From 92b92e13b56b78e5e778d7a32805eb79d449d9e4 Mon Sep 17 00:00:00 2001
From: Markus Thielker <mail.markus.thielker@gmail.com>
Date: Tue, 14 Jan 2025 19:04:13 +0100
Subject: [PATCH 01/58] NORY-46: add button to create client

---
 dashboard/src/app/(inside)/client/create/page.tsx | 12 ++++++++++++
 dashboard/src/app/(inside)/client/page.tsx        |  9 ++++++++-
 2 files changed, 20 insertions(+), 1 deletion(-)
 create mode 100644 dashboard/src/app/(inside)/client/create/page.tsx

diff --git a/dashboard/src/app/(inside)/client/create/page.tsx b/dashboard/src/app/(inside)/client/create/page.tsx
new file mode 100644
index 0000000..8b67099
--- /dev/null
+++ b/dashboard/src/app/(inside)/client/create/page.tsx
@@ -0,0 +1,12 @@
+export default async function CreateClientPage() {
+    return (
+        <div className="space-y-4">
+            <div>
+                <p className="text-3xl font-bold leading-tight tracking-tight">Create OAuth2 Client</p>
+                <p className="text-lg font-light">
+                    Configure your new OAuth2 Client.
+                </p>
+            </div>
+        </div>
+    );
+}
\ No newline at end of file
diff --git a/dashboard/src/app/(inside)/client/page.tsx b/dashboard/src/app/(inside)/client/page.tsx
index 0d3f5a3..be59eba 100644
--- a/dashboard/src/app/(inside)/client/page.tsx
+++ b/dashboard/src/app/(inside)/client/page.tsx
@@ -1,5 +1,7 @@
 import { getOAuth2Api } from '@/ory/sdk/server';
 import { ClientDataTable } from '@/app/(inside)/client/data-table';
+import { Button } from '@/components/ui/button';
+import Link from 'next/link';
 
 export interface FetchClientPageProps {
     pageSize: number;
@@ -50,11 +52,16 @@ export default async function ListClientPage() {
 
     return (
         <div className="space-y-4">
-            <div>
+            <div className="relative">
                 <p className="text-3xl font-bold leading-tight tracking-tight">OAuth2 Clients</p>
                 <p className="text-lg font-light">
                     See and manage all OAuth2 clients registered with your Ory Hydra instance
                 </p>
+                <Button className="absolute bottom-0 right-0" asChild>
+                    <Link href="/client/create">
+                        Create new client
+                    </Link>
+                </Button>
             </div>
             <ClientDataTable
                 data={initialFetch.data}

From 7da7a3c8ca957fae0701760573ea5af85fa84c8b Mon Sep 17 00:00:00 2001
From: Markus Thielker <mail.markus.thielker@gmail.com>
Date: Sun, 26 Jan 2025 20:33:21 +0100
Subject: [PATCH 02/58] NORY-46: add basic action to create client

---
 dashboard/src/lib/action/client.ts | 29 +++++++++++++++++++++++++++++
 1 file changed, 29 insertions(+)
 create mode 100644 dashboard/src/lib/action/client.ts

diff --git a/dashboard/src/lib/action/client.ts b/dashboard/src/lib/action/client.ts
new file mode 100644
index 0000000..5cc2799
--- /dev/null
+++ b/dashboard/src/lib/action/client.ts
@@ -0,0 +1,29 @@
+'use server';
+
+import { clientFormSchema } from '@/lib/forms/client-form';
+import { z } from 'zod';
+import { getFrontendApi, getOAuth2Api } from '@/ory/sdk/server';
+import { cookies } from 'next/headers';
+
+export async function createClient(
+    formData: z.infer<typeof clientFormSchema>,
+) {
+
+    const cookie = await cookies();
+    const frontendApi = await getFrontendApi();
+
+    const session = await frontendApi
+        .toSession({ cookie: 'ory_kratos_session=' + cookie.get('ory_kratos_session')?.value })
+        .then((response) => response.data)
+        .catch(() => null);
+
+    if (!session) {
+        console.log('Unauthorised action call');
+        throw 'Unauthorised';
+    }
+
+    console.log(session.identity?.traits.email, 'posted form', formData);
+
+    const oauthApi = await getOAuth2Api();
+    return await oauthApi.createOAuth2Client({ oAuth2Client: formData });
+}

From 253ad4e2b027451f647646c3211446619121ec24 Mon Sep 17 00:00:00 2001
From: Markus Thielker <mail.markus.thielker@gmail.com>
Date: Tue, 18 Feb 2025 09:12:49 +0100
Subject: [PATCH 03/58] NORY-46: modify card component for mobile devices

---
 dashboard/src/components/ui/card.tsx | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/dashboard/src/components/ui/card.tsx b/dashboard/src/components/ui/card.tsx
index 3c69472..22ccc98 100644
--- a/dashboard/src/components/ui/card.tsx
+++ b/dashboard/src/components/ui/card.tsx
@@ -23,7 +23,7 @@ const CardHeader = React.forwardRef<
 >(({ className, ...props }, ref) => (
     <div
         ref={ref}
-        className={cn('flex flex-col space-y-1.5 p-6', className)}
+        className={cn('flex flex-col space-y-1.5 pb-6 pt-6 sm:p-6', className)}
         {...props}
     />
 ));
@@ -60,7 +60,7 @@ const CardContent = React.forwardRef<
     HTMLDivElement,
     React.HTMLAttributes<HTMLDivElement>
 >(({ className, ...props }, ref) => (
-    <div ref={ref} className={cn('p-6 pt-0', className)} {...props} />
+    <div ref={ref} className={cn('pb-6 sm:p-6 pt-0', className)} {...props} />
 ));
 CardContent.displayName = 'CardContent';
 
@@ -70,7 +70,7 @@ const CardFooter = React.forwardRef<
 >(({ className, ...props }, ref) => (
     <div
         ref={ref}
-        className={cn('flex items-center p-6 pt-0', className)}
+        className={cn('flex items-center pb-6 sm:p-6 pt-0', className)}
         {...props}
     />
 ));

From 749974b7ec55947c6ff4dc9727127e150816fe64 Mon Sep 17 00:00:00 2001
From: Markus Thielker <mail.markus.thielker@gmail.com>
Date: Tue, 18 Feb 2025 09:13:27 +0100
Subject: [PATCH 04/58] NORY-46: add initial create-client form to page

---
 .../src/app/(inside)/client/create/page.tsx   |   4 +
 .../src/components/forms/client-form.tsx      | 276 ++++++++++++++++++
 dashboard/src/lib/forms/client-form.ts        |  12 +
 3 files changed, 292 insertions(+)
 create mode 100644 dashboard/src/components/forms/client-form.tsx
 create mode 100644 dashboard/src/lib/forms/client-form.ts

diff --git a/dashboard/src/app/(inside)/client/create/page.tsx b/dashboard/src/app/(inside)/client/create/page.tsx
index 8b67099..f42fda6 100644
--- a/dashboard/src/app/(inside)/client/create/page.tsx
+++ b/dashboard/src/app/(inside)/client/create/page.tsx
@@ -1,3 +1,6 @@
+import { CreateClientForm } from '@/components/forms/client-form';
+import { createClient } from '@/lib/action/client';
+
 export default async function CreateClientPage() {
     return (
         <div className="space-y-4">
@@ -7,6 +10,7 @@ export default async function CreateClientPage() {
                     Configure your new OAuth2 Client.
                 </p>
             </div>
+            <CreateClientForm action={createClient}/>
         </div>
     );
 }
\ No newline at end of file
diff --git a/dashboard/src/components/forms/client-form.tsx b/dashboard/src/components/forms/client-form.tsx
new file mode 100644
index 0000000..afaca44
--- /dev/null
+++ b/dashboard/src/components/forms/client-form.tsx
@@ -0,0 +1,276 @@
+'use client';
+
+import { z } from 'zod';
+import { clientFormSchema } from '@/lib/forms/client-form';
+import { useForm } from 'react-hook-form';
+import { zodResolver } from '@hookform/resolvers/zod';
+import { Form, FormControl, FormDescription, FormField, FormItem, FormLabel, FormMessage } from '@/components/ui/form';
+import { Input } from '@/components/ui/input';
+import { Button } from '@/components/ui/button';
+import { kratos } from '@/ory';
+import { useEffect, useState } from 'react';
+import { Identity, OAuth2Client } from '@ory/client';
+import { AxiosResponse } from 'axios';
+import { AlertDialog, AlertDialogContent, AlertDialogHeader, AlertDialogTitle } from '@/components/ui/alert-dialog';
+import { Card, CardContent, CardHeader, CardTitle } from '@/components/ui/card';
+import { useRouter } from 'next/navigation';
+import { Checkbox } from '@/components/ui/checkbox';
+
+interface CreateClientFormProps {
+    action: (data: z.infer<typeof clientFormSchema>) => Promise<AxiosResponse<OAuth2Client, any>>;
+}
+
+export function CreateClientForm({ action }: CreateClientFormProps) {
+
+    const router = useRouter();
+    const [identity, setIdentity] = useState<Identity | undefined>();
+
+    useEffect(() => {
+        kratos.toSession()
+            .then(response => response.data)
+            .then(session => setIdentity(session.identity));
+    }, []);
+
+    const form = useForm<z.infer<typeof clientFormSchema>>({
+        resolver: zodResolver(clientFormSchema),
+        defaultValues: {
+            client_name: '',
+            owner: '',
+            scope: '',
+            skip: false,
+            logo_uri: '',
+            policy_uri: '',
+            tos_uri: '',
+        },
+    });
+
+    const [successDialogOpen, setSuccessDialogOpen] = useState(false);
+    const [createdClient, setCreatedClient] = useState<OAuth2Client>();
+    const handleSubmit = async (data: z.infer<typeof clientFormSchema>) => {
+        await action(data)
+            .then((response) => {
+                console.log(response);
+                return response.data;
+            })
+            .then((client) => {
+                setCreatedClient(client);
+                setSuccessDialogOpen(true);
+            })
+            .catch((error) => {
+                console.error(error);
+            });
+    };
+
+    useEffect(() => {
+        form.setValue('owner', identity?.id ?? '');
+    }, [identity]);
+
+    return (
+        <>
+            {
+                createdClient && (
+                    <AlertDialog open={successDialogOpen} onOpenChange={() => setSuccessDialogOpen(false)}>
+                        <AlertDialogContent>
+                            <AlertDialogHeader>
+                                <AlertDialogTitle>Client created</AlertDialogTitle>
+                            </AlertDialogHeader>
+                            Your client was created successfully. Make sure to safe the client secret!
+                            <Input value={createdClient.client_secret} readOnly/>
+                        </AlertDialogContent>
+                    </AlertDialog>
+                )
+            }
+            <Form {...form}>
+                <form onSubmit={form.handleSubmit(handleSubmit)} className="space-y-4">
+
+                    <Card>
+                        <CardHeader>
+                            <CardTitle>
+                                Essentials
+                            </CardTitle>
+                        </CardHeader>
+                        <CardContent className="space-y-4">
+                            <FormField
+                                control={form.control}
+                                name="client_name"
+                                render={({ field }) => (
+                                    <FormItem>
+                                        <FormLabel>Client Name</FormLabel>
+                                        <FormControl>
+                                            <Input placeholder="ACME INC SSO" {...field} />
+                                        </FormControl>
+                                        <FormDescription>
+                                            The human-readable name of the client to be presented to the end-user
+                                            during
+                                            authorization.
+                                        </FormDescription>
+                                        <FormMessage/>
+                                    </FormItem>
+                                )}
+                            />
+                            <FormField
+                                control={form.control}
+                                name="scope"
+                                render={({ field }) => (
+                                    <FormItem>
+                                        <FormLabel>Scopes</FormLabel>
+                                        <FormControl>
+                                            <Input placeholder="post:read post:write user:read" {...field} />
+                                        </FormControl>
+                                        <FormDescription>
+                                            Scope is a string containing a space-separated list of scope values (as
+                                            described in
+                                            Section 3.3 of OAuth 2.0 [RFC6749]) that the client can use when
+                                            requesting
+                                            access
+                                            tokens.
+                                        </FormDescription>
+                                        <FormMessage/>
+                                    </FormItem>
+                                )}
+                            />
+                            <FormField
+                                control={form.control}
+                                name="scope"
+                                render={({ field }) => (
+                                    <FormItem>
+                                        <FormLabel>Scopes</FormLabel>
+                                        <FormControl>
+                                            <Input placeholder="post:read post:write user:read" {...field} />
+                                        </FormControl>
+                                        <FormDescription>
+                                            Scope is a string containing a space-separated list of scope values (as
+                                            described in
+                                            Section 3.3 of OAuth 2.0 [RFC6749]) that the client can use when
+                                            requesting
+                                            access
+                                            tokens.
+                                        </FormDescription>
+                                        <FormMessage/>
+                                    </FormItem>
+                                )}
+                            />
+                        </CardContent>
+                    </Card>
+
+                    <Card>
+                        <CardHeader>
+                            <CardTitle>
+                                Consent Screen
+                            </CardTitle>
+                        </CardHeader>
+                        <CardContent className="space-y-4">
+                            <FormField
+                                control={form.control}
+                                name="skip"
+                                render={({ field }) => (
+                                    <FormItem className="flex flex-row items-center justify-between rounded-lg">
+                                        <div className="space-y-0.5">
+                                            <FormLabel className="text-base">
+                                                Skip consent
+                                            </FormLabel>
+                                            <FormDescription>
+                                                Whether or not the consent screen is skipped for this client
+                                            </FormDescription>
+                                        </div>
+                                        <FormControl>
+                                            <Checkbox
+                                                checked={field.value}
+                                                onCheckedChange={field.onChange}
+                                            />
+                                        </FormControl>
+                                    </FormItem>
+                                )}/>
+                            {
+                                !form.getValues('skip') && (
+                                    <>
+                                        <FormField
+                                            control={form.control}
+                                            name="logo_uri"
+                                            render={({ field }) => (
+                                                <FormItem>
+                                                    <FormLabel>Logo URI</FormLabel>
+                                                    <FormControl>
+                                                        <Input
+                                                            placeholder="https://myapp.example/logo.png" {...field} />
+                                                    </FormControl>
+                                                    <FormDescription>
+                                                        A URL string referencing the client's logo.
+                                                    </FormDescription>
+                                                    <FormMessage/>
+                                                </FormItem>
+                                            )}/>
+
+                                        <FormField
+                                            control={form.control}
+                                            name="policy_uri"
+                                            render={({ field }) => (
+                                                <FormItem>
+                                                    <FormLabel>Policy URI</FormLabel>
+                                                    <FormControl>
+                                                        <Input
+                                                            placeholder="https://myapp.example/privacy_policy" {...field} />
+                                                    </FormControl>
+                                                    <FormDescription>
+                                                        A URL string pointing to a human-readable
+                                                        privacy policy document for the client that describes how the
+                                                        deployment organization collects, uses, retains, and discloses
+                                                        personal data.
+                                                    </FormDescription>
+                                                    <FormMessage/>
+                                                </FormItem>
+                                            )}/>
+
+                                        <FormField
+                                            control={form.control}
+                                            name="tos_uri"
+                                            render={({ field }) => (
+                                                <FormItem>
+                                                    <FormLabel>Terms URI</FormLabel>
+                                                    <FormControl>
+                                                        <Input
+                                                            placeholder="https://myapp.example/terms_of_service" {...field} />
+                                                    </FormControl>
+                                                    <FormDescription>
+                                                        A URL string pointing to a human-readable terms of service
+                                                        document for the client that describes a contractual
+                                                        relationship between the end-user and the client that the
+                                                        end-user accepts when authorizing the client.
+                                                    </FormDescription>
+                                                    <FormMessage/>
+                                                </FormItem>
+                                            )}/>
+
+                                        <FormField
+                                            control={form.control}
+                                            name="owner"
+                                            render={({ field }) => (
+                                                <FormItem>
+                                                    <FormLabel>Owner</FormLabel>
+                                                    <FormControl>
+                                                        <Input placeholder="Identity ID" {...field} />
+                                                    </FormControl>
+                                                    <FormDescription>
+                                                        Owner is a string identifying the owner of the OAuth 2.0 Client.
+                                                    </FormDescription>
+                                                    <FormMessage/>
+                                                </FormItem>
+                                            )}
+                                        />
+                                    </>
+                                )
+                            }
+                        </CardContent>
+                    </Card>
+
+                    <div className="space-x-2">
+                        <Button type="button" variant="outline" onClick={() => {
+                            router.back();
+                        }}>Cancel</Button>
+                        <Button type="submit">Create client</Button>
+                    </div>
+                </form>
+            </Form>
+        </>
+    );
+}
diff --git a/dashboard/src/lib/forms/client-form.ts b/dashboard/src/lib/forms/client-form.ts
new file mode 100644
index 0000000..b11378e
--- /dev/null
+++ b/dashboard/src/lib/forms/client-form.ts
@@ -0,0 +1,12 @@
+import { z } from 'zod';
+
+export const clientFormSchema = z.object({
+    access_token_strategy: z.string().default('opaque').readonly(),
+    client_name: z.string().min(1, 'Client name is required'),
+    owner: z.string().min(1, 'Owner is required'),
+    scope: z.string(),
+    skip: z.boolean(),
+    logo_uri: z.string().url(),
+    tos_uri: z.string().url(),
+    policy_uri: z.string().url(),
+});

From edbb93c03bc1e2a77187bf2f776664663c45c73d Mon Sep 17 00:00:00 2001
From: Markus Thielker <mail.markus.thielker@gmail.com>
Date: Tue, 18 Feb 2025 09:29:02 +0100
Subject: [PATCH 05/58] NORY-46: remove owner autofill

---
 .../src/components/forms/client-form.tsx      | 32 +++++++------------
 1 file changed, 12 insertions(+), 20 deletions(-)

diff --git a/dashboard/src/components/forms/client-form.tsx b/dashboard/src/components/forms/client-form.tsx
index afaca44..b4191d9 100644
--- a/dashboard/src/components/forms/client-form.tsx
+++ b/dashboard/src/components/forms/client-form.tsx
@@ -7,12 +7,11 @@ import { zodResolver } from '@hookform/resolvers/zod';
 import { Form, FormControl, FormDescription, FormField, FormItem, FormLabel, FormMessage } from '@/components/ui/form';
 import { Input } from '@/components/ui/input';
 import { Button } from '@/components/ui/button';
-import { kratos } from '@/ory';
-import { useEffect, useState } from 'react';
-import { Identity, OAuth2Client } from '@ory/client';
+import { useState } from 'react';
+import { OAuth2Client } from '@ory/client';
 import { AxiosResponse } from 'axios';
 import { AlertDialog, AlertDialogContent, AlertDialogHeader, AlertDialogTitle } from '@/components/ui/alert-dialog';
-import { Card, CardContent, CardHeader, CardTitle } from '@/components/ui/card';
+import { Card, CardContent, CardDescription, CardHeader, CardTitle } from '@/components/ui/card';
 import { useRouter } from 'next/navigation';
 import { Checkbox } from '@/components/ui/checkbox';
 
@@ -23,13 +22,6 @@ interface CreateClientFormProps {
 export function CreateClientForm({ action }: CreateClientFormProps) {
 
     const router = useRouter();
-    const [identity, setIdentity] = useState<Identity | undefined>();
-
-    useEffect(() => {
-        kratos.toSession()
-            .then(response => response.data)
-            .then(session => setIdentity(session.identity));
-    }, []);
 
     const form = useForm<z.infer<typeof clientFormSchema>>({
         resolver: zodResolver(clientFormSchema),
@@ -61,10 +53,6 @@ export function CreateClientForm({ action }: CreateClientFormProps) {
             });
     };
 
-    useEffect(() => {
-        form.setValue('owner', identity?.id ?? '');
-    }, [identity]);
-
     return (
         <>
             {
@@ -180,7 +168,8 @@ export function CreateClientForm({ action }: CreateClientFormProps) {
                                             />
                                         </FormControl>
                                     </FormItem>
-                                )}/>
+                                )}
+                            />
                             {
                                 !form.getValues('skip') && (
                                     <>
@@ -199,7 +188,8 @@ export function CreateClientForm({ action }: CreateClientFormProps) {
                                                     </FormDescription>
                                                     <FormMessage/>
                                                 </FormItem>
-                                            )}/>
+                                            )}
+                                        />
 
                                         <FormField
                                             control={form.control}
@@ -219,7 +209,8 @@ export function CreateClientForm({ action }: CreateClientFormProps) {
                                                     </FormDescription>
                                                     <FormMessage/>
                                                 </FormItem>
-                                            )}/>
+                                            )}
+                                        />
 
                                         <FormField
                                             control={form.control}
@@ -239,7 +230,8 @@ export function CreateClientForm({ action }: CreateClientFormProps) {
                                                     </FormDescription>
                                                     <FormMessage/>
                                                 </FormItem>
-                                            )}/>
+                                            )}
+                                        />
 
                                         <FormField
                                             control={form.control}
@@ -248,7 +240,7 @@ export function CreateClientForm({ action }: CreateClientFormProps) {
                                                 <FormItem>
                                                     <FormLabel>Owner</FormLabel>
                                                     <FormControl>
-                                                        <Input placeholder="Identity ID" {...field} />
+                                                        <Input placeholder="ACME INC" {...field} />
                                                     </FormControl>
                                                     <FormDescription>
                                                         Owner is a string identifying the owner of the OAuth 2.0 Client.

From ce28973deafda9e914d06af38d127faf01d31535 Mon Sep 17 00:00:00 2001
From: Markus Thielker <mail.markus.thielker@gmail.com>
Date: Tue, 18 Feb 2025 10:14:33 +0100
Subject: [PATCH 06/58] NORY-46: add dynamic redirect_uri input

---
 .../src/components/forms/client-form.tsx      | 88 +++++++++++++++----
 dashboard/src/lib/forms/client-form.ts        |  3 +-
 2 files changed, 72 insertions(+), 19 deletions(-)

diff --git a/dashboard/src/components/forms/client-form.tsx b/dashboard/src/components/forms/client-form.tsx
index b4191d9..88a34b7 100644
--- a/dashboard/src/components/forms/client-form.tsx
+++ b/dashboard/src/components/forms/client-form.tsx
@@ -14,6 +14,7 @@ import { AlertDialog, AlertDialogContent, AlertDialogHeader, AlertDialogTitle }
 import { Card, CardContent, CardDescription, CardHeader, CardTitle } from '@/components/ui/card';
 import { useRouter } from 'next/navigation';
 import { Checkbox } from '@/components/ui/checkbox';
+import { Minus } from 'lucide-react';
 
 interface CreateClientFormProps {
     action: (data: z.infer<typeof clientFormSchema>) => Promise<AxiosResponse<OAuth2Client, any>>;
@@ -22,17 +23,19 @@ interface CreateClientFormProps {
 export function CreateClientForm({ action }: CreateClientFormProps) {
 
     const router = useRouter();
+    const [redirectUris, setRedirectUris] = useState<string[]>(['']);
 
     const form = useForm<z.infer<typeof clientFormSchema>>({
         resolver: zodResolver(clientFormSchema),
         defaultValues: {
             client_name: '',
-            owner: '',
             scope: '',
+            redirect_uris: [''],
             skip: false,
             logo_uri: '',
             policy_uri: '',
             tos_uri: '',
+            owner: '',
         },
     });
 
@@ -53,6 +56,23 @@ export function CreateClientForm({ action }: CreateClientFormProps) {
             });
     };
 
+    const addRedirectUri = () => {
+        setRedirectUris([...redirectUris, '']);
+    };
+
+    const removeRedirectUri = (index) => {
+        const updatedRedirectUris = redirectUris.filter((_, i) => i !== index);
+        setRedirectUris(updatedRedirectUris);
+        form.setValue('redirect_uris', updatedRedirectUris);
+    };
+
+    const handleInputChange = (index, event) => {
+        const updatedRedirectUris = [...redirectUris];
+        updatedRedirectUris[index] = event.target.value;
+        setRedirectUris(updatedRedirectUris);
+        form.setValue('redirect_uris', updatedRedirectUris);
+    };
+
     return (
         <>
             {
@@ -117,27 +137,44 @@ export function CreateClientForm({ action }: CreateClientFormProps) {
                                     </FormItem>
                                 )}
                             />
-                            <FormField
-                                control={form.control}
-                                name="scope"
-                                render={({ field }) => (
+                            {redirectUris.map((uri, index) => (
+                                <div key={index} className="mb-4">
                                     <FormItem>
-                                        <FormLabel>Scopes</FormLabel>
+                                        <FormLabel htmlFor={`redirect_uri-${index}`}>Redirect
+                                            URI {index + 1}</FormLabel>
                                         <FormControl>
-                                            <Input placeholder="post:read post:write user:read" {...field} />
+                                            <div className="relative">
+                                                <Input
+                                                    type="text"
+                                                    id={`redirect_uri-${index}`}
+                                                    value={uri}
+                                                    placeholder="https://"
+                                                    className="pr-10"
+                                                    {...form.register(`redirect_uris.${index}`)}
+                                                    onChange={(event) => handleInputChange(index, event)}
+                                                />
+                                                {redirectUris.length > 1 && (
+                                                    <Button
+                                                        type="button"
+                                                        size="icon"
+                                                        variant="destructive"
+                                                        className="absolute inset-y-0 right-0 rounded-l-none"
+                                                        onClick={() => removeRedirectUri(index)}>
+                                                        <Minus/>
+                                                    </Button>
+                                                )}
+                                            </div>
                                         </FormControl>
-                                        <FormDescription>
-                                            Scope is a string containing a space-separated list of scope values (as
-                                            described in
-                                            Section 3.3 of OAuth 2.0 [RFC6749]) that the client can use when
-                                            requesting
-                                            access
-                                            tokens.
-                                        </FormDescription>
-                                        <FormMessage/>
+                                        {form.errors?.redirect_uris && form.errors.redirect_uris[index] && (
+                                            <FormMessage>{form.errors.redirect_uris[index].message}</FormMessage>
+                                        )}
                                     </FormItem>
-                                )}
-                            />
+                                </div>
+                            ))}
+
+                            <Button type="button" onClick={addRedirectUri}>
+                                Add Redirect URI
+                            </Button>
                         </CardContent>
                     </Card>
 
@@ -162,6 +199,7 @@ export function CreateClientForm({ action }: CreateClientFormProps) {
                                             </FormDescription>
                                         </div>
                                         <FormControl>
+                                            {/* TODO: change to switch */}
                                             <Checkbox
                                                 checked={field.value}
                                                 onCheckedChange={field.onChange}
@@ -255,6 +293,20 @@ export function CreateClientForm({ action }: CreateClientFormProps) {
                         </CardContent>
                     </Card>
 
+                    <Card>
+                        <CardHeader>
+                            <CardTitle>
+                                Supported OAuth2 flows
+                            </CardTitle>
+                            <CardDescription>
+                                Configure allowed grant types and response types for this OAuth2 Client.
+                            </CardDescription>
+                        </CardHeader>
+                        <CardContent>
+
+                        </CardContent>
+                    </Card>
+
                     <div className="space-x-2">
                         <Button type="button" variant="outline" onClick={() => {
                             router.back();
diff --git a/dashboard/src/lib/forms/client-form.ts b/dashboard/src/lib/forms/client-form.ts
index b11378e..b60b862 100644
--- a/dashboard/src/lib/forms/client-form.ts
+++ b/dashboard/src/lib/forms/client-form.ts
@@ -3,10 +3,11 @@ import { z } from 'zod';
 export const clientFormSchema = z.object({
     access_token_strategy: z.string().default('opaque').readonly(),
     client_name: z.string().min(1, 'Client name is required'),
-    owner: z.string().min(1, 'Owner is required'),
     scope: z.string(),
+    redirect_uris: z.array(z.string().url({ message: 'Invalid URL' })).min(1, { message: 'At least one redirect URI is required' }),
     skip: z.boolean(),
     logo_uri: z.string().url(),
     tos_uri: z.string().url(),
     policy_uri: z.string().url(),
+    owner: z.string().min(1, 'Owner is required'),
 });

From b5bd353f431c945bcc0f38b7d94e71faba823fd3 Mon Sep 17 00:00:00 2001
From: Markus Thielker <mail.markus.thielker@gmail.com>
Date: Wed, 19 Feb 2025 00:26:40 +0100
Subject: [PATCH 07/58] NORY-46: add temporary form items for OAuth2 flows

---
 .../src/components/forms/client-form.tsx      | 38 ++++++++++++++++++-
 dashboard/src/lib/forms/client-form.ts        |  3 ++
 2 files changed, 39 insertions(+), 2 deletions(-)

diff --git a/dashboard/src/components/forms/client-form.tsx b/dashboard/src/components/forms/client-form.tsx
index 88a34b7..054023e 100644
--- a/dashboard/src/components/forms/client-form.tsx
+++ b/dashboard/src/components/forms/client-form.tsx
@@ -302,8 +302,42 @@ export function CreateClientForm({ action }: CreateClientFormProps) {
                                 Configure allowed grant types and response types for this OAuth2 Client.
                             </CardDescription>
                         </CardHeader>
-                        <CardContent>
-
+                        <CardContent className="space-y-4">
+                            <FormField
+                                control={form.control}
+                                name="grant_types"
+                                render={({ field }) => (
+                                    <FormItem>
+                                        <FormLabel>Grant types</FormLabel>
+                                        <FormControl>
+                                            {/* TODO: add multiselect component */}
+                                            <Input value="TODO: add multiselect component" readOnly disabled/>
+                                        </FormControl>
+                                        <FormMessage/>
+                                    </FormItem>
+                                )}
+                            />
+                            <FormField
+                                control={form.control}
+                                name="response_types"
+                                render={({ field }) => (
+                                    <FormItem>
+                                        <FormLabel>Response types</FormLabel>
+                                        <FormControl>
+                                            {/* TODO: add multiselect component */}
+                                            <Input value="TODO: add multiselect component" readOnly disabled/>
+                                        </FormControl>
+                                        <FormMessage/>
+                                    </FormItem>
+                                )}
+                            />
+                            <FormItem>
+                                <FormLabel>Access token type</FormLabel>
+                                <FormControl>
+                                    <Input value="opaque" readOnly disabled/>
+                                </FormControl>
+                                <FormMessage/>
+                            </FormItem>
                         </CardContent>
                     </Card>
 
diff --git a/dashboard/src/lib/forms/client-form.ts b/dashboard/src/lib/forms/client-form.ts
index b60b862..5e9b1bc 100644
--- a/dashboard/src/lib/forms/client-form.ts
+++ b/dashboard/src/lib/forms/client-form.ts
@@ -10,4 +10,7 @@ export const clientFormSchema = z.object({
     tos_uri: z.string().url(),
     policy_uri: z.string().url(),
     owner: z.string().min(1, 'Owner is required'),
+    grant_types: z.array(z.string()),
+    response_types: z.array(z.string()),
+    token_endpoint_auth_method: z.string(),
 });

From 8fbab67060fe5e4e3b5c3be8a547d05d5c75a38a Mon Sep 17 00:00:00 2001
From: Markus Thielker <mail.markus.thielker@gmail.com>
Date: Thu, 20 Feb 2025 20:59:29 +0100
Subject: [PATCH 08/58] NORY-46: add multi-select component

---
 dashboard/bun.lockb                          | Bin 270420 -> 291060 bytes
 dashboard/package.json                       |   4 +-
 dashboard/src/components/ui/command.tsx      | 154 ++++++++++++++++++
 dashboard/src/components/ui/dialog.tsx       | 123 ++++++++++++++
 dashboard/src/components/ui/multi-select.tsx | 129 +++++++++++++++
 dashboard/src/components/ui/select.tsx       | 160 +++++++++++++++++++
 6 files changed, 569 insertions(+), 1 deletion(-)
 create mode 100644 dashboard/src/components/ui/command.tsx
 create mode 100644 dashboard/src/components/ui/dialog.tsx
 create mode 100644 dashboard/src/components/ui/multi-select.tsx
 create mode 100644 dashboard/src/components/ui/select.tsx

diff --git a/dashboard/bun.lockb b/dashboard/bun.lockb
index 457965a40f7a0aaced242625b14554add2363733..92f5ffc97ef6ddd4ea77423e893905262488f643 100755
GIT binary patch
delta 60056
zcmeFacUTnJn?2s$(n_JIm=P1^tRM&qHYOBMRE(G<sYnjy05~R4R4nyk7IV%D<~)iS
zbI#duW*l|KFzWA|s%nOrozL!mcK7-I{+W6_eeQd1dT*@TWp{J=P|<e}Y-ZN4wdzo%
zF9o(l$9JoL`DNL8(bM;SGiBeXdE?e>`-7o@D}D<Kj<(S8+LP9!VnXL_2F1|nx`T`B
zbcrSM>2wl!R8+7MvlXvauqEgP!LcC$LGjQEp_C%9zo39Z;1))e8-i_MR{|FWzeGIC
zU4=Z%Kd^vKR~mc?T$mYy;^IQ$f^@nrvR+?0U>NG6S{Pg&To!q3!RcT-a1xl=Kf%Wm
z;Fn-lb5r9}8t>6~1Gq5amx0-gba|w{K|*JEZVl_F{Hhum5E&JU_FjaIgoz^qBEs4F
zR&bJ~JJVTk4UJ<%;-bQbh3HPBr4^wc2D9|-V5S=!5EnH(Ql~Sb<*a9r79Slta3qRN
z&~<@8_ieQT3xnA^`7{oVt2Zb-Do~fdq+0Mt&Cw~aS>O}RE?!D?I50LKC?rm&OMy*C
zE`aGsW%LyrbW2O0tu(NaE-@k`c2J0;PG_$06%w+g8_KA|Wr0rTICKJYm~Y893^lAK
zmQ{-_VkcYWtB?>{PHjbWXly_{s*f1OPSfeUFmh~7{NRvCwz#2YyMgJwKk}gi5|t(*
zeL?gg98UaPL3QFJZ06suamPxk6Dz>X9~}@sxL#O@ygHvv!q3RVw1&!ROCv%fL!$%Y
z;+{cg%d?=f0oGMi*Y9fjD%foBJTS|gRaH$N0%i|3tERFeY<9#s*qnGr!L09B=-|M_
z%<5_Z`D>^d{;PsaHC0FcQcz+?bP64I1+yaa%%3UGv#6MG8_S3T8W$BA84|109fQr(
zSL&!7H#i_R8eLhlzD|c0Ct8BhTZu2~sWbF67%flSsPRlN*H=6k6(;&?YyxAD6RU$U
z6%vbp;Y~u~$GYkmJ<|9b7?Uw^x5g{MoY83-kJUIF%&}hQq>e*;TzF_891VcZevAu=
z7{&$#MTJL!bT^&V{;u9wZSV+iL0uPJ;#stq0~tLCsc?n5s1^1BTSNB)v%u&<_2NfH
zhs0&Nsuhoj4~Yy$`gO3GZXuXGIbD|WH%PE|Q%imAuG3*AB%TFV0&mnfRpUr7S9(W{
z9l-3*;u`;oa@e0YG~N#`2YVUV4*XpUb-J0mVHj+9lYoU7F%Sz^H?^fYkOL4=2pJ}8
z86&_PkYZpqKipGwv^|)P*44O>#;;qej-Jza3z&}1(s(GCj`}N{pi6W|fS%fe>1lqA
ze`uvvycqq?evJ$n5f49g#oMd;$95{;2Xlu$3FeI1qVYU1W=`UFU@q<`FegY5m<{wH
zvtpAbIDxtHDs)mStRv?XD4pQsrzW2TH<W(S+zF1txDLa-i3kp(TSvR7Zk*Dq)rhWY
zv+9C5+-<w58(Rg$)16D*bvmrv#GoE(KW>9<54(lGx`2wp#_pYvI2QrBIU3CV2?Dd7
z`d(^=_ORK`#^6%mDqv(xoZDN~lfYak^ZTd+90Qvh&p>cN@VvgNgJ0obG1zax)Pus~
zM(|dli$aT8VJ|QXa__IU&{MPTYj#tuXW~L)hlj?+>q3JA*)h5r(CJWFFc-kY0Cgr^
z1am+l!EC?)Fnj71vT+<-gTSaiaVi4zY#f*c#K$@{X2H=zBS!{B1&5491`f?-u;TgP
zfN+k<FM74$|EjD1)zEPW66pEL5Oq%fS6x2?={N+>hNwMuUgNo7w#+<KyJ0ik;Ba*)
zj)U329boQND-h3~#*ic^5qHrNc9naiIu|y9xhSiEIrslM>9!(0^#x#7WS(4qZK*cN
zavQh>TR7+1A9D`<ZwJ9#p?Q*-TWa>yJn5FA08Xw%RLp!~V79~$OoyGoT>XK=)CQUJ
znJ1%pa+)XYxAw!;S=$nGkz>3V%=?accAHm)d0Cl<C_gIVq<x8bz!oX-@>naogeqgy
z!6*x6Ne94I;E2$Okb0Q1n_+XK8$VV}7Z5ixGAJxG-U>RK79SowBrebFn>Jb<wCLE7
z`1sI}*paX~X#&9<^tb3ja!7D!d}vf;LR><kI*lJ8f&~UeMTLc8=5$8}HgPWsX94kC
zf4D5ht9mCe(}%<b4h;<t)@`4lPVYrv4)SD;V>Irqv8Toj!6h-F63ZdL*<`8lyYE!{
zzQ$)X&eC{=#xpe@3#NlZH145sYmFVjoX(XrF0AqIXh1P8=$8zDXQOrG5Zsd^<8`{Z
z({;LPut$J-&*-J`^HjA$57>6lQ)jA!`qwko=rnaGgF^y`@-7|0al%y{`M4a4fJ<?!
z`HTYD1J}Xq(vGscu22Q5rf`U6gW2-MLiH0a&r$c2lUl0KxvCp|!5pa4LS-wkHSCpO
z&Zr@A^^^mAK<uFCfY`VY9y0^N<8%wt)%egskx{W2@Q^sn8L-zpRSy_~Re|d{Y%G?9
z#LEcK&2?~qQ*vl*Xg$uo-I~1+Tp0RHFddqpvD-qm9~{ASXe4xQj8R}t^$?AxFH+kZ
z9x^PF6;FW8_!x!D;huv43kVJgiLMtKr|Yd{?3^l>EnFd?+)}k%8;zsug+~S9Bn}RZ
z2#wd-WT^2WaWO-&FmyrM#(V@i{l?prdIQ4)23?+}-pXE1Roh!~g&Lm$X1mhCbc1K>
z2;5qR;1uf2d()TY>MH-TQthD5tJH))z~)9;aJA~dTj<;kHo)eDy9b*cJ18nTm<@k~
z^sM0d8g+zkfvsVSwQByUU^;RPI_HmiXv9?h84fVvLoi#^aJ`yg_eRx$lABb=21do!
z!yDJZqc*7V8<CD{)@if4FRnv+j__yL+%KnXQ5`C)>3BaD8!{+lL?-gn(J_cG>WM%Y
z0&HoZmf>d<z@bh@Mz-|MHnpO*+g1B#a8c-;cc??{wL|_?q(Z_ul*^I7g=p4)49te^
z0<&E!!K|hN(ouKIR6FnxY{n;{I_ljt|AuI`zvhMs%>BO>nB_}gmiHFv(GLlUfqPWp
zDFkaoT-OTDP!lAkf$8@|a3OFQm>t#+%=Byasd_uuY=|?M9b809_XQo!{&)_i1D7;D
z3NFe`aTWsHTSkF7RW4venPES;IM}?W%$ugB3yunkj}46sS%rAEJm#>PZWe4#t)bxZ
z;6Y&aP+u?|d$mj*pu1o?ehyren__%GbU<Kui0=ENYJy#epd&j_VI}Y&ur2uAah<Lz
zxGuON_%@j7%$ww^V_Hu@XTBm}I`SKIrc2bysRO3Xx8w<&Qzam<C10niUAOj>TH!)4
zJ)Lk`%`ii=$AH;0kzlqkU_?m0AZ%;{G`l<43i>sa$8>?`)bhQ-Y>4?GhT}Q(KNBjC
zcCgJ<MFJM62Qy>(1$8K1oK+pj(Ks0^w;<xBi)z848fSw!bmoI(%}Z*!zuq|ixM8CI
zIa&Vxj`{!KhMDl4>ha&+G2z(z9CcDX0dp1n>z4e_8j|q;<kk<z&3FE>7`j5RKRi&D
zv0LJ61UQzL!HoFyP;Chw%>{%91c$ta%}ICz%;nYOvAX_eKbB9GsNgvBi8^J>Z@T~b
zW;-fy=s;Ado9?QnoAhLR*^<)>Se9&m@Ba6VR))$m%a<ur>T6}sgPSi+FSPE$g{Bq@
z2N(Ugd5rZ_?<#V1`ATI1CLC?II<|kQ)jNZlA1!=t?S!XAE6pijW014TSMr*8e_X-<
z+pU+5EogZB!+6VTw}Jz`q$ABMRG4@B{)oLLU%2cqkh!;9#}myabv(H>y}f_(W~ZX9
zoob0s)d#<i8P!I2y6n$Yqe_a^+t-vkq)#Z)b$U&&P4lZRTM-=n{oWD9oVQvPY*ab2
z@#wL)&JQYaVx8HQjlS{8KRche(;&t3oJ+UV34e9%S&CgBegEnuudS{4Xus3?PaE3q
zX#KoK!IOooLQLfbSNzTFwO!FJA0}*DKBb;zlb(B9>h-tf5fvKBTPoCaHMhsySaXle
zsy27m74H^3Hot!E_G4tPjh!B4W;NWqr@T3Sd!>rct@Pz(skVo{hwP2lS#mO7&&k=f
zJ#0NKaOS}nVr~EFa**xo)X=BO-gP{r`$*FqX$*3ji;Lb@&aUHu7^$v@@tP62<+F9%
z^cCggx*qxzIlHchG`4{92stsooKwd||3LPx=V5GMsna>hsV;6(5JDYLnuToB%2k%?
zd+3|V-gq4^C*$>~oQ>B;vedvszg_lj;2{|?1$~e{pHf;!IU6xcWT~Nt{*LU8S35Zw
zuf6yx&BL^8jkJ2%rmhR)9X#~5axz}~$=MDbQX00hhDzOj^<4CaWp76h=_hD)mGYU#
zPR@4p(D#?6MjlcIZffqirM;4qp;g3^Z>psBb9B-7lqDw*eX{KB<RP6x4C~G>`#HHt
zg>gsqgjGaNi$*J*J*1aVFz?|TdePVko1(j%TGvfKP0mJa4s0jH8f17T6~l0}RMMgc
zrLM44KiK~><?O~D(jjP_kivqs8H-{Wwr20@yUNKf9?~q>Cd9%Qly(7DV>N9<7pW+2
zxh&1VK9bsNmW7<tz(tw^i}f048Lu%;_QmLylf9dGNZqk7)5m<WAIg~xi{%th%DD@R
ztv4#=)WN-ry;MM%F(GntQxAQHoQ>DdvgGC=HNee|{vkDHNQ9j1=Al0*XCtO4?nazz
zdbSJW;O*|AUnwW!^|74o?qMvAlS^aSx}h89p?5P6y(}j;^N>zMW$p00wu`Y6&JI5E
z*~V^$A$GD)Gn2Fo0yY~u?&xAbYfhO=`mwU)!Bybx;bE{SFQ<5zq%OEO(=Alq%tcxR
zi`|A?O<bf)xp6s-T_hX4C1OWm5@XVIk+Yk7=r_tz3lGU2=YXzC8SK!Zu(-T1d6DZ9
zES8VXj&!xGq#6ZeKMxnFAFMWrQr4JpE3B5vYI%#0>N-cu(_W`@R8nzVhv!<H7i;C@
zRvw0emE}{dOj4W5YPJIGU}+pI4u>SCxw}XwV5wEXLxWuv*{7aK>R-h?uX9?t=y%E9
zo*vQ%O|z8!+PPX*%`>EuzM4AtSmJ19Tg_4j|2tUCl~($>yBMFq>aH}!t-9J^OHK-D
zq-LQn&@;ziwNx5LpNiIyPqj5k?Q5u2T5?pSNwC!UM(c=X!2wubVX;c1?6=?5vZgv2
zbjm`U35$J>wl{T=&S_SD*`|?;RH&9(fjWw9WXXq<&D+Pr_zp2`Wa~z5dQUmq$3q%c
zTc@j!QZO?dU8EJ7h3c@4T$GdBc}S(|sEY&3+r!0n2rMqozui`C?`p9+T$t~<m%8cJ
zmy_Fj7=2LPAWn4SR)m6-P>BY3R<4AGBGg|AUCs?PYN*roRkWE1^=3$V#gO7RM&8)Q
zL8tSVQ`@^47bDbF3H^dlXC>4cGpmylnw=YZj8F$fb8KV|B_h;b(az+C%3xnmwP1wW
zFjm@)khYqzetv_cPTidPE>bOLH4fWdpsVcN*+W_bh4I+X++Flf<!oqtw8&+xQ^xK)
zSS(K`=WKD6le>86tIFA3JdBfE6u&*(q^k&V7Af1mR0iuttsf&Ib%(`;gc`9upG1&1
z6=j=|iZ#ityPk`&H7qQ?x^B`Wgjm0_WlN_tOIe~)VJs-_4tiw;wAQSA9DQjNEHsz-
zu--Olmbz6xgw;@)Sq<gn9v;S`&G7I+PVM1l9EwnXC3HDA)CdhwwOI)DRbqe24Yl{+
zI5Y3++>oKUPS;b>dgq3AAk;(A3bxScx+x(Up%$`rZ8!a8S?cX!DBe=`>21OtExEUc
zG#kALKiNGVF2-}Pn#k6@-HZiVnX~sns0#~{HX{Uo*;q7vh9{bnYrTWjKiBGlUFQ#L
z+n+3(wrE~%%E&)ir(tQ67&TPKe)@-%1gmFmzMFrt8hNAHxp675y5(B;{$x2}E_5-+
z=_kv{13aWp(6Bae2j|^xW_z_P)q3_P%jBz;tj5W(Se9x%{gc(CgHGp{8<zsBqhh74
zakYfe&K!lAEd_b#!({Iu4{0^hxFH7n8IBwe<!or(vAJ+=V=Z9+oec}iN3BwyEhh(i
zNUTSlgS?kDhlNSN*;?C0pD25Wc<5it$#})VD8xgO;W4%f4kGsE+pth1Q_pg>=*k7{
zThC3}j!<`1Zs1}qp)=`10UaJE$Z0+5%&Ki^-3ua{1Wi{Mby1YoLR1$Um%~RCF~nSo
z^c@DMpJLf$x>~{*pcve(g8cDcs<JP3vEvA->kzFqN*M3%vTqA_3k13<+uU}9(0_Co
z-BG!hxfojGVPUw`IO923KFTIp29pR|TRS)D6hdql7B+4QUVX43Di$^(=>{xyC9tgG
zn4*|s>?U+-Z&>UB^`@{ImgXexNUvb2TM=EZhbEfjv(4S4Fof9A%IV9npr7nB&}4Yq
zPfi(VGIqk^Xe*}<bTf$lveh7y@v9<O4|0<{(JhUU4R<k2#?i2_)oIo?SoLA4_tpEb
zu(Gtc>H(_zYQEX9=&))%g@skXX5(nlAW-c>H7*?%Z?=kMcpoUA3N=YBgYw>i7r|n`
zVq3#m<OM9Y*FxC^>I9po6I<UKmaFXB#7&YBYK~O6{nm9cTnd&`!c3A4_6zR(I6X9W
zF}8x$UOwB_P5K2PZK9w<`wYyTC|g`DVW6Gpd6Z);JBSk{HQL=00nS@>hdu*~J)z8b
zsn}ri<n_yPwS=LLm7kYlV3f6VmZ9dU#G<>y8X#LoxLY95UiR(kZUL8kWZ(VnmJBG_
zctiOHOPhgk);G*-rNz5i!qBD=qOQQwrXwu-a16QPG0tg*5#h2`j7ho%(E}oGdu}d<
zQW0_r#4ZuJQx8SLU~j8Uy8}yYC|s8OBh3xv$>=03&SoX0v1}A?mDVBdmI(ZjWeY5I
zVY7hz(YdQ11$2kSX5wfa<RYDcrFMLdn~PL8#@yeW0%Krl{f#r{5m;&$D`m#&bXp%H
zE)bSlA6?AKwV1MST<-aqDPd{u*KslKfQ5s7TQ}oZC6wCKP4bF2_X|(DGhuNUaF_4w
zBHe|hE>P5CEH_lyE*iN>(Fk!FD{mL1ELgd9NLIseMpENY-Y{5f6H>z32TLm*%in5v
zZs~{%fu(K@IXGu-gvBzk%(10dj!<U+N@?z5=rBUI8g7zSYa&(*w%iA>*d=h>!9{Wz
zncE5IpsBFbnZ_Zw0*g*yL{V*(QF*NxSS&@2I{{0}ht9JZjd!Fxco-IqmaRsa4A)1?
zKBG)VhcOr^`E0DaB?6qM%3DFh$uY9kXp_M>R`wZflHA9d$JP&(&V;3oEnUA1%N6-B
zUFW*$$H_ipOvY~Gu%@}>jgt{_m95>}q=N{lGYNMjgKdKBGu9;eCFJ^#w*gCFv0zE|
z!)~ijRNq76U96{zp-rOfGtMMUgV;*-5*>9O7WXhEiBu*@z31UhiScO<s|n(;8zALG
zSS%Xv#5%het|ZB)5=>Ij@#=nrCgV^#0G2w0XqI97csV7}WIQzi4$7&CZpJbbxdkv3
zoEzGb8~Qyr<Tc5hZZ<+bN{+h-c`2dllg**X+|aJv(AV5hn<?gW({n>tb3+x9F&?Tf
zxuJErp`UX@jZ-+d^m$Zn=s<4BFx4E}#vGDT5W<;7JxdtMr^;57P14@!IvrLi=M~1K
z-VF0eiq?2ooa%TJg)QMHSe%{c<{hqhR^c<nB(0sPo_eqtTwN_;aF!{La|}*tvQ@H4
znwX~ES#X>|3K))Rfx}&-x3KEM!ot9N_lmP*s}z%Q@GKlNIG3eNggPmSITZ`Y>ImZg
zvdPsFhPzS|ACb&~)mT1@9pf}YPO6Sw>l>_wu<$k<w|k%2Y5{6PXTehU4;Fp_7Uwyd
zfqSs!9Mw{f$jxCn@sMPUM+oQp;ckW%bL5m%lkpw|-1{52N#*CNvkluoTWpuG)SlwD
zcS?&>9~4v(=6T7AgJ5a9J^FhSEVTn|qFpUvG=@)@z}P72rkg#)z!-wlWviJc!^(8o
zXQoNIk2tm(cUkODCFZG?B-`NT<p+yJDshID^JJeilVq5$ZrSQ4*$)=`S*MKhCRp4S
zl?N))J6J4QnE}R{3ph2=0a7GF>XO3=+OTbbY$cndUm!L|VmumxAD#=<F;edRQWC7D
zN<n-kuoo74AFFwhtEHAuc~ft2UL>c?Hc5*YsiTFtfj0(EVR0l?7fUTRPbr(>F2>HZ
zlnFB(A=ZI$8;jc`EcPEJURxK#*TtOe#zsq!ge@>eAmqx27sizc;knZ)cS{D4!>DZA
zHI}MAs+)L-X60Anmc!zFQBoRj!NUBj?IxAW$Zgk1S4$Wy4(?#fnh8st`rO+uz+(Sl
zYGRN|EK`e9t7;Ex2;!7CoQ6WnWvlrnLzfk@4`|~GIc2`d_-qB6LFesPD$Q_nGxkIX
z`!WvmQxWo4D@Ij?R+;yAPPpE%)IQ>gYz{0OnH#woORZL>a=5z%0{%)d2N2SZGdSs4
zt-&l&4sX2>;$Wa%@I3{V*6FwteTIcC6-&{3t$Aj1FqXkGDS0@V@55@YSahk<I`f^4
z)-YI{aoF~oxER;LYAK&x=5B#NYrbPJxUHA1mYNKwHp)IrO~$I5I3?NYAqa6yaIeBW
zXxS#&D#K*F4-pST@P@y`X7e!xwHVjIQnMA^Vm>1H&2Y7Zq4f?<73X0g5#FVg+^UwX
zHrW?eZYpUqEU(<AormS4SlpRxw;`qM8}Dv`fJxaz(h$O}1|GddsH>V3!_;%TxwqM?
zx*g_1)7H6K!f;1ItOe{&>3>+*<1WK;%8j$!na47^!)h$2y1N-;5yIo%dTxeIJLOZW
zOp<<=xz9NsJz#M*st+|5z+w~BqxO?OQU<vgJ7#hg_`17EOAzu@^4Q=x!edx?<A$zk
znq}@Bwj&-^cO@0JE#oOzIB8?BO6@j}1`ZvD*xmA}wI=BpM78g@L<;XQcTZYx7by;w
z>J-nT`(d?2vDh1NjQ+Mqwpwp8w%*IJrVr@|aY)n-yAMm9ZM>&d+NUmueBA1d17WET
zgmxgLrs8vvcd)Rj;1ONJ{Yt6uc>+Rh)V5#?I|YlYL#?CK0rM>493Gr&vBo{Hv<ZSf
zFdW329mUH52>Gk!AypPEtvvLI#Ua^eGu{~-Qa24ao8e-d2&<oLjoZy5gj|)%Ied19
zb33`Ii*W+14oW9qM5vQm0rum{NAOlkv9KTw6OPC}TTRkQh|Y?bmgZ^+gNqcqEasWp
zQS$=kjy)EZH{!6H<6fErt1&F)3~VTHOg^>EWN33tw%Tqo%sD3eY&RKaA4jWY-|aYD
zeXq0_p<xJNgb+G~5SG?<H>v0e^<JqwLX-NzQbz&Lstt=zC`G-4h)IWRtxuY>r6ANx
z^#?srGdu5tnbEMCB2Ia_Z`heFr|dEr^rz%gyG+vaQ))ik`fwj@d0O_#G#M72mQylK
z()-hDi_zOYIH;dd9mAT(Y@7&-OGLdJXTxfuTDx2%!&x;BH!!4Z1Iu0Ytf`A({8`y&
zw@J!4XC5NXkKbVRR<ftz?%DagY_-QE%{Z?<Y%8K1SkJ&>8;Z&~UGTo`f_Z`ZZN*6j
zRtLnXyU{vWoH(!?U5vlN@>jO$4msxO#qnO1BU|k=87f_refF7*i5D@NJTVz=U6fDl
zGf9musZL|)v28`cGRfBK-1V2_l>H{-6WAT))ctNor^`4(Dxsv@(7D`@-4%1}V1(K!
z>9!-}t%QEh4S8NQYtwT>*OZX;0e6dQ=E%_8&^9IHdqj!Ea};>e^1AXw1)=2J(1qMk
z=^K1U#B_afLm9cDr{<7U=cf9W1BZlNF2+b$n6u5?3<qz@r;eJ8zd`6IpFQekY;%iE
zV@S>o-OmlxyKRmgg-|;s-EoA_$H-CmjycpLH?%Z2^g;>w9&@+2Yfd&gH*`!1rJi)R
zxX0$Qw63|K1-YSzxuIJ3*>I+d%nfbN4SmQBHG80?Gt7D*pUO5F3q0h~!vFUgd>_g_
zr%Z;a59O3ocpvr1ybbd#8v%<O50;jbi(%y>+2^#$@cfaS0`kIV1WucbOCDpc%4bhw
zmqLiUgmRQL*gla{&X}YQPt+1{)|u*R0Rw6AuKyuIct3^zM6UZ(U4__Km$_QNQ2zH*
z+J;a=Wt#Km@Q}J%bUhbC^=ER*xu*KY@||-P6AU_K<>2+toDX(0Mg4o$BM!SCKcT|g
zvX13+2YBUW3)sB?8z2l|zHopSI6)Ec*hVQJN|Ev5?*9X3MbTP0|C+nt%RWdHrzQM%
zm@OU(u!SQ5mNN#>$-Wm#w_x?-XyGE$PN0G7KVzm#1oZNv3+m`hgvE=@*hv~s)_4k-
zS6(*4PE}NunQuBkpJ!@33rt-Gc;#j4v(1hoptA%P0=&pfu!sgOGVR3xD_9B?09FIM
z@-jPV9l-SKHQoT`^&c4>l^+o}`6(Bf73@$=g;^j@Q%ZqZnx2<g(QZvAGyh)A&dW@<
z4<PT?;`ei)nBkx%km=BIfEDAes${?&RJq91&#2~~m<8irr=-UXO}WTSk9&`z<36KY
zWa<gH2PoHn#!QHvTyYc|uyXx(m<_uPknbwFROX6)r`nCpfq#$Xh)Wgi+1?KT`J-B#
z!n8lpmN#B1oj~ggK>iBw`a7nROhh(-nLZz1G-l8OFPwJ;HU00H3!^CFnZ!n~lfy1c
z9At)->+hIR#k4%dwRB|qQW9JkTt(CW2V7aH_&>{NA-}$?c2#Xu!<y=7)sY#jtJ!&(
zZZ*~P{{vRK=}!f6<1=X$<Yo3tbLgB%-L?4tJ)?e>)k7<g%!+zyc3$R+=mVWmeYJQp
zgZ=PQ4m?WJ$!y3tFqifO&7J~gIa9&-r<<lsRR&-c2QL9L<8m+)t^!+uw`lqfF#hRw
z;)U^9VD6%az?`KgG@aj)Vf<Mz9k`^$-vqP#yBc?UhyX7#Gd$5EUT8X*8D4`a{ix|=
z27kf}^YIHvyvPPQ^;&7=4Ddly$?VrpU<sTL26N@7s4*8&LD+QH2F$F*v~(r4ba|Qa
zr8NC-Se;pnD2jyDwSsDanWqk3=!lc1yMXC{yJmZU@lV%+FB&tx4Qx8tUW@ObaVJgh
z4(1XGHlTjCa1aFY5HK$?gW;OaZ=BJN;fuy>SuAW;I2_FUqrip0lfc$s8O(uS0LDMv
zBD^r&Qq5k*{$~NJ!M5N-V7540)6apKAqUKh%=A~ml&))h6U>?Q0L%(sfY}2-f!R`i
zDV_NYD2(a&<#k>O4A9e3U?#BB?3&<$up5E7n7zTw*a^&;))kC@x*m98zCK{~NMDWn
zF%lP<=>x&c9||r89u0<r3A!W%*k!3;t|6f%SPN!PYy-34?O^=V?c$5Z4DQAY<M(Jf
znf6}I{yS#;J|!OGuLk~}ndYEY;316<D;ae<G7CDQ*?F1zQRs~NUQ2gEOGhpP{T^-3
ze<kq$6D#ZQf8zj$?iE^69c;sa{tIK?>56MQnT;-`*<kfOKxqg}Xsbn#*@a~_`#)o*
zvqL%-TtQ1urd|=uRZvaS|0ARQthk1jfXs|FHLj)UWKKp$%_cLSlV+2d&snp{v>R(S
znYN2&=W+rBdfrq^;09(I55D{hW<kxh_`hR1)>4ZnGkq(~&dcnX1aB>Z%#7`{4DB`j
zzr(D+S4&T3IUO~d%=k_k`)S-+jZe@qzyw{u%-Bt{yQ>LwWNt(O;1b}WU`CDP%fDcj
zHwy9W*|A{S<Fxc->Pd=?@n?Vu#%l@4OfXTi$qXjrg<UoS%q><>)R^h#!)5~(YC4(v
z5{;LE>%+bP=8ky<tmpc>$^iHpm=~G$b<HL-cpERw_yEj;A8Y&!jDNaUc%cKYHU3HC
zH(-|c3z!#~4fz00U`tpk?*Z0erm+FDpyI6UzhD+z0_n&lH7=!bX^qQ(S#CKnFEZ1Y
zH)8$srchNAs)3oNHeT4mdK&X5R9JwM#;zK>YusGp)?i*_R^X}GWZG@OY?v3A<+n4U
z|5<QHEy7QW=&ErKjeBX_SK|R12Z7mxVPF;<0cLqIU{)BbaU7Tx4%6)6V5S?Lpb29%
zArZ{6nWXVFFt5DKf>WWh!Wmlp-!WIse65_NU^==+%ePL;mtYQ%S@3!-!A3CCY|}Us
z%=j#gcWe3qFfTHXaOc2mX%3j_FKY2*w)m=MYn<>`;ZHWt+AolSEqw*%&E_{SEBK`G
z7ceg}b#`A7P!TYrN@#2g#y?#}ywH&<U<2>J)sz740UFl=^UBLS0eNWp|0#3*|DP84
zFUn&Nwm<_)gZ;IJkXiqqg#X93Qvbi@0QZajS_|?r$215!=fFTM{_mKRauDLlgY$R6
zs}fK%h9QC##A*fn9W!H`7XMdfS^qp+#j{uRD+eNu9fIrMVNTV5o~@!2{&}{V&AEe%
z%;|K72Clr!<@nFDRdql6=h<qWN2!&Ssgg(d5B5LLR`HA$cVI4|f1a)W^K4Z)FaPsw
z^`B>}e8$TA?LW^}|2L0DmG?IPn*#oMw#r-fKhIYGdA9n`v(<l|t^V_D^`B>}|JI{Y
z-hcnC4FALQ|2$jeZJN(o`9|`OXRBV6`H=O0`)qalr{CUoZl36VC85oZ_ioQ?q(960
z{7X{9(LX)8)1<CN`V#jBE6<ns81=eY&hhPErWaV9P%BJ#=-r3Ror7Q3=<ZbFT;HXi
zKD>P*>b29CNjO!1%<evG^hXXh-Wa&3RFfC8m)EJ?!fD0LZ#@?_IJHQulSZ`pF8oDb
z(e(Qz+ds96E&t@+tN}R-9~%b5P5pk7TN8dXMz8x?<SY2C+CJsgBH;0hJ)6pp?7ye*
zs|MXXvr>K@u(-v~MXS}nP$u<J?8i=(jwf9Y_w-D(9bcwPY1wYy<@4tTPjssoKjhHG
z&d!@GudY2J?$Et4PDx33T}x!#yxg^YmnB0ijvkNgJ0rN`uEj$(E%r$A?~@+b<Uu9p
zsn@5r+CJ)4_{<AUZ@+#TTOoYQ%(w|Q38twv^0@atuX}?FXZFvxBDSBy@%)(;8l745
z=u`d5JA&PQo7d`k(Qc1d47*v%t<8A7vu(bOp40kdFRZxsr%#SIb?(Jq-nO`raHd{_
zqeyKJ_l71vs8GH}_3tV!ZWI1Ibk&5OHFUvY4Vs+WJMZ?pBVUUyY;$1WsET|0?SA#L
z`_fI#j-LAV<!<3Uk6M<_=-X#(?8yAX^SJk0UiZp6C-?uk#EJ^<?mW;B8J)Cn;v)MI
zO&kB>DGj%tQ$6@m>F_f(0yd=UZ8O>qjSg-4<C_j22Q|MbPJW%&Vbz9jk3)*Q5Y2qy
zp3ldTw$nXZJR1G%#MRnaXI|w0JmmDXQPo3sb^Xv~aLIA~^PiZbI~Z1|ZOg06&tz<w
z6mWBb(}*5DpIu$!`l#gV18!aOxM%*@BE7UIa<^dWxMHi@dzb9Krunnsu0I9;c(cWT
zOJb;h@Z2kQWxvdfx+I2WdDvPls4{24=j4qe+SQ7>cdy`fV^X)?yB9Cpt{1QA-eB=v
zs%7kvBJJ|O-uQdLk-rq(ym?RS1wM^yy^gsTJ<hSr+4%#9{&*&<X7ZW~%TJHbzWuGy
z=rX_c8GUH=lGbw%=I@|>m`j~|pY!(K!OFkiG&xN?92i|>+Wq#UC-&6;`sTjRiJc)s
zsvA}gtM)o)&cjJ=>C<d~US7D^wdY>ti!7YH(&5fZz3Zhi-`93oxUz#-)B)~g7pZAG
zc2f7lWgG&w#!mh5>VvuNb-O*b=|A$R!<vtq@;N)!^B6L3d1)`p9xL~k+H}fm)T&1D
z^Mfacop7A&ZL;tR%hP-OSf}~2@O)P9#+3!F&Xl!tZ9n9*Wn}OitNadWv2Tu-zp<~{
z=Xdf_;nMo__#U<n2gl6aWbaYZuKt0~3%`_b9rR)2(Gs7|hISIZ9pT=V{jQD$?|taG
zZNEq#b8BbOpUZ|7{Tf#IcECgZyMvwwHk<Zjh3s_dRcw0fmgQ?JJe(2R+cu_Jq1s*I
zpH-;;p|bUgJnnrn`v$h~i@o}wxt;y=o~ftbroQuBp6;-JbJ3J7`zQ4KxpjvUPYZo*
z|0Q39t;zP=r)^ml&JKs(<i8W+bf`<{$%$p(RImQCt(Evf_YQvb8)cc?bMj!Tw>9h=
z20Psz6<+h#oDcJ>58c?t)A?=X;;U}n?B{at{A{}=9U_}nt<m(ufuXw_E%qtv*gNiW
z=nwn|pm}4_BW%7bM(%nQ->Z!8>3J8wHndyNFFy3eueWda_<qZ|Gybb8-0$0d^TLZi
zwx4XUm3!^{A<b@)e-B;8{*1AwcAku$azq!n#J9fK*a_~n^g2-RO?_L>mMt2|MHalR
z;TY-Q-S6<eAL~?e{QO~Zqp&SyYybFb{(cq<+UkBuEY^Hvt$<~}27R-PT^Q89-j$VE
z{J^2vy?lAys~niI+0lD@wd^saMnt*oD_|8I*00=`cl9oITzIlqf_s@R36-98Ne{AZ
zddXE6^-gzY+b`p{H*t!e?J89|_aY$HNfv$m;NGtXw@tmbD#`aZ-RdgOCtdn=LQA)U
zr8ZSv{_@`K(ub}ZXN?{FU`7*%eEYBDJMR}=yVl+oL${=l+894Fr`m_+$693Z^N(it
zjCtLQT66KB-IXP^BMg-vMS4yx{;|WN3f0ECwKDWy+^K%fpawHr3~G9~+)3LW117vG
z8tFLTP27+vDR!--nIE0rP869rMq%AqUq*Zh)VK33khkDe!*6qJpT}fG>>V0^VfOPN
zj}I+db>Chna9ZQ>U9b8jmpFGjK41M4kyjQBv~PFiQI!{;_Fi3({_b?^@4wXF8T)*B
z2eBXJwlDcCI%ieXta7WD{#q^H9I@e0qGQx*??F8?*Tz*Vd`>>Lr`4123IQ)XL+^Ae
zHpckcHnQ#cxLG*^5_b37cP+Z@RL?xkmc)Yr`W|9L7rk}+9n*j4__222l3KrQnA9`1
zgCX|Brlt4K3}4c^*vuP=RgLw7!gdslS<>_CQ@3!h^M335zbRWiBhLL>??N*=OM^Rf
z%{vzhii{u>TeGX)TD<nrw=-DlMbmcr?&3O?MeU#z(TkT<rgVei+a8LIUd(R~#kD(>
zFI0-_g^w?k=TtWOLMf>ipQxnwfYP@El+t>!t^*V=e<;=+q1ft0uZ~bYP}vVfZzrTq
zaA!?V2oaqiloz`x`1gWP-VZ`W5$XrQvNwdY6zqj<X9!so#&(8KMPySL+y_FvE)c4T
zkzF8^=?mcwg&Lw(R|qF5q;`c+OWdF^q9252-5}Hv$=x8-><{5Jg?ge%cL>)hEb0!S
zfp|e-$^ZzyJs>!Uc|9Pw20-{ip^@<Rhwz-jMt=y-;v<FhKnQ(%LU0jldqVIEf?(YX
zLKD%m7laQK_ET^ZQf~-rf+0lohR{sxrr;j}p?n_*9wM|41j~UC&QfS0Z2LmUqA<2E
zgjOP(!r(!A>x7Q0mKWXUx8E(%A>dtLu=mx~+do(E_~GW>=F>)>SyZylsQEU72KADA
z7j5#iSC2N=8n!yJ?)2%oQyn}PE*-qSyD8W)&xGXUG+!3QC;W1FSkunO&$h7%D_VVb
zxq`=@ebtvdylt#|%Dpv3KFut3<=JRI$1K}@8_I89bYC~O;o8h2{`C_({L<_8qMUE{
zW^NMJgRxE6oPRew!J_i3qop6rOFdfRi`di1_I1~}g}=NDvHZ|7w3}nI8Qp!?wyjZk
z#I7abeIE|Kd!zHjA+e8oUua{<Df4Rk=REGU&FkI(!`3188@vs}-}E_E@!Ua+cP$@g
zjf?6W8uoC|h{Ek!clcpe;CZJ)i*4<)i&Xb`zI=jQ|6|zp(~lEAq-UQ!^z^j9B=*xi
zuSM@qKlV6NXx5}F*>Pva+-=Y$;Oe0<!^VBOV!QZ5cJ+*)b0@kkT<_q1U`nwIA;;F1
z_^IyQ&ELLnd9`zoqy=*>{x%?wd)|57yHfYi!_kc!bx)i7d+SYW+EqBzHlu#ODsxIi
zr_Mi=uad3Li29S(_&-dyo&V{(pfHbJy(3Lt!vi~f9?<{Q?Fm62q^%D`L@0K#kPwV^
zJK-0M(XKfJqkX=d#oHDwyX@}Mx5eDFTci5TzGS)l;f{zNHGe3X?B2HPGHK$xv5vn~
zyK$xM$TVwdz?TngyC3WjJtw28=TOHq-@UE#`0Jb3-``9lDz!{IHfewNI<Z6MTMRgz
zl%0`vv+A}hbDjhRF3j37Vb^AdNB7)pf4{rx+WgR^C+;Q9`FvAvbMwL7%O3tOyr0C0
zvqR9G+s01+)i=z&d&!flN7gm;Uw$`vj{Tfcb9audKRc^f|BZ7O?Y_R{>4oZ>ep-F4
z!cB(~?hluq`Kf!rwa44*%x>7Fo%fhL?sd%TUYkz~@5Ze?a$@``k5}WHcv~k{%KqKW
zwO&MrmaA{pc`*3!!oYh*FWX+W6XNC#@m+SO5Sm*$ad4v%ZFjYKxwz=)$%$fY7~Hda
zxNx=eiS?0{E4G_t_sR3;ecM-b_Ag_y8IyISQt9u9R=#$?@q~A?_nuy9-S@7oRJ=ju
z`R$YHUU=DW&y+$Tmqz!Uo5wxByzZ@vuKZiC!tzOXT?wl){Sq48+&VvK#_^>!mMxUa
zPkuR|y)@ZAEMiN9ZH326cVyJ8==CD5+{oo4daM~c(D`0M(+2yJMZIv0_QZY|?JmN;
zA4dCmI2QXI3f)Al{t(h5Af)z(&_mpy;1vm>*#HPVMKW(BA1HVRK<F*f0`xufeZ&h=
zU(q5E)KAPK^%vf_J?ICBkD!Eryv_K1VnDTi&10T?y4C!0jj8Ef&#XFka&7$5xaGqa
zEq_^kRJNgJ=>C#6XL6pN9J>A49HaO8I+G*shwL;KwhNu!VdIpbJlzwRx7=&Tj&D9&
z@3H5A2DgW{(<clF>u>iW-dL|lYss;tf6?a_Uf;EJNf{s4)3bBv*NH7eWZlg%3la)=
zv`qid<hb1YwDxr#^%xx_^dWFRSZpPQh_zT6`hh|k2pS{;NQ1?0QmC*Q1R5ejNnzqJ
zDO}hN21SS%Ql!WxMG5;*P_!6HiV-=aSW#;TC{84S#Pi|k+b2WNw?l<P7=-i@5axtI
z7%m=A@EXb94~H;Pq=j=hD7>dITC|9Oux1p5l@SoeiZ>MeM?>fq2_ZpbL_)9}1Hl*t
zAxZc}q4x1&E$KU<j|NQ;JxLSAR?;LP#egP@0MZn(o0KeUVnHb)lr&WwCQTEzaiCNY
zLz*tKNi&3fJZPpENlFtrq*<cYP>?K=NVCNa(j4J13^Z3HlZ1FcN*7IrgXW1ekoYix
zZ5<BB7l;-k*w%?`>j(&o#2X6!li1dg5SECHk!<T^wsjPQ4B<BlLKcOc6qXD9Xb6L+
zKnNKPVWrqgp-eJ_l4BsO76D@*oTPA^!dhW77Q%=W2t&t0ST7D!s5uovwQ&$OikNW_
zu2Z-|VY9GLfG}kmgoz0dwu&4IuBi~56CrFDNr@1iQ+PsQr*KGukUky4oFoXD;sFJ(
z84x_jL)b0S#zXi(;XQ@DqQ!R**35*k@;eCo#TyF#X%M<ifN)S`On_iH3xaVXgu}vb
zB7`goJ1HC$`biK5%Md~)K{zh9QYbSULdnSxPKbcX5KdA!P9a;^Oo1?B4uqjoAe<J5
zDb$<`p;|J8vmz!L!gUH)D4ZAeDG;Uz2oqBv<cJ&!uIUh*r$V?SlBPm<PT>iKE5czK
zg!Fk3=1hZdO+29BH6Ma!Duf#%EfvBC3hyc05-p}fShE1a%IOg9h&L4c7eeSZ1HwI#
zF$03-A_&Hr5FQA>nGmul?4<BW=+ht!UJM~54Z;(#l|q>%5K7L1@Js~Ef^d?;aSAVl
zjSOMLQV2t32(QFp3N<qzRGSUqwTPJw;W~vY6n+x+b0ADv24UhH2ya9V1=r;eoaaJ#
zE0X3ycuwI7h4;ciKuBK!VUB?Cn|MIMYb6BFbO;|sS~`Re6y8(#ELzNiux1s6mGdBc
z5pO8?uZGZVK7?-~V?G4SH4uyoaK_dfMCS!KV`ov>NhO~_7#2bqycSBxLMTRq*hZzy
zIw&O<K`CGmfs3G=q;i~!WDvy`Lm9Ci%FxA73L3-_Dm6DiskQ`)wL!!#fpVS76)Hsx
zqViHGQ#L}GxD<+wL0qKbx(SMN29)9kF+Kyzb1F}$lr#v(Wl+*LLz%M-N@;_5NX2Ul
z6wl>QYz<=8aws3Dyr*Jk5G_|gS+f<&$`w$`8^kYE{I@~rwh~H3gIKl_isg1F##K=4
z(Lbx8WKr2kr3(6IHI%_SpoFZ3QVsn>rOZw!CD)*vYlwg~=;o6Yj#H>5Y}P^;u?xb`
zwGirv!xU;}La4S5LOl_)4#IT`S12?P_Uj=`$$~I(Jp>1lL&0@71m_J98i}M05S~+b
zLcv)$Y=n@$2g00<5M0Cq3SN65cy5BwM5Jwk@PWd63T~psW(aHcL0GvNLNoD(g8zO9
z-L^pR5E)w_SRR02+zO$E@Y@O@i^5I{t%QCXguw?PglvQ0DYjB5a|lAo?GW0Efb9@Y
zQaDb*TiEP?Fyb(Tp*tY76Nf3(JOZKGP6)mtW+#N}6s}O{DC~FPCecZZB>9OPQfE;s
z6Vyc{k-CZ-q;A3?3)EdClX{2;B!AIlH>jsbBlQw5NWDdiJ)k~f9;vT*L+U5I_k#M1
z3=+;ZqyXW!4-_cYl7fVOKPXuAB!!5rAW`NtTrGJ3t_~6b2OylJaGXM@usMi?I6jcV
z#9<PS4~IYzB8G(H11U<_9|qz0K#CDLBpe@(fZ{|FDPG(l4HXVYLBm8cX}EYm8X=k-
z1C11Eq*3ApX|!l@95hDEBaIbrNaKX}_n-ukK}r-KNlC)*1PCVu(sx3C5`>ciX`<Ll
z!bu?;G+6|Ya8e*83!76QoD@h?#bJ=Bd7Wc<8qH4?F{dG1r*MVB3}Jr;32|N^rHLF8
z&I@NjvPdG~yg-^G9L|AoULXnafQ0kHdC)wOMw%~PkQRs*7eEWeJklcZhO}6C=YW=o
z4AN5Zk(43)E`pYcwWQ@je+jfg^dzkmTS=>gbQ!c-1d!H<-K4d`<_c(?2qmo-he;cR
z?N!i55kuM}vPqkT{WZ`QF_N@Z<dC+BTGv6_MG|R;xIx+}9BzPiiDXiyctFY$O>TmA
zi?o~id)DT^D0~T@akmyRcQD&8+|qj)tKl0RR<ujgw#an7t#{I6@<-g!Pc`1bmmmr&
zk+W)Bh%$He{`#2An7jIe`Oq~E5A{N-W3T=>9OulOhx#yszG-H&C;A=+!yxC(3P0#a
zSs<Te{u`ICGt2*=f0jS<&^LXhe26f#9Fb}DR{y=8h5!CeZ)xOr>5GaMPxP6PtjvEZ
zE;~t_d#`V5STjD;^hE!O$*s+QT&-v-nv;nf82Q>3nb9BhUV7tm0k<>lf6y;rHKNZ~
z6rG6wL9$}P21<3)p6M+$C!gle9PmUxn6hO4>pd}<h%T+ys(i}0xxYe!3xx|B?&^)>
zAJEgB_xc95=0ENd6dqcif5(jfm8blnmrU!o`a$~4rG*Vu$Fb3E3RtCUe;GPHOPrf#
zFrm3$zo{3Wa`3Che3!znu<|n7ERkQt;pMBP;YX|ZT^U~HuO{>B3;bRzFMds#UtLkY
zzM?4jS{yW%#V;Q4OB~8qNPB1r`IQBJdze=rk&$XBp3oOjER)|_<ageA1wb?VSVfg|
zfza?z@v(-c1#9W}`J>vJ7NTkVp4cNc0M|fG;}?vdY8t;ujXDyP@8I0m#K905WTVX=
zhzip*{y2;$z$;QKkR8!RQPe;7NvDeg{7Nm7=%Vq$PT=<eXF_AylcBM}C4sbj7#&_y
zwF3G5ouN#HYZ^2LSwO6&&47k~N~cC@TAG%Z9a~q^_%~NM0%d`UnwGAmvxBBh5#2m~
zubc7g`i)wqg<8V$&@vI`wMf${Ae^Xa{QI&DRs{IOiq}#tT_uG1vjv=H8PGUH_P}UO
zV_nRWP#G`$laoxa2_n0u3Q(2q<D#cbSQX%xPI+zDv}y?RdtMyt9hz1h;klfUxOQq9
z=gVSE+ofqWp@s5$y}Z~;R#FRC3h>I(G)}A)=pv5cZfNwO4saM@4%dDyU0sCv?RE~=
z0ZpriFu&o>uTdY=G=8<x3FWEZqDTF#xB<{w6In1TX$bIZ^c;rcT4o1?IafFg-)ov9
z!kYjN!wF4mgz!8RTnT&<8vgM&1$BIuL+zB7&YA6>u8F5Lu`#sSns!FhT%gU@H2ytj
z1o^8`I{xB>J@}laH9@#OBXOPAw5AA`*0c+n<_3*lXiMN&vz6>hcc8j9?$5M@&7hUj
z#{IdbnV_w}cye6Xy)4@U;Exfo%U^0*b4_DUzS6W72=51Y{lM?lF>_0x7!vS$ttD)Q
z@Ighv&s1nyYuJZ0jlWpHyq>^efCc}oX>AZb3h;UZ4gdJV;ksiKaJ|*idFfE%MF_0y
zohEuCd;wq~?={T_;qL(!@~fsT<qX9&=9oCOz))QjN;8~E;2=8#VZf05>W3QmNe6z1
zt|!n7=neD%`U3VqWuPKZ2`G%NE(GKUKIOyG0v7=a00jYlh5j}075EYO4X}c)2P7`1
zpCG&eegP~XS^{qo{sz1QJ^()hoZ|1n`M|$|i-Lau8^9mIM(}6w@4y#;d-+4)8Soh3
zKK>lI4?F<4T|eP=8jZ4J0Y88fh2z6dcyNNW0h$BsMs{-tz!&HUv;#T=oq#StE1)$n
z5C{MQfgm6l=nM1%1^|74{y+%O3-#-c!;@nGe-MH{4zUhc4{QWB0h@s>0DnkgIxquB
z1112IfXToVfcJrTfP4QCfcrgvl_DJAKF@t!0<3|efDMqq?UK7$BJc&%lb`?i1}OV8
zH2$Cpe`JM^?Y#g#4(|Z?0PO%ie{K)71o+sT|2fheXa(^1gh~LGfCLx;3*a^y{Q`J`
z`gLy*_!0O4_zCzKcn!P-egPf=&w%H^Bj6SA5_kYS1s(%;f&0KcfSU(53+@fvaQMx~
za3BJR1fqawAO;waAN?PIKp?;y2){|{19Sn}0iA(1Kv$qW&=T+k+5+8x9zX}6JJ1nm
z1$Y6SfYyK?;0<^J4KYC-fRexrI5r(H@n;g60lZW3hXT3+I}x!9*a7edBboy(09T+a
zz)#I~0QlPriAduN=C2(10HuJ|fEVBioJ71Z>U47e8Q`5R4Ojs14wn#*7yc4~KhPWK
z3j_dxKoAfNgaEkp>4pH2Kok%S!~$^uzao7YI0766jseGk6TnH}G;jvE2HXH{0r!DN
z{F?kz1fBtN;puE(9z6!808@bpz%U>Q=nixRx&fnr(ZEt516U5M09FF4fN<arX8892
ze_~|^uoK{~qU;9_0DHOqk71U-#;i0z$OjmK{D41no<n;9-GPFDHBcDf4+w2R1sj14
zz*b;0@GHtm1^7cv{Nhn#pdruz;Lljq1DXI%fD7Qj+adpNk+(osz!_)+R0M2+G5~*$
zs}xWfC=XNu$^v!(Z<F>w1)v;I4EP<6d<DJ%{GKnrJj}bKBZjIGkOo}_x*?p9i9i-m
z9)=yjTW3e0G*AZM_wlC#{NDa#U<!~7qySTa?|_NGSd=jW>4yTtfZ@Pp=={3;Q-m$x
zKmouKkN_*7V1A5$Aq1>}!T`Ve{u%fkcn7=(eg!6?@P)uQ;0kaJSPiTNA^?7^BNNC1
z4gvSj3r~P>43iD89cc~#ypQhz`1@B)foA-Ym>UB8^|Z5y(1UBh5q>m(7Hs}pN+)0<
zFbS9f@OL&6fn~sQU<I%WSPiTJHUgV~EkG8q8`uNv1@;36fkVJy-~`uyHgF0!4V(ea
z0_TA9z)au=pctHTK~L~kh)m!~aBdyI9|hu<S$YCdXer-76bE=XDFGZrnnS=5;3#km
zsD(xvfGQ|Ap%Px~fr>y?fInlx-|6UvO1cBpfg7-I0pEbhDBv=18sHDNRfopk@3;fp
z1@a-i5y%e|1gwF=KoOuQ&>Q*qZinw~X63{9hanILL<2EE1W*B}1gt{~cuwcxe=D#7
z;2VodKv|#+P!ae9M@9jBv(N(I`vacy`Rfz|;nW}?2Dl0PG4KRPha)MdU&o&<x&Yh&
za)9f=8Q>;x5jY840?q=rfV;qD;5Kjt$Og^<SAkQ&HQ+pO8ki3(1Qr7;02erW2si@p
z*nW#|r}!p-r&1>*a0QwI&43m_YoI6M9s`en2LKO^JOT4uKLy}feg;}B02$ypJ{{oM
zok#Uq0FUQsz<gjPz<s9>*%~i}fg%9U*B<Dmz33kPo(7N1{K1c_sK6VJ_yFwzUw}tv
zGiD?Fck%p@u)WB;4rQ+g_5v?~BfwH%q8|P4jzBfQ0hKoe9Dyc4J-`iU1n?ItoPhd(
zJ75Bwfo4Espf=C|Z~^K7u0TVeE>IJwz(&ClzUd$iBh24&yU4#iaSBEbBY_LR_nJ+O
zacg*kz!iU&$L7ij#SrFX+zf02Rsmdk3(yF5Z&kz>0&IYBu+dq%vEV_#Kp+_4{{aU8
z-GOdESD*{P6BJKQoW#w5ssOis-U7I_W1lLh3>Sy3kUleZp`o8K;WyO4qY{QnmkhiI
zczn{H;(W`iztePTOvf|~{|XdDq13Fvyouxkvm9;~+!=X8VLiOLu$(WzC(I$`Co%u7
zvX4k$t{`t^46_0j#)6pcGw|Oj<FDoX!gv4XLjJA*#_7a^<%Z(Ef6bfMH~R9|>`S5X
z@X8O!837A+0xou#QRJ+|<0x)5W{JtoVV-yM+N@glm$Y1fTz4#v<Hq0VWSHk>&KjPb
z$!5C>Y`&AgWK#|RI3Oe_CjfJT+lb(a!ED<jY);IA=p0WGEQE1(T0G-;df=&pCkgW@
zgKLw=7H;%Br8odQ&hWItyGR{<LG?^i14cEakM-5X)@6p`Hq2H>OI96RQ;D@^(A-6}
z)eLo%4ETQ}4iWzMC}x$RwD4MPC<=*Td!C8h03Mhc13Wx60#pxh3sRC<^NeLK+F2>n
zmM1E6=Qc%{M=wIHt5)6|^p{O*4zStgCYlgdTV`+W4f?=jtltA*Guf_cB4dT2w8Ut|
zH4(GIV5e`Hw|QdAGJ}P0XQW_Zd_Tnx$g~AI0v!Oe4{Z?k1=<5Gfp&lo;0>@cPk{cb
zzS*!SW?@oBtKE(Nonoh2Q#E%@8^tZrX}Q5t%FUrBqaUnak=5ZqYV#0uLJWt1Da=Fg
zM*&QxZ=+;t!ezqcvJ}&bONUFyTs_-v?rZk3xg(WMR4UVEg1vbLu|Cc(^8_@HjM{SB
zyvf+9JpgvU8tutw^B}P#*2mJ=p9279`D@7>b5417WI@1RX;%6E2=)fptX|-rfVo)`
zcY}%!`62bmBlktPA7IXAPOi)k=+%{ym098N*BN1+4S`6<er^w#X97oGZ6M|syS{wh
zZpiH+q~e@uq|{O}Z;}wmbV6N&&UvH$+B;nI<`UT})qp>GC1DKA(ZDc(`_E8tJP-%O
z0E2+RKr}D}2nC{m2p|jy2O@!3U=%O{7_RY1jd|8jLO227qnAYRJOHPh1m)N>7sec5
zHXsADfHYtxFawwlqyp1`sXz*l3`_wg1CxM>zy#nsU_8M8EO-Xy`#&DR_+HQ#;Cn$6
z&>ncoHxS%C7a-v=;1ci%SP2{f4g(K?TflALAizhS`@uJX8^AK)I*<dzAnpP<0L-Ts
z=Mg>woCZz-CxC1q6KIS0b?lNQz*=Apuo_qjECv<<3jxN{K|00CGJxd(-y*L7uL9Ns
zJAsYB24EAg1K0*^1(<IOuo<AfT|>ey1laPtEoLj(LT1_xWC44DJ-|NT0B{JX1P6|S
z=^(==!EE98z;U1wa1J=D;R^T~a22==ptlor7ZG3t1v0z(E^r692iyl904#(L5*~w}
z0PQe-blMBt8hQf4Z4u`1v;lMMxn9|Go=gL@0$Kvifo6aQe`lAIfj=(cfQ$_R7QmLf
zLHi2+0{jlV2A%^f@CV=(@Dg~Tg?|PA4EzZE1iS-&0p0*_HBf&KeAes_^!hh|i5cmL
z%0Gaah?$x26Tkw@@r?Tj&|$`#3pK~*b;KP0hICEQpeBF?K;0Fbz_&Dw0docP-Wj$N
zPywJbjlhn8*{RA1n;mF~a07skRO$ou04ty_z(+2X09&9Az@DfLt_jotBtDO?jsUy1
z8n`M@1+WK-0{H<QVD{L6FrCnY=>RJ=0&GnYO)CH{4DeY`A%IR;0!+g^s8k8Fx2!n+
zj4&6<E~U*1{>rR?n%N1qjFs~V1$B-+hl*Xz!p+0T_wtNqZ?fF-Ksmq;D9bmH>@Ic@
z-wxAzJ^)~=O9Q0<zSZHw02abR$$1?#hv@(-=UeK(>opD=ou<Qdl;tFtTVsx-Nbi}D
zVe^bOhgkvV2yHsUE~Vq<c;>AI+dQG^3@5TVp6NLcXrqpV+=7^q-S40kX6`~x96G@v
zVkWcBv1d1OZ0QJl!909S!^vn)|JN{Ag6a^)Kks;PCUfR8l3_KGnue|Broru&%)O!>
za0_<cbS)5PcEmg+)bggGgDkHF$3JfbMYe{sb{Puy0eb_y5#0bfBg`8}H!$xNUBMlJ
zF2DlVyu)!<?373Epv6&NhBCRqamO42M6f_}Vm~d+JEB=*CZ=J9=7Jc<8x$)wYpmQK
zc01(dovjVv2{Z$OpmY0eF5YaxdoDf(WC!(w)CVwcwp^LL0Tz|FPx?Y*_Lcy*4{pe`
zBZ1~X1mFRL0lZ6?%VxPlpm8H-p26TjoO0aF2f_#eSebd0@>XgdAr1zo9_MXCr03qn
z`ORs{8PEWz5A;PmAC84WH<x2xC+6~5rZcx3^Dgg*#4MZ(gbUDINjSpXAeqs;$hc}*
zvAJ;bwEdS;3u&hVslYTK8c0BSG0ZR&hy~(-IAAJ}0we=dfXTolU?MO9_zoBkBms#A
z(Ppcmb^>Qc60j253Sc>~49EbM0!x6!z#?EFumG43%mdN^0n7#F0J8xZm<6N(Gl3bv
zTHpzKbq#nmP#s}s01s)z!L0^k_l*!Y0PBGDS^{R;3~T|m0mYDEJ+KYf4Lb|i1?&WN
z0Na5~V9i~;;Oag}l-*{i&Q*}<vCZ&<Uf)>M-C>AqR|<_U(sg=GuTAr-8ua}f>pRqM
ztRAmy5tBdOKh3x9mHUWsKnx}aPkbd1GkWZ;^Mgv9Sf|Bce%=+QcNlC#Iqs#AplyMO
z+JQ|g=4c6=)W@UNh^c+=!-$lWfqM*k3C`I-;k+mg{^{eOh;u7@l>Q@zyBglmCtj@R
zYg*|yx!fNyp2Byh!Pc%95|l)OYALG=Z|d^+EUI&@@7S=uvo1;`?KCuU4vGj4V-J*U
zfA9YHjaG&l^k@fLq6?0S4~fL_YxLGWvl2#M`H`MBuJ2UeMK@WTN7?v{+zXU|kF}NG
zW$0gpLtuxRj)5ic=rV4fLML|}XwaKu&Wa_w48Ho?;`J_g_7dsXs2JnOb^&j$E>=3C
zAxhVM5%!t*%&e48xMvz14JGo4=uAU<Lm>-sAk$D=;{SPYSSpD(NTzQn3TA;?h-z7e
zI`{yiUzXt-J|+I9Za!PPi+GYqUq+M*z3^a4zh6*CBaBlc?BJsBZaDD-39OLdRm8Cc
z{?GhQBY_i|k8}J__-rPM{V3Lh%H=Dd_VeONdt0sfQg{{8HAXrt>cR!Y{oRH#&bCNV
z7$uF#-*-W?X)7a@s+5kbp~W<eIzKP1^jK%aI5;b_#aYzb11DM`K~ZEa*Ql6lwF^}j
zA%Sy!M~*=k5r72v7Rcy5=;%vgGwGsuw8ya1IUNn7>-PIfJnQ(>V<~dEqEyVZWm-&V
zyRecCW+f-GLN#WCIJ*}W?m+@p==reO@qG(X8WSj8e@f{0p~9QO4rKRIOIM(o^}Uo8
z?hUncX!R%25eb|N!-4WB$hMi4p>ctcR!D%(qvv%HgWQP|`<xt*)ZXf43B9SA0~+Pr
z&`B)XhgmR8ykZq)F?+d^M!wm3{g%hRaRz<E`i<)Ic9kS5?uRS*c;$X1*M_6B$e=h-
z?A?!^=pufiHAqMYkYu}PVV$p}XkIg)1-@wza{w`?#YX3RwqnHrLs^5dxHxnG(<pyQ
zQTU*t3_dMd<DkLUt~jO=9ql&Yhi{)|2K<U9IKl&TV~Ut@5N*7G1RPikf5)z8^RGLO
z1kUIzB&dva%&fH=c>VsNcL~le7sR0Tx5OP}E%you*v|*+F1YE|t&9&6un#c(@)Z!p
z4jCNr`F_tsaAHFlbuFAN<a@c-&Yx--^xSB;>)jF?522eZ&_{SeojAEbt;N2}x2;x6
za$rAo5)Td;78p?AxWk4rb`#60-nK5XWp#Y&g%pE+9E*ZawqomHL!)v<utvG31W()5
zJ@ocsu4+s*CMaHN?h#DnzwMBQ^|3+y>nZLke2<{JJBmR^Ff9IJ!4Whnw4AyXzVr(k
z-Dzq~3@s*y;&Ve0b`;6o!~^GiCGsnM=_Oo_8tO=Cm`!Y_lA@9Ru2{l^&qTp`Sj|6I
zP#59EqJ6@{C+HWdoxmyoS-eI%yMh(fonc*}t6#shy5giHP};U%*dIedCxzQFc-FBJ
z-aDX{<|Xf?H$7-M_K!YTA(kIAcvg9CkL?%<43*Up{`uJ0=!MtLTw;M(_2{iEQSdlw
zw63CdcMreIzI}hme(*<)^MnTybX<i5oC0e`evN9h)UJhv(g_?8$N#Uk?~beLX#R$C
z01*jAE=ajZQ)8q^y(%bzHBn+0O-w{UEJzTM*g!?W=<l%`!)T%i*aZ~Sh(?pxFh-Gx
zn%GM$u^TM0m-oA8&*3888}aizuYb6nvoo`^GqY26_goRs*i>I67#1bDcQ^%9<`uBG
z`l5&7Jbs!wY<K^KD+R+)ykS8jj-r3TsF`?VCOP<%J-f3lbBqPUk$A)0`~o`7*xG<c
z7E1ig?%r(HNo6D$eup<KE<L0QGf@>R2}K77f!tQ&0L^@hv-_VOJL|e{18>aT!ARQB
z=ldYYIC^F%I^g@A`Ru8j^3kYE5USazF{2u_39Dz>5?IW%uu@FkrwjXFTMt2(g{yAO
zcjq}A*rSr@O4g}^7kQP*b8gd^v-GLqlGB|YElZMF0&xxiUQ(HCLYs2ge6ml|>qeI+
zw*bdAW-yO703hg1j{|@JAOApuMPQ9ZuqW1WBVGm`S`1V_#5+G<_@Wm;g)eHbU-0bS
z#S?W5;A%!XD?_E{cR(=D(CgBw5es8BL<)vK;0>dl92Xs%f^|Lb>WOm>^Y$*Z!bR@+
z`-KqP=|8j|>?e5f<#}P3?aRy)!!8>!e;B}A!9+6r6+Fx*Cp1ng0mt;&b*y2Rp7+mK
zY2mg}cK`&H1AtjX(yGv{Q&Vp)(*j&V4~w6vw_+;IGuGy5d!EozM%xl44zsqk+XvlP
zK6S_#EkF~hU_6A<P1f|MnFrCN;6gpH<^hYvg6>96&R^8q9c?5f5^x&^h17<@9i%S~
zz)G$I4(l|%{g!8ED|Rd!t%Wo7p~?gB%uQ)K0OdxI-#Y2X<AibRoelFZd~ik;w%5_h
zgF=8tztNt8(9OZ<55~DGjDB5RESW<qwg_O(7G-d@O*Gur>Zqbrsn^?WkZlc1cpQb7
z37&#!3rZ{#`Z)D$!R>x-(BF3VM&FwykwUCMF+^v}!1QncFm=X$TW~FG<Y1Oi`uj)#
z6Uq9J5a2WiDG6KhduJRg|MbCO2g$EXD{=`%9Rh`Q0AP#nO1C>}k7WO8000)#A^#Hk
z`j9YGs2@Vl4}od75bpd^_HCIm)cx8%mheflGWdd;m&0<V1Av)o|NChVRvpM$$rQu^
z^5mX}VHWw3pC@~3dw!&eKy^9^0A>Te8%NKoxO%Br3-FMN0U+44rm}J{;ny0QBLFPE
zcmMmSft_QufZgd8V<Hg%%u1SGv$4F^(f*zmU^aT#>I*2&7<?^Z<UwsuA$|NCm^dT@
zeB%;0;$@4^O|<~GX$k=F70ulWz>Nv#5}R)EW9GA;zd0uuCg2Tod+X>o2A4r?j|dJV
z92UCaGm@T%5j}6U=Ye73=wDjC9QLx3(U#O?VA6qd4#UN{b>PxFG4lEMEjFaI*Fv;L
zj~djk?^2EUr1$;p+MfP&`!E>#5&%qk9euBi4ep$KR12_x+`utD;Rs=jmjjN;#{cAz
zLC)Xgex-%GO(OviWR5DFiD=aA=1V3#Y$mCJbLl1b{HLGI&xddBo2^BSpdT6S1OOmp
zrTYxMc4>v{X~ZjKg6||XPp8r@D4ap)O($7O(~iL5dD1RO*D#Pyqj3uD$`@Owb+6W{
zi`!YUJWxv14Z4u!QNh6`Rt5-I5IbSl(j3I>ND4VBxZxwE&(ZIcfqv%Ivik@BA?%55
z2*z0eL9T@_a{vJ0<ukbbfJ3&Ge)8F)eP*{WP1C|%pz{DwKLG%X{U3g1(8X(Y|F5+G
zHW8#cCipvfNAURk)5=Yy9~N%@P$k6)7P{Nu6CDiIol?<wzd7}IU?NEBhywAn>lh}}
zkS-lV74rdE{*I@=$?tcNlagK)Mg1-qLtJsc17J7J|6RE2<kgGEnbccD56!55(_LlQ
z4E~n=38JNcAQcOvia$W%W4ejPX#l{P6S)`PZGr3bOFOmT!^!113}-9=SYq^J+4r4H
z7k3(<1^5a*EGHS$$IG~J`LsDKpXaH*G-s77;v{N&K(U&xiH*^T?EIlc911Cu?^?>m
z0Qg3DI~u1WfMdbQ>f<Q7+bcUnJI+=5n=$en08C59L%WPPU(fSTMhL3JA60MO^O2>&
zf*wtZM`?%fqBbW4hprs~z$%IlI_wFvE?x740r*R(4Gp=8SUuU0_TFC~dGJyfUfy7j
zj1yFBRxiLkQNw!zsOLGsw)a3kR5b9_Z>m%2@#@3nYWLE;<Ifw8&Vl!C;p2xQ!uQSX
z0Opka$?d%GQSV@&u{irCVWmeuVFE65CY=ZTX)x{JR|`4EepGQ;XzubBbQ-l$u%WPv
zg1V6c*|{%QocX%Lhl7ol43i?6A4*|^`+dpvu3$e|KPxYRTOX`EZ8GeiQ4=~L@~}C=
z8Vsx=Io0UQJzZBPN7-q6Jmj8f7bZ;}<WP*n8l|CB@aU1)WRTMUi7oNtYh5n=7?}T*
zlS70vh(HgMWVS^@#f&c77ib5HMGrHi1&y<|{QgmRKW&d5or78`a99A${L9Mqn>yA4
z!x<rkQUg6=2T~T0m_k;69~-vEqI|7(ppEEpLr>m{!AbkJkE_pnnAsgg4|4~G|0LI$
z{y6NkjPu`HM{GYH035&n)g*O)&ld{ece9SkigoDMy?zbr7q5O9)?nLR;Txg~?~i&L
zqB{NM@(!=|2W9dZ1^oXNRjaoPK#yp&OYDoc)A%2VN|BT#kE$X6hmHj*F#MF;@!FoF
zVmn$soURxZ^JP_%dgmdvlB&Jisv1p?^x=5*$W)R~)j)cfrSJ!WeTY<+4jI4`_cmX3
z-(S2aqCfm1+e$+`8HFAe5L^6Mr)0aj`!7;Y088no44`xO1$+A}KuGTWJKxgBQ%xHK
zg6%8?P~{atB@_;z9`^)$*Fr$Cq;CpZTV~*cV?M0AJFKAu?eF8Cbr^T6mfgc&>E{GT
zW7p5vO(8Jotoj!JWJPAf#b+*z+irWEaX{Ii$sw1cTO&b|)dQiv^wLav37o~BQ}R8b
zgY>eM@>0Jv^{Jlu6JyE1`9Mi0u+i2!ie{a_-qv0kbwy}kgyZ}uI(0&5COn8DlaoTF
zW>7Q_m+{~In)=xV+94RCyzucu#7IOB6WQXZdv!Wic8JjSOp7M3Q^FA8NHi@xg<ZUf
zF?8`1HirjAlig{dgW3PZ@XX~{3=KXl_y<nJGb`TyT3uW+(QPy8B@Oh(g3?X&uq6NT
ztsfkBy1u{${COFc&YTn+>GEmJp=E5=8NpvYDVCQA<r~~X7Wcva8QUI~GU=JI)C~~A
z%f3`}N3a*HBFXADYS#nw@k7)(bK~gn8NAj+W<5j`5lKlm(Z)tn!?S4j^rj0J&{7}z
z=^WaXag@N`Z;YgYpduWNq@1(Dz(#xHq?0Bc8G_Oi+mGg)7di-g<7m<i!QV`IFY{A1
zf-)k9w->_ulll2~8KJI1na_|8ToXFgf<Me~-~}E0aeituLq$gTnS}I<!a%jc$D4~+
zmcbjcQ06XEs0G(q@wDSI^spkH)RzQ%^|pAPc{oh#-`?4H;4x`&O4T<s+XE1q-vGh#
zj2(|wJ{f=NlS1YkB@be7RqlDdb^h8v8jtu++oSNM%uvxy?fK-8{<QPFP`^s`ocT9R
zVpsx&UQyPigRnV)W?jJ?OA}~k^|tn!(K)(ec#6q;B$Dqn45KWR8cRUkI+5p1JB<wY
zUHEdy39Wc)zX%lC)y8H@5tOlIL95qeELPfG{g2aUhEYvywPV#(fjqXyzZn}}n(~5|
z?V$R~hTTImw*;@Zn{1Wtz(>m)`j<=S+xfYVY`h-kc+j!3(MVh3Ck6g&A1Eh@S~Dl~
zy0lcm%qhN^k0VxTSoN$cAD0540rzn#6INVFeoke=b8+tLUKhTq4+GP!0M?@`=jOxc
zN*B2&&x#~<CDvY15;vjd|LIuXqVH@eH{@$?CHyDbDJlFo<^L*!emTn(&c>71np#(K
z&QD&rb-#-*=H{m|VFKkQr*dUu>7RkJ;$?5#>h0>)qYf#rsfA;c?W@Y(WHt?XMf!F_
z)#F=hH&4DAYGK2ACJ9k0UPb0xvOPX0PP`T(sE%5DPb)_R%?fyPmZq7T#f7SexjfQZ
z)W60E7XAN=7*RX<+6%Rx&+Cfs^LE42lg+kZ`L52)HGpNVEu?j*Cs&4d(UV_GIkK9E
zH6=S$+*dUx|5{G<y1&upR>~TCSJ~7iH&J*|!iQp>N*-4u4XhFS-XYD?H<0Yh)iGoE
z`N0nF`{A0UduH$hWafOhqTk((+1DakD$`X&uS{EZ%tC4;mHksK;{3Zfob;yxa*$P2
zDep-M9+9-<VXczbtO2wGyI2CR&Ai?I%`8#E4H-a<?xA9li!?K(NR!JZ;lr^~@y7aH
z?+dO{fu#T|FV(v0Gif8y;MG|A?7o(Ks6xKoI9{{}$48}8xW6Z>=r~3;dRVP@ZOwly
z|M<fMr=N51hSi^ZMje#Vt5{X^u9zm5U9DZP{xsr$l|H<gGN^TJ*6}1jc2~jwWvcKm
z;a<-8Y7w3Ehx6LI7=7zmw}-G->rZj6#?!G!wORvu#-u+Uqu`azMXq0KTixj)SyjjC
za|Ci(Tw}IM@yu0WFTDFQk4&XGPf(S|q|)vuLNl|ZRK9G+r_w|AepV_qdnyc3o2Bu^
z<K!+b>zNaHMOtV$FVYw|rcuFDRyw57zNgp$*Z@d&BGP?qvt>aQ8(zvwvL(KVNF&uV
z(40DvK4k5s$&|+0`;)1NwUg87GFto`X@loNfM7J0BA(-QkExXY9Ld0qseIS`+_|5Z
z=KKGMFR*YfAl*B9F82)I)_P5#$rpcVdn_`joZ-4=aNJ#2=C847(D{)T!e8#uM3imG
zU9fqAwx>e|sb8R!?FR@OOek;dr1(3gjgM#{;xniRAT$$Y2vh4&&#i_F%d`;l(4zwG
z{yIIV)3q;lYkO8?P&UKeDnslxxYN1Gbs<a(Q6~4C&KT0kFYDAUZO?@ay2UtqAVb91
zJ+Eu&qI#%>FwG>_m!PiBl*fOV?vl2mFOKFEnfaoJrDfSpzCRqj9{Z`br(-51GTZ@x
zumi+<4LV%UUO(m+EyO6fC%@D1&y(A}zeL+JJ(G3-SG`n*@VA~A`R5P4VzdyOGO3bL
zKR%O7^<rg{v&~wJ#7;g=fC6v;X>bEQOlBrm?%DJeRb$YDT|gFpUe2V@SAu=KY8K!0
zs&DwwnFl39mvdueN0*-Hu?KGC;>+ol>g+X0Hsv$Tq3B_UTtiN_-PqT=B@DPd-Za9S
zbh#%o<<9s|UfJ#eHHL$rws;op#CYn>fN%xm{<88Ljy(qYXmO9tq6e=~ef~4+`(UxZ
zp;NEfeEIDC#P^ZetSxgT&e)-l!Br~6{hy!#05Ah7JL6BByE$k4Dj2r(3Bu7AF6GEQ
zu4B3sC9AsZ1gbA?5g_H`SBIQN$^d;&{^?oYrRxL<K)UoO-PN*d1y`^C*5!C$vnsc_
zrD=@I{7p9`Y+TmC)#ceVNf7Nd^8jHEh{PwY9)BF)%Lx#HsAxfT33}KmsA}e^i+#&V
zSE2{|wv4rPv#AWY>TQ5vi{93%c>9F8iHiWiE&^fR`)6l~Ag<?PAH2c|pt7*+pRnov
zf!~G=1uDBa1&LgnP2CvoGe9tdn3KD)?~94Q^_3Wt6l6Jv8^T5hm#({PJnBfpN+M}8
zhn4_W-4+l|z-`klX}t5a-K_xu+HBYP(>ZjQQ6C2gcCjMZuWKL2Dd!6$8q)Y#=xL0e
zNXHK=T<&gyuB7CGbJoyEY-W6HE~wKoFVWEmZ?Dn_BV4+hJ&zaHp)-2sJ&8(40~)*3
z1!--iWdKm?zXF#!pN<)c{zCV!$<$aZ*IWf-EQxUuE)MK@=MKBV#ctzbtmX^3I*qS>
zqe)z}-dyGl0uNqD<|g70;n+8nVj^zFRX}EV>d&*dcF%3ew~XzzGDjkXi;lRApG5=f
zKoDlcw{G*@`sY2J_KIEJmUF2F=wX&|>v7E4C>v9DOOW09#b7Im3hIF2C5z|+TJ?vE
zIm3$<hV4DJwLj`BtR-9(la%RWDmD{lE~ZaSMOOiqlV%D99Rmha?#UTVUWN{sQ5P6E
zIF!`Cn2Jn6(|-x48NJ)BwDTf|f27f+bAym2^b#}#r5&}D%Ik{u)TOTIs7_tV(RNx~
zUE6un;JZLWX2ecRGnZ0&T@aoF2xfWXw*Aw>IQXM{KrlsVa8$twsWSn=R%^>F?}cuA
z>caviG3GFFWhh583}v0el@ZzVV7F+i&Fo}DzWk@op&n*pgkYUZ*=C}>QwZk52##p8
zaK@;kXBZ^E*lZwOGjtGk=h7`R2y{yxxz-c?oyzk#kHh}n{CBUwln*!pbCdkSwj3qx
zg>!k72L$y^Ah2~laP<8HbMG{d0s=I}*7=Q@R9O$wdYDIM<{0Ah<rHd;=b_8V)gPMp
zaydU&F>Bps$_B%EYk?^XY{7Dx#UNKLr&Z>d4fl(-#;x!L<Z`ljPxR+ki34O~6Amw@
zdGCSbMUb=rGp(Df@v~|-FIOTdErrVEv=?~l7l2?6J1HzJf9K>73mF1_!FC1Jw}8QT
zte{W}F<8B51=r`+`Dy3d<&2#NNalo~i`*5o&;k>>w33osz~-%$WaWnT1)l4p?X`+3
z8>2nHihM26-d{zBtwdWFpw?T>rRAaeY3Z`#6}P0}r3F^7I?D>MawC(VTh_QQecn<u
zR_|TIU60#)ck`Z@ICGCDu_L3LUX#@VBDe-PmOWIK%$T>>^h!%<1e{XgyUkV9jSZo&
z$FE!43mlPr)bda=zxMw!<jl2X?y7KWYm7x*gDAyYi;e=VrLU|Zbp5<no2TO&jOmka
z&G)|fl+#kQYw2$=A)jlvL+SHYZ4ZvZ-D<^yE<g|S%a!Q|do*kE<XgE1PO>nc%xy3i
zh3cMs3d6JJC@@&Ua#(ZAu-idfel?uO3AyJ~#x8ri^1BmdT2Sxn+N&~%7x{DsB-NG$
zJZjw@eEIsr8L2otlPn(MYgj;5Dlj1{F$jPx6|ywSz8K}NPM1f361x`AKox9{+myY~
zw}5_PHV9E)fDO_)734m!fR?}(gb@W~@jluK1>|Fkc3J`LV1_xrfMRT+mt1)m`)T_Z
z|I~l&C9P0O3aE%->@1);P_()nkj#&qY(PHs(}!HvGIXMVdNhLY1OCOf{{r@Vz}7@e
z@bp>sH}V<yb7>FvegQ?;VVt^!beM7MSV-x3)_hRNg}>(Bxas{D<6{#pDL4TA3plip
z${B8d;MT`zM{kThamleeyYtE73WOJro(AYqg$K3!a`$g62V^~v|CB;fH^4j>$+*V#
zQ?}-O*GVxGxaf6-)B_O0wnAFsjP`Z2i4bhp(>zDKmleTe?rM+czzsCW2`$Vk-2-jq
z21;b_WjOV-4Sc4ybH=&7Jb4Ir92IV3if9KQ)gy}dh2we`LvD2adj5N|EMRVFMN|n0
zO$p@7!nW$ztoA>xI(S=xU<s_jEa0-9oW*7umu<8D*7hjouJ9{MUS0;a#+b6QIDc}0
zP08?dk3GnfrG&;}17iqQA*Kl7ZO@7jI9!BcW{R-XXE$>DH#pp5?~Bft6vG5h9K+Ta
z4qI`%iZhbkfKiabcs0-FsP4RpTgCnkKmS%TH?*5piVCyJ8k8rYUI`3q$S(EKJ?~vn
ztMHkW6s{rFEt{xJ4bAKY1hXffMQ$J52zO_8EuSf#-jwBxRa#y^foL`Qm0SrDRv>Y7
zRc@ai0fdOJsGl2JgyzG|eCg#J7;1I<2O}0>S=Iol_mX>Fem=L~%_E(T%RK>#loWST
zWqX)ePD5^sQs7dal@^kaY?MpZ))-TTP<=lDN=OM6xuXSFt(m{6Y5s~IQXGbU4JztV
zbYBBgF|?{^AXBV*uc%##wu<_c_lg<#8q|c~&Q)G{Z-#H#+|@BZaJ?7RJN3o5X<OJQ
zC9=S4Mo>j4iZkY{*cv0}Q@Bx<x&FYf@Lz47k`g3ttH)L<^T5(uvx5c&iMGZ_uoO%s
z_R90)9=R$lp*)wW<twpP16&CXvQZ1OipZ4(37ML_8rV`-oIrKwP!&^ZGNZ&AMJ8H*
zqM)etM{5PCnjoRpolUUjdadFft?|chIeXilv5^*xR9DCXgZayGPhWhia#)f$lpv{0
zK+&9HNB)W((V6$fZq>eFYgx6fILd45Wz;T8YK4UAY*W#>7I18->1ROEm}1bJxHe_c
z%d(<GIh@nC&7j16duU5DF+#0>@8ITMvhqP((O+dh+RGEII^9yoCVg<H9ots$ldj#M
z5Ki!fo-9jwc0a#l&z|A#emL(?AiPQ`2M|KnQYyeGG{Z}*uO0z#=4@+jn^+m9m1cRN
zemhf2Vcx*1fh{~Jr6ez;?ITKQiI><%{;pL1AWe{GQWIN!Z8p!6udW|Izu(1CI3z?y
zf>n+ml;PvhDsPCY#-Q|oy_9LH^~*r!$xNA)Oh)~wT>6jR(Kmm+V983vKwjR-vQTEz
zM!{76_k(SH(o;8Bt$A!^czM6{I|1pxn(%et*LFqYv<z!U!4MbMSSnNNPaD;GKCOjk
zi9A3>%^_^1R9l6ri3Pgb;RE^ybyu~L7M)aP4>~|En<JG>Jise2_2cw<n}05tB27(7
zLDCLTgs*5XfBi+1d_~8gxqyBT^!l8h(9~1il7&{rJ(l|txo4(lh2x5#?*7t9*q2f^
zw3Jd$$rOdP2T1KFHZ$7|M0QhG_bRd%G7nO=U)7XsUEq%vU{)%i#1HHIc<hCcALLm<
zhJO{%EdZ-40m1n6Y>@QzXT8VYksze+%Vo)EDh~05Kpt(qP9?U%EjGk&sp{7+v+IW_
z(H}B1EaygO8+quGm&e|LGIbasHW+pQ!s$&pseoezj^tgIMtHQq<D)e(5t%1lc%k6O
zzK&K(Vx3cvEZx7Hk^``ET9;FH09M#X<+L*Z5{fCOQ+RJS9<<r_A@D91fe?l-%AR_7
zp1FTgz2k?@J>%@QfYx-&+|J0qDic#Y7Y{1cYE32mR7w^U1YSWHOn(sO0nomhBd+l=
zv6Ie2I%yY0`kpo59a9Ny#Vprx@`uV*A@VIXnNp6a7ais)Xt<9sEMe#)wXAOhET#NW
z9Jw6IV2QGPG<xzWtW`ad0<LbgXs7e`Frqu~_^Yo}a4Q_{+(onL#51^mtY5ZCWbjV~
z{nQGfqwW#zF)UV>t?Wr>V*nw4KVXEz6LXl6t;I*5#tu6kjGjP#V{`ZsG7m=9{Ob`4
z3kHp*N4ddezWP4<nZ0eIBrj>p<INkQ*mS}c7=9CKD$QZI78zXDSF=*?<+go@Pq|R%
zvENlN&~-G!d;Bx#3~<#QfNKK|ecOE-RbpZ(XmR^xkW~n%$IB2ij0%QDSqG2PLg+f0
z;ne44&_IT}0=UfU*gt*h*Xw{LPK&GSXolmKWl#Zd)fZ&kX7!r}7|y(utHphgK^GWx
zQyhda>R*T4@`#`P?F=o1uA>=F-8YkbS_8KuaP5HGEA+6Z+Sz)w7FXBN496XnNol}U
zPnU5M2Ial_WBxXLm8QrW2QWpg#SUg$PVs<sV=BF5qv<+C^K0ef=Wn1>cT$gQ21T^N
zXu1y3I4%y+(gC5-b%@3xbm~r`J`sm^3|H478pqYCI|+9y4(~$2nXW@Lj*COI9)Qs3
zIz;0TI&~*eS7%Z-!_{?&#&LD(PQo3KNw*khx(?AeE)LOL+luy+H$jIi%2(uCIqz+H
zy}P7CiN>)%`I;TM=r_wrGa^V@vp5S4FnIH$zYBn6G4nQB7A`vP97w6Qp2-qU0Q>cj
z$LL{)HxvDRTz1=t?&yKB_#j;1H$Ct@ogF*e=uN-36$3PH(l5Kn>7PW)Ed6Fkbo8(O
z-Rer-A;>4t&*1h&3JpUbdwP-jhheW+`eh0`M|g*t^RO};d<j-bQ*PjMtMV|MsP&}x
z!^HsMt1I+bIQGwVeALS}fx+Jrnj0=UXmotkEB~5934*XS_)BhgFx_DEz*O)j?;p>*
zLg&Iof3uvgM5Jpt>YG81?Zhw|)K2upf0#DEo#=x9VXc@q6=)_Gn{ruxv&Ff{ZhBGU
z9e8HjI(>%p`OGYH^X^hSvriNze;0iG+U}26U6kR+Z`;zeXIbTm+jwRY@7AtgdGhX7
zbDzuoE$g<*%ggWRQwPLYf6>{oHsKwdezn6hODhuG=h;o#HNriw5nj~C3!1)j<^E#7
zat)rDt5|pBPIh5bvz-w%zrE-Zd<t8vOy{TjrmpCh@9J;`&&=0PY0%f=l`8PuT|8Ui
zxwKVO@3v!tkN05z#RmRt99eRsy?E5nC?PI3g=Vc29ZL3g6tDEO!cX5c_ioO90mqx|
z)cI1+0#Rj}lsx>4;VHw%(5OYCGv(xnmUK5)RC_Uy0H2hh6T)JmW8xB;Cx4lkGW?4;
z_M<p0UDMKB2eJ}{|Dz>^zYrTrxLNB&6@H_pdx2<2pDq*4soiQ(&8bR{U+1AnS<plD
z@Oh0Y_>$>+xA5`T;OG<sC&vwqON>j7P8pf(O$Fmbcc1ESWO#;I4Njo~vkIhLJ4AOr
zc4$Y@#90Ex?-6(p9v+=Aa;PMPAU05R^6+Syv`lP3yRuPc-YpPq=vKDamwqk~O^ip!
zj!cT9iXzOYluhfsT+y0VEfbqi@*+Mr6>VRJcOf~VyNH1$xl++`(TK`&AcD*sv7a<&
z&I|B;02WjYEHYOdPI>#mZF;t7M#mK)aRhK-PT|F};Huu4(A6T0zam-m;O{0b7uBzg
zA75?Mh!vt^wZ}y(Kn|$x<WeYlY49;36U3LJ<Ge=?9~>7Ooy`6j8=a646CFFkJ2`HM
z^h*xjqf^EwFp$Kd32`YSsS*Z6J&G{V#f4%^M#_dgdKkB4)YwaBI{A%QkNQ-IPBeL>
zXhLP{MK24<u7<{?cqfibjE$=X7dcY=fW#s(m?o_kn^MeT(UmF+#fH`r#^AUVm^6?E
z$9a?A6A%v_k6(fbUoW;{g0r$5KDbK9!v}l&(R>&hSs5D{)1o4=RmmC>9qQ0u*-+w`
zWw7(IW#S?-D;7PgDeLDPF@v1eDes^ei;~=2@s(lKOY4#s%f(6)$2hjWs>T~FJ$f^L
zr6KEl$R%ev{xaVv1~7~9rQ|;_7se%9UamCs9{#Fa3oBY#EH+~*cO<)YfRi}$U5?42
z!<TagDyGzRqu7O6q+|=yza$H2$l&}aYOUzTF`!yUGP<CQc9A`14Nx9kR*J@SXEhWB
zG*_lFA0}ouW<qtTOTLH?`#VBokJe#Df7csoV?3A4$rs%W$)O9Lff7K!Y{kEz84qLT
z5L!`oq1b|^t`}454o@7z)>9&Wej*O$>A68XQDqqIxd7O*V#eEz*t(?o#qb##iq00B
z6Kq(TP;Xkt^kUW#)6Lx|hHwj4z=KN8Y!o{tm{qd>=!N}BB2O2iMvjiQjjgA6^e&sR
Zebo{Bu@zpv>_36QpTS8K?_zZ0{{dHts}cYJ

delta 49623
zcmeFad7O>)|Nno^8HYI}dzP_giP2zeGYm8Ko$N*ugTY{oooq8i_AD1(_N9_7J5iF5
z(ncymt57I~HkA6^AJ=uAG4<B_-TQO<e7?8eA6>T|^LRZUujgyuu5+F1=!dhpK6oYP
zoC@WR6{<J8$Knn1rxeOnZRM`9-<G+Q^Zn>dal7AI*t6cW>kG!eS}c=C*ZjGiilx3f
z(`OqVPe(Y9$CLIOLI56}(#ww7#^0>i-=k-Pha@KS9ESE&h{uxy`z!Q&;PQTl3&FXt
zv%)#y4~SR3&yq&zTW9fj^27V!dzG-~(4mP#dwM*zEw49!LU+oNdV@L?fisb&AUqKc
zgZsluexCTe@CUGpdDZ2eE<fY)Lik?dXToa6MC&nc#nf8VJUiCu%#J!RVPHxU?R^Ow
z$F#>1k_V{u5mZvS7gJ^7TrLku9GWs<M51RGEiHz=5mxTYVfpn<7@9J2pvUuFZl|0!
zZv3F6-j9)Os;4%BsvqKJc!Pq~J6Bvz8XD1OKuQnKRh*RZIk%!i@;MnEbM4#Ms&J1X
z2|W{sdOXAKbNpX~Rgrt>E5#pn{dd3tPZdvEa^jFaiIqK`V1XxaR7)2YaE9w!SmRKW
z&et#>wodyV$eL2f$@XR;D{Dy6)OLlPRt!oSk}!<olSix5Jf6yooLV!iZ{k3;xR7g?
zhSlx$NJj^x*-ga%$D$q&6;8VVs}kGkQ>9<)a*g6nC7y(peo(@&z7hQst+gS!QqPb^
zzTcE^TAG|RFlkW2(4oiC)$*tAchde0t4EHw`kazZS&zfYb8IQc{~=gC{y=Gm3uCJz
z_F!w`ZGu(a=jd>cwAE#t46edT_@6Q=Th^(_pE63TL8qv~_roeEIP*tai!&8VeT`+L
z>JLpBI52UD$Fmt*-uuftJhX4ZkU?~1?g}0cEls-~;qlO0Y45|Dp}SyOo@QJg4QqWp
z3R7TOJ(tVE402jdm?@BU^Fg~dscGj3XpG)*c@NCwOMBYo*|28x7?=CF+!5AT&#&r?
z!?2+Pl6p|l=IH9jp^3>O)S#Xz15zN*tJR$T&RN}Qa1S_}r=2HlH!apo9MlIdu69vQ
zfsNqo=rOP|9MmUb*kgkdhpvux3LZ5qabPd}=VQz730OTj$_iwzn3^rd$@Rlp9uG4i
zZ8uyTHZG5JIUZI&)^IrtR)5|mz4&uj{dvgcwQynVnQ$1KT-TXy!EWe|O>I(Hh{?TK
zxSrwloPlgc#62V!>?Z64Ye0Uj=~T31L#LwEVO8`#mw#&D*dM~G=pL7sz^dR_m%G8L
zXg!-#J!xeKsHWLq)%0q8hfl&Pcq;v_ejS)NY8dtO+-~mZ=Ujdh)(*WL){I%=^5d}P
zaWbrl(;3zTX$h-=RmCc}tSc0SwSYofI|b&mj%Uf=rf3_-eJs_m`^BwJuN2001oLLV
z&{3*ZXLJ?c0M@*0)!r$tqHAAw?NU~*K>pNRs5+H0!I~7Nqtm<RVO25>R^^Alnk=_F
zIdy9m@9=UsH~Jh{>4y!eT3xjmG<@J=JyUum&c<K0{SwXw_w1W6pg-{+d)?)<u#3mT
zhLP6(5og$jW0%0L+|^mXC9u`2J4v7l)x=h3?ReO!ct>mva{yMe=X7(@UngD_{}{dx
ze$C~2365X5%?$gs?oP{s3Gx!51c!P!6Sa6xr-eCSt>54ASHG?%L$&;fTQSqisaPP<
znHJ-*?^f}p_)AZN!$Jx8S;sl8BH6-H8}@bDcox>6j8Aep?L4f`9|-GM=nSh0KlO8#
zN)38coxA`Jz*k(o9)9YBljNt)-wTJqD`E9vQL3P(W`^mzd($o^I}w)|p~BWCs&p{L
zDf$IiS$Ab`)!a-@N=}UE)x*;YTbogd!H!?T(8mV$?4LAjJ^rfdumQdLX;la3LwR)d
z;-Ddk!-gd#4k>`Grg~vDaURa%#9m3ml2Qhy4lO#&nOGBvP=-BIQu-&+#Xk;o+Ps&{
zmBBD)_IsWl?&#ma@=qMvV|dblUY@q2oW7_9tIcIx&gt^4k&b@e<zsL@Zcx(p641n3
z>$2r?s>}Ud?&NZPmn*tl7*+)XF8?&bvCp}D9M(MA@A4*>mx@z~nC1%eX{j6&IXDK=
zE7c}?Jf*So!`j$xPH=b%tO7rUHQEnOat8I!Hv)wwJ44wkvBz*7CCT)#uEV6$1l<hZ
zm!H5A0_uU0u)6fyC#*Bsi)KAN#W9agv3&PdNF6%OnPh!juh8jEHGW0c<a{1mydKt0
z(O`x%qxubvu<tSxhV&VfFl1<=?u8Nt4E4m!bmEix3``lqfF}-R&cI)}dO|<?g=@+z
zd%dNm4JDvzHl+eN;Ne4(A~g5nT{{NW)T#)pA|+iuGu!Eh<FKZ90d%dFdtpuWOfE;v
zb=o^1aRhUZ!v|aOIc+ZNNh?G^8T3j_92Ai>)N?D%ak!RdHOo;nb+6^*yVd1E5d%_s
za=Qp8B_|E@Y-NB|ZsO3v!xM)*<_T_<2@9Nhb1xmydq6^;p=4VEziCVkwRfj+;_EDO
z+7$(>8oB{YP8vF_AGb=?bg#V(#{xtwTkLeuHCT=_;9T&AB~AtA!SZXq)R}POu~kr?
zltJui9?wKK-IQg{2#<y}qSco>>BC`la8Gp2ALq`7+Rml|a-87S_}B_3LHuf`0y|-i
zT<?@25q!GpTX2;V-(sb+Hs62B*;<>reoLNq_QCScI1PCLf2HR`!;r*2iK9AVtASy}
z=WIwID*?6C>n4~@2I}%CGSt!<`>a#Ym$2;FYn>s#25YFlT5E;pDw>*1zA{H6=YxB~
zYG?;oGpqruV)jvQ>1Q@L9oUU@iZ4!a(tjXc^$WQ6&%~?PPvAoE5m@=JgO%Sr_&(h$
zc{e-4WCV5SNLU%yaU9Yr!CI-MV2wmpSRHel0_ER$tD|4WRzp63$vAB@EWc&2Dl!FD
z1%|lX1J0>UF_M7xmV&URN{Vq3JObyz4(=(@X^vm7l%B(eBn?b#NPK?cbMA8dBC$2K
z^1`|q%M7a_zb<qtHXYUgje}M3WH@Ikfnf=Q5_$|s^d#<f96Au8inOD^;&5iTAZ)$h
z@sxt!+T+|NjKP*)aFd*lt{%D!E8S*T6<G)ufQz~Lyh)+5^|>)sW3~e!KfD~i4{q|Z
zQ(z3NnwH$}B&gupVX%58JFFHaj7p5?$;S5kKF9tM)=-QfKlynNI{9Bb;N%<pq<#DV
z{VzxR`2*X`Asm$9Dp(1lUUi0IDz<7o$mMAsr>E8(b}|lq&EdYV#yWUs_d2$-4gK-p
zymMf>Ex!AS`TyX+Oda9W_^u}=EtyXXHK``Sce@3+(-LRs{_BSPKRNnoK=9-r$Ixk#
zniKZ&j7ghGKw~r%R>b0yPD^-xlrSKnSK>@;O~O&Idg9cF&bqF0%DR=WXyuBhohh?A
z+Sx|_{E0B7$MD`1=@~`5rdH|GJDT11WR@LUi@xH`84+5e^WJ*ikHd1dyD@3|(^IXh
z#VdtQ+fp@WgR13>RlG#mCPf#2{Q0Q8`7XV>w9?@l6GKbCRp@G|lze9Gq%U(8Uyvo2
zZ|$z0bq?KobbZd7TgGPpvT4aJS1!hUJMiI66{j~m8r5Oeq}Jzl@2Rx+#UeY>N?gq9
z&0-}z80W2Pt>^Dp>k@zWSmh$(3RcYI@id`w%=tfDVb+9*2fQP#^$~G_H}R>1kIx$1
zH_97jm8%d(Oj3n7{{cU#t%wRS-hg!pb(mGIVqBn47W?^MT4pP<LX`I{Ydu=QP>-i7
zd4wpBKufGvSedMC6{Eb(t)xnE-UqDp{2gFj;_oJ_Tx6WLh?T_O<<|PhxWIP|R5Lrh
z@~mN%s~qQ@W+n0Wb!$C;{njP^HqhU|;|y8@e7)9Se2K3T=MAwg@wbUpu4-Ih45Lvg
zz4VRNdbHDM58C-Fjo&I)EzaB2N~#tYn88+FD?PUp)+Mw63!<j&y{&4Lx4xBBJ<dDS
zT3<abu#*^-o!Qz}Jt}Ymt07hnD>5R=+uKTtit~TK8PwZK?i=H;$%awOx<c=bu*yZp
z1@>aAk9_Ktz^_>Ku)OL;e=Gx3OR2o0t#UQu0voVf6H5<L&MhpJ>hx|blQlNo8tYor
zh+JR9s&1znJU==VLrr5~D?|mV=X0z~R%GR<Kq{7s_gRq(qBAMV+7uDv&1|iYi3`-Z
zFF2apa2=1OY_izd9Klju{B}0^*xl7r#4&dsvM$w%^Uko!)sFLCu###sFW6jFSG?)>
zPSz!2)?4Lb;{vyc(X8{Tg^b1e*f{TO>k@yDTIJ&6{9exX>Q-{)7-r=9xH#`P>rz}?
zU>B-Nr`i!w{;Zs?&8&zTF~0U;)`qy)z)S>|BOS%S`MwUb!t2I*`&dbJwI0^jjq`n5
z*t%RdHc*?>OVy(AxTwGsEOi>GVxj{3(&Hj)L<N4qQa@#~CtGc+T>Ut&v6AY?`Lh-C
zc-mXZ{cD91&>9P|lwcp0vZk9ONbXu$tZj9p0!@m0JdKF6S6W~xma=w6^%E?o>Kd$y
zC3r4sdq!4@4ox@I$(D7gVVv*B5>|Ml*g&QGom5%Wzk$A38jXN;EjB8!4a+Hw0r&Y!
zS{o|H2AY-(PVLA>QQlS7`o?jAFI+9uo<h%-$}psXudy`vEOw?sWNF8820s}~L&zkh
zxMNryv7F|VF5`4VsJ$WdbS*lCF4~M$4^IY>irp$>g*S^0RDZxJHq`F7L0Hb5iyRpp
z>KfF6F1?7QQtc@fs9x5Y5FUG>jK)&u(*d=j0()F5vo*L{RNyBpb&fNVm8_%|nsDn|
z#Q8rhM@L!7)ndFAt#U2n0^P$so(gy}JE}$no^&n0b**u<b%}USd1rZet!s6o3bx16
zQoZXITkwb*>*3;7EB$gd-~!gAR&oBS6xK&m-M^GjPdoG*p#(eBt)j=%%?`bs9x77F
z<LPQ^qX~6UC~!g{yVeZ8zfvTh>8vZQV*FDHwYNhb6KZRRDloTN+oAF4p`(Oa*;?T$
z!B9U!Eo|-i^pLM=P-{h~kzxZ+6LQxRE9fkiJ9#6c0(q)Aacp~)qr8t=>)Xc#=Ap^M
zo;lukt#TdW0!3MZTG}3a?2@sRqsNM@9p&9<UFs0$z1J$&G0s0I%C39e82>AT>RAz^
zYK5|JoZ=afKpiZtBno8j+)hv@i@nbTe#LSNt{CO7P(vB8L;D92YM}i$uu~yBwNA1d
zSlSxcrJ4Q}m_M>YH1L65ShSQlt+qw3W$)Pjx3MbOQ>u`4sdJqF7Lz&Ay3#qu->tTW
zQ=ymBLq({(qm3oh)s8)#9;zOvAy$gH>7j23b+)yJb%LQ4ggV*UkAyndp>cIRp1M}@
zgE8Kht)#ATzT0)J4P9e7(k^w43yfzGQcrbF-6;PatQuBw*BJjbLQe8V^?7oxi~@@Z
zQC~Hdra#81mzZvSiq$RMs?DBr$6EFW>ldu9>7Mb8Gg`Z_-1$ohIh$m(`eSuYPxtB{
ztRhWmc6!_}tPbhc8-K8hG7s7X<Gh2dOFiNO=h0Xe9O2B)z~~lEUXFGA4_4WhPR>r;
zI4tGmSnvM9D%r~8X=BF?ZXX?r@ld+sA*|*>iwT{S80YO^txt>#%*82&7&bEQIo`I)
z_2wLAU(vi~5$GJoV%<1JdUsft@VJcT%s~z^e>kPqu_DISvex&B^L}Vu;xG3^ed7Y-
zs4M$}PM!);zD@0{ekrj&e|u{~O02&}dyl8FwJ9aWx4yj<J}B0olMZZbMGT4wbRwh)
z&wfe;W?`}9T<cXVHmNjchrf=+;JR_q9i5rwq<a=i&2X$6SPTnQxyF%Im!YFi+_()`
z+V*WvUzT|5@{rg-`}p*;fbD+^7UQC=gZrIdu$Zk_nwGVhBWk6+TK&mb(blGzn7|rB
zEC~)Vwf;h9Ys0YEK*@)lt$=f+MwGt;RtqblSxn$EldzwY3B?V2#N&B1X!+m6>TV^k
ztCfja+{3yuvQ{Vo#y}m*c99uZ^#T<jZ3`?K>sn7?X=8EXzQiIk*Q&>YQ7_oHw1I6{
z-JQ4w(V>LYUMH$6mb07bykDDcX{UQQA()8@Uw6k^8Xbz^taL?H>JiK`GAcS0gOx`E
z$kF$H4=a3hY@l*ak0%b1y|{LiZ*Wg*1L9^xR-UR%ju`5Ar!~>Ng6*b*13R$N+wCvO
zM$y(vexg<=0d<v=<S>@gRZ5brcQA>p1gvyV|28acw5rAU^YvjOS(~=h3MHVbQ0d2_
zWwdqjCG8a~CWX_UK<B<rDR%1uKVYewIT^U^dp0R}YS40j4#vEJoi_ounYE(=OR<zW
z<I6q7?^x<bva28EYuMlF_jqhzMSn-+#)2tu%C%@EOD6XKr(Kj-CCc9yE7ppr9}{?%
z5X;W(i(9UjGsdlxGmh~REN5y^%Rr`q>HYLfbZEMv25iM@sBZGrO0h0aj`fX9vBIB-
z4ZNF@ao*(}6s#=O^Ys~IU4A0g_sk$Gd`fKKBjTJP*~ZOv#lh+j9f?B;MN?UiHTdx;
z-^RgK_|#bc4~Uhuy8LB^Xq_e3jtM+UsF~e8^sjHv5G#CIY~U)Q+W_wUVuw1l30T{>
zH&}(m;laY()|iDk)C!*-8z?`_<Ef9x%_6s7dWf&>!gdMl#;S_NF3AXfja37St)xm+
zpww_DYwp84MEQmdw>Hd(4QxTI<75^Y<^LV4iQ43AJHqNWGuEFpipp8ZGh_U_3AM08
zA&&(^52c5eriZ>t4^<gWYwZ-{2$3zh98M2q9~0C%q=%NLhc2XtBE|;&hNp-25#olF
z{6fYBLrv2|v(rN-2r)$X6&xQ7bxjYgP7hrOh63eMJs!>~=M3?^lxAI?7aMqZqQ}D^
zX)-cp-^OAycdZhSJM*8(&1!fOOJhkFH;VFo{J0f9KQ_>0l5^bIH+X@?SXv^uXg`@`
zUB;!<WM>O^4zli8m2n}@$D;!CupY!BIiJ~Ho@`xS5bMwK1gEAZbD$$3?FG*2dKOEI
z)A=}Z1FIGmAKa=(`KwOhu(BeUhy4g?mY|=C4#lX1!ACG|(=K7TtGjZPKXR%Tq~>@E
zA<c2tIeoC!wVXSn&#<amn<~cm^GvgE>mHBs)t_edTO8{jkHCuN_WLD5nrLhd&7uNf
z(}Nu~m{psEr8wsk;z8GPTI8FNzL8RJODw1Nu5F4A#i&j)=cD9XSWXSKazkcXmzT!+
z8qBo9m&FEBXF3h$EMt^*xK_X#%&~A4OIg}+z6P_b@a3_A)w7)Ahvx2!4#iLxv%X2)
z@=0eGus=fwEG%`UJ^udJ6=x+s9uvquJGj`k^^N9p)a4bifw^dEW)}Mn{ydfj$39;J
z#pk5&JM01vW5wDfs<Reh$<zJ}=lfue)o&Fa(dRk?#kAmLpNv(>c2N~~VL1tyK>lm8
z?70##&nbk7JS{5F2TR?@q-z%CTRzX8>+hwzT$>UdYB^o%d}M8aC4Xlgk9IA;y{o^5
zr3yP^mTA6YaX-P1Uk^(IV|)5XV=)UOVgh?zFUsf8y(t|prW89@#Rb77pj|x$s{wIL
zQ3h-WmhyAT`WmYrmi?K-w{f9$c}=YEy0OBajrFxyWc7PCHt@uv;H05C{#US~tt+)-
z{5J@(MOTaogfDguMG9wU--yL1GV5;<(%hiKxCg4b#NN<Ybh`+tx%PqN{~jye&Zq0r
z^g9P8>w2u#w%4_l(V-X`A&Q_4<(36AR)I^f_-I)xCUB8ZJ*PlMsP6J$G4zl>6|0V_
z<=;=Jqg}y#E1c=a?#~CyrdUpDt@jyNoY<9Pd}mfzmp8`xl2%*c&&B!=tyc5Y?7&k_
zPjVZ>c~ti)>oU=)h<qOAL*ErbkJtq^eL9$A3!%171sSxe&jgz>_;hq84D#h;`c6We
zcpGblrpIfD%d83REqI4wG)wP~Jy>o>)6(l$+{dt?RC-ot4V4MZBh=pUC#xIMgQ@*1
z*OIZ_qF)GU<~wsVYF)a;z3@=1s=+w_T3ObWr)p&)P~Ex`8{^NlUJHd{eJ$5p8@9&=
zRv~n>OVJ%2Mg!Z>$Jv@2f=9Wg_#`aXv3HdJTddaBrr4N3>_+GOW}dJ}AIEaMuJwuz
z#c*1z`H<(iU=*8|KMAXa-JV^99<d8$p7?TYvNr6B_4nMQc^L6Vtxy6^pIqz8z0~Gl
zm9A}#4#m(^U~i0#@~zlxU4A~+e-5#|Mko-qC4Ki`qNZYLV{#6-{aB5#SoPG!zm<&a
z5okxq@nXmETUhKWjP@}?<jQ<1xy?ywFPA_Pmd3~)3;!-GZgW{wS+)nK(6)uqp%_hq
zMf+D{J!)6*cS7+&J<w@KdRBD9(>tv2y|IDoh?VVnUVAReUuvh4CP&5uCK8Hv${ijZ
zis6n-?I?fAU0P_W>R>{x?fkcOhz`Z*;S@G4%2)DvD|}yUpwIKp$4MH)gj<HC70($!
zhn>Mv?>Y@FyxX}2V<%_p8iZAyIQx#+_v~(K!^^S03%jk$P}MzF`2JXbl@~N$BldGw
zMd(pGl<!6LqO>GJjT8!OA=HYj>}Mu{+gMKjU$dgUd+nU8y_#xDb&imes@zK+&%>mm
zI#m31taez=2k}DtoLOf-%JsG1XZ1T6>sz(Y+Hf#7Fy&<@9To2v&GV4(L$SV?{Z_w2
zv4Q#fo%S*%T0{j-VyRm8ZW$=`inA{Gh&duU6r+Yy<AYIw)ov6A7d5$nrM2lCv?UH$
z;fG`Wbq+E<_Ow_?sEeKS8t3=5gVyE4v4IMQoX0ABgTU=@f2^9g<g_9?Mg`VjISVp!
zA2%*oZlzdHO<zslAF4+A7huKPA6~C0L=FrbBi-<@b@}yJ-~Pi^_>owDvDX+z-5>cz
zzh-SX5*v6AK^11q$@1RU(>LSh(R{7a?~PdhBs6Zr-iYzPPpG98@pi3DM--5hoE~~H
zJ(T4Qo^RN(Z3#8CLrc>`=hH(GZw6yWq=)vWheF>9#<ochEg{s{&hKn`sO;N8EhRnl
zJfVix6)I{6RM9%`*q@9DO%8?vZxX6+w|(2eD1Y{&ny{PVVtkJtwKg1!^)Ezt$l7!)
z#(#kj?R~FSreg|7N=*;FogOOqt{Se`UWA(3p-t(bpVC8d$Ahs`(?iG8LxtW8#`a7P
zJx7SgGvxezdZ_06L2W{M=m?>PR>b?YGJT+c60}VZne@=d!H_TVgtg&BtpC{)_QI+V
z<NM}>6@D_-7k<*}cal#|Cxe@>Zej2F(AjkCTWw#153TSIV|`OTwE96`eQ0g?FxDS?
z%07=jWQQW8EyBKq^zAui^*a?CxPlmsXg|2|*FG(0J#U#nsG04oljbd~dRW{>v!t@0
zah8B{gVqMC5^+p!YBV7|jt4=$!)L61XKEI#>aov2j}N8>_GPoR=1j5F5bPLNy&HRp
zV?pRu1>FSLxwMCMW#mlQ@gNsS0!r5p=n~8B4^)d}pbO@+mlOCOvoaoNr~db>h7NZ9
z?yyt-T_PM$IjY7(fm%2cD5KFpS4LJv#sKkHpi3-!oD8mi;ZlxnN62wJ5WDrV*=Hqx
zTr5@UBsX@l%TK_%GO{0ghOIiRbTfgP@ubUhVCi##u8b^wo~=3@N_a`ILImuDOI-)C
z5-bBMfZI<`7QoG%ePv|z+d3fs^)7FKb={3Kqi?li#dL@Y*zO8qWymRRXZXCUXJi$`
z!E9e*rGLRO|G@Hl5s3G?@nZRNcG}lI4Tx%V2&mxKfD&*9*q2!Pn~wPhmLD6m?avNu
zUt;;QTiQCip?!&^vvb*3kW+(!j4a2KKs9A6v9G_w@;?K_AKR%M)*`>|+JEBee-&|8
zT`m3|c&*x>6)T|}f0hMq$lwyozA3iGeU{&z@xNl}%E+qZZ$PXhO6AobmlgE!NAoV=
z>UU!;jC+ZfOAgmB13N1&gMgdkDBqlJ!dz}bu_}}Yz85ax>i=^tPcDCvk#?Ta6reK7
zh^>8}JN;G8Rl^m<m627gXjlI~;8c4<tmPJvk<~A;=$cLK-T40vR#qL{{5p8u4WW}O
zWMnOihtU<)#f=v$_y~Ur!=qe1BTIUWKT1E=jTfsy<6T=UJ53w10u$W`vFu530G<Ua
zqd9K8SW|ETtc^sk^DAl@f8@7P#-CWyDp&tAr)Cs#;<(k#Xa}r{?1EL1mtFk;tO~s5
z+Hb(}dkfYjR{XoLDtOY3KjrcnSN|MlZl!v@C7_yLbNL5YmslD9<mxwF`xiG}tl+Qw
zQGs5Zm5+W(au1vn&JGuWb^4Ts`OotJf8-Z#+l>E%1e8G}tOT*JF0u6buHG8XhTR3$
zq#O)uw-^O$ZRwXWy2L6V6;}F5uqry)<tJcWHfz67Kp9MT9cIAFcpl7up85RA4L=L3
zW!qhSC!7`gWmrS>I;?_@z^cGour9Ieqi*~$R~Oqi1n;`S-B=kOcjNyZs{sARRQ@Mi
zKIx_tOaIWdGjOUMaf%3K@R95IvFj)<fc}GP|L?Q2U;iH#K<(WIXz0|+GEf<{R&3un
zD}bOzmUSb<3YK?mvAXa<Sbh~;T`aw#YyUfzUnTtHTE+EGRX`C{VXfDiZp7VK1=n)p
z#Y$J(<yco2Yce)=ZL!idb#1ZIHFNA#J0PLC>mZih!nHH9q=(%2*05Ghd)M!7tb97S
z@pogNZU{TM4q_#UckPU<o_W;O#cEM^*FVA4{|+nv9<IOGr}@{*6~uB#bh)?7ecX7l
z;`_p?KtI>+@5YO@L5+a(!qZ{((35Wb-Pm6LvvH8mJpQNv%S|9waG`696>nTytl$#Y
z7OTJ&uzKtnSX=LNZoF8*E&NdfwuRWAOzeOivD0<f4OhV70<10cGOU8XcKI7vmst80
z*A}Y+*I=d7kK+|})8$`b#p{nM;LAk+E0D<*GQ-L+i|ysGT9O@GEy)M#jJO|`OBwzs
zeOVd*ft7DL{KVldmrr#A54s!y^PeYDe_U3A%Gf#+YQVB<!fIh0tQOXDxgpGdo~ACh
zbh(Yo9bE1V>q=EX89wX^V%c3_wX7?w0=mQe=jr9@y<I)Y<pD0IxIDz=;VzGY)q`oU
z@|_6tU#jN`{;I$!E>DG3;0)KE3G<(4j%&|#?FF!gW~s}oVO<$n`96iN0-tf?|HzEL
z1TC8_urk~QtET&4CEO3|%E-$26*vAMtf6?_<+owQzvJ>zSAQSYCDxtRIXFb?|4RZ&
z@RjQzR`6@r{yUrp|KIReg;g6JHuu2l$s8`{RxP>2((}QoIS7;@pty1_SAf+MRbka3
z8dk<NU9RPFEUYUd+qdhk-u^$c+Rq;TpB?{?{G9UtPyw~HBNfUIC%YB<KjYN@!veHl
z40H3($Qsg7=$ZqmV_b*3u_onM;>F`!Kd};~!75;itKW^4ZmJvqXC_MDsokeP_T;KA
zh0ErD9x4uYkH&u<Dmv3b4;M9`<~gR#+NJ+_sQAxA#k)Q{)I9mq(?{FZB>Lx}BAxK}
zA2R;)P*IcV-#vWPr26Nf;wp6m*FO&x|9PnBx!c1;O%CarC;#qYqWl!E8_j<nD*n5t
zp8q^l)Li-Jq2fOe75{mt_|HSde;z9S^H7mziT^xQ)S>u)^Yrrn=MNQs%ki7nv%7I-
z@0V@O@E+dgW>jZycJmG)-}fF<sHeB1Df=+WxSl9Kdd!<rPDzRAh4Qn<jP8XpwF}B8
zQf_)ocp^&lBPg>HQGW55Gg2-}sofjpw#Q8Gjk2gK$`vWUdrZwfC`}$kS>DIn-0L-$
z`gl8;8xmUfMF=sA`y#CChHzVg-!x4^i0_WDDG4EqxhWwu0ikO@gn(J!4`Gjl?EMk4
zna=$Y`u0HBCn38D3_vK*lTh*igdFAt2}dLpNk+(Jl9CZd^+I?@LLO6aAVS$hgmD8A
z@|iazoRSccf{@=lmVz*~H^L_p3Yv0*5Tg4a%o>CcW=>1ED53UXgd%3zV1z||5w1um
zW@-#UXp)4md<a4bb4kJt2`z^rlr)QnBCP9&a9cuY({va@e1C*Z!w?=YHzkA)K<GLg
zp`1BB8exxw$)gd<n{s0i`X(dH8iNpFPD>~-5TW*1go<X`ScD@Iu1JV92?+?JQV<%B
zL#SfrjzcIr2;oNw)lA*-2&W{h8IKTUI(J8yIvC-$gc>GS4}|C;2pv)pVoa`42p1(}
zpMX%?v`Ir)G!)_RNQ5}EUP6;$2#NBjYqm{5xFI3mM1=Y#VIso1;YuQ*p~>|)Li`AX
z;g2IUHU}hxjzlOu38ASOJPBcsgcA~)n-Y@|`i?@FJQ<;-IWD2VV+hrrKzPVZcmm;w
zgbNbdn8+yzqedevn1ayGoRv^^3_`=H2p!DasR*Ye{3xN5sXL87Q^z8#nTF8WT$2zz
z4xz(zgf3?FbZ;l`Bj%>4t7$U>dep2Jbu-?XP<PW=lwh`rdYHg0sHaH~^)fGr5>2ir
zq24A*)W;kU^)&@&LrG?^sGoU5)Zdht0}U{biIUB6(LhsfE|g*>hz6O{qQNF|9yG*E
z6Ad+IAyf7Vwbi2H!_8a^;gp0QC5$w6=c}z#)Ykb3kC|%{qNl2@3lPSb)e8_VO7Jg4
z7-!lnL|8NpVV8td<249PrXwU8gb8LFf_I_`EP@_438G2n1<_=aYcceMNfJ#l2Sig%
z!6nc%Ggvg;ydj!lN-TwDn#V-5%yH3^rra`UwwWNBV@`|an#kqQJTpyXnX{t#rp5|r
zftf2>XfBD2sk;(dWEP7Sn`@AXw$#>DRD7vfy-IDB;9rff+_YJ(w$4{uC9E{wr_|O3
zYU@)7tIakEHzeeH8sTY^@HE1@g$RcwtTDNsL5Md9!=FJ|YYs>VU4&424Z?aecn!iH
z2`40MG$o!z=(`wU^0Nq=%y9_?mLODHi?GE^Sc`B(!UYN2OyoL*QA-gPtV7sg&Pph|
z458tAgk5ItdW2IFew47=)ZKtEbveSC4G1roYZ9VYAavM>u-B~Kh;UJY|2c$xrp<E*
zi&i4+lCa-+Hz71xg^;)j;egpD;f92Kn-LC~gv|)+RwEpiaM<M9f)M`{!tgB!ubTrB
zLZ3z`y%pgNGk7b)9tkHTyk$ykL+JYq!sKlT@0jBf3amk>wjJS^nXnz<h=dCgj+@9G
z2&0}wSg-@(eREbq*|i7_cOslHb9W+~lJKL14^7=&2vgS~tl5Qd+FX+my&j>%^BjX8
zdCgPL>!_6C-;MH#*R<WOqjCevE-9aRjc<>R%8e+Adr;1L&2}j_q~v=6<(${_cmZYI
zb0~+UT=1IQFQUY6LK*%d%2!@<P)g`#l+t@qE_uz6y(oL6oRIRh*WCXSO5ZIglV3u)
z;x+F{DX<l#+CG%;yk_D)lp|6uNV(=Um0v~~wGCy#%P8M_%@<P2ZbxajALU1{nYSP1
zl$0N({OmRLUO}0<17*!CC^x<4x|HahC>;)<{6ha6K)EQze-Pz1{c{jy(Jqu-Qhuj@
z4xu!89wqS*-Rw2n4$;jwB;<P)A;cuSim+}s!eI%1lj|@-{2qkihY_-v0}?`CKq&nh
zLck1u4PlRj6B4qS60alleGy^u>j>G+aR~+X5~_9tA%~f81mTE;3legf$Ttv1y@asf
z4TL=Atc0@r5E{OTkk8D06XBGEA0^~Bb>Bjm`ZB_rw-5@NYZ9XOBXoEhA<V3P8{wh^
z|2qgpOq+KQ7QKS7OF}W@J&Mre07BwXgc4?(gc}m_9YZK-5{@CPJBV;tLTQuhU4-~U
z2*ck+c)%Qx5c(=Y>Ej6H%;4h)dnBBYP~Mby525d2gvswAM400e3cQ9;?R|ubX2Saj
zM<iU35NRSmKp6Ep!h#PFs+hA9${s;zcmkoCnR^1^l!PB8M47rL5vIO@u;wH}4RcLG
z^qUABK17Hyt3O1zD8YXUp|)vr3SrS(2)iW28SiO?CT}Aoo<^u^wn?}lA>SE<`X=EF
z!n$`54ohfga(#ple-vT(M+lA00STeU5K4cH(9{h67-5fu6B3%65}zRSeHUT!CkQRg
zaR~*EBUJko;UP2OQx1vN=Cr7diTn&|Yo>|XnX{tyrpD(`2QydH(OeRBGIh^F@n*58
zv$-aE*fjkD>S9)lxN#75HEqs8+&GB38Si<B8wXK>*(Tz~;R4jtB#5|i5G9&iUs6o`
zX{tK>ORCz(9FP!t2BGv<2uWt}S2%L}AnI>QT!grN5G9-AB5ofpK`CZ}h}#FzU=w*6
z;`Tu_)SML!Gc~@3hMT#f5$2L;q^bK2G|DU%J!Y<nMw_NrpfP5(Xso#@8fV&k3ynAH
zMXAR79h7D|izb+DBJLEfLXVpS5qAor$tKq|h&u(*6mvktox*i!ni(wOPC+!ol=z<J
z_x)01`8~~_WsXZI@Ri2$2ZY&X!VfrdzaW}xB7cOqUl3X5?2q2hvVX<%d7eI}={2eB
z=D-ccxcJZBCjK0JE1y+%e%YCJPyN|j)ypK^cf&iw|2nT5-D^i$-5<<k`rh=$d%NsD
zaMQa#gc?s^_Y34J;rvUq#deqY&D-DSEwyWwuanQ$rrPd-S$v~2DP17=|3LU~cXAfr
zSDB^x?SF-S_k{AkK3-G2pl_1ItigZhecce#Dv$3qf8XI$TIH9w%WqN67wT&~V%L+t
zTV7jeeV;GXza@<p?V9VOspPSHPkvt$uYbx6YQB4L7T?kksR8$&wf6Mey{WJ-&g*Tn
z`$`dCmr!Obt+DLPJ}=`-b8`RE$^A}o?>WMQ<teTNKNHNEUZ?wl|EOxu0ZA3~?}zJk
zq{Sz9k1y|gGBsQ1ESdbwW{%G!JQ0$|4BGAsPyOw8=Tb~V9Q5^yzB<trw3SXTi|cBX
z!AEbt>1yn1dO1jMr|D|qYI=o7FQDsc>S}sFOs{5h-REiMih4Lu$kuqDmm3OSp41j@
zl->z0?MAh9HPxrAtF>}9)hGCc$3tjphrZ<ak+80|uBNvzZ@5|qSZ&sCReo``j*gb9
ze^6S#N42j`uA>^*z}4biEf;q1J#_s~EcE)98oh_Gu0gJ!-n47)YJ*)(Z`-N^bq#T~
ze1x;w@AncI>WX?hZnCP%HO$piP$o3>#&9%^fO@uu`{vYRu3tekz4WYWw5zGJ$Gh4X
zR|`YayNBwbvHB5$%F~Zkwkc<>ajsT`@D5iS?`lQS^z%Di!L-E)KSI2&G+4pn;5ncM
zO?1<iApD>T<9giHQt!ve=Ze8!LX<?)yM$_`eifliN`V-+#Y^49nlF)V>z27%8MGIu
zv?{;c)gB-m{K?%4G_^_dil5y%j{=`^9m^rU43yw$H2(91gZ-|y#`P<YeE{gvuP)^G
zAUFt=cAcw55Y{hmbZtOWQ130j3sixPzGz3Rh;bAs<L6w*N`zkp%6OBjh0Z0w^~zE+
zevj{ZY7$|+ai`Y=^(LO)LmUWFz#uRf3;|U^HBcQy0WBLZ@PQDJ3HU)~kOhQ-0LTim
zfqOu9a4*OKa)MlXJ3BXlJRmQ~2kry;K><(@6arzOFen0wf?}XJC;{#VB|#}r8fa;2
zDgOk123o>5!7ZSr`zyE&2GWK>o<7d6hHGQQg1Vp{s1F)|hM*B>44Q)Gpap0NT7ic^
zYtRP7gNH#E@CfJ%9tGV%cXQxHwyM*Vdj{xtH2O`=e((x72o8Z)!C|ly>;lgN?GEd~
zMxcS!KpL<JECx$}rt>PW8ffRxP7w*JfoM<zWYtd*)-!*!J4^vn!89-(=+|TVMOiGU
z1L}f$pgw2>8iOXFDQE_ogBGAA&`%6=10M(hnL!qChIW4pJ^`PC&$LuNCvX;g0nUN*
z-~#v(d<8CoOW-p28hit;fN#Nf;3~KVnDzR{9Q02v*za@dWzh*>B6u830+YcLU^o~7
zMrw}hz1vP89&`o|gD&6^&=ouix`FN>0rUVpK`)R9dV@ZoFGvFYKz}d*Xg}5d*%q_|
z`W;6%pr2DDfmHpLrX|qtEP8;Rpg9;%E1JROL1*wV=n7s#-wt+woj|`ZX$TsDnb@;H
zMZ)1g?{I$uu7GdBRd5}A4}JtcWupIoCU67%0)7P}NH_{S2DHnkfk|Krm<seJ`AP60
zI0a6FGvE{OIXDZp0&V=;fj0YR!8))3^e2yGFbE9MtLUSs@nc{GSP52xr@+(T888pb
z2Md4!Pk?D)A|SbE7-$dLf_9)ExX$eU2<TU7Z-6&}-tBk~ybts~$O}x!={jz7py~kC
z*{HKn$Ij<Oo&{fk^I!v+ZUmdaX0Qe5=a2?00{Y2h8qjYy^-h+4%~~GlXo>(8Kt)gq
zM1sno3P`QWpK72whywamZeF0{>pqYl6aWQ5ArJ-%gCd|PC<cmyoZwd~bsO9QdNo?_
zTkCl1M_2a(4}u8rJn_3gV{Nug5cHnwY*2}?&c4b(KXF(FmV*^wC0GR_$*>A22=xDZ
zEDVZ(qM#Tk4oZOgK}m3lH2N_>PLK-(fd2oG*}!y-{|pM731$KPD&ZISDfnsdK9%B5
z)&5cbTKI9W1dIj!fqrH9Hh2e|0BK+X7zOkjP94xMfjwXw&@We`K@AWC?$u9`-Xh|6
zP>UKRQn+61n1iifnd#R>OTluWUnVU8`k~Ms@B-KiUIP2TL2w8h2Je8Q;23xpyazr2
zC%{SYG58due#W2A!CCMHI0w#yHNZ;`JV2#dz`A8=2d|@IlYo9lsoz%Kqye|UKC}Zs
zcLvMB3h)5%0R5(`DyRmkgJ@6#@JpstPd_s44`RT#h*v>g!jnn+9(V(kC6ij{`iawZ
z@I5GiPazNnii7(>Nl*%u270%@Gigsz$rpg`ksbg~k(YjG90xM#r_kTwd=uPKA~GHe
zo&dU?)bDZ@lF3x?F^N9`pMuZ8=in^(0-OWq!3FRo_zGMEm%wH4HTVWx0pEh}z*TTf
z>;HS8Ul=FB=iuD%a}=1Ba5iuc$PRS(*j|;RQttwN2-RKT2ly5tO;PXy;hOlC1p0+a
z9H;~8f_k7nXaE|5Mj*8@f0}@%pc!ZmT7Z_I6?h1=25mrF&<@lFRj7yxdl~EpuYiN#
zUGO?M0*-;V!BOxkI1E-&G3f$6**sTur@)nSyYBwVq~<0(18EwV3bdq}g5e|_21*fs
z56A`Lv8jhgzhKw>K^>rRtqp1c?R?q+wG);Dnnz{8{U88-A+0v6pTUpddu4asv%B(P
z-=qFi9qK;-T5E6kKe^!>uu8q@a?lPXN8MpjS$jSI25U<U#(zv$+hfqyT}jYa`RVhl
z?oyNoaoo(g4vO>=)(0lt&gizr4@v;t>gZoy&_1pGTKl&BFDt;>lXV-U36#}D9`ofl
z4c_tP%%wDn(?98;36|ZC3#fdxHHX>umM@Ptr>Xl6bgyms<)7DhkNLvP=kM?VUTO2%
zQKfY(6bCvMbUf&&(2*e*B~uZOYj&M1!D0&8`4`kd671n(gmtJ0PPyeWrck}rzS2N#
z54Ka2J*!=p62UG}J>;f3lmfweIBwb1V{);pXt&DyK(M)IkNWZ#2^OUyg82mVaN6Q_
zOo?D;s$%Ns;6MZ`=ag75qnj#O0jP8*x~`&w^$a#qx#^J5dRCG@=d5O{A?n{6=D<5t
zTW3oZu!>>S5nl-e`#aL)dfS)B{CeDXPr)eksu|*{5!M|*7279ZcME1VyK5pd*8R_w
z(wqx6Rh7}E<yIzRvY?BiV?hBs=X@Dmv|v@RGyPIK66^q41Ff8g;8vg|Xb$RvdY~C-
z0O|vM7HA9_f<{1}4_bispe<<QayyrGq<10Q89YSzVR$GQ;^kl(Okfa50RurY7y$Z%
zejo|-1${tokO+E#o}dRv0Np`1@F?gC9s#ke`2%oOxC+pxA{|VXKmkw&yrP3i%YHbH
zE5IhO52S)+U@3SB>;lh&#h?cM2HpvFfU#gZ*a!v_w*gLoqrrN@&w@4J8L%2W4d#Nz
z#7|N|kAcU*L@)u22BW}8FajuE6_l?E8w19H0c0>9P6Ly{Y%m2p0j7c{!Avj%DBW~0
z4M?BmB6SV{wLD{s)k?Kci7YS=ECBPtLa+!d0mZ4na#$5q_$gQ|Tm@DFKUfFWy4V75
z16#pnKyRmdo+F?L31W5i9<Up{0A2)pfif9EAuq%GL21TMmA)TtfZmyK3Bnql;;_bE
zYf?Q|3|q&xj_<;t5XcV->KU3Q!+ju<gq46YP|Ne7oq|6EC&BCBAW(*{fy3ZcaL5h6
z3%?1DfH%NV@HTi0yyHUpF>u1Q-%|^Y134?QGKIef%Snml_yJG`!Fa{J4^&~r2Qv-E
zXRJstd>X&JG$;@Fl(2N&0NMYS+?)i01*rBpu<r#o2&*#L3Eu;PmHHJeSOFd`cmm)P
zv`{z;I8Qh;d;z`%z6XA6^+YDv2fW~%#$RW%y7qVQ8@LUA0hht&;0y@X_+!GV#796C
zP@$gzwdN9#b{1R&Ux6=yD)9x7kK!rR4y(7$YyB%Cn5nu{whH(&s{m=iN~mQj{A*X&
z*lVcN)yh0LjNcGeI`yXV{TciOegr>g{MB9RqU%7lzXH_iYv3yQ4txugi82*utY9##
z3aId#;BLL9VN<15VO3Q5qy}3PjFhO_%TeLrj1GoXfaZv7RYqN^iU;GBHiRJ!PH0s|
z6FC?!f6W8gl#!aAkrJx=vyoVl!7kLqQ6)4)8Fh`lx=~}Ril`TY!>6>Gj6wfDhqV$E
z_ol{QEeaN<nXH+sNQE6I$49N!rjh2d_KFCw3p=A<7(T&@1cyXgMjw@@{KE9XBx8g`
zwMMh{DKalbd`Ykrdk1)s@Y8TbcmiAjE(apOaBQ7$np5E!^s;W8^ry&E8=Q7bJwZuT
zhC%1@ZdfN`P*WoLsK8)GiW`NlLW7zLuZ-QCv^v=ufrg;AfUfOV+iooo18M>uPNv#V
zz|>vQ2-U$@GSb$oby^Kp#u<Ak3Qd`5AJ=B0?OApcpaL3$f}kPLnGwue`8GgP-bzys
zuB-iDdwU&>IH1CUW0tYd;CN|hG!Zq6v*NFvOtW2+R`a1Er~s-FucyKF(S!K}S4}W~
z<(Wg{AKdfrw#BNDMnK!85~>0!Tx(bb2Qv>&;=i0|`1S>TKyT0tbS96~<^&!BEkG;K
z5+s6NpeN`75<qv*4Ll0Ef=56X@G$5M;z1|S5p)3UK|9bEv;nPw=290GN_adN=ku5;
zpZJQT4#yY<hJqnLkLm`26fh7Zg8`sF=m(O(<KO~aJQ1D%%Bb6cKDbJsg7yTM1SY%j
zN;3^i2Qz^_1oODBy#1)vLYN2UfZ5<lFbm8Db++?|D`!13{!?F>-RnN(eIIXSGyikn
zz{rB^37Ln*&u#hOiO+rBM<XjlR$wmdq@j6<88hyqV}0_zzClyPxsI5YXMF{ewDa=)
zTw3ES$>BX}7CY`Ht?Eqc?8JnBc4O4^>Ahd{dB4Xu7fLQN$pe3PvrqETHJ$R`i77=)
zHe%i@)-rZYn<<6w#8foLC@##N`#6-IzV_bD?aseLanThjSE^9W)7gZ4;j3a=f8i^{
zO9%bG@D=2BfyqdG!~en;zHTMeGhrm%3<uyb1!8U`O=;iT=MBc}HZkXXEvvnT!@Y7$
zH22<~^<D|es9d3P1(x6k#Hiwf{f{+IxOQ@d-PlSMqBy6`zH`2UzVChJ)Hz>e-)}y1
z&v{=9-%lat;q$)mfIky=XC%yOW}T-MdK9USSQI{bMZwXlW|B`O`kNBUn*-;4<$2TK
z%6Z?1Vfvrhs;ZH3&y*hfc&<YDRjE)#{|B{~%x4$K=r9ghaoCo<==o{0)<@VCqOz=S
zbM_nGeVMp@KW&ar3c0TsnV)mL!`7#Mw)v}FJQ{ekY6S}Bu+D7eGzux;yOG(9{nA%}
z_oa?~O9$pMTfX!atX3?G(;=NVmb{#O@`#s6SDg-FdPESDlky8!$sJw#-BQbmspiDg
zHn&O2yDs^^VhHw`=AxHO>Q}y9VH0VSYF*-`yk9-^W!x%KMLW%(X&$;rfeUfa2wZ>t
zOrUyv%ZfO-^YIyCRA9p|Y9D@S**PW^G4=@TG|NdE_Nwa;Kj!BPc~Up2u5zHRAMln6
zH9Bv;mfsEhijYyk+F5<ovpkj+ze*LN<(JPCyM$j+Q{$4aWmtDA$`hotKuWFGF1J~-
z*XJEi+m&G^vs!-r&0f(&llp_Np!xQauPSf(smC+XueD6=%S5&|oi5Y-+Gd8VHfGIb
zUrXKu9XueUAa7=7{~B?ZdEjeb72kKc%_Cp?T7+F?(W#5FE<bx_QkHX7s2(#=Lp8)4
z`kH#(&gV>x4&A@`{nng>pKOOJau{aHe?tRbWWK2nGsRbK|4!x&hjFOp4E8;yn;Z_a
zY}J)Bdd=VV(wR3tvva7VxpTsFYaDW)zluFCHh<%*%*&9>rk1?(TJZ|Q^RFqH3@kxz
z@CrD+H6=^A6)m6MzLq>SaGcdO&A2PRrPZ!51+~CeJh8X_y4&|YOLtbofkIOXIrVLj
zW9!;sv)-Lfj9ScqgqW7!`l=MZi9;@u_L}*8$E1%}eCyU1huitgvTuC_?%pSrDzFzh
z^EvGP!p>&3G~e#ag(knmyE6>By`E~Aknb3wdM4^SI=3Bu+Vw8C={ctLjI!fxKf4))
z%*yZRyV6V@?QLzRo!neBzL{o^yOJuK_rLR%4~)S<)5h^P#jmm}9WgOi8R_Gu&0xm;
zj7h<&cA=;<3I%iL9?-sIjt|I*QB<>kBu0D2hI>x__Iv#kRf%zD@>;V`8ErQoUZt`%
zigN<vS0~?Ri)!u<9fzNWgB+eTao2nev%Xh?dkP%BDPf+x<||P6sr#J-o%et1U-s#h
zvTg#V&d>KRY#LI4x28V2MkD8xbgH)QvENdvtO~1}$=;<@x56gJbsXY2rE-$-jay^-
z9*m#A#^)`IqSN3ZbNhQ=!G{K7Y7X}5eCXhc9IO03Z)X%{ZrWIw6`0oH{clQ*PRZGs
zI%o@^(u;{v*G6W&_H}rpyqSF7$tW6)&&@`aS{PGZdwYO)>!AA^oFQpdC+S0`ZljR<
zijv6#rJd#Tuy@%<jecG^2p@Oy+dc(({W*dPhV8*m^?fcSa_4|=dul_k;`H5WlYoQo
zY8f;3d#2Xs6smdKs^Y<?3ch(LFOJonLJONMIPz|vS{!zlf~z~L&T*jNjl&rIvL=%4
zg4f%cLt&Z7TIcU$*LI!yDDEX^zA-PWdYo+~tUnH_XZNN(v)w<fgWBxQ65AoadGiNf
z-WpZQ^UwgVKc8?py}_9Mc&OXko_n_c{2p66`n=DegqehDA^CW1E#gOCOtt0@I!*0+
zb8K3sxLu7YOY@1{pd&F_fuA49_uHgXea~m|B3IGE?_-w#NIS;hpplwz%=bXM$9?1O
zILtQ3ao|<<ujRJ~Kh1(c&&KYVIOgk>cl_Ql#eQN{oWntL|JIDUCC9(Nc=#QMo5ZLm
z*6;0p`RR$hN8E|YX_84AR+djQn(g1kf3o1-X1ns=aj0ij<G{<2*>B)C8b2KX4`m7~
zlAP^eLME?P7kh=rnD6Ab%k2NzSFrH=_!Yyi{`0?la{Q&0L+|)qk1(-6b6Dm!gK>1p
z=c-|UozBUaUk<34e^U>qqU=d_wdb3<H`t+^dFg%C%%&05u9k7;`SJJ-?>7Bm<psvd
z-6L{Vca~n3yxsDSxm0fpG3@QyXnUAXZurXku2(l%Z~EHv`fRtG<kTq2S#}$q|Mj6Q
zvE^^G*tK)BDYPR-gW7Y+a~JER^wP~?<qA<+s(s9+n^b9(IZF<_R{0AQ7W{veUugC1
z`uA3x<tAgi+p()n#aq5UVZYXNwx0&wuRJjO)<kZ8_$T$19Z!(A-6Eq-<}D~}aEx=m
z7XSU&AD(@4)f#nt4cl*~`5lL9YjI$sPFs|6;oYAncQ|y%;Sezz+e+Jq&OH9rxovl1
zJ~u6YA@AEbu)U@&u9^F_{Ey5Sd&eQnOu&J+jF-wUzLqoiWiRH*aj{{6>v#M{nqxRr
zGdO6;wW<^GQSsD4Pu_9Z?Zzx9R<-|cQC&mt#C&Lq{7Mnc%&gxiqI+GZ<EPxaZ_+RO
z7kujTc0|$HKi?d{fwyZvg3O9veXV$7_R6pH_(@aZwl=5wrq*pXr)&+Jo;sEC>#nFR
z!|JOjr$@_}6dbG7!$JMA>64GIzWhKfdk#Ae-Q1Xll`f2|*?9H)can}Z`$!tL1PAq0
z&uQacsXw~yFLxaFm}@xj8;5La#!vXEBL-ioxNP)K;dYlhMcilNaHv+jq2oYp*MvV4
z`{|vGIugTClUAY6#dFUT|A=!YSpEO1i^_*>X~rjcGWys3Z;L7MyDx^f?YsU?U5hq%
zI@tH@)i-<h-BaG@)jbFc##7eJ#lc(EY=rW(#P1&Rt1_?W=mX1FakADiAO7wuQLQr(
z_C6PRVp!htRy;M<@xm6FOpG?J74bDs`VRFhdMD=b1rZ^1C-K}PrOmmz?(Ie+-Y$73
ze*1z1&V@G@j0q`N_#9r^!<szdY4+gSc<YYW?dA)%hExvA-@-Y0UtY80aFb0to8;AM
zt*ZN|2Nv88DHvIU_%Jf4`uv)OpBKwHB(FD|*6I4!zG;td8RrCOZ@PLzN_ay}syC!O
zKUUZ%>$LH5H>*>%7PlEXn#-SfddTtq+aGav8}^i<#_J=+b0)$Ua?N|6DHcLo_(fw#
zNEL6mNyZ9`YU^xB_qWdf!|j)SkLLBp*5<PZH!2OyYPq*Fd*zpapKfRNy}heZ=;B6Q
z?o@q{`3{F_4^ZFSICR+>8lRXnX@Jvq?Nn(b)yK0kc`}_^v9ZtAJ4INgb|&&(i-XRc
zv~G{g&hqrTrR6|6u9wVU9Jn`|0TuodKaG;VPqY4?Wh;MHehe<xZ*9#hnL-M*zOS8g
zVo%@yLe7sqJ~vq&Iy-oH;>MI~aHvkM!|QG;rm`K=bHLD13bgyQ%egL}q-C==QhSSS
z)!tmq8B)3MzYY%dt6m|Rhm-A1Y_5=SU*-;`U#^g=z9AjWBe_Eg6i(~t9EXd$UC+|+
zYJ(O&FI!}VNE&52nmM^cdi&1vGojoeEqt>(nP2mS6flqG2`LmzZl>o7DP*3@6OudY
z(oRmdf64DP@`O|lx)-{QuFdHDH!l`?rTA?=-(N$y2gTIMP2whb$*x(v>6MrI&xv;?
z$k8qL$1HBY?Eo#T>g+_z<IQ$Fe5)Te1Ect$x#Qu5`MA^EX-bp|$(LE1|7#DMcPkR}
z@x!JSQNHUBn?a@EKo|3FEx1G%Gp86_vx})z0q%${zu{d>t6B_Q7gMx0&3mPENTX6O
zb+I2{-DM*P#<YLLyiy+b759Za=zFP)>3)Am<*dO-r*i2f1xt3*_$qfbgYt(w`d^k3
z2<Gmz**se&q}kud!fmektpuIjJ$p#*f2ploJ@Z?Izt!?!|IO)UJ}(&ZXyIVB{&nuT
z-SSrj`rI7;MkB6uH^qxER=;;QX<^LTya~=OS#WZE{UZKH^`Xc8$l{E8UVBD_Czzx1
zu7|f)<F9+>u0L72|5DvB*dG-<!I25JDL6uZzh-#8QZ%GN`p`QyZSXH`KGefJRpj5S
z&<d4u^fXs#WA)-ao$cv#mRVnQnlfu0ZPSexYxu8Y{>vf!bEVz+8eB2sdzm_w>FwZJ
z`_l?4Y<fBOO|N9~zV`X>-ly*L=feMP5d{nQL;23w1?%9ptZ*RFInlnF9`=a0TbX=!
z%KY=#WvoNVe>XXuC7xji$vAiZG&8h(8vW;~o<0qnO64_M?+>Z;FLNQ|XvO~L8v6S<
zXLVT4b~h$%e|qYjrvIVe?(B4b>bvxP=)a%c8Eg7Cmg%4Nz2JOucGv>GKkv|gnpeJz
zBlkZq&7D+*8}@bXv0jS!zHas9hv+sv4$?^)9NYg<d4FRj2HPDRhhY0x_BHpEW?k*=
zYo5%wzWzhMg#Gn;%P@J}!7Y4}W@lrwd#ljZQYraN@Ch0R`q{o_UX{Of?9@v#Y4?WY
z^K(brImuM0%DFo*$+Wnax{psXW2<r>F)hjDtQJxr>$D{2lfn5U^G%MB2EOZ#?zeRl
znIojg!W^7Au6qXAccq_cor4^I>SuOVyOU#VFh~2>W;De2;ovk=w=y@`!H=d3`a2IH
zF0PxN<K)TAJe-+~k`rI2wh`u7&Jh1!l^Y!WKkXYj$qSjZ(2xiJi)H>FCj4Iwc<>hG
zPYWR9-Hbao|5t|dFKYRx(u2#-cQM&?ugSpFOE9Br{+$Cpeb@Wff-1!@cibL#oA-Bb
zTz(vAKB!G<eh(TN8xo#1M~XA*1yW3{SoHEKW>9QM@9OK(HTGfmhpcR~s;ct{gO5|y
zJukQ^W-o5s_j=d{eG8z6tlTUfOfmPwkw>dRrcNA9?K;RjEW5;D^Q3s<P;*c`Z>af6
zTy&TTuM<+4f1jXhoscTNr-z%P4{`Iip-xDl!ru*d$}d`_QNqR13+}%&Pp6GApV#3;
zUpm4$(UV@NwXSOB<S+F^sj~g3eUlsW)xu%dSI7Od_fE|I5vD?2(jIp`s<(Li`PK7w
zj=tk@ju?GdsZ?)Cx80d@`0m8~G{TG}ZQ;O3$75=y=lXWbRdduGkHRC(R^?t14}A_j
zlBKn2bTRqh9gq5MOo3asBHO-MJ@HOVr;+A2rS0!}eDrwlMv)889Ju3=>c)iUE?dPr
z<J{^yG1f@aq8>F{>v~u*-<0e(Ysu6*9(zZcG(4&w!$Y66R)kf0@%>9ZAHL&po|yZH
zX&d`)`NBnVt-TX-Yos}<v^hsP9vd4absZA-z_L3YW!#tn-JkmX<lGl{QV<-8TBA(i
z`qZo~9{I`r`0AWRUM+j+p*tQUQcY_-s!!v~a`jo}3)k~>2+2Ew@vdB<itZ<u6Qi2_
zymfx#kS-&>A%<tXns7T(%?hP`6ORITbX<HsEl1%M+}i~|_h(LXJ`eUj9k;zhL^QMb
z3w%rATP)3dqqNa@=p%XJ%sesk-rCWF-1Xf<bv_RgQ=FJ1Zy&u}sP&^2?xY=>W@<KI
zSDv4?JFP)Tyf^F`u6lm^YUfHnXPx={Y<se@D0uzKY-<vd*BomT;`iN3GxzdsURb6H
z&S$scBbsd;lDF9_c9Avon8JAq?z?w_c?8G8Yl}IDPV4alUix_3j^}XX*^Lfc_lv>m
z1;|RrQpFshJ&MiUaoNs_M-Du>Ax0kumo6^#a!YIN4|ZDnL1V=U=2LR79)pLz1;{(&
z%oiQrKD-7GJ!GdEO^MNG{enm420od*b)y{<shIc)W_$`w=!1uLhs5!hMh@wGR>z@k
z11Q)2lB!_!k*-7K0Xx2b^H|?LIJghorx2qB_SNRc=63pmN3<%osxn_P!EA0!#Wv%i
z$+Ep*vE~Qzl+1z$cNpr;!^G%;{Mo4=4cpf0%}`>hR$wyl64wOtD`^Yg#6!=;hQ8Ec
z<7QuuYqp1-HvdFZsR<s{Ch~e89vurcIbQ7AjyLSw?QdJBOfbEgaAXdB+{|ebQk<s_
zj9o$BgOkkLN_dy=XY_$5D){}3uh3*us43gpw@;W>O+$`4>GPJbA0-@};tZ7ks|D2u
zF4}yLTPkfjJ;k(b#sh(&)69#_LUy{T>={%2*J;ime){~z96j5v(KoVu{h;=SPIr3o
zp-sm}Uiq+KH9N*GY5jEba&xNtJRX_=-`wc&Nw++q`ku<&rW?#K*PBz%n3<+b3qCx3
zHPe~Bi{{sP^@Ba}1@NrqeEmj`3~ND;gwHaoT7(oY{1+30`V5_AK5oI5KV_ErNqHWh
z?c|wou*BiUiwgc|m(KL!<+0i3(Uy1yIp<t6swK54G}k;Qz2sc;8g})Fxy}?D^}>%)
z{+dlS3H4!=g_)BWJ^R@4M(VtJeV!{#jOGWmAZ>+K<UyWIT9M~g%Z!!1*D?!Rg|sNV
zb-ue?*2cc_<>VgvPL7dxYxNtRh41o(lKU-I!U9wIA@c07(Da6@CogpB*Y~@f-?gne
ztQ>jqxRU3Mp1*!Qz&+u7;})8W%4_;UQ@Ayy{(1Ae^Kfm!Lesi6{rM}Usm;5qmw5I3
z52G8{ZMJKk*_fQeST%W#bIX{uR_zH}ymQvOy;6;rl!(#R+OKcp8zVoDalV|lzg}%<
z%r~v+m%rEq`F{8jW7@ajh_=5K=lk3?Aw@IJP+y8M6^7Hp6O6gq2A*xqijkb*_qXNw
z(=uaX+am5XCcZ7x=%6u^+J@BhMJ+O~NUyWVoM}rpOk8Z<?T9^NvDw-eUbff_N`$X1
zUO0~48NbA-|B1q{eB5s5tIyaivsdiAC1y@L95*a6k3I}HUur&;9b_j1le0aQ>AB2Q
z>X0FB^fJ@EJ^eOinX{6v?w&elap;9;x8K-g?^>?C$vOGDZv_<axmlT8Du+7d>_a)h
z^1_#!d%M$$=1ZO1l>#frES|NlJ$GRCjW@IQkGYwx9mu8na`Scvx+a**otEUwVsB@E
zO!Svs_~))Yw!&QPPwfh>G(|g6tH_nk@pm=tt=8dXZZ2_a#cteUrCHV!PdA6cJ@C|)
z|K_?WIZpW-e{!e(Lsptq%4-T9y16*>_<;iV9lfU2#SGQz`r~*6$G7k@667Yqy>%8|
z4ja=ho&;Lr6ux<-sTEI_`|!w*$D^%2Z+EFp*}8U?_ICnqpBMfBkNfb*k!i&j-6|JO
za|>noF0VA*$Iykr0r_F2**t~@(X~e(VTzXOOh4aVY3g)l7Gz!J9C^u0UMev+;pKy5
zqr;E`tspTvVzZt8VL|-!*#_GM@J$=H5vxq=eq>l_m08!Bg6ga?ACp(%j-=4tK;92#
z)_?igx30KVB1N}VCMWZ>dNLkb&8PF53c1sIpTAS-k;LdwZunTeC3_Dv%x=d-@^+EO
zo#WLf<DsYh)mw}%Ut#5U+?KGfN9x<&dBmtIN~Sg{_x(4;^<_A^x^vws^Bm<CegO|1
z>|>sOs9D11xBI%~;&Eh^`CKc=U9yEg!Bby#6e#mmiBIP&Dd~DfbJ(pi6}r%dz-nh`
z^46_ZZ}`DuAGsdP=i+Y6gl7)rK9gxyEjNZCiCS&OlD2SDJXDXX_vG)__q|&!?|8(o
z{{I>|+Nh|m<L<kw6;y=4F6gc<QL$D9`4R;iV-y4C5TjATX{z7?YupMOT#!XjSQ|v6
z9JMEg(WdnvD%cp2RwH<<9}qOAQWS}z(ID}IXtWx8QZ)+Nx$oW!xI8rekn`S~nKyT4
z?tI;O3l#_<IawdnCy`KT-`1iete=q(*P%gCIdZ1bSON~zGBw|$Dfr6u+n5?v;Xh@T
zM6J!~d?lwP{dpUdn-EgHovH5!Q+cmfGD^?Nkg}_F-42F%2%$#^x)n&QeNAhTfe!ib
z*5^BD5)@)Ir%}AwHOzRR@NOrB*pOlcJ*$L4%IyNa`!(@sv3T1z9<7ZD1NK<RASw|-
zw^K$hx?@DFo~6REnc%tIN<yg1O5tb%6D~S#Z7(zn;k&uJlbEB?X~qfn*2PJ37uH$|
z8_+X$c$l6yJ6jZGII@h*I^;a~uYYwyDNYH>E(3i`Y#GE@kXlk1j6pR@*=6v$3FVYp
z4B7OrQ15!AK$X{6x^>RX5D@tv(&n}Yk4$K5-<LsPB5Lv;g43<~WZwF?TW4Nx;xEK4
zBjn2$CM=C9rejs&QeHxbIr31a?S+gpNqPCw4Cb3pS*Wu;+4bn$l|qr);M*8;I!&mv
zV`dr>&P`}aXh^8z8Fe}Xi<R)0B4~))LbW0+JKq<o4pccq2+;_aJ81zk;Af&ef2+D2
z3YVh5Uler>J<CXVdd8r(7y3lOyV&F+QxI$DvR3LQXee)?(VOqMYq7+e>L{uL0%&F;
z&^XV0eFi&vOC_%z#NRJc9GN92Ttycq#}{tV%FaZNO+vn%zF;tCv5VV~M4WPB{@L3~
z2s}yXAlXHp+-Q4ajgA`}d}&U>xX~KXT6+$s7$mI}nCr-hG<yaX91AV7w{|3m@O32q
zlGL~qGLhw{Z&IqV8W}>@?S-5MsoXz@4XGIVN2D@4`~|R_(az*l@W9n5OrDXJgVPJR
z7U`md!QzA!J(IZ-+N_v`-*d3Q)4hwZrV3IPqtJNyEfrNknhp1gVm&OkM#`(84hwbZ
zWEB)s%pa<X(#WWxt_PU=bnc6|tM&NA2mKtltw7o29Du|4f@jfvq>m0jzjQLHk02uh
zgS420K4&JH4OU8G4NjyD3jKgkR_$|0xV^YLM-XAdn}Q~nhv3gu@W&}AcLn7Bj4YRq
zg~bU(b9#!!nt|U4&T-`Iao_pSUH!p7<?mV?-HSUq`i)tSs{8n@9GWn&^f0(P(D1)Q
zEVxAPu$G@U_NJW<UU~DXPGS`r9?>3x$P5xZuK!`?X$%h?efJ&tYz1QQ`c#ikJW+u+
zd)MFc_FQ%bpU~_ZL$f^F7$OB6h88Ro^%D`0CXj1KHw@Z7?k!P>V6oS=S;Y&x=cJ6$
zhaqtZc92a-59i$+%4V+{5~3P*gxOXQ`A7AQgaTSR&>mZGpo%S18y?nUm5P#GiQZKq
z<Hg(@tIe29G*cn1v}$nBYazAO)vzxUtLNfsCL8TL|GqkASZ%y48#$%JE`(&q$(;Z$
zlsOl(M~*g3z`SBF;?O*yi%<+-;63W+AM8ww$-iJ^#YPa7v8aQ2{VO$8LzNv%-iy_6
z&5oUu8;Cg&F-xkiEFICfj`nM4HwGs{)HUFnMMe$xsbN!6Yd5nk8eRK}Zia0}9Oo6C
zDtaDk7OqZN&?07u>Pom7R+WnQ$Lk$K548dsE04qas0!9U>aTnF?vI5nqMAcZJu@M1
z_}qid;<X(e|MN-ntYn#Ax#|mF1a8?lP2vZ?&c^n>Guy&*I^SmwR;QtXMXvvQE)&^U
zzKA^N<(^;iiE2+8Ukh!t6y$YLN8>?6e<3ZFMQM#_YU*;PmWsaLq-L$$--yekwJMtD
zi};s*L1<78CU9~&861{>j2WV3@Ec)!&p)1mZ^q$XT2^nwCthe&3DL!M`QBd`@d<K7
z8^k-0!H`@G5Zjh8C2HNKzniqMDFPw*<WHaD@OCb4jfKZq4PNB#cr9dJ`81gZek>BC
z`tmpwBaN``qel1^Z06#3gPGk=V1np(KdRlCaEIa^;Skl=|FqN7JL&=L`!fio6Bzd7
zY9{<P4|%_jxYVJQ{4Mtncl!99>BM!hLmEPa8SD(AkH@6ZRqBm(oe)YVFpT<CI~=CC
zafnN0SEITUHR7f;xf56E1cu?}*`c2UIs1s?ChFQ;1{l5WcjA`WVKPF59pn%v?mLXj
zw#VY6pjfxk2@Iot%?|4*?jyw2A!q%)BX4dg&-}6zSLp<X;f~0HONcAIodx$DByxCc
zJxe7%<nnKBKJwRH!H2?STHygf!KgckUx9B^Ix7p3Ary5dKWWH>&k)yem20T$SsBB{
zv$7USUFochK`81@rasmV0e?hXrL!`ItEf8}caa^IA+AB`tc>B}Sy=_8u5?z$AQW{c
zQ$K}gbQD+Vtc>9*>Q2UW&w`i_kTa#TGKPz~b09>R_#M^vH=P=gyE+EsJ&OmMA*$|!
zuX$%#Xe>Mn^@ytnyrzwn<-q~Q8c#w`P0{e^iIF@mIuO5g(&v+qncXQZI>#tw;a|Eh
zZcQ|qz6ze<f)r>IDKtn`$RR3yj$Jx^`U!1X$sTY5{>m$C$;T$K{DIX#FXsigt4R|)
z$tPAEYENBBLiBzYSlYAh^o(&+{F3qXh-NCtq$&#zuEc@R0*t6M&Q3pVaG9HP4nMre
z<==m7gu4h}*opuccO14UCmpKvc-qb30Anw}@B$nfoIiyiJ^adlD$Fk+lkxi|`VWc=
zNFe?Oazg<z;*TcZV}CqW5o6vbeOQC&<NbpxbgL@-O7WU@@#ZX;GuJhLU(Fu8ro-BK
zpF}j>sCl!rj>9iKuz%#Nx*yLs;WZWgj45&Twwmzut^D}}m++F3UDE>Y@#hua+C5*3
z)PF^Z(>10H-Jr{@UNp4C4R5@JH(=G#9Vh-CRPT$|I=ue$%$+T}6Gj~kg9hX?q83jp
zX+QE}Y|i$$UA_ZP;Wa(yS>YY)_S7r1`66D^yyaMU!t7TwBbwYJnIJrjm7`XZMs=m<
z8ghG9Wm7Bh`4z-B6D?f+4;cYt+emNtOEY=ZCCz3@wPaW_%`oI!Vt~buh!J91$jdP7
zGQxS?A)8?DWnzb~)tXR<Zy{sw_rrHz#wm}@cZnP9Z6Uv}Ja(7hZ{Z`97aY7o`h)EX
z`CaAHd!(^9Y-%SX-6q>i$(AhtC6=+)C8>$fvX%^n!0(7F%x))<mABe)ycxc~MBE|z
zG3f^<n~A=!$!0P6FSH~lo2}r{j%DAr9YhZmg*cJYPJYuXFd*Z-Z2G{9B${l{aFuBF
zOVZ8$Nv4#PL{ritf17y$y-v3zo0AYA?Hayv&^07+`YF-Czpj%(p23txvN^+?l;LlE
zKiTYWPKQlT$pm<*l|)jwJeT*(^pQ2m{PA0wc8I)AA_NO=kf7E~g-xww5={OHS-;p!
z`obZ#W;$EMhVQWMjC)LiA@@U+bU#Vs1#^k!W$<ky17M4!8OB!Z{xca5_+LM``G~v$
zw<S$f<#M8#mf||osF7`Wz7b11&2WQikk-#*#jx3Rs}Gi*@v%3I*}ws6jT*>nmi!<v
HO;h`Sz#V85

diff --git a/dashboard/package.json b/dashboard/package.json
index 9641b8b..d5a5cb5 100644
--- a/dashboard/package.json
+++ b/dashboard/package.json
@@ -14,11 +14,12 @@
     "@ory/integrations": "^1.1.5",
     "@radix-ui/react-alert-dialog": "^1.0.5",
     "@radix-ui/react-checkbox": "^1.0.4",
-    "@radix-ui/react-dialog": "^1.1.2",
+    "@radix-ui/react-dialog": "^1.1.6",
     "@radix-ui/react-dropdown-menu": "^2.0.6",
     "@radix-ui/react-hover-card": "^1.1.2",
     "@radix-ui/react-label": "^2.0.2",
     "@radix-ui/react-scroll-area": "^1.0.5",
+    "@radix-ui/react-select": "^2.1.6",
     "@radix-ui/react-separator": "^1.1.0",
     "@radix-ui/react-slot": "^1.1.1",
     "@radix-ui/react-tabs": "^1.1.1",
@@ -30,6 +31,7 @@
     "@tanstack/react-table": "^8.20.5",
     "class-variance-authority": "^0.7.1",
     "clsx": "^2.1.0",
+    "cmdk": "1.0.0",
     "dotenv": "^16.4.7",
     "drizzle-orm": "^0.38.3",
     "lucide-react": "^0.462.0",
diff --git a/dashboard/src/components/ui/command.tsx b/dashboard/src/components/ui/command.tsx
new file mode 100644
index 0000000..f485776
--- /dev/null
+++ b/dashboard/src/components/ui/command.tsx
@@ -0,0 +1,154 @@
+'use client';
+
+import * as React from 'react';
+import { type DialogProps } from '@radix-ui/react-dialog';
+import { Command as CommandPrimitive } from 'cmdk';
+import { Search } from 'lucide-react';
+
+import { cn } from '@/lib/utils';
+import { Dialog, DialogContent } from '@/components/ui/dialog';
+
+const Command = React.forwardRef<
+    React.ElementRef<typeof CommandPrimitive>,
+    React.ComponentPropsWithoutRef<typeof CommandPrimitive>
+>(({ className, ...props }, ref) => (
+    <CommandPrimitive
+        ref={ref}
+        className={cn(
+            'flex h-full w-full flex-col overflow-hidden rounded-md bg-popover text-popover-foreground',
+            className,
+        )}
+        {...props}
+    />
+));
+Command.displayName = CommandPrimitive.displayName;
+
+const CommandDialog = ({ children, ...props }: DialogProps) => {
+    return (
+        <Dialog {...props}>
+            <DialogContent className="overflow-hidden p-0 shadow-lg">
+                <Command
+                    className="[&_[cmdk-group-heading]]:px-2 [&_[cmdk-group-heading]]:font-medium [&_[cmdk-group-heading]]:text-muted-foreground [&_[cmdk-group]:not([hidden])_~[cmdk-group]]:pt-0 [&_[cmdk-group]]:px-2 [&_[cmdk-input-wrapper]_svg]:h-5 [&_[cmdk-input-wrapper]_svg]:w-5 [&_[cmdk-input]]:h-12 [&_[cmdk-item]]:px-2 [&_[cmdk-item]]:py-3 [&_[cmdk-item]_svg]:h-5 [&_[cmdk-item]_svg]:w-5">
+                    {children}
+                </Command>
+            </DialogContent>
+        </Dialog>
+    );
+};
+
+const CommandInput = React.forwardRef<
+    React.ElementRef<typeof CommandPrimitive.Input>,
+    React.ComponentPropsWithoutRef<typeof CommandPrimitive.Input>
+>(({ className, ...props }, ref) => (
+    <div className="flex items-center border-b px-3" cmdk-input-wrapper="">
+        <Search className="mr-2 h-4 w-4 shrink-0 opacity-50"/>
+        <CommandPrimitive.Input
+            ref={ref}
+            className={cn(
+                'flex h-11 w-full rounded-md bg-transparent py-3 text-sm outline-none placeholder:text-muted-foreground disabled:cursor-not-allowed disabled:opacity-50',
+                className,
+            )}
+            {...props}
+        />
+    </div>
+));
+
+CommandInput.displayName = CommandPrimitive.Input.displayName;
+
+const CommandList = React.forwardRef<
+    React.ElementRef<typeof CommandPrimitive.List>,
+    React.ComponentPropsWithoutRef<typeof CommandPrimitive.List>
+>(({ className, ...props }, ref) => (
+    <CommandPrimitive.List
+        ref={ref}
+        className={cn('max-h-[300px] overflow-y-auto overflow-x-hidden', className)}
+        {...props}
+    />
+));
+
+CommandList.displayName = CommandPrimitive.List.displayName;
+
+const CommandEmpty = React.forwardRef<
+    React.ElementRef<typeof CommandPrimitive.Empty>,
+    React.ComponentPropsWithoutRef<typeof CommandPrimitive.Empty>
+>((props, ref) => (
+    <CommandPrimitive.Empty
+        ref={ref}
+        className="py-6 text-center text-sm"
+        {...props}
+    />
+));
+
+CommandEmpty.displayName = CommandPrimitive.Empty.displayName;
+
+const CommandGroup = React.forwardRef<
+    React.ElementRef<typeof CommandPrimitive.Group>,
+    React.ComponentPropsWithoutRef<typeof CommandPrimitive.Group>
+>(({ className, ...props }, ref) => (
+    <CommandPrimitive.Group
+        ref={ref}
+        className={cn(
+            'overflow-hidden p-1 text-foreground [&_[cmdk-group-heading]]:px-2 [&_[cmdk-group-heading]]:py-1.5 [&_[cmdk-group-heading]]:text-xs [&_[cmdk-group-heading]]:font-medium [&_[cmdk-group-heading]]:text-muted-foreground',
+            className,
+        )}
+        {...props}
+    />
+));
+
+CommandGroup.displayName = CommandPrimitive.Group.displayName;
+
+const CommandSeparator = React.forwardRef<
+    React.ElementRef<typeof CommandPrimitive.Separator>,
+    React.ComponentPropsWithoutRef<typeof CommandPrimitive.Separator>
+>(({ className, ...props }, ref) => (
+    <CommandPrimitive.Separator
+        ref={ref}
+        className={cn('-mx-1 h-px bg-border', className)}
+        {...props}
+    />
+));
+CommandSeparator.displayName = CommandPrimitive.Separator.displayName;
+
+const CommandItem = React.forwardRef<
+    React.ElementRef<typeof CommandPrimitive.Item>,
+    React.ComponentPropsWithoutRef<typeof CommandPrimitive.Item>
+>(({ className, ...props }, ref) => (
+    <CommandPrimitive.Item
+        ref={ref}
+        className={cn(
+            'relative flex cursor-default gap-2 select-none items-center rounded-sm px-2 py-1.5 text-sm outline-none data-[disabled=true]:pointer-events-none data-[selected=\'true\']:bg-accent data-[selected=true]:text-accent-foreground data-[disabled=true]:opacity-50 [&_svg]:pointer-events-none [&_svg]:size-4 [&_svg]:shrink-0',
+            className,
+        )}
+        {...props}
+    />
+));
+
+CommandItem.displayName = CommandPrimitive.Item.displayName;
+
+const CommandShortcut = ({
+                             className,
+                             ...props
+                         }: React.HTMLAttributes<HTMLSpanElement>) => {
+    return (
+        <span
+            className={cn(
+                'ml-auto text-xs tracking-widest text-muted-foreground',
+                className,
+            )}
+            {...props}
+        />
+    );
+};
+CommandShortcut.displayName = 'CommandShortcut';
+
+export {
+    Command,
+    CommandDialog,
+    CommandInput,
+    CommandList,
+    CommandEmpty,
+    CommandGroup,
+    CommandItem,
+    CommandShortcut,
+    CommandSeparator,
+};
diff --git a/dashboard/src/components/ui/dialog.tsx b/dashboard/src/components/ui/dialog.tsx
new file mode 100644
index 0000000..c7b4160
--- /dev/null
+++ b/dashboard/src/components/ui/dialog.tsx
@@ -0,0 +1,123 @@
+'use client';
+
+import * as React from 'react';
+import * as DialogPrimitive from '@radix-ui/react-dialog';
+import { X } from 'lucide-react';
+
+import { cn } from '@/lib/utils';
+
+const Dialog = DialogPrimitive.Root;
+
+const DialogTrigger = DialogPrimitive.Trigger;
+
+const DialogPortal = DialogPrimitive.Portal;
+
+const DialogClose = DialogPrimitive.Close;
+
+const DialogOverlay = React.forwardRef<
+    React.ElementRef<typeof DialogPrimitive.Overlay>,
+    React.ComponentPropsWithoutRef<typeof DialogPrimitive.Overlay>
+>(({ className, ...props }, ref) => (
+    <DialogPrimitive.Overlay
+        ref={ref}
+        className={cn(
+            'fixed inset-0 z-50 bg-black/80  data-[state=open]:animate-in data-[state=closed]:animate-out data-[state=closed]:fade-out-0 data-[state=open]:fade-in-0',
+            className,
+        )}
+        {...props}
+    />
+));
+DialogOverlay.displayName = DialogPrimitive.Overlay.displayName;
+
+const DialogContent = React.forwardRef<
+    React.ElementRef<typeof DialogPrimitive.Content>,
+    React.ComponentPropsWithoutRef<typeof DialogPrimitive.Content>
+>(({ className, children, ...props }, ref) => (
+    <DialogPortal>
+        <DialogOverlay/>
+        <DialogPrimitive.Content
+            ref={ref}
+            className={cn(
+                'fixed left-[50%] top-[50%] z-50 grid w-full max-w-lg translate-x-[-50%] translate-y-[-50%] gap-4 border bg-background p-6 shadow-lg duration-200 data-[state=open]:animate-in data-[state=closed]:animate-out data-[state=closed]:fade-out-0 data-[state=open]:fade-in-0 data-[state=closed]:zoom-out-95 data-[state=open]:zoom-in-95 data-[state=closed]:slide-out-to-left-1/2 data-[state=closed]:slide-out-to-top-[48%] data-[state=open]:slide-in-from-left-1/2 data-[state=open]:slide-in-from-top-[48%] sm:rounded-lg',
+                className,
+            )}
+            {...props}
+        >
+            {children}
+            <DialogPrimitive.Close
+                className="absolute right-4 top-4 rounded-sm opacity-70 ring-offset-background transition-opacity hover:opacity-100 focus:outline-none focus:ring-2 focus:ring-ring focus:ring-offset-2 disabled:pointer-events-none data-[state=open]:bg-accent data-[state=open]:text-muted-foreground">
+                <X className="h-4 w-4"/>
+                <span className="sr-only">Close</span>
+            </DialogPrimitive.Close>
+        </DialogPrimitive.Content>
+    </DialogPortal>
+));
+DialogContent.displayName = DialogPrimitive.Content.displayName;
+
+const DialogHeader = ({
+                          className,
+                          ...props
+                      }: React.HTMLAttributes<HTMLDivElement>) => (
+    <div
+        className={cn(
+            'flex flex-col space-y-1.5 text-center sm:text-left',
+            className,
+        )}
+        {...props}
+    />
+);
+DialogHeader.displayName = 'DialogHeader';
+
+const DialogFooter = ({
+                          className,
+                          ...props
+                      }: React.HTMLAttributes<HTMLDivElement>) => (
+    <div
+        className={cn(
+            'flex flex-col-reverse sm:flex-row sm:justify-end sm:space-x-2',
+            className,
+        )}
+        {...props}
+    />
+);
+DialogFooter.displayName = 'DialogFooter';
+
+const DialogTitle = React.forwardRef<
+    React.ElementRef<typeof DialogPrimitive.Title>,
+    React.ComponentPropsWithoutRef<typeof DialogPrimitive.Title>
+>(({ className, ...props }, ref) => (
+    <DialogPrimitive.Title
+        ref={ref}
+        className={cn(
+            'text-lg font-semibold leading-none tracking-tight',
+            className,
+        )}
+        {...props}
+    />
+));
+DialogTitle.displayName = DialogPrimitive.Title.displayName;
+
+const DialogDescription = React.forwardRef<
+    React.ElementRef<typeof DialogPrimitive.Description>,
+    React.ComponentPropsWithoutRef<typeof DialogPrimitive.Description>
+>(({ className, ...props }, ref) => (
+    <DialogPrimitive.Description
+        ref={ref}
+        className={cn('text-sm text-muted-foreground', className)}
+        {...props}
+    />
+));
+DialogDescription.displayName = DialogPrimitive.Description.displayName;
+
+export {
+    Dialog,
+    DialogPortal,
+    DialogOverlay,
+    DialogClose,
+    DialogTrigger,
+    DialogContent,
+    DialogHeader,
+    DialogFooter,
+    DialogTitle,
+    DialogDescription,
+};
diff --git a/dashboard/src/components/ui/multi-select.tsx b/dashboard/src/components/ui/multi-select.tsx
new file mode 100644
index 0000000..266eea7
--- /dev/null
+++ b/dashboard/src/components/ui/multi-select.tsx
@@ -0,0 +1,129 @@
+'use client';
+
+import * as React from 'react';
+import { X } from 'lucide-react';
+
+import { Badge } from '@/components/ui/badge';
+import { Command, CommandGroup, CommandItem, CommandList } from '@/components/ui/command';
+import { Command as CommandPrimitive } from 'cmdk';
+
+type MultiSelectItem = Record<'value' | 'label', string>;
+
+interface MultiSelectProps {
+    items: MultiSelectItem[];
+    placeholder?: string;
+}
+
+// Credits: https://github.com/mxkaske/mxkaske.dev/blob/main/components/craft/fancy-multi-select.tsx
+export function MultiSelect({ items, placeholder }: MultiSelectProps) {
+    const inputRef = React.useRef<HTMLInputElement>(null);
+    const [open, setOpen] = React.useState(false);
+    const [selected, setSelected] = React.useState<MultiSelectItem[]>([]);
+    const [inputValue, setInputValue] = React.useState('');
+
+    const handleUnselect = React.useCallback((item: MultiSelectItem) => {
+        setSelected((prev) => prev.filter((s) => s.value !== item.value));
+    }, []);
+
+    const handleKeyDown = React.useCallback(
+        (e: React.KeyboardEvent<HTMLDivElement>) => {
+            const input = inputRef.current;
+            if (input) {
+                if (e.key === 'Delete' || e.key === 'Backspace') {
+                    if (input.value === '') {
+                        setSelected((prev) => {
+                            const newSelected = [...prev];
+                            newSelected.pop();
+                            return newSelected;
+                        });
+                    }
+                }
+                // This is not a default behaviour of the <input /> field
+                if (e.key === 'Escape') {
+                    input.blur();
+                }
+            }
+        },
+        [],
+    );
+
+    const selectables = items.filter(
+        (item) => !selected.includes(item),
+    );
+
+    console.log(selectables, selected, inputValue);
+
+    return (
+        <Command
+            onKeyDown={handleKeyDown}
+            className="overflow-visible bg-transparent"
+        >
+            <div
+                className="group rounded-md border border-input px-3 py-2 text-sm ring-offset-background focus-within:ring-2 focus-within:ring-ring focus-within:ring-offset-2">
+                <div className="flex flex-wrap gap-1">
+                    {selected.map((item) => {
+                        return (
+                            <Badge key={item.value} variant="secondary">
+                                {item.label}
+                                <button
+                                    className="ml-1 rounded-full outline-none ring-offset-background focus:ring-2 focus:ring-ring focus:ring-offset-2"
+                                    onKeyDown={(e) => {
+                                        if (e.key === 'Enter') {
+                                            handleUnselect(item);
+                                        }
+                                    }}
+                                    onMouseDown={(e) => {
+                                        e.preventDefault();
+                                        e.stopPropagation();
+                                    }}
+                                    onClick={() => handleUnselect(item)}
+                                >
+                                    <X className="h-3 w-3 text-muted-foreground hover:text-foreground"/>
+                                </button>
+                            </Badge>
+                        );
+                    })}
+                    {/* Avoid having the "Search" Icon */}
+                    <CommandPrimitive.Input
+                        ref={inputRef}
+                        value={inputValue}
+                        onValueChange={setInputValue}
+                        onBlur={() => setOpen(false)}
+                        onFocus={() => setOpen(true)}
+                        placeholder={placeholder ?? 'Select an item...'}
+                        className="ml-2 flex-1 bg-transparent outline-none placeholder:text-muted-foreground"
+                    />
+                </div>
+            </div>
+            <div className="relative mt-2">
+                <CommandList>
+                    {open && selectables.length > 0 ? (
+                        <div
+                            className="absolute top-0 z-10 w-full rounded-md border bg-popover text-popover-foreground shadow-md outline-none animate-in">
+                            <CommandGroup className="h-full overflow-auto">
+                                {selectables.map((item) => {
+                                    return (
+                                        <CommandItem
+                                            key={item.value}
+                                            onMouseDown={(e) => {
+                                                e.preventDefault();
+                                                e.stopPropagation();
+                                            }}
+                                            onSelect={(value) => {
+                                                setInputValue('');
+                                                setSelected((prev) => [...prev, item]);
+                                            }}
+                                            className={'cursor-pointer'}
+                                        >
+                                            {item.label}
+                                        </CommandItem>
+                                    );
+                                })}
+                            </CommandGroup>
+                        </div>
+                    ) : null}
+                </CommandList>
+            </div>
+        </Command>
+    );
+}
\ No newline at end of file
diff --git a/dashboard/src/components/ui/select.tsx b/dashboard/src/components/ui/select.tsx
new file mode 100644
index 0000000..ddd77ac
--- /dev/null
+++ b/dashboard/src/components/ui/select.tsx
@@ -0,0 +1,160 @@
+'use client';
+
+import * as React from 'react';
+import * as SelectPrimitive from '@radix-ui/react-select';
+import { Check, ChevronDown, ChevronUp } from 'lucide-react';
+
+import { cn } from '@/lib/utils';
+
+const Select = SelectPrimitive.Root;
+
+const SelectGroup = SelectPrimitive.Group;
+
+const SelectValue = SelectPrimitive.Value;
+
+const SelectTrigger = React.forwardRef<
+    React.ElementRef<typeof SelectPrimitive.Trigger>,
+    React.ComponentPropsWithoutRef<typeof SelectPrimitive.Trigger>
+>(({ className, children, ...props }, ref) => (
+    <SelectPrimitive.Trigger
+        ref={ref}
+        className={cn(
+            'flex h-10 w-full items-center justify-between rounded-md border border-input bg-background px-3 py-2 text-sm ring-offset-background placeholder:text-muted-foreground focus:outline-none focus:ring-2 focus:ring-ring focus:ring-offset-2 disabled:cursor-not-allowed disabled:opacity-50 [&>span]:line-clamp-1',
+            className,
+        )}
+        {...props}
+    >
+        {children}
+        <SelectPrimitive.Icon asChild>
+            <ChevronDown className="h-4 w-4 opacity-50"/>
+        </SelectPrimitive.Icon>
+    </SelectPrimitive.Trigger>
+));
+SelectTrigger.displayName = SelectPrimitive.Trigger.displayName;
+
+const SelectScrollUpButton = React.forwardRef<
+    React.ElementRef<typeof SelectPrimitive.ScrollUpButton>,
+    React.ComponentPropsWithoutRef<typeof SelectPrimitive.ScrollUpButton>
+>(({ className, ...props }, ref) => (
+    <SelectPrimitive.ScrollUpButton
+        ref={ref}
+        className={cn(
+            'flex cursor-default items-center justify-center py-1',
+            className,
+        )}
+        {...props}
+    >
+        <ChevronUp className="h-4 w-4"/>
+    </SelectPrimitive.ScrollUpButton>
+));
+SelectScrollUpButton.displayName = SelectPrimitive.ScrollUpButton.displayName;
+
+const SelectScrollDownButton = React.forwardRef<
+    React.ElementRef<typeof SelectPrimitive.ScrollDownButton>,
+    React.ComponentPropsWithoutRef<typeof SelectPrimitive.ScrollDownButton>
+>(({ className, ...props }, ref) => (
+    <SelectPrimitive.ScrollDownButton
+        ref={ref}
+        className={cn(
+            'flex cursor-default items-center justify-center py-1',
+            className,
+        )}
+        {...props}
+    >
+        <ChevronDown className="h-4 w-4"/>
+    </SelectPrimitive.ScrollDownButton>
+));
+SelectScrollDownButton.displayName =
+    SelectPrimitive.ScrollDownButton.displayName;
+
+const SelectContent = React.forwardRef<
+    React.ElementRef<typeof SelectPrimitive.Content>,
+    React.ComponentPropsWithoutRef<typeof SelectPrimitive.Content>
+>(({ className, children, position = 'popper', ...props }, ref) => (
+    <SelectPrimitive.Portal>
+        <SelectPrimitive.Content
+            ref={ref}
+            className={cn(
+                'relative z-50 max-h-96 min-w-[8rem] overflow-hidden rounded-md border bg-popover text-popover-foreground shadow-md data-[state=open]:animate-in data-[state=closed]:animate-out data-[state=closed]:fade-out-0 data-[state=open]:fade-in-0 data-[state=closed]:zoom-out-95 data-[state=open]:zoom-in-95 data-[side=bottom]:slide-in-from-top-2 data-[side=left]:slide-in-from-right-2 data-[side=right]:slide-in-from-left-2 data-[side=top]:slide-in-from-bottom-2',
+                position === 'popper' &&
+                'data-[side=bottom]:translate-y-1 data-[side=left]:-translate-x-1 data-[side=right]:translate-x-1 data-[side=top]:-translate-y-1',
+                className,
+            )}
+            position={position}
+            {...props}
+        >
+            <SelectScrollUpButton/>
+            <SelectPrimitive.Viewport
+                className={cn(
+                    'p-1',
+                    position === 'popper' &&
+                    'h-[var(--radix-select-trigger-height)] w-full min-w-[var(--radix-select-trigger-width)]',
+                )}
+            >
+                {children}
+            </SelectPrimitive.Viewport>
+            <SelectScrollDownButton/>
+        </SelectPrimitive.Content>
+    </SelectPrimitive.Portal>
+));
+SelectContent.displayName = SelectPrimitive.Content.displayName;
+
+const SelectLabel = React.forwardRef<
+    React.ElementRef<typeof SelectPrimitive.Label>,
+    React.ComponentPropsWithoutRef<typeof SelectPrimitive.Label>
+>(({ className, ...props }, ref) => (
+    <SelectPrimitive.Label
+        ref={ref}
+        className={cn('py-1.5 pl-8 pr-2 text-sm font-semibold', className)}
+        {...props}
+    />
+));
+SelectLabel.displayName = SelectPrimitive.Label.displayName;
+
+const SelectItem = React.forwardRef<
+    React.ElementRef<typeof SelectPrimitive.Item>,
+    React.ComponentPropsWithoutRef<typeof SelectPrimitive.Item>
+>(({ className, children, ...props }, ref) => (
+    <SelectPrimitive.Item
+        ref={ref}
+        className={cn(
+            'relative flex w-full cursor-default select-none items-center rounded-sm py-1.5 pl-8 pr-2 text-sm outline-none focus:bg-accent focus:text-accent-foreground data-[disabled]:pointer-events-none data-[disabled]:opacity-50',
+            className,
+        )}
+        {...props}
+    >
+    <span className="absolute left-2 flex h-3.5 w-3.5 items-center justify-center">
+      <SelectPrimitive.ItemIndicator>
+        <Check className="h-4 w-4"/>
+      </SelectPrimitive.ItemIndicator>
+    </span>
+
+        <SelectPrimitive.ItemText>{children}</SelectPrimitive.ItemText>
+    </SelectPrimitive.Item>
+));
+SelectItem.displayName = SelectPrimitive.Item.displayName;
+
+const SelectSeparator = React.forwardRef<
+    React.ElementRef<typeof SelectPrimitive.Separator>,
+    React.ComponentPropsWithoutRef<typeof SelectPrimitive.Separator>
+>(({ className, ...props }, ref) => (
+    <SelectPrimitive.Separator
+        ref={ref}
+        className={cn('-mx-1 my-1 h-px bg-muted', className)}
+        {...props}
+    />
+));
+SelectSeparator.displayName = SelectPrimitive.Separator.displayName;
+
+export {
+    Select,
+    SelectGroup,
+    SelectValue,
+    SelectTrigger,
+    SelectContent,
+    SelectLabel,
+    SelectItem,
+    SelectSeparator,
+    SelectScrollUpButton,
+    SelectScrollDownButton,
+};

From b70afcf16ce2c567f422438a2d0bcaeb23bd357a Mon Sep 17 00:00:00 2001
From: Markus Thielker <mail.markus.thielker@gmail.com>
Date: Tue, 25 Feb 2025 15:58:53 +0100
Subject: [PATCH 09/58] NORY-46: add client auth mechanism

---
 .../src/components/forms/client-form.tsx      | 53 +++++++++++++++++--
 dashboard/src/lib/forms/client-form.ts        |  1 +
 2 files changed, 50 insertions(+), 4 deletions(-)

diff --git a/dashboard/src/components/forms/client-form.tsx b/dashboard/src/components/forms/client-form.tsx
index 054023e..84ceebf 100644
--- a/dashboard/src/components/forms/client-form.tsx
+++ b/dashboard/src/components/forms/client-form.tsx
@@ -15,6 +15,7 @@ import { Card, CardContent, CardDescription, CardHeader, CardTitle } from '@/com
 import { useRouter } from 'next/navigation';
 import { Checkbox } from '@/components/ui/checkbox';
 import { Minus } from 'lucide-react';
+import { Select, SelectContent, SelectItem, SelectTrigger, SelectValue } from '@/components/ui/select';
 
 interface CreateClientFormProps {
     action: (data: z.infer<typeof clientFormSchema>) => Promise<AxiosResponse<OAuth2Client, any>>;
@@ -60,13 +61,13 @@ export function CreateClientForm({ action }: CreateClientFormProps) {
         setRedirectUris([...redirectUris, '']);
     };
 
-    const removeRedirectUri = (index) => {
+    const removeRedirectUri = (index: number) => {
         const updatedRedirectUris = redirectUris.filter((_, i) => i !== index);
         setRedirectUris(updatedRedirectUris);
         form.setValue('redirect_uris', updatedRedirectUris);
     };
 
-    const handleInputChange = (index, event) => {
+    const handleInputChange = (index: number, event: any) => {
         const updatedRedirectUris = [...redirectUris];
         updatedRedirectUris[index] = event.target.value;
         setRedirectUris(updatedRedirectUris);
@@ -165,8 +166,8 @@ export function CreateClientForm({ action }: CreateClientFormProps) {
                                                 )}
                                             </div>
                                         </FormControl>
-                                        {form.errors?.redirect_uris && form.errors.redirect_uris[index] && (
-                                            <FormMessage>{form.errors.redirect_uris[index].message}</FormMessage>
+                                        {form.formState.errors?.redirect_uris && form.formState.errors.redirect_uris[index] && (
+                                            <FormMessage>{form.formState.errors.redirect_uris[index].message}</FormMessage>
                                         )}
                                     </FormItem>
                                 </div>
@@ -341,6 +342,50 @@ export function CreateClientForm({ action }: CreateClientFormProps) {
                         </CardContent>
                     </Card>
 
+                    <Card>
+                        <CardHeader>
+                            <CardTitle>
+                                Client authentication mechanism
+                            </CardTitle>
+                            <CardDescription>
+                                Set the client authentication method for the token endpoint. By default the client
+                                credentials must be sent in the body of an HTTP POST. This option can also specify for
+                                sending the credentials encoded in the HTTP Authorization header or by using JSON Web
+                                Tokens. Specify none for public clients (native apps, mobile apps) which can not have
+                                secrets.
+                            </CardDescription>
+                        </CardHeader>
+                        <CardContent className="space-y-4">
+                            <FormField
+                                control={form.control}
+                                name="token_endpoint_auth_method"
+                                render={({ field }) => (
+                                    <FormItem>
+                                        <FormLabel>Authentication method</FormLabel>
+                                        <Select onValueChange={field.onChange} defaultValue={field.value}>
+                                            <FormControl>
+                                                <SelectTrigger>
+                                                    <SelectValue placeholder="Select an authentication mechanism"/>
+                                                </SelectTrigger>
+                                            </FormControl>
+                                            <SelectContent>
+                                                <SelectItem value="client_secret_post">HTTP Body <span
+                                                    className="text-sm text-gray-500 ml-2">(client_secret_post)</span></SelectItem>
+                                                <SelectItem value="client_secret_basic">HTTP Basic Authorization<span
+                                                    className="text-sm text-gray-500 ml-2">(client_secret_basic)</span></SelectItem>
+                                                <SelectItem value="private_key_jwt">JWT Authentication <span
+                                                    className="text-sm text-gray-500 ml-2">(private_key_jwt)</span></SelectItem>
+                                                <SelectItem value="none">None <span
+                                                    className="text-sm text-gray-500 ml-2">(none)</span></SelectItem>
+                                            </SelectContent>
+                                        </Select>
+                                        <FormMessage/>
+                                    </FormItem>
+                                )}
+                            />
+                        </CardContent>
+                    </Card>
+
                     <div className="space-x-2">
                         <Button type="button" variant="outline" onClick={() => {
                             router.back();
diff --git a/dashboard/src/lib/forms/client-form.ts b/dashboard/src/lib/forms/client-form.ts
index 5e9b1bc..a924c69 100644
--- a/dashboard/src/lib/forms/client-form.ts
+++ b/dashboard/src/lib/forms/client-form.ts
@@ -13,4 +13,5 @@ export const clientFormSchema = z.object({
     grant_types: z.array(z.string()),
     response_types: z.array(z.string()),
     token_endpoint_auth_method: z.string(),
+
 });

From 80624326546d45bfcf1a5913673a0c6159240b33 Mon Sep 17 00:00:00 2001
From: Markus Thielker <mail.markus.thielker@gmail.com>
Date: Tue, 25 Feb 2025 17:13:56 +0100
Subject: [PATCH 10/58] NORY-46: replace checkbox with switch

---
 dashboard/bun.lockb                           | Bin 291060 -> 291836 bytes
 dashboard/package.json                        |   1 +
 dashboard/src/app/globals.css                 |  11 +++++++
 .../src/components/forms/client-form.tsx      |  10 +++---
 dashboard/src/components/ui/switch.tsx        |  29 ++++++++++++++++++
 5 files changed, 47 insertions(+), 4 deletions(-)
 create mode 100644 dashboard/src/components/ui/switch.tsx

diff --git a/dashboard/bun.lockb b/dashboard/bun.lockb
index 92f5ffc97ef6ddd4ea77423e893905262488f643..4148b6f3f2c38e1d23e7903e70834e5e2f957969 100755
GIT binary patch
delta 51127
zcmeF4d7O>q|NqZ22S@fLGY!cS24iPN!yHR?%DyCNFc{fM_8Cc0RJzqgD9Sc=N=OPN
zOWD$5NfMP&vb0gD-}80f_Zg$q$LII>eE;h_dd=&4zpnRv?c05y`{;)g`G5O5|I?LX
z+LyCh{<?g^ksZbMkNRR<y?blK2aB#9KW))^Pp9mgZ{NDE|F8&;KAWa@DxP}xD?Z!s
zcsjxbJ)X4kevc;zj~>*^j#<OsoY=+DZ-R#=C-oeTR+3cmVi!cu1$PQK+!)S}T?@_!
zdx%%Mi?~MDkInA!6oE6~Ji4&wuwlu=dU`x5me*S(X)1Y1Ee#igt8h&eyb_Lv4Xn%a
z5nl*a*_6$B$}Ile<^3*igY%$ofN@P*X^rw$PVGy{b7KW4gw%ma0|%v0-_zNg%8yDK
z&|kIhLcCIKp~Av-T^^b|Y*7CZ$(|F`v^e@Fu+rHD%dc<Jut5(Eq{P%*`HXYp2dDHN
zMY5@$6a*E&vYTLOSgjM~a>}sSKK%#v@DwfVB%Bvr8N7h41b?NVvSV&`3fyC8QqSaJ
z9?v{%>0iMrNIY#t&C@Qp{>SYKR`;Y0NFLfJxf*TjX6TJ{YPt<pcilpxs~>v9>gEg9
zVPDzc>|2~<Z?}T};;E@cok|Q&8JaYl+y{(Sn|VC<(Q&HG@V?0dRpG|2-3C_S2XY<t
zPqS-?e+in9@}}j7)!LuIy8fWc$+tOWcpcXDgOi5$jeQ{5TI|oCn$7izEa_BqK+3?B
z!AZl0UAfh<_oA!(rAj#^|H0MYz*b(XV5PaFwBtVpRs*)X-QlL#YKK$U8h3|bl`WUU
zJ<|4+aS|w6*16z6CDgv0Q;<I;l$K1RsHg6Nl~H)$FS2Gu6i>a#G*y2N8#HiW@=%ZG
z2)4Yxso?OizDYv|)0Byon3?Fe!n9V}AF<8=Jpohmw6|Se1Z#Rd4wGTpK$qLY^l@4p
zn30fnJ4|U()AABfA6>5K@F|$Fn6}U5O|S;^VwWwKABNS}TWUD{Fnn15lpYlHA#}Cl
zu;c+FRH2@O`VWFU=W9CcU8j~);V0pnJncMbC#kVIa&RBK_@u@;84iVWqxXT8;NU*7
z!$%EH9=0dm$#~@O<bl2L--0c_wXj-pffdYFIW;c9N!4H1<6$JEovh=u+uJU`?D8Wp
zBP}i2<tDJ&Gsfjyu-fw+>4^`*Md1x_G(4-mGu*<>Fcq89q%sc&^k&|A<~MLUas&~%
zxL~e(;Y3&+QVv%2A8zCnv<G|}b_177y6lHl&{KCh{4T75E^+w@SOpwtbE+q;EdiA@
z4pvEvy6l6M@vF4E+I3*^$l;XJ6VuYs^Sb;~3ul4;4AzKw*X30(BPVSZtbsEL)&Lm=
ztAh87m2rDlXbx-U)oATxSl>F3y+~^FHjeueiea~lTby2l=+_a9n*qHZP_YiTbBeLs
z>twT{y;H3Qu)4cj2WMTom3S2=qoc>e%uO5B$!W)(*d?$#b#^9D8En?U)U@RURLtqH
z+GiB3dKS6Ixu6HO>e&*$8Lka$0bSnJ(G9GLvie@9gCE1z!ZQ}W30~FBDPSS4D}Wt@
zrT6SVY^29i!Q+`kjg{eGSP8Z5?$ofWYyafht*!jQBF*ZeD*Gz1hWqR!XWX2I)%=gZ
zD((na?c(j}wEA5x&xciv8P<?skyNXP)9PnnyHI_T`aeKx=OA^Z@}FAq?|Q{;-Ly@~
z&M5txMorCZ)rB~!b+7bu8skfsm&2+?xEJ<e%Wr&tr<ISws?Kg$%h2n@s}aMk{e#zO
zmbL?(UVaDGsILu2u}`OchJzB^J;-qgkE=h|EL@}T_*=tuI=9SruMdx}aE<>wtil<G
zhml=jl{8%9@VII@)GBaOnJ(K#I0X;O;o%e>Ug2Taok66H;w4z~=Xci*56|$h4$q5G
z*7Td=YEK;NH0x+sSKm6$86^W!1|-M!>fy<Yt<~rYSk0d_Y}CM>52Ot5XL)lKY4+_H
zr?CeQO&&fxC3)y!Y>mlnu)N!)Ih@=pWq8V<fy0htYpgbeH8pw;8uUO49sZh?l&eT;
zuZNwIuZ9(yJgmoqDgAqS3Qlsy;FU+59{Sql11@iJd7;Zs!)nm6ux3JEm)pBs&*h3P
zM>?FE7U2r#Cps4%gH@f~F0Xfafy>Xp8gpqb4|Mrnmz%phgNY=+WVXbC!#$p#p7eNb
z$36sW$$s7D3ZAs41eD>6a5Q}OX=g0{`HXYanxDH!iAV9$$QuM}j&_Ar-*{N<x5_%4
zyLj+<a+md#<;_#MO^xTA`CZQS*@dkfH^Uk=4;hF1!Ro2NOlMs58y0IHm6L|{8Jsk9
zSh7xZN&Sa;ezPXzDU!NmmgAMwkHN~P>GRIyssXD+Imu0<=)s{WvHgZoYS;d4nlnDm
z!^-`X%d_V=qwpD6qw+AiR;7J#PI$Y^-_5n_RxPc6@`!=T_!NR14!C?2Rsy|}lLyD9
z4D)PqFI;Oi%Ue7+cAk^$5Nk-@BF%=(cdX=LLmo^XI?B`2T>?wK<P?&ler)glNquUN
zMhVhvKGmt*gA1H^??R^%m#hPMi==i#jl`?lBB$zWVU?sMto7-E#ZGSRVEN@*;*60H
zwwkQZpuxRVqlWHvP1Bu@N`P|{|1+#6`36?gm4-D4++$X%r!@tTV*|H%PcL&Wh+63s
z;6Ye@(tFU*Snl-t9$D_h=Z0@apRvm6!<?>P*VWFf`W6lnKYE38JvT5zllvr(EP^fl
zQ{wY^8hX;+BcPgYb1!HOtHhUZ)NH8xij&b|Sa$1Ioq@U*Rv#|0V)7SHt%SF%1XNAx
z(y;1zGn@wwz{+Jj#g;yMz0-cTah>8%z|z+duj1`??G3PUeF4@!Fa=inDX`LO2h$9x
zY1>|RgvJQDiHL`lu-9=&yFkMEu)l<J!SBIp*EeDL=h*D%%dl0EXJNJPAlI)Otb#O!
zRe<U)mxA+YW4cJkX)!ngYot`6Lv=whSW~xGa*qf5Fj6j0b^Lk_>N$L9%E07o#H;29
zwmN<nUv^sNBe)p)4p<f0469%*VD(QTtb$j9^Q96Po-{bANB?9`nRgtAn~6|C3QcoP
zR6EF6>rnf5J)Y9=)a}k*Uk6)$;Z>~#dM@l`@NMuQSOw_>%kOhHohM+~x`j<upAAP)
zP40u$biwzW41e40l=Kv~E;#4fpTcUHy|8MSG%`81=b)j<TU`4!I461>>B(=~UMKx@
zSQQE1^gpwg_LrmmD1`On5ghCUVO@A>zta`XuvLJnE>EF5)RZY7I0^4^Ip(0_A3lps
z#+Kioce<-P9PO_f|Btq~|9*!{o#>SK@3y!O)T|H%Yy@i-{C!RS|0<IDH=Ff;Uz7h(
zk?>wUj;_l^MLK_BPvbk%S`knm)qoXo&q=2yJjzPypVTY46}F~JZCEWa>y$J9f3PkW
zE?)Kgm(GX@-=zNe=5$bx2YZvFXF<H<_th)SZqA!C^1hLc_gy@7CZY1<jrPWMnD$7M
zt|vT`-g|V0m3CWXxiRC8?(0)%$I@)WJ5O&_@uSc4wtuo*)0NMcerZ9k!S8MwSztx0
z;Zx4n+;QxcCAV$4$y?n@sTlGOu+sUv#LD3BDJv#66xB6?eVXzzj<5MNu_nZp^}cMS
z$A*GG;ZqMEpEaa!oVTYHQz=ADN~KWXY=En+*h&fBnpOttJS(PhC}?H3A1|h5v#M5#
z^Zsn5qczIm@zfv<ztRYf!nzA9!Wz;j-b$$w^0u?m`8(6f;O}88rfSIB%u3<!E-Sri
zC>TwXH+QanINpk>7V@sMQuzD5mCoO)RtA3u>u+!sop2|fUTX+>6JI^#t!!oRceoW(
zBNSYm$K$DD=e(wJoc9we9WB5@UC~LMYpPl?HA8_1(HdB>&(+C6piVeJpEsX%re<QW
zCWHJA`-(L+;=F^blv*M0i&lEAQ1EkNlz%pBO|7_KY4(stSb43gv2osKtdzJ=K&y6d
zYe3(GKyN~Ith2P<OIA#LDEKwD+Q?^7wqQBBqyd&!tr+NsRYzBO7g;g2L&1-+TN4{$
z=Tn9ur(B)Z?T3|^X)SRrN<^w(VbyZ3s}>h5!&alp(X*A}f<0U-!m3K#GA!lqlNC6t
zIBP|0g14HLo)8N5XFaN6=dlLgrC3TQyPeJtSSn4xPNzO=w%Up~M$Z^4qfW@X-ioOk
z^5u`T`qfPgHe$_GadD^lCt4YGL*9?9n8Z-949l<vo>!IhK4_&UhP<1s4F3LN#e_nE
zShnn1)_`gW49fIS$eV6ughIg+sLGy#$HoO}v1vB9VrwV((xR=Up~T<@1g05nrM@d-
z#nflS7WH`Apn0sSuf|*H^+VoUtPJ!NHYOE~0)*m%uVAU|xH2Iwn2{M*wRT*vEGKxi
z79*NUq*yTxL*BQol!l>TTyc-5y`6?y^$9G^H@~H;GO(0BEgnl6w>egJYfb&Q;Bc(Q
z#M!ehxC2Y+J3Soa<muEw{niz$n(e6`o|b8;z2CAj8il+iteD23;JqcCtFo)1gEO$y
zFG1@<VqEYTmXjN$^i?foEv=jwe6Un_m{)Ba=Y8KwZxRaTDeY)EtTnCTbGU}xx4|N}
zJEMSkPffeImNN=wVW}$_ujKYCR>#cRv?=4%JBPhCJmp%n2`zL4tASlN()5<GVw#77
zJ<5iQpjMlM<%~U9hg^#?U==Fo<QlMsjE~QOp>g4{r_3TOH9gg@6Bj(?TG^~2HRFOM
zW1I|}&b-%3X{m9S-ZB)(S)OLH2GmUOcC}(!g@RMDE0GEVq()rub=L}Ls(DXa8F*Bz
z;7k;+b)kM-R2r71?RA&is2|)|4<Ckp=Eqr#@3b=R3I*;byFME8fgOZ;+M)85J)R^x
z^aP>qcIZrIs96<{r<<)UBGgr(ptmX^yWDhs;9jiG*4euf0<RKkZ-;U)qT1S_dkD3*
zLrXJ5zYx01)|yrihn^$U($>Dn3{_%{aJ12c8Y?!qkB~d5m`1s4h6iues&T;(mf~0f
zdodB)hk|dq@%F&+{$|B=2nCxn3!R=+-_63(HB8>RTGBH*guHiHF&#sJIdOK$>n8-i
zC8S|wZwtXn%pIo$^hvNkmL?N<vSfcoP+N_?<^;>tc1lO?mE!{UU^UQ!9hgJtPA$j5
z&lR$-*2Y$v8KotHMVl#bk8AnW_ra&Js5)_)aPPR5y?_TUVO6omRbwloODIsLuE&#X
zo$Znkc!E%OJ9H*9)QrMA+7d$D?ASmk9O^-+tF3L$3`N%C%Pm_Qk{Q}fsFSUgsPFM~
zutVvD>RSUUCV0<SDcwTe7%QE>gRG2hq2N*)kYcK3>c<66Vb!(<bV~>nYZ$(ID4}*r
zC%Byu#Z_IY`NBrjCezBvI@3MVO1Z|`d5u-J33bZ!eB>JI1eQC3$)Qfutd_y*l6l?v
zYpiC?sC8!CJgg3x){oa%%^3#m!g1cYRz{CdFkcIghbh8_zJ~r?)Y3`Iv94TWwQuF5
z?8K#GDJ{qP?HcRuyPVC(iJOOYcc$k#EVAUfA#6-3$sz9qD?K?B+>A>CI%^r5*d;5b
zH(N3bi#rb}+fpp1j+3MJxRrs&&27RXP}^BYEQWx_Du<Kjtn@x1pTDhjrca{IN`1AR
zrt}R3E>iB+)(RG!KJ7JyS5!_2?jof1+aBiL;#NwE&R^*%q2ODzrZass$n(<D{lb31
zSy=aFT0djmZ(H&l)!F0e;aD%l=fKdMvXc)Krz<;JD;m~`Akf}kzIG9!WgLfK{5|26
zH0fqy(G%{)r?8sai(e&13rkijrYs?q-e+B4vA^$L7CPHnLpjc2IfGnj#W4C9J*0Jk
z1{;E<26h(v%~)<B*=f8~j2YqP+7K(zifxz>oIr?GSGzdpf;CpkppY-v-C8;*G0>Yy
z(8O9XD8akJiWwXV6rwenSh0f>f?Ww|6=83p5Yw^ZGOe9hm9U)6@+T~&jO$q^$tk>Z
z-BK(S*Rg)XVtA|4Z2paCYc-$~w-QTRsBQUf>S>)Bni%ZdGwZ(k3YJ=xEz!j1z))o)
z?Acwvms3Tjw}xQFTPqS0g6V|n;l-Xx)ibR0;h|tzmI1a7o%L$R1-f9hv|^hl1atJx
z94IvAP%PR_jfu4%i)vz#POwU!@IX=AGgu6CH7~307g%ZyI%sQrj=q^=6vy#cPH(Mg
zZb#A2Zu+;Tga?z-?~mo=M*4yGv07RyI@XC`7&DH>*U6!PlLxy+;RnLksx&>bT7flK
zcUS`k*2zJ@9g#T2^{1QdB3GqZp0r{{hk|F(SgV=N7udooTIpyh1HxlZNw2|DlRHiF
zJ(g2Z6?x#mtTp`%OXJ!03{)AU**l<5og4(*a&uDo3d^0qBwlB5*iv%OU^#87<K!1u
zPF55*SZ+wT8Rgj@>uNF9V(B`kh`ymtew@O4#|7`ja$A*2_6C;Q{-hE)EKBZzfmobC
z#?{F|z^w=OKZS;?{TV8O`|Qx!Itjrggq+!_qMgUmkY*ci9~Vq~Fg#bQ#>GcquyE8&
z2<|7OOYD1tVC0A_Sp@aenuSMkB=<3v>gHHQAIeOeg`gjnW)?NYb32w>jJlj>MuwLY
zoh18WX*nU4hH>7NR?5UsF#9M+V=6Ib>tm@WD0cO@fWe}qj2Qw>cd7Ymj?NrrWH|8}
z>j0J#unQ9?J4Wqv_K`Xf1RB{ViYr#eq>wLutX2Ne#K82ibf7h0RGl0IR5JT!&sT1o
zb>`7TZ?YBhSSUDWT)11;Fa^$IIY*ru<DG+&#~Ly*&fDLLnH&nNL#w9g9{5_Z)_}SR
z!Q!dmu4kL^j<RB=go10()H{@tQ~e)UnvFqg4Trv@H0LgvJJcp|y1#uq6#N#gp;J7D
zYvl>f;$?dTM`G0=j?ItGSdLX2i-oOvT<}XQrOf?Rhd5u&hpnYgBnAgR9KQMBj2YO1
z)l_FUU%`o1zp06V@{=f=HDGE&U?icIcIchVP`*dQ+P#^fC7Gcg2(d13ZQ^5gvV<PZ
z4DHPf-8?xQdtYW~QD*2nI}|&;PQ;Y3+jv6UX^`AInW3DIhqcz3q2~zEJ@_55L$OcS
ziFhI`^~ek@3WtJc2yy;!4+i6`jAwYh@|4HJoK)|y;Y`EokZFB^rFqD3Wq9BHw9}8Y
zFSmqqt(Y01U~sx~fME!8^*vY`Sa`6$&9E}?_!6xS8b@?IN<0%jR5Ol(?XW5m$JHEV
zQmu?<LxG)WciR)Th~+FQ&SdF>)f8Xn4s#=xQssWUR$SmmtXftq<FCRDXM9kCCh<8i
zs^G*;H7n0jEG1x9G;k3s(LTjjc{Y3xFoXj3buIg(8=Qw#!@g$7n)nC|4(byVd=bxC
z{bnTwLeD9USnjFD5vqqDbG><7@KY=ecy8F4vgM5vN0Au*6J5)x)Z19@(oWuaW`>*Z
z!r1s67_~^mc|I@|E8fX~d*OGijM*VyV3t*WPGYd$ET@d@t8~(E*9uxg*rV29sYC2I
zU*LJG{M^J~kLR5wn8LCFyosfyo0-k!d1gEF-+n?8Y>%bt+x;JytT@#_xR;PK)97_y
zfjQQh7ZQVQ=Q#DuZr@ce#8L;@yM6EkmdfGW*hkNG)=-87t<?ofo@{{6an79=3jU6w
zo?=*VzHj`3(~C|4M_@VL44}YTS@vN0j*xPocc-vdz34QaorCYb7p*hTBnB)*Hf74c
zhmcy+d7=`S=QxwyviKaX!D9nf=*O@UaddiXyK8Z(A<jSFNyPC?z*2Y7%W?5JFmxHK
z)PuI67)BIJ)_J0;*(qxOsPdB2kc`k*<8xrBR8D5gvHD@zH;}Bj84E++SFD&tAz$u=
zR=-7w!6plx8rzi!Ou&k_&elx`Y$U|8%u)RtLY<wQS<L${vb&G_)=h-mw&EoABNodT
zJLHJPPO<INR^U~v&UQMtF3CK^@Hns^R%`p@_BtWWFKWhEJA>t<s;#4Ix)xS#)#-#9
z*k0-x-_md%48A};ta_S-fiyxL?fLjIAq_efe4Y{HTo%4s6TKzYow_0M&bBg^g?!~#
zTIH7~1|C_ds;SDm38@VkOrbcRZ<Te1=z6Q{a|QSAD+%3e=a+MJ_>#ed+B)T9I{b*`
zwhiU0yvFuohCfJ12|IONftBeM{2HriW(t+pI$NOQISMP&Gw=#lq6!+gK!~R!l@fyO
zUZHeO%H+Qh%Q-NrP49m-obm;hGYk!VXRW<-)#9jDW1Z7zPF&xtR$vZRE$eJzLf`{J
zJjtz`;LG!xwRCM_FzL0-0|a@m$I`TRo>KgZ)!fcbqrK7kOwZnNfmK-C7$znJ{~*-J
zzGetd2JYOTUZj75&l7S-1NHb&y6wd#5GcP<bys(dAat*-GiJOWSn2CR!P2jX+fOrO
zAePfQ7rMm-54v$wlS&uc<ctkgmBct-_f6KB*AfE@5Zl{DxI{?Z;<QP<H=O0k+2_)*
z8WYFlp+N6q*$;Pug*J!1^q`|X7RyWPIuQg&loFpJqzg%g)x7+hPH)*+1V&)Bwa4&I
zg&Z%|^;_Nw_o8aw1M5D!fLjQ4&h(1hl9?85(aVb26binAR?RNvh2?R9FR|{k22@Q5
zHr(orMrR2hgXOkvU7pTh-DQ`x+BRotr$66`&w<gy$!toTz5&`C3YL4@c~C%Q=>Be4
ziFmNkQs~)O?zE+%$FQ0a$8ydhR`s3mipfFO+s8_OGsM{~<IRxo$9JqVTS5`rsjwCM
z7N@FrRb+)eCe+>zmEWOBg%%u4NE@a7AT0PMRz0VLjpKa3@36|hl^AHh(_U>zU;!cL
zvNMG4aSB7RC+`YBU%9~J1B^R}vY*rY3h%c1ZA<hfS?SwC!KUvySJ7r{p?vM~c8F(+
zDQ|~@9o~1U%3x?27c^KZ6!VwVzr@m<aJJ!?J<frX0&n9>6D-BC%;UKTs}7dE*LuIO
zVz!3@-hG-6dREwpP**#h3xngWjP0S|Ih496d_lxPxZ-}N;Q6eo9pi$%v6M0$vze0%
zmRlm`QqBXJD@2XBKu4_3_G-LRA?KPYalULHSZ8)5def|!ouR<zAJBU`ANdjvT1$5(
z2CaimS?Ow0+=r!(CpT`la(}3uWWalMA_#C2+m#TQL8z4-I*}Qw^ifzFlNs7csD<rU
z@MAm2y>%k&fD&1l8Tu|W6!(eT6q}YA+Lak9a3~zxl~5Dg@1@L8MrNqW;c)Cjgt+q|
zy*DyL-XmeHaX1uwf>1+hOwVnL3+%;eYOM$*1d1P3-B%o_6G7l^YsJ2Vz#>Ae?9lg_
zp?aT&wP~55BZOMmezza9i~V7p2s@xe)@O!1pD9vWGdnckqdF0p($UON>EmIy0fcx|
z#09TrhJMWqHTXOnJB3gq+i!1XsNjjP);TjYHyrX_w9-Ec1^ayAENC2+cJck{$06@G
zR?5er;NX+tg;$5zJy`KHn0?;%1x{JzKS}g8J!SR#B$4lw(?1CX{y4>uwN`w>;`C+s
zD5O*UC@bYqD7X?$*E<i>f5*Dh9<&X<au$305EGn=r8UP{*7jm)5;$=Mz78KYv@JBi
za^m!L%cEAxkp#UZu7_nFAE*uV$;#3bZ1r09qb0if_1H^X2;2-h0HxCj=#z!Zdm<3J
zg8ZOA(1inlK4RGefzO(Iw5+xKXe7v&Ds>3Z=bu=`9BzC4cdX)$04m*RpmfFoec;q^
zz%Jf+EEUL69hRL2^hvY-UZ3SR0f--V{lqH3Bd#r${itg{>akw>v_NfLGR2j$ascf~
zR~O6gDWD{#i>)i47O~4Z152^b0)50ez+4%8#EO4G1|PBP7lBfn53++LK%cCv7USS)
z`!9ES1*{M3v{e?tlZ^<@arQ^74AwcO%}Q_sPysf&dRCVHx~q$I{Tr^GmF2ft`77|I
z>mb$zTU=YL0=)~AF*~H~zZ=#^EPam*K3Q4m?ge7DEBhmsKYNO;A9U*P@vw{75v=a^
z=bu;!90n>V%c}jk5tjckAU<wi#R{i@Cg+c?@c+eDqvK_*;m0Gr9&6I^;`Xfk!%gpc
ztO9sx7O@{z3q|OU%L)egqcN4s)vw1I;rWS|O99spPQ|=N_=_#yg6@Td+zZ7j(9Lij
zxU{SP_gu=(?;jJ0u(p5hv{OYl8?l11uAP-toCH_@AF|U<N-%;9LT(0GS?y6DT?3?(
z8~?vxCDqyM<WIn9_<P(8va*JHH*`ha=f;Z_?9QK}@EBJYt0EeHnzNH!dkU;{ro#N^
znWjHtITj=^57vbXU^y;^bHe&<g7kGT|9M{HkK#ANS{}E;8lpR0{XLiW!YaUrZv0VL
z=^S_YB&<)W0!r{JH{y&NA=U-o!II9ox>&*U{LyvaySi9i^`mQxW&iB*WmgwV{}m4E
z>#ztcC6ryN%bHZVuvLQsu&ymAKWpyEB5E>E5!d^lI3IpxbroD5)+H7BL$;opt{x97
zH~khze)VAf^EA*OmlfXxTcv5`V`?kzZvKedxDlOT&5>kS3H5dP0azcgf&*M#KM|5W
zRDWDn#fD)k!;!Gk83X5nAA@tlGkgqL_52(J{`0)RpPS%x*IwrG3RnrPg_Y1cSRb+M
z4Q~8qI12k?SS@qh)lb3v=lP018ewN)<@;kQ0X4<1uxcD6HD#0smSbV1?y^c;(v2?*
z%dP>dz#&+Zx&y51?u9kt?uYr$)000+w=b-gNpU%~pJMrlb-_Sb2|NfFfFFZZz-h3W
zZWgS$^s*bj4pvRygq84HF#mbB>5t0_Zs(8U-*t5{cB*HGD_oCt!A>{+pI9#MISG2+
zcX^L{omlDYb?vNdZ!P<XP}~Qu<3ZO^9EtvoYyY3HmdyW?g#VPTy6$HxQU)%jes<Yj
zvL!J7JjLAzu_|5CwZ&?}Qn37PcXhG!GOqnkEWfh&Dc$m}Kb&eOPys=Mtg0JvJyyom
z-FUGQtl@G^R~KtACc3s**VS`vv97D{+VvwSj@Jrgl#Nlj8oSX=V0pA~-L7G)Zbn(n
zTF+f>tXPTO?b=ycmFnQ?VqMqC_3!NJH^NH4i|Y?NtEOIA)<-OddtL74@_lZ+Sn=Iq
z6(GsAd${pptsw*8LhuAwQIquNy3D9if{)^$cAEmre%!r4EPa}5ixvN*Yl{^>-L=IE
zKFc4q*lbv<<I56Vmj5DbRbWY~8?gjd#4?vx!j-T;g|*t9fR*tVE}w+;5lcVi+F}Jy
z^GDa6g_Z7km%oSk&+{{XRDjgWZs1p!ufR(1cUT{>Y7#+es!1+b%XJhimtwFIDh})O
zPpour!%tko;Z#paS19FjX;=xDgY^;Xf*4rKc@@{L3iF>w|4M~wSli_~u&%G?@|`X>
zb-AU>tzoU&9tD&^8(VN#c3W)KtUas@^v`1`;jXUU&DHOBxu?s$T~2YizsrMQwctar
z(j5gyXw@1=KpBpAITcoh54-k6SQ$U&+LK*-Dy*(~#^sr?K3Q4m&O%p)v)%ZtY_FOU
zG;J2aN^m)>lD-P-!q;GZva%9h@5XP0<?^P>Z^Mdz$K~y=z8ls@tW(&L0PU}u9&;T(
za~;I0@fWUrBdp`{kNB&=Kf~H5{M1J2XLC8I+VK%f&y|h(=Oqx0puBE#`F5E9JQet(
zf>ef;a8;M9yId32CoAjl(!$mMBd6Y|<NuLg>h(&fnzkatB5*G^<NqU0{Xfk>>%{|Z
z1+ucbbP&4VV<n!y*=l*-d0aQ#broxPJOnF=@veS7);JG$;-8r)`^n`EJiWB%;Wdvj
zRe(gLz~_3bj6=XaE5quvERQX*99wn$&rdJO?cc|j|31F__wnVwk1zE&Q+wgRk1w@^
z{(n8*bXRj4Qmb!BOZA^vtM$K+FaLdf`S0V)e;;4k_e%dhzV!V2`10S!m;XM#<Y4gc
z<I8^^U)JLYuEXQMk1zjyeEIL=%j-R*WO8`^eSGOWzHFsi%>UWr%k{Ohd4~_I_whrC
zZ&uCIph1V#vpd!;H@RuAU*gj@G%q!G>h8qf%ii?vv`4@AZP<q?XK%8qkA1W9g>N^<
zH#vW9@BSQhhklk^dH<nF`OVqk-bl0kA#V$BLvwk!x06}&pf|Tk9)ZxvtQmpOc?3dX
zc{DNe<&ondgl-QaG&AWBB5aV5TbHyjNe?0P9f?qEBtk2bG7=$j6v7?}cblkD2s<T=
z8->uu?2<5YG(zlXgmz}sXoPZO5ROUcU}DA~9Fj0?3_>S!Si<D72zAFIbTL!LBE*mL
z<}u%m^)~l*HMPefoF0eA+;MnxGZ_+Qjz?%U9-+ILH6Ed9D#8^BNv2sU!X*hSQW1KZ
z%MzBPA#_VaNH*zd2%RS&<eq@g$8?#1kmF&5%@R^f@L_}v5(Yes@POGUq3=Y5ViOSt
zn3RbKk&htkkub<aJ%X@P!nj8ehL~LvMovPAorEyVjGBZ{?oote5*{=$k0KnBFzr!<
zhs<FKlOIE<`xwF~GvzUa_{j)oC5$n(CnKDeFn2P-IFlh^<`jfhQxH<ktSJahA4j+%
zVS;J)xVMw{VKZMe(OeciV%j_bO)}}CM~!zX^qA=)nrzmHrkLO~=y8)IdctfJO*Q$S
zgr=Dk(UWGY=qVHR6!f$iBARY?iJmbfo`x(lN;Jb95It*RrbEw}2_j<-i)Nat&p@-x
z6w&kMglM*@ZK<M`Dr!-Uxh6xx%o(ca41^cWtQo54v#O|s`KH;k2$v+RcoyMhb6LWY
z=McI*hp^D3KZnrSAmla(i%l1UkYgsoW(nygI1^!mgaI=VmYIzb`p!ZqHVa{eNtuNZ
z`8>iN39C%h^9Va7jC&qojoBq(<ZK3UrP&PPSInr{2<7JBacnjo>rBiXghLXh%|Tdi
z4ojFk7oqN4gpFp(T!i=+5Y9^2WNN>Fa9YCL7Z5g^3<)z|L}>LQ!dqt6iwI5UAzYEL
z)ij%ja7n_7c?fTt%MzB%N9Z;mVY^A6kI?xggxoJ7>@ZzkLdfwl!e$A(Oz>rd4H5>t
zjPRb>D538HgklR2_L!6f2$2gB_DI-gq81|TlrU}~!U3~O!pKDkv5OE6no)}o$}L7X
zCgCF!vl!u!glUTrJ~4+SOkRRecL~B_Gi3=vd^*Be2}e!sbcE9q=B6VYGZ_+QE=6dy
z6ydm;wG^T0GK4D<PMBuP5H3kru?*p)xh!GHa)fTn5xz9(%Mm)SK*+rU;cL@n1wxLM
z2%9BjnBYo;4H5>dMEJ&Rl+bq-La|i{XHCi~gviwhdnBAQQL7PlN*K2q;ey#EVdNTw
z*fj{>n^9{J%B@8>CgDdDvliiyglTILel~|COnwES?kfnF&6HOV;$KBLE8$mD`&ER~
z66U^&aK&Uun7Iz2)jEVf%&c_?O<zN}BEf5#y@qf}!iv`r{N}QRCF>Eotw#u$^z{gx
zHz4HRfRNpE*?^E^Bf@40K@;4FutCCrjR-fHjS~94j!^7%gxn_Ob%e-Gg!V|tYoazG
z?36HW6GDEoOTx%E5MtjzC}>8#flzKU!Z8VjP0VJ5LlUNKMkrzqOPKs7LftnJqRf;x
z5#rxMI4dFA)P4)$w1l~DArvzi5@v2eXtf2QxS6#Dq3KqHD-ueWW?K<1Nm#KJp_I8S
zVaYaxZrc!UH|g6DI=_vO`)!1>rpwz1Io@Hazxg&(J;nszLD=vP9s}ONqk`Eeq3?Et
zV%rg7P0DtJ$afL;NT_V0-bL6cVcfe2Rn0C5BX=Og?m(z+M(sc-w-e!*gqkL1C&D2K
z({>`nnZpt$??R}%3!%1|vI`-8H^Ny738waLgwqn{?nbC<G9=7=524k22q81;J%pz3
zBV3VC-!yw4;gW<E?;|ucmnAIOgV1dcLL-yD2ch#`gxq@(nwTzo5pwK9*es!$3GPGK
zAYs5hgcfF_gueR`itR^eWm5JdL>@rcBjIinbpT<fgmDKD+L&DuMt*=0`vF2bGwK6`
zat9HPN$6l=4k8?qFzp~hCv#ZB<PQ<*eu&V;O!*KY{v(9561tk&A0eEUF!v*bZYD#*
z%#RUTeT>lE%=#Fi=_d$RBqW(;pCDY4u;LShp60TIC5I5Y9YRPp>4y+HA4bT17@?2p
zau^}U5roYWQcUm&!UhQgjvzc>HcIGw6rtErgaIbyC_?0?2zw+9GEtu*?36I>Q-mRA
zmxPhW5MqxZ3^SvSA(Z<J;h2O6P0VNPp(D%$(L?4iWF{Xcy6$nJN0}+d(MOvTqA{lS
z=g?R)T{O;Qh{l`xC!ka_OO$3Vh$fh3UqGBBL=(+r5hsb0&?J*C;v{hjddzeYagq>C
zF~Kh(P7<Og%tjF>iLan(CIvE)UsJd}Us1THOw`v1J0*<!8ezKGg`o4qX~;68M4Tr?
z&zhJFi1UQVn8PB@6K9}VW{QaOglM*@{S7q7Oc%{H8KM_V{coWc%`DM8b3ruUG&>8u
zWaf)rHkU;UOq=hZg(h9J$av2|i%l2E<Ty`JH=m=Z=_Ys{VS|JL=Mk2fjS~7^Kqz(r
zVTDP#fDm~RVUL7WCh8)>P6^{KBCIjHB#itXA@+NOSInsI5z765a7@BF6Y~SYAqmrd
zKv-`MOPKs4Lfsz`Hkv6vQoh&Ci66bka~I@&176Tc%is}5ZnO0g^XImoy-foNympjR
zb`jYT>nH#0t>I-rZocGwBJe$L>g2H_t@|rRn7)_2oxP8(-+I~mmY)($xZ*Xz`X!uy
z0Jz2a62E&N@OfLWo964}^Np*yeqeUr=m=exGyK27@VAhdEvHqbVj)EYUK&ZE)=#M5
z>*F=^u6Xa27!3al_$j7ULEnx*%)|Jo3>EA$w2blP@a34e?n&P-UR!8=voA+r@HA?*
zZn}@5K@#gX6!A6n2Aa;K^y`OY_s#a(3HRfF1XGi{w&&KbDC!G&z2nxOE#~W*gK<iY
zEIYB!%lOiq)W334zna|#j!>}z*?n<>*QqkgbaVLMv+dbGrIP+lc74@&&&l=UEBHQq
zRQ0NQ)67?-@vitrpGkVuU(gI*>#Nul;rBnBk0M*)qq|DIBCSu@)}?w`OrN`4AHA!h
z7rOMh+niYIE10Sm;PoxCpjR>V>4>Jw^*W8-Ez+m6>!<f@^uD=1-O!Y^-a)%X0-yWP
zl#O1B)lVz*NkY>zG8M6y1U`Dvo@-O>GM08UPj5v2v)>6T=W2QrUzzA-#tN>M;%a(-
z{hV^+)6doPn%G5G(_8zxR(1Z?)%v3;s9y<w<9EIR_6%}Gy?@>q=%ZKrb+KMpYa)S<
zUhkKtmeSWCn4aPMQ7aV&bI_Fd6KJZjUiz6UfzMO!wep?dYESFEUWN7A_jp&d(D=`8
z=FzV9tb4JVIo{QtLsJ(;g9@&upB1QpYWkf@gwI@9(Q5j)-D~E#eyO)2?r|OGyJB%P
zh1IVwx!P@nC%Aqu!wQxFzbQ993thjGg!MBT`#nW8z1~*}jCD2ro<WzW%d_ikc=fBs
zxti;CP{n<TYrX4O22HO=>!Tk%=;E?KFD<J7H@cd}%S#%?d|r387{W_kZIi2&M|;ps
z?+yJLLkVhN%?JAE7ZuVfg4MK}`t?mTT@wpFA*?>!=KAUNU;WBLU8v^OwUxn-gf&y%
zakVOh>ye(iaJ#Ej)%a`eiti#SlWIUe<51V^b{(q|o=W&O_&ryvL3kA?0p52ttyIrb
zf|9VhmH+hbqIis}?Q{L&(4Im|mE(R_j3@l8>v+J`YNO3|wGUkF4zx5h_3J@bOCVes
zO`i{4tqx&+&}V->a<#fxdOK5H&2Lsx?J1)7=Bl~<{;lg6LM!L?(^*%mhqjvjRKI@b
zYV`@PAgm@o=V}dHO)Yue)fy6h6X<in)$SyJ`<F=)FS=qQ!doQp`QFtU6W(eo9?uW1
zrZr(3P{QhKRkSI12k7$?8vp6vZSZWDz~_?d*PQS{&`8a3*%ez5J^+-+FRs>-@D89v
z^ot#3vQtBz&xY-0{084Isp{YUU<56wXN$vtUIR@Ay+I$)7o>n#Pzh836~QgEa3m-I
zvVkZN4GMxHK)>L)4000w1@^-?gWRAn_|;DnULoRlkPo2{_=E6GutswP_zgQ3>;-v&
z4-^HL(DT3nkRN0RIY1C-S^o}v56%NE=|2E1<7a_>!g2u&Q5Uj%>figY-?MBCtF`I@
zb&<x0T2xJbH@FM525Q-Mpbcmb?gZ-kKA;Ea33`EKa3AOnl0Y|bKj;ngzUF~cO0gg4
z_elC}(raKn*a%(+o4^}DzhinH%m&&Mo(9hV3(Nr86ViaTfe}DUzkU-n5@^ZS5?>fZ
zfuf)o&=Q}jd9J1TcLv8F8X$zVEPG-7u1~-9YYv)$yTIL`1!xIc13i>(2pWOLK<_)<
z3G{Q;!XOB8f@~lFj*-O~@D;eIE&LpTv*0|q0KNl1fbYRca2jNQQ{Y?h4fq0l4ZZ}&
z!3pp=&^n@ZLlZ-5kKXMa2}Xg@U<?=w#)1A|fL;wBNI?6BUWV=nx`R&OKF}824?2Up
zKo`&sB!Qmb9?%1H1$Tq?;9k%gbORkg8&HQqSr?Q5PgAg`Ky$*)^wSV+Q2MdU{opks
z)`N9GzgKDrT7f%38K7U)+yfeb3Ha29^-G<Opd@Gw+JiP=7x6C#*qgwMKpWg#uo!4#
zO9QDraO?&8fE1vwr3ZpRU@#a0wBwBcqrn(37K{ffyk7I)1NMS_U_Uqj4uTKCC*Tk`
z3BCkhgKxn(a8W-E_@02Fq|buq0VintpA(o0PXZ5the0RM0dxdoz*sOJyaX12g<ug_
z3<iJ<M!0?>r(gJO0b7B7l(!4)2KoWt5pCi6m1`c1ydXa)0J<>xb!hDh^y|)CAP>k3
z^rO`^WUvyf0BgZ&pkKQ_3G{nm{iZk$R0UOleob8o+yQEWcu);g*AH5?^XXqvs0C_(
z+rTX#3h3A1ML;QVD<}b?K~bRHu_P!CiUIwi{0as618A++o9uc4UYlbgT@?b)5H$lN
z5#9i&Zsbo4Mp>X8vnwbCN&|f<`#jKZPb@G4JPV!!20R6(gYl&C2>uhm!(bx#99_To
zxJWo31t<s#fx_TsPy|F~qyM7_+yeCdXLgVS=w#{zKJX~!TtH8GJ_d)t60j5u1p4LX
z+u$9bA5(r#&Gm!k0d!LV@G3rU0d3!#fPRLZ01`nR{RUjG!0si&2kR#v^(e80tzYZi
z3-oiZXTS`gpNdTd`sLOtuo|oduYgy<M({d#1H1#agLlCWunW8g-UoZYLGY2L(8u5t
za0na*N5D}q2V4TTQmBSBrG5n49Da<#Ed%;Zs(z=M4D^%YA)pW_2nvHO_-qAlgLlAo
zP@YQqL1ogd2vTGDQvp-~`X$~;kVGauKsE3s_SfJh!jnnhBk(?`KqA%9^%6%0I0N$H
zlOGfSML-m|1w@0Q;9joNjgM}0UH}hi|JM#U7K{U<KzUFRY@r4^!0J@I1L(xO4(K<}
zy04fIN`Pn(1#SbsQm8RN_X`aG_Xze;Uq7}QN&$y~ao{WL^WZ{&{+~suo&fp*?Wf>N
za15LRhrn0hGw>le4i1B_!5Q#5I1NsKkH8V|1^5`81V_OqU=dgXmV(tFp2Bi~^&HYI
zobCy}2D%T>S+E`scY?;C8E6GsgL{b6fm8=o9cq6AI_m2HtK<C?u!@R2O|55w89>MR
zSwKg49oa3QQ~EPtHb|Y$pEQsg<N<j>KA>ZE3z}*N&7_}*>Ex{6uzf-X9Vkpk&>3_A
zDnJ;|624yi4D>g+b{T0e2XBCHbPM-3f%)K3P#2UDlX+v12pWOfpa}>8{R*odxC1l=
z%|U(83^V|>Kmuq8;=rAt4u}UeKzS;qg6Ljyt&h8wZ5TIW9E9HkAAo&8r|BK8ElqK!
zb??RJ)N!4j%On>dtb|sBRbVmDRGdR4)V!sM&js=WE%h{(XFS{&^a07B7w7>xfsUX9
zXb*JaY6_aH4{rAr%vrcGVeKW=flgRDbu}>4_xXxEx8IjfU$(#JE0{;Bp6}3Ac$hN#
zd?g#TL#qRnLR+A-T5F)QoKma@l;T|=e4f+!PE$x{J#|TQGi{$QI;bS<%*`51@14dg
zHC&uBb{TRjeWmL<QY;*|?xCQ2eGyS@h|%6C4{dju^)VCn+exY(X7zqwQ63oX+3$P8
z+u6h(@D(>B5BLfNRIVg5{eZ75&(`Ic|9+Hv!8~f*6~4zDJK(EaSle*8A?_pG9o%b5
zeBi4dleHbfZP1fwl{ahso7=6+*AFVYS^j}9GN2}@ZoCvH*qdMsC@-^=Td=5uzT$4d
zQpXWF7CZz#rEnwQ2f=VK6lf5nfFa-k&<_j-13`Z<01N`dfL66pV5G~VUDj#mVZxfi
zcN3lfyK~;`IOyw=n#^cCji{5177(3k^h8gmnh<COz9wEHQ=@h}_z;`|i-4x*HgFPr
z3XXv-K*#Gh;iKRPco`f9AAljm9e|UxYcs<<`!V)__rZH$C)f=(fF{H*gXe*zARR0L
zS`%IbFMzo~@hYGSrOaLe3qXIaUkEP-%fV}4C0GGgX@6fw;1#eI=)yH%HIV+Qi}kQ-
zp0&oRrD~{aUI!b&8(<UI4Bi4;!EF@a9asfaco(b+?f~y<(%%O5fxRw1h7W;Hz(+vM
zeGo{OEml(>2cLn@!3ppMP#Po1<V*M~(30*`p_{>XqNfpVN?6^~1Wr}oYZ|EO8Y484
zBWMWfgG5jdXe`tPRk^SVPy(uX9kf5--@z5|9moJm?=1Khd;`w7;h*6P;2b!w_5DWz
z--C<b2Ny(megeO__GS1IkgwvZk-0Sa=vw*x3UqxqUU9zw6<G1%G{f;uLFj*#BwQ*F
zwMhVXfB=wQ8`gdt2f`WXnp)U3L2;nM)PSplaG^>O4i}&*;VMA)29-f2a1)44<&SP2
zbW*tmR0L{?3UCZ42Xcb4Kuuc)z8#bXB|(0W9e6>wz<$Cigb!8$lxa4g%H(sk9I$Ry
zQgzpo8>kRLASYd<OchphsiX>r6IGMSRtA4&WgsnF2vtm(>!>YVeXp)kOOtkLW<Tmw
zDhD;E6227_14V((a4LjaNM|{fUME@AIuaBC+M){srJ?Q+XDwhjtO6+W+kjX1cYkg+
z^_xnq604+2C|sLxoHVtJ{1gt4=x|sWgvXT%qZU=c!|}SdJob;8|1wk>jpVR{F3>oT
z9nM4v$yd!^%}q?Ubd4JoLS3Y5!n*oit*EY*pIRZ@eey}wXbfNQ=dfl%xIn5=I8lw{
zST|1LtUju>)(kDTVyzW=u>C1^R=)<sQIOQXh*_PKp%RpHR$ZEEqe1%;iMN2818qb{
zKs&<PKRUwND>}ffL3=O<TN|8K#Ww2yaKzniq#|A-QLS)VGW!7~*apbAtsB;k7}j)+
ze3W509mTzfu1v$4GVg-jf@`(0H70-i!JwW<^&+AXs1JIA9v}(a4|EHye(O%S8wfAG
znx^*xC7iW|?n6^r4T07YEzhzC0i{0>)B~yg`J+uEoVXHx08Q(<E=qy>0<G<R;NC!)
zg{M*0OvBx!uF*i$Ag+qP7BY=?4O)$d%AgXsPxD`oIr|Y2PAEKW!Wk%0Ew$k_zdB(h
zuGymL7|vt>VXc<BP6d#zDXfgcX@>{#)$yb!f;faru860=lVBPc0<>igg-3v4;6X4P
zOf}7p`8wrP*FOvv`OMN|zI#%a67?miro&4>8NxMzj{4G9qOAbSz;ZWU*Q^F>z$-wv
z4a>k<@H+NJupYby)`3^S1`zo<fB5`9S%Z;9yH3~jkA3Fb<tuVC<qrREMt$D<s#dC6
zsXE)2X?4OEm7?Xd2o6oM4=CT`j^YPghZ@cvm7AFI$1jb1{PEte`@C9?^P_0*F9@Hz
z+-Jbvg`J9AjnSOAiI@+Hw@O^t=CPtzW4fAsWEVXchr&4A{`lfNE8CsgLw50%s#U2}
z(=*BVzu=4Zx#oc{d{N#dX3`hF>fTq)#xH!`OTEQa(Oh)|4#Hz16Mji~tbK2vHym@)
zB%JiMs&x^EJUFaOHhHd0`=A8LSF2R5k_I%bqB0K&jB1f|;o}$VdRD0vhw3+Pp7cfX
zuGJ?e$+En;>6EXPw<K?e_$maeMzEW3SuHc|6vc1Mt&&<`X8F-CM2(&|l~k(GoTT5$
zY{j1!PR^e4eG+|~n@1J2YG}djV<+an1;6T*s#jv%o;Jt7B%up9<iuf3?pseynU)@F
z7l)#<&6pG4`fd(z6b@uJmA>*tM(54$_(rFv9$)$OIuE`zDv>SQh)Md2#wu;bh$@?X
z-$8ZFDy*6<xJpgYWm%~+xhIWygR5%M6wJ9U#N;EUX!Qc|x9=}KmzbJPOp3XpgvOd8
zU(*s9riJLVN&VWlE_x;PQHe{uQRwTtzY5Lcs(7dB8_eCO$#5GE%JAZjBf(moTUEwE
zLyZjg6Qc|peNlJ&8*@%Fl8CX}{&O>zOKY8X9XgNs`OAW-D^ylFaH+D?rP=G|KK}TE
zI#t{l+9_X7^X+L`r!*eL@QA9L(^o6|sGN9IsT8kk>zm>k)TX(qo#AU0JrzH0uhW8q
z>b!fV&GVal-tn}DGO1$b%g>liqLn7~2Va!=F2h&D=k|cNuc>>+ZkJAHXpj{1gsgF9
z;TZ<XE;FRRKZ>_ObAN+)!j%06muS=V8}cm5P*<DfoO|NPBiT<@r)&&H_1p{QZ5((N
zFaNh(HP2LlqQ7FKsRbiCS8Kl~+tTg0*K|5M-gL*I=mln~TH}dcGuFIuWY=*!y($_t
zyjOpJ6Mx|dCU%rr@hwHL$5AWqHdFa5o%7c#84Aog&QVcLyF8XX=7m--uU$-<>Na+~
z-e%lc-|U)E3>VGm7arZzaLJWCi)gr-IFRXVzF}5*@65Y;@$hN;A16lDqv<P~R^L&E
z+sy=xNV}GW%&PBv0XLkjivF*W&VY@+tEjUC%`UwD%q^4N;4K|`(4H*G#($1v2Aa5Y
zv}P)Pg~;wqo1SA@KT&SH?Pr&?v3c<v?bn8JpcSj_l#f^5+PS%gf;&;}GY8Kxn-}At
zG2r-{+s^xL@%~^E&Qr!Krp*w4lrLLxGx)qOvS$9`PD@7>DA2!ssk|SORCT9nC5X|A
zur$}lzyHzjqZ-7xWA&iftdu@8pPZ+($+vN;#;;!C<1_DgE5|te)Z{eI>n3!;*C_aV
z2^t@VNHgsMh2LA!@$d51cY!&doh|43GgeBOtvK)&)=~MrQOYUVl2N}8sy;8eeuTXQ
zsnwgByccnJfZaud<kBx=`flqyW1-L69z|>X7<1)&UsUVoG1YCoy1c#Zg}n0uKJO$H
zt;$Parea!$gWr}OJt$un%Ah$;nYR<8rmdRu!Z+m`7mDzC*Py63a@}s0Ut}IO#a7#1
z>F-@Vxa6HjxVDCK?HE(PvH#{<Nu}NG&V0DXJLhQQpI;n|k2}C^pD13Tj-`arr|?sO
zmk+A?YX9$gYO${FwA~()goC%J86&@3_-Sa~Re9S>QM=zRgkLQu&!%RT{G1v`Unk#M
z&ct#Y$amRrCUJXHmATKWb1k6gDkRP1NE>xw-JzqQH=OatxUAuE)`)0>gNk{7vz|AV
zoYFy6b_a>=P{i#1!B?pE{S`RU<MrpwE1x$U^9>$q_O>S%Jusuks*XPIew1jFRMTIW
zSLS1X^d;1MsG?KVzL&?QMTFKhAukOl=KI6M<mc+ow-)~Wkwbk?MR<{`Yi?U+?vK=C
zF%Igf3Hy9y+fDS1yXvsX9KeCM;lGjJDf~1F1}{q7@bH*#UcBme*%beYMI<kWcMbht
zo~U1H{J~idUUj&g7_~(Dru)yl{BZ9PS7Yj!0bCm09tREfbDfVpo2U7@B3B&-n)x{J
z;$`kj_$|UutNGm#(ZvSbv@I#ZtI5S$;d$GflivyR*3bC;fgckwt>J6G9y{>Hi^Hz^
z-D>LM;7v3`vXCSG!&OeQ{Q5wd{6i_6VzMIHh2CQ7Ut)c72jzM56ji8Mw5&784|HC-
zzu6Bjeo0Tc3q+k-&cw@JsC%I?84Xqu!{V)#^htB<5~qh-P4Kd>18?MZzf3|y<D5CS
z^tIpaUX@tk3Nu|RGb@7r34HZv&*zt)t~aRH=k{QT(>%4zip!K}fjL16-nHgeD0&Nr
ziQKq<dDnO8AG~ma1H^c@Rri?6zxet@m*eQGwd&6M&z61amxnpl@Ne%cIZvEf^9u=0
zH19#tbMezTtn>F{e^|78-a@r{ZQE~y`2&Yq2XSDPPMbOC%l$u3>hShehjYZJW2>wk
zHub>QC)Zq!$yLYP^(zZVOdW3Y@tAc-fp?4C`^4C*9!<=IUnxYgnGHohf}gs+-06aO
zPdAFZc-8M^vk!+_Z{wf|cUQgGqqn6Fe)6irNjK)%;x!)lJ+51ht1<q%=GNah1dcG%
zekYHq^_>=bEYIdgetqlN&wSp8QM8qBF<Wuq#oeQjdEqzTUA&BY_BUVkXy2XA5Fa;e
zNBr-7e?PCpoklEb60VSF91d!|LxX->7q@D7!>bN$%^)0V4#YuiwBp#O=ie+_#~##9
z3QxE(jjDY4&>c<YAG~_$60=!pzl(z!ujiC;TN;jT`|DMQQ|1B=K7S*V>vvkYWFx0>
zhMcWDXY^0y?S63bXkbEAsb&w?A^N5}7nWa;_}SHz9wvs(C#_PS(<c|)c9fkbT*3dU
z)ha|EZO-i(3H^0NJZeh(;Y;AH{%(Izspc)5Huo($zq@ze4HbM|9Xyysp7v%s4&M9C
zGN|Av{Bn_A^=EpH-a2<4TWx>y$sfKFH75~auY6TM8eXV^)tM4&zhTjwMU0lR7dqeZ
zvG47kw_c4|^=z!4_9Q-%_@~b=dB5?9_e))k|LoZ$c8Z^#9fMcimQI&9ebm#u;^NNM
zRj-(5SNW?)HzYnEsl2)HmF-PeyxO#oW^fIio!UKn#UE8QnRtze8m}#U?(^dLh8FUc
zr*iuIwQ17uE#qtnX{MXkU&33%q<Z}o_)WwzES**Ndi{~neVNFb>=izGdFX)$*52zb
zKP)oMjn{|&ArtHKU+^|C#r;&Ig{kfLSNC=_1F)idwslshlC6vUaOF+keTBS<b-B~v
z*fPY-mwT$&B)@6+X~Ee1{<_9FW;O15wcvBiIUH)XqqGHZ=(;*b=j4<}`a3n(+O?cZ
zbt6`$V8o#pmi1YEHH)`Q-3Zb?h=aDFwC?vlmHp-Yx66U+_?$LFaNwx+g!~G$bGj(d
zr}+cNZ>n%Ye)KG#^5!i$G{8ao_v3GE%y;zDlau72orEtq%=Zyg`mlK~yFbd*3;1vG
z9x+`5q}{;e&xZ75z<+<K*6p25?XP_ij&ZzsVZKBWUYeeFlRukzG@rj>@Y;COI_R%h
zH>`E*;M70Y(*67Ih?vvY-UO<0PW1#kI$QjEx129MsIUp2#HqWJPjn$1)TqCd>HFi5
z(T!QhwT!E6%9zU3gkRK5uTDYk&F;U=+tQ4a)WfVP;V+ooaT{gUNOS7Vj}|7>v7^)|
zS?b_jZidAB3zl%M*-54)$n>QJy#~L#X=DK>Q%)D24AUxyzx$0h(<pO+W_m6st+eGP
z|1IYJ-2MXBYpOqKUbk{?sk0XJYKr`{V0sy<eoIb&%l~PK!XrX`_~(NCV~JG9#y4J+
ztko)F4iu#>gLC~Cb+HH8p9*+AEj;K~=Jq#^4v)#}jBt}T4@=BgQ#B6*<}s6012QI7
zwA`fT@mKJ@-PPo)>5mM)-PPH(jM<aN-`!iw#OCG7)#mQJ{zid~_wvNfRL$!z_FP^X
z&^8%NtIRif{oON7cOJR*PRr-7=54J46gB(u`HOqonsfPBP5)X-7KU1tINbbX>gK0J
zIqx_9^83%TiFYl){C_0LnZL8TU(DX<{GBa*Ud}3&sxn_@o2Lr+`|xDr=K}s#{9NbP
zg3S5*3bG71mzu}(Gd`CWWPHBZ!&&Lhm>mUKG92Gqygi+r>D0Hc-?HVlD?By(5x-p2
z%+xEurA-Tw)?KD&A&NZ%UoFUcSCved)qc%ZCVUO&U@+gT!NFIkqZt_Ik7S(xfywW8
zwpOE+TbfpdA$$H7HmfW9Blu0!1WAXDw<u(fm?(a9yHDay)2a@XVT#qIE?aJA>>WwA
zAFW<zn+?a<^QRGO--(j`>cOyTmm@QMH#gfg%9&=}|C^+rD&a3-mX^7p@~kjhBmI9V
zk5dBkd!-vpgT*+C-wV~R?e88PuG3$~j#KGB*WInHbM*~WbGa#AjND!~snLwMef^wM
zMbxCu4T}Zt(^CWYp5N}qD1N-V2S0YOAr+u&JJN088_wFEEsZjJ%`VAb+HSm=U+f>I
zPNgcl%{eMi^Jsr(YdM^K+Si>Po3_N>m8xlO{e8@T*Drr6t~<!G4)5BgesLbbgr~zb
zqdmIqK<Cb4ON95`&mZi4NZSy*pS=xb4*Amm(B1B22&bMke{Gz~I@}@em<v_0+zICP
zOO~1SkE2TC-I=wS>Dj}&x=G97ulSFb{&f}>4rq7J+DKW4PGK{z0?Wb*bD=ctwtJAd
z{|=Us8!f1EbB8}fv5T4gasCKXvFr`bvjZ{y>dqz}ZuS-CuUeK-as%BH>}ckd@<$eJ
zIn+5hN9SvI>5;WBPrlmS*L0xMKDEvKxbVVR*t9O~kBDx`spV!C-A~espWIwy*)PuZ
zI_P9=%&gt+Hm2S8g#*>_w9iLQ&}m}lV05*mH<{4wj1zZ&>@-irW7*^Uzg>v!(dbmh
zZm(;4Hk^Td#JQ2R*G*z@MSt@fA8*&q*BkR6*3ishbInF|ZCZ?p|Dx3PkiOwXFzfnT
zxVU=lKdiy-R(hR<__}R=!v)FG<~Ou$aD=)!g2y<<{9KW-YoD-g*5iBo$aS;n8tboI
zDtuh}``M6n8N2qBkacYTc`f_zY87>(Td!Lfciqf7(cII?wMUz47Wk~o)(te^-)5D$
zeQYx&w20gN^8Ym*qrBJd16k|iHm+MO`+h0Pxu3eafBjQs+nSi_^t!WhMF0JbpM67j
zBa_EIliwUsO9P5Sx;vosRh|y;W=0KvfxjHs?L&AYzG}@|(;pSEkMZG?dZu$0**Vfj
z`MQrZuh#UJ|4VW&8E-AlK);W49%i3j@_62lKhDN8{_jxq6vQrBB^~Jl+ze!9k$D5*
zc2(xKtHtNWw~Wk=&$5;}8^aB52KI1tmiw&h*Wc{|oVe}vKFfA{1LM}+NN#un{_Qyb
z)6IZWip(>Bb4s|;WB1=?Vwxs!ALI0k8JoZ}k?>A`o%6JN!1~+7!nY{bpDpg~&NXX-
zvb@Dz82%TN<TZ1!E>mNh$)4!15Zph;8K{R%LL%z7W>BKPPjtVr?!lv^|HU@*YB*2t
zd1_e8Gum88WI>r|ZVGYJmUo<~7xG8?ZXIXt330#rg_$O~VVc>7>1&r}ev*9L#MC44
zlct-fmzfR~UH!0=$F0>HC!HSsY)KB=dXU3mw)sT!c|Ct*&3h+0$MKYnb(Yk~HsC9L
zT~dwjmUvmmjrsby;TPwJe%f?3Ce2Krz*B>I_5IoO4^gD@Xveu^fk~=Q!PlEHQ1osR
zD9CJ_9I?D__xyK^yqdr<vkHe==W!^6!_MrjP2<x8wq13Ic*Kc`{N<ObZFkp7z8Vwx
zi21#~KeARu*W>8K-i@n1cVz2Tk9uxQ`2yvtd!INt|7uM8M@-8GdT{A_SP9>j>NoBA
z$yYtbn$!l|qdbj+9t^$^UFG$I89nd0>adU)o%Y%$?ypd^SpLOVV>X$p6KRys8_*~R
z%+|EbM)}%!8`3COOf*!q;3Vf!!GZbtioH`V<L;{o#7#A=8`2}qr#f}d_T|Nb9sGqx
z*td4obq8`EG0Obs)iav-yN>vl7`}v5cMdmmNxbG0I7H&man`A{yhUH&-YWbQdIvFj
zLfQLpXl;kscm~_cD5X(8H{Wn+t;?8tK%6|aV8S!+z0$+JEvv3a;Dx3+&+&J@zxT{7
zt?#RJ_0k&C%pG_7@AP$;wm$7ne`jy>T3q$@;yYcc{G4;@Yfst3O%EJBSInBG{z7J7
z8-IZ32)P?GJhtPk?>TN8(R}sLLe00>Io8%AbN4ISeWt7Y4)PVuP58AQ-~WwI*SxYE
zKfXrb$+r7aO3lM0B!|j*bMz=a{gpFzLOlKEb#Y>H5i@&M={H+hi+`{$wZ8^CZ;p|6
zt>19a7u1EGIPyh@_qQ*^L0|t;hMZ42Ph+BXP7fZNw0fBxW53Q6^`sd;h#QA;cxbap
z9-r~h&@LzR5LNFakgfBIL}aaa*P~khSH9o9uWuhb+%JQh5~Hc{^~zDxJAJ|Thsw8x
z^6mPhS=od!ItUMa&$%|Lc#EwCOJ&D{r}=8iN6m>QjHegPuTb>s`04AIVQ+L;w$hjP
z0)90dzeA>SQwH2mINXjy$6J~nD1PCUU3NnD1J|ZcnqE!WUTZvUo^Hx>T)U5=_$RyG
z<GSm;C7}CY4wCL$0!K|$Ggg{ard2clKIh^>x7lABJ~hMXkigf^)*3i-WiB^M%Kp4*
z)7;<3SK~SJdUOA)?nU;fsJZz$r>{PHZCT!)Z5PhtBEA9FLbQt*HP+oL4m@=Blc<_@
zjGa+Gv$+LTe8@PLetW6MvF-(P=tT*=jX{2andV{(7RTSr?JZdjm&|g;=gb-P-uZAt
z=SUoDI`4nb7Q<Wm%kvMIz1Y%UqUhiBK830Ay!o^xt8vrk%}*`;)uNx7<0P51t;F^w
zGoyaA^JWa`(VzDrf1zx4pJfdnFb}n&-Hw`Nt?0&6W;<5R@8&v#Y2?Nq;{tay({R)C
z9H!p^Vl+)&*_HZCgFee|Cq@H-qMS0Zcag#Y)8sDF8)C-D8f%`t%ik(`$b5HBEKc0=
z)ubMJCxkw~TC5Uw_&RSjxNlOFe92V1o89H+mrZZDW~G;%^7TFU>bbTxhR2W|-;nVY
zm*?+aK(qItC|}~s=CqP(@v<q}ntAi*_3i36Ivrm&ty|Nko5@U7USF%kJEwjaeWzVz
zyTCh4Uf!OF{s;$seVMaP-3hC_Pp7+W!dC?s&4Jc>xn_a+wza=y(Z5;MYIFGl)4mNO
z!+xo%u$j}we{0s^=&Q28RC<tpZm__dZv(epU|x90A8AUq_21&_w!kE|<pIcprc+zK
z=bC6Hw)H1?FPXR6k~fc4kF=$}4HudH9l5gQBD1<L+-;E=oXkaQP5t{Bw4ue$GXGK0
zEuXe~^_>NF9qf78Zn1f~9gYu}ZugL0t|jI(%rLvxn|$plNa=J_rNh-YUqZUMzdd_M
z({yLboL@ir=~+3xjCUJ|HS@aJ+N+jRF6V`^sBlW=7iB|<^7SDbH#=rYn_hH7E`IS^
zfNqF<am=h~OWIevT7_%UGOIgqxcb?=*MVb8I0?r?wJ7XNk!vpbyT<#o&cCvG?g2*q
z5mT%aZF+H;vx%Kgd#`o*GMArs3&gUTd%2m@lNz|4Qnb`^XFTs-@>t$OfhNbU7QOoN
z|5wPBM@4yE@nJqhzzt;>ATykCj}aIh7Ax8$O4JaGs7ELo6$)05C|dwm3=9!>TWwF`
zZIjlhbxSD(4M$9JRG^ZoAW_VT8*XUR*cgR2M?sD4?`;CZK=|k5``*3p-FM&J-+M#5
z;vuF{fM7Aem9>?A#=2&vK@dTvL2^OlLa22$%?ASGM&AiL{%y*gH5&*_g)w*rjh_wb
z@&Le0dP2<2S$AiSn8<tNyUcRgOz#202#9{JI~x;2%yu~@maT{qbHP2i5ctunX7mW2
zo}GuBYv>&C_c-0cMlpVoa<^cJEd_7?B$p+4G}D1Oz()P9VGgF|TP$pr;j68$9p7K`
zy&MLnePA(py$SiT0)lDaWnZ!murIpPM#xyS^hL|$Rgv$1UOBmsm;{cT>V&w4PXRz5
z0E~%V9ccaV0m21-It#iv3oUGRL-MD*^xt~}*%>OE74{d$y{QP2Zdwfhw%42cm+4cJ
zN^04LC1W`NHqi~H3R3S(I|0ZKv<?5)pzGV;A0h!!Lq1BubJ5co05Db?CWc2YtNQY)
z1c1@JMM(gFuIA!l_AC)2Hud&hvbg^7GzkZW`<GDZTnLPV;85KHEev{Z1K%b4A$;Jq
z!How8?@~Tmn3z?h!i&!+6=ql$@x$^xuW!k1>t8ILer_q1Bth4!$YnlytRWK~<_4g7
zfqX4)#pZ8zm>+U9ZUB9YX~ujk;XOdGNNd+0J;zu+-TI&nLQ1$K&fGOm1)vYh<fSsY
zCP3Hmd0+wzqnIP5%5Th+$!|)DoWGj8p0gy4^H48E4ZmH-Irj1=RFU{xL4DY%WNA31
zwGpcBtA$Hy+gm7ULJrV2SXM=zscU@`b2IlS6X)4-AN?n|GI2i+d8<tnV;M!KFoRb{
zL0BIB_%fQ31e<Oxrq%2zm(4r_J+Otkuzz>#j8Ia+Rh#_K<0Qz-K^m2eWjzdNrd7}8
zZ;St~e#%8T9^_kcM$Jjd4>)`Xh-yaiwcS@HWYWR-xQ@mpYi1682D0$rgL2_tvYr(^
z{<?9iiW@MP5N)Gtn4?t`!YyozS|7b!7`Y0H6sMqa7RoTn6;>#Yj?nSDTwqK?ddlYj
z(mX12_sSw6rtQ6}920u9Wfk=Qr@WlGYwjptCnn?51BOcpqR?68m(`lJn<iflP<s>3
zQu*mSahh)rERFjyva&G1fk|?1=C16jO^&YO2_IJwB=l8Di!ea`dMUKdZ392rs2JI%
z+rDhuM^3fP5=g({Kx@aZ?F@%<Gr|i?tPY$La@ivUww%*$=*c5kK@UGmF8mgAQRz#c
zbBRw@wkUS1#Sorfd0+Z!5|Z!mRD@wXqMOF3aIPJo!lpY<+tT1Uho=cq`bkK|3MIrU
z@Q^E^Vmscgk?rYpPp(=zJ?#0ZbQqN3C+TTA0@kiG=wDP*>RaH9Oh5JU)s&e9F<VcE
zGT=EfsD?eZQb8sjMbw;y>G@@90|wVr3oGYX0`PKaKnp7uP~QTu;pbn_an@mnF7&Zq
zQ15IcMm2ORQ;X~7x`{m2uE^}zo7qXiE7Md7NcZ0AK*OLc1T3mEIafuDr<#()b)E$C
zx`SYZLY%D-7iOoXr03v@Q>;DrW3PiPUM`bP^Luyp&gl%hP6H*;b-viZy#>~~iz^ZS
zrXy#B!H?RPUUJFe#*%oMZ;C`l<|%$I74%vTHqYw-&w?v+i@jIbiN6&9Ugl#B^gDKJ
zoSz;K#gAy;U}?}(fcF9Tmca8b><yo;;%{U(?aD1Glj$ZB@Tj5WW!gy3!8QEinBA%D
z`UZsR?f`%Zj7>XS`EBBQ7BwS0!`&7gpAX*^;2D_F0*-YN35MZ9<6eqh4pEa_u+@<r
zuZkP`H|nTtIr6}yI+4Zr{POJWpdlv{FdQpEz?kxUI@I()G9dQq>JfqFv2fryKw%EK
z9RtjT_{O;U=wNbm;bn`6s%`AVflBgZa_91UDqn$o?oV`kg*M3a5%5^eY)@t5s^J%Y
z%jyoStbk)ZRb*MI1rE6k0Cu`GdcV-HsFN=nW3po6C7p1!+bL~joB!_Kcqp5|Q!W)-
zim2YyMd%FKlMc`Qm?(ktF}A$fwDqRSRuJ2DxHV+D)n6QGep>Of)|!Pgf6YndSq<M*
zF}QK9nMp6MhWa_kfwHxZ-&JHLZM%OrnGnCN^gOwQnd&;LQ3*{8Jz;r`ND&kV8LzmL
zm0`39QhY3st*Xz&VwCo}lD2Z)kqek1OT(VKITbJYIg*V+3VcF0##_ZT9gRKJysZU<
zPp%homl7~_%qN$gL}FB2j9{V~hZX~bBr$4NZK3bqEocEXtbUn70eP4iFOwKq^mdwN
z=D`ZQbU`GNJG|@@L+6)F<`}p)XVYz@4}lTh`AitPL}d||a#2wqfWg{V^KI<fqb{Ak
zXM^$5y}^xt;-!0koZv^%-kW0bH8)c^@V%MHf0Vc6zWcCxR-G33XDA~d1=DL1z`g$~
zfk$25t!)EvR?HWuu7z|wA0>M~S$40|-G6=fUHybMTxZ36fjgm)dfSmm#Y)^{<5Q1*
z7Q@3f+{N^&9Xweh0Zu)%Th{E2!vSeUxwB%v=zJgj2B@e<qjE2K!YlXwF1%*%P514Z
zo8EgJJ+y0+h8nMmlxwQw@%8H`{#+DtEP{^|VYP*T`;<@sVx8@r*f<1dzd!5@Hcbq4
zq5#!!!Tz42y_{|oU^32jP6U8c{`0PzDEJ*LkgMcF`<)Yk>XiK)HK>r*yo03D+0Kc;
z#m-47Ai|yPoCpY~{O7%IryoI>$=S|{K;`^rbxdrU7$|Wqm?HS^F50mG_O+0outs6y
zGXC&ozr2mn1ie5E!AcLEkL6DQEOU+18mSJr;j{71N(*m?SS?lF8rukie6US~9=LSq
ziI(h5QP0Zu4PAp4R&;>9NFh_97CNJI=Rvnc=Mi`^)&6dLQqt*=7!Qsbj$`+_X%eE`
zue#yfxo50?!i~^a{2VszEYw1Roes-=o8vUSa5~_}LM;QAb<)<M(EAPTUI(e&OP}Lm
zIt(|)oZB1c%pUV{zsA+EJb8hwf*vq{vjBk6w`WDx*mc<ntOOwenrO&+Ez~n=lZNO9
zzYepRezji9g!enY9!Ft!P_uaS-=JCY|KTnQ8SfnlC^c><9afKbR)2_H6g$teu&nAT
z-dRO9|ATQCzpa|KzeU2Y`t-<%nYB%qGypUH$3({0WmQFN8-RDVXEW9#V$YtU$<_eb
zUV3eX_ryu2(?NJ=(@Gt@-I!Oobnu>W_`ob1ZK&9H>X5B28t<%_^w;|PJBt%XRwUDT
z&^fLNdswXBt8uw|<BJCRKf!x%ychV!_5GhA?0QeLu+!BMiL+i^KJH@6W-<BCvdTwp
z)C_vJ>=h|F3l^7KH)}`JUf}<a3LcfUFlj+fuxJWqAxJ2Fd;`T`Lo3dud9`Z2>F#4~
zDp{{-Luq=87D5MFwJTKH0C8@8gx7)=EuR{<XeOHQgXTr^ZfaIq){2G~o3$V+eyokA
zs3+)U`z_6{JpPHcG{>`r{W2W>+_R}R!!@keSoSM%_)E=prTpvqVKh3^_2mBnG$VHY

delta 50492
zcmeFad4P>||Nnm$hdE?l#}HB?`!Z(6m^qYvmnD*98H|0;Seg-vBy?48LLr2rq+)17
zRF-VfBH1csNt70&==*qH*LB9!t^4l&{663B@1M@y^E}_L=lk{Em+O69a~=0@-xU1u
zWWm|hDlOkq_G+$IhmGn~?a<kh^M*aK>G#B)hbtaF@>IFa$-S2T(!0;F93Fi(&bg;d
z>fNvTY{TQ}3>Wrz(u(*!o*+DKXdgRfE#JAZgXnqS5lKCJk3zeNT=HXIC4-ybh5?6b
zzy-0(!Uf>7#4F$Bq*405xjdfY@Ig4A680WBGHGOQkEes>^%n0rhO(sQgG<9DNfQar
zg`?m}u##V)jz!?Ju!{N2<y|gsbopgCAMs0IHDj)o;;o)~H#N_Tbs?vt4(T~$Xfo~n
z5F5v|l%9hJsr7eJN#!1`%EGt1JR)i2&_QF8JiBRW8T75Na$g6_uYb>xLmwRC@dRkO
z%IW9E4@>TwLbj=%4hX7#q?=(rSiR$SIeBE&euIYg^5iV)WSr?%bQ-oYJmuPji#ZkU
zHKJ$lq>&!aW7w+5epnT`g}zdQj=26i?FQENqzz6Q(J!f%#}h8_9FA(~%O#xQ%0Z`V
z9NNJe<|Ec&-|fMvC7o>ZTS0%B)Z|i5BZei9=sAkg2ai*qc|6S+I5lQe|D+*ma1Gav
zhgJD5q@(?5b_?;(Ll;utv|n#_>aYV_=`&nzTh^(=QdsGS^&Hi|>cAxHMSsE6i=>gS
z?-r+_gOi6O59>K{<TvPQ_y%;<KW}-b=Eq!pIkwt64_2N}-s<=#!Ro+-+Z?Wit$x^x
zt$DW%R(U_8!@bhhS8y`OdApO~KV_6y(W%IvGD>Spr>MfQunG!K{MpvL9A#2JXBBBY
zM-Ck_Bx!`lvmIOBA60gEWdEKchS8N3t9d-MI4uIEx6;m3btdR;n3kulc6m0e<uwYX
zz_czdC&G+zS_PPykd_~&HmPZuRh%*U(&fD{b1^O5<z=uY^c<Hbx;zNhSg)$%jKipr
zgOYnu(Vpn)$B{{c$EZQQhYlJFc|MDF`ny71r@>?4Jf04ov^}&~139c8UVM^coC5EI
z^P;zhmEo{{RY#=^OB%U8)+u=GsH7o%@Lz>3zXh;*@(C-LvwCW|cqiBM^*tVDLfRg<
zEWFy~nJy23wb0wTToYD*7Iyh(@=<>tb~ytsg}nrhf+sh0rdzlh#$Z#MRMz3(zN}l%
zj60oye1M3XNbsnea4@U^DFmzegBm*(Z3U~MRb0Nw<@1f4itcs!Rag~$(&f>xD%!>7
zR8Lxc0;*{_ST)V*^0#+61wTi>t6zsCjU7cjJ%w92dS*+9Pr%xscfgu4uev-BX6B?#
zhPAkd!kQqxVKuOYSOq7#LLFEu@8)(+ft9TTxr(ROY45l{Nj2<#ajVm3DC0VYc{8}r
zKvip72d5glyiPHuqtmP^u!g&7Cud)~nRr#_U}ukqm7CW49;Y8)!!C#2u#2;R3ShH&
zr=~qaK-C-%tABdKYNz*JCqXN0wX-f<3@#6oFzuOcjy?(2LV5N+XMl%eYvbt)=Yi*S
zcPe;|3Kqh?1WWHdXyjOrr?SU0loqSNdtqf%zlYPp#;$$Bwd+|0gT<TQj;i8I!kX?=
zdph&xLs;EE1Xgt)fYmSOdO5uw+uPw8u&VKpH9S~6bt19q^+T{-ss23&4Wze!@H)Bt
zr(XQ4QE_`WZCR2tTmPa{Q?q(?7LMxOZw5G>vCrjaU^OE=3hCJL>p#fp<#%B<=XF@y
z&{E>niQ(QpMnlvs^@lj4yav{CD-TC<olg7nd|FEaP51e*3JTAgKezPHEqs;TS<~px
z(<xkFc>07JYFAVP7@kjyhFK-^ROs4kj8oyT9G*tuX%(Jszdz_qw>z0c8o}paT`<Da
zGCZBb>!G(bFHcNr`3X*UmW1W~Hk=zCoIE(GYM)-7SFp7UJv`Cz>p3!INbiBkqjIBb
zQjZ$cXTV72$FR{uQhE>Vll1s_r`v~(NE$UNIcY=+wq|E9Si^QH)#0Q*$)l2o4oMxE
zn&wQ~FNsiwy@w7Rn9SIBCV`r<iOiM3C@l^?IUaWOcCh@DM)n$=JgARn-4thnE`&8q
zkGeeE<!&xFcDV*zRO4NWfF?wQ%Rf$b>=Q13;PM8Sm%2RL<%zH=IKbt5TyErYEm#w>
ztjqaa{*49{qS0w*6@Z_jb>bv0m_tT+JkLDg@!W<z7S@J-ugj-rIt7NXqtIv0b|%`N
z4?yGRI78Vdsn=*-LI-P{_*5XBCUkzdsCI^5$xuD;DXcDSYn{wnCRmU9$f|Ay^Hr~P
z=xJv^*x~vlKjT!QJFH<UZXC`H=fz%TtO5CMPF*n9nO4dDh729Ss3whMV!+MjIeO0l
z%x*rXv9$^h!K%tCiqW(iJtDcP=2yCFFM#u*&xTd(6qn-{IBl&3YZ|AZvwgKl8%jX)
zImzWG7CNmOlr(0D3Z8<k_~9;(hm}E}q@-b0lSg{Gx#{k<+UGA*uGAu@7Ye#Otm>el
zy*UZP$%B(ec?w!{@)u8iXR%XB?g^^)9n`bmp~syI$JrT9<BBeI;uphe#9UZq>Lfcj
zdE}@8ocW@u+tnAGt?%kGr!($e?)ZI+t*tH3i%xAWp_jmZ8Jh`|nsyvPz1VN)us-DD
z`H}=G;PeV-(2l@)vCT>+gBh?YvK?I$B78)<NCo8g1*~4L@si`8zS^lk(KSxR`VJjY
zm7B!=<6c%gYic!)T7-38afWpj2{fF)Vrw&g{8gtyC0(7HpAkv@lE$tl166ba@tS)B
zVYRfE>wl5-3~Sn4(rKw2ea$JS={m>02p3RG?ta}F)@D}Cf@M<olC1{$2+=BjJFIrT
z39DVpU=?#Se$wODJN>r>Tk(@9PI@P7Rd0Z6cX6wc2y6CMf|Y*|R(_Z8ryEk!dTn%s
zuMzSR@u{2fV#gtE4y^W0g>Qlf!s@U4Vfn9k%h6k6t0B>_`ZvGpca{EDf1HL@frBn@
zg9~Uto+O~XVjQfgvY!!Ef(*DY9Nr`5J?{AR8QOc)h~yzj%ZXRZhi`TKp2XJ78V#3*
z`@!m=?yxF$ZizEM$6!@_FI+&I+^C+zdiENW<auwK<M1XCs>tgUSQhRFN5Vh8>+#$Q
zSAomGpTqJCZ+hppyFG!fbopUb<QH`LrMdZ3hGpyaH&tU+1VJsiHpA(<mAjk*7r?6N
zl-*8(S*|?+R?iH9)xw@*ldAS+4|~A1JHxrrKOsN)_1f#?-yBv$!Ve5;?WO<aXg@|_
zOSu&XW$1;KaPEF*D9-G0DsaH%=`7ql#0NigGER1RC#<0hpW`YXbo~B&A-sM8r2jQp
zZhQs&e{cazo$S>3hF3r;_R|4pQk{ae3jVq!|Fedq{y({tQ}OVXd?G`46ZYkk_A;)Q
zcAkL7@(`?uD_=M*;W1dxK|T8<oyXQBJPd1j#eL<h|EDZ(u`)GhpK@kQ_y+gSH?~82
zjqXc{o+n}*zem=!FP1-dyYUl`?CV$L{Z&o7o%BrI{m4@}M|GLgy2?i<@^^fqVzV{R
z-nwLIpJDH98e1rOZSFj^Zy8cI?B8?Bww5oB=uvES>rvA$M!$cw`eTjv#&nuFW!;9d
zTk?2ITPamS-g~TczMr%*`QB^ARSiWp&cRiksxzhk@TqCdsd~G2rj=eb6g+`X1AKhe
zr2aA9)>d4#5HTs$LV-^Lq_z^O#e2(GnW&Fhan(b?iMi~jlxaDwhSg%cC#`g}>Jc7K
z9rExik6>@CHdr~Vt<__^J*|`)A#Z|}&iBJsCg0nvxSAnvZ7YTEbyj-KP%uFMx3JSI
z&$d=vt&sP5D~0c)RyyBNRwm!~>N_}(F=>Ra*P4Vc@wG$VNGp@?`>nV-q2L_WagD6f
zw_53F7tpHM`72G76&D@y_OMc-L&3%D==H<7`Of9Hu0$sW%P`^V+3s8G#CW?}DRo2M
z=~jB(P;eJ9Dm<sPwQfu>AJ>z{SotmQq*yB@CKNb}($|{UKR(co?V!GOmCk$Iii-^e
z4`8c{eCm{7Ax7j*EU!8-&=IS?Qh8@vadDyG7VLJ!(t(sxfXSyaozCrum6&Bc=~~o>
zT=!$ub<))$9Ty!nje)He6Kv&LIjn}nJ&mREeX;_dD9*~L8t*M-rN@VYo!Ob{*kx?R
z_bDvplgrNM7?x@iu=A<R?ya68j>(f`W!4XQ7h7=&A>XgXt#Jv7!RqYysxI#I{9r3H
zA>`d`#U+M<1=x@^@4RXxqmiB%@-DM7`Toj^3xxv3xp>#LCf15)PNs)KUdzf1g@U_L
zRXi218WSkX<+FvA5Et(o5M^x)B?gxuu;Az`jhxqtYZ&rQv{LxqYo+s@!^&(J3U=V)
zq)JhAC?>cNOT9*#_?Y0qthk18F~NeI@zqZ`?8(-_in}Z1U2Ub@6$+H&LfFxoIIw;M
z0j)8=r344Dlr`O4mE>g|E0?vkVNCFTtR}?SD=oMdOIbU^dI`&^xCX0nIgh87?b)zK
zY($o!K3-{MHV%37SaD54!6vsjiE^oPgAZY8EP|GoR=tnq6sGZxD(`d~EjF<c7;>b>
zO=7%nTIo$g!ON}|VKrPE8*yv4Q4M-;bH<+qPfkr;%NhU4SPjUEnVJ|AJcZTS$#`jO
zL<Ohq5%!*t;#%|zy|f+cP8{v&=Ph8xwFm`U-R=}h4d}T?u$)QP@WI#!*PsSOUBgnD
z_LK^?s_3-LW3QFjSn7WIAR#8W*R^t5lcHmSH&t>9aK^HUmC{NRF1=MK@FOuztclU_
z-o{p3>rima9Uf0La-p~C!~~bRR>1N$i?uR|FIL%EA70CQXH4V(EUnfXZnBZb+*l7E
zW_;Gi*@CNCnQcOW78KS`Q$4VjP;Wa_q&iP$?a*jKJ?zk-tWfP59#41c>W2C`2y|0q
z@SH++r5XM}lbRk+7wc-9_`q|7I@+Nh2;FUm8Zo)r*`cShLSGSTV{5f)heK(ETG`qM
zS)mf_435@^P!q)l(+Rl?iY4?5mOFcE#sn)xJ8^7$wPL)Ztn`kd;0iQ(*we=QwH4PX
z6s*G<)XMhQLpK>qIeM&y2{GQSR%WM=_f{*eb13jgj9vGJ@qv#C-DxF^tslY4af)X=
zf}OFnlqitha|c0PTI_8mSST*5;Oa4fMp$=hj}AOSsF8Ny;4X#i)Vh@AW1VPkV4r60
zH*zh%#yvO=i<T0n^|r>f>^(d11y&7vM%Az~yM_V<61dH_u6B(Nj3(5>4jsx0)u!@}
z_9P+36~7Bvp;jRcv9uSnLcRtbPgh&(mKA!P&^@-6r=iEw$qreB8d?*p#Cs1}DcwWf
z!d5!pU9HUSq2N=jK&q*pX&4jOixp>0>>eM;byqm`eS|tFpWrKmsIJ;d%V#yFHCfh=
zSUs|=4s1Htt=Ilw6>LiDvOI_U!P<@GPG3r>z>a#|nuOIgE8S;*uxdA_)md?mVRg!~
zj{m``!!+m+j`KchW%ddMub{CixPmh|gR@&Xc{$cMf3Ol;J2^XX7MAjItgruI#kKKx
z+S_rHI>ts|w9RrnjMXx1F`rYCLf(N^dQvF(B2Mwdu#Iuy`ofCq%Vn5dMbnx!K;@po
zV%a!FdUslxc&Hp_3UVO}G{9<LB}}MqrS}W@&bPO&^h?yCsJ||rDg8r%&#7`dD}#Ne
zeMc?bjOy{hb%Z*Ttv$oNK`SL$2d(tvP;ez3>8u>h?@XKqg#Ch(>GJ!ttdm#|*p{}Q
z-d*^EoJtA4OGs<USv^69Fsr0M4=k>qc&#Huzqnqv+#AkIjeZ!5VQ}ICd$C&BJ7EbX
z2b)!E)+-_9>a)D8_Gb67#o3mwM~AVT8LqqvGxeA{<mGJ;6YPei&b9aWz>8R{|CIU>
z1axJxs~o6G8xyUByW)cb39-TI+RZs;zLhdG<hyjgwQ*=-pdHh_sg*G_-fOJ5VWGe^
z+fEo3A8bsg)FlyDquMdS@mTCwvfhi0z^I1dTpdqfu~J;e3O$`_JIS8HQbir>Yb<89
zn#+N&dM~HzoVdAIx@Ovz@26hYl@W=-J9}qcNV#?{#8Q8<OOgBxmKvMGUe%TRI8Ah#
z-VH0(%7~8-T7(+l#Z{E1AGFd(g@OfH{@TE~2FJw&?!sziCA5eS{y@l`C6snw-|#Hi
z%6R~TX411{6DZkFljLez{RjfgY;`RA?FU%u2<kxkLjAL53|4<EcQ#?YjK%P}o)O96
zIYj2c&R9-S%H>TgXAUXONA;Xp-4Lr)mZfXO?^y0kBwg!)*{r~Pta?_)BlRN)xKk3R
za)TIryZU739c#sn3k5$x3!!l(ON{Xrv(nKz3=U5|RcSt!I^JpKQ7os?s$iEP*&DqB
zOB34hEIHKaEXNvvbv@mySkCfNE;)yVJtxhNjlfWwId1i(kFng|VU1K79`1i;L|_6I
zC!y5(5d@shwsRYi)!8j$BQV@`Oj9;wS#r!bl2z?g7e@@Y?u_{BSe(^c#0Rd~p{w=d
zgUv=|^$Lk+W2yVOaCeLe9>a1LC_NS^HQL@TqT_?Z2x%GHcL2c+SXpHRbC2QF<HV8Q
z7%cS<o>*^Txw*5Q<$f@nySG+s1ctJtTRAnZ#!{BdNKTCrW1YoFCU?bn+gRz7*{ofS
zlO%KYB$oPvYO~5?QnGr0-kE{r&Nh1fBP>;ca_Erq<FKrZsr4fWC<9v#zK`W5!KvVQ
zZZYkH#6m0Xk&y4x@z%IU5`#4-goj7dX*8DhIs4wuw_}1;@6kkWz)E>E6s$inJV&<D
zi?gwuW6mK$u_WPoGdae4la(?p6zKF2i&{%Q@F<~JYhprta5Eui>TreOK09T4DA+zV
zs~Mc-pU2Wn30hk@?RnFjTVifVo5pxKWIq-PK8|*mQ$3E;`>?cw*&e|XlbkCU^<Y$5
zVZ{;0?uO@7Eal97N~aj#N0Y28GZKRZ9uD7eG^`mDcmS)J&TYPR4_g}_PYmpuVt4A}
z@qrRkwJBu~>XQ|EH7oR6R;bw{VZWycwXjnhBh<_eRd_TU8j=-yGb?m0E7W9K*zbv~
z(8qS@>YVyHrfXH%Rmlpi$_ibyLkY9%=Xgw`Be!u`p|`U_z8T@zCgD)<F+!X@+%rLG
zE6xf9H$CC;uqHK|xad`#6+RHzms2cFZ6+=g{Q{PzqjMjaV5L08MSr$)c(G6G!7Esr
zSa`6z)v@B94h5&qaV{v%sbniwEjvf%QScI06)aM7iYa5oJrfG_f07drGq`>Pfp)g5
zR!uI84#RTpD!XFo(#6g2qSzc5b*%(u-)=&69C>7H1V#-EZl>9{T0G^Xx0@Mw5-ZU@
zzwalciOuSz`4LY$mUG5!fK^AQp1>$VHLQ%u@xG-`TN~#k296_erRO+O`Wa_}vEW<8
z1SeoQeWdMemm5caF!Rfs@KjWTdSkhJI*(M=VAZn{s>TO@CRCRSIZp(t%netM@$mMs
z;ueH_%jR0+79<8w5T(X)O=WP3%yX=uHHj-zdn^rv9p_s%&l<NdG3a~N*_EB0@O~_H
zug4zSHCWpF><1yiAF-6RJ??>u^X=(4IX*aqkh8+J){61HHs7lEd}8ni#0EI$vTwv1
zFK|Z2zS0LLVb!xUQU`3p(iY8BpsO-nPy0^X8*Qa83I(5A=!_B*f(Ia9V`&7PDi(V#
zJdv0>fxBgCqYFMkNM&$Pn9lthmb%X_!*}gDtDcn@sQtWpm*EQzCZyqZo}w(nk~90q
zz}N`a2-v&y?TehcI(v4KYjLJw=w855Cbnnb2o}?ip)0jGt9|UU_hKn?<`P@gY%FKu
z>*BH>OC8DFWVDJbaq@G@YK1j`IQy=Vtu}6X$lJk6SswDOUTSSzo*4XQsncM)4S{mY
zNNinAh!1on#D2^neFmW}PSNb*H!aur>1MSXA*ZW!40{@j<1t-W>_w;I&RMG?Ru?;;
zw+Xpt7v^a070ej>*mf@=4Gc}A`j25bx$2tnD;7s>uGY<0hG)12W(iiJokrK^6IcyY
zr$E_NT+Qs-jUl92$4<{vfmK*{W|i?RmO6~(`$DW0_j1U$Yqd4*<;1|PYwXEMqX!Vu
zsBnyG5aV02#;UhEF>nHrry1O`w|RxxZ<n}=kaIIr;MJ_t00Z_kmfJhja32<4tni|1
zos6B<w#Lfx3O<U}%&8YS?89o2Rp-dpvUvtNU?tj{$s9sF5vdj*yhNy@<4@|Y>%zTF
zuLeA?le0Yv_Yta(m$S#t&9WNKi;cjjlNA;5Mm8%@AFHl)H8DOgf)LMZtH=A+ykT8=
zEiveQGwTFFx%Xf>ear1wa6XpW;2f||UH9x86KK0$Gaw@|KKMML#&*poHH?kG=xiGe
zlVT$_gj+pnnQgc+OrTvvafxNDilv7Sh)fyp2rKiAP;fh%(|KAU`8I~T#(RHEa3q#f
zDcy%;U}<WwMJC4he&1--Tb~$cv`Hha@tR9WW8(DJ39JTA<=EiMzQw3wv396XUo889
zPVjX?j+Y*8{D{To!i{f@3_Dk<JcW=_G6UJlc428{*kuHYz0Ewb=Wu_8vP#>C<<1UD
z^KIt##;)N5gq-!st{&Wg<>p0a<gijUasJ=pY!_TPR>uUUV%={|tQjBtl8`33vxi4*
z&FXkA0aLJa?cs*CS!@JGJEtN<-SQ5%PqxKU^iHu-GD5)}Xwi-bli(_rmM42HRf^vh
zUVLioM6Bk-v8OXZ4q(;Avd_ETTvq1WAr5YFn?v5Gt(487z*FyP;!fPmk?K9W+Jwds
z;_jW$E<$WZo8yB8-gl~NKLHEgkL3&i51D<>y>E@%9Lj;#&Q8^6M>y4EgzmNLvUN;s
z#7<AP$13Bo>Jeo>nD@Q0)7tn>BG2?Q-w6dz?{ZSnZCpn0v{JT(ybG-KZK2>#yPcLY
zAzE=7{~+9j%*)_ZEG-P@QoIu@&bGYUxG&t}#Bue)vk6vxyH?%|{<8CKD6n{Mcw760
zP&X%C?HKRfR@{4`;H-Vl^RfIEr_$gDSgLpdt6^tu#rB7n<D?AEEm+Q=YO7s^rK!SJ
zR3|3zGgcRSLvC{*JfRq0-|_=iy&Z|(vR2BDP$2C?22ZCW-;ockD?1W{wGTRVWu(b*
zD3->ZY5j35ck3H>CI(KSwY4&K#s}&g;=pK!CS`^8W`&|Y3di;*)YA4_N2s|S`ppg1
z&+&0sdLk?INmi)rC*j!Stk7#&p<fB{u!O4I`Dr*bJu9?7D^&cjec!XYehxdJ1dFpm
zUx!1%%AYy67F;8?#RP_6vBieseVaeCuIx(;{DRQdy1Fku(Bz1krjV5tI*}Es`gu5Z
z9HExB-@AmG+o60%olyN8ZXiCeC@XX(D^%-PIKlX=(DtlQ-s5VnD$p@2G(Ri!MOLWN
z2{k<9K>ZwcKnd1mg)V1>5>DD~AJ(@rKMDnMeWB%)z#ki1TPYuhyfduykNFGRm*Fi}
zXV<}4+G$u#bz^+XzO=@DlIT1ArM2;sL~k=I^OI2E`LCF$*40ngl?Z7|uuqTN^`(Cr
z3br}rq_-a(1)jrdWKY#E2x%*KPGD8Oc9x&BpAEs%f^*_t!>WPB)TBONWW{j_@K&(W
zKZ{SLOqJ{L0qSahva@s+mi@`jev|}PzY%+hV^Qdh3tgY>{5!+?WaCs%4upF_K`;;~
z;UJ)oST;{<><os&`uuOO@*U=}mK?byRc#rmeEIx0tiBly)PxkEd?o;Wva^bs2*eKo
zeZ;a;Jszvu55b@`!dMeOFJ4nIlVtG`tE9;?_=sgsmBB~swK9Gv&h^FPnWis3;sBT_
zgO6CbJ^_?^w#!e#(k-Bm%~sw^#S2DYEwD9*y;j1d;;Blz2;>4U0)4Wx`d}4Mo-eul
zGOW*yI43$sIQt`3{;xZx&B|{*P<|WiSB;ziHNAS&sm>-8eX_IM-vZ(cppRJDZ<fJF
ztm5AVDu&CV?awvP{)nZ2;Fy14<;w*t)lR_G$^M9yfGdfubJ?&zV(IMW_UGTR{5}P$
zC|jxh`D@mK;Ufnn_}pc-K>H)s0{qc2|39(UntA+oug6+_yo`0|cnN#1UUT!!&Z>u6
zFZRLeDZjp4Rxk%&nm~D6{YI?GTYz}E6m<Qvv0eU+BJ2c(+=PYQgkn{wD4Y*2@9O_^
zE>A9hk&(6odWuDv_hcD*?CQ_O?b=px3$N!E{(pm2cA}eqHcqu$-+%~Bht96U{{}0o
zd))lQ>gBGkeVu8)CiZ<qD6YHfAXe~xzDmL4TwSb|JOpcnPI2vNu=1G!^PlH&eYsp1
zejZ!tUV!Dd9L^2Dn(9Wp4)dSq4Zh^C0oFdZ1=fUo-_`Zw2gUD!Re^(U{AaKVIOg&f
zus&k>pK|pxt}d2;>UjdvzH=kQ3SQt#3H7@YeZ=a*A6;84`)8LgySiBV6<F5}KZf$j
zDbZ!Epgh<#pn|6$0i`YEIu>;uv$NM)omt#^D>Fh!Er53g*Siv|1eN(xadlih239fk
zT{{HxpQoX|TvmJ&Z1rO+H@=O_?OeSxtaaH3Rx|qf*jg1BfS`|9!9lKrej6lvxV~Ig
z^G0B+zz1Qa9|zwAKLY24Em#9SALc*LLcZj;$hDWiO8=sdDH};(3xZm_(~Z~*E5QL+
zAF&dA3`_dd<<DTvsFSb?JOir-F2HK3em$&oJ~ES^er2qWSQRa%Q;8g+T%jVI2fH?`
zMcf=#!gjExSVx%uJooUWboasPk?t<vuSh;(`S*gAJ{c|qkB3#kNw9h>btVBV9^*Q!
zgw+$T!OD0Y%zvIY_2sgH>3k`EqpOQ$Z*uJ$vEtuy<6Z9jXTi4Rv)RpXi_2Txgkoj%
zj%#OU>D$o#R`;)qr<TAv?t1<Iz|OVnf1_Xx)Hxbb0WPRf{S!0EJcV6dtTq?R;gnCn
z>969j93x#vvHGi|YyUfzUle}I_-5B%EWHe@8FibhXK|}+f(pLfwZ%$U(dA06F4oMe
z<=SGUt0UW5c)GZ@cTZh6RxCTlwX?ITS<j7+hvgD-{cgm{r-2)PBUUZ$%;B-NT`N~m
zO>OS_ihWkz-*2~Cohe|~uC*H@R;sqHEmkS*TyF33-EO>C@f~2L>*U&<-FUIKg`RK`
zcr>i26n#1D40krc&Tt$K>W+!93V6s(AeKJKwZ)2m*tNxqpX%CT1*h|+E|>*t!!r_X
zrhFxM7C|jo;6{k0KkxDqxEl6;SR2?!unPXz<xgOJ#L_=?ZLxx%^QCkrVdeXk%ip9D
z;6KkfzEpwpE?;o@dsrF%0P7=GOD@A|iE`DJoEMf$L0I_|R%!o%m2YYh92F?)axs^S
zyIcZR#-(6=#PTl<Ym2_swQqy@&vOS~YGGBE^)F8-eI1u$U9Ru2$>sCr?Ml3-5rQ&q
z4C^D7-2_&Pn!(DrC9DkFx_Wz8@96S9F5fG*W`0{dRsA#&OSue&m3la=+()=P5?1bG
zT>C*-e&bzxf@`P2>i<VvejL^(J1gIr=qhhkz`1i)!2V=st&L~hj26MF=n6OCD%U?d
zE8~~k_|>pnUUPXptoRKsr@Q*w0e44z8$rjWy|7w(z;*l()<>)sf9%?Shjp$!gTGpO
z4%U|c3#|OFxO_F0fIe4ULH(B>J3p+bA}&Y5{O2jdmnu>oR>rrve7nn)V12T)4jmy^
z|1+olS@?f!r~YNlvR6bcZAc4>!(H5#{O>U1|G$&b-^)jvLJzkAHn(#HjcIQpG&%aZ
z4mV=W;(o-7`@4Q(r5gz6vRYrf-JaAV-PkbWU_URc3#&h~KPyz6Z0Yr6@X5}~{YK9U
z<tJUWNd%f{JTr7|T03LtlbzMfd%^$RXNFpNe6l}m^jZs#+@7j-jI`taJ66B^^Stn%
z=Y@OSxg*wG`saBeD_@J_pXY^T{&`-g=ZEes!#~dp|9M_$Zw&uDFZ}0uVfN>SIw}71
zypT@d^WQv2{O5V$KhF#Qd0yx|`}pU1;Xls{ogMU_=Y{_~FU<a&P_sg|Zb|=nUa04X
zI&b~Q=Y{$ki6{J=aOC=VIlZHXn9>h=TbeGTy?IT>Xm3mJT_*WK?>#1B48k6wyp2ud
zScDA{ijF~OYI=@A=>H(XyAqn4;qoXk79mM_v@|;<?2u431);S`NkJH!f^bwqTT^Kq
zLd9_iGshvcH-{yBDj{J!LI*Q_Ji@f`2<IhqGI0|SVkaOhoPcnTIV0h;gw_)gx|(?t
z5#~<x<}=qOdRutAndT26G<yh-)eqs(-DFC*ETMZULJzYt6=6jxLf$llo~COWLYFjz
z3<<qWa1uhqB!t0}5Ry!~gbfl(Ka9}NBtMMM|6znZ5|T~iWP}ov5hhMX7-)7%*dd|n
z6okPhWeURBDF{a;3^kReB2=7;Fmo!xaC2C~rxFq#K^SSKKY}pr5rp#+Mw_@t5n>-j
zSokQygXWBc(-K-wLr5|6rXkFohHzEFc+-43LbK@ztEVGOG?@}EOX&U>LaJH$7{ZFj
z5c1AIm}I)n@ZRHn*sK*zHo?cCDW<1rs!10;VhYZL9yQ6LX=bZvx`})Oddv(L%`iJf
zkDGF{pqVB`^n^Jenq?}@hGv^dqB-WU=t)y^4rH0>qNmJB(bFdGN$43fM`X+y(OlEe
zg65fdqG!$bqWPxzQ)=i_YUoomW1-2Ea9Kk4rxBhvE1y<FpH@SkL0D|MK7-KZ8H5Z8
zFPNY~h%g9)4Z<>$E@6X&(sL1BG|6)j`p-q!BVnb9oQF_i9>T<V2rrqP5_U+a`Ygg~
zlkzOW*k=)rN_fRonvYO%KEllT2y4w@37^hq5+^QT60bAU7a&YqfXDd-c)Vfa79zwh
zL|C{GVZAvc;k1O-&mp9ndCwuteGcKOgiWUT^9aqJM_BzlLWaqda9Kk4MF^YC%0&n(
z79r$ajIh;oU5wCWF+zrfZ6>$`Az}%_;3Wv}nsf;pB$R#u;eC_*0z&^65cWveX(E>*
zlvs)|aVf%Xvs1zj300RN>@g|J5XLS;I4WVEsk9uS;&OzU%MlKk!xBD~knkeHK{NeD
zglR7#oR{#CiCcjXy8>b13WQJ0840H)v|fpD*vwmrFn1-wRS8E-^Hm7VRw1ljg>ckl
zO1Lbc`%4JN&B~V$R=k9e_hp2Wrt8ZHU0z1Wknp7mu11JhjWBpM!YPw3VS|LyYY@IM
z$!ie$uR+)&;f#rV1);<%2oqmHIA?ZB*dd|ns|e>!%Bu)tUqv`7;ex5O7NO!=gqdp*
zzBh*@d@3Q~HH1rM`fCW&UPCx9;U^Qf4k30O!oqb3znC);PD^P0IzpzI_d3Gd*AcEt
z_|-Ij1EJX)2&>;fxN0&bT$a%NO>axz?_RU&O>bwj;!Tvi>v8d#uIq8>vK}Erg5Lx;
zAVh3H7`y=?VA3UQkWe}uA(u%`N9do9ut!4BL~cYVu@Pb7Mua?Or-U66s%}EaYf?5L
zjNL@&sD%8c(pv}>-$I!A7D7RDSi+|g5;719o9P({(=rgwODJmM-bRRh8)4zw2*u4A
z38y8r-i#1w=50opyBXoCgecQ|3qrFk2&=asls1_XE=%aX6`_n-xfNl>R)oCoAe1v*
z-$Cf|4nl^6@+P<qAz~ZC;B5%EnRE#oB$VEcaJxy~j?jNQYklu_)_Nrq`7T0<ck!6`
zE*_Q5P6<0CRDBPjs!4edVeESdM<rA@mEK3F_&&nS_YrEE!xBD~kgx-xwwb;IVcHIa
z^Ae&>+)jkpod^qeBE*<85>88Ky$d1E%-e-9cNfA{3Gt@+ZiHsL5mxU;NHCcaE=%bC
z0Yb>E`~YFa2MBrhAT%^x_aJoHgODNNE)(2~5V03w@Lq(*CSAe?38nWTG&RZl5c=;!
z*dw92iQJD+Vn4#f{Rl11P6<0CR6T&u+N2yn7<&NWsD!qr(uW8YKSY@MAwqj|Si+|g
z5)LACFw+krOgo5hUP31mcL*W&5W>Pk2=|yX5>88K{SiV}Gw&mWxgQ~1mC(&J{}`d!
z#|W!GM(A!bC0v%!{S$;9X5}XcD?UNU`zb<C)Adt?E}tS~Na$^XhY=zUBMd%_kYv&&
zY>-g;GlYI7`7?z6pCRm#kZdB4Ae1<QF!2b&K(kZA4hdC1M;L5UK1Ue)Il@s1LrtZl
z2o;Ya%sh%P+#Hthsf2`M2qVq(V+hlZA)J>m+Qc2_B09#*5j|+mK<4yuqFbLJI>pR8
zfj-WBFB)%}pM)lu#iEHOQ}mE&{{@t4R*KS$_e*G!=_=wVA)0K0UqKutL{m+=h@-?Q
z=uwj_;wT}SZX&;iI7*0Sn4Kby65l{GO$ubjenaJsenaJEnM$V-DxOA|c^YAkIgFqK
z#Tm#l(?uL8L{FQzvk(UgkuhgP94O8~^UORE2MW=A)BIa#fmtkCXfj35nfB+Q=gmsd
zBIErIT5P(CmYB7o7fkR1wAAzzEi>t&<)+|8=tYwZnf@24>Yj^Kb)|{?9-+kd2ot|Y
zc**RPutP%C9}rfXlpher{(x{)!YiiIC4`EX5N2LNSZfYT_*6o|j|l6`^dAwX{fKa0
z!W$;;CxqCa5ElM~u-=@Ja9Tp^pApi{yq~?tgL<IN<H)pwX3{U-=e@VBFL&A7!5iqr
z%dtVT*zX%}4XctP82<mKIcmIDyblJ3^B4a->xuo<XU1OjZV4>BnKy3aK1=R-E0=Tr
zHQH#nfc(1oq?`I)UqqnZ9d6>Lj`-@$z6fu>^$Y#JM|1ejw^;w2-#0GD`iqgi34VPS
zu)P9zj-{UKTUYV*^O|<oy!YAp6(~Y}LH<f*m%ZLDJNz%R@0>&eRjIP%+~I%4b;ZN$
zZ!YS~>GKtssgmyXDt7&p624|$-)XacZ=`RPKaj?~R&Le1x*ct<S8=>sGu5GsU58;;
zyb(@^WVPSCe7i5rM@iKx`hM^RRy^!Bc%PkHa3c3->hgz;w~DWJvGBjb+IvuPHT~n_
zy4}6<#rhUie1{&%J=gvJM;f)kbY16b(D>T#&PVrndW&0kgnBzzpRlbA^uCootz94e
zeOs?Y>C?uXT<0sCs+Yd?Qj+~*k{!Wojc7`)w@vhVjz0IeetO$QuVU+SADW8RYg|zh
z_;g3p8zFi{RKFt7r>E<uDweku-grjizf`-9x4WX=I9G;xGS2+4KS{2p8`>|`06u+P
zjp^z6+SPbV-A=1FtxmXFe>4Tv=J1pGfv%?4RT{hRs(FUEiS_Pv6QGaYYFB0S=84``
z#`Fy1OFg2OJ7=RQ^GDIt;-X-V1U@s|w0e1Fw5vUirl8V~aJ5<b2^atApM~}eam6`q
zVs&#BSJVITh=!viDC25#T|afbJ3&12&=jq%U+tz@;QEzDTTfV@g|3#$lI5q*w&v0Q
z$%=wyz^`gLpGB@?S;G1yh{kX+nue$x81HH-Oi6A5ISD9!4VrqUJh)Z0=c9_s?^eJ|
zzxHcQo^`Hx8=~Il(^$XmY841SquI&l4Oi2AdCt||bhV0T$tsPHTB$-Rfki-{4X&nn
zwUjQ>5T@&g1xiyHY{fz2mEk&8A*>$`XuRHbwW@^m;{grVW>>35xDFYHf1sd(tAj?a
zrhHXK4WJ(=Xc*pg)7Dh`HCZ$a@3~?v!fSwr;eA)DO?VzTmxXtr@t^*o1kW?Bw#)U4
zMtj25cDq_#w5MF{16PYddloIVECKzW8WFZ%7t{OE<p}Gi71H8BH3j(Wb2Yt2R@~M0
zyIMS&UR=~ztCi}>`k;b4?%%k6dbO;SJ4~nb!xH6_2$nLQ8dr6%v=GqmJk;f9U9Ewu
zsVmR9T0_DaK%Z}2?M}jl2<vm+)$Ss^*;e@BkE=D({M+J+`Z0(KZVa{pWqi@qnh@Rw
z^!Xl*|MbtEdA3X7bIJ8<Mp!>ERAE25T64ntf%5pt)mjjK4>Z-L@v|!~(iG)0VY^wL
z?z@sYknn(<&O3p6-lvxuyMlW`H*g>54$6UBKp9XL<fD7_|BIIsT=BD-;QSyL$OH5n
zh4bJV_zwI6a-(}e5M03i-cQ&3Kp+P~1h_=_ckm;)3@!pq>z`mh{4-nt{ucJZnQ#F9
z75)ue1=_y90N;SGfVS?_-~>1cv_+o+!^nDshNe9M%?%BSx>j?d31|S+{p#8_pfzX<
zT7tVlJJ12#1sZ|ApeN`BdV@ZoJGdV_0PX`lKoZcajPFv3?Wug}=QaAN%_{H`SPj;I
zSHP=4Kg)Rn%mUi`r+`PmqhK1)-aiUxzaId!#p^ddgMhYnZRJ6b7Zd;mfp$o3V5w<*
zU1dgI1HS`%OGeYr()3fc=Aap94cdSfpe1MvT7f%3BhVN$0CxfX_Ob|w06`D{`T^+Y
zwE7G<1-=L0>C*fyfeYXwI1es?AHWyj8*mzY3C@AD;3W7Od<Bky6W}<|exdzA`+;6b
z)l02|z+f;03<bl$aPR==33}yZ{B_aLGyfK#1852E22DUm&<flMT7#yb6SxPo0i8ix
za2IF>+JQ!(J!lRZgBncGnxH6{Ma7-~iG&kCynd;mA9{2IZxHb&cpc~$ISoKV5DWB+
z9Q}}_4babB((s9f^|O-}pcrTbnt{e(2k|E0@jMMIpo`laFdyimHVWv6B&l8a>IS-l
zo}d@#4f=p2psU>gFa!(*!@vkI66odkt>7K74QvPRg7?7=up4{;J^_cp5pV*03BCs3
z=r#UlsOeK+o@xxHff-;57y~AO&Y&ac1jd2!U=dghUI0tMGO!#B0!NwQ?*aW_?RD@5
z(90tk;BBB6OSUt~&+D}_ABG<UKu*ww2pvT41^Sg@9*`I01NzbBs}!&rybRWYSAc%3
zITPshHT@>GE~o*j1N{iNDu@GhKn&2&{cC}0x)R2MXiyvQHlQaGlmPnaaxriVC=JSj
zk{}A`%2*EE3`&7Q;5RCA4g3y9F!A(SxUP(~7^>P}4!Q+85nc~(0I8)h^m8s<F580Q
zpajrQEuH}SNyejK8ki0q12e#6FcnNBld<@Z24ld3;1Ifg2=O)H98@3|hyX#58{`2u
zfxI~x|9k}WtA<~}Z{SDp6ZjcSCG!Q~A@C9S1iT1Vg26yPL|hLxfGyxSy`UfD4q})J
zf_3=34Rq<=2=puBdLRMBg8~}=Jw$jhZl@ypec6-P`aN1ZFcmxkrUCs-Dh=pYOD}+>
zU^#dZtN^RQ8t^LE0MfxmunA;<&0q`I3f>1h!7i=;-QWYT2kZs=z-;g>C`6@V=n4I%
zGZB7-%B=$WiKTva*%jy>LiY@Xfes`^z-D~5fOo()upLyQk$T^@Jo%Od<v?l~zHSBj
z6`Fo$)rmqng9_j<_7U(qc$5qdf!*K^GO2*3_bHBoW5ADp0OSODKwgj!<Oc;nH`3__
zM>jN2f`MS9uK&Xb3<rb3&7dq;MGJH^*Li;}cp2zsqAVy0N`Nxp3Kba#bbrtg=$=4F
zd;RXHFO}*ChJ(+rzXGSgTq^Pyc%O3i`x*bk1P*{t!3W?o@FCa%4uU=42sj1~fzQE5
zU?<oMJ_ftMCtx4g4W0!Hz;i(N0Wnl|3wQ_UsD1?K*ndX1W_56g1@%AzXb5z!?@HWP
z;7f24=$xoiua5H5fR698Xt4nn(9wM^&~aVI^Cy9h<a5BYU^dWxa}&r5^2yH6myXmS
zx@i;LqhCttl&qg}eM|w(sYnaZ3bY0~Er;<G;Ty&4C)b-uyNbMD0-L~D@D5l6rh@w5
zHZS8}lfvtPS|AQo1@WLZ(2tSofNG#VNCeR!0n`O|fa)LyR0gr22B-omf}7PSDx&)g
zVJl(%{9UK#UEqM{Rw4-O2k+T}L??2Et`K}i9n(qqmY#(OYcjq9)_~<eOK(0cQTLLS
zeM4Fh)<0uFXL%;V{Xk#P2lNI#L1)kjbOarMPEdEPZ~dOHaBlCN=ICDE?XB}5-3`=H
zI)JqYO@R(xI*94=(f~98I-G?MV>+DakfwuM1<)8&H|6&GiU*aA-0w7t_xhrEIzD`_
zuW(+S;Pj-20rxbqB~xmjuRzfDB(8$vrm|J0lYvs21_yjOOpSfM5|QnQ&~;4?y2j~J
z<~a7;=ZkV2NA2|$Fl9gVmGa(g5<c|J;1S`%4}E3K=?{HH0;=@`#(U6rySIy7UcnwH
z-M}KMbuZl2v_9yoUQ}1uaBaI2z8`cma}N4ySIXW?;U4Nmv?`LlcN*Kh5m39Uo8hWL
z#Y4WE0_wEdwjE3&sNM1ondRNeO+Vx-<5n(p0+HHu#sHmaN5iAQNH82|%=?33U;s!4
zL&0D$5DWrCzzCoXY%F-t<rJ57p_@clOIG(CX|TJ*P3R+Er__fL^f2oiScetu7dp7K
z20FMTf>z*b;x!pHQMZGG;7hO!yaTp^FTfG-IoJ$zN1g$H1`dNI;8Sn_3@2{CmTpf1
zI%@Aj`~d6*yTJQkCs+@f62A(59;^f_z>7fpz;j?BSO65S3aU~nY%zEN=s33&UJhOY
zZ-CX{WnH@05O^KD2G#;4d=<O`q_1=FCajicZ?Rgb7Aj3T*Z?+xjo>ZtHrN8nQh{x-
zDyZ-dSPgtHm9KX}S+E!Eaq$uS3HTTs0_yG$fppnob@efD6dVU9z)7Gybm;vGJ_TAb
ze5!OaxDmR_Y)V+eliGxU#$L-oU8nz-+(zIoa3^R05<m!OF6f`^s7b;aKpCjz@o3lJ
ztKc_q9-Ics?^|#VoCRmx@Xzo?@SVp00)ZdF58!)n$%XWvz^|@-8U6*xS8=r{T$+58
zR(@B2(ud;}mkCs1#fS3@$N#MHcWYuFzZL!+)T2dlAO}!wV_{u>>w<6r)ZP<~T?gC@
zRGHdvEfB8MEri1rs6n_o(DA<-s0woH(p?4U{-7*~1eJk$;tseXxE%yR1)#3I4ZanW
z2jxHkkP~=7xWYcds)QF-1ypDNs4@9nEf<`ck1ySr+yqpK2p}gVQlSc~yK=kXaHi@~
z#i@WlvkH(Fu7nz<!gZRKu3pwq(bLZOhsRL|PdTVNm2qiM3Pb@N*;EPjkdAJuy$-8t
zb#YJ(=(4PXtMX8u;_MX+hr`2MMo(35)NL9!)mk-HO_fo&HQ_jE>KXYde4}}!IifgK
zMm?&Ehkcc{lEyzgqstK1Ob$CJf#!kia3RV_3Dx~I-OOZ5*St|BG(<`h);0F(MGdX|
z)C=L^OO=ymV>rQ|!&(X93Tb78Gu2Gi#8sTa*?rV%?HSr`#o8;Xf+N`3{Tk}2YPcrh
zF+u!;lL}OZf7Yd`HJY?b$h-yI9Oy!H7~D-**N;xHt`!~Owx9!;kF5*bGOho1*&^Dw
zk=ibokg0Y!ZJ7grG7S5+cf-0OhBc*;j|vRuqc~llRA^XJ;a#xx2(YQ<UlY(6B!J#T
zX!~sddV!wc0nh{J23EawKjHg8c<a?N?FN)__U`SDro8S1+Do)O%N_!h|6q_B;%gw#
zMI)TKG9G}YeO-zA!~KBv_P%fuP+{RA%U)=BxHL4Hh?>MT@YhCG324%4K2!(QDBu1^
zy>wrfOhh=N@UjUPpiH&ZhWGqhgq68gi<V=!kU@mCTPmF@AYDsX1&8wvPhw|2#b0kl
zxaNv@0?Y)DgJB?*jE2Lb!3Z!4j5Ha?eD~xYLr_CM$!l&t?z=a27WPVTiZ-o)Uj!8h
zM+2SirLRVN8LR>?x$#Q#3V0Q~26U(J5_k=yV{ZU&f;YhHU>#TwRvhDtPiH;NMY?p{
zx5t-SgrnXDGy2jC$DSYK^WI;x8vk?pt2i-Da}B<uSG_U^+?YDf?wXgFJC0u-``BZB
zH~PFmvMq?B{wxe%$m}<G@3MP}Uysq&kcXHL%d}2h*8b5_*JB#jA*v`*RbN?Eu6_M!
zAqtAFR<~BQ+V&Y!F}FSTV!kyUzS=`fY_(c7szrN-nwekv`b9nJ<~pmw;tA8AYfnw?
zuTiabEJ>d<`M>hj<^_klzVh`bul|Z6qwR1I9$zB<O7f!}`}(}$m_6p*uY9dbeU3vu
z9M&Y6d{<|FSdI*9RjZ}$IO{XjPWehiUB%-jJQl^*`t7zy_QcyBHL5X9gQn*xiY#KD
zKILoey~%ue%2&C(o^%z%y=;JMFTB6+6GH+eb3Ja?v}QFXX$@2JYhNTU8@2q}SDCk8
z9{k$(3GW@Y{l*s={UNuMs_)oR$@@=EyZ;AL)n;^Rvpo`%o0zqEZ~kif%#~G%AvfiB
z$}A+Q??O(q<{b6SbRDBsrXFAO%^N(AxxY@e8fuZ>oWn6HUoK~49vd+rqkD@p@7ZP8
z4T>~nPE(27aZsPs7`kuXoZ=IsRa7*!sNsorW4gXn{%qc<W8NaBE|s7!?lOZ(8r1;@
z&4;#`+unF9N3Uny!l`9nv-mWfb<lhy`p^W=_}<{fmCa`;a0yLT+mc%jEL#1^>1is^
znUgOQqpJMy{%66uU0PRnV<>Q=$$ORpcj2IJerVRZ56a{#d5i5(qgo926{aB$zOzAd
z-&wll3XYoh@7;9i%PUcvC*oM!>6UzEmU6004e&{udf$!*Cbi0awum<|K|LH@qmJ2j
zmH{4P3Z7%!N}9@0)FdXiR?7p;d*``jdZ*9a{1~aZrpGy7>+pDRD>~foFOt)qQ+>_J
zbH3V99auW5%d+W<%HPpuNg`=AM6{}(ss1fRtuxg-`ilmrpl7R@G{GOqYp83#rQZT(
z=so^ObM0GSov56w6!lu}g(p9olIzRb<U%1D=xL_)d2%Ui=AWmgk1-wPmvCvz+Fb>r
z`{Nhm`0Y3Q<Zuh^P|NSA-t4!_-HK?^#W>YDVxq?QBYo$Jo14G$mEd*BwqyLYd24jw
zcfQuqFPCt}de2R*58eC5g-SlJiq}qdgbXz(Gx|KW_N~u$9#@POF(*)S{yX}xoym2<
zH$Ten&cx>)*>u;6tNE7uybo!fF<YjZj0^Zhnolm!>ij0pMe13YhNzyM9{Be6E3<q4
zY&Y2M*TN=*1MZr?QL&|*p_yNF{n?UJ-x`P?n}o7$Yi3>~zb<C$MfxY%<o}*jHOw3+
zD!w#lU2?yB`p0W-?$RPRsoZtb%yj?WS2;Kb2W<qlf9<GaH#@c2Qu4N(n|eHO0)H)4
zO8LedC&TEAIA{l)THwAxgQj>F;K1l;fPN)L{S#TJ(4dax^B;1PGX8mZX^OgJlyQ=_
zduY&GpRZl_G7j#D>@Yolpz3YSEBNt}*3KV%jmw`d#~w|7zFV9sUEDr#*n&?!IH(e9
z*z0qHsd)+iyrv}-HLtwW)aO<`d9GN|52xZ6%K%aJ<t7z}=vrKh)YPkkysr+srI9AL
zJ20JyQPnSB8Q=e%E>A7<c@t5z5R%Lu<vj&cE4EM9ZSOpne^J2a9g3n&{Ym5fk-T5Q
zR6p0u{r$N+niR?5^Ug=na`+imhqbBx&XUMo+lo-CyDVy%wo00WgJyE+TTYhW61*iH
zhq}&0O}Nd8x!1ekNRwZlA7)qB-t>~pLXt*p!$Em}+vna+N9%8CgoBz)m+v(PaNw1)
z-!pxYrE=cxWOSg*s{PG>eEt+uQd<!h!Jlt6Wq)ELxnbY9MX3jP&vfulkkcQ$gT7c+
zqS*vR&93D1#mQ@X)>N#McP`b?9>ba~X)egm-aP(dchL^)>@LMk$De&gqFYqv>`$Zq
ze3dKU4aa<hhnCFUUoIc`RIgV$`@9>?!k;N;rCI;8FFvYg6{lPJXHH1V5qhI3_0dvg
z7aL^q{z8Q(;-InlZrZfZBbp9>IER<m+FHwVOhX)aL9m<r((%(EzjL|D<yUr`Uvk}V
zubG8I^p`m3x;XyZUKekgyfT|ZrW<o*M#J(C9h^7%deZ#nsPeAB?E!mDTB)ea8K-LJ
z|M<E?qA7TpI&?8>8M~-a__6fUK6<VH?6>EiNzCD;$24@F*`^16(W`M_>7_Lrvb52)
zfjN#|ci8R5yt#GBYjq2qT6R6=jH#}?BdR%FT`oudMaMg?{o=YqMRQVhaOmIoIT=O&
zbxD6+JE!{prhQHacvqR-nQU*)RF3|PLAr_7ZVW75nq%jSYwfufr#bYmlbl&-FNO-H
z^%WX3*7Uo=*(AbPSA3nK+s8PQWLETrVn2-hK}VUI)!2`?(I6%-MXY-Bx3;e&R=%3U
z-r_W!lTGPg$!Ma9`IQ<yVFqGFE#Og}_J-#BO9k&6|M5fi;<C$KWuBM&dXxSu??e_d
z<$l8|XX2r#!5qW2yEToR*|_-9?S0hsb~8MWnxQyEFTp{Fy`LN8d#Q8x5mm1{WDuhn
zF?Z;x{l84@wC#G#VUwY}f5w4rJ?-V~U!*k5ol)hwLt*p1>QK|<xr$%g`usTvzpn?p
zxcBL*)iSR84KX1cqG#furC59I<UXed4c&d+VYM66ra{#sWmAVeaXn^_nW?<b<G_ZT
zmU6WIcf&_bu72I&0kc&OV;VZW{Aj+6DZg%h`k2o<2t^y=s;66WHkfSkU!&J%m<O-<
zYWu#u%e;JzeJW=or&p54mFrQt<-P^V)*duZIdl9PRj!XiDKa^;waCD(9WHIU?$Cu8
z^~&m_pI?0Y_WC2Q$BZ^rf2T%I;$SbN6VpCwG5XgI*BxFpJ#p~vHRI)X9zS*4u%n}H
zpLw)Jj_ZCmnOAU#uF}})w#V)%ym|k*_hw#qXywL4<!Q9+j-`pmuEz{AS5?G+(>ak(
zKjbeI^==F9G^x$MZkO*q{gOXEs&Y$bvs|;{(xZ1jyLP9~%dywq4C@%LmyS*}QBc(u
z_-SG7?)=Q24-Y-u!^fV;<&jOZw;NOY$=>6(E?mSRv$N^x^_PnpN`$u2Ni{zjRiv`j
zh1R%PPc{q5Gin|Vx{7}CaIv+)gH_a1uEVS5fXd!s&OxP4;1`MCE2*ic3k5ICz3!LU
z(v<c2OK|Fo^KnS4Y6knrH=&h%vzXTH)rc-h$x{XuaaJg6x2;)>L-Bv@i~%I6U>5)E
zD;jWu4GZ~8<m5`sn46&AUzy*0MEhyf1@}&4<n(6OUSD?W1bbhwm$QB5jr7(rGvxk`
zS?~9MA64aUr+deL+i%abLg#KN;=O~dS)XXLEr-8$R0ABen~Y9gbFgXSCO=$vXl)7x
z=!0&iG8C1JpSF?jf2y+TksOONby8;|;`5;CfkX5oI26EPOvfsL+xAX<LJl>malQB4
zusiB#!+OT7R^BT~s)1_UxY^?qisb0;B-JfWhB>J^d}w}!N_~T$u6Ii=52=x3N6Eq0
z>-yW>rbbSGiRdC7oU2yz{GKP<RaiUR$%*q=jVi=w3?JK^Uf{^*Urtqwu2MYcF%xq#
zcH7KaDC%E_=Kh+_p{0u1nw#5z61n^jl&{y(nK}RJ9gcCl`LV#(M1Ns3ERR2@*_+E>
zCHRN<##v@l(>{Vj|D{f*Y+dG)liGK!lUWpjS-{LG;V+!aKJa+Tn}ZS5x32M4v^BM&
zl_?jbpL(0M^(d`P(4W(3Pb9y)7^;|T^@w_=v$F@i_(tyr+w$#Q$&zEmF&v)Pj5nI}
z`<4En*?KGCvq68Wzu(;6re<D$ZS%lQ{z6$zv)gjLrEbUkp-Fb%|DlpJg`9N5J|~aA
z$NxeFBAq_{mwNnF(f>u6+4`1WyG^P_uU*Oe_j~P6Rr-?|=?<h>mB-&CDm;5`Fz-x4
zA%Cfy_HnhZ*_5AUHN2a%B4aXgt>09t?fdptq1#)}By#}=e$Wyuz*e!^w2kpc23O;*
z3y>XI%nUBzZyqRnAG^0<FDlJ1TpGqQ{g=l03z-wS{3ZF#N|}QG*1;EWsY|kXW_XOh
zu^pAAxnu2iO724bTHbo9XS}z*Nh!o6-fnu7@fYVY*$MN0A%A7xk3Gzfh5Q$z9_Z=p
zHUsAG9Dm;l!!r*KAKb_BsMP#kn5s`TkwyId*cc`i@wev0v#$ubJz)Gr{f&dud+`?)
zYIMl7FN$hMMixGYs>}CR-)=0qrR-Inv>i8Vi&B+Xb6#!_nR3O*c!r5D=C7@lH>_BA
z<wcsa(KL9L$&g1~Gp82R%6u=&UUEfE+2Z~jjMSVEl06?Hqn0H(*WuNzM@_#N{r*uc
zGkbWPWftkIupZ^N<Htew23N>%OmFjj4Z8lbTm2>NrA4>RDe12r49DARDO_&27EU5(
z0Tnjw?qEWO{r`3Lgkx?{($+|SzrT^vY4l&$(dip=qKv=E-_FfhO+BK*wYx#R?T+|!
zf4JjdPrJX<zt5Npr5LxRW^Gj-0I@zi>1KD;@E8|0?aDK_`^@i>zA?i~Lw^`*CV>XX
zt?u7wo?SC{n+!M3sl;D*V1HA&OnAjaM!i1Bc^15~ZRrCGp8Rl=y|%e8=Wo|$bs6g7
z(tp?OH>#IAx!mbq-ju$D>r{Ao++g<CHwU6A-@bhGxHa6m8w{O0?Za7RFURe2r?7Be
zuQBZ@+Ff1YE_aIgw=;wZT+UgoZnl3IJ9T)If1CafOU<6<Ma}FA{u(!)b@mMZ8_niQ
z-|BXM3E!e&rhX0h58Y5SpsR6t)4U!hl38?=ZsK2V`g)_&x98cReZ+nS?XiylSvyho
z-YRMeRAtWET~@SAEixO=ML&vMrhHwX?9;gl`kdWJG1r@vgDXOQcCe^dhdC#N>W?+v
z8`Ej#l<Qm9GIOpXgWyhh`@B#zz&)?Wo;u-S{~Jrd9&V?d_IS88&R&^+-NF9tI5Ezp
z&6eBzE&fL7*Ndr<wTot}hACD3Z%m3CPJq8`$A6w^;RfUgUt6-($eH%`#JkySDekZG
zHyW8e`TuAyjN~Vt*Z0B58*PDq+1$Us8D^`d-R}widCz!;ql#|aw$HEe?&XIgZe#c3
zFIoBn#3b{4b=J&Z9DTT3>}$?f_czWRKDD^Z&pBadEv4++TJ~l2=iTRT_p05-$iI8_
z`{VW8-FfY`7Wt<`NcM_4W&Hh9#f?e{Z$nYN#yGcRZ&kh2u<pWb)11FEXuJ3y7W2p5
z`wv$WuiG?d^C@-Xok~~b@E-ZcgV+uFz`h36c6X_)o2v3At}gcye`9)?O?BDioKv#-
zuCBl2Uri`#<s7z6ea^*yK1n-AVqdcdO}iM*lB>;u7_Q*Xaoe%VxyNeX?+=>$V*Pix
zkqP0mxc!@DCc5vF;c2E}t;*N$_MaQ;+}NL9@mT(kKhDX+_a{&a;CsE=Ma}au{^D+)
zS?7Cq0PQU>yp!9T(|>W*3Xep#UEH}^Ik%;MTuAO|$=NERZalm<z7RPx!@0mXSNgv(
zde`^%9Djcky3t}_{%||}$Fsd%i+^{4{Kk|^_*;|gMkShy3EXGc16122CjPCX@{RKO
zuUC|NPxCJg*58hK3~>Fy#NS>+oz3_LO!i*pl?MLG!C~W_*_vX$l=`?S-jKVu+$Oal
zr;U;moXA=8n)d%8YL))p?EVR=yjj=KU%S*RIOvA1?SpqbAAR7JYwjxG!S>q|jPFkF
zDjzn{cXHSEWvUr~>ARF_o|Bwv4j}Wd2L<kea+u?3{$i%>UEIyKGlTEqq1D-kohNn2
zj%{A}Qmu?Q{gtB@e^KPk8aF06z5a?iIR}4zJtm*oMAE3TlbxhnPt93TxOmfFt~=B+
z7nFA+912tG8h1Y1V|~v2zUvP6xG_ssJ~ZIFh}%BA9y7o!p2FjUc8z!dGttz1m<K#g
zb!MC4jTnZdlg;Ce{3S|lAO}4$d&l!#(+X#N4X)?#!DO=qkLVMw#~p<#*7nZ$a`APK
zAKjQ<#eNIsFH_{_>oE~#_*6<S+nCZz8Smt*(rcK8joA<zn{H54w<*qnG;i@nXP#R#
z=Kbp#3^%iIsQakvFzA6LzkfU@z2S9-g>Fo(f)hKR+<14d>oM!5m}8CoCF*`M!|Amz
zE><{tN6gS8jCD-4+B}x^oFztW&UxyG!kzp@^b!phece%Cn_;Rn@t24y^0;#>DCBMa
z`H$=Sy<pE19{$z#R5m@DFeLqO&_lq!heNM*sv6558t+266(!A$={)MYl&-%Q-9}P9
z3TA(wXHItT7c0Xfj@R)ii|>vP_MR=-?*3}mQy+TVe9^?;$oJFZ>nk?(ck%N6!K7w%
z*f(ZA6xD5}^XQ>iplj(ir6==@JGNRhuLJPjmf0si_wS`cUB6C;PgX8ersX&);ru0;
z=b)vV<LA6g!oRH2Ue**d5Q>^js+*|Rkj%Kttq0s4MXEa0cteC2u+8&0)Ln&xmQUo4
zIl-e-UwsJ&_x+Z1H>PNTwVTGx8shwA)PCr^W2X78Im2;|W0o!|o2$(KEWT5T7NphP
z2TSi$(kiCbpmmpa?d#u<82w$CMxCB%>bGDxe#Jur_Qc}XI$fQ(uajLdyHE3*p)DAW
z3Qsu0adO&`QES`mim)B(DvJ;?x?4$TGc2X_)OYF=L)LnBb+5@FY1CL8^v95THCuKp
zIqA6mSnoc>e8zl_gO5tw)Y5-P;Lt2`GT)Ezmy9LfZ%Cs*&6e?faew>ozSEzq^+F0a
zFf(U6w>*i{+AqoMF-XtV-9O51Ff;WBALq~bJWt))lD(v@`KhIUU(^lr)7u981mSoq
zQq?n=t^ECbhn_aQTKivjCj|crP|Y?(CYzQ}RBq!uf`6%8mnB!G{(h_57Uo`YlZu0H
znK93{VLMx3_OzkwX2#prX<@0h92sVqrfvP@{%Vw|%AtAAI2@i<;aXz1X+iSmFSPbZ
z%`?xnCF5G=06FrnH=WBy!%dlX9HqxEbh>OyzHe4GUDxM(yLP;x!%sQQU>x{6<KlKC
zw%vIZ0e3xSi+!f*Q{}c5Vy-`=!f4EJb3yqPT;%*=vvd31ZF&}XT~8(5_X$dwg!Vkl
zD`;l4=V5>R0w<$^2~SNMe(-boIqyU1rGPE%xn+K5vH7e$yZxI>OuoDQwW9Veab{%y
z3$I_eyUwUeP6}-u&Wm2|1wgl}$CjAcBq?={BzdUq{Ua~!n)O|E{;EXR*nhr0JHs5i
zn?inGVlLy!kX7zLEBl$eDbQ%sL)MdK^H_he084H83+AZ~{#N{RK<pNgzKj>lZyiWw
zzf)A(9d_UT7tBK)*}cDb!Fjq_zru=|1@4@^m{K))xjVV|f_beYO}UCk3F<Yh!GxE#
zq{ioSJy>={&F>v~W?SA=?&OazHFv2qI2-0nIDY4%2WR7_`AlywUTPlhMCW|D%+%;f
zJHB0J_IHA>E;Fy*%VG3xv$YEqJ-*!B+!^`Oa+B80Uo;0P^O*LXiFx@&^POT`b`n%G
z$H)5vrM9ndHrjG|zh9D>v$V5s*u{oZ9a&+v45X>2@zh1|;`(W`=S7@~wHsnTy`bd!
z_hePXeaXt_rZc5_bMR7GZp}(W{dJi$%=f&XrHbCvC3}XUF3e72MneB4wcQc5-Tnwy
z<1c#c&%McOOy!0%55}1ugYD^Xyel(z^-Iq6ap=4$r<dNm<)k}!+?|HA-S(2H#vs%^
zh-XoHXMf#qy=`_Eb#_;04|QWco4mC|vAy5x%{fgGhUX9C5g8uO=&K|sL{|A4JaaZ`
ze1|S1aQCnLFFV`+`95Er`FYy-R_+k6G2Cpf-b=^1ea^r4R<qmxY3$0QqPoubFb@~7
zDCn>`5Rqt$!E!PLI1mg5tJoF-4Vvgt6d^>T5H^VlQUO6xqfwj0Pfr>v9(N&PFcN!g
zT!7XEQHh=qtPw~|T!Ip{H5JtU?#AFaqnUpm_r32f-*Uh0e(wP+qA7YRd?_Ij9{B26
z(k$F1%2<RPbp2E~sMG1;LflFvy98YF$cT$^38rCY$T_C|^-<Y=%jJqO&02~}fEQN=
z0G7w{SaNK`7n65>D*+(&)#a3#1yMU(PWiJSG!1}cI^=723K&>8^E(NNZPrvy5vdvy
z^h!#<FDIXAur;^k;LjFBjkx`z4=ZCrSsdF^4)hN!92JC#GhlK?R0xXixV4~k@`j<+
z94;^*3}w|ew;aldrUAjp=*lSk<+b@u-wux3V_wx9x(R@gA^^Z#78Y%(8Q5&UiWx1&
zGc0?(?AmK!&gYvxieeR-><N5|T@@5D9g=VW5H9FDxjf<4(6o3~oyJZJOu@RRN)tUu
z(t_~u!o5k|YywZ56445xSCYYCh~3L?g1#MlC?OF$MDSAIxrf%E8Jt`xl*qNDPkOzS
zv+cZ`8?u&)Cu~*y+QP3zzrWUrKVj#xx_r8b35?YsJF};Tb1Q%M#kP~}=B_Kr1@u-M
zMouZYAn&@`g8)JgQTYsQumYwQG=NZKn)W=?t#a2$6cv<>ro>S}apEY!QuMg^DYeW5
zJ;cDSy`Wa5dW11$x<u@2cP&^hPi+yVmIix`uM&cAZ0w=a)vF_7%~Vk<6&p*faBCH9
zdILP(kAD3@EU&1dc~_eBLwG;#eAMCzlbnF{Lq}YT^o3{1xeq#DsG=KhK#ez)lWz*H
zl4tskD#}a&3I{4^MT!<<{QW+$Wj39d<=p;vduGVk_6POi>8BJkBNQeKcP0~Jjc)AF
zLoJ?5k{h!G;xGA(OOPNFHxpd-xl&~Y^335hU?w(zEg=s2r9v!pjbfKx@<}q~5td4|
z)D5Z@FU^|NB&v(0^|QP$`3;<<dF%#Ix>2gX@82?usTx$7j%13P4MJPkH9;DsP5HR#
z;G2>+F)qGm%5AR1q9<0I>|zzJ_E4trR5l07bjLxVZJpeHp3<?hMcIcSGaDr(Bm#P&
zIlCvO%v6a9R->E&g{;)*w&j&?ZUgEOFrVtg_bWnh?r-$i+FrH|!=p@lDqxR6pI~i-
zEq;v9LR@>X7alle41IV7sG=+kg)nEf%#_qaj9LP)TSOEqg)g8CGMz}*Vr5M^1!QQU
z4E{-bD2t91AUkm~L-YP+pgs0%w>U|EMDkwwdVJ_^U2FlY7Tm2Fgf$M-|Fed+WWl8s
zv8?`jEj`GAakd>Z-mRsVvtduHhIOn4M>n8Olo+h7uBn;rYeH5zG{D5`<3`e|Z0Ox+
z+MccX8&d(t?2cu;?u_q;wr6WY_5ZFT=eb~o=;jp-covzbKXd!g`KDoE=5g=T(e$|p
z1Nn$74D_a5b73xJL?Eih6>gTpURfoa*B?H~T|22Q>n@aP5U=dk$@%Gn9PFY;7ej6A
zo}`vu(nK%U;ixcEeWp;sJ8&7FiU5S}5&#{(JH}ssD?Cni^FXgByer^|GPsW!j0jnb
z+u+|Y8`B;+b#ic=0W^Y*;RX6L=sJ7DAf1NHhe^*rA&|b>yWzU~p!`M-he9rv`Dazt
zlr|sv@YR5F!e|pO<oWq~h2k9_1RlIZ8Q(s|Fcu+?GW<JFkmCaFIme^u{%dqs3eUWU
zvKF9o3B8Mpah8meTs=M>>83vw!6z{>w}}T{o_gW^xjq9m)B#wwAb<DF_Y)@M-r&pT
zumb;(v!_HzMbC~N*_{58CkNnhtZm9%Jw*w*2;=N%HH-SfX=g5CiN|p_G>FJk<a_Lf
zkxL#dfeiPIR+q-Ts6a~0Lohdr-p#`q^&hAL-H<Z<7j8P{VoX*z3DR`sLDc!yHuS-E
z309`sVkav#u56gp%;s21d11nTx8*ZK(@9gd;~>T6V`>|3#&{a79#8OKKb%hIvxKbm
z=+p8(kmGz8ddp}#mJzSwC{^{uP(?;5#`R}}w-y<oe=BX)T`wsZQ1~J;P(+l2aw97p
zWZ{3f+C#jOX>>skFUmq*#k!FKfeN>!XDzrRfoWbLJj%;wh5XF+{$og0Q|A~i=qz!e
z`_EY_FGPIf&?t6q|Lyf#U!{x5fPn0>EDX<Tvs}{u3PJGWjTBG>U(@ePk=Q7C_}Ruz
z57%^#HIE-3uY*F$gIA7pEv9_*HTEwS6#HRa&aJZ1|3!^5LQ?ihpw5T(6d{NTlmH<y
z_4~{IvM<jJU@hk@x=y0|=xWCk+=kwKG@ju0#D8=^YI_h(U##`^+Jcb{5PFY$_e}98
zLf$lw{CP1IE(T)t65>Mf%qY{k<|AeZYZ-4b_nl&DKwp&BBfl*t=lN~s=tqvj<N?K6
zZ{s+boQ{t;<L~9|vfVuNREjHxf14!%c1O*gmOc76sP0yTv6k@`b0e?4u~-}HxW8Ej
zS&Qk%Vi4Kd`GP4dz!a$KPeV#TWNYUO0>CQydDpS@Ho6+EoiB*4oc!z!0URwD=yZwJ
zOOn5@c#iXhjuKGW+WCTjuu6YEc}p=xECFWL&KE>qPJd5vv|ymWEy3)9{(Z#radc=2
zFt>KTAONf~fKOgZPD?e<IaS~gGjeCkoV{!PuEuc=ae#BJ!eP!>e|o^8Wif;e0b356
zWu<<+1+dJPwBy<j*YSs^(?VDOY~F{L8T{NzYnB368`aqG(<e~PQtgG1$BWbJ+r;2s
z<H|(+dU#UO@xWM?m1P-=Ad{}WjYgItM!45TQKeeoZ>>&(`~fn%7DzeUrO?(=Edw93
zcU`8v5WMuVhzj336B|5cc*=HG$HRj{-FvX-EEcU@cCKN{oinh8i&)|i3;!$qc^PDA
z7XTOyF2~;3*|@P4Z?rCAZyI9KYT63`$jwPi;kZe><gD{qMtzrSnfNq&?s9DizU96_
zTn^w;u(z)u<cIscE8R*fhaW_nr41&|oS5KPvhQde+N|`n;G-A6x^ncDZEX@h_rQL?
zSL-{P+R<hw7_nm}HDn(RTiqp}hdP99-n@HUKpzaoo>yL+KPYmn@wgk>47)VnHExTJ
zr21|ih8qKMgGvu?J+{}>5P~+#MeS<5v9TiYxx+D(yFwc>z8Pl@jNunvTexM?ZXeIf
zX#WcBBKOz&KQsh=^Ap<6XxD`$P8dD!#jpOvzSD`{r|c7o_&JVxCp5yxw5~<(QGIuX
zcGIr9Yo)g1ZCcZX%GktC?R7fer4>+XD>k1~r`DIgxu^NlnO4n(*4)?P=(A3(nJ(Se
r6379-)!`4c)j5tGa&TQHoy)cl>i2x6m@FmJo^D>!52w(%_O<^9pVl|6

diff --git a/dashboard/package.json b/dashboard/package.json
index d5a5cb5..589ca60 100644
--- a/dashboard/package.json
+++ b/dashboard/package.json
@@ -22,6 +22,7 @@
     "@radix-ui/react-select": "^2.1.6",
     "@radix-ui/react-separator": "^1.1.0",
     "@radix-ui/react-slot": "^1.1.1",
+    "@radix-ui/react-switch": "^1.1.3",
     "@radix-ui/react-tabs": "^1.1.1",
     "@radix-ui/react-tooltip": "^1.1.4",
     "@serwist/next": "^9.0.0-preview.21",
diff --git a/dashboard/src/app/globals.css b/dashboard/src/app/globals.css
index 262da57..65bc799 100644
--- a/dashboard/src/app/globals.css
+++ b/dashboard/src/app/globals.css
@@ -75,4 +75,15 @@
     body {
         @apply bg-sidebar text-foreground;
     }
+}
+
+
+@layer base {
+    * {
+        @apply border-border outline-ring/50;
+    }
+
+    body {
+        @apply bg-background text-foreground;
+    }
 }
\ No newline at end of file
diff --git a/dashboard/src/components/forms/client-form.tsx b/dashboard/src/components/forms/client-form.tsx
index 84ceebf..76ff0c8 100644
--- a/dashboard/src/components/forms/client-form.tsx
+++ b/dashboard/src/components/forms/client-form.tsx
@@ -13,9 +13,10 @@ import { AxiosResponse } from 'axios';
 import { AlertDialog, AlertDialogContent, AlertDialogHeader, AlertDialogTitle } from '@/components/ui/alert-dialog';
 import { Card, CardContent, CardDescription, CardHeader, CardTitle } from '@/components/ui/card';
 import { useRouter } from 'next/navigation';
-import { Checkbox } from '@/components/ui/checkbox';
 import { Minus } from 'lucide-react';
 import { Select, SelectContent, SelectItem, SelectTrigger, SelectValue } from '@/components/ui/select';
+import { Switch } from '@/components/ui/switch';
+import Link from 'next/link';
 
 interface CreateClientFormProps {
     action: (data: z.infer<typeof clientFormSchema>) => Promise<AxiosResponse<OAuth2Client, any>>;
@@ -200,8 +201,7 @@ export function CreateClientForm({ action }: CreateClientFormProps) {
                                             </FormDescription>
                                         </div>
                                         <FormControl>
-                                            {/* TODO: change to switch */}
-                                            <Checkbox
+                                            <Switch
                                                 checked={field.value}
                                                 onCheckedChange={field.onChange}
                                             />
@@ -238,7 +238,9 @@ export function CreateClientForm({ action }: CreateClientFormProps) {
                                                     <FormLabel>Policy URI</FormLabel>
                                                     <FormControl>
                                                         <Input
-                                                            placeholder="https://myapp.example/privacy_policy" {...field} />
+                                                            placeholder="https://myapp.example/privacy_policy"
+                                                            {...field}
+                                                        />
                                                     </FormControl>
                                                     <FormDescription>
                                                         A URL string pointing to a human-readable
diff --git a/dashboard/src/components/ui/switch.tsx b/dashboard/src/components/ui/switch.tsx
new file mode 100644
index 0000000..4c01734
--- /dev/null
+++ b/dashboard/src/components/ui/switch.tsx
@@ -0,0 +1,29 @@
+'use client';
+
+import * as React from 'react';
+import * as SwitchPrimitives from '@radix-ui/react-switch';
+
+import { cn } from '@/lib/utils';
+
+const Switch = React.forwardRef<
+    React.ElementRef<typeof SwitchPrimitives.Root>,
+    React.ComponentPropsWithoutRef<typeof SwitchPrimitives.Root>
+>(({ className, ...props }, ref) => (
+    <SwitchPrimitives.Root
+        className={cn(
+            'peer inline-flex h-6 w-11 shrink-0 cursor-pointer items-center rounded-full border-2 border-transparent transition-colors focus-visible:outline-none focus-visible:ring-2 focus-visible:ring-ring focus-visible:ring-offset-2 focus-visible:ring-offset-background disabled:cursor-not-allowed disabled:opacity-50 data-[state=checked]:bg-primary data-[state=unchecked]:bg-input',
+            className,
+        )}
+        {...props}
+        ref={ref}
+    >
+        <SwitchPrimitives.Thumb
+            className={cn(
+                'pointer-events-none block h-5 w-5 rounded-full bg-background shadow-lg ring-0 transition-transform data-[state=checked]:translate-x-5 data-[state=unchecked]:translate-x-0',
+            )}
+        />
+    </SwitchPrimitives.Root>
+));
+Switch.displayName = SwitchPrimitives.Root.displayName;
+
+export { Switch };

From 8c1e38efda272f443376ed412d8fcba44f047d30 Mon Sep 17 00:00:00 2001
From: Markus Thielker <mail.markus.thielker@gmail.com>
Date: Tue, 25 Feb 2025 17:15:23 +0100
Subject: [PATCH 11/58] NORY-46: move form description above input

---
 .../src/components/forms/client-form.tsx      | 54 +++++++++----------
 1 file changed, 25 insertions(+), 29 deletions(-)

diff --git a/dashboard/src/components/forms/client-form.tsx b/dashboard/src/components/forms/client-form.tsx
index 76ff0c8..4ef7693 100644
--- a/dashboard/src/components/forms/client-form.tsx
+++ b/dashboard/src/components/forms/client-form.tsx
@@ -106,14 +106,13 @@ export function CreateClientForm({ action }: CreateClientFormProps) {
                                 render={({ field }) => (
                                     <FormItem>
                                         <FormLabel>Client Name</FormLabel>
+                                        <FormDescription>
+                                            The human-readable name of the client to be presented to the end-user during
+                                            authorization.
+                                        </FormDescription>
                                         <FormControl>
                                             <Input placeholder="ACME INC SSO" {...field} />
                                         </FormControl>
-                                        <FormDescription>
-                                            The human-readable name of the client to be presented to the end-user
-                                            during
-                                            authorization.
-                                        </FormDescription>
                                         <FormMessage/>
                                     </FormItem>
                                 )}
@@ -124,17 +123,14 @@ export function CreateClientForm({ action }: CreateClientFormProps) {
                                 render={({ field }) => (
                                     <FormItem>
                                         <FormLabel>Scopes</FormLabel>
+                                        <FormDescription>
+                                            Scope is a string containing a space-separated list of scope values (as
+                                            described in Section 3.3 of OAuth 2.0 [RFC6749]) that the client can use
+                                            when requesting access tokens.
+                                        </FormDescription>
                                         <FormControl>
                                             <Input placeholder="post:read post:write user:read" {...field} />
                                         </FormControl>
-                                        <FormDescription>
-                                            Scope is a string containing a space-separated list of scope values (as
-                                            described in
-                                            Section 3.3 of OAuth 2.0 [RFC6749]) that the client can use when
-                                            requesting
-                                            access
-                                            tokens.
-                                        </FormDescription>
                                         <FormMessage/>
                                     </FormItem>
                                 )}
@@ -218,13 +214,13 @@ export function CreateClientForm({ action }: CreateClientFormProps) {
                                             render={({ field }) => (
                                                 <FormItem>
                                                     <FormLabel>Logo URI</FormLabel>
+                                                    <FormDescription>
+                                                        A URL string referencing the client's logo.
+                                                    </FormDescription>
                                                     <FormControl>
                                                         <Input
                                                             placeholder="https://myapp.example/logo.png" {...field} />
                                                     </FormControl>
-                                                    <FormDescription>
-                                                        A URL string referencing the client's logo.
-                                                    </FormDescription>
                                                     <FormMessage/>
                                                 </FormItem>
                                             )}
@@ -236,18 +232,18 @@ export function CreateClientForm({ action }: CreateClientFormProps) {
                                             render={({ field }) => (
                                                 <FormItem>
                                                     <FormLabel>Policy URI</FormLabel>
+                                                    <FormDescription>
+                                                        A URL string pointing to a human-readable privacy policy
+                                                        document
+                                                        for the client that describes how the deployment organization
+                                                        collects, uses, retains, and discloses personal data.
+                                                    </FormDescription>
                                                     <FormControl>
                                                         <Input
                                                             placeholder="https://myapp.example/privacy_policy"
                                                             {...field}
                                                         />
                                                     </FormControl>
-                                                    <FormDescription>
-                                                        A URL string pointing to a human-readable
-                                                        privacy policy document for the client that describes how the
-                                                        deployment organization collects, uses, retains, and discloses
-                                                        personal data.
-                                                    </FormDescription>
                                                     <FormMessage/>
                                                 </FormItem>
                                             )}
@@ -259,16 +255,16 @@ export function CreateClientForm({ action }: CreateClientFormProps) {
                                             render={({ field }) => (
                                                 <FormItem>
                                                     <FormLabel>Terms URI</FormLabel>
-                                                    <FormControl>
-                                                        <Input
-                                                            placeholder="https://myapp.example/terms_of_service" {...field} />
-                                                    </FormControl>
                                                     <FormDescription>
                                                         A URL string pointing to a human-readable terms of service
                                                         document for the client that describes a contractual
                                                         relationship between the end-user and the client that the
                                                         end-user accepts when authorizing the client.
                                                     </FormDescription>
+                                                    <FormControl>
+                                                        <Input
+                                                            placeholder="https://myapp.example/terms_of_service" {...field} />
+                                                    </FormControl>
                                                     <FormMessage/>
                                                 </FormItem>
                                             )}
@@ -280,12 +276,12 @@ export function CreateClientForm({ action }: CreateClientFormProps) {
                                             render={({ field }) => (
                                                 <FormItem>
                                                     <FormLabel>Owner</FormLabel>
-                                                    <FormControl>
-                                                        <Input placeholder="ACME INC" {...field} />
-                                                    </FormControl>
                                                     <FormDescription>
                                                         Owner is a string identifying the owner of the OAuth 2.0 Client.
                                                     </FormDescription>
+                                                    <FormControl>
+                                                        <Input placeholder="ACME INC" {...field} />
+                                                    </FormControl>
                                                     <FormMessage/>
                                                 </FormItem>
                                             )}

From 2bdf7c5c4e5ea88f1da85bc71a4a6f2d9ff08f6f Mon Sep 17 00:00:00 2001
From: Markus Thielker <mail.markus.thielker@gmail.com>
Date: Tue, 25 Feb 2025 17:23:14 +0100
Subject: [PATCH 12/58] NORY-46: add 'OpenID Connect logout' section

---
 .../src/components/forms/client-form.tsx      | 191 ++++++++++++++++++
 dashboard/src/lib/forms/client-form.ts        |   7 +-
 2 files changed, 197 insertions(+), 1 deletion(-)

diff --git a/dashboard/src/components/forms/client-form.tsx b/dashboard/src/components/forms/client-form.tsx
index 4ef7693..fc5d6be 100644
--- a/dashboard/src/components/forms/client-form.tsx
+++ b/dashboard/src/components/forms/client-form.tsx
@@ -25,7 +25,9 @@ interface CreateClientFormProps {
 export function CreateClientForm({ action }: CreateClientFormProps) {
 
     const router = useRouter();
+
     const [redirectUris, setRedirectUris] = useState<string[]>(['']);
+    const [postLogoutRedirectUris, setPostLogoutRedirectUris] = useState<string[]>(['']);
 
     const form = useForm<z.infer<typeof clientFormSchema>>({
         resolver: zodResolver(clientFormSchema),
@@ -62,12 +64,22 @@ export function CreateClientForm({ action }: CreateClientFormProps) {
         setRedirectUris([...redirectUris, '']);
     };
 
+    const addPostLogoutRedirectUri = () => {
+        setPostLogoutRedirectUris([...postLogoutRedirectUris, '']);
+    };
+
     const removeRedirectUri = (index: number) => {
         const updatedRedirectUris = redirectUris.filter((_, i) => i !== index);
         setRedirectUris(updatedRedirectUris);
         form.setValue('redirect_uris', updatedRedirectUris);
     };
 
+    const removePostLogoutRedirectUri = (index: number) => {
+        const updatedPostLogoutRedirectUris = postLogoutRedirectUris.filter((_, i) => i !== index);
+        setPostLogoutRedirectUris(postLogoutRedirectUris);
+        form.setValue('post_logout_redirect_uris', updatedPostLogoutRedirectUris);
+    };
+
     const handleInputChange = (index: number, event: any) => {
         const updatedRedirectUris = [...redirectUris];
         updatedRedirectUris[index] = event.target.value;
@@ -75,6 +87,13 @@ export function CreateClientForm({ action }: CreateClientFormProps) {
         form.setValue('redirect_uris', updatedRedirectUris);
     };
 
+    const handlePostLogoutInputChange = (index: number, event: any) => {
+        const updatedPostLogoutRedirectUris = [...postLogoutRedirectUris];
+        updatedPostLogoutRedirectUris[index] = event.target.value;
+        setPostLogoutRedirectUris(updatedPostLogoutRedirectUris);
+        form.setValue('post_logout_redirect_uris', updatedPostLogoutRedirectUris);
+    };
+
     return (
         <>
             {
@@ -384,6 +403,178 @@ export function CreateClientForm({ action }: CreateClientFormProps) {
                         </CardContent>
                     </Card>
 
+                    <Card>
+                        <CardHeader>
+                            <CardTitle>
+                                OpenID Connect logout
+                            </CardTitle>
+                            <CardDescription>
+                                Get more information about using front and backchannels here&nbsp;
+                                <Button variant="link" className="p-0" asChild>
+                                    <Link target="_blank"
+                                          href="https://www.ory.sh/docs/oauth2-oidc/oidc-logout#openid-connect-front-channel-logout-10">
+                                        documentation
+                                    </Link>
+                                </Button>.
+                            </CardDescription>
+                        </CardHeader>
+                        <CardContent className="space-y-4">
+                            <FormField
+                                control={form.control}
+                                name="frontchannel_logout_session_required"
+                                render={({ field }) => (
+                                    <FormItem className="flex flex-row items-center justify-between rounded-lg">
+                                        <div className="space-y-0.5">
+                                            <FormLabel className="text-base">
+                                                Frontchannel Logout Session Required
+                                            </FormLabel>
+                                            <FormDescription>
+                                                Boolean value specifying whether the Relay Party (RP) requires that
+                                                issuer and session ID query parameters be included to identify the RP
+                                                session with the OpenID provider (OP) when the Frontchannel Logout URI
+                                                is used. The default value is false.
+                                            </FormDescription>
+                                        </div>
+                                        <FormControl>
+                                            <Switch
+                                                checked={field.value}
+                                                onCheckedChange={field.onChange}
+                                            />
+                                        </FormControl>
+                                    </FormItem>
+                                )}
+                            />
+                            <FormField
+                                control={form.control}
+                                name="frontchannel_logout_uri"
+                                render={({ field }) => (
+                                    <FormItem>
+                                        <FormLabel>Frontchannel Logout URI</FormLabel>
+                                        <FormDescription>
+                                            URL that will cause the Relying Party (RP) to log itself out when rendered
+                                            in an iframe by the OpenID provider (OP). An issuer query parameter and a
+                                            session ID query parameter MAY be included by the OpenID provider (OP) to
+                                            enable the Relying Party (RP) to validate the request and to determine which
+                                            of the potentially multiple sessions is to be logged out; if either is
+                                            included, both MUST be.
+                                        </FormDescription>
+                                        <FormControl>
+                                            <Input placeholder="https://" {...field} />
+                                        </FormControl>
+                                        <FormMessage/>
+                                    </FormItem>
+                                )}
+                            />
+                            <FormField
+                                control={form.control}
+                                name="backchannel_logout_session_required"
+                                render={({ field }) => (
+                                    <FormItem className="flex flex-row items-center justify-between rounded-lg">
+                                        <div className="space-y-0.5">
+                                            <FormLabel className="text-base">
+                                                Backchannel Logout Session Required
+                                            </FormLabel>
+                                            <FormDescription>
+                                                Boolean value specifying whether the Relying Party (RP) requires that a
+                                                session ID Claim be included in the Logout Token to identify the Relying
+                                                Party session with the OpenID provider (OP) when the Backchannel Logout
+                                                URI is used. If omitted, the default value is false.
+                                            </FormDescription>
+                                        </div>
+                                        <FormControl>
+                                            <Switch
+                                                checked={field.value}
+                                                onCheckedChange={field.onChange}
+                                            />
+                                        </FormControl>
+                                    </FormItem>
+                                )}
+                            />
+                            <FormField
+                                control={form.control}
+                                name="backchannel_logout_uri"
+                                render={({ field }) => (
+                                    <FormItem>
+                                        <FormLabel>Backchannel Logout URI</FormLabel>
+                                        <FormDescription>
+                                            URL that will cause the Relying Party (RP) to log itself out when rendered
+                                            in an iframe by the OpenID provider (OP). An issuer query parameter and a
+                                            session ID query parameter MAY be included by the OpenID provider (OP) to
+                                            enable the Relying Party (RP) to validate the request and to determine which
+                                            of the potentially multiple sessions is to be logged out; if either is
+                                            included, both MUST be.
+                                        </FormDescription>
+                                        <FormControl>
+                                            <Input placeholder="https://" {...field} />
+                                        </FormControl>
+                                        <FormMessage/>
+                                    </FormItem>
+                                )}
+                            />
+                            <FormField
+                                control={form.control}
+                                name="skip_logout_consent"
+                                render={({ field }) => (
+                                    <FormItem className="flex flex-row items-center justify-between rounded-lg">
+                                        <div className="space-y-0.5">
+                                            <FormLabel className="text-base">
+                                                Skip logout consent
+                                            </FormLabel>
+                                            <FormDescription>
+                                                Boolean value specifying whether the additional logout consent screen
+                                                should be skipped.
+                                            </FormDescription>
+                                        </div>
+                                        <FormControl>
+                                            <Switch
+                                                checked={field.value}
+                                                onCheckedChange={field.onChange}
+                                            />
+                                        </FormControl>
+                                    </FormItem>
+                                )}
+                            />
+                            {postLogoutRedirectUris.map((uri, index) => (
+                                <div key={index} className="mb-4">
+                                    <FormItem>
+                                        <FormLabel htmlFor={`post_logout_redirect_uri-${index}`}>
+                                            Post Logout Redirect URI {index + 1}</FormLabel>
+                                        <FormControl>
+                                            <div className="relative">
+                                                <Input
+                                                    type="text"
+                                                    id={`post_logout_redirect_uri-${index}`}
+                                                    value={uri}
+                                                    placeholder="https://"
+                                                    className="pr-10"
+                                                    {...form.register(`post_logout_redirect_uris.${index}`)}
+                                                    onChange={(event) => handlePostLogoutInputChange(index, event)}
+                                                />
+                                                {postLogoutRedirectUris.length > 1 && (
+                                                    <Button
+                                                        type="button"
+                                                        size="icon"
+                                                        variant="destructive"
+                                                        className="absolute inset-y-0 right-0 rounded-l-none"
+                                                        onClick={() => removePostLogoutRedirectUri(index)}>
+                                                        <Minus/>
+                                                    </Button>
+                                                )}
+                                            </div>
+                                        </FormControl>
+                                        {form.formState.errors?.post_logout_redirect_uris && form.formState.errors.post_logout_redirect_uris[index] && (
+                                            <FormMessage>{form.formState.errors.post_logout_redirect_uris[index].message}</FormMessage>
+                                        )}
+                                    </FormItem>
+                                </div>
+                            ))}
+
+                            <Button type="button" onClick={addPostLogoutRedirectUri}>
+                                Add Post Logout Redirect URI
+                            </Button>
+                        </CardContent>
+                    </Card>
+
                     <div className="space-x-2">
                         <Button type="button" variant="outline" onClick={() => {
                             router.back();
diff --git a/dashboard/src/lib/forms/client-form.ts b/dashboard/src/lib/forms/client-form.ts
index a924c69..ea3814e 100644
--- a/dashboard/src/lib/forms/client-form.ts
+++ b/dashboard/src/lib/forms/client-form.ts
@@ -13,5 +13,10 @@ export const clientFormSchema = z.object({
     grant_types: z.array(z.string()),
     response_types: z.array(z.string()),
     token_endpoint_auth_method: z.string(),
-
+    backchannel_logout_session_required: z.boolean().default(false),
+    backchannel_logout_uri: z.string().url(),
+    frontchannel_logout_session_required: z.boolean().default(false),
+    frontchannel_logout_uri: z.string().url(),
+    skip_logout_consent: z.boolean().default(false),
+    post_logout_redirect_uris: z.array(z.string().url({ message: 'Invalid URL' })).min(1, { message: 'At least one redirect URI is required' }),
 });

From b2ce32a07659f978f924700d6f641bf8c9fda55c Mon Sep 17 00:00:00 2001
From: Markus Thielker <hey@thielker.dev>
Date: Tue, 1 Apr 2025 14:42:50 +0200
Subject: [PATCH 13/58] NORY-59: fix database relations file

---
 dashboard/drizzle/relations.ts | 318 ++++++++++++++++-----------------
 1 file changed, 159 insertions(+), 159 deletions(-)

diff --git a/dashboard/drizzle/relations.ts b/dashboard/drizzle/relations.ts
index 615b353..47aff7f 100644
--- a/dashboard/drizzle/relations.ts
+++ b/dashboard/drizzle/relations.ts
@@ -1,334 +1,334 @@
 import { relations } from 'drizzle-orm/relations';
 import {
-	continuityContainers,
-	courierMessageDispatches,
-	courierMessages,
+	continuity_containers,
+	courier_message_dispatches,
+	courier_messages,
 	identities,
-	identityCredentialIdentifiers,
-	identityCredentials,
-	identityCredentialTypes,
-	identityLoginCodes,
-	identityRecoveryAddresses,
-	identityRecoveryCodes,
-	identityRecoveryTokens,
-	identityRegistrationCodes,
-	identityVerifiableAddresses,
-	identityVerificationCodes,
-	identityVerificationTokens,
+	identity_credential_identifiers,
+	identity_credential_types,
+	identity_credentials,
+	identity_login_codes,
+	identity_recovery_addresses,
+	identity_recovery_codes,
+	identity_recovery_tokens,
+	identity_registration_codes,
+	identity_verifiable_addresses,
+	identity_verification_codes,
+	identity_verification_tokens,
 	networks,
-	selfserviceErrors,
-	selfserviceLoginFlows,
-	selfserviceRecoveryFlows,
-	selfserviceRegistrationFlows,
-	selfserviceSettingsFlows,
-	selfserviceVerificationFlows,
-	sessionDevices,
+	selfservice_errors,
+	selfservice_login_flows,
+	selfservice_recovery_flows,
+	selfservice_registration_flows,
+	selfservice_settings_flows,
+	selfservice_verification_flows,
+	session_devices,
 	sessions,
 } from './schema';
 
-export const identityCredentialsRelations = relations(identityCredentials, ({ one, many }) => ({
+export const identityCredentialsRelations = relations(identity_credentials, ({ one, many }) => ({
 	identity: one(identities, {
-		fields: [identityCredentials.identityId],
+		fields: [identity_credentials.identity_id],
 		references: [identities.id],
 	}),
-	identityCredentialType: one(identityCredentialTypes, {
-		fields: [identityCredentials.identityCredentialTypeId],
-		references: [identityCredentialTypes.id],
+	identityCredentialType: one(identity_credential_types, {
+		fields: [identity_credentials.identity_credential_type_id],
+		references: [identity_credential_types.id],
 	}),
 	network: one(networks, {
-		fields: [identityCredentials.nid],
+		fields: [identity_credentials.nid],
 		references: [networks.id],
 	}),
-	identityCredentialIdentifiers: many(identityCredentialIdentifiers),
+	identityCredentialIdentifiers: many(identity_credential_identifiers),
 }));
 
 export const identitiesRelations = relations(identities, ({ one, many }) => ({
-	identityCredentials: many(identityCredentials),
+	identityCredentials: many(identity_credentials),
 	network: one(networks, {
 		fields: [identities.nid],
 		references: [networks.id],
 	}),
-	identityVerifiableAddresses: many(identityVerifiableAddresses),
-	selfserviceSettingsFlows: many(selfserviceSettingsFlows),
-	continuityContainers: many(continuityContainers),
+	identityVerifiableAddresses: many(identity_verifiable_addresses),
+	selfserviceSettingsFlows: many(selfservice_settings_flows),
+	continuityContainers: many(continuity_containers),
 	sessions: many(sessions),
-	identityRecoveryAddresses: many(identityRecoveryAddresses),
-	selfserviceRecoveryFlows: many(selfserviceRecoveryFlows),
-	identityRecoveryTokens: many(identityRecoveryTokens),
-	identityRecoveryCodes: many(identityRecoveryCodes),
-	identityLoginCodes: many(identityLoginCodes),
+	identityRecoveryAddresses: many(identity_recovery_addresses),
+	selfserviceRecoveryFlows: many(selfservice_recovery_flows),
+	identityRecoveryTokens: many(identity_recovery_tokens),
+	identityRecoveryCodes: many(identity_recovery_codes),
+	identityLoginCodes: many(identity_login_codes),
 }));
 
-export const identityCredentialTypesRelations = relations(identityCredentialTypes, ({ many }) => ({
-	identityCredentials: many(identityCredentials),
-	identityCredentialIdentifiers: many(identityCredentialIdentifiers),
+export const identityCredentialTypesRelations = relations(identity_credential_types, ({ many }) => ({
+	identityCredentials: many(identity_credentials),
+	identityCredentialIdentifiers: many(identity_credential_identifiers),
 }));
 
 export const networksRelations = relations(networks, ({ many }) => ({
-	identityCredentials: many(identityCredentials),
-	selfserviceLoginFlows: many(selfserviceLoginFlows),
-	selfserviceRegistrationFlows: many(selfserviceRegistrationFlows),
+	identityCredentials: many(identity_credentials),
+	selfserviceLoginFlows: many(selfservice_login_flows),
+	selfserviceRegistrationFlows: many(selfservice_registration_flows),
 	identities: many(identities),
-	identityCredentialIdentifiers: many(identityCredentialIdentifiers),
-	identityVerifiableAddresses: many(identityVerifiableAddresses),
-	courierMessages: many(courierMessages),
-	selfserviceErrors: many(selfserviceErrors),
-	selfserviceVerificationFlows: many(selfserviceVerificationFlows),
-	selfserviceSettingsFlows: many(selfserviceSettingsFlows),
-	continuityContainers: many(continuityContainers),
+	identityCredentialIdentifiers: many(identity_credential_identifiers),
+	identityVerifiableAddresses: many(identity_verifiable_addresses),
+	courierMessages: many(courier_messages),
+	selfserviceErrors: many(selfservice_errors),
+	selfserviceVerificationFlows: many(selfservice_verification_flows),
+	selfserviceSettingsFlows: many(selfservice_settings_flows),
+	continuityContainers: many(continuity_containers),
 	sessions: many(sessions),
-	identityRecoveryAddresses: many(identityRecoveryAddresses),
-	identityVerificationTokens: many(identityVerificationTokens),
-	selfserviceRecoveryFlows: many(selfserviceRecoveryFlows),
-	identityRecoveryTokens: many(identityRecoveryTokens),
-	identityRecoveryCodes: many(identityRecoveryCodes),
-	sessionDevices: many(sessionDevices),
-	identityVerificationCodes: many(identityVerificationCodes),
-	courierMessageDispatches: many(courierMessageDispatches),
-	identityLoginCodes: many(identityLoginCodes),
-	identityRegistrationCodes: many(identityRegistrationCodes),
+	identityRecoveryAddresses: many(identity_recovery_addresses),
+	identityVerificationTokens: many(identity_verification_tokens),
+	selfserviceRecoveryFlows: many(selfservice_recovery_flows),
+	identityRecoveryTokens: many(identity_recovery_tokens),
+	identityRecoveryCodes: many(identity_recovery_codes),
+	sessionDevices: many(session_devices),
+	identityVerificationCodes: many(identity_verification_codes),
+	courierMessageDispatches: many(courier_message_dispatches),
+	identityLoginCodes: many(identity_login_codes),
+	identityRegistrationCodes: many(identity_registration_codes),
 }));
 
-export const selfserviceLoginFlowsRelations = relations(selfserviceLoginFlows, ({ one, many }) => ({
+export const selfserviceLoginFlowsRelations = relations(selfservice_login_flows, ({ one, many }) => ({
 	network: one(networks, {
-		fields: [selfserviceLoginFlows.nid],
+		fields: [selfservice_login_flows.nid],
 		references: [networks.id],
 	}),
-	identityLoginCodes: many(identityLoginCodes),
+	identityLoginCodes: many(identity_login_codes),
 }));
 
-export const selfserviceRegistrationFlowsRelations = relations(selfserviceRegistrationFlows, ({ one, many }) => ({
+export const selfserviceRegistrationFlowsRelations = relations(selfservice_registration_flows, ({ one, many }) => ({
 	network: one(networks, {
-		fields: [selfserviceRegistrationFlows.nid],
+		fields: [selfservice_registration_flows.nid],
 		references: [networks.id],
 	}),
-	identityRegistrationCodes: many(identityRegistrationCodes),
+	identityRegistrationCodes: many(identity_registration_codes),
 }));
 
-export const identityCredentialIdentifiersRelations = relations(identityCredentialIdentifiers, ({ one }) => ({
-	identityCredential: one(identityCredentials, {
-		fields: [identityCredentialIdentifiers.identityCredentialId],
-		references: [identityCredentials.id],
+export const identityCredentialIdentifiersRelations = relations(identity_credential_identifiers, ({ one }) => ({
+	identityCredential: one(identity_credentials, {
+		fields: [identity_credential_identifiers.identity_credential_id],
+		references: [identity_credentials.id],
 	}),
 	network: one(networks, {
-		fields: [identityCredentialIdentifiers.nid],
+		fields: [identity_credential_identifiers.nid],
 		references: [networks.id],
 	}),
-	identityCredentialType: one(identityCredentialTypes, {
-		fields: [identityCredentialIdentifiers.identityCredentialTypeId],
-		references: [identityCredentialTypes.id],
+	identityCredentialType: one(identity_credential_types, {
+		fields: [identity_credential_identifiers.identity_credential_type_id],
+		references: [identity_credential_types.id],
 	}),
 }));
 
-export const identityVerifiableAddressesRelations = relations(identityVerifiableAddresses, ({ one, many }) => ({
+export const identityVerifiableAddressesRelations = relations(identity_verifiable_addresses, ({ one, many }) => ({
 	identity: one(identities, {
-		fields: [identityVerifiableAddresses.identityId],
+		fields: [identity_verifiable_addresses.identity_id],
 		references: [identities.id],
 	}),
 	network: one(networks, {
-		fields: [identityVerifiableAddresses.nid],
+		fields: [identity_verifiable_addresses.nid],
 		references: [networks.id],
 	}),
-	identityVerificationTokens: many(identityVerificationTokens),
-	identityVerificationCodes: many(identityVerificationCodes),
+	identityVerificationTokens: many(identity_verification_tokens),
+	identityVerificationCodes: many(identity_verification_codes),
 }));
 
-export const courierMessagesRelations = relations(courierMessages, ({ one, many }) => ({
+export const courierMessagesRelations = relations(courier_messages, ({ one, many }) => ({
 	network: one(networks, {
-		fields: [courierMessages.nid],
+		fields: [courier_messages.nid],
 		references: [networks.id],
 	}),
-	courierMessageDispatches: many(courierMessageDispatches),
+	courierMessageDispatches: many(courier_message_dispatches),
 }));
 
-export const selfserviceErrorsRelations = relations(selfserviceErrors, ({ one }) => ({
+export const selfserviceErrorsRelations = relations(selfservice_errors, ({ one }) => ({
 	network: one(networks, {
-		fields: [selfserviceErrors.nid],
+		fields: [selfservice_errors.nid],
 		references: [networks.id],
 	}),
 }));
 
-export const selfserviceVerificationFlowsRelations = relations(selfserviceVerificationFlows, ({ one, many }) => ({
+export const selfserviceVerificationFlowsRelations = relations(selfservice_verification_flows, ({ one, many }) => ({
 	network: one(networks, {
-		fields: [selfserviceVerificationFlows.nid],
+		fields: [selfservice_verification_flows.nid],
 		references: [networks.id],
 	}),
-	identityVerificationTokens: many(identityVerificationTokens),
-	identityVerificationCodes: many(identityVerificationCodes),
+	identityVerificationTokens: many(identity_verification_tokens),
+	identityVerificationCodes: many(identity_verification_codes),
 }));
 
-export const selfserviceSettingsFlowsRelations = relations(selfserviceSettingsFlows, ({ one }) => ({
+export const selfserviceSettingsFlowsRelations = relations(selfservice_settings_flows, ({ one }) => ({
 	identity: one(identities, {
-		fields: [selfserviceSettingsFlows.identityId],
+		fields: [selfservice_settings_flows.identity_id],
 		references: [identities.id],
 	}),
 	network: one(networks, {
-		fields: [selfserviceSettingsFlows.nid],
+		fields: [selfservice_settings_flows.nid],
 		references: [networks.id],
 	}),
 }));
 
-export const continuityContainersRelations = relations(continuityContainers, ({ one }) => ({
+export const continuityContainersRelations = relations(continuity_containers, ({ one }) => ({
 	identity: one(identities, {
-		fields: [continuityContainers.identityId],
+		fields: [continuity_containers.identity_id],
 		references: [identities.id],
 	}),
 	network: one(networks, {
-		fields: [continuityContainers.nid],
+		fields: [continuity_containers.nid],
 		references: [networks.id],
 	}),
 }));
 
 export const sessionsRelations = relations(sessions, ({ one, many }) => ({
 	identity: one(identities, {
-		fields: [sessions.identityId],
+		fields: [sessions.identity_id],
 		references: [identities.id],
 	}),
 	network: one(networks, {
 		fields: [sessions.nid],
 		references: [networks.id],
 	}),
-	sessionDevices: many(sessionDevices),
+	sessionDevices: many(session_devices),
 }));
 
-export const identityRecoveryAddressesRelations = relations(identityRecoveryAddresses, ({ one, many }) => ({
+export const identityRecoveryAddressesRelations = relations(identity_recovery_addresses, ({ one, many }) => ({
 	identity: one(identities, {
-		fields: [identityRecoveryAddresses.identityId],
+		fields: [identity_recovery_addresses.identity_id],
 		references: [identities.id],
 	}),
 	network: one(networks, {
-		fields: [identityRecoveryAddresses.nid],
+		fields: [identity_recovery_addresses.nid],
 		references: [networks.id],
 	}),
-	identityRecoveryTokens: many(identityRecoveryTokens),
-	identityRecoveryCodes: many(identityRecoveryCodes),
+	identityRecoveryTokens: many(identity_recovery_tokens),
+	identityRecoveryCodes: many(identity_recovery_codes),
 }));
 
-export const identityVerificationTokensRelations = relations(identityVerificationTokens, ({ one }) => ({
-	identityVerifiableAddress: one(identityVerifiableAddresses, {
-		fields: [identityVerificationTokens.identityVerifiableAddressId],
-		references: [identityVerifiableAddresses.id],
+export const identityVerificationTokensRelations = relations(identity_verification_tokens, ({ one }) => ({
+	identityVerifiableAddress: one(identity_verifiable_addresses, {
+		fields: [identity_verification_tokens.identity_verifiable_address_id],
+		references: [identity_verifiable_addresses.id],
 	}),
-	selfserviceVerificationFlow: one(selfserviceVerificationFlows, {
-		fields: [identityVerificationTokens.selfserviceVerificationFlowId],
-		references: [selfserviceVerificationFlows.id],
+	selfserviceVerificationFlow: one(selfservice_verification_flows, {
+		fields: [identity_verification_tokens.selfservice_verification_flow_id],
+		references: [selfservice_verification_flows.id],
 	}),
 	network: one(networks, {
-		fields: [identityVerificationTokens.nid],
+		fields: [identity_verification_tokens.nid],
 		references: [networks.id],
 	}),
 }));
 
-export const selfserviceRecoveryFlowsRelations = relations(selfserviceRecoveryFlows, ({ one, many }) => ({
+export const selfserviceRecoveryFlowsRelations = relations(selfservice_recovery_flows, ({ one, many }) => ({
 	identity: one(identities, {
-		fields: [selfserviceRecoveryFlows.recoveredIdentityId],
+		fields: [selfservice_recovery_flows.recovered_identity_id],
 		references: [identities.id],
 	}),
 	network: one(networks, {
-		fields: [selfserviceRecoveryFlows.nid],
+		fields: [selfservice_recovery_flows.nid],
 		references: [networks.id],
 	}),
-	identityRecoveryTokens: many(identityRecoveryTokens),
-	identityRecoveryCodes: many(identityRecoveryCodes),
+	identityRecoveryTokens: many(identity_recovery_tokens),
+	identityRecoveryCodes: many(identity_recovery_codes),
 }));
 
-export const identityRecoveryTokensRelations = relations(identityRecoveryTokens, ({ one }) => ({
-	selfserviceRecoveryFlow: one(selfserviceRecoveryFlows, {
-		fields: [identityRecoveryTokens.selfserviceRecoveryFlowId],
-		references: [selfserviceRecoveryFlows.id],
+export const identityRecoveryTokensRelations = relations(identity_recovery_tokens, ({ one }) => ({
+	selfserviceRecoveryFlow: one(selfservice_recovery_flows, {
+		fields: [identity_recovery_tokens.selfservice_recovery_flow_id],
+		references: [selfservice_recovery_flows.id],
 	}),
 	network: one(networks, {
-		fields: [identityRecoveryTokens.nid],
+		fields: [identity_recovery_tokens.nid],
 		references: [networks.id],
 	}),
-	identityRecoveryAddress: one(identityRecoveryAddresses, {
-		fields: [identityRecoveryTokens.identityRecoveryAddressId],
-		references: [identityRecoveryAddresses.id],
+	identityRecoveryAddress: one(identity_recovery_addresses, {
+		fields: [identity_recovery_tokens.identity_recovery_address_id],
+		references: [identity_recovery_addresses.id],
 	}),
 	identity: one(identities, {
-		fields: [identityRecoveryTokens.identityId],
+		fields: [identity_recovery_tokens.identity_id],
 		references: [identities.id],
 	}),
 }));
 
-export const identityRecoveryCodesRelations = relations(identityRecoveryCodes, ({ one }) => ({
-	identityRecoveryAddress: one(identityRecoveryAddresses, {
-		fields: [identityRecoveryCodes.identityRecoveryAddressId],
-		references: [identityRecoveryAddresses.id],
+export const identityRecoveryCodesRelations = relations(identity_recovery_codes, ({ one }) => ({
+	identityRecoveryAddress: one(identity_recovery_addresses, {
+		fields: [identity_recovery_codes.identity_recovery_address_id],
+		references: [identity_recovery_addresses.id],
 	}),
-	selfserviceRecoveryFlow: one(selfserviceRecoveryFlows, {
-		fields: [identityRecoveryCodes.selfserviceRecoveryFlowId],
-		references: [selfserviceRecoveryFlows.id],
+	selfserviceRecoveryFlow: one(selfservice_recovery_flows, {
+		fields: [identity_recovery_codes.selfservice_recovery_flow_id],
+		references: [selfservice_recovery_flows.id],
 	}),
 	identity: one(identities, {
-		fields: [identityRecoveryCodes.identityId],
+		fields: [identity_recovery_codes.identity_id],
 		references: [identities.id],
 	}),
 	network: one(networks, {
-		fields: [identityRecoveryCodes.nid],
+		fields: [identity_recovery_codes.nid],
 		references: [networks.id],
 	}),
 }));
 
-export const sessionDevicesRelations = relations(sessionDevices, ({ one }) => ({
+export const sessionDevicesRelations = relations(session_devices, ({ one }) => ({
 	session: one(sessions, {
-		fields: [sessionDevices.sessionId],
+		fields: [session_devices.session_id],
 		references: [sessions.id],
 	}),
 	network: one(networks, {
-		fields: [sessionDevices.nid],
+		fields: [session_devices.nid],
 		references: [networks.id],
 	}),
 }));
 
-export const identityVerificationCodesRelations = relations(identityVerificationCodes, ({ one }) => ({
-	identityVerifiableAddress: one(identityVerifiableAddresses, {
-		fields: [identityVerificationCodes.identityVerifiableAddressId],
-		references: [identityVerifiableAddresses.id],
+export const identityVerificationCodesRelations = relations(identity_verification_codes, ({ one }) => ({
+	identityVerifiableAddress: one(identity_verifiable_addresses, {
+		fields: [identity_verification_codes.identity_verifiable_address_id],
+		references: [identity_verifiable_addresses.id],
 	}),
-	selfserviceVerificationFlow: one(selfserviceVerificationFlows, {
-		fields: [identityVerificationCodes.selfserviceVerificationFlowId],
-		references: [selfserviceVerificationFlows.id],
+	selfserviceVerificationFlow: one(selfservice_verification_flows, {
+		fields: [identity_verification_codes.selfservice_verification_flow_id],
+		references: [selfservice_verification_flows.id],
 	}),
 	network: one(networks, {
-		fields: [identityVerificationCodes.nid],
+		fields: [identity_verification_codes.nid],
 		references: [networks.id],
 	}),
 }));
 
-export const courierMessageDispatchesRelations = relations(courierMessageDispatches, ({ one }) => ({
-	courierMessage: one(courierMessages, {
-		fields: [courierMessageDispatches.messageId],
-		references: [courierMessages.id],
+export const courierMessageDispatchesRelations = relations(courier_message_dispatches, ({ one }) => ({
+	courierMessage: one(courier_messages, {
+		fields: [courier_message_dispatches.message_id],
+		references: [courier_messages.id],
 	}),
 	network: one(networks, {
-		fields: [courierMessageDispatches.nid],
+		fields: [courier_message_dispatches.nid],
 		references: [networks.id],
 	}),
 }));
 
-export const identityLoginCodesRelations = relations(identityLoginCodes, ({ one }) => ({
-	selfserviceLoginFlow: one(selfserviceLoginFlows, {
-		fields: [identityLoginCodes.selfserviceLoginFlowId],
-		references: [selfserviceLoginFlows.id],
+export const identityLoginCodesRelations = relations(identity_login_codes, ({ one }) => ({
+	selfserviceLoginFlow: one(selfservice_login_flows, {
+		fields: [identity_login_codes.selfservice_login_flow_id],
+		references: [selfservice_login_flows.id],
 	}),
 	network: one(networks, {
-		fields: [identityLoginCodes.nid],
+		fields: [identity_login_codes.nid],
 		references: [networks.id],
 	}),
 	identity: one(identities, {
-		fields: [identityLoginCodes.identityId],
+		fields: [identity_login_codes.identity_id],
 		references: [identities.id],
 	}),
 }));
 
-export const identityRegistrationCodesRelations = relations(identityRegistrationCodes, ({ one }) => ({
-	selfserviceRegistrationFlow: one(selfserviceRegistrationFlows, {
-		fields: [identityRegistrationCodes.selfserviceRegistrationFlowId],
-		references: [selfserviceRegistrationFlows.id],
+export const identityRegistrationCodesRelations = relations(identity_registration_codes, ({ one }) => ({
+	selfserviceRegistrationFlow: one(selfservice_registration_flows, {
+		fields: [identity_registration_codes.selfservice_registration_flow_id],
+		references: [selfservice_registration_flows.id],
 	}),
 	network: one(networks, {
-		fields: [identityRegistrationCodes.nid],
+		fields: [identity_registration_codes.nid],
 		references: [networks.id],
 	}),
 }));
\ No newline at end of file

From 007098ca91ffbdd1b115d48b4a01d991ed2f67dc Mon Sep 17 00:00:00 2001
From: Markus Thielker <hey@thielker.dev>
Date: Fri, 4 Apr 2025 16:00:00 +0200
Subject: [PATCH 14/58] NORY-59: add new script to create Keto relationships

---
 docker/ory-dev/keto-add-permission-to-role.sh | 31 +++++++++++++++++++
 docker/ory-dev/keto-add-permission.sh         | 26 ++++++++++++++++
 docker/ory-dev/ory/keto/keto.yaml             |  2 ++
 3 files changed, 59 insertions(+)
 create mode 100644 docker/ory-dev/keto-add-permission-to-role.sh
 create mode 100644 docker/ory-dev/keto-add-permission.sh

diff --git a/docker/ory-dev/keto-add-permission-to-role.sh b/docker/ory-dev/keto-add-permission-to-role.sh
new file mode 100644
index 0000000..9a0f7fa
--- /dev/null
+++ b/docker/ory-dev/keto-add-permission-to-role.sh
@@ -0,0 +1,31 @@
+# this script gives the referenced identity the admin role
+# make sure to provide the id of the identity
+
+# check if a identity id argument was provided
+if [ $# -ne 4 ]; then
+  echo "Usage: $0 <object> <relation> <role> <role_relation>"
+  exit 1
+fi
+
+# set user id variable
+OBJECT=$1
+RELATION=$2
+ROLE=$3
+ROLE_RELATION=$4
+
+# execute curl to Ory Keto write endpoint
+curl --request PUT \
+  --url http://localhost:4467/admin/relation-tuples \
+  --data '{
+           "namespace": "permissions",
+           "object": "'"$OBJECT"'",
+           "relation": "'"$RELATION"'",
+           "subject_set": {
+              "namespace": "roles",
+              "object": "'"$ROLE"'",
+              "relation": "'"$ROLE_RELATION"'"
+           }
+         }'
+
+# write success response to terminal
+echo "Added relation Permissions:$OBJECT#$RELATION@(Roles:$ROLE#$RELATION)"
diff --git a/docker/ory-dev/keto-add-permission.sh b/docker/ory-dev/keto-add-permission.sh
new file mode 100644
index 0000000..5812ce3
--- /dev/null
+++ b/docker/ory-dev/keto-add-permission.sh
@@ -0,0 +1,26 @@
+# this script gives the referenced identity the provided permission
+# make sure to provide the id of the identity
+
+# check if a required arguments were provided
+if [ $# -ne 3 ]; then
+  echo "Usage: $0 <object> <relation> <identity_id>"
+  exit 1
+fi
+
+# set variables from input
+OBJECT=$1
+RELATION=$2
+IDENTITY_ID=$3
+
+# execute curl to Ory Keto write endpoint
+curl --request PUT \
+  --url http://localhost:4467/admin/relation-tuples \
+  --data '{
+           "namespace": "permissions",
+           "object": "'"$OBJECT"'",
+           "relation": "'"$RELATION"'",
+           "subject_id": "'"$IDENTITY_ID"'"
+         }'
+
+# write success response to terminal
+echo "Added permission $OBJECT#$RELATION@$IDENTITY_ID"
diff --git a/docker/ory-dev/ory/keto/keto.yaml b/docker/ory-dev/ory/keto/keto.yaml
index 21dad3d..2be94ad 100644
--- a/docker/ory-dev/ory/keto/keto.yaml
+++ b/docker/ory-dev/ory/keto/keto.yaml
@@ -22,6 +22,8 @@ dsn: postgres://postgres:postgres@ory-postgres:5432/keto?sslmode=disable&max_con
 namespaces:
   - id: 0
     name: roles
+  - id: 1
+    name: permissions
 
 serve:
   read:

From 7d7782a92cca885d2f70fe506a42803d33ec7565 Mon Sep 17 00:00:00 2001
From: Markus Thielker <hey@thielker.dev>
Date: Fri, 4 Apr 2025 16:20:32 +0200
Subject: [PATCH 15/58] NORY-59: add authentication and authorisation actions

---
 dashboard/src/lib/action/authentication.ts | 106 +++++++++++++++++++++
 1 file changed, 106 insertions(+)
 create mode 100644 dashboard/src/lib/action/authentication.ts

diff --git a/dashboard/src/lib/action/authentication.ts b/dashboard/src/lib/action/authentication.ts
new file mode 100644
index 0000000..d1d70e3
--- /dev/null
+++ b/dashboard/src/lib/action/authentication.ts
@@ -0,0 +1,106 @@
+'use server';
+
+import { getFrontendApi, getPermissionApi } from '@/ory/sdk/server';
+import { cookies } from 'next/headers';
+import { redirect } from 'next/navigation';
+
+export async function getSession() {
+
+    const cookie = await cookies();
+
+    const frontendApi = await getFrontendApi();
+
+    return frontendApi
+        .toSession({ cookie: 'ory_kratos_session=' + cookie.get('ory_kratos_session')?.value })
+        .then((response) => response.data)
+        .catch(() => null);
+}
+
+export async function requireSession() {
+
+    const session = await getSession();
+
+    if (!session) {
+
+        // TODO: set return_to dynamically
+        const url = process.env.NEXT_PUBLIC_AUTHENTICATION_NODE_URL +
+            '/flow/login?return_to=' + process.env.NEXT_PUBLIC_DASHBOARD_NODE_URL;
+
+        console.log('Intercepted request with missing session');
+        console.log('Redirecting client to: ', url);
+
+        redirect(url);
+    }
+
+    return session;
+}
+
+
+export async function checkRole(
+    object: string,
+    subjectId: string,
+) {
+
+    const permissionApi = await getPermissionApi();
+    return permissionApi.checkPermission({
+        namespace: 'roles',
+        object,
+        relation: 'member',
+        subjectId,
+    })
+        .then(({ data: { allowed } }) => allowed)
+        .catch(_ => false);
+}
+
+export async function requireRole(
+    object: string,
+    subjectId: string,
+) {
+
+    const hasRole = await checkRole(object, subjectId);
+
+    if (!hasRole) {
+        console.log(`Intercepted request with missing role ${object} for identity ${subjectId}`);
+        redirect('/unauthorised');
+    }
+
+    return hasRole;
+}
+
+
+export async function checkPermission(
+    object: string,
+    relation: string,
+    subjectId: string,
+) {
+
+    const permissionApi = await getPermissionApi();
+    return permissionApi.checkPermission({
+        namespace: 'permissions',
+        object,
+        relation,
+        subjectId,
+    })
+        .then(({ data: { allowed } }) => allowed)
+        .catch(_ => false);
+}
+
+export async function requirePermission(
+    object: string,
+    relation: string,
+    subjectId: string,
+) {
+
+    const allowed = await checkPermission(
+        object,
+        relation,
+        subjectId,
+    );
+
+    if (!allowed) {
+        console.log(`Intercepted request with insufficient permission (${object}#${relation}@${subjectId})`);
+        redirect('/unauthorised');
+    }
+
+    return allowed;
+}

From 48c14c08a244e78765644040de023001cba02aa0 Mon Sep 17 00:00:00 2001
From: Markus Thielker <hey@thielker.dev>
Date: Fri, 4 Apr 2025 16:22:00 +0200
Subject: [PATCH 16/58] NORY-59: add component to display insufficient
 permissions

---
 .../components/insufficient-permission.tsx    | 36 +++++++++++++++++++
 1 file changed, 36 insertions(+)
 create mode 100644 dashboard/src/components/insufficient-permission.tsx

diff --git a/dashboard/src/components/insufficient-permission.tsx b/dashboard/src/components/insufficient-permission.tsx
new file mode 100644
index 0000000..261004a
--- /dev/null
+++ b/dashboard/src/components/insufficient-permission.tsx
@@ -0,0 +1,36 @@
+import { Card, CardDescription, CardFooter, CardHeader, CardTitle } from '@/components/ui/card';
+
+interface InsufficientPermissionProps {
+    permission: string;
+    relation: string;
+    identityId: string;
+    classNames?: string;
+}
+
+export default async function InsufficientPermission(
+    {
+        permission,
+        relation,
+        identityId,
+        classNames,
+    }: InsufficientPermissionProps,
+) {
+    return (
+        <Card className={classNames}>
+            <CardHeader>
+                <CardTitle>Insufficient Permission</CardTitle>
+                <CardDescription>
+                    You are missing the permission to see this content.<br/>
+                    If you think this is an error, please contact your system administrator
+                </CardDescription>
+            </CardHeader>
+            <CardFooter>
+                <CardDescription className="text-xs">
+                    Permission: {permission}<br/>
+                    Relation: {relation}<br/>
+                    Identity: {identityId}
+                </CardDescription>
+            </CardFooter>
+        </Card>
+    );
+}

From cbc6b0517397abe71188af105928e6d8d7f77024 Mon Sep 17 00:00:00 2001
From: Markus Thielker <hey@thielker.dev>
Date: Fri, 4 Apr 2025 16:22:38 +0200
Subject: [PATCH 17/58] NORY-59: move stack status requests to protected server
 actions

---
 dashboard/src/app/(inside)/page.tsx      | 101 ++++++++++++-----------
 dashboard/src/components/status-card.tsx |   2 +-
 dashboard/src/lib/action/metadata.ts     |  83 +++++++++++++++++++
 3 files changed, 135 insertions(+), 51 deletions(-)
 create mode 100644 dashboard/src/lib/action/metadata.ts

diff --git a/dashboard/src/app/(inside)/page.tsx b/dashboard/src/app/(inside)/page.tsx
index 604a7e2..778d24a 100644
--- a/dashboard/src/app/(inside)/page.tsx
+++ b/dashboard/src/app/(inside)/page.tsx
@@ -1,40 +1,20 @@
-import { getHydraMetadataApi, getKetoMetadataApi, getKratosMetadataApi } from '@/ory/sdk/server';
-import { MetadataApiReady, StatusCard } from '@/components/status-card';
+import { StatusCard } from '@/components/status-card';
+import { hydraMetadata, ketoMetadata, kratosMetadata } from '@/lib/action/metadata';
+import { checkPermission, requireRole, requireSession } from '@/lib/action/authentication';
+import InsufficientPermission from '@/components/insufficient-permission';
 
 export default async function RootPage() {
 
-    const kratosMetadataApi = await getKratosMetadataApi();
-    const kratosVersion = await kratosMetadataApi.getVersion()
-        .then(res => res.data.version)
-        .catch(() => undefined);
-    const kratosStatus = await fetch(process.env.ORY_KRATOS_ADMIN_URL + '/health/ready')
-        .then((response) => response.json() as MetadataApiReady)
-        .catch(() => {
-            return { errors: ['No instance running'] } as MetadataApiReady;
-        });
+    const session = await requireSession();
+    const identityId = session.identity!.id;
 
+    await requireRole('admin', identityId);
 
-    const hydraMetadataApi = await getHydraMetadataApi();
-    const hydraVersion = await hydraMetadataApi.getVersion()
-        .then(res => res.data.version)
-        .catch(() => undefined);
-    const hydraStatus = await fetch(process.env.ORY_HYDRA_ADMIN_URL + '/health/ready')
-        .then((response) => response.json() as MetadataApiReady)
-        .catch(() => {
-            return { errors: ['No instance running'] } as MetadataApiReady;
-        });
-
-
-    const ketoMetadataApi = await getKetoMetadataApi();
-    const ketoVersion = await ketoMetadataApi.getVersion()
-        .then(res => res.data.version)
-        .catch(() => undefined);
-    const ketoStatus = await fetch(process.env.ORY_KETO_ADMIN_URL + '/health/ready')
-        .then((response) => response.json() as MetadataApiReady)
-        .catch(() => {
-            return { errors: ['No instance running'] } as MetadataApiReady;
-        });
+    const pmAccessStackStatus = await checkPermission('admin.stack.status', 'access', identityId);
 
+    const kratos = pmAccessStackStatus && await kratosMetadata();
+    const hydra = pmAccessStackStatus && await hydraMetadata();
+    const keto = pmAccessStackStatus && await ketoMetadata();
 
     return (
         <div className="flex flex-col space-y-4">
@@ -43,25 +23,46 @@ export default async function RootPage() {
                 <p className="text-lg font-light">See the list of all applications in your stack</p>
             </div>
             <div className="grid grid-cols-1 md:grid-cols-4 gap-4">
-                <StatusCard
-                    title="Ory Kratos"
-                    version={kratosVersion}
-                    name="Kratos"
-                    status={kratosStatus}
-                    className="flex-1"/>
-                <StatusCard
-                    title="Ory Hydra"
-                    version={hydraVersion}
-                    name="Hydra"
-                    status={hydraStatus}
-                    className="flex-1"/>
-                <StatusCard
-                    title="Ory Keto"
-                    version={ketoVersion}
-                    name="Keto"
-                    status={ketoStatus}
-                    className="flex-1"/>
-                <div className="flex-1"/>
+                {
+                    !pmAccessStackStatus && (
+                        <InsufficientPermission
+                            permission="admin.stack.status"
+                            relation="access"
+                            identityId={identityId}
+                            classNames="col-span-1 md:col-span-4"
+                        />
+                    )
+                }
+                {
+                    kratos && (
+                        <StatusCard
+                            title="Ory Kratos"
+                            version={kratos.version}
+                            name="Kratos"
+                            status={kratos.status}
+                            className="flex-1"/>
+                    )
+                }
+                {
+                    hydra && (
+                        <StatusCard
+                            title="Ory Hydra"
+                            version={hydra.version}
+                            name="Hydra"
+                            status={hydra.status}
+                            className="flex-1"/>
+                    )
+                }
+                {
+                    keto && (
+                        <StatusCard
+                            title="Ory Keto"
+                            version={keto.version}
+                            name="Keto"
+                            status={keto.status}
+                            className="flex-1"/>
+                    )
+                }
             </div>
         </div>
     );
diff --git a/dashboard/src/components/status-card.tsx b/dashboard/src/components/status-card.tsx
index d6d4038..e12bf53 100644
--- a/dashboard/src/components/status-card.tsx
+++ b/dashboard/src/components/status-card.tsx
@@ -50,7 +50,7 @@ export function StatusCard({ title, version, name, status, className }: StatusCa
                             </TooltipTrigger>
                             <TooltipContent>
                                 {
-                                    status.errors.map((error) => <span>{error}</span>)
+                                    status.errors.map((error) => <span key={error}>{error}</span>)
                                 }
                             </TooltipContent>
                         </Tooltip>
diff --git a/dashboard/src/lib/action/metadata.ts b/dashboard/src/lib/action/metadata.ts
new file mode 100644
index 0000000..03d5768
--- /dev/null
+++ b/dashboard/src/lib/action/metadata.ts
@@ -0,0 +1,83 @@
+'use server';
+
+import { getHydraMetadataApi, getKetoMetadataApi, getKratosMetadataApi } from '@/ory/sdk/server';
+import { MetadataApiReady } from '@/components/status-card';
+import { checkPermission, requireSession } from '@/lib/action/authentication';
+
+export async function kratosMetadata() {
+
+    const session = await requireSession();
+    const allowed = await checkPermission('admin.stack.status', 'access', session.identity!.id);
+    if (!allowed) {
+        return;
+    }
+
+    const api = await getKratosMetadataApi();
+
+    const version = await api.getVersion()
+        .then(res => res.data.version)
+        .catch(() => undefined);
+
+    const status = await fetch(process.env.ORY_KRATOS_ADMIN_URL + '/health/ready')
+        .then((response) => response.json() as MetadataApiReady)
+        .catch(() => {
+            return { errors: ['No instance running'] } as MetadataApiReady;
+        });
+
+    return {
+        version,
+        status,
+    };
+}
+
+export async function hydraMetadata() {
+
+    const session = await requireSession();
+    const allowed = await checkPermission('admin.stack.status', 'access', session.identity!.id);
+    if (!allowed) {
+        return;
+    }
+
+    const api = await getHydraMetadataApi();
+
+    const version = await api.getVersion()
+        .then(res => res.data.version)
+        .catch(() => undefined);
+
+    const status = await fetch(process.env.ORY_HYDRA_ADMIN_URL + '/health/ready')
+        .then((response) => response.json() as MetadataApiReady)
+        .catch(() => {
+            return { errors: ['No instance running'] } as MetadataApiReady;
+        });
+
+    return {
+        version,
+        status,
+    };
+}
+
+export async function ketoMetadata() {
+
+    const session = await requireSession();
+    const allowed = await checkPermission('admin.stack.status', 'access', session.identity!.id);
+    if (!allowed) {
+        return;
+    }
+
+    const api = await getKetoMetadataApi();
+
+    const version = await api.getVersion()
+        .then(res => res.data.version)
+        .catch(() => undefined);
+
+    const status = await fetch(process.env.ORY_KETO_ADMIN_URL + '/health/ready')
+        .then((response) => response.json() as MetadataApiReady)
+        .catch(() => {
+            return { errors: ['No instance running'] } as MetadataApiReady;
+        });
+
+    return {
+        version,
+        status,
+    };
+}

From 4f06445869da31dbf5b01a1fb18d55ff6e6f6ebd Mon Sep 17 00:00:00 2001
From: Markus Thielker <hey@thielker.dev>
Date: Fri, 4 Apr 2025 16:31:15 +0200
Subject: [PATCH 18/58] NORY-59: refactor middleware to use new authentication
 functions

---
 dashboard/src/middleware.ts | 45 ++++++++++++-------------------------
 1 file changed, 14 insertions(+), 31 deletions(-)

diff --git a/dashboard/src/middleware.ts b/dashboard/src/middleware.ts
index 52d7714..62d78cc 100644
--- a/dashboard/src/middleware.ts
+++ b/dashboard/src/middleware.ts
@@ -1,47 +1,30 @@
 import { NextRequest, NextResponse } from 'next/server';
-import { cookies } from 'next/headers';
-import { getFrontendApi, getPermissionApi } from '@/ory/sdk/server';
+import { checkRole, getSession } from '@/lib/action/authentication';
 
 export async function middleware(request: NextRequest) {
 
-    const frontendApi = await getFrontendApi();
-    const cookie = await cookies();
-
-    const session = await frontendApi
-        .toSession({ cookie: 'ory_kratos_session=' + cookie.get('ory_kratos_session')?.value })
-        .then((response) => response.data)
-        .catch(() => null);
+    // middleware can not work with requireSession, requireRole and
+    // requirePermission due to the different redirect mechanisms in use!
 
+    const session = await getSession();
     if (!session) {
 
-        console.log('NO SESSION');
+        console.log('middleware', 'MISSING SESSION');
 
         const url = process.env.NEXT_PUBLIC_AUTHENTICATION_NODE_URL +
             '/flow/login?return_to=' +
             process.env.NEXT_PUBLIC_DASHBOARD_NODE_URL;
 
-        console.log('REDIRECT TO', url);
-
-        return NextResponse.redirect(url);
+        console.log('middleware', 'REDIRECT TO', url);
+        return NextResponse.redirect(url!);
     }
 
-    const permissionApi = await getPermissionApi();
-    const isAdmin = await permissionApi.checkPermission({
-        namespace: 'roles',
-        object: 'admin',
-        relation: 'member',
-        subjectId: session!.identity!.id,
-    })
-        .then(({ data: { allowed } }) => {
-            console.log('is_admin', session!.identity!.id, allowed);
-            return allowed;
-        })
-        .catch((response) => {
-            console.log('is_admin', session!.identity!.id, response, 'check failed');
-            return false;
-        });
+    const allowed = await checkRole(
+        'admin',
+        session!.identity!.id,
+    );
 
-    if (isAdmin) {
+    if (allowed) {
         if (request.nextUrl.pathname === '/unauthorised') {
             return redirect('/', 'HAS PERMISSION BUT ACCESSING /unauthorized');
         }
@@ -55,9 +38,9 @@ export async function middleware(request: NextRequest) {
 }
 
 function redirect(path: string, reason: string) {
-    console.log(reason);
+    console.log('middleware', reason);
     const url = `${process.env.NEXT_PUBLIC_DASHBOARD_NODE_URL}${path}`;
-    console.log('REDIRECT TO', url);
+    console.log('middleware', 'REDIRECT TO', url);
     return NextResponse.redirect(url!);
 }
 

From 3693b0b1f9eaf882056af46fc5b03de8805319ff Mon Sep 17 00:00:00 2001
From: Markus Thielker <hey@thielker.dev>
Date: Fri, 4 Apr 2025 19:10:40 +0200
Subject: [PATCH 19/58] NORY-59: add authentication and authorisation to user
 page

---
 .../src/app/(inside)/user/data-table.tsx      | 13 +++-
 dashboard/src/app/(inside)/user/page.tsx      | 73 ++++++++++++++-----
 2 files changed, 67 insertions(+), 19 deletions(-)

diff --git a/dashboard/src/app/(inside)/user/data-table.tsx b/dashboard/src/app/(inside)/user/data-table.tsx
index 510ee6c..2baabaa 100644
--- a/dashboard/src/app/(inside)/user/data-table.tsx
+++ b/dashboard/src/app/(inside)/user/data-table.tsx
@@ -33,9 +33,16 @@ interface IdentityDataTableProps {
     data: Identity[];
     page: number;
     query: string;
+    permission: {
+        pmEditUser: boolean;
+        pmBlockUser: boolean;
+        pmUnblockUser: boolean;
+        pmDeleteUser: boolean;
+        pmDeleteUserSession: boolean;
+    };
 }
 
-export function IdentityDataTable({ data, page, query }: IdentityDataTableProps) {
+export function IdentityDataTable({ data, page, query, permission }: IdentityDataTableProps) {
 
     const columns: ColumnDef<Identity>[] = [
         {
@@ -137,6 +144,7 @@ export function IdentityDataTable({ data, page, query }: IdentityDataTableProps)
                                     setCurrentIdentity(identity);
                                     setIdentitySessionVisible(true);
                                 }}
+                                disabled={!permission.pmDeleteUserSession}
                                 className="flex items-center space-x-2 text-red-500">
                                 <UserMinus className="h-4 w-4"/>
                                 <span>Delete sessions</span>
@@ -148,6 +156,7 @@ export function IdentityDataTable({ data, page, query }: IdentityDataTableProps)
                                         setCurrentIdentity(identity);
                                         setBlockIdentityVisible(true);
                                     }}
+                                    disabled={!permission.pmBlockUser}
                                     className="flex items-center space-x-2 text-red-500">
                                     <UserX className="h-4 w-4"/>
                                     <span>Block identity</span>
@@ -160,6 +169,7 @@ export function IdentityDataTable({ data, page, query }: IdentityDataTableProps)
                                         setCurrentIdentity(identity);
                                         setUnblockIdentityVisible(true);
                                     }}
+                                    disabled={!permission.pmUnblockUser}
                                     className="flex items-center space-x-2 text-red-500">
                                     <UserCheck className="h-4 w-4"/>
                                     <span>Unblock identity</span>
@@ -170,6 +180,7 @@ export function IdentityDataTable({ data, page, query }: IdentityDataTableProps)
                                     setCurrentIdentity(identity);
                                     setDeleteIdentityVisible(true);
                                 }}
+                                disabled={!permission.pmDeleteUser}
                                 className="flex items-center space-x-2 text-red-500">
                                 <Trash className="h-4 w-4"/>
                                 <span>Delete identity</span>
diff --git a/dashboard/src/app/(inside)/user/page.tsx b/dashboard/src/app/(inside)/user/page.tsx
index efb1095..b889ecf 100644
--- a/dashboard/src/app/(inside)/user/page.tsx
+++ b/dashboard/src/app/(inside)/user/page.tsx
@@ -3,6 +3,8 @@ import { IdentityDataTable } from '@/app/(inside)/user/data-table';
 import { SearchInput } from '@/components/search-input';
 import { queryIdentities } from '@/lib/action/identity';
 import { IdentityPagination } from '@/components/pagination';
+import { checkPermission, requireRole, requireSession } from '@/lib/action/authentication';
+import InsufficientPermission from '@/components/insufficient-permission';
 
 export default async function UserPage(
     {
@@ -12,6 +14,18 @@ export default async function UserPage(
     },
 ) {
 
+    const session = await requireSession();
+    const identityId = session.identity!.id;
+
+    await requireRole('admin', identityId);
+
+    const pmAccessUser = await checkPermission('admin.user', 'access', identityId);
+    const pmEditUser = await checkPermission('admin.user', 'edit', identityId);
+    const pmBlockUser = await checkPermission('admin.user', 'block', identityId);
+    const pmUnblockUser = await checkPermission('admin.user', 'unblock', identityId);
+    const pmDeleteUser = await checkPermission('admin.user', 'delete', identityId);
+    const pmDeleteUserSession = await checkPermission('admin.user.session', 'delete', identityId);
+
     const params = await searchParams;
 
     const page = params.page ? Number(params.page) : 1;
@@ -20,7 +34,7 @@ export default async function UserPage(
     let pageSize = 50;
     let paginationRange = 11;
 
-    const { data, itemCount, pageCount } = await queryIdentities({ page, pageSize, query });
+    const users = pmAccessUser && await queryIdentities({ page, pageSize, query });
 
     return (
         <div className="space-y-4">
@@ -31,23 +45,46 @@ export default async function UserPage(
                 </p>
             </div>
             <div className="space-y-2">
-                <SearchInput
-                    value={query}
-                    pageParamKey="page"
-                    queryParamKey="query"
-                    placeholder="Search for addresses and traits"/>
-                <div>
-                    <p className="text-xs text-neutral-500">{itemCount} item{itemCount && itemCount > 1 ? 's' : ''} found</p>
-                    <IdentityDataTable
-                        data={data}
-                        page={page}
-                        query={query}/>
-                </div>
-                <IdentityPagination
-                    page={page}
-                    pageCount={pageCount}
-                    pageParamKey="page"
-                    paginationRange={paginationRange}/>
+                {
+                    !pmAccessUser && (
+                        <InsufficientPermission
+                            permission="admin.user"
+                            relation="see"
+                            identityId={identityId}
+                        />
+                    )
+                }
+                {
+                    pmAccessUser && users && (
+                        <>
+                            <SearchInput
+                                value={query}
+                                pageParamKey="page"
+                                queryParamKey="query"
+                                placeholder="Search for addresses and traits"/>
+                            <div>
+                                <p className="text-xs text-neutral-500">{users.itemCount} item{users.itemCount && users.itemCount > 1 ? 's' : ''} found</p>
+                                <IdentityDataTable
+                                    data={users.data}
+                                    page={page}
+                                    query={query}
+                                    permission={{
+                                        pmEditUser: pmEditUser,
+                                        pmBlockUser: pmBlockUser,
+                                        pmUnblockUser: pmUnblockUser,
+                                        pmDeleteUser: pmDeleteUser,
+                                        pmDeleteUserSession: pmDeleteUserSession,
+                                    }}
+                                />
+                            </div>
+                            <IdentityPagination
+                                page={page}
+                                pageCount={users.pageCount}
+                                pageParamKey="page"
+                                paginationRange={paginationRange}/>
+                        </>
+                    )
+                }
             </div>
         </div>
     );

From 86412e01336511c735988e73f1aceb44159da29d Mon Sep 17 00:00:00 2001
From: Markus Thielker <hey@thielker.dev>
Date: Fri, 4 Apr 2025 19:32:26 +0200
Subject: [PATCH 20/58] NORY-59: introduce permission constants

---
 dashboard/src/app/(inside)/page.tsx            |  4 ++--
 dashboard/src/app/(inside)/user/data-table.tsx |  7 +++----
 dashboard/src/app/(inside)/user/page.tsx       | 18 ++++++++----------
 dashboard/src/lib/permission.ts                | 16 ++++++++++++++++
 4 files changed, 29 insertions(+), 16 deletions(-)
 create mode 100644 dashboard/src/lib/permission.ts

diff --git a/dashboard/src/app/(inside)/page.tsx b/dashboard/src/app/(inside)/page.tsx
index 778d24a..dad9358 100644
--- a/dashboard/src/app/(inside)/page.tsx
+++ b/dashboard/src/app/(inside)/page.tsx
@@ -10,7 +10,7 @@ export default async function RootPage() {
 
     await requireRole('admin', identityId);
 
-    const pmAccessStackStatus = await checkPermission('admin.stack.status', 'access', identityId);
+    const pmAccessStackStatus = await checkPermission(permission.stack.status, relation.access, identityId);
 
     const kratos = pmAccessStackStatus && await kratosMetadata();
     const hydra = pmAccessStackStatus && await hydraMetadata();
@@ -26,7 +26,7 @@ export default async function RootPage() {
                 {
                     !pmAccessStackStatus && (
                         <InsufficientPermission
-                            permission="admin.stack.status"
+                            permission={permission.stack.status}
                             relation="access"
                             identityId={identityId}
                             classNames="col-span-1 md:col-span-4"
diff --git a/dashboard/src/app/(inside)/user/data-table.tsx b/dashboard/src/app/(inside)/user/data-table.tsx
index 2baabaa..69a1c4b 100644
--- a/dashboard/src/app/(inside)/user/data-table.tsx
+++ b/dashboard/src/app/(inside)/user/data-table.tsx
@@ -35,9 +35,8 @@ interface IdentityDataTableProps {
     query: string;
     permission: {
         pmEditUser: boolean;
-        pmBlockUser: boolean;
-        pmUnblockUser: boolean;
         pmDeleteUser: boolean;
+        pmEditUserState: boolean;
         pmDeleteUserSession: boolean;
     };
 }
@@ -156,7 +155,7 @@ export function IdentityDataTable({ data, page, query, permission }: IdentityDat
                                         setCurrentIdentity(identity);
                                         setBlockIdentityVisible(true);
                                     }}
-                                    disabled={!permission.pmBlockUser}
+                                    disabled={!permission.pmEditUserState}
                                     className="flex items-center space-x-2 text-red-500">
                                     <UserX className="h-4 w-4"/>
                                     <span>Block identity</span>
@@ -169,7 +168,7 @@ export function IdentityDataTable({ data, page, query, permission }: IdentityDat
                                         setCurrentIdentity(identity);
                                         setUnblockIdentityVisible(true);
                                     }}
-                                    disabled={!permission.pmUnblockUser}
+                                    disabled={!permission.pmEditUserState}
                                     className="flex items-center space-x-2 text-red-500">
                                     <UserCheck className="h-4 w-4"/>
                                     <span>Unblock identity</span>
diff --git a/dashboard/src/app/(inside)/user/page.tsx b/dashboard/src/app/(inside)/user/page.tsx
index b889ecf..3e52891 100644
--- a/dashboard/src/app/(inside)/user/page.tsx
+++ b/dashboard/src/app/(inside)/user/page.tsx
@@ -19,12 +19,11 @@ export default async function UserPage(
 
     await requireRole('admin', identityId);
 
-    const pmAccessUser = await checkPermission('admin.user', 'access', identityId);
-    const pmEditUser = await checkPermission('admin.user', 'edit', identityId);
-    const pmBlockUser = await checkPermission('admin.user', 'block', identityId);
-    const pmUnblockUser = await checkPermission('admin.user', 'unblock', identityId);
-    const pmDeleteUser = await checkPermission('admin.user', 'delete', identityId);
-    const pmDeleteUserSession = await checkPermission('admin.user.session', 'delete', identityId);
+    const pmAccessUser = await checkPermission(permission.user.it, relation.access, identityId);
+    const pmEditUser = await checkPermission(permission.user.it, relation.edit, identityId);
+    const pmDeleteUser = await checkPermission(permission.user.it, relation.delete, identityId);
+    const pmEditUserState = await checkPermission(permission.user.state, relation.edit, identityId);
+    const pmDeleteUserSession = await checkPermission(permission.user.session, relation.delete, identityId);
 
     const params = await searchParams;
 
@@ -48,8 +47,8 @@ export default async function UserPage(
                 {
                     !pmAccessUser && (
                         <InsufficientPermission
-                            permission="admin.user"
-                            relation="see"
+                            permission={permission.user.it}
+                            relation={relation.access}
                             identityId={identityId}
                         />
                     )
@@ -70,9 +69,8 @@ export default async function UserPage(
                                     query={query}
                                     permission={{
                                         pmEditUser: pmEditUser,
-                                        pmBlockUser: pmBlockUser,
-                                        pmUnblockUser: pmUnblockUser,
                                         pmDeleteUser: pmDeleteUser,
+                                        pmEditUserState: pmEditUserState,
                                         pmDeleteUserSession: pmDeleteUserSession,
                                     }}
                                 />
diff --git a/dashboard/src/lib/permission.ts b/dashboard/src/lib/permission.ts
new file mode 100644
index 0000000..7bced61
--- /dev/null
+++ b/dashboard/src/lib/permission.ts
@@ -0,0 +1,16 @@
+const permission = {
+    stack: {
+        status: 'admin.stack.status',
+    },
+    user: {
+        it: 'admin.user',
+        session: 'admin.user.session',
+        state: 'admin.user.state',
+    },
+};
+
+const relation = {
+    access: 'access',
+    edit: 'edit',
+    delete: 'delete',
+};

From a72ca49271f0e9a474b87f05455fd2318ef2e67f Mon Sep 17 00:00:00 2001
From: Markus Thielker <hey@thielker.dev>
Date: Fri, 4 Apr 2025 19:48:39 +0200
Subject: [PATCH 21/58] NORY-59: replace 'force-admin-role'  with new
 permission

---
 dashboard/src/app/(inside)/page.tsx      | 5 +++--
 dashboard/src/app/(inside)/user/page.tsx | 5 +++--
 dashboard/src/lib/permission.ts          | 5 +++--
 dashboard/src/middleware.ts              | 9 ++++-----
 4 files changed, 13 insertions(+), 11 deletions(-)

diff --git a/dashboard/src/app/(inside)/page.tsx b/dashboard/src/app/(inside)/page.tsx
index dad9358..607c2c4 100644
--- a/dashboard/src/app/(inside)/page.tsx
+++ b/dashboard/src/app/(inside)/page.tsx
@@ -1,14 +1,15 @@
 import { StatusCard } from '@/components/status-card';
 import { hydraMetadata, ketoMetadata, kratosMetadata } from '@/lib/action/metadata';
-import { checkPermission, requireRole, requireSession } from '@/lib/action/authentication';
+import { checkPermission, requirePermission, requireSession } from '@/lib/action/authentication';
 import InsufficientPermission from '@/components/insufficient-permission';
+import { permission, relation } from '@/lib/permission';
 
 export default async function RootPage() {
 
     const session = await requireSession();
     const identityId = session.identity!.id;
 
-    await requireRole('admin', identityId);
+    await requirePermission(permission.stack.dashboard, relation.access, identityId);
 
     const pmAccessStackStatus = await checkPermission(permission.stack.status, relation.access, identityId);
 
diff --git a/dashboard/src/app/(inside)/user/page.tsx b/dashboard/src/app/(inside)/user/page.tsx
index 3e52891..ebb9079 100644
--- a/dashboard/src/app/(inside)/user/page.tsx
+++ b/dashboard/src/app/(inside)/user/page.tsx
@@ -3,8 +3,9 @@ import { IdentityDataTable } from '@/app/(inside)/user/data-table';
 import { SearchInput } from '@/components/search-input';
 import { queryIdentities } from '@/lib/action/identity';
 import { IdentityPagination } from '@/components/pagination';
-import { checkPermission, requireRole, requireSession } from '@/lib/action/authentication';
+import { checkPermission, requirePermission, requireSession } from '@/lib/action/authentication';
 import InsufficientPermission from '@/components/insufficient-permission';
+import { permission, relation } from '@/lib/permission';
 
 export default async function UserPage(
     {
@@ -17,7 +18,7 @@ export default async function UserPage(
     const session = await requireSession();
     const identityId = session.identity!.id;
 
-    await requireRole('admin', identityId);
+    await requirePermission(permission.stack.dashboard, relation.access, identityId);
 
     const pmAccessUser = await checkPermission(permission.user.it, relation.access, identityId);
     const pmEditUser = await checkPermission(permission.user.it, relation.edit, identityId);
diff --git a/dashboard/src/lib/permission.ts b/dashboard/src/lib/permission.ts
index 7bced61..bab8592 100644
--- a/dashboard/src/lib/permission.ts
+++ b/dashboard/src/lib/permission.ts
@@ -1,5 +1,6 @@
-const permission = {
+export const permission = {
     stack: {
+        dashboard: 'admin.stack.dashboard',
         status: 'admin.stack.status',
     },
     user: {
@@ -9,7 +10,7 @@ const permission = {
     },
 };
 
-const relation = {
+export const relation = {
     access: 'access',
     edit: 'edit',
     delete: 'delete',
diff --git a/dashboard/src/middleware.ts b/dashboard/src/middleware.ts
index 62d78cc..8fb5913 100644
--- a/dashboard/src/middleware.ts
+++ b/dashboard/src/middleware.ts
@@ -1,5 +1,6 @@
 import { NextRequest, NextResponse } from 'next/server';
-import { checkRole, getSession } from '@/lib/action/authentication';
+import { checkPermission, getSession } from '@/lib/action/authentication';
+import { permission, relation } from '@/lib/permission';
 
 export async function middleware(request: NextRequest) {
 
@@ -19,10 +20,8 @@ export async function middleware(request: NextRequest) {
         return NextResponse.redirect(url!);
     }
 
-    const allowed = await checkRole(
-        'admin',
-        session!.identity!.id,
-    );
+    const allowed = await checkPermission(permission.stack.dashboard, relation.access, session.identity!.id);
+
 
     if (allowed) {
         if (request.nextUrl.pathname === '/unauthorised') {

From f794f7d7003d751c4eb2ec75e926db114d0c6e40 Mon Sep 17 00:00:00 2001
From: Markus Thielker <hey@thielker.dev>
Date: Fri, 4 Apr 2025 19:58:57 +0200
Subject: [PATCH 22/58] NORY-59: refactor permission-checks to use constant
 values

---
 dashboard/src/lib/action/metadata.ts | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/dashboard/src/lib/action/metadata.ts b/dashboard/src/lib/action/metadata.ts
index 03d5768..5a64b3b 100644
--- a/dashboard/src/lib/action/metadata.ts
+++ b/dashboard/src/lib/action/metadata.ts
@@ -3,11 +3,12 @@
 import { getHydraMetadataApi, getKetoMetadataApi, getKratosMetadataApi } from '@/ory/sdk/server';
 import { MetadataApiReady } from '@/components/status-card';
 import { checkPermission, requireSession } from '@/lib/action/authentication';
+import { permission, relation } from '@/lib/permission';
 
 export async function kratosMetadata() {
 
     const session = await requireSession();
-    const allowed = await checkPermission('admin.stack.status', 'access', session.identity!.id);
+    const allowed = await checkPermission(permission.stack.status, relation.access, session.identity!.id);
     if (!allowed) {
         return;
     }
@@ -33,7 +34,7 @@ export async function kratosMetadata() {
 export async function hydraMetadata() {
 
     const session = await requireSession();
-    const allowed = await checkPermission('admin.stack.status', 'access', session.identity!.id);
+    const allowed = await checkPermission(permission.stack.status, relation.access, session.identity!.id);
     if (!allowed) {
         return;
     }
@@ -59,7 +60,7 @@ export async function hydraMetadata() {
 export async function ketoMetadata() {
 
     const session = await requireSession();
-    const allowed = await checkPermission('admin.stack.status', 'access', session.identity!.id);
+    const allowed = await checkPermission(permission.stack.status, relation.access, session.identity!.id);
     if (!allowed) {
         return;
     }

From 0da4158d60c92febf25a9fb8912b748ba9ca92cb Mon Sep 17 00:00:00 2001
From: Markus Thielker <hey@thielker.dev>
Date: Fri, 4 Apr 2025 20:20:45 +0200
Subject: [PATCH 23/58] NORY-59: add protection to identity actions

---
 dashboard/src/lib/action/identity.ts | 56 ++++++++++++++++++++++++++++
 dashboard/src/lib/permission.ts      |  4 ++
 2 files changed, 60 insertions(+)

diff --git a/dashboard/src/lib/action/identity.ts b/dashboard/src/lib/action/identity.ts
index 4ffed77..b39e721 100644
--- a/dashboard/src/lib/action/identity.ts
+++ b/dashboard/src/lib/action/identity.ts
@@ -12,6 +12,8 @@ import {
 import { getDB } from '@/db';
 import { identities, identity_recovery_addresses, identity_verifiable_addresses } from '@/db/schema';
 import { eq, ilike, or, sql } from 'drizzle-orm';
+import { checkPermission, requireSession } from '@/lib/action/authentication';
+import { permission, relation } from '@/lib/permission';
 
 interface QueryIdentitiesProps {
     page: number,
@@ -21,6 +23,12 @@ interface QueryIdentitiesProps {
 
 export async function queryIdentities({ page, pageSize, query }: QueryIdentitiesProps) {
 
+    const session = await requireSession();
+    const allowed = await checkPermission(permission.user.it, relation.access, session.identity!.id);
+    if (!allowed) {
+        throw Error('Unauthorised');
+    }
+
     if (page < 1 || pageSize < 1) {
         return {
             data: [],
@@ -81,6 +89,12 @@ interface UpdatedIdentityProps {
 
 export async function updateIdentity({ id, body }: UpdatedIdentityProps) {
 
+    const session = await requireSession();
+    const allowed = await checkPermission(permission.user.it, relation.edit, session.identity!.id);
+    if (!allowed) {
+        throw Error('Unauthorised');
+    }
+
     const identityApi = await getIdentityApi();
     const { data } = await identityApi.updateIdentity({
         id: id,
@@ -101,6 +115,12 @@ interface DeleteIdentityCredentialProps {
 
 export async function deleteIdentityCredential({ id, type }: DeleteIdentityCredentialProps) {
 
+    const session = await requireSession();
+    const allowed = await checkPermission(permission.user.credential, relation.delete, session.identity!.id);
+    if (!allowed) {
+        throw Error('Unauthorised');
+    }
+
     const identityApi = await getIdentityApi();
     const { data } = await identityApi.deleteIdentityCredentials({ id, type });
 
@@ -113,6 +133,12 @@ export async function deleteIdentityCredential({ id, type }: DeleteIdentityCrede
 
 export async function deleteIdentitySessions(id: string) {
 
+    const session = await requireSession();
+    const allowed = await checkPermission(permission.user.session, relation.delete, session.identity!.id);
+    if (!allowed) {
+        throw Error('Unauthorised');
+    }
+
     const identityApi = await getIdentityApi();
     const { data } = await identityApi.deleteIdentitySessions({ id });
 
@@ -125,6 +151,12 @@ export async function deleteIdentitySessions(id: string) {
 
 export async function createRecoveryCode(id: string) {
 
+    const session = await requireSession();
+    const allowed = await checkPermission(permission.user.code, relation.create, session.identity!.id);
+    if (!allowed) {
+        throw Error('Unauthorised');
+    }
+
     const identityApi = await getIdentityApi();
     const { data } = await identityApi.createRecoveryCodeForIdentity({
         createRecoveryCodeForIdentityBody: {
@@ -139,6 +171,12 @@ export async function createRecoveryCode(id: string) {
 
 export async function createRecoveryLink(id: string) {
 
+    const session = await requireSession();
+    const allowed = await checkPermission(permission.user.link, relation.create, session.identity!.id);
+    if (!allowed) {
+        throw Error('Unauthorised');
+    }
+
     const identityApi = await getIdentityApi();
     const { data } = await identityApi.createRecoveryLinkForIdentity({
         createRecoveryLinkForIdentityBody: {
@@ -153,6 +191,12 @@ export async function createRecoveryLink(id: string) {
 
 export async function blockIdentity(id: string) {
 
+    const session = await requireSession();
+    const allowed = await checkPermission(permission.user.state, relation.edit, session.identity!.id);
+    if (!allowed) {
+        throw Error('Unauthorised');
+    }
+
     const identityApi = await getIdentityApi();
     const { data } = await identityApi.patchIdentity({
         id,
@@ -172,6 +216,12 @@ export async function blockIdentity(id: string) {
 
 export async function unblockIdentity(id: string) {
 
+    const session = await requireSession();
+    const allowed = await checkPermission(permission.user.state, relation.edit, session.identity!.id);
+    if (!allowed) {
+        throw Error('Unauthorised');
+    }
+
     const identityApi = await getIdentityApi();
     const { data } = await identityApi.patchIdentity({
         id,
@@ -191,6 +241,12 @@ export async function unblockIdentity(id: string) {
 
 export async function deleteIdentity(id: string) {
 
+    const session = await requireSession();
+    const allowed = await checkPermission(permission.user.credential, relation.delete, session.identity!.id);
+    if (!allowed) {
+        throw Error('Unauthorised');
+    }
+
     const identityApi = await getIdentityApi();
     const { data } = await identityApi.deleteIdentity({ id });
 
diff --git a/dashboard/src/lib/permission.ts b/dashboard/src/lib/permission.ts
index bab8592..49958b0 100644
--- a/dashboard/src/lib/permission.ts
+++ b/dashboard/src/lib/permission.ts
@@ -5,6 +5,9 @@ export const permission = {
     },
     user: {
         it: 'admin.user',
+        code: 'admin.user.code',
+        credential: 'admin.user.credential',
+        link: 'admin.user.link',
         session: 'admin.user.session',
         state: 'admin.user.state',
     },
@@ -12,6 +15,7 @@ export const permission = {
 
 export const relation = {
     access: 'access',
+    create: 'create',
     edit: 'edit',
     delete: 'delete',
 };

From b72a45f39d82aabf754db53806dd104c32e6e5ed Mon Sep 17 00:00:00 2001
From: Markus Thielker <markus@thielker.dev>
Date: Sun, 6 Apr 2025 11:14:22 +0200
Subject: [PATCH 24/58] NORY-59: add permission checks to identity action UI

---
 dashboard/src/app/(inside)/user/[id]/page.tsx | 41 ++++++++++++++---
 .../components/identity/identity-actions.tsx  | 44 +++++++++++++++----
 2 files changed, 71 insertions(+), 14 deletions(-)

diff --git a/dashboard/src/app/(inside)/user/[id]/page.tsx b/dashboard/src/app/(inside)/user/[id]/page.tsx
index 83cc3b3..98a578a 100644
--- a/dashboard/src/app/(inside)/user/[id]/page.tsx
+++ b/dashboard/src/app/(inside)/user/[id]/page.tsx
@@ -11,6 +11,9 @@ import { Badge } from '@/components/ui/badge';
 import { Check, X } from 'lucide-react';
 import { IdentityActions } from '@/components/identity/identity-actions';
 import { IdentityCredentials } from '@/components/identity/identity-credentials';
+import { checkPermission, requirePermission, requireSession } from '@/lib/action/authentication';
+import { permission, relation } from '@/lib/permission';
+import { redirect } from 'next/navigation';
 
 interface MergedAddress {
     recovery_id?: string;
@@ -76,19 +79,35 @@ function mergeAddresses(
 
 export default async function UserDetailsPage({ params }: { params: Promise<{ id: string }> }) {
 
-    const identityId = (await params).id;
+    const session = await requireSession();
+    const identityId = session.identity!.id;
+
+    await requirePermission(permission.stack.dashboard, relation.access, identityId);
+
+    const pmAccessUser = await checkPermission(permission.user.it, relation.access, identityId);
+    if (!pmAccessUser) {
+        return redirect('/user');
+    }
+
+    const pmEditUser = await checkPermission(permission.user.it, relation.edit, identityId);
+    const pmDeleteUser = await checkPermission(permission.user.it, relation.delete, identityId);
+    const pmEditUserState = await checkPermission(permission.user.state, relation.edit, identityId);
+    const pmDeleteUserSession = await checkPermission(permission.user.session, relation.delete, identityId);
+    const pmCreateUserCode = await checkPermission(permission.user.code, relation.create, identityId);
+    const pmCreateUserLink = await checkPermission(permission.user.link, relation.create, identityId);
+
+    const detailIdentityId = (await params).id;
 
     const identityApi = await getIdentityApi();
-    const identity = await identityApi.getIdentity({ id: identityId })
+    const identity = await identityApi.getIdentity({ id: detailIdentityId })
         .then((response) => {
-            console.log('identity', response.data);
             return response.data;
         })
         .catch(() => {
             console.log('Identity not found');
         });
 
-    const sessions = await identityApi.listIdentitySessions({ id: identityId })
+    const sessions = await identityApi.listIdentitySessions({ id: detailIdentityId })
         .then((response) => response.data)
         .catch(() => {
             console.log('No sessions found');
@@ -97,7 +116,7 @@ export default async function UserDetailsPage({ params }: { params: Promise<{ id
     if (!identity) {
         return <ErrorDisplay
             title="Identity not found"
-            message={`The requested identity with id ${identityId} does not exist`}/>;
+            message={`The requested identity with id ${detailIdentityId} does not exist`}/>;
     }
 
     if (!identity.verifiable_addresses || !identity.verifiable_addresses[0]) {
@@ -137,7 +156,17 @@ export default async function UserDetailsPage({ params }: { params: Promise<{ id
                         <CardDescription>Quick actions to manage the identity</CardDescription>
                     </CardHeader>
                     <CardContent>
-                        <IdentityActions identity={identity}/>
+                        <IdentityActions
+                            identity={identity}
+                            permissions={{
+                                pmEditUser,
+                                pmDeleteUser,
+                                pmEditUserState,
+                                pmDeleteUserSession,
+                                pmCreateUserCode,
+                                pmCreateUserLink,
+                            }}
+                        />
                     </CardContent>
                 </Card>
                 <Card>
diff --git a/dashboard/src/components/identity/identity-actions.tsx b/dashboard/src/components/identity/identity-actions.tsx
index 0ddcf32..b6a48ca 100644
--- a/dashboard/src/components/identity/identity-actions.tsx
+++ b/dashboard/src/components/identity/identity-actions.tsx
@@ -28,12 +28,22 @@ import { Input } from '@/components/ui/input';
 import { Label } from '@/components/ui/label';
 
 interface IdentityActionProps {
-    identity: Identity;
+    identity: Identity,
+    permissions: {
+        pmEditUser: boolean;
+        pmDeleteUser: boolean;
+        pmEditUserState: boolean;
+        pmDeleteUserSession: boolean;
+        pmCreateUserCode: boolean;
+        pmCreateUserLink: boolean;
+    }
 }
 
-export function IdentityActions({ identity }: IdentityActionProps,
+export function IdentityActions({ identity, permissions }: IdentityActionProps,
 ) {
 
+    console.log('IdentityActions', 'Permissions', permissions);
+
     const router = useRouter();
 
     const [dialogVisible, setDialogVisible] = useState(false);
@@ -122,7 +132,10 @@ export function IdentityActions({ identity }: IdentityActionProps,
                 dialogDescription="Are you sure you want to create a recovery code for this identity?"
                 dialogButtonSubmit="Create code"
             >
-                <Button className="mr-2" size="icon">
+                <Button
+                    disabled={!permissions.pmCreateUserCode}
+                    className="mr-2"
+                    size="icon">
                     <Key className="h-4"/>
                 </Button>
             </ConfirmationDialogWrapper>
@@ -142,7 +155,10 @@ export function IdentityActions({ identity }: IdentityActionProps,
                 dialogDescription="Are you sure you want to create a recovery link for this identity?"
                 dialogButtonSubmit="Create link"
             >
-                <Button className="mr-2" size="icon">
+                <Button
+                    disabled={!permissions.pmCreateUserLink}
+                    className="mr-2"
+                    size="icon">
                     <Link className="h-4"/>
                 </Button>
             </ConfirmationDialogWrapper>
@@ -160,7 +176,10 @@ export function IdentityActions({ identity }: IdentityActionProps,
                         dialogDescription="Are you sure you want to deactivate this identity? The user will not be able to sign-in or use any active session until re-activation!"
                         dialogButtonSubmit="Deactivate"
                     >
-                        <Button className="mr-2" size="icon">
+                        <Button
+                            disabled={!permissions.pmEditUserState}
+                            className="mr-2"
+                            size="icon">
                             <UserX className="h-4"/>
                         </Button>
                     </ConfirmationDialogWrapper>
@@ -176,7 +195,10 @@ export function IdentityActions({ identity }: IdentityActionProps,
                         dialogDescription="Are you sure you want to activate this identity?"
                         dialogButtonSubmit="Activate"
                     >
-                        <Button className="mr-2" size="icon">
+                        <Button
+                            disabled={!permissions.pmEditUserState}
+                            className="mr-2"
+                            size="icon">
                             <UserCheck className="h-4"/>
                         </Button>
                     </ConfirmationDialogWrapper>
@@ -194,7 +216,10 @@ export function IdentityActions({ identity }: IdentityActionProps,
                 dialogButtonSubmit="Invalidate sessions"
                 dialogButtonSubmitProps={{ variant: 'destructive' }}
             >
-                <Button className="mr-2" size="icon">
+                <Button
+                    disabled={!permissions.pmDeleteUserSession}
+                    className="mr-2"
+                    size="icon">
                     <UserMinus className="h-4"/>
                 </Button>
             </ConfirmationDialogWrapper>
@@ -214,7 +239,10 @@ export function IdentityActions({ identity }: IdentityActionProps,
                 dialogButtonSubmit="Delete identity"
                 dialogButtonSubmitProps={{ variant: 'destructive' }}
             >
-                <Button className="mr-2" size="icon">
+                <Button
+                    disabled={!permissions.pmDeleteUser}
+                    className="mr-2"
+                    size="icon">
                     <Trash className="h-4"/>
                 </Button>
             </ConfirmationDialogWrapper>

From b3be0440d120d7c7dd3ef9346be5f54e2ba990a6 Mon Sep 17 00:00:00 2001
From: Markus Thielker <markus@thielker.dev>
Date: Sun, 6 Apr 2025 13:02:56 +0200
Subject: [PATCH 25/58] NORY-59: refactor identity queries to use server
 actions

---
 dashboard/src/app/(inside)/user/[id]/page.tsx | 149 +++++++++---------
 dashboard/src/lib/action/identity.ts          |  46 ++++++
 dashboard/src/lib/permission.ts               |   1 +
 3 files changed, 123 insertions(+), 73 deletions(-)

diff --git a/dashboard/src/app/(inside)/user/[id]/page.tsx b/dashboard/src/app/(inside)/user/[id]/page.tsx
index 98a578a..e590abc 100644
--- a/dashboard/src/app/(inside)/user/[id]/page.tsx
+++ b/dashboard/src/app/(inside)/user/[id]/page.tsx
@@ -1,5 +1,4 @@
 import React from 'react';
-import { getIdentityApi } from '@/ory/sdk/server';
 import { ErrorDisplay } from '@/components/error';
 import { Card, CardContent, CardDescription, CardHeader, CardTitle } from '@/components/ui/card';
 import { IdentityTraits } from '@/components/identity/identity-traits';
@@ -14,6 +13,8 @@ import { IdentityCredentials } from '@/components/identity/identity-credentials'
 import { checkPermission, requirePermission, requireSession } from '@/lib/action/authentication';
 import { permission, relation } from '@/lib/permission';
 import { redirect } from 'next/navigation';
+import InsufficientPermission from '@/components/insufficient-permission';
+import { getIdentity, getIdentitySchema, listIdentitySessions } from '@/lib/action/identity';
 
 interface MergedAddress {
     recovery_id?: string;
@@ -91,65 +92,65 @@ export default async function UserDetailsPage({ params }: { params: Promise<{ id
 
     const pmEditUser = await checkPermission(permission.user.it, relation.edit, identityId);
     const pmDeleteUser = await checkPermission(permission.user.it, relation.delete, identityId);
+    const pmAccessUserTraits = await checkPermission(permission.user.trait, relation.access, identityId);
     const pmEditUserState = await checkPermission(permission.user.state, relation.edit, identityId);
+    const pmAccessUserSession = await checkPermission(permission.user.session, relation.access, identityId);
     const pmDeleteUserSession = await checkPermission(permission.user.session, relation.delete, identityId);
     const pmCreateUserCode = await checkPermission(permission.user.code, relation.create, identityId);
     const pmCreateUserLink = await checkPermission(permission.user.link, relation.create, identityId);
 
     const detailIdentityId = (await params).id;
+    const detailIdentity = pmAccessUser && await getIdentity(detailIdentityId);
 
-    const identityApi = await getIdentityApi();
-    const identity = await identityApi.getIdentity({ id: detailIdentityId })
-        .then((response) => {
-            return response.data;
-        })
-        .catch(() => {
-            console.log('Identity not found');
-        });
-
-    const sessions = await identityApi.listIdentitySessions({ id: detailIdentityId })
-        .then((response) => response.data)
-        .catch(() => {
-            console.log('No sessions found');
-        });
-
-    if (!identity) {
+    if (!detailIdentity) {
         return <ErrorDisplay
             title="Identity not found"
             message={`The requested identity with id ${detailIdentityId} does not exist`}/>;
     }
 
-    if (!identity.verifiable_addresses || !identity.verifiable_addresses[0]) {
+    if (!detailIdentity.verifiable_addresses || !detailIdentity.verifiable_addresses[0]) {
         return <ErrorDisplay
             title="No verifiable adress"
             message="The identity you are trying to see exists but has no identifiable address"/>;
     }
 
-    const identitySchema = await identityApi
-        .getIdentitySchema({ id: identity.schema_id })
-        .then((response) => response.data as KratosSchema);
+
+    const detailIdentitySessions = pmAccessUserSession && await listIdentitySessions(detailIdentityId);
+
+    const detailIdentitySchema = await getIdentitySchema(detailIdentity.schema_id)
+        .then((response) => response as KratosSchema);
 
     const addresses = mergeAddresses(
-        identity.recovery_addresses ?? [],
-        identity.verifiable_addresses ?? [],
+        detailIdentity.recovery_addresses ?? [],
+        detailIdentity.verifiable_addresses ?? [],
     );
 
     return (
         <div className="space-y-4">
             <div>
                 <p className="text-3xl font-bold leading-tight tracking-tight">{addresses[0].value}</p>
-                <p className="text-lg font-light">{identity.id}</p>
+                <p className="text-lg font-light">{detailIdentity.id}</p>
             </div>
             <div className="grid grid-cols-1 xl:grid-cols-2 gap-4">
-                <Card className="row-span-3">
-                    <CardHeader>
-                        <CardTitle>Traits</CardTitle>
-                        <CardDescription>All identity properties specified in the identity schema</CardDescription>
-                    </CardHeader>
-                    <CardContent>
-                        <IdentityTraits schema={identitySchema} identity={identity}/>
-                    </CardContent>
-                </Card>
+                {
+                    pmAccessUserTraits ?
+                        <Card className="row-span-3">
+                            <CardHeader>
+                                <CardTitle>Traits</CardTitle>
+                                <CardDescription>All identity properties specified in the identity
+                                    schema</CardDescription>
+                            </CardHeader>
+                            <CardContent>
+                                <IdentityTraits schema={detailIdentitySchema} identity={detailIdentity}/>
+                            </CardContent>
+                        </Card>
+                        :
+                        <InsufficientPermission
+                            permission={permission.user.trait}
+                            relation={relation.access}
+                            identityId={identityId}
+                            classNames="row-span-3"/>
+                }
                 <Card>
                     <CardHeader>
                         <CardTitle>Actions</CardTitle>
@@ -157,7 +158,7 @@ export default async function UserDetailsPage({ params }: { params: Promise<{ id
                     </CardHeader>
                     <CardContent>
                         <IdentityActions
-                            identity={identity}
+                            identity={detailIdentity}
                             permissions={{
                                 pmEditUser,
                                 pmDeleteUser,
@@ -220,7 +221,7 @@ export default async function UserDetailsPage({ params }: { params: Promise<{ id
                         <CardDescription>All authentication mechanisms registered with this identity</CardDescription>
                     </CardHeader>
                     <CardContent className="space-y-4">
-                        <IdentityCredentials identity={identity}/>
+                        <IdentityCredentials identity={detailIdentity}/>
                     </CardContent>
                 </Card>
                 <Card>
@@ -229,46 +230,48 @@ export default async function UserDetailsPage({ params }: { params: Promise<{ id
                         <CardDescription>See and manage all sessions of this identity</CardDescription>
                     </CardHeader>
                     <CardContent>
-                        <Table>
-                            <TableHeader>
-                                <TableRow>
-                                    <TableHead>OS</TableHead>
-                                    <TableHead>Browser</TableHead>
-                                    <TableHead>Active since</TableHead>
-                                </TableRow>
-                            </TableHeader>
-                            <TableBody>
-                                {
-                                    sessions ?
-                                        sessions.map((session) => {
+                        {
+                            detailIdentitySessions ?
+                                <Table>
+                                    <TableHeader>
+                                        <TableRow>
+                                            <TableHead>OS</TableHead>
+                                            <TableHead>Browser</TableHead>
+                                            <TableHead>Active since</TableHead>
+                                        </TableRow>
+                                    </TableHeader>
+                                    <TableBody>
+                                        {
+                                            detailIdentitySessions.map((session) => {
 
-                                            const device = session.devices![0];
-                                            const parser = new UAParser(device.user_agent);
-                                            const result = parser.getResult();
+                                                const device = session.devices![0];
+                                                const parser = new UAParser(device.user_agent);
+                                                const result = parser.getResult();
 
-                                            return (
-                                                <TableRow key={session.id}>
-                                                    <TableCell className="space-x-1">
-                                                        <span>{result.os.name}</span>
-                                                        <span
-                                                            className="text-xs text-neutral-500">{result.os.version}</span>
-                                                    </TableCell>
-                                                    <TableCell className="space-x-1">
-                                                        <span>{result.browser.name}</span>
-                                                        <span
-                                                            className="text-xs text-neutral-500">{result.browser.version}</span>
-                                                    </TableCell>
-                                                    <TableCell>
-                                                        {new Date(session.authenticated_at!).toLocaleString()}
-                                                    </TableCell>
-                                                </TableRow>
-                                            );
-                                        })
-                                        :
-                                        <ErrorDisplay title="No sessions" message=""/>
-                                }
-                            </TableBody>
-                        </Table>
+                                                return (
+                                                    <TableRow key={session.id}>
+                                                        <TableCell className="space-x-1">
+                                                            <span>{result.os.name}</span>
+                                                            <span
+                                                                className="text-xs text-neutral-500">{result.os.version}</span>
+                                                        </TableCell>
+                                                        <TableCell className="space-x-1">
+                                                            <span>{result.browser.name}</span>
+                                                            <span
+                                                                className="text-xs text-neutral-500">{result.browser.version}</span>
+                                                        </TableCell>
+                                                        <TableCell>
+                                                            {new Date(session.authenticated_at!).toLocaleString()}
+                                                        </TableCell>
+                                                    </TableRow>
+                                                );
+                                            })
+                                        }
+                                    </TableBody>
+                                </Table>
+                                :
+                                <p>This user has no active sessions</p>
+                        }
                     </CardContent>
                 </Card>
             </div>
diff --git a/dashboard/src/lib/action/identity.ts b/dashboard/src/lib/action/identity.ts
index b39e721..11ef3d9 100644
--- a/dashboard/src/lib/action/identity.ts
+++ b/dashboard/src/lib/action/identity.ts
@@ -15,6 +15,34 @@ import { eq, ilike, or, sql } from 'drizzle-orm';
 import { checkPermission, requireSession } from '@/lib/action/authentication';
 import { permission, relation } from '@/lib/permission';
 
+export async function getIdentity(id: string) {
+
+    const session = await requireSession();
+    const allowed = await checkPermission(permission.user.it, relation.access, session.identity!.id);
+    if (!allowed) {
+        throw Error('Unauthorised');
+    }
+
+    const identityApi = await getIdentityApi();
+    const { data } = await identityApi.getIdentity({ id });
+
+    console.log('Got identity', data);
+
+    return data;
+}
+
+
+export async function getIdentitySchema(id: string) {
+
+    const identityApi = await getIdentityApi();
+    const { data } = await identityApi.getIdentitySchema({ id: id });
+
+    console.log('Got identity schema');
+
+    return data;
+}
+
+
 interface QueryIdentitiesProps {
     page: number,
     pageSize: number,
@@ -131,6 +159,24 @@ export async function deleteIdentityCredential({ id, type }: DeleteIdentityCrede
     return data;
 }
 
+export async function listIdentitySessions(id: string) {
+
+    const session = await requireSession();
+    const allowed = await checkPermission(permission.user.session, relation.access, session.identity!.id);
+    if (!allowed) {
+        throw Error('Unauthorised');
+    }
+
+    const identityApi = await getIdentityApi();
+    const { data } = await identityApi.listIdentitySessions({ id });
+
+    console.log('Listed identity\'s sessions', data);
+
+    revalidatePath('/user');
+
+    return data;
+}
+
 export async function deleteIdentitySessions(id: string) {
 
     const session = await requireSession();
diff --git a/dashboard/src/lib/permission.ts b/dashboard/src/lib/permission.ts
index 49958b0..69a8523 100644
--- a/dashboard/src/lib/permission.ts
+++ b/dashboard/src/lib/permission.ts
@@ -10,6 +10,7 @@ export const permission = {
         link: 'admin.user.link',
         session: 'admin.user.session',
         state: 'admin.user.state',
+        trait: 'admin.user.trait',
     },
 };
 

From 85234b44655be26b4188b1a7a88df014862afe63 Mon Sep 17 00:00:00 2001
From: Markus Thielker <markus@thielker.dev>
Date: Sun, 6 Apr 2025 15:07:16 +0200
Subject: [PATCH 26/58] NORY-59: fix path-revalidation during rendering

---
 dashboard/src/lib/action/identity.ts | 2 --
 1 file changed, 2 deletions(-)

diff --git a/dashboard/src/lib/action/identity.ts b/dashboard/src/lib/action/identity.ts
index 11ef3d9..902d17d 100644
--- a/dashboard/src/lib/action/identity.ts
+++ b/dashboard/src/lib/action/identity.ts
@@ -172,8 +172,6 @@ export async function listIdentitySessions(id: string) {
 
     console.log('Listed identity\'s sessions', data);
 
-    revalidatePath('/user');
-
     return data;
 }
 

From 5494233e59f0972af28751792c459c7ab190d20c Mon Sep 17 00:00:00 2001
From: Markus Thielker <markus@thielker.dev>
Date: Sun, 6 Apr 2025 15:08:05 +0200
Subject: [PATCH 27/58] NORY-59: protect all missing cards in identity details

---
 dashboard/src/app/(inside)/user/[id]/page.tsx | 207 ++++++++++--------
 dashboard/src/lib/permission.ts               |   1 +
 2 files changed, 118 insertions(+), 90 deletions(-)

diff --git a/dashboard/src/app/(inside)/user/[id]/page.tsx b/dashboard/src/app/(inside)/user/[id]/page.tsx
index e590abc..2fff21c 100644
--- a/dashboard/src/app/(inside)/user/[id]/page.tsx
+++ b/dashboard/src/app/(inside)/user/[id]/page.tsx
@@ -92,7 +92,10 @@ export default async function UserDetailsPage({ params }: { params: Promise<{ id
 
     const pmEditUser = await checkPermission(permission.user.it, relation.edit, identityId);
     const pmDeleteUser = await checkPermission(permission.user.it, relation.delete, identityId);
-    const pmAccessUserTraits = await checkPermission(permission.user.trait, relation.access, identityId);
+    const pmAccessUserTrait = await checkPermission(permission.user.trait, relation.access, identityId);
+    const pmEditUserTraits = await checkPermission(permission.user.trait, relation.edit, identityId);
+    const pmAccessUserAddress = await checkPermission(permission.user.address, relation.access, identityId);
+    const pmAccessUserCredential = await checkPermission(permission.user.credential, relation.access, identityId);
     const pmEditUserState = await checkPermission(permission.user.state, relation.edit, identityId);
     const pmAccessUserSession = await checkPermission(permission.user.session, relation.access, identityId);
     const pmDeleteUserSession = await checkPermission(permission.user.session, relation.delete, identityId);
@@ -114,7 +117,6 @@ export default async function UserDetailsPage({ params }: { params: Promise<{ id
             message="The identity you are trying to see exists but has no identifiable address"/>;
     }
 
-
     const detailIdentitySessions = pmAccessUserSession && await listIdentitySessions(detailIdentityId);
 
     const detailIdentitySchema = await getIdentitySchema(detailIdentity.schema_id)
@@ -133,7 +135,7 @@ export default async function UserDetailsPage({ params }: { params: Promise<{ id
             </div>
             <div className="grid grid-cols-1 xl:grid-cols-2 gap-4">
                 {
-                    pmAccessUserTraits ?
+                    pmAccessUserTrait ?
                         <Card className="row-span-3">
                             <CardHeader>
                                 <CardTitle>Traits</CardTitle>
@@ -170,98 +172,44 @@ export default async function UserDetailsPage({ params }: { params: Promise<{ id
                         />
                     </CardContent>
                 </Card>
-                <Card>
-                    <CardHeader>
-                        <CardTitle>Addresses</CardTitle>
-                        <CardDescription>All linked addresses for verification and recovery</CardDescription>
-                    </CardHeader>
-                    <CardContent>
+                {
+                    pmAccessUserAddress ?
+                        <Card>
+                            <CardHeader>
+                                <CardTitle>Addresses</CardTitle>
+                                <CardDescription>All linked addresses for verification and recovery</CardDescription>
+                            </CardHeader>
+                            <CardContent>
 
-                        <Table>
-                            <TableHeader>
-                                <TableRow>
-                                    <TableHead>Type</TableHead>
-                                    <TableHead>Value</TableHead>
-                                </TableRow>
-                            </TableHeader>
-                            <TableBody>
-                                {
-                                    addresses.map((address) => {
-                                        return (
-                                            <TableRow key={address.value}>
-                                                <TableCell>{address.value}</TableCell>
-                                                <TableCell>{address.via}</TableCell>
-                                                <TableCell>
-                                                    {address.verifiable_id &&
-                                                        <Badge className="m-1 space-x-1">
-                                                            <span>Verifiable</span>
-                                                            {
-                                                                address.verified ?
-                                                                    <Check className="h-3 w-3"/>
-                                                                    :
-                                                                    <X className="h-3 w-3"/>
-                                                            }
-                                                        </Badge>
-                                                    }
-                                                    {address.recovery_id &&
-                                                        <Badge className="m-1">Recovery</Badge>
-                                                    }
-                                                </TableCell>
-                                            </TableRow>
-                                        );
-                                    })
-                                }
-                            </TableBody>
-                        </Table>
-                    </CardContent>
-                </Card>
-                <Card>
-                    <CardHeader>
-                        <CardTitle>Credentials</CardTitle>
-                        <CardDescription>All authentication mechanisms registered with this identity</CardDescription>
-                    </CardHeader>
-                    <CardContent className="space-y-4">
-                        <IdentityCredentials identity={detailIdentity}/>
-                    </CardContent>
-                </Card>
-                <Card>
-                    <CardHeader>
-                        <CardTitle>Sessions</CardTitle>
-                        <CardDescription>See and manage all sessions of this identity</CardDescription>
-                    </CardHeader>
-                    <CardContent>
-                        {
-                            detailIdentitySessions ?
                                 <Table>
                                     <TableHeader>
                                         <TableRow>
-                                            <TableHead>OS</TableHead>
-                                            <TableHead>Browser</TableHead>
-                                            <TableHead>Active since</TableHead>
+                                            <TableHead>Type</TableHead>
+                                            <TableHead>Value</TableHead>
                                         </TableRow>
                                     </TableHeader>
                                     <TableBody>
                                         {
-                                            detailIdentitySessions.map((session) => {
-
-                                                const device = session.devices![0];
-                                                const parser = new UAParser(device.user_agent);
-                                                const result = parser.getResult();
-
+                                            addresses.map((address) => {
                                                 return (
-                                                    <TableRow key={session.id}>
-                                                        <TableCell className="space-x-1">
-                                                            <span>{result.os.name}</span>
-                                                            <span
-                                                                className="text-xs text-neutral-500">{result.os.version}</span>
-                                                        </TableCell>
-                                                        <TableCell className="space-x-1">
-                                                            <span>{result.browser.name}</span>
-                                                            <span
-                                                                className="text-xs text-neutral-500">{result.browser.version}</span>
-                                                        </TableCell>
+                                                    <TableRow key={address.value}>
+                                                        <TableCell>{address.value}</TableCell>
+                                                        <TableCell>{address.via}</TableCell>
                                                         <TableCell>
-                                                            {new Date(session.authenticated_at!).toLocaleString()}
+                                                            {address.verifiable_id &&
+                                                                <Badge className="m-1 space-x-1">
+                                                                    <span>Verifiable</span>
+                                                                    {
+                                                                        address.verified ?
+                                                                            <Check className="h-3 w-3"/>
+                                                                            :
+                                                                            <X className="h-3 w-3"/>
+                                                                    }
+                                                                </Badge>
+                                                            }
+                                                            {address.recovery_id &&
+                                                                <Badge className="m-1">Recovery</Badge>
+                                                            }
                                                         </TableCell>
                                                     </TableRow>
                                                 );
@@ -269,11 +217,90 @@ export default async function UserDetailsPage({ params }: { params: Promise<{ id
                                         }
                                     </TableBody>
                                 </Table>
-                                :
-                                <p>This user has no active sessions</p>
-                        }
-                    </CardContent>
-                </Card>
+                            </CardContent>
+                        </Card>
+                        :
+                        <InsufficientPermission
+                            permission={permission.user.address}
+                            relation={relation.access}
+                            identityId={identityId}/>
+                }
+                {
+                    pmAccessUserCredential ?
+                        <Card>
+                            <CardHeader>
+                                <CardTitle>Credentials</CardTitle>
+                                <CardDescription>All authentication mechanisms registered with this
+                                    identity</CardDescription>
+                            </CardHeader>
+                            <CardContent className="space-y-4">
+                                <IdentityCredentials identity={detailIdentity}/>
+                            </CardContent>
+                        </Card>
+                        :
+                        <InsufficientPermission
+                            permission={permission.user.credential}
+                            relation={relation.access}
+                            identityId={identityId}/>
+                }
+                {
+                    pmAccessUserSession ?
+                        <Card>
+                            <CardHeader>
+                                <CardTitle>Sessions</CardTitle>
+                                <CardDescription>See and manage all sessions of this identity</CardDescription>
+                            </CardHeader>
+                            <CardContent>
+                                {
+                                    detailIdentitySessions ?
+                                        <Table>
+                                            <TableHeader>
+                                                <TableRow>
+                                                    <TableHead>OS</TableHead>
+                                                    <TableHead>Browser</TableHead>
+                                                    <TableHead>Active since</TableHead>
+                                                </TableRow>
+                                            </TableHeader>
+                                            <TableBody>
+                                                {
+                                                    detailIdentitySessions.map((session) => {
+
+                                                        const device = session.devices![0];
+                                                        const parser = new UAParser(device.user_agent);
+                                                        const result = parser.getResult();
+
+                                                        return (
+                                                            <TableRow key={session.id}>
+                                                                <TableCell className="space-x-1">
+                                                                    <span>{result.os.name}</span>
+                                                                    <span
+                                                                        className="text-xs text-neutral-500">{result.os.version}</span>
+                                                                </TableCell>
+                                                                <TableCell className="space-x-1">
+                                                                    <span>{result.browser.name}</span>
+                                                                    <span
+                                                                        className="text-xs text-neutral-500">{result.browser.version}</span>
+                                                                </TableCell>
+                                                                <TableCell>
+                                                                    {new Date(session.authenticated_at!).toLocaleString()}
+                                                                </TableCell>
+                                                            </TableRow>
+                                                        );
+                                                    })
+                                                }
+                                            </TableBody>
+                                        </Table>
+                                        :
+                                        <p>This user has no active sessions</p>
+                                }
+                            </CardContent>
+                        </Card>
+                        :
+                        <InsufficientPermission
+                            permission={permission.user.session}
+                            relation={relation.access}
+                            identityId={identityId}/>
+                }
             </div>
         </div>
     );
diff --git a/dashboard/src/lib/permission.ts b/dashboard/src/lib/permission.ts
index 69a8523..9fc8ba0 100644
--- a/dashboard/src/lib/permission.ts
+++ b/dashboard/src/lib/permission.ts
@@ -5,6 +5,7 @@ export const permission = {
     },
     user: {
         it: 'admin.user',
+        address: 'admin.user.address',
         code: 'admin.user.code',
         credential: 'admin.user.credential',
         link: 'admin.user.link',

From 3151103195998de4a8fcb1cbd5fcdbdcf907e478 Mon Sep 17 00:00:00 2001
From: Markus Thielker <markus@thielker.dev>
Date: Sun, 6 Apr 2025 17:59:45 +0200
Subject: [PATCH 28/58] NORY-59: fix permission in delete-identity server
 action

---
 dashboard/src/lib/action/identity.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/dashboard/src/lib/action/identity.ts b/dashboard/src/lib/action/identity.ts
index 902d17d..d214e17 100644
--- a/dashboard/src/lib/action/identity.ts
+++ b/dashboard/src/lib/action/identity.ts
@@ -286,7 +286,7 @@ export async function unblockIdentity(id: string) {
 export async function deleteIdentity(id: string) {
 
     const session = await requireSession();
-    const allowed = await checkPermission(permission.user.credential, relation.delete, session.identity!.id);
+    const allowed = await checkPermission(permission.user.it, relation.delete, session.identity!.id);
     if (!allowed) {
         throw Error('Unauthorised');
     }

From 50bedbb976a9af14d5567ba1a360e3ec76d578f3 Mon Sep 17 00:00:00 2001
From: Markus Thielker <markus@thielker.dev>
Date: Sun, 6 Apr 2025 19:16:01 +0200
Subject: [PATCH 29/58] NORY-59: disable identity traits form if edit
 permission is missing

---
 dashboard/src/app/(inside)/user/[id]/page.tsx         |  6 +++++-
 dashboard/src/components/dynamic-form.tsx             |  8 +++++---
 dashboard/src/components/identity/identity-traits.tsx | 10 ++++++----
 3 files changed, 16 insertions(+), 8 deletions(-)

diff --git a/dashboard/src/app/(inside)/user/[id]/page.tsx b/dashboard/src/app/(inside)/user/[id]/page.tsx
index 2fff21c..3393c58 100644
--- a/dashboard/src/app/(inside)/user/[id]/page.tsx
+++ b/dashboard/src/app/(inside)/user/[id]/page.tsx
@@ -143,7 +143,11 @@ export default async function UserDetailsPage({ params }: { params: Promise<{ id
                                     schema</CardDescription>
                             </CardHeader>
                             <CardContent>
-                                <IdentityTraits schema={detailIdentitySchema} identity={detailIdentity}/>
+                                <IdentityTraits
+                                    schema={detailIdentitySchema}
+                                    identity={detailIdentity}
+                                    disabled={!pmEditUserTraits}
+                                />
                             </CardContent>
                         </Card>
                         :
diff --git a/dashboard/src/components/dynamic-form.tsx b/dashboard/src/components/dynamic-form.tsx
index 9020d46..f36cde4 100644
--- a/dashboard/src/components/dynamic-form.tsx
+++ b/dashboard/src/components/dynamic-form.tsx
@@ -15,6 +15,7 @@ interface DynamicFormProps<T extends FieldValues> {
     onValid: SubmitHandler<T>,
     onInvalid: SubmitErrorHandler<T>,
     submitLabel?: string,
+    disabled?: boolean,
 }
 
 export function DynamicForm<T extends FieldValues>(
@@ -25,6 +26,7 @@ export function DynamicForm<T extends FieldValues>(
         onValid,
         onInvalid,
         submitLabel,
+        disabled,
     }: DynamicFormProps<T>,
 ) {
 
@@ -48,7 +50,7 @@ export function DynamicForm<T extends FieldValues>(
                                     key={fullFieldName}
                                     render={({ field }) => (
                                         <FormItem className="flex items-center space-x-2 space-y-0">
-                                            <Checkbox {...field} checked={field.value}/>
+                                            <Checkbox {...field} disabled={disabled} checked={field.value}/>
                                             <FormLabel>{key}</FormLabel>
                                         </FormItem>
                                     )}
@@ -65,7 +67,7 @@ export function DynamicForm<T extends FieldValues>(
                                         <FormItem>
                                             <FormLabel>{value.title}</FormLabel>
                                             <FormControl>
-                                                <Input placeholder={value.title} {...field} />
+                                                <Input placeholder={value.title} {...field} disabled={disabled}/>
                                             </FormControl>
                                             <FormDescription>{value.description}</FormDescription>
                                         </FormItem>
@@ -87,7 +89,7 @@ export function DynamicForm<T extends FieldValues>(
                 <Button
                     key="submit"
                     type="submit"
-                    disabled={!form.formState.isDirty}
+                    disabled={!form.formState.isDirty || disabled}
                 >
                     {submitLabel ?? 'Submit'}
                 </Button>
diff --git a/dashboard/src/components/identity/identity-traits.tsx b/dashboard/src/components/identity/identity-traits.tsx
index 1606db4..3feb314 100644
--- a/dashboard/src/components/identity/identity-traits.tsx
+++ b/dashboard/src/components/identity/identity-traits.tsx
@@ -16,9 +16,10 @@ import { useState } from 'react';
 interface IdentityTraitFormProps {
     schema: KratosSchema;
     identity: Identity;
+    disabled: boolean;
 }
 
-export function IdentityTraits({ schema, identity }: IdentityTraitFormProps) {
+export function IdentityTraits({ schema, identity, disabled }: IdentityTraitFormProps) {
 
     const [currentIdentity, setCurrentIdentity] = useState(identity);
 
@@ -74,10 +75,11 @@ export function IdentityTraits({ schema, identity }: IdentityTraitFormProps) {
     return (
         <DynamicForm
             form={form}
+            disabled={disabled}
             properties={schema.properties.traits.properties}
             onValid={onValid}
             onInvalid={onInvalid}
-            submitLabel="Update Identity"
+            submitLabel={disabled ? 'Insufficient permissions' : 'Update Identity'}
         >
             <FormField
                 {...form.register('metadata_public')}
@@ -86,7 +88,7 @@ export function IdentityTraits({ schema, identity }: IdentityTraitFormProps) {
                     <FormItem>
                         <FormLabel>Public Metadata</FormLabel>
                         <FormControl>
-                            <Textarea placeholder="Public Metadata" {...field} />
+                            <Textarea placeholder="Public Metadata" {...field} disabled={disabled}/>
                         </FormControl>
                         <FormDescription>This has to be valid JSON</FormDescription>
                     </FormItem>
@@ -99,7 +101,7 @@ export function IdentityTraits({ schema, identity }: IdentityTraitFormProps) {
                     <FormItem>
                         <FormLabel>Admin Metadata</FormLabel>
                         <FormControl>
-                            <Textarea placeholder="Admin Metadata" {...field} />
+                            <Textarea placeholder="Admin Metadata" {...field} disabled={disabled}/>
                         </FormControl>
                         <FormDescription>This has to be valid JSON</FormDescription>
                     </FormItem>

From bf9a3aac3bee0b397078fb4932782562881ab472 Mon Sep 17 00:00:00 2001
From: Markus Thielker <markus@thielker.dev>
Date: Sun, 6 Apr 2025 19:16:31 +0200
Subject: [PATCH 30/58] NORY-59: remove unused permission

---
 dashboard/src/app/(inside)/user/[id]/page.tsx          | 2 --
 dashboard/src/components/identity/identity-actions.tsx | 1 -
 2 files changed, 3 deletions(-)

diff --git a/dashboard/src/app/(inside)/user/[id]/page.tsx b/dashboard/src/app/(inside)/user/[id]/page.tsx
index 3393c58..e132f18 100644
--- a/dashboard/src/app/(inside)/user/[id]/page.tsx
+++ b/dashboard/src/app/(inside)/user/[id]/page.tsx
@@ -90,7 +90,6 @@ export default async function UserDetailsPage({ params }: { params: Promise<{ id
         return redirect('/user');
     }
 
-    const pmEditUser = await checkPermission(permission.user.it, relation.edit, identityId);
     const pmDeleteUser = await checkPermission(permission.user.it, relation.delete, identityId);
     const pmAccessUserTrait = await checkPermission(permission.user.trait, relation.access, identityId);
     const pmEditUserTraits = await checkPermission(permission.user.trait, relation.edit, identityId);
@@ -166,7 +165,6 @@ export default async function UserDetailsPage({ params }: { params: Promise<{ id
                         <IdentityActions
                             identity={detailIdentity}
                             permissions={{
-                                pmEditUser,
                                 pmDeleteUser,
                                 pmEditUserState,
                                 pmDeleteUserSession,
diff --git a/dashboard/src/components/identity/identity-actions.tsx b/dashboard/src/components/identity/identity-actions.tsx
index b6a48ca..7606af3 100644
--- a/dashboard/src/components/identity/identity-actions.tsx
+++ b/dashboard/src/components/identity/identity-actions.tsx
@@ -30,7 +30,6 @@ import { Label } from '@/components/ui/label';
 interface IdentityActionProps {
     identity: Identity,
     permissions: {
-        pmEditUser: boolean;
         pmDeleteUser: boolean;
         pmEditUserState: boolean;
         pmDeleteUserSession: boolean;

From e4a62b914c841df47b638d3c9429243f316805b2 Mon Sep 17 00:00:00 2001
From: Markus Thielker <markus@thielker.dev>
Date: Sun, 6 Apr 2025 19:17:01 +0200
Subject: [PATCH 31/58] NORY-59: create new script to initialise the admin role

---
 docker/ory-dev/keto-init-admin-role.sh | 47 ++++++++++++++++++++++++++
 1 file changed, 47 insertions(+)
 create mode 100644 docker/ory-dev/keto-init-admin-role.sh

diff --git a/docker/ory-dev/keto-init-admin-role.sh b/docker/ory-dev/keto-init-admin-role.sh
new file mode 100644
index 0000000..171ee20
--- /dev/null
+++ b/docker/ory-dev/keto-init-admin-role.sh
@@ -0,0 +1,47 @@
+# this script adds all permissions required for full control over the dashboard to
+# all everybody, who is a member of the admin role
+
+# Define an array with tuples as strings
+permissions=(
+  "admin.stack.dashboard#access"
+  "admin.stack.status#access"
+  "admin.user#access"
+  "admin.user#create"
+  "admin.user#edit"
+  "admin.user#delete"
+  "admin.user.session#access"
+  "admin.user.session#delete"
+  "admin.user.state#edit"
+  "admin.user.code#create"
+  "admin.user.link#create"
+  "admin.user.trait#access"
+  "admin.user.trait#edit"
+  "admin.user.address#access"
+  "admin.user.credential#access"
+  "admin.user.credential#delete"
+)
+
+# Iterate over the array
+for permission in "${permissions[@]}"; do
+
+    # split strings
+    IFS='#' read -r OBJECT RELATION <<< "$permission"
+
+    # execute curl to Ory Keto write endpoint
+    curl --silent --request PUT \
+      --url http://localhost:4467/admin/relation-tuples \
+      --data '{
+               "namespace": "permissions",
+               "object": "'"$OBJECT"'",
+               "relation": "'"$RELATION"'",
+               "subject_set": {
+                  "namespace": "roles",
+                  "object": "admin",
+                  "relation": "member"
+               }
+             }' > /dev/null
+
+    # write success response to terminal
+    echo "Added relation Permissions:$OBJECT#$RELATION@(Roles:admin#member)"
+
+done

From b4a7c6f3969629a1e94586c181de7d28f24fb589 Mon Sep 17 00:00:00 2001
From: Markus Thielker <markus@thielker.dev>
Date: Sun, 6 Apr 2025 19:17:17 +0200
Subject: [PATCH 32/58] NORY-59: update comments explaining the existing
 scripts

---
 docker/ory-dev/hydra-create-client.sh         | 2 +-
 docker/ory-dev/hydra-test-consent.sh          | 2 +-
 docker/ory-dev/keto-add-permission-to-role.sh | 3 +--
 3 files changed, 3 insertions(+), 4 deletions(-)

diff --git a/docker/ory-dev/hydra-create-client.sh b/docker/ory-dev/hydra-create-client.sh
index 181920e..7d47b3a 100644
--- a/docker/ory-dev/hydra-create-client.sh
+++ b/docker/ory-dev/hydra-create-client.sh
@@ -1,4 +1,4 @@
-# this script adds a new oath client using the
+# this script adds a new OAuth client using the
 # Ory Hydra CLI and writes the client id and
 # client secret to the command line.
 
diff --git a/docker/ory-dev/hydra-test-consent.sh b/docker/ory-dev/hydra-test-consent.sh
index 8067e7d..1f018ca 100644
--- a/docker/ory-dev/hydra-test-consent.sh
+++ b/docker/ory-dev/hydra-test-consent.sh
@@ -1,4 +1,4 @@
-# this script adds a new oath client using the
+# this script adds a new OAuth client using the
 # Ory Hydra CLI and uses the client to start
 # the Ory Hydra test application.
 
diff --git a/docker/ory-dev/keto-add-permission-to-role.sh b/docker/ory-dev/keto-add-permission-to-role.sh
index 9a0f7fa..65807a2 100644
--- a/docker/ory-dev/keto-add-permission-to-role.sh
+++ b/docker/ory-dev/keto-add-permission-to-role.sh
@@ -1,5 +1,4 @@
-# this script gives the referenced identity the admin role
-# make sure to provide the id of the identity
+# this script creates a reference from the role to the permission you provide
 
 # check if a identity id argument was provided
 if [ $# -ne 4 ]; then

From d4b453d71ccd88c662efc4138d23d22ed0a6f21a Mon Sep 17 00:00:00 2001
From: Markus Thielker <markus@thielker.dev>
Date: Mon, 7 Apr 2025 11:36:57 +0200
Subject: [PATCH 33/58] NORY-59: refactor server action parameters

---
 dashboard/src/app/(inside)/user/page.tsx      |  2 +-
 .../identity/identity-credentials.tsx         |  2 +-
 .../components/identity/identity-traits.tsx   |  8 +++----
 dashboard/src/lib/action/identity.ts          | 24 +++----------------
 4 files changed, 9 insertions(+), 27 deletions(-)

diff --git a/dashboard/src/app/(inside)/user/page.tsx b/dashboard/src/app/(inside)/user/page.tsx
index ebb9079..8218dc3 100644
--- a/dashboard/src/app/(inside)/user/page.tsx
+++ b/dashboard/src/app/(inside)/user/page.tsx
@@ -34,7 +34,7 @@ export default async function UserPage(
     let pageSize = 50;
     let paginationRange = 11;
 
-    const users = pmAccessUser && await queryIdentities({ page, pageSize, query });
+    const users = pmAccessUser && await queryIdentities(page, pageSize, query);
 
     return (
         <div className="space-y-4">
diff --git a/dashboard/src/components/identity/identity-credentials.tsx b/dashboard/src/components/identity/identity-credentials.tsx
index f362971..78e1fe6 100644
--- a/dashboard/src/components/identity/identity-credentials.tsx
+++ b/dashboard/src/components/identity/identity-credentials.tsx
@@ -36,7 +36,7 @@ export function IdentityCredentials({ identity }: IdentityCredentialsProps) {
                                         (
                                             <ConfirmationDialogWrapper
                                                 onSubmit={async () => {
-                                                    deleteIdentityCredential({ id: identity.id, type: key as never })
+                                                    deleteIdentityCredential(identity.id, key as never)
                                                         .then(() => toast.success(`Credential ${key} deleted`))
                                                         .catch(() => toast.error(`Deleting credential ${key} failed`));
                                                 }}
diff --git a/dashboard/src/components/identity/identity-traits.tsx b/dashboard/src/components/identity/identity-traits.tsx
index 3feb314..1a9205c 100644
--- a/dashboard/src/components/identity/identity-traits.tsx
+++ b/dashboard/src/components/identity/identity-traits.tsx
@@ -48,16 +48,16 @@ export function IdentityTraits({ schema, identity, disabled }: IdentityTraitForm
         delete traits['metadata_public'];
         delete traits['metadata_admin'];
 
-        updateIdentity({
-            id: currentIdentity.id,
-            body: {
+        updateIdentity(
+            currentIdentity.id,
+            {
                 schema_id: currentIdentity.schema_id,
                 state: currentIdentity.state!,
                 traits: traits,
                 metadata_public: data.metadata_public,
                 metadata_admin: data.metadata_admin,
             },
-        })
+        )
             .then((identity) => {
                 setCurrentIdentity(identity);
                 toast.success('Identity updated');
diff --git a/dashboard/src/lib/action/identity.ts b/dashboard/src/lib/action/identity.ts
index d214e17..236e4b0 100644
--- a/dashboard/src/lib/action/identity.ts
+++ b/dashboard/src/lib/action/identity.ts
@@ -42,14 +42,7 @@ export async function getIdentitySchema(id: string) {
     return data;
 }
 
-
-interface QueryIdentitiesProps {
-    page: number,
-    pageSize: number,
-    query?: string,
-}
-
-export async function queryIdentities({ page, pageSize, query }: QueryIdentitiesProps) {
+export async function queryIdentities(page: number, pageSize: number, query?: string) {
 
     const session = await requireSession();
     const allowed = await checkPermission(permission.user.it, relation.access, session.identity!.id);
@@ -109,13 +102,7 @@ export async function queryIdentities({ page, pageSize, query }: QueryIdentities
     };
 }
 
-
-interface UpdatedIdentityProps {
-    id: string;
-    body: UpdateIdentityBody;
-}
-
-export async function updateIdentity({ id, body }: UpdatedIdentityProps) {
+export async function updateIdentity(id: string, body: UpdateIdentityBody) {
 
     const session = await requireSession();
     const allowed = await checkPermission(permission.user.it, relation.edit, session.identity!.id);
@@ -136,12 +123,7 @@ export async function updateIdentity({ id, body }: UpdatedIdentityProps) {
     return data;
 }
 
-interface DeleteIdentityCredentialProps {
-    id: string;
-    type: DeleteIdentityCredentialsTypeEnum;
-}
-
-export async function deleteIdentityCredential({ id, type }: DeleteIdentityCredentialProps) {
+export async function deleteIdentityCredential(id: string, type: DeleteIdentityCredentialsTypeEnum) {
 
     const session = await requireSession();
     const allowed = await checkPermission(permission.user.credential, relation.delete, session.identity!.id);

From 17f91cfe502e8095fab66acbdf0dc23c32a3ecd4 Mon Sep 17 00:00:00 2001
From: Markus Thielker <hey@thielker.dev>
Date: Tue, 1 Apr 2025 14:42:50 +0200
Subject: [PATCH 34/58] NORY-59: fix database relations file

---
 dashboard/drizzle/relations.ts | 318 ++++++++++++++++-----------------
 1 file changed, 159 insertions(+), 159 deletions(-)

diff --git a/dashboard/drizzle/relations.ts b/dashboard/drizzle/relations.ts
index 615b353..47aff7f 100644
--- a/dashboard/drizzle/relations.ts
+++ b/dashboard/drizzle/relations.ts
@@ -1,334 +1,334 @@
 import { relations } from 'drizzle-orm/relations';
 import {
-	continuityContainers,
-	courierMessageDispatches,
-	courierMessages,
+	continuity_containers,
+	courier_message_dispatches,
+	courier_messages,
 	identities,
-	identityCredentialIdentifiers,
-	identityCredentials,
-	identityCredentialTypes,
-	identityLoginCodes,
-	identityRecoveryAddresses,
-	identityRecoveryCodes,
-	identityRecoveryTokens,
-	identityRegistrationCodes,
-	identityVerifiableAddresses,
-	identityVerificationCodes,
-	identityVerificationTokens,
+	identity_credential_identifiers,
+	identity_credential_types,
+	identity_credentials,
+	identity_login_codes,
+	identity_recovery_addresses,
+	identity_recovery_codes,
+	identity_recovery_tokens,
+	identity_registration_codes,
+	identity_verifiable_addresses,
+	identity_verification_codes,
+	identity_verification_tokens,
 	networks,
-	selfserviceErrors,
-	selfserviceLoginFlows,
-	selfserviceRecoveryFlows,
-	selfserviceRegistrationFlows,
-	selfserviceSettingsFlows,
-	selfserviceVerificationFlows,
-	sessionDevices,
+	selfservice_errors,
+	selfservice_login_flows,
+	selfservice_recovery_flows,
+	selfservice_registration_flows,
+	selfservice_settings_flows,
+	selfservice_verification_flows,
+	session_devices,
 	sessions,
 } from './schema';
 
-export const identityCredentialsRelations = relations(identityCredentials, ({ one, many }) => ({
+export const identityCredentialsRelations = relations(identity_credentials, ({ one, many }) => ({
 	identity: one(identities, {
-		fields: [identityCredentials.identityId],
+		fields: [identity_credentials.identity_id],
 		references: [identities.id],
 	}),
-	identityCredentialType: one(identityCredentialTypes, {
-		fields: [identityCredentials.identityCredentialTypeId],
-		references: [identityCredentialTypes.id],
+	identityCredentialType: one(identity_credential_types, {
+		fields: [identity_credentials.identity_credential_type_id],
+		references: [identity_credential_types.id],
 	}),
 	network: one(networks, {
-		fields: [identityCredentials.nid],
+		fields: [identity_credentials.nid],
 		references: [networks.id],
 	}),
-	identityCredentialIdentifiers: many(identityCredentialIdentifiers),
+	identityCredentialIdentifiers: many(identity_credential_identifiers),
 }));
 
 export const identitiesRelations = relations(identities, ({ one, many }) => ({
-	identityCredentials: many(identityCredentials),
+	identityCredentials: many(identity_credentials),
 	network: one(networks, {
 		fields: [identities.nid],
 		references: [networks.id],
 	}),
-	identityVerifiableAddresses: many(identityVerifiableAddresses),
-	selfserviceSettingsFlows: many(selfserviceSettingsFlows),
-	continuityContainers: many(continuityContainers),
+	identityVerifiableAddresses: many(identity_verifiable_addresses),
+	selfserviceSettingsFlows: many(selfservice_settings_flows),
+	continuityContainers: many(continuity_containers),
 	sessions: many(sessions),
-	identityRecoveryAddresses: many(identityRecoveryAddresses),
-	selfserviceRecoveryFlows: many(selfserviceRecoveryFlows),
-	identityRecoveryTokens: many(identityRecoveryTokens),
-	identityRecoveryCodes: many(identityRecoveryCodes),
-	identityLoginCodes: many(identityLoginCodes),
+	identityRecoveryAddresses: many(identity_recovery_addresses),
+	selfserviceRecoveryFlows: many(selfservice_recovery_flows),
+	identityRecoveryTokens: many(identity_recovery_tokens),
+	identityRecoveryCodes: many(identity_recovery_codes),
+	identityLoginCodes: many(identity_login_codes),
 }));
 
-export const identityCredentialTypesRelations = relations(identityCredentialTypes, ({ many }) => ({
-	identityCredentials: many(identityCredentials),
-	identityCredentialIdentifiers: many(identityCredentialIdentifiers),
+export const identityCredentialTypesRelations = relations(identity_credential_types, ({ many }) => ({
+	identityCredentials: many(identity_credentials),
+	identityCredentialIdentifiers: many(identity_credential_identifiers),
 }));
 
 export const networksRelations = relations(networks, ({ many }) => ({
-	identityCredentials: many(identityCredentials),
-	selfserviceLoginFlows: many(selfserviceLoginFlows),
-	selfserviceRegistrationFlows: many(selfserviceRegistrationFlows),
+	identityCredentials: many(identity_credentials),
+	selfserviceLoginFlows: many(selfservice_login_flows),
+	selfserviceRegistrationFlows: many(selfservice_registration_flows),
 	identities: many(identities),
-	identityCredentialIdentifiers: many(identityCredentialIdentifiers),
-	identityVerifiableAddresses: many(identityVerifiableAddresses),
-	courierMessages: many(courierMessages),
-	selfserviceErrors: many(selfserviceErrors),
-	selfserviceVerificationFlows: many(selfserviceVerificationFlows),
-	selfserviceSettingsFlows: many(selfserviceSettingsFlows),
-	continuityContainers: many(continuityContainers),
+	identityCredentialIdentifiers: many(identity_credential_identifiers),
+	identityVerifiableAddresses: many(identity_verifiable_addresses),
+	courierMessages: many(courier_messages),
+	selfserviceErrors: many(selfservice_errors),
+	selfserviceVerificationFlows: many(selfservice_verification_flows),
+	selfserviceSettingsFlows: many(selfservice_settings_flows),
+	continuityContainers: many(continuity_containers),
 	sessions: many(sessions),
-	identityRecoveryAddresses: many(identityRecoveryAddresses),
-	identityVerificationTokens: many(identityVerificationTokens),
-	selfserviceRecoveryFlows: many(selfserviceRecoveryFlows),
-	identityRecoveryTokens: many(identityRecoveryTokens),
-	identityRecoveryCodes: many(identityRecoveryCodes),
-	sessionDevices: many(sessionDevices),
-	identityVerificationCodes: many(identityVerificationCodes),
-	courierMessageDispatches: many(courierMessageDispatches),
-	identityLoginCodes: many(identityLoginCodes),
-	identityRegistrationCodes: many(identityRegistrationCodes),
+	identityRecoveryAddresses: many(identity_recovery_addresses),
+	identityVerificationTokens: many(identity_verification_tokens),
+	selfserviceRecoveryFlows: many(selfservice_recovery_flows),
+	identityRecoveryTokens: many(identity_recovery_tokens),
+	identityRecoveryCodes: many(identity_recovery_codes),
+	sessionDevices: many(session_devices),
+	identityVerificationCodes: many(identity_verification_codes),
+	courierMessageDispatches: many(courier_message_dispatches),
+	identityLoginCodes: many(identity_login_codes),
+	identityRegistrationCodes: many(identity_registration_codes),
 }));
 
-export const selfserviceLoginFlowsRelations = relations(selfserviceLoginFlows, ({ one, many }) => ({
+export const selfserviceLoginFlowsRelations = relations(selfservice_login_flows, ({ one, many }) => ({
 	network: one(networks, {
-		fields: [selfserviceLoginFlows.nid],
+		fields: [selfservice_login_flows.nid],
 		references: [networks.id],
 	}),
-	identityLoginCodes: many(identityLoginCodes),
+	identityLoginCodes: many(identity_login_codes),
 }));
 
-export const selfserviceRegistrationFlowsRelations = relations(selfserviceRegistrationFlows, ({ one, many }) => ({
+export const selfserviceRegistrationFlowsRelations = relations(selfservice_registration_flows, ({ one, many }) => ({
 	network: one(networks, {
-		fields: [selfserviceRegistrationFlows.nid],
+		fields: [selfservice_registration_flows.nid],
 		references: [networks.id],
 	}),
-	identityRegistrationCodes: many(identityRegistrationCodes),
+	identityRegistrationCodes: many(identity_registration_codes),
 }));
 
-export const identityCredentialIdentifiersRelations = relations(identityCredentialIdentifiers, ({ one }) => ({
-	identityCredential: one(identityCredentials, {
-		fields: [identityCredentialIdentifiers.identityCredentialId],
-		references: [identityCredentials.id],
+export const identityCredentialIdentifiersRelations = relations(identity_credential_identifiers, ({ one }) => ({
+	identityCredential: one(identity_credentials, {
+		fields: [identity_credential_identifiers.identity_credential_id],
+		references: [identity_credentials.id],
 	}),
 	network: one(networks, {
-		fields: [identityCredentialIdentifiers.nid],
+		fields: [identity_credential_identifiers.nid],
 		references: [networks.id],
 	}),
-	identityCredentialType: one(identityCredentialTypes, {
-		fields: [identityCredentialIdentifiers.identityCredentialTypeId],
-		references: [identityCredentialTypes.id],
+	identityCredentialType: one(identity_credential_types, {
+		fields: [identity_credential_identifiers.identity_credential_type_id],
+		references: [identity_credential_types.id],
 	}),
 }));
 
-export const identityVerifiableAddressesRelations = relations(identityVerifiableAddresses, ({ one, many }) => ({
+export const identityVerifiableAddressesRelations = relations(identity_verifiable_addresses, ({ one, many }) => ({
 	identity: one(identities, {
-		fields: [identityVerifiableAddresses.identityId],
+		fields: [identity_verifiable_addresses.identity_id],
 		references: [identities.id],
 	}),
 	network: one(networks, {
-		fields: [identityVerifiableAddresses.nid],
+		fields: [identity_verifiable_addresses.nid],
 		references: [networks.id],
 	}),
-	identityVerificationTokens: many(identityVerificationTokens),
-	identityVerificationCodes: many(identityVerificationCodes),
+	identityVerificationTokens: many(identity_verification_tokens),
+	identityVerificationCodes: many(identity_verification_codes),
 }));
 
-export const courierMessagesRelations = relations(courierMessages, ({ one, many }) => ({
+export const courierMessagesRelations = relations(courier_messages, ({ one, many }) => ({
 	network: one(networks, {
-		fields: [courierMessages.nid],
+		fields: [courier_messages.nid],
 		references: [networks.id],
 	}),
-	courierMessageDispatches: many(courierMessageDispatches),
+	courierMessageDispatches: many(courier_message_dispatches),
 }));
 
-export const selfserviceErrorsRelations = relations(selfserviceErrors, ({ one }) => ({
+export const selfserviceErrorsRelations = relations(selfservice_errors, ({ one }) => ({
 	network: one(networks, {
-		fields: [selfserviceErrors.nid],
+		fields: [selfservice_errors.nid],
 		references: [networks.id],
 	}),
 }));
 
-export const selfserviceVerificationFlowsRelations = relations(selfserviceVerificationFlows, ({ one, many }) => ({
+export const selfserviceVerificationFlowsRelations = relations(selfservice_verification_flows, ({ one, many }) => ({
 	network: one(networks, {
-		fields: [selfserviceVerificationFlows.nid],
+		fields: [selfservice_verification_flows.nid],
 		references: [networks.id],
 	}),
-	identityVerificationTokens: many(identityVerificationTokens),
-	identityVerificationCodes: many(identityVerificationCodes),
+	identityVerificationTokens: many(identity_verification_tokens),
+	identityVerificationCodes: many(identity_verification_codes),
 }));
 
-export const selfserviceSettingsFlowsRelations = relations(selfserviceSettingsFlows, ({ one }) => ({
+export const selfserviceSettingsFlowsRelations = relations(selfservice_settings_flows, ({ one }) => ({
 	identity: one(identities, {
-		fields: [selfserviceSettingsFlows.identityId],
+		fields: [selfservice_settings_flows.identity_id],
 		references: [identities.id],
 	}),
 	network: one(networks, {
-		fields: [selfserviceSettingsFlows.nid],
+		fields: [selfservice_settings_flows.nid],
 		references: [networks.id],
 	}),
 }));
 
-export const continuityContainersRelations = relations(continuityContainers, ({ one }) => ({
+export const continuityContainersRelations = relations(continuity_containers, ({ one }) => ({
 	identity: one(identities, {
-		fields: [continuityContainers.identityId],
+		fields: [continuity_containers.identity_id],
 		references: [identities.id],
 	}),
 	network: one(networks, {
-		fields: [continuityContainers.nid],
+		fields: [continuity_containers.nid],
 		references: [networks.id],
 	}),
 }));
 
 export const sessionsRelations = relations(sessions, ({ one, many }) => ({
 	identity: one(identities, {
-		fields: [sessions.identityId],
+		fields: [sessions.identity_id],
 		references: [identities.id],
 	}),
 	network: one(networks, {
 		fields: [sessions.nid],
 		references: [networks.id],
 	}),
-	sessionDevices: many(sessionDevices),
+	sessionDevices: many(session_devices),
 }));
 
-export const identityRecoveryAddressesRelations = relations(identityRecoveryAddresses, ({ one, many }) => ({
+export const identityRecoveryAddressesRelations = relations(identity_recovery_addresses, ({ one, many }) => ({
 	identity: one(identities, {
-		fields: [identityRecoveryAddresses.identityId],
+		fields: [identity_recovery_addresses.identity_id],
 		references: [identities.id],
 	}),
 	network: one(networks, {
-		fields: [identityRecoveryAddresses.nid],
+		fields: [identity_recovery_addresses.nid],
 		references: [networks.id],
 	}),
-	identityRecoveryTokens: many(identityRecoveryTokens),
-	identityRecoveryCodes: many(identityRecoveryCodes),
+	identityRecoveryTokens: many(identity_recovery_tokens),
+	identityRecoveryCodes: many(identity_recovery_codes),
 }));
 
-export const identityVerificationTokensRelations = relations(identityVerificationTokens, ({ one }) => ({
-	identityVerifiableAddress: one(identityVerifiableAddresses, {
-		fields: [identityVerificationTokens.identityVerifiableAddressId],
-		references: [identityVerifiableAddresses.id],
+export const identityVerificationTokensRelations = relations(identity_verification_tokens, ({ one }) => ({
+	identityVerifiableAddress: one(identity_verifiable_addresses, {
+		fields: [identity_verification_tokens.identity_verifiable_address_id],
+		references: [identity_verifiable_addresses.id],
 	}),
-	selfserviceVerificationFlow: one(selfserviceVerificationFlows, {
-		fields: [identityVerificationTokens.selfserviceVerificationFlowId],
-		references: [selfserviceVerificationFlows.id],
+	selfserviceVerificationFlow: one(selfservice_verification_flows, {
+		fields: [identity_verification_tokens.selfservice_verification_flow_id],
+		references: [selfservice_verification_flows.id],
 	}),
 	network: one(networks, {
-		fields: [identityVerificationTokens.nid],
+		fields: [identity_verification_tokens.nid],
 		references: [networks.id],
 	}),
 }));
 
-export const selfserviceRecoveryFlowsRelations = relations(selfserviceRecoveryFlows, ({ one, many }) => ({
+export const selfserviceRecoveryFlowsRelations = relations(selfservice_recovery_flows, ({ one, many }) => ({
 	identity: one(identities, {
-		fields: [selfserviceRecoveryFlows.recoveredIdentityId],
+		fields: [selfservice_recovery_flows.recovered_identity_id],
 		references: [identities.id],
 	}),
 	network: one(networks, {
-		fields: [selfserviceRecoveryFlows.nid],
+		fields: [selfservice_recovery_flows.nid],
 		references: [networks.id],
 	}),
-	identityRecoveryTokens: many(identityRecoveryTokens),
-	identityRecoveryCodes: many(identityRecoveryCodes),
+	identityRecoveryTokens: many(identity_recovery_tokens),
+	identityRecoveryCodes: many(identity_recovery_codes),
 }));
 
-export const identityRecoveryTokensRelations = relations(identityRecoveryTokens, ({ one }) => ({
-	selfserviceRecoveryFlow: one(selfserviceRecoveryFlows, {
-		fields: [identityRecoveryTokens.selfserviceRecoveryFlowId],
-		references: [selfserviceRecoveryFlows.id],
+export const identityRecoveryTokensRelations = relations(identity_recovery_tokens, ({ one }) => ({
+	selfserviceRecoveryFlow: one(selfservice_recovery_flows, {
+		fields: [identity_recovery_tokens.selfservice_recovery_flow_id],
+		references: [selfservice_recovery_flows.id],
 	}),
 	network: one(networks, {
-		fields: [identityRecoveryTokens.nid],
+		fields: [identity_recovery_tokens.nid],
 		references: [networks.id],
 	}),
-	identityRecoveryAddress: one(identityRecoveryAddresses, {
-		fields: [identityRecoveryTokens.identityRecoveryAddressId],
-		references: [identityRecoveryAddresses.id],
+	identityRecoveryAddress: one(identity_recovery_addresses, {
+		fields: [identity_recovery_tokens.identity_recovery_address_id],
+		references: [identity_recovery_addresses.id],
 	}),
 	identity: one(identities, {
-		fields: [identityRecoveryTokens.identityId],
+		fields: [identity_recovery_tokens.identity_id],
 		references: [identities.id],
 	}),
 }));
 
-export const identityRecoveryCodesRelations = relations(identityRecoveryCodes, ({ one }) => ({
-	identityRecoveryAddress: one(identityRecoveryAddresses, {
-		fields: [identityRecoveryCodes.identityRecoveryAddressId],
-		references: [identityRecoveryAddresses.id],
+export const identityRecoveryCodesRelations = relations(identity_recovery_codes, ({ one }) => ({
+	identityRecoveryAddress: one(identity_recovery_addresses, {
+		fields: [identity_recovery_codes.identity_recovery_address_id],
+		references: [identity_recovery_addresses.id],
 	}),
-	selfserviceRecoveryFlow: one(selfserviceRecoveryFlows, {
-		fields: [identityRecoveryCodes.selfserviceRecoveryFlowId],
-		references: [selfserviceRecoveryFlows.id],
+	selfserviceRecoveryFlow: one(selfservice_recovery_flows, {
+		fields: [identity_recovery_codes.selfservice_recovery_flow_id],
+		references: [selfservice_recovery_flows.id],
 	}),
 	identity: one(identities, {
-		fields: [identityRecoveryCodes.identityId],
+		fields: [identity_recovery_codes.identity_id],
 		references: [identities.id],
 	}),
 	network: one(networks, {
-		fields: [identityRecoveryCodes.nid],
+		fields: [identity_recovery_codes.nid],
 		references: [networks.id],
 	}),
 }));
 
-export const sessionDevicesRelations = relations(sessionDevices, ({ one }) => ({
+export const sessionDevicesRelations = relations(session_devices, ({ one }) => ({
 	session: one(sessions, {
-		fields: [sessionDevices.sessionId],
+		fields: [session_devices.session_id],
 		references: [sessions.id],
 	}),
 	network: one(networks, {
-		fields: [sessionDevices.nid],
+		fields: [session_devices.nid],
 		references: [networks.id],
 	}),
 }));
 
-export const identityVerificationCodesRelations = relations(identityVerificationCodes, ({ one }) => ({
-	identityVerifiableAddress: one(identityVerifiableAddresses, {
-		fields: [identityVerificationCodes.identityVerifiableAddressId],
-		references: [identityVerifiableAddresses.id],
+export const identityVerificationCodesRelations = relations(identity_verification_codes, ({ one }) => ({
+	identityVerifiableAddress: one(identity_verifiable_addresses, {
+		fields: [identity_verification_codes.identity_verifiable_address_id],
+		references: [identity_verifiable_addresses.id],
 	}),
-	selfserviceVerificationFlow: one(selfserviceVerificationFlows, {
-		fields: [identityVerificationCodes.selfserviceVerificationFlowId],
-		references: [selfserviceVerificationFlows.id],
+	selfserviceVerificationFlow: one(selfservice_verification_flows, {
+		fields: [identity_verification_codes.selfservice_verification_flow_id],
+		references: [selfservice_verification_flows.id],
 	}),
 	network: one(networks, {
-		fields: [identityVerificationCodes.nid],
+		fields: [identity_verification_codes.nid],
 		references: [networks.id],
 	}),
 }));
 
-export const courierMessageDispatchesRelations = relations(courierMessageDispatches, ({ one }) => ({
-	courierMessage: one(courierMessages, {
-		fields: [courierMessageDispatches.messageId],
-		references: [courierMessages.id],
+export const courierMessageDispatchesRelations = relations(courier_message_dispatches, ({ one }) => ({
+	courierMessage: one(courier_messages, {
+		fields: [courier_message_dispatches.message_id],
+		references: [courier_messages.id],
 	}),
 	network: one(networks, {
-		fields: [courierMessageDispatches.nid],
+		fields: [courier_message_dispatches.nid],
 		references: [networks.id],
 	}),
 }));
 
-export const identityLoginCodesRelations = relations(identityLoginCodes, ({ one }) => ({
-	selfserviceLoginFlow: one(selfserviceLoginFlows, {
-		fields: [identityLoginCodes.selfserviceLoginFlowId],
-		references: [selfserviceLoginFlows.id],
+export const identityLoginCodesRelations = relations(identity_login_codes, ({ one }) => ({
+	selfserviceLoginFlow: one(selfservice_login_flows, {
+		fields: [identity_login_codes.selfservice_login_flow_id],
+		references: [selfservice_login_flows.id],
 	}),
 	network: one(networks, {
-		fields: [identityLoginCodes.nid],
+		fields: [identity_login_codes.nid],
 		references: [networks.id],
 	}),
 	identity: one(identities, {
-		fields: [identityLoginCodes.identityId],
+		fields: [identity_login_codes.identity_id],
 		references: [identities.id],
 	}),
 }));
 
-export const identityRegistrationCodesRelations = relations(identityRegistrationCodes, ({ one }) => ({
-	selfserviceRegistrationFlow: one(selfserviceRegistrationFlows, {
-		fields: [identityRegistrationCodes.selfserviceRegistrationFlowId],
-		references: [selfserviceRegistrationFlows.id],
+export const identityRegistrationCodesRelations = relations(identity_registration_codes, ({ one }) => ({
+	selfserviceRegistrationFlow: one(selfservice_registration_flows, {
+		fields: [identity_registration_codes.selfservice_registration_flow_id],
+		references: [selfservice_registration_flows.id],
 	}),
 	network: one(networks, {
-		fields: [identityRegistrationCodes.nid],
+		fields: [identity_registration_codes.nid],
 		references: [networks.id],
 	}),
 }));
\ No newline at end of file

From c395a44bf631a531783d6b3d004f332755bf2a20 Mon Sep 17 00:00:00 2001
From: Markus Thielker <hey@thielker.dev>
Date: Fri, 4 Apr 2025 16:00:00 +0200
Subject: [PATCH 35/58] NORY-59: add new script to create Keto relationships

---
 docker/ory-dev/keto-add-permission-to-role.sh | 31 +++++++++++++++++++
 docker/ory-dev/keto-add-permission.sh         | 26 ++++++++++++++++
 docker/ory-dev/ory/keto/keto.yaml             |  2 ++
 3 files changed, 59 insertions(+)
 create mode 100644 docker/ory-dev/keto-add-permission-to-role.sh
 create mode 100644 docker/ory-dev/keto-add-permission.sh

diff --git a/docker/ory-dev/keto-add-permission-to-role.sh b/docker/ory-dev/keto-add-permission-to-role.sh
new file mode 100644
index 0000000..9a0f7fa
--- /dev/null
+++ b/docker/ory-dev/keto-add-permission-to-role.sh
@@ -0,0 +1,31 @@
+# this script gives the referenced identity the admin role
+# make sure to provide the id of the identity
+
+# check if a identity id argument was provided
+if [ $# -ne 4 ]; then
+  echo "Usage: $0 <object> <relation> <role> <role_relation>"
+  exit 1
+fi
+
+# set user id variable
+OBJECT=$1
+RELATION=$2
+ROLE=$3
+ROLE_RELATION=$4
+
+# execute curl to Ory Keto write endpoint
+curl --request PUT \
+  --url http://localhost:4467/admin/relation-tuples \
+  --data '{
+           "namespace": "permissions",
+           "object": "'"$OBJECT"'",
+           "relation": "'"$RELATION"'",
+           "subject_set": {
+              "namespace": "roles",
+              "object": "'"$ROLE"'",
+              "relation": "'"$ROLE_RELATION"'"
+           }
+         }'
+
+# write success response to terminal
+echo "Added relation Permissions:$OBJECT#$RELATION@(Roles:$ROLE#$RELATION)"
diff --git a/docker/ory-dev/keto-add-permission.sh b/docker/ory-dev/keto-add-permission.sh
new file mode 100644
index 0000000..5812ce3
--- /dev/null
+++ b/docker/ory-dev/keto-add-permission.sh
@@ -0,0 +1,26 @@
+# this script gives the referenced identity the provided permission
+# make sure to provide the id of the identity
+
+# check if a required arguments were provided
+if [ $# -ne 3 ]; then
+  echo "Usage: $0 <object> <relation> <identity_id>"
+  exit 1
+fi
+
+# set variables from input
+OBJECT=$1
+RELATION=$2
+IDENTITY_ID=$3
+
+# execute curl to Ory Keto write endpoint
+curl --request PUT \
+  --url http://localhost:4467/admin/relation-tuples \
+  --data '{
+           "namespace": "permissions",
+           "object": "'"$OBJECT"'",
+           "relation": "'"$RELATION"'",
+           "subject_id": "'"$IDENTITY_ID"'"
+         }'
+
+# write success response to terminal
+echo "Added permission $OBJECT#$RELATION@$IDENTITY_ID"
diff --git a/docker/ory-dev/ory/keto/keto.yaml b/docker/ory-dev/ory/keto/keto.yaml
index 21dad3d..2be94ad 100644
--- a/docker/ory-dev/ory/keto/keto.yaml
+++ b/docker/ory-dev/ory/keto/keto.yaml
@@ -22,6 +22,8 @@ dsn: postgres://postgres:postgres@ory-postgres:5432/keto?sslmode=disable&max_con
 namespaces:
   - id: 0
     name: roles
+  - id: 1
+    name: permissions
 
 serve:
   read:

From 47d1989ee58f47774a38cab0c61e96773f80dc94 Mon Sep 17 00:00:00 2001
From: Markus Thielker <hey@thielker.dev>
Date: Fri, 4 Apr 2025 16:20:32 +0200
Subject: [PATCH 36/58] NORY-59: add authentication and authorisation actions

---
 dashboard/src/lib/action/authentication.ts | 106 +++++++++++++++++++++
 1 file changed, 106 insertions(+)
 create mode 100644 dashboard/src/lib/action/authentication.ts

diff --git a/dashboard/src/lib/action/authentication.ts b/dashboard/src/lib/action/authentication.ts
new file mode 100644
index 0000000..d1d70e3
--- /dev/null
+++ b/dashboard/src/lib/action/authentication.ts
@@ -0,0 +1,106 @@
+'use server';
+
+import { getFrontendApi, getPermissionApi } from '@/ory/sdk/server';
+import { cookies } from 'next/headers';
+import { redirect } from 'next/navigation';
+
+export async function getSession() {
+
+    const cookie = await cookies();
+
+    const frontendApi = await getFrontendApi();
+
+    return frontendApi
+        .toSession({ cookie: 'ory_kratos_session=' + cookie.get('ory_kratos_session')?.value })
+        .then((response) => response.data)
+        .catch(() => null);
+}
+
+export async function requireSession() {
+
+    const session = await getSession();
+
+    if (!session) {
+
+        // TODO: set return_to dynamically
+        const url = process.env.NEXT_PUBLIC_AUTHENTICATION_NODE_URL +
+            '/flow/login?return_to=' + process.env.NEXT_PUBLIC_DASHBOARD_NODE_URL;
+
+        console.log('Intercepted request with missing session');
+        console.log('Redirecting client to: ', url);
+
+        redirect(url);
+    }
+
+    return session;
+}
+
+
+export async function checkRole(
+    object: string,
+    subjectId: string,
+) {
+
+    const permissionApi = await getPermissionApi();
+    return permissionApi.checkPermission({
+        namespace: 'roles',
+        object,
+        relation: 'member',
+        subjectId,
+    })
+        .then(({ data: { allowed } }) => allowed)
+        .catch(_ => false);
+}
+
+export async function requireRole(
+    object: string,
+    subjectId: string,
+) {
+
+    const hasRole = await checkRole(object, subjectId);
+
+    if (!hasRole) {
+        console.log(`Intercepted request with missing role ${object} for identity ${subjectId}`);
+        redirect('/unauthorised');
+    }
+
+    return hasRole;
+}
+
+
+export async function checkPermission(
+    object: string,
+    relation: string,
+    subjectId: string,
+) {
+
+    const permissionApi = await getPermissionApi();
+    return permissionApi.checkPermission({
+        namespace: 'permissions',
+        object,
+        relation,
+        subjectId,
+    })
+        .then(({ data: { allowed } }) => allowed)
+        .catch(_ => false);
+}
+
+export async function requirePermission(
+    object: string,
+    relation: string,
+    subjectId: string,
+) {
+
+    const allowed = await checkPermission(
+        object,
+        relation,
+        subjectId,
+    );
+
+    if (!allowed) {
+        console.log(`Intercepted request with insufficient permission (${object}#${relation}@${subjectId})`);
+        redirect('/unauthorised');
+    }
+
+    return allowed;
+}

From cca60935e2688e2e820e090eddc62049b0110aca Mon Sep 17 00:00:00 2001
From: Markus Thielker <hey@thielker.dev>
Date: Fri, 4 Apr 2025 16:22:00 +0200
Subject: [PATCH 37/58] NORY-59: add component to display insufficient
 permissions

---
 .../components/insufficient-permission.tsx    | 36 +++++++++++++++++++
 1 file changed, 36 insertions(+)
 create mode 100644 dashboard/src/components/insufficient-permission.tsx

diff --git a/dashboard/src/components/insufficient-permission.tsx b/dashboard/src/components/insufficient-permission.tsx
new file mode 100644
index 0000000..261004a
--- /dev/null
+++ b/dashboard/src/components/insufficient-permission.tsx
@@ -0,0 +1,36 @@
+import { Card, CardDescription, CardFooter, CardHeader, CardTitle } from '@/components/ui/card';
+
+interface InsufficientPermissionProps {
+    permission: string;
+    relation: string;
+    identityId: string;
+    classNames?: string;
+}
+
+export default async function InsufficientPermission(
+    {
+        permission,
+        relation,
+        identityId,
+        classNames,
+    }: InsufficientPermissionProps,
+) {
+    return (
+        <Card className={classNames}>
+            <CardHeader>
+                <CardTitle>Insufficient Permission</CardTitle>
+                <CardDescription>
+                    You are missing the permission to see this content.<br/>
+                    If you think this is an error, please contact your system administrator
+                </CardDescription>
+            </CardHeader>
+            <CardFooter>
+                <CardDescription className="text-xs">
+                    Permission: {permission}<br/>
+                    Relation: {relation}<br/>
+                    Identity: {identityId}
+                </CardDescription>
+            </CardFooter>
+        </Card>
+    );
+}

From b29c19f32297a6b498c54a75a43793e86a68a0dd Mon Sep 17 00:00:00 2001
From: Markus Thielker <hey@thielker.dev>
Date: Fri, 4 Apr 2025 16:22:38 +0200
Subject: [PATCH 38/58] NORY-59: move stack status requests to protected server
 actions

---
 dashboard/src/app/(inside)/page.tsx      | 101 ++++++++++++-----------
 dashboard/src/components/status-card.tsx |   2 +-
 dashboard/src/lib/action/metadata.ts     |  83 +++++++++++++++++++
 3 files changed, 135 insertions(+), 51 deletions(-)
 create mode 100644 dashboard/src/lib/action/metadata.ts

diff --git a/dashboard/src/app/(inside)/page.tsx b/dashboard/src/app/(inside)/page.tsx
index 604a7e2..778d24a 100644
--- a/dashboard/src/app/(inside)/page.tsx
+++ b/dashboard/src/app/(inside)/page.tsx
@@ -1,40 +1,20 @@
-import { getHydraMetadataApi, getKetoMetadataApi, getKratosMetadataApi } from '@/ory/sdk/server';
-import { MetadataApiReady, StatusCard } from '@/components/status-card';
+import { StatusCard } from '@/components/status-card';
+import { hydraMetadata, ketoMetadata, kratosMetadata } from '@/lib/action/metadata';
+import { checkPermission, requireRole, requireSession } from '@/lib/action/authentication';
+import InsufficientPermission from '@/components/insufficient-permission';
 
 export default async function RootPage() {
 
-    const kratosMetadataApi = await getKratosMetadataApi();
-    const kratosVersion = await kratosMetadataApi.getVersion()
-        .then(res => res.data.version)
-        .catch(() => undefined);
-    const kratosStatus = await fetch(process.env.ORY_KRATOS_ADMIN_URL + '/health/ready')
-        .then((response) => response.json() as MetadataApiReady)
-        .catch(() => {
-            return { errors: ['No instance running'] } as MetadataApiReady;
-        });
+    const session = await requireSession();
+    const identityId = session.identity!.id;
 
+    await requireRole('admin', identityId);
 
-    const hydraMetadataApi = await getHydraMetadataApi();
-    const hydraVersion = await hydraMetadataApi.getVersion()
-        .then(res => res.data.version)
-        .catch(() => undefined);
-    const hydraStatus = await fetch(process.env.ORY_HYDRA_ADMIN_URL + '/health/ready')
-        .then((response) => response.json() as MetadataApiReady)
-        .catch(() => {
-            return { errors: ['No instance running'] } as MetadataApiReady;
-        });
-
-
-    const ketoMetadataApi = await getKetoMetadataApi();
-    const ketoVersion = await ketoMetadataApi.getVersion()
-        .then(res => res.data.version)
-        .catch(() => undefined);
-    const ketoStatus = await fetch(process.env.ORY_KETO_ADMIN_URL + '/health/ready')
-        .then((response) => response.json() as MetadataApiReady)
-        .catch(() => {
-            return { errors: ['No instance running'] } as MetadataApiReady;
-        });
+    const pmAccessStackStatus = await checkPermission('admin.stack.status', 'access', identityId);
 
+    const kratos = pmAccessStackStatus && await kratosMetadata();
+    const hydra = pmAccessStackStatus && await hydraMetadata();
+    const keto = pmAccessStackStatus && await ketoMetadata();
 
     return (
         <div className="flex flex-col space-y-4">
@@ -43,25 +23,46 @@ export default async function RootPage() {
                 <p className="text-lg font-light">See the list of all applications in your stack</p>
             </div>
             <div className="grid grid-cols-1 md:grid-cols-4 gap-4">
-                <StatusCard
-                    title="Ory Kratos"
-                    version={kratosVersion}
-                    name="Kratos"
-                    status={kratosStatus}
-                    className="flex-1"/>
-                <StatusCard
-                    title="Ory Hydra"
-                    version={hydraVersion}
-                    name="Hydra"
-                    status={hydraStatus}
-                    className="flex-1"/>
-                <StatusCard
-                    title="Ory Keto"
-                    version={ketoVersion}
-                    name="Keto"
-                    status={ketoStatus}
-                    className="flex-1"/>
-                <div className="flex-1"/>
+                {
+                    !pmAccessStackStatus && (
+                        <InsufficientPermission
+                            permission="admin.stack.status"
+                            relation="access"
+                            identityId={identityId}
+                            classNames="col-span-1 md:col-span-4"
+                        />
+                    )
+                }
+                {
+                    kratos && (
+                        <StatusCard
+                            title="Ory Kratos"
+                            version={kratos.version}
+                            name="Kratos"
+                            status={kratos.status}
+                            className="flex-1"/>
+                    )
+                }
+                {
+                    hydra && (
+                        <StatusCard
+                            title="Ory Hydra"
+                            version={hydra.version}
+                            name="Hydra"
+                            status={hydra.status}
+                            className="flex-1"/>
+                    )
+                }
+                {
+                    keto && (
+                        <StatusCard
+                            title="Ory Keto"
+                            version={keto.version}
+                            name="Keto"
+                            status={keto.status}
+                            className="flex-1"/>
+                    )
+                }
             </div>
         </div>
     );
diff --git a/dashboard/src/components/status-card.tsx b/dashboard/src/components/status-card.tsx
index d6d4038..e12bf53 100644
--- a/dashboard/src/components/status-card.tsx
+++ b/dashboard/src/components/status-card.tsx
@@ -50,7 +50,7 @@ export function StatusCard({ title, version, name, status, className }: StatusCa
                             </TooltipTrigger>
                             <TooltipContent>
                                 {
-                                    status.errors.map((error) => <span>{error}</span>)
+                                    status.errors.map((error) => <span key={error}>{error}</span>)
                                 }
                             </TooltipContent>
                         </Tooltip>
diff --git a/dashboard/src/lib/action/metadata.ts b/dashboard/src/lib/action/metadata.ts
new file mode 100644
index 0000000..03d5768
--- /dev/null
+++ b/dashboard/src/lib/action/metadata.ts
@@ -0,0 +1,83 @@
+'use server';
+
+import { getHydraMetadataApi, getKetoMetadataApi, getKratosMetadataApi } from '@/ory/sdk/server';
+import { MetadataApiReady } from '@/components/status-card';
+import { checkPermission, requireSession } from '@/lib/action/authentication';
+
+export async function kratosMetadata() {
+
+    const session = await requireSession();
+    const allowed = await checkPermission('admin.stack.status', 'access', session.identity!.id);
+    if (!allowed) {
+        return;
+    }
+
+    const api = await getKratosMetadataApi();
+
+    const version = await api.getVersion()
+        .then(res => res.data.version)
+        .catch(() => undefined);
+
+    const status = await fetch(process.env.ORY_KRATOS_ADMIN_URL + '/health/ready')
+        .then((response) => response.json() as MetadataApiReady)
+        .catch(() => {
+            return { errors: ['No instance running'] } as MetadataApiReady;
+        });
+
+    return {
+        version,
+        status,
+    };
+}
+
+export async function hydraMetadata() {
+
+    const session = await requireSession();
+    const allowed = await checkPermission('admin.stack.status', 'access', session.identity!.id);
+    if (!allowed) {
+        return;
+    }
+
+    const api = await getHydraMetadataApi();
+
+    const version = await api.getVersion()
+        .then(res => res.data.version)
+        .catch(() => undefined);
+
+    const status = await fetch(process.env.ORY_HYDRA_ADMIN_URL + '/health/ready')
+        .then((response) => response.json() as MetadataApiReady)
+        .catch(() => {
+            return { errors: ['No instance running'] } as MetadataApiReady;
+        });
+
+    return {
+        version,
+        status,
+    };
+}
+
+export async function ketoMetadata() {
+
+    const session = await requireSession();
+    const allowed = await checkPermission('admin.stack.status', 'access', session.identity!.id);
+    if (!allowed) {
+        return;
+    }
+
+    const api = await getKetoMetadataApi();
+
+    const version = await api.getVersion()
+        .then(res => res.data.version)
+        .catch(() => undefined);
+
+    const status = await fetch(process.env.ORY_KETO_ADMIN_URL + '/health/ready')
+        .then((response) => response.json() as MetadataApiReady)
+        .catch(() => {
+            return { errors: ['No instance running'] } as MetadataApiReady;
+        });
+
+    return {
+        version,
+        status,
+    };
+}

From 6d277a7d62f82416b0a0d48b27dc4dbcc7e3d660 Mon Sep 17 00:00:00 2001
From: Markus Thielker <hey@thielker.dev>
Date: Fri, 4 Apr 2025 16:31:15 +0200
Subject: [PATCH 39/58] NORY-59: refactor middleware to use new authentication
 functions

---
 dashboard/src/middleware.ts | 45 ++++++++++++-------------------------
 1 file changed, 14 insertions(+), 31 deletions(-)

diff --git a/dashboard/src/middleware.ts b/dashboard/src/middleware.ts
index 52d7714..62d78cc 100644
--- a/dashboard/src/middleware.ts
+++ b/dashboard/src/middleware.ts
@@ -1,47 +1,30 @@
 import { NextRequest, NextResponse } from 'next/server';
-import { cookies } from 'next/headers';
-import { getFrontendApi, getPermissionApi } from '@/ory/sdk/server';
+import { checkRole, getSession } from '@/lib/action/authentication';
 
 export async function middleware(request: NextRequest) {
 
-    const frontendApi = await getFrontendApi();
-    const cookie = await cookies();
-
-    const session = await frontendApi
-        .toSession({ cookie: 'ory_kratos_session=' + cookie.get('ory_kratos_session')?.value })
-        .then((response) => response.data)
-        .catch(() => null);
+    // middleware can not work with requireSession, requireRole and
+    // requirePermission due to the different redirect mechanisms in use!
 
+    const session = await getSession();
     if (!session) {
 
-        console.log('NO SESSION');
+        console.log('middleware', 'MISSING SESSION');
 
         const url = process.env.NEXT_PUBLIC_AUTHENTICATION_NODE_URL +
             '/flow/login?return_to=' +
             process.env.NEXT_PUBLIC_DASHBOARD_NODE_URL;
 
-        console.log('REDIRECT TO', url);
-
-        return NextResponse.redirect(url);
+        console.log('middleware', 'REDIRECT TO', url);
+        return NextResponse.redirect(url!);
     }
 
-    const permissionApi = await getPermissionApi();
-    const isAdmin = await permissionApi.checkPermission({
-        namespace: 'roles',
-        object: 'admin',
-        relation: 'member',
-        subjectId: session!.identity!.id,
-    })
-        .then(({ data: { allowed } }) => {
-            console.log('is_admin', session!.identity!.id, allowed);
-            return allowed;
-        })
-        .catch((response) => {
-            console.log('is_admin', session!.identity!.id, response, 'check failed');
-            return false;
-        });
+    const allowed = await checkRole(
+        'admin',
+        session!.identity!.id,
+    );
 
-    if (isAdmin) {
+    if (allowed) {
         if (request.nextUrl.pathname === '/unauthorised') {
             return redirect('/', 'HAS PERMISSION BUT ACCESSING /unauthorized');
         }
@@ -55,9 +38,9 @@ export async function middleware(request: NextRequest) {
 }
 
 function redirect(path: string, reason: string) {
-    console.log(reason);
+    console.log('middleware', reason);
     const url = `${process.env.NEXT_PUBLIC_DASHBOARD_NODE_URL}${path}`;
-    console.log('REDIRECT TO', url);
+    console.log('middleware', 'REDIRECT TO', url);
     return NextResponse.redirect(url!);
 }
 

From 0b81a02fba0f11d97995516d47337ca98a12167d Mon Sep 17 00:00:00 2001
From: Markus Thielker <hey@thielker.dev>
Date: Fri, 4 Apr 2025 19:10:40 +0200
Subject: [PATCH 40/58] NORY-59: add authentication and authorisation to user
 page

---
 .../src/app/(inside)/user/data-table.tsx      | 13 +++-
 dashboard/src/app/(inside)/user/page.tsx      | 73 ++++++++++++++-----
 2 files changed, 67 insertions(+), 19 deletions(-)

diff --git a/dashboard/src/app/(inside)/user/data-table.tsx b/dashboard/src/app/(inside)/user/data-table.tsx
index 510ee6c..2baabaa 100644
--- a/dashboard/src/app/(inside)/user/data-table.tsx
+++ b/dashboard/src/app/(inside)/user/data-table.tsx
@@ -33,9 +33,16 @@ interface IdentityDataTableProps {
     data: Identity[];
     page: number;
     query: string;
+    permission: {
+        pmEditUser: boolean;
+        pmBlockUser: boolean;
+        pmUnblockUser: boolean;
+        pmDeleteUser: boolean;
+        pmDeleteUserSession: boolean;
+    };
 }
 
-export function IdentityDataTable({ data, page, query }: IdentityDataTableProps) {
+export function IdentityDataTable({ data, page, query, permission }: IdentityDataTableProps) {
 
     const columns: ColumnDef<Identity>[] = [
         {
@@ -137,6 +144,7 @@ export function IdentityDataTable({ data, page, query }: IdentityDataTableProps)
                                     setCurrentIdentity(identity);
                                     setIdentitySessionVisible(true);
                                 }}
+                                disabled={!permission.pmDeleteUserSession}
                                 className="flex items-center space-x-2 text-red-500">
                                 <UserMinus className="h-4 w-4"/>
                                 <span>Delete sessions</span>
@@ -148,6 +156,7 @@ export function IdentityDataTable({ data, page, query }: IdentityDataTableProps)
                                         setCurrentIdentity(identity);
                                         setBlockIdentityVisible(true);
                                     }}
+                                    disabled={!permission.pmBlockUser}
                                     className="flex items-center space-x-2 text-red-500">
                                     <UserX className="h-4 w-4"/>
                                     <span>Block identity</span>
@@ -160,6 +169,7 @@ export function IdentityDataTable({ data, page, query }: IdentityDataTableProps)
                                         setCurrentIdentity(identity);
                                         setUnblockIdentityVisible(true);
                                     }}
+                                    disabled={!permission.pmUnblockUser}
                                     className="flex items-center space-x-2 text-red-500">
                                     <UserCheck className="h-4 w-4"/>
                                     <span>Unblock identity</span>
@@ -170,6 +180,7 @@ export function IdentityDataTable({ data, page, query }: IdentityDataTableProps)
                                     setCurrentIdentity(identity);
                                     setDeleteIdentityVisible(true);
                                 }}
+                                disabled={!permission.pmDeleteUser}
                                 className="flex items-center space-x-2 text-red-500">
                                 <Trash className="h-4 w-4"/>
                                 <span>Delete identity</span>
diff --git a/dashboard/src/app/(inside)/user/page.tsx b/dashboard/src/app/(inside)/user/page.tsx
index efb1095..b889ecf 100644
--- a/dashboard/src/app/(inside)/user/page.tsx
+++ b/dashboard/src/app/(inside)/user/page.tsx
@@ -3,6 +3,8 @@ import { IdentityDataTable } from '@/app/(inside)/user/data-table';
 import { SearchInput } from '@/components/search-input';
 import { queryIdentities } from '@/lib/action/identity';
 import { IdentityPagination } from '@/components/pagination';
+import { checkPermission, requireRole, requireSession } from '@/lib/action/authentication';
+import InsufficientPermission from '@/components/insufficient-permission';
 
 export default async function UserPage(
     {
@@ -12,6 +14,18 @@ export default async function UserPage(
     },
 ) {
 
+    const session = await requireSession();
+    const identityId = session.identity!.id;
+
+    await requireRole('admin', identityId);
+
+    const pmAccessUser = await checkPermission('admin.user', 'access', identityId);
+    const pmEditUser = await checkPermission('admin.user', 'edit', identityId);
+    const pmBlockUser = await checkPermission('admin.user', 'block', identityId);
+    const pmUnblockUser = await checkPermission('admin.user', 'unblock', identityId);
+    const pmDeleteUser = await checkPermission('admin.user', 'delete', identityId);
+    const pmDeleteUserSession = await checkPermission('admin.user.session', 'delete', identityId);
+
     const params = await searchParams;
 
     const page = params.page ? Number(params.page) : 1;
@@ -20,7 +34,7 @@ export default async function UserPage(
     let pageSize = 50;
     let paginationRange = 11;
 
-    const { data, itemCount, pageCount } = await queryIdentities({ page, pageSize, query });
+    const users = pmAccessUser && await queryIdentities({ page, pageSize, query });
 
     return (
         <div className="space-y-4">
@@ -31,23 +45,46 @@ export default async function UserPage(
                 </p>
             </div>
             <div className="space-y-2">
-                <SearchInput
-                    value={query}
-                    pageParamKey="page"
-                    queryParamKey="query"
-                    placeholder="Search for addresses and traits"/>
-                <div>
-                    <p className="text-xs text-neutral-500">{itemCount} item{itemCount && itemCount > 1 ? 's' : ''} found</p>
-                    <IdentityDataTable
-                        data={data}
-                        page={page}
-                        query={query}/>
-                </div>
-                <IdentityPagination
-                    page={page}
-                    pageCount={pageCount}
-                    pageParamKey="page"
-                    paginationRange={paginationRange}/>
+                {
+                    !pmAccessUser && (
+                        <InsufficientPermission
+                            permission="admin.user"
+                            relation="see"
+                            identityId={identityId}
+                        />
+                    )
+                }
+                {
+                    pmAccessUser && users && (
+                        <>
+                            <SearchInput
+                                value={query}
+                                pageParamKey="page"
+                                queryParamKey="query"
+                                placeholder="Search for addresses and traits"/>
+                            <div>
+                                <p className="text-xs text-neutral-500">{users.itemCount} item{users.itemCount && users.itemCount > 1 ? 's' : ''} found</p>
+                                <IdentityDataTable
+                                    data={users.data}
+                                    page={page}
+                                    query={query}
+                                    permission={{
+                                        pmEditUser: pmEditUser,
+                                        pmBlockUser: pmBlockUser,
+                                        pmUnblockUser: pmUnblockUser,
+                                        pmDeleteUser: pmDeleteUser,
+                                        pmDeleteUserSession: pmDeleteUserSession,
+                                    }}
+                                />
+                            </div>
+                            <IdentityPagination
+                                page={page}
+                                pageCount={users.pageCount}
+                                pageParamKey="page"
+                                paginationRange={paginationRange}/>
+                        </>
+                    )
+                }
             </div>
         </div>
     );

From 6b80e93bf02b3e3ba9c41037dafc0c9545d6957a Mon Sep 17 00:00:00 2001
From: Markus Thielker <hey@thielker.dev>
Date: Fri, 4 Apr 2025 19:32:26 +0200
Subject: [PATCH 41/58] NORY-59: introduce permission constants

---
 dashboard/src/app/(inside)/page.tsx            |  4 ++--
 dashboard/src/app/(inside)/user/data-table.tsx |  7 +++----
 dashboard/src/app/(inside)/user/page.tsx       | 18 ++++++++----------
 dashboard/src/lib/permission.ts                | 16 ++++++++++++++++
 4 files changed, 29 insertions(+), 16 deletions(-)
 create mode 100644 dashboard/src/lib/permission.ts

diff --git a/dashboard/src/app/(inside)/page.tsx b/dashboard/src/app/(inside)/page.tsx
index 778d24a..dad9358 100644
--- a/dashboard/src/app/(inside)/page.tsx
+++ b/dashboard/src/app/(inside)/page.tsx
@@ -10,7 +10,7 @@ export default async function RootPage() {
 
     await requireRole('admin', identityId);
 
-    const pmAccessStackStatus = await checkPermission('admin.stack.status', 'access', identityId);
+    const pmAccessStackStatus = await checkPermission(permission.stack.status, relation.access, identityId);
 
     const kratos = pmAccessStackStatus && await kratosMetadata();
     const hydra = pmAccessStackStatus && await hydraMetadata();
@@ -26,7 +26,7 @@ export default async function RootPage() {
                 {
                     !pmAccessStackStatus && (
                         <InsufficientPermission
-                            permission="admin.stack.status"
+                            permission={permission.stack.status}
                             relation="access"
                             identityId={identityId}
                             classNames="col-span-1 md:col-span-4"
diff --git a/dashboard/src/app/(inside)/user/data-table.tsx b/dashboard/src/app/(inside)/user/data-table.tsx
index 2baabaa..69a1c4b 100644
--- a/dashboard/src/app/(inside)/user/data-table.tsx
+++ b/dashboard/src/app/(inside)/user/data-table.tsx
@@ -35,9 +35,8 @@ interface IdentityDataTableProps {
     query: string;
     permission: {
         pmEditUser: boolean;
-        pmBlockUser: boolean;
-        pmUnblockUser: boolean;
         pmDeleteUser: boolean;
+        pmEditUserState: boolean;
         pmDeleteUserSession: boolean;
     };
 }
@@ -156,7 +155,7 @@ export function IdentityDataTable({ data, page, query, permission }: IdentityDat
                                         setCurrentIdentity(identity);
                                         setBlockIdentityVisible(true);
                                     }}
-                                    disabled={!permission.pmBlockUser}
+                                    disabled={!permission.pmEditUserState}
                                     className="flex items-center space-x-2 text-red-500">
                                     <UserX className="h-4 w-4"/>
                                     <span>Block identity</span>
@@ -169,7 +168,7 @@ export function IdentityDataTable({ data, page, query, permission }: IdentityDat
                                         setCurrentIdentity(identity);
                                         setUnblockIdentityVisible(true);
                                     }}
-                                    disabled={!permission.pmUnblockUser}
+                                    disabled={!permission.pmEditUserState}
                                     className="flex items-center space-x-2 text-red-500">
                                     <UserCheck className="h-4 w-4"/>
                                     <span>Unblock identity</span>
diff --git a/dashboard/src/app/(inside)/user/page.tsx b/dashboard/src/app/(inside)/user/page.tsx
index b889ecf..3e52891 100644
--- a/dashboard/src/app/(inside)/user/page.tsx
+++ b/dashboard/src/app/(inside)/user/page.tsx
@@ -19,12 +19,11 @@ export default async function UserPage(
 
     await requireRole('admin', identityId);
 
-    const pmAccessUser = await checkPermission('admin.user', 'access', identityId);
-    const pmEditUser = await checkPermission('admin.user', 'edit', identityId);
-    const pmBlockUser = await checkPermission('admin.user', 'block', identityId);
-    const pmUnblockUser = await checkPermission('admin.user', 'unblock', identityId);
-    const pmDeleteUser = await checkPermission('admin.user', 'delete', identityId);
-    const pmDeleteUserSession = await checkPermission('admin.user.session', 'delete', identityId);
+    const pmAccessUser = await checkPermission(permission.user.it, relation.access, identityId);
+    const pmEditUser = await checkPermission(permission.user.it, relation.edit, identityId);
+    const pmDeleteUser = await checkPermission(permission.user.it, relation.delete, identityId);
+    const pmEditUserState = await checkPermission(permission.user.state, relation.edit, identityId);
+    const pmDeleteUserSession = await checkPermission(permission.user.session, relation.delete, identityId);
 
     const params = await searchParams;
 
@@ -48,8 +47,8 @@ export default async function UserPage(
                 {
                     !pmAccessUser && (
                         <InsufficientPermission
-                            permission="admin.user"
-                            relation="see"
+                            permission={permission.user.it}
+                            relation={relation.access}
                             identityId={identityId}
                         />
                     )
@@ -70,9 +69,8 @@ export default async function UserPage(
                                     query={query}
                                     permission={{
                                         pmEditUser: pmEditUser,
-                                        pmBlockUser: pmBlockUser,
-                                        pmUnblockUser: pmUnblockUser,
                                         pmDeleteUser: pmDeleteUser,
+                                        pmEditUserState: pmEditUserState,
                                         pmDeleteUserSession: pmDeleteUserSession,
                                     }}
                                 />
diff --git a/dashboard/src/lib/permission.ts b/dashboard/src/lib/permission.ts
new file mode 100644
index 0000000..7bced61
--- /dev/null
+++ b/dashboard/src/lib/permission.ts
@@ -0,0 +1,16 @@
+const permission = {
+    stack: {
+        status: 'admin.stack.status',
+    },
+    user: {
+        it: 'admin.user',
+        session: 'admin.user.session',
+        state: 'admin.user.state',
+    },
+};
+
+const relation = {
+    access: 'access',
+    edit: 'edit',
+    delete: 'delete',
+};

From eff751996c93f6acd154ee6758e024581a8faa4d Mon Sep 17 00:00:00 2001
From: Markus Thielker <hey@thielker.dev>
Date: Fri, 4 Apr 2025 19:48:39 +0200
Subject: [PATCH 42/58] NORY-59: replace 'force-admin-role'  with new
 permission

---
 dashboard/src/app/(inside)/page.tsx      | 5 +++--
 dashboard/src/app/(inside)/user/page.tsx | 5 +++--
 dashboard/src/lib/permission.ts          | 5 +++--
 dashboard/src/middleware.ts              | 9 ++++-----
 4 files changed, 13 insertions(+), 11 deletions(-)

diff --git a/dashboard/src/app/(inside)/page.tsx b/dashboard/src/app/(inside)/page.tsx
index dad9358..607c2c4 100644
--- a/dashboard/src/app/(inside)/page.tsx
+++ b/dashboard/src/app/(inside)/page.tsx
@@ -1,14 +1,15 @@
 import { StatusCard } from '@/components/status-card';
 import { hydraMetadata, ketoMetadata, kratosMetadata } from '@/lib/action/metadata';
-import { checkPermission, requireRole, requireSession } from '@/lib/action/authentication';
+import { checkPermission, requirePermission, requireSession } from '@/lib/action/authentication';
 import InsufficientPermission from '@/components/insufficient-permission';
+import { permission, relation } from '@/lib/permission';
 
 export default async function RootPage() {
 
     const session = await requireSession();
     const identityId = session.identity!.id;
 
-    await requireRole('admin', identityId);
+    await requirePermission(permission.stack.dashboard, relation.access, identityId);
 
     const pmAccessStackStatus = await checkPermission(permission.stack.status, relation.access, identityId);
 
diff --git a/dashboard/src/app/(inside)/user/page.tsx b/dashboard/src/app/(inside)/user/page.tsx
index 3e52891..ebb9079 100644
--- a/dashboard/src/app/(inside)/user/page.tsx
+++ b/dashboard/src/app/(inside)/user/page.tsx
@@ -3,8 +3,9 @@ import { IdentityDataTable } from '@/app/(inside)/user/data-table';
 import { SearchInput } from '@/components/search-input';
 import { queryIdentities } from '@/lib/action/identity';
 import { IdentityPagination } from '@/components/pagination';
-import { checkPermission, requireRole, requireSession } from '@/lib/action/authentication';
+import { checkPermission, requirePermission, requireSession } from '@/lib/action/authentication';
 import InsufficientPermission from '@/components/insufficient-permission';
+import { permission, relation } from '@/lib/permission';
 
 export default async function UserPage(
     {
@@ -17,7 +18,7 @@ export default async function UserPage(
     const session = await requireSession();
     const identityId = session.identity!.id;
 
-    await requireRole('admin', identityId);
+    await requirePermission(permission.stack.dashboard, relation.access, identityId);
 
     const pmAccessUser = await checkPermission(permission.user.it, relation.access, identityId);
     const pmEditUser = await checkPermission(permission.user.it, relation.edit, identityId);
diff --git a/dashboard/src/lib/permission.ts b/dashboard/src/lib/permission.ts
index 7bced61..bab8592 100644
--- a/dashboard/src/lib/permission.ts
+++ b/dashboard/src/lib/permission.ts
@@ -1,5 +1,6 @@
-const permission = {
+export const permission = {
     stack: {
+        dashboard: 'admin.stack.dashboard',
         status: 'admin.stack.status',
     },
     user: {
@@ -9,7 +10,7 @@ const permission = {
     },
 };
 
-const relation = {
+export const relation = {
     access: 'access',
     edit: 'edit',
     delete: 'delete',
diff --git a/dashboard/src/middleware.ts b/dashboard/src/middleware.ts
index 62d78cc..8fb5913 100644
--- a/dashboard/src/middleware.ts
+++ b/dashboard/src/middleware.ts
@@ -1,5 +1,6 @@
 import { NextRequest, NextResponse } from 'next/server';
-import { checkRole, getSession } from '@/lib/action/authentication';
+import { checkPermission, getSession } from '@/lib/action/authentication';
+import { permission, relation } from '@/lib/permission';
 
 export async function middleware(request: NextRequest) {
 
@@ -19,10 +20,8 @@ export async function middleware(request: NextRequest) {
         return NextResponse.redirect(url!);
     }
 
-    const allowed = await checkRole(
-        'admin',
-        session!.identity!.id,
-    );
+    const allowed = await checkPermission(permission.stack.dashboard, relation.access, session.identity!.id);
+
 
     if (allowed) {
         if (request.nextUrl.pathname === '/unauthorised') {

From 270124465b535a4591eb58cf67ae7714b6f2b286 Mon Sep 17 00:00:00 2001
From: Markus Thielker <hey@thielker.dev>
Date: Fri, 4 Apr 2025 19:58:57 +0200
Subject: [PATCH 43/58] NORY-59: refactor permission-checks to use constant
 values

---
 dashboard/src/lib/action/metadata.ts | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/dashboard/src/lib/action/metadata.ts b/dashboard/src/lib/action/metadata.ts
index 03d5768..5a64b3b 100644
--- a/dashboard/src/lib/action/metadata.ts
+++ b/dashboard/src/lib/action/metadata.ts
@@ -3,11 +3,12 @@
 import { getHydraMetadataApi, getKetoMetadataApi, getKratosMetadataApi } from '@/ory/sdk/server';
 import { MetadataApiReady } from '@/components/status-card';
 import { checkPermission, requireSession } from '@/lib/action/authentication';
+import { permission, relation } from '@/lib/permission';
 
 export async function kratosMetadata() {
 
     const session = await requireSession();
-    const allowed = await checkPermission('admin.stack.status', 'access', session.identity!.id);
+    const allowed = await checkPermission(permission.stack.status, relation.access, session.identity!.id);
     if (!allowed) {
         return;
     }
@@ -33,7 +34,7 @@ export async function kratosMetadata() {
 export async function hydraMetadata() {
 
     const session = await requireSession();
-    const allowed = await checkPermission('admin.stack.status', 'access', session.identity!.id);
+    const allowed = await checkPermission(permission.stack.status, relation.access, session.identity!.id);
     if (!allowed) {
         return;
     }
@@ -59,7 +60,7 @@ export async function hydraMetadata() {
 export async function ketoMetadata() {
 
     const session = await requireSession();
-    const allowed = await checkPermission('admin.stack.status', 'access', session.identity!.id);
+    const allowed = await checkPermission(permission.stack.status, relation.access, session.identity!.id);
     if (!allowed) {
         return;
     }

From c935bbd8a20787b959665c3ed1376e21987e6c23 Mon Sep 17 00:00:00 2001
From: Markus Thielker <hey@thielker.dev>
Date: Fri, 4 Apr 2025 20:20:45 +0200
Subject: [PATCH 44/58] NORY-59: add protection to identity actions

---
 dashboard/src/lib/action/identity.ts | 56 ++++++++++++++++++++++++++++
 dashboard/src/lib/permission.ts      |  4 ++
 2 files changed, 60 insertions(+)

diff --git a/dashboard/src/lib/action/identity.ts b/dashboard/src/lib/action/identity.ts
index 4ffed77..b39e721 100644
--- a/dashboard/src/lib/action/identity.ts
+++ b/dashboard/src/lib/action/identity.ts
@@ -12,6 +12,8 @@ import {
 import { getDB } from '@/db';
 import { identities, identity_recovery_addresses, identity_verifiable_addresses } from '@/db/schema';
 import { eq, ilike, or, sql } from 'drizzle-orm';
+import { checkPermission, requireSession } from '@/lib/action/authentication';
+import { permission, relation } from '@/lib/permission';
 
 interface QueryIdentitiesProps {
     page: number,
@@ -21,6 +23,12 @@ interface QueryIdentitiesProps {
 
 export async function queryIdentities({ page, pageSize, query }: QueryIdentitiesProps) {
 
+    const session = await requireSession();
+    const allowed = await checkPermission(permission.user.it, relation.access, session.identity!.id);
+    if (!allowed) {
+        throw Error('Unauthorised');
+    }
+
     if (page < 1 || pageSize < 1) {
         return {
             data: [],
@@ -81,6 +89,12 @@ interface UpdatedIdentityProps {
 
 export async function updateIdentity({ id, body }: UpdatedIdentityProps) {
 
+    const session = await requireSession();
+    const allowed = await checkPermission(permission.user.it, relation.edit, session.identity!.id);
+    if (!allowed) {
+        throw Error('Unauthorised');
+    }
+
     const identityApi = await getIdentityApi();
     const { data } = await identityApi.updateIdentity({
         id: id,
@@ -101,6 +115,12 @@ interface DeleteIdentityCredentialProps {
 
 export async function deleteIdentityCredential({ id, type }: DeleteIdentityCredentialProps) {
 
+    const session = await requireSession();
+    const allowed = await checkPermission(permission.user.credential, relation.delete, session.identity!.id);
+    if (!allowed) {
+        throw Error('Unauthorised');
+    }
+
     const identityApi = await getIdentityApi();
     const { data } = await identityApi.deleteIdentityCredentials({ id, type });
 
@@ -113,6 +133,12 @@ export async function deleteIdentityCredential({ id, type }: DeleteIdentityCrede
 
 export async function deleteIdentitySessions(id: string) {
 
+    const session = await requireSession();
+    const allowed = await checkPermission(permission.user.session, relation.delete, session.identity!.id);
+    if (!allowed) {
+        throw Error('Unauthorised');
+    }
+
     const identityApi = await getIdentityApi();
     const { data } = await identityApi.deleteIdentitySessions({ id });
 
@@ -125,6 +151,12 @@ export async function deleteIdentitySessions(id: string) {
 
 export async function createRecoveryCode(id: string) {
 
+    const session = await requireSession();
+    const allowed = await checkPermission(permission.user.code, relation.create, session.identity!.id);
+    if (!allowed) {
+        throw Error('Unauthorised');
+    }
+
     const identityApi = await getIdentityApi();
     const { data } = await identityApi.createRecoveryCodeForIdentity({
         createRecoveryCodeForIdentityBody: {
@@ -139,6 +171,12 @@ export async function createRecoveryCode(id: string) {
 
 export async function createRecoveryLink(id: string) {
 
+    const session = await requireSession();
+    const allowed = await checkPermission(permission.user.link, relation.create, session.identity!.id);
+    if (!allowed) {
+        throw Error('Unauthorised');
+    }
+
     const identityApi = await getIdentityApi();
     const { data } = await identityApi.createRecoveryLinkForIdentity({
         createRecoveryLinkForIdentityBody: {
@@ -153,6 +191,12 @@ export async function createRecoveryLink(id: string) {
 
 export async function blockIdentity(id: string) {
 
+    const session = await requireSession();
+    const allowed = await checkPermission(permission.user.state, relation.edit, session.identity!.id);
+    if (!allowed) {
+        throw Error('Unauthorised');
+    }
+
     const identityApi = await getIdentityApi();
     const { data } = await identityApi.patchIdentity({
         id,
@@ -172,6 +216,12 @@ export async function blockIdentity(id: string) {
 
 export async function unblockIdentity(id: string) {
 
+    const session = await requireSession();
+    const allowed = await checkPermission(permission.user.state, relation.edit, session.identity!.id);
+    if (!allowed) {
+        throw Error('Unauthorised');
+    }
+
     const identityApi = await getIdentityApi();
     const { data } = await identityApi.patchIdentity({
         id,
@@ -191,6 +241,12 @@ export async function unblockIdentity(id: string) {
 
 export async function deleteIdentity(id: string) {
 
+    const session = await requireSession();
+    const allowed = await checkPermission(permission.user.credential, relation.delete, session.identity!.id);
+    if (!allowed) {
+        throw Error('Unauthorised');
+    }
+
     const identityApi = await getIdentityApi();
     const { data } = await identityApi.deleteIdentity({ id });
 
diff --git a/dashboard/src/lib/permission.ts b/dashboard/src/lib/permission.ts
index bab8592..49958b0 100644
--- a/dashboard/src/lib/permission.ts
+++ b/dashboard/src/lib/permission.ts
@@ -5,6 +5,9 @@ export const permission = {
     },
     user: {
         it: 'admin.user',
+        code: 'admin.user.code',
+        credential: 'admin.user.credential',
+        link: 'admin.user.link',
         session: 'admin.user.session',
         state: 'admin.user.state',
     },
@@ -12,6 +15,7 @@ export const permission = {
 
 export const relation = {
     access: 'access',
+    create: 'create',
     edit: 'edit',
     delete: 'delete',
 };

From 8d10b744e9cd11eefc9f0abaaf7d84f4aca60f10 Mon Sep 17 00:00:00 2001
From: Markus Thielker <markus@thielker.dev>
Date: Sun, 6 Apr 2025 11:14:22 +0200
Subject: [PATCH 45/58] NORY-59: add permission checks to identity action UI

---
 dashboard/src/app/(inside)/user/[id]/page.tsx | 41 ++++++++++++++---
 .../components/identity/identity-actions.tsx  | 44 +++++++++++++++----
 2 files changed, 71 insertions(+), 14 deletions(-)

diff --git a/dashboard/src/app/(inside)/user/[id]/page.tsx b/dashboard/src/app/(inside)/user/[id]/page.tsx
index 83cc3b3..98a578a 100644
--- a/dashboard/src/app/(inside)/user/[id]/page.tsx
+++ b/dashboard/src/app/(inside)/user/[id]/page.tsx
@@ -11,6 +11,9 @@ import { Badge } from '@/components/ui/badge';
 import { Check, X } from 'lucide-react';
 import { IdentityActions } from '@/components/identity/identity-actions';
 import { IdentityCredentials } from '@/components/identity/identity-credentials';
+import { checkPermission, requirePermission, requireSession } from '@/lib/action/authentication';
+import { permission, relation } from '@/lib/permission';
+import { redirect } from 'next/navigation';
 
 interface MergedAddress {
     recovery_id?: string;
@@ -76,19 +79,35 @@ function mergeAddresses(
 
 export default async function UserDetailsPage({ params }: { params: Promise<{ id: string }> }) {
 
-    const identityId = (await params).id;
+    const session = await requireSession();
+    const identityId = session.identity!.id;
+
+    await requirePermission(permission.stack.dashboard, relation.access, identityId);
+
+    const pmAccessUser = await checkPermission(permission.user.it, relation.access, identityId);
+    if (!pmAccessUser) {
+        return redirect('/user');
+    }
+
+    const pmEditUser = await checkPermission(permission.user.it, relation.edit, identityId);
+    const pmDeleteUser = await checkPermission(permission.user.it, relation.delete, identityId);
+    const pmEditUserState = await checkPermission(permission.user.state, relation.edit, identityId);
+    const pmDeleteUserSession = await checkPermission(permission.user.session, relation.delete, identityId);
+    const pmCreateUserCode = await checkPermission(permission.user.code, relation.create, identityId);
+    const pmCreateUserLink = await checkPermission(permission.user.link, relation.create, identityId);
+
+    const detailIdentityId = (await params).id;
 
     const identityApi = await getIdentityApi();
-    const identity = await identityApi.getIdentity({ id: identityId })
+    const identity = await identityApi.getIdentity({ id: detailIdentityId })
         .then((response) => {
-            console.log('identity', response.data);
             return response.data;
         })
         .catch(() => {
             console.log('Identity not found');
         });
 
-    const sessions = await identityApi.listIdentitySessions({ id: identityId })
+    const sessions = await identityApi.listIdentitySessions({ id: detailIdentityId })
         .then((response) => response.data)
         .catch(() => {
             console.log('No sessions found');
@@ -97,7 +116,7 @@ export default async function UserDetailsPage({ params }: { params: Promise<{ id
     if (!identity) {
         return <ErrorDisplay
             title="Identity not found"
-            message={`The requested identity with id ${identityId} does not exist`}/>;
+            message={`The requested identity with id ${detailIdentityId} does not exist`}/>;
     }
 
     if (!identity.verifiable_addresses || !identity.verifiable_addresses[0]) {
@@ -137,7 +156,17 @@ export default async function UserDetailsPage({ params }: { params: Promise<{ id
                         <CardDescription>Quick actions to manage the identity</CardDescription>
                     </CardHeader>
                     <CardContent>
-                        <IdentityActions identity={identity}/>
+                        <IdentityActions
+                            identity={identity}
+                            permissions={{
+                                pmEditUser,
+                                pmDeleteUser,
+                                pmEditUserState,
+                                pmDeleteUserSession,
+                                pmCreateUserCode,
+                                pmCreateUserLink,
+                            }}
+                        />
                     </CardContent>
                 </Card>
                 <Card>
diff --git a/dashboard/src/components/identity/identity-actions.tsx b/dashboard/src/components/identity/identity-actions.tsx
index 0ddcf32..b6a48ca 100644
--- a/dashboard/src/components/identity/identity-actions.tsx
+++ b/dashboard/src/components/identity/identity-actions.tsx
@@ -28,12 +28,22 @@ import { Input } from '@/components/ui/input';
 import { Label } from '@/components/ui/label';
 
 interface IdentityActionProps {
-    identity: Identity;
+    identity: Identity,
+    permissions: {
+        pmEditUser: boolean;
+        pmDeleteUser: boolean;
+        pmEditUserState: boolean;
+        pmDeleteUserSession: boolean;
+        pmCreateUserCode: boolean;
+        pmCreateUserLink: boolean;
+    }
 }
 
-export function IdentityActions({ identity }: IdentityActionProps,
+export function IdentityActions({ identity, permissions }: IdentityActionProps,
 ) {
 
+    console.log('IdentityActions', 'Permissions', permissions);
+
     const router = useRouter();
 
     const [dialogVisible, setDialogVisible] = useState(false);
@@ -122,7 +132,10 @@ export function IdentityActions({ identity }: IdentityActionProps,
                 dialogDescription="Are you sure you want to create a recovery code for this identity?"
                 dialogButtonSubmit="Create code"
             >
-                <Button className="mr-2" size="icon">
+                <Button
+                    disabled={!permissions.pmCreateUserCode}
+                    className="mr-2"
+                    size="icon">
                     <Key className="h-4"/>
                 </Button>
             </ConfirmationDialogWrapper>
@@ -142,7 +155,10 @@ export function IdentityActions({ identity }: IdentityActionProps,
                 dialogDescription="Are you sure you want to create a recovery link for this identity?"
                 dialogButtonSubmit="Create link"
             >
-                <Button className="mr-2" size="icon">
+                <Button
+                    disabled={!permissions.pmCreateUserLink}
+                    className="mr-2"
+                    size="icon">
                     <Link className="h-4"/>
                 </Button>
             </ConfirmationDialogWrapper>
@@ -160,7 +176,10 @@ export function IdentityActions({ identity }: IdentityActionProps,
                         dialogDescription="Are you sure you want to deactivate this identity? The user will not be able to sign-in or use any active session until re-activation!"
                         dialogButtonSubmit="Deactivate"
                     >
-                        <Button className="mr-2" size="icon">
+                        <Button
+                            disabled={!permissions.pmEditUserState}
+                            className="mr-2"
+                            size="icon">
                             <UserX className="h-4"/>
                         </Button>
                     </ConfirmationDialogWrapper>
@@ -176,7 +195,10 @@ export function IdentityActions({ identity }: IdentityActionProps,
                         dialogDescription="Are you sure you want to activate this identity?"
                         dialogButtonSubmit="Activate"
                     >
-                        <Button className="mr-2" size="icon">
+                        <Button
+                            disabled={!permissions.pmEditUserState}
+                            className="mr-2"
+                            size="icon">
                             <UserCheck className="h-4"/>
                         </Button>
                     </ConfirmationDialogWrapper>
@@ -194,7 +216,10 @@ export function IdentityActions({ identity }: IdentityActionProps,
                 dialogButtonSubmit="Invalidate sessions"
                 dialogButtonSubmitProps={{ variant: 'destructive' }}
             >
-                <Button className="mr-2" size="icon">
+                <Button
+                    disabled={!permissions.pmDeleteUserSession}
+                    className="mr-2"
+                    size="icon">
                     <UserMinus className="h-4"/>
                 </Button>
             </ConfirmationDialogWrapper>
@@ -214,7 +239,10 @@ export function IdentityActions({ identity }: IdentityActionProps,
                 dialogButtonSubmit="Delete identity"
                 dialogButtonSubmitProps={{ variant: 'destructive' }}
             >
-                <Button className="mr-2" size="icon">
+                <Button
+                    disabled={!permissions.pmDeleteUser}
+                    className="mr-2"
+                    size="icon">
                     <Trash className="h-4"/>
                 </Button>
             </ConfirmationDialogWrapper>

From c2299f0340a2650786e85989f61d8fc039dbef01 Mon Sep 17 00:00:00 2001
From: Markus Thielker <markus@thielker.dev>
Date: Sun, 6 Apr 2025 13:02:56 +0200
Subject: [PATCH 46/58] NORY-59: refactor identity queries to use server
 actions

---
 dashboard/src/app/(inside)/user/[id]/page.tsx | 149 +++++++++---------
 dashboard/src/lib/action/identity.ts          |  46 ++++++
 dashboard/src/lib/permission.ts               |   1 +
 3 files changed, 123 insertions(+), 73 deletions(-)

diff --git a/dashboard/src/app/(inside)/user/[id]/page.tsx b/dashboard/src/app/(inside)/user/[id]/page.tsx
index 98a578a..e590abc 100644
--- a/dashboard/src/app/(inside)/user/[id]/page.tsx
+++ b/dashboard/src/app/(inside)/user/[id]/page.tsx
@@ -1,5 +1,4 @@
 import React from 'react';
-import { getIdentityApi } from '@/ory/sdk/server';
 import { ErrorDisplay } from '@/components/error';
 import { Card, CardContent, CardDescription, CardHeader, CardTitle } from '@/components/ui/card';
 import { IdentityTraits } from '@/components/identity/identity-traits';
@@ -14,6 +13,8 @@ import { IdentityCredentials } from '@/components/identity/identity-credentials'
 import { checkPermission, requirePermission, requireSession } from '@/lib/action/authentication';
 import { permission, relation } from '@/lib/permission';
 import { redirect } from 'next/navigation';
+import InsufficientPermission from '@/components/insufficient-permission';
+import { getIdentity, getIdentitySchema, listIdentitySessions } from '@/lib/action/identity';
 
 interface MergedAddress {
     recovery_id?: string;
@@ -91,65 +92,65 @@ export default async function UserDetailsPage({ params }: { params: Promise<{ id
 
     const pmEditUser = await checkPermission(permission.user.it, relation.edit, identityId);
     const pmDeleteUser = await checkPermission(permission.user.it, relation.delete, identityId);
+    const pmAccessUserTraits = await checkPermission(permission.user.trait, relation.access, identityId);
     const pmEditUserState = await checkPermission(permission.user.state, relation.edit, identityId);
+    const pmAccessUserSession = await checkPermission(permission.user.session, relation.access, identityId);
     const pmDeleteUserSession = await checkPermission(permission.user.session, relation.delete, identityId);
     const pmCreateUserCode = await checkPermission(permission.user.code, relation.create, identityId);
     const pmCreateUserLink = await checkPermission(permission.user.link, relation.create, identityId);
 
     const detailIdentityId = (await params).id;
+    const detailIdentity = pmAccessUser && await getIdentity(detailIdentityId);
 
-    const identityApi = await getIdentityApi();
-    const identity = await identityApi.getIdentity({ id: detailIdentityId })
-        .then((response) => {
-            return response.data;
-        })
-        .catch(() => {
-            console.log('Identity not found');
-        });
-
-    const sessions = await identityApi.listIdentitySessions({ id: detailIdentityId })
-        .then((response) => response.data)
-        .catch(() => {
-            console.log('No sessions found');
-        });
-
-    if (!identity) {
+    if (!detailIdentity) {
         return <ErrorDisplay
             title="Identity not found"
             message={`The requested identity with id ${detailIdentityId} does not exist`}/>;
     }
 
-    if (!identity.verifiable_addresses || !identity.verifiable_addresses[0]) {
+    if (!detailIdentity.verifiable_addresses || !detailIdentity.verifiable_addresses[0]) {
         return <ErrorDisplay
             title="No verifiable adress"
             message="The identity you are trying to see exists but has no identifiable address"/>;
     }
 
-    const identitySchema = await identityApi
-        .getIdentitySchema({ id: identity.schema_id })
-        .then((response) => response.data as KratosSchema);
+
+    const detailIdentitySessions = pmAccessUserSession && await listIdentitySessions(detailIdentityId);
+
+    const detailIdentitySchema = await getIdentitySchema(detailIdentity.schema_id)
+        .then((response) => response as KratosSchema);
 
     const addresses = mergeAddresses(
-        identity.recovery_addresses ?? [],
-        identity.verifiable_addresses ?? [],
+        detailIdentity.recovery_addresses ?? [],
+        detailIdentity.verifiable_addresses ?? [],
     );
 
     return (
         <div className="space-y-4">
             <div>
                 <p className="text-3xl font-bold leading-tight tracking-tight">{addresses[0].value}</p>
-                <p className="text-lg font-light">{identity.id}</p>
+                <p className="text-lg font-light">{detailIdentity.id}</p>
             </div>
             <div className="grid grid-cols-1 xl:grid-cols-2 gap-4">
-                <Card className="row-span-3">
-                    <CardHeader>
-                        <CardTitle>Traits</CardTitle>
-                        <CardDescription>All identity properties specified in the identity schema</CardDescription>
-                    </CardHeader>
-                    <CardContent>
-                        <IdentityTraits schema={identitySchema} identity={identity}/>
-                    </CardContent>
-                </Card>
+                {
+                    pmAccessUserTraits ?
+                        <Card className="row-span-3">
+                            <CardHeader>
+                                <CardTitle>Traits</CardTitle>
+                                <CardDescription>All identity properties specified in the identity
+                                    schema</CardDescription>
+                            </CardHeader>
+                            <CardContent>
+                                <IdentityTraits schema={detailIdentitySchema} identity={detailIdentity}/>
+                            </CardContent>
+                        </Card>
+                        :
+                        <InsufficientPermission
+                            permission={permission.user.trait}
+                            relation={relation.access}
+                            identityId={identityId}
+                            classNames="row-span-3"/>
+                }
                 <Card>
                     <CardHeader>
                         <CardTitle>Actions</CardTitle>
@@ -157,7 +158,7 @@ export default async function UserDetailsPage({ params }: { params: Promise<{ id
                     </CardHeader>
                     <CardContent>
                         <IdentityActions
-                            identity={identity}
+                            identity={detailIdentity}
                             permissions={{
                                 pmEditUser,
                                 pmDeleteUser,
@@ -220,7 +221,7 @@ export default async function UserDetailsPage({ params }: { params: Promise<{ id
                         <CardDescription>All authentication mechanisms registered with this identity</CardDescription>
                     </CardHeader>
                     <CardContent className="space-y-4">
-                        <IdentityCredentials identity={identity}/>
+                        <IdentityCredentials identity={detailIdentity}/>
                     </CardContent>
                 </Card>
                 <Card>
@@ -229,46 +230,48 @@ export default async function UserDetailsPage({ params }: { params: Promise<{ id
                         <CardDescription>See and manage all sessions of this identity</CardDescription>
                     </CardHeader>
                     <CardContent>
-                        <Table>
-                            <TableHeader>
-                                <TableRow>
-                                    <TableHead>OS</TableHead>
-                                    <TableHead>Browser</TableHead>
-                                    <TableHead>Active since</TableHead>
-                                </TableRow>
-                            </TableHeader>
-                            <TableBody>
-                                {
-                                    sessions ?
-                                        sessions.map((session) => {
+                        {
+                            detailIdentitySessions ?
+                                <Table>
+                                    <TableHeader>
+                                        <TableRow>
+                                            <TableHead>OS</TableHead>
+                                            <TableHead>Browser</TableHead>
+                                            <TableHead>Active since</TableHead>
+                                        </TableRow>
+                                    </TableHeader>
+                                    <TableBody>
+                                        {
+                                            detailIdentitySessions.map((session) => {
 
-                                            const device = session.devices![0];
-                                            const parser = new UAParser(device.user_agent);
-                                            const result = parser.getResult();
+                                                const device = session.devices![0];
+                                                const parser = new UAParser(device.user_agent);
+                                                const result = parser.getResult();
 
-                                            return (
-                                                <TableRow key={session.id}>
-                                                    <TableCell className="space-x-1">
-                                                        <span>{result.os.name}</span>
-                                                        <span
-                                                            className="text-xs text-neutral-500">{result.os.version}</span>
-                                                    </TableCell>
-                                                    <TableCell className="space-x-1">
-                                                        <span>{result.browser.name}</span>
-                                                        <span
-                                                            className="text-xs text-neutral-500">{result.browser.version}</span>
-                                                    </TableCell>
-                                                    <TableCell>
-                                                        {new Date(session.authenticated_at!).toLocaleString()}
-                                                    </TableCell>
-                                                </TableRow>
-                                            );
-                                        })
-                                        :
-                                        <ErrorDisplay title="No sessions" message=""/>
-                                }
-                            </TableBody>
-                        </Table>
+                                                return (
+                                                    <TableRow key={session.id}>
+                                                        <TableCell className="space-x-1">
+                                                            <span>{result.os.name}</span>
+                                                            <span
+                                                                className="text-xs text-neutral-500">{result.os.version}</span>
+                                                        </TableCell>
+                                                        <TableCell className="space-x-1">
+                                                            <span>{result.browser.name}</span>
+                                                            <span
+                                                                className="text-xs text-neutral-500">{result.browser.version}</span>
+                                                        </TableCell>
+                                                        <TableCell>
+                                                            {new Date(session.authenticated_at!).toLocaleString()}
+                                                        </TableCell>
+                                                    </TableRow>
+                                                );
+                                            })
+                                        }
+                                    </TableBody>
+                                </Table>
+                                :
+                                <p>This user has no active sessions</p>
+                        }
                     </CardContent>
                 </Card>
             </div>
diff --git a/dashboard/src/lib/action/identity.ts b/dashboard/src/lib/action/identity.ts
index b39e721..11ef3d9 100644
--- a/dashboard/src/lib/action/identity.ts
+++ b/dashboard/src/lib/action/identity.ts
@@ -15,6 +15,34 @@ import { eq, ilike, or, sql } from 'drizzle-orm';
 import { checkPermission, requireSession } from '@/lib/action/authentication';
 import { permission, relation } from '@/lib/permission';
 
+export async function getIdentity(id: string) {
+
+    const session = await requireSession();
+    const allowed = await checkPermission(permission.user.it, relation.access, session.identity!.id);
+    if (!allowed) {
+        throw Error('Unauthorised');
+    }
+
+    const identityApi = await getIdentityApi();
+    const { data } = await identityApi.getIdentity({ id });
+
+    console.log('Got identity', data);
+
+    return data;
+}
+
+
+export async function getIdentitySchema(id: string) {
+
+    const identityApi = await getIdentityApi();
+    const { data } = await identityApi.getIdentitySchema({ id: id });
+
+    console.log('Got identity schema');
+
+    return data;
+}
+
+
 interface QueryIdentitiesProps {
     page: number,
     pageSize: number,
@@ -131,6 +159,24 @@ export async function deleteIdentityCredential({ id, type }: DeleteIdentityCrede
     return data;
 }
 
+export async function listIdentitySessions(id: string) {
+
+    const session = await requireSession();
+    const allowed = await checkPermission(permission.user.session, relation.access, session.identity!.id);
+    if (!allowed) {
+        throw Error('Unauthorised');
+    }
+
+    const identityApi = await getIdentityApi();
+    const { data } = await identityApi.listIdentitySessions({ id });
+
+    console.log('Listed identity\'s sessions', data);
+
+    revalidatePath('/user');
+
+    return data;
+}
+
 export async function deleteIdentitySessions(id: string) {
 
     const session = await requireSession();
diff --git a/dashboard/src/lib/permission.ts b/dashboard/src/lib/permission.ts
index 49958b0..69a8523 100644
--- a/dashboard/src/lib/permission.ts
+++ b/dashboard/src/lib/permission.ts
@@ -10,6 +10,7 @@ export const permission = {
         link: 'admin.user.link',
         session: 'admin.user.session',
         state: 'admin.user.state',
+        trait: 'admin.user.trait',
     },
 };
 

From 328b827bf88d70cb1dbbd627f83f68eed0e41a37 Mon Sep 17 00:00:00 2001
From: Markus Thielker <markus@thielker.dev>
Date: Sun, 6 Apr 2025 15:07:16 +0200
Subject: [PATCH 47/58] NORY-59: fix path-revalidation during rendering

---
 dashboard/src/lib/action/identity.ts | 2 --
 1 file changed, 2 deletions(-)

diff --git a/dashboard/src/lib/action/identity.ts b/dashboard/src/lib/action/identity.ts
index 11ef3d9..902d17d 100644
--- a/dashboard/src/lib/action/identity.ts
+++ b/dashboard/src/lib/action/identity.ts
@@ -172,8 +172,6 @@ export async function listIdentitySessions(id: string) {
 
     console.log('Listed identity\'s sessions', data);
 
-    revalidatePath('/user');
-
     return data;
 }
 

From 77c2135e13e5232cac5eef7a0df730316c4ced70 Mon Sep 17 00:00:00 2001
From: Markus Thielker <markus@thielker.dev>
Date: Sun, 6 Apr 2025 15:08:05 +0200
Subject: [PATCH 48/58] NORY-59: protect all missing cards in identity details

---
 dashboard/src/app/(inside)/user/[id]/page.tsx | 207 ++++++++++--------
 dashboard/src/lib/permission.ts               |   1 +
 2 files changed, 118 insertions(+), 90 deletions(-)

diff --git a/dashboard/src/app/(inside)/user/[id]/page.tsx b/dashboard/src/app/(inside)/user/[id]/page.tsx
index e590abc..2fff21c 100644
--- a/dashboard/src/app/(inside)/user/[id]/page.tsx
+++ b/dashboard/src/app/(inside)/user/[id]/page.tsx
@@ -92,7 +92,10 @@ export default async function UserDetailsPage({ params }: { params: Promise<{ id
 
     const pmEditUser = await checkPermission(permission.user.it, relation.edit, identityId);
     const pmDeleteUser = await checkPermission(permission.user.it, relation.delete, identityId);
-    const pmAccessUserTraits = await checkPermission(permission.user.trait, relation.access, identityId);
+    const pmAccessUserTrait = await checkPermission(permission.user.trait, relation.access, identityId);
+    const pmEditUserTraits = await checkPermission(permission.user.trait, relation.edit, identityId);
+    const pmAccessUserAddress = await checkPermission(permission.user.address, relation.access, identityId);
+    const pmAccessUserCredential = await checkPermission(permission.user.credential, relation.access, identityId);
     const pmEditUserState = await checkPermission(permission.user.state, relation.edit, identityId);
     const pmAccessUserSession = await checkPermission(permission.user.session, relation.access, identityId);
     const pmDeleteUserSession = await checkPermission(permission.user.session, relation.delete, identityId);
@@ -114,7 +117,6 @@ export default async function UserDetailsPage({ params }: { params: Promise<{ id
             message="The identity you are trying to see exists but has no identifiable address"/>;
     }
 
-
     const detailIdentitySessions = pmAccessUserSession && await listIdentitySessions(detailIdentityId);
 
     const detailIdentitySchema = await getIdentitySchema(detailIdentity.schema_id)
@@ -133,7 +135,7 @@ export default async function UserDetailsPage({ params }: { params: Promise<{ id
             </div>
             <div className="grid grid-cols-1 xl:grid-cols-2 gap-4">
                 {
-                    pmAccessUserTraits ?
+                    pmAccessUserTrait ?
                         <Card className="row-span-3">
                             <CardHeader>
                                 <CardTitle>Traits</CardTitle>
@@ -170,98 +172,44 @@ export default async function UserDetailsPage({ params }: { params: Promise<{ id
                         />
                     </CardContent>
                 </Card>
-                <Card>
-                    <CardHeader>
-                        <CardTitle>Addresses</CardTitle>
-                        <CardDescription>All linked addresses for verification and recovery</CardDescription>
-                    </CardHeader>
-                    <CardContent>
+                {
+                    pmAccessUserAddress ?
+                        <Card>
+                            <CardHeader>
+                                <CardTitle>Addresses</CardTitle>
+                                <CardDescription>All linked addresses for verification and recovery</CardDescription>
+                            </CardHeader>
+                            <CardContent>
 
-                        <Table>
-                            <TableHeader>
-                                <TableRow>
-                                    <TableHead>Type</TableHead>
-                                    <TableHead>Value</TableHead>
-                                </TableRow>
-                            </TableHeader>
-                            <TableBody>
-                                {
-                                    addresses.map((address) => {
-                                        return (
-                                            <TableRow key={address.value}>
-                                                <TableCell>{address.value}</TableCell>
-                                                <TableCell>{address.via}</TableCell>
-                                                <TableCell>
-                                                    {address.verifiable_id &&
-                                                        <Badge className="m-1 space-x-1">
-                                                            <span>Verifiable</span>
-                                                            {
-                                                                address.verified ?
-                                                                    <Check className="h-3 w-3"/>
-                                                                    :
-                                                                    <X className="h-3 w-3"/>
-                                                            }
-                                                        </Badge>
-                                                    }
-                                                    {address.recovery_id &&
-                                                        <Badge className="m-1">Recovery</Badge>
-                                                    }
-                                                </TableCell>
-                                            </TableRow>
-                                        );
-                                    })
-                                }
-                            </TableBody>
-                        </Table>
-                    </CardContent>
-                </Card>
-                <Card>
-                    <CardHeader>
-                        <CardTitle>Credentials</CardTitle>
-                        <CardDescription>All authentication mechanisms registered with this identity</CardDescription>
-                    </CardHeader>
-                    <CardContent className="space-y-4">
-                        <IdentityCredentials identity={detailIdentity}/>
-                    </CardContent>
-                </Card>
-                <Card>
-                    <CardHeader>
-                        <CardTitle>Sessions</CardTitle>
-                        <CardDescription>See and manage all sessions of this identity</CardDescription>
-                    </CardHeader>
-                    <CardContent>
-                        {
-                            detailIdentitySessions ?
                                 <Table>
                                     <TableHeader>
                                         <TableRow>
-                                            <TableHead>OS</TableHead>
-                                            <TableHead>Browser</TableHead>
-                                            <TableHead>Active since</TableHead>
+                                            <TableHead>Type</TableHead>
+                                            <TableHead>Value</TableHead>
                                         </TableRow>
                                     </TableHeader>
                                     <TableBody>
                                         {
-                                            detailIdentitySessions.map((session) => {
-
-                                                const device = session.devices![0];
-                                                const parser = new UAParser(device.user_agent);
-                                                const result = parser.getResult();
-
+                                            addresses.map((address) => {
                                                 return (
-                                                    <TableRow key={session.id}>
-                                                        <TableCell className="space-x-1">
-                                                            <span>{result.os.name}</span>
-                                                            <span
-                                                                className="text-xs text-neutral-500">{result.os.version}</span>
-                                                        </TableCell>
-                                                        <TableCell className="space-x-1">
-                                                            <span>{result.browser.name}</span>
-                                                            <span
-                                                                className="text-xs text-neutral-500">{result.browser.version}</span>
-                                                        </TableCell>
+                                                    <TableRow key={address.value}>
+                                                        <TableCell>{address.value}</TableCell>
+                                                        <TableCell>{address.via}</TableCell>
                                                         <TableCell>
-                                                            {new Date(session.authenticated_at!).toLocaleString()}
+                                                            {address.verifiable_id &&
+                                                                <Badge className="m-1 space-x-1">
+                                                                    <span>Verifiable</span>
+                                                                    {
+                                                                        address.verified ?
+                                                                            <Check className="h-3 w-3"/>
+                                                                            :
+                                                                            <X className="h-3 w-3"/>
+                                                                    }
+                                                                </Badge>
+                                                            }
+                                                            {address.recovery_id &&
+                                                                <Badge className="m-1">Recovery</Badge>
+                                                            }
                                                         </TableCell>
                                                     </TableRow>
                                                 );
@@ -269,11 +217,90 @@ export default async function UserDetailsPage({ params }: { params: Promise<{ id
                                         }
                                     </TableBody>
                                 </Table>
-                                :
-                                <p>This user has no active sessions</p>
-                        }
-                    </CardContent>
-                </Card>
+                            </CardContent>
+                        </Card>
+                        :
+                        <InsufficientPermission
+                            permission={permission.user.address}
+                            relation={relation.access}
+                            identityId={identityId}/>
+                }
+                {
+                    pmAccessUserCredential ?
+                        <Card>
+                            <CardHeader>
+                                <CardTitle>Credentials</CardTitle>
+                                <CardDescription>All authentication mechanisms registered with this
+                                    identity</CardDescription>
+                            </CardHeader>
+                            <CardContent className="space-y-4">
+                                <IdentityCredentials identity={detailIdentity}/>
+                            </CardContent>
+                        </Card>
+                        :
+                        <InsufficientPermission
+                            permission={permission.user.credential}
+                            relation={relation.access}
+                            identityId={identityId}/>
+                }
+                {
+                    pmAccessUserSession ?
+                        <Card>
+                            <CardHeader>
+                                <CardTitle>Sessions</CardTitle>
+                                <CardDescription>See and manage all sessions of this identity</CardDescription>
+                            </CardHeader>
+                            <CardContent>
+                                {
+                                    detailIdentitySessions ?
+                                        <Table>
+                                            <TableHeader>
+                                                <TableRow>
+                                                    <TableHead>OS</TableHead>
+                                                    <TableHead>Browser</TableHead>
+                                                    <TableHead>Active since</TableHead>
+                                                </TableRow>
+                                            </TableHeader>
+                                            <TableBody>
+                                                {
+                                                    detailIdentitySessions.map((session) => {
+
+                                                        const device = session.devices![0];
+                                                        const parser = new UAParser(device.user_agent);
+                                                        const result = parser.getResult();
+
+                                                        return (
+                                                            <TableRow key={session.id}>
+                                                                <TableCell className="space-x-1">
+                                                                    <span>{result.os.name}</span>
+                                                                    <span
+                                                                        className="text-xs text-neutral-500">{result.os.version}</span>
+                                                                </TableCell>
+                                                                <TableCell className="space-x-1">
+                                                                    <span>{result.browser.name}</span>
+                                                                    <span
+                                                                        className="text-xs text-neutral-500">{result.browser.version}</span>
+                                                                </TableCell>
+                                                                <TableCell>
+                                                                    {new Date(session.authenticated_at!).toLocaleString()}
+                                                                </TableCell>
+                                                            </TableRow>
+                                                        );
+                                                    })
+                                                }
+                                            </TableBody>
+                                        </Table>
+                                        :
+                                        <p>This user has no active sessions</p>
+                                }
+                            </CardContent>
+                        </Card>
+                        :
+                        <InsufficientPermission
+                            permission={permission.user.session}
+                            relation={relation.access}
+                            identityId={identityId}/>
+                }
             </div>
         </div>
     );
diff --git a/dashboard/src/lib/permission.ts b/dashboard/src/lib/permission.ts
index 69a8523..9fc8ba0 100644
--- a/dashboard/src/lib/permission.ts
+++ b/dashboard/src/lib/permission.ts
@@ -5,6 +5,7 @@ export const permission = {
     },
     user: {
         it: 'admin.user',
+        address: 'admin.user.address',
         code: 'admin.user.code',
         credential: 'admin.user.credential',
         link: 'admin.user.link',

From af89324237c6b5f3b73b5de0f8a705f04a653717 Mon Sep 17 00:00:00 2001
From: Markus Thielker <markus@thielker.dev>
Date: Sun, 6 Apr 2025 17:59:45 +0200
Subject: [PATCH 49/58] NORY-59: fix permission in delete-identity server
 action

---
 dashboard/src/lib/action/identity.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/dashboard/src/lib/action/identity.ts b/dashboard/src/lib/action/identity.ts
index 902d17d..d214e17 100644
--- a/dashboard/src/lib/action/identity.ts
+++ b/dashboard/src/lib/action/identity.ts
@@ -286,7 +286,7 @@ export async function unblockIdentity(id: string) {
 export async function deleteIdentity(id: string) {
 
     const session = await requireSession();
-    const allowed = await checkPermission(permission.user.credential, relation.delete, session.identity!.id);
+    const allowed = await checkPermission(permission.user.it, relation.delete, session.identity!.id);
     if (!allowed) {
         throw Error('Unauthorised');
     }

From ac6343afe02f4c4dae12c5e981d504dd3a644948 Mon Sep 17 00:00:00 2001
From: Markus Thielker <markus@thielker.dev>
Date: Sun, 6 Apr 2025 19:16:01 +0200
Subject: [PATCH 50/58] NORY-59: disable identity traits form if edit
 permission is missing

---
 dashboard/src/app/(inside)/user/[id]/page.tsx         |  6 +++++-
 dashboard/src/components/dynamic-form.tsx             |  8 +++++---
 dashboard/src/components/identity/identity-traits.tsx | 10 ++++++----
 3 files changed, 16 insertions(+), 8 deletions(-)

diff --git a/dashboard/src/app/(inside)/user/[id]/page.tsx b/dashboard/src/app/(inside)/user/[id]/page.tsx
index 2fff21c..3393c58 100644
--- a/dashboard/src/app/(inside)/user/[id]/page.tsx
+++ b/dashboard/src/app/(inside)/user/[id]/page.tsx
@@ -143,7 +143,11 @@ export default async function UserDetailsPage({ params }: { params: Promise<{ id
                                     schema</CardDescription>
                             </CardHeader>
                             <CardContent>
-                                <IdentityTraits schema={detailIdentitySchema} identity={detailIdentity}/>
+                                <IdentityTraits
+                                    schema={detailIdentitySchema}
+                                    identity={detailIdentity}
+                                    disabled={!pmEditUserTraits}
+                                />
                             </CardContent>
                         </Card>
                         :
diff --git a/dashboard/src/components/dynamic-form.tsx b/dashboard/src/components/dynamic-form.tsx
index 9020d46..f36cde4 100644
--- a/dashboard/src/components/dynamic-form.tsx
+++ b/dashboard/src/components/dynamic-form.tsx
@@ -15,6 +15,7 @@ interface DynamicFormProps<T extends FieldValues> {
     onValid: SubmitHandler<T>,
     onInvalid: SubmitErrorHandler<T>,
     submitLabel?: string,
+    disabled?: boolean,
 }
 
 export function DynamicForm<T extends FieldValues>(
@@ -25,6 +26,7 @@ export function DynamicForm<T extends FieldValues>(
         onValid,
         onInvalid,
         submitLabel,
+        disabled,
     }: DynamicFormProps<T>,
 ) {
 
@@ -48,7 +50,7 @@ export function DynamicForm<T extends FieldValues>(
                                     key={fullFieldName}
                                     render={({ field }) => (
                                         <FormItem className="flex items-center space-x-2 space-y-0">
-                                            <Checkbox {...field} checked={field.value}/>
+                                            <Checkbox {...field} disabled={disabled} checked={field.value}/>
                                             <FormLabel>{key}</FormLabel>
                                         </FormItem>
                                     )}
@@ -65,7 +67,7 @@ export function DynamicForm<T extends FieldValues>(
                                         <FormItem>
                                             <FormLabel>{value.title}</FormLabel>
                                             <FormControl>
-                                                <Input placeholder={value.title} {...field} />
+                                                <Input placeholder={value.title} {...field} disabled={disabled}/>
                                             </FormControl>
                                             <FormDescription>{value.description}</FormDescription>
                                         </FormItem>
@@ -87,7 +89,7 @@ export function DynamicForm<T extends FieldValues>(
                 <Button
                     key="submit"
                     type="submit"
-                    disabled={!form.formState.isDirty}
+                    disabled={!form.formState.isDirty || disabled}
                 >
                     {submitLabel ?? 'Submit'}
                 </Button>
diff --git a/dashboard/src/components/identity/identity-traits.tsx b/dashboard/src/components/identity/identity-traits.tsx
index 1606db4..3feb314 100644
--- a/dashboard/src/components/identity/identity-traits.tsx
+++ b/dashboard/src/components/identity/identity-traits.tsx
@@ -16,9 +16,10 @@ import { useState } from 'react';
 interface IdentityTraitFormProps {
     schema: KratosSchema;
     identity: Identity;
+    disabled: boolean;
 }
 
-export function IdentityTraits({ schema, identity }: IdentityTraitFormProps) {
+export function IdentityTraits({ schema, identity, disabled }: IdentityTraitFormProps) {
 
     const [currentIdentity, setCurrentIdentity] = useState(identity);
 
@@ -74,10 +75,11 @@ export function IdentityTraits({ schema, identity }: IdentityTraitFormProps) {
     return (
         <DynamicForm
             form={form}
+            disabled={disabled}
             properties={schema.properties.traits.properties}
             onValid={onValid}
             onInvalid={onInvalid}
-            submitLabel="Update Identity"
+            submitLabel={disabled ? 'Insufficient permissions' : 'Update Identity'}
         >
             <FormField
                 {...form.register('metadata_public')}
@@ -86,7 +88,7 @@ export function IdentityTraits({ schema, identity }: IdentityTraitFormProps) {
                     <FormItem>
                         <FormLabel>Public Metadata</FormLabel>
                         <FormControl>
-                            <Textarea placeholder="Public Metadata" {...field} />
+                            <Textarea placeholder="Public Metadata" {...field} disabled={disabled}/>
                         </FormControl>
                         <FormDescription>This has to be valid JSON</FormDescription>
                     </FormItem>
@@ -99,7 +101,7 @@ export function IdentityTraits({ schema, identity }: IdentityTraitFormProps) {
                     <FormItem>
                         <FormLabel>Admin Metadata</FormLabel>
                         <FormControl>
-                            <Textarea placeholder="Admin Metadata" {...field} />
+                            <Textarea placeholder="Admin Metadata" {...field} disabled={disabled}/>
                         </FormControl>
                         <FormDescription>This has to be valid JSON</FormDescription>
                     </FormItem>

From 57a83bccccbe1ac853db7efa158279bdd8ac0ddd Mon Sep 17 00:00:00 2001
From: Markus Thielker <markus@thielker.dev>
Date: Sun, 6 Apr 2025 19:16:31 +0200
Subject: [PATCH 51/58] NORY-59: remove unused permission

---
 dashboard/src/app/(inside)/user/[id]/page.tsx          | 2 --
 dashboard/src/components/identity/identity-actions.tsx | 1 -
 2 files changed, 3 deletions(-)

diff --git a/dashboard/src/app/(inside)/user/[id]/page.tsx b/dashboard/src/app/(inside)/user/[id]/page.tsx
index 3393c58..e132f18 100644
--- a/dashboard/src/app/(inside)/user/[id]/page.tsx
+++ b/dashboard/src/app/(inside)/user/[id]/page.tsx
@@ -90,7 +90,6 @@ export default async function UserDetailsPage({ params }: { params: Promise<{ id
         return redirect('/user');
     }
 
-    const pmEditUser = await checkPermission(permission.user.it, relation.edit, identityId);
     const pmDeleteUser = await checkPermission(permission.user.it, relation.delete, identityId);
     const pmAccessUserTrait = await checkPermission(permission.user.trait, relation.access, identityId);
     const pmEditUserTraits = await checkPermission(permission.user.trait, relation.edit, identityId);
@@ -166,7 +165,6 @@ export default async function UserDetailsPage({ params }: { params: Promise<{ id
                         <IdentityActions
                             identity={detailIdentity}
                             permissions={{
-                                pmEditUser,
                                 pmDeleteUser,
                                 pmEditUserState,
                                 pmDeleteUserSession,
diff --git a/dashboard/src/components/identity/identity-actions.tsx b/dashboard/src/components/identity/identity-actions.tsx
index b6a48ca..7606af3 100644
--- a/dashboard/src/components/identity/identity-actions.tsx
+++ b/dashboard/src/components/identity/identity-actions.tsx
@@ -30,7 +30,6 @@ import { Label } from '@/components/ui/label';
 interface IdentityActionProps {
     identity: Identity,
     permissions: {
-        pmEditUser: boolean;
         pmDeleteUser: boolean;
         pmEditUserState: boolean;
         pmDeleteUserSession: boolean;

From c46b4cb9a34782ec140f1d8e9cf9e6234dd3b589 Mon Sep 17 00:00:00 2001
From: Markus Thielker <markus@thielker.dev>
Date: Sun, 6 Apr 2025 19:17:01 +0200
Subject: [PATCH 52/58] NORY-59: create new script to initialise the admin role

---
 docker/ory-dev/keto-init-admin-role.sh | 47 ++++++++++++++++++++++++++
 1 file changed, 47 insertions(+)
 create mode 100644 docker/ory-dev/keto-init-admin-role.sh

diff --git a/docker/ory-dev/keto-init-admin-role.sh b/docker/ory-dev/keto-init-admin-role.sh
new file mode 100644
index 0000000..171ee20
--- /dev/null
+++ b/docker/ory-dev/keto-init-admin-role.sh
@@ -0,0 +1,47 @@
+# this script adds all permissions required for full control over the dashboard to
+# all everybody, who is a member of the admin role
+
+# Define an array with tuples as strings
+permissions=(
+  "admin.stack.dashboard#access"
+  "admin.stack.status#access"
+  "admin.user#access"
+  "admin.user#create"
+  "admin.user#edit"
+  "admin.user#delete"
+  "admin.user.session#access"
+  "admin.user.session#delete"
+  "admin.user.state#edit"
+  "admin.user.code#create"
+  "admin.user.link#create"
+  "admin.user.trait#access"
+  "admin.user.trait#edit"
+  "admin.user.address#access"
+  "admin.user.credential#access"
+  "admin.user.credential#delete"
+)
+
+# Iterate over the array
+for permission in "${permissions[@]}"; do
+
+    # split strings
+    IFS='#' read -r OBJECT RELATION <<< "$permission"
+
+    # execute curl to Ory Keto write endpoint
+    curl --silent --request PUT \
+      --url http://localhost:4467/admin/relation-tuples \
+      --data '{
+               "namespace": "permissions",
+               "object": "'"$OBJECT"'",
+               "relation": "'"$RELATION"'",
+               "subject_set": {
+                  "namespace": "roles",
+                  "object": "admin",
+                  "relation": "member"
+               }
+             }' > /dev/null
+
+    # write success response to terminal
+    echo "Added relation Permissions:$OBJECT#$RELATION@(Roles:admin#member)"
+
+done

From 6a967157a5a1e763519147acc0dff3e89ee62894 Mon Sep 17 00:00:00 2001
From: Markus Thielker <markus@thielker.dev>
Date: Sun, 6 Apr 2025 19:17:17 +0200
Subject: [PATCH 53/58] NORY-59: update comments explaining the existing
 scripts

---
 docker/ory-dev/hydra-create-client.sh         | 2 +-
 docker/ory-dev/hydra-test-consent.sh          | 2 +-
 docker/ory-dev/keto-add-permission-to-role.sh | 3 +--
 3 files changed, 3 insertions(+), 4 deletions(-)

diff --git a/docker/ory-dev/hydra-create-client.sh b/docker/ory-dev/hydra-create-client.sh
index 181920e..7d47b3a 100644
--- a/docker/ory-dev/hydra-create-client.sh
+++ b/docker/ory-dev/hydra-create-client.sh
@@ -1,4 +1,4 @@
-# this script adds a new oath client using the
+# this script adds a new OAuth client using the
 # Ory Hydra CLI and writes the client id and
 # client secret to the command line.
 
diff --git a/docker/ory-dev/hydra-test-consent.sh b/docker/ory-dev/hydra-test-consent.sh
index 8067e7d..1f018ca 100644
--- a/docker/ory-dev/hydra-test-consent.sh
+++ b/docker/ory-dev/hydra-test-consent.sh
@@ -1,4 +1,4 @@
-# this script adds a new oath client using the
+# this script adds a new OAuth client using the
 # Ory Hydra CLI and uses the client to start
 # the Ory Hydra test application.
 
diff --git a/docker/ory-dev/keto-add-permission-to-role.sh b/docker/ory-dev/keto-add-permission-to-role.sh
index 9a0f7fa..65807a2 100644
--- a/docker/ory-dev/keto-add-permission-to-role.sh
+++ b/docker/ory-dev/keto-add-permission-to-role.sh
@@ -1,5 +1,4 @@
-# this script gives the referenced identity the admin role
-# make sure to provide the id of the identity
+# this script creates a reference from the role to the permission you provide
 
 # check if a identity id argument was provided
 if [ $# -ne 4 ]; then

From 6f57f4fb388b4d2ab6577c20b333e2e62097d894 Mon Sep 17 00:00:00 2001
From: Markus Thielker <markus@thielker.dev>
Date: Mon, 7 Apr 2025 11:36:57 +0200
Subject: [PATCH 54/58] NORY-59: refactor server action parameters

---
 dashboard/src/app/(inside)/user/page.tsx      |  2 +-
 .../identity/identity-credentials.tsx         |  2 +-
 .../components/identity/identity-traits.tsx   |  8 +++----
 dashboard/src/lib/action/identity.ts          | 24 +++----------------
 4 files changed, 9 insertions(+), 27 deletions(-)

diff --git a/dashboard/src/app/(inside)/user/page.tsx b/dashboard/src/app/(inside)/user/page.tsx
index ebb9079..8218dc3 100644
--- a/dashboard/src/app/(inside)/user/page.tsx
+++ b/dashboard/src/app/(inside)/user/page.tsx
@@ -34,7 +34,7 @@ export default async function UserPage(
     let pageSize = 50;
     let paginationRange = 11;
 
-    const users = pmAccessUser && await queryIdentities({ page, pageSize, query });
+    const users = pmAccessUser && await queryIdentities(page, pageSize, query);
 
     return (
         <div className="space-y-4">
diff --git a/dashboard/src/components/identity/identity-credentials.tsx b/dashboard/src/components/identity/identity-credentials.tsx
index f362971..78e1fe6 100644
--- a/dashboard/src/components/identity/identity-credentials.tsx
+++ b/dashboard/src/components/identity/identity-credentials.tsx
@@ -36,7 +36,7 @@ export function IdentityCredentials({ identity }: IdentityCredentialsProps) {
                                         (
                                             <ConfirmationDialogWrapper
                                                 onSubmit={async () => {
-                                                    deleteIdentityCredential({ id: identity.id, type: key as never })
+                                                    deleteIdentityCredential(identity.id, key as never)
                                                         .then(() => toast.success(`Credential ${key} deleted`))
                                                         .catch(() => toast.error(`Deleting credential ${key} failed`));
                                                 }}
diff --git a/dashboard/src/components/identity/identity-traits.tsx b/dashboard/src/components/identity/identity-traits.tsx
index 3feb314..1a9205c 100644
--- a/dashboard/src/components/identity/identity-traits.tsx
+++ b/dashboard/src/components/identity/identity-traits.tsx
@@ -48,16 +48,16 @@ export function IdentityTraits({ schema, identity, disabled }: IdentityTraitForm
         delete traits['metadata_public'];
         delete traits['metadata_admin'];
 
-        updateIdentity({
-            id: currentIdentity.id,
-            body: {
+        updateIdentity(
+            currentIdentity.id,
+            {
                 schema_id: currentIdentity.schema_id,
                 state: currentIdentity.state!,
                 traits: traits,
                 metadata_public: data.metadata_public,
                 metadata_admin: data.metadata_admin,
             },
-        })
+        )
             .then((identity) => {
                 setCurrentIdentity(identity);
                 toast.success('Identity updated');
diff --git a/dashboard/src/lib/action/identity.ts b/dashboard/src/lib/action/identity.ts
index d214e17..236e4b0 100644
--- a/dashboard/src/lib/action/identity.ts
+++ b/dashboard/src/lib/action/identity.ts
@@ -42,14 +42,7 @@ export async function getIdentitySchema(id: string) {
     return data;
 }
 
-
-interface QueryIdentitiesProps {
-    page: number,
-    pageSize: number,
-    query?: string,
-}
-
-export async function queryIdentities({ page, pageSize, query }: QueryIdentitiesProps) {
+export async function queryIdentities(page: number, pageSize: number, query?: string) {
 
     const session = await requireSession();
     const allowed = await checkPermission(permission.user.it, relation.access, session.identity!.id);
@@ -109,13 +102,7 @@ export async function queryIdentities({ page, pageSize, query }: QueryIdentities
     };
 }
 
-
-interface UpdatedIdentityProps {
-    id: string;
-    body: UpdateIdentityBody;
-}
-
-export async function updateIdentity({ id, body }: UpdatedIdentityProps) {
+export async function updateIdentity(id: string, body: UpdateIdentityBody) {
 
     const session = await requireSession();
     const allowed = await checkPermission(permission.user.it, relation.edit, session.identity!.id);
@@ -136,12 +123,7 @@ export async function updateIdentity({ id, body }: UpdatedIdentityProps) {
     return data;
 }
 
-interface DeleteIdentityCredentialProps {
-    id: string;
-    type: DeleteIdentityCredentialsTypeEnum;
-}
-
-export async function deleteIdentityCredential({ id, type }: DeleteIdentityCredentialProps) {
+export async function deleteIdentityCredential(id: string, type: DeleteIdentityCredentialsTypeEnum) {
 
     const session = await requireSession();
     const allowed = await checkPermission(permission.user.credential, relation.delete, session.identity!.id);

From f73bfe603baf5d58028ace59de826efdb35647c4 Mon Sep 17 00:00:00 2001
From: Markus Thielker <markus@thielker.dev>
Date: Mon, 7 Apr 2025 13:59:46 +0200
Subject: [PATCH 55/58] NORY-46: fix different label sizes

---
 dashboard/src/components/forms/client-form.tsx | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/dashboard/src/components/forms/client-form.tsx b/dashboard/src/components/forms/client-form.tsx
index fc5d6be..9b74ceb 100644
--- a/dashboard/src/components/forms/client-form.tsx
+++ b/dashboard/src/components/forms/client-form.tsx
@@ -208,7 +208,7 @@ export function CreateClientForm({ action }: CreateClientFormProps) {
                                 render={({ field }) => (
                                     <FormItem className="flex flex-row items-center justify-between rounded-lg">
                                         <div className="space-y-0.5">
-                                            <FormLabel className="text-base">
+                                            <FormLabel>
                                                 Skip consent
                                             </FormLabel>
                                             <FormDescription>
@@ -425,7 +425,7 @@ export function CreateClientForm({ action }: CreateClientFormProps) {
                                 render={({ field }) => (
                                     <FormItem className="flex flex-row items-center justify-between rounded-lg">
                                         <div className="space-y-0.5">
-                                            <FormLabel className="text-base">
+                                            <FormLabel>
                                                 Frontchannel Logout Session Required
                                             </FormLabel>
                                             <FormDescription>
@@ -471,7 +471,7 @@ export function CreateClientForm({ action }: CreateClientFormProps) {
                                 render={({ field }) => (
                                     <FormItem className="flex flex-row items-center justify-between rounded-lg">
                                         <div className="space-y-0.5">
-                                            <FormLabel className="text-base">
+                                            <FormLabel>
                                                 Backchannel Logout Session Required
                                             </FormLabel>
                                             <FormDescription>

From d9a3cde1695a4038d54cce3427477369c2452f12 Mon Sep 17 00:00:00 2001
From: Markus Thielker <markus@thielker.dev>
Date: Mon, 7 Apr 2025 14:00:10 +0200
Subject: [PATCH 56/58] NORY-46: fix uri input placeholders

---
 dashboard/src/components/forms/client-form.tsx | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/dashboard/src/components/forms/client-form.tsx b/dashboard/src/components/forms/client-form.tsx
index 9b74ceb..0ca84b6 100644
--- a/dashboard/src/components/forms/client-form.tsx
+++ b/dashboard/src/components/forms/client-form.tsx
@@ -238,7 +238,7 @@ export function CreateClientForm({ action }: CreateClientFormProps) {
                                                     </FormDescription>
                                                     <FormControl>
                                                         <Input
-                                                            placeholder="https://myapp.example/logo.png" {...field} />
+                                                            placeholder="https://" {...field} />
                                                     </FormControl>
                                                     <FormMessage/>
                                                 </FormItem>
@@ -259,7 +259,7 @@ export function CreateClientForm({ action }: CreateClientFormProps) {
                                                     </FormDescription>
                                                     <FormControl>
                                                         <Input
-                                                            placeholder="https://myapp.example/privacy_policy"
+                                                            placeholder="https://"
                                                             {...field}
                                                         />
                                                     </FormControl>
@@ -282,7 +282,7 @@ export function CreateClientForm({ action }: CreateClientFormProps) {
                                                     </FormDescription>
                                                     <FormControl>
                                                         <Input
-                                                            placeholder="https://myapp.example/terms_of_service" {...field} />
+                                                            placeholder="https://" {...field} />
                                                     </FormControl>
                                                     <FormMessage/>
                                                 </FormItem>

From 222a93886b6ec9a0d53ccca102a7701efda3bcef Mon Sep 17 00:00:00 2001
From: Markus Thielker <markus@thielker.dev>
Date: Tue, 8 Apr 2025 10:52:47 +0200
Subject: [PATCH 57/58] NORY-46: refactor permission checks after rebase

---
 dashboard/src/app/(inside)/client/page.tsx | 53 +++++++++++++++++-----
 dashboard/src/lib/action/client.ts         | 20 +++-----
 dashboard/src/lib/permission.ts            |  3 ++
 3 files changed, 51 insertions(+), 25 deletions(-)

diff --git a/dashboard/src/app/(inside)/client/page.tsx b/dashboard/src/app/(inside)/client/page.tsx
index be59eba..42e0092 100644
--- a/dashboard/src/app/(inside)/client/page.tsx
+++ b/dashboard/src/app/(inside)/client/page.tsx
@@ -1,7 +1,10 @@
 import { getOAuth2Api } from '@/ory/sdk/server';
-import { ClientDataTable } from '@/app/(inside)/client/data-table';
 import { Button } from '@/components/ui/button';
 import Link from 'next/link';
+import { checkPermission, requireSession } from '@/lib/action/authentication';
+import { permission, relation } from '@/lib/permission';
+import InsufficientPermission from '@/components/insufficient-permission';
+import { ClientDataTable } from '@/app/(inside)/client/data-table';
 
 export interface FetchClientPageProps {
     pageSize: number;
@@ -31,6 +34,12 @@ function parseTokens(link: string) {
 async function fetchClientPage({ pageSize, pageToken }: FetchClientPageProps) {
     'use server';
 
+    const session = await requireSession();
+    const allowed = await checkPermission(permission.client.it, relation.access, session.identity!.id);
+    if (!allowed) {
+        throw Error('Unauthorised');
+    }
+
     const oAuth2Api = await getOAuth2Api();
     const response = await oAuth2Api.listOAuth2Clients({
         pageSize: pageSize,
@@ -45,10 +54,16 @@ async function fetchClientPage({ pageSize, pageToken }: FetchClientPageProps) {
 
 export default async function ListClientPage() {
 
+    const session = await requireSession();
+    const identityId = session.identity!.id;
+
+    const pmAccessClient = await checkPermission(permission.client.it, relation.access, identityId);
+    const pmCreateClient = await checkPermission(permission.client.it, relation.create, identityId);
+
     let pageSize = 100;
     let pageToken: string = '00000000-0000-0000-0000-000000000000';
 
-    const initialFetch = await fetchClientPage({ pageSize, pageToken });
+    const initialFetch = pmAccessClient && await fetchClientPage({ pageSize, pageToken });
 
     return (
         <div className="space-y-4">
@@ -57,17 +72,31 @@ export default async function ListClientPage() {
                 <p className="text-lg font-light">
                     See and manage all OAuth2 clients registered with your Ory Hydra instance
                 </p>
-                <Button className="absolute bottom-0 right-0" asChild>
-                    <Link href="/client/create">
-                        Create new client
-                    </Link>
-                </Button>
+                {
+                    pmCreateClient && (
+                        <Button className="absolute bottom-0 right-0" asChild>
+                            <Link href="/client/create">
+                                Create new client
+                            </Link>
+                        </Button>
+                    )
+                }
             </div>
-            <ClientDataTable
-                data={initialFetch.data}
-                pageSize={pageSize}
-                pageToken={initialFetch.tokens.get('next')}
-                fetchClientPage={fetchClientPage}/>
+            {
+                pmAccessClient ?
+                    (
+                        initialFetch && <ClientDataTable
+                            data={initialFetch.data}
+                            pageSize={pageSize}
+                            pageToken={initialFetch.tokens.get('next')}
+                            fetchClientPage={fetchClientPage}/>
+                    )
+                    :
+                    <InsufficientPermission
+                        permission={permission.client.it}
+                        relation={relation.access}
+                        identityId={identityId}/>
+            }
         </div>
     );
 }
diff --git a/dashboard/src/lib/action/client.ts b/dashboard/src/lib/action/client.ts
index 5cc2799..fb5156b 100644
--- a/dashboard/src/lib/action/client.ts
+++ b/dashboard/src/lib/action/client.ts
@@ -2,24 +2,18 @@
 
 import { clientFormSchema } from '@/lib/forms/client-form';
 import { z } from 'zod';
-import { getFrontendApi, getOAuth2Api } from '@/ory/sdk/server';
-import { cookies } from 'next/headers';
+import { getOAuth2Api } from '@/ory/sdk/server';
+import { checkPermission, requireSession } from '@/lib/action/authentication';
+import { permission, relation } from '@/lib/permission';
 
 export async function createClient(
     formData: z.infer<typeof clientFormSchema>,
 ) {
 
-    const cookie = await cookies();
-    const frontendApi = await getFrontendApi();
-
-    const session = await frontendApi
-        .toSession({ cookie: 'ory_kratos_session=' + cookie.get('ory_kratos_session')?.value })
-        .then((response) => response.data)
-        .catch(() => null);
-
-    if (!session) {
-        console.log('Unauthorised action call');
-        throw 'Unauthorised';
+    const session = await requireSession();
+    const allowed = await checkPermission(permission.client.it, relation.create, session.identity!.id);
+    if (!allowed) {
+        throw Error('Unauthorised');
     }
 
     console.log(session.identity?.traits.email, 'posted form', formData);
diff --git a/dashboard/src/lib/permission.ts b/dashboard/src/lib/permission.ts
index 9fc8ba0..38619ac 100644
--- a/dashboard/src/lib/permission.ts
+++ b/dashboard/src/lib/permission.ts
@@ -13,6 +13,9 @@ export const permission = {
         state: 'admin.user.state',
         trait: 'admin.user.trait',
     },
+    client: {
+        it: 'admin.client',
+    },
 };
 
 export const relation = {

From 96b1af1ce0508c2b5586a834eff22f863d272358 Mon Sep 17 00:00:00 2001
From: Markus Thielker <markus@thielker.dev>
Date: Tue, 8 Apr 2025 10:58:03 +0200
Subject: [PATCH 58/58] NORY-46: protect create-client page with permissions

---
 dashboard/src/app/(inside)/client/create/page.tsx | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/dashboard/src/app/(inside)/client/create/page.tsx b/dashboard/src/app/(inside)/client/create/page.tsx
index f42fda6..3aa3c9a 100644
--- a/dashboard/src/app/(inside)/client/create/page.tsx
+++ b/dashboard/src/app/(inside)/client/create/page.tsx
@@ -1,7 +1,19 @@
 import { CreateClientForm } from '@/components/forms/client-form';
 import { createClient } from '@/lib/action/client';
+import { checkPermission, requireSession } from '@/lib/action/authentication';
+import { permission, relation } from '@/lib/permission';
+import { redirect } from 'next/navigation';
 
 export default async function CreateClientPage() {
+
+    const session = await requireSession();
+    const identityId = session.identity!.id;
+
+    const pmCreateClient = await checkPermission(permission.client.it, relation.create, identityId);
+    if (!pmCreateClient) {
+        return redirect('/client');
+    }
+
     return (
         <div className="space-y-4">
             <div>