgModal(
-    modal_hidden: RwSignal<bool>,
-    delete_action: Action<(), Result<Option<ErrorResponse>>>,
-) -> impl IntoView {
-    let error = create_rw_signal(None);
-    let confirmation = create_rw_signal(String::new());
-    let handle_delete = move |_| {
-        delete_action.dispatch(());
-    };
-    let delete_pending = delete_action.pending();
-    let org = use_context::<Signal<Option<Organization>>>().unwrap();
-    create_effect(move |_| {
-        delete_action.value().with(|result| {
-            if let Some(result) = result {
-                match result {
-                    Ok(err) => {
-                        if let Some(err) = err {
-                            error.set(Some(err.error.to_string()));
-                        }
-                    }
-                    Err(e) => {
-                        console_log(&format!("creation error: {e}"));
-                    }
-                }
-            }
-        })
-    });
-    view! {
-        <div tabindex="-1" class="bg-gray-900/50 flex overflow-y-auto overflow-x-hidden fixed top-0 right-0 left-0 z-50 justify-center items-center w-full h-full"
-            class:hidden=move || modal_hidden.get()
-            on:click=move |_| modal_hidden.set(true)
-        >
-            <div
-                class="relative p-4 w-full max-w-md max-h-full"
-                on:click=move |e| e.stop_propagation()
-            >
-                <div class="relative bg-white rounded-lg shadow">
-                    <button type="button"
-                        class="absolute top-3 end-2.5 text-gray-400 bg-transparent hover:bg-gray-200 hover:text-gray-900 rounded-lg text-sm w-8 h-8 ms-auto inline-flex justify-center items-center"
-                        on:click=move |_| modal_hidden.set(true)
-                    >
-                        <svg class="w-3 h-3" aria-hidden="true" xmlns="http://www.w3.org/2000/svg" fill="none" viewBox="0 0 14 14">
-                            <path stroke="currentColor" stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="m1 1 6 6m0 0 6 6M7 7l6-6M7 7l-6 6"/>
-                        </svg>
-                        <span class="sr-only">Close modal</span>
-                    </button>
-                    <div class="p-4 md:p-5 text-center text-gray-500">
-                        <svg class="mx-auto mb-4 text-gray-400 w-12 h-12" aria-hidden="true" xmlns="http://www.w3.org/2000/svg" fill="none" viewBox="0 0 20 20">
-                            <path stroke="currentColor" stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M10 11V6m0 8h.01M19 10a9 9 0 1 1-18 0 9 9 0 0 1 18 0Z"/>
-                        </svg>
-                        <h3 class="mb-5 text-lg font-normalflex flex-col items-center">
-                            <p>Are you sure you want to delete organization</p>
-                            <p class="text-bold text-gray-600">{ move || org.get().map(|org| org.name).unwrap_or_default() }</p>
-                        </h3>
-                        { move || if let Some(error) = error.get() {
-                                view! {
-                                    <div class="text-left p-4 mb-4 rounded-lg bg-red-50">
-                                        <span class="text-sm font-medium text-red-800">{ error }</span>
-                                    </div>
-                                }.into_view()
-                            } else {
-                                view! {}.into_view()
-                            }
-                        }
-                        <div class="text-left">
-                        <p>{"1. You'll lose all the projects and workspaces in this organization and this cannot be restored."}</p>
-                        <p>{"2. All organization members will lose access to this organization and all the associated workspaces."}</p>
-                        </div>
-                        <p class="mt-4 text-left">
-                        Type
-                        <span class="text-semibold mx-1 px-1 text-gray-800 bg-gray-200 rounded">{ move || org.get().map(|org| org.name).unwrap_or_default() }</span>
-                        To Confirm
-                        </p>
-                        <input
-                            class="w-full border rounded py-1 px-1 my-2"
-                            prop:value={move || confirmation.get()}
-                            on:input=move |ev| { confirmation.set(event_target_value(&ev)); }
-                        />
-                        <button
-                            type="button"
-                            class="text-white bg-red-600 disabled:bg-red-400 hover:bg-red-800 focus:ring-4 focus:outline-none focus:ring-red-300 font-medium rounded-lg text-sm inline-flex items-center px-5 py-2.5 text-center me-2"
-                            on:click=handle_delete
-                            disabled=move || delete_pending.get() || {
-                                let confirmation = confirmation.get();
-                                let org = org.get().map(|org| org.name).unwrap_or_default();
-                                confirmation != org
-                            }
-                        >
-                            <svg aria-hidden="true" role="status"
-                                class="inline w-3 h-3 me-3 text-white animate-spin" viewBox="0 0 100 101" fill="none" xmlns="http://www.w3.org/2000/svg"
-                                class:hidden=move || !delete_pending.get()
-                            >
-                            <path d="M100 50.5908C100 78.2051 77.6142 100.591 50 100.591C22.3858 100.591 0 78.2051 0 50.5908C0 22.9766 22.3858 0.59082 50 0.59082C77.6142 0.59082 100 22.9766 100 50.5908ZM9.08144 50.5908C9.08144 73.1895 27.4013 91.5094 50 91.5094C72.5987 91.5094 90.9186 73.1895 90.9186 50.5908C90.9186 27.9921 72.5987 9.67226 50 9.67226C27.4013 9.67226 9.08144 27.9921 9.08144 50.5908Z" fill="#E5E7EB"/>
-                            <path d="M93.9676 39.0409C96.393 38.4038 97.8624 35.9116 97.0079 33.5539C95.2932 28.8227 92.871 24.3692 89.8167 20.348C85.8452 15.1192 80.8826 10.7238 75.2124 7.41289C69.5422 4.10194 63.2754 1.94025 56.7698 1.05124C51.7666 0.367541 46.6976 0.446843 41.7345 1.27873C39.2613 1.69328 37.813 4.19778 38.4501 6.62326C39.0873 9.04874 41.5694 10.4717 44.0505 10.1071C47.8511 9.54855 51.7191 9.52689 55.5402 10.0491C60.8642 10.7766 65.9928 12.5457 70.6331 15.2552C75.2735 17.9648 79.3347 21.5619 82.5849 25.841C84.9175 28.9121 86.7997 32.2913 88.1811 35.8758C89.083 38.2158 91.5421 39.6781 93.9676 39.0409Z" fill="currentColor"/>
-                            </svg>
-                            { move || if delete_pending.get() { "Deleting" } else { "Yes, I'm sure" } }
-                        </button>
-                        <button
-                            type="button"
-                            class="text-gray-500 bg-white hover:bg-gray-100 focus:ring-4 focus:outline-none focus:ring-gray-200 rounded-lg border border-gray-200 text-sm font-medium px-5 py-2.5 hover:text-gray-900 focus:z-10"
-                            disabled=move || delete_pending.get()
-                            on:click=move |_| modal_hidden.set(true)
-                        >No, cancel</button>
-                    </div>
-                </div>
-            </div>
-        </div>
-    }
-}
-
-async fn update_name(id: Uuid, name: String) -> Result<(), ErrorResponse> {
-    let resp = Request::put(&format!("/api/v1/organizations/{id}/name"))
-        .json(&UpdateOrganizationName { name })?
-        .send()
-        .await?;
-
-    if resp.status() != 204 {
-        let error = resp
-            .json::<ErrorResponse>()
-            .await
-            .unwrap_or_else(|_| ErrorResponse {
-                error: "Internal Server Error".to_string(),
-            });
-        return Err(error);
-    }
-
-    Ok(())
-}
-
-async fn update_auto_start_stop(
-    id: Uuid,
-    auto_start: bool,
-    allow_workspace_change_auto_start: bool,
-    auto_stop: Option<i32>,
-    allow_workspace_change_auto_stop: bool,
-) -> Result<(), ErrorResponse> {
-    let resp = Request::put(&format!("/api/v1/organizations/{id}/auto_start_stop"))
-        .json(&UpdateOrganizationAutoStartStop {
-            auto_start,
-            auto_stop,
-            allow_workspace_change_auto_start,
-            allow_workspace_change_auto_stop,
-        })?
-        .send()
-        .await?;
-
-    if resp.status() != 204 {
-        let error = resp
-            .json::<ErrorResponse>()
-            .await
-            .unwrap_or_else(|_| ErrorResponse {
-                error: "Internal Server Error".to_string(),
-            });
-        return Err(error);
-    }
-
-    Ok(())
-}
-
-#[component]
-fn AutoStartStopView() -> impl IntoView {
-    let org = use_context::<Signal<Option<Organization>>>().unwrap();
-    let login_counter = expect_context::<RwSignal<i32>>();
-
-    let auto_start_enabled = create_rw_signal(false);
-    create_effect(move |_| {
-        if let Some(enabled) = org.with(|o| o.as_ref().map(|o| o.auto_start)) {
-            auto_start_enabled.set(enabled);
-        }
-    });
-
-    let allow_workspace_change_auto_start = create_rw_signal(false);
-    create_effect(move |_| {
-        if let Some(enabled) = org.with(|o| o.as_ref().map(|o| o.allow_workspace_change_auto_start))
-        {
-            allow_workspace_change_auto_start.set(enabled);
-        }
-    });
-
-    let auto_stop_enabled = create_rw_signal(false);
-    create_effect(move |_| {
-        if let Some(enabled) = org.with(|o| o.as_ref().map(|o| o.auto_stop.is_some())) {
-            auto_stop_enabled.set(enabled);
-        }
-    });
-
-    let auto_stop_seconds = create_rw_signal(3600);
-    create_effect(move |_| {
-        if let Some(seconds) = org.with(|o| o.as_ref().map(|o| o.auto_stop)).flatten() {
-            auto_stop_seconds.set(seconds);
-        }
-    });
-
-    let allow_workspace_change_auto_stop = create_rw_signal(false);
-    create_effect(move |_| {
-        if let Some(enabled) = org.with(|o| o.as_ref().map(|o| o.allow_workspace_change_auto_stop))
-        {
-            allow_workspace_change_auto_stop.set(enabled);
-        }
-    });
-
-    let save_action = create_action(move |_| async move {
-        if let Some(id) = org.with(|o| o.as_ref().map(|o| o.id)) {
-            update_auto_start_stop(
-                id,
-                auto_start_enabled.get_untracked(),
-                allow_workspace_change_auto_start.get_untracked(),
-                if auto_stop_enabled.get_untracked() {
-                    Some(auto_stop_seconds.get_untracked())
-                } else {
-                    None
-                },
-                allow_workspace_change_auto_stop.get_untracked(),
-            )
-            .await
-        } else {
-            Err(ErrorResponse {
-                error: "Organization not loaded yet".to_string(),
-            })
-        }
-    });
-
-    let body = view! {
-        <div class="mt-2">
-            <label class="inline-flex items-center cursor-pointer">
-                <input type="checkbox" value="" class="sr-only peer"
-                    prop:checked=move || auto_start_enabled.get()
-                    on:change=move |e| auto_start_enabled.set(event_target_checked(&e))
-                />
-                <div class="relative w-11 h-6 bg-gray-200 peer-focus:outline-none peer-focus:ring-4 peer-focus:ring-blue-300 rounded-full peer peer-checked:after:translate-x-full rtl:peer-checked:after:-translate-x-full peer-checked:after:border-white after:content-[''] after:absolute after:top-[2px] after:start-[2px] after:bg-white after:border-gray-300 after:border after:rounded-full after:h-5 after:w-5 after:transition-all peer-checked:bg-blue-600"></div>
-                <span class="ms-3 text-sm font-medium text-gray-900">Auto Start Enabled</span>
-            </label>
-        </div>
-        <div class="mt-2">
-            <label class="inline-flex items-center cursor-pointer">
-                <input type="checkbox" value="" class="sr-only peer"
-                    prop:checked=move || allow_workspace_change_auto_start.get()
-                    on:change=move |e| allow_workspace_change_auto_start.set(event_target_checked(&e))
-                />
-                <div class="relative w-11 h-6 bg-gray-200 peer-focus:outline-none peer-focus:ring-4 peer-focus:ring-blue-300 rounded-full peer peer-checked:after:translate-x-full rtl:peer-checked:after:-translate-x-full peer-checked:after:border-white after:content-[''] after:absolute after:top-[2px] after:start-[2px] after:bg-white after:border-gray-300 after:border after:rounded-full after:h-5 after:w-5 after:transition-all peer-checked:bg-blue-600"></div>
-                <span class="ms-3 text-sm font-medium text-gray-900">Allow Changing Auto Start on Workspace</span>
-            </label>
-        </div>
-        <div class="mt-2">
-            <label class="inline-flex items-center cursor-pointer">
-                <input type="checkbox" value="" class="sr-only peer"
-                    prop:checked=move || auto_stop_enabled.get()
-                    on:change=move |e| auto_stop_enabled.set(event_target_checked(&e))
-                />
-                <div class="relative w-11 h-6 bg-gray-200 peer-focus:outline-none peer-focus:ring-4 peer-focus:ring-blue-300 rounded-full peer peer-checked:after:translate-x-full rtl:peer-checked:after:-translate-x-full peer-checked:after:border-white after:content-[''] after:absolute after:top-[2px] after:start-[2px] after:bg-white after:border-gray-300 after:border after:rounded-full after:h-5 after:w-5 after:transition-all peer-checked:bg-blue-600"></div>
-                <span class="ms-3 text-sm font-medium text-gray-900">Auto Stop Enabled</span>
-            </label>
-        </div>
-        <div class="mt-2">
-            <label class="inline-flex items-center cursor-pointer">
-                <input type="checkbox" value="" class="sr-only peer"
-                    prop:checked=move || allow_workspace_change_auto_stop.get()
-                    on:change=move |e| allow_workspace_change_auto_stop.set(event_target_checked(&e))
-                />
-                <div class="relative w-11 h-6 bg-gray-200 peer-focus:outline-none peer-focus:ring-4 peer-focus:ring-blue-300 rounded-full peer peer-checked:after:translate-x-full rtl:peer-checked:after:-translate-x-full peer-checked:after:border-white after:content-[''] after:absolute after:top-[2px] after:start-[2px] after:bg-white after:border-gray-300 after:border after:rounded-full after:h-5 after:w-5 after:transition-all peer-checked:bg-blue-600"></div>
-                <span class="ms-3 text-sm font-medium text-gray-900">Allow Changing Auto Stop on Workspace</span>
-            </label>
-        </div>
-        {
-            move || if auto_stop_enabled.get() {
-                view! {
-                    <div class="mt-2">
-                        <label class="block mb-2 text-sm font-medium text-gray-900">Auto Stop Seconds</label>
-                        <input
-                            prop:value={move || auto_stop_seconds.get()}
-                            on:input=move |ev| {
-                                if let Ok(seconds) = event_target_value(&ev).parse() {
-                                    auto_stop_seconds.set(seconds);
-                                }
-                            }
-                            class="max-w-96 bg-gray-50 border border-gray-300 text-gray-900 text-sm rounded-lg focus:ring-blue-500 focus:border-blue-500 block w-full p-2.5"
-                            // placeholder={placeholder}
-                        />
-                    </div>
-                }.into_view()
-            } else {
-                view! {}.into_view()
-            }
-        }
-    };
-
-    view! {
-        <SettingView title="Auto Start Stop Settings".to_string() action=save_action body update_counter=login_counter extra=None />
-    }
-}
-
-#[component]
-fn UpdateNameView() -> impl IntoView {
-    let org = use_context::<Signal<Option<Organization>>>().unwrap();
-    let login_counter = expect_context::<RwSignal<i32>>();
-
-    let org_name = create_rw_signal(String::new());
-    create_effect(move |_| {
-        if let Some(name) = org.with(|o| o.as_ref().map(|o| o.name.clone())) {
-            org_name.set(name);
-        }
-    });
-
-    let save_action = create_action(move |_| async move {
-        if let Some(id) = org.with(|o| o.as_ref().map(|o| o.id)) {
-            update_name(id, org_name.get_untracked()).await
-        } else {
-            Err(ErrorResponse {
-                error: "Organization not loaded yet".to_string(),
-            })
-        }
-    });
-
-    let body = view! {
-        <div class="mt-2">
-            <input
-                prop:value={move || org_name.get()}
-                on:input=move |ev| {
-                    org_name.set(event_target_value(&ev));
-                }
-                class="max-w-96 bg-gray-50 border border-gray-300 text-gray-900 text-sm rounded-lg focus:ring-blue-500 focus:border-blue-500 block w-full p-2.5"
-                // placeholder={placeholder}
-            />
-        </div>
-    };
-
-    view! {
-        <SettingView title="Organization Name".to_string() action=save_action body update_counter=login_counter extra=None />
-    }
-}
-
-async fn get_org_members() -> Result<Vec<OrganizationMember>> {
-    let org =
-        use_context::<Signal<Option<Organization>>>().ok_or_else(|| anyhow!("can't get org"))?;
-    let org = org
-        .get_untracked()
-        .ok_or_else(|| anyhow!("can't get org"))?;
-    let resp = Request::get(&format!("/api/v1/organizations/{}/members", org.id))
-        .send()
-        .await?;
-    let members: Vec<OrganizationMember> = resp.json().await?;
-    Ok(members)
-}
-
-#[component]
-pub fn OrgMembers() -> impl IntoView {
-    let invite_member_modal_hidden = create_rw_signal(true);
-    let member_filter = create_rw_signal(String::new());
-
-    let update_counter = create_rw_signal(0);
-    let members = create_local_resource(
-        move || update_counter.get(),
-        move |_| async move { get_org_members().await },
-    );
-    let members = Signal::derive(move || {
-        let filter = member_filter.get();
-        let mut members = members
-            .with(|m| m.as_ref().and_then(|m| m.as_ref().ok().cloned()))
-            .unwrap_or_default();
-        if !filter.trim().is_empty() {
-            members.retain(|m| {
-                m.name
-                    .as_ref()
-                    .map(|n| n.contains(&filter))
-                    .unwrap_or(false)
-            });
-        }
-        members
-    });
-
-    view! {
-        <div class="pb-4">
-            <h5 class="mr-3 text-2xl font-semibold">
-                Organization Members
-            </h5>
-            <p class="text-gray-700">{"Manage your organization's members"}</p>
-            <div class="flex flex-col items-center justify-between py-4 gap-y-3 md:flex-row md:space-y-0 md:space-x-4">
-                <div class="w-full md:w-1/2">
-                    <form class="flex items-center">
-                        <label for="simple-search" class="sr-only">Filter Members</label>
-                        <div class="relative w-full">
-                        <div class="absolute inset-y-0 left-0 flex items-center pl-3 pointer-events-none">
-                            <svg aria-hidden="true" class="w-5 h-5 text-gray-500" fill="currentColor" viewbox="0 0 20 20" xmlns="http://www.w3.org/2000/svg">
-                            <path fill-rule="evenodd" d="M8 4a4 4 0 100 8 4 4 0 000-8zM2 8a6 6 0 1110.89 3.476l4.817 4.817a1 1 0 01-1.414 1.414l-4.816-4.816A6 6 0 012 8z" clip-rule="evenodd" />
-                            </svg>
-                        </div>
-                        <input
-                            prop:value={move || member_filter.get()}
-                            on:input=move |ev| { member_filter.set(event_target_value(&ev)); }
-                            type="text"
-                            class="bg-white block w-full p-2 pl-10 text-sm text-gray-900 border border-gray-300 rounded-lg bg-gray-50 focus:ring-blue-500 focus:border-blue-500"
-                            placeholder="Filter Members"
-                        />
-                        </div>
-                    </form>
-                </div>
-                <button
-                    type="button"
-                    class="px-4 py-2 text-sm font-medium text-white rounded-lg bg-blue-700 hover:bg-blue-800 focus:ring-4 focus:ring-blue-300 focus:outline-none"
-                    on:click=move |_| invite_member_modal_hidden.set(false)
-                >
-                    Invite New Member
-                </button>
-            </div>
-        </div>
-
-        <div class="flex items-center w-full px-4 py-2 text-gray-900 bg-gray-50">
-            <span class="w-1/3 truncate pr-2">Name</span>
-            <span class="w-1/3 truncate">Joined</span>
-            <span class="w-1/3 truncate pl-2 flex flex-row items-center">
-                <div class="w-2/3 flex flex-row justify-center">
-                    <span>Role</span>
-                </div>
-                <span class="w-1/3">
-                </span>
-            </span>
-        </div>
-
-        <For
-            each=move || members.get().into_iter().enumerate()
-            key=|(i, m)| (*i, m.clone())
-            children=move |(i, m)| {
-                view! {
-                    <MemberItemView i member=m update_counter />
-                }
-            }
-        />
-
-        <InviteMemberView invite_member_modal_hidden />
-    }
-}
-
-async fn delete_org_member(
-    user_id: Uuid,
-    delete_modal_hidden: RwSignal<bool>,
-    update_counter: RwSignal<i32>,
-) -> Result<(), ErrorResponse> {
-    let current_org =
-        use_context::<Signal<Option<Organization>>>().ok_or_else(|| anyhow!("can't get org"))?;
-    let org = current_org
-        .get_untracked()
-        .ok_or_else(|| anyhow!("can't get org"))?;
-    let resp = Request::delete(&format!(
-        "/api/v1/organizations/{}/members/{user_id}",
-        org.id
-    ))
-    .send()
-    .await?;
-    if resp.status() != 204 {
-        let error = resp
-            .json::<ErrorResponse>()
-            .await
-            .unwrap_or_else(|_| ErrorResponse {
-                error: "Internal Server Error".to_string(),
-            });
-        return Err(error);
-    }
-    delete_modal_hidden.set(true);
-    update_counter.update(|c| *c += 1);
-    Ok(())
-}
-
-async fn update_org_member(
-    user_id: Uuid,
-    role: String,
-    update_modal_hidden: RwSignal<bool>,
-    update_counter: RwSignal<i32>,
-) -> Result<(), ErrorResponse> {
-    let current_org =
-        use_context::<Signal<Option<Organization>>>().ok_or_else(|| anyhow!("can't get org"))?;
-    let org = current_org
-        .get_untracked()
-        .ok_or_else(|| anyhow!("can't get org"))?;
-
-    let role: UserRole = match UserRole::from_str(&role) {
-        Ok(r) => r,
-        Err(_) => {
-            return Err(ErrorResponse {
-                error: "role is invalid".to_string(),
-            })
-        }
-    };
-
-    let resp = Request::put(&format!(
-        "/api/v1/organizations/{}/members/{user_id}",
-        org.id
-    ))
-    .json(&UpdateOrganizationMember { role })?
-    .send()
-    .await?;
-    if resp.status() != 200 {
-        let error = resp
-            .json::<ErrorResponse>()
-            .await
-            .unwrap_or_else(|_| ErrorResponse {
-                error: "Internal Server Error".to_string(),
-            });
-        return Err(error);
-    }
-    update_modal_hidden.set(true);
-    update_counter.update(|c| *c += 1);
-    Ok(())
-}
-
-#[component]
-fn MemberItemView(
-    i: usize,
-    member: OrganizationMember,
-    update_counter: RwSignal<i32>,
-) -> impl IntoView {
-    let update_member_modal_hidden = create_rw_signal(true);
-    let delete_modal_hidden = create_rw_signal(true);
-    let delete_action = create_action(move |_| {
-        delete_org_member(member.user_id, delete_modal_hidden, update_counter)
-    });
-
-    view! {
-        <div
-            class="flex items-center w-full px-4 py-2"
-            class=("border-t", move || i > 0)
-        >
-            <span class="w-1/3 truncate pr-2 text-gray-900 flex flex-row items-center">
-                <img
-                    class="w-8 h-8 rounded-full mr-2"
-                    src={ member.avatar_url.clone().unwrap_or("https://flowbite.s3.amazonaws.com/blocks/marketing-ui/avatars/michael-gough.png".to_string()) }
-                    alt="user photo"
-                />
-                {member.name.clone()}
-            </span>
-            <div class="w-1/3 flex flex-col">
-                <DatetimeModal time=member.joined />
-            </div>
-            <span class="w-1/3 pl-2 flex flex-row items-center">
-                <div class="w-2/3 flex flex-row justify-center">
-                    <span>{member.role.to_string()}</span>
-                </div>
-                <span class="w-1/3">
-                    <MemberControl delete_modal_hidden update_member_modal_hidden align_right=true />
-                </span>
-            </span>
-        </div>
-        <DeletionModal resource=member.name.clone().unwrap_or_default() modal_hidden=delete_modal_hidden delete_action />
-        <UpdateMemberView member=member.clone() update_modal_hidden=update_member_modal_hidden update_counter />
-    }
-}
-
-#[component]
-fn UpdateMemberView(
-    member: OrganizationMember,
-    update_modal_hidden: RwSignal<bool>,
-    update_counter: RwSignal<i32>,
-) -> impl IntoView {
-    let role = create_rw_signal(member.role.to_string());
-    let update_action = create_action(move |_| {
-        update_org_member(
-            member.user_id,
-            role.get_untracked(),
-            update_modal_hidden,
-            update_counter,
-        )
-    });
-    let select_on_change = move |ev: web_sys::Event| {
-        role.set(event_target_value(&ev));
-    };
-    let body = view! {
-        <div>
-            <label class="block mb-2 text-sm font-medium text-gray-900">
-                Role
-            </label>
-            <select
-                class="bg-gray-50 border border-gray-300 text-gray-900 text-sm rounded-lg focus:ring-blue-500 focus:border-blue-500 block w-full p-2.5"
-                on:change=select_on_change
-            >
-                <For
-                    each=move || vec![UserRole::Admin, UserRole::Member]
-                    key=|b| b.clone()
-                    children=move |r| {
-                        let current_role = r.to_string();
-                        view! {
-                            <option
-                                selected=move || current_role == role.get().as_ref()
-                            >{r.to_string()}</option>
-                        }
-                    }
-                />
-            </select>
-        </div>
-    };
-    view! {
-        <CreationModal title="Update Member".to_string() modal_hidden=update_modal_hidden body action=update_action update_text=None updating_text=None width_class=None create_button_hidden=Box::new(|| false) />
-    }
-}
-
-#[component]
-fn MemberControl(
-    delete_modal_hidden: RwSignal<bool>,
-    update_member_modal_hidden: RwSignal<bool>,
-    align_right: bool,
-) -> impl IntoView {
-    let dropdown_hidden = create_rw_signal(true);
-
-    let toggle_dropdown = move |_| {
-        if dropdown_hidden.get_untracked() {
-            dropdown_hidden.set(false);
-        } else {
-            dropdown_hidden.set(true);
-        }
-    };
-
-    let on_focusout = move |e: FocusEvent| {
-        let node = e
-            .current_target()
-            .unwrap_throw()
-            .unchecked_into::<web_sys::HtmlElement>();
-
-        set_timeout(
-            move || {
-                let has_focus = if let Some(active) = document().active_element() {
-                    let active: web_sys::Node = active.into();
-                    node.contains(Some(&active))
-                } else {
-                    false
-                };
-                if !has_focus && !dropdown_hidden.get_untracked() {
-                    dropdown_hidden.set(true);
-                }
-            },
-            Duration::from_secs(0),
-        );
-    };
-
-    let delete_member = {
-        move |_| {
-            dropdown_hidden.set(true);
-            delete_modal_hidden.set(false);
-        }
-    };
-
-    view! {
-        <div
-            class="relative w-9"
-            on:focusout=on_focusout
-        >
-            <button
-                class="hover:bg-gray-100 focus:outline-none font-medium rounded-lg text-sm px-2.5 py-2.5 text-center inline-flex items-center"
-                type="button"
-                on:click=toggle_dropdown
-            >
-                <svg class="w-4 h-4 text-white" viewBox="0 0 16 16" xmlns="http://www.w3.org/2000/svg">
-                    <path d="M9.5 13a1.5 1.5 0 1 1-3 0 1.5 1.5 0 0 1 3 0zm0-5a1.5 1.5 0 1 1-3 0 1.5 1.5 0 0 1 3 0zm0-5a1.5 1.5 0 1 1-3 0 1.5 1.5 0 0 1 3 0z"/>
-                </svg>
-            </button>
-            <div
-                class="absolute pt-2 z-10 divide-y divide-gray-100"
-                class:hidden=move || dropdown_hidden.get()
-                class=("right-0", move || align_right)
-            >
-                <ul class="py-2 text-sm text-gray-700 bg-white rounded-lg border shadow w-44">
-                    <li>
-                        <a
-                            href="#"
-                            class="block px-4 py-2 hover:bg-gray-100"
-                            on:click=move |_| {
-                                dropdown_hidden.set(true);
-                                update_member_modal_hidden.set(false);
-                            }
-                        >
-                            Update Member
-                        </a>
-                    </li>
-                    <li>
-                        <a
-                            href="#"
-                            class="block px-4 py-2 hover:bg-gray-100 text-red-700"
-                            on:click=delete_member
-                        >
-                            Delete Member
-                        </a>
-                    </li>
-                </ul>
-            </div>
-        </div>
-    }
-}
-
-async fn create_user_invitation() -> Result<String> {
-    let org =
-        use_context::<Signal<Option<Organization>>>().ok_or_else(|| anyhow!("can't get org"))?;
-    let org = org
-        .get_untracked()
-        .ok_or_else(|| anyhow!("can't get org"))?;
-    let resp = Request::post(&format!("/api/v1/organizations/{}/invitations", org.id))
-        .send()
-        .await?;
-    if resp.status() != 200 {
-        return Err(anyhow!(resp.text().await?));
-    }
-    let invitation: String = resp.text().await?;
-    Ok(invitation)
-}
-
-#[component]
-fn InviteMemberView(invite_member_modal_hidden: RwSignal<bool>) -> impl IntoView {
-    let action = create_action(move |_| async move { Ok(()) });
-
-    let update_counter = create_rw_signal(0);
-    let invitation_resource = create_local_resource(
-        move || update_counter.get(),
-        move |_| async move { create_user_invitation().await },
-    );
-    let invitation = create_rw_signal(String::new());
-    create_effect(move |_| {
-        let hidden = invite_member_modal_hidden.get();
-        invitation.set(String::new());
-        if !hidden {
-            update_counter.update(|c| *c += 1);
-        }
-    });
-
-    create_effect(move |_| {
-        if let Some(i) =
-            invitation_resource.with(|i| i.as_ref().and_then(|i| i.as_ref().ok().cloned()))
-        {
-            invitation.set(i);
-        }
-    });
-
-    let body = view! {
-        <div>
-            <label class="block mb-2 text-sm font-medium text-gray-900">
-                Invite URL
-            </label>
-            <span class="bg-gray-50 text-gray-900 text-sm rounded-lg block w-full p-2.5">
-                { move || format!("{}/join/{}", window().location().origin().unwrap(), invitation.get()) }
-            </span>
-            <label class="block mt-2 text-sm font-medium text-yellow-500">
-                This URL will expiry in 30 minutes
-            </label>
-        </div>
-    };
-    view! {
-        <CreationModal title="Invite New Member".to_string() modal_hidden=invite_member_modal_hidden action body update_text=Some("Create".to_string()) updating_text=Some("Creating".to_string()) width_class=None create_button_hidden=Box::new(|| true) />
-    }
-}
diff --git a/lapdev-dashboard/src/ssh_key.rs b/lapdev-dashboard/src/ssh_key.rs
deleted file mode 100644
index 70a5b9e..0000000
--- a/lapdev-dashboard/src/ssh_key.rs
+++ /dev/null
@@ -1,162 +0,0 @@
-use anyhow::Result;
-use gloo_net::http::Request;
-use lapdev_common::{NewSshKey, SshKey};
-use leptos::{
-    component, create_action, create_local_resource, create_rw_signal, event_target_value, view,
-    For, IntoView, RwSignal, SignalGet, SignalGetUntracked, SignalSet, SignalUpdate,
-};
-
-use crate::modal::{CreationInput, CreationModal, DeletionModal, ErrorResponse};
-
-async fn delete_ssh_key(
-    id: String,
-    delete_modal_hidden: RwSignal<bool>,
-    update_counter: RwSignal<i32>,
-) -> Result<(), ErrorResponse> {
-    let resp = Request::delete(&format!("/api/v1/account/ssh_keys/{id}"))
-        .send()
-        .await?;
-    if resp.status() != 204 {
-        let error = resp
-            .json::<ErrorResponse>()
-            .await
-            .unwrap_or_else(|_| ErrorResponse {
-                error: "Internal Server Error".to_string(),
-            });
-        return Err(error);
-    }
-    delete_modal_hidden.set(true);
-    update_counter.update(|c| *c += 1);
-    Ok(())
-}
-
-#[component]
-pub fn SshKeyItem(key: SshKey, update_counter: RwSignal<i32>) -> impl IntoView {
-    let id = key.id;
-    let name = key.name.clone();
-    let delete_modal_hidden = create_rw_signal(true);
-    let delete_action =
-        create_action(move |_| delete_ssh_key(id.to_string(), delete_modal_hidden, update_counter));
-
-    view! {
-        <div class="flex flex-row items-center border rounded-xl px-4 py-2">
-            <span class="w-1/6">{key.name}</span>
-            <span class="w-3/6 truncate p-2">{key.key}</span>
-            <span class="w-1/6 truncate p-2">{key.created_at.to_rfc2822()}</span>
-            <div class="w-1/6 flex justify-end items-center">
-                <button class="px-4 py-2 text-sm text-white rounded-lg bg-red-700 hover:bg-red-800 focus:ring-4 focus:ring-red-300 focus:outline-none"
-                    on:click=move |_| delete_modal_hidden.set(false)
-                >Delete</button>
-            </div>
-            <DeletionModal resource=name  modal_hidden=delete_modal_hidden delete_action=delete_action />
-        </div>
-    }
-}
-
-async fn all_ssh_keys() -> Result<Vec<SshKey>> {
-    let resp = Request::get("/api/v1/account/ssh_keys").send().await?;
-    let ssh_keys: Vec<SshKey> = resp.json().await?;
-    Ok(ssh_keys)
-}
-
-#[component]
-pub fn SshKeys() -> impl IntoView {
-    let update_counter = create_rw_signal(0);
-    let ssh_keys = create_local_resource(
-        move || update_counter.get(),
-        |_| async move { all_ssh_keys().await.unwrap_or_default() },
-    );
-
-    view! {
-        <section class="w-full h-full flex flex-col">
-            <div class="border-b pb-4">
-                <div class="flex items-end justify-between">
-                    <div class="min-w-0 mr-4">
-                        <h5 class="mr-3 text-2xl font-semibold">
-                            SSH Keys
-                        </h5>
-                        <p class="text-gray-700">{"Manage your SSH keys. Add your SSH public keys to your account will enable you to SSH into all your workspaces."}</p>
-                    </div>
-                    <NewSshKey update_counter />
-                </div>
-            </div>
-            <div class="relative w-full basis-0 grow">
-                <div class="absolute w-full h-full flex flex-col py-4 space-y-4 overflow-y-auto">
-                    <For
-                        each=move || ssh_keys.get().unwrap_or_default()
-                        key=|key|  key.id
-                        children=move |key| {
-                            view! {
-                                <SshKeyItem key update_counter />
-                            }
-                        }
-                    />
-                </div>
-            </div>
-        </section>
-    }
-}
-
-async fn create_ssh_key(
-    name: RwSignal<String>,
-    key: RwSignal<String>,
-    modal_hidden: RwSignal<bool>,
-    update_counter: RwSignal<i32>,
-) -> Result<(), ErrorResponse> {
-    let resp = Request::post("/api/v1/account/ssh_keys")
-        .json(&NewSshKey {
-            name: name.get_untracked(),
-            key: key.get_untracked(),
-        })?
-        .send()
-        .await?;
-    if resp.status() != 200 {
-        let error = resp
-            .json::<ErrorResponse>()
-            .await
-            .unwrap_or_else(|_| ErrorResponse {
-                error: "Internal Server Error".to_string(),
-            });
-        return Err(error);
-    }
-
-    modal_hidden.set(true);
-    update_counter.update(|c| *c += 1);
-    name.set(String::new());
-    key.set(String::new());
-
-    Ok(())
-}
-
-#[component]
-pub fn NewSshKey(update_counter: RwSignal<i32>) -> impl IntoView {
-    let name = create_rw_signal(String::new());
-    let key = create_rw_signal(String::new());
-
-    let modal_hidden = create_rw_signal(true);
-    let action = create_action(move |_| create_ssh_key(name, key, modal_hidden, update_counter));
-
-    let body = view! {
-        <CreationInput label="Name".to_string() value=name placeholder="".to_string() />
-        <div>
-            <label class="block mb-2 text-sm font-medium text-gray-900">SSH Public Key</label>
-            <textarea
-                rows=4
-                prop:value={move || key.get()}
-                on:input=move |ev| { key.set(event_target_value(&ev)); }
-                class="bg-gray-50 border border-gray-300 text-gray-900 text-sm rounded-lg focus:ring-blue-500 focus:border-blue-500 block w-full p-2.5"
-            />
-        </div>
-    };
-
-    view! {
-        <button
-            type="button"
-            class="flex items-center justify-center whitespace-nowrap px-4 py-2 text-sm font-medium text-white rounded-lg bg-blue-700 hover:bg-blue-800 focus:ring-4 focus:ring-blue-300 focus:outline-none"
-            on:click=move |_| modal_hidden.set(false)
-        >
-            New SSH Key
-        </button>
-        <CreationModal title="New SSH Key".to_string() modal_hidden action body update_text=Some("Create".to_string()) updating_text=Some("Creating".to_string()) width_class=None create_button_hidden=Box::new(|| false) />
-    }
-}
diff --git a/lapdev-dashboard/src/workspace.rs b/lapdev-dashboard/src/workspace.rs
deleted file mode 100644
index 9684a2d..0000000
--- a/lapdev-dashboard/src/workspace.rs
+++ /dev/null
@@ -1,1820 +0,0 @@
-use std::{collections::HashMap, time::Duration};
-
-use anyhow::{anyhow, Result};
-use futures::{SinkExt, StreamExt};
-use gloo_net::{
-    http::Request,
-    websocket::{futures::WebSocket, Message},
-};
-use lapdev_common::{
-    console::Organization, utils, ClusterInfo, GitBranch, NewWorkspace, NewWorkspaceResponse,
-    PrebuildStatus, ProjectInfo, ProjectPrebuild, RepoSource, RepobuildError, UpdateWorkspacePort,
-    WorkspaceInfo, WorkspacePort, WorkspaceService, WorkspaceStatus, WorkspaceUpdateEvent,
-};
-use leptos::{
-    component, create_action, create_effect, create_local_resource, create_rw_signal, document,
-    event_target_checked, event_target_value, expect_context, on_cleanup, set_timeout, spawn_local,
-    spawn_local_with_current_owner, use_context, view, window, For, IntoView, RwSignal, Show,
-    Signal, SignalGet, SignalGetUntracked, SignalSet, SignalUpdate, SignalWith,
-    SignalWithUntracked,
-};
-use leptos_router::{use_location, use_navigate, use_params_map};
-use uuid::Uuid;
-use wasm_bindgen::{JsCast, UnwrapThrowExt};
-use web_sys::FocusEvent;
-
-use crate::{
-    modal::{CreationModal, DatetimeModal, DeletionModal, ErrorResponse},
-    project::MachineTypeView,
-};
-
-#[derive(Clone)]
-enum BuildMessage {
-    Stdout(String),
-    Stderr(String),
-}
-
-impl BuildMessage {
-    fn msg(&self) -> &str {
-        match self {
-            BuildMessage::Stdout(s) => s,
-            BuildMessage::Stderr(s) => s,
-        }
-    }
-
-    fn is_error(&self) -> bool {
-        matches!(self, BuildMessage::Stderr(_))
-    }
-}
-
-async fn all_workspaces() -> Result<Vec<WorkspaceInfo>> {
-    let org =
-        use_context::<Signal<Option<Organization>>>().ok_or_else(|| anyhow!("can't get org"))?;
-    let org = org
-        .get_untracked()
-        .ok_or_else(|| anyhow!("can't get org"))?;
-    let resp = Request::get(&format!("/api/v1/organizations/{}/workspaces", org.id))
-        .send()
-        .await?;
-    let workspaces: Vec<WorkspaceInfo> = resp.json().await?;
-    Ok(workspaces)
-}
-
-async fn get_workspace(name: &str) -> Result<WorkspaceInfo> {
-    let org =
-        use_context::<Signal<Option<Organization>>>().ok_or_else(|| anyhow!("can't get org"))?;
-    let org = org
-        .get_untracked()
-        .ok_or_else(|| anyhow!("can't get org"))?;
-    let resp = Request::get(&format!(
-        "/api/v1/organizations/{}/workspaces/{name}",
-        org.id
-    ))
-    .send()
-    .await?;
-    let workspace: WorkspaceInfo = resp.json().await?;
-    Ok(workspace)
-}
-
-async fn delete_workspace(
-    name: String,
-    delete_modal_hidden: RwSignal<bool>,
-    update_counter: Option<RwSignal<i32>>,
-) -> Result<(), ErrorResponse> {
-    let org =
-        use_context::<Signal<Option<Organization>>>().ok_or_else(|| anyhow!("can't get org"))?;
-    let org = org
-        .get_untracked()
-        .ok_or_else(|| anyhow!("can't get org"))?;
-    let resp = Request::delete(&format!(
-        "/api/v1/organizations/{}/workspaces/{name}",
-        org.id
-    ))
-    .send()
-    .await?;
-    if resp.status() != 204 {
-        let error = resp
-            .json::<ErrorResponse>()
-            .await
-            .unwrap_or_else(|_| ErrorResponse {
-                error: "Internal Server Error".to_string(),
-            });
-        return Err(error);
-    }
-
-    delete_modal_hidden.set(true);
-    if let Some(update_counter) = update_counter {
-        update_counter.update(|c| *c += 1);
-    } else {
-        use_navigate()("/workspaces", Default::default());
-    }
-
-    Ok(())
-}
-
-async fn rebuild_workspace(
-    name: String,
-    rebuild_modal_hidden: RwSignal<bool>,
-) -> Result<(), ErrorResponse> {
-    let org =
-        use_context::<Signal<Option<Organization>>>().ok_or_else(|| anyhow!("can't get org"))?;
-    let org = org
-        .get_untracked()
-        .ok_or_else(|| anyhow!("can't get org"))?;
-    let resp = Request::post(&format!(
-        "/api/v1/organizations/{}/workspaces/{name}/rebuild",
-        org.id
-    ))
-    .send()
-    .await?;
-    if resp.status() != 204 {
-        let error = resp
-            .json::<ErrorResponse>()
-            .await
-            .unwrap_or_else(|_| ErrorResponse {
-                error: "Internal Server Error".to_string(),
-            });
-        return Err(error);
-    }
-
-    rebuild_modal_hidden.set(true);
-
-    Ok(())
-}
-
-async fn stop_workspace(name: String) -> Result<(), ErrorResponse> {
-    let org =
-        use_context::<Signal<Option<Organization>>>().ok_or_else(|| anyhow!("can't get org"))?;
-    let org = org
-        .get_untracked()
-        .ok_or_else(|| anyhow!("can't get org"))?;
-    let resp = Request::post(&format!(
-        "/api/v1/organizations/{}/workspaces/{name}/stop",
-        org.id
-    ))
-    .send()
-    .await?;
-    if resp.status() != 204 {
-        let error = resp
-            .json::<ErrorResponse>()
-            .await
-            .unwrap_or_else(|_| ErrorResponse {
-                error: "Internal Server Error".to_string(),
-            });
-        return Err(error);
-    }
-    Ok(())
-}
-
-async fn start_workspace(name: String) -> Result<(), ErrorResponse> {
-    let org =
-        use_context::<Signal<Option<Organization>>>().ok_or_else(|| anyhow!("can't get org"))?;
-    let org = org
-        .get_untracked()
-        .ok_or_else(|| anyhow!("can't get org"))?;
-    let resp = Request::post(&format!(
-        "/api/v1/organizations/{}/workspaces/{name}/start",
-        org.id
-    ))
-    .send()
-    .await?;
-    if resp.status() != 204 {
-        let error = resp
-            .json::<ErrorResponse>()
-            .await
-            .unwrap_or_else(|_| ErrorResponse {
-                error: "Internal Server Error".to_string(),
-            });
-        return Err(error);
-    }
-    Ok(())
-}
-
-async fn pin_workspace(name: String) -> Result<(), ErrorResponse> {
-    let org =
-        use_context::<Signal<Option<Organization>>>().ok_or_else(|| anyhow!("can't get org"))?;
-    let org = org
-        .get_untracked()
-        .ok_or_else(|| anyhow!("can't get org"))?;
-    let resp = Request::post(&format!(
-        "/api/v1/organizations/{}/workspaces/{name}/pin",
-        org.id
-    ))
-    .send()
-    .await?;
-    if resp.status() != 204 {
-        let error = resp
-            .json::<ErrorResponse>()
-            .await
-            .unwrap_or_else(|_| ErrorResponse {
-                error: "Internal Server Error".to_string(),
-            });
-        return Err(error);
-    }
-    Ok(())
-}
-
-async fn unpin_workspace(name: String) -> Result<(), ErrorResponse> {
-    let org =
-        use_context::<Signal<Option<Organization>>>().ok_or_else(|| anyhow!("can't get org"))?;
-    let org = org
-        .get_untracked()
-        .ok_or_else(|| anyhow!("can't get org"))?;
-    let resp = Request::post(&format!(
-        "/api/v1/organizations/{}/workspaces/{name}/unpin",
-        org.id
-    ))
-    .send()
-    .await?;
-    if resp.status() != 204 {
-        let error = resp
-            .json::<ErrorResponse>()
-            .await
-            .unwrap_or_else(|_| ErrorResponse {
-                error: "Internal Server Error".to_string(),
-            });
-        return Err(error);
-    }
-    Ok(())
-}
-
-#[component]
-fn OpenWorkspaceView(
-    workspace_name: String,
-    workspace_status: WorkspaceStatus,
-    workspace_folder: String,
-    workspace_hostname: String,
-    align_right: bool,
-) -> impl IntoView {
-    let dropdown_hidden = create_rw_signal(true);
-    let toggle_dropdown = move |_| {
-        if dropdown_hidden.get_untracked() {
-            dropdown_hidden.set(false);
-        } else {
-            dropdown_hidden.set(true);
-        }
-    };
-
-    let on_focusout = move |e: FocusEvent| {
-        let node = e
-            .current_target()
-            .unwrap_throw()
-            .unchecked_into::<web_sys::HtmlElement>();
-
-        set_timeout(
-            move || {
-                let has_focus = if let Some(active) = document().active_element() {
-                    let active: web_sys::Node = active.into();
-                    node.contains(Some(&active))
-                } else {
-                    false
-                };
-                if !has_focus && !dropdown_hidden.get_untracked() {
-                    dropdown_hidden.set(true);
-                }
-            },
-            Duration::from_secs(0),
-        );
-    };
-
-    let open_button_class = if workspace_status == WorkspaceStatus::Running {
-        "bg-green-700 hover:bg-green-800"
-    } else {
-        "bg-green-200"
-    };
-    let open_button_class = format!("{open_button_class} py-2 text-sm font-medium text-white focus:ring-4 focus:ring-green-300 focus:outline-none");
-
-    let workspace_hostname = workspace_hostname.clone();
-    let cluster_info = expect_context::<Signal<Option<ClusterInfo>>>();
-    let port =
-        cluster_info.with_untracked(|i| i.as_ref().map(|i| i.ssh_proxy_port).unwrap_or(2222));
-    view! {
-        <div
-            class="pr-6 relative"
-            on:focusout=on_focusout
-        >
-            <a
-                class={format!("{open_button_class} px-4 rounded-l-lg inline-block")}
-                disabled=move || workspace_status != WorkspaceStatus::Running
-                target="_blank"
-                href={format!("https://{workspace_name}.{workspace_hostname}/")}
-            >
-            Open
-            </a>
-            <button
-                class={format!("{open_button_class} h-full absolute right-0 px-2 rounded-r-lg border-l-1")}
-                disabled=move || workspace_status != WorkspaceStatus::Running
-                on:click=toggle_dropdown
-            >
-                <svg class="w-2.5 h-2.5" xmlns="http://www.w3.org/2000/svg" fill="none" viewBox="0 0 10 6">
-                    <path stroke="currentColor" stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="m1 1 4 4 4-4"/>
-                </svg>
-            </button>
-            <div
-                class="absolute pt-2 z-10 divide-y divide-gray-100"
-                class:hidden=move || dropdown_hidden.get()
-                class=("right-0", move || align_right)
-            >
-                <ul class="py-2 text-sm text-gray-700 bg-white rounded-lg border shadow w-64">
-                    <li>
-                        <a
-                            href={
-                                format!(
-                                        "vscode://vscode-remote/ssh-remote+{workspace_name}@{}{}/workspaces/{workspace_folder}",
-                                        workspace_hostname.split(':').next().unwrap_or(""),
-                                        if port == 22 {
-                                            "".to_string()
-                                        } else {
-                                            format!(":{port}")
-                                        }
-                                    )
-                            }
-                            class="block px-4 py-2 hover:bg-gray-100"
-                            target="_blank"
-                        >
-                            Open in VSCode Desktop
-                        </a>
-                    </li>
-                </ul>
-            </div>
-        </div>
-    }
-}
-
-#[component]
-fn WorkspaceControl(
-    workspace_name: String,
-    workspace_status: WorkspaceStatus,
-    workspace_folder: String,
-    workspace_hostname: String,
-    workspace_pinned: bool,
-    rebuild_modal_hidden: RwSignal<bool>,
-    delete_modal_hidden: RwSignal<bool>,
-    error: RwSignal<Option<String>>,
-    align_right: bool,
-) -> impl IntoView {
-    let dropdown_hidden = create_rw_signal(true);
-    let toggle_dropdown = move |_| {
-        if dropdown_hidden.get_untracked() {
-            dropdown_hidden.set(false);
-        } else {
-            dropdown_hidden.set(true);
-        }
-    };
-
-    let on_focusout = move |e: FocusEvent| {
-        let node = e
-            .current_target()
-            .unwrap_throw()
-            .unchecked_into::<web_sys::HtmlElement>();
-
-        set_timeout(
-            move || {
-                let has_focus = if let Some(active) = document().active_element() {
-                    let active: web_sys::Node = active.into();
-                    node.contains(Some(&active))
-                } else {
-                    false
-                };
-                if !has_focus && !dropdown_hidden.get_untracked() {
-                    dropdown_hidden.set(true);
-                }
-            },
-            Duration::from_secs(0),
-        );
-    };
-
-    let delete_workspace = {
-        move |_| {
-            dropdown_hidden.set(true);
-            delete_modal_hidden.set(false);
-        }
-    };
-
-    let rebuild_workspace = {
-        move |_| {
-            dropdown_hidden.set(true);
-            rebuild_modal_hidden.set(false);
-        }
-    };
-
-    let stop_action = {
-        let workspace_name = workspace_name.clone();
-        create_action(move |_| {
-            let workspace_name = workspace_name.clone();
-            async move {
-                if let Err(e) = stop_workspace(workspace_name.clone()).await {
-                    error.set(Some(e.error));
-                }
-            }
-        })
-    };
-    let stop_workspace = move |_| {
-        dropdown_hidden.set(true);
-        error.set(None);
-        stop_action.dispatch(());
-    };
-
-    let start_action = {
-        let workspace_name = workspace_name.clone();
-        create_action(move |_| {
-            let workspace_name = workspace_name.clone();
-            async move {
-                if let Err(e) = start_workspace(workspace_name.clone()).await {
-                    error.set(Some(e.error));
-                }
-            }
-        })
-    };
-    let start_workspace = move |_| {
-        dropdown_hidden.set(true);
-        error.set(None);
-        start_action.dispatch(());
-    };
-
-    let pin_action = {
-        let workspace_name = workspace_name.clone();
-        create_action(move |_| {
-            let workspace_name = workspace_name.clone();
-            async move {
-                if let Err(e) = pin_workspace(workspace_name.clone()).await {
-                    error.set(Some(e.error));
-                }
-            }
-        })
-    };
-    let pin_workspace = move |_| {
-        dropdown_hidden.set(true);
-        error.set(None);
-        pin_action.dispatch(());
-    };
-
-    let unpin_action = {
-        let workspace_name = workspace_name.clone();
-        create_action(move |_| {
-            let workspace_name = workspace_name.clone();
-            async move {
-                if let Err(e) = unpin_workspace(workspace_name.clone()).await {
-                    error.set(Some(e.error));
-                }
-            }
-        })
-    };
-    let unpin_workspace = move |_| {
-        dropdown_hidden.set(true);
-        error.set(None);
-        unpin_action.dispatch(());
-    };
-
-    view! {
-        <div class="flex flex-row items-center">
-            <OpenWorkspaceView workspace_name workspace_status workspace_folder workspace_hostname align_right />
-            <div
-                class="ml-2 relative"
-                on:focusout=on_focusout
-            >
-                <button
-                    class="hover:bg-gray-100 focus:outline-none font-medium rounded-lg text-sm px-2.5 py-2.5 text-center inline-flex items-center"
-                    type="button"
-                    on:click=toggle_dropdown
-                >
-                    <svg class="w-4 h-4 text-white" viewBox="0 0 16 16" xmlns="http://www.w3.org/2000/svg">
-                        <path d="M9.5 13a1.5 1.5 0 1 1-3 0 1.5 1.5 0 0 1 3 0zm0-5a1.5 1.5 0 1 1-3 0 1.5 1.5 0 0 1 3 0zm0-5a1.5 1.5 0 1 1-3 0 1.5 1.5 0 0 1 3 0z"/>
-                    </svg>
-                </button>
-                <div
-                    class="absolute pt-2 z-10 divide-y divide-gray-100"
-                    class:hidden=move || dropdown_hidden.get()
-                    class=("right-0", move || align_right)
-                >
-                    <ul class="py-2 text-sm text-gray-700 bg-white rounded-lg border shadow w-44">
-                    <li>
-                        <a
-                            href="#"
-                            class="block px-4 py-2 hover:bg-gray-100"
-                            on:click=stop_workspace
-                            class:hidden=move || workspace_status == WorkspaceStatus::Stopped
-                        >
-                            Stop
-                        </a>
-                    </li>
-                    <li>
-                        <a
-                            href="#"
-                            class="block px-4 py-2 hover:bg-gray-100"
-                            on:click=start_workspace
-                            class:hidden=move || workspace_status != WorkspaceStatus::Stopped
-                        >
-                            Start
-                        </a>
-                    </li>
-                    <li>
-                        <a
-                            href="#"
-                            class="block px-4 py-2 hover:bg-gray-100"
-                            on:click=pin_workspace
-                            class:hidden=move || workspace_pinned
-                        >
-                            Pin
-                        </a>
-                    </li>
-                    <li>
-                        <a
-                            href="#"
-                            class="block px-4 py-2 hover:bg-gray-100"
-                            on:click=unpin_workspace
-                            class:hidden=move || !workspace_pinned
-                        >
-                            Unpin
-                        </a>
-                    </li>
-                    <li>
-                        <a
-                            href="#"
-                            class="block px-4 py-2 hover:bg-gray-100"
-                            on:click=rebuild_workspace
-                        >
-                            Rebuild
-                        </a>
-                    </li>
-                    <li>
-                        <a
-                            href="#"
-                            class="block px-4 py-2 hover:bg-gray-100 text-red-700"
-                            on:click=delete_workspace
-                        >
-                            Delete
-                        </a>
-                    </li>
-                    </ul>
-                </div>
-            </div>
-        </div>
-    }
-}
-
-fn workspace_status_class(status: &WorkspaceStatus) -> &str {
-    match status {
-        WorkspaceStatus::Running => "bg-green-100 text-green-800",
-        WorkspaceStatus::Failed
-        | WorkspaceStatus::Deleting
-        | WorkspaceStatus::DeleteFailed
-        | WorkspaceStatus::StopFailed => "bg-red-100 text-red-800",
-        WorkspaceStatus::New
-        | WorkspaceStatus::Building
-        | WorkspaceStatus::PrebuildBuilding
-        | WorkspaceStatus::PrebuildCopying
-        | WorkspaceStatus::Stopping
-        | WorkspaceStatus::Starting => "bg-yellow-100 text-yellow-800",
-        WorkspaceStatus::Stopped | WorkspaceStatus::Deleted => "bg-gray-100 text-gray-800",
-    }
-}
-
-#[component]
-fn WorkspaceRebuildModal(
-    workspace_name: String,
-    rebuild_modal_hidden: RwSignal<bool>,
-) -> impl IntoView {
-    let rebuild_action = {
-        let workspace_name = workspace_name.clone();
-        create_action(move |_| rebuild_workspace(workspace_name.clone(), rebuild_modal_hidden))
-    };
-
-    let body = view! {
-        <p>Rebuild your workspace image.</p>
-        <p>It will pick up your devcontainer config changes.</p>
-        <p>
-            All files in
-            <span class="text-semibold mx-1 px-1 text-gray-800 bg-gray-200 rounded">/workspaces</span>
-            folder will persist.
-        </p>
-    };
-
-    view! {
-        <CreationModal
-            title="Rebuild Workspace Image".to_string()
-            modal_hidden=rebuild_modal_hidden
-            action=rebuild_action
-            body
-            update_text=Some("Rebuild".to_string())
-            updating_text=None
-            create_button_hidden=Box::new(|| false)
-            width_class=None
-        />
-    }
-}
-
-#[component]
-pub fn WorkspaceItem(
-    workspace: WorkspaceInfo,
-    error: RwSignal<Option<String>>,
-    update_counter: RwSignal<i32>,
-) -> impl IntoView {
-    let rebuild_modal_hidden = create_rw_signal(true);
-    let delete_modal_hidden = create_rw_signal(true);
-    let workspace_name = workspace.name.clone();
-    let workspace_folder = workspace.repo_name.clone();
-    let workspace_hostname = workspace.hostname.clone();
-    let workspace_hostname = if workspace_hostname.is_empty() {
-        window().window().location().hostname().unwrap_or_default()
-    } else {
-        workspace_hostname
-    };
-    let delete_action = {
-        let workspace_name = workspace_name.clone();
-        create_action(move |_| {
-            delete_workspace(
-                workspace_name.clone(),
-                delete_modal_hidden,
-                Some(update_counter),
-            )
-        })
-    };
-    let status_class = workspace_status_class(&workspace.status);
-    let status_class = format!("{status_class} text-sm font-medium me-2 px-2.5 py-0.5 rounded");
-    view! {
-        <div class="w-full mb-8 bg-white rounded-lg border border-gray-200 shadow-lg">
-            <div class="flex flex-col items-center w-full lg:flex-row">
-                <div class="lg:w-1/3 flex flex-row">
-                    <a href={ workspace.repo_url.clone() } target="_blank">
-                        <img
-                            src={ repo_img(&workspace.repo_url) }
-                            class="object-contain lg:object-left h-40 rounded-lg justify-self-start"
-                        />
-                    </a>
-                </div>
-                <div class="lg:w-1/3 flex flex-col justify-center">
-                    <div class="flex flex-col p-4">
-                        <a href={ format!("/workspaces/{}", workspace.name) }>
-                            <span class="font-semibold" href={ format!("/workspaces/{}", workspace.name) }>{ move || workspace.name.clone() }</span>
-                            <span href={ workspace.repo_url.clone() } target="_blank" class="flex flex-row items-center text-sm text-gray-700 mt-2">
-                                <svg class="w-4 h-4 mr-1" aria-hidden="true" xmlns="http://www.w3.org/2000/svg" fill="none" viewBox="0 0 24 24">
-                                    <path stroke="currentColor" stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M13.2 9.8a3.4 3.4 0 0 0-4.8 0L5 13.2A3.4 3.4 0 0 0 9.8 18l.3-.3m-.3-4.5a3.4 3.4 0 0 0 4.8 0L18 9.8A3.4 3.4 0 0 0 13.2 5l-1 1"/>
-                                </svg>
-                                <p>{ move || workspace.repo_url.clone() }</p>
-                            </span>
-                            <span class="flex flex-row truncate items-center text-sm text-gray-700 mt-2">
-                                <svg class="w-3 h-3 mr-2" aria-hidden="true" xmlns="http://www.w3.org/2000/svg" fill="none" viewBox="0 0 14 20">
-                                    <path stroke="currentColor" stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M3 5v10M3 5a2 2 0 1 0 0-4 2 2 0 0 0 0 4Zm0 10a2 2 0 1 0 0 4 2 2 0 0 0 0-4Zm6-3.976-2-.01A4.015 4.015 0 0 1 3 7m10 4a2 2 0 1 1-4 0 2 2 0 0 1 4 0Z"/>
-                                </svg>
-                                <span class="mr-2">{workspace.branch}</span>
-                                <span>{workspace.commit[..7].to_string()}</span>
-                            </span>
-                            <span class="mt-2 text-sm text-gray-800 inline-flex items-center rounded me-2 text-gray-700">
-                                <svg class="w-2.5 h-2.5 mr-2.5" aria-hidden="true" xmlns="http://www.w3.org/2000/svg" fill="currentColor" viewBox="0 0 20 20">
-                                <path d="M10 0a10 10 0 1 0 10 10A10.011 10.011 0 0 0 10 0Zm3.982 13.982a1 1 0 0 1-1.414 0l-3.274-3.274A1.012 1.012 0 0 1 9 10V6a1 1 0 0 1 2 0v3.586l2.982 2.982a1 1 0 0 1 0 1.414Z"/>
-                                </svg>
-                                <span class="mr-1">Created</span> <DatetimeModal time=workspace.created_at />
-                            </span>
-                        </a>
-                    </div>
-                </div>
-                <div class="lg:w-1/3 flex flex-col xl:flex-row items-center justify-between">
-                    <div class="flex flex-row items-center">
-                        <span
-                            class=status_class
-                        >{ move || workspace.status.to_string() }</span>
-                    </div>
-                    <div class="flex flex-row items-center p-4 justify-center">
-                        <div class="w-4 h-4 mr-6">
-                            <svg
-                                class:hidden = move || !workspace.pinned
-                                class="w-4 h-4" xmlns="http://www.w3.org/2000/svg" width="24px" height="24px" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"><line x1="12" x2="12" y1="17" y2="22"></line><path d="M5 17h14v-1.76a2 2 0 0 0-1.11-1.79l-1.78-.9A2 2 0 0 1 15 10.76V6h1a2 2 0 0 0 0-4H8a2 2 0 0 0 0 4h1v4.76a2 2 0 0 1-1.11 1.79l-1.78.9A2 2 0 0 0 5 15.24Z"
-                            ></path></svg>
-                        </div>
-                        <WorkspaceControl
-                            workspace_name={workspace_name.clone()}
-                            workspace_status={workspace.status}
-                            workspace_folder=workspace_folder.clone()
-                            workspace_hostname=workspace_hostname.clone()
-                            workspace_pinned=workspace.pinned
-                            align_right=true
-                            delete_modal_hidden rebuild_modal_hidden error
-                        />
-                    </div>
-                </div>
-            </div>
-            <For
-                each=move || workspace.services.clone()
-                key=move |s| s.clone()
-                children={
-                    let workspace_folder = workspace_folder.clone();
-                    let workspace_hostname = workspace_hostname.clone();
-                    move |ws_service| {
-                        view! {
-                            <div class="flex flex-col border-t items-center shadow-sm lg:flex-row w-full">
-                                <div class="hidden w-1/3 lg:flex flex-row">
-                                </div>
-                                <div class="w-full lg:w-1/3 flex flex-col items-center lg:items-start">
-                                    <div class="flex flex-col p-4">
-                                        <span class="font-semibold">{ws_service.name.clone()}</span>
-                                        <div class="flex flex-row items-center text-sm text-gray-700 mt-2">
-                                            <svg class="w-4 h-4 mr-1" xmlns="http://www.w3.org/2000/svg" fill="currentColor" viewBox="0 0 16 16">
-                                                <path fill-rule="evenodd" d="M6 3.5A1.5 1.5 0 0 1 7.5 2h1A1.5 1.5 0 0 1 10 3.5v1A1.5 1.5 0 0 1 8.5 6v1H11a.5.5 0 0 1 .5.5v1a.5.5 0 0 1-1 0V8h-5v.5a.5.5 0 0 1-1 0v-1A.5.5 0 0 1 5 7h2.5V6A1.5 1.5 0 0 1 6 4.5zM8.5 5a.5.5 0 0 0 .5-.5v-1a.5.5 0 0 0-.5-.5h-1a.5.5 0 0 0-.5.5v1a.5.5 0 0 0 .5.5zM3 11.5A1.5 1.5 0 0 1 4.5 10h1A1.5 1.5 0 0 1 7 11.5v1A1.5 1.5 0 0 1 5.5 14h-1A1.5 1.5 0 0 1 3 12.5zm1.5-.5a.5.5 0 0 0-.5.5v1a.5.5 0 0 0 .5.5h1a.5.5 0 0 0 .5-.5v-1a.5.5 0 0 0-.5-.5zm4.5.5a1.5 1.5 0 0 1 1.5-1.5h1a1.5 1.5 0 0 1 1.5 1.5v1a1.5 1.5 0 0 1-1.5 1.5h-1A1.5 1.5 0 0 1 9 12.5zm1.5-.5a.5.5 0 0 0-.5.5v1a.5.5 0 0 0 .5.5h1a.5.5 0 0 0 .5-.5v-1a.5.5 0 0 0-.5-.5z"/>
-                                            </svg>
-                                            <p>{ws_service.service.clone()}</p>
-                                        </div>
-                                    </div>
-                                </div>
-                                <div class="w-full lg:w-1/3 flex flex-row items-center p-4 justify-center xl:justify-end">
-                                    <div class="mx-11">
-                                        <OpenWorkspaceView workspace_name=ws_service.name.clone() workspace_status={workspace.status} workspace_folder=workspace_folder.clone() workspace_hostname=workspace_hostname.clone() align_right=true />
-                                    </div>
-                                </div>
-                            </div>
-                        }
-                    }
-                }
-            />
-        </div>
-        <DeletionModal resource=workspace_name.clone() modal_hidden=delete_modal_hidden delete_action />
-        <WorkspaceRebuildModal
-            workspace_name=workspace_name.clone()
-            rebuild_modal_hidden
-        />
-    }
-}
-
-async fn watch_all_workspace_status(
-    status_update: RwSignal<(String, WorkspaceStatus)>,
-) -> Result<()> {
-    let location = window().location();
-    let protocol = if location.protocol().map(|p| p == "http:").unwrap_or(false) {
-        "ws"
-    } else {
-        "wss"
-    };
-    let host = location.host().unwrap();
-    let websocket = WebSocket::open(&format!("{protocol}://{host}/all_workspaces_ws"))?;
-
-    let (mut tx, mut rx) = websocket.split();
-    on_cleanup(move || {
-        spawn_local(async move {
-            let _ = tx.close().await;
-        });
-    });
-
-    while let Some(Ok(msg)) = rx.next().await {
-        if let Message::Text(s) = msg {
-            if let Ok((ws_name, status)) = serde_json::from_str::<(String, WorkspaceStatus)>(&s) {
-                status_update.set((ws_name, status));
-            }
-        }
-    }
-
-    Ok(())
-}
-
-#[component]
-pub fn Workspaces() -> impl IntoView {
-    let error = create_rw_signal(None);
-    let status_update = create_rw_signal(("".to_string(), WorkspaceStatus::New));
-
-    let _ = spawn_local_with_current_owner(async move {
-        let _ = watch_all_workspace_status(status_update).await;
-    });
-
-    let new_workspace_modal_hidden = create_rw_signal(true);
-
-    let delete_counter = create_rw_signal(0);
-    create_effect(move |_| {
-        status_update.track();
-        delete_counter.update(|c| {
-            *c += 1;
-        });
-    });
-
-    let workspaces_resource = create_local_resource(
-        move || delete_counter.get(),
-        |_| async move { all_workspaces().await.unwrap_or_default() },
-    );
-
-    let workspace_filter = create_rw_signal(String::new());
-
-    let workspaces = Signal::derive(move || {
-        let mut workspaces = workspaces_resource.get().unwrap_or_default();
-        let workspace_filter = workspace_filter.get();
-        workspaces.retain(|w| w.name.contains(&workspace_filter));
-        workspaces
-    });
-
-    let new_workspace = move |_| {
-        new_workspace_modal_hidden.set(false);
-    };
-
-    {
-        let hash = use_location().hash.get_untracked();
-        if let Some(url) = hash.strip_prefix("#") {
-            let url = utils::format_repo_url(url);
-            let action_dispatched = create_rw_signal(false);
-            let current_org = expect_context::<Signal<Option<Organization>>>();
-            let cluster_info = expect_context::<Signal<Option<ClusterInfo>>>();
-            let action = create_action(move |url: &String| {
-                create_workspace(RepoSource::Url(url.clone()), None, None, true)
-            });
-            create_effect(move |_| {
-                let org = current_org.get();
-                if org.is_none() {
-                    return;
-                }
-                let cluster_info = cluster_info.get();
-                if cluster_info.is_none() {
-                    return;
-                }
-                if !action_dispatched.get_untracked() {
-                    action.dispatch(url.clone());
-                    action_dispatched.set(true);
-                }
-            });
-            create_effect(move |_| {
-                action.value().with(|result| {
-                    if let Some(result) = result {
-                        match result {
-                            Ok(_) => {}
-                            Err(e) => {
-                                error.set(Some(e.error.clone()));
-                            }
-                        }
-                    }
-                })
-            });
-        }
-    }
-
-    view! {
-        <section class="w-full h-full flex items-center flex-col">
-            <div class="mx-auto w-full">
-                <div class="flex-row items-center justify-between space-y-3 sm:flex sm:space-y-0 sm:space-x-4">
-                    <div>
-                        <h5 class="mr-3 text-2xl font-semibold">
-                            All Workspaces
-                        </h5>
-                        <p class="text-gray-700">Manage all your existing workspaces or add a new one</p>
-                    </div>
-                </div>
-                <div class="flex flex-row items-center justify-between py-4 space-x-4">
-                    <div class="w-1/2">
-                        <form class="flex items-center">
-                            <label for="simple-search" class="sr-only">Filter Workspaces</label>
-                            <div class="relative w-full">
-                            <div class="absolute inset-y-0 left-0 flex items-center pl-3 pointer-events-none">
-                                <svg aria-hidden="true" class="w-5 h-5 text-gray-500" fill="currentColor" viewbox="0 0 20 20" xmlns="http://www.w3.org/2000/svg">
-                                <path fill-rule="evenodd" d="M8 4a4 4 0 100 8 4 4 0 000-8zM2 8a6 6 0 1110.89 3.476l4.817 4.817a1 1 0 01-1.414 1.414l-4.816-4.816A6 6 0 012 8z" clip-rule="evenodd" />
-                                </svg>
-                            </div>
-                            <input
-                                prop:value={move || workspace_filter.get()}
-                                on:input=move |ev| { workspace_filter.set(event_target_value(&ev)); }
-                                type="text"
-                                class="bg-white block w-full p-2 pl-10 text-sm text-gray-900 border border-gray-300 rounded-lg bg-gray-50 focus:ring-blue-500 focus:border-blue-500"
-                                placeholder="Filter Workspaces"
-                                required=""
-                            />
-                            </div>
-                        </form>
-                    </div>
-                    <button
-                        type="button"
-                        class="flex items-center justify-center px-4 py-2 text-sm font-medium text-white rounded-lg bg-blue-700 hover:bg-blue-800 focus:ring-4 focus:ring-blue-300 focus:outline-none"
-                        on:click=new_workspace
-                    >
-                        New Workspace
-                    </button>
-                </div>
-            </div>
-
-            { move || if let Some(error) = error.get() {
-                view! {
-                    <div class="w-full my-4 p-4 rounded-lg bg-red-50">
-                        <span class="text-sm font-medium text-red-800">{ error }</span>
-                    </div>
-                }.into_view()
-            } else {
-                view!{}.into_view()
-            }}
-
-            <div class="relative w-full basis-0 grow">
-                <div class="absolute w-full h-full flex flex-col py-4 overflow-y-auto">
-                    <For
-                        each=move || workspaces.get()
-                        key=|w|  (w.name.clone(), w.status, w.pinned)
-                        children=move |workspace| {
-                            view! {
-                                <WorkspaceItem workspace=workspace update_counter=delete_counter error />
-                            }
-                        }
-                    />
-                </div>
-            </div>
-
-            <NewWorkspaceModal modal_hidden=new_workspace_modal_hidden project_info=create_rw_signal(None) />
-
-        </section>
-
-    }
-}
-
-pub async fn create_workspace(
-    source: RepoSource,
-    branch: Option<String>,
-    machine_type: Option<Uuid>,
-    from_hash: bool,
-) -> Result<(), ErrorResponse> {
-    let current_org =
-        use_context::<Signal<Option<Organization>>>().ok_or_else(|| anyhow!("can't get org"))?;
-    let org = current_org
-        .get_untracked()
-        .ok_or_else(|| anyhow!("can't get org"))?;
-
-    let machine_type_id = machine_type.unwrap_or_else(|| {
-        let cluster_info = expect_context::<Signal<Option<ClusterInfo>>>();
-        cluster_info
-            .get_untracked()
-            .and_then(|i| i.machine_types.first().map(|m| m.id))
-            .unwrap_or_else(|| Uuid::from_u128(0))
-    });
-    let resp = Request::post(&format!("/api/v1/organizations/{}/workspaces", org.id))
-        .json(&NewWorkspace {
-            source,
-            branch,
-            machine_type_id,
-            from_hash,
-        })?
-        .send()
-        .await?;
-    if resp.status() != 200 {
-        let error = resp
-            .json::<ErrorResponse>()
-            .await
-            .unwrap_or_else(|_| ErrorResponse {
-                error: "Internal Server Error".to_string(),
-            });
-        return Err(error);
-    }
-
-    let resp: NewWorkspaceResponse = resp.json().await?;
-    use_navigate()(&format!("/workspaces/{}", resp.name), Default::default());
-
-    Ok(())
-}
-
-#[derive(Clone)]
-pub struct CreateWorkspaceProjectInfo {
-    pub project: ProjectInfo,
-    pub branch: Option<GitBranch>,
-    pub branches: Vec<GitBranch>,
-    pub prebuilds: HashMap<String, ProjectPrebuild>,
-}
-
-pub fn repo_img(repo_url: &str) -> String {
-    if let Some(sufix) = repo_url.strip_prefix("https://github.com/") {
-        format!("https://opengraph.githubassets.com/a/{sufix}")
-    } else {
-        "".to_string()
-    }
-}
-
-#[component]
-pub fn NewWorkspaceModal(
-    modal_hidden: RwSignal<bool>,
-    project_info: RwSignal<Option<CreateWorkspaceProjectInfo>>,
-) -> impl IntoView {
-    let repo_url = create_rw_signal("".to_string());
-    let current_branch = create_rw_signal(None);
-    let current_machine_type = create_rw_signal(None);
-
-    create_effect(move |_| {
-        let branch = project_info.with(|info| {
-            info.as_ref()
-                .and_then(|info| info.branch.as_ref().or(info.branches.first()))
-                .cloned()
-        });
-        current_branch.set(branch);
-    });
-
-    let preferred_machine_type = Signal::derive(move || {
-        project_info.with(|info| info.as_ref().map(|info| info.project.machine_type))
-    });
-
-    let current_project =
-        Signal::derive(move || project_info.with(|info| info.as_ref().map(|info| info.project.id)));
-
-    let select_on_change = move |ev: web_sys::Event| {
-        let name = event_target_value(&ev);
-        let branch = project_info.with_untracked(|info| {
-            info.as_ref()
-                .and_then(|info| info.branches.iter().find(|b| b.name == name))
-                .cloned()
-        });
-        current_branch.set(branch);
-    };
-
-    let action = create_action(move |_| {
-        let source = if let Some(project) = current_project.get_untracked() {
-            RepoSource::Project(project)
-        } else {
-            RepoSource::Url(repo_url.get_untracked())
-        };
-        create_workspace(
-            source,
-            current_branch.get_untracked().map(|b| b.name),
-            current_machine_type.get_untracked(),
-            false,
-        )
-    });
-
-    let no_project_view = move || {
-        view! {
-            <div>
-                <label class="block mb-2 text-sm font-medium text-gray-900">Your repository url</label>
-                <input
-                    prop:value={move || repo_url.get()}
-                    on:input=move |ev| { repo_url.set(event_target_value(&ev)); }
-                    class="bg-gray-50 border border-gray-300 text-gray-900 text-sm rounded-lg focus:ring-blue-500 focus:border-blue-500 block w-full p-2.5"
-                    placeholder="https://github.com/owner/repo"
-                    required
-                />
-            </div>
-            <MachineTypeView current_machine_type preferred_machine_type />
-        }
-    };
-
-    let create_info_view = view! {
-        <Show
-            when=move || { project_info.with(|i| i.is_some()) }
-            fallback=no_project_view
-        >
-            {
-                if let Some(project_info) = project_info.get() {
-                    let branches = project_info.branches.clone();
-                    view! {
-                        <div>
-                            <label class="block mb-2 text-sm font-medium text-gray-900">
-                                Project Name
-                            </label>
-                            <span class="bg-gray-50 text-gray-900 text-sm rounded-lg block w-full p-2.5">
-                                { project_info.project.name }
-                            </span>
-                        </div>
-                        <div>
-                            <label class="block mb-2 text-sm font-medium text-gray-900">
-                                Project Repository
-                            </label>
-                            <span class="bg-gray-50 text-gray-900 text-sm rounded-lg block w-full p-2.5">
-                                { project_info.project.repo_url }
-                            </span>
-                        </div>
-                        <div>
-                            <label class="block mb-2 text-sm font-medium text-gray-900">
-                                Branch
-                            </label>
-                            <select
-                                class="bg-gray-50 border border-gray-300 text-gray-900 text-sm rounded-lg focus:ring-blue-500 focus:border-blue-500 block w-full p-2.5"
-                                on:change=select_on_change
-                            >
-                                <For
-                                    each=move || branches.clone()
-                                    key=|b| b.name.clone()
-                                    children=move |branch| {
-                                        let branch_name = branch.name.clone();
-                                        view! {
-                                            <option
-                                                selected=move || Some(&branch_name) == current_branch.get().as_ref().map(|b| &b.name)
-                                            >{branch.name}</option>
-                                        }
-                                    }
-                                />
-                            </select>
-                        </div>
-                        <div>
-                            <label class="block mb-2 text-sm font-medium text-gray-900">
-                                Prebuild Status
-                            </label>
-                            <span class="bg-gray-50 text-gray-900 text-sm rounded-lg block w-full p-2.5">
-                                {
-                                    move || if let Some(branch) = current_branch.get() {
-                                        project_info.prebuilds.get(&branch.name).and_then(|prebuild| {
-                                            if prebuild.commit == branch.commit {
-                                                Some(prebuild.status.to_string())
-                                            } else if prebuild.status == PrebuildStatus::Ready {
-                                                Some("Outdated".to_string())
-                                            } else {
-                                                None
-                                            }
-                                        })
-                                    } else {
-                                        None
-                                    }.unwrap_or_else(|| "Not Created".to_string())
-                                }
-                            </span>
-                        </div>
-                        <MachineTypeView current_machine_type preferred_machine_type />
-                    }.into_view()
-                } else {
-                    view! {
-                    }.into_view()
-                }
-            }
-        </Show>
-    };
-
-    view! {
-        <CreationModal title="Create New Workspace".to_string() modal_hidden action body=create_info_view update_text=Some("Create".to_string()) updating_text=Some("Creating".to_string()) width_class=None create_button_hidden=Box::new(|| false) />
-    }
-}
-
-async fn watch_workspace_updates(
-    name: &str,
-    status: RwSignal<WorkspaceStatus>,
-    build_messages: RwSignal<Vec<BuildMessage>>,
-) -> Result<()> {
-    let location = window().location();
-    let host = location.host().map_err(|_| anyhow!("can't get host"))?;
-    let protocol = if location.protocol().map(|p| p == "http:").unwrap_or(false) {
-        "ws"
-    } else {
-        "wss"
-    };
-    let websocket = WebSocket::open(&format!("{protocol}://{host}/ws?name={}", name))?;
-
-    let (mut tx, mut rx) = websocket.split();
-    on_cleanup(move || {
-        println!("watch workspace updates cleanup");
-        spawn_local(async move {
-            let _ = tx.close().await;
-        });
-    });
-
-    while let Some(Ok(msg)) = rx.next().await {
-        if let Message::Text(s) = msg {
-            if let Ok(event) = serde_json::from_str::<WorkspaceUpdateEvent>(&s) {
-                match event {
-                    WorkspaceUpdateEvent::Status(s) => {
-                        status.set(s);
-                        if s == WorkspaceStatus::Deleted {
-                            if let Ok(pathname) = window().location().pathname() {
-                                if pathname.ends_with(name) {
-                                    use_navigate()("/workspaces", Default::default());
-                                }
-                            }
-                        }
-                    }
-                    WorkspaceUpdateEvent::Stdout(line) => {
-                        build_messages.update(|messages| {
-                            messages.push(BuildMessage::Stdout(line));
-                        });
-                        let _ = scroll_build_messages();
-                    }
-                    WorkspaceUpdateEvent::Stderr(line) => {
-                        build_messages.update(|messages| {
-                            messages.push(BuildMessage::Stderr(line));
-                        });
-                        let _ = scroll_build_messages();
-                    }
-                }
-            }
-        }
-    }
-    Ok(())
-}
-
-fn scroll_build_messages() -> Result<()> {
-    let scroll = window()
-        .document()
-        .ok_or_else(|| anyhow!("can't find document"))?
-        .get_element_by_id("build-messages-scroll")
-        .ok_or_else(|| anyhow!("can't find element"))?;
-    scroll.set_scroll_top(scroll.scroll_height());
-    Ok(())
-}
-
-#[component]
-pub fn WorkspaceDetails() -> impl IntoView {
-    let error = create_rw_signal(None);
-    let params = use_params_map();
-    let name = params.with_untracked(|params| params.get("name").cloned().unwrap());
-    let local_name = name.clone();
-    let workspace_name = name.clone();
-    let rebuild_modal_hidden = create_rw_signal(true);
-    let delete_modal_hidden = create_rw_signal(true);
-    let delete_action = {
-        let workspace_name = workspace_name.clone();
-        create_action(move |_| delete_workspace(workspace_name.clone(), delete_modal_hidden, None))
-    };
-    let cluster_info = expect_context::<Signal<Option<ClusterInfo>>>();
-    let machine_types = create_rw_signal(cluster_info.get_untracked().map(|i| i.machine_types));
-
-    let update_counter = create_rw_signal(0);
-    let workspace_info = create_local_resource(
-        move || update_counter.get(),
-        move |_| async move {
-            let name = params.with_untracked(|params| params.get("name").cloned().unwrap());
-            get_workspace(&name).await
-        },
-    );
-
-    let build_messages = create_rw_signal(Vec::new());
-    let status = create_rw_signal(WorkspaceStatus::New);
-    {
-        let name = local_name.clone();
-        let _ = spawn_local_with_current_owner(async move {
-            let _ = watch_workspace_updates(&name, status, build_messages).await;
-        });
-    }
-    create_effect(move |_| {
-        if let Some(info) = workspace_info.with(|info| {
-            info.as_ref()
-                .map(|info| info.as_ref().ok().cloned())
-                .clone()
-                .flatten()
-        }) {
-            if status.get_untracked() != info.status {
-                status.set(info.status);
-            }
-        }
-    });
-    create_effect(move |_| {
-        status.track();
-        update_counter.update(|c| *c += 1);
-    });
-    view! {
-        <section class="w-full flex flex-col">
-            <a href="/workspaces" class="text-sm inline-flex items-center text-gray-700">
-                <svg class="w-2 h-2 mr-2" aria-hidden="true" xmlns="http://www.w3.org/2000/svg" fill="none" viewBox="0 0 14 10">
-                <path stroke="currentColor" stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M13 5H1m0 0 4 4M1 5l4-4"/>
-                </svg>
-                Back to Workspace List
-            </a>
-            <h5 class="text-semibold text-2xl mt-4">
-                { local_name.clone() }
-            </h5>
-            <Show
-                when=move || { workspace_info.with(|info| info.as_ref().map(|info| info.is_ok()).unwrap_or(false)) }
-                fallback=move || view! {}
-            >
-                {
-                    if let Some(info) = workspace_info.with(|info|  info.as_ref().map(|info| info.as_ref().ok().cloned()).clone().flatten()) {
-                        let workspace_hostname = info.hostname.clone();
-                        let workspace_hostname = if workspace_hostname.is_empty() {
-                            window().window().location().hostname().unwrap_or_default()
-                        } else {
-                            workspace_hostname
-                        };
-                        view! {
-                            <div>
-                                { move || {
-                                    let status = status.get();
-                                    let status_class = workspace_status_class(&status);
-                                    let status_class = format!("{status_class} text-sm font-medium me-2 px-2.5 py-0.5 rounded");
-                                    view! {
-                                        <div class="mt-2">
-                                        <span class=status_class>{ move || status.to_string() }
-                                        </span>
-                                        </div>
-                                    }
-                                }
-                                }
-                                <a href={ info.repo_url.clone() } target="_blank" class="inline-flex border rounded-lg mt-8">
-                                    <img src={ repo_img(&info.repo_url) } class="object-contain object-left h-40" />
-                                </a>
-                                <span class="flex flex-row items-center text-sm mt-4">
-                                    <a href={ info.repo_url.clone() } target="_blank" class="inline-flex items-center">
-                                        <svg class="w-4 h-4 mr-1" aria-hidden="true" xmlns="http://www.w3.org/2000/svg" fill="none" viewBox="0 0 24 24">
-                                            <path stroke="currentColor" stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M13.2 9.8a3.4 3.4 0 0 0-4.8 0L5 13.2A3.4 3.4 0 0 0 9.8 18l.3-.3m-.3-4.5a3.4 3.4 0 0 0 4.8 0L18 9.8A3.4 3.4 0 0 0 13.2 5l-1 1"/>
-                                        </svg>
-                                        <span class="mr-1 text-gray-500">{"Repository URL:"}</span>
-                                        <p>{ move || info.repo_url.clone() }</p>
-                                    </a>
-                                </span>
-                                <span class="mt-2 text-sm flex flex-row items-center rounded me-2">
-                                    <svg class="w-3 h-3 mr-2" aria-hidden="true" xmlns="http://www.w3.org/2000/svg" fill="none" viewBox="0 0 14 20">
-                                        <path stroke="currentColor" stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M3 5v10M3 5a2 2 0 1 0 0-4 2 2 0 0 0 0 4Zm0 10a2 2 0 1 0 0 4 2 2 0 0 0 0-4Zm6-3.976-2-.01A4.015 4.015 0 0 1 3 7m10 4a2 2 0 1 1-4 0 2 2 0 0 1 4 0Z"/>
-                                    </svg>
-                                    <span class="mr-1 text-gray-500">{"Branch:"}</span>
-                                    <span class="mr-2">{ info.branch }</span>
-                                    <span>{ info.commit }</span>
-                                </span>
-                                <span class="mt-2 text-sm flex flex-row items-center rounded me-2">
-                                    <svg class="w-2.5 h-2.5 mr-2" xmlns="http://www.w3.org/2000/svg" width="16" height="16" fill="currentColor" viewBox="0 0 16 16">
-                                        <path d="M6 9a.5.5 0 0 1 .5-.5h3a.5.5 0 0 1 0 1h-3A.5.5 0 0 1 6 9M3.854 4.146a.5.5 0 1 0-.708.708L4.793 6.5 3.146 8.146a.5.5 0 1 0 .708.708l2-2a.5.5 0 0 0 0-.708z"/>
-                                        <path d="M2 1a2 2 0 0 0-2 2v10a2 2 0 0 0 2 2h12a2 2 0 0 0 2-2V3a2 2 0 0 0-2-2zm12 1a1 1 0 0 1 1 1v10a1 1 0 0 1-1 1H2a1 1 0 0 1-1-1V3a1 1 0 0 1 1-1z"/>
-                                    </svg>
-                                    <span class="mr-1 text-gray-500">{"SSH Connection:"}</span>
-                                    {
-                                        let workspace_name = workspace_name.clone();
-                                        let workspace_hostname = workspace_hostname.clone();
-                                        move || {
-                                            let ssh_port = cluster_info.with(|i| i.as_ref().map(|i| i.ssh_proxy_port).unwrap_or(2222));
-                                            format!("ssh {workspace_name}@{}{}",
-                                                workspace_hostname.split(':').next().unwrap_or(""),
-                                                if ssh_port == 22 {
-                                                    "".to_string()
-                                                } else {
-                                                    format!(" -p {ssh_port}")
-                                                }
-                                            )
-                                        }
-                                    }
-                                </span>
-                                <span class="mt-2 text-sm flex flex-row items-center rounded me-2">
-                                    <svg class="w-2.5 h-2.5 mr-2" xmlns="http://www.w3.org/2000/svg" width="16" height="16" fill="currentColor" viewBox="0 0 16 16">
-                                        <path d="M14 10a1 1 0 0 1 1 1v1a1 1 0 0 1-1 1H2a1 1 0 0 1-1-1v-1a1 1 0 0 1 1-1zM2 9a2 2 0 0 0-2 2v1a2 2 0 0 0 2 2h12a2 2 0 0 0 2-2v-1a2 2 0 0 0-2-2z"/>
-                                        <path d="M5 11.5a.5.5 0 1 1-1 0 .5.5 0 0 1 1 0m-2 0a.5.5 0 1 1-1 0 .5.5 0 0 1 1 0M14 3a1 1 0 0 1 1 1v1a1 1 0 0 1-1 1H2a1 1 0 0 1-1-1V4a1 1 0 0 1 1-1zM2 2a2 2 0 0 0-2 2v1a2 2 0 0 0 2 2h12a2 2 0 0 0 2-2V4a2 2 0 0 0-2-2z"/>
-                                        <path d="M5 4.5a.5.5 0 1 1-1 0 .5.5 0 0 1 1 0m-2 0a.5.5 0 1 1-1 0 .5.5 0 0 1 1 0"/>
-                                    </svg>
-                                    <span class="mr-1 text-gray-500">{"Machine Type:"}</span>
-                                    {
-                                        machine_types.get()
-                                            .and_then(|m|
-                                                m.into_iter()
-                                                 .find(|m| m.id == info.machine_type)
-                                            )
-                                            .map(|machine_type| format!("{} - {} vCPUs, {}GB memory, {}GB disk",machine_type.name, machine_type.cpu, machine_type.memory, machine_type.disk))
-                                    }
-                                </span>
-                                <span class="mt-2 text-sm flex flex-row items-center rounded me-2">
-                                    <svg class="w-2.5 h-2.5 mr-2" xmlns="http://www.w3.org/2000/svg" width="24px" height="24px" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"><line x1="12" x2="12" y1="17" y2="22"></line><path d="M5 17h14v-1.76a2 2 0 0 0-1.11-1.79l-1.78-.9A2 2 0 0 1 15 10.76V6h1a2 2 0 0 0 0-4H8a2 2 0 0 0 0 4h1v4.76a2 2 0 0 1-1.11 1.79l-1.78.9A2 2 0 0 0 5 15.24Z"></path></svg>
-                                    <span class="mr-1 text-gray-500">{"Pinned:"}</span>
-                                    <span>{ info.pinned }</span>
-                                </span>
-                                <span class="mt-2 text-sm flex flex-row items-center rounded me-2">
-                                    <svg class="w-2.5 h-2.5 mr-2" aria-hidden="true" xmlns="http://www.w3.org/2000/svg" fill="currentColor" viewBox="0 0 20 20">
-                                    <path d="M10 0a10 10 0 1 0 10 10A10.011 10.011 0 0 0 10 0Zm3.982 13.982a1 1 0 0 1-1.414 0l-3.274-3.274A1.012 1.012 0 0 1 9 10V6a1 1 0 0 1 2 0v3.586l2.982 2.982a1 1 0 0 1 0 1.414Z"/>
-                                    </svg>
-                                    <span class="mr-1 text-gray-500">{"Created:"}</span>
-                                    <DatetimeModal time=info.created_at />
-                                </span>
-                                <div class="mt-4">
-                                    <WorkspaceControl
-                                        workspace_name=workspace_name.clone()
-                                        workspace_status=status.get()
-                                        workspace_folder=info.repo_name.clone()
-                                        workspace_hostname=workspace_hostname.clone()
-                                        workspace_pinned=info.pinned
-                                        align_right=false
-                                        delete_modal_hidden
-                                        rebuild_modal_hidden
-                                        error />
-                                </div>
-                                { move || if let Some(error) = error.get() {
-                                    view! {
-                                        <div class="w-full my-4 p-4 rounded-lg bg-red-50">
-                                            <span class="text-sm font-medium text-red-800">{ error }</span>
-                                        </div>
-                                    }.into_view()
-                                } else {
-                                    view!{}.into_view()
-                                }}
-
-                                <Show
-                                    when=move || { let status = status.get(); status == WorkspaceStatus::New || status == WorkspaceStatus::Building || status == WorkspaceStatus::PrebuildBuilding || status == WorkspaceStatus::PrebuildCopying || status == WorkspaceStatus::Failed}
-                                >
-                                    <div id="build-messages-scroll" class="overflow-y-auto p-4 h-48 w-full mt-8 border rounded">
-                                        <For
-                                            each=move || build_messages.get().into_iter().enumerate()
-                                            key=|(i, _)| *i
-                                            children=move |(_, msg)| {
-                                                let is_error = msg.is_error();
-                                                view! {
-                                                    <p
-                                                        class=("text-red-500", move || is_error)
-                                                    >{msg.msg().to_string()}</p>
-                                                }
-                                            }
-                                        />
-                                    </div>
-                                </Show>
-
-                                <div class="flex flex-col">
-                                    <For
-                                        each=move || info.services.clone()
-                                        key=move |s| s.clone()
-                                        children={
-                                            let workspace_folder = info.repo_name.clone();
-                                            let workspace_hostname = workspace_hostname.clone();
-                                            move |ws_service| {
-                                                view! {
-                                                    <WorkspaceServiceView
-                                                        ws_service
-                                                        workspace_hostname=workspace_hostname.clone()
-                                                        workspace_folder=workspace_folder.clone()
-                                                        status
-                                                        cluster_info
-                                                    />
-                                                }
-                                            }
-                                        }
-                                    />
-                                </div>
-
-                                <WorkspaceTabView
-                                    name=info.name.clone()
-                                    workspace_hostname=workspace_hostname.clone()
-                                    show_build_error=true
-                                    build_error=info.build_error.clone()
-                                />
-
-                                <DeletionModal resource=info.name.clone() modal_hidden=delete_modal_hidden delete_action />
-                                <WorkspaceRebuildModal
-                                    workspace_name=workspace_name.clone()
-                                    rebuild_modal_hidden
-                                />
-                            </div>
-                        }
-                    } else {
-                        view! {
-                            <div>
-                            </div>
-                        }
-                    }
-                }
-            </Show>
-        </section>
-    }
-}
-
-#[derive(Copy, Clone, PartialEq, Eq)]
-enum TabKind {
-    Port,
-    BuildOutput,
-}
-
-#[component]
-fn WorkspaceServiceView(
-    ws_service: WorkspaceService,
-    workspace_hostname: String,
-    workspace_folder: String,
-    status: RwSignal<WorkspaceStatus>,
-    cluster_info: Signal<Option<ClusterInfo>>,
-) -> impl IntoView {
-    let expanded = create_rw_signal(false);
-    let toggle_expand_view = move |_| {
-        expanded.update(|e| {
-            *e = !*e;
-        });
-    };
-    view! {
-        <div class="border rounded-lg p-8 mt-8">
-            <div
-                class="flex flex-row flex-wrap justify-between items-center"
-            >
-                <div class="flex flex-row items-center">
-                    <button
-                        class="p-2"
-                        on:click=toggle_expand_view
-                    >
-                        <svg
-                            class:hidden=move || expanded.get()
-                            class="text-gray-600 w-3 h-3 mr-3" xmlns="http://www.w3.org/2000/svg" fill="none" viewBox="0 0 6 10"
-                        >
-                            <path stroke="currentColor" stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="m1 9 4-4-4-4"></path>
-                        </svg>
-                        <svg
-                            class:hidden=move || !expanded.get()
-                            class="text-gray-600 w-3 h-3 mr-3" xmlns="http://www.w3.org/2000/svg" fill="none" viewBox="0 0 10 6"
-                        >
-                            <path stroke="currentColor" stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="m1 1 4 4 4-4"/>
-                        </svg>
-                    </button>
-                    <div class="flex flex-col text-sm">
-                        <div class="flex flex-row items-center">
-                            <svg class="w-4 h-4 mr-1" xmlns="http://www.w3.org/2000/svg" fill="currentColor" viewBox="0 0 16 16">
-                                <path fill-rule="evenodd" d="M6 3.5A1.5 1.5 0 0 1 7.5 2h1A1.5 1.5 0 0 1 10 3.5v1A1.5 1.5 0 0 1 8.5 6v1H11a.5.5 0 0 1 .5.5v1a.5.5 0 0 1-1 0V8h-5v.5a.5.5 0 0 1-1 0v-1A.5.5 0 0 1 5 7h2.5V6A1.5 1.5 0 0 1 6 4.5zM8.5 5a.5.5 0 0 0 .5-.5v-1a.5.5 0 0 0-.5-.5h-1a.5.5 0 0 0-.5.5v1a.5.5 0 0 0 .5.5zM3 11.5A1.5 1.5 0 0 1 4.5 10h1A1.5 1.5 0 0 1 7 11.5v1A1.5 1.5 0 0 1 5.5 14h-1A1.5 1.5 0 0 1 3 12.5zm1.5-.5a.5.5 0 0 0-.5.5v1a.5.5 0 0 0 .5.5h1a.5.5 0 0 0 .5-.5v-1a.5.5 0 0 0-.5-.5zm4.5.5a1.5 1.5 0 0 1 1.5-1.5h1a1.5 1.5 0 0 1 1.5 1.5v1a1.5 1.5 0 0 1-1.5 1.5h-1A1.5 1.5 0 0 1 9 12.5zm1.5-.5a.5.5 0 0 0-.5.5v1a.5.5 0 0 0 .5.5h1a.5.5 0 0 0 .5-.5v-1a.5.5 0 0 0-.5-.5z"/>
-                            </svg>
-                            <span class="text-gray-500">{"Service"}</span>
-                        </div>
-                        { ws_service.service.clone() }
-                    </div>
-                </div>
-                <div class="flex flex-col text-sm">
-                    <div class="flex flex-row items-center">
-                        <svg class="w-2.5 h-2.5 mr-2" xmlns="http://www.w3.org/2000/svg" width="16" height="16" fill="currentColor" viewBox="0 0 16 16">
-                            <path d="M6 9a.5.5 0 0 1 .5-.5h3a.5.5 0 0 1 0 1h-3A.5.5 0 0 1 6 9M3.854 4.146a.5.5 0 1 0-.708.708L4.793 6.5 3.146 8.146a.5.5 0 1 0 .708.708l2-2a.5.5 0 0 0 0-.708z"/>
-                            <path d="M2 1a2 2 0 0 0-2 2v10a2 2 0 0 0 2 2h12a2 2 0 0 0 2-2V3a2 2 0 0 0-2-2zm12 1a1 1 0 0 1 1 1v10a1 1 0 0 1-1 1H2a1 1 0 0 1-1-1V3a1 1 0 0 1 1-1z"/>
-                        </svg>
-                        <span class="text-gray-500">{"SSH Connection"}</span>
-                    </div>
-                    <WorkspaceSSHConnView
-                        name=ws_service.name.clone()
-                        workspace_hostname=workspace_hostname.clone()
-                        cluster_info
-                    />
-                </div>
-                <div class="flex flex-row">
-                    <OpenWorkspaceView workspace_name=ws_service.name.clone() workspace_status={status.get()} workspace_folder=workspace_folder.clone() workspace_hostname=workspace_hostname.clone() align_right=false />
-                </div>
-            </div>
-            <div
-                class="pl-10"
-                class:hidden=move || !expanded.get()
-            >
-                <WorkspaceTabView
-                    name=ws_service.name.clone()
-                    workspace_hostname=workspace_hostname.clone()
-                    show_build_error=false
-                    build_error=None
-                />
-            </div>
-        </div>
-    }
-}
-
-#[component]
-fn WorkspaceSSHConnView(
-    name: String,
-    workspace_hostname: String,
-    cluster_info: Signal<Option<ClusterInfo>>,
-) -> impl IntoView {
-    view! {
-        <span>
-        {
-            let ws_service_name = name.clone();
-            let workspace_hostname = workspace_hostname.clone();
-            move || {
-                let ssh_proxy_port = cluster_info.with(|i| i.as_ref().map(|i| i.ssh_proxy_port).unwrap_or(2222));
-                format!(
-                    "ssh {ws_service_name}@{}{}",
-                    workspace_hostname.split(':').next().unwrap_or(""),
-                    if ssh_proxy_port == 22 {
-                        "".to_string()
-                    } else {
-                        format!(" -p {ssh_proxy_port}")
-                    },
-                )
-            }
-        }
-        </span>
-    }
-}
-
-#[component]
-pub fn WorkspaceTabView(
-    name: String,
-    workspace_hostname: String,
-    show_build_error: bool,
-    build_error: Option<RepobuildError>,
-) -> impl IntoView {
-    let tab_kind = create_rw_signal(TabKind::Port);
-    let active_class =
-        "inline-block p-4 text-blue-600 border-b-2 border-blue-600 rounded-t-lg active";
-    let inactive_class = "inline-block p-4 border-b-2 border-transparent rounded-t-lg hover:text-gray-600 hover:border-gray-300";
-    let change_tab = move |kind: TabKind| {
-        tab_kind.set(kind);
-    };
-
-    view! {
-        <div
-            class="mt-8 text-sm font-medium text-center text-gray-500 border-b border-gray-200"
-        >
-            <ul class="flex flex-wrap -mb-px">
-                <li class="me-2">
-                    <a
-                        href="#"
-                        class={ move || if tab_kind.get() == TabKind::Port {active_class} else {inactive_class} }
-                        on:click=move |_| change_tab(TabKind::Port)
-                    >Ports</a>
-                </li>
-                <li class="me-2"
-                    class:hidden=move || !show_build_error
-                >
-                    <a
-                        href="#"
-                        class={ move || if tab_kind.get() == TabKind::BuildOutput {active_class} else {inactive_class} }
-                        on:click=move |_| change_tab(TabKind::BuildOutput)
-                    >Build Output</a>
-                </li>
-            </ul>
-        </div>
-        <div
-            class="text-gray-600"
-            class=("min-h-32", move || show_build_error)
-        >
-            <div class:hidden=move || tab_kind.get() != TabKind::Port>
-                <WorkspacePortsView name=name workspace_hostname=workspace_hostname.clone() />
-            </div>
-            <div class:hidden=move || tab_kind.get() != TabKind::BuildOutput>
-                {
-                    if let Some(e) = build_error {
-                        view! {
-                            <p class="mt-4 text-sm text-gray-900">{e.msg}</p>
-                            <p class="text-sm text-gray-500">So the workspace was created with a default image.</p>
-                            <div class="overflow-y-auto p-4 h-48 w-full mt-4 border rounded">
-                                <For
-                                    each=move || e.stderr.clone()
-                                    key=|l| l.clone()
-                                    children=move |line| {
-                                        view! {
-                                            <p class="text-sm text-red-600">{line}</p>
-                                        }
-                                    }
-                                />
-                            </div>
-                        }.into_view()
-                    } else {
-                        view! {
-                            <p class="my-4 text-sm text-gray-900">Workspace image was built successfully</p>
-                        }.into_view()
-                    }
-                }
-            </div>
-        </div>
-    }
-}
-
-async fn workspace_ports(name: &str) -> Result<Vec<WorkspacePort>> {
-    let org =
-        use_context::<Signal<Option<Organization>>>().ok_or_else(|| anyhow!("can't get org"))?;
-    let org = org
-        .get_untracked()
-        .ok_or_else(|| anyhow!("can't get org"))?;
-    let resp = Request::get(&format!(
-        "/api/v1/organizations/{}/workspaces/{name}/ports",
-        org.id
-    ))
-    .send()
-    .await?;
-    let ports: Vec<WorkspacePort> = resp.json().await?;
-    Ok(ports)
-}
-
-async fn update_workspace_port(
-    name: &str,
-    port: u16,
-    shared: bool,
-    public: bool,
-) -> Result<(), ErrorResponse> {
-    let org =
-        use_context::<Signal<Option<Organization>>>().ok_or_else(|| anyhow!("can't get org"))?;
-    let org = org
-        .get_untracked()
-        .ok_or_else(|| anyhow!("can't get org"))?;
-    let resp = Request::put(&format!(
-        "/api/v1/organizations/{}/workspaces/{name}/ports/{port}",
-        org.id
-    ))
-    .json(&UpdateWorkspacePort { shared, public })?
-    .send()
-    .await?;
-    if resp.status() != 204 {
-        let error = resp
-            .json::<ErrorResponse>()
-            .await
-            .unwrap_or_else(|_| ErrorResponse {
-                error: "Internal Server Error".to_string(),
-            });
-        return Err(error);
-    }
-    Ok(())
-}
-
-#[component]
-pub fn WorkspacePortsView(name: String, workspace_hostname: String) -> impl IntoView {
-    let ports = {
-        let name = name.clone();
-        create_local_resource(
-            || (),
-            move |_| {
-                let name = name.clone();
-                async move { workspace_ports(&name.clone()).await }
-            },
-        )
-    };
-    let ports = Signal::derive(move || {
-        ports
-            .with(|p| p.as_ref().map(|p| p.as_ref().ok().cloned()))
-            .flatten()
-            .unwrap_or_default()
-    });
-
-    let success = create_rw_signal(None);
-    let error = create_rw_signal(None);
-
-    view! {
-        <p class="mt-2 py-2 text-sm text-gray-900">Exposed ports of your workspace</p>
-        <div class="text-sm text-gray-500">
-            <p>Only you can access the ports by default.</p>
-            <p>If you make the port shared, all members in the same organisation can access it.</p>
-            <p>If you make the port public, everyone who has the url can access it.</p>
-        </div>
-        { move || if let Some(success) = success.get() {
-            view! {
-                <div class="mt-4 p-4 rounded-lg bg-green-50 w-full">
-                    <span class="text-sm font-medium text-green-800">{ success }</span>
-                </div>
-            }.into_view()
-        } else {
-            view!{}.into_view()
-        }}
-
-        { move || if let Some(error) = error.get() {
-            view! {
-                <div class="mt-4 p-4 rounded-lg bg-red-50 w-full">
-                    <span class="text-sm font-medium text-red-800">{ error }</span>
-                </div>
-            }.into_view()
-        } else {
-            view!{}.into_view()
-        }}
-
-        <div class="mt-4 flex items-center w-full px-4 py-2 text-gray-900 bg-gray-50">
-            <span class="w-1/3 truncate pr-2">Port</span>
-            <div class="w-1/3 truncate flex flex-row items-center">
-                <span class="w-1/2 truncate text-center">shared</span>
-                <span class="w-1/2 truncate text-center">public</span>
-            </div>
-            <span class="w-1/3 truncate"></span>
-        </div>
-
-        <For
-            each=move || ports.get()
-            key=|p| p.clone()
-            children=move |p| {
-                view! {
-                    <WorkspacePortView name=name.clone() p=p workspace_hostname=workspace_hostname.clone() success error />
-                }
-            }
-        />
-    }
-}
-
-#[component]
-fn WorkspacePortView(
-    name: String,
-    p: WorkspacePort,
-    workspace_hostname: String,
-    success: RwSignal<Option<String>>,
-    error: RwSignal<Option<String>>,
-) -> impl IntoView {
-    let shared = create_rw_signal(p.shared);
-    let public = create_rw_signal(p.public);
-    let action = {
-        let name = name.clone();
-        let port = p.port;
-        create_action(move |_| {
-            let name = name.clone();
-            async move {
-                error.set(None);
-                success.set(None);
-                if let Err(e) = update_workspace_port(
-                    &name.clone(),
-                    port,
-                    shared.get_untracked(),
-                    public.get_untracked(),
-                )
-                .await
-                {
-                    error.set(Some(e.error.clone()));
-                } else {
-                    success.set(Some(format!("Port {port} updated successfully")));
-                }
-            }
-        })
-    };
-
-    view! {
-        <div class="flex flex-row items-center w-full px-4 py-2 border-b">
-            <span class="w-1/3 truncate pr-2">{
-                if let Some(label) = p.label.as_ref() {
-                    format!("{label} ({})", p.port)
-                } else {
-                    p.port.to_string()
-                }
-            }</span>
-            <div class="w-1/3 truncate flex flex-row items-center">
-                <div class="w-1/2 flex items-center justify-center">
-                    <input
-                        type="checkbox"
-                        value=""
-                        class="w-4 h-4 border border-gray-300 rounded bg-gray-50  focus:ring-0"
-                        prop:checked=p.shared
-                        on:change=move |e| shared.set(event_target_checked(&e))
-                    />
-                </div>
-                <div class="w-1/2 flex items-center justify-center">
-                    <input
-                        type="checkbox"
-                        value=""
-                        class="w-4 h-4 border border-gray-300 rounded bg-gray-50 focus:ring-0"
-                        prop:checked=p.public
-                        on:change=move |e| public.set(event_target_checked(&e))
-                    />
-                </div>
-            </div>
-            <div class="w-1/3 flex flex-row items-center">
-                <a
-                    href={ format!("https://{}-{name}.{workspace_hostname}/", p.port) }
-                    target="_blank"
-                    class="block px-4 py-2 text-sm font-medium text-white rounded-lg bg-green-700 hover:bg-green-800 focus:ring-4 focus:ring-green-300 focus:outline-none"
-                >
-                    Open
-                </a>
-                <button
-                    class="ml-4 flex items-center justify-center px-4 py-2 text-sm font-medium text-white rounded-lg bg-blue-700 hover:bg-blue-800 focus:ring-4 focus:ring-blue-300 focus:outline-none"
-                    on:click=move |_| action.dispatch(())
-                >
-                    Update
-                </button>
-            </div>
-        </div>
-    }
-}
diff --git a/lapdev-db/src/api.rs b/lapdev-db/src/api.rs
deleted file mode 100644
index 8702331..0000000
--- a/lapdev-db/src/api.rs
+++ /dev/null
@@ -1,705 +0,0 @@
-use anyhow::{anyhow, Result};
-use base64::{engine::general_purpose::STANDARD, Engine};
-use chrono::{DateTime, FixedOffset, Utc};
-use lapdev_common::{
-    AuthProvider, ProviderUser, UserRole, WorkspaceStatus, LAPDEV_BASE_HOSTNAME,
-    LAPDEV_ISOLATE_CONTAINER,
-};
-use pasetors::{
-    keys::{Generate, SymmetricKey},
-    version4::V4,
-};
-use sea_orm::{
-    sea_query::{Expr, Func, OnConflict},
-    ActiveModelTrait, ActiveValue, ColumnTrait, DatabaseConnection, DatabaseTransaction,
-    EntityTrait, QueryFilter, QueryOrder, QuerySelect,
-};
-use sea_orm_migration::MigratorTrait;
-use sqlx::PgPool;
-use uuid::Uuid;
-
-use crate::{entities, migration::Migrator};
-
-use super::entities::workspace;
-
-pub const LAPDEV_CLUSTER_NOT_INITIATED: &str = "lapdev-cluster-not-initiated";
-pub const LAPDEV_PIN_UNPIN_ERROR: &str = "lapdev-pin-unpin-error";
-pub const LAPDEV_MAX_CPU_ERROR: &str = "lapdev-max-cpu-error";
-const LAPDEV_API_AUTH_TOKEN_KEY: &str = "lapdev-api-auth-token-key";
-const LAPDEV_DEFAULT_USAGE_LIMIT: &str = "lapdev-default-org-usage-limit";
-const LAPDEV_DEFAULT_RUNNING_WORKSPACE_LIMIT: &str = "lapdev-default-org-running-workspace-limit";
-const LAPDEV_USER_CREATION_WEBHOOK: &str = "lapdev-user-creation-webhook";
-
-#[derive(Clone)]
-pub struct DbApi {
-    pub conn: DatabaseConnection,
-    pub pool: Option<PgPool>,
-}
-
-async fn connect_db(conn_url: &str) -> Result<sqlx::PgPool> {
-    let pool: sqlx::PgPool = sqlx::pool::PoolOptions::new()
-        .max_connections(100)
-        .connect(conn_url)
-        .await?;
-    Ok(pool)
-}
-
-impl DbApi {
-    pub async fn new(conn_url: &str, no_migration: bool) -> Result<Self> {
-        let pool = connect_db(conn_url).await?;
-        let conn = sea_orm::SqlxPostgresConnector::from_sqlx_postgres_pool(pool.clone());
-        let db = DbApi {
-            conn,
-            pool: Some(pool),
-        };
-        if !no_migration {
-            db.migrate().await?;
-        }
-        Ok(db)
-    }
-
-    async fn migrate(&self) -> Result<()> {
-        Migrator::up(&self.conn, None).await?;
-        Ok(())
-    }
-
-    pub async fn is_cluster_initiated(&self, txn: &DatabaseTransaction) -> bool {
-        // before the cluster is initiated, the auth providers can be configured
-        // without any authentication,
-        // also the user created before cluster is intiated is a cluster admin,
-        // so the value is default to true even when we've got an error
-        if entities::config::Entity::find()
-            .filter(entities::config::Column::Name.eq(LAPDEV_CLUSTER_NOT_INITIATED))
-            .one(txn)
-            .await
-            .as_ref()
-            .map(|v| v.as_ref().map(|v| v.value.as_str()))
-            == Ok(Some("yes"))
-        {
-            return false;
-        }
-        true
-    }
-
-    async fn generate_api_auth_token_key(&self) -> SymmetricKey<V4> {
-        let key = SymmetricKey::generate().unwrap();
-        {
-            let key = STANDARD.encode(key.as_bytes());
-            let _ = entities::config::ActiveModel {
-                name: ActiveValue::Set(LAPDEV_API_AUTH_TOKEN_KEY.to_string()),
-                value: ActiveValue::Set(key),
-            }
-            .insert(&self.conn)
-            .await;
-        }
-
-        key
-    }
-
-    pub async fn load_api_auth_token_key(&self) -> SymmetricKey<V4> {
-        if let Ok(key) = self.get_api_auth_token_key().await {
-            return key;
-        }
-
-        self.generate_api_auth_token_key().await
-    }
-
-    async fn get_api_auth_token_key(&self) -> Result<SymmetricKey<V4>> {
-        let key = self.get_config(LAPDEV_API_AUTH_TOKEN_KEY).await?;
-        let key = STANDARD.decode(key)?;
-        let key = SymmetricKey::from(&key)?;
-        Ok(key)
-    }
-
-    pub async fn update_config(&self, name: &str, value: &str) -> Result<entities::config::Model> {
-        let model = entities::config::Entity::insert(entities::config::ActiveModel {
-            name: ActiveValue::set(name.to_string()),
-            value: ActiveValue::set(value.to_string()),
-        })
-        .on_conflict(
-            OnConflict::column(entities::config::Column::Name)
-                .update_column(entities::config::Column::Value)
-                .to_owned(),
-        )
-        .exec_with_returning(&self.conn)
-        .await?;
-        Ok(model)
-    }
-
-    pub async fn get_config(&self, name: &str) -> Result<String> {
-        let model = entities::config::Entity::find()
-            .filter(entities::config::Column::Name.eq(name))
-            .one(&self.conn)
-            .await?
-            .ok_or_else(|| anyhow!("no config found"))?;
-        Ok(model.value)
-    }
-
-    async fn get_config_in_txn(&self, txn: &DatabaseTransaction, name: &str) -> Result<String> {
-        let model = entities::config::Entity::find()
-            .filter(entities::config::Column::Name.eq(name))
-            .one(txn)
-            .await?
-            .ok_or_else(|| anyhow!("no config found"))?;
-        Ok(model.value)
-    }
-
-    pub async fn get_base_hostname(&self) -> Result<String> {
-        self.get_config(LAPDEV_BASE_HOSTNAME).await
-    }
-
-    pub async fn get_user_creation_webhook(&self) -> Result<String> {
-        self.get_config(LAPDEV_USER_CREATION_WEBHOOK).await
-    }
-
-    pub async fn is_container_isolated(&self) -> Result<bool> {
-        Ok(entities::config::Entity::find()
-            .filter(entities::config::Column::Name.eq(LAPDEV_ISOLATE_CONTAINER))
-            .one(&self.conn)
-            .await?
-            .map(|v| v.value == "yes")
-            .unwrap_or(false))
-    }
-
-    pub async fn get_all_workspaces(
-        &self,
-        user_id: Uuid,
-        org_id: Uuid,
-    ) -> Result<
-        Vec<(
-            entities::workspace::Model,
-            Option<entities::workspace_host::Model>,
-        )>,
-    > {
-        let model = workspace::Entity::find()
-            .find_also_related(entities::workspace_host::Entity)
-            .filter(entities::workspace::Column::UserId.eq(user_id))
-            .filter(entities::workspace::Column::OrganizationId.eq(org_id))
-            .filter(entities::workspace::Column::DeletedAt.is_null())
-            .order_by_asc(entities::workspace::Column::CreatedAt)
-            .all(&self.conn)
-            .await?;
-        Ok(model)
-    }
-
-    pub async fn get_workspace(&self, id: Uuid) -> Result<entities::workspace::Model> {
-        let model = workspace::Entity::find_by_id(id)
-            .filter(entities::workspace::Column::DeletedAt.is_null())
-            .one(&self.conn)
-            .await?
-            .ok_or_else(|| anyhow!("no workspace found"))?;
-        Ok(model)
-    }
-
-    pub async fn get_workspace_by_name(&self, name: &str) -> Result<entities::workspace::Model> {
-        let model = workspace::Entity::find()
-            .filter(entities::workspace::Column::Name.eq(name))
-            .filter(entities::workspace::Column::DeletedAt.is_null())
-            .one(&self.conn)
-            .await?
-            .ok_or_else(|| anyhow!("no workspace found"))?;
-        Ok(model)
-    }
-
-    pub async fn get_workspace_by_url(
-        &self,
-        org_id: Uuid,
-        user_id: Uuid,
-        url: &str,
-    ) -> Result<Option<entities::workspace::Model>> {
-        let model = workspace::Entity::find()
-            .filter(entities::workspace::Column::OrganizationId.eq(org_id))
-            .filter(entities::workspace::Column::UserId.eq(user_id))
-            .filter(entities::workspace::Column::DeletedAt.is_null())
-            .filter(entities::workspace::Column::RepoUrl.eq(url))
-            .one(&self.conn)
-            .await?;
-        Ok(model)
-    }
-
-    pub async fn get_running_workspaces_on_host(
-        &self,
-        ws_host_id: Uuid,
-    ) -> Result<Vec<entities::workspace::Model>> {
-        let model = workspace::Entity::find()
-            .filter(entities::workspace::Column::HostId.eq(ws_host_id))
-            .filter(entities::workspace::Column::DeletedAt.is_null())
-            .filter(entities::workspace::Column::Status.eq(WorkspaceStatus::Running.to_string()))
-            .all(&self.conn)
-            .await?;
-        Ok(model)
-    }
-
-    pub async fn get_inactive_workspaces_on_host(
-        &self,
-        ws_host_id: Uuid,
-        last_updated_at: DateTime<FixedOffset>,
-    ) -> Result<Vec<entities::workspace::Model>> {
-        let model = workspace::Entity::find()
-            .filter(entities::workspace::Column::HostId.eq(ws_host_id))
-            .filter(entities::workspace::Column::DeletedAt.is_null())
-            .filter(entities::workspace::Column::Status.eq(WorkspaceStatus::Stopped.to_string()))
-            .filter(entities::workspace::Column::Pinned.eq(false))
-            .filter(entities::workspace::Column::UpdatedAt.lt(last_updated_at))
-            .all(&self.conn)
-            .await?;
-        Ok(model)
-    }
-
-    pub async fn get_org_running_workspace(
-        &self,
-        org_id: Uuid,
-    ) -> Result<Option<entities::workspace::Model>> {
-        let model = workspace::Entity::find()
-            .filter(entities::workspace::Column::OrganizationId.eq(org_id))
-            .filter(entities::workspace::Column::DeletedAt.is_null())
-            .filter(entities::workspace::Column::Status.eq(WorkspaceStatus::Running.to_string()))
-            .one(&self.conn)
-            .await?;
-        Ok(model)
-    }
-
-    pub async fn get_org_running_workspaces(
-        &self,
-        org_id: Uuid,
-    ) -> Result<Vec<entities::workspace::Model>> {
-        let model = workspace::Entity::find()
-            .filter(entities::workspace::Column::OrganizationId.eq(org_id))
-            .filter(entities::workspace::Column::Status.eq(WorkspaceStatus::Running.to_string()))
-            .filter(entities::workspace::Column::DeletedAt.is_null())
-            .all(&self.conn)
-            .await?;
-        Ok(model)
-    }
-
-    pub async fn validate_ssh_public_key(
-        &self,
-        user_id: Uuid,
-        public_key: &str,
-    ) -> Result<entities::ssh_public_key::Model> {
-        let model = entities::ssh_public_key::Entity::find()
-            .filter(entities::ssh_public_key::Column::UserId.eq(user_id))
-            .filter(entities::ssh_public_key::Column::ParsedKey.eq(public_key))
-            .filter(entities::ssh_public_key::Column::DeletedAt.is_null())
-            .one(&self.conn)
-            .await?
-            .ok_or_else(|| anyhow!("no workspace found"))?;
-        Ok(model)
-    }
-
-    pub async fn get_organization(&self, id: Uuid) -> Result<entities::organization::Model> {
-        let model = entities::organization::Entity::find_by_id(id)
-            .filter(entities::organization::Column::DeletedAt.is_null())
-            .one(&self.conn)
-            .await?
-            .ok_or_else(|| anyhow!("no organization found"))?;
-        Ok(model)
-    }
-
-    pub async fn get_organization_member(
-        &self,
-        user_id: Uuid,
-        org_id: Uuid,
-    ) -> Result<entities::organization_member::Model> {
-        let model = entities::organization_member::Entity::find()
-            .filter(entities::organization_member::Column::UserId.eq(user_id))
-            .filter(entities::organization_member::Column::OrganizationId.eq(org_id))
-            .filter(entities::organization_member::Column::DeletedAt.is_null())
-            .one(&self.conn)
-            .await?
-            .ok_or_else(|| anyhow!("no organization member found"))?;
-        Ok(model)
-    }
-
-    pub async fn get_all_organization_members(
-        &self,
-        org_id: Uuid,
-    ) -> Result<Vec<entities::organization_member::Model>> {
-        let models = entities::organization_member::Entity::find()
-            .filter(entities::organization_member::Column::OrganizationId.eq(org_id))
-            .filter(entities::organization_member::Column::DeletedAt.is_null())
-            .all(&self.conn)
-            .await?;
-        Ok(models)
-    }
-
-    pub async fn create_new_organization(
-        &self,
-        txn: &DatabaseTransaction,
-        name: String,
-    ) -> Result<entities::organization::Model> {
-        let default_usage_limit = self
-            .get_config_in_txn(txn, LAPDEV_DEFAULT_USAGE_LIMIT)
-            .await
-            .ok()
-            .and_then(|v| v.parse::<i64>().ok())
-            .unwrap_or(0);
-        let default_running_workspace_limit = self
-            .get_config_in_txn(txn, LAPDEV_DEFAULT_RUNNING_WORKSPACE_LIMIT)
-            .await
-            .ok()
-            .and_then(|v| v.parse::<i32>().ok())
-            .unwrap_or(0);
-
-        let org = entities::organization::ActiveModel {
-            id: ActiveValue::Set(Uuid::new_v4()),
-            deleted_at: ActiveValue::Set(None),
-            name: ActiveValue::Set(name.to_string()),
-            auto_start: ActiveValue::Set(true),
-            allow_workspace_change_auto_start: ActiveValue::Set(true),
-            auto_stop: ActiveValue::Set(Some(3600)),
-            allow_workspace_change_auto_stop: ActiveValue::Set(true),
-            last_auto_stop_check: ActiveValue::Set(None),
-            usage_limit: ActiveValue::Set(default_usage_limit),
-            running_workspace_limit: ActiveValue::Set(default_running_workspace_limit),
-            has_running_workspace: ActiveValue::Set(false),
-            max_cpu: ActiveValue::Set(4),
-        }
-        .insert(txn)
-        .await?;
-
-        Ok(org)
-    }
-
-    pub async fn create_new_user(
-        &self,
-        txn: &DatabaseTransaction,
-        provider: &AuthProvider,
-        provider_user: ProviderUser,
-        token: String,
-    ) -> Result<entities::user::Model> {
-        let cluster_admin = if !self.is_cluster_initiated(txn).await {
-            entities::config::ActiveModel {
-                name: ActiveValue::Set(LAPDEV_CLUSTER_NOT_INITIATED.to_string()),
-                value: ActiveValue::Set("no".to_string()),
-            }
-            .update(txn)
-            .await?;
-            true
-        } else {
-            false
-        };
-
-        let now = Utc::now();
-        let org = self
-            .create_new_organization(txn, "Personal".to_string())
-            .await?;
-
-        let user = entities::user::ActiveModel {
-            id: ActiveValue::Set(Uuid::new_v4()),
-            created_at: ActiveValue::Set(now.into()),
-            deleted_at: ActiveValue::Set(None),
-            provider: ActiveValue::Set(provider.to_string()),
-            osuser: ActiveValue::Set(format!("{provider}_{}", provider_user.login)),
-            avatar_url: ActiveValue::Set(provider_user.avatar_url.clone()),
-            email: ActiveValue::Set(provider_user.email.clone()),
-            name: ActiveValue::Set(provider_user.name.clone()),
-            current_organization: ActiveValue::Set(org.id),
-            cluster_admin: ActiveValue::Set(cluster_admin),
-            disabled: ActiveValue::Set(false),
-        }
-        .insert(txn)
-        .await?;
-
-        entities::oauth_connection::ActiveModel {
-            id: ActiveValue::Set(Uuid::new_v4()),
-            user_id: ActiveValue::Set(user.id),
-            created_at: ActiveValue::Set(now.into()),
-            deleted_at: ActiveValue::Set(None),
-            provider: ActiveValue::Set(provider.to_string()),
-            provider_id: ActiveValue::Set(provider_user.id),
-            provider_login: ActiveValue::Set(provider_user.login),
-            access_token: ActiveValue::Set(token),
-            avatar_url: ActiveValue::Set(provider_user.avatar_url),
-            email: ActiveValue::Set(provider_user.email),
-            name: ActiveValue::Set(provider_user.name),
-            read_repo: ActiveValue::Set(false),
-        }
-        .insert(txn)
-        .await?;
-
-        entities::organization_member::ActiveModel {
-            created_at: ActiveValue::Set(now.into()),
-            user_id: ActiveValue::Set(user.id),
-            organization_id: ActiveValue::Set(org.id),
-            role: ActiveValue::Set(UserRole::Owner.to_string()),
-            ..Default::default()
-        }
-        .insert(txn)
-        .await?;
-
-        Ok(user)
-    }
-
-    pub async fn get_user(&self, user_id: Uuid) -> Result<Option<entities::user::Model>> {
-        let model = entities::user::Entity::find()
-            .filter(entities::user::Column::Id.eq(user_id))
-            .filter(entities::user::Column::DeletedAt.is_null())
-            .one(&self.conn)
-            .await?;
-        Ok(model)
-    }
-
-    pub async fn get_oauth(&self, id: Uuid) -> Result<Option<entities::oauth_connection::Model>> {
-        let model = entities::oauth_connection::Entity::find()
-            .filter(entities::oauth_connection::Column::Id.eq(id))
-            .filter(entities::oauth_connection::Column::DeletedAt.is_null())
-            .one(&self.conn)
-            .await?;
-        Ok(model)
-    }
-
-    pub async fn get_user_all_oauth(
-        &self,
-        user_id: Uuid,
-    ) -> Result<Vec<entities::oauth_connection::Model>> {
-        let model = entities::oauth_connection::Entity::find()
-            .filter(entities::oauth_connection::Column::UserId.eq(user_id))
-            .filter(entities::oauth_connection::Column::DeletedAt.is_null())
-            .all(&self.conn)
-            .await?;
-        Ok(model)
-    }
-
-    pub async fn get_user_oauth(
-        &self,
-        user_id: Uuid,
-        provider_name: &str,
-    ) -> Result<Option<entities::oauth_connection::Model>> {
-        let model = entities::oauth_connection::Entity::find()
-            .filter(entities::oauth_connection::Column::UserId.eq(user_id))
-            .filter(entities::oauth_connection::Column::Provider.eq(provider_name))
-            .filter(entities::oauth_connection::Column::DeletedAt.is_null())
-            .one(&self.conn)
-            .await?;
-        Ok(model)
-    }
-
-    pub async fn get_user_organizations(
-        &self,
-        user_id: Uuid,
-    ) -> Result<Vec<entities::organization_member::Model>> {
-        let model = entities::organization_member::Entity::find()
-            .filter(entities::organization_member::Column::UserId.eq(user_id))
-            .filter(entities::organization_member::Column::DeletedAt.is_null())
-            .order_by_asc(entities::organization_member::Column::CreatedAt)
-            .all(&self.conn)
-            .await?;
-        Ok(model)
-    }
-
-    pub async fn get_all_ssh_keys(
-        &self,
-        user_id: Uuid,
-    ) -> Result<Vec<entities::ssh_public_key::Model>> {
-        let model = entities::ssh_public_key::Entity::find()
-            .filter(entities::ssh_public_key::Column::UserId.eq(user_id))
-            .filter(entities::ssh_public_key::Column::DeletedAt.is_null())
-            .order_by_asc(entities::ssh_public_key::Column::CreatedAt)
-            .all(&self.conn)
-            .await?;
-        Ok(model)
-    }
-
-    pub async fn get_ssh_key(&self, id: Uuid) -> Result<entities::ssh_public_key::Model> {
-        let model = entities::ssh_public_key::Entity::find_by_id(id)
-            .filter(entities::ssh_public_key::Column::DeletedAt.is_null())
-            .one(&self.conn)
-            .await?
-            .ok_or_else(|| anyhow!("no ssh key found"))?;
-        Ok(model)
-    }
-
-    pub async fn get_project(&self, id: Uuid) -> Result<entities::project::Model> {
-        let model = entities::project::Entity::find_by_id(id)
-            .filter(entities::project::Column::DeletedAt.is_null())
-            .one(&self.conn)
-            .await?
-            .ok_or_else(|| anyhow!("no project found"))?;
-        Ok(model)
-    }
-
-    pub async fn get_project_by_repo(
-        &self,
-        org_id: Uuid,
-        repo: &str,
-    ) -> Result<Option<entities::project::Model>> {
-        let model = entities::project::Entity::find()
-            .filter(entities::project::Column::OrganizationId.eq(org_id))
-            .filter(entities::project::Column::DeletedAt.is_null())
-            .filter(
-                Expr::expr(Func::lower(entities::project::Column::RepoUrl.into_expr()))
-                    .eq(repo.to_lowercase()),
-            )
-            .one(&self.conn)
-            .await?;
-        Ok(model)
-    }
-
-    pub async fn get_all_projects(&self, org_id: Uuid) -> Result<Vec<entities::project::Model>> {
-        let model = entities::project::Entity::find()
-            .filter(entities::project::Column::OrganizationId.eq(org_id))
-            .filter(entities::project::Column::DeletedAt.is_null())
-            .order_by_asc(entities::project::Column::CreatedAt)
-            .all(&self.conn)
-            .await?;
-        Ok(model)
-    }
-
-    pub async fn get_prebuild(&self, id: Uuid) -> Result<Option<entities::prebuild::Model>> {
-        let model = entities::prebuild::Entity::find_by_id(id)
-            .filter(entities::prebuild::Column::DeletedAt.is_null())
-            .one(&self.conn)
-            .await?;
-        Ok(model)
-    }
-
-    pub async fn get_prebuild_by_branch_and_commit(
-        &self,
-        project_id: Uuid,
-        branch: &str,
-        commit: &str,
-    ) -> Result<Option<entities::prebuild::Model>> {
-        let model = entities::prebuild::Entity::find()
-            .filter(entities::prebuild::Column::ProjectId.eq(project_id))
-            .filter(entities::prebuild::Column::Branch.eq(branch))
-            .filter(entities::prebuild::Column::Commit.eq(commit))
-            .filter(entities::prebuild::Column::DeletedAt.is_null())
-            .one(&self.conn)
-            .await?;
-        Ok(model)
-    }
-
-    pub async fn get_prebuild_by_branch_and_commit_with_lock(
-        &self,
-        txn: &DatabaseTransaction,
-        project_id: Uuid,
-        branch: &str,
-        commit: &str,
-    ) -> Result<Option<entities::prebuild::Model>> {
-        let model = entities::prebuild::Entity::find()
-            .filter(entities::prebuild::Column::ProjectId.eq(project_id))
-            .filter(entities::prebuild::Column::Branch.eq(branch))
-            .filter(entities::prebuild::Column::Commit.eq(commit))
-            .filter(entities::prebuild::Column::DeletedAt.is_null())
-            .lock_exclusive()
-            .one(txn)
-            .await?;
-        Ok(model)
-    }
-
-    pub async fn get_prebuilds(&self, project_id: Uuid) -> Result<Vec<entities::prebuild::Model>> {
-        let model = entities::prebuild::Entity::find()
-            .filter(entities::prebuild::Column::ProjectId.eq(project_id))
-            .filter(entities::prebuild::Column::DeletedAt.is_null())
-            .order_by_desc(entities::prebuild::Column::CreatedAt)
-            .all(&self.conn)
-            .await?;
-        Ok(model)
-    }
-
-    pub async fn get_prebuild_replica(
-        &self,
-        prebuild_id: Uuid,
-        host_id: Uuid,
-    ) -> Result<Option<entities::prebuild_replica::Model>> {
-        let replica = entities::prebuild_replica::Entity::find()
-            .filter(entities::prebuild_replica::Column::DeletedAt.is_null())
-            .filter(entities::prebuild_replica::Column::PrebuildId.eq(prebuild_id))
-            .filter(entities::prebuild_replica::Column::HostId.eq(host_id))
-            .one(&self.conn)
-            .await?;
-        Ok(replica)
-    }
-
-    pub async fn get_all_workspace_hosts(&self) -> Result<Vec<entities::workspace_host::Model>> {
-        let model = entities::workspace_host::Entity::find()
-            .filter(entities::workspace_host::Column::DeletedAt.is_null())
-            .all(&self.conn)
-            .await?;
-        Ok(model)
-    }
-
-    pub async fn get_workspace_host(
-        &self,
-        id: Uuid,
-    ) -> Result<Option<entities::workspace_host::Model>> {
-        let model = entities::workspace_host::Entity::find()
-            .filter(entities::workspace_host::Column::Id.eq(id))
-            .one(&self.conn)
-            .await?;
-        Ok(model)
-    }
-
-    pub async fn get_workspace_port(
-        &self,
-        ws_id: Uuid,
-        port: u16,
-    ) -> Result<Option<entities::workspace_port::Model>> {
-        let model = entities::workspace_port::Entity::find()
-            .filter(entities::workspace_port::Column::WorkspaceId.eq(ws_id))
-            .filter(entities::workspace_port::Column::Port.eq(port))
-            .filter(entities::workspace_port::Column::DeletedAt.is_null())
-            .one(&self.conn)
-            .await?;
-        Ok(model)
-    }
-
-    pub async fn get_workspace_ports(
-        &self,
-        ws_id: Uuid,
-    ) -> Result<Vec<entities::workspace_port::Model>> {
-        let model = entities::workspace_port::Entity::find()
-            .filter(entities::workspace_port::Column::WorkspaceId.eq(ws_id))
-            .filter(entities::workspace_port::Column::DeletedAt.is_null())
-            .all(&self.conn)
-            .await?;
-        Ok(model)
-    }
-
-    pub async fn get_workspace_host_by_host(
-        &self,
-        host: &str,
-    ) -> Result<Option<entities::workspace_host::Model>> {
-        let model = entities::workspace_host::Entity::find()
-            .filter(entities::workspace_host::Column::Host.eq(host))
-            .filter(entities::workspace_host::Column::DeletedAt.is_null())
-            .one(&self.conn)
-            .await?;
-        Ok(model)
-    }
-
-    pub async fn get_workspace_host_with_lock(
-        &self,
-        txn: &DatabaseTransaction,
-        id: Uuid,
-    ) -> Result<Option<entities::workspace_host::Model>> {
-        let model = entities::workspace_host::Entity::find()
-            .filter(entities::workspace_host::Column::Id.eq(id))
-            .filter(entities::workspace_host::Column::DeletedAt.is_null())
-            .lock_exclusive()
-            .one(txn)
-            .await?;
-        Ok(model)
-    }
-
-    pub async fn get_machine_type(
-        &self,
-        id: Uuid,
-    ) -> Result<Option<entities::machine_type::Model>> {
-        let model = entities::machine_type::Entity::find_by_id(id)
-            .one(&self.conn)
-            .await?;
-        Ok(model)
-    }
-
-    pub async fn get_all_machine_types(&self) -> Result<Vec<entities::machine_type::Model>> {
-        let models = entities::machine_type::Entity::find()
-            .filter(entities::machine_type::Column::DeletedAt.is_null())
-            .order_by_desc(entities::machine_type::Column::Shared)
-            .order_by_asc(entities::machine_type::Column::Cpu)
-            .all(&self.conn)
-            .await?;
-        Ok(models)
-    }
-}
diff --git a/lapdev-db/src/entities/mod.rs b/lapdev-db/src/entities/mod.rs
deleted file mode 100644
index 1900d05..0000000
--- a/lapdev-db/src/entities/mod.rs
+++ /dev/null
@@ -1,21 +0,0 @@
-//! `SeaORM` Entity. Generated by sea-orm-codegen 0.12.4
-
-pub mod prelude;
-
-pub mod audit_log;
-pub mod config;
-pub mod machine_type;
-pub mod oauth_connection;
-pub mod organization;
-pub mod organization_member;
-pub mod prebuild;
-pub mod prebuild_replica;
-pub mod project;
-pub mod quota;
-pub mod ssh_public_key;
-pub mod usage;
-pub mod user;
-pub mod user_invitation;
-pub mod workspace;
-pub mod workspace_host;
-pub mod workspace_port;
diff --git a/lapdev-db/src/entities/post.rs b/lapdev-db/src/entities/post.rs
deleted file mode 100644
index ef9a2cf..0000000
--- a/lapdev-db/src/entities/post.rs
+++ /dev/null
@@ -1,17 +0,0 @@
-//! `SeaORM` Entity. Generated by sea-orm-codegen 0.12.4
-
-use sea_orm::entity::prelude::*;
-
-#[derive(Clone, Debug, PartialEq, DeriveEntityModel, Eq)]
-#[sea_orm(table_name = "post")]
-pub struct Model {
-    #[sea_orm(primary_key)]
-    pub id: i32,
-    pub title: String,
-    pub text: String,
-}
-
-#[derive(Copy, Clone, Debug, EnumIter, DeriveRelation)]
-pub enum Relation {}
-
-impl ActiveModelBehavior for ActiveModel {}
diff --git a/lapdev-db/src/entities/prelude.rs b/lapdev-db/src/entities/prelude.rs
deleted file mode 100644
index 78e60a7..0000000
--- a/lapdev-db/src/entities/prelude.rs
+++ /dev/null
@@ -1,18 +0,0 @@
-//! `SeaORM` Entity. Generated by sea-orm-codegen 0.12.4
-
-pub use super::audit_log::Entity as AuditLog;
-pub use super::config::Entity as Config;
-pub use super::machine_type::Entity as MachineType;
-pub use super::organization::Entity as Organization;
-pub use super::organization_member::Entity as OrganizationMember;
-pub use super::prebuild::Entity as Prebuild;
-pub use super::prebuild_replica::Entity as PrebuildReplica;
-pub use super::project::Entity as Project;
-pub use super::quota::Entity as Quota;
-pub use super::ssh_public_key::Entity as SshPublicKey;
-pub use super::usage::Entity as Usage;
-pub use super::user::Entity as User;
-pub use super::user_invitation::Entity as UserInvitation;
-pub use super::workspace::Entity as Workspace;
-pub use super::workspace_host::Entity as WorkspaceHost;
-pub use super::workspace_port::Entity as WorkspacePort;
diff --git a/lapdev-db/src/entities/workspace_group.rs b/lapdev-db/src/entities/workspace_group.rs
deleted file mode 100644
index 78c438b..0000000
--- a/lapdev-db/src/entities/workspace_group.rs
+++ /dev/null
@@ -1,16 +0,0 @@
-//! `SeaORM` Entity. Generated by sea-orm-codegen 0.12.4
-
-use sea_orm::entity::prelude::*;
-
-#[derive(Clone, Debug, PartialEq, DeriveEntityModel, Eq)]
-#[sea_orm(table_name = "workspace_group")]
-pub struct Model {
-    #[sea_orm(primary_key)]
-    pub id: i32,
-    pub deleted_at: Option<DateTimeWithTimeZone>,
-}
-
-#[derive(Copy, Clone, Debug, EnumIter, DeriveRelation)]
-pub enum Relation {}
-
-impl ActiveModelBehavior for ActiveModel {}
diff --git a/lapdev-db/src/links.rs b/lapdev-db/src/links.rs
deleted file mode 100644
index 334f4ce..0000000
--- a/lapdev-db/src/links.rs
+++ /dev/null
@@ -1,17 +0,0 @@
-use sea_orm::{Linked, RelationTrait};
-
-use crate::entities;
-
-pub struct PrebuildToMachineType;
-
-impl Linked for PrebuildToMachineType {
-    type FromEntity = entities::prebuild::Entity;
-    type ToEntity = entities::machine_type::Entity;
-
-    fn link(&self) -> Vec<sea_orm::LinkDef> {
-        vec![
-            entities::project::Relation::Prebuild.def().rev(),
-            entities::project::Relation::MachineType.def(),
-        ]
-    }
-}
diff --git a/lapdev-db/src/main.rs b/lapdev-db/src/main.rs
deleted file mode 100644
index 530d8f6..0000000
--- a/lapdev-db/src/main.rs
+++ /dev/null
@@ -1,7 +0,0 @@
-use lapdev_db::migration::Migrator;
-use sea_orm_migration::cli;
-
-#[tokio::main]
-pub async fn main() {
-    cli::run_cli(Migrator).await;
-}
diff --git a/lapdev-db/src/migration/mod.rs b/lapdev-db/src/migration/mod.rs
deleted file mode 100644
index 375bc97..0000000
--- a/lapdev-db/src/migration/mod.rs
+++ /dev/null
@@ -1,48 +0,0 @@
-use sea_orm_migration::prelude::*;
-
-pub mod m20231105_152940_create_machine_type_table;
-pub mod m20231105_193627_create_workspace_host_table;
-pub mod m20231106_100019_create_user_table;
-pub mod m20231106_100804_create_workspace_table;
-pub mod m20231109_171859_create_project_table;
-pub mod m20231113_170211_create_ssh_public_key_table;
-pub mod m20231114_110943_create_config_table;
-pub mod m20231130_151650_create_organization_table;
-pub mod m20231130_151937_create_organization_member_table;
-pub mod m20231213_143210_create_prebuild_table;
-pub mod m20240125_135149_create_quota_table;
-pub mod m20240129_215530_create_usage_table;
-pub mod m20240205_113409_create_audit_log_table;
-pub mod m20240228_141013_create_user_invitation_table;
-pub mod m20240311_220708_create_prebuild_replica_table;
-pub mod m20240312_175753_create_table_update_trigger;
-pub mod m20240316_194115_create_workspace_port_table;
-pub mod m20240823_165223_create_oauth_table;
-
-pub struct Migrator;
-
-#[async_trait::async_trait]
-impl MigratorTrait for Migrator {
-    fn migrations() -> Vec<Box<dyn MigrationTrait>> {
-        vec![
-            Box::new(m20231105_152940_create_machine_type_table::Migration),
-            Box::new(m20231105_193627_create_workspace_host_table::Migration),
-            Box::new(m20231106_100019_create_user_table::Migration),
-            Box::new(m20231106_100804_create_workspace_table::Migration),
-            Box::new(m20231109_171859_create_project_table::Migration),
-            Box::new(m20231113_170211_create_ssh_public_key_table::Migration),
-            Box::new(m20231114_110943_create_config_table::Migration),
-            Box::new(m20231130_151650_create_organization_table::Migration),
-            Box::new(m20231130_151937_create_organization_member_table::Migration),
-            Box::new(m20231213_143210_create_prebuild_table::Migration),
-            Box::new(m20240125_135149_create_quota_table::Migration),
-            Box::new(m20240129_215530_create_usage_table::Migration),
-            Box::new(m20240205_113409_create_audit_log_table::Migration),
-            Box::new(m20240228_141013_create_user_invitation_table::Migration),
-            Box::new(m20240311_220708_create_prebuild_replica_table::Migration),
-            Box::new(m20240312_175753_create_table_update_trigger::Migration),
-            Box::new(m20240316_194115_create_workspace_port_table::Migration),
-            Box::new(m20240823_165223_create_oauth_table::Migration),
-        ]
-    }
-}
diff --git a/lapdev-enterprise/src/auto_start_stop.rs b/lapdev-enterprise/src/auto_start_stop.rs
deleted file mode 100644
index 21ce8b0..0000000
--- a/lapdev-enterprise/src/auto_start_stop.rs
+++ /dev/null
@@ -1,351 +0,0 @@
-use std::{collections::HashMap, time::Duration};
-
-use anyhow::Result;
-use chrono::Utc;
-use lapdev_common::WorkspaceStatus;
-use lapdev_db::{api::DbApi, entities};
-use sea_orm::{
-    sea_query::{Expr, Query},
-    ColumnTrait, Condition, EntityTrait, QueryFilter,
-};
-
-pub struct AutoStartStop {
-    db: DbApi,
-}
-
-impl AutoStartStop {
-    pub fn new(db: DbApi) -> Self {
-        Self { db }
-    }
-
-    pub async fn get_organization_auto_stop(&self) -> Result<Vec<entities::organization::Model>> {
-        let organizations: Vec<entities::organization::Model> =
-            entities::organization::Entity::update_many()
-                .col_expr(
-                    entities::organization::Column::LastAutoStopCheck,
-                    Expr::value(Some(Utc::now())),
-                )
-                .filter(
-                    Condition::any().add(
-                        entities::organization::Column::Id.in_subquery(
-                            Query::select()
-                                .column(entities::organization::Column::Id)
-                                .from(entities::organization::Entity)
-                                .and_where(entities::organization::Column::DeletedAt.is_null())
-                                .and_where(
-                                    entities::organization::Column::HasRunningWorkspace.eq(true),
-                                )
-                                .cond_where(
-                                    Condition::any()
-                                        .add(
-                                            entities::organization::Column::LastAutoStopCheck
-                                                .lt(Utc::now() - Duration::from_secs(60)),
-                                        )
-                                        .add(
-                                            entities::organization::Column::LastAutoStopCheck
-                                                .is_null(),
-                                        ),
-                                )
-                                .order_by(
-                                    entities::organization::Column::LastAutoStopCheck,
-                                    sea_orm::Order::Asc,
-                                )
-                                .limit(1)
-                                .to_owned(),
-                        ),
-                    ),
-                )
-                .exec_with_returning(&self.db.conn)
-                .await?;
-        Ok(organizations)
-    }
-
-    pub async fn organization_auto_stop_workspaces(
-        &self,
-        org: &entities::organization::Model,
-    ) -> Result<Vec<entities::workspace::Model>> {
-        let workspaces = match (org.auto_stop, org.allow_workspace_change_auto_stop) {
-            (None, false) => {
-                // auto stop is not set and we don't allow workspace to set their own
-                return Ok(vec![]);
-            }
-            (Some(timeout), false) => {
-                entities::workspace::Entity::find()
-                    .filter(
-                        entities::workspace::Column::Status
-                            .eq(WorkspaceStatus::Running.to_string()),
-                    )
-                    .filter(entities::workspace::Column::DeletedAt.is_null())
-                    .filter(
-                        entities::workspace::Column::LastInactivity
-                            .lt(Utc::now() - Duration::from_secs(timeout as u64)),
-                    )
-                    .all(&self.db.conn)
-                    .await?
-            }
-            (_, true) => {
-                let mut workspaces = entities::workspace::Entity::find()
-                    .filter(
-                        entities::workspace::Column::Status
-                            .eq(WorkspaceStatus::Running.to_string()),
-                    )
-                    .filter(entities::workspace::Column::DeletedAt.is_null())
-                    .filter(entities::workspace::Column::LastInactivity.is_not_null())
-                    .filter(entities::workspace::Column::AutoStop.is_not_null())
-                    .all(&self.db.conn)
-                    .await?;
-                workspaces.retain(|w| {
-                    let Some(last_inactivity) = w.last_inactivity else {
-                        return false;
-                    };
-
-                    let Some(auto_stop) = w.auto_stop else {
-                        return false;
-                    };
-
-                    (Utc::now() - last_inactivity.with_timezone(&Utc)).num_seconds()
-                        > auto_stop as i64
-                });
-                workspaces
-            }
-        };
-
-        let services = workspaces
-            .iter()
-            .filter_map(|ws| {
-                if ws.is_compose && ws.compose_parent.is_some() {
-                    Some((ws.id, ws.id))
-                } else {
-                    None
-                }
-            })
-            .collect::<HashMap<_, _>>();
-
-        let mut remaining = Vec::new();
-        for ws in workspaces {
-            if !ws.is_compose {
-                remaining.push(ws);
-            } else if ws.compose_parent.is_none() {
-                let children = entities::workspace::Entity::find()
-                    .filter(entities::workspace::Column::DeletedAt.is_null())
-                    .filter(entities::workspace::Column::ComposeParent.eq(ws.id))
-                    .all(&self.db.conn)
-                    .await?;
-                if children.iter().all(|ws| services.contains_key(&ws.id)) {
-                    // only stop the workspace if all services had inactivity timeout
-                    remaining.push(ws);
-                }
-            }
-        }
-
-        Ok(remaining)
-    }
-
-    pub async fn can_workspace_auto_start(&self, ws: &entities::workspace::Model) -> Result<bool> {
-        let org = self.db.get_organization(ws.organization_id).await?;
-        let auto_start = if org.allow_workspace_change_auto_start {
-            ws.auto_start
-        } else {
-            org.auto_start
-        };
-        Ok(auto_start)
-    }
-}
-
-#[cfg(test)]
-pub mod tests {
-    use std::time::Duration;
-
-    use chrono::Utc;
-    use lapdev_common::{utils, WorkspaceHostStatus, WorkspaceStatus};
-    use lapdev_db::entities;
-    use sea_orm::{ActiveModelTrait, ActiveValue};
-    use uuid::Uuid;
-
-    use crate::tests::prepare_enterprise;
-
-    #[tokio::test]
-    async fn test_organization_auto_stop_workspaces() {
-        let enterprise = prepare_enterprise().await.unwrap();
-
-        let db = enterprise.auto_start_stop.db.clone();
-
-        let user_id = Uuid::new_v4();
-
-        let workspace_host = entities::workspace_host::ActiveModel {
-            id: ActiveValue::Set(Uuid::new_v4()),
-            host: ActiveValue::Set("".to_string()),
-            port: ActiveValue::Set(6123),
-            inter_port: ActiveValue::Set(6122),
-            cpu: ActiveValue::Set(12),
-            memory: ActiveValue::Set(64),
-            disk: ActiveValue::Set(1000),
-            status: ActiveValue::Set(WorkspaceHostStatus::Active.to_string()),
-            available_shared_cpu: ActiveValue::Set(12),
-            available_dedicated_cpu: ActiveValue::Set(12),
-            available_memory: ActiveValue::Set(64),
-            available_disk: ActiveValue::Set(1000),
-            region: ActiveValue::Set("".to_string()),
-            zone: ActiveValue::Set("".to_string()),
-            ..Default::default()
-        }
-        .insert(&db.conn)
-        .await
-        .unwrap();
-        let machine_type = entities::machine_type::ActiveModel {
-            id: ActiveValue::Set(Uuid::new_v4()),
-            name: ActiveValue::Set("".to_string()),
-            shared: ActiveValue::Set(true),
-            cpu: ActiveValue::Set(2),
-            memory: ActiveValue::Set(8),
-            disk: ActiveValue::Set(10),
-            cost_per_second: ActiveValue::Set(1),
-            ..Default::default()
-        }
-        .insert(&db.conn)
-        .await
-        .unwrap();
-
-        let org = entities::organization::ActiveModel {
-            id: ActiveValue::Set(uuid::Uuid::new_v4()),
-            name: ActiveValue::Set("Personal".to_string()),
-            auto_start: ActiveValue::Set(true),
-            auto_stop: ActiveValue::Set(Some(3600)),
-            allow_workspace_change_auto_start: ActiveValue::Set(true),
-            allow_workspace_change_auto_stop: ActiveValue::Set(false),
-            usage_limit: ActiveValue::Set(108000),
-            running_workspace_limit: ActiveValue::Set(3),
-            has_running_workspace: ActiveValue::Set(false),
-            deleted_at: ActiveValue::Set(None),
-            last_auto_stop_check: ActiveValue::Set(None),
-            max_cpu: ActiveValue::Set(4),
-        }
-        .insert(&db.conn)
-        .await
-        .unwrap();
-
-        entities::workspace::ActiveModel {
-            id: ActiveValue::Set(Uuid::new_v4()),
-            updated_at: ActiveValue::Set(None),
-            deleted_at: ActiveValue::Set(None),
-            name: ActiveValue::Set(utils::rand_string(10)),
-            created_at: ActiveValue::Set(Utc::now().into()),
-            status: ActiveValue::Set(WorkspaceStatus::Running.to_string()),
-            repo_url: ActiveValue::Set("".to_string()),
-            repo_name: ActiveValue::Set("".to_string()),
-            branch: ActiveValue::Set("".to_string()),
-            commit: ActiveValue::Set("".to_string()),
-            organization_id: ActiveValue::Set(org.id),
-            user_id: ActiveValue::Set(user_id),
-            project_id: ActiveValue::Set(None),
-            host_id: ActiveValue::Set(workspace_host.id),
-            osuser: ActiveValue::Set("".to_string()),
-            ssh_private_key: ActiveValue::Set("".to_string()),
-            ssh_public_key: ActiveValue::Set("".to_string()),
-            cores: ActiveValue::Set(serde_json::to_string(&[1, 2]).unwrap()),
-            ssh_port: ActiveValue::Set(None),
-            ide_port: ActiveValue::Set(None),
-            prebuild_id: ActiveValue::Set(None),
-            service: ActiveValue::Set(None),
-            usage_id: ActiveValue::Set(None),
-            machine_type_id: ActiveValue::Set(machine_type.id),
-            last_inactivity: ActiveValue::Set(None),
-            auto_stop: ActiveValue::Set(None),
-            auto_start: ActiveValue::Set(true),
-            env: ActiveValue::Set(None),
-            build_output: ActiveValue::Set(None),
-            is_compose: ActiveValue::Set(false),
-            compose_parent: ActiveValue::Set(None),
-            pinned: ActiveValue::Set(false),
-        }
-        .insert(&enterprise.auto_start_stop.db.conn)
-        .await
-        .unwrap();
-
-        let worksapces = enterprise
-            .auto_start_stop
-            .organization_auto_stop_workspaces(&org)
-            .await
-            .unwrap();
-        assert!(worksapces.is_empty());
-
-        let ws = entities::workspace::ActiveModel {
-            id: ActiveValue::Set(Uuid::new_v4()),
-            updated_at: ActiveValue::Set(None),
-            deleted_at: ActiveValue::Set(None),
-            name: ActiveValue::Set(utils::rand_string(10)),
-            created_at: ActiveValue::Set(Utc::now().into()),
-            status: ActiveValue::Set(WorkspaceStatus::Running.to_string()),
-            repo_url: ActiveValue::Set("".to_string()),
-            repo_name: ActiveValue::Set("".to_string()),
-            branch: ActiveValue::Set("".to_string()),
-            commit: ActiveValue::Set("".to_string()),
-            organization_id: ActiveValue::Set(org.id),
-            user_id: ActiveValue::Set(user_id),
-            project_id: ActiveValue::Set(None),
-            host_id: ActiveValue::Set(workspace_host.id),
-            osuser: ActiveValue::Set("".to_string()),
-            ssh_private_key: ActiveValue::Set("".to_string()),
-            ssh_public_key: ActiveValue::Set("".to_string()),
-            cores: ActiveValue::Set(serde_json::to_string(&[1, 2]).unwrap()),
-            ssh_port: ActiveValue::Set(None),
-            ide_port: ActiveValue::Set(None),
-            prebuild_id: ActiveValue::Set(None),
-            service: ActiveValue::Set(None),
-            usage_id: ActiveValue::Set(None),
-            machine_type_id: ActiveValue::Set(machine_type.id),
-            last_inactivity: ActiveValue::Set(Some(
-                (Utc::now() - Duration::from_secs(3700)).into(),
-            )),
-            auto_stop: ActiveValue::Set(None),
-            auto_start: ActiveValue::Set(true),
-            env: ActiveValue::Set(None),
-            build_output: ActiveValue::Set(None),
-            is_compose: ActiveValue::Set(false),
-            compose_parent: ActiveValue::Set(None),
-            pinned: ActiveValue::Set(false),
-        }
-        .insert(&enterprise.auto_start_stop.db.conn)
-        .await
-        .unwrap();
-
-        let worksapces = enterprise
-            .auto_start_stop
-            .organization_auto_stop_workspaces(&org)
-            .await
-            .unwrap();
-        assert_eq!(worksapces.len(), 1);
-
-        let org = entities::organization::ActiveModel {
-            id: ActiveValue::Set(org.id),
-            allow_workspace_change_auto_stop: ActiveValue::Set(true),
-            ..Default::default()
-        }
-        .update(&db.conn)
-        .await
-        .unwrap();
-
-        let worksapces = enterprise
-            .auto_start_stop
-            .organization_auto_stop_workspaces(&org)
-            .await
-            .unwrap();
-        assert_eq!(worksapces.len(), 0);
-
-        entities::workspace::ActiveModel {
-            id: ActiveValue::Set(ws.id),
-            auto_stop: ActiveValue::Set(Some(3600)),
-            ..Default::default()
-        }
-        .update(&db.conn)
-        .await
-        .unwrap();
-
-        let worksapces = enterprise
-            .auto_start_stop
-            .organization_auto_stop_workspaces(&org)
-            .await
-            .unwrap();
-        assert_eq!(worksapces.len(), 1);
-    }
-}
diff --git a/lapdev-enterprise/src/quota.rs b/lapdev-enterprise/src/quota.rs
deleted file mode 100644
index 6d766ed..0000000
--- a/lapdev-enterprise/src/quota.rs
+++ /dev/null
@@ -1,724 +0,0 @@
-use anyhow::Result;
-use chrono::Utc;
-use lapdev_common::{
-    OrgQuota, OrgQuotaValue, QuotaKind, QuotaLevel, QuotaResult, QuotaValue, WorkspaceStatus,
-};
-use lapdev_db::{api::DbApi, entities};
-use sea_orm::{
-    sea_query::OnConflict, ActiveValue, ColumnTrait, Condition, DatabaseTransaction, EntityTrait,
-    PaginatorTrait, QueryFilter, QuerySelect,
-};
-use uuid::Uuid;
-
-use crate::usage::Usage;
-
-pub struct Quota {
-    usage: Usage,
-    db: DbApi,
-}
-
-impl Quota {
-    pub fn new(usage: Usage, db: DbApi) -> Self {
-        Self { usage, db }
-    }
-
-    async fn quota_value(
-        &self,
-        txn: &DatabaseTransaction,
-        kind: &QuotaKind,
-        organization: Uuid,
-        user: Uuid,
-    ) -> Result<QuotaValue> {
-        // lock on quota rows so that we don't calculate the existing
-        // resources at the same time
-        let default_user = Uuid::from_u128(0);
-        let quotas = entities::quota::Entity::find()
-            .filter(entities::quota::Column::DeletedAt.is_null())
-            .filter(entities::quota::Column::Organization.eq(organization))
-            .filter(entities::quota::Column::Kind.eq(kind.to_string()))
-            .filter(
-                Condition::any()
-                    .add(entities::quota::Column::User.is_null())
-                    .add(entities::quota::Column::User.eq(Some(user)))
-                    .add(entities::quota::Column::User.eq(Some(default_user))),
-            )
-            .lock_exclusive()
-            .all(txn)
-            .await?;
-
-        let mut value = QuotaValue {
-            kind: kind.to_owned(),
-            user: 0,
-            organization: 0,
-        };
-
-        for quota in &quotas {
-            if quota.user.is_none() && quota.value > 0 {
-                value.organization = quota.value as usize;
-            } else if quota.user == Some(user) && quota.value > 0 {
-                value.user = quota.value as usize;
-            }
-        }
-
-        if value.user == 0 {
-            // we haven't got a user specific quota, so we do another pass to find
-            // default user quota
-            for quota in &quotas {
-                if quota.user == Some(default_user) && quota.value > 0 {
-                    value.user = quota.value as usize;
-                }
-            }
-        }
-
-        Ok(value)
-    }
-
-    async fn do_check(
-        &self,
-        quota: QuotaValue,
-        organization: Uuid,
-        user: Uuid,
-    ) -> Result<Option<QuotaResult>> {
-        if quota.user > 0 {
-            let n = self
-                .get_user_existing(&quota.kind, organization, user)
-                .await?;
-            if n >= quota.user {
-                return Ok(Some(QuotaResult {
-                    kind: quota.kind,
-                    level: QuotaLevel::User,
-                    existing: n,
-                    quota: quota.user,
-                }));
-            }
-        }
-
-        if quota.organization > 0 {
-            let n = self
-                .get_organization_existing(&quota.kind, organization)
-                .await?;
-            if n >= quota.organization {
-                return Ok(Some(QuotaResult {
-                    kind: quota.kind,
-                    level: QuotaLevel::Organization,
-                    existing: n,
-                    quota: quota.organization,
-                }));
-            }
-        }
-
-        Ok(None)
-    }
-
-    pub(crate) async fn check(
-        &self,
-        txn: &DatabaseTransaction,
-        kind: QuotaKind,
-        organization: Uuid,
-        user: Uuid,
-    ) -> Result<Option<QuotaResult>> {
-        let quota = self.quota_value(txn, &kind, organization, user).await?;
-        self.do_check(quota, organization, user).await
-    }
-
-    async fn update(
-        &self,
-        txn: &DatabaseTransaction,
-        organization: Uuid,
-        user: Option<Uuid>,
-        kind: &QuotaKind,
-        value: usize,
-    ) -> Result<entities::quota::Model> {
-        let model = entities::quota::ActiveModel {
-            id: ActiveValue::set(Uuid::new_v4()),
-            created_at: ActiveValue::Set(Utc::now().into()),
-            deleted_at: ActiveValue::Set(None),
-            kind: ActiveValue::Set(kind.to_string()),
-            value: ActiveValue::Set(value as i32),
-            organization: ActiveValue::Set(organization),
-            user: ActiveValue::Set(user),
-        };
-        let model = entities::quota::Entity::insert(model)
-            .on_conflict(
-                OnConflict::columns([
-                    entities::quota::Column::DeletedAt,
-                    entities::quota::Column::Organization,
-                    entities::quota::Column::User,
-                    entities::quota::Column::Kind,
-                ])
-                .update_column(entities::quota::Column::Value)
-                .to_owned(),
-            )
-            .exec_with_returning(txn)
-            .await?;
-        Ok(model)
-    }
-
-    pub async fn update_for_organization(
-        &self,
-        txn: &DatabaseTransaction,
-        organization: Uuid,
-        kind: QuotaKind,
-        value: usize,
-    ) -> Result<entities::quota::Model> {
-        self.update(txn, organization, None, &kind, value).await
-    }
-
-    pub async fn update_for_default_user(
-        &self,
-        txn: &DatabaseTransaction,
-        organization: Uuid,
-        kind: QuotaKind,
-        value: usize,
-    ) -> Result<entities::quota::Model> {
-        self.update(txn, organization, Some(Uuid::from_u128(0)), &kind, value)
-            .await
-    }
-
-    pub async fn update_for_user(
-        &self,
-        txn: &DatabaseTransaction,
-        organization: Uuid,
-        user: Uuid,
-        kind: QuotaKind,
-        value: usize,
-    ) -> Result<entities::quota::Model> {
-        self.update(txn, organization, Some(user), &kind, value)
-            .await
-    }
-
-    async fn get_user_existing(
-        &self,
-        kind: &QuotaKind,
-        organization: Uuid,
-        user: Uuid,
-    ) -> Result<usize> {
-        let existing = match kind {
-            QuotaKind::Workspace => {
-                entities::workspace::Entity::find()
-                    .filter(entities::workspace::Column::DeletedAt.is_null())
-                    .filter(entities::workspace::Column::OrganizationId.eq(organization))
-                    .filter(entities::workspace::Column::UserId.eq(user))
-                    .count(&self.db.conn)
-                    .await? as usize
-            }
-            QuotaKind::RunningWorkspace => {
-                entities::workspace::Entity::find()
-                    .filter(entities::workspace::Column::DeletedAt.is_null())
-                    .filter(entities::workspace::Column::OrganizationId.eq(organization))
-                    .filter(entities::workspace::Column::UserId.eq(user))
-                    .filter(
-                        entities::workspace::Column::Status
-                            .ne(WorkspaceStatus::Stopped.to_string()),
-                    )
-                    .filter(entities::workspace::Column::ComposeParent.is_null())
-                    .count(&self.db.conn)
-                    .await? as usize
-            }
-            QuotaKind::Project => 0,
-            QuotaKind::DailyCost => {
-                self.usage
-                    .get_daily_cost(organization, Some(user), None, Utc::now().into(), None)
-                    .await?
-            }
-            QuotaKind::MonthlyCost => {
-                self.usage
-                    .get_monthly_cost(organization, Some(user), None, Utc::now().into(), None)
-                    .await?
-            }
-        };
-        Ok(existing)
-    }
-
-    pub async fn get_organization_existing(
-        &self,
-        kind: &QuotaKind,
-        organization: Uuid,
-    ) -> Result<usize> {
-        let existing = match kind {
-            QuotaKind::Workspace => {
-                entities::workspace::Entity::find()
-                    .filter(entities::workspace::Column::DeletedAt.is_null())
-                    .filter(entities::workspace::Column::OrganizationId.eq(organization))
-                    .count(&self.db.conn)
-                    .await? as usize
-            }
-            QuotaKind::RunningWorkspace => {
-                entities::workspace::Entity::find()
-                    .filter(entities::workspace::Column::DeletedAt.is_null())
-                    .filter(entities::workspace::Column::OrganizationId.eq(organization))
-                    .filter(
-                        entities::workspace::Column::Status
-                            .ne(WorkspaceStatus::Stopped.to_string()),
-                    )
-                    .filter(entities::workspace::Column::ComposeParent.is_null())
-                    .count(&self.db.conn)
-                    .await? as usize
-            }
-            QuotaKind::Project => {
-                entities::project::Entity::find()
-                    .filter(entities::project::Column::DeletedAt.is_null())
-                    .filter(entities::project::Column::OrganizationId.eq(organization))
-                    .count(&self.db.conn)
-                    .await? as usize
-            }
-            QuotaKind::DailyCost => {
-                self.usage
-                    .get_daily_cost(organization, None, None, Utc::now().into(), None)
-                    .await?
-                    / 60
-                    / 60
-            }
-            QuotaKind::MonthlyCost => {
-                self.usage
-                    .get_monthly_cost(organization, None, None, Utc::now().into(), None)
-                    .await?
-                    / 60
-                    / 60
-            }
-        };
-        Ok(existing)
-    }
-
-    pub async fn get_org_quota(&self, organization: Uuid) -> Result<OrgQuota> {
-        let org_quota = OrgQuota {
-            workspace: self
-                .get_org_quota_value(organization, QuotaKind::Workspace)
-                .await?,
-            running_workspace: self
-                .get_org_quota_value(organization, QuotaKind::RunningWorkspace)
-                .await?,
-            project: self
-                .get_org_quota_value(organization, QuotaKind::Project)
-                .await?,
-            daily_cost: self
-                .get_org_quota_value(organization, QuotaKind::DailyCost)
-                .await?,
-            monthly_cost: self
-                .get_org_quota_value(organization, QuotaKind::MonthlyCost)
-                .await?,
-        };
-
-        Ok(org_quota)
-    }
-
-    async fn get_org_quota_value(
-        &self,
-        organization: Uuid,
-        quota_kind: QuotaKind,
-    ) -> Result<OrgQuotaValue> {
-        let existing = self
-            .get_organization_existing(&quota_kind, organization)
-            .await?;
-
-        let org_quota = entities::quota::Entity::find()
-            .filter(entities::quota::Column::DeletedAt.is_null())
-            .filter(entities::quota::Column::Organization.eq(organization))
-            .filter(entities::quota::Column::Kind.eq(quota_kind.to_string()))
-            .filter(entities::quota::Column::User.is_null())
-            .one(&self.db.conn)
-            .await?
-            .map(|q| q.value as usize)
-            .unwrap_or(0);
-        let default_user = Uuid::from_u128(0);
-        let default_user_quota = entities::quota::Entity::find()
-            .filter(entities::quota::Column::DeletedAt.is_null())
-            .filter(entities::quota::Column::Organization.eq(organization))
-            .filter(entities::quota::Column::Kind.eq(quota_kind.to_string()))
-            .filter(entities::quota::Column::User.eq(Some(default_user)))
-            .one(&self.db.conn)
-            .await?
-            .map(|q| q.value as usize)
-            .unwrap_or(0);
-        Ok(OrgQuotaValue {
-            existing,
-            org_quota,
-            default_user_quota,
-        })
-    }
-}
-
-#[cfg(test)]
-pub mod tests {
-    use anyhow::Result;
-    use chrono::Utc;
-    use lapdev_common::{
-        utils, AuthProvider, ProviderUser, QuotaKind, QuotaLevel, WorkspaceHostStatus,
-        WorkspaceStatus,
-    };
-    use lapdev_db::{api::DbApi, entities};
-    use sea_orm::{ActiveModelTrait, ActiveValue, TransactionTrait};
-    use uuid::Uuid;
-
-    use crate::tests::prepare_enterprise;
-
-    async fn insert_workspace_host(db: &DbApi) -> Result<entities::workspace_host::Model> {
-        Ok(entities::workspace_host::ActiveModel {
-            id: ActiveValue::Set(Uuid::new_v4()),
-            host: ActiveValue::Set("".to_string()),
-            port: ActiveValue::Set(6123),
-            inter_port: ActiveValue::Set(6122),
-            cpu: ActiveValue::Set(12),
-            memory: ActiveValue::Set(64),
-            disk: ActiveValue::Set(1000),
-            status: ActiveValue::Set(WorkspaceHostStatus::Active.to_string()),
-            available_shared_cpu: ActiveValue::Set(12),
-            available_dedicated_cpu: ActiveValue::Set(12),
-            available_memory: ActiveValue::Set(64),
-            available_disk: ActiveValue::Set(1000),
-            region: ActiveValue::Set("".to_string()),
-            zone: ActiveValue::Set("".to_string()),
-            ..Default::default()
-        }
-        .insert(&db.conn)
-        .await?)
-    }
-
-    async fn insert_machine_type(db: &DbApi) -> Result<entities::machine_type::Model> {
-        Ok(entities::machine_type::ActiveModel {
-            id: ActiveValue::Set(Uuid::new_v4()),
-            name: ActiveValue::Set("".to_string()),
-            shared: ActiveValue::Set(true),
-            cpu: ActiveValue::Set(2),
-            memory: ActiveValue::Set(8),
-            disk: ActiveValue::Set(10),
-            cost_per_second: ActiveValue::Set(1),
-            ..Default::default()
-        }
-        .insert(&db.conn)
-        .await?)
-    }
-
-    async fn insert_workspace(
-        db: &DbApi,
-        organization: Uuid,
-        user: Uuid,
-        status: Option<WorkspaceStatus>,
-        workspace_host_id: Uuid,
-        machine_type_id: Uuid,
-    ) -> Result<entities::workspace::Model> {
-        let ws = entities::workspace::ActiveModel {
-            id: ActiveValue::Set(Uuid::new_v4()),
-            updated_at: ActiveValue::Set(None),
-            deleted_at: ActiveValue::Set(None),
-            name: ActiveValue::Set(utils::rand_string(10)),
-            created_at: ActiveValue::Set(Utc::now().into()),
-            status: ActiveValue::Set(status.unwrap_or(WorkspaceStatus::New).to_string()),
-            repo_url: ActiveValue::Set("".to_string()),
-            repo_name: ActiveValue::Set("".to_string()),
-            branch: ActiveValue::Set("".to_string()),
-            commit: ActiveValue::Set("".to_string()),
-            organization_id: ActiveValue::Set(organization),
-            user_id: ActiveValue::Set(user),
-            project_id: ActiveValue::Set(None),
-            host_id: ActiveValue::Set(workspace_host_id),
-            osuser: ActiveValue::Set("".to_string()),
-            ssh_private_key: ActiveValue::Set("".to_string()),
-            ssh_public_key: ActiveValue::Set("".to_string()),
-            cores: ActiveValue::Set(serde_json::to_string(&[1, 2])?),
-            ssh_port: ActiveValue::Set(None),
-            ide_port: ActiveValue::Set(None),
-            prebuild_id: ActiveValue::Set(None),
-            service: ActiveValue::Set(None),
-            usage_id: ActiveValue::Set(None),
-            machine_type_id: ActiveValue::Set(machine_type_id),
-            last_inactivity: ActiveValue::Set(None),
-            auto_stop: ActiveValue::Set(None),
-            auto_start: ActiveValue::Set(true),
-            env: ActiveValue::Set(None),
-            build_output: ActiveValue::Set(None),
-            is_compose: ActiveValue::Set(false),
-            compose_parent: ActiveValue::Set(None),
-            pinned: ActiveValue::Set(false),
-        };
-        let ws = ws.insert(&db.conn).await?;
-        Ok(ws)
-    }
-
-    #[tokio::test]
-    async fn test_insert_quota() {
-        let enterprise = prepare_enterprise().await.unwrap();
-        let user = uuid::Uuid::new_v4();
-        let organization = uuid::Uuid::new_v4();
-        let db = enterprise.quota.db.clone();
-        let txn = db.conn.begin().await.unwrap();
-        let quota = enterprise
-            .quota
-            .update_for_user(&txn, organization, user, QuotaKind::Workspace, 10)
-            .await
-            .unwrap();
-        assert_eq!(quota.user, Some(user));
-        assert_eq!(quota.organization, organization);
-        assert_eq!(quota.kind, QuotaKind::Workspace.to_string());
-        assert_eq!(quota.value, 10);
-    }
-
-    #[tokio::test]
-    async fn test_update_quota() {
-        let enterprise = prepare_enterprise().await.unwrap();
-        let user = uuid::Uuid::new_v4();
-        let organization = uuid::Uuid::new_v4();
-        let db = enterprise.quota.db.clone();
-        let txn = db.conn.begin().await.unwrap();
-        let quota = enterprise
-            .quota
-            .update_for_user(&txn, organization, user, QuotaKind::Workspace, 10)
-            .await
-            .unwrap();
-        assert_eq!(quota.user, Some(user));
-        assert_eq!(quota.organization, organization);
-        assert_eq!(quota.kind, QuotaKind::Workspace.to_string());
-        assert_eq!(quota.value, 10);
-
-        let quota = enterprise
-            .quota
-            .update_for_user(&txn, organization, user, QuotaKind::Workspace, 20)
-            .await
-            .unwrap();
-        assert_eq!(quota.user, Some(user));
-        assert_eq!(quota.organization, organization);
-        assert_eq!(quota.kind, QuotaKind::Workspace.to_string());
-        assert_eq!(quota.value, 20);
-    }
-
-    #[tokio::test]
-    async fn test_workspace_quota() {
-        let enterprise = prepare_enterprise().await.unwrap();
-        let db = enterprise.quota.db.clone();
-        let txn = db.conn.begin().await.unwrap();
-        let user = db
-            .create_new_user(
-                &txn,
-                &AuthProvider::Github,
-                ProviderUser {
-                    avatar_url: None,
-                    email: None,
-                    id: 0,
-                    login: "test".to_string(),
-                    name: None,
-                },
-                "".to_string(),
-            )
-            .await
-            .unwrap();
-        enterprise
-            .quota
-            .update_for_user(
-                &txn,
-                user.current_organization,
-                user.id,
-                QuotaKind::Workspace,
-                10,
-            )
-            .await
-            .unwrap();
-        txn.commit().await.unwrap();
-
-        let workspace_host = insert_workspace_host(&db).await.unwrap();
-        let machine_type = insert_machine_type(&db).await.unwrap();
-        for _ in 0..10 {
-            insert_workspace(
-                &db,
-                user.current_organization,
-                user.id,
-                None,
-                workspace_host.id,
-                machine_type.id,
-            )
-            .await
-            .unwrap();
-        }
-        let txn = db.conn.begin().await.unwrap();
-        let quota = enterprise
-            .quota
-            .quota_value(
-                &txn,
-                &QuotaKind::Workspace,
-                user.current_organization,
-                user.id,
-            )
-            .await
-            .unwrap();
-        txn.commit().await.unwrap();
-        let result = enterprise
-            .quota
-            .do_check(quota, user.current_organization, user.id)
-            .await
-            .unwrap()
-            .unwrap();
-        assert_eq!(result.existing, 10);
-        assert_eq!(result.quota, 10);
-        assert_eq!(result.level, QuotaLevel::User);
-        assert_eq!(result.kind, QuotaKind::Workspace);
-    }
-
-    #[tokio::test]
-    async fn test_workspace_quota_organization_level() {
-        let enterprise = prepare_enterprise().await.unwrap();
-        let db = enterprise.quota.db.clone();
-        let txn = db.conn.begin().await.unwrap();
-        let user = db
-            .create_new_user(
-                &txn,
-                &AuthProvider::Github,
-                ProviderUser {
-                    avatar_url: None,
-                    email: None,
-                    id: 0,
-                    login: "test".to_string(),
-                    name: None,
-                },
-                "".to_string(),
-            )
-            .await
-            .unwrap();
-        enterprise
-            .quota
-            .update_for_user(
-                &txn,
-                user.current_organization,
-                user.id,
-                QuotaKind::Workspace,
-                10,
-            )
-            .await
-            .unwrap();
-        enterprise
-            .quota
-            .update_for_organization(&txn, user.current_organization, QuotaKind::Workspace, 5)
-            .await
-            .unwrap();
-        txn.commit().await.unwrap();
-
-        let workspace_host = insert_workspace_host(&db).await.unwrap();
-        let machine_type = insert_machine_type(&db).await.unwrap();
-        for _ in 0..6 {
-            insert_workspace(
-                &db,
-                user.current_organization,
-                user.id,
-                None,
-                workspace_host.id,
-                machine_type.id,
-            )
-            .await
-            .unwrap();
-        }
-        let txn = db.conn.begin().await.unwrap();
-        let quota = enterprise
-            .quota
-            .quota_value(
-                &txn,
-                &QuotaKind::Workspace,
-                user.current_organization,
-                user.id,
-            )
-            .await
-            .unwrap();
-        txn.commit().await.unwrap();
-        let result = enterprise
-            .quota
-            .do_check(quota, user.current_organization, user.id)
-            .await
-            .unwrap()
-            .unwrap();
-        assert_eq!(result.existing, 6);
-        assert_eq!(result.quota, 5);
-        assert_eq!(result.level, QuotaLevel::Organization);
-        assert_eq!(result.kind, QuotaKind::Workspace);
-    }
-
-    #[tokio::test]
-    async fn test_running_workspace_quota() {
-        let enterprise = prepare_enterprise().await.unwrap();
-        let db = enterprise.quota.db.clone();
-        let txn = db.conn.begin().await.unwrap();
-        let user = db
-            .create_new_user(
-                &txn,
-                &AuthProvider::Github,
-                ProviderUser {
-                    avatar_url: None,
-                    email: None,
-                    id: 0,
-                    login: "test".to_string(),
-                    name: None,
-                },
-                "".to_string(),
-            )
-            .await
-            .unwrap();
-        enterprise
-            .quota
-            .update_for_user(
-                &txn,
-                user.current_organization,
-                user.id,
-                QuotaKind::RunningWorkspace,
-                5,
-            )
-            .await
-            .unwrap();
-        enterprise
-            .quota
-            .update_for_user(
-                &txn,
-                user.current_organization,
-                user.id,
-                QuotaKind::Workspace,
-                15,
-            )
-            .await
-            .unwrap();
-        txn.commit().await.unwrap();
-
-        let workspace_host = insert_workspace_host(&db).await.unwrap();
-        let machine_type = insert_machine_type(&db).await.unwrap();
-        for _ in 0..5 {
-            insert_workspace(
-                &db,
-                user.current_organization,
-                user.id,
-                Some(WorkspaceStatus::Running),
-                workspace_host.id,
-                machine_type.id,
-            )
-            .await
-            .unwrap();
-        }
-        for _ in 0..5 {
-            insert_workspace(
-                &db,
-                user.current_organization,
-                user.id,
-                Some(WorkspaceStatus::Stopped),
-                workspace_host.id,
-                machine_type.id,
-            )
-            .await
-            .unwrap();
-        }
-        let txn = db.conn.begin().await.unwrap();
-        let quota = enterprise
-            .quota
-            .quota_value(
-                &txn,
-                &QuotaKind::RunningWorkspace,
-                user.current_organization,
-                user.id,
-            )
-            .await
-            .unwrap();
-        txn.commit().await.unwrap();
-        let result = enterprise
-            .quota
-            .do_check(quota, user.current_organization, user.id)
-            .await
-            .unwrap()
-            .unwrap();
-        assert_eq!(result.existing, 5);
-        assert_eq!(result.quota, 5);
-        assert_eq!(result.level, QuotaLevel::User);
-        assert_eq!(result.kind, QuotaKind::RunningWorkspace);
-    }
-}
diff --git a/lapdev-kube/Cargo.toml b/lapdev-kube/Cargo.toml
deleted file mode 100644
index 61c99fb..0000000
--- a/lapdev-kube/Cargo.toml
+++ /dev/null
@@ -1,11 +0,0 @@
-[package]
-name = "lapdev-kube"
-version.workspace = true
-authors.workspace = true
-edition.workspace = true
-
-[dependencies]
-base64.workspace = true
-anyhow.workspace = true
-kube = { version = "0.98.0", features = [] }
-k8s-openapi = { version = "0.24.0", features = ["latest"] }
diff --git a/lapdev-kube/src/lib.rs b/lapdev-kube/src/lib.rs
deleted file mode 100644
index ba5da42..0000000
--- a/lapdev-kube/src/lib.rs
+++ /dev/null
@@ -1,5 +0,0 @@
-use anyhow::Result;
-
-pub async fn run() -> Result<()> {
-    Ok(())
-}
diff --git a/lapdev-rpc/src/lib.rs b/lapdev-rpc/src/lib.rs
deleted file mode 100644
index a4135eb..0000000
--- a/lapdev-rpc/src/lib.rs
+++ /dev/null
@@ -1,197 +0,0 @@
-pub mod error;
-
-use std::{
-    io,
-    time::{Duration, SystemTime},
-};
-
-use anyhow::{anyhow, Result};
-use chrono::{DateTime, FixedOffset};
-use error::ApiError;
-use futures::{
-    stream::{AbortHandle, Abortable},
-    Sink, SinkExt, Stream, StreamExt, TryFutureExt, TryStreamExt,
-};
-use lapdev_common::{
-    BuildTarget, ContainerInfo, CreateWorkspaceRequest, DeleteWorkspaceRequest, GitBranch,
-    HostWorkspace, PrebuildInfo, ProjectRequest, RepoBuildInfo, RepoBuildOutput, RepoBuildResult,
-    RepoContent, StartWorkspaceRequest, StopWorkspaceRequest,
-};
-use serde::{Deserialize, Serialize};
-use tarpc::transport::channel::UnboundedChannel;
-use uuid::Uuid;
-
-/// A tarpc message that can be either a request or a response.
-#[derive(serde::Serialize, serde::Deserialize)]
-pub enum TwoWayMessage<Req, Resp> {
-    ClientMessage(tarpc::ClientMessage<Req>),
-    Response(tarpc::Response<Resp>),
-}
-
-/// Returns two transports that multiplex over the given transport.
-/// The first transport can be used by a server: it receives requests and sends back responses.
-/// The second transport can be used by a client: it sends requests and receives back responses.
-#[allow(clippy::complexity)]
-pub fn spawn_twoway<Req1, Resp1, Req2, Resp2, T>(
-    transport: T,
-) -> (
-    UnboundedChannel<tarpc::ClientMessage<Req1>, tarpc::Response<Resp1>>,
-    UnboundedChannel<tarpc::Response<Resp2>, tarpc::ClientMessage<Req2>>,
-    AbortHandle,
-)
-where
-    T: Stream<Item = Result<TwoWayMessage<Req1, Resp2>, io::Error>>,
-    T: Sink<TwoWayMessage<Req2, Resp1>, Error = io::Error>,
-    T: Unpin + Send + 'static,
-    Req1: Send + 'static,
-    Resp1: Send + 'static,
-    Req2: Send + 'static,
-    Resp2: Send + 'static,
-{
-    let (server, server_ret) = tarpc::transport::channel::unbounded();
-    let (client, client_ret) = tarpc::transport::channel::unbounded();
-    let (mut server_sink, server_stream) = server.split();
-    let (mut client_sink, client_stream) = client.split();
-    let (transport_sink, mut transport_stream) = transport.split();
-
-    let (abort_handle, abort_registration) = AbortHandle::new_pair();
-
-    {
-        let abort_handle = abort_handle.clone();
-        // Task for inbound message handling
-        tokio::spawn(async move {
-            let e: Result<()> = async move {
-                while let Some(msg) = transport_stream.next().await {
-                    match msg? {
-                        TwoWayMessage::ClientMessage(req) => server_sink.send(req).await?,
-                        TwoWayMessage::Response(resp) => client_sink.send(resp).await?,
-                    }
-                }
-                Ok(())
-            }
-            .await;
-
-            match e {
-                Ok(()) => tracing::debug!("transport_stream done"),
-                Err(e) => tracing::warn!("Error in inbound multiplexing: {}", e),
-            }
-
-            abort_handle.abort();
-        });
-    }
-
-    let abortable_sink_channel = Abortable::new(
-        futures::stream::select(
-            server_stream.map_ok(TwoWayMessage::Response),
-            client_stream.map_ok(TwoWayMessage::ClientMessage),
-        )
-        .map_err(|e| anyhow!(e)),
-        abort_registration,
-    );
-
-    // Task for outbound message handling
-    tokio::spawn(
-        abortable_sink_channel
-            .forward(transport_sink.sink_map_err(|e| anyhow!(e)))
-            .inspect_ok(|_| tracing::debug!("transport_sink done"))
-            .inspect_err(|e| tracing::warn!("Error in outbound multiplexing: {}", e)),
-    );
-
-    (server_ret, client_ret, abort_handle)
-}
-
-#[tarpc::service]
-pub trait ConductorService {
-    async fn update_workspace_last_inactivity(
-        workspace_id: Uuid,
-        last_inactivity: Option<DateTime<FixedOffset>>,
-    );
-
-    async fn update_build_repo_stdout(target: BuildTarget, line: String);
-
-    async fn update_build_repo_stderr(target: BuildTarget, line: String);
-
-    async fn running_workspaces_on_host() -> Result<Vec<HostWorkspace>, ApiError>;
-
-    async fn auto_delete_inactive_workspaces();
-}
-
-#[derive(Debug, Serialize, Deserialize)]
-pub struct Workspace {
-    pub image: String,
-}
-
-#[tarpc::service]
-pub trait WorkspaceService {
-    async fn ping() -> String;
-
-    async fn version() -> String;
-
-    async fn create_workspace(req: CreateWorkspaceRequest) -> Result<(), ApiError>;
-
-    async fn start_workspace(req: StartWorkspaceRequest) -> Result<ContainerInfo, ApiError>;
-
-    async fn delete_workspace(req: DeleteWorkspaceRequest) -> Result<(), ApiError>;
-
-    async fn stop_workspace(req: StopWorkspaceRequest) -> Result<(), ApiError>;
-
-    async fn create_project(req: ProjectRequest) -> Result<(), ApiError>;
-
-    async fn get_project_branches(req: ProjectRequest) -> Result<Vec<GitBranch>, ApiError>;
-
-    async fn transfer_repo(info: RepoBuildInfo, repo: RepoContent) -> Result<(), ApiError>;
-
-    async fn unarchive_repo(info: RepoBuildInfo) -> Result<(), ApiError>;
-
-    async fn build_repo(info: RepoBuildInfo) -> RepoBuildResult;
-
-    async fn rebuild_repo(info: RepoBuildInfo) -> RepoBuildResult;
-
-    async fn create_prebuild_archive(
-        output: RepoBuildOutput,
-        prebuild: PrebuildInfo,
-        repo_name: String,
-    ) -> Result<(), ApiError>;
-
-    async fn copy_prebuild_image(
-        prebuild: PrebuildInfo,
-        output: RepoBuildOutput,
-        dest_osuser: String,
-        target: BuildTarget,
-    ) -> Result<(), ApiError>;
-
-    async fn copy_prebuild_content(
-        prebuild: PrebuildInfo,
-        info: RepoBuildInfo,
-    ) -> Result<(), ApiError>;
-
-    async fn delete_prebuild(
-        prebuild: PrebuildInfo,
-        output: Option<RepoBuildOutput>,
-    ) -> Result<(), ApiError>;
-
-    async fn transfer_prebuild(
-        prebuild: PrebuildInfo,
-        output: RepoBuildOutput,
-        dst_host: String,
-        dst_port: u16,
-    ) -> Result<(), ApiError>;
-
-    async fn unarchive_prebuild(prebuild: PrebuildInfo, repo_name: String) -> Result<(), ApiError>;
-}
-
-#[tarpc::service]
-pub trait InterWorkspaceService {
-    async fn transfer_prebuild_archive(
-        archive: PrebuildInfo,
-        file: String,
-        content: Vec<u8>,
-        append: bool,
-    ) -> Result<(), ApiError>;
-}
-
-pub fn long_running_context() -> tarpc::context::Context {
-    let mut context = tarpc::context::current();
-    context.deadline = SystemTime::now() + Duration::from_secs(86400);
-    context
-}
diff --git a/pkg/image/vnc/Dockerfile b/pkg/image/vnc/Dockerfile
index ab8c648..f39ca67 100644
--- a/pkg/image/vnc/Dockerfile
+++ b/pkg/image/vnc/Dockerfile
@@ -1,6 +1,6 @@
 FROM debian:12
 
-RUN apt-get update && apt-mark hold iptables && \
+RUN apt-get update && \
     env DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \
       dbus-x11 \
       psmisc \
diff --git a/pkg/installers/lapdev-cli.ps1 b/pkg/installers/lapdev-cli.ps1
new file mode 100644
index 0000000..35edaae
--- /dev/null
+++ b/pkg/installers/lapdev-cli.ps1
@@ -0,0 +1,81 @@
+param(
+    [string]$Version = "latest",
+    [string]$InstallDir = "$env:LOCALAPPDATA\Lapdev\bin",
+    [string]$BaseUrl = ""
+)
+
+$ErrorActionPreference = "Stop"
+
+function Get-TargetTriple {
+    $arch = [System.Runtime.InteropServices.RuntimeInformation]::OSArchitecture
+    switch ($arch) {
+        "X64" { return "x86_64-pc-windows-msvc" }
+        "Arm64" { return "aarch64-pc-windows-msvc" }
+        default { throw "Unsupported CPU architecture: $arch" }
+    }
+}
+
+function Get-DownloadUrl {
+    param (
+        [string]$BaseUrl,
+        [string]$Version,
+        [string]$Target
+    )
+
+    $assetName = "lapdev-cli-$Target.zip"
+    if ($BaseUrl -and $BaseUrl.Trim().Length -gt 0) {
+        if ($Version -eq "latest") {
+            return "$BaseUrl/releases/latest/$assetName"
+        }
+
+        $normalized = if ($Version.StartsWith("v")) { $Version } else { "v$Version" }
+        return "$BaseUrl/releases/$normalized/$assetName"
+    }
+
+    if ($Version -eq "latest") {
+        return "https://github.com/lapce/lapdev/releases/latest/download/$assetName"
+    }
+
+    $normalized = if ($Version.StartsWith("v")) { $Version } else { "v$Version" }
+    return "https://github.com/lapce/lapdev/releases/download/$normalized/$assetName"
+}
+
+$targetTriple = Get-TargetTriple
+$downloadUrl = Get-DownloadUrl -BaseUrl $BaseUrl -Version $Version -Target $targetTriple
+
+Write-Host "Downloading Lapdev CLI ($targetTriple) from $downloadUrl"
+
+$tempZip = Join-Path -Path ([System.IO.Path]::GetTempPath()) -ChildPath ("lapdev-cli-{0}.zip" -f ([guid]::NewGuid()))
+$tempDir = Join-Path -Path ([System.IO.Path]::GetTempPath()) -ChildPath ("lapdev-cli-{0}" -f ([guid]::NewGuid()))
+
+try {
+    Invoke-WebRequest -Uri $downloadUrl -OutFile $tempZip -UseBasicParsing
+    Expand-Archive -Path $tempZip -DestinationPath $tempDir -Force
+
+    $binary = Get-ChildItem -Path $tempDir -Filter "lapdev.exe" -Recurse -ErrorAction SilentlyContinue | Select-Object -First 1
+    if (-not $binary) {
+        throw "Could not locate lapdev.exe in downloaded archive."
+    }
+
+    New-Item -ItemType Directory -Path $InstallDir -Force | Out-Null
+    $destination = Join-Path -Path $InstallDir -ChildPath "lapdev.exe"
+    Copy-Item -Force -Path $binary.FullName -Destination $destination
+}
+finally {
+    if (Test-Path $tempZip) {
+        Remove-Item -Path $tempZip -Force -ErrorAction SilentlyContinue
+    }
+    if (Test-Path $tempDir) {
+        Remove-Item -Path $tempDir -Recurse -Force -ErrorAction SilentlyContinue
+    }
+}
+
+$pathEntries = $env:Path -split ";"
+if (-not ($pathEntries | Where-Object { $_ -eq $InstallDir })) {
+    $newPath = ($pathEntries + $InstallDir | Where-Object { $_ -and ($_ -ne "") }) -join ";"
+    [Environment]::SetEnvironmentVariable("Path", $newPath, "User")
+    Write-Host "Added $InstallDir to your user PATH. Restart your shell to pick up the change."
+}
+
+Write-Host "Lapdev CLI installed to $destination"
+& $destination --version
diff --git a/pkg/installers/lapdev-cli.sh b/pkg/installers/lapdev-cli.sh
new file mode 100644
index 0000000..ddc940a
--- /dev/null
+++ b/pkg/installers/lapdev-cli.sh
@@ -0,0 +1,247 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+BASE_URL="${BASE_URL:-}"
+PRODUCT="lapdev-cli"
+BINARY_NAME="lapdev"
+DEFAULT_INSTALL_DIR="/usr/local/bin"
+FALLBACK_INSTALL_DIR="${HOME}/.local/bin"
+
+VERSION="latest"
+REQUESTED_INSTALL_DIR=""
+
+usage() {
+  cat <<'USAGE'
+Lapdev CLI installer
+
+Options:
+  --version <x.y.z>   Install a specific version (defaults to latest release)
+  --install-dir <dir> Install into a custom directory (defaults to /usr/local/bin or ~/.local/bin)
+  -h, --help          Show this message
+
+Environment overrides:
+  BASE_URL            Override release base URL (defaults to GitHub Releases)
+  INSTALL_DIR         Same as --install-dir
+USAGE
+}
+
+while [[ $# -gt 0 ]]; do
+  case "$1" in
+    --version)
+      shift
+      VERSION="${1:-}"
+      if [[ -z "$VERSION" ]]; then
+        echo "Missing value for --version" >&2
+        exit 1
+      fi
+      ;;
+    --version=*)
+      VERSION="${1#*=}"
+      ;;
+    --install-dir)
+      shift
+      REQUESTED_INSTALL_DIR="${1:-}"
+      ;;
+    --install-dir=*)
+      REQUESTED_INSTALL_DIR="${1#*=}"
+      ;;
+    INSTALL_DIR=*)
+      # Allow INSTALL_DIR=value positional style for curl | bash convenience
+      REQUESTED_INSTALL_DIR="${1#*=}"
+      ;;
+    -h|--help)
+      usage
+      exit 0
+      ;;
+    *)
+      echo "Unknown option: $1" >&2
+      usage
+      exit 1
+      ;;
+  esac
+  shift
+done
+
+if [[ -n "${INSTALL_DIR:-}" && -z "$REQUESTED_INSTALL_DIR" ]]; then
+  REQUESTED_INSTALL_DIR="$INSTALL_DIR"
+fi
+
+ensure_cmd() {
+  if ! command -v "$1" >/dev/null 2>&1; then
+    echo "Missing required command: $1" >&2
+    exit 1
+  fi
+}
+
+http_download() {
+  local url=$1
+  local dest=$2
+  if command -v curl >/dev/null 2>&1; then
+    curl -fsSL "$url" -o "$dest"
+  elif command -v wget >/dev/null 2>&1; then
+    wget -qO "$dest" "$url"
+  else
+    echo "Need curl or wget to download releases" >&2
+    exit 1
+  fi
+}
+
+detect_platform() {
+  local kernel machine
+  kernel="$(uname -s)"
+  machine="$(uname -m)"
+
+  case "$kernel" in
+    Linux)
+      PLATFORM_OS="linux"
+      ;;
+    Darwin)
+      PLATFORM_OS="macos"
+      ;;
+    MINGW*|MSYS*|CYGWIN*|Windows*)
+      echo "Please use the PowerShell installer: irm https://get.lap.dev/lapdev-cli.ps1 | iex" >&2
+      exit 1
+      ;;
+    *)
+      echo "Unsupported operating system: $kernel" >&2
+      exit 1
+      ;;
+  esac
+  case "$machine" in
+    x86_64|amd64)
+      PLATFORM_ARCH="x86_64"
+      ;;
+    arm64|aarch64)
+      PLATFORM_ARCH="aarch64"
+      ;;
+    *)
+      echo "Unsupported architecture: $machine" >&2
+      exit 1
+      ;;
+  esac
+
+  if [[ "${PLATFORM_OS}" == "linux" && -f /proc/version ]]; then
+    if grep -qi microsoft /proc/version >/dev/null 2>&1; then
+      echo "Detected WSL - installing Linux binary" >&2
+    fi
+  fi
+}
+
+build_target() {
+  case "${PLATFORM_OS}:${PLATFORM_ARCH}" in
+    linux:x86_64)
+      TARGET_TRIPLE="x86_64-unknown-linux-gnu"
+      ;;
+    linux:aarch64)
+      TARGET_TRIPLE="aarch64-unknown-linux-gnu"
+      ;;
+    macos:x86_64)
+      TARGET_TRIPLE="x86_64-apple-darwin"
+      ;;
+    macos:aarch64)
+      TARGET_TRIPLE="aarch64-apple-darwin"
+      ;;
+    *)
+      echo "No supported build for ${PLATFORM_OS}/${PLATFORM_ARCH}" >&2
+      exit 1
+      ;;
+  esac
+}
+
+compute_download_url() {
+  local asset_name="${PRODUCT}-${TARGET_TRIPLE}.tar.gz"
+  if [[ -n "$BASE_URL" ]]; then
+    if [[ "$VERSION" == "latest" ]]; then
+      DOWNLOAD_URL="${BASE_URL}/releases/latest/${asset_name}"
+    else
+      local normalized="v${VERSION#v}"
+      DOWNLOAD_URL="${BASE_URL}/releases/${normalized}/${asset_name}"
+    fi
+    return
+  fi
+
+  if [[ "$VERSION" == "latest" ]]; then
+    DOWNLOAD_URL="https://github.com/lapce/lapdev/releases/latest/download/${asset_name}"
+  else
+    local normalized="v${VERSION#v}"
+    DOWNLOAD_URL="https://github.com/lapce/lapdev/releases/download/${normalized}/${asset_name}"
+  fi
+}
+
+ensure_install_dir() {
+  if [[ -n "$REQUESTED_INSTALL_DIR" ]]; then
+    INSTALL_DIR="$REQUESTED_INSTALL_DIR"
+  else
+    if [[ -d "$DEFAULT_INSTALL_DIR" && -w "$DEFAULT_INSTALL_DIR" ]] || [[ ! -e "$DEFAULT_INSTALL_DIR" && -w "$(dirname "$DEFAULT_INSTALL_DIR")" ]]; then
+      INSTALL_DIR="$DEFAULT_INSTALL_DIR"
+    else
+      INSTALL_DIR="$FALLBACK_INSTALL_DIR"
+      mkdir -p "$INSTALL_DIR"
+    fi
+  fi
+
+  if [[ -d "$INSTALL_DIR" ]]; then
+    return
+  fi
+
+  if mkdir -p "$INSTALL_DIR" 2>/dev/null; then
+    return
+  fi
+
+  if command -v sudo >/dev/null 2>&1; then
+    sudo mkdir -p "$INSTALL_DIR"
+  else
+    echo "Cannot create $INSTALL_DIR; re-run with sudo or pick INSTALL_DIR you can write to." >&2
+    exit 1
+  fi
+}
+
+install_binary() {
+  local src=$1
+  local dst="$INSTALL_DIR/$BINARY_NAME"
+  if [[ -w "$INSTALL_DIR" ]]; then
+    install -m 0755 "$src" "$dst"
+  elif command -v sudo >/dev/null 2>&1; then
+    sudo install -m 0755 "$src" "$dst"
+  else
+    echo "Cannot write to $INSTALL_DIR and sudo is unavailable. Re-run with INSTALL_DIR or sudo." >&2
+    exit 1
+  fi
+}
+
+post_install_message() {
+  echo "Lapdev CLI installed to $INSTALL_DIR/$BINARY_NAME"
+  if ! command -v lapdev >/dev/null 2>&1; then
+    echo "Add $INSTALL_DIR to your PATH to use the 'lapdev' command."
+  fi
+  "$INSTALL_DIR/$BINARY_NAME" --version || true
+}
+
+ensure_cmd uname
+ensure_cmd mktemp
+ensure_cmd tar
+ensure_cmd install
+
+detect_platform
+build_target
+compute_download_url
+ensure_install_dir
+
+TMPDIR="$(mktemp -d)"
+trap 'rm -rf "$TMPDIR"' EXIT
+
+ARCHIVE_PATH="${TMPDIR}/lapdev-cli.tar.gz"
+
+echo "Downloading Lapdev CLI (${TARGET_TRIPLE}) from ${DOWNLOAD_URL}"
+http_download "$DOWNLOAD_URL" "$ARCHIVE_PATH"
+
+tar -xzf "$ARCHIVE_PATH" -C "$TMPDIR"
+BIN_PATH="$(find "$TMPDIR" -type f -name "$BINARY_NAME" -perm -u+x | head -n 1 || true)"
+
+if [[ -z "$BIN_PATH" ]]; then
+  echo "Failed to locate Lapdev binary in archive" >&2
+  exit 1
+fi
+
+install_binary "$BIN_PATH"
+post_install_message
diff --git a/pkg/kube-container/Dockerfile b/pkg/kube-container/Dockerfile
new file mode 100644
index 0000000..3e634e8
--- /dev/null
+++ b/pkg/kube-container/Dockerfile
@@ -0,0 +1,92 @@
+#
+# Multi-stage build producing runtime images for Lapdev's Kubernetes services.
+# Build all binaries once in the shared "builder" stage, then select the desired
+# runtime stage with `--target`.
+#
+
+FROM docker.io/library/rust:1.90-bullseye AS builder
+
+WORKDIR /app
+
+# Install additional build dependencies and targets required for cross-compiling.
+RUN apt-get update \
+ && apt-get install --yes --no-install-recommends musl-tools pkg-config \
+ && rm -rf /var/lib/apt/lists/* \
+ && rustup target add x86_64-unknown-linux-musl
+ 
+COPY Cargo.toml Cargo.lock ./
+COPY crates ./crates
+COPY src ./src
+COPY pkg ./pkg
+
+
+# Build auxiliary artifacts required at compile time (e.g. guest agent binary).
+RUN --mount=type=cache,target=/usr/local/cargo/registry \
+    --mount=type=cache,target=/usr/local/cargo/git \
+    --mount=type=cache,target=/app/target \
+    cargo build --release --locked --target x86_64-unknown-linux-musl \
+    --package lapdev-guest-agent
+
+# Compile the service binaries we ship to customer clusters.
+RUN --mount=type=cache,target=/usr/local/cargo/registry \
+    --mount=type=cache,target=/usr/local/cargo/git \
+    --mount=type=cache,target=/app/target \
+    cargo build --release --locked \
+    --package lapdev \
+    --package lapdev-kube-manager \
+    --package lapdev-kube-sidecar-proxy \
+    && mkdir -p /artifacts \
+    && install -Dm755 /app/target/release/lapdev /artifacts/lapdev-api \
+    && install -Dm755 /app/target/release/lapdev-kube-manager /artifacts/lapdev-kube-manager \
+    && install -Dm755 /app/target/release/lapdev-kube-sidecar-proxy /artifacts/lapdev-kube-sidecar-proxy
+
+# Base runtime image shared by all targets.
+FROM docker.io/library/debian:12-slim AS runtime-base
+
+ENV RUST_BACKTRACE=1 \
+    RUST_LOG=info
+
+RUN apt-get update \
+ && apt-get install --yes --no-install-recommends ca-certificates curl \
+ && rm -rf /var/lib/apt/lists/*
+
+# -----------------------------------------------------------------------------
+# lapdev-kube-manager image
+# -----------------------------------------------------------------------------
+FROM runtime-base AS kube-manager
+
+WORKDIR /app
+
+COPY --from=builder /artifacts/lapdev-kube-manager /usr/local/bin/lapdev-kube-manager
+
+EXPOSE 5001 7771
+
+ENTRYPOINT ["/usr/local/bin/lapdev-kube-manager"]
+
+# -----------------------------------------------------------------------------
+# lapdev-kube-sidecar-proxy image
+# -----------------------------------------------------------------------------
+FROM runtime-base AS kube-sidecar-proxy
+
+WORKDIR /app
+
+COPY --from=builder /artifacts/lapdev-kube-sidecar-proxy /usr/local/bin/lapdev-kube-sidecar-proxy
+
+EXPOSE 8080
+
+ENTRYPOINT ["/usr/local/bin/lapdev-kube-sidecar-proxy"]
+
+# -----------------------------------------------------------------------------
+# lapdev-api image
+# -----------------------------------------------------------------------------
+FROM runtime-base AS lapdev-api
+
+WORKDIR /app
+
+COPY --from=builder /artifacts/lapdev-api /usr/local/bin/lapdev
+
+EXPOSE 8080 2222 8443
+
+ENTRYPOINT ["/usr/local/bin/lapdev"]
+
+# -----------------------------------------------------------------------------
diff --git a/pkg/kube-container/README.md b/pkg/kube-container/README.md
new file mode 100644
index 0000000..635da79
--- /dev/null
+++ b/pkg/kube-container/README.md
@@ -0,0 +1,79 @@
+# Lapdev Kubernetes Service Images
+
+This directory contains the multi-stage Dockerfile we use to build and publish
+the service binaries that run inside customer clusters:
+
+- `lapdev-api`
+- `lapdev-kube-manager`
+- `lapdev-kube-sidecar-proxy`
+
+## Building images locally
+
+The Dockerfile builds all binaries in a shared builder stage and exposes
+named runtime targets. Select the service you want with `--target`:
+
+```bash
+# Lapdev API
+podman build \
+  -f pkg/kube-container/Dockerfile \
+  --target lapdev-api \
+  -t ghcr.io/lapdev/lapdev-api:0.1.0 \
+  .
+
+# Kube manager
+podman build \
+  -f pkg/kube-container/Dockerfile \
+  --target kube-manager \
+  -t ghcr.io/lapdev/lapdev-kube-manager:0.1.0 \
+  .
+
+# Sidecar proxy
+podman build \
+  -f pkg/kube-container/Dockerfile \
+  --target kube-sidecar-proxy \
+  -t ghcr.io/lapdev/lapdev-kube-sidecar-proxy:0.1.0 \
+  .
+
+```
+
+We publish these images from CI; customers do not need to build them.
+
+Alternatively, run the helper script to build all images, tag them, and
+push to GitHub Container Registry in one shot. The script derives the registries
+and tags from `crates/api/src/kube_controller/container_images.rs` so the
+published images stay in lockstep with the API's hard-coded references:
+
+```bash
+./pkg/kube-container/build_and_push.sh
+# optional overrides:
+#   --owner lapdev        # must match the repo constants
+#   --registry ghcr.io    # must match the repo constants
+```
+
+Make sure you have already authenticated via `podman login ghcr.io`.
+When cutting a new release, update `CONTAINER_IMAGE_TAG` in
+`crates/api/src/kube_controller/container_images.rs` before invoking the script.
+
+## Runtime expectations
+
+### `lapdev-api`
+
+- Exposes HTTP on `8080`, SSH proxy on `2222`, and preview URL proxy on `8443`.
+- Configured entirely via environment variables (see `.env.example`), notably
+  `LAPDEV_DB_URL`, `LAPDEV_BIND_ADDR`, and the various `*_PORT` overrides.
+- Persists data under `/var/lib/lapdev`; mount that path if you need stateful data.
+- Emits structured logs to stdout/stderr; collect them via your container platform.
+
+### `lapdev-kube-manager`
+
+- Listens on TCP ports `5001` (sidecar RPC) and `7771` (devbox RPC).
+- Requires the token and endpoint env vars defined in `lapdev_common::kube`, e.g.
+  `LAPDEV_KUBE_CLUSTER_TOKEN`, `LAPDEV_KUBE_CLUSTER_URL`, and
+  `LAPDEV_KUBE_CLUSTER_TUNNEL_URL`.
+
+### `lapdev-kube-sidecar-proxy`
+
+- Listens on port `8080` by default; workloads should direct service traffic to it.
+- Requires `LAPDEV_ENVIRONMENT_ID`, `LAPDEV_ENVIRONMENT_AUTH_TOKEN`, and
+  `LAPDEV_SIDECAR_PROXY_MANAGER_ADDR` to bootstrap (`crates/kube-sidecar-proxy`).
+- Runs as root because it needs low-level socket access for SO\_ORIGINAL\_DST.
diff --git a/pkg/kube-container/build_and_push.sh b/pkg/kube-container/build_and_push.sh
new file mode 100755
index 0000000..b86390a
--- /dev/null
+++ b/pkg/kube-container/build_and_push.sh
@@ -0,0 +1,209 @@
+#!/usr/bin/env bash
+
+# Builds the kube service images and pushes them to GitHub Container Registry.
+
+set -o errexit
+set -o nounset
+set -o pipefail
+
+usage() {
+  cat <<'EOF'
+Usage: build_and_push.sh [--tag <tag>] [--owner <github-owner>] [--registry <registry>]
+
+Optional:
+  --tag       Override the image tag (must match the source constant)
+  --owner     GitHub owner/namespace (defaults to source constant)
+  --registry  Container registry host (defaults to source constant)
+
+Environment:
+  Requires prior `podman login` to the target registry.
+EOF
+}
+
+TAG_OVERRIDE=""
+REGISTRY="${REGISTRY:-}"
+OWNER="${OWNER:-}"
+
+while [[ $# -gt 0 ]]; do
+  case "$1" in
+    --tag)
+      TAG_OVERRIDE="${2:-}"
+      shift 2
+      ;;
+    --owner)
+      OWNER="${2:-}"
+      shift 2
+      ;;
+    --registry)
+      REGISTRY="${2:-}"
+      shift 2
+      ;;
+    -h|--help)
+      usage
+      exit 0
+      ;;
+    *)
+      echo "Unknown argument: $1" >&2
+      usage
+      exit 1
+      ;;
+  esac
+done
+
+if [[ -z "$OWNER" ]]; then
+  if [[ -n "${GITHUB_REPOSITORY:-}" ]]; then
+    OWNER="${GITHUB_REPOSITORY%%/*}"
+  elif git_remote=$(git config --get remote.origin.url 2>/dev/null || true); then
+    case "$git_remote" in
+      git@github.com:*)
+        OWNER="${git_remote#git@github.com:}"
+        OWNER="${OWNER%%/*}"
+        ;;
+      https://github.com/*)
+        OWNER="${git_remote#https://github.com/}"
+        OWNER="${OWNER%%/*}"
+        ;;
+      *)
+        OWNER=""
+        ;;
+    esac
+  fi
+fi
+
+if ! command -v podman >/dev/null 2>&1; then
+  echo "Error: podman CLI not found in PATH." >&2
+  exit 1
+fi
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+if ! REPO_ROOT="$(git -C "$SCRIPT_DIR" rev-parse --show-toplevel 2>/dev/null)"; then
+  REPO_ROOT="$(cd "$SCRIPT_DIR/../.." && pwd)"
+fi
+
+cd "$REPO_ROOT"
+
+IMAGE_CONST_FILE="crates/api/src/kube_controller/container_images.rs"
+if [[ ! -f "$IMAGE_CONST_FILE" ]]; then
+  echo "Error: unable to locate ${IMAGE_CONST_FILE}" >&2
+  exit 1
+fi
+
+extract_const_value() {
+  local name="$1"
+  local value
+  value=$(grep -E "const ${name}: &str" "$IMAGE_CONST_FILE" | head -n1 | sed -E "s/.*const ${name}: &str = \"([^\"]+)\".*/\\1/")
+  printf '%s' "$value"
+}
+
+parse_repo_components() {
+  local repo="$1"
+  local registry="${repo%%/*}"
+  if [[ "$registry" == "$repo" ]]; then
+    echo "Error: repo '${repo}' is missing registry" >&2
+    exit 1
+  fi
+  local remainder="${repo#${registry}/}"
+  local owner="${remainder%%/*}"
+  if [[ "$owner" == "$remainder" ]]; then
+    echo "Error: repo '${repo}' is missing owner" >&2
+    exit 1
+  fi
+  local image_name="${remainder#${owner}/}"
+  if [[ -z "$image_name" || "$image_name" == "$owner" ]]; then
+    echo "Error: repo '${repo}' is missing image name" >&2
+    exit 1
+  fi
+  printf '%s|%s|%s' "$registry" "$owner" "$image_name"
+}
+
+API_REPO=$(extract_const_value "API_IMAGE_REPO")
+SIDECAR_REPO=$(extract_const_value "SIDECAR_PROXY_IMAGE_REPO")
+KUBE_MANAGER_REPO=$(extract_const_value "KUBE_MANAGER_IMAGE_REPO")
+CONTAINER_IMAGE_TAG=$(extract_const_value "CONTAINER_IMAGE_TAG")
+
+if [[ -z "$API_REPO" || -z "$SIDECAR_REPO" || -z "$KUBE_MANAGER_REPO" || -z "$CONTAINER_IMAGE_TAG" ]]; then
+  echo "Error: failed to parse image constants from ${IMAGE_CONST_FILE}" >&2
+  exit 1
+fi
+
+IFS='|' read -r API_REGISTRY API_OWNER API_IMAGE_NAME <<< "$(parse_repo_components "$API_REPO")"
+IFS='|' read -r SIDECAR_REGISTRY SIDECAR_OWNER SIDECAR_IMAGE_NAME <<< "$(parse_repo_components "$SIDECAR_REPO")"
+IFS='|' read -r KUBE_MANAGER_REGISTRY KUBE_MANAGER_OWNER KUBE_MANAGER_IMAGE_NAME <<< "$(parse_repo_components "$KUBE_MANAGER_REPO")"
+
+if [[ "$API_REGISTRY" != "$SIDECAR_REGISTRY" || "$SIDECAR_REGISTRY" != "$KUBE_MANAGER_REGISTRY" ]]; then
+  echo "Error: image registries differ between components" >&2
+  exit 1
+fi
+
+if [[ "$API_OWNER" != "$SIDECAR_OWNER" || "$SIDECAR_OWNER" != "$KUBE_MANAGER_OWNER" ]]; then
+  echo "Error: image owners differ between components" >&2
+  exit 1
+fi
+
+if [[ -z "$REGISTRY" ]]; then
+  REGISTRY="$SIDECAR_REGISTRY"
+fi
+
+if [[ -z "$OWNER" ]]; then
+  OWNER="$SIDECAR_OWNER"
+fi
+
+if [[ "$REGISTRY" != "$SIDECAR_REGISTRY" ]]; then
+  echo "Error: registry '${REGISTRY}' does not match source registry '${SIDECAR_REGISTRY}'." >&2
+  exit 1
+fi
+
+if [[ "$OWNER" != "$SIDECAR_OWNER" ]]; then
+  echo "Error: owner '${OWNER}' does not match source owner '${SIDECAR_OWNER}'." >&2
+  exit 1
+fi
+
+TAG=""
+
+if [[ -z "$TAG_OVERRIDE" ]]; then
+  TAG="$CONTAINER_IMAGE_TAG"
+else
+  TAG="$TAG_OVERRIDE"
+  if [[ "$TAG_OVERRIDE" != "$CONTAINER_IMAGE_TAG" ]]; then
+    echo "Error: provided --tag '${TAG_OVERRIDE}' does not match source constant '${CONTAINER_IMAGE_TAG}'." >&2
+    exit 1
+  fi
+fi
+
+declare -a TARGETS=(
+  "lapdev-api|${API_IMAGE_NAME}|${API_REPO}"
+  "kube-manager|${KUBE_MANAGER_IMAGE_NAME}|${KUBE_MANAGER_REPO}"
+  "kube-sidecar-proxy|${SIDECAR_IMAGE_NAME}|${SIDECAR_REPO}"
+)
+
+build_image() {
+  local target="$1"
+  local image="$2"
+  local repo="$3"
+  local tag="$4"
+
+  local ref="${REGISTRY}/${OWNER}/${image}:${tag}"
+  local expected_ref="${repo}:${tag}"
+
+  if [[ "$ref" != "$expected_ref" ]]; then
+    echo "Error: image ref '${ref}' does not match source constant '${expected_ref}'." >&2
+    exit 1
+  fi
+
+  echo "Building ${ref} (target=${target})"
+  podman build \
+    -f pkg/kube-container/Dockerfile \
+    --target "${target}" \
+    -t "${ref}" \
+    .
+
+  echo "Pushing ${ref}"
+  podman push "${ref}"
+}
+
+for entry in "${TARGETS[@]}"; do
+  IFS='|' read -r target image repo <<< "${entry}"
+  build_image "${target}" "${image}" "${repo}" "${TAG}"
+done
+
+echo "All images built and pushed with tag '${TAG}' to ${REGISTRY}/${OWNER}/"
diff --git a/src/main.rs b/src/main.rs
index 9e21c3b..f17f0d7 100644
--- a/src/main.rs
+++ b/src/main.rs
@@ -1,4 +1,5 @@
 #[tokio::main]
 pub async fn main() {
-    lapdev_api::server::start(None, None).await;
+    let _ = dotenvy::dotenv();
+    lapdev_api::server::start(None).await;
 }